summaryrefslogtreecommitdiff
path: root/security/ssh/files/patch-af
diff options
context:
space:
mode:
Diffstat (limited to 'security/ssh/files/patch-af')
-rw-r--r--security/ssh/files/patch-af564
1 files changed, 0 insertions, 564 deletions
diff --git a/security/ssh/files/patch-af b/security/ssh/files/patch-af
deleted file mode 100644
index e9f2a66f0dbd..000000000000
--- a/security/ssh/files/patch-af
+++ /dev/null
@@ -1,564 +0,0 @@
---- sshd.c.orig Mon Jul 3 19:07:35 2000
-+++ sshd.c Sat Jun 29 22:25:41 2002
-@@ -567,6 +567,19 @@
- /* Name of the server configuration file. */
- char *config_file_name = SERVER_CONFIG_FILE;
-
-+/* Flag indicating whether IPv4 or IPv6. This can be set on the command line.
-+ Default value is AF_UNSPEC means both IPv4 and IPv6. */
-+#ifdef ENABLE_IPV6
-+int IPv4or6 = AF_UNSPEC;
-+#else
-+int IPv4or6 = AF_INET;
-+#endif
-+
-+#ifdef ENABLE_LOG_AUTH
-+char *unauthenticated_user = NULL;
-+int log_auth_flag = 0;
-+#endif /* ENABLE_LOG_AUTH */
-+
- /* Debug mode flag. This can be set on the command line. If debug
- mode is enabled, extra debugging output will be sent to the system
- log, the daemon will not go to background, and will exit after processing
-@@ -590,7 +603,17 @@
-
- /* This is set to the socket that the server is listening; this is used in
- the SIGHUP signal handler. */
--int listen_sock;
-+#define MAX_LISTEN_SOCKS 16
-+int listen_socks[MAX_LISTEN_SOCKS];
-+int num_listen_socks = 0;
-+void close_listen_socks()
-+{
-+ int i;
-+
-+ for (i = 0; i < num_listen_socks; i++)
-+ close(listen_socks[i]);
-+ num_listen_socks = -1;
-+}
-
- /* This is not really needed, and could be eliminated if server-specific
- and client-specific code were removed from newchannels.c */
-@@ -680,7 +703,7 @@
- void sighup_restart(void)
- {
- log_msg("Received SIGHUP; restarting.");
-- close(listen_sock);
-+ close_listen_socks();
- execvp(saved_argv[0], saved_argv);
- log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.",
- saved_argv[0], strerror(errno));
-@@ -694,7 +717,7 @@
- RETSIGTYPE sigterm_handler(int sig)
- {
- log_msg("Received signal %d; terminating.", sig);
-- close(listen_sock);
-+ close_listen_socks();
- exit(255);
- }
-
-@@ -773,7 +796,7 @@
- int perm_denied = 0;
- int ret;
- fd_set fdset;
-- struct sockaddr_in sin;
-+ struct sockaddr_storage from;
- char buf[100]; /* Must not be larger than remote_version. */
- char remote_version[100]; /* Must be at least as big as buf. */
- char *comment;
-@@ -783,6 +806,9 @@
- struct linger linger;
- #endif /* SO_LINGER */
- int done;
-+ struct addrinfo *ai;
-+ char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
-+ int listen_sock, maxfd;
-
- /* Save argv[0]. */
- saved_argv = av;
-@@ -801,10 +827,26 @@
- initialize_server_options(&options);
-
- /* Parse command-line arguments. */
-- while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF)
-+ while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4"
-+#ifdef ENABLE_IPV6
-+ "6"
-+#endif
-+ )) != EOF)
- {
- switch (opt)
- {
-+ case '4':
-+#ifdef ENABLE_IPV6
-+ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
-+#else
-+ IPv4or6 = AF_INET;
-+#endif
-+ break;
-+#ifdef ENABLE_IPV6
-+ case '6':
-+ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
-+ break;
-+#endif
- case 'f':
- config_file_name = optarg;
- break;
-@@ -821,7 +863,7 @@
- options.server_key_bits = atoi(optarg);
- break;
- case 'p':
-- options.port = atoi(optarg);
-+ options.ports[options.num_ports++] = atoi(optarg);
- break;
- case 'g':
- options.login_grace_time = atoi(optarg);
-@@ -843,6 +885,10 @@
- fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
- fprintf(stderr, "Usage: %s [options]\n", av0);
- fprintf(stderr, "Options:\n");
-+ fprintf(stderr, " -4 Use IPv4 only\n");
-+#ifdef ENABLE_IPV6
-+ fprintf(stderr, " -6 Use IPv6 only\n");
-+#endif
- fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR);
- fprintf(stderr, " -d Debugging mode\n");
- fprintf(stderr, " -i Started from inetd\n");
-@@ -871,16 +917,15 @@
- fprintf(stderr, "fatal: Bad server key size.\n");
- exit(1);
- }
-- if (options.port < 1 || options.port > 65535)
-- {
-- fprintf(stderr, "fatal: Bad port number.\n");
-- exit(1);
-- }
- if (options.umask != -1)
- {
- umask(options.umask);
- }
-
-+#ifdef ENABLE_LOG_AUTH
-+ log_auth_flag = options.log_auth;
-+#endif /* ENABLE_LOG_AUTH */
-+
- /* Check that there are no remaining arguments. */
- if (optind < ac)
- {
-@@ -1048,10 +1093,13 @@
- }
- else
- {
-+ for (ai = options.listen_addrs; ai; ai = ai->ai_next)
-+ {
- /* Create socket for listening. */
-- listen_sock = socket(AF_INET, SOCK_STREAM, 0);
-+ listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
- if (listen_sock < 0)
- fatal("socket: %.100s", strerror(errno));
-+ listen_socks[num_listen_socks] = listen_sock;
-
- /* Set socket options. We try to make the port reusable and have it
- close as fast as possible without waiting in unnecessary wait states
-@@ -1065,21 +1113,30 @@
- sizeof(linger));
- #endif /* SO_LINGER */
-
-- /* Initialize the socket address. */
-- memset(&sin, 0, sizeof(sin));
-- sin.sin_family = AF_INET;
-- sin.sin_addr = options.listen_addr;
-- sin.sin_port = htons(options.port);
-+ getnameinfo(ai->ai_addr, ai->ai_addrlen,
-+ ntop, sizeof(ntop), strport, sizeof(strport),
-+ NI_NUMERICHOST|NI_NUMERICSERV);
-
- /* Bind the socket to the desired port. */
-- if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
-+ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0)
- {
-- error("bind: %.100s", strerror(errno));
-- shutdown(listen_sock, 2);
-+ error("Bind to port %s on %s failed: %.200s.",
-+ strport, ntop, strerror(errno));
- close(listen_sock);
-- fatal("Bind to port %d failed: %.200s.", options.port,
-- strerror(errno));
-+ continue;
- }
-+ num_listen_socks++;
-+
-+ /* Start listening on the port. */
-+ log_msg("Server listening on %s port %s.", ntop, strport);
-+ if (listen(listen_sock, 5) < 0)
-+ fatal("listen: %.100s", strerror(errno));
-+
-+ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */
-+ freeaddrinfo(options.listen_addrs);
-+
-+ if (!num_listen_socks)
-+ fatal("Cannot bind all addresses.");
-
- if (!debug_flag)
- {
-@@ -1095,11 +1152,6 @@
- }
- }
-
-- /* Start listening on the port. */
-- log_msg("Server listening on port %d.", options.port);
-- if (listen(listen_sock, 5) < 0)
-- fatal("listen: %.100s", strerror(errno));
--
- /* Generate an rsa key. */
- log_msg("Generating %d bit RSA key.", options.server_key_bits);
- rsa_generate_key(&sensitive_data.private_key, &public_key,
-@@ -1153,18 +1205,28 @@
-
- /* Wait in select until there is a connection. */
- FD_ZERO(&fdset);
-- FD_SET(listen_sock, &fdset);
-- ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
-- if (ret < 0 || !FD_ISSET(listen_sock, &fdset))
-+ maxfd = 0;
-+ for (i = 0; i < num_listen_socks; i++)
-+ {
-+ FD_SET(listen_socks[i], &fdset);
-+ if (listen_socks[i] > maxfd)
-+ maxfd = listen_socks[i];
-+ }
-+ ret = select(maxfd + 1, &fdset, NULL, NULL, NULL);
-+ if (ret < 0)
- {
- if (errno == EINTR)
- continue;
- error("select: %.100s", strerror(errno));
- continue;
- }
--
-- aux = sizeof(sin);
-- newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux);
-+
-+ for (i = 0; i < num_listen_socks; i++)
-+ {
-+ if (!FD_ISSET(listen_socks[i], &fdset))
-+ continue;
-+ aux = sizeof(from);
-+ newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux);
- if (newsock < 0)
- {
- if (errno == EINTR)
-@@ -1180,7 +1242,7 @@
- /* In debugging mode. Close the listening socket, and start
- processing the connection without forking. */
- debug("Server will not fork when running in debugging mode.");
-- close(listen_sock);
-+ close_listen_socks();
- sock_in = newsock;
- sock_out = newsock;
- pid = getpid();
-@@ -1209,7 +1271,7 @@
- the accepted socket. Reinitialize logging (since our
- pid has changed). We break out of the loop to handle
- the connection. */
-- close(listen_sock);
-+ close_listen_socks();
- sock_in = newsock;
- sock_out = newsock;
- #ifdef LIBWRAP
-@@ -1247,6 +1309,10 @@
-
- /* Close the new socket (the child is now taking care of it). */
- close(newsock);
-+ } /* for (i = 0; i < num_host_socks; i++) */
-+ /* child process check (or debug mode) */
-+ if (num_listen_socks < 0)
-+ break;
- }
- }
-
-@@ -2219,6 +2285,9 @@
- krb5_parse_name(ssh_context, user, &client);
- #endif /* defined(KERBEROS) && defined(KRB5) */
-
-+#ifdef ENABLE_LOG_AUTH
-+ unauthenticated_user = user;
-+#endif /* ENABLE_LOG_AUTH */
- /* Verify that the user is a valid user. We disallow usernames starting
- with any characters that are commonly used to start NIS entries. */
- pw = getpwnam(user);
-@@ -2236,7 +2305,7 @@
- pwcopy.pw_class = xstrdup(pw->pw_class);
- pwcopy.pw_change = pw->pw_change;
- pwcopy.pw_expire = pw->pw_expire;
--#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
-+#endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */
- pwcopy.pw_dir = xstrdup(pw->pw_dir);
- pwcopy.pw_shell = xstrdup(pw->pw_shell);
- pw = &pwcopy;
-@@ -2274,6 +2343,11 @@
- {
- /* Authentication with empty password succeeded. */
- debug("Login for user %.100s accepted without authentication.", user);
-+#ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "empty password accepted");
-+#endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_PASSWORD;
- authenticated = 1;
- /* Success packet will be sent after loop below. */
-@@ -2348,6 +2422,11 @@
- /* Client has successfully authenticated to us. */
- log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s",
- tkt_user, user, get_canonical_hostname());
-+#ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "kerberos authentication accepted");
-+#endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_KERBEROS;
- authenticated = 1;
- break;
-@@ -2396,6 +2475,11 @@
- /* Authentication accepted. */
- log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
- user, client_user, get_canonical_hostname());
-+#ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.100s@%.700s (%s)",
-+ user, client_user, get_canonical_hostname(),
-+ "rhosts authentication accepted");
-+#endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_RHOSTS;
- authenticated = 1;
- remote_user_name = client_user;
-@@ -2455,6 +2539,11 @@
- options.strict_modes))
- {
- /* Authentication accepted. */
-+#ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.100s@%.700s (%s)",
-+ user, client_user, get_canonical_hostname(),
-+ "rhosts with RSA host authentication accepted");
-+#endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_RHOSTS_RSA;
- authenticated = 1;
- remote_user_name = client_user;
-@@ -2488,6 +2577,11 @@
- /* Successful authentication. */
- mpz_clear(&n);
- log_msg("RSA authentication for %.100s accepted.", user);
-+#ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "RSA user authentication accepted");
-+#endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_RSA;
- authenticated = 1;
- break;
-@@ -2622,6 +2716,11 @@
- auth_close();
- memset(password, 0, strlen(password));
- xfree(password);
-+#ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from @%.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "TIS authentication accepted");
-+#endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_TIS;
- authenticated = 1;
- break;
-@@ -2682,6 +2781,11 @@
- memset(password, 0, strlen(password));
- xfree(password);
- log_msg("Password authentication for %.100s accepted.", user);
-+#ifdef ENABLE_LOG_AUTH
-+ log_auth("%.100s from %.700s (%s)",
-+ user, get_canonical_hostname(),
-+ "password authentication accepted");
-+#endif /* ENABLE_LOG_AUTH */
- authentication_type = SSH_AUTH_PASSWORD;
- authenticated = 1;
- break;
-@@ -2722,6 +2826,11 @@
- }
-
- /* Check if the user is logging in as root and root logins are disallowed. */
-+#ifdef ENABLE_LOG_AUTH
-+ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) ||
-+ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command))
-+ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
-+#endif /* ENABLE_LOG_AUTH */
- if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
- {
- if (authentication_type == SSH_AUTH_PASSWORD)
-@@ -2789,6 +2898,9 @@
- packet_start(SSH_SMSG_SUCCESS);
- packet_send();
- packet_write_wait();
-+#ifdef ENABLE_LOG_AUTH
-+ unauthenticated_user = NULL;
-+#endif /* ENABLE_LOG_AUTH */
-
- /* Perform session preparation. */
- do_authenticated(pw);
-@@ -3383,15 +3495,16 @@
- char line[256];
- struct stat st;
- int quiet_login;
-- struct sockaddr_in from;
-+ struct sockaddr_storage from;
- int fromlen;
- struct pty_cleanup_context cleanup_context;
- #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
- login_cap_t *lc;
-+ time_t warnpassword, warnexpire;
- #endif
--#if defined (__bsdi__) && _BSDI_VERSION >= 199510
-+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
- struct timeval tp;
--#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */
-+#endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */
-
- /* We no longer need the child running on user's privileges. */
- userfile_uninit();
-@@ -3490,7 +3603,7 @@
-
- /* Record that there was a login on that terminal. */
- record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
-- &from);
-+ (struct sockaddr *)&from);
-
- #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
- lc = login_getclass(pw->pw_class);
-@@ -3549,6 +3662,14 @@
- "The Regents of the University of California. ",
- "All rights reserved.");
- }
-+#ifdef HAVE_LOGIN_CAP_H
-+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
-+
-+ warnpassword = login_getcaptime(lc, "warnpassword",
-+ DEFAULT_WARN, DEFAULT_WARN);
-+ warnexpire = login_getcaptime(lc, "warnexpire",
-+ DEFAULT_WARN, DEFAULT_WARN);
-+#endif
- #endif
-
- /* Print /etc/motd unless a command was specified or printing it was
-@@ -3572,7 +3693,7 @@
- fputs(line, stdout);
- fclose(f);
- }
--#if defined (__bsdi__) && _BSDI_VERSION >= 199510
-+#if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510)
- if (pw->pw_change || pw->pw_expire)
- (void)gettimeofday(&tp, (struct timezone *)NULL);
- if (pw->pw_change)
-@@ -3979,6 +4100,7 @@
- char *user_shell;
- char *remote_ip;
- int remote_port;
-+ int local_port;
- #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
- login_cap_t *lc;
- char *real_shell;
-@@ -4025,7 +4147,7 @@
- while (fgets(buf, sizeof(buf), f))
- fputs(buf, stderr);
- fclose(f);
--#if defined (__bsdi__) && _BSDI_VERSION >= 199510
-+#if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
- if (pw->pw_uid != UID_ROOT &&
- !login_getcapbool(lc, "ignorenologin", 0))
- exit(254);
-@@ -4084,6 +4206,7 @@
- user_shell = xstrdup(pw->pw_shell);
- remote_ip = xstrdup(get_remote_ipaddr());
- remote_port = get_remote_port();
-+ local_port = get_local_port();
-
- /* Close the connection descriptors; note that this is the child, and the
- server will still have the socket open, and it is important that we
-@@ -4103,7 +4226,6 @@
- /* Close any extra file descriptors. Note that there may still be
- descriptors left by system functions. They will be closed later. */
- endpwent();
-- endhostent();
-
- /* Set dummy encryption key to clear information about the key from
- memory. This key will never be used. */
-@@ -4360,7 +4482,7 @@
-
- /* Set SSH_CLIENT. */
- snprintf(buf, sizeof(buf),
-- "%.50s %d %d", remote_ip, remote_port, options.port);
-+ "%.50s %d %d", remote_ip, remote_port, local_port);
- child_set_env(&env, &envsize, "SSH_CLIENT", buf);
-
- /* Set SSH_TTY if we have a pty. */
-@@ -4533,7 +4655,8 @@
- int i;
- char name[255], *p;
- char line[256];
-- struct hostent *hp;
-+ struct addrinfo hints, *ai, *aitop;
-+ char ntop[ADDRSTRLEN];
-
- strncpy(name, display, sizeof(name));
- name[sizeof(name) - 1] = '\0';
-@@ -4550,7 +4673,10 @@
- /* Moved this call here to avoid a nasty buf in SunOS
- 4.1.4 libc where gethostbyname closes an unrelated
- file descriptor. */
-- hp = gethostbyname(name);
-+ memset(&hints, 0, sizeof(hints));
-+ hints.ai_family = IPv4or6;
-+ if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
-+ aitop = 0;
-
- snprintf(line, sizeof(line),
- "%.200s -q -", options.xauth_path);
-@@ -4568,21 +4694,24 @@
- cp - display, display, cp, auth_proto,
- auth_data);
- #endif
-- if (hp)
-+ if (aitop)
- {
-- for(i = 0; hp->h_addr_list[i]; i++)
-+ for (ai = aitop; ai; ai = ai->ai_next)
- {
-+ getnameinfo(ai->ai_addr, ai->ai_addrlen,
-+ ntop, sizeof(ntop), NULL, 0,
-+ NI_NUMERICHOST);
-+ if (strchr(ntop, ':'))
-+ continue; /* XXX - xauth doesn't accept it */
- if (debug_flag)
- {
- fprintf(stderr, "Running %s add %s%s %s %s\n",
- options.xauth_path,
-- inet_ntoa(*((struct in_addr *)
-- hp->h_addr_list[i])),
-+ ntop,
- cp, auth_proto, auth_data);
- }
- fprintf(f, "add %s%s %s %s\n",
-- inet_ntoa(*((struct in_addr *)
-- hp->h_addr_list[i])),
-+ ntop,
- cp, auth_proto, auth_data);
- }
- }
-@@ -4632,7 +4761,11 @@
- struct stat mailbuf;
-
- if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
-+#ifdef __FreeBSD__
-+ ;
-+#else
- printf("No mail.\n");
-+#endif
- else if (mailbuf.st_atime > mailbuf.st_mtime)
- printf("You have mail.\n");
- else
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-31 22:29:24 +0000