ports/150493: Update for: security/openssh-portable port from 5.2p1 to 5.6p1

John Hein jhein at symmetricom.com
Thu Sep 23 16:50:04 UTC 2010


The following reply was made to PR ports/150493; it has been noted by GNATS.

From: John Hein <jhein at symmetricom.com>
To: bug-followup at FreeBSD.org, magik at roorback.net
Cc:  
Subject: Re: ports/150493: Update for: security/openssh-portable port from 5.2p1 to 5.6p1
Date: Thu, 23 Sep 2010 10:35:30 -0600

 
 I have come up with a patchset independently.
 
 If Grzegorz Blach wants to maintain this port, that's okay
 with me.  But this new patchset here addresses a few missing
 details in Grzegorz's original submission.  Or I'm willing
 to maintain, too (I'll defer to Grzegorz if he would like to
 do it).  Either way, we should get this port updated since
 it is quite out of date.
 
 This patch set included here:
  - removes more old opensc related patches.
 
  - does not remove patches pulled from des@ changes in
    src/crypto/openssh that are still valid.
 
  - points to upstream hpn patch instead of including a local copy
 
  - does not remove GSSAPI, LPK or FILECONTROL options, but does
    mark them BROKEN for now - upstream for each seems still active,
    so the port here can just be updated when upstream catches up.
 
    We can also patch the patches ourselves for 5.6 (or maintain a
    tweaked local copy), but I prefer to update the port to 5.6p1 first
    and then separately commit those updates.  It makes following the
    history of changes in CVS much easier.
 
  - remove PATCH_DIST_STRIP - it's unnecessary and portlint hates it
 
  - I think the post-patch version.h changes in the original patchset
    in this PR are wrong. The upstream patches (for hpn and filecontrol)
    have changes for version.h that seem to work fine unchanged,
    even applied together.  Also the HAVE_LPK part that
    adds SSH_HPN seems wrong.
 
 
 I have two patchsets.  The second just refreshes old files/patch-*
 even though they apply cleanly against 5.6p1 - it could be considered
 optional.  I'll send the second set separately.
 
 Here is the 'Description' that I was going to submit as a PR
 until I found this PR...
 
 =======================
 security/openssh-portable has not been updated in a long time
 (currently 5.2p1 which is 1.5+ years old).  There are significant
 nice feature updates and fixes in 5.6p1.
 
 Attached are two patchsets.  The main one is enough to get
 the port updated and working.  But see comments at the top
 of the patchset.
 
 The second patchset just refreshes the remaining patches that still
 apply cleanly to 5.6p1 files.  It's probably a good idea to apply
 it when committing to the port, but it's not strictly necessary.
 And I would commit them separately just for the sake of clarity
 in the commit logs.
 
 Actually, I'll send the second patchset in a separate submission
 to avoid confusing PR patch detection tools.
 =======================
 
 Attached is the first patchset including a decent description of
 the changes at the top of the patch...
 
 
 
 Attachment "patches-5.6p1" (text/plain): patches to update security/openssh-portable from its current 5.2p1 to 5.6p1

 Port change details:
 -------------------------------
 Update openssh-portable from 5.2p1 to 5.6p1. [1]

 Refresh local patches that don't apply cleanly.  This is mostly
 just mechanical due to code motion.  But the
 ChallengeResponseAuthentication description in sshd_config.5 has
 been updated upstream to include a reference to PAM (which was in
 the local patch in a slightly different form).  The base patch for
 this includes 'See also UsePAM', which I included.  However, that
 may not be necessary given the upstream context now (base is at
 5.4).

 The latest GSSAPI key exchange patch is for 5.3.  It does not apply
 to 5.6, although it is very close to applying.  Mark BROKEN until
 updated officially upstream.

 The latest LPK patch is for 5.4.  It does not apply
 to 5.6, although it is very close to applying.  Mark BROKEN until
 updated officially upstream.  Also remove local patches
 which tried to resolve conflicts between HPN and LPK.  They
 can be reworked when upstream gets up to date with 5.6.

 The latest sftpfilecontrol patch is for 5.4.  It does not apply
 to 5.6, although it is very close to applying.  Mark BROKEN until
 updated officially upstream.

 Ssh.bin is gone (old smartcard code obsoleted by PKCS#11 support).
 Remove OPENSC* options and associated patch files.
 -------------------------------
 
 
 [1] Features summary from 2010-08-23 announcement at
 http://lists.mindrot.org/pipermail/openssh-unix-announce/2010-August/000100.html
 -------------------------------
 Changes since OpenSSH 5.5
 =========================

 Features:

  * Added a ControlPersist option to ssh_config(5) that automatically
    starts a background ssh(1) multiplex master when connecting. This
    connection can stay alive indefinitely, or can be set to
    automatically close after a user-specified duration of inactivity.

  * Hostbased authentication may now use certificate host keys. CA keys
    must be specified in a known_hosts file using the @cert-authority
    marker as described in sshd(8).

  * ssh-keygen(1) now supports signing certificates using a CA key that
    has been stored in a PKCS#11 token.

  * ssh(1) will now log the hostname and address that we connected to at
    LogLevel=verbose after authentication is successful to mitigate
    "phishing" attacks by servers with trusted keys that accept
    authentication silently and automatically before presenting fake
    password/passphrase prompts.

    Note that, for such an attack to be successful, the user must have
    disabled StrictHostKeyChecking (enabled by default) or an attacker
    must have access to a trusted host key for the destination server.

  * Expand %h to the hostname in ssh_config Hostname options. While this
    sounds useless, it is actually handy for working with unqualified
    hostnames:

      Host *.*
         Hostname %h
      Host *
         Hostname %h.example.org

  * Allow ssh-keygen(1) to import (-i) and export (-e) of PEM and PKCS#8
    keys in addition to RFC4716 (SSH.COM) encodings via a new -m option
    (bz#1749)

  * sshd(8) will now queue debug messages for bad ownership or
    permissions on the user's keyfiles encountered during authentication
    and will send them after authentication has successfully completed.
    These messages may be viewed in ssh(1) at LogLevel=debug or higher.

  * ssh(1) connection multiplexing now supports remote forwarding with
    dynamic port allocation and can report the allocated port back to
    the user:

      LPORT=`ssh -S muxsocket -R0:localhost:25 -O forward somehost`

  * sshd(8) now supports indirection in matching of principal names
    listed in certificates. By default, if a certificate has an
    embedded principals list then the username on the server must match
    one of the names in the list for it to be accepted for
    authentication.

    sshd(8) now has a new AuthorizedPrincipalsFile option to specify a
    file containing a list of names that may be accepted in place of the
    username when authorizing a certificate trusted via the
    sshd_config(5) TrustedCAKeys option. Similarly, authentication
    using a CA trusted in ~/.ssh/authorized_keys now accepts a
    principals="name1[,name2,...]" to specify a list of permitted names.

    If either option is absent, the current behaviour of requiring the
    username to appear in principals continues to apply. These options
    are useful for role accounts, disjoint account namespaces and
    "user@realm"-style naming policies in certificates.

  * Additional sshd_config(5) options are now valid inside Match blocks:

      AuthorizedKeysFile
      AuthorizedPrincipalsFile
      HostbasedUsesNameFromPacketOnly
      PermitTunnel

  * Revised the format of certificate keys. The new format, identified as
    ssh-{dss,rsa}-cert-v01@openssh.com includes the following changes:

      - Adding a serial number field. This may be specified by the CA at
        the time of certificate signing.

      - Moving the nonce field to the beginning of the certificate where
        it can better protect against chosen-prefix attacks on the
        signature hash (currently infeasible against the SHA1 hash used)

      - Renaming the "constraints" field to "critical options"

      - Adding a new non-critical "extensions" field. The "permit-*"
        options are now extensions, rather than critical options to
        permit non-OpenSSH implementation of this key format to degrade
        gracefully when encountering keys with options they do not
        recognize.

    The older format is still supported for authentication and may still
    be used when signing certificates (use "ssh-keygen -t v00 ...").
    The v00 format, introduced in OpenSSH 5.4, will be supported for at
    least one year from this release, after which it will be deprecated
    and removed.

 Bugfixes:

  * The PKCS#11 code now retries a lookup for a private key if there is
    no matching key with CKA_SIGN attribute enabled; this fixes
    MuscleCard support (bz#1736)

  * Unbreak strdelim() skipping past quoted strings (bz#1757). For
    example, the following directive was not parsed correctly:

        AllowUsers "blah blah" blah

  * sftp(1): fix swapped args in upload_dir_internal(), breaking
    recursive upload depth checks and causing verbose printing of
    transfers to always be turned on (bz#1797)

  * Fix a longstanding problem where if you suspend scp(1) at the
    password/passphrase prompt the terminal mode is not restored.

  * Fix a PKCS#11 crash on some smartcards by validating the length
    returned for C_GetAttributeValue (bz#1773)

  * sftp(1): fix ls in working directories that contain globbing
    characters in their pathnames (bz#1655)

  * Print warning for missing home directory when ChrootDirectory=none
    (bz#1564)

  * sftp(1): fix a memory leak in do_realpath() error path (bz#1771)

  * ssh-keygen(1): Standardise error messages when attempting to open
    private key files to include "progname: filename: error reason"
    (bz#1783)

  * Replace verbose and overflow-prone Linebuf code with
    read_keyfile_line() (bz#1565)

  * Include the user name on "subsystem request for ..." log messages

  * ssh(1) and sshd(8): remove hardcoded limit of 100 permitopen clauses
    and port forwards per direction (bz#1327)

  * sshd(8): ignore stderr output from subsystems to avoid hangs if a
    subsystem or shell initialisation writes to stderr (bz#1750)

  * Skip the initial check for access with an empty password when
    PermitEmptyPasswords=no (bz#1638)

  * sshd(8): fix logspam when key options (from="..." especially) deny
    non-matching keys (bz#1765)

  * ssh-keygen(1): display a more helpful error message when $HOME is
    inaccessible while trying to create .ssh directory (bz#1740)

  * ssh(1): fix hang when terminating a mux slave using ~. (bz#1758)

  * ssh-keygen(1): refuse to generate keys longer than
    OPENSSL_[RD]SA_MAX_MODULUS_BITS, since we would refuse to use
    them anyway (bz#1516)

  * Suppress spurious tty warning when using -O and stdin is not a tty
    (bz#1746)

  * Kill channel when pty allocation requests fail. Fixed stuck client
    if the server refuses pty allocation (bz#1698)

 Portable OpenSSH Bugfixes:

  * sshd(8): increase the maximum username length for login recording
    to 512 characters (bz#1579)

  * Initialize the values to be returned from PAM to sane values in
    case the PAM method doesn't write to them. (bz#1795)

  * Let configure find OpenSSL libraries in a lib64 subdirectory.
    (bz#1756)
 -------------------------------
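 The port change details above amount to a distfile/patchfile refresh, and the step that most often goes wrong in such an update is that a name in PATCHFILES and the name in distinfo drift apart. The following POSIX sh script is an added example (not part of this PR, not a ports framework tool); it collects the tarball name and every PATCHFILES+= value from a port Makefile and reports any that lack SHA256 or SIZE lines in distinfo. The sample Makefile and distinfo it writes are constructed to mirror the shape of this PR's files, with the hashes replaced by zeros; the SIZE values are the ones from the PR.

```shell
#!/bin/sh
# Added example, not part of PR ports/150493 or of the port itself:
# cross-check a port's Makefile against its distinfo so that a PATCHFILES
# entry whose name (or .gz suffix) differs from the distinfo line is caught
# before commit.  make(1) conditionals are deliberately ignored: every
# PATCHFILES+= line is collected, even those inside .if blocks.

# Print the names the port will try to fetch: the main tarball
# (PORTNAME-DISTVERSION.tar.gz, the default EXTRACT_SUFX) plus every
# PATCHFILES+= value.  [[:space:]] accepts tabs or spaces after the '='.
port_fetch_list() {
    mk=$1
    portname=$(sed -n 's/^PORTNAME=[[:space:]]*//p' "$mk" | head -n 1)
    distversion=$(sed -n 's/^DISTVERSION=[[:space:]]*//p' "$mk" | head -n 1)
    printf '%s-%s.tar.gz\n' "$portname" "$distversion"
    sed -n 's/^PATCHFILES+=[[:space:]]*//p' "$mk"
}

# Report every fetched file that lacks an SHA256 or SIZE line in distinfo.
# Prints "name: missing KEY entry" per problem; returns 1 if any was found.
check_distinfo() {
    mk=$1
    di=$2
    rc=0
    for f in $(port_fetch_list "$mk"); do
        for key in SHA256 SIZE; do
            # Anchor on the exact "KEY (name) = " prefix: fetch looks the
            # file name up in distinfo verbatim, so the names must agree.
            if ! grep -q "^$key ($f) = " "$di"; then
                printf '%s: missing %s entry\n' "$f" "$key"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample inputs modelled on the PR's Makefile and distinfo
# (hashes replaced by zeros).  The HPN entry reproduces the mismatch in
# the PR: the Makefile names openssh-5.6p1-hpn13v10.diff, distinfo the .gz.
write_samples() {
    dir=$1
    cat > "$dir/Makefile" <<'EOF'
PORTNAME=       openssh
DISTVERSION=    5.6p1
.if defined(WITH_HPN)
PATCHFILES+=    openssh-5.6p1-hpn13v10.diff
.endif
.if defined(WITH_X509)
PATCHFILES+=    openssh-5.6p1+x509-6.2.3.diff.gz
.endif
EOF
    cat > "$dir/distinfo" <<'EOF'
SHA256 (openssh-5.6p1.tar.gz) = 0000000000000000000000000000000000000000000000000000000000000000
SIZE (openssh-5.6p1.tar.gz) = 1117952
SHA256 (openssh-5.6p1+x509-6.2.3.diff.gz) = 0000000000000000000000000000000000000000000000000000000000000000
SIZE (openssh-5.6p1+x509-6.2.3.diff.gz) = 168109
SHA256 (openssh-5.6p1-hpn13v10.diff.gz) = 0000000000000000000000000000000000000000000000000000000000000000
SIZE (openssh-5.6p1-hpn13v10.diff.gz) = 22988
EOF
}

# Stand-alone run: build the samples in a scratch directory and check them.
main() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    check_distinfo "$tmp/Makefile" "$tmp/distinfo"
    status=$?
    rm -rf "$tmp"
    return $status
}

main "$@" || echo "distinfo is out of sync with the Makefile"
```

 Run against a real port as `check_distinfo /usr/ports/security/openssh-portable/Makefile /usr/ports/security/openssh-portable/distinfo`; on the sample it reports the HPN diff twice (no SHA256, no SIZE) and says nothing about the tarball or the X509 patch, which is exactly the discrepancy a `make checksum` would only reveal after the fetch.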
 
 
 Index: Makefile
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /base/FreeBSD-CVS/ports/security/openssh-portable/Makefile,v
 retrieving revision 1.149
 diff -u -p -r1.149 Makefile
 --- Makefile=0931 Aug 2010 02:46:43 -0000=091.149
 +++ Makefile=0923 Sep 2010 15:38:15 -0000
 @@ -6,8 +6,8 @@
  #
 =20
  PORTNAME=3D=09openssh
 -DISTVERSION=3D=095.2p1
 -PORTREVISION=3D=092
 +DISTVERSION=3D=095.6p1
 +PORTREVISION=3D=090
  PORTEPOCH=3D=091
  CATEGORIES=3D=09security ipv6
  .if defined(OPENSSH=5FSNAPSHOT)
 @@ -61,8 +61,6 @@ OPTIONS=3D=09PAM=09=09"Enable pam(3) support"=09=09=09=
 
  =09=09GSSAPI=09=09"Enable GSSAPI support (req: KERBEROS)"=09=09off \
  =09=09KERB=5FGSSAPI=09"Enable Kerberos/GSSAPI patch (req: GSSAPI)"=09o=
 ff \
  =09=09OPENSSH=5FCHROOT=09"Enable CHROOT support"=09=09=09=09off \
 -=09=09OPENSC=09=09"Enable OpenSC smartcard support"=09=09off \
 -=09=09OPENSCPINPATCH=09"Enable OpenSC PIN patch"=09=09=09off \
  =09=09HPN=09=09"Enable HPN-SSH patch"=09=09=09=09off \
  =09=09LPK=09=09"Enable LDAP Public Key (LPK) patch"=09=09off \
  =09=09X509=09=09"Enable x509 certificate patch"=09=09=09off \
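 Review bot: dropping the OPENSC and OPENSCPINPATCH knobs here has to be paired, in the same commit, with removing the files they pulled in (the `${FILESDIR}/scardpin.patch` reference disappears a few hunks down), and the commit log should say why: per the port change details, 5.6p1 replaced the old smartcard code with PKCS#11 support, and a saved WITH_OPENSC in a user's options file will from now on match no `.if` in this Makefile and simply be ignored.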
 @@ -75,8 +73,8 @@ OPTIONS=3D=09PAM=09=09"Enable pam(3) support"=09=09=09=
 
  BROKEN=3D=09=09does not build
  .endif
 =20
 -.if defined(WITH=5FX509) && ( defined(WITH=5FHPN) || defined(WITH=5FLP=
 K))
 -BROKEN=3D=09=09X509 patch incompatible with HPN and LPK patches
 +.if defined(WITH=5FX509) && defined(WITH=5FHPN)
 +BROKEN=3D=09=09X509 patches and HPN patches do not apply cleanly toget=
 her
  .endif
 =20
  .if defined(WITH=5FX509) && defined(WITH=5FKERB=5FGSSAPI)
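 Review bot: narrowing the conflict test to X509+HPN drops the X509+LPK guard. That is harmless only because LPK is marked BROKEN later in this patch; either keep `|| defined(WITH_LPK)` in the condition, or record in the commit log that the guard must be re-checked against x509-6.2.3 and lpk-0.3.13 when LPK is revived, otherwise it will be lost silently.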
 @@ -110,7 +108,9 @@ CONFIGURE=5FARGS+=3D=09--with-audit=3Dbsm
  .if !defined(WITHOUT=5FKERBEROS)
  .if defined(KRB5=5FHOME) && exists(${KRB5=5FHOME}) || defined(WITH=5FG=
 SSAPI)
  .if defined(WITH=5FKERB=5FGSSAPI)
 -PATCH=5FDIST=5FSTRIP=3D=09-p0
 +# Latest GSSAPI patch is against 5.3 and does not apply
 +# cleanly against 5.6p1, but it's close.
 +BROKEN=3D=09=09=09upstream GSSAPI key exchange patch is not up to date=
  for OpenSSH 5.6p1
  PATCH=5FSITES+=3D=09=09http://www.sxw.org.uk/computing/patches/
  PATCHFILES+=3D=09=09openssh-5.2p1-gsskex-all-20090726.patch
  .endif
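 Review bot: this block still sets `PATCHFILES+= openssh-5.2p1-gsskex-all-20090726.patch` while the distinfo hunk below deletes that file's MD5/SHA256/SIZE lines without adding new ones, so as soon as the BROKEN marker is lifted the fetch will fail its checksum. Either keep the three distinfo lines, or drop the PATCH_SITES/PATCHFILES lines together with the BROKEN line so the two files stay consistent.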
 @@ -145,48 +145,30 @@ CONFIGURE=5FARGS+=3D=09--with-ssl-dir=3D${OPENSS
  CFLAGS+=3D=09=09-DCHROOT
  .endif
 =20
 -.if defined(WITH=5FOPENSC)
 -LIB=5FDEPENDS+=3D=09=09opensc.2:${PORTSDIR}/security/opensc
 -CONFIGURE=5FARGS+=3D=09--with-opensc=3D${LOCALBASE}
 -.endif
 -
 -# See http://bugzilla.mindrot.org/show=5Fbug.cgi=3Fid=3D608
 -.if defined(WITH=5FOPENSCPINPATCH)
 -EXTRA=5FPATCHES+=3D=09=09${FILESDIR}/scardpin.patch
 -.endif
 -
  .if defined(WITH=5FHPN)
 -EXTRA=5FPATCHES+=3D=09${FILESDIR}/openssh-5.2p1-hpn13v6.diff
 +PATCH=5FSITES+=3D=09=09http://www.psc.edu/networking/projects/hpn-ssh/=
 
 +PATCHFILES+=3D=09=09openssh-5.6p1-hpn13v10.diff
  .endif
 =20
 -# See http://dev.inversepath.com/trac/openssh-lpk
 +# See http://code.google.com/p/openssh-lpk/wiki/Main
 +# and svn repo described here:
 +# http://code.google.com/p/openssh-lpk/source/checkout
  .if defined(WITH=5FLPK)
 -EXTRA=5FPATCHES+=3D=09=09${FILESDIR}/contrib-openssh-lpk-5.1p1-0.3.10.=
 patch
 +# Latest LPK patch is against 5.4p1 and does not apply
 +# cleanly against 5.6p1, but it's close.
 +BROKEN=3D=09=09=09latest upstream LDAP public key patch is not up to d=
 ate for OpenSSH 5.6p1
 +EXTRA=5FPATCHES+=3D=09=09${FILESDIR}/contrib-openssh-lpk-5.4p1-0.3.13.=
 patch
  USE=5FOPENLDAP=3D=09=09yes
 -CPPFLAGS+=3D=09=09"-I${LOCALBASE}/include -DWITH=5FLDAP=5FPUBKEY"
 +CPPFLAGS+=3D=09=09-I${LOCALBASE}/include
  CONFIGURE=5FARGS+=3D=09--with-libs=3D'-lldap' --with-ldflags=3D'-L${LO=
 CALBASE}/lib' \
 -=09=09=09--with-cppflags=3D'-I${LOCALBASE}/include -DWITH=5FLDAP=5FPUB=
 KEY'
 -.endif
 -
 -# resolve some patches incompatibility between LPK and HPN patches
 -
 -.if defined(WITH=5FHPN) && defined(WITH=5FLPK)
 -EXTRA=5FPATCHES+=3D=09=09${FILESDIR}/lpk+hpn-servconf.c.patch
 -.elif defined(WITH=5FHPN) && !defined(WITH=5FLPK)
 -EXTRA=5FPATCHES+=3D=09=09${FILESDIR}/openssh-5.2p1-hpn13v6-servconf.c.=
 diff
 -.elif defined(WITH=5FLPK) && !defined(WITH=5FHPN)
 -EXTRA=5FPATCHES+=3D=09=09${FILESDIR}/contrib-openssh-lpk-5.1p1-0.3.10-=
 servconf.c.patch
 -.endif
 -
 -.if defined(WITH=5FLPK) && ${ARCH} =3D=3D "amd64"
 -EXTRA=5FPATCHES+=3D=09=09${FILESDIR}/contrib-openssh-5.1=5Fp1-lpk-64bi=
 t.patch
 +=09=09=09--with-cppflags=3D'${CPPFLAGS}' --with=5Fldap=3Dyes
  .endif
 =20
  # See http://www.roumenpetrov.info/openssh/
  .if defined(WITH=5FX509)
  PATCH=5FDIST=5FSTRIP=3D=09-p1
 -PATCH=5FSITES+=3D=09=09http://www.roumenpetrov.info/openssh/x509-6.2/
 -PATCHFILES+=3D=09=09openssh-5.2p1+x509-6.2.diff.gz
 +PATCH=5FSITES+=3D=09=09http://www.roumenpetrov.info/openssh/x509-6.2.3=
 /
 +PATCHFILES+=3D=09=09openssh-5.6p1+x509-6.2.3.diff.gz
  PLIST=5FSUB+=3D=09=09X509=3D""
  .else
  PLIST=5FSUB+=3D=09=09X509=3D"@comment "
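 Review bot: `--with_ldap=yes` on the new CONFIGURE_ARGS line uses an underscore; autoconf-generated configure scripts recognise only the `--with-` spelling and report anything else starting with `-` as an unrecognized option, so unless the lpk-0.3.13 patch adds this exact option, `--with-ldap` is what is meant (the block is BROKEN, so this would not be noticed until LPK is revived). Two smaller points: the HPN diff is now fetched via PATCHFILES and applied at the port's default strip level, whereas PATCH_DIST_STRIP is set only inside the X509 block, so confirm hpn13v10 applies without `-p1`; and the removed `${FILESDIR}/openssh-5.2p1-hpn13v6*.diff`, `lpk+hpn-servconf.c.patch` and `scardpin.patch` references need the matching file removals in the same commit.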
 @@ -194,6 +176,9 @@ PLIST=5FSUB+=3D=09=09X509=3D"@comment "
 =20
  # See http://sftpfilecontrol.sourceforge.net/
  .if defined(WITH=5FFILECONTROL)
 +# Latest sftpfilecontrol patch is against 5.4p1 which does not apply
 +# cleanly against 5.6p1, but it's close.
 +BROKEN=3D=09=09=09latest upstream sftp file control public key patch i=
 s not up to date for OpenSSH 5.6p1
  EXTRA=5FPATCHES+=3D=09=09${FILESDIR}/openssh-${DISTVERSION}.sftpfileco=
 ntrol-v1.3.patch
  .endif
 =20
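 Review bot: the BROKEN text reads "sftp file control public key patch"; "public key" is carried over from the LPK message and should go. Also, EXTRA_PATCHES is built from `${DISTVERSION}`, so it now expects files/openssh-5.6p1.sftpfilecontrol-v1.3.patch, which per the port change details does not exist (the latest upstream patch is for 5.4p1); naming the file explicitly would make it clear which patch is being kept until upstream catches up.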
 Index: distinfo
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /base/FreeBSD-CVS/ports/security/openssh-portable/distinfo,v
 retrieving revision 1.51
 diff -u -p -r1.51 distinfo
 --- distinfo=0918 Sep 2009 14:05:52 -0000=091.51
 +++ distinfo=0923 Sep 2010 15:14:09 -0000
 @@ -1,9 +1,9 @@
 -MD5 (openssh-5.2p1.tar.gz) =3D ada79c7328a8551bdf55c95e631e7dad
 -SHA256 (openssh-5.2p1.tar.gz) =3D 4023710c37d0b3d79e6299cb79b6de2a31db=
 7d581fe59e775a5351784034ecae
 -SIZE (openssh-5.2p1.tar.gz) =3D 1016612
 -MD5 (openssh-5.2p1+x509-6.2.diff.gz) =3D 8dbbfb743226864f6bb49b56e7777=
 6d9
 -SHA256 (openssh-5.2p1+x509-6.2.diff.gz) =3D 72cfb1e232b6ae0a9df6e8539a=
 9f6b53db7c0a2141cf2e4dd65b407748fa9f34
 -SIZE (openssh-5.2p1+x509-6.2.diff.gz) =3D 153010
 -MD5 (openssh-5.2p1-gsskex-all-20090726.patch) =3D e5c116b4bc3f4b816206=
 e8403dd08af7
 -SHA256 (openssh-5.2p1-gsskex-all-20090726.patch) =3D 6eb297d6fa74be332=
 3c5e4f53df5b6e1f4edf6bf394e3e707c075846886e18e7
 -SIZE (openssh-5.2p1-gsskex-all-20090726.patch) =3D 90959
 +MD5 (openssh-5.6p1.tar.gz) =3D e6ee52e47c768bf0ec42a232b5d18fb0
 +SHA256 (openssh-5.6p1.tar.gz) =3D 538af53b2b8162c21a293bb004ae2bdb141a=
 bd250f61b4cea55244749f3c6c2b
 +SIZE (openssh-5.6p1.tar.gz) =3D 1117952
 +MD5 (openssh-5.6p1+x509-6.2.3.diff.gz) =3D a4be654ef64279e9deab6bd68d6=
 dce66
 +SHA256 (openssh-5.6p1+x509-6.2.3.diff.gz) =3D 90977eded2ae5e71bc3b84aa=
 d8597442074742d78d471087d020e58dd58342ad
 +SIZE (openssh-5.6p1+x509-6.2.3.diff.gz) =3D 168109
 +MD5 (openssh-5.6p1-hpn13v10.diff.gz) =3D d8bf6387791699f09bfb5e9c732db=
 9d2
 +SHA256 (openssh-5.6p1-hpn13v10.diff.gz) =3D 6a9ee815e8ffcc9068c3dce4ad=
 4f2898fc0db6b768a3152280aceb8c06c8b450
 +SIZE (openssh-5.6p1-hpn13v10.diff.gz) =3D 22988
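 Review bot: the new HPN entries are for openssh-5.6p1-hpn13v10.diff.gz, but the Makefile hunk above adds `PATCHFILES+= openssh-5.6p1-hpn13v10.diff` with no .gz; fetch looks the name up in distinfo verbatim, so one of the two has to change to whichever name http://www.psc.edu/networking/projects/hpn-ssh/ actually serves.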
 Index: pkg-plist
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /base/FreeBSD-CVS/ports/security/openssh-portable/pkg-plist,v=
 
 retrieving revision 1.17
 diff -u -p -r1.17 pkg-plist
 --- pkg-plist=0916 Dec 2009 16:43:21 -0000=091.17
 +++ pkg-plist=0930 Aug 2010 15:10:37 -0000
 @@ -21,7 +21,6 @@ etc/ssh/sshd=5Fconfig-dist
  %%NOTBASE%%%%X509%%@dirrmtry etc/ssh/ca
  %%NOTBASE%%@dirrmtry etc/ssh
  sbin/sshd
 -share/Ssh.bin
  libexec/sftp-server
  libexec/ssh-keysign
  @exec if [ ! -d %%EMPTYDIR%% ]; then mkdir -p %%EMPTYDIR%% ; fi
 Index: files/patch-session.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /base/FreeBSD-CVS/ports/security/openssh-portable/files/patch=
 -session.c,v
 retrieving revision 1.25
 diff -u -p -r1.25 patch-session.c
 --- files/patch-session.c=0924 Mar 2009 17:26:18 -0000=091.25
 +++ files/patch-session.c=0925 Aug 2010 23:31:57 -0000
 @@ -1,6 +1,6 @@
 ---- session.c.orig=092008-11-07 09:06:00.463747629 +0800
 -+++ session.c=092008-11-07 23:35:15.063890103 +0800
 -@@ -884,6 +884,24 @@
 +--- session.c.orig=092010-06-25 18:00:15.000000000 -0600
 ++++ session.c=092010-08-25 17:31:35.000000000 -0600
 +@@ -893,6 +893,24 @@
   {
   =09FILE *f;
   =09char buf[256];
 @@ -25,9 +25,9 @@
  =20
   =09if (options.print=5Fmotd) {
   #ifdef HAVE=5FLOGIN=5FCAP
 -@@ -1113,6 +1131,9 @@
 +@@ -1122,6 +1140,9 @@
   =09struct passwd *pw =3D s->pw;
 - #ifndef HAVE=5FLOGIN=5FCAP
 + #if !defined (HAVE=5FLOGIN=5FCAP) && !defined (HAVE=5FCYGWIN)
   =09char *path =3D NULL;
  +#else
  +=09extern char **environ;
 @@ -35,7 +35,7 @@
   #endif
  =20
   =09/* Initialize the environment. */
 -@@ -1134,6 +1155,9 @@
 +@@ -1143,6 +1164,9 @@
   =09}
   #endif
  =20
 @@ -45,7 +45,7 @@
   #ifdef GSSAPI
   =09/* Allow any GSSAPI methods that we've used to alter
   =09 * the childs environment as they see fit
 -@@ -1153,11 +1177,22 @@
 +@@ -1162,11 +1186,22 @@
   =09=09child=5Fset=5Fenv(&env, &envsize, "LOGIN", pw->pw=5Fname);
   #endif
   =09=09child=5Fset=5Fenv(&env, &envsize, "HOME", pw->pw=5Fdir);
 @@ -72,7 +72,7 @@
   #else /* HAVE=5FLOGIN=5FCAP */
   # ifndef HAVE=5FCYGWIN
   =09=09/*
 -@@ -1178,15 +1213,9 @@
 +@@ -1187,15 +1222,9 @@
   # endif /* HAVE=5FCYGWIN */
   #endif /* HAVE=5FLOGIN=5FCAP */
  =20
 @@ -88,7 +88,7 @@
  =20
   =09/* Set custom environment options from RSA authentication. */
   =09if (!options.use=5Flogin) {
 -@@ -1452,6 +1481,9 @@
 +@@ -1467,6 +1496,9 @@
   void
   do=5Fsetusercontext(struct passwd *pw)
   {
 @@ -98,7 +98,7 @@
   =09char *chroot=5Fpath, *tmp;
  =20
   #ifdef WITH=5FSELINUX
 -@@ -1477,8 +1509,25 @@
 +@@ -1487,8 +1519,25 @@
   =09=09=09do=5Fpam=5Fsetcred(use=5Fprivsep);
   =09=09}
   # endif /* USE=5FPAM */
 @@ -125,7 +125,7 @@
   =09=09=09perror("unable to set user context");
   =09=09=09exit(1);
   =09=09}
 -@@ -1736,6 +1785,10 @@
 +@@ -1761,6 +1810,10 @@
   =09 */
   =09environ =3D env;
  =20
 @@ -136,13 +136,13 @@
   #if defined(KRB5) && defined(USE=5FAFS)
   =09/*
   =09 * At this point, we check to see if AFS is active and if we have
 -@@ -1765,9 +1818,6 @@
 +@@ -1790,9 +1843,6 @@
   =09/* Change current directory to the user's home directory. */
   =09if (chdir(pw->pw=5Fdir) < 0) {
   =09=09/* Suppress missing homedir warning for chroot case */
  -#ifdef HAVE=5FLOGIN=5FCAP
  -=09=09r =3D login=5Fgetcapbool(lc, "requirehome", 0);
  -#endif
 - =09=09if (r || options.chroot=5Fdirectory =3D=3D NULL)
 + =09=09if (r || options.chroot=5Fdirectory =3D=3D NULL ||
 + =09=09    strcasecmp(options.chroot=5Fdirectory, "none") =3D=3D 0)
   =09=09=09fprintf(stderr, "Could not chdir to home "
 - =09=09=09    "directory %s: %s\n", pw->pw=5Fdir,
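 Review bot: these hunks only re-sync the 5.6p1 line offsets and pick up upstream's new `strcasecmp(options.chroot_directory, "none")` context, which is fine, but the file still has no header while the refreshed files/patch-ssh.c in this same patchset gains a `$FreeBSD$` line and a one-sentence rationale. Give this patch the same treatment (why the port diverges from upstream session.c in its login.conf/login_getcapbool handling) so the next refresh does not have to rediscover it.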
 Index: files/patch-ssh.c
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /base/FreeBSD-CVS/ports/security/openssh-portable/files/patch=
 -ssh.c,v
 retrieving revision 1.1
 diff -u -p -r1.1 patch-ssh.c
 --- files/patch-ssh.c=091 Oct 2006 02:15:00 -0000=091.1
 +++ files/patch-ssh.c=0925 Aug 2010 23:58:01 -0000
 @@ -1,10 +1,13 @@
 ---- ssh.c.orig=09Sat Sep  2 02:32:40 2006
 -+++ ssh.c=09Sat Sep 30 10:38:05 2006
 -@@ -639,6 +640,23 @@
 +$FreeBSD$
 +
 +Make the same change to use the canonical hostname as the base FreeBSD=
  ssh.
 +
 +--- ssh.c.orig=092010-08-16 09:59:31.000000000 -0600
 ++++ ssh.c=092010-08-25 17:55:01.000000000 -0600
 +@@ -699,6 +699,23 @@
 + =09=09    "h", host, (char *)NULL);
 + =09}
  =20
 - =09if (options.hostname !=3D NULL)
 - =09=09host =3D options.hostname;
 -+
  +=09/* Find canonic host name. */
  +=09if (strchr(host, '.') =3D=3D 0) {
  +=09=09struct addrinfo hints;
 @@ -21,6 +24,7 @@
  +=09=09=09freeaddrinfo(ai);
  +=09=09}
  +=09}
 ++
 + =09if (options.local=5Fcommand !=3D NULL) {
 + =09=09char thishost[NI=5FMAXHOST];
  =20
 - =09/* force lowercase for hostkey matching */
 - =09if (options.host=5Fkey=5Falias !=3D NULL) {
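 Review bot: the new header's "Make the same change to use the canonical hostname as the base FreeBSD ssh" should name the src/crypto/openssh/ssh.c revision it was taken from, so future refreshes can diff against base instead of guessing. Otherwise the hunk is a straight re-sync of the canonical-hostname block to its new position after the `Hostname` percent expansion, and the extra `+` blank line before `if (options.local_command != NULL)` is cosmetic only.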
 Index: files/patch-sshd=5Fconfig.5
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: /base/FreeBSD-CVS/ports/security/openssh-portable/files/patch=
 -sshd=5Fconfig.5,v
 retrieving revision 1.1
 diff -u -p -r1.1 patch-sshd=5Fconfig.5
 --- files/patch-sshd=5Fconfig.5=091 Oct 2006 02:15:00 -0000=091.1
 +++ files/patch-sshd=5Fconfig.5=0931 Aug 2010 11:28:35 -0000
 @@ -1,26 +1,17 @@
 ---- sshd=5Fconfig.5.orig=09Tue Aug 29 22:06:34 2006
 -+++ sshd=5Fconfig.5=09Sat Sep 30 10:39:07 2006
 -@@ -169,9 +170,16 @@
 - By default, no banner is displayed.
 +--- sshd=5Fconfig.5.orig=092010-07-01 21:37:17.000000000 -0600
 ++++ sshd=5Fconfig.5=092010-08-31 05:27:27.000000000 -0600
 +@@ -223,7 +223,9 @@
   .It Cm ChallengeResponseAuthentication
 - Specifies whether challenge-response authentication is allowed.
 --All authentication styles from
 --.Xr login.conf 5
 --are supported.
 -+Specifically, in
 -+.Fx ,
 -+this controls the use of PAM (see
 -+.Xr pam 3 )
 -+for authentication.
 -+Note that this affects the effectiveness of the
 -+.Cm PasswordAuthentication
 -+and
 -+.Cm PermitRootLogin
 -+variables.
 + Specifies whether challenge-response authentication is allowed (e.g. =
 via
 + PAM or though authentication styles supported in
 +-.Xr login.conf 5 )
 ++.Xr login.conf 5 ) .
 ++See also
 ++.Cm UsePAM .
   The default is
   .Dq yes .
 - .It Cm Ciphers
 -@@ -554,7 +560,22 @@
 + .It Cm ChrootDirectory
 +@@ -714,7 +716,22 @@
   .It Cm PasswordAuthentication
   Specifies whether password authentication is allowed.
   The default is
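 Review bot: the context line `PAM or though authentication styles supported in` carries an upstream typo ("though" for "through"); since this patch already rewrites the end of that sentence, it is the natural place to fix it, or else leave it for upstream and note that in the patch header. The cover letter already flags `See also UsePAM` as possibly redundant now that upstream mentions PAM here; if it is kept, say so in the header as well so it is not dropped by accident on the next refresh.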
 @@ -43,7 +34,7 @@
   .It Cm PermitEmptyPasswords
   When password authentication is allowed, it specifies whether the
   server allows login to accounts with empty password strings.
 -@@ -597,7 +618,14 @@
 +@@ -757,7 +774,14 @@
   or
   .Dq no .
   The default is
 @@ -59,9 +50,9 @@
   .Pp
   If this option is set to
   .Dq without-password ,
 -@@ -704,7 +732,9 @@
 - .Dq yes .
 - Note that this option applies to protocol version 2 only.
 +@@ -869,7 +893,9 @@
 + Note that if this file is not readable, then public key authenticatio=
 n will
 + be refused for all users.
   .It Cm RhostsRSAAuthentication
  -Specifies whether rhosts or /etc/hosts.equiv authentication together
  +Specifies whether rhosts or
 @@ -70,7 +61,7 @@
   with successful RSA host authentication is allowed.
   The default is
   .Dq no .
 -@@ -814,7 +844,7 @@
 +@@ -1009,7 +1035,7 @@
   .Xr sshd 8
   as a non-root user.
   The default is
 @@ -79,7 +70,7 @@
   .It Cm UsePrivilegeSeparation
   Specifies whether
   .Xr sshd 8
 -@@ -839,7 +874,7 @@
 +@@ -1034,7 +1060,7 @@
   or
   .Dq no .
   The default is
 Index: files/contrib-openssh-5.1=5Fp1-lpk-64bit.patch
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: files/contrib-openssh-5.1=5Fp1-lpk-64bit.patch
 diff -N files/contrib-openssh-5.1=5Fp1-lpk-64bit.patch
 --- files/contrib-openssh-5.1=5Fp1-lpk-64bit.patch=0921 Jun 2009 20:36:=
 15 -0000=091.1
 +++ /dev/null=091 Jan 1970 00:00:00 -0000
 @@ -1,44 +0,0 @@
 -diff -Nuar --exclude '*.rej' servconf.c.orig servconf.c
 ---- servconf.c.orig=092008-08-23 15:02:47.000000000 -0700
 -+++ servconf.c=092008-08-23 15:04:21.000000000 -0700
 -@@ -701,6 +701,7 @@
 - =09int cmdline =3D 0, *intptr, value, n;
 - =09SyslogFacility *log=5Ffacility=5Fptr;
 - =09LogLevel *log=5Flevel=5Fptr;
 -+ =09unsigned long lvalue, *longptr;
 - =09ServerOpCodes opcode;
 - =09u=5Fshort port;
 - =09u=5Fint i, flags =3D 0;
 -@@ -715,6 +716,7 @@
 - =09if (!arg || !*arg || *arg =3D=3D '#')
 - =09=09return 0;
 - =09intptr =3D NULL;
 -+=09longptr =3D NULL;
 - =09charptr =3D NULL;
 - =09opcode =3D parse=5Ftoken(arg, filename, linenum, &flags);
 -=20
 -@@ -1449,11 +1451,20 @@
 - =09=09=09*intptr =3D value;
 - =09=09break;
 - =09case sBindTimeout:
 --=09=09intptr =3D (int *) &options->lpk.b=5Ftimeout.tv=5Fsec;
 --=09=09goto parse=5Fint;
 -+=09=09longptr =3D (unsigned long *) &options->lpk.b=5Ftimeout.tv=5Fse=
 c;
 -+parse=5Fulong:
 -+=09=09arg =3D strdelim(&cp);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%s line %d: missing integer value.",
 -+=09=09=09    filename, linenum);
 -+=09=09lvalue =3D atol(arg);
 -+=09=09if (*activep && *longptr =3D=3D -1)
 -+=09=09=09*longptr =3D lvalue;
 -+=09=09break;
 -+
 - =09case sSearchTimeout:
 --=09=09intptr =3D (int *) &options->lpk.s=5Ftimeout.tv=5Fsec;
 --=09=09goto parse=5Fint;
 -+=09=09longptr =3D (unsigned long *) &options->lpk.s=5Ftimeout.tv=5Fse=
 c;
 -+=09=09goto parse=5Fulong;
 - =09=09break;
 - =09case sLdapConf:
 - =09=09arg =3D cp;
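 Review bot: deleting this file removes the amd64 fix that parsed BindTimeout and SearchTimeout into an `unsigned long` instead of through an `int *` aimed at a struct timeval's tv_sec; the Makefile hunk that dropped the `${ARCH} == "amd64"` block relies on contrib-openssh-lpk-5.4p1-0.3.13.patch having fixed this itself. Confirm that before LPK is un-BROKEN, and if it has not, carry the fix forward (and rewrite the `*longptr == -1` test on an unsigned long while doing so).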
 Index: files/contrib-openssh-lpk-5.1p1-0.3.10-servconf.c.patch
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: files/contrib-openssh-lpk-5.1p1-0.3.10-servconf.c.patch
 diff -N files/contrib-openssh-lpk-5.1p1-0.3.10-servconf.c.patch
 --- files/contrib-openssh-lpk-5.1p1-0.3.10-servconf.c.patch=0921 Jun 20=
 09 20:36:15 -0000=091.1
 +++ /dev/null=091 Jan 1970 00:00:00 -0000
 @@ -1,213 +0,0 @@
 ---- servconf.c.orig=092009-05-26 15:13:32.000000000 +0400
 -+++ servconf.c=092009-05-26 15:24:39.000000000 +0400
 -@@ -42,6 +42,10 @@
 - #include "channels.h"
 - #include "groupaccess.h"
 -=20
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+#include "ldapauth.h"
 -+#endif
 -+
 - static void add=5Flisten=5Faddr(ServerOptions *, char *, int);
 - static void add=5Fone=5Flisten=5Faddr(ServerOptions *, char *, int);
 -=20
 -@@ -128,6 +132,24 @@
 - =09options->adm=5Fforced=5Fcommand =3D NULL;
 - =09options->chroot=5Fdirectory =3D NULL;
 - =09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D -1;
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+ =09/* XXX dirty */
 -+ =09options->lpk.ld =3D NULL;
 -+ =09options->lpk.on =3D -1;
 -+ =09options->lpk.servers =3D NULL;
 -+ =09options->lpk.u=5Fbasedn =3D NULL;
 -+ =09options->lpk.g=5Fbasedn =3D NULL;
 -+ =09options->lpk.binddn =3D NULL;
 -+ =09options->lpk.bindpw =3D NULL;
 -+ =09options->lpk.sgroup =3D NULL;
 -+ =09options->lpk.filter =3D NULL;
 -+ =09options->lpk.fgroup =3D NULL;
 -+ =09options->lpk.l=5Fconf =3D NULL;
 -+ =09options->lpk.tls =3D -1;
 -+ =09options->lpk.b=5Ftimeout.tv=5Fsec =3D -1;
 -+ =09options->lpk.s=5Ftimeout.tv=5Fsec =3D -1;
 -+ =09options->lpk.flags =3D FLAG=5FEMPTY;
 -+#endif
 - }
 -=20
 - void
 -@@ -265,6 +287,32 @@
 - =09=09options->permit=5Ftun =3D SSH=5FTUNMODE=5FNO;
 - =09if (options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D=3D -=
 1)
 - =09=09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D 0;
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09if (options->lpk.on =3D=3D -1)
 -+=09    options->lpk.on =3D =5FDEFAULT=5FLPK=5FON;
 -+=09if (options->lpk.servers =3D=3D NULL)
 -+=09    options->lpk.servers =3D =5FDEFAULT=5FLPK=5FSERVERS;
 -+=09if (options->lpk.u=5Fbasedn =3D=3D NULL)
 -+=09    options->lpk.u=5Fbasedn =3D =5FDEFAULT=5FLPK=5FUDN;
 -+=09if (options->lpk.g=5Fbasedn =3D=3D NULL)
 -+=09    options->lpk.g=5Fbasedn =3D =5FDEFAULT=5FLPK=5FGDN;
 -+=09if (options->lpk.binddn =3D=3D NULL)
 -+=09    options->lpk.binddn =3D =5FDEFAULT=5FLPK=5FBINDDN;
 -+=09if (options->lpk.bindpw =3D=3D NULL)
 -+=09    options->lpk.bindpw =3D =5FDEFAULT=5FLPK=5FBINDPW;
 -+=09if (options->lpk.sgroup =3D=3D NULL)
 -+=09    options->lpk.sgroup =3D =5FDEFAULT=5FLPK=5FSGROUP;
 -+=09if (options->lpk.filter =3D=3D NULL)
 -+=09    options->lpk.filter =3D =5FDEFAULT=5FLPK=5FFILTER;
 -+=09if (options->lpk.tls =3D=3D -1)
 -+=09    options->lpk.tls =3D =5FDEFAULT=5FLPK=5FTLS;
 -+=09if (options->lpk.b=5Ftimeout.tv=5Fsec =3D=3D -1)
 -+=09    options->lpk.b=5Ftimeout.tv=5Fsec =3D =5FDEFAULT=5FLPK=5FBTIME=
 OUT;
 -+=09if (options->lpk.s=5Ftimeout.tv=5Fsec =3D=3D -1)
 -+=09    options->lpk.s=5Ftimeout.tv=5Fsec =3D =5FDEFAULT=5FLPK=5FSTIME=
 OUT;
 -+=09if (options->lpk.l=5Fconf =3D=3D NULL)
 -+=09    options->lpk.l=5Fconf =3D =5FDEFAULT=5FLPK=5FLDP;
 -+#endif
 -=20
 - =09/* Turn privilege separation on by default */
 - =09if (use=5Fprivsep =3D=3D -1)
 -@@ -311,6 +359,12 @@
 - =09sUsePrivilegeSeparation, sAllowAgentForwarding,
 - =09sZeroKnowledgePasswordAuthentication,
 - =09sDeprecated, sUnsupported
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09,sLdapPublickey, sLdapServers, sLdapUserDN
 -+=09,sLdapGroupDN, sBindDN, sBindPw, sMyGroup
 -+=09,sLdapFilter, sForceTLS, sBindTimeout
 -+=09,sSearchTimeout, sLdapConf
 -+#endif
 - } ServerOpCodes;
 -=20
 - #define SSHCFG=5FGLOBAL=090x01=09/* allowed in main section of sshd=5F=
 config */
 -@@ -421,6 +475,20 @@
 - =09{ "clientalivecountmax", sClientAliveCountMax, SSHCFG=5FGLOBAL },
 - =09{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG=5FGLOBAL },
 - =09{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG=5FGLOBAL },
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09{ =5FDEFAULT=5FLPK=5FTOKEN, sLdapPublickey, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FSRV=5FTOKEN, sLdapServers, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FUSR=5FTOKEN, sLdapUserDN, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FGRP=5FTOKEN, sLdapGroupDN, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FBDN=5FTOKEN, sBindDN, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FBPW=5FTOKEN, sBindPw, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FMYG=5FTOKEN, sMyGroup, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FFIL=5FTOKEN, sLdapFilter, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FTLS=5FTOKEN, sForceTLS, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FBTI=5FTOKEN, sBindTimeout, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FSTI=5FTOKEN, sSearchTimeout, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FLDP=5FTOKEN, sLdapConf, SSHCFG=5FGLOBAL },
 -+#endif
 - =09{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG=5FGLOB=
 AL },
 - =09{ "acceptenv", sAcceptEnv, SSHCFG=5FGLOBAL },
 - =09{ "permittunnel", sPermitTunnel, SSHCFG=5FGLOBAL },
 -@@ -1311,6 +1379,107 @@
 - =09=09while (arg)
 - =09=09    arg =3D strdelim(&cp);
 - =09=09break;
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09case sLdapPublickey:
 -+=09=09intptr =3D &options->lpk.on;
 -+=09=09goto parse=5Fflag;
 -+=09case sLdapServers:
 -+=09=09/* arg =3D strdelim(&cp); */
 -+=09=09p =3D line;
 -+=09=09while(*p++);
 -+=09=09arg =3D p;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing ldap server",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09if ((options->lpk.servers =3D ldap=5Fparse=5Fservers(arg)) =3D=3D=
  NULL)
 -+=09=09    fatal("%s line %d: error in ldap servers", filename, linenu=
 m);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sLdapUserDN:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing ldap server",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.u=5Fbasedn =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sLdapGroupDN:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing ldap server",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.g=5Fbasedn =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sBindDN:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing binddn",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.binddn =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sBindPw:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing bindpw",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.bindpw =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sMyGroup:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing groupname",filename, linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.sgroup =3D xstrdup(arg);
 -+=09=09if (options->lpk.sgroup)
 -+=09=09    options->lpk.fgroup =3D ldap=5Fparse=5Fgroups(options->lpk.=
 sgroup);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sLdapFilter:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing filter",filename, linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.filter =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sForceTLS:
 -+=09=09intptr =3D &options->lpk.tls;
 -+=09=09arg =3D strdelim(&cp);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%s line %d: missing yes/no argument.",
 -+=09=09=09    filename, linenum);
 -+=09=09value =3D 0;=09/* silence compiler */
 -+=09=09if (strcmp(arg, "yes") =3D=3D 0)
 -+=09=09=09value =3D 1;
 -+=09=09else if (strcmp(arg, "no") =3D=3D 0)
 -+=09=09=09value =3D 0;
 -+=09=09else if (strcmp(arg, "try") =3D=3D 0)
 -+=09=09=09value =3D -1;
 -+=09=09else
 -+=09=09=09fatal("%s line %d: Bad yes/no argument: %s",
 -+=09=09=09=09filename, linenum, arg);
 -+=09=09if (*intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+=09case sBindTimeout:
 -+=09=09intptr =3D (int *) &options->lpk.b=5Ftimeout.tv=5Fsec;
 -+=09=09goto parse=5Fint;
 -+=09case sSearchTimeout:
 -+=09=09intptr =3D (int *) &options->lpk.s=5Ftimeout.tv=5Fsec;
 -+=09=09goto parse=5Fint;
 -+=09=09break;
 -+=09case sLdapConf:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing LpkLdapConf", filename, linenum)=
 ;
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.l=5Fconf =3D xstrdup(arg);
 -+=09=09memset(arg, 0, strlen(arg));
 -+=09=09break;
 -+#endif
 -=20
 - =09default:
 - =09=09fatal("%s line %d: Missing handler for opcode %s (%d)",
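Review bot: any remaining reference to `files/contrib-openssh-lpk-5.1p1-0.3.10-servconf.c.patch` in the LPK option's patch list has to go in the same commit as this deletion (`+++ /dev/null`, `@@ -1,213 +0,0 @@`), or an LPK build stops on a missing patch file. One detail of the removed servconf.c parser worth carrying over to whatever LPK patch replaces it: every string-valued `case` wipes the config-line buffer after copying the value (`memset(arg,0,strlen(arg));`), which keeps the `BindPw` value from lingering in the line buffer after parsing. The `arg[strlen(arg)] = '\0';` before each copy is a no-op and the `break;` after `goto parse_int;` in `case sSearchTimeout:` is unreachable, so nothing of value is lost with those.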
 Index: files/contrib-openssh-lpk-5.1p1-0.3.10.patch
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: files/contrib-openssh-lpk-5.1p1-0.3.10.patch
 diff -N files/contrib-openssh-lpk-5.1p1-0.3.10.patch
 --- files/contrib-openssh-lpk-5.1p1-0.3.10.patch=0921 Jun 2009 20:36:15=
  -0000=091.1
 +++ /dev/null=091 Jan 1970 00:00:00 -0000
 @@ -1,1682 +0,0 @@
 -This is a forward-port of the OpenSSH LPK support patch.
 -
 -It adds support for storing OpenSSH public keys in LDAP. It also suppo=
 rts
 -grouping of machines in the LDAP data to limit users to specific machi=
 nes.
 -
 -The latest homepage for the LPK project is:
 -http://code.google.com/p/openssh-lpk/
 -
 -The 0.3.10 version of the patch includes a fix for 64-bit platforms, a=
 s
 -discovered by Gentoo, where the bind timeout and search timeout values=
  were not
 -being parsed correctly: http://bugs.gentoo.org/210110
 -
 -Forward-ported-from: openssh-lpk-5.1p1-0.3.9.patch
 -Signed-off-by: Robin H. Johnson <robbat2 at gentoo.org>
 -
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' auth2-pubkey.c auth2-p=
 ubkey.c
 ---- auth2-pubkey.c=092008-07-03 19:54:25.000000000 -0700
 -+++ auth2-pubkey.c=092008-08-23 15:02:47.000000000 -0700
 -@@ -55,6 +55,10 @@
 - #include "monitor=5Fwrap.h"
 - #include "misc.h"
 -=20
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+#include "ldapauth.h"
 -+#endif
 -+
 - /* import */
 - extern ServerOptions options;
 - extern u=5Fchar *session=5Fid2;
 -@@ -187,10 +191,79 @@
 - =09u=5Flong linenum =3D 0;
 - =09Key *found;
 - =09char *fp;
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09ldap=5Fkey=5Ft * k;
 -+=09unsigned int i =3D 0;
 -+#endif
 -=20
 - =09/* Temporarily use the user's uid. */
 - =09temporarily=5Fuse=5Fuid(pw);
 -=20
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+ =09found=5Fkey =3D 0;
 -+ =09/* allocate a new key type */
 -+ =09found =3D key=5Fnew(key->type);
 -+=20
 -+ =09/* first check if the options is enabled, then try.. */
 -+=09if (options.lpk.on) {
 -+=09    debug("[LDAP] trying LDAP first uid=3D%s",pw->pw=5Fname);
 -+=09    if (ldap=5Fismember(&options.lpk, pw->pw=5Fname) > 0) {
 -+=09=09if ((k =3D ldap=5Fgetuserkey(&options.lpk, pw->pw=5Fname)) !=3D=
  NULL) {
 -+=09=09    /* Skip leading whitespace, empty and comment lines. */
 -+=09=09    for (i =3D 0 ; i < k->num ; i++) {
 -+=09=09=09/* dont forget if multiple keys to reset options */
 -+=09=09=09char *cp, *options =3D NULL;
 -+
 -+=09=09=09for (cp =3D (char *)k->keys[i]->bv=5Fval; *cp =3D=3D ' ' || =
 *cp =3D=3D '\t'; cp++)
 -+=09=09=09    ;
 -+=09=09=09if (!*cp || *cp =3D=3D '\n' || *cp =3D=3D '#')
 -+=09=09=09    continue;
 -+
 -+=09=09=09if (key=5Fread(found, &cp) !=3D 1) {
 -+=09=09=09    /* no key=3F  check if there are options for this key */=
 
 -+=09=09=09    int quoted =3D 0;
 -+=09=09=09    debug2("[LDAP] user=5Fkey=5Fallowed: check options: '%s'=
 ", cp);
 -+=09=09=09    options =3D cp;
 -+=09=09=09    for (; *cp && (quoted || (*cp !=3D ' ' && *cp !=3D '\t')=
 ); cp++) {
 -+=09=09=09=09if (*cp =3D=3D '\\' && cp[1] =3D=3D '"')
 -+=09=09=09=09    cp++;=09/* Skip both */
 -+=09=09=09=09else if (*cp =3D=3D '"')
 -+=09=09=09=09    quoted =3D !quoted;
 -+=09=09=09    }
 -+=09=09=09    /* Skip remaining whitespace. */
 -+=09=09=09    for (; *cp =3D=3D ' ' || *cp =3D=3D '\t'; cp++)
 -+=09=09=09=09;
 -+=09=09=09    if (key=5Fread(found, &cp) !=3D 1) {
 -+=09=09=09=09debug2("[LDAP] user=5Fkey=5Fallowed: advance: '%s'", cp);=
 
 -+=09=09=09=09/* still no key=3F  advance to next line*/
 -+=09=09=09=09continue;
 -+=09=09=09    }
 -+=09=09=09}
 -+
 -+=09=09=09if (key=5Fequal(found, key) &&
 -+=09=09=09=09auth=5Fparse=5Foptions(pw, options, file, linenum) =3D=3D=
  1) {
 -+=09=09=09    found=5Fkey =3D 1;
 -+=09=09=09    debug("[LDAP] matching key found");
 -+=09=09=09    fp =3D key=5Ffingerprint(found, SSH=5FFP=5FMD5, SSH=5FFP=
 =5FHEX);
 -+=09=09=09    verbose("[LDAP] Found matching %s key: %s", key=5Ftype(f=
 ound), fp);
 -+
 -+=09=09=09    /* restoring memory */
 -+=09=09=09    ldap=5Fkeys=5Ffree(k);
 -+=09=09=09    xfree(fp);
 -+=09=09=09    restore=5Fuid();
 -+=09=09=09    key=5Ffree(found);
 -+=09=09=09    return found=5Fkey;
 -+=09=09=09    break;
 -+=09=09=09}
 -+=09=09    }/* end of LDAP for() */
 -+=09=09} else {
 -+=09=09    logit("[LDAP] no keys found for '%s'!", pw->pw=5Fname);
 -+=09=09}
 -+=09    } else {
 -+=09=09logit("[LDAP] '%s' is not in '%s'", pw->pw=5Fname, options.lpk.=
 sgroup);
 -+=09    }
 -+=09}
 -+#endif
 - =09debug("trying public key file %s", file);
 - =09f =3D auth=5Fopenkeyfile(file, pw, options.strict=5Fmodes);
 -=20
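Review bot: in the removed auth2-pubkey.c block, `k` from `ldap_getuserkey()` and `found` from `key_new(key->type)` are released only on the matching-key path (`ldap_keys_free(k);` and `key_free(found);` just before `return found_key;`); when the `for` loop ends without a match, the code falls through to `debug("trying public key file %s", file);` with both still allocated. The `break;` after `return found_key;` is unreachable. Nothing to fix in a file being deleted, but the LPK patch that replaces it should be checked for the same leak on the no-match path.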
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' auth-rsa.c auth-rsa.c
 ---- auth-rsa.c=092008-07-02 05:37:30.000000000 -0700
 -+++ auth-rsa.c=092008-08-23 15:02:47.000000000 -0700
 -@@ -174,10 +174,96 @@
 - =09FILE *f;
 - =09u=5Flong linenum =3D 0;
 - =09Key *key;
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09ldap=5Fkey=5Ft * k;
 -+=09unsigned int i =3D 0;
 -+#endif
 -=20
 - =09/* Temporarily use the user's uid. */
 - =09temporarily=5Fuse=5Fuid(pw);
 -=20
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09/* here is the job */
 -+=09key =3D key=5Fnew(KEY=5FRSA1);
 -+
 -+=09if (options.lpk.on) {
 -+=09    debug("[LDAP] trying LDAP first uid=3D%s", pw->pw=5Fname);
 -+=09    if ( ldap=5Fismember(&options.lpk, pw->pw=5Fname) > 0) {
 -+=09=09if ( (k =3D ldap=5Fgetuserkey(&options.lpk, pw->pw=5Fname)) !=3D=
  NULL) {
 -+=09=09    for (i =3D 0 ; i < k->num ; i++) {
 -+=09=09=09char *cp, *options =3D NULL;
 -+
 -+=09=09=09for (cp =3D k->keys[i]->bv=5Fval; *cp =3D=3D ' ' || *cp =3D=3D=
  '\t'; cp++)
 -+=09=09=09    ;
 -+=09=09=09if (!*cp || *cp =3D=3D '\n' || *cp =3D=3D '#')
 -+=09=09=09    continue;
 -+
 -+=09=09=09/*
 -+=09=09=09* Check if there are options for this key, and if so,
 -+=09=09=09* save their starting address and skip the option part
 -+=09=09=09* for now.  If there are no options, set the starting
 -+=09=09=09* address to NULL.
 -+=09=09=09 */
 -+=09=09=09if (*cp < '0' || *cp > '9') {
 -+=09=09=09    int quoted =3D 0;
 -+=09=09=09    options =3D cp;
 -+=09=09=09    for (; *cp && (quoted || (*cp !=3D ' ' && *cp !=3D '\t')=
 ); cp++) {
 -+=09=09=09=09if (*cp =3D=3D '\\' && cp[1] =3D=3D '"')
 -+=09=09=09=09    cp++;=09/* Skip both */
 -+=09=09=09=09else if (*cp =3D=3D '"')
 -+=09=09=09=09    quoted =3D !quoted;
 -+=09=09=09    }
 -+=09=09=09} else
 -+=09=09=09    options =3D NULL;
 -+
 -+=09=09=09/* Parse the key from the line. */
 -+=09=09=09if (hostfile=5Fread=5Fkey(&cp, &bits, key) =3D=3D 0) {
 -+=09=09=09    debug("[LDAP] line %d: non ssh1 key syntax", i);
 -+=09=09=09    continue;
 -+=09=09=09}
 -+=09=09=09/* cp now points to the comment part. */
 -+
 -+=09=09=09/* Check if the we have found the desired key (identified by=
  its modulus). */
 -+=09=09=09if (BN=5Fcmp(key->rsa->n, client=5Fn) !=3D 0)
 -+=09=09=09    continue;
 -+
 -+=09=09=09/* check the real bits  */
 -+=09=09=09if (bits !=3D (unsigned int)BN=5Fnum=5Fbits(key->rsa->n))
 -+=09=09=09    logit("[LDAP] Warning: ldap, line %lu: keysize mismatch:=
  "
 -+=09=09=09=09    "actual %d vs. announced %d.", (unsigned long)i, BN=5F=
 num=5Fbits(key->rsa->n), bits);
 -+
 -+=09=09=09/* We have found the desired key. */
 -+=09=09=09/*
 -+=09=09=09* If our options do not allow this key to be used,
 -+=09=09=09* do not send challenge.
 -+=09=09=09 */
 -+=09=09=09if (!auth=5Fparse=5Foptions(pw, options, "[LDAP]", (unsigned=
  long) i))
 -+=09=09=09    continue;
 -+
 -+=09=09=09/* break out, this key is allowed */
 -+=09=09=09allowed =3D 1;
 -+
 -+=09=09=09/* add the return stuff etc... */
 -+=09=09=09/* Restore the privileged uid. */
 -+=09=09=09restore=5Fuid();
 -+
 -+=09=09=09/* return key if allowed */
 -+=09=09=09if (allowed && rkey !=3D NULL)
 -+=09=09=09    *rkey =3D key;
 -+=09=09=09else
 -+=09=09=09    key=5Ffree(key);
 -+
 -+=09=09=09ldap=5Fkeys=5Ffree(k);
 -+=09=09=09return (allowed);
 -+=09=09    }
 -+=09=09} else {
 -+=09=09    logit("[LDAP] no keys found for '%s'!", pw->pw=5Fname);
 -+=09=09}
 -+=09    } else {
 -+=09=09logit("[LDAP] '%s' is not in '%s'", pw->pw=5Fname, options.lpk.=
 sgroup);
 -+=09    }
 -+=09}
 -+#endif
 - =09/* The authorized keys. */
 - =09file =3D authorized=5Fkeys=5Ffile(pw);
 - =09debug("trying public RSA key file %s", file);
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' config.h.in config.h.i=
 n
 ---- config.h.in=092008-07-21 01:30:49.000000000 -0700
 -+++ config.h.in=092008-08-23 15:02:47.000000000 -0700
 -@@ -560,6 +560,9 @@
 - /* Define to 1 if you have the <linux/if=5Ftun.h> header file. */
 - #undef HAVE=5FLINUX=5FIF=5FTUN=5FH
 -=20
 -+/* Define if you want LDAP support */
 -+#undef WITH=5FLDAP=5FPUBKEY
 -+
 - /* Define if your libraries define login() */
 - #undef HAVE=5FLOGIN
 -=20
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' configure configure
 ---- configure=092008-07-21 01:30:50.000000000 -0700
 -+++ configure=092008-08-23 15:02:47.000000000 -0700
 -@@ -1340,6 +1340,7 @@
 -   --with-tcp-wrappers[=3DPATH] Enable tcpwrappers support (optionally=
  in PATH)
 -   --with-libedit[=3DPATH]   Enable libedit support for sftp
 -   --with-audit=3Dmodule     Enable EXPERIMENTAL audit support (module=
 s=3Ddebug,bsm)
 -+  --with-ldap[=3DPATH]      Enable LDAP pubkey support (optionally in=
  PATH)
 -   --with-ssl-dir=3DPATH     Specify path to OpenSSL installation
 -   --without-openssl-header-check Disable OpenSSL version consistency =
 check
 -   --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
 -@@ -12568,6 +12569,85 @@
 - fi
 -=20
 -=20
 -+# Check whether user wants LDAP support
 -+LDAP=5FMSG=3D"no"
 -+
 -+# Check whether --with-ldap was given.
 -+if test "${with=5Fldap+set}" =3D set; then
 -+  withval=3D$with=5Fldap;
 -+=09=09if test "x$withval" !=3D "xno" ; then
 -+
 -+=09=09=09if test "x$withval" !=3D "xyes" ; then
 -+=09=09=09=09CPPFLAGS=3D"$CPPFLAGS -I${withval}/include"
 -+=09=09=09=09LDFLAGS=3D"$LDFLAGS -L${withval}/lib"
 -+=09=09=09fi
 -+
 -+
 -+cat >>confdefs.h <<\=5FACEOF
 -+#define WITH=5FLDAP=5FPUBKEY 1
 -+=5FACEOF
 -+
 -+=09=09=09LIBS=3D"-lldap $LIBS"
 -+=09=09=09LDAP=5FMSG=3D"yes"
 -+
 -+=09=09=09{ echo "$as=5Fme:$LINENO: checking for LDAP support" >&5
 -+echo $ECHO=5FN "checking for LDAP support... $ECHO=5FC" >&6; }
 -+=09=09=09cat >conftest.$ac=5Fext <<=5FACEOF
 -+/* confdefs.h.  */
 -+=5FACEOF
 -+cat confdefs.h >>conftest.$ac=5Fext
 -+cat >>conftest.$ac=5Fext <<=5FACEOF
 -+/* end confdefs.h.  */
 -+#include <sys/types.h>
 -+=09=09=09=09 #include <ldap.h>
 -+int
 -+main ()
 -+{
 -+(void)ldap=5Finit(0, 0);
 -+  ;
 -+  return 0;
 -+}
 -+=5FACEOF
 -+rm -f conftest.$ac=5Fobjext
 -+if { (ac=5Ftry=3D"$ac=5Fcompile"
 -+case "(($ac=5Ftry" in
 -+  *\"* | *\`* | *\\*) ac=5Ftry=5Fecho=3D\$ac=5Ftry;;
 -+  *) ac=5Ftry=5Fecho=3D$ac=5Ftry;;
 -+esac
 -+eval "echo \"\$as=5Fme:$LINENO: $ac=5Ftry=5Fecho\"") >&5
 -+  (eval "$ac=5Fcompile") 2>conftest.er1
 -+  ac=5Fstatus=3D$=3F
 -+  grep -v '^ *+' conftest.er1 >conftest.err
 -+  rm -f conftest.er1
 -+  cat conftest.err >&5
 -+  echo "$as=5Fme:$LINENO: \$=3F =3D $ac=5Fstatus" >&5
 -+  (exit $ac=5Fstatus); } && {
 -+=09 test -z "$ac=5Fc=5Fwerror=5Fflag" ||
 -+=09 test ! -s conftest.err
 -+       } && test -s conftest.$ac=5Fobjext; then
 -+  { echo "$as=5Fme:$LINENO: result: yes" >&5
 -+echo "${ECHO=5FT}yes" >&6; }
 -+else
 -+  echo "$as=5Fme: failed program was:" >&5
 -+sed 's/^/| /' conftest.$ac=5Fext >&5
 -+
 -+
 -+=09=09=09=09    { echo "$as=5Fme:$LINENO: result: no" >&5
 -+echo "${ECHO=5FT}no" >&6; }
 -+=09=09=09=09=09{ { echo "$as=5Fme:$LINENO: error: ** Incomplete or mi=
 ssing ldap libraries **" >&5
 -+echo "$as=5Fme: error: ** Incomplete or missing ldap libraries **" >&=
 2;}
 -+   { (exit 1); exit 1; }; }
 -+
 -+
 -+fi
 -+
 -+rm -f core conftest.err conftest.$ac=5Fobjext conftest.$ac=5Fext
 -+=09=09fi
 -+
 -+
 -+fi
 -+
 -+
 -=20
 -=20
 -=20
 -@@ -30135,6 +30215,7 @@
 - echo "                 Smartcard support: $SCARD=5FMSG"
 - echo "                     S/KEY support: $SKEY=5FMSG"
 - echo "              TCP Wrappers support: $TCPW=5FMSG"
 -+echo "                      LDAP support: $LDAP=5FMSG"
 - echo "              MD5 password support: $MD5=5FMSG"
 - echo "                   libedit support: $LIBEDIT=5FMSG"
 - echo "  Solaris process contract support: $SPC=5FMSG"
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' configure.ac configure=
 .ac
 ---- configure.ac=092008-07-09 04:07:19.000000000 -0700
 -+++ configure.ac=092008-08-23 15:02:47.000000000 -0700
 -@@ -1299,6 +1299,37 @@
 - =09esac ]
 - )
 -=20
 -+# Check whether user wants LDAP support
 -+LDAP=5FMSG=3D"no"
 -+AC=5FARG=5FWITH(ldap,
 -+=09[  --with-ldap[[=3DPATH]]      Enable LDAP pubkey support (optiona=
 lly in PATH)],
 -+=09[
 -+=09=09if test "x$withval" !=3D "xno" ; then
 -+
 -+=09=09=09if test "x$withval" !=3D "xyes" ; then
 -+=09=09=09=09CPPFLAGS=3D"$CPPFLAGS -I${withval}/include"
 -+=09=09=09=09LDFLAGS=3D"$LDFLAGS -L${withval}/lib"
 -+=09=09=09fi
 -+
 -+=09=09=09AC=5FDEFINE([WITH=5FLDAP=5FPUBKEY], 1, [Enable LDAP pubkey s=
 upport])
 -+=09=09=09LIBS=3D"-lldap $LIBS"
 -+=09=09=09LDAP=5FMSG=3D"yes"
 -+=09
 -+=09=09=09AC=5FMSG=5FCHECKING([for LDAP support])
 -+=09=09=09AC=5FTRY=5FCOMPILE(
 -+=09=09=09=09[#include <sys/types.h>
 -+=09=09=09=09 #include <ldap.h>],
 -+=09=09=09=09[(void)ldap=5Finit(0, 0);],
 -+=09=09=09=09[AC=5FMSG=5FRESULT(yes)],
 -+=09=09=09=09[
 -+=09=09=09=09    AC=5FMSG=5FRESULT(no)=20
 -+=09=09=09=09=09AC=5FMSG=5FERROR([** Incomplete or missing ldap librar=
 ies **])
 -+=09=09=09=09]
 -+        =09)
 -+=09=09fi
 -+=09]
 -+)
 -+
 - dnl    Checks for library functions. Please keep in alphabetical orde=
 r
 - AC=5FCHECK=5FFUNCS( \
 - =09arc4random \
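Review bot: the `AC_TRY_COMPILE` check in the removed configure.ac block only compiles `(void)ldap_init(0, 0);`, so a present `<ldap.h>` with a missing LDAP library passes the check and the `** Incomplete or missing ldap libraries **` error never fires; the failure would only surface at link time. `LIBS="-lldap $LIBS"` is also added unconditionally before the check runs. Moot for this deletion, but a replacement should use a link test (`AC_CHECK_LIB` or `AC_TRY_LINK`) so the error message matches what is actually verified.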
 -@@ -4137,6 +4168,7 @@
 - echo "                 Smartcard support: $SCARD=5FMSG"
 - echo "                     S/KEY support: $SKEY=5FMSG"
 - echo "              TCP Wrappers support: $TCPW=5FMSG"
 -+echo "                      LDAP support: $LDAP=5FMSG"
 - echo "              MD5 password support: $MD5=5FMSG"
 - echo "                   libedit support: $LIBEDIT=5FMSG"
 - echo "  Solaris process contract support: $SPC=5FMSG"
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' ldapauth.c ldapauth.c
 ---- ldapauth.c=091969-12-31 16:00:00.000000000 -0800
 -+++ ldapauth.c=092008-08-23 15:02:47.000000000 -0700
 -@@ -0,0 +1,575 @@
 -+/*=20
 -+ * $Id: openssh-lpk-4.3p1-0.3.7.patch,v 1.3 2006/04/18 15:29:09 eau E=
 xp $
 -+ */
 -+
 -+/*
 -+ *
 -+ * Copyright (c) 2005, Eric AUGE <eau at phear.org>
 -+ * All rights reserved.
 -+ *
 -+ * Redistribution and use in source and binary forms, with or without=
  modification, are permitted provided that the following conditions are=
  met:
 -+ *
 -+ * Redistributions of source code must retain the above copyright not=
 ice, this list of conditions and the following disclaimer.
 -+ * Redistributions in binary form must reproduce the above copyright =
 notice, this list of conditions and the following disclaimer in the doc=
 umentation and/or other materials provided with the distribution.
 -+ * Neither the name of the phear.org nor the names of its contributor=
 s may be used to endorse or promote products derived from this software=
  without specific prior written permission.
 -+ *
 -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTOR=
 S "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,=20
 -+ * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND =
 FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.=20
 -+ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FO=
 R ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,=20
 -+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREME=
 NT OF SUBSTITUTE GOODS OR SERVICES;=20
 -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER C=
 AUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI=
 LITY,=20
 -+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT=
  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUC=
 H DAMAGE.
 -+ *
 -+ *
 -+ */
 -+
 -+#include "includes.h"
 -+
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+
 -+#include <stdio.h>
 -+#include <stdlib.h>
 -+#include <unistd.h>
 -+#include <string.h>
 -+
 -+#include "ldapauth.h"
 -+#include "log.h"
 -+
 -+static char *attrs[] =3D {
 -+    PUBKEYATTR,
 -+    NULL
 -+};
 -+
 -+/* filter building infos */
 -+#define FILTER=5FGROUP=5FPREFIX "(&(objectclass=3DposixGroup)"
 -+#define FILTER=5FOR=5FPREFIX "(|"
 -+#define FILTER=5FOR=5FSUFFIX ")"
 -+#define FILTER=5FCN=5FPREFIX "(cn=3D"
 -+#define FILTER=5FCN=5FSUFFIX ")"
 -+#define FILTER=5FUID=5FFORMAT "(memberUid=3D%s)"
 -+#define FILTER=5FGROUP=5FSUFFIX ")"
 -+#define FILTER=5FGROUP=5FSIZE(group) (size=5Ft) (strlen(group)+(ldap=5F=
 count=5Fgroup(group)*5)+52)
 -+
 -+/* just filter building stuff */
 -+#define REQUEST=5FGROUP=5FSIZE(filter, uid) (size=5Ft) (strlen(filter=
 )+strlen(uid)+1)
 -+#define REQUEST=5FGROUP(buffer, prefilter, pwname) \
 -+    buffer =3D (char *) calloc(REQUEST=5FGROUP=5FSIZE(prefilter, pwna=
 me), sizeof(char)); \
 -+    if (!buffer) { \
 -+        perror("calloc()"); \
 -+        return FAILURE; \
 -+    } \
 -+    snprintf(buffer, REQUEST=5FGROUP=5FSIZE(prefilter,pwname), prefil=
 ter, pwname)
 -+/*
 -+XXX OLD group building macros
 -+#define REQUEST=5FGROUP=5FSIZE(grp, uid) (size=5Ft) (strlen(grp)+strl=
 en(uid)+46)
 -+#define REQUEST=5FGROUP(buffer,pwname,grp) \
 -+    buffer =3D (char *) calloc(REQUEST=5FGROUP=5FSIZE(grp, pwname), s=
 izeof(char)); \
 -+    if (!buffer) { \
 -+        perror("calloc()"); \
 -+        return FAILURE; \
 -+    } \
 -+    snprintf(buffer,REQUEST=5FGROUP=5FSIZE(grp,pwname),"(&(objectclas=
 s=3DposixGroup)(cn=3D%s)(memberUid=3D%s))",grp,pwname)
 -+    */
 -+
 -+/*
 -+XXX stock upstream version without extra filter support
 -+#define REQUEST=5FUSER=5FSIZE(uid) (size=5Ft) (strlen(uid)+64)
 -+#define REQUEST=5FUSER(buffer, pwname) \
 -+    buffer =3D (char *) calloc(REQUEST=5FUSER=5FSIZE(pwname), sizeof(=
 char)); \
 -+    if (!buffer) { \
 -+        perror("calloc()"); \
 -+        return NULL; \
 -+    } \
 -+    snprintf(buffer,REQUEST=5FUSER=5FSIZE(pwname),"(&(objectclass=3Dp=
 osixAccount)(objectclass=3DldapPublicKey)(uid=3D%s))",pwname)
 -+   */
 -+
 -+#define REQUEST=5FUSER=5FSIZE(uid, filter) (size=5Ft) (strlen(uid)+64=
 +(filter !=3D NULL =3F strlen(filter) : 0))
 -+#define REQUEST=5FUSER(buffer, pwname, customfilter) \
 -+    buffer =3D (char *) calloc(REQUEST=5FUSER=5FSIZE(pwname, customfi=
 lter), sizeof(char)); \
 -+    if (!buffer) { \
 -+        perror("calloc()"); \
 -+        return NULL; \
 -+    } \
 -+    snprintf(buffer, REQUEST=5FUSER=5FSIZE(pwname, customfilter), \
 -+    =09"(&(objectclass=3DposixAccount)(objectclass=3DldapPublicKey)(u=
 id=3D%s)%s)", \
 -+=09pwname, (customfilter !=3D NULL =3F customfilter : ""))
 -+
 -+/* some portable and working tokenizer, lame though */
 -+static int tokenize(char ** o, size=5Ft size, char * input) {
 -+    unsigned int i =3D 0, num;
 -+    const char * charset =3D " \t";
 -+    char * ptr =3D input;
 -+
 -+    /* leading white spaces are ignored */
 -+    num =3D strspn(ptr, charset);
 -+    ptr +=3D num;
 -+
 -+    while ((num =3D strcspn(ptr, charset))) {
 -+        if (i < size-1) {
 -+            o[i++] =3D ptr;
 -+            ptr +=3D num;
 -+            if (*ptr)
 -+                *ptr++ =3D '\0';
 -+        }
 -+    }
 -+    o[i] =3D NULL;
 -+    return SUCCESS;
 -+}
 -+
 -+void ldap=5Fclose(ldap=5Fopt=5Ft * ldap) {
 -+
 -+    if (!ldap)
 -+        return;
 -+
 -+    if ( ldap=5Funbind=5Fext(ldap->ld, NULL, NULL) < 0)
 -+=09ldap=5Fperror(ldap->ld, "ldap=5Funbind()");
 -+
 -+    ldap->ld =3D NULL;
 -+    FLAG=5FSET=5FDISCONNECTED(ldap->flags);
 -+
 -+    return;
 -+}
 -+
 -+/* init && bind */
 -+int ldap=5Fconnect(ldap=5Fopt=5Ft * ldap) {
 -+    int version =3D LDAP=5FVERSION3;
 -+
 -+    if (!ldap->servers)
 -+        return FAILURE;
 -+
 -+    /* Connection Init and setup */
 -+    ldap->ld =3D ldap=5Finit(ldap->servers, LDAP=5FPORT);
 -+    if (!ldap->ld) {
 -+        ldap=5Fperror(ldap->ld, "ldap=5Finit()");
 -+        return FAILURE;
 -+    }
 -+
 -+    if ( ldap=5Fset=5Foption(ldap->ld, LDAP=5FOPT=5FPROTOCOL=5FVERSIO=
 N, &version) !=3D LDAP=5FOPT=5FSUCCESS) {
 -+        ldap=5Fperror(ldap->ld, "ldap=5Fset=5Foption(LDAP=5FOPT=5FPRO=
 TOCOL=5FVERSION)");
 -+        return FAILURE;
 -+    }
 -+
 -+    /* Timeouts setup */
 -+    if (ldap=5Fset=5Foption(ldap->ld, LDAP=5FOPT=5FNETWORK=5FTIMEOUT,=
  &ldap->b=5Ftimeout) !=3D LDAP=5FSUCCESS) {
 -+        ldap=5Fperror(ldap->ld, "ldap=5Fset=5Foption(LDAP=5FOPT=5FNET=
 WORK=5FTIMEOUT)");
 -+    }
 -+    if (ldap=5Fset=5Foption(ldap->ld, LDAP=5FOPT=5FTIMEOUT, &ldap->s=5F=
 timeout) !=3D LDAP=5FSUCCESS) {
 -+        ldap=5Fperror(ldap->ld, "ldap=5Fset=5Foption(LDAP=5FOPT=5FTIM=
 EOUT)");
 -+    }
 -+
 -+    /* TLS support */
 -+    if ( (ldap->tls =3D=3D -1) || (ldap->tls =3D=3D 1) ) {
 -+        if (ldap=5Fstart=5Ftls=5Fs(ldap->ld, NULL, NULL ) !=3D LDAP=5F=
 SUCCESS) {
 -+            /* failed then reinit the initial connect */
 -+            ldap=5Fperror(ldap->ld, "ldap=5Fconnect: (TLS) ldap=5Fsta=
 rt=5Ftls()");
 -+            if (ldap->tls =3D=3D 1)
 -+                return FAILURE;
 -+
 -+            ldap->ld =3D ldap=5Finit(ldap->servers, LDAP=5FPORT);
 -+            if (!ldap->ld) {=20
 -+                ldap=5Fperror(ldap->ld, "ldap=5Finit()");
 -+                return FAILURE;
 -+            }
 -+
 -+            if ( ldap=5Fset=5Foption(ldap->ld, LDAP=5FOPT=5FPROTOCOL=5F=
 VERSION, &version) !=3D LDAP=5FOPT=5FSUCCESS) {
 -+                 ldap=5Fperror(ldap->ld, "ldap=5Fset=5Foption()");
 -+                 return FAILURE;
 -+            }
 -+        }
 -+    }
 -+
 -+
 -+    if ( ldap=5Fsimple=5Fbind=5Fs(ldap->ld, ldap->binddn, ldap->bindp=
 w) !=3D LDAP=5FSUCCESS) {
 -+        ldap=5Fperror(ldap->ld, "ldap=5Fsimple=5Fbind=5Fs()");
 -+        return FAILURE;
 -+    }
 -+
 -+    /* says it is connected */
 -+    FLAG=5FSET=5FCONNECTED(ldap->flags);
 -+
 -+    return SUCCESS;
 -+}
 -+
 -+/* must free allocated ressource */
 -+static char * ldap=5Fbuild=5Fhost(char *host, int port) {
 -+    unsigned int size =3D strlen(host)+11;
 -+    char * h =3D (char *) calloc (size, sizeof(char));
 -+    int rc;
 -+    if (!h)
 -+         return NULL;
 -+
 -+    rc =3D snprintf(h, size, "%s:%d ", host, port);
 -+    if (rc =3D=3D -1)
 -+        return NULL;
 -+    return h;
 -+}
 -+
 -+static int ldap=5Fcount=5Fgroup(const char * input) {
 -+    const char * charset =3D " \t";
 -+    const char * ptr =3D input;
 -+    unsigned int count =3D 0;
 -+    unsigned int num;
 -+
 -+    num =3D strspn(ptr, charset);
 -+    ptr +=3D num;
 -+
 -+    while ((num =3D strcspn(ptr, charset))) {
 -+    count++;
 -+    ptr +=3D num;
 -+    ptr++;
 -+    }
 -+
 -+    return count;
 -+}
 -+
 -+/* format filter */
 -+char * ldap=5Fparse=5Fgroups(const char * groups) {
 -+    unsigned int buffer=5Fsize =3D FILTER=5FGROUP=5FSIZE(groups);
 -+    char * buffer =3D (char *) calloc(buffer=5Fsize, sizeof(char));
 -+    char * g =3D NULL;
 -+    char * garray[32];
 -+    unsigned int i =3D 0;
 -+
 -+    if ((!groups)||(!buffer))
 -+        return NULL;
 -+
 -+    g =3D strdup(groups);
 -+    if (!g) {
 -+        free(buffer);
 -+        return NULL;
 -+    }
 -+
 -+    /* first separate into n tokens */
 -+    if ( tokenize(garray, sizeof(garray)/sizeof(*garray), g) < 0) {
 -+        free(g);
 -+        free(buffer);
 -+        return NULL;
 -+    }
 -+
 -+    /* build the final filter format */
 -+    strlcat(buffer, FILTER=5FGROUP=5FPREFIX, buffer=5Fsize);
 -+    strlcat(buffer, FILTER=5FOR=5FPREFIX, buffer=5Fsize);
 -+    i =3D 0;
 -+    while (garray[i]) {
 -+        strlcat(buffer, FILTER=5FCN=5FPREFIX, buffer=5Fsize);
 -+        strlcat(buffer, garray[i], buffer=5Fsize);
 -+        strlcat(buffer, FILTER=5FCN=5FSUFFIX, buffer=5Fsize);
 -+        i++;
 -+    }
 -+    strlcat(buffer, FILTER=5FOR=5FSUFFIX, buffer=5Fsize);
 -+    strlcat(buffer, FILTER=5FUID=5FFORMAT, buffer=5Fsize);
 -+    strlcat(buffer, FILTER=5FGROUP=5FSUFFIX, buffer=5Fsize);
 -+
 -+    free(g);
 -+    return buffer;
 -+}
 -+
 -+/* a bit dirty but leak free  */
 -+char * ldap=5Fparse=5Fservers(const char * servers) {
 -+    char * s =3D NULL;
 -+    char * tmp =3D NULL, *urls[32];
 -+    unsigned int num =3D 0 , i =3D 0 , asize =3D 0;
 -+    LDAPURLDesc *urld[32];
 -+
 -+    if (!servers)
 -+        return NULL;
 -+
 -+    /* local copy of the arg */
 -+    s =3D strdup(servers);
 -+    if (!s)
 -+        return NULL;
 -+
 -+    /* first separate into URL tokens */
 -+    if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0)
 -+        return NULL;
 -+
 -+    i =3D 0;
 -+    while (urls[i]) {
 -+        if (! ldap=5Fis=5Fldap=5Furl(urls[i]) ||
 -+           (ldap=5Furl=5Fparse(urls[i], &urld[i]) !=3D 0)) {
 -+                return NULL;
 -+        }
 -+        i++;
 -+    }
 -+
 -+    /* now free(s) */
 -+    free (s);
 -+
 -+    /* how much memory do we need */
 -+    num =3D i;
 -+    for (i =3D 0 ; i < num ; i++)
 -+        asize +=3D strlen(urld[i]->lud=5Fhost)+11;
 -+
 -+    /* alloc */
 -+    s =3D (char *) calloc( asize+1 , sizeof(char));
 -+    if (!s) {
 -+        for (i =3D 0 ; i < num ; i++)
 -+            ldap=5Ffree=5Furldesc(urld[i]);
 -+        return NULL;
 -+    }
 -+
 -+    /* then build the final host string */
 -+    for (i =3D 0 ; i < num ; i++) {
 -+        /* built host part */
 -+        tmp =3D ldap=5Fbuild=5Fhost(urld[i]->lud=5Fhost, urld[i]->lud=
 =5Fport);
 -+        strncat(s, tmp, strlen(tmp));
 -+        ldap=5Ffree=5Furldesc(urld[i]);
 -+        free(tmp);
 -+    }
 -+
 -+    return s;
 -+}
 -+
 -+void ldap=5Foptions=5Fprint(ldap=5Fopt=5Ft * ldap) {
 -+    debug("ldap options:");
 -+    debug("servers: %s", ldap->servers);
 -+    if (ldap->u=5Fbasedn)
 -+        debug("user basedn: %s", ldap->u=5Fbasedn);
 -+    if (ldap->g=5Fbasedn)
 -+        debug("group basedn: %s", ldap->g=5Fbasedn);
 -+    if (ldap->binddn)
 -+        debug("binddn: %s", ldap->binddn);
 -+    if (ldap->bindpw)
 -+        debug("bindpw: %s", ldap->bindpw);
 -+    if (ldap->sgroup)
 -+        debug("group: %s", ldap->sgroup);
 -+    if (ldap->filter)
 -+        debug("filter: %s", ldap->filter);
 -+}
 -+
 -+void ldap=5Foptions=5Ffree(ldap=5Fopt=5Ft * l) {
 -+    if (!l)
 -+        return;
 -+    if (l->servers)
 -+        free(l->servers);
 -+    if (l->u=5Fbasedn)
 -+        free(l->u=5Fbasedn);
 -+    if (l->g=5Fbasedn)
 -+        free(l->g=5Fbasedn);
 -+    if (l->binddn)
 -+        free(l->binddn);
 -+    if (l->bindpw)
 -+        free(l->bindpw);
 -+    if (l->sgroup)
 -+        free(l->sgroup);
 -+    if (l->fgroup)
 -+        free(l->fgroup);
 -+    if (l->filter)
 -+        free(l->filter);
 -+    if (l->l=5Fconf)
 -+        free(l->l=5Fconf);
 -+    free(l);
 -+}
 -+
 -+/* free keys */
 -+void ldap=5Fkeys=5Ffree(ldap=5Fkey=5Ft * k) {
 -+    ldap=5Fvalue=5Ffree=5Flen(k->keys);
 -+    free(k);
 -+    return;
 -+}
 -+
 -+ldap=5Fkey=5Ft * ldap=5Fgetuserkey(ldap=5Fopt=5Ft *l, const char * us=
 er) {
 -+    ldap=5Fkey=5Ft * k =3D (ldap=5Fkey=5Ft *) calloc (1, sizeof(ldap=5F=
 key=5Ft));
 -+    LDAPMessage *res, *e;
 -+    char * filter;
 -+    int i;
 -+
 -+    if ((!k) || (!l))
 -+         return NULL;
 -+
 -+    /* Am i still connected =3F RETRY n times */
 -+    /* XXX TODO: setup some conf value for retrying */
 -+    if (!(l->flags & FLAG=5FCONNECTED))
 -+        for (i =3D 0 ; i < 2 ; i++)
 -+            if (ldap=5Fconnect(l) =3D=3D 0)
 -+                break;
 -+
 -+    /* quick check for attempts to be evil */
 -+    if ((strchr(user, '(') !=3D NULL) || (strchr(user, ')') !=3D NULL=
 ) ||
 -+        (strchr(user, '*') !=3D NULL) || (strchr(user, '\\') !=3D NUL=
 L))
 -+        return NULL;
 -+
 -+    /* build  filter for LDAP request */
 -+    REQUEST=5FUSER(filter, user, l->filter);
 -+
 -+    if ( ldap=5Fsearch=5Fst( l->ld,
 -+        l->u=5Fbasedn,
 -+        LDAP=5FSCOPE=5FSUBTREE,
 -+        filter,
 -+        attrs, 0, &l->s=5Ftimeout, &res ) !=3D LDAP=5FSUCCESS) {
 -+       =20
 -+        ldap=5Fperror(l->ld, "ldap=5Fsearch=5Fst()");
 -+
 -+        free(filter);
 -+        free(k);
 -+
 -+        /* XXX error on search, timeout etc.. close ask for reconnect=
  */
 -+        ldap=5Fclose(l);
 -+
 -+        return NULL;
 -+    }=20
 -+
 -+    /* free */
 -+    free(filter);
 -+
 -+    /* check if any results */
 -+    i =3D ldap=5Fcount=5Fentries(l->ld,res);
 -+    if (i <=3D 0) {
 -+        ldap=5Fmsgfree(res);
 -+        free(k);
 -+        return NULL;
 -+    }
 -+
 -+    if (i > 1)
 -+        debug("[LDAP] duplicate entries, using the FIRST entry return=
 ed");
 -+
 -+    e =3D ldap=5Ffirst=5Fentry(l->ld, res);
 -+    k->keys =3D ldap=5Fget=5Fvalues=5Flen(l->ld, e, PUBKEYATTR);
 -+    k->num =3D ldap=5Fcount=5Fvalues=5Flen(k->keys);
 -+
 -+    ldap=5Fmsgfree(res);
 -+    return k;
 -+}
 -+
 -+
 -+/* -1 if trouble
 -+   0 if user is NOT member of current server group
 -+   1 if user IS MEMBER of current server group=20
 -+ */
 -+int ldap=5Fismember(ldap=5Fopt=5Ft * l, const char * user) {
 -+    LDAPMessage *res;
 -+    char * filter;
 -+    int i;
 -+
 -+    if ((!l->sgroup) || !(l->g=5Fbasedn))
 -+        return 1;
 -+
 -+    /* Am i still connected =3F RETRY n times */
 -+    /* XXX TODO: setup some conf value for retrying */
 -+    if (!(l->flags & FLAG=5FCONNECTED))=20
 -+        for (i =3D 0 ; i < 2 ; i++)
 -+            if (ldap=5Fconnect(l) =3D=3D 0)
 -+                 break;
 -+
 -+    /* quick check for attempts to be evil */
 -+    if ((strchr(user, '(') !=3D NULL) || (strchr(user, ')') !=3D NULL=
 ) ||
 -+        (strchr(user, '*') !=3D NULL) || (strchr(user, '\\') !=3D NUL=
 L))
 -+        return FAILURE;
 -+
 -+    /* build filter for LDAP request */
 -+    REQUEST=5FGROUP(filter, l->fgroup, user);
 -+
 -+    if (ldap=5Fsearch=5Fst( l->ld,=20
 -+        l->g=5Fbasedn,
 -+        LDAP=5FSCOPE=5FSUBTREE,
 -+        filter,
 -+        NULL, 0, &l->s=5Ftimeout, &res) !=3D LDAP=5FSUCCESS) {
 -+   =20
 -+        ldap=5Fperror(l->ld, "ldap=5Fsearch=5Fst()");
 -+
 -+        free(filter);
 -+
 -+        /* XXX error on search, timeout etc.. close ask for reconnect=
  */
 -+        ldap=5Fclose(l);
 -+
 -+        return FAILURE;
 -+    }
 -+
 -+    free(filter);
 -+
 -+    /* check if any results */
 -+    if (ldap=5Fcount=5Fentries(l->ld, res) > 0) {
 -+        ldap=5Fmsgfree(res);
 -+        return 1;
 -+    }
 -+
 -+    ldap=5Fmsgfree(res);
 -+    return 0;
 -+}
 -+
 -+/*
 -+ * ldap.conf simple parser
 -+ * XXX TODO:  sanity checks
 -+ * must either
 -+ * - free the previous ldap=5Fopt=5Fbefore replacing entries
 -+ * - free each necessary previously parsed elements
 -+ * ret:
 -+ * -1 on FAILURE, 0 on SUCCESS
 -+ */
 -+int ldap=5Fparse=5Flconf(ldap=5Fopt=5Ft * l) {
 -+    FILE * lcd; /* ldap.conf descriptor */
 -+    char buf[BUFSIZ];
 -+    char * s =3D NULL, * k =3D NULL, * v =3D NULL;
 -+    int li, len;
 -+
 -+    lcd =3D fopen (l->l=5Fconf, "r");
 -+    if (lcd =3D=3D NULL) {
 -+        /* debug("Cannot open %s", l->l=5Fconf); */
 -+        perror("ldap=5Fparse=5Flconf()");
 -+        return FAILURE;
 -+    }
 -+   =20
 -+    while (fgets (buf, sizeof (buf), lcd) !=3D NULL) {
 -+
 -+        if (*buf =3D=3D '\n' || *buf =3D=3D '#')
 -+            continue;
 -+
 -+        k =3D buf;
 -+        v =3D k;
 -+        while (*v !=3D '\0' && *v !=3D ' ' && *v !=3D '\t')
 -+            v++;
 -+
 -+        if (*v =3D=3D '\0')
 -+            continue;
 -+
 -+        *(v++) =3D '\0';
 -+
 -+        while (*v =3D=3D ' ' || *v =3D=3D '\t')
 -+            v++;
 -+
 -+        li =3D strlen (v) - 1;
 -+        while (v[li] =3D=3D ' ' || v[li] =3D=3D '\t' || v[li] =3D=3D =
 '\n')
 -+            --li;
 -+        v[li + 1] =3D '\0';
 -+
 -+        if (!strcasecmp (k, "uri")) {
 -+            if ((l->servers =3D ldap=5Fparse=5Fservers(v)) =3D=3D NUL=
 L) {
 -+                fatal("error in ldap servers");
 -+            return FAILURE;
 -+            }
 -+
 -+        }
 -+        else if (!strcasecmp (k, "base")) {=20
 -+            s =3D strchr (v, '=3F');
 -+            if (s !=3D NULL) {
 -+                len =3D s - v;
 -+                l->u=5Fbasedn =3D malloc (len + 1);
 -+                strncpy (l->u=5Fbasedn, v, len);
 -+                l->u=5Fbasedn[len] =3D '\0';
 -+            } else {
 -+                l->u=5Fbasedn =3D strdup (v);
 -+            }
 -+        }
 -+        else if (!strcasecmp (k, "binddn")) {
 -+            l->binddn =3D strdup (v);
 -+        }
 -+        else if (!strcasecmp (k, "bindpw")) {
 -+            l->bindpw =3D strdup (v);
 -+        }
 -+        else if (!strcasecmp (k, "timelimit")) {
 -+            l->s=5Ftimeout.tv=5Fsec =3D atoi (v);
 -+                }
 -+        else if (!strcasecmp (k, "bind=5Ftimelimit")) {
 -+            l->b=5Ftimeout.tv=5Fsec =3D atoi (v);
 -+        }
 -+        else if (!strcasecmp (k, "ssl")) {
 -+            if (!strcasecmp (v, "start=5Ftls"))
 -+                l->tls =3D 1;
 -+        }
 -+    }
 -+
 -+    fclose (lcd);
 -+    return SUCCESS;
 -+}
 -+
 -+#endif /* WITH=5FLDAP=5FPUBKEY */
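 Review bot: ldap_options_print() writes the bind password to the debug log ("bindpw: %s", ldap->bindpw), so running sshd with -d or a raised LogLevel discloses the directory credential; if a replacement for this local copy is ever maintained here, that line should log only whether a password is set. Other points in the same removed file worth keeping on the checklist: ldap_parse_servers() returns NULL on tokenize() failure and on ldap_url_parse() failure without freeing s (and, in the second case, without releasing the urld[] descriptors already parsed); ldap_getuserkey() and ldap_ismember() go on to call ldap_search_st() on l->ld even when both ldap_connect() retries fail; in ldap_parse_lconf() the "return FAILURE;" after fatal("error in ldap servers") is unreachable and mis-indented, the malloc() for u_basedn is unchecked, and the trailing-whitespace trim ("while (v[li] == ' ' ... ) --li;") has no lower bound on li, so a value that is entirely whitespace walks backwards past the start of v.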
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' ldapauth.h ldapauth.h
 ---- ldapauth.h=091969-12-31 16:00:00.000000000 -0800
 -+++ ldapauth.h=092008-08-23 15:02:47.000000000 -0700
 -@@ -0,0 +1,124 @@
 -+/*
 -+ * $Id: openssh-lpk-4.3p1-0.3.7.patch,v 1.3 2006/04/18 15:29:09 eau E=
 xp $=20
 -+ */
 -+
 -+/*
 -+ *
 -+ * Copyright (c) 2005, Eric AUGE <eau at phear.org>
 -+ * All rights reserved.
 -+ *
 -+ * Redistribution and use in source and binary forms, with or without=
  modification, are permitted provided that the following conditions are=
  met:
 -+ *
 -+ * Redistributions of source code must retain the above copyright not=
 ice, this list of conditions and the following disclaimer.
 -+ * Redistributions in binary form must reproduce the above copyright =
 notice, this list of conditions and the following disclaimer in the doc=
 umentation and/or other materials provided with the distribution.
 -+ * Neither the name of the phear.org nor the names of its contributor=
 s may be used to endorse or promote products derived from this software=
  without specific prior written permission.
 -+ *
 -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTOR=
 S "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,=20
 -+ * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND =
 FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.=20
 -+ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FO=
 R ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,=20
 -+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREME=
 NT OF SUBSTITUTE GOODS OR SERVICES;=20
 -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER C=
 AUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABI=
 LITY,=20
 -+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT=
  OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUC=
 H DAMAGE.
 -+ *
 -+ *
 -+ */
 -+
 -+#ifndef LDAPAUTH=5FH
 -+#define LDAPAUTH=5FH
 -+
 -+#define LDAP=5FDEPRECATED 1
 -+
 -+#include <string.h>
 -+#include <time.h>
 -+#include <ldap.h>
 -+#include <lber.h>
 -+
 -+/* tokens in use for config */
 -+#define =5FDEFAULT=5FLPK=5FTOKEN "UseLPK"
 -+#define =5FDEFAULT=5FSRV=5FTOKEN "LpkServers"
 -+#define =5FDEFAULT=5FUSR=5FTOKEN "LpkUserDN"
 -+#define =5FDEFAULT=5FGRP=5FTOKEN "LpkGroupDN"
 -+#define =5FDEFAULT=5FBDN=5FTOKEN "LpkBindDN"
 -+#define =5FDEFAULT=5FBPW=5FTOKEN "LpkBindPw"
 -+#define =5FDEFAULT=5FMYG=5FTOKEN "LpkServerGroup"
 -+#define =5FDEFAULT=5FFIL=5FTOKEN "LpkFilter"
 -+#define =5FDEFAULT=5FTLS=5FTOKEN "LpkForceTLS"
 -+#define =5FDEFAULT=5FBTI=5FTOKEN "LpkBindTimelimit"
 -+#define =5FDEFAULT=5FSTI=5FTOKEN "LpkSearchTimelimit"
 -+#define =5FDEFAULT=5FLDP=5FTOKEN "LpkLdapConf"
 -+
 -+/* default options */
 -+#define =5FDEFAULT=5FLPK=5FON 0
 -+#define =5FDEFAULT=5FLPK=5FSERVERS NULL
 -+#define =5FDEFAULT=5FLPK=5FUDN NULL
 -+#define =5FDEFAULT=5FLPK=5FGDN NULL
 -+#define =5FDEFAULT=5FLPK=5FBINDDN NULL
 -+#define =5FDEFAULT=5FLPK=5FBINDPW NULL
 -+#define =5FDEFAULT=5FLPK=5FSGROUP NULL
 -+#define =5FDEFAULT=5FLPK=5FFILTER NULL
 -+#define =5FDEFAULT=5FLPK=5FTLS -1
 -+#define =5FDEFAULT=5FLPK=5FBTIMEOUT 10
 -+#define =5FDEFAULT=5FLPK=5FSTIMEOUT 10
 -+#define =5FDEFAULT=5FLPK=5FLDP NULL
 -+
 -+/* flags */
 -+#define FLAG=5FEMPTY=09    0x00000000
 -+#define FLAG=5FCONNECTED=09    0x00000001
 -+
 -+/* flag macros */
 -+#define FLAG=5FSET=5FEMPTY(x)=09=09x&=3D(FLAG=5FEMPTY)
 -+#define FLAG=5FSET=5FCONNECTED(x)=09=09x|=3D(FLAG=5FCONNECTED)
 -+#define FLAG=5FSET=5FDISCONNECTED(x)=09x&=3D~(FLAG=5FCONNECTED)
 -+
 -+/* defines */
 -+#define FAILURE -1
 -+#define SUCCESS 0
 -+#define PUBKEYATTR "sshPublicKey"
 -+
 -+/*=20
 -+ *
 -+ * defined files path=20
 -+ * (should be relocated to pathnames.h,
 -+ * if one day it's included within the tree)=20
 -+ *
 -+ */
 -+#define =5FPATH=5FLDAP=5FCONFIG=5FFILE "/etc/ldap.conf"
 -+
 -+/* structures */
 -+typedef struct ldap=5Foptions {
 -+    int on;=09=09=09/* Use it or NOT */
 -+    LDAP * ld;=09=09=09/* LDAP file desc */
 -+    char * servers;=09=09/* parsed servers for ldaplib failover handl=
 ing */
 -+    char * u=5Fbasedn;=09=09/* user basedn */
 -+    char * g=5Fbasedn;=09=09/* group basedn */
 -+    char * binddn;=09=09/* binddn */
 -+    char * bindpw;=09=09/* bind password */
 -+    char * sgroup;=09=09/* server group */
 -+    char * fgroup;=09=09/* group filter */
 -+    char * filter;=09=09/* additional filter */
 -+    char * l=5Fconf;=09=09/* use ldap.conf */
 -+    int tls;=09=09=09/* TLS only */
 -+    struct timeval b=5Ftimeout;   /* bind timeout */
 -+    struct timeval s=5Ftimeout;   /* search timeout */
 -+    unsigned int flags;=09=09/* misc flags (reconnection, future use=3F=
 ) */
 -+} ldap=5Fopt=5Ft;
 -+
 -+typedef struct ldap=5Fkeys {
 -+    struct berval ** keys;=09/* the public keys retrieved */
 -+    unsigned int num;=09=09/* number of keys */
 -+} ldap=5Fkey=5Ft;
 -+
 -+
 -+/* function headers */
 -+void ldap=5Fclose(ldap=5Fopt=5Ft *);
 -+int ldap=5Fconnect(ldap=5Fopt=5Ft *);
 -+char * ldap=5Fparse=5Fgroups(const char *);
 -+char * ldap=5Fparse=5Fservers(const char *);
 -+void ldap=5Foptions=5Fprint(ldap=5Fopt=5Ft *);
 -+void ldap=5Foptions=5Ffree(ldap=5Fopt=5Ft *);
 -+void ldap=5Fkeys=5Ffree(ldap=5Fkey=5Ft *);
 -+int ldap=5Fparse=5Flconf(ldap=5Fopt=5Ft *);
 -+ldap=5Fkey=5Ft * ldap=5Fgetuserkey(ldap=5Fopt=5Ft *, const char *);
 -+int ldap=5Fismember(ldap=5Fopt=5Ft *, const char *);
 -+
 -+#endif
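 Review bot: "#define LDAP_DEPRECATED 1" at the top of the header is what keeps the ldap_search_st() and ldap_perror() calls in ldapauth.c compiling against current OpenLDAP, where both are in the deprecated interface set that libldap can be built without; a maintained version of this patch should move to ldap_search_ext_s() and ldap_get_option()/ldap_err2string() rather than rely on the compatibility define. Two smaller points: the _DEFAULT_* macro names (underscore followed by an uppercase letter) fall in the identifier space C reserves for the implementation, and the FLAG_SET_*(x) macros do not parenthesise x, so an argument such as a dereferenced pointer expression would bind incorrectly.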
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' lpk-user-example.txt l=
 pk-user-example.txt
 ---- lpk-user-example.txt=091969-12-31 16:00:00.000000000 -0800
 -+++ lpk-user-example.txt=092008-08-23 15:02:47.000000000 -0700
 -@@ -0,0 +1,117 @@
 -+
 -+Post to ML -> User Made Quick Install Doc.
 -+Contribution from John Lane <john at lane.uk.net>
 -+
 -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
 +++++++
 -+
 -+OpenSSH LDAP keystore Patch
 -+=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D
 -+
 -+NOTE: these notes are a transcript of a specific installation
 -+      they work for me, your specifics may be different!
 -+      from John Lane March 17th 2005         john at lane.uk.net
 -+
 -+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public =
 keys
 -+from their LDAP record as an alternative to ~/.ssh/authorized=5Fkeys.=
 
 -+
 -+(Assuming here that necessary build stuff is in $BUILD)
 -+
 -+cd $BUILD/openssh-4.0p1
 -+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
 -+mkdir -p /var/empty &&
 -+./configure --prefix=3D/usr --sysconfdir=3D/etc/ssh \
 -+    --libexecdir=3D/usr/sbin --with-md5-passwords --with-pam \
 -+    --with-libs=3D"-lldap" --with-cppflags=3D"-DWITH=5FLDAP=5FPUBKEY"=
 
 -+Now do.
 -+make &&
 -+make install
 -+
 -+Add the following config to /etc/ssh/ssh=5Fconfig
 -+UseLPK yes
 -+LpkServers ldap://myhost.mydomain.com
 -+LpkUserDN  ou=3DPeople,dc=3Dmydomain,dc=3Dcom
 -+
 -+We need to tell sshd about the SSL keys during boot, as root's
 -+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
 -+Change the startup code from this:
 -+                echo "Starting SSH Server..."
 -+                loadproc /usr/sbin/sshd
 -+                ;;
 -+to this:
 -+                echo "Starting SSH Server..."
 -+                LDAPRC=3D"/root/.ldaprc" loadproc /usr/sbin/sshd
 -+                ;;
 -+
 -+Re-start the sshd daemon:
 -+/etc/rc.d/init.d/sshd restart
 -+
 -+Install the additional LDAP schema
 -+cp $BUILD/openssh-lpk-0.2.schema  /etc/openldap/schema/openssh.schema=
 
 -+
 -+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
 -+Add the following to the end of the existing block of schema includes=
 
 -+include         /etc/openldap/schema/openssh.schema
 -+
 -+Re-start the LDAP server:
 -+/etc/rc.d/init.d/slapd restart
 -+
 -+To add one or more public keys to a user, eg "testuser" :
 -+ldapsearch -x -W -Z -LLL -b "uid=3Dtestuser,ou=3DPeople,dc=3Dmydomain=
 ,dc=3Dcom" -D
 -+"uid=3Dtestuser,ou=3DPeople,dc=3Dmydomain,dc=3Dcom" > /tmp/testuser
 -+
 -+append the following to this /tmp/testuser file
 -+objectclass: ldapPublicKey
 -+sshPublicKey: ssh-rsa
 -+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kA=
 PxjU9KS
 -+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t8=
 6t+5dlI
 -+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw=3D=3D General Purpose =
 RSA Key
 -+
 -+Then do a modify:
 -+ldapmodify -x -D "uid=3Dtestuser,ou=3DPeople,dc=3Dmydomain,dc=3Dcom" =
 -W -f
 -+/tmp/testuser -Z
 -+Enter LDAP Password:
 -+modifying entry "uid=3Dtestuser,ou=3DPeople,dc=3Dmydomain,dc=3Dcom"
 -+And check the modify is ok:
 -+ldapsearch -x -W -Z -b "uid=3Dtestuser,ou=3DPeople,dc=3Dmydomain,dc=3D=
 com" -D
 -+"uid=3Dtestuser,ou=3DPeople,dc=3Dmydomain,dc=3Dcom"
 -+Enter LDAP Password:
 -+# extended LDIF
 -+#
 -+# LDAPv3
 -+# base <uid=3Dtestuser,ou=3DPeople,dc=3Dmydomain,dc=3Dcom> with scope=
  sub
 -+# filter: (objectclass=3D*)
 -+# requesting: ALL
 -+#
 -+
 -+# testuser, People, mydomain.com
 -+dn: uid=3Dtestuser,ou=3DPeople,dc=3Dmydomain,dc=3Dcom
 -+uid: testuser
 -+cn: testuser
 -+objectClass: account
 -+objectClass: posixAccount
 -+objectClass: top
 -+objectClass: shadowAccount
 -+objectClass: ldapPublicKey
 -+shadowLastChange: 12757
 -+shadowMax: 99999
 -+shadowWarning: 7
 -+loginShell: /bin/bash
 -+uidNumber: 9999
 -+gidNumber: 501
 -+homeDirectory: /home/testuser
 -+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=3D=
 
 -+sshPublicKey: ssh-rsa
 -+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kA=
 PxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
 -+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw=3D=3D=
  General Purpose RSA Key
 -+
 -+# search result
 -+search: 3
 -+result: 0 Success
 -+
 -+# numResponses: 2
 -+# numEntries: 1
 -+
 -+Now start a ssh session to user "testuser" from usual ssh client (e.g=
 =2E
 -+puTTY). Login should succeed.
 -+
 -++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
 +++++++
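 Review bot: the quick-install text tells the reader to add UseLPK, LpkServers and LpkUserDN to /etc/ssh/ssh_config, but these are server-side tokens (the README hunk in this same file lists them as sshd_config options, and servconf.h is what the patch modifies), so they belong in /etc/ssh/sshd_config; followed literally, the daemon never sees them and key lookup silently stays off. The schema step copies "openssh-lpk-0.2.schema", which does not match the openssh-lpk_openldap.schema file shipped by this patch. Finally, the LDAPRC="/root/.ldaprc" wrapper around the sshd start is load-bearing and deserves a sentence: libldap reads its TLS trust settings (TLS_CACERT and friends) from that file, and ldap_parse_lconf() in this patch only parses uri, base, binddn, bindpw, the two timelimits and ssl, so without that environment variable the StartTLS session used for the key lookup runs with whatever trust defaults the library has.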
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' Makefile.in Makefile.i=
 n
 ---- Makefile.in=092008-07-08 07:21:12.000000000 -0700
 -+++ Makefile.in=092008-08-23 15:02:47.000000000 -0700
 -@@ -86,7 +86,7 @@
 - =09auth-krb5.o \
 - =09auth2-gss.o gss-serv.o gss-serv-krb5.o \
 - =09loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 --=09audit.o audit-bsm.o platform.o sftp-server.o sftp-common.o
 -+=09audit.o audit-bsm.o platform.o ldapauth.o sftp-server.o sftp-commo=
 n.o
 -=20
 - MANPAGES=09=3D moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out s=
 sh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.ou=
 t sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd=5Fconfig.5.ou=
 t ssh=5Fconfig.5.out
 - MANPAGES=5FIN=09=3D moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1=
  ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-=
 keysign.8 sshd=5Fconfig.5 ssh=5Fconfig.5
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-lpk=5Fopenldap=
 .schema openssh-lpk=5Fopenldap.schema
 ---- openssh-lpk=5Fopenldap.schema=091969-12-31 16:00:00.000000000 -080=
 0
 -+++ openssh-lpk=5Fopenldap.schema=092008-08-23 15:02:47.000000000 -070=
 0
 -@@ -0,0 +1,19 @@
 -+#
 -+# LDAP Public Key Patch schema for use with openssh-ldappubkey
 -+# Author: Eric AUGE <eau at phear.org>
 -+#=20
 -+# Based on the proposal of : Mark Ruijter
 -+#
 -+
 -+
 -+# octetString SYNTAX
 -+attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'=20=
 
 -+=09DESC 'MANDATORY: OpenSSH Public key'=20
 -+=09EQUALITY octetStringMatch
 -+=09SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 -+
 -+# printableString SYNTAX yes|no
 -+objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP =
 top AUXILIARY
 -+=09DESC 'MANDATORY: OpenSSH LPK objectclass'
 -+=09MUST ( sshPublicKey $ uid )=20
 -+=09)
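 Review bot: the "# printableString SYNTAX yes|no" comment above the objectclass describes neither the objectclass nor the sshPublicKey attribute (which is declared as octetString above it) and should be dropped or corrected. Note also that "MUST ( sshPublicKey $ uid )" means an entry cannot carry ldapPublicKey without at least one key, so removing a user's last key requires removing the objectclass in the same modify, and staging an account before its key exists is not possible; MAY sshPublicKey would avoid both, at the cost of the lookup in ldapauth.c then finding entries with no values (which ldap_count_values_len() already handles).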
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' openssh-lpk=5Fsun.sche=
 ma openssh-lpk=5Fsun.schema
 ---- openssh-lpk=5Fsun.schema=091969-12-31 16:00:00.000000000 -0800
 -+++ openssh-lpk=5Fsun.schema=092008-08-23 15:02:47.000000000 -0700
 -@@ -0,0 +1,21 @@
 -+#
 -+# LDAP Public Key Patch schema for use with openssh-ldappubkey
 -+# Author: Eric AUGE <eau at phear.org>
 -+#=20
 -+# Schema for Sun Directory Server.
 -+# Based on the original schema, modified by Stefan Fischer.
 -+#
 -+
 -+dn: cn=3Dschema
 -+
 -+# octetString SYNTAX
 -+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'=20=
 
 -+=09DESC 'MANDATORY: OpenSSH Public key'=20
 -+=09EQUALITY octetStringMatch
 -+=09SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
 -+
 -+# printableString SYNTAX yes|no
 -+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' S=
 UP top AUXILIARY
 -+=09DESC 'MANDATORY: OpenSSH LPK objectclass'
 -+=09MUST ( sshPublicKey $ uid )=20
 -+=09)
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' README.lpk README.lpk
 ---- README.lpk=091969-12-31 16:00:00.000000000 -0800
 -+++ README.lpk=092008-08-23 15:02:47.000000000 -0700
 -@@ -0,0 +1,267 @@
 -+OpenSSH LDAP PUBLIC KEY PATCH=20
 -+Copyright (c) 2003 Eric AUGE (eau at phear.org)
 -+All rights reserved.
 -+
 -+Redistribution and use in source and binary forms, with or without
 -+modification, are permitted provided that the following conditions
 -+are met:
 -+1. Redistributions of source code must retain the above copyright
 -+   notice, this list of conditions and the following disclaimer.
 -+2. Redistributions in binary form must reproduce the above copyright
 -+   notice, this list of conditions and the following disclaimer in th=
 e
 -+   documentation and/or other materials provided with the distributio=
 n.
 -+3. The name of the author may not be used to endorse or promote produ=
 cts
 -+   derived from this software without specific prior written permissi=
 on.
 -+
 -+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 -+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRAN=
 TIES
 -+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIME=
 D.
 -+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 -+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, =
 BUT
 -+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF =
 USE,
 -+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY=
 
 -+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 -+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE=
  OF
 -+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 -+
 -+purposes of this patch:
 -+
 -+This patch would help to have authentication centralization policy
 -+using ssh public key authentication.
 -+This patch could be an alternative to other "secure" authentication s=
 ystem
 -+working in a similar way (Kerberos, SecurID, etc...), except the fact=
 =20
 -+that it's based on OpenSSH and its public key abilities.
 -+
 -+>> FYI: <<
 -+'uid': means unix accounts existing on the current server
 -+'lpkServerGroup:' mean server group configured on the current server =
 ('lpkServerGroup' in sshd=5Fconfig)
 -+
 -+example schema:
 -+
 -+
 -+                                  server1 (uid: eau,rival,toto) (lpkS=
 erverGroup: unix)
 -+                =5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F      /
 -+               /           \ --- - server3 (uid: eau, titi) (lpkServe=
 rGroup: unix)
 -+              | LDAP Server |    \
 -+=09      | eau  ,rival |     server2 (uid: rival, eau) (lpkServerGrou=
 p: unix)
 -+=09      | titi ,toto  |
 -+=09      | userx,....  |         server5 (uid: eau)  (lpkServerGroup:=
  mail)
 -+               \=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F=5F/ \       /
 -+=09                       ----- - server4 (uid: eau, rival)  (no grou=
 p configured)
 -+=09=09=09             \
 -+=09=09=09=09        etc...
 -+
 -+- WHAT WE NEED :
 -+
 -+  * configured LDAP server somewhere on the network (i.e. OpenLDAP)
 -+  * patched sshd (with this patch ;)
 -+  * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
 -+        User entry:
 -+=09- attached to the 'ldapPublicKey' objectclass
 -+=09- attached to the 'posixAccount' objectclass
 -+=09- with a filled 'sshPublicKey' attribute=20
 -+=09Example:
 -+=09=09dn: uid=3Deau,ou=3Dusers,dc=3Dcuckoos,dc=3Dnet
 -+=09=09objectclass: top
 -+=09=09objectclass: person
 -+=09=09objectclass: organizationalPerson
 -+=09=09objectclass: posixAccount
 -+=09=09objectclass: ldapPublicKey
 -+=09=09description: Eric AUGE Account
 -+=09=09userPassword: blah
 -+=09=09cn: Eric AUGE
 -+=09=09sn: Eric AUGE
 -+=09=09uid: eau
 -+=09=09uidNumber: 1034
 -+=09=09gidNumber: 1
 -+=09=09homeDirectory: /export/home/eau
 -+=09=09sshPublicKey: ssh-dss AAAAB3...
 -+=09=09sshPublicKey: ssh-dss AAAAM5...
 -+
 -+=09Group entry:
 -+=09- attached to the 'posixGroup' objectclass
 -+=09- with a 'cn' groupname attribute
 -+=09- with multiple 'memberUid' attributes filled with usernames allow=
 ed in this group
 -+=09Example:
 -+=09=09# few members
 -+=09=09dn: cn=3Dunix,ou=3Dgroups,dc=3Dcuckoos,dc=3Dnet
 -+=09=09objectclass: top
 -+=09=09objectclass: posixGroup
 -+=09=09description: Unix based servers group
 -+=09=09cn: unix
 -+=09=09gidNumber: 1002
 -+=09=09memberUid: eau
 -+=09=09memberUid: user1
 -+=09=09memberUid: user2
 -+
 -+
 -+- HOW IT WORKS :
 -+
 -+  * without patch
 -+  If a user wants to authenticate to log in a server the sshd, will f=
 irst look for authentication method allowed (RSAauth,kerberos,etc..)
 -+  and if RSAauth and tickets based auth fails, it will fallback to st=
 andard password authentication (if enabled).
 -+
 -+  * with the patch
 -+  If a user want to authenticate to log in a server, the sshd will fi=
 rst look for auth method including LDAP pubkey, if the ldappubkey optio=
 ns is enabled.
 -+  It will do an ldapsearch to get the public key directly from the LD=
 AP instead of reading it from the server filesystem.=20
 -+  (usually in $HOME/.ssh/authorized=5Fkeys)
 -+
 -+  If groups are enabled, it will also check if the user that wants to=
  login is in the group of the server he is trying to log into.
 -+  If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized=
 =5Fkeys), etc.. and finally to standard password authentication (if ena=
 bled).
 -+
 -+  7 tokens are added to sshd=5Fconfig :
 -+  # here is the new patched ldap related tokens
 -+  # entries in your LDAP must be posixAccount & strongAuthenticationU=
 ser & posixGroup
 -+  UseLPK yes=09=09=09=09=09=09=09=09# look the pub key into LDAP
 -+  LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3=09=
 # which LDAP server for users =3F (URL format)
 -+  LpkUserDN  ou=3Dusers,dc=3Dfoobar,dc=3Dnet=09=09=09=09=09# which ba=
 se DN for users =3F
 -+  LpkGroupDN ou=3Dgroups,dc=3Dfoobar,dc=3Dnet=09=09=09=09=09# which b=
 ase DN for groups =3F=20
 -+  LpkBindDN cn=3Dmanager,dc=3Dfoobar,dc=3Dnet=09=09=09=09=09# which b=
 ind DN =3F
 -+  LpkBindPw asecret=09=09=09=09=09=09=09# bind DN credidentials
 -+  LpkServerGroup agroupname=09=09=09=09=09=09# the group the server i=
 s part of
 -+
 -+  Right now i'm using anonymous binding to get public keys, because g=
 etting public keys of someone doesn't impersonate him=B8 but there is s=
 ome
 -+  flaws you have to take care of.
 -+
 -+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
 -+
 -+  * my way (there is plenty :)
 -+  - create ldif file (i.e. users.ldif)
 -+  - cat ~/.ssh/id=5Fdsa.pub OR cat ~/.ssh/id=5Frsa.pub OR cat ~/.ssh/=
 identity.pub
 -+  - my way in 4 steps :
 -+  Example:
 -+
 -+  # you add this to the user entry in the LDIF file :
 -+  [...]
 -+  objectclass: posixAccount
 -+  objectclass: ldapPublicKey
 -+  [...]
 -+  sshPubliKey: ssh-dss AAAABDh12DDUR2...
 -+  [...]
 -+
 -+  # insert your entry and you're done :)
 -+  ldapadd -D balblabla -w bleh < file.ldif=20
 -+ =20
 -+  all standard options can be present in the 'sshPublicKey' attribute=
 =2E
 -+
 -+- WHY :
 -+
 -+  Simply because, i was looking for a way to centralize all sysadmins=
  authentication, easily,  without completely using LDAP=20
 -+  as authentication method (like pam=5Fldap etc..). =20
 -+ =20
 -+  After looking into Kerberos, SecurID, and other centralized secure =
 authentications systems, the use of RSA and LDAP to get=20
 -+  public key for authentication allows us to control who has access t=
 o which server (the user needs an account and to be in 'strongAuthentic=
 ationUser'
 -+  objectclass within LDAP and part of the group the SSH server is in)=
 .=20
 -+
 -+  Passwords update are no longer a nightmare for a server farm (key p=
 air passphrase is stored on each user's box and private key is locally =
 encrypted using his passphrase=20
 -+  so each user can change it as much as he wants).=20
 -+
 -+  Blocking a user account can be done directly from the LDAP (if sshd=
  is using RSAAuth + ldap only).
 -+
 -+- RULES : =20
 -+  Entry in the LDAP server must respect 'posixAccount' and 'ldapPubli=
 cKey' which are defined in core.schema.=20
 -+  and the additionnal lpk.schema.
 -+
 -+  This patch could allow a smooth transition between standard auth (/=
 etc/passwd) and complete LDAP based authentication=20
 -+  (pamldap, nss=5Fldap, etc..).
 -+
 -+  This can be an alternative to other (old=3F/expensive=3F) authentic=
 ation methods (Kerberos/SecurID/..).
 -+ =20
 -+  Referring to schema at the beginning of this file if user 'eau' is =
 only in group 'unix'
 -+  'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server=
 4' BUT NOT 'server5'.
 -+  If you then modify the LDAP 'mail' group entry to add 'memberUid: e=
 au' THEN user 'eau' would be able
 -+  to log in 'server5' (i hope you got the idea, my english is bad :).=
 
 -+
 -+  Each server's sshd is patched and configured to ask the public key =
 and the group infos in the LDAP
 -+  server.
 -+  When you want to allow a new user to have access to the server parc=
 , you just add him an account on=20
 -+  your servers, you add his public key into his entry on the LDAP ser=
 ver, it's done.=20
 -+
 -+  Because sshds are looking public keys into the LDAP directly instea=
 d of a file ($HOME/.ssh/authorized=5Fkeys).
 -+
 -+  When the user needs to change his passphrase he can do it directly =
 from his workstation by changing=20
 -+  his own key set lock passphrase, and all servers are automatically =
 aware.
 -+=20
 -+  With a CAREFUL LDAP server configuration you could allow a user to =
 add/delete/modify his own entry himself
 -+  so he can add/modify/delete himself his public key when needed.
 -+
 -+=AD FLAWS :
 -+  LDAP must be well configured, getting the public key of some user i=
 s not a problem, but if anonymous LDAP=20
 -+  allow write to users dn, somebody could replace someuser's public k=
 ey by its own and impersonate some=20
 -+  of your users in all your server farm be VERY CAREFUL.
 -+ =20
 -+  MITM attack when sshd is requesting the public key, could lead to a=
  compromise of your servers allowing login=20
 -+  as the impersonnated user.
 -+
 -+  If LDAP server is down then, fallback on passwd auth.
 -+ =20
 -+  the ldap code part has not been well audited yet.
 -+
 -+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
 -+    --- CUT HERE ---
 -+    dn: uid=3Djdoe,ou=3Dusers,dc=3Dfoobar,dc=3Dnet
 -+    objectclass: top
 -+    objectclass: person
 -+    objectclass: organizationalPerson
 -+    objectclass: posixAccount
 -+    objectclass: ldapPublicKey
 -+    description: My account
 -+    cn: John Doe
 -+    sn: John Doe
 -+    uid: jdoe
 -+    uidNumber: 100
 -+    gidNumber: 100
 -+    homeDirectory: /home/jdoe
 -+    sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54Y=
 F3AXkB0OZrXB....
 -+    [...]
 -+    --- CUT HERE ---
 -+
 -+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
 -+    --- CUT HERE ---
 -+    dn: cn=3Dunix,ou=3Dgroups,dc=3Dcuckoos,dc=3Dnet
 -+    objectclass: top
 -+    objectclass: posixGroup
 -+    description: Unix based servers group
 -+    cn: unix
 -+    gidNumber: 1002
 -+    memberUid: jdoe
 -+    memberUid: user1
 -+    memberUid: user2
 -+    [...]
 -+    --- CUT HERE ---
 -+
 -+>> FYI: <<=20
 -+Multiple 'sshPublicKey' in a user entry are allowed, as well as multi=
 ple 'memberUid' attributes in a group entry
 -+
 -+- COMPILING:
 -+  1. Apply the patch
 -+  2. ./configure --with-your-options --with-ldap=3D/prefix/to/ldap=5F=
 libs=5Fand=5Fincludes
 -+  3. make
 -+  4. it's done.
 -+
 -+- BLA :
 -+  I hope this could help, and i hope to be clear enough,, or give ide=
 as.  questions/comments/improvements are welcome.
 -+ =20
 -+- TODO :
 -+  Redesign differently.
 -+
 -+- DOCS/LINK :
 -+  http://pacsec.jp/core05/psj05-barisani-en.pdf
 -+  http://fritz.potsdam.edu/projects/openssh-lpk/
 -+  http://fritz.potsdam.edu/projects/sshgate/
 -+  http://dev.inversepath.com/trac/openssh-lpk
 -+  http://lam.sf.net/ ( http://lam.sourceforge.net/documentation/suppo=
 rtedSchemas.htm )
 -+
 -+- CONTRIBUTORS/IDEAS/GREETS :
 -+  - Falk Siemonsmeier.
 -+  - Jacob Rief.
 -+  - Michael Durchgraf.
 -+  - frederic peters.
 -+  - Finlay dobbie.
 -+  - Stefan Fisher.
 -+  - Robin H. Johnson.
 -+  - Adrian Bridgett.
 -+
 -+- CONTACT :
 -+  - Eric AUGE <eau at phear.org>
 -+  - Andrea Barisani <andrea at inversepath.com>
 -
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' servconf.h servconf.h
 ---- servconf.h=092008-06-10 06:01:51.000000000 -0700
 -+++ servconf.h=092008-08-23 15:02:47.000000000 -0700
 -@@ -16,6 +16,10 @@
 - #ifndef SERVCONF=5FH
 - #define SERVCONF=5FH
 -=20
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+#include "ldapauth.h"
 -+#endif
 -+
 - #define MAX=5FPORTS=09=09256=09/* Max # ports. */
 -=20
 - #define MAX=5FALLOW=5FUSERS=09=09256=09/* Max # users on allow list. =
 */
 -@@ -145,6 +149,9 @@
 - =09int=09use=5Fpam;=09=09/* Enable auth via PAM */
 -=20
 - =09int=09permit=5Ftun;
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+        ldap=5Fopt=5Ft lpk;
 -+#endif
 -=20
 - =09int=09num=5Fpermitted=5Fopens;
 -=20
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' sshd.c sshd.c
 ---- sshd.c=092008-07-11 00:36:49.000000000 -0700
 -+++ sshd.c=092008-08-23 15:02:47.000000000 -0700
 -@@ -127,6 +127,10 @@
 - int deny=5Fseverity;
 - #endif /* LIBWRAP */
 -=20
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+#include "ldapauth.h"
 -+#endif
 -+
 - #ifndef O=5FNOCTTY
 - #define O=5FNOCTTY=090
 - #endif
 -@@ -1484,6 +1488,16 @@
 - =09=09exit(1);
 - =09}
 -=20
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+    /* ldap=5Foptions=5Fprint(&options.lpk); */
 -+    /* XXX initialize/check ldap connection and set *LD */
 -+    if (options.lpk.on) {
 -+        if (options.lpk.l=5Fconf && (ldap=5Fparse=5Flconf(&options.lp=
 k) < 0) )
 -+            error("[LDAP] could not parse %s", options.lpk.l=5Fconf);=
 
 -+        if (ldap=5Fconnect(&options.lpk) < 0)
 -+            error("[LDAP] could not initialize ldap connection");
 -+    }
 -+#endif
 - =09debug("sshd version %.100s", SSH=5FRELEASE);
 -=20
 - =09/* Store privilege separation user for later use if required. */
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' sshd=5Fconfig sshd=5Fc=
 onfig
 ---- sshd=5Fconfig=092008-07-02 05:35:43.000000000 -0700
 -+++ sshd=5Fconfig=092008-08-23 15:02:47.000000000 -0700
 -@@ -109,6 +109,21 @@
 - # no default banner path
 - #Banner none
 -=20
 -+# here are the new patched ldap related tokens
 -+# entries in your LDAP must have posixAccount & ldapPublicKey objectc=
 lass
 -+#UseLPK yes
 -+#LpkLdapConf /etc/ldap.conf
 -+#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
 -+#LpkUserDN   ou=3Dusers,dc=3Dphear,dc=3Dorg
 -+#LpkGroupDN  ou=3Dgroups,dc=3Dphear,dc=3Dorg
 -+#LpkBindDN cn=3DManager,dc=3Dphear,dc=3Dorg
 -+#LpkBindPw secret
 -+#LpkServerGroup mail
 -+#LpkFilter (hostAccess=3Dmaster.phear.org)
 -+#LpkForceTLS no
 -+#LpkSearchTimelimit 3
 -+#LpkBindTimelimit 3
 -+
 - # override default of no subsystems
 - Subsystem=09sftp=09/usr/libexec/sftp-server
 -=20
 -diff -Nuar --exclude '*.orig' --exclude '*.rej' sshd=5Fconfig.5 sshd=5F=
 config.5
 ---- sshd=5Fconfig.5=092008-07-02 05:35:43.000000000 -0700
 -+++ sshd=5Fconfig.5=092008-08-23 15:02:47.000000000 -0700
 -@@ -1003,6 +1003,62 @@
 - program.
 - The default is
 - .Pa /usr/X11R6/bin/xauth .
 -+.It Cm UseLPK
 -+Specifies whether LDAP public key retrieval must be used or not. It a=
 llow
 -+an easy centralisation of public keys within an LDAP directory. The a=
 rgument must be
 -+.Dq yes
 -+or
 -+.Dq no .
 -+.It Cm LpkLdapConf
 -+Specifies whether LDAP Public keys should parse the specified ldap.co=
 nf file
 -+instead of sshd=5Fconfig Tokens. The argument must be a valid path to=
  an ldap.conf
 -+file like
 -+.Pa /etc/ldap.conf
 -+.It Cm LpkServers
 -+Specifies LDAP one or more [:space:] separated server's url the follo=
 wing form may be used:
 -+.Pp
 -+LpkServers ldaps://127.0.0.1 ldap://127.0.0.2 ldap://127.0.0.3
 -+.It Cm LpkUserDN
 -+Specifies the LDAP user DN.
 -+.Pp
 -+LpkUserDN ou=3Dusers,dc=3Dphear,dc=3Dorg
 -+.It Cm LpkGroupDN
 -+Specifies the LDAP groups DN.
 -+.Pp
 -+LpkGroupDN ou=3Dgroups,dc=3Dphear,dc=3Dorg
 -+.It Cm LpkBindDN
 -+Specifies the LDAP bind DN to use if necessary.
 -+.Pp
 -+LpkBindDN cn=3DManager,dc=3Dphear,dc=3Dorg
 -+.It Cm LpkBindPw
 -+Specifies the LDAP bind credential.=20
 -+.Pp
 -+LpkBindPw secret
 -+.It Cm LpkServerGroup
 -+Specifies one or more [:space:] separated group the server is part of=
 .=20
 -+.Pp
 -+LpkServerGroup unix mail prod
 -+.It Cm LpkFilter
 -+Specifies an additional LDAP filter to use for finding SSH keys
 -+.Pp
 -+LpkFilter (hostAccess=3Dmaster.phear.org)
 -+.It Cm LpkForceTLS
 -+Specifies if the LDAP server connection must be tried, forced or not =
 used. The argument must be=20
 -+.Dq yes
 -+or
 -+.Dq no
 -+or
 -+.Dq try .
 -+.It Cm LpkSearchTimelimit
 -+Sepcifies the search time limit before the search is considered over.=
  value is
 -+in seconds.
 -+.Pp
 -+LpkSearchTimelimit 3
 -+.It Cm LpkBindTimelimit
 -+Sepcifies the bind time limit before the connection is considered dea=
 d. value is
 -+in seconds.
 -+.Pp
 -+LpkBindTimelimit 3
 - .El
 - .Sh TIME FORMATS
 - .Xr sshd 8
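Review bot: in the deleted sshd.c hunk a failed `ldap_connect(&options.lpk)` only reaches `error("[LDAP] could not initialize ldap connection")` and sshd keeps starting with `options.lpk.on` still set, which is the behaviour the README's FLAWS section describes as "If LDAP server is down then, fallback on passwd auth"; if LPK is re-enabled for 5.6p1 from the upstream patch instead of this local 5.2p1 copy, that fallback should be verified rather than assumed, since LDAP reachability is what gates key-based login in this design. Dropping the file outright matches the cover letter's plan to mark LPK BROKEN rather than carry it forward. The sample sshd_config here also keeps the bind credential inline (`#LpkBindPw secret`), so the sshd_config.5 text that comes with the reimported patch should still document where that secret lives.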
 Index: files/lpk+hpn-servconf.c.patch
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: files/lpk+hpn-servconf.c.patch
 diff -N files/lpk+hpn-servconf.c.patch
 --- files/lpk+hpn-servconf.c.patch=0921 Jun 2009 20:36:15 -0000=091.1
 +++ /dev/null=091 Jan 1970 00:00:00 -0000
 @@ -1,307 +0,0 @@
 ---- servconf.c.orig=092009-05-26 15:13:32.000000000 +0400
 -+++ servconf.c=092009-05-26 18:09:30.000000000 +0400
 -@@ -42,6 +42,10 @@
 - #include "channels.h"
 - #include "groupaccess.h"
 -=20
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+#include "ldapauth.h"
 -+#endif
 -+
 - static void add=5Flisten=5Faddr(ServerOptions *, char *, int);
 - static void add=5Fone=5Flisten=5Faddr(ServerOptions *, char *, int);
 -=20
 -@@ -128,11 +132,38 @@
 - =09options->adm=5Fforced=5Fcommand =3D NULL;
 - =09options->chroot=5Fdirectory =3D NULL;
 - =09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D -1;
 -+=09options->none=5Fenabled =3D -1;
 -+=09options->tcp=5Frcv=5Fbuf=5Fpoll =3D -1;
 -+=09options->hpn=5Fdisabled =3D -1;
 -+=09options->hpn=5Fbuffer=5Fsize =3D -1;
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+ =09/* XXX dirty */
 -+ =09options->lpk.ld =3D NULL;
 -+ =09options->lpk.on =3D -1;
 -+ =09options->lpk.servers =3D NULL;
 -+ =09options->lpk.u=5Fbasedn =3D NULL;
 -+ =09options->lpk.g=5Fbasedn =3D NULL;
 -+ =09options->lpk.binddn =3D NULL;
 -+ =09options->lpk.bindpw =3D NULL;
 -+ =09options->lpk.sgroup =3D NULL;
 -+ =09options->lpk.filter =3D NULL;
 -+ =09options->lpk.fgroup =3D NULL;
 -+ =09options->lpk.l=5Fconf =3D NULL;
 -+ =09options->lpk.tls =3D -1;
 -+ =09options->lpk.b=5Ftimeout.tv=5Fsec =3D -1;
 -+ =09options->lpk.s=5Ftimeout.tv=5Fsec =3D -1;
 -+ =09options->lpk.flags =3D FLAG=5FEMPTY;
 -+#endif
 - }
 -=20
 - void
 - fill=5Fdefault=5Fserver=5Foptions(ServerOptions *options)
 - {
 -+=09/* needed for hpn socket tests */
 -+=09int sock;
 -+=09int socksize;
 -+=09int socksizelen =3D sizeof(int);
 -+
 - =09/* Portable-specific options */
 - =09if (options->use=5Fpam =3D=3D -1)
 - =09=09options->use=5Fpam =3D 1;
 -@@ -265,6 +296,68 @@
 - =09=09options->permit=5Ftun =3D SSH=5FTUNMODE=5FNO;
 - =09if (options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D=3D -=
 1)
 - =09=09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D 0;
 -+=09if (options->hpn=5Fdisabled =3D=3D -1)=20
 -+=09=09options->hpn=5Fdisabled =3D 0;
 -+
 -+=09if (options->hpn=5Fbuffer=5Fsize =3D=3D -1) {
 -+=09=09/* option not explicitly set. Now we have to figure out */
 -+=09=09/* what value to use */
 -+=09=09if (options->hpn=5Fdisabled =3D=3D 1) {
 -+=09=09=09options->hpn=5Fbuffer=5Fsize =3D CHAN=5FSES=5FWINDOW=5FDEFAU=
 LT;
 -+=09=09} else {
 -+=09=09=09/* get the current RCV size and set it to that */
 -+=09=09=09/*create a socket but don't connect it */
 -+=09=09=09/* we use that the get the rcv socket size */
 -+=09=09=09sock =3D socket(AF=5FINET, SOCK=5FSTREAM, 0);
 -+=09=09=09getsockopt(sock, SOL=5FSOCKET, SO=5FRCVBUF,=20
 -+=09=09=09=09   &socksize, &socksizelen);
 -+=09=09=09close(sock);
 -+=09=09=09options->hpn=5Fbuffer=5Fsize =3D socksize;
 -+=09=09=09debug ("HPN Buffer Size: %d", options->hpn=5Fbuffer=5Fsize);=
 
 -+=09=09=09
 -+=09=09}=20
 -+=09} else {
 -+=09=09/* we have to do this incase the user sets both values in a con=
 tradictory */
 -+=09=09/* manner. hpn=5Fdisabled overrrides hpn=5Fbuffer=5Fsize*/
 -+=09=09if (options->hpn=5Fdisabled <=3D 0) {
 -+=09=09=09if (options->hpn=5Fbuffer=5Fsize =3D=3D 0)
 -+=09=09=09=09options->hpn=5Fbuffer=5Fsize =3D 1;
 -+=09=09=09/* limit the maximum buffer to 64MB */
 -+=09=09=09if (options->hpn=5Fbuffer=5Fsize > 64*1024) {
 -+=09=09=09=09options->hpn=5Fbuffer=5Fsize =3D 64*1024*1024;
 -+=09=09=09} else {
 -+=09=09=09=09options->hpn=5Fbuffer=5Fsize *=3D 1024;
 -+=09=09=09}
 -+=09=09} else
 -+=09=09=09options->hpn=5Fbuffer=5Fsize =3D CHAN=5FTCP=5FWINDOW=5FDEFAU=
 LT;
 -+=09}
 -+
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09if (options->lpk.on =3D=3D -1)
 -+=09    options->lpk.on =3D =5FDEFAULT=5FLPK=5FON;
 -+=09if (options->lpk.servers =3D=3D NULL)
 -+=09    options->lpk.servers =3D =5FDEFAULT=5FLPK=5FSERVERS;
 -+=09if (options->lpk.u=5Fbasedn =3D=3D NULL)
 -+=09    options->lpk.u=5Fbasedn =3D =5FDEFAULT=5FLPK=5FUDN;
 -+=09if (options->lpk.g=5Fbasedn =3D=3D NULL)
 -+=09    options->lpk.g=5Fbasedn =3D =5FDEFAULT=5FLPK=5FGDN;
 -+=09if (options->lpk.binddn =3D=3D NULL)
 -+=09    options->lpk.binddn =3D =5FDEFAULT=5FLPK=5FBINDDN;
 -+=09if (options->lpk.bindpw =3D=3D NULL)
 -+=09    options->lpk.bindpw =3D =5FDEFAULT=5FLPK=5FBINDPW;
 -+=09if (options->lpk.sgroup =3D=3D NULL)
 -+=09    options->lpk.sgroup =3D =5FDEFAULT=5FLPK=5FSGROUP;
 -+=09if (options->lpk.filter =3D=3D NULL)
 -+=09    options->lpk.filter =3D =5FDEFAULT=5FLPK=5FFILTER;
 -+=09if (options->lpk.tls =3D=3D -1)
 -+=09    options->lpk.tls =3D =5FDEFAULT=5FLPK=5FTLS;
 -+=09if (options->lpk.b=5Ftimeout.tv=5Fsec =3D=3D -1)
 -+=09    options->lpk.b=5Ftimeout.tv=5Fsec =3D =5FDEFAULT=5FLPK=5FBTIME=
 OUT;
 -+=09if (options->lpk.s=5Ftimeout.tv=5Fsec =3D=3D -1)
 -+=09    options->lpk.s=5Ftimeout.tv=5Fsec =3D =5FDEFAULT=5FLPK=5FSTIME=
 OUT;
 -+=09if (options->lpk.l=5Fconf =3D=3D NULL)
 -+=09    options->lpk.l=5Fconf =3D =5FDEFAULT=5FLPK=5FLDP;
 -+#endif
 -=20
 - =09/* Turn privilege separation on by default */
 - =09if (use=5Fprivsep =3D=3D -1)
 -@@ -310,7 +403,14 @@
 - =09sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 - =09sUsePrivilegeSeparation, sAllowAgentForwarding,
 - =09sZeroKnowledgePasswordAuthentication,
 -+=09sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
 - =09sDeprecated, sUnsupported
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09,sLdapPublickey, sLdapServers, sLdapUserDN
 -+=09,sLdapGroupDN, sBindDN, sBindPw, sMyGroup
 -+=09,sLdapFilter, sForceTLS, sBindTimeout
 -+=09,sSearchTimeout, sLdapConf
 -+#endif
 - } ServerOpCodes;
 -=20
 - #define SSHCFG=5FGLOBAL=090x01=09/* allowed in main section of sshd=5F=
 config */
 -@@ -421,6 +521,20 @@
 - =09{ "clientalivecountmax", sClientAliveCountMax, SSHCFG=5FGLOBAL },
 - =09{ "authorizedkeysfile", sAuthorizedKeysFile, SSHCFG=5FGLOBAL },
 - =09{ "authorizedkeysfile2", sAuthorizedKeysFile2, SSHCFG=5FGLOBAL },
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09{ =5FDEFAULT=5FLPK=5FTOKEN, sLdapPublickey, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FSRV=5FTOKEN, sLdapServers, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FUSR=5FTOKEN, sLdapUserDN, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FGRP=5FTOKEN, sLdapGroupDN, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FBDN=5FTOKEN, sBindDN, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FBPW=5FTOKEN, sBindPw, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FMYG=5FTOKEN, sMyGroup, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FFIL=5FTOKEN, sLdapFilter, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FTLS=5FTOKEN, sForceTLS, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FBTI=5FTOKEN, sBindTimeout, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FSTI=5FTOKEN, sSearchTimeout, SSHCFG=5FGLOBAL },
 -+=09{ =5FDEFAULT=5FLDP=5FTOKEN, sLdapConf, SSHCFG=5FGLOBAL },
 -+#endif
 - =09{ "useprivilegeseparation", sUsePrivilegeSeparation, SSHCFG=5FGLOB=
 AL },
 - =09{ "acceptenv", sAcceptEnv, SSHCFG=5FGLOBAL },
 - =09{ "permittunnel", sPermitTunnel, SSHCFG=5FGLOBAL },
 -@@ -428,6 +542,10 @@
 - =09{ "permitopen", sPermitOpen, SSHCFG=5FALL },
 - =09{ "forcecommand", sForceCommand, SSHCFG=5FALL },
 - =09{ "chrootdirectory", sChrootDirectory, SSHCFG=5FALL },
 -+=09{ "noneenabled", sNoneEnabled },
 -+=09{ "hpndisabled", sHPNDisabled },
 -+=09{ "hpnbuffersize", sHPNBufferSize },
 -+=09{ "tcprcvbufpoll", sTcpRcvBufPoll },
 - =09{ NULL, sBadOption, 0 }
 - };
 -=20
 -@@ -454,6 +572,7 @@
 -=20
 - =09for (i =3D 0; keywords[i].name; i++)
 - =09=09if (strcasecmp(cp, keywords[i].name) =3D=3D 0) {
 -+=09=09        debug ("Config token is %s", keywords[i].name);
 - =09=09=09*flags =3D keywords[i].flags;
 - =09=09=09return keywords[i].opcode;
 - =09=09}
 -@@ -851,6 +970,22 @@
 - =09=09=09*intptr =3D value;
 - =09=09break;
 -=20
 -+=09case sNoneEnabled:
 -+=09=09intptr =3D &options->none=5Fenabled;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case sTcpRcvBufPoll:
 -+=09=09intptr =3D &options->tcp=5Frcv=5Fbuf=5Fpoll;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case sHPNDisabled:
 -+=09=09intptr =3D &options->hpn=5Fdisabled;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case sHPNBufferSize:
 -+=09=09intptr =3D &options->hpn=5Fbuffer=5Fsize;
 -+=09=09goto parse=5Fint;
 -+
 - =09case sIgnoreUserKnownHosts:
 - =09=09intptr =3D &options->ignore=5Fuser=5Fknown=5Fhosts;
 - =09=09goto parse=5Fflag;
 -@@ -1311,6 +1446,107 @@
 - =09=09while (arg)
 - =09=09    arg =3D strdelim(&cp);
 - =09=09break;
 -+#ifdef WITH=5FLDAP=5FPUBKEY
 -+=09case sLdapPublickey:
 -+=09=09intptr =3D &options->lpk.on;
 -+=09=09goto parse=5Fflag;
 -+=09case sLdapServers:
 -+=09=09/* arg =3D strdelim(&cp); */
 -+=09=09p =3D line;
 -+=09=09while(*p++);
 -+=09=09arg =3D p;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing ldap server",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09if ((options->lpk.servers =3D ldap=5Fparse=5Fservers(arg)) =3D=3D=
  NULL)
 -+=09=09    fatal("%s line %d: error in ldap servers", filename, linenu=
 m);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sLdapUserDN:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing ldap server",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.u=5Fbasedn =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sLdapGroupDN:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing ldap server",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.g=5Fbasedn =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sBindDN:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing binddn",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.binddn =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sBindPw:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing bindpw",filename,linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.bindpw =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sMyGroup:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing groupname",filename, linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.sgroup =3D xstrdup(arg);
 -+=09=09if (options->lpk.sgroup)
 -+=09=09    options->lpk.fgroup =3D ldap=5Fparse=5Fgroups(options->lpk.=
 sgroup);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sLdapFilter:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing filter",filename, linenum);
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.filter =3D xstrdup(arg);
 -+=09=09memset(arg,0,strlen(arg));
 -+=09=09break;
 -+=09case sForceTLS:
 -+=09=09intptr =3D &options->lpk.tls;
 -+=09=09arg =3D strdelim(&cp);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%s line %d: missing yes/no argument.",
 -+=09=09=09    filename, linenum);
 -+=09=09value =3D 0;=09/* silence compiler */
 -+=09=09if (strcmp(arg, "yes") =3D=3D 0)
 -+=09=09=09value =3D 1;
 -+=09=09else if (strcmp(arg, "no") =3D=3D 0)
 -+=09=09=09value =3D 0;
 -+=09=09else if (strcmp(arg, "try") =3D=3D 0)
 -+=09=09=09value =3D -1;
 -+=09=09else
 -+=09=09=09fatal("%s line %d: Bad yes/no argument: %s",
 -+=09=09=09=09filename, linenum, arg);
 -+=09=09if (*intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+=09case sBindTimeout:
 -+=09=09intptr =3D (int *) &options->lpk.b=5Ftimeout.tv=5Fsec;
 -+=09=09goto parse=5Fint;
 -+=09case sSearchTimeout:
 -+=09=09intptr =3D (int *) &options->lpk.s=5Ftimeout.tv=5Fsec;
 -+=09=09goto parse=5Fint;
 -+=09=09break;
 -+=09case sLdapConf:
 -+=09=09arg =3D cp;
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09    fatal("%s line %d: missing LpkLdapConf", filename, linenum)=
 ;
 -+=09=09arg[strlen(arg)] =3D '\0';
 -+=09=09options->lpk.l=5Fconf =3D xstrdup(arg);
 -+=09=09memset(arg, 0, strlen(arg));
 -+=09=09break;
 -+#endif
 -=20
 - =09default:
 - =09=09fatal("%s line %d: Missing handler for opcode %s (%d)",
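Review bot: in the deleted `sLdapServers` case, `p = line; while(*p++); arg = p;` walks one past the terminating NUL of `line` and then parses whatever memory follows it, and the `arg[strlen(arg)] = '\0';` after it is a no-op, so the server list is read from an unchecked position instead of from `cp` like the other Lpk cases; since this file is being removed rather than carried forward this only matters to whoever re-imports the LPK patch for 5.6p1, and the upstream version should be checked for the same construct. The four hpn keyword entries (`{ "noneenabled", sNoneEnabled },` and the three following) also omit the SSHCFG flags field that every neighbouring entry has, leaving `flags` zero for those tokens; those same lines are repeated in the standalone openssh-5.2p1-hpn13v6-servconf.c.diff deleted next, which is exactly the duplication that pointing at the upstream hpn patch removes.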
 Index: files/openssh-5.2p1-hpn13v6-servconf.c.diff
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: files/openssh-5.2p1-hpn13v6-servconf.c.diff
 diff -N files/openssh-5.2p1-hpn13v6-servconf.c.diff
 --- files/openssh-5.2p1-hpn13v6-servconf.c.diff=0921 Jun 2009 20:36:15 =
 -0000=091.1
 +++ /dev/null=091 Jan 1970 00:00:00 -0000
 @@ -1,117 +0,0 @@
 -diff -NupwB servconf.c servconf.c
 ---- servconf.c=092009-01-28 00:31:23.000000000 -0500
 -+++ servconf.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -128,11 +128,20 @@ initialize=5Fserver=5Foptions(ServerOptions=20
 - =09options->adm=5Fforced=5Fcommand =3D NULL;
 - =09options->chroot=5Fdirectory =3D NULL;
 - =09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D -1;
 -+=09options->none=5Fenabled =3D -1;
 -+=09options->tcp=5Frcv=5Fbuf=5Fpoll =3D -1;
 -+=09options->hpn=5Fdisabled =3D -1;
 -+=09options->hpn=5Fbuffer=5Fsize =3D -1;
 - }
 -=20
 - void
 - fill=5Fdefault=5Fserver=5Foptions(ServerOptions *options)
 - {
 -+=09/* needed for hpn socket tests */
 -+=09int sock;
 -+=09int socksize;
 -+=09int socksizelen =3D sizeof(int);
 -+
 - =09/* Portable-specific options */
 - =09if (options->use=5Fpam =3D=3D -1)
 - =09=09options->use=5Fpam =3D 0;
 -@@ -262,6 +271,42 @@ fill=5Fdefault=5Fserver=5Foptions(ServerOption
 - =09if (options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D=3D -=
 1)
 - =09=09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D 0;
 -=20
 -+=09if (options->hpn=5Fdisabled =3D=3D -1)=20
 -+=09=09options->hpn=5Fdisabled =3D 0;
 -+
 -+=09if (options->hpn=5Fbuffer=5Fsize =3D=3D -1) {
 -+=09=09/* option not explicitly set. Now we have to figure out */
 -+=09=09/* what value to use */
 -+=09=09if (options->hpn=5Fdisabled =3D=3D 1) {
 -+=09=09=09options->hpn=5Fbuffer=5Fsize =3D CHAN=5FSES=5FWINDOW=5FDEFAU=
 LT;
 -+=09=09} else {
 -+=09=09=09/* get the current RCV size and set it to that */
 -+=09=09=09/*create a socket but don't connect it */
 -+=09=09=09/* we use that the get the rcv socket size */
 -+=09=09=09sock =3D socket(AF=5FINET, SOCK=5FSTREAM, 0);
 -+=09=09=09getsockopt(sock, SOL=5FSOCKET, SO=5FRCVBUF,=20
 -+=09=09=09=09   &socksize, &socksizelen);
 -+=09=09=09close(sock);
 -+=09=09=09options->hpn=5Fbuffer=5Fsize =3D socksize;
 -+=09=09=09debug ("HPN Buffer Size: %d", options->hpn=5Fbuffer=5Fsize);=
 
 -+=09=09=09
 -+=09=09}=20
 -+=09} else {
 -+=09=09/* we have to do this incase the user sets both values in a con=
 tradictory */
 -+=09=09/* manner. hpn=5Fdisabled overrrides hpn=5Fbuffer=5Fsize*/
 -+=09=09if (options->hpn=5Fdisabled <=3D 0) {
 -+=09=09=09if (options->hpn=5Fbuffer=5Fsize =3D=3D 0)
 -+=09=09=09=09options->hpn=5Fbuffer=5Fsize =3D 1;
 -+=09=09=09/* limit the maximum buffer to 64MB */
 -+=09=09=09if (options->hpn=5Fbuffer=5Fsize > 64*1024) {
 -+=09=09=09=09options->hpn=5Fbuffer=5Fsize =3D 64*1024*1024;
 -+=09=09=09} else {
 -+=09=09=09=09options->hpn=5Fbuffer=5Fsize *=3D 1024;
 -+=09=09=09}
 -+=09=09} else
 -+=09=09=09options->hpn=5Fbuffer=5Fsize =3D CHAN=5FTCP=5FWINDOW=5FDEFAU=
 LT;
 -+=09}
 -+
 - =09/* Turn privilege separation on by default */
 - =09if (use=5Fprivsep =3D=3D -1)
 - =09=09use=5Fprivsep =3D 1;
 -@@ -306,6 +351,7 @@ typedef enum {
 - =09sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 - =09sUsePrivilegeSeparation, sAllowAgentForwarding,
 - =09sZeroKnowledgePasswordAuthentication,
 -+=09sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
 - =09sDeprecated, sUnsupported
 - } ServerOpCodes;
 -=20
 -@@ -424,6 +470,10 @@ static struct {
 - =09{ "permitopen", sPermitOpen, SSHCFG=5FALL },
 - =09{ "forcecommand", sForceCommand, SSHCFG=5FALL },
 - =09{ "chrootdirectory", sChrootDirectory, SSHCFG=5FALL },
 -+=09{ "noneenabled", sNoneEnabled },
 -+=09{ "hpndisabled", sHPNDisabled },
 -+=09{ "hpnbuffersize", sHPNBufferSize },
 -+=09{ "tcprcvbufpoll", sTcpRcvBufPoll },
 - =09{ NULL, sBadOption, 0 }
 - };
 -=20
 -@@ -450,6 +500,7 @@ parse=5Ftoken(const char *cp, const char *
 -=20
 - =09for (i =3D 0; keywords[i].name; i++)
 - =09=09if (strcasecmp(cp, keywords[i].name) =3D=3D 0) {
 -+=09=09        debug ("Config token is %s", keywords[i].name);
 - =09=09=09*flags =3D keywords[i].flags;
 - =09=09=09return keywords[i].opcode;
 - =09=09}
 -@@ -847,6 +898,22 @@ process=5Fserver=5Fconfig=5Fline(ServerOptions
 - =09=09=09*intptr =3D value;
 - =09=09break;
 -=20
 -+=09case sNoneEnabled:
 -+=09=09intptr =3D &options->none=5Fenabled;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case sTcpRcvBufPoll:
 -+=09=09intptr =3D &options->tcp=5Frcv=5Fbuf=5Fpoll;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case sHPNDisabled:
 -+=09=09intptr =3D &options->hpn=5Fdisabled;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case sHPNBufferSize:
 -+=09=09intptr =3D &options->hpn=5Fbuffer=5Fsize;
 -+=09=09goto parse=5Fint;
 -+
 - =09case sIgnoreUserKnownHosts:
 - =09=09intptr =3D &options->ignore=5Fuser=5Fknown=5Fhosts;
 - =09=09goto parse=5Fflag;
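Review bot: in the deleted `fill_default_server_options` hunk the return values of `socket(AF_INET, SOCK_STREAM, 0)` and of `getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen)` are never checked, so on failure the uninitialised `socksize` is copied into `options->hpn_buffer_size`, and `socksizelen` is declared `int` where `getsockopt` takes a `socklen_t *`. This file only repeats the HPN hunks already present in the combined lpk+hpn servconf patch above, so removing both in favour of the upstream hpn patch is the right cleanup; the upstream 5.6 hpn patch should be checked for the same unchecked calls before the port relies on it for the default buffer size.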
 Index: files/openssh-5.2p1-hpn13v6.diff
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: files/openssh-5.2p1-hpn13v6.diff
 diff -N files/openssh-5.2p1-hpn13v6.diff
 --- files/openssh-5.2p1-hpn13v6.diff=0921 Jun 2009 20:36:15 -0000=091.1=
 
 +++ /dev/null=091 Jan 1970 00:00:00 -0000
 @@ -1,3576 +0,0 @@
 -diff -NupwB auth2.c auth2.c
 ---- auth2.c=092008-11-05 00:20:46.000000000 -0500
 -+++ auth2.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -49,6 +49,7 @@
 - #include "dispatch.h"
 - #include "pathnames.h"
 - #include "buffer.h"
 -+#include "canohost.h"
 -=20
 - #ifdef GSSAPI
 - #include "ssh-gss.h"
 -@@ -75,6 +76,9 @@ extern Authmethod method=5Fgssapi;
 - extern Authmethod method=5Fjpake;
 - #endif
 -=20
 -+static int log=5Fflag =3D 0;
 -+
 -+
 - Authmethod *authmethods[] =3D {
 - =09&method=5Fnone,
 - =09&method=5Fpubkey,
 -@@ -225,6 +229,11 @@ input=5Fuserauth=5Frequest(int type, u=5Fint32
 - =09service =3D packet=5Fget=5Fstring(NULL);
 - =09method =3D packet=5Fget=5Fstring(NULL);
 - =09debug("userauth-request for user %s service %s method %s", user, s=
 ervice, method);
 -+=09if (!log=5Fflag) {
 -+=09=09logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s",=20
 -+=09=09      get=5Fremote=5Fipaddr(), get=5Fremote=5Fport(), user);
 -+=09=09log=5Fflag =3D 1;
 -+=09}
 - =09debug("attempt %d failures %d", authctxt->attempt, authctxt->failu=
 res);
 -=20
 - =09if ((style =3D strchr(user, ':')) !=3D NULL)
 -diff -NupwB buffer.c buffer.c
 ---- buffer.c=092006-08-04 22:39:39.000000000 -0400
 -+++ buffer.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -127,7 +127,7 @@ restart:
 -=20
 - =09/* Increase the size of the buffer and retry. */
 - =09newlen =3D roundup(buffer->alloc + len, BUFFER=5FALLOCSZ);
 --=09if (newlen > BUFFER=5FMAX=5FLEN)
 -+=09if (newlen > BUFFER=5FMAX=5FLEN=5FHPN)
 - =09=09fatal("buffer=5Fappend=5Fspace: alloc %u not supported",
 - =09=09    newlen);
 - =09buffer->buf =3D xrealloc(buffer->buf, 1, newlen);
 -diff -NupwB buffer.h buffer.h
 ---- buffer.h=092008-05-19 00:59:37.000000000 -0400
 -+++ buffer.h=092009-05-14 12:36:10.000000000 -0400
 -@@ -16,6 +16,9 @@
 - #ifndef BUFFER=5FH
 - #define BUFFER=5FH
 -=20
 -+/* move the following to a more appropriate place and name */
 -+#define BUFFER=5FMAX=5FLEN=5FHPN          0x4000000  /* 64MB */
 -+
 - typedef struct {
 - =09u=5Fchar=09*buf;=09=09/* Buffer for data. */
 - =09u=5Fint=09 alloc;=09=09/* Number of bytes allocated for data. */
 -diff -NupwB channels.c channels.c
 ---- channels.c=092009-02-14 00:28:21.000000000 -0500
 -+++ channels.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -169,8 +169,14 @@ static void port=5Fopen=5Fhelper(Channel *c,
 - static int connect=5Fnext(struct channel=5Fconnect *);
 - static void channel=5Fconnect=5Fctx=5Ffree(struct channel=5Fconnect *=
 );
 -=20
 -+
 -+static int hpn=5Fdisabled =3D 0;
 -+static int hpn=5Fbuffer=5Fsize =3D 2 * 1024 * 1024;
 -+
 - /* -- channel core */
 -=20
 -+
 -+
 - Channel *
 - channel=5Fby=5Fid(int id)
 - {
 -@@ -308,6 +314,7 @@ channel=5Fnew(char *ctype, int type, int r
 - =09c->local=5Fwindow=5Fmax =3D window;
 - =09c->local=5Fconsumed =3D 0;
 - =09c->local=5Fmaxpacket =3D maxpack;
 -+=09c->dynamic=5Fwindow =3D 0;
 - =09c->remote=5Fid =3D -1;
 - =09c->remote=5Fname =3D xstrdup(remote=5Fname);
 - =09c->remote=5Fwindow =3D 0;
 -@@ -798,11 +805,35 @@ channel=5Fpre=5Fopen=5F13(Channel *c, fd=5Fset *=
 
 - =09=09FD=5FSET(c->sock, writeset);
 - }
 -=20
 -+int channel=5Ftcpwinsz () {
 -+        u=5Fint32=5Ft tcpwinsz =3D 0;
 -+        socklen=5Ft optsz =3D sizeof(tcpwinsz);
 -+=09int ret =3D -1;
 -+
 -+=09/* if we aren't on a socket return 128KB*/
 -+=09if(!packet=5Fconnection=5Fis=5Fon=5Fsocket())=20
 -+=09    return(128*1024);
 -+=09ret =3D getsockopt(packet=5Fget=5Fconnection=5Fin(),
 -+=09=09=09 SOL=5FSOCKET, SO=5FRCVBUF, &tcpwinsz, &optsz);
 -+=09/* return no more than 64MB */
 -+=09if ((ret =3D=3D 0) && tcpwinsz > BUFFER=5FMAX=5FLEN=5FHPN)
 -+=09    tcpwinsz =3D BUFFER=5FMAX=5FLEN=5FHPN;
 -+=09debug2("tcpwinsz: %d for connection: %d", tcpwinsz,=20
 -+=09       packet=5Fget=5Fconnection=5Fin());
 -+=09return(tcpwinsz);
 -+}
 -+
 - static void
 - channel=5Fpre=5Fopen(Channel *c, fd=5Fset *readset, fd=5Fset *writese=
 t)
 - {
 - =09u=5Fint limit =3D compat20 =3F c->remote=5Fwindow : packet=5Fget=5F=
 maxsize();
 -=20
 -+        /* check buffer limits */
 -+=09if ((!c->tcpwinsz) || (c->dynamic=5Fwindow > 0))
 -+    =09    c->tcpwinsz =3D channel=5Ftcpwinsz();
 -+=09
 -+=09limit =3D MIN(limit, 2 * c->tcpwinsz);
 -+=09
 - =09if (c->istate =3D=3D CHAN=5FINPUT=5FOPEN &&
 - =09    limit > 0 &&
 - =09    buffer=5Flen(&c->input) < limit &&
 -@@ -1759,14 +1790,21 @@ channel=5Fcheck=5Fwindow(Channel *c)
 - =09    c->local=5Fmaxpacket*3) ||
 - =09    c->local=5Fwindow < c->local=5Fwindow=5Fmax/2) &&
 - =09    c->local=5Fconsumed > 0) {
 -+=09=09u=5Fint addition =3D 0;
 -+=09=09/* adjust max window size if we are in a dynamic environment */=
 
 -+=09=09if (c->dynamic=5Fwindow && (c->tcpwinsz > c->local=5Fwindow=5Fm=
 ax)) {
 -+=09=09=09/* grow the window somewhat aggressively to maintain pressur=
 e */
 -+=09=09=09addition =3D 1.5*(c->tcpwinsz - c->local=5Fwindow=5Fmax);
 -+=09=09=09c->local=5Fwindow=5Fmax +=3D addition;
 -+=09=09}
 - =09=09packet=5Fstart(SSH2=5FMSG=5FCHANNEL=5FWINDOW=5FADJUST);
 - =09=09packet=5Fput=5Fint(c->remote=5Fid);
 --=09=09packet=5Fput=5Fint(c->local=5Fconsumed);
 -+=09=09packet=5Fput=5Fint(c->local=5Fconsumed + addition);
 - =09=09packet=5Fsend();
 - =09=09debug2("channel %d: window %d sent adjust %d",
 - =09=09    c->self, c->local=5Fwindow,
 - =09=09    c->local=5Fconsumed);
 --=09=09c->local=5Fwindow +=3D c->local=5Fconsumed;
 -+=09=09c->local=5Fwindow +=3D c->local=5Fconsumed + addition;
 - =09=09c->local=5Fconsumed =3D 0;
 - =09}
 - =09return 1;
 -@@ -1969,11 +2007,12 @@ channel=5Fafter=5Fselect(fd=5Fset *readset, fd=
 
 -=20
 -=20
 - /* If there is data to send to the connection, enqueue some of it now=
 . */
 --void
 -+int
 - channel=5Foutput=5Fpoll(void)
 - {
 - =09Channel *c;
 - =09u=5Fint i, len;
 -+=09int packet=5Flength =3D 0;
 -=20
 - =09for (i =3D 0; i < channels=5Falloc; i++) {
 - =09=09c =3D channels[i];
 -@@ -2013,7 +2052,7 @@ channel=5Foutput=5Fpoll(void)
 - =09=09=09=09=09packet=5Fstart(SSH2=5FMSG=5FCHANNEL=5FDATA);
 - =09=09=09=09=09packet=5Fput=5Fint(c->remote=5Fid);
 - =09=09=09=09=09packet=5Fput=5Fstring(data, dlen);
 --=09=09=09=09=09packet=5Fsend();
 -+=09=09=09=09=09packet=5Flength =3D packet=5Fsend();
 - =09=09=09=09=09c->remote=5Fwindow -=3D dlen + 4;
 - =09=09=09=09=09xfree(data);
 - =09=09=09=09}
 -@@ -2043,7 +2082,7 @@ channel=5Foutput=5Fpoll(void)
 - =09=09=09=09    SSH2=5FMSG=5FCHANNEL=5FDATA : SSH=5FMSG=5FCHANNEL=5FD=
 ATA);
 - =09=09=09=09packet=5Fput=5Fint(c->remote=5Fid);
 - =09=09=09=09packet=5Fput=5Fstring(buffer=5Fptr(&c->input), len);
 --=09=09=09=09packet=5Fsend();
 -+=09=09=09=09packet=5Flength =3D packet=5Fsend();
 - =09=09=09=09buffer=5Fconsume(&c->input, len);
 - =09=09=09=09c->remote=5Fwindow -=3D len;
 - =09=09=09}
 -@@ -2078,12 +2117,13 @@ channel=5Foutput=5Fpoll(void)
 - =09=09=09packet=5Fput=5Fint(c->remote=5Fid);
 - =09=09=09packet=5Fput=5Fint(SSH2=5FEXTENDED=5FDATA=5FSTDERR);
 - =09=09=09packet=5Fput=5Fstring(buffer=5Fptr(&c->extended), len);
 --=09=09=09packet=5Fsend();
 -+=09=09=09packet=5Flength =3D packet=5Fsend();
 - =09=09=09buffer=5Fconsume(&c->extended, len);
 - =09=09=09c->remote=5Fwindow -=3D len;
 - =09=09=09debug2("channel %d: sent ext data %d", c->self, len);
 - =09=09}
 - =09}
 -+=09return (packet=5Flength);
 - }
 -=20
 -=20
 -@@ -2459,6 +2499,15 @@ channel=5Fset=5Faf(int af)
 - =09IPv4or6 =3D af;
 - }
 -=20
 -+
 -+void=20
 -+channel=5Fset=5Fhpn(int external=5Fhpn=5Fdisabled, int external=5Fhpn=
 =5Fbuffer=5Fsize)
 -+{
 -+      =09hpn=5Fdisabled =3D external=5Fhpn=5Fdisabled;
 -+=09hpn=5Fbuffer=5Fsize =3D external=5Fhpn=5Fbuffer=5Fsize;
 -+=09debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn=5Fdisabled, hpn=
 =5Fbuffer=5Fsize);
 -+}
 -+
 - static int
 - channel=5Fsetup=5Ffwd=5Flistener(int type, const char *listen=5Faddr,=
 
 -     u=5Fshort listen=5Fport, int *allocated=5Flisten=5Fport,
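Review bot: the first body line of the new channel_set_hpn() (`hpn_disabled = external_hpn_disabled;`) is indented with spaces followed by a tab while the next line is tab-indented, and the `void` on the declaration line carries trailing whitespace; normalise to tabs. There is also no range check on external_hpn_buffer_size before it is stored, and later hunks pass hpn_buffer_size straight to channel_new() as a window size, so a zero or negative value from the option parser would be accepted here; validate it in this setter or in the parser.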
 -@@ -2610,9 +2659,15 @@ channel=5Fsetup=5Ffwd=5Flistener(int type, con
 - =09=09}
 -=20
 - =09=09/* Allocate a channel number for the socket. */
 -+=09=09/* explicitly test for hpn disabled option. if true use smaller=
  window size */
 -+=09=09if (hpn=5Fdisabled)
 - =09=09c =3D channel=5Fnew("port listener", type, sock, sock, -1,
 - =09=09    CHAN=5FTCP=5FWINDOW=5FDEFAULT, CHAN=5FTCP=5FPACKET=5FDEFAUL=
 T,
 - =09=09    0, "port listener", 1);
 -+ =09=09else
 -+ =09=09=09c =3D channel=5Fnew("port listener", type, sock, sock, -1,
 -+ =09=09    =09  hpn=5Fbuffer=5Fsize, CHAN=5FTCP=5FPACKET=5FDEFAULT,
 -+ =09=09    =09  0, "port listener", 1);=20
 - =09=09c->path =3D xstrdup(host);
 - =09=09c->host=5Fport =3D port=5Fto=5Fconnect;
 - =09=09c->listening=5Fport =3D listen=5Fport;
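Review bot: the `if (hpn_disabled)` inserted in channel_setup_fwd_listener() leaves the original three-line channel_new() call at its old indentation and relies on it being a single statement, and the `else` lines carry a stray leading space after the `+`; brace and indent both branches so the control flow is visible. Better still, compute the window once (`hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : hpn_buffer_size`) and keep a single channel_new() call, since this same if/else is copied for every channel type in the later hunks.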
 -@@ -3151,10 +3206,17 @@ x11=5Fcreate=5Fdisplay=5Finet(int x11=5Fdispla=
 y=5F
 - =09*chanids =3D xcalloc(num=5Fsocks + 1, sizeof(**chanids));
 - =09for (n =3D 0; n < num=5Fsocks; n++) {
 - =09=09sock =3D socks[n];
 -+=09=09/* Is this really necassary=3F */
 -+=09=09if (hpn=5Fdisabled)=20
 - =09=09nc =3D channel=5Fnew("x11 listener",
 - =09=09    SSH=5FCHANNEL=5FX11=5FLISTENER, sock, sock, -1,
 - =09=09    CHAN=5FX11=5FWINDOW=5FDEFAULT, CHAN=5FX11=5FPACKET=5FDEFAUL=
 T,
 - =09=09    0, "X11 inet listener", 1);
 -+=09=09else=20
 -+=09=09=09nc =3D channel=5Fnew("x11 listener",
 -+=09=09=09    SSH=5FCHANNEL=5FX11=5FLISTENER, sock, sock, -1,
 -+=09=09=09    hpn=5Fbuffer=5Fsize, CHAN=5FX11=5FPACKET=5FDEFAULT,
 -+=09=09=09    0, "X11 inet listener", 1);
 - =09=09nc->single=5Fconnection =3D single=5Fconnection;
 - =09=09(*chanids)[n] =3D nc->self;
 - =09}
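Review bot: the comment `/* Is this really necassary? */` above the x11 listener branch leaves an open (and misspelt) question in shipped code; X11 is an interactive protocol, so either keep the default window for X11 listeners or state why an HPN-sized window is wanted, and drop the question. The file headers in this patch were generated with `diff -NupwB`, so whitespace-only changes were silently dropped from the hunks and the patched tree will not match the tree the diff was taken from; regenerate without -w and -B.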
 -diff -NupwB channels.h channels.h
 ---- channels.h=092009-02-14 00:28:21.000000000 -0500
 -+++ channels.h=092009-05-14 12:36:10.000000000 -0400
 -@@ -115,8 +115,10 @@ struct Channel {
 - =09u=5Fint=09local=5Fwindow=5Fmax;
 - =09u=5Fint=09local=5Fconsumed;
 - =09u=5Fint=09local=5Fmaxpacket;
 -+=09int=09dynamic=5Fwindow;
 - =09int     extended=5Fusage;
 - =09int=09single=5Fconnection;
 -+=09u=5Fint =09tcpwinsz;=09
 -=20
 - =09char   *ctype;=09=09/* type */
 -=20
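Review bot: the new `u_int tcpwinsz;` member of struct Channel is added with a trailing tab and a space/tab mix in its alignment, unlike the tab-aligned members around it, and neither it nor `int dynamic_window;` carries a comment saying what it holds (the existing members in this block do); a one-line comment on each would help, since the two names are easy to confuse.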
 -@@ -146,9 +148,11 @@ struct Channel {
 -=20
 - /* default window/packet sizes for tcp/x11-fwd-channel */
 - #define CHAN=5FSES=5FPACKET=5FDEFAULT=09(32*1024)
 --#define CHAN=5FSES=5FWINDOW=5FDEFAULT=09(64*CHAN=5FSES=5FPACKET=5FDEF=
 AULT)
 -+#define CHAN=5FSES=5FWINDOW=5FDEFAULT=09(4*CHAN=5FSES=5FPACKET=5FDEFA=
 ULT)
 -+
 - #define CHAN=5FTCP=5FPACKET=5FDEFAULT=09(32*1024)
 --#define CHAN=5FTCP=5FWINDOW=5FDEFAULT=09(64*CHAN=5FTCP=5FPACKET=5FDEF=
 AULT)
 -+#define CHAN=5FTCP=5FWINDOW=5FDEFAULT=09(4*CHAN=5FTCP=5FPACKET=5FDEFA=
 ULT)
 -+
 - #define CHAN=5FX11=5FPACKET=5FDEFAULT=09(16*1024)
 - #define CHAN=5FX11=5FWINDOW=5FDEFAULT=09(4*CHAN=5FX11=5FPACKET=5FDEFA=
 ULT)
 -=20
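Review bot: cutting CHAN_SES_WINDOW_DEFAULT and CHAN_TCP_WINDOW_DEFAULT from 64*32K (2MB) to 4*32K (128KB) changes the window for every session and TCP channel whenever HPN is disabled, because the `if (hpn_disabled)` branches in the other hunks use exactly these constants; that is a throughput regression relative to stock 5.2p1 for the non-HPN path and should either be reverted for that path or documented as intended. The HPN-README hunk later in this patch says the HPN-disabled receive buffer is "the OpenSSH default of 64K", which matches neither value; the two need to agree.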
 -@@ -221,7 +225,7 @@ void=09 channel=5Finput=5Fstatus=5Fconfirm(int,=20=
 
 -=20
 - void=09 channel=5Fprepare=5Fselect(fd=5Fset **, fd=5Fset **, int *, u=
 =5Fint*, int);
 - void     channel=5Fafter=5Fselect(fd=5Fset *, fd=5Fset *);
 --void     channel=5Foutput=5Fpoll(void);
 -+int      channel=5Foutput=5Fpoll(void);
 -=20
 - int      channel=5Fnot=5Fvery=5Fmuch=5Fbuffered=5Fdata(void);
 - void     channel=5Fclose=5Fall(void);
 -@@ -277,4 +281,7 @@ void=09 chan=5Frcvd=5Fieof(Channel *);
 - void=09 chan=5Fwrite=5Ffailed(Channel *);
 - void=09 chan=5Fobuf=5Fempty(Channel *);
 -=20
 -+/* hpn handler */
 -+void     channel=5Fset=5Fhpn(int, int);
 -+
 - #endif
 -diff -NupwB cipher.c cipher.c
 ---- cipher.c=092009-01-28 00:38:41.000000000 -0500
 -+++ cipher.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -55,6 +55,7 @@ extern const EVP=5FCIPHER *evp=5Fssh1=5Fbf(voi
 - extern const EVP=5FCIPHER *evp=5Fssh1=5F3des(void);
 - extern void ssh1=5F3des=5Fiv(EVP=5FCIPHER=5FCTX *, int, u=5Fchar *, i=
 nt);
 - extern const EVP=5FCIPHER *evp=5Faes=5F128=5Fctr(void);
 -+extern const EVP=5FCIPHER *evp=5Faes=5Fctr=5Fmt(void);
 - extern void ssh=5Faes=5Fctr=5Fiv(EVP=5FCIPHER=5FCTX *, int, u=5Fchar =
 *, u=5Fint);
 -=20
 - struct Cipher {
 -@@ -82,9 +83,9 @@ struct Cipher {
 - =09{ "aes256-cbc",=09=09SSH=5FCIPHER=5FSSH2, 16, 32, 0, 1, EVP=5Faes=5F=
 256=5Fcbc },
 - =09{ "rijndael-cbc at lysator.liu.se",
 - =09=09=09=09SSH=5FCIPHER=5FSSH2, 16, 32, 0, 1, EVP=5Faes=5F256=5Fcbc =
 },
 --=09{ "aes128-ctr",=09=09SSH=5FCIPHER=5FSSH2, 16, 16, 0, 0, evp=5Faes=5F=
 128=5Fctr },
 --=09{ "aes192-ctr",=09=09SSH=5FCIPHER=5FSSH2, 16, 24, 0, 0, evp=5Faes=5F=
 128=5Fctr },
 --=09{ "aes256-ctr",=09=09SSH=5FCIPHER=5FSSH2, 16, 32, 0, 0, evp=5Faes=5F=
 128=5Fctr },
 -+=09{ "aes128-ctr",=09=09SSH=5FCIPHER=5FSSH2, 16, 16, 0, 0, evp=5Faes=5F=
 ctr=5Fmt },
 -+=09{ "aes192-ctr",=09=09SSH=5FCIPHER=5FSSH2, 16, 24, 0, 0, evp=5Faes=5F=
 ctr=5Fmt },
 -+=09{ "aes256-ctr",=09=09SSH=5FCIPHER=5FSSH2, 16, 32, 0, 0, evp=5Faes=5F=
 ctr=5Fmt },
 - #ifdef USE=5FCIPHER=5FACSS
 - =09{ "acss at openssh.org",=09SSH=5FCIPHER=5FSSH2, 16, 5, 0, 0, EVP=5Fac=
 ss },
 - #endif
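Review bot: pointing aes128-ctr, aes192-ctr and aes256-ctr at evp_aes_ctr_mt removes evp_aes_128_ctr from the cipher table entirely, so there is no fallback if the threaded implementation misbehaves and every CTR context, including sshd's, now starts pthreads; keep the stock entries selectable under a build-time option (or register the threaded variants under their own names) so the port can fall back to the single-threaded cipher. cipher-ctr-mt.c includes <pthread.h>, so the port also has to make sure -lpthread reaches the link line.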
 -@@ -163,7 +164,8 @@ ciphers=5Fvalid(const char *names)
 - =09for ((p =3D strsep(&cp, CIPHER=5FSEP)); p && *p !=3D '\0';
 - =09    (p =3D strsep(&cp, CIPHER=5FSEP))) {
 - =09=09c =3D cipher=5Fby=5Fname(p);
 --=09=09if (c =3D=3D NULL || c->number !=3D SSH=5FCIPHER=5FSSH2) {
 -+=09=09if (c =3D=3D NULL || (c->number !=3D SSH=5FCIPHER=5FSSH2 &&=20
 -+c->number !=3D SSH=5FCIPHER=5FNONE)) {
 - =09=09=09debug("bad cipher %s [%s]", p, names);
 - =09=09=09xfree(cipher=5Flist);
 - =09=09=09return 0;
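Review bot: accepting SSH_CIPHER_NONE in ciphers_valid() makes `none` a valid entry in a Ciphers list in ssh_config and sshd_config, independent of the NoneEnabled switch the README describes; make sure the negotiation path refuses `none` unless NoneEnabled is set on both sides (the kex.c hunk at the end of this patch only looks at authentication state), otherwise an administrator's Ciphers line can turn off encryption for the whole session without the warning the README promises. The continuation line `c->number != SSH_CIPHER_NONE)) {` is also unindented and the line before it has trailing whitespace.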
 -@@ -337,6 +339,7 @@ cipher=5Fget=5Fkeyiv(CipherContext *cc, u=5Fch
 - =09int evplen;
 -=20
 - =09switch (c->number) {
 -+=09case SSH=5FCIPHER=5FNONE:
 - =09case SSH=5FCIPHER=5FSSH2:
 - =09case SSH=5FCIPHER=5FDES:
 - =09case SSH=5FCIPHER=5FBLOWFISH:
 -@@ -371,6 +374,7 @@ cipher=5Fset=5Fkeyiv(CipherContext *cc, u=5Fch
 - =09int evplen =3D 0;
 -=20
 - =09switch (c->number) {
 -+=09case SSH=5FCIPHER=5FNONE:
 - =09case SSH=5FCIPHER=5FSSH2:
 - =09case SSH=5FCIPHER=5FDES:
 - =09case SSH=5FCIPHER=5FBLOWFISH:
 -diff -NupwB cipher-ctr-mt.c cipher-ctr-mt.c
 ---- cipher-ctr-mt.c=091969-12-31 19:00:00.000000000 -0500
 -+++ cipher-ctr-mt.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -0,0 +1,473 @@
 -+/*
 -+ * OpenSSH Multi-threaded AES-CTR Cipher
 -+ *
 -+ * Author: Benjamin Bennett <ben at psc.edu>
 -+ * Copyright (c) 2008 Pittsburgh Supercomputing Center. All rights re=
 served.
 -+ *
 -+ * Based on original OpenSSH AES-CTR cipher. Small portions remain un=
 changed,
 -+ * Copyright (c) 2003 Markus Friedl <markus at openbsd.org>
 -+ *
 -+ * Permission to use, copy, modify, and distribute this software for =
 any
 -+ * purpose with or without fee is hereby granted, provided that the a=
 bove
 -+ * copyright notice and this permission notice appear in all copies.
 -+ *
 -+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARR=
 ANTIES
 -+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 -+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABL=
 E FOR
 -+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAM=
 AGES
 -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN=
  AN
 -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING O=
 UT OF
 -+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 -+ */
 -+#include "includes.h"
 -+
 -+#include <sys/types.h>
 -+
 -+#include <stdarg.h>
 -+#include <string.h>
 -+
 -+#include <openssl/evp.h>
 -+
 -+#include "xmalloc.h"
 -+#include "log.h"
 -+
 -+/* compatibility with old or broken OpenSSL versions */
 -+#include "openbsd-compat/openssl-compat.h"
 -+
 -+#ifndef USE=5FBUILTIN=5FRIJNDAEL
 -+#include <openssl/aes.h>
 -+#endif
 -+
 -+#include <pthread.h>
 -+
 -+/*-------------------- TUNABLES --------------------*/
 -+/* Number of pregen threads to use */
 -+#define CIPHER=5FTHREADS=092
 -+
 -+/* Number of keystream queues */
 -+#define NUMKQ=09=09(CIPHER=5FTHREADS + 2)
 -+
 -+/* Length of a keystream queue */
 -+#define KQLEN=09=094096
 -+
 -+/* Processor cacheline length */
 -+#define CACHELINE=5FLEN=0964
 -+
 -+/* Collect thread stats and print at cancellation when in debug mode =
 */
 -+/* #define CIPHER=5FTHREAD=5FSTATS */
 -+
 -+/* Use single-byte XOR instead of 8-byte XOR */
 -+/* #define CIPHER=5FBYTE=5FXOR */
 -+/*-------------------- END TUNABLES --------------------*/
 -+
 -+
 -+const EVP=5FCIPHER *evp=5Faes=5Fctr=5Fmt(void);
 -+
 -+#ifdef CIPHER=5FTHREAD=5FSTATS
 -+/*
 -+ * Struct to collect thread stats
 -+ */
 -+struct thread=5Fstats {
 -+=09u=5Fint=09fills;
 -+=09u=5Fint=09skips;
 -+=09u=5Fint=09waits;
 -+=09u=5Fint=09drains;
 -+};
 -+
 -+/*
 -+ * Debug print the thread stats
 -+ * Use with pthread=5Fcleanup=5Fpush for displaying at thread cancell=
 ation
 -+ */
 -+static void
 -+thread=5Floop=5Fstats(void *x)
 -+{
 -+=09struct thread=5Fstats *s =3D x;
 -+
 -+=09debug("tid %lu - %u fills, %u skips, %u waits", pthread=5Fself(),
 -+=09=09=09s->fills, s->skips, s->waits);
 -+}
 -+
 -+ #define STATS=5FSTRUCT(s)=09struct thread=5Fstats s
 -+ #define STATS=5FINIT(s)=09=09{ memset(&s, 0, sizeof(s)); }
 -+ #define STATS=5FFILL(s)=09=09{ s.fills++; }
 -+ #define STATS=5FSKIP(s)=09=09{ s.skips++; }
 -+ #define STATS=5FWAIT(s)=09=09{ s.waits++; }
 -+ #define STATS=5FDRAIN(s)=09=09{ s.drains++; }
 -+#else
 -+ #define STATS=5FSTRUCT(s)
 -+ #define STATS=5FINIT(s)
 -+ #define STATS=5FFILL(s)
 -+ #define STATS=5FSKIP(s)
 -+ #define STATS=5FWAIT(s)
 -+ #define STATS=5FDRAIN(s)
 -+#endif
 -+
 -+/* Keystream Queue state */
 -+enum {
 -+=09KQINIT,
 -+=09KQEMPTY,
 -+=09KQFILLING,
 -+=09KQFULL,
 -+=09KQDRAINING
 -+};
 -+
 -+/* Keystream Queue struct */
 -+struct kq {
 -+=09u=5Fchar=09=09keys[KQLEN][AES=5FBLOCK=5FSIZE];
 -+=09u=5Fchar=09=09ctr[AES=5FBLOCK=5FSIZE];
 -+=09u=5Fchar=09=09pad0[CACHELINE=5FLEN];
 -+=09volatile int=09qstate;
 -+=09pthread=5Fmutex=5Ft=09lock;
 -+=09pthread=5Fcond=5Ft=09cond;
 -+=09u=5Fchar=09=09pad1[CACHELINE=5FLEN];
 -+};
 -+
 -+/* Context struct */
 -+struct ssh=5Faes=5Fctr=5Fctx
 -+{
 -+=09struct kq=09q[NUMKQ];
 -+=09AES=5FKEY=09=09aes=5Fctx;
 -+=09STATS=5FSTRUCT(stats);
 -+=09u=5Fchar=09=09aes=5Fcounter[AES=5FBLOCK=5FSIZE];
 -+=09pthread=5Ft=09tid[CIPHER=5FTHREADS];
 -+=09int=09=09state;
 -+=09int=09=09qidx;
 -+=09int=09=09ridx;
 -+};
 -+
 -+/* <friedl>
 -+ * increment counter 'ctr',
 -+ * the counter is of size 'len' bytes and stored in network-byte-orde=
 r.
 -+ * (LSB at ctr[len-1], MSB at ctr[0])
 -+ */
 -+static void
 -+ssh=5Fctr=5Finc(u=5Fchar *ctr, u=5Fint len)
 -+{
 -+=09int i;
 -+
 -+=09for (i =3D len - 1; i >=3D 0; i--)
 -+=09=09if (++ctr[i])=09/* continue on overflow */
 -+=09=09=09return;
 -+}
 -+
 -+/*
 -+ * Add num to counter 'ctr'
 -+ */
 -+static void
 -+ssh=5Fctr=5Fadd(u=5Fchar *ctr, uint32=5Ft num, u=5Fint len)
 -+{
 -+=09int i;
 -+=09uint16=5Ft n;
 -+
 -+=09for (n =3D 0, i =3D len - 1; i >=3D 0 && (num || n); i--) {
 -+=09=09n =3D ctr[i] + (num & 0xff) + n;
 -+=09=09num >>=3D 8;
 -+=09=09ctr[i] =3D n & 0xff;
 -+=09=09n >>=3D 8;
 -+=09}
 -+}
 -+
 -+/*
 -+ * Threads may be cancelled in a pthread=5Fcond=5Fwait, we must free =
 the mutex
 -+ */
 -+static void
 -+thread=5Floop=5Fcleanup(void *x)
 -+{
 -+=09pthread=5Fmutex=5Funlock((pthread=5Fmutex=5Ft *)x);
 -+}
 -+
 -+/*
 -+ * The life of a pregen thread:
 -+ *    Find empty keystream queues and fill them using their counter.
 -+ *    When done, update counter for the next fill.
 -+ */
 -+static void *
 -+thread=5Floop(void *x)
 -+{
 -+=09AES=5FKEY key;
 -+=09STATS=5FSTRUCT(stats);
 -+=09struct ssh=5Faes=5Fctr=5Fctx *c =3D x;
 -+=09struct kq *q;
 -+=09int i;
 -+=09int qidx;
 -+
 -+=09/* Threads stats on cancellation */
 -+=09STATS=5FINIT(stats);
 -+#ifdef CIPHER=5FTHREAD=5FSTATS
 -+=09pthread=5Fcleanup=5Fpush(thread=5Floop=5Fstats, &stats);
 -+#endif
 -+
 -+=09/* Thread local copy of AES key */
 -+=09memcpy(&key, &c->aes=5Fctx, sizeof(key));
 -+
 -+=09/*
 -+=09 * Handle the special case of startup, one thread must fill
 -+ =09 * the first KQ then mark it as draining. Lock held throughout.
 -+ =09 */
 -+=09if (pthread=5Fequal(pthread=5Fself(), c->tid[0])) {
 -+=09=09q =3D &c->q[0];
 -+=09=09pthread=5Fmutex=5Flock(&q->lock);
 -+=09=09if (q->qstate =3D=3D KQINIT) {
 -+=09=09=09for (i =3D 0; i < KQLEN; i++) {
 -+=09=09=09=09AES=5Fencrypt(q->ctr, q->keys[i], &key);
 -+=09=09=09=09ssh=5Fctr=5Finc(q->ctr, AES=5FBLOCK=5FSIZE);
 -+=09=09=09}
 -+=09=09=09ssh=5Fctr=5Fadd(q->ctr, KQLEN * (NUMKQ - 1), AES=5FBLOCK=5FS=
 IZE);
 -+=09=09=09q->qstate =3D KQDRAINING;
 -+=09=09=09STATS=5FFILL(stats);
 -+=09=09=09pthread=5Fcond=5Fbroadcast(&q->cond);
 -+=09=09}
 -+=09=09pthread=5Fmutex=5Funlock(&q->lock);
 -+=09}
 -+=09else=20
 -+=09=09STATS=5FSKIP(stats);
 -+
 -+=09/*
 -+ =09 * Normal case is to find empty queues and fill them, skipping ov=
 er
 -+ =09 * queues already filled by other threads and stopping to wait fo=
 r
 -+ =09 * a draining queue to become empty.
 -+ =09 *
 -+ =09 * Multiple threads may be waiting on a draining queue and awoken=
 
 -+ =09 * when empty.  The first thread to wake will mark it as filling,=
 
 -+ =09 * others will move on to fill, skip, or wait on the next queue.
 -+ =09 */
 -+=09for (qidx =3D 1;; qidx =3D (qidx + 1) % NUMKQ) {
 -+=09=09/* Check if I was cancelled, also checked in cond=5Fwait */
 -+=09=09pthread=5Ftestcancel();
 -+
 -+=09=09/* Lock queue and block if its draining */
 -+=09=09q =3D &c->q[qidx];
 -+=09=09pthread=5Fmutex=5Flock(&q->lock);
 -+=09=09pthread=5Fcleanup=5Fpush(thread=5Floop=5Fcleanup, &q->lock);
 -+=09=09while (q->qstate =3D=3D KQDRAINING || q->qstate =3D=3D KQINIT) =
 {
 -+=09=09=09STATS=5FWAIT(stats);
 -+=09=09=09pthread=5Fcond=5Fwait(&q->cond, &q->lock);
 -+=09=09}
 -+=09=09pthread=5Fcleanup=5Fpop(0);
 -+
 -+=09=09/* If filling or full, somebody else got it, skip */
 -+=09=09if (q->qstate !=3D KQEMPTY) {
 -+=09=09=09pthread=5Fmutex=5Funlock(&q->lock);
 -+=09=09=09STATS=5FSKIP(stats);
 -+=09=09=09continue;
 -+=09=09}
 -+
 -+=09=09/*
 -+ =09=09 * Empty, let's fill it.
 -+ =09=09 * Queue lock is relinquished while we do this so others
 -+ =09=09 * can see that it's being filled.
 -+ =09=09 */
 -+=09=09q->qstate =3D KQFILLING;
 -+=09=09pthread=5Fmutex=5Funlock(&q->lock);
 -+=09=09for (i =3D 0; i < KQLEN; i++) {
 -+=09=09=09AES=5Fencrypt(q->ctr, q->keys[i], &key);
 -+=09=09=09ssh=5Fctr=5Finc(q->ctr, AES=5FBLOCK=5FSIZE);
 -+=09=09}
 -+
 -+=09=09/* Re-lock, mark full and signal consumer */
 -+=09=09pthread=5Fmutex=5Flock(&q->lock);
 -+=09=09ssh=5Fctr=5Fadd(q->ctr, KQLEN * (NUMKQ - 1), AES=5FBLOCK=5FSIZE=
 );
 -+=09=09q->qstate =3D KQFULL;
 -+=09=09STATS=5FFILL(stats);
 -+=09=09pthread=5Fcond=5Fsignal(&q->cond);
 -+=09=09pthread=5Fmutex=5Funlock(&q->lock);
 -+=09}
 -+
 -+#ifdef CIPHER=5FTHREAD=5FSTATS
 -+=09/* Stats */
 -+=09pthread=5Fcleanup=5Fpop(1);
 -+#endif
 -+
 -+=09return NULL;
 -+}
 -+
 -+static int
 -+ssh=5Faes=5Fctr(EVP=5FCIPHER=5FCTX *ctx, u=5Fchar *dest, const u=5Fch=
 ar *src,
 -+    u=5Fint len)
 -+{
 -+=09struct ssh=5Faes=5Fctr=5Fctx *c;
 -+=09struct kq *q, *oldq;
 -+=09int ridx;
 -+=09u=5Fchar *buf;
 -+
 -+=09if (len =3D=3D 0)
 -+=09=09return (1);
 -+=09if ((c =3D EVP=5FCIPHER=5FCTX=5Fget=5Fapp=5Fdata(ctx)) =3D=3D NULL=
 )
 -+=09=09return (0);
 -+
 -+=09q =3D &c->q[c->qidx];
 -+=09ridx =3D c->ridx;
 -+
 -+=09/* src already padded to block multiple */
 -+=09while (len > 0) {
 -+=09=09buf =3D q->keys[ridx];
 -+
 -+#ifdef CIPHER=5FBYTE=5FXOR
 -+=09=09dest[0] =3D src[0] ^ buf[0];
 -+=09=09dest[1] =3D src[1] ^ buf[1];
 -+=09=09dest[2] =3D src[2] ^ buf[2];
 -+=09=09dest[3] =3D src[3] ^ buf[3];
 -+=09=09dest[4] =3D src[4] ^ buf[4];
 -+=09=09dest[5] =3D src[5] ^ buf[5];
 -+=09=09dest[6] =3D src[6] ^ buf[6];
 -+=09=09dest[7] =3D src[7] ^ buf[7];
 -+=09=09dest[8] =3D src[8] ^ buf[8];
 -+=09=09dest[9] =3D src[9] ^ buf[9];
 -+=09=09dest[10] =3D src[10] ^ buf[10];
 -+=09=09dest[11] =3D src[11] ^ buf[11];
 -+=09=09dest[12] =3D src[12] ^ buf[12];
 -+=09=09dest[13] =3D src[13] ^ buf[13];
 -+=09=09dest[14] =3D src[14] ^ buf[14];
 -+=09=09dest[15] =3D src[15] ^ buf[15];
 -+#else
 -+=09=09*(uint64=5Ft *)dest =3D *(uint64=5Ft *)src ^ *(uint64=5Ft *)buf=
 ;
 -+=09=09*(uint64=5Ft *)(dest + 8) =3D *(uint64=5Ft *)(src + 8) ^
 -+=09=09=09=09=09=09*(uint64=5Ft *)(buf + 8);
 -+#endif
 -+
 -+=09=09dest +=3D 16;
 -+=09=09src +=3D 16;
 -+=09=09len -=3D 16;
 -+=09=09ssh=5Fctr=5Finc(ctx->iv, AES=5FBLOCK=5FSIZE);
 -+
 -+=09=09/* Increment read index, switch queues on rollover */
 -+=09=09if ((ridx =3D (ridx + 1) % KQLEN) =3D=3D 0) {
 -+=09=09=09oldq =3D q;
 -+
 -+=09=09=09/* Mark next queue draining, may need to wait */
 -+=09=09=09c->qidx =3D (c->qidx + 1) % NUMKQ;
 -+=09=09=09q =3D &c->q[c->qidx];
 -+=09=09=09pthread=5Fmutex=5Flock(&q->lock);
 -+=09=09=09while (q->qstate !=3D KQFULL) {
 -+=09=09=09=09STATS=5FWAIT(c->stats);
 -+=09=09=09=09pthread=5Fcond=5Fwait(&q->cond, &q->lock);
 -+=09=09=09}
 -+=09=09=09q->qstate =3D KQDRAINING;
 -+=09=09=09pthread=5Fmutex=5Funlock(&q->lock);
 -+
 -+=09=09=09/* Mark consumed queue empty and signal producers */
 -+=09=09=09pthread=5Fmutex=5Flock(&oldq->lock);
 -+=09=09=09oldq->qstate =3D KQEMPTY;
 -+=09=09=09STATS=5FDRAIN(c->stats);
 -+=09=09=09pthread=5Fcond=5Fbroadcast(&oldq->cond);
 -+=09=09=09pthread=5Fmutex=5Funlock(&oldq->lock);
 -+=09=09}
 -+=09}
 -+=09c->ridx =3D ridx;
 -+=09return (1);
 -+}
 -+
 -+#define HAVE=5FNONE       0
 -+#define HAVE=5FKEY        1
 -+#define HAVE=5FIV         2
 -+static int
 -+ssh=5Faes=5Fctr=5Finit(EVP=5FCIPHER=5FCTX *ctx, const u=5Fchar *key, =
 const u=5Fchar *iv,
 -+    int enc)
 -+{
 -+=09struct ssh=5Faes=5Fctr=5Fctx *c;
 -+=09int i;
 -+
 -+=09if ((c =3D EVP=5FCIPHER=5FCTX=5Fget=5Fapp=5Fdata(ctx)) =3D=3D NULL=
 ) {
 -+=09=09c =3D xmalloc(sizeof(*c));
 -+
 -+=09=09c->state =3D HAVE=5FNONE;
 -+=09=09for (i =3D 0; i < NUMKQ; i++) {
 -+=09=09=09pthread=5Fmutex=5Finit(&c->q[i].lock, NULL);
 -+=09=09=09pthread=5Fcond=5Finit(&c->q[i].cond, NULL);
 -+=09=09}
 -+
 -+=09=09STATS=5FINIT(c->stats);
 -+=09=09
 -+=09=09EVP=5FCIPHER=5FCTX=5Fset=5Fapp=5Fdata(ctx, c);
 -+=09}
 -+
 -+=09if (c->state =3D=3D (HAVE=5FKEY | HAVE=5FIV)) {
 -+=09=09/* Cancel pregen threads */
 -+=09=09for (i =3D 0; i < CIPHER=5FTHREADS; i++)
 -+=09=09=09pthread=5Fcancel(c->tid[i]);
 -+=09=09for (i =3D 0; i < CIPHER=5FTHREADS; i++)
 -+=09=09=09pthread=5Fjoin(c->tid[i], NULL);
 -+=09=09/* Start over getting key & iv */
 -+=09=09c->state =3D HAVE=5FNONE;
 -+=09}
 -+
 -+=09if (key !=3D NULL) {
 -+=09=09AES=5Fset=5Fencrypt=5Fkey(key, EVP=5FCIPHER=5FCTX=5Fkey=5Flengt=
 h(ctx) * 8,
 -+=09=09    &c->aes=5Fctx);
 -+=09=09c->state |=3D HAVE=5FKEY;
 -+=09}
 -+
 -+=09if (iv !=3D NULL) {
 -+=09=09memcpy(ctx->iv, iv, AES=5FBLOCK=5FSIZE);
 -+=09=09c->state |=3D HAVE=5FIV;
 -+=09}
 -+
 -+=09if (c->state =3D=3D (HAVE=5FKEY | HAVE=5FIV)) {
 -+=09=09/* Clear queues */
 -+=09=09memcpy(c->q[0].ctr, ctx->iv, AES=5FBLOCK=5FSIZE);
 -+=09=09c->q[0].qstate =3D KQINIT;
 -+=09=09for (i =3D 1; i < NUMKQ; i++) {
 -+=09=09=09memcpy(c->q[i].ctr, ctx->iv, AES=5FBLOCK=5FSIZE);
 -+=09=09=09ssh=5Fctr=5Fadd(c->q[i].ctr, i * KQLEN, AES=5FBLOCK=5FSIZE);=
 
 -+=09=09=09c->q[i].qstate =3D KQEMPTY;
 -+=09=09}
 -+=09=09c->qidx =3D 0;
 -+=09=09c->ridx =3D 0;
 -+
 -+=09=09/* Start threads */
 -+=09=09for (i =3D 0; i < CIPHER=5FTHREADS; i++) {
 -+=09=09=09pthread=5Fcreate(&c->tid[i], NULL, thread=5Floop, c);
 -+=09=09}
 -+=09=09pthread=5Fmutex=5Flock(&c->q[0].lock);
 -+=09=09while (c->q[0].qstate !=3D KQDRAINING)
 -+=09=09=09pthread=5Fcond=5Fwait(&c->q[0].cond, &c->q[0].lock);
 -+=09=09pthread=5Fmutex=5Funlock(&c->q[0].lock);
 -+=09=09
 -+=09}
 -+=09return (1);
 -+}
 -+
 -+static int
 -+ssh=5Faes=5Fctr=5Fcleanup(EVP=5FCIPHER=5FCTX *ctx)
 -+{
 -+=09struct ssh=5Faes=5Fctr=5Fctx *c;
 -+=09int i;
 -+
 -+=09if ((c =3D EVP=5FCIPHER=5FCTX=5Fget=5Fapp=5Fdata(ctx)) !=3D NULL) =
 {
 -+#ifdef CIPHER=5FTHREAD=5FSTATS
 -+=09=09debug("main thread: %u drains, %u waits", c->stats.drains,
 -+=09=09=09=09c->stats.waits);
 -+#endif
 -+=09=09/* Cancel pregen threads */
 -+=09=09for (i =3D 0; i < CIPHER=5FTHREADS; i++)
 -+=09=09=09pthread=5Fcancel(c->tid[i]);
 -+=09=09for (i =3D 0; i < CIPHER=5FTHREADS; i++)
 -+=09=09=09pthread=5Fjoin(c->tid[i], NULL);
 -+
 -+=09=09memset(c, 0, sizeof(*c));
 -+=09=09xfree(c);
 -+=09=09EVP=5FCIPHER=5FCTX=5Fset=5Fapp=5Fdata(ctx, NULL);
 -+=09}
 -+=09return (1);
 -+}
 -+
 -+/* <friedl> */
 -+const EVP=5FCIPHER *
 -+evp=5Faes=5Fctr=5Fmt(void)
 -+{
 -+=09static EVP=5FCIPHER aes=5Fctr;
 -+
 -+=09memset(&aes=5Fctr, 0, sizeof(EVP=5FCIPHER));
 -+=09aes=5Fctr.nid =3D NID=5Fundef;
 -+=09aes=5Fctr.block=5Fsize =3D AES=5FBLOCK=5FSIZE;
 -+=09aes=5Fctr.iv=5Flen =3D AES=5FBLOCK=5FSIZE;
 -+=09aes=5Fctr.key=5Flen =3D 16;
 -+=09aes=5Fctr.init =3D ssh=5Faes=5Fctr=5Finit;
 -+=09aes=5Fctr.cleanup =3D ssh=5Faes=5Fctr=5Fcleanup;
 -+=09aes=5Fctr.do=5Fcipher =3D ssh=5Faes=5Fctr;
 -+#ifndef SSH=5FOLD=5FEVP
 -+=09aes=5Fctr.flags =3D EVP=5FCIPH=5FCBC=5FMODE | EVP=5FCIPH=5FVARIABL=
 E=5FLENGTH |
 -+=09    EVP=5FCIPH=5FALWAYS=5FCALL=5FINIT | EVP=5FCIPH=5FCUSTOM=5FIV;
 -+#endif
 -+=09return (&aes=5Fctr);
 -+}
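Review bot: the wide XOR in ssh_aes_ctr() (`*(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;`) dereferences u_char pointers into packet buffers as uint64_t with no alignment guarantee, which faults on strict-alignment targets this port builds for (sparc64, some arm) and breaks strict aliasing everywhere; copy through local uint64_t temporaries with memcpy, or make the CIPHER_BYTE_XOR path the default and enable the wide path only on known-safe architectures. Two smaller points in the same file: ssh_aes_ctr_cleanup() cancels and joins the threads and zeroes the context, but never calls pthread_mutex_destroy()/pthread_cond_destroy() on the NUMKQ queues initialised in ssh_aes_ctr_init(), and the thread-local `AES_KEY key` copy in thread_loop() is never cleared, so key schedule material outlives the context on the cancelled threads' stacks. Under CIPHER_THREAD_STATS the `%lu` format for pthread_self() does not match pthread_t on FreeBSD, where it is a pointer.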
 -diff -NupwB clientloop.c clientloop.c
 ---- clientloop.c=092009-02-14 00:28:21.000000000 -0500
 -+++ clientloop.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -1688,9 +1688,15 @@ client=5Frequest=5Fx11(const char *request=5Ft
 - =09sock =3D x11=5Fconnect=5Fdisplay();
 - =09if (sock < 0)
 - =09=09return NULL;
 -+=09/* again is this really necessary for X11=3F */
 -+=09if (options.hpn=5Fdisabled)=20
 - =09c =3D channel=5Fnew("x11",
 - =09    SSH=5FCHANNEL=5FX11=5FOPEN, sock, sock, -1,
 - =09    CHAN=5FTCP=5FWINDOW=5FDEFAULT, CHAN=5FX11=5FPACKET=5FDEFAULT, =
 0, "x11", 1);
 -+=09else=20
 -+=09=09c =3D channel=5Fnew("x11",
 -+=09=09    SSH=5FCHANNEL=5FX11=5FOPEN, sock, sock, -1,
 -+=09=09    options.hpn=5Fbuffer=5Fsize, CHAN=5FX11=5FPACKET=5FDEFAULT,=
  0, "x11", 1);
 - =09c->force=5Fdrain =3D 1;
 - =09return c;
 - }
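Review bot: the same unresolved question as in channels.c, `/* again is this really necessary for X11? */`, is left in client_request_x11(); settle it rather than ship the question. The `if (options.hpn_disabled)` again leaves the original channel_new() call unindented with the tab-indented `else` call below it, which reads as if only the first line were conditional; brace both branches or compute the window size once.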
 -@@ -1710,9 +1716,15 @@ client=5Frequest=5Fagent(const char *request
 - =09sock =3D ssh=5Fget=5Fauthentication=5Fsocket();
 - =09if (sock < 0)
 - =09=09return NULL;
 -+=09if (options.hpn=5Fdisabled)=20
 - =09c =3D channel=5Fnew("authentication agent connection",
 - =09    SSH=5FCHANNEL=5FOPEN, sock, sock, -1,
 --=09    CHAN=5FX11=5FWINDOW=5FDEFAULT, CHAN=5FTCP=5FPACKET=5FDEFAULT, =
 0,
 -+=09=09    CHAN=5FX11=5FWINDOW=5FDEFAULT, CHAN=5FTCP=5FWINDOW=5FDEFAUL=
 T, 0,
 -+=09=09    "authentication agent connection", 1);
 -+       else
 -+=09c =3D channel=5Fnew("authentication agent connection",
 -+=09    SSH=5FCHANNEL=5FOPEN, sock, sock, -1,
 -+                   options.hpn=5Fbuffer=5Fsize, options.hpn=5Fbuffer=5F=
 size, 0,
 - =09    "authentication agent connection", 1);
 - =09c->force=5Fdrain =3D 1;
 - =09return c;
 -@@ -1740,10 +1752,18 @@ client=5Frequest=5Ftun=5Ffwd(int tun=5Fmode, i=
 nt
 - =09=09return -1;
 - =09}
 -=20
 -+=09if(options.hpn=5Fdisabled)
 -+=09c =3D channel=5Fnew("tun", SSH=5FCHANNEL=5FOPENING, fd, fd, -1,
 -+=09=09=09=09CHAN=5FTCP=5FWINDOW=5FDEFAULT, CHAN=5FTCP=5FPACKET=5FDEFA=
 ULT,
 -+=09=09=09=090, "tun", 1);
 -+=09else
 - =09c =3D channel=5Fnew("tun", SSH=5FCHANNEL=5FOPENING, fd, fd, -1,
 --=09    CHAN=5FTCP=5FWINDOW=5FDEFAULT, CHAN=5FTCP=5FPACKET=5FDEFAULT, =
 0, "tun", 1);
 -+=09=09=09=09options.hpn=5Fbuffer=5Fsize, CHAN=5FTCP=5FPACKET=5FDEFAUL=
 T,
 -+=09=09=09=090, "tun", 1);
 - =09c->datagram =3D 1;
 -=20
 -+
 -+
 - #if defined(SSH=5FTUN=5FFILTER)
 - =09if (options.tun=5Fopen =3D=3D SSH=5FTUNMODE=5FPOINTOPOINT)
 - =09=09channel=5Fregister=5Ffilter(c->self, sys=5Ftun=5Finfilter,
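Review bot: the two blank lines added after `c->datagram = 1;` in client_request_tun_fwd() are leftover whitespace and should go, and `if(options.hpn_disabled)` is missing the space after `if` used everywhere else in the file; otherwise this is the same duplicated if/else as the other channel types and would collapse to one channel_new() call with a computed window size.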
 -diff -NupwB compat.c compat.c
 ---- compat.c=092008-11-03 03:20:14.000000000 -0500
 -+++ compat.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -170,6 +170,15 @@ compat=5Fdatafellows(const char *version)
 - =09=09    strlen(check[i].pat), 0) =3D=3D 1) {
 - =09=09=09debug("match: %s pat %s", version, check[i].pat);
 - =09=09=09datafellows =3D check[i].bugs;
 -+=09=09=09/* Check to see if the remote side is OpenSSH and not HPN */=
 
 -+=09=09=09if(strstr(version,"OpenSSH") !=3D NULL)
 -+=09=09=09{
 -+=09=09=09=09if (strstr(version,"hpn") =3D=3D NULL)
 -+=09=09=09=09{
 -+=09=09=09=09=09datafellows |=3D SSH=5FBUG=5FLARGEWINDOW;
 -+=09=09=09=09=09debug("Remote is NON-HPN aware");
 -+=09=09=09=09}
 -+=09=09=09}
 - =09=09=09return;
 - =09=09}
 - =09}
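Review bot: the SSH_BUG_LARGEWINDOW check only sets the flag when the version string contains "OpenSSH" but not "hpn", and it sits inside the `if (match...)` branch that already returns, so any non-OpenSSH peer, and any version string that matches no entry in the compat table, is treated as HPN-capable and offered the large window; invert the logic so the flag is set by default and cleared only when the peer positively advertises hpn, and make the substring test case-insensitive (or match the exact suffix HPN builds put in their version string). The braces-on-their-own-line layout and the missing space in `if(strstr(` also differ from the surrounding style.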
 -diff -NupwB compat.h compat.h
 ---- compat.h=092008-11-03 03:20:14.000000000 -0500
 -+++ compat.h=092009-05-14 12:36:10.000000000 -0400
 -@@ -58,6 +58,7 @@
 - #define SSH=5FOLD=5FFORWARD=5FADDR=090x01000000
 - #define SSH=5FBUG=5FRFWD=5FADDR=090x02000000
 - #define SSH=5FNEW=5FOPENSSH=09=090x04000000
 -+#define SSH=5FBUG=5FLARGEWINDOW     0x08000000
 -=20
 - void     enable=5Fcompat13(void);
 - void     enable=5Fcompat20(void);
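Review bot: `SSH_BUG_LARGEWINDOW 0x08000000` is aligned with spaces where the neighbouring defines use tabs. The `Common subdirectories: contrib and contrib` line following this file is diff(1) chatter rather than patch content; patch(1) skips it, but it should not be kept in a patch stored in the tree.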
 -Common subdirectories: contrib and contrib
 -diff -NupwB HPN-README HPN-README
 ---- HPN-README=091969-12-31 19:00:00.000000000 -0500
 -+++ HPN-README=092009-05-14 12:36:10.000000000 -0400
 -@@ -0,0 +1,128 @@
 -+Notes:
 -+
 -+MULTI-THREADED CIPHER:
 -+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This=
  will allow ssh installations
 -+on hosts with multiple cores to use more than one processing core dur=
 ing encryption.=20
 -+Tests have show significant throughput performance increases when usi=
 ng MTR-AES-CTR up=20
 -+to and including a full gigabit per second on quad core systems. It s=
 hould be possible to=20
 -+achieve full line rate on dual core systems but OS and data managemen=
 t overhead makes this
 -+more difficult to achieve. The cipher stream from MTR-AES-CTR is enti=
 rely compatible with single=20
 -+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backwa=
 rd compatible. Optimal=20
 -+performance requires the MTR-AES-CTR mode be enabled on both ends of =
 the connection.=20
 -+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same w=
 ay with the same
 -+nomenclature.=20
 -+Use examples: =09ssh -caes128-ctr you at host.com
 -+=09=09scp -oCipher=3Daes256-ctr file you at host.com:~/file
 -+
 -+NONE CIPHER:
 -+To use the NONE option you must have the NoneEnabled switch set on th=
 e server and
 -+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the c=
 lient. The NONE
 -+feature works with ALL ssh subsystems (as far as we can tell) *AS LON=
 G AS* a tty is not=20
 -+spawned. If a user uses the -T switch to prevent a tty being created =
 the NONE cipher will
 -+be disabled.=20
 -+
 -+The performance increase will only be as good as the network and TCP =
 stack tuning
 -+on the reciever side of the connection allows. As a rule of thumb a u=
 ser will need=20
 -+at least 10Mb/s connection with a 100ms RTT to see a doubling of perf=
 ormance. The
 -+HPN-SSH home page describes this in greater detail.=20
 -+
 -+http://www.psc.edu/networking/projects/hpn-ssh
 -+
 -+BUFFER SIZES:
 -+
 -+If HPN is disabled the receive buffer size will be set to the=20
 -+OpenSSH default of 64K.
 -+
 -+If an HPN system connects to a nonHPN system the receive buffer will
 -+be set to the HPNBufferSize value. The default is 2MB but user adjust=
 able.
 -+
 -+If an HPN to HPN connection is established a number of different thin=
 gs might
 -+happen based on the user options and conditions.=20
 -+
 -+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf N=
 OT Set=20
 -+HPN Buffer Size =3D up to 64MB=20
 -+This is the default state. The HPN buffer size will grow to a maximum=
  of 64MB=20
 -+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB =
 is=20
 -+geared towards 10GigE transcontinental connections.=20
 -+
 -+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf =
 NOT Set
 -+HPN Buffer Size =3D TCP receive buffer value.=20
 -+Users on non-autotuning systesm should disable TCPRcvBufPoll in the=20=
 
 -+ssh=5Fcofig and sshd=5Fconfig
 -+
 -+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT =
 Set
 -+HPN Buffer Size =3D minmum of TCP receive buffer and HPNBufferSize.=20=
 
 -+This would be the system defined TCP receive buffer (RWIN).
 -+
 -+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
 -+HPN Buffer Size =3D minmum of TCPRcvBuf and HPNBufferSize.=20
 -+Generally there is no need to set both.
 -+
 -+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT S=
 et
 -+HPN Buffer Size =3D grows to HPNBufferSize
 -+The buffer will grow up to the maximum size specified here.=20
 -+
 -+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
 -+HPN Buffer Size =3D minmum of TCPRcvBuf and HPNBufferSize.=20
 -+Generally there is no need to set both of these, especially on autotu=
 ning=20
 -+systems. However, if the users wishes to override the autotuning this=
  would be=20
 -+one way to do it.
 -+
 -+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf S=
 ET
 -+HPN Buffer Size =3D TCPRcvBuf.=20
 -+This will override autotuning and set the TCP recieve buffer to the u=
 ser defined=20
 -+value.
 -+
 -+
 -+HPN Specific Configuration options
 -+
 -+TcpRcvBuf=3D[int]KB client
 -+      set the TCP socket receive buffer to n Kilobytes. It can be set=
  up to the=20
 -+maximum socket size allowed by the system. This is useful in situatio=
 ns where=20
 -+the tcp receive window is set low but the maximum buffer size is set=20=
 
 -+higher (as is typical). This works on a per TCP connection basis. You=
  can also=20
 -+use this to artifically limit the transfer rate of the connection. In=
  these=20
 -+cases the throughput will be no more than n/RTT. The minimum buffer s=
 ize is 1KB.=20
 -+Default is the current system wide tcp receive buffer size.
 -+
 -+TcpRcvBufPoll=3D[yes/no] client/server
 -+      enable of disable the polling of the tcp receive buffer through=
  the life=20
 -+of the connection. You would want to make sure that this option is en=
 abled=20
 -+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS =
 Vista)=20
 -+default is yes.
 -+
 -+NoneEnabled=3D[yes/no] client/server
 -+      enable or disable the use of the None cipher. Care must always =
 be used=20
 -+when enabling this as it will allow users to send data in the clear. =
 However,=20
 -+it is important to note that authentication information remains encry=
 pted=20
 -+even if this option is enabled. Set to no by default.
 -+
 -+NoneSwitch=3D[yes/no] client
 -+     Switch the encryption cipher being used to the None cipher after=
 
 -+authentication takes place. NoneEnabled must be enabled on both the c=
 lient
 -+and server side of the connection. When the connection switches to th=
 e NONE
 -+cipher a warning is sent to STDERR. The connection attempt will fail =
 with an
 -+error if a client requests a NoneSwitch from the server that does not=
  explicitly
 -+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
 -+interactive (shell) sessions and it will fail silently. Set to no by =
 default.
 -+
 -+HPNDisabled=3D[yes/no] client/server
 -+     In some situations, such as transfers on a local area network, t=
 he impact=20
 -+of the HPN code produces a net decrease in performance. In these case=
 s it is=20
 -+helpful to disable the HPN functionality. By default HPNDisabled is s=
 et to no.=20
 -+
 -+HPNBufferSize=3D[int]KB client/server
 -+     This is the default buffer size the HPN functionality uses when =
 interacting
 -+with nonHPN SSH installations. Conceptually this is similar to the Tc=
 pRcvBuf
 -+option as applied to the internal SSH flow control. This value can ra=
 nge from=20
 -+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cau=
 se performance
 -+problems depending on the length of the network path. The default siz=
 e of this buffer
 -+is 2MB.
 -+
 -+
 -+Credits: This patch was conceived, designed, and led by Chris Rapier =
 (rapier at psc.edu)
 -+         The majority of the actual coding for versions up to HPN12v1=
  was performed
 -+         by Michael Stevens (mstevens at andrew.cmu.edu). The MT-AES-CTR=
  cipher was=20
 -+=09 implemented by Ben Bennet (ben at psc.edu). This work was financed, =
 in part,
 -+         by Cisco System, Inc., the National Library of Medicine,=20
 -+=09 and the National Science Foundation.=20
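Review bot: the README text removed here is the only place the port documented two caveats of the None cipher: that NoneSwitch fails silently for interactive (shell) sessions, and that only post-authentication session data goes in the clear while authentication itself stays encrypted. If the port now fetches the upstream HPN patch instead of carrying this copy, those two sentences should be carried into the port's option description or pkg-message so a user who turns on the HPN option still sees them.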
 -diff -NupwB kex.c kex.c
 ---- kex.c=092008-11-03 03:19:12.000000000 -0500
 -+++ kex.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -48,6 +48,7 @@
 - #include "match.h"
 - #include "dispatch.h"
 - #include "monitor.h"
 -+#include "canohost.h"
 -=20
 - #define KEX=5FCOOKIE=5FLEN=0916
 -=20
 -@@ -64,7 +65,8 @@ static void kex=5Fkexinit=5Ffinish(Kex *);
 - static void kex=5Fchoose=5Fconf(Kex *);
 -=20
 - /* put algorithm proposal into buffer */
 --static void
 -+/* used in sshconnect.c as well as kex.c */
 -+void
 - kex=5Fprop2buf(Buffer *b, char *proposal[PROPOSAL=5FMAX])
 - {
 - =09u=5Fint i;
 -@@ -376,6 +378,13 @@ kex=5Fchoose=5Fconf(Kex *kex)
 - =09int nenc, nmac, ncomp;
 - =09u=5Fint mode, ctos, need;
 - =09int first=5Fkex=5Ffollows, type;
 -+=09int log=5Fflag =3D 0;
 -+
 -+=09int auth=5Fflag;
 -+
 -+=09auth=5Fflag =3D packet=5Fauthentication=5Fstate();
 -+
 -+=09debug ("AUTH STATE IS %d", auth=5Fflag);
 -=20
 - =09my   =3D kex=5Fbuf2prop(&kex->my, NULL);
 - =09peer =3D kex=5Fbuf2prop(&kex->peer, &first=5Fkex=5Ffollows);
 -@@ -400,11 +409,34 @@ kex=5Fchoose=5Fconf(Kex *kex)
 - =09=09choose=5Fenc (&newkeys->enc,  cprop[nenc],  sprop[nenc]);
 - =09=09choose=5Fmac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
 - =09=09choose=5Fcomp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
 -+=09=09debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
 -+=09=09if (strcmp(newkeys->enc.name, "none") =3D=3D 0) {
 -+=09=09=09=09debug("Requesting NONE. Authflag is %d", auth=5Fflag);=09=
 =09=09
 -+=09=09=09if (auth=5Fflag =3D=3D 1) {
 -+=09=09=09=09debug("None requested post authentication.");
 -+=09=09=09} else {
 -+=09=09=09=09fatal("Pre-authentication none cipher requests are not al=
 lowed.");
 -+=09=09=09}
 -+=09=09}=20
 - =09=09debug("kex: %s %s %s %s",
 - =09=09    ctos =3F "client->server" : "server->client",
 - =09=09    newkeys->enc.name,
 - =09=09    newkeys->mac.name,
 - =09=09    newkeys->comp.name);
 -+=09=09/* client starts withctos =3D 0 && log flag =3D 0 and no log*/
 -+=09=09/* 2nd client pass ctos=3D1 and flag =3D 1 so no log*/
 -+=09=09/* server starts with ctos =3D1 && log=5Fflag =3D 0 so log */
 -+=09=09/* 2nd sever pass ctos =3D 1 && log flag =3D 1 so no log*/
 -+=09=09/* -cjr*/
 -+=09=09if (ctos && !log=5Fflag) {
 -+=09=09=09logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;=
 Comp: %s",
 -+=09=09=09      get=5Fremote=5Fipaddr(),
 -+=09=09=09      get=5Fremote=5Fport(),
 -+=09=09=09      newkeys->enc.name,
 -+=09=09=09      newkeys->mac.name,
 -+=09=09=09      newkeys->comp.name);
 -+=09=09}
 -+=09=09log=5Fflag =3D 1;
 - =09}
 - =09choose=5Fkex(kex, cprop[PROPOSAL=5FKEX=5FALGS], sprop[PROPOSAL=5FK=
 EX=5FALGS]);
 - =09choose=5Fhostkeyalg(kex, cprop[PROPOSAL=5FSERVER=5FHOST=5FKEY=5FAL=
 GS],
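Review bot: the guard in this hunk that calls fatal() when "none" is the chosen cipher and auth_flag is not 1 ("Pre-authentication none cipher requests are not allowed.") is what backs the README's promise that authentication stays encrypted even with NoneEnabled; when the port switches to the upstream HPN patch, confirm that the upstream kex.c hunk still carries the same check. The logit() line that follows is also worth keeping: it records remote address, port and the negotiated Enc/MAC/Comp for every server-side key exchange, which is what lets an operator find none-cipher sessions in sshd's log. Style: the debug("Requesting NONE...") line is indented one tab deeper than the if it sits in and ends in trailing tabs, and the closing brace of the none block has trailing whitespace.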
 -diff -NupwB kex.h kex.h
 ---- kex.h=092007-06-11 00:01:42.000000000 -0400
 -+++ kex.h=092009-05-14 12:36:10.000000000 -0400
 -@@ -127,6 +127,8 @@ struct Kex {
 - =09void=09(*kex[KEX=5FMAX])(Kex *);
 - };
 -=20
 -+void kex=5Fprop2buf(Buffer *, char *proposal[PROPOSAL=5FMAX]);
 -+
 - Kex=09*kex=5Fsetup(char *[PROPOSAL=5FMAX]);
 - void=09 kex=5Ffinish(Kex *);
 -=20
 -diff -NupwB Makefile.in Makefile.in
 ---- Makefile.in=092008-11-05 00:20:46.000000000 -0500
 -+++ Makefile.in=092009-05-14 12:36:10.000000000 -0400
 -@@ -43,7 +43,7 @@ CC=3D at CC@
 - LD=3D at LD@
 - CFLAGS=3D at CFLAGS@
 - CPPFLAGS=3D-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 --LIBS=3D at LIBS@
 -+LIBS=3D at LIBS@ -lpthread
 - SSHDLIBS=3D at SSHDLIBS@
 - LIBEDIT=3D at LIBEDIT@
 - AR=3D at AR@
 -@@ -64,7 +64,7 @@ TARGETS=3Dssh$(EXEEXT) sshd$(EXEEXT) ssh-a
 -=20
 - LIBSSH=5FOBJS=3Dacss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o =
 \
 - =09canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
 --=09cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
 -+=09cipher-bf1.o cipher-ctr.o cipher-ctr-mt.o cipher-3des1.o cleanup.o=
  \
 - =09compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
 - =09log.o match.o md-sha256.o moduli.o nchan.o packet.o \
 - =09readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 -diff -NupwB myproposal.h myproposal.h
 ---- myproposal.h=092009-01-28 00:33:31.000000000 -0500
 -+++ myproposal.h=092009-05-14 12:36:10.000000000 -0400
 -@@ -47,6 +47,8 @@
 - =09"arcfour256,arcfour128," \
 - =09"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
 - =09"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se"
 -+#define KEX=5FENCRYPT=5FINCLUDE=5FNONE KEX=5FDEFAULT=5FENCRYPT \
 -+=09",none"
 - #define=09KEX=5FDEFAULT=5FMAC \
 - =09"hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160," \
 - =09"hmac-ripemd160 at openssh.com," \
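Review bot: the line right after this hunk, "Common subdirectories: openbsd-compat and openbsd-compat", is diff -r chatter that was captured into the patch file rather than a patch line; patch(1) ignores it, but it shows the local copy was never cleaned up after it was generated, which is one more argument for replacing it with the upstream patch. On the hunk itself, keeping "none" out of KEX_DEFAULT_ENCRYPT and only appending it in the separate KEX_ENCRYPT_INCLUDE_NONE macro is the right shape: the None cipher is never in the default proposal unless the NoneEnabled path selects that macro explicitly.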
 -Common subdirectories: openbsd-compat and openbsd-compat
 -diff -NupwB packet.c packet.c
 ---- packet.c=092009-02-14 00:35:01.000000000 -0500
 -+++ packet.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -775,7 +775,7 @@ packet=5Fenable=5Fdelayed=5Fcompress(void)
 - /*
 -  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
 -  */
 --static void
 -+static int
 - packet=5Fsend2=5Fwrapped(void)
 - {
 - =09u=5Fchar type, *cp, *macbuf =3D NULL;
 -@@ -888,11 +888,13 @@ packet=5Fsend2=5Fwrapped(void)
 - =09=09set=5Fnewkeys(MODE=5FOUT);
 - =09else if (type =3D=3D SSH2=5FMSG=5FUSERAUTH=5FSUCCESS && server=5Fs=
 ide)
 - =09=09packet=5Fenable=5Fdelayed=5Fcompress();
 -+=09return(packet=5Flength);
 - }
 -=20
 --static void
 -+static int
 - packet=5Fsend2(void)
 - {
 -+        static int packet=5Flength =3D 0;
 - =09static int rekeying =3D 0;
 - =09struct packet *p;
 - =09u=5Fchar type, *cp;
 -@@ -910,7 +912,7 @@ packet=5Fsend2(void)
 - =09=09=09memcpy(&p->payload, &outgoing=5Fpacket, sizeof(Buffer));
 - =09=09=09buffer=5Finit(&outgoing=5Fpacket);
 - =09=09=09TAILQ=5FINSERT=5FTAIL(&outgoing, p, next);
 --=09=09=09return;
 -+=09=09=09return(sizeof(Buffer));
 - =09=09}
 - =09}
 -=20
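Review bot: return(sizeof(Buffer)) on the queued-during-rekey path returns the size of the Buffer struct, not the length of the packet that was just queued, so whoever consumes the new int result of packet_send() gets a constant unrelated to bytes sent whenever a packet is deferred; returning 0 for a deferred packet, or buffer_len(&p->payload) if the queued length is wanted, would give the value one meaning. In the previous hunk, static int packet_length = 0 in packet_send2() does not need to be static (it is assigned afresh with packet_length = packet_send2_wrapped() in the following hunk on every call) and is indented with spaces where the rest of the function uses tabs.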
 -@@ -918,7 +920,7 @@ packet=5Fsend2(void)
 - =09if (type =3D=3D SSH2=5FMSG=5FKEXINIT)
 - =09=09rekeying =3D 1;
 -=20
 --=09packet=5Fsend2=5Fwrapped();
 -+=09packet=5Flength =3D packet=5Fsend2=5Fwrapped();
 -=20
 - =09/* after a NEWKEYS message we can send the complete queue */
 - =09if (type =3D=3D SSH2=5FMSG=5FNEWKEYS) {
 -@@ -931,19 +933,22 @@ packet=5Fsend2(void)
 - =09=09=09    sizeof(Buffer));
 - =09=09=09TAILQ=5FREMOVE(&outgoing, p, next);
 - =09=09=09xfree(p);
 --=09=09=09packet=5Fsend2=5Fwrapped();
 -+=09=09=09packet=5Flength +=3D packet=5Fsend2=5Fwrapped();
 - =09=09}
 - =09}
 -+=09return(packet=5Flength);
 - }
 -=20
 --void
 -+int
 - packet=5Fsend(void)
 - {
 -+  int packet=5Flen =3D 0;
 - =09if (compat20)
 --=09=09packet=5Fsend2();
 -+=09=09packet=5Flen =3D packet=5Fsend2();
 - =09else
 - =09=09packet=5Fsend1();
 - =09DBG(debug("packet=5Fsend done"));
 -+=09return(packet=5Flen);
 - }
 -=20
 - /*
 -@@ -1544,23 +1549,25 @@ packet=5Fdisconnect(const char *fmt,...)
 -=20
 - /* Checks if there is any buffered output, and tries to write some of=
  the output. */
 -=20
 --void
 -+int
 - packet=5Fwrite=5Fpoll(void)
 - {
 --=09int len =3D buffer=5Flen(&output);
 -+=09int len =3D 0;
 -+=09len =3D buffer=5Flen(&output);
 -=20
 - =09if (len > 0) {
 - =09=09len =3D write(connection=5Fout, buffer=5Fptr(&output), len);
 - =09=09if (len =3D=3D -1) {
 - =09=09=09if (errno =3D=3D EINTR || errno =3D=3D EAGAIN ||
 - =09=09=09    errno =3D=3D EWOULDBLOCK)
 --=09=09=09=09return;
 -+=09=09=09=09return (0);
 - =09=09=09fatal("Write failed: %.100s", strerror(errno));
 - =09=09}
 - =09=09if (len =3D=3D 0)
 - =09=09=09fatal("Write connection closed");
 - =09=09buffer=5Fconsume(&output, len);
 - =09}
 -+=09return(len);
 - }
 -=20
 -=20
 -@@ -1569,16 +1576,17 @@ packet=5Fwrite=5Fpoll(void)
 -  * written.
 -  */
 -=20
 --void
 -+int
 - packet=5Fwrite=5Fwait(void)
 - {
 - =09fd=5Fset *setp;
 - =09int ret, ms=5Fremain;
 - =09struct timeval start, timeout, *timeoutp =3D NULL;
 -+=09u=5Fint bytes=5Fsent =3D 0;
 -=20
 - =09setp =3D (fd=5Fset *)xcalloc(howmany(connection=5Fout + 1, NFDBITS=
 ),
 - =09    sizeof(fd=5Fmask));
 --=09packet=5Fwrite=5Fpoll();
 -+=09bytes=5Fsent +=3D packet=5Fwrite=5Fpoll();
 - =09while (packet=5Fhave=5Fdata=5Fto=5Fwrite()) {
 - =09=09memset(setp, 0, howmany(connection=5Fout + 1, NFDBITS) *
 - =09=09    sizeof(fd=5Fmask));
 -@@ -1612,7 +1620,7 @@ packet=5Fwrite=5Fwait(void)
 - =09=09=09    "waiting to write", get=5Fremote=5Fipaddr());
 - =09=09=09cleanup=5Fexit(255);
 - =09=09}
 --=09=09packet=5Fwrite=5Fpoll();
 -+=09=09bytes=5Fsent +=3D packet=5Fwrite=5Fpoll();
 - =09}
 - =09xfree(setp);
 - }
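Review bot: packet_write_wait() is changed from void to int and accumulates bytes_sent, but the function still ends at xfree(setp); with no return statement, so the bytes_sent total is never returned and any caller that uses the int result reads an indeterminate value (gcc warns about this under -Wreturn-type). Add return bytes_sent; after xfree(setp);. The same hunk declares bytes_sent as u_int while packet_write_poll() returns int, so the return type of packet_write_wait() should match whichever of the two is kept.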
 -@@ -1736,12 +1744,24 @@ packet=5Fsend=5Fignore(int nbytes)
 - =09}
 - }
 -=20
 -+int rekey=5Frequested =3D 0;
 -+void
 -+packet=5Frequest=5Frekeying(void)
 -+{
 -+=09rekey=5Frequested =3D 1;
 -+}
 -+
 - #define MAX=5FPACKETS=09(1U<<31)
 - int
 - packet=5Fneed=5Frekeying(void)
 - {
 - =09if (datafellows & SSH=5FBUG=5FNOREKEY)
 - =09=09return 0;
 -+=09if (rekey=5Frequested =3D=3D 1)
 -+=09{
 -+=09=09rekey=5Frequested =3D 0;
 -+=09=09return 1;
 -+=09}
 - =09return
 - =09    (p=5Fsend.packets > MAX=5FPACKETS) ||
 - =09    (p=5Fread.packets > MAX=5FPACKETS) ||
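Review bot: int rekey_requested = 0; is a file-scope variable with external linkage that only packet_request_rekeying() and packet_need_rekeying() in this file touch; declare it static so it cannot collide with, or be modified from, another object file. Minor style: the if (rekey_requested == 1) block puts its opening brace on its own line, unlike the rest of packet.c.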
 -@@ -1766,3 +1786,9 @@ packet=5Fset=5Fauthenticated(void)
 - {
 - =09after=5Fauthentication =3D 1;
 - }
 -+
 -+int
 -+packet=5Fauthentication=5Fstate(void)
 -+{
 -+=09return(after=5Fauthentication);
 -+}
 -diff -NupwB packet.h packet.h
 ---- packet.h=092008-07-11 03:36:48.000000000 -0400
 -+++ packet.h=092009-05-14 12:36:10.000000000 -0400
 -@@ -20,6 +20,9 @@
 -=20
 - #include <openssl/bn.h>
 -=20
 -+void
 -+packet=5Frequest=5Frekeying(void);
 -+
 - void     packet=5Fset=5Fconnection(int, int);
 - void     packet=5Fset=5Ftimeout(int, int);
 - void     packet=5Fset=5Fnonblocking(void);
 -@@ -35,6 +38,7 @@ void     packet=5Fset=5Finteractive(int);
 - int      packet=5Fis=5Finteractive(void);
 - void     packet=5Fset=5Fserver(void);
 - void     packet=5Fset=5Fauthenticated(void);
 -+int=09 packet=5Fauthentication=5Fstate(void);
 -=20
 - void     packet=5Fstart(u=5Fchar);
 - void     packet=5Fput=5Fchar(int ch);
 -@@ -44,7 +48,7 @@ void     packet=5Fput=5Fbignum2(BIGNUM * val
 - void     packet=5Fput=5Fstring(const void *buf, u=5Fint len);
 - void     packet=5Fput=5Fcstring(const char *str);
 - void     packet=5Fput=5Fraw(const void *buf, u=5Fint len);
 --void     packet=5Fsend(void);
 -+int      packet=5Fsend(void);
 -=20
 - int      packet=5Fread(void);
 - void     packet=5Fread=5Fexpect(int type);
 -@@ -73,8 +77,8 @@ void=09 packet=5Fset=5Fstate(int, u=5Fint32=5Ft, u
 - int=09 packet=5Fget=5Fssh1=5Fcipher(void);
 - void=09 packet=5Fset=5Fiv(int, u=5Fchar *);
 -=20
 --void     packet=5Fwrite=5Fpoll(void);
 --void     packet=5Fwrite=5Fwait(void);
 -+int      packet=5Fwrite=5Fpoll(void);
 -+int      packet=5Fwrite=5Fwait(void);
 - int      packet=5Fhave=5Fdata=5Fto=5Fwrite(void);
 - int      packet=5Fnot=5Fvery=5Fmuch=5Fdata=5Fto=5Fwrite(void);
 -=20
 -diff -NupwB progressmeter.c progressmeter.c
 ---- progressmeter.c=092006-08-04 22:39:40.000000000 -0400
 -+++ progressmeter.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -68,6 +68,8 @@ static time=5Ft last=5Fupdate;=09/* last progr
 - static char *file;=09=09/* name of the file being transferred */
 - static off=5Ft end=5Fpos;=09=09/* ending position of transfer */
 - static off=5Ft cur=5Fpos;=09=09/* transfer position as of last refres=
 h */
 -+static off=5Ft last=5Fpos;
 -+static off=5Ft max=5Fdelta=5Fpos =3D 0;
 - static volatile off=5Ft *counter;=09/* progress counter */
 - static long stalled;=09=09/* how long we have been stalled */
 - static int bytes=5Fper=5Fsecond;=09/* current speed in bytes per seco=
 nd */
 -@@ -128,12 +130,17 @@ refresh=5Fprogress=5Fmeter(void)
 - =09int hours, minutes, seconds;
 - =09int i, len;
 - =09int file=5Flen;
 -+=09off=5Ft delta=5Fpos;
 -=20
 - =09transferred =3D *counter - cur=5Fpos;
 - =09cur=5Fpos =3D *counter;
 - =09now =3D time(NULL);
 - =09bytes=5Fleft =3D end=5Fpos - cur=5Fpos;
 -=20
 -+=09delta=5Fpos =3D cur=5Fpos - last=5Fpos;
 -+=09if (delta=5Fpos > max=5Fdelta=5Fpos)=20
 -+=09=09max=5Fdelta=5Fpos =3D delta=5Fpos;
 -+
 - =09if (bytes=5Fleft > 0)
 - =09=09elapsed =3D now - last=5Fupdate;
 - =09else {
 -@@ -158,7 +165,7 @@ refresh=5Fprogress=5Fmeter(void)
 -=20
 - =09/* filename */
 - =09buf[0] =3D '\0';
 --=09file=5Flen =3D win=5Fsize - 35;
 -+=09file=5Flen =3D win=5Fsize - 45;
 - =09if (file=5Flen > 0) {
 - =09=09len =3D snprintf(buf, file=5Flen + 1, "\r%s", file);
 - =09=09if (len < 0)
 -@@ -175,7 +182,8 @@ refresh=5Fprogress=5Fmeter(void)
 - =09=09percent =3D ((float)cur=5Fpos / end=5Fpos) * 100;
 - =09else
 - =09=09percent =3D 100;
 --=09snprintf(buf + strlen(buf), win=5Fsize - strlen(buf),
 -+
 -+=09snprintf(buf + strlen(buf), win=5Fsize - strlen(buf-8),
 - =09    " %3d%% ", percent);
 -=20
 - =09/* amount transferred */
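Review bot: win_size - strlen(buf-8) in the new snprintf() call reads from eight bytes before the start of buf, which is an out-of-bounds read (undefined behaviour) and does not compute the remaining space in the buffer either. The line it replaces used win_size - strlen(buf); if the intent is to reserve eight columns for the instantaneous-rate field added later in this function, the expression wanted is win_size - strlen(buf) - 8, with a check that it stays positive before it is passed as the size argument.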
 -@@ -188,6 +196,15 @@ refresh=5Fprogress=5Fmeter(void)
 - =09    (off=5Ft)bytes=5Fper=5Fsecond);
 - =09strlcat(buf, "/s ", win=5Fsize);
 -=20
 -+=09/* instantaneous rate */
 -+=09if (bytes=5Fleft > 0)
 -+=09=09format=5Frate(buf + strlen(buf), win=5Fsize - strlen(buf),
 -+=09=09=09    delta=5Fpos);
 -+=09else
 -+=09=09format=5Frate(buf + strlen(buf), win=5Fsize - strlen(buf),
 -+=09=09=09    max=5Fdelta=5Fpos);
 -+=09strlcat(buf, "/s ", win=5Fsize);
 -+
 - =09/* ETA */
 - =09if (!transferred)
 - =09=09stalled +=3D elapsed;
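Review bot: the instantaneous-rate field is format_rate() of delta_pos, the bytes moved since the previous refresh, followed by a literal "/s ", so the number is only a per-second rate if refresh_progress_meter() runs exactly once a second; on a late or final refresh it is mislabelled. Dividing delta_pos by elapsed (set from now - last_update earlier in the function, guarding the elapsed == 0 case) would make the label honest, and the same applies to max_delta_pos shown once the transfer is done.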
 -@@ -224,6 +241,7 @@ refresh=5Fprogress=5Fmeter(void)
 -=20
 - =09atomicio(vwrite, STDOUT=5FFILENO, buf, win=5Fsize - 1);
 - =09last=5Fupdate =3D now;
 -+=09last=5Fpos =3D cur=5Fpos;
 - }
 -=20
 - /*ARGSUSED*/
 -diff -NupwB readconf.c readconf.c
 ---- readconf.c=092009-02-14 00:28:21.000000000 -0500
 -+++ readconf.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -131,6 +131,8 @@ typedef enum {
 - =09oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 - =09oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 - =09oVisualHostKey, oZeroKnowledgePasswordAuthentication,
 -+=09oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisable=
 d,
 -+=09oHPNBufferSize,
 - =09oDeprecated, oUnsupported
 - } OpCodes;
 -=20
 -@@ -234,6 +236,12 @@ static struct {
 - #else
 - =09{ "zeroknowledgepasswordauthentication", oUnsupported },
 - #endif
 -+=09{ "noneenabled", oNoneEnabled },
 -+=09{ "tcprcvbufpoll", oTcpRcvBufPoll },
 -+=09{ "tcprcvbuf", oTcpRcvBuf },
 -+=09{ "noneswitch", oNoneSwitch },
 -+=09{ "hpndisabled", oHPNDisabled },
 -+=09{ "hpnbuffersize", oHPNBufferSize },
 -=20
 - =09{ NULL, oBadOption }
 - };
 -@@ -465,6 +473,37 @@ parse=5Fflag:
 - =09=09intptr =3D &options->check=5Fhost=5Fip;
 - =09=09goto parse=5Fflag;
 -=20
 -+=09case oNoneEnabled:
 -+=09=09intptr =3D &options->none=5Fenabled;
 -+=09=09goto parse=5Fflag;
 -+=20
 -+=09/* we check to see if the command comes from the */
 -+=09/* command line or not. If it does then enable it */
 -+=09/* otherwise fail. NONE should never be a default configuration */=
 
 -+=09case oNoneSwitch:
 -+=09=09if(strcmp(filename,"command-line")=3D=3D0)
 -+=09=09{=09=09
 -+=09=09    intptr =3D &options->none=5Fswitch;
 -+=09=09    goto parse=5Fflag;
 -+=09=09} else {
 -+=09=09    error("NoneSwitch is found in %.200s.\nYou may only use thi=
 s configuration option from the command line", filename);
 -+=09=09    error("Continuing...");
 -+=09=09    debug("NoneSwitch directive found in %.200s.", filename);
 -+=09=09    return 0;
 -+=09        }
 -+
 -+=09case oHPNDisabled:
 -+=09=09intptr =3D &options->hpn=5Fdisabled;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oHPNBufferSize:
 -+=09=09intptr =3D &options->hpn=5Fbuffer=5Fsize;
 -+=09=09goto parse=5Fint;
 -+
 -+=09case oTcpRcvBufPoll:
 -+=09=09intptr =3D &options->tcp=5Frcv=5Fbuf=5Fpoll;
 -+=09=09goto parse=5Fflag;
 -+
 - =09case oVerifyHostKeyDNS:
 - =09=09intptr =3D &options->verify=5Fhost=5Fkey=5Fdns;
 - =09=09goto parse=5Fyesnoask;
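Review bot: restricting oNoneSwitch to the case where filename is the literal "command-line" is the control that keeps the None switch from being set persistently in ssh_config, and it should survive the move to the upstream patch. Two small things in the same block: the else branch reports the misplaced option with error() and then return 0, so the line counts as processed rather than as a bad option (return -1 is how oBadOption is counted), and the block mixes four-space and tab indentation, with a stray trailing space on the blank line after the oNoneEnabled case.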
 -@@ -643,6 +682,10 @@ parse=5Fint:
 - =09=09intptr =3D &options->connection=5Fattempts;
 - =09=09goto parse=5Fint;
 -=20
 -+=09case oTcpRcvBuf:
 -+=09=09intptr =3D &options->tcp=5Frcv=5Fbuf;
 -+=09=09goto parse=5Fint;
 -+
 - =09case oCipher:
 - =09=09intptr =3D &options->cipher;
 - =09=09arg =3D strdelim(&s);
 -@@ -1065,6 +1108,12 @@ initialize=5Foptions(Options * options)
 - =09options->permit=5Flocal=5Fcommand =3D -1;
 - =09options->visual=5Fhost=5Fkey =3D -1;
 - =09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D -1;
 -+=09options->none=5Fswitch =3D -1;
 -+=09options->none=5Fenabled =3D -1;
 -+=09options->hpn=5Fdisabled =3D -1;
 -+=09options->hpn=5Fbuffer=5Fsize =3D -1;
 -+=09options->tcp=5Frcv=5Fbuf=5Fpoll =3D -1;
 -+=09options->tcp=5Frcv=5Fbuf =3D -1;
 - }
 -=20
 - /*
 -@@ -1187,6 +1236,29 @@ fill=5Fdefault=5Foptions(Options * options)
 - =09=09options->server=5Falive=5Finterval =3D 0;
 - =09if (options->server=5Falive=5Fcount=5Fmax =3D=3D -1)
 - =09=09options->server=5Falive=5Fcount=5Fmax =3D 3;
 -+=09if (options->none=5Fswitch =3D=3D -1)
 -+=09        options->none=5Fswitch =3D 0;
 -+=09if (options->hpn=5Fdisabled =3D=3D -1)
 -+=09        options->hpn=5Fdisabled =3D 0;
 -+=09if (options->hpn=5Fbuffer=5Fsize > -1)
 -+=09{
 -+=09  /* if a user tries to set the size to 0 set it to 1KB */
 -+=09=09if (options->hpn=5Fbuffer=5Fsize =3D=3D 0)
 -+=09=09options->hpn=5Fbuffer=5Fsize =3D 1024;
 -+=09=09/*limit the buffer to 64MB*/
 -+=09=09if (options->hpn=5Fbuffer=5Fsize > 65536)
 -+=09=09{
 -+=09=09=09options->hpn=5Fbuffer=5Fsize =3D 65536*1024;
 -+=09=09=09debug("User requested buffer larger than 64MB. Request rever=
 ted to 64MB");
 -+=09=09}
 -+=09=09debug("hpn=5Fbuffer=5Fsize set to %d", options->hpn=5Fbuffer=5F=
 size);
 -+=09}
 -+=09if (options->tcp=5Frcv=5Fbuf =3D=3D 0)
 -+=09=09options->tcp=5Frcv=5Fbuf =3D 1;
 -+=09if (options->tcp=5Frcv=5Fbuf > -1)=20
 -+=09=09options->tcp=5Frcv=5Fbuf *=3D1024;
 -+=09if (options->tcp=5Frcv=5Fbuf=5Fpoll =3D=3D -1)
 -+=09=09options->tcp=5Frcv=5Fbuf=5Fpoll =3D 1;
 - =09if (options->control=5Fmaster =3D=3D -1)
 - =09=09options->control=5Fmaster =3D 0;
 - =09if (options->hash=5Fknown=5Fhosts =3D=3D -1)
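Review bot: the hpn_buffer_size defaults in this hunk mix units. The README documents HPNBufferSize as KB with a range of 1-65536, and tcp_rcv_buf is scaled with *= 1024 a few lines below, but an in-range hpn_buffer_size is never scaled: 2048 stays 2048, a value above 65536 becomes 65536*1024, and 0 becomes 1024 under a comment that says 1KB. Pick one unit: either clamp to 65536 and then multiply by 1024 like tcp_rcv_buf, or treat the field as bytes throughout and fix the clamp and the comment. The assignment under the == 0 check is also missing its indentation.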
 -diff -NupwB readconf.c.orig readconf.c.orig
 ---- readconf.c.orig=091969-12-31 19:00:00.000000000 -0500
 -+++ readconf.c.orig=092009-02-14 00:28:21.000000000 -0500
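Review bot: this readconf.c.orig entry (old-side timestamp 1969-12-31, i.e. created from nothing, 1310 added lines) is a patch(1) backup file that was swept into the HPN patch when it was regenerated with diff -NupwB; applying the patch drops a full copy of readconf.c into the source tree as a new file, which is one of the clearest reasons to stop carrying this local copy. Worth checking that the upstream HPN patch the port will now fetch does not carry the same stray file.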
 -@@ -0,0 +1,1310 @@
 -+/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
 -+/*
 -+ * Author: Tatu Ylonen <ylo at cs.hut.fi>
 -+ * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
 -+ *                    All rights reserved
 -+ * Functions for reading the configuration files.
 -+ *
 -+ * As far as I am concerned, the code I have written for this softwar=
 e
 -+ * can be used freely for any purpose.  Any derived versions of this
 -+ * software must be clearly marked as such, and if the derived work i=
 s
 -+ * incompatible with the protocol description in the RFC file, it mus=
 t be
 -+ * called by a name other than "ssh" or "Secure Shell".
 -+ */
 -+
 -+#include "includes.h"
 -+
 -+#include <sys/types.h>
 -+#include <sys/stat.h>
 -+#include <sys/socket.h>
 -+
 -+#include <netinet/in.h>
 -+
 -+#include <ctype.h>
 -+#include <errno.h>
 -+#include <netdb.h>
 -+#include <signal.h>
 -+#include <stdarg.h>
 -+#include <stdio.h>
 -+#include <string.h>
 -+#include <unistd.h>
 -+
 -+#include "xmalloc.h"
 -+#include "ssh.h"
 -+#include "compat.h"
 -+#include "cipher.h"
 -+#include "pathnames.h"
 -+#include "log.h"
 -+#include "key.h"
 -+#include "readconf.h"
 -+#include "match.h"
 -+#include "misc.h"
 -+#include "buffer.h"
 -+#include "kex.h"
 -+#include "mac.h"
 -+
 -+/* Format of the configuration file:
 -+
 -+   # Configuration data is parsed as follows:
 -+   #  1. command line options
 -+   #  2. user-specific file
 -+   #  3. system-wide file
 -+   # Any configuration value is only changed the first time it is set=
 =2E
 -+   # Thus, host-specific definitions should be at the beginning of th=
 e
 -+   # configuration file, and defaults at the end.
 -+
 -+   # Host-specific declarations.  These may override anything above. =
  A single
 -+   # host may match multiple declarations; these are processed in the=
  order
 -+   # that they are given in.
 -+
 -+   Host *.ngs.fi ngs.fi
 -+     User foo
 -+
 -+   Host fake.com
 -+     HostName another.host.name.real.org
 -+     User blaah
 -+     Port 34289
 -+     ForwardX11 no
 -+     ForwardAgent no
 -+
 -+   Host books.com
 -+     RemoteForward 9999 shadows.cs.hut.fi:9999
 -+     Cipher 3des
 -+
 -+   Host fascist.blob.com
 -+     Port 23123
 -+     User tylonen
 -+     PasswordAuthentication no
 -+
 -+   Host puukko.hut.fi
 -+     User t35124p
 -+     ProxyCommand ssh-proxy %h %p
 -+
 -+   Host *.fr
 -+     PublicKeyAuthentication no
 -+
 -+   Host *.su
 -+     Cipher none
 -+     PasswordAuthentication no
 -+
 -+   Host vpn.fake.com
 -+     Tunnel yes
 -+     TunnelDevice 3
 -+
 -+   # Defaults for various options
 -+   Host *
 -+     ForwardAgent no
 -+     ForwardX11 no
 -+     PasswordAuthentication yes
 -+     RSAAuthentication yes
 -+     RhostsRSAAuthentication yes
 -+     StrictHostKeyChecking yes
 -+     TcpKeepAlive no
 -+     IdentityFile ~/.ssh/identity
 -+     Port 22
 -+     EscapeChar ~
 -+
 -+*/
 -+
 -+/* Keyword tokens. */
 -+
 -+typedef enum {
 -+=09oBadOption,
 -+=09oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
 -+=09oExitOnForwardFailure,
 -+=09oPasswordAuthentication, oRSAAuthentication,
 -+=09oChallengeResponseAuthentication, oXAuthLocation,
 -+=09oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalFo=
 rward,
 -+=09oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand=
 ,
 -+=09oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
 -+=09oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
 -+=09oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
 -+=09oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
 -+=09oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthenticatio=
 n,
 -+=09oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAli=
 as,
 -+=09oDynamicForward, oPreferredAuthentications, oHostbasedAuthenticati=
 on,
 -+=09oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
 -+=09oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 -+=09oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout=
 ,
 -+=09oAddressFamily, oGssAuthentication, oGssDelegateCreds,
 -+=09oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
 -+=09oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
 -+=09oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
 -+=09oVisualHostKey, oZeroKnowledgePasswordAuthentication,
 -+=09oDeprecated, oUnsupported
 -+} OpCodes;
 -+
 -+/* Textual representations of the tokens. */
 -+
 -+static struct {
 -+=09const char *name;
 -+=09OpCodes opcode;
 -+} keywords[] =3D {
 -+=09{ "forwardagent", oForwardAgent },
 -+=09{ "forwardx11", oForwardX11 },
 -+=09{ "forwardx11trusted", oForwardX11Trusted },
 -+=09{ "exitonforwardfailure", oExitOnForwardFailure },
 -+=09{ "xauthlocation", oXAuthLocation },
 -+=09{ "gatewayports", oGatewayPorts },
 -+=09{ "useprivilegedport", oUsePrivilegedPort },
 -+=09{ "rhostsauthentication", oDeprecated },
 -+=09{ "passwordauthentication", oPasswordAuthentication },
 -+=09{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },=
 
 -+=09{ "kbdinteractivedevices", oKbdInteractiveDevices },
 -+=09{ "rsaauthentication", oRSAAuthentication },
 -+=09{ "pubkeyauthentication", oPubkeyAuthentication },
 -+=09{ "dsaauthentication", oPubkeyAuthentication },=09=09    /* alias =
 */
 -+=09{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
 -+=09{ "hostbasedauthentication", oHostbasedAuthentication },
 -+=09{ "challengeresponseauthentication", oChallengeResponseAuthenticat=
 ion },
 -+=09{ "skeyauthentication", oChallengeResponseAuthentication }, /* ali=
 as */
 -+=09{ "tisauthentication", oChallengeResponseAuthentication },  /* ali=
 as */
 -+=09{ "kerberosauthentication", oUnsupported },
 -+=09{ "kerberostgtpassing", oUnsupported },
 -+=09{ "afstokenpassing", oUnsupported },
 -+#if defined(GSSAPI)
 -+=09{ "gssapiauthentication", oGssAuthentication },
 -+=09{ "gssapidelegatecredentials", oGssDelegateCreds },
 -+#else
 -+=09{ "gssapiauthentication", oUnsupported },
 -+=09{ "gssapidelegatecredentials", oUnsupported },
 -+#endif
 -+=09{ "fallbacktorsh", oDeprecated },
 -+=09{ "usersh", oDeprecated },
 -+=09{ "identityfile", oIdentityFile },
 -+=09{ "identityfile2", oIdentityFile },=09=09=09/* obsolete */
 -+=09{ "identitiesonly", oIdentitiesOnly },
 -+=09{ "hostname", oHostName },
 -+=09{ "hostkeyalias", oHostKeyAlias },
 -+=09{ "proxycommand", oProxyCommand },
 -+=09{ "port", oPort },
 -+=09{ "cipher", oCipher },
 -+=09{ "ciphers", oCiphers },
 -+=09{ "macs", oMacs },
 -+=09{ "protocol", oProtocol },
 -+=09{ "remoteforward", oRemoteForward },
 -+=09{ "localforward", oLocalForward },
 -+=09{ "user", oUser },
 -+=09{ "host", oHost },
 -+=09{ "escapechar", oEscapeChar },
 -+=09{ "globalknownhostsfile", oGlobalKnownHostsFile },
 -+=09{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },=09/* obsolete=
  */
 -+=09{ "userknownhostsfile", oUserKnownHostsFile },
 -+=09{ "userknownhostsfile2", oUserKnownHostsFile2 },=09/* obsolete */
 -+=09{ "connectionattempts", oConnectionAttempts },
 -+=09{ "batchmode", oBatchMode },
 -+=09{ "checkhostip", oCheckHostIP },
 -+=09{ "stricthostkeychecking", oStrictHostKeyChecking },
 -+=09{ "compression", oCompression },
 -+=09{ "compressionlevel", oCompressionLevel },
 -+=09{ "tcpkeepalive", oTCPKeepAlive },
 -+=09{ "keepalive", oTCPKeepAlive },=09=09=09=09/* obsolete */
 -+=09{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
 -+=09{ "loglevel", oLogLevel },
 -+=09{ "dynamicforward", oDynamicForward },
 -+=09{ "preferredauthentications", oPreferredAuthentications },
 -+=09{ "hostkeyalgorithms", oHostKeyAlgorithms },
 -+=09{ "bindaddress", oBindAddress },
 -+#ifdef SMARTCARD
 -+=09{ "smartcarddevice", oSmartcardDevice },
 -+#else
 -+=09{ "smartcarddevice", oUnsupported },
 -+#endif
 -+=09{ "clearallforwardings", oClearAllForwardings },
 -+=09{ "enablesshkeysign", oEnableSSHKeysign },
 -+=09{ "verifyhostkeydns", oVerifyHostKeyDNS },
 -+=09{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLoca=
 lhost },
 -+=09{ "rekeylimit", oRekeyLimit },
 -+=09{ "connecttimeout", oConnectTimeout },
 -+=09{ "addressfamily", oAddressFamily },
 -+=09{ "serveraliveinterval", oServerAliveInterval },
 -+=09{ "serveralivecountmax", oServerAliveCountMax },
 -+=09{ "sendenv", oSendEnv },
 -+=09{ "controlpath", oControlPath },
 -+=09{ "controlmaster", oControlMaster },
 -+=09{ "hashknownhosts", oHashKnownHosts },
 -+=09{ "tunnel", oTunnel },
 -+=09{ "tunneldevice", oTunnelDevice },
 -+=09{ "localcommand", oLocalCommand },
 -+=09{ "permitlocalcommand", oPermitLocalCommand },
 -+=09{ "visualhostkey", oVisualHostKey },
 -+#ifdef JPAKE
 -+=09{ "zeroknowledgepasswordauthentication",
 -+=09    oZeroKnowledgePasswordAuthentication },
 -+#else
 -+=09{ "zeroknowledgepasswordauthentication", oUnsupported },
 -+#endif
 -+
 -+=09{ NULL, oBadOption }
 -+};
 -+
 -+/*
 -+ * Adds a local TCP/IP port forward to options.  Never returns if the=
 re is an
 -+ * error.
 -+ */
 -+
 -+void
 -+add=5Flocal=5Fforward(Options *options, const Forward *newfwd)
 -+{
 -+=09Forward *fwd;
 -+#ifndef NO=5FIPPORT=5FRESERVED=5FCONCEPT
 -+=09extern uid=5Ft original=5Freal=5Fuid;
 -+=09if (newfwd->listen=5Fport < IPPORT=5FRESERVED && original=5Freal=5F=
 uid !=3D 0)
 -+=09=09fatal("Privileged ports can only be forwarded by root.");
 -+#endif
 -+=09if (options->num=5Flocal=5Fforwards >=3D SSH=5FMAX=5FFORWARDS=5FPE=
 R=5FDIRECTION)
 -+=09=09fatal("Too many local forwards (max %d).", SSH=5FMAX=5FFORWARDS=
 =5FPER=5FDIRECTION);
 -+=09fwd =3D &options->local=5Fforwards[options->num=5Flocal=5Fforwards=
 ++];
 -+
 -+=09fwd->listen=5Fhost =3D newfwd->listen=5Fhost;
 -+=09fwd->listen=5Fport =3D newfwd->listen=5Fport;
 -+=09fwd->connect=5Fhost =3D newfwd->connect=5Fhost;
 -+=09fwd->connect=5Fport =3D newfwd->connect=5Fport;
 -+}
 -+
 -+/*
 -+ * Adds a remote TCP/IP port forward to options.  Never returns if th=
 ere is
 -+ * an error.
 -+ */
 -+
 -+void
 -+add=5Fremote=5Fforward(Options *options, const Forward *newfwd)
 -+{
 -+=09Forward *fwd;
 -+=09if (options->num=5Fremote=5Fforwards >=3D SSH=5FMAX=5FFORWARDS=5FP=
 ER=5FDIRECTION)
 -+=09=09fatal("Too many remote forwards (max %d).",
 -+=09=09    SSH=5FMAX=5FFORWARDS=5FPER=5FDIRECTION);
 -+=09fwd =3D &options->remote=5Fforwards[options->num=5Fremote=5Fforwar=
 ds++];
 -+
 -+=09fwd->listen=5Fhost =3D newfwd->listen=5Fhost;
 -+=09fwd->listen=5Fport =3D newfwd->listen=5Fport;
 -+=09fwd->connect=5Fhost =3D newfwd->connect=5Fhost;
 -+=09fwd->connect=5Fport =3D newfwd->connect=5Fport;
 -+}
 -+
 -+static void
 -+clear=5Fforwardings(Options *options)
 -+{
 -+=09int i;
 -+
 -+=09for (i =3D 0; i < options->num=5Flocal=5Fforwards; i++) {
 -+=09=09if (options->local=5Fforwards[i].listen=5Fhost !=3D NULL)
 -+=09=09=09xfree(options->local=5Fforwards[i].listen=5Fhost);
 -+=09=09xfree(options->local=5Fforwards[i].connect=5Fhost);
 -+=09}
 -+=09options->num=5Flocal=5Fforwards =3D 0;
 -+=09for (i =3D 0; i < options->num=5Fremote=5Fforwards; i++) {
 -+=09=09if (options->remote=5Fforwards[i].listen=5Fhost !=3D NULL)
 -+=09=09=09xfree(options->remote=5Fforwards[i].listen=5Fhost);
 -+=09=09xfree(options->remote=5Fforwards[i].connect=5Fhost);
 -+=09}
 -+=09options->num=5Fremote=5Fforwards =3D 0;
 -+=09options->tun=5Fopen =3D SSH=5FTUNMODE=5FNO;
 -+}
 -+
 -+/*
 -+ * Returns the number of the token pointed to by cp or oBadOption.
 -+ */
 -+
 -+static OpCodes
 -+parse=5Ftoken(const char *cp, const char *filename, int linenum)
 -+{
 -+=09u=5Fint i;
 -+
 -+=09for (i =3D 0; keywords[i].name; i++)
 -+=09=09if (strcasecmp(cp, keywords[i].name) =3D=3D 0)
 -+=09=09=09return keywords[i].opcode;
 -+
 -+=09error("%s: line %d: Bad configuration option: %s",
 -+=09    filename, linenum, cp);
 -+=09return oBadOption;
 -+}
 -+
 -+/*
 -+ * Processes a single option line as used in the configuration files.=
  This
 -+ * only sets those values that have not already been set.
 -+ */
 -+#define WHITESPACE " \t\r\n"
 -+
 -+int
 -+process=5Fconfig=5Fline(Options *options, const char *host,
 -+=09=09    char *line, const char *filename, int linenum,
 -+=09=09    int *activep)
 -+{
 -+=09char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[25=
 6];
 -+=09int opcode, *intptr, value, value2, scale;
 -+=09LogLevel *log=5Flevel=5Fptr;
 -+=09long long orig, val64;
 -+=09size=5Ft len;
 -+=09Forward fwd;
 -+
 -+=09/* Strip trailing whitespace */
 -+=09for (len =3D strlen(line) - 1; len > 0; len--) {
 -+=09=09if (strchr(WHITESPACE, line[len]) =3D=3D NULL)
 -+=09=09=09break;
 -+=09=09line[len] =3D '\0';
 -+=09}
 -+
 -+=09s =3D line;
 -+=09/* Get the keyword. (Each line is supposed to begin with a keyword=
 ). */
 -+=09if ((keyword =3D strdelim(&s)) =3D=3D NULL)
 -+=09=09return 0;
 -+=09/* Ignore leading whitespace. */
 -+=09if (*keyword =3D=3D '\0')
 -+=09=09keyword =3D strdelim(&s);
 -+=09if (keyword =3D=3D NULL || !*keyword || *keyword =3D=3D '\n' || *k=
 eyword =3D=3D '#')
 -+=09=09return 0;
 -+
 -+=09opcode =3D parse=5Ftoken(keyword, filename, linenum);
 -+
 -+=09switch (opcode) {
 -+=09case oBadOption:
 -+=09=09/* don't panic, but count bad options */
 -+=09=09return -1;
 -+=09=09/* NOTREACHED */
 -+=09case oConnectTimeout:
 -+=09=09intptr =3D &options->connection=5Ftimeout;
 -+parse=5Ftime:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%s line %d: missing time value.",
 -+=09=09=09    filename, linenum);
 -+=09=09if ((value =3D convtime(arg)) =3D=3D -1)
 -+=09=09=09fatal("%s line %d: invalid time value.",
 -+=09=09=09    filename, linenum);
 -+=09=09if (*activep && *intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oForwardAgent:
 -+=09=09intptr =3D &options->forward=5Fagent;
 -+parse=5Fflag:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing yes/no argument.", filename, =
 linenum);
 -+=09=09value =3D 0;=09/* To avoid compiler warning... */
 -+=09=09if (strcmp(arg, "yes") =3D=3D 0 || strcmp(arg, "true") =3D=3D 0=
 )
 -+=09=09=09value =3D 1;
 -+=09=09else if (strcmp(arg, "no") =3D=3D 0 || strcmp(arg, "false") =3D=
 =3D 0)
 -+=09=09=09value =3D 0;
 -+=09=09else
 -+=09=09=09fatal("%.200s line %d: Bad yes/no argument.", filename, line=
 num);
 -+=09=09if (*activep && *intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oForwardX11:
 -+=09=09intptr =3D &options->forward=5Fx11;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oForwardX11Trusted:
 -+=09=09intptr =3D &options->forward=5Fx11=5Ftrusted;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oGatewayPorts:
 -+=09=09intptr =3D &options->gateway=5Fports;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oExitOnForwardFailure:
 -+=09=09intptr =3D &options->exit=5Fon=5Fforward=5Ffailure;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oUsePrivilegedPort:
 -+=09=09intptr =3D &options->use=5Fprivileged=5Fport;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oPasswordAuthentication:
 -+=09=09intptr =3D &options->password=5Fauthentication;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oZeroKnowledgePasswordAuthentication:
 -+=09=09intptr =3D &options->zero=5Fknowledge=5Fpassword=5Fauthenticati=
 on;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oKbdInteractiveAuthentication:
 -+=09=09intptr =3D &options->kbd=5Finteractive=5Fauthentication;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oKbdInteractiveDevices:
 -+=09=09charptr =3D &options->kbd=5Finteractive=5Fdevices;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oPubkeyAuthentication:
 -+=09=09intptr =3D &options->pubkey=5Fauthentication;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oRSAAuthentication:
 -+=09=09intptr =3D &options->rsa=5Fauthentication;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oRhostsRSAAuthentication:
 -+=09=09intptr =3D &options->rhosts=5Frsa=5Fauthentication;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oHostbasedAuthentication:
 -+=09=09intptr =3D &options->hostbased=5Fauthentication;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oChallengeResponseAuthentication:
 -+=09=09intptr =3D &options->challenge=5Fresponse=5Fauthentication;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oGssAuthentication:
 -+=09=09intptr =3D &options->gss=5Fauthentication;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oGssDelegateCreds:
 -+=09=09intptr =3D &options->gss=5Fdeleg=5Fcreds;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oBatchMode:
 -+=09=09intptr =3D &options->batch=5Fmode;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oCheckHostIP:
 -+=09=09intptr =3D &options->check=5Fhost=5Fip;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oVerifyHostKeyDNS:
 -+=09=09intptr =3D &options->verify=5Fhost=5Fkey=5Fdns;
 -+=09=09goto parse=5Fyesnoask;
 -+
 -+=09case oStrictHostKeyChecking:
 -+=09=09intptr =3D &options->strict=5Fhost=5Fkey=5Fchecking;
 -+parse=5Fyesnoask:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing yes/no/ask argument.",
 -+=09=09=09    filename, linenum);
 -+=09=09value =3D 0;=09/* To avoid compiler warning... */
 -+=09=09if (strcmp(arg, "yes") =3D=3D 0 || strcmp(arg, "true") =3D=3D 0=
 )
 -+=09=09=09value =3D 1;
 -+=09=09else if (strcmp(arg, "no") =3D=3D 0 || strcmp(arg, "false") =3D=
 =3D 0)
 -+=09=09=09value =3D 0;
 -+=09=09else if (strcmp(arg, "ask") =3D=3D 0)
 -+=09=09=09value =3D 2;
 -+=09=09else
 -+=09=09=09fatal("%.200s line %d: Bad yes/no/ask argument.", filename, =
 linenum);
 -+=09=09if (*activep && *intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oCompression:
 -+=09=09intptr =3D &options->compression;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oTCPKeepAlive:
 -+=09=09intptr =3D &options->tcp=5Fkeep=5Falive;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oNoHostAuthenticationForLocalhost:
 -+=09=09intptr =3D &options->no=5Fhost=5Fauthentication=5Ffor=5Flocalho=
 st;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oNumberOfPasswordPrompts:
 -+=09=09intptr =3D &options->number=5Fof=5Fpassword=5Fprompts;
 -+=09=09goto parse=5Fint;
 -+
 -+=09case oCompressionLevel:
 -+=09=09intptr =3D &options->compression=5Flevel;
 -+=09=09goto parse=5Fint;
 -+
 -+=09case oRekeyLimit:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09if (arg[0] < '0' || arg[0] > '9')
 -+=09=09=09fatal("%.200s line %d: Bad number.", filename, linenum);
 -+=09=09orig =3D val64 =3D strtoll(arg, &endofnumber, 10);
 -+=09=09if (arg =3D=3D endofnumber)
 -+=09=09=09fatal("%.200s line %d: Bad number.", filename, linenum);
 -+=09=09switch (toupper(*endofnumber)) {
 -+=09=09case '\0':
 -+=09=09=09scale =3D 1;
 -+=09=09=09break;
 -+=09=09case 'K':
 -+=09=09=09scale =3D 1<<10;
 -+=09=09=09break;
 -+=09=09case 'M':
 -+=09=09=09scale =3D 1<<20;
 -+=09=09=09break;
 -+=09=09case 'G':
 -+=09=09=09scale =3D 1<<30;
 -+=09=09=09break;
 -+=09=09default:
 -+=09=09=09fatal("%.200s line %d: Invalid RekeyLimit suffix",
 -+=09=09=09    filename, linenum);
 -+=09=09}
 -+=09=09val64 *=3D scale;
 -+=09=09/* detect integer wrap and too-large limits */
 -+=09=09if ((val64 / scale) !=3D orig || val64 > UINT=5FMAX)
 -+=09=09=09fatal("%.200s line %d: RekeyLimit too large",
 -+=09=09=09    filename, linenum);
 -+=09=09if (val64 < 16)
 -+=09=09=09fatal("%.200s line %d: RekeyLimit too small",
 -+=09=09=09    filename, linenum);
 -+=09=09if (*activep && options->rekey=5Flimit =3D=3D -1)
 -+=09=09=09options->rekey=5Flimit =3D (u=5Fint32=5Ft)val64;
 -+=09=09break;
 -+
 -+=09case oIdentityFile:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09if (*activep) {
 -+=09=09=09intptr =3D &options->num=5Fidentity=5Ffiles;
 -+=09=09=09if (*intptr >=3D SSH=5FMAX=5FIDENTITY=5FFILES)
 -+=09=09=09=09fatal("%.200s line %d: Too many identity files specified =
 (max %d).",
 -+=09=09=09=09    filename, linenum, SSH=5FMAX=5FIDENTITY=5FFILES);
 -+=09=09=09charptr =3D &options->identity=5Ffiles[*intptr];
 -+=09=09=09*charptr =3D xstrdup(arg);
 -+=09=09=09*intptr =3D *intptr + 1;
 -+=09=09}
 -+=09=09break;
 -+
 -+=09case oXAuthLocation:
 -+=09=09charptr=3D&options->xauth=5Flocation;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oUser:
 -+=09=09charptr =3D &options->user;
 -+parse=5Fstring:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09if (*activep && *charptr =3D=3D NULL)
 -+=09=09=09*charptr =3D xstrdup(arg);
 -+=09=09break;
 -+
 -+=09case oGlobalKnownHostsFile:
 -+=09=09charptr =3D &options->system=5Fhostfile;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oUserKnownHostsFile:
 -+=09=09charptr =3D &options->user=5Fhostfile;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oGlobalKnownHostsFile2:
 -+=09=09charptr =3D &options->system=5Fhostfile2;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oUserKnownHostsFile2:
 -+=09=09charptr =3D &options->user=5Fhostfile2;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oHostName:
 -+=09=09charptr =3D &options->hostname;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oHostKeyAlias:
 -+=09=09charptr =3D &options->host=5Fkey=5Falias;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oPreferredAuthentications:
 -+=09=09charptr =3D &options->preferred=5Fauthentications;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oBindAddress:
 -+=09=09charptr =3D &options->bind=5Faddress;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oSmartcardDevice:
 -+=09=09charptr =3D &options->smartcard=5Fdevice;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oProxyCommand:
 -+=09=09charptr =3D &options->proxy=5Fcommand;
 -+parse=5Fcommand:
 -+=09=09if (s =3D=3D NULL)
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09len =3D strspn(s, WHITESPACE "=3D");
 -+=09=09if (*activep && *charptr =3D=3D NULL)
 -+=09=09=09*charptr =3D xstrdup(s + len);
 -+=09=09return 0;
 -+
 -+=09case oPort:
 -+=09=09intptr =3D &options->port;
 -+parse=5Fint:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09if (arg[0] < '0' || arg[0] > '9')
 -+=09=09=09fatal("%.200s line %d: Bad number.", filename, linenum);
 -+
 -+=09=09/* Octal, decimal, or hex format=3F */
 -+=09=09value =3D strtol(arg, &endofnumber, 0);
 -+=09=09if (arg =3D=3D endofnumber)
 -+=09=09=09fatal("%.200s line %d: Bad number.", filename, linenum);
 -+=09=09if (*activep && *intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oConnectionAttempts:
 -+=09=09intptr =3D &options->connection=5Fattempts;
 -+=09=09goto parse=5Fint;
 -+
 -+=09case oCipher:
 -+=09=09intptr =3D &options->cipher;
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09value =3D cipher=5Fnumber(arg);
 -+=09=09if (value =3D=3D -1)
 -+=09=09=09fatal("%.200s line %d: Bad cipher '%s'.",
 -+=09=09=09    filename, linenum, arg =3F arg : "<NONE>");
 -+=09=09if (*activep && *intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oCiphers:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09if (!ciphers=5Fvalid(arg))
 -+=09=09=09fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
 -+=09=09=09    filename, linenum, arg =3F arg : "<NONE>");
 -+=09=09if (*activep && options->ciphers =3D=3D NULL)
 -+=09=09=09options->ciphers =3D xstrdup(arg);
 -+=09=09break;
 -+
 -+=09case oMacs:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09if (!mac=5Fvalid(arg))
 -+=09=09=09fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
 -+=09=09=09    filename, linenum, arg =3F arg : "<NONE>");
 -+=09=09if (*activep && options->macs =3D=3D NULL)
 -+=09=09=09options->macs =3D xstrdup(arg);
 -+=09=09break;
 -+
 -+=09case oHostKeyAlgorithms:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09if (!key=5Fnames=5Fvalid2(arg))
 -+=09=09=09fatal("%.200s line %d: Bad protocol 2 host key algorithms '%=
 s'.",
 -+=09=09=09    filename, linenum, arg =3F arg : "<NONE>");
 -+=09=09if (*activep && options->hostkeyalgorithms =3D=3D NULL)
 -+=09=09=09options->hostkeyalgorithms =3D xstrdup(arg);
 -+=09=09break;
 -+
 -+=09case oProtocol:
 -+=09=09intptr =3D &options->protocol;
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09value =3D proto=5Fspec(arg);
 -+=09=09if (value =3D=3D SSH=5FPROTO=5FUNKNOWN)
 -+=09=09=09fatal("%.200s line %d: Bad protocol spec '%s'.",
 -+=09=09=09    filename, linenum, arg =3F arg : "<NONE>");
 -+=09=09if (*activep && *intptr =3D=3D SSH=5FPROTO=5FUNKNOWN)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oLogLevel:
 -+=09=09log=5Flevel=5Fptr =3D &options->log=5Flevel;
 -+=09=09arg =3D strdelim(&s);
 -+=09=09value =3D log=5Flevel=5Fnumber(arg);
 -+=09=09if (value =3D=3D SYSLOG=5FLEVEL=5FNOT=5FSET)
 -+=09=09=09fatal("%.200s line %d: unsupported log level '%s'",
 -+=09=09=09    filename, linenum, arg =3F arg : "<NONE>");
 -+=09=09if (*activep && *log=5Flevel=5Fptr =3D=3D SYSLOG=5FLEVEL=5FNOT=5F=
 SET)
 -+=09=09=09*log=5Flevel=5Fptr =3D (LogLevel) value;
 -+=09=09break;
 -+
 -+=09case oLocalForward:
 -+=09case oRemoteForward:
 -+=09case oDynamicForward:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (arg =3D=3D NULL || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing port argument.",
 -+=09=09=09    filename, linenum);
 -+
 -+=09=09if (opcode =3D=3D oLocalForward ||
 -+=09=09    opcode =3D=3D oRemoteForward) {
 -+=09=09=09arg2 =3D strdelim(&s);
 -+=09=09=09if (arg2 =3D=3D NULL || *arg2 =3D=3D '\0')
 -+=09=09=09=09fatal("%.200s line %d: Missing target argument.",
 -+=09=09=09=09    filename, linenum);
 -+
 -+=09=09=09/* construct a string for parse=5Fforward */
 -+=09=09=09snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
 -+=09=09} else if (opcode =3D=3D oDynamicForward) {
 -+=09=09=09strlcpy(fwdarg, arg, sizeof(fwdarg));
 -+=09=09}
 -+
 -+=09=09if (parse=5Fforward(&fwd, fwdarg,
 -+=09=09    opcode =3D=3D oDynamicForward =3F 1 : 0,
 -+=09=09    opcode =3D=3D oRemoteForward =3F 1 : 0) =3D=3D 0)
 -+=09=09=09fatal("%.200s line %d: Bad forwarding specification.",
 -+=09=09=09    filename, linenum);
 -+
 -+=09=09if (*activep) {
 -+=09=09=09if (opcode =3D=3D oLocalForward ||
 -+=09=09=09    opcode =3D=3D oDynamicForward)
 -+=09=09=09=09add=5Flocal=5Fforward(options, &fwd);
 -+=09=09=09else if (opcode =3D=3D oRemoteForward)
 -+=09=09=09=09add=5Fremote=5Fforward(options, &fwd);
 -+=09=09}
 -+=09=09break;
 -+
 -+=09case oClearAllForwardings:
 -+=09=09intptr =3D &options->clear=5Fforwardings;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oHost:
 -+=09=09*activep =3D 0;
 -+=09=09while ((arg =3D strdelim(&s)) !=3D NULL && *arg !=3D '\0')
 -+=09=09=09if (match=5Fpattern(host, arg)) {
 -+=09=09=09=09debug("Applying options for %.100s", arg);
 -+=09=09=09=09*activep =3D 1;
 -+=09=09=09=09break;
 -+=09=09=09}
 -+=09=09/* Avoid garbage check below, as strdelim is done. */
 -+=09=09return 0;
 -+
 -+=09case oEscapeChar:
 -+=09=09intptr =3D &options->escape=5Fchar;
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09if (arg[0] =3D=3D '^' && arg[2] =3D=3D 0 &&
 -+=09=09    (u=5Fchar) arg[1] >=3D 64 && (u=5Fchar) arg[1] < 128)
 -+=09=09=09value =3D (u=5Fchar) arg[1] & 31;
 -+=09=09else if (strlen(arg) =3D=3D 1)
 -+=09=09=09value =3D (u=5Fchar) arg[0];
 -+=09=09else if (strcmp(arg, "none") =3D=3D 0)
 -+=09=09=09value =3D SSH=5FESCAPECHAR=5FNONE;
 -+=09=09else {
 -+=09=09=09fatal("%.200s line %d: Bad escape character.",
 -+=09=09=09    filename, linenum);
 -+=09=09=09/* NOTREACHED */
 -+=09=09=09value =3D 0;=09/* Avoid compiler warning. */
 -+=09=09}
 -+=09=09if (*activep && *intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oAddressFamily:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%s line %d: missing address family.",
 -+=09=09=09    filename, linenum);
 -+=09=09intptr =3D &options->address=5Ffamily;
 -+=09=09if (strcasecmp(arg, "inet") =3D=3D 0)
 -+=09=09=09value =3D AF=5FINET;
 -+=09=09else if (strcasecmp(arg, "inet6") =3D=3D 0)
 -+=09=09=09value =3D AF=5FINET6;
 -+=09=09else if (strcasecmp(arg, "any") =3D=3D 0)
 -+=09=09=09value =3D AF=5FUNSPEC;
 -+=09=09else
 -+=09=09=09fatal("Unsupported AddressFamily \"%s\"", arg);
 -+=09=09if (*activep && *intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oEnableSSHKeysign:
 -+=09=09intptr =3D &options->enable=5Fssh=5Fkeysign;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oIdentitiesOnly:
 -+=09=09intptr =3D &options->identities=5Fonly;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oServerAliveInterval:
 -+=09=09intptr =3D &options->server=5Falive=5Finterval;
 -+=09=09goto parse=5Ftime;
 -+
 -+=09case oServerAliveCountMax:
 -+=09=09intptr =3D &options->server=5Falive=5Fcount=5Fmax;
 -+=09=09goto parse=5Fint;
 -+
 -+=09case oSendEnv:
 -+=09=09while ((arg =3D strdelim(&s)) !=3D NULL && *arg !=3D '\0') {
 -+=09=09=09if (strchr(arg, '=3D') !=3D NULL)
 -+=09=09=09=09fatal("%s line %d: Invalid environment name.",
 -+=09=09=09=09    filename, linenum);
 -+=09=09=09if (!*activep)
 -+=09=09=09=09continue;
 -+=09=09=09if (options->num=5Fsend=5Fenv >=3D MAX=5FSEND=5FENV)
 -+=09=09=09=09fatal("%s line %d: too many send env.",
 -+=09=09=09=09    filename, linenum);
 -+=09=09=09options->send=5Fenv[options->num=5Fsend=5Fenv++] =3D
 -+=09=09=09    xstrdup(arg);
 -+=09=09}
 -+=09=09break;
 -+
 -+=09case oControlPath:
 -+=09=09charptr =3D &options->control=5Fpath;
 -+=09=09goto parse=5Fstring;
 -+
 -+=09case oControlMaster:
 -+=09=09intptr =3D &options->control=5Fmaster;
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing ControlMaster argument.",
 -+=09=09=09    filename, linenum);
 -+=09=09value =3D 0;=09/* To avoid compiler warning... */
 -+=09=09if (strcmp(arg, "yes") =3D=3D 0 || strcmp(arg, "true") =3D=3D 0=
 )
 -+=09=09=09value =3D SSHCTL=5FMASTER=5FYES;
 -+=09=09else if (strcmp(arg, "no") =3D=3D 0 || strcmp(arg, "false") =3D=
 =3D 0)
 -+=09=09=09value =3D SSHCTL=5FMASTER=5FNO;
 -+=09=09else if (strcmp(arg, "auto") =3D=3D 0)
 -+=09=09=09value =3D SSHCTL=5FMASTER=5FAUTO;
 -+=09=09else if (strcmp(arg, "ask") =3D=3D 0)
 -+=09=09=09value =3D SSHCTL=5FMASTER=5FASK;
 -+=09=09else if (strcmp(arg, "autoask") =3D=3D 0)
 -+=09=09=09value =3D SSHCTL=5FMASTER=5FAUTO=5FASK;
 -+=09=09else
 -+=09=09=09fatal("%.200s line %d: Bad ControlMaster argument.",
 -+=09=09=09    filename, linenum);
 -+=09=09if (*activep && *intptr =3D=3D -1)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oHashKnownHosts:
 -+=09=09intptr =3D &options->hash=5Fknown=5Fhosts;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oTunnel:
 -+=09=09intptr =3D &options->tun=5Fopen;
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%s line %d: Missing yes/point-to-point/"
 -+=09=09=09    "ethernet/no argument.", filename, linenum);
 -+=09=09value =3D 0;=09/* silence compiler */
 -+=09=09if (strcasecmp(arg, "ethernet") =3D=3D 0)
 -+=09=09=09value =3D SSH=5FTUNMODE=5FETHERNET;
 -+=09=09else if (strcasecmp(arg, "point-to-point") =3D=3D 0)
 -+=09=09=09value =3D SSH=5FTUNMODE=5FPOINTOPOINT;
 -+=09=09else if (strcasecmp(arg, "yes") =3D=3D 0)
 -+=09=09=09value =3D SSH=5FTUNMODE=5FDEFAULT;
 -+=09=09else if (strcasecmp(arg, "no") =3D=3D 0)
 -+=09=09=09value =3D SSH=5FTUNMODE=5FNO;
 -+=09=09else
 -+=09=09=09fatal("%s line %d: Bad yes/point-to-point/ethernet/"
 -+=09=09=09    "no argument: %s", filename, linenum, arg);
 -+=09=09if (*activep)
 -+=09=09=09*intptr =3D value;
 -+=09=09break;
 -+
 -+=09case oTunnelDevice:
 -+=09=09arg =3D strdelim(&s);
 -+=09=09if (!arg || *arg =3D=3D '\0')
 -+=09=09=09fatal("%.200s line %d: Missing argument.", filename, linenum=
 );
 -+=09=09value =3D a2tun(arg, &value2);
 -+=09=09if (value =3D=3D SSH=5FTUNID=5FERR)
 -+=09=09=09fatal("%.200s line %d: Bad tun device.", filename, linenum);=
 
 -+=09=09if (*activep) {
 -+=09=09=09options->tun=5Flocal =3D value;
 -+=09=09=09options->tun=5Fremote =3D value2;
 -+=09=09}
 -+=09=09break;
 -+
 -+=09case oLocalCommand:
 -+=09=09charptr =3D &options->local=5Fcommand;
 -+=09=09goto parse=5Fcommand;
 -+
 -+=09case oPermitLocalCommand:
 -+=09=09intptr =3D &options->permit=5Flocal=5Fcommand;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oVisualHostKey:
 -+=09=09intptr =3D &options->visual=5Fhost=5Fkey;
 -+=09=09goto parse=5Fflag;
 -+
 -+=09case oDeprecated:
 -+=09=09debug("%s line %d: Deprecated option \"%s\"",
 -+=09=09    filename, linenum, keyword);
 -+=09=09return 0;
 -+
 -+=09case oUnsupported:
 -+=09=09error("%s line %d: Unsupported option \"%s\"",
 -+=09=09    filename, linenum, keyword);
 -+=09=09return 0;
 -+
 -+=09default:
 -+=09=09fatal("process=5Fconfig=5Fline: Unimplemented opcode %d", opcod=
 e);
 -+=09}
 -+
 -+=09/* Check that there is no garbage at end of line. */
 -+=09if ((arg =3D strdelim(&s)) !=3D NULL && *arg !=3D '\0') {
 -+=09=09fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
 -+=09=09    filename, linenum, arg);
 -+=09}
 -+=09return 0;
 -+}
 -+
 -+
 -+/*
 -+ * Reads the config file and modifies the options accordingly.  Optio=
 ns
 -+ * should already be initialized before this call.  This never return=
 s if
 -+ * there is an error.  If the file does not exist, this returns 0.
 -+ */
 -+
 -+int
 -+read=5Fconfig=5Ffile(const char *filename, const char *host, Options =
 *options,
 -+    int checkperm)
 -+{
 -+=09FILE *f;
 -+=09char line[1024];
 -+=09int active, linenum;
 -+=09int bad=5Foptions =3D 0;
 -+
 -+=09if ((f =3D fopen(filename, "r")) =3D=3D NULL)
 -+=09=09return 0;
 -+
 -+=09if (checkperm) {
 -+=09=09struct stat sb;
 -+
 -+=09=09if (fstat(fileno(f), &sb) =3D=3D -1)
 -+=09=09=09fatal("fstat %s: %s", filename, strerror(errno));
 -+=09=09if (((sb.st=5Fuid !=3D 0 && sb.st=5Fuid !=3D getuid()) ||
 -+=09=09    (sb.st=5Fmode & 022) !=3D 0))
 -+=09=09=09fatal("Bad owner or permissions on %s", filename);
 -+=09}
 -+
 -+=09debug("Reading configuration data %.200s", filename);
 -+
 -+=09/*
 -+=09 * Mark that we are now processing the options.  This flag is turn=
 ed
 -+=09 * on/off by Host specifications.
 -+=09 */
 -+=09active =3D 1;
 -+=09linenum =3D 0;
 -+=09while (fgets(line, sizeof(line), f)) {
 -+=09=09/* Update line number counter. */
 -+=09=09linenum++;
 -+=09=09if (process=5Fconfig=5Fline(options, host, line, filename, line=
 num, &active) !=3D 0)
 -+=09=09=09bad=5Foptions++;
 -+=09}
 -+=09fclose(f);
 -+=09if (bad=5Foptions > 0)
 -+=09=09fatal("%s: terminating, %d bad configuration options",
 -+=09=09    filename, bad=5Foptions);
 -+=09return 1;
 -+}
 -+
 -+/*
 -+ * Initializes options to special values that indicate that they have=
  not yet
 -+ * been set.  Read=5Fconfig=5Ffile will only set options with this va=
 lue. Options
 -+ * are processed in the following order: command line, user config fi=
 le,
 -+ * system config file.  Last, fill=5Fdefault=5Foptions is called.
 -+ */
 -+
 -+void
 -+initialize=5Foptions(Options * options)
 -+{
 -+=09memset(options, 'X', sizeof(*options));
 -+=09options->forward=5Fagent =3D -1;
 -+=09options->forward=5Fx11 =3D -1;
 -+=09options->forward=5Fx11=5Ftrusted =3D -1;
 -+=09options->exit=5Fon=5Fforward=5Ffailure =3D -1;
 -+=09options->xauth=5Flocation =3D NULL;
 -+=09options->gateway=5Fports =3D -1;
 -+=09options->use=5Fprivileged=5Fport =3D -1;
 -+=09options->rsa=5Fauthentication =3D -1;
 -+=09options->pubkey=5Fauthentication =3D -1;
 -+=09options->challenge=5Fresponse=5Fauthentication =3D -1;
 -+=09options->gss=5Fauthentication =3D -1;
 -+=09options->gss=5Fdeleg=5Fcreds =3D -1;
 -+=09options->password=5Fauthentication =3D -1;
 -+=09options->kbd=5Finteractive=5Fauthentication =3D -1;
 -+=09options->kbd=5Finteractive=5Fdevices =3D NULL;
 -+=09options->rhosts=5Frsa=5Fauthentication =3D -1;
 -+=09options->hostbased=5Fauthentication =3D -1;
 -+=09options->batch=5Fmode =3D -1;
 -+=09options->check=5Fhost=5Fip =3D -1;
 -+=09options->strict=5Fhost=5Fkey=5Fchecking =3D -1;
 -+=09options->compression =3D -1;
 -+=09options->tcp=5Fkeep=5Falive =3D -1;
 -+=09options->compression=5Flevel =3D -1;
 -+=09options->port =3D -1;
 -+=09options->address=5Ffamily =3D -1;
 -+=09options->connection=5Fattempts =3D -1;
 -+=09options->connection=5Ftimeout =3D -1;
 -+=09options->number=5Fof=5Fpassword=5Fprompts =3D -1;
 -+=09options->cipher =3D -1;
 -+=09options->ciphers =3D NULL;
 -+=09options->macs =3D NULL;
 -+=09options->hostkeyalgorithms =3D NULL;
 -+=09options->protocol =3D SSH=5FPROTO=5FUNKNOWN;
 -+=09options->num=5Fidentity=5Ffiles =3D 0;
 -+=09options->hostname =3D NULL;
 -+=09options->host=5Fkey=5Falias =3D NULL;
 -+=09options->proxy=5Fcommand =3D NULL;
 -+=09options->user =3D NULL;
 -+=09options->escape=5Fchar =3D -1;
 -+=09options->system=5Fhostfile =3D NULL;
 -+=09options->user=5Fhostfile =3D NULL;
 -+=09options->system=5Fhostfile2 =3D NULL;
 -+=09options->user=5Fhostfile2 =3D NULL;
 -+=09options->num=5Flocal=5Fforwards =3D 0;
 -+=09options->num=5Fremote=5Fforwards =3D 0;
 -+=09options->clear=5Fforwardings =3D -1;
 -+=09options->log=5Flevel =3D SYSLOG=5FLEVEL=5FNOT=5FSET;
 -+=09options->preferred=5Fauthentications =3D NULL;
 -+=09options->bind=5Faddress =3D NULL;
 -+=09options->smartcard=5Fdevice =3D NULL;
 -+=09options->enable=5Fssh=5Fkeysign =3D - 1;
 -+=09options->no=5Fhost=5Fauthentication=5Ffor=5Flocalhost =3D - 1;
 -+=09options->identities=5Fonly =3D - 1;
 -+=09options->rekey=5Flimit =3D - 1;
 -+=09options->verify=5Fhost=5Fkey=5Fdns =3D -1;
 -+=09options->server=5Falive=5Finterval =3D -1;
 -+=09options->server=5Falive=5Fcount=5Fmax =3D -1;
 -+=09options->num=5Fsend=5Fenv =3D 0;
 -+=09options->control=5Fpath =3D NULL;
 -+=09options->control=5Fmaster =3D -1;
 -+=09options->hash=5Fknown=5Fhosts =3D -1;
 -+=09options->tun=5Fopen =3D -1;
 -+=09options->tun=5Flocal =3D -1;
 -+=09options->tun=5Fremote =3D -1;
 -+=09options->local=5Fcommand =3D NULL;
 -+=09options->permit=5Flocal=5Fcommand =3D -1;
 -+=09options->visual=5Fhost=5Fkey =3D -1;
 -+=09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D -1;
 -+}
 -+
 -+/*
 -+ * Called after processing other sources of option data, this fills t=
 hose
 -+ * options for which no value has been specified with their default v=
 alues.
 -+ */
 -+
 -+void
 -+fill=5Fdefault=5Foptions(Options * options)
 -+{
 -+=09int len;
 -+
 -+=09if (options->forward=5Fagent =3D=3D -1)
 -+=09=09options->forward=5Fagent =3D 0;
 -+=09if (options->forward=5Fx11 =3D=3D -1)
 -+=09=09options->forward=5Fx11 =3D 0;
 -+=09if (options->forward=5Fx11=5Ftrusted =3D=3D -1)
 -+=09=09options->forward=5Fx11=5Ftrusted =3D 0;
 -+=09if (options->exit=5Fon=5Fforward=5Ffailure =3D=3D -1)
 -+=09=09options->exit=5Fon=5Fforward=5Ffailure =3D 0;
 -+=09if (options->xauth=5Flocation =3D=3D NULL)
 -+=09=09options->xauth=5Flocation =3D =5FPATH=5FXAUTH;
 -+=09if (options->gateway=5Fports =3D=3D -1)
 -+=09=09options->gateway=5Fports =3D 0;
 -+=09if (options->use=5Fprivileged=5Fport =3D=3D -1)
 -+=09=09options->use=5Fprivileged=5Fport =3D 0;
 -+=09if (options->rsa=5Fauthentication =3D=3D -1)
 -+=09=09options->rsa=5Fauthentication =3D 1;
 -+=09if (options->pubkey=5Fauthentication =3D=3D -1)
 -+=09=09options->pubkey=5Fauthentication =3D 1;
 -+=09if (options->challenge=5Fresponse=5Fauthentication =3D=3D -1)
 -+=09=09options->challenge=5Fresponse=5Fauthentication =3D 1;
 -+=09if (options->gss=5Fauthentication =3D=3D -1)
 -+=09=09options->gss=5Fauthentication =3D 0;
 -+=09if (options->gss=5Fdeleg=5Fcreds =3D=3D -1)
 -+=09=09options->gss=5Fdeleg=5Fcreds =3D 0;
 -+=09if (options->password=5Fauthentication =3D=3D -1)
 -+=09=09options->password=5Fauthentication =3D 1;
 -+=09if (options->kbd=5Finteractive=5Fauthentication =3D=3D -1)
 -+=09=09options->kbd=5Finteractive=5Fauthentication =3D 1;
 -+=09if (options->rhosts=5Frsa=5Fauthentication =3D=3D -1)
 -+=09=09options->rhosts=5Frsa=5Fauthentication =3D 0;
 -+=09if (options->hostbased=5Fauthentication =3D=3D -1)
 -+=09=09options->hostbased=5Fauthentication =3D 0;
 -+=09if (options->batch=5Fmode =3D=3D -1)
 -+=09=09options->batch=5Fmode =3D 0;
 -+=09if (options->check=5Fhost=5Fip =3D=3D -1)
 -+=09=09options->check=5Fhost=5Fip =3D 1;
 -+=09if (options->strict=5Fhost=5Fkey=5Fchecking =3D=3D -1)
 -+=09=09options->strict=5Fhost=5Fkey=5Fchecking =3D 2;=09/* 2 is defaul=
 t */
 -+=09if (options->compression =3D=3D -1)
 -+=09=09options->compression =3D 0;
 -+=09if (options->tcp=5Fkeep=5Falive =3D=3D -1)
 -+=09=09options->tcp=5Fkeep=5Falive =3D 1;
 -+=09if (options->compression=5Flevel =3D=3D -1)
 -+=09=09options->compression=5Flevel =3D 6;
 -+=09if (options->port =3D=3D -1)
 -+=09=09options->port =3D 0;=09/* Filled in ssh=5Fconnect. */
 -+=09if (options->address=5Ffamily =3D=3D -1)
 -+=09=09options->address=5Ffamily =3D AF=5FUNSPEC;
 -+=09if (options->connection=5Fattempts =3D=3D -1)
 -+=09=09options->connection=5Fattempts =3D 1;
 -+=09if (options->number=5Fof=5Fpassword=5Fprompts =3D=3D -1)
 -+=09=09options->number=5Fof=5Fpassword=5Fprompts =3D 3;
 -+=09/* Selected in ssh=5Flogin(). */
 -+=09if (options->cipher =3D=3D -1)
 -+=09=09options->cipher =3D SSH=5FCIPHER=5FNOT=5FSET;
 -+=09/* options->ciphers, default set in myproposals.h */
 -+=09/* options->macs, default set in myproposals.h */
 -+=09/* options->hostkeyalgorithms, default set in myproposals.h */
 -+=09if (options->protocol =3D=3D SSH=5FPROTO=5FUNKNOWN)
 -+=09=09options->protocol =3D SSH=5FPROTO=5F1|SSH=5FPROTO=5F2;
 -+=09if (options->num=5Fidentity=5Ffiles =3D=3D 0) {
 -+=09=09if (options->protocol & SSH=5FPROTO=5F1) {
 -+=09=09=09len =3D 2 + strlen(=5FPATH=5FSSH=5FCLIENT=5FIDENTITY) + 1;
 -+=09=09=09options->identity=5Ffiles[options->num=5Fidentity=5Ffiles] =3D=
 
 -+=09=09=09    xmalloc(len);
 -+=09=09=09snprintf(options->identity=5Ffiles[options->num=5Fidentity=5F=
 files++],
 -+=09=09=09    len, "~/%.100s", =5FPATH=5FSSH=5FCLIENT=5FIDENTITY);
 -+=09=09}
 -+=09=09if (options->protocol & SSH=5FPROTO=5F2) {
 -+=09=09=09len =3D 2 + strlen(=5FPATH=5FSSH=5FCLIENT=5FID=5FRSA) + 1;
 -+=09=09=09options->identity=5Ffiles[options->num=5Fidentity=5Ffiles] =3D=
 
 -+=09=09=09    xmalloc(len);
 -+=09=09=09snprintf(options->identity=5Ffiles[options->num=5Fidentity=5F=
 files++],
 -+=09=09=09    len, "~/%.100s", =5FPATH=5FSSH=5FCLIENT=5FID=5FRSA);
 -+
 -+=09=09=09len =3D 2 + strlen(=5FPATH=5FSSH=5FCLIENT=5FID=5FDSA) + 1;
 -+=09=09=09options->identity=5Ffiles[options->num=5Fidentity=5Ffiles] =3D=
 
 -+=09=09=09    xmalloc(len);
 -+=09=09=09snprintf(options->identity=5Ffiles[options->num=5Fidentity=5F=
 files++],
 -+=09=09=09    len, "~/%.100s", =5FPATH=5FSSH=5FCLIENT=5FID=5FDSA);
 -+=09=09}
 -+=09}
 -+=09if (options->escape=5Fchar =3D=3D -1)
 -+=09=09options->escape=5Fchar =3D '~';
 -+=09if (options->system=5Fhostfile =3D=3D NULL)
 -+=09=09options->system=5Fhostfile =3D =5FPATH=5FSSH=5FSYSTEM=5FHOSTFIL=
 E;
 -+=09if (options->user=5Fhostfile =3D=3D NULL)
 -+=09=09options->user=5Fhostfile =3D =5FPATH=5FSSH=5FUSER=5FHOSTFILE;
 -+=09if (options->system=5Fhostfile2 =3D=3D NULL)
 -+=09=09options->system=5Fhostfile2 =3D =5FPATH=5FSSH=5FSYSTEM=5FHOSTFI=
 LE2;
 -+=09if (options->user=5Fhostfile2 =3D=3D NULL)
 -+=09=09options->user=5Fhostfile2 =3D =5FPATH=5FSSH=5FUSER=5FHOSTFILE2;=
 
 -+=09if (options->log=5Flevel =3D=3D SYSLOG=5FLEVEL=5FNOT=5FSET)
 -+=09=09options->log=5Flevel =3D SYSLOG=5FLEVEL=5FINFO;
 -+=09if (options->clear=5Fforwardings =3D=3D 1)
 -+=09=09clear=5Fforwardings(options);
 -+=09if (options->no=5Fhost=5Fauthentication=5Ffor=5Flocalhost =3D=3D -=
  1)
 -+=09=09options->no=5Fhost=5Fauthentication=5Ffor=5Flocalhost =3D 0;
 -+=09if (options->identities=5Fonly =3D=3D -1)
 -+=09=09options->identities=5Fonly =3D 0;
 -+=09if (options->enable=5Fssh=5Fkeysign =3D=3D -1)
 -+=09=09options->enable=5Fssh=5Fkeysign =3D 0;
 -+=09if (options->rekey=5Flimit =3D=3D -1)
 -+=09=09options->rekey=5Flimit =3D 0;
 -+=09if (options->verify=5Fhost=5Fkey=5Fdns =3D=3D -1)
 -+=09=09options->verify=5Fhost=5Fkey=5Fdns =3D 0;
 -+=09if (options->server=5Falive=5Finterval =3D=3D -1)
 -+=09=09options->server=5Falive=5Finterval =3D 0;
 -+=09if (options->server=5Falive=5Fcount=5Fmax =3D=3D -1)
 -+=09=09options->server=5Falive=5Fcount=5Fmax =3D 3;
 -+=09if (options->control=5Fmaster =3D=3D -1)
 -+=09=09options->control=5Fmaster =3D 0;
 -+=09if (options->hash=5Fknown=5Fhosts =3D=3D -1)
 -+=09=09options->hash=5Fknown=5Fhosts =3D 0;
 -+=09if (options->tun=5Fopen =3D=3D -1)
 -+=09=09options->tun=5Fopen =3D SSH=5FTUNMODE=5FNO;
 -+=09if (options->tun=5Flocal =3D=3D -1)
 -+=09=09options->tun=5Flocal =3D SSH=5FTUNID=5FANY;
 -+=09if (options->tun=5Fremote =3D=3D -1)
 -+=09=09options->tun=5Fremote =3D SSH=5FTUNID=5FANY;
 -+=09if (options->permit=5Flocal=5Fcommand =3D=3D -1)
 -+=09=09options->permit=5Flocal=5Fcommand =3D 0;
 -+=09if (options->visual=5Fhost=5Fkey =3D=3D -1)
 -+=09=09options->visual=5Fhost=5Fkey =3D 0;
 -+=09if (options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D=3D -=
 1)
 -+=09=09options->zero=5Fknowledge=5Fpassword=5Fauthentication =3D 0;
 -+=09/* options->local=5Fcommand should not be set by default */
 -+=09/* options->proxy=5Fcommand should not be set by default */
 -+=09/* options->user will be set in the main program if appropriate */=
 
 -+=09/* options->hostname will be set in the main program if appropriat=
 e */
 -+=09/* options->host=5Fkey=5Falias should not be set by default */
 -+=09/* options->preferred=5Fauthentications will be set in ssh */
 -+}
 -+
 -+/*
 -+ * parse=5Fforward
 -+ * parses a string containing a port forwarding specification of the =
 form:
 -+ *   dynamicfwd =3D=3D 0
 -+ *=09[listenhost:]listenport:connecthost:connectport
 -+ *   dynamicfwd =3D=3D 1
 -+ *=09[listenhost:]listenport
 -+ * returns number of arguments parsed or zero on error
 -+ */
 -+int
 -+parse=5Fforward(Forward *fwd, const char *fwdspec, int dynamicfwd, in=
 t remotefwd)
 -+{
 -+=09int i;
 -+=09char *p, *cp, *fwdarg[4];
 -+
 -+=09memset(fwd, '\0', sizeof(*fwd));
 -+
 -+=09cp =3D p =3D xstrdup(fwdspec);
 -+
 -+=09/* skip leading spaces */
 -+=09while (isspace(*cp))
 -+=09=09cp++;
 -+
 -+=09for (i =3D 0; i < 4; ++i)
 -+=09=09if ((fwdarg[i] =3D hpdelim(&cp)) =3D=3D NULL)
 -+=09=09=09break;
 -+
 -+=09/* Check for trailing garbage */
 -+=09if (cp !=3D NULL)
 -+=09=09i =3D 0;=09/* failure */
 -+
 -+=09switch (i) {
 -+=09case 1:
 -+=09=09fwd->listen=5Fhost =3D NULL;
 -+=09=09fwd->listen=5Fport =3D a2port(fwdarg[0]);
 -+=09=09fwd->connect=5Fhost =3D xstrdup("socks");
 -+=09=09break;
 -+
 -+=09case 2:
 -+=09=09fwd->listen=5Fhost =3D xstrdup(cleanhostname(fwdarg[0]));
 -+=09=09fwd->listen=5Fport =3D a2port(fwdarg[1]);
 -+=09=09fwd->connect=5Fhost =3D xstrdup("socks");
 -+=09=09break;
 -+
 -+=09case 3:
 -+=09=09fwd->listen=5Fhost =3D NULL;
 -+=09=09fwd->listen=5Fport =3D a2port(fwdarg[0]);
 -+=09=09fwd->connect=5Fhost =3D xstrdup(cleanhostname(fwdarg[1]));
 -+=09=09fwd->connect=5Fport =3D a2port(fwdarg[2]);
 -+=09=09break;
 -+
 -+=09case 4:
 -+=09=09fwd->listen=5Fhost =3D xstrdup(cleanhostname(fwdarg[0]));
 -+=09=09fwd->listen=5Fport =3D a2port(fwdarg[1]);
 -+=09=09fwd->connect=5Fhost =3D xstrdup(cleanhostname(fwdarg[2]));
 -+=09=09fwd->connect=5Fport =3D a2port(fwdarg[3]);
 -+=09=09break;
 -+=09default:
 -+=09=09i =3D 0; /* failure */
 -+=09}
 -+
 -+=09xfree(p);
 -+
 -+=09if (dynamicfwd) {
 -+=09=09if (!(i =3D=3D 1 || i =3D=3D 2))
 -+=09=09=09goto fail=5Ffree;
 -+=09} else {
 -+=09=09if (!(i =3D=3D 3 || i =3D=3D 4))
 -+=09=09=09goto fail=5Ffree;
 -+=09=09if (fwd->connect=5Fport <=3D 0)
 -+=09=09=09goto fail=5Ffree;
 -+=09}
 -+
 -+=09if (fwd->listen=5Fport < 0 || (!remotefwd && fwd->listen=5Fport =3D=
 =3D 0))
 -+=09=09goto fail=5Ffree;
 -+
 -+=09if (fwd->connect=5Fhost !=3D NULL &&
 -+=09    strlen(fwd->connect=5Fhost) >=3D NI=5FMAXHOST)
 -+=09=09goto fail=5Ffree;
 -+=09if (fwd->listen=5Fhost !=3D NULL &&
 -+=09    strlen(fwd->listen=5Fhost) >=3D NI=5FMAXHOST)
 -+=09=09goto fail=5Ffree;
 -+
 -+
 -+=09return (i);
 -+
 -+ fail=5Ffree:
 -+=09if (fwd->connect=5Fhost !=3D NULL) {
 -+=09=09xfree(fwd->connect=5Fhost);
 -+=09=09fwd->connect=5Fhost =3D NULL;
 -+=09}
 -+=09if (fwd->listen=5Fhost !=3D NULL) {
 -+=09=09xfree(fwd->listen=5Fhost);
 -+=09=09fwd->listen=5Fhost =3D NULL;
 -+=09}
 -+=09return (0);
 -+}
 -diff -NupwB readconf.h readconf.h
 ---- readconf.h=092009-02-14 00:28:21.000000000 -0500
 -+++ readconf.h=092009-05-14 12:36:10.000000000 -0400
 -@@ -57,6 +57,11 @@ typedef struct {
 - =09int     compression=5Flevel;=09/* Compression level 1 (fast) to 9
 - =09=09=09=09=09 * (best). */
 - =09int     tcp=5Fkeep=5Falive;=09/* Set SO=5FKEEPALIVE. */
 -+        int     tcp=5Frcv=5Fbuf; /* user switch to set tcp recv buffe=
 r */
 -+=09int=09tcp=5Frcv=5Fbuf=5Fpoll; /* Option to poll recv buf every win=
 dow transfer */
 -+=09int =09hpn=5Fdisabled; =09 /* Switch to disable HPN buffer managem=
 ent */
 -+=09int=09hpn=5Fbuffer=5Fsize; /* User definable size for HPN buffer w=
 indow */
 -+
 - =09LogLevel log=5Flevel;=09/* Level for logging. */
 -=20
 - =09int     port;=09=09/* Port to connect. */
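Review bot: the added tcp_rcv_buf member is indented with spaces while the three lines added right after it and the surrounding struct members use tabs; use a tab so the struct layout stays consistent. The four new members also carry no unit: hpn_buffer_size is later assigned straight from an SO_RCVBUF getsockopt() result in the ssh.c hunk, so the comment here should say "in bytes".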
 -@@ -102,6 +107,8 @@ typedef struct {
 -=20
 - =09int=09enable=5Fssh=5Fkeysign;
 - =09int64=5Ft rekey=5Flimit;
 -+=09int     none=5Fswitch;    /* Use none cipher */
 -+=09int     none=5Fenabled;   /* Allow none to be used */
 - =09int=09no=5Fhost=5Fauthentication=5Ffor=5Flocalhost;
 - =09int=09identities=5Fonly;
 - =09int=09server=5Falive=5Finterval;
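Review bot: none_switch and none_enabled are the client-side knobs that turn off transport encryption after authentication, so the comments should say so plainly rather than "Use none cipher" / "Allow none to be used", and both need an explicit default of 0 (off) in fill_default_options; the fill_default_options body visible earlier in this file does not initialise either of them.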
 -diff -NupwB readconf.h.orig readconf.h.orig
 ---- readconf.h.orig=091969-12-31 19:00:00.000000000 -0500
 -+++ readconf.h.orig=092009-02-14 00:28:21.000000000 -0500
 -@@ -0,0 +1,145 @@
 -+/* $OpenBSD: readconf.h,v 1.78 2009/02/12 03:00:56 djm Exp $ */
 -+
 -+/*
 -+ * Author: Tatu Ylonen <ylo at cs.hut.fi>
 -+ * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
 -+ *                    All rights reserved
 -+ * Functions for reading the configuration file.
 -+ *
 -+ * As far as I am concerned, the code I have written for this softwar=
 e
 -+ * can be used freely for any purpose.  Any derived versions of this
 -+ * software must be clearly marked as such, and if the derived work i=
 s
 -+ * incompatible with the protocol description in the RFC file, it mus=
 t be
 -+ * called by a name other than "ssh" or "Secure Shell".
 -+ */
 -+
 -+#ifndef READCONF=5FH
 -+#define READCONF=5FH
 -+
 -+/* Data structure for representing a forwarding request. */
 -+
 -+typedef struct {
 -+=09char=09 *listen=5Fhost;=09=09/* Host (address) to listen on. */
 -+=09int=09  listen=5Fport;=09=09/* Port to forward. */
 -+=09char=09 *connect=5Fhost;=09=09/* Host to connect. */
 -+=09int=09  connect=5Fport;=09=09/* Port to connect on connect=5Fhost.=
  */
 -+}       Forward;
 -+/* Data structure for representing option data. */
 -+
 -+#define MAX=5FSEND=5FENV=09256
 -+
 -+typedef struct {
 -+=09int     forward=5Fagent;=09/* Forward authentication agent. */
 -+=09int     forward=5Fx11;=09/* Forward X11 display. */
 -+=09int     forward=5Fx11=5Ftrusted;=09/* Trust Forward X11 display. *=
 /
 -+=09int     exit=5Fon=5Fforward=5Ffailure;=09/* Exit if bind(2) fails =
 for -L/-R */
 -+=09char   *xauth=5Flocation;=09/* Location for xauth program */
 -+=09int     gateway=5Fports;=09/* Allow remote connects to forwarded p=
 orts. */
 -+=09int     use=5Fprivileged=5Fport;=09/* Don't use privileged port if=
  false. */
 -+=09int     rhosts=5Frsa=5Fauthentication;=09/* Try rhosts with RSA
 -+=09=09=09=09=09=09 * authentication. */
 -+=09int     rsa=5Fauthentication;=09/* Try RSA authentication. */
 -+=09int     pubkey=5Fauthentication;=09/* Try ssh2 pubkey authenticati=
 on. */
 -+=09int     hostbased=5Fauthentication;=09/* ssh2's rhosts=5Frsa */
 -+=09int     challenge=5Fresponse=5Fauthentication;
 -+=09=09=09=09=09/* Try S/Key or TIS, authentication. */
 -+=09int     gss=5Fauthentication;=09/* Try GSS authentication */
 -+=09int     gss=5Fdeleg=5Fcreds;=09/* Delegate GSS credentials */
 -+=09int     password=5Fauthentication;=09/* Try password
 -+=09=09=09=09=09=09 * authentication. */
 -+=09int     kbd=5Finteractive=5Fauthentication; /* Try keyboard-intera=
 ctive auth. */
 -+=09char=09*kbd=5Finteractive=5Fdevices; /* Keyboard-interactive auth =
 devices. */
 -+=09int     zero=5Fknowledge=5Fpassword=5Fauthentication;=09/* Try jpa=
 ke */
 -+=09int     batch=5Fmode;=09/* Batch mode: do not ask for passwords. *=
 /
 -+=09int     check=5Fhost=5Fip;=09/* Also keep track of keys for IP add=
 ress */
 -+=09int     strict=5Fhost=5Fkey=5Fchecking;=09/* Strict host key check=
 ing. */
 -+=09int     compression;=09/* Compress packets in both directions. */
 -+=09int     compression=5Flevel;=09/* Compression level 1 (fast) to 9
 -+=09=09=09=09=09 * (best). */
 -+=09int     tcp=5Fkeep=5Falive;=09/* Set SO=5FKEEPALIVE. */
 -+=09LogLevel log=5Flevel;=09/* Level for logging. */
 -+
 -+=09int     port;=09=09/* Port to connect. */
 -+=09int     address=5Ffamily;
 -+=09int     connection=5Fattempts;=09/* Max attempts (seconds) before
 -+=09=09=09=09=09 * giving up */
 -+=09int     connection=5Ftimeout;=09/* Max time (seconds) before
 -+=09=09=09=09=09 * aborting connection attempt */
 -+=09int     number=5Fof=5Fpassword=5Fprompts;=09/* Max number of passw=
 ord
 -+=09=09=09=09=09=09 * prompts. */
 -+=09int     cipher;=09=09/* Cipher to use. */
 -+=09char   *ciphers;=09/* SSH2 ciphers in order of preference. */
 -+=09char   *macs;=09=09/* SSH2 macs in order of preference. */
 -+=09char   *hostkeyalgorithms;=09/* SSH2 server key types in order of =
 preference. */
 -+=09int=09protocol;=09/* Protocol in order of preference. */
 -+=09char   *hostname;=09/* Real host to connect. */
 -+=09char   *host=5Fkey=5Falias;=09/* hostname alias for .ssh/known=5Fh=
 osts */
 -+=09char   *proxy=5Fcommand;=09/* Proxy command for connecting the hos=
 t. */
 -+=09char   *user;=09=09/* User to log in as. */
 -+=09int     escape=5Fchar;=09/* Escape character; -2 =3D none */
 -+
 -+=09char   *system=5Fhostfile;/* Path for /etc/ssh/ssh=5Fknown=5Fhosts=
 . */
 -+=09char   *user=5Fhostfile;=09/* Path for $HOME/.ssh/known=5Fhosts. *=
 /
 -+=09char   *system=5Fhostfile2;
 -+=09char   *user=5Fhostfile2;
 -+=09char   *preferred=5Fauthentications;
 -+=09char   *bind=5Faddress;=09/* local socket address for connection t=
 o sshd */
 -+=09char   *smartcard=5Fdevice; /* Smartcard reader device */
 -+=09int=09verify=5Fhost=5Fkey=5Fdns;=09/* Verify host key using DNS */=
 
 -+
 -+=09int     num=5Fidentity=5Ffiles;=09/* Number of files for RSA/DSA i=
 dentities. */
 -+=09char   *identity=5Ffiles[SSH=5FMAX=5FIDENTITY=5FFILES];
 -+=09Key    *identity=5Fkeys[SSH=5FMAX=5FIDENTITY=5FFILES];
 -+
 -+=09/* Local TCP/IP forward requests. */
 -+=09int     num=5Flocal=5Fforwards;
 -+=09Forward local=5Fforwards[SSH=5FMAX=5FFORWARDS=5FPER=5FDIRECTION];
 -+
 -+=09/* Remote TCP/IP forward requests. */
 -+=09int     num=5Fremote=5Fforwards;
 -+=09Forward remote=5Fforwards[SSH=5FMAX=5FFORWARDS=5FPER=5FDIRECTION];=
 
 -+=09int=09clear=5Fforwardings;
 -+
 -+=09int=09enable=5Fssh=5Fkeysign;
 -+=09int64=5Ft rekey=5Flimit;
 -+=09int=09no=5Fhost=5Fauthentication=5Ffor=5Flocalhost;
 -+=09int=09identities=5Fonly;
 -+=09int=09server=5Falive=5Finterval;
 -+=09int=09server=5Falive=5Fcount=5Fmax;
 -+
 -+=09int     num=5Fsend=5Fenv;
 -+=09char   *send=5Fenv[MAX=5FSEND=5FENV];
 -+
 -+=09char=09*control=5Fpath;
 -+=09int=09control=5Fmaster;
 -+
 -+=09int=09hash=5Fknown=5Fhosts;
 -+
 -+=09int=09tun=5Fopen;=09/* tun(4) */
 -+=09int     tun=5Flocal;=09/* force tun device (optional) */
 -+=09int     tun=5Fremote;=09/* force tun device (optional) */
 -+
 -+=09char=09*local=5Fcommand;
 -+=09int=09permit=5Flocal=5Fcommand;
 -+=09int=09visual=5Fhost=5Fkey;
 -+
 -+}       Options;
 -+
 -+#define SSHCTL=5FMASTER=5FNO=090
 -+#define SSHCTL=5FMASTER=5FYES=091
 -+#define SSHCTL=5FMASTER=5FAUTO=092
 -+#define SSHCTL=5FMASTER=5FASK=093
 -+#define SSHCTL=5FMASTER=5FAUTO=5FASK=094
 -+
 -+void     initialize=5Foptions(Options *);
 -+void     fill=5Fdefault=5Foptions(Options *);
 -+int=09 read=5Fconfig=5Ffile(const char *, const char *, Options *, in=
 t);
 -+int=09 parse=5Fforward(Forward *, const char *, int, int);
 -+
 -+int
 -+process=5Fconfig=5Fline(Options *, const char *, char *, const char *=
 , int, int *);
 -+
 -+void=09 add=5Flocal=5Fforward(Options *, const Forward *);
 -+void=09 add=5Fremote=5Fforward(Options *, const Forward *);
 -+
 -+#endif=09=09=09=09/* READCONF=5FH */
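Review bot: a patch(1) backup file has no place in a distributable patch: readconf.h.orig is added here in full (145 lines, with a 1969-12-31 epoch timestamp on the `---` side, i.e. it did not exist before), which only duplicates readconf.h and bloats the diff. Drop this hunk and any other *.orig entries when regenerating the patch; that this sort of debris was carried in the port's local copy is one more argument for pulling the HPN patch from upstream as this PR does.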
 -Common subdirectories: regress and regress
 -Common subdirectories: scard and scard
 -diff -NupwB scp.c scp.c
 ---- scp.c=092008-11-03 03:23:45.000000000 -0500
 -+++ scp.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -632,7 +632,7 @@ source(int argc, char **argv)
 - =09off=5Ft i, statbytes;
 - =09size=5Ft amt;
 - =09int fd =3D -1, haderr, indx;
 --=09char *last, *name, buf[2048], encname[MAXPATHLEN];
 -+=09char *last, *name, buf[16384], encname[MAXPATHLEN];
 - =09int len;
 -=20
 - =09for (indx =3D 0; indx < argc; ++indx) {
 -@@ -868,7 +868,7 @@ sink(int argc, char **argv)
 - =09mode=5Ft mode, omode, mask;
 - =09off=5Ft size, statbytes;
 - =09int setimes, targisdir, wrerrno =3D 0;
 --=09char ch, *cp, *np, *targ, *why, *vect[1], buf[2048];
 -+=09char ch, *cp, *np, *targ, *why, *vect[1], buf[16384];
 - =09struct timeval tv[2];
 -=20
 - #define=09atime=09tv[0]
 -diff -NupwB servconf.h servconf.h
 ---- servconf.h=092009-01-28 00:31:23.000000000 -0500
 -+++ servconf.h=092009-05-14 12:36:10.000000000 -0400
 -@@ -145,6 +145,10 @@ typedef struct {
 - =09char   *adm=5Fforced=5Fcommand;
 -=20
 - =09int=09use=5Fpam;=09=09/* Enable auth via PAM */
 -+        int     none=5Fenabled;           /* enable NONE cipher switc=
 h */
 -+        int     tcp=5Frcv=5Fbuf=5Fpoll;       /* poll tcp rcv window =
 in autotuning kernels*/
 -+=09int=09hpn=5Fdisabled;=09=09/* disable hpn functionality. false by =
 default */
 -+=09int=09hpn=5Fbuffer=5Fsize;=09/* set the hpn buffer size - default =
 3MB */
 -=20
 - =09int=09permit=5Ftun;
 -=20
 -diff -NupwB serverloop.c serverloop.c
 ---- serverloop.c=092009-02-14 00:33:09.000000000 -0500
 -+++ serverloop.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -93,10 +93,10 @@ static int fdin;=09=09/* Descriptor for stdi
 - static int fdout;=09=09/* Descriptor for stdout (for reading);
 - =09=09=09=09   May be same number as fdin. */
 - static int fderr;=09=09/* Descriptor for stderr.  May be -1. */
 --static long stdin=5Fbytes =3D 0;=09/* Number of bytes written to stdi=
 n. */
 --static long stdout=5Fbytes =3D 0;=09/* Number of stdout bytes sent to=
  client. */
 --static long stderr=5Fbytes =3D 0;=09/* Number of stderr bytes sent to=
  client. */
 --static long fdout=5Fbytes =3D 0;=09/* Number of stdout bytes read fro=
 m program. */
 -+static u=5Flong stdin=5Fbytes =3D 0;=09/* Number of bytes written to =
 stdin. */
 -+static u=5Flong stdout=5Fbytes =3D 0;=09/* Number of stdout bytes sen=
 t to client. */
 -+static u=5Flong stderr=5Fbytes =3D 0;=09/* Number of stderr bytes sen=
 t to client. */
 -+static u=5Flong fdout=5Fbytes =3D 0;=09/* Number of stdout bytes read=
  from program. */
 - static int stdin=5Feof =3D 0;=09/* EOF message received from client. =
 */
 - static int fdout=5Feof =3D 0;=09/* EOF encountered reading from fdout=
 . */
 - static int fderr=5Feof =3D 0;=09/* EOF encountered readung from fderr=
 . */
 -@@ -121,6 +121,20 @@ static volatile sig=5Fatomic=5Ft received=5Fsi
 - static void server=5Finit=5Fdispatch(void);
 -=20
 - /*
 -+ * Returns current time in seconds from Jan 1, 1970 with the maximum
 -+ * available resolution.
 -+ */
 -+
 -+static double
 -+get=5Fcurrent=5Ftime(void)
 -+{
 -+=09struct timeval tv;
 -+=09gettimeofday(&tv, NULL);
 -+=09return (double) tv.tv=5Fsec + (double) tv.tv=5Fusec / 1000000.0;
 -+}
 -+
 -+
 -+/*
 -  * we write to this pipe if a SIGCHLD is caught in order to avoid
 -  * the race between select() and child=5Fterminated
 -  */
 -@@ -410,6 +424,7 @@ process=5Finput(fd=5Fset *readset)
 - =09=09} else {
 - =09=09=09/* Buffer any received data. */
 - =09=09=09packet=5Fprocess=5Fincoming(buf, len);
 -+=09=09=09fdout=5Fbytes +=3D len;
 - =09=09}
 - =09}
 - =09if (compat20)
 -@@ -432,6 +447,7 @@ process=5Finput(fd=5Fset *readset)
 - =09=09} else {
 - =09=09=09buffer=5Fappend(&stdout=5Fbuffer, buf, len);
 - =09=09=09fdout=5Fbytes +=3D len;
 -+=09=09=09debug ("FD out now: %ld", fdout=5Fbytes);
 - =09=09}
 - =09}
 - =09/* Read and buffer any available stderr data from the program. */
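Review bot: format mismatch in the added debug() call: fdout_bytes was changed from long to u_long in the @@ -93 hunk above, so `%ld` should be `%lu` here; as written it is undefined behaviour and trips -Wformat.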
 -@@ -499,7 +515,7 @@ process=5Foutput(fd=5Fset *writeset)
 - =09}
 - =09/* Send any buffered packet data to the client. */
 - =09if (FD=5FISSET(connection=5Fout, writeset))
 --=09=09packet=5Fwrite=5Fpoll();
 -+=09=09stdin=5Fbytes +=3D packet=5Fwrite=5Fpoll();
 - }
 -=20
 - /*
 -@@ -816,8 +832,10 @@ server=5Floop2(Authctxt *authctxt)
 - {
 - =09fd=5Fset *readset =3D NULL, *writeset =3D NULL;
 - =09int rekeying =3D 0, max=5Ffd, nalloc =3D 0;
 -+=09double start=5Ftime, total=5Ftime;
 -=20
 - =09debug("Entering interactive session for SSH2.");
 -+=09start=5Ftime =3D get=5Fcurrent=5Ftime();
 -=20
 - =09mysignal(SIGCHLD, sigchld=5Fhandler);
 - =09child=5Fterminated =3D 0;
 -@@ -879,6 +897,11 @@ server=5Floop2(Authctxt *authctxt)
 -=20
 - =09/* free remaining sessions, e.g. remove wtmp entries */
 - =09session=5Fdestroy=5Fall(NULL);
 -+=09total=5Ftime =3D get=5Fcurrent=5Ftime() - start=5Ftime;
 -+=09logit("SSH: Server;LType: Throughput;Remote: %s-%d;IN: %lu;OUT: %l=
 u;Duration: %.1f;tPut=5Fin: %.1f;tPut=5Fout: %.1f",
 -+=09      get=5Fremote=5Fipaddr(), get=5Fremote=5Fport(),
 -+=09      stdin=5Fbytes, fdout=5Fbytes, total=5Ftime, stdin=5Fbytes / =
 total=5Ftime,=20
 -+=09      fdout=5Fbytes / total=5Ftime);
 - }
 -=20
 - static void
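Review bot: division by zero risk in the added logit(): stdin_bytes / total_time and fdout_bytes / total_time are computed without checking that total_time is non-zero, so a session shorter than the gettimeofday() resolution logs inf or nan throughput. Guard the two quotients (e.g. `total_time > 0 ? stdin_bytes / total_time : 0`). Note also that this record ("SSH: Server;LType: Throughput;...") is emitted at logit() level for every SSH2 session, which changes sshd's default log volume; anyone parsing auth logs should be told about the new line.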
 -@@ -994,8 +1017,12 @@ server=5Frequest=5Ftun(void)
 - =09sock =3D tun=5Fopen(tun, mode);
 - =09if (sock < 0)
 - =09=09goto done;
 -+=09if (options.hpn=5Fdisabled)
 - =09c =3D channel=5Fnew("tun", SSH=5FCHANNEL=5FOPEN, sock, sock, -1,
 - =09    CHAN=5FTCP=5FWINDOW=5FDEFAULT, CHAN=5FTCP=5FPACKET=5FDEFAULT, =
 0, "tun", 1);
 -+=09else
 -+=09=09c =3D channel=5Fnew("tun", SSH=5FCHANNEL=5FOPEN, sock, sock, -1=
 ,
 -+=09=09    options.hpn=5Fbuffer=5Fsize, CHAN=5FTCP=5FPACKET=5FDEFAULT,=
  0, "tun", 1);
 - =09c->datagram =3D 1;
 - #if defined(SSH=5FTUN=5FFILTER)
 - =09if (mode =3D=3D SSH=5FTUNMODE=5FPOINTOPOINT)
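Review bot: the brace-less `if (options.hpn_disabled)` at the top of the hunk governs a two-line channel_new() call that keeps its original indentation, so the code reads as though only the first line were conditional. Wrap both branches in braces; the same pattern appears in the session.c hunk around channel_set_fds() below.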
 -@@ -1031,6 +1058,8 @@ server=5Frequest=5Fsession(void)
 - =09c =3D channel=5Fnew("session", SSH=5FCHANNEL=5FLARVAL,
 - =09    -1, -1, -1, /*window size*/0, CHAN=5FSES=5FPACKET=5FDEFAULT,
 - =09    0, "server-session", 1);
 -+=09if ((options.tcp=5Frcv=5Fbuf=5Fpoll) && (!options.hpn=5Fdisabled))=
 
 -+=09=09c->dynamic=5Fwindow =3D 1;
 - =09if (session=5Fopen(the=5Fauthctxt, c->self) !=3D 1) {
 - =09=09debug("session open failed, free channel %d", c->self);
 - =09=09channel=5Ffree(c);
 -diff -NupwB session.c session.c
 ---- session.c=092009-01-28 00:29:49.000000000 -0500
 -+++ session.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -230,6 +230,7 @@ auth=5Finput=5Frequest=5Fforwarding(struct pas
 - =09}
 -=20
 - =09/* Allocate a channel for the authentication agent socket. */
 -+=09/* this shouldn't matter if its hpn or not - cjr */
 - =09nc =3D channel=5Fnew("auth socket",
 - =09    SSH=5FCHANNEL=5FAUTH=5FSOCKET, sock, sock, -1,
 - =09    CHAN=5FX11=5FWINDOW=5FDEFAULT, CHAN=5FX11=5FPACKET=5FDEFAULT,
 -@@ -2301,10 +2302,16 @@ session=5Fset=5Ffds(Session *s, int fdin, in
 - =09 */
 - =09if (s->chanid =3D=3D -1)
 - =09=09fatal("no channel for session %d", s->self);
 -+=09if (options.hpn=5Fdisabled)
 - =09channel=5Fset=5Ffds(s->chanid,
 - =09    fdout, fdin, fderr,
 - =09    fderr =3D=3D -1 =3F CHAN=5FEXTENDED=5FIGNORE : CHAN=5FEXTENDED=
 =5FREAD,
 - =09    1, is=5Ftty, CHAN=5FSES=5FWINDOW=5FDEFAULT);
 -+=09else=20
 -+=09=09channel=5Fset=5Ffds(s->chanid,
 -+=09=09    fdout, fdin, fderr,
 -+=09            fderr =3D=3D -1 =3F CHAN=5FEXTENDED=5FIGNORE : CHAN=5F=
 EXTENDED=5FREAD,
 -+=09=09    1, is=5Ftty, options.hpn=5Fbuffer=5Fsize);
 - }
 -=20
 - /*
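Review bot: same brace-less if/else around a multi-line channel_set_fds() call as in serverloop.c; add braces so the conditional scope is visible. The `else` line also carries trailing whitespace.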
 -diff -NupwB sftp.1 sftp.1
 ---- sftp.1=092009-01-28 00:14:09.000000000 -0500
 -+++ sftp.1=092009-05-14 12:36:10.000000000 -0400
 -@@ -203,7 +203,8 @@ This option may be useful in debugging t
 - Specify how many requests may be outstanding at any one time.
 - Increasing this may slightly improve file transfer speed
 - but will increase memory usage.
 --The default is 64 outstanding requests.
 -+The default is 256 outstanding requests providing for 8MB=20
 -+of outstanding data with a 32KB buffer.
 - .It Fl S Ar program
 - Name of the
 - .Ar program
 -diff -NupwB sftp.c sftp.c
 ---- sftp.c=092009-02-14 00:26:19.000000000 -0500
 -+++ sftp.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -75,7 +75,7 @@ int batchmode =3D 0;
 - size=5Ft copy=5Fbuffer=5Flen =3D 32768;
 -=20
 - /* Number of concurrent outstanding requests */
 --size=5Ft num=5Frequests =3D 64;
 -+size=5Ft num=5Frequests =3D 256;
 -=20
 - /* PID of ssh transport process */
 - static pid=5Ft sshpid =3D -1;
 -diff -NupwB ssh.c ssh.c
 ---- ssh.c=092009-02-14 00:28:21.000000000 -0500
 -+++ ssh.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -492,9 +492,6 @@ main(int ac, char **av)
 - =09=09=09no=5Fshell=5Fflag =3D 1;
 - =09=09=09no=5Ftty=5Fflag =3D 1;
 - =09=09=09break;
 --=09=09case 'T':
 --=09=09=09no=5Ftty=5Fflag =3D 1;
 --=09=09=09break;
 - =09=09case 'o':
 - =09=09=09dummy =3D 1;
 - =09=09=09line =3D xstrdup(optarg);
 -@@ -503,6 +500,13 @@ main(int ac, char **av)
 - =09=09=09=09exit(255);
 - =09=09=09xfree(line);
 - =09=09=09break;
 -+=09=09case 'T':
 -+=09=09=09no=5Ftty=5Fflag =3D 1;
 -+=09=09=09/* ensure that the user doesn't try to backdoor a */
 -+=09=09=09/* null cipher switch on an interactive session */
 -+=09=09=09/* so explicitly disable it no matter what */
 -+=09=09=09options.none=5Fswitch=3D0;
 -+=09=09=09break;
 - =09=09case 's':
 - =09=09=09subsystem=5Fflag =3D 1;
 - =09=09=09break;
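Review bot: clearing options.none_switch in the -T case only takes effect if -T appears after any `-o NoneSwitch=yes` on the command line, since getopt handles arguments in order, and a setting from the configuration files (read after option parsing) would set it again. The comment about preventing a "backdoor" null cipher switch therefore overstates what this line achieves; the check that actually enforces the rule is the tty_flag test in the sshconnect2.c hunk, so either drop this or reword the comment to say it is a belt-and-braces reset.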
 -@@ -1142,6 +1146,9 @@ ssh=5Fsession2=5Fopen(void)
 - {
 - =09Channel *c;
 - =09int window, packetmax, in, out, err;
 -+=09int sock;
 -+=09int socksize;
 -+=09int socksizelen =3D sizeof(int);
 -=20
 - =09if (stdin=5Fnull=5Fflag) {
 - =09=09in =3D open(=5FPATH=5FDEVNULL, O=5FRDONLY);
 -@@ -1162,9 +1169,75 @@ ssh=5Fsession2=5Fopen(void)
 - =09if (!isatty(err))
 - =09=09set=5Fnonblock(err);
 -=20
 --=09window =3D CHAN=5FSES=5FWINDOW=5FDEFAULT;
 -+=09/* we need to check to see if what they want to do about buffer */=
 
 -+=09/* sizes here. In a hpn to nonhpn connection we want to limit */
 -+=09/* the window size to something reasonable in case the far side */=
 
 -+=09/* has the large window bug. In hpn to hpn connection we want to *=
 /
 -+=09/* use the max window size but allow the user to override it */
 -+=09/* lastly if they disabled hpn then use the ssh std window size */=
 
 -+
 -+=09/* so why don't we just do a getsockopt() here and set the */
 -+=09/* ssh window to that=3F In the case of a autotuning receive */
 -+=09/* window the window would get stuck at the initial buffer */
 -+=09/* size generally less than 96k. Therefore we need to set the */
 -+=09/* maximum ssh window size to the maximum hpn buffer size */
 -+=09/* unless the user has specifically set the tcprcvbufpoll */
 -+=09/* to no. In which case we *can* just set the window to the */
 -+=09/* minimum of the hpn buffer size and tcp receive buffer size */
 -+=09
 -+=09if (tty=5Fflag)
 -+=09=09options.hpn=5Fbuffer=5Fsize =3D CHAN=5FSES=5FWINDOW=5FDEFAULT;
 -+=09else
 -+=09=09options.hpn=5Fbuffer=5Fsize =3D 2*1024*1024;
 -+
 -+=09if (datafellows & SSH=5FBUG=5FLARGEWINDOW)=20
 -+=09{
 -+=09=09debug("HPN to Non-HPN Connection");
 -+=09}=20
 -+=09else=20
 -+=09{
 -+=09=09if (options.tcp=5Frcv=5Fbuf=5Fpoll <=3D 0)=20
 -+=09=09{
 -+=09=09=09sock =3D socket(AF=5FINET, SOCK=5FSTREAM, 0);
 -+=09=09=09getsockopt(sock, SOL=5FSOCKET, SO=5FRCVBUF,=20
 -+=09=09=09=09   &socksize, &socksizelen);
 -+=09=09=09close(sock);
 -+=09=09=09debug("socksize %d", socksize);
 -+=09=09=09options.hpn=5Fbuffer=5Fsize =3D socksize;
 -+=09=09=09debug ("HPNBufferSize set to TCP RWIN: %d", options.hpn=5Fbu=
 ffer=5Fsize);
 -+=09=09}=20
 -+=09=09else
 -+=09=09{
 -+=09=09=09if (options.tcp=5Frcv=5Fbuf > 0)=20
 -+=09=09=09{
 -+=09=09=09=09/*create a socket but don't connect it */
 -+=09=09=09=09/* we use that the get the rcv socket size */
 -+=09=09=09=09sock =3D socket(AF=5FINET, SOCK=5FSTREAM, 0);
 -+=09=09=09=09/* if they are using the tcp=5Frcv=5Fbuf option */
 -+=09=09=09=09/* attempt to set the buffer size to that */
 -+=09=09=09=09if (options.tcp=5Frcv=5Fbuf)=20
 -+=09=09=09=09=09setsockopt(sock, SOL=5FSOCKET, SO=5FRCVBUF, (void *)&o=
 ptions.tcp=5Frcv=5Fbuf,=20
 -+=09=09=09=09=09=09   sizeof(options.tcp=5Frcv=5Fbuf));
 -+=09=09=09=09getsockopt(sock, SOL=5FSOCKET, SO=5FRCVBUF,=20
 -+=09=09=09=09=09   &socksize, &socksizelen);
 -+=09=09=09=09close(sock);
 -+=09=09=09=09debug("socksize %d", socksize);
 -+=09=09=09=09options.hpn=5Fbuffer=5Fsize =3D socksize;
 -+=09=09=09=09debug ("HPNBufferSize set to user TCPRcvBuf: %d", options=
 .hpn=5Fbuffer=5Fsize);
 -+=09=09=09}
 -+ =09=09}
 -+=09=09
 -+=09}
 -+
 -+=09debug("Final hpn=5Fbuffer=5Fsize =3D %d", options.hpn=5Fbuffer=5Fs=
 ize);
 -+
 -+=09window =3D options.hpn=5Fbuffer=5Fsize;
 -+
 -+=09channel=5Fset=5Fhpn(options.hpn=5Fdisabled, options.hpn=5Fbuffer=5F=
 size);
 -+
 - =09packetmax =3D CHAN=5FSES=5FPACKET=5FDEFAULT;
 - =09if (tty=5Fflag) {
 -+=09=09window =3D 4*CHAN=5FSES=5FPACKET=5FDEFAULT;
 - =09=09window >>=3D 1;
 - =09=09packetmax >>=3D 1;
 - =09}
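Review bot: several unchecked calls in this hunk: the two socket(AF_INET, SOCK_STREAM, 0) results are used without testing for -1, the getsockopt() return values are ignored, and socksize is then copied into options.hpn_buffer_size uninitialised if either call failed; socksizelen should also be socklen_t rather than int. Separately, options.hpn_buffer_size is overwritten unconditionally (CHAN_SES_WINDOW_DEFAULT or 2*1024*1024) before any of the tcp_rcv_buf logic runs, so a client-side HPNBufferSize from ssh_config is silently discarded; if that is intended, document the option as server-only.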
 -@@ -1172,7 +1245,10 @@ ssh=5Fsession2=5Fopen(void)
 - =09    "session", SSH=5FCHANNEL=5FOPENING, in, out, err,
 - =09    window, packetmax, CHAN=5FEXTENDED=5FWRITE,
 - =09    "client-session", /*nonblock*/0);
 --
 -+=09if ((options.tcp=5Frcv=5Fbuf=5Fpoll > 0) && (!options.hpn=5Fdisabl=
 ed)) {
 -+=09=09c->dynamic=5Fwindow =3D 1;
 -+=09=09debug ("Enabled Dynamic Window Scaling\n");
 -+=09}
 - =09debug3("ssh=5Fsession2=5Fopen: channel=5Fnew: %d", c->self);
 -=20
 - =09channel=5Fsend=5Fopen(c->self);
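Review bot: the added debug("Enabled Dynamic Window Scaling\n") embeds a newline; debug() already terminates its message, so drop the "\n" to match the debug3() call right below it.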
 -diff -NupwB sshconnect2.c sshconnect2.c
 ---- sshconnect2.c=092008-11-05 00:20:47.000000000 -0500
 -+++ sshconnect2.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -78,6 +78,12 @@
 - extern char *client=5Fversion=5Fstring;
 - extern char *server=5Fversion=5Fstring;
 - extern Options options;
 -+extern Kex *xxx=5Fkex;
 -+
 -+/* tty=5Fflag is set in ssh.c. use this in ssh=5Fuserauth2 */
 -+/* if it is set then prevent the switch to the null cipher */
 -+
 -+extern int tty=5Fflag;
 -=20
 - /*
 -  * SSH2 key exchange
 -@@ -350,6 +356,28 @@ ssh=5Fuserauth2(const char *local=5Fuser, co
 - =09pubkey=5Fcleanup(&authctxt);
 - =09dispatch=5Frange(SSH2=5FMSG=5FUSERAUTH=5FMIN, SSH2=5FMSG=5FUSERAUT=
 H=5FMAX, NULL);
 -=20
 -+=09/* if the user wants to use the none cipher do it */
 -+=09/* post authentication and only if the right conditions are met */=
 
 -+=09/* both of the NONE commands must be true and there must be no */
 -+=09/* tty allocated */
 -+=09if ((options.none=5Fswitch =3D=3D 1) && (options.none=5Fenabled =3D=
 =3D 1))=20
 -+=09{
 -+=09=09if (!tty=5Fflag) /* no null on tty sessions */
 -+=09=09{
 -+=09=09=09debug("Requesting none rekeying...");
 -+=09=09=09myproposal[PROPOSAL=5FENC=5FALGS=5FSTOC] =3D "none";
 -+=09=09=09myproposal[PROPOSAL=5FENC=5FALGS=5FCTOS] =3D "none";
 -+=09=09=09kex=5Fprop2buf(&xxx=5Fkex->my,myproposal);
 -+=09=09=09packet=5Frequest=5Frekeying();
 -+=09=09=09fprintf(stderr, "WARNING: ENABLED NONE CIPHER\n");
 -+=09=09}
 -+=09=09else
 -+=09=09{
 -+=09=09=09/* requested NONE cipher when in a tty */
 -+=09=09=09debug("Cannot switch to NONE cipher with tty allocated");
 -+=09=09=09fprintf(stderr, "NONE cipher switch disabled when a TTY is a=
 llocated\n");
 -+=09=09}
 -+=09}
 - =09debug("Authentication succeeded (%s).", authctxt.method->name);
 - }
 -=20
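Review bot: the "WARNING: ENABLED NONE CIPHER" message is printed right after packet_request_rekeying(), before the rekey has completed, so it claims success for a negotiation that may still fail (for instance when the server did not offer none); move the warning to where the new cipher actually takes effect, or word it as "requesting". The warning also goes only to stderr via fprintf(); from a defender's point of view it should additionally go through logit() so that a session running without payload encryption is visible in logs and not only on a terminal that may be absent in batch mode. Note that only the PROPOSAL_ENC_ALGS entries are changed; the MAC proposal is untouched, so integrity protection remains in place.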
 -diff -NupwB sshconnect.c sshconnect.c
 ---- sshconnect.c=092009-02-01 06:19:54.000000000 -0500
 -+++ sshconnect.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -165,6 +165,31 @@ ssh=5Fproxy=5Fconnect(const char *host, u=5Fsh
 - }
 -=20
 - /*
 -+ * Set TCP receive buffer if requested.
 -+ * Note: tuning needs to happen after the socket is
 -+ * created but before the connection happens
 -+ * so winscale is negotiated properly -cjr
 -+ */
 -+static void
 -+ssh=5Fset=5Fsocket=5Frecvbuf(int sock)
 -+{
 -+=09void *buf =3D (void *)&options.tcp=5Frcv=5Fbuf;
 -+=09int sz =3D sizeof(options.tcp=5Frcv=5Fbuf);
 -+=09int socksize;
 -+=09int socksizelen =3D sizeof(int);
 -+
 -+=09debug("setsockopt Attempting to set SO=5FRCVBUF to %d", options.tc=
 p=5Frcv=5Fbuf);
 -+=09if (setsockopt(sock, SOL=5FSOCKET, SO=5FRCVBUF, buf, sz) >=3D 0) {=
 
 -+=09  getsockopt(sock, SOL=5FSOCKET, SO=5FRCVBUF, &socksize, &socksize=
 len);
 -+=09  debug("setsockopt SO=5FRCVBUF: %.100s %d", strerror(errno), sock=
 size);
 -+=09}
 -+=09else
 -+=09=09error("Couldn't set socket receive buffer to %d: %.100s",
 -+=09=09    options.tcp=5Frcv=5Fbuf, strerror(errno));
 -+}
 -+
 -+
 -+/*
 -  * Creates a (possibly privileged) socket for use as the ssh connecti=
 on.
 -  */
 - static int
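Review bot: on the success path of ssh_set_socket_recvbuf() the debug() call prints strerror(errno) although nothing failed, so it shows whatever stale errno an earlier call left behind; print only socksize there. sz and socksizelen are declared int where setsockopt()/getsockopt() take socklen_t, and the getsockopt() result is not checked before socksize is used.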
 -@@ -187,12 +212,18 @@ ssh=5Fcreate=5Fsocket(int privileged, struct
 - =09=09=09    strerror(errno));
 - =09=09else
 - =09=09=09debug("Allocated local port %d.", p);
 -+
 -+=09=09if (options.tcp=5Frcv=5Fbuf > 0)
 -+=09=09=09ssh=5Fset=5Fsocket=5Frecvbuf(sock);=09=09
 - =09=09return sock;
 - =09}
 - =09sock =3D socket(ai->ai=5Ffamily, ai->ai=5Fsocktype, ai->ai=5Fproto=
 col);
 - =09if (sock < 0)
 - =09=09error("socket: %.100s", strerror(errno));
 -=20
 -+=09if (options.tcp=5Frcv=5Fbuf > 0)
 -+=09=09ssh=5Fset=5Fsocket=5Frecvbuf(sock);
 -+=09
 - =09/* Bind the socket to an alternative local IP address */
 - =09if (options.bind=5Faddress =3D=3D NULL)
 - =09=09return sock;
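Review bot: missing guard at the second insertion: `if (options.tcp_rcv_buf > 0) ssh_set_socket_recvbuf(sock);` runs even when the preceding socket() failed, because `if (sock < 0)` only calls error() and falls through, so setsockopt() is attempted on -1 and a spurious "Couldn't set socket receive buffer" error is logged; add `sock >= 0 &&` to the condition. The first insertion also has trailing whitespace after the call.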
 -@@ -536,7 +567,7 @@ ssh=5Fexchange=5Fidentification(int timeout=5F
 - =09snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s",
 - =09    compat20 =3F PROTOCOL=5FMAJOR=5F2 : PROTOCOL=5FMAJOR=5F1,
 - =09    compat20 =3F PROTOCOL=5FMINOR=5F2 : minor1,
 --=09    SSH=5FVERSION, compat20 =3F "\r\n" : "\n");
 -+=09    SSH=5FRELEASE, compat20 =3F "\r\n" : "\n");
 - =09if (atomicio(vwrite, connection=5Fout, buf, strlen(buf)) !=3D strl=
 en(buf))
 - =09=09fatal("write: %.100s", strerror(errno));
 - =09client=5Fversion=5Fstring =3D xstrdup(buf);
 -diff -NupwB sshd.c sshd.c
 ---- sshd.c=092009-01-28 00:31:23.000000000 -0500
 -+++ sshd.c=092009-05-14 12:36:10.000000000 -0400
 -@@ -136,6 +136,9 @@ int deny=5Fseverity;
 - #define REEXEC=5FCONFIG=5FPASS=5FFD=09=09(STDERR=5FFILENO + 3)
 - #define REEXEC=5FMIN=5FFREE=5FFD=09=09(STDERR=5FFILENO + 4)
 -=20
 -+int myflag =3D 0;
 -+
 -+
 - extern char *=5F=5Fprogname;
 -=20
 - /* Server configuration options. */
 -@@ -415,7 +418,7 @@ sshd=5Fexchange=5Fidentification(int sock=5Fin
 - =09=09minor =3D PROTOCOL=5FMINOR=5F1;
 - =09}
 - =09snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
 --=09    SSH=5FVERSION, newline);
 -+=09    SSH=5FRELEASE, newline);
 - =09server=5Fversion=5Fstring =3D xstrdup(buf);
 -=20
 - =09/* Send our protocol version identification. */
 -@@ -466,6 +469,9 @@ sshd=5Fexchange=5Fidentification(int sock=5Fin
 - =09}
 - =09debug("Client protocol version %d.%d; client software version %.10=
 0s",
 - =09    remote=5Fmajor, remote=5Fminor, remote=5Fversion);
 -+=09logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Cl=
 ient: %.100s",
 -+=09      get=5Fremote=5Fipaddr(), get=5Fremote=5Fport(),
 -+=09    remote=5Fmajor, remote=5Fminor, remote=5Fversion);
 -=20
 - =09compat=5Fdatafellows(remote=5Fversion);
 -=20
 -@@ -944,6 +950,8 @@ server=5Flisten(void)
 - =09int ret, listen=5Fsock, on =3D 1;
 - =09struct addrinfo *ai;
 - =09char ntop[NI=5FMAXHOST], strport[NI=5FMAXSERV];
 -+=09int socksize;
 -+=09int socksizelen =3D sizeof(int);
 -=20
 - =09for (ai =3D options.listen=5Faddrs; ai; ai =3D ai->ai=5Fnext) {
 - =09=09if (ai->ai=5Ffamily !=3D AF=5FINET && ai->ai=5Ffamily !=3D AF=5F=
 INET6)
 -@@ -990,6 +998,11 @@ server=5Flisten(void)
 -=20
 - =09=09debug("Bind to port %s on %s.", strport, ntop);
 -=20
 -+=09=09getsockopt(listen=5Fsock, SOL=5FSOCKET, SO=5FRCVBUF,=20
 -+=09=09=09=09   &socksize, &socksizelen);
 -+=09=09debug("Server TCP RWIN socket size: %d", socksize);
 -+=09=09debug("HPN Buffer Size: %d", options.hpn=5Fbuffer=5Fsize);
 -+
 - =09=09/* Bind the socket to the desired port. */
 - =09=09if (bind(listen=5Fsock, ai->ai=5Faddr, ai->ai=5Faddrlen) < 0) {=
 
 - =09=09=09error("Bind to port %s on %s failed: %.200s.",
 -@@ -1817,6 +1830,9 @@ main(int ac, char **av)
 - =09/* Log the connection. */
 - =09verbose("Connection from %.500s port %d", remote=5Fip, remote=5Fpo=
 rt);
 -=20
 -+=09/* set the HPN options for the child */
 -+=09channel=5Fset=5Fhpn(options.hpn=5Fdisabled, options.hpn=5Fbuffer=5F=
 size);
 -+
 - =09/*
 - =09 * We don't want to listen forever unless the other side
 - =09 * successfully authenticates itself.  So we set up an alarm which=
  is
 -@@ -2171,9 +2187,15 @@ do=5Fssh2=5Fkex(void)
 - {
 - =09Kex *kex;
 -=20
 -+=09myflag++;
 -+=09debug ("MYFLAG IS %d", myflag);
 - =09if (options.ciphers !=3D NULL) {
 - =09=09myproposal[PROPOSAL=5FENC=5FALGS=5FCTOS] =3D
 - =09=09myproposal[PROPOSAL=5FENC=5FALGS=5FSTOC] =3D options.ciphers;
 -+=09} else if (options.none=5Fenabled =3D=3D 1) {
 -+=09=09debug ("WARNING: None cipher enabled");
 -+=09=09myproposal[PROPOSAL=5FENC=5FALGS=5FCTOS] =3D
 -+=09=09myproposal[PROPOSAL=5FENC=5FALGS=5FSTOC] =3D KEX=5FENCRYPT=5FIN=
 CLUDE=5FNONE;
 - =09}
 - =09myproposal[PROPOSAL=5FENC=5FALGS=5FCTOS] =3D
 - =09    compat=5Fcipher=5Fproposal(myproposal[PROPOSAL=5FENC=5FALGS=5F=
 CTOS]);
 -diff -NupwB sshd=5Fconfig sshd=5Fconfig
 ---- sshd=5Fconfig=092008-07-02 08:35:43.000000000 -0400
 -+++ sshd=5Fconfig=092009-05-14 12:36:10.000000000 -0400
 -@@ -112,6 +112,20 @@ Protocol 2
 - # override default of no subsystems
 - Subsystem=09sftp=09/usr/libexec/sftp-server
 -=20
 -+# the following are HPN related configuration options
 -+# tcp receive buffer polling. disable in non autotuning kernels
 -+#TcpRcvBufPoll yes
 -+=20
 -+# allow the use of the none cipher
 -+#NoneEnabled no
 -+
 -+# disable hpn performance boosts.=20
 -+#HPNDisabled no
 -+
 -+# buffer size for hpn to non-hpn connections
 -+#HPNBufferSize 2048
 -+
 -+
 - # Example of overriding settings on a per-user basis
 - #Match User anoncvs
 - #=09X11Forwarding no
 -diff -NupwB version.h version.h
 ---- version.h=092009-02-22 19:09:26.000000000 -0500
 -+++ version.h=092009-05-14 12:42:05.000000000 -0400
 -@@ -3,4 +3,5 @@
 - #define SSH=5FVERSION=09"OpenSSH=5F5.2"
 -=20
 - #define SSH=5FPORTABLE=09"p1"
 --#define SSH=5FRELEASE=09SSH=5FVERSION SSH=5FPORTABLE
 -+#define SSH=5FHPN         "-hpn13v6"
 -+#define SSH=5FRELEASE=09SSH=5FVERSION SSH=5FPORTABLE SSH=5FHPN
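Review bot: dropping the port's local copy of the hpn13v6 diff in favour of the upstream patch is fine, but two things in the copy being removed should be checked against whatever the port now fetches. The do_ssh2_kex hunk carries leftover debugging (`myflag++;` and `debug ("MYFLAG IS %d", myflag);`) that has no place in a release build, and the same hunk wires `options.none_enabled` to `KEX_ENCRYPT_INCLUDE_NONE`, which together with the `#NoneEnabled no` knob added to sshd_config lets an administrator switch the session cipher off entirely; the port should keep that defaulted to no and say so in the option description. The version.h hunk also appends `-hpn13v6` to SSH_RELEASE, which sshd advertises in its version banner, so the HPN version the port's Makefile and distinfo name must match the upstream patch actually fetched.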
 Index: files/openssh-5.2p1.sftpfilecontrol-v1.3.patch
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: files/openssh-5.2p1.sftpfilecontrol-v1.3.patch
 diff -N files/openssh-5.2p1.sftpfilecontrol-v1.3.patch
 --- files/openssh-5.2p1.sftpfilecontrol-v1.3.patch=0931 Aug 2010 02:46:=
 44 -0000=091.1
 +++ /dev/null=091 Jan 1970 00:00:00 -0000
 @@ -1,488 +0,0 @@
 -Sftpfilecontrol Patch v1.3
 -A patch to provide control over umask, chmod, chown, and chgrp in the =
 sftp-server that comes with openssh.
 -This patch is derived from the sftplogging patch.
 -
 -Original patch by Michael Martinez <sftpfilecontrol at gmail.com>
 -Copyright (c) 2002 - 2009, Michael Martinez
 -All rights reserved.
 -
 -Redistribution and use in source and binary forms, with or without mod=
 ification, are permitted provided that the
 -following conditions are met:
 -
 -- Redistributions of source code must retain the above copyright notic=
 e, this list of conditions and the following disclaimer.
 -- Redistributions in binary form must reproduce the above copyright no=
 tice, this list of conditions and the following disclaimer in the docum=
 entation and/or other materials provided with the distribution.
 -- Neither the name of Michael Martinez nor the names of its contributo=
 rs may be used to endorse or promote products derived from this softwar=
 e without specific prior written permission.
 -
 -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "A=
 S IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
 -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILI=
 TY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE L=
 IABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMIT=
 ED TO, PROCUREMENT OF SUBSTITUTE GOODS
 -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) =
 HOWEVER CAUSED AND ON ANY THEORY OF
 -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING N=
 EGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF=
  SUCH DAMAGE.
 -
 -Patch source using: patch -p0 < /path/to/patch
 -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D
 -Only in .: Makefile
 -Common subdirectories: gautom4te-2.53.cache and autom4te-2.53.cache
 -Common subdirectories: gcontrib and contrib
 -Common subdirectories: gopenbsd-compat and openbsd-compat
 -Common subdirectories: gregress and regress
 -Common subdirectories: gscard and scard
 -diff -u gversion.h version.h
 ---- gversion.h  Mon Feb 23 17:24:15 2004
 -+++ version.h=09Tues Apr  5 09:43:35 2005
 -@@ -5,2 +5,2 @@
 --#define SSH=5FPORTABLE=09"p1"
 -+#define SSH=5FPORTABLE=09"p1+sftpfilecontrol-v1.3"
 - #define SSH=5FRELEASE=09SSH=5FVERSION SSH=5FPORTABLE
 -diff -u gservconf.c servconf.c
 ---- gservconf.c=09Thu Sep  5 00:35:15 2002
 -+++ servconf.c=09Wed Jan 29 09:43:35 2003
 -@@ -119,4 +119,10 @@
 - =09options->authorized=5Fkeys=5Ffile =3D NULL;
 - =09options->authorized=5Fkeys=5Ffile2 =3D NULL;
 -+
 -+ =09memset(options->sftp=5Fumask, 0, SFTP=5FUMASK=5FLENGTH);
 -+
 -+=09options->sftp=5Fpermit=5Fchmod =3D SFTP=5FPERMIT=5FNOT=5FSET;
 -+=09options->sftp=5Fpermit=5Fchown =3D SFTP=5FPERMIT=5FNOT=5FSET;
 -+
 - =09options->num=5Faccept=5Fenv =3D 0;
 - =09options->permit=5Ftun =3D -1;
 -@@ -108,6 +108,6 @@
 - void
 - fill=5Fdefault=5Fserver=5Foptions(ServerOptions *options)
 - {
 --=09/* Portable-specific options */
 -+/* Portable-specific options */
 -=09if (options->use=5Fpam =3D=3D -1)
 -=09=09options->use=5Fpam =3D 1;
 -@@ -225,6 +225,16 @@
 - =09if (options->authorized=5Fkeys=5Ffile =3D=3D NULL)
 - =09=09options->authorized=5Fkeys=5Ffile =3D =5FPATH=5FSSH=5FUSER=5FPE=
 RMITTED=5FKEYS;
 -=20
 -+=09/* Don't set sftp-server umask */
 -+=09if (!options->sftp=5Fumask)
 -+=09=09memset(options->sftp=5Fumask, 0, SFTP=5FUMASK=5FLENGTH);
 -+
 -+=09/* allow sftp client to issue chmod, chown / chgrp commands */
 -+=09if (options->sftp=5Fpermit=5Fchmod =3D=3D SFTP=5FPERMIT=5FNOT=5FSE=
 T)
 -+=09=09options->sftp=5Fpermit=5Fchmod =3D SFTP=5FPERMIT=5FYES;
 -+=09if (options->sftp=5Fpermit=5Fchown =3D=3D SFTP=5FPERMIT=5FNOT=5FSE=
 T)
 -+=09=09options->sftp=5Fpermit=5Fchown =3D SFTP=5FPERMIT=5FYES;
 -+
 - =09/* Turn privilege separation on by default */
 - =09if (use=5Fprivsep =3D=3D -1)
 - =09=09use=5Fprivsep =3D 1;
 -@@ -264,4 +264,6 @@
 -=09sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 -=09sUsePrivilegeSeparation, sAllowAgentForwarding,
 -+=09sSftpUmask,
 -+=09sSftpPermitChown, sSftpPermitChmod,
 -=09sDeprecated, sUnsupported
 - } ServerOpCodes;
 -@@ -431,3 +431,6 @@
 - =09{ "acceptenv", sAcceptEnv, SSHCFG=5FGLOBAL },
 -+=09{ "sftpumask", sSftpUmask},
 -+=09{ "sftppermitchmod", sSftpPermitChmod},
 -+=09{ "sftppermitchown", sSftpPermitChown},
 - =09{ "permittunnel", sPermitTunnel, SSHCFG=5FGLOBAL },
 - =09{ "match", sMatch, SSHCFG=5FALL },
 -@@ -640,8 +640,10 @@
 - =09char *cp, **charptr, *arg, *p;
 - =09int cmdline =3D 0, *intptr, value, n;
 -=09SyslogFacility *log=5Ffacility=5Fptr;
 -=09LogLevel *log=5Flevel=5Fptr;
 -+=09unsigned int umaskvalue =3D 0;
 -+=09char *umaskptr;
 -=09ServerOpCodes opcode;
 -=09int port;
 -=09u=5Fint i, flags =3D 0;
 -=09size=5Ft len;
 -@@ -1149,6 +1149,32 @@
 - =09case sBanner:
 - =09=09charptr =3D &options->banner;
 - =09=09goto parse=5Ffilename;
 -
 -+
 -+        case sSftpUmask:
 -+                arg =3D strdelim(&cp);
 -+=09=09umaskptr =3D arg;
 -+                while (*arg && *arg >=3D '0' && *arg <=3D '9')
 -+                    umaskvalue =3D umaskvalue * 8 + *arg++ - '0';
 -+                if (*arg || umaskvalue > 0777)
 -+                    fatal("%s line %d: bad value for umask",
 -+=09=09=09    filename, linenum);
 -+=09=09else {
 -+=09=09=09while (*umaskptr && *umaskptr =3D=3D '0')
 -+=09=09=09=09=09*umaskptr++;
 -+=09=09=09strncpy(options->sftp=5Fumask, umaskptr,
 -+=09=09=09=09SFTP=5FUMASK=5FLENGTH);
 -+=09=09}
 -+
 -+                break;
 -+
 -+        case sSftpPermitChmod:
 -+                intptr =3D &options->sftp=5Fpermit=5Fchmod;
 -+                goto parse=5Fflag;
 -+
 -+        case sSftpPermitChown:
 -+                intptr =3D &options->sftp=5Fpermit=5Fchown;
 -+                goto parse=5Fflag;
 -+
 - =09/*
 - =09 * These options can contain %X options expanded at
 -@@ -1290,6 +1290,7 @@
 - =09if ((arg =3D strdelim(&cp)) !=3D NULL && *arg !=3D '\0')
 - =09=09fatal("%s line %d: garbage at end of line; \"%.200s\".",
 - =09=09    filename, linenum, arg);
 -+
 - =09return 0;
 - }
 -=20
 -diff -u gservconf.h servconf.h
 ---- gservconf.h=09Wed Jul 31 21:28:39 2002
 -+++ servconf.h=09Wed Jan 29 09:41:06 2003
 -@@ -35,4 +35,11 @@
 - #define PERMIT=5FNO=5FPASSWD=092
 - #define PERMIT=5FYES=09=093
 -=20
 -+/* sftp-server umask control */
 -+#define SFTP=5FUMASK=5FLENGTH=095
 -+
 -+/* sftp-server client priviledge */
 -+#define SFTP=5FPERMIT=5FNOT=5FSET=09-1
 -+#define SFTP=5FPERMIT=5FNO=09=090
 -+#define SFTP=5FPERMIT=5FYES=09=091
 - #define DEFAULT=5FAUTH=5FFAIL=5FMAX=096=09/* Default for MaxAuthTries=
  */
 -@@ -145,2 +145,5 @@
 -=09int=09use=5Fpam;=09=09/* Enable auth via PAM */
 -+=09char=09sftp=5Fumask[SFTP=5FUMASK=5FLENGTH];=09=09/* Sftp Umask */
 -+=09int=09sftp=5Fpermit=5Fchmod;
 -+=09int=09sftp=5Fpermit=5Fchown;
 -=09int=09permit=5Ftun;
 -diff -u gsession.c session.c
 ---- gsession.c=09Wed Sep 25 20:38:50 2002
 -+++ session.c=09Wed Jan 29 09:44:18 2003
 -@@ -111,6 +111,8 @@
 - login=5Fcap=5Ft *lc;
 - #endif
 -=20
 -+static char *sftpumask;
 -+
 - /* Name and directory of socket for authentication agent forwarding. =
 */
 - static char *auth=5Fsock=5Fname =3D NULL;
 - static char *auth=5Fsock=5Fdir =3D NULL;
 -@@ -957,6 +966,7 @@
 - =09env =3D xmalloc(envsize * sizeof(char *));
 - =09env[0] =3D NULL;
 -=20
 -+
 - #ifdef HAVE=5FCYGWIN
 - =09/*
 - =09 * The Windows environment contains some setting which are
 -@@ -1083,6 +1093,43 @@
 - =09if (auth=5Fsock=5Fname !=3D NULL)
 - =09=09child=5Fset=5Fenv(&env, &envsize, SSH=5FAUTHSOCKET=5FENV=5FNAME=
 ,
 - =09=09    auth=5Fsock=5Fname);
 -+
 -+=09/* SFTP=5FUMASK */
 -+
 -+=09if (options.sftp=5Fumask[0] =3D=3D '\0')
 -+=09=09child=5Fset=5Fenv(&env, &envsize, "SFTP=5FUMASK",=20
 -+=09=09=09"" );
 -+=09else {
 -+=09=09if (!(sftpumask =3D calloc(SFTP=5FUMASK=5FLENGTH,1))) {
 -+
 -+logit("session.c: unabled to allocate memory for SftpUmask. SftpUmask=
  control \
 -+will be turned off.");
 -+
 -+=09=09child=5Fset=5Fenv(&env, &envsize, "SFTP=5FUMASK",=20
 -+=09=09=09"" );
 -+=09=09} else {
 -+=09=09=09strncpy(sftpumask, options.sftp=5Fumask,
 -+=09=09=09=09SFTP=5FUMASK=5FLENGTH);
 -+=09=09=09child=5Fset=5Fenv(&env, &envsize, "SFTP=5FUMASK",=20
 -+=09=09=09=09sftpumask );
 -+=09=09}
 -+=09}
 -+
 -+        /* SFTP=5FPERMIT=5FCHMOD */
 -+        if (options.sftp=5Fpermit=5Fchmod =3D=3D -1 )
 -+                child=5Fset=5Fenv(&env, &envsize, "SFTP=5FPERMIT=5FCH=
 MOD", "-1");
 -+        else if (options.sftp=5Fpermit=5Fchmod =3D=3D 0)
 -+                child=5Fset=5Fenv(&env, &envsize, "SFTP=5FPERMIT=5FCH=
 MOD", "0");
 -+        else
 -+                child=5Fset=5Fenv(&env, &envsize, "SFTP=5FPERMIT=5FCH=
 MOD", "1");
 -+
 -+        /* SFTP=5FPERMIT=5FCHOWN */
 -+        if (options.sftp=5Fpermit=5Fchown =3D=3D -1 )
 -+                child=5Fset=5Fenv(&env, &envsize, "SFTP=5FPERMIT=5FCH=
 OWN", "-1");
 -+        else if (options.sftp=5Fpermit=5Fchown =3D=3D 0)
 -+                child=5Fset=5Fenv(&env, &envsize, "SFTP=5FPERMIT=5FCH=
 OWN", "0");
 -+        else
 -+                child=5Fset=5Fenv(&env, &envsize, "SFTP=5FPERMIT=5FCH=
 OWN", "1");
 -=20
 - =09/* read $HOME/.ssh/environment. */
 - =09if (options.permit=5Fuser=5Fenv && !options.use=5Flogin) {
 -diff -u gsftp-server.8 sftp-server.8
 ---- gsftp-server.8=09Mon Jun 25 00:45:35 2001
 -+++ sftp-server.8=09Wed Jan 29 10:11:28 2003
 -@@ -51,3 +51,12 @@
 - See
 - .Xr sshd=5Fconfig 5
 -+for more information.=20
 -+The administrator may exert control over the file and directory
 -+permission and ownership, with
 -+.Cm SftpUmask ,
 -+.Cm SftpPermitChmod ,
 -+and
 -+.Cm SftpPermitChown
 -+. See
 -+.Xr sshd=5Fconfig 5
 - for more information.
 -@@ -75,8 +75,9 @@=20
 - .Sh SEE ALSO
 - .Xr sftp 1 ,
 - .Xr ssh 1 ,
 - .Xr sshd=5Fconfig 5 ,
 --.Xr sshd 8
 -+.Xr sshd 8,
 -+.Xr sshd=5Fconfig 5
 - .Rs
 - .%A T. Ylonen
 - .%A S. Lehtinen
 -diff -u gsshd.c sshd.c
 ---- gsshd.c       Wed Sep 11 19:54:27 2002
 -+++ sshd.c        Mon Nov 10 11:26:45 2003
 -@@ -379,4 +379,3 @@
 -=09}
 --=09snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s%s", major, minor,
 --=09    SSH=5FVERSION, newline);
 -+=09snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH=5F=
 RELEASE);
 -=09server=5Fversion=5Fstring =3D xstrdup(buf);
 -diff -u gsftp-server.c sftp-server.c
 ---- gsftp-server.c       Wed Sep 11 19:54:27 2002
 -+++ sftp-server.c     Mon Nov 10 11:26:45 2003
 -@@ -51,3 +51,9 @@
 - #define get=5Fstring(lenp) =09=09buffer=5Fget=5Fstring(&iqueue, lenp)=
 ;
 -=20
 -+/* SFTP=5FUMASK */
 -+static mode=5Ft setumask =3D 0;
 -+
 -+static int permit=5Fchmod =3D 1;
 -+static int permit=5Fchown =3D 1;
 -+
 - /* Our verbosity */
 -@@ -500,5 +500,12 @@
 - =09flags =3D flags=5Ffrom=5Fportable(pflags);
 - =09mode =3D (a->flags & SSH2=5FFILEXFER=5FATTR=5FPERMISSIONS) =3F a->=
 perm : 0666;
 -+
 -+=09if (setumask !=3D 0) {
 -+=09=09logit("setting file creation mode to 0666 and umask to %o", set=
 umask);
 -+=09=09mode =3D 0666;
 -+=09=09umask(setumask);
 -+=09}
 -+
 - =09logit("open \"%s\" flags %s mode 0%o",
 - =09    name, string=5Ffrom=5Fportable(pflags), mode);
 - =09fd =3D open(name, flags, mode);
 -@@ -512,6 +512,7 @@
 - =09=09=09status =3D SSH2=5FFX=5FOK;
 - =09=09}
 - =09}
 -+=09logit("open %s", name);
 - =09if (status !=3D SSH2=5FFX=5FOK)
 - =09=09send=5Fstatus(id, status);
 - =09xfree(name);
 -@@ -703,6 +703,8 @@
 -=09name =3D get=5Fstring(NULL);
 -=09a =3D get=5Fattrib();
 -=09debug("request %u: setstat name \"%s\"", id, name);
 -+=20
 -=09if (a->flags & SSH2=5FFILEXFER=5FATTR=5FSIZE) {
 -+logit("process=5Fsetstat: truncate");
 -=09=09logit("set \"%s\" size %llu",
 -=09=09    name, (unsigned long long)a->size);
 -@@ -708,9 +708,15 @@
 -=09=09=09status =3D errno=5Fto=5Fportable(errno);
 -=09}
 -=09if (a->flags & SSH2=5FFILEXFER=5FATTR=5FPERMISSIONS) {
 --=09=09logit("set \"%s\" mode %04o", name, a->perm);
 --=09=09ret =3D chmod(name, a->perm & 07777);
 --=09=09if (ret =3D=3D -1)
 --=09=09=09status =3D errno=5Fto=5Fportable(errno);
 -+=09=09if (permit=5Fchmod =3D=3D 1) {
 -+=09=09=09ret =3D chmod(name, a->perm & 0777);
 -+=09=09=09if (ret =3D=3D -1)
 -+=09=09=09=09status =3D errno=5Fto=5Fportable(errno);
 -+=09=09=09else
 -+=09=09=09=09logit("chmod'ed %s", name);
 -+=09=09} else {
 -+=09=09=09status =3D SSH2=5FFX=5FPERMISSION=5FDENIED;
 -+=09=09=09logit("chmod %s: operation prohibited by sftp-server configu=
 ration.", name);
 -+=09=09}
 -=09}
 -=09if (a->flags & SSH2=5FFILEXFER=5FATTR=5FACMODTIME) {
 -@@ -727,7 +727,12 @@
 -=09if (a->flags & SSH2=5FFILEXFER=5FATTR=5FUIDGID) {
 --=09=09logit("set \"%s\" owner %lu group %lu", name,
 --=09=09    (u=5Flong)a->uid, (u=5Flong)a->gid);
 --=09=09ret =3D chown(name, a->uid, a->gid);
 --=09=09if (ret =3D=3D -1)
 --=09=09=09status =3D errno=5Fto=5Fportable(errno);
 -+=09=09if (permit=5Fchown =3D=3D 1) {
 -+=09=09=09ret =3D chown(name, a->uid, a->gid);
 -+=09=09=09if (ret =3D=3D -1)
 -+=09=09=09=09status =3D errno=5Fto=5Fportable(errno);
 -+=09=09=09else
 -+=09=09=09=09logit("chown'ed %s.", name);
 -+=09=09} else {
 -+=09=09=09status =3D SSH2=5FFX=5FPERMISSION=5FDENIED;
 -+=09=09=09logit("chown %s: operation prohibited by sftp-server configu=
 ration.", name);
 -+=09=09}
 -=09}
 -@@ -752,5 +752,6 @@
 -=09=09if (a->flags & SSH2=5FFILEXFER=5FATTR=5FPERMISSIONS) {
 -=09=09=09logit("set \"%s\" mode %04o", name, a->perm);
 -+=09=09=09if (permit=5Fchmod =3D=3D 1) {
 - #ifdef HAVE=5FFCHMOD
 -=09=09=09ret =3D fchmod(fd, a->perm & 0777);
 - #else
 -@@ -757,8 +757,14 @@
 -=09=09=09ret =3D chmod(name, a->perm & 0777);
 - #endif
 -=09=09=09if (ret =3D=3D -1)
 -=09=09=09=09status =3D errno=5Fto=5Fportable(errno);
 -+=09=09=09else
 -+=09=09=09=09logit("chmod: succeeded.");
 -+=09=09   } else { /* permit=5Fchmod */
 -+                        status =3D SSH2=5FFX=5FPERMISSION=5FDENIED;
 -+=09=09=09logit("chmod: operation prohibited by sftp-server configurat=
 ion.");
 -+=09=09   } /* permit=5Fchmod */
 -=09=09}
 -=09=09if (a->flags & SSH2=5FFILEXFER=5FATTR=5FACMODTIME) {
 -=09=09=09char buf[64];
 -=09=09=09time=5Ft t =3D a->mtime;
 -@@ -777,14 +777,21 @@
 -=09=09if (a->flags & SSH2=5FFILEXFER=5FATTR=5FUIDGID) {
 -=09=09=09logit("set \"%s\" owner %lu group %lu", name,
 -=09=09=09    (u=5Flong)a->uid, (u=5Flong)a->gid);
 -+=09=09=09if (permit=5Fchown =3D=3D 1) {
 - #ifdef HAVE=5FFCHOWN
 -=09=09=09ret =3D fchown(fd, a->uid, a->gid);
 - #else
 -=09=09=09ret =3D chown(name, a->uid, a->gid);
 - #endif
 -=09=09=09if (ret =3D=3D -1)
 -=09=09=09=09status =3D errno=5Fto=5Fportable(errno);
 -+=09=09=09else
 -+=09=09=09=09logit("chown: succeeded");
 -+=09=09   } else { /* permit=5Fchown */
 -+=09=09=09status =3D SSH2=5FFX=5FPERMISSION=5FDENIED;
 -+=09=09=09logit("chown: operation prohibited by sftp-server configurat=
 ion.");
 -+=09=09   } /* permit=5Fchown */
 -=09=09}
 -=09}
 -=09send=5Fstatus(id, status);
 - }
 -@@ -916,6 +916,13 @@
 -=09a =3D get=5Fattrib();
 -=09mode =3D (a->flags & SSH2=5FFILEXFER=5FATTR=5FPERMISSIONS) =3F
 -=09    a->perm & 07777 : 0777;
 -+
 -+        if (setumask !=3D 0) {
 -+                logit("setting directory creation mode to 0777 and um=
 ask to %o.", setumask);
 -+                mode =3D 0777;
 -+                umask(setumask);
 -+        }
 -+
 -=09debug3("request %u: mkdir", id);
 -=09logit("mkdir name \"%s\" mode 0%o", name, mode);
 -=09ret =3D mkdir(name, mode);
 -@@ -1210,4 +1210,6 @@
 -=09fd=5Fset *rset, *wset;
 -=09int in, out, max, ch, skipargs =3D 0, log=5Fstderr =3D 0;
 -+=09unsigned int val =3D 0;
 -+=09char *umask=5Fenv;
 -=09ssize=5Ft len, olen, set=5Fsize;
 -=09SyslogFacility log=5Ffacility =3D SYSLOG=5FFACILITY=5FAUTH;
 -@@ -1271,4 +1271,33 @@
 -=09handle=5Finit();
 -
 -+=09/* Umask control */
 -+
 -+=09umask=5Fenv =3D getenv("SFTP=5FUMASK");
 -+=09if ( umask=5Fenv && *umask=5Fenv !=3D NULL )
 -+=09{
 -+=09=09while (*umask=5Fenv && *umask=5Fenv >=3D '0' && *umask=5Fenv <=3D=
  '9')
 -+=09=09=09val =3D val * 8 + *umask=5Fenv++ - '0';
 -+
 -+=09=09if (*umask=5Fenv || val > 0777 || val =3D=3D 0) {
 -+=09=09=09logit("bad value %o for SFTP=5FUMASK, turning umask control =
 off.", val);
 -+=09=09=09setumask =3D 0;
 -+=09=09} else {
 -+=09=09=09logit("umask control is on.");
 -+=09=09=09setumask =3D val;
 -+=09=09};
 -+=09} else setumask =3D 0;
 -+
 -+
 -+=09/* Sensitive client commands */
 -+=09
 -+        if ( (getenv("SFTP=5FPERMIT=5FCHMOD") !=3D NULL) && (atoi(get=
 env("SFTP=5FPERMIT=5FCHMOD")) !=3D 1) ) {
 -+=09=09permit=5Fchmod =3D 0;
 -+                logit("client is not permitted to chmod.");
 -+=09};
 -+        if ( (getenv("SFTP=5FPERMIT=5FCHOWN") !=3D NULL) && (atoi(get=
 env("SFTP=5FPERMIT=5FCHOWN")) !=3D 1) ) {
 -+=09=09permit=5Fchown =3D 0;
 -+                logit("client is not permitted to chown.");
 -+=09};
 -+=09
 -=09in =3D dup(STDIN=5FFILENO);
 -=09out =3D dup(STDOUT=5FFILENO);
 -Only in : ssh=5Fprng=5Fcmds
 -diff -u gsshd=5Fconfig sshd=5Fconfig
 ---- gsshd=5Fconfig=09Thu Sep 26 23:21:58 2002
 -+++ sshd=5Fconfig=09Wed Jan 29 10:08:39 2003
 -@@ -91,5 +91,11 @@
 - # override default of no subsystems
 - Subsystem=09sftp=09/usr/libexec/sftp-server
 -
 -+# sftp-server umask control
 -+#SftpUmask
 -+
 -+#SftpPermitChmod yes
 -+#SftpPermitChown yes
 -+
 - # Example of overriding settings on a per-user basis
 - #Match User anoncvs
 -diff -u gsshd=5Fconfig.5 sshd=5Fconfig.5
 ---- gsshd=5Fconfig.5=09Wed Sep 18 21:51:22 2002
 -+++ sshd=5Fconfig.5=09Wed Jan 29 10:10:03 2003
 -@@ -558,5 +562,21 @@
 - .It Cm ServerKeyBits
 - Defines the number of bits in the ephemeral protocol version 1 server=
  key.
 - The minimum value is 512, and the default is 1024.
 -+.It Cm SftpPermitChmod
 -+Specifies whether the sftp-server allows the sftp client to execute c=
 hmod=20
 -+commands on the server. The default is yes.
 -+.It Cm SftpPermitChown
 -+Specifies whether the sftp-server allows the sftp client to execute c=
 hown
 -+or chgrp commands on the server. Turning this value on means that the=
  client
 -+is allowed to execute both chown and chgrp commands. Turning it off m=
 eans that
 -+the client is prohibited from executing either chown or chgrp.
 -+ The default is yes.
 -+.It Cm SftpUmask
 -+Specifies an optional umask for=20
 -+.Nm sftp-server
 -+subsystem transactions. If a umask is given, this umask will override=
  all system,=20
 -+environment or sftp client permission modes. If
 -+no umask or an invalid umask is given, file creation mode defaults to=
  the permission
 -+mode specified by the sftp client. The default is for no umask.
 - .It Cm StrictModes
 - Specifies whether
 -/* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */
 -
 -#define SSH=5FVERSION    "OpenSSH=5F5.2p1"
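Review bot: removing this local copy instead of forward-porting it matches the plan of marking FILECONTROL BROKEN until upstream catches up, and the file deserved to go: its last three lines (`/* $OpenBSD: version.h ... */` and `#define SSH_VERSION "OpenSSH_5.2p1"`) are a stray fragment with no hunk header in front of them, so patch(1) would have rejected them as garbage. Whoever re-adds the upstream version should diff it against this 1.3 copy for defects it carried: in fill_default_server_options the test `if (!options->sftp_umask)` is applied to a char array (`char sftp_umask[SFTP_UMASK_LENGTH];` in servconf.h), so it can never be true and the memset is dead; in the sSftpUmask parser `*umaskptr++;` dereferences and discards a byte where `umaskptr++;` was meant; the three `{ "sftpumask", sSftpUmask}` style keyword entries omit the SSHCFG_GLOBAL/SSHCFG_ALL flags field that every neighbouring entry has, which is what servconf.c uses to decide whether a keyword is allowed globally or inside a Match block; and the chmod branches quietly mask with `0777` where the original code used `07777`, dropping setuid/setgid/sticky bits without logging that it did so.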
 Index: files/scardpin.patch
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 RCS file: files/scardpin.patch
 diff -N files/scardpin.patch
 --- files/scardpin.patch=0930 Aug 2007 15:40:39 -0000=091.2
 +++ /dev/null=091 Jan 1970 00:00:00 -0000
 @@ -1,134 +0,0 @@
 -#
 -# https://bugzilla.mindrot.org/show=5Fbug.cgi=3Fid=3D608
 -#
 -Index: scard-opensc.c
 -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 -RCS file: /cvs/openssh/scard-opensc.c,v
 -retrieving revision 1.12
 -diff -u -r1.12 scard-opensc.c
 ---- scard-opensc.c=0925 Aug 2003 00:58:26 -0000=091.12
 -+++ scard-opensc.c=0927 Aug 2003 11:42:02 -0000
 -@@ -38,6 +38,8 @@
 - #include "readpass.h"
 - #include "scard.h"
 -=20
 -+int ask=5Ffor=5Fpin=3D0;
 -+
 - #if OPENSSL=5FVERSION=5FNUMBER < 0x00907000L && defined(CRYPTO=5FLOCK=
 =5FENGINE)
 - #define USE=5FENGINE
 - #define RSA=5Fget=5Fdefault=5Fmethod RSA=5Fget=5Fdefault=5Fopenssl=5F=
 method
 -@@ -119,6 +121,7 @@
 - =09struct sc=5Fpkcs15=5Fprkey=5Finfo *key;
 - =09struct sc=5Fpkcs15=5Fobject *pin=5Fobj;
 - =09struct sc=5Fpkcs15=5Fpin=5Finfo *pin;
 -+=09char *passphrase =3D NULL;
 -=20
 - =09priv =3D (struct sc=5Fpriv=5Fdata *) RSA=5Fget=5Fapp=5Fdata(rsa);
 - =09if (priv =3D=3D NULL)
 -@@ -156,24 +159,47 @@
 - =09=09goto err;
 - =09}
 - =09pin =3D pin=5Fobj->data;
 -+
 -+=09if (sc=5Fpin)
 -+=09=09passphrase =3D sc=5Fpin;
 -+=09else if (ask=5Ffor=5Fpin) {
 -+=09=09/* we need a pin but don't have one =3D> ask for the pin */
 -+=09=09char prompt[64];
 -+
 -+=09=09snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ",
 -+=09=09=09key=5Fobj->label =3F key=5Fobj->label : "smartcard key");
 -+=09=09passphrase =3D read=5Fpassphrase(prompt, 0);
 -+=09=09if (!passphrase || !strcmp(passphrase, ""))
 -+=09=09=09goto err;
 -+=09} else=20
 -+=09=09/* no pin =3D> error */
 -+=09=09goto err;
 -+
 - =09r =3D sc=5Flock(card);
 - =09if (r) {
 - =09=09error("Unable to lock smartcard: %s", sc=5Fstrerror(r));
 - =09=09goto err;
 - =09}
 --=09if (sc=5Fpin !=3D NULL) {
 --=09=09r =3D sc=5Fpkcs15=5Fverify=5Fpin(p15card, pin, sc=5Fpin,
 --=09=09=09=09=09 strlen(sc=5Fpin));
 --=09=09if (r) {
 --=09=09=09sc=5Funlock(card);
 --=09=09=09error("PIN code verification failed: %s",
 --=09=09=09      sc=5Fstrerror(r));
 --=09=09=09goto err;
 --=09=09}
 -+=09r =3D sc=5Fpkcs15=5Fverify=5Fpin(p15card, pin, passphrase,
 -+=09=09=09=09 strlen(passphrase));
 -+=09if (r) {
 -+=09=09sc=5Funlock(card);
 -+=09=09error("PIN code verification failed: %s",
 -+=09=09      sc=5Fstrerror(r));
 -+=09=09goto err;
 - =09}
 -+
 - =09*key=5Fobj=5Fout =3D key=5Fobj;
 -+=09if (!sc=5Fpin) {
 -+=09=09memset(passphrase, 0, strlen(passphrase));
 -+=09=09xfree(passphrase);
 -+=09}
 - =09return 0;
 - err:
 -+=09if (!sc=5Fpin && passphrase) {
 -+=09=09memset(passphrase, 0, strlen(passphrase));
 -+=09=09xfree(passphrase);
 -+=09}
 - =09sc=5Fclose();
 - =09return -1;
 - }
 -Index: scard.c
 -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 -RCS file: /cvs/openssh/scard.c,v
 -retrieving revision 1.27
 -diff -u -r1.27 scard.c
 ---- scard.c=0918 Jun 2003 10:28:40 -0000=091.27
 -+++ scard.c=0927 Aug 2003 11:42:02 -0000
 -@@ -35,6 +35,9 @@
 - #include "readpass.h"
 - #include "scard.h"
 -=20
 -+/* currently unused */
 -+int ask=5Ffor=5Fpin =3D 0;
 -+
 - #if OPENSSL=5FVERSION=5FNUMBER < 0x00907000L
 - #define USE=5FENGINE
 - #define RSA=5Fget=5Fdefault=5Fmethod RSA=5Fget=5Fdefault=5Fopenssl=5F=
 method
 -Index: scard.h
 -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 -RCS file: /cvs/openssh/scard.h,v
 -retrieving revision 1.10
 -diff -u -r1.10 scard.h
 ---- scard.h=0918 Jun 2003 10:28:40 -0000=091.10
 -+++ scard.h=0927 Aug 2003 11:42:02 -0000
 -@@ -33,6 +33,8 @@
 - #define SCARD=5FERROR=5FNOCARD=09-2
 - #define SCARD=5FERROR=5FAPPLET=09-3
 -=20
 -+extern int ask=5Ffor=5Fpin;
 -+
 - Key=09**sc=5Fget=5Fkeys(const char *, const char *);
 - void=09 sc=5Fclose(void);
 - int=09 sc=5Fput=5Fkey(Key *, const char *);
 -Index: ssh.c
 -=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
 -RCS file: /cvs/openssh/ssh.c,v
 -retrieving revision 1.180
 -diff -u -r1.180 ssh.c
 ---- ssh.c=0921 Aug 2003 23:34:41 -0000=091.180
 -+++ ssh.c=0927 Aug 2003 11:42:02 -0000
 -@@ -1155,6 +1155,9 @@
 - #ifdef SMARTCARD
 - =09Key **keys;
 -=20
 -+=09if (!options.batch=5Fmode)
 -+=09=09ask=5Ffor=5Fpin =3D 1;
 -+
 - =09if (options.smartcard=5Fdevice !=3D NULL &&
 - =09    options.num=5Fidentity=5Ffiles < SSH=5FMAX=5FIDENTITY=5FFILES =
 &&
 - =09    (keys =3D sc=5Fget=5Fkeys(options.smartcard=5Fdevice, NULL)) !=
 =3D NULL ) {
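Review bot: deleting scardpin.patch is correct rather than optional housekeeping: it patches scard-opensc.c, scard.c and scard.h, which no longer exist in 5.6p1 (the libsectok/OpenSC smartcard code was replaced by PKCS#11 support in 5.4), so the patch cannot apply at all. The behaviour it added, prompting for the PIN via read_passphrase when no PIN was supplied and `options.batch_mode` is off, then zeroing and freeing the buffer with memset/xfree on both the success and the err paths, is covered by the PKCS#11 provider code in 5.6, which has its own PIN prompt. Nothing here needs carrying forward; just confirm no leftover OPTION in the Makefile still references the old opensc/scard build.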
 



More information about the freebsd-ports-bugs mailing list