diff options
author | mnag <mnag@FreeBSD.org> | 2006-10-01 10:15:00 +0800 |
---|---|---|
committer | mnag <mnag@FreeBSD.org> | 2006-10-01 10:15:00 +0800 |
commit | 696bf5784930e45ea5e05c256ac4673ca1672da0 (patch) | |
tree | f476a39a3894947c30498934cab8778ad3facb1a | |
parent | fa42719cf388f200b9ec1c9df8116a820b677632 (diff) | |
download | freebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.tar.gz freebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.tar.zst freebsd-ports-gnome-696bf5784930e45ea5e05c256ac4673ca1672da0.zip |
- Update to 4.4p1.
- Disable temporary HPN patch until HPN release new version.
- Fix rc.d script path in sshd.8
- Add FreeBSD-${PKGNAME} in SSH_VERSION and SSH_RELEASE like src does.
- Sync patches with src.
Security: CVE-2006-4924, CVE-2006-5051
21 files changed, 467 insertions, 448 deletions
diff --git a/security/openssh-portable/Makefile b/security/openssh-portable/Makefile index 2c4c8da8a202..81167ca74641 100644 --- a/security/openssh-portable/Makefile +++ b/security/openssh-portable/Makefile @@ -6,8 +6,7 @@ # PORTNAME= openssh -DISTVERSION= 4.3p2 -PORTREVISION= 1 +DISTVERSION= 4.4p1 PORTEPOCH= 1 CATEGORIES= security ipv6 MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%SUBDIR%/ \ @@ -42,8 +41,8 @@ USE_OPENSSL= yes USE_PERL5_BUILD= yes GNU_CONFIGURE= yes CONFIGURE_TARGET= --build=${MACHINE_ARCH}-portbld-freebsd${OSREL} -CONFIGURE_ARGS= --prefix=${PREFIX} --with-md5-passwords \ - --without-zlib-version-check +CONFIGURE_ARGS= --prefix=${PREFIX} --mandir=${MANPREFIX}/man \ + --with-md5-passwords --without-zlib-version-check PRECIOUS= ssh_config sshd_config ssh_host_key ssh_host_key.pub \ ssh_host_rsa_key ssh_host_rsa_key.pub ssh_host_dsa_key \ ssh_host_dsa_key.pub @@ -134,6 +133,7 @@ EXTRA_PATCHES+= ${FILESDIR}/scardpin.patch .endif .if defined(WITH_HPN) +IGNORE= option HPN is temporary disabled, waiting patch for new openssh release PATCH_DIST_STRIP= -p1 PATCH_SITES+= http://www.psc.edu/networking/projects/hpn-ssh/ PATCHFILES+= openssh-4.3p2-hpn12.diff.gz @@ -142,7 +142,7 @@ PATCHFILES+= openssh-4.3p2-hpn12.diff.gz .if defined(WITH_OVERWRITE_BASE) WITH_OPENSSL_BASE= yes BASE_SUFFIX= -overwrite-base -CONFIGURE_ARGS+= --mandir=${PREFIX}/share/man --localstatedir=/var +CONFIGURE_ARGS+= --localstatedir=/var EMPTYDIR= /var/empty PREFIX= /usr ETCSSH= /etc/ssh @@ -168,6 +168,13 @@ PLIST_SUB+= BASE="@comment " PLIST_SUB+= EMPTYDIR="${EMPTYDIR}" CONFIGURE_ARGS+= --sysconfdir=${ETCSSH} --with-privsep-path=${EMPTYDIR} +# Sync this with bsd.port.mk +.if (${OSVERSION} >= 700007 || ( ${OSVERSION} < 700000 && ${OSVERSION} >= 600101 )) +RC_SCRIPT_NAME= openssh +.else +RC_SCRIPT_NAME= openssh.sh +.endif + post-extract: .if defined(OPENSSH_SNAPSHOT) @# rc.d script have same name of openssh snapshot dir @@ -176,6 +183,21 @@ post-extract: post-patch: @${REINPLACE_CMD} -e 's|-ldes|-lcrypto|g' ${WRKSRC}/configure +.if defined(WITH_OVERWRITE_BASE) + @${REINPLACE_CMD} -e 's|%%PREFIX%%|${LOCALBASE}|' \ + -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 +.else + @${REINPLACE_CMD} -e 's|%%PREFIX%%|${PREFIX}|' \ + -e 's|%%RC_SCRIPT_NAME%%|${RC_SCRIPT_NAME}|' ${WRKSRC}/sshd.8 +.endif + @${REINPLACE_CMD} -E -e 's|SSH_VERSION|TMP_SSH_VERSION|' \ + -e 's|.*SSH_RELEASE.*||' ${WRKSRC}/version.h + @${ECHO_CMD} '#define FREEBSD_PORT_VERSION " FreeBSD-${PKGNAME}"' >> \ + ${WRKSRC}/version.h + @${ECHO_CMD} '#define SSH_VERSION TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ + ${WRKSRC}/version.h + @${ECHO_CMD} '#define SSH_RELEASE TMP_SSH_VERSION SSH_PORTABLE FREEBSD_PORT_VERSION' >> \ + ${WRKSRC}/version.h pre-install: .if defined(WITH_OVERWRITE_BASE) @@ -204,13 +226,8 @@ post-install: .if defined(WITH_OVERWRITE_BASE) @${ECHO_CMD} "===> Installing rc.d startup script(s)" @${ECHO_CMD} "@cwd ${LOCALBASE}" >> ${TMPPLIST} -.if ${OSVERSION} >= 700007 - @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh - @${ECHO_CMD} "etc/rc.d/openssh" >> ${TMPPLIST} -.else - @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/openssh.sh - @${ECHO_CMD} "etc/rc.d/openssh.sh" >> ${TMPPLIST} -.endif + @${INSTALL_SCRIPT} ${WRKDIR}/openssh ${LOCALBASE}/etc/rc.d/${RC_SCRIPT_NAME} + @${ECHO_CMD} "etc/rc.d/${RC_SCRIPT_NAME}" >> ${TMPPLIST} @${ECHO_CMD} "@cwd ${PREFIX}" >> ${TMPPLIST} .endif @${CAT} ${PKGMESSAGE} diff --git a/security/openssh-portable/distinfo b/security/openssh-portable/distinfo index d8fac8339839..58e7e8569bff 100644 --- a/security/openssh-portable/distinfo +++ b/security/openssh-portable/distinfo @@ -1,6 +1,3 @@ -MD5 (openssh-4.3p2.tar.gz) = 7e9880ac20a9b9db0d3fea30a9ff3d46 -SHA256 (openssh-4.3p2.tar.gz) = 4ba757d6c933e7d075b6424124d92d197eb5d91e4a58794596b67f5f0ca21d4f -SIZE (openssh-4.3p2.tar.gz) = 941455 -MD5 (openssh-4.3p2-hpn12.diff.gz) = f2fef0ecd2315d940dbb5b9188546400 -SHA256 (openssh-4.3p2-hpn12.diff.gz) = 704ff6ac9737850ac04b77bbb613099c0d557be4a0b28925946a90a76d7d7ac0 -SIZE (openssh-4.3p2-hpn12.diff.gz) = 14891 +MD5 (openssh-4.4p1.tar.gz) = 793a709a8de695c22f523024d7e9bf07 +SHA256 (openssh-4.4p1.tar.gz) = 0252474af4009129cde6a2df2893fb1ac24316436758796f6adc043ac73b35ac +SIZE (openssh-4.4p1.tar.gz) = 1044334 diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c index e15f33234d56..fb0b95115016 100644 --- a/security/openssh-portable/files/patch-auth.c +++ b/security/openssh-portable/files/patch-auth.c @@ -1,24 +1,6 @@ ---- auth.c.orig Thu Aug 12 14:40:25 2004 -+++ auth.c Mon Sep 20 05:04:48 2004 -@@ -208,6 +208,17 @@ - return 0; - #endif - -+#ifdef __FreeBSD__ -+ /* Fail if the account's expiration time has passed. */ -+ if (pw->pw_expire != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_expire) -+ return 0; -+ } -+#endif /* __FreeBSD__ */ -+ - /* We found no reason not to let this user try to log on... */ - return 1; - } -@@ -472,7 +483,7 @@ +--- auth.c.orig Wed Sep 6 21:36:43 2006 ++++ auth.c Sat Sep 30 10:38:04 2006 +@@ -500,7 +501,7 @@ if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP diff --git a/security/openssh-portable/files/patch-auth1.c b/security/openssh-portable/files/patch-auth1.c index c574eee773db..06657e5cb608 100644 --- a/security/openssh-portable/files/patch-auth1.c +++ b/security/openssh-portable/files/patch-auth1.c @@ -1,30 +1,28 @@ ---- auth1.c.orig Sun Jul 17 04:26:44 2005 -+++ auth1.c Thu Sep 1 11:23:35 2005 -@@ -26,6 +26,7 @@ - #include "uidswap.h" +--- auth1.c.orig Fri Sep 1 02:38:36 2006 ++++ auth1.c Sat Sep 30 18:47:57 2006 +@@ -39,6 +39,7 @@ + #endif #include "monitor_wrap.h" #include "buffer.h" +#include "canohost.h" /* import */ extern ServerOptions options; -@@ -220,6 +221,15 @@ +@@ -238,6 +239,13 @@ char info[1024]; int prev = 0, type = 0; const struct AuthMethod1 *meth; +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; -+#endif /* HAVE_LOGIN_CAP */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) + const char *from_host, *from_ip; + + from_host = get_canonical_hostname(options.use_dns); + from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ ++#endif debug("Attempting authentication for %s%.100s.", authctxt->valid ? "" : "invalid user ", authctxt->user); -@@ -270,6 +280,33 @@ +@@ -288,6 +296,26 @@ "type %d", type); goto skip; } @@ -48,13 +46,6 @@ + lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS -+ if (authctxt->pw != NULL && !login_access(authctxt->pw->pw_name, from_host)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+#endif /* LOGIN_ACCESS */ if (!*(meth->enabled)) { verbose("%s authentication disabled.", meth->name); diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c index 37e596c15939..3a9e7a274684 100644 --- a/security/openssh-portable/files/patch-auth2.c +++ b/security/openssh-portable/files/patch-auth2.c @@ -1,67 +1,51 @@ ---- auth2.c.orig Tue Feb 8 11:52:48 2005 -+++ auth2.c Sat Mar 19 20:50:32 2005 -@@ -36,6 +36,7 @@ +--- auth2.c.orig Fri Aug 4 23:39:39 2006 ++++ auth2.c Sat Sep 30 10:38:04 2006 +@@ -44,6 +45,7 @@ + #include "dispatch.h" #include "pathnames.h" - #include "monitor_wrap.h" #include "buffer.h" +#include "canohost.h" #ifdef GSSAPI #include "ssh-gss.h" -@@ -136,6 +137,15 @@ +@@ -147,6 +149,13 @@ Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; -+#endif /* HAVE_LOGIN_CAP */ -+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) + const char *from_host, *from_ip; + + from_host = get_canonical_hostname(options.use_dns); + from_ip = get_remote_ipaddr(); -+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ ++#endif if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -183,6 +193,41 @@ +@@ -190,6 +199,27 @@ "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP -+ if (authctxt->pw != NULL) { -+ lc = login_getpwclass(authctxt->pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, authctxt->pw); -+ if (!auth_hostok(lc, from_host, from_ip)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+ if (!auth_timeok(lc, time(NULL))) { -+ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", -+ authctxt->pw->pw_name, from_host); -+ packet_disconnect("Logins not available right now."); -+ } -+ login_close(lc); -+ lc = NULL; -+ } ++ if (authctxt->pw != NULL) { ++ lc = login_getpwclass(authctxt->pw); ++ if (lc == NULL) ++ lc = login_getclassbyname(NULL, authctxt->pw); ++ if (!auth_hostok(lc, from_host, from_ip)) { ++ logit("Denied connection for %.200s from %.200s [%.200s].", ++ authctxt->pw->pw_name, from_host, from_ip); ++ packet_disconnect("Sorry, you are not allowed to connect."); ++ } ++ if (!auth_timeok(lc, time(NULL))) { ++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", ++ authctxt->pw->pw_name, from_host); ++ packet_disconnect("Logins not available right now."); ++ } ++ login_close(lc); ++ lc = NULL; ++ } +#endif /* HAVE_LOGIN_CAP */ -+#ifdef LOGIN_ACCESS -+ if (authctxt->pw != NULL && -+ !login_access(authctxt->pw->pw_name, from_host)) { -+ logit("Denied connection for %.200s from %.200s [%.200s].", -+ authctxt->pw->pw_name, from_host, from_ip); -+ packet_disconnect("Sorry, you are not allowed to connect."); -+ } -+#endif /* LOGIN_ACCESS */ -+#ifdef BSD_AUTH -+ if (authctxt->as) { -+ auth_close(authctxt->as); -+ authctxt->as = NULL; -+ } -+#endif + /* reset state */ auth2_challenge_stop(authctxt); diff --git a/security/openssh-portable/files/patch-clientloop.c b/security/openssh-portable/files/patch-clientloop.c deleted file mode 100644 index 78fba1757228..000000000000 --- a/security/openssh-portable/files/patch-clientloop.c +++ /dev/null @@ -1,11 +0,0 @@ ---- clientloop.c.orig Fri Aug 13 13:18:01 2004 -+++ clientloop.c Mon Sep 20 05:04:48 2004 -@@ -1581,7 +1581,7 @@ - - if (strcmp(ctype, "forwarded-tcpip") == 0) { - c = client_request_forwarded_tcpip(ctype, rchan); -- } else if (strcmp(ctype, "x11") == 0) { -+ } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) { - c = client_request_x11(ctype, rchan); - } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { - c = client_request_agent(ctype, rchan); diff --git a/security/openssh-portable/files/patch-loginrec.c b/security/openssh-portable/files/patch-loginrec.c index 18e427f111a5..01a953a298dd 100644 --- a/security/openssh-portable/files/patch-loginrec.c +++ b/security/openssh-portable/files/patch-loginrec.c @@ -14,7 +14,7 @@ strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); # ifdef HAVE_HOST_IN_UTMP -+# if defined(__FreeBSD__) && __FreeBSD_version <= 400000 ++# if defined(__FreeBSD__) && __FreeBSD_version < 400000 strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname)); +# else diff --git a/security/openssh-portable/files/patch-readconf.c b/security/openssh-portable/files/patch-readconf.c new file mode 100644 index 000000000000..92e8a3ddb70c --- /dev/null +++ b/security/openssh-portable/files/patch-readconf.c @@ -0,0 +1,11 @@ +--- readconf.c.orig Fri Sep 1 02:38:37 2006 ++++ readconf.c Sat Sep 30 10:38:05 2006 +@@ -1112,7 +1122,7 @@ + if (options->batch_mode == -1) + options->batch_mode = 0; + if (options->check_host_ip == -1) +- options->check_host_ip = 1; ++ options->check_host_ip = 0; + if (options->strict_host_key_checking == -1) + options->strict_host_key_checking = 2; /* 2 is default */ + if (options->compression == -1) diff --git a/security/openssh-portable/files/patch-regress-test-exec.sh b/security/openssh-portable/files/patch-regress-test-exec.sh deleted file mode 100644 index 5fbf834f3c0c..000000000000 --- a/security/openssh-portable/files/patch-regress-test-exec.sh +++ /dev/null @@ -1,11 +0,0 @@ ---- regress/test-exec.sh.orig Fri Jun 25 05:46:09 2004 -+++ regress/test-exec.sh Tue Aug 17 05:27:49 2004 -@@ -178,6 +178,8 @@ - AcceptEnv _XXX_TEST_* - AcceptEnv _XXX_TEST - Subsystem sftp $SFTPSERVER -+ PermitRootLogin yes -+ UsePrivilegeSeparation no - EOF - - if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then diff --git a/security/openssh-portable/files/patch-servconf.c b/security/openssh-portable/files/patch-servconf.c new file mode 100644 index 000000000000..da3d241695da --- /dev/null +++ b/security/openssh-portable/files/patch-servconf.c @@ -0,0 +1,41 @@ +--- servconf.c.orig Fri Aug 18 11:23:15 2006 ++++ servconf.c Sat Sep 30 21:54:26 2006 +@@ -129,7 +129,7 @@ + { + /* Portable-specific options */ + if (options->use_pam == -1) +- options->use_pam = 0; ++ options->use_pam = 1; + + /* Standard Options */ + if (options->protocol == SSH_PROTO_UNKNOWN) +@@ -159,7 +159,7 @@ + if (options->key_regeneration_time == -1) + options->key_regeneration_time = 3600; + if (options->permit_root_login == PERMIT_NOT_SET) +- options->permit_root_login = PERMIT_YES; ++ options->permit_root_login = PERMIT_NO; + if (options->ignore_rhosts == -1) + options->ignore_rhosts = 1; + if (options->ignore_user_known_hosts == -1) +@@ -169,7 +169,7 @@ + if (options->print_lastlog == -1) + options->print_lastlog = 1; + if (options->x11_forwarding == -1) +- options->x11_forwarding = 0; ++ options->x11_forwarding = 1; + if (options->x11_display_offset == -1) + options->x11_display_offset = 10; + if (options->x11_use_localhost == -1) +@@ -207,7 +207,11 @@ + if (options->gss_cleanup_creds == -1) + options->gss_cleanup_creds = 1; + if (options->password_authentication == -1) ++#ifdef USE_PAM ++ options->password_authentication = 0; ++#else + options->password_authentication = 1; ++#endif + if (options->kbd_interactive_authentication == -1) + options->kbd_interactive_authentication = 0; + if (options->challenge_response_authentication == -1) diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c index 170bc8911d39..56ea323b488f 100644 --- a/security/openssh-portable/files/patch-session.c +++ b/security/openssh-portable/files/patch-session.c @@ -1,344 +1,164 @@ ---- session.c.orig Sun Mar 6 12:38:52 2005 -+++ session.c Sat Mar 19 21:45:32 2005 -@@ -66,6 +66,11 @@ - #include "ssh-gss.h" - #endif - -+#ifdef __FreeBSD__ -+#include <syslog.h> -+#define _PATH_CHPASS "/usr/bin/passwd" -+#endif /* __FreeBSD__ */ -+ - /* func */ - - Session *session_new(void); -@@ -414,6 +419,13 @@ - log_init(__progname, options.log_level, options.log_facility, log_stderr); - - /* -+ * Using login and executing a specific "command" are mutually -+ * exclusive, so turn off use_login if there's a command. -+ */ -+ if (command != NULL) -+ options.use_login = 0; -+ -+ /* - * Create a new session and process group since the 4.4BSD - * setlogin() affects the entire process group. - */ -@@ -550,6 +562,14 @@ - - /* Child. Reinitialize the log because the pid has changed. */ - log_init(__progname, options.log_level, options.log_facility, log_stderr); -+ -+ /* -+ * Using login and executing a specific "command" are mutually -+ * exclusive, so turn off use_login if there's a command. -+ */ -+ if (command != NULL) -+ options.use_login = 0; -+ - /* Close the master side of the pseudo tty. */ - close(ptyfd); - -@@ -700,6 +720,18 @@ - struct sockaddr_storage from; - struct passwd * pw = s->pw; - pid_t pid = getpid(); +--- session.c.orig Fri Sep 1 02:38:37 2006 ++++ session.c Sat Sep 30 19:32:06 2006 +@@ -776,6 +776,24 @@ + { + FILE *f; + char buf[256]; +#ifdef HAVE_LOGIN_CAP -+ FILE *f; -+ char buf[256]; + const char *fname; -+ const char *shorttty; -+#endif /* HAVE_LOGIN_CAP */ -+#ifdef __FreeBSD__ -+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ -+ char *newcommand = NULL; -+ struct timeval tv; -+ time_t warntime = DEFAULT_WARN; -+#endif /* __FreeBSD__ */ - - /* - * Get IP address of client. If the connection is not a socket, let -@@ -735,12 +767,101 @@ - } - #endif - -+#ifdef __FreeBSD__ -+ if (pw->pw_change || pw->pw_expire) -+ (void)gettimeofday(&tv, NULL); -+#ifdef HAVE_LOGIN_CAP -+ warntime = login_getcaptime(lc, "warnpassword", -+ DEFAULT_WARN, DEFAULT_WARN); -+#endif /* HAVE_LOGIN_CAP */ -+ /* -+ * If the password change time is set and has passed, give the -+ * user a password expiry notice and chance to change it. -+ */ -+ if (pw->pw_change != 0) { -+ if (tv.tv_sec >= pw->pw_change) { -+ (void)printf( -+ "Sorry -- your password has expired.\n"); -+ logit("%s Password expired - forcing change", -+ pw->pw_name); -+ if (newcommand != NULL) -+ xfree(newcommand); -+ newcommand = xstrdup(_PATH_CHPASS); -+ } else if (pw->pw_change - tv.tv_sec < warntime && -+ !check_quietlogin(s, command)) -+ (void)printf( -+ "Warning: your password expires on %s", -+ ctime(&pw->pw_change)); -+ } -+ -+#ifndef USE_PAM -+ if (pw->pw_expire) { -+ if (tv.tv_sec >= pw->pw_expire) { -+ (void)printf( -+ "Sorry -- your account has expired.\n"); -+ logit( -+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s", -+ pw->pw_name, get_remote_name_or_ip(utmp_len, -+ options.use_dns), s->tty); -+ exit(254); -+ } else if (pw->pw_expire - tv.tv_sec < warntime && -+ !check_quietlogin(s, command)) -+ (void)printf( -+ "Warning: your account expires on %s", -+ ctime(&pw->pw_expire)); -+ } -+#endif /* !USE_PAM */ -+#endif /* __FreeBSD__ */ -+ -+#ifdef HAVE_LOGIN_CAP -+ /* check if we have a pathname in the ttyname */ -+ shorttty = rindex( s->tty, '/' ); -+ if (shorttty != NULL ) { -+ /* use only the short filename to check */ -+ shorttty ++; -+ } else { -+ /* nothing found, use the whole name found */ -+ shorttty = s->tty; -+ } -+ if (!auth_ttyok(lc, shorttty)) { -+ (void)printf("Permission denied.\n"); -+ logit( -+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s", -+ pw->pw_name, get_remote_name_or_ip(utmp_len, -+ options.use_dns), s->tty); -+ exit(254); -+ } -+#endif /* HAVE_LOGIN_CAP */ ++#endif + - if (check_quietlogin(s, command)) - return; - - display_loginmsg(); - -- do_motd(); +#ifdef HAVE_LOGIN_CAP -+ if (command == NULL && -+ !options.use_login) { -+ fname = login_getcapstr(lc, "copyright", NULL, NULL); -+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) { -+ while (fgets(buf, sizeof(buf), f) != NULL) -+ fputs(buf, stdout); ++ fname = login_getcapstr(lc, "copyright", NULL, NULL); ++ if (fname != NULL && (f = fopen(fname, "r")) != NULL) { ++ while (fgets(buf, sizeof(buf), f) != NULL) ++ fputs(buf, stdout); + fclose(f); -+ } else -+ (void)printf("%s\n\t%s %s\n", -+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", -+ "The Regents of the University of California. ", -+ "All rights reserved."); -+ } ++ } else +#endif /* HAVE_LOGIN_CAP */ ++ (void)printf("%s\n\t%s %s\n", ++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", ++ "The Regents of the University of California. ", ++ "All rights reserved."); + -+ /* -+ * Print /etc/motd unless a command was specified or printing -+ * it was disabled in server options or login(1) will be -+ * used. Note that some machines appear to print it in -+ * /etc/profile or similar. -+ */ -+ if (command == NULL && !options.use_login) -+ do_motd(); - } ++ (void)printf("\n"); - /* -@@ -756,9 +877,9 @@ + if (options.print_motd) { #ifdef HAVE_LOGIN_CAP - f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", - "/etc/motd"), "r"); --#else -+#else /* !HAVE_LOGIN_CAP */ - f = fopen("/etc/motd", "r"); --#endif -+#endif /* HAVE_LOGIN_CAP */ - if (f) { - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stdout); -@@ -785,10 +906,10 @@ - #ifdef HAVE_LOGIN_CAP - if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0) - return 1; --#else -+#else /* HAVE_LOGIN_CAP */ - if (stat(buf, &st) >= 0) - return 1; --#endif -+#endif /* HAVE_LOGIN_CAP */ - return 0; - } - -@@ -974,7 +1095,14 @@ - { - char buf[256]; - u_int i, envsize; -- char **env, *laddr, *path = NULL; -+ char **env, *laddr; -+#ifdef HAVE_CYGWIN -+ char *path = NULL; -+#endif /* HAVE_CYGWIN */ -+#ifdef HAVE_LOGIN_CAP +@@ -1004,6 +1022,9 @@ + struct passwd *pw = s->pw; + #ifndef HAVE_LOGIN_CAP + char *path = NULL; ++#else + extern char **environ; + char **senv, **var; -+#endif /* HAVE_LOGIN_CAP */ - struct passwd *pw = s->pw; + #endif /* Initialize the environment. */ -@@ -982,6 +1110,9 @@ - env = xmalloc(envsize * sizeof(char *)); - env[0] = NULL; +@@ -1025,6 +1046,9 @@ + } + #endif -+ /* Moved up to resove confict with gsssapi patches */ + if (getenv("TZ")) + child_set_env(&env, &envsize, "TZ", getenv("TZ")); - #ifdef HAVE_CYGWIN - /* - * The Windows environment contains some setting which are -@@ -1046,9 +1177,21 @@ - - /* Normal systems set SHELL by default. */ - child_set_env(&env, &envsize, "SHELL", shell); -+#ifdef HAVE_LOGIN_CAP ++ + #ifdef GSSAPI + /* Allow any GSSAPI methods that we've used to alter + * the childs environment as they see fit +@@ -1044,11 +1068,22 @@ + child_set_env(&env, &envsize, "LOGIN", pw->pw_name); + #endif + child_set_env(&env, &envsize, "HOME", pw->pw_dir); ++ snprintf(buf, sizeof buf, "%.200s/%.50s", ++ _PATH_MAILDIR, pw->pw_name); ++ child_set_env(&env, &envsize, "MAIL", buf); + #ifdef HAVE_LOGIN_CAP +- if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0) +- child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); +- else +- child_set_env(&env, &envsize, "PATH", getenv("PATH")); ++ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); ++ child_set_env(&env, &envsize, "TERM", "su"); + senv = environ; + environ = xmalloc(sizeof(char *)); + *environ = NULL; -+ if (setusercontext(lc, pw, pw->pw_uid, -+ LOGIN_SETENV|LOGIN_SETPATH) < 0) { -+ perror("unable to set user context enviroment"); -+ } ++ (void) setusercontext(lc, pw, pw->pw_uid, ++ LOGIN_SETENV|LOGIN_SETPATH); + copy_environment(environ, &env, &envsize); + for (var = environ; *var != NULL; ++var) + xfree(*var); + xfree(environ); + environ = senv; -+#endif /* HAVE_LOGIN_CAP */ + #else /* HAVE_LOGIN_CAP */ + # ifndef HAVE_CYGWIN + /* +@@ -1069,15 +1104,9 @@ + # endif /* HAVE_CYGWIN */ + #endif /* HAVE_LOGIN_CAP */ + +- snprintf(buf, sizeof buf, "%.200s/%.50s", +- _PATH_MAILDIR, pw->pw_name); +- child_set_env(&env, &envsize, "MAIL", buf); +- + /* Normal systems set SHELL by default. */ + child_set_env(&env, &envsize, "SHELL", shell); } - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); /* Set custom environment options from RSA authentication. */ if (!options.use_login) { -@@ -1258,6 +1401,12 @@ +@@ -1287,6 +1316,10 @@ void do_setusercontext(struct passwd *pw) { -+ +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ -+ #ifndef HAVE_CYGWIN if (getuid() == 0 || geteuid() == 0) #endif /* HAVE_CYGWIN */ -@@ -1285,10 +1434,30 @@ +@@ -1314,10 +1347,31 @@ } # endif /* USE_PAM */ if (setusercontext(lc, pw, pw->pw_uid, - (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { -+ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH|LOGIN_SETUSER))) < 0) { ++ (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) { perror("unable to set user context"); exit(1); } +#ifdef CHROOT -+ user_dir = xstrdup(pw->pw_dir); -+ new_root = user_dir + 1; ++ user_dir = xstrdup(pw->pw_dir); ++ new_root = user_dir + 1; + -+ while((new_root = strchr(new_root, '.')) != NULL) { -+ new_root--; -+ if(strncmp(new_root, "/./", 3) == 0) { -+ *new_root = '\0'; -+ new_root += 2; ++ while((new_root = strchr(new_root, '.')) != NULL) { ++ new_root--; ++ if(strncmp(new_root, "/./", 3) == 0) { ++ *new_root = '\0'; ++ new_root += 2; + -+ if(chroot(user_dir) != 0) -+ fatal("Couldn't chroot to user directory %s", user_dir); -+ pw->pw_dir = new_root; -+ break; -+ } ++ if(chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory %s", user_dir); ++ pw->pw_dir = new_root; ++ break; ++ } + -+ new_root += 2; -+ } ++ new_root += 2; ++ } +#endif /* CHROOT */ -+ permanently_set_uid(pw); ++ /* Permanently switch to the desired uid. */ ++ permanently_set_uid(pw); #else # if defined(HAVE_GETLUID) && defined(HAVE_SETLUID) /* Sets login uid for accounting */ -@@ -1322,7 +1491,16 @@ - * Reestablish them here. - */ - if (options.use_pam) { -- do_pam_session(); -+ /* check if we have a pathname in the ttyname */ -+ shorttty = rindex( s->tty, '/' ); -+ if (shorttty != NULL ) { -+ /* use only the short filename to check */ -+ shorttty ++; -+ } else { -+ /* nothing found, use the whole name found */ -+ shorttty = s->tty; -+ } -+ do_pam_session(s->pw->pw_name, shorttty); - do_pam_setcred(0); - } - # endif /* USE_PAM */ -@@ -1417,7 +1595,7 @@ - * initgroups, because at least on Solaris 2.3 it leaves file - * descriptors open. +@@ -1472,6 +1526,9 @@ + char *argv[10]; + const char *shell, *shell0, *hostname = NULL; + struct passwd *pw = s->pw; ++#ifdef HAVE_LOGIN_CAP ++ int lc_requirehome; ++#endif + + /* remove hostkey from the child's memory */ + destroy_sensitive_data(); +@@ -1559,6 +1616,10 @@ */ -- for (i = 3; i < 64; i++) -+ for (i = 3; i < getdtablesize(); i++) - close(i); - } + environ = env; -@@ -1553,6 +1731,31 @@ ++#ifdef HAVE_LOGIN_CAP ++ lc_requirehome = login_getcapbool(lc, "requirehome", 0); ++ login_close(lc); ++#endif + #if defined(KRB5) && defined(USE_AFS) + /* + * At this point, we check to see if AFS is active and if we have +@@ -1590,7 +1651,7 @@ + fprintf(stderr, "Could not chdir to home directory %s: %s\n", + pw->pw_dir, strerror(errno)); + #ifdef HAVE_LOGIN_CAP +- if (login_getcapbool(lc, "requirehome", 0)) ++ if (lc_requirehome) exit(1); #endif } -+ -+#ifdef __FreeBSD__ -+ if (!options.use_login) { -+ /* -+ * If the password change time is set and has passed, give the -+ * user a password expiry notice and chance to change it. -+ */ -+ if (pw->pw_change != 0) { -+ struct timeval tv; -+ -+ (void)gettimeofday(&tv, NULL); -+ if (tv.tv_sec >= pw->pw_change) { -+ (void)printf( -+ "Sorry -- your password has expired.\n"); -+ syslog(LOG_INFO, -+ "%s Password expired - forcing change", -+ pw->pw_name); -+ if (system("/usr/bin/passwd") != 0) { -+ perror("/usr/bin/passwd"); -+ exit(1); -+ } -+ } -+ } -+ } -+#endif /* __FreeBSD__ */ - - if (!options.use_login) - do_rc_files(s, shell); diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c new file mode 100644 index 000000000000..a9f760bb3dc1 --- /dev/null +++ b/security/openssh-portable/files/patch-ssh-agent.c @@ -0,0 +1,10 @@ +--- ssh-agent.c.orig Fri Sep 1 02:38:37 2006 ++++ ssh-agent.c Sat Sep 30 18:30:32 2006 +@@ -1036,6 +1036,7 @@ + /* drop */ + setegid(getgid()); + setgid(getgid()); ++ setuid(geteuid()); + + #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) + /* Disable ptrace on Linux without sgid bit */ diff --git a/security/openssh-portable/files/patch-ssh.c b/security/openssh-portable/files/patch-ssh.c new file mode 100644 index 000000000000..ba7ddd3b6aa0 --- /dev/null +++ b/security/openssh-portable/files/patch-ssh.c @@ -0,0 +1,26 @@ +--- ssh.c.orig Sat Sep 2 02:32:40 2006 ++++ ssh.c Sat Sep 30 10:38:05 2006 +@@ -639,6 +640,23 @@ + + if (options.hostname != NULL) + host = options.hostname; ++ ++ /* Find canonic host name. */ ++ if (strchr(host, '.') == 0) { ++ struct addrinfo hints; ++ struct addrinfo *ai = NULL; ++ int errgai; ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = options.address_family; ++ hints.ai_flags = AI_CANONNAME; ++ hints.ai_socktype = SOCK_STREAM; ++ errgai = getaddrinfo(host, NULL, &hints, &ai); ++ if (errgai == 0) { ++ if (ai->ai_canonname != NULL) ++ host = xstrdup(ai->ai_canonname); ++ freeaddrinfo(ai); ++ } ++ } + + /* force lowercase for hostkey matching */ + if (options.host_key_alias != NULL) { diff --git a/security/openssh-portable/files/patch-ssh_config b/security/openssh-portable/files/patch-ssh_config new file mode 100644 index 000000000000..a5fd64b5b081 --- /dev/null +++ b/security/openssh-portable/files/patch-ssh_config @@ -0,0 +1,11 @@ +--- ssh_config.orig Tue Jun 13 00:01:10 2006 ++++ ssh_config Sat Sep 30 10:39:07 2006 +@@ -27,7 +28,7 @@ + # GSSAPIAuthentication no + # GSSAPIDelegateCredentials no + # BatchMode no +-# CheckHostIP yes ++# CheckHostIP no + # AddressFamily any + # ConnectTimeout 0 + # StrictHostKeyChecking ask diff --git a/security/openssh-portable/files/patch-ssh_config.5 b/security/openssh-portable/files/patch-ssh_config.5 new file mode 100644 index 000000000000..98a6ec25f6bf --- /dev/null +++ b/security/openssh-portable/files/patch-ssh_config.5 @@ -0,0 +1,11 @@ +--- ssh_config.5.orig Fri Aug 4 22:34:51 2006 ++++ ssh_config.5 Sat Sep 30 10:39:07 2006 +@@ -165,7 +166,7 @@ + .Dq no , + the check will not be executed. + The default is +-.Dq yes . ++.Dq no . + .It Cm Cipher + Specifies the cipher to use for encrypting the session + in protocol version 1. diff --git a/security/openssh-portable/files/patch-sshd.8 b/security/openssh-portable/files/patch-sshd.8 new file mode 100644 index 000000000000..b9854e39c405 --- /dev/null +++ b/security/openssh-portable/files/patch-sshd.8 @@ -0,0 +1,33 @@ +--- sshd.8.orig Tue Aug 29 22:07:01 2006 ++++ sshd.8 Sat Sep 30 20:05:16 2006 +@@ -65,7 +65,7 @@ + .Nm + listens for connections from clients. + It is normally started at boot from +-.Pa /etc/rc . ++.Pa %%PREFIX%%/etc/rc.d/%%RC_SCRIPT_NAME%% . + It forks a new + daemon for each incoming connection. + The forked daemons handle +@@ -342,8 +342,9 @@ + If the login is on a tty, records login time. + .It + Checks +-.Pa /etc/nologin ; +-if it exists, prints contents and quits ++.Pa /etc/nologin and ++.Pa /var/run/nologin ; ++if one exists, it prints the contents and quits + (unless root). + .It + Changes to run with normal user privileges. +@@ -365,7 +366,8 @@ + exists, runs it; else if + .Pa /etc/ssh/sshrc + exists, runs +-it; otherwise runs xauth. ++it; otherwise runs ++.Xr xauth 1 . + The + .Dq rc + files are given the X11 diff --git a/security/openssh-portable/files/patch-sshd.c b/security/openssh-portable/files/patch-sshd.c index 09665a42d7bd..392cd2082571 100644 --- a/security/openssh-portable/files/patch-sshd.c +++ b/security/openssh-portable/files/patch-sshd.c @@ -1,20 +1,23 @@ ---- sshd.c.orig Wed Jun 26 01:24:19 2002 -+++ sshd.c Thu Jul 25 06:32:37 2002 -@@ -53,6 +53,10 @@ +--- sshd.c.patch Sun Sep 17 01:04:46 2006 ++++ sshd.c Sat Sep 30 10:38:05 2006 +@@ -80,6 +81,13 @@ #include <prot.h> #endif +#ifdef __FreeBSD__ +#include <resolv.h> ++#ifdef GSSAPI ++#include <gssapi.h> ++#endif +#endif + + #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" - #include "ssh2.h" -@@ -1409,6 +1413,17 @@ - setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, &on, - sizeof(on)) < 0) - error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); +@@ -1697,6 +1705,29 @@ + signal(SIGQUIT, SIG_DFL); + signal(SIGCHLD, SIG_DFL); + signal(SIGINT, SIG_DFL); + +#ifdef __FreeBSD__ + /* @@ -25,6 +28,18 @@ + debug("res_init()"); + res_init(); + } ++#ifdef GSSAPI ++ /* ++ * Force GSS-API to parse its configuration and load any ++ * mechanism plugins. ++ */ ++ { ++ gss_OID_set mechs; ++ OM_uint32 minor_status; ++ gss_indicate_mechs(&minor_status, &mechs); ++ gss_release_oid_set(&minor_status, &mechs); ++ } ++#endif +#endif /* diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config index 0d7486dcb83b..91729f01e928 100644 --- a/security/openssh-portable/files/patch-sshd_config +++ b/security/openssh-portable/files/patch-sshd_config @@ -1,18 +1,49 @@ ---- sshd_config.orig Mon May 24 02:36:24 2004 -+++ sshd_config Mon Sep 20 05:04:48 2004 -@@ -34,6 +34,7 @@ +--- sshd_config.orig Mon Jul 24 01:06:47 2006 ++++ sshd_config Sat Sep 30 21:52:31 2006 +@@ -34,7 +34,7 @@ + # Authentication: #LoginGraceTime 2m - #PermitRootLogin yes -+PermitRootLogin no +-#PermitRootLogin yes ++#PermitRootLogin no #StrictModes yes #MaxAuthTries 6 -@@ -57,6 +58,7 @@ +@@ -52,11 +52,11 @@ + # Don't read the user's ~/.rhosts and ~/.shosts files + #IgnoreRhosts yes - # Change to no to disable s/key passwords +-# To disable tunneled clear text passwords, change to no here! +-#PasswordAuthentication yes ++# Change to yes to enable built-in password authentication. ++#PasswordAuthentication no + #PermitEmptyPasswords no + +-# Change to no to disable s/key passwords ++# Change to no to disable PAM authentication #ChallengeResponseAuthentication yes -+ChallengeResponseAuthentication no # Kerberos options - #KerberosAuthentication no +@@ -69,7 +69,7 @@ + #GSSAPIAuthentication no + #GSSAPICleanupCredentials yes + +-# Set this to 'yes' to enable PAM authentication, account processing, ++# Set this to 'no' to disable PAM authentication, account processing, + # and session processing. If this is enabled, PAM authentication will + # be allowed through the ChallengeResponseAuthentication and + # PasswordAuthentication. Depending on your PAM configuration, +@@ -78,11 +78,11 @@ + # If you just want the PAM account and session checks to run without + # PAM authentication, then enable this but set PasswordAuthentication + # and ChallengeResponseAuthentication to 'no'. +-#UsePAM no ++#UsePAM yes + + #AllowTcpForwarding yes + #GatewayPorts no +-#X11Forwarding no ++#X11Forwarding yes + #X11DisplayOffset 10 + #X11UseLocalhost yes + #PrintMotd yes diff --git a/security/openssh-portable/files/patch-sshd_config.5 b/security/openssh-portable/files/patch-sshd_config.5 new file mode 100644 index 000000000000..6ccd1c7f2d53 --- /dev/null +++ b/security/openssh-portable/files/patch-sshd_config.5 @@ -0,0 +1,90 @@ +--- sshd_config.5.orig Tue Aug 29 22:06:34 2006 ++++ sshd_config.5 Sat Sep 30 10:39:07 2006 +@@ -169,9 +170,16 @@ + By default, no banner is displayed. + .It Cm ChallengeResponseAuthentication + Specifies whether challenge-response authentication is allowed. +-All authentication styles from +-.Xr login.conf 5 +-are supported. ++Specifically, in ++.Fx , ++this controls the use of PAM (see ++.Xr pam 3 ) ++for authentication. ++Note that this affects the effectiveness of the ++.Cm PasswordAuthentication ++and ++.Cm PermitRootLogin ++variables. + The default is + .Dq yes . + .It Cm Ciphers +@@ -554,7 +560,22 @@ + .It Cm PasswordAuthentication + Specifies whether password authentication is allowed. + The default is ++.Dq no , ++unless ++.Nm sshd ++was built without PAM support, in which case the default is + .Dq yes . ++Note that if ++.Cm ChallengeResponseAuthentication ++is ++.Dq yes , ++and the PAM authentication policy for ++.Nm sshd ++includes ++.Xr pam_unix 8 , ++password authentication will be allowed through the challenge-response ++mechanism regardless of the value of ++.Cm PasswordAuthentication . + .It Cm PermitEmptyPasswords + When password authentication is allowed, it specifies whether the + server allows login to accounts with empty password strings. +@@ -597,7 +618,14 @@ + or + .Dq no . + The default is +-.Dq yes . ++.Dq no . ++Note that if ++.Cm ChallengeResponseAuthentication ++is ++.Dq yes , ++the root user may be allowed in with its password even if ++.Cm PermitRootLogin is set to ++.Dq without-password . + .Pp + If this option is set to + .Dq without-password , +@@ -704,7 +732,9 @@ + .Dq yes . + Note that this option applies to protocol version 2 only. + .It Cm RhostsRSAAuthentication +-Specifies whether rhosts or /etc/hosts.equiv authentication together ++Specifies whether rhosts or ++.Pa /etc/hosts.equiv ++authentication together + with successful RSA host authentication is allowed. + The default is + .Dq no . +@@ -814,7 +844,7 @@ + .Xr sshd 8 + as a non-root user. + The default is +-.Dq no . ++.Dq yes . + .It Cm UsePrivilegeSeparation + Specifies whether + .Xr sshd 8 +@@ -839,7 +874,7 @@ + or + .Dq no . + The default is +-.Dq no . ++.Dq yes . + .Pp + When X11 forwarding is enabled, there may be additional exposure to + the server and to client displays if the diff --git a/security/openssh-portable/files/patch-sshpty.c b/security/openssh-portable/files/patch-sshpty.c deleted file mode 100644 index d8cd703dcec7..000000000000 --- a/security/openssh-portable/files/patch-sshpty.c +++ /dev/null @@ -1,12 +0,0 @@ ---- sshpty.c.orig Wed Jan 21 07:07:17 2004 -+++ sshpty.c Wed Feb 25 11:58:54 2004 -@@ -17,6 +17,9 @@ - #ifdef HAVE_UTIL_H - # include <util.h> - #endif /* HAVE_UTIL_H */ -+#ifdef HAVE_LIBUTIL_H -+#include <libutil.h> -+#endif - - #include "sshpty.h" - #include "log.h" diff --git a/security/openssh-portable/files/servconf.c.patch b/security/openssh-portable/files/servconf.c.patch deleted file mode 100644 index dde0a6947e60..000000000000 --- a/security/openssh-portable/files/servconf.c.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- servconf.c.orig Sat Mar 23 11:02:41 2002 -+++ servconf.c Sat Mar 23 11:07:39 2002 -@@ -17,12 +17,12 @@ - #endif - #if defined(KRB5) - #ifdef HEIMDAL --#include <krb.h> -+#include <krb5.h> - #else - /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V - * keytab */ --#define KEYFILE "/etc/krb5.keytab" - #endif -+#define KEYFILE "/etc/krb5.keytab" - #endif - #ifdef AFS - #include <kafs.h> |