diff -uNr ../../OpenBSD/openssh-2.3.0/Makefile ./Makefile --- ../../OpenBSD/openssh-2.3.0/Makefile Fri Sep 1 00:52:23 2000 +++ ./Makefile Fri Nov 24 05:10:06 2000 @@ -1,13 +1,11 @@ # $OpenBSD: Makefile,v 1.6 2000/08/31 21:52:23 markus Exp $ -.include - -SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server +SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp #sftp-server distribution: - install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ + install -c -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ ${DESTDIR}/etc/ssh_config - install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ + install -c -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ ${DESTDIR}/etc/sshd_config .include diff -uNr ../../OpenBSD/openssh-2.3.0/Makefile.inc ./Makefile.inc --- ../../OpenBSD/openssh-2.3.0/Makefile.inc Sun Oct 15 16:15:34 2000 +++ ./Makefile.inc Fri Nov 24 05:51:09 2000 @@ -1,13 +1,8 @@ -CFLAGS+= -I${.CURDIR}/.. +BINDIR?= /usr/local/bin +MANDIR= /usr/local/man/cat +CFLAGS+= -DHAVE_LOGIN_CAP -I${.CURDIR}/.. -I/usr/local/include CFLAGS+= -Wall -.include - -.if exists(${.CURDIR}/../lib/${__objdir}) -LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh -DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a -.else -LDADD+= -L${.CURDIR}/../lib -lssh -DPADD+= ${.CURDIR}/../lib/libssh.a -.endif +LDFLAGS+= -L${.CURDIR}/../lib -L/usr/local/lib +DPADD+= ${.OBJDIR}/../lib/libssh.a diff -uNr ../../OpenBSD/openssh-2.3.0/README.BSDI ./README.BSDI --- ../../OpenBSD/openssh-2.3.0/README.BSDI Thu Jan 1 02:00:00 1970 +++ ./README.BSDI Fri Nov 24 05:37:43 2000 
@@ -0,0 +1,103 @@ +Copyright (c) 1999, 2000 + Vadim Vygonets . All rights reserved. + +This is a port of OpenSSH 2.3.0 to BSD/OS 3.x, 4.0 and 4.1. + +This may be the last port of OpenSSH to BSD/OS from me, because +BSDi is planning to ship OpenSSH with BSD/OS 4.2. + +The main points of this port are BSD authentication and login_cap +support. It also makes OpenSSH compile on BSD/OS out of the box. + +This port owes a great deal to Brian Fundakowski Feldman + and his port of OpenSSH from the FreeBSD +ports collection. + +This port also incorporates my patches to auth-passwd.c of ssh +1.2.26 (BSD authentication). I also tried to incorporate login +capabilities handling throughout sshd. The code was partly based +on Brian's code and partly on my older code. + +================================================================= += Changes from previous versions = +================================================================= + +2.3.0: + We link with OpenSSL 0.9.6 now. + + Diffs from the FreeBSD version are not distributed right + now (but will be). + + ConnectionsPerPeriod is currently not integrated. + Consider using MaxStartups instead. If you still need + ConnectionsPerPeriod, bug me and I may do it. + + sftp-server is not even compiled. It needs futimes(2) + system call, which does not exist on BSD/OS. I'm sure + this can be overcome quite easily, and I'll do it when I + feel like it (possibly never). + + Support of login_cap (and, possibly, BSD authentication) + from BSDi (thanks guys) is being integrated OpenBSD and + OpenSSH, so I have less work to do. The way these issues + are handled in the BSD/OS port of OpenSSH is somewhat + different now, as OpenBSD did it differently (and yes, + I've sent them my patches). Not that you shoud care, but + if something breaks, you know whom to blame. + +2.1.0: + The way login_cap_t is handled is different now. 
It's no + longer passed all way from do_authentication() down to + do_child(), but generated and destroyed in authentication + routines, and then generated in do_exec_{no_,}pty() and + destroyed in do_child. Passing it all way down became + cumbersome due to the way SSH2 authentication routines + are organized. And FreeBSD doesn't use login_cap_t in + OpenSSH authentication routines. + + There are now two different BSD/OS-related CPP macros, + LOGIN_CAP and BSD_AUTH. This is to prepare ground for + merging of this port with the FreeBSD port of OpenSSH. + +1.2.2/1.2.3: + Important note: sshd is now installed in /usr/local/sbin. + I strongly advise that you remove /usr/local/bin/sshd to + avoid confusion. + +================================================================= += INSTALLATION = +================================================================= + +IF YOU DON'T LIVE IN A FREE COUNTRY, DON'T BLAME ME IF YOU GET +ARRESTED FOR USING THESE INSTRUCTIONS. I don't care, alright? +Please also note that I can get arrested, too. + +You need OpenSSL 0.9.6. You can get it from: + http://www.openssl.org/ + +It seems that USA citizens and residents don't have to use RSAREF +now. If you still insist on using RSAREF, you can obtain it fom +RSA Security Inc. (http://www.rsa.com/). See the file INSTALL in +the OpenSSL distribution for some details. + +If you intend to use OpenSSL on an 80386 machine (as opposed to +i486 or higher), consult the file INSTALL in the OpenSSL +distribution. The rest of this file assumes that you are rich. + +Compile and install OpenSSL with the following commands: + $ ./config --prefix=/usr/local --openssldir=/usr/local/lib/openssl + $ make + $ make test + $ su + # make install + +OpenSSH expects to find OpenSSL header files in subdirectory ssl. 
+Calm it by doing: + # cd /usr/local/include + # ln -s openssl ssl + +Compile OpenSSH by doing: + $ make + +Install OpenSSH: + # make install diff -uNr ../../OpenBSD/openssh-2.3.0/auth-passwd.c ./auth-passwd.c --- ../../OpenBSD/openssh-2.3.0/auth-passwd.c Tue Oct 3 21:03:03 2000 +++ ./auth-passwd.c Fri Nov 24 04:26:40 2000 @@ -70,6 +70,31 @@ * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ +#ifdef BSD_AUTH /* BSDI and FreeBSD <=3? */ +int +auth_password(struct passwd *pw, const char *password, + login_cap_t *lc, char *style) +{ + extern ServerOptions options; + char *challenge; + int status; + + /* deny if no user. */ + if (pw == NULL) + return 0; + if (pw->pw_uid == 0 && options.permit_root_login == 2) + return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + + /* style is already definitive */ + auth_setopt("auth_type", "auth-ssh"); + challenge = auth_value("challenge"); + status = auth_response(pw->pw_name, lc->lc_class, style, "response", + NULL, challenge ? challenge : "", (char *)password); + return (status > 0) && (status & AUTH_OKAY); +} +#else /* BSD_AUTH */ int auth_password(struct passwd * pw, const char *password) { @@ -111,3 +136,4 @@ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw->pw_passwd) == 0); } +#endif /* BSD_AUTH */ diff -uNr ../../OpenBSD/openssh-2.3.0/auth-rhosts.c ./auth-rhosts.c --- ../../OpenBSD/openssh-2.3.0/auth-rhosts.c Tue Oct 3 21:03:03 2000 +++ ./auth-rhosts.c Thu Nov 23 18:33:48 2000 
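Review bot: The BSD_AUTH `auth_password` dereferences `lc->lc_class` in the `auth_response` call without checking `lc` for NULL, even though the callers' own `if (lc == NULL)` fallback shows `login_getpwclass` can return NULL, the `login_getclassbyname` fallback presumably can too, and the auth2.c caller passes `authctxt->lc` straight through whenever `authctxt->valid` is set. Add `if (lc == NULL || style == NULL) return 0;` next to the `pw == NULL` guard so a missing login class or style fails closed instead of crashing the unauthenticated sshd child. The `(char *)password` cast discards the parameter's const; if `auth_response` really needs a writable buffer, a short comment should say so, otherwise drop the cast.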
@@ -22,6 +22,13 @@ #include "uidswap.h" #include "servconf.h" +#ifdef __bsdi__ +/* Is innetgr() declared in any header file? */ +int +innetgr(const char *netgroup, const char *host, const char *user, + const char *domain); +#endif /* __bsdi__ */ + /* * This function processes an rhosts-style file (.rhosts, .shosts, or * /etc/hosts.equiv). This returns true if authentication can be granted diff -uNr ../../OpenBSD/openssh-2.3.0/auth.c ./auth.c --- ../../OpenBSD/openssh-2.3.0/auth.c Wed Oct 11 22:27:23 2000 +++ ./auth.c Thu Nov 23 14:24:24 2000 @@ -137,6 +137,16 @@ return 0; } } +#if defined(__FreeBSD__) || defined(__bsdi__) + /* Fail if the account's expiration time has passed. */ + if (pw->pw_expire != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_expire) + return 0; + } +#endif /* __FreeBSD__ || __bsdi__ */ /* We found no reason not to let this user try to log on... */ return 1; } diff -uNr ../../OpenBSD/openssh-2.3.0/auth.h ./auth.h --- ../../OpenBSD/openssh-2.3.0/auth.h Mon Oct 16 11:38:44 2000 +++ ./auth.h Fri Nov 24 04:28:18 2000 @@ -34,6 +34,10 @@ char *user; char *service; struct passwd *pw; +#ifdef BSD_AUTH + login_cap_t *lc; + char *style; +#endif /* BSD_AUTH */ }; void do_authentication(void); diff -uNr ../../OpenBSD/openssh-2.3.0/auth1.c ./auth1.c --- ../../OpenBSD/openssh-2.3.0/auth1.c Wed Oct 11 22:27:23 2000 +++ ./auth1.c Fri Nov 24 05:45:48 2000 @@ -64,7 +64,11 @@ * users. */ void +#ifdef BSD_AUTH +do_authloop(struct passwd * pw, char *luser, login_cap_t *lc, char *style) +#else /* BSD_AUTH */ do_authloop(struct passwd * pw, char *luser) +#endif /* BSD_AUTH */ { int authenticated = 0; int attempt = 0; 
@@ -236,7 +240,11 @@ packet_integrity_check(plen, 4 + dlen, type); /* Try authentication with the password. */ +#ifdef BSD_AUTH + authenticated = auth_password(pw, password, lc, style); +#else /* BSD_AUTH */ authenticated = auth_password(pw, password); +#endif /* BSD_AUTH */ memset(password, 0, strlen(password)); xfree(password); @@ -348,6 +356,10 @@ int plen; unsigned int ulen; char *user; +#ifdef BSD_AUTH + login_cap_t *lc = NULL; + char *style; +#endif /* BSD_AUTH */ /* Get the name of the user that we wish to log in as. */ packet_read_expect(&plen, SSH_CMSG_USER); @@ -366,9 +378,26 @@ } #endif /* AFS */ +#ifdef BSD_AUTH + if ((style = strchr(user, ':')) != NULL) + *style++ = '\0'; +#endif /* BSD_AUTH */ + /* Verify that the user is a valid user. */ pw = getpwnam(user); + +#ifdef BSD_AUTH + if (pw != NULL) { + lc = login_getpwclass(pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, pw); + auth_setopt("auth_type", "auth-ssh"); + style = login_getstyle(lc, style, "auth-ssh"); + } + if (pw && lc && style && allowed_user(pw)) { +#else /* BSD_AUTH */ if (pw && allowed_user(pw)) { +#endif /* BSD_AUTH */ /* Take a copy of the returned structure. */ memset(&pwcopy, 0, sizeof(pwcopy)); pwcopy.pw_name = xstrdup(pw->pw_name); @@ -378,6 +407,11 @@ pwcopy.pw_class = xstrdup(pw->pw_class); pwcopy.pw_dir = xstrdup(pw->pw_dir); pwcopy.pw_shell = xstrdup(pw->pw_shell); +#ifdef HAVE_LOGIN_CAP + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_expire = pw->pw_expire; + pwcopy.pw_change = pw->pw_change; +#endif /* HAVE_LOGIN_CAP */ pw = &pwcopy; } else { pw = NULL; @@ -397,7 +431,11 @@ #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ +#ifdef BSD_AUTH + auth_password(pw, "", lc, style)) { +#else /* BSD_AUTH */ auth_password(pw, "")) { +#endif /* BSD_AUTH */ /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", user, get_remote_ipaddr()); 
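Review bot: The HAVE_LOGIN_CAP block in the `@@ -378` hunk assigns `pwcopy.pw_class = xstrdup(pw->pw_class);` again, two lines after the unchanged context line that already did the same, so the first copy is leaked on every login. Drop the `pw_class` line from the new block and keep only `pwcopy.pw_expire = pw->pw_expire;` and `pwcopy.pw_change = pw->pw_change;`. The same duplicated `copy->pw_class = xstrdup(pw->pw_class);` appears in the auth2.c `@@ -624` hunk. The enclosing function continues outside the hunk.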
@@ -405,7 +443,11 @@ /* Loop until the user has been authenticated or the connection is closed, do_authloop() returns only if authentication is successfull */ +#ifdef BSD_AUTH + do_authloop(pw, user, lc, style); +#else /* BSD_AUTH */ do_authloop(pw, user); +#endif /* BSD_AUTH */ } if (pw == NULL) fatal("internal error, authentication successfull for user '%.100s'", user); @@ -416,5 +458,8 @@ packet_write_wait(); /* Perform session preparation. */ +#ifdef BSD_AUTH + login_close(lc); +#endif /* BSD_AUTH */ do_authenticated(pw); } diff -uNr ../../OpenBSD/openssh-2.3.0/auth2.c ./auth2.c --- ../../OpenBSD/openssh-2.3.0/auth2.c Sat Oct 14 14:16:56 2000 +++ ./auth2.c Thu Nov 23 15:37:28 2000 @@ -122,6 +122,9 @@ dispatch_init(&protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); +#ifdef BSD_AUTH + login_close(authctxt->lc); +#endif /* BSD_AUTH */ do_authenticated2(); } @@ -175,6 +178,10 @@ Authmethod *m = NULL; char *user, *service, *method; int authenticated = 0; +#ifdef BSD_AUTH + login_cap_t *lc; + char *style; +#endif /* BSD_AUTH */ if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); @@ -186,6 +193,10 @@ method = packet_get_string(NULL); debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt #%d", authctxt->attempt); +#ifdef BSD_AUTH + if ((style = strchr(user, ':')) != NULL) + *style++ = '\0'; +#endif /* BSD_AUTH */ if (authctxt->attempt == 1) { /* setup auth context */ @@ -201,6 +212,14 @@ } authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); +#ifdef BSD_AUTH + lc = login_getpwclass(pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, pw); + auth_setopt("auth_type", "auth-ssh"); + authctxt->lc = lc; + authctxt->style = login_getstyle(lc, style, "auth-ssh"); +#endif /* BSD_AUTH */ } else if (authctxt->valid) { if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { 
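Review bot: In the auth2.c `@@ -201` hunk `lc` may still be NULL after the `login_getclassbyname` fallback, `login_getstyle` is then called with that NULL class (whether it tolerates one is not shown here), and nothing in the hunk clears `authctxt->valid` when the class or style lookup fails, so the later `auth_password(authctxt->pw, ..., authctxt->lc, authctxt->style)` call can run with a NULL `lc`; the auth1.c path, by contrast, only proceeds when `pw && lc && style`. Consider `if (lc == NULL || authctxt->style == NULL) authctxt->valid = 0;` after the assignments, with a log line, to mirror auth1.c. It is also not visible in the hunk whether `pw` can be NULL on this path for an unknown user; if it can, `login_getpwclass(pw)` needs the same `pw != NULL` guard auth1.c uses. The enclosing `input_userauth_request` starts outside the hunk.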
@@ -307,7 +326,13 @@ if (m != NULL) m->enabled = NULL; packet_done(); - return authctxt->valid ? auth_password(authctxt->pw, "") : 0; + return authctxt->valid ? +#ifdef BSD_AUTH + auth_password(authctxt->pw, "", authctxt->lc, authctxt->style) +#else /* BSD_AUTH */ + auth_password(authctxt->pw, "") +#endif /* BSD_AUTH */ + : 0; } int @@ -323,7 +348,12 @@ password = packet_get_string(&len); packet_done(); if (authctxt->valid && - auth_password(authctxt->pw, password) == 1) +#ifdef BSD_AUTH + auth_password(authctxt->pw, password, authctxt->lc, authctxt->style) +#else /* BSD_AUTH */ + auth_password(authctxt->pw, password) +#endif /* BSD_AUTH */ + == 1) authenticated = 1; memset(password, 0, len); xfree(password); @@ -624,5 +654,10 @@ copy->pw_class = xstrdup(pw->pw_class); copy->pw_dir = xstrdup(pw->pw_dir); copy->pw_shell = xstrdup(pw->pw_shell); +#if defined(__FreeBSD__) || defined(__bsdi__) + copy->pw_class = xstrdup(pw->pw_class); + copy->pw_expire = pw->pw_expire; + copy->pw_change = pw->pw_change; +#endif /* __FreeBSD__ || __bsdi__ */ return copy; } diff -uNr ../../OpenBSD/openssh-2.3.0/channels.c ./channels.c --- ../../OpenBSD/openssh-2.3.0/channels.c Fri Oct 27 09:48:22 2000 +++ ./channels.c Thu Nov 23 14:24:24 2000 @@ -61,6 +61,10 @@ #include "key.h" #include "authfd.h" +#ifndef INADDR_LOOPBACK +#define INADDR_LOOPBACK (u_int32_t)0x7f000001 /* 127.0.0.1 */ +#endif + /* Maximum number of fake X11 displays to try. */ #define MAX_DISPLAYS 1000 diff -uNr ../../OpenBSD/openssh-2.3.0/includes.h ./includes.h --- ../../OpenBSD/openssh-2.3.0/includes.h Thu Sep 7 23:27:51 2000 +++ ./includes.h Thu Nov 23 14:24:24 2000 @@ -22,12 +22,12 @@ #include #include #include -#include #include #include #include #include #include +#include #include #include @@ -36,7 +36,6 @@ #include #include -#include #include #include #include 
@@ -63,5 +62,32 @@ * client program. Socketpairs do not seem to work on all systems. */ #define USE_PIPES 1 + +#if defined(__FreeBSD__) && __FreeBSD__ <= 3 || defined(__bsdi__) +/* + * Data types. + */ +#ifdef __FreeBSD__ +typedef u_char sa_family_t; +typedef int socklen_t; +#endif /* __FreeBSD__ */ + +/* + * bsd-api-new-02a: protocol-independent placeholder for socket addresses + */ +#define _SS_MAXSIZE 128 +#define _SS_ALIGNSIZE (sizeof(int64_t)) +#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_char) * 2) +#define _SS_PAD2SIZE (_SS_MAXSIZE - sizeof(u_char) * 2 - \ + _SS_PAD1SIZE - _SS_ALIGNSIZE) + +struct sockaddr_storage { + u_char ss_len; /* address length */ + sa_family_t ss_family; /* address family */ + char __ss_pad1[_SS_PAD1SIZE]; + int64_t __ss_align; /* force desired structure storage alignment */ + char __ss_pad2[_SS_PAD2SIZE]; +}; +#endif #endif /* INCLUDES_H */ diff -uNr ../../OpenBSD/openssh-2.3.0/lib/Makefile ./lib/Makefile --- ../../OpenBSD/openssh-2.3.0/lib/Makefile Fri Oct 13 20:59:15 2000 +++ ./lib/Makefile Thu Nov 23 15:39:14 2000 @@ -6,22 +6,13 @@ hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c \ - cli.c rijndael.c + cli.c rijndael.c strlcat.c strlcpy.c arc4random.c mkdtemp.c \ + timersub.c NOPROFILE= yes NOPIC= yes install: @echo -n - -.include - -.if (${KERBEROS:L} == "yes") -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV -.if (${AFS:L} == "yes") -CFLAGS+= -DAFS -SRCS+= radix.c -.endif # AFS -.endif # KERBEROS .include diff -uNr ../../OpenBSD/openssh-2.3.0/lib/arc4random.c ./lib/arc4random.c --- ../../OpenBSD/openssh-2.3.0/lib/arc4random.c Thu Jan 1 02:00:00 1970 +++ ./lib/arc4random.c Thu Nov 23 18:29:25 2000 
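Review bot: The new `#if defined(__FreeBSD__) && __FreeBSD__ <= 3 || defined(__bsdi__)` mixes `&&` and `||` without parentheses; it parses as intended but reads ambiguously. Write it as `#if (defined(__FreeBSD__) && __FreeBSD__ <= 3) || defined(__bsdi__)`. A one-line comment above `struct sockaddr_storage` saying that this block only supplies the type on systems whose headers lack it, and that the `_SS_*` layout is meant to match the system definition elsewhere, would stop the next reader from mistaking these for libc internals to be edited.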
@@ -0,0 +1,196 @@ +/* $OpenBSD: arc4random.c,v 1.5 1999/09/28 01:24:48 deraadt Exp $ */ + +/* + * Arc4 random number generator for OpenBSD. + * Copyright 1996 David Mazieres . + * + * Modification and redistribution in source and binary forms is + * permitted provided that due credit is given to the author and the + * OpenBSD project (for instance by leaving this copyright notice + * intact). + */ + +/* + * This code is derived from section 17.1 of Applied Cryptography, + * second edition, which describes a stream cipher allegedly + * compatible with RSA Labs "RC4" cipher (the actual description of + * which is a trade secret). The same algorithm is used as a stream + * cipher called "arcfour" in Tatu Ylonen's ssh package. + * + * Here the stream cipher has been modified always to include the time + * when initializing the state. That makes it impossible to + * regenerate the same random sequence twice, so this can't be used + * for encryption, but will generate good random numbers. + * + * RC4 is a registered trademark of RSA Laboratories. 
+ */ + +#include +#include +#include +#include +#include +#include +#include + +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +struct arc4_stream { + u_int8_t i; + u_int8_t j; + u_int8_t s[256]; +}; + +int rs_initialized; +static struct arc4_stream rs; + +static inline void +arc4_init(as) + struct arc4_stream *as; +{ + int n; + + for (n = 0; n < 256; n++) + as->s[n] = n; + as->i = 0; + as->j = 0; +} + +static inline void +arc4_addrandom(as, dat, datlen) + struct arc4_stream *as; + u_char *dat; + int datlen; +{ + int n; + u_int8_t si; + + as->i--; + for (n = 0; n < 256; n++) { + as->i = (as->i + 1); + si = as->s[as->i]; + as->j = (as->j + si + dat[n % datlen]); + as->s[as->i] = as->s[as->j]; + as->s[as->j] = si; + } + as->j = as->i; +} + +static void +arc4_stir(as) + struct arc4_stream *as; +{ + int fd; + struct { + struct timeval tv; + u_int rnd[(128 - sizeof(struct timeval)) / sizeof(u_int)]; + } rdat; + + gettimeofday(&rdat.tv, NULL); + fd = open("/dev/random", O_RDONLY); + if (fd != -1) { + read(fd, rdat.rnd, sizeof(rdat.rnd)); + close(fd); +#if 0 + } else { + int i, mib[2]; + size_t len; + + /* Device could not be opened, we might be chrooted, take + * randomness from sysctl. */ + + mib[0] = CTL_KERN; + mib[1] = KERN_ARND; + + for (i = 0; i < sizeof(rdat.rnd) / sizeof(u_int); i ++) { + len = sizeof(u_int); + if (sysctl(mib, 2, &rdat.rnd[i], &len, NULL, 0) == -1) + break; + } +#endif + } + /* fd < 0 or failed sysctl ? Ah, what the heck. We'll just take + * whatever was on the stack... 
*/ + + arc4_addrandom(as, (void *) &rdat, sizeof(rdat)); +} + +static inline u_int8_t +arc4_getbyte(as) + struct arc4_stream *as; +{ + u_int8_t si, sj; + + as->i = (as->i + 1); + si = as->s[as->i]; + as->j = (as->j + si); + sj = as->s[as->j]; + as->s[as->i] = sj; + as->s[as->j] = si; + return (as->s[(si + sj) & 0xff]); +} + +static inline u_int32_t +arc4_getword(as) + struct arc4_stream *as; +{ + u_int32_t val; + val = arc4_getbyte(as) << 24; + val |= arc4_getbyte(as) << 16; + val |= arc4_getbyte(as) << 8; + val |= arc4_getbyte(as); + return val; +} + +void +arc4random_stir() +{ + if (!rs_initialized) { + arc4_init(&rs); + rs_initialized = 1; + } + arc4_stir(&rs); +} + +void +arc4random_addrandom(dat, datlen) + u_char *dat; + int datlen; +{ + if (!rs_initialized) + arc4random_stir(); + arc4_addrandom(&rs, dat, datlen); +} + +u_int32_t +arc4random() +{ + if (!rs_initialized) + arc4random_stir(); + return arc4_getword(&rs); +} + +#if 0 +/*-------- Test code for i386 --------*/ +#include +#include +int +main(int argc, char **argv) +{ + const int iter = 1000000; + int i; + pctrval v; + + v = rdtsc(); + for (i = 0; i < iter; i++) + arc4random(); + v = rdtsc() - v; + v /= iter; + + printf("%qd cycles\n", v); +} +#endif diff -uNr ../../OpenBSD/openssh-2.3.0/lib/mkdtemp.c ./lib/mkdtemp.c --- ../../OpenBSD/openssh-2.3.0/lib/mkdtemp.c Thu Jan 1 02:00:00 1970 +++ ./lib/mkdtemp.c Thu Nov 23 18:26:48 2000 
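Review bot: `arc4_stir` ignores the return value of `read(fd, rdat.rnd, sizeof(rdat.rnd))`, so a short read or an error leaves part of `rdat.rnd` as uninitialised stack and the generator is seeded largely from `gettimeofday`; on this port that seed also feeds `mkdtemp`, which calls `arc4random()`. Capture the count, `ssize_t got = read(fd, rdat.rnd, sizeof(rdat.rnd));`, check `got == (ssize_t)sizeof(rdat.rnd)`, and have the comment state what the fallback entropy actually is instead of "whatever was on the stack". `int rs_initialized;` should be `static` like `rs`, since nothing outside this file references it. The `#if 0` around the sysctl fallback deserves a one-line comment on why it is disabled on BSD/OS.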
@@ -0,0 +1,161 @@ +/* + * Copyright (c) 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: mktemp.c,v 1.13 1998/06/30 23:03:13 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include + +u_int32_t arc4random(void); + +static int _gettemp __P((char *, int *, int, int)); + +char * +mkdtemp(path) + char *path; +{ + return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); +} + +static int +_gettemp(path, doopen, domkdir, slen) + char *path; + register int *doopen; + int domkdir; + int slen; +{ + register char *start, *trv, *suffp; + struct stat sbuf; + int pid, rval; + + if (doopen && domkdir) { + errno = EINVAL; + return(0); + } + + for (trv = path; *trv; ++trv) + ; + trv -= slen; + suffp = trv; + --trv; + if (trv < path) { + errno = EINVAL; + return (0); + } + pid = getpid(); + while (*trv == 'X' && pid != 0) { + *trv-- = (pid % 10) + '0'; + pid /= 10; + } + while (*trv == 'X') { + char c; + + pid = (arc4random() & 0xffff) % (26+26); + if (pid < 26) + c = pid + 'A'; + else + c = (pid - 26) + 'a'; + *trv-- = c; + } + start = trv + 1; + + /* + * check the target directory; if you have six X's and it + * doesn't exist this runs for a *very* long time. + */ + if (doopen || domkdir) { + for (;; --trv) { + if (trv <= path) + break; + if (*trv == '/') { + *trv = '\0'; + rval = stat(path, &sbuf); + *trv = '/'; + if (rval != 0) + return(0); + if (!S_ISDIR(sbuf.st_mode)) { + errno = ENOTDIR; + return(0); + } + break; + } + } + } + + for (;;) { + if (doopen) { + if ((*doopen = + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (domkdir) { + if (mkdir(path, 0700) == 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (lstat(path, &sbuf)) + return(errno == ENOENT ? 
1 : 0); + + /* tricky little algorithm for backward compatibility */ + for (trv = start;;) { + if (!*trv) + return (0); + if (*trv == 'Z') { + if (trv == suffp) + return (0); + *trv++ = 'a'; + } else { + if (isdigit(*trv)) + *trv = 'a'; + else if (*trv == 'z') /* inc from z to A */ + *trv = 'A'; + else { + if (trv == suffp) + return (0); + ++*trv; + } + break; + } + } + } + /*NOTREACHED*/ +} diff -uNr ../../OpenBSD/openssh-2.3.0/lib/strlcat.c ./lib/strlcat.c --- ../../OpenBSD/openssh-2.3.0/lib/strlcat.c Thu Jan 1 02:00:00 1970 +++ ./lib/strlcat.c Wed Nov 24 05:36:00 1999 
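Review bot: `_gettemp` calls `isdigit(*trv)` on a plain `char`; a high-bit byte in the template is undefined behaviour where `char` is signed, so cast it: `if (isdigit((unsigned char)*trv))`. A short header comment saying this file is the BSD `mktemp.c` import with only `mkdtemp` exposed (the rcsid already hints at it) would stop the `register` and `__P` archaisms from being modernised piecemeal. `_gettemp` is entirely inside the hunk.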
@@ -0,0 +1,71 @@ +/* $OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Appends src to string dst of size siz (unlike strncat, siz is the + * full size of dst, not space left). At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). 
+ * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcat(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + size_t dlen; + + /* Find the end of dst and adjust bytes left but don't go past end */ + while (*d != '\0' && n-- != 0) + d++; + dlen = d - dst; + n = siz - dlen; + + if (n == 0) + return(dlen + strlen(s)); + while (*s != '\0') { + if (n != 1) { + *d++ = *s; + n--; + } + s++; + } + *d = '\0'; + + return(dlen + (s - src)); /* count does not include NUL */ +} diff -uNr ../../OpenBSD/openssh-2.3.0/lib/strlcpy.c ./lib/strlcpy.c --- ../../OpenBSD/openssh-2.3.0/lib/strlcpy.c Thu Jan 1 02:00:00 1970 +++ ./lib/strlcpy.c Thu Nov 11 16:33:17 1999 
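Review bot: The scan for the end of `dst`, `while (*d != '\0' && n-- != 0) d++;`, tests `*d` before the counter, so when `dst` holds no NUL within `siz` bytes it reads `dst[siz]`, one byte past the buffer the caller promised. Swapping the conjuncts, `while (n-- != 0 && *d != '\0') d++;`, stops at the bound and leaves `dlen` unchanged for properly terminated strings, since `n` is recomputed from `dlen` right after; as far as I recall later OpenBSD revisions of this file made that change. The rest of `strlcat` is unaffected.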
@@ -0,0 +1,68 @@ +/* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. 
+ */ +size_t strlcpy(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + + /* Copy as many bytes as will fit */ + if (n != 0 && --n != 0) { + do { + if ((*d++ = *s++) == 0) + break; + } while (--n != 0); + } + + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } + + return(s - src - 1); /* count does not include NUL */ +} diff -uNr ../../OpenBSD/openssh-2.3.0/lib/timersub.c ./lib/timersub.c --- ../../OpenBSD/openssh-2.3.0/lib/timersub.c Thu Jan 1 02:00:00 1970 +++ ./lib/timersub.c Sat Nov 20 10:30:23 1999 
@@ -0,0 +1,54 @@ +/* + * Copyright (c) 1999 + * Vadim Vygonets . All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Vadim Vygonets nor the names of his contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY VADIM VYGONETS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL VADIM VYGONETS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* If you want it in public domain, contact me. */ + +/* + * void + * timersub(const struct timeval *a, const struct timeval *b, + * struct timeval *result); + * + * Does result = a - b with timeval. + * Originally written for OpenSSH (it was easier than to find the source). + * I really really hope this function must be void. 
+ */ + +#include + +void +timersub(const struct timeval *a, const struct timeval *b, + struct timeval *result) +{ + result->tv_sec = a->tv_sec - b->tv_sec; + result->tv_usec = a->tv_usec - b->tv_usec; + if (result->tv_usec < 0) { + result->tv_usec += 1000000; + result->tv_sec--; + } +} diff -uNr ../../OpenBSD/openssh-2.3.0/login.c ./login.c --- ../../OpenBSD/openssh-2.3.0/login.c Thu Sep 7 23:27:52 2000 +++ ./login.c Fri Nov 24 05:44:31 2000 @@ -41,9 +41,22 @@ #include "includes.h" RCSID("$OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $"); +#ifndef __bsdi__ +#ifdef __FreeBSD__ +#include +#else /* __FreeBSD__ */ #include +#endif /* __FreeBSD__ */ +#endif /* __bsdi__ */ #include #include "ssh.h" + +#ifdef __bsdi__ +#include +void login(struct utmp *ut); +int logout(const char *line); +void logwtmp(const char *line, const char *name, const char *host); +#endif /* __bsdi__ */ /* * Returns the time when the user last logged in. Returns 0 if the diff -uNr ../../OpenBSD/openssh-2.3.0/pam_ssh/Makefile ./pam_ssh/Makefile --- ../../OpenBSD/openssh-2.3.0/pam_ssh/Makefile Thu Jan 1 02:00:00 1970 +++ ./pam_ssh/Makefile Thu Nov 23 14:24:24 2000 @@ -0,0 +1,15 @@ +# PAM module for SSH +# $FreeBSD: ports/security/openssh/files/pam_ssh_Makefile,v 1.1 1999/11/29 07:09:44 green Exp $ +.PATH: ${.CURDIR}/.. + +LIB= pam_ssh +DESTDIR= +SHLIB_NAME= pam_ssh.so +SRCS= log-client.c pam_ssh.c +CFLAGS+= -Wall +DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} ${LIBGCC_PIC} +LDADD+= ${CRYPTOLIBS} -lutil -lz -lgcc_pic +INTERNALLIB= yes +INTERNALSTATICLIB=yes + +.include diff -uNr ../../OpenBSD/openssh-2.3.0/pam_ssh/pam_ssh.c ./pam_ssh/pam_ssh.c --- ../../OpenBSD/openssh-2.3.0/pam_ssh/pam_ssh.c Thu Jan 1 02:00:00 1970 +++ ./pam_ssh/pam_ssh.c Thu Nov 23 14:24:24 2000 
@@ -0,0 +1,496 @@
+/*-
+ * Copyright (c) 1999 Andrew J. Korty
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: ports/security/openssh/files/pam_ssh.c,v 1.3 2000/05/13 17:11:01 green Exp $
+ *
+ */
+
+
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define PAM_SM_AUTH
+#define PAM_SM_SESSION
+#include
+#include
+
+#include
+
+#include "includes.h"
+#include "rsa.h"
+#include "key.h"
+#include "ssh.h"
+#include "authfd.h"
+#include "authfile.h"
+
+#define MODULE_NAME "pam_ssh"
+#define NEED_PASSPHRASE "Need passphrase for %s (%s).\nEnter passphrase: "
+#define PATH_SSH_AGENT "/usr/local/bin/ssh-agent"
+
+
+void
+rsa_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+ if (data)
+ RSA_free(data);
+}
+
+
+void
+ssh_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+ if (data)
+ free(data);
+}
+
+
+/*
+ * The following set of functions allow the module to manipulate the
+ * environment without calling the putenv() or setenv() stdlib functions.
+ * At least one version of these functions, on the first call, copies
+ * the environment into dynamically-allocated memory and then augments
+ * it. On subsequent calls, the realloc() call is used to grow the
+ * previously allocated buffer. Problems arise when the "environ"
+ * variable is changed to point to static memory after putenv()/setenv()
+ * have been called.
+ *
+ * We don't use putenv() or setenv() in case the application subsequently
+ * manipulates environ, (e.g., to clear the environment by pointing
+ * environ at an array of one element equal to NULL).
+ */
+
+SLIST_HEAD(env_head, env_entry);
+
+struct env_entry {
+ char *ee_env;
+ SLIST_ENTRY(env_entry) ee_entries;
+};
+
+typedef struct env {
+ char **e_environ_orig;
+ char **e_environ_new;
+ int e_count;
+ struct env_head e_head;
+ int e_committed;
+} ENV;
+
+extern char **environ;
+
+
+static ENV *
+env_new(void)
+{
+ ENV *self;
+
+ if (!(self = malloc(sizeof (ENV)))) {
+ syslog(LOG_CRIT, "%m");
+ return NULL;
+ }
+ SLIST_INIT(&self->e_head);
+ self->e_count = 0;
+ self->e_committed = 0;
+ return self;
+}
+
+
+static int
+env_put(ENV *self, char *s)
+{
+ struct env_entry *env;
+
+ if (!(env = malloc(sizeof (struct env_entry))) ||
+ !(env->ee_env = strdup(s))) {
+ syslog(LOG_CRIT, "%m");
+ return PAM_SERVICE_ERR;
+ }
+ SLIST_INSERT_HEAD(&self->e_head, env, ee_entries);
+ ++self->e_count;
+ return PAM_SUCCESS;
+}
+
+
+static void
+env_swap(ENV *self, int which)
+{
+ environ = which ? self->e_environ_new : self->e_environ_orig;
+}
+
+
+static int
+env_commit(ENV *self)
+{
+ int n;
+ struct env_entry *p;
+ char **v;
+
+ for (v = environ, n = 0; v && *v; v++, n++)
+ ;
+ if (!(v = malloc((n + self->e_count + 1) * sizeof (char *)))) {
+ syslog(LOG_CRIT, "%m");
+ return PAM_SERVICE_ERR;
+ }
+ self->e_committed = 1;
+ (void)memcpy(v, environ, n * sizeof (char *));
+ SLIST_FOREACH(p, &self->e_head, ee_entries)
+ v[n++] = p->ee_env;
+ v[n] = NULL;
+ self->e_environ_orig = environ;
+ self->e_environ_new = v;
+ env_swap(self, 1);
+ return PAM_SUCCESS;
+}
+
+
+static void
+env_destroy(ENV *self)
+{
+ struct env_entry *p;
+
+ env_swap(self, 0);
+ SLIST_FOREACH(p, &self->e_head, ee_entries) {
+ free(p->ee_env);
+ free(p);
+ }
+ if (self->e_committed)
+ free(self->e_environ_new);
+ free(self);
+}
+
+
+void
+env_cleanup(pam_handle_t *pamh, void *data, int error_status)
+{
+ if (data)
+ env_destroy(data);
+}
+
+
+typedef struct passwd PASSWD;
+
+PAM_EXTERN int
+pam_sm_authenticate(
+ pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+ char *comment_priv; /* on private key */
+ char *comment_pub; /* on public key */
+ char *identity; /* user's identity file */
+ Key key; /* user's private key */
+ int options; /* module options */
+ const char *pass; /* passphrase */
+ char *prompt; /* passphrase prompt */
+ Key public_key; /* user's public key */
+ const PASSWD *pwent; /* user's passwd entry */
+ PASSWD *pwent_keep; /* our own copy */
+ int retval; /* from calls */
+ uid_t saved_uid; /* caller's uid */
+ const char *user; /* username */
+
+ options = 0;
+ while (argc--)
+ pam_std_option(&options, *argv++);
+ if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+ return retval;
+ if (!((pwent = getpwnam(user)) && pwent->pw_dir)) {
+ /* delay? */
+ return PAM_AUTH_ERR;
+ }
+ /* locate the user's private key file */
+ if (!asprintf(&identity, "%s/%s", pwent->pw_dir,
+ SSH_CLIENT_IDENTITY)) {
+ syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+ return PAM_SERVICE_ERR;
+ }
+ /*
+ * Fail unless we can load the public key. Change to the
+ * owner's UID to appease load_public_key().
+ */
+ key.type = KEY_RSA;
+ key.rsa = RSA_new();
+ public_key.type = KEY_RSA;
+ public_key.rsa = RSA_new();
+ saved_uid = getuid();
+ (void)setreuid(pwent->pw_uid, saved_uid);
+ retval = load_public_key(identity, &public_key, &comment_pub);
+ (void)setuid(saved_uid);
+ if (!retval) {
+ free(identity);
+ return PAM_AUTH_ERR;
+ }
+ RSA_free(public_key.rsa);
+ /* build the passphrase prompt */
+ retval = asprintf(&prompt, NEED_PASSPHRASE, identity, comment_pub);
+ free(comment_pub);
+ if (!retval) {
+ syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+ free(identity);
+ return PAM_SERVICE_ERR;
+ }
+ /* pass prompt message to application and receive passphrase */
+ retval = pam_get_pass(pamh, &pass, prompt, options);
+ free(prompt);
+ if (retval != PAM_SUCCESS) {
+ free(identity);
+ return retval;
+ }
+ /*
+ * Try to decrypt the private key with the passphrase provided.
+ * If success, the user is authenticated.
+ */
+ (void)setreuid(pwent->pw_uid, saved_uid);
+ retval = load_private_key(identity, pass, &key, &comment_priv);
+ free(identity);
+ (void)setuid(saved_uid);
+ if (!retval)
+ return PAM_AUTH_ERR;
+ /*
+ * Save the key and comment to pass to ssh-agent in the session
+ * phase.
+ */
+ if ((retval = pam_set_data(pamh, "ssh_private_key", key.rsa,
+ rsa_cleanup)) != PAM_SUCCESS) {
+ RSA_free(key.rsa);
+ free(comment_priv);
+ return retval;
+ }
+ if ((retval = pam_set_data(pamh, "ssh_key_comment", comment_priv,
+ ssh_cleanup)) != PAM_SUCCESS) {
+ free(comment_priv);
+ return retval;
+ }
+ /*
+ * Copy the passwd entry (in case successive calls are made)
+ * and save it for the session phase.
+ */
+ if (!(pwent_keep = malloc(sizeof *pwent))) {
+ syslog(LOG_CRIT, "%m");
+ return PAM_SERVICE_ERR;
+ }
+ (void)memcpy(pwent_keep, pwent, sizeof *pwent_keep);
+ if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
+ ssh_cleanup)) != PAM_SUCCESS) {
+ free(pwent_keep);
+ return retval;
+ }
+ return PAM_SUCCESS;
+}
+
+
+PAM_EXTERN int
+pam_sm_setcred(
+ pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+
+typedef AuthenticationConnection AC;
+
+PAM_EXTERN int
+pam_sm_open_session(
+ pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+ AC *ac; /* to ssh-agent */
+ char *comment; /* on private key */
+ char *env_end; /* end of env */
+ char *env_file; /* to store env */
+ FILE *env_fp; /* env_file handle */
+ Key key; /* user's private key */
+ FILE *pipe; /* ssh-agent handle */
+ const PASSWD *pwent; /* user's passwd entry */
+ int retval; /* from calls */
+ uid_t saved_uid; /* caller's uid */
+ ENV *ssh_env; /* env handle */
+ const char *tty; /* tty or display name */
+ char hname[MAXHOSTNAMELEN]; /* local hostname */
+ char parse[BUFSIZ]; /* commands output */
+
+ /* dump output of ssh-agent in ~/.ssh */
+ if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
+ (const void **)&pwent)) != PAM_SUCCESS)
+ return retval;
+ /* use the tty or X display name in the filename */
+ if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty))
+ != PAM_SUCCESS)
+ return retval;
+ if (*tty == ':' && gethostname(hname, sizeof hname) == 0) {
+ if (asprintf(&env_file, "%s/.ssh/agent-%s%s",
+ pwent->pw_dir, hname, tty) == -1) {
+ syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+ return PAM_SERVICE_ERR;
+ }
+ } else if (asprintf(&env_file, "%s/.ssh/agent-%s", pwent->pw_dir,
+ tty) == -1) {
+ syslog(LOG_CRIT, "%s: %m", MODULE_NAME);
+ return PAM_SERVICE_ERR;
+ }
+ /* save the filename so we can delete the file on session close */
+ if ((retval = pam_set_data(pamh, "ssh_agent_env", env_file,
+ ssh_cleanup)) != PAM_SUCCESS) {
+ free(env_file);
+ return retval;
+ }
+ /* start the agent as the user */
+ saved_uid = geteuid();
+ (void)seteuid(pwent->pw_uid);
+ env_fp = fopen(env_file, "w");
+ pipe = popen(PATH_SSH_AGENT, "r");
+ (void)seteuid(saved_uid);
+ if (!pipe) {
+ syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT);
+ if (env_fp)
+ (void)fclose(env_fp);
+ return PAM_SESSION_ERR;
+ }
+ if (!(ssh_env = env_new()))
+ return PAM_SESSION_ERR;
+ if ((retval = pam_set_data(pamh, "ssh_env_handle", ssh_env,
+ env_cleanup)) != PAM_SUCCESS)
+ return retval;
+ while (fgets(parse, sizeof parse, pipe)) {
+ if (env_fp)
+ (void)fputs(parse, env_fp);
+ /*
+ * Save environment for application with pam_putenv()
+ * but also with env_* functions for our own call to
+ * ssh_get_authentication_connection().
+ */
+ if (strchr(parse, '=') && (env_end = strchr(parse, ';'))) {
+ *env_end = '\0';
+ /* pass to the application ... */
+ if (!((retval = pam_putenv(pamh, parse)) ==
+ PAM_SUCCESS)) {
+ (void)pclose(pipe);
+ if (env_fp)
+ (void)fclose(env_fp);
+ env_destroy(ssh_env);
+ return PAM_SERVICE_ERR;
+ }
+ env_put(ssh_env, parse);
+ }
+ }
+ if (env_fp)
+ (void)fclose(env_fp);
+ switch (retval = pclose(pipe)) {
+ case -1:
+ syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT);
+ env_destroy(ssh_env);
+ return PAM_SESSION_ERR;
+ case 0:
+ break;
+ case 127:
+ syslog(LOG_ERR, "%s: cannot execute %s", MODULE_NAME,
+ PATH_SSH_AGENT);
+ env_destroy(ssh_env);
+ return PAM_SESSION_ERR;
+ default:
+ syslog(LOG_ERR, "%s: %s exited with status %d",
+ MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval));
+ env_destroy(ssh_env);
+ return PAM_SESSION_ERR;
+ }
+ key.type = KEY_RSA;
+ /* connect to the agent and hand off the private key */
+ if ((retval = pam_get_data(pamh, "ssh_private_key",
+ (const void **)&key.rsa)) != PAM_SUCCESS ||
+ (retval = pam_get_data(pamh, "ssh_key_comment",
+ (const void **)&comment)) != PAM_SUCCESS ||
+ (retval = env_commit(ssh_env)) != PAM_SUCCESS) {
+ env_destroy(ssh_env);
+ return retval;
+ }
+ if (!(ac = ssh_get_authentication_connection())) {
+ syslog(LOG_ERR, "%s: could not connect to agent",
+ MODULE_NAME);
+ env_destroy(ssh_env);
+ return PAM_SESSION_ERR;
+ }
+ retval = ssh_add_identity(ac, key.rsa, comment);
+ ssh_close_authentication_connection(ac);
+ env_swap(ssh_env, 0);
+ return retval ? PAM_SUCCESS : PAM_SESSION_ERR;
+}
+
+
+PAM_EXTERN int
+pam_sm_close_session(
+ pam_handle_t *pamh,
+ int flags,
+ int argc,
+ const char **argv)
+{
+ const char *env_file; /* ssh-agent environment */
+ int retval; /* from calls */
+ ENV *ssh_env; /* env handle */
+
+ if ((retval = pam_get_data(pamh, "ssh_env_handle",
+ (const void **)&ssh_env)) != PAM_SUCCESS)
+ return retval;
+ env_swap(ssh_env, 1);
+ /* kill the agent */
+ retval = system(PATH_SSH_AGENT " -k");
+ env_destroy(ssh_env);
+ switch (retval) {
+ case -1:
+ syslog(LOG_ERR, "%s: %s -k: %m", MODULE_NAME,
+ PATH_SSH_AGENT);
+ return PAM_SESSION_ERR;
+ case 0:
+ break;
+ case 127:
+ syslog(LOG_ERR, "%s: cannot execute %s -k", MODULE_NAME,
+ PATH_SSH_AGENT);
+ return PAM_SESSION_ERR;
+ default:
+ syslog(LOG_ERR, "%s: %s -k exited with status %d",
+ MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval));
+ return PAM_SESSION_ERR;
+ }
+ /* retrieve environment filename, then remove the file */
+ if ((retval = pam_get_data(pamh, "ssh_agent_env",
+ (const void **)&env_file)) != PAM_SUCCESS)
+ return retval;
+ (void)unlink(env_file);
+ return PAM_SUCCESS;
+}
+
+
+PAM_MODULE_ENTRY(MODULE_NAME);
diff -uNr ../../OpenBSD/openssh-2.3.0/pty.c ./pty.c
--- ../../OpenBSD/openssh-2.3.0/pty.c Fri Sep 8 00:13:37 2000
+++ ./pty.c Fri Nov 24 05:43:08 2000
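Review bot: In pam_sm_authenticate the two asprintf() failure tests are inverted: asprintf() returns -1 on failure, which is what pam_sm_open_session's own `== -1` checks assume, so `if (!asprintf(&identity, ...))` and the `if (!retval)` after `retval = asprintf(&prompt, ...)` never fire and an allocation failure continues with an unset pointer; change them to `if (asprintf(&identity, "%s/%s", pwent->pw_dir, SSH_CLIENT_IDENTITY) == -1)` and `if (retval == -1)`. The `memcpy(pwent_keep, pwent, sizeof *pwent_keep)` copy is shallow, so the `pw_dir` that pam_sm_open_session later reads still points into getpwnam()'s static buffer and is overwritten by any intervening getpw*() call, contrary to the "in case successive calls are made" comment; duplicate the string members (at least `pw_dir`) and release them in the cleanup. In pam_sm_open_session the return values of `seteuid(pwent->pw_uid)` are discarded, so if that switch fails the `fopen(env_file, "w")` under the user's home directory and the popen() of the agent run with the caller's (normally root) identity; treat -1 from seteuid() as PAM_SESSION_ERR, and apply the same switch around the `unlink(env_file)` in pam_sm_close_session, which currently removes a path under the user's home directory with the caller's privileges. Both the pclose() switch and the system() switch compare the raw wait status with 127, which a shell's "command not found" exit never equals (it arrives as 127 << 8), so those cases are dead; test `WIFEXITED(retval) && WEXITSTATUS(retval) == 127` instead. Finally `tty` from PAM_TTY is dereferenced in `*tty == ':'` without a NULL check, although pam_get_item() reports PAM_SUCCESS with a NULL item when it was never set.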
@@ -14,9 +14,20 @@
 #include "includes.h"
 RCSID("$OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $");
+#ifndef __bsdi__
+#ifdef __FreeBSD__
+#include
+#else /* __FreeBSD__ */
 #include
+#endif /* __FreeBSD__ */
+#endif /* __bsdi__ */
 #include "pty.h"
 #include "ssh.h"
+
+#ifdef __bsdi__
+int openpty(int *amaster, int *aslave, char *name, struct termios *termp,
+ struct winsize *winp);
+#endif /* __bsdi__ */
 /* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
 #if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
diff -uNr ../../OpenBSD/openssh-2.3.0/scp/Makefile ./scp/Makefile
--- ../../OpenBSD/openssh-2.3.0/scp/Makefile Thu Jun 29 21:35:46 2000
+++ ./scp/Makefile Thu Nov 23 15:43:30 2000
@@ -4,10 +4,9 @@
 BINOWN= root
 BINMODE?=555
-
-BINDIR= /usr/bin
 MAN= scp.1
 SRCS= scp.c
+LDADD+= -lssh
 .include
diff -uNr ../../OpenBSD/openssh-2.3.0/scp.c ./scp.c
--- ../../OpenBSD/openssh-2.3.0/scp.c Wed Oct 18 20:23:02 2000
+++ ./scp.c Fri Nov 24 05:50:47 2000
@@ -80,6 +80,11 @@
 #include "ssh.h"
 #include "xmalloc.h"
+#ifdef __bsdi__
+void timersub(const struct timeval *a, const struct timeval *b,
+ struct timeval *result);
+#endif /* __bsdi__ */
+
 #define _PATH_CP "cp"
 /* For progressmeter() -- number of seconds before xfer considered "stalled" */
diff -uNr ../../OpenBSD/openssh-2.3.0/servconf.c ./servconf.c
--- ../../OpenBSD/openssh-2.3.0/servconf.c Sat Oct 14 14:12:09 2000
+++ ./servconf.c Fri Nov 24 05:44:40 2000
@@ -316,9 +316,9 @@
 FILE *f;
 char line[1024];
 char *cp, **charptr, *arg;
- int linenum, *intptr, value;
+ int linenum = 0, *intptr, value;
 int bad_options = 0;
- ServerOpCodes opcode;
+ ServerOpCodes opcode = 0;
 int i;
 f = fopen(filename, "r");
@@ -367,7 +367,11 @@
 filename, linenum);
 exit(1);
 }
- value = atoi(arg);
+ if (sscanf(arg, " %d ", &value) != 1) {
+ fprintf(stderr, "%s line %d: missing integer value.\n",
+ filename, linenum);
+ exit(1);
+ }
 if (*intptr == -1)
 *intptr = value;
 break;
diff -uNr ../../OpenBSD/openssh-2.3.0/session.c ./session.c
--- ../../OpenBSD/openssh-2.3.0/session.c Fri Oct 27 09:32:18 2000
+++ ./session.c Fri Nov 24 05:48:39 2000
@@ -53,8 +53,13 @@
 #include "auth-options.h"
 #ifdef HAVE_LOGIN_CAP
-#include
-#endif
+#ifdef __FreeBSD__
+#include
+#include
+#endif /* __FreeBSD__ */
+#include
+#include
+#endif /* HAVE_LOGIN_CAP */
 /* types */
@@ -171,13 +176,14 @@
 do_authenticated(struct passwd * pw)
 {
 Session *s;
- int type, fd;
+ int type = 0, fd;
 int compression_level = 0, enable_compression_after_reply = 0;
 int have_pty = 0;
 char *command;
 int n_bytes;
 int plen;
 unsigned int proto_len, data_len, dlen;
+ int success = 0;
 /*
 * Cancel the alarm we set to limit the time taken for
@@ -214,7 +220,7 @@
 * or a command.
 */
 for (;;) {
- int success = 0;
+ success = 0;
 /* Get a packet from the client. */
 type = packet_read(&plen);
@@ -637,6 +643,9 @@
 time_t last_login_time;
 struct passwd * pw = s->pw;
 pid_t pid = getpid();
+#ifdef HAVE_LOGIN_CAP
+ char *fname;
+#endif
 /*
 * Get IP address of client. If the connection is not a socket, let
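Review bot: `sscanf(arg, " %d ", &value)` in the `@@ -367,7 +367,11 @@` hunk still accepts trailing garbage ("10abc" converts and returns 1) and leaves the result unspecified on overflow, so the new check only rejects a completely missing number. A strtol() conversion with an end-pointer and errno test catches both: `errno = 0; lval = strtol(arg, &ep, 10); if (ep == arg || *ep != '\0' || errno == ERANGE || lval < INT_MIN || lval > INT_MAX)` followed by the same fprintf()/exit(1), then `value = (int)lval;`. `value` is declared as an int in the `@@ -316,9 +316,9 @@` hunk, outside this one, which is why the range check before the assignment is needed.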
@@ -680,6 +689,29 @@
 else
 printf("Last login: %s from %s\r\n", time_string, hostname);
 }
+#ifdef HAVE_LOGIN_CAP
+#ifdef __bsdi__
+ (void)printf("Copyright 1992, 1993, 1994, 1995, 1996, 1997 "
+ "Berkeley Software Design, Inc.\n");
+ (void)printf("%s\n\t%s %s\n\n",
+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+ if ((fname = login_getcapstr(lc, "copyright", NULL, NULL)) != NULL)
+ auth_cat(fname);
+#else /* __bsdi__ */
+ fname = login_getcapstr(lc, "copyright", NULL, NULL);
+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+ while (fgets(line, sizeof(line), f) != NULL)
+ fputs(line, stdout);
+ fclose(f);
+ } else
+ (void)printf("%s\n\t%s %s\n",
+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+#endif /* __bsdi__ */
+#endif /* HAVE_LOGIN_CAP */
 if (options.print_motd) {
 #ifdef HAVE_LOGIN_CAP
 f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
@@ -795,6 +827,10 @@
 struct stat st;
 char *argv[10];
+#ifdef __bsdi__
+ /* On BSDI, let nologin be handled by libc. */
+ auth_checknologin(lc);
+#else /* __bsdi__ */
 /* login(1) is only called if we execute the login shell */
 if (options.use_login && command != NULL)
 options.use_login = 0;
@@ -816,6 +852,7 @@
 exit(254);
 }
 }
+#endif /* __bsdi__ */
 /* Set login name, uid, gid, and groups. */
 /* Login(1) does this as well, and it needs uid 0 for the "-h"
 switch, so we let login(1) to this for us. */
@@ -988,7 +1025,7 @@
 * initgroups, because at least on Solaris 2.3 it leaves file
 * descriptors open.
 */
- for (i = 3; i < 64; i++)
+ for (i = 3; i < getdtablesize(); i++)
 close(i);
 /* Change current directory to the user\'s home directory. */
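Review bot: In the `@@ -680,6 +689,29 @@` hunk the non-BSD/OS branch writes into `f` and `line`, neither of which is declared in the hunk; presumably they are the variables the motd code just below reuses, but a comment such as `/* f and line are shared with the motd code below */` would spare the next reader the search. In the `@@ -988,7 +1025,7 @@` hunk `getdtablesize()` is re-evaluated on every iteration of the close loop; hoist it, `int nfds = getdtablesize(); for (i = 3; i < nfds; i++)`. The `#ifdef __bsdi__` opened in `@@ -795,6 +827,10 @@` and closed in `@@ -816,6 +852,7 @@` also bypasses the `options.use_login` adjustment on BSD/OS, not only the nologin test; if that is intended it deserves a comment saying so. The enclosing functions of all these hunks start outside them.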
@@ -1007,11 +1044,35 @@
 */
 environ = env;
+#ifdef HAVE_LOGIN_CAP
+ login_close(lc);
+#endif
+
 /*
 * Run $HOME/.ssh/rc, /etc/sshrc, or xauth (whichever is found first
 * in this order).
 */
 if (!options.use_login) {
+#if defined(__FreeBSD__) || defined(__bsdi__)
+ /*
+ * If the password change time is set and has passed, give the
+ * user a password expiry notice and chance to change it.
+ */
+ if (pw->pw_change != 0) {
+ struct timeval tv;
+
+ (void)gettimeofday(&tv, NULL);
+ if (tv.tv_sec >= pw->pw_change) {
+ (void)printf(
+ "Sorry -- your password has expired.\n");
+ syslog(LOG_INFO,
+ "%s Password expired - forcing change",
+ pw->pw_name);
+ if (system("/usr/bin/passwd") != 0)
+ perror("/usr/bin/passwd");
+ }
+ }
+#endif /* __FreeBSD__ || __bsdi__ */
 if (stat(SSH_USER_RC, &st) >= 0) {
 if (debug_flag)
 fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC);
@@ -1132,7 +1193,21 @@
 */
 argv[0] = (char *) cp;
 argv[1] = "-c";
- argv[2] = (char *) command;
+#ifdef __bsdi__
+ /*
+ * Dirty hack. scp is installed in /usr/local/bin, so it's not
+ * in $PATH by default. To make scp work, canonicalize command
+ * if it starts with "scp\s". What makes it worse is that
+ * everything is hardcoded. Oh well. I'm lazy.
+ */
+ if (strncmp(command, "scp", 3) == 0 &&
+ isspace(command[3])) {
+ argv[2] = xmalloc(strlen(command) + sizeof("/usr/local/bin/"));
+ strcpy(argv[2], "/usr/local/bin/");
+ strcat(argv[2], command);
+ } else
+#endif /* __bsdi__ */
+ argv[2] = (char *) command;
 argv[3] = NULL;
 execve(shell, argv, env);
 perror(shell);
diff -uNr ../../OpenBSD/openssh-2.3.0/sftp-server/Makefile ./sftp-server/Makefile
--- ../../OpenBSD/openssh-2.3.0/sftp-server/Makefile Fri Sep 1 00:52:24 2000
+++ ./sftp-server/Makefile Fri Nov 24 04:53:25 2000
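Review bot: The password-expiry block added in `@@ -1007,11 +1044,35 @@` prints "Sorry -- your password has expired." and runs `/usr/bin/passwd` through system() on every non-use_login session, with no test that the session is interactive: for a remote command such as scp the message and passwd's prompts are written into the data stream, and passwd has no terminal to read from. Guard it with the condition the interactive path uses — if `command` (referenced in the `@@ -1132,7 +1193,21 @@` hunk of what looks like the same function, which starts outside this hunk) is in scope here, `if (pw->pw_change != 0 && command == NULL)`. system() also runs via /bin/sh under the just-installed `environ = env`; a fork()/execve() of `/usr/bin/passwd` with an explicit argv is the safer form and reports a failed exec directly instead of through shell exit-status conventions.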
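Review bot: `isspace(command[3])` in the `@@ -1132,7 +1193,21 @@` hunk passes a plain char to a <ctype.h> function; on a platform with signed char a byte above 0x7f becomes a negative argument, which is undefined behaviour, so write `isspace((unsigned char)command[3])`. The rewrite also never frees the xmalloc()'d `argv[2]`, which is harmless only because execve() follows immediately; a comment `/* argv[2] is intentionally not freed: execve() replaces the image */` makes that explicit. The xmalloc()/strcpy()/strcat() triple can be one bounded call: `size_t len = strlen(command) + sizeof("/usr/local/bin/");` then `argv[2] = xmalloc(len); snprintf(argv[2], len, "/usr/local/bin/%s", command);`.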
@@ -5,12 +5,12 @@
 BINMODE?=555
-BINDIR= /usr/libexec
+BINDIR= /usr/local/libexec
 MAN= sftp-server.8
 SRCS= sftp-server.c log-server.c
 .include
-LDADD+= -lcrypto # -lutil -lz
+LDADD+= -lssh -lcrypto # -lutil -lz
 DPADD+= ${LIBCRYPTO} # ${LIBDES} ${LIBUTIL} ${LIBZ}
diff -uNr ../../OpenBSD/openssh-2.3.0/ssh/Makefile ./ssh/Makefile
--- ../../OpenBSD/openssh-2.3.0/ssh/Makefile Sun Sep 3 21:41:19 2000
+++ ./ssh/Makefile Thu Nov 23 16:29:18 2000
@@ -5,7 +5,6 @@
 BINMODE?=4555
-BINDIR= /usr/bin
 MAN= ssh.1
 LINKS= ${BINDIR}/ssh ${BINDIR}/slogin
 MLINKS= ssh.1 slogin.1
@@ -13,20 +12,7 @@
 SRCS= ssh.c log-client.c readconf.c clientloop.c \
 sshconnect.c sshconnect1.c sshconnect2.c
-.include # for AFS
-
-.if (${KERBEROS:L} == "yes")
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-LDADD+= -lkrb
-DPADD+= ${LIBKRB}
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-LDADD+= -lkafs
-DPADD+= ${LIBKRBAFS}
-.endif # AFS
-.endif # KERBEROS
-
 .include
-LDADD+= -lutil -lz -lcrypto
+LDADD+= -lssh -lutil -lz -lcrypto
 DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
diff -uNr ../../OpenBSD/openssh-2.3.0/ssh-add/Makefile ./ssh-add/Makefile
--- ../../OpenBSD/openssh-2.3.0/ssh-add/Makefile Thu Jun 29 21:35:47 2000
+++ ./ssh-add/Makefile Thu Nov 23 16:30:10 2000
@@ -5,12 +5,11 @@
 BINMODE?=555
-BINDIR= /usr/bin
 MAN= ssh-add.1
 SRCS= ssh-add.c log-client.c
 .include
-LDADD+= -lcrypto -lutil -lz
+LDADD+= -lssh -lcrypto -lutil -lz
 DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff -uNr ../../OpenBSD/openssh-2.3.0/ssh-agent/Makefile ./ssh-agent/Makefile
--- ../../OpenBSD/openssh-2.3.0/ssh-agent/Makefile Thu Jun 29 21:35:48 2000
+++ ./ssh-agent/Makefile Thu Nov 23 16:30:49 2000
@@ -5,12 +5,11 @@
 BINMODE?=555
-BINDIR= /usr/bin
 MAN= ssh-agent.1
 SRCS= ssh-agent.c log-client.c
 .include
-LDADD+= -lcrypto -lutil -lz
+LDADD+= -lssh -lcrypto -lutil -lz
 DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff -uNr ../../OpenBSD/openssh-2.3.0/ssh-keygen/Makefile ./ssh-keygen/Makefile
--- ../../OpenBSD/openssh-2.3.0/ssh-keygen/Makefile Thu Jun 29 21:35:48 2000
+++ ./ssh-keygen/Makefile Thu Nov 23 16:31:18 2000
@@ -5,12 +5,11 @@
 BINMODE?=555
-BINDIR= /usr/bin
 MAN= ssh-keygen.1
 SRCS= ssh-keygen.c log-client.c
 .include
-LDADD+= -lcrypto -lutil -lz
+LDADD+= -lssh -lcrypto -lutil -lz
 DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ}
diff -uNr ../../OpenBSD/openssh-2.3.0/ssh.c ./ssh.c
--- ../../OpenBSD/openssh-2.3.0/ssh.c Fri Oct 27 09:32:19 2000
+++ ./ssh.c Fri Nov 24 04:46:34 2000
@@ -185,6 +185,9 @@
 log("Using rsh. WARNING: Connection will not be encrypted.");
 /* Build argument list for rsh. */
 i = 0;
+#ifndef _PATH_RSH
+#define _PATH_RSH "/usr/bin/rsh"
+#endif
 args[i++] = _PATH_RSH;
 /* host may have to come after user on some systems */
 args[i++] = host;
@@ -521,6 +524,11 @@
 pwcopy.pw_class = xstrdup(pw->pw_class);
 pwcopy.pw_dir = xstrdup(pw->pw_dir);
 pwcopy.pw_shell = xstrdup(pw->pw_shell);
+#ifdef HAVE_LOGIN_CAP
+ pwcopy.pw_class = xstrdup(pw->pw_class);
+ pwcopy.pw_expire = pw->pw_expire;
+ pwcopy.pw_change = pw->pw_change;
+#endif /* HAVE_LOGIN_CAP */
 pw = &pwcopy;
 /* Initialize "log" output. Since we are the client all output
diff -uNr ../../OpenBSD/openssh-2.3.0/ssh.h ./ssh.h
--- ../../OpenBSD/openssh-2.3.0/ssh.h Wed Oct 11 22:27:24 2000
+++ ./ssh.h Fri Nov 24 04:43:18 2000
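Review bot: The `@@ -521,6 +524,11 @@` hunk of ssh.c adds `pwcopy.pw_class = xstrdup(pw->pw_class);` under HAVE_LOGIN_CAP although the unconditional context line three lines above already performs the same xstrdup(), so the first copy is leaked and the assignment is redundant; drop the duplicated line and keep only the `pw_expire`/`pw_change` copies in the conditional block. The enclosing function starts and ends outside the hunk.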
@@ -29,6 +29,24 @@
 /* Maximum number of TCP/IP ports forwarded per direction. */
 #define SSH_MAX_FORWARDS_PER_DIRECTION 100
+#ifdef HAVE_LOGIN_CAP
+#include
+#endif /* HAVE_LOGIN_CAP */
+
+#ifdef __bsdi__
+#define BSD_AUTH
+#define login_getpwclass(pw) login_getclass((pw)->pw_class)
+#define login_getclassbyname(foo, bar) NULL /* No idea what it does. */
+
+size_t strlcat(char *dst, const char *src, size_t siz);
+size_t strlcpy(char *dst, const char *src, size_t siz);
+u_int32_t arc4random(void);
+void arc4random_stir(void);
+char* mkdtemp(char *path);
+
+void setproctitle(const char *fmt, ...);
+#endif /* __bsdi__ */
+
 /*
 * Maximum number of RSA authentication identity files that can be specified
 * in configuration files or on the command line.
@@ -75,7 +93,7 @@
 #define HOST_DSA_KEY_FILE ETCDIR "/ssh_host_dsa_key"
 #define DH_PRIMES ETCDIR "/primes"
-#define SSH_PROGRAM "/usr/bin/ssh"
+#define SSH_PROGRAM "/usr/local/bin/ssh"
 /*
 * The process id of the daemon listening for connections is saved here to
@@ -319,7 +337,12 @@
 * Tries to authenticate the user using password. Returns true if
 * authentication succeeds.
 */
-int auth_password(struct passwd * pw, const char *password);
+#ifdef BSD_AUTH
+int auth_password(struct passwd * pw, const char *password,
+ login_cap_t *lc, char *style);
+#else /* BSD_AUTH */
+int auth_password(struct passwd * pw, const char *password);
+#endif /* BSD_AUTH */
 /*
 * Performs the RSA authentication dialog with the client. This returns 0 if
diff -uNr ../../OpenBSD/openssh-2.3.0/sshconnect.c ./sshconnect.c
--- ../../OpenBSD/openssh-2.3.0/sshconnect.c Sun Sep 17 18:52:51 2000
+++ ./sshconnect.c Thu Nov 23 14:24:25 2000
@@ -151,7 +151,11 @@
 */
 if (privileged) {
 int p = IPPORT_RESERVED - 1;
+#ifdef __bsdi__
+ sock = rresvport(&p);
+#else /* __bsdi__ */
 sock = rresvport_af(&p, family);
+#endif /* __bsdi__ */
 if (sock < 0)
 error("rresvport: af=%d %.100s", family, strerror(errno));
 else
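Review bot: `#define login_getclassbyname(foo, bar) NULL /* No idea what it does. */` in the `@@ -29,6 +29,24 @@` hunk of ssh.h makes every BSD/OS caller receive NULL, and whether a caller then treats NULL as "no class" or as a hard error cannot be told from this hunk; the comment should at least record the intent, e.g. `/* BSD/OS has no login_getclassbyname(); callers must treat NULL as "no such class" */`. The hand-written prototypes for strlcpy()/strlcat()/arc4random()/mkdtemp()/setproctitle() in the same block will clash with any later BSD/OS libc that declares them with different qualifiers; guarding each behind a per-function configure macro keeps the header usable when the platform catches up.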
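Review bot: In the `@@ -151,7 +151,11 @@` hunk of sshconnect.c, rresvport() only creates an AF_INET socket, so on BSD/OS a `family` of AF_INET6 (which the surrounding code still passes through and reports in the error message) yields a socket of the wrong address family for the later connect. Either skip the reserved-port path for other families on that platform, e.g. `sock = (family == AF_INET) ? rresvport(&p) : -1;`, or document that privileged source ports are IPv4-only there. The enclosing function starts and ends outside the hunk.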
@@ -479,9 +483,11 @@
 case AF_INET:
 local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET;
 break;
+#ifdef INET6
 case AF_INET6:
 local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr));
 break;
+#endif /* INET6 */
 default:
 local = 0;
 break;
diff -uNr ../../OpenBSD/openssh-2.3.0/sshd/Makefile ./sshd/Makefile
--- ../../OpenBSD/openssh-2.3.0/sshd/Makefile Wed Oct 11 22:14:40 2000
+++ ./sshd/Makefile Fri Nov 24 04:49:47 2000
@@ -3,45 +3,14 @@
 PROG= sshd
 BINOWN= root
 BINMODE=555
-BINDIR= /usr/sbin
+BINDIR= /usr/local/sbin
 MAN= sshd.8
-CFLAGS+=-DHAVE_LOGIN_CAP
 SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
 pty.c log-server.c login.c servconf.c serverloop.c \
 auth.c auth1.c auth2.c auth-options.c session.c dh.c
-.include # for KERBEROS and AFS
-
-.if (${KERBEROS:L} == "yes")
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-LDADD+= -lkafs
-DPADD+= ${LIBKRBAFS}
-.endif # AFS
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-SRCS+= auth-krb4.c
-LDADD+= -lkrb
-DPADD+= ${LIBKRB}
-.endif # KERBEROS
-
-.if (${SKEY:L} == "yes")
-SRCS+= auth-skey.c auth2-skey.c
-.endif
-
 .include
-LDADD+= -lcrypto -lutil -lz
+LDADD+= -lssh -lcrypto -lutil -lz
 DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
-
-.if (${TCP_WRAPPERS:L} == "yes")
-CFLAGS+= -DLIBWRAP
-LDADD+= -lwrap
-DPADD+= ${LIBWRAP}
-.endif
-
-.if (${SKEY:L} == "yes")
-CF LAGS+= -DSKEY
-LDADD+= -lskey
-DPADD+= ${SKEY}
-.endif
diff -uNr ../../OpenBSD/openssh-2.3.0/sshd.c ./sshd.c
--- ../../OpenBSD/openssh-2.3.0/sshd.c Fri Oct 13 20:34:46 2000
+++ ./sshd.c Fri Nov 24 04:46:55 2000
@@ -75,6 +75,15 @@
 int deny_severity = LOG_WARNING;
 #endif /* LIBWRAP */
+#ifdef HAVE_LOGIN_CAP
+#ifdef __FreeBSD__
+#include
+#include
+#endif /* __FreeBSD__ */
+#include
+#include
+#endif /* HAVE_LOGIN_CAP */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY 0
 #endif
diff -uNr ../../OpenBSD/openssh-2.3.0/sshd_config ./sshd_config
--- ../../OpenBSD/openssh-2.3.0/sshd_config Wed Oct 11 22:14:39 2000
+++ ./sshd_config Fri Nov 24 04:47:26 2000
@@ -8,7 +8,7 @@
 ServerKeyBits 768
 LoginGraceTime 600
 KeyRegenerationInterval 3600
-PermitRootLogin yes
+PermitRootLogin no
 #
 # Don't read ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
diff -uNr ../../OpenBSD/openssh-2.3.0/uidswap.c ./uidswap.c
--- ../../OpenBSD/openssh-2.3.0/uidswap.c Thu Sep 7 23:27:55 2000
+++ ./uidswap.c Fri Nov 24 05:40:32 2000
@@ -33,7 +33,9 @@
 #endif /* _POSIX_SAVED_IDS */
 /* Saved effective uid. */
+#ifdef SAVED_IDS_WORK_WITH_SETEUID
 static uid_t saved_euid = 0;
+#endif /* SAVED_IDS_WORK_WITH_SETEUID */
 /*
 * Temporarily changes to the given uid. If the effective user
diff -uNr ../../OpenBSD/openssh-2.3.0/uuencode.c ./uuencode.c
--- ../../OpenBSD/openssh-2.3.0/uuencode.c Thu Sep 7 23:27:55 2000
+++ ./uuencode.c Thu Nov 23 14:24:25 2000
@@ -27,6 +27,9 @@
 #include "includes.h"
 #include "xmalloc.h"
+#ifdef __bsdi__
+#include
+#endif /* __bsdi__ */
 #include
 RCSID("$OpenBSD: uuencode.c,v 1.7 2000/09/07 20:27:55 deraadt Exp $");