26 files changed, 184 insertions, 925 deletions
| diff --git a/security/openssh/Makefile b/security/openssh/Makefile
index 48f7fe45fd8b..ba63f71b0661 100644
--- a/security/openssh/Makefile
+++ b/security/openssh/Makefile
@@ -6,8 +6,7 @@
 #
 PORTNAME=	OpenSSH
-PORTVERSION=	2.2.0
-PORTREVISION=	2
+PORTVERSION=	2.9
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
 		ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \
@@ -15,7 +14,7 @@ MASTER_SITES=	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \
 DISTNAME=	openssh-${PORTVERSION}
 EXTRACT_SUFX=	.tgz
-MAINTAINER=	ports@FreeBSD.org
+MAINTAINER=	dirk.meyer@dinoex.sub.org
 USE_OPENSSL=	YES
@@ -62,23 +61,11 @@ post-extract:
 	@${CP} ${FILESDIR}/getnameinfo.c ${WRKSRC}/lib/
 	@${CP} ${FILESDIR}/netdb.h ${WRKSRC}/
 .endif
-	@${MKDIR} ${WRKSRC}/pam_ssh
-	@${CP} ${FILESDIR}/pam_ssh_Makefile ${WRKSRC}/pam_ssh/Makefile
-	@${CP} ${FILESDIR}/pam_ssh.c ${WRKSRC}/pam_ssh/
 post-patch:
 	@${PERL} -pi -e 's:__PREFIX__:${PREFIX}:g' ${WRKSRC}/ssh.h	\
-		${WRKSRC}/sshd_config ${WRKSRC}/pam_ssh/pam_ssh.c	\
-		${WRKSRC}/sshd.sh
-
-.if ${PAM} == yes
-PLIST=		${WRKDIR}/PLIST
-
-do-configure:
-	@${CP} ${PKGDIR}/pkg-plist ${PLIST}
-	@${ECHO} "@cwd /usr" >> ${PLIST}
-	@${ECHO} "lib/pam_ssh.so" >> ${PLIST}
-.endif
+		${WRKSRC}/sshd_config ${WRKSRC}/sshd.sh \
+		${WRKSRC}/pathnames.h
 post-install:
 .if !exists(${PREFIX}/etc/ssh_host_key)
diff --git a/security/openssh/distinfo b/security/openssh/distinfo
index a6aa659575ed..3025d4d125f2 100644
--- a/security/openssh/distinfo
+++ b/security/openssh/distinfo
@@ -1 +1 @@
-MD5 (openssh-2.2.0.tgz) = 8ecfebc800f1c0646cbe09231a012764
+MD5 (openssh-2.9.tgz) = 80b842f8bae8786b2a8b81ba8a09772a
diff --git a/security/openssh/files/pam_ssh.c b/security/openssh/files/pam_ssh.c
deleted file mode 100644
index 4068bafd9d7c..000000000000
--- a/security/openssh/files/pam_ssh.c
+++ /dev/null
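Review bot: The `post-patch` hunk drops the pam_ssh build and the PAM-conditional `do-configure`/PLIST generation, but nothing in the port tells an upgrading user that `lib/pam_ssh.so` is no longer installed, so a PAM configuration line that still names the module will start failing at the next login without an obvious cause. A short pkg-message or an UPDATING entry stating that the module is gone and that the `pam_ssh` line must be removed from the PAM configuration would close that gap. The same hunk now also runs the `__PREFIX__` substitution over `pathnames.h`, so any port patch that writes an installation path into a source or config file should use the `__PREFIX__` marker rather than a literal `/usr/local`; a one-line comment above the `post-patch:` target naming that convention, e.g. `# every installed path in files/patch-* must be written as __PREFIX__`, would make the rule visible to the next maintainer.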
@@ -1,496 +0,0 @@
-/*-
- * Copyright (c) 1999 Andrew J. Korty
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD$
- *
- */
-
-
-#include <sys/param.h>
-#include <sys/queue.h>
-
-#include <fcntl.h>
-#include <paths.h>
-#include <pwd.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#define	PAM_SM_AUTH
-#define	PAM_SM_SESSION
-#include <security/pam_modules.h>
-#include <security/pam_mod_misc.h>
-
-#include <openssl/dsa.h>
-
-#include "includes.h"
-#include "rsa.h"
-#include "key.h"
-#include "ssh.h"
-#include "authfd.h"
-#include "authfile.h"
-
-#define	MODULE_NAME	"pam_ssh"
-#define	NEED_PASSPHRASE	"Need passphrase for %s (%s).\nEnter passphrase: "
-#define	PATH_SSH_AGENT	"__PREFIX__/bin/ssh-agent"
-
-
-void
-rsa_cleanup(pam_handle_t *pamh, void *data, int error_status)
-{
-	if (data)
-		RSA_free(data);
-}
-
-
-void
-ssh_cleanup(pam_handle_t *pamh, void *data, int error_status)
-{
-	if (data)
-		free(data);
-}
-
-
-/*
- * The following set of functions allow the module to manipulate the
- * environment without calling the putenv() or setenv() stdlib functions.
- * At least one version of these functions, on the first call, copies
- * the environment into dynamically-allocated memory and then augments
- * it.  On subsequent calls, the realloc() call is used to grow the
- * previously allocated buffer.  Problems arise when the "environ"
- * variable is changed to point to static memory after putenv()/setenv()
- * have been called.
- * 
- * We don't use putenv() or setenv() in case the application subsequently
- * manipulates environ, (e.g., to clear the environment by pointing
- * environ at an array of one element equal to NULL).
- */ - -SLIST_HEAD(env_head, env_entry); - -struct env_entry { -	char			*ee_env; -	SLIST_ENTRY(env_entry)	 ee_entries; -}; - -typedef struct env { -	char		**e_environ_orig; -	char		**e_environ_new; -	int		  e_count; -	struct env_head	  e_head; -	int		  e_committed; -} ENV; - -extern char **environ; - - -static ENV * -env_new(void) -{ -	ENV	*self; - -	if (!(self = malloc(sizeof (ENV)))) { -		syslog(LOG_CRIT, "%m"); -		return NULL; -	} -	SLIST_INIT(&self->e_head); -	self->e_count = 0; -	self->e_committed = 0; -	return self; -} - - -static int -env_put(ENV *self, char *s) -{ -	struct env_entry	*env; - -	if (!(env = malloc(sizeof (struct env_entry))) || -	    !(env->ee_env = strdup(s))) { -		syslog(LOG_CRIT, "%m"); -		return PAM_SERVICE_ERR; -	} -	SLIST_INSERT_HEAD(&self->e_head, env, ee_entries); -	++self->e_count; -	return PAM_SUCCESS; -} - - -static void -env_swap(ENV *self, int which) -{ -	environ = which ? self->e_environ_new : self->e_environ_orig; -} - - -static int -env_commit(ENV *self) -{ -	int			  n; -	struct env_entry	 *p; -	char 			**v; - -	for (v = environ, n = 0; v && *v; v++, n++) -		; -	if (!(v = malloc((n + self->e_count + 1) * sizeof (char *)))) { -		syslog(LOG_CRIT, "%m"); -		return PAM_SERVICE_ERR; -	} -	self->e_committed = 1; -	(void)memcpy(v, environ, n * sizeof (char *)); -	SLIST_FOREACH(p, &self->e_head, ee_entries) -		v[n++] = p->ee_env; -	v[n] = NULL; -	self->e_environ_orig = environ; -	self->e_environ_new = v; -	env_swap(self, 1); -	return PAM_SUCCESS; -} - - -static void -env_destroy(ENV *self) -{ -	struct env_entry	 *p; - -	env_swap(self, 0); -	SLIST_FOREACH(p, &self->e_head, ee_entries) { -		free(p->ee_env); -		free(p); -	} -	if (self->e_committed) -		free(self->e_environ_new); -	free(self); -} - - -void -env_cleanup(pam_handle_t *pamh, void *data, int error_status) -{ -	if (data) -		env_destroy(data); -} - - -typedef struct passwd PASSWD; - -PAM_EXTERN int -pam_sm_authenticate( -	pam_handle_t	 *pamh, -	int		  flags, -	int		  argc, -	
const char	**argv) -{ -	char		*comment_priv;		/* on private key */ -	char		*comment_pub;		/* on public key */ -	char		*identity;		/* user's identity file */ -	Key		 key;			/* user's private key */ -	int		 options;		/* module options */ -	const char	*pass;			/* passphrase */ -	char		*prompt;		/* passphrase prompt */ -	Key		 public_key;		/* user's public key */ -	const PASSWD	*pwent;			/* user's passwd entry */ -	PASSWD		*pwent_keep;		/* our own copy */ -	int		 retval;		/* from calls */ -	uid_t		 saved_uid;		/* caller's uid */ -	const char	*user;			/* username */ - -	options = 0; -	while (argc--) -		pam_std_option(&options, *argv++); -	if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) -		return retval; -	if (!((pwent = getpwnam(user)) && pwent->pw_dir)) { -		/* delay? */ -		return PAM_AUTH_ERR; -	} -	/* locate the user's private key file */ -	if (!asprintf(&identity, "%s/%s", pwent->pw_dir, -	    SSH_CLIENT_IDENTITY)) { -		syslog(LOG_CRIT, "%s: %m", MODULE_NAME); -		return PAM_SERVICE_ERR; -	} -	/* -	 * Fail unless we can load the public key.  Change to the -	 * owner's UID to appease load_public_key(). 
-	 */ -	key.type = KEY_RSA; -	key.rsa = RSA_new(); -	public_key.type = KEY_RSA; -	public_key.rsa = RSA_new(); -	saved_uid = getuid(); -	(void)setreuid(pwent->pw_uid, saved_uid); -	retval = load_public_key(identity, &public_key, &comment_pub); -	(void)setuid(saved_uid); -	if (!retval) { -		free(identity); -		return PAM_AUTH_ERR; -	} -	RSA_free(public_key.rsa); -	/* build the passphrase prompt */ -	retval = asprintf(&prompt, NEED_PASSPHRASE, identity, comment_pub); -	free(comment_pub); -	if (!retval) { -		syslog(LOG_CRIT, "%s: %m", MODULE_NAME); -		free(identity); -		return PAM_SERVICE_ERR; -	} -	/* pass prompt message to application and receive passphrase */ -	retval = pam_get_pass(pamh, &pass, prompt, options); -	free(prompt); -	if (retval != PAM_SUCCESS) { -		free(identity); -		return retval; -	} -	/* -	 * Try to decrypt the private key with the passphrase provided. -	 * If success, the user is authenticated. -	 */ -	(void)setreuid(pwent->pw_uid, saved_uid); -	retval = load_private_key(identity, pass, &key, &comment_priv); -	free(identity); -	(void)setuid(saved_uid); -	if (!retval) -		return PAM_AUTH_ERR; -	/* -	 * Save the key and comment to pass to ssh-agent in the session -	 * phase. -	 */ -	if ((retval = pam_set_data(pamh, "ssh_private_key", key.rsa, -	    rsa_cleanup)) != PAM_SUCCESS) { -		RSA_free(key.rsa); -		free(comment_priv); -		return retval; -	} -	if ((retval = pam_set_data(pamh, "ssh_key_comment", comment_priv, -	    ssh_cleanup)) != PAM_SUCCESS) { -		free(comment_priv); -		return retval; -	} -	/* -	 * Copy the passwd entry (in case successive calls are made) -	 * and save it for the session phase. 
-	 */ -	if (!(pwent_keep = malloc(sizeof *pwent))) { -		syslog(LOG_CRIT, "%m"); -		return PAM_SERVICE_ERR; -	} -	(void)memcpy(pwent_keep, pwent, sizeof *pwent_keep); -	if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, -	    ssh_cleanup)) != PAM_SUCCESS) { -		free(pwent_keep); -		return retval; -	} -	return PAM_SUCCESS; -} - - -PAM_EXTERN int -pam_sm_setcred( -	pam_handle_t	 *pamh, -	int		  flags, -	int		  argc, -	const char	**argv) -{ -	return PAM_SUCCESS; -} - - -typedef AuthenticationConnection AC; - -PAM_EXTERN int -pam_sm_open_session( -	pam_handle_t	 *pamh, -	int		  flags, -	int		  argc, -	const char	**argv) -{ -	AC		*ac;			/* to ssh-agent */ -	char		*comment;		/* on private key */ -	char		*env_end;		/* end of env */ -	char		*env_file;		/* to store env */ -	FILE		*env_fp;		/* env_file handle */ -	Key		 key;			/* user's private key */ -	FILE		*pipe;			/* ssh-agent handle */ -	const PASSWD	*pwent;			/* user's passwd entry */ -	int		 retval;		/* from calls */ -	uid_t		 saved_uid;		/* caller's uid */ -	ENV		*ssh_env;		/* env handle */ -	const char	*tty;			/* tty or display name */ -	char		 hname[MAXHOSTNAMELEN];	/* local hostname */ -	char		 parse[BUFSIZ];		/* commands output */ - -	/* dump output of ssh-agent in ~/.ssh */ -	if ((retval = pam_get_data(pamh, "ssh_passwd_entry", -	    (const void **)&pwent)) != PAM_SUCCESS) -		return retval; -	/* use the tty or X display name in the filename */ -	if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty)) -	    != PAM_SUCCESS) -		return retval; -	if (*tty == ':' && gethostname(hname, sizeof hname) == 0) { -		if (asprintf(&env_file, "%s/.ssh/agent-%s%s", -		    pwent->pw_dir, hname, tty) == -1) { -			syslog(LOG_CRIT, "%s: %m", MODULE_NAME); -			return PAM_SERVICE_ERR; -		} -	} else if (asprintf(&env_file, "%s/.ssh/agent-%s", pwent->pw_dir, -	    tty) == -1) { -		syslog(LOG_CRIT, "%s: %m", MODULE_NAME); -		return PAM_SERVICE_ERR; -	} -	/* save the filename so we can delete the file on session close 
*/ -	if ((retval = pam_set_data(pamh, "ssh_agent_env", env_file, -	    ssh_cleanup)) != PAM_SUCCESS) { -		free(env_file); -		return retval; -	} -	/* start the agent as the user */ -	saved_uid = geteuid(); -	(void)seteuid(pwent->pw_uid); -	env_fp = fopen(env_file, "w"); -	pipe = popen(PATH_SSH_AGENT, "r"); -	(void)seteuid(saved_uid); -	if (!pipe) { -		syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT); -		if (env_fp) -			(void)fclose(env_fp); -		return PAM_SESSION_ERR; -	} -	if (!(ssh_env = env_new())) -		return PAM_SESSION_ERR; -	if ((retval = pam_set_data(pamh, "ssh_env_handle", ssh_env, -	    env_cleanup)) != PAM_SUCCESS) -		return retval; -	while (fgets(parse, sizeof parse, pipe)) { -		if (env_fp) -			(void)fputs(parse, env_fp); -		/* -		 * Save environment for application with pam_putenv() -		 * but also with env_* functions for our own call to -		 * ssh_get_authentication_connection(). -		 */ -		if (strchr(parse, '=') && (env_end = strchr(parse, ';'))) { -			*env_end = '\0'; -			/* pass to the application ... 
*/ -			if (!((retval = pam_putenv(pamh, parse)) == -			    PAM_SUCCESS)) { -				(void)pclose(pipe); -				if (env_fp) -					(void)fclose(env_fp); -				env_destroy(ssh_env); -				return PAM_SERVICE_ERR; -			} -			env_put(ssh_env, parse); -		} -	} -	if (env_fp) -		(void)fclose(env_fp); -	switch (retval = pclose(pipe)) { -	case -1: -		syslog(LOG_ERR, "%s: %s: %m", MODULE_NAME, PATH_SSH_AGENT); -		env_destroy(ssh_env); -		return PAM_SESSION_ERR; -	case 0: -		break; -	case 127: -		syslog(LOG_ERR, "%s: cannot execute %s", MODULE_NAME, -		    PATH_SSH_AGENT); -		env_destroy(ssh_env); -		return PAM_SESSION_ERR; -	default: -		syslog(LOG_ERR, "%s: %s exited with status %d", -		    MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval)); -		env_destroy(ssh_env); -		return PAM_SESSION_ERR; -	} -	key.type = KEY_RSA; -	/* connect to the agent and hand off the private key */ -	if ((retval = pam_get_data(pamh, "ssh_private_key", -	    (const void **)&key.rsa)) != PAM_SUCCESS || -	    (retval = pam_get_data(pamh, "ssh_key_comment", -	    (const void **)&comment)) != PAM_SUCCESS || -	    (retval = env_commit(ssh_env)) != PAM_SUCCESS) { -		env_destroy(ssh_env); -		return retval; -	} -	if (!(ac = ssh_get_authentication_connection())) { -		syslog(LOG_ERR, "%s: could not connect to agent", -		    MODULE_NAME); -		env_destroy(ssh_env); -		return PAM_SESSION_ERR; -	} -	retval = ssh_add_identity(ac, &key, comment); -	ssh_close_authentication_connection(ac); -	env_swap(ssh_env, 0); -	return retval ? 
PAM_SUCCESS : PAM_SESSION_ERR; -} - - -PAM_EXTERN int -pam_sm_close_session( -	pam_handle_t	 *pamh, -	int		  flags, -	int		  argc, -	const char	**argv) -{ -	const char	*env_file;	/* ssh-agent environment */ -	int	 	 retval;	/* from calls */ -	ENV		*ssh_env;	/* env handle */ - -	if ((retval = pam_get_data(pamh, "ssh_env_handle", -	    (const void **)&ssh_env)) != PAM_SUCCESS) -		return retval; -	env_swap(ssh_env, 1); -	/* kill the agent */ -	retval = system(PATH_SSH_AGENT " -k"); -	env_destroy(ssh_env); -	switch (retval) { -	case -1: -		syslog(LOG_ERR, "%s: %s -k: %m", MODULE_NAME, -		    PATH_SSH_AGENT); -		return PAM_SESSION_ERR; -	case 0: -		break; -	case 127: -		syslog(LOG_ERR, "%s: cannot execute %s -k", MODULE_NAME, -		    PATH_SSH_AGENT); -		return PAM_SESSION_ERR; -	default: -		syslog(LOG_ERR, "%s: %s -k exited with status %d", -		    MODULE_NAME, PATH_SSH_AGENT, WEXITSTATUS(retval)); -		return PAM_SESSION_ERR; -	} -	/* retrieve environment filename, then remove the file */ -	if ((retval = pam_get_data(pamh, "ssh_agent_env", -	    (const void **)&env_file)) != PAM_SUCCESS) -		return retval; -	(void)unlink(env_file); -	return PAM_SUCCESS; -} - - -PAM_MODULE_ENTRY(MODULE_NAME); diff --git a/security/openssh/files/pam_ssh_Makefile b/security/openssh/files/pam_ssh_Makefile deleted file mode 100644 index 3ab738647e57..000000000000 --- a/security/openssh/files/pam_ssh_Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# PAM module for SSH -# $FreeBSD$ -.PATH:		${.CURDIR}/.. - -LIB=		pam_ssh -DESTDIR= -SHLIB_NAME=	pam_ssh.so -SRCS=		log-client.c pam_ssh.c -CFLAGS+=	-Wall -DPADD+=		${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} ${LIBGCC_PIC} -LDADD+=		${CRYPTOLIBS} -lutil -lz -lgcc_pic -INTERNALLIB=	yes -INTERNALSTATICLIB=yes - -.include <bsd.lib.mk> diff --git a/security/openssh/files/patch-aa b/security/openssh/files/patch-aa index 34873db4f8d2..d6e6c1fa3506 100644 --- a/security/openssh/files/patch-aa +++ b/security/openssh/files/patch-aa 
@@ -1,15 +1,13 @@ ---- Makefile.orig	Wed Feb 23 06:18:58 2000 -+++ Makefile	Wed Feb 23 06:22:22 2000 -@@ -1,13 +1,17 @@ - #	$OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $ +--- Makefile.orig	Sun Feb  4 12:11:53 2001 ++++ Makefile	Sat May 26 16:03:54 2001 +@@ -1,14 +1,15 @@ + #	$OpenBSD: Makefile,v 1.8 2001/02/04 11:11:53 djm Exp $   .include <bsd.own.mk>  +.include "Makefile.inc" - SUBDIR=	lib ssh sshd ssh-add ssh-keygen ssh-agent scp -+.if ${PAM} == yes -+SUBDIR+=	pam_ssh -+.endif + SUBDIR=	lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \ + 	ssh-keyscan sftp   distribution:  -	install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ diff --git a/security/openssh/files/patch-ad b/security/openssh/files/patch-ad index 497f53dda38c..1987f6c152cc 100644 --- a/security/openssh/files/patch-ad +++ b/security/openssh/files/patch-ad @@ -1,11 +1,11 @@ ---- lib/Makefile.orig	Sat Aug 19 17:34:44 2000 -+++ lib/Makefile	Sat Nov  4 16:41:11 2000 -@@ -5,7 +5,12 @@ - 	cipher.c compat.c compress.c crc32.c deattack.c \ +--- lib/Makefile.orig	Tue Apr  3 21:53:30 2001 ++++ lib/Makefile	Sat May 26 14:39:03 2001 +@@ -8,7 +8,12 @@   	hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \   	rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ --	key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c -+	key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c \ + 	key.c dispatch.c kex.c mac.c uuencode.c misc.c \ +-	cli.c rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c ++	cli.c rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \  +	strlcpy.c strlcat.c  +  +.if defined(COMPAT_GETADDRINFO) @@ -14,11 +14,11 @@   NOPROFILE= yes   NOPIC=	yes -@@ -14,6 +19,7 @@ +@@ -17,6 +22,7 @@   	@echo -n   .include <bsd.own.mk>  +.include "../Makefile.inc" - .if (${KERBEROS} == "yes") + .if (${KERBEROS:L} == "yes")   CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV 
diff --git a/security/openssh/files/patch-ae b/security/openssh/files/patch-ae index 33c57f42e6fc..91b4d3f1ebdd 100644 --- a/security/openssh/files/patch-ae +++ b/security/openssh/files/patch-ae @@ -1,8 +1,8 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/login.c	Tue Nov 23 18:55:14 1999 -+++ ./login.c	Tue Nov 23 19:35:08 1999 -@@ -20,7 +20,11 @@ +--- sshlogin.c.orig	Sat Mar 24 17:43:27 2001 ++++ sshlogin.c	Sat May 26 14:42:30 2001 +@@ -41,7 +41,11 @@   #include "includes.h" - RCSID("$Id: login.c,v 1.8 1999/11/23 22:25:54 markus Exp $"); + RCSID("$OpenBSD: sshlogin.c,v 1.2 2001/03/24 16:43:27 stevesk Exp $");  +#ifdef __FreeBSD__  +#include <libutil.h> @@ -10,5 +10,5 @@   #include <util.h>  +#endif /* __FreeBSD__ */   #include <utmp.h> - #include "ssh.h" -  + #include "sshlogin.h" + #include "log.h" diff --git a/security/openssh/files/patch-ag b/security/openssh/files/patch-ag index 366125f8eb1b..7f0fa7e85871 100644 --- a/security/openssh/files/patch-ag +++ b/security/openssh/files/patch-ag @@ -1,6 +1,6 @@ ---- ssh/Makefile.orig	Thu Jun 29 14:35:47 2000 -+++ ssh/Makefile	Sat Nov  4 16:58:41 2000 -@@ -5,8 +5,8 @@ +--- ssh/Makefile.orig	Sat Apr 14 18:33:20 2001 ++++ ssh/Makefile	Sat May 26 14:54:24 2001 +@@ -7,8 +7,8 @@   BINMODE?=4555 
@@ -11,26 +11,26 @@   LINKS=	${BINDIR}/ssh ${BINDIR}/slogin   MLINKS=	ssh.1 slogin.1 -@@ -14,10 +14,11 @@ +@@ -16,10 +16,11 @@   	sshconnect.c sshconnect1.c sshconnect2.c   .include <bsd.own.mk> # for AFS  +.include "../Makefile.inc" - .if (${KERBEROS} == "yes") + .if (${KERBEROS:L} == "yes")  -CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV  -LDADD+=	 -lkrb  +CFLAGS+= -DKRB4 -I/usr/include/kerberosIV  +LDADD+=	 -lkrb -lcom_err   DPADD+=	 ${LIBKRB} - .if (${AFS} == "yes") + .if (${AFS:L} == "yes")   CFLAGS+= -DAFS -@@ -27,6 +28,7 @@ +@@ -29,6 +30,7 @@   .endif # KERBEROS   .include <bsd.prog.mk>  +.include "../Makefile.inc" --LDADD+=	-lutil -lz -lcrypto -+LDADD+=	-lutil -lz ${CRYPTOLIBS} - DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ} +-LDADD+=	-lcrypto -lz ++LDADD+=	${CRYPTOLIBS} -lz + DPADD+=	${LIBCRYPTO} ${LIBZ} diff --git a/security/openssh/files/patch-ah b/security/openssh/files/patch-ah index a31814e3b0c0..e8998f956c92 100644 --- a/security/openssh/files/patch-ah +++ b/security/openssh/files/patch-ah @@ -1,6 +1,6 @@ ---- ssh-add/Makefile.orig	Thu Jun 29 14:35:47 2000 -+++ ssh-add/Makefile	Sat Nov  4 17:01:50 2000 -@@ -5,12 +5,12 @@ +--- ssh-add/Makefile.orig	Sun Mar  4 01:51:25 2001 ++++ ssh-add/Makefile	Sat May 26 14:56:29 2001 +@@ -7,12 +7,12 @@   BINMODE?=555 @@ -9,10 +9,10 @@  +BINDIR=	/bin  +MAN1=	ssh-add.1 - SRCS=	ssh-add.c log-client.c + SRCS=	ssh-add.c   .include <bsd.prog.mk> --LDADD+=	-lcrypto -lutil -lz -+LDADD+=	${CRYPTOLIBS} -lutil -lz - DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} +-LDADD+=	-lcrypto ++LDADD+=	${CRYPTOLIBS} + DPADD+= ${LIBCRYPTO} diff --git a/security/openssh/files/patch-ai b/security/openssh/files/patch-ai index ed25eab56559..c1a75662404e 100644 --- a/security/openssh/files/patch-ai +++ b/security/openssh/files/patch-ai 
@@ -1,6 +1,6 @@ ---- ssh-agent/Makefile.orig	Thu Jun 29 14:35:48 2000 -+++ ssh-agent/Makefile	Sat Nov  4 17:06:34 2000 -@@ -5,12 +5,12 @@ +--- ssh-agent/Makefile.orig	Sun Mar  4 01:51:25 2001 ++++ ssh-agent/Makefile	Sat May 26 14:58:48 2001 +@@ -7,12 +7,12 @@   BINMODE?=555 @@ -9,10 +9,10 @@  +BINDIR=	/bin  +MAN1=	ssh-agent.1 - SRCS=	ssh-agent.c log-client.c + SRCS=	ssh-agent.c   .include <bsd.prog.mk> --LDADD+=	-lcrypto -lutil -lz -+LDADD+=	${CRYPTOLIBS} -lutil -lz - DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} +-LDADD+=	-lcrypto ++LDADD+=	${CRYPTOLIBS} + DPADD+=	${LIBCRYPTO} diff --git a/security/openssh/files/patch-aj b/security/openssh/files/patch-aj index d48741d214ae..1ed89ae0966e 100644 --- a/security/openssh/files/patch-aj +++ b/security/openssh/files/patch-aj @@ -1,6 +1,6 @@ ---- ssh-keygen/Makefile.orig	Thu Jun 29 14:35:48 2000 -+++ ssh-keygen/Makefile	Sat Nov  4 17:06:49 2000 -@@ -5,12 +5,12 @@ +--- ssh-keygen/Makefile.orig	Sun Mar  4 01:51:26 2001 ++++ ssh-keygen/Makefile	Sat May 26 15:02:25 2001 +@@ -7,12 +7,12 @@   BINMODE?=555 @@ -9,10 +9,10 @@  +BINDIR=	/bin  +MAN1=	ssh-keygen.1 - SRCS=	ssh-keygen.c log-client.c + SRCS=	ssh-keygen.c   .include <bsd.prog.mk> --LDADD+=	-lcrypto -lutil -lz -+LDADD+=	${CRYPTOLIBS} -lutil -lz - DPADD+=	${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} +-LDADD+=	-lcrypto ++LDADD+=	${CRYPTOLIBS} + DPADD+=	${LIBCRYPTO} diff --git a/security/openssh/files/patch-ak b/security/openssh/files/patch-ak index d139441788fd..a55517683cfa 100644 --- a/security/openssh/files/patch-ak +++ b/security/openssh/files/patch-ak @@ -1,6 +1,6 @@ ---- ssh.c.orig	Tue May 30 23:36:40 2000 -+++ ssh.c	Tue Jun 20 16:15:29 2000 -@@ -156,6 +156,9 @@ +--- ssh.c.orig	Tue Apr 17 14:55:04 2001 ++++ ssh.c	Sat May 26 15:05:28 2001 +@@ -199,6 +199,9 @@   	log("Using rsh.  WARNING: Connection will not be encrypted.");   	/* Build argument list for rsh. */   	i = 0; 
@@ -10,15 +10,3 @@   	args[i++] = _PATH_RSH;   	/* host may have to come after user on some systems */   	args[i++] = host; -@@ -482,6 +485,11 @@ - 	pwcopy.pw_gid = pw->pw_gid; - 	pwcopy.pw_dir = xstrdup(pw->pw_dir); - 	pwcopy.pw_shell = xstrdup(pw->pw_shell); -+#ifdef __FreeBSD__ -+	pwcopy.pw_class = xstrdup(pw->pw_class); -+ 	pwcopy.pw_expire = pw->pw_expire; -+ 	pwcopy.pw_change = pw->pw_change; -+#endif /* __FreeBSD__ */ - 	pw = &pwcopy; -  - 	/* Initialize "log" output.  Since we are the client all output diff --git a/security/openssh/files/patch-al b/security/openssh/files/patch-al index dac933a7a42b..149d5fa222ac 100644 --- a/security/openssh/files/patch-al +++ b/security/openssh/files/patch-al @@ -1,20 +1,20 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh.h	Sun Nov 28 16:47:46 1999 -+++ ssh.h	Sun Nov 28 17:00:07 1999 -@@ -61,7 +61,7 @@ +--- pathnames.h.orig	Thu Apr 12 21:15:24 2001 ++++ pathnames.h	Sat May 26 15:11:30 2001 +@@ -12,7 +12,7 @@ +  * called by a name other than "ssh" or "Secure Shell".    */ - #define SSH_SERVICE_NAME	"ssh" --#define ETCDIR			"/etc" -+#define ETCDIR			"__PREFIX__/etc" - #define PIDDIR			"/var/run" +-#define ETCDIR				"/etc" ++#define ETCDIR				"__PREFIX__/etc" + #define _PATH_SSH_PIDDIR		"/var/run"   /* -@@ -78,7 +78,7 @@ - #define SERVER_CONFIG_FILE	ETCDIR "/sshd_config" - #define HOST_CONFIG_FILE	ETCDIR "/ssh_config" +@@ -33,7 +33,7 @@ + #define _PATH_HOST_RSA_KEY_FILE		ETCDIR "/ssh_host_rsa_key" + #define _PATH_DH_PRIMES			ETCDIR "/primes" --#define SSH_PROGRAM		"/usr/bin/ssh" -+#define SSH_PROGRAM		"__PREFIX__/bin/ssh" +-#define _PATH_SSH_PROGRAM		"/usr/bin/ssh" ++#define _PATH_SSH_PROGRAM		"__PREFIX__/bin/ssh"   /*    * The process id of the daemon listening for connections is saved here to diff --git a/security/openssh/files/patch-ao b/security/openssh/files/patch-ao index 96aaa0db0b3f..d81a41d4bc82 100644 --- a/security/openssh/files/patch-ao +++ b/security/openssh/files/patch-ao 
@@ -1,29 +1,35 @@ ---- sshd_config.orig	Fri Aug  4 16:30:35 2000 -+++ sshd_config	Sat Nov  4 17:32:28 2000 -@@ -4,12 +4,11 @@ +--- sshd_config.orig	Sat May 26 14:48:18 2001 ++++ sshd_config	Sat May 26 15:15:11 2001 +@@ -7,13 +7,13 @@   #Protocol 2,1   #ListenAddress 0.0.0.0   #ListenAddress ::  -HostKey /etc/ssh_host_key +-HostKey /etc/ssh_host_rsa_key +-HostKey /etc/ssh_host_dsa_key  +HostKey /usr/local/etc/ssh_host_key ++HostKey /usr/local/etc/ssh_host_rsa_key ++HostKey /usr/local/etc/ssh_host_dsa_key   ServerKeyBits 768  -LoginGraceTime 600  +LoginGraceTime 120   KeyRegenerationInterval 3600  -PermitRootLogin yes --#  +PermitRootLogin no + #   # Don't read ~/.rhosts and ~/.shosts files   IgnoreRhosts yes - # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -@@ -48,7 +47,7 @@ +@@ -57,10 +57,10 @@   #KerberosTgtPassing yes   #CheckMail yes  -#UseLogin no  +UseLogin no --#Subsystem	sftp	/usr/local/sbin/sftpd  -#MaxStartups 10:30:60 -+Subsystem	sftp	/usr/local/sbin/sftpd  +MaxStartups 10:30:60 + #Banner /etc/issue.net + #ReverseMappingCheck yes +  +-Subsystem	sftp	/usr/libexec/sftp-server ++Subsystem	sftp	/usr/local/libexec/sftp-server diff --git a/security/openssh/files/patch-ap b/security/openssh/files/patch-ap index a5d51a23cafd..67fc4dcb4f6b 100644 --- a/security/openssh/files/patch-ap +++ b/security/openssh/files/patch-ap 
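Review bot: The three new `HostKey` lines and the `Subsystem sftp` line in this hunk hard-code `/usr/local/etc` and `/usr/local/libexec`, while the port's post-patch target rewrites `__PREFIX__` in sshd_config and post-install generates the host keys under `${PREFIX}/etc`; with any PREFIX other than /usr/local the installed sshd_config points at host keys and an sftp-server that do not exist, so sshd will most likely refuse to start for lack of a usable host key, or fail every sftp session. Use the substitution marker instead: `HostKey __PREFIX__/etc/ssh_host_key` (and likewise for the `_rsa_key`/`_dsa_key` lines) and `Subsystem	sftp	__PREFIX__/libexec/sftp-server`. The tightened `PermitRootLogin no`, `LoginGraceTime 120` and `UseLogin no` defaults are a sound hardening of the upstream file and deserve a mention in the commit message so administrators know the shipped configuration deliberately differs from upstream.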
@@ -1,50 +1,11 @@ -Index: clientloop.c -=================================================================== -RCS file: /usr2/ncvs/src/crypto/openssh/clientloop.c,v -retrieving revision 1.1.1.3 -diff -u -r1.1.1.3 clientloop.c ---- clientloop.c	2000/09/10 08:29:25	1.1.1.3 -+++ clientloop.c	2000/11/14 03:15:02 -@@ -75,6 +75,8 @@ - #include "buffer.h" - #include "bufaux.h" +--- clientloop.c.orig	Fri Apr 20 09:17:51 2001 ++++ clientloop.c	Sat May 26 15:18:51 2001 +@@ -1131,7 +1131,7 @@ -+extern Options options; -+ - /* Flag indicating that stdin should be redirected from /dev/null. */ - extern int stdin_null_flag; -  -@@ -793,7 +795,6 @@ - int - client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id) - { --	extern Options options; - 	double start_time, total_time; - 	int len; - 	char buf[100]; -@@ -1036,7 +1037,7 @@ - 	debug("client_input_channel_open: ctype %s rchan %d win %d max %d", - 	    ctype, rchan, rwindow, rmaxpack); -  --	if (strcmp(ctype, "x11") == 0) { -+	if (strcmp(ctype, "x11") == 0 && options.forward_x11) { - 		int sock; - 		char *originator; - 		int originator_port; -@@ -1108,11 +1109,14 @@ - 	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation); - 	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); - 	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open); --	dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request); - 	dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status); - 	dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data); - 	dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data); --	dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open); -+ -+	dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ? -+	    &auth_input_open_request : NULL); -+	dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ? 
-+	    &x11_input_open : NULL); - } - void - client_init_dispatch_15() + 	if (strcmp(ctype, "forwarded-tcpip") == 0) { + 		c = client_request_forwarded_tcpip(ctype, rchan); +-	} else if (strcmp(ctype, "x11") == 0) { ++	} else if (strcmp(ctype, "x11") == 0 && options.forward_x11) { + 		c = client_request_x11(ctype, rchan); + 	} else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { + 		c = client_request_agent(ctype, rchan); diff --git a/security/openssh/files/patch-as b/security/openssh/files/patch-as index b65bcb5e6e6a..779f890a1493 100644 --- a/security/openssh/files/patch-as +++ b/security/openssh/files/patch-as @@ -1,14 +1,14 @@ ---- pty.c.orig	Thu Dec 23 01:13:10 1999 -+++ pty.c	Thu Dec 23 01:14:05 1999 -@@ -16,7 +16,11 @@ +--- sshpty.c.orig	Sun Mar  4 02:46:30 2001 ++++ sshpty.c	Sat May 26 15:21:34 2001 +@@ -14,7 +14,11 @@   #include "includes.h" - RCSID("$Id: pty.c,v 1.11 1999/12/11 09:35:46 markus Exp $"); + RCSID("$OpenBSD: sshpty.c,v 1.1 2001/03/04 01:46:30 djm Exp $");  +#ifdef __FreeBSD__  +#include <libutil.h>  +#else   #include <util.h>  +#endif - #include "pty.h" - #include "ssh.h" + #include "sshpty.h" + #include "log.h" diff --git a/security/openssh/files/patch-au b/security/openssh/files/patch-au index fb814278d586..9a63dcabe805 100644 --- a/security/openssh/files/patch-au +++ b/security/openssh/files/patch-au @@ -1,8 +1,8 @@ ---- /home/bright/ssh/ssh/session.c	Sun Aug 27 20:50:54 2000 -+++ session.c	Fri Feb  9 11:19:14 2001 -@@ -28,6 +28,12 @@ - #include "auth.h" - #include "auth-options.h" +--- session.c.orig	Tue Apr 17 21:34:25 2001 ++++ session.c	Sat May 26 15:45:15 2001 +@@ -58,6 +58,12 @@ + #include "canohost.h" + #include "session.h"  +#ifdef __FreeBSD__  +#include <libutil.h> 
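Review bot: The rewritten patch guards only the `"x11"` branch of the channel-open dispatcher with `options.forward_x11`; the `"auth-agent@openssh.com"` branch two lines below gets no matching `options.forward_agent` check, although the previous version of this patch guarded `SSH_SMSG_AGENT_OPEN` as well as X11. If 2.9's `client_request_agent()` and `client_request_x11()` already reject forwarding the user did not enable, the guard added here is redundant and the patch can be dropped; if they do not, the agent branch needs `} else if (strcmp(ctype, "auth-agent@openssh.com") == 0 && options.forward_agent) {` for the same reason. Either way a one-line comment above the changed `else if`, e.g. `/* refuse server-initiated X11 channels unless the user asked for forwarding */`, would tell the next person regenerating this patch why the check sits in the dispatcher. Both request handlers and the `extern Options options;` declaration the new patch now relies on are outside the hunk, so this should be confirmed against the 2.9 clientloop.c.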
@@ -10,10 +10,10 @@  +#include <time.h>  +#endif /* __FreeBSD__ */  + - #ifdef HAVE_LOGIN_CAP - #include <login_cap.h> - #endif -@@ -413,6 +419,13 @@ + /* types */ +  + #define TTYSZ 64 +@@ -461,6 +467,13 @@   		log_init(__progname, options.log_level, options.log_facility, log_stderr);   		/* @@ -22,12 +22,12 @@  +		 */  +		if (command != NULL)  +			options.use_login = 0; -+		 ++  +		/*   		 * Create a new session and process group since the 4.4BSD   		 * setlogin() affects the entire process group.   		 */ -@@ -516,6 +529,13 @@ +@@ -566,6 +579,13 @@   		/* Child.  Reinitialize the log because the pid has changed. */   		log_init(__progname, options.log_level, options.log_facility, log_stderr); @@ -37,22 +37,26 @@  +		 */  +		if (command != NULL)  +			options.use_login = 0; -+		 ++   		/* Close the master side of the pseudo tty. */   		close(ptyfd); -@@ -602,6 +622,7 @@ +@@ -639,6 +659,11 @@   	time_t last_login_time;   	struct passwd * pw = s->pw;   	pid_t pid = getpid(); ++#ifdef HAVE_LOGIN_CAP ++	FILE *f; ++	char buf[256];  +	char *fname; ++#endif /* HAVE_LOGIN_CAP */   	/*   	 * Get IP address of client. If the connection is not a socket, let -@@ -644,6 +665,20 @@ - 		else - 			printf("Last login: %s from %s\r\n", time_string, buf); +@@ -679,6 +704,21 @@ + 			printf("Last login: %s from %s\r\n", time_string, hostname);   	} +   +#ifdef HAVE_LOGIN_CAP  +	if (!options.use_login) {  +		fname = login_getcapstr(lc, "copyright", NULL, NULL); @@ -67,10 +71,11 @@  +	    "All rights reserved.");  +	}  +#endif /* HAVE_LOGIN_CAP */ - 	if (options.print_motd) { - #ifdef HAVE_LOGIN_CAP - 		f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", -@@ -949,7 +984,7 @@ ++ + 	do_motd(); + } +  +@@ -1027,7 +1067,7 @@   	 * initgroups, because at least on Solaris 2.3 it leaves file   	 * descriptors open.   	 */ 
@@ -79,11 +84,10 @@
  		close(i);
  	/* Change current directory to the user\'s home directory. */
-@@ -973,7 +1008,27 @@
+@@ -1051,6 +1091,26 @@
  	 * in this order).
  	 */
  	if (!options.use_login) {
--		if (stat(SSH_USER_RC, &st) >= 0) {
 +#ifdef __FreeBSD__
 +		/*
 +		 * If the password change time is set and has passed, give the
@@ -104,7 +108,6 @@
 +			}
 +		}
 +#endif /* __FreeBSD__ */
-+                if (stat(SSH_USER_RC, &st) >= 0) {
+ 		/* ignore _PATH_SSH_USER_RC for subsystems */
+ 		if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0)) {
  			if (debug_flag)
- 				fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC);
- 
diff --git a/security/openssh/files/patch-aw b/security/openssh/files/patch-aw
deleted file mode 100644
index dd187964ac7d..000000000000
--- a/security/openssh/files/patch-aw
+++ /dev/null
@@ -1,14 +0,0 @@
---- auth1.c.orig	Thu Apr 20 17:21:58 2000
-+++ auth1.c	Thu Apr 20 17:50:06 2000
-@@ -523,6 +532,11 @@
- 	pwcopy.pw_gid = pw->pw_gid;
- 	pwcopy.pw_dir = xstrdup(pw->pw_dir);
- 	pwcopy.pw_shell = xstrdup(pw->pw_shell);
-+#ifdef __FreeBSD__
-+	pwcopy.pw_class = xstrdup(pw->pw_class);
-+	pwcopy.pw_expire = pw->pw_expire;
-+	pwcopy.pw_change = pw->pw_change;
-+#endif /* __FreeBSD__ */
- 	pw = &pwcopy;
- 
- 	/*
diff --git a/security/openssh/files/patch-ay b/security/openssh/files/patch-ay
deleted file mode 100644
index 2b16a5b1eb73..000000000000
--- a/security/openssh/files/patch-ay
+++ /dev/null
@@ -1,14 +0,0 @@
---- auth2.c.orig	Tue Jun 27 14:20:06 2000
-+++ auth2.c	Tue Jun 27 14:21:20 2000
-@@ -357,6 +357,11 @@
- 		copy->pw_gid = pw->pw_gid;
- 		copy->pw_dir = xstrdup(pw->pw_dir);
- 		copy->pw_shell = xstrdup(pw->pw_shell);
-+#ifdef __FreeBSD__
-+		copy->pw_class = xstrdup(pw->pw_class);
-+		copy->pw_expire = pw->pw_expire;
-+		copy->pw_change = pw->pw_change;
-+#endif /* __FreeBSD__ */
- 		authctxt->valid = 1;
- 	} else {
- 		if (strcmp(u, authctxt->user) != 0 ||
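Review bot: The upstream line `if (!s->is_subsystem && (stat(_PATH_SSH_USER_RC, &st) >= 0))` now skips the user rc file for subsystem sessions, but the FreeBSD password-change block placed directly above it inside `if (!options.use_login)` (hunks `@@ -79,11 +84,10 @@` and `@@ -104,7 +108,6 @@`, with its body elided between them) carries no `s->is_subsystem` test in the visible lines. If that block ends up running an interactive password change when `pw_change` has passed, a subsystem request such as sftp has no tty to drive it, so the elided condition should be checked or the block guarded the same way as the rc-file test. A short comment above `#ifdef __FreeBSD__` stating whether subsystem sessions are meant to be subject to the expiry check would settle the intent. The enclosing function starts and ends outside these hunks.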
diff --git a/security/openssh/files/patch-az b/security/openssh/files/patch-az
deleted file mode 100644
index ee3b06692feb..000000000000
--- a/security/openssh/files/patch-az
+++ /dev/null
@@ -1,11 +0,0 @@
---- /home/bright/ssh/ssh/deattack.c	Fri Aug 18 19:17:12 2000
-+++ deattack.c	Fri Feb  9 10:58:54 2001
-@@ -84,7 +84,7 @@
- detect_attack(unsigned char *buf, u_int32_t len, unsigned char *IV)
- {
- 	static u_int16_t *h = (u_int16_t *) NULL;
--	static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
-+	static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
- 	register u_int32_t i, j;
- 	u_int32_t l;
- 	register unsigned char *c;
diff --git a/security/openssh/files/patch-bleichenbacher b/security/openssh/files/patch-bleichenbacher
deleted file mode 100644
index 1cceb1edb8b6..000000000000
--- a/security/openssh/files/patch-bleichenbacher
+++ /dev/null
@@ -1,189 +0,0 @@
-Index: rsa.h
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/rsa.h,v
-retrieving revision 1.2.2.2
-diff -u -r1.2.2.2 rsa.h
---- rsa.h	2000/10/28 23:00:49	1.2.2.2
-+++ rsa.h	2001/02/12 04:03:40
-@@ -32,6 +32,6 @@
- int rsa_alive __P((void));
- 
- void rsa_public_encrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
--void rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
-+int rsa_private_decrypt __P((BIGNUM * out, BIGNUM * in, RSA * prv));
- 
- #endif				/* RSA_H */
-Index: ssh-agent.c
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/ssh-agent.c,v
-retrieving revision 1.2.2.5
-diff -u -r1.2.2.5 ssh-agent.c
---- ssh-agent.c	2001/02/04 20:24:33	1.2.2.5
-+++ ssh-agent.c	2001/02/12 04:03:40
-@@ -194,7 +194,8 @@
- 	private = lookup_private_key(key, NULL, 1);
- 	if (private != NULL) {
- 		/* Decrypt the challenge using the private key. */
--		rsa_private_decrypt(challenge, challenge, private->rsa);
-+		if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
-+			goto failure;
- 
- 		/* The response is MD5 of decrypted challenge plus session id. */
- 		len = BN_num_bytes(challenge);
-Index: sshconnect1.c
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/sshconnect1.c,v
-retrieving revision 1.2.2.3
-diff -u -r1.2.2.3 sshconnect1.c
---- sshconnect1.c	2001/01/12 04:25:58	1.2.2.3
-+++ sshconnect1.c	2001/02/12 04:03:40
-@@ -152,14 +152,17 @@
- 	int i, len;
- 
- 	/* Decrypt the challenge using the private key. */
--	rsa_private_decrypt(challenge, challenge, prv);
-+	/* XXX think about Bleichenbacher, too */
-+	if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
-+		packet_disconnect(
-+		    "respond_to_rsa_challenge: rsa_private_decrypt failed");
- 
- 	/* Compute the response. */
- 	/* The response is MD5 of decrypted challenge plus session id. 
*/
- 	len = BN_num_bytes(challenge);
- 	if (len <= 0 || len > sizeof(buf))
--		packet_disconnect("respond_to_rsa_challenge: bad challenge length %d",
--				  len);
-+		packet_disconnect(
-+		    "respond_to_rsa_challenge: bad challenge length %d", len);
- 
- 	memset(buf, 0, sizeof(buf));
- 	BN_bn2bin(challenge, buf + sizeof(buf) - len);
-Index: sshd.c
-===================================================================
-RCS file: /usr2/ncvs/src/crypto/openssh/sshd.c,v
-retrieving revision 1.6.2.5
-diff -u -r1.6.2.5 sshd.c
---- sshd.c	2001/01/18 22:36:53	1.6.2.5
-+++ sshd.c	2001/02/12 04:09:43
-@@ -1108,6 +1108,7 @@
- {
- 	int i, len;
- 	int plen, slen;
-+	int rsafail = 0;
- 	BIGNUM *session_key_int;
- 	unsigned char session_key[SSH_SESSION_KEY_LENGTH];
- 	unsigned char cookie[8];
-@@ -1229,7 +1230,7 @@
- 	 * with larger modulus first).
- 	 */
- 	if (BN_cmp(sensitive_data.private_key->n, sensitive_data.host_key->n) > 0) {
--		/* Private key has bigger modulus. */
-+		/* Server key has bigger modulus. */
- 		if (BN_num_bits(sensitive_data.private_key->n) <
- 		    BN_num_bits(sensitive_data.host_key->n) + SSH_KEY_BITS_RESERVED) {
- 			fatal("do_connection: %s: private_key %d < host_key %d + SSH_KEY_BITS_RESERVED %d",
-@@ -1238,10 +1239,12 @@
- 			      BN_num_bits(sensitive_data.host_key->n),
- 			      SSH_KEY_BITS_RESERVED);
- 		}
--		rsa_private_decrypt(session_key_int, session_key_int,
--				    sensitive_data.private_key);
--		rsa_private_decrypt(session_key_int, session_key_int,
--				    sensitive_data.host_key);
-+		if (rsa_private_decrypt(session_key_int, session_key_int,
-+		    sensitive_data.private_key) <= 0)
-+			rsafail++;
-+		if (rsa_private_decrypt(session_key_int, session_key_int,
-+		    sensitive_data.host_key) <= 0)
-+			rsafail++;
- 	} else {
- 		/* Host key has bigger modulus (or they are equal). 
*/
- 		if (BN_num_bits(sensitive_data.host_key->n) <
-@@ -1252,10 +1255,12 @@
- 			      BN_num_bits(sensitive_data.private_key->n),
- 			      SSH_KEY_BITS_RESERVED);
- 		}
--		rsa_private_decrypt(session_key_int, session_key_int,
--				    sensitive_data.host_key);
--		rsa_private_decrypt(session_key_int, session_key_int,
--				    sensitive_data.private_key);
-+		if (rsa_private_decrypt(session_key_int, session_key_int,
-+		    sensitive_data.host_key) < 0)
-+			rsafail++;
-+		if (rsa_private_decrypt(session_key_int, session_key_int,
-+		    sensitive_data.private_key) < 0)
-+			rsafail++;
- 	}
- 
- 	compute_session_id(session_id, cookie,
-@@ -1270,14 +1275,29 @@
- 	 * least significant 256 bits of the integer; the first byte of the
- 	 * key is in the highest bits.
- 	 */
--	BN_mask_bits(session_key_int, sizeof(session_key) * 8);
--	len = BN_num_bytes(session_key_int);
--	if (len < 0 || len > sizeof(session_key))
--		fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d",
--		      get_remote_ipaddr(),
--		      len, sizeof(session_key));
--	memset(session_key, 0, sizeof(session_key));
--	BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len);
-+	if (!rsafail) {
-+		BN_mask_bits(session_key_int, sizeof(session_key) * 8);
-+		len = BN_num_bytes(session_key_int);
-+		if (len < 0 || len > sizeof(session_key)) {
-+			error("do_connection: bad session key len from %s: "
-+			    "session_key_int %d > sizeof(session_key) %d",
-+			    get_remote_ipaddr(), len, sizeof(session_key));
-+			rsafail++;
-+		} else {
-+			memset(session_key, 0, sizeof(session_key));
-+			BN_bn2bin(session_key_int,
-+			    session_key + sizeof(session_key) - len);
-+		}
-+	}
-+	if (rsafail) {
-+		log("do_connection: generating a fake encryption key");
-+		for (i = 0; i < SSH_SESSION_KEY_LENGTH; i++) {
-+			if (i % 4 == 0)
-+				rand = arc4random();
-+			session_key[i] = rand & 0xff;
-+			rand >>= 8;
-+		}
-+	}
- 
- 	/* Destroy the decrypted integer. 
 It is no longer needed. */
- 	BN_clear_free(session_key_int);
---- rsa.c.orig	Mon Jun 19 18:39:44 2000
-+++ rsa.c	Mon Feb 12 00:04:02 2001
-@@ -135,7 +135,7 @@
- 	xfree(inbuf);
- }
- 
--void
-+int
- rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
- {
- 	unsigned char *inbuf, *outbuf;
-@@ -149,15 +149,16 @@
- 	BN_bn2bin(in, inbuf);
- 
- 	if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
--	    RSA_PKCS1_PADDING)) <= 0)
--		fatal("rsa_private_decrypt() failed");
--
--	BN_bin2bn(outbuf, len, out);
--
-+	    RSA_PKCS1_PADDING)) <= 0) {
-+		error("rsa_private_decrypt() failed");
-+	} else {
-+		BN_bin2bn(outbuf, len, out);
-+	}
- 	memset(outbuf, 0, olen);
- 	memset(inbuf, 0, ilen);
- 	xfree(outbuf);
- 	xfree(inbuf);
-+	return len;
- }
- 
- /* Set whether to output verbose messages during key generation. */
diff --git a/security/openssh/files/patch-misc.c b/security/openssh/files/patch-misc.c
new file mode 100644
index 000000000000..0f8ef065fec0
--- /dev/null
+++ b/security/openssh/files/patch-misc.c
@@ -0,0 +1,13 @@
+--- misc.c.orig	Thu Apr 12 22:09:37 2001
++++ misc.c	Sat May 26 15:39:25 2001
+@@ -111,6 +111,10 @@
+ 	copy->pw_class = xstrdup(pw->pw_class);
+ 	copy->pw_dir = xstrdup(pw->pw_dir);
+ 	copy->pw_shell = xstrdup(pw->pw_shell);
++#ifdef __FreeBSD__
++	copy->pw_expire = pw->pw_expire;
++	copy->pw_change = pw->pw_change;
++#endif /* __FreeBSD__ */
+ 	return copy;
+ }
+ 
diff --git a/security/openssh/files/patch-sftp-Makefile b/security/openssh/files/patch-sftp-Makefile
new file mode 100644
index 000000000000..9e1fd8f50b28
--- /dev/null
+++ b/security/openssh/files/patch-sftp-Makefile
@@ -0,0 +1,13 @@
+--- sftp/Makefile.orig	Mon Apr 16 04:31:52 2001
++++ sftp/Makefile	Sat May 26 15:49:42 2001
+@@ -7,8 +7,8 @@
+ 
+ BINMODE?=555
+ 
+-BINDIR=	/usr/bin
+-MAN=	sftp.1
++BINDIR=	/bin
++MAN1=	sftp.1
+ 
+ SRCS=	sftp.c sftp-client.c sftp-int.c sftp-common.c sftp-glob.c scp-common.c
+ 
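Review bot: The new `#ifdef __FreeBSD__` block in pwcopy() copies `pw_expire` and `pw_change` without saying why, while the same two fields stop being copied in auth1.c and auth2.c (the deleted patch-aw and patch-ay) and the session.c password-change block in patch-au presumably reads `pw_change` for its "password change time is set and has passed" test. A comment such as `/* FreeBSD-only fields; pw_change feeds the password-expiry check in session.c (patch-au) */` above the `#ifdef` would record that dependency so the block is not dropped on the next upstream sync. The enclosing pwcopy() begins outside the hunk.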
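Review bot: `BINDIR=	/bin` in the new sftp/Makefile patch drops the `/usr` prefix, which only lands under the port's `${PREFIX}` if the port drives the BSD `make install` with `DESTDIR` set to that prefix; with a plain `make install` it would write into the root filesystem. The install target of the port Makefile is not visible here, so that should be confirmed; the same applies to `BINDIR=	/libexec` in patch-sftp-server-Makefile and `BINDIR=	/bin` in patch-ssh-keyscan-Makefile. The pkg-plist entries `bin/sftp`, `libexec/sftp-server` and `bin/ssh-keyscan` are consistent with that DESTDIR assumption. A comment at the top of each of the three patches, e.g. `# BINDIR is relative to DESTDIR, which the port sets to PREFIX`, would document it.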
diff --git a/security/openssh/files/patch-sftp-server-Makefile b/security/openssh/files/patch-sftp-server-Makefile
new file mode 100644
index 000000000000..560dd2da2a5d
--- /dev/null
+++ b/security/openssh/files/patch-sftp-server-Makefile
@@ -0,0 +1,13 @@
+--- sftp-server/Makefile.orig	Sun Mar  4 00:59:36 2001
++++ sftp-server/Makefile	Sat May 26 15:47:57 2001
+@@ -7,8 +7,8 @@
+ 
+ BINMODE?=555
+ 
+-BINDIR=	/usr/libexec
+-MAN=	sftp-server.8
++BINDIR=	/libexec
++MAN8=	sftp-server.8
+ 
+ SRCS=	sftp-server.c sftp-common.c
+ 
diff --git a/security/openssh/files/patch-ssh-keyscan-Makefile b/security/openssh/files/patch-ssh-keyscan-Makefile
new file mode 100644
index 000000000000..0b5026539dd8
--- /dev/null
+++ b/security/openssh/files/patch-ssh-keyscan-Makefile
@@ -0,0 +1,13 @@
+--- ssh-keyscan/Makefile.orig	Sun Mar  4 00:59:39 2001
++++ ssh-keyscan/Makefile	Sat May 26 16:14:05 2001
+@@ -7,8 +7,8 @@
+ 
+ BINMODE?=555
+ 
+-BINDIR=	/usr/bin
+-MAN=	ssh-keyscan.1
++BINDIR=	/bin
++MAN1=	ssh-keyscan.1
+ 
+ SRCS=	ssh-keyscan.c
+ 
diff --git a/security/openssh/pkg-plist b/security/openssh/pkg-plist
index cf97946b5b9a..30451a93d84d 100644
--- a/security/openssh/pkg-plist
+++ b/security/openssh/pkg-plist
@@ -1,13 +1,16 @@
 bin/scp
+bin/sftp
 bin/slogin
 bin/ssh
 bin/ssh-add
 bin/ssh-agent
 bin/ssh-keygen
+bin/ssh-keyscan
 etc/rc.d/sshd.sh
 etc/ssh_config
 etc/sshd_config
 sbin/sshd
+libexec/sftp-server
 @exec if [ ! -f %D/etc/ssh_host_key ]; then echo ">> Generating a secret RSA host key."; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi
 @exec if [ ! -f %D/etc/ssh_host_dsa_key ]; then echo ">> Generating a secret DSA host key."; %D/bin/ssh-keygen -d -N "" -f %D/etc/ssh_host_dsa_key; fi
 @exec if [ ! -x %D/etc/rc.d/sshd.sh ]; then echo "#!/bin/sh" > %D/etc/rc.d/sshd.sh && exec echo "[ -x %D/sbin/sshd ] && %D/sbin/sshd && echo -n ' sshd'" >> %D/etc/rc.d/sshd.sh && exec chmod 0555 %D/etc/rc.d/sshd.sh; fi |
