[Openssh-commits] r42 - in trunk: . contrib/caldera contrib/redhat contrib/suse debian openbsd-compat openbsd-compat/regress regress

ed_ at garage.maemo.org
Mon Mar 10 22:34:39 EET 2008


Author: ed_
Date: 2008-03-10 22:34:38 +0200 (Mon, 10 Mar 2008)
New Revision: 42

Modified:
   trunk/ChangeLog
   trunk/INSTALL
   trunk/LICENCE
   trunk/Makefile.in
   trunk/README
   trunk/README.platform
   trunk/atomicio.c
   trunk/auth-pam.c
   trunk/auth-shadow.c
   trunk/auth.c
   trunk/auth2.c
   trunk/bufbn.c
   trunk/buildpkg.sh.in
   trunk/channels.c
   trunk/channels.h
   trunk/cipher-3des1.c
   trunk/cipher-bf1.c
   trunk/cipher-ctr.c
   trunk/clientloop.c
   trunk/clientloop.h
   trunk/config.h.in
   trunk/configure
   trunk/configure.ac
   trunk/contrib/caldera/openssh.spec
   trunk/contrib/redhat/openssh.spec
   trunk/contrib/suse/openssh.spec
   trunk/debian/changelog
   trunk/defines.h
   trunk/entropy.c
   trunk/gss-genr.c
   trunk/gss-serv.c
   trunk/includes.h
   trunk/kex.c
   trunk/kex.h
   trunk/key.c
   trunk/log.c
   trunk/loginrec.c
   trunk/mac.c
   trunk/mac.h
   trunk/mdoc2man.awk
   trunk/monitor.c
   trunk/monitor_wrap.c
   trunk/myproposal.h
   trunk/openbsd-compat/Makefile.in
   trunk/openbsd-compat/bsd-cray.c
   trunk/openbsd-compat/bsd-getpeereid.c
   trunk/openbsd-compat/bsd-misc.c
   trunk/openbsd-compat/getrrsetbyname.c
   trunk/openbsd-compat/openbsd-compat.h
   trunk/openbsd-compat/openssl-compat.h
   trunk/openbsd-compat/port-aix.c
   trunk/openbsd-compat/port-linux.c
   trunk/openbsd-compat/port-uw.c
   trunk/openbsd-compat/port-uw.h
   trunk/openbsd-compat/regress/closefromtest.c
   trunk/openbsd-compat/xcrypt.c
   trunk/openbsd-compat/xmmap.c
   trunk/openssh.xml.in
   trunk/packet.c
   trunk/readconf.c
   trunk/regress/agent-getpeereid.sh
   trunk/scard-opensc.c
   trunk/scp.0
   trunk/scp.1
   trunk/scp.c
   trunk/servconf.c
   trunk/session.c
   trunk/sftp-server.0
   trunk/sftp-server.8
   trunk/sftp-server.c
   trunk/sftp.0
   trunk/sftp.1
   trunk/ssh-add.0
   trunk/ssh-add.1
   trunk/ssh-agent.0
   trunk/ssh-agent.1
   trunk/ssh-agent.c
   trunk/ssh-gss.h
   trunk/ssh-keygen.0
   trunk/ssh-keygen.1
   trunk/ssh-keyscan.0
   trunk/ssh-keyscan.1
   trunk/ssh-keysign.0
   trunk/ssh-keysign.8
   trunk/ssh-rand-helper.0
   trunk/ssh-rand-helper.c
   trunk/ssh.0
   trunk/ssh.1
   trunk/ssh.c
   trunk/ssh_config
   trunk/ssh_config.0
   trunk/ssh_config.5
   trunk/sshconnect2.c
   trunk/sshd.0
   trunk/sshd.8
   trunk/sshd.c
   trunk/sshd_config
   trunk/sshd_config.0
   trunk/sshd_config.5
   trunk/version.h
Log:
upgraded to upstream version 4.7p1-2

Modified: trunk/ChangeLog
===================================================================
--- trunk/ChangeLog	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ChangeLog	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,3 +1,371 @@
+20070817
+ - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked
+   accounts and that's what the code looks for, so make man page and code
+   agree.  Pointed out by Roumen Petrov.
+ - (dtucker) [INSTALL] Group the parts describing random options and PAM
+   implementations together which is hopefully more coherent.
+ - (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid.
+ - (dtucker) [INSTALL] Give PAM its own heading.
+ - (dtucker) [INSTALL] Link to tcpwrappers.
+
+20070816
+ - (dtucker) [session.c] Call PAM cleanup functions for unauthenticated
+   connections too.  Based on a patch from Sandro Wefel, with & ok djm@
+
+20070815
+ - (dtucker) OpenBSD CVS Sync
+   - markus at cvs.openbsd.org 2007/08/15 08:14:46
+     [clientloop.c]
+     do NOT fall back to the trused x11 cookie if generation of an untrusted
+     cookie fails; from Jan Pechanec, via security-alert at sun.com;
+     ok dtucker
+   - markus at cvs.openbsd.org 2007/08/15 08:16:49
+     [version.h]
+     openssh 4.7
+   - stevesk at cvs.openbsd.org 2007/08/15 12:13:41
+     [ssh_config.5]
+     tun device forwarding now honours ExitOnForwardFailure; ok markus@
+ - (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler.
+   ok djm@
+ - (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec
+   contrib/suse/openssh.spec] Crank version.
+
+20070813
+ - (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always
+   called with PAM_ESTABLISH_CRED at least once, which resolves a problem
+   with pam_dhkeys.  Patch from David Leonard, ok djm@
+
+20070810
+ - (dtucker) [auth-pam.c] Use sigdie here too.  ok djm@
+ - (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From 
+   Matt Kraai, ok djm@ 
+
+20070809
+ - (dtucker) [openbsd-compat/port-aix.c] Comment typo.
+ - (dtucker) [README.platform] Document the interaction between PermitRootLogin
+   and the AIX native login restrictions.
+ - (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't
+   used anywhere and are a potential source of warnings.
+
+20070808
+ - (djm) OpenBSD CVS Sync
+   - ray at cvs.openbsd.org 2007/07/12 05:48:05
+     [key.c]
+     Delint: remove some unreachable statements, from Bret Lambert.
+     OK markus@ and dtucker at .
+   - sobrado at cvs.openbsd.org 2007/08/06 19:16:06
+     [scp.1 scp.c]
+     the ellipsis is not an optional argument; while here, sync the usage
+     and synopsis of commands
+     lots of good ideas by jmc@
+     ok jmc@
+   - djm at cvs.openbsd.org 2007/08/07 07:32:53
+     [clientloop.c clientloop.h ssh.c]
+     bz#1232: ensure that any specified LocalCommand is executed after the
+     tunnel device is opened. Also, make failures to open a tunnel device
+     fatal when ExitOnForwardFailure is active.
+     Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt
+
+20070724
+ - (tim) [openssh.xml.in] make FMRI match what package scripts use.
+ - (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call.
+   Report/patch by David.Leonard AT quest.com (and Bernhard Simon)
+ - (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5)
+ - (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}|
+
+20070628
+ - (djm) bz#1325: Fix SELinux in permissive mode where it would
+   incorrectly fatal() on errors. patch from cjwatson AT debian.org;
+   ok dtucker
+
+20070625
+ - (dtucker) OpenBSD CVS Sync
+   - djm at cvs.openbsd.org 2007/06/13 00:21:27
+     [scp.c]
+     don't ftruncate() non-regular files; bz#1236 reported by wood AT
+     xmission.com; ok dtucker@
+   - djm at cvs.openbsd.org 2007/06/14 21:43:25
+     [ssh.c]
+     handle EINTR when waiting for mux exit status properly
+   - djm at cvs.openbsd.org 2007/06/14 22:48:05
+     [ssh.c]
+     when waiting for the multiplex exit status, read until the master end
+     writes an entire int of data *and* closes the client_fd; fixes mux
+     regression spotted by dtucker, ok dtucker@
+   - djm at cvs.openbsd.org 2007/06/19 02:04:43
+     [atomicio.c]
+     if the fd passed to atomicio/atomiciov() is non blocking, then poll() to
+     avoid a spin if it is not yet ready for reading/writing; ok dtucker@
+   - dtucker at cvs.openbsd.org 2007/06/25 08:20:03
+     [channels.c]
+     Correct test for window updates every three packets; prevents sending
+     window updates for every single packet.  ok markus@
+   - dtucker at cvs.openbsd.org 2007/06/25 12:02:27
+     [atomicio.c]
+     Include <poll.h> like the man page says rather than <sys/poll.h>.  ok djm@
+ - (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match
+   atomicio.
+ - (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in
+   openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h]
+   Add an implementation of poll() built on top of select(2).  Code from
+   OpenNTPD with changes suggested by djm.  ok djm@
+
+20070614
+ - (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the
+   USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be
+   shared with umac.c.  Allows building with OpenSSL 0.9.5 again including
+   umac support.  With tim@ djm@, ok djm.
+ - (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL
+   sections.  Fixes builds with early OpenSSL 0.9.6 versions.
+ - (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition
+   of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the
+   subsequent <0.9.7 test.
+
+20070612
+ - (dtucker) OpenBSD CVS Sync
+   - markus at cvs.openbsd.org 2007/06/11 09:14:00
+     [channels.h]
+     increase default channel windows; ok djm
+   - djm at cvs.openbsd.org 2007/06/12 07:41:00
+     [ssh-add.1]
+     better document ssh-add's -d option (delete identies from agent), bz#1224
+     new text based on some provided by andrewmc-debian AT celt.dias.ie;
+     ok dtucker@
+   - djm at cvs.openbsd.org 2007/06/12 08:20:00
+     [ssh-gss.h gss-serv.c gss-genr.c]
+     relocate server-only GSSAPI code from libssh to server; bz #1225
+     patch from simon AT sxw.org.uk; ok markus@ dtucker@
+   - djm at cvs.openbsd.org 2007/06/12 08:24:20
+     [scp.c]
+     make scp try to skip FIFOs rather than blocking when nothing is listening.
+     depends on the platform supporting sane O_NONBLOCK semantics for open
+     on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
+     bz #856; report by cjwatson AT debian.org; ok markus@
+   - djm at cvs.openbsd.org 2007/06/12 11:11:08
+     [ssh.c]
+     fix slave exit value when a control master goes away without passing the
+     full exit status by ensuring that the slave reads a full int. bz#1261
+     reported by frekko AT gmail.com; ok markus@ dtucker@
+   - djm at cvs.openbsd.org 2007/06/12 11:15:17
+     [ssh.c ssh.1]
+     Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
+     GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
+     and is useful for hosts with /home on Kerberised NFS; bz #1312
+     patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
+   - djm at cvs.openbsd.org 2007/06/12 11:45:27
+     [ssh.c]
+     improved exit message from multiplex slave sessions; bz #1262
+     reported by alexandre.nunes AT gmail.com; ok dtucker@
+   - dtucker at cvs.openbsd.org 2007/06/12 11:56:15
+     [gss-genr.c]
+     Pass GSS OID to gss_display_status to provide better information in
+     error messages.  Patch from Simon Wilkinson via bz 1220.  ok djm@
+   - jmc at cvs.openbsd.org 2007/06/12 13:41:03
+     [ssh-add.1]
+     identies -> identities;
+   - jmc at cvs.openbsd.org 2007/06/12 13:43:55
+     [ssh.1]
+     add -K to SYNOPSIS;
+   - dtucker at cvs.openbsd.org 2007/06/12 13:54:28
+     [scp.c]
+     Encode filename with strnvis if the name contains a newline (which can't
+     be represented in the scp protocol), from bz #891.  ok markus@
+
+20070611
+ - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit
+   fix; tested by dtucker@ and jochen.kirn AT gmail.com
+   - pvalchev at cvs.openbsd.org 2007/06/07 19:37:34
+     [kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
+     [ssh_config.5 sshd.8 sshd_config.5]
+     Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
+     must specify umac-64 at openssh.com). Provides about 20% end-to-end speedup
+     compared to hmac-md5. Represents a different approach to message
+     authentication to that of HMAC that may be beneficial if HMAC based on
+     one of its underlying hash algorithms is found to be vulnerable to a
+     new attack.  http://www.ietf.org/rfc/rfc4418.txt
+     in conjunction with and OK djm@
+   - pvalchev at cvs.openbsd.org 2007/06/08 04:40:40
+     [ssh_config]
+     Add a "MACs" line after "Ciphers" with the default MAC algorithms,
+     to ease people who want to tweak both (eg. for performance reasons).
+     ok deraadt@ djm@ dtucker@
+   - jmc at cvs.openbsd.org 2007/06/08 07:43:46
+     [ssh_config.5]
+     put the MAC list into a display, like we do for ciphers,
+     since groff has trouble handling wide lines;
+   - jmc at cvs.openbsd.org 2007/06/08 07:48:09
+     [sshd_config.5]
+     oops, here too: put the MAC list into a display, like we do for
+     ciphers, since groff has trouble with wide lines;
+   - markus at cvs.openbsd.org 2007/06/11 08:04:44
+     [channels.c]
+     send 'window adjust' messages every tree packets and do not wait
+     until 50% of the window is consumed.  ok djm dtucker
+ - (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then
+   fallback to provided bit-swizzing functions
+ - (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder"
+   argument to nanosleep may be NULL.  Currently this never happens in OpenSSH,
+   but check anyway in case this changes or the code gets used elsewhere.
+ - (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H.  Should
+   prevent warnings about redefinitions of various things in paths.h.
+   Spotted by cartmanltd at hotmail.com.
+
+20070605
+ - (dtucker) OpenBSD CVS Sync
+   - djm at cvs.openbsd.org 2007/05/22 10:18:52
+     [sshd.c]
+     zap double include; from p_nowaczyk AT o2.pl
+     (not required in -portable, Id sync only)
+   - djm at cvs.openbsd.org 2007/05/30 05:58:13
+     [kex.c]
+     tidy: KNF, ARGSUSED and u_int
+   - jmc at cvs.openbsd.org 2007/05/31 19:20:16
+     [scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
+     ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
+     convert to new .Dd format;
+     (We will need to teach mdoc2man.awk to understand this too.)
+   - djm at cvs.openbsd.org 2007/05/31 23:34:29
+     [packet.c]
+     gc unreachable code; spotted by Tavis Ormandy
+   - djm at cvs.openbsd.org 2007/06/02 09:04:58
+     [bufbn.c]
+     memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca
+   - djm at cvs.openbsd.org 2007/06/05 06:52:37
+     [kex.c monitor_wrap.c packet.c mac.h kex.h mac.c]
+     Preserve MAC ctx between packets, saving 2xhash calls per-packet.
+     Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
+     patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
+     committing at his request)
+ - (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that
+   OpenBSD's cvs now adds.
+ - (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so
+   mindrot's cvs doesn't expand it on us.
+ - (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs.
+
+20070520
+ - (dtucker) OpenBSD CVS Sync
+   - stevesk at cvs.openbsd.org 2007/04/14 22:01:58
+     [auth2.c]
+     remove unused macro; from Dmitry V. Levin <ldv at altlinux.org>
+   - stevesk at cvs.openbsd.org 2007/04/18 01:12:43
+     [sftp-server.c]
+     cast "%llu" format spec to (unsigned long long); do not assume a
+     u_int64_t arg is the same as 'unsigned long long'.
+     from Dmitry V. Levin <ldv at altlinux.org>
+     ok markus@ 'Yes, that looks correct' millert@
+   - dtucker at cvs.openbsd.org 2007/04/23 10:15:39
+     [servconf.c]
+     Remove debug() left over from development.  ok deraadt@
+   - djm at cvs.openbsd.org 2007/05/17 07:50:31
+     [log.c]
+     save and restore errno when logging; ok deraadt@
+   - djm at cvs.openbsd.org 2007/05/17 07:55:29
+     [sftp-server.c]
+     bz#1286 stop reading and processing commands when input or output buffer
+     is nearly full, otherwise sftp-server would happily try to grow the
+     input/output buffers past the maximum supported by the buffer API and
+     promptly fatal()
+     based on patch from Thue Janus Kristensen; feedback & ok dtucker@
+   - djm at cvs.openbsd.org 2007/05/17 20:48:13
+     [sshconnect2.c]
+     fall back to gethostname() when the outgoing connection is not
+     on a socket, such as is the case when ProxyCommand is used.
+     Gives hostbased auth an opportunity to work; bz#616, report
+     and feedback stuart AT kaloram.com; ok markus@
+   - djm at cvs.openbsd.org 2007/05/17 20:52:13
+     [monitor.c]
+     pass received SIGINT from monitor to postauth child so it can clean
+     up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
+     ok markus@
+   - jolan at cvs.openbsd.org 2007/05/17 23:53:41
+     [sshconnect2.c]
+     djm owes me a vb and a tism cd for breaking ssh compilation
+ - (dtucker) [auth-pam.c] malloc+memset -> calloc.  Patch from
+   ldv at altlinux.org.
+ - (dtucker) [auth-pam.c] Return empty string if fgets fails in
+   sshpam_tty_conv.  Patch from ldv at altlinux.org.
+
+20070509
+ - (tim) [configure.ac] Bug #1287: Add missing test for ucred.h.
+
+20070429
+ - (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h
+   for select(2) prototype.
+ - (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype.
+ - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the
+   platform's _res if it has one.  Should fix problem of DNSSEC record lookups
+   on NetBSD as reported by Curt Sampson.
+ - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
+ - (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS
+   so we don't get redefinition warnings.
+ - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
+ - (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__
+   __nonnull__ for versions of GCC that don't support it.
+ - (dtucker) [configure.ac defines.h] Have configure check for offsetof
+   to prevent redefinition warnings.
+
+20070406
+ - (dtucker) [INSTALL] Update the systems that have PAM as standard.  Link
+   to OpenPAM too.
+ - (dtucker) [INSTALL] prngd lives at sourceforge these days.
+
+20070326
+ - (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c
+   openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines
+   to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@
+
+20070325
+ - (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX,
+   LIBWRAP and LIBPAM variables in Makefile with the general-purpose
+   SSHDLIBS.  "I like" djm@
+
+20070321
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker at cvs.openbsd.org 2007/03/09 05:20:06
+     [servconf.c sshd.c]
+     Move C/R -> kbdint special case to after the defaults have been
+     loaded, which makes ChallengeResponse default to yes again.  This
+     was broken by the Match changes and not fixed properly subsequently.
+     Found by okan at demirmen.com, ok djm@ "please do it" deraadt@
+   - djm at cvs.openbsd.org 2007/03/19 01:01:29
+     [sshd_config]
+     Disable the legacy SSH protocol 1 for new installations via
+     a configuration override. In the future, we will change the
+     server's default itself so users who need the legacy protocol
+     will need to turn it on explicitly
+   - dtucker at cvs.openbsd.org 2007/03/19 12:16:42
+     [ssh-agent.c]
+     Remove the signal handler that checks if the agent's parent process
+     has gone away, instead check when the select loop returns.  Record when
+     the next key will expire when scanning for expired keys.  Set the select
+     timeout to whichever of these two things happens next.  With djm@, with &
+     ok deraadt@ markus@
+   - tedu at cvs.openbsd.org 2007/03/20 03:56:12
+     [readconf.c clientloop.c]
+     remove some bogus *p tests from charles longeau
+     ok deraadt millert
+   - jmc at cvs.openbsd.org 2007/03/20 15:57:15
+     [sshd.8]
+     - let synopsis and description agree for -f
+     - sort FILES
+     - +.Xr ssh-keyscan 1 ,
+     from Igor Sobrado
+ - (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use
+   getpeerucred to implement getpeereid (currently only Solaris 10 and up).
+   Patch by Jan.Pechanec at Sun.
+ - (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have
+   HAVE_GETPEERUCRED too.  Also from Jan Pechanec.
+
+20070313
+ - (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include
+   string.h to prevent warnings, from vapier at gentoo.org.
+ - (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the
+   selinux bits in -portable.
+ - (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in
+   bug #1291 also affects Protocol 1 3des.  While at it, use compat-openssl.h
+   in cipher-bf1.c.  Patch from Juan Gallego.
+ - (dtucker) [README.platform] Info about blibpath on AIX.
+
 20070306
  - (djm) OpenBSD CVS Sync
    - jmc at cvs.openbsd.org 2007/03/01 16:19:33
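Review bot: the commit log "upgraded to upstream version 4.7p1-2" does not call out the security-relevant entries this sync brings in, and the package changelog (debian/changelog is in the modified list) should: the 20070815 clientloop.c change (no longer falling back to the trusted X11 cookie when untrusted-cookie generation fails, reported via security-alert at sun.com), the 20070816 session.c change (PAM cleanup functions now run for unauthenticated connections too) and the 20070628 SELinux permissive-mode fix where errors wrongly hit fatal(). Minor: the 20070724 buildpkg.sh.in entry is cut off mid-sentence ("Allow more flexibility where smf(5)") and "trused" / "tree packets" are upstream typos; this is a vendored file, so leave the text as shipped, but don't copy the truncated line into distribution notes.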
@@ -2816,4 +3184,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4635.2.1 2007/03/06 10:27:55 djm Exp $
+$Id: ChangeLog,v 1.4738.2.1 2007/09/04 06:49:09 djm Exp $

Modified: trunk/INSTALL
===================================================================
--- trunk/INSTALL	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/INSTALL	2008-03-10 20:34:38 UTC (rev 42)
@@ -14,18 +14,38 @@
 
 The remaining items are optional.
 
-OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
-supports it. PAM is standard on Redhat and Debian Linux, Solaris and
-HP-UX 11.
-
 NB. If you operating system supports /dev/random, you should configure
 OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
-/dev/random. If you don't you will have to rely on ssh-rand-helper, which
-is inferior to a good kernel-based solution.
+/dev/random, or failing that, either prngd or egd.  If you don't have
+any of these you will have to rely on ssh-rand-helper, which is inferior
+to a good kernel-based solution or prngd.
 
+PRNGD:
+
+If your system lacks kernel-based random collection, the use of Lutz
+Jaenicke's PRNGd is recommended.
+
+http://prngd.sourceforge.net/
+
+EGD:
+
+The Entropy Gathering Daemon (EGD) is supported if you have a system which
+lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
+
+http://www.lothar.com/tech/crypto/
+
 PAM:
-http://www.kernel.org/pub/linux/libs/pam/
 
+OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
+system supports it. PAM is standard most Linux distributions, Solaris,
+HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
+
+Information about the various PAM implementations are available:
+
+Solaris PAM:	http://www.sun.com/software/solaris/pam/
+Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
+OpenPAM:	http://www.openpam.org/
+
 If you wish to build the GNOME passphrase requester, you will need the GNOME
 libraries and headers.
 
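Review bot: two grammar slips in the new PAM paragraph: "PAM is standard most Linux distributions" is missing "on" ("standard on most Linux distributions"), and "Information about the various PAM implementations are available" should read "is available". The pre-existing "If you operating system supports /dev/random" ("your") in the unchanged context line could be fixed in the same pass since this section is being rewritten anyway.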
@@ -37,20 +57,15 @@
 
 http://www.jmknoble.net/software/x11-ssh-askpass/
 
-PRNGD:
+TCP Wrappers:
 
-If your system lacks Kernel based random collection, the use of Lutz
-Jaenicke's PRNGd is recommended.
+If you wish to use the TCP wrappers functionality you will need at least
+tcpd.h and libwrap.a, either in the standard include and library paths,
+or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
+known to work.
 
-http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
+http://ftp.porcupine.org/pub/security/index.html
 
-EGD:
-
-The Entropy Gathering Daemon (EGD) is supported if you have a system which
-lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
-
-http://www.lothar.com/tech/crypto/
-
 S/Key Libraries:
 
 If you wish to use --with-skey then you will need the library below
@@ -72,7 +87,7 @@
 If you modify configure.ac or configure doesn't exist (eg if you checked
 the code out of CVS yourself) then you will need autoconf-2.61 to rebuild
 the automatically generated files by running "autoreconf".  Earlier
-version may also work but this is not guaranteed.
+versions may also work but this is not guaranteed.
 
 http://www.gnu.org/software/autoconf/
 
@@ -162,7 +177,7 @@
 need the S/Key libraries and header files installed for this to work.
 
 --with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
-support. You will need libwrap.a and tcpd.h installed.
+support.
 
 --with-md5-passwords will enable the use of MD5 passwords. Enable this
 if your operating system uses MD5 passwords and the system crypt() does
@@ -180,7 +195,7 @@
 --with-default-path=PATH allows you to specify a default $PATH for sessions
 started by sshd. This replaces the standard path entirely.
 
---with-pid-dir=PATH specifies the directory in which the ssh.pid file is
+--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
 created.
 
 --with-xauth=PATH specifies the location of the xauth binary
@@ -251,4 +266,4 @@
 http://www.openssh.com/
 
 
-$Id: INSTALL,v 1.77 2007/03/02 06:53:41 dtucker Exp $
+$Id: INSTALL,v 1.84 2007/08/17 12:52:05 dtucker Exp $

Modified: trunk/LICENCE
===================================================================
--- trunk/LICENCE	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/LICENCE	2008-03-10 20:34:38 UTC (rev 42)
@@ -205,6 +205,7 @@
 	Darren Tucker
 	Sun Microsystems
 	The SCO Group
+	Daniel Walsh
 
      * Redistribution and use in source and binary forms, with or without
      * modification, are permitted provided that the following conditions

Modified: trunk/Makefile.in
===================================================================
--- trunk/Makefile.in	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/Makefile.in	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.283 2006/10/23 21:44:47 tim Exp $
+# $Id: Makefile.in,v 1.285 2007/06/11 04:01:42 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -44,11 +44,8 @@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
-LIBSELINUX=@LIBSELINUX@
 SSHDLIBS=@SSHDLIBS@
 LIBEDIT=@LIBEDIT@
-LIBPAM=@LIBPAM@
-LIBWRAP=@LIBWRAP@
 AR=@AR@
 AWK=@AWK@
 RANLIB=@RANLIB@
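Review bot: LIBSELINUX, LIBPAM and LIBWRAP are removed in favour of the single SSHDLIBS, so any downstream build glue (debian/rules, local patches) that still references $(LIBPAM), $(LIBWRAP) or $(LIBSELINUX) will expand them to empty strings silently instead of failing, and sshd would link without PAM or tcp_wrappers support. Grep the packaging for those three names before merging; the sshd link rule further down this file is the only in-tree user and is updated to $(SSHDLIBS).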
@@ -74,7 +71,7 @@
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
 	kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
-	entropy.o scard-opensc.o gss-genr.o kexgssc.o
+	entropy.o scard-opensc.o gss-genr.o umac.o kexgssc.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o
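Review bot: umac.o is added to the libssh object list, but umac.c appears nowhere in this revision's file list, which has only a Modified: section and no Added: files; the same goes for openbsd-compat/bsd-poll.c and bsd-poll.h, which the ChangeLog (20070625 entry) says were introduced alongside the atomicio.c poll() change. If those files were not svn add'ed, the build stops at the missing rule for umac.o. Confirm they are in the tree before this goes in.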
@@ -139,7 +136,7 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(SSHDLIBS) $(LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -276,6 +273,7 @@
 	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
 	$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
 	$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+	ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5
 	if [ ! -z "$(INSTALL_SSH_RAND_HELPER)" ]; then \
 		$(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \
 	fi
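Review bot: the new `ln -s ../$(mansubdir)8/sshd.8 $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5` has no `-f` and no preceding `rm -f`, so a second `make install` into an existing tree fails once the link exists, unlike the surrounding $(INSTALL) lines which overwrite. Use `ln -sf ...` or `rm -f $(DESTDIR)$(mandir)/$(mansubdir)5/authorized_keys.5 && ln -s ...` so install stays idempotent.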

Modified: trunk/README
===================================================================
--- trunk/README	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/README	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-4.6 for the release notes.
+See http://www.openssh.com/txt/release-4.7 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.64.4.1 2007/03/06 10:27:56 djm Exp $
+$Id: README,v 1.66 2007/08/15 09:22:20 dtucker Exp $

Modified: trunk/README.platform
===================================================================
--- trunk/README.platform	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/README.platform	2008-03-10 20:34:38 UTC (rev 42)
@@ -23,6 +23,20 @@
 IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
 IPv6 known broken: 4.3.3ML11 5.1ML4
 
+If you wish to use dynamic libraries that aren't in the normal system
+locations (eg IBM's OpenSSL and zlib packages) then you will need to
+define the environment variable blibpath before running configure, eg
+
+blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
+  --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
+
+If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
+by default) then sshd checks that users are permitted via the
+loginrestrictions() function, in particular that the user has the
+"rlogin" attribute set.  This check is not done for the root account,
+instead the PermitRootLogin setting in sshd_config is used.
+
+
 Cygwin
 ------
 To build on Cygwin, OpenSSH requires the following packages:
@@ -67,4 +81,4 @@
 return the output from pam_nologin to the client.
 
 
-$Id: README.platform,v 1.7 2006/06/23 11:05:13 dtucker Exp $
+$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $

Modified: trunk/atomicio.c
===================================================================
--- trunk/atomicio.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/atomicio.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: atomicio.c,v 1.23 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: atomicio.c,v 1.25 2007/06/25 12:02:27 dtucker Exp $ */
 /*
  * Copyright (c) 2006 Damien Miller. All rights reserved.
  * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
@@ -32,7 +32,11 @@
 #include <sys/uio.h>
 
 #include <errno.h>
+#ifdef HAVE_POLL_H
+#include <poll.h>
+#endif
 #include <string.h>
+#include <unistd.h>
 
 #include "atomicio.h"
 
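Review bot: <poll.h> is included only under HAVE_POLL_H, yet the struct pollfd, POLLIN/POLLOUT and poll() uses added further down this file are unconditional. On a platform without poll.h this depends on the select()-based compat poll (ChangeLog 20070625, openbsd-compat/bsd-poll.{c,h}) being reached through includes.h / openbsd-compat.h; confirm that include chain, and that bsd-poll.c is actually part of this revision, since it is not in the file list above.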
@@ -45,17 +49,24 @@
 	char *s = _s;
 	size_t pos = 0;
 	ssize_t res;
+	struct pollfd pfd;
 
+	pfd.fd = fd;
+	pfd.events = f == read ? POLLIN : POLLOUT;
 	while (n > pos) {
 		res = (f) (fd, s + pos, n - pos);
 		switch (res) {
 		case -1:
 #ifdef EWOULDBLOCK
-			if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)
+			if (errno == EINTR || errno == EWOULDBLOCK)
 #else
-			if (errno == EINTR || errno == EAGAIN)
+			if (errno == EINTR)
 #endif
 				continue;
+			if (errno == EAGAIN) {
+				(void)poll(&pfd, 1, -1);
+				continue;
+			}
 			return 0;
 		case 0:
 			errno = EPIPE;
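Review bot: the EAGAIN branch is dead on platforms where EWOULDBLOCK is defined as EAGAIN (Linux and the BSDs): `errno == EWOULDBLOCK` in the first test matches first and `continue`s without ever reaching `if (errno == EAGAIN)`, so the busy-spin this change is meant to remove is still there on exactly the systems most people build on. Test EINTR alone in the first branch and poll on both: `if (errno == EINTR) continue;` then `if (errno == EAGAIN || errno == EWOULDBLOCK) { (void)poll(&pfd, 1, -1); continue; }` (keeping the #ifdef EWOULDBLOCK guard around the second test). The same pattern is repeated in atomiciov below.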
@@ -77,6 +88,7 @@
 	size_t pos = 0, rem;
 	ssize_t res;
 	struct iovec iov_array[IOV_MAX], *iov = iov_array;
+	struct pollfd pfd;
 
 	if (iovcnt > IOV_MAX) {
 		errno = EINVAL;
@@ -85,12 +97,22 @@
 	/* Make a copy of the iov array because we may modify it below */
 	memcpy(iov, _iov, iovcnt * sizeof(*_iov));
 
+	pfd.fd = fd;
+	pfd.events = f == readv ? POLLIN : POLLOUT;
 	for (; iovcnt > 0 && iov[0].iov_len > 0;) {
 		res = (f) (fd, iov, iovcnt);
 		switch (res) {
 		case -1:
-			if (errno == EINTR || errno == EAGAIN)
+#ifdef EWOULDBLOCK
+			if (errno == EINTR || errno == EWOULDBLOCK)
+#else
+			if (errno == EINTR)
+#endif
 				continue;
+			if (errno == EAGAIN) {
+				(void)poll(&pfd, 1, -1);
+				continue;
+			}
 			return 0;
 		case 0:
 			errno = EPIPE;
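Review bot: `pfd.events = f == readv ? POLLIN : POLLOUT` (and `f == read` in atomicio above) treats every function pointer other than readv/read as a writer. As long as callers only ever pass the plain read/readv or a write function this holds, but a future caller passing a read-side wrapper would poll for POLLOUT on a non-blocking fd and, with the -1 timeout, can block indefinitely. Either document that restriction at the two function definitions or have callers pass the direction explicitly rather than inferring it from the pointer.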

Modified: trunk/auth-pam.c
===================================================================
--- trunk/auth-pam.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/auth-pam.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -161,9 +161,9 @@
 	    WTERMSIG(sshpam_thread_status) == SIGTERM)
 		return;	/* terminated by pthread_cancel */
 	if (!WIFEXITED(sshpam_thread_status))
-		fatal("PAM: authentication thread exited unexpectedly");
+		sigdie("PAM: authentication thread exited unexpectedly");
 	if (WEXITSTATUS(sshpam_thread_status) != 0)
-		fatal("PAM: authentication thread exited uncleanly");
+		sigdie("PAM: authentication thread exited uncleanly");
 }
 
 /* ARGSUSED */
@@ -686,8 +686,7 @@
 		return (NULL);
 	}
 
-	ctxt = xmalloc(sizeof *ctxt);
-	memset(ctxt, 0, sizeof(*ctxt));
+	ctxt = xcalloc(1, sizeof *ctxt);
 
 	/* Start the authentication thread */
 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
@@ -985,7 +984,8 @@
 			break;
 		case PAM_PROMPT_ECHO_ON:
 			fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
-			fgets(input, sizeof input, stdin);
+			if (fgets(input, sizeof input, stdin) == NULL)
+				input[0] = '\0';
 			if ((reply[i].resp = strdup(input)) == NULL)
 				goto fail;
 			reply[i].resp_retcode = PAM_SUCCESS;
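Review bot: in the PAM_PROMPT_ECHO_ON case, when fgets() returns NULL (EOF or a read error on stdin) the code now hands PAM an empty string together with `reply[i].resp_retcode = PAM_SUCCESS`, so the module sees a successful conversation with a blank answer rather than a failed one. The function already has a `fail` label in scope; `goto fail` on NULL would report PAM_CONV_ERR and let the module abort cleanly. `input[0] = '\0'` is only the right choice if a blank answer on EOF is intended, in which case a comment saying so would help.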
@@ -1130,9 +1130,8 @@
 	if (n <= 0 || n > PAM_MAX_NUM_MSG)
 		return (PAM_CONV_ERR);
 
-	if ((reply = malloc(n * sizeof(*reply))) == NULL)
+	if ((reply = calloc(n, sizeof(*reply))) == NULL)
 		return (PAM_CONV_ERR);
-	memset(reply, 0, n * sizeof(*reply));
 
 	for (i = 0; i < n; ++i) {
 		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {

Modified: trunk/auth-shadow.c
===================================================================
--- trunk/auth-shadow.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/auth-shadow.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -28,6 +28,7 @@
 #include <shadow.h>
 #include <stdarg.h>
 #include <string.h>
+#include <time.h>
 
 #include "key.h"
 #include "hostfile.h"

Modified: trunk/auth.c
===================================================================
--- trunk/auth.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/auth.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -115,11 +115,11 @@
 	/* grab passwd field for locked account check */
 #ifdef USE_SHADOW
 	if (spw != NULL)
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
 		passwd = get_iaf_password(pw);
 #else
 		passwd = spw->sp_pwdp;
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
 #else
 	passwd = pw->pw_passwd;
 #endif
@@ -141,9 +141,9 @@
 		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
 			locked = 1;
 #endif
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
 		free(passwd);
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
 		if (locked) {
 			logit("User %.100s not allowed because account is locked",
 			    pw->pw_name);

Modified: trunk/auth2.c
===================================================================
--- trunk/auth2.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/auth2.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.114 2007/03/01 10:28:02 dtucker Exp $ */
+/* $OpenBSD: auth2.c,v 1.115 2007/04/14 22:01:58 stevesk Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -292,8 +292,6 @@
 	}
 }
 
-#define	DELIM	","
-
 static char *
 authmethods_get(void)
 {

Modified: trunk/bufbn.c
===================================================================
--- trunk/bufbn.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/bufbn.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufbn.c,v 1.5 2007/02/14 14:32:00 stevesk Exp $*/
+/* $OpenBSD: bufbn.c,v 1.6 2007/06/02 09:04:58 djm Exp $*/
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -201,12 +201,14 @@
 		return (-1);
 	}
 	if (len > 8 * 1024) {
-		error("buffer_get_bignum2_ret: cannot handle BN of size %d", len);
+		error("buffer_get_bignum2_ret: cannot handle BN of size %d",
+		    len);
 		xfree(bin);
 		return (-1);
 	}
 	if (BN_bin2bn(bin, len, value) == NULL) {
 		error("buffer_get_bignum2_ret: BN_bin2bn failed");
+		xfree(bin);
 		return (-1);
 	}
 	xfree(bin);

Modified: trunk/buildpkg.sh.in
===================================================================
--- trunk/buildpkg.sh.in	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/buildpkg.sh.in	2008-03-10 20:34:38 UTC (rev 42)
@@ -49,6 +49,8 @@
 OPENSSHD=opensshd.init
 OPENSSH_MANIFEST=openssh.xml
 OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
+SMF_METHOD_DIR=/lib/svc/method/site
+SMF_MANIFEST_DIR=/var/svc/manifest/site
 
 PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
 PATH_USERADD_PROG=@PATH_USERADD_PROG@
@@ -196,15 +198,17 @@
 	# For Solaris' SMF, /lib/svc/method/site is the preferred place
 	# for start/stop scripts that aren't supplied with the OS, and
 	# similarly /var/svc/manifest/site for manifests.
-	mkdir -p $FAKE_ROOT${TEST_DIR}/lib/svc/method/site
-	mkdir -p $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site
+	mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}
+	mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}
 
-	cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
-	chmod 744 $FAKE_ROOT${TEST_DIR}/lib/svc/method/site/${SYSVINIT_NAME}
+	cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
+	chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
 
-	cat ${OPENSSH_MANIFEST} | sed "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
-	    > $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
-	chmod 644 $FAKE_ROOT${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
+	cat ${OPENSSH_MANIFEST} | \
+	    sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
+	    -e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \
+	    > $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
+	chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
 else
 	mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
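Review bot: style point on the manifest rewrite: `cat ${OPENSSH_MANIFEST} | sed -e ...` is a needless pipeline; `sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" -e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" "${OPENSSH_MANIFEST}" > ...` does the same in one process. The new `__SMF_METHOD_DIR__` placeholder also needs the matching edit in openssh.xml.in (listed as modified in this revision but not visible here), otherwise the second substitution is a no-op and the method path in the manifest stays hard-coded.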
 
@@ -214,19 +218,19 @@
 
 [ "${PERMIT_ROOT_LOGIN}" = no ]  &&  \
 	perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
-		$FAKE_ROOT/${sysconfdir}/sshd_config
+		$FAKE_ROOT${sysconfdir}/sshd_config
 [ "${X11_FORWARDING}" = yes ]  &&  \
 	perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
-		$FAKE_ROOT/${sysconfdir}/sshd_config
+		$FAKE_ROOT${sysconfdir}/sshd_config
 # fix PrintMotd
 perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
-	$FAKE_ROOT/${sysconfdir}/sshd_config
+	$FAKE_ROOT${sysconfdir}/sshd_config
 
 # We don't want to overwrite config files on multiple installs
-mv $FAKE_ROOT/${sysconfdir}/ssh_config $FAKE_ROOT/${sysconfdir}/ssh_config.default
-mv $FAKE_ROOT/${sysconfdir}/sshd_config $FAKE_ROOT/${sysconfdir}/sshd_config.default
-[ -f $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds ]  &&  \
-mv $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds $FAKE_ROOT/${sysconfdir}/ssh_prng_cmds.default
+mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default
+mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default
+[ -f $FAKE_ROOT${sysconfdir}/ssh_prng_cmds ]  &&  \
+mv $FAKE_ROOT${sysconfdir}/ssh_prng_cmds $FAKE_ROOT${sysconfdir}/ssh_prng_cmds.default
 
 # local tweeks here
 [ -s "${POST_MAKE_INSTALL_FIXES}" ]  &&  . ${POST_MAKE_INSTALL_FIXES}
@@ -336,7 +340,7 @@
 		svccfg delete -f $OPENSSH_FMRI
 	fi
 	# NOTE, The manifest disables sshd by default.
-	svccfg import ${TEST_DIR}/var/svc/manifest/site/${SYSVINIT_NAME}.xml
+	svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
 else
 	if [ "\${USE_SYM_LINKS}" = yes ]
 	then

Modified: trunk/channels.c
===================================================================
--- trunk/channels.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/channels.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.268 2007/01/03 03:01:40 stevesk Exp $ */
+/* $OpenBSD: channels.c,v 1.270 2007/06/25 08:20:03 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1657,7 +1657,9 @@
 {
 	if (c->type == SSH_CHANNEL_OPEN &&
 	    !(c->flags & (CHAN_CLOSE_SENT|CHAN_CLOSE_RCVD)) &&
-	    c->local_window < c->local_window_max/2 &&
+	    ((c->local_window_max - c->local_window >
+	    c->local_maxpacket*3) ||
+	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
 		packet_put_int(c->remote_id);
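Review bot: the new trigger `(c->local_window_max - c->local_window > c->local_maxpacket*3) || c->local_window < c->local_window_max/2` has no comment explaining it. A one-liner saying that a WINDOW_ADJUST is now sent once more than three max-size packets of window have been consumed, instead of waiting for half the window to drain, would save the next reader working it out; it matters because CHAN_SES_WINDOW_DEFAULT and CHAN_TCP_WINDOW_DEFAULT are raised to 64 packets elsewhere in this revision and the half-window rule alone would then hold back adjusts for a long time. Parenthesising `c->local_maxpacket*3` would also make the precedence obvious.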

Modified: trunk/channels.h
===================================================================
--- trunk/channels.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/channels.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.88 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: channels.h,v 1.89 2007/06/11 09:14:00 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -122,9 +122,9 @@
 
 /* default window/packet sizes for tcp/x11-fwd-channel */
 #define CHAN_SES_PACKET_DEFAULT	(32*1024)
-#define CHAN_SES_WINDOW_DEFAULT	(4*CHAN_SES_PACKET_DEFAULT)
+#define CHAN_SES_WINDOW_DEFAULT	(64*CHAN_SES_PACKET_DEFAULT)
 #define CHAN_TCP_PACKET_DEFAULT	(32*1024)
-#define CHAN_TCP_WINDOW_DEFAULT	(4*CHAN_TCP_PACKET_DEFAULT)
+#define CHAN_TCP_WINDOW_DEFAULT	(64*CHAN_TCP_PACKET_DEFAULT)
 #define CHAN_X11_PACKET_DEFAULT	(16*1024)
 #define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
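Review bot: CHAN_SES_WINDOW_DEFAULT and CHAN_TCP_WINDOW_DEFAULT grow from 4*32K (128 KiB) to 64*32K (2 MiB) per channel while CHAN_X11_WINDOW_DEFAULT stays at 4 packets; the asymmetry deserves a note in the comment above these defines. The receive window is also the amount a peer may push into a channel before the local side must drain it, so per-channel buffering on a server with many concurrent forwarded channels is now 16 times larger; worth documenting that ceiling next to the constants.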
 

Modified: trunk/cipher-3des1.c
===================================================================
--- trunk/cipher-3des1.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/cipher-3des1.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -35,9 +35,7 @@
 #include "xmalloc.h"
 #include "log.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
+#include "openbsd-compat/openssl-compat.h"
 
 /*
  * This is used by SSH1:

Modified: trunk/cipher-bf1.c
===================================================================
--- trunk/cipher-bf1.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/cipher-bf1.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -35,9 +35,7 @@
 #include "xmalloc.h"
 #include "log.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
+#include "openbsd-compat/openssl-compat.h"
 
 /*
  * SSH1 uses a variation on Blowfish, all bytes must be swapped before

Modified: trunk/cipher-ctr.c
===================================================================
--- trunk/cipher-ctr.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/cipher-ctr.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -29,13 +29,7 @@
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
 
-#ifdef USE_BUILTIN_RIJNDAEL
-#include "rijndael.h"
-#define AES_KEY rijndael_ctx
-#define AES_BLOCK_SIZE 16
-#define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
-#define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
-#else
+#ifndef USE_BUILTIN_RIJNDAEL
 #include <openssl/aes.h>
 #endif
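Review bot: the removed `#ifdef USE_BUILTIN_RIJNDAEL` block supplied AES_KEY, AES_BLOCK_SIZE, AES_encrypt and AES_set_encrypt_key in terms of the rijndael_* functions; after this hunk a builtin-rijndael build only gets what `openbsd-compat/openssl-compat.h` (included just above) provides, so that header must now carry the same mapping or the USE_BUILTIN_RIJNDAEL configuration will not compile. Please confirm against the openssl-compat.h change in this revision.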
 

Modified: trunk/clientloop.c
===================================================================
--- trunk/clientloop.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/clientloop.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.178 2007/02/20 10:25:14 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.181 2007/08/15 08:14:46 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -290,19 +290,29 @@
 					generated = 1;
 			}
 		}
-		snprintf(cmd, sizeof(cmd),
-		    "%s %s%s list %s 2>" _PATH_DEVNULL,
-		    xauth_path,
-		    generated ? "-f " : "" ,
-		    generated ? xauthfile : "",
-		    display);
-		debug2("x11_get_proto: %s", cmd);
-		f = popen(cmd, "r");
-		if (f && fgets(line, sizeof(line), f) &&
-		    sscanf(line, "%*s %511s %511s", proto, data) == 2)
-			got_data = 1;
-		if (f)
-			pclose(f);
+
+		/*
+		 * When in untrusted mode, we read the cookie only if it was
+		 * successfully generated as an untrusted one in the step
+		 * above.
+		 */
+		if (trusted || generated) {
+			snprintf(cmd, sizeof(cmd),
+			    "%s %s%s list %s 2>" _PATH_DEVNULL,
+			    xauth_path,
+			    generated ? "-f " : "" ,
+			    generated ? xauthfile : "",
+			    display);
+			debug2("x11_get_proto: %s", cmd);
+			f = popen(cmd, "r");
+			if (f && fgets(line, sizeof(line), f) &&
+			    sscanf(line, "%*s %511s %511s", proto, data) == 2)
+				got_data = 1;
+			if (f)
+				pclose(f);
+		} else
+			error("Warning: untrusted X11 forwarding setup failed: "
+			    "xauth key data not generated");
 	}
 
 	if (do_unlink) {
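Review bot: the `if (trusted || generated)` gate is the substance of this hunk: previously an untrusted-mode request whose generate step failed still ran `xauth list` with no `-f`, reading the cookie from the user's default authority file. In the new `else` branch `got_data` stays 0 and only a message is logged, so whether forwarding fails closed depends on what the caller does with got_data == 0; either state that in the comment or return from the function here so the safe behaviour does not rely on code outside this hunk. Also, `error("Warning: ...")` mixes two severities in one message; pick one.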
@@ -940,7 +950,7 @@
 	cmd = s = read_passphrase("\r\nssh> ", RP_ECHO);
 	if (s == NULL)
 		goto out;
-	while (*s && isspace(*s))
+	while (isspace(*s))
 		s++;
 	if (*s == '-')
 		s++;	/* Skip cmdline '-', if any */
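Review bot: dropping `*s &&` from `while (isspace(*s))` is safe only because isspace('\0') is 0, which the C standard guarantees, so that part is fine; but `*s` is a plain char and isspace() is defined for int values in the range of unsigned char or EOF, so a byte >= 0x80 in the passphrase buffer is undefined behaviour on platforms where char is signed. Use `isspace((unsigned char)*s)`.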
@@ -987,9 +997,8 @@
 		goto out;
 	}
 
-	s++;
-	while (*s && isspace(*s))
-		s++;
+	while (isspace(*++s))
+		;
 
 	if (delete) {
 		cancel_port = 0;
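Review bot: `while (isspace(*++s)) ;` folds the former `s++` and the skip loop into one statement, which is correct here because the preceding check guarantees `*s` is not NUL and isspace('\0') is 0. Two small points: `*++s` should be cast, `isspace((unsigned char)*++s)`, to avoid undefined behaviour on high-bit bytes, and a `/* skip whitespace */` comment would stop the empty body on its own line being misread as a stray semicolon.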
@@ -1781,6 +1790,50 @@
 	return c;
 }
 
+int
+client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
+{
+	Channel *c;
+	int fd;
+
+	if (tun_mode == SSH_TUNMODE_NO)
+		return 0;
+
+	if (!compat20) {
+		error("Tunnel forwarding is not support for protocol 1");
+		return -1;
+	}
+
+	debug("Requesting tun unit %d in mode %d", local_tun, tun_mode);
+
+	/* Open local tunnel device */
+	if ((fd = tun_open(local_tun, tun_mode)) == -1) {
+		error("Tunnel device open failed.");
+		return -1;
+	}
+
+	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+	c->datagram = 1;
+
+#if defined(SSH_TUN_FILTER)
+	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
+		channel_register_filter(c->self, sys_tun_infilter,
+		    sys_tun_outfilter);
+#endif
+
+	packet_start(SSH2_MSG_CHANNEL_OPEN);
+	packet_put_cstring("tun at openssh.com");
+	packet_put_int(c->self);
+	packet_put_int(c->local_window_max);
+	packet_put_int(c->local_maxpacket);
+	packet_put_int(tun_mode);
+	packet_put_int(remote_tun);
+	packet_send();
+
+	return 0;
+}
+
 /* XXXX move to generic input handler */
 static void
 client_input_channel_open(int type, u_int32_t seq, void *ctxt)
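Review bot: typo in the error string at the `!compat20` check in client_request_tun_fwd: "Tunnel forwarding is not support for protocol 1" should read "not supported". Two further points in the same function: the `#if defined(SSH_TUN_FILTER)` branch tests `options.tun_open` while everything else uses the `tun_mode` parameter, so the filter decision can diverge from the mode actually passed to tun_open(); use the parameter consistently. And the function returns 0 both for "tunnelling is off" and for "request sent", with -1 only on failure; a comment above the function documenting that contract would help callers.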

Modified: trunk/clientloop.h
===================================================================
--- trunk/clientloop.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/clientloop.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.16 2006/03/25 22:22:42 djm Exp $ */
+/* $OpenBSD: clientloop.h,v 1.17 2007/08/07 07:32:53 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -44,6 +44,7 @@
 void	 client_global_request_reply_fwd(int, u_int32_t, void *);
 void	 client_session2_setup(int, int, int, const char *, struct termios *,
 	    int, Buffer *, char **, dispatch_fn *);
+int	 client_request_tun_fwd(int, int, int);
 
 /* Multiplexing protocol version */
 #define SSHMUX_VER			1

Modified: trunk/config.h.in
===================================================================
--- trunk/config.h.in	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/config.h.in	2008-03-10 20:34:38 UTC (rev 42)
@@ -155,6 +155,9 @@
 /* OpenBSD's gcc has bounded */
 #undef HAVE_ATTRIBUTE__BOUNDED__
 
+/* Have attribute nonnull */
+#undef HAVE_ATTRIBUTE__NONNULL__
+
 /* OpenBSD's gcc has sentinel */
 #undef HAVE_ATTRIBUTE__SENTINEL__
 
@@ -230,6 +233,14 @@
    don't. */
 #undef HAVE_DECL_LOGINSUCCESS
 
+/* Define to 1 if you have the declaration of `MAXSYMLINKS', and to 0 if you
+   don't. */
+#undef HAVE_DECL_MAXSYMLINKS
+
+/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
+   don't. */
+#undef HAVE_DECL_OFFSETOF
+
 /* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you
    don't. */
 #undef HAVE_DECL_O_NONBLOCK
@@ -354,6 +365,9 @@
 /* Define to 1 if you have the `getpeereid' function. */
 #undef HAVE_GETPEEREID
 
+/* Define to 1 if you have the `getpeerucred' function. */
+#undef HAVE_GETPEERUCRED
+
 /* Define to 1 if you have the `getpwanam' function. */
 #undef HAVE_GETPWANAM
 
@@ -480,9 +494,6 @@
 /* Define to 1 if you have the <libgen.h> header file. */
 #undef HAVE_LIBGEN_H
 
-/* Define to 1 if you have the `iaf' library (-liaf). */
-#undef HAVE_LIBIAF
-
 /* Define to 1 if you have the `nsl' library (-lnsl). */
 #undef HAVE_LIBNSL
 
@@ -619,6 +630,12 @@
 /* define if you have pid_t data type */
 #undef HAVE_PID_T
 
+/* Define to 1 if you have the `poll' function. */
+#undef HAVE_POLL
+
+/* Define to 1 if you have the <poll.h> header file. */
+#undef HAVE_POLL_H
+
 /* Define to 1 if you have the `prctl' function. */
 #undef HAVE_PRCTL
 
@@ -736,6 +753,9 @@
 /* Define to 1 if you have the `setvbuf' function. */
 #undef HAVE_SETVBUF
 
+/* Define to 1 if you have the `set_id' function. */
+#undef HAVE_SET_ID
+
 /* Define to 1 if you have the `SHA256_Update' function. */
 #undef HAVE_SHA256_UPDATE
 
@@ -844,6 +864,9 @@
 /* define if you have struct timeval */
 #undef HAVE_STRUCT_TIMEVAL
 
+/* Define to 1 if you have the `swap32' function. */
+#undef HAVE_SWAP32
+
 /* Define to 1 if you have the `sysconf' function. */
 #undef HAVE_SYSCONF
 
@@ -958,6 +981,9 @@
 /* Define if you have ut_type in utmpx.h */
 #undef HAVE_TYPE_IN_UTMPX
 
+/* Define to 1 if you have the <ucred.h> header file. */
+#undef HAVE_UCRED_H
+
 /* define if you have uintxx_t data type */
 #undef HAVE_UINTXX_T
 
@@ -1039,6 +1065,9 @@
 /* Define to 1 if you have the `_getshort' function. */
 #undef HAVE__GETSHORT
 
+/* Define if you have struct __res_state _res as an extern */
+#undef HAVE__RES_EXTERN
+
 /* Define to 1 if you have the `__b64_ntop' function. */
 #undef HAVE___B64_NTOP
 

Modified: trunk/configure
===================================================================
--- trunk/configure	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/configure	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.372 .
+# From configure.ac Revision: 1.383 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.61 for OpenSSH Portable.
 #
@@ -693,9 +693,7 @@
 PATH_PASSWD_PROG
 LD
 SSHDLIBS
-LIBWRAP
 LIBEDIT
-LIBPAM
 INSTALL_SSH_RAND_HELPER
 SSH_PRIVSEP_USER
 PROG_LS
@@ -716,7 +714,6 @@
 PROG_TAIL
 INSTALL_SSH_PRNG_CMDS
 OPENSC_CONFIG
-LIBSELINUX
 PRIVSEP_PATH
 xauth_path
 STRIP_OPT
@@ -5390,9 +5387,12 @@
 	CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
 	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
 	case $GCC_VER in
-		1.*) ;;
-		2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
-		2.*) ;;
+		1.*) no_attrib_nonnull=1 ;;
+		2.8* | 2.9*)
+		     CFLAGS="$CFLAGS -Wsign-compare"
+		     no_attrib_nonnull=1
+		     ;;
+		2.*) no_attrib_nonnull=1 ;;
 		3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
 		4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
 		*) ;;
@@ -5466,7 +5466,15 @@
 	fi
 fi
 
+if test "x$no_attrib_nonnull" != "x1" ; then
 
+cat >>confdefs.h <<\_ACEOF
+#define HAVE_ATTRIBUTE__NONNULL__ 1
+_ACEOF
+
+fi
+
+
 # Check whether --with-rpath was given.
 if test "${with_rpath+set}" = set; then
   withval=$with_rpath;
@@ -5604,6 +5612,8 @@
 
 
 
+
+
 for ac_header in \
 	bstring.h \
 	crypt.h \
@@ -5626,6 +5636,7 @@
 	netgroup.h \
 	pam/pam_appl.h \
 	paths.h \
+	poll.h \
 	pty.h \
 	readpassphrase.h \
 	rpc/types.h \
@@ -5657,6 +5668,7 @@
 	time.h \
 	tmpdir.h \
 	ttyent.h \
+	ucred.h \
 	unistd.h \
 	usersec.h \
 	util.h \
@@ -8998,6 +9010,14 @@
 _ACEOF
 
 	enable_etc_default_login=no	# has incompatible /etc/default/login
+	case "$host" in
+	*-*-nto-qnx6*)
+		cat >>confdefs.h <<\_ACEOF
+#define DISABLE_FD_PASSING 1
+_ACEOF
+
+		;;
+	esac
 	;;
 
 *-*-ultrix*)
@@ -11820,8 +11840,7 @@
 					CPPFLAGS="-I${withval} ${CPPFLAGS}"
 				fi
 			fi
-			LIBWRAP="-lwrap"
-			LIBS="$LIBWRAP $LIBS"
+			LIBS="-lwrap $LIBS"
 			{ echo "$as_me:$LINENO: checking for libwrap" >&5
 echo $ECHO_N "checking for libwrap... $ECHO_C" >&6; }
 			cat >conftest.$ac_ext <<_ACEOF
@@ -11871,7 +11890,7 @@
 #define LIBWRAP 1
 _ACEOF
 
-
+					SSHDLIBS="$SSHDLIBS -lwrap"
 					TCPW_MSG="yes"
 
 else
@@ -12500,6 +12519,9 @@
 
 
 
+
+
+
 for ac_func in \
 	arc4random \
 	asprintf \
@@ -12522,6 +12544,7 @@
 	getnameinfo \
 	getopt \
 	getpeereid \
+	getpeerucred \
 	_getpty \
 	getrlimit \
 	getttyent \
@@ -12540,6 +12563,7 @@
 	ogetaddrinfo \
 	openlog_r \
 	openpty \
+	poll \
 	prctl \
 	pstat \
 	readpassphrase \
@@ -12573,6 +12597,7 @@
 	strtonum \
 	strtoll \
 	strtoul \
+	swap32 \
 	sysconf \
 	tcgetpgrp \
 	truncate \
@@ -13674,7 +13699,151 @@
 
 
 
+{ echo "$as_me:$LINENO: checking whether MAXSYMLINKS is declared" >&5
+echo $ECHO_N "checking whether MAXSYMLINKS is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_MAXSYMLINKS+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
 
+#include <sys/param.h>
+
+
+int
+main ()
+{
+#ifndef MAXSYMLINKS
+  (void) MAXSYMLINKS;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_MAXSYMLINKS=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_have_decl_MAXSYMLINKS=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_MAXSYMLINKS" >&5
+echo "${ECHO_T}$ac_cv_have_decl_MAXSYMLINKS" >&6; }
+if test $ac_cv_have_decl_MAXSYMLINKS = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_MAXSYMLINKS 1
+_ACEOF
+
+
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_MAXSYMLINKS 0
+_ACEOF
+
+
+fi
+
+
+
+{ echo "$as_me:$LINENO: checking whether offsetof is declared" >&5
+echo $ECHO_N "checking whether offsetof is declared... $ECHO_C" >&6; }
+if test "${ac_cv_have_decl_offsetof+set}" = set; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+
+#include <stddef.h>
+
+
+int
+main ()
+{
+#ifndef offsetof
+  (void) offsetof;
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_compile") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest.$ac_objext; then
+  ac_cv_have_decl_offsetof=yes
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	ac_cv_have_decl_offsetof=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_have_decl_offsetof" >&5
+echo "${ECHO_T}$ac_cv_have_decl_offsetof" >&6; }
+if test $ac_cv_have_decl_offsetof = yes; then
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OFFSETOF 1
+_ACEOF
+
+
+else
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_DECL_OFFSETOF 0
+_ACEOF
+
+
+fi
+
+
+
+
 for ac_func in setresuid
 do
 as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
@@ -14989,7 +15158,7 @@
 
 # Check for missing getpeereid (or equiv) support
 NO_PEERCHECK=""
-if test "x$ac_cv_func_getpeereid" != "xyes" ; then
+if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
 	{ echo "$as_me:$LINENO: checking whether system supports SO_PEERCRED getsockopt" >&5
 echo $ECHO_N "checking whether system supports SO_PEERCRED getsockopt... $ECHO_C" >&6; }
 	cat >conftest.$ac_ext <<_ACEOF
@@ -16430,7 +16599,7 @@
 done
 
 
-
+saved_LIBS="$LIBS"
 { echo "$as_me:$LINENO: checking for ia_openinfo in -liaf" >&5
 echo $ECHO_N "checking for ia_openinfo in -liaf... $ECHO_C" >&6; }
 if test "${ac_cv_lib_iaf_ia_openinfo+set}" = set; then
@@ -16493,14 +16662,106 @@
 { echo "$as_me:$LINENO: result: $ac_cv_lib_iaf_ia_openinfo" >&5
 echo "${ECHO_T}$ac_cv_lib_iaf_ia_openinfo" >&6; }
 if test $ac_cv_lib_iaf_ia_openinfo = yes; then
+
+	LIBS="$LIBS -liaf"
+
+for ac_func in set_id
+do
+as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+{ echo "$as_me:$LINENO: checking for $ac_func" >&5
+echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6; }
+if { as_var=$as_ac_var; eval "test \"\${$as_var+set}\" = set"; }; then
+  echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+  cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h.  */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h.  */
+/* Define $ac_func to an innocuous variant, in case <limits.h> declares $ac_func.
+   For example, HP-UX 11i <limits.h> declares gettimeofday.  */
+#define $ac_func innocuous_$ac_func
+
+/* System header to define __stub macros and hopefully few prototypes,
+    which can conflict with char $ac_func (); below.
+    Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+    <limits.h> exists even on freestanding compilers.  */
+
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+
+#undef $ac_func
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char $ac_func ();
+/* The GNU C library defines this for functions which it implements
+    to always fail with ENOSYS.  Some functions are actually named
+    something starting with __ and the normal name is an alias.  */
+#if defined __stub_$ac_func || defined __stub___$ac_func
+choke me
+#endif
+
+int
+main ()
+{
+return $ac_func ();
+  ;
+  return 0;
+}
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  eval "$as_ac_var=yes"
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	eval "$as_ac_var=no"
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+fi
+ac_res=`eval echo '${'$as_ac_var'}'`
+	       { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+if test `eval echo '${'$as_ac_var'}'` = yes; then
   cat >>confdefs.h <<_ACEOF
-#define HAVE_LIBIAF 1
+#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
+ SSHDLIBS="$SSHDLIBS -liaf"
+fi
+done
 
-  LIBS="-liaf $LIBS"
 
 fi
 
+LIBS="$saved_LIBS"
 
 ### Configure cryptographic random number support
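Review bot: this hunk removes `#define HAVE_LIBIAF 1` and instead defines HAVE_SET_ID (through the `echo "HAVE_$ac_func"` template) and appends -liaf to SSHDLIBS only when set_id links. auth.c in this same revision switches its guards from HAVE_LIBIAF to USE_LIBIAF, so some header (defines.h is listed as modified but not shown here) must derive USE_LIBIAF from HAVE_SET_ID, otherwise get_iaf_password() silently drops out of the build. Restoring LIBS from saved_LIBS after the probe is the right pattern and should be documented in configure.ac, since this file is generated.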
 
@@ -16926,7 +17187,7 @@
 
 			PAM_MSG="yes"
 
-			LIBPAM="-lpam"
+			SSHDLIBS="$SSHDLIBS -lpam"
 
 cat >>confdefs.h <<\_ACEOF
 #define USE_PAM 1
@@ -16939,11 +17200,10 @@
 					# libdl already in LIBS
 					;;
 				*)
-					LIBPAM="$LIBPAM -ldl"
+					SSHDLIBS="$SSHDLIBS -ldl"
 					;;
 				esac
 			fi
-
 		fi
 
 
@@ -25179,6 +25439,59 @@
 fi
 
 
+{ echo "$as_me:$LINENO: checking if struct __res_state _res is an extern" >&5
+echo $ECHO_N "checking if struct __res_state _res is an extern... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+
+#include <stdio.h>
+#if HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+extern struct __res_state _res;
+int main() { return 0; }
+
+_ACEOF
+rm -f conftest.$ac_objext conftest$ac_exeext
+if { (ac_try="$ac_link"
+case "(($ac_try" in
+  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+  *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+  (eval "$ac_link") 2>conftest.er1
+  ac_status=$?
+  grep -v '^ *+' conftest.er1 >conftest.err
+  rm -f conftest.er1
+  cat conftest.err >&5
+  echo "$as_me:$LINENO: \$? = $ac_status" >&5
+  (exit $ac_status); } && {
+	 test -z "$ac_c_werror_flag" ||
+	 test ! -s conftest.err
+       } && test -s conftest$ac_exeext &&
+       $as_test_x conftest$ac_exeext; then
+  { echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6; }
+
+cat >>confdefs.h <<\_ACEOF
+#define HAVE__RES_EXTERN 1
+_ACEOF
+
+
+else
+  echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+	 { echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6; }
+
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \
+      conftest$ac_exeext conftest.$ac_ext
+
 # Check whether user wants SELinux support
 SELINUX_MSG="no"
 LIBSELINUX=""
@@ -25186,6 +25499,7 @@
 # Check whether --with-selinux was given.
 if test "${with_selinux+set}" = set; then
   withval=$with_selinux;  if test "x$withval" != "xno" ; then
+		save_LIBS="$LIBS"
 
 cat >>confdefs.h <<\_ACEOF
 #define WITH_SELINUX 1
@@ -25400,8 +25714,7 @@
    { (exit 1); exit 1; }; }
 fi
 
-		save_LIBS="$LIBS"
-		LIBS="$LIBS $LIBSELINUX"
+		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
 
 
 for ac_func in getseuserbyname get_default_context_with_level
@@ -25503,7 +25816,6 @@
 fi
 
 
-
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 
@@ -28917,9 +29229,7 @@
 PATH_PASSWD_PROG!$PATH_PASSWD_PROG$ac_delim
 LD!$LD$ac_delim
 SSHDLIBS!$SSHDLIBS$ac_delim
-LIBWRAP!$LIBWRAP$ac_delim
 LIBEDIT!$LIBEDIT$ac_delim
-LIBPAM!$LIBPAM$ac_delim
 INSTALL_SSH_RAND_HELPER!$INSTALL_SSH_RAND_HELPER$ac_delim
 SSH_PRIVSEP_USER!$SSH_PRIVSEP_USER$ac_delim
 PROG_LS!$PROG_LS$ac_delim
@@ -28937,6 +29247,8 @@
 PROG_VMSTAT!$PROG_VMSTAT$ac_delim
 PROG_UPTIME!$PROG_UPTIME$ac_delim
 PROG_IPCS!$PROG_IPCS$ac_delim
+PROG_TAIL!$PROG_TAIL$ac_delim
+INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
 _ACEOF
 
   if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 97; then
@@ -28978,10 +29290,7 @@
 ac_delim='%!_!# '
 for ac_last_try in false false false false false :; do
   cat >conf$$subs.sed <<_ACEOF
-PROG_TAIL!$PROG_TAIL$ac_delim
-INSTALL_SSH_PRNG_CMDS!$INSTALL_SSH_PRNG_CMDS$ac_delim
 OPENSC_CONFIG!$OPENSC_CONFIG$ac_delim
-LIBSELINUX!$LIBSELINUX$ac_delim
 PRIVSEP_PATH!$PRIVSEP_PATH$ac_delim
 xauth_path!$xauth_path$ac_delim
 STRIP_OPT!$STRIP_OPT$ac_delim
@@ -28995,7 +29304,7 @@
 LTLIBOBJS!$LTLIBOBJS$ac_delim
 _ACEOF
 
-  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 15; then
+  if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 12; then
     break
   elif $ac_last_try; then
     { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5
@@ -29487,7 +29796,10 @@
 echo "    Compiler flags: ${CFLAGS}"
 echo "Preprocessor flags: ${CPPFLAGS}"
 echo "      Linker flags: ${LDFLAGS}"
-echo "         Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
+echo "         Libraries: ${LIBS}"
+if test ! -z "${SSHDLIBS}"; then
+echo "         +for sshd: ${SSHDLIBS}"
+fi
 
 echo ""
 
@@ -29513,12 +29825,12 @@
 fi
 
 if test ! -z "$NO_PEERCHECK" ; then
-	echo "WARNING: the operating system that you are using does not "
-	echo "appear to support either the getpeereid() API nor the "
-	echo "SO_PEERCRED getsockopt() option. These facilities are used to "
-	echo "enforce security checks to prevent unauthorised connections to "
-	echo "ssh-agent. Their absence increases the risk that a malicious "
-	echo "user can connect to your agent. "
+	echo "WARNING: the operating system that you are using does not"
+	echo "appear to support getpeereid(), getpeerucred() or the"
+	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
+	echo "enforce security checks to prevent unauthorised connections to"
+	echo "ssh-agent. Their absence increases the risk that a malicious"
+	echo "user can connect to your agent."
 	echo ""
 fi
 

Modified: trunk/configure.ac
===================================================================
--- trunk/configure.ac	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/configure.ac	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.372 2007/03/05 00:51:27 djm Exp $
+# $Id: configure.ac,v 1.383 2007/08/10 04:36:12 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT(OpenSSH, Portable, openssh-unix-dev at mindrot.org)
-AC_REVISION($Revision: 1.372 $)
+AC_REVISION($Revision: 1.383 $)
 AC_CONFIG_SRCDIR([ssh.c])
 
 AC_CONFIG_HEADER(config.h)
@@ -94,9 +94,12 @@
 	CFLAGS="$CFLAGS -Wall -Wpointer-arith -Wuninitialized"
 	GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
 	case $GCC_VER in
-		1.*) ;;
-		2.8* | 2.9*) CFLAGS="$CFLAGS -Wsign-compare" ;;
-		2.*) ;;
+		1.*) no_attrib_nonnull=1 ;;
+		2.8* | 2.9*)
+		     CFLAGS="$CFLAGS -Wsign-compare"
+		     no_attrib_nonnull=1
+		     ;;
+		2.*) no_attrib_nonnull=1 ;;
 		3.*) CFLAGS="$CFLAGS -Wsign-compare" ;;
 		4.*) CFLAGS="$CFLAGS -Wsign-compare -Wno-pointer-sign" ;;
 		*) ;;
@@ -115,6 +118,10 @@
 	fi
 fi
 
+if test "x$no_attrib_nonnull" != "x1" ; then
+	AC_DEFINE(HAVE_ATTRIBUTE__NONNULL__, 1, [Have attribute nonnull])
+fi
+
 AC_ARG_WITH(rpath,
 	[  --without-rpath         Disable auto-added -R linker paths],
 	[
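Review bot: `no_attrib_nonnull` is only ever assigned inside the GCC version `case` in the previous hunk (the `1.*`, `2.8* | 2.9*` and `2.*` arms) and is never initialised, so the `*) ;;` arm, an unparsed `GCC_VER`, and any compiler that never reaches that block all satisfy `test "x$no_attrib_nonnull" != "x1"` and get `HAVE_ATTRIBUTE__NONNULL__` defined by default. A version sniff is a weak proxy for attribute support; an `AC_TRY_COMPILE` of a prototype carrying `__attribute__((__nonnull__(1)))` would make the define reflect what the compiler actually accepts. If the version test is kept, initialise `no_attrib_nonnull=0` before the `case` and add a comment stating that "supported" is the intended default.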
@@ -198,6 +205,7 @@
 	netgroup.h \
 	pam/pam_appl.h \
 	paths.h \
+	poll.h \
 	pty.h \
 	readpassphrase.h \
 	rpc/types.h \
@@ -229,6 +237,7 @@
 	time.h \
 	tmpdir.h \
 	ttyent.h \
+	ucred.h \
 	unistd.h \
 	usersec.h \
 	util.h \
@@ -809,6 +818,11 @@
 	AC_DEFINE(DISABLE_LASTLOG)
 	AC_DEFINE(SSHD_ACQUIRES_CTTY)
 	enable_etc_default_login=no	# has incompatible /etc/default/login
+	case "$host" in
+	*-*-nto-qnx6*)
+		AC_DEFINE(DISABLE_FD_PASSING)
+		;;
+	esac
 	;;
 
 *-*-ultrix*)
@@ -1141,8 +1155,7 @@
 					CPPFLAGS="-I${withval} ${CPPFLAGS}"
 				fi
 			fi
-			LIBWRAP="-lwrap"
-			LIBS="$LIBWRAP $LIBS"
+			LIBS="-lwrap $LIBS"
 			AC_MSG_CHECKING(for libwrap)
 			AC_TRY_LINK(
 				[
@@ -1158,7 +1171,7 @@
 					AC_DEFINE(LIBWRAP, 1,
 						[Define if you want
 						TCP Wrappers support])
-					AC_SUBST(LIBWRAP)
+					SSHDLIBS="$SSHDLIBS -lwrap"
 					TCPW_MSG="yes"
 				],
 				[
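Review bot: `-lwrap` now ends up in both `LIBS` (added unconditionally by `LIBS="-lwrap $LIBS"` before the link test in the previous hunk, with no restore in the visible lines) and `SSHDLIBS` (this hunk), so every binary still links against libwrap even though the point of introducing `SSHDLIBS` is to confine such libraries to sshd. Suggest the save/restore pattern this same revision uses for libiaf further down: `saved_LIBS="$LIBS"`, add `-lwrap` to `LIBS` only for the duration of the `AC_TRY_LINK`, then `LIBS="$saved_LIBS"`, leaving `SSHDLIBS="$SSHDLIBS -lwrap"` as the only lasting addition.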
@@ -1273,6 +1286,7 @@
 	getnameinfo \
 	getopt \
 	getpeereid \
+	getpeerucred \
 	_getpty \
 	getrlimit \
 	getttyent \
@@ -1291,6 +1305,7 @@
 	ogetaddrinfo \
 	openlog_r \
 	openpty \
+	poll \
 	prctl \
 	pstat \
 	readpassphrase \
@@ -1324,6 +1339,7 @@
 	strtonum \
 	strtoll \
 	strtoul \
+	swap32 \
 	sysconf \
 	tcgetpgrp \
 	truncate \
@@ -1396,6 +1412,14 @@
 #include <unistd.h>
 	])
 
+AC_CHECK_DECLS(MAXSYMLINKS, , , [
+#include <sys/param.h>
+	])
+
+AC_CHECK_DECLS(offsetof, , , [
+#include <stddef.h>
+	])
+
 AC_CHECK_FUNCS(setresuid, [
 	dnl Some platorms have setresuid that isn't implemented, test for this
 	AC_MSG_CHECKING(if setresuid seems to work)
@@ -1521,7 +1545,7 @@
 
 # Check for missing getpeereid (or equiv) support
 NO_PEERCHECK=""
-if test "x$ac_cv_func_getpeereid" != "xyes" ; then
+if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
 	AC_MSG_CHECKING([whether system supports SO_PEERCRED getsockopt])
 	AC_TRY_COMPILE(
 		[#include <sys/types.h>
@@ -2009,7 +2033,12 @@
 # Search for SHA256 support in libc and/or OpenSSL
 AC_CHECK_FUNCS(SHA256_Update EVP_sha256)
 
-AC_CHECK_LIB(iaf, ia_openinfo)
+saved_LIBS="$LIBS"
+AC_CHECK_LIB(iaf, ia_openinfo, [
+	LIBS="$LIBS -liaf"
+	AC_CHECK_FUNCS(set_id, [SSHDLIBS="$SSHDLIBS -liaf"])
+])
+LIBS="$saved_LIBS"
 
 ### Configure cryptographic random number support
 
@@ -2059,7 +2088,7 @@
 
 			PAM_MSG="yes"
 
-			LIBPAM="-lpam"
+			SSHDLIBS="$SSHDLIBS -lpam"
 			AC_DEFINE(USE_PAM, 1,
 				[Define if you want to enable PAM support])
 
@@ -2069,11 +2098,10 @@
 					# libdl already in LIBS
 					;;
 				*)
-					LIBPAM="$LIBPAM -ldl"
+					SSHDLIBS="$SSHDLIBS -ldl"
 					;;
 				esac
 			fi
-			AC_SUBST(LIBPAM)
 		fi
 	]
 )
@@ -3182,25 +3210,43 @@
 			[#include <arpa/nameser.h>])
 	])
 
+AC_MSG_CHECKING(if struct __res_state _res is an extern)
+AC_LINK_IFELSE([
+#include <stdio.h>
+#if HAVE_SYS_TYPES_H
+# include <sys/types.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+extern struct __res_state _res;
+int main() { return 0; }
+		],
+		[AC_MSG_RESULT(yes)
+		 AC_DEFINE(HAVE__RES_EXTERN, 1,
+		    [Define if you have struct __res_state _res as an extern])
+		],
+		[ AC_MSG_RESULT(no) ]
+)
+
 # Check whether user wants SELinux support
 SELINUX_MSG="no"
 LIBSELINUX=""
 AC_ARG_WITH(selinux,
 	[  --with-selinux   Enable SELinux support],
 	[ if test "x$withval" != "xno" ; then
+		save_LIBS="$LIBS"
 		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
 		SELINUX_MSG="yes"
 		AC_CHECK_HEADER([selinux/selinux.h], ,
 		    AC_MSG_ERROR(SELinux support requires selinux.h header))
 		AC_CHECK_LIB(selinux, setexeccon, [ LIBSELINUX="-lselinux" ],
 		    AC_MSG_ERROR(SELinux support requires libselinux library))
-		save_LIBS="$LIBS"
-		LIBS="$LIBS $LIBSELINUX"
+		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
 		LIBS="$save_LIBS"
 	fi ]
 )
-AC_SUBST(LIBSELINUX)
 
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
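Review bot: removing `LIBS="$LIBS $LIBSELINUX"` while keeping `AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)` means those two link tests now run without `-lselinux`: `AC_CHECK_LIB` with an explicit action-if-found (here `[ LIBSELINUX="-lselinux" ]`) does not append the library to `LIBS`, so both functions will be reported missing and `HAVE_GETSEUSERBYNAME` / `HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL` will never be defined. Keep `SSHDLIBS="$SSHDLIBS $LIBSELINUX"` for linking sshd, but also put `LIBS="$LIBS $LIBSELINUX"` back immediately before the `AC_CHECK_FUNCS`; the `save_LIBS`/`LIBS="$save_LIBS"` pair, now moved to the top of the block, already restores it afterwards. In the `_res` extern probe above, `#if HAVE_SYS_TYPES_H` only works because confdefs.h defines the macro to 1; `#ifdef HAVE_SYS_TYPES_H` is the safer spelling.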
@@ -4036,7 +4082,10 @@
 echo "    Compiler flags: ${CFLAGS}"
 echo "Preprocessor flags: ${CPPFLAGS}"
 echo "      Linker flags: ${LDFLAGS}"
-echo "         Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
+echo "         Libraries: ${LIBS}"
+if test ! -z "${SSHDLIBS}"; then
+echo "         +for sshd: ${SSHDLIBS}"
+fi
 
 echo ""
 
@@ -4062,12 +4111,12 @@
 fi
 
 if test ! -z "$NO_PEERCHECK" ; then
-	echo "WARNING: the operating system that you are using does not "
-	echo "appear to support either the getpeereid() API nor the "
-	echo "SO_PEERCRED getsockopt() option. These facilities are used to "
-	echo "enforce security checks to prevent unauthorised connections to "
-	echo "ssh-agent. Their absence increases the risk that a malicious "
-	echo "user can connect to your agent. "
+	echo "WARNING: the operating system that you are using does not"
+	echo "appear to support getpeereid(), getpeerucred() or the"
+	echo "SO_PEERCRED getsockopt() option. These facilities are used to"
+	echo "enforce security checks to prevent unauthorised connections to"
+	echo "ssh-agent. Their absence increases the risk that a malicious"
+	echo "user can connect to your agent."
 	echo ""
 fi
 

Modified: trunk/contrib/caldera/openssh.spec
===================================================================
--- trunk/contrib/caldera/openssh.spec	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/contrib/caldera/openssh.spec	2008-03-10 20:34:38 UTC (rev 42)
@@ -17,7 +17,7 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable	1
 %if %{use_stable}
-  %define version 	4.6p1
+  %define version 	4.7p1
   %define cvs		%{nil}
   %define release 	1
 %else
@@ -357,4 +357,4 @@
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.60 2007/03/06 10:23:27 djm Exp $
+$Id: openssh.spec,v 1.61 2007/08/15 09:22:20 dtucker Exp $

Modified: trunk/contrib/redhat/openssh.spec
===================================================================
--- trunk/contrib/redhat/openssh.spec	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/contrib/redhat/openssh.spec	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-%define ver 4.6p1
+%define ver 4.7p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID

Modified: trunk/contrib/suse/openssh.spec
===================================================================
--- trunk/contrib/suse/openssh.spec	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/contrib/suse/openssh.spec	2008-03-10 20:34:38 UTC (rev 42)
@@ -13,7 +13,7 @@
 
 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	4.6p1
+Version:	4.7p1
 URL:		http://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz

Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/debian/changelog	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,3 +1,9 @@
+openssh (1:4.7p1-2.maemo1) unstable; urgency=low
+
+  * upgraded to upstream version 4.7p1-2
+
+ -- Ed Bartosh <bartosh at gmail.com>  Mon, 10 Mar 2008 22:21:56 +0200
+
 openssh (1:4.6p1-5.maemo3) unstable; urgency=low
 
   * added AM icons

Modified: trunk/defines.h
===================================================================
--- trunk/defines.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/defines.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.138 2006/09/21 13:13:30 dtucker Exp $ */
+/* $Id: defines.h,v 1.143 2007/08/09 04:37:52 dtucker Exp $ */
 
 
 /* Constants */
@@ -68,7 +68,7 @@
 # endif
 #endif
 
-#ifndef MAXSYMLINKS
+#if defined(HAVE_DECL_MAXSYMLINKS) && HAVE_DECL_MAXSYMLINKS == 0
 # define MAXSYMLINKS 5
 #endif
 
@@ -321,12 +321,6 @@
 #ifndef _PATH_BSHELL
 # define _PATH_BSHELL "/bin/sh"
 #endif
-#ifndef _PATH_CSHELL
-# define _PATH_CSHELL "/bin/csh"
-#endif
-#ifndef _PATH_SHELLS
-# define _PATH_SHELLS "/etc/shells"
-#endif
 
 #ifdef USER_PATH
 # ifdef _PATH_STDPATH
@@ -449,6 +443,10 @@
 # define __bounded__(x, y, z)
 #endif
 
+#if !defined(HAVE_ATTRIBUTE__NONNULL__) && !defined(__nonnull__)
+# define __nonnull__(x)
+#endif
+
 /* *-*-nto-qnx doesn't define this macro in the system headers */
 #ifdef MISSING_HOWMANY
 # define howmany(x,y)	(((x)+((y)-1))/(y))
@@ -487,7 +485,7 @@
 	 (struct cmsghdr *)NULL)
 #endif /* CMSG_FIRSTHDR */
 
-#ifndef offsetof
+#if defined(HAVE_DECL_OFFSETOF) && HAVE_DECL_OFFSETOF == 0
 # define offsetof(type, member) ((size_t) &((type *)0)->member)
 #endif
 
@@ -696,7 +694,8 @@
 # define CUSTOM_SYS_AUTH_PASSWD 1
 #endif
 
-#ifdef HAVE_LIBIAF
+#if defined(HAVE_LIBIAF) && defined(HAVE_SET_ID) && !defined(BROKEN_LIBIAF)
+# define USE_LIBIAF
 # define CUSTOM_SYS_AUTH_PASSWD 1
 #endif
 

Modified: trunk/entropy.c
===================================================================
--- trunk/entropy.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/entropy.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -35,8 +35,9 @@
 # include <fcntl.h>
 #endif
 #include <stdarg.h>
+#include <string.h>
+#include <signal.h>
 #include <unistd.h>
-#include <signal.h>
 
 #include <openssl/rand.h>
 #include <openssl/crypto.h>

Modified: trunk/gss-genr.c
===================================================================
--- trunk/gss-genr.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/gss-genr.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,7 +1,7 @@
-/* $OpenBSD: gss-genr.c,v 1.17 2006/08/29 12:02:30 dtucker Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */
 
 /*
- * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
+ * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions

Modified: trunk/gss-serv.c
===================================================================
--- trunk/gss-serv.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/gss-serv.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.20 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.21 2007/06/12 08:20:00 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2006 Simon Wilkinson. All rights reserved.
@@ -29,6 +29,7 @@
 #ifdef GSSAPI
 
 #include <sys/types.h>
+#include <sys/param.h>
 
 #include <stdarg.h>
 #include <string.h>
@@ -68,6 +69,53 @@
 	&gssapi_null_mech,
 };
 
+
+/*
+ * Acquire credentials for a server running on the current host.
+ * Requires that the context structure contains a valid OID
+ */
+
+/* Returns a GSSAPI error code */
+/* Privileged (called from ssh_gssapi_server_ctx) */
+static OM_uint32
+ssh_gssapi_acquire_cred(Gssctxt *ctx)
+{
+	OM_uint32 status;
+	char lname[MAXHOSTNAMELEN];
+	gss_OID_set oidset;
+
+	gss_create_empty_oid_set(&status, &oidset);
+	gss_add_oid_set_member(&status, ctx->oid, &oidset);
+
+	if (gethostname(lname, MAXHOSTNAMELEN)) {
+		gss_release_oid_set(&status, &oidset);
+		return (-1);
+	}
+
+	if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
+		gss_release_oid_set(&status, &oidset);
+		return (ctx->major);
+	}
+
+	if ((ctx->major = gss_acquire_cred(&ctx->minor,
+	    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, NULL, NULL)))
+		ssh_gssapi_error(ctx);
+
+	gss_release_oid_set(&status, &oidset);
+	return (ctx->major);
+}
+
+/* Privileged */
+OM_uint32
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+{
+	if (*ctx)
+		ssh_gssapi_delete_ctx(ctx);
+	ssh_gssapi_build_ctx(ctx);
+	ssh_gssapi_set_oid(*ctx, oid);
+	return (ssh_gssapi_acquire_cred(*ctx));
+}
+
 /* Unprivileged */
 char *
 ssh_gssapi_server_mechanisms() {
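Review bot: the status returns in `ssh_gssapi_acquire_cred()` are not checked: `gss_create_empty_oid_set()` and `gss_add_oid_set_member()` both return a major status that is discarded (only the minor status lands in `status`), and on a `gethostname()` failure the function returns `-1` from an `OM_uint32`-typed function, which `ssh_gssapi_server_ctx()` passes straight back to callers expecting a GSS status. Suggest testing `GSS_ERROR()` on both OID-set calls before continuing, and returning `GSS_S_FAILURE` instead of `-1` on the hostname path. Making the function `static` and moving it above its only caller is fine.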
@@ -115,57 +163,7 @@
 	gss_release_oid_set(&min_status, &supported);
 }
 
-OM_uint32
-ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
-{
-	if (*ctx)
-		ssh_gssapi_delete_ctx(ctx);
-	ssh_gssapi_build_ctx(ctx);
-	ssh_gssapi_set_oid(*ctx, oid);
-	return (ssh_gssapi_acquire_cred(*ctx));
-}
 
-/* Acquire credentials for a server running on the current host.
- * Requires that the context structure contains a valid OID
- */
-
-/* Returns a GSSAPI error code */
-OM_uint32
-ssh_gssapi_acquire_cred(Gssctxt *ctx)
-{
-	OM_uint32 status;
-	char lname[MAXHOSTNAMELEN];
-	gss_OID_set oidset;
-
-	if (options.gss_strict_acceptor) {
-		gss_create_empty_oid_set(&status, &oidset);
-		gss_add_oid_set_member(&status, ctx->oid, &oidset);
-
-		if (gethostname(lname, MAXHOSTNAMELEN)) {
-			gss_release_oid_set(&status, &oidset);
-			return (-1);
-		}
-
-		if (GSS_ERROR(ssh_gssapi_import_name(ctx, lname))) {
-			gss_release_oid_set(&status, &oidset);
-			return (ctx->major);
-		}
-
-		if ((ctx->major = gss_acquire_cred(&ctx->minor,
-		    ctx->name, 0, oidset, GSS_C_ACCEPT, &ctx->creds, 
-		    NULL, NULL)))
-			ssh_gssapi_error(ctx);
-
-		gss_release_oid_set(&status, &oidset);
-		return (ctx->major);
-	} else {
-		ctx->name = GSS_C_NO_NAME;
-		ctx->creds = GSS_C_NO_CREDENTIAL;
-	}
-	return GSS_S_COMPLETE;
-}
-
-
 /* Wrapper around accept_sec_context
  * Requires that the context contains:
  *    oid
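Review bot: this hunk drops the `options.gss_strict_acceptor` branch together with the relocated function: the old non-strict path set `ctx->name = GSS_C_NO_NAME` and `ctx->creds = GSS_C_NO_CREDENTIAL`, letting sshd accept for any principal in its keytab, whereas the new `static` version above always imports the local hostname and acquires credentials for that name only. That is a behaviour change for deployments that relied on the non-strict setting, and nothing in this diff documents it; the debian/changelog entry only says "upgraded to upstream version 4.7p1-2". Please confirm the option is removed from the config parser and manual in the same revision, and call the change out in the changelog so operators know acceptor-name checks are now always strict.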

Modified: trunk/includes.h
===================================================================
--- trunk/includes.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/includes.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -49,7 +49,7 @@
 #ifdef HAVE_NEXT
 # include <libc.h>
 #endif
-#ifdef HAVE_PATHS
+#ifdef HAVE_PATHS_H
 # include <paths.h>
 #endif
 

Modified: trunk/kex.c
===================================================================
--- trunk/kex.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/kex.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.77 2007/01/21 01:41:54 stevesk Exp $ */
+/* $OpenBSD: kex.c,v 1.79 2007/06/05 06:52:37 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -91,7 +91,7 @@
 kex_buf2prop(Buffer *raw, int *first_kex_follows)
 {
 	Buffer b;
-	int i;
+	u_int i;
 	char **proposal;
 
 	proposal = xcalloc(PROPOSAL_MAX, sizeof(char *));
@@ -112,7 +112,7 @@
 		*first_kex_follows = i;
 	debug2("kex_parse_kexinit: first_kex_follows %d ", i);
 	i = buffer_get_int(&b);
-	debug2("kex_parse_kexinit: reserved %d ", i);
+	debug2("kex_parse_kexinit: reserved %u ", i);
 	buffer_free(&b);
 	return proposal;
 }
@@ -127,6 +127,7 @@
 	xfree(proposal);
 }
 
+/* ARGSUSED */
 static void
 kex_protocol_error(int type, u_int32_t seq, void *ctxt)
 {
@@ -198,6 +199,7 @@
 	kex->flags |= KEX_INIT_SENT;
 }
 
+/* ARGSUSED */
 void
 kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
 {
@@ -262,7 +264,8 @@
 {
 	char *name = match_list(client, server, NULL);
 	if (name == NULL)
-		fatal("no matching cipher found: client %s server %s", client, server);
+		fatal("no matching cipher found: client %s server %s",
+		    client, server);
 	if ((enc->cipher = cipher_by_name(name)) == NULL)
 		fatal("matching cipher is not supported: %s", name);
 	enc->name = name;
@@ -278,8 +281,9 @@
 {
 	char *name = match_list(client, server, NULL);
 	if (name == NULL)
-		fatal("no matching mac found: client %s server %s", client, server);
-	if (mac_init(mac, name) < 0)
+		fatal("no matching mac found: client %s server %s",
+		    client, server);
+	if (mac_setup(mac, name) < 0)
 		fatal("unsupported mac %s", name);
 	/* truncate the key */
 	if (datafellows & SSH_BUG_HMAC)
@@ -312,7 +316,7 @@
 {
 	k->name = match_list(client, server, NULL);
 	if (k->name == NULL)
-		fatal("no kex alg");
+		fatal("Unable to negotiate a key exchange method");
 	if (strcmp(k->name, KEX_DH1) == 0) {
 		k->kex_type = KEX_DH_GRP1_SHA1;
 		k->evp_md = EVP_sha1();
@@ -406,7 +410,8 @@
 	for (mode = 0; mode < MODE_MAX; mode++) {
 		newkeys = xcalloc(1, sizeof(*newkeys));
 		kex->newkeys[mode] = newkeys;
-		ctos = (!kex->server && mode == MODE_OUT) || (kex->server && mode == MODE_IN);
+		ctos = (!kex->server && mode == MODE_OUT) ||
+		    (kex->server && mode == MODE_IN);
 		nenc  = ctos ? PROPOSAL_ENC_ALGS_CTOS  : PROPOSAL_ENC_ALGS_STOC;
 		nmac  = ctos ? PROPOSAL_MAC_ALGS_CTOS  : PROPOSAL_MAC_ALGS_STOC;
 		ncomp = ctos ? PROPOSAL_COMP_ALGS_CTOS : PROPOSAL_COMP_ALGS_STOC;

Modified: trunk/kex.h
===================================================================
--- trunk/kex.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/kex.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.44 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: kex.h,v 1.46 2007/06/07 19:37:34 pvalchev Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -28,6 +28,7 @@
 
 #include <signal.h>
 #include <openssl/evp.h>
+#include <openssl/hmac.h>
 
 #define	KEX_DH1			"diffie-hellman-group1-sha1"
 #define	KEX_DH14		"diffie-hellman-group14-sha1"
@@ -89,10 +90,13 @@
 struct Mac {
 	char	*name;
 	int	enabled;
-	const EVP_MD	*md;
 	u_int	mac_len;
 	u_char	*key;
 	u_int	key_len;
+	int	type;
+	const EVP_MD	*evp_md;
+	HMAC_CTX	evp_ctx;
+	struct umac_ctx *umac_ctx;
 };
 struct Comp {
 	int	type;

Modified: trunk/key.c
===================================================================
--- trunk/key.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/key.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.68 2006/11/06 21:25:28 markus Exp $ */
+/* $OpenBSD: key.c,v 1.69 2007/07/12 05:48:05 ray Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -170,9 +170,7 @@
 		    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
 	default:
 		fatal("key_equal: bad key type %d", a->type);
-		break;
 	}
-	return 0;
 }
 
 u_char*
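Review bot: dropping the `break;` and the trailing `return 0;` after `fatal()` relies on `fatal()` being declared `__attribute__((noreturn))`; on a compiler that does not honour that attribute `key_equal()` now falls off the end of a non-void function and will draw a warning. If the tree's `fatal()` prototype carries the attribute this is fine, otherwise keep the `return 0;`.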

Modified: trunk/log.c
===================================================================
--- trunk/log.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/log.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: log.c,v 1.39 2006/08/18 09:13:25 deraadt Exp $ */
+/* $OpenBSD: log.c,v 1.40 2007/05/17 07:50:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -44,6 +44,7 @@
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
+#include <errno.h>
 #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
 # include <vis.h>
 #endif
@@ -315,6 +316,7 @@
 	char fmtbuf[MSGBUFSIZ];
 	char *txt = NULL;
 	int pri = LOG_INFO;
+	int saved_errno = errno;
 
 	if (level > log_level)
 		return;
@@ -375,4 +377,5 @@
 		closelog();
 #endif
 	}
+	errno = saved_errno;
 }

Modified: trunk/loginrec.c
===================================================================
--- trunk/loginrec.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/loginrec.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -161,6 +161,7 @@
 #include <pwd.h>
 #include <stdarg.h>
 #include <string.h>
+#include <time.h>
 #include <unistd.h>
 
 #include "xmalloc.h"

Modified: trunk/mac.c
===================================================================
--- trunk/mac.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/mac.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.12 2006/08/03 03:34:42 deraadt Exp $ */
+/* $OpenBSD: mac.c,v 1.14 2007/06/07 19:37:34 pvalchev Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -42,63 +42,126 @@
 #include "mac.h"
 #include "misc.h"
 
+#include "umac.h"
+
+#define SSH_EVP		1	/* OpenSSL EVP-based MAC */
+#define SSH_UMAC	2	/* UMAC (not integrated with OpenSSL) */
+
 struct {
 	char		*name;
+	int		type;
 	const EVP_MD *	(*mdfunc)(void);
 	int		truncatebits;	/* truncate digest if != 0 */
+	int		key_len;	/* just for UMAC */
+	int		len;		/* just for UMAC */
 } macs[] = {
-	{ "hmac-sha1",			EVP_sha1, 0, },
-	{ "hmac-sha1-96",		EVP_sha1, 96 },
-	{ "hmac-md5",			EVP_md5, 0 },
-	{ "hmac-md5-96",		EVP_md5, 96 },
-	{ "hmac-ripemd160",		EVP_ripemd160, 0 },
-	{ "hmac-ripemd160 at openssh.com",	EVP_ripemd160, 0 },
-	{ NULL,				NULL, 0 }
+	{ "hmac-sha1",			SSH_EVP, EVP_sha1, 0, -1, -1 },
+	{ "hmac-sha1-96",		SSH_EVP, EVP_sha1, 96, -1, -1 },
+	{ "hmac-md5",			SSH_EVP, EVP_md5, 0, -1, -1 },
+	{ "hmac-md5-96",		SSH_EVP, EVP_md5, 96, -1, -1 },
+	{ "hmac-ripemd160",		SSH_EVP, EVP_ripemd160, 0, -1, -1 },
+	{ "hmac-ripemd160 at openssh.com",	SSH_EVP, EVP_ripemd160, 0, -1, -1 },
+	{ "umac-64 at openssh.com",	SSH_UMAC, NULL, 0, 128, 64 },
+	{ NULL,				0, NULL, 0, -1, -1 }
 };
 
+static void
+mac_setup_by_id(Mac *mac, int which)
+{
+	int evp_len;
+	mac->type = macs[which].type;
+	if (mac->type == SSH_EVP) {
+		mac->evp_md = (*macs[which].mdfunc)();
+		if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
+			fatal("mac %s len %d", mac->name, evp_len);
+		mac->key_len = mac->mac_len = (u_int)evp_len;
+	} else {
+		mac->mac_len = macs[which].len / 8;
+		mac->key_len = macs[which].key_len / 8;
+		mac->umac_ctx = NULL;
+	}
+	if (macs[which].truncatebits != 0)
+		mac->mac_len = macs[which].truncatebits / 8;
+}
+
 int
-mac_init(Mac *mac, char *name)
+mac_setup(Mac *mac, char *name)
 {
-	int i, evp_len;
+	int i;
 
 	for (i = 0; macs[i].name; i++) {
 		if (strcmp(name, macs[i].name) == 0) {
-			if (mac != NULL) {
-				mac->md = (*macs[i].mdfunc)();
-				if ((evp_len = EVP_MD_size(mac->md)) <= 0)
-					fatal("mac %s len %d", name, evp_len);
-				mac->key_len = mac->mac_len = (u_int)evp_len;
-				if (macs[i].truncatebits != 0)
-					mac->mac_len = macs[i].truncatebits/8;
-			}
-			debug2("mac_init: found %s", name);
+			if (mac != NULL)
+				mac_setup_by_id(mac, i);
+			debug2("mac_setup: found %s", name);
 			return (0);
 		}
 	}
-	debug2("mac_init: unknown %s", name);
+	debug2("mac_setup: unknown %s", name);
 	return (-1);
 }
 
+int
+mac_init(Mac *mac)
+{
+	if (mac->key == NULL)
+		fatal("mac_init: no key");
+	switch (mac->type) {
+	case SSH_EVP:
+		if (mac->evp_md == NULL)
+			return -1;
+		HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md);
+		return 0;
+	case SSH_UMAC:
+		mac->umac_ctx = umac_new(mac->key);
+		return 0;
+	default:
+		return -1;
+	}
+}
+
 u_char *
 mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
 {
-	HMAC_CTX c;
 	static u_char m[EVP_MAX_MD_SIZE];
-	u_char b[4];
+	u_char b[4], nonce[8];
 
-	if (mac->key == NULL)
-		fatal("mac_compute: no key");
 	if (mac->mac_len > sizeof(m))
-		fatal("mac_compute: mac too long");
-	HMAC_Init(&c, mac->key, mac->key_len, mac->md);
-	put_u32(b, seqno);
-	HMAC_Update(&c, b, sizeof(b));
-	HMAC_Update(&c, data, datalen);
-	HMAC_Final(&c, m, NULL);
-	HMAC_cleanup(&c);
+		fatal("mac_compute: mac too long %u %lu",
+		    mac->mac_len, sizeof(m));
+
+	switch (mac->type) {
+	case SSH_EVP:
+		put_u32(b, seqno);
+		/* reset HMAC context */
+		HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
+		HMAC_Update(&mac->evp_ctx, b, sizeof(b));
+		HMAC_Update(&mac->evp_ctx, data, datalen);
+		HMAC_Final(&mac->evp_ctx, m, NULL);
+		break;
+	case SSH_UMAC:
+		put_u64(nonce, seqno);
+		umac_update(mac->umac_ctx, data, datalen);
+		umac_final(mac->umac_ctx, m, nonce);
+		break;
+	default:
+		fatal("mac_compute: unknown MAC type");
+	}
 	return (m);
 }
 
+void
+mac_clear(Mac *mac)
+{
+	if (mac->type == SSH_UMAC) {
+		if (mac->umac_ctx != NULL)
+			umac_delete(mac->umac_ctx);
+	} else if (mac->evp_md != NULL)
+		HMAC_cleanup(&mac->evp_ctx);
+	mac->evp_md = NULL;
+	mac->umac_ctx = NULL;
+}
+
 /* XXX copied from ciphers_valid */
 #define	MAC_SEP	","
 int
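Review bot: `mac_compute()` lost its `mac->key == NULL` guard (moved into `mac_init()`), but nothing in `mac_compute()` now verifies that `mac_init()` was actually called: for `SSH_UMAC` the `umac_update(mac->umac_ctx, ...)` call dereferences `umac_ctx`, which `mac_setup_by_id()` initialises to NULL, and for `SSH_EVP` the reset `HMAC_Init(&mac->evp_ctx, NULL, 0, NULL)` runs on an `HMAC_CTX` that was never keyed. A cheap guard such as `if (mac->type == SSH_UMAC && mac->umac_ctx == NULL) fatal("mac_compute: umac not initialised");` plus a matching check on `evp_md` turns a silent crash or garbage tag into a clear failure. Two nits: `fatal("mac_compute: mac too long %u %lu", mac->mac_len, sizeof(m))` passes a `size_t` to `%lu`, cast it to `(u_long)`; and `mac_init()` returns `-1` for an unknown type while `mac_compute()` calls `fatal()` for the same condition, pick one.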
@@ -111,7 +174,7 @@
 	maclist = cp = xstrdup(names);
 	for ((p = strsep(&cp, MAC_SEP)); p && *p != '\0';
 	    (p = strsep(&cp, MAC_SEP))) {
-		if (mac_init(NULL, p) < 0) {
+		if (mac_setup(NULL, p) < 0) {
 			debug("bad mac %s [%s]", p, names);
 			xfree(maclist);
 			return (0);

Modified: trunk/mac.h
===================================================================
--- trunk/mac.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/mac.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.h,v 1.4 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: mac.h,v 1.6 2007/06/07 19:37:34 pvalchev Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -24,5 +24,7 @@
  */
 
 int	 mac_valid(const char *);
-int	 mac_init(Mac *, char *);
+int	 mac_setup(Mac *, char *);
+int	 mac_init(Mac *);
 u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
+void	 mac_clear(Mac *);

Modified: trunk/mdoc2man.awk
===================================================================
--- trunk/mdoc2man.awk	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/mdoc2man.awk	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,6 +1,9 @@
 #!/usr/bin/awk
 #
+# $Id: mdoc2man.awk,v 1.8 2007/06/05 10:01:16 dtucker Exp $
+#
 # Version history:
+#  v4+ Adapted for OpenSSH Portable (see cvs Id and history)
 #  v3, I put the program under a proper license
 #      Dan Nelson <dnelson at allantgroup.com> added .An, .Aq and fixed a typo
 #  v2, fixed to work on GNU awk --posix and MacOS X
@@ -135,6 +138,12 @@
 	nospace=0
     }
     if(match(words[w],"^Dd$")) {
+      if(match(words[w+1],"^\\$Mdocdate:")) {
+        w++;
+        if(match(words[w+4],"^\\$$")) {
+          words[w+4] = ""
+        }
+      }
       date=wtail()
       next
     } else if(match(words[w],"^Dt$")) {
@@ -157,6 +166,7 @@
       refissue=""
       refdate=""
       refopt=""
+      refreport=""
       reference=1
       next
     } else if(match(words[w],"^Re$")) {
@@ -168,9 +178,14 @@
       }
       if(nrefauthors>1)
 	add(" and ")
-      add(refauthors[0] ", \\fI" reftitle "\\fP")
+      if(nrefauthors>0)
+        add(refauthors[0] ", ")
+      add("\\fI" reftitle "\\fP")
       if(length(refissue))
 	add(", " refissue)
+      if(length(refreport)) {
+	add(", " refreport)
+      }
       if(length(refdate))
 	add(", " refdate)
       if(length(refopt))
@@ -187,6 +202,7 @@
       if(match(words[w],"^%N$")) { refissue=wtail() }
       if(match(words[w],"^%D$")) { refdate=wtail() }
       if(match(words[w],"^%O$")) { refopt=wtail() }
+      if(match(words[w],"^%R$")) { refreport=wtail() }
     } else if(match(words[w],"^Nm$")) {
       if(synopsis) {
 	add(".br")

Modified: trunk/monitor.c
===================================================================
--- trunk/monitor.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/monitor.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.90 2007/02/19 10:45:58 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.91 2007/05/17 20:52:13 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos at citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus at openbsd.org>
@@ -422,6 +422,7 @@
 	monitor_set_child_handler(pmonitor->m_pid);
 	signal(SIGHUP, &monitor_child_handler);
 	signal(SIGTERM, &monitor_child_handler);
+	signal(SIGINT, &monitor_child_handler);
 
 	if (compat20) {
 		mon_dispatch = mon_dispatch_postauth20;

Modified: trunk/monitor_wrap.c
===================================================================
--- trunk/monitor_wrap.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/monitor_wrap.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.55 2007/02/19 10:45:58 dtucker Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.57 2007/06/07 19:37:34 pvalchev Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos at citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus at openbsd.org>
@@ -494,8 +494,8 @@
 
 	/* Mac structure */
 	mac->name = buffer_get_string(&b, NULL);
-	if (mac->name == NULL || mac_init(mac, mac->name) == -1)
-		fatal("%s: can not init mac %s", __func__, mac->name);
+	if (mac->name == NULL || mac_setup(mac, mac->name) == -1)
+		fatal("%s: can not setup mac %s", __func__, mac->name);
 	mac->enabled = buffer_get_int(&b);
 	mac->key = buffer_get_string(&b, &len);
 	if (len > mac->key_len)

Modified: trunk/myproposal.h
===================================================================
--- trunk/myproposal.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/myproposal.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.21 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.22 2007/06/07 19:37:34 pvalchev Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -47,7 +47,7 @@
 	"aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se," \
 	"aes128-ctr,aes192-ctr,aes256-ctr"
 #define	KEX_DEFAULT_MAC \
-	"hmac-md5,hmac-sha1,hmac-ripemd160," \
+	"hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160," \
 	"hmac-ripemd160 at openssh.com," \
 	"hmac-sha1-96,hmac-md5-96"
 #define	KEX_DEFAULT_COMP	"none,zlib at openssh.com,zlib"
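Review bot: the new `umac-64 at openssh.com` is placed third, after `hmac-md5` and `hmac-sha1`, so with the client-preference rule it is only chosen when the peer supports neither of those; if the intent is to prefer it for speed it needs to go first. While touching this list, `hmac-md5` remaining the top preference is worth revisiting from a defence-in-depth standpoint, independent of this change.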

Modified: trunk/openbsd-compat/Makefile.in
===================================================================
--- trunk/openbsd-compat/Makefile.in	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/Makefile.in	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.40 2006/08/30 17:24:41 djm Exp $
+# $Id: Makefile.in,v 1.41 2007/06/25 12:15:13 dtucker Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -18,7 +18,7 @@
 
 OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
 
-COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
 PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 

Modified: trunk/openbsd-compat/bsd-cray.c
===================================================================
--- trunk/openbsd-compat/bsd-cray.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/bsd-cray.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,5 +1,5 @@
 /* 
- * $Id: bsd-cray.c,v 1.16 2006/09/01 05:38:41 djm Exp $
+ * $Id: bsd-cray.c,v 1.17 2007/08/15 09:17:43 dtucker Exp $
  *
  * bsd-cray.c
  *
@@ -751,8 +751,6 @@
 	char *login = NULL;
 	struct jtab jtab;
 
-	debug("received signal %d",sig);
-
 	if ((jid = waitjob(&jtab)) == -1 ||
 	    (login = uid2nam(jtab.j_uid)) == NULL)
 		return;

Modified: trunk/openbsd-compat/bsd-getpeereid.c
===================================================================
--- trunk/openbsd-compat/bsd-getpeereid.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/bsd-getpeereid.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -37,6 +37,28 @@
 
 	return (0);
 }
+#elif defined(HAVE_GETPEERUCRED)
+
+#ifdef HAVE_UCRED_H
+# include <ucred.h>
+#endif
+
+int
+getpeereid(int s, uid_t *euid, gid_t *gid)
+{
+	ucred_t *ucred = NULL;
+
+	if (getpeerucred(s, &ucred) == -1)
+		return (-1);
+	if ((*euid = ucred_geteuid(ucred)) == -1)
+		return (-1);
+	if ((*gid = ucred_getrgid(ucred)) == -1)
+		return (-1);
+
+	ucred_free(ucred);
+
+	return (0);
+}
 #else
 int
 getpeereid(int s, uid_t *euid, gid_t *gid)
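Review bot: `ucred` leaks on both error returns after `getpeerucred()` succeeds: the `ucred_geteuid()` and `ucred_getrgid()` failure paths `return (-1)` without `ucred_free(ucred)`. Move the `ucred_free()` ahead of the returns or branch to a common exit. Also, `getpeereid()` is specified to return the peer's effective uid and effective gid, but this fallback uses `ucred_getrgid()` (the real gid); `ucred_getegid()` is the matching call, and the `gid` the agent-side check sees should be the effective one.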

Modified: trunk/openbsd-compat/bsd-misc.c
===================================================================
--- trunk/openbsd-compat/bsd-misc.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/bsd-misc.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -17,6 +17,7 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
 #ifdef HAVE_SYS_SELECT_H
 # include <sys/select.h>
 #endif
@@ -27,6 +28,7 @@
 #include <string.h>
 #include <signal.h>
 #include <stdlib.h>
+#include <unistd.h>
 
 #include "xmalloc.h"
 
@@ -156,7 +158,8 @@
 		tremain.tv_sec = 0;
 		tremain.tv_usec = 0;
 	}
-	TIMEVAL_TO_TIMESPEC(&tremain, rem)
+	if (rem != NULL)
+		TIMEVAL_TO_TIMESPEC(&tremain, rem)
 
 	return(rc);
 }
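Review bot: the `rem != NULL` check is needed because nanosleep(2) permits a NULL `rem` and the old code dereferenced it unconditionally. The macro invocation still carries no trailing semicolon on either side of the change, so this compiles only because TIMEVAL_TO_TIMESPEC expands to a braced block; adding the semicolon costs nothing and keeps the line correct should the macro ever become a do/while(0).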

Modified: trunk/openbsd-compat/getrrsetbyname.c
===================================================================
--- trunk/openbsd-compat/getrrsetbyname.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/getrrsetbyname.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -67,14 +67,10 @@
 #endif
 #define _THREAD_PRIVATE(a,b,c) (c)
 
-/* to avoid conflicts where a platform already has _res */
-#ifdef _res
-# undef _res
+#ifndef HAVE__RES_EXTERN
+struct __res_state _res;
 #endif
-#define _res	_compat_res
 
-struct __res_state _res;
-
 /* Necessary functions and macros */
 
 /*
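Review bot: the removed `#undef _res` / `#define _res _compat_res` indirection existed precisely because some platforms define `_res` as a macro (the deleted comment says so). With it gone, `struct __res_state _res;` expands to whatever the platform macro names whenever HAVE__RES_EXTERN is unset, so the configure test behind HAVE__RES_EXTERN must detect a macro `_res` as well as an extern declaration, otherwise this regresses those platforms.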

Modified: trunk/openbsd-compat/openbsd-compat.h
===================================================================
--- trunk/openbsd-compat/openbsd-compat.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/openbsd-compat.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.42 2006/09/03 12:44:50 dtucker Exp $ */
+/* $Id: openbsd-compat.h,v 1.43 2007/06/25 12:15:13 dtucker Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -140,6 +140,7 @@
 /* Home grown routines */
 #include "bsd-misc.h"
 #include "bsd-waitpid.h"
+#include "bsd-poll.h"
 
 #ifndef HAVE_GETPEEREID
 int getpeereid(int , uid_t *, gid_t *);

Modified: trunk/openbsd-compat/openssl-compat.h
===================================================================
--- trunk/openbsd-compat/openssl-compat.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/openssl-compat.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.7 2007/03/05 07:25:20 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.10 2007/06/14 13:47:31 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker at zip.com.au>
@@ -29,6 +29,11 @@
 #endif
 
 #ifdef USE_BUILTIN_RIJNDAEL
+# include "rijndael.h"
+# define AES_KEY rijndael_ctx
+# define AES_BLOCK_SIZE 16
+# define AES_encrypt(a, b, c)		rijndael_encrypt(c, a, b)
+# define AES_set_encrypt_key(a, b, c)	rijndael_set_key(c, (char *)a, b, 1)
 # define EVP_aes_128_cbc evp_rijndael
 # define EVP_aes_192_cbc evp_rijndael
 # define EVP_aes_256_cbc evp_rijndael
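Review bot: the `(char *)a` cast in AES_set_encrypt_key silently discards const on the key pointer and would also hide a wrong pointer type at the call site; prefer casting to the exact parameter type declared in rijndael.h, or no cast if a plain pointer is accepted. Note also that only the encryption half of the AES_* API is mapped here (no AES_decrypt / AES_set_decrypt_key), so anything built against the built-in Rijndael path is limited to encrypt-only use such as a counter mode.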

Modified: trunk/openbsd-compat/port-aix.c
===================================================================
--- trunk/openbsd-compat/port-aix.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/port-aix.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -240,7 +240,7 @@
 
 	/*
 	 * Don't perform checks for root account (PermitRootLogin controls
-	 * logins via * ssh) or if running as non-root user (since
+	 * logins via ssh) or if running as non-root user (since
 	 * loginrestrictions will always fail due to insufficient privilege).
 	 */
 	if (pw->pw_uid == 0 || geteuid() != 0) {

Modified: trunk/openbsd-compat/port-linux.c
===================================================================
--- trunk/openbsd-compat/port-linux.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/port-linux.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.3 2006/09/01 05:38:41 djm Exp $ */
+/* $Id: port-linux.c,v 1.4 2007/06/27 22:48:03 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Daniel Walsh <dwalsh at redhat.com>

Modified: trunk/openbsd-compat/port-uw.c
===================================================================
--- trunk/openbsd-compat/port-uw.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/port-uw.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -79,7 +79,7 @@
 #endif /* UNIXWARE_LONG_PASSWORDS */
 		result = (strcmp(xcrypt(password, salt), pw_password) == 0);
 
-#if !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
 	if (authctxt->valid)
 		free(pw_password);
 #endif
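Review bot: switching from `#if !defined(BROKEN_LIBIAF)` to `#ifdef USE_LIBIAF` changes when pw_password is freed: the old condition was true whenever BROKEN_LIBIAF was unset, including builds without libiaf at all if this block is compiled there, which would free a pointer shadow_pw() never allocated. The new form is safer provided configure defines USE_LIBIAF only when HAVE_LIBIAF is set and BROKEN_LIBIAF is not; port-uw.h, xcrypt.c and session.c in this commit rely on the same macro, so its definition needs to land in config.h.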
@@ -127,7 +127,7 @@
 	functions that call shadow_pw() will need to free
  */
 
-#if !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
 char *
 get_iaf_password(struct passwd *pw)
 {
@@ -144,6 +144,6 @@
 	else
 		fatal("ia_openinfo: Unable to open the shadow passwd file");
 }
-#endif /* !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
 #endif /* HAVE_LIBIAF */
 

Modified: trunk/openbsd-compat/port-uw.h
===================================================================
--- trunk/openbsd-compat/port-uw.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/port-uw.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -24,7 +24,7 @@
 
 #include "includes.h"
 
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
 char * get_iaf_password(struct passwd *pw);
 #endif
 

Modified: trunk/openbsd-compat/regress/closefromtest.c
===================================================================
--- trunk/openbsd-compat/regress/closefromtest.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/regress/closefromtest.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -38,7 +38,7 @@
 	char buf[512];
 
 	for (i = 0; i < NUM_OPENS; i++)
-		if ((fds[i] = open("/dev/null", "r")) == -1)
+		if ((fds[i] = open("/dev/null", O_RDONLY)) == -1)
 			exit(0);	/* can't test */
 	max = i - 1;
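Review bot: passing the string "r" as open(2)'s flags argument was a type bug (a pointer where an int is expected); O_RDONLY is the correct fix and needs <fcntl.h> included. Separately, `exit(0)` on open failure reports the test as passed when it could not run; exiting with a distinct skip status or printing a message would stop a broken environment from masking a real closefrom() regression.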
 

Modified: trunk/openbsd-compat/xcrypt.c
===================================================================
--- trunk/openbsd-compat/xcrypt.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/xcrypt.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -98,7 +98,7 @@
 		pw_password = spw->sp_pwdp;
 # endif
 
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
 	return(get_iaf_password(pw));
 #endif
 

Modified: trunk/openbsd-compat/xmmap.c
===================================================================
--- trunk/openbsd-compat/xmmap.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openbsd-compat/xmmap.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -23,7 +23,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
-/* $Id: xmmap.c,v 1.12 2006/08/24 09:58:36 dtucker Exp $ */
+/* $Id: xmmap.c,v 1.14 2007/06/11 02:52:24 djm Exp $ */
 
 #include "includes.h"
 
@@ -38,12 +38,14 @@
 #endif
 #include <errno.h>
 #include <stdarg.h>
+#include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 #include "log.h"
 
-void *xmmap(size_t size)
+void *
+xmmap(size_t size)
 {
 #ifdef HAVE_MMAP
 	void *address;

Modified: trunk/openssh.xml.in
===================================================================
--- trunk/openssh.xml.in	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/openssh.xml.in	2008-03-10 20:34:38 UTC (rev 42)
@@ -19,7 +19,7 @@
 <service_bundle type='manifest' name='OpenSSH server'>
 
     <service
-        name='site/openssh'
+        name='site/__SYSVINIT_NAME__'
         type='service'
         version='1'>
 
@@ -56,7 +56,7 @@
         <exec_method
             name='start'
             type='method'
-            exec='/lib/svc/method/site/__SYSVINIT_NAME__ start'
+            exec='__SMF_METHOD_DIR__/__SYSVINIT_NAME__ start'
             timeout_seconds='60'>
             <method_context/>
         </exec_method>

Modified: trunk/packet.c
===================================================================
--- trunk/packet.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/packet.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.145 2006/09/19 21:14:08 markus Exp $ */
+/* $OpenBSD: packet.c,v 1.148 2007/06/07 19:37:34 pvalchev Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -632,7 +632,7 @@
 		enc  = &newkeys[mode]->enc;
 		mac  = &newkeys[mode]->mac;
 		comp = &newkeys[mode]->comp;
-		memset(mac->key, 0, mac->key_len);
+		mac_clear(mac);
 		xfree(enc->name);
 		xfree(enc->iv);
 		xfree(enc->key);
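Review bot: mac_clear(mac) replaces the explicit memset of mac->key, so key zeroisation on this free path now depends on mac_clear() wiping the key material rather than only releasing the digest context; worth confirming in mac.c, since the old memset is what guaranteed the MAC key did not linger in freed memory.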
@@ -647,14 +647,15 @@
 	enc  = &newkeys[mode]->enc;
 	mac  = &newkeys[mode]->mac;
 	comp = &newkeys[mode]->comp;
-	if (mac->md != NULL)
+	if (mac_init(mac) == 0)
 		mac->enabled = 1;
 	DBG(debug("cipher_init_context: %d", mode));
 	cipher_init(cc, enc->cipher, enc->key, enc->key_len,
 	    enc->iv, enc->block_size, crypt_type);
 	/* Deleting the keys does not gain extra security */
 	/* memset(enc->iv,  0, enc->block_size);
-	   memset(enc->key, 0, enc->key_len); */
+	   memset(enc->key, 0, enc->key_len);
+	   memset(mac->key, 0, mac->key_len); */
 	if ((comp->type == COMP_ZLIB ||
 	    (comp->type == COMP_DELAYED && after_authentication)) &&
 	    comp->enabled == 0) {
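Review bot: `mac_init(mac) == 0` now gates enabling the MAC, but a non-zero return is silently ignored and the connection continues with mac->enabled unset; failing hard on a mac_init() error would be safer than proceeding without integrity protection. Also, the `memset(mac->key, ...)` added here sits inside the commented-out block, so it is documentation of intent only and performs no wipe.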
@@ -1249,7 +1250,6 @@
 				logit("Received disconnect from %s: %.400s",
 				    get_remote_ipaddr(), msg);
 				cleanup_exit(255);
-				xfree(msg);
 				break;
 			default:
 				if (type)

Modified: trunk/readconf.c
===================================================================
--- trunk/readconf.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/readconf.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.161 2007/01/21 01:45:35 stevesk Exp $ */
+/* $OpenBSD: readconf.c,v 1.162 2007/03/20 03:56:12 tedu Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1286,7 +1286,7 @@
 	cp = p = xstrdup(fwdspec);
 
 	/* skip leading spaces */
-	while (*cp && isspace(*cp))
+	while (isspace(*cp))
 		cp++;
 
 	for (i = 0; i < 4; ++i)
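Review bot: the `*cp &&` guard was redundant because isspace('\0') is false, so the simplification is behaviour-preserving; but isspace() on a plain `char` is undefined for negative values, so `isspace((unsigned char)*cp)` is the portable form and worth adding while this line is being changed.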

Modified: trunk/regress/agent-getpeereid.sh
===================================================================
--- trunk/regress/agent-getpeereid.sh	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/regress/agent-getpeereid.sh	2008-03-10 20:34:38 UTC (rev 42)
@@ -7,7 +7,9 @@
 ASOCK=${OBJ}/agent
 SSH_AUTH_SOCK=/nonexistant
 
-if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1
+if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1 && \
+	grep "#undef.*HAVE_GETPEERUCRED" ${BUILDDIR}/config.h >/dev/null && \
+	grep "#undef.*HAVE_SO_PEERCRED" ${BUILDDIR}/config.h >/dev/null
 then
 	echo "skipped (not supported on this platform)"
 	exit 0
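Review bot: the two added grep checks redirect only stdout while the original also has `2>&1`, so a missing config.h prints errors from the later greps that the first one suppresses; make the redirections consistent. The `&&` chaining is correct: the test is skipped only when none of getpeereid, getpeerucred and SO_PEERCRED is available, which matches the new getpeerucred() branch in bsd-getpeereid.c.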

Modified: trunk/scard-opensc.c
===================================================================
--- trunk/scard-opensc.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/scard-opensc.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -32,6 +32,7 @@
 #include <openssl/x509.h>
 
 #include <stdarg.h>
+#include <string.h>
 
 #include <opensc/opensc.h>
 #include <opensc/pkcs15.h>

Modified: trunk/scp.0
===================================================================
--- trunk/scp.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/scp.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -6,7 +6,7 @@
 SYNOPSIS
      scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
          [-l limit] [-o ssh_option] [-P port] [-S program]
-         [[user@]host1:]file1 [...] [[user@]host2:]file2
+         [[user@]host1:]file1 ...  [[user@]host2:]file2
 
 DESCRIPTION
      scp copies files between hosts on a network.  It uses ssh(1) for data
@@ -141,4 +141,4 @@
      Timo Rinne <tri at iki.fi>
      Tatu Ylonen <ylo at cs.hut.fi>
 
-OpenBSD 4.1                   September 25, 1999                             3
+OpenBSD 4.2                     August 8, 2007                               3

Modified: trunk/scp.1
===================================================================
--- trunk/scp.1	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/scp.1	2008-03-10 20:34:38 UTC (rev 42)
@@ -9,9 +9,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.40 2006/07/18 07:56:28 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.42 2007/08/06 19:16:06 sobrado Exp $
 .\"
-.Dd September 25, 1999
+.Dd $Mdocdate: August 8 2007 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -34,7 +34,7 @@
 .Ar host1 No :
 .Oc Ns Ar file1
 .Sm on
-.Op Ar ...
+.Ar ...
 .Sm off
 .Oo
 .Op Ar user No @

Modified: trunk/scp.c
===================================================================
--- trunk/scp.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/scp.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.156 2007/01/22 13:06:21 djm Exp $ */
+/* $OpenBSD: scp.c,v 1.160 2007/08/06 19:16:06 sobrado Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -96,6 +96,9 @@
 #include <string.h>
 #include <time.h>
 #include <unistd.h>
+#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
+#include <vis.h>
+#endif
 
 #include "xmalloc.h"
 #include "atomicio.h"
@@ -582,7 +585,7 @@
 	off_t i, amt, statbytes;
 	size_t result;
 	int fd = -1, haderr, indx;
-	char *last, *name, buf[2048];
+	char *last, *name, buf[2048], encname[MAXPATHLEN];
 	int len;
 
 	for (indx = 0; indx < argc; ++indx) {
@@ -591,17 +594,17 @@
 		len = strlen(name);
 		while (len > 1 && name[len-1] == '/')
 			name[--len] = '\0';
+		if ((fd = open(name, O_RDONLY|O_NONBLOCK, 0)) < 0)
+			goto syserr;
 		if (strchr(name, '\n') != NULL) {
-			run_err("%s: skipping, filename contains a newline",
-			    name);
-			goto next;
+			strnvis(encname, name, sizeof(encname), VIS_NL);
+			name = encname;
 		}
-		if ((fd = open(name, O_RDONLY, 0)) < 0)
-			goto syserr;
 		if (fstat(fd, &stb) < 0) {
 syserr:			run_err("%s: %s", name, strerror(errno));
 			goto next;
 		}
+		unset_nonblock(fd);
 		switch (stb.st_mode & S_IFMT) {
 		case S_IFREG:
 			break;
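Review bot: with open() now ahead of the newline check, the `goto syserr` on open failure prints `name` before it has been vis-encoded, so a filename containing a newline can still reach the run_err() message raw. Encoding into `encname` first, while keeping the original pointer for the open(2) call, would close that gap. The O_NONBLOCK open followed by unset_nonblock(fd) is a good change: it stops scp from blocking on a FIFO named on the command line before fstat() can reject it.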
@@ -1021,7 +1024,8 @@
 			wrerr = YES;
 			wrerrno = errno;
 		}
-		if (wrerr == NO && ftruncate(ofd, size) != 0) {
+		if (wrerr == NO && (!exists || S_ISREG(stb.st_mode)) &&
+		    ftruncate(ofd, size) != 0) {
 			run_err("%s: truncate: %s", np, strerror(errno));
 			wrerr = DISPLAYED;
 		}
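Review bot: guarding ftruncate() with `(!exists || S_ISREG(stb.st_mode))` stops scp from truncating a pre-existing non-regular destination (device node, FIFO), which previously produced a spurious truncate error; this is correct as long as `stb` holds the destination's stat whenever `exists` is set.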
@@ -1116,7 +1120,7 @@
 	(void) fprintf(stderr,
 	    "usage: scp [-1246BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
 	    "           [-l limit] [-o ssh_option] [-P port] [-S program]\n"
-	    "           [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
+	    "           [[user@]host1:]file1 ... [[user@]host2:]file2\n");
 	exit(1);
 }
 

Modified: trunk/servconf.c
===================================================================
--- trunk/servconf.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/servconf.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.170 2007/03/01 10:28:02 dtucker Exp $ */
+/* $OpenBSD: servconf.c,v 1.172 2007/04/23 10:15:39 dtucker Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -608,7 +608,6 @@
 				debug("connection from %.100s matched 'Host "
 				    "%.100s' at line %d", host, arg, line);
 		} else if (strcasecmp(attrib, "address") == 0) {
-			debug("address '%s' arg '%s'", address, arg);
 			if (!address) {
 				result = 0;
 				continue;

Modified: trunk/session.c
===================================================================
--- trunk/session.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/session.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1310,7 +1310,7 @@
 # ifdef USE_PAM
 		if (options.use_pam) {
 			do_pam_session();
-			do_pam_setcred(0);
+			do_pam_setcred(use_privsep);
 		}
 # endif /* USE_PAM */
 		if (setusercontext(lc, pw, pw->pw_uid,
@@ -1352,7 +1352,7 @@
 		 */
 		if (options.use_pam) {
 			do_pam_session();
-			do_pam_setcred(0);
+			do_pam_setcred(use_privsep);
 		}
 # endif /* USE_PAM */
 # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)
@@ -1361,11 +1361,11 @@
 # ifdef _AIX
 		aix_usrinfo(pw);
 # endif /* _AIX */
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef USE_LIBIAF
 		if (set_id(pw->pw_name) != 0) {
 			exit(1);
 		}
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+#endif /* USE_LIBIAF */
 		/* Permanently switch to the desired uid. */
 		permanently_set_uid(pw);
 #endif
@@ -2478,8 +2478,19 @@
 		return;
 	called = 1;
 
-	if (authctxt == NULL || !authctxt->authenticated)
+	if (authctxt == NULL)
 		return;
+
+#ifdef USE_PAM
+	if (options.use_pam) {
+		sshpam_cleanup();
+		sshpam_thread_cleanup();
+	}
+#endif
+
+	if (!authctxt->authenticated)
+		return;
+
 #ifdef KRB5
 	if (options.kerberos_ticket_cleanup &&
 	    authctxt->krb5_ctx)
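Review bot: moving the USE_PAM block ahead of the `authenticated` test means sshpam_cleanup() and sshpam_thread_cleanup() now run for sessions that never authenticated, which is needed to stop a PAM auth thread and release its state after a failed or aborted login; the early return previously skipped both. The `called` guard above still protects against re-entry, and the following hunk removes the old copy, so cleanup is not run twice.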
@@ -2491,13 +2502,6 @@
 		ssh_gssapi_cleanup_creds();
 #endif
 
-#ifdef USE_PAM
-	if (options.use_pam) {
-		sshpam_cleanup();
-		sshpam_thread_cleanup();
-	}
-#endif
-
 	/* remove agent socket */
 	auth_sock_cleanup_proc(authctxt->pw);
 

Modified: trunk/sftp-server.0
===================================================================
--- trunk/sftp-server.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sftp-server.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -43,4 +43,4 @@
 AUTHORS
      Markus Friedl <markus at openbsd.org>
 
-OpenBSD 4.1                     August 30, 2000                              1
+OpenBSD 4.2                      June 5, 2007                                1

Modified: trunk/sftp-server.8
===================================================================
--- trunk/sftp-server.8	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sftp-server.8	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp-server.8,v 1.11 2006/07/06 10:47:57 djm Exp $
+.\" $OpenBSD: sftp-server.8,v 1.12 2007/05/31 19:20:16 jmc Exp $
 .\"
 .\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 30, 2000
+.Dd $Mdocdate: June 5 2007 $
 .Dt SFTP-SERVER 8
 .Os
 .Sh NAME

Modified: trunk/sftp-server.c
===================================================================
--- trunk/sftp-server.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sftp-server.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-server.c,v 1.71 2007/01/03 07:22:36 stevesk Exp $ */
+/* $OpenBSD: sftp-server.c,v 1.73 2007/05/17 07:55:29 djm Exp $ */
 /*
  * Copyright (c) 2000-2004 Markus Friedl.  All rights reserved.
  *
@@ -319,7 +319,8 @@
 		logit("%s%sclose \"%s\" bytes read %llu written %llu",
 		    emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
 		    handle_to_name(handle),
-		    handle_bytes_read(handle), handle_bytes_write(handle));
+		    (unsigned long long)handle_bytes_read(handle),
+		    (unsigned long long)handle_bytes_write(handle));
 	} else {
 		logit("%s%sclosedir \"%s\"",
 		    emsg == NULL ? "" : emsg, emsg == NULL ? "" : " ",
@@ -702,7 +703,8 @@
 	a = get_attrib();
 	debug("request %u: setstat name \"%s\"", id, name);
 	if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
-		logit("set \"%s\" size %llu", name, a->size);
+		logit("set \"%s\" size %llu",
+		    name, (unsigned long long)a->size);
 		ret = truncate(name, a->size);
 		if (ret == -1)
 			status = errno_to_portable(errno);
@@ -754,7 +756,8 @@
 		char *name = handle_to_name(handle);
 
 		if (a->flags & SSH2_FILEXFER_ATTR_SIZE) {
-			logit("set \"%s\" size %llu", name, a->size);
+			logit("set \"%s\" size %llu",
+			    name, (unsigned long long)a->size);
 			ret = ftruncate(fd, a->size);
 			if (ret == -1)
 				status = errno_to_portable(errno);
@@ -1211,7 +1214,7 @@
 	int in, out, max, ch, skipargs = 0, log_stderr = 0;
 	ssize_t len, olen, set_size;
 	SyslogFacility log_facility = SYSLOG_FACILITY_AUTH;
-	char *cp;
+	char *cp, buf[4*4096];
 
 	extern char *optarg;
 	extern char *__progname;
@@ -1295,7 +1298,15 @@
 		memset(rset, 0, set_size);
 		memset(wset, 0, set_size);
 
-		FD_SET(in, rset);
+		/*
+		 * Ensure that we can read a full buffer and handle
+		 * the worst-case length packet it can generate,
+		 * otherwise apply backpressure by stopping reads.
+		 */
+		if (buffer_check_alloc(&iqueue, sizeof(buf)) &&
+		    buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH))
+			FD_SET(in, rset);
+
 		olen = buffer_len(&oqueue);
 		if (olen > 0)
 			FD_SET(out, wset);
@@ -1309,7 +1320,6 @@
 
 		/* copy stdin to iqueue */
 		if (FD_ISSET(in, rset)) {
-			char buf[4*4096];
 			len = read(in, buf, sizeof buf);
 			if (len == 0) {
 				debug("read eof");
@@ -1331,7 +1341,13 @@
 				buffer_consume(&oqueue, len);
 			}
 		}
-		/* process requests from client */
-		process();
+
+		/*
+		 * Process requests from client if we can fit the results
+		 * into the output buffer, otherwise stop processing input
+		 * and let the output queue drain.
+		 */
+		if (buffer_check_alloc(&oqueue, SFTP_MAX_MSG_LENGTH))
+			process();
 	}
 }
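Review bot: gating both FD_SET(in) and process() on buffer_check_alloc() bounds memory against a client that issues requests faster than it reads replies: once oqueue cannot hold another SFTP_MAX_MSG_LENGTH message the server stops reading and processing and waits only for `out` to become writable (olen > 0 in that state), so the client controls progress but not memory growth. Moving `buf` to function scope (the `@@ -1211` hunk) is what makes `sizeof(buf)` available to the read-side check.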

Modified: trunk/sftp.0
===================================================================
--- trunk/sftp.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sftp.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -263,4 +263,4 @@
      T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
      filexfer-00.txt, January 2001, work in progress material.
 
-OpenBSD 4.1                    February 4, 2001                              4
+OpenBSD 4.2                      June 5, 2007                                4

Modified: trunk/sftp.1
===================================================================
--- trunk/sftp.1	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sftp.1	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
+.\" $OpenBSD: sftp.1,v 1.64 2007/05/31 19:20:16 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd February 4, 2001
+.Dd $Mdocdate: June 5 2007 $
 .Dt SFTP 1
 .Os
 .Sh NAME

Modified: trunk/ssh-add.0
===================================================================
--- trunk/ssh-add.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-add.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -30,8 +30,12 @@
 
      -D      Deletes all identities from the agent.
 
-     -d      Instead of adding the identity, removes the identity from the
-             agent.
+     -d      Instead of adding identities, removes identities from the agent.
+             If ssh-add has been run without arguments, the keys for the de-
+             fault identities will be removed.  Otherwise, the argument list
+             will be interpreted as a list of paths to public key files and
+             matching keys will be removed from the agent.  If no public key
+             is found at a given path, ssh-add will append .pub and retry.
 
      -e reader
              Remove key in smartcard reader.
@@ -99,4 +103,4 @@
      ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.1                   September 25, 1999                             2
+OpenBSD 4.2                      June 12, 2007                               2

Modified: trunk/ssh-add.1
===================================================================
--- trunk/ssh-add.1	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-add.1	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-add.1,v 1.43 2005/04/21 06:17:50 djm Exp $
+.\"	$OpenBSD: ssh-add.1,v 1.46 2007/06/12 13:41:03 jmc Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,7 +37,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 25, 1999
+.Dd $Mdocdate: June 12 2007 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -89,7 +89,18 @@
 .It Fl D
 Deletes all identities from the agent.
 .It Fl d
-Instead of adding the identity, removes the identity from the agent.
+Instead of adding identities, removes identities from the agent.
+If
+.Nm
+has been run without arguments, the keys for the default identities will
+be removed.
+Otherwise, the argument list will be interpreted as a list of paths to
+public key files and matching keys will be removed from the agent.
+If no public key is found at a given path,
+.Nm
+will append
+.Pa .pub
+and retry.
 .It Fl e Ar reader
 Remove key in smartcard
 .Ar reader .

Modified: trunk/ssh-agent.0
===================================================================
--- trunk/ssh-agent.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-agent.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -114,4 +114,4 @@
      ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.1                   September 25, 1999                             2
+OpenBSD 4.2                      June 5, 2007                                2

Modified: trunk/ssh-agent.1
===================================================================
--- trunk/ssh-agent.1	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-agent.1	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.44 2006/07/18 08:03:09 jmc Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.45 2007/05/31 19:20:16 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo at cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 25, 1999
+.Dd $Mdocdate: June 5 2007 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME

Modified: trunk/ssh-agent.c
===================================================================
--- trunk/ssh-agent.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-agent.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.154 2007/02/28 00:55:30 dtucker Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.155 2007/03/19 12:16:42 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -120,6 +120,7 @@
 
 /* pid of shell == parent of agent */
 pid_t parent_pid = -1;
+u_int parent_alive_interval = 0;
 
 /* pathname and directory for AUTH_SOCKET */
 char socket_name[MAXPATHLEN];
@@ -421,10 +422,11 @@
 	buffer_put_char(&e->output, SSH_AGENT_SUCCESS);
 }
 
-static void
+/* removes expired keys and returns number of seconds until the next expiry */
+static u_int
 reaper(void)
 {
-	u_int now = time(NULL);
+	u_int deadline = 0, now = time(NULL);
 	Identity *id, *nxt;
 	int version;
 	Idtab *tab;
@@ -433,14 +435,22 @@
 		tab = idtab_lookup(version);
 		for (id = TAILQ_FIRST(&tab->idlist); id; id = nxt) {
 			nxt = TAILQ_NEXT(id, next);
-			if (id->death != 0 && now >= id->death) {
+			if (id->death == 0)
+				continue;
+			if (now >= id->death) {
 				debug("expiring key '%s'", id->comment);
 				TAILQ_REMOVE(&tab->idlist, id, next);
 				free_identity(id);
 				tab->nentries--;
-			}
+			} else
+				deadline = (deadline == 0) ? id->death :
+				    MIN(deadline, id->death);
 		}
 	}
+	if (deadline == 0 || deadline <= now)
+		return 0;
+	else
+		return (deadline - now);
 }
 
 static void
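Review bot: `u_int deadline = 0, now = time(NULL);` truncates time_t into an unsigned 32-bit value; if id->death has the same type the arithmetic stays consistent, but comparisons break after 2038, and `deadline - now` is only safe because the `deadline <= now` branch precedes it. Using time_t for both and converting the difference on return would be cleaner. Returning 0 for "no deadline" is fine here, since an expiry already in the past also returns 0 and triggers an immediate reap on the next loop.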
@@ -826,10 +836,12 @@
 }
 
 static int
-prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp)
+prepare_select(fd_set **fdrp, fd_set **fdwp, int *fdl, u_int *nallocp,
+    struct timeval **tvpp)
 {
-	u_int i, sz;
+	u_int i, sz, deadline;
 	int n = 0;
+	static struct timeval tv;
 
 	for (i = 0; i < sockets_alloc; i++) {
 		switch (sockets[i].type) {
@@ -873,6 +885,17 @@
 			break;
 		}
 	}
+	deadline = reaper();
+	if (parent_alive_interval != 0)
+		deadline = (deadline == 0) ? parent_alive_interval :
+		    MIN(deadline, parent_alive_interval);
+	if (deadline == 0) {
+		*tvpp = NULL;
+	} else {
+		tv.tv_sec = deadline;
+		tv.tv_usec = 0;
+		*tvpp = &tv;
+	}
 	return (1);
 }
 
@@ -980,19 +1003,14 @@
 	_exit(2);
 }
 
-/*ARGSUSED*/
 static void
-check_parent_exists(int sig)
+check_parent_exists(void)
 {
-	int save_errno = errno;
-
 	if (parent_pid != -1 && kill(parent_pid, 0) < 0) {
 		/* printf("Parent has died - Authentication agent exiting.\n"); */
-		cleanup_handler(sig); /* safe */
+		cleanup_socket();
+		_exit(2);
 	}
-	mysignal(SIGALRM, check_parent_exists);
-	alarm(10);
-	errno = save_errno;
 }
 
 static void
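Review bot: moving the parent-liveness check out of the SIGALRM handler into the select loop is the right fix: the old handler called cleanup_handler(), mysignal() and alarm() from signal context, and the `/* safe */` annotation was carrying a lot of weight. In the new version cleanup_socket() followed by _exit(2) runs synchronously, so it may use non-async-signal-safe functions freely, and the save/restore of errno is no longer needed.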
@@ -1027,7 +1045,7 @@
 	extern char *optarg;
 	pid_t pid;
 	char pidstrbuf[1 + 3 * sizeof pid];
-	struct timeval tv;
+	struct timeval *tvp = NULL;
 
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
@@ -1228,10 +1246,8 @@
 
 skip:
 	new_socket(AUTH_SOCKET, sock);
-	if (ac > 0) {
-		mysignal(SIGALRM, check_parent_exists);
-		alarm(10);
-	}
+	if (ac > 0)
+		parent_alive_interval = 10;
 	idtab_init();
 	if (!d_flag)
 		signal(SIGINT, SIG_IGN);
@@ -1241,12 +1257,12 @@
 	nalloc = 0;
 
 	while (1) {
-		tv.tv_sec = 10;
-		tv.tv_usec = 0;
-		prepare_select(&readsetp, &writesetp, &max_fd, &nalloc);
-		result = select(max_fd + 1, readsetp, writesetp, NULL, &tv);
+		prepare_select(&readsetp, &writesetp, &max_fd, &nalloc, &tvp);
+		result = select(max_fd + 1, readsetp, writesetp, NULL, tvp);
 		saved_errno = errno;
-		reaper();	/* remove expired keys */
+		if (parent_alive_interval != 0)
+			check_parent_exists();
+		(void) reaper();	/* remove expired keys */
 		if (result < 0) {
 			if (saved_errno == EINTR)
 				continue;
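Review bot: check_parent_exists() now runs on every select() wakeup rather than every 10 s; because prepare_select() caps the timeout at parent_alive_interval this still guarantees at least one check per interval, and the extra kill(pid, 0) calls on a busy agent are cheap. One consequence worth noting: the check happens before `result < 0` is examined, so an EINTR return from select() still gets a liveness check, which is fine.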

Modified: trunk/ssh-gss.h
===================================================================
--- trunk/ssh-gss.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-gss.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.9 2006/08/18 14:40:34 djm Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
  *
@@ -117,7 +117,6 @@
 ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
 
 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
-OM_uint32 ssh_gssapi_acquire_cred(Gssctxt *);
 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
     gss_buffer_desc *, gss_buffer_desc *, OM_uint32 *);
 OM_uint32 ssh_gssapi_accept_ctx(Gssctxt *,
@@ -128,7 +127,6 @@
 void ssh_gssapi_build_ctx(Gssctxt **);
 void ssh_gssapi_delete_ctx(Gssctxt **);
 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
-OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
 int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
 
@@ -138,6 +136,7 @@
 char *ssh_gssapi_kex_mechs(gss_OID_set, ssh_gssapi_check_fn *, const char *);
 gss_OID ssh_gssapi_id_kex(Gssctxt *, char *, int);
 int ssh_gssapi_server_check_mech(Gssctxt **,gss_OID, const char *);
+OM_uint32 ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
 int ssh_gssapi_userok(char *name);
 OM_uint32 ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_do_child(char ***, u_int *);

Modified: trunk/ssh-keygen.0
===================================================================
--- trunk/ssh-keygen.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-keygen.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -284,4 +284,4 @@
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.1                   September 25, 1999                             5
+OpenBSD 4.2                      June 5, 2007                                5

Modified: trunk/ssh-keygen.1
===================================================================
--- trunk/ssh-keygen.1	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-keygen.1	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.74 2007/01/12 20:20:41 jmc Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.75 2007/05/31 19:20:16 jmc Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@@ -37,7 +37,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 25, 1999
+.Dd $Mdocdate: June 5 2007 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME

Modified: trunk/ssh-keyscan.0
===================================================================
--- trunk/ssh-keyscan.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-keyscan.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -104,4 +104,4 @@
      This is because it opens a connection to the ssh port, reads the public
      key, and drops the connection as soon as it gets the key.
 
-OpenBSD 4.1                     January 1, 1996                              2
+OpenBSD 4.2                      June 5, 2007                                2

Modified: trunk/ssh-keyscan.1
===================================================================
--- trunk/ssh-keyscan.1	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-keyscan.1	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.22 2006/09/25 04:55:38 ray Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.23 2007/05/31 19:20:16 jmc Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm at lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd January 1, 1996
+.Dd $Mdocdate: June 5 2007 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME

Modified: trunk/ssh-keysign.0
===================================================================
--- trunk/ssh-keysign.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-keysign.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -39,4 +39,4 @@
 AUTHORS
      Markus Friedl <markus at openbsd.org>
 
-OpenBSD 4.1                      May 24, 2002                                1
+OpenBSD 4.2                      June 5, 2007                                1

Modified: trunk/ssh-keysign.8
===================================================================
--- trunk/ssh-keysign.8	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-keysign.8	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.8 2006/02/24 20:22:16 jmc Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.9 2007/05/31 19:20:16 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd May 24, 2002
+.Dd $Mdocdate: June 5 2007 $
 .Dt SSH-KEYSIGN 8
 .Os
 .Sh NAME

Modified: trunk/ssh-rand-helper.0
===================================================================
--- trunk/ssh-rand-helper.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-rand-helper.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -48,4 +48,4 @@
 SEE ALSO
      ssh(1), ssh-add(1), ssh-keygen(1), sshd(8)
 
-OpenBSD 4.1                     April 14, 2002                               1
+OpenBSD 4.2                     April 14, 2002                               1

Modified: trunk/ssh-rand-helper.c
===================================================================
--- trunk/ssh-rand-helper.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh-rand-helper.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -32,6 +32,7 @@
 
 #include <stdarg.h>
 #include <stddef.h>
+#include <string.h>
 
 #include <netinet/in.h>
 #include <arpa/inet.h>

Modified: trunk/ssh.0
===================================================================
--- trunk/ssh.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -4,7 +4,7 @@
      ssh - OpenSSH SSH client (remote login program)
 
 SYNOPSIS
-     ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
+     ssh [-1246AaCfgKkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]
          [-D [bind_address:]port] [-e escape_char] [-F configfile]
          [-i identity_file] [-L [bind_address:]port:host:hostport]
          [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
@@ -147,6 +147,9 @@
              multiple -i options (and multiple identities specified in config-
              uration files).
 
+     -K      Enables GSSAPI-based authentication and forwarding (delegation)
+             of GSSAPI credentials to the server.
+
      -k      Disables forwarding (delegation) of GSSAPI credentials to the
              server.
 
@@ -371,8 +374,8 @@
      protocols support similar authentication methods, but protocol 2 is pre-
      ferred since it provides additional mechanisms for confidentiality (the
      traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and
-     integrity (hmac-md5, hmac-sha1, hmac-ripemd160).  Protocol 1 lacks a
-     strong mechanism for ensuring the integrity of the connection.
+     integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).  Protocol 1
+     lacks a strong mechanism for ensuring the integrity of the connection.
 
      The methods available for authentication are: GSSAPI-based authentica-
      tion, host-based authentication, public key authentication, challenge-re-
@@ -829,4 +832,4 @@
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.1                   September 25, 1999                            13
+OpenBSD 4.2                      June 12, 2007                              13

Modified: trunk/ssh.1
===================================================================
--- trunk/ssh.1	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh.1	2008-03-10 20:34:38 UTC (rev 42)
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.266 2006/12/11 21:25:46 markus Exp $
-.Dd September 25, 1999
+.\" $OpenBSD: ssh.1,v 1.270 2007/06/12 13:43:55 jmc Exp $
+.Dd $Mdocdate: June 12 2007 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -316,7 +316,8 @@
 options (and multiple identities specified in
 configuration files).
 .It Fl K
-Enables forwarding (delegation) of GSSAPI credentials to the server.
+Enables GSSAPI-based authentication and forwarding (delegation) of GSSAPI
+credentials to the server.
 .It Fl k
 Disables forwarding (delegation) of GSSAPI credentials to the server.
 .It Fl L Xo
@@ -544,7 +545,7 @@
 .Pp
 By default, the listening socket on the server will be bound to the loopback
 interface only.
-This may be overriden by specifying a
+This may be overridden by specifying a
 .Ar bind_address .
 An empty
 .Ar bind_address ,
@@ -681,7 +682,7 @@
 but protocol 2 is preferred since
 it provides additional mechanisms for confidentiality
 (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
-and integrity (hmac-md5, hmac-sha1, hmac-ripemd160).
+and integrity (hmac-md5, hmac-sha1, umac-64, hmac-ripemd160).
 Protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Pp

Modified: trunk/ssh.c
===================================================================
--- trunk/ssh.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.295 2007/01/03 03:01:40 stevesk Exp $ */
+/* $OpenBSD: ssh.c,v 1.301 2007/08/07 07:32:53 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -327,6 +327,7 @@
 			options.gss_deleg_creds = 0;
 			break;
 		case 'K':
+			options.gss_authentication = 1;
 			options.gss_deleg_creds = 1;
 			break;
 		case 'i':
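Review bot: `-K` now sets both `options.gss_authentication` and `options.gss_deleg_creds`, while the `-k` arm just above only clears `gss_deleg_creds`; the asymmetry matches the updated ssh.1 text in this revision, but a one-line comment on the `case 'K':` arm would make clear that the single short flag also enables delegation, since handing GSSAPI credentials to a server is a larger trust decision than authenticating with them.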
@@ -861,6 +862,17 @@
 				    "forwarding.");
 		}
 	}
+
+	/* Initiate tunnel forwarding. */
+	if (options.tun_open != SSH_TUNMODE_NO) {
+		if (client_request_tun_fwd(options.tun_open,
+		    options.tun_local, options.tun_remote) == -1) {
+			if (options.exit_on_forward_failure)
+				fatal("Could not request tunnel forwarding.");
+			else
+				error("Could not request tunnel forwarding.");
+		}
+	}			
 }
 
 static void
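Review bot: the closing `}` of the new tunnel block carries trailing tabs; strip them. Otherwise moving the request into ssh_init_forwarding() is what lets ExitOnForwardFailure cover tunnel forwardings as well, which the ssh_config.5 change in this same revision documents.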
@@ -1123,33 +1135,6 @@
 		packet_send();
 	}
 
-	if (options.tun_open != SSH_TUNMODE_NO) {
-		Channel *c;
-		int fd;
-
-		debug("Requesting tun.");
-		if ((fd = tun_open(options.tun_local,
-		    options.tun_open)) >= 0) {
-			c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-			    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-			    0, "tun", 1);
-			c->datagram = 1;
-#if defined(SSH_TUN_FILTER)
-			if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
-				channel_register_filter(c->self, sys_tun_infilter,
-				    sys_tun_outfilter);
-#endif
-			packet_start(SSH2_MSG_CHANNEL_OPEN);
-			packet_put_cstring("tun at openssh.com");
-			packet_put_int(c->self);
-			packet_put_int(c->local_window_max);
-			packet_put_int(c->local_maxpacket);
-			packet_put_int(options.tun_open);
-			packet_put_int(options.tun_remote);
-			packet_send();
-		}
-	}
-
 	client_session2_setup(id, tty_flag, subsystem_flag, getenv("TERM"),
 	    NULL, fileno(stdin), &command, environ, &ssh_subsystem_reply);
 
@@ -1209,7 +1194,6 @@
 
 	/* XXX should be pre-session */
 	ssh_init_forwarding();
-	ssh_control_listener();
 
 	if (!no_shell_flag || (datafellows & SSH_BUG_DUMMYCHAN))
 		id = ssh_session2_open();
@@ -1219,6 +1203,9 @@
 	    options.permit_local_command)
 		ssh_local_cmd(options.local_command);
 
+	/* Start listening for multiplex clients */
+	ssh_control_listener();
+
 	/* If requested, let ssh continue in the background. */
 	if (fork_after_authentication_flag)
 		if (daemon(1, 1) < 0)
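Review bot: `ssh_control_listener()` now runs after the session and LocalCommand are set up but still before the `daemon(1, 1)` fork, so the ControlPath socket is created in the foreground process and survives backgrounding. The visible behavioural change is that a multiplex client connecting while the master is still authenticating or opening its session is refused rather than accepted by a listener with no session behind it; that is the safer ordering, but it deserves a changelog line.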
@@ -1315,7 +1302,7 @@
 control_client(const char *path)
 {
 	struct sockaddr_un addr;
-	int i, r, fd, sock, exitval, num_env, addr_len;
+	int i, r, fd, sock, exitval[2], num_env, addr_len;
 	Buffer m;
 	char *term;
 	extern char **environ;
@@ -1464,29 +1451,44 @@
 	if (tty_flag)
 		enter_raw_mode();
 
-	/* Stick around until the controlee closes the client_fd */
-	exitval = 0;
-	for (;!control_client_terminate;) {
-		r = read(sock, &exitval, sizeof(exitval));
+	/*
+	 * Stick around until the controlee closes the client_fd.
+	 * Before it does, it is expected to write this process' exit
+	 * value (one int). This process must read the value and wait for
+	 * the closure of the client_fd; if this one closes early, the 
+	 * multiplex master will terminate early too (possibly losing data).
+	 */
+	exitval[0] = 0;
+	for (i = 0; !control_client_terminate && i < (int)sizeof(exitval);) {
+		r = read(sock, (char *)exitval + i, sizeof(exitval) - i);
 		if (r == 0) {
 			debug2("Received EOF from master");
 			break;
 		}
-		if (r > 0)
-			debug2("Received exit status from master %d", exitval);
-		if (r == -1 && errno != EINTR)
+		if (r == -1) {
+			if (errno == EINTR)
+				continue;
 			fatal("%s: read %s", __func__, strerror(errno));
+		}
+		i += r;
 	}
 
-	if (control_client_terminate)
-		debug2("Exiting on signal %d", control_client_terminate);
-
 	close(sock);
-
 	leave_raw_mode();
+	if (i > (int)sizeof(int))
+		fatal("%s: master returned too much data (%d > %lu)",
+		    __func__, i, sizeof(int));
+	if (control_client_terminate) {
+		debug2("Exiting on signal %d", control_client_terminate);
+		exitval[0] = 255;
+	} else if (i < (int)sizeof(int)) {
+		debug2("Control master terminated unexpectedly");
+		exitval[0] = 255;
+	} else
+		debug2("Received exit status from master %d", exitval[0]);
 
 	if (tty_flag && options.log_level > SYSLOG_LEVEL_QUIET)
-		fprintf(stderr, "Connection to master closed.\r\n");
+		fprintf(stderr, "Shared connection to %s closed.\r\n", host);
 
-	exit(exitval);
+	exit(exitval[0]);
 }
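Review bot: the length check passes a `size_t` to `%lu` in `fatal("%s: master returned too much data (%d > %lu)", __func__, i, sizeof(int));`; cast it to `(unsigned long)` so the format is correct on every ABI the compat layer targets. The two-int `exitval` buffer exists only so that a reply longer than one int can be detected, so `exitval[1]` is never read; a short comment saying so would save the next reader a question. The loop itself is sound: it resumes on EINTR, accumulates partial reads, treats early EOF as a short read, and maps both a pending signal and a short read to exit status 255 instead of trusting whatever landed in `exitval[0]`.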

Modified: trunk/ssh_config
===================================================================
--- trunk/ssh_config	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh_config	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-#	$OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $
+#	$OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -41,9 +41,12 @@
 #   Protocol 2,1
 #   Cipher 3des
 #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+#   MACs hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160
 #   EscapeChar ~
 #   Tunnel no
 #   TunnelDevice any:any
 #   PermitLocalCommand no
     SendEnv LANG LC_*
     HashKnownHosts yes
+    GSSAPIAuthentication yes
+    GSSAPIDelegateCredentials no
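Review bot: the shipped defaults now enable `GSSAPIAuthentication` while keeping `GSSAPIDelegateCredentials no`, so credentials are only delegated when the user asks for it explicitly (`-K` or per-host config); that is the right split. Note that `umac-64 at openssh.com` in the MACs comment is the mailing-list archive's rewriting of `@`; the line in the file must read `umac-64@openssh.com` or the MAC name will not be recognised if someone uncomments it.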

Modified: trunk/ssh_config.0
===================================================================
--- trunk/ssh_config.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh_config.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -200,9 +200,9 @@
 
      ExitOnForwardFailure
              Specifies whether ssh(1) should terminate the connection if it
-             cannot set up all requested dynamic, local, and remote port for-
-             wardings.  The argument must be ``yes'' or ``no''.  The default
-             is ``no''.
+             cannot set up all requested dynamic, tunnel, local, and remote
+             port forwardings.  The argument must be ``yes'' or ``no''.  The
+             default is ``no''.
 
      ForwardAgent
              Specifies whether the connection to the authentication agent (if
@@ -365,9 +365,11 @@
      MACs    Specifies the MAC (message authentication code) algorithms in or-
              der of preference.  The MAC algorithm is used in protocol version
              2 for data integrity protection.  Multiple algorithms must be
-             comma-separated.  The default is: ``hmac-md5,hmac-sha1,hmac-
-             ripemd160,hmac-sha1-96,hmac-md5-96''.
+             comma-separated.  The default is:
 
+                   hmac-md5,hmac-sha1,umac-64 at openssh.com,
+                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+
      NoHostAuthenticationForLocalhost
              This option can be used if the home directory is shared across
              machines.  In this case localhost will refer to a different ma-
@@ -642,4 +644,4 @@
      ated OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 4.1                   September 25, 1999                            10
+OpenBSD 4.2                     August 15, 2007                             10

Modified: trunk/ssh_config.5
===================================================================
--- trunk/ssh_config.5	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/ssh_config.5	2008-03-10 20:34:38 UTC (rev 42)
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.98 2007/01/10 13:23:22 jmc Exp $
-.Dd September 25, 1999
+.\" $OpenBSD: ssh_config.5,v 1.102 2007/08/15 12:13:41 stevesk Exp $
+.Dd $Mdocdate: August 15 2007 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -72,6 +72,22 @@
 host-specific declarations should be given near the beginning of the
 file, and general defaults at the end.
 .Pp
+Note that the Debian
+.Ic openssh-client
+package sets several options as standard in
+.Pa /etc/ssh/ssh_config
+which are not the default in
+.Xr ssh 1 :
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm SendEnv No LANG LC_*
+.It
+.Cm HashKnownHosts No yes
+.It
+.Cm GSSAPIAuthentication No yes
+.El
+.Pp
 The configuration file has the following format:
 .Pp
 Empty lines and lines starting with
@@ -393,7 +409,7 @@
 Specifies whether
 .Xr ssh 1
 should terminate the connection if it cannot set up all requested
-dynamic, local, and remote port forwardings.
+dynamic, tunnel, local, and remote port forwardings.
 The argument must be
 .Dq yes
 or
@@ -668,7 +684,10 @@
 for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is:
-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.Bd -literal -offset indent
+hmac-md5,hmac-sha1,umac-64 at openssh.com,
+hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+.Ed
 .It Cm NoHostAuthenticationForLocalhost
 This option can be used if the home directory is shared across machines.
 In this case localhost will refer to a different machine on each of

Modified: trunk/sshconnect2.c
===================================================================
--- trunk/sshconnect2.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sshconnect2.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.162 2006/08/30 00:06:51 dtucker Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.164 2007/05/17 23:53:41 jolan Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -31,6 +31,7 @@
 #include <sys/stat.h>
 
 #include <errno.h>
+#include <netdb.h>
 #include <pwd.h>
 #include <signal.h>
 #include <stdarg.h>
@@ -173,11 +174,9 @@
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
 #ifdef GSSAPI
-	if (options.gss_keyex) {
-		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
-		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
-		kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
-	}
+	kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_client;
+	kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_client;
+	kex->kex[KEX_GSS_GEX_SHA1] = kexgss_client;
 #endif
 	kex->client_version_string=client_version_string;
 	kex->server_version_string=server_version_string;
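Review bot: dropping the `if (options.gss_keyex)` guard registers `kexgss_client` for all three KEX_GSS_* methods unconditionally. That only decides which handlers exist in `kex->kex[]`; whether a GSSAPI key exchange is actually negotiated depends on the method list placed in the client's proposal, so confirm that GSSAPIKeyExchange still gates the proposal where it is built, otherwise the option no longer has any effect on the client side.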
@@ -1433,7 +1432,7 @@
 	Sensitive *sensitive = authctxt->sensitive;
 	Buffer b;
 	u_char *signature, *blob;
-	char *chost, *pkalg, *p;
+	char *chost, *pkalg, *p, myname[NI_MAXHOST];
 	const char *service;
 	u_int blen, slen;
 	int ok, i, len, found = 0;
@@ -1457,8 +1456,17 @@
 		return 0;
 	}
 	/* figure out a name for the client host */
-	p = get_local_name(packet_get_connection_in());
+	p = NULL;
+	if (packet_connection_is_on_socket())
+		p = get_local_name(packet_get_connection_in());
 	if (p == NULL) {
+		if (gethostname(myname, sizeof(myname)) == -1) {
+			verbose("userauth_hostbased: gethostname: %s", 
+			    strerror(errno));
+		} else
+			p = xstrdup(myname);
+	}
+	if (p == NULL) {
 		error("userauth_hostbased: cannot get local ipaddr/name");
 		key_free(private);
 		xfree(blob);
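Review bot: the new `gethostname()` fallback, taken when `packet_connection_is_on_socket()` is false (for example under a ProxyCommand), sends a host name the client chose rather than one derived from the connected socket, and it may be unqualified. That is acceptable only because sshd still verifies the client host on its own terms (reverse lookup of the peer unless HostbasedUsesNameFromPacketOnly is set, plus the host key signature), which this hunk does not touch; worth stating in the commit message. Minor: the `verbose("userauth_hostbased: gethostname: %s", ` line has trailing whitespace.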

Modified: trunk/sshd.0
===================================================================
--- trunk/sshd.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sshd.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -9,8 +9,8 @@
 
 DESCRIPTION
      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
-     programs replace rlogin and rsh, and provide secure encrypted communica-
-     tions between two untrusted hosts over an insecure network.
+     programs replace rlogin(1) and rsh(1), and provide secure encrypted com-
+     munications between two untrusted hosts over an insecure network.
 
      sshd listens for connections from clients.  It is normally started at
      boot from /etc/rc.  It forks a new daemon for each incoming connection.
@@ -45,7 +45,7 @@
      -e      When this option is specified, sshd will send the output to the
              standard error instead of the system log.
 
-     -f configuration_file
+     -f config_file
              Specifies the name of the configuration file.  The default is
              /etc/ssh/sshd_config.  sshd refuses to start if there is no con-
              figuration file.
@@ -143,7 +143,8 @@
      AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit AES.  The
      client selects the encryption algorithm to use from those offered by the
      server.  Additionally, session integrity is provided through a crypto-
-     graphic message authentication code (hmac-sha1 or hmac-md5).
+     graphic message authentication code (hmac-md5, hmac-sha1, umac-64 or
+     hmac-ripemd160).
 
      Finally, the server and the client enter an authentication dialog.  The
      client tries to authenticate itself using host-based authentication, pub-
@@ -156,10 +157,10 @@
      tion of a locked account is system dependant. Some platforms have their
      own account database (eg AIX) and some modify the passwd field ( `*LK*'
      on Solaris and UnixWare, `*' on HP-UX, containing `Nologin' on Tru64, a
-     leading `*LOCKED*' on FreeBSD and a leading `!!' on Linux).  If there is
-     a requirement to disable password authentication for the account while
-     allowing still public-key, then the passwd field should be set to some-
-     thing other than these values (eg `NP' or `*NP*' ).
+     leading `*LOCKED*' on FreeBSD and a leading `!' on most Linuxes).  If
+     there is a requirement to disable password authentication for the account
+     while allowing still public-key, then the passwd field should be set to
+     something other than these values (eg `NP' or `*NP*' ).
 
      If the client successfully authenticates itself, a dialog for preparing
      the session is entered.  At this time the client may request things like
@@ -477,13 +478,6 @@
              lows host-based authentication without permitting login with
              rlogin/rsh.
 
-     /etc/ssh/ssh_known_hosts
-             Systemwide list of known host keys.  This file should be prepared
-             by the system administrator to contain the public host keys of
-             all machines in the organization.  The format of this file is de-
-             scribed above.  This file should be writable only by root/the
-             owner and should be world-readable.
-
      /etc/ssh/ssh_host_key
      /etc/ssh/ssh_host_dsa_key
      /etc/ssh/ssh_host_rsa_key
@@ -502,6 +496,13 @@
              convenience of the user so their contents can be copied to known
              hosts files.  These files are created using ssh-keygen(1).
 
+     /etc/ssh/ssh_known_hosts
+             Systemwide list of known host keys.  This file should be prepared
+             by the system administrator to contain the public host keys of
+             all machines in the organization.  The format of this file is de-
+             scribed above.  This file should be writable only by root/the
+             owner and should be world-readable.
+
      /etc/ssh/sshd_config
              Contains configuration data for sshd.  The file format and con-
              figuration options are described in sshd_config(5).
@@ -526,8 +527,8 @@
 
 SEE ALSO
      scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
-     chroot(2), hosts_access(5), login.conf(5), moduli(5), sshd_config(5),
-     inetd(8), sftp-server(8)
+     ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5),
+     sshd_config(5), inetd(8), sftp-server(8)
 
 AUTHORS
      OpenSSH is a derivative of the original and free ssh 1.2.12 release by
@@ -541,4 +542,4 @@
      System security is not improved unless rshd, rlogind, and rexecd are dis-
      abled (thus completely disabling rlogin and rsh into the machine).
 
-OpenBSD 4.1                   September 25, 1999                             9
+OpenBSD 4.2                     August 16, 2007                              9

Modified: trunk/sshd.8
===================================================================
--- trunk/sshd.8	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sshd.8	2008-03-10 20:34:38 UTC (rev 42)
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.234 2006/08/21 08:15:57 dtucker Exp $
-.Dd September 25, 1999
+.\" $OpenBSD: sshd.8,v 1.237 2007/06/07 19:37:34 pvalchev Exp $
+.Dd $Mdocdate: August 16 2007 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -58,8 +58,11 @@
 .Nm
 (OpenSSH Daemon) is the daemon program for
 .Xr ssh 1 .
-Together these programs replace rlogin and rsh, and
-provide secure encrypted communications between two untrusted hosts
+Together these programs replace
+.Xr rlogin 1
+and
+.Xr rsh 1 ,
+and provide secure encrypted communications between two untrusted hosts
 over an insecure network.
 .Pp
 .Nm
@@ -117,7 +120,7 @@
 When this option is specified,
 .Nm
 will send the output to the standard error instead of the system log.
-.It Fl f Ar configuration_file
+.It Fl f Ar config_file
 Specifies the name of the configuration file.
 The default is
 .Pa /etc/ssh/sshd_config .
@@ -276,7 +279,7 @@
 to use from those offered by the server.
 Additionally, session integrity is provided
 through a cryptographic message authentication code
-(hmac-sha1 or hmac-md5).
+(hmac-md5, hmac-sha1, umac-64 or hmac-ripemd160).
 .Pp
 Finally, the server and the client enter an authentication dialog.
 The client tries to authenticate itself using
@@ -302,8 +305,9 @@
 a leading
 .Ql \&*LOCKED\&*
 on FreeBSD and a leading
-.Ql \&!!
-on Linux).  If there is a requirement to disable password authentication
+.Ql \&!
+on most Linuxes).
+If there is a requirement to disable password authentication
 for the account while allowing still public-key, then the passwd field
 should be set to something other than these values (eg
 .Ql NP
@@ -761,15 +765,6 @@
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
-.It /etc/ssh/ssh_known_hosts
-Systemwide list of known host keys.
-This file should be prepared by the
-system administrator to contain the public host keys of all machines in the
-organization.
-The format of this file is described above.
-This file should be writable only by root/the owner and
-should be world-readable.
-.Pp
 .It /etc/ssh/ssh_host_key
 .It /etc/ssh/ssh_host_dsa_key
 .It /etc/ssh/ssh_host_rsa_key
@@ -793,6 +788,15 @@
 These files are created using
 .Xr ssh-keygen 1 .
 .Pp
+.It /etc/ssh/ssh_known_hosts
+Systemwide list of known host keys.
+This file should be prepared by the
+system administrator to contain the public host keys of all machines in the
+organization.
+The format of this file is described above.
+This file should be writable only by root/the owner and
+should be world-readable.
+.Pp
 .It /etc/ssh/sshd_config
 Contains configuration data for
 .Nm sshd .
@@ -829,6 +833,7 @@
 .Xr ssh-add 1 ,
 .Xr ssh-agent 1 ,
 .Xr ssh-keygen 1 ,
+.Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
 .Xr hosts_access 5 ,
 .Xr login.conf 5 ,

Modified: trunk/sshd.c
===================================================================
--- trunk/sshd.c	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sshd.c	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.349 2007/02/21 11:00:05 dtucker Exp $ */
+/* $OpenBSD: sshd.c,v 1.351 2007/05/22 10:18:52 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland

Modified: trunk/sshd_config
===================================================================
--- trunk/sshd_config	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sshd_config	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
+#	$OpenBSD: sshd_config,v 1.75 2007/03/19 01:01:29 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -11,11 +11,15 @@
 # default value.
 
 #Port 22
-#Protocol 2,1
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
+# Disable legacy (protocol version 1) support in the server for new
+# installations. In future the default will change to require explicit
+# activation of protocol 1
+Protocol 2
+
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
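Review bot: `Protocol 2` is now an active directive rather than the commented `#Protocol 2,1` default, so fresh installs refuse protocol 1 clients outright; this agrees with the Debian list added to sshd_config.5 in this revision. The new comment's last sentence lacks a full stop, and it would help to say that the line is set deliberately so that the packaged default remains 2-only even if upstream's compiled-in default changes.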

Modified: trunk/sshd_config.0
===================================================================
--- trunk/sshd_config.0	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sshd_config.0	2008-03-10 20:34:38 UTC (rev 42)
@@ -282,9 +282,11 @@
      MACs    Specifies the available MAC (message authentication code) algo-
              rithms.  The MAC algorithm is used in protocol version 2 for data
              integrity protection.  Multiple algorithms must be comma-separat-
-             ed.  The default is: ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-
-             sha1-96,hmac-md5-96''.
+             ed.  The default is:
 
+                   hmac-md5,hmac-sha1,umac-64 at openssh.com,
+                   hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+
      Match   Introduces a conditional block.  If all of the criteria on the
              Match line are satisfied, the keywords on the following lines
              override those set in the global section of the config file, un-
@@ -570,4 +572,4 @@
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-OpenBSD 4.1                   September 25, 1999                             9
+OpenBSD 4.2                      June 11, 2007                               9

Modified: trunk/sshd_config.5
===================================================================
--- trunk/sshd_config.5	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/sshd_config.5	2008-03-10 20:34:38 UTC (rev 42)
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.74 2007/03/01 16:19:33 jmc Exp $
-.Dd September 25, 1999
+.\" $OpenBSD: sshd_config.5,v 1.77 2007/06/08 07:48:09 jmc Exp $
+.Dd $Mdocdate: June 11 2007 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -58,6 +58,33 @@
 .Pq \&"
 in order to represent arguments containing spaces.
 .Pp
+Note that the Debian
+.Ic openssh-server
+package sets several options as standard in
+.Pa /etc/ssh/sshd_config
+which are not the default in
+.Xr sshd 8 .
+The exact list depends on whether the package was installed fresh or
+upgraded from various possible previous versions, but includes at least the
+following:
+.Pp
+.Bl -bullet -offset indent -compact
+.It
+.Cm Protocol No 2
+.It
+.Cm ChallengeResponseAuthentication No no
+.It
+.Cm X11Forwarding No yes
+.It
+.Cm PrintMotd No no
+.It
+.Cm AcceptEnv No LANG LC_*
+.It
+.Cm Subsystem No sftp /usr/lib/openssh/sftp-server
+.It
+.Cm UsePAM No yes
+.El
+.Pp
 The possible
 keywords and their meanings are as follows (note that
 keywords are case-insensitive and arguments are case-sensitive):
@@ -512,7 +539,10 @@
 for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is:
-.Dq hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96 .
+.Bd -literal -offset indent
+hmac-md5,hmac-sha1,umac-64 at openssh.com,
+hmac-ripemd160,hmac-sha1-96,hmac-md5-96
+.Ed
 .It Cm Match
 Introduces a conditional block.
 If all of the criteria on the

Modified: trunk/version.h
===================================================================
--- trunk/version.h	2008-02-23 22:48:07 UTC (rev 41)
+++ trunk/version.h	2008-03-10 20:34:38 UTC (rev 42)
@@ -1,9 +1,10 @@
-/* $OpenBSD: version.h,v 1.49 2007/03/06 10:13:14 djm Exp $ */
+/* $OpenBSD: version.h,v 1.50 2007/08/15 08:16:49 markus Exp $ */
 
-#define SSH_VERSION	"OpenSSH_4.6"
+#define SSH_VERSION	"OpenSSH_4.7"
 
 #define SSH_PORTABLE	"p1"
-#ifndef SSH_EXTRAVERSION
-#define SSH_EXTRAVERSION
+#ifdef SSH_EXTRAVERSION
+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE " " SSH_EXTRAVERSION
+#else
+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
 #endif
-#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_EXTRAVERSION
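Review bot: because `SSH_RELEASE` is built by adjacent string-literal concatenation (`SSH_VERSION SSH_PORTABLE " " SSH_EXTRAVERSION`), `SSH_EXTRAVERSION` must expand to a quoted string literal; a build that passes it unquoted on the command line will fail to compile. A comment next to the `#ifdef` stating that requirement, and that the macro is now optional instead of defaulting to empty, would prevent that mistake.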


