From b925b4b82fe60bb764e23a0115c9de73b8e0b816 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 15 Sep 2003 22:40:49 -0700 Subject: [configure.ac] Fix portability issues. --- ChangeLog | 3 ++- configure.ac | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 93d88a511..6d772746a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,7 @@ - deraadt@cvs.openbsd.org 2003/09/16 03:03:47 [buffer.c] do not expand buffer before attempting to reallocate it; markus ok + - (tim) [configure.ac] Fix portability issues. 20030914 - (dtucker) [Makefile regress/Makefile] Fix portability issues preventing @@ -1103,4 +1104,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2994 2003/09/16 03:31:03 mouring Exp $ +$Id: ChangeLog,v 1.2995 2003/09/16 05:40:49 tim Exp $ diff --git a/configure.ac b/configure.ac index ab630115b..59a2f55f6 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.154 2003/09/16 01:52:19 dtucker Exp $ +# $Id: configure.ac,v 1.155 2003/09/16 05:40:49 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -2205,7 +2205,7 @@ AC_ARG_WITH(default-path, --with-default-path=PATH has no effect on this system. Edit /etc/login.conf instead.]) elif test "x$withval" != "xno" ; then - if ! test -z "$external_path_file" ; then + if test ! -z "$external_path_file" ; then AC_MSG_WARN([ --with-default-path=PATH will only be used if PATH is not defined in $external_path_file .]) @@ -2217,7 +2217,7 @@ $external_path_file .]) [ if test "x$external_path_file" = "x/etc/login.conf" ; then AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf]) else - if ! test -z "$external_path_file" ; then + if test ! -z "$external_path_file" ; then AC_MSG_WARN([ If PATH is defined in $external_path_file, ensure the path to scp is included, otherwise scp will not work.]) 
@@ -2652,7 +2652,7 @@ echo " At runtime, sshd will use the path defined in $external_path_file" echo " Make sure the path to scp is present, otherwise scp will not work" else echo " sshd default user PATH: $I" - if ! test -z "$external_path_file"; then + if test ! -z "$external_path_file"; then echo " (If PATH is set in $external_path_file it will be used instead. If" echo " used, ensure the path to scp is present, otherwise scp will not work.)" fi -- cgit v1.2.3 From e12104839298a45ecba1dc0059494229a1bf51f3 Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Tue, 16 Sep 2003 17:23:29 +0000 Subject: - (bal) Missed dead header in inet_ntoa. --- ChangeLog | 3 ++- openbsd-compat/inet_ntoa.c | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6d772746a..2815cea8e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,7 @@ [buffer.c] do not expand buffer before attempting to reallocate it; markus ok - (tim) [configure.ac] Fix portability issues. + - (bal) Missed dead header in inet_ntoa.c 20030914 - (dtucker) [Makefile regress/Makefile] Fix portability issues preventing @@ -1104,4 +1105,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2995 2003/09/16 05:40:49 tim Exp $ +$Id: ChangeLog,v 1.2996 2003/09/16 17:23:29 mouring Exp $ diff --git a/openbsd-compat/inet_ntoa.c b/openbsd-compat/inet_ntoa.c index e0384491d..f9fdc9ee5 100644 --- a/openbsd-compat/inet_ntoa.c +++ b/openbsd-compat/inet_ntoa.c @@ -43,7 +43,6 @@ static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert E #include #include #include -#include "inet_ntoa.h" char *inet_ntoa(struct in_addr in) { -- cgit v1.2.3 From f2728099baa0fe4e6f1a8bfa321aefbf412f6543 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Wed, 17 Sep 2003 07:24:25 +1000 Subject: - (djm) Sync with V_3_7 branch --- ChangeLog | 5 ++++- auth-pam.c | 20 +++++++++++--------- contrib/caldera/openssh.spec | 6 +++--- contrib/redhat/openssh.spec | 6 +++--- contrib/suse/openssh.spec | 2 +- openbsd-compat/inet_ntoa.c | 1 + 6 files changed, 23 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2815cea8e..71e501d00 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20030917 + - (djm) Sync with V_3_7 branch + 20030916 - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve PATH (or SUPATH) and UMASK from /etc/default/login on platforms that have it @@ -1105,4 +1108,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2996 2003/09/16 17:23:29 mouring Exp $ +$Id: ChangeLog,v 1.2997 2003/09/16 21:24:25 djm Exp $ diff --git a/auth-pam.c b/auth-pam.c index 806c80860..22706c5d6 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.72 2003/09/13 12:12:11 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.73 2003/09/16 21:24:25 djm Exp $"); #ifdef USE_PAM #include @@ -672,17 +672,19 @@ do_pam_chauthtok(void) int do_pam_putenv(char *name, char *value) { - char *compound; int ret = 1; - #ifdef HAVE_PAM_PUTENV - compound = xmalloc(strlen(name)+strlen(value)+2); - if (compound) { - sprintf(compound,"%s=%s",name,value); - ret = pam_putenv(sshpam_handle,compound); - xfree(compound); - } + char *compound; + size_t len; + + len = strlen(name) + strlen(value) + 2; + compound = xmalloc(len); + + snprintf(compound, len, "%s=%s", name, value); + ret = pam_putenv(sshpam_handle, compound); + xfree(compound); #endif + return (ret); } 
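Review bot: do_pam_putenv() has no comment stating its return contract, and the rewritten body makes that contract easy to misread. `ret` starts at 1 and is only overwritten inside `#ifdef HAVE_PAM_PUTENV`, so a build without pam_putenv() returns 1 without exporting anything. I would add above the function `/* Returns the pam_putenv() status, or 1 when pam_putenv() is not available. */` so callers know a non-zero result can mean the variable was never set. The size passed to snprintf() equals the allocation, so truncation is not a concern; `name` and `value` are assumed non-NULL, which the callers outside this hunk have to guarantee.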
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 8e97c3818..8e8ac44d6 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,9 +17,9 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 3.6.1p2 + %define version 3.7p1 %define cvs %{nil} - %define release 2 + %define release 1 %else %define version 2.9.9p2 %define cvs cvs20011009 @@ -364,4 +364,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.43 2003/04/29 13:22:40 djm Exp $ +$Id: openssh.spec,v 1.44 2003/09/16 21:24:25 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 656e692e8..ce7c564c3 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,5 +1,5 @@ -%define ver 3.6.1p2 -%define rel 3 +%define ver 3.7p1 +%define rel 1 # OpenSSH privilege separation requires a user & group ID %define sshd_uid 74 @@ -84,7 +84,7 @@ BuildPreReq: /bin/login %if ! %{build6x} BuildPreReq: glibc-devel, pam %else -BuildPreReq: db1-devel, /usr/include/security/pam_appl.h +BuildPreReq: /usr/include/security/pam_appl.h %endif %if ! %{no_x11_askpass} BuildPreReq: XFree86-devel diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 707c3a221..ca7437bd6 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 3.6.1p2 +Version: 3.7p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/openbsd-compat/inet_ntoa.c b/openbsd-compat/inet_ntoa.c index f9fdc9ee5..e0384491d 100644 --- a/openbsd-compat/inet_ntoa.c +++ b/openbsd-compat/inet_ntoa.c @@ -43,6 +43,7 @@ static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert E #include #include #include +#include "inet_ntoa.h" char *inet_ntoa(struct in_addr in) { -- cgit v1.2.3 
From 5efcecc26525b58f699997697e6114fd83708733 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Sep 2003 07:31:14 +1000 Subject: - (djm) OpenBSD Sync - markus@cvs.openbsd.org 2003/09/16 21:02:40 [buffer.c channels.c version.h] more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU --- ChangeLog | 6 +++++- buffer.c | 15 ++++++++++----- channels.c | 7 ++++--- version.h | 4 ++-- 4 files changed, 21 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 71e501d00..440e56a17 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ 20030917 - (djm) Sync with V_3_7 branch + - (djm) OpenBSD Sync + - markus@cvs.openbsd.org 2003/09/16 21:02:40 + [buffer.c channels.c version.h] + more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU 20030916 - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve @@ -1108,4 +1112,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2997 2003/09/16 21:24:25 djm Exp $ +$Id: ChangeLog,v 1.2998 2003/09/16 21:31:14 djm Exp $ diff --git a/buffer.c b/buffer.c index 8ff8c2f48..aee293f8b 100644 --- a/buffer.c +++ b/buffer.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: buffer.c,v 1.17 2003/09/16 03:03:47 deraadt Exp $"); +RCSID("$OpenBSD: buffer.c,v 1.18 2003/09/16 21:02:39 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -23,8 +23,11 @@ RCSID("$OpenBSD: buffer.c,v 1.17 2003/09/16 03:03:47 deraadt Exp $"); void buffer_init(Buffer *buffer) { - buffer->alloc = 4096; - buffer->buf = xmalloc(buffer->alloc); + const u_int len = 4096; + + buffer->alloc = 0; + buffer->buf = xmalloc(len); + buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } 
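Review bot: The reason `buffer->alloc` is zeroed before the xmalloc() call is not stated in buffer_init(), and `buffer->buf` is still indeterminate during that window. Judging by the guard added to buffer_free() in the same commit, the intent seems to be that a cleanup path running after a failed allocation sees `alloc == 0` and leaves the pointer alone. A comment such as `/* alloc stays 0 until buf is valid, so buffer_free() skips a half-initialised Buffer */` would record that. Adding `buffer->buf = NULL;` next to `buffer->alloc = 0;` would also give any other reader of the struct a defined value.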
@@ -34,8 +37,10 @@ buffer_init(Buffer *buffer) void buffer_free(Buffer *buffer) { - memset(buffer->buf, 0, buffer->alloc); - xfree(buffer->buf); + if (buffer->alloc > 0) { + memset(buffer->buf, 0, buffer->alloc); + xfree(buffer->buf); + } } /* diff --git a/channels.c b/channels.c index 65a6a7f00..3d75c8f2b 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.194 2003/08/29 10:04:36 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.195 2003/09/16 21:02:40 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -229,12 +229,13 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; - channels_alloc += 10; if (channels_alloc > 10000) fatal("channel_new: internal error: channels_alloc %d " "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel *)); + channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); for (i = found; i < channels_alloc; i++) channels[i] = NULL; } diff --git a/version.h b/version.h index 37e0c22ab..20daac42a 100644 --- a/version.h +++ b/version.h @@ -1,3 +1,3 @@ -/* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */ +/* $OpenBSD: version.h,v 1.39 2003/09/16 21:02:40 markus Exp $ */ -#define SSH_VERSION "OpenSSH_3.7p1" +#define SSH_VERSION "OpenSSH_3.7.1p1" -- cgit v1.2.3 From e007cf7fa45f59c7e3504247ebd10e8e42628a7e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Sep 2003 07:32:17 +1000 Subject: - (djm) Crank RPM spec file versions --- ChangeLog | 5 +++-- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 440e56a17..d450a8553 100644 --- a/ChangeLog +++ b/ChangeLog 
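Review bot: buffer_free() leaves `buffer->alloc` and `buffer->buf` unchanged after xfree(), so the new `alloc > 0` guard does not cover a Buffer that has already been freed once. A second call would memset and free the same pointer again. Resetting the fields inside the guarded block, `buffer->alloc = 0;` and `buffer->buf = NULL;` directly after `xfree(buffer->buf);`, makes the guard hold for both the never-initialised and the already-freed case. Whether any caller or cleanup path can reach buffer_free() twice is not visible from this hunk.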
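Review bot: The `channels_alloc > 10000` check in channel_new() now runs against the size before growth, whereas the removed line incremented first. The array can therefore end up ten slots larger than the old limit allowed. If the limit is meant to bound the resulting size, test the grown value with `if (channels_alloc + 10 > 10000)`. Moving the increment after xrealloc() keeps the counter in step with the real array size if the allocation fails, and that ordering deserves a short comment so it is not "tidied" back later. channel_new() starts and ends outside this hunk.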
@@ -4,7 +4,8 @@ - markus@cvs.openbsd.org 2003/09/16 21:02:40 [buffer.c channels.c version.h] more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU - + - (djm) Crank RPM spec file versions + 20030916 - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve PATH (or SUPATH) and UMASK from /etc/default/login on platforms that have it @@ -1112,4 +1113,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2998 2003/09/16 21:31:14 djm Exp $ +$Id: ChangeLog,v 1.2999 2003/09/16 21:32:17 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 8e8ac44d6..6cdfa83e9 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 3.7p1 + %define version 3.7.1p1 %define cvs %{nil} %define release 1 %else @@ -364,4 +364,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.44 2003/09/16 21:24:25 djm Exp $ +$Id: openssh.spec,v 1.45 2003/09/16 21:32:18 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index ce7c564c3..b65f37839 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 3.7p1 +%define ver 3.7.1p1 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index ca7437bd6..be6971d6e 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 3.7p1 +Version: 3.7.1p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 From 628c8732307100700f58b4baf6ea9af3a32133ea Mon Sep 17 00:00:00 2001 
From: Tim Rice Date: Wed, 17 Sep 2003 13:20:33 -0700 Subject: [openbsd-compat/inet_ntoa.c] 20030917 "Sync with V_3_7 branch" undid 20030916 "Missed dead header in inet_ntoa.c" --- ChangeLog | 4 +++- openbsd-compat/inet_ntoa.c | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d450a8553..bc5b49eea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ [buffer.c channels.c version.h] more malloc/fatal fixes; ok millert/deraadt; ghudson at MIT.EDU - (djm) Crank RPM spec file versions + - (tim) [openbsd-compat/inet_ntoa.c] 20030917 "Sync with V_3_7 branch" undid + 20030916 "Missed dead header in inet_ntoa.c" 20030916 - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve @@ -1113,4 +1115,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.2999 2003/09/16 21:32:17 djm Exp $ +$Id: ChangeLog,v 1.3000 2003/09/17 20:20:33 tim Exp $ diff --git a/openbsd-compat/inet_ntoa.c b/openbsd-compat/inet_ntoa.c index e0384491d..f9fdc9ee5 100644 --- a/openbsd-compat/inet_ntoa.c +++ b/openbsd-compat/inet_ntoa.c @@ -43,7 +43,6 @@ static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert E #include #include #include -#include "inet_ntoa.h" char *inet_ntoa(struct in_addr in) { -- cgit v1.2.3 From 5d07e6d46518c3b74e98c153795f753c79740ba2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 18 Sep 2003 18:25:46 +1000 Subject: 20030918 - (djm) Bug #652: Fix empty password auth --- ChangeLog | 5 ++++- auth-passwd.c | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index bc5b49eea..55c0ef223 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20030918 + - (djm) Bug #652: Fix empty password auth + 20030917 - (djm) Sync with V_3_7 branch - (djm) OpenBSD Sync 
@@ -1115,4 +1118,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3000 2003/09/17 20:20:33 tim Exp $ +$Id: ChangeLog,v 1.3001 2003/09/18 08:25:46 djm Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index 95cc134de..971c7ba19 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -143,7 +143,7 @@ auth_password(Authctxt *authctxt, const char *password) char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; /* Check for users with no password. */ - if (strcmp(pw_password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) + if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) return ok; else { /* Encrypt the candidate password using the proper salt. */ -- cgit v1.2.3 From 677179f23a332c0d1e17fd0d00f5ffd5c4b311cb Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 19 Sep 2003 16:30:14 +1000 Subject: - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; djast AT cs.toronto.edu --- ChangeLog | 6 +++++- INSTALL | 8 +------- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 55c0ef223..5604deeca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20030919 + - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; + djast AT cs.toronto.edu + 20030918 - (djm) Bug #652: Fix empty password auth @@ -1118,4 +1122,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3001 2003/09/18 08:25:46 djm Exp $ +$Id: ChangeLog,v 1.3002 2003/09/19 06:30:14 djm Exp $ diff --git a/INSTALL b/INSTALL index 93070b105..a78112202 100644 --- a/INSTALL +++ b/INSTALL 
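Review bot: The comment above the corrected test in auth_password() still reads "Check for users with no password", which omits that the supplied password must be empty as well, the very condition this commit repairs. I would reword it to `/* Accept only when the stored password and the supplied one are both empty. */`. Whether empty-password logins are permitted by configuration has to be decided before this branch; that check is not visible in the hunk, so it is worth confirming that it precedes this code. `password` is passed straight to strcmp() and is assumed non-NULL. auth_password() begins and ends outside the hunk.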
@@ -161,12 +161,6 @@ created. --with-xauth=PATH specifies the location of the xauth binary ---with-ipv4-default instructs OpenSSH to use IPv4 by default for new -connections. Normally OpenSSH will try attempt to lookup both IPv6 and -IPv4 addresses. On Linux/glibc-2.1.2 this causes long delays in name -resolution. If this option is specified, you can still attempt to -connect to IPv6 addresses using the command line option '-6'. - --with-ssl-dir=DIR allows you to specify where your OpenSSL libraries are installed. @@ -217,4 +211,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.56 2003/05/24 01:41:16 dtucker Exp $ +$Id: INSTALL,v 1.57 2003/09/19 06:30:14 djm Exp $ -- cgit v1.2.3 From f09ad861e62978d4f6d77453977d7b58d63caf07 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 19 Sep 2003 16:41:01 +1000 Subject: - (djm) Bug #661: Remove duplicate check for basename; from bugzilla-openssh AT thewrittenword.com --- ChangeLog | 4 +++- configure.ac | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5604deeca..b77f881ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; djast AT cs.toronto.edu + - (djm) Bug #661: Remove duplicate check for basename; from + bugzilla-openssh AT thewrittenword.com 20030918 - (djm) Bug #652: Fix empty password auth @@ -1122,4 +1124,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3002 2003/09/19 06:30:14 djm Exp $ +$Id: ChangeLog,v 1.3003 2003/09/19 06:41:01 djm Exp $ diff --git a/configure.ac b/configure.ac index 59a2f55f6..7f96c0473 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.155 2003/09/16 05:40:49 tim Exp $ +# $Id: configure.ac,v 1.156 2003/09/19 06:41:02 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -712,7 +712,7 @@ AC_ARG_WITH(tcp-wrappers, dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS(\ - arc4random __b64_ntop b64_ntop __b64_pton b64_pton basename \ + arc4random __b64_ntop b64_ntop __b64_pton b64_pton \ bcopy bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ getpeereid _getpty getrlimit getttyent glob inet_aton \ -- cgit v1.2.3 From 968c8d25e9201e4b75b56951df9082af5ed0499a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 19 Sep 2003 16:58:21 +1000 Subject: - (djm) Bug #641: Allow RedHat RPM building without GTK-2; Patch from jason AT devrandom.org --- ChangeLog | 4 +++- contrib/redhat/openssh.spec | 5 +++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index b77f881ca..33318e460 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ djast AT cs.toronto.edu - (djm) Bug #661: Remove duplicate check for basename; from bugzilla-openssh AT thewrittenword.com + - (djm) Bug #641: Allow RedHat RPM building without GTK-2; Patch from + jason AT devrandom.org 20030918 - (djm) Bug #652: Fix empty password auth @@ -1124,4 +1126,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3003 2003/09/19 06:41:01 djm Exp $ +$Id: ChangeLog,v 1.3004 2003/09/19 06:58:21 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index b65f37839..9c75c0339 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec 
@@ -34,6 +34,11 @@ %{?skip_x11_askpass:%define no_x11_askpass 1} %{?skip_gnome_askpass:%define no_gnome_askpass 1} +# Add option to build without GTK2 for older platforms with only GTK+. +# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples. +# rpm -ba|--rebuild --define 'no_gtk2 1' +%{?no_gtk2:%define gtk2 0} + # Is this a build for RHL 6.x or earlier? %{?build_6x:%define build6x 1} -- cgit v1.2.3 From 8040939f7269fa2adfe3deb264c2c2c6d1d93407 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 19 Sep 2003 17:05:24 +1000 Subject: - (djm) Bug #646: Fix location of x11-ssh-askpass; Jim --- ChangeLog | 3 ++- INSTALL | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 33318e460..0293a4114 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ bugzilla-openssh AT thewrittenword.com - (djm) Bug #641: Allow RedHat RPM building without GTK-2; Patch from jason AT devrandom.org + - (djm) Bug #646: Fix location of x11-ssh-askpass; Jim 20030918 - (djm) Bug #652: Fix empty password auth @@ -1126,4 +1127,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3004 2003/09/19 06:58:21 djm Exp $ +$Id: ChangeLog,v 1.3005 2003/09/19 07:05:24 djm Exp $ diff --git a/INSTALL b/INSTALL index a78112202..224a2dac2 100644 --- a/INSTALL +++ b/INSTALL @@ -33,7 +33,7 @@ http://www.gnome.org/ Alternatively, Jim Knoble has written an excellent X11 passphrase requester. This is maintained separately at: -http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html +http://www.jmknoble.net/software/x11-ssh-askpass/ PRNGD: @@ -211,4 +211,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.57 2003/09/19 06:30:14 djm Exp $ +$Id: INSTALL,v 1.58 2003/09/19 07:05:24 djm Exp $ -- cgit v1.2.3 From 91acbf211c2d7508155daf75461435333254093a Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Fri, 19 Sep 2003 20:43:38 +1000 Subject: - (dtucker) [openbsd-compat/port-aix.h] Bug #640: Don't include audit.h unless required. Reorder to reduce warnings. --- ChangeLog | 4 +++- openbsd-compat/port-aix.h | 6 +++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0293a4114..dd2609ae7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ - (djm) Bug #641: Allow RedHat RPM building without GTK-2; Patch from jason AT devrandom.org - (djm) Bug #646: Fix location of x11-ssh-askpass; Jim + - (dtucker) [openbsd-compat/port-aix.h] Bug #640: Don't include audit.h + unless required. Reorder to reduce warnings. 20030918 - (djm) Bug #652: Fix empty password auth @@ -1127,4 +1129,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3005 2003/09/19 07:05:24 djm Exp $ +$Id: ChangeLog,v 1.3006 2003/09/19 10:43:38 dtucker Exp $ diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 09e7f9e97..b2a48cba9 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.14 2003/08/29 16:59:52 mouring Exp $ */ +/* $Id: port-aix.h,v 1.15 2003/09/19 10:43:38 dtucker Exp $ */ /* * @@ -30,10 +30,10 @@ #ifdef WITH_AIXAUTHENTICATE # include # include -# include -# ifdef HAVE_SYS_AUDIT_H +# if defined(HAVE_SYS_AUDIT_H) && defined(AIX_LOGINFAILED_4ARG) # include # endif +# include #endif /* Some versions define r_type in the above headers, which causes a conflict */ -- cgit v1.2.3 From c11b1e84204e0ff449e9f3c50b990264a54f8921 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Fri, 19 Sep 2003 20:56:51 +1000 Subject: - (dtucker) [session.c] Bug #643: Fix size_t -> u_int and fix null deref when /etc/default/login doesn't exist or isn't readable. Fixes from jparsons-lists at saffron.net and georg.oppenberg at deu mci com. --- ChangeLog | 5 ++++- session.c | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index dd2609ae7..fddf3314c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ - (djm) Bug #646: Fix location of x11-ssh-askpass; Jim - (dtucker) [openbsd-compat/port-aix.h] Bug #640: Don't include audit.h unless required. Reorder to reduce warnings. + - (dtucker) [session.c] Bug #643: Fix size_t -> u_int and fix null deref + when /etc/default/login doesn't exist or isn't readable. Fixes from + jparsons-lists at saffron.net and georg.oppenberg at deu mci com. 20030918 - (djm) Bug #652: Fix empty password auth @@ -1129,4 +1132,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3006 2003/09/19 10:43:38 dtucker Exp $ +$Id: ChangeLog,v 1.3007 2003/09/19 10:56:51 dtucker Exp $ diff --git a/session.c b/session.c index 4497f5c0b..616fee971 100644 --- a/session.c +++ b/session.c @@ -912,8 +912,7 @@ static void read_etc_default_login(char ***env, u_int *envsize, uid_t uid) { char **tmpenv = NULL, *var; - u_int i; - size_t tmpenvsize = 0; + u_int i, tmpenvsize = 0; mode_t mask; /* @@ -923,6 +922,9 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid) */ read_environment_file(&tmpenv, &tmpenvsize, "/etc/default/login"); + if (tmpenv == NULL) + return; + if (uid == 0) var = child_get_env(tmpenv, "SUPATH"); else -- cgit v1.2.3 From 4724d96ca8af844c0c5446388e82e728e2b8c55e Mon Sep 17 00:00:00 2001 
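Review bot: The new early return on `tmpenv == NULL` in read_etc_default_login() is silent and uncommented, so the code does not show why it is there. Going by the ChangeLog entry, it presumably keeps a NULL environment away from the child_get_env() calls that follow. A one-line comment such as `/* nothing was read (file missing or unreadable): leave env untouched */` would record that. A debug-level log line at the same spot would help when PATH or UMASK from /etc/default/login unexpectedly fails to apply. The rest of the function lies outside the hunk.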
From: Darren Tucker Date: Fri, 19 Sep 2003 21:25:23 +1000 Subject: - (dtucker) [acconfig.h] Updated basename test needs HAVE_BASENAME --- ChangeLog | 3 ++- acconfig.h | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index fddf3314c..dade63953 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,7 @@ - (dtucker) [session.c] Bug #643: Fix size_t -> u_int and fix null deref when /etc/default/login doesn't exist or isn't readable. Fixes from jparsons-lists at saffron.net and georg.oppenberg at deu mci com. + - (dtucker) [acconfig.h] Updated basename test needs HAVE_BASENAME 20030918 - (djm) Bug #652: Fix empty password auth @@ -1132,4 +1133,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3007 2003/09/19 10:56:51 dtucker Exp $ +$Id: ChangeLog,v 1.3008 2003/09/19 11:25:23 dtucker Exp $ diff --git a/acconfig.h b/acconfig.h index 9bfb9b6c9..d0897d6b6 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.166 2003/09/16 01:52:19 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.167 2003/09/19 11:25:24 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -89,6 +89,9 @@ /* Define if you have the getuserattr function. */ #undef HAVE_GETUSERATTR +/* Define if you have the basename function. */ +#undef HAVE_BASENAME + /* Work around problematic Linux PAM modules handling of PAM_TTY */ #undef PAM_TTY_KLUDGE -- cgit v1.2.3 From 782390e62e6a71ad2acf59b8f58e2957afc9dd0f Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 10:58:55 +1000 Subject: - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree builds. Portability corrections from tim@. --- ChangeLog | 6 +++++- Makefile.in | 15 ++++++++++----- 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index dade63953..43f28ab10 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,7 @@ +20030923 + - (dtucker) [configure.ac] Bug #644: Fix "make clean" for out-of-tree + builds. Portability corrections from tim@. + 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; djast AT cs.toronto.edu @@ -1133,4 +1137,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3008 2003/09/19 11:25:23 dtucker Exp $ +$Id: ChangeLog,v 1.3009 2003/09/22 00:58:55 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index 8a8774461..4368132e5 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.249 2003/09/14 01:40:36 dtucker Exp $ +# $Id: Makefile.in,v 1.250 2003/09/22 00:58:56 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -192,20 +192,18 @@ ssh_prng_cmds.out: ssh_prng_cmds moduli: echo -clean: +clean: regressclean rm -f *.o *.a $(TARGETS) logintest config.cache config.log rm -f *.out core (cd openbsd-compat && $(MAKE) clean) - (cd regress && $(MAKE) clean) -distclean: +distclean: regressclean rm -f *.o *.a $(TARGETS) logintest config.cache config.log rm -f *.out core rm -f Makefile config.h config.status ssh_prng_cmds *~ rm -rf autom4te.cache (cd openbsd-compat && $(MAKE) distclean) (cd scard && $(MAKE) distclean) - (cd regress && $(MAKE) distclean) veryclean: distclean rm -f configure config.h.in *.0 @@ -373,6 +371,8 @@ uninstall: tests: $(TARGETS) BUILDDIR=`pwd`; \ [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ + [ -f `pwd`/regress/Makefile ] || \ + ln -s $(srcdir)/regress/Makefile `pwd`/regress/Makefile ; \ TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \ 
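Review bot: The symlink created in the `tests` target uses `$(srcdir)` as written, but a symlink target is resolved relative to the directory that holds the link, not the directory make runs in. With a relative `srcdir`, as in an out-of-tree build configured via `../src/configure`, the new `regress/Makefile` link would point at a path that does not exist. Making the target absolute avoids that, for example ``ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile``. The `tests` recipe continues past the end of this hunk.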
@@ -398,3 +398,8 @@ tests: $(TARGETS) TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \ EXEEXT="$(EXEEXT)" \ $@ + +regressclean: + if [ -f regress/Makefile -a -r regress/Makefile ]; then \ + (cd regress && $(MAKE) clean) \ + fi -- cgit v1.2.3 From 8a49dd107b0921b033753e6119e46b59b38e58a2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 10:59:34 +1000 Subject: Wrong filename --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 43f28ab10..480d42f91 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,5 @@ 20030923 - - (dtucker) [configure.ac] Bug #644: Fix "make clean" for out-of-tree + - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree builds. Portability corrections from tim@. 20030919 @@ -1137,4 +1137,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3009 2003/09/22 00:58:55 dtucker Exp $ +$Id: ChangeLog,v 1.3010 2003/09/22 00:59:34 dtucker Exp $ -- cgit v1.2.3 From 20379a37fa82030fcf46fac963e9f344dab03196 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 11:07:40 +1000 Subject: - (dtucker) [configure.ac] Bug #655: uid swapping issues on Mac OS X. Patch from max at quendi.de. --- ChangeLog | 4 +++- configure.ac | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 480d42f91..06e61e9e4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20030923 - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree builds. Portability corrections from tim@. + - (dtucker) [configure.ac] Bug #655: uid swapping issues on Mac OS X. + Patch from max at quendi.de. 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; 
@@ -1137,4 +1139,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3010 2003/09/22 00:59:34 dtucker Exp $ +$Id: ChangeLog,v 1.3011 2003/09/22 01:07:40 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 7f96c0473..538ecd2d9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.156 2003/09/19 06:41:02 djm Exp $ +# $Id: configure.ac,v 1.157 2003/09/22 01:07:40 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -131,6 +131,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) }], [AC_MSG_RESULT(working)], [AC_MSG_RESULT(buggy) AC_DEFINE(BROKEN_GETADDRINFO)], + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) [AC_MSG_RESULT(assume it is working)]) ;; *-*-hpux10.26) -- cgit v1.2.3 From ed9eb02326f653be1a76b5772bbe9a1632114f57 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 11:18:47 +1000 Subject: - (dtucker) [configure.ac] Bug #657: uid swappping issues on BSDi. --- ChangeLog | 3 ++- configure.ac | 7 ++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 06e61e9e4..df175c219 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ builds. Portability corrections from tim@. - (dtucker) [configure.ac] Bug #655: uid swapping issues on Mac OS X. Patch from max at quendi.de. + - (dtucker) [configure.ac] Bug #657: uid swappping issues on BSDi. 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1139,4 +1140,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3011 2003/09/22 01:07:40 dtucker Exp $ +$Id: ChangeLog,v 1.3012 2003/09/22 01:18:47 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 538ecd2d9..5d1f85012 100644 --- a/configure.ac +++ b/configure.ac 
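Review bot: The three added AC_DEFINE lines sit after the comma that closes the "buggy" argument and directly before `[AC_MSG_RESULT(assume it is working)]`. They therefore appear to become part of the final argument of the enclosing test macro, apparently its cross-compiling branch, instead of running unconditionally for this platform case. On a native build that would leave SETEUID_BREAKS_SETUID, BROKEN_SETREUID and BROKEN_SETREGID undefined, and the uid-handling workarounds this commit is meant to enable would not be compiled in. Moving the three lines below the closing `)` of the macro call, before the `;;`, would apply them on every build for this target. The start of the macro call is outside the hunk, so the argument positions are inferred from its visible tail.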
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.157 2003/09/22 01:07:40 dtucker Exp $ +# $Id: configure.ac,v 1.158 2003/09/22 01:18:47 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -230,6 +230,11 @@ mips-sony-bsd|mips-sony-newsos4) *-*-freebsd*) check_for_libcrypt_later=1 ;; +*-*-bsdi*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) + ;; *-next-*) conf_lastlog_location="/usr/adm/lastlog" conf_utmp_location=/etc/utmp -- cgit v1.2.3 From ed92b213212336d49417c1e7dae41caf6c63b2db Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 11:26:16 +1000 Subject: - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64. --- ChangeLog | 5 +++-- configure.ac | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index df175c219..f88c0bb5d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,7 +3,8 @@ builds. Portability corrections from tim@. - (dtucker) [configure.ac] Bug #655: uid swapping issues on Mac OS X. Patch from max at quendi.de. - - (dtucker) [configure.ac] Bug #657: uid swappping issues on BSDi. + - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi. + - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64. 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1140,4 +1141,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3012 2003/09/22 01:18:47 dtucker Exp $ +$Id: ChangeLog,v 1.3013 2003/09/22 01:26:16 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 5d1f85012..88aa481a7 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.158 2003/09/22 01:18:47 dtucker Exp $ +# $Id: configure.ac,v 1.159 2003/09/22 01:26:16 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -403,6 +403,9 @@ mips-sony-bsd|mips-sony-newsos4) fi AC_DEFINE(DISABLE_FD_PASSING) AC_DEFINE(BROKEN_GETADDRINFO) + AC_DEFINE(SETEIUD_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") ;; -- cgit v1.2.3 From 00130115294af62753cd03c85fcdbcbcf63bc8bb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 11:40:24 +1000 Subject: - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS. Patch from david.haughton at ncr.com --- ChangeLog | 4 +++- configure.ac | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f88c0bb5d..6057cc8f8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ Patch from max at quendi.de. - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi. - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64. + - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS. + Patch from david.haughton at ncr.com 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1141,4 +1143,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3013 2003/09/22 01:26:16 dtucker Exp $ +$Id: ChangeLog,v 1.3014 2003/09/22 01:40:24 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 88aa481a7..3a503d994 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.159 2003/09/22 01:26:16 dtucker Exp $ +# $Id: configure.ac,v 1.160 2003/09/22 01:40:25 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -286,6 +286,9 @@ mips-sony-bsd|mips-sony-newsos4) LIBS="$LIBS -lc89" AC_DEFINE(USE_PIPES) AC_DEFINE(SSHD_ACQUIRES_CTTY) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) ;; *-sni-sysv*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" -- cgit v1.2.3 
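Review bot: `AC_DEFINE(SETEIUD_BREAKS_SETUID)` in the `@@ -403,6 +403,9 @@` hunk of configure.ac misspells the symbol; every other platform case in this series defines `SETEUID_BREAKS_SETUID`. As written, this case defines a name nothing else on the page uses, so the intended uid-swapping workaround is presumably never enabled for this platform. The line should read `AC_DEFINE(SETEUID_BREAKS_SETUID)`. The enclosing case pattern starts outside the hunk.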
From be79af1dfedfd43d4f432da0a98971d667f25d77 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 11:58:21 +1000 Subject: - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6. Part of patch supplied by bugzilla-openssh at thewrittenword.com --- ChangeLog | 4 +++- configure.ac | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6057cc8f8..dace988b1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64. - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS. Patch from david.haughton at ncr.com + - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6. + Part of patch supplied by bugzilla-openssh at thewrittenword.com 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1143,4 +1145,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3014 2003/09/22 01:40:24 dtucker Exp $ +$Id: ChangeLog,v 1.3015 2003/09/22 01:58:21 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 3a503d994..b602e915b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.160 2003/09/22 01:40:25 dtucker Exp $ +# $Id: configure.ac,v 1.161 2003/09/22 01:58:21 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -201,6 +201,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(WITH_IRIX_AUDIT) AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) AC_DEFINE(BROKEN_INET_NTOA) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; -- cgit v1.2.3 From d5e082f0d52f652ba50fe33c97f62442d6619045 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Mon, 22 Sep 2003 12:08:23 +1000 Subject: - (dtucker) [configure.ac openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems with where gai_strerror is defined as "const char *". Part of patch supplied by bugzilla-openssh at thewrittenword.com --- ChangeLog | 6 +++++- configure.ac | 19 +++++++++++++++++-- openbsd-compat/fake-rfc2553.c | 6 +++++- openbsd-compat/fake-rfc2553.h | 4 ++-- 4 files changed, 29 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index dace988b1..78a258ffe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ Patch from david.haughton at ncr.com - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6. Part of patch supplied by bugzilla-openssh at thewrittenword.com + - (dtucker) [configure.ac openbsd-compat/fake-rfc2553.c + openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems with + where gai_strerror is defined as "const char *". Part of patch supplied + by bugzilla-openssh at thewrittenword.com 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1145,4 +1149,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3015 2003/09/22 01:58:21 dtucker Exp $ +$Id: ChangeLog,v 1.3016 2003/09/22 02:08:23 dtucker Exp $ diff --git a/configure.ac b/configure.ac index b602e915b..7a4bd6ffc 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.161 2003/09/22 01:58:21 dtucker Exp $ +# $Id: configure.ac,v 1.162 2003/09/22 02:08:23 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -731,7 +731,7 @@ dnl Checks for library functions. Please keep in alphabetical order AC_CHECK_FUNCS(\ arc4random __b64_ntop b64_ntop __b64_pton b64_pton \ bcopy bindresvport_sa clock fchmod fchown freeaddrinfo futimes \ - gai_strerror getaddrinfo getcwd getgrouplist getnameinfo getopt \ + getaddrinfo getcwd getgrouplist getnameinfo getopt \ getpeereid _getpty getrlimit getttyent glob inet_aton \ inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \ mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ @@ -743,6 +743,21 @@ AC_CHECK_FUNCS(\ truncate utimes vhangup vsnprintf waitpid \ ) +# IRIX has a const char return value for gai_strerror() +AC_CHECK_FUNCS(gai_strerror,[ + AC_DEFINE(HAVE_GAI_STRERROR) + AC_TRY_COMPILE([ +#include +#include +#include + +const char *gai_strerror(int);],[ +char *str; + +str = gai_strerror(0);],[ + AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, + [Define if gai_strerror() returns const char *])])]) + AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) dnl Make sure prototypes are defined for these before using them. diff --git a/openbsd-compat/fake-rfc2553.c b/openbsd-compat/fake-rfc2553.c index f44924836..0186b5300 100644 --- a/openbsd-compat/fake-rfc2553.c +++ b/openbsd-compat/fake-rfc2553.c @@ -37,7 +37,7 @@ #include "includes.h" -RCSID("$Id: fake-rfc2553.c,v 1.4 2003/06/13 22:43:23 djm Exp $"); +RCSID("$Id: fake-rfc2553.c,v 1.5 2003/09/22 02:08:23 dtucker Exp $"); #ifndef HAVE_GETNAMEINFO int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, @@ -77,7 +77,11 @@ int getnameinfo(const struct sockaddr *sa, size_t salen, char *host, #endif /* !HAVE_GETNAMEINFO */ #ifndef HAVE_GAI_STRERROR +#ifdef HAVE_CONST_GAI_STRERROR_PROTO +const char * +#else char * +#endif gai_strerror(int err) { switch (err) { diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h index b70b928f8..bf727ceac 100644 --- a/openbsd-compat/fake-rfc2553.h +++ b/openbsd-compat/fake-rfc2553.h 
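Review bot: The `#ifdef HAVE_CONST_GAI_STRERROR_PROTO` branch added in the `@@ -77,7 +77,11 @@` hunk of fake-rfc2553.c looks unreachable. It sits inside `#ifndef HAVE_GAI_STRERROR`, while the configure.ac test in this commit defines `HAVE_CONST_GAI_STRERROR_PROTO` only in the found-action of `AC_CHECK_FUNCS(gai_strerror, ...)`, next to `AC_DEFINE(HAVE_GAI_STRERROR)`. If the two symbols are always set together, the replacement is never compiled with the `const char *` return type, and the extra `!defined(HAVE_CONST_GAI_STRERROR_PROTO)` in fake-rfc2553.h changes nothing. Either add a comment naming the configuration that sets the second symbol without the first, or drop the branch. In the header, the trailing `#endif /* !HAVE_GAI_STRERROR */` comment should also be updated to match the new condition.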
@@ -1,4 +1,4 @@ -/* $Id: fake-rfc2553.h,v 1.6 2003/08/29 16:59:52 mouring Exp $ */ +/* $Id: fake-rfc2553.h,v 1.7 2003/09/22 02:08:23 dtucker Exp $ */ /* * Copyright (C) 2000-2003 Damien Miller. All rights reserved. @@ -137,7 +137,7 @@ int getaddrinfo(const char *, const char *, const struct addrinfo *, struct addrinfo **); #endif /* !HAVE_GETADDRINFO */ -#ifndef HAVE_GAI_STRERROR +#if !defined(HAVE_GAI_STRERROR) && !defined(HAVE_CONST_GAI_STRERROR_PROTO) char *gai_strerror(int); #endif /* !HAVE_GAI_STRERROR */ -- cgit v1.2.3 From 8daf4b45eab80b2fa4e06f26d09f834bd2e5bb93 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 12:32:00 +1000 Subject: - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update ssh-host-config to match current defaults, bump README version. Patch from vinschen at redhat.com. --- ChangeLog | 5 ++++- contrib/cygwin/README | 2 +- contrib/cygwin/ssh-host-config | 23 ++++++++++++++--------- 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 78a258ffe..9058dfc7a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems with where gai_strerror is defined as "const char *". Part of patch supplied by bugzilla-openssh at thewrittenword.com + - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update + ssh-host-config to match current defaults, bump README version. Patch from + vinschen at redhat.com. 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1149,4 +1152,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3016 2003/09/22 02:08:23 dtucker Exp $ +$Id: ChangeLog,v 1.3017 2003/09/22 02:32:00 dtucker Exp $ diff --git a/contrib/cygwin/README b/contrib/cygwin/README index 71ea3455f..ec58964c9 100644 --- a/contrib/cygwin/README 
+++ b/contrib/cygwin/README @@ -1,4 +1,4 @@ -This package is the actual port of OpenSSH to Cygwin 1.3. +This package is the actual port of OpenSSH to Cygwin 1.5. =========================================================================== Important change since 3.4p1-2: diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index 2c6db51e5..e9c56aea9 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config @@ -279,12 +279,14 @@ then # Host * # ForwardAgent no # ForwardX11 no -# RhostsAuthentication no # RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes +# HostbasedAuthentication no # BatchMode no # CheckHostIP yes +# AddressFamily any +# ConnectTimeout 0 # StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_dsa @@ -397,7 +399,7 @@ Port $port_number #HostKey ${SYSCONFDIR}/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 3600 +#KeyRegenerationInterval 1h #ServerKeyBits 768 # Logging @@ -407,7 +409,7 @@ Port $port_number # Authentication: -#LoginGraceTime 120 +#LoginGraceTime 2m #PermitRootLogin yes # The following setting overrides permission checks on host key files # and directories. For security reasons set this to "yes" when running @@ -418,10 +420,6 @@ StrictModes no #PubkeyAuthentication yes #AuthorizedKeysFile .ssh/authorized_keys -# rhosts authentication should not be used -#RhostsAuthentication no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts #RhostsRSAAuthentication no # similar for protocol version 2 
@@ -429,6 +427,8 @@ StrictModes no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes @@ -437,6 +437,8 @@ StrictModes no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes +#AllowTcpForwarding yes +#GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes @@ -447,11 +449,14 @@ StrictModes no UsePrivilegeSeparation $privsep_used #PermitUserEnvironment no #Compression yes - +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS yes +#PidFile /var/run/sshd.pid #MaxStartups 10 + # no default banner path #Banner /some/path -#VerifyReverseMapping no # override default of no subsystems Subsystem sftp /usr/sbin/sftp-server -- cgit v1.2.3 From fbe3b36ca9386a9b32f05e36450216acaa8bb404 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 12:54:37 +1000 Subject: - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the OS does not support permanently dropping privileges. Patch from vinschen at redhat.com. --- ChangeLog | 5 ++++- uidswap.c | 2 ++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 9058dfc7a..51c5584e4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update ssh-host-config to match current defaults, bump README version. Patch from vinschen at redhat.com. + - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the + OS does not support permanently dropping privileges. Patch from + vinschen at redhat.com. 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; 
@@ -1152,4 +1155,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3017 2003/09/22 02:32:00 dtucker Exp $ +$Id: ChangeLog,v 1.3018 2003/09/22 02:54:37 dtucker Exp $ diff --git a/uidswap.c b/uidswap.c index 3f13f9bf4..9e161d0f0 100644 --- a/uidswap.c +++ b/uidswap.c @@ -191,10 +191,12 @@ permanently_set_uid(struct passwd *pw) (u_int)pw->pw_gid); } +#ifndef HAVE_CYGWIN /* Try restoration of UID if changed (test clearing of saved uid) */ if (old_uid != pw->pw_uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) fatal("%s: was able to restore old [e]uid", __func__); +#endif /* Verify UID drop was successful */ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) { -- cgit v1.2.3 From 051c270f88881688f62f3c56b78f0e177accf53e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 13:05:26 +1000 Subject: - (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h, add canohost.h to stop warning. Based on patch from openssh-unix-dev at thewrittenword.com --- ChangeLog | 5 ++++- openbsd-compat/port-aix.c | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 51c5584e4..141666e76 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,9 @@ - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the OS does not support permanently dropping privileges. Patch from vinschen at redhat.com. + - (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h, + add canohost.h to stop warning. Based on patch from openssh-unix-dev at + thewrittenword.com 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; 
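Review bot: The new `#ifndef HAVE_CYGWIN` in `permanently_set_uid()` (uidswap.c, `@@ -191,10 +191,12 @@`) compiles out the only check that the old uid cannot be regained, and nothing at the site says so. Only the commit message explains that the OS cannot drop privileges permanently, so a reader of the function will still assume the drop is irreversible on every platform. I would add a comment above the guard, for example `/* Cygwin cannot permanently drop privileges: the restore test is skipped and the old uid may remain reachable here. */`. The function begins and ends outside the hunk; the `getuid()`/`geteuid()` verification that follows the guard is still compiled on Cygwin.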
@@ -1155,4 +1158,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3018 2003/09/22 02:54:37 dtucker Exp $ +$Id: ChangeLog,v 1.3019 2003/09/22 03:05:26 dtucker Exp $ diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 7a981634b..9fbcce936 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -27,11 +27,12 @@ #include "ssh.h" #include "log.h" #include "servconf.h" +#include "canohost.h" +#include "xmalloc.h" #ifdef _AIX #include -#include <../xmalloc.h> #include "port-aix.h" extern ServerOptions options; -- cgit v1.2.3 From 42d30828a476c47a0f2e2a2b87644c76652e1905 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 13:28:36 +1000 Subject: - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or higher. --- ChangeLog | 4 +++- INSTALL | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 141666e76..08a70ffac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,8 @@ - (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h, add canohost.h to stop warning. Based on patch from openssh-unix-dev at thewrittenword.com + - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or + higher. 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1158,4 +1160,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3019 2003/09/22 03:05:26 dtucker Exp $ +$Id: ChangeLog,v 1.3020 2003/09/22 03:28:36 dtucker Exp $ diff --git a/INSTALL b/INSTALL index 224a2dac2..d4b1bdbce 100644 --- a/INSTALL +++ b/INSTALL @@ -3,7 +3,7 @@ You will need working installations of Zlib and OpenSSL. -Zlib: +Zlib 1.1.4 or greater: http://www.gzip.org/zlib/ OpenSSL 0.9.6 or greater: 
@@ -211,4 +211,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.58 2003/09/19 07:05:24 djm Exp $ +$Id: INSTALL,v 1.59 2003/09/22 03:28:36 dtucker Exp $ -- cgit v1.2.3 From 7a74c6b428f7126fcbd21b12a0a1a5a3bd2205ae Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Sun, 21 Sep 2003 21:00:59 -0700 Subject: Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/ --- ChangeLog | 3 ++- configure.ac | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 08a70ffac..6152aaa71 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,7 @@ thewrittenword.com - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or higher. + - (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/ 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1160,4 +1161,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3020 2003/09/22 03:28:36 dtucker Exp $ +$Id: ChangeLog,v 1.3021 2003/09/22 04:00:59 tim Exp $ diff --git a/configure.ac b/configure.ac index 7a4bd6ffc..fedad3b07 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.162 2003/09/22 02:08:23 dtucker Exp $ +# $Id: configure.ac,v 1.163 2003/09/22 04:01:00 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -409,7 +409,7 @@ mips-sony-bsd|mips-sony-newsos4) fi AC_DEFINE(DISABLE_FD_PASSING) AC_DEFINE(BROKEN_GETADDRINFO) - AC_DEFINE(SETEIUD_BREAKS_SETUID) + AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") -- cgit v1.2.3 From 480ef8ddae5c5795859752c15f898271c019eefc Mon Sep 17 00:00:00 2001 
From: Tim Rice Date: Sun, 21 Sep 2003 21:38:11 -0700 Subject: [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN. Report by distler AT golem ph utexas edu. --- ChangeLog | 6 ++++-- configure.ac | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6152aaa71..7351ded5b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,7 @@ 20030923 - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree builds. Portability corrections from tim@. - - (dtucker) [configure.ac] Bug #655: uid swapping issues on Mac OS X. + - (dtucker) [configure.ac] Bug #665: uid swapping issues on Mac OS X. Patch from max at quendi.de. - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi. - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64. @@ -25,6 +25,8 @@ - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or higher. - (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/ + - (tim) [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN. + Report by distler AT golem ph utexas edu. 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1161,4 +1163,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3021 2003/09/22 04:00:59 tim Exp $ +$Id: ChangeLog,v 1.3022 2003/09/22 04:38:11 tim Exp $ diff --git a/configure.ac b/configure.ac index fedad3b07..ac1a4d9f3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.163 2003/09/22 04:01:00 tim Exp $ +# $Id: configure.ac,v 1.164 2003/09/22 04:38:11 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -131,10 +131,10 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) }], [AC_MSG_RESULT(working)], [AC_MSG_RESULT(buggy) AC_DEFINE(BROKEN_GETADDRINFO)], + [AC_MSG_RESULT(assume it is working)]) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) - [AC_MSG_RESULT(assume it is working)]) ;; *-*-hpux10.26) if test -z "$GCC"; then -- cgit v1.2.3 From 220bf133b699493f57ed22052108fccc17680ad7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 20:41:40 +1000 Subject: - (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from article by genty at austin.ibm.com, included with the author's permission. --- ChangeLog | 4 +++- contrib/aix/pam.conf | 20 ++++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 contrib/aix/pam.conf diff --git a/ChangeLog b/ChangeLog index 7351ded5b..6ce8fbaee 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,8 @@ - (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/ - (tim) [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN. Report by distler AT golem ph utexas edu. + - (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from + article by genty at austin.ibm.com, included with the author's permission. 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1163,4 +1165,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3022 2003/09/22 04:38:11 tim Exp $ +$Id: ChangeLog,v 1.3023 2003/09/22 10:41:40 dtucker Exp $ diff --git a/contrib/aix/pam.conf b/contrib/aix/pam.conf new file mode 100644 index 000000000..1495f43cb --- /dev/null +++ b/contrib/aix/pam.conf 
@@ -0,0 +1,20 @@ +# +# PAM configuration file /etc/pam.conf +# Example for OpenSSH on AIX 5.2 +# + +# Authentication Management +sshd auth required /usr/lib/security/pam_aix +OTHER auth required /usr/lib/security/pam_aix + +# Account Management +sshd account required /usr/lib/security/pam_aix +OTHER account required /usr/lib/security/pam_aix + +# Session Management +sshd password required /usr/lib/security/pam_aix +OTHER password required /usr/lib/security/pam_aix + +# Password Management +sshd session required /usr/lib/security/pam_aix +OTHER session required /usr/lib/security/pam_aix -- cgit v1.2.3 From bd5361b23728640b7a6c2e4e10fcbd84101a6045 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 20:59:16 +1000 Subject: - markus@cvs.openbsd.org 2003/09/18 07:52:54 [sshconnect.c] missing {}; bug #656; jclonguet at free.fr --- ChangeLog | 6 +++++- sshconnect.c | 5 +++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6ce8fbaee..d2d2ebbb3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,10 @@ Report by distler AT golem ph utexas edu. - (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from article by genty at austin.ibm.com, included with the author's permission. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/09/18 07:52:54 + [sshconnect.c] + missing {}; bug #656; jclonguet at free.fr 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1165,4 +1169,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3023 2003/09/22 10:41:40 dtucker Exp $ +$Id: ChangeLog,v 1.3024 2003/09/22 10:59:16 dtucker Exp $ diff --git a/sshconnect.c b/sshconnect.c index 40d22800f..f29ac8088 100644 --- a/sshconnect.c +++ b/sshconnect.c 
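Review bot: The section comments in the new contrib/aix/pam.conf do not match the entries under them: `# Session Management` is followed by the two `password` lines, and `# Password Management` by the two `session` lines. The entries are keyed by the module-type column, so behaviour is not affected, but an administrator editing by heading would change the wrong stack. Swap the two headings so that `# Password Management` precedes the `password` lines and `# Session Management` precedes the `session` lines.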
@@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.147 2003/06/29 12:44:38 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.148 2003/09/18 07:52:54 markus Exp $"); #include @@ -271,9 +271,10 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, optval = 0; optlen = sizeof(optval); if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, - &optlen) == -1) + &optlen) == -1) { debug("getsockopt: %s", strerror(errno)); break; + } if (optval != 0) { errno = optval; break; -- cgit v1.2.3 From d2730d39a1005502b406983de84b85f6b50237de Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:00:19 +1000 Subject: - markus@cvs.openbsd.org 2003/09/18 07:54:48 [buffer.c] protect against double free; #660; zardoz at users.sf.net --- ChangeLog | 5 ++++- buffer.c | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d2d2ebbb3..ff1df7ab3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,9 @@ - markus@cvs.openbsd.org 2003/09/18 07:52:54 [sshconnect.c] missing {}; bug #656; jclonguet at free.fr + - markus@cvs.openbsd.org 2003/09/18 07:54:48 + [buffer.c] + protect against double free; #660; zardoz at users.sf.net 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1169,4 +1172,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3024 2003/09/22 10:59:16 dtucker Exp $ +$Id: ChangeLog,v 1.3025 2003/09/22 11:00:19 dtucker Exp $ diff --git a/buffer.c b/buffer.c index aee293f8b..a80880bb9 100644 --- a/buffer.c +++ b/buffer.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: buffer.c,v 1.18 2003/09/16 21:02:39 markus Exp $"); +RCSID("$OpenBSD: buffer.c,v 1.19 2003/09/18 07:54:48 markus Exp $"); #include "xmalloc.h" #include "buffer.h" 
@@ -39,6 +39,7 @@ buffer_free(Buffer *buffer) { if (buffer->alloc > 0) { memset(buffer->buf, 0, buffer->alloc); + buffer->alloc = 0; xfree(buffer->buf); } } -- cgit v1.2.3 From d1d41b318117258bd25f2eb2789ba3b91408bd16 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:01:27 +1000 Subject: - markus@cvs.openbsd.org 2003/09/18 07:56:05 [authfile.c] missing buffer_free(&encrypted); #662; zardoz at users.sf.net --- ChangeLog | 5 ++++- authfile.c | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ff1df7ab3..118f96c41 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,9 @@ - markus@cvs.openbsd.org 2003/09/18 07:54:48 [buffer.c] protect against double free; #660; zardoz at users.sf.net + - markus@cvs.openbsd.org 2003/09/18 07:56:05 + [authfile.c] + missing buffer_free(&encrypted); #662; zardoz at users.sf.net 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1172,4 +1175,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3025 2003/09/22 11:00:19 dtucker Exp $ +$Id: ChangeLog,v 1.3026 2003/09/22 11:01:27 dtucker Exp $ diff --git a/authfile.c b/authfile.c index 1f46093e3..83ddd635f 100644 --- a/authfile.c +++ b/authfile.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.54 2003/05/24 09:30:39 djm Exp $"); +RCSID("$OpenBSD: authfile.c,v 1.55 2003/09/18 07:56:05 markus Exp $"); #include #include @@ -143,6 +143,7 @@ key_save_private_rsa1(Key *key, const char *filename, const char *passphrase, fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600); if (fd < 0) { error("open %s failed: %s.", filename, strerror(errno)); + buffer_free(&encrypted); return 0; } if (write(fd, buffer_ptr(&encrypted), buffer_len(&encrypted)) != -- cgit v1.2.3 From fb16b2411eda857cd358dc4c9c63b66edc217a51 Mon Sep 17 00:00:00 2001 
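Review bot: `buffer_free()` (buffer.c, `@@ -39,6 +39,7 @@`) still leaves `buffer->buf` pointing at the freed block. Zeroing `alloc` makes a second `buffer_free()` a no-op, but any other access through the structure after the free would presumably still reach freed memory. Adding `buffer->buf = NULL;` after `xfree(buffer->buf);` would make such an access fault on a null pointer instead. A one-line comment on `buffer->alloc = 0;` saying that it guards against a repeated free would also keep the line from being removed as redundant.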
From: Darren Tucker Date: Mon, 22 Sep 2003 21:04:23 +1000 Subject: - markus@cvs.openbsd.org 2003/09/18 08:49:45 [deattack.c misc.c session.c ssh-agent.c] more buffer allocation fixes; from Solar Designer; CAN-2003-0682; ok millert@ --- ChangeLog | 6 +++++- deattack.c | 6 +++--- misc.c | 13 ++++++++----- session.c | 18 ++++++++++-------- ssh-agent.c | 17 +++++++++-------- 5 files changed, 35 insertions(+), 25 deletions(-) diff --git a/ChangeLog b/ChangeLog index 118f96c41..7ba84a77c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,10 @@ - markus@cvs.openbsd.org 2003/09/18 07:56:05 [authfile.c] missing buffer_free(&encrypted); #662; zardoz at users.sf.net + - markus@cvs.openbsd.org 2003/09/18 08:49:45 + [deattack.c misc.c session.c ssh-agent.c] + more buffer allocation fixes; from Solar Designer; CAN-2003-0682; + ok millert@ 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1175,4 +1179,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3026 2003/09/22 11:01:27 dtucker Exp $ +$Id: ChangeLog,v 1.3027 2003/09/22 11:04:23 dtucker Exp $ diff --git a/deattack.c b/deattack.c index 0442501e7..8b55d6686 100644 --- a/deattack.c +++ b/deattack.c @@ -18,7 +18,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: deattack.c,v 1.18 2002/03/04 17:27:39 stevesk Exp $"); +RCSID("$OpenBSD: deattack.c,v 1.19 2003/09/18 08:49:45 markus Exp $"); #include "deattack.h" #include "log.h" @@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len, u_char *IV) if (h == NULL) { debug("Installing crc compensation attack detector."); + h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE); n = l; - h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); } else { if (l > n) { + h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE); n = l; - h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); } } diff --git a/misc.c b/misc.c index c457a952c..ac616de02 100644 --- a/misc.c 
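Review bot: The reordering in `detect_attack()` (deattack.c, `@@ -100,12 +100,12 @@`) is the whole fix, yet nothing in the code says that `n = l;` must stay after the allocation. The same pattern appears in the misc.c `addargs()`, session.c `child_set_env()` and ssh-agent.c `new_socket()` hunks of this commit. In each, the new size is kept in a local or assigned afterwards and stored only once `xmalloc`/`xrealloc` has returned, presumably so the recorded size never exceeds the real allocation if the allocator does not return. A short comment at each site, such as `/* update the size only after the allocation has succeeded */`, would stop a later tidy-up from restoring the old order. `detect_attack()` starts and ends outside the hunk.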
+++ b/misc.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.21 2003/04/12 10:15:36 markus Exp $"); +RCSID("$OpenBSD: misc.c,v 1.22 2003/09/18 08:49:45 markus Exp $"); #include "misc.h" #include "log.h" @@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...) { va_list ap; char buf[1024]; + int nalloc; va_start(ap, fmt); vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); + nalloc = args->nalloc; if (args->list == NULL) { - args->nalloc = 32; + nalloc = 32; args->num = 0; - } else if (args->num+2 >= args->nalloc) - args->nalloc *= 2; + } else if (args->num+2 >= nalloc) + nalloc *= 2; - args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); + args->list = xrealloc(args->list, nalloc * sizeof(char *)); + args->nalloc = nalloc; args->list[args->num++] = xstrdup(buf); args->list[args->num] = NULL; } diff --git a/session.c b/session.c index 616fee971..2898ac518 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.163 2003/08/31 13:29:05 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.164 2003/09/18 08:49:45 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -798,8 +798,9 @@ void child_set_env(char ***envp, u_int *envsizep, const char *name, const char *value) { - u_int i, namelen; char **env; + u_int envsize; + u_int i, namelen; /* * If we're passed an uninitialized list, allocate a single null 
@@ -826,12 +827,13 @@ child_set_env(char ***envp, u_int *envsizep, const char *name, xfree(env[i]); } else { /* New variable. Expand if necessary. */ - if (i >= (*envsizep) - 1) { - if (*envsizep >= 1000) - fatal("child_set_env: too many env vars," - " skipping: %.100s", name); - (*envsizep) += 50; - env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *)); + envsize = *envsizep; + if (i >= envsize - 1) { + if (envsize >= 1000) + fatal("child_set_env: too many env vars"); + envsize += 50; + env = (*envp) = xrealloc(env, envsize * sizeof(char *)); + *envsizep = envsize; } /* Need to set the NULL pointer at end of array beyond the new slot. */ env[i + 1] = NULL; diff --git a/ssh-agent.c b/ssh-agent.c index c05c61468..e1e6cae9b 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.111 2003/06/12 19:12:03 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.112 2003/09/18 08:49:45 markus Exp $"); #include #include @@ -784,7 +784,7 @@ process_message(SocketEntry *e) static void new_socket(sock_type type, int fd) { - u_int i, old_alloc; + u_int i, old_alloc, new_alloc; if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0) error("fcntl O_NONBLOCK: %s", strerror(errno)); 
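Review bot: In `child_set_env` (session.c, second hunk), `if (i >= envsize - 1)` is unsigned arithmetic, so an `envsize` of 0 would wrap to `UINT_MAX` and skip the expansion before `env[i + 1] = NULL` is written. The context of the previous hunk suggests an uninitialized list gets an initial allocation earlier in the function, which would make 0 unreachable, but that code is outside both hunks. Writing the test as `if (i + 1 >= envsize)` removes the dependency. The new `fatal("child_set_env: too many env vars")` also drops the variable name that the old message logged, which makes the failure harder to diagnose.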
@@ -795,25 +795,26 @@ new_socket(sock_type type, int fd) for (i = 0; i < sockets_alloc; i++) if (sockets[i].type == AUTH_UNUSED) { sockets[i].fd = fd; - sockets[i].type = type; buffer_init(&sockets[i].input); buffer_init(&sockets[i].output); buffer_init(&sockets[i].request); + sockets[i].type = type; return; } old_alloc = sockets_alloc; - sockets_alloc += 10; + new_alloc = sockets_alloc + 10; if (sockets) - sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0])); + sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0])); else - sockets = xmalloc(sockets_alloc * sizeof(sockets[0])); - for (i = old_alloc; i < sockets_alloc; i++) + sockets = xmalloc(new_alloc * sizeof(sockets[0])); + for (i = old_alloc; i < new_alloc; i++) sockets[i].type = AUTH_UNUSED; - sockets[old_alloc].type = type; + sockets_alloc = new_alloc; sockets[old_alloc].fd = fd; buffer_init(&sockets[old_alloc].input); buffer_init(&sockets[old_alloc].output); buffer_init(&sockets[old_alloc].request); + sockets[old_alloc].type = type; } static int -- cgit v1.2.3 From c0815c927e177f27b1bcd6370e4c2b10caf95efe Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:05:50 +1000 Subject: - miod@cvs.openbsd.org 2003/09/18 13:02:21 [authfd.c bufaux.c dh.c mac.c ssh-keygen.c] A few signedness fixes for harmless situations; markus@ ok --- ChangeLog | 5 ++++- authfd.c | 9 +++++---- bufaux.c | 8 ++++---- dh.c | 4 ++-- mac.c | 4 ++-- ssh-keygen.c | 6 +++--- 6 files changed, 20 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7ba84a77c..5f6f0403e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -43,6 +43,9 @@ [deattack.c misc.c session.c ssh-agent.c] more buffer allocation fixes; from Solar Designer; CAN-2003-0682; ok millert@ + - miod@cvs.openbsd.org 2003/09/18 13:02:21 + [authfd.c bufaux.c dh.c mac.c ssh-keygen.c] + A few signedness fixes for harmless situations; markus@ ok 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; 
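Review bot: The reordering in `new_socket` (ssh-agent.c) is deliberate but undocumented: `sockets[i].type = type` and `sockets[old_alloc].type = type` now come after the three `buffer_init` calls, and `sockets_alloc` is only assigned once the new entries are marked `AUTH_UNUSED`. Presumably this keeps the table consistent if an allocation fails part-way, so that no slot is marked in use before its buffers exist and `sockets_alloc` never exceeds the allocated size. A short comment at each site, e.g. `/* set type last: slot is not live until its buffers are initialised */`, would stop a later cleanup from moving the lines back. The function starts in the previous hunk.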
@@ -1179,4 +1182,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3027 2003/09/22 11:04:23 dtucker Exp $ +$Id: ChangeLog,v 1.3028 2003/09/22 11:05:50 dtucker Exp $ diff --git a/authfd.c b/authfd.c index c78db6d94..5fdf1ca3d 100644 --- a/authfd.c +++ b/authfd.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.61 2003/06/28 16:23:06 deraadt Exp $"); +RCSID("$OpenBSD: authfd.c,v 1.62 2003/09/18 13:02:21 miod Exp $"); #include @@ -114,7 +114,8 @@ ssh_get_authentication_socket(void) static int ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply) { - int l, len; + int l; + u_int len; char buf[1024]; /* Get the length of the message, and format it in the buffer. */ @@ -147,7 +148,7 @@ ssh_request_reply(AuthenticationConnection *auth, Buffer *request, Buffer *reply /* Extract the length, and check it for sanity. */ len = GET_32BIT(buf); if (len > 256 * 1024) - fatal("Authentication response too long: %d", len); + fatal("Authentication response too long: %u", len); /* Read the rest of the response in to the buffer. */ buffer_clear(reply); @@ -292,7 +293,7 @@ ssh_get_num_identities(AuthenticationConnection *auth, int version) /* Get the number of entries in the response and check it for sanity. */ auth->howmany = buffer_get_int(&auth->identities); - if (auth->howmany > 1024) + if ((u_int)auth->howmany > 1024) fatal("Too many identities in authentication reply: %d", auth->howmany); diff --git a/bufaux.c b/bufaux.c index 37cc27ff6..1df15b548 100644 --- a/bufaux.c +++ b/bufaux.c @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: bufaux.c,v 1.29 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: bufaux.c,v 1.30 2003/09/18 13:02:21 miod Exp $"); #include #include "bufaux.h" 
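Review bot: In `ssh_get_num_identities` (authfd.c, last hunk), the new `(u_int)auth->howmany > 1024` test catches a negative count, but the `fatal` that follows still formats it with `%d`, so the log shows a negative number rather than the value that was received. Either print it as unsigned, `fatal("Too many identities in authentication reply: %u", (u_int)auth->howmany);`, or change the `howmany` field to `u_int` so the cast is not needed at each use. The field's declaration is not in this diff, so the second option needs checking against the other users of `howmany`. The earlier hunk in `ssh_request_reply` already made the matching `%d` to `%u` change for `len`.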
@@ -80,7 +80,7 @@ buffer_put_bignum(Buffer *buffer, BIGNUM *value) void buffer_get_bignum(Buffer *buffer, BIGNUM *value) { - int bits, bytes; + u_int bits, bytes; u_char buf[2], *bin; /* Get the number for bits. */ @@ -103,10 +103,10 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value) void buffer_put_bignum2(Buffer *buffer, BIGNUM *value) { - int bytes = BN_num_bytes(value) + 1; + u_int bytes = BN_num_bytes(value) + 1; u_char *buf = xmalloc(bytes); int oi; - int hasnohigh = 0; + u_int hasnohigh = 0; buf[0] = '\0'; /* Get the value of in binary */ diff --git a/dh.c b/dh.c index 996428b7f..c924efee0 100644 --- a/dh.c +++ b/dh.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dh.c,v 1.24 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: dh.c,v 1.25 2003/09/18 13:02:21 miod Exp $"); #include "xmalloc.h" @@ -198,7 +198,7 @@ dh_gen_key(DH *dh, int need) if (dh->p == NULL) fatal("dh_gen_key: dh->p == NULL"); - if (2*need >= BN_num_bits(dh->p)) + if (need > INT_MAX / 2 || 2 * need >= BN_num_bits(dh->p)) fatal("dh_gen_key: group too small: %d (2*need %d)", BN_num_bits(dh->p), 2*need); do { diff --git a/mac.c b/mac.c index ab9a03d84..097f0b93b 100644 --- a/mac.c +++ b/mac.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: mac.c,v 1.5 2002/05/16 22:02:50 markus Exp $"); +RCSID("$OpenBSD: mac.c,v 1.6 2003/09/18 13:02:21 miod Exp $"); #include @@ -77,7 +77,7 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen) if (mac->key == NULL) fatal("mac_compute: no key"); - if (mac->mac_len > sizeof(m)) + if ((u_int)mac->mac_len > sizeof(m)) fatal("mac_compute: mac too long"); HMAC_Init(&c, mac->key, mac->key_len, mac->md); PUT_32BIT(b, seqno); diff --git a/ssh-keygen.c b/ssh-keygen.c index e74d3cd37..5b7bc400a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c 
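Review bot: In `dh_gen_key` (dh.c), the new `need > INT_MAX / 2` guard stops `2 * need` overflowing in the condition, but the `fatal` call directly below still evaluates `2*need` as an argument, which is signed overflow in exactly the case the guard was added for. A negative `need` also passes both tests, since `2 * need` is then smaller than `BN_num_bits(dh->p)`. Rejecting the bad range first, `if (need < 0 || need > INT_MAX / 2) fatal("dh_gen_key: bad need %d", need);`, and leaving the original group-size test as it was avoids both. The rest of the function is outside the hunk.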
@@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.108 2003/08/14 16:08:58 markus Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.109 2003/09/18 13:02:21 miod Exp $"); #include #include @@ -191,8 +191,8 @@ do_convert_to_ssh2(struct passwd *pw) static void buffer_get_bignum_bits(Buffer *b, BIGNUM *value) { - int bits = buffer_get_int(b); - int bytes = (bits + 7) / 8; + u_int bits = buffer_get_int(b); + u_int bytes = (bits + 7) / 8; if (buffer_len(b) < bytes) fatal("buffer_get_bignum_bits: input buffer too small: " -- cgit v1.2.3 From a8151da5fe16c77f77e62f145e8b0efc25dc02c4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:06:46 +1000 Subject: - markus@cvs.openbsd.org 2003/09/19 09:02:02 [packet.c] buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471 --- ChangeLog | 5 ++++- packet.c | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5f6f0403e..5b8fcb9af 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,9 @@ - miod@cvs.openbsd.org 2003/09/18 13:02:21 [authfd.c bufaux.c dh.c mac.c ssh-keygen.c] A few signedness fixes for harmless situations; markus@ ok + - markus@cvs.openbsd.org 2003/09/19 09:02:02 + [packet.c] + buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1182,4 +1185,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3028 2003/09/22 11:05:50 dtucker Exp $ +$Id: ChangeLog,v 1.3029 2003/09/22 11:06:46 dtucker Exp $ diff --git a/packet.c b/packet.c index 4ef639fd6..02b629f30 100644 --- a/packet.c +++ b/packet.c @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.109 2003/07/10 14:42:28 markus Exp $"); +RCSID("$OpenBSD: packet.c,v 1.110 2003/09/19 09:02:02 markus Exp $"); #include "openbsd-compat/sys-queue.h" 
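Review bot: In `buffer_get_bignum_bits` (ssh-keygen.c), `u_int bytes = (bits + 7) / 8` can wrap now that `bits` is unsigned: for a `bits` value within 7 of `UINT_MAX` the sum wraps and `bytes` becomes 0, so the `buffer_len(b) < bytes` check passes for a length field that is clearly invalid. Computing it without the addition, `u_int bytes = bits / 8 + (bits % 8 != 0);`, keeps the check meaningful for every input. The function continues past the end of the hunk, so how `bytes` is used afterwards is not visible here.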
@@ -1020,7 +1020,9 @@ packet_read_poll2(u_int32_t *seqnr_p) cp = buffer_ptr(&incoming_packet); packet_length = GET_32BIT(cp); if (packet_length < 1 + 4 || packet_length > 256 * 1024) { +#ifdef PACKET_DEBUG buffer_dump(&incoming_packet); +#endif packet_disconnect("Bad packet length %u.", packet_length); } DBG(debug("input: packet len %u", packet_length+4)); -- cgit v1.2.3 From 631a4a9b3e2d6109b87e59f3cf2dac419d3764fe Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:08:21 +1000 Subject: - markus@cvs.openbsd.org 2003/09/19 09:03:00 [buffer.c] sign fix in buffer_dump; Jedi/Sector One; pr 3473 --- ChangeLog | 5 ++++- buffer.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5b8fcb9af..05021615d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -49,6 +49,9 @@ - markus@cvs.openbsd.org 2003/09/19 09:02:02 [packet.c] buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471 + - markus@cvs.openbsd.org 2003/09/19 09:03:00 + [buffer.c] + sign fix in buffer_dump; Jedi/Sector One; pr 3473 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1185,4 +1188,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3029 2003/09/22 11:06:46 dtucker Exp $ +$Id: ChangeLog,v 1.3030 2003/09/22 11:08:21 dtucker Exp $ diff --git a/buffer.c b/buffer.c index a80880bb9..69d5b57c0 100644 --- a/buffer.c +++ b/buffer.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: buffer.c,v 1.19 2003/09/18 07:54:48 markus Exp $"); +RCSID("$OpenBSD: buffer.c,v 1.20 2003/09/19 09:03:00 markus Exp $"); #include "xmalloc.h" #include "buffer.h" @@ -169,7 +169,7 @@ buffer_ptr(Buffer *buffer) void buffer_dump(Buffer *buffer) { - int i; + u_int i; u_char *ucp = buffer->buf; for (i = buffer->offset; i < buffer->end; i++) { -- cgit v1.2.3 
From 6fa8abd58bb8beac0e73ccdba6dfa1414cb1112c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:10:21 +1000 Subject: - markus@cvs.openbsd.org 2003/09/19 11:29:40 [ssh-agent.c] provide a ssh-agent specific fatal() function; ok deraadt --- ChangeLog | 5 ++++- ssh-agent.c | 22 ++++++++++++++++------ 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 05021615d..4707332af 100644 --- a/ChangeLog +++ b/ChangeLog @@ -52,6 +52,9 @@ - markus@cvs.openbsd.org 2003/09/19 09:03:00 [buffer.c] sign fix in buffer_dump; Jedi/Sector One; pr 3473 + - markus@cvs.openbsd.org 2003/09/19 11:29:40 + [ssh-agent.c] + provide a ssh-agent specific fatal() function; ok deraadt 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1188,4 +1191,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3030 2003/09/22 11:08:21 dtucker Exp $ +$Id: ChangeLog,v 1.3031 2003/09/22 11:10:21 dtucker Exp $ diff --git a/ssh-agent.c b/ssh-agent.c index e1e6cae9b..28a39a934 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.112 2003/09/18 08:49:45 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.113 2003/09/19 11:29:40 markus Exp $"); #include #include @@ -949,7 +949,7 @@ after_select(fd_set *readset, fd_set *writeset) } static void -cleanup_socket(void *p) +cleanup_socket(void) { if (socket_name[0]) unlink(socket_name); 
@@ -960,17 +960,28 @@ cleanup_socket(void *p) static void cleanup_exit(int i) { - cleanup_socket(NULL); - exit(i); + cleanup_socket(); + _exit(i); } static void cleanup_handler(int sig) { - cleanup_socket(NULL); + cleanup_socket(); _exit(2); } +void +fatal(const char *fmt,...) +{ + va_list args; + va_start(args, fmt); + do_log(SYSLOG_LEVEL_FATAL, fmt, args); + va_end(args); + cleanup_socket(); + _exit(255); +} + static void check_parent_exists(int sig) { @@ -1209,7 +1220,6 @@ main(int ac, char **av) #endif skip: - fatal_add_cleanup(cleanup_socket, NULL); new_socket(AUTH_SOCKET, sock); if (ac > 0) { mysignal(SIGALRM, check_parent_exists); -- cgit v1.2.3 From 3d326221714451b616b82744d38af484e718b49b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:11:20 +1000 Subject: - markus@cvs.openbsd.org 2003/09/19 11:30:39 [ssh-keyscan.c] avoid fatal_cleanup, just call exit(); ok deraadt --- ChangeLog | 5 ++++- ssh-keyscan.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4707332af..73b71dd80 100644 --- a/ChangeLog +++ b/ChangeLog @@ -55,6 +55,9 @@ - markus@cvs.openbsd.org 2003/09/19 11:29:40 [ssh-agent.c] provide a ssh-agent specific fatal() function; ok deraadt + - markus@cvs.openbsd.org 2003/09/19 11:30:39 + [ssh-keyscan.c] + avoid fatal_cleanup, just call exit(); ok deraadt 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1191,4 +1194,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3031 2003/09/22 11:10:21 dtucker Exp $ +$Id: ChangeLog,v 1.3032 2003/09/22 11:11:20 dtucker Exp $ diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 9fa8aaebc..9506ec196 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c 
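Review bot: The new `fatal()` in ssh-agent.c carries no comment saying that it replaces the generic implementation and must never return, and `cleanup_exit` changes from `exit(i)` to `_exit(i)` without explanation. With `_exit`, atexit handlers and stdio flushing are skipped, so any caller of `cleanup_exit` that has written buffered output beforehand would lose it; those callers are outside the hunk and should be checked. I would add `/* ssh-agent specific fatal(): remove the socket, then _exit() without running exit handlers */` above `fatal` and a matching one-line comment on `cleanup_exit`.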
@@ -7,7 +7,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.44 2003/06/28 16:23:06 deraadt Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.45 2003/09/19 11:30:39 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -675,7 +675,7 @@ fatal(const char *fmt,...) if (nonfatal_fatal) longjmp(kexjmp, -1); else - fatal_cleanup(); + exit(255); } static void -- cgit v1.2.3 From 3dbff2a93b0f326cd4891654c3553f901df8ede7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:12:56 +1000 Subject: - markus@cvs.openbsd.org 2003/09/19 11:31:33 [channels.c] do not call channel_free_all on fatal; ok deraadt --- ChangeLog | 5 ++++- channels.c | 3 +-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 73b71dd80..ea27f1747 100644 --- a/ChangeLog +++ b/ChangeLog @@ -58,6 +58,9 @@ - markus@cvs.openbsd.org 2003/09/19 11:30:39 [ssh-keyscan.c] avoid fatal_cleanup, just call exit(); ok deraadt + - markus@cvs.openbsd.org 2003/09/19 11:31:33 + [channels.c] + do not call channel_free_all on fatal; ok deraadt 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1194,4 +1197,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3032 2003/09/22 11:11:20 dtucker Exp $ +$Id: ChangeLog,v 1.3033 2003/09/22 11:12:56 dtucker Exp $ diff --git a/channels.c b/channels.c index 3d75c8f2b..af2ae18b1 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.195 2003/09/16 21:02:40 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.196 2003/09/19 11:31:33 markus Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -217,7 +217,6 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd, channels = xmalloc(channels_alloc * sizeof(Channel *)); for (i = 0; i < channels_alloc; i++) channels[i] = NULL; - fatal_add_cleanup((void (*) (void *)) channel_free_all, NULL); } /* Try to find a free slot where to put the new channel. */ for (found = -1, i = 0; i < channels_alloc; i++) -- cgit v1.2.3 From aaa56cb80473feda33ef44643cc2a95df9d67984 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 22 Sep 2003 21:13:59 +1000 Subject: - markus@cvs.openbsd.org 2003/09/19 11:33:09 [packet.c sshd.c] do not call packet_close on fatal; ok deraadt --- ChangeLog | 5 ++++- packet.c | 5 +---- sshd.c | 10 +--------- 3 files changed, 6 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index ea27f1747..340be6e2c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -61,6 +61,9 @@ - markus@cvs.openbsd.org 2003/09/19 11:31:33 [channels.c] do not call channel_free_all on fatal; ok deraadt + - markus@cvs.openbsd.org 2003/09/19 11:33:09 + [packet.c sshd.c] + do not call packet_close on fatal; ok deraadt 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1197,4 +1200,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3033 2003/09/22 11:12:56 dtucker Exp $ +$Id: ChangeLog,v 1.3034 2003/09/22 11:13:59 dtucker Exp $ diff --git a/packet.c b/packet.c index 02b629f30..6e7e574ab 100644 --- a/packet.c +++ b/packet.c @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.110 2003/09/19 09:02:02 markus Exp $"); +RCSID("$OpenBSD: packet.c,v 1.111 2003/09/19 11:33:09 markus Exp $"); #include "openbsd-compat/sys-queue.h" 
@@ -165,8 +165,6 @@ packet_set_connection(int fd_in, int fd_out) buffer_init(&incoming_packet); TAILQ_INIT(&outgoing); } - /* Kludge: arrange the close function to be called from fatal(). */ - fatal_add_cleanup((void (*) (void *)) packet_close, NULL); } /* Returns 1 if remote host is connected via socket, 0 if not. */ @@ -1338,7 +1336,6 @@ packet_disconnect(const char *fmt,...) /* Close the connection. */ packet_close(); - fatal_cleanup(); } diff --git a/sshd.c b/sshd.c index 47df9caf1..4b3ff0da3 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.276 2003/08/28 12:54:34 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.277 2003/09/19 11:33:09 markus Exp $"); #include #include @@ -587,8 +587,6 @@ privsep_preauth(void) if (pid == -1) { fatal("fork of unprivileged child failed"); } else if (pid != 0) { - fatal_remove_cleanup((void (*) (void *)) packet_close, NULL); - debug2("Network child is on pid %ld", (long)pid); close(pmonitor->m_recvfd); @@ -602,10 +600,6 @@ privsep_preauth(void) while (waitpid(pid, &status, 0) < 0) if (errno != EINTR) break; - - /* Reinstall, since the child has finished */ - fatal_add_cleanup((void (*) (void *)) packet_close, NULL); - return (authctxt); } else { /* child */ @@ -653,8 +647,6 @@ privsep_postauth(Authctxt *authctxt) if (pmonitor->m_pid == -1) fatal("fork of unprivileged child failed"); else if (pmonitor->m_pid != 0) { - fatal_remove_cleanup((void (*) (void *)) packet_close, NULL); - debug2("User child is on pid %ld", (long)pmonitor->m_pid); close(pmonitor->m_recvfd); monitor_child_postauth(pmonitor); -- cgit v1.2.3 From 8654d16f0ff3bfe17aa4616f03aba84acc5458e5 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Mon, 22 Sep 2003 21:14:55 +1000 Subject: - markus@cvs.openbsd.org 2003/09/19 17:40:20 [scp.c] error handling for remote-remote copy; #638; report Harald Koenig; ok millert, fgs, henning, deraadt --- ChangeLog | 6 +++++- scp.c | 5 +++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 340be6e2c..472cd7c41 100644 --- a/ChangeLog +++ b/ChangeLog @@ -64,6 +64,10 @@ - markus@cvs.openbsd.org 2003/09/19 11:33:09 [packet.c sshd.c] do not call packet_close on fatal; ok deraadt + - markus@cvs.openbsd.org 2003/09/19 17:40:20 + [scp.c] + error handling for remote-remote copy; #638; report Harald Koenig; + ok millert, fgs, henning, deraadt 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1200,4 +1204,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3034 2003/09/22 11:13:59 dtucker Exp $ +$Id: ChangeLog,v 1.3035 2003/09/22 11:14:55 dtucker Exp $ diff --git a/scp.c b/scp.c index 4f9247c2d..a1f136a1f 100644 --- a/scp.c +++ b/scp.c @@ -71,7 +71,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.108 2003/07/18 01:54:25 deraadt Exp $"); +RCSID("$OpenBSD: scp.c,v 1.109 2003/09/19 17:40:20 markus Exp $"); #include "xmalloc.h" #include "atomicio.h" @@ -426,7 +426,8 @@ toremote(char *targ, int argc, char **argv) } if (verbose_mode) fprintf(stderr, "Executing: %s\n", bp); - (void) system(bp); + if (system(bp) != 0) + errs = 1; (void) xfree(bp); } else { /* local to remote */ if (remin == -1) { -- cgit v1.2.3 From 9a2c4cddadf209e0b494fb10c1218424b53dd6fd Mon Sep 17 00:00:00 2001 
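Review bot: In `toremote` (scp.c), the remote-to-remote copy still runs through `system(bp)`, so the command string is interpreted by a shell; the commit only adds handling of the exit status. How `bp` is assembled is outside the hunk, but if it embeds host, user or path arguments, quoting them correctly is fragile. Building an argument vector and running it with `fork`/`execvp`, then setting `errs` from the `waitpid` status, would avoid the shell altogether. As written, `system(bp) != 0` also treats a failure to start the shell (`-1`) the same as a failed copy, which is acceptable but could be reported separately.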
From: Darren Tucker Date: Mon, 22 Sep 2003 21:16:05 +1000 Subject: - markus@cvs.openbsd.org 2003/09/19 17:43:35 [clientloop.c sshtty.c sshtty.h] remove fatal callbacks from client code; ok deraadt --- ChangeLog | 5 ++++- clientloop.c | 26 +++++++++++++++++--------- sshtty.c | 12 +----------- sshtty.h | 3 +-- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index 472cd7c41..fd8abf04b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -68,6 +68,9 @@ [scp.c] error handling for remote-remote copy; #638; report Harald Koenig; ok millert, fgs, henning, deraadt + - markus@cvs.openbsd.org 2003/09/19 17:43:35 + [clientloop.c sshtty.c sshtty.h] + remove fatal callbacks from client code; ok deraadt 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1204,4 +1207,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3035 2003/09/22 11:14:55 dtucker Exp $ +$Id: ChangeLog,v 1.3036 2003/09/22 11:16:05 dtucker Exp $ diff --git a/clientloop.c b/clientloop.c index d8def78bd..bc50f0bca 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.112 2003/06/28 16:23:06 deraadt Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.113 2003/09/19 17:43:35 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -139,7 +139,6 @@ leave_non_blocking(void) if (in_non_blocking_mode) { (void) fcntl(fileno(stdin), F_SETFL, 0); in_non_blocking_mode = 0; - fatal_remove_cleanup((void (*) (void *)) leave_non_blocking, NULL); } } @@ -150,7 +149,6 @@ enter_non_blocking(void) { in_non_blocking_mode = 1; (void) fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); - fatal_add_cleanup((void (*) (void *)) leave_non_blocking, NULL); } /* 
@@ -844,8 +842,7 @@ client_channel_closed(int id, void *arg) id, session_ident); channel_cancel_cleanup(id); session_closed = 1; - if (in_raw_mode()) - leave_raw_mode(); + leave_raw_mode(); } /* @@ -1034,11 +1031,8 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) if (!isatty(fileno(stderr))) unset_nonblock(fileno(stderr)); - if (received_signal) { - if (in_non_blocking_mode) /* XXX */ - leave_non_blocking(); + if (received_signal) fatal("Killed by signal %d.", (int) received_signal); - } /* * In interactive mode (with pseudo tty) display a message indicating @@ -1387,3 +1381,17 @@ client_init_dispatch(void) else client_init_dispatch_15(); } + +/* client specific fatal cleanup */ +void +fatal(const char *fmt,...) +{ + va_list args; + + va_start(args, fmt); + do_log(SYSLOG_LEVEL_FATAL, fmt, args); + va_end(args); + leave_raw_mode(); + leave_non_blocking(); + _exit(255); +} diff --git a/sshtty.c b/sshtty.c index 2f47b06d1..4fb2d3dae 100644 --- a/sshtty.c +++ b/sshtty.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshtty.c,v 1.4 2003/07/16 10:36:28 markus Exp $"); +RCSID("$OpenBSD: sshtty.c,v 1.5 2003/09/19 17:43:35 markus Exp $"); #include "sshtty.h" #include "log.h" @@ -43,12 +43,6 @@ RCSID("$OpenBSD: sshtty.c,v 1.4 2003/07/16 10:36:28 markus Exp $"); static struct termios _saved_tio; static int _in_raw_mode = 0; -int -in_raw_mode(void) -{ - return _in_raw_mode; -} - struct termios get_saved_tio(void) { @@ -64,8 +58,6 @@ leave_raw_mode(void) perror("tcsetattr"); else _in_raw_mode = 0; - - fatal_remove_cleanup((void (*) (void *)) leave_raw_mode, NULL); } void @@ -94,6 +86,4 @@ enter_raw_mode(void) perror("tcsetattr"); else _in_raw_mode = 1; - - fatal_add_cleanup((void (*) (void *)) leave_raw_mode, NULL); } diff --git a/sshtty.h b/sshtty.h index 7ba4a2627..723b27846 100644 --- a/sshtty.h +++ b/sshtty.h 
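Review bot: `client_channel_closed` and the new client `fatal()` (clientloop.c) now call `leave_raw_mode()` unconditionally, and `fatal()` does the same with `leave_non_blocking()`, while `in_raw_mode()` is removed from sshtty.c. `leave_non_blocking` visibly guards on `in_non_blocking_mode`, but the start of `leave_raw_mode` is outside the sshtty.c hunk, so its guard on `_in_raw_mode` cannot be confirmed from here. If it does return early, say so on the prototype in sshtty.h, e.g. `void leave_raw_mode(void); /* no-op when not in raw mode */`, since callers now depend on it.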
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshtty.h,v 1.2 2001/06/26 17:27:25 markus Exp $ */ +/* $OpenBSD: sshtty.h,v 1.3 2003/09/19 17:43:35 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -40,7 +40,6 @@ #include -int in_raw_mode(void); struct termios get_saved_tio(void); void leave_raw_mode(void); void enter_raw_mode(void); -- cgit v1.2.3 From da4d9cf4bfc34052f60e7161abbe7b88517ab43a Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Mon, 22 Sep 2003 15:36:15 +0000 Subject: - (bal) "extration" -> "extraction" in ssh-rand-helper.c; repoted by john on #unixhelp@efnet --- ChangeLog | 4 +++- ssh-rand-helper.c | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index fd8abf04b..35c648051 100644 --- a/ChangeLog +++ b/ChangeLog @@ -71,6 +71,8 @@ - markus@cvs.openbsd.org 2003/09/19 17:43:35 [clientloop.c sshtty.c sshtty.h] remove fatal callbacks from client code; ok deraadt + - (bal) "extration" -> "extraction" in ssh-rand-helper.c; repoted by john + on #unixhelp@efnet 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1207,4 +1209,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3036 2003/09/22 11:16:05 dtucker Exp $ +$Id: ChangeLog,v 1.3037 2003/09/22 15:36:15 mouring Exp $ diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c index 7e65e4569..effc8745e 100644 --- a/ssh-rand-helper.c +++ b/ssh-rand-helper.c @@ -39,7 +39,7 @@ #include "pathnames.h" #include "log.h" -RCSID("$Id: ssh-rand-helper.c,v 1.13 2003/08/21 23:34:41 djm Exp $"); +RCSID("$Id: ssh-rand-helper.c,v 1.14 2003/09/22 15:36:15 mouring Exp $"); /* Number of bytes we write out */ #define OUTPUT_SEED_SIZE 48 
@@ -563,7 +563,7 @@ prng_write_seedfile(void) debug("writing PRNG seed to file %.100s", filename); if (RAND_bytes(seed, sizeof(seed)) <= 0) - fatal("PRNG seed extration failed"); + fatal("PRNG seed extraction failed"); /* Don't care if the seed doesn't exist */ prng_check_seedfile(filename); -- cgit v1.2.3 From 7ff4e6dbe588aab63f1547e917734730f388aaa4 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 22 Sep 2003 19:50:14 -0700 Subject: [configure.ac] add --disable-etc-default-login option. ok djm --- ChangeLog | 3 ++- configure.ac | 6 +++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 35c648051..344aa56e3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -73,6 +73,7 @@ remove fatal callbacks from client code; ok deraadt - (bal) "extration" -> "extraction" in ssh-rand-helper.c; repoted by john on #unixhelp@efnet + - (tim) [configure.ac] add --disable-etc-default-login option. ok djm 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1209,4 +1210,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3037 2003/09/22 15:36:15 mouring Exp $ +$Id: ChangeLog,v 1.3038 2003/09/23 02:50:14 tim Exp $ diff --git a/configure.ac b/configure.ac index ac1a4d9f3..dbb08fbb5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.164 2003/09/22 04:38:11 tim Exp $ +# $Id: configure.ac,v 1.165 2003/09/23 02:50:14 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -2215,11 +2215,15 @@ else fi # check for /etc/default/login and use it if present. +AC_ARG_ENABLE(etc-default-login, + [ --disable-etc-default-login Disable using PATH from /etc/default/login [no]],, +[ AC_CHECK_FILE("/etc/default/login", [ external_path_file=/etc/default/login ]) if test "x$external_path_file" = "x/etc/default/login"; then AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN) fi +]) dnl BSD systems use /etc/login.conf so --with-default-path= has no effect if test $ac_cv_func_login_getcapbool = "yes" -a \ -- cgit v1.2.3 From 5c3a55846a87a40d10aaf08123e4101388d22b87 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 23 Sep 2003 22:12:38 +1000 Subject: - (djm) Sync with V_3_7 branch: - (djm) Fix SSH1 challenge kludge - (djm) Bug #671: Fix builds on OpenBSD - (djm) Bug #676: Fix PAM stack corruption - (djm) Fix bad free() in PAM code - (djm) Don't call pam_end before pam_init - (djm) Enable build with old OpenSSL again - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu --- ChangeLog | 11 +++++++- INSTALL | 19 +++---------- auth-chall.c | 2 +- auth-pam.c | 84 +++++++++++++++++++++++++++++++++++++--------------------- cipher-3des1.c | 4 +++ cipher-aes.c | 4 +++ cipher-bf1.c | 5 ++++ cipher-ctr.c | 6 +++++ cipher.c | 2 ++ configure.ac | 4 +-- log.c | 3 +++ servconf.c | 2 +- sftp-int.c | 1 + 13 files changed, 96 insertions(+), 51 deletions(-) diff --git a/ChangeLog b/ChangeLog index 344aa56e3..6fd95f733 100644 --- a/ChangeLog +++ b/ChangeLog 
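Review bot: The third argument of the new `AC_ARG_ENABLE(etc-default-login, ...)` is empty, and autoconf runs that argument whenever the option is given in either form, so `--enable-etc-default-login` skips the `/etc/default/login` check just as `--disable-etc-default-login` does. Only omitting the option runs `AC_CHECK_FILE`. Testing `$enableval` and doing the check outside the macro call keeps the two forms distinct; `etc_default_login` below is a name chosen for this sketch.

```m4
AC_ARG_ENABLE(etc-default-login,
	[  --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
	[ if test "x$enableval" = "xno" ; then
		etc_default_login=no
	  fi ])
if test "x$etc_default_login" != "xno" ; then
	dnl … unchanged: AC_CHECK_FILE("/etc/default/login", ...) and AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN) …
fi
```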
@@ -74,6 +74,15 @@ - (bal) "extration" -> "extraction" in ssh-rand-helper.c; repoted by john on #unixhelp@efnet - (tim) [configure.ac] add --disable-etc-default-login option. ok djm + - (djm) Sync with V_3_7 branch: + - (djm) Fix SSH1 challenge kludge + - (djm) Bug #671: Fix builds on OpenBSD + - (djm) Bug #676: Fix PAM stack corruption + - (djm) Fix bad free() in PAM code + - (djm) Don't call pam_end before pam_init + - (djm) Enable build with old OpenSSL again + - (djm) Trim deprecated options from INSTALL. Mention UsePAM + - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu 20030919 - (djm) Bug #683: Remove reference to --with-ipv4-default from INSTALL; @@ -1210,4 +1219,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3038 2003/09/23 02:50:14 tim Exp $ +$Id: ChangeLog,v 1.3039 2003/09/23 12:12:38 djm Exp $ diff --git a/INSTALL b/INSTALL index d4b1bdbce..86447f30a 100644 --- a/INSTALL +++ b/INSTALL @@ -101,11 +101,8 @@ name). There are a few other options to the configure script: ---with-pam enables PAM support. - ---enable-gnome-askpass will build the GNOME passphrase dialog. You -need a working installation of GNOME, including the development -headers, for this to work. +--with-pam enables PAM support. If PAM support is compiled in, it must +also be enabled in sshd_config (refer to the UsePAM directive). --with-prngd-socket=/some/file allows you to enable EGD or PRNGD support and to specify a PRNGd socket. Use this if your Unix lacks 
@@ -126,16 +123,6 @@ it if lastlog is installed in a different place. --with-osfsia, --without-osfsia will enable or disable OSF1's Security Integration Architecture. The default for OSF1 machines is enable. ---with-kerberos4=PATH will enable Kerberos IV support. You will need -to have the Kerberos libraries and header files installed for this -to work. Use the optional PATH argument to specify the root of your -Kerberos installation. - ---with-afs=PATH will enable AFS support. You will need to have the -Kerberos IV and the AFS libraries and header files installed for this -to work. Use the optional PATH argument to specify the root of your -AFS installation. AFS requires Kerberos support to be enabled. - --with-skey=PATH will enable S/Key one time password support. You will need the S/Key libraries and header files installed for this to work. @@ -211,4 +198,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.59 2003/09/22 03:28:36 dtucker Exp $ +$Id: INSTALL,v 1.60 2003/09/23 12:12:38 djm Exp $ diff --git a/auth-chall.c b/auth-chall.c index 6b7c8bd13..00d6e0ec5 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -92,7 +92,7 @@ verify_response(Authctxt *authctxt, const char *response) xfree(info); } /* if we received more prompts, we're screwed */ - res = (numprompts != 0); + res = (res == 0 && numprompts == 0) ? 0 : -1; } device->free_ctx(authctxt->kbdintctxt); authctxt->kbdintctxt = NULL; diff --git a/auth-pam.c b/auth-pam.c index 22706c5d6..75e2d16cb 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.73 2003/09/16 21:24:25 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.74 2003/09/23 12:12:38 djm Exp $"); #ifdef USE_PAM #include 
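Review bot: In `verify_response` (auth-chall.c), the comment `/* if we received more prompts, we're screwed */` no longer describes the line under it: `res = (res == 0 && numprompts == 0) ? 0 : -1;` now also keeps an earlier failure in `res` from being overwritten. I would reword it to something like `/* succeed only if the response was accepted and no further prompts are pending */`. Where `res` gets its earlier value is above the hunk.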
@@ -111,12 +111,12 @@ pthread_join(sp_pthread_t thread, void **value __unused) #endif -static pam_handle_t *sshpam_handle; -static int sshpam_err; -static int sshpam_authenticated; -static int sshpam_new_authtok_reqd; -static int sshpam_session_open; -static int sshpam_cred_established; +static pam_handle_t *sshpam_handle = NULL; +static int sshpam_err = 0; +static int sshpam_authenticated = 0; +static int sshpam_new_authtok_reqd = 0; +static int sshpam_session_open = 0; +static int sshpam_cred_established = 0; struct pam_ctxt { sp_pthread_t pam_thread; 
@@ -136,42 +136,51 @@ sshpam_thread_conv(int n, const struct pam_message **msg, { Buffer buffer; struct pam_ctxt *ctxt; + struct pam_response *reply; int i; + *resp = NULL; + ctxt = data; if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); - *resp = xmalloc(n * sizeof **resp); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + buffer_init(&buffer); for (i = 0; i < n; ++i) { - resp[i]->resp_retcode = 0; - resp[i]->resp = NULL; switch (PAM_MSG_MEMBER(msg, i, msg_style)) { case PAM_PROMPT_ECHO_OFF: - buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg)); + buffer_put_cstring(&buffer, + PAM_MSG_MEMBER(msg, i, msg)); ssh_msg_send(ctxt->pam_csock, PAM_MSG_MEMBER(msg, i, msg_style), &buffer); ssh_msg_recv(ctxt->pam_csock, &buffer); if (buffer_get_char(&buffer) != PAM_AUTHTOK) goto fail; - resp[i]->resp = buffer_get_string(&buffer, NULL); + reply[i].resp = buffer_get_string(&buffer, NULL); break; case PAM_PROMPT_ECHO_ON: - buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg)); + buffer_put_cstring(&buffer, + PAM_MSG_MEMBER(msg, i, msg)); ssh_msg_send(ctxt->pam_csock, PAM_MSG_MEMBER(msg, i, msg_style), &buffer); ssh_msg_recv(ctxt->pam_csock, &buffer); if (buffer_get_char(&buffer) != PAM_AUTHTOK) goto fail; - resp[i]->resp = buffer_get_string(&buffer, NULL); + reply[i].resp = buffer_get_string(&buffer, NULL); break; case PAM_ERROR_MSG: - buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg)); + buffer_put_cstring(&buffer, + PAM_MSG_MEMBER(msg, i, msg)); ssh_msg_send(ctxt->pam_csock, PAM_MSG_MEMBER(msg, i, msg_style), &buffer); break; case PAM_TEXT_INFO: - buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg)); + buffer_put_cstring(&buffer, + PAM_MSG_MEMBER(msg, i, msg)); ssh_msg_send(ctxt->pam_csock, PAM_MSG_MEMBER(msg, i, msg_style), &buffer); break; 
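Review bot: In both prompt cases of sshpam_thread_conv (PAM_PROMPT_ECHO_OFF and PAM_PROMPT_ECHO_ON) the result of `ssh_msg_recv(ctxt->pam_csock, &buffer)` is discarded before `buffer_get_char` and `buffer_get_string` parse the reply. If ssh_msg_recv reports a closed or short read through its return value (its declaration is not part of this diff, so this needs confirming), the conversation should take the existing error path instead of parsing an empty or stale buffer: `if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1) goto fail;`. The `fail` label and the end of the function are in the following hunk.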
@@ -181,12 +190,15 @@ sshpam_thread_conv(int n, const struct pam_message **msg, buffer_clear(&buffer); } buffer_free(&buffer); + *resp = reply; return (PAM_SUCCESS); + fail: - while (i) - xfree(resp[--i]); - xfree(*resp); - *resp = NULL; + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); buffer_free(&buffer); return (PAM_CONV_ERR); } @@ -258,6 +270,8 @@ sshpam_cleanup(void *arg) { (void)arg; debug("PAM: cleanup"); + if (sshpam_handle == NULL) + return; pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv); if (sshpam_cred_established) { pam_setcred(sshpam_handle, PAM_DELETE_CRED); 
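Review bot: The new `fail:` loop in sshpam_thread_conv frees `reply[i].resp` without clearing it, and for a PAM_PROMPT_ECHO_OFF message that string is the user's answer to a no-echo prompt, typically a password. Overwriting the string before release keeps the secret out of recycled heap memory, e.g. `memset(reply[i].resp, 0, strlen(reply[i].resp));` ahead of `xfree(reply[i].resp);`, ideally through a clearing helper the compiler cannot optimise away. The same loop is added to pam_chauthtok_conv further down in this file. `reply` now comes from plain `malloc` but is released with `xfree`; pairing it with `free` would keep the allocator calls symmetric.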
@@ -600,40 +614,50 @@ pam_chauthtok_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { char input[PAM_MAX_MSG_SIZE]; + struct pam_response *reply; int i; + *resp = NULL; + if (n <= 0 || n > PAM_MAX_NUM_MSG) return (PAM_CONV_ERR); - *resp = xmalloc(n * sizeof **resp); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + for (i = 0; i < n; ++i) { switch (PAM_MSG_MEMBER(msg, i, msg_style)) { case PAM_PROMPT_ECHO_OFF: - resp[i]->resp = + reply[i].resp = read_passphrase(PAM_MSG_MEMBER(msg, i, msg), RP_ALLOW_STDIN); - resp[i]->resp_retcode = PAM_SUCCESS; + reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_PROMPT_ECHO_ON: fputs(PAM_MSG_MEMBER(msg, i, msg), stderr); fgets(input, sizeof input, stdin); - resp[i]->resp = xstrdup(input); - resp[i]->resp_retcode = PAM_SUCCESS; + reply[i].resp = xstrdup(input); + reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: fputs(PAM_MSG_MEMBER(msg, i, msg), stderr); - resp[i]->resp_retcode = PAM_SUCCESS; + reply[i].resp_retcode = PAM_SUCCESS; break; default: goto fail; } } + *resp = reply; return (PAM_SUCCESS); + fail: - while (i) - xfree(resp[--i]); - xfree(*resp); - *resp = NULL; + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); return (PAM_CONV_ERR); } diff --git a/cipher-3des1.c b/cipher-3des1.c index f9a352397..6f9f5dd6b 100644 --- a/cipher-3des1.c +++ b/cipher-3des1.c @@ -29,6 +29,10 @@ RCSID("$OpenBSD: cipher-3des1.c,v 1.1 2003/05/15 03:08:29 markus Exp $"); #include "xmalloc.h" #include "log.h" +#if OPENSSL_VERSION_NUMBER < 0x00906000L +#define SSH_OLD_EVP +#endif + /* * This is used by SSH1: * diff --git a/cipher-aes.c b/cipher-aes.c index c41def600..7ba950191 100644 --- a/cipher-aes.c +++ b/cipher-aes.c 
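Review bot: The PAM_PROMPT_ECHO_ON branch of pam_chauthtok_conv calls `fgets(input, sizeof input, stdin)` without checking the result and then passes `input` to `xstrdup`. On end-of-file or a read error `input` is never written, so the copy reads an uninitialised stack buffer and hands its contents to the PAM module as the user's reply. A successful read also keeps the trailing newline in the response. Suggested: `if (fgets(input, sizeof input, stdin) == NULL) goto fail;` followed by `input[strcspn(input, "\n")] = '\0';` before the `xstrdup`.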
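Review bot: The three-line `SSH_OLD_EVP` definition added to cipher-3des1.c is repeated verbatim in cipher-aes.c, cipher-bf1.c and cipher-ctr.c, while cipher.c tests `OPENSSL_VERSION_NUMBER >= 0x00906000L` directly for the same cutoff. Five spellings of one threshold are easy to let drift apart. Defining the macro once in a header that all cipher files include, and using `#ifndef SSH_OLD_EVP` in cipher.c, would keep the cipher table and the EVP implementations in step. The macro also depends on the OpenSSL version header being included before this point, since an undefined `OPENSSL_VERSION_NUMBER` evaluates as 0 in `#if` and would select the old-EVP path; the include lines are not legible in this diff, so that is worth a check.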
@@ -31,6 +31,10 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.1 2003/05/15 03:08:29 markus Exp $"); #include "xmalloc.h" #include "log.h" +#if OPENSSL_VERSION_NUMBER < 0x00906000L +#define SSH_OLD_EVP +#endif + #define RIJNDAEL_BLOCKSIZE 16 struct ssh_rijndael_ctx { diff --git a/cipher-bf1.c b/cipher-bf1.c index 64578bae8..5af695c17 100644 --- a/cipher-bf1.c +++ b/cipher-bf1.c @@ -28,6 +28,11 @@ RCSID("$OpenBSD: cipher-bf1.c,v 1.1 2003/05/15 03:08:29 markus Exp $"); #include #include "xmalloc.h" #include "log.h" + +#if OPENSSL_VERSION_NUMBER < 0x00906000L +#define SSH_OLD_EVP +#endif + /* * SSH1 uses a variation on Blowfish, all bytes must be swapped before * and after encryption/decryption. Thus the swap_bytes stuff (yuk). diff --git a/cipher-ctr.c b/cipher-ctr.c index a2bab5c14..4f0814b22 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -21,6 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.2 2003/06/17 18:14:23 markus Exp $"); #include "log.h" #include "xmalloc.h" +#if OPENSSL_VERSION_NUMBER < 0x00906000L +#define SSH_OLD_EVP +#endif + #if OPENSSL_VERSION_NUMBER < 0x00907000L #include "rijndael.h" #define AES_KEY rijndael_ctx @@ -135,7 +139,9 @@ evp_aes_128_ctr(void) aes_ctr.init = ssh_aes_ctr_init; aes_ctr.cleanup = ssh_aes_ctr_cleanup; aes_ctr.do_cipher = ssh_aes_ctr; +#ifndef SSH_OLD_EVP aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; +#endif return (&aes_ctr); } diff --git a/cipher.c b/cipher.c index e7c3c5411..ce533670b 100644 --- a/cipher.c +++ b/cipher.c @@ -87,9 +87,11 @@ struct Cipher { { "rijndael-cbc@lysator.liu.se", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, #endif +#if OPENSSL_VERSION_NUMBER >= 0x00906000L { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr }, { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, +#endif { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL } }; 
diff --git a/configure.ac b/configure.ac index dbb08fbb5..164326c78 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.165 2003/09/23 02:50:14 tim Exp $ +# $Id: configure.ac,v 1.166 2003/09/23 12:12:38 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -480,7 +480,7 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \ sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ - util.h utime.h utmp.h utmpx.h) + util.h utime.h utmp.h utmpx.h vis.h) # Checks for libraries. AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) diff --git a/log.c b/log.c index 58ce8e5dd..9bce2555b 100644 --- a/log.c +++ b/log.c @@ -40,6 +40,9 @@ RCSID("$OpenBSD: log.c,v 1.28 2003/05/24 09:02:22 djm Exp $"); #include "xmalloc.h" #include +#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) +# include +#endif static LogLevel log_level = SYSLOG_LEVEL_INFO; static int log_on_stderr = 1; diff --git a/servconf.c b/servconf.c index 71e28b3cb..58f49a2f4 100644 --- a/servconf.c +++ b/servconf.c @@ -110,7 +110,7 @@ fill_default_server_options(ServerOptions *options) { /* Portable-specific options */ if (options->use_pam == -1) - options->use_pam = 1; + options->use_pam = 0; /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) diff --git a/sftp-int.c b/sftp-int.c index 94299aa43..c93eaabff 100644 --- a/sftp-int.c +++ b/sftp-int.c @@ -351,6 +351,7 @@ get_pathname(const char **cpp, char **path) for (i = j = 0; i <= strlen(cp); i++) { if (cp[i] == quot) { /* Found quote */ (*path)[j] = '\0'; + i++; break; } if (cp[i] == '\0') { /* End of string */ -- cgit v1.2.3 From dbb104791bc460b05441e5f48929a568de011fae Mon Sep 17 00:00:00 2001 
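Review bot: Flipping the fallback in fill_default_server_options to `options->use_pam = 0` means a server built with PAM whose sshd_config never mentions UsePAM stops running the PAM stack after an upgrade, and nothing at this line says so. Depending on the platform's PAM configuration that may include account and session modules an administrator relies on, so this is worth confirming with packagers. A comment such as `/* PAM stays off unless sshd_config says "UsePAM yes" */` on the assignment would record that the default is deliberate; the INSTALL hunk in this commit already points administrators at the directive. The function body continues beyond the hunk.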
From: Damien Miller Date: Wed, 24 Sep 2003 08:30:18 +1000 Subject: - (djm) Update version.h and spec files for HEAD --- ChangeLog | 5 ++++- contrib/caldera/openssh.spec | 4 ++-- contrib/redhat/openssh.spec | 2 +- contrib/suse/openssh.spec | 2 +- version.h | 2 +- 5 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6fd95f733..d2b6de755 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20030924 + - (djm) Update version.h and spec files for HEAD + 20030923 - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree builds. Portability corrections from tim@. @@ -1219,4 +1222,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3039 2003/09/23 12:12:38 djm Exp $ +$Id: ChangeLog,v 1.3040 2003/09/23 22:30:18 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 6cdfa83e9..3f286d8c3 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 3.7.1p1 + %define version 3.7.1p2 %define cvs %{nil} %define release 1 %else @@ -364,4 +364,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.45 2003/09/16 21:32:18 djm Exp $ +$Id: openssh.spec,v 1.46 2003/09/23 22:30:19 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 9c75c0339..09e405475 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,4 +1,4 @@ -%define ver 3.7.1p1 +%define ver 3.7.1p2 %define rel 1 # OpenSSH privilege separation requires a user & group ID diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index be6971d6e..940bc4ade 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec 
@@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 3.7.1p1 +Version: 3.7.1p2 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/version.h b/version.h index 20daac42a..0a98e4290 100644 --- a/version.h +++ b/version.h @@ -1,3 +1,3 @@ /* $OpenBSD: version.h,v 1.39 2003/09/16 21:02:40 markus Exp $ */ -#define SSH_VERSION "OpenSSH_3.7.1p1" +#define SSH_VERSION "OpenSSH_3.7.1p2" -- cgit v1.2.3 From beaf6790e1ee4133ff12b22f9f61f8045f071cdc Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 24 Sep 2003 20:03:48 +1000 Subject: - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6. --- ChangeLog | 3 ++- configure.ac | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d2b6de755..0d70edd50 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ 20030924 - (djm) Update version.h and spec files for HEAD + - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6. 20030923 - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree @@ -1222,4 +1223,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3040 2003/09/23 22:30:18 djm Exp $ +$Id: ChangeLog,v 1.3041 2003/09/24 10:03:48 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 164326c78..812eb4333 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.166 2003/09/23 12:12:38 djm Exp $ +# $Id: configure.ac,v 1.167 2003/09/24 10:03:48 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -189,6 +189,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" AC_DEFINE(BROKEN_INET_NTOA) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; -- cgit v1.2.3 From b88fcc755d675a54140a264bffec49c8803bf475 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 25 Sep 2003 20:18:33 +1000 Subject: - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from michael_steffens at hp.com, ok djm@ --- ChangeLog | 7 ++++++- configure.ac | 5 +---- openbsd-compat/xcrypt.c | 4 ---- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0d70edd50..8e951dc9d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20030925 + - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove + DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from + michael_steffens at hp.com, ok djm@ + 20030924 - (djm) Update version.h and spec files for HEAD - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6. @@ -1223,4 +1228,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3041 2003/09/24 10:03:48 dtucker Exp $ +$Id: ChangeLog,v 1.3042 2003/09/25 10:18:33 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 812eb4333..505907c30 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.167 2003/09/24 10:03:48 dtucker Exp $ +# $Id: configure.ac,v 1.168 2003/09/25 10:18:34 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -146,7 +146,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(USE_PIPES) AC_DEFINE(LOGIN_NO_ENDOPT) AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) @@ -163,7 +162,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(USE_PIPES) AC_DEFINE(LOGIN_NO_ENDOPT) AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) @@ -177,7 +175,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(USE_PIPES) AC_DEFINE(LOGIN_NO_ENDOPT) AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c index 5b5d69c72..a0fe6c620 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c @@ -104,10 +104,6 @@ shadow_pw(struct passwd *pw) if (spw != NULL) pw_password = spw->ufld.fd_encrypt; -# elif defined(__hpux) && !defined(HAVE_SECUREWARE) - struct pr_passwd *spw; - if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) - pw_password = spw->ufld.fd_encrypt; # endif return pw_password; -- cgit v1.2.3 From d4d1815cae3ad1d9536e456a2772a97e7f666446 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 25 Sep 2003 19:04:34 -0700 Subject: [sshd_config] UsePAM defaults to no. --- ChangeLog | 3 ++- sshd_config | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8e951dc9d..fb8daf563 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from michael_steffens at hp.com, ok djm@ + - (tim) [sshd_config] UsePAM defaults to no. 20030924 - (djm) Update version.h and spec files for HEAD 
@@ -1228,4 +1229,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3042 2003/09/25 10:18:33 dtucker Exp $ +$Id: ChangeLog,v 1.3043 2003/09/26 02:04:34 tim Exp $ diff --git a/sshd_config b/sshd_config index dd53f1057..af0dec09f 100644 --- a/sshd_config +++ b/sshd_config @@ -69,7 +69,7 @@ # Set this to 'yes' to enable PAM authentication (via challenge-response) # and session processing. Depending on your PAM configuration, this may # bypass the setting of 'PasswordAuthentication' -#UsePAM yes +#UsePAM no #AllowTcpForwarding yes #GatewayPorts no -- cgit v1.2.3 From b210aa2cfa546d8c31f8c725d1de3050c747bd6e Mon Sep 17 00:00:00 2001 From: Ben Lindstrom Date: Tue, 30 Sep 2003 23:49:06 +0000 Subject: - (bal) Fix issues in openbsd-compat/realpath.c --- ChangeLog | 5 ++++- openbsd-compat/realpath.c | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index fb8daf563..c782c10d5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20030930 + - (bal) Fix issues in openbsd-compat/realpath.c + 20030925 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from @@ -1229,4 +1232,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3043 2003/09/26 02:04:34 tim Exp $ +$Id: ChangeLog,v 1.3044 2003/09/30 23:49:06 mouring Exp $ diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c index 77da14e7c..922305ffd 100644 --- a/openbsd-compat/realpath.c +++ b/openbsd-compat/realpath.c @@ -150,7 +150,7 @@ loop: serrno = ENAMETOOLONG; goto err1; } - if (needslash == 0) + if (needslash) strlcat(resolved, "/", MAXPATHLEN); strlcat(resolved, wbuf, MAXPATHLEN); } -- cgit v1.2.3 
From 3e33cecf71860f73656a73b754cc7b7b9ec0b0ce Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 2 Oct 2003 16:12:36 +1000 Subject: - markus@cvs.openbsd.org 2003/09/23 20:17:11 [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h ssh-agent.c sshd.c] replace fatal_cleanup() and linked list of fatal callbacks with static cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@ --- ChangeLog | 14 ++++++++- Makefile.in | 6 ++-- auth-krb5.c | 11 ++----- auth.c | 10 +------ auth.h | 11 +++---- auth1.c | 10 ++----- auth2.c | 22 ++------------ canohost.c | 8 ++--- cleanup.c | 26 ++++++++++++++++ clientloop.c | 11 ++----- fatal.c | 4 +-- gss-serv.c | 8 ++--- log.c | 79 +----------------------------------------------- log.h | 9 ++---- monitor.c | 17 +++++------ monitor.h | 4 +-- monitor_wrap.c | 17 ++++++++--- monitor_wrap.h | 6 ++-- packet.c | 10 +++---- serverloop.c | 14 ++++----- session.c | 94 ++++++++++++++++++++++++++++++++++------------------------ session.h | 5 ++-- ssh-agent.c | 15 ++-------- sshd.c | 59 ++++++++++++++++++++++-------------- 24 files changed, 203 insertions(+), 267 deletions(-) create mode 100644 cleanup.c diff --git a/ChangeLog b/ChangeLog index c782c10d5..a25c731b0 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,15 @@ +20031002 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/09/23 20:17:11 + [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c + cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h + monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h + ssh-agent.c sshd.c] + replace fatal_cleanup() and linked list of fatal callbacks with static + cleanup_exit() function. re-refine cleanup_exit() where appropriate, + allocate sshd's authctxt eary to allow simpler cleanup in sshd. + tested by many, ok deraadt@ + 20030930 - (bal) Fix issues in openbsd-compat/realpath.c @@ -1232,4 +1244,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3044 2003/09/30 23:49:06 mouring Exp $ +$Id: ChangeLog,v 1.3045 2003/10/02 06:12:36 dtucker Exp $ diff --git a/Makefile.in b/Makefile.in index 4368132e5..dce12c4d1 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.250 2003/09/22 00:58:56 dtucker Exp $ +# $Id: Makefile.in,v 1.251 2003/10/02 06:12:36 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -62,8 +62,8 @@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ - cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \ - compat.o compress.o crc32.o deattack.o fatal.o \ + cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \ + cleanup.o compat.o compress.o crc32.o deattack.o fatal.o \ hostfile.o log.o match.o moduli.o mpaux.o nchan.o packet.o \ readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ diff --git a/auth-krb5.c b/auth-krb5.c index 0aa5195b8..e31f2eb0e 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.12 2003/08/28 12:54:34 markus Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.13 2003/09/23 20:17:11 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -50,7 +50,6 @@ krb5_init(void *context) { Authctxt *authctxt = (Authctxt *)context; krb5_error_code problem; - static int cleanup_registered = 0; if (authctxt->krb5_ctx == NULL) { problem = krb5_init_context(&authctxt->krb5_ctx); @@ -58,10 +57,6 @@ krb5_init(void *context) return (problem); krb5_init_ets(authctxt->krb5_ctx); } - if (!cleanup_registered) { - fatal_add_cleanup(krb5_cleanup_proc, authctxt); - cleanup_registered = 1; - } return (0); } @@ -205,10 +200,8 @@ auth_krb5_password(Authctxt *authctxt, const char *password) } void -krb5_cleanup_proc(void *context) +krb5_cleanup_proc(Authctxt *authctxt) { - Authctxt *authctxt = (Authctxt *)context; - debug("krb5_cleanup_proc called"); if (authctxt->krb5_fwd_ccache) { krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); diff --git a/auth.c b/auth.c index 46e495adf..029672877 100644 --- a/auth.c +++ b/auth.c 
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.49 2003/08/26 09:58:43 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.50 2003/09/23 20:17:11 markus Exp $"); #ifdef HAVE_LOGIN_H #include @@ -263,14 +263,6 @@ allowed_user(struct passwd * pw) return 1; } -Authctxt * -authctxt_new(void) -{ - Authctxt *authctxt = xmalloc(sizeof(*authctxt)); - memset(authctxt, 0, sizeof(*authctxt)); - return authctxt; -} - void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) { diff --git a/auth.h b/auth.h index beaacb8bc..b081bb5cb 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.46 2003/08/28 12:54:34 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.47 2003/09/23 20:17:11 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. @@ -118,15 +118,14 @@ int user_key_allowed(struct passwd *, Key *); int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); int auth_krb5_password(Authctxt *authctxt, const char *password); -void krb5_cleanup_proc(void *authctxt); +void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ #include "auth-pam.h" -Authctxt *do_authentication(void); -Authctxt *do_authentication2(void); +void do_authentication(Authctxt *); +void do_authentication2(Authctxt *); -Authctxt *authctxt_new(void); void auth_log(Authctxt *, int, char *, char *); void userauth_finish(Authctxt *, int, char *); int auth_root_allowed(char *); @@ -149,8 +148,6 @@ char *get_challenge(Authctxt *); int verify_response(Authctxt *, const char *); void abandon_challenge_response(Authctxt *); -struct passwd * auth_get_user(void); - char *expand_filename(const char *, struct passwd *); char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); diff --git a/auth1.c b/auth1.c index dfe944dd1..38c0bf93c 100644 --- a/auth1.c +++ b/auth1.c 
@@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.53 2003/09/23 20:17:11 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -275,10 +275,9 @@ do_authloop(Authctxt *authctxt) * Performs authentication of an incoming connection. Session key has already * been exchanged and encryption is enabled. */ -Authctxt * -do_authentication(void) +void +do_authentication(Authctxt *authctxt) { - Authctxt *authctxt; u_int ulen; char *user, *style = NULL; @@ -292,7 +291,6 @@ do_authentication(void) if ((style = strchr(user, ':')) != NULL) *style++ = '\0'; - authctxt = authctxt_new(); authctxt->user = user; authctxt->style = style; @@ -332,6 +330,4 @@ do_authentication(void) packet_start(SSH_SMSG_SUCCESS); packet_send(); packet_write_wait(); - - return (authctxt); } diff --git a/auth2.c b/auth2.c index 41e77efdc..ef1173fe6 100644 --- a/auth2.c +++ b/auth2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.102 2003/08/26 09:58:43 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.103 2003/09/23 20:17:11 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -45,8 +45,6 @@ extern ServerOptions options; extern u_char *session_id2; extern u_int session_id2_len; -Authctxt *x_authctxt = NULL; - /* methods */ extern Authmethod method_none; @@ -85,13 +83,9 @@ int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); * loop until authctxt->success == TRUE */ -Authctxt * -do_authentication2(void) +void +do_authentication2(Authctxt *authctxt) { - Authctxt *authctxt = authctxt_new(); - - x_authctxt = authctxt; /*XXX*/ - /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; 
@@ -99,8 +93,6 @@ do_authentication2(void) dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); - - return (authctxt); } static void @@ -264,14 +256,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) } } -/* get current user */ - -struct passwd* -auth_get_user(void) -{ - return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL; -} - #define DELIM "," static char * diff --git a/canohost.c b/canohost.c index 438175f76..fca7134f9 100644 --- a/canohost.c +++ b/canohost.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: canohost.c,v 1.37 2003/06/02 09:17:34 markus Exp $"); +RCSID("$OpenBSD: canohost.c,v 1.38 2003/09/23 20:17:11 markus Exp $"); #include "packet.h" #include "xmalloc.h" @@ -40,7 +40,7 @@ get_remote_hostname(int socket, int use_dns) memset(&from, 0, sizeof(from)); if (getpeername(socket, (struct sockaddr *)&from, &fromlen) < 0) { debug("getpeername failed: %.100s", strerror(errno)); - fatal_cleanup(); + cleanup_exit(255); } #ifdef IPV4_IN_IPV6 if (from.ss_family == AF_INET6) { @@ -296,7 +296,7 @@ get_remote_ipaddr(void) canonical_host_ip = get_peer_ipaddr(packet_get_connection_in()); if (canonical_host_ip == NULL) - fatal_cleanup(); + cleanup_exit(255); } else { /* If not on socket, return UNKNOWN. */ canonical_host_ip = xstrdup("UNKNOWN"); @@ -336,7 +336,7 @@ get_sock_port(int sock, int local) } else { if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) { debug("getpeername failed: %.100s", strerror(errno)); - fatal_cleanup(); + cleanup_exit(255); } } diff --git a/cleanup.c b/cleanup.c new file mode 100644 index 000000000..11d1d4d9a --- /dev/null +++ b/cleanup.c 
@@ -0,0 +1,26 @@ +/* + * Copyright (c) 2003 Markus Friedl + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#include "includes.h" +RCSID("$OpenBSD: cleanup.c,v 1.1 2003/09/23 20:17:11 markus Exp $"); + +#include "log.h" + +/* default implementation */ +void +cleanup_exit(int i) +{ + _exit(i); +} diff --git a/clientloop.c b/clientloop.c index bc50f0bca..d3a32a81a 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.113 2003/09/19 17:43:35 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.114 2003/09/23 20:17:11 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1384,14 +1384,9 @@ client_init_dispatch(void) /* client specific fatal cleanup */ void -fatal(const char *fmt,...) +cleanup_exit(int i) { - va_list args; - - va_start(args, fmt); - do_log(SYSLOG_LEVEL_FATAL, fmt, args); - va_end(args); leave_raw_mode(); leave_non_blocking(); - _exit(255); + _exit(i); } diff --git a/fatal.c b/fatal.c index 9e7d16000..ae1aaac6e 100644 --- a/fatal.c +++ b/fatal.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: fatal.c,v 1.1 2002/02/22 12:20:34 markus Exp $"); +RCSID("$OpenBSD: fatal.c,v 1.2 2003/09/23 20:17:11 markus Exp $"); #include "log.h" 
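Review bot: The default cleanup_exit added in cleanup.c ends the process with `_exit(i)`, whereas the fatal_cleanup() it replaces in log.c finished with `exit(255)`. Programs that link this default therefore no longer run atexit handlers or flush stdio buffers on a fatal error, and the one-line comment `/* default implementation */` does not tell the next maintainer that this is intended. I would expand it to say that the default performs no cleanup, that `_exit` is used deliberately to skip atexit and stdio processing, and that a program needing cleanup supplies its own cleanup_exit, as clientloop.c does in this commit.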
@@ -36,5 +36,5 @@ fatal(const char *fmt,...) va_start(args, fmt); do_log(SYSLOG_LEVEL_FATAL, fmt, args); va_end(args); - fatal_cleanup(); + cleanup_exit(255); } diff --git a/gss-serv.c b/gss-serv.c index 8fd1d63f0..6574f9750 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.3 2003/08/31 13:31:57 markus Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.4 2003/09/23 20:17:11 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -232,9 +232,9 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client) return (ctx->major); } -/* As user - called through fatal cleanup hook */ +/* As user - called on fatal/exit */ void -ssh_gssapi_cleanup_creds(void *ignored) +ssh_gssapi_cleanup_creds(void) { if (gssapi_client.store.filename != NULL) { /* Unlink probably isn't sufficient */ @@ -249,8 +249,6 @@ ssh_gssapi_storecreds(void) { if (gssapi_client.mech && gssapi_client.mech->storecreds) { (*gssapi_client.mech->storecreds)(&gssapi_client); - if (options.gss_cleanup_creds) - fatal_add_cleanup(ssh_gssapi_cleanup_creds, NULL); } else debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism"); } diff --git a/log.c b/log.c index 9bce2555b..686a2a43c 100644 --- a/log.c +++ b/log.c @@ -34,7 +34,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: log.c,v 1.28 2003/05/24 09:02:22 djm Exp $"); +RCSID("$OpenBSD: log.c,v 1.29 2003/09/23 20:17:11 markus Exp $"); #include "log.h" #include "xmalloc.h" 
@@ -183,83 +183,6 @@ debug3(const char *fmt,...) va_end(args); } -/* Fatal cleanup */ - -struct fatal_cleanup { - struct fatal_cleanup *next; - void (*proc) (void *); - void *context; -}; - -static struct fatal_cleanup *fatal_cleanups = NULL; - -/* Registers a cleanup function to be called by fatal() before exiting. */ - -void -fatal_add_cleanup(void (*proc) (void *), void *context) -{ - struct fatal_cleanup *cu; - - cu = xmalloc(sizeof(*cu)); - cu->proc = proc; - cu->context = context; - cu->next = fatal_cleanups; - fatal_cleanups = cu; -} - -/* Removes a cleanup frunction to be called at fatal(). */ - -void -fatal_remove_cleanup(void (*proc) (void *context), void *context) -{ - struct fatal_cleanup **cup, *cu; - - for (cup = &fatal_cleanups; *cup; cup = &cu->next) { - cu = *cup; - if (cu->proc == proc && cu->context == context) { - *cup = cu->next; - xfree(cu); - return; - } - } - fatal("fatal_remove_cleanup: no such cleanup function: 0x%lx 0x%lx", - (u_long) proc, (u_long) context); -} - -/* Remove all cleanups, to be called after fork() */ -void -fatal_remove_all_cleanups(void) -{ - struct fatal_cleanup *cu, *next_cu; - - for (cu = fatal_cleanups; cu; cu = next_cu) { - next_cu = cu->next; - xfree(cu); - } - fatal_cleanups = NULL; -} - -/* Cleanup and exit */ -void -fatal_cleanup(void) -{ - struct fatal_cleanup *cu, *next_cu; - static int called = 0; - - if (called) - exit(255); - called = 1; - /* Call cleanup functions. */ - for (cu = fatal_cleanups; cu; cu = next_cu) { - next_cu = cu->next; - debug("Calling cleanup 0x%lx(0x%lx)", - (u_long) cu->proc, (u_long) cu->context); - (*cu->proc) (cu->context); - } - exit(255); -} - - /* * Initialize the log. */ diff --git a/log.h b/log.h index c3666818f..e0263194f 100644 --- a/log.h +++ b/log.h @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.9 2003/04/08 20:21:28 itojun Exp $ */ +/* $OpenBSD: log.h,v 1.10 2003/09/23 20:17:11 markus Exp $ */ /* * Author: Tatu Ylonen 
@@ -61,11 +61,6 @@ void debug(const char *, ...) __attribute__((format(printf, 1, 2))); void debug2(const char *, ...) __attribute__((format(printf, 1, 2))); void debug3(const char *, ...) __attribute__((format(printf, 1, 2))); -void fatal_cleanup(void); -void fatal_add_cleanup(void (*) (void *), void *); -void fatal_remove_cleanup(void (*) (void *), void *); -void fatal_remove_all_cleanups(void); - void do_log(LogLevel, const char *, va_list); - +void cleanup_exit(int); #endif diff --git a/monitor.c b/monitor.c index e5656470d..eaf66f7c8 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.50 2003/09/23 20:17:11 markus Exp $"); #include @@ -272,14 +272,17 @@ monitor_permit_authentications(int permit) } } -Authctxt * -monitor_child_preauth(struct monitor *pmonitor) +void +monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) { struct mon_table *ent; int authenticated = 0; debug3("preauth child monitor started"); + authctxt = _authctxt; + memset(authctxt, 0, sizeof(*authctxt)); + if (compat20) { mon_dispatch = mon_dispatch_proto20; @@ -292,8 +295,6 @@ monitor_child_preauth(struct monitor *pmonitor) monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); } - authctxt = authctxt_new(); - /* The first few requests do not require asynchronous access */ while (!authenticated) { authenticated = monitor_read(pmonitor, mon_dispatch, &ent); @@ -333,8 +334,6 @@ monitor_child_preauth(struct monitor *pmonitor) __func__, authctxt->user); mm_get_keystate(pmonitor); - - return (authctxt); } static void @@ -1185,7 +1184,7 @@ mm_record_login(Session *s, struct passwd *pw) if (getpeername(packet_get_connection_in(), (struct sockaddr *) & from, &fromlen) < 0) { debug("getpeername: %.100s", strerror(errno)); - fatal_cleanup(); + cleanup_exit(255); } } /* Record that there was a login on that tty from the remote host. */ 
@@ -1200,7 +1199,6 @@ mm_session_close(Session *s) debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); if (s->ttyfd != -1) { debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); - fatal_remove_cleanup(session_pty_cleanup2, (void *)s); session_pty_cleanup2(s); } s->used = 0; @@ -1225,7 +1223,6 @@ mm_answer_pty(int socket, Buffer *m) res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); if (res == 0) goto error; - fatal_add_cleanup(session_pty_cleanup2, (void *)s); pty_setowner(authctxt->pw, s->tty); buffer_put_int(m, 1); diff --git a/monitor.h b/monitor.h index 2461156c7..a153f4168 100644 --- a/monitor.h +++ b/monitor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.11 2003/08/28 12:54:34 markus Exp $ */ +/* $OpenBSD: monitor.h,v 1.12 2003/09/23 20:17:11 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -76,7 +76,7 @@ void monitor_reinit(struct monitor *); void monitor_sync(struct monitor *); struct Authctxt; -struct Authctxt *monitor_child_preauth(struct monitor *); +void monitor_child_preauth(struct Authctxt *, struct monitor *); void monitor_child_postauth(struct monitor *); struct mon_table; diff --git a/monitor_wrap.c b/monitor_wrap.c index 4034d569c..99dfc8508 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.31 2003/08/28 12:54:34 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.32 2003/09/23 20:17:11 markus Exp $"); #include #include @@ -66,6 +66,16 @@ extern struct monitor *pmonitor; extern Buffer input, output; extern ServerOptions options; +int +mm_is_monitor(void) +{ + /* + * m_pid is only set in the privileged part, and + * points to the unprivileged child. + */ + return (pmonitor->m_pid > 0); +} + void mm_request_send(int socket, enum monitor_reqtype type, Buffer *m) { 
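Review bot: `mm_is_monitor()`, added in the monitor_wrap.c hunk, dereferences `pmonitor` with no NULL check, and its new caller `do_cleanup()` runs on every exit path through `cleanup_exit()`. `do_cleanup()` only reaches it when `use_privsep` is set, but where `pmonitor` is first assigned is not visible in this diff. If any fatal path can run with `use_privsep` set before that assignment, the exit path itself would fault and the remaining cleanup would be skipped. The guard is one expression: `return (pmonitor && pmonitor->m_pid > 0);`.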
@@ -94,7 +104,7 @@ mm_request_receive(int socket, Buffer *m) res = atomicio(read, socket, buf, sizeof(buf)); if (res != sizeof(buf)) { if (res == 0) - fatal_cleanup(); + cleanup_exit(255); fatal("%s: read: %ld", __func__, (long)res); } msg_len = GET_32BIT(buf); @@ -648,9 +658,8 @@ mm_pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) } void -mm_session_pty_cleanup2(void *session) +mm_session_pty_cleanup2(Session *s) { - Session *s = session; Buffer m; if (s->ttyfd == -1) diff --git a/monitor_wrap.h b/monitor_wrap.h index 5e0334588..76c02f13a 100644 --- a/monitor_wrap.h +++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.11 2003/08/28 12:54:34 markus Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.12 2003/09/23 20:17:11 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -40,6 +40,7 @@ struct mm_master; struct passwd; struct Authctxt; +int mm_is_monitor(void); DH *mm_choose_dh(int, int, int); int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); void mm_inform_authserv(char *, char *); @@ -72,9 +73,10 @@ int mm_sshpam_respond(void *, u_int, char **); void mm_sshpam_free_ctx(void *); #endif +struct Session; void mm_terminate(void); int mm_pty_allocate(int *, int *, char *, int); -void mm_session_pty_cleanup2(void *); +void mm_session_pty_cleanup2(struct Session *); /* SSHv1 interfaces */ void mm_ssh1_session_id(u_char *); diff --git a/packet.c b/packet.c index 6e7e574ab..52b4f664c 100644 --- a/packet.c +++ b/packet.c @@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: packet.c,v 1.111 2003/09/19 11:33:09 markus Exp $"); +RCSID("$OpenBSD: packet.c,v 1.112 2003/09/23 20:17:11 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -868,7 +868,7 @@ packet_read_seqnr(u_int32_t *seqnr_p) len = read(connection_in, buf, sizeof(buf)); if (len == 0) { logit("Connection closed by %.200s", get_remote_ipaddr()); - fatal_cleanup(); + cleanup_exit(255); } if (len < 0) fatal("Read from socket failed: %.100s", strerror(errno)); 
@@ -1134,7 +1134,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) logit("Received disconnect from %s: %u: %.400s", get_remote_ipaddr(), reason, msg); xfree(msg); - fatal_cleanup(); + cleanup_exit(255); break; case SSH2_MSG_UNIMPLEMENTED: seqnr = packet_get_int(); @@ -1159,7 +1159,7 @@ packet_read_poll_seqnr(u_int32_t *seqnr_p) msg = packet_get_string(NULL); logit("Received disconnect from %s: %.400s", get_remote_ipaddr(), msg); - fatal_cleanup(); + cleanup_exit(255); xfree(msg); break; default: @@ -1336,7 +1336,7 @@ packet_disconnect(const char *fmt,...) /* Close the connection. */ packet_close(); - fatal_cleanup(); + cleanup_exit(255); } /* Checks if there is any buffered output, and tries to write some of the output. */ diff --git a/serverloop.c b/serverloop.c index a95390273..21656cf87 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.110 2003/06/24 08:23:46 markus Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.111 2003/09/23 20:17:11 markus Exp $"); #include "xmalloc.h" #include "packet.h" @@ -60,7 +60,7 @@ extern ServerOptions options; /* XXX */ extern Kex *xxx_kex; -static Authctxt *xxx_authctxt; +extern Authctxt *the_authctxt; static Buffer stdin_buffer; /* Buffer for stdin data. */ static Buffer stdout_buffer; /* Buffer for stdout data. */ @@ -355,13 +355,13 @@ process_input(fd_set * readset) connection_closed = 1; if (compat20) return; - fatal_cleanup(); + cleanup_exit(255); } else if (len < 0) { if (errno != EINTR && errno != EAGAIN) { verbose("Read error from remote host " "%.100s: %.100s", get_remote_ipaddr(), strerror(errno)); - fatal_cleanup(); + cleanup_exit(255); } } else { /* Buffer any received data. */ @@ -756,8 +756,6 @@ server_loop2(Authctxt *authctxt) max_fd = MAX(connection_in, connection_out); max_fd = MAX(max_fd, notify_pipe[0]); - xxx_authctxt = authctxt; - server_init_dispatch(); for (;;) { 
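Review bot: In the `@@ -1159,7 +1159,7 @@` hunk of packet.c, `cleanup_exit(255);` is followed by `xfree(msg); break;`, which cannot run when `cleanup_exit()` does not return, as sshd's version ending in `_exit(i)` does not. The disconnect case in the hunk above frees `msg` before exiting. Use the same order here, `xfree(msg);` then `cleanup_exit(255);`, so the two branches read alike and nobody assumes the free happens. Both cases belong to `packet_read_poll_seqnr()`, whose body extends beyond these hunks.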
@@ -900,7 +898,7 @@ server_request_session(char *ctype) c = channel_new(ctype, SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1); - if (session_open(xxx_authctxt, c->self) != 1) { + if (session_open(the_authctxt, c->self) != 1) { debug("session open failed, free channel %d", c->self); channel_free(c); return NULL; @@ -974,7 +972,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) char *listen_address; u_short listen_port; - pw = auth_get_user(); + pw = the_authctxt->pw; if (pw == NULL) fatal("server_input_global_request: no user"); listen_address = packet_get_string(NULL); diff --git a/session.c b/session.c index 2898ac518..647be401e 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.164 2003/09/18 08:49:45 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.165 2003/09/23 20:17:11 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -66,7 +66,7 @@ RCSID("$OpenBSD: session.c,v 1.164 2003/09/18 08:49:45 markus Exp $"); Session *session_new(void); void session_set_fds(Session *, int, int, int); -void session_pty_cleanup(void *); +void session_pty_cleanup(Session *); void session_proctitle(Session *); int session_setup_x11fwd(Session *); void do_exec_pty(Session *, const char *); @@ -106,6 +106,8 @@ Session sessions[MAX_SESSIONS]; login_cap_t *lc; #endif +static int is_child = 0; + /* Name and directory of socket for authentication agent forwarding. */ static char *auth_sock_name = NULL; static char *auth_sock_dir = NULL; @@ -113,10 +115,8 @@ static char *auth_sock_dir = NULL; /* removes the agent forwarding socket */ static void -auth_sock_cleanup_proc(void *_pw) +auth_sock_cleanup_proc(struct passwd *pw) { - struct passwd *pw = _pw; - if (auth_sock_name != NULL) { temporarily_use_uid(pw); unlink(auth_sock_name); 
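Review bot: The `server_input_global_request` hunk now reads `the_authctxt->pw` directly, so the only check left before the forwarding request is processed is `pw == NULL`. `auth_get_user()` is not shown in this diff; if it also required the context to be marked valid, that condition is silently dropped here. `the_authctxt` is also dereferenced without a NULL check. Keeping the stricter test costs nothing: `if (pw == NULL || !the_authctxt->valid)` before the `fatal()`. The function body continues outside the hunk.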
@@ -160,9 +160,6 @@ auth_input_request_forwarding(struct passwd * pw) snprintf(auth_sock_name, MAXPATHLEN, "%s/agent.%ld", auth_sock_dir, (long) getpid()); - /* delete agent socket on fatal() */ - fatal_add_cleanup(auth_sock_cleanup_proc, pw); - /* Create the socket. */ sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) @@ -217,13 +214,7 @@ do_authenticated(Authctxt *authctxt) else do_authenticated1(authctxt); - /* remove agent socket */ - if (auth_sock_name != NULL) - auth_sock_cleanup_proc(authctxt->pw); -#ifdef KRB5 - if (options.kerberos_ticket_cleanup) - krb5_cleanup_proc(authctxt); -#endif + do_cleanup(authctxt); } /* @@ -405,7 +396,7 @@ do_exec_no_pty(Session *s, const char *command) /* Fork the child. */ if ((pid = fork()) == 0) { - fatal_remove_all_cleanups(); + is_child = 1; /* Child. Reinitialize the log since the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -531,7 +522,7 @@ do_exec_pty(Session *s, const char *command) /* Fork the child. */ if ((pid = fork()) == 0) { - fatal_remove_all_cleanups(); + is_child = 1; /* Child. Reinitialize the log because the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -627,7 +618,7 @@ do_pre_login(Session *s) if (getpeername(packet_get_connection_in(), (struct sockaddr *) & from, &fromlen) < 0) { debug("getpeername: %.100s", strerror(errno)); - fatal_cleanup(); + cleanup_exit(255); } } @@ -687,7 +678,7 @@ do_login(Session *s, const char *command) if (getpeername(packet_get_connection_in(), (struct sockaddr *) & from, &fromlen) < 0) { debug("getpeername: %.100s", strerror(errno)); - fatal_cleanup(); + cleanup_exit(255); } } 
@@ -1178,7 +1169,7 @@ do_rc_files(Session *s, const char *shell) if (debug_flag) { fprintf(stderr, "Running %.500s remove %.100s\n", - options.xauth_location, s->auth_display); + options.xauth_location, s->auth_display); fprintf(stderr, "%.500s add %.100s %.100s %.100s\n", options.xauth_location, s->auth_display, @@ -1663,11 +1654,6 @@ session_pty_req(Session *s) n_bytes = packet_remaining(); tty_parse_modes(s->ttyfd, &n_bytes); - /* - * Add a cleanup function to clear the utmp entry and record logout - * time in case we call fatal() (e.g., the connection gets closed). - */ - fatal_add_cleanup(session_pty_cleanup, (void *)s); if (!use_privsep) pty_setowner(s->pw, s->tty); @@ -1849,10 +1835,8 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr) * (e.g., due to a dropped connection). */ void -session_pty_cleanup2(void *session) +session_pty_cleanup2(Session *s) { - Session *s = session; - if (s == NULL) { error("session_pty_cleanup: no session"); return; @@ -1883,9 +1867,9 @@ session_pty_cleanup2(void *session) } void -session_pty_cleanup(void *session) +session_pty_cleanup(Session *s) { - PRIVSEP(session_pty_cleanup2(session)); + PRIVSEP(session_pty_cleanup2(s)); } static char * @@ -1958,10 +1942,8 @@ void session_close(Session *s) { debug("session_close: session %d pid %ld", s->self, (long)s->pid); - if (s->ttyfd != -1) { - fatal_remove_cleanup(session_pty_cleanup, (void *)s); + if (s->ttyfd != -1) session_pty_cleanup(s); - } if (s->term) xfree(s->term); if (s->display) @@ -2010,10 +1992,8 @@ session_close_by_channel(int id, void *arg) * delay detach of session, but release pty, since * the fd's to the child are already closed */ - if (s->ttyfd != -1) { - fatal_remove_cleanup(session_pty_cleanup, (void *)s); + if (s->ttyfd != -1) session_pty_cleanup(s); - } return; } /* detach by removing callback */ 
@@ -2154,8 +2134,44 @@ static void do_authenticated2(Authctxt *authctxt) { server_loop2(authctxt); -#if defined(GSSAPI) - if (options.gss_cleanup_creds) - ssh_gssapi_cleanup_creds(NULL); +} + +void +do_cleanup(Authctxt *authctxt) +{ + static int called = 0; + + debug("do_cleanup"); + + /* no cleanup if we're in the child for login shell */ + if (is_child) + return; + + /* avoid double cleanup */ + if (called) + return; + called = 1; + + if (authctxt == NULL) + return; +#ifdef KRB5 + if (options.kerberos_ticket_cleanup && + authctxt->krb5_ctx) + krb5_cleanup_proc(authctxt); #endif + +#ifdef GSSAPI + if (compat20 && options.gss_cleanup_creds) + ssh_gssapi_cleanup_creds(); +#endif + + /* remove agent socket */ + auth_sock_cleanup_proc(authctxt->pw); + + /* + * Cleanup ptys/utmp only if privsep is disabled, + * or if running in monitor. + */ + if (!use_privsep || mm_is_monitor()) + session_destroy_all(session_pty_cleanup2); } diff --git a/session.h b/session.h index 525e47f64..405b8fe8a 100644 --- a/session.h +++ b/session.h @@ -1,4 +1,4 @@ -/* $OpenBSD: session.h,v 1.20 2003/08/22 10:56:09 markus Exp $ */ +/* $OpenBSD: session.h,v 1.21 2003/09/23 20:17:11 markus Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. @@ -56,13 +56,14 @@ struct Session { }; void do_authenticated(Authctxt *); +void do_cleanup(Authctxt *); int session_open(Authctxt *, int); int session_input_channel_req(Channel *, const char *); void session_close_by_pid(pid_t, int); void session_close_by_channel(int, void *); void session_destroy_all(void (*)(Session *)); -void session_pty_cleanup2(void *); +void session_pty_cleanup2(Session *); Session *session_new(void); Session *session_by_tty(char *); diff --git a/ssh-agent.c b/ssh-agent.c index 28a39a934..0fe877299 100644 --- a/ssh-agent.c +++ b/ssh-agent.c 
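Review bot: `do_cleanup()` calls `krb5_cleanup_proc()` and `ssh_gssapi_cleanup_creds()` directly, whereas `auth_sock_cleanup_proc()` switches to the user with `temporarily_use_uid(pw)` before its `unlink()`. The comment on `ssh_gssapi_cleanup_creds()` says it runs "As user", yet `do_cleanup()` is also meant to run in the privileged monitor (see the `mm_is_monitor()` test at its end), so credential files may be removed with monitor privileges. The bodies of both helpers are outside this diff, so this needs confirming. At minimum record the expected uid above the calls, e.g. `/* may run as root in the monitor: helpers must not trust user-writable paths */`, or give them the same uid switch. Separately, `called = 1` is set before the `authctxt == NULL` return, so a first call with NULL disables every later cleanup.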
@@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.113 2003/09/19 11:29:40 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.114 2003/09/23 20:17:11 markus Exp $"); #include #include @@ -957,7 +957,7 @@ cleanup_socket(void) rmdir(socket_dir); } -static void +void cleanup_exit(int i) { cleanup_socket(); @@ -971,17 +971,6 @@ cleanup_handler(int sig) _exit(2); } -void -fatal(const char *fmt,...) -{ - va_list args; - va_start(args, fmt); - do_log(SYSLOG_LEVEL_FATAL, fmt, args); - va_end(args); - cleanup_socket(); - _exit(255); -} - static void check_parent_exists(int sig) { diff --git a/sshd.c b/sshd.c index 4b3ff0da3..5c2711295 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.277 2003/09/19 11:33:09 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.278 2003/09/23 20:17:11 markus Exp $"); #include #include @@ -204,6 +204,9 @@ struct monitor *pmonitor; /* message to be displayed after login */ Buffer loginmsg; +/* global authentication context */ +Authctxt *the_authctxt = NULL; + /* Prototypes for various functions defined later in this file. */ void destroy_sensitive_data(void); void demote_sensitive_data(void); @@ -375,7 +378,7 @@ sshd_exchange_identification(int sock_in, int sock_out) strlen(server_version_string)) != strlen(server_version_string)) { logit("Could not write ident string to %s", get_remote_ipaddr()); - fatal_cleanup(); + cleanup_exit(255); } /* Read other sides version identification. */ @@ -384,7 +387,7 @@ sshd_exchange_identification(int sock_in, int sock_out) if (atomicio(read, sock_in, &buf[i], 1) != 1) { logit("Did not receive identification string from %s", get_remote_ipaddr()); - fatal_cleanup(); + cleanup_exit(255); } if (buf[i] == '\r') { buf[i] = 0; 
@@ -414,7 +417,7 @@ sshd_exchange_identification(int sock_in, int sock_out) close(sock_out); logit("Bad protocol version identification '%.100s' from %s", client_version_string, get_remote_ipaddr()); - fatal_cleanup(); + cleanup_exit(255); } debug("Client protocol version %d.%d; client software version %.100s", remote_major, remote_minor, remote_version); @@ -424,13 +427,13 @@ sshd_exchange_identification(int sock_in, int sock_out) if (datafellows & SSH_BUG_PROBE) { logit("probed from %s with %s. Don't panic.", get_remote_ipaddr(), client_version_string); - fatal_cleanup(); + cleanup_exit(255); } if (datafellows & SSH_BUG_SCANNER) { logit("scanned from %s with %s. Don't panic.", get_remote_ipaddr(), client_version_string); - fatal_cleanup(); + cleanup_exit(255); } mismatch = 0; @@ -476,7 +479,7 @@ sshd_exchange_identification(int sock_in, int sock_out) logit("Protocol major versions differ for %s: %.200s vs. %.200s", get_remote_ipaddr(), server_version_string, client_version_string); - fatal_cleanup(); + cleanup_exit(255); } } @@ -571,10 +574,9 @@ privsep_preauth_child(void) #endif } -static Authctxt * -privsep_preauth(void) +static int +privsep_preauth(Authctxt *authctxt) { - Authctxt *authctxt = NULL; int status; pid_t pid; @@ -590,7 +592,7 @@ privsep_preauth(void) debug2("Network child is on pid %ld", (long)pid); close(pmonitor->m_recvfd); - authctxt = monitor_child_preauth(pmonitor); + monitor_child_preauth(authctxt, pmonitor); close(pmonitor->m_sendfd); /* Sync memory */ @@ -600,7 +602,7 @@ privsep_preauth(void) while (waitpid(pid, &status, 0) < 0) if (errno != EINTR) break; - return (authctxt); + return (1); } else { /* child */ @@ -611,17 +613,12 @@ privsep_preauth(void) privsep_preauth_child(); setproctitle("%s", "[net]"); } - return (NULL); + return (0); } static void privsep_postauth(Authctxt *authctxt) { - extern Authctxt *x_authctxt; - - /* XXX - Remote port forwarding */ - x_authctxt = authctxt; - #ifdef DISABLE_FD_PASSING if (1) { #else 
@@ -804,8 +801,8 @@ main(int ac, char **av) int listen_sock, maxfd; int startup_p[2]; int startups = 0; - Authctxt *authctxt; Key *key; + Authctxt *authctxt; int ret, key_used = 0; #ifdef HAVE_SECUREWARE @@ -1460,18 +1457,25 @@ main(int ac, char **av) /* prepare buffers to collect authentication messages */ buffer_init(&loginmsg); + /* allocate authentication context */ + authctxt = xmalloc(sizeof(*authctxt)); + memset(authctxt, 0, sizeof(*authctxt)); + + /* XXX global for cleanup, access from other modules */ + the_authctxt = authctxt; + if (use_privsep) - if ((authctxt = privsep_preauth()) != NULL) + if (privsep_preauth(authctxt) == 1) goto authenticated; /* perform the key exchange */ /* authenticate user and start session */ if (compat20) { do_ssh2_kex(); - authctxt = do_authentication2(); + do_authentication2(authctxt); } else { do_ssh1_kex(); - authctxt = do_authentication(); + do_authentication(authctxt); } /* * If we use privilege separation, the unprivileged child transfers @@ -1494,7 +1498,7 @@ main(int ac, char **av) destroy_sensitive_data(); } - /* Perform session preparation. */ + /* Start session. */ do_authenticated(authctxt); /* The connection has been terminated. */ @@ -1787,3 +1791,12 @@ do_ssh2_kex(void) #endif debug("KEX done"); } + +/* server specific fatal cleanup */ +void +cleanup_exit(int i) +{ + if (the_authctxt) + do_cleanup(the_authctxt); + _exit(i); +} -- cgit v1.2.3 From 6cc310bd5fd4d15ad8194096e88741f7c17a3cbd Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 2 Oct 2003 16:15:15 +1000 Subject: - markus@cvs.openbsd.org 2003/09/23 20:18:52 [progressmeter.c] don't print trailing \0; bug #709; Robert.Dahlem@siemens.com ok millert/deraadt@ --- ChangeLog | 6 +++++- progressmeter.c | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a25c731b0..5da6cd64e 100644 --- a/ChangeLog +++ b/ChangeLog 
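Review bot: The `cleanup_exit()` added at the end of sshd.c makes every `fatal()` run `do_cleanup()`, which logs through `debug()`, unlinks files and walks the session table before `_exit(i)`. None of that is async-signal-safe. The signal handlers are not part of this diff, but if any handler in sshd can reach `fatal()` or `cleanup_exit()`, the cleanup would run on top of interrupted heap or logging state. A comment above the function would record the constraint for later callers: `/* not async-signal-safe: signal handlers must call _exit() directly */`.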
@@ -9,6 +9,10 @@ cleanup_exit() function. re-refine cleanup_exit() where appropriate, allocate sshd's authctxt eary to allow simpler cleanup in sshd. tested by many, ok deraadt@ + - markus@cvs.openbsd.org 2003/09/23 20:18:52 + [progressmeter.c] + don't print trailing \0; bug #709; Robert.Dahlem@siemens.com + ok millert/deraadt@ 20030930 - (bal) Fix issues in openbsd-compat/realpath.c @@ -1244,4 +1248,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3045 2003/10/02 06:12:36 dtucker Exp $ +$Id: ChangeLog,v 1.3046 2003/10/02 06:15:15 dtucker Exp $ diff --git a/progressmeter.c b/progressmeter.c index c315464ee..a244acf96 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: progressmeter.c,v 1.15 2003/08/31 12:14:22 markus Exp $"); +RCSID("$OpenBSD: progressmeter.c,v 1.16 2003/09/23 20:18:52 markus Exp $"); #include "progressmeter.h" #include "atomicio.h" @@ -200,7 +200,7 @@ refresh_progress_meter(void) strlcat(buf, " ", win_size); } - atomicio(vwrite, STDOUT_FILENO, buf, win_size); + atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1); last_update = now; } -- cgit v1.2.3 From 5dcdd219fb22f74d50c1a18997b72d89b7bf1fe9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 2 Oct 2003 16:17:00 +1000 Subject: - markus@cvs.openbsd.org 2003/09/23 20:41:11 [channels.c channels.h clientloop.c] move client only agent code to clientloop.c --- ChangeLog | 5 ++++- channels.c | 45 +-------------------------------------------- channels.h | 3 +-- clientloop.c | 44 ++++++++++++++++++++++++++++++++++++++++++-- 4 files changed, 48 insertions(+), 49 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5da6cd64e..7f7b6f2a5 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -13,6 +13,9 @@ [progressmeter.c] don't print trailing \0; bug #709; Robert.Dahlem@siemens.com ok millert/deraadt@ + - markus@cvs.openbsd.org 2003/09/23 20:41:11 + [channels.c channels.h clientloop.c] + move client only agent code to clientloop.c 20030930 - (bal) Fix issues in openbsd-compat/realpath.c @@ -1248,4 +1251,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3046 2003/10/02 06:15:15 dtucker Exp $ +$Id: ChangeLog,v 1.3047 2003/10/02 06:17:00 dtucker Exp $ diff --git a/channels.c b/channels.c index af2ae18b1..060d0f507 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.196 2003/09/19 11:31:33 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.197 2003/09/23 20:41:11 markus Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -2838,46 +2838,3 @@ auth_request_forwarding(void) packet_send(); packet_write_wait(); } - -/* This is called to process an SSH_SMSG_AGENT_OPEN message. */ - -void -auth_input_open_request(int type, u_int32_t seq, void *ctxt) -{ - Channel *c = NULL; - int remote_id, sock; - - /* Read the remote channel number from the message. */ - remote_id = packet_get_int(); - packet_check_eom(); - - /* - * Get a connection to the local authentication agent (this may again - * get forwarded). - */ - sock = ssh_get_authentication_socket(); - - /* - * If we could not connect the agent, send an error message back to - * the server. This should never happen unless the agent dies, - * because authentication forwarding is only enabled if we have an - * agent. - */ - if (sock >= 0) { - c = channel_new("", SSH_CHANNEL_OPEN, sock, sock, - -1, 0, 0, 0, "authentication agent connection", 1); - c->remote_id = remote_id; - c->force_drain = 1; - } - if (c == NULL) { - packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); - packet_put_int(remote_id); - } else { - /* Send a confirmation to the remote host. */ - debug("Forwarding authentication connection."); - packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); - packet_put_int(remote_id); - packet_put_int(c->self); - } - packet_send(); -} diff --git a/channels.h b/channels.h index bd2e92589..7d981479b 100644 --- a/channels.h +++ b/channels.h @@ -1,4 +1,4 @@ -/* $OpenBSD: channels.h,v 1.70 2002/06/24 14:33:27 markus Exp $ */ +/* $OpenBSD: channels.h,v 1.71 2003/09/23 20:41:11 markus Exp $ */ /* * Author: Tatu Ylonen @@ -214,7 +214,6 @@ void deny_input_open(int, u_int32_t, void *); /* agent forwarding */ void auth_request_forwarding(void); -void auth_input_open_request(int, u_int32_t, void *); /* channel close */ diff --git a/clientloop.c b/clientloop.c index d3a32a81a..e7a7d9fa7 100644 --- a/clientloop.c +++ b/clientloop.c 
@@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.114 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.115 2003/09/23 20:41:11 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1125,6 +1125,46 @@ client_input_exit_status(int type, u_int32_t seq, void *ctxt) /* Flag that we want to exit. */ quit_pending = 1; } +static void +client_input_agent_open(int type, u_int32_t seq, void *ctxt) +{ + Channel *c = NULL; + int remote_id, sock; + + /* Read the remote channel number from the message. */ + remote_id = packet_get_int(); + packet_check_eom(); + + /* + * Get a connection to the local authentication agent (this may again + * get forwarded). + */ + sock = ssh_get_authentication_socket(); + + /* + * If we could not connect the agent, send an error message back to + * the server. This should never happen unless the agent dies, + * because authentication forwarding is only enabled if we have an + * agent. + */ + if (sock >= 0) { + c = channel_new("", SSH_CHANNEL_OPEN, sock, sock, + -1, 0, 0, 0, "authentication agent connection", 1); + c->remote_id = remote_id; + c->force_drain = 1; + } + if (c == NULL) { + packet_start(SSH_MSG_CHANNEL_OPEN_FAILURE); + packet_put_int(remote_id); + } else { + /* Send a confirmation to the remote host. */ + debug("Forwarding authentication connection."); + packet_start(SSH_MSG_CHANNEL_OPEN_CONFIRMATION); + packet_put_int(remote_id); + packet_put_int(c->self); + } + packet_send(); +} static Channel * client_request_forwarded_tcpip(const char *request_type, int rchan) @@ -1360,7 +1400,7 @@ client_init_dispatch_13(void) dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data); dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ? - &auth_input_open_request : &deny_input_open); + &client_input_agent_open : &deny_input_open); dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ? &x11_input_open : &deny_input_open); } -- cgit v1.2.3 
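Review bot: `client_input_agent_open()` lands in clientloop.c without the header comment its predecessor had in channels.c, and directly after the closing brace of `client_input_exit_status()` with no blank line. This handler connects a server-initiated request to the user's local authentication agent, so the definition should say when it may run: `/* Handles SSH_SMSG_AGENT_OPEN: connects to the local agent; dispatched only when options.forward_agent is set. */`. The dispatch hunk below shows that gate (`options.forward_agent ? &client_input_agent_open : &deny_input_open`), but a reader of the function alone does not see it.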
From 8fca6b57b488cb2f8cd71186e0f8e17c431f7980 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 2 Oct 2003 16:18:22 +1000 Subject: - markus@cvs.openbsd.org 2003/09/26 08:19:29 [sshd.c] no need to set the listen sockets to non-block; ok deraadt@ --- ChangeLog | 5 ++++- sshd.c | 12 +----------- 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7f7b6f2a5..dc016a4fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - markus@cvs.openbsd.org 2003/09/23 20:41:11 [channels.c channels.h clientloop.c] move client only agent code to clientloop.c + - markus@cvs.openbsd.org 2003/09/26 08:19:29 + [sshd.c] + no need to set the listen sockets to non-block; ok deraadt@ 20030930 - (bal) Fix issues in openbsd-compat/realpath.c @@ -1251,4 +1254,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3047 2003/10/02 06:17:00 dtucker Exp $ +$Id: ChangeLog,v 1.3048 2003/10/02 06:18:22 dtucker Exp $ diff --git a/sshd.c b/sshd.c index 5c2711295..36f34ff58 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.278 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.279 2003/09/26 08:19:29 markus Exp $"); #include #include @@ -1136,11 +1136,6 @@ main(int ac, char **av) verbose("socket: %.100s", strerror(errno)); continue; } - if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) { - error("listen_sock O_NONBLOCK: %s", strerror(errno)); - close(listen_sock); - continue; - } /* * Set socket options. * Allow local port reuse in TIME_WAIT. @@ -1280,11 +1275,6 @@ main(int ac, char **av) error("accept: %.100s", strerror(errno)); continue; } - if (fcntl(newsock, F_SETFL, 0) < 0) { - error("newsock del O_NONBLOCK: %s", strerror(errno)); - close(newsock); - continue; - } if (drop_connection(startups) == 1) { debug("drop connection #%d", startups); close(newsock); -- cgit v1.2.3 
From 6177695c0b4e5cc3fbcbcbf6d041781465bc4680 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 2 Oct 2003 16:19:47 +1000 Subject: - jmc@cvs.openbsd.org 2003/09/29 11:40:51 [ssh.1] - add list of options to -o and .Xr ssh_config(5) - some other cleanup requested by deraadt@; ok deraadt@ markus@ --- ChangeLog | 8 +- ssh.1 | 483 +++++++++++++++++++++++++++++++++++--------------------------- 2 files changed, 282 insertions(+), 209 deletions(-) diff --git a/ChangeLog b/ChangeLog index dc016a4fa..d25f7c05b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,12 @@ - markus@cvs.openbsd.org 2003/09/26 08:19:29 [sshd.c] no need to set the listen sockets to non-block; ok deraadt@ + - jmc@cvs.openbsd.org 2003/09/29 11:40:51 + [ssh.1] + - add list of options to -o and .Xr ssh_config(5) + - some other cleanup + requested by deraadt@; + ok deraadt@ markus@ 20030930 - (bal) Fix issues in openbsd-compat/realpath.c @@ -1254,4 +1260,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3048 2003/10/02 06:18:22 dtucker Exp $ +$Id: ChangeLog,v 1.3049 2003/10/02 06:19:47 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index c81cb42c6..21e573b6d 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.175 2003/07/22 13:35:22 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.176 2003/09/29 11:40:51 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -43,22 +43,14 @@ .Nd OpenSSH SSH client (remote login program) .Sh SYNOPSIS .Nm ssh -.Op Fl l Ar login_name -.Ar hostname | user@hostname -.Op Ar command -.Pp -.Nm ssh -.Bk -words -.Op Fl afgknqstvxACNTVX1246 +.Op Fl 1246AaCfgkNnqsTtVvXx .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec +.Op Fl D Ar port .Op Fl e Ar escape_char -.Op Fl i Ar identity_file -.Op Fl l Ar login_name -.Op Fl m Ar mac_spec -.Op Fl o Ar option -.Op Fl p Ar port .Op Fl F Ar configfile +.Op Fl i Ar identity_file +.Bk -words .Oo Fl L Xo .Sm off .Ar port : @@ -68,7 +60,12 @@ .Xc .Oc .Ek +.Op Fl l Ar login_name +.Op Fl m Ar mac_spec +.Op Fl o Ar option .Bk -words +.Op Fl p Ar port +.Ek .Oo Fl R Xo .Sm off .Ar port : @@ -77,29 +74,34 @@ .Sm on .Xc .Oc -.Op Fl D Ar port -.Ar hostname | user@hostname +.Oo Ar user Ns @ Oc Ns Ar hostname .Op Ar command -.Ek .Sh DESCRIPTION .Nm (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. -It is intended to replace -rlogin and rsh, and provide secure encrypted communications between +It is intended to replace rlogin and rsh, +and provide secure encrypted communications between two untrusted hosts over an insecure network. -X11 connections and -arbitrary TCP/IP ports can also be forwarded over the secure channel. +X11 connections and arbitrary TCP/IP ports +can also be forwarded over the secure channel. .Pp .Nm connects and logs into the specified -.Ar hostname . +.Ar hostname +(with optional +.Ar user +name). The user must prove his/her identity to the remote machine using one of several methods -depending on the protocol version used: +depending on the protocol version used. .Pp +If +.Ar command +is specified, +.Ar command +is executed on the remote host instead of a login shell. .Ss SSH protocol version 1 -.Pp First, if the machine the user logs in from is listed in .Pa /etc/hosts.equiv or 
@@ -107,9 +109,9 @@ or on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, if -.Pa \&.rhosts +.Pa .rhosts or -.Pa \&.shosts +.Pa .shosts exists in the user's home directory on the remote machine and contains a line containing the name of the client machine and the name of the user on that machine, the user is @@ -118,9 +120,9 @@ This form of authentication alone is normally not allowed by the server because it is not secure. .Pp The second authentication method is the -.Pa rhosts +.Em rhosts or -.Pa hosts.equiv +.Em hosts.equiv method combined with RSA-based host authentication. It means that if the login would be permitted by .Pa $HOME/.rhosts , @@ -135,7 +137,7 @@ and .Pa $HOME/.ssh/known_hosts in the .Sx FILES -section), only then login is permitted. +section), only then is login permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing and routing spoofing. [Note to the administrator: 
@@ -154,24 +156,23 @@ RSA is one such system. The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. +.Pp The file .Pa $HOME/.ssh/authorized_keys -lists the public keys that are permitted for logging -in. +lists the public keys that are permitted for logging in. When the user logs in, the .Nm program tells the server which key pair it would like to use for authentication. -The server checks if this key is permitted, and if -so, sends the user (actually the +The server checks if this key is permitted, and if so, +sends the user (actually the .Nm program running on behalf of the user) a challenge, a random number, encrypted by the user's public key. -The challenge can only be -decrypted using the proper private key. -The user's client then decrypts the -challenge using the private key, proving that he/she knows the private -key but without disclosing it to the server. +The challenge can only be decrypted using the proper private key. +The user's client then decrypts the challenge using the private key, +proving that he/she knows the private key +but without disclosing it to the server. .Pp .Nm implements the RSA authentication protocol automatically. @@ -179,7 +180,7 @@ The user creates his/her RSA key pair by running .Xr ssh-keygen 1 . This stores the private key in .Pa $HOME/.ssh/identity -and the public key in +and stores the public key in .Pa $HOME/.ssh/identity.pub in the user's home directory. The user should then copy the @@ -193,8 +194,9 @@ file corresponds to the conventional file, and has one key per line, though the lines can be very long). After this, the user can log in without giving the password. -RSA authentication is much -more secure than rhosts authentication. +RSA authentication is much more secure than +.Em rhosts +authentication. .Pp The most convenient way to use RSA authentication may be with an authentication agent. 
@@ -208,16 +210,14 @@ prompts the user for a password. The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. -.Pp .Ss SSH protocol version 2 -.Pp -When a user connects using protocol version 2 +When a user connects using protocol version 2, similar authentication methods are available. Using the default values for .Cm PreferredAuthentications , the client will try to authenticate first using the hostbased method; -if this method fails public key authentication is attempted, -and finally if this method fails keyboard-interactive and +if this method fails, public key authentication is attempted, +and finally if this method fails, keyboard-interactive and password authentication are tried. .Pp The public key method is similar to RSA authentication described @@ -233,8 +233,8 @@ and grants access if both the key is found and the signature is correct. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server. .Pp -If public key authentication fails or is not available a password -can be sent encrypted to the remote host for proving the user's identity. +If public key authentication fails or is not available, a password +can be sent encrypted to the remote host to prove the user's identity. .Pp Additionally, .Nm @@ -245,9 +245,7 @@ Protocol 2 provides additional mechanisms for confidentiality and integrity (hmac-md5, hmac-sha1). Note that protocol 1 lacks a strong mechanism for ensuring the integrity of the connection. -.Pp .Ss Login session and remote execution -.Pp When the user's identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. 
@@ -257,23 +255,20 @@ the remote command or shell will be automatically encrypted. If a pseudo-terminal has been allocated (normal login session), the user may use the escape characters noted below. .Pp -If no pseudo tty has been allocated, the -session is transparent and can be used to reliably transfer binary -data. +If no pseudo-tty has been allocated, +the session is transparent and can be used to reliably transfer binary data. On most systems, setting the escape character to .Dq none will also make the session transparent even if a tty is used. .Pp The session terminates when the command or shell on the remote machine exits and all X11 and TCP/IP connections have been closed. -The exit status of the remote program is returned as the exit status -of +The exit status of the remote program is returned as the exit status of .Nm ssh . -.Pp .Ss Escape Characters -.Pp -When a pseudo terminal has been requested, ssh supports a number of functions -through the use of an escape character. +When a pseudo-terminal has been requested, +.Nm +supports a number of functions through the use of an escape character. .Pp A single tilde character can be sent as .Ic ~~ 
@@ -291,37 +286,37 @@ The supported escapes (assuming the default are: .Bl -tag -width Ds .It Cm ~. -Disconnect +Disconnect. .It Cm ~^Z -Background ssh +Background +.Nm ssh . .It Cm ~# -List forwarded connections +List forwarded connections. .It Cm ~& -Background ssh at logout when waiting for forwarded connection / X11 sessions -to terminate +Background +.Nm +at logout when waiting for forwarded connection / X11 sessions to terminate. .It Cm ~? -Display a list of escape characters +Display a list of escape characters. .It Cm ~B -Send a BREAK to the remote system (only useful for SSH protocol version 2 -and if the peer supports it) +Send a BREAK to the remote system +(only useful for SSH protocol version 2 and if the peer supports it). .It Cm ~C Open command line (only useful for adding port forwardings using the .Fl L and .Fl R -options) +options). .It Cm ~R -Request rekeying of the connection (only useful for SSH protocol version 2 -and if the peer supports it) +Request rekeying of the connection +(only useful for SSH protocol version 2 and if the peer supports it). .El -.Pp .Ss X11 and TCP forwarding -.Pp If the .Cm ForwardX11 variable is set to .Dq yes -(or, see the description of the +(or see the description of the .Fl X and .Fl x @@ -342,8 +337,7 @@ The .Ev DISPLAY value set by .Nm -will point to the server machine, but with a display number greater -than zero. +will point to the server machine, but with a display number greater than zero. This is normal, and happens because .Nm creates a @@ -364,7 +358,7 @@ If the .Cm ForwardAgent variable is set to .Dq yes -(or, see the description of the +(or see the description of the .Fl A and .Fl a 
@@ -376,9 +370,7 @@ Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on the command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an electronic purse; another is going through firewalls. -.Pp .Ss Server authentication -.Pp .Nm automatically maintains and checks a database containing identifications for all hosts it has ever been used with. @@ -389,14 +381,12 @@ Additionally, the file .Pa /etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any new hosts are automatically added to the user's file. -If a host's identification -ever changes, +If a host's identification ever changes, .Nm warns about this and disables password authentication to prevent a trojan horse from getting the user's password. -Another purpose of -this mechanism is to prevent man-in-the-middle attacks which could -otherwise be used to circumvent the encryption. +Another purpose of this mechanism is to prevent man-in-the-middle attacks +which could otherwise be used to circumvent the encryption. The .Cm StrictHostKeyChecking option can be used to prevent logins to machines whose @@ -404,8 +394,22 @@ host key is not known or has changed. .Pp The options are as follows: .Bl -tag -width Ds -.It Fl a -Disables forwarding of the authentication agent connection. +.It Fl 1 +Forces +.Nm +to try protocol version 1 only. +.It Fl 2 +Forces +.Nm +to try protocol version 2 only. +.It Fl 4 +Forces +.Nm +to use IPv4 addresses only. +.It Fl 6 +Forces +.Nm +to use IPv6 addresses only. .It Fl A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file. 
@@ -417,10 +421,28 @@ can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent. +.It Fl a +Disables forwarding of the authentication agent connection. .It Fl b Ar bind_address Specify the interface to transmit from on machines with multiple interfaces or aliased addresses. -.It Fl c Ar blowfish|3des|des +.It Fl C +Requests compression of all data (including stdin, stdout, stderr, and +data for forwarded X11 and TCP/IP connections). +The compression algorithm is the same used by +.Xr gzip 1 , +and the +.Dq level +can be controlled by the +.Cm CompressionLevel +option for protocol version 1. +Compression is desirable on modem lines and other +slow connections, but will only slow down things on fast networks. +The default value can be set on a host-by-host basis in the +configuration files; see the +.Cm Compression +option. +.It Fl c Ar blowfish | 3des | des Selects the cipher to use for encrypting the session. .Ar 3des is used by default. @@ -428,7 +450,7 @@ It is believed to be secure. .Ar 3des (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. .Ar blowfish -is a fast block cipher, it appears very secure and is much faster than +is a fast block cipher; it appears very secure and is much faster than .Ar 3des . .Ar des is only supported in the 
@@ -444,18 +466,41 @@ be specified in order of preference. See .Cm Ciphers for more information. -.It Fl e Ar ch|^ch|none +.It Fl D Ar port +Specifies a local +.Dq dynamic +application-level port forwarding. +This works by allocating a socket to listen to +.Ar port +on the local side, and whenever a connection is made to this port, the +connection is forwarded over the secure channel, and the application +protocol is then used to determine where to connect to from the +remote machine. +Currently the SOCKS4 and SOCKS5 protocols are supported, and +.Nm +will act as a SOCKS server. +Only root can forward privileged ports. +Dynamic port forwardings can also be specified in the configuration file. +.It Fl e Ar ch | ^ch | none Sets the escape character for sessions with a pty (default: .Ql ~ ) . The escape character is only recognized at the beginning of a line. The escape character followed by a dot .Pq Ql \&. -closes the connection, followed -by control-Z suspends the connection, and followed by itself sends the -escape character once. +closes the connection; +followed by control-Z suspends the connection; +and followed by itself sends the escape character once. Setting the character to .Dq none disables any escapes and makes the session fully transparent. +.It Fl F Ar configfile +Specifies an alternative per-user configuration file. +If a configuration file is given on the command line, +the system-wide configuration file +.Pq Pa /etc/ssh/ssh_config +will be ignored. +The default for the per-user configuration file is +.Pa $HOME/.ssh/config . .It Fl f Requests .Nm 
@@ -471,6 +516,12 @@ something like .Ic ssh -f host xterm . .It Fl g Allows remote hosts to connect to local forwarded ports. +.It Fl I Ar smartcard_device +Specifies which smartcard device to use. +The argument is the device +.Nm +should use to communicate with a smartcard used for storing the user's +private RSA key. .It Fl i Ar identity_file Selects a file from which the identity (private key) for RSA or DSA authentication is read. @@ -487,15 +538,34 @@ It is possible to have multiple .Fl i options (and multiple identities specified in configuration files). -.It Fl I Ar smartcard_device -Specifies which smartcard device to use. -The argument is the device -.Nm -should use to communicate with a smartcard used for storing the user's -private RSA key. .It Fl k Disables forwarding of Kerberos tickets. This may also be specified on a per-host basis in the configuration file. +.It Fl L Xo +.Sm off +.Ar port : host : hostport +.Sm on +.Xc +Specifies that the given port on the local (client) host is to be +forwarded to the given host and port on the remote side. +This works by allocating a socket to listen to +.Ar port +on the local side, and whenever a connection is made to this port, the +connection is forwarded over the secure channel, and a connection is +made to +.Ar host +port +.Ar hostport +from the remote machine. +Port forwardings can also be specified in the configuration file. +Only root can forward privileged ports. +IPv6 addresses can be specified with an alternative syntax: +.Sm off +.Xo +.Ar port No / Ar host No / +.Ar hostport . +.Xc +.Sm on .It Fl l Ar login_name Specifies the user to log in as on the remote machine. This also may be specified on a per-host basis in the configuration file. @@ -506,6 +576,10 @@ be specified in order of preference. See the .Cm MACs keyword for more information. +.It Fl N +Do not execute a remote command. +This is useful for just forwarding ports +(protocol version 2 only). .It Fl n Redirects stdin from .Pa /dev/null 
@@ -526,14 +600,64 @@ program will be put in the background. needs to ask for a password or passphrase; see also the .Fl f option.) -.It Fl N -Do not execute a remote command. -This is useful for just forwarding ports -(protocol version 2 only). .It Fl o Ar option Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. +For full details of the options listed below, and their possible values, see +.Xr ssh_config 5 . +.Pp +.Bl -tag -width Ds -offset indent -compact +.It AddressFamily +.It BatchMode +.It BindAddress +.It ChallengeResponseAuthentication +.It CheckHostIP +.It Cipher +.It Ciphers +.It ClearAllForwardings +.It Compression +.It CompressionLevel +.It ConnectionAttempts +.It ConnectionTimeout +.It DynamicForward +.It EnableSSHKeysign +.It EscapeChar +.It ForwardAgent +.It ForwardX11 +.It GatewayPorts +.It GlobalKnownHostsFile +.It GSSAPIAuthentication +.It GSSAPIDelegateCredentials +.It Host +.It HostbasedAuthentication +.It HostKeyAlgorithms +.It HostKeyAlias +.It HostName +.It IdentityFile +.It KeepAlive +.It LocalForward +.It LogLevel +.It MACs +.It NoHostAuthenticationForLocalhost +.It NumberOfPasswordPrompts +.It PasswordAuthentication +.It Port +.It PreferredAuthentications +.It Protocol +.It ProxyCommand +.It PubkeyAuthentication +.It RemoteForward +.It RhostsRSAAuthentication +.It RSAAuthentication +.It SmartcardDevice +.It StrictHostKeyChecking +.It UsePrivilegedPort +.It User +.It UserKnownHostsFile +.It VerifyHostKeyDNS +.It XAuthLocation +.El .It Fl p Ar port Port to connect to on the remote host. This can be specified on a 
@@ -541,11 +665,40 @@ per-host basis in the configuration file. .It Fl q Quiet mode. Causes all warning and diagnostic messages to be suppressed. +.It Fl R Xo +.Sm off +.Ar port : host : hostport +.Sm on +.Xc +Specifies that the given port on the remote (server) host is to be +forwarded to the given host and port on the local side. +This works by allocating a socket to listen to +.Ar port +on the remote side, and whenever a connection is made to this port, the +connection is forwarded over the secure channel, and a connection is +made to +.Ar host +port +.Ar hostport +from the local machine. +Port forwardings can also be specified in the configuration file. +Privileged ports can be forwarded only when +logging in as root on the remote machine. +IPv6 addresses can be specified with an alternative syntax: +.Sm off +.Xo +.Ar port No / Ar host No / +.Ar hostport . +.Xc +.Sm on .It Fl s May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use -of SSH as a secure transport for other applications (eg. sftp). +of SSH as a secure transport for other applications (eg.\& +.Xr sftp 1 ) . The subsystem is specified as the remote command. +.It Fl T +Disable pseudo-tty allocation. .It Fl t Force pseudo-tty allocation. This can be used to execute arbitrary @@ -556,8 +709,8 @@ Multiple options force tty allocation, even if .Nm has no local tty. -.It Fl T -Disable pseudo-tty allocation. +.It Fl V +Display the version number and exit. .It Fl v Verbose mode. Causes @@ -569,10 +722,6 @@ Multiple .Fl v options increase the verbosity. The maximum is 3. -.It Fl V -Display the version number and exit. -.It Fl x -Disables X11 forwarding. .It Fl X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file. 
@@ -582,94 +731,8 @@ Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring. -.It Fl C -Requests compression of all data (including stdin, stdout, stderr, and -data for forwarded X11 and TCP/IP connections). -The compression algorithm is the same used by -.Xr gzip 1 , -and the -.Dq level -can be controlled by the -.Cm CompressionLevel -option for protocol version 1. -Compression is desirable on modem lines and other -slow connections, but will only slow down things on fast networks. -The default value can be set on a host-by-host basis in the -configuration files; see the -.Cm Compression -option. -.It Fl F Ar configfile -Specifies an alternative per-user configuration file. -If a configuration file is given on the command line, -the system-wide configuration file -.Pq Pa /etc/ssh/ssh_config -will be ignored. -The default for the per-user configuration file is -.Pa $HOME/.ssh/config . -.It Fl L Ar port:host:hostport -Specifies that the given port on the local (client) host is to be -forwarded to the given host and port on the remote side. -This works by allocating a socket to listen to -.Ar port -on the local side, and whenever a connection is made to this port, the -connection is forwarded over the secure channel, and a connection is -made to -.Ar host -port -.Ar hostport -from the remote machine. -Port forwardings can also be specified in the configuration file. -Only root can forward privileged ports. -IPv6 addresses can be specified with an alternative syntax: -.Ar port/host/hostport -.It Fl R Ar port:host:hostport -Specifies that the given port on the remote (server) host is to be -forwarded to the given host and port on the local side. 
-This works by allocating a socket to listen to -.Ar port -on the remote side, and whenever a connection is made to this port, the -connection is forwarded over the secure channel, and a connection is -made to -.Ar host -port -.Ar hostport -from the local machine. -Port forwardings can also be specified in the configuration file. -Privileged ports can be forwarded only when -logging in as root on the remote machine. -IPv6 addresses can be specified with an alternative syntax: -.Ar port/host/hostport -.It Fl D Ar port -Specifies a local -.Dq dynamic -application-level port forwarding. -This works by allocating a socket to listen to -.Ar port -on the local side, and whenever a connection is made to this port, the -connection is forwarded over the secure channel, and the application -protocol is then used to determine where to connect to from the -remote machine. -Currently the SOCKS4 and SOCKS5 protocols are supported, and -.Nm -will act as a SOCKS server. -Only root can forward privileged ports. -Dynamic port forwardings can also be specified in the configuration file. -.It Fl 1 -Forces -.Nm -to try protocol version 1 only. -.It Fl 2 -Forces -.Nm -to try protocol version 2 only. -.It Fl 4 -Forces -.Nm -to use IPv4 addresses only. -.It Fl 6 -Forces -.Nm -to use IPv6 addresses only. +.It Fl x +Disables X11 forwarding. .El .Sh CONFIGURATION FILES .Nm @@ -680,7 +743,7 @@ The file format and configuration options are described in .Sh ENVIRONMENT .Nm will normally set the following environment variables: -.Bl -tag -width Ds +.Bl -tag -width LOGNAME .It Ev DISPLAY The .Ev DISPLAY @@ -690,7 +753,7 @@ It is automatically set by to point to a value of the form .Dq hostname:n where hostname indicates -the host where the shell runs, and n is an integer >= 1. +the host where the shell runs, and n is an integer \*(Ge 1. .Nm uses this special value to forward X11 connections over the secure channel. 
@@ -768,7 +831,7 @@ and adds lines of the format .Dq VARNAME=value to the environment if the file exists and if users are allowed to change their environment. -See the +For more information, see the .Cm PermitUserEnvironment option in .Xr sshd_config 5 . @@ -797,7 +860,7 @@ Contains the public key for authentication (public part of the identity file in human-readable form). The contents of the .Pa $HOME/.ssh/identity.pub -file should be added to +file should be added to the file .Pa $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 1 RSA authentication. @@ -823,7 +886,8 @@ Lists the public keys (RSA/DSA) that can be used for logging in as this user. The format of this file is described in the .Xr sshd 8 manual page. -In the simplest form the format is the same as the .pub +In the simplest form the format is the same as the +.Pa .pub identity files. This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. @@ -839,7 +903,7 @@ by spaces): system name, public key and optional comment field. When different names are used for the same machine, all such names should be listed, separated by commas. -The format is described on the +The format is described in the .Xr sshd 8 manual page. .Pp @@ -879,7 +943,7 @@ By default is not setuid root. .It Pa $HOME/.rhosts This file is used in -.Pa \&.rhosts +.Em rhosts authentication to list the host/user pairs that are permitted to log in. (Note that this file is @@ -901,7 +965,9 @@ accessible by others. Note that by default .Xr sshd 8 will be installed so that it requires successful RSA host -authentication before permitting \s+2.\s0rhosts authentication. +authentication before permitting +.Em rhosts +authentication. If the server machine does not have the client's host key in .Pa /etc/ssh/ssh_known_hosts , it can be stored in 
@@ -912,21 +978,20 @@ will automatically add the host key to .Pa $HOME/.ssh/known_hosts . .It Pa $HOME/.shosts This file is used exactly the same way as -.Pa \&.rhosts . +.Pa .rhosts . The purpose for having this file is to be able to use rhosts authentication with .Nm without permitting login with -.Nm rlogin +.Xr rlogin or .Xr rsh 1 . .It Pa /etc/hosts.equiv This file is used during -.Pa \&.rhosts +.Em rhosts authentication. It contains -canonical hosts names, one per line (the full format is described on -the +canonical hosts names, one per line (the full format is described in the .Xr sshd 8 manual page). If the client host is found in this file, login is @@ -966,6 +1031,7 @@ above. exits with the exit status of the remote command or with 255 if an error occurred. .Sh SEE ALSO +.Xr gzip 1 , .Xr rsh 1 , .Xr scp 1 , .Xr sftp 1 , @@ -973,6 +1039,7 @@ if an error occurred. .Xr ssh-agent 1 , .Xr ssh-keygen 1 , .Xr telnet 1 , +.Xr hosts.equiv 5 , .Xr ssh_config 5 , .Xr ssh-keysign 8 , .Xr sshd 8 -- cgit v1.2.3 From a49d36e7b9727edf472750a249dd7655ae1594fd Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 2 Oct 2003 16:20:54 +1000 Subject: - markus@cvs.openbsd.org 2003/09/29 20:19:57 [servconf.c sshd_config] GSSAPICleanupCreds -> GSSAPICleanupCredentials --- ChangeLog | 5 ++++- servconf.c | 6 +++--- sshd_config | 4 ++-- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index d25f7c05b..b8cd03252 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,9 @@ - some other cleanup requested by deraadt@; ok deraadt@ markus@ + - markus@cvs.openbsd.org 2003/09/29 20:19:57 + [servconf.c sshd_config] + GSSAPICleanupCreds -> GSSAPICleanupCredentials 20030930 - (bal) Fix issues in openbsd-compat/realpath.c 
@@ -1260,4 +1263,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3049 2003/10/02 06:19:47 dtucker Exp $ +$Id: ChangeLog,v 1.3050 2003/10/02 06:20:54 dtucker Exp $ diff --git a/servconf.c b/servconf.c index 58f49a2f4..0df62ad63 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.127 2003/09/01 18:15:50 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.128 2003/09/29 20:19:57 markus Exp $"); #include "ssh.h" #include "log.h" @@ -310,10 +310,10 @@ static struct { { "afstokenpassing", sUnsupported }, #ifdef GSSAPI { "gssapiauthentication", sGssAuthentication }, - { "gssapicleanupcreds", sGssCleanupCreds }, + { "gssapicleanupcredentials", sGssCleanupCreds }, #else { "gssapiauthentication", sUnsupported }, - { "gssapicleanupcreds", sUnsupported }, + { "gssapicleanupcredentials", sUnsupported }, #endif { "passwordauthentication", sPasswordAuthentication }, { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, diff --git a/sshd_config b/sshd_config index af0dec09f..5e026a609 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $ +# $OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -64,7 +64,7 @@ # GSSAPI options #GSSAPIAuthentication no -#GSSAPICleanupCreds yes +#GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication (via challenge-response) # and session processing. Depending on your PAM configuration, this may -- cgit v1.2.3 From 0ccb59b85ccb393d7ac3c4e483b060644bed2e64 Mon Sep 17 00:00:00 2001 
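Review bot: The keyword table in servconf.c now lists only `gssapicleanupcredentials`, so an existing sshd_config that still sets `GSSAPICleanupCreds` would no longer match any entry. How an unmatched keyword is handled lies outside this hunk, but if it is rejected as a bad option, sshd could refuse to start after an upgrade on hosts that set the old spelling. Consider keeping the old name as a deprecated alias in both branches of the `#ifdef GSSAPI`, e.g. `{ "gssapicleanupcreds", sGssCleanupCreds }, /* deprecated alias */` with a matching `sUnsupported` entry in the `#else` branch. The table itself starts and ends outside the hunk.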
From: Darren Tucker Date: Thu, 2 Oct 2003 16:26:34 +1000 Subject: - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring --with-pam. ok djm@ --- ChangeLog | 4 +++- configure.ac | 3 +-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index b8cd03252..ca696b1b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,8 @@ - markus@cvs.openbsd.org 2003/09/29 20:19:57 [servconf.c sshd_config] GSSAPICleanupCreds -> GSSAPICleanupCredentials + - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring + --with-pam. ok djm@ 20030930 - (bal) Fix issues in openbsd-compat/realpath.c @@ -1263,4 +1265,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3050 2003/10/02 06:20:54 dtucker Exp $ +$Id: ChangeLog,v 1.3051 2003/10/02 06:26:34 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 505907c30..dd22c98d4 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.168 2003/09/25 10:18:34 dtucker Exp $ +# $Id: configure.ac,v 1.169 2003/10/02 06:26:34 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -897,7 +897,6 @@ AC_ARG_WITH(pam, AC_CHECK_FUNCS(pam_getenvlist) AC_CHECK_FUNCS(pam_putenv) - disable_shadow=yes PAM_MSG="yes" AC_DEFINE(USE_PAM) -- cgit v1.2.3 From 7596d6866f0c29607e3997e644ef7cb113054084 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 2 Oct 2003 17:32:30 +1000 Subject: - (dtucker) [ssh-gss.h] Prototype change missed in sync. --- ChangeLog | 3 ++- ssh-gss.h | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ca696b1b4..9183c8959 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -30,6 +30,7 @@ GSSAPICleanupCreds -> GSSAPICleanupCredentials - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring --with-pam. ok djm@ + - (dtucker) [ssh-gss.h] Prototype change missed in sync. 20030930 - (bal) Fix issues in openbsd-compat/realpath.c @@ -1265,4 +1266,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3051 2003/10/02 06:26:34 dtucker Exp $ +$Id: ChangeLog,v 1.3052 2003/10/02 07:32:30 dtucker Exp $ diff --git a/ssh-gss.h b/ssh-gss.h index 6b58adb3a..7bd1e1e61 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -113,7 +113,7 @@ OM_uint32 ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid); int ssh_gssapi_userok(char *name); void ssh_gssapi_do_child(char ***envp, u_int *envsizep); -void ssh_gssapi_cleanup_creds(void *ignored); +void ssh_gssapi_cleanup_creds(void); void ssh_gssapi_storecreds(void); #endif /* GSSAPI */ -- cgit v1.2.3 From f391ba673043ceb9b385f8e2f068c18d88a9c987 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 2 Oct 2003 20:07:09 +1000 Subject: - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations. Based on patches by Matthias Koeppe and Thomas Baden. ok djm@ --- ChangeLog | 4 +++- session.c | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9183c8959..188d68e94 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,8 @@ - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring --with-pam. ok djm@ - (dtucker) [ssh-gss.h] Prototype change missed in sync. + - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations. + Based on patches by Matthias Koeppe and Thomas Baden. ok djm@ 20030930 - (bal) Fix issues in openbsd-compat/realpath.c 
@@ -1266,4 +1268,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3052 2003/10/02 07:32:30 dtucker Exp $ +$Id: ChangeLog,v 1.3053 2003/10/02 10:07:09 dtucker Exp $ diff --git a/session.c b/session.c index 647be401e..ccdc4249f 100644 --- a/session.c +++ b/session.c @@ -906,7 +906,7 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid) { char **tmpenv = NULL, *var; u_int i, tmpenvsize = 0; - mode_t mask; + u_long mask; /* * We don't want to copy the whole file to the child's environment, @@ -927,7 +927,7 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid) if ((var = child_get_env(tmpenv, "UMASK")) != NULL) if (sscanf(var, "%5lo", &mask) == 1) - umask(mask); + umask((mode_t)mask); for (i = 0; tmpenv[i] != NULL; i++) xfree(tmpenv[i]); -- cgit v1.2.3 From 4a2505445f813d0637163f1e9c95f0b2fa993767 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Oct 2003 17:57:24 +1000 Subject: - markus@cvs.openbsd.org 2003/10/02 10:41:59 [sshd.c] print openssl version, too, several requests; ok henning/djm. --- ChangeLog | 8 +++++++- sshd.c | 5 +++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 188d68e94..630bd5ad9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20031003 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/10/02 10:41:59 + [sshd.c] + print openssl version, too, several requests; ok henning/djm. + 20031002 - OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/09/23 20:17:11 @@ -1268,4 +1274,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3053 2003/10/02 10:07:09 dtucker Exp $ +$Id: ChangeLog,v 1.3054 2003/10/03 07:57:24 dtucker Exp $ diff --git a/sshd.c b/sshd.c index 36f34ff58..7d97c92de 100644 --- a/sshd.c +++ b/sshd.c 
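Review bot: In read_etc_default_login() (session.c), the UMASK value parsed with `%5lo` reaches umask() with only a cast, so up to five octal digits, i.e. values above 0777, are passed through unchecked. Widening `mask` to `u_long` makes the type match the conversion, but the range is still not constrained; masking explicitly, `umask((mode_t)(mask & 0777));`, would make the intent clear and avoid relying on how the platform treats the extra bits. A short comment such as `/* %lo needs an unsigned long; mode_t may be narrower */` on the declaration would also record why `mask` is not a `mode_t`. The function body starts before the first session.c hunk and continues past the second.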
@@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.279 2003/09/26 08:19:29 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.280 2003/10/02 10:41:59 markus Exp $"); #include #include @@ -758,7 +758,8 @@ drop_connection(int startups) static void usage(void) { - fprintf(stderr, "sshd version %s\n", SSH_VERSION); + fprintf(stderr, "sshd version %s, %s\n", + SSH_VERSION, SSLeay_version(SSLEAY_VERSION)); fprintf(stderr, "Usage: %s [options]\n", __progname); fprintf(stderr, "Options:\n"); fprintf(stderr, " -f file Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE); -- cgit v1.2.3 From e3ca82e06caeaeb106e27eabfd5d0fce04bb4cd3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 3 Oct 2003 18:02:30 +1000 Subject: - markus@cvs.openbsd.org 2003/10/02 08:26:53 [ssh-gss.h] missing $OpenBSD:; dtucker --- ChangeLog | 5 ++++- ssh-gss.h | 1 + 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 630bd5ad9..7023da584 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - markus@cvs.openbsd.org 2003/10/02 10:41:59 [sshd.c] print openssl version, too, several requests; ok henning/djm. + - markus@cvs.openbsd.org 2003/10/02 08:26:53 + [ssh-gss.h] + missing $OpenBSD:; dtucker 20031002 - OpenBSD CVS Sync @@ -1274,4 +1277,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3054 2003/10/03 07:57:24 dtucker Exp $ +$Id: ChangeLog,v 1.3055 2003/10/03 08:02:30 dtucker Exp $ diff --git a/ssh-gss.h b/ssh-gss.h index 7bd1e1e61..c76648ee0 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -1,3 +1,4 @@ +/* $OpenBSD: ssh-gss.h,v 1.3 2003/10/02 08:26:53 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. * -- cgit v1.2.3 From 30aa44cf0a850fe4f3757edbe8c3e6553c14b3cc Mon Sep 17 00:00:00 2001 
From: Tim Rice Date: Fri, 3 Oct 2003 22:30:23 -0700 Subject: [contrib/caldera/openssh.spec] Remove obsolete --with-ipv4-default option. --- ChangeLog | 4 +++- contrib/caldera/openssh.spec | 3 +-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7023da584..bee3a10c7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ - markus@cvs.openbsd.org 2003/10/02 08:26:53 [ssh-gss.h] missing $OpenBSD:; dtucker + - (tim) [contrib/caldera/openssh.spec] Remove obsolete --with-ipv4-default + option. 20031002 - OpenBSD CVS Sync @@ -1277,4 +1279,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3055 2003/10/03 08:02:30 dtucker Exp $ +$Id: ChangeLog,v 1.3056 2003/10/04 05:30:23 tim Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 3f286d8c3..54690dec1 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -180,7 +180,6 @@ CFLAGS="$RPM_OPT_FLAGS" \ %configure \ --with-pam \ --with-tcp-wrappers \ - --with-ipv4-default \ --with-privsep-path=%{_var}/empty/sshd \ #leave this line for easy edits. @@ -364,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.46 2003/09/23 22:30:19 djm Exp $ +$Id: openssh.spec,v 1.47 2003/10/04 05:30:23 tim Exp $ -- cgit v1.2.3 From 6f1f611a529bebfa04bd0dbf5196375f5db5fe23 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 7 Oct 2003 10:18:22 +1000 Subject: - (djm) Delete autom4te.cache after autoreconf --- ChangeLog | 5 ++++- Makefile.in | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index bee3a10c7..ae55bf63d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20031007 + - (djm) Delete autom4te.cache after autoreconf + 20031003 - OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/10/02 10:41:59 
@@ -1279,4 +1282,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3056 2003/10/04 05:30:23 tim Exp $ +$Id: ChangeLog,v 1.3057 2003/10/07 00:18:22 djm Exp $ diff --git a/Makefile.in b/Makefile.in index dce12c4d1..61e3d4076 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.251 2003/10/02 06:12:36 dtucker Exp $ +# $Id: Makefile.in,v 1.252 2003/10/07 00:18:22 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -222,6 +222,7 @@ catman-do: distprep: catman-do $(AUTORECONF) + -rm -rf autom4te.cache (cd scard && $(MAKE) -f Makefile.in distprep) install: $(CONFIGFILES) ssh_prng_cmds.out $(MANPAGES) $(TARGETS) install-files host-key check-config -- cgit v1.2.3 From 8846a076392fee28963ad6fbdc93ed980fbb08a1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 7 Oct 2003 11:30:15 +1000 Subject: - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static cleanup functions. With & ok djm@ --- ChangeLog | 4 +++- auth-pam.c | 40 ++++++++++++++++++++-------------------- auth-pam.h | 4 +++- session.c | 7 +++++++ 4 files changed, 33 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index ae55bf63d..9ae28dbe7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 20031007 - (djm) Delete autom4te.cache after autoreconf + - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static + cleanup functions. With & ok djm@ 20031003 - OpenBSD CVS Sync @@ -1282,4 +1284,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3057 2003/10/07 00:18:22 djm Exp $ +$Id: ChangeLog,v 1.3058 2003/10/07 01:30:15 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 75e2d16cb..f5f030fff 100644 --- a/auth-pam.c +++ b/auth-pam.c 
@@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.74 2003/09/23 12:12:38 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.75 2003/10/07 01:30:16 dtucker Exp $"); #ifdef USE_PAM #include @@ -126,6 +126,7 @@ struct pam_ctxt { }; static void sshpam_free_ctx(void *); +static struct pam_ctxt *cleanup_ctxt; /* * Conversation function for authentication thread. @@ -245,15 +246,19 @@ sshpam_thread(void *ctxtp) return (NULL); /* Avoid warning for non-pthread case */ } -static void -sshpam_thread_cleanup(void *ctxtp) +void +sshpam_thread_cleanup(void) { - struct pam_ctxt *ctxt = ctxtp; - - pthread_cancel(ctxt->pam_thread); - pthread_join(ctxt->pam_thread, NULL); - close(ctxt->pam_psock); - close(ctxt->pam_csock); + struct pam_ctxt *ctxt = cleanup_ctxt; + + if (ctxt != NULL && ctxt->pam_thread != 0) { + pthread_cancel(ctxt->pam_thread); + pthread_join(ctxt->pam_thread, NULL); + close(ctxt->pam_psock); + close(ctxt->pam_csock); + memset(ctxt, 0, sizeof(*ctxt)); + cleanup_ctxt = NULL; + } } static int @@ -265,10 +270,9 @@ sshpam_null_conv(int n, const struct pam_message **msg, static struct pam_conv null_conv = { sshpam_null_conv, NULL }; -static void -sshpam_cleanup(void *arg) +void +sshpam_cleanup(void) { - (void)arg; debug("PAM: cleanup"); if (sshpam_handle == NULL) return; @@ -299,7 +303,6 @@ sshpam_init(const char *user) PAM_USER, (const void **)&pam_user); if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) return (0); - fatal_remove_cleanup(sshpam_cleanup, NULL); pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; } @@ -333,7 +336,6 @@ sshpam_init(const char *user) return (-1); } #endif - fatal_add_cleanup(sshpam_cleanup, NULL); return (0); } 
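Review bot: In `sshpam_thread_cleanup()` the guard `ctxt->pam_thread != 0` compares a `pthread_t` with an integer, which only means "no thread" where `pthread_t` is an arithmetic type; the definition in use is not visible here, so this may hold for some builds only. `cleanup_ctxt = NULL;` is also reached only inside that `if`, while the `sshpam_free_ctx()` hunk later in this commit frees its own argument unconditionally, so a context that fails the guard would leave the static pointer dangling for the later call from `do_cleanup()`. Consider clearing it in `sshpam_free_ctx()` too, `if (cleanup_ctxt == ctxt) cleanup_ctxt = NULL;` just before `xfree(ctxt);`, and a comment on `cleanup_ctxt` stating that only one PAM context exists at a time.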
@@ -354,7 +356,7 @@ sshpam_init_ctx(Authctxt *authctxt) } ctxt = xmalloc(sizeof *ctxt); - ctxt->pam_done = 0; + memset(ctxt, 0, sizeof(*ctxt)); /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { @@ -372,7 +374,7 @@ sshpam_init_ctx(Authctxt *authctxt) xfree(ctxt); return (NULL); } - fatal_add_cleanup(sshpam_thread_cleanup, ctxt); + cleanup_ctxt = ctxt; return (ctxt); } @@ -481,8 +483,7 @@ sshpam_free_ctx(void *ctxtp) { struct pam_ctxt *ctxt = ctxtp; - fatal_remove_cleanup(sshpam_thread_cleanup, ctxt); - sshpam_thread_cleanup(ctxtp); + sshpam_thread_cleanup(); xfree(ctxt); /* * We don't call sshpam_cleanup() here because we may need the PAM @@ -524,8 +525,7 @@ start_pam(const char *user) void finish_pam(void) { - fatal_remove_cleanup(sshpam_cleanup, NULL); - sshpam_cleanup(NULL); + sshpam_cleanup(); } u_int diff --git a/auth-pam.h b/auth-pam.h index 5c952f305..58176f013 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.21 2003/09/02 13:18:53 djm Exp $ */ +/* $Id: auth-pam.h,v 1.22 2003/10/07 01:30:16 dtucker Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. @@ -43,5 +43,7 @@ int do_pam_putenv(char *, char *); void print_pam_messages(void); char ** fetch_pam_environment(void); void free_pam_environment(char **); +void sshpam_thread_cleanup(void); +void sshpam_cleanup(void); #endif /* USE_PAM */ diff --git a/session.c b/session.c index ccdc4249f..8aa2b9015 100644 --- a/session.c +++ b/session.c @@ -2165,6 +2165,13 @@ do_cleanup(Authctxt *authctxt) ssh_gssapi_cleanup_creds(); #endif +#ifdef USE_PAM + if (options.use_pam) { + sshpam_cleanup(); + sshpam_thread_cleanup(); + } +#endif + /* remove agent socket */ auth_sock_cleanup_proc(authctxt->pw); -- cgit v1.2.3 From f4bf5d086a63a1c30f174405b9d64b9bfe024890 Mon Sep 17 00:00:00 2001 
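Review bot: The `do_cleanup()` hunk in session.c calls `sshpam_cleanup()` before `sshpam_thread_cleanup()`, so the PAM state is torn down while the authentication thread may still be running. The rest of sshpam_cleanup() is outside the hunks, but if it ends the PAM transaction the way `sshpam_init()` does with `pam_end(sshpam_handle, sshpam_err)`, a build that uses real threads could have the thread touch a released handle during exit. Stopping the thread first avoids that: `sshpam_thread_cleanup();` followed by `sshpam_cleanup();`. do_cleanup's body continues outside the hunk.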
From: Darren Tucker Date: Tue, 7 Oct 2003 11:31:22 +1000 Subject: So people know who to blame... --- ChangeLog | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9ae28dbe7..1f3db2b85 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,7 +4,7 @@ cleanup functions. With & ok djm@ 20031003 - - OpenBSD CVS Sync + - (dtucker) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/10/02 10:41:59 [sshd.c] print openssl version, too, several requests; ok henning/djm. @@ -15,7 +15,7 @@ option. 20031002 - - OpenBSD CVS Sync + - (dtucker) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/09/23 20:17:11 [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h @@ -1284,4 +1284,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3058 2003/10/07 01:30:15 dtucker Exp $ +$Id: ChangeLog,v 1.3059 2003/10/07 01:31:22 dtucker Exp $ -- cgit v1.2.3 From dfe6d914b7d2ad845a7fe2e92bdc4ff7c6f44539 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 7 Oct 2003 17:40:56 +1000 Subject: - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a run-time switch, always build --with-md5-passwords. --- ChangeLog | 4 +++- contrib/redhat/openssh.spec | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1f3db2b85..bcca919b4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (djm) Delete autom4te.cache after autoreconf - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static cleanup functions. With & ok djm@ + - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a + run-time switch, always build --with-md5-passwords. 20031003 - (dtucker) OpenBSD CVS Sync 
@@ -1284,4 +1286,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3059 2003/10/07 01:31:22 dtucker Exp $ +$Id: ChangeLog,v 1.3060 2003/10/07 07:40:56 dtucker Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 09e405475..dd00c9fa9 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -190,11 +190,12 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS --with-default-path=/usr/local/bin:/bin:/usr/bin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ --with-privsep-path=%{_var}/empty/sshd \ + --with-md5-passwords \ %if %{scard} --with-smartcard \ %endif %if %{rescue} - --without-pam --with-md5-passwords \ + --without-pam \ %else --with-pam \ %endif -- cgit v1.2.3 From 2e8c0cc75244b2354fea2cba5f11277fe47deed4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 7 Oct 2003 17:49:56 +1000 Subject: - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c] Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@ --- ChangeLog | 4 +- configure.ac | 4 +- openbsd-compat/Makefile.in | 4 +- openbsd-compat/strtoul.c | 112 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 119 insertions(+), 5 deletions(-) create mode 100644 openbsd-compat/strtoul.c diff --git a/ChangeLog b/ChangeLog index bcca919b4..8ade4e7ea 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ cleanup functions. With & ok djm@ - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a run-time switch, always build --with-md5-passwords. + - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c] + Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@ 20031003 - (dtucker) OpenBSD CVS Sync 
@@ -1286,4 +1288,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3060 2003/10/07 07:40:56 dtucker Exp $ +$Id: ChangeLog,v 1.3061 2003/10/07 07:49:56 dtucker Exp $ diff --git a/configure.ac b/configure.ac index dd22c98d4..02b7e2b82 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.169 2003/10/02 06:26:34 dtucker Exp $ +# $Id: configure.ac,v 1.170 2003/10/07 07:49:57 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -739,7 +739,7 @@ AC_CHECK_FUNCS(\ setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ setproctitle setregid setresgid setresuid setreuid setrlimit \ setsid setvbuf sigaction sigvec snprintf socketpair strerror \ - strlcat strlcpy strmode strnvis sysconf tcgetpgrp \ + strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ truncate utimes vhangup vsnprintf waitpid \ ) diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index c48593f7b..de9856eea 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.28 2003/07/24 06:52:14 mouring Exp $ +# $Id: Makefile.in,v 1.29 2003/10/07 07:49:57 dtucker Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ 
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ LDFLAGS=-L. @LDFLAGS@ -OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o vis.o +OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtoul.o vis.o COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o diff --git a/openbsd-compat/strtoul.c b/openbsd-compat/strtoul.c new file mode 100644 index 000000000..877e6a01f --- /dev/null +++ b/openbsd-compat/strtoul.c 
@@ -0,0 +1,112 @@ +/* + * Copyright (c) 1990 Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "includes.h" +#ifndef HAVE_STRTOUL + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include + +/* + * Convert a string to an unsigned long integer. + * + * Ignores `locale' stuff. 
Assumes that the upper and lower case + * alphabets and digits are each contiguous. + */ +unsigned long +strtoul(nptr, endptr, base) + const char *nptr; + char **endptr; + register int base; +{ + register const char *s; + register unsigned long acc, cutoff; + register int c; + register int neg, any, cutlim; + + /* + * See strtol for comments as to the logic used. + */ + s = nptr; + do { + c = (unsigned char) *s++; + } while (isspace(c)); + if (c == '-') { + neg = 1; + c = *s++; + } else { + neg = 0; + if (c == '+') + c = *s++; + } + if ((base == 0 || base == 16) && + c == '0' && (*s == 'x' || *s == 'X')) { + c = s[1]; + s += 2; + base = 16; + } + if (base == 0) + base = c == '0' ? 8 : 10; + + cutoff = ULONG_MAX / (unsigned long)base; + cutlim = ULONG_MAX % (unsigned long)base; + for (acc = 0, any = 0;; c = (unsigned char) *s++) { + if (isdigit(c)) + c -= '0'; + else if (isalpha(c)) + c -= isupper(c) ? 'A' - 10 : 'a' - 10; + else + break; + if (c >= base) + break; + if (any < 0) + continue; + if (acc > cutoff || acc == cutoff && c > cutlim) { + any = -1; + acc = ULONG_MAX; + errno = ERANGE; + } else { + any = 1; + acc *= (unsigned long)base; + acc += c; + } + } + if (neg && any > 0) + acc = -acc; + if (endptr != 0) + *endptr = (char *) (any ? s - 1 : nptr); + return (acc); +} +#endif /* !HAVE_STRTOUL */ -- cgit v1.2.3 From 3b2a06c0d7e4f044fc8dbf445d6e1a176c0e4cd9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 7 Oct 2003 18:37:11 +1000 Subject: - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID on Reliant Unix. Patch from Robert.Dahlem at siemens.com. --- ChangeLog | 4 +++- configure.ac | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8ade4e7ea..37f54ff16 100644 --- a/ChangeLog +++ b/ChangeLog 
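Review bot: After the leading-whitespace loop, `c = *s++;` (in both sign branches) and `c = s[1];` (after the 0x prefix) load a plain `char` without the `(unsigned char)` cast the function uses elsewhere. Where `char` is signed, a byte of 0x80 or above becomes a negative `c` and is then passed to `isdigit()`/`isalpha()`, whose behaviour is undefined for negative values other than EOF. Use `c = (unsigned char) *s++;` and `c = (unsigned char) s[1];` at those three places. Separately, `acc == cutoff && c > cutlim` would read more clearly inside its own parentheses.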
@@ -6,6 +6,8 @@ run-time switch, always build --with-md5-passwords. - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c] Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@ + - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID + on Reliant Unix. Patch from Robert.Dahlem at siemens.com. 20031003 - (dtucker) OpenBSD CVS Sync @@ -1288,4 +1290,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3061 2003/10/07 07:49:56 dtucker Exp $ +$Id: ChangeLog,v 1.3062 2003/10/07 08:37:11 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 02b7e2b82..45d21573f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.170 2003/10/07 07:49:57 dtucker Exp $ +# $Id: configure.ac,v 1.171 2003/10/07 08:37:11 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -300,6 +300,9 @@ mips-sony-bsd|mips-sony-newsos4) IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(SSHD_ACQUIRES_CTTY) external_path_file=/etc/default/login # /usr/ucblib/libucb.a no longer needed on ReliantUNIX -- cgit v1.2.3 From 89df7a3ecab70910fd745ddee01508f716255fb0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 7 Oct 2003 20:35:57 +1000 Subject: - (dtucker) [configure.ac] Bug #710: Check for dlsym() in libdl on Reliant Unix. Based on patch from Robert.Dahlem at siemens.com. --- ChangeLog | 4 +++- configure.ac | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 37f54ff16..a1da45ed7 100644 --- a/ChangeLog +++ b/ChangeLog 
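Review bot: `AC_DEFINE(SETEUID_BREAKS_SETUID)` is added alongside the two macros named in the commit subject, but neither the subject nor the ChangeLog entry mentions it. All three names suggest they change how the build switches user and group ids, so the reason for the third belongs next to the defines, for example `# Bug #715: setreuid()/setregid() and seteuid()-then-setuid() do not behave as expected on Reliant Unix`. The wording of that comment is inferred from the macro names and should be confirmed by the author.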
@@ -8,6 +8,8 @@ Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@ - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID on Reliant Unix. Patch from Robert.Dahlem at siemens.com. + - (dtucker) [configure.ac] Bug #710: Check for dlsym() in libdl on + Reliant Unix. Based on patch from Robert.Dahlem at siemens.com. 20031003 - (dtucker) OpenBSD CVS Sync @@ -1290,4 +1292,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3062 2003/10/07 08:37:11 dtucker Exp $ +$Id: ChangeLog,v 1.3063 2003/10/07 10:35:57 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 45d21573f..44808f7e5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.171 2003/10/07 08:37:11 dtucker Exp $ +# $Id: configure.ac,v 1.172 2003/10/07 10:35:57 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -297,6 +297,7 @@ mips-sony-bsd|mips-sony-newsos4) CPPFLAGS="$CPPFLAGS -I/usr/local/include" # /usr/ucblib MUST NOT be searched on ReliantUNIX LDFLAGS="$LDFLAGS -L/usr/local/lib" + AC_CHECK_LIB(dl, dlsym, ,) IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(IP_TOS_IS_BROKEN) -- cgit v1.2.3 From 046dff2a07d63d41967d2e8b97c3d460336932a2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 8 Oct 2003 17:32:02 +1000 Subject: - dtucker@cvs.openbsd.org 2003/10/07 01:47:27 [sshconnect2.c] Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 & #707. ok markus@ --- ChangeLog | 9 ++++++++- sshconnect2.c | 5 +++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a1da45ed7..6c1edbd9f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,10 @@ +20031008 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2003/10/07 01:47:27 + [sshconnect2.c] + Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 & #707. + ok markus@ + 20031007 - (djm) Delete autom4te.cache after autoreconf - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static @@ -1292,4 +1299,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3063 2003/10/07 10:35:57 dtucker Exp $ +$Id: ChangeLog,v 1.3064 2003/10/08 07:32:02 dtucker Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index 933c223ec..4e3ae2de7 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.124 2003/08/25 10:33:33 djm Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.125 2003/10/07 01:47:27 dtucker Exp $"); #include "openbsd-compat/sys-queue.h" @@ -361,7 +361,8 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt) debug3("input_userauth_banner"); msg = packet_get_string(NULL); lang = packet_get_string(NULL); - logit("%s", msg); + if (options.log_level > SYSLOG_LEVEL_QUIET) + fprintf(stderr, "%s", msg); xfree(msg); xfree(lang); } -- cgit v1.2.3 From 64dbccc2a517fb77f648e4a9aed5ae78719309bb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 8 Oct 2003 17:34:38 +1000 Subject: - djm@cvs.openbsd.org 2003/10/07 07:04:16 [sftp-int.c] sftp quoting fix from admorten AT umich.edu; ok markus@ --- ChangeLog | 5 ++++- sftp-int.c | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6c1edbd9f..aa0f798b0 100644 --- a/ChangeLog +++ b/ChangeLog 
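Review bot: `fprintf(stderr, "%s", msg)` in input_userauth_banner() writes the banner to the user's terminal byte for byte, control characters included, and that text is chosen by the remote server. Whether `logit()` filtered such bytes is not visible here, but the replacement does not. I would encode the message before printing it, keeping newlines so the banner regress test added later on this page still compares equal; `strnvis` is already in the configure.ac function list shown on this page. The sketch below needs `u_int len;` and `char *vmsg;` declared at the top of the function.

```c
	msg = packet_get_string(&len);
	lang = packet_get_string(NULL);
	if (options.log_level > SYSLOG_LEVEL_QUIET) {
		/* Remote-controlled text: encode control characters first. */
		vmsg = xmalloc(len * 4 + 1);
		strnvis(vmsg, msg, len * 4 + 1,
		    VIS_SAFE|VIS_OCTAL|VIS_NOSLASH);
		fprintf(stderr, "%s", vmsg);
		xfree(vmsg);
	}
	/* … unchanged: xfree(msg); xfree(lang); … */
```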
@@ -4,6 +4,9 @@ [sshconnect2.c] Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 & #707. ok markus@ + - djm@cvs.openbsd.org 2003/10/07 07:04:16 + [sftp-int.c] + sftp quoting fix from admorten AT umich.edu; ok markus@ 20031007 - (djm) Delete autom4te.cache after autoreconf @@ -1299,4 +1302,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3064 2003/10/08 07:32:02 dtucker Exp $ +$Id: ChangeLog,v 1.3065 2003/10/08 07:34:38 dtucker Exp $ diff --git a/sftp-int.c b/sftp-int.c index c93eaabff..2deb29bb1 100644 --- a/sftp-int.c +++ b/sftp-int.c @@ -25,7 +25,7 @@ /* XXX: recursive operations */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.62 2003/08/25 08:13:09 fgsch Exp $"); +RCSID("$OpenBSD: sftp-int.c,v 1.63 2003/10/07 07:04:16 djm Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -350,6 +350,7 @@ get_pathname(const char **cpp, char **path) /* Search for terminating quote, unescape some chars */ for (i = j = 0; i <= strlen(cp); i++) { if (cp[i] == quot) { /* Found quote */ + i++; (*path)[j] = '\0'; i++; break; -- cgit v1.2.3 From 796448276c37fdd76dd0770c88a6d73d1f65c18e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 8 Oct 2003 17:37:58 +1000 Subject: - deraadt@cvs.openbsd.org 2003/10/07 21:58:28 [sshconnect2.c] set ptr to NULL after free --- ChangeLog | 9 ++++++--- sshconnect2.c | 13 +++++++++---- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index aa0f798b0..2ec3e8294 100644 --- a/ChangeLog +++ b/ChangeLog 
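Review bot: The found-quote branch of get_pathname() now advances `i` twice: the added `i++;` sits in front of an `i++;` that the hunk keeps as context (the 6-to-7 line counts in the hunk header match that reading). After `break` the index is therefore two past the closing quote, and when the quote is the last character of the input that is one past the terminating NUL, so whatever the function does with `cp + i` afterwards starts outside the string. Keep only one of the two increments, for instance by dropping the older `i++;` that follows `(*path)[j] = '\0';`. The rest of the function is outside the hunk.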
@@ -2,11 +2,14 @@ - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2003/10/07 01:47:27 [sshconnect2.c] - Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 & #707. - ok markus@ + Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 & + #707. ok markus@ - djm@cvs.openbsd.org 2003/10/07 07:04:16 [sftp-int.c] sftp quoting fix from admorten AT umich.edu; ok markus@ + - deraadt@cvs.openbsd.org 2003/10/07 21:58:28 + [sshconnect2.c] + set ptr to NULL after free 20031007 - (djm) Delete autom4te.cache after autoreconf @@ -1302,4 +1305,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3065 2003/10/08 07:34:38 dtucker Exp $ +$Id: ChangeLog,v 1.3066 2003/10/08 07:37:58 dtucker Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index 4e3ae2de7..2ef4201ce 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.125 2003/10/07 01:47:27 dtucker Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.126 2003/10/07 21:58:28 deraadt Exp $"); #include "openbsd-compat/sys-queue.h" @@ -358,6 +358,7 @@ void input_userauth_banner(int type, u_int32_t seq, void *ctxt) { char *msg, *lang; + debug3("input_userauth_banner"); msg = packet_get_string(NULL); lang = packet_get_string(NULL); @@ -373,10 +374,14 @@ input_userauth_success(int type, u_int32_t seq, void *ctxt) Authctxt *authctxt = ctxt; if (authctxt == NULL) fatal("input_userauth_success: no authentication context"); - if (authctxt->authlist) + if (authctxt->authlist) { xfree(authctxt->authlist); - if (authctxt->methoddata) + authctxt->authlist = NULL; + } + if (authctxt->methoddata) { xfree(authctxt->methoddata); + authctxt->methoddata = NULL; + } authctxt->success = 1; /* break out */ } 
@@ -609,7 +614,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) packet_check_eom(); - status=ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, + status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, &recv_tok, &send_tok, NULL); xfree(recv_tok.value); -- cgit v1.2.3 From dc001a5ee3352b69d96a8970ec269df9df130fa3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 8 Oct 2003 17:47:19 +1000 Subject: - dtucker@cvs.openbsd.org 2003/10/07 01:52:13 [regress/Makefile regress/banner.sh] Test SSH2 banner. ok markus@ --- ChangeLog | 5 ++++- regress/Makefile | 5 +++-- regress/banner.sh | 31 +++++++++++++++++++++++++++++++ 3 files changed, 38 insertions(+), 3 deletions(-) create mode 100644 regress/banner.sh diff --git a/ChangeLog b/ChangeLog index 2ec3e8294..00a50c61a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ - deraadt@cvs.openbsd.org 2003/10/07 21:58:28 [sshconnect2.c] set ptr to NULL after free + - dtucker@cvs.openbsd.org 2003/10/07 01:52:13 + [regress/Makefile regress/banner.sh] + Test SSH2 banner. ok markus@ 20031007 - (djm) Delete autom4te.cache after autoreconf @@ -1305,4 +1308,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3066 2003/10/08 07:37:58 dtucker Exp $ +$Id: ChangeLog,v 1.3067 2003/10/08 07:47:19 dtucker Exp $ diff --git a/regress/Makefile b/regress/Makefile index 623be8d82..da4a6731c 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.24 2003/07/03 08:24:13 markus Exp $ +# $OpenBSD: Makefile,v 1.25 2003/10/07 01:52:13 dtucker Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec tests: $(REGRESS_TARGETS) @@ -14,6 +14,7 @@ LTESTS= connect \ proto-mismatch \ exit-status \ transfer \ + banner \ rekey \ stderr-data \ stderr-after-eof \ 
@@ -40,7 +41,7 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ ssh_config ssh_proxy sshd_config sshd_proxy \ rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ - ls.copy remote_pid + ls.copy banner.in banner.out remote_pid #LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp diff --git a/regress/banner.sh b/regress/banner.sh new file mode 100644 index 000000000..03e2fc8f1 --- /dev/null +++ b/regress/banner.sh @@ -0,0 +1,31 @@ +# $OpenBSD: banner.sh,v 1.1 2003/10/07 01:52:13 dtucker Exp $ +# Placed in the Public Domain. + +tid="banner" +echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy + +for s in 0 10 100 1000 10000 100000 ; do + if [ "$s" = "0" ]; then + # create empty banner + rm -f $OBJ/banner.in + touch $OBJ/banner.in + elif [ "$s" = "10" ]; then + # create 10-byte banner file + echo "abcdefghi" >$OBJ/banner.in + else + # increase size 10x + cp $OBJ/banner.in $OBJ/banner.out + for i in 0 1 2 3 4 5 6 7 8 ; do + cat $OBJ/banner.out >> $OBJ/banner.in + done + fi + + trace "test banner size $s" + verbose "test $tid: size $s" + ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out + if ! cmp $OBJ/banner.in $OBJ/banner.out ; then + fail "banner size $s mismatch" + fi +done + +rm -f $OBJ/banner.out $OBJ/banner.in -- cgit v1.2.3 From 0240ff786e08bf72a5b549e848cc4248ce93b636 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 8 Oct 2003 17:52:10 +1000 Subject: - djm@cvs.openbsd.org 2003/10/07 07:04:52 [regress/sftp-cmds.sh] more sftp quoting regress tests; ok markus --- ChangeLog | 5 ++++- regress/sftp-cmds.sh | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 00a50c61a..dc3233956 100644 --- a/ChangeLog +++ b/ChangeLog 
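Review bot: `if ! cmp $OBJ/banner.in $OBJ/banner.out ; then` in banner.sh relies on the `!` pipeline negation, which older Bourne shells do not implement, so the test can fail to parse on the platforms the portable tree targets. The sftp-cmds.sh tests on this page use the `cmd || fail` form instead; `cmp $OBJ/banner.in $OBJ/banner.out || fail "banner size $s mismatch"` does the same without `!`. The test data is printable ASCII only, so it does not cover how non-printable bytes in a banner are displayed.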
@@ -13,6 +13,9 @@ - dtucker@cvs.openbsd.org 2003/10/07 01:52:13 [regress/Makefile regress/banner.sh] Test SSH2 banner. ok markus@ + - djm@cvs.openbsd.org 2003/10/07 07:04:52 + [regress/sftp-cmds.sh] + more sftp quoting regress tests; ok markus 20031007 - (djm) Delete autom4te.cache after autoreconf @@ -1308,4 +1311,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3067 2003/10/08 07:47:19 dtucker Exp $ +$Id: ChangeLog,v 1.3068 2003/10/08 07:52:10 dtucker Exp $ diff --git a/regress/sftp-cmds.sh b/regress/sftp-cmds.sh index 1256aeb2d..3669b19ff 100644 --- a/regress/sftp-cmds.sh +++ b/regress/sftp-cmds.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sftp-cmds.sh,v 1.5 2003/07/19 00:46:31 djm Exp $ +# $OpenBSD: sftp-cmds.sh,v 1.6 2003/10/07 07:04:52 djm Exp $ # Placed in the Public Domain. # XXX - TODO: @@ -79,6 +79,20 @@ echo "get $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ || fail "get failed" cmp $DATA ${COPY} || fail "corrupted copy after get" +rm -f ${COPY} +verbose "$tid: get quoted" +echo "get \"$DATA\" $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "get failed" +cmp $DATA ${COPY} || fail "corrupted copy after get" + +rm -f ${QUOTECOPY} +cp $DATA ${QUOTECOPY} +verbose "$tid: get filename with quotes" +echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ + || fail "put failed" +cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes" +rm -f ${QUOTECOPY} ${COPY} + rm -f ${COPY}.dd/* verbose "$tid: get to directory" echo "get $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \ -- cgit v1.2.3 From 6c0c0705e30d9bb2b5951d37c681ee943eb17c43 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 9 Oct 2003 14:13:53 +1000 Subject: - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ --- ChangeLog | 5 ++++- sshd_config.5 | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) 
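Review bot: The new "get filename with quotes" case in regress/sftp-cmds.sh ends with `|| fail "put failed"` although the command it runs is a `get`, so a failure would point at the wrong operation; it should read `|| fail "get failed with quotes"`. The "get quoted" case just above it reuses the plain `fail "get failed"` text of the unquoted test, which makes the two indistinguishable in the log; `|| fail "get quoted failed"` would tell them apart. `QUOTECOPY` and `QUOTECOPY_ARG` are defined outside this hunk, so their quoting cannot be checked from here.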
diff --git a/ChangeLog b/ChangeLog index dc3233956..ee86bb7c5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20031009 + - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ + 20031008 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2003/10/07 01:47:27 @@ -1311,4 +1314,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3068 2003/10/08 07:52:10 dtucker Exp $ +$Id: ChangeLog,v 1.3069 2003/10/09 04:13:53 dtucker Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index 727fdb12a..b402bbdad 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -613,7 +613,8 @@ If you enable this, you should probably disable .Cm PasswordAuthentication . If you enable .CM UsePAM -then you will not be able to run sshd as a non-root user. +then you will not be able to run sshd as a non-root user. The default is +.Dq no . .It Cm UsePrivilegeSeparation Specifies whether .Nm sshd -- cgit v1.2.3 From 439ce0daf95fef595ba2592d16b17401a8bee135 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 9 Oct 2003 14:20:15 +1000 Subject: Add FALLTHROUGH comment --- auth-pam.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/auth-pam.c b/auth-pam.c index f5f030fff..11e53b61f 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.75 2003/10/07 01:30:16 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.76 2003/10/09 04:20:15 dtucker Exp $"); #ifdef USE_PAM #include @@ -439,6 +439,7 @@ sshpam_query(void *ctx, char **name, char **info, return (0); } error("PAM: %s", msg); + /* FALLTHROUGH */ default: *num = 0; **echo_on = 0; -- cgit v1.2.3 From 1f20394e92afa417c1201506f9ae8683170ac496 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Wed, 15 Oct 2003 15:50:42 +1000 Subject: - jmc@cvs.openbsd.org 2003/10/08 08:27:36 [scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8] scp and sftp: add options list and sort options. options list requested by deraadt@ sshd: use same format as ssh ssh: remove wrong option from list sftp-server: Subsystem is documented in ssh_config(5), not sshd(8) ok deraadt@ markus@ --- ChangeLog | 13 ++++- scp.1 | 168 ++++++++++++++++++++++++++++++++++++++-------------------- scp.c | 6 +-- sftp-server.8 | 5 +- sftp.1 | 142 ++++++++++++++++++++++++++++++++++--------------- sftp.c | 12 +++-- ssh.1 | 3 +- sshd.8 | 85 ++++++++++++++--------------- 8 files changed, 277 insertions(+), 157 deletions(-) diff --git a/ChangeLog b/ChangeLog index ee86bb7c5..d2c3255c9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +20031015 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/10/08 08:27:36 + [scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8] + scp and sftp: add options list and sort options. options list requested + by deraadt@ + sshd: use same format as ssh + ssh: remove wrong option from list + sftp-server: Subsystem is documented in ssh_config(5), not sshd(8) + ok deraadt@ markus@ + 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1314,4 +1325,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3069 2003/10/09 04:13:53 dtucker Exp $ +$Id: ChangeLog,v 1.3070 2003/10/15 05:50:42 dtucker Exp $ diff --git a/scp.1 b/scp.1 index a971500ee..bdc413337 100644 --- a/scp.1 +++ b/scp.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.28 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.29 2003/10/08 08:27:36 jmc Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 
@@ -20,24 +20,24 @@ .Sh SYNOPSIS .Nm scp .Bk -words -.Op Fl pqrvBC1246 -.Op Fl F Ar ssh_config -.Op Fl S Ar program -.Op Fl P Ar port +.Op Fl 1246BCpqrv .Op Fl c Ar cipher +.Op Fl F Ar ssh_config .Op Fl i Ar identity_file .Op Fl l Ar limit .Op Fl o Ar ssh_option +.Op Fl P Ar port +.Op Fl S Ar program .Sm off .Oo -.Op Ar user@ +.Op Ar user No @ .Ar host1 No : .Oc Ns Ar file1 .Sm on .Op Ar ... .Sm off .Oo -.Op Ar user@ +.Op Ar user No @ .Ar host2 No : .Oc Ar file2 .Sm on @@ -62,35 +62,24 @@ Copies between two remote hosts are permitted. .Pp The options are as follows: .Bl -tag -width Ds -.It Fl c Ar cipher -Selects the cipher to use for encrypting the data transfer. -This option is directly passed to -.Xr ssh 1 . -.It Fl i Ar identity_file -Selects the file from which the identity (private key) for RSA -authentication is read. -This option is directly passed to -.Xr ssh 1 . -.It Fl l Ar limit -Limits the used bandwidth, specified in Kbit/s. -.It Fl p -Preserves modification times, access times, and modes from the -original file. -.It Fl r -Recursively copy entire directories. -.It Fl v -Verbose mode. -Causes +.It Fl 1 +Forces .Nm -and -.Xr ssh 1 -to print debugging messages about their progress. -This is helpful in -debugging connection, authentication, and configuration problems. +to use protocol 1. +.It Fl 2 +Forces +.Nm +to use protocol 2. +.It Fl 4 +Forces +.Nm +to use IPv4 addresses only. +.It Fl 6 +Forces +.Nm +to use IPv6 addresses only. .It Fl B Selects batch mode (prevents asking for passwords or passphrases). -.It Fl q -Disables the progress meter. .It Fl C Compression enable. Passes the 
@@ -98,12 +87,85 @@ Passes the flag to .Xr ssh 1 to enable compression. +.It Fl c Ar cipher +Selects the cipher to use for encrypting the data transfer. +This option is directly passed to +.Xr ssh 1 . .It Fl F Ar ssh_config Specifies an alternative per-user configuration file for .Nm ssh . This option is directly passed to .Xr ssh 1 . +.It Fl i Ar identity_file +Selects the file from which the identity (private key) for RSA +authentication is read. +This option is directly passed to +.Xr ssh 1 . +.It Fl l Ar limit +Limits the used bandwidth, specified in Kbit/s. +.It Fl o Ar ssh_option +Can be used to pass options to +.Nm ssh +in the format used in +.Xr ssh_config 5 . +This is useful for specifying options +for which there is no separate +.Nm scp +command-line flag. +For full details of the options listed below, and their possible values, see +.Xr ssh_config 5 . +.Pp +.Bl -tag -width Ds -offset indent -compact +.It AddressFamily +.It BatchMode +.It BindAddress +.It ChallengeResponseAuthentication +.It CheckHostIP +.It Cipher +.It Ciphers +.It ClearAllForwardings +.It Compression +.It CompressionLevel +.It ConnectionAttempts +.It ConnectionTimeout +.It DynamicForward +.It EscapeChar +.It ForwardAgent +.It ForwardX11 +.It GatewayPorts +.It GlobalKnownHostsFile +.It GSSAPIAuthentication +.It GSSAPIDelegateCredentials +.It Host +.It HostbasedAuthentication +.It HostKeyAlgorithms +.It HostKeyAlias +.It HostName +.It IdentityFile +.It KeepAlive +.It LocalForward +.It LogLevel +.It MACs +.It NoHostAuthenticationForLocalhost +.It NumberOfPasswordPrompts +.It PasswordAuthentication +.It Port +.It PreferredAuthentications +.It Protocol +.It ProxyCommand +.It PubkeyAuthentication +.It RemoteForward +.It RhostsRSAAuthentication +.It RSAAuthentication +.It SmartcardDevice +.It StrictHostKeyChecking +.It UsePrivilegedPort +.It User +.It UserKnownHostsFile +.It VerifyHostKeyDNS +.It XAuthLocation +.El .It Fl P Ar port Specifies the port to connect to on the remote host. 
Note that this option is written with a capital @@ -112,6 +174,13 @@ because .Fl p is already reserved for preserving the times and modes of the file in .Xr rcp 1 . +.It Fl p +Preserves modification times, access times, and modes from the +original file. +.It Fl q +Disables the progress meter. +.It Fl r +Recursively copy entire directories. .It Fl S Ar program Name of .Ar program @@ -119,31 +188,15 @@ to use for the encrypted connection. The program must understand .Xr ssh 1 options. -.It Fl o Ar ssh_option -Can be used to pass options to -.Nm ssh -in the format used in -.Xr ssh_config 5 . -This is useful for specifying options -for which there is no separate -.Nm scp -command-line flag. -.It Fl 1 -Forces -.Nm -to use protocol 1. -.It Fl 2 -Forces -.Nm -to use protocol 2. -.It Fl 4 -Forces -.Nm -to use IPv4 addresses only. -.It Fl 6 -Forces +.It Fl v +Verbose mode. +Causes .Nm -to use IPv6 addresses only. +and +.Xr ssh 1 +to print debugging messages about their progress. +This is helpful in +debugging connection, authentication, and configuration problems. .El .Sh DIAGNOSTICS .Nm @@ -165,5 +218,4 @@ program in BSD source code from the Regents of the University of California. .Sh AUTHORS .An Timo Rinne Aq tri@iki.fi -and .An Tatu Ylonen Aq ylo@cs.hut.fi diff --git a/scp.c b/scp.c index a1f136a1f..364ab2860 100644 --- a/scp.c +++ b/scp.c @@ -71,7 +71,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.109 2003/09/19 17:40:20 markus Exp $"); +RCSID("$OpenBSD: scp.c,v 1.110 2003/10/08 08:27:36 jmc Exp $"); #include "xmalloc.h" #include "atomicio.h" @@ -1019,8 +1019,8 @@ void usage(void) { (void) fprintf(stderr, - "usage: scp [-pqrvBC1246] [-F config] [-S program] [-P port]\n" - " [-c cipher] [-i identity] [-l limit] [-o option]\n" + "usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n" + " [-l limit] [-o ssh_option] [-P port] [-S program]\n" " [[user@]host1:]file1 [...] [[user@]host2:]file2\n"); exit(1); } 
diff --git a/sftp-server.8 b/sftp-server.8 index 871f83796..42f5d437c 100644 --- a/sftp-server.8 +++ b/sftp-server.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp-server.8,v 1.9 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD: sftp-server.8,v 1.10 2003/10/08 08:27:36 jmc Exp $ .\" .\" Copyright (c) 2000 Markus Friedl. All rights reserved. .\" @@ -41,11 +41,12 @@ using the .Cm Subsystem option. See -.Xr sshd 8 +.Xr sshd_config 5 for more information. .Sh SEE ALSO .Xr sftp 1 , .Xr ssh 1 , +.Xr sshd_config 5 , .Xr sshd 8 .Rs .%A T. Ylonen diff --git a/sftp.1 b/sftp.1 index 753a4f2b9..05b972e46 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.45 2003/09/02 18:50:06 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.46 2003/10/08 08:27:36 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -31,15 +31,15 @@ .Sh SYNOPSIS .Nm sftp .Bk -words -.Op Fl vC1 -.Op Fl b Ar batchfile -.Op Fl o Ar ssh_option -.Op Fl s Ar subsystem | sftp_server +.Op Fl 1Cv .Op Fl B Ar buffer_size +.Op Fl b Ar batchfile .Op Fl F Ar ssh_config -.Op Fl P Ar sftp_server path +.Op Fl o Ar ssh_option +.Op Fl P Ar sftp_server_path .Op Fl R Ar num_requests .Op Fl S Ar program +.Op Fl s Ar subsystem | sftp_server .Ar host .Ek .Nm sftp @@ -84,6 +84,15 @@ and for details). The options are as follows: .Bl -tag -width Ds +.It Fl 1 +Specify the use of protocol version 1. +.It Fl B Ar buffer_size +Specify the size of the buffer that +.Nm +uses when transferring files. +Larger buffers require fewer round trips at the cost of higher +memory consumption. +The default is 32768 bytes. .It Fl b Ar batchfile Batch mode reads a series of commands from an input .Ar batchfile 
@@ -104,6 +113,16 @@ prefixing the command with a .Sq Ic \- character (for example, .Ic -rm /tmp/blah* ) . +.It Fl C +Enables compression (via ssh's +.Fl C +flag). +.It Fl F Ar ssh_config +Specifies an alternative +per-user configuration file for +.Xr ssh 1 . +This option is directly passed to +.Xr ssh 1 . .It Fl o Ar ssh_option Can be used to pass options to .Nm ssh 
@@ -115,35 +134,60 @@ for which there is no separate command-line flag. For example, to specify an alternate port use: .Ic sftp -oPort=24 . -.It Fl s Ar subsystem | sftp_server -Specifies the SSH2 subsystem or the path for an sftp server -on the remote host. -A path is useful for using -.Nm -over protocol version 1, or when the remote -.Xr sshd 8 -does not have an sftp subsystem configured. -.It Fl v -Raise logging level. -This option is also passed to ssh. -.It Fl B Ar buffer_size -Specify the size of the buffer that -.Nm -uses when transferring files. -Larger buffers require fewer round trips at the cost of higher -memory consumption. -The default is 32768 bytes. -.It Fl C -Enables compression (via ssh's -.Fl C -flag). -.It Fl F Ar ssh_config -Specifies an alternative -per-user configuration file for -.Xr ssh 1 . -This option is directly passed to -.Xr ssh 1 . -.It Fl P Ar sftp_server path +For full details of the options listed below, and their possible values, see +.Xr ssh_config 5 . 
+.Pp +.Bl -tag -width Ds -offset indent -compact +.It AddressFamily +.It BatchMode +.It BindAddress +.It ChallengeResponseAuthentication +.It CheckHostIP +.It Cipher +.It Ciphers +.It ClearAllForwardings +.It Compression +.It CompressionLevel +.It ConnectionAttempts +.It ConnectionTimeout +.It DynamicForward +.It EscapeChar +.It ForwardAgent +.It ForwardX11 +.It GatewayPorts +.It GlobalKnownHostsFile +.It GSSAPIAuthentication +.It GSSAPIDelegateCredentials +.It Host +.It HostbasedAuthentication +.It HostKeyAlgorithms +.It HostKeyAlias +.It HostName +.It IdentityFile +.It KeepAlive +.It LocalForward +.It LogLevel +.It MACs +.It NoHostAuthenticationForLocalhost +.It NumberOfPasswordPrompts +.It PasswordAuthentication +.It Port +.It PreferredAuthentications +.It Protocol +.It ProxyCommand +.It PubkeyAuthentication +.It RemoteForward +.It RhostsRSAAuthentication +.It RSAAuthentication +.It SmartcardDevice +.It StrictHostKeyChecking +.It UsePrivilegedPort +.It User +.It UserKnownHostsFile +.It VerifyHostKeyDNS +.It XAuthLocation +.El +.It Fl P Ar sftp_server_path Connect directly to a local sftp server (rather than via .Xr ssh 1 ) @@ -160,8 +204,17 @@ to use for the encrypted connection. The program must understand .Xr ssh 1 options. -.It Fl 1 -Specify the use of protocol version 1. +.It Fl s Ar subsystem | sftp_server +Specifies the SSH2 subsystem or the path for an sftp server +on the remote host. +A path is useful for using +.Nm +over protocol version 1, or when the remote +.Xr sshd 8 +does not have an sftp subsystem configured. +.It Fl v +Raise logging level. +This option is also passed to ssh. .El .Sh INTERACTIVE COMMANDS Once in interactive mode, 
@@ -170,16 +223,13 @@ understands a set of commands similar to those of .Xr ftp 1 . Commands are case insensitive and pathnames may be enclosed in quotes if they contain spaces. -.Bl -tag -width Ds +.Bl -tag -width "lmdir path" .It Ic bye Quit .Nm sftp . .It Ic cd Ar path Change remote directory to .Ar path . -.It Ic lcd Ar path -Change local directory to -.Ar path . .It Ic chgrp Ar grp Ar path Change group of file .Ar path @@ -219,6 +269,9 @@ flag is specified, then the file's full permission and access time are copied too. .It Ic help Display help text. +.It Ic lcd Ar path +Change local directory to +.Ar path . .It Ic lls Op Ar ls-options Op Ar path Display local directory listing of either .Ar path @@ -280,12 +333,12 @@ Rename remote file from .Ar oldpath to .Ar newpath . -.It Ic rmdir Ar path -Remove remote directory specified by -.Ar path . .It Ic rm Ar path Delete remote file specified by .Ar path . +.It Ic rmdir Ar path +Remove remote directory specified by +.Ar path . .It Ic symlink Ar oldpath Ar newpath Create a symbolic link from .Ar oldpath @@ -305,6 +358,7 @@ Escape to local shell. Synonym for help. .El .Sh SEE ALSO +.Xr ftp 1 , .Xr scp 1 , .Xr ssh 1 , .Xr ssh-add 1 , diff --git a/sftp.c b/sftp.c index c2a6593b8..fddc6875f 100644 --- a/sftp.c +++ b/sftp.c @@ -24,7 +24,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.37 2003/07/10 20:05:55 markus Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.38 2003/10/08 08:27:36 jmc Exp $"); #include "buffer.h" #include "xmalloc.h" 
@@ -112,10 +112,12 @@ usage(void) extern char *__progname; fprintf(stderr, - "usage: %s [-vC1] [-b batchfile] [-o ssh_option] [-s subsystem | sftp_server]\n" - " [-B buffer_size] [-F ssh_config] [-P sftp_server path]\n" - " [-R num_requests] [-S program]\n" - " [user@]host[:file [file]]\n", __progname); + "usage: %s [-1Cv] [-B buffer_size] [-b batchfile] [-F ssh_config]\n" + " [-o ssh_option] [-P sftp_server_path] [-R num_requests]\n" + " [-S program] [-s subsystem | sftp_server] host\n" + " %s [[user@]host[:file [file]]]\n" + " %s [[user@]host[:dir[/]]]\n" + " %s -b batchfile [user@]host\n", __progname, __progname, __progname, __progname); exit(1); } diff --git a/ssh.1 b/ssh.1 index 21e573b6d..2ba7fa6fd 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.176 2003/09/29 11:40:51 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.177 2003/10/08 08:27:36 jmc Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -621,7 +621,6 @@ For full details of the options listed below, and their possible values, see .It ConnectionAttempts .It ConnectionTimeout .It DynamicForward -.It EnableSSHKeysign .It EscapeChar .It ForwardAgent .It ForwardX11 diff --git a/sshd.8 b/sshd.8 index 0eeea6666..34413e2a7 100644 --- a/sshd.8 +++ b/sshd.8 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.199 2003/08/13 08:46:31 markus Exp $ +.\" $OpenBSD: sshd.8,v 1.200 2003/10/08 08:27:36 jmc Exp $ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -44,7 +44,7 @@ .Sh SYNOPSIS .Nm sshd .Bk -words -.Op Fl deiqtD46 +.Op Fl 46Ddeiqt .Op Fl b Ar bits .Op Fl f Ar config_file .Op Fl g Ar login_grace_time 
@@ -78,9 +78,7 @@ This implementation of supports both SSH protocol version 1 and 2 simultaneously. .Nm works as follows: -.Pp .Ss SSH protocol version 1 -.Pp Each host has a host-specific RSA key (normally 1024 bits) used to identify the host. Additionally, when @@ -92,7 +90,7 @@ Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. -The client then generates a 256 bit random number. +The client then generates a 256-bit random number. It encrypts this random number using both the host key and the server key, and sends the encrypted number to the server. @@ -107,9 +105,9 @@ to use from those offered by the server. .Pp Next, the server and the client enter an authentication dialog. The client tries to authenticate itself using -.Pa .rhosts +.Em .rhosts authentication, -.Pa .rhosts +.Em .rhosts authentication combined with RSA host authentication, RSA challenge-response authentication, or password based authentication. @@ -137,7 +135,8 @@ or .Ql \&*NP\&* ). .Pp -Rhosts authentication is normally disabled +.Em rhosts +authentication is normally disabled because it is fundamentally insecure, but can be enabled in the server configuration file if desired. System security is not improved unless @@ -150,9 +149,7 @@ are disabled (thus completely disabling and .Xr rsh into the machine). -.Pp .Ss SSH protocol version 2 -.Pp Version 2 works similarly: Each host has a host-specific key (RSA or DSA) used to identify the host. However, when the daemon starts, it does not generate a server key. 
@@ -160,7 +157,7 @@ Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. .Pp The rest of the session is encrypted using a symmetric cipher, currently -128 bit AES, Blowfish, 3DES, CAST128, Arcfour, 192 bit AES, or 256 bit AES. +128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES. The client selects the encryption algorithm to use from those offered by the server. Additionally, session integrity is provided @@ -171,9 +168,7 @@ Protocol version 2 provides a public key based user (PubkeyAuthentication) or client host (HostbasedAuthentication) authentication method, conventional password authentication and challenge response based methods. -.Pp .Ss Command execution and data forwarding -.Pp If the client successfully authenticates itself, a dialog for preparing the session is entered. At this time the client may request @@ -192,8 +187,9 @@ connections have been closed, the server sends command exit status to the client, and both sides exit. .Pp .Nm -can be configured using command-line options or a configuration -file. +can be configured using command-line options or a configuration file +(by default +.Xr sshd_config 5 ) . Command-line options override values specified in the configuration file. .Pp @@ -205,9 +201,23 @@ by executing itself with the name it was started as, i.e., .Pp The options are as follows: .Bl -tag -width Ds +.It Fl 4 +Forces +.Nm +to use IPv4 addresses only. +.It Fl 6 +Forces +.Nm +to use IPv6 addresses only. .It Fl b Ar bits Specifies the number of bits in the ephemeral protocol version 1 server key (default 768). +.It Fl D +When this option is specified, +.Nm +will not detach and does not become a daemon. +This allows easy monitoring of +.Nm sshd . .It Fl d Debug mode. The server sends verbose debug output to the system 
@@ -267,7 +277,7 @@ be feasible. Specifies how often the ephemeral protocol version 1 server key is regenerated (default 3600 seconds, or one hour). The motivation for regenerating the key fairly -often is that the key is not stored anywhere, and after about an hour, +often is that the key is not stored anywhere, and after about an hour it becomes impossible to recover the key for decrypting intercepted communications even if the machine is cracked into or physically seized. @@ -276,6 +286,8 @@ A value of zero indicates that the key will never be regenerated. Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. +For full details of the options, and their values, see +.Xr sshd_config 5 . .It Fl p Ar port Specifies the port on which the server listens for connections (default 22). @@ -325,20 +337,6 @@ USER@HOST pattern in .Cm AllowUsers or .Cm DenyUsers . -.It Fl D -When this option is specified -.Nm -will not detach and does not become a daemon. -This allows easy monitoring of -.Nm sshd . -.It Fl 4 -Forces -.Nm -to use IPv4 addresses only. -.It Fl 6 -Forces -.Nm -to use IPv6 addresses only. .El .Sh CONFIGURATION FILE .Nm @@ -375,9 +373,9 @@ Changes to run with normal user privileges. .It Sets up basic environment. .It -Reads -.Pa $HOME/.ssh/environment -if it exists and users are allowed to change their environment. +Reads the file +.Pa $HOME/.ssh/environment , +if it exists, and users are allowed to change their environment. See the .Cm PermitUserEnvironment option in @@ -516,7 +514,7 @@ Limit local port forwarding such that it may only connect to the specified host and port. IPv6 addresses can be specified with an alternative syntax: -.Ar host/port . +.Ar host Ns / Ns Ar port . Multiple .Cm permitopen options may be applied separated by commas. 
@@ -524,13 +522,13 @@ No pattern matching is performed on the specified hostnames, they must be literal domains or addresses. .El .Ss Examples -1024 33 12121.\|.\|.\|312314325 ylo@foo.bar +1024 33 12121...312314325 ylo@foo.bar .Pp -from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23.\|.\|.\|2334 ylo@niksula +from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula .Pp -command="dump /home",no-pty,no-port-forwarding 1024 33 23.\|.\|.\|2323 backup.hut.fi +command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi .Pp -permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23.\|.\|.\|2323 +permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 .Sh SSH_KNOWN_HOSTS FILE FORMAT The .Pa /etc/ssh/ssh_known_hosts @@ -588,7 +586,7 @@ or by taking and adding the host names at the front. .Ss Examples .Bd -literal -closenet,.\|.\|.\|,130.233.208.41 1024 37 159.\|.\|.93 closenet.hut.fi +closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= .Ed .Sh FILES @@ -647,7 +645,7 @@ and/or .Pa id_rsa.pub files into this file, as described in .Xr ssh-keygen 1 . -.It Pa "/etc/ssh/ssh_known_hosts" and "$HOME/.ssh/known_hosts" +.It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" These files are consulted when using rhosts with RSA host authentication or protocol version 2 hostbased authentication to check the public key of the host. @@ -681,7 +679,7 @@ The file must be writable only by the user; it is recommended that it not be accessible by others. .Pp -If is also possible to use netgroups in the file. +It is also possible to use netgroups in the file. Either host or user name may be of the form +@groupname to specify all hosts or all users in the group. 
@@ -693,7 +691,7 @@ However, this file is not used by rlogin and rshd, so using this permits access using SSH only. .It Pa /etc/hosts.equiv This file is used during -.Pa .rhosts +.Em rhosts authentication. In the simplest form, this file contains host names, one per line. Users on @@ -800,9 +798,12 @@ This file should be writable only by root, and should be world-readable. .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , +.Xr chroot 2 , +.Xr hosts_access 5 , .Xr login.conf 5 , .Xr moduli 5 , .Xr sshd_config 5 , +.Xr inetd 8 , .Xr sftp-server 8 .Rs .%A T. Ylonen -- cgit v1.2.3 From a044f47679c27ca77b3ec19a6e0e148deb50a427 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 15:52:03 +1000 Subject: - markus@cvs.openbsd.org 2003/10/08 15:21:24 [readconf.c ssh_config.5] default GSS API to no in client, too; ok jakob, deraadt@ --- ChangeLog | 5 ++++- readconf.c | 4 ++-- ssh_config.5 | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index d2c3255c9..6dbe21d3e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ ssh: remove wrong option from list sftp-server: Subsystem is documented in ssh_config(5), not sshd(8) ok deraadt@ markus@ + - markus@cvs.openbsd.org 2003/10/08 15:21:24 + [readconf.c ssh_config.5] + default GSS API to no in client, too; ok jakob, deraadt@ 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1325,4 +1328,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3070 2003/10/15 05:50:42 dtucker Exp $ +$Id: ChangeLog,v 1.3071 2003/10/15 05:52:03 dtucker Exp $ diff --git a/readconf.c b/readconf.c index 13987ffa7..5a7084fe8 100644 --- a/readconf.c +++ b/readconf.c 
@@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.121 2003/09/01 18:15:50 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -885,7 +885,7 @@ fill_default_options(Options * options) if (options->challenge_response_authentication == -1) options->challenge_response_authentication = 1; if (options->gss_authentication == -1) - options->gss_authentication = 1; + options->gss_authentication = 0; if (options->gss_deleg_creds == -1) options->gss_deleg_creds = 0; if (options->password_authentication == -1) diff --git a/ssh_config.5 b/ssh_config.5 index 7a435a90e..da162499b 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.20 2003/09/02 18:50:06 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.21 2003/10/08 15:21:24 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -336,7 +336,7 @@ Specifies whether authentication based on GSSAPI may be used, either using the result of a successful key exchange, or using GSSAPI user authentication. The default is -.Dq yes . +.Dq no . Note that this option applies to protocol version 2 only. .It Cm GSSAPIDelegateCredentials Forward (delegate) credentials to the server. -- cgit v1.2.3 From 0a118da00eff14f018a055b3c187f27aa7d78ecd Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Wed, 15 Oct 2003 15:54:32 +1000 Subject: - markus@cvs.openbsd.org 2003/10/11 08:24:08 [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] remote x11 clients are now untrusted by default, uses xauth(8) to generate untrusted cookies; ForwardX11Trusted=yes restores old behaviour. ok deraadt; feedback and ok djm/fries --- ChangeLog | 7 ++++- readconf.c | 12 ++++++-- readconf.h | 3 +- ssh.1 | 7 +++-- ssh.c | 92 ++++++++++++++++++++++++++++++++++++++++++++---------------- ssh_config.5 | 24 ++++++++++++++-- 6 files changed, 112 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6dbe21d3e..dc5885854 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,11 @@ - markus@cvs.openbsd.org 2003/10/08 15:21:24 [readconf.c ssh_config.5] default GSS API to no in client, too; ok jakob, deraadt@ + - markus@cvs.openbsd.org 2003/10/11 08:24:08 + [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] + remote x11 clients are now untrusted by default, uses xauth(8) to generate + untrusted cookies; ForwardX11Trusted=yes restores old behaviour. + ok deraadt; feedback and ok djm/fries 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1328,4 +1333,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3071 2003/10/15 05:52:03 dtucker Exp $ +$Id: ChangeLog,v 1.3072 2003/10/15 05:54:32 dtucker Exp $ diff --git a/readconf.c b/readconf.c index 5a7084fe8..e5f2620a7 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.123 2003/10/11 08:24:07 markus Exp $"); #include "ssh.h" #include "xmalloc.h" 
@@ -89,7 +89,7 @@ RCSID("$OpenBSD: readconf.c,v 1.122 2003/10/08 15:21:24 markus Exp $"); typedef enum { oBadOption, - oForwardAgent, oForwardX11, oGatewayPorts, + oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts, oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, @@ -116,6 +116,7 @@ static struct { } keywords[] = { { "forwardagent", oForwardAgent }, { "forwardx11", oForwardX11 }, + { "forwardx11trusted", oForwardX11Trusted }, { "xauthlocation", oXAuthLocation }, { "gatewayports", oGatewayPorts }, { "useprivilegedport", oUsePrivilegedPort }, @@ -342,6 +343,10 @@ parse_flag: intptr = &options->forward_x11; goto parse_flag; + case oForwardX11Trusted: + intptr = &options->forward_x11_trusted; + goto parse_flag; + case oGatewayPorts: intptr = &options->gateway_ports; goto parse_flag; @@ -806,6 +811,7 @@ initialize_options(Options * options) memset(options, 'X', sizeof(*options)); options->forward_agent = -1; options->forward_x11 = -1; + options->forward_x11_trusted = -1; options->xauth_location = NULL; options->gateway_ports = -1; options->use_privileged_port = -1; @@ -872,6 +878,8 @@ fill_default_options(Options * options) options->forward_agent = 0; if (options->forward_x11 == -1) options->forward_x11 = 0; + if (options->forward_x11_trusted == -1) + options->forward_x11_trusted = 0; if (options->xauth_location == NULL) options->xauth_location = _PATH_XAUTH; if (options->gateway_ports == -1) diff --git a/readconf.h b/readconf.h index 60287f710..8aab2e606 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.55 2003/09/01 18:15:50 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.56 2003/10/11 08:24:08 markus Exp $ */ /* * Author: Tatu Ylonen 
@@ -30,6 +30,7 @@ typedef struct { typedef struct { int forward_agent; /* Forward authentication agent. */ int forward_x11; /* Forward X11 display. */ + int forward_x11_trusted; /* Trust Forward X11 display. */ char *xauth_location; /* Location for xauth program */ int gateway_ports; /* Allow remote connects to forwarded ports. */ int use_privileged_port; /* Don't use privileged port if false. */ diff --git a/ssh.1 b/ssh.1 index 2ba7fa6fd..107841533 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.177 2003/10/08 08:27:36 jmc Exp $ +.\" $OpenBSD: ssh.1,v 1.178 2003/10/11 08:24:08 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -43,7 +43,7 @@ .Nd OpenSSH SSH client (remote login program) .Sh SYNOPSIS .Nm ssh -.Op Fl 1246AaCfgkNnqsTtVvXx +.Op Fl 1246AaCfgkNnqsTtVvXxY .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec .Op Fl D Ar port @@ -624,6 +624,7 @@ For full details of the options listed below, and their possible values, see .It EscapeChar .It ForwardAgent .It ForwardX11 +.It ForwardX11Trusted .It GatewayPorts .It GlobalKnownHostsFile .It GSSAPIAuthentication @@ -732,6 +733,8 @@ can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring. .It Fl x Disables X11 forwarding. +.It Fl Y +Enables trusted X11 forwarding. .El .Sh CONFIGURATION FILES .Nm diff --git a/ssh.c b/ssh.c index 35418f693..39d1b2f6a 100644 --- a/ssh.c +++ b/ssh.c @@ -13,7 +13,7 @@ * called by a name other than "ssh" or "Secure Shell". * * Copyright (c) 1999 Niels Provos. All rights reserved. - * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. + * Copyright (c) 2000, 2001, 2002, 2003 Markus Friedl. All rights reserved. * * Modified to work with SSL by Niels Provos * in Canada (German citizen). 
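Review bot: The comment added for `forward_x11_trusted` in readconf.h, `/* Trust Forward X11 display. */`, does not say what either value means, although this field decides whether remote X11 clients are restricted. Wording such as `/* Nonzero: remote X11 clients get full (trusted) access to the display. */` would match the ForwardX11Trusted text this commit adds to ssh_config.5. The Options struct continues outside the hunk.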
@@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.201 2003/09/01 18:15:50 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.202 2003/10/11 08:24:08 markus Exp $"); #include #include @@ -155,6 +155,7 @@ usage(void) fprintf(stderr, " -A Enable authentication agent forwarding.\n"); fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); fprintf(stderr, " -X Enable X11 connection forwarding.\n"); + fprintf(stderr, " -Y Enable trusted X11 connection forwarding.\n"); fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); fprintf(stderr, " -i file Identity for public key authentication " "(default: ~/.ssh/identity)\n"); @@ -264,7 +265,7 @@ main(int ac, char **av) again: while ((opt = getopt(ac, av, - "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) { + "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVXY")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -291,6 +292,10 @@ again: case 'X': options.forward_x11 = 1; break; + case 'Y': + options.forward_x11 = 1; + options.forward_x11_trusted = 1; + break; case 'g': options.gateway_ports = 1; break; @@ -721,19 +726,25 @@ again: return exit_status; } +#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1" + static void x11_get_proto(char **_proto, char **_data) { + char cmd[1024]; char line[512]; + char xdisplay[512]; static char proto[512], data[512]; FILE *f; - int got_data = 0, i; - char *display; + int got_data = 0, generated = 0, do_unlink = 0, i; + char *display, *xauthdir, *xauthfile; struct stat st; + xauthdir = xauthfile = NULL; *_proto = proto; *_data = data; proto[0] = data[0] = '\0'; + if (!options.xauth_location || (stat(options.xauth_location, &st) == -1)) { debug("No xauth program."); 
@@ -742,28 +753,59 @@ x11_get_proto(char **_proto, char **_data) debug("x11_get_proto: DISPLAY not set"); return; } - /* Try to get Xauthority information for the display. */ - if (strncmp(display, "localhost:", 10) == 0) - /* - * Handle FamilyLocal case where $DISPLAY does - * not match an authorization entry. For this we - * just try "xauth list unix:displaynum.screennum". - * XXX: "localhost" match to determine FamilyLocal - * is not perfect. - */ - snprintf(line, sizeof line, "%s list unix:%s 2>" - _PATH_DEVNULL, options.xauth_location, display+10); - else - snprintf(line, sizeof line, "%s list %.200s 2>" - _PATH_DEVNULL, options.xauth_location, display); - debug2("x11_get_proto: %s", line); - f = popen(line, "r"); + /* + * Handle FamilyLocal case where $DISPLAY does + * not match an authorization entry. For this we + * just try "xauth list unix:displaynum.screennum". + * XXX: "localhost" match to determine FamilyLocal + * is not perfect. + */ + if (strncmp(display, "localhost:", 10) == 0) { + snprintf(xdisplay, sizeof(xdisplay), "unix:%s", + display + 10); + display = xdisplay; + } + if (options.forward_x11_trusted == 0) { + xauthdir = xmalloc(MAXPATHLEN); + xauthfile = xmalloc(MAXPATHLEN); + strlcpy(xauthdir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); + if (mkdtemp(xauthdir) != NULL) { + do_unlink = 1; + snprintf(xauthfile, MAXPATHLEN, "%s/xauthfile", + xauthdir); + snprintf(cmd, sizeof(cmd), + "%s -f %s generate %s " SSH_X11_PROTO + " untrusted timeout 120 2>" _PATH_DEVNULL, + options.xauth_location, xauthfile, display); + debug2("x11_get_proto: %s", cmd); + if (system(cmd) == 0) + generated = 1; + } + } + snprintf(cmd, sizeof(cmd), + "%s %s%s list %s . 2>" _PATH_DEVNULL, + options.xauth_location, + generated ? "-f " : "" , + generated ? 
xauthfile : "", + display); + debug2("x11_get_proto: %s", cmd); + f = popen(cmd, "r"); if (f && fgets(line, sizeof(line), f) && sscanf(line, "%*s %511s %511s", proto, data) == 2) got_data = 1; if (f) pclose(f); } + + if (do_unlink) { + unlink(xauthfile); + rmdir(xauthdir); + } + if (xauthdir) + xfree(xauthdir); + if (xauthfile) + xfree(xauthfile); + /* * If we didn't get authentication data, just make up some * data. The forwarding code will check the validity of the @@ -775,12 +817,14 @@ x11_get_proto(char **_proto, char **_data) if (!got_data) { u_int32_t rand = 0; - logit("Warning: No xauth data; using fake authentication data for X11 forwarding."); - strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); + logit("Warning: No xauth data; " + "using fake authentication data for X11 forwarding."); + strlcpy(proto, SSH_X11_PROTO, sizeof proto); for (i = 0; i < 16; i++) { if (i % 4 == 0) rand = arc4random(); - snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", rand & 0xff); + snprintf(data + 2 * i, sizeof data - 2 * i, "%02x", + rand & 0xff); rand >>= 8; } } diff --git a/ssh_config.5 b/ssh_config.5 index da162499b..7f3c7064a 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.21 2003/10/08 15:21:24 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.22 2003/10/11 08:24:08 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
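Review bot: When `mkdtemp()` or the `xauth ... generate` command fails in the untrusted path of x11_get_proto(), `generated` stays 0 and the following `list` command runs without `-f`, so it reads the default authority file and the session is forwarded with the ordinary cookie even though `forward_x11_trusted` is 0. The untrusted mode should fail closed: guard the list/popen step with `if (options.forward_x11_trusted || generated) {` so a failed generate falls through to the fake-cookie branch (or forwarding is refused), and log the failure. Separately, `display` is interpolated unquoted into the strings handed to `system()` and `popen()`, and the old `%.200s` bound is gone; assuming it comes from `$DISPLAY` (the lookup is outside this hunk), it should be checked against a conservative character set and the `snprintf` results checked for truncation before the command runs. x11_get_proto() begins in the previous hunk and ends in the next one.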
@@ -306,9 +306,27 @@ The default is .Pp X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host -(for the user's X authorization database) +(for the user's X11 authorization database) can access the local X11 display through the forwarded connection. -An attacker may then be able to perform activities such as keystroke monitoring. +An attacker may then be able to perform activities such as keystroke monitoring +if the +.Cm ForwardX11Trusted +option is also enabled. +.It Cm ForwardX11Trusted +If the this option is set to +.Dq yes +then remote X11 clients will have full access to the original X11 display. +If this option is set to +.Dq no +then remote X11 clients will be considered untrusted and prevented +from stealing or tampering with data belonging to trusted X11 +clients. +.Pp +The default is +.Dq no . +.Pp +See the X11 SECURITY extension specification for full details on +the restrictions imposed on untrusted clients. .It Cm GatewayPorts Specifies whether remote hosts are allowed to connect to local forwarded ports. -- cgit v1.2.3 From d05b60189552bb2746a069d0d320b0ee64df06e1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 15:55:59 +1000 Subject: - markus@cvs.openbsd.org 2003/10/11 08:26:43 [sshconnect2.c] search keys in reverse order; fixes #684 --- ChangeLog | 5 ++++- sshconnect2.c | 10 ++++++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index dc5885854..4eda171ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ remote x11 clients are now untrusted by default, uses xauth(8) to generate untrusted cookies; ForwardX11Trusted=yes restores old behaviour. ok deraadt; feedback and ok djm/fries + - markus@cvs.openbsd.org 2003/10/11 08:26:43 + [sshconnect2.c] + search keys in reverse order; fixes #684 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ 
@@ -1333,4 +1336,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3072 2003/10/15 05:54:32 dtucker Exp $ +$Id: ChangeLog,v 1.3073 2003/10/15 05:55:59 dtucker Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index 2ef4201ce..f38fdf9a0 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.126 2003/10/07 21:58:28 deraadt Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.127 2003/10/11 08:26:43 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -453,7 +453,12 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt) debug2("input_userauth_pk_ok: fp %s", fp); xfree(fp); - TAILQ_FOREACH(id, &authctxt->keys, next) { + /* + * search keys in the reverse order, because last candidate has been + * moved to the end of the queue. this also avoids confusion by + * duplicate keys + */ + TAILQ_FOREACH_REVERSE(id, &authctxt->keys, next, idlist) { if (key_equal(key, id->key)) { sent = sign_and_send_pubkey(authctxt, id); break; @@ -1086,6 +1091,7 @@ userauth_pubkey(Authctxt *authctxt) while ((id = TAILQ_FIRST(&authctxt->keys))) { if (id->tried++) return (0); + /* move key to the end of the queue */ TAILQ_REMOVE(&authctxt->keys, id, next); TAILQ_INSERT_TAIL(&authctxt->keys, id, next); /* -- cgit v1.2.3 From 7eb3de0dfbec68b1ae187c7896f6539679231092 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 15:56:58 +1000 Subject: - markus@cvs.openbsd.org 2003/10/11 11:36:23 [monitor_wrap.c] return NULL for missing banner; ok djm@ --- ChangeLog | 5 ++++- monitor_wrap.c | 13 ++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4eda171ef..f54616ea6 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -19,6 +19,9 @@ - markus@cvs.openbsd.org 2003/10/11 08:26:43 [sshconnect2.c] search keys in reverse order; fixes #684 + - markus@cvs.openbsd.org 2003/10/11 11:36:23 + [monitor_wrap.c] + return NULL for missing banner; ok djm@ 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1336,4 +1339,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3073 2003/10/15 05:55:59 dtucker Exp $ +$Id: ChangeLog,v 1.3074 2003/10/15 05:56:58 dtucker Exp $ diff --git a/monitor_wrap.c b/monitor_wrap.c index 99dfc8508..e19984ec0 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.32 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.33 2003/10/11 11:36:23 markus Exp $"); #include #include @@ -224,7 +224,8 @@ mm_getpwnamallow(const char *login) return (pw); } -char *mm_auth2_read_banner(void) +char * +mm_auth2_read_banner(void) { Buffer m; char *banner; @@ -235,10 +236,16 @@ char *mm_auth2_read_banner(void) mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTH2_READ_BANNER, &m); buffer_clear(&m); - mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUTH2_READ_BANNER, &m); + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_AUTH2_READ_BANNER, &m); banner = buffer_get_string(&m, NULL); buffer_free(&m); + /* treat empty banner as missing banner */ + if (strlen(banner) == 0) { + xfree(banner); + banner = NULL; + } return (banner); } -- cgit v1.2.3 From f132c67e8e6d6025e1b23a4c55123f062c11f03d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 15:58:18 +1000 Subject: - jmc@cvs.openbsd.org 2003/10/12 13:12:13 [ssh_config.5] note that EnableSSHKeySign should be in the non-hostspecific section; remove unnecessary .Pp; ok markus@ --- ChangeLog | 7 ++++++- ssh_config.5 | 4 ++-- 2 files changed, 8 insertions(+), 3 deletions(-) 
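Review bot: mm_auth2_read_banner() in monitor_wrap.c can now return NULL, and nothing at the definition tells callers so or says who frees the string. A header comment such as `/* Returns the banner as an allocated string the caller must xfree(), or NULL when the banner is empty. */` above the function would make the new contract visible. The callers are not on this page, so each should be checked for a NULL test before the pointer is used. The function's opening lines are in the preceding hunk.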
diff --git a/ChangeLog b/ChangeLog index f54616ea6..439a5b4bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,11 @@ - markus@cvs.openbsd.org 2003/10/11 11:36:23 [monitor_wrap.c] return NULL for missing banner; ok djm@ + - jmc@cvs.openbsd.org 2003/10/12 13:12:13 + [ssh_config.5] + note that EnableSSHKeySign should be in the non-hostspecific section; + remove unnecessary .Pp; + ok markus@ 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1339,4 +1344,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3074 2003/10/15 05:56:58 dtucker Exp $ +$Id: ChangeLog,v 1.3075 2003/10/15 05:58:18 dtucker Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 7f3c7064a..9073ce51f 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.22 2003/10/11 08:24:08 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.23 2003/10/12 13:12:13 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -186,7 +186,6 @@ Specifies the ciphers allowed for protocol version 2 in order of preference. Multiple ciphers must be comma-separated. The default is -.Pp .Bd -literal ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc'' @@ -260,6 +259,7 @@ or .Dq no . The default is .Dq no . +This option should be placed in the non-hostspecific section. See .Xr ssh-keysign 8 for more information. -- cgit v1.2.3 From b370ca9313b02581a5afff20d7555a34cf1f662d Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Wed, 15 Oct 2003 15:59:26 +1000 Subject: - markus@cvs.openbsd.org 2003/10/13 08:22:25 [scp.1 sftp.1] don't refer to options related to forwarding; ok jmc@ --- ChangeLog | 5 ++++- scp.1 | 11 +---------- sftp.1 | 11 +---------- 3 files changed, 6 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 439a5b4bc..486a2a981 100644 --- a/ChangeLog +++ b/ChangeLog @@ -27,6 +27,9 @@ note that EnableSSHKeySign should be in the non-hostspecific section; remove unnecessary .Pp; ok markus@ + - markus@cvs.openbsd.org 2003/10/13 08:22:25 + [scp.1 sftp.1] + don't refer to options related to forwarding; ok jmc@ 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1344,4 +1347,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3075 2003/10/15 05:58:18 dtucker Exp $ +$Id: ChangeLog,v 1.3076 2003/10/15 05:59:26 dtucker Exp $ diff --git a/scp.1 b/scp.1 index bdc413337..4dab2a1db 100644 --- a/scp.1 +++ b/scp.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.29 2003/10/08 08:27:36 jmc Exp $ +.\" $OpenBSD: scp.1,v 1.30 2003/10/13 08:22:25 markus Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -124,16 +124,10 @@ For full details of the options listed below, and their possible values, see .It CheckHostIP .It Cipher .It Ciphers -.It ClearAllForwardings .It Compression .It CompressionLevel .It ConnectionAttempts .It ConnectionTimeout -.It DynamicForward -.It EscapeChar -.It ForwardAgent -.It ForwardX11 -.It GatewayPorts .It GlobalKnownHostsFile .It GSSAPIAuthentication .It GSSAPIDelegateCredentials @@ -144,7 +138,6 @@ For full details of the options listed below, and their possible values, see .It HostName .It IdentityFile .It KeepAlive -.It LocalForward .It LogLevel .It MACs .It NoHostAuthenticationForLocalhost 
@@ -155,7 +148,6 @@ For full details of the options listed below, and their possible values, see .It Protocol .It ProxyCommand .It PubkeyAuthentication -.It RemoteForward .It RhostsRSAAuthentication .It RSAAuthentication .It SmartcardDevice @@ -164,7 +156,6 @@ For full details of the options listed below, and their possible values, see .It User .It UserKnownHostsFile .It VerifyHostKeyDNS -.It XAuthLocation .El .It Fl P Ar port Specifies the port to connect to on the remote host. diff --git a/sftp.1 b/sftp.1 index 05b972e46..00253037d 100644 --- a/sftp.1 +++ b/sftp.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.46 2003/10/08 08:27:36 jmc Exp $ +.\" $OpenBSD: sftp.1,v 1.47 2003/10/13 08:22:25 markus Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -145,16 +145,10 @@ For full details of the options listed below, and their possible values, see .It CheckHostIP .It Cipher .It Ciphers -.It ClearAllForwardings .It Compression .It CompressionLevel .It ConnectionAttempts .It ConnectionTimeout -.It DynamicForward -.It EscapeChar -.It ForwardAgent -.It ForwardX11 -.It GatewayPorts .It GlobalKnownHostsFile .It GSSAPIAuthentication .It GSSAPIDelegateCredentials @@ -165,7 +159,6 @@ For full details of the options listed below, and their possible values, see .It HostName .It IdentityFile .It KeepAlive -.It LocalForward .It LogLevel .It MACs .It NoHostAuthenticationForLocalhost @@ -176,7 +169,6 @@ For full details of the options listed below, and their possible values, see .It Protocol .It ProxyCommand .It PubkeyAuthentication -.It RemoteForward .It RhostsRSAAuthentication .It RSAAuthentication .It SmartcardDevice @@ -185,7 +177,6 @@ For full details of the options listed below, and their possible values, see .It User .It UserKnownHostsFile .It VerifyHostKeyDNS -.It XAuthLocation .El .It Fl P Ar sftp_server_path Connect directly to a local sftp server -- cgit v1.2.3 From dda19d63ffeed569c57f4b9359bc358abe690d23 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Wed, 15 Oct 2003 16:00:47 +1000 Subject: - jakob@cvs.openbsd.org 2003/10/14 19:42:10 [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c] include SSHFP lookup code (not enabled by default). ok markus@ --- ChangeLog | 5 ++++- dns.c | 7 ++----- dns.h | 4 +--- readconf.c | 6 +----- ssh-keygen.c | 12 +----------- sshconnect.c | 10 +--------- 6 files changed, 10 insertions(+), 34 deletions(-) diff --git a/ChangeLog b/ChangeLog index 486a2a981..414a51f25 100644 --- a/ChangeLog +++ b/ChangeLog @@ -30,6 +30,9 @@ - markus@cvs.openbsd.org 2003/10/13 08:22:25 [scp.1 sftp.1] don't refer to options related to forwarding; ok jmc@ + - jakob@cvs.openbsd.org 2003/10/14 19:42:10 + [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c] + include SSHFP lookup code (not enabled by default). ok markus@ 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1347,4 +1350,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3076 2003/10/15 05:59:26 dtucker Exp $ +$Id: ChangeLog,v 1.3077 2003/10/15 06:00:47 dtucker Exp $ diff --git a/dns.c b/dns.c index 90ab5601a..2fff1b802 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.6 2003/06/11 10:18:47 jakob Exp $ */ +/* $OpenBSD: dns.c,v 1.7 2003/10/14 19:42:10 jakob Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -28,7 +28,6 @@ #include "includes.h" -#ifdef DNS #include #ifdef LWRES #include @@ -44,7 +43,7 @@ #include "uuencode.h" extern char *__progname; -RCSID("$OpenBSD: dns.c,v 1.6 2003/06/11 10:18:47 jakob Exp $"); +RCSID("$OpenBSD: dns.c,v 1.7 2003/10/14 19:42:10 jakob Exp $"); #ifndef LWRES static const char *errset_text[] = { @@ -286,5 +285,3 @@ export_dns_rr(const char *hostname, Key *key, FILE *f, int generic) return success; } - -#endif /* DNS */ diff --git a/dns.h b/dns.h index ba0ea9fb4..1eb07d96e 100644 --- a/dns.h +++ b/dns.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: dns.h,v 1.3 2003/05/14 22:56:51 jakob Exp $ */ +/* $OpenBSD: dns.h,v 1.4 2003/10/14 19:42:10 jakob Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -28,7 +28,6 @@ #include "includes.h" -#ifdef DNS #ifndef DNS_H #define DNS_H @@ -54,4 +53,3 @@ int verify_host_key_dns(const char *, struct sockaddr *, Key *); int export_dns_rr(const char *, Key *, FILE *, int); #endif /* DNS_H */ -#endif /* DNS */ diff --git a/readconf.c b/readconf.c index e5f2620a7..86d28bc8d 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.123 2003/10/11 08:24:07 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.124 2003/10/14 19:42:10 jakob Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -183,11 +183,7 @@ static struct { #endif { "clearallforwardings", oClearAllForwardings }, { "enablesshkeysign", oEnableSSHKeysign }, -#ifdef DNS { "verifyhostkeydns", oVerifyHostKeyDNS }, -#else - { "verifyhostkeydns", oUnsupported }, -#endif { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, { "rekeylimit", oRekeyLimit }, { "connecttimeout", oConnectTimeout }, diff --git a/ssh-keygen.c b/ssh-keygen.c index 5b7bc400a..4a3cf241a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.109 2003/09/18 13:02:21 miod Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.110 2003/10/14 19:42:10 jakob Exp $"); #include #include @@ -32,9 +32,7 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.109 2003/09/18 13:02:21 miod Exp $"); #ifdef SMARTCARD #include "scard.h" #endif -#ifdef DNS #include "dns.h" -#endif /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */ int bits = 1024; @@ -625,7 +623,6 @@ do_change_passphrase(struct passwd *pw) exit(0); } -#ifdef DNS /* * Print the SSHFP RR. */ 
@@ -655,7 +652,6 @@ do_print_resource_record(struct passwd *pw, char *hostname) printf("failed to read v2 public key from %s.\n", identity_file); exit(1); } -#endif /* DNS */ /* * Change the comment of a private key file. @@ -774,9 +770,7 @@ usage(void) fprintf(stderr, " -C comment Provide new comment.\n"); fprintf(stderr, " -N phrase Provide new passphrase.\n"); fprintf(stderr, " -P phrase Provide old passphrase.\n"); -#ifdef DNS fprintf(stderr, " -r hostname Print DNS resource record.\n"); -#endif /* DNS */ #ifdef SMARTCARD fprintf(stderr, " -D reader Download public key from smartcard.\n"); fprintf(stderr, " -U reader Upload private key to smartcard.\n"); @@ -959,11 +953,7 @@ main(int ac, char **av) if (print_public) do_print_public(pw); if (resource_record_hostname != NULL) { -#ifdef DNS do_print_resource_record(pw, resource_record_hostname); -#else /* DNS */ - fatal("no DNS support."); -#endif /* DNS */ } if (reader_id != NULL) { #ifdef SMARTCARD diff --git a/sshconnect.c b/sshconnect.c index f29ac8088..2c028f3a6 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.148 2003/09/18 07:52:54 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.149 2003/10/14 19:42:10 jakob Exp $"); #include @@ -33,16 +33,12 @@ RCSID("$OpenBSD: sshconnect.c,v 1.148 2003/09/18 07:52:54 markus Exp $"); #include "misc.h" #include "readpass.h" -#ifdef DNS #include "dns.h" -#endif char *client_version_string = NULL; char *server_version_string = NULL; -#ifdef DNS int verified_host_key_dns = 0; -#endif /* import */ extern Options options; @@ -730,7 +726,6 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, /* The default */ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); msg2[0] = '\0'; -#ifdef DNS if (options.verify_host_key_dns) { if (verified_host_key_dns) snprintf(msg2, sizeof(msg2), 
@@ -741,7 +736,6 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, "No matching host key fingerprint" " found in DNS.\n"); } -#endif snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" @@ -908,7 +902,6 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) { struct stat st; -#ifdef DNS if (options.verify_host_key_dns) { switch(verify_host_key_dns(host, hostaddr, host_key)) { case DNS_VERIFY_OK: @@ -927,7 +920,6 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) break; } } -#endif /* DNS */ /* return ok if the key can be found in an old keyfile */ if (stat(options.system_hostfile2, &st) == 0 || -- cgit v1.2.3 From 64b77bcb4b40c97eb1da058ee5648da1a34c3b63 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 16:07:53 +1000 Subject: - jakob@cvs.openbsd.org 2003/10/14 19:43:23 [README.dns] update Resynced with OpenBSD too: DNSFP support is now always compiled in so the configure support (and documentation thereof) can go away. --- ChangeLog | 5 ++++- README.dns | 23 +++++++++-------------- 2 files changed, 13 insertions(+), 15 deletions(-) diff --git a/ChangeLog b/ChangeLog index 414a51f25..5d0201a71 100644 --- a/ChangeLog +++ b/ChangeLog @@ -33,6 +33,9 @@ - jakob@cvs.openbsd.org 2003/10/14 19:42:10 [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c] include SSHFP lookup code (not enabled by default). ok markus@ + - jakob@cvs.openbsd.org 2003/10/14 19:43:23 + [README.dns] + update 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1350,4 +1353,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3077 2003/10/15 06:00:47 dtucker Exp $ +$Id: ChangeLog,v 1.3078 2003/10/15 06:07:53 dtucker Exp $ diff --git a/README.dns b/README.dns index e24092e03..97879183e 100644 --- a/README.dns +++ b/README.dns 
@@ -1,17 +1,13 @@ How to verify host keys using OpenSSH and DNS --------------------------------------------- -OpenSSH contains experimental support for verifying host keys using DNS -as described in draft-ietf-secsh-dns-xx.txt. The document contains -very brief instructions on how to test this feature. Configuring DNS -and DNSSEC is out of the scope of this document. +OpenSSH contains support for verifying host keys using DNS as described in +draft-ietf-secsh-dns-05.txt. The document contains very brief instructions +on how to use this feature. Configuring DNS is out of the scope of this +document. -(1) Enable DNS fingerprint support in OpenSSH - - configure --with-dns - -(2) Generate and publish the DNS RR +(1) Server: Generate and publish the DNS RR To create a DNS resource record (RR) containing a fingerprint of the public host key, use the following command: @@ -24,15 +20,14 @@ you should generate one RR for each key. In the example above, ssh-keygen will print the fingerprint in a generic DNS RR format parsable by most modern name server -implementations. If your nameserver has support for the SSHFP RR, as -defined by the draft, you can omit the -g flag and ssh-keygen will -print a standard RR. +implementations. If your nameserver has support for the SSHFP RR +you can omit the -g flag and ssh-keygen will print a standard SSHFP RR. To publish the fingerprint using the DNS you must add the generated RR to your DNS zone file and sign your zone. -(3) Enable the ssh client to verify host keys using DNS +(2) Client: Enable ssh to verify host keys using DNS To enable the ssh client to verify host keys using DNS, you have to add the following option to the ssh configuration file @@ -49,4 +44,4 @@ the remote host key, the user will be notified. Wesley Griffin -$OpenBSD: README.dns,v 1.1 2003/05/14 18:16:20 jakob Exp $ +$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $ -- cgit v1.2.3 From 072a7b178c5fc52fd249d12519804c60c26da253 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Wed, 15 Oct 2003 16:10:25 +1000 Subject: - markus@cvs.openbsd.org 2003/10/14 19:54:39 [session.c ssh-agent.c] 10X for mkdtemp; djm@ --- ChangeLog | 5 ++++- session.c | 4 ++-- ssh-agent.c | 4 ++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5d0201a71..650d611dd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,9 @@ - jakob@cvs.openbsd.org 2003/10/14 19:43:23 [README.dns] update + - markus@cvs.openbsd.org 2003/10/14 19:54:39 + [session.c ssh-agent.c] + 10X for mkdtemp; djm@ 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1353,4 +1356,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3078 2003/10/15 06:07:53 dtucker Exp $ +$Id: ChangeLog,v 1.3079 2003/10/15 06:10:25 dtucker Exp $ diff --git a/session.c b/session.c index 8aa2b9015..2b228906d 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.165 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.166 2003/10/14 19:54:39 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -144,7 +144,7 @@ auth_input_request_forwarding(struct passwd * pw) /* Allocate a buffer for the socket name, and format the name. */ auth_sock_name = xmalloc(MAXPATHLEN); auth_sock_dir = xmalloc(MAXPATHLEN); - strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); + strlcpy(auth_sock_dir, "/tmp/ssh-XXXXXXXXXX", MAXPATHLEN); /* Create private directory for socket */ if (mkdtemp(auth_sock_dir) == NULL) { diff --git a/ssh-agent.c b/ssh-agent.c index 0fe877299..d595479f9 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.114 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.115 2003/10/14 19:54:39 markus Exp $"); #include #include 
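Review bot: The temp-directory template `"/tmp/ssh-XXXXXXXXXX"` is spelled out as a separate literal in this session.c hunk, in the ssh-agent.c hunk of the same commit, and in x11_get_proto() in ssh.c. That duplication is presumably how the two copies fixed here kept the shorter suffix. A single shared definition, for example `#define SSH_TMPDIR_TEMPLATE "/tmp/ssh-XXXXXXXXXX"` in a common header (the name is only a suggestion), used at all three call sites would keep the suffix length consistent. auth_input_request_forwarding() starts and ends outside the hunk.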
@@ -1100,7 +1100,7 @@ main(int ac, char **av) if (agentsocket == NULL) { /* Create private directory for agent socket */ - strlcpy(socket_dir, "/tmp/ssh-XXXXXXXX", sizeof socket_dir); + strlcpy(socket_dir, "/tmp/ssh-XXXXXXXXXX", sizeof socket_dir); if (mkdtemp(socket_dir) == NULL) { perror("mkdtemp: private socket dir"); exit(1); -- cgit v1.2.3 From 5f88d3440efc4364b8d3f4c5efec0dccb3c2e21c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 16:57:57 +1000 Subject: - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always compiled in but disabled in config. --- ChangeLog | 5 ++++- acconfig.h | 5 +---- configure.ac | 34 ++++++++++++---------------------- openbsd-compat/getrrsetbyname.c | 2 +- openbsd-compat/getrrsetbyname.h | 2 +- 5 files changed, 19 insertions(+), 29 deletions(-) diff --git a/ChangeLog b/ChangeLog index 650d611dd..da3331b36 100644 --- a/ChangeLog +++ b/ChangeLog @@ -39,6 +39,9 @@ - markus@cvs.openbsd.org 2003/10/14 19:54:39 [session.c ssh-agent.c] 10X for mkdtemp; djm@ + - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c + openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always + compiled in but disabled in config. 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1356,4 +1359,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3079 2003/10/15 06:10:25 dtucker Exp $ +$Id: ChangeLog,v 1.3080 2003/10/15 06:57:57 dtucker Exp $ diff --git a/acconfig.h b/acconfig.h index d0897d6b6..80907f0dc 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.167 2003/09/19 11:25:24 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.168 2003/10/15 06:57:57 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 
@@ -418,9 +418,6 @@ #undef LOCKED_PASSWD_PREFIX #undef LOCKED_PASSWD_SUBSTR -/* Define if DNS support is to be activated */ -#undef DNS - /* Define if getrrsetbyname() exists */ #undef HAVE_GETRRSETBYNAME diff --git a/configure.ac b/configure.ac index 44808f7e5..3d230a6e9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.172 2003/10/07 10:35:57 dtucker Exp $ +# $Id: configure.ac,v 1.173 2003/10/15 06:57:57 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -1961,28 +1961,18 @@ if test x$opensc_config_prefix != x ; then fi fi -# Check whether user wants DNS support -DNS_MSG="no" -AC_ARG_WITH(dns, - [ --with-dns Support for fetching keys from DNS (experimental)], +# Check libraries needed by DNS fingerprint support +AC_SEARCH_LIBS(getrrsetbyname, resolv, + [AC_DEFINE(HAVE_GETRRSETBYNAME)], [ - if test "x$withval" != "xno" ; then - DNS_MSG="yes" - AC_DEFINE(DNS) - AC_SEARCH_LIBS(getrrsetbyname, resolv, - [AC_DEFINE(HAVE_GETRRSETBYNAME)], - [ - # Needed by our getrrsetbyname() - AC_SEARCH_LIBS(res_query, resolv) - AC_SEARCH_LIBS(dn_expand, resolv) - AC_CHECK_FUNCS(_getshort _getlong) - AC_CHECK_MEMBER(HEADER.ad, - [AC_DEFINE(HAVE_HEADER_AD)],, - [#include ]) - ]) - fi - ] -) + # Needed by our getrrsetbyname() + AC_SEARCH_LIBS(res_query, resolv) + AC_SEARCH_LIBS(dn_expand, resolv) + AC_CHECK_FUNCS(_getshort _getlong) + AC_CHECK_MEMBER(HEADER.ad, + [AC_DEFINE(HAVE_HEADER_AD)],, + [#include ]) + ]) # Check whether user wants Kerberos 5 support KRB5_MSG="no" diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 44fa2755b..1478654d8 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c @@ -45,7 +45,7 @@ #include "includes.h" -#if defined(DNS) && !defined(HAVE_GETRRSETBYNAME) +#ifndef HAVE_GETRRSETBYNAME #include "getrrsetbyname.h" diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 6466a54d6..bdc6a4d3a 100644 --- a/openbsd-compat/getrrsetbyname.h 
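Review bot: In the configure.ac hunk, the fallback branch of `AC_SEARCH_LIBS(getrrsetbyname, resolv, ...)` calls `AC_SEARCH_LIBS(res_query, resolv)` and `AC_SEARCH_LIBS(dn_expand, resolv)` with no action for the not-found case, and with `--with-dns` gone that branch now runs for every build rather than only for opted-in ones. If neither libc nor libresolv provides them, configure finishes quietly and the failure presumably surfaces later, when the bundled getrrsetbyname() is linked. A configure-time warning would make that visible, e.g. `AC_SEARCH_LIBS(res_query, resolv, , [AC_MSG_WARN([res_query not found; bundled getrrsetbyname may not link])])`, and likewise for dn_expand. A one-line comment that this code is always built and only enabled through the runtime configuration would also replace what the removed DNS_MSG used to tell the builder.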
+++ b/openbsd-compat/getrrsetbyname.h @@ -48,7 +48,7 @@ #include "includes.h" -#if defined(DNS) && !defined(HAVE_GETRRSETBYNAME) +#ifndef HAVE_GETRRSETBYNAME #include #include -- cgit v1.2.3 From b8b4d0bbbe29467a47a4014f37882a52066af1e1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 17:22:37 +1000 Subject: Fix comments to reflect recent change. --- openbsd-compat/getrrsetbyname.c | 2 +- openbsd-compat/getrrsetbyname.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 1478654d8..2307337a7 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c @@ -575,4 +575,4 @@ count_dns_rr(struct dns_rr *p, u_int16_t class, u_int16_t type) return (n); } -#endif /* defined(DNS) && !defined(HAVE_GETRRSETBYNAME) */ +#endif /* !defined(HAVE_GETRRSETBYNAME) */ diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index bdc6a4d3a..0739972fe 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h @@ -95,6 +95,6 @@ struct rrsetinfo { int getrrsetbyname(const char *, unsigned int, unsigned int, unsigned int, struct rrsetinfo **); void freerrset(struct rrsetinfo *); -#endif /* defined(DNS) && !defined(HAVE_GETRRSETBYNAME) */ +#endif /* !defined(HAVE_GETRRSETBYNAME) */ #endif /* _GETRRSETBYNAME_H */ -- cgit v1.2.3 From c6020651bae65dc5f8e1533c56871aed2c5883f3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 15 Oct 2003 17:48:20 +1000 Subject: - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode. --- ChangeLog | 3 ++- auth.c | 11 +++++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index da3331b36..699402a79 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -42,6 +42,7 @@ - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always compiled in but disabled in config. + - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode. 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1359,4 +1360,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3080 2003/10/15 06:57:57 dtucker Exp $ +$Id: ChangeLog,v 1.3081 2003/10/15 07:48:20 dtucker Exp $ diff --git a/auth.c b/auth.c index 029672877..fcafae861 100644 --- a/auth.c +++ b/auth.c @@ -90,6 +90,7 @@ allowed_user(struct passwd * pw) #ifdef HAS_SHADOW_EXPIRE #define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && spw != NULL) { + int disabled = 0; time_t today; today = time(NULL) / DAY; @@ -106,13 +107,19 @@ allowed_user(struct passwd * pw) return 0; } - if (spw->sp_lstchg == 0) { +#if defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && + spw->sp_warn == 0) + disabled = 1; /* Trusted Mode: expiry disabled */ +#endif + + if (!disabled && spw->sp_lstchg == 0) { logit("User %.100s password has expired (root forced)", pw->pw_name); return 0; } - if (spw->sp_max != -1 && + if (!disabled && spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { logit("User %.100s password has expired (password aged)", pw->pw_name); -- cgit v1.2.3 From 6b1f8a3cf50a1a384e223f060d7159a012893a10 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 15 Oct 2003 09:22:39 -0700 Subject: [regress/banner.sh] portability fix. --- ChangeLog | 3 ++- regress/banner.sh | 4 +--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 699402a79..a7082b412 100644 --- a/ChangeLog +++ b/ChangeLog 
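Review bot: In allowed_user (auth.c) the new `disabled` flag also switches off the `spw->sp_lstchg == 0` test, so on an HP-UX Trusted Mode account whose sp_min, sp_max and sp_warn are all zero, a password change forced by the administrator no longer blocks login. If only ageing is meant to be skipped, keep the forced-change test unconditional as `if (spw->sp_lstchg == 0) {` and guard just the second one with `if (!disabled && spw->sp_max != -1 &&`. Whether Trusted Mode reports sp_lstchg == 0 for accounts without expiry is not visible from this hunk; if it does, a comment saying so next to the `iscomsec()` test would explain why both checks are gated. The function starts and ends outside the hunk.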
@@ -43,6 +43,7 @@ openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always compiled in but disabled in config. - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode. + - (tim) [regress/banner.sh] portability fix. 20031009 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ @@ -1360,4 +1361,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3081 2003/10/15 07:48:20 dtucker Exp $ +$Id: ChangeLog,v 1.3082 2003/10/15 16:22:39 tim Exp $ diff --git a/regress/banner.sh b/regress/banner.sh index 03e2fc8f1..0f6a68dff 100644 --- a/regress/banner.sh +++ b/regress/banner.sh @@ -23,9 +23,7 @@ for s in 0 10 100 1000 10000 100000 ; do trace "test banner size $s" verbose "test $tid: size $s" ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out - if ! cmp $OBJ/banner.in $OBJ/banner.out ; then - fail "banner size $s mismatch" - fi + cmp $OBJ/banner.in $OBJ/banner.out || fail "banner size $s mismatch" done rm -f $OBJ/banner.out $OBJ/banner.in -- cgit v1.2.3 From 9568ad96addfa861a7cf58fcd2e45015571ed40f Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 17 Oct 2003 16:32:11 +1000 Subject: - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with MD5 passwords even if PAM support is enabled. From steev at detritus.net. --- ChangeLog | 6 +++++- INSTALL | 5 +++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a7082b412..f0d7dbc9d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20031017 + - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with + MD5 passwords even if PAM support is enabled. From steev at detritus.net. + 20031015 - (dtucker) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2003/10/08 08:27:36 
@@ -1361,4 +1365,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3082 2003/10/15 16:22:39 tim Exp $ +$Id: ChangeLog,v 1.3083 2003/10/17 06:32:11 dtucker Exp $ diff --git a/INSTALL b/INSTALL index 86447f30a..849781dd4 100644 --- a/INSTALL +++ b/INSTALL @@ -130,7 +130,8 @@ need the S/Key libraries and header files installed for this to work. support. You will need libwrap.a and tcpd.h installed. --with-md5-passwords will enable the use of MD5 passwords. Enable this -if your operating system uses MD5 passwords without using PAM. +if your operating system uses MD5 passwords. The resulting binary will +support both MD5 and traditional crypt type passwords. --with-utmpx enables utmpx support. utmpx support is automatic for some platforms. @@ -198,4 +199,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.60 2003/09/23 12:12:38 djm Exp $ +$Id: INSTALL,v 1.61 2003/10/17 06:32:11 dtucker Exp $ -- cgit v1.2.3 From 0d37b5ca7bbb3db7cbdba913a61f846d404b9415 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 21 Oct 2003 12:41:14 +1000 Subject: - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords directly. Noted by Darren.Moffat at sun.com. --- ChangeLog | 6 +++++- INSTALL | 7 ++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index f0d7dbc9d..5a7ee6a0b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20031021 + - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords + directly. Noted by Darren.Moffat at sun.com. + 20031017 - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with MD5 passwords even if PAM support is enabled. From steev at detritus.net. 
@@ -1365,4 +1369,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3083 2003/10/17 06:32:11 dtucker Exp $ +$Id: ChangeLog,v 1.3084 2003/10/21 02:41:14 dtucker Exp $ diff --git a/INSTALL b/INSTALL index 849781dd4..97ee76f64 100644 --- a/INSTALL +++ b/INSTALL @@ -130,8 +130,9 @@ need the S/Key libraries and header files installed for this to work. support. You will need libwrap.a and tcpd.h installed. --with-md5-passwords will enable the use of MD5 passwords. Enable this -if your operating system uses MD5 passwords. The resulting binary will -support both MD5 and traditional crypt type passwords. +if your operating system uses MD5 passwords and the system crypt() does +not support them directly (see the crypt(3/3c) man page). If enabled, the +resulting binary will support both MD5 and traditional crypt passwords. --with-utmpx enables utmpx support. utmpx support is automatic for some platforms. @@ -199,4 +200,4 @@ Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.61 2003/10/17 06:32:11 dtucker Exp $ +$Id: INSTALL,v 1.62 2003/10/21 02:41:14 dtucker Exp $ -- cgit v1.2.3 From ea4c670eb80721dab1237850011576eee15135f5 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 21 Oct 2003 22:27:08 +1000 Subject: - (dtucker) [regress/agent-ptrace.sh] Skip agent-test unless SUDO is set, make agent setgid during test. --- ChangeLog | 4 +++- regress/agent-ptrace.sh | 11 ++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5a7ee6a0b..5da85bea1 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,6 +1,8 @@ 20031021 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords directly. Noted by Darren.Moffat at sun.com. + - (dtucker) [regress/agent-ptrace.sh] Skip agent-test unless SUDO is set, + make agent setgid during test. 20031017 - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with @@ -1369,4 +1371,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3084 2003/10/21 02:41:14 dtucker Exp $ +$Id: ChangeLog,v 1.3085 2003/10/21 12:27:08 dtucker Exp $ diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index cd9c0023d..66c8dbc58 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -5,7 +5,7 @@ tid="disallow agent ptrace attach" if have_prog uname ; then case `uname` in - Linux|HP-UX|SunOS|NetBSD|AIX|CYGWIN*) + CYGWIN*) echo "skipped (not supported on this platform)" exit 0 ;; @@ -19,6 +19,15 @@ else exit 0 fi +if test -z "$SUDO" ; then + echo "skipped (SUDO not set)" + exit 0 +else + $SUDO chown root ${OBJ}${SSHAGENT} + $SUDO chgrp root ${OBJ}${SSHAGENT} + $SUDO chmod 2755 ${OBJ}${SSHAGENT} +fi + trace "start agent" eval `${SSHAGENT} -s` > /dev/null r=$? -- cgit v1.2.3 From 2bdacad70cb754f47fced50301c0ea535d98aa71 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 21 Oct 2003 23:12:37 +1000 Subject: Remove OBJ, shouldn't be there --- regress/agent-ptrace.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 66c8dbc58..3f6fbe78e 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh 
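Review bot: The new else-branch in regress/agent-ptrace.sh makes the agent binary root-owned with mode 2755, and nothing in the hunk restores the original owner and mode, so a setgid-root ssh-agent is left behind after the test run. None of the three `$SUDO` commands is checked either, so if one fails the test carries on against an agent that is not setgid and its result means something different. I would append `|| { echo "skipped (cannot make agent setgid)"; exit 0; }` to the chmod line (and chain the chown and chgrp in front of it with `&&`), then reset the mode at the end of the script. The rest of the script is outside the hunk, so an existing cleanup step cannot be ruled out.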
@@ -23,9 +23,9 @@ if test -z "$SUDO" ; then echo "skipped (SUDO not set)" exit 0 else - $SUDO chown root ${OBJ}${SSHAGENT} - $SUDO chgrp root ${OBJ}${SSHAGENT} - $SUDO chmod 2755 ${OBJ}${SSHAGENT} + $SUDO chown root ${SSHAGENT} + $SUDO chgrp root ${SSHAGENT} + $SUDO chmod 2755 ${SSHAGENT} fi trace "start agent" -- cgit v1.2.3 From 7c582db74b46f841f8efba7f5353ca16bf357ec2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Nov 2003 18:59:29 +1100 Subject: - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services are created correctly with CRLF line terminations. Patch from vinschen at redhat.com. --- ChangeLog | 7 ++++++- contrib/cygwin/ssh-host-config | 33 +++++++++++++++++---------------- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5da85bea1..2a9340f70 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20031103 + - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services + are created correctly with CRLF line terminations. Patch from vinschen at + redhat.com. + 20031021 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords directly. Noted by Darren.Moffat at sun.com. @@ -1371,4 +1376,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3085 2003/10/21 12:27:08 dtucker Exp $ +$Id: ChangeLog,v 1.3086 2003/11/03 07:59:29 dtucker Exp $ diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index e9c56aea9..c69cfd88b 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config 
@@ -468,19 +468,21 @@ then fi # Care for services file +_my_etcdir="/ssh-host-config.$$" if [ $_nt -gt 0 ] then - _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" - _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$" + _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" + _services="${_my_etcdir}/services" else - _wservices="${WINDIR}\\SERVICES" - _wserv_tmp="${WINDIR}\\SERV.$$" + _win_etcdir="${WINDIR}" + _services="${_my_etcdir}/SERVICES" fi -_services=`cygpath -u "${_wservices}"` -_serv_tmp=`cygpath -u "${_wserv_tmp}"` +_serv_tmp="${_my_etcdir}/srv.out.$$" -mount -t -f "${_wservices}" "${_services}" -mount -t -f "${_wserv_tmp}" "${_serv_tmp}" +mount -t -f "${_win_etcdir}" "${_my_etcdir}" + +# Depends on the above mount +_wservices=`cygpath -w "${_services}"` # Remove sshd 22/port from services if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] @@ -490,13 +492,13 @@ then then if mv "${_serv_tmp}" "${_services}" then - echo "Removing sshd from ${_services}" + echo "Removing sshd from ${_wservices}" else - echo "Removing sshd from ${_services} failed\!" + echo "Removing sshd from ${_wservices} failed\!" fi rm -f "${_serv_tmp}" else - echo "Removing sshd from ${_services} failed\!" + echo "Removing sshd from ${_wservices} failed\!" fi fi @@ -508,18 +510,17 @@ then then if mv "${_serv_tmp}" "${_services}" then - echo "Added ssh to ${_services}" + echo "Added ssh to ${_wservices}" else - echo "Adding ssh to ${_services} failed\!" + echo "Adding ssh to ${_wservices} failed\!" fi rm -f "${_serv_tmp}" else - echo "Adding ssh to ${_services} failed\!" + echo "Adding ssh to ${_wservices} failed\!" fi fi -umount "${_services}" -umount "${_serv_tmp}" +umount "${_my_etcdir}" # Care for inetd.conf file _inetcnf="${SYSCONFDIR}/inetd.conf" -- cgit v1.2.3 From a47c9bcda632c6dc85dd3f15a454f154fba8a6a6 Mon Sep 17 00:00:00 2001 
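Review bot: The result of `mount -t -f "${_win_etcdir}" "${_my_etcdir}"` is never tested, yet every later step in these hunks (the `cygpath -w`, both grep/mv sequences and the final `umount`) assumes the mount is in place. If it fails, the script works on a path under `/ssh-host-config.$$` that is not the Windows etc directory, and the messages it prints still name `${_wservices}` as though the real services file had been handled. I would guard the whole services section with `if mount -t -f "${_win_etcdir}" "${_my_etcdir}"` and report the failure in the else branch with `echo "Mounting ${_win_etcdir} failed\!"`, so the remove/add steps and the umount only run when the mount succeeded.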
From: Darren Tucker Date: Mon, 3 Nov 2003 20:03:25 +1100 Subject: - markus@cvs.openbsd.org 2003/10/15 09:48:45 [monitor_wrap.c] check pmonitor != NULL --- ChangeLog | 6 +++++- monitor_wrap.c | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2a9340f70..e5db31fc3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services are created correctly with CRLF line terminations. Patch from vinschen at redhat.com. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/10/15 09:48:45 + [monitor_wrap.c] + check pmonitor != NULL 20031021 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords @@ -1376,4 +1380,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3086 2003/11/03 07:59:29 dtucker Exp $ +$Id: ChangeLog,v 1.3087 2003/11/03 09:03:25 dtucker Exp $ diff --git a/monitor_wrap.c b/monitor_wrap.c index e19984ec0..fe1460422 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.33 2003/10/11 11:36:23 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.34 2003/10/15 09:48:45 markus Exp $"); #include #include @@ -73,7 +73,7 @@ mm_is_monitor(void) * m_pid is only set in the privileged part, and * points to the unprivileged child. */ - return (pmonitor->m_pid > 0); + return (pmonitor && pmonitor->m_pid > 0); } void -- cgit v1.2.3 From 8cc39788cbe1d9caaf78ebb4c0a29ad6a61a9876 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Nov 2003 20:05:03 +1100 Subject: - markus@cvs.openbsd.org 2003/10/21 09:50:06 [auth2-gss.c] make sure the doid is larger than 2 --- ChangeLog | 5 ++++- auth2-gss.c | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e5db31fc3..5352c90d3 100644 --- a/ChangeLog +++ b/ChangeLog 
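Review bot: The comment above the return in mm_is_monitor still describes only m_pid, while the new `pmonitor &&` term adds a second case in which the function answers 0. The comment should say when pmonitor can be NULL (the hunk does not show it; presumably when no monitor was set up), and the test reads better spelled out to match the commit subject: `return (pmonitor != NULL && pmonitor->m_pid > 0);`.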
@@ -6,6 +6,9 @@ - markus@cvs.openbsd.org 2003/10/15 09:48:45 [monitor_wrap.c] check pmonitor != NULL + - markus@cvs.openbsd.org 2003/10/21 09:50:06 + [auth2-gss.c] + make sure the doid is larger than 2 20031021 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords @@ -1380,4 +1383,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3087 2003/11/03 09:03:25 dtucker Exp $ +$Id: ChangeLog,v 1.3088 2003/11/03 09:05:03 dtucker Exp $ diff --git a/auth2-gss.c b/auth2-gss.c index 75b94b009..a82b87f51 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.3 2003/09/01 20:44:54 markus Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.4 2003/10/21 09:50:06 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -79,6 +79,8 @@ userauth_gssapi(Authctxt *authctxt) xfree(doid); doid = packet_get_string(&len); + if (len <= 2) + packet_disconnect("Short OID received"); if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) { logit("Mechanism OID received using the old encoding form"); -- cgit v1.2.3 From 56afe145e0c77f3447cf2098a4601289bd1c7ef1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 3 Nov 2003 20:06:14 +1100 Subject: - avsm@cvs.openbsd.org 2003/10/26 16:57:43 [sshconnect2.c] rename 'supported' static var in userauth_gssapi() to 'gss_supported' to avoid shadowing the global version. markus@ ok --- ChangeLog | 6 +++++- sshconnect2.c | 26 +++++++++++++------------- 2 files changed, 18 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5352c90d3..a4b846d8b 100644 --- a/ChangeLog +++ b/ChangeLog 
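Review bot: The new `len <= 2` test in userauth_gssapi (auth2-gss.c) is what keeps the following `doid[0]` and `doid[1]` reads inside the received string, but nothing at that spot says so and the bare 2 is unexplained. A comment such as `/* need the OID type byte, the length byte and at least one byte of OID */` above the `if` would record the reason. The check also appears to sit inside the per-mechanism loop (its header is outside this hunk; a later hunk on this page shows it closing with `while (mechs > 0 && !present)`), so a single short entry among several offered mechanisms ends the whole connection through packet_disconnect().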
@@ -9,6 +9,10 @@ - markus@cvs.openbsd.org 2003/10/21 09:50:06 [auth2-gss.c] make sure the doid is larger than 2 + - avsm@cvs.openbsd.org 2003/10/26 16:57:43 + [sshconnect2.c] + rename 'supported' static var in userauth_gssapi() to 'gss_supported' + to avoid shadowing the global version. markus@ ok 20031021 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords @@ -1383,4 +1387,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3088 2003/11/03 09:05:03 dtucker Exp $ +$Id: ChangeLog,v 1.3089 2003/11/03 09:06:14 dtucker Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index f38fdf9a0..6e61a353d 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.127 2003/10/11 08:26:43 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.128 2003/10/26 16:57:43 avsm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -480,7 +480,7 @@ int userauth_gssapi(Authctxt *authctxt) { Gssctxt *gssctxt = NULL; - static gss_OID_set supported = NULL; + static gss_OID_set gss_supported = NULL; static int mech = 0; OM_uint32 min; int ok = 0; 
@@ -488,18 +488,18 @@ userauth_gssapi(Authctxt *authctxt) /* Try one GSSAPI method at a time, rather than sending them all at * once. */ - if (supported == NULL) - gss_indicate_mechs(&min, &supported); + if (gss_supported == NULL) + gss_indicate_mechs(&min, &gss_supported); /* Check to see if the mechanism is usable before we offer it */ - while (mechcount && !ok) { + while (mech < gss_supported->count && !ok) { if (gssctxt) ssh_gssapi_delete_ctx(&gssctxt); ssh_gssapi_build_ctx(&gssctxt); - ssh_gssapi_set_oid(gssctxt, &supported->elements[mech]); + ssh_gssapi_set_oid(gssctxt, &gss_supported->elements[mech]); /* My DER encoding requires length<128 */ - if (supported->elements[mech].length < 128 && + if (gss_supported->elements[mech].length < 128 && !GSS_ERROR(ssh_gssapi_import_name(gssctxt, authctxt->host))) { ok = 1; /* Mechanism works */ @@ -521,14 +521,14 @@ userauth_gssapi(Authctxt *authctxt) /* Some servers encode the OID incorrectly (as we used to) */ if (datafellows & SSH_BUG_GSSAPI_BER) { - packet_put_string(supported->elements[mech].elements, - supported->elements[mech].length); + packet_put_string(gss_supported->elements[mech].elements, + gss_supported->elements[mech].length); } else { - packet_put_int((supported->elements[mech].length)+2); + packet_put_int((gss_supported->elements[mech].length)+2); packet_put_char(SSH_GSS_OIDTYPE); - packet_put_char(supported->elements[mech].length); - packet_put_raw(supported->elements[mech].elements, - supported->elements[mech].length); + packet_put_char(gss_supported->elements[mech].length); + packet_put_raw(gss_supported->elements[mech].elements, + gss_supported->elements[mech].length); } packet_send(); -- cgit v1.2.3 From 6db8f936aed10e9aca2cf37126264c12e2021cb0 Mon Sep 17 00:00:00 2001 
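Review bot: In userauth_gssapi (sshconnect2.c) the status returned by `gss_indicate_mechs(&min, &gss_supported)` is discarded, and the loop condition on the following line dereferences `gss_supported->count` straight away. If the call fails and leaves the set unset, that is a NULL dereference in the client. Checking the result first would avoid it: `if (gss_supported == NULL && GSS_ERROR(gss_indicate_mechs(&min, &gss_supported))) return 0;`. This assumes 0 is the function's "method not attempted" result, which the hunk does not show. The function begins and ends outside the hunk.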
From: Darren Tucker Date: Mon, 3 Nov 2003 20:07:14 +1100 Subject: - markus@cvs.openbsd.org 2003/10/28 09:08:06 [misc.c] error->debug for getsockopt+TCP_NODELAY; several requests --- ChangeLog | 5 ++++- misc.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a4b846d8b..78e04928e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,9 @@ [sshconnect2.c] rename 'supported' static var in userauth_gssapi() to 'gss_supported' to avoid shadowing the global version. markus@ ok + - markus@cvs.openbsd.org 2003/10/28 09:08:06 + [misc.c] + error->debug for getsockopt+TCP_NODELAY; several requests 20031021 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords @@ -1387,4 +1390,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3089 2003/11/03 09:06:14 dtucker Exp $ +$Id: ChangeLog,v 1.3090 2003/11/03 09:07:14 dtucker Exp $ diff --git a/misc.c b/misc.c index ac616de02..1f320353e 100644 --- a/misc.c +++ b/misc.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: misc.c,v 1.22 2003/09/18 08:49:45 markus Exp $"); +RCSID("$OpenBSD: misc.c,v 1.23 2003/10/28 09:08:06 markus Exp $"); #include "misc.h" #include "log.h" @@ -97,7 +97,7 @@ set_nodelay(int fd) optlen = sizeof opt; if (getsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &opt, &optlen) == -1) { - error("getsockopt TCP_NODELAY: %.100s", strerror(errno)); + debug("getsockopt TCP_NODELAY: %.100s", strerror(errno)); return; } if (opt == 1) { -- cgit v1.2.3 From 655a5e0987b4bfab58994c3c5044c00b38f4a640 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Mon, 3 Nov 2003 20:09:03 +1100 Subject: - markus@cvs.openbsd.org 2003/11/02 11:01:03 [auth2-gss.c compat.c compat.h sshconnect2.c] remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk --- ChangeLog | 5 ++++- auth2-gss.c | 22 +++++++++++----------- compat.c | 8 ++------ compat.h | 3 +-- sshconnect2.c | 40 ++++++++++++++++------------------------ 5 files changed, 34 insertions(+), 44 deletions(-) diff --git a/ChangeLog b/ChangeLog index 78e04928e..67a747560 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - markus@cvs.openbsd.org 2003/10/28 09:08:06 [misc.c] error->debug for getsockopt+TCP_NODELAY; several requests + - markus@cvs.openbsd.org 2003/11/02 11:01:03 + [auth2-gss.c compat.c compat.h sshconnect2.c] + remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk 20031021 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords @@ -1390,4 +1393,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3090 2003/11/03 09:07:14 dtucker Exp $ +$Id: ChangeLog,v 1.3091 2003/11/03 09:09:03 dtucker Exp $ diff --git a/auth2-gss.c b/auth2-gss.c index a82b87f51..84fb384f9 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.4 2003/10/21 09:50:06 markus Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.5 2003/11/02 11:01:03 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. 
@@ -78,19 +78,19 @@ userauth_gssapi(Authctxt *authctxt) if (doid) xfree(doid); + present = 0; doid = packet_get_string(&len); - if (len <= 2) - packet_disconnect("Short OID received"); - if (doid[0] != SSH_GSS_OIDTYPE || doid[1] != len-2) { - logit("Mechanism OID received using the old encoding form"); - oid.elements = doid; - oid.length = len; + if (len > 2 && + doid[0] == SSH_GSS_OIDTYPE && + doid[1] == len - 2) { + oid.elements = doid + 2; + oid.length = len - 2; + gss_test_oid_set_member(&ms, &oid, supported, + &present); } else { - oid.elements = doid + 2; - oid.length = len - 2; + logit("Badly formed OID received"); } - gss_test_oid_set_member(&ms, &oid, supported, &present); } while (mechs > 0 && !present); gss_release_oid_set(&ms, &supported); @@ -109,7 +109,7 @@ userauth_gssapi(Authctxt *authctxt) packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE); - /* Return OID in same format as we received it*/ + /* Return the OID that we received */ packet_put_string(doid, len); packet_send(); diff --git a/compat.c b/compat.c index af1d14321..2fdebe7fa 100644 --- a/compat.c +++ b/compat.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.69 2003/08/29 10:03:15 markus Exp $"); +RCSID("$OpenBSD: compat.c,v 1.70 2003/11/02 11:01:03 markus Exp $"); #include "buffer.h" #include "packet.h" @@ -79,11 +79,7 @@ compat_datafellows(const char *version) { "OpenSSH_2.5.3*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, { "OpenSSH_2.*," "OpenSSH_3.0*," - "OpenSSH_3.1*", SSH_BUG_EXTEOF|SSH_BUG_GSSAPI_BER}, - { "OpenSSH_3.2*," - "OpenSSH_3.3*," - "OpenSSH_3.4*," - "OpenSSH_3.5*", SSH_BUG_GSSAPI_BER}, + "OpenSSH_3.1*", SSH_BUG_EXTEOF}, { "Sun_SSH_1.0*", SSH_BUG_NOREKEY|SSH_BUG_EXTEOF}, { "OpenSSH*", 0 }, { "*MindTerm*", 0 }, diff --git a/compat.h b/compat.h index 7a5004455..efa0f081e 100644 --- a/compat.h +++ b/compat.h 
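Review bot: The rewritten test in userauth_gssapi (auth2-gss.c) accepts any `doid[1] == len - 2`, so its outcome for length bytes of 0x80 or more depends on how doid is declared, which is outside the hunk. With an unsigned byte pointer such a byte is taken as a short-form length, although in DER a set high bit marks the long form; with a plain signed char the same input is rejected. The client side in sshconnect2.c already states "My DER encoding requires length<128", and input_gssapi_response in the last hunk of this commit makes the same comparison. Bounding it explicitly makes both ends agree regardless of char signedness: add `len - 2 < 128 &&` to the accepting condition here and `oidlen - 2 >= 128 ||` to the rejecting condition there.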
@@ -1,4 +1,4 @@ -/* $OpenBSD: compat.h,v 1.36 2003/08/29 10:03:15 markus Exp $ */ +/* $OpenBSD: compat.h,v 1.37 2003/11/02 11:01:03 markus Exp $ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. @@ -55,7 +55,6 @@ #define SSH_BUG_EXTEOF 0x00200000 #define SSH_BUG_PROBE 0x00400000 #define SSH_BUG_FIRSTKEX 0x00800000 -#define SSH_BUG_GSSAPI_BER 0x01000000 void enable_compat13(void); void enable_compat20(void); diff --git a/sshconnect2.c b/sshconnect2.c index 6e61a353d..f991f81d8 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.128 2003/10/26 16:57:43 avsm Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.129 2003/11/02 11:01:03 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -519,17 +519,11 @@ userauth_gssapi(Authctxt *authctxt) packet_put_int(1); - /* Some servers encode the OID incorrectly (as we used to) */ - if (datafellows & SSH_BUG_GSSAPI_BER) { - packet_put_string(gss_supported->elements[mech].elements, - gss_supported->elements[mech].length); - } else { - packet_put_int((gss_supported->elements[mech].length)+2); - packet_put_char(SSH_GSS_OIDTYPE); - packet_put_char(gss_supported->elements[mech].length); - packet_put_raw(gss_supported->elements[mech].elements, - gss_supported->elements[mech].length); - } + packet_put_int((gss_supported->elements[mech].length) + 2); + packet_put_char(SSH_GSS_OIDTYPE); + packet_put_char(gss_supported->elements[mech].length); + packet_put_raw(gss_supported->elements[mech].elements, + gss_supported->elements[mech].length); packet_send(); 
@@ -560,20 +554,18 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
 /* Setup our OID */
 oidv = packet_get_string(&oidlen);
- if (datafellows & SSH_BUG_GSSAPI_BER) {
- if (!ssh_gssapi_check_oid(gssctxt, oidv, oidlen))
- fatal("Server returned different OID than expected");
- } else {
- if(oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen-2) {
- debug("Badly encoded mechanism OID received");
- userauth(authctxt, NULL);
- xfree(oidv);
- return;
- }
- if (!ssh_gssapi_check_oid(gssctxt, oidv+2, oidlen-2))
- fatal("Server returned different OID than expected");
+ if (oidlen <= 2 ||
+ oidv[0] != SSH_GSS_OIDTYPE ||
+ oidv[1] != oidlen - 2) {
+ debug("Badly encoded mechanism OID received");
+ userauth(authctxt, NULL);
+ xfree(oidv);
+ return;
 }
+ if (!ssh_gssapi_check_oid(gssctxt, oidv + 2, oidlen - 2))
+ fatal("Server returned different OID than expected");
+ packet_check_eom();
 xfree(oidv);
-- cgit v1.2.3
From be8a771af144c1ef09ccc8db0cbfaa57b159a517 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Mon, 3 Nov 2003 22:52:52 +1100
Subject: - (dtucker) [regress/agent-ptrace.sh] Use numeric uid and gid.
---
 ChangeLog | 3 ++-
 regress/agent-ptrace.sh | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 67a747560..ebf64f942 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -19,6 +19,7 @@
 - markus@cvs.openbsd.org 2003/11/02 11:01:03 [auth2-gss.c compat.c compat.h sshconnect2.c] remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
+ - (dtucker) [regress/agent-ptrace.sh] Use numeric uid and gid.
 20031021 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords
@@ -1393,4 +1394,4 @@
 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au
-$Id: ChangeLog,v 1.3091 2003/11/03 09:09:03 dtucker Exp $
+$Id: ChangeLog,v 1.3092 2003/11/03 11:52:52 dtucker Exp $
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 3f6fbe78e..3cfc680ca 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -23,8 +23,8 @@ if test -z "$SUDO" ; then echo "skipped (SUDO not set)" exit 0 else - $SUDO chown root ${SSHAGENT} - $SUDO chgrp root ${SSHAGENT} + $SUDO chown 0 ${SSHAGENT} + $SUDO chgrp 0 ${SSHAGENT} $SUDO chmod 2755 ${SSHAGENT} fi -- cgit v1.2.3 From 418a386f2bb62ff03cee5dfc2c8d561aba08d8c1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Thu, 6 Nov 2003 20:27:51 +1100 Subject: - (djm) Clarify UsePAM consequences a little more --- ChangeLog | 5 ++++- sshd_config | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index ebf64f942..d31002b08 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20031106 + - (djm) Clarify UsePAM consequences a little more + 20031103 - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services are created correctly with CRLF line terminations. Patch from vinschen at @@ -1394,4 +1397,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3092 2003/11/03 11:52:52 dtucker Exp $ +$Id: ChangeLog,v 1.3093 2003/11/06 09:27:51 djm Exp $ diff --git a/sshd_config b/sshd_config index 5e026a609..8dfc772e8 100644 --- a/sshd_config +++ b/sshd_config @@ -68,7 +68,7 @@ # Set this to 'yes' to enable PAM authentication (via challenge-response) # and session processing. Depending on your PAM configuration, this may -# bypass the setting of 'PasswordAuthentication' +# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords' #UsePAM no #AllowTcpForwarding yes -- cgit v1.2.3 From 0947ddff72097b45021facdae40d0beac0fe1e10 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 13 Nov 2003 11:21:31 +1100 Subject: - (dtucker) [auth-pam.c] Append newlines to lines output by the pam_chauthtok_conv(). --- ChangeLog | 6 +++++- auth-pam.c | 6 +++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index d31002b08..1cb4a8e1d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20031113 + - (dtucker) [auth-pam.c] Append newlines to lines output by the + pam_chauthtok_conv(). + 20031106 - (djm) Clarify UsePAM consequences a little more @@ -1397,4 +1401,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3093 2003/11/06 09:27:51 djm Exp $ +$Id: ChangeLog,v 1.3094 2003/11/13 00:21:31 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 11e53b61f..c9122487e 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.76 2003/10/09 04:20:15 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.77 2003/11/13 00:21:32 dtucker Exp $"); #ifdef USE_PAM #include @@ -636,14 +636,14 @@ pam_chauthtok_conv(int n, const struct pam_message **msg, reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_PROMPT_ECHO_ON: - fputs(PAM_MSG_MEMBER(msg, i, msg), stderr); + fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); fgets(input, sizeof input, stdin); reply[i].resp = xstrdup(input); reply[i].resp_retcode = PAM_SUCCESS; break; case PAM_ERROR_MSG: case PAM_TEXT_INFO: - fputs(PAM_MSG_MEMBER(msg, i, msg), stderr); + fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg)); reply[i].resp_retcode = PAM_SUCCESS; break; default: -- cgit v1.2.3 From 798ca84d606abba35ea790ba0a8abb25ca2b67cb Mon Sep 17 00:00:00 2001 
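Review bot: In the PAM_PROMPT_ECHO_ON case of pam_chauthtok_conv the result of `fgets(input, sizeof input, stdin)` is not checked, so on EOF or a read error `xstrdup(input)` copies whatever the buffer held before; the declaration of `input` is outside the hunk, so it cannot be seen here whether it is initialised. The reply handed back to PAM also keeps the trailing newline that fgets stores, which is presumably not wanted in a conversation response. Suggested: `if (fgets(input, sizeof input, stdin) == NULL) input[0] = '\0';` followed by `input[strcspn(input, "\n")] = '\0';` before the `xstrdup`. The function's other cases start above the hunk and are not visible.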
From: Darren Tucker Date: Thu, 13 Nov 2003 11:28:49 +1100 Subject: - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All contrib/cygwin). Major update from vinschen at redhat.com. - Makefile provides a `cygwin-postinstall' target to run right after `make install'. - Better support for Windows 2003 Server. - Try to get permissions as correct as possible. - New command line options to allow full automated host configuration. - Create configs from skeletons in /etc/defaults/etc. - Use /bin/bash, allows reading user input with readline support. - Remove really old configs from /usr/local. --- ChangeLog | 12 +- contrib/cygwin/Makefile | 56 +++++ contrib/cygwin/README | 122 +++++----- contrib/cygwin/ssh-host-config | 502 ++++++++++++++++++++--------------------- contrib/cygwin/ssh-user-config | 64 +++++- 5 files changed, 441 insertions(+), 315 deletions(-) create mode 100644 contrib/cygwin/Makefile diff --git a/ChangeLog b/ChangeLog index 1cb4a8e1d..4a1c55a57 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,16 @@ 20031113 - (dtucker) [auth-pam.c] Append newlines to lines output by the pam_chauthtok_conv(). + - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All + contrib/cygwin). Major update from vinschen at redhat.com. + - Makefile provides a `cygwin-postinstall' target to run right after + `make install'. + - Better support for Windows 2003 Server. + - Try to get permissions as correct as possible. + - New command line options to allow full automated host configuration. + - Create configs from skeletons in /etc/defaults/etc. + - Use /bin/bash, allows reading user input with readline support. + - Remove really old configs from /usr/local. 20031106 - (djm) Clarify UsePAM consequences a little more 
@@ -1401,4 +1411,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3094 2003/11/13 00:21:31 dtucker Exp $ +$Id: ChangeLog,v 1.3095 2003/11/13 00:28:49 dtucker Exp $ diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile new file mode 100644 index 000000000..09e8ea2db --- /dev/null +++ b/contrib/cygwin/Makefile 
@@ -0,0 +1,56 @@ +srcdir=../.. +prefix=/usr +exec_prefix=$(prefix) +bindir=$(prefix)/bin +datadir=$(prefix)/share +docdir=$(datadir)/doc +sshdocdir=$(docdir)/openssh +cygdocdir=$(docdir)/Cygwin +sysconfdir=/etc +defaultsdir=$(sysconfdir)/defaults/etc +PRIVSEP_PATH=/var/empty +INSTALL=/usr/bin/install -c + +DESTDIR= + +all: + @echo + @echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'" + @echo "Be sure having DESTDIR set correctly!" + @echo + +move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config + $(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir) + mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir) + +remove-empty-dir: + rm -rf $(DESTDIR)$(PRIVSEP_PATH) + +install-sshdoc: + $(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir) + $(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS + $(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog + $(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE + $(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW + $(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README + $(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns + $(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep + $(INSTALL) -m 644 $(srcdir)/README.smartcard $(DESTDIR)$(sshdocdir)/README.smartcard + $(INSTALL) -m 644 $(srcdir)/RFC.nroff $(DESTDIR)$(sshdocdir)/RFC.nroff + $(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO + $(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG + +install-cygwindoc: README + $(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir) + $(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README + +install-doc: install-sshdoc install-cygwindoc + +install-scripts: ssh-host-config ssh-user-config + $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) + $(INSTALL) -m 755 ssh-host-config 
$(DESTDIR)$(bindir)/ssh-host-config + $(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config + +cygwin-postinstall: move-config-files remove-empty-dir install-doc install-scripts + @echo "Cygwin specific configuration finished." diff --git a/contrib/cygwin/README b/contrib/cygwin/README index ec58964c9..1cc6ae65c 100644 --- a/contrib/cygwin/README +++ b/contrib/cygwin/README 
@@ -1,4 +1,49 @@ -This package is the actual port of OpenSSH to Cygwin 1.5. +This package describes important Cygwin specific stuff concerning OpenSSH. + +The binary package is usually built for recent Cygwin versions and might +not run on older versions. Please check http://cygwin.com/ for information +about current Cygwin releases. + +Build instructions are at the end of the file. + +=========================================================================== +Important change since 3.7.1p2-2: + +The ssh-host-config file doesn't create the /etc/ssh_config and +/etc/sshd_config files from builtin here-scripts anymore, but it uses +skeleton files installed in /etc/defaults/etc. + +Also it now tries hard to create appropriate permissions on files. +Same applies for ssh-user-config. + +After creating the sshd service with ssh-host-config, it's advisable to +call ssh-user-config for all affected users, also already exising user +configurations. In the latter case, file and directory permissions are +checked and changed, if requireed to match the host configuration. + +Important note for Windows 2003 Server users: +--------------------------------------------- + +2003 Server has a funny new feature. When starting services under SYSTEM +account, these services have nearly all user rights which SYSTEM holds... +except for the "Create a token object" right, which is needed to allow +public key authentication :-( + +There's no way around this, except for creating a substitute account which +has the appropriate privileges. Basically, this account should be member +of the administrators group, plus it should have the following user rights: + + Create a token object + Logon as a service + Replace a process level token + Increase Quota + +The ssh-host-config script asks you, if it should create such an account, +called "sshd_server". If you say "no" here, you're on your own. Please +follow the instruction in ssh-host-config exactly if possible. 
Note that +ssh-user-config sets the permissions on 2003 Server machines dependent of +whether a sshd_server account exists or not. +=========================================================================== =========================================================================== Important change since 3.4p1-2: 
@@ -114,54 +159,6 @@ ${SYSTEMROOT}/system32/drivers/etc/services file: ssh 22/tcp #SSH daemon -=========================================================================== -The following restrictions only apply to Cygwin versions up to 1.3.1 -=========================================================================== - -Authentication to sshd is possible in one of two ways. -You'll have to decide before starting sshd! - -- If you want to authenticate via RSA and you want to login to that - machine to exactly one user account you can do so by running sshd - under that user account. You must change /etc/sshd_config - to contain the following: - - RSAAuthentication yes - - Moreover it's possible to use rhosts and/or rhosts with - RSA authentication by setting the following in sshd_config: - - RhostsAuthentication yes - RhostsRSAAuthentication yes - -- If you want to be able to login to different user accounts you'll - have to start sshd under system account or any other account that - is able to switch user context. Note that administrators are _not_ - able to do that by default! You'll have to give the following - special user rights to the user: - "Act as part of the operating system" - "Replace process level token" - "Increase quotas" - and if used via service manager - "Logon as a service". - - The system account does of course own that user rights by default. - - Unfortunately, if you choose that way, you can only logon with - NT password authentification and you should change - /etc/sshd_config to contain the following: - - PasswordAuthentication yes - RhostsAuthentication no - RhostsRSAAuthentication no - RSAAuthentication no - - However you can login to the user which has started sshd with - RSA authentication anyway. If you want that, change the RSA - authentication setting back to "yes": - - RSAAuthentication yes - Please note that OpenSSH does never use the value of $HOME to search for the users configuration files! 
It always uses the value of the pw_dir field in /etc/passwd as the home directory. @@ -169,7 +166,7 @@ If no home diretory is set in /etc/passwd, the root directory is used instead! You may use all features of the CYGWIN=ntsec setting the same -way as they are used by the `login' port on sources.redhat.com: +way as they are used by Cygwin's login(1) port: The pw_gecos field may contain an additional field, that begins with (upper case!) "U-", followed by the domain and the username @@ -186,6 +183,8 @@ way as they are used by the `login' port on sources.redhat.com: locuser::1104:513:John Doe,U-user,S-1-5-21-... +Note that the CYGWIN=ntsec setting is required for public key authentication. + SSH2 server and user keys are generated by the `ssh-*-config' scripts as well. @@ -194,15 +193,30 @@ configure are used for the Cygwin binary distribution: --prefix=/usr \ --sysconfdir=/etc \ - --libexecdir='${exec_prefix}/sbin' - -You must have installed the zlib and openssl packages to be able to + --libexecdir='$(sbindir)' \ + --localstatedir=/var \ + --datadir='$(prefix)/share' \ + --mandir='$(datadir)/man' \ + --with-tcp-wrappers + +If you want to create a Cygwin package, equivalent to the one +in the Cygwin binary distribution, install like this: + + mkdir /tmp/cygwin-ssh + cd $(builddir) + make install DESTDIR=/tmp/cygwin-ssh + cd $(srcdir)/contrib/cygwin + make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh + cd /tmp/cygwin-ssh + find * \! -type d | tar cvjfT my-openssh.tar.bz2 - + +You must have installed the zlib and openssl-devel packages to be able to build OpenSSH! Please send requests, error reports etc. to cygwin@cygwin.com. Have fun, -Corinna Vinschen +Corinna Vinschen Cygwin Developer Red Hat Inc. diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config index c69cfd88b..18793ca85 100644 --- a/contrib/cygwin/ssh-host-config +++ b/contrib/cygwin/ssh-host-config 
@@ -1,6 +1,6 @@ -#!/bin/sh +#!/bin/bash # -# ssh-host-config, Copyright 2000, Red Hat Inc. +# ssh-host-config, Copyright 2000, 2001, 2002, 2003 Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. @@ -9,10 +9,7 @@ PREFIX=/usr # Directory where the config files are stored SYSCONFDIR=/etc - -# Subdirectory where an old package might be installed -OLDPREFIX=/usr/local -OLDSYSCONFDIR=${OLDPREFIX}/etc +LOCALSTATEDIR=/var progname=$0 auto_answer="" @@ -27,9 +24,11 @@ request() { if [ "${auto_answer}" = "yes" ] then + echo "$1 (yes/no) yes" return 0 elif [ "${auto_answer}" = "no" ] then + echo "$1 (yes/no) no" return 1 fi @@ -37,7 +36,7 @@ request() while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] do echo -n "$1 (yes/no) " - read answer + read -e answer done if [ "X${answer}" = "Xyes" ] then @@ -60,7 +59,7 @@ do option=$1 shift - case "$option" in + case "${option}" in -d | --debug ) set -x ;; @@ -73,21 +72,33 @@ do auto_answer=no ;; + -c | --cygwin ) + cygwin_value="$1" + shift + ;; + -p | --port ) port_number=$1 shift ;; + -w | --pwd ) + password_value="$1" + shift + ;; + *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH host configuration." echo echo "Options:" - echo " --debug -d Enable shell's debug output." - echo " --yes -y Answer all questions with \"yes\" automatically." - echo " --no -n Answer all questions with \"no\" automatically." - echo " --port -p sshd listens on port n." + echo " --debug -d Enable shell's debug output." + echo " --yes -y Answer all questions with \"yes\" automatically." + echo " --no -n Answer all questions with \"no\" automatically." + echo " --cygwin -c Use \"options\" as value for CYGWIN environment var." + echo " --port -p sshd listens on port n." + echo " --pwd -w Use \"pwd\" as password for user 'sshd_server'." echo exit 1 ;; 
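Review bot: The new `-w | --pwd` option in the hunk at -73 takes the password for the sshd_server account as a command-line argument, which can expose it to other local users through process listings and leaves it in shell history. According to the README added in this commit that account is meant to be a member of the administrators group, so the value is worth protecting; reading it from stdin or from a file with restricted permissions would avoid the exposure. The interactive prompt later in the script uses `read -e _password`, which echoes the input, where `read -s -e _password` would not. If the option stays for unattended installs, the usage text should say that the value is visible to other processes.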
@@ -96,8 +107,13 @@ do done # Check if running on NT -_sys="`uname -a`" -_nt=`expr "$_sys" : "CYGWIN_NT"` +_sys="`uname`" +_nt=`expr "${_sys}" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ ${_nt} -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running 
@@ -137,87 +153,33 @@ fi # Create /var/log and /var/log/lastlog if not already existing -if [ -f /var/log ] +if [ -f ${LOCALSTATEDIR}/log ] then - echo "Creating /var/log failed\!" + echo "Creating ${LOCALSTATEDIR}/log failed!" else - if [ ! -d /var/log ] + if [ ! -d ${LOCALSTATEDIR}/log ] then - mkdir -p /var/log + mkdir -p ${LOCALSTATEDIR}/log fi - if [ -d /var/log/lastlog ] + if [ -d ${LOCALSTATEDIR}/log/lastlog ] then - echo "Creating /var/log/lastlog failed\!" - elif [ ! -f /var/log/lastlog ] + chmod 777 ${LOCALSTATEDIR}/log/lastlog + elif [ ! -f ${LOCALSTATEDIR}/log/lastlog ] then - cat /dev/null > /var/log/lastlog + cat /dev/null > ${LOCALSTATEDIR}/log/lastlog + chmod 666 ${LOCALSTATEDIR}/log/lastlog fi fi # Create /var/empty file used as chroot jail for privilege separation -if [ -f /var/empty ] +if [ -f ${LOCALSTATEDIR}/empty ] then - echo "Creating /var/empty failed\!" + echo "Creating ${LOCALSTATEDIR}/empty failed!" else - mkdir -p /var/empty - # On NT change ownership of that dir to user "system" - if [ $_nt -gt 0 ] + mkdir -p ${LOCALSTATEDIR}/empty + if [ ${_nt} -gt 0 ] then - chmod 755 /var/empty - chown system.system /var/empty - fi -fi - -# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't -# the same as ${PREFIX} - -old_install=0 -if [ "${OLDPREFIX}" != "${PREFIX}" ] -then - if [ -f "${OLDPREFIX}/sbin/sshd" ] - then - echo - echo "You seem to have an older installation in ${OLDPREFIX}." - echo - # Check if old global configuration files exist - if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] - then - if request "Do you want to copy your config files to your new installation?" 
- then - cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} - cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} - fi - fi - if request "Do you want to erase your old installation?" - then - rm -f ${OLDPREFIX}/bin/ssh.exe - rm -f ${OLDPREFIX}/bin/ssh-config - rm -f ${OLDPREFIX}/bin/scp.exe - rm -f ${OLDPREFIX}/bin/ssh-add.exe - rm -f ${OLDPREFIX}/bin/ssh-agent.exe - rm -f ${OLDPREFIX}/bin/ssh-keygen.exe - rm -f ${OLDPREFIX}/bin/slogin - rm -f ${OLDSYSCONFDIR}/ssh_host_key - rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub - rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key - rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub - rm -f ${OLDSYSCONFDIR}/ssh_config - rm -f ${OLDSYSCONFDIR}/sshd_config - rm -f ${OLDPREFIX}/man/man1/ssh.1 - rm -f ${OLDPREFIX}/man/man1/scp.1 - rm -f ${OLDPREFIX}/man/man1/ssh-add.1 - rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 - rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 - rm -f ${OLDPREFIX}/man/man1/slogin.1 - rm -f ${OLDPREFIX}/man/man8/sshd.8 - rm -f ${OLDPREFIX}/sbin/sshd.exe - rm -f ${OLDPREFIX}/sbin/sftp-server.exe - fi - old_install=1 + chmod 755 ${LOCALSTATEDIR}/empty fi fi 
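Review bot: `chmod 777 ${LOCALSTATEDIR}/log/lastlog` (directory case) and `chmod 666 ${LOCALSTATEDIR}/log/lastlog` (newly created file) in the hunk at -137 make the last-login record writable by every local account, so any user can alter or truncate other users' entries. If only the account running sshd needs to write it, a tighter mode with matching ownership, for example `chmod 644 ${LOCALSTATEDIR}/log/lastlog` after a chown to the service account, keeps the record trustworthy; if the wide mode is needed on Cygwin, a comment saying why would help. The hunk also removes `chown system.system /var/empty` and keeps only `chmod 755 ${LOCALSTATEDIR}/empty`, so in the visible lines the privilege-separation directory stays owned by whoever runs the script.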
@@ -255,52 +217,16 @@ then fi fi -# Create default ssh_config from here script +# Create default ssh_config from skeleton file in /etc/defaults/etc if [ ! -f "${SYSCONFDIR}/ssh_config" ] then echo "Generating ${SYSCONFDIR}/ssh_config file" - cat > ${SYSCONFDIR}/ssh_config << EOF -# This is the ssh client system-wide configuration file. See -# ssh_config(5) for more information. This file provides defaults for -# users, and the values can be changed in per-user configuration files -# or on the command line. - -# Configuration data is parsed as follows: -# 1. command line options -# 2. user-specific file -# 3. system-wide file -# Any configuration value is only changed the first time it is set. -# Thus, host-specific definitions should be at the beginning of the -# configuration file, and defaults at the end. - -# Site-wide defaults for various options - -# Host * -# ForwardAgent no -# ForwardX11 no -# RhostsRSAAuthentication no -# RSAAuthentication yes -# PasswordAuthentication yes -# HostbasedAuthentication no -# BatchMode no -# CheckHostIP yes -# AddressFamily any -# ConnectTimeout 0 -# StrictHostKeyChecking ask -# IdentityFile ~/.ssh/identity -# IdentityFile ~/.ssh/id_dsa -# IdentityFile ~/.ssh/id_rsa -# Port 22 -# Protocol 2,1 -# Cipher 3des -# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc -# EscapeChar ~ -EOF - if [ "$port_number" != "22" ] + cp ${SYSCONFDIR}/defaults/etc/ssh_config ${SYSCONFDIR}/ssh_config + if [ "${port_number}" != "22" ] then echo "Host localhost" >> ${SYSCONFDIR}/ssh_config - echo " Port $port_number" >> ${SYSCONFDIR}/ssh_config + echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config fi fi 
@@ -322,35 +248,35 @@ fi # Prior to creating or modifying sshd_config, care for privilege separation -if [ "$privsep_configured" != "yes" ] +if [ "${privsep_configured}" != "yes" ] then - if [ $_nt -gt 0 ] + if [ ${_nt} -gt 0 ] then echo "Privilege separation is set to yes by default since OpenSSH 3.3." echo "However, this requires a non-privileged account called 'sshd'." - echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." + echo "For more info on privilege separation read /usr/share/doc/openssh/README.privsep." echo - if request "Shall privilege separation be used?" + if request "Should privilege separation be used?" then privsep_used=yes grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes net user sshd >/dev/null 2>&1 && sshd_in_sam=yes - if [ "$sshd_in_passwd" != "yes" ] + if [ "${sshd_in_passwd}" != "yes" ] then - if [ "$sshd_in_sam" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: The following function requires administrator privileges!" - if request "Shall this script create a local user 'sshd' on this machine?" + if request "Should this script create a local user 'sshd' on this machine?" then - dos_var_empty=`cygpath -w /var/empty` - net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes - if [ "$sshd_in_sam" != "yes" ] + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + net user sshd /add /fullname:"sshd privsep" "/homedir:${dos_var_empty}" /active:no > /dev/null 2>&1 && sshd_in_sam=yes + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: Creating the user 'sshd' failed!" fi fi fi - if [ "$sshd_in_sam" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" echo " Privilege separation set to 'no' again!" 
@@ -365,117 +291,41 @@ then fi else # On 9x don't use privilege separation. Since security isn't - # available it just adds useless addtional processes. + # available it just adds useless additional processes. privsep_used=no fi fi -# Create default sshd_config from here script or modify to add the -# missing privsep configuration option +# Create default sshd_config from skeleton files in /etc/defaults/etc or +# modify to add the missing privsep configuration option if [ ! -f "${SYSCONFDIR}/sshd_config" ] then echo "Generating ${SYSCONFDIR}/sshd_config file" - cat > ${SYSCONFDIR}/sshd_config << EOF -# This is the sshd server system-wide configuration file. See -# sshd_config(5) for more information. - -# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin - -# The strategy used for options in the default sshd_config shipped with -# OpenSSH is to specify options with their default value where -# possible, but leave them commented. Uncommented options change a -# default value. - -Port $port_number -#Protocol 2,1 -#ListenAddress 0.0.0.0 -#ListenAddress :: - -# HostKey for protocol version 1 -#HostKey ${SYSCONFDIR}/ssh_host_key -# HostKeys for protocol version 2 -#HostKey ${SYSCONFDIR}/ssh_host_rsa_key -#HostKey ${SYSCONFDIR}/ssh_host_dsa_key - -# Lifetime and size of ephemeral version 1 server key -#KeyRegenerationInterval 1h -#ServerKeyBits 768 - -# Logging -#obsoletes QuietMode and FascistLogging -#SyslogFacility AUTH -#LogLevel INFO - -# Authentication: - -#LoginGraceTime 2m -#PermitRootLogin yes -# The following setting overrides permission checks on host key files -# and directories. For security reasons set this to "yes" when running -# NT/W2K, NTFS and CYGWIN=ntsec. 
-StrictModes no - -#RSAAuthentication yes -#PubkeyAuthentication yes -#AuthorizedKeysFile .ssh/authorized_keys - -# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts -#RhostsRSAAuthentication no -# similar for protocol version 2 -#HostbasedAuthentication no -# Change to yes if you don't trust ~/.ssh/known_hosts for -# RhostsRSAAuthentication and HostbasedAuthentication -#IgnoreUserKnownHosts no -# Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes - -# To disable tunneled clear text passwords, change to no here! -#PasswordAuthentication yes -#PermitEmptyPasswords no - -# Change to no to disable s/key passwords -#ChallengeResponseAuthentication yes - -#AllowTcpForwarding yes -#GatewayPorts no -#X11Forwarding no -#X11DisplayOffset 10 -#X11UseLocalhost yes -#PrintMotd yes -#PrintLastLog yes -#KeepAlive yes -#UseLogin no -UsePrivilegeSeparation $privsep_used -#PermitUserEnvironment no -#Compression yes -#ClientAliveInterval 0 -#ClientAliveCountMax 3 -#UseDNS yes -#PidFile /var/run/sshd.pid -#MaxStartups 10 - -# no default banner path -#Banner /some/path - -# override default of no subsystems -Subsystem sftp /usr/sbin/sftp-server -EOF -elif [ "$privsep_configured" != "yes" ] + sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/ + s/^#Port 22/Port ${port_number}/ + s/^#StrictModes yes/StrictModes no/" \ + < ${SYSCONFDIR}/defaults/etc/sshd_config \ + > ${SYSCONFDIR}/sshd_config +elif [ "${privsep_configured}" != "yes" ] then echo >> ${SYSCONFDIR}/sshd_config - echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config + echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config fi # Care for services file _my_etcdir="/ssh-host-config.$$" -if [ $_nt -gt 0 ] +if [ ${_nt} -gt 0 ] then _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc" _services="${_my_etcdir}/services" + # On NT, 27 spaces, no space after the hash + _spaces=" #" else _win_etcdir="${WINDIR}" 
_services="${_my_etcdir}/SERVICES" + # On 9x, 18 spaces (95 is very touchy), a space after the hash + _spaces=" # " fi _serv_tmp="${_my_etcdir}/srv.out.$$" @@ -494,29 +344,28 @@ then then echo "Removing sshd from ${_wservices}" else - echo "Removing sshd from ${_wservices} failed\!" + echo "Removing sshd from ${_wservices} failed!" fi rm -f "${_serv_tmp}" else - echo "Removing sshd from ${_wservices} failed\!" + echo "Removing sshd from ${_wservices} failed!" fi fi # Add ssh 22/tcp and ssh 22/udp to services if [ `grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then - awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp #SSH Remote Login Protocol\nssh 22/udp #SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" - if [ -f "${_serv_tmp}" ] + if awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}" then if mv "${_serv_tmp}" "${_services}" then echo "Added ssh to ${_wservices}" else - echo "Adding ssh to ${_wservices} failed\!" + echo "Adding ssh to ${_wservices} failed!" fi rm -f "${_serv_tmp}" else - echo "Adding ssh to ${_wservices} failed\!" + echo "WARNING: Adding ssh to ${_wservices} failed!" fi fi @@ -541,11 +390,11 @@ then then echo "Removed sshd from ${_inetcnf}" else - echo "Removing sshd from ${_inetcnf} failed\!" + echo "Removing sshd from ${_inetcnf} failed!" fi rm -f "${_inetcnf_tmp}" else - echo "Removing sshd from ${_inetcnf} failed\!" + echo "Removing sshd from ${_inetcnf} failed!" fi fi 
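Review bot: The sed script that builds sshd_config (hunk at -365) rewrites `#StrictModes yes` to `StrictModes no` unconditionally, which turns off sshd's ownership and mode checks on users' files, and the explanatory comment from the old here-document (set it to "yes" on NT/W2K with NTFS and CYGWIN=ntsec) is no longer written anywhere. Since the README in this commit says the scripts now try to create appropriate permissions, consider applying that substitution only when `${_nt}` is 0, or at least writing a comment into the generated file. `${port_number}` is also interpolated into the sed expression without validation; a check such as `case "${port_number}" in ""|*[!0-9]*) echo "invalid port"; exit 1;; esac` before this point would keep a stray `/` from changing the sed program.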
@@ -563,34 +412,181 @@ then fi # On NT ask if sshd should be installed as service -if [ $_nt -gt 0 ] +if [ ${_nt} -gt 0 ] then - echo - echo "Do you want to install sshd as service?" - if request "(Say \"no\" if it's already installed as service)" + # But only if it is not already installed + if ! cygrunsrv -Q sshd > /dev/null 2>&1 then echo - echo "Which value should the environment variable CYGWIN have when" - echo "sshd starts? It's recommended to set at least \"ntsec\" to be" - echo "able to change user context without password." - echo -n "Default is \"binmode ntsec tty\". CYGWIN=" - read _cygwin - [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" - if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + echo + echo "Warning: The following functions require administrator privileges!" + echo + echo "Do you want to install sshd as service?" + if request "(Say \"no\" if it's already installed as service)" then - chown system ${SYSCONFDIR}/ssh* - echo - echo "The service has been installed under LocalSystem account." + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && sshd_server_in_passwd=yes + if [ "${sshd_server_in_passwd}" = "yes" ] + then + # Drop sshd_server from passwd since it could have wrong settings + grep -v '^sshd_server:' ${SYSCONFDIR}/passwd > ${SYSCONFDIR}/passwd.$$ + rm -f ${SYSCONFDIR}/passwd + mv ${SYSCONFDIR}/passwd.$$ ${SYSCONFDIR}/passwd + chmod g-w,o-w ${SYSCONFDIR}/passwd + fi + net user sshd_server >/dev/null 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo + echo "You appear to be running Windows 2003 Server or later. On 2003 and" + echo "later systems, it's not possible to use the LocalSystem account" + echo "if sshd should allow passwordless logon (e. g. public key authentication)." 
+ echo "If you want to enable that functionality, it's required to create a new" + echo "account 'sshd_server' with special privileges, which is then used to run" + echo "the sshd service under." + echo + echo "Should this script create a new local account 'sshd_server' which has" + if request "the required privileges?" + then + _admingroup=`awk -F: '{if ( $2 == "S-1-5-32-544" ) print $1;}' ${SYSCONFDIR}/group` + if [ -z "${_admingroup}" ] + then + echo "There's no group with SID S-1-5-32-544 (Local administrators group) in" + echo "your ${SYSCONFDIR}/group file. Please regenerate this entry using 'mkgroup -l'" + echo "and restart this script." + exit 1 + fi + dos_var_empty=`cygpath -w ${LOCALSTATEDIR}/empty` + while [ "${sshd_server_in_sam}" != "yes" ] + do + if [ -n "${password_value}" ] + then + _password="${password_value}" + # Allow to ask for password if first try fails + password_value="" + else + echo + echo "Please enter a password for new user 'sshd_server'. Please be sure that" + echo "this password matches the password rules given on your system." + echo -n "Entering no password will exit the configuration. PASSWORD=" + read -e _password + if [ -z "${_password}" ] + then + echo + echo "Exiting configuration. No user sshd_server has been created," + echo "no sshd service installed." + exit 1 + fi + fi + net user sshd_server "${_password}" /add /fullname:"sshd server account" "/homedir:${dos_var_empty}" /yes > /tmp/nu.$$ 2>&1 && sshd_server_in_sam=yes + if [ "${sshd_server_in_sam}" != "yes" ] + then + echo "Creating the user 'sshd_server' failed! Reason:" + cat /tmp/nu.$$ + rm /tmp/nu.$$ + fi + done + net localgroup "${_admingroup}" sshd_server /add > /dev/null 2>&1 && sshd_server_in_admingroup=yes + if [ "${sshd_server_in_admingroup}" != "yes" ] + then + echo "WARNING: Adding user sshd_server to local group ${_admingroup} failed!" + echo "Please add sshd_server to local group ${_admingroup} before" + echo "starting the sshd service!" 
+ echo + fi + passwd_has_expiry_flags=`passwd -v | awk '/^passwd /{print ( $3 >= 1.5 ) ? "yes" : "no";}'` + if [ "${passwd_has_expiry_flags}" != "yes" ] + then + echo + echo "WARNING: User sshd_server has password expiry set to system default." + echo "Please check that password never expires or set it to your needs." + elif ! passwd -e sshd_server + then + echo + echo "WARNING: Setting password expiry for user sshd_server failed!" + echo "Please check that password never expires or set it to your needs." + fi + editrights -a SeAssignPrimaryTokenPrivilege -u sshd_server && + editrights -a SeCreateTokenPrivilege -u sshd_server && + editrights -a SeDenyInteractiveLogonRight -u sshd_server && + editrights -a SeDenyNetworkLogonRight -u sshd_server && + editrights -a SeDenyRemoteInteractiveLogonRight -u sshd_server && + editrights -a SeIncreaseQuotaPrivilege -u sshd_server && + editrights -a SeServiceLogonRight -u sshd_server && + sshd_server_got_all_rights="yes" + if [ "${sshd_server_got_all_rights}" != "yes" ] + then + echo + echo "Assigning the appropriate privileges to user 'sshd_server' failed!" + echo "Can't create sshd service!" + exit 1 + fi + echo + echo "User 'sshd_server' has been created with password '${_password}'." + echo "If you change the password, please keep in mind to change the password" + echo "for the sshd service, too." + echo + echo "Also keep in mind that the user sshd_server needs read permissions on all" + echo "users' .ssh/authorized_keys file to allow public key authentication for" + echo "these users!. (Re-)running ssh-user-config for each user will set the" + echo "required permissions correctly." + echo + fi + fi + if [ "${sshd_server_in_sam}" = "yes" ] + then + mkpasswd -l -u sshd_server | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd + fi + fi + if [ -n "${cygwin_value}" ] + then + _cygwin="${cygwin_value}" + else + echo + echo "Which value should the environment variable CYGWIN have when" + echo "sshd starts? 
It's recommended to set at least \"ntsec\" to be" + echo "able to change user context without password." + echo -n "Default is \"ntsec\". CYGWIN=" + read -e _cygwin + fi + [ -z "${_cygwin}" ] && _cygwin="ntsec" + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -u sshd_server -w "${_password}" -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under sshd_server account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + else + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + then + echo + echo "The service has been installed under LocalSystem account." + echo "To start the service, call \`net start sshd' or \`cygrunsrv -S sshd'." + fi + fi + fi + # Now check if sshd has been successfully installed. This allows to + # set the ownership of the affected files correctly. + if cygrunsrv -Q sshd > /dev/null 2>&1 + then + if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] + then + _user="sshd_server" + else + _user="system" + fi + chown "${_user}" ${SYSCONFDIR}/ssh* + chown "${_user}".544 ${LOCALSTATEDIR}/empty + if [ -f ${LOCALSTATEDIR}/log/sshd.log ] + then + chown "${_user}".544 ${LOCALSTATEDIR}/log/sshd.log + fi fi fi fi -if [ "${old_install}" = "1" ] -then - echo - echo "Note: If you have used sshd as service or from inetd, don't forget to" - echo " change the path to sshd.exe in the service entry or in inetd.conf." -fi - echo echo "Host configuration finished. Have fun!" diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config index 4da113181..fe07ce360 100644 --- a/contrib/cygwin/ssh-user-config +++ b/contrib/cygwin/ssh-user-config 
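Review bot: The new sshd_server password is exposed several times in this hunk: `read -e _password` echoes it as it is typed, the closing message prints it back with `echo "User 'sshd_server' has been created with password '${_password}'."`, and it is passed to `net user` and to `cygrunsrv ... -w "${_password}"` as a command-line argument. The account is added to the local administrators group and granted SeCreateTokenPrivilege, so I would read the password without echo (`read -s _password`, assuming the script runs under bash as the ChangeLog entry on this page says) and drop it from the confirmation message. The `net user` output is also written to the predictable path `/tmp/nu.$$` and removed only on the failure branch; an `rm -f /tmp/nu.$$` after the `while` loop would stop it being left behind. The enclosing `if [ ${_nt} -gt 0 ]` block opens in context lines above the added code.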
@@ -1,9 +1,12 @@ #!/bin/sh # -# ssh-user-config, Copyright 2000, Red Hat Inc. +# ssh-user-config, Copyright 2000, 2001, 2002, 2003, Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. +# Directory where the config files are stored +SYSCONFDIR=/etc + progname=$0 auto_answer="" auto_passphrase="no" @@ -33,6 +36,15 @@ request() fi } +# Check if running on NT +_sys="`uname -a`" +_nt=`expr "$_sys" : "CYGWIN_NT"` +# If running on NT, check if running under 2003 Server or later +if [ $_nt -gt 0 ] +then + _nt2003=`uname | awk -F- '{print ( $2 >= 5.2 ) ? 1 : 0;}'` +fi + # Check options while : @@ -84,27 +96,27 @@ done # Ask user if user identity should be generated -if [ ! -f /etc/passwd ] +if [ ! -f ${SYSCONFDIR}/passwd ] then - echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file' + echo "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" echo 'first using mkpasswd. Check if it contains an entry for you and' echo 'please care for the home directory in your entry as well.' exit 1 fi uid=`id -u` -pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd` +pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd` if [ "X${pwdhome}" = "X" ] then - echo 'There is no home directory set for you in /etc/passwd.' + echo "There is no home directory set for you in ${SYSCONFDIR}/passwd." echo 'Setting $HOME is not sufficient!' exit 1 fi if [ ! -d "${pwdhome}" ] then - echo "${pwdhome} is set in /etc/passwd as your home directory" + echo "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" echo 'but it is not a valid directory. Cannot create user identity files.' exit 1 fi 
@@ -114,7 +126,7 @@ fi if [ "X${pwdhome}" = "X/" ] then # But first raise a warning! - echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!' + echo "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!" if request "Would you like to proceed anyway?" then pwdhome='' @@ -123,6 +135,17 @@ then fi fi +if [ -d "${pwdhome}" -a $_nt -gt 0 -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ] +then + echo + echo 'WARNING: group and other have been revoked write permission to your home' + echo " directory ${pwdhome}." + echo ' This is required by OpenSSH to allow public key authentication using' + echo ' the key files stored in your .ssh subdirectory.' + echo ' Revert this change ONLY if you know what you are doing!' + echo +fi + if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] then echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." @@ -139,6 +162,21 @@ then fi fi +if [ $_nt -gt 0 ] +then + _user="system" + if [ $_nt2003 -gt 0 ] + then + grep -q '^sshd_server:' ${SYSCONFDIR}/passwd && _user="sshd_server" + fi + if ! setfacl -m "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh" + then + echo "${pwdhome}/.ssh couldn't be given the correct permissions." + echo "Please try to solve this problem first." + exit 1 + fi +fi + if [ ! -f "${pwdhome}/.ssh/identity" ] then if request "Shall I create an SSH1 RSA identity file for you?" @@ -196,5 +234,17 @@ then fi fi +if [ $_nt -gt 0 -a -e "${pwdhome}/.ssh/authorized_keys" ] +then + if ! setfacl -m "u::rw-,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh/authorized_keys" + then + echo + echo "WARNING: Setting correct permissions to ${pwdhome}/.ssh/authorized_keys" + echo "failed. Please care for the correct permissions. The minimum requirement" + echo "is, the owner and ${_user} both need read permissions." + echo + fi +fi + echo echo "Configuration finished. Have fun!" -- cgit v1.2.3 
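Review bot: In the hunk at `@@ -123,6 +135,17 @@`, the `chmod -c g-w,o-w "${pwdhome}"` is a command substitution inside the test, so it runs before `[` evaluates `-d "${pwdhome}"` and `$_nt -gt 0`; `-a` does not short-circuit. The home directory's mode is therefore changed even on systems the `$_nt` guard was meant to exclude, and chmod is called on an empty path after the "proceed anyway" branch sets `pwdhome=''`. Chaining separate tests keeps the side effect behind the checks: `if [ -d "${pwdhome}" ] && [ $_nt -gt 0 ] && [ -n "$(chmod -c g-w,o-w "${pwdhome}")" ]`.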
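Review bot: In the hunk at `@@ -139,6 +162,21 @@`, `setfacl -m` only adds or modifies the listed entries, so any other named user or group entry already on `${pwdhome}/.ssh` survives the call; the same holds for the `authorized_keys` call in the last hunk. If the intent is that only the owner and `${_user}` can read the key material, replacing the whole ACL states that directly: `setfacl -s "u::rwx,u:${_user}:r--,g::---,o::---" "${pwdhome}/.ssh"`, assuming this setfacl supports `-s`. `_user` is also chosen by whether `sshd_server` appears in `${SYSCONFDIR}/passwd`, not by the account the service actually runs as, which is worth a comment such as `# ACL target follows the passwd entry, not the installed service account`.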
From ae52b7ca596adf4f2b9a5c6a19062f42a2543b02 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 13 Nov 2003 19:52:31 +1100 Subject: - (dtucker) [auth-pam.c] Add newline to accumulated PAM_TEXT_INFO and PAM_ERROR_MSG messages. --- ChangeLog | 4 +++- auth-pam.c | 6 +++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4a1c55a57..5cffbbc2c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ - Create configs from skeletons in /etc/defaults/etc. - Use /bin/bash, allows reading user input with readline support. - Remove really old configs from /usr/local. + - (dtucker) [auth-pam.c] Add newline to accumulated PAM_TEXT_INFO and + PAM_ERROR_MSG messages. 20031106 - (djm) Clarify UsePAM consequences a little more @@ -1411,4 +1413,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3095 2003/11/13 00:28:49 dtucker Exp $ +$Id: ChangeLog,v 1.3096 2003/11/13 08:52:31 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index c9122487e..1f0b791ed 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.77 2003/11/13 00:21:32 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.78 2003/11/13 08:52:31 dtucker Exp $"); #ifdef USE_PAM #include @@ -412,9 +412,9 @@ sshpam_query(void *ctx, char **name, char **info, case PAM_ERROR_MSG: case PAM_TEXT_INFO: /* accumulate messages */ - len = plen + strlen(msg) + 1; + len = plen + strlen(msg) + 2; **prompts = xrealloc(**prompts, len); - plen += snprintf(**prompts + plen, len, "%s", msg); + plen += snprintf(**prompts + plen, len, "%s\n", msg); xfree(msg); break; case PAM_SUCCESS: -- cgit v1.2.3 From 203c40b513853503417f030cd6557c6991431a97 Mon Sep 17 00:00:00 2001 
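Review bot: The size passed to `snprintf` is `len`, the size of the whole reallocated buffer, while the write starts at `**prompts + plen`; the bound that matches the destination is `len - plen`. The allocation is sized exactly (`plen + strlen(msg) + 2`), so nothing overruns as written, but the bound gives no protection if that sizing ever changes. I would write `plen += snprintf(**prompts + plen, len - plen, "%s\n", msg);`. sshpam_query's body starts and ends outside the hunk.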
From: Darren Tucker Date: Sat, 15 Nov 2003 12:13:16 +1100 Subject: - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and HP-UX, skip test on AIX. --- ChangeLog | 6 +++++- regress/agent-ptrace.sh | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5cffbbc2c..ae096d4a9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20031115 + - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and + HP-UX, skip test on AIX. + 20031113 - (dtucker) [auth-pam.c] Append newlines to lines output by the pam_chauthtok_conv(). @@ -1413,4 +1417,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3096 2003/11/13 08:52:31 dtucker Exp $ +$Id: ChangeLog,v 1.3097 2003/11/15 01:13:16 dtucker Exp $ diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh index 3cfc680ca..bd79d7cb8 100644 --- a/regress/agent-ptrace.sh +++ b/regress/agent-ptrace.sh @@ -5,7 +5,7 @@ tid="disallow agent ptrace attach" if have_prog uname ; then case `uname` in - CYGWIN*) + AIX|CYGWIN*) echo "skipped (not supported on this platform)" exit 0 ;; @@ -41,7 +41,7 @@ EOF if [ $? -ne 0 ]; then fail "gdb failed: exit code $?" fi - grep 'ptrace: Operation not permitted.' >/dev/null ${OBJ}/gdb.out + egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace attach: Permission denied.' >/dev/null ${OBJ}/gdb.out r=$? rm -f ${OBJ}/gdb.out if [ $r -ne 0 ]; then -- cgit v1.2.3 From 3e8f41e6ac9b4c39c667067e4bad8160095743f9 Mon Sep 17 00:00:00 2001 
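Review bot: Adding `AIX` to the skip arm reuses the message `skipped (not supported on this platform)`, and nothing in the script records why. This test is the check that the agent refuses a debugger attach, so a silent skip deserves a stated reason, for example a comment above the arm such as `# AIX: <reason the gdb attach check cannot run here>`, with the reason filled in by the author. In the second hunk the dots in the new `egrep` alternatives are unescaped and match any character; `Permission denied\.` is the literal form.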
From: Damien Miller Date: Mon, 17 Nov 2003 21:09:50 +1100 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/11/03 09:03:37 [auth-chall.c] make this a little more idiot-proof; ok markus@ (includes portable-specific changes) --- ChangeLog | 10 +++++++++- auth-chall.c | 44 +++++++++++++++++++++++--------------------- 2 files changed, 32 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index ae096d4a9..ad94d39ff 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +20031117 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/11/03 09:03:37 + [auth-chall.c] + make this a little more idiot-proof; ok markus@ + (includes portable-specific changes) + + 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and HP-UX, skip test on AIX. @@ -1417,4 +1425,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3097 2003/11/15 01:13:16 dtucker Exp $ +$Id: ChangeLog,v 1.3098 2003/11/17 10:09:50 djm Exp $ diff --git a/auth-chall.c b/auth-chall.c index 00d6e0ec5..dd55d6eb0 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-chall.c,v 1.8 2001/05/18 14:13:28 markus Exp $"); +RCSID("$OpenBSD: auth-chall.c,v 1.9 2003/11/03 09:03:37 djm Exp $"); #include "auth.h" #include "log.h" 
@@ -67,36 +67,38 @@ get_challenge(Authctxt *authctxt) int verify_response(Authctxt *authctxt, const char *response) { - char *resp[1]; - int res; + char *resp[1], *name, *info, **prompts; + u_int i, numprompts, *echo_on; + int authenticated = 0; if (device == NULL) return 0; if (authctxt->kbdintctxt == NULL) return 0; resp[0] = (char *)response; - res = device->respond(authctxt->kbdintctxt, 1, resp); - if (res == 1) { - /* postponed - send a null query just in case */ - char *name, *info, **prompts; - u_int i, numprompts, *echo_on; + switch (device->respond(authctxt->kbdintctxt, 1, resp)) { + case 0: /* Success */ + authenticated = 1; + break; + case 1: /* Postponed - retry with empty query for PAM */ + if ((device->query(authctxt->kbdintctxt, &name, &info, + &numprompts, &prompts, &echo_on)) != 0) + break; + if (numprompts == 0 && + device->respond(authctxt->kbdintctxt, 0, resp) == 0) + authenticated = 1; - res = device->query(authctxt->kbdintctxt, &name, &info, - &numprompts, &prompts, &echo_on); - if (res == 0) { - for (i = 0; i < numprompts; i++) - xfree(prompts[i]); - xfree(prompts); - xfree(name); - xfree(echo_on); - xfree(info); - } - /* if we received more prompts, we're screwed */ - res = (res == 0 && numprompts == 0) ? 0 : -1; + for (i = 0; i < numprompts; i++) + xfree(prompts[i]); + xfree(prompts); + xfree(name); + xfree(echo_on); + xfree(info); + break; } device->free_ctx(authctxt->kbdintctxt); authctxt->kbdintctxt = NULL; - return res ? 0 : 1; + return authenticated; } void abandon_challenge_response(Authctxt *authctxt) -- cgit v1.2.3 From 5a38897dbb417d2dacaaeae5bd5ce0718a7f3fb1 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:10:47 +1100 Subject: - jakob@cvs.openbsd.org 2003/11/03 09:09:41 [sshconnect.c] move changed key warning into warn_changed_key(). ok markus@ --- ChangeLog | 6 ++++-- sshconnect.c | 37 +++++++++++++++++++++++++------------ 2 files changed, 29 insertions(+), 14 deletions(-) 
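Review bot: The new `switch` in verify_response has no `default:` arm, so a failure return from `device->respond()` is covered only by `authenticated` having been initialised to 0. That fails closed, which is correct, but the intent is easy to lose when another case is added; I would make it explicit with `default: /* failure: authenticated stays 0 */ break;`. A one-line comment on the `case 1:` path saying that any further prompt (`numprompts != 0`) counts as failure would preserve the meaning of the removed "if we received more prompts" comment.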
diff --git a/ChangeLog b/ChangeLog index ad94d39ff..a210ccf31 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,7 +4,9 @@ [auth-chall.c] make this a little more idiot-proof; ok markus@ (includes portable-specific changes) - + - jakob@cvs.openbsd.org 2003/11/03 09:09:41 + [sshconnect.c] + move changed key warning into warn_changed_key(). ok markus@ 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1425,4 +1427,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3098 2003/11/17 10:09:50 djm Exp $ +$Id: ChangeLog,v 1.3099 2003/11/17 10:10:47 djm Exp $ diff --git a/sshconnect.c b/sshconnect.c index 2c028f3a6..3c8f480ed 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.149 2003/10/14 19:42:10 jakob Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.150 2003/11/03 09:09:41 jakob Exp $"); #include @@ -52,6 +52,7 @@ extern pid_t proxy_command_pid; #endif static int show_other_keys(const char *, Key *); +static void warn_changed_key(Key *); /* * Connect to the given ssh server using a proxy command. 
@@ -785,20 +786,10 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, error("Offending key for IP in %s:%d", ip_file, ip_line); } /* The host key has changed. */ - fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); - error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); - error("It is also possible that the %s host key has just been changed.", type); - error("The fingerprint for the %s key sent by the remote host is\n%s.", - type, fp); - error("Please contact your system administrator."); + warn_changed_key(host_key); error("Add correct host key in %.100s to get rid of this message.", user_hostfile); error("Offending key in %s:%d", host_file, host_line); - xfree(fp); /* * If strict host key checking is in use, the user will have @@ -1045,3 +1036,25 @@ show_other_keys(const char *host, Key *key) } return (found); } + +static void +warn_changed_key(Key *host_key) +{ + char *fp; + char *type = key_type(host_key); + + fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); + + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); + error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); + error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); + error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); + error("It is also possible that the %s host key has just been changed.", type); + error("The fingerprint for the %s key sent by the remote host is\n%s.", + type, fp); + error("Please contact your system administrator."); + + xfree(fp); + xfree(type); +} -- cgit v1.2.3 
From 8f746ec9703a0072c7a07a25e4c059f7533bf94b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:11:15 +1100 Subject: - jakob@cvs.openbsd.org 2003/11/03 09:37:32 [sshconnect.c] do not free static type pointer in warn_changed_key() --- ChangeLog | 5 ++++- sshconnect.c | 5 ++--- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index a210ccf31..86f4bffe8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ - jakob@cvs.openbsd.org 2003/11/03 09:09:41 [sshconnect.c] move changed key warning into warn_changed_key(). ok markus@ + - jakob@cvs.openbsd.org 2003/11/03 09:37:32 + [sshconnect.c] + do not free static type pointer in warn_changed_key() 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1427,4 +1430,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3099 2003/11/17 10:10:47 djm Exp $ +$Id: ChangeLog,v 1.3100 2003/11/17 10:11:15 djm Exp $ diff --git a/sshconnect.c b/sshconnect.c index 3c8f480ed..55ebd7ef2 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.150 2003/11/03 09:09:41 jakob Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.151 2003/11/03 09:37:32 jakob Exp $"); #include @@ -1041,7 +1041,7 @@ static void warn_changed_key(Key *host_key) { char *fp; - char *type = key_type(host_key); + const char *type = key_type(host_key); fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); @@ -1056,5 +1056,4 @@ warn_changed_key(Key *host_key) error("Please contact your system administrator."); xfree(fp); - xfree(type); } -- cgit v1.2.3 From 3e3b5145e59c78cbde0f31f59a9267867b8eea2f Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 17 Nov 2003 21:13:40 +1100 Subject: - djm@cvs.openbsd.org 2003/11/04 08:54:09 [auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c] [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c] [session.c] standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@ --- ChangeLog | 8 +++++++- auth-krb5.c | 4 ++-- auth-passwd.c | 7 ++----- auth-rh-rsa.c | 7 ++++--- auth-rhosts.c | 6 +----- auth-rsa.c | 7 ++++--- auth.h | 6 +++--- auth1.c | 6 +++--- auth2-pubkey.c | 5 +---- auth2.c | 3 +-- monitor.c | 4 ++-- serverloop.c | 6 +++--- session.c | 4 ++-- 13 files changed, 35 insertions(+), 38 deletions(-) diff --git a/ChangeLog b/ChangeLog index 86f4bffe8..eb617187a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,12 @@ - jakob@cvs.openbsd.org 2003/11/03 09:37:32 [sshconnect.c] do not free static type pointer in warn_changed_key() + - djm@cvs.openbsd.org 2003/11/04 08:54:09 + [auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c] + [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c] + [session.c] + standardise arguments to auth methods - they should all take authctxt. + check authctxt->valid rather then pw != NULL; ok markus@ 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1430,4 +1436,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3100 2003/11/17 10:11:15 djm Exp $ +$Id: ChangeLog,v 1.3101 2003/11/17 10:13:40 djm Exp $ diff --git a/auth-krb5.c b/auth-krb5.c index e31f2eb0e..101e53bca 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.13 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.14 2003/11/04 08:54:09 djm Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -72,7 +72,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) krb5_error_code problem; krb5_ccache ccache = NULL; - if (authctxt->pw == NULL) + if (!authctxt->valid) return (0); temporarily_use_uid(authctxt->pw); diff --git a/auth-passwd.c b/auth-passwd.c index 971c7ba19..b7e275556 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $"); #include "packet.h" #include "log.h" @@ -60,11 +60,8 @@ auth_password(Authctxt *authctxt, const char *password) struct passwd * pw = authctxt->pw; int ok = authctxt->valid; - /* deny if no user. */ - if (pw == NULL) - return 0; #ifndef HAVE_CYGWIN - if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 2eb7e6e2d..29eb538ec 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rh-rsa.c,v 1.36 2003/06/02 09:17:34 markus Exp $"); +RCSID("$OpenBSD: auth-rh-rsa.c,v 1.37 2003/11/04 08:54:09 djm Exp $"); #include "packet.h" #include "uidswap.h" @@ -52,14 +52,15 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost, * its host key. Returns true if authentication succeeds. */ int -auth_rhosts_rsa(struct passwd *pw, char *cuser, Key *client_host_key) +auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key) { char *chost; + struct passwd *pw = authctxt->pw; debug("Trying rhosts with RSA host authentication for client user %.100s", cuser); - if (pw == NULL || client_host_key == NULL || + if (!authctxt->valid || client_host_key == NULL || client_host_key->rsa == NULL) return 0; diff --git a/auth-rhosts.c b/auth-rhosts.c index b42a64c90..585246e82 100644 
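Review bot: auth_password now dereferences `pw->pw_uid` with no NULL check: the hunk removes `if (pw == NULL) return 0;` and the `pw &&` guard, and `ok = authctxt->valid` is only consulted afterwards. This is safe only if `authctxt->pw` is non-NULL even for an invalid user, which is not visible here. If that invariant holds, state it in a comment; otherwise keep a guard such as `if (pw == NULL) return 0;` ahead of the dereference. The same reliance on the caller applies to the guards removed from auth_rhosts2_raw (auth-rhosts.c) and user_key_allowed2 (auth2-pubkey.c), which still take a bare `struct passwd *` and pass it straight to `temporarily_use_uid()`. auth_password's body continues past the hunk.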
--- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.31 2003/06/02 09:17:34 markus Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.32 2003/11/04 08:54:09 djm Exp $"); #include "packet.h" #include "uidswap.h" @@ -173,10 +173,6 @@ auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostnam debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s", client_user, hostname, ipaddr); - /* no user given */ - if (pw == NULL) - return 0; - /* Switch to the user's uid. */ temporarily_use_uid(pw); /* diff --git a/auth-rsa.c b/auth-rsa.c index 5631d238c..2f0746b30 100644 --- a/auth-rsa.c +++ b/auth-rsa.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.57 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: auth-rsa.c,v 1.58 2003/11/04 08:54:09 djm Exp $"); #include #include @@ -284,13 +284,14 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey) * successful. This may exit if there is a serious protocol violation. */ int -auth_rsa(struct passwd *pw, BIGNUM *client_n) +auth_rsa(Authctxt *authctxt, BIGNUM *client_n) { Key *key; char *fp; + struct passwd *pw = authctxt->pw; /* no user given */ - if (pw == NULL) + if (!authctxt->valid) return 0; if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) { diff --git a/auth.h b/auth.h index b081bb5cb..34afdb492 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.47 2003/09/23 20:17:11 markus Exp $ */ +/* $OpenBSD: auth.h,v 1.48 2003/11/04 08:54:09 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
@@ -102,9 +102,9 @@ int auth_rhosts(struct passwd *, const char *); int auth_rhosts2(struct passwd *, const char *, const char *, const char *); -int auth_rhosts_rsa(struct passwd *, char *, Key *); +int auth_rhosts_rsa(Authctxt *, char *, Key *); int auth_password(Authctxt *, const char *); -int auth_rsa(struct passwd *, BIGNUM *); +int auth_rsa(Authctxt *, BIGNUM *); int auth_rsa_challenge_dialog(Key *); BIGNUM *auth_rsa_generate_challenge(Key *); int auth_rsa_verify_response(Key *, BIGNUM *, u_char[]); diff --git a/auth1.c b/auth1.c index 38c0bf93c..ea81524f1 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.53 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.54 2003/11/04 08:54:09 djm Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -139,7 +139,7 @@ do_authloop(Authctxt *authctxt) BN_num_bits(client_host_key->rsa->n), bits); packet_check_eom(); - authenticated = auth_rhosts_rsa(pw, client_user, + authenticated = auth_rhosts_rsa(authctxt, client_user, client_host_key); key_free(client_host_key); @@ -156,7 +156,7 @@ do_authloop(Authctxt *authctxt) fatal("do_authloop: BN_new failed"); packet_get_bignum(n); packet_check_eom(); - authenticated = auth_rsa(pw, n); + authenticated = auth_rsa(authctxt, n); BN_clear_free(n); break; diff --git a/auth2-pubkey.c b/auth2-pubkey.c index d51e939f1..c28571ab6 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2-pubkey.c,v 1.4 2003/06/24 08:23:46 markus Exp $"); +RCSID("$OpenBSD: auth2-pubkey.c,v 1.5 2003/11/04 08:54:09 djm Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -175,9 +175,6 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) Key *found; char *fp; - if (pw == NULL) - return 0; - /* Temporarily use the user's uid. */ temporarily_use_uid(pw); diff --git a/auth2.c b/auth2.c index ef1173fe6..a9490ccfd 100644 --- a/auth2.c +++ b/auth2.c 
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.103 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -77,7 +77,6 @@ static void input_userauth_request(int, u_int32_t, void *); static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); int user_key_allowed(struct passwd *, Key *); -int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); /* * loop until authctxt->success == TRUE diff --git a/monitor.c b/monitor.c index eaf66f7c8..e83fb45a7 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.50 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.51 2003/11/04 08:54:09 djm Exp $"); #include @@ -946,7 +946,7 @@ mm_answer_keyallowed(int socket, Buffer *m) debug3("%s: key_from_blob: %p", __func__, key); - if (key != NULL && authctxt->pw != NULL) { + if (key != NULL && authctxt->valid) { switch(type) { case MM_USERKEY: allowed = options.pubkey_authentication && diff --git a/serverloop.c b/serverloop.c index 21656cf87..98793b756 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.111 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.112 2003/11/04 08:54:09 djm Exp $"); #include "xmalloc.h" #include "packet.h" @@ -973,8 +973,8 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) u_short listen_port; pw = the_authctxt->pw; - if (pw == NULL) - fatal("server_input_global_request: no user"); + if (pw == NULL || !the_authctxt->pw) + fatal("server_input_global_request: no/invalid user"); listen_address = packet_get_string(NULL); listen_port = (u_short)packet_get_int(); debug("server_input_global_request: tcpip-forward listen %s port %d", diff --git a/session.c b/session.c index 2b228906d..0f8032430 100644 --- a/session.c 
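Review bot: The new condition in server_input_global_request, `if (pw == NULL || !the_authctxt->pw)`, tests the same pointer twice, because `pw` is assigned from `the_authctxt->pw` on the line above. The validity flag that the rest of this commit switches to is never consulted here. The line should read `if (pw == NULL || !the_authctxt->valid)`, matching the check added to session_open in session.c. As written, a context whose `pw` is set but whose `valid` flag is clear is not stopped by this guard before the tcpip-forward request is parsed. The function body continues outside the hunk.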
+++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.166 2003/10/14 19:54:39 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.167 2003/11/04 08:54:09 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -1532,7 +1532,7 @@ session_open(Authctxt *authctxt, int chanid) } s->authctxt = authctxt; s->pw = authctxt->pw; - if (s->pw == NULL) + if (s->pw == NULL || !authctxt->valid) fatal("no user for session %d", s->self); debug("session_open: session %d: link with channel %d", s->self, chanid); s->chanid = chanid; -- cgit v1.2.3 From a9fcd3ada222a731b8e6cce02b1693e31ca15695 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:16:55 +1100 Subject: - jakob@cvs.openbsd.org 2003/11/08 16:02:40 [auth1.c] remove unused variable (pw). ok djm@ (id sync only - still used in portable) --- ChangeLog | 6 +++++- auth1.c | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index eb617187a..6af457bc8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ [session.c] standardise arguments to auth methods - they should all take authctxt. check authctxt->valid rather then pw != NULL; ok markus@ + - jakob@cvs.openbsd.org 2003/11/08 16:02:40 + [auth1.c] + remove unused variable (pw). ok djm@ + (id sync only - still used in portable) 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1436,4 +1440,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3101 2003/11/17 10:13:40 djm Exp $ +$Id: ChangeLog,v 1.3102 2003/11/17 10:16:55 djm Exp $ diff --git a/auth1.c b/auth1.c index ea81524f1..2156c927d 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.54 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.55 2003/11/08 16:02:40 jakob Exp $"); #include "xmalloc.h" #include "rsa.h" -- cgit v1.2.3 
From 939cd38122a2fadf9e82c15239ac86ec4cd1baec Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:17:24 +1100 Subject: - jmc@cvs.openbsd.org 2003/11/08 19:17:29 [sftp-int.c] typos from Jonathon Gray; --- ChangeLog | 5 ++++- sftp-int.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6af457bc8..e688333f2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,9 @@ [auth1.c] remove unused variable (pw). ok djm@ (id sync only - still used in portable) + - jmc@cvs.openbsd.org 2003/11/08 19:17:29 + [sftp-int.c] + typos from Jonathon Gray; 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1440,4 +1443,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3102 2003/11/17 10:16:55 djm Exp $ +$Id: ChangeLog,v 1.3103 2003/11/17 10:17:24 djm Exp $ diff --git a/sftp-int.c b/sftp-int.c index 2deb29bb1..bc5cce8de 100644 --- a/sftp-int.c +++ b/sftp-int.c @@ -25,7 +25,7 @@ /* XXX: recursive operations */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.63 2003/10/07 07:04:16 djm Exp $"); +RCSID("$OpenBSD: sftp-int.c,v 1.64 2003/11/08 19:17:29 jmc Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -50,7 +50,7 @@ extern int num_requests; /* This is set to 0 if the progressmeter is not desired. */ int showprogress = 1; -/* Seperators for interactive commands */ +/* Separators for interactive commands */ #define WHITESPACE " \t\r\n" /* Define what type of ls view (0 - multi-column) */ -- cgit v1.2.3 From f58b58ced10c2e9ae899f63d4e915ec9723cf5a1 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 17 Nov 2003 21:18:23 +1100 Subject: - jakob@cvs.openbsd.org 2003/11/10 16:23:41 [bufaux.c bufaux.h cipher.c cipher.h hostfile.c hostfile.h key.c] [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c] [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h] constify. ok markus@ & djm@ --- ChangeLog | 7 ++++++- bufaux.c | 6 +++--- bufaux.h | 6 +++--- cipher.c | 12 ++++++------ cipher.h | 12 ++++++------ hostfile.c | 10 +++++----- hostfile.h | 6 +++--- key.c | 40 +++++++++++++++++++++------------------- key.h | 46 +++++++++++++++++++++++----------------------- sftp-common.c | 10 +++++----- sftp-common.h | 10 +++++----- sftp-server.c | 16 ++++++++-------- ssh-dss.c | 20 ++++++++++---------- ssh-rsa.c | 10 +++++----- sshconnect.c | 4 ++-- sshd.c | 11 ++++++----- uuencode.c | 4 ++-- uuencode.h | 4 ++-- 18 files changed, 121 insertions(+), 113 deletions(-) diff --git a/ChangeLog b/ChangeLog index e688333f2..d1b0f6421 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,11 @@ - jmc@cvs.openbsd.org 2003/11/08 19:17:29 [sftp-int.c] typos from Jonathon Gray; + - jakob@cvs.openbsd.org 2003/11/10 16:23:41 + [bufaux.c bufaux.h cipher.c cipher.h hostfile.c hostfile.h key.c] + [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c] + [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h] + constify. ok markus@ & djm@ 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1443,4 +1448,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3103 2003/11/17 10:17:24 djm Exp $ +$Id: ChangeLog,v 1.3104 2003/11/17 10:18:23 djm Exp $ diff --git a/bufaux.c b/bufaux.c index 1df15b548..339d74435 100644 --- a/bufaux.c +++ b/bufaux.c 
@@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: bufaux.c,v 1.30 2003/09/18 13:02:21 miod Exp $"); +RCSID("$OpenBSD: bufaux.c,v 1.31 2003/11/10 16:23:41 jakob Exp $"); #include #include "bufaux.h" @@ -50,7 +50,7 @@ RCSID("$OpenBSD: bufaux.c,v 1.30 2003/09/18 13:02:21 miod Exp $"); * by (bits+7)/8 bytes of binary data, msb first. */ void -buffer_put_bignum(Buffer *buffer, BIGNUM *value) +buffer_put_bignum(Buffer *buffer, const BIGNUM *value) { int bits = BN_num_bits(value); int bin_size = (bits + 7) / 8; @@ -101,7 +101,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value) * Stores an BIGNUM in the buffer in SSH2 format. */ void -buffer_put_bignum2(Buffer *buffer, BIGNUM *value) +buffer_put_bignum2(Buffer *buffer, const BIGNUM *value) { u_int bytes = BN_num_bytes(value) + 1; u_char *buf = xmalloc(bytes); diff --git a/bufaux.h b/bufaux.h index 935553579..61c72e353 100644 --- a/bufaux.h +++ b/bufaux.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bufaux.h,v 1.18 2002/04/20 09:14:58 markus Exp $ */ +/* $OpenBSD: bufaux.h,v 1.19 2003/11/10 16:23:41 jakob Exp $ */ /* * Author: Tatu Ylonen @@ -18,8 +18,8 @@ #include "buffer.h" #include -void buffer_put_bignum(Buffer *, BIGNUM *); -void buffer_put_bignum2(Buffer *, BIGNUM *); +void buffer_put_bignum(Buffer *, const BIGNUM *); +void buffer_put_bignum2(Buffer *, const BIGNUM *); void buffer_get_bignum(Buffer *, BIGNUM *); void buffer_get_bignum2(Buffer *, BIGNUM *); diff --git a/cipher.c b/cipher.c index ce533670b..a1c40cc4a 100644 --- a/cipher.c +++ b/cipher.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.65 2003/05/17 04:27:52 markus Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.66 2003/11/10 16:23:41 jakob Exp $"); #include "xmalloc.h" #include "log.h" 
@@ -99,19 +99,19 @@ struct Cipher { /*--*/ u_int -cipher_blocksize(Cipher *c) +cipher_blocksize(const Cipher *c) { return (c->block_size); } u_int -cipher_keylen(Cipher *c) +cipher_keylen(const Cipher *c) { return (c->key_len); } u_int -cipher_get_number(Cipher *c) +cipher_get_number(const Cipher *c) { return (c->number); } @@ -311,7 +311,7 @@ cipher_set_key_string(CipherContext *cc, Cipher *cipher, */ int -cipher_get_keyiv_len(CipherContext *cc) +cipher_get_keyiv_len(const CipherContext *cc) { Cipher *c = cc->cipher; int ivlen; @@ -397,7 +397,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) #endif int -cipher_get_keycontext(CipherContext *cc, u_char *dat) +cipher_get_keycontext(const CipherContext *cc, u_char *dat) { Cipher *c = cc->cipher; int plen = 0; diff --git a/cipher.h b/cipher.h index fc7f6dd0f..74b3669fd 100644 --- a/cipher.h +++ b/cipher.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cipher.h,v 1.33 2002/03/18 17:13:15 markus Exp $ */ +/* $OpenBSD: cipher.h,v 1.34 2003/11/10 16:23:41 jakob Exp $ */ /* * Author: Tatu Ylonen @@ -79,13 +79,13 @@ void cipher_init(CipherContext *, Cipher *, const u_char *, u_int, void cipher_crypt(CipherContext *, u_char *, const u_char *, u_int); void cipher_cleanup(CipherContext *); void cipher_set_key_string(CipherContext *, Cipher *, const char *, int); -u_int cipher_blocksize(Cipher *); -u_int cipher_keylen(Cipher *); +u_int cipher_blocksize(const Cipher *); +u_int cipher_keylen(const Cipher *); -u_int cipher_get_number(Cipher *); +u_int cipher_get_number(const Cipher *); void cipher_get_keyiv(CipherContext *, u_char *, u_int); void cipher_set_keyiv(CipherContext *, u_char *); -int cipher_get_keyiv_len(CipherContext *); -int cipher_get_keycontext(CipherContext *, u_char *); +int cipher_get_keyiv_len(const CipherContext *); +int cipher_get_keycontext(const CipherContext *, u_char *); void cipher_set_keycontext(CipherContext *, u_char *); #endif /* CIPHER_H */ diff --git a/hostfile.c b/hostfile.c index 42a8aa71d..88c054912 100644 
--- a/hostfile.c +++ b/hostfile.c @@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: hostfile.c,v 1.31 2003/04/08 20:21:28 itojun Exp $"); +RCSID("$OpenBSD: hostfile.c,v 1.32 2003/11/10 16:23:41 jakob Exp $"); #include "packet.h" #include "match.h" @@ -72,7 +72,7 @@ hostfile_read_key(char **cpp, u_int *bitsp, Key *ret) } static int -hostfile_check_key(int bits, Key *key, const char *host, const char *filename, int linenum) +hostfile_check_key(int bits, const Key *key, const char *host, const char *filename, int linenum) { if (key == NULL || key->type != KEY_RSA1 || key->rsa == NULL) return 1; @@ -98,7 +98,7 @@ hostfile_check_key(int bits, Key *key, const char *host, const char *filename, i static HostStatus check_host_in_hostfile_by_key_or_type(const char *filename, - const char *host, Key *key, int keytype, Key *found, int *numret) + const char *host, const Key *key, int keytype, Key *found, int *numret) { FILE *f; char line[8192]; @@ -188,7 +188,7 @@ check_host_in_hostfile_by_key_or_type(const char *filename, } HostStatus -check_host_in_hostfile(const char *filename, const char *host, Key *key, +check_host_in_hostfile(const char *filename, const char *host, const Key *key, Key *found, int *numret) { if (key == NULL) @@ -211,7 +211,7 @@ lookup_key_in_hostfile_by_type(const char *filename, const char *host, */ int -add_host_to_hostfile(const char *filename, const char *host, Key *key) +add_host_to_hostfile(const char *filename, const char *host, const Key *key) { FILE *f; int success = 0; diff --git a/hostfile.h b/hostfile.h index e3d116581..efcddc9f9 100644 --- a/hostfile.h +++ b/hostfile.h @@ -1,4 +1,4 @@ -/* $OpenBSD: hostfile.h,v 1.13 2002/11/21 23:03:51 deraadt Exp $ */ +/* $OpenBSD: hostfile.h,v 1.14 2003/11/10 16:23:41 jakob Exp $ */ /* * Author: Tatu Ylonen 
@@ -20,8 +20,8 @@ typedef enum { int hostfile_read_key(char **, u_int *, Key *); HostStatus check_host_in_hostfile(const char *, const char *, - Key *, Key *, int *); -int add_host_to_hostfile(const char *, const char *, Key *); + const Key *, Key *, int *); +int add_host_to_hostfile(const char *, const char *, const Key *); int lookup_key_in_hostfile_by_type(const char *, const char *, int, Key *, int *); diff --git a/key.c b/key.c index 54318cbbf..323e6ff84 100644 --- a/key.c +++ b/key.c @@ -32,7 +32,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: key.c,v 1.54 2003/07/09 13:58:19 avsm Exp $"); +RCSID("$OpenBSD: key.c,v 1.55 2003/11/10 16:23:41 jakob Exp $"); #include @@ -143,8 +143,9 @@ key_free(Key *k) } xfree(k); } + int -key_equal(Key *a, Key *b) +key_equal(const Key *a, const Key *b) { if (a == NULL || b == NULL || a->type != b->type) return 0; @@ -170,7 +171,8 @@ key_equal(Key *a, Key *b) } u_char* -key_fingerprint_raw(Key *k, enum fp_type dgst_type, u_int *dgst_raw_length) +key_fingerprint_raw(const Key *k, enum fp_type dgst_type, + u_int *dgst_raw_length) { const EVP_MD *md = NULL; EVP_MD_CTX ctx; @@ -292,7 +294,7 @@ key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len) } char * -key_fingerprint(Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) +key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep) { char *retval = NULL; u_char *dgst_raw; @@ -490,7 +492,7 @@ key_read(Key *ret, char **cpp) } int -key_write(Key *key, FILE *f) +key_write(const Key *key, FILE *f) { int n, success = 0; u_int len, bits = 0; @@ -522,8 +524,8 @@ key_write(Key *key, FILE *f) return success; } -char * -key_type(Key *k) +const char * +key_type(const Key *k) { switch (k->type) { case KEY_RSA1: @@ -539,8 +541,8 @@ key_type(Key *k) return "unknown"; } -char * -key_ssh_name(Key *k) +const char * +key_ssh_name(const Key *k) { switch (k->type) { case KEY_RSA: 
@@ -554,7 +556,7 @@ key_ssh_name(Key *k) } u_int -key_size(Key *k) +key_size(const Key *k) { switch (k->type) { case KEY_RSA1: @@ -611,7 +613,7 @@ key_generate(int type, u_int bits) } Key * -key_from_private(Key *k) +key_from_private(const Key *k) { Key *n = NULL; switch (k->type) { @@ -676,7 +678,7 @@ key_names_valid2(const char *names) } Key * -key_from_blob(u_char *blob, u_int blen) +key_from_blob(const u_char *blob, u_int blen) { Buffer b; char *ktype; @@ -726,7 +728,7 @@ key_from_blob(u_char *blob, u_int blen) } int -key_to_blob(Key *key, u_char **blobp, u_int *lenp) +key_to_blob(const Key *key, u_char **blobp, u_int *lenp) { Buffer b; int len; @@ -768,9 +770,9 @@ key_to_blob(Key *key, u_char **blobp, u_int *lenp) int key_sign( - Key *key, + const Key *key, u_char **sigp, u_int *lenp, - u_char *data, u_int datalen) + const u_char *data, u_int datalen) { switch (key->type) { case KEY_DSA: @@ -792,9 +794,9 @@ key_sign( */ int key_verify( - Key *key, - u_char *signature, u_int signaturelen, - u_char *data, u_int datalen) + const Key *key, + const u_char *signature, u_int signaturelen, + const u_char *data, u_int datalen) { if (signaturelen == 0) return -1; @@ -815,7 +817,7 @@ key_verify( /* Converts a private to a public key */ Key * -key_demote(Key *k) +key_demote(const Key *k) { Key *pk; diff --git a/key.h b/key.h index 28753fdfa..50df8500b 100644 --- a/key.h +++ b/key.h @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.22 2003/06/24 08:23:46 markus Exp $ */ +/* $OpenBSD: key.h,v 1.23 2003/11/10 16:23:41 jakob Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 
@@ -55,33 +55,33 @@ struct Key { DSA *dsa; }; -Key *key_new(int); -Key *key_new_private(int); -void key_free(Key *); -Key *key_demote(Key *); -int key_equal(Key *, Key *); -char *key_fingerprint(Key *, enum fp_type, enum fp_rep); -u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); -char *key_type(Key *); -int key_write(Key *, FILE *); -int key_read(Key *, char **); -u_int key_size(Key *); +Key *key_new(int); +Key *key_new_private(int); +void key_free(Key *); +Key *key_demote(const Key *); +int key_equal(const Key *, const Key *); +char *key_fingerprint(const Key *, enum fp_type, enum fp_rep); +u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *); +const char *key_type(const Key *); +int key_write(const Key *, FILE *); +int key_read(Key *, char **); +u_int key_size(const Key *); Key *key_generate(int, u_int); -Key *key_from_private(Key *); +Key *key_from_private(const Key *); int key_type_from_name(char *); -Key *key_from_blob(u_char *, u_int); -int key_to_blob(Key *, u_char **, u_int *); -char *key_ssh_name(Key *); -int key_names_valid2(const char *); +Key *key_from_blob(const u_char *, u_int); +int key_to_blob(const Key *, u_char **, u_int *); +const char *key_ssh_name(const Key *); +int key_names_valid2(const char *); -int key_sign(Key *, u_char **, u_int *, u_char *, u_int); -int key_verify(Key *, u_char *, u_int, u_char *, u_int); +int key_sign(const Key *, u_char **, u_int *, const u_char *, u_int); +int key_verify(const Key *, const u_char *, u_int, const u_char *, u_int); -int ssh_dss_sign(Key *, u_char **, u_int *, u_char *, u_int); -int ssh_dss_verify(Key *, u_char *, u_int, u_char *, u_int); -int ssh_rsa_sign(Key *, u_char **, u_int *, u_char *, u_int); -int ssh_rsa_verify(Key *, u_char *, u_int, u_char *, u_int); +int ssh_dss_sign(const Key *, u_char **, u_int *, const u_char *, u_int); +int ssh_dss_verify(const Key *, const u_char *, u_int, const u_char *, u_int); +int ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, 
u_int); +int ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int); #endif diff --git a/sftp-common.c b/sftp-common.c index 5313b134d..4cea3c305 100644 --- a/sftp-common.c +++ b/sftp-common.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sftp-common.c,v 1.9 2003/05/24 09:30:40 djm Exp $"); +RCSID("$OpenBSD: sftp-common.c,v 1.10 2003/11/10 16:23:41 jakob Exp $"); #include "buffer.h" #include "bufaux.h" @@ -49,7 +49,7 @@ attrib_clear(Attrib *a) /* Convert from struct stat to filexfer attribs */ void -stat_to_attrib(struct stat *st, Attrib *a) +stat_to_attrib(const struct stat *st, Attrib *a) { attrib_clear(a); a->flags = 0; @@ -67,7 +67,7 @@ stat_to_attrib(struct stat *st, Attrib *a) /* Convert from filexfer attribs to struct stat */ void -attrib_to_stat(Attrib *a, struct stat *st) +attrib_to_stat(const Attrib *a, struct stat *st) { memset(st, 0, sizeof(*st)); @@ -124,7 +124,7 @@ decode_attrib(Buffer *b) /* Encode attributes to buffer */ void -encode_attrib(Buffer *b, Attrib *a) +encode_attrib(Buffer *b, const Attrib *a) { buffer_put_int(b, a->flags); if (a->flags & SSH2_FILEXFER_ATTR_SIZE) @@ -174,7 +174,7 @@ fx2txt(int status) * drwxr-xr-x 5 markus markus 1024 Jan 13 18:39 .ssh */ char * -ls_file(char *name, struct stat *st, int remote) +ls_file(const char *name, const struct stat *st, int remote) { int ulen, glen, sz = 0; struct passwd *pw; diff --git a/sftp-common.h b/sftp-common.h index 201611cc4..b42ba9140 100644 --- a/sftp-common.h +++ b/sftp-common.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sftp-common.h,v 1.4 2002/09/11 22:41:50 djm Exp $ */ +/* $OpenBSD: sftp-common.h,v 1.5 2003/11/10 16:23:41 jakob Exp $ */ /* * Copyright (c) 2001 Markus Friedl. All rights reserved. 
@@ -39,10 +39,10 @@ struct Attrib { }; void attrib_clear(Attrib *); -void stat_to_attrib(struct stat *, Attrib *); -void attrib_to_stat(Attrib *, struct stat *); +void stat_to_attrib(const struct stat *, Attrib *); +void attrib_to_stat(const Attrib *, struct stat *); Attrib *decode_attrib(Buffer *); -void encode_attrib(Buffer *, Attrib *); -char *ls_file(char *, struct stat *, int); +void encode_attrib(Buffer *, const Attrib *); +char *ls_file(const char *, const struct stat *, int); const char *fx2txt(int); diff --git a/sftp-server.c b/sftp-server.c index 9166853ed..d528a1d6e 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-server.c,v 1.43 2003/06/25 22:39:36 miod Exp $"); +RCSID("$OpenBSD: sftp-server.c,v 1.44 2003/11/10 16:23:41 jakob Exp $"); #include "buffer.h" #include "bufaux.h" @@ -149,7 +149,7 @@ handle_init(void) } static int -handle_new(int use, char *name, int fd, DIR *dirp) +handle_new(int use, const char *name, int fd, DIR *dirp) { int i; @@ -184,7 +184,7 @@ handle_to_string(int handle, char **stringp, int *hlenp) } static int -handle_from_string(char *handle, u_int hlen) +handle_from_string(const char *handle, u_int hlen) { int val; @@ -298,7 +298,7 @@ send_status(u_int32_t id, u_int32_t error) buffer_free(&msg); } static void -send_data_or_handle(char type, u_int32_t id, char *data, int dlen) +send_data_or_handle(char type, u_int32_t id, const char *data, int dlen) { Buffer msg; @@ -311,7 +311,7 @@ send_data_or_handle(char type, u_int32_t id, char *data, int dlen) } static void -send_data(u_int32_t id, char *data, int dlen) +send_data(u_int32_t id, const char *data, int dlen) { TRACE("sent data id %u len %d", id, dlen); send_data_or_handle(SSH2_FXP_DATA, id, data, dlen); 
@@ -330,7 +330,7 @@ send_handle(u_int32_t id, int handle) } static void -send_names(u_int32_t id, int count, Stat *stats) +send_names(u_int32_t id, int count, const Stat *stats) { Buffer msg; int i; @@ -350,7 +350,7 @@ send_names(u_int32_t id, int count, Stat *stats) } static void -send_attrib(u_int32_t id, Attrib *a) +send_attrib(u_int32_t id, const Attrib *a) { Buffer msg; @@ -567,7 +567,7 @@ process_fstat(void) } static struct timeval * -attrib_to_tv(Attrib *a) +attrib_to_tv(const Attrib *a) { static struct timeval tv[2]; diff --git a/ssh-dss.c b/ssh-dss.c index 6cedcc4dc..381b7dedb 100644 --- a/ssh-dss.c +++ b/ssh-dss.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-dss.c,v 1.18 2003/02/12 09:33:04 markus Exp $"); +RCSID("$OpenBSD: ssh-dss.c,v 1.19 2003/11/10 16:23:41 jakob Exp $"); #include #include @@ -39,8 +39,8 @@ RCSID("$OpenBSD: ssh-dss.c,v 1.18 2003/02/12 09:33:04 markus Exp $"); #define SIGBLOB_LEN (2*INTBLOB_LEN) int -ssh_dss_sign(Key *key, u_char **sigp, u_int *lenp, - u_char *data, u_int datalen) +ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp, + const u_char *data, u_int datalen) { DSA_SIG *sig; const EVP_MD *evp_md = EVP_sha1(); @@ -101,8 +101,8 @@ ssh_dss_sign(Key *key, u_char **sigp, u_int *lenp, return 0; } int -ssh_dss_verify(Key *key, u_char *signature, u_int signaturelen, - u_char *data, u_int datalen) +ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen, + const u_char *data, u_int datalen) { DSA_SIG *sig; const EVP_MD *evp_md = EVP_sha1(); @@ -119,7 +119,8 @@ ssh_dss_verify(Key *key, u_char *signature, u_int signaturelen, /* fetch signature */ if (datafellows & SSH_BUG_SIGBLOB) { - sigblob = signature; + sigblob = xmalloc(signaturelen); + memcpy(sigblob, signature, signaturelen); len = signaturelen; } else { /* ietf-drafts */ 
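Review bot: In the SSH_BUG_SIGBLOB branch of ssh_dss_verify, the new `xmalloc(signaturelen)` and `memcpy` run before any length check visible in this hunk. The following hunk then reads `2*INTBLOB_LEN` bytes from `sigblob` through the two `BN_bin2bn` calls. If the existing validation of `len` sits after the branch (it is outside the hunk, so this is not confirmed), I would reject a wrong size before copying, e.g. `if (signaturelen != SIGBLOB_LEN) return -1;` at the top of the branch, or whichever failure path the function already uses. That keeps a peer-supplied length from sizing an allocation that would be discarded anyway.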
@@ -159,10 +160,9 @@ ssh_dss_verify(Key *key, u_char *signature, u_int signaturelen, BN_bin2bn(sigblob, INTBLOB_LEN, sig->r); BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s); - if (!(datafellows & SSH_BUG_SIGBLOB)) { - memset(sigblob, 0, len); - xfree(sigblob); - } + /* clean up */ + memset(sigblob, 0, len); + xfree(sigblob); /* sha1 the data */ EVP_DigestInit(&md, evp_md); diff --git a/ssh-rsa.c b/ssh-rsa.c index 53e5023f7..6e3be0a7e 100644 --- a/ssh-rsa.c +++ b/ssh-rsa.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: ssh-rsa.c,v 1.30 2003/06/18 11:28:11 markus Exp $"); +RCSID("$OpenBSD: ssh-rsa.c,v 1.31 2003/11/10 16:23:41 jakob Exp $"); #include #include @@ -31,8 +31,8 @@ static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *); /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */ int -ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp, - u_char *data, u_int datalen) +ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp, + const u_char *data, u_int datalen) { const EVP_MD *evp_md; EVP_MD_CTX md; @@ -96,8 +96,8 @@ ssh_rsa_sign(Key *key, u_char **sigp, u_int *lenp, } int -ssh_rsa_verify(Key *key, u_char *signature, u_int signaturelen, - u_char *data, u_int datalen) +ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen, + const u_char *data, u_int datalen) { Buffer b; const EVP_MD *evp_md; diff --git a/sshconnect.c b/sshconnect.c index 55ebd7ef2..bf8c23d73 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.151 2003/11/03 09:37:32 jakob Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $"); #include 
@@ -563,7 +563,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, int readonly, const char *user_hostfile, const char *system_hostfile) { Key *file_key; - char *type = key_type(host_key); + const char *type = key_type(host_key); char *ip = NULL; char hostline[1000], *hostp, *fp; HostStatus host_status; diff --git a/sshd.c b/sshd.c index 7d97c92de..a9001a040 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.280 2003/10/02 10:41:59 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.281 2003/11/10 16:23:41 jakob Exp $"); #include #include @@ -668,7 +668,8 @@ static char * list_hostkey_types(void) { Buffer b; - char *p; + const char *p; + char *ret; int i; buffer_init(&b); @@ -687,10 +688,10 @@ list_hostkey_types(void) } } buffer_append(&b, "\0", 1); - p = xstrdup(buffer_ptr(&b)); + ret = xstrdup(buffer_ptr(&b)); buffer_free(&b); - debug("list_hostkey_types: %s", p); - return p; + debug("list_hostkey_types: %s", ret); + return ret; } Key * diff --git a/uuencode.c b/uuencode.c index 21eaf4d3f..0a7c8d16a 100644 --- a/uuencode.c +++ b/uuencode.c @@ -23,13 +23,13 @@ */ #include "includes.h" -RCSID("$OpenBSD: uuencode.c,v 1.16 2002/09/09 14:54:15 markus Exp $"); +RCSID("$OpenBSD: uuencode.c,v 1.17 2003/11/10 16:23:41 jakob Exp $"); #include "xmalloc.h" #include "uuencode.h" int -uuencode(u_char *src, u_int srclength, +uuencode(const u_char *src, u_int srclength, char *target, size_t targsize) { return __b64_ntop(src, srclength, target, targsize); diff --git a/uuencode.h b/uuencode.h index 682b623ac..08e87c4bc 100644 --- a/uuencode.h +++ b/uuencode.h @@ -1,4 +1,4 @@ -/* $OpenBSD: uuencode.h,v 1.9 2002/02/25 16:33:27 markus Exp $ */ +/* $OpenBSD: uuencode.h,v 1.10 2003/11/10 16:23:41 jakob Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. 
@@ -26,7 +26,7 @@ #ifndef UUENCODE_H #define UUENCODE_H -int uuencode(u_char *, u_int, char *, size_t); +int uuencode(const u_char *, u_int, char *, size_t); int uudecode(const char *, u_char *, size_t); void dump_base64(FILE *, u_char *, u_int); #endif -- cgit v1.2.3 From c1f2792bd056dcefef5de55c5cbfdb1f790fd339 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:19:05 +1100 Subject: - dtucker@cvs.openbsd.org 2003/11/12 10:12:15 [scp.c] When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@ --- ChangeLog | 5 ++++- scp.c | 3 ++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index d1b0f6421..40a393109 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,9 @@ [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c] [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h] constify. ok markus@ & djm@ + - dtucker@cvs.openbsd.org 2003/11/12 10:12:15 + [scp.c] + When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@ 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1448,4 +1451,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3104 2003/11/17 10:18:23 djm Exp $ +$Id: ChangeLog,v 1.3105 2003/11/17 10:19:05 djm Exp $ diff --git a/scp.c b/scp.c index 364ab2860..36cf1b442 100644 --- a/scp.c +++ b/scp.c @@ -71,7 +71,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.110 2003/10/08 08:27:36 jmc Exp $"); +RCSID("$OpenBSD: scp.c,v 1.111 2003/11/12 10:12:15 dtucker Exp $"); #include "xmalloc.h" #include "atomicio.h" @@ -273,6 +273,7 @@ main(int argc, char **argv) verbose_mode = 1; break; case 'q': + addargs(&args, "-q"); showprogress = 0; break; -- cgit v1.2.3 From 150b55745b5a0790cfc8d5e6560ab5e7f2f94340 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 17 Nov 2003 21:19:29 +1100 Subject: - jakob@cvs.openbsd.org 2003/11/12 16:39:58 [dns.c dns.h readconf.c ssh_config.5 sshconnect.c] update SSHFP validation. ok markus@ --- ChangeLog | 5 ++++- dns.c | 68 +++++++++++++++++++++++++----------------------------------- dns.h | 13 ++++++------ readconf.c | 5 +++-- ssh_config.5 | 19 ++++++++++++++++- sshconnect.c | 40 ++++++++++++++++++----------------- 6 files changed, 81 insertions(+), 69 deletions(-) diff --git a/ChangeLog b/ChangeLog index 40a393109..b5667e79a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,9 @@ - dtucker@cvs.openbsd.org 2003/11/12 10:12:15 [scp.c] When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@ + - jakob@cvs.openbsd.org 2003/11/12 16:39:58 + [dns.c dns.h readconf.c ssh_config.5 sshconnect.c] + update SSHFP validation. ok markus@ 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1451,4 +1454,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3105 2003/11/17 10:19:05 djm Exp $ +$Id: ChangeLog,v 1.3106 2003/11/17 10:19:29 djm Exp $ diff --git a/dns.c b/dns.c index 2fff1b802..2342b6609 100644 --- a/dns.c +++ b/dns.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.7 2003/10/14 19:42:10 jakob Exp $ */ +/* $OpenBSD: dns.c,v 1.8 2003/11/12 16:39:58 jakob Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -43,7 +43,7 @@ #include "uuencode.h" extern char *__progname; -RCSID("$OpenBSD: dns.c,v 1.7 2003/10/14 19:42:10 jakob Exp $"); +RCSID("$OpenBSD: dns.c,v 1.8 2003/11/12 16:39:58 jakob Exp $"); #ifndef LWRES static const char *errset_text[] = { @@ -83,7 +83,7 @@ dns_result_totext(unsigned int error) */ static int dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type, - u_char **digest, u_int *digest_len, Key *key) + u_char **digest, u_int *digest_len, const Key *key) { int success = 0; 
@@ -145,16 +145,15 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type, /* * Verify the given hostname, address and host key using DNS. - * Returns 0 if key verifies or -1 if key does NOT verify + * Returns 0 if lookup succeeds, -1 otherwise */ int verify_host_key_dns(const char *hostname, struct sockaddr *address, - Key *hostkey) + const Key *hostkey, int *flags) { int counter; int result; struct rrsetinfo *fingerprints = NULL; - int failures = 0; u_int8_t hostkey_algorithm; u_int8_t hostkey_digest_type; @@ -166,6 +165,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, u_char *dnskey_digest; u_int dnskey_digest_len; + *flags = 0; debug3("verify_hostkey_dns"); if (hostkey == NULL) @@ -175,28 +175,29 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, DNS_RDATATYPE_SSHFP, 0, &fingerprints); if (result) { verbose("DNS lookup error: %s", dns_result_totext(result)); - return DNS_VERIFY_ERROR; + return -1; } -#ifdef DNSSEC - /* Only accept validated answers */ - if (!fingerprints->rri_flags & RRSET_VALIDATED) { - error("Ignored unvalidated fingerprint from DNS."); - freerrset(fingerprints); - return DNS_VERIFY_ERROR; + if (fingerprints->rri_flags & RRSET_VALIDATED) { + *flags |= DNS_VERIFY_SECURE; + debug("found %d secure fingerprints in DNS", + fingerprints->rri_nrdatas); + } else { + debug("found %d insecure fingerprints in DNS", + fingerprints->rri_nrdatas); } -#endif - - debug("found %d fingerprints in DNS", fingerprints->rri_nrdatas); /* Initialize host key parameters */ if (!dns_read_key(&hostkey_algorithm, &hostkey_digest_type, &hostkey_digest, &hostkey_digest_len, hostkey)) { error("Error calculating host key fingerprint."); freerrset(fingerprints); - return DNS_VERIFY_ERROR; + return -1; } + if (fingerprints->rri_nrdatas) + *flags |= DNS_VERIFY_FOUND; + for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++) { /* * Extract the key from the answer. Ignore any badly 
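Review bot: The updated header comment on verify_host_key_dns says only `Returns 0 if lookup succeeds, -1 otherwise`, but the security decision now lives entirely in `*flags`, which the comment does not mention. A return of 0 no longer means the key verified: it is also returned when records were found and none matched, and DNS_VERIFY_MATCH can be set without DNS_VERIFY_SECURE when the RRset was not validated. I would extend the comment to state that callers must test DNS_VERIFY_FOUND, DNS_VERIFY_MATCH and DNS_VERIFY_SECURE themselves, that MATCH without SECURE is not proof of host identity, and that the host-key-changed warning removed in the `@@ -218,35 +219,22 @@` hunk is now the caller's job. The sshconnect.c side of this change is not visible here.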
@@ -218,35 +219,22 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, memcmp(hostkey_digest, dnskey_digest, hostkey_digest_len) == 0) { - /* Matching algoritm and digest. */ - freerrset(fingerprints); - debug("matching host key fingerprint found in DNS"); - return DNS_VERIFY_OK; - } else { - /* Correct algorithm but bad digest */ - debug("verify_hostkey_dns: failed"); - failures++; + *flags |= DNS_VERIFY_MATCH; } } } freerrset(fingerprints); - if (failures) { - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @"); - error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"); - error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!"); - error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!"); - error("It is also possible that the %s host key has just been changed.", - key_type(hostkey)); - error("Please contact your system administrator."); - return DNS_VERIFY_FAILED; - } - - debug("fingerprints found in DNS, but none of them matched"); + if (*flags & DNS_VERIFY_FOUND) + if (*flags & DNS_VERIFY_MATCH) + debug("matching host key fingerprint found in DNS"); + else + debug("mismatching host key fingerprint found in DNS"); + else + debug("no host key fingerprint found in DNS"); - return DNS_VERIFY_ERROR; + return 0; } @@ -254,7 +242,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address, * Export the fingerprint of a key as a DNS resource record */ int -export_dns_rr(const char *hostname, Key *key, FILE *f, int generic) +export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic) { u_int8_t rdata_pubkey_algorithm = 0; u_int8_t rdata_digest_type = SSHFP_HASH_SHA1; diff --git a/dns.h b/dns.h index 1eb07d96e..c5da22ef6 100644 --- a/dns.h +++ b/dns.h 
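Review bot: The nested `if (*flags & DNS_VERIFY_FOUND)` / `if (*flags & DNS_VERIFY_MATCH)` chain at the end of verify_host_key_dns has no braces and depends on else-binding to pair the final `else` with the outer test. It parses as intended today, but removing the inner `else` or adding a statement would silently re-attach the "no host key fingerprint found" branch. Brace the outer statement, `if (*flags & DNS_VERIFY_FOUND) {` ... `} else {` ... `}`, so the three debug messages stay tied to the right conditions. The function starts outside this hunk.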
@@ -1,4 +1,4 @@ -/* $OpenBSD: dns.h,v 1.4 2003/10/14 19:42:10 jakob Exp $ */ +/* $OpenBSD: dns.h,v 1.5 2003/11/12 16:39:58 jakob Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved. @@ -45,11 +45,12 @@ enum sshfp_hashes { #define DNS_RDATACLASS_IN 1 #define DNS_RDATATYPE_SSHFP 44 -#define DNS_VERIFY_FAILED -1 -#define DNS_VERIFY_OK 0 -#define DNS_VERIFY_ERROR 1 +#define DNS_VERIFY_FOUND 0x00000001 +#define DNS_VERIFY_MATCH 0x00000002 +#define DNS_VERIFY_SECURE 0x00000004 -int verify_host_key_dns(const char *, struct sockaddr *, Key *); -int export_dns_rr(const char *, Key *, FILE *, int); + +int verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *); +int export_dns_rr(const char *, const Key *, FILE *, int); #endif /* DNS_H */ diff --git a/readconf.c b/readconf.c index 86d28bc8d..da49a3944 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.124 2003/10/14 19:42:10 jakob Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.125 2003/11/12 16:39:58 jakob Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -401,10 +401,11 @@ parse_flag: case oVerifyHostKeyDNS: intptr = &options->verify_host_key_dns; - goto parse_flag; + goto parse_yesnoask; case oStrictHostKeyChecking: intptr = &options->strict_host_key_checking; +parse_yesnoask: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%.200s line %d: Missing yes/no/ask argument.", diff --git a/ssh_config.5 b/ssh_config.5 index 9073ce51f..55ca907eb 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.23 2003/10/12 13:12:13 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.24 2003/11/12 16:39:58 jakob Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -642,6 +642,23 @@ host key database instead of .It Cm VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. +If this option is set to +.Dq yes , +the client will implicitly trust keys that matches a secure fingerprint +from DNS. +Insecure fingerprints will be handled as if this option was set to +.Dq ask . +If this option is set to +.Dq ask , +information on fingerprint match will be displayed, but the user will still +need to confirm new host keys according to the +.Cm StrictHostKeyChecking +option. +The argument must be +.Dq yes , +.Dq no +or +.Dq ask . The default is .Dq no . Note that this option applies to protocol version 2 only. diff --git a/sshconnect.c b/sshconnect.c index bf8c23d73..5972e2ba9 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.153 2003/11/12 16:39:58 jakob Exp $"); #include @@ -38,7 +38,7 @@ RCSID("$OpenBSD: sshconnect.c,v 1.152 2003/11/10 16:23:41 jakob Exp $"); char *client_version_string = NULL; char *server_version_string = NULL; -int verified_host_key_dns = 0; +int matching_host_key_dns = 0; /* import */ extern Options options; @@ -728,7 +728,7 @@ check_host_key(char *host, struct sockaddr *hostaddr, Key *host_key, fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX); msg2[0] = '\0'; if (options.verify_host_key_dns) { - if (verified_host_key_dns) + if (matching_host_key_dns) snprintf(msg2, sizeof(msg2), "Matching host key fingerprint" " found in DNS.\n"); 
@@ -892,23 +892,25 @@ int verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key) { struct stat st; + int flags = 0; - if (options.verify_host_key_dns) { - switch(verify_host_key_dns(host, hostaddr, host_key)) { - case DNS_VERIFY_OK: -#ifdef DNSSEC - return 0; -#else - verified_host_key_dns = 1; - break; -#endif - case DNS_VERIFY_FAILED: - return -1; - case DNS_VERIFY_ERROR: - break; - default: - debug3("bad return value from verify_host_key_dns"); - break; + if (options.verify_host_key_dns && + verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) { + + if (flags & DNS_VERIFY_FOUND) { + + if (options.verify_host_key_dns == 1 && + flags & DNS_VERIFY_MATCH && + flags & DNS_VERIFY_SECURE) + return 0; + + if (flags & DNS_VERIFY_MATCH) { + matching_host_key_dns = 1; + } else { + warn_changed_key(host_key); + error("Update the SSHFP RR in DNS with the new " + "host key to get rid of this message."); + } } } -- cgit v1.2.3 From fe44847cb82d984618176722376f0a491f7b2b29 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:19:49 +1100 Subject: - jmc@cvs.openbsd.org 2003/11/12 20:14:51 [ssh_config.5] make verb agree with subject, and kill some whitespace; --- ChangeLog | 5 ++++- ssh_config.5 | 8 ++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index b5667e79a..eb3c71b3f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -34,6 +34,9 @@ - jakob@cvs.openbsd.org 2003/11/12 16:39:58 [dns.c dns.h readconf.c ssh_config.5 sshconnect.c] update SSHFP validation. ok markus@ + - jmc@cvs.openbsd.org 2003/11/12 20:14:51 + [ssh_config.5] + make verb agree with subject, and kill some whitespace; 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and 
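Review bot: In verify_host_key, `matching_host_key_dns = 1` is set for any match, including one from an RRset that was not validated, and the `DNS_VERIFY_SECURE` bit is discarded at that point. The prompt assembled in check_host_key (earlier hunk) then says only "Matching host key fingerprint found in DNS", so the user cannot tell a validated match from an unvalidated answer, and an unvalidated answer offers no assurance against a party able to forge DNS replies. Carry the distinction through, for example with a companion `matching_host_key_dns_secure = (flags & DNS_VERIFY_SECURE) != 0;` and wording in check_host_key that marks the unvalidated case as such. Note also that a mismatch now only warns and falls through to the known_hosts check even when the RRset was secure; if that is intended it deserves a comment here.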
@@ -1454,4 +1457,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3106 2003/11/17 10:19:29 djm Exp $ +$Id: ChangeLog,v 1.3107 2003/11/17 10:19:49 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 55ca907eb..8857073a5 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.24 2003/11/12 16:39:58 jakob Exp $ +.\" $OpenBSD: ssh_config.5,v 1.25 2003/11/12 20:14:51 jmc Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -644,7 +644,7 @@ Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to .Dq yes , -the client will implicitly trust keys that matches a secure fingerprint +the client will implicitly trust keys that match a secure fingerprint from DNS. Insecure fingerprints will be handled as if this option was set to .Dq ask . @@ -657,8 +657,8 @@ option. The argument must be .Dq yes , .Dq no -or -.Dq ask . +or +.Dq ask . The default is .Dq no . Note that this option applies to protocol version 2 only. -- cgit v1.2.3 From 91c6aa4468a1a8b8e76fbf1c64719055c6acdffa Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:20:18 +1100 Subject: - markus@cvs.openbsd.org 2003/11/14 13:19:09 [sshconnect2.c] cleanup and minor fixes for the client code; from Simon Wilkinson --- ChangeLog | 5 +++- sshconnect2.c | 80 +++++++++++++++++++++++++++-------------------------------- 2 files changed, 40 insertions(+), 45 deletions(-) diff --git a/ChangeLog b/ChangeLog index eb3c71b3f..8eba44a97 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -37,6 +37,9 @@ - jmc@cvs.openbsd.org 2003/11/12 20:14:51 [ssh_config.5] make verb agree with subject, and kill some whitespace; + - markus@cvs.openbsd.org 2003/11/14 13:19:09 + [sshconnect2.c] + cleanup and minor fixes for the client code; from Simon Wilkinson 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1457,4 +1460,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3107 2003/11/17 10:19:49 djm Exp $ +$Id: ChangeLog,v 1.3108 2003/11/17 10:20:18 djm Exp $ diff --git a/sshconnect2.c b/sshconnect2.c index f991f81d8..045f3081f 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.129 2003/11/02 11:01:03 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.130 2003/11/14 13:19:09 markus Exp $"); #include "openbsd-compat/sys-queue.h" 
@@ -537,15 +537,44 @@ userauth_gssapi(Authctxt *authctxt) return 1; } +static OM_uint32 +process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) +{ + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt = authctxt->methoddata; + gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; + OM_uint32 status, ms; + + status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, + recv_tok, &send_tok, NULL); + + if (send_tok.length > 0) { + if (GSS_ERROR(status)) + packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); + else + packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); + + packet_put_string(send_tok.value, send_tok.length); + packet_send(); + gss_release_buffer(&ms, &send_tok); + } + + if (status == GSS_S_COMPLETE) { + /* If that succeeded, send a exchange complete message */ + packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); + packet_send(); + } + + return status; +} + void input_gssapi_response(int type, u_int32_t plen, void *ctxt) { Authctxt *authctxt = ctxt; Gssctxt *gssctxt; - OM_uint32 status, ms; int oidlen; char *oidv; - gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); @@ -557,9 +586,9 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) if (oidlen <= 2 || oidv[0] != SSH_GSS_OIDTYPE || oidv[1] != oidlen - 2) { + xfree(oidv); debug("Badly encoded mechanism OID received"); userauth(authctxt, NULL); - xfree(oidv); return; } 
@@ -570,76 +599,39 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt) xfree(oidv); - status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, - GSS_C_NO_BUFFER, &send_tok, NULL); - if (GSS_ERROR(status)) { - if (send_tok.length > 0) { - packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); - packet_put_string(send_tok.value, send_tok.length); - packet_send(); - gss_release_buffer(&ms, &send_tok); - } + if (GSS_ERROR(process_gssapi_token(ctxt, GSS_C_NO_BUFFER))) { /* Start again with next method on list */ debug("Trying to start again"); userauth(authctxt, NULL); return; } - - /* We must have data to send */ - packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); - packet_put_string(send_tok.value, send_tok.length); - packet_send(); - gss_release_buffer(&ms, &send_tok); } void input_gssapi_token(int type, u_int32_t plen, void *ctxt) { Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; - gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; gss_buffer_desc recv_tok; - OM_uint32 status, ms; + OM_uint32 status; u_int slen; if (authctxt == NULL) fatal("input_gssapi_response: no authentication context"); - gssctxt = authctxt->methoddata; recv_tok.value = packet_get_string(&slen); recv_tok.length = slen; /* safe typecast */ packet_check_eom(); - status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, - &recv_tok, &send_tok, NULL); + status = process_gssapi_token(ctxt, &recv_tok); xfree(recv_tok.value); if (GSS_ERROR(status)) { - if (send_tok.length > 0) { - packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); - packet_put_string(send_tok.value, send_tok.length); - packet_send(); - gss_release_buffer(&ms, &send_tok); - } /* Start again with the next method in the list */ userauth(authctxt, NULL); return; } - - if (send_tok.length > 0) { - packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); - packet_put_string(send_tok.value, send_tok.length); - packet_send(); - gss_release_buffer(&ms, &send_tok); - } - - if (status == GSS_S_COMPLETE) { - /* If that succeeded, send a exchange complete 
message */ - packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); - packet_send(); - } } void -- cgit v1.2.3 From 51bf11fcc9be7b101d0aee71da80a739f87e0608 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:20:47 +1100 Subject: - djm@cvs.openbsd.org 2003/11/17 09:45:39 [msg.c msg.h sshconnect2.c ssh-keysign.c] return error on msg send/receive failure (rather than fatal); ok markus@ --- ChangeLog | 5 ++++- msg.c | 37 +++++++++++++++++++++++-------------- msg.h | 4 ++-- ssh-keysign.c | 5 +++-- sshconnect2.c | 5 +++-- 5 files changed, 35 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8eba44a97..908fd233f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,9 @@ - markus@cvs.openbsd.org 2003/11/14 13:19:09 [sshconnect2.c] cleanup and minor fixes for the client code; from Simon Wilkinson + - djm@cvs.openbsd.org 2003/11/17 09:45:39 + [msg.c msg.h sshconnect2.c ssh-keysign.c] + return error on msg send/receive failure (rather than fatal); ok markus@ 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1460,4 +1463,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3108 2003/11/17 10:20:18 djm Exp $ +$Id: ChangeLog,v 1.3109 2003/11/17 10:20:47 djm Exp $ diff --git a/msg.c b/msg.c index 6a806c3f5..30bc3f107 100644 --- a/msg.c +++ b/msg.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: msg.c,v 1.6 2003/06/28 16:23:06 deraadt Exp $"); +RCSID("$OpenBSD: msg.c,v 1.7 2003/11/17 09:45:39 djm Exp $"); #include "buffer.h" #include "getput.h" @@ -30,7 +30,7 @@ RCSID("$OpenBSD: msg.c,v 1.6 2003/06/28 16:23:06 deraadt Exp $"); #include "atomicio.h" #include "msg.h" -void +int ssh_msg_send(int fd, u_char type, Buffer *m) { u_char buf[5]; 
@@ -40,10 +40,15 @@ ssh_msg_send(int fd, u_char type, Buffer *m) PUT_32BIT(buf, mlen + 1); buf[4] = type; /* 1st byte of payload is mesg-type */ - if (atomicio(vwrite, fd, buf, sizeof(buf)) != sizeof(buf)) - fatal("ssh_msg_send: write"); - if (atomicio(vwrite, fd, buffer_ptr(m), mlen) != mlen) - fatal("ssh_msg_send: write"); + if (atomicio(vwrite, fd, buf, sizeof(buf)) != sizeof(buf)) { + error("ssh_msg_send: write"); + return (-1); + } + if (atomicio(vwrite, fd, buffer_ptr(m), mlen) != mlen) { + error("ssh_msg_send: write"); + return (-1); + } + return (0); } int @@ -57,17 +62,21 @@ ssh_msg_recv(int fd, Buffer *m) res = atomicio(read, fd, buf, sizeof(buf)); if (res != sizeof(buf)) { - if (res == 0) - return -1; - fatal("ssh_msg_recv: read: header %ld", (long)res); + if (res != 0) + error("ssh_msg_recv: read: header %ld", (long)res); + return (-1); } msg_len = GET_32BIT(buf); - if (msg_len > 256 * 1024) - fatal("ssh_msg_recv: read: bad msg_len %u", msg_len); + if (msg_len > 256 * 1024) { + error("ssh_msg_recv: read: bad msg_len %u", msg_len); + return (-1); + } buffer_clear(m); buffer_append_space(m, msg_len); res = atomicio(read, fd, buffer_ptr(m), msg_len); - if (res != msg_len) - fatal("ssh_msg_recv: read: %ld != msg_len", (long)res); - return 0; + if (res != msg_len) { + error("ssh_msg_recv: read: %ld != msg_len", (long)res); + return (-1); + } + return (0); } diff --git a/msg.h b/msg.h index c07df88a7..0d3ea0658 100644 --- a/msg.h +++ b/msg.h @@ -1,4 +1,4 @@ -/* $OpenBSD: msg.h,v 1.2 2002/12/19 00:07:02 djm Exp $ */ +/* $OpenBSD: msg.h,v 1.3 2003/11/17 09:45:39 djm Exp $ */ /* * Copyright (c) 2002 Markus Friedl. All rights reserved. * @@ -25,7 +25,7 @@ #ifndef SSH_MSG_H #define SSH_MSG_H -void ssh_msg_send(int, u_char, Buffer *); +int ssh_msg_send(int, u_char, Buffer *); int ssh_msg_recv(int, Buffer *); #endif diff --git a/ssh-keysign.c b/ssh-keysign.c index c7ca5c4e4..b3db628c6 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c 
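Review bot: ssh_msg_recv still accepts `msg_len == 0`, although ssh_msg_send always writes `mlen + 1` with the type byte first, so a zero length can only come from a malformed or truncated message. Now that failures are returned rather than fatal, the length check is the natural place to reject it: `if (msg_len == 0 || msg_len > 256 * 1024) {`. sshpam_thread_conv in auth-pam.c calls `buffer_get_char` immediately after a successful receive, so an empty buffer would reach it; how buffer_get_char handles that is not shown in this diff.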
@@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: ssh-keysign.c,v 1.13 2003/07/03 08:09:06 djm Exp $"); +RCSID("$OpenBSD: ssh-keysign.c,v 1.14 2003/11/17 09:45:39 djm Exp $"); #include #include @@ -233,7 +233,8 @@ main(int argc, char **argv) /* send reply */ buffer_clear(&b); buffer_put_string(&b, signature, slen); - ssh_msg_send(STDOUT_FILENO, version, &b); + if (ssh_msg_send(STDOUT_FILENO, version, &b) == -1) + fatal("ssh_msg_send failed"); return (0); } diff --git a/sshconnect2.c b/sshconnect2.c index 045f3081f..388a25741 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.130 2003/11/14 13:19:09 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.131 2003/11/17 09:45:39 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -1240,7 +1240,8 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp, buffer_init(&b); buffer_put_int(&b, packet_get_connection_in()); /* send # of socket */ buffer_put_string(&b, data, datalen); - ssh_msg_send(to[1], version, &b); + if (ssh_msg_send(to[1], version, &b) == -1) + fatal("ssh_keysign: couldn't send request"); if (ssh_msg_recv(from[0], &b) < 0) { error("ssh_keysign: no reply"); -- cgit v1.2.3 From 9bdba70350919fced9ecdf5ca8a3709d22d69797 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:27:55 +1100 Subject: - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int conversation function --- ChangeLog | 4 +++- auth-pam.c | 35 +++++++++++++++++++++++------------ 2 files changed, 26 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 908fd233f..b850f42dd 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -43,6 +43,8 @@ - djm@cvs.openbsd.org 2003/11/17 09:45:39 [msg.c msg.h sshconnect2.c ssh-keysign.c] return error on msg send/receive failure (rather than fatal); ok markus@ + - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int + conversation function 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1463,4 +1465,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3109 2003/11/17 10:20:47 djm Exp $ +$Id: ChangeLog,v 1.3110 2003/11/17 10:27:55 djm Exp $ diff --git a/auth-pam.c b/auth-pam.c index 1f0b791ed..4d2f9c597 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.78 2003/11/13 08:52:31 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.79 2003/11/17 10:27:55 djm Exp $"); #ifdef USE_PAM #include @@ -156,9 +156,11 @@ sshpam_thread_conv(int n, const struct pam_message **msg, case PAM_PROMPT_ECHO_OFF: buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg)); - ssh_msg_send(ctxt->pam_csock, - PAM_MSG_MEMBER(msg, i, msg_style), &buffer); - ssh_msg_recv(ctxt->pam_csock, &buffer); + if (ssh_msg_send(ctxt->pam_csock, + PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1) + goto fail; + if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1) + goto fail; if (buffer_get_char(&buffer) != PAM_AUTHTOK) goto fail; reply[i].resp = buffer_get_string(&buffer, NULL); 
@@ -166,9 +168,11 @@ sshpam_thread_conv(int n, const struct pam_message **msg, case PAM_PROMPT_ECHO_ON: buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg)); - ssh_msg_send(ctxt->pam_csock, - PAM_MSG_MEMBER(msg, i, msg_style), &buffer); - ssh_msg_recv(ctxt->pam_csock, &buffer); + if (ssh_msg_send(ctxt->pam_csock, + PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1) + goto fail; + if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1) + goto fail; if (buffer_get_char(&buffer) != PAM_AUTHTOK) goto fail; reply[i].resp = buffer_get_string(&buffer, NULL); @@ -176,14 +180,16 @@ sshpam_thread_conv(int n, const struct pam_message **msg, case PAM_ERROR_MSG: buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg)); - ssh_msg_send(ctxt->pam_csock, - PAM_MSG_MEMBER(msg, i, msg_style), &buffer); + if (ssh_msg_send(ctxt->pam_csock, + PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1) + goto fail; break; case PAM_TEXT_INFO: buffer_put_cstring(&buffer, PAM_MSG_MEMBER(msg, i, msg)); - ssh_msg_send(ctxt->pam_csock, - PAM_MSG_MEMBER(msg, i, msg_style), &buffer); + if (ssh_msg_send(ctxt->pam_csock, + PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1) + goto fail; break; default: goto fail; @@ -232,6 +238,7 @@ sshpam_thread(void *ctxtp) if (sshpam_err != PAM_SUCCESS) goto auth_fail; buffer_put_cstring(&buffer, "OK"); + /* XXX - can't do much about an error here */ ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); pthread_exit(NULL); @@ -239,6 +246,7 @@ sshpam_thread(void *ctxtp) auth_fail: buffer_put_cstring(&buffer, pam_strerror(sshpam_handle, sshpam_err)); + /* XXX - can't do much about an error here */ ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); buffer_free(&buffer); pthread_exit(NULL); 
@@ -474,7 +482,10 @@ sshpam_respond(void *ctx, u_int num, char **resp) } buffer_init(&buffer); buffer_put_cstring(&buffer, *resp); - ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer); + if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) { + buffer_free(&buffer); + return (-1); + } buffer_free(&buffer); return (1); } -- cgit v1.2.3 From c756e9b56e5b4649f120c417eb9bc99cf23db10f Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 21:41:42 +1100 Subject: - (djm) Export environment variables from authentication subprocess to parent. Part of Bug #717 --- ChangeLog | 4 ++- auth-pam.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++------ auth-pam.h | 3 ++- session.c | 7 +++++- 4 files changed, 87 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index b850f42dd..bec42ac50 100644 --- a/ChangeLog +++ b/ChangeLog @@ -45,6 +45,8 @@ return error on msg send/receive failure (rather than fatal); ok markus@ - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int conversation function + - (djm) Export environment variables from authentication subprocess to + parent. Part of Bug #717 20031115 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and @@ -1465,4 +1467,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3110 2003/11/17 10:27:55 djm Exp $ +$Id: ChangeLog,v 1.3111 2003/11/17 10:41:42 djm Exp $ diff --git a/auth-pam.c b/auth-pam.c index 4d2f9c597..92a3da406 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.79 2003/11/17 10:27:55 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $"); #ifdef USE_PAM #include 
@@ -117,6 +117,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static char **sshpam_env = NULL; struct pam_ctxt { sp_pthread_t pam_thread; @@ -128,6 +129,51 @@ struct pam_ctxt { static void sshpam_free_ctx(void *); static struct pam_ctxt *cleanup_ctxt; +/* Some PAM implementations don't implement this */ +#ifndef HAVE_PAM_GETENVLIST +static char ** +pam_getenvlist(pam_handle_t *pamh) +{ + /* + * XXX - If necessary, we can still support envrionment passing + * for platforms without pam_getenvlist by searching for known + * env vars (e.g. KRB5CCNAME) from the PAM environment. + */ + return NULL; +} +#endif + +/* Import regular and PAM environment from subprocess */ +static void +import_environments(Buffer *b) +{ + char *env; + u_int i, num_env; + int err; + + /* Import environment from subprocess */ + num_env = buffer_get_int(b); + sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env)); + debug3("PAM: num env strings %d", num_env); + for(i = 0; i < num_env; i++) + sshpam_env[i] = buffer_get_string(b, NULL); + + sshpam_env[num_env] = NULL; + + /* Import PAM environment from subprocess */ + num_env = buffer_get_int(b); + debug("PAM: num PAM env strings %d", num_env); + for(i = 0; i < num_env; i++) { + env = buffer_get_string(b, NULL); + + /* Errors are not fatal here */ + if ((err = pam_putenv(sshpam_handle, env)) != PAM_SUCCESS) { + error("PAM: pam_putenv: %s", + pam_strerror(sshpam_handle, sshpam_err)); + } + } +} + /* * Conversation function for authentication thread. */ @@ -220,10 +266,14 @@ sshpam_thread(void *ctxtp) Buffer buffer; struct pam_conv sshpam_conv; #ifndef USE_POSIX_THREADS + extern char **environ; + char **env_from_pam; + u_int i; const char *pam_user; pam_get_item(sshpam_handle, PAM_USER, (const void **)&pam_user); setproctitle("%s [pam]", pam_user); + environ[0] = NULL; #endif sshpam_conv.conv = sshpam_thread_conv; 
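Review bot: import_environments sizes the array with `xmalloc((num_env + 1) * sizeof(*sshpam_env))` from a count read straight out of the message, with no upper bound, so a large `num_env` can wrap the `+ 1` or the multiplication and leave the following loop storing pointers past a short allocation. Add a limit before allocating, e.g. `if (num_env > 1024) fatal("import_environments: too many environment strings");` (the figure is a suggestion), and apply the same cap to the PAM count read afterwards. Separately, the pam_putenv failure path logs `pam_strerror(sshpam_handle, sshpam_err)` although the result was stored in `err`; `pam_strerror(sshpam_handle, err)` would report the failure that actually occurred.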
@@ -238,6 +288,24 @@ sshpam_thread(void *ctxtp) if (sshpam_err != PAM_SUCCESS) goto auth_fail; buffer_put_cstring(&buffer, "OK"); + +#ifndef USE_POSIX_THREADS + /* Export any environment strings set in child */ + for(i = 0; environ[i] != NULL; i++) + ; /* Count */ + buffer_put_int(&buffer, i); + for(i = 0; environ[i] != NULL; i++) + buffer_put_cstring(&buffer, environ[i]); + + /* Export any environment strings set by PAM in child */ + env_from_pam = pam_getenvlist(sshpam_handle); + for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++) + ; /* Count */ + buffer_put_int(&buffer, i); + for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++) + buffer_put_cstring(&buffer, env_from_pam[i]); +#endif /* USE_POSIX_THREADS */ + /* XXX - can't do much about an error here */ ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -440,6 +508,7 @@ sshpam_query(void *ctx, char **name, char **info, **prompts = NULL; } if (type == PAM_SUCCESS) { + import_environments(&buffer); *num = 0; **echo_on = 0; ctxt->pam_done = 1; @@ -704,7 +773,6 @@ do_pam_chauthtok(void) * modules can handle things like Kerberos/GSI credentials that appear * during the ssh authentication process. */ - int do_pam_putenv(char *name, char *value) { @@ -730,15 +798,16 @@ print_pam_messages(void) /* XXX */ } +char ** +fetch_pam_child_environment(void) +{ + return sshpam_env; +} + char ** fetch_pam_environment(void) { -#ifdef HAVE_PAM_GETENVLIST - debug("PAM: retrieving environment"); return (pam_getenvlist(sshpam_handle)); -#else - return (NULL); -#endif } void diff --git a/auth-pam.h b/auth-pam.h index 58176f013..fd62e9534 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.22 2003/10/07 01:30:16 dtucker Exp $ */ +/* $Id: auth-pam.h,v 1.23 2003/11/17 10:41:42 djm Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. 
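Review bot: The call `import_environments(&buffer);` added to sshpam_query is unconditional, while the matching export in sshpam_thread is compiled only under `#ifndef USE_POSIX_THREADS`. In a USE_POSIX_THREADS build the success message therefore carries no counts, and import_environments would call `buffer_get_int` on data that is not there; the result depends on buffer.c, which is outside this diff, but it cannot be the intended behaviour. Guard the import the same way, by wrapping either this call or the body of import_environments in `#ifndef USE_POSIX_THREADS` ... `#endif`. sshpam_query begins and ends outside the hunk.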
@@ -42,6 +42,7 @@ void do_pam_chauthtok(void); int do_pam_putenv(char *, char *); void print_pam_messages(void); char ** fetch_pam_environment(void); +char ** fetch_pam_child_environment(void); void free_pam_environment(char **); void sshpam_thread_cleanup(void); void sshpam_cleanup(void); diff --git a/session.c b/session.c index 0f8032430..b1e6255f4 100644 --- a/session.c +++ b/session.c @@ -1095,8 +1095,13 @@ do_setup_env(Session *s, const char *shell) * been set by PAM. */ if (options.use_pam) { - char **p = fetch_pam_environment(); + char **p; + + p = fetch_pam_child_environment(); + copy_environment(p, &env, &envsize); + free_pam_environment(p); + p = fetch_pam_environment(); copy_environment(p, &env, &envsize); free_pam_environment(p); } -- cgit v1.2.3 From 0425d40194f36c57423c014b0730a9d344dbe019 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 17 Nov 2003 22:18:21 +1100 Subject: - markus@cvs.openbsd.org 2003/11/17 11:06:07 [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h sshconnect2.c ssh-gss.h] replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob. --- ChangeLog | 7 +++++- auth2-gss.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++---------- gss-genr.c | 27 ++++++++++++++++++++++- gss-serv.c | 12 ++++++++++- monitor.c | 36 ++++++++++++++++++++++++++++--- monitor.h | 3 ++- monitor_wrap.c | 21 +++++++++++++++++- monitor_wrap.h | 3 ++- ssh-gss.h | 7 ++++-- sshconnect2.c | 36 +++++++++++++++++++++++++------ 10 files changed, 191 insertions(+), 29 deletions(-) diff --git a/ChangeLog b/ChangeLog index bec42ac50..fb3fdaac5 100644 --- a/ChangeLog +++ b/ChangeLog 
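Review bot: In do_setup_env the array returned by `fetch_pam_child_environment()` is passed to `free_pam_environment(p)`, but that accessor returns the static `sshpam_env` pointer itself, which stays set afterwards. If free_pam_environment releases the array (its body is not in this diff), a later call to do_setup_env in the same process would copy from and free memory that has already been released. Either skip the free for the child environment, or have the accessor hand over ownership by clearing the static first, e.g. `char **e = sshpam_env; sshpam_env = NULL; return e;`. do_setup_env continues outside the hunk.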
@@ -43,6 +43,11 @@ - djm@cvs.openbsd.org 2003/11/17 09:45:39 [msg.c msg.h sshconnect2.c ssh-keysign.c] return error on msg send/receive failure (rather than fatal); ok markus@ + - markus@cvs.openbsd.org 2003/11/17 11:06:07 + [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c] + [monitor_wrap.h sshconnect2.c ssh-gss.h] + replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; + test + ok jakob. - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int conversation function - (djm) Export environment variables from authentication subprocess to @@ -1467,4 +1472,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3111 2003/11/17 10:41:42 djm Exp $ +$Id: ChangeLog,v 1.3112 2003/11/17 11:18:21 djm Exp $ diff --git a/auth2-gss.c b/auth2-gss.c index 84fb384f9..220862dc8 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-gss.c,v 1.5 2003/11/02 11:01:03 markus Exp $ */ +/* $OpenBSD: auth2-gss.c,v 1.6 2003/11/17 11:06:07 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -43,6 +43,7 @@ extern ServerOptions options; static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); +static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); static void input_gssapi_errtok(int, u_int32_t, void *); @@ -129,7 +130,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) Gssctxt *gssctxt; gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; gss_buffer_desc recv_tok; - OM_uint32 maj_status, min_status; + OM_uint32 maj_status, min_status, flags; u_int len; if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) 
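Review bot: `flags` is declared uninitialised in input_gssapi_token (`OM_uint32 maj_status, min_status, flags;`) and is later tested with `flags & GSS_C_INTEG_FLAG` to choose between the MIC handler and the plain exchange-complete handler. Whether every path through `PRIVSEP(ssh_gssapi_accept_ctx(...))`, including the monitor wrapper, writes it is not visible here; if one does not, the handler choice depends on stack contents. Initialise it, `OM_uint32 maj_status, min_status, flags = 0;`, and confirm the privsep wrapper returns the context flags, since a zero value selects the path without a MIC check. The function body continues in the following hunks.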
@@ -142,7 +143,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) packet_check_eom(); maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok, - &send_tok, NULL)); + &send_tok, &flags)); xfree(recv_tok.value); @@ -154,7 +155,7 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) } authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); - userauth_finish(authctxt, 0, "gssapi"); + userauth_finish(authctxt, 0, "gssapi-with-mic"); } else { if (send_tok.length != 0) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); @@ -163,8 +164,13 @@ input_gssapi_token(int type, u_int32_t plen, void *ctxt) } if (maj_status == GSS_S_COMPLETE) { dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); - dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, - &input_gssapi_exchange_complete); + if (flags & GSS_C_INTEG_FLAG) + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, + &input_gssapi_mic); + else + dispatch_set( + SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, + &input_gssapi_exchange_complete); } } @@ -224,9 +230,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) gssctxt = authctxt->methoddata; /* - * We don't need to check the status, because the stored credentials - * which userok uses are only populated once the context init step - * has returned complete. + * We don't need to check the status, because we're only enabled in + * the dispatcher once the exchange is complete */ packet_check_eom(); 
@@ -236,12 +241,53 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt) authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); + userauth_finish(authctxt, authenticated, "gssapi-with-mic"); +} + +static void +input_gssapi_mic(int type, u_int32_t plen, void *ctxt) +{ + Authctxt *authctxt = ctxt; + Gssctxt *gssctxt; + int authenticated = 0; + Buffer b; + gss_buffer_desc mic, gssbuf; + u_int len; + + if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) + fatal("No authentication or GSSAPI context"); + + gssctxt = authctxt->methoddata; + + mic.value = packet_get_string(&len); + mic.length = len; + + ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, + "gssapi-with-mic"); + + gssbuf.value = buffer_ptr(&b); + gssbuf.length = buffer_len(&b); + + if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) + authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); + else + logit("GSSAPI MIC check failed"); + + buffer_free(&b); + xfree(mic.value); + + authctxt->postponed = 0; + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); + dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); - userauth_finish(authctxt, authenticated, "gssapi"); + userauth_finish(authctxt, authenticated, "gssapi-with-mic"); } Authmethod method_gssapi = { - "gssapi", + "gssapi-with-mic", userauth_gssapi, &options.gss_authentication }; diff --git a/gss-genr.c b/gss-genr.c index bda12d6f1..6b7caad0e 100644 --- a/gss-genr.c +++ b/gss-genr.c 
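Review bot: input_gssapi_mic reads the MIC with `mic.value = packet_get_string(&len);` and never calls `packet_check_eom()`, so trailing bytes after the MIC in an SSH2_MSG_USERAUTH_GSSAPI_MIC packet are accepted without complaint. Both input_gssapi_token and input_gssapi_exchange_complete in this file make that call. Adding `packet_check_eom();` right after `mic.length = len;` keeps the three handlers consistent and rejects malformed packets before any GSSAPI work is done.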
@@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.1 2003/08/22 10:56:09 markus Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.2 2003/11/17 11:06:07 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -33,9 +33,12 @@ #include "compat.h" #include "log.h" #include "monitor_wrap.h" +#include "ssh2.h" #include "ssh-gss.h" +extern u_char *session_id2; +extern u_int session_id2_len; /* Check that the OID in a data stream matches that in the context */ int @@ -244,6 +247,28 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx) return (ctx->major); } +OM_uint32 +ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) +{ + if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, + GSS_C_QOP_DEFAULT, buffer, hash))) + ssh_gssapi_error(ctx); + + return (ctx->major); +} + +void +ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, + const char *context) +{ + buffer_init(b); + buffer_put_string(b, session_id2, session_id2_len); + buffer_put_char(b, SSH2_MSG_USERAUTH_REQUEST); + buffer_put_cstring(b, user); + buffer_put_cstring(b, service); + buffer_put_cstring(b, context); +} + OM_uint32 ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) { if (*ctx) diff --git a/gss-serv.c b/gss-serv.c index 6574f9750..de32a3f2e 100644 --- a/gss-serv.c +++ b/gss-serv.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv.c,v 1.4 2003/09/23 20:17:11 markus Exp $ */ +/* $OpenBSD: gss-serv.c,v 1.5 2003/11/17 11:06:07 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. @@ -287,4 +287,14 @@ ssh_gssapi_userok(char *user) return (0); } +/* Priviledged */ +OM_uint32 +ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +{ + ctx->major = gss_verify_mic(&ctx->minor, ctx->context, + gssbuf, gssmic, NULL); + + return (ctx->major); +} + #endif diff --git a/monitor.c b/monitor.c index e83fb45a7..97f1ee9f4 100644 --- a/monitor.c +++ b/monitor.c 
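Review bot: ssh_gssapi_buildmic in gss-genr.c has no comment describing the data it assembles or who owns the buffer. It calls `buffer_init(b)` itself and both callers in this commit call `buffer_free(&b)` afterwards, so that contract should be written down. It also reads the global `session_id2`, which has to be set before the call. I would add `/* Build the data covered by the MIC: session id, SSH2_MSG_USERAUTH_REQUEST, user, service, method name. Initialises b; the caller must buffer_free() it. */` above the function.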
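Review bot: ssh_gssapi_checkmic in gss-serv.c stores the gss_verify_mic status in `ctx->major` but does not report it, whereas ssh_gssapi_sign, added in gss-genr.c by the same commit, calls `ssh_gssapi_error(ctx)` on failure. The only trace of a rejected MIC is then the fixed string logged by the caller, with no major or minor status to investigate. Adding `if (GSS_ERROR(ctx->major)) ssh_gssapi_error(ctx);` before the return would make the two helpers consistent. The comment above the function is also misspelled and should read `/* Privileged */`.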
@@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.51 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.52 2003/11/17 11:06:07 markus Exp $"); #include @@ -134,6 +134,7 @@ int mm_answer_pam_free_ctx(int, Buffer *); int mm_answer_gss_setup_ctx(int, Buffer *); int mm_answer_gss_accept_ctx(int, Buffer *); int mm_answer_gss_userok(int, Buffer *); +int mm_answer_gss_checkmic(int, Buffer *); #endif static Authctxt *authctxt; @@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, + {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, #endif {0, 0, NULL} }; @@ -1781,14 +1783,42 @@ mm_answer_gss_accept_ctx(int socket, Buffer *m) gss_release_buffer(&minor, &out); - /* Complete - now we can do signing */ if (major==GSS_S_COMPLETE) { monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); + monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); } return (0); } +int +mm_answer_gss_checkmic(int socket, Buffer *m) +{ + gss_buffer_desc gssbuf, mic; + OM_uint32 ret; + u_int len; + + gssbuf.value = buffer_get_string(m, &len); + gssbuf.length = len; + mic.value = buffer_get_string(m, &len); + mic.length = len; + + ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); + + xfree(gssbuf.value); + xfree(mic.value); + + buffer_clear(m); + buffer_put_int(m, ret); + + mm_request_send(socket, MONITOR_ANS_GSSCHECKMIC, m); + + if (!GSS_ERROR(ret)) + monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); + + return (0); +} + int mm_answer_gss_userok(int socket, Buffer *m) { 
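Review bot: mm_answer_gss_accept_ctx permits both MONITOR_REQ_GSSUSEROK and MONITOR_REQ_GSSCHECKMIC as soon as the context completes, so the monitor will answer a userok request whether or not a MIC was ever verified. The MIC requirement is enforced only by the unprivileged child taking the input_gssapi_mic path. If the privileged side is meant to enforce it, the monitor could leave MONITOR_REQ_GSSUSEROK disabled until mm_answer_gss_checkmic succeeds whenever the accepted context reported GSS_C_INTEG_FLAG; whether those flags are kept in the monitor is not visible in this hunk. As written, the `monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);` at the end of mm_answer_gss_checkmic is redundant. mm_answer_gss_checkmic also verifies a buffer supplied by the child rather than one the monitor builds itself, which deserves a comment stating that trust assumption.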
@@ -1802,7 +1832,7 @@ mm_answer_gss_userok(int socket, Buffer *m) debug3("%s: sending result %d", __func__, authenticated); mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); - auth_method="gssapi"; + auth_method="gssapi-with-mic"; /* Monitor loop will terminate if authenticated */ return (authenticated); diff --git a/monitor.h b/monitor.h index a153f4168..621a4ad18 100644 --- a/monitor.h +++ b/monitor.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.h,v 1.12 2003/09/23 20:17:11 markus Exp $ */ +/* $OpenBSD: monitor.h,v 1.13 2003/11/17 11:06:07 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -52,6 +52,7 @@ enum monitor_reqtype { MONITOR_REQ_GSSSETUP, MONITOR_ANS_GSSSETUP, MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP, MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK, + MONITOR_REQ_GSSCHECKMIC, MONITOR_ANS_GSSCHECKMIC, MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT, MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, diff --git a/monitor_wrap.c b/monitor_wrap.c index fe1460422..c685535d3 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor_wrap.c,v 1.34 2003/10/15 09:48:45 markus Exp $"); +RCSID("$OpenBSD: monitor_wrap.c,v 1.35 2003/11/17 11:06:07 markus Exp $"); #include #include @@ -1134,6 +1134,25 @@ mm_ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *in, return (major); } +OM_uint32 +mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic) +{ + Buffer m; + OM_uint32 major; + + buffer_init(&m); + buffer_put_string(&m, gssbuf->value, gssbuf->length); + buffer_put_string(&m, gssmic->value, gssmic->length); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSCHECKMIC, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSCHECKMIC, + &m); + + major = buffer_get_int(&m); + buffer_free(&m); + return(major); +} + int mm_ssh_gssapi_userok(char *user) { diff --git a/monitor_wrap.h b/monitor_wrap.h index 76c02f13a..55be10b19 100644 --- a/monitor_wrap.h 
+++ b/monitor_wrap.h @@ -1,4 +1,4 @@ -/* $OpenBSD: monitor_wrap.h,v 1.12 2003/09/23 20:17:11 markus Exp $ */ +/* $OpenBSD: monitor_wrap.h,v 1.13 2003/11/17 11:06:07 markus Exp $ */ /* * Copyright 2002 Niels Provos @@ -62,6 +62,7 @@ OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **ctxt, gss_OID oid); OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *ctxt, gss_buffer_desc *recv, gss_buffer_desc *send, OM_uint32 *flags); int mm_ssh_gssapi_userok(char *user); +OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); #endif #ifdef USE_PAM diff --git a/ssh-gss.h b/ssh-gss.h index c76648ee0..2b6fe2130 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-gss.h,v 1.3 2003/10/02 08:26:53 markus Exp $ */ +/* $OpenBSD: ssh-gss.h,v 1.4 2003/11/17 11:06:07 markus Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved. * @@ -50,6 +50,7 @@ #define SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE 63 #define SSH2_MSG_USERAUTH_GSSAPI_ERROR 64 #define SSH2_MSG_USERAUTH_GSSAPI_ERRTOK 65 +#define SSH2_MSG_USERAUTH_GSSAPI_MIC 66 #define SSH_GSS_OIDTYPE 0x06 @@ -108,11 +109,13 @@ void ssh_gssapi_error(Gssctxt *ctx); char *ssh_gssapi_last_error(Gssctxt *ctxt, OM_uint32 *maj, OM_uint32 *min); void ssh_gssapi_build_ctx(Gssctxt **ctx); void ssh_gssapi_delete_ctx(Gssctxt **ctx); +OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t); OM_uint32 ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid); +void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *); /* In the server */ int ssh_gssapi_userok(char *name); - +OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t); void ssh_gssapi_do_child(char ***envp, u_int *envsizep); void ssh_gssapi_cleanup_creds(void); void ssh_gssapi_storecreds(void); diff --git a/sshconnect2.c b/sshconnect2.c index 388a25741..f6368aadd 100644 --- a/sshconnect2.c +++ b/sshconnect2.c 
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.131 2003/11/17 09:45:39 djm Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.132 2003/11/17 11:06:07 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -222,7 +222,7 @@ static char *authmethods_get(void); Authmethod authmethods[] = { #ifdef GSSAPI - {"gssapi", + {"gssapi-with-mic", userauth_gssapi, &options.gss_authentication, NULL}, @@ -543,10 +543,12 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) Authctxt *authctxt = ctxt; Gssctxt *gssctxt = authctxt->methoddata; gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER; - OM_uint32 status, ms; + gss_buffer_desc gssbuf, mic; + OM_uint32 status, ms, flags; + Buffer b; status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, - recv_tok, &send_tok, NULL); + recv_tok, &send_tok, &flags); if (send_tok.length > 0) { if (GSS_ERROR(status)) @@ -560,9 +562,29 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) } if (status == GSS_S_COMPLETE) { - /* If that succeeded, send a exchange complete message */ - packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); - packet_send(); + /* send either complete or MIC, depending on mechanism */ + if (!(flags & GSS_C_INTEG_FLAG)) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE); + packet_send(); + } else { + ssh_gssapi_buildmic(&b, authctxt->server_user, + authctxt->service, "gssapi-with-mic"); + + gssbuf.value = buffer_ptr(&b); + gssbuf.length = buffer_len(&b); + + status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic); + + if (!GSS_ERROR(status)) { + packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC); + packet_put_string(mic.value, mic.length); + + packet_send(); + } + + buffer_free(&b); + gss_release_buffer(&ms, &mic); + } } return status; -- cgit v1.2.3 From 6aef38f5ac65ad599454159c82530b62d740b9b9 Mon Sep 17 00:00:00 2001 
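Review bot: `mic` is declared without an initialiser in process_gssapi_token, yet `gss_release_buffer(&ms, &mic);` runs even when ssh_gssapi_sign returned an error, in which case the buffer may never have been filled in. Declaring it as `gss_buffer_desc gssbuf, mic = GSS_C_EMPTY_BUFFER;`, as `send_tok` already is in this function, makes the release safe on the failure path. When signing fails no packet is sent and only the error status is returned, so a debug line in that branch would make the failure visible. The function body starts outside the hunk.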
From: Damien Miller Date: Tue, 18 Nov 2003 10:45:20 +1100 Subject: - (djm) Fix early exit for root auth success when UsePAM=yes and PermitRootLogin=no --- ChangeLog | 6 +++++- monitor.c | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index fb3fdaac5..24bf3f835 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20031117 + - (djm) Fix early exit for root auth success when UsePAM=yes and + PermitRootLogin=no + 20031117 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/11/03 09:03:37 @@ -1472,4 +1476,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3112 2003/11/17 11:18:21 djm Exp $ +$Id: ChangeLog,v 1.3113 2003/11/17 23:45:20 djm Exp $ diff --git a/monitor.c b/monitor.c index 97f1ee9f4..c4f9a48fb 100644 --- a/monitor.c +++ b/monitor.c @@ -309,7 +309,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) authenticated = 0; #ifdef USE_PAM /* PAM needs to perform account checks after auth */ - if (options.use_pam) { + if (options.use_pam && authenticated) { Buffer m; buffer_init(&m); -- cgit v1.2.3 From 18df00cc77b39fe7858cf987eb9a4f7c314af018 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 18 Nov 2003 12:42:07 +1100 Subject: - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, and use it for do_pam_session. Fixes problems like pam_motd not displaying anything. ok djm@ --- ChangeLog | 7 +++++-- auth-pam.c | 56 +++++++++++++++++++++++++------------------------------- 2 files changed, 30 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index 24bf3f835..7acb76b9c 100644 --- a/ChangeLog +++ b/ChangeLog 
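Review bot: The comment above the changed condition in monitor_child_preauth still reads `/* PAM needs to perform account checks after auth */` and does not explain why the block is now skipped when `authenticated` is 0. The line just before it in the hunk is `authenticated = 0;`, presumably the result of an earlier policy check such as the root-login one named in the commit subject. A comment such as `/* Run the PAM account check only for an auth that is still successful; it must not override an earlier denial */` would keep the guard from being dropped later. What the block does with the account result lies outside the hunk, so that wording should be confirmed against the full function.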
@@ -1,6 +1,9 @@ -20031117 +20031118 - (djm) Fix early exit for root auth success when UsePAM=yes and PermitRootLogin=no + - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, + and use it for do_pam_session. Fixes problems like pam_motd not displaying + anything. ok djm@ 20031117 - (djm) OpenBSD CVS Sync @@ -1476,4 +1479,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3113 2003/11/17 23:45:20 djm Exp $ +$Id: ChangeLog,v 1.3114 2003/11/18 01:42:07 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 92a3da406..af8d37fab 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.81 2003/11/18 01:42:08 dtucker Exp $"); #ifdef USE_PAM #include @@ -52,6 +52,7 @@ RCSID("$Id: auth-pam.c,v 1.80 2003/11/17 10:41:42 djm Exp $"); #include "auth-options.h" extern ServerOptions options; +extern Buffer loginmsg; #define __unused @@ -497,13 +498,9 @@ sshpam_query(void *ctx, char **name, char **info, case PAM_AUTH_ERR: if (**prompts != NULL) { /* drain any accumulated messages */ -#if 0 /* XXX - not compatible with privsep */ - packet_start(SSH2_MSG_USERAUTH_BANNER); - packet_put_cstring(**prompts); - packet_put_cstring(""); - packet_send(); - packet_write_wait(); -#endif + debug("PAM: %s", **prompts); + buffer_append(&loginmsg, **prompts, + strlen(**prompts)); xfree(**prompts); **prompts = NULL; } 
@@ -630,21 +627,6 @@ do_pam_account(void) return (1); } -void -do_pam_session(void) -{ - sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&null_conv); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_err = pam_open_session(sshpam_handle, 0); - if (sshpam_err != PAM_SUCCESS) - fatal("PAM: pam_open_session(): %s", - pam_strerror(sshpam_handle, sshpam_err)); - sshpam_session_open = 1; -} - void do_pam_set_tty(const char *tty) { @@ -691,7 +673,7 @@ is_pam_password_change_required(void) } static int -pam_chauthtok_conv(int n, const struct pam_message **msg, +pam_tty_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { char input[PAM_MAX_MSG_SIZE]; @@ -700,7 +682,7 @@ pam_chauthtok_conv(int n, const struct pam_message **msg, *resp = NULL; - if (n <= 0 || n > PAM_MAX_NUM_MSG) + if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO)) return (PAM_CONV_ERR); if ((reply = malloc(n * sizeof(*reply))) == NULL) @@ -742,6 +724,8 @@ pam_chauthtok_conv(int n, const struct pam_message **msg, return (PAM_CONV_ERR); } +static struct pam_conv tty_conv = { pam_tty_conv, NULL }; + /* * XXX this should be done in the authentication phase, but ssh1 doesn't * support that @@ -749,15 +733,10 @@ pam_chauthtok_conv(int n, const struct pam_message **msg, void do_pam_chauthtok(void) { - struct pam_conv pam_conv; - - pam_conv.conv = pam_chauthtok_conv; - pam_conv.appdata_ptr = NULL; - if (use_privsep) fatal("Password expired (unable to change with privsep)"); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&pam_conv); + (const void *)&tty_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); 
@@ -768,6 +747,21 @@ do_pam_chauthtok(void) pam_strerror(sshpam_handle, sshpam_err)); } +void +do_pam_session(void) +{ + sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, + (const void *)&tty_conv); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: failed to set PAM_CONV: %s", + pam_strerror(sshpam_handle, sshpam_err)); + sshpam_err = pam_open_session(sshpam_handle, 0); + if (sshpam_err != PAM_SUCCESS) + fatal("PAM: pam_open_session(): %s", + pam_strerror(sshpam_handle, sshpam_err)); + sshpam_session_open = 1; +} + /* * Set a PAM environment string. We need to do this so that the session * modules can handle things like Kerberos/GSI credentials that appear -- cgit v1.2.3 From 8a1624c42df87c0dc0cad75f45bbb9eb34fcd59a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 18 Nov 2003 12:45:35 +1100 Subject: - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@ --- ChangeLog | 3 ++- auth-pam.c | 4 +++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7acb76b9c..0f20d071a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,7 @@ - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, and use it for do_pam_session. Fixes problems like pam_motd not displaying anything. ok djm@ + - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@ 20031117 - (djm) OpenBSD CVS Sync @@ -1479,4 +1480,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3114 2003/11/18 01:42:07 dtucker Exp $ +$Id: ChangeLog,v 1.3115 2003/11/18 01:45:35 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index af8d37fab..2594bed3d 100644 --- a/auth-pam.c +++ b/auth-pam.c 
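Review bot: do_pam_session now installs `tty_conv`, and pam_tty_conv returns PAM_CONV_ERR whenever `!isatty(STDIN_FILENO)`, so in a session without a terminal any session module that emits a message gets a conversation error. Because do_pam_session calls fatal() when pam_open_session fails, a module that treats that error as a failure would end the session. How the previous `null_conv` answered, and whether stdin is a tty at this point, are not visible here. A session-phase conversation function that accepts PAM_TEXT_INFO and PAM_ERROR_MSG without a tty and refuses only prompts would keep the pam_motd fix without that risk.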
@@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.81 2003/11/18 01:42:08 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.82 2003/11/18 01:45:36 dtucker Exp $"); #ifdef USE_PAM #include @@ -167,11 +167,13 @@ import_environments(Buffer *b) for(i = 0; i < num_env; i++) { env = buffer_get_string(b, NULL); +#ifdef HAVE_PAM_PUTENV /* Errors are not fatal here */ if ((err = pam_putenv(sshpam_handle, env)) != PAM_SUCCESS) { error("PAM: pam_putenv: %s", pam_strerror(sshpam_handle, sshpam_err)); } +#endif } } -- cgit v1.2.3 From 4bb1dd3166c2a04394e9ec55fdff6bf6ad667e39 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 18 Nov 2003 22:01:25 +1100 Subject: - (djm) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2003/11/18 00:40:05 [serverloop.c] Correct check for authctxt->valid. ok djm@ --- ChangeLog | 10 +++++++--- serverloop.c | 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0f20d071a..f728c801a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,9 +2,13 @@ - (djm) Fix early exit for root auth success when UsePAM=yes and PermitRootLogin=no - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, - and use it for do_pam_session. Fixes problems like pam_motd not displaying - anything. ok djm@ + and use it for do_pam_session. Fixes problems like pam_motd not + displaying anything. ok djm@ - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@ + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2003/11/18 00:40:05 + [serverloop.c] + Correct check for authctxt->valid. ok djm@ 20031117 - (djm) OpenBSD CVS Sync @@ -1480,4 +1484,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3115 2003/11/18 01:45:35 dtucker Exp $ +$Id: ChangeLog,v 1.3116 2003/11/18 11:01:25 djm Exp $ 
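Review bot: In import_environments the pam_putenv result is stored in `err`, but the message is formatted with `pam_strerror(sshpam_handle, sshpam_err)`, so the log reports a different and possibly stale status; it should be `pam_strerror(sshpam_handle, err)`. The string returned by `buffer_get_string(b, NULL)` is also never released in the visible loop, and with HAVE_PAM_PUTENV undefined it is not used at all. An `xfree(env);` after the `#endif` would fix that, provided pam_putenv copies its argument on the supported platforms, which needs confirming. With the macro undefined `err` is probably unused too and may draw a warning. The function starts outside the hunk.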
diff --git a/serverloop.c b/serverloop.c index 98793b756..20255aaee 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.112 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.113 2003/11/18 00:40:05 dtucker Exp $"); #include "xmalloc.h" #include "packet.h" @@ -973,7 +973,7 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt) u_short listen_port; pw = the_authctxt->pw; - if (pw == NULL || !the_authctxt->pw) + if (pw == NULL || !the_authctxt->valid) fatal("server_input_global_request: no/invalid user"); listen_address = packet_get_string(NULL); listen_port = (u_short)packet_get_int(); -- cgit v1.2.3 From f96d18362d4d1702e804473465601c2d316f5e52 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 18 Nov 2003 22:01:48 +1100 Subject: - djm@cvs.openbsd.org 2003/11/18 10:53:07 [monitor.c] unbreak fake authloop for non-existent users (my screwup). Spotted and tested by dtucker@; ok markus@ --- ChangeLog | 6 +++++- monitor.c | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index f728c801a..f3ab7cfba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,10 @@ - dtucker@cvs.openbsd.org 2003/11/18 00:40:05 [serverloop.c] Correct check for authctxt->valid. ok djm@ + - djm@cvs.openbsd.org 2003/11/18 10:53:07 + [monitor.c] + unbreak fake authloop for non-existent users (my screwup). Spotted and + tested by dtucker@; ok markus@ 20031117 - (djm) OpenBSD CVS Sync @@ -1484,4 +1488,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3116 2003/11/18 11:01:25 djm Exp $ +$Id: ChangeLog,v 1.3117 2003/11/18 11:01:48 djm Exp $ diff --git a/monitor.c b/monitor.c index c4f9a48fb..d4c1c6eb2 100644 --- a/monitor.c +++ b/monitor.c 
@@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.52 2003/11/17 11:06:07 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.53 2003/11/18 10:53:07 djm Exp $"); #include @@ -567,6 +567,7 @@ mm_answer_pwnamallow(int socket, Buffer *m) if (pwent == NULL) { buffer_put_char(m, 0); + authctxt->pw = fakepw(); goto out; } -- cgit v1.2.3 From 8c5e91c03fdd2693f0635f8b2a9904bffc94ce16 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 21 Nov 2003 23:09:10 +1100 Subject: - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/11/20 11:39:28 [progressmeter.c] fix rounding errors; from andreas@ --- ChangeLog | 8 +++++++- progressmeter.c | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f3ab7cfba..8a978ec04 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20031121 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/11/20 11:39:28 + [progressmeter.c] + fix rounding errors; from andreas@ + 20031118 - (djm) Fix early exit for root auth success when UsePAM=yes and PermitRootLogin=no @@ -1488,4 +1494,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3117 2003/11/18 11:01:48 djm Exp $ +$Id: ChangeLog,v 1.3118 2003/11/21 12:09:10 djm Exp $ diff --git a/progressmeter.c b/progressmeter.c index a244acf96..39940bd9a 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: progressmeter.c,v 1.16 2003/09/23 20:18:52 markus Exp $"); +RCSID("$OpenBSD: progressmeter.c,v 1.17 2003/11/20 11:39:28 markus Exp $"); #include "progressmeter.h" #include "atomicio.h" @@ -80,7 +80,7 @@ format_rate(char *buf, int size, off_t bytes) bytes = (bytes + 512) / 1024; } snprintf(buf, size, "%3lld.%1lld%c%s", - (int64_t) bytes / 100, + (int64_t) (bytes + 5) / 100, (int64_t) (bytes + 5) / 10 % 10, unit[i], i ? "B" : " "); -- cgit v1.2.3 
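Review bot: After the added `authctxt->pw = fakepw();` in mm_answer_pwnamallow, `pw` is non-NULL for a user that does not exist, so any code that treats a non-NULL `pw` as proof of a valid user becomes wrong. A comment at the assignment would make that explicit, for example `/* placeholder entry for a nonexistent user; never infer validity from pw */`. The serverloop.c change earlier in this series, where `!the_authctxt->valid` replaces a second `pw` test, shows the check that has to be used instead. Whether `authctxt->valid` is cleared on this path is outside the hunk.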
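Review bot: format_rate in progressmeter.c passes `(int64_t)` values to the `%3lld.%1lld` conversions, which match only where int64_t is long long; on a platform where it is long the arguments do not fit the format, which is undefined behaviour. Casting to the type the format names fixes this everywhere: `(long long)(bytes + 5) / 100,` and `(long long)(bytes + 5) / 10 % 10,`. The function body starts outside the hunk.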
From a8e06cef35c205e1aa562513c6d034a10c8c9a6d Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Fri, 21 Nov 2003 23:48:55 +1100 Subject: - djm@cvs.openbsd.org 2003/11/21 11:57:03 [everything] unexpand and delete whitespace at EOL; ok markus@ (done locally and RCS IDs synced) --- CREDITS | 4 +- ChangeLog | 6 +- INSTALL | 52 ++++---- LICENCE | 42 +++---- Makefile.in | 22 ++-- OVERVIEW | 18 +-- README | 20 +-- README.privsep | 12 +- README.smartcard | 14 +-- RFC.nroff | 4 +- TODO | 12 +- WARNING.RNG | 10 +- auth-chall.c | 2 +- auth-krb5.c | 6 +- auth-pam.c | 44 +++---- auth-passwd.c | 8 +- auth-sia.c | 2 +- auth.c | 10 +- auth1.c | 2 +- auth2-gss.c | 8 +- authfd.c | 4 +- authfd.h | 4 +- buffer.c | 2 +- channels.c | 6 +- cipher-ctr.c | 4 +- config.guess | 158 ++++++++++++------------ config.sub | 48 ++++---- configure.ac | 266 ++++++++++++++++++++-------------------- contrib/README | 6 +- contrib/aix/buildbff.sh | 50 ++++---- contrib/aix/inventory.sh | 4 +- contrib/caldera/ssh-host-keygen | 8 +- contrib/caldera/sshd.init | 8 +- contrib/cygwin/README | 4 +- contrib/cygwin/ssh-host-config | 18 +-- contrib/findssl.sh | 16 +-- contrib/gnome-ssh-askpass1.c | 14 +-- contrib/gnome-ssh-askpass2.c | 14 +-- contrib/redhat/openssh.spec | 6 +- contrib/solaris/README | 2 +- contrib/solaris/buildpkg.sh | 58 ++++----- contrib/solaris/opensshd.in | 16 +-- contrib/suse/openssh.spec | 24 ++-- defines.h | 4 +- dns.c | 6 +- entropy.c | 22 ++-- fixprogs | 2 +- gss-genr.c | 6 +- gss-serv-krb5.c | 14 +-- install-sh | 12 +- kex.c | 6 +- loginrec.c | 6 +- md5crypt.c | 8 +- mdoc2man.awk | 158 ++++++++++++------------ mkinstalldirs | 12 +- moduli.c | 62 +++++----- monitor.c | 4 +- monitor_wrap.c | 2 +- nchan.ms | 8 +- nchan2.ms | 8 +- packet.c | 2 +- readconf.h | 4 +- rijndael.c | 134 ++++++++++---------- scard-opensc.c | 16 +-- scp.c | 2 +- session.c | 8 +- sftp-client.c | 6 +- sftp-glob.c | 2 +- sftp-int.c | 14 +-- ssh-add.c | 8 +- ssh-agent.c | 4 +- ssh-keygen.c | 8 +- ssh-rand-helper.8 | 24 ++-- ssh-rand-helper.c | 38 +++--- ssh.c | 6 +- ssh_prng_cmds.in | 4 
+- sshconnect.c | 10 +- sshconnect2.c | 8 +- sshd.c | 6 +- sshd_config.5 | 10 +- sshpty.c | 2 +- uidswap.c | 12 +- 82 files changed, 855 insertions(+), 851 deletions(-) diff --git a/CREDITS b/CREDITS index 092229cf7..86b20ebce 100644 --- a/CREDITS +++ b/CREDITS @@ -1,6 +1,6 @@ Tatu Ylonen - Creator of SSH -Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, +Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song - Creators of OpenSSH Alain St-Denis - Irix fix @@ -94,5 +94,5 @@ Apologies to anyone I have missed. Damien Miller -$Id: CREDITS,v 1.74 2003/09/07 02:34:54 dtucker Exp $ +$Id: CREDITS,v 1.75 2003/11/21 12:48:55 djm Exp $ diff --git a/ChangeLog b/ChangeLog index 8a978ec04..1b3518803 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - markus@cvs.openbsd.org 2003/11/20 11:39:28 [progressmeter.c] fix rounding errors; from andreas@ + - djm@cvs.openbsd.org 2003/11/21 11:57:03 + [everything] + unexpand and delete whitespace at EOL; ok markus@ + (done locally and RCS IDs synced) 20031118 - (djm) Fix early exit for root auth success when UsePAM=yes and @@ -1494,4 +1498,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3118 2003/11/21 12:09:10 djm Exp $ +$Id: ChangeLog,v 1.3119 2003/11/21 12:48:55 djm Exp $ diff --git a/INSTALL b/INSTALL index 97ee76f64..a1c0e4b6b 100644 --- a/INSTALL +++ b/INSTALL 
@@ -4,21 +4,21 @@ You will need working installations of Zlib and OpenSSL. Zlib 1.1.4 or greater: -http://www.gzip.org/zlib/ +http://www.gzip.org/zlib/ OpenSSL 0.9.6 or greater: http://www.openssl.org/ -(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1 +(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1 Blowfish) do not work correctly.) OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system supports it. PAM is standard on Redhat and Debian Linux, Solaris and HP-UX 11. -NB. If you operating system supports /dev/random, you should configure -OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of -/dev/random. If you don't you will have to rely on ssh-rand-helper, which +NB. If you operating system supports /dev/random, you should configure +OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of +/dev/random. If you don't you will have to rely on ssh-rand-helper, which is inferior to a good kernel-based solution. PAM: @@ -37,7 +37,7 @@ http://www.jmknoble.net/software/x11-ssh-askpass/ PRNGD: -If your system lacks Kernel based random collection, the use of Lutz +If your system lacks Kernel based random collection, the use of Lutz Jaenicke's PRNGd is recommended. http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html @@ -54,7 +54,7 @@ http://www.sparc.spb.su/solaris/skey/ If you wish to use --with-skey then you will need the above library installed. No other current S/Key library is currently known to be -supported. +supported. 2. Building / Installation -------------------------- @@ -73,7 +73,7 @@ installation prefix, use the --prefix option to configure: make make install -Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override specific paths, for example: ./configure --prefix=/opt --sysconfdir=/etc/ssh 
@@ -104,26 +104,26 @@ There are a few other options to the configure script: --with-pam enables PAM support. If PAM support is compiled in, it must also be enabled in sshd_config (refer to the UsePAM directive). ---with-prngd-socket=/some/file allows you to enable EGD or PRNGD -support and to specify a PRNGd socket. Use this if your Unix lacks -/dev/random and you don't want to use OpenSSH's builtin entropy +--with-prngd-socket=/some/file allows you to enable EGD or PRNGD +support and to specify a PRNGd socket. Use this if your Unix lacks +/dev/random and you don't want to use OpenSSH's builtin entropy collection support. ---with-prngd-port=portnum allows you to enable EGD or PRNGD support -and to specify a EGD localhost TCP port. Use this if your Unix lacks -/dev/random and you don't want to use OpenSSH's builtin entropy +--with-prngd-port=portnum allows you to enable EGD or PRNGD support +and to specify a EGD localhost TCP port. Use this if your Unix lacks +/dev/random and you don't want to use OpenSSH's builtin entropy collection support. ---with-lastlog=FILE will specify the location of the lastlog file. +--with-lastlog=FILE will specify the location of the lastlog file. ./configure searches a few locations for lastlog, but may not find it if lastlog is installed in a different place. --without-lastlog will disable lastlog support entirely. ---with-osfsia, --without-osfsia will enable or disable OSF1's Security +--with-osfsia, --without-osfsia will enable or disable OSF1's Security Integration Architecture. The default for OSF1 machines is enable. ---with-skey=PATH will enable S/Key one time password support. You will +--with-skey=PATH will enable S/Key one time password support. You will need the S/Key libraries and header files installed for this to work. --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny) 
@@ -134,12 +134,12 @@ if your operating system uses MD5 passwords and the system crypt() does not support them directly (see the crypt(3/3c) man page). If enabled, the resulting binary will support both MD5 and traditional crypt passwords. ---with-utmpx enables utmpx support. utmpx support is automatic for +--with-utmpx enables utmpx support. utmpx support is automatic for some platforms. --without-shadow disables shadow password support. ---with-ipaddr-display forces the use of a numeric IP address in the +--with-ipaddr-display forces the use of a numeric IP address in the $DISPLAY environment variable. Some broken systems need this. --with-default-path=PATH allows you to specify a default $PATH for sessions 
@@ -169,35 +169,35 @@ CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure 3. Configuration ---------------- -The runtime configuration files are installed by in ${prefix}/etc or +The runtime configuration files are installed by in ${prefix}/etc or whatever you specified as your --sysconfdir (/usr/local/etc by default). -The default configuration should be instantly usable, though you should +The default configuration should be instantly usable, though you should review it to ensure that it matches your security requirements. To generate a host key, run "make host-key". Alternately you can do so -manually using the following commands: +manually using the following commands: ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" Replacing /etc/ssh with the correct path to the configuration directory. -(${prefix}/etc or whatever you specified with --sysconfdir during +(${prefix}/etc or whatever you specified with --sysconfdir during configuration) If you have configured OpenSSH with EGD support, ensure that EGD is running and has collected some Entropy. -For more information on configuration, please refer to the manual pages +For more information on configuration, please refer to the manual pages for sshd, ssh and ssh-agent. 4. Problems? ------------ -If you experience problems compiling, installing or running OpenSSH. +If you experience problems compiling, installing or running OpenSSH. Please refer to the "reporting bugs" section of the webpage at http://www.openssh.com/ -$Id: INSTALL,v 1.62 2003/10/21 02:41:14 dtucker Exp $ +$Id: INSTALL,v 1.63 2003/11/21 12:48:55 djm Exp $ diff --git a/LICENCE b/LICENCE index b47556dda..dab902150 100644 --- a/LICENCE +++ b/LICENCE 
@@ -45,16 +45,16 @@ OpenSSH contains no GPL code. software are publicly available on the Internet and at any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at "http://www.cs.hut.fi/crypto". - + The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any responsibility on your behalf. - - - NO WARRANTY - + + + NO WARRANTY + BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES @@ -64,7 +64,7 @@ OpenSSH contains no GPL code. TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, @@ -112,15 +112,15 @@ OpenSSH contains no GPL code. with the following license: * @version 3.0 (December 2000) - * + * * Optimised ANSI C code for the Rijndael cipher (now AES) - * + * * @author Vincent Rijmen * @author Antoon Bosselaers * @author Paulo Barreto - * + * * This code is hereby placed in the public domain. - * + * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -183,7 +183,7 @@ OpenSSH contains no GPL code. Nils Nordman Simon Wilkinson - Portable OpenSSH additionally includes code from the following copyright + Portable OpenSSH additionally includes code from the following copyright holders, also under the 2-term BSD license: Ben Lindstrom @@ -229,24 +229,24 @@ OpenSSH contains no GPL code. a) md5crypt.c, md5crypt.h * "THE BEER-WARE LICENSE" (Revision 42): - * wrote this file. As long as you retain this - * notice you can do whatever you want with this stuff. If we meet - * some day, and you think this stuff is worth it, you can buy me a + * wrote this file. As long as you retain this + * notice you can do whatever you want with this stuff. If we meet + * some day, and you think this stuff is worth it, you can buy me a * beer in return. Poul-Henning Kamp b) snprintf replacement * Copyright Patrick Powell 1995 - * This code is based on code written by Patrick Powell - * (papowell@astart.com) It may be used for any purpose as long as this + * This code is based on code written by Patrick Powell + * (papowell@astart.com) It may be used for any purpose as long as this * notice remains intact on all source code distributions c) Compatibility code (openbsd-compat) - Apart from the previously mentioned licenses, various pieces of code + Apart from the previously mentioned licenses, various pieces of code in the openbsd-compat/ subdirectory are licensed as follows: - Some code is licensed under a 3-term BSD license, to the following + Some code is licensed under a 3-term BSD license, to the following copyright holders: Todd C. Miller @@ -279,7 +279,7 @@ OpenSSH contains no GPL code. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - Some code is licensed under an ISC-style license, to the following + Some code is licensed under an ISC-style license, to the following copyright holders: Internet Software Consortium. 
@@ -297,7 +297,7 @@ OpenSSH contains no GPL code. * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - Some code is licensed under a MIT-style license to the following + Some code is licensed under a MIT-style license to the following copyright holders: Free Software Foundation, Inc. @@ -329,4 +329,4 @@ OpenSSH contains no GPL code. ------ -$OpenBSD: LICENCE,v 1.17 2003/08/22 20:55:06 markus Exp $ +$OpenBSD: LICENCE,v 1.18 2003/11/21 11:57:02 djm Exp $ diff --git a/Makefile.in b/Makefile.in index 61e3d4076..f1098fcb0 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.252 2003/10/07 00:18:22 djm Exp $ +# $Id: Makefile.in,v 1.253 2003/11/21 12:48:55 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -140,22 +140,22 @@ scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 $(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
- $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
- $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
- $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o
- $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
- $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o
- $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o progressmeter.o
 $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -193,12 +193,12 @@ moduli: echo clean: regressclean - rm -f *.o *.a $(TARGETS) logintest config.cache config.log - rm -f *.out core + rm -f *.o *.a $(TARGETS) logintest config.cache config.log + rm -f *.out core (cd openbsd-compat && $(MAKE) clean) distclean: regressclean - rm -f *.o *.a $(TARGETS) logintest config.cache config.log + rm -f *.o *.a $(TARGETS) logintest config.cache config.log rm -f *.out core rm -f Makefile config.h config.status ssh_prng_cmds *~ rm -rf autom4te.cache @@ -343,7 +343,7 @@ uninstallall: uninstall -rmdir $(DESTDIR)$(mandir) -rmdir $(DESTDIR)$(libexecdir) -uninstall: +uninstall: -rm -f $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT) -rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT) diff --git a/OVERVIEW b/OVERVIEW index ff03ecab2..df46ec28a 100644 --- a/OVERVIEW +++ b/OVERVIEW @@ -5,7 +5,7 @@ to developers.] This document is intended for those who wish to read the ssh source code. This tries to give an overview of the structure of the code. - + Copyright (c) 1995 Tatu Ylonen Updated 17 Nov 1995. Updated 19 Oct 1999 for OpenSSH-1.2 @@ -20,7 +20,7 @@ There are some subsystems/abstractions that are used by a number of these programs. Buffer manipulation routines - + - These provide an arbitrary size buffer, where data can be appended. Data can be consumed from either end. The code is used heavily throughout ssh. The basic buffer manipulation functions are in @@ -28,7 +28,7 @@ these programs. data types is in bufaux.c. Compression Library - + - Ssh uses the GNU GZIP compression library (ZLIB). Encryption/Decryption 
@@ -89,7 +89,7 @@ these programs. code is linked into the server. The routines also manipulate known hosts files using code in hostfile.c. Code in canohost.c is used to retrieve the canonical host name of the remote host. - Code in match.c is used to match host names. + Code in match.c is used to match host names. - In the client end, authentication code is in sshconnect.c. It reads Passwords/passphrases using code in readpass.c. It reads @@ -147,10 +147,10 @@ these programs. operations, and finally the server enters the normal session mode by calling server_loop in serverloop.c. This does the real work, calling functions in other modules. - + - The code for the server is in sshd.c. It contains a lot of stuff, including: - - server main program + - server main program - waiting for connections - processing new connection - authentication @@ -162,9 +162,9 @@ these programs. - There are several other files in the distribution that contain various auxiliary routines: - ssh.h the main header file for ssh (various definitions) - getput.h byte-order independent storage of integers - includes.h includes most system headers. Lots of #ifdefs. + ssh.h the main header file for ssh (various definitions) + getput.h byte-order independent storage of integers + includes.h includes most system headers. Lots of #ifdefs. tildexpand.c expand tilde in file names uidswap.c uid-swapping xmalloc.c "safe" malloc routines diff --git a/README b/README index 5709fbeaf..6cd096006 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ -- A Japanese translation of this document and of the OpenSSH FAQ is +- A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html - Thanks to HARUYAMA Seigo 
@@ -13,10 +13,10 @@ Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt, and Dug Song. It has a homepage at http://www.openssh.com/ This port consists of the re-introduction of autoconf support, PAM -support (for Linux and Solaris), EGD[1]/PRNGD[2] support and replacements -for OpenBSD library functions that are (regrettably) absent from other -unices. This port has been best tested on Linux, Solaris, HP-UX, NetBSD, -Irix and AIX. Support for SCO, NeXT and other Unices is underway. +support (for Linux and Solaris), EGD[1]/PRNGD[2] support and replacements +for OpenBSD library functions that are (regrettably) absent from other +unices. This port has been best tested on Linux, Solaris, HP-UX, NetBSD, +Irix and AIX. Support for SCO, NeXT and other Unices is underway. This version actively tracks changes in the OpenBSD CVS repository. The PAM support is now more functional than the popular packages of 
@@ -32,20 +32,20 @@ Please send bug reports and patches to the mailing list openssh-unix-dev@mindrot.org. The list is open to posting by unsubscribed users. -If you are a citizen of an USA-embargoed country to which export of -cryptographic products is restricted, then please refrain from sending +If you are a citizen of an USA-embargoed country to which export of +cryptographic products is restricted, then please refrain from sending crypto-related code or patches to the list. We cannot accept them. Other code contribution are accepted, but please follow the OpenBSD style guidelines[6]. Please refer to the INSTALL document for information on how to install -OpenSSH on your system. There are a number of differences between this +OpenSSH on your system. There are a number of differences between this port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7] for details and general tips. Damien Miller -Miscellania - +Miscellania - This version of OpenSSH is based upon code retrieved from the OpenBSD CVS repository which in turn was based on the last free sample @@ -63,4 +63,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.51 2003/01/08 12:28:40 djm Exp $ +$Id: README,v 1.52 2003/11/21 12:48:55 djm Exp $ diff --git a/README.privsep b/README.privsep index 64adad83b..9d48bbcf9 100644 --- a/README.privsep +++ b/README.privsep 
@@ -1,15 +1,15 @@ Privilege separation, or privsep, is method in OpenSSH by which operations that require root privilege are performed by a separate privileged monitor process. Its purpose is to prevent privilege -escalation by containing corruption to an unprivileged process. +escalation by containing corruption to an unprivileged process. More information is available at: http://www.citi.umich.edu/u/provos/ssh/privsep.html Privilege separation is now enabled by default; see the UsePrivilegeSeparation option in sshd_config(5). -On systems which lack mmap or anonymous (MAP_ANON) memory mapping, -compression must be disabled in order for privilege separation to +On systems which lack mmap or anonymous (MAP_ANON) memory mapping, +compression must be disabled in order for privilege separation to function. When privsep is enabled, during the pre-authentication phase sshd will @@ -38,9 +38,9 @@ privsep user and chroot directory: Privsep requires operating system support for file descriptor passing. Compression will be disabled on systems without a working mmap MAP_ANON. -PAM-enabled OpenSSH is known to function with privsep on Linux. +PAM-enabled OpenSSH is known to function with privsep on Linux. It does not function on HP-UX with a trusted system -configuration. +configuration. On Compaq Tru64 Unix, only the pre-authentication part of privsep is supported. Post-authentication privsep is disabled automatically (so @@ -61,4 +61,4 @@ process 1005 is the sshd process listening for new connections. process 6917 is the privileged monitor process, 6919 is the user owned sshd process and 6921 is the shell process. -$Id: README.privsep,v 1.12 2003/08/26 00:48:15 djm Exp $ +$Id: README.privsep,v 1.13 2003/11/21 12:48:55 djm Exp $ diff --git a/README.smartcard b/README.smartcard index 88810fc83..fdf83ecab 100644 --- a/README.smartcard +++ b/README.smartcard 
@@ -1,7 +1,7 @@ How to use smartcards with OpenSSH? OpenSSH contains experimental support for authentication using -Cyberflex smartcards and TODOS card readers, in addition to the cards +Cyberflex smartcards and TODOS card readers, in addition to the cards with PKCS#15 structure supported by OpenSC. To enable this you need to: @@ -27,8 +27,8 @@ Using libsectok: sectok> login -d sectok> jload /usr/libdata/ssh/Ssh.bin sectok> setpass - Enter new AUT0 passphrase: - Re-enter passphrase: + Enter new AUT0 passphrase: + Re-enter passphrase: sectok> quit Do not forget the passphrase. There is no way to @@ -51,9 +51,9 @@ Using libsectok: $ sectok sectok> login -d - sectok> acl 0012 world: w - world: w - AUT0: w inval + sectok> acl 0012 world: w + world: w + AUT0: w inval sectok> quit If you do this, anyone who has access to your card @@ -90,4 +90,4 @@ Common operations: -markus, Tue Jul 17 23:54:51 CEST 2001 -$OpenBSD: README.smartcard,v 1.8 2002/03/26 18:56:23 rees Exp $ +$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $ diff --git a/RFC.nroff b/RFC.nroff index bf7146a70..d6baed652 100644 --- a/RFC.nroff +++ b/RFC.nroff @@ -137,7 +137,7 @@ pseudo tty, starting X11 [X11] or TCP/IP port forwarding, starting authentication agent forwarding, and executing the shell or a command. When a shell or command is executed, the connection enters interactive -session mode. In this mode, data is passed in both directions, +session mode. In this mode, data is passed in both directions, new forwarded connections may be opened, etc. The interactive session normally terminates when the server sends the exit status of the program to the client. @@ -372,7 +372,7 @@ previous versions keep the same major protocol version; changes that are not compatible increment the major version (which will hopefully never happen). The version described in this document is 1.3. -The client will +The client will .ti 0 Key Exchange and Server Host Authentication 
diff --git a/TODO b/TODO index bca818523..03e268594 100644 --- a/TODO +++ b/TODO @@ -8,7 +8,7 @@ Documentation: - Install FAQ? - General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it - would be best to use them. + would be best to use them. - Create a Documentation/ directory? @@ -17,7 +17,7 @@ Programming: - Grep for 'XXX' comments and fix - Link order is incorrect for some systems using Kerberos 4 and AFS. Result - is multiple inclusion of DES symbols. Holger Trapp + is multiple inclusion of DES symbols. Holger Trapp reports that changing the configure generated link order from: -lresolv -lkrb -lz -lnsl -lutil -lkafs -lkrb -ldes -lcrypto @@ -26,7 +26,7 @@ Programming: fixing the problem. - Write a test program that calls stat() to search for EGD/PRNGd socket - rather than use the (non-portable) "test -S". + rather than use the (non-portable) "test -S". - More platforms for for setproctitle() emulation (testing needed) @@ -70,7 +70,7 @@ Clean up configure/makefiles: to allow people to (right/wrongfully) link against Bind directly. - Consider splitting configure.ac into seperate files which do logically - similar tests. E.g move all the type detection stuff into one file, + similar tests. E.g move all the type detection stuff into one file, entropy related stuff into another. Packaging: @@ -86,7 +86,7 @@ PrivSep Issues: + /dev/zero solution (Solaris) + No/broken MAP_ANON (Irix) + broken /dev/zero parse (Linux) -- PAM +- PAM + See above PAM notes - AIX + usrinfo() does not set TTY, but only required for legacy systems. Works @@ -96,4 +96,4 @@ PrivSep Issues: - Cygwin + Privsep for Pre-auth only (no fd passing) -$Id: TODO,v 1.55 2003/06/11 13:56:41 dtucker Exp $ +$Id: TODO,v 1.56 2003/11/21 12:48:55 djm Exp $ diff --git a/WARNING.RNG b/WARNING.RNG index ae43930a7..5d4ea8753 100644 --- a/WARNING.RNG +++ b/WARNING.RNG 
@@ -44,16 +44,16 @@ the specified program. The random number code will also read and save a seed file to ~/.ssh/prng_seed. This contents of this file are added to the random -number generator at startup. The goal here is to maintain as much +number generator at startup. The goal here is to maintain as much randomness between sessions as possible. The default entropy collection code has two main problems: 1. It is slow. -Executing each program in the list can take a large amount of time, -especially on slower machines. Additionally some program can take a -disproportionate time to execute. +Executing each program in the list can take a large amount of time, +especially on slower machines. Additionally some program can take a +disproportionate time to execute. Tuning the default entropy collection code is difficult at this point. It requires doing 'times ./ssh-rand-helper' and modifying the @@ -93,4 +93,4 @@ If you are forced to use ssh-rand-helper consider still downloading prngd/egd and configure OpenSSH using --with-prngd-port=xx or --with-prngd-socket=xx (refer to INSTALL for more information). -$Id: WARNING.RNG,v 1.5 2002/04/14 13:16:05 djm Exp $ +$Id: WARNING.RNG,v 1.6 2003/11/21 12:48:55 djm Exp $ diff --git a/auth-chall.c b/auth-chall.c index dd55d6eb0..a9d314dd2 100644 --- a/auth-chall.c +++ b/auth-chall.c @@ -84,7 +84,7 @@ verify_response(Authctxt *authctxt, const char *response) if ((device->query(authctxt->kbdintctxt, &name, &info, &numprompts, &prompts, &echo_on)) != 0) break; - if (numprompts == 0 && + if (numprompts == 0 && device->respond(authctxt->kbdintctxt, 0, resp) == 0) authenticated = 1; diff --git a/auth-krb5.c b/auth-krb5.c index 101e53bca..b41c4882b 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -28,7 +28,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-krb5.c,v 1.14 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -136,11 +136,11 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 if (problem)
 goto out;
- if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
+ if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
 authctxt->pw->pw_name)) {
 problem = -1;
 goto out;
- }
+ }
 snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
diff --git a/auth-pam.c b/auth-pam.c
index 2594bed3d..8b1915669 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -31,7 +31,7 @@
 /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.82 2003/11/18 01:45:36 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.83 2003/11/21 12:48:55 djm Exp $");
 #ifdef USE_PAM
 #include
@@ -59,11 +59,11 @@ extern Buffer loginmsg;
 #ifdef USE_POSIX_THREADS
 #include
 /*
- * Avoid namespace clash when *not* using pthreads for systems *with*
- * pthreads, which unconditionally define pthread_t via sys/types.h
+ * Avoid namespace clash when *not* using pthreads for systems *with*
+ * pthreads, which unconditionally define pthread_t via sys/types.h
 * (e.g. Linux)
 */
-typedef pthread_t sp_pthread_t;
+typedef pthread_t sp_pthread_t;
 #else
 /*
 * Simulate threads with processes.
@@ -136,7 +136,7 @@ static char **
 pam_getenvlist(pam_handle_t *pamh)
 {
 /*
- * XXX - If necessary, we can still support envrionment passing
+ * XXX - If necessary, we can still support envrionment passing
 * for platforms without pam_getenvlist by searching for known
 * env vars (e.g. KRB5CCNAME) from the PAM environment.
 */
@@ -203,21 +203,21 @@ sshpam_thread_conv(int n, const struct pam_message **msg,
 for (i = 0; i < n; ++i) {
 switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
 case PAM_PROMPT_ECHO_OFF:
- buffer_put_cstring(&buffer,
+ buffer_put_cstring(&buffer,
 PAM_MSG_MEMBER(msg, i, msg));
- if (ssh_msg_send(ctxt->pam_csock,
+ if (ssh_msg_send(ctxt->pam_csock,
 PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
 goto fail;
- if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
+ if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
 goto fail;
 if (buffer_get_char(&buffer) != PAM_AUTHTOK)
 goto fail;
 reply[i].resp = buffer_get_string(&buffer, NULL);
 break;
 case PAM_PROMPT_ECHO_ON:
- buffer_put_cstring(&buffer,
+ buffer_put_cstring(&buffer,
 PAM_MSG_MEMBER(msg, i, msg));
- if (ssh_msg_send(ctxt->pam_csock,
+ if (ssh_msg_send(ctxt->pam_csock,
 PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
 goto fail;
 if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
@@ -227,16 +227,16 @@ sshpam_thread_conv(int n, const struct pam_message **msg,
 reply[i].resp = buffer_get_string(&buffer, NULL);
 break;
 case PAM_ERROR_MSG:
- buffer_put_cstring(&buffer,
+ buffer_put_cstring(&buffer,
 PAM_MSG_MEMBER(msg, i, msg));
- if (ssh_msg_send(ctxt->pam_csock,
+ if (ssh_msg_send(ctxt->pam_csock,
 PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
 goto fail;
 break;
 case PAM_TEXT_INFO:
- buffer_put_cstring(&buffer,
+ buffer_put_cstring(&buffer,
 PAM_MSG_MEMBER(msg, i, msg));
- if (ssh_msg_send(ctxt->pam_csock,
+ if (ssh_msg_send(ctxt->pam_csock,
 PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
 goto fail;
 break;
@@ -402,11 +402,11 @@ sshpam_init(const char *user)
 return (-1);
 }
 #ifdef PAM_TTY_KLUDGE
- /*
- * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
- * sshd doesn't set the tty until too late in the auth process and
+ /*
+ * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
+ * sshd doesn't set the tty until too late in the auth process and
 * may not even set one (for tty-less connections)
- */
+ */
 debug("PAM: setting PAM_TTY to \"ssh\"");
 sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
 if (sshpam_err != PAM_SUCCESS) {
@@ -695,7 +695,7 @@ pam_tty_conv(int n, const struct pam_message **msg,
 switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
 case PAM_PROMPT_ECHO_OFF:
 reply[i].resp =
- read_passphrase(PAM_MSG_MEMBER(msg, i, msg),
+ read_passphrase(PAM_MSG_MEMBER(msg, i, msg),
 RP_ALLOW_STDIN);
 reply[i].resp_retcode = PAM_SUCCESS;
 break;
@@ -752,7 +752,7 @@ do_pam_chauthtok(void)
 void
 do_pam_session(void)
 {
- sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 (const void *)&tty_conv);
 if (sshpam_err != PAM_SUCCESS)
 fatal("PAM: failed to set PAM_CONV: %s",
@@ -764,13 +764,13 @@ do_pam_session(void)
 sshpam_session_open = 1;
 }
-/*
+/*
 * Set a PAM environment string. We need to do this so that the session
 * modules can handle things like Kerberos/GSI credentials that appear
 * during the ssh authentication process.
 */
 int
-do_pam_putenv(char *name, char *value)
+do_pam_putenv(char *name, char *value)
 {
 int ret = 1;
 #ifdef HAVE_PAM_PUTENV
diff --git a/auth-passwd.c b/auth-passwd.c
index b7e275556..4cbfe3689 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -97,7 +97,7 @@ auth_password(Authctxt *authctxt, const char *password)
 if (authenticate(pw->pw_name, password, &reenter, &authmsg) == 0 && ok) {
 char *msg;
- char *host =
+ char *host =
 (char *)get_canonical_hostname(options.use_dns);
 authsuccess = 1;
@@ -106,13 +106,13 @@ auth_password(Authctxt *authctxt, const char *password)
 debug3("AIX/authenticate succeeded for user %s: %.100s", pw->pw_name, authmsg);
- /* No pty yet, so just label the line as "ssh" */
+ /* No pty yet, so just label the line as "ssh" */
 aix_setauthdb(authctxt->user);
- if (loginsuccess(authctxt->user, host, "ssh",
+ if (loginsuccess(authctxt->user, host, "ssh",
 &msg) == 0) {
 if (msg != NULL) {
 debug("%s: msg %s", __func__, msg);
- buffer_append(&loginmsg, msg,
+ buffer_append(&loginmsg, msg,
 strlen(msg));
 xfree(msg);
 }
diff --git a/auth-sia.c b/auth-sia.c
index cae5f0912..544b601b3 100644
--- a/auth-sia.c
+++ b/auth-sia.c
@@ -83,7 +83,7 @@ session_setup_sia(struct passwd *pw, char *tty)
 host = get_canonical_hostname(options.use_dns);
- if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
+ if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
 tty, 0, NULL) != SIASUCCESS)
 fatal("sia_ses_init failed");
diff --git a/auth.c b/auth.c
index fcafae861..a8cf0ce20 100644
--- a/auth.c
+++ b/auth.c
@@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.50 2003/09/23 20:17:11 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.51 2003/11/21 11:57:02 djm Exp $");
 #ifdef HAVE_LOGIN_H
 #include
@@ -129,7 +129,7 @@ allowed_user(struct passwd * pw)
 #endif /* HAS_SHADOW_EXPIRE */
 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
- /* grab passwd field for locked account check */
+ /* grab passwd field for locked account check */
 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
 if (spw != NULL)
 passwd = spw->sp_pwdp;
@@ -137,7 +137,7 @@ allowed_user(struct passwd * pw)
 passwd = pw->pw_passwd;
 #endif
- /* check for locked account */
+ /* check for locked account */
 if (!options.use_pam && passwd && *passwd) {
 int locked = 0;
@@ -249,7 +249,7 @@ allowed_user(struct passwd * pw)
 if ((pw->pw_uid != 0) && (geteuid() == 0)) {
 char *msg;
- if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
+ if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &msg) != 0) {
 int loginrestrict_errno = errno;
 if (msg && *msg) {
@@ -259,7 +259,7 @@ allowed_user(struct passwd * pw)
 pw->pw_name, msg);
 }
 /* Don't fail if /etc/nologin set */
- if (!(loginrestrict_errno == EPERM &&
+ if (!(loginrestrict_errno == EPERM &&
 stat(_PATH_NOLOGIN, &st) == 0))
 return 0;
 }
diff --git a/auth1.c b/auth1.c
index 2156c927d..0615f4ae5 100644
--- a/auth1.c
+++ b/auth1.c
@@ -246,7 +246,7 @@ do_authloop(Authctxt *authctxt)
 #endif
 #ifdef USE_PAM
- if (options.use_pam && authenticated &&
+ if (options.use_pam && authenticated &&
 !PRIVSEP(do_pam_account()))
 authenticated = 0;
 #endif
diff --git a/auth2-gss.c b/auth2-gss.c
index 220862dc8..799d3326c 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.6 2003/11/17 11:06:07 markus Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.7 2003/11/21 11:57:03 djm Exp $ */
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -82,11 +82,11 @@ userauth_gssapi(Authctxt *authctxt)
 present = 0;
 doid = packet_get_string(&len);
- if (len > 2 &&
+ if (len > 2 &&
 doid[0] == SSH_GSS_OIDTYPE && doid[1] == len - 2) {
- oid.elements = doid + 2;
- oid.length = len - 2;
+ oid.elements = doid + 2;
+ oid.length = len - 2;
 gss_test_oid_set_member(&ms, &oid, supported, &present);
 } else {
diff --git a/authfd.c b/authfd.c
index 5fdf1ca3d..6a7c07205 100644
--- a/authfd.c
+++ b/authfd.c
@@ -35,7 +35,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: authfd.c,v 1.62 2003/09/18 13:02:21 miod Exp $");
+RCSID("$OpenBSD: authfd.c,v 1.63 2003/11/21 11:57:03 djm Exp $");
 #include
@@ -590,7 +590,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 }
 int
-ssh_update_card(AuthenticationConnection *auth, int add,
+ssh_update_card(AuthenticationConnection *auth, int add,
 const char *reader_id, const char *pin, u_int life, u_int confirm)
 {
 Buffer msg;
diff --git a/authfd.h b/authfd.h
index 74b825c51..0a6a4e3ec 100644
--- a/authfd.h
+++ b/authfd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.33 2003/06/11 11:18:38 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.34 2003/11/21 11:57:03 djm Exp $ */
 /*
 * Author: Tatu Ylonen
@@ -83,7 +83,7 @@ int ssh_add_identity_constrained(AuthenticationConnection *, Key *,
 int ssh_remove_identity(AuthenticationConnection *, Key *);
 int ssh_remove_all_identities(AuthenticationConnection *, int);
 int ssh_lock_agent(AuthenticationConnection *, int, const char *);
-int ssh_update_card(AuthenticationConnection *, int, const char *,
+int ssh_update_card(AuthenticationConnection *, int, const char *,
 const char *, u_int, u_int);
 int
diff --git a/buffer.c b/buffer.c
index 69d5b57c0..236aeb0cd 100644
--- a/buffer.c
+++ b/buffer.c
@@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: buffer.c,v 1.20 2003/09/19 09:03:00 markus Exp $");
+RCSID("$OpenBSD: buffer.c,v 1.21 2003/11/21 11:57:03 djm Exp $");
 #include "xmalloc.h"
 #include "buffer.h"
diff --git a/channels.c b/channels.c
index 060d0f507..4150b5504 100644
--- a/channels.c
+++ b/channels.c
@@ -39,7 +39,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: channels.c,v 1.197 2003/09/23 20:41:11 markus Exp $");
+RCSID("$OpenBSD: channels.c,v 1.198 2003/11/21 11:57:03 djm Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@@ -970,7 +970,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset)
 have = buffer_len(&c->input);
 if (!(c->flags & SSH_SOCKS5_AUTHDONE)) {
 /* format: ver | nmethods | methods */
- if (have < 2)
+ if (have < 2)
 return 0;
 nmethods = p[1];
 if (have < nmethods + 2)
@@ -1397,7 +1397,7 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) data = buffer_ptr(&c->output); dlen = buffer_len(&c->output); #ifdef _AIX - /* XXX: Later AIX versions can't push as much data to tty */ + /* XXX: Later AIX versions can't push as much data to tty */ if (compat20 && c->wfd_isatty && dlen > 8*1024) dlen = 8*1024; #endif diff --git a/cipher-ctr.c b/cipher-ctr.c index 4f0814b22..a9ddb8a66 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: cipher-ctr.c,v 1.2 2003/06/17 18:14:23 markus Exp $"); +RCSID("$OpenBSD: cipher-ctr.c,v 1.3 2003/11/21 11:57:03 djm Exp $"); #include @@ -94,7 +94,7 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, EVP_CIPHER_CTX_set_app_data(ctx, c); } if (key != NULL) - AES_set_encrypt_key(key, ctx->key_len * 8, &c->aes_ctx); + AES_set_encrypt_key(key, ctx->key_len * 8, &c->aes_ctx); if (iv != NULL) memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); return (1); diff --git a/config.guess b/config.guess index e8f206123..3fe4d4f35 100755 --- a/config.guess +++ b/config.guess @@ -174,7 +174,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in fi ;; *) - os=netbsd + os=netbsd ;; esac # The OS release 
@@ -382,23 +382,23 @@ EOF # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit 0 ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} - exit 0 ;; + exit 0 ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint${UNAME_RELEASE} exit 0 ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} - exit 0 ;; + echo m68k-milan-mint${UNAME_RELEASE} + exit 0 ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} - exit 0 ;; + echo m68k-hades-mint${UNAME_RELEASE} + exit 0 ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} - exit 0 ;; + echo m68k-unknown-mint${UNAME_RELEASE} + exit 0 ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} exit 0 ;; @@ -462,8 +462,8 @@ EOF echo m88k-motorola-sysv3 exit 0 ;; AViiON:dgux:*:*) - # DG/UX returns AViiON for all architectures - UNAME_PROCESSOR=`/usr/bin/uname -p` + # DG/UX returns AViiON for all architectures + UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ @@ -476,7 +476,7 @@ EOF else echo i586-dg-dgux${UNAME_RELEASE} fi - exit 0 ;; + exit 0 ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit 0 ;; 
@@ -573,52 +573,52 @@ EOF 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` - sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in - 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 - 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 - 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in - 32) HP_ARCH="hppa2.0n" ;; - 64) HP_ARCH="hppa2.0w" ;; + sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` + case "${sc_cpu_version}" in + 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 + 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 + 532) # CPU_PA_RISC2_0 + case "${sc_kernel_bits}" in + 32) HP_ARCH="hppa2.0n" ;; + 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 - esac ;; - esac + esac ;; + esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c - #define _HPUX_SOURCE - #include - #include + #define _HPUX_SOURCE + #include + #include - int main () - { - #if defined(_SC_KERNEL_BITS) - long bits = sysconf(_SC_KERNEL_BITS); - #endif - long cpu = sysconf (_SC_CPU_VERSION); + int main () + { + #if defined(_SC_KERNEL_BITS) + long bits = sysconf(_SC_KERNEL_BITS); + #endif + long cpu = sysconf (_SC_CPU_VERSION); - switch (cpu) - { - case CPU_PA_RISC1_0: puts ("hppa1.0"); break; - case CPU_PA_RISC1_1: puts ("hppa1.1"); break; - case CPU_PA_RISC2_0: - #if defined(_SC_KERNEL_BITS) - switch (bits) - { - case 64: puts ("hppa2.0w"); break; - case 32: puts ("hppa2.0n"); break; - default: puts ("hppa2.0"); break; - } break; - #else /* !defined(_SC_KERNEL_BITS) */ - puts ("hppa2.0"); break; - #endif - default: puts ("hppa1.0"); break; - } - exit (0); - } + switch (cpu) + { + case CPU_PA_RISC1_0: puts ("hppa1.0"); break; + case CPU_PA_RISC1_1: puts ("hppa1.1"); break; + case CPU_PA_RISC2_0: + #if defined(_SC_KERNEL_BITS) + switch (bits) + { + case 64: puts ("hppa2.0w"); break; + case 32: puts ("hppa2.0n"); break; + default: puts ("hppa2.0"); break; + } 
break; + #else /* !defined(_SC_KERNEL_BITS) */ + puts ("hppa2.0"); break; + #endif + default: puts ("hppa1.0"); break; + } + exit (0); + } EOF (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null) && HP_ARCH=`$dummy` if test -z "$HP_ARCH"; then HP_ARCH=hppa; fi @@ -689,22 +689,22 @@ EOF exit 0 ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd - exit 0 ;; + exit 0 ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi - exit 0 ;; + exit 0 ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo c34-convex-bsd - exit 0 ;; + exit 0 ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd - exit 0 ;; + exit 0 ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd - exit 0 ;; + exit 0 ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; @@ -731,10 +731,10 @@ EOF exit 0 ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` - FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` - echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" - exit 0 ;; + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" + exit 0 ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} exit 0 ;; @@ -836,7 +836,7 @@ EOF EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; - esac + esac objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} 
@@ -875,7 +875,7 @@ EOF s/.*supported targets: *// s/ .*// p'` - case "$ld_supported_targets" in + case "$ld_supported_targets" in elf32-i386) TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu" ;; @@ -925,11 +925,11 @@ EOF echo i386-sequent-sysv4 exit 0 ;; i*86:UNIX_SV:4.2MP:2.*) - # Unixware is an offshoot of SVR4, but it has its own version - # number series starting with 2... - # I am not positive that other SVR4 systems won't match this, + # Unixware is an offshoot of SVR4, but it has its own version + # number series starting with 2... + # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. - # Use sysv4.2uw... so that sysv4* matches it. + # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit 0 ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) @@ -971,10 +971,10 @@ EOF exit 0 ;; pc:*:*:*) # Left here for compatibility: - # uname -m prints for DJGPP always 'pc', but it prints nothing about - # the processor, so we play safe by assuming i386. + # uname -m prints for DJGPP always 'pc', but it prints nothing about + # the processor, so we play safe by assuming i386. echo i386-pc-msdosdjgpp - exit 0 ;; + exit 0 ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit 0 ;; @@ -1003,8 +1003,8 @@ EOF /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && echo i586-ncr-sysv4.3${OS_REL} && exit 0 ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) - /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && echo i486-ncr-sysv4 && exit 0 ;; + /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ + && echo i486-ncr-sysv4 && exit 0 ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} exit 0 ;; @@ -1041,9 +1041,9 @@ EOF fi exit 0 ;; PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort - # says - echo i586-unisys-sysv4 - exit 0 ;; + # says + echo i586-unisys-sysv4 + exit 0 ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm 
@@ -1065,11 +1065,11 @@ EOF exit 0 ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} + echo mips-nec-sysv${UNAME_RELEASE} else - echo mips-unknown-sysv${UNAME_RELEASE} + echo mips-unknown-sysv${UNAME_RELEASE} fi - exit 0 ;; + exit 0 ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit 0 ;; @@ -1179,11 +1179,11 @@ main () #include printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 - "4" + "4" #else "" #endif - ); exit (0); + ); exit (0); #endif #endif diff --git a/config.sub b/config.sub index a0b7bb9e8..75a74f78e 100755 --- a/config.sub +++ b/config.sub @@ -162,10 +162,10 @@ case $os in os=-chorusos basic_machine=$1 ;; - -chorusrdb) - os=-chorusrdb + -chorusrdb) + os=-chorusrdb basic_machine=$1 - ;; + ;; -hiux*) os=-hiuxwe2 ;; @@ -748,7 +748,7 @@ case $basic_machine in pbb) basic_machine=m68k-tti ;; - pc532 | pc532-*) + pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pentium | p5 | k5 | k6 | nexgen | viac3) @@ -775,22 +775,22 @@ case $basic_machine in power) basic_machine=power-ibm ;; ppc) basic_machine=powerpc-unknown - ;; + ;; ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown - ;; + ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown - ;; + ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown - ;; + ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; @@ -886,11 +886,11 @@ case $basic_machine in sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; - sv1) + sv1) basic_machine=sv1-cray os=-unicos ;; - sx*-nec) + sx*-nec) basic_machine=sx6-nec os=-sysv ;; 
@@ -948,8 +948,8 @@ case $basic_machine in os=-vms ;; vpp*|vx|vx-*) - basic_machine=f301-fujitsu - ;; + basic_machine=f301-fujitsu + ;; vxworks960) basic_machine=i960-wrs os=-vxworks @@ -974,7 +974,7 @@ case $basic_machine in basic_machine=i386-pc os=-windows32-msvcrt ;; - xps | xps100) + xps | xps100) basic_machine=xps100-honeywell ;; ymp) @@ -1029,7 +1029,7 @@ case $basic_machine in sparc | sparcv9 | sparcv9b) basic_machine=sparc-sun ;; - cydra) + cydra) basic_machine=cydra-cydrome ;; orion) @@ -1074,8 +1074,8 @@ esac if [ x"$os" != x"" ] then case $os in - # First match some system type aliases - # that might get confused with valid system types. + # First match some system type aliases + # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` @@ -1179,7 +1179,7 @@ case $os in os=-rtmk-nova ;; -ns2 ) - os=-nextstep2 + os=-nextstep2 ;; -nsk*) os=-nsk @@ -1218,8 +1218,8 @@ case $os in -xenix) os=-xenix ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + os=-mint ;; -none) ;; @@ -1256,7 +1256,7 @@ case $basic_machine in pdp10-*) os=-tops20 ;; - pdp11-*) + pdp11-*) os=-none ;; *-dec | vax-*) @@ -1349,19 +1349,19 @@ case $basic_machine in *-next) os=-nextstep3 ;; - *-gould) + *-gould) os=-sysv ;; - *-highlevel) + *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; - *-sgi) + *-sgi) os=-irix ;; - *-siemens) + *-siemens) os=-sysv4 ;; *-masscomp) diff --git a/configure.ac b/configure.ac index 3d230a6e9..5f302f5e5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.173 2003/10/15 06:57:57 dtucker Exp $ +# $Id: configure.ac,v 1.174 2003/11/21 12:48:55 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -48,7 +48,7 @@ fi AC_SUBST(LD) AC_C_INLINE -if test "$GCC" = "yes" || test "$GCC" = "egcs"; then +if test "$GCC" = "yes" || test "$GCC" = "egcs"; then CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized" fi @@ -57,7 +57,7 @@ case "$host" in *-*-aix*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) + AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) if (test -z "$blibpath"); then blibpath="/usr/lib:/lib:/usr/local/lib" fi @@ -252,7 +252,7 @@ mips-sony-bsd|mips-sony-newsos4) ;; *-*-solaris*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" + LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" need_dash_r=1 AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(LOGIN_NEEDS_UTMPX) @@ -581,10 +581,10 @@ AC_ARG_WITH(zlib, AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])) dnl UnixWare 2.x -AC_CHECK_FUNC(strcasecmp, +AC_CHECK_FUNC(strcasecmp, [], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ] ) -AC_CHECK_FUNC(utimes, +AC_CHECK_FUNC(utimes, [], [ AC_CHECK_LIB(c89, utimes, [AC_DEFINE(HAVE_UTIMES) LIBS="$LIBS -lc89"]) ] ) @@ -604,7 +604,7 @@ AC_EGREP_CPP(FOUNDIT, #ifdef GLOB_ALTDIRFUNC FOUNDIT #endif - ], + ], [ AC_DEFINE(GLOB_HAS_ALTDIRFUNC) AC_MSG_RESULT(yes) @@ -617,17 +617,17 @@ AC_EGREP_CPP(FOUNDIT, # Check for g.gl_matchc glob() extension AC_MSG_CHECKING(for gl_matchc field in glob_t) AC_EGREP_CPP(FOUNDIT, - [ - #include + [ + #include int main(void){glob_t g; g.gl_matchc = 1;} - ], - [ - AC_DEFINE(GLOB_HAS_GL_MATCHC) - AC_MSG_RESULT(yes) - ], - [ - AC_MSG_RESULT(no) - ] + ], + [ + AC_DEFINE(GLOB_HAS_GL_MATCHC) + AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ] ) AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) 
@@ -637,7 +637,7 @@ AC_TRY_RUN( #include int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));} ], - [AC_MSG_RESULT(yes)], + [AC_MSG_RESULT(yes)], [ AC_MSG_RESULT(no) AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) @@ -645,10 +645,10 @@ int main(void){struct dirent d;exit(sizeof(d.d_name)<=sizeof(char));} ) # Check whether user wants S/Key support -SKEY_MSG="no" +SKEY_MSG="no" AC_ARG_WITH(skey, [ --with-skey[[=PATH]] Enable S/Key support - (optionally in PATH)], + (optionally in PATH)], [ if test "x$withval" != "xno" ; then @@ -659,7 +659,7 @@ AC_ARG_WITH(skey, AC_DEFINE(SKEY) LIBS="-lskey $LIBS" - SKEY_MSG="yes" + SKEY_MSG="yes" AC_MSG_CHECKING([for s/key support]) AC_TRY_RUN( @@ -681,7 +681,7 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } TCPW_MSG="no" AC_ARG_WITH(tcp-wrappers, [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support - (optionally in PATH)], + (optionally in PATH)], [ if test "x$withval" != "xno" ; then saved_LIBS="$LIBS" @@ -771,7 +771,7 @@ AC_CHECK_DECL(getrusage, [AC_CHECK_FUNCS(getrusage)]) dnl tcsendbreak might be a macro AC_CHECK_DECL(tcsendbreak, [AC_DEFINE(HAVE_TCSENDBREAK)], - [AC_CHECK_FUNCS(tcsendbreak)], + [AC_CHECK_FUNCS(tcsendbreak)], [#include ] ) @@ -784,12 +784,12 @@ dnl Checks for utmpx functions AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline ) AC_CHECK_FUNCS(setutxent utmpxname) -AC_CHECK_FUNC(daemon, +AC_CHECK_FUNC(daemon, [AC_DEFINE(HAVE_DAEMON)], [AC_CHECK_LIB(bsd, daemon, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_DAEMON)])] ) -AC_CHECK_FUNC(getpagesize, +AC_CHECK_FUNC(getpagesize, [AC_DEFINE(HAVE_GETPAGESIZE)], [AC_CHECK_LIB(ucb, getpagesize, [LIBS="$LIBS -lucb"; AC_DEFINE(HAVE_GETPAGESIZE)])] ) @@ -802,7 +802,7 @@ if test "x$ac_cv_func_snprintf" = "xyes" ; then #include int main(void){char b[5];snprintf(b,5,"123456789");exit(b[4]!='\0');} ], - [AC_MSG_RESULT(yes)], + [AC_MSG_RESULT(yes)], [ AC_MSG_RESULT(no) AC_DEFINE(BROKEN_SNPRINTF) 
@@ -826,14 +826,14 @@ unlink(template); exit(0); [ AC_MSG_RESULT(no) ], - [ + [ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_STRICT_MKSTEMP) ], [ AC_MSG_RESULT(yes) AC_DEFINE(HAVE_STRICT_MKSTEMP) - ] + ] ) fi @@ -858,7 +858,7 @@ main() exit(1); } else if (pid > 0) { /* parent */ waitpid(pid, &status, 0); - if (WIFEXITED(status)) + if (WIFEXITED(status)) exit(WEXITSTATUS(status)); else exit(2); @@ -922,8 +922,8 @@ if test "x$PAM_MSG" = "xyes" ; then [ #include #include - ], - [(void)pam_strerror((pam_handle_t *)NULL, -1);], + ], + [(void)pam_strerror((pam_handle_t *)NULL, -1);], [AC_MSG_RESULT(no)], [ AC_DEFINE(HAVE_OLD_PAM) @@ -994,12 +994,12 @@ AC_TRY_RUN( #include #define DATA "conftest.sslincver" int main(void) { - FILE *fd; - int rc; + FILE *fd; + int rc; - fd = fopen(DATA,"w"); - if(fd == NULL) - exit(1); + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) exit(1); @@ -1027,12 +1027,12 @@ AC_TRY_RUN( #include #define DATA "conftest.ssllibver" int main(void) { - FILE *fd; - int rc; + FILE *fd; + int rc; - fd = fopen(DATA,"w"); - if(fd == NULL) - exit(1); + fd = fopen(DATA,"w"); + if(fd == NULL) + exit(1); if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0) exit(1); @@ -1069,7 +1069,7 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.]) ] ) -# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the +# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the # version in OpenSSL. Skip this for PAM if test "x$check_for_libcrypt_later" = "x1"; then AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") 
@@ -1104,7 +1104,7 @@ AC_ARG_WITH(rand-helper, [ --with-rand-helper Use subprocess to gather strong randomness ], [ if test "x$withval" = "xno" ; then - # Force use of OpenSSL's internal RNG, even if + # Force use of OpenSSL's internal RNG, even if # the previous test showed it to be unseeded. if test -z "$OPENSSL_SEEDS_ITSELF" ; then AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG]) @@ -1241,7 +1241,7 @@ test -d /sbin && PATH=$PATH:/sbin test -d /usr/sbin && PATH=$PATH:/usr/sbin PATH=$PATH:/etc:$OPATH -# These programs are used by the command hashing source to gather entropy +# These programs are used by the command hashing source to gather entropy OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp) @@ -1297,8 +1297,8 @@ fi # More checks for data types AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [ AC_TRY_COMPILE( - [ #include ], - [ u_int a; a = 1;], + [ #include ], + [ u_int a; a = 1;], [ ac_cv_have_u_int="yes" ], [ ac_cv_have_u_int="no" ] ) @@ -1310,8 +1310,8 @@ fi AC_CACHE_CHECK([for intXX_t types], ac_cv_have_intxx_t, [ AC_TRY_COMPILE( - [ #include ], - [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], + [ #include ], + [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], [ ac_cv_have_intxx_t="yes" ], [ ac_cv_have_intxx_t="no" ] ) @@ -1322,12 +1322,12 @@ if test "x$ac_cv_have_intxx_t" = "xyes" ; then fi if (test -z "$have_intxx_t" && \ - test "x$ac_cv_header_stdint_h" = "xyes") + test "x$ac_cv_header_stdint_h" = "xyes") then AC_MSG_CHECKING([for intXX_t types in stdint.h]) AC_TRY_COMPILE( - [ #include ], - [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], + [ #include ], + [ int8_t a; int16_t b; int32_t c; a = b = c = 1;], [ AC_DEFINE(HAVE_INTXX_T) AC_MSG_RESULT(yes) 
@@ -1347,8 +1347,8 @@ AC_CACHE_CHECK([for int64_t type], ac_cv_have_int64_t, [ #ifdef HAVE_SYS_BITYPES_H # include #endif - ], - [ int64_t a; a = 1;], + ], + [ int64_t a; a = 1;], [ ac_cv_have_int64_t="yes" ], [ ac_cv_have_int64_t="no" ] ) @@ -1359,8 +1359,8 @@ fi AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [ AC_TRY_COMPILE( - [ #include ], - [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], + [ #include ], + [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], [ ac_cv_have_u_intxx_t="yes" ], [ ac_cv_have_u_intxx_t="no" ] ) @@ -1373,8 +1373,8 @@ fi if test -z "$have_u_intxx_t" ; then AC_MSG_CHECKING([for u_intXX_t types in sys/socket.h]) AC_TRY_COMPILE( - [ #include ], - [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], + [ #include ], + [ u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1;], [ AC_DEFINE(HAVE_U_INTXX_T) AC_MSG_RESULT(yes) @@ -1385,8 +1385,8 @@ fi AC_CACHE_CHECK([for u_int64_t types], ac_cv_have_u_int64_t, [ AC_TRY_COMPILE( - [ #include ], - [ u_int64_t a; a = 1;], + [ #include ], + [ u_int64_t a; a = 1;], [ ac_cv_have_u_int64_t="yes" ], [ ac_cv_have_u_int64_t="no" ] ) @@ -1399,7 +1399,7 @@ fi if test -z "$have_u_int64_t" ; then AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h]) AC_TRY_COMPILE( - [ #include ], + [ #include ], [ u_int64_t a; a = 1], [ AC_DEFINE(HAVE_U_INT64_T) @@ -1414,8 +1414,8 @@ if test -z "$have_u_intxx_t" ; then AC_TRY_COMPILE( [ #include - ], - [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ], + ], + [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ], [ ac_cv_have_uintxx_t="yes" ], [ ac_cv_have_uintxx_t="no" ] ) @@ -1428,8 +1428,8 @@ fi if test -z "$have_uintxx_t" ; then AC_MSG_CHECKING([for uintXX_t types in stdint.h]) AC_TRY_COMPILE( - [ #include ], - [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;], + [ #include ], + [ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1;], [ AC_DEFINE(HAVE_UINTXX_T) AC_MSG_RESULT(yes) 
@@ -1439,25 +1439,25 @@ if test -z "$have_uintxx_t" ; then fi if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ - test "x$ac_cv_header_sys_bitypes_h" = "xyes") + test "x$ac_cv_header_sys_bitypes_h" = "xyes") then AC_MSG_CHECKING([for intXX_t and u_intXX_t types in sys/bitypes.h]) AC_TRY_COMPILE( [ #include - ], + ], [ int8_t a; int16_t b; int32_t c; u_int8_t e; u_int16_t f; u_int32_t g; a = b = c = e = f = g = 1; - ], + ], [ AC_DEFINE(HAVE_U_INTXX_T) AC_DEFINE(HAVE_INTXX_T) AC_MSG_RESULT(yes) ], [AC_MSG_RESULT(no)] - ) + ) fi @@ -1638,8 +1638,8 @@ fi AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ AC_TRY_COMPILE( - [ #include ], - [ struct timeval tv; tv.tv_sec = 1;], + [ #include ], + [ struct timeval tv; tv.tv_sec = 1;], [ ac_cv_have_struct_timeval="yes" ], [ ac_cv_have_struct_timeval="no" ] ) @@ -1679,7 +1679,7 @@ main() strcpy(expected_out, "9223372036854775807"); snprintf(buf, mazsize, "%lld", num); if(strcmp(buf, expected_out) != 0) - exit(1); + exit(1); exit(0); } #else @@ -1837,8 +1837,8 @@ if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then fi AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [ - AC_TRY_LINK([], - [ extern char *__progname; printf("%s", __progname); ], + AC_TRY_LINK([], + [ extern char *__progname; printf("%s", __progname); ], [ ac_cv_libc_defines___progname="yes" ], [ ac_cv_libc_defines___progname="no" ] ) @@ -1850,8 +1850,8 @@ fi AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [ AC_TRY_LINK([ #include -], - [ printf("%s", __FUNCTION__); ], +], + [ printf("%s", __FUNCTION__); ], [ ac_cv_cc_implements___FUNCTION__="yes" ], [ ac_cv_cc_implements___FUNCTION__="no" ] ) @@ -1863,8 +1863,8 @@ fi AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [ AC_TRY_LINK([ #include -], - [ printf("%s", __func__); ], +], + [ printf("%s", __func__); ], [ ac_cv_cc_implements___func__="yes" ], [ ac_cv_cc_implements___func__="no" ] ) 
@@ -1889,8 +1889,8 @@ if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then fi AC_CACHE_CHECK([if libc defines sys_errlist], ac_cv_libc_defines_sys_errlist, [ - AC_TRY_LINK([], - [ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);], + AC_TRY_LINK([], + [ extern const char *const sys_errlist[]; printf("%s", sys_errlist[0]);], [ ac_cv_libc_defines_sys_errlist="yes" ], [ ac_cv_libc_defines_sys_errlist="no" ] ) @@ -1901,8 +1901,8 @@ fi AC_CACHE_CHECK([if libc defines sys_nerr], ac_cv_libc_defines_sys_nerr, [ - AC_TRY_LINK([], - [ extern int sys_nerr; printf("%i", sys_nerr);], + AC_TRY_LINK([], + [ extern int sys_nerr; printf("%i", sys_nerr);], [ ac_cv_libc_defines_sys_nerr="yes" ], [ ac_cv_libc_defines_sys_nerr="no" ] ) @@ -1911,7 +1911,7 @@ if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then AC_DEFINE(HAVE_SYS_NERR) fi -SCARD_MSG="no" +SCARD_MSG="no" # Check whether user wants sectok support AC_ARG_WITH(sectok, [ --with-sectok Enable smartcard support using libsectok], @@ -1937,7 +1937,7 @@ AC_ARG_WITH(sectok, fi AC_DEFINE(SMARTCARD) AC_DEFINE(USE_SECTOK) - SCARD_MSG="yes, using sectok" + SCARD_MSG="yes, using sectok" fi ] ) @@ -1957,12 +1957,12 @@ if test x$opensc_config_prefix != x ; then LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS" AC_DEFINE(SMARTCARD) AC_DEFINE(USE_OPENSC) - SCARD_MSG="yes, using OpenSC" + SCARD_MSG="yes, using OpenSC" fi fi # Check libraries needed by DNS fingerprint support -AC_SEARCH_LIBS(getrrsetbyname, resolv, +AC_SEARCH_LIBS(getrrsetbyname, resolv, [AC_DEFINE(HAVE_GETRRSETBYNAME)], [ # Needed by our getrrsetbyname() 
@@ -1975,37 +1975,37 @@ AC_SEARCH_LIBS(getrrsetbyname, resolv, ]) # Check whether user wants Kerberos 5 support -KRB5_MSG="no" +KRB5_MSG="no" AC_ARG_WITH(kerberos5, - [ --with-kerberos5=PATH Enable Kerberos 5 support], - [ - if test "x$withval" != "xno" ; then - if test "x$withval" = "xyes" ; then - KRB5ROOT="/usr/local" - else - KRB5ROOT=${withval} - fi + [ --with-kerberos5=PATH Enable Kerberos 5 support], + [ + if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + KRB5ROOT="/usr/local" + else + KRB5ROOT=${withval} + fi CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" - LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" - AC_DEFINE(KRB5) + LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" + AC_DEFINE(KRB5) KRB5_MSG="yes" - AC_MSG_CHECKING(whether we are using Heimdal) - AC_TRY_COMPILE([ #include ], - [ char *tmp = heimdal_version; ], - [ AC_MSG_RESULT(yes) - AC_DEFINE(HEIMDAL) - K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken" - ], - [ AC_MSG_RESULT(no) - K5LIBS="-lkrb5 -lk5crypto -lcom_err" - ] - ) - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" - fi - if test ! -z "$blibpath" ; then - blibpath="$blibpath:${KRB5ROOT}/lib" - fi + AC_MSG_CHECKING(whether we are using Heimdal) + AC_TRY_COMPILE([ #include ], + [ char *tmp = heimdal_version; ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HEIMDAL) + K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken" + ], + [ AC_MSG_RESULT(no) + K5LIBS="-lkrb5 -lk5crypto -lcom_err" + ] + ) + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${KRB5ROOT}/lib" + fi AC_SEARCH_LIBS(dn_expand, resolv) AC_CHECK_LIB(gssapi,gss_init_sec_context, @@ -2013,7 +2013,7 @@ AC_ARG_WITH(kerberos5, K5LIBS="-lgssapi $K5LIBS" ], [ AC_CHECK_LIB(gssapi_krb5,gss_init_sec_context, [ AC_DEFINE(GSSAPI) - K5LIBS="-lgssapi_krb5 $K5LIBS" ], + K5LIBS="-lgssapi_krb5 $K5LIBS" ], AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]), $K5LIBS) ], 
@@ -2021,10 +2021,10 @@ AC_ARG_WITH(kerberos5, AC_CHECK_HEADER(gssapi.h, , [ unset ac_cv_header_gssapi_h - CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" + CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" AC_CHECK_HEADERS(gssapi.h, , AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail]) - ) + ) ] ) @@ -2033,9 +2033,9 @@ AC_ARG_WITH(kerberos5, AC_CHECK_HEADER(gssapi_krb5.h, , [ CPPFLAGS="$oldCPP" ]) - KRB5=yes - fi - ] + KRB5=yes + fi + ] ) LIBS="$LIBS $K5LIBS" @@ -2100,7 +2100,7 @@ fi if test -z "$no_dev_ptmx" ; then if test "x$disable_ptmx_check" != "xyes" ; then - AC_CHECK_FILE("/dev/ptmx", + AC_CHECK_FILE("/dev/ptmx", [ AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) have_dev_ptmx=1 @@ -2108,7 +2108,7 @@ if test -z "$no_dev_ptmx" ; then ) fi fi -AC_CHECK_FILE("/dev/ptc", +AC_CHECK_FILE("/dev/ptc", [ AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) have_dev_ptc=1 @@ -2149,13 +2149,13 @@ fi AC_SUBST(mansubdir) # Check whether to enable MD5 passwords -MD5_MSG="no" +MD5_MSG="no" AC_ARG_WITH(md5-passwords, [ --with-md5-passwords Enable use of MD5 passwords], [ if test "x$withval" != "xno" ; then AC_DEFINE(HAVE_MD5_PASSWORDS) - MD5_MSG="yes" + MD5_MSG="yes" fi ] ) @@ -2195,13 +2195,13 @@ if test ! -z "$IPADDR_IN_DISPLAY" ; then DISPLAY_HACK_MSG="yes" AC_DEFINE(IPADDR_IN_DISPLAY) else - DISPLAY_HACK_MSG="no" + DISPLAY_HACK_MSG="no" AC_ARG_WITH(ipaddr-display, [ --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY], [ if test "x$withval" != "xno" ; then AC_DEFINE(IPADDR_IN_DISPLAY) - DISPLAY_HACK_MSG="yes" + DISPLAY_HACK_MSG="yes" fi ] ) @@ -2225,7 +2225,7 @@ if test $ac_cv_func_login_getcapbool = "yes" -a \ fi # Whether to mess with the default path -SERVER_PATH_MSG="(default)" +SERVER_PATH_MSG="(default)" AC_ARG_WITH(default-path, [ --with-default-path= Specify default \$PATH environment for server], [ 
@@ -2240,7 +2240,7 @@ Edit /etc/login.conf instead.]) $external_path_file .]) fi user_path="$withval" - SERVER_PATH_MSG="$withval" + SERVER_PATH_MSG="$withval" fi ], [ if test "x$external_path_file" = "x/etc/login.conf" ; then @@ -2324,14 +2324,14 @@ AC_ARG_WITH(superuser-path, AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses]) -IPV4_IN6_HACK_MSG="no" +IPV4_IN6_HACK_MSG="no" AC_ARG_WITH(4in6, [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses], [ if test "x$withval" != "xno" ; then AC_MSG_RESULT(yes) AC_DEFINE(IPV4_IN_IPV6) - IPV4_IN6_HACK_MSG="yes" + IPV4_IN6_HACK_MSG="yes" else AC_MSG_RESULT(no) fi @@ -2339,7 +2339,7 @@ AC_ARG_WITH(4in6, if test "x$inet6_default_4in6" = "xyes"; then AC_MSG_RESULT([yes (default)]) AC_DEFINE(IPV4_IN_IPV6) - IPV4_IN6_HACK_MSG="yes" + IPV4_IN6_HACK_MSG="yes" else AC_MSG_RESULT([no (default)]) fi @@ -2364,7 +2364,7 @@ piddir=/var/run if test ! -d $piddir ; then piddir=`eval echo ${sysconfdir}` case $piddir in - NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; + NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;; esac fi @@ -2436,7 +2436,7 @@ AC_ARG_ENABLE(pututline, [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]], [ if test "x$enableval" = "xno" ; then - AC_DEFINE(DISABLE_PUTUTLINE) + AC_DEFINE(DISABLE_PUTUTLINE) fi ] ) @@ -2719,7 +2719,7 @@ echo "" if test "x$PAM_MSG" = "xyes" ; then echo "PAM is enabled. You may need to install a PAM control file " echo "for sshd, otherwise password authentication may fail. " - echo "Example PAM control files can be found in the contrib/ " + echo "Example PAM control files can be found in the contrib/ " echo "subdirectory" echo "" fi diff --git a/contrib/README b/contrib/README index 67dbbd277..9de3d961d 100644 --- a/contrib/README +++ b/contrib/README 
@@ -1,4 +1,4 @@ -Other patches and addons for OpenSSH. Please send submissions to +Other patches and addons for OpenSSH. Please send submissions to djm@mindrot.org Externally maintained @@ -7,7 +7,7 @@ Externally maintained SSH Proxy Command -- connect.c Shun-ichi GOTO has written a very useful ProxyCommand -which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or +which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or https CONNECT style proxy server. His page for connect.c has extensive documentation on its use as well as compiled versions for Win32. @@ -47,7 +47,7 @@ Dominik Brettnacher mdoc2man.pl: Converts mdoc formated manpages into normal manpages. This can be used -on Solaris machines to provide manpages that are not preformated. +on Solaris machines to provide manpages that are not preformated. Contributed by Mark D. Roth redhat: diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh index 727ac446d..4a5c32b0e 100755 --- a/contrib/aix/buildbff.sh +++ b/contrib/aix/buildbff.sh @@ -1,12 +1,12 @@ #!/bin/sh # # buildbff.sh: Create AIX SMIT-installable OpenSSH packages -# $Id: buildbff.sh,v 1.6 2003/08/25 05:01:04 dtucker Exp $ +# $Id: buildbff.sh,v 1.7 2003/11/21 12:48:56 djm Exp $ # # Author: Darren Tucker (dtucker at zip dot com dot au) # This file is placed in the public domain and comes with absolutely # no warranty. -# +# # Based originally on Ben Lindstrom's buildpkg.sh for Solaris # @@ -45,7 +45,7 @@ fi if [ ! -f Makefile ] then echo "Makefile not found (did you run configure?)" - exit 1 + exit 1 fi # @@ -96,12 +96,12 @@ then PRIVSEP_PATH=/var/empty fi -# Clean package build directory +# Clean package build directory rm -rf $objdir/$PKGDIR FAKE_ROOT=$objdir/$PKGDIR/root mkdir -p $FAKE_ROOT -# Start by faking root install +# Start by faking root install echo "Faking root install..." cd $objdir make install-nokeys DESTDIR=$FAKE_ROOT 
@@ -136,15 +136,15 @@ echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)" # # Set ssh and sshd parameters as per config.local # -if [ "${PERMIT_ROOT_LOGIN}" = no ] +if [ "${PERMIT_ROOT_LOGIN}" = no ] then - perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ - $FAKE_ROOT/${sysconfdir}/sshd_config + perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config fi if [ "${X11_FORWARDING}" = yes ] then - perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ - $FAKE_ROOT/${sysconfdir}/sshd_config + perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config fi
@@ -190,13 +190,13 @@ cat <>../openssh.post_i echo Creating configs from defaults if necessary. for cfgfile in ssh_config sshd_config ssh_prng_cmds do - if [ ! -f $sysconfdir/\$cfgfile ] - then - echo "Creating \$cfgfile from default" - cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile - else - echo "\$cfgfile already exists." - fi + if [ ! -f $sysconfdir/\$cfgfile ] + then + echo "Creating \$cfgfile from default" + cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile + else + echo "\$cfgfile already exists." + fi done echo
@@ -244,19 +244,19 @@ echo # Generate keys unless they already exist echo Creating host keys if required. if [ -f "$sysconfdir/ssh_host_key" ] ; then - echo "$sysconfdir/ssh_host_key already exists, skipping." + echo "$sysconfdir/ssh_host_key already exists, skipping." else - $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N "" + $bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N "" fi if [ -f $sysconfdir/ssh_host_dsa_key ] ; then - echo "$sysconfdir/ssh_host_dsa_key already exists, skipping." + echo "$sysconfdir/ssh_host_dsa_key already exists, skipping." else - $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N "" + $bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N "" fi if [ -f $sysconfdir/ssh_host_rsa_key ] ; then - echo "$sysconfdir/ssh_host_rsa_key already exists, skipping." -else - $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N "" + echo "$sysconfdir/ssh_host_rsa_key already exists, skipping." +else + $bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N "" fi echo
@@ -369,7 +369,7 @@ echo Creating $PKGNAME-$VERSION.bff with backup... rm -f $PKGNAME-$VERSION.bff ( echo "./lpp_name" - find . ! -name lpp_name -a ! -name . -print + find . ! -name lpp_name -a ! -name . -print ) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist #
diff --git a/contrib/aix/inventory.sh b/contrib/aix/inventory.sh
index 4f408e678..e2641e79c 100755
--- a/contrib/aix/inventory.sh
+++ b/contrib/aix/inventory.sh
@@ -1,7 +1,7 @@ #!/bin/sh # # inventory.sh -# $Id: inventory.sh,v 1.5 2003/08/26 03:43:13 dtucker Exp $ +# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $ # # Originally written by Ben Lindstrom, modified by Darren Tucker to use perl # This file is placed into the public domain.
@@ -59,5 +59,5 @@ find . ! -name . -print | perl -ne '{ } elsif ( -d $_ ) { # Entry is Directory print "\ttype=DIRECTORY\n"; - } + } }'
diff --git a/contrib/caldera/ssh-host-keygen b/contrib/caldera/ssh-host-keygen
index 28a97b9b4..3c5c17182 100755
--- a/contrib/caldera/ssh-host-keygen
+++ b/contrib/caldera/ssh-host-keygen
@@ -1,6 +1,6 @@ #! /bin/sh # -# $Id: ssh-host-keygen,v 1.1 2001/04/27 05:50:50 tim Exp $ +# $Id: ssh-host-keygen,v 1.2 2003/11/21 12:48:57 djm Exp $ # # This script is normally run only *once* for a given host # (in a given period of time) -- on updates/upgrades/recovery
@@ -12,7 +12,7 @@ keydir=@sysconfdir@ keygen=@sshkeygen@ if [ -f $keydir/ssh_host_key -o \ - -f $keydir/ssh_host_key.pub ]; then + -f $keydir/ssh_host_key.pub ]; then echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key." else echo "Generating 1024 bit SSH1 RSA host key."
@@ -20,7 +20,7 @@ else fi if [ -f $keydir/ssh_host_rsa_key -o \ - -f $keydir/ssh_host_rsa_key.pub ]; then + -f $keydir/ssh_host_rsa_key.pub ]; then echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key." else echo "Generating 1024 bit SSH2 RSA host key."
@@ -28,7 +28,7 @@ else fi if [ -f $keydir/ssh_host_dsa_key -o \ - -f $keydir/ssh_host_dsa_key.pub ]; then + -f $keydir/ssh_host_dsa_key.pub ]; then echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key." else echo "Generating SSH2 DSA host key."
diff --git a/contrib/caldera/sshd.init b/contrib/caldera/sshd.init
index 90b36379a..983146f4f 100755
--- a/contrib/caldera/sshd.init
+++ b/contrib/caldera/sshd.init
@@ -1,6 +1,6 @@ #! /bin/bash # -# $Id: sshd.init,v 1.3 2001/11/03 19:09:33 tim Exp $ +# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $ # ### BEGIN INIT INFO # Provides:
@@ -64,11 +64,11 @@ case "$1" in SVIemptyConfig @sysconfdir@/sshd_config && exit 6 if [ ! \( -f @sysconfdir@/ssh_host_key -a \ - -f @sysconfdir@/ssh_host_key.pub \) -a \ + -f @sysconfdir@/ssh_host_key.pub \) -a \ ! \( -f @sysconfdir@/ssh_host_rsa_key -a \ - -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \ + -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \ ! \( -f @sysconfdir@/ssh_host_dsa_key -a \ - -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then + -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then echo "$SVIsubsys: host key not initialized: skipped!" echo "$SVIsubsys: use ssh-host-keygen to generate one!"
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 1cc6ae65c..1ed934307 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -25,7 +25,7 @@ Important note for Windows 2003 Server users: --------------------------------------------- 2003 Server has a funny new feature. When starting services under SYSTEM -account, these services have nearly all user rights which SYSTEM holds... +account, these services have nearly all user rights which SYSTEM holds... except for the "Create a token object" right, which is needed to allow public key authentication :-(
@@ -103,7 +103,7 @@ features of the FAT/FAT32 filesystems. If you are installing OpenSSH the first time, you can generate global config files and server keys by running - + /usr/bin/ssh-host-config Note that this binary archive doesn't contain default config files in /etc.
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 18793ca85..9c0dabf41 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -263,7 +263,7 @@ then net user sshd >/dev/null 2>&1 && sshd_in_sam=yes if [ "${sshd_in_passwd}" != "yes" ] then - if [ "${sshd_in_sam}" != "yes" ] + if [ "${sshd_in_sam}" != "yes" ] then echo "Warning: The following function requires administrator privileges!" if request "Should this script create a local user 'sshd' on this machine?"
@@ -339,13 +339,13 @@ if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ] then grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}" if [ -f "${_serv_tmp}" ] - then + then if mv "${_serv_tmp}" "${_services}" then echo "Removing sshd from ${_wservices}" else echo "Removing sshd from ${_wservices} failed!" - fi + fi rm -f "${_serv_tmp}" else echo "Removing sshd from ${_wservices} failed!"
@@ -388,9 +388,9 @@ then then if mv "${_inetcnf_tmp}" "${_inetcnf}" then - echo "Removed sshd from ${_inetcnf}" + echo "Removed sshd from ${_inetcnf}" else - echo "Removing sshd from ${_inetcnf} failed!" + echo "Removing sshd from ${_inetcnf} failed!" fi rm -f "${_inetcnf_tmp}" else
@@ -462,7 +462,7 @@ then do if [ -n "${password_value}" ] then - _password="${password_value}" + _password="${password_value}" # Allow to ask for password if first try fails password_value="" else
@@ -541,7 +541,7 @@ then fi if [ -n "${cygwin_value}" ] then - _cygwin="${cygwin_value}" + _cygwin="${cygwin_value}" else echo echo "Which value should the environment variable CYGWIN have when"
@@ -574,9 +574,9 @@ then then if [ $_nt2003 -gt 0 -a "${sshd_server_in_sam}" = "yes" ] then - _user="sshd_server" + _user="sshd_server" else - _user="system" + _user="system" fi chown "${_user}" ${SYSCONFDIR}/ssh* chown "${_user}".544 ${LOCALSTATEDIR}/empty
diff --git a/contrib/findssl.sh b/contrib/findssl.sh
index 87a4abce2..0c08d4a18 100644
--- a/contrib/findssl.sh
+++ b/contrib/findssl.sh
@@ -9,24 +9,24 @@ # Written by Darren Tucker (dtucker at zip dot com dot au) # This file is placed in the public domain. # -# $Id: findssl.sh,v 1.1 2003/06/24 10:22:10 dtucker Exp $ +# $Id: findssl.sh,v 1.2 2003/11/21 12:48:56 djm Exp $ # 2002-07-27: Initial release. # 2002-08-04: Added public domain notice. # 2003-06-24: Incorporated readme, set library paths. First cvs version. # -# "OpenSSL headers do not match your library" are usually caused by +# "OpenSSL headers do not match your library" are usually caused by # OpenSSH's configure picking up an older version of OpenSSL headers # or libraries. You can use the following # procedure to help identify # the cause. -# +# # The output of configure will tell you the versions of the OpenSSL # headers and libraries that were picked up, for example: -# +# # checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002) # checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001) # checking whether OpenSSL's headers match the library... no # configure: error: Your OpenSSL headers do not match your library -# +# # Now run findssl.sh. This should identify the headers and libraries # present and their versions. You should be able to identify the # libraries and headers used and adjust your CFLAGS or remove incorrect
@@ -37,7 +37,7 @@ # Searching for OpenSSL header files. # 0x0090604fL /usr/include/openssl/opensslv.h # 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h -# +# # Searching for OpenSSL shared library files. # 0x0090602fL /lib/libcrypto.so.0.9.6b # 0x0090602fL /lib/libcrypto.so.2
@@ -46,11 +46,11 @@ # 0x0090581fL /usr/lib/libcrypto.so.0.9.5a # 0x0090600fL /usr/lib/libcrypto.so.0.9.6 # 0x0090600fL /usr/lib/libcrypto.so.1 -# +# # Searching for OpenSSL static library files. # 0x0090602fL /usr/lib/libcrypto.a # 0x0090604fL /usr/local/ssl/lib/libcrypto.a -# +# # In this example, I gave configure no extra flags, so it's picking up # the OpenSSL header from /usr/include/openssl (90604f) and the library # from /usr/lib/ (90602f).
diff --git a/contrib/gnome-ssh-askpass1.c b/contrib/gnome-ssh-askpass1.c
index b6b342b84..4d51032d1 100644
--- a/contrib/gnome-ssh-askpass1.c
+++ b/contrib/gnome-ssh-askpass1.c
@@ -23,14 +23,14 @@ */ /* - * This is a simple GNOME SSH passphrase grabber. To use it, set the - * environment variable SSH_ASKPASS to point to the location of - * gnome-ssh-askpass before calling "ssh-add < /dev/null". + * This is a simple GNOME SSH passphrase grabber. To use it, set the + * environment variable SSH_ASKPASS to point to the location of + * gnome-ssh-askpass before calling "ssh-add < /dev/null". * * There is only two run-time options: if you set the environment variable * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab - * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the - * pointer will be grabbed too. These may have some benefit to security if + * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the + * pointer will be grabbed too. These may have some benefit to security if * you don't trust your X server. We grab the keyboard always. */
@@ -87,7 +87,7 @@ passphrase_dialog(char *message) } entry = gtk_entry_new(); - gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, + gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE, FALSE, 0); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_widget_grab_focus(entry);
@@ -105,7 +105,7 @@ passphrase_dialog(char *message) /* Grab focus */ if (grab_server) XGrabServer(GDK_DISPLAY()); - if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0, + if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0, NULL, NULL, GDK_CURRENT_TIME)) goto nograb; if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
index 9e8eaf920..0ce8daec9 100644
--- a/contrib/gnome-ssh-askpass2.c
+++ b/contrib/gnome-ssh-askpass2.c
@@ -25,14 +25,14 @@ /* GTK2 support by Nalin Dahyabhai */ /* - * This is a simple GNOME SSH passphrase grabber. To use it, set the - * environment variable SSH_ASKPASS to point to the location of - * gnome-ssh-askpass before calling "ssh-add < /dev/null". + * This is a simple GNOME SSH passphrase grabber. To use it, set the + * environment variable SSH_ASKPASS to point to the location of + * gnome-ssh-askpass before calling "ssh-add < /dev/null". * * There is only two run-time options: if you set the environment variable * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab - * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the - * pointer will be grabbed too. These may have some benefit to security if + * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the + * pointer will be grabbed too. These may have some benefit to security if * you don't trust your X server. We grab the keyboard always. */
@@ -103,7 +103,7 @@ passphrase_dialog(char *message) message); entry = gtk_entry_new(); - gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, + gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE, FALSE, 0); gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE); gtk_widget_grab_focus(entry);
@@ -124,7 +124,7 @@ passphrase_dialog(char *message) if (grab_pointer) { for(;;) { status = gdk_pointer_grab( - (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, + (GTK_WIDGET(dialog))->window, TRUE, 0, NULL, NULL, GDK_CURRENT_TIME); if (status == GDK_GRAB_SUCCESS) break;
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index dd00c9fa9..a4d49f61c 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -200,7 +200,7 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS --with-pam \ %endif %if %{kerberos5} - --with-kerberos5=/usr/kerberos \ + --with-kerberos5=/usr/kerberos \ %endif
@@ -398,7 +398,7 @@ fi %changelog * Mon Jun 2 2003 Damien Miller -- Remove noip6 option. This may be controlled at run-time in client config +- Remove noip6 option. This may be controlled at run-time in client config file using new AddressFamily directive * Mon May 12 2003 Damien Miller
@@ -558,7 +558,7 @@ fi * Sun Apr 8 2001 Preston Brown - remove explicit openssl requirement, fixes builddistro issue -- make initscript stop() function wait until sshd really dead to avoid +- make initscript stop() function wait until sshd really dead to avoid races in condrestart * Mon Apr 2 2001 Nalin Dahyabhai
diff --git a/contrib/solaris/README b/contrib/solaris/README
index 9b0a46e29..eb4c590f4 100644
--- a/contrib/solaris/README
+++ b/contrib/solaris/README
@@ -17,7 +17,7 @@ Directions: If all goes well you should have a solaris package ready to be installed. -If you have any problems with this script please post them to +If you have any problems with this script please post them to openssh-unix-dev@mindrot.org and I will try to assist you as best as I can. - Ben Lindstrom
diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh
index c41b3f963..55203d7d5 100755
--- a/contrib/solaris/buildpkg.sh
+++ b/contrib/solaris/buildpkg.sh
@@ -5,7 +5,7 @@ # The following code has been provide under Public Domain License. I really # don't care what you use it for. Just as long as you don't complain to me # nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org) -# +# umask 022 # # Options for building the package
@@ -13,7 +13,7 @@ umask 022 # # uncommenting TEST_DIR and using # configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty -# and +# and # PKGNAME=tOpenSSH should allow testing a package without interfering # with a real OpenSSH package on a system. This is not needed on systems # that support the -R option to pkgadd.
@@ -81,7 +81,7 @@ export PATH # we will look for config.local to override the above options [ -s ./config.local ] && . ./config.local -## Start by faking root install +## Start by faking root install echo "Faking root install..." START=`pwd` OPENSSHD_IN=`dirname $0`/opensshd.in
@@ -98,20 +98,20 @@ fi ## Fill in some details, like prefix and sysconfdir for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir do - eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` + eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` done ## Collect value of privsep user for confvar in SSH_PRIVSEP_USER do - eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` done ## Set privsep defaults if not defined if [ -z "$SSH_PRIVSEP_USER" ] then - SSH_PRIVSEP_USER=sshd + SSH_PRIVSEP_USER=sshd fi ## Extract common info requires for the 'info' part of the package.
@@ -243,16 +243,16 @@ fi if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null then - echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" - echo "or group." + echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" + echo "or group." else - echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." + echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." - # create group if required - if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null - then - echo "PrivSep group $SSH_PRIVSEP_USER already exists." - else + # create group if required + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep group $SSH_PRIVSEP_USER already exists." + else # Use gid of 67 if possible if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null then
@@ -260,15 +260,15 @@ else else sshdgid="-g $SSHDGID" fi - echo "Creating PrivSep group $SSH_PRIVSEP_USER." - \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER - fi - - # Create user if required - if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null - then - echo "PrivSep user $SSH_PRIVSEP_USER already exists." - else + echo "Creating PrivSep group $SSH_PRIVSEP_USER." + \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER + fi + + # Create user if required + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep user $SSH_PRIVSEP_USER already exists." + else # Use uid of 67 if possible if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null then
@@ -276,10 +276,10 @@ else else sshduid="-u $SSHDUID" fi - echo "Creating PrivSep user $SSH_PRIVSEP_USER." + echo "Creating PrivSep user $SSH_PRIVSEP_USER." \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER - fi + fi fi [ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
@@ -358,12 +358,12 @@ cat >mk-proto.awk << _EOF BEGIN { print "i pkginfo"; print "i preinstall"; \\ print "i postinstall"; print "i preremove"; \\ print "i request"; print "i space"; \\ - split("$SYSTEM_DIR",sys_files); } + split("$SYSTEM_DIR",sys_files); } { for (dir in sys_files) { if ( \$3 != sys_files[dir] ) - { \$5="root"; \$6="sys"; } - else - { \$4="?"; \$5="?"; \$6="?"; break;} + { \$5="root"; \$6="sys"; } + else + { \$4="?"; \$5="?"; \$6="?"; break;} } } { print; } _EOF
diff --git a/contrib/solaris/opensshd.in b/contrib/solaris/opensshd.in
index 48b6c5702..50e18deea 100755
--- a/contrib/solaris/opensshd.in
+++ b/contrib/solaris/opensshd.in
@@ -22,24 +22,24 @@ HOST_KEY_RSA=$etcdir/ssh_host_rsa_key checkkeys() { if [ ! -f $HOST_KEY_RSA1 ]; then - ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N "" + ${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N "" fi if [ ! -f $HOST_KEY_DSA ]; then - ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N "" + ${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N "" fi if [ ! -f $HOST_KEY_RSA ]; then - ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N "" + ${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N "" fi } stop_service() { if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then - PID=`${CAT} ${PIDFILE}` + PID=`${CAT} ${PIDFILE}` fi if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then - ${KILL} ${PID} + ${KILL} ${PID} else - echo "Unable to read PID file" + echo "Unable to read PID file" fi }
@@ -55,8 +55,8 @@ start_service() { sshd_rc=$? if [ $sshd_rc -ne 0 ]; then - echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing." - exit $sshd_rc + echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing." + exit $sshd_rc fi echo done. }
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 940bc4ade..d984ff22d 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -30,7 +30,7 @@ two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it -up to date in terms of security and features, as well as removing all +up to date in terms of security and features, as well as removing all patented algorithms to seperate libraries (OpenSSL). This package includes all files necessary for both the OpenSSH
@@ -100,8 +100,8 @@ make cd contrib gcc -O -g `gnome-config --cflags gnome gnomeui` \ - gnome-ssh-askpass.c -o gnome-ssh-askpass \ - `gnome-config --libs gnome gnomeui` + gnome-ssh-askpass.c -o gnome-ssh-askpass \ + `gnome-config --libs gnome gnomeui` cd .. %install
@@ -140,34 +140,34 @@ else echo " /var/adm/fillup-templates/rc.config.sshd" fi if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then - echo "Generating SSH host key..." + echo "Generating SSH host key..." /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2 fi if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then - echo "Generating SSH DSA host key..." + echo "Generating SSH DSA host key..." /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2 fi if test -r /var/run/sshd.pid then - echo "Restarting the running SSH daemon..." + echo "Restarting the running SSH daemon..." /usr/sbin/rcsshd restart >&2 fi %preun if [ "$1" = 0 ] then - echo "Stopping the SSH daemon..." + echo "Stopping the SSH daemon..." /usr/sbin/rcsshd stop >&2 echo "Removing SSH stop/start scripts from the rc directories..." - rm /sbin/init.d/rc2.d/K20sshd - rm /sbin/init.d/rc2.d/S20sshd - rm /sbin/init.d/rc3.d/K20sshd - rm /sbin/init.d/rc3.d/S20sshd + rm /sbin/init.d/rc2.d/K20sshd + rm /sbin/init.d/rc2.d/S20sshd + rm /sbin/init.d/rc3.d/K20sshd + rm /sbin/init.d/rc3.d/S20sshd fi %files %defattr(-,root,root) -%doc ChangeLog OVERVIEW README* +%doc ChangeLog OVERVIEW README* %doc RFC.nroff TODO CREDITS LICENCE %attr(0755,root,root) %dir /etc/ssh %attr(0644,root,root) %config /etc/ssh/ssh_config
diff --git a/defines.h b/defines.h
index e662966fb..adf45d7fa 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.103 2003/09/16 01:52:19 dtucker Exp $ */ +/* $Id: defines.h,v 1.104 2003/11/21 12:48:55 djm Exp $ */ /* Constants */
@@ -84,7 +84,7 @@ enum # define S_ISDIR(mode) (((mode) & (_S_IFMT)) == (_S_IFDIR)) #endif /* S_ISDIR */ -#ifndef S_ISREG +#ifndef S_ISREG # define S_ISREG(mode) (((mode) & (_S_IFMT)) == (_S_IFREG)) #endif /* S_ISREG */
diff --git a/dns.c b/dns.c
index 2342b6609..ad634f1f7 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: dns.c,v 1.8 2003/11/12 16:39:58 jakob Exp $ */ +/* $OpenBSD: dns.c,v 1.9 2003/11/21 11:57:03 djm Exp $ */ /* * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -43,7 +43,7 @@ #include "uuencode.h" extern char *__progname; -RCSID("$OpenBSD: dns.c,v 1.8 2003/11/12 16:39:58 jakob Exp $"); +RCSID("$OpenBSD: dns.c,v 1.9 2003/11/21 11:57:03 djm Exp $"); #ifndef LWRES static const char *errset_text[] = {
@@ -145,7 +145,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type, /* * Verify the given hostname, address and host key using DNS. - * Returns 0 if lookup succeeds, -1 otherwise + * Returns 0 if lookup succeeds, -1 otherwise */ int verify_host_key_dns(const char *hostname, struct sockaddr *address,
diff --git a/entropy.c b/entropy.c
index 216879786..f5381e32f 100644
--- a/entropy.c
+++ b/entropy.c
@@ -36,16 +36,16 @@ /* * Portable OpenSSH PRNG seeding: - * If OpenSSL has not "internally seeded" itself (e.g. pulled data from - * /dev/random), then we execute a "ssh-rand-helper" program which - * collects entropy and writes it to stdout. The child program must + * If OpenSSL has not "internally seeded" itself (e.g. pulled data from + * /dev/random), then we execute a "ssh-rand-helper" program which + * collects entropy and writes it to stdout. The child program must * write at least RANDOM_SEED_SIZE bytes. The child is run with stderr * attached, so error/debugging output should be visible. * * XXX: we should tell the child how many bytes we need. */ -RCSID("$Id: entropy.c,v 1.46 2003/08/25 01:16:21 mouring Exp $"); +RCSID("$Id: entropy.c,v 1.47 2003/11/21 12:48:55 djm Exp $"); #ifndef OPENSSL_PRNG_ONLY #define RANDOM_SEED_SIZE 48
@@ -86,16 +86,16 @@ seed_rng(void) close(p[1]); close(devnull); - if (original_uid != original_euid && - ( seteuid(getuid()) == -1 || + if (original_uid != original_euid && + ( seteuid(getuid()) == -1 || setuid(original_uid) == -1) ) { - fprintf(stderr, "(rand child) setuid(%li): %s\n", + fprintf(stderr, "(rand child) setuid(%li): %s\n", (long int)original_uid, strerror(errno)); _exit(1); } execl(SSH_RAND_HELPER, "ssh-rand-helper", NULL); - fprintf(stderr, "(rand child) Couldn't exec '%s': %s\n", + fprintf(stderr, "(rand child) Couldn't exec '%s': %s\n", SSH_RAND_HELPER, strerror(errno)); _exit(1); }
@@ -114,12 +114,12 @@ seed_rng(void) close(p[0]); if (waitpid(pid, &ret, 0) == -1) - fatal("Couldn't wait for ssh-rand-helper completion: %s", + fatal("Couldn't wait for ssh-rand-helper completion: %s", strerror(errno)); signal(SIGCHLD, old_sigchld); /* We don't mind if the child exits upon a SIGPIPE */ - if (!WIFEXITED(ret) && + if (!WIFEXITED(ret) && (!WIFSIGNALED(ret) || WTERMSIG(ret) != SIGPIPE)) fatal("ssh-rand-helper terminated abnormally"); if (WEXITSTATUS(ret) != 0)
@@ -134,7 +134,7 @@ seed_rng(void) } void -init_rng(void) +init_rng(void) { /* * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
diff --git a/fixprogs b/fixprogs
index 61840cf81..af76ee392 100755
--- a/fixprogs
+++ b/fixprogs
@@ -65,7 +65,7 @@ foreach (@infile) { ($null, $null, $rate) = split(/,/, $ent[0]); $est = $rate / $entscale; # scale the estimate back } - } + } print OUT "\"$cmd\" $path $est\n"; }
diff --git a/gss-genr.c b/gss-genr.c
index 6b7caad0e..1e044dbbb 100644
--- a/gss-genr.c
+++ b/gss-genr.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: gss-genr.c,v 1.2 2003/11/17 11:06:07 markus Exp $ */ +/* $OpenBSD: gss-genr.c,v 1.3 2003/11/21 11:57:03 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -258,8 +258,8 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) } void -ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, - const char *context) +ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, + const char *context) { buffer_init(b); buffer_put_string(b, session_id2, session_id2_len);
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index f48e09911..e358bcbdc 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: gss-serv-krb5.c,v 1.1 2003/08/22 10:56:09 markus Exp $ */ +/* $OpenBSD: gss-serv-krb5.c,v 1.2 2003/11/21 11:57:03 djm Exp $ */ /* * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -48,7 +48,7 @@ static krb5_context krb_context = NULL; /* Initialise the krb5 library, for the stuff that GSSAPI won't do */ -static int +static int ssh_gssapi_krb5_init() { krb5_error_code problem;
@@ -127,10 +127,10 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) { int tmpfd; char ccname[40]; - - snprintf(ccname, sizeof(ccname), + + snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_%d_XXXXXX", geteuid()); - + if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) { logit("mkstemp(): %.100s", strerror(errno)); problem = errno;
@@ -151,7 +151,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) } #endif /* #ifdef HEIMDAL */ - if ((problem = krb5_parse_name(krb_context, + if ((problem = krb5_parse_name(krb_context, client->exportedname.value, &princ))) { logit("krb5_parse_name(): %.100s", krb5_get_err_text(krb_context, problem));
@@ -169,7 +169,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) krb5_free_principal(krb_context, princ); - if ((maj_status = gss_krb5_copy_ccache(&min_status, + if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds, ccache))) { logit("gss_krb5_copy_ccache() failed"); krb5_cc_destroy(krb_context, ccache);
diff --git a/install-sh b/install-sh
index e9de23842..220abbf61 100755
--- a/install-sh
+++ b/install-sh
@@ -125,7 +125,7 @@ if [ x"$dir_arg" != x ]; then else # Waiting for this to be detected by the "$instcmd $src $dsttmp" command -# might cause directories to be created, which would be especially bad +# might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if [ -f $src -o -d $src ]
@@ -180,7 +180,7 @@ while [ $# -ne 0 ] ; do shift if [ ! -d "${pathcomp}" ] ; - then + then $mkdirprog "${pathcomp}" else true
@@ -202,17 +202,17 @@ else # If we're going to rename the final executable, determine the name now. - if [ x"$transformarg" = x ] + if [ x"$transformarg" = x ] then dstfile=`basename $dst` else - dstfile=`basename $dst $transformbasename | + dstfile=`basename $dst $transformbasename | sed $transformarg`$transformbasename fi # don't allow the sed command to completely eliminate the filename - if [ x"$dstfile" = x ] + if [ x"$dstfile" = x ] then dstfile=`basename $dst` else
@@ -243,7 +243,7 @@ else # Now rename the file to the real destination. $doit $rmcmd -f $dstdir/$dstfile && - $doit $mvcmd $dsttmp $dstdir/$dstfile + $doit $mvcmd $dsttmp $dstdir/$dstfile fi &&
diff --git a/kex.c b/kex.c
index b070ccf42..5a952c9c2 100644
--- a/kex.c
+++ b/kex.c
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kex.c,v 1.55 2003/04/01 10:31:26 markus Exp $"); +RCSID("$OpenBSD: kex.c,v 1.56 2003/11/21 11:57:03 djm Exp $"); #include
@@ -310,7 +310,7 @@ choose_hostkeyalg(Kex *k, char *client, char *server) xfree(hostkeyalg); } -static int +static int proposals_match(char *my[PROPOSAL_MAX], char *peer[PROPOSAL_MAX]) { static int check[] = {
@@ -392,7 +392,7 @@ kex_choose_conf(Kex *kex) kex->we_need = need; /* ignore the next message if the proposals do not match */ - if (first_kex_follows && !proposals_match(my, peer) && + if (first_kex_follows && !proposals_match(my, peer) && !(datafellows & SSH_BUG_FIRSTKEX)) { type = packet_read(); debug2("skipping next packet (type %u)", type);
diff --git a/loginrec.c b/loginrec.c
index bdac3e959..ce9e26fc5 100644
--- a/loginrec.c
+++ b/loginrec.c
@@ -158,7 +158,7 @@ #include "log.h" #include "atomicio.h" -RCSID("$Id: loginrec.c,v 1.52 2003/07/06 05:20:46 dtucker Exp $"); +RCSID("$Id: loginrec.c,v 1.53 2003/11/21 12:48:55 djm Exp $"); #ifdef HAVE_UTIL_H # include
@@ -442,7 +442,7 @@ login_write (struct logininfo *li) int login_utmp_only(struct logininfo *li) { - li->type = LTYPE_LOGIN; + li->type = LTYPE_LOGIN; login_set_current_time(li); # ifdef USE_UTMP utmp_write_entry(li);
@@ -1534,7 +1534,7 @@ lastlog_get_entry(struct logininfo *li) lastlog_populate_entry(li, &last); return (1); case -1: - error("%s: Error reading from %s: %s", __func__, + error("%s: Error reading from %s: %s", __func__, LASTLOG_FILE, strerror(errno)); return (0); default:
diff --git a/md5crypt.c b/md5crypt.c
index e14d53ac1..b5e3b91ab 100644
--- a/md5crypt.c
+++ b/md5crypt.c
@@ -1,9 +1,9 @@ /* * ---------------------------------------------------------------------------- * "THE BEER-WARE LICENSE" (Revision 42): - * wrote this file. As long as you retain this - * notice you can do whatever you want with this stuff. If we meet some - * day, and you think this stuff is worth it, you can buy me a beer in + * wrote this file. As long as you retain this + * notice you can do whatever you want with this stuff. If we meet some + * day, and you think this stuff is worth it, you can buy me a beer in * return. Poul-Henning Kamp * ---------------------------------------------------------------------------- */
@@ -13,7 +13,7 @@ #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) #include -RCSID("$Id: md5crypt.c,v 1.7 2003/05/30 06:58:23 dtucker Exp $"); +RCSID("$Id: md5crypt.c,v 1.8 2003/11/21 12:48:55 djm Exp $"); /* 0 ... 63 => ascii - 64 */ static unsigned char itoa64[] =
diff --git a/mdoc2man.awk b/mdoc2man.awk
index 856e2d7c5..9135af07e 100644
--- a/mdoc2man.awk
+++ b/mdoc2man.awk
@@ -76,19 +76,19 @@ function add(str) { skip=1 ext=1 if(length(line)&&!(match(line," $")||prenl)) - add(OFS) + add(OFS) } else if(match(words[w],"^Xc$")) { skip=1 ext=0 if(!extopt) - prenl++ + prenl++ w=nwords } else if(match(words[w],"^Bd$")) { skip=1 if(match(words[w+1],"-literal")) { - literal=1 - prenl++ - w=nwords + literal=1 + prenl++ + w=nwords } } else if(match(words[w],"^Ed$")) { skip=1 @@ -96,7 +96,7 @@ function add(str) { } else if(match(words[w],"^Ns$")) { skip=1 if(!nospace) - nospace=1 + nospace=1 sub(" $","",line) } else if(match(words[w],"^No$")) { skip=1 
@@ -107,20 +107,20 @@ function add(str) { add("``") add(words[++w]) while(w0;i--) { - add(refauthors[i]) - if(i>1) - add(", ") + add(refauthors[i]) + if(i>1) + add(", ") } if(nrefauthors>1) - add(" and ") + add(" and ") add(refauthors[0] ", \\fI" reftitle "\\fP") if(length(refissue)) - add(", " refissue) + add(", " refissue) if(length(refdate)) - add(", " refdate) + add(", " refdate) if(length(refopt)) - add(", " refopt) + add(", " refopt) add(".") reference=0 } else if(reference) { if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() } if(match(words[w],"^%T$")) { - reftitle=wtail() - sub("^\"","",reftitle) - sub("\"$","",reftitle) + reftitle=wtail() + sub("^\"","",reftitle) + sub("\"$","",reftitle) } if(match(words[w],"^%N$")) { refissue=wtail() } if(match(words[w],"^%D$")) { refdate=wtail() } if(match(words[w],"^%O$")) { refopt=wtail() } } else if(match(words[w],"^Nm$")) { if(synopsis) { - add(".br") - prenl++ + add(".br") + prenl++ } n=words[++w] if(!length(name)) - name=n + name=n if(!length(n)) - n=name + n=name add("\\fB" n "\\fP") if(!nospace&&match(words[w+1],"^[\\.,]")) - nospace=1 + nospace=1 } else if(match(words[w],"^Nd$")) { add("\\- " wtail()) } else if(match(words[w],"^Fl$")) { add("\\fB\\-" words[++w] "\\fP") if(!nospace&&match(words[w+1],"^[\\.,]")) - nospace=1 + nospace=1 } else if(match(words[w],"^Ar$")) { add("\\fI") if(w==nwords) - add("file ...\\fP") + add("file ...\\fP") else { - add(words[++w] "\\fP") - while(match(words[w+1],"^\\|$")) - add(OFS words[++w] " \\fI" words[++w] "\\fP") + add(words[++w] "\\fP") + while(match(words[w+1],"^\\|$")) + add(OFS words[++w] " \\fI" words[++w] "\\fP") } if(!nospace&&match(words[w+1],"^[\\.,]")) - nospace=1 + nospace=1 } else if(match(words[w],"^Cm$")) { add("\\fB" words[++w] "\\fP") while(w * Copyright 1996-1998, 2003 William Allen Simpson @@ -46,7 +46,7 @@ /* - * Debugging defines + * Debugging defines */ /* define DEBUG_LARGE 1 */ 
@@ -244,9 +244,9 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start) largememory = memory; /* - * Set power to the length in bits of the prime to be generated. - * This is changed to 1 less than the desired safe prime moduli p. - */ + * Set power to the length in bits of the prime to be generated. + * This is changed to 1 less than the desired safe prime moduli p. + */ if (power > TEST_MAXIMUM) { error("Too many bits: %u > %lu", power, TEST_MAXIMUM); return (-1); @@ -257,16 +257,16 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start) power--; /* decrement before squaring */ /* - * The density of ordinary primes is on the order of 1/bits, so the - * density of safe primes should be about (1/bits)**2. Set test range - * to something well above bits**2 to be reasonably sure (but not - * guaranteed) of catching at least one safe prime. + * The density of ordinary primes is on the order of 1/bits, so the + * density of safe primes should be about (1/bits)**2. Set test range + * to something well above bits**2 to be reasonably sure (but not + * guaranteed) of catching at least one safe prime. */ largewords = ((power * power) >> (SHIFT_WORD - TEST_POWER)); /* - * Need idea of how much memory is available. We don't have to use all - * of it. + * Need idea of how much memory is available. We don't have to use all + * of it. */ if (largememory > LARGE_MAXIMUM) { logit("Limited memory: %u MB; limit %lu MB", @@ -315,8 +315,8 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start) q = BN_new(); /* - * Generate random starting point for subprime search, or use - * specified parameter. + * Generate random starting point for subprime search, or use + * specified parameter. */ largebase = BN_new(); if (start == NULL) 
@@ -329,13 +329,13 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start) time(&time_start); - logit("%.24s Sieve next %u plus %u-bit", ctime(&time_start), + logit("%.24s Sieve next %u plus %u-bit", ctime(&time_start), largenumbers, power); debug2("start point: 0x%s", BN_bn2hex(largebase)); /* - * TinySieve - */ + * TinySieve + */ for (i = 0; i < tinybits; i++) { if (BIT_TEST(TinySieve, i)) continue; /* 2*i+3 is composite */ @@ -351,9 +351,9 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start) } /* - * Start the small block search at the next possible prime. To avoid - * fencepost errors, the last pass is skipped. - */ + * Start the small block search at the next possible prime. To avoid + * fencepost errors, the last pass is skipped. + */ for (smallbase = TINY_NUMBER + 3; smallbase < (SMALL_MAXIMUM - TINY_NUMBER); smallbase += TINY_NUMBER) { @@ -386,8 +386,8 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start) } /* - * SmallSieve - */ + * SmallSieve + */ for (i = 0; i < smallbits; i++) { if (BIT_TEST(SmallSieve, i)) continue; /* 2*i+smallbase is composite */ @@ -438,7 +438,7 @@ gen_candidates(FILE *out, int memory, int power, BIGNUM *start) * The result is a list of so-call "safe" primes */ int -prime_test(FILE *in, FILE *out, u_int32_t trials, +prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted) { BIGNUM *q, *p, *a; 
@@ -562,10 +562,10 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, count_possible++; /* - * The (1/4)^N performance bound on Miller-Rabin is - * extremely pessimistic, so don't spend a lot of time - * really verifying that q is prime until after we know - * that p is also prime. A single pass will weed out the + * The (1/4)^N performance bound on Miller-Rabin is + * extremely pessimistic, so don't spend a lot of time + * really verifying that q is prime until after we know + * that p is also prime. A single pass will weed out the * vast majority of composite q's. */ if (BN_is_prime(q, 1, NULL, ctx, NULL) <= 0) { @@ -575,9 +575,9 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, } /* - * q is possibly prime, so go ahead and really make sure - * that p is prime. If it is, then we can go back and do - * the same for q. If p is composite, chances are that + * q is possibly prime, so go ahead and really make sure + * that p is prime. If it is, then we can go back and do + * the same for q. If p is composite, chances are that * will show up on the first Rabin-Miller iteration so it * doesn't hurt to specify a high iteration count. */ @@ -594,7 +594,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, } debug("%10u: q is almost certainly prime", count_in); - if (qfileout(out, QTYPE_SAFE, (in_tests | QTEST_MILLER_RABIN), + if (qfileout(out, QTYPE_SAFE, (in_tests | QTEST_MILLER_RABIN), in_tries, in_size, generator_known, p)) { res = -1; break; @@ -610,7 +610,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, BN_CTX_free(ctx); logit("%.24s Found %u safe primes of %u candidates in %ld seconds", - ctime(&time_stop), count_out, count_possible, + ctime(&time_stop), count_out, count_possible, (long) (time_stop - time_start)); return (res); diff --git a/monitor.c b/monitor.c index d4c1c6eb2..449397e30 100644 --- a/monitor.c +++ b/monitor.c 
@@ -25,7 +25,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.53 2003/11/18 10:53:07 djm Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.54 2003/11/21 11:57:03 djm Exp $");
 #include
@@ -313,7 +313,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 Buffer m;
 buffer_init(&m);
- mm_request_receive_expect(pmonitor->m_sendfd,
+ mm_request_receive_expect(pmonitor->m_sendfd,
 MONITOR_REQ_PAM_ACCOUNT, &m);
 authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
 buffer_free(&m);
diff --git a/monitor_wrap.c b/monitor_wrap.c
index c685535d3..7ca9672ff 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -715,7 +715,7 @@ mm_do_pam_account(void)
 buffer_init(&m);
 mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_ACCOUNT, &m);
- mm_request_receive_expect(pmonitor->m_recvfd,
+ mm_request_receive_expect(pmonitor->m_recvfd,
 MONITOR_ANS_PAM_ACCOUNT, &m);
 ret = buffer_get_int(&m);
diff --git a/nchan.ms b/nchan.ms
index 2d080228c..57576017b 100644
--- a/nchan.ms
+++ b/nchan.ms
@@ -1,8 +1,8 @@
-.\" $OpenBSD: nchan.ms,v 1.7 2001/01/29 01:58:17 niklas Exp $
+.\" $OpenBSD: nchan.ms,v 1.8 2003/11/21 11:57:03 djm Exp $
+.\"
 .\"
-.\"
 .\" Copyright (c) 1999 Markus Friedl. All rights reserved.
-.\"
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
@@ -11,7 +11,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\" notice, this list of conditions and the following disclaimer in the
 .\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
diff --git a/nchan2.ms b/nchan2.ms
index 1cc51fa12..a7a67b127 100644
--- a/nchan2.ms
+++ b/nchan2.ms
@@ -1,7 +1,7 @@
-.\" $OpenBSD: nchan2.ms,v 1.2 2001/10/03 10:05:57 markus Exp $
-.\"
+.\" $OpenBSD: nchan2.ms,v 1.3 2003/11/21 11:57:03 djm Exp $
+.\"
 .\" Copyright (c) 2000 Markus Friedl. All rights reserved.
-.\"
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
@@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\" notice, this list of conditions and the following disclaimer in the
 .\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 .\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 .\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
diff --git a/packet.c b/packet.c
index 52b4f664c..16d5f972c 100644
--- a/packet.c
+++ b/packet.c
@@ -304,7 +304,7 @@ packet_connection_is_ipv4(void)
 if (to.ss_family == AF_INET)
 return 1;
 #ifdef IPV4_IN_IPV6
- if (to.ss_family == AF_INET6 &&
+ if (to.ss_family == AF_INET6 &&
 IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&to)->sin6_addr))
 return 1;
 #endif
diff --git a/readconf.h b/readconf.h
index 8aab2e606..650132346 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.56 2003/10/11 08:24:08 markus Exp $ */
+/* $OpenBSD: readconf.h,v 1.57 2003/11/21 11:57:03 djm Exp $ */
 /*
 * Author: Tatu Ylonen
@@ -61,7 +61,7 @@ typedef struct {
 int connection_attempts; /* Max attempts (seconds) before
 * giving up */
 int connection_timeout; /* Max time (seconds) before
- * aborting connection attempt */
+ * aborting connection attempt */
 int number_of_password_prompts; /* Max number of password
 * prompts. */
 int cipher; /* Cipher to use. */
diff --git a/rijndael.c b/rijndael.c
index 6965ca3b0..1cd24de14 100644
--- a/rijndael.c
+++ b/rijndael.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rijndael.c,v 1.14 2002/07/10 17:53:54 deraadt Exp $ */
+/* $OpenBSD: rijndael.c,v 1.15 2003/11/21 11:57:03 djm Exp $ */
 /**
 * rijndael-alg-fst.c
@@ -725,7 +725,7 @@ static const u32 rcon[] = {
 * @return the number of rounds for the given cipher key size.
 */
 static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
- int i = 0;
+ int i = 0;
 u32 temp;
 rk[0] = GETU32(cipherKey );
@@ -797,7 +797,7 @@ static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int
 (Te4[(temp ) & 0xff] & 0x000000ff);
 rk[13] = rk[ 5] ^ rk[12];
 rk[14] = rk[ 6] ^ rk[13];
- rk[15] = rk[ 7] ^ rk[14];
+ rk[15] = rk[ 7] ^ rk[14];
 rk += 8;
 }
 }
@@ -871,50 +871,50 @@ static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16 s3 = GETU32(pt + 12) ^ rk[3]; #ifdef FULL_UNROLL /* round 1: */ - t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; - t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; - t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; - t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7]; - /* round 2: */ - s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8]; - s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9]; - s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10]; - s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11]; + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7]; + /* round 2: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11]; /* round 3: */ - t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12]; - t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13]; - t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) 
& 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14]; - t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15]; - /* round 4: */ - s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16]; - s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17]; - s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18]; - s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19]; + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15]; + /* round 4: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19]; /* round 5: */ - t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20]; - t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21]; - t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22]; - t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23]; - /* round 6: */ - s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24]; - s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25]; - s2 = Te0[t2 >> 24] ^ Te1[(t3 
>> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26]; - s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27]; + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23]; + /* round 6: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27]; /* round 7: */ - t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28]; - t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29]; - t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30]; - t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31]; - /* round 8: */ - s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32]; - s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33]; - s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34]; - s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35]; + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 
0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31]; + /* round 8: */ + s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32]; + s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >> 8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33]; + s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >> 8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34]; + s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >> 8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35]; /* round 9: */ - t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36]; - t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37]; - t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38]; - t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39]; + t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >> 8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36]; + t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >> 8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37]; + t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >> 8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38]; + t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >> 8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39]; if (Nr > 10) { /* round 10: */ s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >> 8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40]; 
@@ -1187,33 +1187,33 @@ static void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16 * apply last round and * map cipher state to byte array block: */ - s0 = - (Td4[(t0 >> 24) ] & 0xff000000) ^ - (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^ - (Td4[(t2 >> 8) & 0xff] & 0x0000ff00) ^ - (Td4[(t1 ) & 0xff] & 0x000000ff) ^ - rk[0]; + s0 = + (Td4[(t0 >> 24) ] & 0xff000000) ^ + (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t2 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t1 ) & 0xff] & 0x000000ff) ^ + rk[0]; PUTU32(pt , s0); - s1 = - (Td4[(t1 >> 24) ] & 0xff000000) ^ - (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^ - (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^ - (Td4[(t2 ) & 0xff] & 0x000000ff) ^ - rk[1]; + s1 = + (Td4[(t1 >> 24) ] & 0xff000000) ^ + (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t3 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t2 ) & 0xff] & 0x000000ff) ^ + rk[1]; PUTU32(pt + 4, s1); - s2 = - (Td4[(t2 >> 24) ] & 0xff000000) ^ - (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^ - (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^ - (Td4[(t3 ) & 0xff] & 0x000000ff) ^ - rk[2]; + s2 = + (Td4[(t2 >> 24) ] & 0xff000000) ^ + (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t0 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t3 ) & 0xff] & 0x000000ff) ^ + rk[2]; PUTU32(pt + 8, s2); - s3 = - (Td4[(t3 >> 24) ] & 0xff000000) ^ - (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^ - (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^ - (Td4[(t0 ) & 0xff] & 0x000000ff) ^ - rk[3]; + s3 = + (Td4[(t3 >> 24) ] & 0xff000000) ^ + (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^ + (Td4[(t1 >> 8) & 0xff] & 0x0000ff00) ^ + (Td4[(t0 ) & 0xff] & 0x000000ff) ^ + rk[3]; PUTU32(pt + 12, s3); } diff --git a/scard-opensc.c b/scard-opensc.c index 2489fec45..ff3017f5e 100644 --- a/scard-opensc.c +++ b/scard-opensc.c 
@@ -1,7 +1,7 @@ /* * Copyright (c) 2002 Juha Yrjölä. All rights reserved. * Copyright (c) 2001 Markus Friedl. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -81,7 +81,7 @@ sc_close(void) } } -static int +static int sc_init(void) { int r; @@ -91,7 +91,7 @@ sc_init(void) goto err; if (sc_reader_id >= ctx->reader_count) { r = SC_ERROR_NO_READERS_FOUND; - error("Illegal reader number %d (max %d)", sc_reader_id, + error("Illegal reader number %d (max %d)", sc_reader_id, ctx->reader_count -1); goto err; } @@ -131,7 +131,7 @@ sc_prkey_op_init(RSA *rsa, struct sc_pkcs15_object **key_obj_out, goto err; } } - r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, + r = sc_pkcs15_find_prkey_by_id_usage(p15card, &priv->cert_id, usage, &key_obj); if (r) { error("Unable to find private key from SmartCard: %s", @@ -193,7 +193,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT); if (r) return -1; - r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, + r = sc_pkcs15_decipher(p15card, key_obj, SC_ALGORITHM_RSA_PAD_PKCS1, from, flen, to, flen); sc_unlock(card); if (r < 0) { @@ -223,7 +223,7 @@ sc_sign(int type, u_char *m, unsigned int m_len, * the key will be rejected as using a non-repudiation key * for authentication is not recommended. Note: This does not * prevent the use of a non-repudiation key for authentication - * if the sign or signrecover flag is set as well. + * if the sign or signrecover flag is set as well. */ r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_SIGN); if (r) @@ -337,7 +337,7 @@ convert_rsa_to_rsa1(Key * in, Key * out) return; } -static int +static int sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj) { int r; 
@@ -358,7 +358,7 @@ sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj) } x509 = X509_new(); if (x509 == NULL) { - r = -1; + r = -1; goto err; } p = cert->data; diff --git a/scp.c b/scp.c index 36cf1b442..cece74a98 100644 --- a/scp.c +++ b/scp.c @@ -71,7 +71,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.111 2003/11/12 10:12:15 dtucker Exp $"); +RCSID("$OpenBSD: scp.c,v 1.112 2003/11/21 11:57:03 djm Exp $"); #include "xmalloc.h" #include "atomicio.h" diff --git a/session.c b/session.c index b1e6255f4..3a3a09b5b 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.167 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: session.c,v 1.168 2003/11/21 11:57:03 djm Exp $"); #include "ssh.h" #include "ssh1.h" @@ -980,7 +980,7 @@ do_setup_env(Session *s, const char *shell) #endif #ifdef GSSAPI - /* Allow any GSSAPI methods that we've used to alter + /* Allow any GSSAPI methods that we've used to alter * the childs environment as they see fit */ ssh_gssapi_do_child(&env, &envsize); @@ -1012,7 +1012,7 @@ do_setup_env(Session *s, const char *shell) path = child_get_env(env, "PATH"); # endif /* HAVE_ETC_DEFAULT_LOGIN */ if (path == NULL || *path == '\0') { - child_set_env(&env, &envsize, "PATH", + child_set_env(&env, &envsize, "PATH", s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH); } @@ -1266,7 +1266,7 @@ do_setusercontext(struct passwd *pw) endgrent(); # ifdef USE_PAM /* - * PAM credentials may take the form of supplementary groups. + * PAM credentials may take the form of supplementary groups. * These will have been wiped by the above initgroups() call. * Reestablish them here. */ diff --git a/sftp-client.c b/sftp-client.c index ffff0fe5a..8e657d1b5 100644 --- a/sftp-client.c +++ b/sftp-client.c 
@@ -28,7 +28,7 @@ /* XXX: copy between two remote sites */ #include "includes.h" -RCSID("$OpenBSD: sftp-client.c,v 1.44 2003/06/28 16:23:06 deraadt Exp $"); +RCSID("$OpenBSD: sftp-client.c,v 1.45 2003/11/21 11:57:03 djm Exp $"); #include "openbsd-compat/sys-queue.h" @@ -798,7 +798,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, return(-1); } - local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, + local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, mode | S_IWRITE); if (local_fd == -1) { error("Couldn't open local file \"%s\" for writing: %s", @@ -946,7 +946,7 @@ do_download(struct sftp_conn *conn, char *remote_path, char *local_path, /* Override umask and utimes if asked */ #ifdef HAVE_FCHMOD if (pflag && fchmod(local_fd, mode) == -1) -#else +#else if (pflag && chmod(local_path, mode) == -1) #endif /* HAVE_FCHMOD */ error("Couldn't set mode on \"%s\": %s", local_path, diff --git a/sftp-glob.c b/sftp-glob.c index ee122a2cd..4f2234654 100644 --- a/sftp-glob.c +++ b/sftp-glob.c @@ -89,7 +89,7 @@ fudge_readdir(struct SFTP_OPENDIR *od) #ifdef __GNU_LIBRARY__ /* * Idiot glibc uses extensions to struct dirent for readdir with - * ALTDIRFUNCs. Not that this is documented anywhere but the + * ALTDIRFUNCs. Not that this is documented anywhere but the * source... Fake an inode number to appease it. */ ret->d_ino = inum++; diff --git a/sftp-int.c b/sftp-int.c index bc5cce8de..4c280b492 100644 --- a/sftp-int.c +++ b/sftp-int.c @@ -25,7 +25,7 @@ /* XXX: recursive operations */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.64 2003/11/08 19:17:29 jmc Exp $"); +RCSID("$OpenBSD: sftp-int.c,v 1.65 2003/11/21 11:57:03 djm Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -361,7 +361,7 @@ get_pathname(const char **cpp, char **path) } if (cp[i] == '\\') { /* Escaped characters */ i++; - if (cp[i] != '\'' && cp[i] != '\"' && + if (cp[i] != '\'' && cp[i] != '\"' && cp[i] != '\\') { error("Bad escaped character '\%c'", cp[i]); 
@@ -389,7 +389,7 @@ get_pathname(const char **cpp, char **path) return (0); fail: - xfree(*path); + xfree(*path); *path = NULL; return (-1); } @@ -530,7 +530,7 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag) for (i = 0; g.gl_pathv[i]; i++) { if (!is_reg(g.gl_pathv[i])) { - error("skipping non-regular file %s", + error("skipping non-regular file %s", g.gl_pathv[i]); continue; } @@ -598,7 +598,7 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) for (n = 0; d[n] != NULL; n++) m = MAX(m, strlen(d[n]->filename)); - if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) + if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) width = ws.ws_col; columns = width / (m + 2); @@ -668,7 +668,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, strncmp(path, g.gl_pathv[0], strlen(g.gl_pathv[0]) - 1) == 0) { if ((a = do_lstat(conn, path, 1)) == NULL) { globfree(&g); - return (-1); + return (-1); } if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && S_ISDIR(a->perm)) { @@ -682,7 +682,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, struct winsize ws; /* Count entries for sort and find longest filename */ - for (i = 0; g.gl_pathv[i]; i++) + for (i = 0; g.gl_pathv[i]; i++) m = MAX(m, strlen(g.gl_pathv[i])); if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) diff --git a/ssh-add.c b/ssh-add.c index 2e394e5c1..e7699c95c 100644 --- a/ssh-add.c +++ b/ssh-add.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.68 2003/06/16 10:22:45 markus Exp $"); +RCSID("$OpenBSD: ssh-add.c,v 1.69 2003/11/21 11:57:03 djm Exp $"); #include 
@@ -169,14 +169,14 @@ add_file(AuthenticationConnection *ac, const char *filename) } } - if (ssh_add_identity_constrained(ac, private, comment, lifetime, - confirm)) { + if (ssh_add_identity_constrained(ac, private, comment, lifetime, + confirm)) { fprintf(stderr, "Identity added: %s (%s)\n", filename, comment); ret = 0; if (lifetime != 0) fprintf(stderr, "Lifetime set to %d seconds\n", lifetime); - if (confirm != 0) + if (confirm != 0) fprintf(stderr, "The user has to confirm each use of the key\n"); } else if (ssh_add_identity(ac, private, comment)) { diff --git a/ssh-agent.c b/ssh-agent.c index d595479f9..b1d603006 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.115 2003/10/14 19:54:39 markus Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.116 2003/11/21 11:57:03 djm Exp $"); #include #include @@ -179,7 +179,7 @@ confirm_key(Identity *id) p = read_passphrase(prompt, RP_ALLOW_EOF); if (p != NULL) { /* - * Accept empty responses and responses consisting + * Accept empty responses and responses consisting * of the word "yes" as affirmative. */ if (*p == '\0' || *p == '\n' || strcasecmp(p, "yes") == 0) diff --git a/ssh-keygen.c b/ssh-keygen.c index 4a3cf241a..95d22b6a4 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.110 2003/10/14 19:42:10 jakob Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.111 2003/11/21 11:57:03 djm Exp $"); #include #include @@ -902,13 +902,13 @@ main(int ac, char **av) case 'a': trials = atoi(optarg); if (trials < TRIAL_MINIMUM) { - fatal("Minimum primality trials is %d", + fatal("Minimum primality trials is %d", TRIAL_MINIMUM); } break; case 'M': memory = atoi(optarg); - if (memory != 0 && + if (memory != 0 && (memory < LARGE_MINIMUM || memory > LARGE_MAXIMUM)) { fatal("Invalid memory amount (min %ld, max %ld)", LARGE_MINIMUM, LARGE_MAXIMUM); 
@@ -987,7 +987,7 @@ main(int ac, char **av) if (have_identity && strcmp(identity_file, "-") != 0) { if ((in = fopen(identity_file, "r")) == NULL) { fatal("Couldn't open modulus candidate " - "file \"%s\": %s", identity_file, + "file \"%s\": %s", identity_file, strerror(errno)); } } else diff --git a/ssh-rand-helper.8 b/ssh-rand-helper.8 index a89185c0a..df559d332 100644 --- a/ssh-rand-helper.8 +++ b/ssh-rand-helper.8 @@ -1,4 +1,4 @@ -.\" $Id: ssh-rand-helper.8,v 1.1 2002/04/14 09:27:13 djm Exp $ +.\" $Id: ssh-rand-helper.8,v 1.2 2003/11/21 12:48:56 djm Exp $ .\" .\" Copyright (c) 2002 Damien Miller. All rights reserved. .\" @@ -34,22 +34,22 @@ .Op Fl b Ar bytes .Sh DESCRIPTION .Nm -is a small helper program used by +is a small helper program used by .Xr ssh 1 , .Xr ssh-add 1 , .Xr ssh-agent 1 , .Xr ssh-keygen 1 , -.Xr ssh-keyscan 1 +.Xr ssh-keyscan 1 and .Xr sshd 8 -to gather random numbers of cryptographic quality if the +to gather random numbers of cryptographic quality if the .Xr openssl 4 library has not been configured to provide them itself. .Pp -Normally +Normally .Nm will generate a strong random seed and provide it to the calling -program via standard output. If standard output is a tty, +program via standard output. If standard output is a tty, .Nm will instead print the seed in hexidecimal format unless told otherwise. .Pp 
@@ -57,19 +57,19 @@ will instead print the seed in hexidecimal format unless told otherwise. will by default gather random numbers from the system commands listed in .Pa /etc/ssh/ssh_prng_cmds . -The output of each of the commands listed will be hashed and used to -generate a random seed for the calling program. +The output of each of the commands listed will be hashed and used to +generate a random seed for the calling program. .Nm -will also store seed files in +will also store seed files in .Pa ~/.ssh/prng_seed between executions. .Pp -Alternately, +Alternately, .Nm -may be configured at build time to collect random numbers from a +may be configured at build time to collect random numbers from a EGD/PRNGd server via a unix domain or localhost tcp socket. .Pp -This program is not intended to be run by the end-user, so the few +This program is not intended to be run by the end-user, so the few commandline options are for debugging purposes only. .Bl -tag -width Ds .It Fl b Ar bytes diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c index effc8745e..abdb779f0 100644 --- a/ssh-rand-helper.c +++ b/ssh-rand-helper.c @@ -39,7 +39,7 @@ #include "pathnames.h" #include "log.h" -RCSID("$Id: ssh-rand-helper.c,v 1.14 2003/09/22 15:36:15 mouring Exp $"); +RCSID("$Id: ssh-rand-helper.c,v 1.15 2003/11/21 12:48:56 djm Exp $"); /* Number of bytes we write out */ #define OUTPUT_SEED_SIZE 48 
@@ -115,19 +115,19 @@ double stir_gettimeofday(double entropy_estimate); double stir_clock(double entropy_estimate); double stir_rusage(int who, double entropy_estimate); double hash_command_output(entropy_cmd_t *src, unsigned char *hash); -int get_random_bytes_prngd(unsigned char *buf, int len, +int get_random_bytes_prngd(unsigned char *buf, int len, unsigned short tcp_port, char *socket_path); /* * Collect 'len' bytes of entropy into 'buf' from PRNGD/EGD daemon * listening either on 'tcp_port', or via Unix domain socket at * * 'socket_path'. - * Either a non-zero tcp_port or a non-null socket_path must be + * Either a non-zero tcp_port or a non-null socket_path must be * supplied. * Returns 0 on success, -1 on error */ int -get_random_bytes_prngd(unsigned char *buf, int len, +get_random_bytes_prngd(unsigned char *buf, int len, unsigned short tcp_port, char *socket_path) { int fd, addr_len, rval, errors; @@ -289,7 +289,7 @@ hash_command_output(entropy_cmd_t *src, unsigned char *hash) if (devnull == -1) { devnull = open("/dev/null", O_RDWR); if (devnull == -1) - fatal("Couldn't open /dev/null: %s", + fatal("Couldn't open /dev/null: %s", strerror(errno)); } @@ -314,7 +314,7 @@ hash_command_output(entropy_cmd_t *src, unsigned char *hash) execv(src->path, (char**)(src->args)); - debug("(child) Couldn't exec '%s': %s", + debug("(child) Couldn't exec '%s': %s", src->cmdstring, strerror(errno)); _exit(-1); default: /* Parent */ @@ -376,7 +376,7 @@ hash_command_output(entropy_cmd_t *src, unsigned char *hash) case -1: default: /* error */ - debug("Command '%s': select() failed: %s", + debug("Command '%s': select() failed: %s", src->cmdstring, strerror(errno)); error_abort = 1; break; 
@@ -400,8 +400,8 @@ hash_command_output(entropy_cmd_t *src, unsigned char *hash) if (error_abort) { /* * Closing p[0] on timeout causes the entropy command to - * SIGPIPE. Take whatever output we got, and mark this - * command as slow + * SIGPIPE. Take whatever output we got, and mark this + * command as slow */ debug2("Command '%s' timed out", src->cmdstring); src->sticky_badness *= 2; @@ -479,7 +479,7 @@ stir_from_programs(void) /* Stir it in */ RAND_add(hash, sizeof(hash), entropy); - debug3("Got %0.2f bytes of entropy from '%s'", + debug3("Got %0.2f bytes of entropy from '%s'", entropy, entropy_cmds[c].cmdstring); total_entropy += entropy; @@ -491,7 +491,7 @@ stir_from_programs(void) total_entropy += stir_rusage(RUSAGE_CHILDREN, 0.1); } else { debug2("Command '%s' disabled (badness %d)", - entropy_cmds[c].cmdstring, + entropy_cmds[c].cmdstring, entropy_cmds[c].badness); if (entropy_cmds[c].badness > 0) @@ -511,8 +511,8 @@ prng_check_seedfile(char *filename) struct stat st; /* - * XXX raceable: eg replace seed between this stat and subsequent - * open. Not such a problem because we don't really trust the + * XXX raceable: eg replace seed between this stat and subsequent + * open. Not such a problem because we don't really trust the * seed file anyway. * XXX: use secure path checking as elsewhere in OpenSSH */ @@ -651,7 +651,7 @@ prng_read_commands(char *cmdfilename) continue; /* done with this line */ /* - * The first non-whitespace char should be a double quote + * The first non-whitespace char should be a double quote * delimiting the commandline */ if (*cp != '"') { @@ -726,7 +726,7 @@ prng_read_commands(char *cmdfilename) /* * If we've filled the array, reallocate it twice the size - * Do this now because even if this we're on the last + * Do this now because even if this we're on the last * command we need another slot to mark the last entry */ if (cur_cmd == num_cmds) { 
@@ -761,7 +761,7 @@ usage(void) OUTPUT_SEED_SIZE); } -int +int main(int argc, char **argv) { unsigned char *buf; @@ -816,11 +816,11 @@ main(int argc, char **argv) /* * Seed the RNG from wherever we can */ - + /* Take whatever is on the stack, but don't credit it */ RAND_add(buf, bytes, 0); - debug("Seeded RNG with %i bytes from system calls", + debug("Seeded RNG with %i bytes from system calls", (int)stir_from_system()); #ifdef PRNGD_PORT @@ -835,7 +835,7 @@ main(int argc, char **argv) /* Read in collection commands */ if (prng_read_commands(SSH_PRNG_COMMAND_FILE) == -1) fatal("PRNG initialisation failed -- exiting."); - debug("Seeded RNG with %i bytes from programs", + debug("Seeded RNG with %i bytes from programs", (int)stir_from_programs()); #endif diff --git a/ssh.c b/ssh.c index 39d1b2f6a..e8639f66b 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.202 2003/10/11 08:24:08 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.203 2003/11/21 11:57:03 djm Exp $"); #include #include @@ -221,7 +221,7 @@ main(int ac, char **av) */ original_real_uid = getuid(); original_effective_uid = geteuid(); - + /* * Use uid-swapping to give up root privileges for the duration of * option processing. We will re-instantiate the rights when we are @@ -717,7 +717,7 @@ again: packet_close(); /* - * Send SIGHUP to proxy command if used. We don't wait() in + * Send SIGHUP to proxy command if used. We don't wait() in * case it hangs and instead rely on init to reap the child */ if (proxy_command_pid > 1) diff --git a/ssh_prng_cmds.in b/ssh_prng_cmds.in index 50e7771f9..0d29d49f1 100644 --- a/ssh_prng_cmds.in +++ b/ssh_prng_cmds.in 
@@ -2,10 +2,10 @@ # Format is: "program-name args" path rate -# The "rate" represents the number of bits of usuable entropy per +# The "rate" represents the number of bits of usuable entropy per # byte of command output. Be conservative. # -# $Id: ssh_prng_cmds.in,v 1.8 2002/07/14 21:43:58 tim Exp $ +# $Id: ssh_prng_cmds.in,v 1.9 2003/11/21 12:48:56 djm Exp $ "ls -alni /var/log" @PROG_LS@ 0.02 "ls -alni /var/adm" @PROG_LS@ 0.02 diff --git a/sshconnect.c b/sshconnect.c index 5972e2ba9..3d6cc375a 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.153 2003/11/12 16:39:58 jakob Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.154 2003/11/21 11:57:03 djm Exp $"); #include @@ -74,7 +74,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command) * Build the final command string in the buffer by making the * appropriate substitutions to the given proxy command. * - * Use "exec" to avoid "sh -c" processes on some platforms + * Use "exec" to avoid "sh -c" processes on some platforms * (e.g. Solaris) */ buffer_init(&command); @@ -261,15 +261,15 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, break; case -1: /* Select error */ - debug("select: %s", strerror(errno)); + debug("select: %s", strerror(errno)); break; case 1: /* Completed or failed */ optval = 0; optlen = sizeof(optval); - if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, + if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) { - debug("getsockopt: %s", strerror(errno)); + debug("getsockopt: %s", strerror(errno)); break; } if (optval != 0) { diff --git a/sshconnect2.c b/sshconnect2.c index f6368aadd..76670e8a8 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.132 2003/11/17 11:06:07 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.133 2003/11/21 11:57:03 djm Exp $"); #include "openbsd-compat/sys-queue.h" 
@@ -476,7 +476,7 @@ done: } #ifdef GSSAPI -int +int userauth_gssapi(Authctxt *authctxt) { Gssctxt *gssctxt = NULL; @@ -584,7 +584,7 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) buffer_free(&b); gss_release_buffer(&ms, &mic); - } + } } return status; @@ -1033,7 +1033,7 @@ pubkey_prepare(Authctxt *authctxt) key = ssh_get_next_identity(ac, &comment, 2)) { found = 0; TAILQ_FOREACH(id, &files, next) { - /* agent keys from the config file are preferred */ + /* agent keys from the config file are preferred */ if (key_equal(key, id->key)) { key_free(key); xfree(comment); diff --git a/sshd.c b/sshd.c index a9001a040..e92a13c5f 100644 --- a/sshd.c +++ b/sshd.c @@ -1055,8 +1055,8 @@ main(int ac, char **av) /* * Clear out any supplemental groups we may have inherited. This * prevents inadvertent creation of files with bad modes (in the - * portable version at least, it's certainly possible for PAM - * to create a file, and we can't control the code in every + * portable version at least, it's certainly possible for PAM + * to create a file, and we can't control the code in every * module which might be used). */ if (setgroups(0, NULL) < 0) @@ -1446,7 +1446,7 @@ main(int ac, char **av) packet_set_nonblocking(); - /* prepare buffers to collect authentication messages */ + /* prepare buffers to collect authentication messages */ buffer_init(&loginmsg); /* allocate authentication context */ diff --git a/sshd_config.5 b/sshd_config.5 index b402bbdad..06a197b76 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.25 2003/09/01 09:50:04 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.26 2003/11/21 11:57:03 djm Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
@@ -227,7 +227,7 @@ The default is .Dq no . .It Cm GSSAPIAuthentication Specifies whether user authentication based on GSSAPI is allowed. -The default is +The default is .Dq no . Note that this option applies to protocol version 2 only. .It Cm GSSAPICleanupCredentials @@ -608,10 +608,10 @@ If .Cm UsePrivilegeSeparation is specified, it will be disabled after authentication. .It Cm UsePAM -Enables PAM authentication (via challenge-response) and session set up. -If you enable this, you should probably disable +Enables PAM authentication (via challenge-response) and session set up. +If you enable this, you should probably disable .Cm PasswordAuthentication . -If you enable +If you enable .CM UsePAM then you will not be able to run sshd as a non-root user. The default is .Dq no . diff --git a/sshpty.c b/sshpty.c index 4747ceaf4..50b1f2ba3 100644 --- a/sshpty.c +++ b/sshpty.c @@ -343,7 +343,7 @@ pty_make_controlling_tty(int *ttyfd, const char *ttyname) if (fd < 0) error("open /dev/tty failed - could not set controlling tty: %.100s", strerror(errno)); - else + else close(fd); #endif /* _UNICOS */ } diff --git a/uidswap.c b/uidswap.c index 9e161d0f0..a5f76fdcd 100644 --- a/uidswap.c +++ b/uidswap.c 
@@ -180,28 +180,28 @@ permanently_set_uid(struct passwd *pw) #endif /* Try restoration of GID if changed (test clearing of saved gid) */ - if (old_gid != pw->pw_gid && + if (old_gid != pw->pw_gid && (setgid(old_gid) != -1 || setegid(old_gid) != -1)) fatal("%s: was able to restore old [e]gid", __func__); /* Verify GID drop was successful */ if (getgid() != pw->pw_gid || getegid() != pw->pw_gid) { - fatal("%s: egid incorrect gid:%u egid:%u (should be %u)", - __func__, (u_int)getgid(), (u_int)getegid(), + fatal("%s: egid incorrect gid:%u egid:%u (should be %u)", + __func__, (u_int)getgid(), (u_int)getegid(), (u_int)pw->pw_gid); } #ifndef HAVE_CYGWIN /* Try restoration of UID if changed (test clearing of saved uid) */ - if (old_uid != pw->pw_uid && + if (old_uid != pw->pw_uid && (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) fatal("%s: was able to restore old [e]uid", __func__); #endif /* Verify UID drop was successful */ if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) { - fatal("%s: euid incorrect uid:%u euid:%u (should be %u)", - __func__, (u_int)getuid(), (u_int)geteuid(), + fatal("%s: euid incorrect uid:%u euid:%u (should be %u)", + __func__, (u_int)getuid(), (u_int)geteuid(), (u_int)pw->pw_uid); } } -- cgit v1.2.3 From 787b2ec18c013a5076765f93882550918658ea89 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Fri, 21 Nov 2003 23:56:47 +1100 Subject: more whitespace (tabs this time) --- auth-krb5.c | 16 ++++++++-------- auth-pam.c | 8 ++++---- auth-passwd.c | 2 +- auth-sia.c | 2 +- auth.c | 2 +- auth2-gss.c | 14 +++++++------- authfd.c | 2 +- buffer.c | 2 +- channels.c | 2 +- entropy.c | 4 ++-- gss-genr.c | 4 ++-- md5crypt.c | 4 ++-- moduli.c | 4 ++-- monitor.c | 18 +++++++++--------- monitor_wrap.c | 2 +- scard-opensc.c | 8 ++++---- scp.c | 2 +- session.c | 12 ++++++------ sftp-glob.c | 2 +- sftp-int.c | 6 +++--- ssh-keygen.c | 2 +- ssh-rand-helper.c | 12 ++++++------ sshconnect2.c | 18 +++++++++--------- 23 files changed, 74 insertions(+), 74 deletions(-) diff --git a/auth-krb5.c b/auth-krb5.c index b41c4882b..8377aed10 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -68,7 +68,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) krb5_principal server; char ccname[40]; int tmpfd; -#endif +#endif krb5_error_code problem; krb5_ccache ccache = NULL; @@ -97,10 +97,10 @@ auth_krb5_password(Authctxt *authctxt, const char *password) goto out; restore_uid(); - + problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user, ccache, password, 1, NULL); - + temporarily_use_uid(authctxt->pw); if (problem) @@ -135,7 +135,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) temporarily_use_uid(authctxt->pw); if (problem) goto out; - + if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, authctxt->pw->pw_name)) { problem = -1; @@ -143,13 +143,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password) } snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid()); - + if ((tmpfd = mkstemp(ccname+strlen("FILE:")))==-1) { logit("mkstemp(): %.100s", strerror(errno)); problem = errno; goto out; } - + if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) { logit("fchmod(): %.100s", strerror(errno)); close(tmpfd); 
@@ -166,12 +166,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password) authctxt->krb5_user); if (problem) goto out; - + problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache, &creds); if (problem) goto out; -#endif +#endif authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache); diff --git a/auth-pam.c b/auth-pam.c index 8b1915669..621940ab9 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.83 2003/11/21 12:48:55 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 12:56:47 djm Exp $"); #ifdef USE_PAM #include @@ -321,7 +321,7 @@ sshpam_thread(void *ctxtp) ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer); buffer_free(&buffer); pthread_exit(NULL); - + return (NULL); /* Avoid warning for non-pthread case */ } @@ -613,7 +613,7 @@ do_pam_account(void) { sshpam_err = pam_acct_mgmt(sshpam_handle, 0); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); - + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) return (0); @@ -773,7 +773,7 @@ int do_pam_putenv(char *name, char *value) { int ret = 1; -#ifdef HAVE_PAM_PUTENV +#ifdef HAVE_PAM_PUTENV char *compound; size_t len; diff --git a/auth-passwd.c b/auth-passwd.c index 4cbfe3689..54571f972 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -101,7 +101,7 @@ auth_password(Authctxt *authctxt, const char *password) (char *)get_canonical_hostname(options.use_dns); authsuccess = 1; - aix_remove_embedded_newlines(authmsg); + aix_remove_embedded_newlines(authmsg); debug3("AIX/authenticate succeeded for user %s: %.100s", pw->pw_name, authmsg); diff --git a/auth-sia.c b/auth-sia.c index 544b601b3..cdd39d670 100644 --- a/auth-sia.c +++ b/auth-sia.c 
@@ -100,7 +100,7 @@ session_setup_sia(struct passwd *pw, char *tty) if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) fatal("Couldn't launch session for %s from %s", pw->pw_name, host); - + sia_ses_release(&ent); if (setreuid(geteuid(), geteuid()) < 0) diff --git a/auth.c b/auth.c index a8cf0ce20..4b307dab3 100644 --- a/auth.c +++ b/auth.c @@ -597,7 +597,7 @@ fakepw(void) memset(&fake, 0, sizeof(fake)); fake.pw_name = "NOUSER"; fake.pw_passwd = - "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; + "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; fake.pw_gecos = "NOUSER"; fake.pw_uid = -1; fake.pw_gid = -1; diff --git a/auth2-gss.c b/auth2-gss.c index 799d3326c..9249988d3 100644 --- a/auth2-gss.c +++ b/auth2-gss.c @@ -255,21 +255,21 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) Buffer b; gss_buffer_desc mic, gssbuf; u_int len; - + if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep)) fatal("No authentication or GSSAPI context"); - + gssctxt = authctxt->methoddata; - + mic.value = packet_get_string(&len); mic.length = len; - + ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, "gssapi-with-mic"); - + gssbuf.value = buffer_ptr(&b); gssbuf.length = buffer_len(&b); - + if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic)))) authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user)); else @@ -277,7 +277,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt) buffer_free(&b); xfree(mic.value); - + authctxt->postponed = 0; dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL); diff --git a/authfd.c b/authfd.c index 6a7c07205..42ca08256 100644 --- a/authfd.c +++ b/authfd.c @@ -607,7 +607,7 @@ ssh_update_card(AuthenticationConnection *auth, int add, buffer_put_char(&msg, type); buffer_put_cstring(&msg, reader_id); buffer_put_cstring(&msg, pin); - + if (constrained) { if (life != 0) { buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME); 
diff --git a/buffer.c b/buffer.c index 236aeb0cd..9217cb269 100644 --- a/buffer.c +++ b/buffer.c @@ -105,7 +105,7 @@ restart: goto restart; } /* Increase the size of the buffer and retry. */ - + newlen = buffer->alloc + len + 32768; if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", diff --git a/channels.c b/channels.c index 4150b5504..25f85c8b7 100644 --- a/channels.c +++ b/channels.c @@ -1035,7 +1035,7 @@ channel_decode_socks5(Channel *c, fd_set * readset, fd_set * writeset) else if (inet_ntop(af, dest_addr, c->path, sizeof(c->path)) == NULL) return -1; c->host_port = ntohs(dest_port); - + debug2("channel %d: dynamic request: socks5 host %s port %u command %u", c->self, c->path, c->host_port, s5_req.command); diff --git a/entropy.c b/entropy.c index f5381e32f..0997174b6 100644 --- a/entropy.c +++ b/entropy.c @@ -45,7 +45,7 @@ * XXX: we should tell the child how many bytes we need. */ -RCSID("$Id: entropy.c,v 1.47 2003/11/21 12:48:55 djm Exp $"); +RCSID("$Id: entropy.c,v 1.48 2003/11/21 12:56:47 djm Exp $"); #ifndef OPENSSL_PRNG_ONLY #define RANDOM_SEED_SIZE 48 @@ -93,7 +93,7 @@ seed_rng(void) (long int)original_uid, strerror(errno)); _exit(1); } - + execl(SSH_RAND_HELPER, "ssh-rand-helper", NULL); fprintf(stderr, "(rand child) Couldn't exec '%s': %s\n", SSH_RAND_HELPER, strerror(errno)); diff --git a/gss-genr.c b/gss-genr.c index 1e044dbbb..3f5727b3e 100644 --- a/gss-genr.c +++ b/gss-genr.c @@ -253,14 +253,14 @@ ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) if ((ctx->major = gss_get_mic(&ctx->minor, ctx->context, GSS_C_QOP_DEFAULT, buffer, hash))) ssh_gssapi_error(ctx); - + return (ctx->major); } void ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service, const char *context) -{ +{ buffer_init(b); buffer_put_string(b, session_id2, session_id2_len); buffer_put_char(b, SSH2_MSG_USERAUTH_REQUEST); diff --git a/md5crypt.c b/md5crypt.c index b5e3b91ab..8f2523e62 100644 --- a/md5crypt.c +++ b/md5crypt.c 
@@ -13,7 +13,7 @@ #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) #include -RCSID("$Id: md5crypt.c,v 1.8 2003/11/21 12:48:55 djm Exp $"); +RCSID("$Id: md5crypt.c,v 1.9 2003/11/21 12:56:47 djm Exp $"); /* 0 ... 63 => ascii - 64 */ static unsigned char itoa64[] = @@ -35,7 +35,7 @@ to64(unsigned long v, int n) *s++ = itoa64[v&0x3f]; v >>= 6; } - + return (buf); } diff --git a/moduli.c b/moduli.c index ae71b250b..eb8cb78e9 100644 --- a/moduli.c +++ b/moduli.c @@ -151,7 +151,7 @@ qfileout(FILE * ofile, u_int32_t otype, u_int32_t otests, u_int32_t otries, time(&time_now); gtm = gmtime(&time_now); - + res = fprintf(ofile, "%04d%02d%02d%02d%02d%02d %u %u %u %u %x ", gtm->tm_year + 1900, gtm->tm_mon + 1, gtm->tm_mday, gtm->tm_hour, gtm->tm_min, gtm->tm_sec, @@ -573,7 +573,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, count_in); continue; } - + /* * q is possibly prime, so go ahead and really make sure * that p is prime. If it is, then we can go back and do diff --git a/monitor.c b/monitor.c index 449397e30..46e8d16e6 100644 --- a/monitor.c +++ b/monitor.c @@ -783,7 +783,7 @@ int mm_answer_pam_start(int socket, Buffer *m) { char *user; - + if (!options.use_pam) fatal("UsePAM not set, but ended up in %s anyway", __func__); @@ -802,7 +802,7 @@ int mm_answer_pam_account(int socket, Buffer *m) { u_int ret; - + if (!options.use_pam) fatal("UsePAM not set, but ended up in %s anyway", __func__); @@ -1798,25 +1798,25 @@ mm_answer_gss_checkmic(int socket, Buffer *m) gss_buffer_desc gssbuf, mic; OM_uint32 ret; u_int len; - + gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); mic.length = len; - + ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); - + xfree(gssbuf.value); xfree(mic.value); - + buffer_clear(m); buffer_put_int(m, ret); - + mm_request_send(socket, MONITOR_ANS_GSSCHECKMIC, m); - + if (!GSS_ERROR(ret)) monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); - + return (0); } 
diff --git a/monitor_wrap.c b/monitor_wrap.c index 7ca9672ff..e7c15cecd 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -720,7 +720,7 @@ mm_do_pam_account(void) ret = buffer_get_int(&m); buffer_free(&m); - + debug3("%s returning %d", __func__, ret); return (ret); diff --git a/scard-opensc.c b/scard-opensc.c index ff3017f5e..a9b7ebc61 100644 --- a/scard-opensc.c +++ b/scard-opensc.c @@ -189,7 +189,7 @@ sc_private_decrypt(int flen, u_char *from, u_char *to, RSA *rsa, int r; if (padding != RSA_PKCS1_PADDING) - return -1; + return -1; r = sc_prkey_op_init(rsa, &key_obj, SC_USAGE_DECRYPT); if (r) return -1; @@ -325,7 +325,7 @@ static void convert_rsa_to_rsa1(Key * in, Key * out) { struct sc_priv_data *priv; - + out->rsa->flags = in->rsa->flags; out->flags = in->flags; RSA_set_method(out->rsa, RSA_get_method(in->rsa)); @@ -349,7 +349,7 @@ sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj) EVP_PKEY *pubkey = NULL; u8 *p; char *tmp; - + debug("sc_read_pubkey() with cert id %02X", cinfo->id.value[0]); r = sc_pkcs15_read_certificate(p15card, cinfo, &cert); if (r) { @@ -391,7 +391,7 @@ sc_read_pubkey(Key * k, const struct sc_pkcs15_object *cert_obj) tmp = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX); debug("fingerprint %d %s", key_size(k), tmp); xfree(tmp); - + return 0; err: if (cert) diff --git a/scp.c b/scp.c index cece74a98..10f6428b2 100644 --- a/scp.c +++ b/scp.c @@ -907,7 +907,7 @@ bad: run_err("%s: %s", np, strerror(errno)); cp += j; statbytes += j; } while (amt > 0); - + if (limitbw) bwlimit(4096); diff --git a/session.c b/session.c index 3a3a09b5b..7e56c54fb 100644 --- a/session.c +++ b/session.c 
@@ -924,11 +924,11 @@ read_etc_default_login(char ***env, u_int *envsize, uid_t uid) var = child_get_env(tmpenv, "PATH"); if (var != NULL) child_set_env(env, envsize, "PATH", var); - + if ((var = child_get_env(tmpenv, "UMASK")) != NULL) if (sscanf(var, "%5lo", &mask) == 1) umask((mode_t)mask); - + for (i = 0; tmpenv[i] != NULL; i++) xfree(tmpenv[i]); xfree(tmpenv); @@ -953,7 +953,7 @@ void copy_environment(char **source, char ***env, u_int *envsize) debug3("Copy environment: %s=%s", var_name, var_val); child_set_env(env, envsize, var_name, var_val); - + xfree(var_name); } } @@ -1096,7 +1096,7 @@ do_setup_env(Session *s, const char *shell) */ if (options.use_pam) { char **p; - + p = fetch_pam_child_environment(); copy_environment(p, &env, &envsize); free_pam_environment(p); @@ -2033,13 +2033,13 @@ session_tty_list(void) for (i = 0; i < MAX_SESSIONS; i++) { Session *s = &sessions[i]; if (s->used && s->ttyfd != -1) { - + if (strncmp(s->tty, "/dev/", 5) != 0) { cp = strrchr(s->tty, '/'); cp = (cp == NULL) ? s->tty : cp + 1; } else cp = s->tty + 5; - + if (buf[0] != '\0') strlcat(buf, ",", sizeof buf); strlcat(buf, cp, sizeof buf); diff --git a/sftp-glob.c b/sftp-glob.c index 4f2234654..f099227f9 100644 --- a/sftp-glob.c +++ b/sftp-glob.c @@ -70,7 +70,7 @@ fudge_readdir(struct SFTP_OPENDIR *od) #ifdef __GNU_LIBRARY__ static int inum = 1; #endif /* __GNU_LIBRARY__ */ - + if (od->dir[od->offset] == NULL) return(NULL); diff --git a/sftp-int.c b/sftp-int.c index 4c280b492..599a3444d 100644 --- a/sftp-int.c +++ b/sftp-int.c @@ -390,7 +390,7 @@ get_pathname(const char **cpp, char **path) fail: xfree(*path); - *path = NULL; + *path = NULL; return (-1); } @@ -679,7 +679,7 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, if (!(lflag & SHORT_VIEW)) { int m = 0, width = 80; - struct winsize ws; + struct winsize ws; /* Count entries for sort and find longest filename */ for (i = 0; g.gl_pathv[i]; i++) 
@@ -759,7 +759,7 @@ parse_args(const char **cpp, int *pflag, int *lflag, int *iflag, *iflag = 1; cp++; } - + /* Figure out which command we have */ for (i = 0; cmds[i].c; i++) { int cmdlen = strlen(cmds[i].c); diff --git a/ssh-keygen.c b/ssh-keygen.c index 95d22b6a4..54aa5a59c 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -968,7 +968,7 @@ main(int ac, char **av) if (do_gen_candidates) { FILE *out = fopen(out_file, "w"); - + if (out == NULL) { error("Couldn't open modulus candidate file \"%s\": %s", out_file, strerror(errno)); diff --git a/ssh-rand-helper.c b/ssh-rand-helper.c index abdb779f0..8a320a71e 100644 --- a/ssh-rand-helper.c +++ b/ssh-rand-helper.c @@ -39,7 +39,7 @@ #include "pathnames.h" #include "log.h" -RCSID("$Id: ssh-rand-helper.c,v 1.15 2003/11/21 12:48:56 djm Exp $"); +RCSID("$Id: ssh-rand-helper.c,v 1.16 2003/11/21 12:56:47 djm Exp $"); /* Number of bytes we write out */ #define OUTPUT_SEED_SIZE 48 @@ -779,7 +779,7 @@ main(int argc, char **argv) /* Don't write binary data to a tty, unless we are forced to */ if (isatty(STDOUT_FILENO)) output_hex = 1; - + while ((ch = getopt(argc, argv, "vxXhb:")) != -1) { switch (ch) { case 'v': @@ -806,7 +806,7 @@ main(int argc, char **argv) } log_init(argv[0], ll, SYSLOG_FACILITY_USER, 1); - + #ifdef USE_SEED_FILES prng_read_seedfile(); #endif @@ -816,7 +816,7 @@ main(int argc, char **argv) /* * Seed the RNG from wherever we can */ - + /* Take whatever is on the stack, but don't credit it */ RAND_add(buf, bytes, 0); @@ -859,9 +859,9 @@ main(int argc, char **argv) printf("\n"); } else ret = atomicio(vwrite, STDOUT_FILENO, buf, bytes); - + memset(buf, '\0', bytes); xfree(buf); - + return ret == bytes ? 0 : 1; } diff --git a/sshconnect2.c b/sshconnect2.c index 76670e8a8..281fecdc9 100644 --- a/sshconnect2.c +++ b/sshconnect2.c 
@@ -546,7 +546,7 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) gss_buffer_desc gssbuf, mic; OM_uint32 status, ms, flags; Buffer b; - + status = ssh_gssapi_init_ctx(gssctxt, options.gss_deleg_creds, recv_tok, &send_tok, &flags); @@ -555,12 +555,12 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK); else packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN); - + packet_put_string(send_tok.value, send_tok.length); packet_send(); gss_release_buffer(&ms, &send_tok); } - + if (status == GSS_S_COMPLETE) { /* send either complete or MIC, depending on mechanism */ if (!(flags & GSS_C_INTEG_FLAG)) { @@ -572,21 +572,21 @@ process_gssapi_token(void *ctxt, gss_buffer_t recv_tok) gssbuf.value = buffer_ptr(&b); gssbuf.length = buffer_len(&b); - + status = ssh_gssapi_sign(gssctxt, &gssbuf, &mic); - + if (!GSS_ERROR(status)) { packet_start(SSH2_MSG_USERAUTH_GSSAPI_MIC); packet_put_string(mic.value, mic.length); - + packet_send(); } - + buffer_free(&b); gss_release_buffer(&ms, &mic); - } + } } - + return status; } -- cgit v1.2.3 From ec217adf70d3d49676c8a6d8fb4630904bd5e975 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 22 Nov 2003 12:11:06 +1100 Subject: Whitespace sync --- auth-krb5.c | 2 +- auth.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/auth-krb5.c b/auth-krb5.c index 8377aed10..859492478 100644 --- a/auth-krb5.c +++ b/auth-krb5.c @@ -40,7 +40,6 @@ RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $"); #include "auth.h" #ifdef KRB5 - #include extern ServerOptions options; @@ -105,6 +104,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password) if (problem) goto out; + problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops, &authctxt->krb5_fwd_ccache); if (problem) diff --git a/auth.h b/auth.h index 34afdb492..0be1f88c4 100644 --- a/auth.h +++ b/auth.h 
@@ -123,8 +123,8 @@ void krb5_cleanup_proc(Authctxt *authctxt); #include "auth-pam.h" -void do_authentication(Authctxt *); -void do_authentication2(Authctxt *); +void do_authentication(Authctxt *); +void do_authentication2(Authctxt *); void auth_log(Authctxt *, int, char *, char *); void userauth_finish(Authctxt *, int, char *); -- cgit v1.2.3 From 240fdfa90998439df519393d4aa475c14557dc36 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 22 Nov 2003 14:10:02 +1100 Subject: - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ --- ChangeLog | 5 ++++- channels.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1b3518803..1d9d7412c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20031122 + - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ + 20031121 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/11/20 11:39:28 @@ -1498,4 +1501,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3119 2003/11/21 12:48:55 djm Exp $ +$Id: ChangeLog,v 1.3120 2003/11/22 03:10:02 dtucker Exp $ diff --git a/channels.c b/channels.c index 25f85c8b7..5a2605f91 100644 --- a/channels.c +++ b/channels.c @@ -1398,8 +1398,8 @@ channel_handle_wfd(Channel *c, fd_set * readset, fd_set * writeset) dlen = buffer_len(&c->output); #ifdef _AIX /* XXX: Later AIX versions can't push as much data to tty */ - if (compat20 && c->wfd_isatty && dlen > 8*1024) - dlen = 8*1024; + if (compat20 && c->wfd_isatty) + dlen = MIN(dlen, 8*1024); #endif len = write(c->wfd, data, dlen); if (len < 0 && (errno == EINTR || errno == EAGAIN)) -- cgit v1.2.3 From 0eae4422350c4903a23d20b8a5153f939d721428 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 22 Nov 2003 14:15:30 +1100 Subject: knf in portable-code (no code change) --- auth1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/auth1.c b/auth1.c index 0615f4ae5..82fe5fb80 100644 --- a/auth1.c +++ b/auth1.c @@ -235,7 +235,7 @@ do_authloop(Authctxt *authctxt) if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { packet_disconnect("Authentication rejected for uid %d.", - pw == NULL ? -1 : pw->pw_uid); + pw == NULL ? -1 : pw->pw_uid); authenticated = 0; } #else -- cgit v1.2.3 From d76341616dfebd4addc9c9594767ab1832ccb100 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 22 Nov 2003 14:16:56 +1100 Subject: - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move AIX specific password authentication code to port-aix.c, call authenticate() until reenter flag is clear. --- ChangeLog | 5 +++- auth-passwd.c | 45 ++++----------------------------- openbsd-compat/port-aix.c | 64 +++++++++++++++++++++++++++++++++++++++-------- openbsd-compat/port-aix.h | 8 +++--- 4 files changed, 68 insertions(+), 54 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1d9d7412c..1d723126d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,8 @@ 20031122 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ + - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] + Move AIX specific password authentication code to port-aix.c, call + authenticate() until reenter flag is clear. 20031121 - (djm) OpenBSD CVS Sync @@ -1501,4 +1504,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3120 2003/11/22 03:10:02 dtucker Exp $ +$Id: ChangeLog,v 1.3121 2003/11/22 03:16:56 dtucker Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index 54571f972..a27170ccc 100644 --- a/auth-passwd.c +++ b/auth-passwd.c 
@@ -43,9 +43,7 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $"); #include "servconf.h" #include "auth.h" #ifdef WITH_AIXAUTHENTICATE -# include "buffer.h" # include "canohost.h" -extern Buffer loginmsg; #endif extern ServerOptions options; @@ -89,44 +87,11 @@ auth_password(Authctxt *authctxt, const char *password) } # endif # ifdef WITH_AIXAUTHENTICATE - { - char *authmsg = NULL; - int reenter = 1; - int authsuccess = 0; - - if (authenticate(pw->pw_name, password, &reenter, - &authmsg) == 0 && ok) { - char *msg; - char *host = - (char *)get_canonical_hostname(options.use_dns); - - authsuccess = 1; - aix_remove_embedded_newlines(authmsg); - - debug3("AIX/authenticate succeeded for user %s: %.100s", - pw->pw_name, authmsg); - - /* No pty yet, so just label the line as "ssh" */ - aix_setauthdb(authctxt->user); - if (loginsuccess(authctxt->user, host, "ssh", - &msg) == 0) { - if (msg != NULL) { - debug("%s: msg %s", __func__, msg); - buffer_append(&loginmsg, msg, - strlen(msg)); - xfree(msg); - } - } - } else { - debug3("AIX/authenticate failed for user %s: %.100s", - pw->pw_name, authmsg); - } - - if (authmsg != NULL) - xfree(authmsg); - - return authsuccess; - } + if (aix_authenticate(pw->pw_name, password, + get_canonical_hostname(options.use_dns)) == 0) + return 0; + else + return ok; # endif # ifdef BSD_AUTH if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 9fbcce936..a9cbf49b0 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -29,6 +29,7 @@ #include "servconf.h" #include "canohost.h" #include "xmalloc.h" +#include "buffer.h" #ifdef _AIX @@ -36,6 +37,7 @@ #include "port-aix.h" extern ServerOptions options; +extern Buffer loginmsg; /* * AIX has a "usrinfo" area where logname and other stuff is stored - 
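Review bot: In the `WITH_AIXAUTHENTICATE` branch of auth_password(), `ok` is now consulted only after aix_authenticate() has returned, but that function (added to openbsd-compat/port-aix.c by this commit) itself calls loginsuccess() and appends to `loginmsg` whenever authenticate() succeeds. The removed code ran that block only under `authenticate(...) == 0 && ok`, so a correct password for an account the caller then rejects now still records a successful login. `ok` is set outside this hunk, so which accounts are affected cannot be seen here. I would move the loginsuccess() block into its own helper and call it from here only when `ok` is non-zero, or at least note the behaviour above the call: `/* NB: aix_authenticate() calls loginsuccess() even if ok == 0 */`.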
@@ -63,7 +65,7 @@ aix_usrinfo(struct passwd *pw) xfree(cp); } -#ifdef WITH_AIXAUTHENTICATE +# ifdef WITH_AIXAUTHENTICATE /* * Remove embedded newlines in string (if any). * Used before logging messages returned by AIX authentication functions 
@@ -83,27 +85,68 @@ aix_remove_embedded_newlines(char *p) if (*--p == ' ') *p = '\0'; } -#endif /* WITH_AIXAUTHENTICATE */ + +/* + * Do authentication via AIX's authenticate routine. We loop until the + * reenter parameter is 0, but normally authenticate is called only once. + * + * Note: this function returns 1 on success, whereas AIX's authenticate() + * returns 0. + */ +int +aix_authenticate(const char *name, const char *password, const char *host) +{ + char *authmsg = NULL, *msg; + int authsuccess = 0, reenter, result; + + do { + result = authenticate((char *)name, (char *)password, &reenter, + &authmsg); + aix_remove_embedded_newlines(authmsg); + debug3("AIX/authenticate result %d, msg %.100s", result, + authmsg); + } while (reenter); + + if (result == 0) { + authsuccess = 1; + + /* No pty yet, so just label the line as "ssh" */ + aix_setauthdb(name); + if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) { + if (msg != NULL) { + debug("%s: msg %s", __func__, msg); + buffer_append(&loginmsg, msg, strlen(msg)); + xfree(msg); + } + } + } + + if (authmsg != NULL) + xfree(authmsg); + + return authsuccess; +} -# ifdef CUSTOM_FAILED_LOGIN +# ifdef CUSTOM_FAILED_LOGIN /* * record_failed_login: generic "login failed" interface function */ void record_failed_login(const char *user, const char *ttyname) { - char *hostname = get_canonical_hostname(options.use_dns); + char *hostname = (char *)get_canonical_hostname(options.use_dns); if (geteuid() != 0) return; aix_setauthdb(user); -# ifdef AIX_LOGINFAILED_4ARG +# ifdef AIX_LOGINFAILED_4ARG loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH); -# else +# else loginfailed((char *)user, hostname, (char *)ttyname); -# endif +# endif } +# endif /* CUSTOM_FAILED_LOGIN */ /* * If we have setauthdb, retrieve the password registry for the user's 
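Review bot: Inside the `do { ... } while (reenter)` loop of aix_authenticate(), `authmsg` is passed to aix_remove_embedded_newlines() and to the `%.100s` in debug3() without a NULL test, although the function later guards `xfree(authmsg)` with `if (authmsg != NULL)`. Only the tail of aix_remove_embedded_newlines() is visible in this hunk, so whether it tolerates NULL cannot be confirmed here. If authenticate() allocates a fresh message on every call, each extra pass through the loop also drops the previous buffer. Freeing it at the top of the loop (`if (authmsg != NULL) { xfree(authmsg); authmsg = NULL; }`) and logging `authmsg ? authmsg : "(null)"` would cover both.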
@@ -135,8 +178,9 @@ aix_setauthdb(const char *user) debug3("%s: Could not read S_REGISTRY for user: %s", __func__, strerror(errno)); enduserdb(); -# endif +# endif /* HAVE_SETAUTHDB */ } -# endif /* CUSTOM_FAILED_LOGIN */ -#endif /* _AIX */ +# endif /* WITH_AIXAUTHENTICATE */ + +#endif /* _AIX */ diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index b2a48cba9..975cdf051 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.15 2003/09/19 10:43:38 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.16 2003/11/22 03:16:57 dtucker Exp $ */ /* * @@ -51,12 +51,14 @@ # include #endif +void aix_usrinfo(struct passwd *); + #ifdef WITH_AIXAUTHENTICATE # define CUSTOM_FAILED_LOGIN 1 void record_failed_login(const char *, const char *); -void aix_setauthdb(const char *); #endif -void aix_usrinfo(struct passwd *); +int aix_authenticate(const char *, const char *, const char *); +void aix_setauthdb(const char *); void aix_remove_embedded_newlines(char *); #endif /* _AIX */ -- cgit v1.2.3 From 4e06a1d75d0f692c84f21347d4e1c4242dc1a96e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 22 Nov 2003 14:25:15 +1100 Subject: - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net. Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA is enabled, rely on SIA to check for locked accounts if enabled. ok djm@ --- ChangeLog | 5 ++++- auth-sia.c | 5 +++-- configure.ac | 5 ++--- 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1d723126d..79ce8267b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,9 @@ - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move AIX specific password authentication code to port-aix.c, call authenticate() until reenter flag is clear. + - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net. + Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA + is enabled, rely on SIA to check for locked accounts if enabled. ok djm@ 20031121 - (djm) OpenBSD CVS Sync @@ -1504,4 +1507,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3121 2003/11/22 03:16:56 dtucker Exp $ +$Id: ChangeLog,v 1.3122 2003/11/22 03:25:15 dtucker Exp $ diff --git a/auth-sia.c b/auth-sia.c index cdd39d670..cd2dcb840 100644 --- a/auth-sia.c +++ b/auth-sia.c @@ -31,6 +31,7 @@ #include "log.h" #include "servconf.h" #include "canohost.h" +#include "uidswap.h" #include #include @@ -103,8 +104,8 @@ session_setup_sia(struct passwd *pw, char *tty) sia_ses_release(&ent); - if (setreuid(geteuid(), geteuid()) < 0) - fatal("setreuid: %s", strerror(errno)); + setuid(0); + permanently_set_uid(pw); } #endif /* HAVE_OSF_SIA */ diff --git a/configure.ac b/configure.ac index 5f302f5e5..b56d37f4d 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.174 2003/11/21 12:48:55 djm Exp $ +# $Id: configure.ac,v 1.175 2003/11/22 03:25:16 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -409,14 +409,13 @@ mips-sony-bsd|mips-sony-newsos4) LIBS="$LIBS -lsecurity -ldb -lm -laud" else AC_MSG_RESULT(no) + AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") fi fi - AC_DEFINE(DISABLE_FD_PASSING) AC_DEFINE(BROKEN_GETADDRINFO) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) - AC_DEFINE(LOCKED_PASSWD_SUBSTR, "Nologin") ;; *-*-nto-qnx) -- cgit v1.2.3 From 28e7dfdb06fad2d6a146122251383dbee5f0a60d Mon Sep 17 00:00:00 2001 
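Review bot: In session_setup_sia() (auth-sia.c) the result of `setuid(0)` is discarded, whereas the line it replaces called fatal() when setreuid() failed. permanently_set_uid() comes in through uidswap.h and is not part of this diff, so whether it detects a failed privilege drop on its own cannot be seen here. A check such as `if (setuid(0) < 0) fatal("setuid(0): %s", strerror(errno));` keeps the old fail-closed behaviour. A one-line comment saying why the uid is reset to 0 before `permanently_set_uid(pw)` would also help the next reader. The function starts above the hunk.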
From: Darren Tucker Date: Sat, 22 Nov 2003 14:36:35 +1100 Subject: Minor sync w/OpenBSD --- LICENCE | 1 - 1 file changed, 1 deletion(-) diff --git a/LICENCE b/LICENCE index dab902150..d7292998e 100644 --- a/LICENCE +++ b/LICENCE @@ -177,7 +177,6 @@ OpenSSH contains no GPL code. Damien Miller Kevin Steves Daniel Kouril - Per Allansson Wesley Griffin Per Allansson Nils Nordman -- cgit v1.2.3 From 4da295c051d9d02a73a46432ac116c31b6839274 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 22 Nov 2003 14:39:04 +1100 Subject: - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch --- ChangeLog | 3 ++- scp.c | 10 +++++----- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 79ce8267b..5f9913adb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net. Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA is enabled, rely on SIA to check for locked accounts if enabled. ok djm@ + - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch 20031121 - (djm) OpenBSD CVS Sync @@ -1507,4 +1508,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3122 2003/11/22 03:25:15 dtucker Exp $ +$Id: ChangeLog,v 1.3123 2003/11/22 03:39:04 djm Exp $ diff --git a/scp.c b/scp.c index 10f6428b2..53172c12d 100644 --- a/scp.c +++ b/scp.c @@ -92,7 +92,7 @@ void bwlimit(int); arglist args; /* Bandwidth limit */ -off_t limitbw = 0; +off_t limit_rate = 0; /* Name of current file being transferred. */ char *curfile; @@ -257,7 +257,7 @@ main(int argc, char **argv) speed = strtod(optarg, &endp); if (speed <= 0 || *endp != '\0') usage(); - limitbw = speed * 1024; + limit_rate = speed * 1024; break; case 'p': pflag = 1; 
@@ -589,7 +589,7 @@ next: (void) close(fd); haderr = result >= 0 ? EIO : errno; statbytes += result; } - if (limitbw) + if (limit_rate) bwlimit(amt); } if (showprogress) @@ -681,7 +681,7 @@ bwlimit(int amount) return; lamt *= 8; - wait = (double)1000000L * lamt / limitbw; + wait = (double)1000000L * lamt / limit_rate; bwstart.tv_sec = wait / 1000000L; bwstart.tv_usec = wait % 1000000L; @@ -908,7 +908,7 @@ bad: run_err("%s: %s", np, strerror(errno)); statbytes += j; } while (amt > 0); - if (limitbw) + if (limit_rate) bwlimit(4096); if (count == bp->cnt) { -- cgit v1.2.3 From ce34674a9fe98fd8d9df6f54de8dd3fc707826a8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 22 Nov 2003 14:41:58 +1100 Subject: sync whitespace - no code change --- session.c | 1 - 1 file changed, 1 deletion(-) diff --git a/session.c b/session.c index 7e56c54fb..63b7da1f0 100644 --- a/session.c +++ b/session.c @@ -204,7 +204,6 @@ do_authenticated(Authctxt *authctxt) close(startup_pipe); startup_pipe = -1; } - /* setup the channel layer */ if (!no_port_forwarding_flag && options.allow_tcp_forwarding) channel_permit_all_opens(); -- cgit v1.2.3 From 841b9f1aadbc18ad1e70d592c64e88782426bb53 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 22 Nov 2003 14:48:49 +1100 Subject: - (djm) [sftp-int.c] Remove duplicated code from bogus sync --- ChangeLog | 3 ++- sftp-int.c | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5f9913adb..8ae79cb62 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,7 @@ Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA is enabled, rely on SIA to check for locked accounts if enabled. ok djm@ - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch + - (djm) [sftp-int.c] Remove duplicated code from bogus sync 20031121 - (djm) OpenBSD CVS Sync 
@@ -1508,4 +1509,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3123 2003/11/22 03:39:04 djm Exp $ +$Id: ChangeLog,v 1.3124 2003/11/22 03:48:49 djm Exp $ diff --git a/sftp-int.c b/sftp-int.c index 599a3444d..edb475bbb 100644 --- a/sftp-int.c +++ b/sftp-int.c @@ -352,7 +352,6 @@ get_pathname(const char **cpp, char **path) if (cp[i] == quot) { /* Found quote */ i++; (*path)[j] = '\0'; - i++; break; } if (cp[i] == '\0') { /* End of string */ -- cgit v1.2.3 From 5924ceb22d8eb5e03bad93b7c0b9c6e30ed0814b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 22 Nov 2003 15:02:42 +1100 Subject: - (djm) [packet.c] Shuffle #ifdef to reduce conditionally compiled code --- ChangeLog | 3 ++- packet.c | 7 ++----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8ae79cb62..9f4a1f8d1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,7 @@ is enabled, rely on SIA to check for locked accounts if enabled. ok djm@ - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch - (djm) [sftp-int.c] Remove duplicated code from bogus sync + - (djm) [packet.c] Shuffle #ifdef to reduce conditionally compiled code 20031121 - (djm) OpenBSD CVS Sync @@ -1509,4 +1510,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3124 2003/11/22 03:48:49 djm Exp $ +$Id: ChangeLog,v 1.3125 2003/11/22 04:02:42 djm Exp $ diff --git a/packet.c b/packet.c index 16d5f972c..daae9ffaa 100644 --- a/packet.c +++ b/packet.c @@ -1403,10 +1403,10 @@ packet_not_very_much_data_to_write(void) } -#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) static void packet_set_tos(int interactive) { +#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) int tos = interactive ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT; if (!packet_connection_is_on_socket() || 
@@ -1416,8 +1416,8 @@ packet_set_tos(int interactive) sizeof(tos)) < 0) error("setsockopt IP_TOS %d: %.100s:", tos, strerror(errno)); -} #endif +} /* Informs that the current session is interactive. Sets IP flags for that. */ @@ -1438,10 +1438,7 @@ packet_set_interactive(int interactive) return; if (interactive) set_nodelay(connection_in); -#if defined(IP_TOS) && !defined(IP_TOS_IS_BROKEN) packet_set_tos(interactive); -#endif - } /* Returns true if the current connection is interactive. */ -- cgit v1.2.3 From 927f52783ea99ac9bfad4f65bc5b79ba6255cc8c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Nov 2003 12:57:25 +1100 Subject: - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own function and call it unconditionally --- ChangeLog | 6 +++++- canohost.c | 52 +++++++++++++++++++++++++++++----------------------- 2 files changed, 34 insertions(+), 24 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9f4a1f8d1..4aa9e1d38 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20031123 + - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own + function and call it unconditionally + 20031122 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] @@ -1510,4 +1514,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3125 2003/11/22 04:02:42 djm Exp $ +$Id: ChangeLog,v 1.3126 2003/11/24 01:57:25 djm Exp $ diff --git a/canohost.c b/canohost.c index fca7134f9..f5145922e 100644 --- a/canohost.c +++ b/canohost.c 
@@ -20,6 +20,7 @@ RCSID("$OpenBSD: canohost.c,v 1.38 2003/09/23 20:17:11 markus Exp $"); #include "canohost.h" static void check_ip_options(int, char *); +static void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *); /* * Return the canonical name of the host at the other end of the socket. The @@ -42,29 +43,9 @@ get_remote_hostname(int socket, int use_dns) debug("getpeername failed: %.100s", strerror(errno)); cleanup_exit(255); } -#ifdef IPV4_IN_IPV6 - if (from.ss_family == AF_INET6) { - struct sockaddr_in6 *from6 = (struct sockaddr_in6 *)&from; - - /* Detect IPv4 in IPv6 mapped address and convert it to */ - /* plain (AF_INET) IPv4 address */ - if (IN6_IS_ADDR_V4MAPPED(&from6->sin6_addr)) { - struct sockaddr_in *from4 = (struct sockaddr_in *)&from; - struct in_addr addr; - u_int16_t port; - - memcpy(&addr, ((char *)&from6->sin6_addr) + 12, sizeof(addr)); - port = from6->sin6_port; - - memset(&from, 0, sizeof(from)); - - from4->sin_family = AF_INET; - fromlen = sizeof(*from4); - memcpy(&from4->sin_addr, &addr, sizeof(addr)); - from4->sin_port = port; - } - } -#endif + + ipv64_normalise_mapped(&from, &fromlen); + if (from.ss_family == AF_INET6) fromlen = sizeof(struct sockaddr_in6); 
@@ -185,6 +166,31 @@ check_ip_options(int socket, char *ipaddr) #endif /* IP_OPTIONS */ } +static void +ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len) +{ + struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr; + struct sockaddr_in *a4 = (struct sockaddr_in *)addr; + struct in_addr inaddr; + u_int16_t port; + + if (addr->ss_family != AF_INET6 || + !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr)) + return; + + debug3("Normalising mapped IPv4 in IPv6 address"); + + memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr)); + port = a6->sin6_port; + + memset(addr, 0, sizeof(*a4)); + + a4->sin_family = AF_INET; + *len = sizeof(*a4); + memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr)); + a4->sin_port = port; +} + /* * Return the canonical name of the host in the other side of the current * connection. The host name is cached, so it is efficient to call this -- cgit v1.2.3 From e00074a7267a2a73a75003dadf43459b7191349b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Nov 2003 13:07:45 +1100 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/11/23 23:17:34 [ssh-keyscan.c] from portable - use sysconf to detect fd limit; ok markus@ (tidy diff by adding SSH_SSFDMAX macro to defines.h) --- ChangeLog | 7 ++++++- defines.h | 10 +++++++++- ssh-keyscan.c | 6 ++---- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4aa9e1d38..c04479d7b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,11 @@ 20031123 - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own function and call it unconditionally + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/11/23 23:17:34 + [ssh-keyscan.c] + from portable - use sysconf to detect fd limit; ok markus@ + (tidy diff by adding SSH_SSFDMAX macro to defines.h) 20031122 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ 
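Review bot: ipv64_normalise_mapped() clears only `sizeof(*a4)` bytes with `memset(addr, 0, sizeof(*a4))`, while the inline code it replaces in get_remote_hostname() zeroed the whole `sockaddr_storage`, so bytes of the old sockaddr_in6 beyond the sockaddr_in stay in the buffer. Callers that honour `*len` will not read them, but `memset(addr, 0, sizeof(*addr));` restores the previous behaviour at no cost. The function also has no header comment, unlike its neighbours in canohost.c. Something like `/* Rewrite an IPv4-mapped IPv6 address in *addr as plain AF_INET, updating *len; other addresses are left unchanged. */` would do, and the comment should also record that it now runs unconditionally rather than only under IPV4_IN_IPV6, since later address-based checks depend on seeing one consistent form.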
@@ -1514,4 +1519,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3126 2003/11/24 01:57:25 djm Exp $ +$Id: ChangeLog,v 1.3127 2003/11/24 02:07:45 djm Exp $ diff --git a/defines.h b/defines.h index adf45d7fa..6d197c769 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.104 2003/11/21 12:48:55 djm Exp $ */ +/* $Id: defines.h,v 1.105 2003/11/24 02:07:46 djm Exp $ */ /* Constants */ @@ -529,6 +529,14 @@ struct winsize { # define krb5_get_err_text(context,code) error_message(code) #endif +/* Maximum number of file descriptors available */ +#ifdef HAVE_SYSCONF +# define SSH_SYSFDMAX sysconf(_SC_OPEN_MAX) +#else +# define SSH_SYSFDMAX 10000 +#endif + + /* * Define this to use pipes instead of socketpairs for communicating with the * client program. Socketpairs do not seem to work on all systems. diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 9506ec196..04d43da35 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -214,13 +214,11 @@ fdlim_get(int hard) if (getrlimit(RLIMIT_NOFILE, &rlfd) < 0) return (-1); if ((hard ? rlfd.rlim_max : rlfd.rlim_cur) == RLIM_INFINITY) - return 10000; + return SSH_SYSFDMAX; else return hard ? rlfd.rlim_max : rlfd.rlim_cur; -#elif defined (HAVE_SYSCONF) - return sysconf (_SC_OPEN_MAX); #else - return 10000; + return SSH_SYSFDMAX; #endif } -- cgit v1.2.3 From a4b33dfb6dff6bebb8f08f72eabaa796aa8bb7d4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Nov 2003 13:09:27 +1100 Subject: - djm@cvs.openbsd.org 2003/11/23 23:18:45 [ssh-keygen.c] consistency PATH_MAX -> MAXPATHLEN; ok markus@ (RCS ID sync only) - djm@cvs.openbsd.org 2003/11/23 23:21:21 [scp.c] from portable: rename clashing variable limit-> limit_rate; ok markus@ (RCS ID sync only) --- ChangeLog | 10 +++++++++- scp.c | 2 +- ssh-keygen.c | 2 +- 3 files changed, 11 insertions(+), 3 deletions(-) 
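Review bot: SSH_SYSFDMAX in defines.h expands to a bare `sysconf(_SC_OPEN_MAX)`, which returns -1 when the limit is indeterminate or the call fails, and fdlim_get() in ssh-keyscan.c now returns that value directly in the RLIM_INFINITY branch where it used to return 10000. The callers of fdlim_get() are outside these hunks, so how a negative result is handled cannot be seen here. Falling back to the old constant keeps the result positive, for example `# define SSH_SYSFDMAX (sysconf(_SC_OPEN_MAX) > 0 ? sysconf(_SC_OPEN_MAX) : 10000)`.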
diff --git a/ChangeLog b/ChangeLog index c04479d7b..1bc08b3e0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,14 @@ [ssh-keyscan.c] from portable - use sysconf to detect fd limit; ok markus@ (tidy diff by adding SSH_SSFDMAX macro to defines.h) + - djm@cvs.openbsd.org 2003/11/23 23:18:45 + [ssh-keygen.c] + consistency PATH_MAX -> MAXPATHLEN; ok markus@ + (RCS ID sync only) + - djm@cvs.openbsd.org 2003/11/23 23:21:21 + [scp.c] + from portable: rename clashing variable limit-> limit_rate; ok markus@ + (RCS ID sync only) 20031122 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ @@ -1519,4 +1527,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3127 2003/11/24 02:07:45 djm Exp $ +$Id: ChangeLog,v 1.3128 2003/11/24 02:09:27 djm Exp $ diff --git a/scp.c b/scp.c index 53172c12d..1daa2ccf7 100644 --- a/scp.c +++ b/scp.c @@ -71,7 +71,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: scp.c,v 1.112 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: scp.c,v 1.113 2003/11/23 23:21:21 djm Exp $"); #include "xmalloc.h" #include "atomicio.h" diff --git a/ssh-keygen.c b/ssh-keygen.c index 54aa5a59c..961fd43e5 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.111 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.112 2003/11/23 23:18:45 djm Exp $"); #include #include -- cgit v1.2.3 From e0113ccc08725142ca263dd61734bc93e1a3d39b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 24 Nov 2003 13:10:09 +1100 Subject: - dtucker@cvs.openbsd.org 2003/11/24 00:16:35 [ssh.1 ssh.c] Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@ --- ChangeLog | 5 ++++- ssh.1 | 5 ++--- ssh.c | 4 ++-- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1bc08b3e0..4f9a9d769 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -14,6 +14,9 @@ [scp.c] from portable: rename clashing variable limit-> limit_rate; ok markus@ (RCS ID sync only) + - dtucker@cvs.openbsd.org 2003/11/24 00:16:35 + [ssh.1 ssh.c] + Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@ 20031122 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ @@ -1527,4 +1530,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3128 2003/11/24 02:09:27 djm Exp $ +$Id: ChangeLog,v 1.3129 2003/11/24 02:10:09 djm Exp $ diff --git a/ssh.1 b/ssh.1 index 107841533..25de869ad 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.178 2003/10/11 08:24:08 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.179 2003/11/24 00:16:35 dtucker Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -539,8 +539,7 @@ It is possible to have multiple options (and multiple identities specified in configuration files). .It Fl k -Disables forwarding of Kerberos tickets. -This may also be specified on a per-host basis in the configuration file. +Disables forwarding (delegation) of GSSAPI credentials to the server. .It Fl L Xo .Sm off .Ar port : host : hostport diff --git a/ssh.c b/ssh.c index e8639f66b..d29ca37a9 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.203 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.204 2003/11/24 00:16:35 dtucker Exp $"); #include #include @@ -309,7 +309,7 @@ again: options.forward_agent = 1; break; case 'k': - /* ignored for backward compatibility */ + options.gss_deleg_creds = 0; break; case 'i': if (stat(optarg, &st) < 0) { -- cgit v1.2.3 From 3db2e4daf7333ac0b3ae90f23aa9668c7723ddfb Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Mon, 24 Nov 2003 13:33:34 +1100 Subject: - (djm) Annotate OpenBSD-derived files in openbsd-compat/ with original source file path (in OpenBSD tree). --- ChangeLog | 4 +++- openbsd-compat/base64.c | 2 ++ openbsd-compat/basename.c | 2 ++ openbsd-compat/daemon.c | 2 ++ openbsd-compat/dirname.c | 2 ++ openbsd-compat/getcwd.c | 2 ++ openbsd-compat/getgrouplist.c | 2 ++ openbsd-compat/getopt.c | 2 ++ openbsd-compat/getrrsetbyname.c | 2 ++ openbsd-compat/getrrsetbyname.h | 2 ++ openbsd-compat/glob.c | 2 ++ openbsd-compat/glob.h | 2 ++ openbsd-compat/inet_aton.c | 2 ++ openbsd-compat/inet_ntoa.c | 2 ++ openbsd-compat/inet_ntop.c | 2 ++ openbsd-compat/mktemp.c | 2 ++ openbsd-compat/readpassphrase.c | 2 ++ openbsd-compat/readpassphrase.h | 2 ++ openbsd-compat/realpath.c | 2 ++ openbsd-compat/rresvport.c | 2 ++ openbsd-compat/setenv.c | 2 ++ openbsd-compat/sigact.c | 2 ++ openbsd-compat/strlcat.c | 2 ++ openbsd-compat/strlcpy.c | 2 ++ openbsd-compat/strmode.c | 2 ++ openbsd-compat/strsep.c | 2 ++ openbsd-compat/strtoul.c | 2 ++ openbsd-compat/sys-queue.h | 2 ++ openbsd-compat/sys-tree.h | 2 ++ openbsd-compat/vis.c | 2 ++ openbsd-compat/vis.h | 2 ++ 31 files changed, 63 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 4f9a9d769..472988cd2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,8 @@ - dtucker@cvs.openbsd.org 2003/11/24 00:16:35 [ssh.1 ssh.c] Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@ + - (djm) Annotate OpenBSD-derived files in openbsd-compat/ with original + source file path (in OpenBSD tree). 20031122 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ @@ -1530,4 +1532,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3129 2003/11/24 02:10:09 djm Exp $ +$Id: ChangeLog,v 1.3130 2003/11/24 02:33:34 djm Exp $ 
diff --git a/openbsd-compat/base64.c b/openbsd-compat/base64.c index 91a5ab0ed..dcaa03e5d 100644 --- a/openbsd-compat/base64.c +++ b/openbsd-compat/base64.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/net/base64.c */ + /* $OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $ */ /* diff --git a/openbsd-compat/basename.c b/openbsd-compat/basename.c index 2054c8068..552dc1e1c 100644 --- a/openbsd-compat/basename.c +++ b/openbsd-compat/basename.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */ + /* $OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $ */ /* diff --git a/openbsd-compat/daemon.c b/openbsd-compat/daemon.c index 6dd45f6a7..c0be5fff9 100644 --- a/openbsd-compat/daemon.c +++ b/openbsd-compat/daemon.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */ + /*- * Copyright (c) 1990, 1993 * The Regents of the University of California. All rights reserved. diff --git a/openbsd-compat/dirname.c b/openbsd-compat/dirname.c index 1ab7516d8..25ab34dd6 100644 --- a/openbsd-compat/dirname.c +++ b/openbsd-compat/dirname.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */ + /* $OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $ */ /* diff --git a/openbsd-compat/getcwd.c b/openbsd-compat/getcwd.c index 31d1cfe93..19be59172 100644 --- a/openbsd-compat/getcwd.c +++ b/openbsd-compat/getcwd.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */ + /* * Copyright (c) 1989, 1991, 1993 * The Regents of the University of California. All rights reserved. diff --git a/openbsd-compat/getgrouplist.c b/openbsd-compat/getgrouplist.c index 085cda8c3..59c164f44 100644 --- a/openbsd-compat/getgrouplist.c +++ b/openbsd-compat/getgrouplist.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */ + /* * Copyright (c) 1991, 1993 * The Regents of the University of California. All rights reserved. diff --git a/openbsd-compat/getopt.c b/openbsd-compat/getopt.c index 2136fbfcc..f5ee6778d 100644 
--- a/openbsd-compat/getopt.c +++ b/openbsd-compat/getopt.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */ + /* * Copyright (c) 1987, 1993, 1994 * The Regents of the University of California. All rights reserved. diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index 2307337a7..bb5451cd2 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */ + /* $OpenBSD: getrrsetbyname.c,v 1.7 2003/03/07 07:34:14 itojun Exp $ */ /* diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 0739972fe..67937ef5f 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h @@ -1,3 +1,5 @@ +/* OPENBSD BASED ON : include/netdb.h */ + /* $OpenBSD: getrrsetbyname.c,v 1.4 2001/08/16 18:16:43 ho Exp $ */ /* diff --git a/openbsd-compat/glob.c b/openbsd-compat/glob.c index 50f35c304..7fafc8c40 100644 --- a/openbsd-compat/glob.c +++ b/openbsd-compat/glob.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */ + /* * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. diff --git a/openbsd-compat/glob.h b/openbsd-compat/glob.h index aceddbc48..3428b2013 100644 --- a/openbsd-compat/glob.h +++ b/openbsd-compat/glob.h @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: include/glob.h */ + /* $OpenBSD: glob.h,v 1.8 2003/06/02 19:34:12 millert Exp $ */ /* $NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $ */ diff --git a/openbsd-compat/inet_aton.c b/openbsd-compat/inet_aton.c index 5de49868d..c141bcc68 100644 --- a/openbsd-compat/inet_aton.c +++ b/openbsd-compat/inet_aton.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */ + /* $OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $ */ /* diff --git a/openbsd-compat/inet_ntoa.c b/openbsd-compat/inet_ntoa.c index f9fdc9ee5..dc010dc53 100644 --- a/openbsd-compat/inet_ntoa.c 
+++ b/openbsd-compat/inet_ntoa.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */ + /* * Copyright (c) 1983, 1993 * The Regents of the University of California. All rights reserved. diff --git a/openbsd-compat/inet_ntop.c b/openbsd-compat/inet_ntop.c index 075eac44f..7031625b4 100644 --- a/openbsd-compat/inet_ntop.c +++ b/openbsd-compat/inet_ntop.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */ + /* $OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $ */ /* Copyright (c) 1996 by Internet Software Consortium. diff --git a/openbsd-compat/mktemp.c b/openbsd-compat/mktemp.c index 2cd747835..aff8d2005 100644 --- a/openbsd-compat/mktemp.c +++ b/openbsd-compat/mktemp.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */ + /* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */ /* Changes: Removed mktemp */ diff --git a/openbsd-compat/readpassphrase.c b/openbsd-compat/readpassphrase.c index 0d0baf569..4ee1be5de 100644 --- a/openbsd-compat/readpassphrase.c +++ b/openbsd-compat/readpassphrase.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */ + /* $OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $ */ /* diff --git a/openbsd-compat/readpassphrase.h b/openbsd-compat/readpassphrase.h index 92908a489..178edf346 100644 --- a/openbsd-compat/readpassphrase.h +++ b/openbsd-compat/readpassphrase.h @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: include/readpassphrase.h */ + /* $OpenBSD: readpassphrase.h,v 1.3 2002/06/28 12:32:22 millert Exp $ */ /* diff --git a/openbsd-compat/realpath.c b/openbsd-compat/realpath.c index 922305ffd..218fbecb2 100644 --- a/openbsd-compat/realpath.c +++ b/openbsd-compat/realpath.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */ + /* * Copyright (c) 1994 * The Regents of the University of California. All rights reserved. diff --git a/openbsd-compat/rresvport.c b/openbsd-compat/rresvport.c index 608a3b184..75167065c 100644 
--- a/openbsd-compat/rresvport.c +++ b/openbsd-compat/rresvport.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */ + /* * Copyright (c) 1995, 1996, 1998 Theo de Raadt. All rights reserved. * Copyright (c) 1983, 1993, 1994 diff --git a/openbsd-compat/setenv.c b/openbsd-compat/setenv.c index c9941c195..b7ba0ce83 100644 --- a/openbsd-compat/setenv.c +++ b/openbsd-compat/setenv.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */ + /* * Copyright (c) 1987 Regents of the University of California. * All rights reserved. diff --git a/openbsd-compat/sigact.c b/openbsd-compat/sigact.c index 35fbab0eb..2772ac574 100644 --- a/openbsd-compat/sigact.c +++ b/openbsd-compat/sigact.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */ + /* $OpenBSD: sigaction.c,v 1.3 1999/06/27 08:14:21 millert Exp $ */ /**************************************************************************** diff --git a/openbsd-compat/strlcat.c b/openbsd-compat/strlcat.c index cae16657c..70f01cb2a 100644 --- a/openbsd-compat/strlcat.c +++ b/openbsd-compat/strlcat.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */ + /* $OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $ */ /* diff --git a/openbsd-compat/strlcpy.c b/openbsd-compat/strlcpy.c index c8fe29987..ccfa12a0a 100644 --- a/openbsd-compat/strlcpy.c +++ b/openbsd-compat/strlcpy.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */ + /* $OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $ */ /* diff --git a/openbsd-compat/strmode.c b/openbsd-compat/strmode.c index adf5e273e..ea8d515e3 100644 --- a/openbsd-compat/strmode.c +++ b/openbsd-compat/strmode.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */ + /*- * Copyright (c) 1990 The Regents of the University of California. * All rights reserved. diff --git a/openbsd-compat/strsep.c b/openbsd-compat/strsep.c index b13671343..330d84ce1 100644 --- a/openbsd-compat/strsep.c 
+++ b/openbsd-compat/strsep.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */ + /* $OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $ */ /*- diff --git a/openbsd-compat/strtoul.c b/openbsd-compat/strtoul.c index 877e6a01f..24d0e253d 100644 --- a/openbsd-compat/strtoul.c +++ b/openbsd-compat/strtoul.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */ + /* * Copyright (c) 1990 Regents of the University of California. * All rights reserved. diff --git a/openbsd-compat/sys-queue.h b/openbsd-compat/sys-queue.h index dd5c47525..8ff19e452 100644 --- a/openbsd-compat/sys-queue.h +++ b/openbsd-compat/sys-queue.h @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: sys/sys/queue.h */ + /* $OpenBSD: queue.h,v 1.23 2003/06/02 23:28:21 millert Exp $ */ /* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ diff --git a/openbsd-compat/sys-tree.h b/openbsd-compat/sys-tree.h index 927ca04cd..73cfbe72a 100644 --- a/openbsd-compat/sys-tree.h +++ b/openbsd-compat/sys-tree.h @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: sys/sys/tree.h */ + /* $OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $ */ /* * Copyright 2002 Niels Provos diff --git a/openbsd-compat/vis.c b/openbsd-compat/vis.c index e6a2ce98d..1fb7a01e3 100644 --- a/openbsd-compat/vis.c +++ b/openbsd-compat/vis.c @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */ + /*- * Copyright (c) 1989, 1993 * The Regents of the University of California. All rights reserved. diff --git a/openbsd-compat/vis.h b/openbsd-compat/vis.h index 1c131cc85..663355a24 100644 --- a/openbsd-compat/vis.h +++ b/openbsd-compat/vis.h @@ -1,3 +1,5 @@ +/* OPENBSD ORIGINAL: include/vis.h */ + /* $OpenBSD: vis.h,v 1.6 2003/06/02 19:34:12 millert Exp $ */ /* $NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $ */ -- cgit v1.2.3 From 88368a3034f3fff742c3a4c79b873e2cb6a4c1bb Mon Sep 17 00:00:00 2001 
From: Tim Rice Date: Mon, 8 Dec 2003 12:35:59 -0800 Subject: [configure.ac] Bug 770. Fix --without-rpath. --- ChangeLog | 5 ++++- configure.ac | 38 ++++++++++++++++++++++---------------- 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/ChangeLog b/ChangeLog index 472988cd2..1cad1660c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20031208 + - (tim) [configure.ac] Bug 770. Fix --without-rpath. + 20031123 - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own function and call it unconditionally @@ -1532,4 +1535,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3130 2003/11/24 02:33:34 djm Exp $ +$Id: ChangeLog,v 1.3131 2003/12/08 20:35:59 tim Exp $ diff --git a/configure.ac b/configure.ac index b56d37f4d..e7249b9c9 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.175 2003/11/22 03:25:16 dtucker Exp $ +# $Id: configure.ac,v 1.176 2003/12/08 20:35:59 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -52,6 +52,18 @@ if test "$GCC" = "yes" || test "$GCC" = "egcs"; then CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wno-uninitialized" fi +AC_ARG_WITH(rpath, + [ --without-rpath Disable auto-added -R linker paths], + [ + if test "x$withval" = "xno" ; then + need_dash_r="" + fi + if test "x$withval" = "xyes" ; then + need_dash_r=1 + fi + ] +) + # Check for some target-specific stuff case "$host" in *-*-aix*) @@ -228,7 +240,9 @@ mips-sony-bsd|mips-sony-newsos4) ;; *-*-netbsd*) check_for_libcrypt_before=1 - need_dash_r=1 + if test "x$withval" != "xno" ; then + need_dash_r=1 + fi ;; *-*-freebsd*) check_for_libcrypt_later=1 
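Review bot: The `*-*-netbsd*` hunk tests `"x$withval" != "xno"` outside the `AC_ARG_WITH(rpath, ...)` action, and `withval` is the scratch variable that every `AC_ARG_WITH` sets, so the test only refers to the rpath option as long as no other `AC_ARG_WITH` runs between the moved block and the `case "$host"`; the `*-*-solaris*` hunk has the same dependency. When neither `--with-rpath` nor `--without-rpath` is given the action does not run, and whether `withval` is then empty or left over from an earlier option cannot be seen from these hunks. Recording the choice in a dedicated variable inside the action, e.g. `rpath_opt="$withval"`, and testing `"x$rpath_opt" != "xno"` in both branches would keep the decision about `-R` linker paths from depending on option order. The `case` statement continues outside both hunks.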
@@ -252,8 +266,12 @@ mips-sony-bsd|mips-sony-newsos4) ;; *-*-solaris*) CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" - need_dash_r=1 + if test "x$withval" = "xno" ; then + LDFLAGS="$LDFLAGS -L/usr/local/lib" + else + LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" + need_dash_r=1 + fi AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(LOGIN_NEEDS_TERM) @@ -537,18 +555,6 @@ AC_CHECK_FUNC(getspnam, , AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")) AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) -AC_ARG_WITH(rpath, - [ --without-rpath Disable auto-added -R linker paths], - [ - if test "x$withval" = "xno" ; then - need_dash_r="" - fi - if test "x$withval" = "xyes" ; then - need_dash_r=1 - fi - ] -) - dnl zlib is required AC_ARG_WITH(zlib, [ --with-zlib=PATH Use zlib in PATH], -- cgit v1.2.3 From 4c56843e44a7dfa10bce91a2440eaac0d918124e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 9 Dec 2003 19:01:51 +1100 Subject: - matthieu@cvs.openbsd.org 2003/11/25 23:10:08 [ssh-add.1] ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@. --- ChangeLog | 8 +++++++- ssh-add.1 | 7 ++++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1cad1660c..9f3835558 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20031209 + - (dtucker) OpenBSD CVS Sync + - matthieu@cvs.openbsd.org 2003/11/25 23:10:08 + [ssh-add.1] + ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@. + 20031208 - (tim) [configure.ac] Bug 770. Fix --without-rpath. @@ -1535,4 +1541,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3131 2003/12/08 20:35:59 tim Exp $ +$Id: ChangeLog,v 1.3132 2003/12/09 08:01:51 dtucker Exp $ diff --git a/ssh-add.1 b/ssh-add.1 index fe0190859..6348197b3 100644 --- a/ssh-add.1 +++ b/ssh-add.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.39 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD: ssh-add.1,v 1.40 2003/11/25 23:10:08 matthieu Exp $ .\" .\" -*- nroff -*- .\" @@ -69,8 +69,9 @@ The passphrase is read from the user's tty. .Nm retries the last passphrase if multiple identity files are given. .Pp -The authentication agent must be running and must be an ancestor of -the current process for +The authentication agent must be running and the +.Ev SSH_AUTH_SOCK +environment variable must contain the name of its socket for .Nm to work. .Pp -- cgit v1.2.3 From 37afa9d9a463a45b0d8ac62c577deac95bc79c2b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 9 Dec 2003 19:05:42 +1100 Subject: - djm@cvs.openbsd.org 2003/11/26 21:44:29 [cipher-aes.c] fix #ifdef before #define; ok markus@ (RCS ID sync only, Portable already had this) --- ChangeLog | 6 +++++- cipher-aes.c | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9f3835558..545e5c382 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,10 @@ - matthieu@cvs.openbsd.org 2003/11/25 23:10:08 [ssh-add.1] ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@. + - djm@cvs.openbsd.org 2003/11/26 21:44:29 + [cipher-aes.c] + fix #ifdef before #define; ok markus@ + (RCS ID sync only, Portable already had this) 20031208 - (tim) [configure.ac] Bug 770. Fix --without-rpath. @@ -1541,4 +1545,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3132 2003/12/09 08:01:51 dtucker Exp $ +$Id: ChangeLog,v 1.3133 2003/12/09 08:05:42 dtucker Exp $ diff --git a/cipher-aes.c b/cipher-aes.c index 7ba950191..22d500d42 100644 --- a/cipher-aes.c +++ b/cipher-aes.c 
@@ -24,7 +24,7 @@ #include "includes.h" #if OPENSSL_VERSION_NUMBER < 0x00907000L -RCSID("$OpenBSD: cipher-aes.c,v 1.1 2003/05/15 03:08:29 markus Exp $"); +RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); #include #include "rijndael.h" -- cgit v1.2.3 From 1fb0425359f7753d0163c5dce6a3335359da8c5a Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 9 Dec 2003 19:07:13 +1100 Subject: - markus@cvs.openbsd.org 2003/12/02 12:15:10 [progressmeter.c] improvments from andreas@: * saner speed estimate for transfers that takes less than a second by rounding the time to 1 second. * when the transfer is finished calculate the actual total speed rather than the current speed which is given during the transfer --- ChangeLog | 9 ++++++++- progressmeter.c | 10 +++++++--- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 545e5c382..648a8231a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,13 @@ [cipher-aes.c] fix #ifdef before #define; ok markus@ (RCS ID sync only, Portable already had this) + - markus@cvs.openbsd.org 2003/12/02 12:15:10 + [progressmeter.c] + improvments from andreas@: + * saner speed estimate for transfers that takes less than a second by + rounding the time to 1 second. + * when the transfer is finished calculate the actual total speed + rather than the current speed which is given during the transfer 20031208 - (tim) [configure.ac] Bug 770. Fix --without-rpath. @@ -1545,4 +1552,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3133 2003/12/09 08:05:42 dtucker Exp $ +$Id: ChangeLog,v 1.3134 2003/12/09 08:07:13 dtucker Exp $ diff --git a/progressmeter.c b/progressmeter.c index 39940bd9a..7b76c959e 100644 --- a/progressmeter.c +++ b/progressmeter.c 
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: progressmeter.c,v 1.17 2003/11/20 11:39:28 markus Exp $"); +RCSID("$OpenBSD: progressmeter.c,v 1.18 2003/12/02 12:15:10 markus Exp $"); #include "progressmeter.h" #include "atomicio.h" @@ -120,14 +120,18 @@ refresh_progress_meter(void) if (bytes_left > 0) elapsed = now - last_update; - else + else { elapsed = now - start; + /* Calculate true total speed when done */ + transferred = end_pos; + bytes_per_second = 0; + } /* calculate speed */ if (elapsed != 0) cur_speed = (transferred / elapsed); else - cur_speed = 0; + cur_speed = transferred; #define AGE_FACTOR 0.9 if (bytes_per_second != 0) { -- cgit v1.2.3 From 3175eb9a5a426f6e494d523fe6e96fcc426995c1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 9 Dec 2003 19:15:11 +1100 Subject: - markus@cvs.openbsd.org 2003/12/02 17:01:15 [channels.c session.c ssh-agent.c ssh.h sshd.c] use SSH_LISTEN_BACKLOG (=128) in listen(2). --- ChangeLog | 5 ++++- channels.c | 6 +++--- session.c | 4 ++-- ssh-agent.c | 4 ++-- ssh.h | 5 ++++- sshd.c | 4 ++-- 6 files changed, 17 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index 648a8231a..cbc173b68 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,9 @@ rounding the time to 1 second. * when the transfer is finished calculate the actual total speed rather than the current speed which is given during the transfer + - markus@cvs.openbsd.org 2003/12/02 17:01:15 + [channels.c session.c ssh-agent.c ssh.h sshd.c] + use SSH_LISTEN_BACKLOG (=128) in listen(2). 20031208 - (tim) [configure.ac] Bug 770. Fix --without-rpath. @@ -1552,4 +1555,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3134 2003/12/09 08:07:13 dtucker Exp $ +$Id: ChangeLog,v 1.3135 2003/12/09 08:15:11 dtucker Exp $ diff --git a/channels.c b/channels.c index 5a2605f91..14405bd4b 100644 --- a/channels.c +++ b/channels.c 
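Review bot: `cur_speed = transferred;` in the `elapsed == 0` branch of the `refresh_progress_meter` hunk reads like a byte count assigned to a rate. Per the commit message it is the case where the time is rounded to one second, and a comment should say so, e.g. `/* less than a second elapsed: treat it as one second */`. The new `else { ... }` block also leaves the `if` arm unbraced, so bracing both arms would keep the pair consistent. The function body starts and ends outside the hunk.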
@@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.198 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: channels.c,v 1.199 2003/12/02 17:01:14 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -2195,7 +2195,7 @@ channel_setup_fwd_listener(int type, const char *listen_addr, u_short listen_por continue; } /* Start listening for connections on the socket. */ - if (listen(sock, 5) < 0) { + if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { error("listen: %.100s", strerror(errno)); close(sock); continue; @@ -2550,7 +2550,7 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost, /* Start listening for connections on the socket. */ for (n = 0; n < num_socks; n++) { sock = socks[n]; - if (listen(sock, 5) < 0) { + if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { error("listen: %.100s", strerror(errno)); close(sock); return -1; diff --git a/session.c b/session.c index 63b7da1f0..00f8785f5 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.168 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -177,7 +177,7 @@ auth_input_request_forwarding(struct passwd * pw) restore_uid(); /* Start listening on the socket. */ - if (listen(sock, 5) < 0) + if (listen(sock, SSH_LISTEN_BACKLOG) < 0) packet_disconnect("listen: %.100s", strerror(errno)); /* Allocate a channel for the authentication agent socket. */ diff --git a/ssh-agent.c b/ssh-agent.c index b1d603006..e5232fc9b 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -35,7 +35,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.116 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: ssh-agent.c,v 1.117 2003/12/02 17:01:15 markus Exp $"); #include #include 
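Review bot: In the `x11_create_display_inet` hunk (`@@ -2550,7 +2550,7 @@`), the error path after the changed `listen()` call closes only the current `sock` before `return -1`, so the other descriptors in `socks[]` stay open when one `listen()` fails. The commit touches this line only to swap the backlog constant, but the leak is present on the new side too; closing every entry, e.g. `for (n = 0; n < num_socks; n++) close(socks[n]);` in place of `close(sock);`, would release them. This assumes `socks[]` is local to the function and not cleaned up by the caller, which the hunk does not show; the function starts and ends outside the hunk.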
@@ -1138,7 +1138,7 @@ main(int ac, char **av) #ifdef HAVE_CYGWIN umask(prev_mask); #endif - if (listen(sock, 128) < 0) { + if (listen(sock, SSH_LISTEN_BACKLOG) < 0) { perror("listen"); cleanup_exit(1); } diff --git a/ssh.h b/ssh.h index e88b9b83e..a3b2ebbb5 100644 --- a/ssh.h +++ b/ssh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.h,v 1.74 2003/09/01 13:52:18 markus Exp $ */ +/* $OpenBSD: ssh.h,v 1.75 2003/12/02 17:01:15 markus Exp $ */ /* * Author: Tatu Ylonen @@ -103,4 +103,7 @@ /* Minimum modulus size (n) for RSA keys. */ #define SSH_RSA_MINIMUM_MODULUS_SIZE 768 +/* Listen backlog for sshd, ssh-agent and forwarding sockets */ +#define SSH_LISTEN_BACKLOG 128 + #endif /* SSH_H */ diff --git a/sshd.c b/sshd.c index e92a13c5f..b45bc0abc 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.281 2003/11/10 16:23:41 jakob Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.282 2003/12/02 17:01:15 markus Exp $"); #include #include @@ -1161,7 +1161,7 @@ main(int ac, char **av) /* Start listening on the port. */ logit("Server listening on %s port %s.", ntop, strport); - if (listen(listen_sock, 5) < 0) + if (listen(listen_sock, SSH_LISTEN_BACKLOG) < 0) fatal("listen: %.100s", strerror(errno)); } -- cgit v1.2.3 From 564f19e2370d71129a85c3aa1130ab812c3ae3c8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 9 Dec 2003 19:18:07 +1100 Subject: - markus@cvs.openbsd.org 2003/12/08 11:00:47 [kexgexc.c] print requested group size in debug; ok djm --- ChangeLog | 5 ++++- kexgexc.c | 11 ++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index cbc173b68..b1376c825 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -17,6 +17,9 @@ - markus@cvs.openbsd.org 2003/12/02 17:01:15 [channels.c session.c ssh-agent.c ssh.h sshd.c] use SSH_LISTEN_BACKLOG (=128) in listen(2). + - markus@cvs.openbsd.org 2003/12/08 11:00:47 + [kexgexc.c] + print requested group size in debug; ok djm 20031208 - (tim) [configure.ac] Bug 770. Fix --without-rpath. @@ -1555,4 +1558,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3135 2003/12/09 08:15:11 dtucker Exp $ +$Id: ChangeLog,v 1.3136 2003/12/09 08:18:07 dtucker Exp $ diff --git a/kexgexc.c b/kexgexc.c index f14ac44ca..0193183b9 100644 --- a/kexgexc.c +++ b/kexgexc.c @@ -24,7 +24,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: kexgexc.c,v 1.1 2003/02/16 17:09:57 markus Exp $"); +RCSID("$OpenBSD: kexgexc.c,v 1.2 2003/12/08 11:00:47 markus Exp $"); #include "xmalloc.h" #include "key.h" @@ -49,16 +49,14 @@ kexgex_client(Kex *kex) nbits = dh_estimate(kex->we_need * 8); if (datafellows & SSH_OLD_DHGEX) { - debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent"); - /* Old GEX request */ packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); packet_put_int(nbits); min = DH_GRP_MIN; max = DH_GRP_MAX; - } else { - debug("SSH2_MSG_KEX_DH_GEX_REQUEST sent"); + debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%u) sent", nbits); + } else { /* New GEX request */ min = DH_GRP_MIN; max = DH_GRP_MAX; @@ -66,6 +64,9 @@ kexgex_client(Kex *kex) packet_put_int(min); packet_put_int(nbits); packet_put_int(max); + + debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%u<%u<%u) sent", + min, nbits, max); } #ifdef DEBUG_KEXDH fprintf(stderr, "\nmin = %d, nbits = %d, max = %d\n", -- cgit v1.2.3 From 1cbc44493527d9ad0d80d119d5f1fd047e575d4a Mon Sep 17 00:00:00 2001 
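Review bot: The two new `debug()` calls in the `kexgex_client` hunks print `nbits`, `min` and `max` with `%u`, while the `DEBUG_KEXDH` `fprintf` at the end of the second hunk prints the same three variables with `%d`. Their declarations are outside the hunks, so one of the two is presumably mismatched. If they are `int`, the new calls should read `debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD(%d) sent", nbits);` and `debug("SSH2_MSG_KEX_DH_GEX_REQUEST(%d<%d<%d) sent", min, nbits, max);`. Keeping the conversion specifiers matched to the declared type is worth doing even where the values are never negative.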
From: Darren Tucker Date: Tue, 9 Dec 2003 19:19:38 +1100 Subject: - djm@cvs.openbsd.org 2003/12/07 06:34:18 [moduli.c] remove unused debugging #define templates --- ChangeLog | 5 ++++- moduli.c | 11 +---------- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index b1376c825..4bb1ddf35 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,9 @@ - markus@cvs.openbsd.org 2003/12/02 17:01:15 [channels.c session.c ssh-agent.c ssh.h sshd.c] use SSH_LISTEN_BACKLOG (=128) in listen(2). + - djm@cvs.openbsd.org 2003/12/07 06:34:18 + [moduli.c] + remove unused debugging #define templates - markus@cvs.openbsd.org 2003/12/08 11:00:47 [kexgexc.c] print requested group size in debug; ok djm @@ -1558,4 +1561,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3136 2003/12/09 08:18:07 dtucker Exp $ +$Id: ChangeLog,v 1.3137 2003/12/09 08:19:38 dtucker Exp $ diff --git a/moduli.c b/moduli.c index eb8cb78e9..17c7281c5 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.2 2003/11/21 11:57:03 djm Exp $ */ +/* $OpenBSD: moduli.c,v 1.3 2003/12/07 06:34:18 djm Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -44,15 +44,6 @@ #include - -/* - * Debugging defines - */ - -/* define DEBUG_LARGE 1 */ -/* define DEBUG_SMALL 1 */ -/* define DEBUG_TEST 1 */ - /* * File output defines */ -- cgit v1.2.3 From a615314d3b784fbafff3ea72aaf7dc18cd23dbeb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 10 Dec 2003 00:52:37 +1100 Subject: - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below. --- ChangeLog | 3 ++- ssh-keyscan.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4bb1ddf35..6d38e3cd9 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -23,6 +23,7 @@ - markus@cvs.openbsd.org 2003/12/08 11:00:47 [kexgexc.c] print requested group size in debug; ok djm + - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below. 20031208 - (tim) [configure.ac] Bug 770. Fix --without-rpath. @@ -1561,4 +1562,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3137 2003/12/09 08:19:38 dtucker Exp $ +$Id: ChangeLog,v 1.3138 2003/12/09 13:52:37 dtucker Exp $ diff --git a/ssh-keyscan.c b/ssh-keyscan.c index 04d43da35..68b6a0ad1 100644 --- a/ssh-keyscan.c +++ b/ssh-keyscan.c @@ -7,7 +7,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.45 2003/09/19 11:30:39 markus Exp $"); +RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $"); #include "openbsd-compat/sys-queue.h" -- cgit v1.2.3 From 5cd9d443ef70e5c8bf8cc21bc6cc81298e18e863 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 10 Dec 2003 00:54:38 +1100 Subject: - dtucker@cvs.openbsd.org 2003/12/09 13:52:55 [moduli.c] Prevent ssh-keygen -T from outputting moduli with a generator of 0, since they can't be used for Diffie-Hellman. Assistance and ok djm@ --- ChangeLog | 6 +++++- moduli.c | 11 ++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6d38e3cd9..6e87bfbb4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,10 @@ - markus@cvs.openbsd.org 2003/12/08 11:00:47 [kexgexc.c] print requested group size in debug; ok djm + - dtucker@cvs.openbsd.org 2003/12/09 13:52:55 + [moduli.c] + Prevent ssh-keygen -T from outputting moduli with a generator of 0, since + they can't be used for Diffie-Hellman. Assistance and ok djm@ - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below. 20031208 
@@ -1562,4 +1566,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3138 2003/12/09 13:52:37 dtucker Exp $ +$Id: ChangeLog,v 1.3139 2003/12/09 13:54:38 dtucker Exp $ diff --git a/moduli.c b/moduli.c index 17c7281c5..371319d0f 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.3 2003/12/07 06:34:18 djm Exp $ */ +/* $OpenBSD: moduli.c,v 1.4 2003/12/09 13:52:55 dtucker Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson @@ -550,6 +550,15 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, continue; } + /* + * Primes with no known generator are useless for DH, so + * skip those. + */ + if (generator_known == 0) { + debug2("%10u: no known generator", count_in); + continue; + } + count_possible++; /* -- cgit v1.2.3 From b5820f40bf6c088b02106ef900c6608357834448 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Dec 2003 16:27:32 +1100 Subject: 20031217 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/12/09 15:28:43 [serverloop.c] make ClientKeepAlive work for ssh -N, too (no login shell requested). 1) send a bogus channel request if we find a channel 2) send a bogus global request if we don't have a channel ok + test beck@ --- ChangeLog | 11 ++++++++++- serverloop.c | 32 +++++++++++++++----------------- 2 files changed, 25 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6e87bfbb4..c99f53a13 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20031217 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/12/09 15:28:43 + [serverloop.c] + make ClientKeepAlive work for ssh -N, too (no login shell requested). + 1) send a bogus channel request if we find a channel + 2) send a bogus global request if we don't have a channel + ok + test beck@ + 20031209 - (dtucker) OpenBSD CVS Sync - matthieu@cvs.openbsd.org 2003/11/25 23:10:08 
@@ -1566,4 +1575,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3139 2003/12/09 13:54:38 dtucker Exp $ +$Id: ChangeLog,v 1.3140 2003/12/17 05:27:32 djm Exp $ diff --git a/serverloop.c b/serverloop.c index 20255aaee..bc7cd656a 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.113 2003/11/18 00:40:05 dtucker Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.114 2003/12/09 15:28:43 markus Exp $"); #include "xmalloc.h" #include "packet.h" @@ -212,26 +212,23 @@ make_packets_from_stdout_data(void) static void client_alive_check(void) { - static int had_channel = 0; - int id; - - id = channel_find_open(); - if (id == -1) { - if (!had_channel) - return; - packet_disconnect("No open channels after timeout!"); - } - had_channel = 1; + int channel_id; /* timeout, check to see how many we have had */ if (++client_alive_timeouts > options.client_alive_count_max) packet_disconnect("Timeout, your session not responding."); /* - * send a bogus channel request with "wantreply", + * send a bogus global/channel request with "wantreply", * we should get back a failure */ - channel_request_start(id, "keepalive@openssh.com", 1); + if ((channel_id = channel_find_open()) == -1) { + packet_start(SSH2_MSG_GLOBAL_REQUEST); + packet_put_cstring("keepalive@openssh.com"); + packet_put_char(1); /* boolean: want reply */ + } else { + channel_request_start(channel_id, "keepalive@openssh.com", 1); + } packet_send(); } @@ -797,9 +794,9 @@ server_loop2(Authctxt *authctxt) } static void -server_input_channel_failure(int type, u_int32_t seq, void *ctxt) +server_input_keep_alive(int type, u_int32_t seq, void *ctxt) { - debug("Got CHANNEL_FAILURE for keepalive"); + debug("Got %d/%u for keepalive", type, seq); /* * reset timeout, since we got a sane answer from the client. * even if this was generated by something other than 
@@ -808,7 +805,6 @@ server_input_channel_failure(int type, u_int32_t seq, void *ctxt) client_alive_timeouts = 0; } - static void server_input_stdin_data(int type, u_int32_t seq, void *ctxt) { @@ -1048,7 +1044,9 @@ server_init_dispatch_20(void) dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &server_input_global_request); /* client_alive */ - dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_channel_failure); + dispatch_set(SSH2_MSG_CHANNEL_FAILURE, &server_input_keep_alive); + dispatch_set(SSH2_MSG_REQUEST_SUCCESS, &server_input_keep_alive); + dispatch_set(SSH2_MSG_REQUEST_FAILURE, &server_input_keep_alive); /* rekeying */ dispatch_set(SSH2_MSG_KEXINIT, &kex_input_kexinit); } -- cgit v1.2.3 From b9997192a71ae603500e80d52f3e4e24913b87da Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Dec 2003 16:29:22 +1100 Subject: - markus@cvs.openbsd.org 2003/12/09 17:29:04 [sshd.c] fix -o and HUP; ok henning@ --- ChangeLog | 5 ++++- sshd.c | 7 +++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c99f53a13..a86f092cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,9 @@ 1) send a bogus channel request if we find a channel 2) send a bogus global request if we don't have a channel ok + test beck@ + - markus@cvs.openbsd.org 2003/12/09 17:29:04 + [sshd.c] + fix -o and HUP; ok henning@ 20031209 - (dtucker) OpenBSD CVS Sync @@ -1575,4 +1578,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3140 2003/12/17 05:27:32 djm Exp $ +$Id: ChangeLog,v 1.3141 2003/12/17 05:29:22 djm Exp $ diff --git a/sshd.c b/sshd.c index b45bc0abc..50856317a 100644 --- a/sshd.c +++ b/sshd.c 
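Review bot: The `server_init_dispatch_20` hunk routes SSH2_MSG_CHANNEL_FAILURE, SSH2_MSG_REQUEST_SUCCESS and SSH2_MSG_REQUEST_FAILURE to `server_input_keep_alive`, which clears `client_alive_timeouts` without any visible check that a keepalive request is outstanding, so an unsolicited message of any of the three types also resets the counter. The handler's existing comment accepts that for channel failures; the `/* client_alive */` comment above the three `dispatch_set` calls should state it for the global-request replies as well, e.g. `/* client_alive: any of these replies resets the timeout counter, solicited or not */`. If other server code ever needs the replies to its own global requests, these two registrations would have to be shared with it; nothing in the hunk shows such a user today.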
@@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.282 2003/12/02 17:01:15 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.283 2003/12/09 17:29:04 markus Exp $"); #include #include @@ -800,6 +800,7 @@ main(int ac, char **av) FILE *f; struct addrinfo *ai; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; + char *line; int listen_sock, maxfd; int startup_p[2]; int startups = 0; @@ -908,9 +909,11 @@ main(int ac, char **av) } break; case 'o': - if (process_server_config_line(&options, optarg, + line = xstrdup(optarg); + if (process_server_config_line(&options, line, "command-line", 0) != 0) exit(1); + xfree(line); break; case '?': default: -- cgit v1.2.3 From 9836cf8d717455f1bba2dfbf2e41f074fc6bac48 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Dec 2003 16:30:06 +1100 Subject: - markus@cvs.openbsd.org 2003/12/09 17:30:05 [ssh.c] don't modify argv for ssh -o; similar to sshd.c 1.283 --- ChangeLog | 5 ++++- ssh.c | 8 +++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index a86f092cb..d737c855d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ - markus@cvs.openbsd.org 2003/12/09 17:29:04 [sshd.c] fix -o and HUP; ok henning@ + - markus@cvs.openbsd.org 2003/12/09 17:30:05 + [ssh.c] + don't modify argv for ssh -o; similar to sshd.c 1.283 20031209 - (dtucker) OpenBSD CVS Sync @@ -1578,4 +1581,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3141 2003/12/17 05:29:22 djm Exp $ +$Id: ChangeLog,v 1.3142 2003/12/17 05:30:06 djm Exp $ diff --git a/ssh.c b/ssh.c index d29ca37a9..222aaab7f 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.204 2003/11/24 00:16:35 dtucker Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.205 2003/12/09 17:30:05 markus Exp $"); #include #include 
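Review bot: The `case 'o':` hunk in `main` now parses an `xstrdup()` copy of `optarg` and frees it afterwards, but nothing at the call site says why the copy is needed. Going by the commit messages ("fix -o and HUP" here, "don't modify argv for ssh -o" for the matching ssh.c change in the next commit), the parser presumably writes into the string it is given and the original `argv` has to stay intact. A comment such as `/* parse a copy: the config parser modifies the line, argv must stay intact */` above `line = xstrdup(optarg);` would keep a later cleanup from removing the copy. The same comment fits the `case 'o':` hunk in ssh.c; `main` starts and ends outside the hunk.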
@@ -205,7 +205,7 @@ main(int ac, char **av) int i, opt, exit_status; u_short fwd_port, fwd_host_port; char sfwd_port[6], sfwd_host_port[6]; - char *p, *cp, buf[256]; + char *p, *cp, *line, buf[256]; struct stat st; struct passwd *pw; int dummy; @@ -464,9 +464,11 @@ again: break; case 'o': dummy = 1; + line = xstrdup(optarg); if (process_config_line(&options, host ? host : "", - optarg, "command-line", 0, &dummy) != 0) + line, "command-line", 0, &dummy) != 0) exit(1); + xfree(line); break; case 's': subsystem_flag = 1; -- cgit v1.2.3 From 12c150e7e0711e29ea5dc78d3c9ed46221319dc5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Dec 2003 16:31:10 +1100 Subject: - markus@cvs.openbsd.org 2003/12/09 21:53:37 [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1] [ssh_config.5 sshconnect.c sshd.c sshd_config.5] rename keepalive to tcpkeepalive; the old name causes too much confusion; ok djm, dtucker; with help from jmc@ --- ChangeLog | 7 ++++++- readconf.c | 19 ++++++++++--------- readconf.h | 4 ++-- scp.1 | 4 ++-- servconf.c | 17 +++++++++-------- servconf.h | 4 ++-- sftp.1 | 4 ++-- ssh.1 | 4 ++-- ssh_config.5 | 36 ++++++++++++++++++------------------ sshconnect.c | 6 +++--- sshd.c | 6 +++--- sshd_config.5 | 48 ++++++++++++++++++++++++------------------------ 12 files changed, 83 insertions(+), 76 deletions(-) diff --git a/ChangeLog b/ChangeLog index d737c855d..0b97adc72 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,11 @@ - markus@cvs.openbsd.org 2003/12/09 17:30:05 [ssh.c] don't modify argv for ssh -o; similar to sshd.c 1.283 + - markus@cvs.openbsd.org 2003/12/09 21:53:37 + [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1] + [ssh_config.5 sshconnect.c sshd.c sshd_config.5] + rename keepalive to tcpkeepalive; the old name causes too much + confusion; ok djm, dtucker; with help from jmc@ 20031209 - (dtucker) OpenBSD CVS Sync 
@@ -1581,4 +1586,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3142 2003/12/17 05:30:06 djm Exp $ +$Id: ChangeLog,v 1.3143 2003/12/17 05:31:10 djm Exp $ diff --git a/readconf.c b/readconf.c index da49a3944..cd2c81443 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.125 2003/11/12 16:39:58 jakob Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.126 2003/12/09 21:53:36 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -78,7 +78,7 @@ RCSID("$OpenBSD: readconf.c,v 1.125 2003/11/12 16:39:58 jakob Exp $"); RSAAuthentication yes RhostsRSAAuthentication yes StrictHostKeyChecking yes - KeepAlives no + TcpKeepAlive no IdentityFile ~/.ssh/identity Port 22 EscapeChar ~ @@ -96,7 +96,7 @@ typedef enum { oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, + oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts, oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, @@ -169,7 +169,8 @@ static struct { { "stricthostkeychecking", oStrictHostKeyChecking }, { "compression", oCompression }, { "compressionlevel", oCompressionLevel }, - { "keepalive", oKeepAlives }, + { "tcpkeepalive", oTCPKeepAlive }, + { "keepalive", oTCPKeepAlive }, /* obsolete */ { "numberofpasswordprompts", oNumberOfPasswordPrompts }, { "loglevel", oLogLevel }, { "dynamicforward", oDynamicForward }, 
@@ -427,8 +428,8 @@ parse_yesnoask: intptr = &options->compression; goto parse_flag; - case oKeepAlives: - intptr = &options->keepalives; + case oTCPKeepAlive: + intptr = &options->tcp_keep_alive; goto parse_flag; case oNoHostAuthenticationForLocalhost: @@ -826,7 +827,7 @@ initialize_options(Options * options) options->check_host_ip = -1; options->strict_host_key_checking = -1; options->compression = -1; - options->keepalives = -1; + options->tcp_keep_alive = -1; options->compression_level = -1; options->port = -1; options->address_family = -1; @@ -909,8 +910,8 @@ fill_default_options(Options * options) options->strict_host_key_checking = 2; /* 2 is default */ if (options->compression == -1) options->compression = 0; - if (options->keepalives == -1) - options->keepalives = 1; + if (options->tcp_keep_alive == -1) + options->tcp_keep_alive = 1; if (options->compression_level == -1) options->compression_level = 6; if (options->port == -1) diff --git a/readconf.h b/readconf.h index 650132346..f2a859fbe 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.57 2003/11/21 11:57:03 djm Exp $ */ +/* $OpenBSD: readconf.h,v 1.58 2003/12/09 21:53:36 markus Exp $ */ /* * Author: Tatu Ylonen @@ -53,7 +53,7 @@ typedef struct { int compression; /* Compress packets in both directions. */ int compression_level; /* Compression level 1 (fast) to 9 * (best). */ - int keepalives; /* Set SO_KEEPALIVE. */ + int tcp_keep_alive; /* Set SO_KEEPALIVE. */ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ diff --git a/scp.1 b/scp.1 index 4dab2a1db..cbebb949a 100644 --- a/scp.1 +++ b/scp.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.30 2003/10/13 08:22:25 markus Exp $ +.\" $OpenBSD: scp.1,v 1.31 2003/12/09 21:53:36 markus Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 
@@ -137,7 +137,6 @@ For full details of the options listed below, and their possible values, see .It HostKeyAlias .It HostName .It IdentityFile -.It KeepAlive .It LogLevel .It MACs .It NoHostAuthenticationForLocalhost @@ -152,6 +151,7 @@ For full details of the options listed below, and their possible values, see .It RSAAuthentication .It SmartcardDevice .It StrictHostKeyChecking +.It TCPKeepAlive .It UsePrivilegedPort .It User .It UserKnownHostsFile diff --git a/servconf.c b/servconf.c index 0df62ad63..a6824a863 100644 --- a/servconf.c +++ b/servconf.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.128 2003/09/29 20:19:57 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $"); #include "ssh.h" #include "log.h" @@ -61,7 +61,7 @@ initialize_server_options(ServerOptions *options) options->x11_use_localhost = -1; options->xauth_location = NULL; options->strict_modes = -1; - options->keepalives = -1; + options->tcp_keep_alive = -1; options->log_facility = SYSLOG_FACILITY_NOT_SET; options->log_level = SYSLOG_LEVEL_NOT_SET; options->rhosts_rsa_authentication = -1; @@ -159,8 +159,8 @@ fill_default_server_options(ServerOptions *options) options->xauth_location = _PATH_XAUTH; if (options->strict_modes == -1) options->strict_modes = 1; - if (options->keepalives == -1) - options->keepalives = 1; + if (options->tcp_keep_alive == -1) + options->tcp_keep_alive = 1; if (options->log_facility == SYSLOG_FACILITY_NOT_SET) options->log_facility = SYSLOG_FACILITY_AUTH; if (options->log_level == SYSLOG_LEVEL_NOT_SET) 
@@ -254,7 +254,7 @@ typedef enum { sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, - sStrictModes, sEmptyPasswd, sKeepAlives, + sStrictModes, sEmptyPasswd, sTCPKeepAlive, sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, @@ -334,7 +334,8 @@ static struct { { "permituserenvironment", sPermitUserEnvironment }, { "uselogin", sUseLogin }, { "compression", sCompression }, - { "keepalive", sKeepAlives }, + { "tcpkeepalive", sTCPKeepAlive }, + { "keepalive", sTCPKeepAlive }, /* obsolete alias */ { "allowtcpforwarding", sAllowTcpForwarding }, { "allowusers", sAllowUsers }, { "denyusers", sDenyUsers }, @@ -677,8 +678,8 @@ parse_flag: intptr = &options->strict_modes; goto parse_flag; - case sKeepAlives: - intptr = &options->keepalives; + case sTCPKeepAlive: + intptr = &options->tcp_keep_alive; goto parse_flag; case sEmptyPasswd: diff --git a/servconf.h b/servconf.h index 828e94c5c..3cf47bf2f 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.65 2003/09/01 18:15:50 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $ */ /* * Author: Tatu Ylonen @@ -58,7 +58,7 @@ typedef struct { int x11_use_localhost; /* If true, use localhost for fake X11 server. */ char *xauth_location; /* Location of xauth program */ int strict_modes; /* If true, require string home dir modes. */ - int keepalives; /* If true, set SO_KEEPALIVE. */ + int tcp_keep_alive; /* If true, set SO_KEEPALIVE. */ char *ciphers; /* Supported SSH2 ciphers. */ char *macs; /* Supported SSH2 macs. */ int protocol; /* Supported protocol versions. */ diff --git a/sftp.1 b/sftp.1 index 00253037d..91a288dfc 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.47 2003/10/13 08:22:25 markus Exp $ +.\" $OpenBSD: sftp.1,v 1.48 2003/12/09 21:53:37 markus Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -158,7 +158,6 @@ For full details of the options listed below, and their possible values, see .It HostKeyAlias .It HostName .It IdentityFile -.It KeepAlive .It LogLevel .It MACs .It NoHostAuthenticationForLocalhost @@ -173,6 +172,7 @@ For full details of the options listed below, and their possible values, see .It RSAAuthentication .It SmartcardDevice .It StrictHostKeyChecking +.It TCPKeepAlive .It UsePrivilegedPort .It User .It UserKnownHostsFile diff --git a/ssh.1 b/ssh.1 index 25de869ad..33521268b 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.179 2003/11/24 00:16:35 dtucker Exp $ +.\" $OpenBSD: ssh.1,v 1.180 2003/12/09 21:53:37 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -634,7 +634,6 @@ For full details of the options listed below, and their possible values, see .It HostKeyAlias .It HostName .It IdentityFile -.It KeepAlive .It LocalForward .It LogLevel .It MACs @@ -651,6 +650,7 @@ For full details of the options listed below, and their possible values, see .It RSAAuthentication .It SmartcardDevice .It StrictHostKeyChecking +.It TCPKeepAlive .It UsePrivilegedPort .It User .It UserKnownHostsFile diff --git a/ssh_config.5 b/ssh_config.5 index 8857073a5..3aafa4e7d 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.25 2003/11/12 20:14:51 jmc Exp $ +.\" $OpenBSD: ssh_config.5,v 1.26 2003/12/09 21:53:37 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
@@ -408,23 +408,6 @@ syntax to refer to a user's home directory. It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence. -.It Cm KeepAlive -Specifies whether the system should send TCP keepalive messages to the -other side. -If they are sent, death of the connection or crash of one -of the machines will be properly noticed. -However, this means that -connections will die if the route is down temporarily, and some people -find it annoying. -.Pp -The default is -.Dq yes -(to send keepalives), and the client will notice -if the network goes down or the remote host dies. -This is important in scripts, and many users want it too. -.Pp -To disable keepalives, the value should be set to -.Dq no . .It Cm LocalForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. @@ -613,6 +596,23 @@ or .Dq ask . The default is .Dq ask . +.It Cm TCPKeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +.Pp +The default is +.Dq yes +(to send TCP keepalive messages), and the client will notice +if the network goes down or the remote host dies. +This is important in scripts, and many users want it too. +.Pp +To disable TCP keepalive messages, the value should be set to +.Dq no . .It Cm UsePrivilegedPort Specifies whether to use a privileged port for outgoing connections. The argument must be diff --git a/sshconnect.c b/sshconnect.c index 3d6cc375a..80b45c79e 100644 --- a/sshconnect.c +++ b/sshconnect.c 
@@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.154 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.155 2003/12/09 21:53:37 markus Exp $"); #include @@ -415,8 +415,8 @@ ssh_connect(const char *host, struct sockaddr_storage * hostaddr, debug("Connection established."); - /* Set keepalives if requested. */ - if (options.keepalives && + /* Set SO_KEEPALIVE if requested. */ + if (options.tcp_keep_alive && setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&on, sizeof(on)) < 0) error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); diff --git a/sshd.c b/sshd.c index 50856317a..ab029b00f 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.283 2003/12/09 17:29:04 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.284 2003/12/09 21:53:37 markus Exp $"); #include #include @@ -1398,8 +1398,8 @@ main(int ac, char **av) signal(SIGCHLD, SIG_DFL); signal(SIGINT, SIG_DFL); - /* Set keepalives if requested. */ - if (options.keepalives && + /* Set SO_KEEPALIVE if requested. */ + if (options.tcp_keep_alive && setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); diff --git a/sshd_config.5 b/sshd_config.5 index 06a197b76..ad3cf76df 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.26 2003/11/21 11:57:03 djm Exp $ +.\" $OpenBSD: sshd_config.5,v 1.27 2003/12/09 21:53:37 markus Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
@@ -156,12 +156,12 @@ If this threshold is reached while client alive messages are being sent, will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from -.Cm KeepAlive +.Cm TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by -.Cm KeepAlive +.Cm TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. @@ -292,27 +292,6 @@ or .Cm HostbasedAuthentication . The default is .Dq no . -.It Cm KeepAlive -Specifies whether the system should send TCP keepalive messages to the -other side. -If they are sent, death of the connection or crash of one -of the machines will be properly noticed. -However, this means that -connections will die if the route is down temporarily, and some people -find it annoying. -On the other hand, if keepalives are not sent, -sessions may hang indefinitely on the server, leaving -.Dq ghost -users and consuming server resources. -.Pp -The default is -.Dq yes -(to send keepalives), and the server will notice -if the network goes down or the client host crashes. -This avoids infinitely hanging sessions. -.Pp -To disable keepalives, the value should be set to -.Dq no . .It Cm KerberosAuthentication Specifies whether the password provided by the user for .Cm PasswordAuthentication 
@@ -580,6 +559,27 @@ Gives the facility code that is used when logging messages from The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. +.It Cm TCPKeepAlive +Specifies whether the system should send TCP keepalive messages to the +other side. +If they are sent, death of the connection or crash of one +of the machines will be properly noticed. +However, this means that +connections will die if the route is down temporarily, and some people +find it annoying. +On the other hand, if TCP keepalives are not sent, +sessions may hang indefinitely on the server, leaving +.Dq ghost +users and consuming server resources. +.Pp +The default is +.Dq yes +(to send TCP keepalive messages), and the server will notice +if the network goes down or the client host crashes. +This avoids infinitely hanging sessions. +.Pp +To disable TCP keepalive messages, the value should be set to +.Dq no . .It Cm UseDNS Specifies whether .Nm sshd -- cgit v1.2.3 From d696551443ff947cb6e3e690adcecd17877f16ea Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Dec 2003 16:31:53 +1100 Subject: - dtucker@cvs.openbsd.org 2003/12/09 23:45:32 [clientloop.c] Clear exit code when ssh -N is terminated with a SIGTERM. ok markus@ --- ChangeLog | 5 ++++- clientloop.c | 15 ++++++++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0b97adc72..b7a73ae69 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,9 @@ [ssh_config.5 sshconnect.c sshd.c sshd_config.5] rename keepalive to tcpkeepalive; the old name causes too much confusion; ok djm, dtucker; with help from jmc@ + - dtucker@cvs.openbsd.org 2003/12/09 23:45:32 + [clientloop.c] + Clear exit code when ssh -N is terminated with a SIGTERM. ok markus@ 20031209 - (dtucker) OpenBSD CVS Sync 
@@ -1586,4 +1589,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3143 2003/12/17 05:31:10 djm Exp $ +$Id: ChangeLog,v 1.3144 2003/12/17 05:31:53 djm Exp $ diff --git a/clientloop.c b/clientloop.c index e7a7d9fa7..67b9dfcea 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.115 2003/09/23 20:41:11 markus Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.116 2003/12/09 23:45:32 dtucker Exp $"); #include "ssh.h" #include "ssh1.h" @@ -89,6 +89,9 @@ extern Options options; /* Flag indicating that stdin should be redirected from /dev/null. */ extern int stdin_null_flag; +/* Flag indicating that no shell has been requested */ +extern int no_shell_flag; + /* * Name of the host we are connecting to. This is the name given on the * command line, or the HostName specified for the user-supplied name in a @@ -1031,6 +1034,16 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) if (!isatty(fileno(stderr))) unset_nonblock(fileno(stderr)); + /* + * If there was no shell or command requested, there will be no remote + * exit status to be returned. In that case, clear error code if the + * connection was deliberately terminated at this end. + */ + if (no_shell_flag && received_signal == SIGTERM) { + received_signal = 0; + exit_status = 0; + } + if (received_signal) fatal("Killed by signal %d.", (int) received_signal); -- cgit v1.2.3 From baafb981a46d79e576b340dab436c17415f0033a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Dec 2003 16:32:23 +1100 Subject: - markus@cvs.openbsd.org 2003/12/14 12:37:21 [ssh_config.5] we don't support GSS KEX; from Simon Wilkinson --- ChangeLog | 5 ++++- ssh_config.5 | 6 ++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index b7a73ae69..39e8042da 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -20,6 +20,9 @@ - dtucker@cvs.openbsd.org 2003/12/09 23:45:32 [clientloop.c] Clear exit code when ssh -N is terminated with a SIGTERM. ok markus@ + - markus@cvs.openbsd.org 2003/12/14 12:37:21 + [ssh_config.5] + we don't support GSS KEX; from Simon Wilkinson 20031209 - (dtucker) OpenBSD CVS Sync @@ -1589,4 +1592,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3144 2003/12/17 05:31:53 djm Exp $ +$Id: ChangeLog,v 1.3145 2003/12/17 05:32:23 djm Exp $ diff --git a/ssh_config.5 b/ssh_config.5 index 3aafa4e7d..cb26eab69 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.26 2003/12/09 21:53:37 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.27 2003/12/14 12:37:21 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -350,9 +350,7 @@ Specifies a file to use for the global host key database instead of .Pa /etc/ssh/ssh_known_hosts . .It Cm GSSAPIAuthentication -Specifies whether authentication based on GSSAPI may be used, either using -the result of a successful key exchange, or using GSSAPI user -authentication. +Specifies whether user authentication based on GSSAPI is allowed. The default is .Dq no . Note that this option applies to protocol version 2 only. -- cgit v1.2.3 From 509b0107f0e67cb4af663c147179d35fa6425614 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Wed, 17 Dec 2003 16:33:10 +1100 Subject: - markus@cvs.openbsd.org 2003/12/16 15:49:51 [clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1] [ssh.c ssh_config.5] application layer keep alive (ServerAliveInterval ServerAliveCountMax) for ssh(1), similar to the sshd(8) option; ok beck@; with help from jmc and dtucker@ --- ChangeLog | 8 +++++++- clientloop.c | 45 +++++++++++++++++++++++++++++++++++++-------- clientloop.h | 4 ++-- readconf.c | 21 +++++++++++++++++++-- readconf.h | 4 +++- scp.1 | 4 +++- sftp.1 | 4 +++- ssh.1 | 4 +++- ssh.c | 9 +++------ ssh_config.5 | 38 +++++++++++++++++++++++++++++++++++++- 10 files changed, 117 insertions(+), 24 deletions(-) diff --git a/ChangeLog b/ChangeLog index 39e8042da..3593792c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,12 @@ - markus@cvs.openbsd.org 2003/12/14 12:37:21 [ssh_config.5] we don't support GSS KEX; from Simon Wilkinson + - markus@cvs.openbsd.org 2003/12/16 15:49:51 + [clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1] + [ssh.c ssh_config.5] + application layer keep alive (ServerAliveInterval ServerAliveCountMax) + for ssh(1), similar to the sshd(8) option; ok beck@; with help from + jmc and dtucker@ 20031209 - (dtucker) OpenBSD CVS Sync @@ -1592,4 +1598,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3145 2003/12/17 05:32:23 djm Exp $ +$Id: ChangeLog,v 1.3146 2003/12/17 05:33:10 djm Exp $ diff --git a/clientloop.c b/clientloop.c index 67b9dfcea..626b29a5a 100644 --- a/clientloop.c +++ b/clientloop.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: clientloop.c,v 1.116 2003/12/09 23:45:32 dtucker Exp $"); +RCSID("$OpenBSD: clientloop.c,v 1.117 2003/12/16 15:49:51 markus Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -127,6 +127,7 @@ static int connection_in; /* Connection to server (input). */ static int connection_out; /* Connection to server (output). */ static int need_rekeying; /* Set to non-zero if rekeying is requested. */ static int session_closed = 0; /* In SSH2: login session closed. */ +static int server_alive_timeouts = 0; static void client_init_dispatch(void); int session_ident = -1; @@ -313,6 +314,24 @@ client_check_window_change(void) } } +static void +client_global_request_reply(int type, u_int32_t seq, void *ctxt) +{ + server_alive_timeouts = 0; + client_global_request_reply_fwd(type, seq, ctxt); +} + +static void +server_alive_check(void) +{ + if (++server_alive_timeouts > options.server_alive_count_max) + packet_disconnect("Timeout, server not responding."); + packet_start(SSH2_MSG_GLOBAL_REQUEST); + packet_put_cstring("keepalive@openssh.com"); + packet_put_char(1); /* boolean: want reply */ + packet_send(); +} + /* * Waits until the client can do something (some data becomes available on * one of the file descriptors). @@ -322,6 +341,9 @@ static void client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, int *maxfdp, int *nallocp, int rekeying) { + struct timeval tv, *tvp; + int ret; + /* Add any selections by the channel mechanism. */ channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying); 
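Review bot: In `server_alive_check()` the test `++server_alive_timeouts > options.server_alive_count_max` runs before the probe is built, so a `ServerAliveCountMax` of 0 or below makes the first idle timeout call `packet_disconnect()` without a single keepalive having been sent. The option is read through `goto parse_int` in readconf.c, whose body is not visible in this commit, so it is unclear whether such values are rejected. If they are not, refusing them at parse time or mapping them to the default in `fill_default_options()` would keep a configuration typo from turning into immediate disconnects. The two new functions also have no header comment; `/* select() timed out: probe the server, or give up once server_alive_count_max probes are unanswered */` above `server_alive_check()` would state the contract.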
@@ -363,13 +385,18 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, /* * Wait for something to happen. This will suspend the process until * some selected descriptor can be read, written, or has some other - * event pending. Note: if you want to implement SSH_MSG_IGNORE - * messages to fool traffic analysis, this might be the place to do - * it: just have a random timeout for the select, and send a random - * SSH_MSG_IGNORE packet when the timeout expires. + * event pending. */ - if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) { + if (options.server_alive_interval == 0 || !compat20) + tvp = NULL; + else { + tv.tv_sec = options.server_alive_interval; + tv.tv_usec = 0; + tvp = &tv; + } + ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp); + if (ret < 0) { char buf[100]; /* @@ -386,7 +413,8 @@ client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp, snprintf(buf, sizeof buf, "select: %s\r\n", strerror(errno)); buffer_append(&stderr_buffer, buf, strlen(buf)); quit_pending = 1; - } + } else if (ret == 0) + server_alive_check(); } static void @@ -1365,7 +1393,8 @@ client_input_global_request(int type, u_int32_t seq, void *ctxt) rtype = packet_get_string(NULL); want_reply = packet_get_char(); - debug("client_input_global_request: rtype %s want_reply %d", rtype, want_reply); + debug("client_input_global_request: rtype %s want_reply %d", + rtype, want_reply); if (want_reply) { packet_start(success ? SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE); diff --git a/clientloop.h b/clientloop.h index 8056a40c3..56af06bc1 100644 --- a/clientloop.h +++ b/clientloop.h @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.h,v 1.7 2002/04/22 21:04:52 markus Exp $ */ +/* $OpenBSD: clientloop.h,v 1.8 2003/12/16 15:49:51 markus Exp $ */ /* * Author: Tatu Ylonen 
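Review bot: The timeout handed to `select()` through `tvp` expires only when none of the selected descriptors becomes ready, so it measures idleness of the whole client rather than "no data has been received from the server" as the ssh_config.5 text added in this commit puts it. The descriptor sets are filled by `channel_prepare_select()` outside the hunk; if they include local descriptors, steady local activity would keep postponing `server_alive_check()` while the server is unreachable, and the dead connection would go unnoticed. Recording the time of the last input from the server and deriving the timeout from it would match the documented behaviour. Until then a comment at the `tvp` setup should state the limitation, for example `/* NB: restarts on any descriptor activity, not only server input */`. `client_wait_until_can_do_something()` begins before the hunk.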
@@ -37,4 +37,4 @@ /* Client side main loop for the interactive session. */ int client_loop(int, int, int); -void client_global_request_reply(int type, u_int32_t seq, void *ctxt); +void client_global_request_reply_fwd(int, u_int32_t, void *); diff --git a/readconf.c b/readconf.c index cd2c81443..2591e0dba 100644 --- a/readconf.c +++ b/readconf.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.126 2003/12/09 21:53:36 markus Exp $"); +RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -105,6 +105,7 @@ typedef enum { oClearAllForwardings, oNoHostAuthenticationForLocalhost, oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, + oServerAliveInterval, oServerAliveCountMax, oDeprecated, oUnsupported } OpCodes; @@ -189,6 +190,8 @@ static struct { { "rekeylimit", oRekeyLimit }, { "connecttimeout", oConnectTimeout }, { "addressfamily", oAddressFamily }, + { "serveraliveinterval", oServerAliveInterval }, + { "serveralivecountmax", oServerAliveCountMax }, { NULL, oBadOption } }; @@ -307,7 +310,7 @@ process_config_line(Options *options, const char *host, /* NOTREACHED */ case oConnectTimeout: intptr = &options->connection_timeout; -/* parse_time: */ +parse_time: arg = strdelim(&s); if (!arg || *arg == '\0') fatal("%s line %d: missing time value.", @@ -733,6 +736,14 @@ parse_int: intptr = &options->enable_ssh_keysign; goto parse_flag; + case oServerAliveInterval: + intptr = &options->server_alive_interval; + goto parse_time; + + case oServerAliveCountMax: + intptr = &options->server_alive_count_max; + goto parse_int; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); 
@@ -860,6 +871,8 @@ initialize_options(Options * options) options->no_host_authentication_for_localhost = - 1; options->rekey_limit = - 1; options->verify_host_key_dns = -1; + options->server_alive_interval = -1; + options->server_alive_count_max = -1; } /* @@ -974,6 +987,10 @@ fill_default_options(Options * options) options->rekey_limit = 0; if (options->verify_host_key_dns == -1) options->verify_host_key_dns = 0; + if (options->server_alive_interval == -1) + options->server_alive_interval = 0; + if (options->server_alive_count_max == -1) + options->server_alive_count_max = 3; /* options->proxy_command should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ diff --git a/readconf.h b/readconf.h index f2a859fbe..3f27af961 100644 --- a/readconf.h +++ b/readconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.58 2003/12/09 21:53:36 markus Exp $ */ +/* $OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $ */ /* * Author: Tatu Ylonen @@ -100,6 +100,8 @@ typedef struct { int enable_ssh_keysign; int rekey_limit; int no_host_authentication_for_localhost; + int server_alive_interval; + int server_alive_count_max; } Options; diff --git a/scp.1 b/scp.1 index cbebb949a..f5ca1e45a 100644 --- a/scp.1 +++ b/scp.1 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.31 2003/12/09 21:53:36 markus Exp $ +.\" $OpenBSD: scp.1,v 1.32 2003/12/16 15:49:51 markus Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 @@ -149,6 +149,8 @@ For full details of the options listed below, and their possible values, see .It PubkeyAuthentication .It RhostsRSAAuthentication .It RSAAuthentication +.It ServerAliveInterval +.It ServerAliveCountMax .It SmartcardDevice .It StrictHostKeyChecking .It TCPKeepAlive diff --git a/sftp.1 b/sftp.1 index 91a288dfc..8563e2bdd 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.48 2003/12/09 21:53:37 markus Exp $ +.\" $OpenBSD: sftp.1,v 1.49 2003/12/16 15:49:51 markus Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -170,6 +170,8 @@ For full details of the options listed below, and their possible values, see .It PubkeyAuthentication .It RhostsRSAAuthentication .It RSAAuthentication +.It ServerAliveInterval +.It ServerAliveCountMax .It SmartcardDevice .It StrictHostKeyChecking .It TCPKeepAlive diff --git a/ssh.1 b/ssh.1 index 33521268b..e2cd5d343 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.180 2003/12/09 21:53:37 markus Exp $ +.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $ .Dd September 25, 1999 .Dt SSH 1 .Os @@ -648,6 +648,8 @@ For full details of the options listed below, and their possible values, see .It RemoteForward .It RhostsRSAAuthentication .It RSAAuthentication +.It ServerAliveInterval +.It ServerAliveCountMax .It SmartcardDevice .It StrictHostKeyChecking .It TCPKeepAlive diff --git a/ssh.c b/ssh.c index 222aaab7f..da390c12d 100644 --- a/ssh.c +++ b/ssh.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh.c,v 1.205 2003/12/09 17:30:05 markus Exp $"); +RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $"); #include #include 
@@ -1029,16 +1029,13 @@ client_subsystem_reply(int type, u_int32_t seq, void *ctxt) } void -client_global_request_reply(int type, u_int32_t seq, void *ctxt) +client_global_request_reply_fwd(int type, u_int32_t seq, void *ctxt) { int i; i = client_global_request_id++; - if (i >= options.num_remote_forwards) { - debug("client_global_request_reply: too many replies %d > %d", - i, options.num_remote_forwards); + if (i >= options.num_remote_forwards) return; - } debug("remote forward %s for: listen %d, connect %s:%d", type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure", options.remote_forwards[i].port, diff --git a/ssh_config.5 b/ssh_config.5 index cb26eab69..210da059b 100644 --- a/ssh_config.5 +++ b/ssh_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.27 2003/12/14 12:37:21 markus Exp $ +.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os 
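Review bot: `client_global_request_id++` in `client_global_request_reply_fwd()` runs before the bounds check, and with this commit every keepalive reply reaches it through `client_global_request_reply()` in clientloop.c, so the counter keeps growing for the life of the connection instead of stopping near `num_remote_forwards`. Its declaration is outside the hunk; if it is a plain `int`, a very long-lived session would eventually overflow it, which is undefined behaviour, and the later comparison would stop protecting the `options.remote_forwards[i]` index. Testing before incrementing removes the problem: `if (client_global_request_id >= options.num_remote_forwards) return;` followed by `i = client_global_request_id++;`. The function body continues past the end of the hunk.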
@@ -552,6 +552,42 @@ running. The default is .Dq yes . Note that this option applies to protocol version 1 only. +.It Cm ServerAliveInterval +Sets a timeout interval in seconds after which if no data has been received +from the server, +.Nm ssh +will send a message through the encrypted +channel to request a response from the server. +The default +is 0, indicating that these messages will not be sent to the server. +This option applies to protocol version 2 only. +.It Cm ServerAliveCountMax +Sets the number of server alive messages (see above) which may be +sent without +.Nm ssh +receiving any messages back from the server. +If this threshold is reached while server alive messages are being sent, +.Nm ssh +will disconnect from the server, terminating the session. +It is important to note that the use of server alive messages is very +different from +.Cm TCPKeepAlive +(below). +The server alive messages are sent through the encrypted channel +and therefore will not be spoofable. +The TCP keepalive option enabled by +.Cm TCPKeepAlive +is spoofable. +The server alive mechanism is valuable when the client or +server depend on knowing when a connection has become inactive. +.Pp +The default value is 3. +If, for example, +.Cm ServerAliveInterval +(above) is set to 15, and +.Cm ServerAliveCountMax +is left at the default, if the server becomes unresponsive ssh +will disconnect after approximately 45 seconds. .It Cm SmartcardDevice Specifies which smartcard device to use. The argument to this keyword is the device -- cgit v1.2.3 From 8975ddf11b17bf58191c653a0173d91e50e942c7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 17 Dec 2003 16:33:53 +1100 Subject: - markus@cvs.openbsd.org 2003/12/16 15:51:54 [dh.c] use <= instead of < in dh_estimate; ok provos/hshoexer; do not return < DH_GRP_MIN --- ChangeLog | 6 +++++- dh.c | 8 +++----- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3593792c1..5c63b2aa2 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -29,6 +29,10 @@ application layer keep alive (ServerAliveInterval ServerAliveCountMax) for ssh(1), similar to the sshd(8) option; ok beck@; with help from jmc and dtucker@ + - markus@cvs.openbsd.org 2003/12/16 15:51:54 + [dh.c] + use <= instead of < in dh_estimate; ok provos/hshoexer; + do not return < DH_GRP_MIN 20031209 - (dtucker) OpenBSD CVS Sync @@ -1598,4 +1602,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3146 2003/12/17 05:33:10 djm Exp $ +$Id: ChangeLog,v 1.3147 2003/12/17 05:33:53 djm Exp $ diff --git a/dh.c b/dh.c index c924efee0..c7a3e18be 100644 --- a/dh.c +++ b/dh.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: dh.c,v 1.25 2003/09/18 13:02:21 miod Exp $"); +RCSID("$OpenBSD: dh.c,v 1.26 2003/12/16 15:51:54 markus Exp $"); #include "xmalloc.h" @@ -279,11 +279,9 @@ int dh_estimate(int bits) { - if (bits < 64) - return (512); /* O(2**63) */ - if (bits < 128) + if (bits <= 128) return (1024); /* O(2**86) */ - if (bits < 192) + if (bits <= 192) return (2048); /* O(2**116) */ return (4096); /* O(2**156) */ } -- cgit v1.2.3 From e937be36c309fff54978e56159503bcfee76d4c0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 17 Dec 2003 18:53:26 +1100 Subject: - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for setres[ug]id() present but not implemented (eg some Linux/glibc combinations). --- ChangeLog | 5 ++++- acconfig.h | 8 +++++++- configure.ac | 26 +++++++++++++++++++++++++- uidswap.c | 4 ++-- 4 files changed, 38 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5c63b2aa2..f768edcb3 100644 --- a/ChangeLog +++ b/ChangeLog 
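Review bot: The 1024-bit floor that the commit message ties to DH_GRP_MIN is written as a bare literal in dh_estimate, so nothing keeps the two in step if DH_GRP_MIN is changed later. A comment above the first test, `/* never estimate below DH_GRP_MIN */`, would record the link, or the function could return the macro itself if dh.c has it in scope (not visible in this hunk). The function also has no header comment saying what `bits` measures; the O(2**n) annotations suggest it is the strength the group has to match, and that should be stated.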
@@ -33,6 +33,9 @@ [dh.c] use <= instead of < in dh_estimate; ok provos/hshoexer; do not return < DH_GRP_MIN + - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for + setres[ug]id() present but not implemented (eg some Linux/glibc + combinations). 20031209 - (dtucker) OpenBSD CVS Sync @@ -1602,4 +1605,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3147 2003/12/17 05:33:53 djm Exp $ +$Id: ChangeLog,v 1.3148 2003/12/17 07:53:26 dtucker Exp $ diff --git a/acconfig.h b/acconfig.h index 80907f0dc..10ffd6bad 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.168 2003/10/15 06:57:57 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.169 2003/12/17 07:53:26 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -41,6 +41,12 @@ /* Define if your setregid() is broken */ #undef BROKEN_SETREGID +/* Define if your setresuid() is broken */ +#undef BROKEN_SETRESUID + +/* Define if your setresgid() is broken */ +#undef BROKEN_SETRESGID + /* Define to a Set Process Title type if your system is */ /* supported by bsd-setproctitle.c */ #undef SPT_TYPE diff --git a/configure.ac b/configure.ac index e7249b9c9..50b43ae31 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.176 2003/12/08 20:35:59 tim Exp $ +# $Id: configure.ac,v 1.177 2003/12/17 07:53:26 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -780,6 +780,30 @@ AC_CHECK_DECL(tcsendbreak, [#include ] ) +dnl Some platorms have setresuid that isn't implemented +AC_MSG_CHECKING(if setresuid seems to work) +AC_TRY_RUN([ +#include +#include +int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} + ], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(BROKEN_SETRESUID), + AC_MSG_RESULT(not implemented)] +) + +dnl Some platorms have setresgid that isn't implemented +AC_MSG_CHECKING(if setresgid seems to work) +AC_TRY_RUN([ +#include +#include +int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} + ], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(BROKEN_SETRESGID) + AC_MSG_RESULT(not implemented)] +) + dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for utmp functions diff --git a/uidswap.c b/uidswap.c index a5f76fdcd..4cabaa444 100644 --- a/uidswap.c +++ b/uidswap.c @@ -151,7 +151,7 @@ permanently_set_uid(struct passwd *pw) debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, (u_int)pw->pw_gid); -#if defined(HAVE_SETRESGID) +#if defined(HAVE_SETRESGID) && !defined(BROKEN_SETRESGID) if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); #elif defined(HAVE_SETREGID) && !defined(BROKEN_SETREGID) @@ -164,7 +164,7 @@ permanently_set_uid(struct passwd *pw) fatal("setgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); #endif -#if defined(HAVE_SETRESUID) +#if defined(HAVE_SETRESUID) && !defined(BROKEN_SETRESUID) if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0) fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno)); #elif defined(HAVE_SETREUID) && !defined(BROKEN_SETREUID) -- cgit v1.2.3 From 563eb99711026601974115e7d2084ad9b676a188 Mon Sep 17 00:00:00 2001 
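Review bot: In the setresuid check the failure branch reads `[AC_DEFINE(BROKEN_SETRESUID), AC_MSG_RESULT(not implemented)]`; the comma is inside the quoted argument, so it is probably copied into the generated configure script as a stray `,` command, while the otherwise identical setresgid block has no comma. Drop it so both blocks match: `[AC_DEFINE(BROKEN_SETRESUID)`. Both AC_TRY_RUN calls also omit the cross-compiling argument, so the checks give no defined answer when configure cannot run test programs, and the outcome decides which privilege-dropping path uidswap.c compiles. The word "platorms" in both dnl comments should read "platforms".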
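Review bot: With `BROKEN_SETRESGID` and `BROKEN_SETRESUID` now able to disable the setres[ug]id branches, permanently_set_uid takes the setre[ug]id or set[ug]id fallbacks on more systems, and nothing in this hunk or the one at -164 confirms afterwards that the drop took effect. If the part of the function outside the hunks does not already do so, a check after each `#endif` chain makes a partial drop fatal, for example `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("%s: uid not set to %u", __func__, (u_int)pw->pw_uid);` and the same for the gid. A stronger form records the old IDs on entry and treats a successful attempt to switch back to them as fatal. The function starts before and ends after both hunks.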
From: Ben Lindstrom Date: Thu, 18 Dec 2003 00:34:06 +0000 Subject: - (bal) [openbsd-compat/bsd-misc.c] unset 'signal' defined if we are using a real 'signal()' (Noticed by a NeXT Compile) --- ChangeLog | 4 +++- openbsd-compat/bsd-misc.c | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f768edcb3..4ed805c70 100644 --- a/ChangeLog +++ b/ChangeLog @@ -36,6 +36,8 @@ - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for setres[ug]id() present but not implemented (eg some Linux/glibc combinations). + - (bal) [openbsd-compat/bsd-misc.c] unset 'signal' defined if we are + using a real 'signal()' (Noticed by a NeXT Compile) 20031209 - (dtucker) OpenBSD CVS Sync @@ -1605,4 +1607,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3148 2003/12/17 07:53:26 dtucker Exp $ +$Id: ChangeLog,v 1.3149 2003/12/18 00:34:06 mouring Exp $ diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 08b089bdc..44f4fcc1e 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c @@ -25,7 +25,7 @@ #include "includes.h" #include "xmalloc.h" -RCSID("$Id: bsd-misc.c,v 1.19 2003/08/25 01:16:21 mouring Exp $"); +RCSID("$Id: bsd-misc.c,v 1.20 2003/12/18 00:34:07 mouring Exp $"); /* * NB. duplicate __progname in case it is an alias for argv[0] @@ -164,7 +164,6 @@ int nanosleep(const struct timespec *req, struct timespec *rem) return(rc); } - #endif #ifndef HAVE_TCGETPGRP @@ -223,6 +222,7 @@ mysignal(int sig, mysig_t act) } return (osa.sa_handler); #else + #undef signal return (signal(sig, act)); #endif } -- cgit v1.2.3 From 454da0b3dcf8b62b57ff5cf1edfa606b90f553d2 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 18 Dec 2003 12:52:19 +1100 Subject: - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban. --- ChangeLog | 5 ++++- configure.ac | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4ed805c70..40d0a21db 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20031218 + - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban. + 20031217 - (djm) OpenBSD CVS Sync - markus@cvs.openbsd.org 2003/12/09 15:28:43 @@ -1607,4 +1610,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3149 2003/12/18 00:34:06 mouring Exp $ +$Id: ChangeLog,v 1.3150 2003/12/18 01:52:19 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 50b43ae31..6c8621ce5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.177 2003/12/17 07:53:26 dtucker Exp $ +# $Id: configure.ac,v 1.178 2003/12/18 01:52:19 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -132,6 +132,9 @@ case "$host" in ;; *-*-dgux*) AC_DEFINE(IP_TOS_IS_BROKEN) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) ;; *-*-darwin*) AC_MSG_CHECKING(if we have working getaddrinfo) -- cgit v1.2.3 From 07705c788e9bcd8d35dfbb59d2b12c61b8601c9a Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 18 Dec 2003 15:34:31 +1100 Subject: - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive authentication. Partially fixes bug #423. Feedback & ok djm@ Some background on why this is the way it is: * Solaris 8's pam_chauthtok ignores the CHANGE_EXPIRED_AUTHTOK flag, so we must call do_pam_account() to figure out if the password is expired. * AIX 5.2 does not like having pam_acct_mgmt() called twice, once from the authentication thread and once from the main shell child, so we cache the result, which must be passed from the authentication thread back to the monitor. --- ChangeLog | 4 +++- auth-pam.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++------------- 2 files changed, 54 insertions(+), 14 deletions(-) diff --git a/ChangeLog b/ChangeLog index 40d0a21db..5727be82b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 20031218 - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban. + - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive + authentication. Partially fixes bug #423. Feedback & ok djm@ 20031217 - (djm) OpenBSD CVS Sync @@ -1610,4 +1612,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3150 2003/12/18 01:52:19 dtucker Exp $ +$Id: ChangeLog,v 1.3151 2003/12/18 04:34:31 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 621940ab9..2fe1e3382 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 12:56:47 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.85 2003/12/18 04:34:32 dtucker Exp $"); #ifdef USE_PAM #include 
@@ -53,6 +53,7 @@ RCSID("$Id: auth-pam.c,v 1.84 2003/11/21 12:56:47 djm Exp $"); extern ServerOptions options; extern Buffer loginmsg; +extern int compat20; #define __unused @@ -118,6 +119,7 @@ static int sshpam_authenticated = 0; static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; +static int sshpam_account_status = -1; static char **sshpam_env = NULL; struct pam_ctxt { @@ -144,6 +146,21 @@ pam_getenvlist(pam_handle_t *pamh) } #endif +void +pam_password_change_required(int reqd) +{ + sshpam_new_authtok_reqd = reqd; + if (reqd) { + no_port_forwarding_flag |= 2; + no_agent_forwarding_flag |= 2; + no_x11_forwarding_flag |= 2; + } else { + no_port_forwarding_flag &= ~2; + no_agent_forwarding_flag &= ~2; + no_x11_forwarding_flag &= ~2; + + } +} /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -152,6 +169,10 @@ import_environments(Buffer *b) u_int i, num_env; int err; + /* Import variables set by do_pam_account */ + sshpam_account_status = buffer_get_int(b); + pam_password_change_required(buffer_get_int(b)); + /* Import environment from subprocess */ num_env = buffer_get_int(b); sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env)); 
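Review bot: pam_password_change_required is added without any comment, and the explanation that used to sit next to these flag updates in do_pam_account, "Prevent forwardings until password changed", is dropped by the same commit. Carry it over to the helper, e.g. `/* Set or clear the "password change pending" bit (2) that blocks port, agent and X11 forwarding */`, so the meaning of the literal 2 is recorded where it is used. The else branch also ends with a stray blank line before its closing brace, and the function is not `static`, so a prototype in the header is expected if other files call it (not visible here).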
@@ -290,9 +311,26 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + + /* if (compat20) { */ + if (!do_pam_account()) + goto auth_fail; + if (sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + pam_password_change_required(0); + } + /* } */ + buffer_put_cstring(&buffer, "OK"); #ifndef USE_POSIX_THREADS + /* Export variables set by do_pam_account */ + buffer_put_int(&buffer, sshpam_account_status); + buffer_put_int(&buffer, sshpam_new_authtok_reqd); + /* Export any environment strings set in child */ for(i = 0; environ[i] != NULL; i++) ; /* Count */ @@ -611,22 +649,22 @@ finish_pam(void) u_int do_pam_account(void) { + if (sshpam_account_status != -1) + return (sshpam_account_status); + sshpam_err = pam_acct_mgmt(sshpam_handle, 0); debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); - - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) - return (0); - - if (sshpam_err == PAM_NEW_AUTHTOK_REQD) { - sshpam_new_authtok_reqd = 1; - - /* Prevent forwardings until password changed */ - no_port_forwarding_flag |= 2; - no_agent_forwarding_flag |= 2; - no_x11_forwarding_flag |= 2; + + if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { + sshpam_account_status = 0; + return (sshpam_account_status); } - return (1); + if (sshpam_err == PAM_NEW_AUTHTOK_REQD) + pam_password_change_required(1); + + sshpam_account_status = 1; + return (sshpam_account_status); } void -- cgit v1.2.3 From c376c8647edb08fa1659882c4a96babedec94d18 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 18 Dec 2003 16:08:59 +1100 Subject: Enable commented-out "if (compat20)" test. (Should not have been committed.) --- auth-pam.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/auth-pam.c b/auth-pam.c index 2fe1e3382..9edf2c54e 100644 --- a/auth-pam.c 
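Review bot: In the do_pam_account hunk the verdict is cached in the file-scope `sshpam_account_status` and nothing in the visible code sets it back to -1, so every later call in the same process returns the first result without consulting PAM again. If the PAM handle can be torn down and re-created during the process lifetime (the initialisation code is outside the hunk), the cache should be reset there with `sshpam_account_status = -1;`, otherwise a verdict obtained for one PAM transaction is reused for the next. A comment on the variable stating that -1 means "not yet checked" and why the result is cached would also help; the commit message gives the AIX 5.2 reason but the code does not.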
+++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.85 2003/12/18 04:34:32 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.86 2003/12/18 05:08:59 dtucker Exp $"); #ifdef USE_PAM #include @@ -312,7 +312,7 @@ sshpam_thread(void *ctxtp) if (sshpam_err != PAM_SUCCESS) goto auth_fail; - /* if (compat20) { */ + if (compat20) { if (!do_pam_account()) goto auth_fail; if (sshpam_new_authtok_reqd) { @@ -322,7 +322,7 @@ sshpam_thread(void *ctxtp) goto auth_fail; pam_password_change_required(0); } - /* } */ + } buffer_put_cstring(&buffer, "OK"); -- cgit v1.2.3 From 3715be3cd3aab2bcf14a223c614f62c367730f67 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 19 Dec 2003 10:58:43 +1100 Subject: - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we typedef size_t ourselves. --- ChangeLog | 6 +++++- defines.h | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5727be82b..0cd1a31c9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20031219 + - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we + typedef size_t ourselves. + 20031218 - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban. - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive @@ -1612,4 +1616,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3151 2003/12/18 04:34:31 dtucker Exp $ +$Id: ChangeLog,v 1.3152 2003/12/18 23:58:43 dtucker Exp $ diff --git a/defines.h b/defines.h index 6d197c769..d84c378dc 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.105 2003/11/24 02:07:46 djm Exp $ */ +/* $Id: defines.h,v 1.106 2003/12/18 23:58:43 dtucker Exp $ */ /* Constants */ 
@@ -240,6 +240,7 @@ typedef unsigned char u_char; #ifndef HAVE_SIZE_T typedef unsigned int size_t; # define HAVE_SIZE_T +# define SIZE_T_MAX UINT_MAX #endif /* HAVE_SIZE_T */ #ifndef HAVE_SSIZE_T -- cgit v1.2.3 From 06930c70ad47744dd96955a6a1b75df7c5eebc3b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 31 Dec 2003 11:34:51 +1100 Subject: - djm@cvs.openbsd.org 2003/12/22 09:16:58 [moduli.c ssh-keygen.1 ssh-keygen.c] tidy up moduli generation debugging, add -v (verbose/debug) option to ssh-keygen; ok markus@ --- ChangeLog | 9 ++++++++- moduli.c | 27 ++++++++++++++++++--------- ssh-keygen.1 | 14 +++++++++++++- ssh-keygen.c | 18 ++++++++++++++++-- 4 files changed, 55 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0cd1a31c9..62095746d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20031231 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/12/22 09:16:58 + [moduli.c ssh-keygen.1 ssh-keygen.c] + tidy up moduli generation debugging, add -v (verbose/debug) option to + ssh-keygen; ok markus@ + 20031219 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we typedef size_t ourselves. @@ -1616,4 +1623,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3152 2003/12/18 23:58:43 dtucker Exp $ +$Id: ChangeLog,v 1.3153 2003/12/31 00:34:51 dtucker Exp $ diff --git a/moduli.c b/moduli.c index 371319d0f..a09073aed 100644 --- a/moduli.c +++ b/moduli.c @@ -1,4 +1,4 @@ -/* $OpenBSD: moduli.c,v 1.4 2003/12/09 13:52:55 dtucker Exp $ */ +/* $OpenBSD: moduli.c,v 1.5 2003/12/22 09:16:57 djm Exp $ */ /* * Copyright 1994 Phil Karn * Copyright 1996-1998, 2003 William Allen Simpson 
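Review bot: `SIZE_T_MAX` is defined unconditionally inside the `#ifndef HAVE_SIZE_T` block and in terms of `UINT_MAX`, which is only available once limits.h has been included; the hunk does not show that include. Guarding the define avoids a clash with a header that already provides it: `# ifndef SIZE_T_MAX`, `#  define SIZE_T_MAX UINT_MAX`, `# endif`. It is worth confirming that limits.h is pulled in before the macro is first expanded, since such a limit is presumably used in size-overflow checks elsewhere in the tree.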
@@ -72,9 +72,10 @@ #define QTEST_JACOBI (0x08) #define QTEST_ELLIPTIC (0x10) -/* Size: decimal. +/* + * Size: decimal. * Specifies the number of the most significant bit (0 to M). - ** WARNING: internally, usually 1 to N. + * WARNING: internally, usually 1 to N. */ #define QSIZE_MINIMUM (511) @@ -169,7 +170,7 @@ sieve_large(u_int32_t s) { u_int32_t r, u; - debug2("sieve_large %u", s); + debug3("sieve_large %u", s); largetries++; /* r = largebase mod s */ r = BN_mod_word(largebase, s); @@ -474,6 +475,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, debug2("%10u: known composite", count_in); continue; } + /* tries */ in_tries = strtoul(cp, &cp, 10); @@ -498,13 +500,20 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, in_size += 1; generator_known = 0; break; - default: + case QTYPE_UNSTRUCTURED: + case QTYPE_SAFE: + case QTYPE_SCHNOOR: + case QTYPE_STRONG: + case QTYPE_UNKNOWN: debug2("%10u: (%u)", count_in, in_type); a = p; BN_hex2bn(&a, cp); /* q = (p-1) / 2 */ BN_rshift(q, p, 1); break; + default: + debug2("Unknown prime type"); + break; } /* @@ -524,6 +533,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, in_tries += trials; else in_tries = trials; + /* * guess unknown generator */ @@ -535,9 +545,8 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, else { u_int32_t r = BN_mod_word(p, 10); - if (r == 3 || r == 7) { + if (r == 3 || r == 7) generator_known = 5; - } } } /* @@ -569,7 +578,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, * vast majority of composite q's. */ if (BN_is_prime(q, 1, NULL, ctx, NULL) <= 0) { - debug2("%10u: q failed first possible prime test", + debug("%10u: q failed first possible prime test", count_in); continue; } 
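Review bot: The new `default:` arm in prime_test only logs "Unknown prime type" and then breaks out of the switch, so a candidate line with an unrecognised type goes on to the tests below with `p` and `q` still holding whatever the previous line left in them, as far as the context lines show. The type comes from the candidate file being screened, so a malformed record should be skipped rather than evaluated with stale values: `default: debug2("%10u: unknown prime type %u", count_in, in_type); continue;`. The return value of `BN_hex2bn(&a, cp)` in the arm above is also unchecked, which has the same effect for a line whose hex field does not parse. prime_test starts before and ends after this hunk.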
@@ -582,7 +591,7 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, * doesn't hurt to specify a high iteration count. */ if (!BN_is_prime(p, trials, NULL, ctx, NULL)) { - debug2("%10u: p is not prime", count_in); + debug("%10u: p is not prime", count_in); continue; } debug("%10u: p is almost certainly prime", count_in); diff --git a/ssh-keygen.1 b/ssh-keygen.1 index dc4bcacd0..6dd615428 100644 --- a/ssh-keygen.1 +++ b/ssh-keygen.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.60 2003/07/28 09:49:56 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.61 2003/12/22 09:16:58 djm Exp $ .\" .\" -*- nroff -*- .\" @@ -89,12 +89,14 @@ .Op Fl g .Nm ssh-keygen .Fl G Ar output_file +.Op Fl v .Op Fl b Ar bits .Op Fl M Ar memory .Op Fl S Ar start_point .Nm ssh-keygen .Fl T Ar output_file .Fl f Ar input_file +.Op Fl v .Op Fl a Ar num_trials .Op Fl W Ar generator .Sh DESCRIPTION @@ -263,6 +265,16 @@ Specify desired generator when testing candidate moduli for DH-GEX. .It Fl U Ar reader Upload an existing RSA private key into the smartcard in .Ar reader . +.It Fl v +Verbose mode. +Causes +.Nm +to print debugging messages about its progress. +This is helpful for debugging moduli generation. +Multiple +.Fl v +options increase the verbosity. +The maximum is 3. .It Fl r Ar hostname Print DNS resource record with the specified .Ar hostname . diff --git a/ssh-keygen.c b/ssh-keygen.c index 961fd43e5..1156a010a 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-keygen.c,v 1.112 2003/11/23 23:18:45 djm Exp $"); +RCSID("$OpenBSD: ssh-keygen.c,v 1.113 2003/12/22 09:16:58 djm Exp $"); #include #include @@ -797,6 +797,7 @@ main(int ac, char **av) int opt, type, fd, download = 0, memory = 0; int generator_wanted = 0, trials = 100; int do_gen_candidates = 0, do_screen_candidates = 0; + int log_level = SYSLOG_LEVEL_INFO; BIGNUM *start = NULL; FILE *f; 
@@ -823,7 +824,7 @@ main(int ac, char **av) } while ((opt = getopt(ac, av, - "degiqpclBRxXyb:f:t:U:D:P:N:C:r:g:T:G:M:S:a:W:")) != -1) { + "degiqpclBRvxXyb:f:t:U:D:P:N:C:r:g:T:G:M:S:a:W:")) != -1) { switch (opt) { case 'b': bits = atoi(optarg); @@ -891,6 +892,15 @@ main(int ac, char **av) case 'U': reader_id = optarg; break; + case 'v': + if (log_level == SYSLOG_LEVEL_INFO) + log_level = SYSLOG_LEVEL_DEBUG1; + else { + if (log_level >= SYSLOG_LEVEL_DEBUG1 && + log_level < SYSLOG_LEVEL_DEBUG3) + log_level++; + } + break; case 'r': resource_record_hostname = optarg; break; @@ -932,6 +942,10 @@ main(int ac, char **av) usage(); } } + + /* reinit */ + log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1); + if (optind < ac) { printf("Too many arguments.\n"); usage(); -- cgit v1.2.3 From a32e19c637cec7b6c4ce779c6b6586c3880de6b2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 31 Dec 2003 11:36:00 +1100 Subject: - markus@cvs.openbsd.org 2003/12/22 20:29:55 [cipher-3des1.c] EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr --- ChangeLog | 5 ++++- cipher-3des1.c | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 62095746d..c80577e5a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [moduli.c ssh-keygen.1 ssh-keygen.c] tidy up moduli generation debugging, add -v (verbose/debug) option to ssh-keygen; ok markus@ + - markus@cvs.openbsd.org 2003/12/22 20:29:55 + [cipher-3des1.c] + EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr 20031219 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we @@ -1623,4 +1626,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3153 2003/12/31 00:34:51 dtucker Exp $ +$Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $ diff --git a/cipher-3des1.c b/cipher-3des1.c index 6f9f5dd6b..f815e8ae5 100644 --- a/cipher-3des1.c 
+++ b/cipher-3des1.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher-3des1.c,v 1.1 2003/05/15 03:08:29 markus Exp $"); +RCSID("$OpenBSD: cipher-3des1.c,v 1.2 2003/12/22 20:29:55 markus Exp $"); #include #include "xmalloc.h" @@ -126,6 +126,9 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx) struct ssh1_3des_ctx *c; if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) { + EVP_CIPHER_CTX_cleanup(&c->k1); + EVP_CIPHER_CTX_cleanup(&c->k2); + EVP_CIPHER_CTX_cleanup(&c->k3); memset(c, 0, sizeof(*c)); xfree(c); EVP_CIPHER_CTX_set_app_data(ctx, NULL); -- cgit v1.2.3 From 22ef5087543839dd14e1591923e669518b5c13e8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 31 Dec 2003 11:37:34 +1100 Subject: - jakob@cvs.openbsd.org 2003/12/23 16:12:10 [servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@ --- ChangeLog | 5 ++++- servconf.c | 12 +++++++++++- servconf.h | 4 +++- session.c | 28 +++++++++++++++++++++++++++- sshd_config | 3 ++- 5 files changed, 47 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index c80577e5a..d325407ab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,9 @@ - markus@cvs.openbsd.org 2003/12/22 20:29:55 [cipher-3des1.c] EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr + - jakob@cvs.openbsd.org 2003/12/23 16:12:10 + [servconf.c servconf.h session.c sshd_config] + implement KerberosGetAFSToken server option. ok markus@, beck@ 20031219 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we @@ -1626,4 +1629,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3154 2003/12/31 00:36:00 dtucker Exp $ +$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $ diff --git a/servconf.c b/servconf.c index a6824a863..b832c75b3 100644 --- a/servconf.c +++ b/servconf.c 
@@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.129 2003/12/09 21:53:36 markus Exp $"); +RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $"); #include "ssh.h" #include "log.h" @@ -72,6 +72,7 @@ initialize_server_options(ServerOptions *options) options->kerberos_authentication = -1; options->kerberos_or_local_passwd = -1; options->kerberos_ticket_cleanup = -1; + options->kerberos_get_afs_token = -1; options->gss_authentication=-1; options->gss_cleanup_creds = -1; options->password_authentication = -1; @@ -181,6 +182,8 @@ fill_default_server_options(ServerOptions *options) options->kerberos_or_local_passwd = 1; if (options->kerberos_ticket_cleanup == -1) options->kerberos_ticket_cleanup = 1; + if (options->kerberos_get_afs_token == -1) + options->kerberos_get_afs_token = 0; if (options->gss_authentication == -1) options->gss_authentication = 0; if (options->gss_cleanup_creds == -1) @@ -250,6 +253,7 @@ typedef enum { sPermitRootLogin, sLogFacility, sLogLevel, sRhostsRSAAuthentication, sRSAAuthentication, sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup, + sKerberosGetAFSToken, sKerberosTgtPassing, sChallengeResponseAuthentication, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, @@ -301,10 +305,12 @@ static struct { { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, + { "kerberosgetafstoken", sKerberosGetAFSToken }, #else { "kerberosauthentication", sUnsupported }, { "kerberosorlocalpasswd", sUnsupported }, { "kerberosticketcleanup", sUnsupported }, + { "kerberosgetafstoken", sUnsupported }, #endif { "kerberostgtpassing", sUnsupported }, { "afstokenpassing", sUnsupported }, 
@@ -630,6 +636,10 @@ parse_flag: intptr = &options->kerberos_ticket_cleanup; goto parse_flag; + case sKerberosGetAFSToken: + intptr = &options->kerberos_get_afs_token; + goto parse_flag; + case sGssAuthentication: intptr = &options->gss_authentication; goto parse_flag; diff --git a/servconf.h b/servconf.h index 3cf47bf2f..57c7e5fab 100644 --- a/servconf.h +++ b/servconf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.66 2003/12/09 21:53:37 markus Exp $ */ +/* $OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $ */ /* * Author: Tatu Ylonen @@ -80,6 +80,8 @@ typedef struct { * /etc/passwd */ int kerberos_ticket_cleanup; /* If true, destroy ticket * file on logout. */ + int kerberos_get_afs_token; /* If true, try to get AFS token if + * authenticated with Kerberos. */ int gss_authentication; /* If true, permit GSSAPI authentication */ int gss_cleanup_creds; /* If true, destroy cred cache on logout */ int password_authentication; /* If true, permit password diff --git a/session.c b/session.c index 00f8785f5..03a5ec570 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.169 2003/12/02 17:01:15 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -1415,6 +1415,32 @@ do_child(Session *s, const char *command) */ environ = env; +#ifdef KRB5 + /* + * At this point, we check to see if AFS is active and if we have + * a valid Kerberos 5 TGT. If so, it seems like a good idea to see + * if we can (and need to) extend the ticket into an AFS token. If + * we don't do this, we run into potential problems if the user's + * home directory is in AFS and it's not world-readable. + */ + + if (options.kerberos_get_afs_token && k_hasafs() && + (s->authctxt->krb5_ctx != NULL)) { + char cell[64]; + + debug("Getting AFS token"); + + k_setpag(); + + if (k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) + krb5_afslog(s->authctxt->krb5_ctx, + s->authctxt->krb5_fwd_ccache, cell, NULL); + + krb5_afslog_home(s->authctxt->krb5_ctx, + s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir); + } +#endif + /* Change current directory to the user\'s home directory. */ if (chdir(pw->pw_dir) < 0) { fprintf(stderr, "Could not chdir to home directory %s: %s\n", diff --git a/sshd_config b/sshd_config index 8dfc772e8..aaa30f4ba 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.66 2003/09/29 20:19:57 markus Exp $ +# $OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -61,6 +61,7 @@ #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes +#KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no -- cgit v1.2.3 From 0b3b97512fc3bae1aad38ddff2222bcca5f80f0e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 31 Dec 2003 11:38:32 +1100 Subject: - millert@cvs.openbsd.org 2003/12/29 16:39:50 [sshd_config] KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK --- ChangeLog | 5 ++++- sshd_config | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index d325407ab..ad79ceb36 100644 --- a/ChangeLog 
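Review bot: The results of `k_setpag()` and of both `krb5_afslog*()` calls are ignored in the new KRB5 block of do_child, so a failure to create the PAG or to obtain the token is neither handled nor logged. If k_setpag() fails, the token obtained next would presumably attach to whatever PAG the process inherited rather than a fresh one for this session; check it first and skip the token step on failure, e.g. `if (k_setpag() != 0) debug("k_setpag failed");` (assuming non-zero means failure). The guard tests `s->authctxt->krb5_ctx != NULL` but passes `krb5_fwd_ccache` unchecked, so it should be confirmed that the cache cannot be NULL when the context is set. do_child's body starts and ends outside the hunk.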
+++ b/ChangeLog @@ -10,6 +10,9 @@ - jakob@cvs.openbsd.org 2003/12/23 16:12:10 [servconf.c servconf.h session.c sshd_config] implement KerberosGetAFSToken server option. ok markus@, beck@ + - millert@cvs.openbsd.org 2003/12/29 16:39:50 + [sshd_config] + KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK 20031219 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we @@ -1629,4 +1632,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3155 2003/12/31 00:37:34 dtucker Exp $ +$Id: ChangeLog,v 1.3156 2003/12/31 00:38:32 dtucker Exp $ diff --git a/sshd_config b/sshd_config index aaa30f4ba..b45c8c561 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.67 2003/12/23 16:12:10 jakob Exp $ +# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -79,7 +79,7 @@ #X11UseLocalhost yes #PrintMotd yes #PrintLastLog yes -#KeepAlive yes +#TCPKeepAlive yes #UseLogin no #UsePrivilegeSeparation yes #PermitUserEnvironment no -- cgit v1.2.3 From ea2870619d295b0ff6398b3115c4a4e0ac543edb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 31 Dec 2003 11:43:24 +1100 Subject: - dtucker@cvs.openbsd.org 2003/12/31 00:24:50 [auth2-passwd.c] Ignore password change request during password auth (which we currently don't support) and discard proposed new password. corrections/ok markus@ --- ChangeLog | 6 +++++- auth2-passwd.c | 20 ++++++++++++++------ 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index ad79ceb36..4c2e2f25c 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -13,6 +13,10 @@ - millert@cvs.openbsd.org 2003/12/29 16:39:50 [sshd_config] KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK + - dtucker@cvs.openbsd.org 2003/12/31 00:24:50 + [auth2-passwd.c] + Ignore password change request during password auth (which we currently + don't support) and discard proposed new password. corrections/ok markus@ 20031219 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we @@ -1632,4 +1636,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3156 2003/12/31 00:38:32 dtucker Exp $ +$Id: ChangeLog,v 1.3157 2003/12/31 00:43:24 dtucker Exp $ diff --git a/auth2-passwd.c b/auth2-passwd.c index 67fb4c921..a4f482d2e 100644 --- a/auth2-passwd.c +++ b/auth2-passwd.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2-passwd.c,v 1.4 2003/08/26 09:58:43 markus Exp $"); +RCSID("$OpenBSD: auth2-passwd.c,v 1.5 2003/12/31 00:24:50 dtucker Exp $"); #include "xmalloc.h" #include "packet.h" @@ -38,16 +38,24 @@ extern ServerOptions options; static int userauth_passwd(Authctxt *authctxt) { - char *password; + char *password, *newpass; int authenticated = 0; int change; - u_int len; + u_int len, newlen; + change = packet_get_char(); - if (change) - logit("password change not supported"); password = packet_get_string(&len); + if (change) { + /* discard new password from packet */ + newpass = packet_get_string(&newlen); + memset(newpass, 0, newlen); + xfree(newpass); + } packet_check_eom(); - if (PRIVSEP(auth_password(authctxt, password)) == 1 + + if (change) + logit("password change not supported"); + else if (PRIVSEP(auth_password(authctxt, password)) == 1 #ifdef HAVE_CYGWIN && check_nt_auth(1, authctxt->pw) #endif -- cgit v1.2.3 From 2a6b029f9969491319600b4623d56a85e57b9833 Mon Sep 17 00:00:00 2001 
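Review bot: The `memset(newpass, 0, newlen)` in the `if (change)` branch of userauth_passwd is immediately followed by `xfree(newpass)`, which makes it a dead store that an optimising compiler is allowed to drop, leaving the proposed password in freed heap memory. A wipe the compiler cannot elide is safer here, e.g. `explicit_bzero(newpass, newlen);` where the platform provides it, or a store through a volatile pointer otherwise. The function continues past the end of the hunk, so the handling of `password` itself is not visible here.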
From: Darren Tucker Date: Wed, 31 Dec 2003 14:59:17 +1100 Subject: - (dtucker) [configure.ac] Only test setresuid and setresgid if they exist. --- ChangeLog | 3 ++- configure.ac | 40 ++++++++++++++++++++++------------------ 2 files changed, 24 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4c2e2f25c..cd48ba423 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,7 @@ [auth2-passwd.c] Ignore password change request during password auth (which we currently don't support) and discard proposed new password. corrections/ok markus@ + - (dtucker) [configure.ac] Only test setresuid and setresgid if they exist. 20031219 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we @@ -1636,4 +1637,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3157 2003/12/31 00:43:24 dtucker Exp $ +$Id: ChangeLog,v 1.3158 2003/12/31 03:59:17 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 6c8621ce5..5ac6acb38 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.178 2003/12/18 01:52:19 dtucker Exp $ +# $Id: configure.ac,v 1.179 2003/12/31 03:59:17 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -749,7 +749,7 @@ AC_CHECK_FUNCS(\ mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \ pstat readpassphrase realpath recvmsg rresvport_af sendmsg \ setdtablesize setegid setenv seteuid setgroups setlogin setpcred \ - setproctitle setregid setresgid setresuid setreuid setrlimit \ + setproctitle setregid setreuid setrlimit \ setsid setvbuf sigaction sigvec snprintf socketpair strerror \ strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ truncate utimes vhangup vsnprintf waitpid \ 
@@ -783,29 +783,33 @@ AC_CHECK_DECL(tcsendbreak, [#include ] ) -dnl Some platorms have setresuid that isn't implemented -AC_MSG_CHECKING(if setresuid seems to work) -AC_TRY_RUN([ +AC_CHECK_FUNCS(setresuid, [ + dnl Some platorms have setresuid that isn't implemented, test for this + AC_MSG_CHECKING(if setresuid seems to work) + AC_TRY_RUN([ #include #include int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} - ], - [AC_MSG_RESULT(yes)], - [AC_DEFINE(BROKEN_SETRESUID), - AC_MSG_RESULT(not implemented)] -) + ], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(BROKEN_SETRESUID), + AC_MSG_RESULT(not implemented)] + ) +]) -dnl Some platorms have setresgid that isn't implemented -AC_MSG_CHECKING(if setresgid seems to work) -AC_TRY_RUN([ +AC_CHECK_FUNCS(setresgid, [ + dnl Some platorms have setresgid that isn't implemented, test for this + AC_MSG_CHECKING(if setresgid seems to work) + AC_TRY_RUN([ #include #include int main(){errno=0; setresgid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} - ], - [AC_MSG_RESULT(yes)], - [AC_DEFINE(BROKEN_SETRESGID) - AC_MSG_RESULT(not implemented)] -) + ], + [AC_MSG_RESULT(yes)], + [AC_DEFINE(BROKEN_SETRESGID) + AC_MSG_RESULT(not implemented)] + ) +]) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) -- cgit v1.2.3 From 7a2ea78cc416956be619fc82f59b4eb20b3c2225 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 2 Jan 2004 17:52:10 +1100 Subject: - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from jakob@ --- ChangeLog | 6 +++++- configure.ac | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index cd48ba423..53043c4ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040102 + - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from + jakob@ + 20031231 - (dtucker) OpenBSD CVS Sync - djm@cvs.openbsd.org 2003/12/22 09:16:58 
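Review bot: Both `AC_TRY_RUN` checks, now nested in `AC_CHECK_FUNCS(setresuid, ...)` and `AC_CHECK_FUNCS(setresgid, ...)`, still pass only the success and failure actions, so there is no action for a cross-compiling configure, which cannot run the probe at all. Since BROKEN_SETRESUID and BROKEN_SETRESGID presumably select how privileges are dropped, the cross-compile default should be an explicit choice, e.g. a fourth argument `[AC_MSG_WARN([cross compiling: assuming setresuid works])]`. The `dnl` comment in both blocks also carries the typo `platorms`.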
@@ -1637,4 +1641,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3158 2003/12/31 03:59:17 dtucker Exp $ +$Id: ChangeLog,v 1.3159 2004/01/02 06:52:10 djm Exp $ diff --git a/configure.ac b/configure.ac index 5ac6acb38..bb7e59be0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.179 2003/12/31 03:59:17 dtucker Exp $ +# $Id: configure.ac,v 1.180 2004/01/02 06:52:10 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -150,6 +150,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) + AC_DEFINE_UNQUOTED(BIND_8_COMPAT, 1) ;; *-*-hpux10.26) if test -z "$GCC"; then -- cgit v1.2.3 From c8ec16651ea05e160f5dd51dc70f0db946ee2761 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 2 Jan 2004 17:53:04 +1100 Subject: - (djm) Remove useless DNS support configure summary message. from jakob@ --- ChangeLog | 3 ++- configure.ac | 3 +-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 53043c4ef..95f3dcf2c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20040102 - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from jakob@ + - (djm) Remove useless DNS support configure summary message. from jakob@ 20031231 - (dtucker) OpenBSD CVS Sync @@ -1641,4 +1642,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3159 2004/01/02 06:52:10 djm Exp $ +$Id: ChangeLog,v 1.3160 2004/01/02 06:53:04 djm Exp $ diff --git a/configure.ac b/configure.ac index bb7e59be0..dc81dafe1 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.180 2004/01/02 06:52:10 djm Exp $ +# $Id: configure.ac,v 1.181 2004/01/02 06:53:04 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -2727,7 +2727,6 @@ if test ! -z "$superuser_path" ; then echo " sshd superuser user PATH: $J" fi echo " Manpage format: $MANTYPE" -echo " DNS support: $DNS_MSG" echo " PAM support: $PAM_MSG" echo " KerberosV support: $KRB5_MSG" echo " Smartcard support: $SCARD_MSG" -- cgit v1.2.3 From 0f47c53742a31b9682c05660dd8de1e860fb1fc5 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 2 Jan 2004 18:01:30 +1100 Subject: - (djm) OSX/Darwin put the PAM headers in a different place, detect this. Report from jakob@ --- ChangeLog | 4 +++- auth-pam.c | 6 +++++- configure.ac | 11 ++++++++--- includes.h | 4 ++++ 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 95f3dcf2c..0248a6308 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from jakob@ - (djm) Remove useless DNS support configure summary message. from jakob@ + - (djm) OSX/Darwin put the PAM headers in a different place, detect this. + Report from jakob@ 20031231 - (dtucker) OpenBSD CVS Sync @@ -1642,4 +1644,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3160 2004/01/02 06:53:04 djm Exp $ +$Id: ChangeLog,v 1.3161 2004/01/02 07:01:30 djm Exp $ diff --git a/auth-pam.c b/auth-pam.c index 9edf2c54e..31e1999f0 100644 --- a/auth-pam.c +++ b/auth-pam.c 
@@ -31,10 +31,14 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.86 2003/12/18 05:08:59 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.87 2004/01/02 07:01:31 djm Exp $"); #ifdef USE_PAM +#if defined(HAVE_SECURITY_PAM_APPL_H) #include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif #include "auth.h" #include "auth-pam.h" diff --git a/configure.ac b/configure.ac index dc81dafe1..9127489de 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.181 2004/01/02 06:53:04 djm Exp $ +# $Id: configure.ac,v 1.182 2004/01/02 07:01:31 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -499,7 +499,7 @@ int main(){exit(0);} AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \ getopt.h glob.h ia.h lastlog.h limits.h login.h \ login_cap.h maillock.h netdb.h netgroup.h \ - netinet/in_systm.h paths.h pty.h readpassphrase.h \ + netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ @@ -929,7 +929,8 @@ AC_ARG_WITH(pam, [ --with-pam Enable PAM support ], [ if test "x$withval" != "xno" ; then - if test "x$ac_cv_header_security_pam_appl_h" != "xyes" ; then + if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \ + test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then AC_MSG_ERROR([PAM headers not found]) fi @@ -958,7 +959,11 @@ if test "x$PAM_MSG" = "xyes" ; then AC_TRY_COMPILE( [ #include +#if defined(HAVE_SECURITY_PAM_APPL_H) #include +#elif defined (HAVE_PAM_PAM_APPL_H) +#include +#endif ], [(void)pam_strerror((pam_handle_t *)NULL, -1);], [AC_MSG_RESULT(no)], diff --git a/includes.h b/includes.h index 033cd91fa..ac9a950e0 100644 --- a/includes.h +++ b/includes.h 
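Review bot: The new `#if defined(HAVE_SECURITY_PAM_APPL_H) ... #elif defined (HAVE_PAM_PAM_APPL_H) ... #endif` selection in auth-pam.c has no fallback, so a USE_PAM build where neither macro is set includes nothing and fails later on undeclared PAM types instead of at the include. An explicit `#else` / `# error "USE_PAM is set but no pam_appl.h header was detected"` would make the cause obvious. The same selection is added to includes.h in this commit, and auth-pam.c already includes includes.h just above this block, so the copy here looks redundant and could be dropped to keep the choice in one place.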
@@ -147,7 +147,11 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } # include /* For INADDR_LOOPBACK */ #endif #ifdef USE_PAM +#if defined(HAVE_SECURITY_PAM_APPL_H) # include +#elif defined (HAVE_PAM_PAM_APPL_H) +# include +#endif #endif #ifdef HAVE_READPASSPHRASE_H # include -- cgit v1.2.3 From 3c80d4a7b7492cca812f1963c29686bbb99a19b7 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 2 Jan 2004 18:02:44 +1100 Subject: - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from jakob@ --- acconfig.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/acconfig.h b/acconfig.h index 10ffd6bad..2a5c4334c 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.169 2003/12/17 07:53:26 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.170 2004/01/02 07:02:44 djm Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -430,6 +430,9 @@ /* Define if HEADER.ad exists in arpa/nameser.h */ #undef HAVE_HEADER_AD +/* Define if your resolver libs need this for getrrsetbyname */ +#undef BIND_8_COMPAT + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ -- cgit v1.2.3 From e918318f2b1b7429ebd5d1fecf13d0692d4f0280 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 5 Jan 2004 08:16:34 +1100 Subject: - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from cjwatson at debian.org. --- ChangeLog | 6 +++++- contrib/ssh-copy-id | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0248a6308..d8cd1a170 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040105 + - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from + cjwatson at debian.org. + 20040102 - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from jakob@ 
@@ -1644,4 +1648,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3161 2004/01/02 07:01:30 djm Exp $ +$Id: ChangeLog,v 1.3162 2004/01/04 21:16:34 dtucker Exp $ diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id index a1ad34a8d..a1c0a9234 100644 --- a/contrib/ssh-copy-id +++ b/contrib/ssh-copy-id @@ -38,7 +38,7 @@ if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then exit 1 fi -{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" +{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1 cat < Date: Mon, 5 Jan 2004 22:36:51 +1100 Subject: - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] Only enable KerberosGetAFSToken if Heimdal's libkafs is found. with jakob@ --- ChangeLog | 4 +++- acconfig.h | 5 ++++- configure.ac | 7 ++++++- includes.h | 5 +++++ servconf.c | 4 ++++ session.c | 2 +- 6 files changed, 23 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index d8cd1a170..e6311050f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20040105 - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from cjwatson at debian.org. + - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] + Only enable KerberosGetAFSToken if Heimdal's libkafs is found. with jakob@ 20040102 - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from @@ -1648,4 +1650,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3162 2004/01/04 21:16:34 dtucker Exp $ +$Id: ChangeLog,v 1.3163 2004/01/05 11:36:51 dtucker Exp $ diff --git a/acconfig.h b/acconfig.h index 2a5c4334c..40162b731 100644 --- a/acconfig.h +++ b/acconfig.h 
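Review bot: On the changed line in contrib/ssh-copy-id, `$1` is still expanded unquoted, so a target containing whitespace or glob characters is split or expanded by the shell before ssh sees it; `ssh "$1" "umask 077; ..." || exit 1` keeps it as one argument. The added `|| exit 1` tests the pipeline's status, which is that of ssh as its last command, so a failure of `{ eval "$GET_ID" ; }` on the left side is not caught by this change.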
@@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.170 2004/01/02 07:02:44 djm Exp $ */ +/* $Id: acconfig.h,v 1.171 2004/01/05 11:36:52 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -256,6 +256,9 @@ /* Define this if you are using the Heimdal version of Kerberos V5 */ #undef HEIMDAL +/* Define this if you want to use Heimdal's AFS support */ +#undef AFS + /* Define if you want S/Key support */ #undef SKEY diff --git a/configure.ac b/configure.ac index 9127489de..afc4ae9b4 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.182 2004/01/02 07:01:31 djm Exp $ +# $Id: configure.ac,v 1.183 2004/01/05 11:36:52 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -2037,6 +2037,11 @@ AC_ARG_WITH(kerberos5, [ AC_MSG_RESULT(yes) AC_DEFINE(HEIMDAL) K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken" + AC_SEARCH_LIBS(k_hasafs, kafs, + [ AC_DEFINE(AFS) + K5LIBS="-lkafs $K5LIBS" + ] + ) ], [ AC_MSG_RESULT(no) K5LIBS="-lkrb5 -lk5crypto -lcom_err" diff --git a/includes.h b/includes.h index ac9a950e0..02364bbd7 100644 --- a/includes.h +++ b/includes.h @@ -169,6 +169,11 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } # include /* Openpty on FreeBSD at least */ #endif +#if defined(HEIMDAL) && defined(AFS) +# include +# include +#endif + #include /* For OPENSSL_VERSION_NUMBER */ #include "defines.h" diff --git a/servconf.c b/servconf.c index b832c75b3..04a10fadf 100644 --- a/servconf.c +++ b/servconf.c @@ -305,7 +305,11 @@ static struct { { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, +#ifdef AFS { "kerberosgetafstoken", sKerberosGetAFSToken }, +#else + { "kerberosgetafstoken", sUnsupported }, +#endif #else { "kerberosauthentication", sUnsupported }, { "kerberosorlocalpasswd", sUnsupported }, diff --git a/session.c b/session.c index 03a5ec570..cf6722c34 100644 --- a/session.c +++ b/session.c 
@@ -1415,7 +1415,7 @@ do_child(Session *s, const char *command) */ environ = env; -#ifdef KRB5 +#if defined(HEIMDAL) && defined(AFS) /* * At this point, we check to see if AFS is active and if we have * a valid Kerberos 5 TGT. If so, it seems like a good idea to see -- cgit v1.2.3 From 0234e8607fc8643c0bf151d735c5771caf61f9f8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 8 Jan 2004 23:32:04 +1100 Subject: - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and only define if not already. From des at freebsd.org. --- ChangeLog | 6 +++++- auth-pam.c | 4 +--- defines.h | 6 +++++- 3 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index e6311050f..a79b9fcf8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040108 + - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and + only define if not already. From des at freebsd.org. + 20040105 - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from cjwatson at debian.org. @@ -1650,4 +1654,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3163 2004/01/05 11:36:51 dtucker Exp $ +$Id: ChangeLog,v 1.3164 2004/01/08 12:32:04 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 31e1999f0..5c77edb66 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.87 2004/01/02 07:01:31 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.88 2004/01/08 12:32:04 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -59,8 +59,6 @@ extern ServerOptions options; extern Buffer loginmsg; extern int compat20; -#define __unused - #ifdef USE_POSIX_THREADS #include /* diff --git a/defines.h b/defines.h index d84c378dc..18d8995db 100644 --- a/defines.h +++ b/defines.h 
@@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.106 2003/12/18 23:58:43 dtucker Exp $ */ +/* $Id: defines.h,v 1.107 2004/01/08 12:32:04 dtucker Exp $ */ /* Constants */ @@ -129,6 +129,10 @@ including rpc/rpc.h breaks Solaris 6 #define INADDR_LOOPBACK ((u_long)0x7f000001) #endif +#ifndef __unused +#define __unused +#endif + /* Types */ /* If sys/types.h does not supply intXX_t, supply them ourselves */ -- cgit v1.2.3 From fd0894adae297f5ce1695d78b5738e21414d480c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 9 Jan 2004 00:19:25 +1100 Subject: - (dtucker) [configure.ac] Remove extra (typo) comma. --- ChangeLog | 3 ++- configure.ac | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a79b9fcf8..be12d3738 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20040108 - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and only define if not already. From des at freebsd.org. + - (dtucker) [configure.ac] Remove extra (typo) comma. 20040105 - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from @@ -1654,4 +1655,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3164 2004/01/08 12:32:04 dtucker Exp $ +$Id: ChangeLog,v 1.3165 2004/01/08 13:19:25 dtucker Exp $ diff --git a/configure.ac b/configure.ac index afc4ae9b4..10025cbc8 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.183 2004/01/05 11:36:52 dtucker Exp $ +# $Id: configure.ac,v 1.184 2004/01/08 13:19:25 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -793,7 +793,7 @@ AC_CHECK_FUNCS(setresuid, [ int main(){errno=0; setresuid(0,0,0); if (errno==ENOSYS) exit(1); else exit(0);} ], [AC_MSG_RESULT(yes)], - [AC_DEFINE(BROKEN_SETRESUID), + [AC_DEFINE(BROKEN_SETRESUID) AC_MSG_RESULT(not implemented)] ) ]) -- cgit v1.2.3 
From 1b27c8fbcb8f59559bc3bcf4d9d6f739305b4ee8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 13 Jan 2004 22:35:58 +1100 Subject: - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No functional changes. This is in preparation for a change to catch the authentication thread exitting unexpectedly, to split functional and cosmetic changes. --- ChangeLog | 6 +++++- auth-pam.c | 27 +++++++++++++++------------ 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index be12d3738..11329d812 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040113 + - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No + functional changes. + 20040108 - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and only define if not already. From des at freebsd.org. @@ -1655,4 +1659,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3165 2004/01/08 13:19:25 dtucker Exp $ +$Id: ChangeLog,v 1.3166 2004/01/13 11:35:58 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 5c77edb66..fe2ae7711 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.88 2004/01/08 12:32:04 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.89 2004/01/13 11:35:59 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) 
@@ -68,10 +68,23 @@ extern int compat20; */ typedef pthread_t sp_pthread_t; #else +typedef pid_t sp_pthread_t; +#endif + +struct pam_ctxt { + sp_pthread_t pam_thread; + int pam_psock; + int pam_csock; + int pam_done; +}; + +static void sshpam_free_ctx(void *); +static struct pam_ctxt *cleanup_ctxt; + +#ifndef USE_POSIX_THREADS /* * Simulate threads with processes. */ -typedef pid_t sp_pthread_t; static void pthread_exit(void *value __unused) @@ -124,16 +137,6 @@ static int sshpam_cred_established = 0; static int sshpam_account_status = -1; static char **sshpam_env = NULL; -struct pam_ctxt { - sp_pthread_t pam_thread; - int pam_psock; - int pam_csock; - int pam_done; -}; - -static void sshpam_free_ctx(void *); -static struct pam_ctxt *cleanup_ctxt; - /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST static char ** -- cgit v1.2.3 From 749bc95bd81aca8c69829551f9f1ae8c7d0bdefa Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 14 Jan 2004 22:14:04 +1100 Subject: - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits unexpectedly. with & ok djm@ --- ChangeLog | 6 +++++- auth-pam.c | 23 ++++++++++++++++++++++- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 11329d812..95c575f41 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040114 + - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits + unexpectedly. with & ok djm@ + 20040113 - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No functional changes. @@ -1659,4 +1663,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3166 2004/01/13 11:35:58 dtucker Exp $ +$Id: ChangeLog,v 1.3167 2004/01/14 11:14:04 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index fe2ae7711..14d0c7b7f 100644 --- a/auth-pam.c +++ b/auth-pam.c 
@@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.89 2004/01/13 11:35:59 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.90 2004/01/14 11:14:05 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -86,6 +86,23 @@ static struct pam_ctxt *cleanup_ctxt; * Simulate threads with processes. */ +static int sshpam_thread_status = -1; +static mysig_t sshpam_oldsig; + +static void +sshpam_sigchld_handler(int sig) +{ + if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) == -1) + return; /* couldn't wait for process */ + if (WIFSIGNALED(sshpam_thread_status) && + WTERMSIG(sshpam_thread_status) == SIGTERM) + return; /* terminated by pthread_cancel */ + if (!WIFEXITED(sshpam_thread_status)) + fatal("PAM: authentication thread exited unexpectedly"); + if (WEXITSTATUS(sshpam_thread_status) != 0) + fatal("PAM: authentication thread exited uncleanly"); +} + static void pthread_exit(void *value __unused) { @@ -107,6 +124,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused, _exit(1); default: *thread = pid; + sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler); return (0); } } @@ -122,6 +140,9 @@ pthread_join(sp_pthread_t thread, void **value __unused) { int status; + if (sshpam_thread_status != -1) + return (sshpam_thread_status); + signal(SIGCHLD, sshpam_oldsig); waitpid(thread, &status, 0); return (status); } -- cgit v1.2.3 From 7ae09627982e4a7cdf072f8900b212c9b590c23c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 14 Jan 2004 23:07:56 +1100 Subject: - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add test for case where cleanup has already run. --- ChangeLog | 4 +++- auth-pam.c | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 95c575f41..614fe9430 100644 --- a/ChangeLog +++ b/ChangeLog 
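Review bot: `sshpam_sigchld_handler` calls `fatal()` from signal context; fatal() is defined outside this hunk, but if it logs or runs cleanup it is not async-signal-safe and can re-enter whatever the monitor was interrupted in. The handler would be safer if it only reaped the child and set a flag such as `static volatile sig_atomic_t sshpam_thread_exited;`, with the fatal() decision taken by the code that waits on the thread. It should also save and restore `errno` around `waitpid()`, and `sshpam_thread_status` is a plain `static int` shared between the handler and `pthread_join`.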
@@ -1,6 +1,8 @@ 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits unexpectedly. with & ok djm@ + - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add + test for case where cleanup has already run. 20040113 - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No @@ -1663,4 +1665,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3167 2004/01/14 11:14:04 dtucker Exp $ +$Id: ChangeLog,v 1.3168 2004/01/14 12:07:56 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 14d0c7b7f..45c5e0a0a 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.90 2004/01/14 11:14:05 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.91 2004/01/14 12:07:56 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -92,6 +92,8 @@ static mysig_t sshpam_oldsig; static void sshpam_sigchld_handler(int sig) { + if (cleanup_ctxt == NULL) + return; /* handler called after PAM cleanup, shouldn't happen */ if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0) == -1) return; /* couldn't wait for process */ if (WIFSIGNALED(sshpam_thread_status) && @@ -132,6 +134,7 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused, static int pthread_cancel(sp_pthread_t thread) { + signal(SIGCHLD, sshpam_oldsig); return (kill(thread, SIGTERM)); } -- cgit v1.2.3 From a8df9248cea285d1a6d6d1ec8d33a24f208fdc42 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 15 Jan 2004 00:15:07 +1100 Subject: - (dtucker) [auth-pam.c] Add minor debugging. --- ChangeLog | 3 ++- auth-pam.c | 15 ++++++++++++--- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 614fe9430..0e48d5743 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -3,6 +3,7 @@ unexpectedly. with & ok djm@ - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add test for case where cleanup has already run. + - (dtucker) [auth-pam.c] Add minor debugging. 20040113 - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No @@ -1665,4 +1666,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3168 2004/01/14 12:07:56 dtucker Exp $ +$Id: ChangeLog,v 1.3169 2004/01/14 13:15:07 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 45c5e0a0a..0e2725b80 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.91 2004/01/14 12:07:56 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.92 2004/01/14 13:15:08 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -178,6 +178,7 @@ pam_getenvlist(pam_handle_t *pamh) void pam_password_change_required(int reqd) { + debug3("%s %d", __func__, reqd); sshpam_new_authtok_reqd = reqd; if (reqd) { no_port_forwarding_flag |= 2; @@ -198,6 +199,8 @@ import_environments(Buffer *b) u_int i, num_env; int err; + debug3("PAM: %s entering", __func__); + /* Import variables set by do_pam_account */ sshpam_account_status = buffer_get_int(b); pam_password_change_required(buffer_get_int(b)); @@ -239,6 +242,7 @@ sshpam_thread_conv(int n, const struct pam_message **msg, struct pam_response *reply; int i; + debug3("PAM: %s entering, %d responses", __func__, n); *resp = NULL; ctxt = data; @@ -397,6 +401,7 @@ sshpam_thread_cleanup(void) { struct pam_ctxt *ctxt = cleanup_ctxt; + debug3("PAM: %s entering", __func__); if (ctxt != NULL && ctxt->pam_thread != 0) { pthread_cancel(ctxt->pam_thread); pthread_join(ctxt->pam_thread, NULL); 
@@ -411,6 +416,7 @@ static int sshpam_null_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { + debug3("PAM: %s entering, %d responses", __func__, n); return (PAM_CONV_ERR); } @@ -491,6 +497,7 @@ sshpam_init_ctx(Authctxt *authctxt) struct pam_ctxt *ctxt; int socks[2]; + debug3("PAM: %s entering", __func__); /* Refuse to start if we don't have PAM enabled */ if (!options.use_pam) return NULL; @@ -535,6 +542,7 @@ sshpam_query(void *ctx, char **name, char **info, char *msg; size_t len; + debug3("PAM: %s entering", __func__); buffer_init(&buffer); *name = xstrdup(""); *info = xstrdup(""); @@ -601,7 +609,7 @@ sshpam_respond(void *ctx, u_int num, char **resp) Buffer buffer; struct pam_ctxt *ctxt = ctx; - debug2("PAM: %s", __func__); + debug2("PAM: %s entering, %d responses", __func__, num); switch (ctxt->pam_done) { case 1: sshpam_authenticated = 1; @@ -630,6 +638,7 @@ sshpam_free_ctx(void *ctxtp) { struct pam_ctxt *ctxt = ctxtp; + debug3("PAM: %s entering", __func__); sshpam_thread_cleanup(); xfree(ctxt); /* @@ -682,7 +691,7 @@ do_pam_account(void) return (sshpam_account_status); sshpam_err = pam_acct_mgmt(sshpam_handle, 0); - debug3("%s: pam_acct_mgmt = %d", __func__, sshpam_err); + debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { sshpam_account_status = 0; -- cgit v1.2.3 From 44f75c14f6f1eacfe6e1c98eae742019de24ad6a Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Jan 2004 10:58:47 +1100 Subject: - djm@cvs.openbsd.org 2004/01/13 09:25:05 [sftp-int.c sftp.1 sftp.c] Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and enable use of "-b -" to accept batchfile from stdin; ok markus@ --- ChangeLog | 9 ++++++++- sftp-int.c | 11 ++++++++--- sftp.1 | 9 +++++++-- sftp.c | 28 ++++++++++++++++------------ 4 files changed, 39 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0e48d5743..9985b57ff 100644 
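Review bot: In sshpam_respond the rewritten `debug2("PAM: %s entering, %d responses", __func__, num);` prints `num` with `%d` although the signature in the hunk header declares it `u_int`. Use `%u` so the conversion matches the argument type: `debug2("PAM: %s entering, %u responses", __func__, num);`. The count presumably originates from the peer, so a mismatched conversion would show very large values as negative numbers in the log.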
--- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20040121 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/01/13 09:25:05 + [sftp-int.c sftp.1 sftp.c] + Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and + enable use of "-b -" to accept batchfile from stdin; ok markus@ + 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits unexpectedly. with & ok djm@ @@ -1666,4 +1673,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3169 2004/01/14 13:15:07 dtucker Exp $ +$Id: ChangeLog,v 1.3170 2004/01/20 23:58:47 djm Exp $ diff --git a/sftp-int.c b/sftp-int.c index edb475bbb..a9423fe69 100644 --- a/sftp-int.c +++ b/sftp-int.c @@ -25,7 +25,7 @@ /* XXX: recursive operations */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.65 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: sftp-int.c,v 1.66 2004/01/13 09:25:05 djm Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -41,6 +41,9 @@ RCSID("$OpenBSD: sftp-int.c,v 1.65 2003/11/21 11:57:03 djm Exp $"); /* File to read commands from */ extern FILE *infile; +/* Are we in batchfile mode? */ +extern int batchmode; + /* Size of buffer used when copying files */ extern size_t copy_buffer_len; @@ -1172,14 +1175,16 @@ interactive_loop(int fd_in, int fd_out, char *file1, char *file2) if (fgets(cmd, sizeof(cmd), infile) == NULL) { printf("\n"); break; - } else if (infile != stdin) /* Bluff typing */ + } + + if (batchmode) /* Echo command */ printf("%s", cmd); cp = strrchr(cmd, '\n'); if (cp) *cp = '\0'; - err = parse_dispatch_command(conn, cmd, &pwd, infile != stdin); + err = parse_dispatch_command(conn, cmd, &pwd, batchmode); if (err != 0) break; } diff --git a/sftp.1 b/sftp.1 index 8563e2bdd..cfa2e10b3 100644 --- a/sftp.1 +++ b/sftp.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.49 2003/12/16 15:49:51 markus Exp $ +.\" $OpenBSD: sftp.1,v 1.50 2004/01/13 09:25:05 djm Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -99,7 +99,12 @@ Batch mode reads a series of commands from an input instead of .Em stdin . Since it lacks user interaction it should be used in conjunction with -non-interactive authentication. +non-interactive authentication. +A +.Ar batchfile +of +.Sq Ic \- +may be used to indicate standard input. .Nm will abort if any of the following commands fail: diff --git a/sftp.c b/sftp.c index fddc6875f..e288302fa 100644 --- a/sftp.c +++ b/sftp.c @@ -24,7 +24,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.38 2003/10/08 08:27:36 jmc Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.39 2004/01/13 09:25:05 djm Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -43,7 +43,8 @@ extern char *__progname; char *__progname; #endif -FILE* infile; +FILE* infile = stdin; +int batchmode = 0; size_t copy_buffer_len = 32768; size_t num_requests = 16; static pid_t sshpid = -1; @@ -141,7 +142,6 @@ main(int argc, char **argv) addargs(&args, "-oForwardAgent no"); addargs(&args, "-oClearAllForwardings yes"); ll = SYSLOG_LEVEL_INFO; - infile = stdin; /* Read from STDIN unless changed by -b */ while ((ch = getopt(argc, argv, "1hvCo:s:S:b:B:F:P:R:")) != -1) { switch (ch) { @@ -171,13 +171,15 @@ main(int argc, char **argv) ssh_program = optarg; break; case 'b': - if (infile == stdin) { - infile = fopen(optarg, "r"); - if (infile == NULL) - fatal("%s (%s).", strerror(errno), optarg); - } else - fatal("Filename already specified."); + if (batchmode) + fatal("Batch file already specified."); + + /* Allow "-" as stdin */ + if (strcmp(optarg, "-") != 0 && + (infile = fopen(optarg, "r")) == NULL) + fatal("%s (%s).", strerror(errno), optarg); showprogress = 0; + batchmode = 1; break; case 'P': sftp_direct = optarg; 
@@ -241,13 +243,15 @@ main(int argc, char **argv) sftp_server : "sftp")); args.list[0] = ssh_program; - fprintf(stderr, "Connecting to %s...\n", host); + if (!batchmode) + fprintf(stderr, "Connecting to %s...\n", host); connect_to_server(ssh_program, args.list, &in, &out); } else { args.list = NULL; addargs(&args, "sftp-server"); - fprintf(stderr, "Attaching to %s...\n", sftp_direct); + if (!batchmode) + fprintf(stderr, "Attaching to %s...\n", sftp_direct); connect_to_server(sftp_direct, args.list, &in, &out); } @@ -260,7 +264,7 @@ main(int argc, char **argv) close(in); close(out); - if (infile != stdin) + if (batchmode) fclose(infile); while (waitpid(sshpid, NULL, 0) == -1) -- cgit v1.2.3 From 86a396857d4021a5f17c018654e2b7759c84dd04 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Jan 2004 11:00:04 +1100 Subject: - jmc@cvs.openbsd.org 2004/01/13 12:17:33 [sftp.1] remove unnecessary Ic's; kill whitespace at EOL; ok djm@ --- ChangeLog | 7 ++++++- sftp.1 | 12 ++++++------ 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9985b57ff..2c6dc85e3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,11 @@ [sftp-int.c sftp.1 sftp.c] Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and enable use of "-b -" to accept batchfile from stdin; ok markus@ + - jmc@cvs.openbsd.org 2004/01/13 12:17:33 + [sftp.1] + remove unnecessary Ic's; + kill whitespace at EOL; + ok djm@ 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits @@ -1673,4 +1678,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3170 2004/01/20 23:58:47 djm Exp $ +$Id: ChangeLog,v 1.3171 2004/01/21 00:00:04 djm Exp $ diff --git a/sftp.1 b/sftp.1 index cfa2e10b3..2a67a888e 100644 --- a/sftp.1 +++ b/sftp.1 
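Review bot: The final `if (batchmode) fclose(infile);` in main now also runs for `-b -`, where infile is still stdin, whereas the old `infile != stdin` test never closed the standard stream. Keeping both conditions preserves the previous behaviour: `if (batchmode && infile != stdin) fclose(infile);`. main's body starts and ends outside this hunk.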
@@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.50 2004/01/13 09:25:05 djm Exp $ +.\" $OpenBSD: sftp.1,v 1.51 2004/01/13 12:17:33 jmc Exp $ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" @@ -99,11 +99,11 @@ Batch mode reads a series of commands from an input instead of .Em stdin . Since it lacks user interaction it should be used in conjunction with -non-interactive authentication. +non-interactive authentication. A -.Ar batchfile -of -.Sq Ic \- +.Ar batchfile +of +.Sq \- may be used to indicate standard input. .Nm will abort if any of the following @@ -115,7 +115,7 @@ and .Ic lmkdir . Termination on error can be suppressed on a command by command basis by prefixing the command with a -.Sq Ic \- +.Sq \- character (for example, .Ic -rm /tmp/blah* ) . .It Fl C -- cgit v1.2.3 From 8f341f8b8b9e3fba2919b04cab2e3ce9df0f4139 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Jan 2004 11:00:46 +1100 Subject: - markus@cvs.openbsd.org 2004/01/13 19:23:15 [compress.c session.c] -Wall; ok henning --- ChangeLog | 5 ++++- compress.c | 6 +++--- session.c | 6 +++++- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2c6dc85e3..91cb0505f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ remove unnecessary Ic's; kill whitespace at EOL; ok djm@ + - markus@cvs.openbsd.org 2004/01/13 19:23:15 + [compress.c session.c] + -Wall; ok henning 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits @@ -1678,4 +1681,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3171 2004/01/21 00:00:04 djm Exp $ +$Id: ChangeLog,v 1.3172 2004/01/21 00:00:46 djm Exp $ diff --git a/compress.c b/compress.c index 85a361d3a..2dea7cf36 100644 --- a/compress.c +++ b/compress.c 
@@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compress.c,v 1.19 2002/03/18 17:31:54 provos Exp $"); +RCSID("$OpenBSD: compress.c,v 1.20 2004/01/13 19:23:15 markus Exp $"); #include "log.h" #include "buffer.h" @@ -56,11 +56,11 @@ buffer_compress_init_recv(void) void buffer_compress_uninit(void) { - debug("compress outgoing: raw data %lu, compressed %lu, factor %.2f", + debug("compress outgoing: raw data %llu, compressed %llu, factor %.2f", outgoing_stream.total_in, outgoing_stream.total_out, outgoing_stream.total_in == 0 ? 0.0 : (double) outgoing_stream.total_out / outgoing_stream.total_in); - debug("compress incoming: raw data %lu, compressed %lu, factor %.2f", + debug("compress incoming: raw data %llu, compressed %llu, factor %.2f", incoming_stream.total_out, incoming_stream.total_in, incoming_stream.total_out == 0 ? 0.0 : (double) incoming_stream.total_in / incoming_stream.total_out); diff --git a/session.c b/session.c index cf6722c34..82e1996af 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $"); +RCSID("$OpenBSD: session.c,v 1.171 2004/01/13 19:23:15 markus Exp $"); #include "ssh.h" #include "ssh1.h" @@ -58,6 +58,10 @@ RCSID("$OpenBSD: session.c,v 1.170 2003/12/23 16:12:10 jakob Exp $"); #include "session.h" #include "monitor_wrap.h" +#ifdef KRB5 +#include +#endif + #ifdef GSSAPI #include "ssh-gss.h" #endif -- cgit v1.2.3 From f84fed6f71fae6627f21c578dd1192e3014dac96 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Jan 2004 11:01:23 +1100 Subject: - markus@cvs.openbsd.org 2004/01/13 19:45:15 [compress.c] cast for portability; millert@ --- ChangeLog | 5 ++++- compress.c | 8 +++++--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 91cb0505f..48a4c2b1a 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -12,6 +12,9 @@ - markus@cvs.openbsd.org 2004/01/13 19:23:15 [compress.c session.c] -Wall; ok henning + - markus@cvs.openbsd.org 2004/01/13 19:45:15 + [compress.c] + cast for portability; millert@ 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits @@ -1681,4 +1684,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3172 2004/01/21 00:00:46 djm Exp $ +$Id: ChangeLog,v 1.3173 2004/01/21 00:01:23 djm Exp $ diff --git a/compress.c b/compress.c index 2dea7cf36..0d1c7e55e 100644 --- a/compress.c +++ b/compress.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compress.c,v 1.20 2004/01/13 19:23:15 markus Exp $"); +RCSID("$OpenBSD: compress.c,v 1.21 2004/01/13 19:45:15 markus Exp $"); #include "log.h" #include "buffer.h" @@ -57,11 +57,13 @@ void buffer_compress_uninit(void) { debug("compress outgoing: raw data %llu, compressed %llu, factor %.2f", - outgoing_stream.total_in, outgoing_stream.total_out, + (unsigned long long)outgoing_stream.total_in, + (unsigned long long)outgoing_stream.total_out, outgoing_stream.total_in == 0 ? 0.0 : (double) outgoing_stream.total_out / outgoing_stream.total_in); debug("compress incoming: raw data %llu, compressed %llu, factor %.2f", - incoming_stream.total_out, incoming_stream.total_in, + (unsigned long long)incoming_stream.total_out, + (unsigned long long)incoming_stream.total_in, incoming_stream.total_out == 0 ? 0.0 : (double) incoming_stream.total_in / incoming_stream.total_out); if (compress_init_recv_called == 1 && inflate_failed == 0) -- cgit v1.2.3 From a04ad496f65ba1c0b6c71c13943ede2711464bc3 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Wed, 21 Jan 2004 11:02:09 +1100 Subject: - markus@cvs.openbsd.org 2004/01/19 09:24:21 [channels.c] fake consumption for half closed channels since the peer is waiting for window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@ reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo' --- ChangeLog | 7 ++++++- channels.c | 22 +++++++++++++++++----- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 48a4c2b1a..e88f86d7c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,11 @@ - markus@cvs.openbsd.org 2004/01/13 19:45:15 [compress.c] cast for portability; millert@ + - markus@cvs.openbsd.org 2004/01/19 09:24:21 + [channels.c] + fake consumption for half closed channels since the peer is waiting for + window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@ + reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo' 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits @@ -1684,4 +1689,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3173 2004/01/21 00:01:23 djm Exp $ +$Id: ChangeLog,v 1.3174 2004/01/21 00:02:09 djm Exp $ diff --git a/channels.c b/channels.c index 14405bd4b..e663c2159 100644 --- a/channels.c +++ b/channels.c @@ -39,7 +39,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: channels.c,v 1.199 2003/12/02 17:01:14 markus Exp $"); +RCSID("$OpenBSD: channels.c,v 1.200 2004/01/19 09:24:21 markus Exp $"); #include "ssh.h" #include "ssh1.h" 
@@ -1817,13 +1817,25 @@ channel_input_data(int type, u_int32_t seq, void *ctxt) c->type != SSH_CHANNEL_X11_OPEN) return; - /* same for protocol 1.5 if output end is no longer open */ - if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) - return; - /* Get the data. */ data = packet_get_string(&data_len); + /* + * Ignore data for protocol > 1.3 if output end is no longer open. + * For protocol 2 the sending side is reducing its window as it sends + * data, so we must 'fake' consumption of the data in order to ensure + * that window updates are sent back. Otherwise the connection might + * deadlock. + */ + if (!compat13 && c->ostate != CHAN_OUTPUT_OPEN) { + if (compat20) { + c->local_window -= data_len; + c->local_consumed += data_len; + } + xfree(data); + return; + } + if (compat20) { if (data_len > c->local_maxpacket) { logit("channel %d: rcvd big packet %d, maxpack %d", -- cgit v1.2.3 From fb1310eded0788f106dc7e1f113cc75e1206cb60 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 21 Jan 2004 11:02:50 +1100 Subject: - markus@cvs.openbsd.org 2004/01/19 21:25:15 [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c] fix mem leaks; some fixes from Pete Flugstad; tested dtucker@ --- ChangeLog | 5 ++++- auth2-hostbased.c | 4 ++-- auth2-pubkey.c | 6 +++--- serverloop.c | 14 +++++++------- ssh-keysign.c | 3 ++- sshconnect2.c | 8 ++++---- 6 files changed, 22 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index e88f86d7c..70eebf71e 100644 --- a/ChangeLog +++ b/ChangeLog 
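Review bot: The new half-closed branch in channel_input_data applies the peer-supplied `data_len` to `c->local_window` and `c->local_consumed` before the `data_len > c->local_maxpacket` test that the normal protocol 2 path runs just below, and before any window check that may follow outside the hunk. If local_window is unsigned (its declaration is not visible here), a peer that sends more than the advertised window on a half-closed channel would wrap the counter instead of being rejected. Consider bounding the adjustment, e.g. `if (data_len <= c->local_window) { c->local_window -= data_len; c->local_consumed += data_len; }`, or taking the early return only after the existing size checks have run.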
@@ -20,6 +20,9 @@ fake consumption for half closed channels since the peer is waiting for window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@ reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo' + - markus@cvs.openbsd.org 2004/01/19 21:25:15 + [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c] + fix mem leaks; some fixes from Pete Flugstad; tested dtucker@ 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits @@ -1689,4 +1692,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3174 2004/01/21 00:02:09 djm Exp $ +$Id: ChangeLog,v 1.3175 2004/01/21 00:02:50 djm Exp $ diff --git a/auth2-hostbased.c b/auth2-hostbased.c index 505d3eff4..1111ed67a 100644 --- a/auth2-hostbased.c +++ b/auth2-hostbased.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2-hostbased.c,v 1.5 2003/06/24 08:23:46 markus Exp $"); +RCSID("$OpenBSD: auth2-hostbased.c,v 1.6 2004/01/19 21:25:15 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" @@ -114,7 +114,7 @@ userauth_hostbased(Authctxt *authctxt) buffer_len(&b))) == 1) authenticated = 1; - buffer_clear(&b); + buffer_free(&b); done: debug2("userauth_hostbased: authenticated %d", authenticated); if (key != NULL) diff --git a/auth2-pubkey.c b/auth2-pubkey.c index c28571ab6..3063eecc3 100644 --- a/auth2-pubkey.c +++ b/auth2-pubkey.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2-pubkey.c,v 1.5 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: auth2-pubkey.c,v 1.6 2004/01/19 21:25:15 markus Exp $"); #include "ssh2.h" #include "xmalloc.h" 
@@ -123,9 +123,9 @@ userauth_pubkey(Authctxt *authctxt) authenticated = 0; if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), - buffer_len(&b))) == 1) + buffer_len(&b))) == 1) authenticated = 1; - buffer_clear(&b); + buffer_free(&b); xfree(sig); } else { debug("test whether pkalg/pkblob are acceptable"); diff --git a/serverloop.c b/serverloop.c index bc7cd656a..a777a048d 100644 --- a/serverloop.c +++ b/serverloop.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: serverloop.c,v 1.114 2003/12/09 15:28:43 markus Exp $"); +RCSID("$OpenBSD: serverloop.c,v 1.115 2004/01/19 21:25:15 markus Exp $"); #include "xmalloc.h" #include "packet.h" @@ -850,7 +850,7 @@ server_input_window_size(int type, u_int32_t seq, void *ctxt) } static Channel * -server_request_direct_tcpip(char *ctype) +server_request_direct_tcpip(void) { Channel *c; int sock; @@ -872,14 +872,14 @@ server_request_direct_tcpip(char *ctype) xfree(originator); if (sock < 0) return NULL; - c = channel_new(ctype, SSH_CHANNEL_CONNECTING, + c = channel_new("direct-tcpip", SSH_CHANNEL_CONNECTING, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "direct-tcpip", 1); return c; } static Channel * -server_request_session(char *ctype) +server_request_session(void) { Channel *c; @@ -891,7 +891,7 @@ server_request_session(char *ctype) * SSH_CHANNEL_LARVAL. Additionally, a callback for handling all * CHANNEL_REQUEST messages is registered. */ - c = channel_new(ctype, SSH_CHANNEL_LARVAL, + c = channel_new("session", SSH_CHANNEL_LARVAL, -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT, 0, "server-session", 1); if (session_open(the_authctxt, c->self) != 1) { 
@@ -920,9 +920,9 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt) ctype, rchan, rwindow, rmaxpack); if (strcmp(ctype, "session") == 0) { - c = server_request_session(ctype); + c = server_request_session(); } else if (strcmp(ctype, "direct-tcpip") == 0) { - c = server_request_direct_tcpip(ctype); + c = server_request_direct_tcpip(); } if (c != NULL) { debug("server_input_channel_open: confirm %s", ctype); diff --git a/ssh-keysign.c b/ssh-keysign.c index b3db628c6..9e9ebe2f1 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c @@ -22,7 +22,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: ssh-keysign.c,v 1.14 2003/11/17 09:45:39 djm Exp $"); +RCSID("$OpenBSD: ssh-keysign.c,v 1.15 2004/01/19 21:25:15 markus Exp $"); #include #include @@ -126,6 +126,7 @@ valid_request(struct passwd *pw, char *host, Key **ret, u_char *data, /* end of message */ if (buffer_len(&b) != 0) fail++; + buffer_free(&b); debug3("valid_request: fail %d", fail); diff --git a/sshconnect2.c b/sshconnect2.c index 281fecdc9..3a218113c 100644 --- a/sshconnect2.c +++ b/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.133 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.134 2004/01/19 21:25:15 markus Exp $"); #include "openbsd-compat/sys-queue.h" @@ -1267,7 +1267,7 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp, if (ssh_msg_recv(from[0], &b) < 0) { error("ssh_keysign: no reply"); - buffer_clear(&b); + buffer_free(&b); return -1; } close(from[0]); @@ -1279,11 +1279,11 @@ ssh_keysign(Key *key, u_char **sigp, u_int *lenp, if (buffer_get_char(&b) != version) { error("ssh_keysign: bad version"); - buffer_clear(&b); + buffer_free(&b); return -1; } *sigp = buffer_get_string(&b, lenp); - buffer_clear(&b); + buffer_free(&b); return 0; } -- cgit v1.2.3 From e4f5a82d6e4748a99fef33a08986392742cc27c8 Mon Sep 17 00:00:00 2001 
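Review bot: In ssh_keysign the `ssh_msg_recv(from[0], &b) < 0` branch now frees the buffer but still returns without closing `from[0]`, which is only closed on the line after the block, so the descriptor leaks on this error path. Add `close(from[0]);` before the `return -1;` in that branch. The function starts and ends outside the hunk, so whether the helper process is also reaped on this path cannot be checked from here.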
From: Damien Miller Date: Wed, 21 Jan 2004 14:11:05 +1100 Subject: - djm@cvs.openbsd.org 2004/01/21 03:07:59 [sftp.c] initialise infile in main, rather than statically - from portable --- ChangeLog | 5 ++++- sftp.c | 6 ++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 70eebf71e..8cebcce96 100644 --- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,9 @@ - markus@cvs.openbsd.org 2004/01/19 21:25:15 [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c] fix mem leaks; some fixes from Pete Flugstad; tested dtucker@ + - djm@cvs.openbsd.org 2004/01/21 03:07:59 + [sftp.c] + initialise infile in main, rather than statically - from portable 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits @@ -1692,4 +1695,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3175 2004/01/21 00:02:50 djm Exp $ +$Id: ChangeLog,v 1.3176 2004/01/21 03:11:05 djm Exp $ diff --git a/sftp.c b/sftp.c index e288302fa..0be27887f 100644 --- a/sftp.c +++ b/sftp.c @@ -24,7 +24,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.39 2004/01/13 09:25:05 djm Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.40 2004/01/21 03:07:59 djm Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -43,7 +43,7 @@ extern char *__progname; char *__progname; #endif -FILE* infile = stdin; +FILE* infile; int batchmode = 0; size_t copy_buffer_len = 32768; size_t num_requests = 16; @@ -141,7 +141,9 @@ main(int argc, char **argv) addargs(&args, "-oForwardX11 no"); addargs(&args, "-oForwardAgent no"); addargs(&args, "-oClearAllForwardings yes"); + ll = SYSLOG_LEVEL_INFO; + infile = stdin; while ((ch = getopt(argc, argv, "1hvCo:s:S:b:B:F:P:R:")) != -1) { switch (ch) { -- cgit v1.2.3 From f4da3bb6cadcb26fd6edd19887b5187c13724255 Mon Sep 17 00:00:00 2001 
From: Damien Miller Date: Wed, 21 Jan 2004 17:07:16 +1100 Subject: - deraadt@cvs.openbsd.org 2004/01/11 21:55:06 [sshpty.c] for pty opening, only use the openpty() path. the other stuff only needs to be in openssh-p; markus ok - (djm) [openbsd-compat/bsd-openpty.c] Rework old sshpty.c code into an openpty() replacement --- ChangeLog | 8 +- openbsd-compat/Makefile.in | 4 +- openbsd-compat/bsd-openpty.c | 211 ++++++++++++++++++++++++++++++++++++++++ openbsd-compat/openbsd-compat.h | 7 +- sshpty.c | 192 +----------------------------------- 5 files changed, 225 insertions(+), 197 deletions(-) create mode 100644 openbsd-compat/bsd-openpty.c diff --git a/ChangeLog b/ChangeLog index 8cebcce96..dff32c6cb 100644 --- a/ChangeLog +++ b/ChangeLog @@ -26,6 +26,12 @@ - djm@cvs.openbsd.org 2004/01/21 03:07:59 [sftp.c] initialise infile in main, rather than statically - from portable + - deraadt@cvs.openbsd.org 2004/01/11 21:55:06 + [sshpty.c] + for pty opening, only use the openpty() path. the other stuff only needs + to be in openssh-p; markus ok + - (djm) [openbsd-compat/bsd-openpty.c] Rework old sshpty.c code into an + openpty() replacement 20040114 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits @@ -1695,4 +1701,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3176 2004/01/21 03:11:05 djm Exp $ +$Id: ChangeLog,v 1.3177 2004/01/21 06:07:16 djm Exp $ diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index de9856eea..5de20abbc 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.29 2003/10/07 07:49:57 dtucker Exp $ +# $Id: Makefile.in,v 1.30 2004/01/21 06:07:23 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ 
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@ OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtoul.o vis.o -COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o +COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o xmmap.o xcrypt.o PORTS=port-irix.o port-aix.o diff --git a/openbsd-compat/bsd-openpty.c b/openbsd-compat/bsd-openpty.c new file mode 100644 index 000000000..0a3c5e211 --- /dev/null +++ b/openbsd-compat/bsd-openpty.c 
@@ -0,0 +1,211 @@ +/* + * Please note: this implementation of openpty() is far from complete. + * it is just enough for portable OpenSSH's needs. + */ + +/* + * Copyright (c) 2004 Damien Miller. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Author: Tatu Ylonen + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * Allocating a pseudo-terminal, and making it the controlling tty. + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. 
Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + */ + +#include "includes.h" +#if !defined(HAVE_OPENPTY) + +#ifdef HAVE_UTIL_H +# include +#endif /* HAVE_UTIL_H */ + +#ifdef HAVE_PTY_H +# include +#endif +#if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H) +# include +#endif + +#ifndef O_NOCTTY +#define O_NOCTTY 0 +#endif + +int +openpty(int *amaster, int *aslave, char *name, struct termios *termp, + struct winsize *winp) +{ +#if defined(HAVE__GETPTY) + /* + * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more + * pty's automagically when needed + */ + char *slave; + + if ((slave = _getpty(amaster, O_RDWR, 0622, 0)) == NULL) + return (-1); + + /* Open the slave side. */ + if ((*aslave = open(slave, O_RDWR | O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + return (0); + +#elif defined(HAVE_DEV_PTMX) + /* + * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3 + * also has bsd-style ptys, but they simply do not work.) + */ + int ptm; + char *pts; + mysig_t old_signal; + + if ((ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY)) == -1) + return (-1); + + /* XXX: need to close ptm on error? */ + old_signal = signal(SIGCHLD, SIG_DFL); + if (grantpt(ptm) < 0) + return (-1); + signal(SIGCHLD, old_signal); + + if (unlockpt(ptm) < 0) + return (-1); + + if ((pts = ptsname(ptm)) == NULL) + return (-1); + *amaster = ptm; + + /* Open the slave side. */ + if ((*aslave = open(pts, O_RDWR | O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + +#ifndef HAVE_CYGWIN + /* + * Try to push the appropriate streams modules, as described + * in Solaris pts(7). 
+ */ + ioctl(*aslave, I_PUSH, "ptem"); + ioctl(*aslave, I_PUSH, "ldterm"); +# ifndef __hpux + ioctl(*aslave, I_PUSH, "ttcompat"); +# endif /* __hpux */ +#endif /* HAVE_CYGWIN */ + + return (0); + +#elif defined(HAVE_DEV_PTS_AND_PTC) + /* AIX-style pty code. */ + const char *ttname; + + if ((*amaster = open("/dev/ptc", O_RDWR | O_NOCTTY)) == -1) + return (-1); + if ((ttname = ttyname(*amaster)) == NULL) + return (-1); + if ((*aslave = open(ttname, O_RDWR | O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + return (0); + +#elif defined(_UNICOS) + char ptbuf[64], ttbuf[64]; + int i; + int highpty; + + highpty = 128; +#ifdef _SC_CRAY_NPTY + if ((highpty = sysconf(_SC_CRAY_NPTY)) == -1) + highpty = 128; +#endif /* _SC_CRAY_NPTY */ + + for (i = 0; i < highpty; i++) { + snprintf(ptbuf, sizeof(ptbuf), "/dev/pty/%03d", i); + snprintf(ttbuf, sideof(ttbuf), "/dev/ttyp%03d", i); + if ((*amaster = open(ptbuf, O_RDWR|O_NOCTTY)) == -1) + continue; + /* Open the slave side. */ + if ((*aslave = open(ttbuf, O_RDWR|O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + return (0); + } + return (-1); + +#else + /* BSD-style pty code. */ + char ptbuf[64], ttbuf[64]; + int i; + const char *ptymajors = "pqrstuvwxyzabcdefghijklmno" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; + const char *ptyminors = "0123456789abcdef"; + int num_minors = strlen(ptyminors); + int num_ptys = strlen(ptymajors) * num_minors; + struct termios tio; + + for (i = 0; i < num_ptys; i++) { + snprintf(ptbuf, sizeof(ptbuf), "/dev/pty%c%c", + ptymajors[i / num_minors], ptyminors[i % num_minors]); + snprintf(ttbuf, sizeof(ttbuf), "/dev/tty%c%c", + ptymajors[i / num_minors], ptyminors[i % num_minors]); + + if ((*amaster = open(ptbuf, O_RDWR | O_NOCTTY)) == -1) { + /* Try SCO style naming */ + snprintf(ptbuf, sizeof(ptbuf), "/dev/ptyp%d", i); + snprintf(ttbuf, sizeof(ttbuf), "/dev/ttyp%d", i); + if ((*amaster = open(ptbuf, O_RDWR | O_NOCTTY)) == -1) + continue; + } + + /* Open the slave side. 
*/ + if ((*aslave = open(ttbuf, O_RDWR | O_NOCTTY)) == -1) { + close(*amaster); + return (-1); + } + /* set tty modes to a sane state for broken clients */ + if (tcgetattr(*amaster, &tio) != -1) { + tio.c_lflag |= (ECHO | ISIG | ICANON); + tio.c_oflag |= (OPOST | ONLCR); + tio.c_iflag |= ICRNL; + tcsetattr(*amaster, TCSANOW, &tio); + } + + return (0); + } + return (-1); +#endif +} + +#endif /* !defined(HAVE_OPENPTY) */ + diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 852948c54..6be1bcda4 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.24 2003/08/29 16:59:52 mouring Exp $ */ +/* $Id: openbsd-compat.h,v 1.25 2004/01/21 06:07:23 djm Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -138,8 +138,9 @@ unsigned int arc4random(void); void arc4random_stir(void); #endif /* !HAVE_ARC4RANDOM */ - - +#ifndef HAVE_OPENPTY +int openpty(int *, int *, char *, struct termios *, struct winsize *); +#endif /* HAVE_OPENPTY */ /* #include XXX needed? For size_t */ diff --git a/sshpty.c b/sshpty.c index 50b1f2ba3..0fe3891b6 100644 --- a/sshpty.c +++ b/sshpty.c @@ -12,7 +12,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshpty.c,v 1.10 2003/06/12 07:57:38 markus Exp $"); +RCSID("$OpenBSD: sshpty.c,v 1.11 2004/01/11 21:55:06 deraadt Exp $"); #ifdef HAVE_UTIL_H # include @@ -22,17 +22,9 @@ RCSID("$OpenBSD: sshpty.c,v 1.10 2003/06/12 07:57:38 markus Exp $"); #include "log.h" #include "misc.h" -/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */ -#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY) -#undef HAVE_DEV_PTMX -#endif - #ifdef HAVE_PTY_H # include #endif -#if defined(HAVE_DEV_PTMX) && defined(HAVE_SYS_STROPTS_H) -# include -#endif #ifndef O_NOCTTY #define O_NOCTTY 0 
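Review bot: The HAVE_DEV_PTMX branch of the new openpty() returns on a grantpt() failure before `signal(SIGCHLD, old_signal)` runs, leaving SIGCHLD at SIG_DFL for the rest of the process, and the grantpt(), unlockpt() and ptsname() failure paths all leak `ptm`, which answers the `XXX: need to close ptm on error?` comment. The HAVE_DEV_PTS_AND_PTC branch has the same leak of `*amaster` when ttyname() fails. The _UNICOS branch will not compile because its second snprintf() spells `sizeof` as `sideof(ttbuf)`. A rewrite of the ptmx error handling follows.

```c
	if ((ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY)) == -1)
		return (-1);

	/* Put the caller's SIGCHLD handler back on every path. */
	old_signal = signal(SIGCHLD, SIG_DFL);
	if (grantpt(ptm) < 0) {
		signal(SIGCHLD, old_signal);
		close(ptm);
		return (-1);
	}
	signal(SIGCHLD, old_signal);

	if (unlockpt(ptm) < 0 || (pts = ptsname(ptm)) == NULL) {
		close(ptm);
		return (-1);
	}
	*amaster = ptm;
	/* … unchanged: open the slave side, push the streams modules … */
```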
@@ -48,7 +40,6 @@ RCSID("$OpenBSD: sshpty.c,v 1.10 2003/06/12 07:57:38 markus Exp $"); int pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) { -#if defined(HAVE_OPENPTY) || defined(BSD4_4) /* openpty(3) exists in OSF/1 and some other os'es */ char *name; int i; 
@@ -64,187 +55,6 @@ pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen) strlcpy(namebuf, name, namebuflen); /* possible truncation */ return 1; -#else /* HAVE_OPENPTY */ -#ifdef HAVE__GETPTY - /* - * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more - * pty's automagically when needed - */ - char *slave; - - slave = _getpty(ptyfd, O_RDWR, 0622, 0); - if (slave == NULL) { - error("_getpty: %.100s", strerror(errno)); - return 0; - } - strlcpy(namebuf, slave, namebuflen); - /* Open the slave side. */ - *ttyfd = open(namebuf, O_RDWR | O_NOCTTY); - if (*ttyfd < 0) { - error("%.200s: %.100s", namebuf, strerror(errno)); - close(*ptyfd); - return 0; - } - return 1; -#else /* HAVE__GETPTY */ -#if defined(HAVE_DEV_PTMX) - /* - * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3 - * also has bsd-style ptys, but they simply do not work.) - */ - int ptm; - char *pts; - mysig_t old_signal; - - ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY); - if (ptm < 0) { - error("/dev/ptmx: %.100s", strerror(errno)); - return 0; - } - old_signal = signal(SIGCHLD, SIG_DFL); - if (grantpt(ptm) < 0) { - error("grantpt: %.100s", strerror(errno)); - return 0; - } - signal(SIGCHLD, old_signal); - if (unlockpt(ptm) < 0) { - error("unlockpt: %.100s", strerror(errno)); - return 0; - } - pts = ptsname(ptm); - if (pts == NULL) - error("Slave pty side name could not be obtained."); - strlcpy(namebuf, pts, namebuflen); - *ptyfd = ptm; - - /* Open the slave side. */ - *ttyfd = open(namebuf, O_RDWR | O_NOCTTY); - if (*ttyfd < 0) { - error("%.100s: %.100s", namebuf, strerror(errno)); - close(*ptyfd); - return 0; - } -#ifndef HAVE_CYGWIN - /* - * Push the appropriate streams modules, as described in Solaris pts(7). - * HP-UX pts(7) doesn't have ttcompat module. 
- */ - if (ioctl(*ttyfd, I_PUSH, "ptem") < 0) - error("ioctl I_PUSH ptem: %.100s", strerror(errno)); - if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0) - error("ioctl I_PUSH ldterm: %.100s", strerror(errno)); -#ifndef __hpux - if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0) - error("ioctl I_PUSH ttcompat: %.100s", strerror(errno)); -#endif -#endif - return 1; -#else /* HAVE_DEV_PTMX */ -#ifdef HAVE_DEV_PTS_AND_PTC - /* AIX-style pty code. */ - const char *name; - - *ptyfd = open("/dev/ptc", O_RDWR | O_NOCTTY); - if (*ptyfd < 0) { - error("Could not open /dev/ptc: %.100s", strerror(errno)); - return 0; - } - name = ttyname(*ptyfd); - if (!name) - fatal("Open of /dev/ptc returns device for which ttyname fails."); - strlcpy(namebuf, name, namebuflen); - *ttyfd = open(name, O_RDWR | O_NOCTTY); - if (*ttyfd < 0) { - error("Could not open pty slave side %.100s: %.100s", - name, strerror(errno)); - close(*ptyfd); - return 0; - } - return 1; -#else /* HAVE_DEV_PTS_AND_PTC */ -#ifdef _UNICOS - char buf[64]; - int i; - int highpty; - -#ifdef _SC_CRAY_NPTY - highpty = sysconf(_SC_CRAY_NPTY); - if (highpty == -1) - highpty = 128; -#else - highpty = 128; -#endif - - for (i = 0; i < highpty; i++) { - snprintf(buf, sizeof(buf), "/dev/pty/%03d", i); - *ptyfd = open(buf, O_RDWR|O_NOCTTY); - if (*ptyfd < 0) - continue; - snprintf(namebuf, namebuflen, "/dev/ttyp%03d", i); - /* Open the slave side. */ - *ttyfd = open(namebuf, O_RDWR|O_NOCTTY); - if (*ttyfd < 0) { - error("%.100s: %.100s", namebuf, strerror(errno)); - close(*ptyfd); - return 0; - } - return 1; - } - return 0; -#else - /* BSD-style pty code. 
*/ - char buf[64]; - int i; - const char *ptymajors = "pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ"; - const char *ptyminors = "0123456789abcdef"; - int num_minors = strlen(ptyminors); - int num_ptys = strlen(ptymajors) * num_minors; - struct termios tio; - - for (i = 0; i < num_ptys; i++) { - snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors], - ptyminors[i % num_minors]); - snprintf(namebuf, namebuflen, "/dev/tty%c%c", - ptymajors[i / num_minors], ptyminors[i % num_minors]); - - *ptyfd = open(buf, O_RDWR | O_NOCTTY); - if (*ptyfd < 0) { - /* Try SCO style naming */ - snprintf(buf, sizeof buf, "/dev/ptyp%d", i); - snprintf(namebuf, namebuflen, "/dev/ttyp%d", i); - *ptyfd = open(buf, O_RDWR | O_NOCTTY); - if (*ptyfd < 0) - continue; - } - - /* Open the slave side. */ - *ttyfd = open(namebuf, O_RDWR | O_NOCTTY); - if (*ttyfd < 0) { - error("%.100s: %.100s", namebuf, strerror(errno)); - close(*ptyfd); - return 0; - } - /* set tty modes to a sane state for broken clients */ - if (tcgetattr(*ptyfd, &tio) < 0) - logit("Getting tty modes for pty failed: %.100s", strerror(errno)); - else { - tio.c_lflag |= (ECHO | ISIG | ICANON); - tio.c_oflag |= (OPOST | ONLCR); - tio.c_iflag |= ICRNL; - - /* Set the new modes for the terminal. */ - if (tcsetattr(*ptyfd, TCSANOW, &tio) < 0) - logit("Setting tty modes for pty failed: %.100s", strerror(errno)); - } - - return 1; - } - return 0; -#endif /* CRAY */ -#endif /* HAVE_DEV_PTS_AND_PTC */ -#endif /* HAVE_DEV_PTMX */ -#endif /* HAVE__GETPTY */ -#endif /* HAVE_OPENPTY */ } /* Releases the tty. Its ownership is returned to root, and permissions to 0666. */ -- cgit v1.2.3 From 1d3ca58705157ffd764515021434343aba1e8037 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Thu, 22 Jan 2004 12:05:34 +1100 Subject: - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ GSSAPI detection, libs and includes. ok djm@ --- ChangeLog | 6 ++++- configure.ac | 71 ++++++++++++++++++++++++++++++++++++++++++------------------ 2 files changed, 55 insertions(+), 22 deletions(-) diff --git a/ChangeLog b/ChangeLog index dff32c6cb..df415f0ed 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040122 + - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ + GSSAPI detection, libs and includes. ok djm@ + 20040121 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2004/01/13 09:25:05 @@ -1701,4 +1705,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3177 2004/01/21 06:07:16 djm Exp $ +$Id: ChangeLog,v 1.3178 2004/01/22 01:05:34 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 10025cbc8..5b094ba6c 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.184 2004/01/08 13:19:25 dtucker Exp $ +# $Id: configure.ac,v 1.185 2004/01/22 01:05:35 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -2020,39 +2020,58 @@ AC_SEARCH_LIBS(getrrsetbyname, resolv, KRB5_MSG="no" AC_ARG_WITH(kerberos5, [ --with-kerberos5=PATH Enable Kerberos 5 support], - [ - if test "x$withval" != "xno" ; then - if test "x$withval" = "xyes" ; then - KRB5ROOT="/usr/local" + [ if test "x$withval" != "xno" ; then + if test "x$withval" = "xyes" ; then + KRB5ROOT="/usr/local" + else + KRB5ROOT=${withval} + fi + + AC_DEFINE(KRB5) + KRB5_MSG="yes" + + AC_MSG_CHECKING(for krb5-config) + if test -x $KRB5ROOT/bin/krb5-config ; then + KRB5CONF=$KRB5ROOT/bin/krb5-config + AC_MSG_RESULT($KRB5CONF) + + AC_MSG_CHECKING(for gssapi support) + if $KRB5CONF | grep gssapi >/dev/null ; then + AC_MSG_RESULT(yes) + K5CFLAGS="`$KRB5CONF --cflags gssapi`" + dnl m4 quadragraphs: "sed 's/-l[^- ]*//g'" + K5LDFLAGS="`$KRB5CONF --libs gssapi | sed 's/-l@<:@^- @:>@*//g'`" + K5LIBS="`$KRB5CONF --libs gssapi | sed 's/-L@<:@^- @:>@*//g'`" else - KRB5ROOT=${withval} + AC_MSG_RESULT(no) + K5CFLAGS="`$KRB5CONF --cflags`" + K5LDFLAGS="`$KRB5CONF --libs | sed 's/-l@<:@^- @:>@*//g'`" + K5LIBS="`$KRB5CONF --libs | sed 's/-L@<:@^- @:>@*//g'`" fi + CPPFLAGS="$CPPFLAGS $K5CFLAGS" + LDFLAGS="$LDFLAGS $K5LDFLAGS" + AC_MSG_CHECKING(whether we are using Heimdal) + AC_TRY_COMPILE([ #include ], + [ char *tmp = heimdal_version; ], + [ AC_MSG_RESULT(yes) + AC_DEFINE(HEIMDAL) ], + AC_MSG_RESULT(no) + ) + else + AC_MSG_RESULT(no) CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" - AC_DEFINE(KRB5) - KRB5_MSG="yes" AC_MSG_CHECKING(whether we are using Heimdal) AC_TRY_COMPILE([ #include ], [ char *tmp = heimdal_version; ], [ AC_MSG_RESULT(yes) AC_DEFINE(HEIMDAL) K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken" - AC_SEARCH_LIBS(k_hasafs, kafs, - [ AC_DEFINE(AFS) - K5LIBS="-lkafs $K5LIBS" - ] - ) ], [ AC_MSG_RESULT(no) K5LIBS="-lkrb5 -lk5crypto -lcom_err" ] ) - if test ! -z "$need_dash_r" ; then - LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" - fi - if test ! 
-z "$blibpath" ; then - blibpath="$blibpath:${KRB5ROOT}/lib" - fi AC_SEARCH_LIBS(dn_expand, resolv) AC_CHECK_LIB(gssapi,gss_init_sec_context, @@ -2080,9 +2099,19 @@ AC_ARG_WITH(kerberos5, AC_CHECK_HEADER(gssapi_krb5.h, , [ CPPFLAGS="$oldCPP" ]) - KRB5=yes fi - ] + if test ! -z "$need_dash_r" ; then + LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib" + fi + if test ! -z "$blibpath" ; then + blibpath="$blibpath:${KRB5ROOT}/lib" + fi + fi ] + AC_SEARCH_LIBS(k_hasafs, kafs, + [ AC_DEFINE(AFS) + K5LIBS="-lkafs $K5LIBS" + ] + ) ) LIBS="$LIBS $K5LIBS" -- cgit v1.2.3 From 7fe8b72771ec847d824ce845f851338f1be9e6b2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Thu, 22 Jan 2004 12:48:26 +1100 Subject: - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not just HEIMDAL. Currently this will make no difference, as only Heimdal (which defines KRB5 anyway) has libkafs, however a libkafs that works with MIT may become available. In that case it will be used too. --- ChangeLog | 4 +++- session.c | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index df415f0ed..7d1c6db14 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,8 @@ 20040122 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ GSSAPI detection, libs and includes. ok djm@ + - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not + just HEIMDAL. 20040121 - (djm) OpenBSD CVS Sync @@ -1705,4 +1707,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3178 2004/01/22 01:05:34 dtucker Exp $ +$Id: ChangeLog,v 1.3179 2004/01/22 01:48:26 dtucker Exp $ diff --git a/session.c b/session.c index 82e1996af..6a1cb7841 100644 --- a/session.c +++ b/session.c 
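Review bot: The sed expressions that split the `krb5-config --libs` output into K5LDFLAGS and K5LIBS use the class `[^- ]` (written with quadrigraphs), which stops at the first hyphen as well as at a blank. A library directory such as the constructed example `-L/opt/krb5-1.3/lib` would therefore be removed only up to `krb5`, leaving the fragment `-1.3/lib` in K5LIBS. Matching up to the next blank looks safer: `sed 's/-l@<:@^ @:>@*//g'` on the LDFLAGS side and `sed 's/-L@<:@^ @:>@*//g'` on the LIBS side. The user-supplied path in `test -x $KRB5ROOT/bin/krb5-config` is also unquoted, and `test -x "$KRB5ROOT/bin/krb5-config"` would cope with a path containing spaces.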
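Review bot: The relocated `AC_SEARCH_LIBS(k_hasafs, kafs, ...)` now sits after the `fi ]` that closes the `"x$withval" != "xno"` test but is still inside the action-if-given argument. As far as the hunk shows, it therefore also runs for `--with-kerberos5=no` and can define AFS and put `-lkafs` into K5LIBS while Kerberos is disabled. Moving the call back inside the `if`, just before the final `fi`, would keep the AFS probe tied to KRB5. The `-R${KRB5ROOT}/lib` and blibpath additions that moved below the krb5-config branch still assume the libraries live under `$KRB5ROOT/lib`, which may not match what krb5-config reported. The AC_ARG_WITH call starts in the previous hunk.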
@@ -1419,7 +1419,7 @@ do_child(Session *s, const char *command) */ environ = env; -#if defined(HEIMDAL) && defined(AFS) +#if defined(KRB5) && defined(AFS) /* * At this point, we check to see if AFS is active and if we have * a valid Kerberos 5 TGT. If so, it seems like a good idea to see -- cgit v1.2.3 From c900128e55134291e2d5dd0ec7ad18d97625cee3 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 22 Jan 2004 16:10:03 -0800 Subject: [contrib/solaris/buildpkg.sh] Allow for the possibility of /usr/local being a symbolic link. Fixes problem reported by Henry Grebler. --- ChangeLog | 4 +++- contrib/solaris/buildpkg.sh | 9 ++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7d1c6db14..12a7f6a1b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ GSSAPI detection, libs and includes. ok djm@ - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not just HEIMDAL. + - (tim) [contrib/solaris/buildpkg.sh] Allow for the possibility of + /usr/local being a symbolic link. Fixes problem reported by Henry Grebler. 20040121 - (djm) OpenBSD CVS Sync @@ -1707,4 +1709,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3179 2004/01/22 01:48:26 dtucker Exp $ +$Id: ChangeLog,v 1.3180 2004/01/23 00:10:03 tim Exp $ diff --git a/contrib/solaris/buildpkg.sh b/contrib/solaris/buildpkg.sh index 55203d7d5..29d096306 100755 --- a/contrib/solaris/buildpkg.sh +++ b/contrib/solaris/buildpkg.sh @@ -23,9 +23,10 @@ SYSVINIT_NAME=opensshd MAKE=${MAKE:="make"} SSHDUID=67 # Default privsep uid SSHDGID=67 # Default privsep gid -# uncomment these next two as needed +# uncomment these next three as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes +#USR_LOCAL_IS_SYMLINK=yes # list of system directories we do NOT want to change owner/group/perms # when installing our package SYSTEM_DIR="/etc \ 
@@ -370,6 +371,12 @@ _EOF find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \ pkgproto $PROTO_ARGS | nawk -f mk-proto.awk > prototype +# /usr/local is a symlink on some systems +[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && { + grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new + mv prototype.new prototype +} + ## Step back a directory and now build the package. echo "Building package.." cd .. -- cgit v1.2.3 From d352636553bf85e21c697eca2e6873e78862576e Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 23 Jan 2004 14:16:26 +1100 Subject: - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from ralf.hack AT pipex.net; ok dtucker@ --- ChangeLog | 6 +++++- session.c | 6 ++++++ 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 12a7f6a1b..4d9d9faa4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040123 + - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from + ralf.hack AT pipex.net; ok dtucker@ + 20040122 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ GSSAPI detection, libs and includes. ok djm@ @@ -1709,4 +1713,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3180 2004/01/23 00:10:03 tim Exp $ +$Id: ChangeLog,v 1.3181 2004/01/23 03:16:26 djm Exp $ diff --git a/session.c b/session.c index 6a1cb7841..947ba5eff 100644 --- a/session.c +++ b/session.c @@ -1243,6 +1243,12 @@ do_setusercontext(struct passwd *pw) # ifdef __bsdi__ setpgid(0, 0); # endif +# ifdef USE_PAM + if (options.use_pam) { + do_pam_session(); + do_pam_setcred(0); + } +# endif /* USE_PAM */ if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { perror("unable to set user context"); -- cgit v1.2.3 From 84938141d4efb3b00496f1e819192ee3377dad70 Mon Sep 17 00:00:00 2001 
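Review bot: In the new USR_LOCAL_IS_SYMLINK block the `mv` runs even when the preceding `grep -v` failed, so a write error while creating `prototype.new` would replace `prototype` with a truncated list. Chaining the two commands keeps the original file when the filter fails: `grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new && mv prototype.new prototype`. A truncated prototype would silently produce a package with missing files, so it is worth stopping the build at that point.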
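Review bot: The added `do_pam_session()` and `do_pam_setcred(0)` calls run before `setusercontext()` with `LOGIN_SETALL & ~LOGIN_SETPATH`, which presumably re-initialises the group list and switches to the user's uid, so supplementary groups that a PAM module established through setcred may be discarded. A comment stating the intended order would help, for example `/* PAM session/creds are set up while still privileged; setusercontext() below may reset groups set by PAM */`. Alternatively the context could be applied in two steps so that the PAM calls sit between group setup and the uid change. Neither call's outcome is checked in this hunk, so it is worth confirming that both abort the session themselves on failure. The body of do_setusercontext starts and ends outside the hunk.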
From: Damien Miller Date: Fri, 23 Jan 2004 16:30:03 +1100 Subject: - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect Kerberos location (and thus work with Fedora Core 1); from jason AT devrandom.org --- ChangeLog | 5 ++++- contrib/redhat/openssh.spec | 9 +++++++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4d9d9faa4..395508ecd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,9 @@ 20040123 - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from ralf.hack AT pipex.net; ok dtucker@ + - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect + Kerberos location (and thus work with Fedora Core 1); + from jason AT devrandom.org 20040122 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ @@ -1713,4 +1716,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3181 2004/01/23 03:16:26 djm Exp $ +$Id: ChangeLog,v 1.3182 2004/01/23 05:30:03 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index a4d49f61c..30d026352 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,5 +1,5 @@ %define ver 3.7.1p2 -%define rel 1 +%define rel 0.2004012300 # OpenSSH privilege separation requires a user & group ID %define sshd_uid 74 @@ -181,6 +181,11 @@ environment. CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS %endif +%if %{kerberos5} +K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'` +echo K5DIR=$K5DIR +%endif + %configure \ --sysconfdir=%{_sysconfdir}/ssh \ --libexecdir=%{_libexecdir}/openssh \ @@ -200,7 +205,7 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS --with-pam \ %endif %if %{kerberos5} - --with-kerberos5=/usr/kerberos \ + --with-kerberos5=$K5DIR \ %endif -- cgit v1.2.3 From 2dcd2393f4cddec66019608d71243d987a471277 Mon Sep 17 00:00:00 2001 
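Review bot: K5DIR is taken from `rpm -ql krb5-devel` without checking the result, in the `@@ -181,6 +181,11 @@` hunk. If the package is not installed, or the unanchored pattern `include/krb5.h` matches more than one path, the `--with-kerberos5=$K5DIR` line in the following hunk receives an empty or multi-line value. Anchoring the match and taking one result would tighten this: `K5DIR=$(rpm -ql krb5-devel | grep '/include/krb5\.h$' | head -1 | sed 's,/include/krb5\.h$,,')`. Adding `[ -n "$K5DIR" ] || exit 1` would stop the build early instead of configuring against an unintended tree.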
From: Darren Tucker Date: Fri, 23 Jan 2004 17:13:33 +1100 Subject: - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@ --- ChangeLog | 4 +++- configure.ac | 22 +++++++++++++++++++++- 2 files changed, 24 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 395508ecd..042dfb473 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect Kerberos location (and thus work with Fedora Core 1); from jason AT devrandom.org + - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for + zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@ 20040122 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ @@ -1716,4 +1718,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3182 2004/01/23 05:30:03 djm Exp $ +$Id: ChangeLog,v 1.3183 2004/01/23 06:13:33 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 5b094ba6c..c98332ac2 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.185 2004/01/22 01:05:35 dtucker Exp $ +# $Id: configure.ac,v 1.186 2004/01/23 06:13:33 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -588,6 +588,26 @@ AC_ARG_WITH(zlib, ) AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])) +AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])) +AC_MSG_CHECKING(for zlib 1.1.4 or greater) +AC_TRY_RUN([ +#include +int main() +{ + int a, b, c, v; + if (sscanf(ZLIB_VERSION, "%d.%d.%d", &a, &b, &c) != 3) + exit(1); + v = a*1000000 + b*1000 + c; + if (v >= 1001004) + exit(0); + exit(2); +} + ], + AC_MSG_RESULT(yes), + [ AC_MSG_RESULT(no) + AC_MSG_ERROR([*** zlib too old - check config.log ***]) ] +) + dnl UnixWare 2.x AC_CHECK_FUNC(strcasecmp, -- cgit v1.2.3 From 6369958301f0184c95988f8c87a5494bab0bb0c6 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 23 Jan 2004 21:35:44 +1100 Subject: - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options. Patch from vinschen at redhat.com. --- ChangeLog | 4 +++- contrib/cygwin/README | 10 ++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 042dfb473..04c919858 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,8 @@ from jason AT devrandom.org - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@ + - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options. + Patch from vinschen at redhat.com. 20040122 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ @@ -1718,4 +1720,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3183 2004/01/23 06:13:33 dtucker Exp $ +$Id: ChangeLog,v 1.3184 2004/01/23 10:35:44 dtucker Exp $ diff --git a/contrib/cygwin/README b/contrib/cygwin/README index 1ed934307..fc0a2f69b 100644 --- a/contrib/cygwin/README +++ b/contrib/cygwin/README 
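Review bot: The test program parses the `ZLIB_VERSION` macro, which reflects the zlib.h found at compile time rather than the library that `-lz` resolves to, so an old libz paired with a newer header passes the 1.1.4 check. Parsing the runtime string instead, `if (sscanf(zlibVersion(), "%d.%d.%d", &a, &b, &c) != 3)`, checks the library the binaries will actually use. AC_TRY_RUN is also given no cross-compiling action, so the check cannot run in a cross build; a fourth argument that emits a warning would cover that case.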
@@ -118,10 +118,12 @@ some options: usage: ssh-host-config [OPTION]... Options: - --debug -d Enable shell's debug output. - --yes -y Answer all questions with "yes" automatically. - --no -n Answer all questions with "no" automatically. - --port -p sshd listens on port n. + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --cygwin -c Use "options" as value for CYGWIN environment var. + --port -p sshd listens on port n. + --pwd -w Use "pwd" as password for user 'sshd_server'. Additionally ssh-host-config now asks if it should install sshd as a service when running under NT/W2K. This requires cygrunsrv installed. -- cgit v1.2.3 From 3c78c5ed2fd12785842bbb9e3bd030fab19a9221 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 23 Jan 2004 22:03:10 +1100 Subject: - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] Change AFS symbol to USE_AFS to prevent namespace collisions, do not include kafs.h unless necessary. From deengert at anl.gov. For consistency, all of the libkafs bits are now inside "#if defined(KRB5) && defined(USE_AFS)". --- ChangeLog | 5 ++++- acconfig.h | 6 +++--- configure.ac | 4 ++-- includes.h | 2 +- servconf.c | 2 +- session.c | 4 ++-- 6 files changed, 13 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index 04c919858..bbf853687 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,9 @@ zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@ - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options. Patch from vinschen at redhat.com. + - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] + Change AFS symbol to USE_AFS to prevent namespace collisions, do not + include kafs.h unless necessary. From deengert at anl.gov. 20040122 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ 
@@ -1720,4 +1723,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3184 2004/01/23 10:35:44 dtucker Exp $ +$Id: ChangeLog,v 1.3185 2004/01/23 11:03:10 dtucker Exp $ diff --git a/acconfig.h b/acconfig.h index 40162b731..27366ed17 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.171 2004/01/05 11:36:52 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.172 2004/01/23 11:03:10 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -256,8 +256,8 @@ /* Define this if you are using the Heimdal version of Kerberos V5 */ #undef HEIMDAL -/* Define this if you want to use Heimdal's AFS support */ -#undef AFS +/* Define this if you want to use libkafs' AFS support */ +#undef USE_AFS /* Define if you want S/Key support */ #undef SKEY diff --git a/configure.ac b/configure.ac index c98332ac2..b5fc7ace0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.186 2004/01/23 06:13:33 dtucker Exp $ +# $Id: configure.ac,v 1.187 2004/01/23 11:03:10 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -2128,7 +2128,7 @@ AC_ARG_WITH(kerberos5, fi fi ] AC_SEARCH_LIBS(k_hasafs, kafs, - [ AC_DEFINE(AFS) + [ AC_DEFINE(USE_AFS) K5LIBS="-lkafs $K5LIBS" ] ) diff --git a/includes.h b/includes.h index 02364bbd7..764bd57fe 100644 --- a/includes.h +++ b/includes.h @@ -169,7 +169,7 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } # include /* Openpty on FreeBSD at least */ #endif -#if defined(HEIMDAL) && defined(AFS) +#if defined(KRB5) && defined(USE_AFS) # include # include #endif diff --git a/servconf.c b/servconf.c index 04a10fadf..a72246b6c 100644 --- a/servconf.c +++ b/servconf.c 
@@ -305,7 +305,7 @@ static struct { { "kerberosauthentication", sKerberosAuthentication }, { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, { "kerberosticketcleanup", sKerberosTicketCleanup }, -#ifdef AFS +#ifdef USE_AFS { "kerberosgetafstoken", sKerberosGetAFSToken }, #else { "kerberosgetafstoken", sUnsupported }, diff --git a/session.c b/session.c index 947ba5eff..3a6d1a028 100644 --- a/session.c +++ b/session.c @@ -58,7 +58,7 @@ RCSID("$OpenBSD: session.c,v 1.171 2004/01/13 19:23:15 markus Exp $"); #include "session.h" #include "monitor_wrap.h" -#ifdef KRB5 +#if defined(KRB5) && defined(USE_AFS) #include #endif @@ -1425,7 +1425,7 @@ do_child(Session *s, const char *command) */ environ = env; -#if defined(KRB5) && defined(AFS) +#if defined(KRB5) && defined(USE_AFS) /* * At this point, we check to see if AFS is active and if we have * a valid Kerberos 5 TGT. If so, it seems like a good idea to see -- cgit v1.2.3 From fcb6220da091b94c310a063b7ee939c5d5cd69e2 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Fri, 23 Jan 2004 18:35:16 -0800 Subject: [configure.ac] Remove hard coded -L/usr/local/lib and -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \ CPPFLAGS="-I/usr/local/include" ./configure if needed. --- ChangeLog | 5 ++++- configure.ac | 55 +++++++++++++++++++++++-------------------------------- 2 files changed, 27 insertions(+), 33 deletions(-) diff --git a/ChangeLog b/ChangeLog index bbf853687..dc9147f26 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,9 @@ - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] Change AFS symbol to USE_AFS to prevent namespace collisions, do not include kafs.h unless necessary. From deengert at anl.gov. + - (tim) [configure.ac] Remove hard coded -L/usr/local/lib and + -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \ + CPPFLAGS="-I/usr/local/include" ./configure if needed. 20040122 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ 
@@ -1723,4 +1726,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3185 2004/01/23 11:03:10 dtucker Exp $ +$Id: ChangeLog,v 1.3186 2004/01/24 02:35:16 tim Exp $ diff --git a/configure.ac b/configure.ac index b5fc7ace0..51be4534b 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.187 2004/01/23 11:03:10 dtucker Exp $ +# $Id: configure.ac,v 1.188 2004/01/24 02:35:16 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -67,11 +67,9 @@ AC_ARG_WITH(rpath, # Check for some target-specific stuff case "$host" in *-*-aix*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) if (test -z "$blibpath"); then - blibpath="/usr/lib:/lib:/usr/local/lib" + blibpath="/usr/lib:/lib" fi saved_LDFLAGS="$LDFLAGS" for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do @@ -198,8 +196,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; *-*-irix5*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" AC_DEFINE(BROKEN_INET_NTOA) AC_DEFINE(SETEUID_BREAKS_SETUID) @@ -209,8 +205,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*") ;; *-*-irix6*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS" PATH="$PATH:/usr/etc" AC_DEFINE(WITH_IRIX_ARRAY) AC_DEFINE(WITH_IRIX_PROJECT) 
@@ -265,17 +259,8 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_REALPATH) AC_DEFINE(USE_PIPES) AC_DEFINE(BROKEN_SAVED_UIDS) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - CFLAGS="$CFLAGS" ;; *-*-solaris*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - if test "x$withval" = "xno" ; then - LDFLAGS="$LDFLAGS -L/usr/local/lib" - else - LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" - need_dash_r=1 - fi AC_DEFINE(PAM_SUN_CODEBASE) AC_DEFINE(LOGIN_NEEDS_UTMPX) AC_DEFINE(LOGIN_NEEDS_TERM) @@ -306,8 +291,6 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(USE_PIPES) ;; *-ncr-sysv*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lc89" AC_DEFINE(USE_PIPES) AC_DEFINE(SSHD_ACQUIRES_CTTY) @@ -316,9 +299,7 @@ mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(BROKEN_SETREGID) ;; *-sni-sysv*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" # /usr/ucblib MUST NOT be searched on ReliantUNIX - LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_CHECK_LIB(dl, dlsym, ,) IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) @@ -333,28 +314,21 @@ mips-sony-bsd|mips-sony-newsos4) # otherwise you will find lots of "SIOCGPGRP errno 22" on syslog ;; *-*-sysv4.2*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_DEFINE(USE_PIPES) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) ;; *-*-sysv5*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" AC_DEFINE(USE_PIPES) AC_DEFINE(SETEUID_BREAKS_SETUID) AC_DEFINE(BROKEN_SETREUID) AC_DEFINE(BROKEN_SETREGID) ;; *-*-sysv*) - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" ;; *-*-sco3.2v4*) - CPPFLAGS="$CPPFLAGS -Dftruncate=chsize -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" + CPPFLAGS="$CPPFLAGS -Dftruncate=chsize" LIBS="$LIBS -los -lprot -lx -ltinfo -lm" RANLIB=true no_dev_ptmx=1 
@@ -372,8 +346,6 @@ mips-sony-bsd|mips-sony-newsos4) if test -z "$GCC"; then CFLAGS="$CFLAGS -belf" fi - CPPFLAGS="$CPPFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib" LIBS="$LIBS -lprot -lx -ltinfo -lm" no_dev_ptmx=1 AC_DEFINE(USE_PIPES) @@ -587,7 +559,26 @@ AC_ARG_WITH(zlib, ] ) -AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])) +AC_CHECK_LIB(z, deflate, , + [ + saved_CPPFLAGS="$CPPFLAGS" + saved_LDFLAGS="$LDFLAGS" + save_LIBS="$LIBS" + dnl Check default zlib install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${saved_LDFLAGS}" + else + LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}" + fi + CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}" + LIBS="$LIBS -lz" + AC_TRY_LINK_FUNC(deflate, AC_DEFINE(HAVE_LIBZ), + [ + AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***]) + ] + ) + ] +) AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])) AC_MSG_CHECKING(for zlib 1.1.4 or greater) AC_TRY_RUN([ -- cgit v1.2.3 From 6814411b3edb2b8076042200b8e1c93b686f77cf Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 24 Jan 2004 13:50:39 +1100 Subject: - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com --- ChangeLog | 5 ++++- openbsd-compat/bsd-openpty.c | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index dc9147f26..580fecbf6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20040124 + - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com + 20040123 - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from ralf.hack AT pipex.net; ok dtucker@ 
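Review bot: In the new AC_CHECK_LIB fallback for zlib, `saved_CPPFLAGS`, `saved_LDFLAGS` and `save_LIBS` are assigned but never restored. After a successful link the `/usr/local` include and library paths therefore stay at the front of CPPFLAGS and LDFLAGS for every later test and for the final build, which changes which copy of other libraries is picked up. If that is intended, a `dnl` comment saying so, and dropping the unused `save_LIBS`, would make it clear; otherwise restore the saved values and append the paths instead of prepending them. The `-R/usr/local/lib` branch depends on `need_dash_r`, which the Solaris hunk of this commit no longer sets, so it is worth confirming the variable is still assigned elsewhere in configure.ac.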
@@ -1726,4 +1729,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3186 2004/01/24 02:35:16 tim Exp $ +$Id: ChangeLog,v 1.3187 2004/01/24 02:50:39 djm Exp $ diff --git a/openbsd-compat/bsd-openpty.c b/openbsd-compat/bsd-openpty.c index 0a3c5e211..512fb8451 100644 --- a/openbsd-compat/bsd-openpty.c +++ b/openbsd-compat/bsd-openpty.c @@ -151,7 +151,7 @@ openpty(int *amaster, int *aslave, char *name, struct termios *termp, for (i = 0; i < highpty; i++) { snprintf(ptbuf, sizeof(ptbuf), "/dev/pty/%03d", i); - snprintf(ttbuf, sideof(ttbuf), "/dev/ttyp%03d", i); + snprintf(ttbuf, sizeof(ttbuf), "/dev/ttyp%03d", i); if ((*amaster = open(ptbuf, O_RDWR|O_NOCTTY)) == -1) continue; /* Open the slave side. */ -- cgit v1.2.3 From 3084a6198cf03fed572624d5b3b76ad218e45ad2 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 26 Jan 2004 09:37:09 -0800 Subject: Typo in regress/README.regress --- ChangeLog | 5 ++++- regress/README.regress | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 580fecbf6..a467b821c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20040126 + - (tim) Typo in regress/README.regress + 20040124 - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com @@ -1729,4 +1732,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3187 2004/01/24 02:50:39 djm Exp $ +$Id: ChangeLog,v 1.3188 2004/01/26 17:37:09 tim Exp $ diff --git a/regress/README.regress b/regress/README.regress index 916894a88..48048ab12 100644 --- a/regress/README.regress +++ b/regress/README.regress 
@@ -22,7 +22,7 @@ Environment variables. SUDO: path to sudo command, if desired. Note that some systems (notably systems using PAM) require sudo to execute some tests. -TEST_SSH_TRACE: set yo "yes" for verbose output from tests +TEST_SSH_TRACE: set to "yes" for verbose output from tests TEST_SSH_QUIET: set to "yes" to suppress non-fatal output. TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER @@ -83,4 +83,4 @@ Failed tests can be difficult to diagnose. Suggestions: Known Issues. -$Id: README.regress,v 1.1 2003/09/04 05:39:54 dtucker Exp $ +$Id: README.regress,v 1.2 2004/01/26 17:37:09 tim Exp $ -- cgit v1.2.3 From eafd8e9c5596a46d657ebb6aaaba8902ffbc8b8f Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 26 Jan 2004 14:10:10 -0800 Subject: 20040126 [regress/test-exec.sh] RhostsAuthentication is deprecated. --- ChangeLog | 3 ++- regress/test-exec.sh | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index a467b821c..a59f591aa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ 20040126 - (tim) Typo in regress/README.regress + - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated. 20040124 - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com @@ -1732,4 +1733,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3188 2004/01/26 17:37:09 tim Exp $ +$Id: ChangeLog,v 1.3189 2004/01/26 22:10:10 tim Exp $ diff --git a/regress/test-exec.sh b/regress/test-exec.sh index cc7ea67fe..debe7e3a4 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -185,7 +185,6 @@ Host * ChallengeResponseAuthentication no HostbasedAuthentication no PasswordAuthentication no - RhostsAuthentication no RhostsRSAAuthentication no BatchMode yes StrictHostKeyChecking yes -- cgit v1.2.3 
From ba1c2b82c47c6ebf6b79c639bc71e1d6f7dd5d26 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 26 Jan 2004 16:02:17 -0800 Subject: [defines.h] Add defines for HFIXEDSZ and T_SIG --- ChangeLog | 3 ++- defines.h | 10 +++++++++- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index a59f591aa..6b67afe64 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20040126 - (tim) Typo in regress/README.regress - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated. + - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG 20040124 - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com @@ -1733,4 +1734,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3189 2004/01/26 22:10:10 tim Exp $ +$Id: ChangeLog,v 1.3190 2004/01/27 00:02:17 tim Exp $ diff --git a/defines.h b/defines.h index 18d8995db..31bb9a3cb 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.107 2004/01/08 12:32:04 dtucker Exp $ */ +/* $Id: defines.h,v 1.108 2004/01/27 00:02:17 tim Exp $ */ /* Constants */ @@ -133,6 +133,14 @@ including rpc/rpc.h breaks Solaris 6 #define __unused #endif +#ifndef HFIXEDSZ +#define HFIXEDSZ 12 +#endif + +#ifndef T_SIG +#define T_SIG 24 +#endif + /* Types */ /* If sys/types.h does not supply intXX_t, supply them ourselves */ -- cgit v1.2.3 From 2597bfd1fbc2ba9aca603c489cdf90d7b9ac5834 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 26 Jan 2004 19:03:39 -0800 Subject: [configure.ac includes.h] add for grantpt() and friends. --- ChangeLog | 3 ++- configure.ac | 4 ++-- includes.h | 3 +++ 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6b67afe64..ba47af80e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -2,6 +2,7 @@ - (tim) Typo in regress/README.regress - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated. - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG + - (tim) [configure.ac includes.h] add for grantpt() and friends. 20040124 - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com @@ -1734,4 +1735,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3190 2004/01/27 00:02:17 tim Exp $ +$Id: ChangeLog,v 1.3191 2004/01/27 03:03:39 tim Exp $ diff --git a/configure.ac b/configure.ac index 51be4534b..3b04182d5 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.188 2004/01/24 02:35:16 tim Exp $ +# $Id: configure.ac,v 1.189 2004/01/27 03:03:39 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -474,7 +474,7 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \ netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ - sys/cdefs.h sys/mman.h sys/pstat.h sys/select.h sys/stat.h \ + sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \ sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h vis.h) diff --git a/includes.h b/includes.h index 764bd57fe..d2cc88213 100644 --- a/includes.h +++ b/includes.h @@ -134,6 +134,9 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } #ifdef HAVE_SYS_STRTIO_H #include /* for TIOCCBRK on HP-UX */ #endif +#if defined(HAVE_SYS_PTMS_H) && defined(HAVE_DEV_PTMX) +#include /* for grantpt() and friends */ +#endif #include /* For typedefs */ #include /* For IPv6 macros */ -- cgit v1.2.3 From 01326ebada378a58c1797fb5a75f631a70a020e0 Mon Sep 17 00:00:00 2001 
From: Tim Rice Date: Mon, 26 Jan 2004 21:40:35 -0800 Subject: [defines.h openbsd-compat/getrrsetbyname.h] Move defines for HFIXEDSZ and T_SIG to getrrsetbyname.h --- ChangeLog | 4 +++- defines.h | 10 +--------- openbsd-compat/getrrsetbyname.h | 8 ++++++++ 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index ba47af80e..0ba506f59 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated. - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG - (tim) [configure.ac includes.h] add for grantpt() and friends. + - (tim) [defines.h openbsd-compat/getrrsetbyname.h] Move defines for HFIXEDSZ + and T_SIG to getrrsetbyname.h 20040124 - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com @@ -1735,4 +1737,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3191 2004/01/27 03:03:39 tim Exp $ +$Id: ChangeLog,v 1.3192 2004/01/27 05:40:35 tim Exp $ diff --git a/defines.h b/defines.h index 31bb9a3cb..5e63198e0 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.108 2004/01/27 00:02:17 tim Exp $ */ +/* $Id: defines.h,v 1.109 2004/01/27 05:40:35 tim Exp $ */ /* Constants */ @@ -133,14 +133,6 @@ including rpc/rpc.h breaks Solaris 6 #define __unused #endif -#ifndef HFIXEDSZ -#define HFIXEDSZ 12 -#endif - -#ifndef T_SIG -#define T_SIG 24 -#endif - /* Types */ /* If sys/types.h does not supply intXX_t, supply them ourselves */ diff --git a/openbsd-compat/getrrsetbyname.h b/openbsd-compat/getrrsetbyname.h index 67937ef5f..39995b63f 100644 --- a/openbsd-compat/getrrsetbyname.h +++ b/openbsd-compat/getrrsetbyname.h @@ -58,6 +58,14 @@ #include #include +#ifndef HFIXEDSZ +#define HFIXEDSZ 12 +#endif + +#ifndef T_SIG +#define T_SIG 24 +#endif + /* * Flags for getrrsetbyname() */ -- cgit v1.2.3 
From 4f0fe684daa4f35e1c91224e144c91b4869946fa Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 27 Jan 2004 21:19:21 +1100 Subject: - (djm) OpenBSD CVS Sync - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03 [cipher.c] enable acss for ssh ok deraadt@ markus@ - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS if libcrypto lacks it --- ChangeLog | 11 ++- Makefile.in | 15 ++-- acss.c | 264 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ acss.h | 47 +++++++++++ cipher-acss.c | 84 +++++++++++++++++++ cipher.c | 21 ++++- 6 files changed, 430 insertions(+), 12 deletions(-) create mode 100644 acss.c create mode 100644 acss.h create mode 100644 cipher-acss.c diff --git a/ChangeLog b/ChangeLog index 0ba506f59..61b714348 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +20040127 + - (djm) OpenBSD CVS Sync + - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03 + [cipher.c] + enable acss for ssh + ok deraadt@ markus@ + - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS + if libcrypto lacks it + 20040126 - (tim) Typo in regress/README.regress - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated. @@ -1737,4 +1746,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3192 2004/01/27 05:40:35 tim Exp $ +$Id: ChangeLog,v 1.3193 2004/01/27 10:19:21 djm Exp $ diff --git a/Makefile.in b/Makefile.in index f1098fcb0..1f6a4d43f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.253 2003/11/21 12:48:55 djm Exp $ +# $Id: Makefile.in,v 1.254 2004/01/27 10:19:22 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -61,12 +61,13 @@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) -LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ - cipher.o cipher-aes.o cipher-bf1.o cipher-ctr.o cipher-3des1.o \ - cleanup.o compat.o compress.o crc32.o deattack.o fatal.o \ - hostfile.o log.o match.o moduli.o mpaux.o nchan.o packet.o \ - readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ - key.o dispatch.o kex.o mac.o uuencode.o misc.o \ +LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o buffer.o \ + canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \ + cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ + compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ + log.o match.o moduli.o mpaux.o nchan.o packet.o \ + readpass.o rsa.o tildexpand.o ttymodes.o xmalloc.o \ + atomicio.o key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ entropy.o scard-opensc.o gss-genr.o diff --git a/acss.c b/acss.c new file mode 100644 index 000000000..65f5fa164 --- /dev/null +++ b/acss.c 
@@ -0,0 +1,264 @@ +/* $Id: */ +/* + * Copyright (c) 2004 The OpenBSD project + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#include + +#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L) + +#include "acss.h" + +/* decryption sbox */ +static unsigned char sboxdec[] = { + 0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76, + 0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b, + 0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96, + 0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b, + 0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12, + 0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f, + 0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90, + 0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91, + 0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74, + 0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75, + 0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94, + 0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95, + 0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10, + 0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11, + 0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92, + 0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f, + 0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16, + 0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b, + 0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6, + 0xbe, 0xfe, 0xb6, 0xab, 
0xee, 0xae, 0xe6, 0xfb, + 0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72, + 0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f, + 0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0, + 0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1, + 0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14, + 0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15, + 0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4, + 0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5, + 0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70, + 0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71, + 0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2, + 0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff +}; + +/* encryption sbox */ +static unsigned char sboxenc[] = { + 0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75, + 0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b, + 0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21, + 0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f, + 0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5, + 0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab, + 0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0, + 0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2, + 0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74, + 0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76, + 0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20, + 0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22, + 0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4, + 0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6, + 0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1, + 0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf, + 0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25, + 0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b, + 0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71, + 0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f, + 0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5, + 0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb, + 0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0, + 0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2, + 0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24, + 0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26, + 0x3a, 
0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70, + 0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72, + 0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4, + 0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6, + 0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1, + 0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff +}; + +static unsigned char reverse[] = { + 0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, + 0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, + 0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, + 0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, + 0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, + 0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, + 0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, + 0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, + 0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, + 0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, + 0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, + 0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, + 0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, + 0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, + 0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, + 0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, + 0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, + 0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, + 0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, + 0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, + 0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, + 0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, + 0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, + 0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, + 0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, + 0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, + 0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, + 0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, + 0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, + 0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, + 0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, + 0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff +}; + +/* + * Two linear feedback shift registers are used: + * + * 
lfsr17: polynomial of degree 17, primitive modulo 2 (listed in Schneier) + * x^15 + x + 1 + * lfsr25: polynomial of degree 25, not know if primitive modulo 2 + * x^13 + x^5 + x^4 + x^1 + 1 + * + * Output bits are discarded, instead the feedback bits are added to produce + * the cipher stream. Depending on the mode, feedback bytes may be inverted + * bit-wise before addition. + * + * The lfsrs are seeded with bytes from the raw key: + * + * lfsr17: byte 0[0:7] at bit 9 + * byte 1[0:7] at bit 0 + * + * lfsr25: byte 2[0:4] at bit 16 + * byte 2[5:7] at bit 22 + * byte 3[0:7] at bit 8 + * byte 4[0:7] at bit 0 + * + * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in + * lfsr25. + * + */ + +int +acss(ACSS_KEY *key, unsigned long len, const unsigned char *in, + unsigned char *out) +{ + unsigned long i; + unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp; + + lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0; + + /* keystream is sum of lfsrs */ + for (i = 0; i < len; i++) { + lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14); + key->lfsr17 = (key->lfsr17 >> 8) + ^ (lfsr17tmp << 9) + ^ (lfsr17tmp << 12) + ^ (lfsr17tmp << 15); + key->lfsr17 &= 0x1ffff; /* 17 bit LFSR */ + + lfsr25tmp = key->lfsr25 + ^ (key->lfsr25 >> 3) + ^ (key->lfsr25 >> 4) + ^ (key->lfsr25 >> 12); + key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17); + key->lfsr25 &= 0x1ffffff; /* 25 bit LFSR */ + + lfsrsumtmp = key->lfsrsum; + + /* addition */ + switch (key->mode) { + case ACSS_AUTHENTICATE: + case ACSS_DATA: + key->lfsrsum = 0xff & ~(key->lfsr17 >> 9); + key->lfsrsum += key->lfsr25 >> 17; + break; + case ACSS_SESSIONKEY: + key->lfsrsum = key->lfsr17 >> 9; + key->lfsrsum += key->lfsr25 >> 17; + break; + case ACSS_TITLEKEY: + key->lfsrsum = key->lfsr17 >> 9; + key->lfsrsum += 0xff & ~(key->lfsr25 >> 17); + break; + default: + return 1; + } + key->lfsrsum += (lfsrsumtmp >> 8); + + if (key->encrypt) { + out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff]; + } else { + out[i] = (sboxdec[in[i]] ^ key->lfsrsum) 
& 0xff; + } + } + + return 0; +} + +static void +acss_seed(ACSS_KEY *key) +{ + int i; + + /* if available, mangle with subkey */ + if (key->subkey_avilable) { + for (i = 0; i < ACSS_KEYSIZE; i++) + key->seed[i] = reverse[key->data[i] ^ key->subkey[i]]; + } else { + for (i = 0; i < ACSS_KEYSIZE; i++) + key->seed[i] = reverse[key->data[i]]; + } + + /* seed lfsrs */ + key->lfsr17 = key->seed[1] + | (key->seed[0] << 9) + | (1 << 8); /* inject 1 at bit 9 */ + key->lfsr25 = key->seed[4] + | (key->seed[3] << 8) + | ((key->seed[2] & 0x1f) << 16) + | ((key->seed[2] & 0xe0) << 17) + | (1 << 21); /* inject 1 at bit 22 */ + + key->lfsrsum = 0; +} + +void +acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode) +{ + memcpy(key->data, data, sizeof(key->data)); + memset(key->subkey, 0, sizeof(key->subkey)); + + if (enc != -1) + key->encrypt = enc; + key->mode = mode; + key->subkey_avilable = 0; + + acss_seed(key); +} + +void +acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey) +{ + memcpy(key->subkey, subkey, sizeof(key->subkey)); + key->subkey_avilable = 1; + acss_seed(key); +} +#endif diff --git a/acss.h b/acss.h new file mode 100644 index 000000000..fc6344dc8 --- /dev/null +++ b/acss.h 
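Review bot: In `acss()`, the `default: return 1;` for an unknown `key->mode` sits inside the per-byte loop, after `key->lfsr17` and `key->lfsr25` have already been stepped and before `out[i]` is written, so a bad mode leaves the key state advanced and the output buffer untouched. The mode should be validated once before the loop, e.g. `if (key->mode < ACSS_AUTHENTICATE || key->mode > ACSS_DATA) return 1;`, using the ACSS_* values declared in acss.h. Separately, `sboxdec`, `sboxenc` and `reverse` are only read and should be `static const unsigned char`. The seeding comments say `inject 1 at bit 9` and `bit 22` where the code uses `1 << 8` and `1 << 21` and the block comment above says bit 8 and bit 21; one numbering should be used throughout.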
@@ -0,0 +1,47 @@ +/* $Id: */ +/* + * Copyright (c) 2004 The OpenBSD project + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _ACSS_H_ +#define _ACSS_H_ + +/* 40bit key */ +#define ACSS_KEYSIZE 5 + +/* modes of acss */ +#define ACSS_AUTHENTICATE 0 +#define ACSS_SESSIONKEY 1 +#define ACSS_TITLEKEY 2 +#define ACSS_DATA 3 + +typedef struct acss_key_st { + unsigned int lfsr17; /* current state of lfsrs */ + unsigned int lfsr25; + unsigned int lfsrsum; + unsigned char seed[ACSS_KEYSIZE]; + unsigned char data[ACSS_KEYSIZE]; + unsigned char subkey[ACSS_KEYSIZE]; + int encrypt; /* XXX make these bit flags? */ + int mode; + int seeded; + int subkey_avilable; +} ACSS_KEY; + +void acss_setkey(ACSS_KEY *, const unsigned char *, int, int); +void acss_setsubkey(ACSS_KEY *, const unsigned char *); +int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *); + +#endif /* ifndef _ACSS_H_ */ diff --git a/cipher-acss.c b/cipher-acss.c new file mode 100644 index 000000000..e2e3a4060 --- /dev/null +++ b/cipher-acss.c 
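Review bot: The three prototypes have no parameter names and nothing states how many bytes the key pointers must reference, although `acss_setkey` and `acss_setsubkey` in acss.c copy `sizeof(key->data)` and `sizeof(key->subkey)` (ACSS_KEYSIZE) bytes from them unconditionally. I would name the parameters, `void acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode);`, and add a comment that `data` and `subkey` must each point to at least ACSS_KEYSIZE bytes and that `acss()` returns 0 on success and 1 for an unknown mode. The `seeded` member is not referenced by the code added in this commit and `subkey_avilable` is misspelled; both are cheap to fix while the struct is new.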
@@ -0,0 +1,84 @@ +/* + * Copyright (c) 2004 The OpenBSD project + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" +#include + +RCSID("$Id: cipher-acss.c,v 1.1 2004/01/27 10:19:22 djm Exp $"); + +#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L) + +#include "acss.h" + +#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data) + +typedef struct { + ACSS_KEY ks; +} EVP_ACSS_KEY; + +#define EVP_CTRL_SET_ACSS_MODE 0xff06 +#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07 + +static int +acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA); + return 1; +} + +static int +acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, + unsigned int inl) +{ + acss(&data(ctx)->ks,inl,in,out); + return 1; +} + +static int +acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) +{ + switch(type) { + case EVP_CTRL_SET_ACSS_MODE: + data(ctx)->ks.mode = arg; + return 1; + case EVP_CTRL_SET_ACSS_SUBKEY: + acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr); + return 1; + default: + return -1; + } +} + +const EVP_CIPHER * +evp_acss(void) +{ + static EVP_CIPHER acss_cipher; + + memset(&acss_cipher, 0, sizeof(EVP_CIPHER)); + + acss_cipher.nid = 
NID_undef; + acss_cipher.block_size = 1; + acss_cipher.key_len = 5; + acss_cipher.init = acss_init_key; + acss_cipher.do_cipher = acss_ciph; + acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY); + acss_cipher.ctrl = acss_ctrl; + + return (&acss_cipher); +} +#endif + diff --git a/cipher.c b/cipher.c index a1c40cc4a..190b8688b 100644 --- a/cipher.c +++ b/cipher.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.66 2003/11/10 16:23:41 jakob Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.67 2004/01/23 17:06:03 hshoexer Exp $"); #include "xmalloc.h" #include "log.h" @@ -52,6 +52,17 @@ RCSID("$OpenBSD: cipher.c,v 1.66 2003/11/10 16:23:41 jakob Exp $"); extern const EVP_CIPHER *evp_rijndael(void); extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); #endif + +#if !defined(EVP_CTRL_SET_ACSS_MODE) +# if (OPENSSL_VERSION_NUMBER >= 0x00906000L) +extern const EVP_CIPHER *evp_acss(void); +# define EVP_acss evp_acss +# define EVP_CTRL_SET_ACSS_MODE xxx /* used below */ +# else +# define EVP_acss NULL /* Don't try to support ACSS on older OpenSSL */ +# endif /* (OPENSSL_VERSION_NUMBER >= 0x00906000L) */ +#endif /* !defined(EVP_CTRL_SET_ACSS_MODE) */ + extern const EVP_CIPHER *evp_ssh1_bf(void); extern const EVP_CIPHER *evp_ssh1_3des(void); extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int); @@ -92,7 +103,9 @@ struct Cipher { { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr }, { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, #endif - +#if defined(EVP_CTRL_SET_ACSS_MODE) + { "acss@openbsd.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }, +#endif { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL } }; @@ -402,7 +415,7 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat) Cipher *c = cc->cipher; int plen = 0; - if (c->evptype == EVP_rc4) { + if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { plen = EVP_X_STATE_LEN(cc->evp); if (dat == NULL) return (plen); 
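Review bot: `acss_ciph` discards the result of `acss()` and always returns 1, so when `acss()` bails out on an unknown mode the caller is told the operation succeeded while `out` has not been written. Propagate the status with `return acss(&data(ctx)->ks, inl, in, out) == 0;`. One way a bad mode can arrive is `acss_ctrl`, which stores `arg` into `ks.mode` unchecked; rejecting values outside ACSS_AUTHENTICATE..ACSS_DATA there, and a NULL `ptr` for EVP_CTRL_SET_ACSS_SUBKEY before it reaches `acss_setsubkey`, closes that path at its source.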
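Review bot: The new table entry `{ "acss@openbsd.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }` makes a cipher with a 5-byte key negotiable for SSH2, and acss.h in the same commit labels it `/* 40bit key */`. A 40-bit key space gives no meaningful confidentiality, so the entry needs a comment saying so, and it should be confirmed that the name is never placed in the default cipher proposal, which is not part of this diff. `# define EVP_CTRL_SET_ACSS_MODE xxx` gives the macro a placeholder value only to make the later `#if defined(EVP_CTRL_SET_ACSS_MODE)` true; a dedicated guard such as `# define USE_CIPHER_ACSS 1` would avoid a control constant that breaks the build as soon as its value is used. The table also lists a block size of 16 while `evp_acss()` sets `block_size = 1`; if that difference is deliberate it deserves a comment.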
@@ -417,7 +430,7 @@ cipher_set_keycontext(CipherContext *cc, u_char *dat) Cipher *c = cc->cipher; int plen; - if (c->evptype == EVP_rc4) { + if (c->evptype == EVP_rc4 || c->evptype == EVP_acss) { plen = EVP_X_STATE_LEN(cc->evp); memcpy(EVP_X_STATE(cc->evp), dat, plen); } -- cgit v1.2.3 From b21be844711ff285ba24cf70bfb2c7238f60c1cc Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 27 Jan 2004 21:20:11 +1100 Subject: - mouring@cvs.openbsd.org 2004/01/23 17:57:48 [sftp-int.c] Fix issue pointed out with ls not handling large directories with embeded paths correctly. OK damien@ --- ChangeLog | 6 +++++- sftp-int.c | 9 ++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 61b714348..8cf7e5eba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,10 @@ [cipher.c] enable acss for ssh ok deraadt@ markus@ + - mouring@cvs.openbsd.org 2004/01/23 17:57:48 + [sftp-int.c] + Fix issue pointed out with ls not handling large directories + with embeded paths correctly. OK damien@ - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS if libcrypto lacks it @@ -1746,4 +1750,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3193 2004/01/27 10:19:21 djm Exp $ +$Id: ChangeLog,v 1.3194 2004/01/27 10:20:11 djm Exp $ diff --git a/sftp-int.c b/sftp-int.c index a9423fe69..3ee57515d 100644 --- a/sftp-int.c +++ b/sftp-int.c @@ -25,7 +25,7 @@ /* XXX: recursive operations */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.66 2004/01/13 09:25:05 djm Exp $"); +RCSID("$OpenBSD: sftp-int.c,v 1.67 2004/01/23 17:57:48 mouring Exp $"); #include "buffer.h" #include "xmalloc.h" 
@@ -595,17 +595,24 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) if (!(lflag & SHORT_VIEW)) { int m = 0, width = 80; struct winsize ws; + char *tmp; /* Count entries for sort and find longest filename */ for (n = 0; d[n] != NULL; n++) m = MAX(m, strlen(d[n]->filename)); + /* Add any subpath that also needs to be counted */ + tmp = path_strip(path, strip_path); + m += strlen(tmp); + xfree(tmp); + if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) width = ws.ws_col; columns = width / (m + 2); columns = MAX(columns, 1); colspace = width / columns; + colspace = MIN(colspace, width); } qsort(d, n, sizeof(*d), sdirent_comp); -- cgit v1.2.3 From b2d1c2b3b82fbbd78ed3dce8e26a3e70fb1b9165 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 27 Jan 2004 21:20:59 +1100 Subject: - hshoexer@cvs.openbsd.org 2004/01/23 19:26:33 [cipher.c] rename acss@opebsd.org to acss@openssh.org ok deraadt@ --- ChangeLog | 6 +++++- cipher.c | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8cf7e5eba..90c575141 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ [sftp-int.c] Fix issue pointed out with ls not handling large directories with embeded paths correctly. OK damien@ + - hshoexer@cvs.openbsd.org 2004/01/23 19:26:33 + [cipher.c] + rename acss@opebsd.org to acss@openssh.org + ok deraadt@ - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS if libcrypto lacks it @@ -1750,4 +1754,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3194 2004/01/27 10:20:11 djm Exp $ +$Id: ChangeLog,v 1.3195 2004/01/27 10:20:59 djm Exp $ diff --git a/cipher.c b/cipher.c index 190b8688b..79c07ec4f 100644 --- a/cipher.c +++ b/cipher.c 
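Review bot: The added `colspace = MIN(colspace, width);` cannot change anything, because `columns` has just been forced to at least 1 and `colspace = width / columns` is therefore already no larger than `width`. The case left unguarded is a TIOCGWINSZ call that succeeds with `ws.ws_col == 0`, which makes `width` and `colspace` both 0; testing `ws.ws_col != 0` before `width = ws.ws_col;` would cover it. `m` is an `int` that now accumulates two `strlen()` results, from names that presumably come from the server and from the remote path, so either make it a `size_t` or add a comment on why it stays small; whether `path_strip()` can return NULL before `strlen(tmp)` is not visible here. do_ls_dir continues outside the hunk.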
@@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.67 2004/01/23 17:06:03 hshoexer Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.68 2004/01/23 19:26:33 hshoexer Exp $"); #include "xmalloc.h" #include "log.h" @@ -104,7 +104,7 @@ struct Cipher { { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, #endif #if defined(EVP_CTRL_SET_ACSS_MODE) - { "acss@openbsd.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }, + { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }, #endif { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL } }; -- cgit v1.2.3 From f6723f08e0b54e00f988f58ff0f1d4d8575ee7bd Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 27 Jan 2004 21:21:27 +1100 Subject: - djm@cvs.openbsd.org 2004/01/25 03:49:09 [sshconnect.c] reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785) from jclonguet AT free.fr; ok millert@ --- ChangeLog | 6 +++++- sshconnect.c | 11 ++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 90c575141..de87d774b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,10 @@ [cipher.c] rename acss@opebsd.org to acss@openssh.org ok deraadt@ + - djm@cvs.openbsd.org 2004/01/25 03:49:09 + [sshconnect.c] + reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785) + from jclonguet AT free.fr; ok millert@ - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS if libcrypto lacks it @@ -1754,4 +1758,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3195 2004/01/27 10:20:59 djm Exp $ +$Id: ChangeLog,v 1.3196 2004/01/27 10:21:27 djm Exp $ diff --git a/sshconnect.c b/sshconnect.c index 80b45c79e..dfeddd39e 100644 --- a/sshconnect.c +++ b/sshconnect.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.155 2003/12/09 21:53:37 markus Exp $"); +RCSID("$OpenBSD: sshconnect.c,v 1.156 2004/01/25 03:49:09 djm Exp $"); #include 
@@ -231,12 +231,12 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, if (timeout <= 0) return (connect(sockfd, serv_addr, addrlen)); - if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0) - return (-1); - + set_nonblock(sockfd); rc = connect(sockfd, serv_addr, addrlen); - if (rc == 0) + if (rc == 0) { + unset_nonblock(sockfd); return (0); + } if (errno != EINPROGRESS) return (-1); @@ -277,6 +277,7 @@ timeout_connect(int sockfd, const struct sockaddr *serv_addr, break; } result = 0; + unset_nonblock(sockfd); break; default: /* Should not occur */ -- cgit v1.2.3 From ec69203e45b8f567153a6e55396b048a67276d9b Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 27 Jan 2004 21:22:00 +1100 Subject: - djm@cvs.openbsd.org 2004/01/27 10:08:10 [sftp.c] reorder parsing so user:skey@host:file works (bugzilla #777) patch from admorten AT umich.edu; ok markus@ --- ChangeLog | 6 +++++- sftp.c | 12 ++++++------ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index de87d774b..50acfb04e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,10 @@ [sshconnect.c] reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785) from jclonguet AT free.fr; ok millert@ + - djm@cvs.openbsd.org 2004/01/27 10:08:10 + [sftp.c] + reorder parsing so user:skey@host:file works (bugzilla #777) + patch from admorten AT umich.edu; ok markus@ - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS if libcrypto lacks it @@ -1758,4 +1762,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3196 2004/01/27 10:21:27 djm Exp $ +$Id: ChangeLog,v 1.3197 2004/01/27 10:22:00 djm Exp $ diff --git a/sftp.c b/sftp.c index 0be27887f..fef28c3b7 100644 --- a/sftp.c +++ b/sftp.c 
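Review bot: Replacing `if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0) return (-1);` with a bare `set_nonblock(sockfd);` drops the only failure check on entering non-blocking mode. The helper's definition is not in this hunk, so whether it reports failure is unverified, but if it fails silently `connect()` will block and the ConnectTimeout is not enforced. If `set_nonblock()` returns a status it should be tested here; otherwise a comment should state that failure is handled inside the helper and deliberately ignored. `unset_nonblock(sockfd)` is added on the two success paths only, which looks intended since the other paths return -1, but a one-line comment that the socket is presumably closed by the caller on error would make that explicit. timeout_connect begins and ends outside both hunks.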
@@ -24,7 +24,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.40 2004/01/21 03:07:59 djm Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.41 2004/01/27 10:08:10 djm Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -212,11 +212,6 @@ main(int argc, char **argv) userhost = xstrdup(argv[optind]); file2 = argv[optind+1]; - if ((cp = colon(userhost)) != NULL) { - *cp++ = '\0'; - file1 = cp; - } - if ((host = strrchr(userhost, '@')) == NULL) host = userhost; else { @@ -228,6 +223,11 @@ main(int argc, char **argv) addargs(&args, "-l%s",userhost); } + if ((cp = colon(host)) != NULL) { + *cp++ = '\0'; + file1 = cp; + } + host = cleanhostname(host); if (!*host) { fprintf(stderr, "Missing hostname\n"); -- cgit v1.2.3 From 4f9f6794c599c67c6ae6647ab5820cd1e36fca0d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 28 Jan 2004 12:26:14 +1100 Subject: - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ --- ChangeLog | 5 ++++- regress/README.regress | 10 +++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 50acfb04e..4d54861c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20040128 + - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ + 20040127 - (djm) OpenBSD CVS Sync - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03 @@ -1762,4 +1765,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3197 2004/01/27 10:22:00 djm Exp $ +$Id: ChangeLog,v 1.3198 2004/01/28 01:26:14 dtucker Exp $ diff --git a/regress/README.regress b/regress/README.regress index 48048ab12..b479c6c07 100644 --- a/regress/README.regress +++ b/regress/README.regress 
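Review bot: With `colon()` moved below the `strrchr(userhost, '@')` split in the second sftp.c hunk, the search for '@' now runs over the whole argument, remote path included. An argument such as `host:dir/file@name` therefore appears to be split at the '@' in the path, so `-l` receives `host:dir/file` and the connection goes to a host the user did not name; before the reorder the path was cut off first. At minimum the trade-off should be recorded next to the new block, e.g. `/* user@ is split first so "user:skey@host:file" works; an '@' in the remote path is therefore read as the user separator */`, and a regress case with '@' in the path would pin the behaviour. main starts and ends outside the hunk.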
@@ -82,5 +82,13 @@ Failed tests can be difficult to diagnose. Suggestions: Known Issues. +- If you build with tcpwrappers and try to run the regression tests, + your hosts.allow must permit connections from localhost and from + "unknown". This is because some tests are performed via the loopback + interface, while others are done with "sshd -i" as a ProxyCommand. In + the latter case, when sshd calls getpeername() on the socket it will + fail (because it's not a tcp socket) and will be identified as + "unknown", which is then checked against tcpwrappers. -$Id: README.regress,v 1.2 2004/01/26 17:37:09 tim Exp $ + +$Id: README.regress,v 1.3 2004/01/28 01:26:14 dtucker Exp $ -- cgit v1.2.3 From 77970695deb9f7b05552b03b1f5264f821256438 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 28 Jan 2004 15:44:04 +1100 Subject: - (dtucker) [moduli] Import new moduli file from OpenBSD. --- ChangeLog | 3 +- moduli | 340 ++++++++++++++++++++++++++++++++++---------------------------- 2 files changed, 186 insertions(+), 157 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4d54861c1..62f18d09a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ 20040128 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ + - (dtucker) [moduli] Import new moduli file from OpenBSD. 20040127 - (djm) OpenBSD CVS Sync @@ -1765,4 +1766,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3198 2004/01/28 01:26:14 dtucker Exp $ +$Id: ChangeLog,v 1.3199 2004/01/28 04:44:04 dtucker Exp $ diff --git a/moduli b/moduli index 6b94e2e23..52639d336 100644 --- a/moduli +++ b/moduli @@ -1,158 +1,186 @@ -# $OpenBSD: moduli,v 1.1 2001/06/22 22:07:54 provos Exp $ +# $OpenBSD: moduli,v 1.2 2004/01/28 04:44:00 dtucker Exp $ # Time Type Tests Tries Size Generator Modulus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cgit v1.2.3 
From 22991ba2e2da92eda0cd2580022323fef8bea2c2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 30 Jan 2004 12:58:51 +1100 Subject: - dtucker@cvs.openbsd.org 2003/10/11 11:49:49 [Makefile banner.sh] Test missing banner file, suppression of banner with ssh -q, check return code from ssh. ok markus@ --- ChangeLog | 9 ++++++++- regress/Makefile | 4 ++-- regress/banner.sh | 25 ++++++++++++++++++++----- 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 62f18d09a..6e7bdc2e4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20040129 + - (dtucker) OpenBSD CVS Sync regress/ + - dtucker@cvs.openbsd.org 2003/10/11 11:49:49 + [Makefile banner.sh] + Test missing banner file, suppression of banner with ssh -q, check return + code from ssh. ok markus@ + 20040128 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ - (dtucker) [moduli] Import new moduli file from OpenBSD. @@ -1766,4 +1773,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3199 2004/01/28 04:44:04 dtucker Exp $ +$Id: ChangeLog,v 1.3200 2004/01/30 01:58:51 dtucker Exp $ diff --git a/regress/Makefile b/regress/Makefile index da4a6731c..76e28d36d 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.25 2003/10/07 01:52:13 dtucker Exp $ +# $OpenBSD: Makefile,v 1.26 2003/10/11 11:49:49 dtucker Exp $ REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec tests: $(REGRESS_TARGETS) @@ -41,7 +41,7 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \ ssh_config ssh_proxy sshd_config sshd_proxy \ rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \ rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ - ls.copy banner.in banner.out remote_pid + ls.copy banner.in banner.out empty.in remote_pid #LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp 
diff --git a/regress/banner.sh b/regress/banner.sh index 0f6a68dff..0b9c95007 100644 --- a/regress/banner.sh +++ b/regress/banner.sh @@ -1,13 +1,21 @@ -# $OpenBSD: banner.sh,v 1.1 2003/10/07 01:52:13 dtucker Exp $ +# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $ # Placed in the Public Domain. tid="banner" echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy +rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in +touch $OBJ/empty.in + +trace "test missing banner file" +verbose "test $tid: missing banner file" +( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/empty.in $OBJ/banner.out ) || \ + fail "missing banner file" + for s in 0 10 100 1000 10000 100000 ; do if [ "$s" = "0" ]; then # create empty banner - rm -f $OBJ/banner.in touch $OBJ/banner.in elif [ "$s" = "10" ]; then # create 10-byte banner file @@ -22,8 +30,15 @@ for s in 0 10 100 1000 10000 100000 ; do trace "test banner size $s" verbose "test $tid: size $s" - ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out - cmp $OBJ/banner.in $OBJ/banner.out || fail "banner size $s mismatch" + ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/banner.in $OBJ/banner.out ) || \ + fail "banner size $s mismatch" done -rm -f $OBJ/banner.out $OBJ/banner.in +trace "test suppress banner (-q)" +verbose "test $tid: suppress banner (-q)" +( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \ + cmp $OBJ/empty.in $OBJ/banner.out ) || \ + fail "suppress banner (-q)" + +rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in -- cgit v1.2.3 From 633f3e0dd06a466188f0d9ada921b02d94e6a338 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 30 Jan 2004 13:00:29 +1100 Subject: - jmc@cvs.openbsd.org 2003/11/07 10:16:44 [ssh-com.sh] adress -> address, and a few more; all from Jonathon Gray; --- ChangeLog | 5 ++++- regress/ssh-com.sh | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 6e7bdc2e4..65235295e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ [Makefile banner.sh] Test missing banner file, suppression of banner with ssh -q, check return code from ssh. ok markus@ + - jmc@cvs.openbsd.org 2003/11/07 10:16:44 + [ssh-com.sh] + adress -> address, and a few more; all from Jonathon Gray; 20040128 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ @@ -1773,4 +1776,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3200 2004/01/30 01:58:51 dtucker Exp $ +$Id: ChangeLog,v 1.3201 2004/01/30 02:00:29 dtucker Exp $ diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh index 78ae6e9e1..c3715a242 100644 --- a/regress/ssh-com.sh +++ b/regress/ssh-com.sh @@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com.sh,v 1.5 2003/05/14 22:08:27 markus Exp $ +# $OpenBSD: ssh-com.sh,v 1.6 2003/11/07 10:16:44 jmc Exp $ # Placed in the Public Domain. tid="connect to ssh.com server" @@ -29,7 +29,7 @@ SRC=`dirname ${SCRIPT}` # ssh.com cat << EOF > $OBJ/sshd2_config #*: - # Port and ListenAdress are not used. + # Port and ListenAddress are not used. QuietMode yes Port 4343 ListenAddress 127.0.0.1 -- cgit v1.2.3 From 46662bfc21dad33f8d7c05206bae15f79abe5b5f Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 30 Jan 2004 13:02:55 +1100 Subject: - djm@cvs.openbsd.org 2004/01/13 09:49:06 [sftp-batch.sh] don't delete thyself when running without obj/ ; ok markus@ --- ChangeLog | 5 ++++- regress/sftp-batch.sh | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 65235295e..038eb1e71 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -7,6 +7,9 @@ - jmc@cvs.openbsd.org 2003/11/07 10:16:44 [ssh-com.sh] adress -> address, and a few more; all from Jonathon Gray; + - djm@cvs.openbsd.org 2004/01/13 09:49:06 + [sftp-batch.sh] + don't delete thyself when running without obj/ ; ok markus@ 20040128 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ @@ -1776,4 +1779,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3201 2004/01/30 02:00:29 dtucker Exp $ +$Id: ChangeLog,v 1.3202 2004/01/30 02:02:55 dtucker Exp $ diff --git a/regress/sftp-batch.sh b/regress/sftp-batch.sh index f648eae80..365c47cfc 100644 --- a/regress/sftp-batch.sh +++ b/regress/sftp-batch.sh @@ -1,11 +1,11 @@ -# $OpenBSD: sftp-batch.sh,v 1.2 2003/01/10 07:52:41 djm Exp $ +# $OpenBSD: sftp-batch.sh,v 1.3 2004/01/13 09:49:06 djm Exp $ # Placed in the Public Domain. tid="sftp batchfile" DATA=/bin/ls${EXEEXT} COPY=${OBJ}/copy -BATCH=${OBJ}/sftp-batch.tmp +BATCH=${OBJ}/sftp.bb rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.* -- cgit v1.2.3 From dcc736b7de2206c391e46289f096f60426f7d418 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 30 Jan 2004 14:20:59 +1100 Subject: - (dtucker) [configure.ac] Add --without-zlib-version-check. Feedback from tim@, ok several --- ChangeLog | 5 +++-- configure.ac | 24 +++++++++++++++++++++--- 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index 038eb1e71..c540d7517 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,7 +9,8 @@ adress -> address, and a few more; all from Jonathon Gray; - djm@cvs.openbsd.org 2004/01/13 09:49:06 [sftp-batch.sh] - don't delete thyself when running without obj/ ; ok markus@ + - (dtucker) [configure.ac] Add --without-zlib-version-check. Feedback from + tim@, ok several 20040128 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ 
@@ -1779,4 +1780,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3202 2004/01/30 02:02:55 dtucker Exp $ +$Id: ChangeLog,v 1.3203 2004/01/30 03:20:59 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 3b04182d5..c037ee7c8 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.189 2004/01/27 03:03:39 tim Exp $ +# $Id: configure.ac,v 1.190 2004/01/30 03:20:59 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -580,6 +580,15 @@ AC_CHECK_LIB(z, deflate, , ] ) AC_CHECK_HEADER([zlib.h], ,AC_MSG_ERROR([*** zlib.h missing - please install first or check config.log ***])) + +AC_ARG_WITH(zlib-version-check, + [ --without-zlib-version-check Disable zlib version check], + [ if test "x$withval" = "xno" ; then + zlib_check_nonfatal=1 + fi + ] +) + AC_MSG_CHECKING(for zlib 1.1.4 or greater) AC_TRY_RUN([ #include @@ -596,9 +605,18 @@ int main() ], AC_MSG_RESULT(yes), [ AC_MSG_RESULT(no) - AC_MSG_ERROR([*** zlib too old - check config.log ***]) ] + if test -z "$zlib_check_nonfatal" ; then + AC_MSG_ERROR([*** zlib too old - check config.log *** +Your reported zlib version has known security problems. It's possible your +vendor has fixed these problems without changing the version number. If you +are sure this is the case, you can disable the check by running +"./configure --without-zlib-version-check". +If you are in doubt, upgrade zlib to version 1.1.4 or greater.]) + else + AC_MSG_WARN([zlib version may have security problems]) + fi + ] ) - dnl UnixWare 2.x AC_CHECK_FUNC(strcasecmp, -- cgit v1.2.3 From 2df334380b54922097745bdb6f98f20342b10fbd Mon Sep 17 00:00:00 2001 
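Review bot: `zlib_check_nonfatal` is assigned only inside the new `AC_ARG_WITH(zlib-version-check, ...)` action and is never initialised, yet the second configure.ac hunk decides between `AC_MSG_ERROR` and `AC_MSG_WARN` with `test -z "$zlib_check_nonfatal"`. A variable of that name inherited from the build environment would downgrade the zlib security check to a warning without `--without-zlib-version-check` ever being passed. Setting `zlib_check_nonfatal=""` on the line before `AC_ARG_WITH(zlib-version-check,` closes that gap. Because the `AC_MSG_WARN` is easy to miss in configure output, it would also help to repeat the override in the final configuration summary.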
From: Darren Tucker Date: Fri, 30 Jan 2004 14:34:21 +1100 Subject: - (dtucker) [configure.ac openbsd-compat/bsd-cray.c openbsd-compat/bsd-cray.h] Bug #775: Cray fixes from wendy at cray.com --- CREDITS | 3 +- ChangeLog | 4 +- configure.ac | 14 +++++- openbsd-compat/bsd-cray.c | 109 ++++++++++++++++++++++++++++++---------------- openbsd-compat/bsd-cray.h | 3 +- 5 files changed, 90 insertions(+), 43 deletions(-) diff --git a/CREDITS b/CREDITS index 86b20ebce..fe6270c97 100644 --- a/CREDITS +++ b/CREDITS @@ -88,11 +88,12 @@ Tom Bertelson's - AIX auth fixes Tor-Ake Fransson - AIX support Tudor Bosman - MD5 password support Udo Schweigert - ReliantUNIX support +Wendy Palm - Cray fixes. Zack Weinberg - GNOME askpass enhancement Apologies to anyone I have missed. Damien Miller -$Id: CREDITS,v 1.75 2003/11/21 12:48:55 djm Exp $ +$Id: CREDITS,v 1.76 2004/01/30 03:34:21 dtucker Exp $ diff --git a/ChangeLog b/ChangeLog index c540d7517..dd50a9c26 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,8 @@ [sftp-batch.sh] - (dtucker) [configure.ac] Add --without-zlib-version-check. Feedback from tim@, ok several + - (dtucker) [configure.ac openbsd-compat/bsd-cray.c openbsd-compat/bsd-cray.h] + Bug #775: Cray fixes from wendy at cray.com 20040128 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ @@ -1780,4 +1782,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3203 2004/01/30 03:20:59 dtucker Exp $ +$Id: ChangeLog,v 1.3204 2004/01/30 03:34:21 dtucker Exp $ diff --git a/configure.ac b/configure.ac index c037ee7c8..97ef89a16 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.190 2004/01/30 03:20:59 dtucker Exp $ +# $Id: configure.ac,v 1.191 2004/01/30 03:34:22 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -360,6 +360,10 @@ mips-sony-bsd|mips-sony-newsos4) MANTYPE=man ;; *-*-unicosmk*) + AC_DEFINE(NO_SSH_LASTLOG) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) LDFLAGS="$LDFLAGS" @@ -367,14 +371,20 @@ mips-sony-bsd|mips-sony-newsos4) MANTYPE=cat ;; *-*-unicosmp*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(WITH_ABBREV_NO_TTY) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) LDFLAGS="$LDFLAGS" - LIBS="$LIBS -lgen -lacid" + LIBS="$LIBS -lgen -lacid -ldb" MANTYPE=cat ;; *-*-unicos*) + AC_DEFINE(SETEUID_BREAKS_SETUID) + AC_DEFINE(BROKEN_SETREUID) + AC_DEFINE(BROKEN_SETREGID) AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_FD_PASSING) AC_DEFINE(NO_SSH_LASTLOG) diff --git a/openbsd-compat/bsd-cray.c b/openbsd-compat/bsd-cray.c index f2ac428cc..f630366be 100644 --- a/openbsd-compat/bsd-cray.c +++ b/openbsd-compat/bsd-cray.c @@ -1,5 +1,5 @@ /* - * $Id: bsd-cray.c,v 1.12 2003/06/03 02:45:27 dtucker Exp $ + * $Id: bsd-cray.c,v 1.13 2004/01/30 03:34:22 dtucker Exp $ * * bsd-cray.c * @@ -59,6 +59,28 @@ #include #include #include "ssh.h" + +#include "includes.h" +#include "sys/types.h" + +#ifndef HAVE_STRUCT_SOCKADDR_STORAGE +# define _SS_MAXSIZE 128 /* Implementation specific max size */ +# define _SS_PADSIZE (_SS_MAXSIZE - sizeof (struct sockaddr)) + +# define ss_family ss_sa.sa_family +#endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */ + +#ifndef IN6_IS_ADDR_LOOPBACK +# define IN6_IS_ADDR_LOOPBACK(a) \ + (((u_int32_t *) (a))[0] == 0 && ((u_int32_t *) (a))[1] == 0 && \ + ((u_int32_t *) (a))[2] == 0 && ((u_int32_t *) (a))[3] == htonl (1)) +#endif /* !IN6_IS_ADDR_LOOPBACK */ + +#ifndef AF_INET6 +/* Define it to something that should never appear */ +#define AF_INET6 AF_MAX +#endif + #include "log.h" #include "servconf.h" #include "bsd-cray.h" 
@@ -182,7 +204,7 @@ cray_setup (uid_t uid, char *username, const char *command) /* passwd stuff for ia_user */ passwd_t pwdacm, pwddialup, pwdudb, pwdwal, pwddce; ia_user_ret_t uret; /* stuff returned from ia_user */ - ia_user_t usent /* ia_user main structure */ + ia_user_t usent; /* ia_user main structure */ int ia_rcode; /* ia_user return code */ ia_failure_t fsent; /* ia_failure structure */ ia_failure_ret_t fret; /* ia_failure return stuff */ 
@@ -501,54 +523,54 @@ cray_setup (uid_t uid, char *username, const char *command) break; default: valid_acct = nam2acid(acct_name); - if (valid_acct == -1) { + if (valid_acct == -1) printf( "Account id not found for" " account name \"%s\"\n\n", acct_name); break; - } - /* - * If an account was given, search the user's - * acids array to verify they can use this account. - */ - if ((valid_acct != -1) && - !(ue.ue_permbits & PERMBITS_ACCTID)) { - for (i = 0; i < MAXVIDS; i++) { - if (ue.ue_acids[i] == -1) - break; - if (valid_acct == ue.ue_acids[i]) - break; - } - if (i == MAXVIDS || - ue.ue_acids[i] == -1) { - fprintf(stderr, "Cannot set" - " account name to " - "\"%s\", permission " - "denied\n\n", acct_name); - valid_acct = -1; - } - } } - } else { /* - * The client isn't connected to a terminal and can't - * respond to an acid prompt. Use default acid. + * If an account was given, search the user's + * acids array to verify they can use this account. */ - debug("cray_setup: ttyname false case, %.100s", - ttyname); - valid_acct = ue.ue_acids[0]; + if ((valid_acct != -1) && + !(ue.ue_permbits & PERMBITS_ACCTID)) { + for (i = 0; i < MAXVIDS; i++) { + if (ue.ue_acids[i] == -1) + break; + if (valid_acct == ue.ue_acids[i]) + break; + } + if (i == MAXVIDS || + ue.ue_acids[i] == -1) { + fprintf(stderr, "Cannot set" + " account name to " + "\"%s\", permission " + "denied\n\n", acct_name); + valid_acct = -1; + } + } } } else { /* - * The user doesn't have the askacid permbit set or - * only has one valid account to use. + * The client isn't connected to a terminal and can't + * respond to an acid prompt. Use default acid. */ + debug("cray_setup: ttyname false case, %.100s", + ttyname); valid_acct = ue.ue_acids[0]; } - if (acctid(0, valid_acct) < 0) { - printf ("Bad account id: %d\n", valid_acct); - exit(1); + } else { + /* + * The user doesn't have the askacid permbit set or + * only has one valid account to use. 
+ */ + valid_acct = ue.ue_acids[0]; + } + if (acctid(0, valid_acct) < 0) { + printf ("Bad account id: %d\n", valid_acct); + exit(1); } /* @@ -778,4 +800,17 @@ cray_set_tmpdir(struct utmp *ut) ut->ut_jid = jid; strncpy(ut->ut_tpath, cray_tmpdir, TPATHSIZ); } -#endif +#endif /* UNICOS */ + +#ifdef _UNICOSMP +#include +/* + * Set job id and create tmpdir directory. + */ +void +cray_init_job(struct passwd *pw) +{ + initrm_silent(pw->pw_uid); + return; +} +#endif /* _UNICOSMP */ diff --git a/openbsd-compat/bsd-cray.h b/openbsd-compat/bsd-cray.h index a121ea152..de6ba1a8d 100644 --- a/openbsd-compat/bsd-cray.h +++ b/openbsd-compat/bsd-cray.h @@ -1,4 +1,4 @@ -/* $Id: bsd-cray.h,v 1.10 2003/08/29 16:59:52 mouring Exp $ */ +/* $Id: bsd-cray.h,v 1.11 2004/01/30 03:34:22 dtucker Exp $ */ /* * Copyright (c) 2002, Cray Inc. (Wendy Palm ) @@ -53,7 +53,6 @@ extern char cray_tmpdir[]; # define MAXHOSTNAMELEN 64 #endif #ifndef _CRAYT3E -# include # define TIOCGPGRP (tIOC|20) #endif -- cgit v1.2.3 From 6f737f422cb7b4e64024a129dc37c4a57150279b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 30 Jan 2004 15:00:50 +1100 Subject: Minor wording change --- CREDITS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CREDITS b/CREDITS index fe6270c97..a1aec3c1c 100644 --- a/CREDITS +++ b/CREDITS @@ -88,12 +88,12 @@ Tom Bertelson's - AIX auth fixes Tor-Ake Fransson - AIX support Tudor Bosman - MD5 password support Udo Schweigert - ReliantUNIX support -Wendy Palm - Cray fixes. +Wendy Palm - Cray support. Zack Weinberg - GNOME askpass enhancement Apologies to anyone I have missed. Damien Miller -$Id: CREDITS,v 1.76 2004/01/30 03:34:21 dtucker Exp $ +$Id: CREDITS,v 1.77 2004/01/30 04:00:50 dtucker Exp $ -- cgit v1.2.3 From 9976246dfd175829f2a1bed0beeb5229a82d9492 Mon Sep 17 00:00:00 2001 
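Review bot: In the `default:` case of the bsd-cray.c `@@ -501,54 +523,54 @@` hunk, dropping the braces from `if (valid_acct == -1)` leaves the following `break;` unconditional, although it still reads as part of the error branch. Behaviour looks unchanged, since the acid permission check now sits after the switch, but this code decides which account id reaches `acctid(0, valid_acct)`, and an unbraced `if` followed by a stray statement is easy to break in a later edit. I would keep the braces around the `printf(...)` and put `break;` on its own line at the case's level, with a comment such as `/* permission check on valid_acct follows the switch */`. Indentation is not recoverable from this page, and cray_setup begins and ends outside the hunk.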
From: Darren Tucker Date: Fri, 6 Feb 2004 15:22:43 +1100 Subject: - (dtucker) [acss.c acss.h] Fix $Id tags. --- ChangeLog | 5 ++++- acss.c | 2 +- acss.h | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index dd50a9c26..b5c905044 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20040206 + - (dtucker) [acss.c acss.h] Fix $Id tags. + 20040129 - (dtucker) OpenBSD CVS Sync regress/ - dtucker@cvs.openbsd.org 2003/10/11 11:49:49 @@ -1782,4 +1785,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3204 2004/01/30 03:34:21 dtucker Exp $ +$Id: ChangeLog,v 1.3205 2004/02/06 04:22:43 dtucker Exp $ diff --git a/acss.c b/acss.c index 65f5fa164..9364ba9fe 100644 --- a/acss.c +++ b/acss.c @@ -1,4 +1,4 @@ -/* $Id: */ +/* $Id: acss.c,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */ /* * Copyright (c) 2004 The OpenBSD project * diff --git a/acss.h b/acss.h index fc6344dc8..91b489542 100644 --- a/acss.h +++ b/acss.h @@ -1,4 +1,4 @@ -/* $Id: */ +/* $Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */ /* * Copyright (c) 2004 The OpenBSD project * -- cgit v1.2.3 From 6977fe742b363b84822afd45c9b2ef36f16e0ae3 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 15:26:10 +1100 Subject: - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with OpenSSL >= 0.9.7. ok djm@ --- ChangeLog | 4 +++- cipher-acss.c | 4 ++-- cipher.c | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index b5c905044..aaae0204d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,7 @@ 20040206 - (dtucker) [acss.c acss.h] Fix $Id tags. + - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with + OpenSSL >= 0.9.7. ok djm@ 20040129 - (dtucker) OpenBSD CVS Sync regress/ 
@@ -1785,4 +1787,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3205 2004/02/06 04:22:43 dtucker Exp $ +$Id: ChangeLog,v 1.3206 2004/02/06 04:26:10 dtucker Exp $ diff --git a/cipher-acss.c b/cipher-acss.c index e2e3a4060..3a966a74d 100644 --- a/cipher-acss.c +++ b/cipher-acss.c @@ -17,9 +17,9 @@ #include "includes.h" #include -RCSID("$Id: cipher-acss.c,v 1.1 2004/01/27 10:19:22 djm Exp $"); +RCSID("$Id: cipher-acss.c,v 1.2 2004/02/06 04:26:11 dtucker Exp $"); -#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L) +#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) #include "acss.h" diff --git a/cipher.c b/cipher.c index 79c07ec4f..8744cb7b7 100644 --- a/cipher.c +++ b/cipher.c @@ -54,7 +54,7 @@ extern void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); #endif #if !defined(EVP_CTRL_SET_ACSS_MODE) -# if (OPENSSL_VERSION_NUMBER >= 0x00906000L) +# if (OPENSSL_VERSION_NUMBER >= 0x00907000L) extern const EVP_CIPHER *evp_acss(void); # define EVP_acss evp_acss # define EVP_CTRL_SET_ACSS_MODE xxx /* used below */ -- cgit v1.2.3 From ef3a4a208c4bd711f7c4131e3bb293313652450d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 15:30:50 +1100 Subject: - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root user, since some modules might fail due to lack of privilege. ok djm@ --- ChangeLog | 4 +++- session.c | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index aaae0204d..02d50cbed 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -2,6 +2,8 @@ - (dtucker) [acss.c acss.h] Fix $Id tags. - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with OpenSSL >= 0.9.7. ok djm@ + - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root + user, since some modules might fail due to lack of privilege. ok djm@ 20040129 - (dtucker) OpenBSD CVS Sync regress/ @@ -1787,4 +1789,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3206 2004/02/06 04:26:10 dtucker Exp $ +$Id: ChangeLog,v 1.3207 2004/02/06 04:30:50 dtucker Exp $ diff --git a/session.c b/session.c index 3a6d1a028..02c5dca9b 100644 --- a/session.c +++ b/session.c @@ -519,7 +519,8 @@ do_exec_pty(Session *s, const char *command) #if defined(USE_PAM) if (options.use_pam) { do_pam_set_tty(s->tty); - do_pam_setcred(1); + if (!use_privsep) + do_pam_setcred(1); } #endif -- cgit v1.2.3 From f58fb7e727895b8f66ed9914ca0a04913f2b56c1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 15:59:06 +1100 Subject: - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO for HP-UX 11.11. If there are known-good configs where this is not required, please report them. ok djm@ --- ChangeLog | 5 ++++- configure.ac | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 02d50cbed..7ce9e0233 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ OpenSSL >= 0.9.7. ok djm@ - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root user, since some modules might fail due to lack of privilege. ok djm@ + - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO + for HP-UX 11.11. If there are known-good configs where this is not + required, please report them. ok djm@ 20040129 - (dtucker) OpenBSD CVS Sync regress/ 
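Review bot: The new guard in the session.c hunk tests `use_privsep`, while the commit message gives the reason as "do not call do_pam_setcred as a non-root user"; the condition and the stated reason are only equivalent if this path always runs unprivileged under privilege separation. Nothing in the hunk shows where PAM credentials are established for a pty session once this call is skipped, so modules that set up tickets or supplementary groups in setcred may not take effect; that needs confirming against the privileged side. A comment should carry the reasoning, e.g. `/* under privsep this runs without root; setcred is expected to have been done by the monitor */`, worded to match wherever that actually happens. do_exec_pty starts and ends outside the hunk.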
@@ -1789,4 +1792,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3207 2004/02/06 04:30:50 dtucker Exp $ +$Id: ChangeLog,v 1.3208 2004/02/06 04:59:06 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 97ef89a16..768b174b2 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.191 2004/01/30 03:34:22 dtucker Exp $ +# $Id: configure.ac,v 1.192 2004/02/06 04:59:06 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -192,6 +192,10 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) + case "$host" in + *-*-hpux11.11*) + AC_DEFINE(BROKEN_GETADDRINFO);; + esac LIBS="$LIBS -lsec" AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; -- cgit v1.2.3 From ecc9d46dc53cddb5a220f89e6160b3ca6178bb9c Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 16:04:08 +1100 Subject: - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent accidentally inheriting from root's environment. ok djm@ --- ChangeLog | 4 +++- sshd.c | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 7ce9e0233..4db097614 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,8 @@ - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO for HP-UX 11.11. If there are known-good configs where this is not required, please report them. ok djm@ + - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent + accidentally inheriting from root's environment. ok djm@ 20040129 - (dtucker) OpenBSD CVS Sync regress/ 
@@ -1792,4 +1794,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3208 2004/02/06 04:59:06 dtucker Exp $ +$Id: ChangeLog,v 1.3209 2004/02/06 05:04:08 dtucker Exp $ diff --git a/sshd.c b/sshd.c index ab029b00f..ebb44db75 100644 --- a/sshd.c +++ b/sshd.c @@ -101,6 +101,7 @@ extern char *__progname; #else char *__progname; #endif +extern char **environ; /* Server configuration options. */ ServerOptions options; @@ -1101,6 +1102,11 @@ main(int ac, char **av) unmounted if desired. */ chdir("/"); +#ifndef HAVE_CYGWIN + /* Clear environment */ + environ[0] = NULL; +#endif + /* ignore SIGPIPE */ signal(SIGPIPE, SIG_IGN); -- cgit v1.2.3 From e45674ae8026b9399fc0778a7e964efbcd093689 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 16:17:51 +1100 Subject: - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Restore previous authdb setting after auth calls. Fixes problems with setpcred failing on accounts that use AFS or NIS password registries. --- ChangeLog | 5 ++++- openbsd-compat/port-aix.c | 44 +++++++++++++++++++++++++++++++++----------- openbsd-compat/port-aix.h | 11 ++++++++++- 3 files changed, 47 insertions(+), 13 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4db097614..8d9a94651 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,9 @@ required, please report them. ok djm@ - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent accidentally inheriting from root's environment. ok djm@ + - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Restore + previous authdb setting after auth calls. Fixes problems with setpcred + failing on accounts that use AFS or NIS password registries. 20040129 - (dtucker) OpenBSD CVS Sync regress/ 
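Review bot: `environ[0] = NULL;` in the second sshd.c hunk dereferences `environ` without checking it, so a daemon started with a null environment pointer would fault here; `if (environ != NULL) environ[0] = NULL;` avoids that. The comment `/* Clear environment */` also leaves out the two things a maintainer needs: that the goal is to stop sessions inheriting root's variables (per the commit message), and why Cygwin is excluded. Anything the daemon or its libraries read from the environment after this point (time zone, locale, Kerberos settings) is dropped too, which is worth stating if it is intentional. main starts and ends outside the hunk.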
@@ -1794,4 +1797,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3209 2004/02/06 05:04:08 dtucker Exp $ +$Id: ChangeLog,v 1.3210 2004/02/06 05:17:51 dtucker Exp $ diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index a9cbf49b0..6fc2ef771 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -39,6 +39,10 @@ extern ServerOptions options; extern Buffer loginmsg; +# ifdef HAVE_SETAUTHDB +static char old_registry[REGISTRY_SIZE] = ""; +# endif + /* * AIX has a "usrinfo" area where logname and other stuff is stored - * a few applications actually use this and die if it's not set @@ -119,6 +123,7 @@ aix_authenticate(const char *name, const char *password, const char *host) xfree(msg); } } + aix_restoreauthdb(); } if (authmsg != NULL) @@ -145,22 +150,21 @@ record_failed_login(const char *user, const char *ttyname) # else loginfailed((char *)user, hostname, (char *)ttyname); # endif + aix_restoreauthdb(); } # endif /* CUSTOM_FAILED_LOGIN */ /* * If we have setauthdb, retrieve the password registry for the user's - * account then feed it to setauthdb. This may load registry-specific method - * code. If we don't have setauthdb or have already called it this is a no-op. + * account then feed it to setauthdb. This will mean that subsequent AIX auth + * functions will only use the specified loadable module. If we don't have + * setauthdb this is a no-op. */ void aix_setauthdb(const char *user) { # ifdef HAVE_SETAUTHDB - static char *registry = NULL; - - if (registry != NULL) /* have already done setauthdb */ - return; + char *registry; if (setuserdb(S_READ) == -1) { debug3("%s: Could not open userdb to read", __func__); 
@@ -168,12 +172,11 @@ aix_setauthdb(const char *user) } if (getuserattr((char *)user, S_REGISTRY, ®istry, SEC_CHAR) == 0) { - if (setauthdb(registry, NULL) == 0) - debug3("%s: AIX/setauthdb set registry %s", __func__, - registry); + if (setauthdb(registry, old_registry) == 0) + debug3("AIX/setauthdb set registry '%s'", registry); else - debug3("%s: AIX/setauthdb set registry %s failed: %s", - __func__, registry, strerror(errno)); + debug3("AIX/setauthdb set registry '%s' failed: %s", + registry, strerror(errno)); } else debug3("%s: Could not read S_REGISTRY for user: %s", __func__, strerror(errno)); @@ -181,6 +184,25 @@ aix_setauthdb(const char *user) # endif /* HAVE_SETAUTHDB */ } +/* + * Restore the user's registry settings from old_registry. + * Note that if the first aix_setauthdb fails, setauthdb("") is still safe + * (it restores the system default behaviour). If we don't have setauthdb, + * this is a no-op. + */ +void +aix_restoreauthdb(void) +{ +# ifdef HAVE_SETAUTHDB + if (setauthdb(old_registry, NULL) == 0) + debug3("%s: restoring old registry '%s'", __func__, + old_registry); + else + debug3("%s: failed to restore old registry %s", __func__, + old_registry); +# endif /* HAVE_SETAUTHDB */ +} + # endif /* WITH_AIXAUTHENTICATE */ #endif /* _AIX */ diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 975cdf051..930b3f248 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.16 2003/11/22 03:16:57 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */ /* * @@ -51,6 +51,14 @@ # include #endif +/* + * According to the setauthdb man page, AIX password registries must be 15 + * chars or less plus terminating NUL. + */ +#ifdef HAVE_SETAUTHDB +# define REGISTRY_SIZE 16 +#endif + void aix_usrinfo(struct passwd *); #ifdef WITH_AIXAUTHENTICATE 
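Review bot: With the `static char *registry` guard removed from aix_setauthdb, every call now overwrites the file-scope `old_registry` via `setauthdb(registry, old_registry)`. Two calls without an `aix_restoreauthdb()` in between therefore save the per-user registry rather than the original one, and the later restore no longer returns to the system default. The hunks add the restore in aix_authenticate and record_failed_login, but callers of aix_setauthdb elsewhere are not visible here and should be checked for the same pairing. `old_registry` is a fixed `REGISTRY_SIZE` (16) buffer filled by a call that takes no length, so its safety rests on the man-page limit quoted in port-aix.h; a comment at the call, e.g. `/* setauthdb writes at most 15 chars + NUL into old_registry (see port-aix.h) */`, would make that dependency visible. The restore failure path should also log `strerror(errno)` as the set path does.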
@@ -60,5 +68,6 @@ void record_failed_login(const char *, const char *); int aix_authenticate(const char *, const char *, const char *); void aix_setauthdb(const char *); +void aix_restoreauthdb(void); void aix_remove_embedded_newlines(char *); #endif /* _AIX */ -- cgit v1.2.3 From 819d4526ca01cdb1e226df8b00c606c537e3e1f7 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 16:18:47 +1100 Subject: Add bug no. --- ChangeLog | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8d9a94651..7bc43d0db 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,9 +9,9 @@ required, please report them. ok djm@ - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent accidentally inheriting from root's environment. ok djm@ - - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Restore - previous authdb setting after auth calls. Fixes problems with setpcred - failing on accounts that use AFS or NIS password registries. + - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796: + Restore previous authdb setting after auth calls. Fixes problems with + setpcred failing on accounts that use AFS or NIS password registries. 20040129 - (dtucker) OpenBSD CVS Sync regress/ @@ -1797,4 +1797,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3210 2004/02/06 05:17:51 dtucker Exp $ +$Id: ChangeLog,v 1.3211 2004/02/06 05:18:47 dtucker Exp $ -- cgit v1.2.3 From 23bc8d0bff3ee9976be32a287079f7571b5bd50d Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Fri, 6 Feb 2004 16:24:31 +1100 Subject: - markus@cvs.openbsd.org 2004/01/30 09:48:57 [auth-passwd.c auth.h pathnames.h session.c] support for password change; ok dtucker@ (set password-dead=1w in login.conf to use this). In -Portable, this is currently only platforms using bsdauth. --- ChangeLog | 8 ++++- acconfig.h | 5 ++- auth-passwd.c | 98 ++++++++++++++++++++++++++++++++++++++--------------------- auth.h | 1 + configure.ac | 7 ++++- pathnames.h | 5 +++ session.c | 89 +++++++++++++++++++++++++++++++++++------------------ 7 files changed, 147 insertions(+), 66 deletions(-) diff --git a/ChangeLog b/ChangeLog index 7bc43d0db..518c51bfd 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,12 @@ - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796: Restore previous authdb setting after auth calls. Fixes problems with setpcred failing on accounts that use AFS or NIS password registries. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/01/30 09:48:57 + [auth-passwd.c auth.h pathnames.h session.c] + support for password change; ok dtucker@ + (set password-dead=1w in login.conf to use this). + In -Portable, this is currently only platforms using bsdauth. 20040129 - (dtucker) OpenBSD CVS Sync regress/ @@ -1797,4 +1803,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3211 2004/02/06 05:18:47 dtucker Exp $ +$Id: ChangeLog,v 1.3212 2004/02/06 05:24:31 dtucker Exp $ diff --git a/acconfig.h b/acconfig.h index 27366ed17..62252d760 100644 --- a/acconfig.h +++ b/acconfig.h @@ -1,4 +1,4 @@ -/* $Id: acconfig.h,v 1.172 2004/01/23 11:03:10 dtucker Exp $ */ +/* $Id: acconfig.h,v 1.173 2004/02/06 05:24:31 dtucker Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 
@@ -65,6 +65,9 @@ /* from environment and PATH */ #undef LOGIN_PROGRAM_FALLBACK +/* Full path of your "passwd" program */ +#undef _PATH_PASSWD_PROG + /* Define if your password has a pw_class field */ #undef HAVE_PW_CLASS_IN_PASSWD diff --git a/auth-passwd.c b/auth-passwd.c index a27170ccc..d12996bba 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -42,11 +42,21 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $"); #include "log.h" #include "servconf.h" #include "auth.h" +#include "auth-options.h" #ifdef WITH_AIXAUTHENTICATE # include "canohost.h" #endif extern ServerOptions options; +int sys_auth_passwd(Authctxt *, const char *); + +static void +disable_forwarding(void) +{ + no_port_forwarding_flag = 1; + no_agent_forwarding_flag = 1; + no_x11_forwarding_flag = 1; +} /* * Tries to authenticate the user using password. Returns true if @@ -66,17 +76,21 @@ auth_password(Authctxt *authctxt, const char *password) return 0; #if defined(HAVE_OSF_SIA) + /* + * XXX: any reason this is before krb? could be moved to + * sys_auth_passwd()? -dt + */ return auth_sia_password(authctxt, password) && ok; -#else -# ifdef KRB5 +#endif +#ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); if (ret == 1 || ret == 0) return ret && ok; /* Fall back to ordinary passwd authentication. */ } -# endif -# ifdef HAVE_CYGWIN +#endif +#ifdef HAVE_CYGWIN if (is_winnt) { HANDLE hToken = cygwin_logon_user(pw, password); 
@@ -85,41 +99,57 @@ auth_password(Authctxt *authctxt, const char *password) cygwin_set_impersonation_token(hToken); return ok; } -# endif -# ifdef WITH_AIXAUTHENTICATE - if (aix_authenticate(pw->pw_name, password, - get_canonical_hostname(options.use_dns)) == 0) - return 0; - else - return ok; -# endif -# ifdef BSD_AUTH - if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", - (char *)password) == 0) - return 0; - else - return ok; -# else - { +#endif + return (sys_auth_passwd(authctxt, password) && ok); +} + +#ifdef BSD_AUTH +int +sys_auth_passwd(Authctxt *authctxt, const char *password) +{ + struct passwd *pw = authctxt->pw; + auth_session_t *as; + + as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh", + (char *)password); + if (auth_getstate(as) & AUTH_PWEXPIRED) { + auth_close(as); + disable_forwarding(); + authctxt->force_pwchange = 1; + return (1); + } else { + return (auth_close(as)); + } +} +#elif defined(WITH_AIXAUTHENTICATE) +int +sys_auth_passwd(Authctxt *authctxt, const char *password) +{ + return (aix_authenticate(authctxt->pw->pw_name, password, + get_canonical_hostname(options.use_dns))); +} +#else +int +sys_auth_passwd(Authctxt *authctxt, const char *password) +{ + struct passwd *pw = authctxt->pw; + char *encrypted_password; + /* Just use the supplied fake password if authctxt is invalid */ char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; /* Check for users with no password. */ if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) - return ok; - else { - /* Encrypt the candidate password using the proper salt. */ - char *encrypted_password = xcrypt(password, - (pw_password[0] && pw_password[1]) ? pw_password : "xx"); + return (1); - /* - * Authentication is accepted if the encrypted passwords - * are identical. - */ - return (strcmp(encrypted_password, pw_password) == 0) && ok; - } + /* Encrypt the candidate password using the proper salt. 
*/ + encrypted_password = xcrypt(password, + (pw_password[0] && pw_password[1]) ? pw_password : "xx"); - } -# endif -#endif /* !HAVE_OSF_SIA */ + /* + * Authentication is accepted if the encrypted passwords + * are identical. + */ + return (strcmp(encrypted_password, pw_password) == 0); } +#endif diff --git a/auth.h b/auth.h index 0be1f88c4..de2f1e800 100644 --- a/auth.h +++ b/auth.h @@ -52,6 +52,7 @@ struct Authctxt { int valid; /* user exists and is allowed to login */ int attempt; int failures; + int force_pwchange; char *user; /* username sent by the client */ char *service; struct passwd *pw; /* set if 'valid' */ diff --git a/configure.ac b/configure.ac index 768b174b2..64645217d 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.192 2004/02/06 04:59:06 dtucker Exp $ +# $Id: configure.ac,v 1.193 2004/02/06 05:24:31 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -42,6 +42,11 @@ else fi fi +AC_PATH_PROG(PATH_PASSWD_PROG, passwd) +if test ! -z "$PATH_PASSWD_PROG" ; then + AC_DEFINE_UNQUOTED(_PATH_PASSWD_PROG, "$PATH_PASSWD_PROG") +fi + if test -z "$LD" ; then LD=$CC fi diff --git a/pathnames.h b/pathnames.h index 89e22c77a..edeff2de3 100644 --- a/pathnames.h +++ b/pathnames.h @@ -150,6 +150,11 @@ #define _PATH_PRIVSEP_CHROOT_DIR "/var/empty" #endif +/* for passwd change */ +#ifndef _PATH_PASSWD_PROG +#define _PATH_PASSWD_PROG "/usr/bin/passwd" +#endif + #ifndef _PATH_LS #define _PATH_LS "ls" #endif diff --git a/session.c b/session.c index 02c5dca9b..5742296d5 100644 --- a/session.c +++ b/session.c @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.171 2004/01/13 19:23:15 markus Exp $"); +RCSID("$OpenBSD: session.c,v 1.172 2004/01/30 09:48:57 markus Exp $"); #include "ssh.h" #include "ssh1.h" 
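Review bot: The BSD_AUTH `sys_auth_passwd` hands the result of `auth_usercheck()` straight to `auth_getstate()` without checking it for NULL. If `auth_usercheck()` can fail and return NULL (allocation failure, for example; confirm against the BSD auth manual page), the state lookup runs on a NULL session in the authentication path. Adding `if (as == NULL) return (0);` before the `auth_getstate()` test fails closed. In the fallback variant at the end of the same hunk the result of `xcrypt()` also reaches `strcmp()` unchecked, so if it can return NULL the comparison needs the same guard.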
@@ -1303,6 +1303,22 @@ do_setusercontext(struct passwd *pw) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); } +static void +do_pwchange(Session *s) +{ + fprintf(stderr, "WARNING: Your password has expired.\n"); + if (s->ttyfd != -1) { + fprintf(stderr, + "You must change your password now and login again!\n"); + execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL); + perror("passwd"); + } else { + fprintf(stderr, + "Password change required but no TTY available.\n"); + } + exit(1); +} + static void launch_login(struct passwd *pw, const char *hostname) { @@ -1324,6 +1340,40 @@ launch_login(struct passwd *pw, const char *hostname) exit(1); } +static void +child_close_fds(void) +{ + int i; + + if (packet_get_connection_in() == packet_get_connection_out()) + close(packet_get_connection_in()); + else { + close(packet_get_connection_in()); + close(packet_get_connection_out()); + } + /* + * Close all descriptors related to channels. They will still remain + * open in the parent. + */ + /* XXX better use close-on-exec? -markus */ + channel_close_all(); + + /* + * Close any extra file descriptors. Note that there may still be + * descriptors left by system functions. They will be closed later. + */ + endpwent(); + + /* + * Close any extra open file descriptors so that we don\'t have them + * hanging around in clients. Note that we want to do this after + * initgroups, because at least on Solaris 2.3 it leaves file + * descriptors open. + */ + for (i = 3; i < 64; i++) + close(i); +} + /* * Performs common processing for the child, such as setting up the * environment, closing extra file descriptors, setting the user and group 
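Review bot: The closing loop in `child_close_fds` stops at descriptor 63, so any descriptor numbered 64 or higher that the daemon holds would stay open across the `execl` of the passwd program and in the user's shell. Whether sshd can hold that many at this point is not visible in the hunk, but on the new forced-password-change path this helper is the only descriptor cleanup before the exec. Where the platform provides it, `closefrom(STDERR_FILENO + 1);` can replace the loop. Otherwise the bound could come from `sysconf(_SC_OPEN_MAX)` instead of the literal 64.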
@@ -1337,11 +1387,18 @@ do_child(Session *s, const char *command) char *argv[10]; const char *shell, *shell0, *hostname = NULL; struct passwd *pw = s->pw; - u_int i; /* remove hostkey from the child's memory */ destroy_sensitive_data(); + /* Force a password change */ + if (s->authctxt->force_pwchange) { + do_setusercontext(pw); + child_close_fds(); + do_pwchange(s); + exit(1); + } + /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) options.use_login = 0; @@ -1392,33 +1449,7 @@ do_child(Session *s, const char *command) * closed before building the environment, as we call * get_remote_ipaddr there. */ - if (packet_get_connection_in() == packet_get_connection_out()) - close(packet_get_connection_in()); - else { - close(packet_get_connection_in()); - close(packet_get_connection_out()); - } - /* - * Close all descriptors related to channels. They will still remain - * open in the parent. - */ - /* XXX better use close-on-exec? -markus */ - channel_close_all(); - - /* - * Close any extra file descriptors. Note that there may still be - * descriptors left by system functions. They will be closed later. - */ - endpwent(); - - /* - * Close any extra open file descriptors so that we don\'t have them - * hanging around in clients. Note that we want to do this after - * initgroups, because at least on Solaris 2.3 it leaves file - * descriptors open. - */ - for (i = 3; i < 64; i++) - close(i); + child_close_fds(); /* * Must take new environment into use so that .ssh/rc, -- cgit v1.2.3 From c52a29913d3850b4333000b3309cede03f8bf824 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 16:38:16 +1100 Subject: Sync Ids missed in password expiry sync --- auth-passwd.c | 2 +- auth.h | 2 +- pathnames.h | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/auth-passwd.c b/auth-passwd.c index d12996bba..5cc88155c 100644 --- a/auth-passwd.c +++ b/auth-passwd.c 
@@ -36,7 +36,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $"); #include "packet.h" #include "log.h" diff --git a/auth.h b/auth.h index de2f1e800..c51717f2c 100644 --- a/auth.h +++ b/auth.h @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.h,v 1.48 2003/11/04 08:54:09 djm Exp $ */ +/* $OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. diff --git a/pathnames.h b/pathnames.h index edeff2de3..53208cf58 100644 --- a/pathnames.h +++ b/pathnames.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.13 2002/05/23 19:24:30 markus Exp $ */ +/* $OpenBSD: pathnames.h,v 1.14 2004/01/30 09:48:57 markus Exp $ */ /* * Author: Tatu Ylonen -- cgit v1.2.3 From a8be9e23d236f0e9c27214418280b752b68dbd54 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 16:40:27 +1100 Subject: - dtucker@cvs.openbsd.org 2004/02/05 05:37:17 [monitor.c sshd.c] Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@ --- ChangeLog | 5 ++++- monitor.c | 3 ++- sshd.c | 8 ++++++-- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 518c51bfd..2e98126da 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ support for password change; ok dtucker@ (set password-dead=1w in login.conf to use this). In -Portable, this is currently only platforms using bsdauth. + - dtucker@cvs.openbsd.org 2004/02/05 05:37:17 + [monitor.c sshd.c] + Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@ 20040129 - (dtucker) OpenBSD CVS Sync regress/ @@ -1803,4 +1806,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3212 2004/02/06 05:24:31 dtucker Exp $ +$Id: ChangeLog,v 1.3213 2004/02/06 05:40:27 dtucker Exp $ 
diff --git a/monitor.c b/monitor.c index 46e8d16e6..009dcf182 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.54 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.55 2004/02/05 05:37:17 dtucker Exp $"); #include @@ -1708,6 +1708,7 @@ monitor_init(void) mon = xmalloc(sizeof(*mon)); + mon->m_pid = 0; monitor_socketpair(pair); mon->m_recvfd = pair[0]; diff --git a/sshd.c b/sshd.c index ebb44db75..42484c064 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.284 2003/12/09 21:53:37 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.285 2004/02/05 05:37:17 dtucker Exp $"); #include #include @@ -200,7 +200,7 @@ int startup_pipe; /* in child */ /* variables used for privilege separation */ int use_privsep; -struct monitor *pmonitor; +struct monitor *pmonitor = NULL; /* message to be displayed after login */ Buffer loginmsg; @@ -306,6 +306,9 @@ grace_alarm_handler(int sig) { /* XXX no idea how fix this signal handler */ + if (use_privsep && pmonitor != NULL && pmonitor->m_pid > 0) + kill(pmonitor->m_pid, SIGALRM); + /* Log error and exit. */ fatal("Timeout before authentication for %s", get_remote_ipaddr()); } @@ -593,6 +596,7 @@ privsep_preauth(Authctxt *authctxt) debug2("Network child is on pid %ld", (long)pid); close(pmonitor->m_recvfd); + pmonitor->m_pid = pid; monitor_child_preauth(authctxt, pmonitor); close(pmonitor->m_sendfd); -- cgit v1.2.3 From 7f73a4955d289236119fb332f73c493d9ed85035 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 16:41:37 +1100 Subject: - markus@cvs.openbsd.org 2004/02/05 15:33:33 [progressmeter.c] fix ETA for > 4GB; bugzilla #791; ok henning@ deraadt@ --- ChangeLog | 5 ++++- progressmeter.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2e98126da..baebcd98f 100644 --- a/ChangeLog +++ b/ChangeLog 
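Review bot: `grace_alarm_handler` signals `pmonitor->m_pid` whenever it is positive, but nothing in these hunks resets the field once the pre-auth child has exited. If the child is reaped later in `privsep_preauth` (outside the hunk) and the alarm fires before it is cancelled, the privileged process would send SIGALRM to whatever process has since been given that pid. Clearing the field after the wait with `pmonitor->m_pid = 0;`, or cancelling the alarm before reaping, closes that window. The point covers both the handler hunk and the assignment added in the `privsep_preauth` hunk.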
@@ -21,6 +21,9 @@ - dtucker@cvs.openbsd.org 2004/02/05 05:37:17 [monitor.c sshd.c] Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@ + - markus@cvs.openbsd.org 2004/02/05 15:33:33 + [progressmeter.c] + fix ETA for > 4GB; bugzilla #791; ok henning@ deraadt@ 20040129 - (dtucker) OpenBSD CVS Sync regress/ @@ -1806,4 +1809,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3213 2004/02/06 05:40:27 dtucker Exp $ +$Id: ChangeLog,v 1.3214 2004/02/06 05:41:37 dtucker Exp $ diff --git a/progressmeter.c b/progressmeter.c index 7b76c959e..f42668526 100644 --- a/progressmeter.c +++ b/progressmeter.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: progressmeter.c,v 1.18 2003/12/02 12:15:10 markus Exp $"); +RCSID("$OpenBSD: progressmeter.c,v 1.19 2004/02/05 15:33:33 markus Exp $"); #include "progressmeter.h" #include "atomicio.h" @@ -107,7 +107,7 @@ refresh_progress_meter(void) off_t transferred; double elapsed; int percent; - int bytes_left; + off_t bytes_left; int cur_speed; int hours, minutes, seconds; int i, len; -- cgit v1.2.3 From 074593538a18780c24ac055210f55abd8adfbf2b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 6 Feb 2004 21:29:41 +1100 Subject: - (dtucker) [configure.ac includes.h] Include if present, required on Solaris 2.5.1 for queue_t, which is used by . --- ChangeLog | 4 +++- configure.ac | 4 ++-- includes.h | 3 +++ 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index baebcd98f..de37a0ba7 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -12,6 +12,8 @@ - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796: Restore previous authdb setting after auth calls. Fixes problems with setpcred failing on accounts that use AFS or NIS password registries. + - (dtucker) [configure.ac includes.h] Include if present, + required on Solaris 2.5.1 for queue_t, which is used by . - (dtucker) OpenBSD CVS Sync - markus@cvs.openbsd.org 2004/01/30 09:48:57 [auth-passwd.c auth.h pathnames.h session.c] @@ -1809,4 +1811,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3214 2004/02/06 05:41:37 dtucker Exp $ +$Id: ChangeLog,v 1.3215 2004/02/06 10:29:41 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 64645217d..bdff63db3 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.193 2004/02/06 05:24:31 dtucker Exp $ +# $Id: configure.ac,v 1.194 2004/02/06 10:29:42 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -494,7 +494,7 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \ rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \ strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \ sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \ - sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ + sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \ sys/un.h time.h tmpdir.h ttyent.h usersec.h \ util.h utime.h utmp.h utmpx.h vis.h) diff --git a/includes.h b/includes.h index d2cc88213..ca943c7e6 100644 --- a/includes.h +++ b/includes.h @@ -135,6 +135,9 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } #include /* for TIOCCBRK on HP-UX */ #endif #if defined(HAVE_SYS_PTMS_H) && defined(HAVE_DEV_PTMX) +# if defined(HAVE_SYS_STREAM_H) +# include /* reqd for queue_t on Solaris 2.5.1 */ +# endif #include /* for grantpt() and friends */ #endif -- cgit v1.2.3 
From fc57f71fb1106a5b1b6d37cb595a21d36a049e7e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sat, 7 Feb 2004 10:41:48 +1100 Subject: - dtucker@cvs.openbsd.org 2004/02/06 23:41:13 [cipher-ctr.c] Use EVP_CIPHER_CTX_key_length for key length. ok markus@ (This will fix builds with OpenSSL 0.9.5) --- ChangeLog | 9 ++++++++- cipher-ctr.c | 5 +++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index de37a0ba7..380fe60fe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +20040207 + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2004/02/06 23:41:13 + [cipher-ctr.c] + Use EVP_CIPHER_CTX_key_length for key length. ok markus@ + (This will fix builds with OpenSSL 0.9.5) + 20040206 - (dtucker) [acss.c acss.h] Fix $Id tags. - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with @@ -1811,4 +1818,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3215 2004/02/06 10:29:41 dtucker Exp $ +$Id: ChangeLog,v 1.3216 2004/02/06 23:41:48 dtucker Exp $ diff --git a/cipher-ctr.c b/cipher-ctr.c index a9ddb8a66..395dabedd 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -14,7 +14,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: cipher-ctr.c,v 1.3 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: cipher-ctr.c,v 1.4 2004/02/06 23:41:13 dtucker Exp $"); #include @@ -94,7 +94,8 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, EVP_CIPHER_CTX_set_app_data(ctx, c); } if (key != NULL) - AES_set_encrypt_key(key, ctx->key_len * 8, &c->aes_ctx); + AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8, + &c->aes_ctx); if (iv != NULL) memcpy(c->aes_counter, iv, AES_BLOCK_SIZE); return (1); -- cgit v1.2.3 From 693f8a8aae5b79360f13f478c09235061aa59647 Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Sat, 7 Feb 2004 12:29:39 +1100 Subject: - (dtucker) [cipher.c] enable AES counter modes with OpenSSL 0.9.5. ok djm@, markus@ --- ChangeLog | 4 +++- cipher.c | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 380fe60fe..55031f702 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,8 @@ [cipher-ctr.c] Use EVP_CIPHER_CTX_key_length for key length. ok markus@ (This will fix builds with OpenSSL 0.9.5) + - (dtucker) [cipher.c] enable AES counter modes with OpenSSL 0.9.5. + ok djm@, markus@ 20040206 - (dtucker) [acss.c acss.h] Fix $Id tags. @@ -1818,4 +1820,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3216 2004/02/06 23:41:48 dtucker Exp $ +$Id: ChangeLog,v 1.3217 2004/02/07 01:29:39 dtucker Exp $ diff --git a/cipher.c b/cipher.c index 8744cb7b7..c13ff5862 100644 --- a/cipher.c +++ b/cipher.c @@ -98,7 +98,7 @@ struct Cipher { { "rijndael-cbc@lysator.liu.se", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, #endif -#if OPENSSL_VERSION_NUMBER >= 0x00906000L +#if OPENSSL_VERSION_NUMBER >= 0x00905000L { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr }, { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, -- cgit v1.2.3 From e3dba82dd44c165716ce2a81157b6c2f269fc0af Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 12:50:19 +1100 Subject: - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's native password expiry. --- ChangeLog | 7 ++++++- auth-passwd.c | 14 ++------------ auth.h | 1 + openbsd-compat/port-aix.c | 39 +++++++++++++++++++++++++++++++++++---- openbsd-compat/port-aix.h | 8 ++++++-- 5 files changed, 50 insertions(+), 19 deletions(-) diff --git a/ChangeLog b/ChangeLog index 55031f702..20f1ec089 100644 --- a/ChangeLog 
+++ b/ChangeLog @@ -1,3 +1,8 @@ +20040210 + - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c + openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's + native password expiry. + 20040207 - (dtucker) OpenBSD CVS Sync - dtucker@cvs.openbsd.org 2004/02/06 23:41:13 @@ -1820,4 +1825,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3217 2004/02/07 01:29:39 dtucker Exp $ +$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index 5cc88155c..a58dc042b 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -43,14 +43,11 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $"); #include "servconf.h" #include "auth.h" #include "auth-options.h" -#ifdef WITH_AIXAUTHENTICATE -# include "canohost.h" -#endif extern ServerOptions options; int sys_auth_passwd(Authctxt *, const char *); -static void +void disable_forwarding(void) { no_port_forwarding_flag = 1; @@ -121,14 +118,7 @@ sys_auth_passwd(Authctxt *authctxt, const char *password) return (auth_close(as)); } } -#elif defined(WITH_AIXAUTHENTICATE) -int -sys_auth_passwd(Authctxt *authctxt, const char *password) -{ - return (aix_authenticate(authctxt->pw->pw_name, password, - get_canonical_hostname(options.use_dns))); -} -#else +#elif !defined(CUSTOM_SYS_AUTH_PASSWD) int sys_auth_passwd(Authctxt *authctxt, const char *password) { diff --git a/auth.h b/auth.h index c51717f2c..b39e48d9a 100644 --- a/auth.h +++ b/auth.h @@ -123,6 +123,7 @@ void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ #include "auth-pam.h" +void disable_forwarding(void); void do_authentication(Authctxt *); void do_authentication2(Authctxt *); diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index 6fc2ef771..a5511bbef 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c 
@@ -98,10 +98,10 @@ aix_remove_embedded_newlines(char *p) * returns 0. */ int -aix_authenticate(const char *name, const char *password, const char *host) +sys_auth_passwd(Authctxt *ctxt, const char *password) { - char *authmsg = NULL, *msg; - int authsuccess = 0, reenter, result; + char *authmsg = NULL, *host, *msg, *name = ctxt->pw->pw_name; + int authsuccess = 0, expired, reenter, result; do { result = authenticate((char *)name, (char *)password, &reenter, @@ -114,7 +114,12 @@ aix_authenticate(const char *name, const char *password, const char *host) if (result == 0) { authsuccess = 1; - /* No pty yet, so just label the line as "ssh" */ + host = (char *)get_canonical_hostname(options.use_dns); + + /* + * Record successful login. We don't have a pty yet, so just + * label the line as "ssh" + */ aix_setauthdb(name); if (loginsuccess((char *)name, (char *)host, "ssh", &msg) == 0) { if (msg != NULL) { @@ -123,6 +128,32 @@ aix_authenticate(const char *name, const char *password, const char *host) xfree(msg); } } + + /* + * Check if the user's password is expired. + */ + expired = passwdexpired(name, &msg); + if (msg && *msg) { + buffer_append(&loginmsg, msg, strlen(msg)); + aix_remove_embedded_newlines(msg); + } + debug3("AIX/passwdexpired returned %d msg %.100s", expired, msg); + + switch (expired) { + case 0: /* password not expired */ + break; + case 1: /* expired, password change required */ + ctxt->force_pwchange = 1; + disable_forwarding(); + break; + default: /* user can't change(2) or other error (-1) */ + logit("Password can't be changed for user %s: %.100s", + name, msg); + if (msg) + xfree(msg); + authsuccess = 0; + } + aix_restoreauthdb(); } diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index 930b3f248..ef03661ed 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.17 2004/02/06 05:17:52 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.18 2004/02/10 01:50:20 dtucker Exp $ */ /* * 
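Review bot: In the password-expiry block, `msg` is formatted with `%.100s` in the `debug3` and `logit` calls without the NULL test that guards the `buffer_append` above and the `xfree` below. If `passwdexpired()` leaves `msg` NULL, a NULL pointer reaches a `%s` conversion; the argument could be written as `msg ? msg : ""`. The buffer is released only in the `default` case, so cases 0 and 1 appear to leak it. Because `msg` was already freed after `loginsuccess`, it should be set to NULL before `passwdexpired(name, &msg)` is called, so a stale pointer is never tested. The function body starts and ends outside this hunk.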
@@ -36,6 +36,9 @@ # include #endif +/* For Authctxt */ +#include "auth.h" + /* Some versions define r_type in the above headers, which causes a conflict */ #ifdef r_type # undef r_type @@ -62,11 +65,12 @@ void aix_usrinfo(struct passwd *); #ifdef WITH_AIXAUTHENTICATE +# define CUSTOM_SYS_AUTH_PASSWD 1 +int sys_auth_passwd(Authctxt *, const char *); # define CUSTOM_FAILED_LOGIN 1 void record_failed_login(const char *, const char *); #endif -int aix_authenticate(const char *, const char *, const char *); void aix_setauthdb(const char *); void aix_restoreauthdb(void); void aix_remove_embedded_newlines(char *); -- cgit v1.2.3 From 9df3defdbb122c406072760e07859a3b4ebf567e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 13:01:14 +1100 Subject: - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h defines.h] Bug #14: Use do_pwchange to support password expiry and force change for platforms using /etc/shadow. ok djm@ --- ChangeLog | 9 ++++--- LICENCE | 1 + Makefile.in | 4 +-- auth-passwd.c | 7 ++++++ auth-shadow.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ auth.c | 19 -------------- auth.h | 4 +++ defines.h | 5 +++- 8 files changed, 104 insertions(+), 25 deletions(-) create mode 100644 auth-shadow.c diff --git a/ChangeLog b/ChangeLog index 20f1ec089..2aa2d537f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,7 +1,10 @@ 20040210 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c - openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's - native password expiry. + openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's + native password expiry. + - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h + defines.h] Bug #14: Use do_pwchange to support password expiry and force + change for platforms using /etc/shadow. ok djm@ 20040207 - (dtucker) OpenBSD CVS Sync 
@@ -1825,4 +1828,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3218 2004/02/10 01:50:19 dtucker Exp $ +$Id: ChangeLog,v 1.3219 2004/02/10 02:01:14 dtucker Exp $ diff --git a/LICENCE b/LICENCE index d7292998e..d8c157304 100644 --- a/LICENCE +++ b/LICENCE @@ -202,6 +202,7 @@ OpenSSH contains no GPL code. Todd C. Miller Wayne Schroeder William Jones + Darren Tucker * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/Makefile.in b/Makefile.in index 1f6a4d43f..2d7982312 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.254 2004/01/27 10:19:22 djm Exp $ +# $Id: Makefile.in,v 1.255 2004/02/10 02:01:14 dtucker Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -85,7 +85,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ kexdhs.o kexgexs.o \ auth-krb5.o \ auth2-gss.o gss-serv.o gss-serv-krb5.o \ - loginrec.o auth-pam.o auth-sia.o md5crypt.o + loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5 diff --git a/auth-passwd.c b/auth-passwd.c index a58dc042b..e434a21e3 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -97,6 +97,13 @@ auth_password(Authctxt *authctxt, const char *password) return ok; } #endif +#ifdef USE_SHADOW + if (auth_shadow_pwexpired(authctxt)) { + disable_forwarding(); + authctxt->force_pwchange = 1; + } +#endif + return (sys_auth_passwd(authctxt, password) && ok); } 
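Review bot: The `USE_SHADOW` block sets `authctxt->force_pwchange` and the global no-forwarding flags before `sys_auth_passwd()` has verified the password. A wrong guess against an account with an aged password therefore leaves the connection marked for a forced change with forwarding disabled, and nothing in the hunk clears those flags if a later attempt succeeds. The shadow lookup also runs on every guess. Doing the expiry check only after a successful verification keeps the side effects tied to a verified password. `auth_password` starts outside this hunk.

```c
#ifdef USE_SHADOW
	/* Check expiry only once the password itself has been verified. */
	if (!(sys_auth_passwd(authctxt, password) && ok))
		return 0;
	if (auth_shadow_pwexpired(authctxt)) {
		disable_forwarding();
		authctxt->force_pwchange = 1;
	}
	return 1;
#else
	return (sys_auth_passwd(authctxt, password) && ok);
#endif
```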
diff --git a/auth-shadow.c b/auth-shadow.c new file mode 100644 index 000000000..604b13304 --- /dev/null +++ b/auth-shadow.c 
@@ -0,0 +1,80 @@ +/* + * Copyright (c) 2004 Darren Tucker. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "includes.h" +RCSID("$Id: auth-shadow.c,v 1.1 2004/02/10 02:01:14 dtucker Exp $"); + +#ifdef USE_SHADOW +#include + +#include "auth.h" +#include "auth-shadow.h" +#include "buffer.h" +#include "log.h" + +#define DAY (24L * 60 * 60) /* 1 day in seconds */ + +extern Buffer loginmsg; + +/* + * Checks password expiry for platforms that use shadow passwd files. 
+ * Returns: 1 = password expired, 0 = password not expired + */ +int +auth_shadow_pwexpired(Authctxt *ctxt) +{ + struct spwd *spw = NULL; + const char *user = ctxt->pw->pw_name; + time_t today; + + if ((spw = getspnam(user)) == NULL) { + error("Could not get shadow information for %.100s", user); + return 0; + } + + today = time(NULL) / DAY; + debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today, + (int)spw->sp_lstchg, (int)spw->sp_max); + +#if defined(__hpux) && !defined(HAVE_SECUREWARE) + if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && + spw->sp_warn == 0) + return 0; /* HP-UX Trusted Mode: expiry disabled */ +#endif + + /* TODO: Add code to put expiry warnings into loginmsg */ + + if (spw->sp_lstchg == 0) { + logit("User %.100s password has expired (root forced)", user); + return 1; + } + + if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { + logit("User %.100s password has expired (password aged)", user); + return 1; + } + + return 0; +} +#endif /* USE_SHADOW */ diff --git a/auth.c b/auth.c index 4b307dab3..c6e7c21c4 100644 --- a/auth.c +++ b/auth.c @@ -106,25 +106,6 @@ allowed_user(struct passwd * pw) logit("Account %.100s has expired", pw->pw_name); return 0; } - -#if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && - spw->sp_warn == 0) - disabled = 1; /* Trusted Mode: expiry disabled */ -#endif - - if (!disabled && spw->sp_lstchg == 0) { - logit("User %.100s password has expired (root forced)", - pw->pw_name); - return 0; - } - - if (!disabled && spw->sp_max != -1 && - today > spw->sp_lstchg + spw->sp_max) { - logit("User %.100s password has expired (password aged)", - pw->pw_name); - return 0; - } } #endif /* HAS_SHADOW_EXPIRE */ #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ diff --git a/auth.h b/auth.h index b39e48d9a..b6a6a49a5 100644 --- a/auth.h +++ b/auth.h 
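Review bot: `auth_shadow_pwexpired()` returns 0 when `getspnam()` fails, so a caller cannot tell "not expired" from "shadow entry could not be read", and the header comment documents only the two expiry outcomes. I would add a line to that comment, `* A failed shadow lookup is logged and reported as 0 (not expired).`, so the fail-open choice is explicit to anyone wiring this into another authentication path. The aged test `today > spw->sp_lstchg + spw->sp_max` also takes `sp_lstchg` as given; on C libraries that report an empty last-change field as -1 (worth confirming per platform) a small `sp_max` would read as expired, so adding `spw->sp_lstchg > 0 &&` to that condition may be wanted.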
@@ -122,6 +122,10 @@ int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ +#ifdef USE_SHADOW +int auth_shadow_pwexpired(Authctxt *); +#endif + #include "auth-pam.h" void disable_forwarding(void); diff --git a/defines.h b/defines.h index 5e63198e0..5e1cac7bc 100644 --- a/defines.h +++ b/defines.h @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.109 2004/01/27 05:40:35 tim Exp $ */ +/* $Id: defines.h,v 1.110 2004/02/10 02:01:14 dtucker Exp $ */ /* Constants */ @@ -585,6 +585,9 @@ struct winsize { # endif #endif +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# define USE_SHADOW +#endif /* The login() library function in libutil is first choice */ #if defined(HAVE_LOGIN) && !defined(DISABLE_LOGIN) -- cgit v1.2.3 From ffae5320769fab707a8f0c533e5900d5e03f5820 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 13:05:40 +1100 Subject: - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat functions to avoid conflicts with Heimdal's libroken. ok djm@ --- ChangeLog | 4 +++- openbsd-compat/fake-rfc2553.h | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2aa2d537f..a5bb31b91 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h defines.h] Bug #14: Use do_pwchange to support password expiry and force change for platforms using /etc/shadow. ok djm@ + - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat + functions to avoid conflicts with Heimdal's libroken. ok djm@ 20040207 - (dtucker) OpenBSD CVS Sync @@ -1828,4 +1830,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3219 2004/02/10 02:01:14 dtucker Exp $ +$Id: ChangeLog,v 1.3220 2004/02/10 02:05:40 dtucker Exp $ 
diff --git a/openbsd-compat/fake-rfc2553.h b/openbsd-compat/fake-rfc2553.h index bf727ceac..eb88605fa 100644 --- a/openbsd-compat/fake-rfc2553.h +++ b/openbsd-compat/fake-rfc2553.h @@ -1,4 +1,4 @@ -/* $Id: fake-rfc2553.h,v 1.7 2003/09/22 02:08:23 dtucker Exp $ */ +/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */ /* * Copyright (C) 2000-2003 Damien Miller. All rights reserved. @@ -133,19 +133,23 @@ struct addrinfo { #endif /* !HAVE_STRUCT_ADDRINFO */ #ifndef HAVE_GETADDRINFO +#define getaddrinfo(a,b,c,d) (ssh_getaddrinfo(a,b,c,d)) int getaddrinfo(const char *, const char *, const struct addrinfo *, struct addrinfo **); #endif /* !HAVE_GETADDRINFO */ #if !defined(HAVE_GAI_STRERROR) && !defined(HAVE_CONST_GAI_STRERROR_PROTO) +#define gai_strerror(a) (ssh_gai_strerror(a)) char *gai_strerror(int); #endif /* !HAVE_GAI_STRERROR */ #ifndef HAVE_FREEADDRINFO +#define freeaddrinfo(a) (ssh_freeaddrinfo(a)) void freeaddrinfo(struct addrinfo *); #endif /* !HAVE_FREEADDRINFO */ #ifndef HAVE_GETNAMEINFO +#define getnameinfo(a,b,c,d,e,f,g) (ssh_getnameinfo(a,b,c,d,e,f,g)) int getnameinfo(const struct sockaddr *, size_t, char *, size_t, char *, size_t, int); #endif /* !HAVE_GETNAMEINFO */ -- cgit v1.2.3 From 1921ed9f966b6d8262a906d01e515b2737962e2b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 13:23:28 +1100 Subject: - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to change expired PAM passwords for SSHv1 connections without privsep. pam_chauthtok is still used when privsep is disabled. ok djm@ --- ChangeLog | 5 ++++- auth-pam.c | 29 ++++++++++------------------- auth-pam.h | 4 +--- session.c | 32 ++++++++++++++------------------ 4 files changed, 29 insertions(+), 41 deletions(-) diff --git a/ChangeLog b/ChangeLog index a5bb31b91..3acb6eca9 100644 --- a/ChangeLog +++ b/ChangeLog 
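Review bot: The prototypes that follow each new `#define` in this hunk are themselves rewritten by the macro, so `int getaddrinfo(const char *, ...)` now declares `ssh_getaddrinfo`; that is what makes the rename work, but nothing in the header says so. A comment above the first macro would help the next reader, e.g. `/* The function-like macros below also rename the prototypes that follow them. */`. Because the macros are function-like, a use of the bare name without a call (taking its address, for instance) is not renamed and would still bind to the library symbol the commit is trying to avoid. If any caller does that, an object-like `#define getaddrinfo ssh_getaddrinfo` would cover both forms.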
@@ -7,6 +7,9 @@ change for platforms using /etc/shadow. ok djm@ - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat functions to avoid conflicts with Heimdal's libroken. ok djm@ + - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to + change expired PAM passwords for SSHv1 connections without privsep. + pam_chauthtok is still used when privsep is disabled. ok djm@ 20040207 - (dtucker) OpenBSD CVS Sync @@ -1830,4 +1833,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3220 2004/02/10 02:05:40 dtucker Exp $ +$Id: ChangeLog,v 1.3221 2004/02/10 02:23:28 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 0e2725b80..562fb01f2 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.92 2004/01/14 13:15:08 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.93 2004/02/10 02:23:29 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -155,11 +155,11 @@ pthread_join(sp_pthread_t thread, void **value __unused) static pam_handle_t *sshpam_handle = NULL; static int sshpam_err = 0; static int sshpam_authenticated = 0; -static int sshpam_new_authtok_reqd = 0; static int sshpam_session_open = 0; static int sshpam_cred_established = 0; static int sshpam_account_status = -1; static char **sshpam_env = NULL; +static int *force_pwchange; /* Some PAM implementations don't implement this */ #ifndef HAVE_PAM_GETENVLIST @@ -179,7 +179,7 @@ void pam_password_change_required(int reqd) { debug3("%s %d", __func__, reqd); - sshpam_new_authtok_reqd = reqd; + *force_pwchange = reqd; if (reqd) { no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; 
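Review bot: `pam_password_change_required()` now writes through `force_pwchange` (`*force_pwchange = reqd;`) although the pointer is a file-scope static that starts out NULL, and the only assignment in this patch is in `sshpam_init_ctx()` (hunk at -511). If any path reaches `pam_password_change_required()`, or the `*force_pwchange` reads in `sshpam_thread()`, before `sshpam_init_ctx()` has run, sshd dereferences NULL during authentication; the callers are outside these hunks, so this needs checking. Setting the pointer wherever the PAM handle is first created, or failing closed before the write with `if (force_pwchange == NULL) fatal("%s: PAM authctxt not initialized", __func__);`, would make the dependency explicit. Both functions begin outside the hunks shown.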
@@ -188,9 +188,9 @@ pam_password_change_required(int reqd) no_port_forwarding_flag &= ~2; no_agent_forwarding_flag &= ~2; no_x11_forwarding_flag &= ~2; - } } + /* Import regular and PAM environment from subprocess */ static void import_environments(Buffer *b) @@ -348,7 +348,7 @@ sshpam_thread(void *ctxtp) if (compat20) { if (!do_pam_account()) goto auth_fail; - if (sshpam_new_authtok_reqd) { + if (*force_pwchange) { sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); if (sshpam_err != PAM_SUCCESS) @@ -362,7 +362,7 @@ sshpam_thread(void *ctxtp) #ifndef USE_POSIX_THREADS /* Export variables set by do_pam_account */ buffer_put_int(&buffer, sshpam_account_status); - buffer_put_int(&buffer, sshpam_new_authtok_reqd); + buffer_put_int(&buffer, *force_pwchange); /* Export any environment strings set in child */ for(i = 0; environ[i] != NULL; i++) @@ -437,7 +437,7 @@ sshpam_cleanup(void) pam_close_session(sshpam_handle, PAM_SILENT); sshpam_session_open = 0; } - sshpam_authenticated = sshpam_new_authtok_reqd = 0; + sshpam_authenticated = 0; pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; } @@ -511,6 +511,8 @@ sshpam_init_ctx(Authctxt *authctxt) ctxt = xmalloc(sizeof *ctxt); memset(ctxt, 0, sizeof(*ctxt)); + force_pwchange = &(authctxt->force_pwchange); + /* Start the authentication thread */ if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) { error("PAM: failed create sockets: %s", strerror(errno)); @@ -744,12 +746,6 @@ do_pam_setcred(int init) pam_strerror(sshpam_handle, sshpam_err)); } -int -is_pam_password_change_required(void) -{ - return (sshpam_new_authtok_reqd); -} - static int pam_tty_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) @@ -828,6 +824,7 @@ do_pam_chauthtok(void) void do_pam_session(void) { + debug3("PAM: opening session"); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&tty_conv); if (sshpam_err != PAM_SUCCESS) 
@@ -864,12 +861,6 @@ do_pam_putenv(char *name, char *value) return (ret); } -void -print_pam_messages(void) -{ - /* XXX */ -} - char ** fetch_pam_child_environment(void) { diff --git a/auth-pam.h b/auth-pam.h index fd62e9534..4bc8d6955 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.23 2003/11/17 10:41:42 djm Exp $ */ +/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */ /* * Copyright (c) 2000 Damien Miller. All rights reserved. @@ -37,10 +37,8 @@ u_int do_pam_account(void); void do_pam_session(void); void do_pam_set_tty(const char *); void do_pam_setcred(int ); -int is_pam_password_change_required(void); void do_pam_chauthtok(void); int do_pam_putenv(char *, char *); -void print_pam_messages(void); char ** fetch_pam_environment(void); char ** fetch_pam_child_environment(void); void free_pam_environment(char **); diff --git a/session.c b/session.c index 5742296d5..864967565 100644 --- a/session.c +++ b/session.c @@ -193,6 +193,15 @@ auth_input_request_forwarding(struct passwd * pw) return 1; } +static void +display_loginmsg(void) +{ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + printf("%s\n", (char *)buffer_ptr(&loginmsg)); + buffer_clear(&loginmsg); + } +} void do_authenticated(Authctxt *authctxt) @@ -389,12 +398,8 @@ do_exec_no_pty(Session *s, const char *command) session_proctitle(s); #if defined(USE_PAM) - if (options.use_pam) { + if (options.use_pam) do_pam_setcred(1); - if (is_pam_password_change_required()) - packet_disconnect("Password change required but no " - "TTY available"); - } #endif /* USE_PAM */ /* Fork the child. */ 
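Review bot: The do_exec_no_pty() hunk drops the `packet_disconnect("Password change required but no " "TTY available")` guard and leaves only `do_pam_setcred(1)`, so nothing visible in this function now stops a no-pty session for a user whose password must be changed. The replacement test on `s->authctxt->force_pwchange` is added in do_login(), which presumably runs only on the pty path. If the forced change is enforced later in the child, a comment here naming where would help, e.g. `/* forced password change is handled in <function> */`; otherwise a check of `s->authctxt->force_pwchange` is needed before the fork. The function continues beyond the hunk.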
@@ -698,9 +703,10 @@ do_login(Session *s, const char *command) * If password change is needed, do it now. * This needs to occur before the ~/.hushlogin check. */ - if (options.use_pam && is_pam_password_change_required()) { - print_pam_messages(); + if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) { + display_loginmsg(); do_pam_chauthtok(); + s->authctxt->force_pwchange = 0; /* XXX - signal [net] parent to enable forwardings */ } #endif @@ -708,17 +714,7 @@ do_login(Session *s, const char *command) if (check_quietlogin(s, command)) return; -#ifdef USE_PAM - if (options.use_pam && !is_pam_password_change_required()) - print_pam_messages(); -#endif /* USE_PAM */ - - /* display post-login message */ - if (buffer_len(&loginmsg) > 0) { - buffer_append(&loginmsg, "\0", 1); - printf("%s\n", (char *)buffer_ptr(&loginmsg)); - } - buffer_free(&loginmsg); + display_loginmsg(); #ifndef NO_SSH_LASTLOG if (options.print_lastlog && s->last_login_time != 0) { -- cgit v1.2.3 From 0d86829fca3eaa01392a34547935f73463422c4e Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 13:51:34 +1100 Subject: Remove auth-shadow.h reference --- auth-shadow.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/auth-shadow.c b/auth-shadow.c index 604b13304..8436eee5f 100644 --- a/auth-shadow.c +++ b/auth-shadow.c @@ -23,13 +23,12 @@ */ #include "includes.h" -RCSID("$Id: auth-shadow.c,v 1.1 2004/02/10 02:01:14 dtucker Exp $"); +RCSID("$Id: auth-shadow.c,v 1.2 2004/02/10 02:51:34 dtucker Exp $"); #ifdef USE_SHADOW #include #include "auth.h" -#include "auth-shadow.h" #include "buffer.h" #include "log.h" -- cgit v1.2.3 From cfea2063e5e1f5d1415fd520f48730268e68d69e Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Tue, 10 Feb 2004 15:27:34 +1100 Subject: - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move include from port-aix.h to port-aix.c and remove unnecessary function definition. Fixes build errors on AIX. #include'ing auth.h in port-aix.h causes conflicting definitions of Authctxt in sshconnect2.c. Sigh. --- ChangeLog | 5 ++++- openbsd-compat/port-aix.c | 1 + openbsd-compat/port-aix.h | 6 +----- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 3acb6eca9..4ac0ce1ac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to change expired PAM passwords for SSHv1 connections without privsep. pam_chauthtok is still used when privsep is disabled. ok djm@ + - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move + include from port-aix.h to port-aix.c and remove unnecessary function + definition. Fixes build errors on AIX. 20040207 - (dtucker) OpenBSD CVS Sync @@ -1833,4 +1836,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3221 2004/02/10 02:23:28 dtucker Exp $ +$Id: ChangeLog,v 1.3222 2004/02/10 04:27:34 dtucker Exp $ diff --git a/openbsd-compat/port-aix.c b/openbsd-compat/port-aix.c index a5511bbef..2895f0d44 100644 --- a/openbsd-compat/port-aix.c +++ b/openbsd-compat/port-aix.c @@ -24,6 +24,7 @@ * */ #include "includes.h" +#include "auth.h" #include "ssh.h" #include "log.h" #include "servconf.h" diff --git a/openbsd-compat/port-aix.h b/openbsd-compat/port-aix.h index ef03661ed..3118af9a9 100644 --- a/openbsd-compat/port-aix.h +++ b/openbsd-compat/port-aix.h @@ -1,4 +1,4 @@ -/* $Id: port-aix.h,v 1.18 2004/02/10 01:50:20 dtucker Exp $ */ +/* $Id: port-aix.h,v 1.19 2004/02/10 04:27:35 dtucker Exp $ */ /* * 
@@ -36,9 +36,6 @@ # include #endif -/* For Authctxt */ -#include "auth.h" - /* Some versions define r_type in the above headers, which causes a conflict */ #ifdef r_type # undef r_type @@ -66,7 +63,6 @@ void aix_usrinfo(struct passwd *); #ifdef WITH_AIXAUTHENTICATE # define CUSTOM_SYS_AUTH_PASSWD 1 -int sys_auth_passwd(Authctxt *, const char *); # define CUSTOM_FAILED_LOGIN 1 void record_failed_login(const char *, const char *); #endif -- cgit v1.2.3 From c28b88a3144f39a9cf244fbf7bb32d8532846fa1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 16:49:35 +1100 Subject: - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms that support it. from & ok mouring@ --- ChangeLog | 4 +++- configure.ac | 4 ++-- loginrec.c | 7 ++++++- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 4ac0ce1ac..62090549d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,8 @@ - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move include from port-aix.h to port-aix.c and remove unnecessary function definition. Fixes build errors on AIX. + - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms + that support it. from & ok mouring@ 20040207 - (dtucker) OpenBSD CVS Sync @@ -1836,4 +1838,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3222 2004/02/10 04:27:34 dtucker Exp $ +$Id: ChangeLog,v 1.3223 2004/02/10 05:49:35 dtucker Exp $ diff --git a/configure.ac b/configure.ac index bdff63db3..5ecbf56db 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.194 2004/02/06 10:29:42 dtucker Exp $ +# $Id: configure.ac,v 1.195 2004/02/10 05:49:35 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -801,7 +801,7 @@ AC_CHECK_FUNCS(\ setproctitle setregid setreuid setrlimit \ setsid setvbuf sigaction sigvec snprintf socketpair strerror \ strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \ - truncate utimes vhangup vsnprintf waitpid \ + truncate updwtmpx utimes vhangup vsnprintf waitpid \ ) # IRIX has a const char return value for gai_strerror() diff --git a/loginrec.c b/loginrec.c index ce9e26fc5..71dbaea15 100644 --- a/loginrec.c +++ b/loginrec.c @@ -158,7 +158,7 @@ #include "log.h" #include "atomicio.h" -RCSID("$Id: loginrec.c,v 1.53 2003/11/21 12:48:55 djm Exp $"); +RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $"); #ifdef HAVE_UTIL_H # include @@ -1183,6 +1183,7 @@ wtmp_get_entry(struct logininfo *li) static int wtmpx_write(struct logininfo *li, struct utmpx *utx) { +#ifndef HAVE_UPDWTMPX struct stat buf; int fd, ret = 1; @@ -1202,6 +1203,10 @@ wtmpx_write(struct logininfo *li, struct utmpx *utx) (void)close(fd); return ret; +#else + updwtmpx(WTMPX_FILE, utx); + return 1; +#endif } -- cgit v1.2.3 From 13a707b60da56258d91170010d9fa1f75ef18eb0 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 10 Feb 2004 17:15:05 +1100 Subject: - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x. ok djm@ --- ChangeLog | 4 +++- configure.ac | 4 +--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 62090549d..bdba48a3c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,8 @@ definition. Fixes build errors on AIX. - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms that support it. from & ok mouring@ + - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x. + ok djm@ 20040207 - (dtucker) OpenBSD CVS Sync 
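Review bot: With HAVE_UPDWTMPX defined, `wtmpx_write()` returns 1 unconditionally, because `updwtmpx()` has no return value; the failures that the other branch presumably reports through `ret` become invisible to the caller. Since this is the login accounting record, I would at least say so next to the call: `/* updwtmpx() is void: a failed wtmpx write cannot be detected here */`. The `li` parameter is also unused in this branch, which some compilers will warn about.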
@@ -1838,4 +1840,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3223 2004/02/10 05:49:35 dtucker Exp $ +$Id: ChangeLog,v 1.3224 2004/02/10 06:15:05 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 5ecbf56db..a4111db8c 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.195 2004/02/10 05:49:35 dtucker Exp $ +# $Id: configure.ac,v 1.196 2004/02/10 06:15:05 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -165,7 +165,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(USE_PIPES) AC_DEFINE(LOGIN_NO_ENDOPT) AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec -lsecpw" @@ -181,7 +180,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) AC_DEFINE(USE_PIPES) AC_DEFINE(LOGIN_NO_ENDOPT) AC_DEFINE(LOGIN_NEEDS_UTMPX) - AC_DEFINE(DISABLE_UTMP) AC_DEFINE(LOCKED_PASSWD_STRING, "*") AC_DEFINE(SPT_TYPE,SPT_PSTAT) LIBS="$LIBS -lsec" -- cgit v1.2.3 From cee6d4cf5ac447aaba72972cc8ce835ca2378417 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 11 Feb 2004 18:48:52 +1100 Subject: - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check if HAS_SHADOW_EXPIRY is set. --- ChangeLog | 8 ++++++-- auth-passwd.c | 2 +- auth-shadow.c | 6 +++--- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index bdba48a3c..a520f68fe 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040211 + - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check + if HAS_SHADOW_EXPIRY is set. + 20040210 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's 
@@ -16,7 +20,7 @@ - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms that support it. from & ok mouring@ - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x. - ok djm@ + ok djm@ 20040207 - (dtucker) OpenBSD CVS Sync @@ -1840,4 +1844,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3224 2004/02/10 06:15:05 dtucker Exp $ +$Id: ChangeLog,v 1.3225 2004/02/11 07:48:52 dtucker Exp $ diff --git a/auth-passwd.c b/auth-passwd.c index e434a21e3..28f29cc65 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -97,7 +97,7 @@ auth_password(Authctxt *authctxt, const char *password) return ok; } #endif -#ifdef USE_SHADOW +#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) if (auth_shadow_pwexpired(authctxt)) { disable_forwarding(); authctxt->force_pwchange = 1; diff --git a/auth-shadow.c b/auth-shadow.c index 8436eee5f..76c0d9f52 100644 --- a/auth-shadow.c +++ b/auth-shadow.c @@ -23,9 +23,9 @@ */ #include "includes.h" -RCSID("$Id: auth-shadow.c,v 1.2 2004/02/10 02:51:34 dtucker Exp $"); +RCSID("$Id: auth-shadow.c,v 1.3 2004/02/11 07:48:52 dtucker Exp $"); -#ifdef USE_SHADOW +#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) #include #include "auth.h" @@ -76,4 +76,4 @@ auth_shadow_pwexpired(Authctxt *ctxt) return 0; } -#endif /* USE_SHADOW */ +#endif /* USE_SHADOW && HAS_SHADOW_EXPIRE */ -- cgit v1.2.3 From 812e77614209115d88785f672b13a4728612bb9d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 11 Feb 2004 20:44:13 +1100 Subject: Remove password expiry from TODO --- TODO | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/TODO b/TODO index 03e268594..1b1d03c43 100644 --- a/TODO +++ b/TODO 
@@ -30,8 +30,6 @@ Programming: - More platforms for for setproctitle() emulation (testing needed) -- Handle changing passwords for the non-PAM expired password case - - Improve PAM support (a pam_lastlog module will cause sshd to exit) and maybe support alternate forms of authentications like OPIE via pam? @@ -96,4 +94,4 @@ PrivSep Issues: - Cygwin + Privsep for Pre-auth only (no fd passing) -$Id: TODO,v 1.56 2003/11/21 12:48:55 djm Exp $ +$Id: TODO,v 1.57 2004/02/11 09:44:13 dtucker Exp $ -- cgit v1.2.3 From 43fa557ce2b908373356cdf4b9dbd2da68350ba4 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Wed, 11 Feb 2004 14:46:40 -0800 Subject: [configure.ac] Fix comment to match code changes in ver 1.117 --- ChangeLog | 3 ++- configure.ac | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a520f68fe..9376eab58 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,7 @@ 20040211 - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check if HAS_SHADOW_EXPIRY is set. + - (tim) [configure.ac] Fix comment to match code changes in ver 1.117 20040210 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c @@ -1844,4 +1845,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3225 2004/02/11 07:48:52 dtucker Exp $ +$Id: ChangeLog,v 1.3226 2004/02/11 22:46:40 tim Exp $ diff --git a/configure.ac b/configure.ac index a4111db8c..91a4c4eeb 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.196 2004/02/10 06:15:05 dtucker Exp $ +# $Id: configure.ac,v 1.197 2004/02/11 22:46:40 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
@@ -1158,7 +1158,7 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.]) ) # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the -# version in OpenSSL. Skip this for PAM +# version in OpenSSL. if test "x$check_for_libcrypt_later" = "x1"; then AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt") fi -- cgit v1.2.3 From 9ad7e0e805157ad7374fe91dc20e6d0b2cc9ebf1 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 12 Feb 2004 07:17:10 -0800 Subject: [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] Portablity fixes. Data sftp transfers needs to be world readable. Some older shells hang on while loops when doing sh -n some_script. OK dtucker@ --- ChangeLog | 7 ++++++- Makefile.in | 4 +++- regress/sftp-badcmds.sh | 2 +- regress/test-exec.sh | 2 +- 4 files changed, 11 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9376eab58..ae91e19c6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20040212 + - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] + Portablity fixes. Data sftp transfers needs to be world readable. Some + older shells hang on while loops when doing sh -n some_script. OK dtucker@ + 20040211 - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check if HAS_SHADOW_EXPIRY is set. @@ -1845,4 +1850,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3226 2004/02/11 22:46:40 tim Exp $ +$Id: ChangeLog,v 1.3227 2004/02/12 15:17:10 tim Exp $ diff --git a/Makefile.in b/Makefile.in index 2d7982312..eae406aa7 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.255 2004/02/10 02:01:14 dtucker Exp $ +# $Id: Makefile.in,v 1.256 2004/02/12 15:17:11 tim Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ 
@@ -375,6 +375,7 @@ tests: $(TARGETS) [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ [ -f `pwd`/regress/Makefile ] || \ ln -s $(srcdir)/regress/Makefile `pwd`/regress/Makefile ; \ + TEST_SHELL="@TEST_MINUS_S_SH@"; \ TEST_SSH_SSH="$${BUILDDIR}/ssh"; \ TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \ TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \ @@ -390,6 +391,7 @@ tests: $(TARGETS) BUILDDIR="$${BUILDDIR}" \ OBJ="$${BUILDDIR}/regress/" \ PATH="$${BUILDDIR}:$${PATH}" \ + TEST_SHELL="$${TEST_SHELL}" \ TEST_SSH_SSH="$${TEST_SSH_SSH}" \ TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \ TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \ diff --git a/regress/sftp-badcmds.sh b/regress/sftp-badcmds.sh index a6a19409d..eac189aaf 100644 --- a/regress/sftp-badcmds.sh +++ b/regress/sftp-badcmds.sh @@ -4,7 +4,7 @@ tid="sftp invalid commands" DATA=/bin/ls${EXEEXT} -DATA2=/bin/cat${EXEEXT} +DATA2=/bin/sh${EXEEXT} NONEXIST=/NONEXIST.$$ COPY=${OBJ}/copy GLOBFILES=`(cd /bin;echo l*)` diff --git a/regress/test-exec.sh b/regress/test-exec.sh index debe7e3a4..98851dc97 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh @@ -30,7 +30,7 @@ if [ ! -f $SCRIPT ]; then echo "not a file: $SCRIPT" exit 2 fi -if sh -n $SCRIPT; then +if $TEST_SHELL -n $SCRIPT; then true else echo "syntax error in $SCRIPT" -- cgit v1.2.3 From 3d5352e1561174adca1df4336358d1847190d107 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Thu, 12 Feb 2004 09:27:21 -0800 Subject: [configure.ac] Make sure -lcrypto is before -lsocket for sco3. ok mouring@ --- ChangeLog | 4 +++- configure.ac | 16 ++++++++-------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index ae91e19c6..bee62a3de 100644 --- a/ChangeLog +++ b/ChangeLog 
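Review bot: `$TEST_SHELL -n $SCRIPT` in the test-exec.sh hunk has no fallback, so when the script is run without TEST_SHELL in the environment the command becomes `-n $SCRIPT`, fails, and the script is reported as "syntax error in $SCRIPT". Keeping the old behaviour for direct invocations is a one-line change: `if ${TEST_SHELL:-sh} -n $SCRIPT; then`. Whether regress/Makefile passes TEST_SHELL through to the script is not visible in this patch, so the Makefile.in hunks alone do not show that the variable always arrives.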
@@ -2,6 +2,8 @@ - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] Portablity fixes. Data sftp transfers needs to be world readable. Some older shells hang on while loops when doing sh -n some_script. OK dtucker@ + - (tim) [configure.ac] Make sure -lcrypto is before -lsocket for sco3. + ok mouring@ 20040211 - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check @@ -1850,4 +1852,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3227 2004/02/12 15:17:10 tim Exp $ +$Id: ChangeLog,v 1.3228 2004/02/12 17:27:21 tim Exp $ diff --git a/configure.ac b/configure.ac index 91a4c4eeb..6b1c3137f 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.197 2004/02/11 22:46:40 tim Exp $ +# $Id: configure.ac,v 1.198 2004/02/12 17:27:21 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -1021,12 +1021,6 @@ if test "x$PAM_MSG" = "xyes" ; then ) fi -# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, -# because the system crypt() is more featureful. -if test "x$check_for_libcrypt_before" = "x1"; then - AC_CHECK_LIB(crypt, crypt) -fi - # Search for OpenSSL saved_CPPFLAGS="$CPPFLAGS" saved_LDFLAGS="$LDFLAGS" @@ -1055,7 +1049,7 @@ AC_ARG_WITH(ssl-dir, fi ] ) -LIBS="$LIBS -lcrypto" +LIBS="-lcrypto $LIBS" AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), [ dnl Check default openssl install dir @@ -1157,6 +1151,12 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.]) ] ) +# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, +# because the system crypt() is more featureful. +if test "x$check_for_libcrypt_before" = "x1"; then + AC_CHECK_LIB(crypt, crypt) +fi + # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the # version in OpenSSL. if test "x$check_for_libcrypt_later" = "x1"; then -- cgit v1.2.3 
From 98225c2950f30aaab75eb649dbe5c667ea2fda04 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 17 Feb 2004 16:49:41 +1100 Subject: - (djm) Simplify the license on code I have written. No code changes. --- ChangeLog | 5 ++++- openbsd-compat/bsd-arc4random.c | 32 ++++++++++++-------------------- openbsd-compat/bsd-getpeereid.c | 32 ++++++++++++-------------------- openbsd-compat/bsd-misc.c | 32 ++++++++++++-------------------- openbsd-compat/bsd-misc.h | 32 ++++++++++++-------------------- openbsd-compat/bsd-openpty.c | 30 +++++++++++------------------- 6 files changed, 63 insertions(+), 100 deletions(-) diff --git a/ChangeLog b/ChangeLog index bee62a3de..be5d4f1c1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20040217 + - (djm) Simplify the license on code I have written. No code changes. + 20040212 - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] Portablity fixes. Data sftp transfers needs to be world readable. Some @@ -1852,4 +1855,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3228 2004/02/12 17:27:21 tim Exp $ +$Id: ChangeLog,v 1.3229 2004/02/17 05:49:41 djm Exp $ diff --git a/openbsd-compat/bsd-arc4random.c b/openbsd-compat/bsd-arc4random.c index 5f890968e..22003ff0a 100644 --- a/openbsd-compat/bsd-arc4random.c +++ b/openbsd-compat/bsd-arc4random.c 
@@ -1,31 +1,23 @@ /* - * Copyright (c) 1999-2000 Damien Miller. All rights reserved. + * Copyright (c) 1999,2000,2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" #include "log.h" -RCSID("$Id: bsd-arc4random.c,v 1.7 2003/05/18 14:13:38 djm Exp $"); +RCSID("$Id: bsd-arc4random.c,v 1.8 2004/02/17 05:49:55 djm Exp $"); #ifndef HAVE_ARC4RANDOM diff --git a/openbsd-compat/bsd-getpeereid.c b/openbsd-compat/bsd-getpeereid.c index bcda2c155..fe2edad71 100644 --- a/openbsd-compat/bsd-getpeereid.c +++ b/openbsd-compat/bsd-getpeereid.c 
@@ -1,30 +1,22 @@ /* - * Copyright (c) 2002 Damien Miller. All rights reserved. + * Copyright (c) 2002,2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$Id: bsd-getpeereid.c,v 1.2 2003/03/24 22:07:52 djm Exp $"); +RCSID("$Id: bsd-getpeereid.c,v 1.3 2004/02/17 05:49:55 djm Exp $"); #if !defined(HAVE_GETPEEREID) diff --git a/openbsd-compat/bsd-misc.c b/openbsd-compat/bsd-misc.c index 44f4fcc1e..7b06786f5 100644 --- a/openbsd-compat/bsd-misc.c +++ b/openbsd-compat/bsd-misc.c 
@@ -1,31 +1,23 @@ /* - * Copyright (c) 1999-2003 Damien Miller. All rights reserved. + * Copyright (c) 1999-2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" #include "xmalloc.h" -RCSID("$Id: bsd-misc.c,v 1.20 2003/12/18 00:34:07 mouring Exp $"); +RCSID("$Id: bsd-misc.c,v 1.21 2004/02/17 05:49:55 djm Exp $"); /* * NB. duplicate __progname in case it is an alias for argv[0] diff --git a/openbsd-compat/bsd-misc.h b/openbsd-compat/bsd-misc.h index 6b70473f3..c8073942c 100644 --- a/openbsd-compat/bsd-misc.h +++ b/openbsd-compat/bsd-misc.h 
@@ -1,27 +1,19 @@ -/* $Id: bsd-misc.h,v 1.13 2003/08/29 16:59:52 mouring Exp $ */ +/* $Id: bsd-misc.h,v 1.14 2004/02/17 05:49:55 djm Exp $ */ /* - * Copyright (c) 1999-2003 Damien Miller. All rights reserved. + * Copyright (c) 1999-2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #ifndef _BSD_MISC_H diff --git a/openbsd-compat/bsd-openpty.c b/openbsd-compat/bsd-openpty.c index 512fb8451..daf5f8b81 100644 --- a/openbsd-compat/bsd-openpty.c +++ b/openbsd-compat/bsd-openpty.c 
@@ -4,27 +4,19 @@ */ /* - * Copyright (c) 2004 Damien Miller. All rights reserved. + * Copyright (c) 2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* -- cgit v1.2.3 From 4e60ed74a670146364719bcd0f1fb6515a26edd4 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 17 Feb 2004 17:07:59 +1100 Subject: - djm@cvs.openbsd.org 2004/02/17 05:39:51 [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c] [sftp-int.h sftp.c] switch to license.template for code written by me (belated, I know...) --- ChangeLog | 7 ++++++- sftp-client.c | 32 ++++++++++++-------------------- sftp-client.h | 32 ++++++++++++-------------------- sftp-glob.c | 32 ++++++++++++-------------------- sftp-glob.h | 32 ++++++++++++-------------------- sftp-int.h | 32 ++++++++++++-------------------- sftp.c | 32 ++++++++++++-------------------- 7 files changed, 78 insertions(+), 121 deletions(-) diff --git a/ChangeLog b/ChangeLog index be5d4f1c1..c1018b10e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,10 @@ 20040217 - (djm) Simplify the license on code I have written. No code changes. + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/02/17 05:39:51 + [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c] + [sftp-int.h sftp.c] + switch to license.template for code written by me (belated, I know...) 20040212 - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] @@ -1855,4 +1860,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3229 2004/02/17 05:49:41 djm Exp $ +$Id: ChangeLog,v 1.3230 2004/02/17 06:07:59 djm Exp $ diff --git a/sftp-client.c b/sftp-client.c index 8e657d1b5..81c5dd497 100644 --- a/sftp-client.c +++ b/sftp-client.c 
@@ -1,25 +1,17 @@ /* - * Copyright (c) 2001-2003 Damien Miller. All rights reserved. + * Copyright (c) 2001-2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* XXX: memleaks */ @@ -28,7 +20,7 @@ /* XXX: copy between two remote sites */ #include "includes.h" -RCSID("$OpenBSD: sftp-client.c,v 1.45 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD: sftp-client.c,v 1.46 2004/02/17 05:39:51 djm Exp $"); #include "openbsd-compat/sys-queue.h" diff --git a/sftp-client.h b/sftp-client.h index 98e08ffa7..a0e8e44b3 100644 --- a/sftp-client.h +++ b/sftp-client.h 
@@ -1,27 +1,19 @@ -/* $OpenBSD: sftp-client.h,v 1.11 2002/09/11 22:41:50 djm Exp $ */ +/* $OpenBSD: sftp-client.h,v 1.12 2004/02/17 05:39:51 djm Exp $ */ /* - * Copyright (c) 2001,2002 Damien Miller. All rights reserved. + * Copyright (c) 2001-2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* Client side of SSH2 filexfer protocol */ diff --git a/sftp-glob.c b/sftp-glob.c index f099227f9..f47367f10 100644 --- a/sftp-glob.c +++ b/sftp-glob.c 
@@ -1,29 +1,21 @@ /* - * Copyright (c) 2001,2002 Damien Miller. All rights reserved. + * Copyright (c) 2001-2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-glob.c,v 1.13 2002/09/11 22:41:50 djm Exp $"); +RCSID("$OpenBSD: sftp-glob.c,v 1.14 2004/02/17 05:39:51 djm Exp $"); #include "buffer.h" #include "bufaux.h" diff --git a/sftp-glob.h b/sftp-glob.h index f879e8719..46b352024 100644 --- a/sftp-glob.h +++ b/sftp-glob.h 
@@ -1,27 +1,19 @@ -/* $OpenBSD: sftp-glob.h,v 1.8 2002/09/11 22:41:50 djm Exp $ */ +/* $OpenBSD: sftp-glob.h,v 1.9 2004/02/17 05:39:51 djm Exp $ */ /* - * Copyright (c) 2001,2002 Damien Miller. All rights reserved. + * Copyright (c) 2001-2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ /* Remote sftp filename globbing */ diff --git a/sftp-int.h b/sftp-int.h index 8a04a03f6..031eb7aa7 100644 --- a/sftp-int.h +++ b/sftp-int.h 
@@ -1,27 +1,19 @@ -/* $OpenBSD: sftp-int.h,v 1.6 2003/01/08 23:53:26 djm Exp $ */ +/* $OpenBSD: sftp-int.h,v 1.7 2004/02/17 05:39:51 djm Exp $ */ /* - * Copyright (c) 2001,2002 Damien Miller. All rights reserved. + * Copyright (c) 2001-2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ int interactive_loop(int, int, char *, char *); diff --git a/sftp.c b/sftp.c index fef28c3b7..a6e976e58 100644 --- a/sftp.c +++ b/sftp.c 
@@ -1,30 +1,22 @@ /* - * Copyright (c) 2001,2002 Damien Miller. All rights reserved. + * Copyright (c) 2001-2004 Damien Miller * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.41 2004/01/27 10:08:10 djm Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.42 2004/02/17 05:39:51 djm Exp $"); #include "buffer.h" #include "xmalloc.h" -- cgit v1.2.3 From 34255b9f4c0546a455a71277ad05734ba6878198 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 17 Feb 2004 20:33:52 +1100 Subject: - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from stadal@suse.cz and simon@sxw.org.uk --- ChangeLog | 4 +++- gss-serv-krb5.c | 7 +++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c1018b10e..1497e6532 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,8 @@ [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c] [sftp-int.h sftp.c] switch to license.template for code written by me (belated, I know...) + - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from + stadal@suse.cz and simon@sxw.org.uk 20040212 - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] @@ -1860,4 +1862,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3230 2004/02/17 06:07:59 djm Exp $ +$Id: ChangeLog,v 1.3231 2004/02/17 09:33:52 djm Exp $ diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index e358bcbdc..7373beb6d 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -108,6 +108,7 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) krb5_error_code problem; krb5_principal princ; OM_uint32 maj_status, min_status; + int len; if (client->creds == NULL) { debug("No credentials stored"); 
@@ -178,11 +179,13 @@ ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client) client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache)); client->store.envvar = "KRB5CCNAME"; - client->store.envval = xstrdup(client->store.filename); + len = strlen(client->store.filename) + 6; + client->store.envval = xmalloc(len); + snprintf(client->store.envval, len, "FILE:%s", client->store.filename); #ifdef USE_PAM if (options.use_pam) - do_pam_putenv(client->store.envvar,client->store.envval); + do_pam_putenv(client->store.envvar, client->store.envval); #endif krb5_cc_close(krb_context, ccache); -- cgit v1.2.3 From ba53b839d30de74c994b8c6a20360967cb844ade Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 17 Feb 2004 20:46:59 +1100 Subject: - (dtucker) [auth-pam.c] Tidy up PAM debugging. ok djm@ --- ChangeLog | 3 ++- auth-pam.c | 8 +++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1497e6532..2bb226cab 100644 --- a/ChangeLog +++ b/ChangeLog @@ -7,6 +7,7 @@ switch to license.template for code written by me (belated, I know...) - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from stadal@suse.cz and simon@sxw.org.uk + - (dtucker) [auth-pam.c] Tidy up PAM debugging. ok djm@ 20040212 - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] @@ -1862,4 +1863,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3231 2004/02/17 09:33:52 djm Exp $ +$Id: ChangeLog,v 1.3232 2004/02/17 09:46:59 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 562fb01f2..0ab5554a3 100644 --- a/auth-pam.c +++ b/auth-pam.c 
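Review bot: `len` is declared `int` (in the `@@ -108,6 +108,7 @@` hunk) but receives `strlen(client->store.filename) + 6`, a size_t expression, and is then passed as the size to both `xmalloc` and `snprintf`. The literal 6 also hides that it stands for the "FILE:" prefix plus the terminating NUL. I would declare `size_t len;` and write `len = strlen(client->store.filename) + sizeof("FILE:");` so the allocation stays tied to the prefix that snprintf writes. ssh_gssapi_krb5_storecreds starts and ends outside both hunks.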
@@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.93 2004/02/10 02:23:29 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.94 2004/02/17 09:46:59 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) @@ -242,7 +242,7 @@ sshpam_thread_conv(int n, const struct pam_message **msg, struct pam_response *reply; int i; - debug3("PAM: %s entering, %d responses", __func__, n); + debug3("PAM: %s entering, %d messages", __func__, n); *resp = NULL; ctxt = data; @@ -416,7 +416,7 @@ static int sshpam_null_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *data) { - debug3("PAM: %s entering, %d responses", __func__, n); + debug3("PAM: %s entering, %d messages", __func__, n); return (PAM_CONV_ERR); } @@ -754,6 +754,8 @@ pam_tty_conv(int n, const struct pam_message **msg, struct pam_response *reply; int i; + debug3("PAM: %s called with %d messages", __func__, n); + *resp = NULL; if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO)) -- cgit v1.2.3 From 5cf8ef735c5d7d76c1c69e491419b1311ec1575b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 17 Feb 2004 23:20:07 +1100 Subject: - (dtucker) [auth-pam.c] Store output from pam_session and pam_setcred for display after login. Should fix problems like pam_motd not displaying anything, noticed by cjwatson at debian.org. ok djm@ --- ChangeLog | 5 ++++- auth-pam.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 51 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2bb226cab..aa9e26c22 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -8,6 +8,9 @@ - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from stadal@suse.cz and simon@sxw.org.uk - (dtucker) [auth-pam.c] Tidy up PAM debugging. ok djm@ + - (dtucker) [auth-pam.c] Store output from pam_session and pam_setcred for + display after login. Should fix problems like pam_motd not displaying + anything, noticed by cjwatson at debian.org. ok djm@ 20040212 - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] @@ -1863,4 +1866,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3232 2004/02/17 09:46:59 dtucker Exp $ +$Id: ChangeLog,v 1.3233 2004/02/17 12:20:07 dtucker Exp $ diff --git a/auth-pam.c b/auth-pam.c index 0ab5554a3..397f7d3a8 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -31,7 +31,7 @@ /* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */ #include "includes.h" -RCSID("$Id: auth-pam.c,v 1.94 2004/02/17 09:46:59 dtucker Exp $"); +RCSID("$Id: auth-pam.c,v 1.95 2004/02/17 12:20:08 dtucker Exp $"); #ifdef USE_PAM #if defined(HAVE_SECURITY_PAM_APPL_H) 
@@ -823,12 +823,57 @@ do_pam_chauthtok(void) pam_strerror(sshpam_handle, sshpam_err)); } +static int +pam_store_conv(int n, const struct pam_message **msg, + struct pam_response **resp, void *data) +{ + struct pam_response *reply; + int i; + size_t len; + + debug3("PAM: %s called with %d messages", __func__, n); + *resp = NULL; + + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + + if ((reply = malloc(n * sizeof(*reply))) == NULL) + return (PAM_CONV_ERR); + memset(reply, 0, n * sizeof(*reply)); + + for (i = 0; i < n; ++i) { + switch (PAM_MSG_MEMBER(msg, i, msg_style)) { + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + len = strlen(PAM_MSG_MEMBER(msg, i, msg)); + buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len); + buffer_append(&loginmsg, "\n", 1 ); + reply[i].resp_retcode = PAM_SUCCESS; + break; + default: + goto fail; + } + } + *resp = reply; + return (PAM_SUCCESS); + + fail: + for(i = 0; i < n; i++) { + if (reply[i].resp != NULL) + xfree(reply[i].resp); + } + xfree(reply); + return (PAM_CONV_ERR); +} + +static struct pam_conv store_conv = { pam_store_conv, NULL }; + void do_pam_session(void) { debug3("PAM: opening session"); sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, - (const void *)&tty_conv); + (const void *)&store_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); -- cgit v1.2.3 From a22897df0689d19e3fcd0d791fb63b49aa95c1cb Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Wed, 18 Feb 2004 11:21:12 +1100 Subject: - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a path with a "-" in it. From Sergio.Gelato at astro.su.se. --- ChangeLog | 6 +++++- configure.ac | 8 ++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index aa9e26c22..e150ef6f4 100644 --- a/ChangeLog +++ b/ChangeLog 
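Review bot: In pam_store_conv() the `PAM_ERROR_MSG`/`PAM_TEXT_INFO` case passes `PAM_MSG_MEMBER(msg, i, msg)` straight to strlen(), so a module that hands over a NULL message text would crash the process at that point; a guard such as `if (PAM_MSG_MEMBER(msg, i, msg) == NULL) goto fail;` before the strlen() avoids that. The loop under `fail:` frees `reply[i].resp`, which this function never sets after the memset(), so it is dead code and the path could be reduced to releasing `reply`. `reply` is obtained with malloc() but released with xfree(); presumably malloc() is deliberate because the PAM library frees the responses on success, and a one-line comment saying so (with free() on the error path) would make the allocator pairing explicit. do_pam_session() continues past the end of the hunk.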
@@ -1,3 +1,7 @@ +20040218 + - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a + path with a "-" in it. From Sergio.Gelato at astro.su.se. + 20040217 - (djm) Simplify the license on code I have written. No code changes. - (djm) OpenBSD CVS Sync @@ -1866,4 +1870,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3233 2004/02/17 12:20:07 dtucker Exp $ +$Id: ChangeLog,v 1.3234 2004/02/18 00:21:12 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 6b1c3137f..601cd7537 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.198 2004/02/12 17:27:21 tim Exp $ +# $Id: configure.ac,v 1.199 2004/02/18 00:21:12 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -2085,9 +2085,9 @@ AC_ARG_WITH(kerberos5, if $KRB5CONF | grep gssapi >/dev/null ; then AC_MSG_RESULT(yes) K5CFLAGS="`$KRB5CONF --cflags gssapi`" - dnl m4 quadragraphs: "sed 's/-l[^- ]*//g'" - K5LDFLAGS="`$KRB5CONF --libs gssapi | sed 's/-l@<:@^- @:>@*//g'`" - K5LIBS="`$KRB5CONF --libs gssapi | sed 's/-L@<:@^- @:>@*//g'`" + dnl m4 quadragraphs: "sed 's/-l[^ ]* //g'" + K5LDFLAGS="`$KRB5CONF --libs gssapi | sed 's/-l@<:@^ @:>@* //g'`" + K5LIBS="`$KRB5CONF --libs gssapi | sed 's/-L@<:@^ @:>@* //g'`" else AC_MSG_RESULT(no) K5CFLAGS="`$KRB5CONF --cflags`" -- cgit v1.2.3 From d7d46bb6068927cf14c6b083eb50984d3111e05c Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 18 Feb 2004 14:11:13 +1100 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2004/02/17 07:17:29 [sftp-glob.c sftp.c] Remove useless headers; ok deraadt@ --- ChangeLog | 6 +++++- sftp-glob.c | 6 ++++-- sftp.c | 5 +++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index e150ef6f4..349eec382 100644 --- a/ChangeLog +++ b/ChangeLog 
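Review bot: The new patterns `s/-l@<:@^ @:>@* //g` and `s/-L@<:@^ @:>@* //g` only match an option that is followed by a space, so the last word of the `$KRB5CONF --libs gssapi` output (normally a `-l` library, unless the tool prints a trailing space) is left behind in `K5LDFLAGS`. The match is also still not anchored to the start of a word, so a directory name that contains `-l` or `-L` (a constructed example: `-L/opt/krb5-lib`) loses part of its path, which is the same class of problem this commit fixes for `-`. Splitting the output word by word in the shell avoids both cases; the sketch below keeps the current behaviour of passing any other flag to both variables, and the `dnl` comment should then describe that rule instead of the sed expression. The enclosing AC_ARG_WITH(kerberos5, ...) block starts and ends outside the hunk.

```m4
			K5CFLAGS="`$KRB5CONF --cflags gssapi`"
			K5LDFLAGS=""
			K5LIBS=""
			for k5word in `$KRB5CONF --libs gssapi` ; do
				case "$k5word" in
				-l*)	K5LIBS="$K5LIBS $k5word" ;;
				-L*)	K5LDFLAGS="$K5LDFLAGS $k5word" ;;
				*)	K5LDFLAGS="$K5LDFLAGS $k5word"
					K5LIBS="$K5LIBS $k5word" ;;
				esac
			done
dnl … unchanged: else branch using $KRB5CONF without gssapi …
```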
@@ -1,6 +1,10 @@ 20040218 - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a path with a "-" in it. From Sergio.Gelato at astro.su.se. + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2004/02/17 07:17:29 + [sftp-glob.c sftp.c] + Remove useless headers; ok deraadt@ 20040217 - (djm) Simplify the license on code I have written. No code changes. @@ -1870,4 +1874,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3234 2004/02/18 00:21:12 dtucker Exp $ +$Id: ChangeLog,v 1.3235 2004/02/18 03:11:13 djm Exp $ diff --git a/sftp-glob.c b/sftp-glob.c index f47367f10..16c5e206a 100644 --- a/sftp-glob.c +++ b/sftp-glob.c @@ -15,7 +15,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sftp-glob.c,v 1.14 2004/02/17 05:39:51 djm Exp $"); +RCSID("$OpenBSD: sftp-glob.c,v 1.15 2004/02/17 07:17:29 djm Exp $"); #include "buffer.h" #include "bufaux.h" @@ -25,7 +25,9 @@ RCSID("$OpenBSD: sftp-glob.c,v 1.14 2004/02/17 05:39:51 djm Exp $"); #include "sftp.h" #include "sftp-common.h" #include "sftp-client.h" -#include "sftp-glob.h" + +int remote_glob(struct sftp_conn *, const char *, int, + int (*)(const char *, int), glob_t *); struct SFTP_OPENDIR { SFTP_DIRENT **dir; diff --git a/sftp.c b/sftp.c index a6e976e58..04b859a8d 100644 --- a/sftp.c +++ b/sftp.c @@ -16,7 +16,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.42 2004/02/17 05:39:51 djm Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.43 2004/02/17 07:17:29 djm Exp $"); #include "buffer.h" #include "xmalloc.h" @@ -27,7 +27,8 @@ RCSID("$OpenBSD: sftp.c,v 1.42 2004/02/17 05:39:51 djm Exp $"); #include "sftp.h" #include "sftp-common.h" #include "sftp-client.h" -#include "sftp-int.h" + +int interactive_loop(int, int, char *, char *); /* sftp-int.c */ #ifdef HAVE___PROGNAME extern char *__progname; -- cgit v1.2.3 From 9a47d86661129552df18074cef60d00f682a5d17 Mon Sep 17 00:00:00 2001 
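Review bot: The prototype `int interactive_loop(int, int, char *, char *); /* sftp-int.c */` added to sftp.c is a hand-copied declaration in a .c file, so the compiler no longer compares what this caller sees with the definition through a shared header; the `remote_glob()` declaration moved into sftp-glob.c in the preceding hunk has the same effect for any caller that needs its own copy. If a definition's parameter list changes, a stale copy still compiles and the call has undefined behaviour. Keeping each prototype in one header included by both the defining file and its callers (sftp.h and sftp-client.h are already included in both files) preserves that check. Both hunks cover only the include list; the rest of each file is outside them.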
From: Damien Miller Date: Wed, 18 Feb 2004 14:20:29 +1100 Subject: - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2004/02/17 07:17:29 [sftp-glob.c sftp.c] Remove useless headers; ok deraadt@ --- sftp-glob.h | 29 ----------------------------- sftp-int.h | 19 ------------------- 2 files changed, 48 deletions(-) delete mode 100644 sftp-glob.h delete mode 100644 sftp-int.h diff --git a/sftp-glob.h b/sftp-glob.h deleted file mode 100644 index 46b352024..000000000 --- a/sftp-glob.h +++ /dev/null @@ -1,29 +0,0 @@ -/* $OpenBSD: sftp-glob.h,v 1.9 2004/02/17 05:39:51 djm Exp $ */ - -/* - * Copyright (c) 2001-2004 Damien Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -/* Remote sftp filename globbing */ - -#ifndef _SFTP_GLOB_H -#define _SFTP_GLOB_H - -#include "sftp-client.h" - -int remote_glob(struct sftp_conn *, const char *, int, - int (*)(const char *, int), glob_t *); - -#endif diff --git a/sftp-int.h b/sftp-int.h deleted file mode 100644 index 031eb7aa7..000000000 --- a/sftp-int.h +++ /dev/null 
@@ -1,19 +0,0 @@ -/* $OpenBSD: sftp-int.h,v 1.7 2004/02/17 05:39:51 djm Exp $ */ - -/* - * Copyright (c) 2001-2004 Damien Miller - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -int interactive_loop(int, int, char *, char *); -- cgit v1.2.3 From 20e1fabace87376a9868b9bd83bd57db13f5763d Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 18 Feb 2004 14:30:55 +1100 Subject: - djm@cvs.openbsd.org 2004/02/17 11:03:08 [sftp.c] sftp.c and sftp-int.c, together at last; ok markus@ --- ChangeLog | 5 +- Makefile.in | 6 +- sftp-int.c | 1203 ----------------------------------------------------------- sftp.c | 1181 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 4 files changed, 1178 insertions(+), 1217 deletions(-) delete mode 100644 sftp-int.c diff --git a/ChangeLog b/ChangeLog index 349eec382..a5d3ee4df 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,9 @@ - djm@cvs.openbsd.org 2004/02/17 07:17:29 [sftp-glob.c sftp.c] Remove useless headers; ok deraadt@ + - djm@cvs.openbsd.org 2004/02/17 11:03:08 + [sftp.c] + sftp.c and sftp-int.c, together at last; ok markus@ 20040217 - (djm) Simplify the license on code I have written. No code changes. 
@@ -1874,4 +1877,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3235 2004/02/18 03:11:13 djm Exp $ +$Id: ChangeLog,v 1.3236 2004/02/18 03:30:55 djm Exp $ diff --git a/Makefile.in b/Makefile.in index eae406aa7..919b36819 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.256 2004/02/12 15:17:11 tim Exp $ +# $Id: Makefile.in,v 1.257 2004/02/18 03:35:11 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -158,8 +158,8 @@ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o progressmeter.o - $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o + $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff --git a/sftp-int.c b/sftp-int.c deleted file mode 100644 index 3ee57515d..000000000 --- a/sftp-int.c +++ /dev/null 
@@ -1,1203 +0,0 @@ -/* - * Copyright (c) 2001,2002 Damien Miller. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/* XXX: recursive operations */ - -#include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.67 2004/01/23 17:57:48 mouring Exp $"); - -#include "buffer.h" -#include "xmalloc.h" -#include "log.h" -#include "pathnames.h" - -#include "sftp.h" -#include "sftp-common.h" -#include "sftp-glob.h" -#include "sftp-client.h" -#include "sftp-int.h" - -/* File to read commands from */ -extern FILE *infile; - -/* Are we in batchfile mode? 
*/ -extern int batchmode; - -/* Size of buffer used when copying files */ -extern size_t copy_buffer_len; - -/* Number of concurrent outstanding requests */ -extern int num_requests; - -/* This is set to 0 if the progressmeter is not desired. */ -int showprogress = 1; - -/* Separators for interactive commands */ -#define WHITESPACE " \t\r\n" - -/* Define what type of ls view (0 - multi-column) */ -#define LONG_VIEW 1 /* Full view ala ls -l */ -#define SHORT_VIEW 2 /* Single row view ala ls -1 */ - -/* Commands for interactive mode */ -#define I_CHDIR 1 -#define I_CHGRP 2 -#define I_CHMOD 3 -#define I_CHOWN 4 -#define I_GET 5 -#define I_HELP 6 -#define I_LCHDIR 7 -#define I_LLS 8 -#define I_LMKDIR 9 -#define I_LPWD 10 -#define I_LS 11 -#define I_LUMASK 12 -#define I_MKDIR 13 -#define I_PUT 14 -#define I_PWD 15 -#define I_QUIT 16 -#define I_RENAME 17 -#define I_RM 18 -#define I_RMDIR 19 -#define I_SHELL 20 -#define I_SYMLINK 21 -#define I_VERSION 22 -#define I_PROGRESS 23 - -struct CMD { - const char *c; - const int n; -}; - -static const struct CMD cmds[] = { - { "bye", I_QUIT }, - { "cd", I_CHDIR }, - { "chdir", I_CHDIR }, - { "chgrp", I_CHGRP }, - { "chmod", I_CHMOD }, - { "chown", I_CHOWN }, - { "dir", I_LS }, - { "exit", I_QUIT }, - { "get", I_GET }, - { "mget", I_GET }, - { "help", I_HELP }, - { "lcd", I_LCHDIR }, - { "lchdir", I_LCHDIR }, - { "lls", I_LLS }, - { "lmkdir", I_LMKDIR }, - { "ln", I_SYMLINK }, - { "lpwd", I_LPWD }, - { "ls", I_LS }, - { "lumask", I_LUMASK }, - { "mkdir", I_MKDIR }, - { "progress", I_PROGRESS }, - { "put", I_PUT }, - { "mput", I_PUT }, - { "pwd", I_PWD }, - { "quit", I_QUIT }, - { "rename", I_RENAME }, - { "rm", I_RM }, - { "rmdir", I_RMDIR }, - { "symlink", I_SYMLINK }, - { "version", I_VERSION }, - { "!", I_SHELL }, - { "?", I_HELP }, - { NULL, -1} -}; - -static void -help(void) -{ - printf("Available commands:\n"); - printf("cd path Change remote directory to 'path'\n"); - printf("lcd path Change local directory to 'path'\n"); - 
printf("chgrp grp path Change group of file 'path' to 'grp'\n"); - printf("chmod mode path Change permissions of file 'path' to 'mode'\n"); - printf("chown own path Change owner of file 'path' to 'own'\n"); - printf("help Display this help text\n"); - printf("get remote-path [local-path] Download file\n"); - printf("lls [ls-options [path]] Display local directory listing\n"); - printf("ln oldpath newpath Symlink remote file\n"); - printf("lmkdir path Create local directory\n"); - printf("lpwd Print local working directory\n"); - printf("ls [path] Display remote directory listing\n"); - printf("lumask umask Set local umask to 'umask'\n"); - printf("mkdir path Create remote directory\n"); - printf("progress Toggle display of progress meter\n"); - printf("put local-path [remote-path] Upload file\n"); - printf("pwd Display remote working directory\n"); - printf("exit Quit sftp\n"); - printf("quit Quit sftp\n"); - printf("rename oldpath newpath Rename remote file\n"); - printf("rmdir path Remove remote directory\n"); - printf("rm path Delete remote file\n"); - printf("symlink oldpath newpath Symlink remote file\n"); - printf("version Show SFTP version\n"); - printf("!command Execute 'command' in local shell\n"); - printf("! Escape to local shell\n"); - printf("? Synonym for help\n"); -} - -static void -local_do_shell(const char *args) -{ - int status; - char *shell; - pid_t pid; - - if (!*args) - args = NULL; - - if ((shell = getenv("SHELL")) == NULL) - shell = _PATH_BSHELL; - - if ((pid = fork()) == -1) - fatal("Couldn't fork: %s", strerror(errno)); - - if (pid == 0) { - /* XXX: child has pipe fds to ssh subproc open - issue? 
*/ - if (args) { - debug3("Executing %s -c \"%s\"", shell, args); - execl(shell, shell, "-c", args, (char *)NULL); - } else { - debug3("Executing %s", shell); - execl(shell, shell, (char *)NULL); - } - fprintf(stderr, "Couldn't execute \"%s\": %s\n", shell, - strerror(errno)); - _exit(1); - } - while (waitpid(pid, &status, 0) == -1) - if (errno != EINTR) - fatal("Couldn't wait for child: %s", strerror(errno)); - if (!WIFEXITED(status)) - error("Shell exited abormally"); - else if (WEXITSTATUS(status)) - error("Shell exited with status %d", WEXITSTATUS(status)); -} - -static void -local_do_ls(const char *args) -{ - if (!args || !*args) - local_do_shell(_PATH_LS); - else { - int len = strlen(_PATH_LS " ") + strlen(args) + 1; - char *buf = xmalloc(len); - - /* XXX: quoting - rip quoting code from ftp? */ - snprintf(buf, len, _PATH_LS " %s", args); - local_do_shell(buf); - xfree(buf); - } -} - -/* Strip one path (usually the pwd) from the start of another */ -static char * -path_strip(char *path, char *strip) -{ - size_t len; - - if (strip == NULL) - return (xstrdup(path)); - - len = strlen(strip); - if (strip != NULL && strncmp(path, strip, len) == 0) { - if (strip[len - 1] != '/' && path[len] == '/') - len++; - return (xstrdup(path + len)); - } - - return (xstrdup(path)); -} - -static char * -path_append(char *p1, char *p2) -{ - char *ret; - int len = strlen(p1) + strlen(p2) + 2; - - ret = xmalloc(len); - strlcpy(ret, p1, len); - if (p1[strlen(p1) - 1] != '/') - strlcat(ret, "/", len); - strlcat(ret, p2, len); - - return(ret); -} - -static char * -make_absolute(char *p, char *pwd) -{ - char *abs; - - /* Derelativise */ - if (p && p[0] != '/') { - abs = path_append(pwd, p); - xfree(p); - return(abs); - } else - return(p); -} - -static int -infer_path(const char *p, char **ifp) -{ - char *cp; - - cp = strrchr(p, '/'); - if (cp == NULL) { - *ifp = xstrdup(p); - return(0); - } - - if (!cp[1]) { - error("Invalid path"); - return(-1); - } - - *ifp = xstrdup(cp + 1); - 
return(0); -} - -static int -parse_getput_flags(const char **cpp, int *pflag) -{ - const char *cp = *cpp; - - /* Check for flags */ - if (cp[0] == '-' && cp[1] && strchr(WHITESPACE, cp[2])) { - switch (cp[1]) { - case 'p': - case 'P': - *pflag = 1; - break; - default: - error("Invalid flag -%c", cp[1]); - return(-1); - } - cp += 2; - *cpp = cp + strspn(cp, WHITESPACE); - } - - return(0); -} - -static int -parse_ls_flags(const char **cpp, int *lflag) -{ - const char *cp = *cpp; - - /* Check for flags */ - if (cp++[0] == '-') { - for(; strchr(WHITESPACE, *cp) == NULL; cp++) { - switch (*cp) { - case 'l': - *lflag = LONG_VIEW; - break; - case '1': - *lflag = SHORT_VIEW; - break; - default: - error("Invalid flag -%c", *cp); - return(-1); - } - } - *cpp = cp + strspn(cp, WHITESPACE); - } - - return(0); -} - -static int -get_pathname(const char **cpp, char **path) -{ - const char *cp = *cpp, *end; - char quot; - int i, j; - - cp += strspn(cp, WHITESPACE); - if (!*cp) { - *cpp = cp; - *path = NULL; - return (0); - } - - *path = xmalloc(strlen(cp) + 1); - - /* Check for quoted filenames */ - if (*cp == '\"' || *cp == '\'') { - quot = *cp++; - - /* Search for terminating quote, unescape some chars */ - for (i = j = 0; i <= strlen(cp); i++) { - if (cp[i] == quot) { /* Found quote */ - i++; - (*path)[j] = '\0'; - break; - } - if (cp[i] == '\0') { /* End of string */ - error("Unterminated quote"); - goto fail; - } - if (cp[i] == '\\') { /* Escaped characters */ - i++; - if (cp[i] != '\'' && cp[i] != '\"' && - cp[i] != '\\') { - error("Bad escaped character '\%c'", - cp[i]); - goto fail; - } - } - (*path)[j++] = cp[i]; - } - - if (j == 0) { - error("Empty quotes"); - goto fail; - } - *cpp = cp + i + strspn(cp + i, WHITESPACE); - } else { - /* Read to end of filename */ - end = strpbrk(cp, WHITESPACE); - if (end == NULL) - end = strchr(cp, '\0'); - *cpp = end + strspn(end, WHITESPACE); - - memcpy(*path, cp, end - cp); - (*path)[end - cp] = '\0'; - } - return (0); - - fail: - 
xfree(*path); - *path = NULL; - return (-1); -} - -static int -is_dir(char *path) -{ - struct stat sb; - - /* XXX: report errors? */ - if (stat(path, &sb) == -1) - return(0); - - return(sb.st_mode & S_IFDIR); -} - -static int -is_reg(char *path) -{ - struct stat sb; - - if (stat(path, &sb) == -1) - fatal("stat %s: %s", path, strerror(errno)); - - return(S_ISREG(sb.st_mode)); -} - -static int -remote_is_dir(struct sftp_conn *conn, char *path) -{ - Attrib *a; - - /* XXX: report errors? */ - if ((a = do_stat(conn, path, 1)) == NULL) - return(0); - if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) - return(0); - return(a->perm & S_IFDIR); -} - -static int -process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag) -{ - char *abs_src = NULL; - char *abs_dst = NULL; - char *tmp; - glob_t g; - int err = 0; - int i; - - abs_src = xstrdup(src); - abs_src = make_absolute(abs_src, pwd); - - memset(&g, 0, sizeof(g)); - debug3("Looking up %s", abs_src); - if (remote_glob(conn, abs_src, 0, NULL, &g)) { - error("File \"%s\" not found.", abs_src); - err = -1; - goto out; - } - - /* If multiple matches, dst must be a directory or unspecified */ - if (g.gl_matchc > 1 && dst && !is_dir(dst)) { - error("Multiple files match, but \"%s\" is not a directory", - dst); - err = -1; - goto out; - } - - for (i = 0; g.gl_pathv[i]; i++) { - if (infer_path(g.gl_pathv[i], &tmp)) { - err = -1; - goto out; - } - - if (g.gl_matchc == 1 && dst) { - /* If directory specified, append filename */ - if (is_dir(dst)) { - if (infer_path(g.gl_pathv[0], &tmp)) { - err = 1; - goto out; - } - abs_dst = path_append(dst, tmp); - xfree(tmp); - } else - abs_dst = xstrdup(dst); - } else if (dst) { - abs_dst = path_append(dst, tmp); - xfree(tmp); - } else - abs_dst = tmp; - - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); - if (do_download(conn, g.gl_pathv[i], abs_dst, pflag) == -1) - err = -1; - xfree(abs_dst); - abs_dst = NULL; - } - -out: - xfree(abs_src); - if (abs_dst) - 
xfree(abs_dst); - globfree(&g); - return(err); -} - -static int -process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag) -{ - char *tmp_dst = NULL; - char *abs_dst = NULL; - char *tmp; - glob_t g; - int err = 0; - int i; - - if (dst) { - tmp_dst = xstrdup(dst); - tmp_dst = make_absolute(tmp_dst, pwd); - } - - memset(&g, 0, sizeof(g)); - debug3("Looking up %s", src); - if (glob(src, 0, NULL, &g)) { - error("File \"%s\" not found.", src); - err = -1; - goto out; - } - - /* If multiple matches, dst may be directory or unspecified */ - if (g.gl_matchc > 1 && tmp_dst && !remote_is_dir(conn, tmp_dst)) { - error("Multiple files match, but \"%s\" is not a directory", - tmp_dst); - err = -1; - goto out; - } - - for (i = 0; g.gl_pathv[i]; i++) { - if (!is_reg(g.gl_pathv[i])) { - error("skipping non-regular file %s", - g.gl_pathv[i]); - continue; - } - if (infer_path(g.gl_pathv[i], &tmp)) { - err = -1; - goto out; - } - - if (g.gl_matchc == 1 && tmp_dst) { - /* If directory specified, append filename */ - if (remote_is_dir(conn, tmp_dst)) { - if (infer_path(g.gl_pathv[0], &tmp)) { - err = 1; - goto out; - } - abs_dst = path_append(tmp_dst, tmp); - xfree(tmp); - } else - abs_dst = xstrdup(tmp_dst); - - } else if (tmp_dst) { - abs_dst = path_append(tmp_dst, tmp); - xfree(tmp); - } else - abs_dst = make_absolute(tmp, pwd); - - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); - if (do_upload(conn, g.gl_pathv[i], abs_dst, pflag) == -1) - err = -1; - } - -out: - if (abs_dst) - xfree(abs_dst); - if (tmp_dst) - xfree(tmp_dst); - globfree(&g); - return(err); -} - -static int -sdirent_comp(const void *aa, const void *bb) -{ - SFTP_DIRENT *a = *(SFTP_DIRENT **)aa; - SFTP_DIRENT *b = *(SFTP_DIRENT **)bb; - - return (strcmp(a->filename, b->filename)); -} - -/* sftp ls.1 replacement for directories */ -static int -do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) -{ - int n, c = 1, colspace = 0, columns = 1; - SFTP_DIRENT **d; - - if 
((n = do_readdir(conn, path, &d)) != 0) - return (n); - - if (!(lflag & SHORT_VIEW)) { - int m = 0, width = 80; - struct winsize ws; - char *tmp; - - /* Count entries for sort and find longest filename */ - for (n = 0; d[n] != NULL; n++) - m = MAX(m, strlen(d[n]->filename)); - - /* Add any subpath that also needs to be counted */ - tmp = path_strip(path, strip_path); - m += strlen(tmp); - xfree(tmp); - - if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) - width = ws.ws_col; - - columns = width / (m + 2); - columns = MAX(columns, 1); - colspace = width / columns; - colspace = MIN(colspace, width); - } - - qsort(d, n, sizeof(*d), sdirent_comp); - - for (n = 0; d[n] != NULL; n++) { - char *tmp, *fname; - - tmp = path_append(path, d[n]->filename); - fname = path_strip(tmp, strip_path); - xfree(tmp); - - if (lflag & LONG_VIEW) { - char *lname; - struct stat sb; - - memset(&sb, 0, sizeof(sb)); - attrib_to_stat(&d[n]->a, &sb); - lname = ls_file(fname, &sb, 1); - printf("%s\n", lname); - xfree(lname); - } else { - printf("%-*s", colspace, fname); - if (c >= columns) { - printf("\n"); - c = 1; - } else - c++; - } - - xfree(fname); - } - - if (!(lflag & LONG_VIEW) && (c != 1)) - printf("\n"); - - free_sftp_dirents(d); - return (0); -} - -/* sftp ls.1 replacement which handles path globs */ -static int -do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, - int lflag) -{ - glob_t g; - int i, c = 1, colspace = 0, columns = 1; - Attrib *a; - - memset(&g, 0, sizeof(g)); - - if (remote_glob(conn, path, GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE, - NULL, &g)) { - error("Can't ls: \"%s\" not found", path); - return (-1); - } - - /* - * If the glob returns a single match, which is the same as the - * input glob, and it is a directory, then just list its contents - */ - if (g.gl_pathc == 1 && - strncmp(path, g.gl_pathv[0], strlen(g.gl_pathv[0]) - 1) == 0) { - if ((a = do_lstat(conn, path, 1)) == NULL) { - globfree(&g); - return (-1); - } - if ((a->flags & 
SSH2_FILEXFER_ATTR_PERMISSIONS) && - S_ISDIR(a->perm)) { - globfree(&g); - return (do_ls_dir(conn, path, strip_path, lflag)); - } - } - - if (!(lflag & SHORT_VIEW)) { - int m = 0, width = 80; - struct winsize ws; - - /* Count entries for sort and find longest filename */ - for (i = 0; g.gl_pathv[i]; i++) - m = MAX(m, strlen(g.gl_pathv[i])); - - if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) - width = ws.ws_col; - - columns = width / (m + 2); - columns = MAX(columns, 1); - colspace = width / columns; - } - - for (i = 0; g.gl_pathv[i]; i++) { - char *fname; - - fname = path_strip(g.gl_pathv[i], strip_path); - - if (lflag & LONG_VIEW) { - char *lname; - struct stat sb; - - /* - * XXX: this is slow - 1 roundtrip per path - * A solution to this is to fork glob() and - * build a sftp specific version which keeps the - * attribs (which currently get thrown away) - * that the server returns as well as the filenames. - */ - memset(&sb, 0, sizeof(sb)); - a = do_lstat(conn, g.gl_pathv[i], 1); - if (a != NULL) - attrib_to_stat(a, &sb); - lname = ls_file(fname, &sb, 1); - printf("%s\n", lname); - xfree(lname); - } else { - printf("%-*s", colspace, fname); - if (c >= columns) { - printf("\n"); - c = 1; - } else - c++; - } - xfree(fname); - } - - if (!(lflag & LONG_VIEW) && (c != 1)) - printf("\n"); - - if (g.gl_pathc) - globfree(&g); - - return (0); -} - -static int -parse_args(const char **cpp, int *pflag, int *lflag, int *iflag, - unsigned long *n_arg, char **path1, char **path2) -{ - const char *cmd, *cp = *cpp; - char *cp2; - int base = 0; - long l; - int i, cmdnum; - - /* Skip leading whitespace */ - cp = cp + strspn(cp, WHITESPACE); - - /* Ignore blank lines and lines which begin with comment '#' char */ - if (*cp == '\0' || *cp == '#') - return (0); - - /* Check for leading '-' (disable error processing) */ - *iflag = 0; - if (*cp == '-') { - *iflag = 1; - cp++; - } - - /* Figure out which command we have */ - for (i = 0; cmds[i].c; i++) { - int cmdlen = 
strlen(cmds[i].c); - - /* Check for command followed by whitespace */ - if (!strncasecmp(cp, cmds[i].c, cmdlen) && - strchr(WHITESPACE, cp[cmdlen])) { - cp += cmdlen; - cp = cp + strspn(cp, WHITESPACE); - break; - } - } - cmdnum = cmds[i].n; - cmd = cmds[i].c; - - /* Special case */ - if (*cp == '!') { - cp++; - cmdnum = I_SHELL; - } else if (cmdnum == -1) { - error("Invalid command."); - return (-1); - } - - /* Get arguments and parse flags */ - *lflag = *pflag = *n_arg = 0; - *path1 = *path2 = NULL; - switch (cmdnum) { - case I_GET: - case I_PUT: - if (parse_getput_flags(&cp, pflag)) - return(-1); - /* Get first pathname (mandatory) */ - if (get_pathname(&cp, path1)) - return(-1); - if (*path1 == NULL) { - error("You must specify at least one path after a " - "%s command.", cmd); - return(-1); - } - /* Try to get second pathname (optional) */ - if (get_pathname(&cp, path2)) - return(-1); - break; - case I_RENAME: - case I_SYMLINK: - if (get_pathname(&cp, path1)) - return(-1); - if (get_pathname(&cp, path2)) - return(-1); - if (!*path1 || !*path2) { - error("You must specify two paths after a %s " - "command.", cmd); - return(-1); - } - break; - case I_RM: - case I_MKDIR: - case I_RMDIR: - case I_CHDIR: - case I_LCHDIR: - case I_LMKDIR: - /* Get pathname (mandatory) */ - if (get_pathname(&cp, path1)) - return(-1); - if (*path1 == NULL) { - error("You must specify a path after a %s command.", - cmd); - return(-1); - } - break; - case I_LS: - if (parse_ls_flags(&cp, lflag)) - return(-1); - /* Path is optional */ - if (get_pathname(&cp, path1)) - return(-1); - break; - case I_LLS: - case I_SHELL: - /* Uses the rest of the line */ - break; - case I_LUMASK: - base = 8; - case I_CHMOD: - base = 8; - case I_CHOWN: - case I_CHGRP: - /* Get numeric arg (mandatory) */ - l = strtol(cp, &cp2, base); - if (cp2 == cp || ((l == LONG_MIN || l == LONG_MAX) && - errno == ERANGE) || l < 0) { - error("You must supply a numeric argument " - "to the %s command.", cmd); - return(-1); - 
} - cp = cp2; - *n_arg = l; - if (cmdnum == I_LUMASK && strchr(WHITESPACE, *cp)) - break; - if (cmdnum == I_LUMASK || !strchr(WHITESPACE, *cp)) { - error("You must supply a numeric argument " - "to the %s command.", cmd); - return(-1); - } - cp += strspn(cp, WHITESPACE); - - /* Get pathname (mandatory) */ - if (get_pathname(&cp, path1)) - return(-1); - if (*path1 == NULL) { - error("You must specify a path after a %s command.", - cmd); - return(-1); - } - break; - case I_QUIT: - case I_PWD: - case I_LPWD: - case I_HELP: - case I_VERSION: - case I_PROGRESS: - break; - default: - fatal("Command not implemented"); - } - - *cpp = cp; - return(cmdnum); -} - -static int -parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, - int err_abort) -{ - char *path1, *path2, *tmp; - int pflag, lflag, iflag, cmdnum, i; - unsigned long n_arg; - Attrib a, *aa; - char path_buf[MAXPATHLEN]; - int err = 0; - glob_t g; - - path1 = path2 = NULL; - cmdnum = parse_args(&cmd, &pflag, &lflag, &iflag, &n_arg, - &path1, &path2); - - if (iflag != 0) - err_abort = 0; - - memset(&g, 0, sizeof(g)); - - /* Perform command */ - switch (cmdnum) { - case 0: - /* Blank line */ - break; - case -1: - /* Unrecognized command */ - err = -1; - break; - case I_GET: - err = process_get(conn, path1, path2, *pwd, pflag); - break; - case I_PUT: - err = process_put(conn, path1, path2, *pwd, pflag); - break; - case I_RENAME: - path1 = make_absolute(path1, *pwd); - path2 = make_absolute(path2, *pwd); - err = do_rename(conn, path1, path2); - break; - case I_SYMLINK: - path2 = make_absolute(path2, *pwd); - err = do_symlink(conn, path1, path2); - break; - case I_RM: - path1 = make_absolute(path1, *pwd); - remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); - for (i = 0; g.gl_pathv[i]; i++) { - printf("Removing %s\n", g.gl_pathv[i]); - err = do_rm(conn, g.gl_pathv[i]); - if (err != 0 && err_abort) - break; - } - break; - case I_MKDIR: - path1 = make_absolute(path1, *pwd); - attrib_clear(&a); - 
a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; - a.perm = 0777; - err = do_mkdir(conn, path1, &a); - break; - case I_RMDIR: - path1 = make_absolute(path1, *pwd); - err = do_rmdir(conn, path1); - break; - case I_CHDIR: - path1 = make_absolute(path1, *pwd); - if ((tmp = do_realpath(conn, path1)) == NULL) { - err = 1; - break; - } - if ((aa = do_stat(conn, tmp, 0)) == NULL) { - xfree(tmp); - err = 1; - break; - } - if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { - error("Can't change directory: Can't check target"); - xfree(tmp); - err = 1; - break; - } - if (!S_ISDIR(aa->perm)) { - error("Can't change directory: \"%s\" is not " - "a directory", tmp); - xfree(tmp); - err = 1; - break; - } - xfree(*pwd); - *pwd = tmp; - break; - case I_LS: - if (!path1) { - do_globbed_ls(conn, *pwd, *pwd, lflag); - break; - } - - /* Strip pwd off beginning of non-absolute paths */ - tmp = NULL; - if (*path1 != '/') - tmp = *pwd; - - path1 = make_absolute(path1, *pwd); - err = do_globbed_ls(conn, path1, tmp, lflag); - break; - case I_LCHDIR: - if (chdir(path1) == -1) { - error("Couldn't change local directory to " - "\"%s\": %s", path1, strerror(errno)); - err = 1; - } - break; - case I_LMKDIR: - if (mkdir(path1, 0777) == -1) { - error("Couldn't create local directory " - "\"%s\": %s", path1, strerror(errno)); - err = 1; - } - break; - case I_LLS: - local_do_ls(cmd); - break; - case I_SHELL: - local_do_shell(cmd); - break; - case I_LUMASK: - umask(n_arg); - printf("Local umask: %03lo\n", n_arg); - break; - case I_CHMOD: - path1 = make_absolute(path1, *pwd); - attrib_clear(&a); - a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; - a.perm = n_arg; - remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); - for (i = 0; g.gl_pathv[i]; i++) { - printf("Changing mode on %s\n", g.gl_pathv[i]); - err = do_setstat(conn, g.gl_pathv[i], &a); - if (err != 0 && err_abort) - break; - } - break; - case I_CHOWN: - case I_CHGRP: - path1 = make_absolute(path1, *pwd); - remote_glob(conn, path1, GLOB_NOCHECK, NULL, 
&g); - for (i = 0; g.gl_pathv[i]; i++) { - if (!(aa = do_stat(conn, g.gl_pathv[i], 0))) { - if (err != 0 && err_abort) - break; - else - continue; - } - if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { - error("Can't get current ownership of " - "remote file \"%s\"", g.gl_pathv[i]); - if (err != 0 && err_abort) - break; - else - continue; - } - aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; - if (cmdnum == I_CHOWN) { - printf("Changing owner on %s\n", g.gl_pathv[i]); - aa->uid = n_arg; - } else { - printf("Changing group on %s\n", g.gl_pathv[i]); - aa->gid = n_arg; - } - err = do_setstat(conn, g.gl_pathv[i], aa); - if (err != 0 && err_abort) - break; - } - break; - case I_PWD: - printf("Remote working directory: %s\n", *pwd); - break; - case I_LPWD: - if (!getcwd(path_buf, sizeof(path_buf))) { - error("Couldn't get local cwd: %s", strerror(errno)); - err = -1; - break; - } - printf("Local working directory: %s\n", path_buf); - break; - case I_QUIT: - /* Processed below */ - break; - case I_HELP: - help(); - break; - case I_VERSION: - printf("SFTP protocol version %u\n", sftp_proto_version(conn)); - break; - case I_PROGRESS: - showprogress = !showprogress; - if (showprogress) - printf("Progress meter enabled\n"); - else - printf("Progress meter disabled\n"); - break; - default: - fatal("%d is not implemented", cmdnum); - } - - if (g.gl_pathc) - globfree(&g); - if (path1) - xfree(path1); - if (path2) - xfree(path2); - - /* If an unignored error occurs in batch mode we should abort. 
*/ - if (err_abort && err != 0) - return (-1); - else if (cmdnum == I_QUIT) - return (1); - - return (0); -} - -int -interactive_loop(int fd_in, int fd_out, char *file1, char *file2) -{ - char *pwd; - char *dir = NULL; - char cmd[2048]; - struct sftp_conn *conn; - int err; - - conn = do_init(fd_in, fd_out, copy_buffer_len, num_requests); - if (conn == NULL) - fatal("Couldn't initialise connection to server"); - - pwd = do_realpath(conn, "."); - if (pwd == NULL) - fatal("Need cwd"); - - if (file1 != NULL) { - dir = xstrdup(file1); - dir = make_absolute(dir, pwd); - - if (remote_is_dir(conn, dir) && file2 == NULL) { - printf("Changing to: %s\n", dir); - snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); - if (parse_dispatch_command(conn, cmd, &pwd, 1) != 0) - return (-1); - } else { - if (file2 == NULL) - snprintf(cmd, sizeof cmd, "get %s", dir); - else - snprintf(cmd, sizeof cmd, "get %s %s", dir, - file2); - - err = parse_dispatch_command(conn, cmd, &pwd, 1); - xfree(dir); - xfree(pwd); - return (err); - } - xfree(dir); - } - -#if HAVE_SETVBUF - setvbuf(stdout, NULL, _IOLBF, 0); - setvbuf(infile, NULL, _IOLBF, 0); -#else - setlinebuf(stdout); - setlinebuf(infile); -#endif - - err = 0; - for (;;) { - char *cp; - - printf("sftp> "); - - /* XXX: use libedit */ - if (fgets(cmd, sizeof(cmd), infile) == NULL) { - printf("\n"); - break; - } - - if (batchmode) /* Echo command */ - printf("%s", cmd); - - cp = strrchr(cmd, '\n'); - if (cp) - *cp = '\0'; - - err = parse_dispatch_command(conn, cmd, &pwd, batchmode); - if (err != 0) - break; - } - xfree(pwd); - - /* err == 1 signifies normal "quit" exit */ - return (err >= 0 ? 0 : -1); -} - diff --git a/sftp.c b/sftp.c index 04b859a8d..7f7f50731 100644 --- a/sftp.c +++ b/sftp.c @@ -16,7 +16,7 @@ #include "includes.h" -RCSID("$OpenBSD: sftp.c,v 1.43 2004/02/17 07:17:29 djm Exp $"); +RCSID("$OpenBSD: sftp.c,v 1.44 2004/02/17 11:03:08 djm Exp $"); #include "buffer.h" #include "xmalloc.h" 
@@ -28,7 +28,26 @@ RCSID("$OpenBSD: sftp.c,v 1.43 2004/02/17 07:17:29 djm Exp $"); #include "sftp-common.h" #include "sftp-client.h" -int interactive_loop(int, int, char *, char *); /* sftp-int.c */ +/* File to read commands from */ +FILE* infile; + +/* Are we in batchfile mode? */ +int batchmode = 0; + +/* Size of buffer used when copying files */ +size_t copy_buffer_len = 32768; + +/* Number of concurrent outstanding requests */ +size_t num_requests = 16; + +/* PID of ssh transport process */ +static pid_t sshpid = -1; + +/* This is set to 0 if the progressmeter is not desired. */ +int showprogress; + +int remote_glob(struct sftp_conn *, const char *, int, + int (*)(const char *, int), glob_t *); /* proto for sftp-glob.c */ #ifdef HAVE___PROGNAME extern char *__progname; 
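Review bot: The `remote_glob()` prototype added here is a hand-written copy (`/* proto for sftp-glob.c */`) rather than an include, so the compiler cannot check it against the definition in sftp-glob.c if that signature ever changes. Declaring it once in a header that both sftp.c and sftp-glob.c include would close that gap. Separately, `int showprogress;` is now a definition in this file, while the next hunk removes `extern int showprogress;`. If another translation unit still defines the variable, the link depends on common-symbol merging, so it is worth confirming that exactly one definition remains.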
@@ -36,13 +55,1155 @@ extern char *__progname; char *__progname; #endif -FILE* infile; -int batchmode = 0; -size_t copy_buffer_len = 32768; -size_t num_requests = 16; -static pid_t sshpid = -1; +/* Separators for interactive commands */ +#define WHITESPACE " \t\r\n" + +/* Define what type of ls view (0 - multi-column) */ +#define LONG_VIEW 1 /* Full view ala ls -l */ +#define SHORT_VIEW 2 /* Single row view ala ls -1 */ + +/* Commands for interactive mode */ +#define I_CHDIR 1 +#define I_CHGRP 2 +#define I_CHMOD 3 +#define I_CHOWN 4 +#define I_GET 5 +#define I_HELP 6 +#define I_LCHDIR 7 +#define I_LLS 8 +#define I_LMKDIR 9 +#define I_LPWD 10 +#define I_LS 11 +#define I_LUMASK 12 +#define I_MKDIR 13 +#define I_PUT 14 +#define I_PWD 15 +#define I_QUIT 16 +#define I_RENAME 17 +#define I_RM 18 +#define I_RMDIR 19 +#define I_SHELL 20 +#define I_SYMLINK 21 +#define I_VERSION 22 +#define I_PROGRESS 23 + +struct CMD { + const char *c; + const int n; +}; + +static const struct CMD cmds[] = { + { "bye", I_QUIT }, + { "cd", I_CHDIR }, + { "chdir", I_CHDIR }, + { "chgrp", I_CHGRP }, + { "chmod", I_CHMOD }, + { "chown", I_CHOWN }, + { "dir", I_LS }, + { "exit", I_QUIT }, + { "get", I_GET }, + { "mget", I_GET }, + { "help", I_HELP }, + { "lcd", I_LCHDIR }, + { "lchdir", I_LCHDIR }, + { "lls", I_LLS }, + { "lmkdir", I_LMKDIR }, + { "ln", I_SYMLINK }, + { "lpwd", I_LPWD }, + { "ls", I_LS }, + { "lumask", I_LUMASK }, + { "mkdir", I_MKDIR }, + { "progress", I_PROGRESS }, + { "put", I_PUT }, + { "mput", I_PUT }, + { "pwd", I_PWD }, + { "quit", I_QUIT }, + { "rename", I_RENAME }, + { "rm", I_RM }, + { "rmdir", I_RMDIR }, + { "symlink", I_SYMLINK }, + { "version", I_VERSION }, + { "!", I_SHELL }, + { "?", I_HELP }, + { NULL, -1} +}; + +int interactive_loop(int fd_in, int fd_out, char *file1, char *file2); + +static void +help(void) +{ + printf("Available commands:\n"); + printf("cd path Change remote directory to 'path'\n"); + printf("lcd path Change local directory to 'path'\n"); + 
printf("chgrp grp path Change group of file 'path' to 'grp'\n"); + printf("chmod mode path Change permissions of file 'path' to 'mode'\n"); + printf("chown own path Change owner of file 'path' to 'own'\n"); + printf("help Display this help text\n"); + printf("get remote-path [local-path] Download file\n"); + printf("lls [ls-options [path]] Display local directory listing\n"); + printf("ln oldpath newpath Symlink remote file\n"); + printf("lmkdir path Create local directory\n"); + printf("lpwd Print local working directory\n"); + printf("ls [path] Display remote directory listing\n"); + printf("lumask umask Set local umask to 'umask'\n"); + printf("mkdir path Create remote directory\n"); + printf("progress Toggle display of progress meter\n"); + printf("put local-path [remote-path] Upload file\n"); + printf("pwd Display remote working directory\n"); + printf("exit Quit sftp\n"); + printf("quit Quit sftp\n"); + printf("rename oldpath newpath Rename remote file\n"); + printf("rmdir path Remove remote directory\n"); + printf("rm path Delete remote file\n"); + printf("symlink oldpath newpath Symlink remote file\n"); + printf("version Show SFTP version\n"); + printf("!command Execute 'command' in local shell\n"); + printf("! Escape to local shell\n"); + printf("? Synonym for help\n"); +} + +static void +local_do_shell(const char *args) +{ + int status; + char *shell; + pid_t pid; + + if (!*args) + args = NULL; + + if ((shell = getenv("SHELL")) == NULL) + shell = _PATH_BSHELL; + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(errno)); + + if (pid == 0) { + /* XXX: child has pipe fds to ssh subproc open - issue? 
*/ + if (args) { + debug3("Executing %s -c \"%s\"", shell, args); + execl(shell, shell, "-c", args, (char *)NULL); + } else { + debug3("Executing %s", shell); + execl(shell, shell, (char *)NULL); + } + fprintf(stderr, "Couldn't execute \"%s\": %s\n", shell, + strerror(errno)); + _exit(1); + } + while (waitpid(pid, &status, 0) == -1) + if (errno != EINTR) + fatal("Couldn't wait for child: %s", strerror(errno)); + if (!WIFEXITED(status)) + error("Shell exited abormally"); + else if (WEXITSTATUS(status)) + error("Shell exited with status %d", WEXITSTATUS(status)); +} + +static void +local_do_ls(const char *args) +{ + if (!args || !*args) + local_do_shell(_PATH_LS); + else { + int len = strlen(_PATH_LS " ") + strlen(args) + 1; + char *buf = xmalloc(len); + + /* XXX: quoting - rip quoting code from ftp? */ + snprintf(buf, len, _PATH_LS " %s", args); + local_do_shell(buf); + xfree(buf); + } +} + +/* Strip one path (usually the pwd) from the start of another */ +static char * +path_strip(char *path, char *strip) +{ + size_t len; -extern int showprogress; + if (strip == NULL) + return (xstrdup(path)); + + len = strlen(strip); + if (strip != NULL && strncmp(path, strip, len) == 0) { + if (strip[len - 1] != '/' && path[len] == '/') + len++; + return (xstrdup(path + len)); + } + + return (xstrdup(path)); +} + +static char * +path_append(char *p1, char *p2) +{ + char *ret; + int len = strlen(p1) + strlen(p2) + 2; + + ret = xmalloc(len); + strlcpy(ret, p1, len); + if (p1[strlen(p1) - 1] != '/') + strlcat(ret, "/", len); + strlcat(ret, p2, len); + + return(ret); +} + +static char * +make_absolute(char *p, char *pwd) +{ + char *abs; + + /* Derelativise */ + if (p && p[0] != '/') { + abs = path_append(pwd, p); + xfree(p); + return(abs); + } else + return(p); +} + +static int +infer_path(const char *p, char **ifp) +{ + char *cp; + + cp = strrchr(p, '/'); + if (cp == NULL) { + *ifp = xstrdup(p); + return(0); + } + + if (!cp[1]) { + error("Invalid path"); + return(-1); + } + + *ifp = 
xstrdup(cp + 1); + return(0); +} + +static int +parse_getput_flags(const char **cpp, int *pflag) +{ + const char *cp = *cpp; + + /* Check for flags */ + if (cp[0] == '-' && cp[1] && strchr(WHITESPACE, cp[2])) { + switch (cp[1]) { + case 'p': + case 'P': + *pflag = 1; + break; + default: + error("Invalid flag -%c", cp[1]); + return(-1); + } + cp += 2; + *cpp = cp + strspn(cp, WHITESPACE); + } + + return(0); +} + +static int +parse_ls_flags(const char **cpp, int *lflag) +{ + const char *cp = *cpp; + + /* Check for flags */ + if (cp++[0] == '-') { + for(; strchr(WHITESPACE, *cp) == NULL; cp++) { + switch (*cp) { + case 'l': + *lflag = LONG_VIEW; + break; + case '1': + *lflag = SHORT_VIEW; + break; + default: + error("Invalid flag -%c", *cp); + return(-1); + } + } + *cpp = cp + strspn(cp, WHITESPACE); + } + + return(0); +} + +static int +get_pathname(const char **cpp, char **path) +{ + const char *cp = *cpp, *end; + char quot; + int i, j; + + cp += strspn(cp, WHITESPACE); + if (!*cp) { + *cpp = cp; + *path = NULL; + return (0); + } + + *path = xmalloc(strlen(cp) + 1); + + /* Check for quoted filenames */ + if (*cp == '\"' || *cp == '\'') { + quot = *cp++; + + /* Search for terminating quote, unescape some chars */ + for (i = j = 0; i <= strlen(cp); i++) { + if (cp[i] == quot) { /* Found quote */ + i++; + (*path)[j] = '\0'; + break; + } + if (cp[i] == '\0') { /* End of string */ + error("Unterminated quote"); + goto fail; + } + if (cp[i] == '\\') { /* Escaped characters */ + i++; + if (cp[i] != '\'' && cp[i] != '\"' && + cp[i] != '\\') { + error("Bad escaped character '\%c'", + cp[i]); + goto fail; + } + } + (*path)[j++] = cp[i]; + } + + if (j == 0) { + error("Empty quotes"); + goto fail; + } + *cpp = cp + i + strspn(cp + i, WHITESPACE); + } else { + /* Read to end of filename */ + end = strpbrk(cp, WHITESPACE); + if (end == NULL) + end = strchr(cp, '\0'); + *cpp = end + strspn(end, WHITESPACE); + + memcpy(*path, cp, end - cp); + (*path)[end - cp] = '\0'; + } + return 
(0); + + fail: + xfree(*path); + *path = NULL; + return (-1); +} + +static int +is_dir(char *path) +{ + struct stat sb; + + /* XXX: report errors? */ + if (stat(path, &sb) == -1) + return(0); + + return(sb.st_mode & S_IFDIR); +} + +static int +is_reg(char *path) +{ + struct stat sb; + + if (stat(path, &sb) == -1) + fatal("stat %s: %s", path, strerror(errno)); + + return(S_ISREG(sb.st_mode)); +} + +static int +remote_is_dir(struct sftp_conn *conn, char *path) +{ + Attrib *a; + + /* XXX: report errors? */ + if ((a = do_stat(conn, path, 1)) == NULL) + return(0); + if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) + return(0); + return(a->perm & S_IFDIR); +} + +static int +process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag) +{ + char *abs_src = NULL; + char *abs_dst = NULL; + char *tmp; + glob_t g; + int err = 0; + int i; + + abs_src = xstrdup(src); + abs_src = make_absolute(abs_src, pwd); + + memset(&g, 0, sizeof(g)); + debug3("Looking up %s", abs_src); + if (remote_glob(conn, abs_src, 0, NULL, &g)) { + error("File \"%s\" not found.", abs_src); + err = -1; + goto out; + } + + /* If multiple matches, dst must be a directory or unspecified */ + if (g.gl_matchc > 1 && dst && !is_dir(dst)) { + error("Multiple files match, but \"%s\" is not a directory", + dst); + err = -1; + goto out; + } + + for (i = 0; g.gl_pathv[i]; i++) { + if (infer_path(g.gl_pathv[i], &tmp)) { + err = -1; + goto out; + } + + if (g.gl_matchc == 1 && dst) { + /* If directory specified, append filename */ + if (is_dir(dst)) { + if (infer_path(g.gl_pathv[0], &tmp)) { + err = 1; + goto out; + } + abs_dst = path_append(dst, tmp); + xfree(tmp); + } else + abs_dst = xstrdup(dst); + } else if (dst) { + abs_dst = path_append(dst, tmp); + xfree(tmp); + } else + abs_dst = tmp; + + printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); + if (do_download(conn, g.gl_pathv[i], abs_dst, pflag) == -1) + err = -1; + xfree(abs_dst); + abs_dst = NULL; + } + +out: + xfree(abs_src); + if 
(abs_dst) + xfree(abs_dst); + globfree(&g); + return(err); +} + +static int +process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag) +{ + char *tmp_dst = NULL; + char *abs_dst = NULL; + char *tmp; + glob_t g; + int err = 0; + int i; + + if (dst) { + tmp_dst = xstrdup(dst); + tmp_dst = make_absolute(tmp_dst, pwd); + } + + memset(&g, 0, sizeof(g)); + debug3("Looking up %s", src); + if (glob(src, 0, NULL, &g)) { + error("File \"%s\" not found.", src); + err = -1; + goto out; + } + + /* If multiple matches, dst may be directory or unspecified */ + if (g.gl_matchc > 1 && tmp_dst && !remote_is_dir(conn, tmp_dst)) { + error("Multiple files match, but \"%s\" is not a directory", + tmp_dst); + err = -1; + goto out; + } + + for (i = 0; g.gl_pathv[i]; i++) { + if (!is_reg(g.gl_pathv[i])) { + error("skipping non-regular file %s", + g.gl_pathv[i]); + continue; + } + if (infer_path(g.gl_pathv[i], &tmp)) { + err = -1; + goto out; + } + + if (g.gl_matchc == 1 && tmp_dst) { + /* If directory specified, append filename */ + if (remote_is_dir(conn, tmp_dst)) { + if (infer_path(g.gl_pathv[0], &tmp)) { + err = 1; + goto out; + } + abs_dst = path_append(tmp_dst, tmp); + xfree(tmp); + } else + abs_dst = xstrdup(tmp_dst); + + } else if (tmp_dst) { + abs_dst = path_append(tmp_dst, tmp); + xfree(tmp); + } else + abs_dst = make_absolute(tmp, pwd); + + printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); + if (do_upload(conn, g.gl_pathv[i], abs_dst, pflag) == -1) + err = -1; + } + +out: + if (abs_dst) + xfree(abs_dst); + if (tmp_dst) + xfree(tmp_dst); + globfree(&g); + return(err); +} + +static int +sdirent_comp(const void *aa, const void *bb) +{ + SFTP_DIRENT *a = *(SFTP_DIRENT **)aa; + SFTP_DIRENT *b = *(SFTP_DIRENT **)bb; + + return (strcmp(a->filename, b->filename)); +} + +/* sftp ls.1 replacement for directories */ +static int +do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag) +{ + int n, c = 1, colspace = 0, columns = 1; + SFTP_DIRENT 
**d; + + if ((n = do_readdir(conn, path, &d)) != 0) + return (n); + + if (!(lflag & SHORT_VIEW)) { + int m = 0, width = 80; + struct winsize ws; + char *tmp; + + /* Count entries for sort and find longest filename */ + for (n = 0; d[n] != NULL; n++) + m = MAX(m, strlen(d[n]->filename)); + + /* Add any subpath that also needs to be counted */ + tmp = path_strip(path, strip_path); + m += strlen(tmp); + xfree(tmp); + + if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) + width = ws.ws_col; + + columns = width / (m + 2); + columns = MAX(columns, 1); + colspace = width / columns; + colspace = MIN(colspace, width); + } + + qsort(d, n, sizeof(*d), sdirent_comp); + + for (n = 0; d[n] != NULL; n++) { + char *tmp, *fname; + + tmp = path_append(path, d[n]->filename); + fname = path_strip(tmp, strip_path); + xfree(tmp); + + if (lflag & LONG_VIEW) { + char *lname; + struct stat sb; + + memset(&sb, 0, sizeof(sb)); + attrib_to_stat(&d[n]->a, &sb); + lname = ls_file(fname, &sb, 1); + printf("%s\n", lname); + xfree(lname); + } else { + printf("%-*s", colspace, fname); + if (c >= columns) { + printf("\n"); + c = 1; + } else + c++; + } + + xfree(fname); + } + + if (!(lflag & LONG_VIEW) && (c != 1)) + printf("\n"); + + free_sftp_dirents(d); + return (0); +} + +/* sftp ls.1 replacement which handles path globs */ +static int +do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path, + int lflag) +{ + glob_t g; + int i, c = 1, colspace = 0, columns = 1; + Attrib *a; + + memset(&g, 0, sizeof(g)); + + if (remote_glob(conn, path, GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE, + NULL, &g)) { + error("Can't ls: \"%s\" not found", path); + return (-1); + } + + /* + * If the glob returns a single match, which is the same as the + * input glob, and it is a directory, then just list its contents + */ + if (g.gl_pathc == 1 && + strncmp(path, g.gl_pathv[0], strlen(g.gl_pathv[0]) - 1) == 0) { + if ((a = do_lstat(conn, path, 1)) == NULL) { + globfree(&g); + return (-1); + } + if ((a->flags & 
SSH2_FILEXFER_ATTR_PERMISSIONS) && + S_ISDIR(a->perm)) { + globfree(&g); + return (do_ls_dir(conn, path, strip_path, lflag)); + } + } + + if (!(lflag & SHORT_VIEW)) { + int m = 0, width = 80; + struct winsize ws; + + /* Count entries for sort and find longest filename */ + for (i = 0; g.gl_pathv[i]; i++) + m = MAX(m, strlen(g.gl_pathv[i])); + + if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) + width = ws.ws_col; + + columns = width / (m + 2); + columns = MAX(columns, 1); + colspace = width / columns; + } + + for (i = 0; g.gl_pathv[i]; i++) { + char *fname; + + fname = path_strip(g.gl_pathv[i], strip_path); + + if (lflag & LONG_VIEW) { + char *lname; + struct stat sb; + + /* + * XXX: this is slow - 1 roundtrip per path + * A solution to this is to fork glob() and + * build a sftp specific version which keeps the + * attribs (which currently get thrown away) + * that the server returns as well as the filenames. + */ + memset(&sb, 0, sizeof(sb)); + a = do_lstat(conn, g.gl_pathv[i], 1); + if (a != NULL) + attrib_to_stat(a, &sb); + lname = ls_file(fname, &sb, 1); + printf("%s\n", lname); + xfree(lname); + } else { + printf("%-*s", colspace, fname); + if (c >= columns) { + printf("\n"); + c = 1; + } else + c++; + } + xfree(fname); + } + + if (!(lflag & LONG_VIEW) && (c != 1)) + printf("\n"); + + if (g.gl_pathc) + globfree(&g); + + return (0); +} + +static int +parse_args(const char **cpp, int *pflag, int *lflag, int *iflag, + unsigned long *n_arg, char **path1, char **path2) +{ + const char *cmd, *cp = *cpp; + char *cp2; + int base = 0; + long l; + int i, cmdnum; + + /* Skip leading whitespace */ + cp = cp + strspn(cp, WHITESPACE); + + /* Ignore blank lines and lines which begin with comment '#' char */ + if (*cp == '\0' || *cp == '#') + return (0); + + /* Check for leading '-' (disable error processing) */ + *iflag = 0; + if (*cp == '-') { + *iflag = 1; + cp++; + } + + /* Figure out which command we have */ + for (i = 0; cmds[i].c; i++) { + int cmdlen = 
strlen(cmds[i].c); + + /* Check for command followed by whitespace */ + if (!strncasecmp(cp, cmds[i].c, cmdlen) && + strchr(WHITESPACE, cp[cmdlen])) { + cp += cmdlen; + cp = cp + strspn(cp, WHITESPACE); + break; + } + } + cmdnum = cmds[i].n; + cmd = cmds[i].c; + + /* Special case */ + if (*cp == '!') { + cp++; + cmdnum = I_SHELL; + } else if (cmdnum == -1) { + error("Invalid command."); + return (-1); + } + + /* Get arguments and parse flags */ + *lflag = *pflag = *n_arg = 0; + *path1 = *path2 = NULL; + switch (cmdnum) { + case I_GET: + case I_PUT: + if (parse_getput_flags(&cp, pflag)) + return(-1); + /* Get first pathname (mandatory) */ + if (get_pathname(&cp, path1)) + return(-1); + if (*path1 == NULL) { + error("You must specify at least one path after a " + "%s command.", cmd); + return(-1); + } + /* Try to get second pathname (optional) */ + if (get_pathname(&cp, path2)) + return(-1); + break; + case I_RENAME: + case I_SYMLINK: + if (get_pathname(&cp, path1)) + return(-1); + if (get_pathname(&cp, path2)) + return(-1); + if (!*path1 || !*path2) { + error("You must specify two paths after a %s " + "command.", cmd); + return(-1); + } + break; + case I_RM: + case I_MKDIR: + case I_RMDIR: + case I_CHDIR: + case I_LCHDIR: + case I_LMKDIR: + /* Get pathname (mandatory) */ + if (get_pathname(&cp, path1)) + return(-1); + if (*path1 == NULL) { + error("You must specify a path after a %s command.", + cmd); + return(-1); + } + break; + case I_LS: + if (parse_ls_flags(&cp, lflag)) + return(-1); + /* Path is optional */ + if (get_pathname(&cp, path1)) + return(-1); + break; + case I_LLS: + case I_SHELL: + /* Uses the rest of the line */ + break; + case I_LUMASK: + base = 8; + case I_CHMOD: + base = 8; + case I_CHOWN: + case I_CHGRP: + /* Get numeric arg (mandatory) */ + l = strtol(cp, &cp2, base); + if (cp2 == cp || ((l == LONG_MIN || l == LONG_MAX) && + errno == ERANGE) || l < 0) { + error("You must supply a numeric argument " + "to the %s command.", cmd); + return(-1); + 
} + cp = cp2; + *n_arg = l; + if (cmdnum == I_LUMASK && strchr(WHITESPACE, *cp)) + break; + if (cmdnum == I_LUMASK || !strchr(WHITESPACE, *cp)) { + error("You must supply a numeric argument " + "to the %s command.", cmd); + return(-1); + } + cp += strspn(cp, WHITESPACE); + + /* Get pathname (mandatory) */ + if (get_pathname(&cp, path1)) + return(-1); + if (*path1 == NULL) { + error("You must specify a path after a %s command.", + cmd); + return(-1); + } + break; + case I_QUIT: + case I_PWD: + case I_LPWD: + case I_HELP: + case I_VERSION: + case I_PROGRESS: + break; + default: + fatal("Command not implemented"); + } + + *cpp = cp; + return(cmdnum); +} + +static int +parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd, + int err_abort) +{ + char *path1, *path2, *tmp; + int pflag, lflag, iflag, cmdnum, i; + unsigned long n_arg; + Attrib a, *aa; + char path_buf[MAXPATHLEN]; + int err = 0; + glob_t g; + + path1 = path2 = NULL; + cmdnum = parse_args(&cmd, &pflag, &lflag, &iflag, &n_arg, + &path1, &path2); + + if (iflag != 0) + err_abort = 0; + + memset(&g, 0, sizeof(g)); + + /* Perform command */ + switch (cmdnum) { + case 0: + /* Blank line */ + break; + case -1: + /* Unrecognized command */ + err = -1; + break; + case I_GET: + err = process_get(conn, path1, path2, *pwd, pflag); + break; + case I_PUT: + err = process_put(conn, path1, path2, *pwd, pflag); + break; + case I_RENAME: + path1 = make_absolute(path1, *pwd); + path2 = make_absolute(path2, *pwd); + err = do_rename(conn, path1, path2); + break; + case I_SYMLINK: + path2 = make_absolute(path2, *pwd); + err = do_symlink(conn, path1, path2); + break; + case I_RM: + path1 = make_absolute(path1, *pwd); + remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); + for (i = 0; g.gl_pathv[i]; i++) { + printf("Removing %s\n", g.gl_pathv[i]); + err = do_rm(conn, g.gl_pathv[i]); + if (err != 0 && err_abort) + break; + } + break; + case I_MKDIR: + path1 = make_absolute(path1, *pwd); + attrib_clear(&a); + 
a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; + a.perm = 0777; + err = do_mkdir(conn, path1, &a); + break; + case I_RMDIR: + path1 = make_absolute(path1, *pwd); + err = do_rmdir(conn, path1); + break; + case I_CHDIR: + path1 = make_absolute(path1, *pwd); + if ((tmp = do_realpath(conn, path1)) == NULL) { + err = 1; + break; + } + if ((aa = do_stat(conn, tmp, 0)) == NULL) { + xfree(tmp); + err = 1; + break; + } + if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { + error("Can't change directory: Can't check target"); + xfree(tmp); + err = 1; + break; + } + if (!S_ISDIR(aa->perm)) { + error("Can't change directory: \"%s\" is not " + "a directory", tmp); + xfree(tmp); + err = 1; + break; + } + xfree(*pwd); + *pwd = tmp; + break; + case I_LS: + if (!path1) { + do_globbed_ls(conn, *pwd, *pwd, lflag); + break; + } + + /* Strip pwd off beginning of non-absolute paths */ + tmp = NULL; + if (*path1 != '/') + tmp = *pwd; + + path1 = make_absolute(path1, *pwd); + err = do_globbed_ls(conn, path1, tmp, lflag); + break; + case I_LCHDIR: + if (chdir(path1) == -1) { + error("Couldn't change local directory to " + "\"%s\": %s", path1, strerror(errno)); + err = 1; + } + break; + case I_LMKDIR: + if (mkdir(path1, 0777) == -1) { + error("Couldn't create local directory " + "\"%s\": %s", path1, strerror(errno)); + err = 1; + } + break; + case I_LLS: + local_do_ls(cmd); + break; + case I_SHELL: + local_do_shell(cmd); + break; + case I_LUMASK: + umask(n_arg); + printf("Local umask: %03lo\n", n_arg); + break; + case I_CHMOD: + path1 = make_absolute(path1, *pwd); + attrib_clear(&a); + a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; + a.perm = n_arg; + remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g); + for (i = 0; g.gl_pathv[i]; i++) { + printf("Changing mode on %s\n", g.gl_pathv[i]); + err = do_setstat(conn, g.gl_pathv[i], &a); + if (err != 0 && err_abort) + break; + } + break; + case I_CHOWN: + case I_CHGRP: + path1 = make_absolute(path1, *pwd); + remote_glob(conn, path1, GLOB_NOCHECK, NULL, 
&g); + for (i = 0; g.gl_pathv[i]; i++) { + if (!(aa = do_stat(conn, g.gl_pathv[i], 0))) { + if (err != 0 && err_abort) + break; + else + continue; + } + if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { + error("Can't get current ownership of " + "remote file \"%s\"", g.gl_pathv[i]); + if (err != 0 && err_abort) + break; + else + continue; + } + aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; + if (cmdnum == I_CHOWN) { + printf("Changing owner on %s\n", g.gl_pathv[i]); + aa->uid = n_arg; + } else { + printf("Changing group on %s\n", g.gl_pathv[i]); + aa->gid = n_arg; + } + err = do_setstat(conn, g.gl_pathv[i], aa); + if (err != 0 && err_abort) + break; + } + break; + case I_PWD: + printf("Remote working directory: %s\n", *pwd); + break; + case I_LPWD: + if (!getcwd(path_buf, sizeof(path_buf))) { + error("Couldn't get local cwd: %s", strerror(errno)); + err = -1; + break; + } + printf("Local working directory: %s\n", path_buf); + break; + case I_QUIT: + /* Processed below */ + break; + case I_HELP: + help(); + break; + case I_VERSION: + printf("SFTP protocol version %u\n", sftp_proto_version(conn)); + break; + case I_PROGRESS: + showprogress = !showprogress; + if (showprogress) + printf("Progress meter enabled\n"); + else + printf("Progress meter disabled\n"); + break; + default: + fatal("%d is not implemented", cmdnum); + } + + if (g.gl_pathc) + globfree(&g); + if (path1) + xfree(path1); + if (path2) + xfree(path2); + + /* If an unignored error occurs in batch mode we should abort. 
*/ + if (err_abort && err != 0) + return (-1); + else if (cmdnum == I_QUIT) + return (1); + + return (0); +} + +int +interactive_loop(int fd_in, int fd_out, char *file1, char *file2) +{ + char *pwd; + char *dir = NULL; + char cmd[2048]; + struct sftp_conn *conn; + int err; + + conn = do_init(fd_in, fd_out, copy_buffer_len, num_requests); + if (conn == NULL) + fatal("Couldn't initialise connection to server"); + + pwd = do_realpath(conn, "."); + if (pwd == NULL) + fatal("Need cwd"); + + if (file1 != NULL) { + dir = xstrdup(file1); + dir = make_absolute(dir, pwd); + + if (remote_is_dir(conn, dir) && file2 == NULL) { + printf("Changing to: %s\n", dir); + snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); + if (parse_dispatch_command(conn, cmd, &pwd, 1) != 0) + return (-1); + } else { + if (file2 == NULL) + snprintf(cmd, sizeof cmd, "get %s", dir); + else + snprintf(cmd, sizeof cmd, "get %s %s", dir, + file2); + + err = parse_dispatch_command(conn, cmd, &pwd, 1); + xfree(dir); + xfree(pwd); + return (err); + } + xfree(dir); + } + +#if HAVE_SETVBUF + setvbuf(stdout, NULL, _IOLBF, 0); + setvbuf(infile, NULL, _IOLBF, 0); +#else + setlinebuf(stdout); + setlinebuf(infile); +#endif + + err = 0; + for (;;) { + char *cp; + + printf("sftp> "); + + /* XXX: use libedit */ + if (fgets(cmd, sizeof(cmd), infile) == NULL) { + printf("\n"); + break; + } + + if (batchmode) /* Echo command */ + printf("%s", cmd); + + cp = strrchr(cmd, '\n'); + if (cp) + *cp = '\0'; + + err = parse_dispatch_command(conn, cmd, &pwd, batchmode); + if (err != 0) + break; + } + xfree(pwd); + + /* err == 1 signifies normal "quit" exit */ + return (err >= 0 ? 0 : -1); +} static void killchild(int signo) @@ -253,8 +1414,8 @@ main(int argc, char **argv) err = interactive_loop(in, out, file1, file2); #if !defined(USE_PIPES) - shutdown(in, SHUT_RDWR); - shutdown(out, SHUT_RDWR); + shutdown(in, SHUT_RDWR); + shutdown(out, SHUT_RDWR); #endif close(in); -- cgit v1.2.3 
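Review bot: `path_strip()` and `path_append()` in this hunk index `strip[len - 1]` and `p1[strlen(p1) - 1]` without checking for an empty string, so a zero-length prefix reads one byte before the start of the buffer. Both helpers are reached with `pwd`, which `interactive_loop()` and the `I_CHDIR` case take from `do_realpath()` on the server connection. Whether that call can return an empty string is not visible here, so the guard belongs in the helpers themselves. In `path_strip()` the inner test could become `if (len > 0 && strip[len - 1] != '/' && path[len] == '/')`; the `strip != NULL` check after `strlen(strip)` is dead, because NULL has already returned above. In `path_append()` test the length first, e.g. `if (*p1 != '\0' && p1[strlen(p1) - 1] != '/')`, after deciding whether an empty prefix should yield `p2` or `/p2`. The code appears to be moved as-is from sftp-int.c.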
From 05a75b6e5b67390fd858eecc6046a39ae9933556 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 18 Feb 2004 14:31:23 +1100 Subject: - jmc@cvs.openbsd.org 2004/02/17 19:35:21 [sshd_config.5] remove cruft left over from RhostsAuthentication removal; ok markus@ --- ChangeLog | 6 +++++- sshd_config.5 | 9 +-------- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index a5d3ee4df..f5a5e5670 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ - djm@cvs.openbsd.org 2004/02/17 11:03:08 [sftp.c] sftp.c and sftp-int.c, together at last; ok markus@ + - jmc@cvs.openbsd.org 2004/02/17 19:35:21 + [sshd_config.5] + remove cruft left over from RhostsAuthentication removal; + ok markus@ 20040217 - (djm) Simplify the license on code I have written. No code changes. @@ -1877,4 +1881,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3236 2004/02/18 03:30:55 djm Exp $ +$Id: ChangeLog,v 1.3237 2004/02/18 03:31:23 djm Exp $ diff --git a/sshd_config.5 b/sshd_config.5 index ad3cf76df..41228248c 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -34,7 +34,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.27 2003/12/09 21:53:37 markus Exp $ +.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os 
@@ -512,13 +512,6 @@ Specifies whether public key authentication is allowed. The default is .Dq yes . Note that this option applies to protocol version 2 only. -.Cm RhostsRSAAuthentication -should be used -instead, because it performs RSA-based host authentication in addition -to normal rhosts or /etc/hosts.equiv authentication. -The default is -.Dq no . -This option applies to protocol version 1 only. .It Cm RhostsRSAAuthentication Specifies whether rhosts or /etc/hosts.equiv authentication together with successful RSA host authentication is allowed. -- cgit v1.2.3 From 82c78b3b9dc5000af2294ce2010cf137dc8fa9ec Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 18 Feb 2004 15:42:31 +1100 Subject: - (djm) [log.c] Correct use of HAVE_OPENLOG_R --- ChangeLog | 3 ++- log.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index f5a5e5670..e46b10ff6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,7 @@ [sshd_config.5] remove cruft left over from RhostsAuthentication removal; ok markus@ + - (djm) [log.c] Correct use of HAVE_OPENLOG_R 20040217 - (djm) Simplify the license on code I have written. No code changes. @@ -1881,4 +1882,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3237 2004/02/18 03:31:23 djm Exp $ +$Id: ChangeLog,v 1.3238 2004/02/18 04:42:31 djm Exp $ diff --git a/log.c b/log.c index 686a2a43c..e4ea99589 100644 --- a/log.c +++ b/log.c @@ -265,7 +265,7 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) void do_log(LogLevel level, const char *fmt, va_list args) { -#ifdef OPENLOG_R +#ifdef HAVE_OPENLOG_R struct syslog_data sdata = SYSLOG_DATA_INIT; #endif char msgbuf[MSGBUFSIZ]; 
@@ -321,7 +321,7 @@ do_log(LogLevel level, const char *fmt, va_list args) snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); write(STDERR_FILENO, msgbuf, strlen(msgbuf)); } else { -#ifdef OPENLOG_R +#ifdef HAVE_OPENLOG_R openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); syslog_r(pri, &sdata, "%.500s", fmtbuf); closelog_r(&sdata); -- cgit v1.2.3 From 051b0acbbce7218dcfa1521ad22f860aa20b3008 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Wed, 18 Feb 2004 22:59:43 +1100 Subject: - (djm) [log.c] Tighten openlog_r tests --- ChangeLog | 3 ++- log.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index e46b10ff6..a61bddbf9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,7 @@ remove cruft left over from RhostsAuthentication removal; ok markus@ - (djm) [log.c] Correct use of HAVE_OPENLOG_R + - (djm) [log.c] Tighten openlog_r tests 20040217 - (djm) Simplify the license on code I have written. No code changes. @@ -1882,4 +1883,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3238 2004/02/18 04:42:31 djm Exp $ +$Id: ChangeLog,v 1.3239 2004/02/18 11:59:43 djm Exp $ diff --git a/log.c b/log.c index e4ea99589..0c4d5123a 100644 --- a/log.c +++ b/log.c @@ -265,7 +265,7 @@ log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr) void do_log(LogLevel level, const char *fmt, va_list args) { -#ifdef HAVE_OPENLOG_R +#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) struct syslog_data sdata = SYSLOG_DATA_INIT; #endif char msgbuf[MSGBUFSIZ]; 
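Review bot: The compound test `defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)` is now written out twice in `do_log()`, around the `sdata` declaration (this hunk) and around the `openlog_r()`/`syslog_r()` calls (hunk `@@ -321,7 +321,7 @@`). The two copies have to stay identical, otherwise the build breaks or the function takes the other logging path; the previous commit already had to correct the macro name in both places. Deriving one file-local macro and testing it in both spots keeps them in step, e.g. `#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)` / `# define DO_LOG_USE_SYSLOG_R 1` / `#endif` (the macro name is only a suggestion). `do_log()` starts and ends outside both hunks.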
@@ -321,7 +321,7 @@ do_log(LogLevel level, const char *fmt, va_list args) snprintf(msgbuf, sizeof msgbuf, "%s\r\n", fmtbuf); write(STDERR_FILENO, msgbuf, strlen(msgbuf)); } else { -#ifdef HAVE_OPENLOG_R +#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) openlog_r(argv0 ? argv0 : __progname, LOG_PID, log_facility, &sdata); syslog_r(pri, &sdata, "%.500s", fmtbuf); closelog_r(&sdata); -- cgit v1.2.3 From 2e45cb0fb4a1250792e27ce14c556661719e5861 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 20 Feb 2004 20:37:44 +1100 Subject: - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@ --- ChangeLog | 5 ++++- openbsd-compat/setproctitle.c | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index a61bddbf9..df4169bb5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ +20040220 + - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@ + 20040218 - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a path with a "-" in it. From Sergio.Gelato at astro.su.se. @@ -1883,4 +1886,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3239 2004/02/18 11:59:43 djm Exp $ +$Id: ChangeLog,v 1.3240 2004/02/20 09:37:44 djm Exp $ diff --git a/openbsd-compat/setproctitle.c b/openbsd-compat/setproctitle.c index b41100fc6..6e2b19bb4 100644 --- a/openbsd-compat/setproctitle.c +++ b/openbsd-compat/setproctitle.c @@ -41,8 +41,8 @@ #endif #define SPT_NONE 0 /* don't use it at all */ -#define SPT_PSTAT 1 /* cover argv with title information */ -#define SPT_REUSEARGV 2 /* use pstat(PSTAT_SETCMD, ...) */ +#define SPT_PSTAT 1 /* use pstat(PSTAT_SETCMD, ...) */ +#define SPT_REUSEARGV 2 /* cover argv with title information */ #ifndef SPT_TYPE # define SPT_TYPE SPT_NONE -- cgit v1.2.3 From 15ee748f2835f301499f8c31b6b4e56f5deca7de Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Sun, 22 Feb 2004 09:43:15 +1100 Subject: - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test to auth-shadow.c, no functional change. ok djm@ --- ChangeLog | 6 +++++- auth-shadow.c | 28 +++++++++++++++++++++++++++- auth.c | 33 ++++++++------------------------- auth.h | 3 ++- 4 files changed, 42 insertions(+), 28 deletions(-) diff --git a/ChangeLog b/ChangeLog index df4169bb5..38be7eb59 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040222 + - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test + to auth-shadow.c, no functional change. ok djm@ + 20040220 - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@ @@ -1886,4 +1890,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3240 2004/02/20 09:37:44 djm Exp $ +$Id: ChangeLog,v 1.3241 2004/02/21 22:43:15 dtucker Exp $ diff --git a/auth-shadow.c b/auth-shadow.c index 76c0d9f52..7d699bc40 100644 --- a/auth-shadow.c +++ b/auth-shadow.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$Id: auth-shadow.c,v 1.3 2004/02/11 07:48:52 dtucker Exp $"); +RCSID("$Id: auth-shadow.c,v 1.4 2004/02/21 22:43:15 dtucker Exp $"); #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) #include 
@@ -36,6 +36,32 @@ RCSID("$Id: auth-shadow.c,v 1.3 2004/02/11 07:48:52 dtucker Exp $"); extern Buffer loginmsg; +/* + * For the account and password expiration functions, we assume the expiry + * occurs the day after the day specified. + */ + +/* + * Check if specified account is expired. Returns 1 if account is expired, + * 0 otherwise. + */ +int +auth_shadow_acctexpired(struct spwd *spw) +{ + time_t today; + + today = time(NULL) / DAY; + debug3("%s: today %d sp_expire %d", __func__, (int)today, + (int)spw->sp_expire); + + if (spw->sp_expire != -1 && today > spw->sp_expire) { + logit("Account %.100s has expired", spw->sp_namp); + return 1; + } + + return 0; +} + /* * Checks password expiry for platforms that use shadow passwd files. * Returns: 1 = password expired, 0 = password not expired diff --git a/auth.c b/auth.c index c6e7c21c4..6d999221c 100644 --- a/auth.c +++ b/auth.c @@ -28,9 +28,9 @@ RCSID("$OpenBSD: auth.c,v 1.51 2003/11/21 11:57:02 djm Exp $"); #ifdef HAVE_LOGIN_H #include #endif -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#ifdef USE_SHADOW #include -#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +#endif #ifdef HAVE_LIBGEN_H #include @@ -76,7 +76,7 @@ allowed_user(struct passwd * pw) const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; char *shell; int i; -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#ifdef USE_SHADOW struct spwd *spw = NULL; #endif 
@@ -84,34 +84,17 @@ allowed_user(struct passwd * pw) if (!pw || !pw->pw_name) return 0; -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#ifdef USE_SHADOW if (!options.use_pam) spw = getspnam(pw->pw_name); #ifdef HAS_SHADOW_EXPIRE -#define DAY (24L * 60 * 60) /* 1 day in seconds */ - if (!options.use_pam && spw != NULL) { - int disabled = 0; - time_t today; - - today = time(NULL) / DAY; - debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" - " sp_max %d", (int)today, (int)spw->sp_expire, - (int)spw->sp_lstchg, (int)spw->sp_max); - - /* - * We assume account and password expiration occurs the - * day after the day specified. - */ - if (spw->sp_expire != -1 && today > spw->sp_expire) { - logit("Account %.100s has expired", pw->pw_name); - return 0; - } - } + if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw)) + return 0; #endif /* HAS_SHADOW_EXPIRE */ -#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ +#endif /* USE_SHADOW */ /* grab passwd field for locked account check */ -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +#ifdef USE_SHADOW if (spw != NULL) passwd = spw->sp_pwdp; #else diff --git a/auth.h b/auth.h index b6a6a49a5..a8f61f403 100644 --- a/auth.h +++ b/auth.h @@ -122,7 +122,8 @@ int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ -#ifdef USE_SHADOW +#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) +int auth_shadow_acctexpired(struct spwd *); int auth_shadow_pwexpired(Authctxt *); #endif -- cgit v1.2.3 From aa0aecad99c4714336117d22a7c68982684cef4b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 22 Feb 2004 10:22:05 +1100 Subject: - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or password expiry. ok djm@ --- auth-shadow.c | 58 ++++++++++++++++++++++++++++++++++++++++++++-------------- auth.h | 1 + 2 files changed, 45 insertions(+), 14 deletions(-) 
diff --git a/auth-shadow.c b/auth-shadow.c index 7d699bc40..a85442d72 100644 --- a/auth-shadow.c +++ b/auth-shadow.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$Id: auth-shadow.c,v 1.4 2004/02/21 22:43:15 dtucker Exp $"); +RCSID("$Id: auth-shadow.c,v 1.5 2004/02/21 23:22:05 dtucker Exp $"); #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) #include @@ -49,14 +49,25 @@ int auth_shadow_acctexpired(struct spwd *spw) { time_t today; + int daysleft; + char buf[256]; today = time(NULL) / DAY; - debug3("%s: today %d sp_expire %d", __func__, (int)today, - (int)spw->sp_expire); + daysleft = spw->sp_expire - today; + debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today, + (int)spw->sp_expire, daysleft); - if (spw->sp_expire != -1 && today > spw->sp_expire) { + if (spw->sp_expire == -1) { + debug3("account expiration disabled"); + } else if (daysleft < 0) { logit("Account %.100s has expired", spw->sp_namp); return 1; + } else if (daysleft <= spw->sp_warn) { + debug3("account will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your account will expire in %d day%s.\n", daysleft, + daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); } return 0; @@ -71,9 +82,11 @@ auth_shadow_pwexpired(Authctxt *ctxt) { struct spwd *spw = NULL; const char *user = ctxt->pw->pw_name; + char buf[256]; time_t today; + int daysleft, disabled = 0; - if ((spw = getspnam(user)) == NULL) { + if ((spw = getspnam((char *)user)) == NULL) { error("Could not get shadow information for %.100s", user); return 0; } 
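Review bot: `daysleft` is declared `int` in `auth_shadow_acctexpired()` (hunk `@@ -49,14 +49,25 @@`) and in `auth_shadow_pwexpired()` (hunks `@@ -71,9 +82,11 @@` and `@@ -83,21 +96,38 @@`), but it is assigned from `spw->sp_expire - today` and `spw->sp_lstchg + spw->sp_max - today`, whose operands are typically `long` and `time_t`. The code this replaces compared those values at full width. Where `long` is wider than `int`, a large expiry or maximum-age value can narrow to a negative `daysleft` and be reported as expired, locking the account out or forcing a password change. Declaring `long daysleft;` and printing it with `%ld` in the `debug3()` and `snprintf()` calls keeps the arithmetic at the width of the shadow fields. The sum `sp_lstchg + sp_max` is also formed before `sp_max == -1` is tested, so moving the computation below the "disabled" branches would avoid arithmetic on sentinel values.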
@@ -83,21 +96,38 @@ auth_shadow_pwexpired(Authctxt *ctxt) (int)spw->sp_lstchg, (int)spw->sp_max); #if defined(__hpux) && !defined(HAVE_SECUREWARE) - if (iscomsec() && spw->sp_min == 0 && spw->sp_max == 0 && - spw->sp_warn == 0) - return 0; /* HP-UX Trusted Mode: expiry disabled */ + if (iscomsec()) { + struct pr_passwd *pr; + + pr = getprpwnam((char *)user); + + /* Test for Trusted Mode expiry disabled */ + if (pr != NULL && pr->ufld.fd_min == 0 && + pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 && + pr->ufld.fd_pw_expire_warning == 0 && + pr->ufld.fd_schange != 0) + disabled = 1; + } #endif - /* TODO: Add code to put expiry warnings into loginmsg */ - - if (spw->sp_lstchg == 0) { + /* TODO: check sp_inact */ + daysleft = spw->sp_lstchg + spw->sp_max - today; + if (disabled) { + debug3("password expiration disabled"); + } else if (spw->sp_lstchg == 0) { logit("User %.100s password has expired (root forced)", user); return 1; - } - - if (spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max) { + } else if (spw->sp_max == -1) { + debug3("password expiration disabled"); + } else if (daysleft < 0) { logit("User %.100s password has expired (password aged)", user); return 1; + } else if (daysleft <= spw->sp_warn) { + debug3("password will expire in %d days", daysleft); + snprintf(buf, sizeof(buf), + "Your password will expire in %d day%s.\n", daysleft, + daysleft == 1 ? "" : "s"); + buffer_append(&loginmsg, buf, strlen(buf)); } return 0; diff --git a/auth.h b/auth.h index a8f61f403..de2222aaa 100644 --- a/auth.h +++ b/auth.h @@ -123,6 +123,7 @@ void krb5_cleanup_proc(Authctxt *authctxt); #endif /* KRB5 */ #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) +#include int auth_shadow_acctexpired(struct spwd *); int auth_shadow_pwexpired(Authctxt *); #endif -- cgit v1.2.3 From b4dc6c23a58a5e12c292c5cb3613bd5d924ff5ea Mon Sep 17 00:00:00 2001 
From: Darren Tucker Date: Sun, 22 Feb 2004 10:23:35 +1100 Subject: - (dtucker) [auth-passwd.c] Only check password expiry once. Prevents multiple warnings if a wrong password is entered. --- auth-passwd.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/auth-passwd.c b/auth-passwd.c index 28f29cc65..b9679abd0 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -64,6 +64,7 @@ auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; int ok = authctxt->valid; + static int expire_checked = 0; #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) @@ -98,9 +99,12 @@ auth_password(Authctxt *authctxt, const char *password) } #endif #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) - if (auth_shadow_pwexpired(authctxt)) { - disable_forwarding(); - authctxt->force_pwchange = 1; + if (!expire_checked) { + expire_checked = 1; + if (auth_shadow_pwexpired(authctxt)) { + disable_forwarding(); + authctxt->force_pwchange = 1; + } } #endif -- cgit v1.2.3 From 31e0e8b997d4f2ccff3cd0e80867306dc9c21302 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 22 Feb 2004 11:37:48 +1100 Subject: - (dtucker) [configure.ac] Apply krb5-config --libs fix to non-gssapi path too. --- configure.ac | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 601cd7537..15bb53322 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.199 2004/02/18 00:21:12 dtucker Exp $ +# $Id: configure.ac,v 1.200 2004/02/22 00:37:48 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
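Review bot: `expire_checked` in `auth_password()` is a function-level `static`, so the once-only guard is tied to the process rather than to the `Authctxt` being authenticated, and it is set before `auth_shadow_pwexpired()` has run. If `auth_password()` can be reached with a different `authctxt` in the same process (not visible in these hunks), the expiry test and its `disable_forwarding()` / `force_pwchange` consequences would be skipped for that context. Keeping the flag in the context makes its lifetime explicit, e.g. `if (!authctxt->expire_checked) {` followed by `authctxt->expire_checked = 1;` (a new field; the name is only a suggestion). Either way, a short comment should say that the guard exists only to suppress duplicate warnings. `auth_password()` starts and ends outside both hunks.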
@@ -2091,8 +2091,8 @@ AC_ARG_WITH(kerberos5, else AC_MSG_RESULT(no) K5CFLAGS="`$KRB5CONF --cflags`" - K5LDFLAGS="`$KRB5CONF --libs | sed 's/-l@<:@^- @:>@*//g'`" - K5LIBS="`$KRB5CONF --libs | sed 's/-L@<:@^- @:>@*//g'`" + K5LDFLAGS="`$KRB5CONF --libs | sed 's/-l@<:@^ @:>@* //g'`" + K5LIBS="`$KRB5CONF --libs | sed 's/-L@<:@^ @:>@* //g'`" fi CPPFLAGS="$CPPFLAGS $K5CFLAGS" LDFLAGS="$LDFLAGS $K5LDFLAGS" -- cgit v1.2.3 From e828d0c75b5a6e8a1736b25802739516a0212d6d Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Sun, 22 Feb 2004 11:55:07 +1100 Subject: Add missed ChangeLog entries for previous commits... --- ChangeLog | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 38be7eb59..3bc838c7c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,12 @@ 20040222 - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test to auth-shadow.c, no functional change. ok djm@ + - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or + password expiry. ok djm@ + - (dtucker) [auth-passwd.c] Only check password expiry once. Prevents + multiple warnings if a wrong password is entered. + - (dtucker) [configure.ac] Apply krb5-config --libs fix to non-gssapi path + too. 20040220 - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@ @@ -1890,4 +1896,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3241 2004/02/21 22:43:15 dtucker Exp $ +$Id: ChangeLog,v 1.3242 2004/02/22 00:55:07 dtucker Exp $ -- cgit v1.2.3 From 1825f26d21af352f3a5e2a804636c92cee700282 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 00:01:27 +1100 Subject: - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the non-interactive path. ok djm@ --- ChangeLog | 6 +++++- session.c | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index 3bc838c7c..515eb7095 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20040223 + - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the + non-interactive path. ok djm@ + 20040222 - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test to auth-shadow.c, no functional change. ok djm@ @@ -1896,4 +1900,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3242 2004/02/22 00:55:07 dtucker Exp $ +$Id: ChangeLog,v 1.3243 2004/02/23 13:01:27 dtucker Exp $ diff --git a/session.c b/session.c index 864967565..af2e71992 100644 --- a/session.c +++ b/session.c @@ -398,7 +398,7 @@ do_exec_no_pty(Session *s, const char *command) session_proctitle(s); #if defined(USE_PAM) - if (options.use_pam) + if (options.use_pam && !use_privsep) do_pam_setcred(1); #endif /* USE_PAM */ -- cgit v1.2.3 From 37bd3663bf47ea977e503ce8ba75dde675a7e4b9 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 09:19:15 +1100 Subject: - markus@cvs.openbsd.org 2004/02/19 21:15:04 [sftp-server.c] switch to new license.template --- ChangeLog | 8 +++++++- sftp-server.c | 32 ++++++++++++-------------------- 2 files changed, 19 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 515eb7095..721849fd0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +20040224 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2004/02/19 21:15:04 + [sftp-server.c] + switch to new license.template + 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the non-interactive path. ok djm@ @@ -1900,4 +1906,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3243 2004/02/23 13:01:27 dtucker Exp $ +$Id: ChangeLog,v 1.3244 2004/02/23 22:19:15 dtucker Exp $ 
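Review bot: The added `!use_privsep` condition in `do_exec_no_pty()` (session.c) decides whether PAM credentials are established for a non-interactive session, yet nothing in the code says why the call is skipped under privilege separation. A comment above the test would keep a later cleanup from dropping or inverting it, e.g. `/* Bug #789: only call setcred here when not using privsep */`. Ideally it would also name where the credentials are set in the privsep case, which this hunk does not show. The function body continues outside the hunk.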
diff --git a/sftp-server.c b/sftp-server.c
index d528a1d6e..1d13e97b2 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -1,28 +1,20 @@ /* - * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. + * Copyright (c) 2000-2004 Markus Friedl. All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, - * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY - * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT - * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF - * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ #include "includes.h" -RCSID("$OpenBSD: sftp-server.c,v 1.44 2003/11/10 16:23:41 jakob Exp $"); +RCSID("$OpenBSD: sftp-server.c,v 1.45 2004/02/19 21:15:04 markus Exp $"); #include "buffer.h" #include "bufaux.h" -- cgit v1.2.3 From efa3706f053895ffa6fca255585c20e55b11f769 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 09:20:29 +1100 Subject: - markus@cvs.openbsd.org 2004/02/23 12:02:33 [sshd.c] backout revision 1.279; set listen socket to non-block; ok henning. --- ChangeLog | 5 ++++- sshd.c | 12 +++++++++++- 2 files changed, 15 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 721849fd0..5628b943f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,9 @@ - markus@cvs.openbsd.org 2004/02/19 21:15:04 [sftp-server.c] switch to new license.template + - markus@cvs.openbsd.org 2004/02/23 12:02:33 + [sshd.c] + backout revision 1.279; set listen socket to non-block; ok henning. 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1906,4 +1909,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3244 2004/02/23 22:19:15 dtucker Exp $ +$Id: ChangeLog,v 1.3245 2004/02/23 22:20:29 dtucker Exp $ diff --git a/sshd.c b/sshd.c index 42484c064..2bb3b9efe 100644 --- a/sshd.c +++ b/sshd.c @@ -42,7 +42,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.285 2004/02/05 05:37:17 dtucker Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $"); #include #include 
@@ -1151,6 +1151,11 @@ main(int ac, char **av) verbose("socket: %.100s", strerror(errno)); continue; } + if (fcntl(listen_sock, F_SETFL, O_NONBLOCK) < 0) { + error("listen_sock O_NONBLOCK: %s", strerror(errno)); + close(listen_sock); + continue; + } /* * Set socket options. * Allow local port reuse in TIME_WAIT. @@ -1290,6 +1295,11 @@ main(int ac, char **av) error("accept: %.100s", strerror(errno)); continue; } + if (fcntl(newsock, F_SETFL, 0) < 0) { + error("newsock del O_NONBLOCK: %s", strerror(errno)); + close(newsock); + continue; + } if (drop_connection(startups) == 1) { debug("drop connection #%d", startups); close(newsock); -- cgit v1.2.3 From 0acc92a93cf66305042bfe27a19d9767b39599b2 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 09:21:41 +1100 Subject: - markus@cvs.openbsd.org 2004/02/23 15:12:46 [bufaux.c] encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka and drop support for negative BNs; ok otto@ --- ChangeLog | 6 +++++- bufaux.c | 35 ++++++++++++++++++----------------- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/ChangeLog b/ChangeLog index 5628b943f..ce4550384 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ - markus@cvs.openbsd.org 2004/02/23 12:02:33 [sshd.c] backout revision 1.279; set listen socket to non-block; ok henning. + - markus@cvs.openbsd.org 2004/02/23 15:12:46 + [bufaux.c] + encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka + and drop support for negative BNs; ok otto@ 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1909,4 +1913,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3245 2004/02/23 22:20:29 dtucker Exp $ +$Id: ChangeLog,v 1.3246 2004/02/23 22:21:41 dtucker Exp $ diff --git a/bufaux.c b/bufaux.c index 339d74435..bf148316d 100644 --- a/bufaux.c +++ b/bufaux.c 
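Review bot: Both added calls pass an absolute value to `F_SETFL`, so `fcntl(listen_sock, F_SETFL, O_NONBLOCK)` and `fcntl(newsock, F_SETFL, 0)` overwrite every file status flag instead of toggling `O_NONBLOCK` alone. The second in particular clears whatever else the accepted socket had set. Reading the flags first keeps the change narrow: `fl = fcntl(newsock, F_GETFL, 0);` then `fcntl(newsock, F_SETFL, fl & ~O_NONBLOCK)` (and `fl | O_NONBLOCK` for `listen_sock`), with `fl < 0` treated as an error. The new `error()` strings also use `%s` where the neighbouring messages bound the text with `%.100s`. `main()` extends outside both hunks.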
@@ -37,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: bufaux.c,v 1.31 2003/11/10 16:23:41 jakob Exp $"); +RCSID("$OpenBSD: bufaux.c,v 1.32 2004/02/23 15:12:46 markus Exp $"); #include #include "bufaux.h" @@ -103,46 +103,47 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value) void buffer_put_bignum2(Buffer *buffer, const BIGNUM *value) { - u_int bytes = BN_num_bytes(value) + 1; - u_char *buf = xmalloc(bytes); + u_int bytes; + u_char *buf; int oi; u_int hasnohigh = 0; + if (BN_is_zero(value)) { + buffer_put_int(buffer, 0); + return; + } + if (value->neg) + fatal("buffer_put_bignum2: negative numbers not supported"); + bytes = BN_num_bytes(value) + 1; /* extra padding byte */ + if (bytes < 2) + fatal("buffer_put_bignum2: BN too small"); + buf = xmalloc(bytes); buf[0] = '\0'; /* Get the value of in binary */ oi = BN_bn2bin(value, buf+1); if (oi != bytes-1) - fatal("buffer_put_bignum: BN_bn2bin() failed: oi %d != bin_size %d", - oi, bytes); + fatal("buffer_put_bignum2: BN_bn2bin() failed: " + "oi %d != bin_size %d", oi, bytes); hasnohigh = (buf[1] & 0x80) ? 0 : 1; - if (value->neg) { - /**XXX should be two's-complement */ - int i, carry; - u_char *uc = buf; - logit("negativ!"); - for (i = bytes-1, carry = 1; i>=0; i--) { - uc[i] ^= 0xff; - if (carry) - carry = !++uc[i]; - } - } buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh); memset(buf, 0, bytes); xfree(buf); } -/* XXX does not handle negative BNs */ void buffer_get_bignum2(Buffer *buffer, BIGNUM *value) { u_int len; u_char *bin = buffer_get_string(buffer, &len); + if (len > 0 && (bin[0] & 0x80)) + fatal("buffer_get_bignum2: negative numbers not supported"); if (len > 8 * 1024) fatal("buffer_get_bignum2: cannot handle BN of size %d", len); BN_bin2bn(bin, len, value); xfree(bin); } + /* * Returns integers from the buffer (msb first). */ -- cgit v1.2.3 From a6ea420c38160bf06f97bd6169597594dabee982 Mon Sep 17 00:00:00 2001 
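Review bot: `buffer_get_bignum2()` now rejects input with the high bit set, but the `BN_bin2bn(bin, len, value)` call that consumes the peer-supplied bytes still ignores its result. It returns NULL on failure, so a failed conversion would go unnoticed by the caller. A check such as `if (BN_bin2bn(bin, len, value) == NULL) fatal("buffer_get_bignum2: BN_bin2bn failed");` closes that gap. In `buffer_put_bignum2()` the reworded message prints `bytes` as `bin_size` although the comparison is against `bytes-1`, and `oi` (an `int`) is compared with a `u_int`; `if (oi < 0 || (u_int)oi != bytes - 1)` states the intent and the message should print `bytes - 1`.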
From: Darren Tucker Date: Tue, 24 Feb 2004 09:24:01 +1100 Subject: - markus@cvs.openbsd.org 2004/02/23 15:16:46 [version.h] enter 3.8 --- ChangeLog | 5 ++++- version.h | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index ce4550384..10a82eec8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,6 +10,9 @@ [bufaux.c] encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka and drop support for negative BNs; ok otto@ + - markus@cvs.openbsd.org 2004/02/23 15:16:46 + [version.h] + enter 3.8 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1913,4 +1916,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3246 2004/02/23 22:21:41 dtucker Exp $ +$Id: ChangeLog,v 1.3247 2004/02/23 22:24:01 dtucker Exp $ diff --git a/version.h b/version.h index 0a98e4290..c4266292c 100644 --- a/version.h +++ b/version.h @@ -1,3 +1,3 @@ -/* $OpenBSD: version.h,v 1.39 2003/09/16 21:02:40 markus Exp $ */ +/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */ -#define SSH_VERSION "OpenSSH_3.7.1p2" +#define SSH_VERSION "OpenSSH_3.8p1" -- cgit v1.2.3 From 0d27ed1c19d6de6bd50ab1f5096aee1c1ee97f69 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 10:37:33 +1100 Subject: - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found with krb5-config, hunt down gssapi.h and friends. Based partially on patch from deengert at anl.gov. For the MIT Kerberos bug against krb5-config related to this see: http://krbdev.mit.edu/rt/Ticket/Display.html?id=2240 --- ChangeLog | 5 ++++- configure.ac | 31 +++++++++++++++---------------- gss-serv-krb5.c | 8 ++++++-- ssh-gss.h | 12 ++++++++++-- 4 files changed, 35 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 10a82eec8..297a12773 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -13,6 +13,9 @@ - markus@cvs.openbsd.org 2004/02/23 15:16:46 [version.h] enter 3.8 + - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found + with krb5-config, hunt down gssapi.h and friends. Based partially on patch + from deengert at anl.gov. 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1916,4 +1919,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3247 2004/02/23 22:24:01 dtucker Exp $ +$Id: ChangeLog,v 1.3248 2004/02/23 23:37:33 dtucker Exp $ diff --git a/configure.ac b/configure.ac index 15bb53322..3769a739e 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.200 2004/02/22 00:37:48 dtucker Exp $ +# $Id: configure.ac,v 1.201 2004/02/23 23:37:33 dtucker Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -2084,18 +2084,15 @@ AC_ARG_WITH(kerberos5, AC_MSG_CHECKING(for gssapi support) if $KRB5CONF | grep gssapi >/dev/null ; then AC_MSG_RESULT(yes) - K5CFLAGS="`$KRB5CONF --cflags gssapi`" - dnl m4 quadragraphs: "sed 's/-l[^ ]* //g'" - K5LDFLAGS="`$KRB5CONF --libs gssapi | sed 's/-l@<:@^ @:>@* //g'`" - K5LIBS="`$KRB5CONF --libs gssapi | sed 's/-L@<:@^ @:>@* //g'`" + AC_DEFINE(GSSAPI) + k5confopts=gssapi else AC_MSG_RESULT(no) - K5CFLAGS="`$KRB5CONF --cflags`" - K5LDFLAGS="`$KRB5CONF --libs | sed 's/-l@<:@^ @:>@* //g'`" - K5LIBS="`$KRB5CONF --libs | sed 's/-L@<:@^ @:>@* //g'`" + k5confopts="" fi + K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" + K5LIBS="`$KRB5CONF --libs $k5confopts`" CPPFLAGS="$CPPFLAGS $K5CFLAGS" - LDFLAGS="$LDFLAGS $K5LDFLAGS" AC_MSG_CHECKING(whether we are using Heimdal) AC_TRY_COMPILE([ #include ], [ char *tmp = heimdal_version; ], 
@@ -2152,14 +2149,16 @@ AC_ARG_WITH(kerberos5, if test ! -z "$blibpath" ; then blibpath="$blibpath:${KRB5ROOT}/lib" fi - fi ] - AC_SEARCH_LIBS(k_hasafs, kafs, - [ AC_DEFINE(USE_AFS) - K5LIBS="-lkafs $K5LIBS" - ] - ) + fi + + AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h) + AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h) + AC_CHECK_HEADERS(gssapi_generic.h gssapi/gssapi_generic.h) + + LIBS="$LIBS $K5LIBS" + AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS)) + ] ) -LIBS="$LIBS $K5LIBS" # Looking for programs, paths and files diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c index 7373beb6d..8ba3e7182 100644 --- a/gss-serv-krb5.c +++ b/gss-serv-krb5.c @@ -39,9 +39,13 @@ extern ServerOptions options; #ifdef HEIMDAL -#include +# include #else -#include +# ifdef HAVE_GSSAPI_KRB5 +# include +# elif HAVE_GSSAPI_GSSAPI_KRB5 +# include +# endif #endif static krb5_context krb_context = NULL; diff --git a/ssh-gss.h b/ssh-gss.h index 2b6fe2130..4f032aa8f 100644 --- a/ssh-gss.h +++ b/ssh-gss.h @@ -30,11 +30,19 @@ #include "buffer.h" +#ifdef HAVE_GSSAPI_H #include +#elif defined(HAVE_GSSAPI_GSSAPI_H) +#include +#endif #ifdef KRB5 -#ifndef HEIMDAL -#include +# ifndef HEIMDAL +# ifdef HAVE_GSSAPI_GENERIC_H +# include +# elif defined(HAVE_GSSAPI_GSSAPI_GENERIC_H) +# include +# endif /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ -- cgit v1.2.3 From 8a4e4f8779ca39e97a8580263c94dc91cfb745ca Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 10:58:10 +1100 Subject: Add missing ok --- ChangeLog | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 297a12773..617c5ec53 100644 --- a/ChangeLog +++ b/ChangeLog 
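Review bot: The new guards in gss-serv-krb5.c test `HAVE_GSSAPI_KRB5` and `HAVE_GSSAPI_GSSAPI_KRB5`, but the `AC_CHECK_HEADERS(gssapi_krb5.h gssapi/gssapi_krb5.h)` added to configure.ac in this same commit defines names ending in `_H`. The ssh-gss.h hunk assumes the `_H` form (`HAVE_GSSAPI_H`, `HAVE_GSSAPI_GENERIC_H`). Unless the shorter names are defined somewhere not shown here, neither branch is taken on non-Heimdal builds and the krb5 GSSAPI header is never included. The lines should read `# ifdef HAVE_GSSAPI_KRB5_H` and `# elif defined(HAVE_GSSAPI_GSSAPI_KRB5_H)`. The second form also replaces a bare `# elif NAME`, which differs from the `defined()` style used in ssh-gss.h.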
@@ -15,7 +15,7 @@ enter 3.8 - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found with krb5-config, hunt down gssapi.h and friends. Based partially on patch - from deengert at anl.gov. + from deengert at anl.gov. ok djm@ 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1919,4 +1919,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3248 2004/02/23 23:37:33 dtucker Exp $ +$Id: ChangeLog,v 1.3249 2004/02/23 23:58:10 dtucker Exp $ -- cgit v1.2.3 From a811d9a9a167ffb018f18be84dc810826e73c8f2 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 24 Feb 2004 13:05:11 +1100 Subject: - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime using sysconf() if available Based on patches from holger AT van-lengerich.de and openssh_bugzilla AT hockin.org --- ChangeLog | 5 ++++- groupaccess.c | 15 ++++++++++++--- uidswap.c | 27 ++++++++++++++++++++++++--- 3 files changed, 40 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 617c5ec53..1614e9e86 100644 --- a/ChangeLog +++ b/ChangeLog @@ -16,6 +16,9 @@ - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found with krb5-config, hunt down gssapi.h and friends. Based partially on patch from deengert at anl.gov. ok djm@ + - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime + using sysconf() if available Based on patches from + holger AT van-lengerich.de and openssh_bugzilla AT hockin.org 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1919,4 +1922,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3249 2004/02/23 23:58:10 dtucker Exp $ +$Id: ChangeLog,v 1.3250 2004/02/24 02:05:11 djm Exp $ 
diff --git a/groupaccess.c b/groupaccess.c index fbf794fc8..f50879f83 100644 --- a/groupaccess.c +++ b/groupaccess.c @@ -31,7 +31,7 @@ RCSID("$OpenBSD: groupaccess.c,v 1.6 2003/04/08 20:21:28 itojun Exp $"); #include "log.h" static int ngroups; -static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */ +static char **groups_byname; /* * Initialize group access list for user with primary (base) and @@ -40,19 +40,27 @@ static char *groups_byname[NGROUPS_MAX + 1]; /* +1 for base/primary group */ int ga_init(const char *user, gid_t base) { - gid_t groups_bygid[NGROUPS_MAX + 1]; + gid_t *groups_bygid; int i, j; struct group *gr; if (ngroups > 0) ga_free(); - ngroups = sizeof(groups_bygid) / sizeof(gid_t); + ngroups = NGROUPS_MAX; +#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX) + ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX)); +#endif + + groups_bygid = xmalloc(ngroups * sizeof(*groups_bygid)); + groups_byname = xmalloc(ngroups * sizeof(*groups_byname)); + if (getgrouplist(user, base, groups_bygid, &ngroups) == -1) logit("getgrouplist: groups list too small"); for (i = 0, j = 0; i < ngroups; i++) if ((gr = getgrgid(groups_bygid[i])) != NULL) groups_byname[j++] = xstrdup(gr->gr_name); + xfree(groups_bygid); return (ngroups = j); } @@ -84,5 +92,6 @@ ga_free(void) for (i = 0; i < ngroups; i++) xfree(groups_byname[i]); ngroups = 0; + xfree(groups_byname); } } diff --git a/uidswap.c b/uidswap.c index 4cabaa444..e652161af 100644 --- a/uidswap.c +++ b/uidswap.c @@ -16,6 +16,7 @@ RCSID("$OpenBSD: uidswap.c,v 1.24 2003/05/29 16:58:45 deraadt Exp $"); #include "log.h" #include "uidswap.h" +#include "xmalloc.h" /* * Note: all these functions must work in all of the following cases: 
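Review bot: In ga_init a failed `getgrouplist()` is only logged, and the loop that follows still runs to `ngroups`, which the call may have rewritten to the number of groups it wanted to return. On a libc that reports the required count this way, the loop reads `groups_bygid` and writes `groups_byname` past the `xmalloc`ed size. The old arrays also had `NGROUPS_MAX + 1` slots ("+1 for base/primary group") and the new allocation drops that extra slot, which makes the too-small case easier to hit. Keeping the capacity in a local (`int max = ngroups;`) and clamping after a failure (`if (ngroups > max) ngroups = max;`), or treating the failure as fatal, would bound the loop. A truncated list also matters if it is what group-based allow/deny matching consults, because a missing membership silently changes the decision.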
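Review bot: The added `xfree(groups_byname);` in ga_free leaves the static pointer dangling, and it appears to sit inside a conditional block whose opening line is outside the hunk. ga_init calls ga_free only when `ngroups > 0`, so a run that resolved no group names leaves its array allocated, and the next ga_init overwrites the pointer. Following the free with `groups_byname = NULL;` and releasing the array regardless of the count would cover both cases. A short comment on `groups_byname` stating that ga_init allocates it and ga_free owns its release would document the new lifetime.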
@@ -38,7 +39,7 @@ static gid_t saved_egid = 0; /* Saved effective uid. */ static int privileged = 0; static int temporarily_use_uid_effective = 0; -static gid_t saved_egroups[NGROUPS_MAX], user_groups[NGROUPS_MAX]; +static gid_t *saved_egroups = NULL, *user_groups = NULL; static int saved_egroupslen = -1, user_groupslen = -1; /* @@ -68,18 +69,38 @@ temporarily_use_uid(struct passwd *pw) privileged = 1; temporarily_use_uid_effective = 1; - saved_egroupslen = getgroups(NGROUPS_MAX, saved_egroups); + + saved_egroupslen = getgroups(0, NULL); if (saved_egroupslen < 0) fatal("getgroups: %.100s", strerror(errno)); + if (saved_egroupslen > 0) { + saved_egroups = xrealloc(saved_egroups, + saved_egroupslen * sizeof(gid_t)); + if (getgroups(saved_egroupslen, saved_egroups) < 0) + fatal("getgroups: %.100s", strerror(errno)); + } else { /* saved_egroupslen == 0 */ + if (saved_egroups) + xfree(saved_egroups); + } /* set and save the user's groups */ if (user_groupslen == -1) { if (initgroups(pw->pw_name, pw->pw_gid) < 0) fatal("initgroups: %s: %.100s", pw->pw_name, strerror(errno)); - user_groupslen = getgroups(NGROUPS_MAX, user_groups); + + user_groupslen = getgroups(0, NULL); if (user_groupslen < 0) fatal("getgroups: %.100s", strerror(errno)); + if (user_groupslen > 0) { + user_groups = xrealloc(user_groups, + user_groupslen * sizeof(gid_t)); + if (getgroups(user_groupslen, user_groups) < 0) + fatal("getgroups: %.100s", strerror(errno)); + } else { /* user_groupslen == 0 */ + if (user_groups) + xfree(user_groups); + } } /* Set the effective uid to the given (unprivileged) uid. */ if (setgroups(user_groupslen, user_groups) < 0) -- cgit v1.2.3 From 2359aa985d5d853fb06cf1499bc6e1b0fe0173d4 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 13:17:30 +1100 Subject: - (dtucker) [uidswap.c] Minor KNF. ok djm@ --- ChangeLog | 3 ++- uidswap.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 1614e9e86..cf719e831 100644 
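Review bot: In temporarily_use_uid the `saved_egroupslen == 0` branch frees `saved_egroups` but leaves the static pointer set, so a later call sees a stale value. If it again finds zero groups it frees the pointer a second time, and if it finds some it passes the freed pointer to `xrealloc`. Adding `saved_egroups = NULL;` after the `xfree` closes this, and the `user_groups` branch needs `user_groups = NULL;` for the same reason, although it is guarded by `user_groupslen == -1` and is reached less often. The follow-up KNF commit on this page rewrites the test as `saved_egroups != NULL` but keeps the pointer dangling. The function body starts and ends outside the hunk, so any cleanup elsewhere is not visible here.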
--- a/ChangeLog +++ b/ChangeLog @@ -19,6 +19,7 @@ - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime using sysconf() if available Based on patches from holger AT van-lengerich.de and openssh_bugzilla AT hockin.org + - (dtucker) [uidswap.c] Minor KNF. ok djm@ 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1922,4 +1923,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3250 2004/02/24 02:05:11 djm Exp $ +$Id: ChangeLog,v 1.3251 2004/02/24 02:17:30 dtucker Exp $ diff --git a/uidswap.c b/uidswap.c index e652161af..44c4cb626 100644 --- a/uidswap.c +++ b/uidswap.c @@ -79,7 +79,7 @@ temporarily_use_uid(struct passwd *pw) if (getgroups(saved_egroupslen, saved_egroups) < 0) fatal("getgroups: %.100s", strerror(errno)); } else { /* saved_egroupslen == 0 */ - if (saved_egroups) + if (saved_egroups != NULL) xfree(saved_egroups); } -- cgit v1.2.3 From 18959006c0a6bf399a2ed5342cce827cf1cee2cf Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 23 Feb 2004 20:51:06 -0800 Subject: [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@ --- ChangeLog | 3 ++- openbsd-compat/getrrsetbyname.c | 11 ++++------- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index cf719e831..552fedf73 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,7 @@ using sysconf() if available Based on patches from holger AT van-lengerich.de and openssh_bugzilla AT hockin.org - (dtucker) [uidswap.c] Minor KNF. ok djm@ + - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@ 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the 
@@ -1923,4 +1924,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3251 2004/02/24 02:17:30 dtucker Exp $ +$Id: ChangeLog,v 1.3252 2004/02/24 04:51:06 tim Exp $ diff --git a/openbsd-compat/getrrsetbyname.c b/openbsd-compat/getrrsetbyname.c index bb5451cd2..66d18142e 100644 --- a/openbsd-compat/getrrsetbyname.c +++ b/openbsd-compat/getrrsetbyname.c @@ -51,8 +51,6 @@ #include "getrrsetbyname.h" -/* #include "thread_private.h" */ - #define ANSWER_BUFFER_SIZE 1024*64 struct dns_query { @@ -161,7 +159,6 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, unsigned int rdtype, unsigned int flags, struct rrsetinfo **res) { - struct __res_state *_resp = &_res; int result; struct rrsetinfo *rrset = NULL; struct dns_response *response; @@ -190,19 +187,19 @@ getrrsetbyname(const char *hostname, unsigned int rdclass, } /* initialize resolver */ - if ((_resp->options & RES_INIT) == 0 && res_init() == -1) { + if ((_res.options & RES_INIT) == 0 && res_init() == -1) { result = ERRSET_FAIL; goto fail; } #ifdef DEBUG - _resp->options |= RES_DEBUG; + _res.options |= RES_DEBUG; #endif /* DEBUG */ #ifdef RES_USE_DNSSEC /* turn on DNSSEC if EDNS0 is configured */ - if (_resp->options & RES_USE_EDNS0) - _resp->options |= RES_USE_DNSSEC; + if (_res.options & RES_USE_EDNS0) + _res.options |= RES_USE_DNSSEC; #endif /* RES_USE_DNSEC */ /* make query */ -- cgit v1.2.3 From 9fc475f0c37e2bd171a710907fe60b15c5d869e3 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 24 Feb 2004 16:00:02 +1100 Subject: - (djm) Crank RPM spec versions --- ChangeLog | 3 ++- contrib/caldera/openssh.spec | 6 +++--- contrib/redhat/openssh.spec | 4 ++-- contrib/suse/openssh.spec | 2 +- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 552fedf73..b8e19fb5f 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -21,6 +21,7 @@ holger AT van-lengerich.de and openssh_bugzilla AT hockin.org - (dtucker) [uidswap.c] Minor KNF. ok djm@ - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@ + - (djm) Crank RPM spec versions 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1924,4 +1925,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3252 2004/02/24 04:51:06 tim Exp $ +$Id: ChangeLog,v 1.3253 2004/02/24 05:00:02 djm Exp $ diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 54690dec1..599244b5d 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec @@ -17,11 +17,11 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 3.7.1p2 + %define version 3.8p1 %define cvs %{nil} %define release 1 %else - %define version 2.9.9p2 + %define version 3.8p1 %define cvs cvs20011009 %define release 0r1 %endif @@ -363,4 +363,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.47 2003/10/04 05:30:23 tim Exp $ +$Id: openssh.spec,v 1.48 2004/02/24 05:00:04 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 30d026352..05750e3a9 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,5 +1,5 @@ -%define ver 3.7.1p2 -%define rel 0.2004012300 +%define ver 3.8p1 +%define rel 1 # OpenSSH privilege separation requires a user & group ID %define sshd_uid 74 diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index d984ff22d..7eb71adf4 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 3.7.1p2 +Version: 3.8p1 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz -- cgit v1.2.3 
From 5ce131f2b6f714bba1fa3214cc15a0b2b90d68e8 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 16:13:24 +1100 Subject: - (dtucker) [README] Add pointer to release notes. ok djm@ --- ChangeLog | 3 ++- README | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index b8e19fb5f..1935f0aa2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,6 +22,7 @@ - (dtucker) [uidswap.c] Minor KNF. ok djm@ - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@ - (djm) Crank RPM spec versions + - (dtucker) [README] Add pointer to release notes. ok djm@ 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1925,4 +1926,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3253 2004/02/24 05:00:02 djm Exp $ +$Id: ChangeLog,v 1.3254 2004/02/24 05:13:24 dtucker Exp $ diff --git a/README b/README index 6cd096006..7e918fe08 100644 --- a/README +++ b/README @@ -1,3 +1,6 @@ +See: +http://www.openssh.com/txt/release-3.8 for the release notes. + - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html - Thanks to HARUYAMA Seigo @@ -63,4 +66,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.52 2003/11/21 12:48:55 djm Exp $ +$Id: README,v 1.53 2004/02/24 05:13:24 dtucker Exp $ -- cgit v1.2.3 From 149543e56d3c07de83bb13b5afea4ceb89bf7af1 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Tue, 24 Feb 2004 16:14:41 +1100 Subject: - (dtucker) {README.platform] Add platform-specific notes. --- ChangeLog | 3 ++- README.platform | 22 ++++++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) create mode 100644 README.platform diff --git a/ChangeLog b/ChangeLog index 1935f0aa2..c5f8667e4 100644 
--- a/ChangeLog +++ b/ChangeLog @@ -23,6 +23,7 @@ - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@ - (djm) Crank RPM spec versions - (dtucker) [README] Add pointer to release notes. ok djm@ + - (dtucker) {README.platform] Add platform-specific notes. 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1926,4 +1927,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3254 2004/02/24 05:13:24 dtucker Exp $ +$Id: ChangeLog,v 1.3255 2004/02/24 05:14:41 dtucker Exp $ diff --git a/README.platform b/README.platform new file mode 100644 index 000000000..c4d0c74f8 --- /dev/null +++ b/README.platform @@ -0,0 +1,22 @@ +This file contains notes about OpenSSH on specific platforms. + +AIX +--- +As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry +settings, where previously it did not. Because of this, it's possible for +sites that have used OpenSSH's sshd exclusively to have accounts which +have passwords expired longer than the inactive time (ie the "Weeks between +password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired +chuser attribute). + +Accounts in this state must have their passwords reset manually by the +administrator. As a precaution, it is recommended that the administrative +passwords be reset before upgrading from OpenSSH <3.8. + +Solaris +------- +Currently, sshd does not support BSM auditting. This can show up as errors +when editting cron entries via crontab. See. +http://bugzilla.mindrot.org/show_bug.cgi?id=125 + +$Id: README.platform,v 1.1 2004/02/24 05:14:41 dtucker Exp $ -- cgit v1.2.3 From e8c898a54fcced28a11047d5633dfc947800a3b5 Mon Sep 17 00:00:00 2001 From: Tim Rice Date: Mon, 23 Feb 2004 21:47:04 -0800 Subject: [configure.ac] SCO3 needs -lcrypt_i for -lprot --- ChangeLog | 3 ++- configure.ac | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/ChangeLog b/ChangeLog index c5f8667e4..779be414d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,7 @@ - (djm) Crank RPM spec versions - (dtucker) [README] Add pointer to release notes. ok djm@ - (dtucker) {README.platform] Add platform-specific notes. + - (tim) [configure.ac] SCO3 needs -lcrypt_i for -lprot 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the @@ -1927,4 +1928,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3255 2004/02/24 05:14:41 dtucker Exp $ +$Id: ChangeLog,v 1.3256 2004/02/24 05:47:04 tim Exp $ diff --git a/configure.ac b/configure.ac index 3769a739e..836e31730 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.201 2004/02/23 23:37:33 dtucker Exp $ +# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -336,7 +336,7 @@ mips-sony-bsd|mips-sony-newsos4) ;; *-*-sco3.2v4*) CPPFLAGS="$CPPFLAGS -Dftruncate=chsize" - LIBS="$LIBS -los -lprot -lx -ltinfo -lm" + LIBS="$LIBS -los -lprot -lcrypt_i -lx -ltinfo -lm" RANLIB=true no_dev_ptmx=1 AC_DEFINE(BROKEN_SYS_TERMIO_H) -- cgit v1.2.3 From 3342470472b45f000576e9f79f55bb30c7d517b8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 24 Feb 2004 17:13:28 +1100 Subject: - (djm) Release 3.8p1 --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 779be414d..c2891ba41 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,7 @@ - (dtucker) [README] Add pointer to release notes. ok djm@ - (dtucker) {README.platform] Add platform-specific notes. - (tim) [configure.ac] SCO3 needs -lcrypt_i for -lprot + - (djm) Release 3.8p1 20040223 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the 
@@ -1928,4 +1929,4 @@ - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. Report from murple@murple.net, diagnosis from dtucker@zip.com.au -$Id: ChangeLog,v 1.3256 2004/02/24 05:47:04 tim Exp $ +$Id: ChangeLog,v 1.3257 2004/02/24 06:13:28 djm Exp $ -- cgit v1.2.3