11 files changed, 227 insertions, 38 deletions

diff --git a/contrib/aix/README b/contrib/aix/README
index 82fd8be1b..2a299350a 100644
--- a/contrib/aix/README
+++ b/contrib/aix/README
@@ -26,6 +26,7 @@ and for comparison with the output from this script, however no code
 from lppbuild is included and it is not required for operation.
 
 SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
+PrivSep account handling fixes contributed by W. Earl Allen.
 
 
 Other notes:
@@ -45,3 +46,5 @@ you get to keep both pieces.
 
         - Darren Tucker (dtucker at zip dot com dot au)
           2002/03/01
+
+$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
index 3b3699660..727ac446d 100755
--- a/contrib/aix/buildbff.sh
+++ b/contrib/aix/buildbff.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 #
 # buildbff.sh: Create AIX SMIT-installable OpenSSH packages
+# $Id: buildbff.sh,v 1.6 2003/08/25 05:01:04 dtucker Exp $
 #
 # Author: Darren Tucker (dtucker at zip dot com dot au)
 # This file is placed in the public domain and comes with absolutely
@@ -14,9 +15,9 @@
 #       create a "config.local" in your build directory or set
 #       environment variables to override these.
 #
-[ -z "$PERMIT_ROOT_LOGIN" ] || PERMIT_ROOT_LOGIN=no
-[ -z "$X11_FORWARDING" ] || X11_FORWARDING=no
-[ -z "$AIX_SRC" ] || AIX_SRC=no
+[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
+[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
+[ -z "$AIX_SRC" ] && AIX_SRC=no
 
 umask 022
 
@@ -31,7 +32,7 @@ else
 fi
 
 #
-# We still support running from contrib/aix, but this is depreciated
+# We still support running from contrib/aix, but this is deprecated
 #
 if pwd | egrep 'contrib/aix$'
 then
@@ -121,7 +122,7 @@ cp $srcdir/README* $objdir/$PKGDIR/
 # Extract common info requires for the 'info' part of the package.
 #       AIX requires 4-part version numbers
 #
-VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//' | cut -f 2 -d _`
+VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
 MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
 MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
 PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
@@ -218,7 +219,7 @@ else
         fi
 
         # Create user if required
-        if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+        if lsuser ALL | cut -f1 -d: | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
         then
                 echo "PrivSep user $SSH_PRIVSEP_USER already exists."
         else
diff --git a/contrib/aix/inventory.sh b/contrib/aix/inventory.sh
index 619493ae2..4f408e678 100755
--- a/contrib/aix/inventory.sh
+++ b/contrib/aix/inventory.sh
@@ -1,8 +1,10 @@
 #!/bin/sh
 #
 # inventory.sh
+# $Id: inventory.sh,v 1.5 2003/08/26 03:43:13 dtucker Exp $
 #
 # Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
+# This file is placed into the public domain.
 #
 # This will produce an AIX package inventory file, which looks like:
 #
diff --git a/contrib/aix/pam.conf b/contrib/aix/pam.conf
new file mode 100644
index 000000000..1495f43cb
--- /dev/null
+++ b/contrib/aix/pam.conf
@@ -0,0 +1,20 @@
+#
+# PAM configuration file /etc/pam.conf
+# Example for OpenSSH on AIX 5.2
+#
+
+# Authentication Management
+sshd    auth            required        /usr/lib/security/pam_aix
+OTHER   auth            required        /usr/lib/security/pam_aix
+
+# Account Management
+sshd    account         required        /usr/lib/security/pam_aix
+OTHER   account         required        /usr/lib/security/pam_aix
+
+# Session Management
+sshd    password        required        /usr/lib/security/pam_aix
+OTHER   password        required        /usr/lib/security/pam_aix
+
+# Password Management
+sshd    session         required        /usr/lib/security/pam_aix
+OTHER   session         required        /usr/lib/security/pam_aix
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index f7fbe15e5..97d6adf51 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -17,9 +17,9 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
 %if %{use_stable}
-  %define version       3.6.1p2
+  %define version       3.7p1
   %define cvs           %{nil}
-  %define release       2
+  %define release       1
 %else
   %define version       2.9.9p2
   %define cvs           cvs20011009
@@ -364,4 +364,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.42.2.1 2003/04/29 09:12:08 djm Exp $
+$Id: openssh.spec,v 1.43.2.2 2003/09/16 06:02:40 djm Exp $
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 71ea3455f..ec58964c9 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -1,4 +1,4 @@
-This package is the actual port of OpenSSH to Cygwin 1.3.
+This package is the actual port of OpenSSH to Cygwin 1.5.
 
 ===========================================================================
 Important change since 3.4p1-2:
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 2c6db51e5..e9c56aea9 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -279,12 +279,14 @@ then
 # Host *
 #   ForwardAgent no
 #   ForwardX11 no
-#   RhostsAuthentication no
 #   RhostsRSAAuthentication no
 #   RSAAuthentication yes
 #   PasswordAuthentication yes
+#   HostbasedAuthentication no
 #   BatchMode no
 #   CheckHostIP yes
+#   AddressFamily any
+#   ConnectTimeout 0
 #   StrictHostKeyChecking ask
 #   IdentityFile ~/.ssh/identity
 #   IdentityFile ~/.ssh/id_dsa
@@ -397,7 +399,7 @@ Port $port_number
 #HostKey ${SYSCONFDIR}/ssh_host_dsa_key
 
 # Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 3600
+#KeyRegenerationInterval 1h
 #ServerKeyBits 768
 
 # Logging
@@ -407,7 +409,7 @@ Port $port_number
 
 # Authentication:
 
-#LoginGraceTime 120
+#LoginGraceTime 2m
 #PermitRootLogin yes
 # The following setting overrides permission checks on host key files
 # and directories. For security reasons set this to "yes" when running
@@ -418,10 +420,6 @@ StrictModes no
 #PubkeyAuthentication yes
 #AuthorizedKeysFile     .ssh/authorized_keys
 
-# rhosts authentication should not be used
-#RhostsAuthentication no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
 # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
 #RhostsRSAAuthentication no
 # similar for protocol version 2
@@ -429,6 +427,8 @@ StrictModes no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 #IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
@@ -437,6 +437,8 @@ StrictModes no
 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes
 
+#AllowTcpForwarding yes
+#GatewayPorts no
 #X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
@@ -447,11 +449,14 @@ StrictModes no
 UsePrivilegeSeparation $privsep_used
 #PermitUserEnvironment no
 #Compression yes
-
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS yes
+#PidFile /var/run/sshd.pid
 #MaxStartups 10
+
 # no default banner path
 #Banner /some/path
-#VerifyReverseMapping no
 
 # override default of no subsystems
 Subsystem      sftp    /usr/sbin/sftp-server
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index 5a76adbaf..4da113181 100644
--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -171,8 +171,8 @@ then
     fi
     if request "Do you want to use this identity to login to this machine?"
     then
-      echo "Adding to ${pwdhome}/.ssh/authorized_keys2"
-      cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys2"
+      echo "Adding to ${pwdhome}/.ssh/authorized_keys"
+      cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
     fi
   fi
 fi
@@ -190,8 +190,8 @@ then
     fi
     if request "Do you want to use this identity to login to this machine?"
     then
-      echo "Adding to ${pwdhome}/.ssh/authorized_keys2"
-      cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys2"
+      echo "Adding to ${pwdhome}/.ssh/authorized_keys"
+      cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys"
     fi
   fi
 fi
diff --git a/contrib/findssl.sh b/contrib/findssl.sh
new file mode 100644
index 000000000..87a4abce2
--- /dev/null
+++ b/contrib/findssl.sh
@@ -0,0 +1,159 @@
+#!/bin/sh
+#
+# findssl.sh
+#       Search for all instances of OpenSSL headers and libraries
+#       and print their versions.
+#       Intended to help diagnose OpenSSH's "OpenSSL headers do not
+#       match your library" errors.
+#
+#       Written by Darren Tucker (dtucker at zip dot com dot au)
+#       This file is placed in the public domain.
+#
+# $Id: findssl.sh,v 1.1 2003/06/24 10:22:10 dtucker Exp $
+#       2002-07-27: Initial release.
+#       2002-08-04: Added public domain notice.
+#       2003-06-24: Incorporated readme, set library paths. First cvs version.
+#
+# "OpenSSL headers do not match your library" are usually caused by 
+# OpenSSH's configure picking up an older version of OpenSSL headers
+# or libraries.  You can use the following # procedure to help identify
+# the cause.
+# 
+# The  output  of  configure  will  tell you the versions of the OpenSSL
+# headers and libraries that were picked up, for example:
+# 
+# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
+# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
+# checking whether OpenSSL's headers match the library... no
+# configure: error: Your OpenSSL headers do not match your library
+# 
+# Now run findssl.sh. This should identify the headers and libraries
+# present  and  their  versions.  You  should  be  able  to identify the
+# libraries  and headers used and adjust your CFLAGS or remove incorrect
+# versions.  The  output will show OpenSSL's internal version identifier
+# and should look something like:
+
+# $ ./findssl.sh
+# Searching for OpenSSL header files.
+# 0x0090604fL /usr/include/openssl/opensslv.h
+# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
+# 
+# Searching for OpenSSL shared library files.
+# 0x0090602fL /lib/libcrypto.so.0.9.6b
+# 0x0090602fL /lib/libcrypto.so.2
+# 0x0090581fL /usr/lib/libcrypto.so.0
+# 0x0090602fL /usr/lib/libcrypto.so
+# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
+# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
+# 0x0090600fL /usr/lib/libcrypto.so.1
+# 
+# Searching for OpenSSL static library files.
+# 0x0090602fL /usr/lib/libcrypto.a
+# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
+# 
+# In  this  example, I gave configure no extra flags, so it's picking up
+# the  OpenSSL header from /usr/include/openssl (90604f) and the library
+# from /usr/lib/ (90602f).
+
+#
+# Adjust these to suit your compiler.
+# You may also need to set the *LIB*PATH environment variables if
+# DEFAULT_LIBPATH is not correct for your system.
+#
+CC=gcc
+STATIC=-static
+
+#
+# Set up conftest C source
+#
+rm -f findssl.log
+cat >conftest.c <<EOD
+#include <stdio.h>
+int main(){printf("0x%08xL\n", SSLeay());}
+EOD
+
+#
+# Set default library paths if not already set
+#
+DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
+LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
+LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
+LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
+export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+
+#
+# Search for OpenSSL headers and print versions
+#
+echo Searching for OpenSSL header files.
+if [ -x "`which locate`" ]
+then
+        headers=`locate opensslv.h`
+else
+        headers=`find / -name opensslv.h -print 2>/dev/null`
+fi
+
+for header in $headers
+do
+        ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
+        echo "$ver $header"
+done
+echo
+
+#
+# Search for shared libraries.
+# Relies on shared libraries looking like "libcrypto.s*"
+#
+echo Searching for OpenSSL shared library files.
+if [ -x "`which locate`" ]
+then
+        libraries=`locate libcrypto.s`
+else
+        libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+        (echo "Trying libcrypto $lib" >>findssl.log
+        dir=`dirname $lib`
+        LIBPATH="$dir:$LIBPATH"
+        LD_LIBRARY_PATH="$dir:$LIBPATH"
+        LIBRARY_PATH="$dir:$LIBPATH"
+        export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+        ${CC} -o conftest conftest.c $lib 2>>findssl.log
+        if [ -x ./conftest ]
+        then
+                ver=`./conftest 2>/dev/null`
+                rm -f ./conftest
+                echo "$ver $lib"
+        fi)
+done
+echo
+
+#
+# Search for static OpenSSL libraries and print versions
+#
+echo Searching for OpenSSL static library files.
+if [ -x "`which locate`" ]
+then
+        libraries=`locate libcrypto.a`
+else
+        libraries=`find / -name libcrypto.a -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+        libdir=`dirname $lib`
+        echo "Trying libcrypto $lib" >>findssl.log
+        ${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
+        if [ -x ./conftest ]
+        then
+                ver=`./conftest 2>/dev/null`
+                rm -f ./conftest
+                echo "$ver $lib"
+        fi
+done
+
+#
+# Clean up
+#
+rm -f conftest.c
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index e7c3bb121..ce7c564c3 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 3.6.1p2
+%define ver 3.7p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
@@ -26,9 +26,6 @@
 # Is this build for RHL 6.x?
 %define build6x 0
 
-# Disable IPv6 (avoids DNS hangs on some glibc versions)
-%define noip6 0
-
 # Do we want kerberos5 support (1=yes 0=no)
 %define kerberos5 1
 
@@ -43,7 +40,6 @@
 # If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
 %if %{build6x}
 %define _sysconfdir /etc
-%define noip6 1
 %endif
 
 # Options for static OpenSSL link:
@@ -54,10 +50,6 @@
 # rpm -ba|--rebuild --define "smartcard 1"
 %{?smartcard:%define scard 1}
 
-# Option to disable ipv6
-# rpm -ba|--rebuild --define "noipv6 1"
-%{?noipv6:%define noip6 1}
-
 # Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
 %define rescue 0
 %{?build_rescue:%define rescue 1}
@@ -87,12 +79,12 @@ PreReq: initscripts >= 5.00
 %else
 PreReq: initscripts >= 5.20
 %endif
-BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers
+BuildPreReq: perl, openssl-devel, tcp_wrappers
 BuildPreReq: /bin/login
 %if ! %{build6x}
 BuildPreReq: glibc-devel, pam
 %else
-BuildPreReq: db1-devel, /usr/include/security/pam_appl.h
+BuildPreReq: /usr/include/security/pam_appl.h
 %endif
 %if ! %{no_x11_askpass}
 BuildPreReq: XFree86-devel
@@ -196,9 +188,6 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
 %if %{scard}
         --with-smartcard \
 %endif
-%if %{noip6}
-        --with-ipv4-default \
-%endif
 %if %{rescue}
         --without-pam --with-md5-passwords \
 %else
@@ -274,9 +263,11 @@ install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome
          rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
 %endif
 
+%if ! %{no_gnome_askpass}
 install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
 install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
 install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+%endif
 
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
 
@@ -400,6 +391,14 @@ fi
 %endif
 
 %changelog
+* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
+- Remove noip6 option. This may be controlled at run-time in client config 
+  file using new AddressFamily directive
+
+* Mon May 12 2003 Damien Miller <djm@mindrot.org>
+- Don't install profile.d scripts when not building with GNOME/GTK askpass
+  (patch from bet@rahul.net)
+
 * Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
 - Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
 
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 707c3a221..ca7437bd6 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 3.6.1p2
+Version: 3.7p1
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz