authordinoex <dinoex@FreeBSD.org>2003-09-27 02:13:52 +0800
committerdinoex <dinoex@FreeBSD.org>2003-09-27 02:13:52 +0800
commit4eab04811294efc0cd3c903357e6ceca2417ee03 (patch)
treed00df161c3ec682cb5f0c69bb28aab64b4d71788 /security/openssh-portable/files
parentc296481974bcdae841f33e447a8116da1fad1f4a (diff)
- update to 3.7.1p2
more regression tests successful
Diffstat (limited to 'security/openssh-portable/files')
-rw-r--r--security/openssh-portable/files/auth2-pam-freebsd.c626
-rw-r--r--security/openssh-portable/files/patch-Makefile.in11
-rw-r--r--security/openssh-portable/files/patch-auth-chall.c36
-rw-r--r--security/openssh-portable/files/patch-auth-pam.c91
-rw-r--r--security/openssh-portable/files/patch-auth-pam.h13
-rw-r--r--security/openssh-portable/files/patch-auth.c10
-rw-r--r--security/openssh-portable/files/patch-auth1.c20
-rw-r--r--security/openssh-portable/files/patch-auth2-chall.c48
-rw-r--r--security/openssh-portable/files/patch-auth2.c22
-rw-r--r--security/openssh-portable/files/patch-buffer.c111
-rw-r--r--security/openssh-portable/files/patch-deattack.c17
-rw-r--r--security/openssh-portable/files/patch-misc.c28
-rw-r--r--security/openssh-portable/files/patch-monitor.c137
-rw-r--r--security/openssh-portable/files/patch-monitor.h13
-rw-r--r--security/openssh-portable/files/patch-monitor_wrap.c97
-rw-r--r--security/openssh-portable/files/patch-monitor_wrap.h13
-rw-r--r--security/openssh-portable/files/patch-regress-Makefile19
-rw-r--r--security/openssh-portable/files/patch-regress-test-exec.sh8
-rw-r--r--security/openssh-portable/files/patch-session.c116
-rw-r--r--security/openssh-portable/files/patch-ssh-agent.c44
-rw-r--r--security/openssh-portable/files/patch-sshd_config8
-rw-r--r--security/openssh-portable/files/patch-stderr-after-eof.sh11
22 files changed, 82 insertions, 1417 deletions
diff --git a/security/openssh-portable/files/auth2-pam-freebsd.c b/security/openssh-portable/files/auth2-pam-freebsd.c
deleted file mode 100644
index 5bf4d734dd34..000000000000
--- a/security/openssh-portable/files/auth2-pam-freebsd.c
+++ /dev/null
@@ -1,626 +0,0 @@
-/*-
- * Copyright (c) 2002 Networks Associates Technology, Inc.
- * All rights reserved.
- *
- * This software was developed for the FreeBSD Project by ThinkSec AS and
- * NAI Labs, the Security Research Division of Network Associates, Inc.
- * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
- * DARPA CHATS research program.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$FreeBSD: /tmp/pcvs/ports/security/openssh-portable/files/Attic/auth2-pam-freebsd.c,v 1.5 2003-09-26 02:42:39 dinoex Exp $");
-
-#ifdef USE_PAM
-#include <security/pam_appl.h>
-
-#include "auth.h"
-#include "auth-pam.h"
-#include "buffer.h"
-#include "bufaux.h"
-#include "canohost.h"
-#include "log.h"
-#include "monitor_wrap.h"
-#include "msg.h"
-#include "packet.h"
-#include "readpass.h"
-#include "servconf.h"
-#include "ssh2.h"
-#include "xmalloc.h"
-
-#ifdef USE_POSIX_THREADS
-#include <pthread.h>
-#else
-/*
- * Simulate threads with processes.
- */
-typedef pid_t pthread_t;
-
-static void
-pthread_exit(void *value __unused)
-{
- _exit(0);
-}
-
-static int
-pthread_create(pthread_t *thread, const void *attr __unused,
- void *(*thread_start)(void *), void *arg)
-{
- pid_t pid;
-
- switch ((pid = fork())) {
- case -1:
- error("fork(): %s", strerror(errno));
- return (-1);
- case 0:
- thread_start(arg);
- _exit(1);
- default:
- *thread = pid;
- return (0);
- }
-}
-
-static int
-pthread_cancel(pthread_t thread)
-{
- return (kill(thread, SIGTERM));
-}
-
-static int
-pthread_join(pthread_t thread, void **value __unused)
-{
- int status;
-
- waitpid(thread, &status, 0);
- return (status);
-}
-#endif
-
-
-static pam_handle_t *pam_handle;
-static int pam_err;
-static int pam_authenticated;
-static int pam_new_authtok_reqd;
-static int pam_session_open;
-static int pam_cred_established;
-
-struct pam_ctxt {
- pthread_t pam_thread;
- int pam_psock;
- int pam_csock;
- int pam_done;
-};
-
-static void pam_free_ctx(void *);
-
-/*
- * Conversation function for authentication thread.
- */
-static int
-pam_thread_conv(int n,
- const struct pam_message **msg,
- struct pam_response **resp,
- void *data)
-{
- Buffer buffer;
- struct pam_ctxt *ctxt;
- int i;
-
- ctxt = data;
- if (n <= 0 || n > PAM_MAX_NUM_MSG)
- return (PAM_CONV_ERR);
- *resp = xmalloc(n * sizeof **resp);
- buffer_init(&buffer);
- for (i = 0; i < n; ++i) {
- (*resp)[i].resp_retcode = 0;
- (*resp)[i].resp = NULL;
- switch (msg[i]->msg_style) {
- case PAM_PROMPT_ECHO_OFF:
- buffer_put_cstring(&buffer, msg[i]->msg);
- ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
- ssh_msg_recv(ctxt->pam_csock, &buffer);
- if (buffer_get_char(&buffer) != PAM_AUTHTOK)
- goto fail;
- (*resp)[i].resp = buffer_get_string(&buffer, NULL);
- break;
- case PAM_PROMPT_ECHO_ON:
- buffer_put_cstring(&buffer, msg[i]->msg);
- ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
- ssh_msg_recv(ctxt->pam_csock, &buffer);
- if (buffer_get_char(&buffer) != PAM_AUTHTOK)
- goto fail;
- (*resp)[i].resp = buffer_get_string(&buffer, NULL);
- break;
- case PAM_ERROR_MSG:
- buffer_put_cstring(&buffer, msg[i]->msg);
- ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
- break;
- case PAM_TEXT_INFO:
- buffer_put_cstring(&buffer, msg[i]->msg);
- ssh_msg_send(ctxt->pam_csock, msg[i]->msg_style, &buffer);
- break;
- default:
- goto fail;
- }
- buffer_clear(&buffer);
- }
- buffer_free(&buffer);
- return (PAM_SUCCESS);
- fail:
- xfree(*resp);
- *resp = NULL;
- buffer_free(&buffer);
- return (PAM_CONV_ERR);
-}
-
-/*
- * Authentication thread.
- */
-static void *
-pam_thread(void *ctxtp)
-{
- struct pam_ctxt *ctxt = ctxtp;
- Buffer buffer;
- struct pam_conv pam_conv = { pam_thread_conv, ctxt };
-
-#ifndef USE_POSIX_THREADS
- {
- const char *pam_user;
-
- pam_get_item(pam_handle, PAM_USER, (const void **)&pam_user);
- setproctitle("%s [pam]", pam_user);
- }
-#endif
- buffer_init(&buffer);
- pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
- if (pam_err != PAM_SUCCESS)
- goto auth_fail;
- pam_err = pam_authenticate(pam_handle, 0);
- if (pam_err != PAM_SUCCESS)
- goto auth_fail;
- pam_err = pam_acct_mgmt(pam_handle, 0);
- if (pam_err != PAM_SUCCESS && pam_err != PAM_NEW_AUTHTOK_REQD)
- goto auth_fail;
- buffer_put_cstring(&buffer, "OK");
- ssh_msg_send(ctxt->pam_csock, pam_err, &buffer);
- buffer_free(&buffer);
- pthread_exit(NULL);
- auth_fail:
- buffer_put_cstring(&buffer,
- pam_strerror(pam_handle, pam_err));
- ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
- buffer_free(&buffer);
- pthread_exit(NULL);
-}
-
-static void
-pam_thread_cleanup(void *ctxtp)
-{
- struct pam_ctxt *ctxt = ctxtp;
-
- pthread_cancel(ctxt->pam_thread);
- pthread_join(ctxt->pam_thread, NULL);
- close(ctxt->pam_psock);
- close(ctxt->pam_csock);
-}
-
-static int
-pam_null_conv(int n,
- const struct pam_message **msg,
- struct pam_response **resp,
- void *data)
-{
-
- return (PAM_CONV_ERR);
-}
-
-static struct pam_conv null_conv = { pam_null_conv, NULL };
-
-static void
-pam_cleanup(void *arg)
-{
- (void)arg;
- debug("PAM: cleanup");
- pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
- if (pam_cred_established) {
- pam_setcred(pam_handle, PAM_DELETE_CRED);
- pam_cred_established = 0;
- }
- if (pam_session_open) {
- pam_close_session(pam_handle, PAM_SILENT);
- pam_session_open = 0;
- }
- pam_authenticated = pam_new_authtok_reqd = 0;
- pam_end(pam_handle, pam_err);
- pam_handle = NULL;
-}
-
-static int
-pam_init(const char *user)
-{
- extern ServerOptions options;
- extern u_int utmp_len;
- const char *pam_rhost, *pam_user;
-
- if (pam_handle != NULL) {
- /* We already have a PAM context; check if the user matches */
- pam_err = pam_get_item(pam_handle,
- PAM_USER, (const void **)&pam_user);
- if (pam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
- return (0);
- fatal_remove_cleanup(pam_cleanup, NULL);
- pam_end(pam_handle, pam_err);
- pam_handle = NULL;
- }
- debug("PAM: initializing for \"%s\"", user);
- pam_err = pam_start("sshd", user, &null_conv, &pam_handle);
- if (pam_err != PAM_SUCCESS)
- return (-1);
- pam_rhost = get_remote_name_or_ip(utmp_len,
- options.verify_reverse_mapping);
- debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
- pam_err = pam_set_item(pam_handle, PAM_RHOST, pam_rhost);
- if (pam_err != PAM_SUCCESS) {
- pam_end(pam_handle, pam_err);
- pam_handle = NULL;
- return (-1);
- }
- fatal_add_cleanup(pam_cleanup, NULL);
- return (0);
-}
-
-static void *
-pam_init_ctx(Authctxt *authctxt)
-{
- struct pam_ctxt *ctxt;
- int socks[2];
-
- /* Initialize PAM */
- if (pam_init(authctxt->user) == -1) {
- error("PAM: initialization failed");
- return (NULL);
- }
-
- ctxt = xmalloc(sizeof *ctxt);
- ctxt->pam_done = 0;
-
- /* Start the authentication thread */
- if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
- error("PAM: failed create sockets: %s", strerror(errno));
- xfree(ctxt);
- return (NULL);
- }
- ctxt->pam_psock = socks[0];
- ctxt->pam_csock = socks[1];
- if (pthread_create(&ctxt->pam_thread, NULL, pam_thread, ctxt) == -1) {
- error("PAM: failed to start authentication thread: %s",
- strerror(errno));
- close(socks[0]);
- close(socks[1]);
- xfree(ctxt);
- return (NULL);
- }
- fatal_add_cleanup(pam_thread_cleanup, ctxt);
- return (ctxt);
-}
-
-static int
-pam_query(void *ctx, char **name, char **info,
- u_int *num, char ***prompts, u_int **echo_on)
-{
- Buffer buffer;
- struct pam_ctxt *ctxt = ctx;
- size_t plen;
- u_char type;
- char *msg;
-
- buffer_init(&buffer);
- *name = xstrdup("");
- *info = xstrdup("");
- *prompts = xmalloc(sizeof(char *));
- **prompts = NULL;
- plen = 0;
- *echo_on = xmalloc(sizeof(u_int));
- while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
- type = buffer_get_char(&buffer);
- msg = buffer_get_string(&buffer, NULL);
- switch (type) {
- case PAM_PROMPT_ECHO_ON:
- case PAM_PROMPT_ECHO_OFF:
- *num = 1;
- **prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
- plen += sprintf(**prompts + plen, "%s", msg);
- **echo_on = (type == PAM_PROMPT_ECHO_ON);
- xfree(msg);
- return (0);
- case PAM_ERROR_MSG:
- case PAM_TEXT_INFO:
- /* accumulate messages */
- **prompts = xrealloc(**prompts, plen + strlen(msg) + 1);
- plen += sprintf(**prompts + plen, "%s", msg);
- xfree(msg);
- break;
- case PAM_NEW_AUTHTOK_REQD:
- pam_new_authtok_reqd = 1;
- /* FALLTHROUGH */
- case PAM_SUCCESS:
- case PAM_AUTH_ERR:
- if (**prompts != NULL) {
- /* drain any accumulated messages */
-#if 0 /* not compatible with privsep */
- packet_start(SSH2_MSG_USERAUTH_BANNER);
- packet_put_cstring(**prompts);
- packet_put_cstring("");
- packet_send();
- packet_write_wait();
-#endif
- xfree(**prompts);
- **prompts = NULL;
- }
- if (type == PAM_SUCCESS) {
- *num = 0;
- **echo_on = 0;
- ctxt->pam_done = 1;
- xfree(msg);
- return (0);
- }
- error("PAM: %s", msg);
- default:
- *num = 0;
- **echo_on = 0;
- xfree(msg);
- ctxt->pam_done = -1;
- return (-1);
- }
- }
- return (-1);
-}
-
-static int
-pam_respond(void *ctx, u_int num, char **resp)
-{
- Buffer buffer;
- struct pam_ctxt *ctxt = ctx;
- char *msg;
-
- debug2("PAM: %s", __func__);
- switch (ctxt->pam_done) {
- case 1:
- pam_authenticated = 1;
- return (0);
- case 0:
- break;
- default:
- return (-1);
- }
- if (num != 1) {
- error("PAM: expected one response, got %u", num);
- return (-1);
- }
- buffer_init(&buffer);
- buffer_put_cstring(&buffer, *resp);
- ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer);
- buffer_free(&buffer);
- return (1);
-}
-
-static void
-pam_free_ctx(void *ctxtp)
-{
- struct pam_ctxt *ctxt = ctxtp;
-
- fatal_remove_cleanup(pam_thread_cleanup, ctxt);
- pam_thread_cleanup(ctxtp);
- xfree(ctxt);
- /*
- * We don't call pam_cleanup() here because we may need the PAM
- * handle at a later stage, e.g. when setting up a session. It's
- * still on the cleanup list, so pam_end() *will* be called before
- * the server process terminates.
- */
-}
-
-KbdintDevice pam_device = {
- "pam",
- pam_init_ctx,
- pam_query,
- pam_respond,
- pam_free_ctx
-};
-
-KbdintDevice mm_pam_device = {
- "pam",
- mm_pam_init_ctx,
- mm_pam_query,
- mm_pam_respond,
- mm_pam_free_ctx
-};
-
-/*
- * This replaces auth-pam.c
- */
-void
-start_pam(const char *user)
-{
- if (pam_init(user) == -1)
- fatal("PAM: initialisation failed");
-}
-
-void
-finish_pam(void)
-{
- fatal_remove_cleanup(pam_cleanup, NULL);
- pam_cleanup(NULL);
-}
-
-int
-do_pam_account(const char *user, const char *ruser)
-{
- /* XXX */
- return (1);
-}
-
-void
-do_pam_session(const char *user, const char *tty)
-{
- pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
- if (pam_err != PAM_SUCCESS)
- fatal("PAM: failed to set PAM_CONV: %s",
- pam_strerror(pam_handle, pam_err));
- debug("PAM: setting PAM_TTY to \"%s\"", tty);
- pam_err = pam_set_item(pam_handle, PAM_TTY, tty);
- if (pam_err != PAM_SUCCESS)
- fatal("PAM: failed to set PAM_TTY: %s",
- pam_strerror(pam_handle, pam_err));
- pam_err = pam_open_session(pam_handle, 0);
- if (pam_err != PAM_SUCCESS)
- fatal("PAM: pam_open_session(): %s",
- pam_strerror(pam_handle, pam_err));
- pam_session_open = 1;
-}
-
-void
-do_pam_setcred(int init)
-{
- pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&null_conv);
- if (pam_err != PAM_SUCCESS)
- fatal("PAM: failed to set PAM_CONV: %s",
- pam_strerror(pam_handle, pam_err));
- if (init) {
- debug("PAM: establishing credentials");
- pam_err = pam_setcred(pam_handle, PAM_ESTABLISH_CRED);
- } else {
- debug("PAM: reinitializing credentials");
- pam_err = pam_setcred(pam_handle, PAM_REINITIALIZE_CRED);
- }
- if (pam_err == PAM_SUCCESS) {
- pam_cred_established = 1;
- return;
- }
- if (pam_authenticated)
- fatal("PAM: pam_setcred(): %s",
- pam_strerror(pam_handle, pam_err));
- else
- debug("PAM: pam_setcred(): %s",
- pam_strerror(pam_handle, pam_err));
-}
-
-int
-is_pam_password_change_required(void)
-{
- return (pam_new_authtok_reqd);
-}
-
-static int
-pam_chauthtok_conv(int n,
- const struct pam_message **msg,
- struct pam_response **resp,
- void *data)
-{
- char input[PAM_MAX_MSG_SIZE];
- int i;
-
- if (n <= 0 || n > PAM_MAX_NUM_MSG)
- return (PAM_CONV_ERR);
- *resp = xmalloc(n * sizeof **resp);
- for (i = 0; i < n; ++i) {
- switch (msg[i]->msg_style) {
- case PAM_PROMPT_ECHO_OFF:
- (*resp)[i].resp =
- read_passphrase(msg[i]->msg, RP_ALLOW_STDIN);
- (*resp)[i].resp_retcode = PAM_SUCCESS;
- break;
- case PAM_PROMPT_ECHO_ON:
- fputs(msg[i]->msg, stderr);
- fgets(input, sizeof input, stdin);
- (*resp)[i].resp = xstrdup(input);
- (*resp)[i].resp_retcode = PAM_SUCCESS;
- break;
- case PAM_ERROR_MSG:
- case PAM_TEXT_INFO:
- fputs(msg[i]->msg, stderr);
- (*resp)[i].resp_retcode = PAM_SUCCESS;
- break;
- default:
- goto fail;
- }
- }
- return (PAM_SUCCESS);
- fail:
- xfree(*resp);
- *resp = NULL;
- return (PAM_CONV_ERR);
-}
-
-/*
- * XXX this should be done in the authentication phase, but ssh1 doesn't
- * support that
- */
-void
-do_pam_chauthtok(void)
-{
- struct pam_conv pam_conv = { pam_chauthtok_conv, NULL };
-
- if (use_privsep)
- fatal("PAM: chauthtok not supprted with privsep");
- pam_err = pam_set_item(pam_handle, PAM_CONV, (const void *)&pam_conv);
- if (pam_err != PAM_SUCCESS)
- fatal("PAM: failed to set PAM_CONV: %s",
- pam_strerror(pam_handle, pam_err));
- debug("PAM: changing password");
- pam_err = pam_chauthtok(pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
- if (pam_err != PAM_SUCCESS)
- fatal("PAM: pam_chauthtok(): %s",
- pam_strerror(pam_handle, pam_err));
-}
-
-void
-print_pam_messages(void)
-{
- /* XXX */
-}
-
-char **
-fetch_pam_environment(void)
-{
-#ifdef HAVE_PAM_GETENVLIST
- debug("PAM: retrieving environment");
- return (pam_getenvlist(pam_handle));
-#else
- return (NULL);
-#endif
-}
-
-void
-free_pam_environment(char **env)
-{
- char **envp;
-
- for (envp = env; *envp; envp++)
- xfree(*envp);
- xfree(env);
-}
-
-#endif /* USE_PAM */
diff --git a/security/openssh-portable/files/patch-Makefile.in b/security/openssh-portable/files/patch-Makefile.in
deleted file mode 100644
index d354787aeee4..000000000000
--- a/security/openssh-portable/files/patch-Makefile.in
+++ /dev/null
@@ -1,11 +0,0 @@
---- Makefile.in.orig Wed Jun 26 01:45:42 2002
-+++ Makefile.in Mon Jul 22 07:24:41 2002
-@@ -70,6 +70,8 @@
- MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
- MANTYPE = @MANTYPE@
-
-+SSHDOBJS+= auth2-pam-freebsd.o
-+
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
- CONFIGFILES_IN=sshd_config ssh_config moduli
-
diff --git a/security/openssh-portable/files/patch-auth-chall.c b/security/openssh-portable/files/patch-auth-chall.c
deleted file mode 100644
index 067fd559451b..000000000000
--- a/security/openssh-portable/files/patch-auth-chall.c
+++ /dev/null
@@ -1,36 +0,0 @@
---- auth-chall.c Tue Jun 5 20:56:17 2001
-+++ cvs-current/auth-chall.c Wed Sep 24 20:24:27 2003
-@@ -76,7 +77,33 @@
- return 0;
- resp[0] = (char *)response;
- res = device->respond(authctxt->kbdintctxt, 1, resp);
-+ if (res == 1) {
-+ /* postponed - send a null query just in case */
-+ char *name, *info, **prompts;
-+ u_int i, numprompts, *echo_on;
-+
-+ res = device->query(authctxt->kbdintctxt, &name, &info,
-+ &numprompts, &prompts, &echo_on);
-+ if (res == 0) {
-+ for (i = 0; i < numprompts; i++)
-+ xfree(prompts[i]);
-+ xfree(prompts);
-+ xfree(name);
-+ xfree(echo_on);
-+ xfree(info);
-+ }
-+ /* if we received more prompts, we're screwed */
-+ res = (res == 0 && numprompts == 0) ? 0 : -1;
-+ }
- device->free_ctx(authctxt->kbdintctxt);
- authctxt->kbdintctxt = NULL;
- return res ? 0 : 1;
-+}
-+void
-+abandon_challenge_response(Authctxt *authctxt)
-+{
-+ if (authctxt->kbdintctxt != NULL) {
-+ device->free_ctx(authctxt->kbdintctxt);
-+ authctxt->kbdintctxt = NULL;
-+ }
- }
diff --git a/security/openssh-portable/files/patch-auth-pam.c b/security/openssh-portable/files/patch-auth-pam.c
deleted file mode 100644
index 70f9e9053e15..000000000000
--- a/security/openssh-portable/files/patch-auth-pam.c
+++ /dev/null
@@ -1,91 +0,0 @@
---- auth-pam.c.orig Tue Apr 29 11:12:08 2003
-+++ auth-pam.c Thu Sep 25 22:42:45 2003
-@@ -228,7 +228,7 @@
- }
-
- /* Do account management using PAM */
--int do_pam_account(char *username, char *remote_user)
-+int old_do_pam_account(const char *username, const char *remote_user)
- {
- int pam_retval;
-
-@@ -271,7 +271,7 @@
- }
-
- /* Do PAM-specific session initialisation */
--void do_pam_session(char *username, const char *ttyname)
-+void old_do_pam_session(const char *username, const char *ttyname)
- {
- int pam_retval;
-
-@@ -294,7 +294,7 @@
- }
-
- /* Set PAM credentials */
--void do_pam_setcred(int init)
-+void old_do_pam_setcred(int init)
- {
- int pam_retval;
-
-@@ -318,7 +318,7 @@
- }
-
- /* accessor function for file scope static variable */
--int is_pam_password_change_required(void)
-+int old_is_pam_password_change_required(void)
- {
- return password_change_required;
- }
-@@ -329,7 +329,7 @@
- * session is established and the user's pty is connected to
- * stdin/stdout/stderr.
- */
--void do_pam_chauthtok(void)
-+void old_do_pam_chauthtok(void)
- {
- int pam_retval;
-
-@@ -357,14 +357,14 @@
- }
-
- /* Cleanly shutdown PAM */
--void finish_pam(void)
-+void old_finish_pam(void)
- {
- do_pam_cleanup_proc(NULL);
- fatal_remove_cleanup(&do_pam_cleanup_proc, NULL);
- }
-
- /* Start PAM authentication for specified account */
--void start_pam(const char *user)
-+void old_start_pam(const char *user)
- {
- int pam_retval;
- extern ServerOptions options;
-@@ -404,7 +404,7 @@
- }
-
- /* Return list of PAM environment strings */
--char **fetch_pam_environment(void)
-+char **old_fetch_pam_environment(void)
- {
- #ifdef HAVE_PAM_GETENVLIST
- return(pam_getenvlist(__pamh));
-@@ -413,7 +413,7 @@
- #endif /* HAVE_PAM_GETENVLIST */
- }
-
--void free_pam_environment(char **env)
-+void old_free_pam_environment(char **env)
- {
- int i;
-
-@@ -425,7 +425,7 @@
-
- /* Print any messages that have been generated during authentication */
- /* or account checking to stderr */
--void print_pam_messages(void)
-+void old_print_pam_messages(void)
- {
- if (__pam_msg != NULL)
- fputs(__pam_msg, stderr);
diff --git a/security/openssh-portable/files/patch-auth-pam.h b/security/openssh-portable/files/patch-auth-pam.h
deleted file mode 100644
index efa2803ed0c1..000000000000
--- a/security/openssh-portable/files/patch-auth-pam.h
+++ /dev/null
@@ -1,13 +0,0 @@
---- auth-pam.h Tue Jul 23 02:44:07 2002
-+++ cvs-current/auth-pam.h Sat Dec 14 14:52:39 2002
-@@ -37,8 +38,8 @@
- char **fetch_pam_environment(void);
- void free_pam_environment(char **env);
- int do_pam_authenticate(int flags);
--int do_pam_account(char *username, char *remote_user);
--void do_pam_session(char *username, const char *ttyname);
-+int do_pam_account(const char *username, const char *remote_user);
-+void do_pam_session(const char *username, const char *ttyname);
- void do_pam_setcred(int init);
- void print_pam_messages(void);
- int is_pam_password_change_required(void);
diff --git a/security/openssh-portable/files/patch-auth.c b/security/openssh-portable/files/patch-auth.c
index e8f640a16936..76103d45cad0 100644
--- a/security/openssh-portable/files/patch-auth.c
+++ b/security/openssh-portable/files/patch-auth.c
@@ -1,6 +1,6 @@
---- auth.c.orig Tue Mar 5 02:42:43 2002
-+++ auth.c Sun Mar 17 20:53:15 2002
-@@ -193,6 +193,17 @@
+--- auth.c.orig Tue Sep 2 23:32:46 2003
++++ auth.c Tue Sep 16 20:05:44 2003
+@@ -259,6 +259,17 @@
}
#endif /* WITH_AIXAUTHENTICATE */
@@ -18,8 +18,8 @@
/* We found no reason not to let this user try to log on... */
return 1;
}
-@@ -490,7 +480,7 @@
- if (pw == NULL || !allowed_user(pw))
+@@ -531,7 +542,7 @@
+ if (!allowed_user(pw))
return (NULL);
#ifdef HAVE_LOGIN_CAP
- if ((lc = login_getclass(pw->pw_class)) == NULL) {
diff --git a/security/openssh-portable/files/patch-auth1.c b/security/openssh-portable/files/patch-auth1.c
index e8ecdbef3917..95d8d1a627b5 100644
--- a/security/openssh-portable/files/patch-auth1.c
+++ b/security/openssh-portable/files/patch-auth1.c
@@ -1,5 +1,5 @@
---- auth1.c.orig Fri Jun 21 08:21:11 2002
-+++ auth1.c Fri Jun 28 06:57:42 2002
+--- auth1.c.orig Tue Sep 2 23:32:46 2003
++++ auth1.c Tue Sep 16 20:05:44 2003
@@ -26,6 +26,7 @@
#include "session.h"
#include "uidswap.h"
@@ -8,9 +8,9 @@
/* import */
extern ServerOptions options;
-@@ -75,6 +76,18 @@
+@@ -71,6 +72,18 @@
u_int ulen;
- int type = 0;
+ int prev, type = 0;
struct passwd *pw = authctxt->pw;
+#ifdef HAVE_LOGIN_CAP
+ login_cap_t *lc;
@@ -21,14 +21,14 @@
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
-+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
++ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
debug("Attempting authentication for %s%.100s.",
authctxt->valid ? "" : "illegal user ", authctxt->user);
-@@ -282,6 +295,34 @@
- log("Unknown message during authentication: type %d", type);
+@@ -214,6 +227,34 @@
+ logit("Unknown message during authentication: type %d", type);
break;
}
+
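Review bot: The host string that the later `auth_hostok(lc, from_host, from_ip)` and `login_access(pw->pw_name, from_host)` checks match against now depends on the UseDNS setting, and nothing in the patch documents that: the assignment becomes `from_host = get_canonical_hostname(options.use_dns);`. As far as I know, with `use_dns` off this call returns the peer's numeric address instead of a resolved name, so host-name patterns in login.conf or login.access would presumably stop matching; with it on, the decision rests on DNS data the peer's domain controls. I would add a comment above the assignment, for example `/* from_host is the numeric address when UseDNS is off; host-name access rules then only see the IP */`, and mention the dependency in the port's install notes. The same substitution appears in the patch-auth2.c hunk at `@@ -18,13 +18,13 @@`, and the enclosing function starts and ends outside both hunks.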
@@ -38,12 +38,12 @@
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ log("Denied connection for %.200s from %.200s [%.200s].",
++ logit("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
-+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
@@ -53,7 +53,7 @@
+#endif /* HAVE_LOGIN_CAP */
+#ifdef LOGIN_ACCESS
+ if (pw != NULL && !login_access(pw->pw_name, from_host)) {
-+ log("Denied connection for %.200s from %.200s [%.200s].",
++ logit("Denied connection for %.200s from %.200s [%.200s].",
+ pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
diff --git a/security/openssh-portable/files/patch-auth2-chall.c b/security/openssh-portable/files/patch-auth2-chall.c
deleted file mode 100644
index 77b5778ac6af..000000000000
--- a/security/openssh-portable/files/patch-auth2-chall.c
+++ /dev/null
@@ -1,48 +0,0 @@
---- auth2-chall.c.orig Wed Jun 26 15:58:40 2002
-+++ auth2-chall.c Sun Jun 30 07:12:43 2002
-@@ -41,6 +42,9 @@
- #ifdef BSD_AUTH
- extern KbdintDevice bsdauth_device;
- #else
-+#ifdef USE_PAM
-+extern KbdintDevice pam_device;
-+#endif
- #ifdef SKEY
- extern KbdintDevice skey_device;
- #endif
-@@ -50,6 +54,9 @@
- #ifdef BSD_AUTH
- &bsdauth_device,
- #else
-+#ifdef USE_PAM
-+ &pam_device,
-+#endif
- #ifdef SKEY
- &skey_device,
- #endif
-@@ -323,15 +330,22 @@
- #ifdef BSD_AUTH
- extern KbdintDevice mm_bsdauth_device;
- #endif
-+#ifdef USE_PAM
-+ extern KbdintDevice mm_pam_device;
-+#endif
- #ifdef SKEY
- extern KbdintDevice mm_skey_device;
- #endif
-- /* As long as SSHv1 has devices[0] hard coded this is fine */
-+ int n = 0;
-+
- #ifdef BSD_AUTH
-- devices[0] = &mm_bsdauth_device;
-+ devices[n++] = &mm_bsdauth_device;
- #else
-+#ifdef USE_PAM
-+ devices[n++] = &mm_pam_device;
-+#endif
- #ifdef SKEY
-- devices[0] = &mm_skey_device;
-+ devices[n++] = &mm_skey_device;
- #endif
- #endif
- }
diff --git a/security/openssh-portable/files/patch-auth2.c b/security/openssh-portable/files/patch-auth2.c
index 8d999bf1bbd9..6012ce39d7b8 100644
--- a/security/openssh-portable/files/patch-auth2.c
+++ b/security/openssh-portable/files/patch-auth2.c
@@ -1,14 +1,14 @@
---- auth2.c.orig Fri Jun 21 08:21:11 2002
-+++ auth2.c Fri Jun 28 06:57:56 2002
+--- auth2.c.orig Tue Sep 2 23:32:46 2003
++++ auth2.c Tue Sep 16 20:05:44 2003
@@ -35,6 +35,7 @@
#include "dispatch.h"
#include "pathnames.h"
#include "monitor_wrap.h"
+#include "canohost.h"
- /* import */
- extern ServerOptions options;
-@@ -137,6 +138,15 @@
+ #ifdef GSSAPI
+ #include "ssh-gss.h"
+@@ -143,6 +144,15 @@
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
int authenticated = 0;
@@ -18,13 +18,13 @@
+#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS)
+ const char *from_host, *from_ip;
+
-+ from_host = get_canonical_hostname(options.verify_reverse_mapping);
++ from_host = get_canonical_hostname(options.use_dns);
+ from_ip = get_remote_ipaddr();
+#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */
if (authctxt == NULL)
fatal("input_userauth_request: no authctxt");
-@@ -178,6 +188,41 @@
+@@ -187,6 +197,41 @@
"(%s,%s) -> (%s,%s)",
authctxt->user, authctxt->service, user, service);
}
@@ -35,12 +35,12 @@
+ if (lc == NULL)
+ lc = login_getclassbyname(NULL, authctxt->pw);
+ if (!auth_hostok(lc, from_host, from_ip)) {
-+ log("Denied connection for %.200s from %.200s [%.200s].",
++ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
+ if (!auth_timeok(lc, time(NULL))) {
-+ log("LOGIN %.200s REFUSED (TIME) FROM %.200s",
++ logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+ authctxt->pw->pw_name, from_host);
+ packet_disconnect("Logins not available right now.");
+ }
@@ -51,7 +51,7 @@
+#ifdef LOGIN_ACCESS
+ if (authctxt->pw != NULL &&
+ !login_access(authctxt->pw->pw_name, from_host)) {
-+ log("Denied connection for %.200s from %.200s [%.200s].",
++ logit("Denied connection for %.200s from %.200s [%.200s].",
+ authctxt->pw->pw_name, from_host, from_ip);
+ packet_disconnect("Sorry, you are not allowed to connect.");
+ }
@@ -65,4 +65,4 @@
+
/* reset state */
auth2_challenge_stop(authctxt);
- authctxt->postponed = 0;
+
diff --git a/security/openssh-portable/files/patch-buffer.c b/security/openssh-portable/files/patch-buffer.c
deleted file mode 100644
index 3bb0201df46a..000000000000
--- a/security/openssh-portable/files/patch-buffer.c
+++ /dev/null
@@ -1,111 +0,0 @@
-Subject: OpenSSH Security Advisory: buffer.adv
-
-This is the 2nd revision of the Advisory.
-
-This document can be found at: http://www.openssh.com/txt/buffer.adv
-
-1. Versions affected:
-
- All versions of OpenSSH's sshd prior to 3.7.1 contain buffer
- management errors. It is uncertain whether these errors are
- potentially exploitable, however, we prefer to see bugs
- fixed proactively.
-
- Other implementations sharing common origin may also have
- these issues.
-
-2. Solution:
-
- Upgrade to OpenSSH 3.7.1 or apply the following patch.
-
-===================================================================
-Appendix A: patch for OpenSSH 3.6.1 and earlier
-
-Index: buffer.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
-retrieving revision 1.16
-retrieving revision 1.18
-diff -u -r1.16 -r1.18
---- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
-+++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18
-@@ -23,8 +23,11 @@
- void
- buffer_init(Buffer *buffer)
- {
-- buffer->alloc = 4096;
-- buffer->buf = xmalloc(buffer->alloc);
-+ const u_int len = 4096;
-+
-+ buffer->alloc = 0;
-+ buffer->buf = xmalloc(len);
-+ buffer->alloc = len;
- buffer->offset = 0;
- buffer->end = 0;
- }
-@@ -34,8 +37,11 @@
- void
- buffer_free(Buffer *buffer)
- {
-- memset(buffer->buf, 0, buffer->alloc);
-- xfree(buffer->buf);
-+ if (buffer->alloc > 0) {
-+ memset(buffer->buf, 0, buffer->alloc);
-+ buffer->alloc = 0;
-+ xfree(buffer->buf);
-+ }
- }
-
- /*
-@@ -69,6 +75,7 @@
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- if (len > 0x100000)
-@@ -98,11 +105,13 @@
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-- buffer->alloc += len + 32768;
-- if (buffer->alloc > 0xa00000)
-+
-+ newlen = buffer->alloc + len + 32768;
-+ if (newlen > 0xa00000)
- fatal("buffer_append_space: alloc %u not supported",
-- buffer->alloc);
-- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
-+ newlen);
-+ buffer->buf = xrealloc(buffer->buf, newlen);
-+ buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
-Index: channels.c
-===================================================================
-RCS file: /cvs/src/usr.bin/ssh/channels.c,v
-retrieving revision 1.194
-retrieving revision 1.195
-diff -u -r1.194 -r1.195
---- channels.c 29 Aug 2003 10:04:36 -0000 1.194
-+++ channels.c 16 Sep 2003 21:02:40 -0000 1.195
-@@ -228,12 +228,13 @@
- if (found == -1) {
- /* There are no free slots. Take last+1 slot and expand the array. */
- found = channels_alloc;
-- channels_alloc += 10;
- if (channels_alloc > 10000)
- fatal("channel_new: internal error: channels_alloc %d "
- "too big.", channels_alloc);
-+ channels = xrealloc(channels,
-+ (channels_alloc + 10) * sizeof(Channel *));
-+ channels_alloc += 10;
- debug2("channel: expanding %d", channels_alloc);
-- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
- for (i = found; i < channels_alloc; i++)
- channels[i] = NULL;
- }
-
-
diff --git a/security/openssh-portable/files/patch-deattack.c b/security/openssh-portable/files/patch-deattack.c
deleted file mode 100644
index 987f1d2f959b..000000000000
--- a/security/openssh-portable/files/patch-deattack.c
+++ /dev/null
@@ -1,17 +0,0 @@
---- deattack.c Tue Mar 5 01:53:05 2002
-+++ deattack.c Wed Sep 17 00:18:30 2003
-@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len
-
- if (h == NULL) {
- debug("Installing crc compensation attack detector.");
-+ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
- n = l;
-- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
- } else {
- if (l > n) {
-+ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
- n = l;
-- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
- }
- }
-
diff --git a/security/openssh-portable/files/patch-misc.c b/security/openssh-portable/files/patch-misc.c
deleted file mode 100644
index b40e6d62ba4c..000000000000
--- a/security/openssh-portable/files/patch-misc.c
+++ /dev/null
@@ -1,28 +0,0 @@
---- misc.c Mon Dec 23 02:44:36 2002
-+++ misc.c Wed Sep 17 00:50:27 2003
-@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
- {
- va_list ap;
- char buf[1024];
-+ int nalloc;
-
- va_start(ap, fmt);
- vsnprintf(buf, sizeof(buf), fmt, ap);
- va_end(ap);
-
-+ nalloc = args->nalloc;
- if (args->list == NULL) {
-- args->nalloc = 32;
-+ nalloc = 32;
- args->num = 0;
-- } else if (args->num+2 >= args->nalloc)
-- args->nalloc *= 2;
-+ } else if (args->num+2 >= nalloc)
-+ nalloc *= 2;
-
-- args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
-+ args->list = xrealloc(args->list, nalloc * sizeof(char *));
-+ args->nalloc = nalloc;
- args->list[args->num++] = xstrdup(buf);
- args->list[args->num] = NULL;
- }
diff --git a/security/openssh-portable/files/patch-monitor.c b/security/openssh-portable/files/patch-monitor.c
deleted file mode 100644
index cca169c55f02..000000000000
--- a/security/openssh-portable/files/patch-monitor.c
+++ /dev/null
@@ -1,137 +0,0 @@
---- monitor.c.orig Wed Jun 26 15:27:11 2002
-+++ monitor.c Mon Jul 15 21:33:45 2002
-@@ -118,6 +118,10 @@
-
- #ifdef USE_PAM
- int mm_answer_pam_start(int, Buffer *);
-+int mm_answer_pam_init_ctx(int, Buffer *);
-+int mm_answer_pam_query(int, Buffer *);
-+int mm_answer_pam_respond(int, Buffer *);
-+int mm_answer_pam_free_ctx(int, Buffer *);
- #endif
-
- static Authctxt *authctxt;
-@@ -156,6 +160,10 @@
- {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
- #ifdef USE_PAM
- {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
-+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
- #endif
- #ifdef BSD_AUTH
- {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
-@@ -198,6 +206,10 @@
- #endif
- #ifdef USE_PAM
- {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
-+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
-+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
-+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
- #endif
- {0, 0, NULL}
- };
-@@ -732,6 +744,101 @@
- xfree(user);
-
- return (0);
-+}
-+
-+static void *pam_ctxt, *pam_authok;
-+extern KbdintDevice pam_device;
-+
-+int
-+mm_answer_pam_init_ctx(int socket, Buffer *m)
-+{
-+
-+ debug3("%s", __func__);
-+ authctxt->user = buffer_get_string(m, NULL);
-+ pam_ctxt = (pam_device.init_ctx)(authctxt);
-+ pam_authok = NULL;
-+ buffer_clear(m);
-+ if (pam_ctxt != NULL) {
-+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
-+ buffer_put_int(m, 1);
-+ } else {
-+ buffer_put_int(m, 0);
-+ }
-+ mm_request_send(socket, MONITOR_ANS_PAM_INIT_CTX, m);
-+ return (0);
-+}
-+
-+int
-+mm_answer_pam_query(int socket, Buffer *m)
-+{
-+ char *name, *info, **prompts;
-+ u_int num, *echo_on;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ pam_authok = NULL;
-+ ret = (pam_device.query)(pam_ctxt, &name, &info, &num, &prompts, &echo_on);
-+ if (num > 1 || name == NULL || info == NULL)
-+ ret = -1;
-+ buffer_clear(m);
-+ buffer_put_int(m, ret);
-+ buffer_put_cstring(m, name);
-+ xfree(name);
-+ buffer_put_cstring(m, info);
-+ xfree(info);
-+ buffer_put_int(m, num);
-+ for (i = 0; i < num; ++i) {
-+ buffer_put_cstring(m, prompts[i]);
-+ xfree(prompts[i]);
-+ buffer_put_int(m, echo_on[i]);
-+ }
-+ if (prompts != NULL)
-+ xfree(prompts);
-+ if (echo_on != NULL)
-+ xfree(echo_on);
-+ mm_request_send(socket, MONITOR_ANS_PAM_QUERY, m);
-+ return (0);
-+}
-+
-+int
-+mm_answer_pam_respond(int socket, Buffer *m)
-+{
-+ char **resp;
-+ u_int num;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ pam_authok = NULL;
-+ num = buffer_get_int(m);
-+ if (num > 0) {
-+ resp = xmalloc(num * sizeof(char *));
-+ for (i = 0; i < num; ++i)
-+ resp[i] = buffer_get_string(m, NULL);
-+ ret = (pam_device.respond)(pam_ctxt, num, resp);
-+ for (i = 0; i < num; ++i)
-+ xfree(resp[i]);
-+ xfree(resp);
-+ } else {
-+ ret = (pam_device.respond)(pam_ctxt, num, NULL);
-+ }
-+ buffer_clear(m);
-+ buffer_put_int(m, ret);
-+ mm_request_send(socket, MONITOR_ANS_PAM_RESPOND, m);
-+ auth_method = "keyboard-interactive/pam";
-+ if (ret == 0)
-+ pam_authok = pam_ctxt;
-+ return (0);
-+}
-+
-+int
-+mm_answer_pam_free_ctx(int socket, Buffer *m)
-+{
-+
-+ debug3("%s", __func__);
-+ (pam_device.free_ctx)(pam_ctxt);
-+ buffer_clear(m);
-+ mm_request_send(socket, MONITOR_ANS_PAM_FREE_CTX, m);
-+ return (pam_authok == pam_ctxt);
- }
- #endif
-
diff --git a/security/openssh-portable/files/patch-monitor.h b/security/openssh-portable/files/patch-monitor.h
deleted file mode 100644
index 2c42831b40ab..000000000000
--- a/security/openssh-portable/files/patch-monitor.h
+++ /dev/null
@@ -1,13 +0,0 @@
---- monitor.h.orig Tue Jun 11 18:42:49 2002
-+++ monitor.h Sun Jun 30 07:13:09 2002
-@@ -50,6 +51,10 @@
- MONITOR_REQ_RSACHALLENGE, MONITOR_ANS_RSACHALLENGE,
- MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE,
- MONITOR_REQ_PAM_START,
-+ MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
-+ MONITOR_REQ_PAM_QUERY, MONITOR_ANS_PAM_QUERY,
-+ MONITOR_REQ_PAM_RESPOND, MONITOR_ANS_PAM_RESPOND,
-+ MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
- MONITOR_REQ_TERM
- };
-
diff --git a/security/openssh-portable/files/patch-monitor_wrap.c b/security/openssh-portable/files/patch-monitor_wrap.c
index 99ad633a6028..7e89d3a40883 100644
--- a/security/openssh-portable/files/patch-monitor_wrap.c
+++ b/security/openssh-portable/files/patch-monitor_wrap.c
@@ -1,95 +1,6 @@
---- monitor_wrap.c.orig Fri Jun 21 02:43:43 2002
-+++ monitor_wrap.c Sun Jun 30 07:13:18 2002
-@@ -664,6 +665,88 @@
-
- buffer_free(&m);
- }
-+
-+void *
-+mm_pam_init_ctx(Authctxt *authctxt)
-+{
-+ Buffer m;
-+ int success;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ buffer_put_cstring(&m, authctxt->user);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_INIT_CTX", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_INIT_CTX, &m);
-+ success = buffer_get_int(&m);
-+ if (success == 0) {
-+ debug3("%s: pam_init_ctx failed", __func__);
-+ buffer_free(&m);
-+ return (NULL);
-+ }
-+ buffer_free(&m);
-+ return (authctxt);
-+}
-+
-+int
-+mm_pam_query(void *ctx, char **name, char **info,
-+ u_int *num, char ***prompts, u_int **echo_on)
-+{
-+ Buffer m;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_QUERY, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_QUERY", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_QUERY, &m);
-+ ret = buffer_get_int(&m);
-+ debug3("%s: pam_query returned %d", __func__, ret);
-+ *name = buffer_get_string(&m, NULL);
-+ *info = buffer_get_string(&m, NULL);
-+ *num = buffer_get_int(&m);
-+ *prompts = xmalloc((*num + 1) * sizeof(char *));
-+ *echo_on = xmalloc((*num + 1) * sizeof(u_int));
-+ for (i = 0; i < *num; ++i) {
-+ (*prompts)[i] = buffer_get_string(&m, NULL);
-+ (*echo_on)[i] = buffer_get_int(&m);
-+ }
-+ buffer_free(&m);
-+ return (ret);
-+}
-+
-+int
-+mm_pam_respond(void *ctx, u_int num, char **resp)
-+{
-+ Buffer m;
-+ int i, ret;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ buffer_put_int(&m, num);
-+ for (i = 0; i < num; ++i)
-+ buffer_put_cstring(&m, resp[i]);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_RESPOND, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_RESPOND", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_RESPOND, &m);
-+ ret = buffer_get_int(&m);
-+ debug3("%s: pam_respond returned %d", __func__, ret);
-+ buffer_free(&m);
-+ return (ret);
-+}
-+
-+void
-+mm_pam_free_ctx(void *ctxtp)
-+{
-+ Buffer m;
-+
-+ debug3("%s", __func__);
-+ buffer_init(&m);
-+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_FREE_CTX, &m);
-+ debug3("%s: waiting for MONITOR_ANS_PAM_FREE_CTX", __func__);
-+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAM_FREE_CTX, &m);
-+ buffer_free(&m);
-+}
- #endif /* USE_PAM */
-
- /* Request process termination */
-@@ -767,6 +850,7 @@
+--- monitor_wrap.c.orig Tue Sep 2 14:51:17 2003
++++ monitor_wrap.c Tue Sep 16 20:05:44 2003
+@@ -894,6 +894,7 @@
return ((authok == 0) ? -1 : 0);
}
@@ -97,7 +8,7 @@
int
mm_skey_query(void *ctx, char **name, char **infotxt,
u_int *numprompts, char ***prompts, u_int **echo_on)
-@@ -829,6 +913,7 @@
+@@ -957,6 +958,7 @@
return ((authok == 0) ? -1 : 0);
}
diff --git a/security/openssh-portable/files/patch-monitor_wrap.h b/security/openssh-portable/files/patch-monitor_wrap.h
deleted file mode 100644
index e4495c7ba12e..000000000000
--- a/security/openssh-portable/files/patch-monitor_wrap.h
+++ /dev/null
@@ -1,13 +0,0 @@
---- monitor_wrap.h.orig Mon May 13 03:07:42 2002
-+++ monitor_wrap.h Sun Jun 30 07:13:18 2002
-@@ -57,6 +58,10 @@
-
- #ifdef USE_PAM
- void mm_start_pam(char *);
-+void *mm_pam_init_ctx(struct Authctxt *);
-+int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **);
-+int mm_pam_respond(void *, u_int, char **);
-+void mm_pam_free_ctx(void *);
- #endif
-
- void mm_terminate(void);
diff --git a/security/openssh-portable/files/patch-regress-Makefile b/security/openssh-portable/files/patch-regress-Makefile
deleted file mode 100644
index 1c22e2d7446e..000000000000
--- a/security/openssh-portable/files/patch-regress-Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
---- regress/Makefile.orig Wed Jan 22 07:53:17 2003
-+++ regress/Makefile Tue Apr 1 05:28:43 2003
-@@ -1,6 +1,6 @@
- # $OpenBSD: Makefile,v 1.20 2003/01/08 23:54:22 djm Exp $
-
--REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7
-+REGRESSTARGETS= t1 t2 t3 t4 t5 t6 t7
-
- CLEANFILES+= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2
-
-@@ -71,7 +71,7 @@
- ssh-keygen -Bf t7.out > /dev/null
-
- .for t in ${LTESTS}
--REGRESS_TARGETS+=t-${t}
-+REGRESSTARGETS+=t-${t}
- t-${t}:
- sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh
- .endfor
diff --git a/security/openssh-portable/files/patch-regress-test-exec.sh b/security/openssh-portable/files/patch-regress-test-exec.sh
index 4632f3bb78c7..4abc87c3d4da 100644
--- a/security/openssh-portable/files/patch-regress-test-exec.sh
+++ b/security/openssh-portable/files/patch-regress-test-exec.sh
@@ -1,9 +1,9 @@
---- regress/test-exec.sh.orig Wed May 1 05:17:35 2002
-+++ regress/test-exec.sh Tue Apr 1 06:03:11 2003
-@@ -130,6 +130,8 @@
- PidFile $PIDFILE
+--- regress/test-exec.sh.orig Fri Sep 12 07:32:17 2003
++++ regress/test-exec.sh Tue Sep 16 19:56:13 2003
+@@ -163,6 +163,8 @@
AuthorizedKeysFile $OBJ/authorized_keys_%u
LogLevel QUIET
+ StrictModes no
+ PermitRootLogin yes
+ UsePrivilegeSeparation no
EOF
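Review bot: The refreshed hunk keeps `UsePrivilegeSeparation no` and `PermitRootLogin yes` in what appears to be the here-document that writes the test sshd_config, so a passing regress run exercises only the non-privsep path. This commit also drops the port's monitor PAM patches (patch-monitor.c, patch-monitor_wrap.h), and the test run would not notice a regression in the privilege-separated monitor code. The reason for these settings is not visible here; presumably the tests run as root in the build environment. I would record it in the generated config with a comment line such as `# port-local: regress runs as root without privsep; privsep paths are not covered`, bumping the inner hunk's line count to match.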
diff --git a/security/openssh-portable/files/patch-session.c b/security/openssh-portable/files/patch-session.c
index c8baec2e3163..1f038e37cebe 100644
--- a/security/openssh-portable/files/patch-session.c
+++ b/security/openssh-portable/files/patch-session.c
@@ -1,7 +1,7 @@
---- session.c.orig Thu Mar 20 19:18:09 2003
-+++ session.c Wed Sep 17 11:05:26 2003
-@@ -64,6 +64,11 @@
- #define is_winnt (GetVersion() < 0x80000000)
+--- session.c.orig Tue Sep 23 10:59:08 2003
++++ session.c Tue Sep 23 17:29:31 2003
+@@ -62,6 +62,11 @@
+ #include "ssh-gss.h"
#endif
+#ifdef __FreeBSD__
@@ -12,7 +12,7 @@
/* func */
Session *session_new(void);
-@@ -471,6 +476,13 @@
+@@ -411,6 +416,13 @@
log_init(__progname, options.log_level, options.log_facility, log_stderr);
/*
@@ -26,7 +26,7 @@
* Create a new session and process group since the 4.4BSD
* setlogin() affects the entire process group.
*/
-@@ -576,6 +588,9 @@
+@@ -516,6 +528,9 @@
{
int fdout, ptyfd, ttyfd, ptymaster;
pid_t pid;
@@ -36,25 +36,7 @@
if (s == NULL)
fatal("do_exec_pty: no session");
-@@ -583,7 +598,16 @@
- ttyfd = s->ttyfd;
-
- #if defined(USE_PAM)
-- do_pam_session(s->pw->pw_name, s->tty);
-+ /* check if we have a pathname in the ttyname */
-+ shorttty = rindex( s->tty, '/' );
-+ if (shorttty != NULL ) {
-+ /* use only the short filename to check */
-+ shorttty ++;
-+ } else {
-+ /* nothing found, use the whole name found */
-+ shorttty = s->tty;
-+ }
-+ do_pam_session(s->pw->pw_name, shorttty);
- do_pam_setcred(1);
- #endif
-
-@@ -593,6 +617,14 @@
+@@ -535,6 +550,14 @@
/* Child. Reinitialize the log because the pid has changed. */
log_init(__progname, options.log_level, options.log_facility, log_stderr);
@@ -69,7 +51,7 @@
/* Close the master side of the pseudo tty. */
close(ptyfd);
-@@ -726,6 +758,18 @@
+@@ -676,6 +699,18 @@
struct sockaddr_storage from;
struct passwd * pw = s->pw;
pid_t pid = getpid();
@@ -88,7 +70,7 @@
/*
* Get IP address of client. If the connection is not a socket, let
-@@ -759,6 +803,72 @@
+@@ -710,6 +745,72 @@
}
#endif
@@ -107,7 +89,7 @@
+ if (tv.tv_sec >= pw->pw_change) {
+ (void)printf(
+ "Sorry -- your password has expired.\n");
-+ log("%s Password expired - forcing change",
++ logit("%s Password expired - forcing change",
+ pw->pw_name);
+ if (newcommand != NULL)
+ xfree(newcommand);
@@ -124,10 +106,10 @@
+ if (tv.tv_sec >= pw->pw_expire) {
+ (void)printf(
+ "Sorry -- your account has expired.\n");
-+ log(
++ logit(
+ "LOGIN %.200s REFUSED (EXPIRED) FROM %.200s ON TTY %.200s",
+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.verify_reverse_mapping), s->tty);
++ options.use_dns), s->tty);
+ exit(254);
+ } else if (pw->pw_expire - tv.tv_sec < warntime &&
+ !check_quietlogin(s, command))
@@ -150,10 +132,10 @@
+ }
+ if (!auth_ttyok(lc, shorttty)) {
+ (void)printf("Permission denied.\n");
-+ log(
++ logit(
+ "LOGIN %.200s REFUSED (TTY) FROM %.200s ON TTY %.200s",
+ pw->pw_name, get_remote_name_or_ip(utmp_len,
-+ options.verify_reverse_mapping), s->tty);
++ options.use_dns), s->tty);
+ exit(254);
+ }
+#endif /* HAVE_LOGIN_CAP */
@@ -161,8 +143,8 @@
if (check_quietlogin(s, command))
return;
-@@ -772,7 +882,17 @@
- #endif /* WITH_AIXAUTHENTICATE */
+@@ -726,7 +827,17 @@
+ buffer_free(&loginmsg);
#ifndef NO_SSH_LASTLOG
- if (options.print_lastlog && s->last_login_time != 0) {
@@ -180,7 +162,7 @@
time_string = ctime(&s->last_login_time);
if (strchr(time_string, '\n'))
*strchr(time_string, '\n') = 0;
-@@ -784,7 +904,30 @@
+@@ -738,7 +849,30 @@
}
#endif /* NO_SSH_LASTLOG */
@@ -212,7 +194,7 @@
}
/*
-@@ -800,9 +943,9 @@
+@@ -754,9 +888,9 @@
#ifdef HAVE_LOGIN_CAP
f = fopen(login_getcapstr(lc, "welcome", "/etc/motd",
"/etc/motd"), "r");
@@ -224,7 +206,7 @@
if (f) {
while (fgets(buf, sizeof(buf), f))
fputs(buf, stdout);
-@@ -829,10 +972,10 @@
+@@ -783,10 +917,10 @@
#ifdef HAVE_LOGIN_CAP
if (login_getcapbool(lc, "hushlogin", 0) || stat(buf, &st) >= 0)
return 1;
@@ -237,38 +219,10 @@
return 0;
}
-@@ -844,7 +987,7 @@
- child_set_env(char ***envp, u_int *envsizep, const char *name,
- const char *value)
- {
-- u_int i, namelen;
-+ u_int i, namelen, envsize;
- char **env;
-
- /*
-@@ -862,12 +1005,14 @@
- xfree(env[i]);
- } else {
- /* New variable. Expand if necessary. */
-- if (i >= (*envsizep) - 1) {
-- if (*envsizep >= 1000)
-+ envsize = *envsizep;
-+ if (i >= envsize - 1) {
-+ if (envsize >= 1000)
- fatal("child_set_env: too many env vars,"
- " skipping: %.100s", name);
-- (*envsizep) += 50;
-- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
-+ envsize += 50;
-+ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
-+ *envsizep = envsize;
- }
- /* Need to set the NULL pointer at end of array beyond the new slot. */
- env[i + 1] = NULL;
-@@ -952,6 +1097,10 @@
+@@ -973,6 +1107,10 @@
char buf[256];
u_int i, envsize;
- char **env, *laddr;
+ char **env, *laddr, *path = NULL;
+#ifdef HAVE_LOGIN_CAP
+ extern char **environ;
+ char **senv, **var;
@@ -276,7 +230,7 @@
struct passwd *pw = s->pw;
/* Initialize the environment. */
-@@ -959,6 +1108,9 @@
+@@ -980,6 +1118,9 @@
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
@@ -286,7 +240,7 @@
#ifdef HAVE_CYGWIN
/*
* The Windows environment contains some setting which are
-@@ -1003,9 +1155,21 @@
+@@ -1034,9 +1175,21 @@
/* Normal systems set SHELL by default. */
child_set_env(&env, &envsize, "SHELL", shell);
@@ -310,7 +264,7 @@
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
-@@ -1219,7 +1383,7 @@
+@@ -1245,7 +1398,7 @@
setpgid(0, 0);
# endif
if (setusercontext(lc, pw, pw->pw_uid,
@@ -319,7 +273,25 @@
perror("unable to set user context");
exit(1);
}
-@@ -1382,7 +1546,7 @@
+@@ -1275,7 +1428,16 @@
+ * Reestablish them here.
+ */
+ if (options.use_pam) {
+- do_pam_session();
++ /* check if we have a pathname in the ttyname */
++ shorttty = rindex( s->tty, '/' );
++ if (shorttty != NULL ) {
++ /* use only the short filename to check */
++ shorttty ++;
++ } else {
++ /* nothing found, use the whole name found */
++ shorttty = s->tty;
++ }
++ do_pam_session(s->pw->pw_name, shorttty);
+ do_pam_setcred(0);
+ }
+ # endif /* USE_PAM */
+@@ -1411,7 +1573,7 @@
* initgroups, because at least on Solaris 2.3 it leaves file
* descriptors open.
*/
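Review bot: The relocated PAM block (inner hunk at session.c 1275) reads `s->tty`, assigns `shorttty`, and replaces the upstream `do_pam_session();` with a two-argument call, but nothing in this hunk declares `s` or `shorttty` or shows a matching prototype. The enclosing function begins outside the hunk, so confirm that both names are in scope there and that the port's auth-pam patch still provides `do_pam_session(user, tty)`; otherwise a USE_PAM build will not compile. The earlier copy of this block, removed in the hunk above, sat in do_exec_pty right after `ttyfd = s->ttyfd`, so the declarations it relied on may not have moved with it. Separately, `rindex` is a legacy BSD call; `shorttty = strrchr(s->tty, '/');` is the portable spelling, and a one-line comment saying why PAM is handed the short tty name would help the next maintainer.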
@@ -328,7 +300,7 @@
close(i);
/*
-@@ -1412,6 +1576,31 @@
+@@ -1429,6 +1591,31 @@
exit(1);
#endif
}
diff --git a/security/openssh-portable/files/patch-ssh-agent.c b/security/openssh-portable/files/patch-ssh-agent.c
deleted file mode 100644
index f50ae308e03c..000000000000
--- a/security/openssh-portable/files/patch-ssh-agent.c
+++ /dev/null
@@ -1,44 +0,0 @@
---- ssh-agent.c Sat Mar 15 00:37:09 2003
-+++ ssh-agent.c Wed Sep 17 00:42:15 2003
-@@ -767,7 +767,7 @@ process_message(SocketEntry *e)
- static void
- new_socket(sock_type type, int fd)
- {
-- u_int i, old_alloc;
-+ u_int i, old_alloc, new_alloc;
-
- if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
- error("fcntl O_NONBLOCK: %s", strerror(errno));
-@@ -778,25 +778,26 @@ new_socket(sock_type type, int fd)
- for (i = 0; i < sockets_alloc; i++)
- if (sockets[i].type == AUTH_UNUSED) {
- sockets[i].fd = fd;
-- sockets[i].type = type;
- buffer_init(&sockets[i].input);
- buffer_init(&sockets[i].output);
- buffer_init(&sockets[i].request);
-+ sockets[i].type = type;
- return;
- }
- old_alloc = sockets_alloc;
-- sockets_alloc += 10;
-+ new_alloc = sockets_alloc + 10;
- if (sockets)
-- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
-+ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
- else
-- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
-- for (i = old_alloc; i < sockets_alloc; i++)
-+ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
-+ for (i = old_alloc; i < new_alloc; i++)
- sockets[i].type = AUTH_UNUSED;
-- sockets[old_alloc].type = type;
-+ sockets_alloc = new_alloc;
- sockets[old_alloc].fd = fd;
- buffer_init(&sockets[old_alloc].input);
- buffer_init(&sockets[old_alloc].output);
- buffer_init(&sockets[old_alloc].request);
-+ sockets[old_alloc].type = type;
- }
-
- static int
diff --git a/security/openssh-portable/files/patch-sshd_config b/security/openssh-portable/files/patch-sshd_config
index 3d84a8c64d0f..ca7fe10a0234 100644
--- a/security/openssh-portable/files/patch-sshd_config
+++ b/security/openssh-portable/files/patch-sshd_config
@@ -1,14 +1,14 @@
---- sshd_config.orig Fri Jun 21 03:11:36 2002
-+++ sshd_config Wed Jul 3 06:20:47 2002
+--- sshd_config.orig Tue Sep 2 14:51:18 2003
++++ sshd_config Tue Sep 16 20:05:44 2003
@@ -34,6 +34,7 @@
- #LoginGraceTime 600
+ #LoginGraceTime 2m
#PermitRootLogin yes
+PermitRootLogin no
#StrictModes yes
#RSAAuthentication yes
-@@ -58,6 +59,7 @@
+@@ -56,6 +57,7 @@
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
diff --git a/security/openssh-portable/files/patch-stderr-after-eof.sh b/security/openssh-portable/files/patch-stderr-after-eof.sh
deleted file mode 100644
index 38969b8d51a3..000000000000
--- a/security/openssh-portable/files/patch-stderr-after-eof.sh
+++ /dev/null
@@ -1,11 +0,0 @@
---- regress/stderr-after-eof.sh.orig Wed May 1 05:17:35 2002
-+++ regress/stderr-after-eof.sh Fri Jul 19 07:22:18 2002
-@@ -7,7 +7,7 @@
- DATA=${OBJ}/data
- COPY=${OBJ}/copy
-
--MD5=md5sum
-+MD5=md5
-
- # setup data
- rm -f ${DATA} ${COPY}