diff options
author | luigi <luigi@FreeBSD.org> | 2001-04-22 22:03:04 +0800 |
---|---|---|
committer | luigi <luigi@FreeBSD.org> | 2001-04-22 22:03:04 +0800 |
commit | 2f612469577c6ce604f93dbfeedabfb762a18bf1 (patch) | |
tree | 33c0667078e520b11f1539d93f2f4c72d42090f1 /picobsd | |
parent | 2bff668263065545bb43ee257008e56da062e7e1 (diff) | |
download | freebsd-ports-graphics-2f612469577c6ce604f93dbfeedabfb762a18bf1.tar.gz freebsd-ports-graphics-2f612469577c6ce604f93dbfeedabfb762a18bf1.tar.zst freebsd-ports-graphics-2f612469577c6ce604f93dbfeedabfb762a18bf1.zip |
New port: stripped-down ssh version to be used in picobsd images.
"stripped down" refers to the fact that we build a single binary
which includes ssh, sshd and scp functionality without having
to bring in 3 copies of mostly the same code.
Requests to add this category and this port have been posted
on the ports list and directly to satoshi over the past few
months. I assume no reply means no problem.
Diffstat (limited to 'picobsd')
38 files changed, 4801 insertions, 0 deletions
diff --git a/picobsd/ssh-picobsd/Makefile b/picobsd/ssh-picobsd/Makefile new file mode 100644 index 00000000000..2b113731dfe --- /dev/null +++ b/picobsd/ssh-picobsd/Makefile @@ -0,0 +1,74 @@ +# New ports collection makefile for: ssh-picobsd +# Date created: 21 Apr 2001 +# Whom: luigi@FreeBSD.org +# +# $FreeBSD$ +# +# A small version of ssh for picobsd. A single binary does ssh,sshd and scp +# + +PORTNAME= ssh +PORTVERSION= 1.2.27 # Note, 1.2.30 is under a more restrictive license +PORTREVISION= 1 +CATEGORIES= security picobsd +MASTER_SITES= ftp://ftp.cs.engr.uky.edu/cs/software/ \ + ftp://ftp.cs.umn.edu/dept/users/rybski/ \ + ftp://ftp.net.ohio-state.edu/disk/d/security/ssh/ \ + ftp://ftp.cronyx.ru/.w2/mirror/ssh/old/ \ + ftp://ftp.nsysu.edu.tw/Unix/Security/ssh/old/ \ + ftp://ftp.tokyonet.ad.jp/.da0/security/ssh/old/ \ + ftp://ftp.comp.hkbu.edu.hk/.6/unix/ \ + ftp://ftp.dei.uc.pt/.disk2/Crypto/SSH/old/ + +MAINTAINER= luigi@FreeBSD.org + +NO_CDROM= "Picobsd only" +NO_PACKAGE= "This is only useful to build picobsd images" + +USE_AUTOCONF= YES +GNU_CONFIGURE= YES +USE_PERL5= YES +CONFIGURE_ENV+= PERL=${PERL5} + +CONFIGURE_ARGS+= --with-etcdir=${PREFIX}/etc + +# Uncomment if all your users are in their own group and their homedir +# is writeable by that group. Beware the security implications! +# +#CONFIGURE_ARGS+= --enable-group-writeability + +# Uncomment if you want to allow ssh to emulate an unencrypted rsh connection +# over a secure medium (i.e. allow SSH connections without encryption). +# This is normally dangerous since it can lead to the disclosure of keys +# and passwords. +# +#CONFIGURE_ARGS+= --with-none + +.if defined(KRB5_HOME) && exists(${KRB5_HOME}) +CONFIGURE_ARGS+=--with-kerberos5=${KRB5_HOME} --enable-kerberos-tgt-passing \ + --disable-suid-ssh +.endif + +# Include support for the SecureID card +# Warning: untested ! +# +.if defined(WITH_SECUREID) +CONFIGURE_ARGS+= --with-secureid +.endif + +# Don't use IDEA. IDEA can be freely used for non-commercial use. However, +# commercial use may require a licence in a number of countries. Since SSH +# itself may not be used for commercial purposes without a license, we +# enable IDEA by default since the user would already be getting himself +# into trouble. + +pre-patch: + @${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl \ + ${WRKSRC}/make-ssh-known-hosts.pl.in + +.include <bsd.port.pre.mk> + +# no IDEA, tcpwrap, IPV6, SOCKS, x11 for picobsd +CONFIGURE_ARGS+= --disable-ipv6 --without-x --without-idea + +.include <bsd.port.post.mk> diff --git a/picobsd/ssh-picobsd/distinfo b/picobsd/ssh-picobsd/distinfo new file mode 100644 index 00000000000..bf690165936 --- /dev/null +++ b/picobsd/ssh-picobsd/distinfo @@ -0,0 +1 @@ +MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395 diff --git a/picobsd/ssh-picobsd/files/patch-aa b/picobsd/ssh-picobsd/files/patch-aa new file mode 100644 index 00000000000..3386fc8d68a --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-aa @@ -0,0 +1,19 @@ +*** make-ssh-known-hosts.pl.in.orig Wed May 12 20:18:51 1999 +--- make-ssh-known-hosts.pl.in Sun Jun 6 02:30:08 1999 +*************** +*** 98,104 **** + $debug = 5; + $defserver = ''; + $bell='\a'; +! $public_key = '/etc/ssh_host_key.pub'; + $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$"; + $timeout = 60; + $ping_timeout = 3; +--- 98,104 ---- + $debug = 5; + $defserver = ''; + $bell='\a'; +! $public_key = '@ETCDIR@/ssh_host_key.pub'; + $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$"; + $timeout = 60; + $ping_timeout = 3; diff --git a/picobsd/ssh-picobsd/files/patch-ac b/picobsd/ssh-picobsd/files/patch-ac new file mode 100644 index 00000000000..1f4163606c0 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ac @@ -0,0 +1,121 @@ +--- Makefile.in.orig Wed May 12 04:19:31 1999 ++++ Makefile.in Sun Sep 17 01:39:40 2000 +@@ -301,12 +301,17 @@ + SHELL = /bin/sh + + GMPDIR = gmp-2.0.2-ssh-2 +-GMPLIBS = -L$(GMPDIR) -lgmp +-GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a ++# We have the same libgmp in the system, so use it instead ++GMPINCDIR = /usr/include ++GMPLIBDIR = /usr/lib ++GMPLIBS = -lgmp ++GMPDEP = $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a + + ZLIBDIR = zlib-1.0.4 +-ZLIBDEP = $(ZLIBDIR)/libz.a +-ZLIBLIBS = -L$(ZLIBDIR) -lz ++ZLIBINCDIR = /usr/include ++ZLIBLIBDIR = /usr/lib ++ZLIBDEP = $(ZLIBINCDIR)/libz.a ++ZLIBLIBS = -lz + + RSAREFDIR = rsaref2 + RSAREFSRCDIR = $(RSAREFDIR)/source +@@ -411,7 +416,7 @@ + $(CC) -o rfc-pg rfc-pg.o + + .c.o: +- $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< ++ $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPINCDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< + + sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP) + -rm -f sshd +@@ -454,19 +459,19 @@ + sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts + chmod +x make-ssh-known-hosts + +-GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \ +- mpz_mul.c mpz_cmp.c mpz_sqrtrem.c +-$(GMPDIR)/libgmp.a: +- cd $(GMPDIR); $(MAKE) +- +-$(ZLIBDEP): +- -if test '!' -d $(ZLIBDIR); then \ +- mkdir $(ZLIBDIR); \ +- cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \ +- fi +- cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \ +- CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \ +- -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a ++#GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \ ++# mpz_mul.c mpz_cmp.c mpz_sqrtrem.c ++#$(GMPDIR)/libgmp.a: ++# cd $(GMPDIR); $(MAKE) ++# ++#$(ZLIBDEP): ++# -if test '!' -d $(ZLIBDIR); then \ ++# mkdir $(ZLIBDIR); \ ++# cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \ ++# fi ++# cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \ ++# CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \ ++# -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a + + $(RSAREFSRCDIR)/librsaref.a: + -if test '!' -d $(RSAREFDIR); then \ +@@ -523,7 +528,7 @@ + # (otherwise it can only log in as the user it runs as, and must be + # bound to a non-privileged port). Also, password authentication may + # not be available if non-root and using shadow passwords. +-install: $(PROGRAMS) make-dirs generate-host-key install-configs ++install: $(PROGRAMS) make-dirs install-configs + -rm -f $(install_prefix)$(bindir)/ssh1.old + -chmod 755 $(install_prefix)$(bindir)/ssh1 + -chmod 755 $(install_prefix)$(bindir)/ssh +@@ -679,15 +684,15 @@ + + clean: + -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg +- cd $(GMPDIR); $(MAKE) clean ++# cd $(GMPDIR); $(MAKE) clean + # cd $(RSAREFSRCDIR); rm -f *.o *.a +- cd $(ZLIBDIR); $(MAKE) clean ++# cd $(ZLIBDIR); $(MAKE) clean + + distclean: clean + -rm -f Makefile config.status config.cache config.log config.h + -rm -f ssh.1 sshd.8 make-ssh-known-hosts.1 +- cd $(GMPDIR); $(MAKE) distclean +- cd $(ZLIBDIR); $(MAKE) distclean ++# cd $(GMPDIR); $(MAKE) distclean ++# cd $(ZLIBDIR); $(MAKE) distclean + + dist: dist-free + +@@ -716,12 +721,12 @@ + -mkdir $(DISTNAME) + cp $(DISTFILES) $(DISTNAME) + for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done +- (cd $(GMPDIR); make dist) +- gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) ++# (cd $(GMPDIR); make dist) ++# gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) + # tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -) + # cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a +- (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) +- cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS ++# (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) ++# cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS + + #ifdef F_SECURE_COMMERCIAL + # +@@ -749,7 +754,7 @@ + (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null + + depend: +- $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS) ++ $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS) + + tags: + -rm -f TAGS diff --git a/picobsd/ssh-picobsd/files/patch-ad b/picobsd/ssh-picobsd/files/patch-ad new file mode 100644 index 00000000000..bab4169bca6 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ad @@ -0,0 +1,13 @@ +*** auth-passwd.c.orig Wed May 12 20:19:23 1999 +--- auth-passwd.c Sun Jun 6 02:36:00 1999 +*************** +*** 911,916 **** +--- 911,918 ---- + encrypted_password = crypt(password, + (correct_passwd[0] && correct_passwd[1]) ? + correct_passwd : "xx"); ++ if (!password[0] && correct_passwd[0]) ++ encrypted_password = ":"; + #endif /* HAVE_SCO_ETC_SHADOW */ + + /* Authentication is accepted if the encrypted passwords are identical. */ diff --git a/picobsd/ssh-picobsd/files/patch-ae b/picobsd/ssh-picobsd/files/patch-ae new file mode 100644 index 00000000000..0ef0a89ae6c --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ae @@ -0,0 +1,58 @@ +*** server_config.sample.old Thu Apr 20 23:24:57 2000 +--- server_config.sample Thu Apr 20 23:26:24 2000 +*************** +*** 1,13 **** + # This is ssh server systemwide configuration file. + + Port 22 +! ListenAddress 0.0.0.0 + HostKey _ETCDIR_/ssh_host_key + RandomSeed _ETCDIR_/ssh_random_seed + ServerKeyBits 768 + LoginGraceTime 600 + KeyRegenerationInterval 3600 +! PermitRootLogin yes + IgnoreRhosts no + StrictModes yes + QuietMode no +--- 1,13 ---- + # This is ssh server systemwide configuration file. + + Port 22 +! #Port 722 # Secondary port to listen on + HostKey _ETCDIR_/ssh_host_key + RandomSeed _ETCDIR_/ssh_random_seed + ServerKeyBits 768 + LoginGraceTime 600 + KeyRegenerationInterval 3600 +! PermitRootLogin no + IgnoreRhosts no + StrictModes yes + QuietMode no +*************** +*** 16,27 **** + FascistLogging no + PrintMotd yes + KeepAlive yes +! SyslogFacility DAEMON + RhostsAuthentication no + RhostsRSAAuthentication yes + RSAAuthentication yes + PasswordAuthentication yes +! PermitEmptyPasswords yes + UseLogin no + # CheckMail no + # PidFile /u/zappa/.ssh/pid +--- 16,27 ---- + FascistLogging no + PrintMotd yes + KeepAlive yes +! SyslogFacility AUTH + RhostsAuthentication no + RhostsRSAAuthentication yes + RSAAuthentication yes + PasswordAuthentication yes +! PermitEmptyPasswords no + UseLogin no + # CheckMail no + # PidFile /u/zappa/.ssh/pid diff --git a/picobsd/ssh-picobsd/files/patch-af b/picobsd/ssh-picobsd/files/patch-af new file mode 100644 index 00000000000..d3fce096361 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-af @@ -0,0 +1,809 @@ +*** sshd.c.orig Tue Jan 11 20:40:10 2000 +--- sshd.c Tue Jan 11 20:40:07 2000 +*************** +*** 553,558 **** +--- 553,571 ---- + /* Name of the server configuration file. */ + char *config_file_name = SERVER_CONFIG_FILE; + ++ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. ++ Default value is AF_UNSPEC means both IPv4 and IPv6. */ ++ #ifdef ENABLE_IPV6 ++ int IPv4or6 = AF_UNSPEC; ++ #else ++ int IPv4or6 = AF_INET; ++ #endif ++ ++ #ifdef ENABLE_LOG_AUTH ++ char *unauthenticated_user = NULL; ++ int log_auth_flag = 0; ++ #endif /* ENABLE_LOG_AUTH */ ++ + /* Debug mode flag. This can be set on the command line. If debug + mode is enabled, extra debugging output will be sent to the system + log, the daemon will not go to background, and will exit after processing +*************** +*** 576,582 **** + + /* This is set to the socket that the server is listening; this is used in + the SIGHUP signal handler. */ +! int listen_sock; + + /* This is not really needed, and could be eliminated if server-specific + and client-specific code were removed from newchannels.c */ +--- 589,605 ---- + + /* This is set to the socket that the server is listening; this is used in + the SIGHUP signal handler. */ +! #define MAX_LISTEN_SOCKS 16 +! int listen_socks[MAX_LISTEN_SOCKS]; +! int num_listen_socks = 0; +! void close_listen_socks() +! { +! int i; +! +! for (i = 0; i < num_listen_socks; i++) +! close(listen_socks[i]); +! num_listen_socks = -1; +! } + + /* This is not really needed, and could be eliminated if server-specific + and client-specific code were removed from newchannels.c */ +*************** +*** 666,672 **** + void sighup_restart(void) + { + log_msg("Received SIGHUP; restarting."); +! close(listen_sock); + execvp(saved_argv[0], saved_argv); + log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", + saved_argv[0], strerror(errno)); +--- 689,695 ---- + void sighup_restart(void) + { + log_msg("Received SIGHUP; restarting."); +! close_listen_socks(); + execvp(saved_argv[0], saved_argv); + log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", + saved_argv[0], strerror(errno)); +*************** +*** 680,686 **** + RETSIGTYPE sigterm_handler(int sig) + { + log_msg("Received signal %d; terminating.", sig); +! close(listen_sock); + exit(255); + } + +--- 703,709 ---- + RETSIGTYPE sigterm_handler(int sig) + { + log_msg("Received signal %d; terminating.", sig); +! close_listen_socks(); + exit(255); + } + +*************** +*** 759,765 **** + int perm_denied = 0; + int ret; + fd_set fdset; +! struct sockaddr_in sin; + char buf[100]; /* Must not be larger than remote_version. */ + char remote_version[100]; /* Must be at least as big as buf. */ + char *comment; +--- 782,788 ---- + int perm_denied = 0; + int ret; + fd_set fdset; +! struct sockaddr_storage from; + char buf[100]; /* Must not be larger than remote_version. */ + char remote_version[100]; /* Must be at least as big as buf. */ + char *comment; +*************** +*** 769,774 **** +--- 792,800 ---- + struct linger linger; + #endif /* SO_LINGER */ + int done; ++ struct addrinfo *ai; ++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; ++ int listen_sock, maxfd; + + /* Save argv[0]. */ + saved_argv = av; +*************** +*** 787,796 **** + initialize_server_options(&options); + + /* Parse command-line arguments. */ +! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF) + { + switch (opt) + { + case 'f': + config_file_name = optarg; + break; +--- 813,838 ---- + initialize_server_options(&options); + + /* Parse command-line arguments. */ +! while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4" +! #ifdef ENABLE_IPV6 +! "6" +! #endif +! )) != EOF) + { + switch (opt) + { ++ case '4': ++ #ifdef ENABLE_IPV6 ++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET; ++ #else ++ IPv4or6 = AF_INET; ++ #endif ++ break; ++ #ifdef ENABLE_IPV6 ++ case '6': ++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6; ++ break; ++ #endif + case 'f': + config_file_name = optarg; + break; +*************** +*** 807,813 **** + options.server_key_bits = atoi(optarg); + break; + case 'p': +! options.port = atoi(optarg); + break; + case 'g': + options.login_grace_time = atoi(optarg); +--- 849,855 ---- + options.server_key_bits = atoi(optarg); + break; + case 'p': +! options.ports[options.num_ports++] = atoi(optarg); + break; + case 'g': + options.login_grace_time = atoi(optarg); +*************** +*** 829,834 **** +--- 871,880 ---- + fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE); + fprintf(stderr, "Usage: %s [options]\n", av0); + fprintf(stderr, "Options:\n"); ++ fprintf(stderr, " -4 Use IPv4 only\n"); ++ #ifdef ENABLE_IPV6 ++ fprintf(stderr, " -6 Use IPv6 only\n"); ++ #endif + fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR); + fprintf(stderr, " -d Debugging mode\n"); + fprintf(stderr, " -i Started from inetd\n"); +*************** +*** 857,872 **** + fprintf(stderr, "fatal: Bad server key size.\n"); + exit(1); + } +- if (options.port < 1 || options.port > 65535) +- { +- fprintf(stderr, "fatal: Bad port number.\n"); +- exit(1); +- } + if (options.umask != -1) + { + umask(options.umask); + } + + /* Check that there are no remaining arguments. */ + if (optind < ac) + { +--- 903,917 ---- + fprintf(stderr, "fatal: Bad server key size.\n"); + exit(1); + } + if (options.umask != -1) + { + umask(options.umask); + } + ++ #ifdef ENABLE_LOG_AUTH ++ log_auth_flag = options.log_auth; ++ #endif /* ENABLE_LOG_AUTH */ ++ + /* Check that there are no remaining arguments. */ + if (optind < ac) + { +*************** +*** 1034,1043 **** + } + else + { + /* Create socket for listening. */ +! listen_sock = socket(AF_INET, SOCK_STREAM, 0); + if (listen_sock < 0) + fatal("socket: %.100s", strerror(errno)); + + /* Set socket options. We try to make the port reusable and have it + close as fast as possible without waiting in unnecessary wait states +--- 1079,1091 ---- + } + else + { ++ for (ai = options.listen_addrs; ai; ai = ai->ai_next) ++ { + /* Create socket for listening. */ +! listen_sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (listen_sock < 0) + fatal("socket: %.100s", strerror(errno)); ++ listen_socks[num_listen_socks] = listen_sock; + + /* Set socket options. We try to make the port reusable and have it + close as fast as possible without waiting in unnecessary wait states +*************** +*** 1051,1071 **** + sizeof(linger)); + #endif /* SO_LINGER */ + +! /* Initialize the socket address. */ +! memset(&sin, 0, sizeof(sin)); +! sin.sin_family = AF_INET; +! sin.sin_addr = options.listen_addr; +! sin.sin_port = htons(options.port); + + /* Bind the socket to the desired port. */ +! if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + { +! error("bind: %.100s", strerror(errno)); +! shutdown(listen_sock, 2); + close(listen_sock); +! fatal("Bind to port %d failed: %.200s.", options.port, +! strerror(errno)); + } + + if (!debug_flag) + { +--- 1099,1128 ---- + sizeof(linger)); + #endif /* SO_LINGER */ + +! getnameinfo(ai->ai_addr, ai->ai_addrlen, +! ntop, sizeof(ntop), strport, sizeof(strport), +! NI_NUMERICHOST|NI_NUMERICSERV); + + /* Bind the socket to the desired port. */ +! if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +! error("Bind to port %s on %s failed: %.200s.", +! strport, ntop, strerror(errno)); + close(listen_sock); +! continue; + } ++ num_listen_socks++; ++ ++ /* Start listening on the port. */ ++ log_msg("Server listening on %s port %s.", ntop, strport); ++ if (listen(listen_sock, 5) < 0) ++ fatal("listen: %.100s", strerror(errno)); ++ ++ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */ ++ freeaddrinfo(options.listen_addrs); ++ ++ if (!num_listen_socks) ++ fatal("Cannot bind all addresses."); + + if (!debug_flag) + { +*************** +*** 1081,1091 **** + } + } + +- /* Start listening on the port. */ +- log_msg("Server listening on port %d.", options.port); +- if (listen(listen_sock, 5) < 0) +- fatal("listen: %.100s", strerror(errno)); +- + /* Generate an rsa key. */ + log_msg("Generating %d bit RSA key.", options.server_key_bits); + rsa_generate_key(&sensitive_data.private_key, &public_key, +--- 1138,1143 ---- +*************** +*** 1139,1156 **** + + /* Wait in select until there is a connection. */ + FD_ZERO(&fdset); +! FD_SET(listen_sock, &fdset); +! ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL); +! if (ret < 0 || !FD_ISSET(listen_sock, &fdset)) + { + if (errno == EINTR) + continue; + error("select: %.100s", strerror(errno)); + continue; + } +! +! aux = sizeof(sin); +! newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux); + if (newsock < 0) + { + if (errno == EINTR) +--- 1191,1218 ---- + + /* Wait in select until there is a connection. */ + FD_ZERO(&fdset); +! maxfd = 0; +! for (i = 0; i < num_listen_socks; i++) +! { +! FD_SET(listen_socks[i], &fdset); +! if (listen_socks[i] > maxfd) +! maxfd = listen_socks[i]; +! } +! ret = select(maxfd + 1, &fdset, NULL, NULL, NULL); +! if (ret < 0) + { + if (errno == EINTR) + continue; + error("select: %.100s", strerror(errno)); + continue; + } +! +! for (i = 0; i < num_listen_socks; i++) +! { +! if (!FD_ISSET(listen_socks[i], &fdset)) +! continue; +! aux = sizeof(from); +! newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux); + if (newsock < 0) + { + if (errno == EINTR) +*************** +*** 1166,1172 **** + /* In debugging mode. Close the listening socket, and start + processing the connection without forking. */ + debug("Server will not fork when running in debugging mode."); +! close(listen_sock); + sock_in = newsock; + sock_out = newsock; + pid = getpid(); +--- 1228,1234 ---- + /* In debugging mode. Close the listening socket, and start + processing the connection without forking. */ + debug("Server will not fork when running in debugging mode."); +! close_listen_socks(); + sock_in = newsock; + sock_out = newsock; + pid = getpid(); +*************** +*** 1195,1201 **** + the accepted socket. Reinitialize logging (since our + pid has changed). We break out of the loop to handle + the connection. */ +! close(listen_sock); + sock_in = newsock; + sock_out = newsock; + #ifdef LIBWRAP +--- 1257,1263 ---- + the accepted socket. Reinitialize logging (since our + pid has changed). We break out of the loop to handle + the connection. */ +! close_listen_socks(); + sock_in = newsock; + sock_out = newsock; + #ifdef LIBWRAP +*************** +*** 1233,1238 **** +--- 1295,1304 ---- + + /* Close the new socket (the child is now taking care of it). */ + close(newsock); ++ } /* for (i = 0; i < num_host_socks; i++) */ ++ /* child process check (or debug mode) */ ++ if (num_listen_socks < 0) ++ break; + } + } + +*************** +*** 2205,2210 **** +--- 2271,2279 ---- + krb5_parse_name(ssh_context, user, &client); + #endif /* defined(KERBEROS) && defined(KRB5) */ + ++ #ifdef ENABLE_LOG_AUTH ++ unauthenticated_user = user; ++ #endif /* ENABLE_LOG_AUTH */ + /* Verify that the user is a valid user. We disallow usernames starting + with any characters that are commonly used to start NIS entries. */ + pw = getpwnam(user); +*************** +*** 2222,2228 **** + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_change = pw->pw_change; + pwcopy.pw_expire = pw->pw_expire; +! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; +--- 2291,2297 ---- + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_change = pw->pw_change; + pwcopy.pw_expire = pw->pw_expire; +! #endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */ + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; +*************** +*** 2260,2265 **** +--- 2329,2339 ---- + { + /* Authentication with empty password succeeded. */ + debug("Login for user %.100s accepted without authentication.", user); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "empty password accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_PASSWORD; + authenticated = 1; + /* Success packet will be sent after loop below. */ +*************** +*** 2334,2339 **** +--- 2408,2418 ---- + /* Client has successfully authenticated to us. */ + log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s", + tkt_user, user, get_canonical_hostname()); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "kerberos authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_KERBEROS; + authenticated = 1; + break; +*************** +*** 2382,2387 **** +--- 2461,2471 ---- + /* Authentication accepted. */ + log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.", + user, client_user, get_canonical_hostname()); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.100s@%.700s (%s)", ++ user, client_user, get_canonical_hostname(), ++ "rhosts authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RHOSTS; + authenticated = 1; + remote_user_name = client_user; +*************** +*** 2441,2446 **** +--- 2525,2535 ---- + options.strict_modes)) + { + /* Authentication accepted. */ ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.100s@%.700s (%s)", ++ user, client_user, get_canonical_hostname(), ++ "rhosts with RSA host authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RHOSTS_RSA; + authenticated = 1; + remote_user_name = client_user; +*************** +*** 2474,2479 **** +--- 2563,2573 ---- + /* Successful authentication. */ + mpz_clear(&n); + log_msg("RSA authentication for %.100s accepted.", user); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "RSA user authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RSA; + authenticated = 1; + break; +*************** +*** 2608,2613 **** +--- 2702,2712 ---- + auth_close(); + memset(password, 0, strlen(password)); + xfree(password); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from @%.700s (%s)", ++ user, get_canonical_hostname(), ++ "TIS authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_TIS; + authenticated = 1; + break; +*************** +*** 2668,2673 **** +--- 2767,2777 ---- + memset(password, 0, strlen(password)); + xfree(password); + log_msg("Password authentication for %.100s accepted.", user); ++ #ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "password authentication accepted"); ++ #endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_PASSWORD; + authenticated = 1; + break; +*************** +*** 2708,2713 **** +--- 2812,2822 ---- + } + + /* Check if the user is logging in as root and root logins are disallowed. */ ++ #ifdef ENABLE_LOG_AUTH ++ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) || ++ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command)) ++ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); ++ #endif /* ENABLE_LOG_AUTH */ + if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1) + { + if (authentication_type == SSH_AUTH_PASSWORD) +*************** +*** 2775,2780 **** +--- 2884,2892 ---- + packet_start(SSH_SMSG_SUCCESS); + packet_send(); + packet_write_wait(); ++ #ifdef ENABLE_LOG_AUTH ++ unauthenticated_user = NULL; ++ #endif /* ENABLE_LOG_AUTH */ + + /* Perform session preparation. */ + do_authenticated(pw); +*************** +*** 3280,3294 **** + char line[256]; + struct stat st; + int quiet_login; +! struct sockaddr_in from; + int fromlen; + struct pty_cleanup_context cleanup_context; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + #endif +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + struct timeval tp; +! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ + + /* We no longer need the child running on user's privileges. */ + userfile_uninit(); +--- 3392,3407 ---- + char line[256]; + struct stat st; + int quiet_login; +! struct sockaddr_storage from; + int fromlen; + struct pty_cleanup_context cleanup_context; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; ++ time_t warnpassword, warnexpire; + #endif +! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) + struct timeval tp; +! #endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */ + + /* We no longer need the child running on user's privileges. */ + userfile_uninit(); +*************** +*** 3387,3393 **** + + /* Record that there was a login on that terminal. */ + record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, +! &from); + + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + lc = login_getclass(pw->pw_class); +--- 3500,3506 ---- + + /* Record that there was a login on that terminal. */ + record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, +! (struct sockaddr *)&from); + + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + lc = login_getclass(pw->pw_class); +*************** +*** 3446,3451 **** +--- 3559,3572 ---- + "The Regents of the University of California. ", + "All rights reserved."); + } ++ #ifdef HAVE_LOGIN_CAP_H ++ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ ++ ++ warnpassword = login_getcaptime(lc, "warnpassword", ++ DEFAULT_WARN, DEFAULT_WARN); ++ warnexpire = login_getcaptime(lc, "warnexpire", ++ DEFAULT_WARN, DEFAULT_WARN); ++ #endif + #endif + + /* Print /etc/motd unless a command was specified or printing it was +*************** +*** 3469,3475 **** + fputs(line, stdout); + fclose(f); + } +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tp, (struct timezone *)NULL); + if (pw->pw_change) +--- 3590,3596 ---- + fputs(line, stdout); + fclose(f); + } +! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510) + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tp, (struct timezone *)NULL); + if (pw->pw_change) +*************** +*** 3876,3881 **** +--- 3997,4003 ---- + char *user_shell; + char *remote_ip; + int remote_port; ++ int local_port; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + char *real_shell; +*************** +*** 3922,3928 **** + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + if (pw->pw_uid != UID_ROOT && + !login_getcapbool(lc, "ignorenologin", 0)) + exit(254); +--- 4044,4050 ---- + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); +! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) + if (pw->pw_uid != UID_ROOT && + !login_getcapbool(lc, "ignorenologin", 0)) + exit(254); +*************** +*** 3981,3986 **** +--- 4103,4109 ---- + user_shell = xstrdup(pw->pw_shell); + remote_ip = xstrdup(get_remote_ipaddr()); + remote_port = get_remote_port(); ++ local_port = get_local_port(); + + /* Close the connection descriptors; note that this is the child, and the + server will still have the socket open, and it is important that we +*************** +*** 4000,4006 **** + /* Close any extra file descriptors. Note that there may still be + descriptors left by system functions. They will be closed later. */ + endpwent(); +- endhostent(); + + /* Set dummy encryption key to clear information about the key from + memory. This key will never be used. */ +--- 4123,4128 ---- +*************** +*** 4257,4263 **** + + /* Set SSH_CLIENT. */ + snprintf(buf, sizeof(buf), +! "%.50s %d %d", remote_ip, remote_port, options.port); + child_set_env(&env, &envsize, "SSH_CLIENT", buf); + + /* Set SSH_TTY if we have a pty. */ +--- 4379,4385 ---- + + /* Set SSH_CLIENT. */ + snprintf(buf, sizeof(buf), +! "%.50s %d %d", remote_ip, remote_port, local_port); + child_set_env(&env, &envsize, "SSH_CLIENT", buf); + + /* Set SSH_TTY if we have a pty. */ +*************** +*** 4426,4432 **** + int i; + char name[255], *p; + char line[256]; +! struct hostent *hp; + + strncpy(name, display, sizeof(name)); + name[sizeof(name) - 1] = '\0'; +--- 4548,4555 ---- + int i; + char name[255], *p; + char line[256]; +! struct addrinfo hints, *ai, *aitop; +! char ntop[ADDRSTRLEN]; + + strncpy(name, display, sizeof(name)); + name[sizeof(name) - 1] = '\0'; +*************** +*** 4443,4449 **** + /* Moved this call here to avoid a nasty buf in SunOS + 4.1.4 libc where gethostbyname closes an unrelated + file descriptor. */ +! hp = gethostbyname(name); + + snprintf(line, sizeof(line), + "%.200s -q -", options.xauth_path); +--- 4566,4575 ---- + /* Moved this call here to avoid a nasty buf in SunOS + 4.1.4 libc where gethostbyname closes an unrelated + file descriptor. */ +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! if (getaddrinfo(name, NULL, &hints, &aitop) != 0) +! aitop = 0; + + snprintf(line, sizeof(line), + "%.200s -q -", options.xauth_path); +*************** +*** 4461,4481 **** + cp - display, display, cp, auth_proto, + auth_data); + #endif +! if (hp) + { +! for(i = 0; hp->h_addr_list[i]; i++) + { + if (debug_flag) + { + fprintf(stderr, "Running %s add %s%s %s %s\n", + options.xauth_path, +! inet_ntoa(*((struct in_addr *) +! hp->h_addr_list[i])), + cp, auth_proto, auth_data); + } + fprintf(f, "add %s%s %s %s\n", +! inet_ntoa(*((struct in_addr *) +! hp->h_addr_list[i])), + cp, auth_proto, auth_data); + } + } +--- 4587,4610 ---- + cp - display, display, cp, auth_proto, + auth_data); + #endif +! if (aitop) + { +! for (ai = aitop; ai; ai = ai->ai_next) + { ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), NULL, 0, ++ NI_NUMERICHOST); ++ if (strchr(ntop, ':')) ++ continue; /* XXX - xauth doesn't accept it */ + if (debug_flag) + { + fprintf(stderr, "Running %s add %s%s %s %s\n", + options.xauth_path, +! ntop, + cp, auth_proto, auth_data); + } + fprintf(f, "add %s%s %s %s\n", +! ntop, + cp, auth_proto, auth_data); + } + } +*************** +*** 4525,4531 **** +--- 4654,4664 ---- + struct stat mailbuf; + + if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0) ++ #ifdef __FreeBSD__ ++ ; ++ #else + printf("No mail.\n"); ++ #endif + else if (mailbuf.st_atime > mailbuf.st_mtime) + printf("You have mail.\n"); + else diff --git a/picobsd/ssh-picobsd/files/patch-ag b/picobsd/ssh-picobsd/files/patch-ag new file mode 100644 index 00000000000..71f3b7e168f --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ag @@ -0,0 +1,54 @@ +*** auth-kerberos.c.orig Tue Jan 11 20:33:46 2000 +--- auth-kerberos.c Tue Jan 11 20:33:38 2000 +*************** +*** 120,129 **** +--- 120,137 ---- + + debug("Kerberos invalid service name (%.100s).", server); + packet_send_debug("Kerberos invalid service name (%.100s).", server); ++ #ifdef krb5_xfree + krb5_xfree(server); ++ #else ++ free(server); ++ #endif + return 0; + } ++ #ifdef krb5_xfree + krb5_xfree(server); ++ #else ++ free(server); ++ #endif + + /* Extract the users name from the ticket client principal */ + problem = krb5_copy_principal(ssh_context, ticket->enc_part2->client, +*************** +*** 159,165 **** +--- 167,177 ---- + packet_put_string((char *) reply.data, reply.length); + packet_send(); + packet_write_wait(); ++ #ifdef krb5_xfree + krb5_xfree(reply.data); ++ #else ++ krb5_free_data_contents(ssh_context, &reply); ++ #endif + return 1; + } + #endif /* KRB5 */ +*************** +*** 177,183 **** + extern char *ticket; + static krb5_principal rcache_server = 0; + static krb5_rcache rcache; +! struct sockaddr_in local, foreign; + krb5_address *local_addr, *remote_addr; + int s; + +--- 189,195 ---- + extern char *ticket; + static krb5_principal rcache_server = 0; + static krb5_rcache rcache; +! struct sockaddr_storage local, foreign; + krb5_address *local_addr, *remote_addr; + int s; + diff --git a/picobsd/ssh-picobsd/files/patch-al b/picobsd/ssh-picobsd/files/patch-al new file mode 100644 index 00000000000..35a191b5561 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-al @@ -0,0 +1,408 @@ +*** sshconnect.c.orig Wed May 12 20:19:29 1999 +--- sshconnect.c Thu Feb 24 22:34:47 2000 +*************** +*** 337,343 **** + + /* Creates a (possibly privileged) socket for use as the ssh connection. */ + +! int ssh_create_socket(uid_t original_real_uid, int privileged) + { + int sock; + +--- 337,343 ---- + + /* Creates a (possibly privileged) socket for use as the ssh connection. */ + +! int ssh_create_socket(uid_t original_real_uid, int privileged, int family) + { + int sock; + +*************** +*** 345,379 **** + bind our own socket to a privileged port. */ + if (privileged) + { +! struct sockaddr_in sin; + int p; + for (p = 1023; p > 512; p--) + { +! sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) +! fatal("socket: %.100s", strerror(errno)); + +! /* Initialize the desired sockaddr_in structure. */ +! memset(&sin, 0, sizeof(sin)); +! sin.sin_family = AF_INET; +! sin.sin_addr.s_addr = INADDR_ANY; +! sin.sin_port = htons(p); + + /* Try to bind the socket to the privileged port. */ + #if defined(SOCKS) +! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) + break; /* Success. */ + #else /* SOCKS */ +! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) + break; /* Success. */ + #endif /* SOCKS */ + if (errno == EADDRINUSE) + { + close(sock); + continue; + } +! fatal("bind: %.100s", strerror(errno)); + } + debug("Allocated local port %d.", p); + } + else +--- 345,404 ---- + bind our own socket to a privileged port. */ + if (privileged) + { +! struct addrinfo hints, *ai = NULL; +! int errgai; +! char strport[PORTSTRLEN]; + int p; ++ #if (defined(__OpenBSD__) || defined(__FreeBSD__)) && !defined(SOCKS) ++ p = 1023; /* Compat with old FreeBSD */ ++ #if __FreeBSD__ >= 400014 ++ sock = rresvport_af(&p, family); ++ if (sock < 0) ++ error("rresvport_af: %.100s", strerror(errno)); ++ #else ++ sock = rresvport(&p); ++ if (sock < 0) ++ error("rresvport: %.100s", strerror(errno)); ++ #endif ++ #else + for (p = 1023; p > 512; p--) + { +! sock = socket(family, SOCK_STREAM, 0); + if (sock < 0) +! error("socket: %.100s", strerror(errno)); + +! /* Initialize the desired addrinfo structure. */ +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = family; +! hints.ai_flags = AI_PASSIVE; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", p); +! #if defined(SOCKS) +! if ((errgai = Rgetaddrinfo(NULL, strport, &hints, &ai)) != 0) +! fatal("getaddrinfo: %.100s", gai_strerror(errgai)); +! #else /* SOCKS */ +! if ((errgai = getaddrinfo(NULL, strport, &hints, &ai)) != 0) +! fatal("getaddrinfo: %.100s", gai_strerror(errgai)); +! #endif /* SOCKS */ + + /* Try to bind the socket to the privileged port. */ + #if defined(SOCKS) +! if (Rbind(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + break; /* Success. */ + #else /* SOCKS */ +! if (bind(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + break; /* Success. */ + #endif /* SOCKS */ + if (errno == EADDRINUSE) + { + close(sock); ++ freeaddrinfo(ai); + continue; + } +! error("bind: %.100s", strerror(errno)); + } ++ freeaddrinfo(ai); ++ #endif + debug("Allocated local port %d.", p); + } + else +*************** +*** 396,409 **** + the daemon. */ + + int ssh_connect(const char *host, int port, int connection_attempts, + int anonymous, uid_t original_real_uid, + const char *proxy_command, RandomState *random_state) + { + int sock = -1, attempt, i; + int on = 1; + struct servent *sp; +! struct hostent *hp; +! struct sockaddr_in hostaddr; + #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER) + struct linger linger; + #endif /* SO_LINGER */ +--- 421,439 ---- + the daemon. */ + + int ssh_connect(const char *host, int port, int connection_attempts, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + int anonymous, uid_t original_real_uid, + const char *proxy_command, RandomState *random_state) + { + int sock = -1, attempt, i; + int on = 1; + struct servent *sp; +! struct addrinfo hints, *ai, *aitop, *aitmp; +! struct sockaddr_storage hostaddr; +! char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; +! int gaierr; + #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER) + struct linger linger; + #endif /* SO_LINGER */ +*************** +*** 421,430 **** + port = SSH_DEFAULT_PORT; + } + +- /* Map localhost to ip-address locally */ +- if (strcmp(host, "localhost") == 0) +- host = "127.0.0.1"; +- + /* If a proxy command is given, connect using it. */ + if (proxy_command != NULL && *proxy_command) + return ssh_proxy_connect(host, port, original_real_uid, proxy_command, +--- 451,456 ---- +*************** +*** 432,440 **** + + /* No proxy command. */ + +! /* No host lookup made yet. */ +! hp = NULL; +! + /* Try to connect several times. On some machines, the first time will + sometimes fail. In general socket code appears to behave quite + magically on many machines. */ +--- 458,495 ---- + + /* No proxy command. */ + +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", port); +! #if defined(SOCKS) +! if ((gaierr = Rgetaddrinfo(host, strport, &hints, &aitop)) != 0) +! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr)); +! #else /* SOCKS */ +! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) +! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr)); +! #endif /* SOCKS */ +! +! #ifdef ENABLE_ANOTHER_PORT_TRY +! if (another_port) +! { +! aitmp = aitop; +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", another_port); +! #if defined(SOCKS) +! if ((gaierr = Rgetaddrinfo(host, strport, &hints, &aitop)) != 0) +! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr)); +! #else /* SOCKS */ +! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) +! fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr)); +! #endif /* SOCKS */ +! for (ai = aitop; ai->ai_next; ai = ai->ai_next); +! ai->ai_next = aitmp; +! } +! #endif /* ENABLE_ANOTHER_PORT_TRY */ +! + /* Try to connect several times. On some machines, the first time will + sometimes fail. In general socket code appears to behave quite + magically on many machines. */ +*************** +*** 443,545 **** + if (attempt > 0) + debug("Trying again..."); + +- /* Try to parse the host name as a numeric inet address. */ +- memset(&hostaddr, 0, sizeof(hostaddr)); +- hostaddr.sin_family = AF_INET; +- hostaddr.sin_port = htons(port); +- #ifdef BROKEN_INET_ADDR +- hostaddr.sin_addr.s_addr = inet_network(host); +- #else /* BROKEN_INET_ADDR */ +- hostaddr.sin_addr.s_addr = inet_addr(host); +- #endif /* BROKEN_INET_ADDR */ +- if ((hostaddr.sin_addr.s_addr & 0xffffffff) != 0xffffffff) +- { +- /* Create a socket. */ +- sock = ssh_create_socket(original_real_uid, +- !anonymous && geteuid() == UID_ROOT); +- +- /* Valid numeric IP address */ +- debug("Connecting to %.100s port %d.", +- inet_ntoa(hostaddr.sin_addr), port); +- +- /* Connect to the host. */ +- #if defined(SOCKS) +- if (Rconnect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr)) +- #else /* SOCKS */ +- if (connect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr)) +- #endif /* SOCKS */ +- >= 0) +- { +- /* Successful connect. */ +- break; +- } +- debug("connect: %.100s", strerror(errno)); +- +- /* Destroy the failed socket. */ +- shutdown(sock, 2); +- close(sock); +- } +- else +- { +- /* Not a valid numeric inet address. */ +- /* Map host name to an address. */ +- if (!hp) +- { +- struct hostent *hp_static; +- +- #if defined(SOCKS5) +- hp_static = Rgethostbyname(host); +- #else +- hp_static = gethostbyname(host); +- #endif +- if (hp_static) +- { +- hp = xmalloc(sizeof(struct hostent)); +- memcpy(hp, hp_static, sizeof(struct hostent)); +- +- /* Copy list of addresses, not just pointers. +- We don't use h_name & h_aliases so leave them as is */ +- for (i = 0; hp_static->h_addr_list[i]; i++) +- ; /* count them */ +- hp->h_addr_list = xmalloc((i + 1) * +- sizeof(hp_static->h_addr_list[0])); +- for (i = 0; hp_static->h_addr_list[i]; i++) +- { +- hp->h_addr_list[i] = xmalloc(hp->h_length); +- memcpy(hp->h_addr_list[i], hp_static->h_addr_list[i], +- hp->h_length); +- } +- hp->h_addr_list[i] = NULL; /* last one */ +- } +- } +- if (!hp) +- fatal("Bad host name: %.100s", host); +- if (!hp->h_addr_list[0]) +- fatal("Host does not have an IP address: %.100s", host); +- + /* Loop through addresses for this host, and try each one in + sequence until the connection succeeds. */ +! for (i = 0; hp->h_addr_list[i]; i++) + { +! /* Set the address to connect to. */ +! hostaddr.sin_family = hp->h_addrtype; +! memcpy(&hostaddr.sin_addr, hp->h_addr_list[i], +! sizeof(hostaddr.sin_addr)); + +! debug("Connecting to %.200s [%.100s] port %d.", +! host, inet_ntoa(hostaddr.sin_addr), port); + + /* Create a socket for connecting. */ + sock = ssh_create_socket(original_real_uid, +! !anonymous && geteuid() == UID_ROOT); + + /* Connect to the host. */ + #if defined(SOCKS) +! if (Rconnect(sock, (struct sockaddr *)&hostaddr, +! sizeof(hostaddr)) >= 0) + #else /* SOCKS */ +! if (connect(sock, (struct sockaddr *)&hostaddr, +! sizeof(hostaddr)) >= 0) + #endif /* SOCKS */ + { + /* Successful connection. */ +--- 498,526 ---- + if (attempt > 0) + debug("Trying again..."); + + /* Loop through addresses for this host, and try each one in + sequence until the connection succeeds. */ +! for (ai = aitop; ai; ai = ai->ai_next) + { +! getnameinfo(ai->ai_addr, ai->ai_addrlen, +! ntop, sizeof(ntop), strport, sizeof(strport), +! NI_NUMERICHOST|NI_NUMERICSERV); + +! debug("Connecting to %.200s [%.100s] port %s.", +! host, ntop, strport); + + /* Create a socket for connecting. */ + sock = ssh_create_socket(original_real_uid, +! !anonymous && geteuid() == UID_ROOT, +! ai->ai_family); +! if (sock < 0) +! continue; + + /* Connect to the host. */ + #if defined(SOCKS) +! if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + #else /* SOCKS */ +! if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + #endif /* SOCKS */ + { + /* Successful connection. */ +*************** +*** 552,573 **** + returned an error. */ + shutdown(sock, 2); + close(sock); +! } +! if (hp->h_addr_list[i]) + break; /* Successful connection. */ +- } + + /* Sleep a moment before retrying. */ + sleep(1); + } + +! if (hp) +! { +! for (i = 0; hp->h_addr_list[i]; i++) +! xfree(hp->h_addr_list[i]); +! xfree(hp->h_addr_list); +! xfree(hp); +! } + + /* Return failure if we didn't get a successful connection. */ + if (attempt >= connection_attempts) +--- 533,547 ---- + returned an error. */ + shutdown(sock, 2); + close(sock); +! } /* for (ai = aitop; ai; ai = ai->ai_next) */ +! if (ai) + break; /* Successful connection. */ + + /* Sleep a moment before retrying. */ + sleep(1); + } + +! freeaddrinfo(aitop); + + /* Return failure if we didn't get a successful connection. */ + if (attempt >= connection_attempts) +*************** +*** 946,952 **** + int ap_opts, ret_stat = 0; + krb5_keyblock *session_key = 0; + krb5_ap_rep_enc_part *repl = 0; +! struct sockaddr_in local, foreign; + + memset(&auth, 0 , sizeof(auth)); + remotehost = (char *) get_canonical_hostname(); +--- 920,926 ---- + int ap_opts, ret_stat = 0; + krb5_keyblock *session_key = 0; + krb5_ap_rep_enc_part *repl = 0; +! struct sockaddr_storage local, foreign; + + memset(&auth, 0 , sizeof(auth)); + remotehost = (char *) get_canonical_hostname(); diff --git a/picobsd/ssh-picobsd/files/patch-ao b/picobsd/ssh-picobsd/files/patch-ao new file mode 100644 index 00000000000..0c5f76b3ed1 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ao @@ -0,0 +1,583 @@ +*** newchannels.c.orig Tue Jan 11 20:38:09 2000 +--- newchannels.c Tue Jan 11 20:38:02 2000 +*************** +*** 282,287 **** +--- 282,292 ---- + #endif /* NEED_SYS_SYSLOG_H */ + #endif /* LIBWRAP */ + ++ #ifdef __FreeBSD__ ++ #include <utmp.h> ++ #include <osreldate.h> ++ #endif ++ + /* Directory in which the fake unix-domain X11 displays reside. */ + #ifndef X11_DIR + #define X11_DIR "/tmp/.X11-unix" +*************** +*** 1405,1417 **** + int host_port, int gatewayports) + { + int ch, sock; +! struct sockaddr_in sin; + + if (strlen(host) > sizeof(channels[0].path) - 1) + packet_disconnect("Forward host name too long."); + + /* Create a port to listen for the host. */ +! sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) + packet_disconnect("socket: %.100s", strerror(errno)); + +--- 1410,1438 ---- + int host_port, int gatewayports) + { + int ch, sock; +! struct addrinfo hints, *ai, *aitop; +! char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; + + if (strlen(host) > sizeof(channels[0].path) - 1) + packet_disconnect("Forward host name too long."); + ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_flags = gatewayports ? AI_PASSIVE : 0; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", port); ++ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) ++ packet_disconnect("getaddrinfo: fatal error"); ++ ++ for (ai = aitop; ai; ai = ai->ai_next) ++ { ++ ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); ++ + /* Create a port to listen for the host. */ +! sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + packet_disconnect("socket: %.100s", strerror(errno)); + +*************** +*** 1421,1441 **** + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +! /* Initialize socket address. */ +! memset(&sin, 0, sizeof(sin)); +! sin.sin_family = AF_INET; +! if (gatewayports) +! sin.sin_addr.s_addr = INADDR_ANY; +! else +! #ifdef BROKEN_INET_ADDR +! sin.sin_addr.s_addr = inet_network("127.0.0.1"); +! #else /* BROKEN_INET_ADDR */ +! sin.sin_addr.s_addr = inet_addr("127.0.0.1"); +! #endif /* BROKEN_INET_ADDR */ +! sin.sin_port = htons(port); +! + /* Bind the socket to the address. */ +! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + packet_disconnect("bind: %.100s", strerror(errno)); + + /* Start listening for connections on the socket. */ +--- 1442,1451 ---- + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +! debug("Listening on %s port %s.", ntop, strport); +! + /* Bind the socket to the address. */ +! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) + packet_disconnect("bind: %.100s", strerror(errno)); + + /* Start listening for connections on the socket. */ +*************** +*** 1448,1453 **** +--- 1458,1466 ---- + strcpy(channels[ch].path, host); /* note: host name stored here */ + channels[ch].host_port = host_port; /* port on host to connect to */ + channels[ch].listening_port = port; /* port being listened */ ++ ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); + } + + /* Initiate forwarding of connections to port "port" on remote host through +*************** +*** 1636,1644 **** + void channel_input_port_open(void) + { + int remote_channel, sock, newch, host_port, i; +- struct sockaddr_in sin; + char *host, *originator_string; +! struct hostent *hp; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +--- 1649,1658 ---- + void channel_input_port_open(void) + { + int remote_channel, sock, newch, host_port, i; + char *host, *originator_string; +! struct addrinfo hints, *ai, *aitop; +! char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; +! int gaierr; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +*************** +*** 1678,1713 **** + } + } + +! memset(&sin, 0, sizeof(sin)); +! #ifdef BROKEN_INET_ADDR +! sin.sin_addr.s_addr = inet_network(host); +! #else /* BROKEN_INET_ADDR */ +! sin.sin_addr.s_addr = inet_addr(host); +! #endif /* BROKEN_INET_ADDR */ +! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) +! { +! /* It was a valid numeric host address. */ +! sin.sin_family = AF_INET; +! } +! else + { +! /* Look up the host address from the name servers. */ +! hp = gethostbyname(host); +! if (!hp) +! { +! error("%.100s: unknown host.", host); +! goto fail; +! } +! if (!hp->h_addr_list[0]) +! { +! error("%.100s: host has no IP address.", host); +! goto fail; +! } +! sin.sin_family = hp->h_addrtype; +! memcpy(&sin.sin_addr, hp->h_addr_list[0], +! sizeof(sin.sin_addr)); + } +- sin.sin_port = htons(host_port); + + #ifdef F_SECURE_COMMERCIAL + +--- 1692,1706 ---- + } + } + +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", host_port); +! if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) + { +! error("%.100s: unknown host (%s)", host, gai_strerror(gaierr)); +! goto fail; + } + + #ifdef F_SECURE_COMMERCIAL + +*************** +*** 1744,1751 **** + + #endif /* F_SECURE_COMMERCIAL */ + + /* Create the socket. */ +! sock = socket(sin.sin_family, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +--- 1737,1751 ---- + + #endif /* F_SECURE_COMMERCIAL */ + ++ for (ai = aitop; ai; ai = ai->ai_next) ++ { ++ ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); ++ + /* Create the socket. */ +! sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +*************** +*** 1753,1767 **** + } + + /* Connect to the host/port. */ +! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + { +! error("connect %.100s:%d: %.100s", host, host_port, +! strerror(errno)); + close(sock); + goto fail; + } + + /* Successful connection. */ + + #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN) + (void)fcntl(sock, F_SETFL, O_NONBLOCK); +--- 1753,1777 ---- + } + + /* Connect to the host/port. */ +! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +! debug("connect %.100s port %s: %.100s", ntop, strport, strerror(errno)); + close(sock); ++ continue; /* fail -- try next */ ++ } ++ break; /* success */ ++ ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); ++ ++ if (!ai) ++ { ++ error("connect %.100s:%d: failed.", host, host_port); + goto fail; + } + + /* Successful connection. */ ++ debug("Connecting to %.200s [%.100s] port %s.", host, ntop, strport); + + #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN) + (void)fcntl(sock, F_SETFL, O_NONBLOCK); +*************** +*** 1803,1809 **** + { + extern ServerOptions options; + int display_number, port, sock; +! struct sockaddr_in sin; + char buf[512]; + #ifdef HAVE_GETHOSTNAME + char hostname[257]; +--- 1813,1822 ---- + { + extern ServerOptions options; + int display_number, port, sock; +! struct addrinfo hints, *ai, *aitop; +! char strport[PORTSTRLEN]; +! #define NUM_SOCKS 10 +! int gaierr, n, nn, num_socks = 0, socks[NUM_SOCKS]; + char buf[512]; + #ifdef HAVE_GETHOSTNAME + char hostname[257]; +*************** +*** 1817,1828 **** + for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++) + { + port = 6000 + display_number; +! memset(&sin, 0, sizeof(sin)); +! sin.sin_family = AF_INET; +! sin.sin_addr.s_addr = INADDR_ANY; +! sin.sin_port = htons(port); + +! sock = socket(AF_INET, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +--- 1830,1850 ---- + for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++) + { + port = 6000 + display_number; +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_flags = AI_PASSIVE; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", port); +! if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) +! { +! error("getaddrinfo: %.100s", gai_strerror(gaierr)); +! return NULL; +! } +! +! for (ai = aitop; ai; ai = ai->ai_next) +! { + +! sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +*************** +*** 1835,1847 **** + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + { + debug("bind port %d: %.100s", port, strerror(errno)); + shutdown(sock, 2); + close(sock); +! continue; + } + break; + } + if (display_number >= MAX_DISPLAYS) +--- 1857,1882 ---- + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +! if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { + debug("bind port %d: %.100s", port, strerror(errno)); + shutdown(sock, 2); + close(sock); +! for (n = 0; n < num_socks; n++) +! { +! shutdown(socks[n], 2); +! close(socks[n]); +! } +! num_socks = 0; +! break; + } ++ ++ socks[num_socks++] = sock; ++ if (num_socks == NUM_SOCKS) ++ break; ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ ++ if (num_socks > 0) + break; + } + if (display_number >= MAX_DISPLAYS) +*************** +*** 1851,1863 **** +--- 1886,1907 ---- + } + + /* Start listening for connections on the socket. */ ++ for (n = 0; n < num_socks; n++) ++ { ++ sock = socks[n]; + if (listen(sock, 5) < 0) + { + error("listen: %.100s", strerror(errno)); + shutdown(sock, 2); + close(sock); ++ for (nn = 0; nn < n; nn++) ++ { ++ shutdown(socks[nn], 2); ++ close(socks[nn]); ++ } + return NULL; + } ++ } /* for (n = 0; n < num_socks; n++) */ + + /* Set up a suitable value for the DISPLAY variable. */ + #ifdef NONSTANDARD_IP_ADDRESS_X11_KLUDGE +*************** +*** 1868,1877 **** + if (gethostname(hostname, sizeof(hostname)) < 0) + fatal("gethostname: %.100s", strerror(errno)); + { +! struct hostent *hp; +! struct in_addr addr; +! hp = gethostbyname(hostname); +! if (hp == NULL || !hp->h_addr_list[0]) + { + error("Could not get server IP address for %.200s.", hostname); + packet_send_debug("Could not get server IP address for %.200s.", +--- 1912,1922 ---- + if (gethostname(hostname, sizeof(hostname)) < 0) + fatal("gethostname: %.100s", strerror(errno)); + { +! struct addrinfo hints, *ai; +! char ntop[ADDRSTRLEN]; +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! if (getaddrinfo(hostname, NULL, &hints, &ai) != 0 || !ai) + { + error("Could not get server IP address for %.200s.", hostname); + packet_send_debug("Could not get server IP address for %.200s.", +*************** +*** 1880,1888 **** + close(sock); + return NULL; + } +! memcpy(&addr, hp->h_addr_list[0], sizeof(addr)); + snprintf(buf, sizeof(buf), +! "%.100s:%d.%d", inet_ntoa(addr), display_number, + screen_number); + } + #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */ +--- 1925,1934 ---- + close(sock); + return NULL; + } +! getnameinfo(ai->ai_addr, ai->ai_addrlen, +! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); + snprintf(buf, sizeof(buf), +! "%.100s:%d.%d", ntop, display_number, + screen_number); + } + #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */ +*************** +*** 1891,1896 **** +--- 1937,1945 ---- + fatal("gethostname: %.100s", strerror(errno)); + snprintf(buf, sizeof(buf), + "%.400s:%d.%d", hostname, display_number, screen_number); ++ #if __FreeBSD_version >= 320000 ++ trimdomain(buf, UT_HOSTSIZE); ++ #endif + #else /* HAVE_GETHOSTNAME */ + if (uname(&uts) < 0) + fatal("uname: %.100s", strerror(errno)); +*************** +*** 1900,1907 **** +--- 1949,1960 ---- + #endif /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */ + + /* Allocate a channel for the socket. */ ++ for (n = 0; n < num_socks; n++) ++ { ++ sock = socks[n]; + (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock, + xstrdup("X11 inet listener")); ++ } /* for (n = 0; n < num_socks; n++) */ + + /* Return a suitable value for the DISPLAY environment variable. */ + return xstrdup(buf); +*************** +*** 1916,1924 **** + int remote_channel, display_number, sock, newch; + const char *display; + struct sockaddr_un ssun; +- struct sockaddr_in sin; + char buf[255], *cp, *remote_host; +! struct hostent *hp; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +--- 1969,1978 ---- + int remote_channel, display_number, sock, newch; + const char *display; + struct sockaddr_un ssun; + char buf[255], *cp, *remote_host; +! struct addrinfo hints, *ai, *aitop; +! char strport[PORTSTRLEN]; +! int gaierr; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +*************** +*** 2058,2110 **** + goto fail; + } + +! /* Try to parse the host name as a numeric IP address. */ +! memset(&sin, 0, sizeof(sin)); +! #ifdef BROKEN_INET_ADDR +! sin.sin_addr.s_addr = inet_network(buf); +! #else /* BROKEN_INET_ADDR */ +! sin.sin_addr.s_addr = inet_addr(buf); +! #endif /* BROKEN_INET_ADDR */ +! if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) + { +! /* It was a valid numeric host address. */ +! sin.sin_family = AF_INET; + } +! else + { +- /* Not a numeric IP address. */ +- /* Look up the host address from the name servers. */ +- hp = gethostbyname(buf); +- if (!hp) +- { +- error("%.100s: unknown host.", buf); +- goto fail; +- } +- if (!hp->h_addr_list[0]) +- { +- error("%.100s: host has no IP address.", buf); +- goto fail; +- } +- sin.sin_family = hp->h_addrtype; +- memcpy(&sin.sin_addr, hp->h_addr_list[0], +- sizeof(sin.sin_addr)); +- } +- /* Set port number. */ +- sin.sin_port = htons(6000 + display_number); + + /* Create a socket. */ +! sock = socket(sin.sin_family, SOCK_STREAM, 0); + if (sock < 0) + { +! error("socket: %.100s", strerror(errno)); +! goto fail; + } + /* Connect it to the display. */ +! if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) + { +! error("connect %.100s:%d: %.100s", buf, 6000 + display_number, + strerror(errno)); + close(sock); + goto fail; + } + +--- 2112,2155 ---- + goto fail; + } + +! /* Look up the host address */ +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", 6000 + display_number); +! if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) + { +! error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); +! goto fail; + } +! +! for (ai = aitop; ai; ai = ai->ai_next) + { + + /* Create a socket. */ +! sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { +! debug("socket: %.100s", strerror(errno)); +! continue; + } + /* Connect it to the display. */ +! if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +! debug("connect %.100s:%d: %.100s", buf, 6000 + display_number, + strerror(errno)); + close(sock); ++ continue; ++ } ++ /* Success */ ++ break; ++ ++ } /* (ai = aitop, ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); ++ if (!ai) ++ { ++ error("connect %.100s:%d: %.100s", buf, 6000 + display_number, ++ strerror(errno)); + goto fail; + } + +*************** +*** 2412,2417 **** +--- 2457,2466 ---- + ssh-agent connections on your system */ + old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + ++ /* Make sure the socket doesn't already exist, left over from a system ++ crash perhaps. */ ++ unlink(channel_forwarded_auth_socket_name); ++ + if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0) + packet_disconnect("Agent socket bind failed: %.100s", strerror(errno)); + diff --git a/picobsd/ssh-picobsd/files/patch-aw b/picobsd/ssh-picobsd/files/patch-aw new file mode 100644 index 00000000000..697f32393bf --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-aw @@ -0,0 +1,73 @@ +*** login.c.orig Tue Jan 11 20:36:37 2000 +--- login.c Tue Jan 11 20:36:34 2000 +*************** +*** 117,122 **** +--- 117,125 ---- + #include <hpsecurity.h> + #include <prot.h> + #endif /* HAVE_HPUX_TCB_AUTH */ ++ #ifdef __FreeBSD__ ++ #include <osreldate.h> ++ #endif + #include "ssh.h" + + /* Returns the time when the user last logged in. Returns 0 if the +*************** +*** 255,261 **** + were more standardized. */ + + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +! const char *host, struct sockaddr_in *addr) + { + int fd; + +--- 258,264 ---- + were more standardized. */ + + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +! const char *host, struct sockaddr *addr) + { + int fd; + +*************** +*** 301,317 **** + strncpy(u.ut_user, user, sizeof(u.ut_user)); + #endif /* HAVE_NAME_IN_UTMP */ + #ifdef HAVE_HOST_IN_UTMP +- strncpy(u.ut_host, host, sizeof(u.ut_host)); + #ifdef __FreeBSD__ + if (strlen(host) > sizeof(u.ut_host)) { + strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host)); +! } + #endif /* __FreeBSD__ */ + #endif /* HAVE_HOST_IN_UTMP */ + #ifdef HAVE_ADDR_IN_UTMP + if (addr) + memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr)); + else + memset(&u.ut_addr, 0, sizeof(u.ut_addr)); + #endif + +--- 304,325 ---- + strncpy(u.ut_user, user, sizeof(u.ut_user)); + #endif /* HAVE_NAME_IN_UTMP */ + #ifdef HAVE_HOST_IN_UTMP + #ifdef __FreeBSD__ ++ #if __FreeBSD_version >= 320000 ++ trimdomain(host, sizeof u.ut_host); ++ #endif + if (strlen(host) > sizeof(u.ut_host)) { + strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host)); +! } else + #endif /* __FreeBSD__ */ ++ strncpy(u.ut_host, host, sizeof(u.ut_host)); + #endif /* HAVE_HOST_IN_UTMP */ + #ifdef HAVE_ADDR_IN_UTMP ++ #if 0 /* XXX */ + if (addr) + memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr)); + else ++ #endif /* XXX */ + memset(&u.ut_addr, 0, sizeof(u.ut_addr)); + #endif + diff --git a/picobsd/ssh-picobsd/files/patch-ax b/picobsd/ssh-picobsd/files/patch-ax new file mode 100644 index 00000000000..c4a114fc306 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ax @@ -0,0 +1,25 @@ +--- rsaglue.c.orig Tue Nov 9 11:12:32 1999 ++++ rsaglue.c Tue Nov 9 11:17:58 1999 +@@ -139,6 +139,10 @@ + + input_bits = mpz_sizeinbase(input, 2); + input_len = (input_bits + 7) / 8; ++ if(input_bits > MAX_RSA_MODULUS_BITS) ++ fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).", ++ input_bits, MAX_RSA_MODULUS_BITS); ++ + gmp_to_rsaref(input_data, input_len, input); + + rsaref_public_key(&public_key, key); +@@ -172,6 +176,10 @@ + + input_bits = mpz_sizeinbase(input, 2); + input_len = (input_bits + 7) / 8; ++ if(input_bits > MAX_RSA_MODULUS_BITS) ++ fatal("Received session key too long (%d bits, %d max) (malicious?).", ++ input_bits, MAX_RSA_MODULUS_BITS); ++ + gmp_to_rsaref(input_data, input_len, input); + + rsaref_private_key(&private_key, key); + diff --git a/picobsd/ssh-picobsd/files/patch-ay b/picobsd/ssh-picobsd/files/patch-ay new file mode 100644 index 00000000000..71daac2ca4a --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ay @@ -0,0 +1,20 @@ +--- rsaglue.c 1999/12/10 23:27:25 1.8 ++++ rsaglue.c 2001/02/03 09:42:05 +@@ -264,7 +268,15 @@ + mpz_clear(&aux); + + if (value[0] != 0 || value[1] != 2) +- fatal("Bad result from rsa_private_decrypt"); ++ { ++ static time_t last_kill_time = 0; ++ if (time(NULL) - last_kill_time > 60 && getppid() != 1) ++ { ++ last_kill_time = time(NULL); ++ kill(getppid(), SIGALRM); ++ } ++ fatal("Bad result from rsa_private_decrypt"); ++ } + + for (i = 2; i < len && value[i]; i++) + ; + diff --git a/picobsd/ssh-picobsd/files/patch-az b/picobsd/ssh-picobsd/files/patch-az new file mode 100644 index 00000000000..e09b6edda90 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-az @@ -0,0 +1,12 @@ +--- deattack.c-old Wed Feb 7 19:45:16 2001 ++++ deattack.c Wed Feb 7 19:54:11 2001 +@@ -79,7 +79,7 @@ + detect_attack(unsigned char *buf, word32 len, unsigned char *IV) + { + static word16 *h = (word16 *) NULL; +- static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE; ++ static word32 n = HASH_MINSIZE / HASH_ENTRYSIZE; + register word32 i, j; + word32 l; + register unsigned char *c; + diff --git a/picobsd/ssh-picobsd/files/patch-ba b/picobsd/ssh-picobsd/files/patch-ba new file mode 100644 index 00000000000..69ad90067e8 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ba @@ -0,0 +1,176 @@ +*** README-IPv6.orig Mon Jan 10 22:56:13 2000 +--- README-IPv6 Mon Jan 10 22:56:13 2000 +*************** +*** 0 **** +--- 1,171 ---- ++ ssh-1.2.27-IPv6 version 1.5 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * ssh-1.2.27-IPv6 can handle both IPv4 and IPv6. ++ ++ To enable sshd/ssh to handle both IPv4 and IPv6, ++ ++ ./configure --enable-ipv6 ++ ++ Otherwise sshd/ssh handle IPv4 only as same as original ssh. ++ ++ * You can have multiple ListenAddress lines in /etc/sshd_config. ++ It means that sshd can listen multiple addresses. ++ ++ Example1: sshd will bind on these four adresses. ++ ++ ListenAddress 202.249.17.50 ++ ListenAddress 202.249.17.137 ++ ListenAddress 3ffe:501:c0b::1 ++ ListenAddress 3ffe:501:c0b:20:2a0:c9ff:fe3e:f5fc ++ ++ Example2: as same as example1. ++ (Because bertemu.rcac.tdi.co.jp has these four addresses.) ++ ++ ListenAddress bertemu.rcac.tdi.co.jp ++ ++ Example3: sshd will bind on any address both IPv4 and IPv6. ++ ++ ListenAddress :: ++ ListenAddress 0.0.0.0 ++ ++ Example4: as same as example3. ++ ++ No ListenAddress line in /etc/sshd_config. ++ ++ * You don't mind whether the host has IPv4 or IPv6 address. ++ You can also specify using only IPv4 (or only IPv6). ++ ++ Example1: ssh will try all IPv4 and IPv6 addresses that the host has. ++ ++ ssh host ++ ++ Example2: ssh will try all IPv4 addresses that the host has. ++ ++ ssh -4 host ++ ++ Example3: ssh will try all IPv6 addresses that the host has. ++ ++ ssh -6 host ++ ++ * You can have multiple Port lines in /etc/sshd_config and -p options. ++ It means that sshd can listen multiple ports, not only port 22. ++ ++ For example, you run sshd that listens port 22 and port 722, ++ and you can use port 22 for slogin and port 722 for scp. ++ It's useful if you have preference for interactive traffic in the router. ++ ++ You can have "AnotherPort 722" line in /etc/ssh_config or your ++ config file (maybe ~/.ssh/config). In this case, ssh with -A option ++ try to connect to port 722 at first, and try to connect to original ++ port (maybe port 22) if port 722 fails. scp executes ssh with -A option. ++ ++ * IPv6 supported platform ++ ++ IPv6 feature is available on follwing platforms now. ++ ++ kame -- http://www.kame.net/ (used to be called Hydrangea) ++ v6d -- http://onoe2.sm.sony.co.jp/ipv6/ (IPv6 daemon) ++ ++ On the other environments you can compile and run ssh-1.2.27-IPv6 if ++ you have a good getaddrinfo() in your library. ++ ++ * How to get ssh-1.2.27-IPv6 ++ ++ You can get tar.gz or patch to ssh-1.2.27.tar.gz: ++ ++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5.tar.gz ++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5-patch.gz ++ ++ * How to install ssh-1.2.27-IPv6 ++ ++ Apply ssh-1.2.27-IPv6-1.5-patch to ssh-1.2.27.tar.gz (or use ++ ssh-1.2.27-IPv6-1.5.tar.gz) and then see INSTALL file of ssh-1.2.27. ++ ++ If you want to enable ssh to handle IPv6, for example, ++ ++ % ./configure --enable-ipv6 ++ % make ++ % make install ++ ++ and you will be able to enjoy ssh handling both IPv6 and IPv4. ++ ++ * Change Log ++ ++ v1.5 1999-05-15 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * for ssh-1.2.27 ++ * supported scp with bracketed ipv6 ip address ++ * used struct sockaddr_storage instead of union sockunion ++ ++ v1.4 1998-08-21 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed ipv6 address checking bug at match_host() in match.c ++ * cleanup comparing ip address at get_remote_hostname() in canohost.c ++ ++ v1.3 1998-08-14 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed ipv6 address checking bug at match_host() in match.c ++ pointed out by Kenji Rikitake <kenji@k2r.org> ++ ++ v1.2.2 1998-08-07 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed IPv6 enable checking bug in configure.in ++ ++ v1.2.1 1998-08-05 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed AuthLog enable handling bug ++ ++ v1.2 1998-08-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * for ssh-1.2.26 ++ ++ v1.1.5 1998-06-13 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * supported AuthLog (logging authenticated info) in /etc/sshd_config ++ ++ v1.1.4 1998-06-11 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * supported multiple Port lines in /etc/sshd_config ++ * supported AnotherPort line in /etc/ssh_config ++ * supported -A option of ssh for another port try ++ ++ v1.1.3 1998-06-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * X11 connection forwarding IPv6 support ++ * removeed all hostent and sockaddr_in from *.c ++ ++ v1.1.2 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * configuration support for v6d. ++ ++ v1.1.1 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * add getaddinfo.c, getnameinfo.c and gai.h (delete fakelibinet6.c) ++ * configure checks whether getaddrinfo exists or not. ++ ++ v1.1 1998-05-31 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * add fakelibinet6.c (including getaddrinfo and getnameinfo) ++ * compilation support on non-IPv6 environment. ++ * fixed port forwarding bug ++ ++ v1.0.1 1998-05-30 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * add ENABLE_IPV6 flag. ++ * configuration support --enable-ipv6 for IPv6 platforms. ++ ++ v1.0 1998-05-30 created by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * first release ++ * IPv6 support except X11 connection forwarding ++ ++ * Guideline for making this patch ++ ++ * protocol family independent (using AF_UNSPEC) ++ * use getaddrinfo and getnameinfo (see RFC2133) ++ * don't use sockaddr_in and AF_INET (but option -4 uses AF_INET) ++ * don't use sockaddr_in6 and AF_INET6 (but option -6 uses AF_INET6) ++ * don't use gethostbyname, gethostbyaddr and hostent ++ * listen to all addresses for all available protocol family ++ * try to connect to all addresses for all available protocol family ++ diff --git a/picobsd/ssh-picobsd/files/patch-bb b/picobsd/ssh-picobsd/files/patch-bb new file mode 100644 index 00000000000..945e1fd83b2 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bb @@ -0,0 +1,29 @@ +*** acconfig.h.orig Wed May 12 13:19:23 1999 +--- acconfig.h Mon Jan 10 22:56:13 2000 +*************** +*** 274,279 **** +--- 274,297 ---- + /etc/nologin.allow. */ + #undef NOLOGIN_ALLOW + ++ /* Define this if you have struct sockaddr_storage. */ ++ #undef HAVE_SOCKADDR_STORAGE ++ ++ /* Define this if you have __sa_family in struct sockaddr_storage. */ ++ #undef HAVE_NEW_SS_FAMILY ++ ++ /* Define this if you have ss_len in struct sockaddr. */ ++ #undef HAVE_SOCKADDR_LEN ++ ++ /* Define this if you want to enable IPv6 support. */ ++ #undef ENABLE_IPV6 ++ ++ /* Define this if you want to enable another port try support. */ ++ #undef ENABLE_ANOTHER_PORT_TRY ++ ++ /* Define this if you want to enable logging auth info support. */ ++ #undef ENABLE_LOG_AUTH ++ + /* Where to find the X11 socket */ + #undef X11_DIR + diff --git a/picobsd/ssh-picobsd/files/patch-bc b/picobsd/ssh-picobsd/files/patch-bc new file mode 100644 index 00000000000..63b079f2e35 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bc @@ -0,0 +1,401 @@ +*** canohost.c.orig Wed May 12 13:19:24 1999 +--- canohost.c Mon Jan 10 22:56:13 2000 +*************** +*** 59,68 **** + + char *get_remote_hostname(int socket) + { +! struct sockaddr_in from; + int fromlen, i; +! struct hostent *hp; + char name[255]; + + /* Get IP address of client. */ + fromlen = sizeof(from); +--- 59,69 ---- + + char *get_remote_hostname(int socket) + { +! struct sockaddr_storage from; + int fromlen, i; +! struct addrinfo hints, *ai, *aitop; + char name[255]; ++ char ntop[ADDRSTRLEN], ntop2[ADDRSTRLEN]; + + /* Get IP address of client. */ + fromlen = sizeof(from); +*************** +*** 73,86 **** + strcpy(name, "UNKNOWN"); + goto check_ip_options; + } + + /* Map the IP address to a host name. */ +! hp = gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr), +! from.sin_family); +! if (hp) + { + /* Got host name. */ +- strncpy(name, hp->h_name, sizeof(name)); + name[sizeof(name) - 1] = '\0'; + + /* Convert it to all lowercase (which is expected by the rest of this +--- 74,89 ---- + strcpy(name, "UNKNOWN"); + goto check_ip_options; + } ++ ++ getnameinfo((struct sockaddr *)&from, fromlen, ++ ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); + + /* Map the IP address to a host name. */ +! if (getnameinfo((struct sockaddr *)&from, fromlen, +! name, sizeof(name), +! NULL, 0, NI_NAMEREQD) == 0) + { + /* Got host name. */ + name[sizeof(name) - 1] = '\0'; + + /* Convert it to all lowercase (which is expected by the rest of this +*************** +*** 95,119 **** + Mapping from name to IP address can be trusted better (but can still + be fooled if the intruder has access to the name server of the + domain). */ +! hp = gethostbyname(name); +! if (!hp) + { + log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name); +! strcpy(name, inet_ntoa(from.sin_addr)); + goto check_ip_options; + } + /* Look for the address from the list of addresses. */ +! for (i = 0; hp->h_addr_list[i]; i++) +! if (memcmp(hp->h_addr_list[i], &from.sin_addr, sizeof(from.sin_addr)) +! == 0) +! break; + /* If we reached the end of the list, the address was not there. */ +! if (!hp->h_addr_list[i]) + { + /* Address not found for the host name. */ + log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!", +! inet_ntoa(from.sin_addr), name); +! strcpy(name, inet_ntoa(from.sin_addr)); + goto check_ip_options; + } + /* Address was found for the host name. We accept the host name. */ +--- 98,127 ---- + Mapping from name to IP address can be trusted better (but can still + be fooled if the intruder has access to the name server of the + domain). */ +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = from.__ss_family; +! if (getaddrinfo(name, NULL, &hints, &aitop) != 0) + { + log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name); +! strcpy(name, ntop); + goto check_ip_options; + } + /* Look for the address from the list of addresses. */ +! for (ai = aitop; ai; ai = ai->ai_next) +! { +! getnameinfo(ai->ai_addr, ai->ai_addrlen, +! ntop2, sizeof(ntop2), NULL, 0, NI_NUMERICHOST); +! if (strcmp(ntop, ntop2) == 0) +! break; +! } +! freeaddrinfo(aitop); + /* If we reached the end of the list, the address was not there. */ +! if (!ai) + { + /* Address not found for the host name. */ + log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!", +! ntop, name); +! strcpy(name, ntop); + goto check_ip_options; + } + /* Address was found for the host name. We accept the host name. */ +*************** +*** 121,127 **** + else + { + /* Host name not found. Use ascii representation of the address. */ +! strcpy(name, inet_ntoa(from.sin_addr)); + log_msg("Could not reverse map address %.100s.", name); + } + +--- 129,135 ---- + else + { + /* Host name not found. Use ascii representation of the address. */ +! strcpy(name, ntop); + log_msg("Could not reverse map address %.100s.", name); + } + +*************** +*** 136,141 **** +--- 144,150 ---- + Notice also that if we just dropped source routing here, the other + side could use IP spoofing to do rest of the interaction and could still + bypass security. So we exit here if we detect any IP options. */ ++ if (from.__ss_family == AF_INET) /* IP options -- IPv4 only */ + { + unsigned char options[200], *ucp; + char text[1024], *cp; +*************** +*** 157,165 **** + for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3) + sprintf(cp, " %2.2x", *ucp); + log_msg("Connection from %.100s with IP options:%.800s", +! inet_ntoa(from.sin_addr), text); + packet_disconnect("Connection from %.100s with IP options:%.800s", +! inet_ntoa(from.sin_addr), text); + } + } + #endif +--- 166,174 ---- + for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3) + sprintf(cp, " %2.2x", *ucp); + log_msg("Connection from %.100s with IP options:%.800s", +! ntop, text); + packet_disconnect("Connection from %.100s with IP options:%.800s", +! ntop, text); + } + } + #endif +*************** +*** 177,183 **** + const char *get_canonical_hostname(void) + { + int fromlen, tolen; +! struct sockaddr_in from, to; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_name != NULL) +--- 186,192 ---- + const char *get_canonical_hostname(void) + { + int fromlen, tolen; +! struct sockaddr_storage from, to; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_name != NULL) +*************** +*** 200,207 **** + &tolen) < 0) + goto no_ip_addr; + +! if (from.sin_family == AF_INET && to.sin_family == AF_INET && +! memcmp(&from, &to, sizeof(from)) == 0) + goto return_ip_addr; + + no_ip_addr: +--- 209,215 ---- + &tolen) < 0) + goto no_ip_addr; + +! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_ip_addr; + + no_ip_addr: +*************** +*** 221,228 **** + + const char *get_remote_ipaddr(void) + { +! struct sockaddr_in from, to; + int fromlen, tolen, socket; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_ip != NULL) +--- 229,237 ---- + + const char *get_remote_ipaddr(void) + { +! struct sockaddr_storage from, to; + int fromlen, tolen, socket; ++ char ntop[ADDRSTRLEN]; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_ip != NULL) +*************** +*** 245,252 **** + &tolen) < 0) + goto no_ip_addr; + +! if (from.sin_family == AF_INET && to.sin_family == AF_INET && +! memcmp(&from, &to, sizeof(from)) == 0) + goto return_ip_addr; + + no_ip_addr: +--- 254,260 ---- + &tolen) < 0) + goto no_ip_addr; + +! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_ip_addr; + + no_ip_addr: +*************** +*** 269,275 **** + } + + /* Get the IP address in ascii. */ +! canonical_host_ip = xstrdup(inet_ntoa(from.sin_addr)); + + /* Return ip address string. */ + return canonical_host_ip; +--- 277,285 ---- + } + + /* Get the IP address in ascii. */ +! getnameinfo((struct sockaddr *)&from, fromlen, +! ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); +! canonical_host_ip = xstrdup(ntop); + + /* Return ip address string. */ + return canonical_host_ip; +*************** +*** 279,286 **** + + int get_peer_port(int sock) + { +! struct sockaddr_in from; + int fromlen; + + /* Get IP address of client. */ + fromlen = sizeof(from); +--- 289,297 ---- + + int get_peer_port(int sock) + { +! struct sockaddr_storage from; + int fromlen; ++ char strport[PORTSTRLEN]; + + /* Get IP address of client. */ + fromlen = sizeof(from); +*************** +*** 292,298 **** + } + + /* Return port number. */ +! return ntohs(from.sin_port); + } + + /* Returns the port number of the remote host. */ +--- 303,311 ---- + } + + /* Return port number. */ +! getnameinfo((struct sockaddr *)&from, fromlen, +! NULL, 0, strport, sizeof(strport), NI_NUMERICSERV); +! return atoi(strport); + } + + /* Returns the port number of the remote host. */ +*************** +*** 301,307 **** + { + int socket; + int fromlen, tolen; +! struct sockaddr_in from, to; + + /* If two different descriptors, check if they are internet-domain, and + have the same address. */ +--- 314,320 ---- + { + int socket; + int fromlen, tolen; +! struct sockaddr_storage from, to; + + /* If two different descriptors, check if they are internet-domain, and + have the same address. */ +*************** +*** 319,326 **** + &tolen) < 0) + goto no_ip_addr; + +! if (from.sin_family == AF_INET && to.sin_family == AF_INET && +! memcmp(&from, &to, sizeof(from)) == 0) + goto return_port; + + no_ip_addr: +--- 332,338 ---- + &tolen) < 0) + goto no_ip_addr; + +! if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_port; + + no_ip_addr: +*************** +*** 335,337 **** +--- 347,413 ---- + /* Get and return the peer port number. */ + return get_peer_port(socket); + } ++ ++ /* Returns the port of the local of the socket. */ ++ ++ int get_sock_port(int sock) ++ { ++ struct sockaddr_storage from; ++ int fromlen; ++ char strport[PORTSTRLEN]; ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) ++ { ++ error("getsockname failed: %.100s", strerror(errno)); ++ return 0; ++ } ++ ++ /* Return port number. */ ++ getnameinfo((struct sockaddr *)&from, fromlen, ++ NULL, 0, strport, sizeof(strport), NI_NUMERICSERV); ++ return atoi(strport); ++ } ++ ++ /* Returns the port number of the local host. */ ++ ++ int get_local_port() ++ { ++ int socket; ++ int fromlen, tolen; ++ struct sockaddr_storage from, to; ++ ++ /* If two different descriptors, check if they are internet-domain, and ++ have the same address. */ ++ if (packet_get_connection_in() != packet_get_connection_out()) ++ { ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getsockname(packet_get_connection_in(), (struct sockaddr *)&from, ++ &fromlen) < 0) ++ goto no_ip_addr; ++ ++ tolen = sizeof(to); ++ memset(&to, 0, sizeof(to)); ++ if (getsockname(packet_get_connection_out(), (struct sockaddr *)&to, ++ &tolen) < 0) ++ goto no_ip_addr; ++ ++ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) ++ goto return_port; ++ ++ no_ip_addr: ++ return 65535; ++ } ++ ++ return_port: ++ ++ /* Get client socket. */ ++ socket = packet_get_connection_in(); ++ ++ /* Get and return the local port number. */ ++ return get_sock_port(socket); ++ } ++ diff --git a/picobsd/ssh-picobsd/files/patch-bd b/picobsd/ssh-picobsd/files/patch-bd new file mode 100644 index 00000000000..7cb3c119c21 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bd @@ -0,0 +1,60 @@ +*** config.h.in.orig Wed May 12 13:20:04 1999 +--- config.h.in Thu Feb 24 17:12:10 2000 +*************** +*** 285,290 **** +--- 285,292 ---- + #undef Rdup2 + #undef Rfclose + #undef Rgethostbyname ++ #undef Rgetaddrinfo ++ + + /* Set this to allow group writeability of $HOME, .ssh and authorized_keys */ + #undef ALLOW_GROUP_WRITEABILITY +*************** +*** 323,328 **** +--- 325,348 ---- + /etc/nologin.allow. */ + #undef NOLOGIN_ALLOW + ++ /* Define this if you have struct sockaddr_storage. */ ++ #undef HAVE_SOCKADDR_STORAGE ++ ++ /* Define this if you have __sa_family in struct sockaddr_storage. */ ++ #undef HAVE_NEW_SS_FAMILY ++ ++ /* Define this if you have ss_len in struct sockaddr. */ ++ #undef HAVE_SOCKADDR_LEN ++ ++ /* Define this if you want to enable IPv6 support. */ ++ #undef ENABLE_IPV6 ++ ++ /* Define this if you want to enable another port try support. */ ++ #undef ENABLE_ANOTHER_PORT_TRY ++ ++ /* Define this if you want to enable logging auth info support. */ ++ #undef ENABLE_LOG_AUTH ++ + /* Where to find the X11 socket */ + #undef X11_DIR + +*************** +*** 375,385 **** +--- 395,411 ---- + /* Define if you have the ftruncate function. */ + #undef HAVE_FTRUNCATE + ++ /* Define if you have the getaddrinfo function. */ ++ #undef HAVE_GETADDRINFO ++ + /* Define if you have the getdtablesize function. */ + #undef HAVE_GETDTABLESIZE + + /* Define if you have the gethostname function. */ + #undef HAVE_GETHOSTNAME ++ ++ /* Define if you have the getnameinfo function. */ ++ #undef HAVE_GETNAMEINFO + + /* Define if you have the getpseudotty function. */ + #undef HAVE_GETPSEUDOTTY diff --git a/picobsd/ssh-picobsd/files/patch-be b/picobsd/ssh-picobsd/files/patch-be new file mode 100644 index 00000000000..4a13d5dccb4 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-be @@ -0,0 +1,370 @@ +--- configure.in.orig Wed May 12 04:20:02 1999 ++++ configure.in Wed Apr 19 01:02:34 2000 +@@ -30,8 +30,140 @@ + fi + + AC_PROG_CC ++AC_PROG_CPP + AC_ISC_POSIX + ++AC_MSG_CHECKING([whether to enable ipv6]) ++AC_ARG_ENABLE(ipv6, ++[ --enable-ipv6 Enable ipv6 (with ipv4) support ++ --disable-ipv6 Disable ipv6 support], ++[ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ipv6=no ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_IPV6) ++ ipv6=yes ++ ;; ++ esac ], ++ ++ AC_TRY_RUN([ /* AF_INET6 avalable check */ ++#include <sys/types.h> ++#include <sys/socket.h> ++main() ++{ ++ if (socket(AF_INET6, SOCK_STREAM, 0) < 0) ++ exit(1); ++ else ++ exit(0); ++} ++], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_IPV6) ++ ipv6=yes, ++ AC_MSG_RESULT(no) ++ ipv6=no, ++ AC_MSG_RESULT(no) ++ ipv6=no ++)) ++ ++ipv6type=unknown ++ipv6lib=none ++ ++if test "$ipv6" = "yes"; then ++ AC_MSG_CHECKING([ipv6 stack type]) ++ for i in inria kame linux toshiba v6d zeta; do ++ case $i in ++ inria) ++ dnl http://www.kame.net/ ++ AC_EGREP_CPP(yes, [dnl ++#include <netinet/in.h> ++#ifdef IPV6_INRIA_VERSION ++yes ++#endif], ++ [ipv6type=$i; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ kame) ++ dnl http://www.kame.net/ ++ AC_EGREP_CPP(yes, [dnl ++#include <netinet/in.h> ++#ifdef __KAME__ ++yes ++#endif], ++ [ipv6type=$i; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ linux) ++ dnl http://www.v6.linux.or.jp/ ++ if test -d /usr/inet6; then ++ ipv6type=$i ++ ipv6lib=inet6 ++ ipv6libdir=/usr/inet6/lib ++ CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS" ++ fi ++ ;; ++ toshiba) ++ AC_EGREP_CPP(yes, [dnl ++#include <sys/param.h> ++#ifdef _TOSHIBA_INET6 ++yes ++#endif], ++ [ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ v6d) ++ AC_EGREP_CPP(yes, [dnl ++#include </usr/local/v6/include/sys/v6config.h> ++#ifdef __V6D__ ++yes ++#endif], ++ [ipv6type=$i; ++ ipv6lib=v6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS"]) ++ ;; ++ zeta) ++ AC_EGREP_CPP(yes, [dnl ++#include <sys/param.h> ++#ifdef _ZETA_MINAMI_INET6 ++yes ++#endif], ++ [ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ esac ++ if test "$ipv6type" != "unknown"; then ++ break ++ fi ++ done ++ AC_MSG_RESULT($ipv6type) ++fi ++ ++if test "$ipv6" = "yes" -a -f /usr/local/v6/lib/libinet6.a; then ++ ac_inet6_LDFLAGS="inet6" ++ ipv6libdir=/usr/local/v6/lib ++ LDFLAGS="$LDFLAGS -L/usr/local/v6/lib" ++ AC_CHECK_LIB(inet6, getaddrinfo, , ipv6lib="$ac_inet6_LDFLAGS") ++fi ++ ++ ++if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then ++ if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then ++ LIBS="-L$ipv6libdir -l$ipv6lib $LIBS" ++ else ++ echo 'Fatal: no $ipv6lib library found. cannot continue.' ++ echo "You need to fetch lib$ipv6lib.a from appropriate" ++ echo 'ipv6 kit and compile beforehand.' ++ exit 1 ++ fi ++fi ++ + AC_DEFINE_UNQUOTED(HOSTTYPE, "$host") + + case "$host" in +@@ -313,7 +445,7 @@ + + # Socket pairs appear to be broken on several systems. I don't know exactly + # where, so I'll use pipes everywhere for now. +-AC_DEFINE(USE_PIPES) ++# AC_DEFINE(USE_PIPES) + + AC_MSG_CHECKING([that the compiler works]) + AC_TRY_RUN([ main(int ac, char **av) { return 0; } ], +@@ -369,7 +501,7 @@ + + AC_HEADER_STDC + AC_HEADER_SYS_WAIT +-AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h) ++AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h) + AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h) + AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h) + AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h) +@@ -399,6 +531,16 @@ + [ AC_DEFINE(HAVE_INCOMPATIBLE_SIGINFO) + AC_MSG_RESULT(yes)] , AC_MSG_RESULT(no)) + ++AC_MSG_CHECKING([whether sys/socket.h have struct sockaddr_storage]) ++AC_EGREP_HEADER(sockaddr_storage, sys/socket.h, ++ [ AC_DEFINE(HAVE_SOCKADDR_STORAGE) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++AC_MSG_CHECKING([whether sys/socket.h have __ss_family]) ++AC_EGREP_HEADER(__ss_family, sys/socket.h, ++ [ AC_DEFINE(HAVE_NEW_SS_FAMILY) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++AC_MSG_CHECKING([whether sys/socket.h have sa_len]) ++AC_EGREP_HEADER(sa_len, sys/socket.h, ++ [ AC_DEFINE(HAVE_SOCKADDR_LEN) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++ + AC_CHECK_LIB(c, crypt, [true], AC_CHECK_LIB(crypt, crypt)) + AC_CHECK_LIB(sec, getspnam) + AC_CHECK_LIB(seq, get_process_stats) +@@ -436,6 +578,107 @@ + + AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf) + ++AC_MSG_CHECKING(getaddrinfo bug) ++AC_TRY_RUN([ ++#include <sys/types.h> ++#include <netdb.h> ++#include <string.h> ++#include <sys/socket.h> ++#include <netinet/in.h> ++ ++main() ++{ ++ int passive, gaierr, inet4 = 0, inet6 = 0; ++ struct addrinfo hints, *ai, *aitop; ++ char straddr[INET6_ADDRSTRLEN], strport[16]; ++ ++ for (passive = 0; passive <= 1; passive++) { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_UNSPEC; ++ hints.ai_flags = passive ? AI_PASSIVE : 0; ++ hints.ai_socktype = SOCK_STREAM; ++ if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) { ++ (void)gai_strerror(gaierr); ++ goto bad; ++ } ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (ai->ai_addr == NULL || ++ ai->ai_addrlen == 0 || ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ straddr, sizeof(straddr), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV) != 0) { ++ goto bad; ++ } ++ if (strcmp(strport, "54321") != 0) { ++ goto bad; ++ } ++ switch (ai->ai_family) { ++ case AF_INET: ++ if (passive) { ++ if (strcmp(straddr, "0.0.0.0") != 0) { ++ goto bad; ++ } ++ } else { ++ if (strcmp(straddr, "127.0.0.1") != 0) { ++ goto bad; ++ } ++ } ++ inet4++; ++ break; ++ case AF_INET6: ++ if (passive) { ++ if (strcmp(straddr, "::") != 0) { ++ goto bad; ++ } ++ } else { ++ if (strcmp(straddr, "::1") != 0) { ++ goto bad; ++ } ++ } ++ inet6++; ++ break; ++ case AF_UNSPEC: ++ goto bad; ++ break; ++ default: ++ /* another family support? */ ++ break; ++ } ++ } ++ } ++ ++ if (!(inet4 == 0 || inet4 == 2)) ++ goto bad; ++ if (!(inet6 == 0 || inet6 == 2)) ++ goto bad; ++ ++ if (aitop) ++ freeaddrinfo(aitop); ++ exit(0); ++ ++ bad: ++ if (aitop) ++ freeaddrinfo(aitop); ++ exit(1); ++} ++], ++AC_MSG_RESULT(good) ++buggygetaddrinfo=no, ++AC_MSG_RESULT(buggy) ++buggygetaddrinfo=yes, ++AC_MSG_RESULT(buggy) ++buggygetaddrinfo=yes) ++ ++if test "$buggygetaddrinfo" = "yes"; then ++ if test "$ipv6" = "yes"; then ++ echo 'Fatal: You must get working getaddrinfo() function.' ++ echo ' or you can specify "--disable-ipv6"'. ++ exit 1 ++ else ++ AC_REPLACE_FUNCS(getaddrinfo getnameinfo) ++ fi ++fi ++ + AC_PROG_LN_S + AC_PROG_INSTALL + AC_CHECK_PROG(AR, ar, ar, echo) +@@ -932,7 +1175,11 @@ + AC_DEFINE(KRB5) + KERBEROS_ROOT="$with_kerberos5" + KERBEROS_INCS="-I${KERBEROS_ROOT}/include" +- KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err" ++ if test -f ${KERBEROS_ROOT}/lib/libk5crypto.a ; then ++ KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" ++ else ++ KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err" ++ fi + AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm") + KERBEROS_OBJS="auth-kerberos.o" + ;; +@@ -1123,6 +1370,7 @@ + AC_DEFINE(Rdup2,SOCKSdup2) + AC_DEFINE(Rfclose,SOCKSfclose) + AC_DEFINE(Rgethostbyname,SOCKSgethostbyname) ++ AC_DEFINE(Rgetaddrinfo,SOCKSgetaddrinfo) + fi + + AC_MSG_CHECKING(whether to use rsaref) +@@ -1252,6 +1500,38 @@ + AC_DEFINE(ENABLE_TCP_NODELAY) + ) + ++AC_MSG_CHECKING(whether to enable another port try support) ++AC_ARG_ENABLE(another-port-try, ++[ --enable-another-port-try Enable another port try support (default) ++ --disable-another-port-try Disable another port try support], ++[ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY) ++ ;; ++ esac ], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY) ++) ++ ++AC_MSG_CHECKING(whether to enable logging auth info support) ++AC_ARG_ENABLE(log-auth, ++[ --enable-log-auth Enable logging auth info support (default) ++ --disable-log-auth Disable logging auth info support], ++[ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_LOG_AUTH) ++ ;; ++ esac ], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_LOG_AUTH) ++) ++ + AC_MSG_CHECKING(whether to enable SO_LINGER) + AC_ARG_ENABLE(so-linger, + [ --enable-so-linger Enable setting SO_LINGER socket option], +@@ -1311,6 +1591,8 @@ + AC_DEFINE(SCP_ALL_STATISTICS_ENABLED) + ) + ++CFLAGS="$CPPFLAGS $CFLAGS" ++ + # We include this here only to make it visible in --help; this is only used + # in the gmp subdirectory. + AC_ARG_ENABLE(asm, +@@ -1324,7 +1606,7 @@ + fi + AC_MSG_RESULT($PIDDIR) + +-AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2) ++#AC_CONFIG_SUBDIRS(gmp-2.0.2-ssh-2) + + AC_ARG_PROGRAM + +@@ -1336,4 +1618,4 @@ + AC_SUBST(SSHDCONFOBJS) + AC_SUBST(SSHINSTALLMODE) + +-AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile) ++AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl) diff --git a/picobsd/ssh-picobsd/files/patch-bf b/picobsd/ssh-picobsd/files/patch-bf new file mode 100644 index 00000000000..d8d53bc4553 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bf @@ -0,0 +1,17 @@ +*** gai.h.orig Mon Jan 10 22:56:13 2000 +--- gai.h Mon Jan 10 22:56:13 2000 +*************** +*** 0 **** +--- 1,12 ---- ++ /* ++ * fake library for ssh ++ * ++ * This file is included in getaddrinfo.c and getnameinfo.c. ++ * See getaddrinfo.c and getnameinfo.c. ++ */ ++ ++ /* for old netdb.h */ ++ #ifndef EAI_NODATA ++ #define EAI_NODATA 1 ++ #define EAI_MEMORY 2 ++ #endif diff --git a/picobsd/ssh-picobsd/files/patch-bg b/picobsd/ssh-picobsd/files/patch-bg new file mode 100644 index 00000000000..689982094b9 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bg @@ -0,0 +1,120 @@ +*** getaddrinfo.c.orig Mon Jan 10 22:56:13 2000 +--- getaddrinfo.c Mon Jan 10 22:56:13 2000 +*************** +*** 0 **** +--- 1,115 ---- ++ /* ++ * fake library for ssh ++ * ++ * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror(). ++ * These funtions are defined in rfc2133. ++ * ++ * But these functions are not implemented correctly. The minimum subset ++ * is implemented for ssh use only. For exapmle, this routine assumes ++ * that ai_family is AF_INET. Don't use it for another purpose. ++ * ++ * In the case not using 'configure --enable-ipv6', this getaddrinfo.c ++ * will be used if you have broken getaddrinfo or no getaddrinfo. ++ */ ++ ++ #include "includes.h" ++ #include "ssh.h" ++ ++ #include "gai.h" ++ ++ static struct addrinfo * ++ malloc_ai(port, addr) ++ int port; ++ u_long addr; ++ { ++ struct addrinfo *ai; ++ ++ if (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) + ++ sizeof(struct sockaddr_in))) { ++ memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in)); ++ ai->ai_addr = (struct sockaddr *)(ai + 1); ++ /* XXX -- ssh doesn't use sa_len */ ++ ai->ai_addrlen = sizeof(struct sockaddr_in); ++ ai->ai_addr->sa_family = ai->ai_family = AF_INET; ++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port; ++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr; ++ return ai; ++ } else { ++ return NULL; ++ } ++ } ++ ++ char * ++ gai_strerror(ecode) ++ int ecode; ++ { ++ switch (ecode) { ++ case EAI_NODATA: ++ return "no address associated with hostname."; ++ case EAI_MEMORY: ++ return "memory allocation failure."; ++ default: ++ return "unknown error."; ++ } ++ } ++ ++ void ++ freeaddrinfo(ai) ++ struct addrinfo *ai; ++ { ++ struct addrinfo *next; ++ ++ do { ++ next = ai->ai_next; ++ free(ai); ++ } while (ai = next); ++ } ++ ++ int ++ getaddrinfo(hostname, servname, hints, res) ++ const char *hostname, *servname; ++ const struct addrinfo *hints; ++ struct addrinfo **res; ++ { ++ struct addrinfo *cur, *prev = NULL; ++ struct hostent *hp; ++ int i, port; ++ ++ if (servname) ++ port = htons(atoi(servname)); ++ else ++ port = 0; ++ if (hints && hints->ai_flags & AI_PASSIVE) ++ if (*res = malloc_ai(port, htonl(0x00000000))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if (!hostname) ++ if (*res = malloc_ai(port, htonl(0x7f000001))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if (inet_addr(hostname) != -1) ++ if (*res = malloc_ai(port, inet_addr(hostname))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if ((hp = gethostbyname(hostname)) && ++ hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { ++ for (i = 0; hp->h_addr_list[i]; i++) ++ if (cur = malloc_ai(port, ++ ((struct in_addr *)hp->h_addr_list[i])->s_addr)) { ++ if (prev) ++ prev->ai_next = cur; ++ else ++ *res = cur; ++ prev = cur; ++ } else { ++ if (*res) ++ freeaddrinfo(*res); ++ return EAI_MEMORY; ++ } ++ return 0; ++ } ++ return EAI_NODATA; ++ } diff --git a/picobsd/ssh-picobsd/files/patch-bh b/picobsd/ssh-picobsd/files/patch-bh new file mode 100644 index 00000000000..3e50aaeda09 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bh @@ -0,0 +1,66 @@ +*** getnameinfo.c.orig Mon Jan 10 22:56:13 2000 +--- getnameinfo.c Mon Jan 10 22:56:13 2000 +*************** +*** 0 **** +--- 1,61 ---- ++ /* ++ * fake library for ssh ++ * ++ * This file includes getnameinfo(). ++ * These funtions are defined in rfc2133. ++ * ++ * But these functions are not implemented correctly. The minimum subset ++ * is implemented for ssh use only. For exapmle, this routine assumes ++ * that ai_family is AF_INET. Don't use it for another purpose. ++ * ++ * In the case not using 'configure --enable-ipv6', this getnameinfo.c ++ * will be used if you have broken getnameinfo or no getnameinfo. ++ */ ++ ++ #include "includes.h" ++ #include "ssh.h" ++ ++ #include "gai.h" ++ ++ int ++ getnameinfo(sa, salen, host, hostlen, serv, servlen, flags) ++ const struct sockaddr *sa; ++ size_t salen; ++ char *host; ++ size_t hostlen; ++ char *serv; ++ size_t servlen; ++ int flags; ++ { ++ struct sockaddr_in *sin = (struct sockaddr_in *)sa; ++ struct hostent *hp; ++ char tmpserv[16]; ++ ++ if (serv) { ++ sprintf(tmpserv, "%d", ntohs(sin->sin_port)); ++ if (strlen(tmpserv) > servlen) ++ return EAI_MEMORY; ++ else ++ strcpy(serv, tmpserv); ++ } ++ if (host) ++ if (flags & NI_NUMERICHOST) ++ if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) ++ return EAI_MEMORY; ++ else { ++ strcpy(host, inet_ntoa(sin->sin_addr)); ++ return 0; ++ } ++ else ++ if (hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr), ++ AF_INET)) ++ if (strlen(hp->h_name) > hostlen) ++ return EAI_MEMORY; ++ else { ++ strcpy(host, hp->h_name); ++ return 0; ++ } ++ else ++ return EAI_NODATA; ++ return 0; ++ } diff --git a/picobsd/ssh-picobsd/files/patch-bi b/picobsd/ssh-picobsd/files/patch-bi new file mode 100644 index 00000000000..77ff392db91 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bi @@ -0,0 +1,56 @@ +*** log-server.c.orig Wed May 12 13:19:26 1999 +--- log-server.c Mon Jan 10 22:56:13 2000 +*************** +*** 146,151 **** +--- 146,170 ---- + syslog(LOG_INFO, "log: %.500s", buf); + } + ++ #ifdef ENABLE_LOG_AUTH ++ void log_auth(const char *fmt, ...) ++ { ++ char buf[1024]; ++ va_list args; ++ extern int log_auth_flag; ++ if (!log_auth_flag) ++ return; ++ if (log_quiet) ++ return; ++ va_start(args, fmt); ++ vsprintf(buf, fmt, args); ++ va_end(args); ++ if (log_on_stderr) ++ fprintf(stderr, "log: %s\n", buf); ++ syslog(LOG_INFO|LOG_AUTH, "%.500s", buf); ++ } ++ #endif /* ENABLE_LOG_AUTH */ ++ + /* Converts portable syslog severity to machine-specific syslog severity. */ + + static int syslog_severity(int severity) +*************** +*** 322,327 **** +--- 341,349 ---- + { + char buf[1024]; + va_list args; ++ #ifdef ENABLE_LOG_AUTH ++ extern char *unauthenticated_user; ++ #endif /* ENABLE_LOG_AUTH */ + + if (log_quiet) + exit(1); +*************** +*** 331,336 **** +--- 353,363 ---- + if (log_on_stderr) + fprintf(stderr, "fatal: %s\n", buf); + syslog(syslog_severity(severity), "fatal: %.500s", buf); ++ #ifdef ENABLE_LOG_AUTH ++ if (unauthenticated_user) ++ log_auth("LOGIN FAILED %.100s from %.200s", ++ unauthenticated_user, get_canonical_hostname()); ++ #endif /* ENABLE_LOG_AUTH */ + + do_fatal_cleanups(); + diff --git a/picobsd/ssh-picobsd/files/patch-bj b/picobsd/ssh-picobsd/files/patch-bj new file mode 100644 index 00000000000..fb897af4865 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bj @@ -0,0 +1,16 @@ +*** match.c.orig Wed May 12 13:19:27 1999 +--- match.c Mon Jan 10 22:56:13 2000 +*************** +*** 129,134 **** +--- 129,139 ---- + is_ip_pattern = 0; + break; + } ++ for(p = pattern; *p; p++) ++ if (!(isxdigit(*p) || *p == ':' || *p == '?' || *p == '*')) ++ break; ++ if (ip && !*p) ++ is_ip_pattern = 1; + if (is_ip_pattern) + { + return match_pattern(ip, pattern); diff --git a/picobsd/ssh-picobsd/files/patch-bl b/picobsd/ssh-picobsd/files/patch-bl new file mode 100644 index 00000000000..60296a9735b --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bl @@ -0,0 +1,66 @@ +*** readconf.c.orig Wed May 12 13:19:27 1999 +--- readconf.c Mon Jan 10 22:56:13 2000 +*************** +*** 171,176 **** +--- 171,179 ---- + oBatchMode, oStrictHostKeyChecking, oCompression, oCompressionLevel, + oKeepAlives, oUsePrivilegedPort, oKerberosAuthentication, + oKerberosTgtPassing, oClearAllForwardings, oNumberOfPasswordPrompts, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ oAnotherPort, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + oXauthPath, oGatewayPorts, oPasswordPromptLogin, oPasswordPromptHost + } OpCodes; + +*************** +*** 194,199 **** +--- 197,205 ---- + { "hostname", oHostName }, + { "proxycommand", oProxyCommand }, + { "port", oPort }, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ { "anotherport", oAnotherPort }, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + { "cipher", oCipher }, + { "remoteforward", oRemoteForward }, + { "localforward", oLocalForward }, +*************** +*** 497,502 **** +--- 503,514 ---- + *intptr = value; + break; + ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ case oAnotherPort: ++ intptr = &options->another_port; ++ goto parse_int; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ ++ + case oConnectionAttempts: + intptr = &options->connection_attempts; + goto parse_int; +*************** +*** 689,694 **** +--- 701,709 ---- + options->keepalives = -1; + options->compression_level = -1; + options->port = -1; ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ options->another_port = -1; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + options->connection_attempts = -1; + options->number_of_password_prompts = -1; + options->password_prompt_login = -1; +*************** +*** 759,764 **** +--- 774,783 ---- + options->compression_level = 6; + if (options->port == -1) + options->port = 0; /* Filled in ssh_connect. */ ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ if (options->another_port == -1) ++ options->another_port = 0; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + if (options->connection_attempts == -1) + options->connection_attempts = 4; + if (options->number_of_password_prompts == -1) diff --git a/picobsd/ssh-picobsd/files/patch-bm b/picobsd/ssh-picobsd/files/patch-bm new file mode 100644 index 00000000000..a394777b484 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bm @@ -0,0 +1,14 @@ +*** readconf.h.orig Wed May 12 13:19:27 1999 +--- readconf.h Mon Jan 10 22:56:13 2000 +*************** +*** 98,103 **** +--- 98,106 ---- + int use_privileged_port; /* Use privileged port */ + + int port; /* Port to connect. */ ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port; /* Port to connect for -A option. */ ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + int connection_attempts; /* Max attempts (seconds) before giving up */ + int number_of_password_prompts; /* Max number of password prompts */ + int password_prompt_login; /* Show remote login at password prompt */ diff --git a/picobsd/ssh-picobsd/files/patch-bn b/picobsd/ssh-picobsd/files/patch-bn new file mode 100644 index 00000000000..7f625fcea26 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bn @@ -0,0 +1,191 @@ +*** scp.c.orig Wed May 12 13:19:28 1999 +--- scp.c Mon Jan 10 22:56:13 2000 +*************** +*** 180,185 **** +--- 180,193 ---- + #define STDERR_FILENO 2 + #endif + ++ /* This is set to non-zero if IPv4 is desired. */ ++ int IPv4 = 0; ++ ++ #ifdef ENABLE_IPV6 ++ /* This is set to non-zero if IPv6 is desired. */ ++ int IPv6 = 0; ++ #endif ++ + /* This is set to non-zero to enable verbose mode. */ + int verbose = 0; + +*************** +*** 295,302 **** +--- 303,319 ---- + } + args[i++] = "-x"; + args[i++] = "-a"; ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ args[i++] = "-A"; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + args[i++] = "-oFallBackToRsh no"; + args[i++] = "-oClearAllForwardings yes"; ++ if (IPv4) ++ args[i++] = "-4"; ++ #ifdef ENABLE_IPV6 ++ if (IPv6) ++ args[i++] = "-6"; ++ #endif + if (verbose) + args[i++] = "-v"; + if (compress) +*************** +*** 441,448 **** + statistics = 0; + + fflag = tflag = 0; +! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:")) != EOF) + switch(ch) { /* User-visible flags. */ + case 'S': + ssh_program = optarg; + break; +--- 458,477 ---- + statistics = 0; + + fflag = tflag = 0; +! while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:4" +! #ifdef ENABLE_IPV6 +! "6" +! #endif +! )) != EOF) + switch(ch) { /* User-visible flags. */ ++ case '4': ++ IPv4 = 1; ++ break; ++ #ifdef ENABLE_IPV6 ++ case '6': ++ IPv6 = 1; ++ break; ++ #endif + case 'S': + ssh_program = optarg; + break; +*************** +*** 589,594 **** +--- 618,634 ---- + exit(errs != 0); + } + ++ char * ++ cleanhostname(host) ++ char *host; ++ { ++ if (*host == '[' && host[strlen(host) - 1] == ']') { ++ host[strlen(host) - 1] = '\0'; ++ return (host + 1); ++ } else ++ return host; ++ } ++ + void + toremote(targ, argc, argv) + char *targ, *argv[]; +*************** +*** 644,649 **** +--- 684,690 ---- + bp = xmalloc(len); + if (host) { + *host++ = 0; ++ host = cleanhostname(host); + suser = argv[i]; + if (*suser == '\0') + suser = pwd->pw_name; +*************** +*** 655,667 **** + suser, host, cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); +! } else + (void)snprintf(bp, len, + "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'", + ssh_program, verbose ? " -v" : "", options, +! argv[i], cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); + if (verbose) + fprintf(stderr, "Executing: %s\n", bp); + if (system(bp)) errs++; +--- 696,710 ---- + suser, host, cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); +! } else { +! host = cleanhostname(argv[i]); + (void)snprintf(bp, len, + "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'", + ssh_program, verbose ? " -v" : "", options, +! host, cmd, src, + tuser ? tuser : "", tuser ? "@" : "", + thost, targ); ++ } + if (verbose) + fprintf(stderr, "Executing: %s\n", bp); + if (system(bp)) errs++; +*************** +*** 671,677 **** + len = strlen(targ) + CMDNEEDS + 20; + bp = xmalloc(len); + (void)snprintf(bp, len, "%s -t %s", cmd, targ); +! host = thost; + if (do_cmd(host, tuser, + bp, &remin, &remout) < 0) + exit(1); +--- 714,720 ---- + len = strlen(targ) + CMDNEEDS + 20; + bp = xmalloc(len); + (void)snprintf(bp, len, "%s -t %s", cmd, targ); +! host = cleanhostname(thost); + if (do_cmd(host, tuser, + bp, &remin, &remout) < 0) + exit(1); +*************** +*** 721,726 **** +--- 764,770 ---- + else if (!okname(suser)) + continue; + } ++ host = cleanhostname(host); + len = strlen(src) + CMDNEEDS + 20; + bp = xmalloc(len); + (void)snprintf(bp, len, "%s -f %s", cmd, src); +*************** +*** 1365,1375 **** + colon(cp) + char *cp; + { + if (*cp == ':') /* Leading colon is part of file name. */ + return (0); + + for (; *cp; ++cp) { +! if (*cp == ':') + return (cp); + if (*cp == '/') + return (0); +--- 1409,1427 ---- + colon(cp) + char *cp; + { ++ int flag = 0; ++ + if (*cp == ':') /* Leading colon is part of file name. */ + return (0); ++ if (*cp == '[') ++ flag = 1; + + for (; *cp; ++cp) { +! if (*cp == '@' && *(cp+1) == '[') +! flag = 1; +! if (*cp == ']' && *(cp+1) == ':' && flag) +! return (cp+1); +! if (*cp == ':' && !flag) + return (cp); + if (*cp == '/') + return (0); diff --git a/picobsd/ssh-picobsd/files/patch-bo b/picobsd/ssh-picobsd/files/patch-bo new file mode 100644 index 00000000000..886720df255 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bo @@ -0,0 +1,197 @@ +*** servconf.c.orig Wed May 12 13:19:28 1999 +--- servconf.c Mon Jan 10 22:56:13 2000 +*************** +*** 81,88 **** + void initialize_server_options(ServerOptions *options) + { + memset(options, 0, sizeof(*options)); +! options->port = -1; +! options->listen_addr.s_addr = INADDR_ANY; + options->host_key_file = NULL; + options->random_seed_file = NULL; + options->pid_file = NULL; +--- 81,88 ---- + void initialize_server_options(ServerOptions *options) + { + memset(options, 0, sizeof(*options)); +! options->num_ports = 0; +! options->listen_addrs = NULL; + options->host_key_file = NULL; + options->random_seed_file = NULL; + options->pid_file = NULL; +*************** +*** 92,97 **** +--- 92,100 ---- + options->permit_root_login = -1; + options->ignore_rhosts = -1; + options->ignore_root_rhosts = -1; ++ #ifdef ENABLE_LOG_AUTH ++ options->log_auth = -1; ++ #endif /* ENABLE_LOG_AUTH */ + options->quiet_mode = -1; + options->fascist_logging = -1; + options->print_motd = -1; +*************** +*** 138,153 **** + + void fill_default_server_options(ServerOptions *options) + { +! if (options->port == -1) + { +! struct servent *sp; +! +! sp = getservbyname(SSH_SERVICE_NAME, "tcp"); +! if (sp) +! options->port = ntohs(sp->s_port); +! else +! options->port = SSH_DEFAULT_PORT; +! endservent(); + } + if (options->host_key_file == NULL) + options->host_key_file = HOST_KEY_FILE; +--- 141,171 ---- + + void fill_default_server_options(ServerOptions *options) + { +! struct addrinfo hints, *ai, *aitop; +! char strport[PORTSTRLEN]; +! int i; +! +! if (options->num_ports == 0) +! options->ports[options->num_ports++] = SSH_DEFAULT_PORT; +! if (options->listen_addrs == NULL) + { +! for (i = 0; i < options->num_ports; i++) +! { +! memset(&hints, 0, sizeof(hints)); +! hints.ai_flags = AI_PASSIVE; +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", options->ports[i]); +! if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) +! { +! fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n"); +! exit(1); +! } +! for (ai = aitop; ai->ai_next; ai = ai->ai_next); +! ai->ai_next = options->listen_addrs; +! options->listen_addrs = aitop; +! } +! /* freeaddrinfo(options->listen_addrs) in sshd.c */ + } + if (options->host_key_file == NULL) + options->host_key_file = HOST_KEY_FILE; +*************** +*** 243,248 **** +--- 261,269 ---- + { + sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, + sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility, ++ #ifdef ENABLE_LOG_AUTH ++ sLogAuth, ++ #endif /* ENABLE_LOG_AUTH */ + sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, + sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts, + sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, +*************** +*** 275,280 **** +--- 296,304 ---- + { "quietmode", sQuietMode }, + { "fascistlogging", sFascistLogging }, + { "syslogfacility", sLogFacility }, ++ #ifdef ENABLE_LOG_AUTH ++ { "logauth", sLogAuth }, ++ #endif /* ENABLE_LOG_AUTH */ + { "rhostsauthentication", sRhostsAuthentication }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication }, + { "rsaauthentication", sRSAAuthentication }, +*************** +*** 367,372 **** +--- 391,399 ---- + char *cp, **charptr; + int linenum, *intptr, i, value; + ServerOpCodes opcode; ++ struct addrinfo hints, *ai, *aitop; ++ char strport[PORTSTRLEN]; ++ int gaierr; + + f = fopen(filename, "r"); + if (!f) +*************** +*** 389,395 **** + switch (opcode) + { + case sPort: +! intptr = &options->port; + parse_int: + cp = strtok(NULL, WHITESPACE); + if (!cp) +--- 416,429 ---- + switch (opcode) + { + case sPort: +! if (options->num_ports >= MAX_PORTS) +! { +! fprintf(stderr, "%s line %d: too many ports.\n", +! filename, linenum); +! exit(1); +! } +! options->ports[options->num_ports] = -1; +! intptr = &options->ports[options->num_ports++]; + parse_int: + cp = strtok(NULL, WHITESPACE); + if (!cp) +*************** +*** 452,462 **** + filename, linenum); + exit(1); + } +! #ifdef BROKEN_INET_ADDR +! options->listen_addr.s_addr = inet_network(cp); +! #else /* BROKEN_INET_ADDR */ +! options->listen_addr.s_addr = inet_addr(cp); +! #endif /* BROKEN_INET_ADDR */ + break; + + case sHostKeyFile: +--- 486,510 ---- + filename, linenum); + exit(1); + } +! if (options->num_ports == 0) +! options->ports[options->num_ports++] = SSH_DEFAULT_PORT; +! for (i = 0; i < options->num_ports; i++) +! { +! memset(&hints, 0, sizeof(hints)); +! hints.ai_family = IPv4or6; +! hints.ai_socktype = SOCK_STREAM; +! sprintf(strport, "%d", options->ports[i]); +! if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0) +! { +! fprintf(stderr, "%s line %d: bad addr or host. (%s)\n", +! filename, linenum, gai_strerror(gaierr)); +! exit(1); +! } +! for (ai = aitop; ai->ai_next; ai = ai->ai_next); +! ai->ai_next = options->listen_addrs; +! options->listen_addrs = aitop; +! } +! strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */ + break; + + case sHostKeyFile: +*************** +*** 531,536 **** +--- 579,590 ---- + if (*intptr == -1) + *intptr = value; + break; ++ ++ #ifdef ENABLE_LOG_AUTH ++ case sLogAuth: ++ intptr = &options->log_auth; ++ goto parse_flag; ++ #endif /* ENABLE_LOG_AUTH */ + + case sIgnoreRhosts: + intptr = &options->ignore_rhosts; diff --git a/picobsd/ssh-picobsd/files/patch-bp b/picobsd/ssh-picobsd/files/patch-bp new file mode 100644 index 00000000000..40b10db36c4 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bp @@ -0,0 +1,45 @@ +*** servconf.h.orig Wed May 12 13:19:28 1999 +--- servconf.h Mon Jan 10 22:56:13 2000 +*************** +*** 64,69 **** +--- 64,71 ---- + #ifndef SERVCONF_H + #define SERVCONF_H + ++ #define MAX_PORTS 256 /* Max # hosts on allow list. */ ++ + #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */ + #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */ + #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */ +*************** +*** 82,89 **** + + typedef struct + { +! int port; /* Port number to listen on. */ +! struct in_addr listen_addr; /* Address on which the server listens. */ + char *host_key_file; /* File containing host key. */ + char *random_seed_file; /* File containing random seed. */ + char *pid_file; /* File containing process ID number. */ +--- 84,92 ---- + + typedef struct + { +! unsigned int num_ports; +! int ports[MAX_PORTS]; /* Port number to listen on. */ +! struct addrinfo *listen_addrs;/* Addresses on which the server listens. */ + char *host_key_file; /* File containing host key. */ + char *random_seed_file; /* File containing random seed. */ + char *pid_file; /* File containing process ID number. */ +*************** +*** 91,96 **** +--- 94,102 ---- + int login_grace_time; /* Disconnect if no auth in this time (sec). */ + int key_regeneration_time; /* Server key lifetime (seconds). */ + int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */ ++ #ifdef ENABLE_LOG_AUTH ++ int log_auth; /* If true, log authentication info. */ ++ #endif /* ENABLE_LOG_AUTH */ + int ignore_rhosts; /* Ignore .rhosts and .shosts. */ + int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root, + defaults to ignore_rhosts if not given. */ diff --git a/picobsd/ssh-picobsd/files/patch-br b/picobsd/ssh-picobsd/files/patch-br new file mode 100644 index 00000000000..28dd08a5be5 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-br @@ -0,0 +1,97 @@ +*** ssh.c.orig Wed May 12 13:19:28 1999 +--- ssh.c Mon Jan 10 22:56:13 2000 +*************** +*** 218,223 **** +--- 218,231 ---- + other functions. */ + RandomState random_state; + ++ /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. ++ Default value is AF_UNSPEC means both IPv4 and IPv6. */ ++ #ifdef ENABLE_IPV6 ++ int IPv4or6 = AF_UNSPEC; ++ #else ++ int IPv4or6 = AF_INET; ++ #endif ++ + /* Flag indicating whether debug mode is on. This can be set on the + command line. */ + int debug_flag = 0; +*************** +*** 277,282 **** +--- 285,297 ---- + { + fprintf(stderr, "Usage: %s [options] host [command]\n", av0); + fprintf(stderr, "Options:\n"); ++ fprintf(stderr, " -4 Use IPv4 only.\n"); ++ #ifdef ENABLE_IPV6 ++ fprintf(stderr, " -6 Use IPv6 only.\n"); ++ #endif ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ fprintf(stderr, " -A Try to connect to another port before original port.\n"); ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + fprintf(stderr, " -l user Log in using this user name.\n"); + fprintf(stderr, " -n Redirect input from /dev/null.\n"); + fprintf(stderr, " -a Disable authentication agent forwarding.\n"); +*************** +*** 413,418 **** +--- 428,436 ---- + #ifdef SIGWINCH + struct winsize ws; + #endif /* SIGWINCH */ ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port_flag = 0; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + + /* Save the original real uid. It will be needed later (uid-swapping may + clobber the real uid). */ +*************** +*** 522,527 **** +--- 540,565 ---- + } + switch (opt) + { ++ case '4': ++ #ifdef ENABLE_IPV6 ++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET; ++ #else ++ IPv4or6 = AF_INET; ++ #endif ++ break; ++ ++ #ifdef ENABLE_IPV6 ++ case '6': ++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6; ++ break; ++ #endif ++ ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ case 'A': ++ another_port_flag = 1; ++ break; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ ++ + case 'n': + stdin_null_flag = 1; + break; +*************** +*** 789,799 **** +--- 827,844 ---- + { + use_privileged_port = 0; + } ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ if (!another_port_flag) ++ options.another_port = 0; ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + /* Open a connection to the remote host. This needs root privileges if + rhosts_authentication is true. Note that the random_state is not + yet used by this call, although a pointer to it is stored, and thus it + need not be initialized. */ + ok = ssh_connect(host, options.port, options.connection_attempts, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ options.another_port, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + !use_privileged_port, + original_real_uid, options.proxy_command, &random_state); + diff --git a/picobsd/ssh-picobsd/files/patch-bs b/picobsd/ssh-picobsd/files/patch-bs new file mode 100644 index 00000000000..ec0e1a86ef9 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-bs @@ -0,0 +1,94 @@ +*** ssh.h.orig Wed May 12 13:19:28 1999 +--- ssh.h Mon Jan 10 22:56:13 2000 +*************** +*** 430,436 **** + /* Records that the user has logged in. This does many things normally + done by login(1). */ + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +! const char *host, struct sockaddr_in *addr); + + /* Records that the user has logged out. This does many thigs normally + done by login(1) or init. */ +--- 430,436 ---- + /* Records that the user has logged in. This does many things normally + done by login(1). */ + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +! const char *host, struct sockaddr *addr); + + /* Records that the user has logged out. This does many thigs normally + done by login(1) or init. */ +*************** +*** 447,452 **** +--- 447,455 ---- + connection is successful, this calls packet_set_connection for the + connection. */ + int ssh_connect(const char *host, int port, int connection_attempts, ++ #ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port, ++ #endif /* ENABLE_ANOTHER_PORT_TRY */ + int anonymous, uid_t original_real_uid, + const char *proxy_command, RandomState *random_state); + +*************** +*** 872,876 **** +--- 875,934 ---- + #else + #define UID_ROOT 0 + #endif ++ ++ #ifdef HAVE_SOCKADDR_STORAGE ++ #ifndef HAVE_NEW_SS_FAMILY ++ #define __ss_len ss_len ++ #define __ss_family ss_family ++ #endif ++ #else ++ #define _SS_MAXSIZE 128 /* Implementation specific max size */ ++ #define _SS_ALIGNSIZE (sizeof(int)) ++ #define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short)) ++ #define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \ ++ _SS_PAD1SIZE + _SS_ALIGNSIZE)) ++ struct sockaddr_storage { ++ #ifdef HAVE_SOCKADDR_LEN ++ u_char __ss_len; ++ u_char __ss_family; ++ #else ++ u_short __ss_family; ++ #endif ++ char __ss_pad1[_SS_PAD1SIZE]; ++ int __ss_align; ++ char __ss_pad2[_SS_PAD2SIZE]; ++ }; ++ #endif ++ ++ #ifdef INET6_ADDRSTRLEN ++ #define ADDRSTRLEN INET6_ADDRSTRLEN ++ #else ++ #define ADDRSTRLEN 46 ++ #endif ++ ++ #define PORTSTRLEN 16 ++ ++ /* AF_UNSPEC or AF_INET or AF_INET6 */ ++ extern int IPv4or6; ++ ++ #ifndef ENABLE_IPV6 ++ /* dummy value for old netdb.h */ ++ #ifndef AI_PASSIVE ++ #define AI_PASSIVE 1 ++ #define NI_NUMERICHOST 2 ++ #define NI_NAMEREQD 4 ++ #define NI_NUMERICSERV 8 ++ struct addrinfo { ++ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ ++ int ai_family; /* PF_xxx */ ++ int ai_socktype; /* SOCK_xxx */ ++ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ ++ size_t ai_addrlen; /* length of ai_addr */ ++ char *ai_canonname; /* canonical name for hostname */ ++ struct sockaddr *ai_addr; /* binary address */ ++ struct addrinfo *ai_next; /* next structure in linked list */ ++ }; ++ #endif ++ #endif /* not ENABLE_IPV6 */ + + #endif /* SSH_H */ diff --git a/picobsd/ssh-picobsd/files/patch-xa b/picobsd/ssh-picobsd/files/patch-xa new file mode 100644 index 00000000000..a775ff6820d --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-xa @@ -0,0 +1,167 @@ +Note that this patch has been incorporated into the port due to problems +with patching a autoconf generated configure script. The script itself contains +linenumbers and in case of two patches against that script the second one fails +because it expects something that the first patch has already changed. The +only clean way is to re-generate it with autoconf. *sigh* +This patch was fetched from +http://www.ssh.org/patches/patch-ssh-1.2.27-bsd.tty.chown + - torstenb@FreeBSD.org, Tue Jan 11 21:36:46 CET 2000 + + +Patch for problem with tty ownership with chflags and chown in BSD 4.4 +variants. Fixes a security bug in tty allocation. + +This patch works for ssh-1.2.27. + +Apply with the following commands: + +% cd /wherever/you/hold/your/sources/ssh-1.2.27 +% patch -p1 -l < /path/to/where/you/saved/patch-ssh-1.2.27-bsd.tty.chown +% ./configure --whatever-config-flags-you-use +% make clean +% make +% su +Password: *********** +# make install +# kill -HUP `cat /var/run/sshd.pid` + +You should be all set. + +Sami Lehtinen <sjl@ssh.fi> + +--begin patch-- +diff -u --recursive -X /u/sjl/bin/diff-src-db auth-passwd.c.orig auth-passwd.c +--- auth-passwd.c.orig Wed May 12 14:19:23 1999 ++++ auth-passwd.c Wed Aug 11 19:49:32 1999 +@@ -613,7 +613,13 @@ + /* get_name pulls out just the name not the + type */ + strcpy(ccname + 5, krb5_cc_get_name(ssh_context, ccache)); +- (void) chown(ccname + 5, pw->pw_uid, pw->pw_gid); ++ if (chown(ccname + 5, pw->pw_uid, pw->pw_gid) < 0) ++ { ++ log_msg("Kerberos: chown failed for %s, error: %s", ++ ccname + 5, strerror(errno)); ++ packet_send_debug("Kerberos: chown failed for %s", ccname + 5); ++ goto errout; ++ } + + /* If tgt was passed unlink file */ + if (ticket) +diff -u --recursive -X /u/sjl/bin/diff-src-db config.h.in.orig config.h.in +--- config.h.in.orig Wed May 12 14:20:04 1999 ++++ config.h.in Wed Aug 11 20:20:51 1999 +@@ -360,6 +360,9 @@ + /* Define if you have the authenticate function. */ + #undef HAVE_AUTHENTICATE + ++/* Define if you have the chflags function. */ ++#undef HAVE_CHFLAGS ++ + /* Define if you have the clock function. */ + #undef HAVE_CLOCK + +diff -u --recursive -X /u/sjl/bin/diff-src-db configure.in.orig configure.in +--- configure.in.orig Wed May 12 14:20:02 1999 ++++ configure.in Wed Aug 11 20:05:13 1999 +@@ -433,6 +433,7 @@ + AC_CHECK_FUNCS(strchr memcpy setlogin openpty _getpty clock fchmod ulimit) + AC_CHECK_FUNCS(gethostname getdtablesize umask innetgr initgroups setpgrp) + AC_CHECK_FUNCS(setpgid daemon waitpid ttyslot authenticate getpt isastream) ++AC_CHECK_FUNCS(chflags) + + AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf) + +diff -u --recursive -X /u/sjl/bin/diff-src-db sshd.c.orig sshd.c +--- sshd.c.orig Wed May 12 14:19:29 1999 ++++ sshd.c Wed Aug 11 20:26:31 1999 +@@ -2897,9 +2897,87 @@ + tty_mode = S_IRUSR|S_IWUSR|S_IWGRP|S_IWOTH; + } + ++ retry_chown: ++ + /* Change ownership of the tty. */ +- (void)chown(ttyname, pw->pw_uid, tty_gid); +- (void)chmod(ttyname, tty_mode); ++ if (chown(ttyname, pw->pw_uid, tty_gid) < 0) ++ { ++ /* chown failed. Atleast two possibilities. Either we are not ++ running as root, in which case this is OK, or we are running ++ on BSD, and somebody has put some flags to the tty. */ ++ ++ /* Check whether we are root or not.*/ ++ if (getuid() != UID_ROOT) ++ { ++ /* We are not, and then this is OK. */ ++ debug("chown failed (but we're not root anyway) for " ++ "%s, error %s", ttyname, strerror(errno)); ++ } ++ else ++ { ++#ifdef HAVE_CHFLAGS ++ static int retrying = 0; ++ struct stat st; ++ ++ if (!retrying) ++ { ++ debug("chown failed for %s, error: %s. Removing " ++ "user-settable flags, and retrying.", ++ ttyname, strerror(errno)); ++ ++ if (stat(ttyname, &st) < 0) ++ { ++ error("stat failed for %s, error: %s", ++ ttyname, strerror(errno)); ++ } ++ else ++ { ++ debug("Removing user-settable flags with " ++ "chflags."); ++ /* Remove user definable flags. */ ++ if (chflags(ttyname, st.st_flags & ++ ~(UF_NODUMP | UF_IMMUTABLE | ++ UF_APPEND | UF_OPAQUE)) < 0) ++ { ++ debug("chflags failed for %s, error: %s", ++ ttyname, strerror(errno)); ++ } ++ else ++ { ++ debug("Retrying..."); ++ retrying = 1; ++ goto retry_chown; ++ } ++ } ++ } ++ else ++ { ++ debug("chown failed even with retry. error: %s", ++ strerror(errno)); ++ } ++ ++#endif /* HAVE_CHFLAGS */ ++ error("ssh_pty_allocate_and_fork: chown failed for %s.", ++ ttyname); ++ goto fail; ++ } ++ } ++ ++ if (chmod(ttyname, tty_mode) < 0) ++ { ++ if (getuid() != UID_ROOT) ++ { ++ /* We are not, and then this is (probably) OK. */ ++ debug("chmod failed (but we're not root anyway) for " ++ "%s, error %s", ttyname, strerror(errno)); ++ } ++ else ++ { ++ error("ssh_pty_allocate_and_fork: chmod %s: %s", ++ ttyname, strerror(errno)); ++ goto fail; ++ } ++ } + + /* Get TERM from the packet. Note that the value may be of arbitrary + length. */ diff --git a/picobsd/ssh-picobsd/files/patch-ya b/picobsd/ssh-picobsd/files/patch-ya new file mode 100644 index 00000000000..28df9da5090 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-ya @@ -0,0 +1,54 @@ +--- Makefile.in.1 Thu Dec 21 18:39:10 2000 ++++ Makefile.in Thu Dec 21 18:44:34 2000 +@@ -267,6 +267,7 @@ + LIBS = @LIBS@ + LIBOBJS = @LIBOBJS@ + CONFOBJS = @CONFOBJS@ ++CONFOBJS = # force none. + SSHCONFOBJS = @SSHCONFOBJS@ + SSHDCONFOBJS = @SSHDCONFOBJS@ + +@@ -324,16 +325,21 @@ + XLIBS = $(X_LIBS) $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS) $(LIBS) + + COMMON_OBJS = $(LIBOBJS) $(CONFOBJS) \ ++ log-server.o \ + rsa.o randoms.o md5.o buffer.o emulate.o packet.o compress.o \ + xmalloc.o ttymodes.o newchannels.o bufaux.o authfd.o authfile.o \ + crc32.o rsaglue.o cipher.o des.o match.o arcfour.o mpaux.o \ +- userfile.o signals.o blowfish.o deattack.o ++ userfile.o signals.o blowfish.o deattack.o \ ++ canohost.o ++ + SSHD_OBJS = sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o \ +- log-server.o login.o hostfile.o canohost.o servconf.o tildexpand.o \ +- serverloop.o $(COMMON_OBJS) $(KERBEROS_OBJS) $(SSHDCONFOBJS) +-SSH_OBJS = ssh.o sshconnect.o log-client.o readconf.o hostfile.o readpass.o \ +- tildexpand.o clientloop.o canohost.o $(COMMON_OBJS) $(SSHCONFOBJS) +-KEYGEN_OBJS = ssh-keygen.o log-client.o readpass.o rsa.o randoms.o md5.o \ ++ login.o hostfile.o servconf.o tildexpand.o \ ++ serverloop.o \ ++ ssh.o sshconnect.o log-client.o readconf.o readpass.o \ ++ clientloop.o \ ++ scp.o \ ++ $(COMMON_OBJS) $(SSHCONFOBJS) ++KEYGEN_OBJS = ssh-keygen.o log-server.o readpass.o rsa.o randoms.o md5.o \ + buffer.o xmalloc.o authfile.o cipher.o des.o arcfour.o mpaux.o \ + bufaux.o userfile.o signals.o blowfish.o $(LIBOBJS) $(CONFOBJS) + AGENT_OBJS = ssh-agent.o log-client.o rsa.o randoms.o md5.o buffer.o \ +@@ -403,7 +409,6 @@ + #endif F_SECURE_COMMERCIAL + SCRIPT_PROGRAMS = make-ssh-known-hosts + SBIN_PROGRAMS = sshd +-PROGRAMS = ssh $(SBIN_PROGRAMS) $(NORMAL_PROGRAMS) $(SCRIPT_PROGRAMS) \ +-$(X_PROGRAMS) $(OTHER_PROGRAMS) ++PROGRAMS = $(SBIN_PROGRAMS) + SSH_PROGRAM = $(bindir)/ssh1 + +@@ -759,3 +765,6 @@ + tags: + -rm -f TAGS + find config.h $(srcdir) -name '*.[chly]' -print | xargs etags -a ++ ++obj: ++ echo "-- fake target for picobsd --" diff --git a/picobsd/ssh-picobsd/files/patch-yb b/picobsd/ssh-picobsd/files/patch-yb new file mode 100644 index 00000000000..6139703ded6 --- /dev/null +++ b/picobsd/ssh-picobsd/files/patch-yb @@ -0,0 +1,260 @@ +diff -ubwr work/ssh-1.2.27/log-client.c work.luigi/ssh-1.2.27/log-client.c +--- log-client.c Wed May 12 04:19:26 1999 ++++ log-client.c Wed Dec 6 18:27:30 2000 +@@ -50,6 +50,7 @@ + * $Endlog$ + */ + ++#if 0 /* XXX luigi */ + #include "includes.h" + #include "xmalloc.h" + #include "ssh.h" +@@ -216,3 +217,4 @@ + va_end(args); + exit(255); + } ++#endif /* XXX luigi */ +diff -ubwr work/ssh-1.2.27/log-server.c work.luigi/ssh-1.2.27/log-server.c +--- log-server.c Wed Dec 6 18:47:50 2000 ++++ log-server.c Wed Dec 6 19:02:53 2000 +@@ -69,6 +69,36 @@ + static int log_debug = 0; + static int log_quiet = 0; + static int log_on_stderr = 0; ++/* ++ * lr 001206 ++ * ++ * try to put here all logging and error handling functions ++ * ++ ++fatal: ++ scp.c ++ ssh-askpass.c ++ log-server.c ++ log-client.c ++ * ++ */ ++ ++enum { SCP, ASKPASS, SERVER, CLIENT } fatal_mode ; ++char *unauthenticated_user = NULL; /* from sshd.c */ ++int log_auth_flag = 0; /* from sshd.c */ ++int allow_severity = LOG_INFO; ++int deny_severity = LOG_WARNING; ++int debug_flag = 0; ++ ++uid_t original_real_uid = 0; ++ ++/* from ssh.c */ ++#ifdef ENABLE_IPV6 ++int IPv4or6 = AF_UNSPEC; ++#else ++int IPv4or6 = AF_INET; ++#endif ++ + + /* Initialize the log. + av0 program name (should be argv[0]) +@@ -325,6 +355,10 @@ + + if (log_quiet) + exit(1); ++ ++ if (fatal_mode == CLIENT) ++ do_fatal_cleanups(); ++ + va_start(args, fmt); + vsnprintf(buf, sizeof(buf), fmt, args); + va_end(args); +@@ -332,6 +366,7 @@ + fprintf(stderr, "fatal: %s\n", buf); + syslog(LOG_ERR, "fatal: %.500s", buf); + ++ if (fatal_mode == SERVER) + do_fatal_cleanups(); + + exit(1); +diff -ubwr work/ssh-1.2.27/newchannels.c work.luigi/ssh-1.2.27/newchannels.c +--- newchannels.c Wed Dec 6 18:47:49 2000 ++++ newchannels.c Wed Dec 6 18:44:06 2000 +@@ -274,6 +274,7 @@ + #include "authfd.h" + #include "emulate.h" + #include "servconf.h" ++ServerOptions options; /* from sshd */ + #ifdef LIBWRAP + #include <tcpd.h> + #include <syslog.h> +diff -ubwr work/ssh-1.2.27/scp.c work.luigi/ssh-1.2.27/scp.c +--- scp.c Wed Dec 6 18:47:51 2000 ++++ scp.c Wed Dec 6 19:09:39 2000 +@@ -363,6 +363,7 @@ + return 0; + } + ++#if 0 /* XXX luigi */ + void fatal(const char *fmt, ...) + { + va_list ap; +@@ -374,7 +375,7 @@ + fprintf(stderr, "%s\n", buf); + exit(255); + } +- ++#endif + /* This stuff used to be in BSD rcp extern.h. */ + + typedef struct { +@@ -408,10 +409,10 @@ + void source(int, char *[]); + void tolocal(int, char *[]); + void toremote(char *, int, char *[]); +-void usage(void); ++void scp_usage(void); + + int +-main(argc, argv) ++scp_main(argc, argv) + int argc; + char *argv[]; + { +@@ -555,7 +556,7 @@ + break; + case '?': + default: +- usage(); ++ scp_usage(); + } + argc -= optind; + argv += optind; +@@ -578,7 +579,7 @@ + } + + if (argc < 2) +- usage(); ++ scp_usage(); + if (argc > 2) + targetshouldbedirectory = 1; + +@@ -1336,7 +1337,7 @@ + } + + void +-usage(void) ++scp_usage(void) + { + (void)fprintf(stderr, + "usage: scp [-qQaAprvBCL] [-S path-to-ssh] [-o ssh-options] [-P port] [-c cipher] [-i identity] f1 f2; or: scp [options] f1 ... fn directory\n"); +diff -ubwr work/ssh-1.2.27/ssh.c work.luigi/ssh-1.2.27/ssh.c +--- ssh.c Wed Dec 6 18:47:51 2000 ++++ ssh.c Wed Dec 6 19:03:25 2000 +@@ -209,8 +209,8 @@ + #ifdef NEED_SYS_SYSLOG_H + #include <sys/syslog.h> + #endif /* NEED_SYS_SYSLOG_H */ +-int allow_severity = LOG_INFO; +-int deny_severity = LOG_WARNING; ++extern int allow_severity ; ++extern int deny_severity; + #endif /* LIBWRAP */ + + /* Random number generator state. This is initialized in ssh_login, and +@@ -220,15 +220,11 @@ + + /* Flag indicating whether IPv4 or IPv6. This can be set on the command line. + Default value is AF_UNSPEC means both IPv4 and IPv6. */ +-#ifdef ENABLE_IPV6 +-int IPv4or6 = AF_UNSPEC; +-#else +-int IPv4or6 = AF_INET; +-#endif ++extern int IPv4or6 ; + + /* Flag indicating whether debug mode is on. This can be set on the + command line. */ +-int debug_flag = 0; ++extern int debug_flag; + + /* Flag indicating whether quiet mode is on. */ + int quiet_flag = 0; +@@ -414,7 +410,7 @@ + + /* Main program for the ssh client. */ + +-int main(int ac, char **av) ++int ssh_main(int ac, char **av) + { + int i, opt, optind, type, exit_status, ok, fwd_port, fwd_host_port; + int authfd; +diff -ubwr work/ssh-1.2.27/sshd.c work.luigi/ssh-1.2.27/sshd.c +--- sshd.c Wed Dec 6 18:47:52 2000 ++++ sshd.c Wed Dec 6 19:08:18 2000 +@@ -488,8 +488,8 @@ + #ifdef NEED_SYS_SYSLOG_H + #include <sys/syslog.h> + #endif /* NEED_SYS_SYSLOG_H */ +-int allow_severity = LOG_INFO; +-int deny_severity = LOG_WARNING; ++extern int allow_severity ; ++extern int deny_severity ; + #endif /* LIBWRAP */ + + #ifdef CRAY +@@ -548,29 +548,23 @@ + #endif /* KERBEROS */ + + /* Server configuration options. */ +-ServerOptions options; ++extern ServerOptions options; + + /* Name of the server configuration file. */ + char *config_file_name = SERVER_CONFIG_FILE; + +-/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. +- Default value is AF_UNSPEC means both IPv4 and IPv6. */ +-#ifdef ENABLE_IPV6 +-int IPv4or6 = AF_UNSPEC; +-#else +-int IPv4or6 = AF_INET; +-#endif ++extern int IPv4or6; + + #ifdef ENABLE_LOG_AUTH +-char *unauthenticated_user = NULL; +-int log_auth_flag = 0; ++extern char *unauthenticated_user ; ++extern int log_auth_flag ; + #endif /* ENABLE_LOG_AUTH */ + + /* Debug mode flag. This can be set on the command line. If debug + mode is enabled, extra debugging output will be sent to the system + log, the daemon will not go to background, and will exit after processing + the first connection. */ +-int debug_flag = 0; ++extern int debug_flag ; + + /* Flag indicating that the daemon is being started from inetd. */ + int inetd_flag = 0; +@@ -603,7 +597,7 @@ + + /* This is not really needed, and could be eliminated if server-specific + and client-specific code were removed from newchannels.c */ +-uid_t original_real_uid = 0; ++extern uid_t original_real_uid ; + + /* Flags set in auth-rsa from authorized_keys flags. These are set in + auth-rsa.c. */ +@@ -796,6 +790,14 @@ + char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; + int listen_sock, maxfd; + ++ { int l = strlen(av[0]); /* do ssh if necessary */ ++ if (l < 3) /* assume ssh */ ++ return ssh_main(ac, av); ++ if (!strcmp( av[0] + l - 3, "ssh")) ++ return ssh_main(ac, av); ++ if (!strcmp( av[0] + l - 3, "scp")) ++ return scp_main(ac, av); ++ } + /* Save argv[0]. */ + saved_argv = av; + if (strchr(av[0], '/')) diff --git a/picobsd/ssh-picobsd/files/sshd.sh b/picobsd/ssh-picobsd/files/sshd.sh new file mode 100644 index 00000000000..dd882003037 --- /dev/null +++ b/picobsd/ssh-picobsd/files/sshd.sh @@ -0,0 +1,27 @@ +#!/bin/sh +case "$1" in + start) + !!PREFIX!!/sbin/sshd + echo -n ' sshd' + ;; + stop) + if [ -f /var/run/sshd.pid ]; then + kill -TERM `cat /var/run/sshd.pid` + rm -f /var/run/sshd.pid + echo -n ' sshd' + fi + ;; + restart) + if [ -f /var/run/sshd.pid ]; then + kill -HUP `cat /var/run/sshd.pid` + echo 'sshd restarted' + fi + ;; + -h) + echo "Usage: `basename $0` { start | stop | restart }" + ;; + *) + !!PREFIX!!/sbin/sshd + echo -n ' sshd' + ;; +esac diff --git a/picobsd/ssh-picobsd/pkg-comment b/picobsd/ssh-picobsd/pkg-comment new file mode 100644 index 00000000000..5bdd6e93c31 --- /dev/null +++ b/picobsd/ssh-picobsd/pkg-comment @@ -0,0 +1 @@ +Secure shell client, server and remote copy (for picobsd) diff --git a/picobsd/ssh-picobsd/pkg-descr b/picobsd/ssh-picobsd/pkg-descr new file mode 100644 index 00000000000..9c1a410f46f --- /dev/null +++ b/picobsd/ssh-picobsd/pkg-descr @@ -0,0 +1,7 @@ +Secure Shell is a program to log into another computer over a network, +to execute commands in a remote machine, and to move files from one +machine to another. It provides strong authentication and secure +communications over insecure channels. It is intended as a replacement +for rlogin, rsh, and rcp. +This port builds the three programs ssh, sshd and scp as a single binary, +and is intended for use with picobsd images. diff --git a/picobsd/ssh-picobsd/pkg-plist b/picobsd/ssh-picobsd/pkg-plist new file mode 100644 index 00000000000..e69de29bb2d --- /dev/null +++ b/picobsd/ssh-picobsd/pkg-plist |