From c9fe39b1a41030636af326ad327518a4a42575c1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 9 Mar 2010 20:42:30 +1100 Subject: - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO so setting it in CFLAGS correctly skips IPv6 tests. --- ChangeLog | 6 +++++- configure.ac | 12 +++++------- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index d6e4a4a25..c03d20f49 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ -20100307 +20100309 + - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO + so setting it in CFLAGS correctly skips IPv6 tests. + +20100308 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2010/03/07 22:16:01 [ssh-keygen.c] diff --git a/configure.ac b/configure.ac index a9960a7ba..331fb4572 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.444 2010/03/05 04:04:35 djm Exp $ +# $Id: configure.ac,v 1.445 2010/03/09 09:42:31 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.444 $) +AC_REVISION($Revision: 1.445 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -4128,12 +4128,10 @@ dnl Adding -Werror to CFLAGS early prevents configure tests from running. dnl Add now. CFLAGS="$CFLAGS $werror_flags" -if grep "#define BROKEN_GETADDRINFO 1" confdefs.h >/dev/null || \ - test "x$ac_cv_func_getaddrinfo" != "xyes" ; then - AC_SUBST(TEST_SSH_IPV6, no) -else +AC_CHECK_DECL(BROKEN_GETADDRINFO, + AC_SUBST(TEST_SSH_IPV6, no), AC_SUBST(TEST_SSH_IPV6, yes) -fi +) AC_EXEEXT AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ -- cgit v1.2.3 From fa233ba73bdef475c2a509a914e352d544373d07 Mon Sep 17 00:00:00 2001 
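Review bot: The rewritten test in the last configure.ac hunk no longer consults `ac_cv_func_getaddrinfo`. A platform with no getaddrinfo() at all now gets `TEST_SSH_IPV6` set to `yes`, where the removed `test "x$ac_cv_func_getaddrinfo" != "xyes"` branch gave `no`, unless something outside the hunk defines BROKEN_GETADDRINFO for that case. Keeping the old condition after the macro would preserve the behaviour: `if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then TEST_SSH_IPV6=no ; fi`. The macro arguments are also unquoted; `AC_CHECK_DECL([BROKEN_GETADDRINFO], [...], [...])` is the more robust form.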
From: Tim Rice Date: Wed, 10 Mar 2010 16:12:02 -0800 Subject: - (tim) [contrib/suse/openssh.spec] crank version number here too. report by imorgan AT nas.nasa.gov --- ChangeLog | 4 ++++ contrib/suse/openssh.spec | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c03d20f49..89e297ab7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20100311 + - (tim) [contrib/suse/openssh.spec] crank version number here too. + report by imorgan AT nas.nasa.gov + 20100309 - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO so setting it in CFLAGS correctly skips IPv6 tests. diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index c09246d1f..90de767d3 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 5.3p1 +Version: 5.4p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From 2bde3eec69dc6df434bac33d82aaf63697563416 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 11 Mar 2010 22:18:13 -0800 Subject: - (tim) [openssh/Makefile.in] Now that scard is gone, no need to make $(datadir) --- ChangeLog | 4 ++++ Makefile.in | 3 +-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 89e297ab7..16b5693d4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20100312 + - (tim) [openssh/Makefile.in] Now that scard is gone, no need to + make $(datadir) + 20100311 - (tim) [contrib/suse/openssh.spec] crank version number here too. report by imorgan AT nas.nasa.gov diff --git a/Makefile.in b/Makefile.in index 69e3567da..7c3464d86 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.306 2010/02/24 07:18:51 djm Exp $ +# $Id: Makefile.in,v 1.307 2010/03/12 06:18:13 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -249,7 +249,6 @@ install-files: $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) - $(srcdir)/mkinstalldirs $(DESTDIR)$(datadir) $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5 $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 -- cgit v1.2.3 From ded8fa0bc96a8ffe4b51bf2276c468132f4b1416 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 11 Mar 2010 22:32:02 -0800 Subject: - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets. Patch from Corinna Vinschen. --- ChangeLog | 5 +++-- Makefile.in | 26 +++++++++++++------------- 2 files changed, 16 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 16b5693d4..533d2ec3f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20100312 - - (tim) [openssh/Makefile.in] Now that scard is gone, no need to - make $(datadir) + - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir) + - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets. + Patch from Corinna Vinschen. 20100311 - (tim) [contrib/suse/openssh.spec] crank version number here too. diff --git a/Makefile.in b/Makefile.in index 7c3464d86..839a40543 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.307 2010/03/12 06:18:13 tim Exp $ +# $Id: Makefile.in,v 1.308 2010/03/12 06:32:02 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -254,20 +254,20 @@ install-files: $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh $(DESTDIR)$(bindir)/ssh - $(INSTALL) -m 0755 $(STRIP_OPT) scp $(DESTDIR)$(bindir)/scp - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add $(DESTDIR)$(bindir)/ssh-add - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent $(DESTDIR)$(bindir)/ssh-agent - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan - $(INSTALL) -m 0755 $(STRIP_OPT) sshd $(DESTDIR)$(sbindir)/sshd + $(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT) if test ! 
-z "$(INSTALL_SSH_RAND_HELPER)" ; then \ - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \ + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-rand-helper$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-rand-helper$(EXEEXT) ; \ fi - $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign $(DESTDIR)$(SSH_KEYSIGN) - $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper $(DESTDIR)$(SSH_PKCS11_HELPER) - $(INSTALL) -m 0755 $(STRIP_OPT) sftp $(DESTDIR)$(bindir)/sftp - $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server $(DESTDIR)$(SFTP_SERVER) + $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT) + $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT) $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 -- cgit v1.2.3 From 4e0cea82dd75199c4a4f59165b1971d0d7c45919 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 11 Mar 2010 22:35:19 -0800 Subject: - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install on a Cygwin installation. Patch from Corinna Vinschen. --- ChangeLog | 2 ++ contrib/cygwin/Makefile | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 533d2ec3f..c6a3fe893 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir) - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets. Patch from Corinna Vinschen. + - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install + on a Cygwin installation. Patch from Corinna Vinschen. 20100311 - (tim) [contrib/suse/openssh.spec] crank version number here too. 
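Review bot: The install lines for ssh-keysign, ssh-pkcs11-helper and sftp-server append `$(EXEEXT)` to `$(SSH_KEYSIGN)`, `$(SSH_PKCS11_HELPER)` and `$(SFTP_SERVER)` at install time only, so the file written to disk no longer has the name held in the variable. If those variables also feed the paths compiled into the binaries or the uninstall rules (neither is visible in this hunk), they would name a file without the suffix wherever EXEEXT is non-empty. ssh-keysign is installed setuid (`-m 4711`), so a copy that uninstall fails to remove matters most there; check that the uninstall target removes `$(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)` and its siblings. The install-files recipe starts before and continues past this hunk.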
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile index 9f680c16c..fe3ae0bbd 100644 --- a/contrib/cygwin/Makefile +++ b/contrib/cygwin/Makefile @@ -42,11 +42,13 @@ install-sshdoc: $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.agent $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns $(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep - $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard + $(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.privsep $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG -- cgit v1.2.3 From 47f9a4106a417d57ff784b3a7fcffb803d6df56d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 14 Mar 2010 08:37:49 +1100 Subject: - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot AT fefe.de --- ChangeLog | 5 +++++ ssh-pkcs11-helper.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c6a3fe893..96196fc80 100644 --- a/ChangeLog +++ b/ChangeLog 
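Review bot: All three added install lines keep a destination copied from the neighbouring line. PROTOCOL.certkeys and PROTOCOL.mux are both written to `$(DESTDIR)$(sshdocdir)/PROTOCOL.agent`, and README.tun is written to `$(DESTDIR)$(sshdocdir)/README.privsep`. Because these lines run after the real PROTOCOL.agent and README.privsep installs, the installed PROTOCOL.agent ends up holding PROTOCOL.mux, README.privsep holds README.tun, and the three new documents are never installed under their own names. The destinations should be `$(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys`, `$(DESTDIR)$(sshdocdir)/PROTOCOL.mux` and `$(DESTDIR)$(sshdocdir)/README.tun`.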
@@ -1,3 +1,8 @@ +20100314 + - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix + compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot + AT fefe.de + 20100312 - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir) - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets. diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c index d3bfb9838..8e3f57ace 100644 --- a/ssh-pkcs11-helper.c +++ b/ssh-pkcs11-helper.c @@ -17,8 +17,6 @@ #include "includes.h" -#ifdef ENABLE_PKCS11 - #include #ifdef HAVE_SYS_TIME_H # include @@ -39,6 +37,8 @@ #include "authfd.h" #include "ssh-pkcs11.h" +#ifdef ENABLE_PKCS11 + /* borrows code from sftp-server and ssh-agent */ struct pkcs11_keyinfo { -- cgit v1.2.3 From 1f574b254663776209951b0327090c19c41c0749 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sun, 14 Mar 2010 08:41:34 +1100 Subject: - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for ssh-pkcs11-helper to repair static builds (we do the same for ssh-keyscan). Reported by felix-mindrot AT fefe.de --- ChangeLog | 3 +++ Makefile.in | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 96196fc80..cfa7a1d4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot AT fefe.de + - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for + ssh-pkcs11-helper to repair static builds (we do the same for + ssh-keyscan). Reported by felix-mindrot AT fefe.de 20100312 - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir) diff --git a/Makefile.in b/Makefile.in index 839a40543..476674b0e 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.308 2010/03/12 06:32:02 tim Exp $ +# $Id: Makefile.in,v 1.309 2010/03/13 21:41:34 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -160,7 +160,7 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco $(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o - $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) -- cgit v1.2.3 From c59e2443d30cc7ff2eebd57399e88d55748ba422 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:50:31 +1100 Subject: - jmc@cvs.openbsd.org 2010/03/08 09:41:27 [ssh-keygen.1] sort the list of constraints (to -O); ok djm --- ChangeLog | 6 ++++++ ssh-keygen.1 | 30 +++++++++++++++--------------- 2 files changed, 21 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index cfa7a1d4d..2270e0eb1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20100321 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2010/03/08 09:41:27 + [ssh-keygen.1] + sort the list of constraints (to -O); ok djm + 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 6557f9336..c819320db 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.89 2010/03/08 09:41:27 jmc Exp $ .\" .\" -*- nroff -*- .\" 
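Review bot: The second `-lssh` on the ssh-pkcs11-helper link line has no comment, and a later cleanup of the link flags could easily drop it as a duplicate. A line above the rule such as `# -lssh is repeated after -lopenbsd-compat on purpose; static links need it (see ssh-keyscan)` would record the reason given in the commit message. The ssh-keysign rule in the context line above still links with a single `-lssh`; it may be worth confirming that a static build of it does not hit the same unresolved symbols.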
@@ -307,8 +307,15 @@ Please see the section for details. The constraints that are valid for user certificates are: .Bl -tag -width Ds -.It Ic no-x11-forwarding -Disable X11 forwarding (permitted by default). +.It Ic clear +Clear all enabled permissions. +This is useful for clearing the default set of permissions so permissions may +be added individually. +.It Ic force-command Ns = Ns Ar command +Forces the execution of +.Ar command +instead of any shell or command specified by the user when +the certificate is used for authentication. .It Ic no-agent-forwarding Disable .Xr ssh-agent 1 @@ -323,12 +330,8 @@ Disable execution of by .Xr sshd 8 (permitted by default). -.It Ic clear -Clear all enabled permissions. -This is useful for clearing the default set of permissions so permissions may -be added individually. -.It Ic permit-x11-forwarding -Allows X11 forwarding. +.It Ic no-x11-forwarding +Disable X11 forwarding (permitted by default). .It Ic permit-agent-forwarding Allows .Xr ssh-agent 1 @@ -342,12 +345,9 @@ Allows execution of .Pa ~/.ssh/rc by .Xr sshd 8 . -.It Ic force-command=command -Forces the execution of -.Ar command -instead of any shell or command specified by the user when -the certificate is used for authentication. -.It Ic source-address=address_list +.It Ic permit-x11-forwarding +Allows X11 forwarding. +.It Ic source-address Ns = Ns Ar address_list Restrict the source addresses from which the certificate is considered valid from. The -- cgit v1.2.3 From 77497e131857443cce9ec93fdb382e324002691a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:50:51 +1100 Subject: - jmc@cvs.openbsd.org 2010/03/10 07:40:35 [ssh-keygen.1] typos; from Ross Richardson closes prs 6334 and 6335 --- ChangeLog | 4 ++++ ssh-keygen.1 | 9 ++++----- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2270e0eb1..34d5dfdcb 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,10 @@ - jmc@cvs.openbsd.org 2010/03/08 09:41:27 [ssh-keygen.1] sort the list of constraints (to -O); ok djm + - jmc@cvs.openbsd.org 2010/03/10 07:40:35 + [ssh-keygen.1] + typos; from Ross Richardson + closes prs 6334 and 6335 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/ssh-keygen.1 b/ssh-keygen.1 index c819320db..e79246b79 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.89 2010/03/08 09:41:27 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.90 2010/03/10 07:40:35 jmc Exp $ .\" .\" -*- nroff -*- .\" @@ -37,7 +37,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 8 2010 $ +.Dd $Mdocdate: March 10 2010 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -348,8 +348,7 @@ by .It Ic permit-x11-forwarding Allows X11 forwarding. .It Ic source-address Ns = Ns Ar address_list -Restrict the source addresses from which the certificate is considered valid -from. +Restrict the source addresses from which the certificate is considered valid. The .Ar address_list is a comma-separated list of one or more address/netmask pairs in CIDR @@ -414,7 +413,7 @@ in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting of a minus sign followed by a relative time in the format described in the .Sx TIME FORMATS section of -.Xr ssh_config 5 . +.Xr sshd_config 5 . The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character. .Pp -- cgit v1.2.3 From e513a911952901dc8bcaa76fcfba7bc45f23daae Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 22 Mar 2010 05:51:21 +1100 Subject: - djm@cvs.openbsd.org 2010/03/10 23:27:17 [auth2-pubkey.c] correct certificate logging and make it more consistent between authorized_keys and TrustedCAKeys; ok markus@ --- ChangeLog | 4 ++++ auth2-pubkey.c | 31 +++++++++++++++++-------------- 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 34d5dfdcb..ac93d23c9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,10 @@ [ssh-keygen.1] typos; from Ross Richardson closes prs 6334 and 6335 + - djm@cvs.openbsd.org 2010/03/10 23:27:17 + [auth2-pubkey.c] + correct certificate logging and make it more consistent between + authorized_keys and TrustedCAKeys; ok markus@ 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/auth2-pubkey.c b/auth2-pubkey.c index 51aa77487..c4cadf4e7 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * 
@@ -240,22 +240,26 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) continue; if (!key_equal(found, key->cert->signature_key)) continue; - debug("matching CA found: file %s, line %lu", - file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s CA: %s", - key_type(found), fp); - xfree(fp); + debug("matching CA found: file %s, line %lu, %s %s", + file, linenum, key_type(found), fp); if (key_cert_check_authority(key, 0, 0, pw->pw_name, &reason) != 0) { + xfree(fp); error("%s", reason); auth_debug_add("%s", reason); continue; } if (auth_cert_constraints(&key->cert->constraints, - pw) != 0) + pw) != 0) { + xfree(fp); continue; + } + verbose("Accepted certificate ID \"%s\" " + "signed by %s CA %s via %s", key->cert->key_id, + key_type(found), fp, file); + xfree(fp); found_key = 1; break; } else if (!key_is_cert_authority && key_equal(found, key)) { @@ -281,15 +285,15 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) static int user_cert_trusted_ca(struct passwd *pw, Key *key) { - char *key_fp, *ca_fp; + char *ca_fp; const char *reason; int ret = 0; if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) return 0; - key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + ca_fp = key_fingerprint(key->cert->signature_key, + SSH_FP_MD5, SSH_FP_HEX); if (key_in_file(key->cert->signature_key, options.trusted_user_ca_keys, 1) != 1) { 
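Review bot: The new `verbose("Accepted certificate ID ...")` in user_key_allowed2 fires once the CA match, key_cert_check_authority() and auth_cert_constraints() pass, and nothing in the hunk shows the client's signature having been verified by then. If this function is also reached for key queries or before the signature check (the callers are outside the hunk), someone triaging auth logs will read the line as a completed login. Consider wording that does not imply success, for example `"Certificate ID \"%s\" signed by %s CA %s via %s is acceptable"`. Failing that, add a comment at the call stating that this logs key acceptability, not authentication. The same message is added to user_cert_trusted_ca in the later hunk at -306, and both functions extend beyond their hunks.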
@@ -306,13 +310,12 @@ user_cert_trusted_ca(struct passwd *pw, Key *key) if (auth_cert_constraints(&key->cert->constraints, pw) != 0) goto out; - verbose("%s certificate %s allowed by trusted %s key %s", - key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp); + verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s", + key->cert->key_id, key_type(key->cert->signature_key), ca_fp, + options.trusted_user_ca_keys); ret = 1; out: - if (key_fp != NULL) - xfree(key_fp); if (ca_fp != NULL) xfree(ca_fp); return ret; -- cgit v1.2.3 From c4cb47bc53434612c41333695b15350724d60d6a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:52:26 +1100 Subject: - djm@cvs.openbsd.org 2010/03/12 01:06:25 [servconf.c] unbreak AuthorizedKeys option with a $HOME-relative path; reported by vinschen AT redhat.com, ok dtucker@ --- ChangeLog | 4 ++++ servconf.c | 14 ++++++++++++-- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ac93d23c9..3112f6457 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,10 @@ [auth2-pubkey.c] correct certificate logging and make it more consistent between authorized_keys and TrustedCAKeys; ok markus@ + - djm@cvs.openbsd.org 2010/03/12 01:06:25 + [servconf.c] + unbreak AuthorizedKeys option with a $HOME-relative path; reported by + vinschen AT redhat.com, ok dtucker@ 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/servconf.c b/servconf.c index f9e2f2dfd..e09e0f1c8 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.205 2010/03/12 01:06:25 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -1223,7 +1223,17 @@ process_server_config_line(ServerOptions *options, char *line, charptr = (opcode == sAuthorizedKeysFile) ? &options->authorized_keys_file : &options->authorized_keys_file2; - goto parse_filename; + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing file name.", + filename, linenum); + if (*activep && *charptr == NULL) { + *charptr = derelativise_path(arg); + /* increase optional counter */ + if (intptr != NULL) + *intptr = *intptr + 1; + } + break; case sClientAliveInterval: intptr = &options->client_alive_interval; -- cgit v1.2.3 From 4a5f0d325b723dcfdcc540f83ae8a3c08a589d7e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:53:04 +1100 Subject: - markus@cvs.openbsd.org 2010/03/12 11:37:40 [servconf.c] do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths free() (not xfree()) the buffer returned by getcwd() --- ChangeLog | 4 ++++ servconf.c | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3112f6457..95c87ba26 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,10 @@ [servconf.c] unbreak AuthorizedKeys option with a $HOME-relative path; reported by vinschen AT redhat.com, ok dtucker@ + - markus@cvs.openbsd.org 2010/03/12 11:37:40 + [servconf.c] + do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths + free() (not xfree()) the buffer returned by getcwd() 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/servconf.c b/servconf.c index e09e0f1c8..fa442bcea 100644 --- a/servconf.c +++ b/servconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.205 2010/03/12 01:06:25 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.206 2010/03/12 11:37:40 markus Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved 
@@ -478,7 +478,7 @@ derelativise_path(const char *path) if ((cwd = getcwd(NULL, 0)) == NULL) fatal("%s: getcwd: %s", __func__, strerror(errno)); xasprintf(&ret, "%s/%s", cwd, expanded); - xfree(cwd); + free(cwd); xfree(expanded); return ret; } @@ -1228,7 +1228,7 @@ process_server_config_line(ServerOptions *options, char *line, fatal("%s line %d: missing file name.", filename, linenum); if (*activep && *charptr == NULL) { - *charptr = derelativise_path(arg); + *charptr = tilde_expand_filename(arg, getuid()); /* increase optional counter */ if (intptr != NULL) *intptr = *intptr + 1; -- cgit v1.2.3 From 8ddc71c13d3aac3f7eb13b67dc703b5508eae732 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:54:02 +1100 Subject: - djm@cvs.openbsd.org 2010/03/13 21:10:38 [clientloop.c] protocol conformance fix: send language tag when disconnecting normally; spotted by 1.41421 AT gmail.com, ok markus@ deraadt@ --- ChangeLog | 4 ++++ clientloop.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 95c87ba26..3dc718056 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,10 @@ [servconf.c] do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths free() (not xfree()) the buffer returned by getcwd() + - djm@cvs.openbsd.org 2010/03/13 21:10:38 + [clientloop.c] + protocol conformance fix: send language tag when disconnecting normally; + spotted by 1.41421 AT gmail.com, ok markus@ deraadt@ 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/clientloop.c b/clientloop.c index 6ffef95a2..9ab56b44c 100644 --- a/clientloop.c +++ b/clientloop.c @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.218 2010/01/28 00:21:18 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.219 2010/03/13 21:10:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
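Review bot: The AuthorizedKeysFile case in process_server_config_line now deliberately leaves a relative value relative, but nothing at the call says so. The line this hunk replaces shows how easily that gets "fixed" into an absolute path anchored at sshd's working directory. A comment above `*charptr = tilde_expand_filename(arg, getuid());` would capture the reasoning from the two commit messages, for example `/* do not make absolute here: a relative AuthorizedKeysFile is $HOME-relative, not relative to sshd's cwd */`. process_server_config_line starts and ends outside the hunk.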
@@ -1484,6 +1484,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) packet_start(SSH2_MSG_DISCONNECT); packet_put_int(SSH2_DISCONNECT_BY_APPLICATION); packet_put_cstring("disconnected by user"); + packet_put_cstring(""); /* language tag */ packet_send(); packet_write_wait(); } -- cgit v1.2.3 From 1b61a2825e20e6d412aeed7ce16d888835e3398a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:55:06 +1100 Subject: - djm@cvs.openbsd.org 2010/03/13 21:45:46 [ssh-keygen.1] Certificates are named *-cert.pub, not *_cert.pub; committing a diff from stevesk@ ok me --- ChangeLog | 4 ++++ ssh-keygen.1 | 8 ++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3dc718056..4df02fbb1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,10 @@ [clientloop.c] protocol conformance fix: send language tag when disconnecting normally; spotted by 1.41421 AT gmail.com, ok markus@ deraadt@ + - djm@cvs.openbsd.org 2010/03/13 21:45:46 + [ssh-keygen.1] + Certificates are named *-cert.pub, not *_cert.pub; committing a diff + from stevesk@ ok me 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/ssh-keygen.1 b/ssh-keygen.1 index e79246b79..1ee0835f3 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.90 2010/03/10 07:40:35 jmc Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.91 2010/03/13 21:45:46 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -37,7 +37,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: March 10 2010 $ +.Dd $Mdocdate: March 13 2010 $ .Dt SSH-KEYGEN 1 .Os .Sh NAME 
@@ -518,7 +518,7 @@ To generate a user certificate: .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub .Pp The resultant certificate will be placed in -.Pa /path/to/user_key_cert.pub . +.Pa /path/to/user_key-cert.pub . A host certificate requires the .Fl h option: @@ -526,7 +526,7 @@ option: .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub .Pp The host certificate will be output to -.Pa /path/to/host_key_cert.pub . +.Pa /path/to/host_key-cert.pub . In both cases, .Ar key_id is a "key identifier" that is logged by the server when the certificate -- cgit v1.2.3 From 5a5d94b12f389d24d5fec30a6bd8c8211a65cf43 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:57:49 +1100 Subject: - jmc@cvs.openbsd.org 2010/03/13 23:38:13 [ssh-keygen.1] fix a formatting error (args need quoted); noted by stevesk --- ChangeLog | 3 +++ ssh-keygen.1 | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4df02fbb1..d95e80aa0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,9 @@ [ssh-keygen.1] Certificates are named *-cert.pub, not *_cert.pub; committing a diff from stevesk@ ok me + - jmc@cvs.openbsd.org 2010/03/13 23:38:13 + [ssh-keygen.1] + fix a formatting error (args need quoted); noted by stevesk 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/ssh-keygen.1 b/ssh-keygen.1 index 1ee0835f3..3e03a9bd0 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.91 2010/03/13 21:45:46 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $ .\" .\" -*- nroff -*- .\" 
@@ -538,7 +538,7 @@ By default, generated certificates are valid for all users or hosts. To generate a certificate for a specified set of principals: .Pp .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub -.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub +.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" .Pp Additional limitations on the validity and use of user certificates may be specified through certificate constraints. -- cgit v1.2.3 From 1cfbfaf4a003749657035b832c30e176dc26d491 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:58:24 +1100 Subject: - stevesk@cvs.openbsd.org 2010/03/15 19:40:02 [key.c key.h ssh-keygen.c] also print certificate type (user or host) for ssh-keygen -L ok djm kettenis --- ChangeLog | 4 ++++ key.c | 15 ++++++++++++++- key.h | 3 ++- ssh-keygen.c | 5 +++-- 4 files changed, 23 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index d95e80aa0..22bb981bf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,10 @@ - jmc@cvs.openbsd.org 2010/03/13 23:38:13 [ssh-keygen.1] fix a formatting error (args need quoted); noted by stevesk + - stevesk@cvs.openbsd.org 2010/03/15 19:40:02 + [key.c key.h ssh-keygen.c] + also print certificate type (user or host) for ssh-keygen -L + ok djm kettenis 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/key.c b/key.c index 0d0c912e6..66592c7ed 100644 --- a/key.c +++ b/key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.85 2010/03/04 01:44:57 djm Exp $ */ +/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -801,6 +801,19 @@ key_type(const Key *k) return "unknown"; } +const char * +key_cert_type(const Key *k) +{ + switch (k->cert->type) { + case SSH2_CERT_TYPE_USER: + return "user"; + case SSH2_CERT_TYPE_HOST: + return "host"; + default: + return "unknown"; + } +} + const char * key_ssh_name(const Key *k) { 
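Review bot: key_cert_type() dereferences `k->cert` unconditionally, so it relies on every caller passing a certificate key. For a plain key `k->cert` may be NULL (the Key layout and the callers' checks are not visible here). A guard before the switch would make it degrade the way key_type() just above does, which falls back to "unknown": `if (!key_is_cert(k)) return "unknown";`. If the precondition is intended instead, state it in a comment above the function, e.g. `/* k must be a certificate key */`.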
diff --git a/key.h b/key.h index 6a2e049af..4f17777c0 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.28 2010/02/26 20:29:54 djm Exp $ */ +/* $OpenBSD: key.h,v 1.29 2010/03/15 19:40:02 stevesk Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -82,6 +82,7 @@ int key_equal(const Key *, const Key *); char *key_fingerprint(Key *, enum fp_type, enum fp_rep); u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); const char *key_type(const Key *); +const char *key_cert_type(const Key *); int key_write(const Key *, FILE *); int key_read(Key *, char **); u_int key_size(const Key *); diff --git a/ssh-keygen.c b/ssh-keygen.c index dd662c907..37e516ff2 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.184 2010/03/07 22:16:01 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.185 2010/03/15 19:40:02 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland @@ -1393,7 +1393,8 @@ do_show_cert(struct passwd *pw) SSH_FP_MD5, SSH_FP_HEX); printf("%s:\n", identity_file); - printf(" %s certificate %s\n", key_type(key), key_fp); + printf(" %s %s certificate %s\n", key_type(key), + key_cert_type(key), key_fp); printf(" Signed by %s CA %s\n", key_type(key->cert->signature_key), ca_fp); printf(" Key ID \"%s\"\n", key->cert->key_id); -- cgit v1.2.3 From 33334b27bc405607fb257c0b4580a38b3b6e4332 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:59:02 +1100 Subject: - stevesk@cvs.openbsd.org 2010/03/16 15:46:52 [auth-options.c] spelling in error message. ok djm kettenis --- ChangeLog | 3 +++ auth-options.c | 6 +++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 22bb981bf..8e295ca5c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -34,6 +34,9 @@ [key.c key.h ssh-keygen.c] also print certificate type (user or host) for ssh-keygen -L ok djm kettenis + - stevesk@cvs.openbsd.org 2010/03/16 15:46:52 + [auth-options.c] + spelling in error message. ok djm kettenis 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/auth-options.c b/auth-options.c index 129301765..69b314fbd 100644 --- a/auth-options.c +++ b/auth-options.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.48 2010/03/07 11:57:13 dtucker Exp $ */ +/* $OpenBSD: auth-options.c,v 1.49 2010/03/16 15:46:52 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -434,7 +434,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw) goto out; } if (strlen(command) != clen) { - error("force-command constrain contains \\0"); + error("force-command constraint contains \\0"); goto out; } if (cert_forced_command != NULL) { @@ -454,7 +454,7 @@ auth_cert_constraints(Buffer *c_orig, struct passwd *pw) goto out; } if (strlen(allowed) != clen) { - error("source-address constrain contains \\0"); + error("source-address constraint contains \\0"); goto out; } if (cert_source_address_done++) { -- cgit v1.2.3 From 13a9f7247abccd4587822cdd5c95523032727c22 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 05:59:22 +1100 Subject: - djm@cvs.openbsd.org 2010/03/16 16:36:49 [version.h] crank version to openssh-5.5 since we have a few fixes since 5.4; requested deraadt@ kettenis@ --- ChangeLog | 4 ++++ version.h | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8e295ca5c..6490359bd 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -37,6 +37,10 @@ - stevesk@cvs.openbsd.org 2010/03/16 15:46:52 [auth-options.c] spelling in error message. ok djm kettenis + - djm@cvs.openbsd.org 2010/03/16 16:36:49 + [version.h] + crank version to openssh-5.5 since we have a few fixes since 5.4; + requested deraadt@ kettenis@ 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/version.h b/version.h index c604c753c..5d2b0b741 100644 --- a/version.h +++ b/version.h @@ -1,6 +1,6 @@ -/* $OpenBSD: version.h,v 1.57 2010/03/07 22:01:32 djm Exp $ */ +/* $OpenBSD: version.h,v 1.58 2010/03/16 16:36:49 djm Exp $ */ -#define SSH_VERSION "OpenSSH_5.4" +#define SSH_VERSION "OpenSSH_5.5" #define SSH_PORTABLE "p1" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE -- cgit v1.2.3 From b086d4ac70d4a46cd74f66b86b809992bfc0ecb8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 22 Mar 2010 06:11:55 +1100 Subject: - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Crank version numbers --- ChangeLog | 2 ++ README | 4 ++-- contrib/caldera/openssh.spec | 6 +++--- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 5 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6490359bd..d4acdc414 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,8 @@ [version.h] crank version to openssh-5.5 since we have a few fixes since 5.4; requested deraadt@ kettenis@ + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Crank version numbers 20100314 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix diff --git a/README b/README index 0ecb670b6..a29f2007d 100644 --- a/README +++ b/README 
@@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-5.4 for the release notes. +See http://www.openssh.com/txt/release-5.5 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.72 2010/03/07 22:41:02 djm Exp $ +$Id: README,v 1.73 2010/03/21 19:11:55 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 7c291a0eb..6bea9a40f 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,11 +17,11 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 5.4p1 + %define version 5.5p1 %define cvs %{nil} %define release 1 %else - %define version 5.4p1 + %define version 5.5p1 %define cvs cvs20050315 %define release 0r1 %endif @@ -360,4 +360,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.69 2010/03/07 22:41:03 djm Exp $ +$Id: openssh.spec,v 1.70 2010/03/21 19:11:58 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index de24f1c5d..c13cfe60d 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 5.4p1 +%define ver 5.5p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 90de767d3..52ed915dc 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -13,7 +13,7 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 5.4p1 +Version: 5.5p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From 62131dc6e2aa875b26a4deac097f256a382d816a Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Wed, 24 Mar 2010 13:03:32 +1100 Subject: - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory containing the services file explicitely case-insensitive. This allows to tweak the Windows services file reliably. Patch from vinschen at redhat. --- ChangeLog | 5 +++++ contrib/cygwin/ssh-host-config | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index d4acdc414..d94247ab7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20100324 + - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory + containing the services file explicitely case-insensitive. This allows to + tweak the Windows services file reliably. Patch from vinschen at redhat. + 20100321 - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2010/03/08 09:41:27 diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index b6f9511e2..d968d4619 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -90,7 +90,7 @@ update_services_file() { fi _serv_tmp="${_my_etcdir}/srv.out.$$" - mount -o text -f "${_win_etcdir}" "${_my_etcdir}" + mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" # Depends on the above mount _wservices=`cygpath -w "${_services}"` -- cgit v1.2.3 From 7d09b8f8d90fb524e43bab1b675c0f7d5485dc8f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 26 Mar 2010 08:52:02 +1100 Subject: - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson --- ChangeLog | 4 ++++ openbsd-compat/bsd-arc4random.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d94247ab7..88d4b2c1e 100644 --- a/ChangeLog +++ b/ChangeLog 
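Review bot: The exit status of the changed `mount` line in update_services_file() is not checked, although the comment right below it says the following `cygpath` call depends on that mount. If the mount fails, for example because the installed Cygwin does not accept one of the newly added options, the function carries on and works on the services file through a path that was never set up. Test the result, e.g. `mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}" || return 1`, adapting the failure path to whatever convention the rest of the function uses; its body starts and ends outside the hunk.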
@@ -1,3 +1,7 @@ +20100326 + - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection + for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson + 20100324 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory containing the services file explicitely case-insensitive. This allows to diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c index 9d4c8690e..d7c586253 100644 --- a/openbsd-compat/bsd-arc4random.c +++ b/openbsd-compat/bsd-arc4random.c @@ -84,7 +84,7 @@ arc4random_stir(void) } #endif /* !HAVE_ARC4RANDOM */ -#ifndef ARC4RANDOM_BUF +#ifndef HAVE_ARC4RANDOM_BUF void arc4random_buf(void *_buf, size_t n) { @@ -102,7 +102,7 @@ arc4random_buf(void *_buf, size_t n) } #endif /* !HAVE_ARC4RANDOM_BUF */ -#ifndef ARC4RANDOM_UNIFORM +#ifndef HAVE_ARC4RANDOM_UNIFORM /* * Calculate a uniformly distributed random number less than upper_bound * avoiding "modulo bias". -- cgit v1.2.3 From a83d90fbab8d8987d2086ce1fd5c5a05adb42c97 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 26 Mar 2010 10:27:33 +1100 Subject: - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally by Ingo Weinhold via Scott McCreary, ok djm@ --- ChangeLog | 2 ++ configure.ac | 10 ++++++++-- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 88d4b2c1e..30a7ce269 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20100326 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson + - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally + by Ingo Weinhold via Scott McCreary, ok djm@ 20100324 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory diff --git a/configure.ac b/configure.ac index 331fb4572..7580ff591 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.445 2010/03/09 09:42:31 dtucker Exp $ +# $Id: configure.ac,v 1.446 2010/03/25 23:27:33 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.445 $) +AC_REVISION($Revision: 1.446 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -488,6 +488,12 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) *-*-dragonfly*) SSHDLIBS="$SSHDLIBS -lcrypt" ;; +*-*-haiku*) + LIBS="$LIBS -lbsd " + AC_CHECK_LIB(network, socket) + AC_DEFINE(HAVE_U_INT64_T) + MANTYPE=man + ;; *-*-hpux*) # first we define all of the options common to all HP-UX releases CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" -- cgit v1.2.3 From 44451d0af8ecbec2a17d47d75d3cca02d1239cf8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 26 Mar 2010 10:40:04 +1100 Subject: - djm@cvs.openbsd.org 2010/03/25 23:38:28 [servconf.c] from portable: getcwd(NULL, 0) doesn't work on all platforms, so use a stack buffer; ok dtucker@ --- ChangeLog | 5 +++++ servconf.c | 7 +++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 30a7ce269..cf3558c00 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally by Ingo Weinhold via Scott McCreary, ok djm@ + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2010/03/25 23:38:28 + [servconf.c] + from portable: getcwd(NULL, 0) doesn't work on all platforms, so + use a stack buffer; ok dtucker@ 20100324 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory diff --git a/servconf.c b/servconf.c index fa442bcea..7d027ddb9 100644 --- a/servconf.c +++ b/servconf.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.206 2010/03/12 11:37:40 markus Exp $ */ +/* $OpenBSD: servconf.c,v 1.207 2010/03/25 23:38:28 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -470,15 +470,14 @@ parse_token(const char *cp, const char *filename, char * derelativise_path(const char *path) { - char *expanded, *ret, *cwd; + char *expanded, *ret, cwd[MAXPATHLEN]; expanded = tilde_expand_filename(path, getuid()); if (*expanded == '/') return expanded; - if ((cwd = getcwd(NULL, 0)) == NULL) + if (getcwd(cwd, sizeof(cwd)) == NULL) fatal("%s: getcwd: %s", __func__, strerror(errno)); xasprintf(&ret, "%s/%s", cwd, expanded); - free(cwd); xfree(expanded); return ret; } -- cgit v1.2.3 From 8b90642fcf979737dc2f3152660b0561ec5b3a5d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 26 Mar 2010 11:04:09 +1100 Subject: - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms - set up SELinux execution context before chroot() call. From Russell Coker via Colin watson; bz#1726 ok dtucker@ --- ChangeLog | 3 +++ session.c | 8 ++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index cf3558c00..c569328f5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ [servconf.c] from portable: getcwd(NULL, 0) doesn't work on all platforms, so use a stack buffer; ok dtucker@ + - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms - + set up SELinux execution context before chroot() call. From Russell + Coker via Colin watson; bz#1726 ok dtucker@ 20100324 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory diff --git a/session.c b/session.c index 639405fec..e032de692 100644 --- a/session.c +++ b/session.c 
@@ -1551,6 +1551,10 @@ do_setusercontext(struct passwd *pw) } #endif /* HAVE_SETPCRED */ +#ifdef WITH_SELINUX + ssh_selinux_setup_exec_context(pw->pw_name); +#endif + if (options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0) { tmp = tilde_expand_filename(options.chroot_directory, @@ -1575,10 +1579,6 @@ do_setusercontext(struct passwd *pw) if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); - -#ifdef WITH_SELINUX - ssh_selinux_setup_exec_context(pw->pw_name); -#endif } static void -- cgit v1.2.3 From 6480c63b759eb8add9387220fd8ed630e0563316 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 26 Mar 2010 11:09:44 +1100 Subject: - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721 ok dtucker@ --- ChangeLog | 2 ++ channels.c | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index c569328f5..f217bd831 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms - set up SELinux execution context before chroot() call. From Russell Coker via Colin watson; bz#1726 ok dtucker@ + - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721 + ok dtucker@ 20100324 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory diff --git a/channels.c b/channels.c index d8c53a4a8..a55d27817 100644 --- a/channels.c +++ b/channels.c @@ -3252,7 +3252,11 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost, sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); if (sock < 0) { - if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { + if ((errno != EINVAL) && (errno != EAFNOSUPPORT) +#ifdef EPFNOSUPPORT + && (errno != EPFNOSUPPORT) +#endif + ) { error("socket: %.100s", strerror(errno)); freeaddrinfo(aitop); return -1; -- cgit v1.2.3 From ffd1eaadb0b97c1f172ed0ec9eda51fd368617ae Mon Sep 17 00:00:00 2001 
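Review bot: The relocated `ssh_selinux_setup_exec_context(pw->pw_name)` call in do_setusercontext() carries no comment saying that its position before the chroot block is deliberate, so a later tidy-up could move it back to the end of the function and break ChrootDirectory on SELinux again. Add a comment above the `#ifdef WITH_SELINUX`, for instance `/* Set the SELinux execution context before chroot(); doing it afterwards breaks ChrootDirectory (bz#1726). */`. The call now also runs before the final `getuid() != pw->pw_uid` check and nothing in the hunk tests whether it succeeded, so the comment should state whether a failure inside it is fatal. The function starts outside the hunk.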
From: Darren Tucker Date: Fri, 26 Mar 2010 11:16:39 +1100 Subject: - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold). --- ChangeLog | 2 ++ contrib/Makefile | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f217bd831..0243ef42f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ Coker via Colin watson; bz#1726 ok dtucker@ - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721 ok dtucker@ + - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using + pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold). 20100324 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory diff --git a/contrib/Makefile b/contrib/Makefile index 2cef46f6c..8b34eb221 100644 --- a/contrib/Makefile +++ b/contrib/Makefile @@ -9,7 +9,7 @@ gnome-ssh-askpass1: gnome-ssh-askpass1.c gnome-ssh-askpass2: gnome-ssh-askpass2.c $(CC) `pkg-config --cflags gtk+-2.0` \ gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \ - `pkg-config --libs gtk+-2.0` + `pkg-config --libs gtk+-2.0 x11` clean: rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass -- cgit v1.2.3 From df08341060fe956ec07514c75b93e7140d2ebda0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 26 Mar 2010 11:18:27 +1100 Subject: - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys; bz#1723 patch from Adeodato Simó via Colin Watson; ok dtucker@ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ChangeLog | 2 ++ contrib/ssh-copy-id | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 0243ef42f..cc6cd5c56 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -15,6 +15,8 @@ ok dtucker@ - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold). + - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys; + bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@ 20100324 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index df74d25c8..65c0a8cd8 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -19,7 +19,7 @@ if [ "-i" = "$1" ]; then shift # and this should leave $1 as the target name fi else - if [ x$SSH_AUTH_SOCK != x ] ; then + if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then GET_ID="$GET_ID ssh-add -L" fi fi -- cgit v1.2.3 From 9c60f24f01cda386a210638b036dd16294ad4b76 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 26 Mar 2010 11:28:35 +1100 Subject: - djm@cvs.openbsd.org 2010/03/26 00:26:58 [ssh.1] mention that -S none disables connection sharing; from Colin Watson --- ChangeLog | 3 +++ ssh.1 | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index cc6cd5c56..b64f17c87 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ [servconf.c] from portable: getcwd(NULL, 0) doesn't work on all platforms, so use a stack buffer; ok dtucker@ + - djm@cvs.openbsd.org 2010/03/26 00:26:58 + [ssh.1] + mention that -S none disables connection sharing; from Colin Watson - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms - set up SELinux execution context before chroot() call. From Russell Coker via Colin watson; bz#1726 ok dtucker@ diff --git a/ssh.1 b/ssh.1 index 3f815b8e7..c03771a3e 100644 --- a/ssh.1 +++ b/ssh.1 
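Review bot: On the changed line `$SSH_AUTH_SOCK` is still expanded unquoted inside `[ ... ]`, so a socket path containing whitespace or glob characters makes the test misparse before the new `ssh-add -L` probe is reached. Quote it: `if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1; then`. `ssh-add -L` is also run once here as a probe and again later through `$GET_ID`, so the agent may have been emptied in between and the later use should still tolerate empty output. The surrounding if/else starts outside the hunk.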
@@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $ -.Dd $Mdocdate: March 5 2010 $ +.\" $OpenBSD: ssh.1,v 1.303 2010/03/26 00:26:58 djm Exp $ +.Dd $Mdocdate: March 26 2010 $ .Dt SSH 1 .Os .Sh NAME @@ -558,7 +558,10 @@ argument is the listen port will be dynamically allocated on the server and reported to the client at run time. .It Fl S Ar ctl_path -Specifies the location of a control socket for connection sharing. +Specifies the location of a control socket for connection sharing +or the string +.Dq none +to disable connection sharing. Refer to the description of .Cm ControlPath and -- cgit v1.2.3 From ce3754bbf39ae2a978bdda68cf61fe311b4103d0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 26 Mar 2010 12:09:13 +1100 Subject: - dtucker@cvs.openbsd.org 2010/03/26 01:06:13 [ssh_config.5] Reformat default value of PreferredAuthentications entry (current formatting implies ", " is acceptable as a separator, which it's not. ok djm@ --- ChangeLog | 6 ++++++ ssh_config.5 | 10 +++------- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index b64f17c87..7e662faab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,12 @@ pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold). - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys; bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@ + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2010/03/26 01:06:13 + [ssh_config.5] + Reformat default value of PreferredAuthentications entry (current + formatting implies ", " is acceptable as a separator, which it's not. + ok djm@ 20100324 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory diff --git a/ssh_config.5 b/ssh_config.5 index 8cf02597d..410853560 100644 --- a/ssh_config.5 +++ b/ssh_config.5 
@@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $ -.Dd $Mdocdate: March 5 2010 $ +.\" $OpenBSD: ssh_config.5,v 1.130 2010/03/26 01:06:13 dtucker Exp $ +.Dd $Mdocdate: March 26 2010 $ .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -734,11 +734,7 @@ This allows a client to prefer one method (e.g.\& over another method (e.g.\& .Cm password ) The default for this option is: -.Do gssapi-with-mic , -hostbased, -publickey, -keyboard-interactive, -password +.Do gssapi-with-mic,hostbased,publickey,keyboard-interactive,password .Dc . .It Cm Protocol Specifies the protocol versions -- cgit v1.2.3 From 537d4dcfa0289e60ab6b964f12b4ede24f633e2e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 9 Apr 2010 13:35:23 +1000 Subject: - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong ones. Based on a patch from Roumen Petrov. --- ChangeLog | 4 ++++ contrib/cygwin/Makefile | 6 +++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7e662faab..12842f785 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20100409 + - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong + ones. Based on a patch from Roumen Petrov. + 20100326 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile index fe3ae0bbd..dc857f2ed 100644 --- a/contrib/cygwin/Makefile +++ b/contrib/cygwin/Makefile 
@@ -42,13 +42,13 @@ install-sshdoc: $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW $(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL $(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent - $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.agent - $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.agent + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys + $(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns $(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep - $(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.privsep + $(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG -- cgit v1.2.3 From c4ccb12ee49fc264a95984c2000d2248ad693a2a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 9 Apr 2010 14:04:35 +1000 Subject: - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we have it and the path is not provided to --with-libedit. Based on a patch from Iain Morgan. --- ChangeLog | 3 +++ configure.ac | 27 ++++++++++++++++++++++----- 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 12842f785..89180d15b 100644 --- a/ChangeLog +++ b/ChangeLog 
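Review bot: The install-sshdoc recipe still spells every file name twice per line, which is how PROTOCOL.certkeys, PROTOCOL.mux and README.tun came to be installed over PROTOCOL.agent and README.privsep without any error. Driving the recipe from one list removes the second copy of the name and with it this class of mistake: put the names in a new variable (called `SSHDOC_FILES` here) and use `for f in $(SSHDOC_FILES); do $(INSTALL) -m 644 $(srcdir)/$$f $(DESTDIR)$(sshdocdir)/$$f || exit 1; done`. The recipe starts outside the hunk, so the full list of files has to be taken from the file itself.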
@@ -1,6 +1,9 @@ 20100409 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong ones. Based on a patch from Roumen Petrov. + - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we + have it and the path is not provided to --with-libedit. Based on a patch + from Iain Morgan. 20100326 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection diff --git a/configure.ac b/configure.ac index 7580ff591..4e232c7e0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.446 2010/03/25 23:27:33 dtucker Exp $ +# $Id: configure.ac,v 1.447 2010/04/09 04:04:36 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.446 $) +AC_REVISION($Revision: 1.447 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -1254,7 +1254,18 @@ LIBEDIT_MSG="no" AC_ARG_WITH(libedit, [ --with-libedit[[=PATH]] Enable libedit support for sftp], [ if test "x$withval" != "xno" ; then - if test "x$withval" != "xyes"; then + if test "x$withval" = "xyes" ; then + AC_PATH_PROG(PKGCONFIG, pkg-config, no) + if test "x$PKGCONFIG" != "xno"; then + AC_MSG_CHECKING(if $PKGCONFIG knows about libedit) + if "$PKGCONFIG" libedit; then + AC_MSG_RESULT(yes) + use_pkgconfig_for_libedit=yes + else + AC_MSG_RESULT(no) + fi + fi + else CPPFLAGS="$CPPFLAGS -I${withval}/include" if test -n "${need_dash_r}"; then LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" 
@@ -1262,14 +1273,20 @@ AC_ARG_WITH(libedit, LDFLAGS="-L${withval}/lib ${LDFLAGS}" fi fi + if test "x$use_pkgconfig_for_libedit" == "xyes"; then + LIBEDIT=`$PKGCONFIG --libs-only-l libedit` + CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`" + else + LIBEDIT="-ledit -lcurses" + fi + OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'` AC_CHECK_LIB(edit, el_init, [ AC_DEFINE(USE_LIBEDIT, 1, [Use libedit for sftp]) - LIBEDIT="-ledit -lcurses" LIBEDIT_MSG="yes" AC_SUBST(LIBEDIT) ], [ AC_MSG_ERROR(libedit not found) ], - [ -lcurses ] + [ $OTHERLIBS ] ) AC_MSG_CHECKING(if libedit version is compatible) AC_COMPILE_IFELSE( -- cgit v1.2.3 From 261d93a5cfe7ceecba3daa0e8f827c21dfdc7f23 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 9 Apr 2010 18:13:27 +1000 Subject: - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@ --- ChangeLog | 2 ++ configure.ac | 36 ++++-------------------------------- defines.h | 4 ++-- loginrec.c | 31 +++++++++++++++++++++++++++++++ logintest.c | 2 +- 5 files changed, 40 insertions(+), 35 deletions(-) diff --git a/ChangeLog b/ChangeLog index 89180d15b..eca278f2f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we have it and the path is not provided to --with-libedit. Based on a patch from Iain Morgan. + - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable + utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@ 20100326 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection diff --git a/configure.ac b/configure.ac index 4e232c7e0..a564c1340 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.447 2010/04/09 04:04:36 dtucker Exp $ +# $Id: configure.ac,v 1.448 2010/04/09 08:13:27 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
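Review bot: `test "x$use_pkgconfig_for_libedit" == "xyes"` uses `==`, which POSIX `test` does not define. A shell whose builtin accepts only `=` reports an error and takes the else branch, so the pkg-config result from the previous hunk is silently replaced by the hard-coded `-ledit -lcurses`. Write `if test "x$use_pkgconfig_for_libedit" = "xyes"; then`, as the other comparisons in these hunks do. `use_pkgconfig_for_libedit` is also never initialised in the visible code, so a value inherited from the environment would be honoured; assigning `use_pkgconfig_for_libedit=no` before the pkg-config probe closes that.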
@@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.447 $) +AC_REVISION($Revision: 1.448 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) @@ -1557,8 +1557,8 @@ dnl Checks for utmp functions AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent) AC_CHECK_FUNCS(utmpname) dnl Checks for utmpx functions -AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline ) -AC_CHECK_FUNCS(setutxent utmpxname) +AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline getutxuser pututxline) +AC_CHECK_FUNCS(setutxdb setutxent utmpxname) dnl Checks for lastlog functions AC_CHECK_FUNCS(getlastlogxbyname) @@ -4087,34 +4087,6 @@ if test -n "$conf_wtmp_location"; then fi -dnl utmpx detection - I don't know any system so perverse as to require -dnl utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out -dnl there, though. -AC_MSG_CHECKING([if your system defines UTMPX_FILE]) -AC_TRY_COMPILE([ -#include -#include -#ifdef HAVE_UTMPX_H -#include -#endif -#ifdef HAVE_PATHS_H -# include -#endif - ], - [ char *utmpx = UTMPX_FILE; ], - [ AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) - system_utmpx_path=no ] -) -if test -z "$conf_utmpx_location"; then - if test x"$system_utmpx_path" = x"no" ; then - AC_DEFINE(DISABLE_UTMPX) - fi -else - AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", - [Define if you want to specify the path to your utmpx file]) -fi - dnl wtmpx detection AC_MSG_CHECKING([if your system defines WTMPX_FILE]) AC_TRY_COMPILE([ diff --git a/defines.h b/defines.h index c9b93bf71..fe25170e6 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.159 2010/01/13 23:44:34 tim Exp $ */ +/* $Id: defines.h,v 1.160 2010/04/09 08:13:27 dtucker Exp $ */ /* Constants */ 
@@ -674,7 +674,7 @@ struct winsize { #else /* Simply select your favourite login types. */ /* Can't do if-else because some systems use several... */ -# if defined(UTMPX_FILE) && !defined(DISABLE_UTMPX) +# if !defined(DISABLE_UTMPX) # define USE_UTMPX # endif # if defined(UTMP_FILE) && !defined(DISABLE_UTMP) diff --git a/loginrec.c b/loginrec.c index bca959707..6f655cb16 100644 --- a/loginrec.c +++ b/loginrec.c @@ -207,6 +207,7 @@ int syslogin_write_entry(struct logininfo *li); int getlast_entry(struct logininfo *li); int lastlog_get_entry(struct logininfo *li); +int utmpx_get_entry(struct logininfo *li); int wtmp_get_entry(struct logininfo *li); int wtmpx_get_entry(struct logininfo *li); @@ -508,6 +509,10 @@ getlast_entry(struct logininfo *li) #ifdef USE_LASTLOG return(lastlog_get_entry(li)); #else /* !USE_LASTLOG */ +#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \ + defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER) + return (utmpx_get_entry(li)); +#endif #if defined(DISABLE_LASTLOG) /* On some systems we shouldn't even try to obtain last login @@ -1608,6 +1613,32 @@ lastlog_get_entry(struct logininfo *li) #endif /* HAVE_GETLASTLOGXBYNAME */ #endif /* USE_LASTLOG */ +#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \ + defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER) +int +utmpx_get_entry(struct logininfo *li) +{ + struct utmpx *utx; + + if (setutxdb(UTXDB_LASTLOGIN, NULL) != 0) + return (0); + utx = getutxuser(li->username); + if (utx == NULL) { + endutxent(); + return (0); + } + + line_fullname(li->line, utx->ut_line, + MIN_SIZEOF(li->line, utx->ut_line)); + strlcpy(li->hostname, utx->ut_host, + MIN_SIZEOF(li->hostname, utx->ut_host)); + li->tv_sec = utx->ut_tv.tv_sec; + li->tv_usec = utx->ut_tv.tv_usec; + endutxent(); + return (1); +} +#endif /* USE_UTMPX && HAVE_SETUTXDB && UTXDB_LASTLOGIN && HAVE_GETUTXUSER */ + #ifdef USE_BTMP /* * Logs failed login attempts in _PATH_BTMP if that exists. 
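Review bot: In utmpx_get_entry() the call `strlcpy(li->hostname, utx->ut_host, MIN_SIZEOF(li->hostname, utx->ut_host))` treats `ut_host` as a C string, but strlcpy keeps reading the source until it finds a NUL in order to compute its return value. utmpx fields are fixed-size arrays that are not guaranteed to be terminated on every platform, so a host name that fills the field could be read past the end of the array, and when `ut_host` is the smaller buffer the size argument also drops its last character. Unless the targeted libc documents termination, use a bounded copy with explicit termination: `memset(li->hostname, 0, sizeof(li->hostname));`, `strncpy(li->hostname, utx->ut_host, MIN_SIZEOF(li->hostname, utx->ut_host));`, `li->hostname[sizeof(li->hostname) - 1] = '\0';`. The `ut_line` argument passed to line_fullname() deserves the same check, though that helper is not visible here.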
diff --git a/logintest.c b/logintest.c index 7e9fbbfbb..4897ae0f9 100644 --- a/logintest.c +++ b/logintest.c @@ -264,7 +264,7 @@ showOptions(void) printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE); #endif #ifdef USE_UTMPX - printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE); + printf("\tUSE_UTMPX\n"); #endif #ifdef USE_WTMP printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE); -- cgit v1.2.3 From 627337d95bee7dd8d4690238a35fffd35072d1fa Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 10 Apr 2010 22:58:01 +1000 Subject: - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo back so we disable the IPv6 tests if we don't have it. --- ChangeLog | 4 ++++ configure.ac | 15 +++++++++------ 2 files changed, 13 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index eca278f2f..39e0ba45d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20100410 + - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo + back so we disable the IPv6 tests if we don't have it. + 20100409 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong ones. Based on a patch from Roumen Petrov. diff --git a/configure.ac b/configure.ac index a564c1340..0a0e2ea15 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.448 2010/04/09 08:13:27 dtucker Exp $ +# $Id: configure.ac,v 1.449 2010/04/10 12:58:01 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -15,7 +15,7 @@ # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. AC_INIT(OpenSSH, Portable, openssh-unix-dev@mindrot.org) -AC_REVISION($Revision: 1.448 $) +AC_REVISION($Revision: 1.449 $) AC_CONFIG_SRCDIR([ssh.c]) AC_CONFIG_HEADER(config.h) 
@@ -4123,10 +4123,13 @@ dnl Adding -Werror to CFLAGS early prevents configure tests from running. dnl Add now. CFLAGS="$CFLAGS $werror_flags" -AC_CHECK_DECL(BROKEN_GETADDRINFO, - AC_SUBST(TEST_SSH_IPV6, no), - AC_SUBST(TEST_SSH_IPV6, yes) -) +if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then + TEST_SSH_IPV6=no +else + TEST_SSH_IPV6=yes +fi +AC_CHECK_DECL(BROKEN_GETADDRINFO, TEST_SSH_IPV6=no) +AC_SUBST(TEST_SSH_IPV6, $TEST_SSH_IPV6) AC_EXEEXT AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \ -- cgit v1.2.3