svn commit: r207319 - in head/crypto/openssh: . openbsd-compat

Dag-Erling Smorgrav des at FreeBSD.org
Wed Apr 28 10:36:34 UTC 2010


Author: des
Date: Wed Apr 28 10:36:33 2010
New Revision: 207319
URL: http://svn.freebsd.org/changeset/base/207319

Log:
  Upgrade to OpenSSH 5.5p1.

Modified:
  head/crypto/openssh/ChangeLog
  head/crypto/openssh/README
  head/crypto/openssh/auth-options.c
  head/crypto/openssh/auth2-pubkey.c
  head/crypto/openssh/channels.c
  head/crypto/openssh/clientloop.c
  head/crypto/openssh/config.h
  head/crypto/openssh/config.h.in
  head/crypto/openssh/defines.h
  head/crypto/openssh/key.c
  head/crypto/openssh/key.h
  head/crypto/openssh/loginrec.c
  head/crypto/openssh/logintest.c
  head/crypto/openssh/openbsd-compat/bsd-arc4random.c
  head/crypto/openssh/servconf.c
  head/crypto/openssh/session.c
  head/crypto/openssh/ssh-keygen.1
  head/crypto/openssh/ssh-keygen.c
  head/crypto/openssh/ssh-pkcs11-helper.c
  head/crypto/openssh/ssh.1
  head/crypto/openssh/ssh_config
  head/crypto/openssh/ssh_config.5
  head/crypto/openssh/sshd_config
  head/crypto/openssh/sshd_config.5
  head/crypto/openssh/version.h
Directory Properties:
  head/crypto/openssh/   (props changed)

Modified: head/crypto/openssh/ChangeLog
==============================================================================
--- head/crypto/openssh/ChangeLog	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/ChangeLog	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,120 @@
-20100307
+20100410
+ - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
+   back so we disable the IPv6 tests if we don't have it.
+
+20100409
+ - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
+   ones.  Based on a patch from Roumen Petrov.
+ - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
+   have it and the path is not provided to --with-libedit.  Based on a patch
+   from Iain Morgan.
+ - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
+   utmpx support on FreeBSD where possible.  Patch from Ed Schouten, ok djm@
+
+20100326
+ - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
+   for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
+ - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
+   by Ingo Weinhold via Scott McCreary, ok djm@
+ - (djm) OpenBSD CVS Sync
+   - djm at cvs.openbsd.org 2010/03/25 23:38:28
+     [servconf.c]
+     from portable: getcwd(NULL, 0) doesn't work on all platforms, so
+     use a stack buffer; ok dtucker@
+   - djm at cvs.openbsd.org 2010/03/26 00:26:58
+     [ssh.1]
+     mention that -S none disables connection sharing; from Colin Watson
+ - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
+   set up SELinux execution context before chroot() call. From Russell
+   Coker via Colin watson; bz#1726 ok dtucker@
+ - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
+   ok dtucker@
+ - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
+   pkg-config, patch from Colin Watson.  Needed for newer linkers (ie gold).
+ - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
+   bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker at cvs.openbsd.org 2010/03/26 01:06:13
+     [ssh_config.5]
+     Reformat default value of PreferredAuthentications entry (current
+     formatting implies ", " is acceptable as a separator, which it's not.
+     ok djm@
+
+20100324
+ - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
+   containing the services file explicitely case-insensitive.  This allows to
+   tweak the Windows services file reliably.  Patch from vinschen at redhat.
+
+20100321
+ - (djm) OpenBSD CVS Sync
+   - jmc at cvs.openbsd.org 2010/03/08 09:41:27
+     [ssh-keygen.1]
+     sort the list of constraints (to -O); ok djm
+   - jmc at cvs.openbsd.org 2010/03/10 07:40:35
+     [ssh-keygen.1]
+     typos; from Ross Richardson
+     closes prs 6334 and 6335
+   - djm at cvs.openbsd.org 2010/03/10 23:27:17
+     [auth2-pubkey.c]
+     correct certificate logging and make it more consistent between
+     authorized_keys and TrustedCAKeys; ok markus@
+   - djm at cvs.openbsd.org 2010/03/12 01:06:25
+     [servconf.c]
+     unbreak AuthorizedKeys option with a $HOME-relative path; reported by
+     vinschen AT redhat.com, ok dtucker@
+   - markus at cvs.openbsd.org 2010/03/12 11:37:40
+     [servconf.c]
+     do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
+     free() (not xfree()) the buffer returned by getcwd()
+   - djm at cvs.openbsd.org 2010/03/13 21:10:38
+     [clientloop.c]
+     protocol conformance fix: send language tag when disconnecting normally;
+     spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
+   - djm at cvs.openbsd.org 2010/03/13 21:45:46
+     [ssh-keygen.1]
+     Certificates are named *-cert.pub, not *_cert.pub; committing a diff
+     from stevesk@ ok me
+   - jmc at cvs.openbsd.org 2010/03/13 23:38:13
+     [ssh-keygen.1]
+     fix a formatting error (args need quoted); noted by stevesk
+   - stevesk at cvs.openbsd.org 2010/03/15 19:40:02
+     [key.c key.h ssh-keygen.c]
+     also print certificate type (user or host) for ssh-keygen -L
+     ok djm kettenis
+   - stevesk at cvs.openbsd.org 2010/03/16 15:46:52
+     [auth-options.c]
+     spelling in error message. ok djm kettenis
+   - djm at cvs.openbsd.org 2010/03/16 16:36:49
+     [version.h]
+     crank version to openssh-5.5 since we have a few fixes since 5.4;
+     requested deraadt@ kettenis@
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] Crank version numbers
+
+20100314
+ - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
+   compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
+   AT fefe.de
+ - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
+   ssh-pkcs11-helper to repair static builds (we do the same for
+   ssh-keyscan). Reported by felix-mindrot AT fefe.de
+
+20100312
+ - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir)
+ - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
+   Patch from Corinna Vinschen.
+ - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
+   on a Cygwin installation. Patch from Corinna Vinschen.
+
+20100311
+ - (tim) [contrib/suse/openssh.spec] crank version number here too.
+   report by imorgan AT nas.nasa.gov
+
+20100309
+ - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
+   so setting it in CFLAGS correctly skips IPv6 tests.
+
+20100428
  - (djm) OpenBSD CVS Sync
    - djm at cvs.openbsd.org 2010/03/07 22:16:01
      [ssh-keygen.c]
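Review bot: the new "+20100428" header at the bottom of this hunk stands where the removed "-20100307" header was, so the entries that follow it (the djm 2010/03/07 OpenBSD CVS sync for ssh-keygen.c) are now filed under a date later than every header above them, breaking the ChangeLog's reverse-chronological order. Unless the pristine 5.5p1 ChangeLog really carries that date, this block should keep its 20100307 header; the hunk is worth re-checking against the upstream tarball.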

Modified: head/crypto/openssh/README
==============================================================================
--- head/crypto/openssh/README	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/README	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-5.4 for the release notes.
+See http://www.openssh.com/txt/release-5.5 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.72 2010/03/07 22:41:02 djm Exp $
+$Id: README,v 1.73 2010/03/21 19:11:55 djm Exp $

Modified: head/crypto/openssh/auth-options.c
==============================================================================
--- head/crypto/openssh/auth-options.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/auth-options.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.48 2010/03/07 11:57:13 dtucker Exp $ */
+/* $OpenBSD: auth-options.c,v 1.49 2010/03/16 15:46:52 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -434,7 +434,7 @@ auth_cert_constraints(Buffer *c_orig, st
 				goto out;
 			}
 			if (strlen(command) != clen) {
-				error("force-command constrain contains \\0");
+				error("force-command constraint contains \\0");
 				goto out;
 			}
 			if (cert_forced_command != NULL) {
@@ -454,7 +454,7 @@ auth_cert_constraints(Buffer *c_orig, st
 				goto out;
 			}
 			if (strlen(allowed) != clen) {
-				error("source-address constrain contains \\0");
+				error("source-address constraint contains \\0");
 				goto out;
 			}
 			if (cert_source_address_done++) {

Modified: head/crypto/openssh/auth2-pubkey.c
==============================================================================
--- head/crypto/openssh/auth2-pubkey.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/auth2-pubkey.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -240,22 +240,26 @@ user_key_allowed2(struct passwd *pw, Key
 				continue;
 			if (!key_equal(found, key->cert->signature_key))
 				continue;
-			debug("matching CA found: file %s, line %lu",
-			    file, linenum);
 			fp = key_fingerprint(found, SSH_FP_MD5,
 			    SSH_FP_HEX);
-			verbose("Found matching %s CA: %s",
-			    key_type(found), fp);
-			xfree(fp);
+			debug("matching CA found: file %s, line %lu, %s %s",
+			    file, linenum, key_type(found), fp);
 			if (key_cert_check_authority(key, 0, 0, pw->pw_name,
 			    &reason) != 0) {
+				xfree(fp);
 				error("%s", reason);
 				auth_debug_add("%s", reason);
 				continue;
 			}
 			if (auth_cert_constraints(&key->cert->constraints,
-			    pw) != 0)
+			    pw) != 0) {
+				xfree(fp);
 				continue;
+			}
+			verbose("Accepted certificate ID \"%s\" "
+			    "signed by %s CA %s via %s", key->cert->key_id,
+			    key_type(found), fp, file);
+			xfree(fp);
 			found_key = 1;
 			break;
 		} else if (!key_is_cert_authority && key_equal(found, key)) {
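Review bot: fp is now released on three separate exit paths (the key_cert_check_authority failure, the auth_cert_constraints failure and the accept path); freeing it once at a shared cleanup point, or at the top of the next loop iteration, would make a future early "continue" less likely to leak it. The accept-path message is a useful audit record, since it ties the certificate's key_id, the CA type and fingerprint and the authorized_keys file together in one VERBOSE-level line, which the old debug/verbose pair did not.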
@@ -281,15 +285,15 @@ user_key_allowed2(struct passwd *pw, Key
 static int
 user_cert_trusted_ca(struct passwd *pw, Key *key)
 {
-	char *key_fp, *ca_fp;
+	char *ca_fp;
 	const char *reason;
 	int ret = 0;
 
 	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
 		return 0;
 
-	key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-	ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+	ca_fp = key_fingerprint(key->cert->signature_key,
+	    SSH_FP_MD5, SSH_FP_HEX);
 
 	if (key_in_file(key->cert->signature_key,
 	    options.trusted_user_ca_keys, 1) != 1) {
@@ -306,13 +310,12 @@ user_cert_trusted_ca(struct passwd *pw, 
 	if (auth_cert_constraints(&key->cert->constraints, pw) != 0)
 		goto out;
 
-	verbose("%s certificate %s allowed by trusted %s key %s",
-	    key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp);
+	verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
+	    key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
+	    options.trusted_user_ca_keys);
 	ret = 1;
 
  out:
-	if (key_fp != NULL)
-		xfree(key_fp);
 	if (ca_fp != NULL)
 		xfree(ca_fp);
 	return ret;
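Review bot: the removed code computed ca_fp from key (the presented certificate) rather than from key->cert->signature_key, so the old "allowed by trusted ... key" message printed the user key's fingerprint where the CA fingerprint belonged; anyone correlating earlier sshd logs against a TrustedUserCAKeys file should be aware that the CA fingerprint in those lines is not trustworthy. The new call is correct, and the message now matches the wording used on the authorized_keys path.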

Modified: head/crypto/openssh/channels.c
==============================================================================
--- head/crypto/openssh/channels.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/channels.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -3252,7 +3252,11 @@ x11_create_display_inet(int x11_display_
 			sock = socket(ai->ai_family, ai->ai_socktype,
 			    ai->ai_protocol);
 			if (sock < 0) {
-				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) {
+				if ((errno != EINVAL) && (errno != EAFNOSUPPORT)
+#ifdef EPFNOSUPPORT
+				    && (errno != EPFNOSUPPORT)
+#endif 
+				    ) {
 					error("socket: %.100s", strerror(errno));
 					freeaddrinfo(aitop);
 					return -1;
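Review bot: the new "#endif " line carries trailing whitespace. Splicing a preprocessor conditional into the middle of an if-condition also makes the expression hard to read; a fallback such as "#ifndef EPFNOSUPPORT / #define EPFNOSUPPORT EAFNOSUPPORT" in defines.h would let the errno test stay on one line and behave identically on platforms without EPFNOSUPPORT.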

Modified: head/crypto/openssh/clientloop.c
==============================================================================
--- head/crypto/openssh/clientloop.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/clientloop.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.218 2010/01/28 00:21:18 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.219 2010/03/13 21:10:38 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1484,6 +1484,7 @@ client_loop(int have_pty, int escape_cha
 		packet_start(SSH2_MSG_DISCONNECT);
 		packet_put_int(SSH2_DISCONNECT_BY_APPLICATION);
 		packet_put_cstring("disconnected by user");
+		packet_put_cstring(""); /* language tag */
 		packet_send();
 		packet_write_wait();
 	}
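Review bot: this brings the message into line with the SSH_MSG_DISCONNECT layout in RFC 4253 (reason code, description string, language tag string); without the trailing string a strictly parsing peer could treat the client's clean disconnect as a truncated packet. Worth checking the other packet_start(SSH2_MSG_DISCONNECT) call sites for the same omission.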

Modified: head/crypto/openssh/config.h
==============================================================================
--- head/crypto/openssh/config.h	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/config.h	Wed Apr 28 10:36:33 2010	(r207319)
@@ -124,7 +124,7 @@
 #define DISABLE_WTMPX 1
 
 /* Enable for PKCS#11 support */
-#define ENABLE_PKCS11 
+#define ENABLE_PKCS11 /**/
 
 /* Builtin PRNG command timeout */
 #define ENTROPY_TIMEOUT_MSEC 200
@@ -456,6 +456,9 @@
 /* Define to 1 if you have the `getutxline' function. */
 #define HAVE_GETUTXLINE 1
 
+/* Define to 1 if you have the `getutxuser' function. */
+#define HAVE_GETUTXUSER 1
+
 /* Define to 1 if you have the `get_default_context_with_level' function. */
 /* #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL */
 
@@ -552,6 +555,9 @@
 /* Define if system has libiaf that supports set_id */
 /* #undef HAVE_LIBIAF */
 
+/* Define to 1 if you have the `network' library (-lnetwork). */
+/* #undef HAVE_LIBNETWORK */
+
 /* Define to 1 if you have the `nsl' library (-lnsl). */
 /* #undef HAVE_LIBNSL */
 
@@ -805,6 +811,9 @@
 /* Define to 1 if you have the `setutent' function. */
 /* #undef HAVE_SETUTENT */
 
+/* Define to 1 if you have the `setutxdb' function. */
+#define HAVE_SETUTXDB 1
+
 /* Define to 1 if you have the `setutxent' function. */
 #define HAVE_SETUTXENT 1
 
@@ -1416,8 +1425,8 @@
 /* Define if you want SELinux support. */
 /* #undef WITH_SELINUX */
 
-/* Define to 1 if your processor stores words with the most significant byte
-   first (like Motorola and SPARC, unlike Intel and VAX). */
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
 #if defined __BIG_ENDIAN__
 # define WORDS_BIGENDIAN 1
 #elif ! defined __LITTLE_ENDIAN__

Modified: head/crypto/openssh/config.h.in
==============================================================================
--- head/crypto/openssh/config.h.in	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/config.h.in	Wed Apr 28 10:36:33 2010	(r207319)
@@ -80,9 +80,6 @@
 /* Define if you want to specify the path to your lastlog file */
 #undef CONF_LASTLOG_FILE
 
-/* Define if you want to specify the path to your utmpx file */
-#undef CONF_UTMPX_FILE
-
 /* Define if you want to specify the path to your utmp file */
 #undef CONF_UTMP_FILE
 
@@ -455,6 +452,9 @@
 /* Define to 1 if you have the `getutxline' function. */
 #undef HAVE_GETUTXLINE
 
+/* Define to 1 if you have the `getutxuser' function. */
+#undef HAVE_GETUTXUSER
+
 /* Define to 1 if you have the `get_default_context_with_level' function. */
 #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
 
@@ -551,6 +551,9 @@
 /* Define if system has libiaf that supports set_id */
 #undef HAVE_LIBIAF
 
+/* Define to 1 if you have the `network' library (-lnetwork). */
+#undef HAVE_LIBNETWORK
+
 /* Define to 1 if you have the `nsl' library (-lnsl). */
 #undef HAVE_LIBNSL
 
@@ -804,6 +807,9 @@
 /* Define to 1 if you have the `setutent' function. */
 #undef HAVE_SETUTENT
 
+/* Define to 1 if you have the `setutxdb' function. */
+#undef HAVE_SETUTXDB
+
 /* Define to 1 if you have the `setutxent' function. */
 #undef HAVE_SETUTXENT
 

Modified: head/crypto/openssh/defines.h
==============================================================================
--- head/crypto/openssh/defines.h	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/defines.h	Wed Apr 28 10:36:33 2010	(r207319)
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.159 2010/01/13 23:44:34 tim Exp $ */
+/* $Id: defines.h,v 1.160 2010/04/09 08:13:27 dtucker Exp $ */
 
 
 /* Constants */

Modified: head/crypto/openssh/key.c
==============================================================================
--- head/crypto/openssh/key.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/key.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.85 2010/03/04 01:44:57 djm Exp $ */
+/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -802,6 +802,19 @@ key_type(const Key *k)
 }
 
 const char *
+key_cert_type(const Key *k)
+{
+	switch (k->cert->type) {
+	case SSH2_CERT_TYPE_USER:
+		return "user";
+	case SSH2_CERT_TYPE_HOST:
+		return "host";
+	default:
+		return "unknown";
+	}
+}
+
+const char *
 key_ssh_name(const Key *k)
 {
 	switch (k->type) {

Modified: head/crypto/openssh/key.h
==============================================================================
--- head/crypto/openssh/key.h	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/key.h	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.28 2010/02/26 20:29:54 djm Exp $ */
+/* $OpenBSD: key.h,v 1.29 2010/03/15 19:40:02 stevesk Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -82,6 +82,7 @@ int		 key_equal(const Key *, const Key *
 char		*key_fingerprint(Key *, enum fp_type, enum fp_rep);
 u_char		*key_fingerprint_raw(Key *, enum fp_type, u_int *);
 const char	*key_type(const Key *);
+const char	*key_cert_type(const Key *);
 int		 key_write(const Key *, FILE *);
 int		 key_read(Key *, char **);
 u_int		 key_size(const Key *);

Modified: head/crypto/openssh/loginrec.c
==============================================================================
--- head/crypto/openssh/loginrec.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/loginrec.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -510,6 +510,10 @@ getlast_entry(struct logininfo *li)
 #ifdef USE_LASTLOG
 	return(lastlog_get_entry(li));
 #else /* !USE_LASTLOG */
+#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
+    defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
+	return (utmpx_get_entry(li));
+#endif
 
 #if 1
 	return (utmpx_get_entry(li));
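Review bot: the pre-existing "#if 1" block directly below the inserted lines still returns utmpx_get_entry(li) unconditionally, so the function now contains two consecutive returns of the same value. Worse, the next hunk compiles utmpx_get_entry() only under the new USE_UTMPX/HAVE_SETUTXDB/UTXDB_LASTLOGIN/HAVE_GETUTXUSER guard, so on a build where that guard is not satisfied the leftover "#if 1" path would reference a function that no longer exists. The local "#if 1" hack should be dropped now that the upstream conditional is in place.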
@@ -1614,7 +1618,8 @@ lastlog_get_entry(struct logininfo *li)
 #endif /* HAVE_GETLASTLOGXBYNAME */
 #endif /* USE_LASTLOG */
 
-#if 1
+#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \
+    defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER)
 int
 utmpx_get_entry(struct logininfo *li)
 {
@@ -1637,7 +1642,7 @@ utmpx_get_entry(struct logininfo *li)
 	endutxent();
 	return (1);
 }
-#endif
+#endif /* USE_UTMPX && HAVE_SETUTXDB && UTXDB_LASTLOGIN && HAVE_GETUTXUSER */
 
 #ifdef USE_BTMP
   /*

Modified: head/crypto/openssh/logintest.c
==============================================================================
--- head/crypto/openssh/logintest.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/logintest.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -264,7 +264,7 @@ showOptions(void)
 	printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE);
 #endif
 #ifdef USE_UTMPX
-	printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE);
+	printf("\tUSE_UTMPX\n");
 #endif
 #ifdef USE_WTMP
 	printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE);

Modified: head/crypto/openssh/openbsd-compat/bsd-arc4random.c
==============================================================================
--- head/crypto/openssh/openbsd-compat/bsd-arc4random.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/openbsd-compat/bsd-arc4random.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -84,7 +84,7 @@ arc4random_stir(void)
 }
 #endif /* !HAVE_ARC4RANDOM */
 
-#ifndef ARC4RANDOM_BUF
+#ifndef HAVE_ARC4RANDOM_BUF
 void
 arc4random_buf(void *_buf, size_t n)
 {
@@ -102,7 +102,7 @@ arc4random_buf(void *_buf, size_t n)
 }
 #endif /* !HAVE_ARC4RANDOM_BUF */
 
-#ifndef ARC4RANDOM_UNIFORM
+#ifndef HAVE_ARC4RANDOM_UNIFORM
 /*
  * Calculate a uniformly distributed random number less than upper_bound
  * avoiding "modulo bias".
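Review bot: because ARC4RANDOM_BUF and ARC4RANDOM_UNIFORM were never defined anywhere, the compat arc4random_buf() and arc4random_uniform() were built unconditionally, even on systems whose libc provides them (the closing "#endif /* !HAVE_ARC4RANDOM_BUF */" comment already named the intended macro). Please confirm that the committed config.h defines HAVE_ARC4RANDOM_BUF and HAVE_ARC4RANDOM_UNIFORM for FreeBSD; the config.h hunks in this commit do not touch those lines, and without them the compat copies would still be compiled in alongside the libc versions.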

Modified: head/crypto/openssh/servconf.c
==============================================================================
--- head/crypto/openssh/servconf.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/servconf.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.207 2010/03/25 23:38:28 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -474,15 +474,14 @@ parse_token(const char *cp, const char *
 char *
 derelativise_path(const char *path)
 {
-	char *expanded, *ret, *cwd;
+	char *expanded, *ret, cwd[MAXPATHLEN];
 
 	expanded = tilde_expand_filename(path, getuid());
 	if (*expanded == '/')
 		return expanded;
-	if ((cwd = getcwd(NULL, 0)) == NULL)
+	if (getcwd(cwd, sizeof(cwd)) == NULL)
 		fatal("%s: getcwd: %s", __func__, strerror(errno));
 	xasprintf(&ret, "%s/%s", cwd, expanded);
-	xfree(cwd);
 	xfree(expanded);
 	return ret;
 }
@@ -1227,7 +1226,17 @@ process_server_config_line(ServerOptions
 		charptr = (opcode == sAuthorizedKeysFile) ?
 		    &options->authorized_keys_file :
 		    &options->authorized_keys_file2;
-		goto parse_filename;
+		arg = strdelim(&cp);
+		if (!arg || *arg == '\0')
+			fatal("%s line %d: missing file name.",
+			    filename, linenum);
+		if (*activep && *charptr == NULL) {
+			*charptr = tilde_expand_filename(arg, getuid());
+			/* increase optional counter */
+			if (intptr != NULL)
+				*intptr = *intptr + 1;
+		}
+		break;
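Review bot: the inlined block duplicates the generic parse_filename code except for the expansion call; a flag or a second label would avoid keeping two copies in sync. Note also that tilde_expand_filename() is called with getuid(), i.e. the daemon's own uid at parse time, so a leading "~" in AuthorizedKeysFile names sshd's home directory rather than the authenticating user's; the per-user form is "%h", which is expanded later against the user's passwd entry. That is presumably the behaviour the ChangeLog entries "unbreak AuthorizedKeys option with a $HOME-relative path" and "do not prepend AuthorizedKeysFile with getcwd()" refer to, but it may deserve a sentence in sshd_config.5.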
 
 	case sClientAliveInterval:
 		intptr = &options->client_alive_interval;

Modified: head/crypto/openssh/session.c
==============================================================================
--- head/crypto/openssh/session.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/session.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1581,6 +1581,10 @@ do_setusercontext(struct passwd *pw)
 		}
 #endif /* HAVE_SETPCRED */
 
+#ifdef WITH_SELINUX
+		ssh_selinux_setup_exec_context(pw->pw_name);
+#endif
+
 		if (options.chroot_directory != NULL &&
 		    strcasecmp(options.chroot_directory, "none") != 0) {
                         tmp = tilde_expand_filename(options.chroot_directory,
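Review bot: moving ssh_selinux_setup_exec_context() ahead of chroot() is the right order (the context lookup presumably needs files that are not visible inside the chroot), but the call has also moved one indentation level deeper, into the block that encloses the chroot code, whereas the removed call at the end of the function ran unconditionally. Confirm that the enclosing condition always holds when a login session is set up; otherwise a configuration that skipped that block would now also skip the SELinux context setup.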
@@ -1605,10 +1609,6 @@ do_setusercontext(struct passwd *pw)
 
 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
-
-#ifdef WITH_SELINUX
-	ssh_selinux_setup_exec_context(pw->pw_name);
-#endif
 }
 
 static void

Modified: head/crypto/openssh/ssh-keygen.1
==============================================================================
--- head/crypto/openssh/ssh-keygen.1	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/ssh-keygen.1	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $
 .\"	$FreeBSD$
 .\"
 .\"  -*- nroff -*-
@@ -38,7 +38,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 8 2010
+.Dd March 13 2010
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -308,8 +308,15 @@ Please see the
 section for details.
 The constraints that are valid for user certificates are:
 .Bl -tag -width Ds
-.It Ic no-x11-forwarding
-Disable X11 forwarding (permitted by default).
+.It Ic clear
+Clear all enabled permissions.
+This is useful for clearing the default set of permissions so permissions may
+be added individually.
+.It Ic force-command Ns = Ns Ar command
+Forces the execution of
+.Ar command
+instead of any shell or command specified by the user when
+the certificate is used for authentication.
 .It Ic no-agent-forwarding
 Disable
 .Xr ssh-agent 1
@@ -324,12 +331,8 @@ Disable execution of
 by
 .Xr sshd 8
 (permitted by default).
-.It Ic clear
-Clear all enabled permissions.
-This is useful for clearing the default set of permissions so permissions may
-be added individually.
-.It Ic permit-x11-forwarding
-Allows X11 forwarding.
+.It Ic no-x11-forwarding
+Disable X11 forwarding (permitted by default).
 .It Ic permit-agent-forwarding
 Allows
 .Xr ssh-agent 1
@@ -343,14 +346,10 @@ Allows execution of
 .Pa ~/.ssh/rc
 by
 .Xr sshd 8 .
-.It Ic force-command=command
-Forces the execution of
-.Ar command
-instead of any shell or command specified by the user when
-the certificate is used for authentication.
-.It Ic source-address=address_list
-Restrict the source addresses from which the certificate is considered valid
-from.
+.It Ic permit-x11-forwarding
+Allows X11 forwarding.
+.It Ic source-address Ns = Ns Ar address_list
+Restrict the source addresses from which the certificate is considered valid.
 The
 .Ar address_list
 is a comma-separated list of one or more address/netmask pairs in CIDR
@@ -415,7 +414,7 @@ in YYYYMMDDHHMMSS format or a relative t
 of a minus sign followed by a relative time in the format described in the
 .Sx TIME FORMATS
 section of
-.Xr ssh_config 5 .
+.Xr sshd_config 5 .
 The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
 a relative time starting with a plus character.
 .Pp
@@ -520,7 +519,7 @@ To generate a user certificate:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub
 .Pp
 The resultant certificate will be placed in
-.Pa /path/to/user_key_cert.pub .
+.Pa /path/to/user_key-cert.pub .
 A host certificate requires the
 .Fl h
 option:
@@ -528,7 +527,7 @@ option:
 .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub
 .Pp
 The host certificate will be output to
-.Pa /path/to/host_key_cert.pub .
+.Pa /path/to/host_key-cert.pub .
 In both cases,
 .Ar key_id
 is a "key identifier" that is logged by the server when the certificate
@@ -540,7 +539,7 @@ By default, generated certificates are v
 To generate a certificate for a specified set of principals:
 .Pp
 .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub
-.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub
+.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub"
 .Pp
 Additional limitations on the validity and use of user certificates may
 be specified through certificate constraints.

Modified: head/crypto/openssh/ssh-keygen.c
==============================================================================
--- head/crypto/openssh/ssh-keygen.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/ssh-keygen.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.184 2010/03/07 22:16:01 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.185 2010/03/15 19:40:02 stevesk Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1393,7 +1393,8 @@ do_show_cert(struct passwd *pw)
 	    SSH_FP_MD5, SSH_FP_HEX);
 
 	printf("%s:\n", identity_file);
-	printf("        %s certificate %s\n", key_type(key), key_fp);
+	printf("        %s %s certificate %s\n", key_type(key),
+	    key_cert_type(key), key_fp);
 	printf("        Signed by %s CA %s\n",
 	    key_type(key->cert->signature_key), ca_fp);
 	printf("        Key ID \"%s\"\n", key->cert->key_id);

Modified: head/crypto/openssh/ssh-pkcs11-helper.c
==============================================================================
--- head/crypto/openssh/ssh-pkcs11-helper.c	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/ssh-pkcs11-helper.c	Wed Apr 28 10:36:33 2010	(r207319)
@@ -17,8 +17,6 @@
 
 #include "includes.h"
 
-#ifdef ENABLE_PKCS11
-
 #include <sys/types.h>
 #ifdef HAVE_SYS_TIME_H
 # include <sys/time.h>
@@ -39,6 +37,8 @@
 #include "authfd.h"
 #include "ssh-pkcs11.h"
 
+#ifdef ENABLE_PKCS11
+
 /* borrows code from sftp-server and ssh-agent */
 
 struct pkcs11_keyinfo {

Modified: head/crypto/openssh/ssh.1
==============================================================================
--- head/crypto/openssh/ssh.1	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/ssh.1	Wed Apr 28 10:36:33 2010	(r207319)
@@ -34,9 +34,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $
+.\" $OpenBSD: ssh.1,v 1.303 2010/03/26 00:26:58 djm Exp $
 .\" $FreeBSD$
-.Dd March 5 2010
+.Dd March 26 2010
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -560,7 +560,10 @@ argument is
 the listen port will be dynamically allocated on the server and reported
 to the client at run time.
 .It Fl S Ar ctl_path
-Specifies the location of a control socket for connection sharing.
+Specifies the location of a control socket for connection sharing
+or the string
+.Dq none
+to disable connection sharing.
 Refer to the description of
 .Cm ControlPath
 and

Modified: head/crypto/openssh/ssh_config
==============================================================================
--- head/crypto/openssh/ssh_config	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/ssh_config	Wed Apr 28 10:36:33 2010	(r207319)
@@ -46,4 +46,4 @@
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
-#   VersionAddendum FreeBSD-20100308
+#   VersionAddendum FreeBSD-20100428

Modified: head/crypto/openssh/ssh_config.5
==============================================================================
--- head/crypto/openssh/ssh_config.5	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/ssh_config.5	Wed Apr 28 10:36:33 2010	(r207319)
@@ -34,9 +34,9 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.130 2010/03/26 01:06:13 dtucker Exp $
 .\" $FreeBSD$
-.Dd March 5 2010
+.Dd March 26 2010
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -735,11 +735,7 @@ This allows a client to prefer one metho
 over another method (e.g.\&
 .Cm password )
 The default for this option is:
-.Do gssapi-with-mic ,
-hostbased,
-publickey,
-keyboard-interactive,
-password
+.Do gssapi-with-mic,hostbased,publickey,keyboard-interactive,password
 .Dc .
 .It Cm Protocol
 Specifies the protocol versions
@@ -1087,7 +1083,7 @@ in
 Specifies a string to append to the regular version string to identify
 OS- or site-specific modifications.
 The default is
-.Dq FreeBSD-20100308 .
+.Dq FreeBSD-20100428 .
 .It Cm VisualHostKey
 If this flag is set to
 .Dq yes ,

Modified: head/crypto/openssh/sshd_config
==============================================================================
--- head/crypto/openssh/sshd_config	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/sshd_config	Wed Apr 28 10:36:33 2010	(r207319)
@@ -14,7 +14,7 @@
 # Note that some of FreeBSD's defaults differ from OpenBSD's, and
 # FreeBSD has a few additional options.
 
-#VersionAddendum FreeBSD-20100308
+#VersionAddendum FreeBSD-20100428
 
 #Port 22
 #AddressFamily any

Modified: head/crypto/openssh/sshd_config.5
==============================================================================
--- head/crypto/openssh/sshd_config.5	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/sshd_config.5	Wed Apr 28 10:36:33 2010	(r207319)
@@ -988,7 +988,7 @@ The default is
 Specifies a string to append to the regular version string to identify
 OS- or site-specific modifications.
 The default is
-.Dq FreeBSD-20100308 .
+.Dq FreeBSD-20100428 .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's

Modified: head/crypto/openssh/version.h
==============================================================================
--- head/crypto/openssh/version.h	Wed Apr 28 10:33:41 2010	(r207318)
+++ head/crypto/openssh/version.h	Wed Apr 28 10:36:33 2010	(r207319)
@@ -1,12 +1,12 @@
-/* $OpenBSD: version.h,v 1.57 2010/03/07 22:01:32 djm Exp $ */
+/* $OpenBSD: version.h,v 1.58 2010/03/16 16:36:49 djm Exp $ */
 /* $FreeBSD$ */
 
 #ifndef SSH_VERSION
 
 #define SSH_VERSION             (ssh_version_get())
 #define SSH_RELEASE             (ssh_version_get())
-#define SSH_VERSION_BASE        "OpenSSH_5.4p1"
-#define SSH_VERSION_ADDENDUM    "FreeBSD-20100308"
+#define SSH_VERSION_BASE        "OpenSSH_5.5p1"
+#define SSH_VERSION_ADDENDUM    "FreeBSD-20100428"
 
 const char *ssh_version_get(void);
 void ssh_version_set_addendum(const char *);

