svn commit: r197679 - in head: crypto/openssh
crypto/openssh/openbsd-compat secure/libexec/sftp-server
secure/libexec/ssh-keysign secure/usr.bin/scp
secure/usr.bin/sftp secure/usr.bin/ssh secure/us...
Dag-Erling Smorgrav
des at FreeBSD.org
Thu Oct 1 17:12:53 UTC 2009
Author: des
Date: Thu Oct 1 17:12:52 2009
New Revision: 197679
URL: http://svn.freebsd.org/changeset/base/197679
Log:
Upgrade to OpenSSH 5.3p1.
Added:
head/crypto/openssh/roaming.h
- copied unchanged from r197675, vendor-crypto/openssh/dist/roaming.h
head/crypto/openssh/roaming_common.c
- copied unchanged from r197675, vendor-crypto/openssh/dist/roaming_common.c
head/crypto/openssh/roaming_dummy.c
- copied unchanged from r197675, vendor-crypto/openssh/dist/roaming_dummy.c
head/crypto/openssh/schnorr.h
- copied unchanged from r197675, vendor-crypto/openssh/dist/schnorr.h
Modified:
head/crypto/openssh/ (props changed)
head/crypto/openssh/ChangeLog
head/crypto/openssh/README
head/crypto/openssh/README.platform
head/crypto/openssh/auth-pam.c
head/crypto/openssh/auth-passwd.c
head/crypto/openssh/auth-sia.c
head/crypto/openssh/auth1.c
head/crypto/openssh/auth2-jpake.c
head/crypto/openssh/auth2-kbdint.c
head/crypto/openssh/auth2-none.c
head/crypto/openssh/auth2-passwd.c
head/crypto/openssh/auth2-pubkey.c
head/crypto/openssh/auth2.c
head/crypto/openssh/canohost.c
head/crypto/openssh/canohost.h
head/crypto/openssh/channels.c
head/crypto/openssh/clientloop.c
head/crypto/openssh/config.h
head/crypto/openssh/config.h.in
head/crypto/openssh/defines.h
head/crypto/openssh/gss-genr.c
head/crypto/openssh/includes.h
head/crypto/openssh/jpake.c
head/crypto/openssh/jpake.h
head/crypto/openssh/kex.c
head/crypto/openssh/kex.h
head/crypto/openssh/kexdhs.c
head/crypto/openssh/kexgexs.c
head/crypto/openssh/monitor.c
head/crypto/openssh/monitor_mm.c
head/crypto/openssh/monitor_wrap.c
head/crypto/openssh/monitor_wrap.h
head/crypto/openssh/openbsd-compat/bsd-cygwin_util.c
head/crypto/openssh/openbsd-compat/bsd-cygwin_util.h
head/crypto/openssh/openbsd-compat/daemon.c
head/crypto/openssh/openbsd-compat/getrrsetbyname.c
head/crypto/openssh/openbsd-compat/openssl-compat.c
head/crypto/openssh/openbsd-compat/openssl-compat.h
head/crypto/openssh/openbsd-compat/port-aix.c
head/crypto/openssh/openbsd-compat/port-aix.h
head/crypto/openssh/packet.c
head/crypto/openssh/packet.h
head/crypto/openssh/readconf.c
head/crypto/openssh/readconf.h
head/crypto/openssh/schnorr.c
head/crypto/openssh/servconf.c
head/crypto/openssh/serverloop.c
head/crypto/openssh/session.c
head/crypto/openssh/sftp-client.c
head/crypto/openssh/sftp-server.8
head/crypto/openssh/sftp-server.c
head/crypto/openssh/ssh-agent.1
head/crypto/openssh/ssh-agent.c
head/crypto/openssh/ssh-keygen.c
head/crypto/openssh/ssh.1
head/crypto/openssh/ssh.c
head/crypto/openssh/ssh_config
head/crypto/openssh/ssh_config.5
head/crypto/openssh/ssh_namespace.h
head/crypto/openssh/sshconnect.c
head/crypto/openssh/sshconnect.h
head/crypto/openssh/sshconnect2.c
head/crypto/openssh/sshd.8
head/crypto/openssh/sshd.c
head/crypto/openssh/sshd_config
head/crypto/openssh/sshd_config.5
head/crypto/openssh/sshlogin.c
head/crypto/openssh/uuencode.c
head/crypto/openssh/version.h
head/secure/libexec/sftp-server/Makefile
head/secure/libexec/ssh-keysign/Makefile
head/secure/usr.bin/scp/Makefile
head/secure/usr.bin/sftp/Makefile
head/secure/usr.bin/ssh-add/Makefile
head/secure/usr.bin/ssh-agent/Makefile
head/secure/usr.bin/ssh-keygen/Makefile
head/secure/usr.bin/ssh-keyscan/Makefile
head/secure/usr.bin/ssh/Makefile
head/secure/usr.sbin/sshd/Makefile
Modified: head/crypto/openssh/ChangeLog
==============================================================================
--- head/crypto/openssh/ChangeLog Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/ChangeLog Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,3 +1,282 @@
+20090926
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Update for release
+ - (djm) [README] update relnotes URL
+ - (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
+ - (djm) Release 5.3p1
+
+20090911
+ - (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
+ 10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
+ from jbasney at ncsa uiuc edu.
+
+20090908
+ - (djm) [serverloop.c] Fix test for server-assigned remote forwarding port
+ (-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@
+
+20090901
+ - (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
+ krb5-config if it's not in the location specified by --with-kerberos5.
+ Patch from jchadima at redhat.
+
+20090829
+ - (dtucker) [README.platform] Add text about development packages, based on
+ text from Chris Pepper in bug #1631.
+
+20090828
+ - dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently
+ causes problems in some Tru64 configurations.
+ - (djm) [sshd_config.5] downgrade mention of login.conf to be an example
+ and mention PAM as another provider for ChallengeResponseAuthentication;
+ bz#1408; ok dtucker@
+ - (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when
+ attempting atomic rename(); ok dtucker@
+ - (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables
+ in argv, so pass them in the environment; ok dtucker@
+ - (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
+ the pty master on Solaris, since it never succeeds and can hang if large
+ amounts of data is sent to the slave (eg a copy-paste). Based on a patch
+ originally from Doke Scott, ok djm@
+ - (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
+ size a compile-time option and set it to 64k on Cygwin, since Corinna
+ reports that it makes a significant difference to performance. ok djm@
+ - (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry.
+
+20090820
+ - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
+ using it since the type conflicts can cause problems on FreeBSD. Patch
+ from Jonathan Chen.
+ - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
+ the setpcred call on AIX to immediately before the permanently_set_uid().
+ Ensures that we still have privileges when we call chroot and
+ pam_open_sesson. Based on a patch from David Leonard.
+
+20090817
+ - (dtucker) [configure.ac] Check for headers before libraries for openssl an
+ zlib, which should make the errors slightly more meaningful on platforms
+ where there's separate "-devel" packages for those.
+ - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make
+ PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders.
+
+20090729
+ - (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error
+ function. Patch from Corinna Vinschen.
+
+20090713
+ - (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it
+ fits into 16 bits to work around a bug in glibc's resolver where it masks
+ off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
+
+20090712
+ - (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test,
+ prevents configure complaining on older BSDs.
+ - (dtucker [contrib/cygwin/ssh-{host,user}-config] Add license text. Patch
+ from Corinna Vinschen.
+ - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on
+ logout to after the session close. Patch from Anicka Bernathova,
+ originally from Andreas Schwab via Novelll ok djm.
+
+20090707
+ - (dtucker) [contrib/cygwin/ssh-host-config] better support for automated
+ scripts and fix usage of eval. Patch from Corinna Vinschen.
+
+20090705
+ - (dtucker) OpenBSD CVS Sync
+ - andreas at cvs.openbsd.org 2009/06/27 09:29:06
+ [packet.h packet.c]
+ packet_bacup_state() and packet_restore_state() will be used to
+ temporarily save the current state ren resuming a suspended connection.
+ ok markus@
+ - andreas at cvs.openbsd.org 2009/06/27 09:32:43
+ [roaming_common.c roaming.h]
+ It may be necessary to retransmit some data when resuming, so add it
+ to a buffer when roaming is enabled.
+ Most of this code was written by Martin Forssen, maf at appgate dot com.
+ ok markus@
+ - andreas at cvs.openbsd.org 2009/06/27 09:35:06
+ [readconf.h readconf.c]
+ Add client option UseRoaming. It doesn't do anything yet but will
+ control whether the client tries to use roaming if enabled on the
+ server. From Martin Forssen.
+ ok markus@
+ - markus at cvs.openbsd.org 2009/06/30 14:54:40
+ [version.h]
+ crank version; ok deraadt
+ - dtucker at cvs.openbsd.org 2009/07/02 02:11:47
+ [ssh.c]
+ allow for long home dir paths (bz #1615). ok deraadt
+ (based in part on a patch from jchadima at redhat)
+ - stevesk at cvs.openbsd.org 2009/07/05 19:28:33
+ [clientloop.c]
+ only send SSH2_MSG_DISCONNECT if we're in compat20; from dtucker@
+ ok deraadt@ markus@
+
+20090622
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker at cvs.openbsd.org 2009/06/22 05:39:28
+ [monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
+ alphabetize includes; reduces diff vs portable and style(9).
+ ok stevesk djm
+ (Id sync only; these were already in order in -portable)
+
+20090621
+ - (dtucker) OpenBSD CVS Sync
+ - markus at cvs.openbsd.org 2009/03/17 21:37:00
+ [ssh.c]
+ pass correct argv[0] to openlog(); ok djm@
+ - jmc at cvs.openbsd.org 2009/03/19 15:15:09
+ [ssh.1]
+ for "Ciphers", just point the reader to the keyword in ssh_config(5), just
+ as we do for "MACs": this stops us getting out of sync when the lists
+ change;
+ fixes documentation/6102, submitted by Peter J. Philipp
+ alternative fix proposed by djm
+ ok markus
+ - tobias at cvs.openbsd.org 2009/03/23 08:31:19
+ [ssh-agent.c]
+ Fixed a possible out-of-bounds memory access if the environment variable
+ SHELL is shorter than 3 characters.
+ with input by and ok dtucker
+ - tobias at cvs.openbsd.org 2009/03/23 19:38:04
+ [ssh-agent.c]
+ My previous commit didn't fix the problem at all, so stick at my first
+ version of the fix presented to dtucker.
+ Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de).
+ ok dtucker
+ - sobrado at cvs.openbsd.org 2009/03/26 08:38:39
+ [sftp-server.8 sshd.8 ssh-agent.1]
+ fix a few typographical errors found by spell(1).
+ ok dtucker@, jmc@
+ - stevesk at cvs.openbsd.org 2009/04/13 19:07:44
+ [sshd_config.5]
+ fix possessive; ok djm@
+ - stevesk at cvs.openbsd.org 2009/04/14 16:33:42
+ [sftp-server.c]
+ remove unused option character from getopt() optstring; ok markus@
+ - jj at cvs.openbsd.org 2009/04/14 21:10:54
+ [servconf.c]
+ Fixed a few the-the misspellings in comments. Skipped a bunch in
+ binutils,gcc and so on. ok jmc@
+ - stevesk at cvs.openbsd.org 2009/04/17 19:23:06
+ [session.c]
+ use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server;
+ ok djm@ markus@
+ - stevesk at cvs.openbsd.org 2009/04/17 19:40:17
+ [sshd_config.5]
+ clarify that even internal-sftp needs /dev/log for logging to work; ok
+ markus@
+ - jmc at cvs.openbsd.org 2009/04/18 18:39:10
+ [sshd_config.5]
+ tweak previous; ok stevesk
+ - stevesk at cvs.openbsd.org 2009/04/21 15:13:17
+ [sshd_config.5]
+ clarify we cd to user's home after chroot; ok markus@ on
+ earlier version; tweaks and ok jmc@
+ - andreas at cvs.openbsd.org 2009/05/25 06:48:01
+ [channels.c packet.c clientloop.c packet.h serverloop.c monitor_wrap.c
+ monitor.c]
+ Put the globals in packet.c into a struct and don't access it directly
+ from other files. No functional changes.
+ ok markus@ djm@
+ - andreas at cvs.openbsd.org 2009/05/27 06:31:25
+ [canohost.h canohost.c]
+ Add clear_cached_addr(), needed for upcoming changes allowing the peer
+ address to change.
+ ok markus@
+ - andreas at cvs.openbsd.org 2009/05/27 06:33:39
+ [clientloop.c]
+ Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger
+ change from Martin Forssen, maf at appgate dot com.
+ ok markus@
+ - andreas at cvs.openbsd.org 2009/05/27 06:34:36
+ [kex.c kex.h]
+ Move the KEX_COOKIE_LEN define to kex.h
+ ok markus@
+ - andreas at cvs.openbsd.org 2009/05/27 06:36:07
+ [packet.h packet.c]
+ Add packet_put_int64() and packet_get_int64(), part of a larger change
+ from Martin Forssen.
+ ok markus@
+ - andreas at cvs.openbsd.org 2009/05/27 06:38:16
+ [sshconnect.h sshconnect.c]
+ Un-static ssh_exchange_identification(), part of a larger change from
+ Martin Forssen and needed for upcoming changes.
+ ok markus@
+ - andreas at cvs.openbsd.org 2009/05/28 16:50:16
+ [sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
+ monitor.c Added roaming.h roaming_common.c roaming_dummy.c]
+ Keep track of number of bytes read and written. Needed for upcoming
+ changes. Most code from Martin Forssen, maf at appgate dot com.
+ ok markus@
+ Also, applied appropriate changes to Makefile.in
+ - andreas at cvs.openbsd.org 2009/06/12 20:43:22
+ [monitor.c packet.c]
+ Fix warnings found by chl@ and djm@ and change roaming_atomicio's
+ return type to match atomicio's
+ Diff from djm@, ok markus@
+ - andreas at cvs.openbsd.org 2009/06/12 20:58:32
+ [packet.c]
+ Move some more statics into session_state
+ ok markus@ djm@
+ - dtucker at cvs.openbsd.org 2009/06/21 07:37:15
+ [kexdhs.c kexgexs.c]
+ abort if key_sign fails, preventing possible null deref. Based on report
+ from Paolo Ganci, ok markus@ djm@
+ - dtucker at cvs.openbsd.org 2009/06/21 09:04:03
+ [roaming.h roaming_common.c roaming_dummy.c]
+ Add tags for the benefit of the sync scripts
+ Also: pull in the changes for 1.1->1.2 missed in the previous sync.
+ - (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and
+ header-order changes to reduce diff vs OpenBSD.
+ - (dtucker) [servconf.c sshd.c] More whitespace sync.
+ - (dtucker) [roaming_common.c roaming_dummy.c] Wrap #include <inttypes.h> in
+ ifdef.
+
+20090616
+ - (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t
+ is a struct with a __val member. Fixes build on, eg, Redhat 6.2.
+
+20090504
+ - (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include
+ variable declarations. Should prevent unused warnings anywhere it's set
+ (only Crays as far as I can tell) and be a no-op everywhere else.
+
+20090318
+ - (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem
+ that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005.
+ Based on patch from vinschen at redhat com.
+
+20090308
+ - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
+ auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
+ openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
+ version of Cygwin. Patch from vinschen at redhat com.
+
+20090307
+ - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it
+ exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS
+ has a /dev/random).
+ - (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add
+ EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c
+ to use them. Allows building with older OpenSSL versions.
+ - (dtucker) [configure.ac defines.h] Check for in_port_t and typedef if needed.
+ - (dtucker) [configure.ac] Missing comma in type list.
+ - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]
+ EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg
+ in openssl 0.9.6) so add an explicit test for it.
+
+20090306
+ - (djm) OpenBSD CVS Sync
+ - djm at cvs.openbsd.org 2009/03/05 07:18:19
+ [auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c]
+ [sshconnect2.c]
+ refactor the (disabled) Schnorr proof code to make it a little more
+ generally useful
+ - djm at cvs.openbsd.org 2009/03/05 11:30:50
+ [uuencode.c]
+ document what these functions do so I don't ever have to recuse into
+ b64_pton/ntop to remember their return values
+
20090223
- (djm) OpenBSD CVS Sync
- djm at cvs.openbsd.org 2009/02/22 23:50:57
Modified: head/crypto/openssh/README
==============================================================================
--- head/crypto/openssh/README Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/README Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.2 for the release notes.
+See http://www.openssh.com/txt/release-5.3 for the release notes.
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
[7] http://www.openssh.com/faq.html
-$Id: README,v 1.70 2009/02/23 00:11:57 djm Exp $
+$Id: README,v 1.70.4.1 2009/09/26 04:11:47 djm Exp $
Modified: head/crypto/openssh/README.platform
==============================================================================
--- head/crypto/openssh/README.platform Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/README.platform Thu Oct 1 17:12:52 2009 (r197679)
@@ -56,6 +56,18 @@ using a third party driver. More informa
http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
+Linux
+-----
+
+Some Linux distributions (including Red Hat/Fedora/CentOS) include
+headers and library links in the -devel RPMs rather than the main
+binary RPMs. If you get an error about headers, or complaining about a
+missing prerequisite then you may need to install the equivalent
+development packages. On Redhat based distros these may be openssl-devel,
+zlib-devel and pam-devel, on Debian based distros these may be
+libssl-dev, libz-dev and libpam-dev.
+
+
Solaris
-------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
@@ -81,4 +93,4 @@ account stacks which will prevent authen
return the output from pam_nologin to the client.
-$Id: README.platform,v 1.9 2007/08/09 04:31:53 dtucker Exp $
+$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $
Modified: head/crypto/openssh/auth-pam.c
==============================================================================
--- head/crypto/openssh/auth-pam.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth-pam.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -602,16 +602,16 @@ sshpam_cleanup(void)
return;
debug("PAM: cleanup");
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
- if (sshpam_cred_established) {
- debug("PAM: deleting credentials");
- pam_setcred(sshpam_handle, PAM_DELETE_CRED);
- sshpam_cred_established = 0;
- }
if (sshpam_session_open) {
debug("PAM: closing session");
pam_close_session(sshpam_handle, PAM_SILENT);
sshpam_session_open = 0;
}
+ if (sshpam_cred_established) {
+ debug("PAM: deleting credentials");
+ pam_setcred(sshpam_handle, PAM_DELETE_CRED);
+ sshpam_cred_established = 0;
+ }
sshpam_authenticated = 0;
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
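Review bot: The new ordering in sshpam_cleanup (session close before PAM_DELETE_CRED) is the whole fix for bug #1534, but nothing at the site records that the order is deliberate, so a later tidy-up could swap it back. Suggest a comment on the moved block, e.g. `/* Delete credentials only after the session is closed; some modules need them during close (bug #1534). */`. The return values of both `pam_close_session()` and `pam_setcred()` are still discarded here, so a failed credential deletion leaves no trace in the log; a `debug()` on non-PAM_SUCCESS would help when diagnosing leftover credentials. sshpam_cleanup begins before the hunk.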
Modified: head/crypto/openssh/auth-passwd.c
==============================================================================
--- head/crypto/openssh/auth-passwd.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth-passwd.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -102,7 +102,7 @@ auth_password(Authctxt *authctxt, const
}
#endif
#ifdef HAVE_CYGWIN
- if (is_winnt) {
+ {
HANDLE hToken = cygwin_logon_user(pw, password);
if (hToken == INVALID_HANDLE_VALUE)
Modified: head/crypto/openssh/auth-sia.c
==============================================================================
--- head/crypto/openssh/auth-sia.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth-sia.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -34,10 +34,6 @@
#include <unistd.h>
#include <stdarg.h>
#include <string.h>
-#include <sys/types.h>
-#include <sys/security.h>
-#include <prot.h>
-#include <time.h>
#include "ssh.h"
#include "key.h"
@@ -53,52 +49,6 @@ extern ServerOptions options;
extern int saved_argc;
extern char **saved_argv;
-static int
-sia_password_change_required(const char *user)
-{
- struct es_passwd *acct;
- time_t pw_life;
- time_t pw_date;
-
- set_auth_parameters(saved_argc, saved_argv);
-
- if ((acct = getespwnam(user)) == NULL) {
- error("Couldn't access protected database entry for %s", user);
- endprpwent();
- return (0);
- }
-
- /* If forced password change flag is set, honor it */
- if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd) {
- endprpwent();
- return (1);
- }
-
- /* Obtain password lifetime; if none, it can't have expired */
- if (acct->uflg->fg_expire)
- pw_life = acct->ufld->fd_expire;
- else if (acct->sflg->fg_expire)
- pw_life = acct->sfld->fd_expire;
- else {
- endprpwent();
- return (0);
- }
-
- /* Offset from last change; if none, it must be expired */
- if (acct->uflg->fg_schange)
- pw_date = acct->ufld->fd_schange + pw_life;
- else {
- endprpwent();
- return (1);
- }
-
- endprpwent();
-
- /* If expiration date is prior to now, change password */
-
- return (pw_date <= time((time_t *) NULL));
-}
-
int
sys_auth_passwd(Authctxt *authctxt, const char *pass)
{
@@ -126,9 +76,6 @@ sys_auth_passwd(Authctxt *authctxt, cons
sia_ses_release(&ent);
- authctxt->force_pwchange = sia_password_change_required(
- authctxt->user);
-
return (1);
}
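Review bot: With the `force_pwchange` assignment removed, sys_auth_passwd no longer sets `authctxt->force_pwchange` on the SIA path, so an account whose password is flagged as change-required or expired is presumably accepted without being forced to change it; that is the rollback the ChangeLog describes for bug #1241, but nothing at this site records it. A comment before `return (1);`, e.g. `/* Password-expiry enforcement was rolled back here; see bug #1241 in ChangeLog */`, would keep the next reader from treating the missing assignment as an oversight. sys_auth_passwd begins outside the hunk.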
Modified: head/crypto/openssh/auth1.c
==============================================================================
--- head/crypto/openssh/auth1.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth1.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -318,15 +318,7 @@ do_authloop(Authctxt *authctxt)
}
#endif /* _UNICOS */
-#ifdef HAVE_CYGWIN
- if (authenticated &&
- !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
- authctxt->pw)) {
- packet_disconnect("Authentication rejected for uid %d.",
- authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
- authenticated = 0;
- }
-#else
+#ifndef HAVE_CYGWIN
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(meth->name)) {
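Review bot: The `#ifndef HAVE_CYGWIN` that replaces the old `#ifdef`/`#else` pair now has no `#else` branch, so on Cygwin the uid-0 `auth_root_allowed()` check is simply skipped and nothing explains why (the removed `check_nt_auth()` call used to make the platform split visible). Behaviour on Cygwin does not change, since the root check was already in the `#else` arm, but a comment on the `#ifndef` line such as `#ifndef HAVE_CYGWIN	/* no uid-0 root check on Cygwin; NT account checks were removed with Win9x support */` would document it. The `if` statement and do_authloop continue past the end of the hunk.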
Modified: head/crypto/openssh/auth2-jpake.c
==============================================================================
--- head/crypto/openssh/auth2-jpake.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth2-jpake.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-jpake.c,v 1.2 2008/11/07 23:34:48 dtucker Exp $ */
+/* $OpenBSD: auth2-jpake.c,v 1.3 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
@@ -42,8 +42,8 @@
#include "ssh2.h"
#include "key.h"
#include "hostfile.h"
-#include "buffer.h"
#include "auth.h"
+#include "buffer.h"
#include "packet.h"
#include "dispatch.h"
#include "log.h"
@@ -55,6 +55,7 @@
#endif
#include "monitor_wrap.h"
+#include "schnorr.h"
#include "jpake.h"
/*
@@ -359,7 +360,7 @@ auth2_jpake_get_pwdata(Authctxt *authctx
}
/*
- * Being authentication attempt.
+ * Begin authentication attempt.
* Note, sets authctxt->postponed while in subprotocol
*/
static int
Modified: head/crypto/openssh/auth2-kbdint.c
==============================================================================
--- head/crypto/openssh/auth2-kbdint.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth2-kbdint.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -58,10 +58,6 @@ userauth_kbdint(Authctxt *authctxt)
xfree(devs);
xfree(lang);
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(0, authctxt->pw) == 0)
- authenticated = 0;
-#endif
return authenticated;
}
Modified: head/crypto/openssh/auth2-none.c
==============================================================================
--- head/crypto/openssh/auth2-none.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth2-none.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -61,10 +61,6 @@ userauth_none(Authctxt *authctxt)
{
none_enabled = 0;
packet_check_eom();
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(1, authctxt->pw) == 0)
- return (0);
-#endif
if (options.password_authentication)
return (PRIVSEP(auth_password(authctxt, "")));
return (0);
Modified: head/crypto/openssh/auth2-passwd.c
==============================================================================
--- head/crypto/openssh/auth2-passwd.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth2-passwd.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -68,10 +68,6 @@ userauth_passwd(Authctxt *authctxt)
logit("password change not supported");
else if (PRIVSEP(auth_password(authctxt, password)) == 1)
authenticated = 1;
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(1, authctxt->pw) == 0)
- authenticated = 0;
-#endif
memset(password, 0, len);
xfree(password);
return authenticated;
Modified: head/crypto/openssh/auth2-pubkey.c
==============================================================================
--- head/crypto/openssh/auth2-pubkey.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth2-pubkey.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -170,10 +170,6 @@ done:
key_free(key);
xfree(pkalg);
xfree(pkblob);
-#ifdef HAVE_CYGWIN
- if (check_nt_auth(0, authctxt->pw) == 0)
- authenticated = 0;
-#endif
return authenticated;
}
Modified: head/crypto/openssh/auth2.c
==============================================================================
--- head/crypto/openssh/auth2.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/auth2.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.120 2008/11/04 08:22:12 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.121 2009/06/22 05:39:28 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@@ -36,8 +36,8 @@ __RCSID("$FreeBSD$");
#include <string.h>
#include <unistd.h>
-#include "xmalloc.h"
#include "atomicio.h"
+#include "xmalloc.h"
#include "ssh2.h"
#include "packet.h"
#include "log.h"
Modified: head/crypto/openssh/canohost.c
==============================================================================
--- head/crypto/openssh/canohost.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/canohost.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-/* $OpenBSD: canohost.c,v 1.64 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: canohost.c,v 1.65 2009/05/27 06:31:25 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -35,6 +35,8 @@
#include "misc.h"
static void check_ip_options(int, char *);
+static char *canonical_host_ip = NULL;
+static int cached_port = -1;
/*
* Return the canonical name of the host at the other end of the socket. The
@@ -304,6 +306,16 @@ get_local_name(int sock)
return get_socket_address(sock, 0, NI_NAMEREQD);
}
+void
+clear_cached_addr(void)
+{
+ if (canonical_host_ip != NULL) {
+ xfree(canonical_host_ip);
+ canonical_host_ip = NULL;
+ }
+ cached_port = -1;
+}
+
/*
* Returns the IP-address of the remote host as a string. The returned
* string must not be freed.
@@ -312,8 +324,6 @@ get_local_name(int sock)
const char *
get_remote_ipaddr(void)
{
- static char *canonical_host_ip = NULL;
-
/* Check whether we have cached the ipaddr. */
if (canonical_host_ip == NULL) {
if (packet_connection_is_on_socket()) {
@@ -402,13 +412,11 @@ get_peer_port(int sock)
int
get_remote_port(void)
{
- static int port = -1;
-
/* Cache to avoid getpeername() on a dead connection */
- if (port == -1)
- port = get_port(0);
+ if (cached_port == -1)
+ cached_port = get_port(0);
- return port;
+ return cached_port;
}
int
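Review bot: `clear_cached_addr()` frees `canonical_host_ip`, while the comment above `get_remote_ipaddr()` promises a string that "must not be freed", which callers may read as a stable pointer they can hold; after this change any pointer obtained from `get_remote_ipaddr()` before a `clear_cached_addr()` call dangles. The new function has no comment at all, so suggest one stating the invalidation, e.g. `/* Forget the cached peer address and port; any string previously returned by get_remote_ipaddr() is invalid after this call. */`, and a matching sentence in the `get_remote_ipaddr()` comment. The function bodies themselves look correct (free, then NULL, then reset the port sentinel).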
Modified: head/crypto/openssh/canohost.h
==============================================================================
--- head/crypto/openssh/canohost.h Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/canohost.h Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-/* $OpenBSD: canohost.h,v 1.10 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: canohost.h,v 1.11 2009/05/27 06:31:25 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -24,6 +24,6 @@ char *get_local_name(int);
int get_remote_port(void);
int get_local_port(void);
int get_sock_port(int, int);
-
+void clear_cached_addr(void);
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
Modified: head/crypto/openssh/channels.c
==============================================================================
--- head/crypto/openssh/channels.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/channels.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.295 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.296 2009/05/25 06:48:00 andreas Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1653,6 +1653,7 @@ channel_handle_wfd(Channel *c, fd_set *r
}
return -1;
}
+#ifndef BROKEN_TCGETATTR_ICANON
if (compat20 && c->isatty && dlen >= 1 && buf[0] != '\r') {
if (tcgetattr(c->wfd, &tio) == 0 &&
!(tio.c_lflag & ECHO) && (tio.c_lflag & ICANON)) {
@@ -1666,6 +1667,7 @@ channel_handle_wfd(Channel *c, fd_set *r
packet_send();
}
}
+#endif
buffer_consume(&c->output, len);
if (compat20 && len > 0) {
c->local_consumed += len;
@@ -2431,7 +2433,7 @@ channel_input_status_confirm(int type, u
int id;
/* Reset keepalive timeout */
- keep_alive_timeouts = 0;
+ packet_set_alive_timeouts(0);
id = packet_get_int();
packet_check_eom();
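Review bot: The `#ifndef BROKEN_TCGETATTR_ICANON` opened in the first channels.c hunk and closed in the second compiles out what appears to be the only use of `tio` in channel_handle_wfd; if `tio` is declared unconditionally at the top of the function (outside these hunks), builds with that macro defined will get an unused-variable warning. Either wrap the declaration in the same conditional or add a `(void)tio;` under `#else`. The conditional also deserves a one-line reason, e.g. `#ifndef BROKEN_TCGETATTR_ICANON	/* tcgetattr on the pty master can hang on Solaris (bug #1528) */`, since the ChangeLog is the only place that explains it.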
Modified: head/crypto/openssh/clientloop.c
==============================================================================
--- head/crypto/openssh/clientloop.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/clientloop.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.209 2009/02/12 03:00:56 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.213 2009/07/05 19:28:33 stevesk Exp $ */
/*
* Author: Tatu Ylonen <ylo at cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -109,6 +109,7 @@
#include "misc.h"
#include "match.h"
#include "msg.h"
+#include "roaming.h"
/* import options */
extern Options options;
@@ -491,13 +492,13 @@ client_global_request_reply(int type, u_
xfree(gc);
}
- keep_alive_timeouts = 0;
+ packet_set_alive_timeouts(0);
}
static void
server_alive_check(void)
{
- if (++keep_alive_timeouts > options.server_alive_count_max) {
+ if (packet_inc_alive_timeouts() > options.server_alive_count_max) {
logit("Timeout, server not responding.");
cleanup_exit(255);
}
@@ -634,8 +635,8 @@ client_suspend_self(Buffer *bin, Buffer
static void
client_process_net_input(fd_set *readset)
{
- int len;
- char buf[8192];
+ int len, cont = 0;
+ char buf[SSH_IOBUFSZ];
/*
* Read input from the server, and add any such data to the buffer of
@@ -643,8 +644,8 @@ client_process_net_input(fd_set *readset
*/
if (FD_ISSET(connection_in, readset)) {
/* Read as much as possible. */
- len = read(connection_in, buf, sizeof(buf));
- if (len == 0) {
+ len = roaming_read(connection_in, buf, sizeof(buf), &cont);
+ if (len == 0 && cont == 0) {
/*
* Received EOF. The remote host has closed the
* connection.
@@ -1128,7 +1129,7 @@ static void
client_process_input(fd_set *readset)
{
int len;
- char buf[8192];
+ char buf[SSH_IOBUFSZ];
/* Read input from stdin. */
if (FD_ISSET(fileno(stdin), readset)) {
@@ -1476,6 +1477,14 @@ client_loop(int have_pty, int escape_cha
/* Stop watching for window change. */
signal(SIGWINCH, SIG_DFL);
+ if (compat20) {
+ packet_start(SSH2_MSG_DISCONNECT);
+ packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
+ packet_put_cstring("disconnected by user");
+ packet_send();
+ packet_write_wait();
+ }
+
channel_free_all();
if (have_pty)
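Review bot: The SSH2_MSG_DISCONNECT built in the last clientloop.c hunk carries only the reason code and the description; the wire format in RFC 4253 §11.1 ends with a language-tag string, so a `packet_put_cstring("");` is needed between `packet_put_cstring("disconnected by user");` and `packet_send();`, otherwise a strict peer may treat the message as truncated. The message is also sent unconditionally whenever client_loop exits in compat20 mode, including when the loop ended because the server already closed the connection; whether `packet_write_wait()` tolerates writing to a closed socket at that point depends on code outside the hunk and is worth confirming. client_loop begins and ends outside the hunk.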
Modified: head/crypto/openssh/config.h
==============================================================================
--- head/crypto/openssh/config.h Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/config.h Thu Oct 1 17:12:52 2009 (r197679)
@@ -69,6 +69,9 @@
/* Define if your snprintf is busted */
/* #undef BROKEN_SNPRINTF */
+/* tcgetattr with ICANON may hang */
+/* #undef BROKEN_TCGETATTR_ICANON */
+
/* updwtmpx is broken (if present) */
/* #undef BROKEN_UPDWTMPX */
@@ -123,9 +126,12 @@
/* Builtin PRNG command timeout */
#define ENTROPY_TIMEOUT_MSEC 200
-/* f_fsid has members */
+/* fsid_t has member val */
/* #undef FSID_HAS_VAL */
+/* fsid_t has member __val */
+/* #undef FSID_HAS___VAL */
+
/* Define to 1 if the `getpgrp' function requires zero arguments. */
#define GETPGRP_VOID 1
@@ -519,6 +525,9 @@
/* Define to 1 if the system has the type `in_addr_t'. */
#define HAVE_IN_ADDR_T 1
+/* Define to 1 if the system has the type `in_port_t'. */
+#define HAVE_IN_PORT_T 1
+
/* Define to 1 if you have the <lastlog.h> header file. */
/* #undef HAVE_LASTLOG_H */
@@ -1227,6 +1236,9 @@
/* Define if X11 doesn't support AF_UNIX sockets on that system */
/* #undef NO_X11_UNIX_SOCKETS */
+/* Define if EVP_DigestUpdate returns void */
+/* #undef OPENSSL_EVP_DIGESTUPDATE_VOID */
+
/* libcrypto is missing AES 192 and 256 bit functions */
/* #undef OPENSSL_LOBOTOMISED_AES */
@@ -1310,6 +1322,9 @@
/* Use audit debugging module */
/* #undef SSH_AUDIT_EVENTS */
+/* Windows is sensitive to read buffer size */
+/* #undef SSH_IOBUFSZ */
+
/* non-privileged user for privilege separation */
#define SSH_PRIVSEP_USER "sshd"
@@ -1398,9 +1413,13 @@
/* Define if you want SELinux support. */
/* #undef WITH_SELINUX */
-/* Define to 1 if your processor stores words with the most significant byte
- first (like Motorola and SPARC, unlike Intel and VAX). */
-/* #undef WORDS_BIGENDIAN */
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+ significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
+#if defined __BIG_ENDIAN__
+# define WORDS_BIGENDIAN 1
+#elif ! defined __LITTLE_ENDIAN__
+/* # undef WORDS_BIGENDIAN */
+#endif
/* Define if xauth is found in your path */
/* #undef XAUTH_PATH */
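Review bot: The WORDS_BIGENDIAN block in config.h no longer mirrors the template in config.h.in: it tests `__BIG_ENDIAN__` and `__LITTLE_ENDIAN__` directly with no AC_APPLE_UNIVERSAL_BUILD guard, so on a big-endian target whose compiler predefines neither macro WORDS_BIGENDIAN stays undefined where it is consulted. Whether every compiler used for FreeBSD's big-endian targets predefines `__BIG_ENDIAN__` is not something this page shows, so treat this as an assumption to confirm rather than a certain defect. Recording it next to the block would help, e.g. `/* FreeBSD: relies on the compiler predefining __BIG_ENDIAN__ or __LITTLE_ENDIAN__ */`.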
Modified: head/crypto/openssh/config.h.in
==============================================================================
--- head/crypto/openssh/config.h.in Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/config.h.in Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,5 +1,8 @@
/* config.h.in. Generated from configure.ac by autoheader. */
+/* Define if building universal (internal helper macro) */
+#undef AC_APPLE_UNIVERSAL_BUILD
+
/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
*/
#undef AIX_GETNAMEINFO_HACK
@@ -68,6 +71,9 @@
/* Define if your snprintf is busted */
#undef BROKEN_SNPRINTF
+/* tcgetattr with ICANON may hang */
+#undef BROKEN_TCGETATTR_ICANON
+
/* updwtmpx is broken (if present) */
#undef BROKEN_UPDWTMPX
@@ -122,9 +128,12 @@
/* Builtin PRNG command timeout */
#undef ENTROPY_TIMEOUT_MSEC
-/* f_fsid has members */
+/* fsid_t has member val */
#undef FSID_HAS_VAL
+/* fsid_t has member __val */
+#undef FSID_HAS___VAL
+
/* Define to 1 if the `getpgrp' function requires zero arguments. */
#undef GETPGRP_VOID
@@ -518,6 +527,9 @@
/* Define to 1 if the system has the type `in_addr_t'. */
#undef HAVE_IN_ADDR_T
+/* Define to 1 if the system has the type `in_port_t'. */
+#undef HAVE_IN_PORT_T
+
/* Define to 1 if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
@@ -1226,6 +1238,9 @@
/* Define if X11 doesn't support AF_UNIX sockets on that system */
#undef NO_X11_UNIX_SOCKETS
+/* Define if EVP_DigestUpdate returns void */
+#undef OPENSSL_EVP_DIGESTUPDATE_VOID
+
/* libcrypto is missing AES 192 and 256 bit functions */
#undef OPENSSL_LOBOTOMISED_AES
@@ -1309,6 +1324,9 @@
/* Use audit debugging module */
#undef SSH_AUDIT_EVENTS
+/* Windows is sensitive to read buffer size */
+#undef SSH_IOBUFSZ
+
/* non-privileged user for privilege separation */
#undef SSH_PRIVSEP_USER
@@ -1397,9 +1415,17 @@
/* Define if you want SELinux support. */
#undef WITH_SELINUX
-/* Define to 1 if your processor stores words with the most significant byte
- first (like Motorola and SPARC, unlike Intel and VAX). */
-#undef WORDS_BIGENDIAN
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+ significant byte first (like Motorola and SPARC, unlike Intel). */
+#if defined AC_APPLE_UNIVERSAL_BUILD
+# if defined __BIG_ENDIAN__
+# define WORDS_BIGENDIAN 1
+# endif
+#else
+# ifndef WORDS_BIGENDIAN
+# undef WORDS_BIGENDIAN
+# endif
+#endif
/* Define if xauth is found in your path */
#undef XAUTH_PATH
Modified: head/crypto/openssh/defines.h
==============================================================================
--- head/crypto/openssh/defines.h Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/defines.h Thu Oct 1 17:12:52 2009 (r197679)
@@ -25,7 +25,7 @@
#ifndef _DEFINES_H
#define _DEFINES_H
-/* $Id: defines.h,v 1.153 2009/02/01 11:19:54 dtucker Exp $ */
+/* $Id: defines.h,v 1.156 2009/08/28 01:21:07 dtucker Exp $ */
/* Constants */
@@ -300,6 +300,9 @@ struct sockaddr_un {
#ifndef HAVE_IN_ADDR_T
typedef u_int32_t in_addr_t;
#endif
+#ifndef HAVE_IN_PORT_T
+typedef u_int16_t in_port_t;
+#endif
#if defined(BROKEN_SYS_TERMIO_H) && !defined(_STRUCT_WINSIZE)
#define _STRUCT_WINSIZE
@@ -591,6 +594,10 @@ struct winsize {
#define FSID_TO_ULONG(f) \
((((u_int64_t)(f).val[0] & 0xffffffffUL) << 32) | \
((f).val[1] & 0xffffffffUL))
+#elif defined(FSID_HAS___VAL)
+#define FSID_TO_ULONG(f) \
+ ((((u_int64_t)(f).__val[0] & 0xffffffffUL) << 32) | \
+ ((f).__val[1] & 0xffffffffUL))
#else
# define FSID_TO_ULONG(f) ((f))
#endif
@@ -742,4 +749,8 @@ struct winsize {
#define INET6_ADDRSTRLEN 46
#endif
+#ifndef SSH_IOBUFSZ
+# define SSH_IOBUFSZ 8192
+#endif
+
#endif /* _DEFINES_H */
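Review bot: The fallback `# define SSH_IOBUFSZ 8192` has no comment, and the only description of the macro on this page is config.h's "Windows is sensitive to read buffer size", which does not say what it sizes. clientloop.c now uses it for automatic arrays (`char buf[SSH_IOBUFSZ]` in client_process_net_input and client_process_input), so a configure-supplied override also sets the stack footprint of those functions; say so at the definition, e.g. `/* Size of the per-read stack buffers in clientloop.c; configure may override it on platforms sensitive to read size */`.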
Modified: head/crypto/openssh/gss-genr.c
==============================================================================
--- head/crypto/openssh/gss-genr.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/gss-genr.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-genr.c,v 1.19 2007/06/12 11:56:15 dtucker Exp $ */
+/* $OpenBSD: gss-genr.c,v 1.20 2009/06/22 05:39:28 dtucker Exp $ */
/*
* Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
Modified: head/crypto/openssh/includes.h
==============================================================================
--- head/crypto/openssh/includes.h Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/includes.h Thu Oct 1 17:12:52 2009 (r197679)
@@ -31,7 +31,8 @@
#endif
#if defined(HAVE_GLOB_H) && defined(GLOB_HAS_ALTDIRFUNC) && \
defined(GLOB_HAS_GL_MATCHC) && \
- defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0
+ defined(HAVE_DECL_GLOB_NOMATCH) && HAVE_DECL_GLOB_NOMATCH != 0 && \
+ !defined(BROKEN_GLOB)
# include <glob.h>
#endif
#ifdef HAVE_ENDIAN_H
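Review bot: `!defined(BROKEN_GLOB)` is added to the <glob.h> guard, but neither config.h nor config.h.in gains a BROKEN_GLOB entry in this commit (the hunks around the other BROKEN_* macros add only BROKEN_TCGETATTR_ICANON), so unless the symbol already existed before this change the new condition is inert and <glob.h> inclusion is unchanged in this tree. If configure is meant to set it, config.h.in should carry `#undef BROKEN_GLOB` alongside `#undef BROKEN_SNPRINTF` so the knob is discoverable; if it is a manual override, a comment naming where it is expected to be defined would help.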
Modified: head/crypto/openssh/jpake.c
==============================================================================
--- head/crypto/openssh/jpake.c Thu Oct 1 16:25:35 2009 (r197678)
+++ head/crypto/openssh/jpake.c Thu Oct 1 17:12:52 2009 (r197679)
@@ -1,4 +1,4 @@
-/* $OpenBSD: jpake.c,v 1.1 2008/11/04 08:22:12 djm Exp $ */
+/* $OpenBSD: jpake.c,v 1.2 2009/03/05 07:18:19 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
@@ -47,6 +47,7 @@
#include "log.h"
#include "jpake.h"
+#include "schnorr.h"
#ifdef JPAKE
@@ -60,165 +61,10 @@
"98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
"9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
-struct jpake_group *
+struct modp_group *
jpake_default_group(void)
{
- struct jpake_group *ret;
-
- ret = xmalloc(sizeof(*ret));
- ret->p = ret->q = ret->g = NULL;
- if (BN_hex2bn(&ret->p, JPAKE_GROUP_P) == 0 ||
- BN_hex2bn(&ret->g, JPAKE_GROUP_G) == 0)
- fatal("%s: BN_hex2bn", __func__);
- /* Subgroup order is p/2 (p is a safe prime) */
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***