diff -uNr ../openssh-1.2.3/CVS/Entries ./CVS/Entries --- ../openssh-1.2.3/CVS/Entries Mon Mar 6 23:34:11 2000 +++ ./CVS/Entries Thu Jan 1 02:00:00 1970 @@ -1,93 +0,0 @@ -D/sshd//// -D/ssh-add//// -D/ssh-agent//// -D/ssh-keygen//// -D/scp//// -D/lib//// -/COPYING.Ylonen/1.6/Tue Oct 5 06:45:38 1999// -/Makefile/1.5/Wed Nov 3 00:45:05 1999// -/RFC.nroff/1.1/Mon Sep 27 07:53:15 1999// -/OVERVIEW/1.5/Sat Nov 20 10:38:24 1999// -/README/1.2/Sat Nov 20 10:38:31 1999// -D/ssh//// -/Makefile.inc/1.11/Wed Dec 15 04:54:49 1999// -/auth-krb4.c/1.11/Thu Dec 16 18:06:03 1999// -/auth-rh-rsa.c/1.10/Thu Dec 16 18:06:03 1999// -/auth-skey.c/1.5/Thu Dec 16 18:06:03 1999// -/authfd.c/1.16/Thu Dec 16 18:06:03 1999// -/authfile.c/1.11/Thu Dec 16 18:06:03 1999// -/bufaux.c/1.7/Thu Dec 16 18:06:03 1999// -/buffer.c/1.4/Thu Dec 16 18:06:03 1999// -/clientloop.c/1.14/Thu Dec 16 18:06:03 1999// -/compat.c/1.5/Thu Dec 16 18:06:03 1999// -/compress.c/1.4/Thu Dec 16 18:06:03 1999// -/crc32.c/1.4/Thu Dec 16 18:06:03 1999// -/deattack.c/1.6/Thu Dec 16 18:06:03 1999// -/fingerprint.c/1.4/Thu Dec 16 18:06:03 1999// -/match.c/1.4/Thu Dec 16 18:06:04 1999// -/mpaux.c/1.9/Thu Dec 16 18:06:04 1999// -/radix.c/1.6/Thu Dec 16 18:06:04 1999// -/serverloop.c/1.14/Thu Dec 16 18:06:04 1999// -/ssh-add.c/1.15/Thu Dec 16 18:06:04 1999// -/tildexpand.c/1.6/Thu Dec 16 18:06:05 1999// -/ttymodes.c/1.5/Thu Dec 16 18:06:05 1999// -/uidswap.c/1.5/Thu Dec 16 18:06:05 1999// -/xmalloc.c/1.5/Thu Dec 16 18:06:05 1999// -/authfd.h/1.6/Thu Dec 16 18:06:12 1999// -/bufaux.h/1.4/Thu Dec 16 18:06:12 1999// -/buffer.h/1.3/Thu Dec 16 18:06:12 1999// -/channels.h/1.6/Thu Dec 16 18:06:12 1999// -/cipher.h/1.10/Thu Dec 16 18:06:12 1999// -/compat.h/1.4/Thu Dec 16 18:06:12 1999// -/compress.h/1.3/Thu Dec 16 18:06:12 1999// -/crc32.h/1.4/Thu Dec 16 18:06:12 1999// -/deattack.h/1.3/Thu Dec 16 18:06:12 1999// -/fingerprint.h/1.3/Thu Dec 16 18:06:12 1999// -/getput.h/1.2/Thu Dec 16 18:06:12 1999// -/mpaux.h/1.5/Thu Dec 16 18:06:12 1999// -/nchan.h/1.5/Thu Dec 16 18:06:12 1999// -/readconf.h/1.13/Thu Dec 16 18:06:12 1999// -/rsa.h/1.4/Thu Dec 16 18:06:12 1999// -/ssh_config/1.3/Thu Dec 16 18:06:12 1999// -/ttymodes.h/1.6/Thu Dec 16 18:06:12 1999// -/uidswap.h/1.2/Thu Dec 16 18:06:12 1999// -/xmalloc.h/1.2/Thu Dec 16 18:06:12 1999// -/auth-passwd.c/1.14/Wed Dec 29 20:46:27 1999// -/auth-rhosts.c/1.12/Wed Dec 29 20:46:27 1999// -/ssh-agent.c/1.25/Mon Jan 3 15:28:00 2000// -/log.c/1.7/Tue Jan 4 00:08:24 2000// -/login.c/1.11/Tue Jan 4 00:08:24 2000// -/servconf.h/1.15/Tue Jan 4 00:08:24 2000// -/sshd_config/1.15/Tue Jan 4 00:08:24 2000// -/canohost.c/1.11/Tue Jan 4 15:11:17 2000// -/packet.h/1.9/Tue Jan 4 19:45:19 2000// -/scp.1/1.5/Tue Jan 4 19:45:19 2000// -/nchan.c/1.10/Mon Jan 10 15:57:26 2000// -/nchan.ms/1.5/Mon Jan 10 23:39:09 2000// -/readpass.c/1.9/Fri Jan 21 21:16:00 2000// -/ssh-add.1/1.10/Sat Jan 22 08:52:34 2000// -/ssh-agent.1/1.9/Sat Jan 22 08:52:34 2000// -/ssh-keygen.1/1.11/Sat Jan 22 08:52:34 2000// -/channels.c/1.38/Mon Jan 24 20:42:04 2000// -/scp.c/1.25/Tue Jan 25 02:11:17 2000// -/atomicio.c/1.2/Tue Feb 1 23:55:47 2000// -/ssh.h/1.33/Tue Feb 1 23:55:48 2000// -/ssh-keygen.c/1.16/Fri Feb 4 16:21:21 2000// -/packet.c/1.22/Sat Feb 5 19:19:04 2000// -/auth-rsa.c/1.18/Fri Feb 11 15:22:17 2000// -/pty.c/1.12/Thu Feb 17 14:27:14 2000// -/pty.h/1.5/Thu Feb 17 14:27:14 2000// -/hostfile.c/1.13/Fri Feb 18 10:33:17 2000// -/sshconnect.c/1.56/Fri Feb 18 10:33:17 2000// -/rsa.c/1.12/Mon Feb 21 22:07:32 2000// -/cipher.c/1.19/Tue Feb 22 16:12:43 2000// -/servconf.c/1.30/Thu Feb 24 18:24:49 2000// -/sshd.8/1.34/Thu Feb 24 18:24:49 2000// -/includes.h/1.11/Sun Feb 27 18:48:11 2000// -/log-client.c/1.7/Sun Feb 27 18:50:09 2000// -/log-server.c/1.12/Sun Feb 27 18:50:09 2000// -/readconf.c/1.23/Mon Feb 28 22:16:45 2000// -/ssh.c/1.41/Mon Feb 28 22:16:45 2000// -/ssh.1/1.39/Sat Mar 4 16:39:15 2000// -/sshd.c/1.90/Mon Mar 6 21:11:17 2000// -/version.h/1.7/Mon Mar 6 21:33:59 2000// diff -uNr ../openssh-1.2.3/CVS/Repository ./CVS/Repository --- ../openssh-1.2.3/CVS/Repository Sun Sep 26 19:56:06 1999 +++ ./CVS/Repository Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -src/usr.bin/ssh diff -uNr ../openssh-1.2.3/CVS/Root ./CVS/Root --- ../openssh-1.2.3/CVS/Root Mon Dec 6 22:57:56 1999 +++ ./CVS/Root Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -/cvs diff -uNr ../openssh-1.2.3/Makefile ./Makefile --- ../openssh-1.2.3/Makefile Wed Nov 3 02:45:05 1999 +++ ./Makefile Thu Apr 20 02:31:16 2000 @@ -1,13 +1,16 @@ # $OpenBSD: Makefile,v 1.5 1999/10/25 20:27:26 markus Exp $ -.include - SUBDIR= lib ssh sshd ssh-add ssh-keygen ssh-agent scp distribution: - install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ + install -c -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \ ${DESTDIR}/etc/ssh_config - install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ + install -c -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \ ${DESTDIR}/etc/sshd_config + +tar: cleandir + cd .. && pax -w openssh-1.2.3-bsdi | gzip >openssh-1.2.3-bsdi.tar.gz + -diff -uNr ../openssh-1.2.3 . >../openssh-1.2.3-bsdi.diff + cp -p README.BSDI .. .include diff -uNr ../openssh-1.2.3/Makefile.inc ./Makefile.inc --- ../openssh-1.2.3/Makefile.inc Wed Dec 15 06:54:49 1999 +++ ./Makefile.inc Thu Apr 20 02:30:52 2000 @@ -1,11 +1,5 @@ -CFLAGS+= -I${.CURDIR}/.. - -.include - -.if exists(${.CURDIR}/../lib/${__objdir}) -LDADD+= -L${.CURDIR}/../lib/${__objdir} -lssh -DPADD+= ${.CURDIR}/../lib/${__objdir}/libssh.a -.else -LDADD+= -L${.CURDIR}/../lib -lssh -DPADD+= ${.CURDIR}/../lib/libssh.a -.endif +BINDIR?= /usr/local/bin +MANDIR= /usr/local/man/cat +CFLAGS+= -I${.CURDIR}/.. -I/usr/local/include +LDFLAGS+= -L${.OBJDIR}/../lib -L/usr/local/lib +DPADD+= ${.OBJDIR}/../lib/libssh.a diff -uNr ../openssh-1.2.3/README.BSDI ./README.BSDI --- ../openssh-1.2.3/README.BSDI Thu Jan 1 02:00:00 1970 +++ ./README.BSDI Wed May 10 15:08:52 2000 @@ -0,0 +1,65 @@ +Copyright (c) 1999, 2000 + Vadim Vygonets . All rights reserved. + +This is a port of OpenSSH 1.2.3 to BSD/OS 3.x and 4.0. + +This port owes a great deal to Brian Feldman +and his port of OpenSSH from the FreeBSD ports collection. Most +notably, ConnectionsPerPeriod was incorporated from there. + +This port also incorporates my patches to auth-passwd.c of ssh +1.2.26 (BSD authentication). I also tried to incorporate login +capabilities handling throughout sshd. The code was partly based +on Brian Feldman's code and partly on my older code. I tried to +make the code still compatible with FreeBSD, but, having no +FreeBSD machine, I cannot guarrantee anything. + +*** Important note: sshd is now installed in /usr/local/sbin. I + strongly advise that you remove /usr/local/bin/sshd to avoid + confusion. + +2000-05-10: SSH and OpenSSH on BSDI used to lose PATH somewhere + between setusercontext() and exec() of shell. It's + very weird to me that noone reported it before. + Fixed. + +================================================================= += INSTALLATION = +================================================================= + +IF YOU DON'T LIVE IN A FREE COUNTRY, DON'T BLAME ME IF YOU GET +ARRESTED FOR USING THESE INSTRUCTIONS. I don't care, alright? +Please also note that I can get arrested, too. + +You need OpenSSL 0.9.4. You can get it from: + http://www.openssl.org/ +I had problems with OpenSSL 0.9.5a (RSA appears to be dead). + +Note that if you live in the USA and/or are a USA citizen +(consult your lawyer for details) you will have to use the RSAREF +library from RSA Security Inc. (http://www.rsa.com/). See the +file INSTALL in the OpenSSL distribution for some details. The +rest of this instruction e-sheet[tm] assumes that you don't have +to use RSAREF. + +If you intend to use OpenSSL on an 80386 machine (as opposed to +i486 or higher), consult the file INSTALL in the OpenSSL +distribution. The rest of this file assumes that you are rich. + +Compile and install OpenSSL with the following commands: + $ ./config --prefix=/usr/local --openssldir=/usr/local/lib/openssl + $ make + $ make test + $ su + # make install + +OpenSSH expects to find OpenSSL header files in subdirectory ssl. +Calm it by doing: + # cd /usr/local/include + # ln -s openssl ssl + +Compile OpenSSH by doing: + $ make + +Install OpenSSH: + # make install diff -uNr ../openssh-1.2.3/auth-passwd.c ./auth-passwd.c --- ../openssh-1.2.3/auth-passwd.c Wed Dec 29 22:46:27 1999 +++ ./auth-passwd.c Thu Apr 20 02:30:52 2000 @@ -19,6 +19,23 @@ * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ +#ifdef LOGIN_CAP /* BSDI and FreeBSD <=3 ? */ +int +auth_password(struct passwd *pw, const char *password, + login_cap_t *lc, char *style) +{ + char *challenge; + int status; + + /* style is already definitive */ + auth_setopt("auth_type", "auth-ssh"); + challenge = auth_value("challenge"); + status = auth_response(pw->pw_name, lc->lc_class, style, "response", + NULL, challenge ? challenge : "", (char *)password); + return (status > 0) && (status & AUTH_OKAY); +} +#else /* LOGIN_CAP */ + int auth_password(struct passwd * pw, const char *password) { @@ -60,3 +77,4 @@ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw->pw_passwd) == 0); } +#endif /* LOGIN_CAP */ diff -uNr ../openssh-1.2.3/channels.c ./channels.c --- ../openssh-1.2.3/channels.c Mon Jan 24 22:42:04 2000 +++ ./channels.c Thu Apr 20 02:30:52 2000 @@ -31,6 +31,10 @@ #include "nchan.h" #include "compat.h" +#ifndef INADDR_LOOPBACK +#define INADDR_LOOPBACK (u_int32_t)0x7f000001 /* 127.0.0.1 */ +#endif + /* Maximum number of fake X11 displays to try. */ #define MAX_DISPLAYS 1000 diff -uNr ../openssh-1.2.3/includes.h ./includes.h --- ../openssh-1.2.3/includes.h Sun Feb 27 20:48:11 2000 +++ ./includes.h Thu Apr 20 02:30:52 2000 @@ -24,12 +24,12 @@ #include #include #include -#include #include #include #include #include #include +#include #include #include @@ -38,7 +38,6 @@ #include #include -#include #include #include #include @@ -65,5 +64,32 @@ * client program. Socketpairs do not seem to work on all systems. */ #define USE_PIPES 1 + +#if defined(__FreeBSD__) && __FreeBSD__ <= 3 || defined(__bsdi__) +/* + * Data types. + */ +#ifndef __bsdi__ +typedef u_char sa_family_t; +typedef int socklen_t; +#endif /* !__bsdi__ */ + +/* + * bsd-api-new-02a: protocol-independent placeholder for socket addresses + */ +#define _SS_MAXSIZE 128 +#define _SS_ALIGNSIZE (sizeof(int64_t)) +#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_char) * 2) +#define _SS_PAD2SIZE (_SS_MAXSIZE - sizeof(u_char) * 2 - \ + _SS_PAD1SIZE - _SS_ALIGNSIZE) + +struct sockaddr_storage { + u_char ss_len; /* address length */ + sa_family_t ss_family; /* address family */ + char __ss_pad1[_SS_PAD1SIZE]; + int64_t __ss_align; /* force desired structure storage alignment */ + char __ss_pad2[_SS_PAD2SIZE]; +}; +#endif #endif /* INCLUDES_H */ diff -uNr ../openssh-1.2.3/lib/CVS/Entries ./lib/CVS/Entries --- ../openssh-1.2.3/lib/CVS/Entries Mon Dec 6 23:47:11 1999 +++ ./lib/CVS/Entries Thu Jan 1 02:00:00 1970 @@ -1,2 +0,0 @@ -/Makefile/1.5/Mon Dec 6 21:17:50 1999// -D diff -uNr ../openssh-1.2.3/lib/CVS/Repository ./lib/CVS/Repository --- ../openssh-1.2.3/lib/CVS/Repository Mon Oct 25 22:42:26 1999 +++ ./lib/CVS/Repository Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -src/usr.bin/ssh/lib diff -uNr ../openssh-1.2.3/lib/CVS/Root ./lib/CVS/Root --- ../openssh-1.2.3/lib/CVS/Root Mon Dec 6 22:57:57 1999 +++ ./lib/CVS/Root Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -/cvs diff -uNr ../openssh-1.2.3/lib/Makefile ./lib/Makefile --- ../openssh-1.2.3/lib/Makefile Mon Dec 6 23:17:50 1999 +++ ./lib/Makefile Thu Apr 20 02:30:52 2000 @@ -4,22 +4,13 @@ SRCS= authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \ cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \ hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ - rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c + rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ + strlcat.c strlcpy.c arc4random.c mkdtemp.c timersub.c NOPROFILE= yes NOPIC= yes install: @echo -n - -.include - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -.if (${AFS} == "yes") -CFLAGS+= -DAFS -SRCS+= radix.c -.endif # AFS -.endif # KERBEROS .include diff -uNr ../openssh-1.2.3/lib/arc4random.c ./lib/arc4random.c --- ../openssh-1.2.3/lib/arc4random.c Thu Jan 1 02:00:00 1970 +++ ./lib/arc4random.c Thu Apr 20 02:30:52 2000 @@ -0,0 +1,196 @@ +/* $OpenBSD: arc4random.c,v 1.5 1999/09/28 01:24:48 deraadt Exp $ */ + +/* + * Arc4 random number generator for OpenBSD. + * Copyright 1996 David Mazieres . + * + * Modification and redistribution in source and binary forms is + * permitted provided that due credit is given to the author and the + * OpenBSD project (for instance by leaving this copyright notice + * intact). + */ + +/* + * This code is derived from section 17.1 of Applied Cryptography, + * second edition, which describes a stream cipher allegedly + * compatible with RSA Labs "RC4" cipher (the actual description of + * which is a trade secret). The same algorithm is used as a stream + * cipher called "arcfour" in Tatu Ylonen's ssh package. + * + * Here the stream cipher has been modified always to include the time + * when initializing the state. That makes it impossible to + * regenerate the same random sequence twice, so this can't be used + * for encryption, but will generate good random numbers. + * + * RC4 is a registered trademark of RSA Laboratories. + */ + +#include +#include +#include +#include +#include +#include +#include + +#ifdef __GNUC__ +#define inline __inline +#else /* !__GNUC__ */ +#define inline +#endif /* !__GNUC__ */ + +struct arc4_stream { + u_int8_t i; + u_int8_t j; + u_int8_t s[256]; +}; + +int rs_initialized; +static struct arc4_stream rs; + +static inline void +arc4_init(as) + struct arc4_stream *as; +{ + int n; + + for (n = 0; n < 256; n++) + as->s[n] = n; + as->i = 0; + as->j = 0; +} + +static inline void +arc4_addrandom(as, dat, datlen) + struct arc4_stream *as; + u_char *dat; + int datlen; +{ + int n; + u_int8_t si; + + as->i--; + for (n = 0; n < 256; n++) { + as->i = (as->i + 1); + si = as->s[as->i]; + as->j = (as->j + si + dat[n % datlen]); + as->s[as->i] = as->s[as->j]; + as->s[as->j] = si; + } + as->j = as->i; +} + +static void +arc4_stir(as) + struct arc4_stream *as; +{ + int fd; + struct { + struct timeval tv; + u_int rnd[(128 - sizeof(struct timeval)) / sizeof(u_int)]; + } rdat; + + gettimeofday(&rdat.tv, NULL); +#if 0 + fd = open("/dev/arandom", O_RDONLY); + if (fd != -1) { + read(fd, rdat.rnd, sizeof(rdat.rnd)); + close(fd); + } else { + int i, mib[2]; + size_t len; + + /* Device could not be opened, we might be chrooted, take + * randomness from sysctl. */ + + mib[0] = CTL_KERN; + mib[1] = KERN_ARND; + + for (i = 0; i < sizeof(rdat.rnd) / sizeof(u_int); i ++) { + len = sizeof(u_int); + if (sysctl(mib, 2, &rdat.rnd[i], &len, NULL, 0) == -1) + break; + } + } +#endif + /* fd < 0 or failed sysctl ? Ah, what the heck. We'll just take + * whatever was on the stack... */ + + arc4_addrandom(as, (void *) &rdat, sizeof(rdat)); +} + +static inline u_int8_t +arc4_getbyte(as) + struct arc4_stream *as; +{ + u_int8_t si, sj; + + as->i = (as->i + 1); + si = as->s[as->i]; + as->j = (as->j + si); + sj = as->s[as->j]; + as->s[as->i] = sj; + as->s[as->j] = si; + return (as->s[(si + sj) & 0xff]); +} + +static inline u_int32_t +arc4_getword(as) + struct arc4_stream *as; +{ + u_int32_t val; + val = arc4_getbyte(as) << 24; + val |= arc4_getbyte(as) << 16; + val |= arc4_getbyte(as) << 8; + val |= arc4_getbyte(as); + return val; +} + +void +arc4random_stir() +{ + if (!rs_initialized) { + arc4_init(&rs); + rs_initialized = 1; + } + arc4_stir(&rs); +} + +void +arc4random_addrandom(dat, datlen) + u_char *dat; + int datlen; +{ + if (!rs_initialized) + arc4random_stir(); + arc4_addrandom(&rs, dat, datlen); +} + +u_int32_t +arc4random() +{ + if (!rs_initialized) + arc4random_stir(); + return arc4_getword(&rs); +} + +#if 0 +/*-------- Test code for i386 --------*/ +#include +#include +int +main(int argc, char **argv) +{ + const int iter = 1000000; + int i; + pctrval v; + + v = rdtsc(); + for (i = 0; i < iter; i++) + arc4random(); + v = rdtsc() - v; + v /= iter; + + printf("%qd cycles\n", v); +} +#endif diff -uNr ../openssh-1.2.3/lib/mkdtemp.c ./lib/mkdtemp.c --- ../openssh-1.2.3/lib/mkdtemp.c Thu Jan 1 02:00:00 1970 +++ ./lib/mkdtemp.c Thu Apr 20 02:30:52 2000 @@ -0,0 +1,159 @@ +/* + * Copyright (c) 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char rcsid[] = "$OpenBSD: mktemp.c,v 1.13 1998/06/30 23:03:13 deraadt Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include +#include +#include +#include +#include +#include +#include + +static int _gettemp __P((char *, int *, int, int)); + +char * +mkdtemp(path) + char *path; +{ + return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL); +} + +static int +_gettemp(path, doopen, domkdir, slen) + char *path; + register int *doopen; + int domkdir; + int slen; +{ + register char *start, *trv, *suffp; + struct stat sbuf; + int pid, rval; + + if (doopen && domkdir) { + errno = EINVAL; + return(0); + } + + for (trv = path; *trv; ++trv) + ; + trv -= slen; + suffp = trv; + --trv; + if (trv < path) { + errno = EINVAL; + return (0); + } + pid = getpid(); + while (*trv == 'X' && pid != 0) { + *trv-- = (pid % 10) + '0'; + pid /= 10; + } + while (*trv == 'X') { + char c; + + pid = (arc4random() & 0xffff) % (26+26); + if (pid < 26) + c = pid + 'A'; + else + c = (pid - 26) + 'a'; + *trv-- = c; + } + start = trv + 1; + + /* + * check the target directory; if you have six X's and it + * doesn't exist this runs for a *very* long time. + */ + if (doopen || domkdir) { + for (;; --trv) { + if (trv <= path) + break; + if (*trv == '/') { + *trv = '\0'; + rval = stat(path, &sbuf); + *trv = '/'; + if (rval != 0) + return(0); + if (!S_ISDIR(sbuf.st_mode)) { + errno = ENOTDIR; + return(0); + } + break; + } + } + } + + for (;;) { + if (doopen) { + if ((*doopen = + open(path, O_CREAT|O_EXCL|O_RDWR, 0600)) >= 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (domkdir) { + if (mkdir(path, 0700) == 0) + return(1); + if (errno != EEXIST) + return(0); + } else if (lstat(path, &sbuf)) + return(errno == ENOENT ? 1 : 0); + + /* tricky little algorithm for backward compatibility */ + for (trv = start;;) { + if (!*trv) + return (0); + if (*trv == 'Z') { + if (trv == suffp) + return (0); + *trv++ = 'a'; + } else { + if (isdigit(*trv)) + *trv = 'a'; + else if (*trv == 'z') /* inc from z to A */ + *trv = 'A'; + else { + if (trv == suffp) + return (0); + ++*trv; + } + break; + } + } + } + /*NOTREACHED*/ +} diff -uNr ../openssh-1.2.3/lib/strlcat.c ./lib/strlcat.c --- ../openssh-1.2.3/lib/strlcat.c Thu Jan 1 02:00:00 1970 +++ ./lib/strlcat.c Thu Apr 20 02:30:52 2000 @@ -0,0 +1,71 @@ +/* $OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcat.c,v 1.2 1999/06/17 16:28:58 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Appends src to string dst of size siz (unlike strncat, siz is the + * full size of dst, not space left). At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcat(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + size_t dlen; + + /* Find the end of dst and adjust bytes left but don't go past end */ + while (*d != '\0' && n-- != 0) + d++; + dlen = d - dst; + n = siz - dlen; + + if (n == 0) + return(dlen + strlen(s)); + while (*s != '\0') { + if (n != 1) { + *d++ = *s; + n--; + } + s++; + } + *d = '\0'; + + return(dlen + (s - src)); /* count does not include NUL */ +} diff -uNr ../openssh-1.2.3/lib/strlcpy.c ./lib/strlcpy.c --- ../openssh-1.2.3/lib/strlcpy.c Thu Jan 1 02:00:00 1970 +++ ./lib/strlcpy.c Thu Apr 20 02:30:52 2000 @@ -0,0 +1,68 @@ +/* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ + +/* + * Copyright (c) 1998 Todd C. Miller + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#if defined(LIBC_SCCS) && !defined(lint) +static char *rcsid = "$OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $"; +#endif /* LIBC_SCCS and not lint */ + +#include +#include + +/* + * Copy src to string dst of size siz. At most siz-1 characters + * will be copied. Always NUL terminates (unless siz == 0). + * Returns strlen(src); if retval >= siz, truncation occurred. + */ +size_t strlcpy(dst, src, siz) + char *dst; + const char *src; + size_t siz; +{ + register char *d = dst; + register const char *s = src; + register size_t n = siz; + + /* Copy as many bytes as will fit */ + if (n != 0 && --n != 0) { + do { + if ((*d++ = *s++) == 0) + break; + } while (--n != 0); + } + + /* Not enough room in dst, add NUL and traverse rest of src */ + if (n == 0) { + if (siz != 0) + *d = '\0'; /* NUL-terminate dst */ + while (*s++) + ; + } + + return(s - src - 1); /* count does not include NUL */ +} diff -uNr ../openssh-1.2.3/lib/timersub.c ./lib/timersub.c --- ../openssh-1.2.3/lib/timersub.c Thu Jan 1 02:00:00 1970 +++ ./lib/timersub.c Thu Apr 20 02:30:52 2000 @@ -0,0 +1,54 @@ +/* + * Copyright (c) 1999 + * Vadim Vygonets . All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of Vadim Vygonets nor the names of his contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY VADIM VYGONETS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL VADIM VYGONETS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* If you want it in public domain, contact me. */ + +/* + * void + * timersub(const struct timeval *a, const struct timeval *b, + * struct timeval *result); + * + * Does result = a - b with timeval. + * Originally written for OpenSSH (it was easier than to find the source). + * I really really hope this function must be void. + */ + +#include + +void +timersub(const struct timeval *a, const struct timeval *b, + struct timeval *result) +{ + result->tv_sec = a->tv_sec - b->tv_sec; + result->tv_usec = a->tv_usec - b->tv_usec; + if (result->tv_usec < 0) { + result->tv_usec += 1000000; + result->tv_sec--; + } +} diff -uNr ../openssh-1.2.3/login.c ./login.c --- ../openssh-1.2.3/login.c Tue Jan 4 02:08:24 2000 +++ ./login.c Thu Apr 20 02:30:52 2000 @@ -20,7 +20,13 @@ #include "includes.h" RCSID("$Id: login.c,v 1.11 2000/01/04 00:07:59 markus Exp $"); +#ifndef __bsdi__ +#ifdef __FreeBSD__ +#include +#else #include +#endif /* __FreeBSD__ */ +#endif /* __bsdi__ */ #include #include "ssh.h" diff -uNr ../openssh-1.2.3/packet.h ./packet.h --- ../openssh-1.2.3/packet.h Tue Jan 4 21:45:19 2000 +++ ./packet.h Thu Apr 20 02:30:52 2000 @@ -20,6 +20,12 @@ #include +#ifndef SHUT_RD +#define SHUT_RD 0 +#define SHUT_WR 1 +#define SHUT_RDWR 2 +#endif + /* * Sets the socket used for communication. Disables encryption until * packet_set_encryption_key is called. It is permissible that fd_in and diff -uNr ../openssh-1.2.3/pty.c ./pty.c --- ../openssh-1.2.3/pty.c Thu Feb 17 16:27:14 2000 +++ ./pty.c Thu Apr 20 02:30:52 2000 @@ -16,7 +16,13 @@ #include "includes.h" RCSID("$Id: pty.c,v 1.12 2000/02/15 16:52:58 markus Exp $"); +#ifndef __bsdi__ +#ifdef __FreeBSD__ +#include +#else #include +#endif /* __FreeBSD__ */ +#endif /* __bsdi__ */ #include "pty.h" #include "ssh.h" diff -uNr ../openssh-1.2.3/scp/CVS/Entries ./scp/CVS/Entries --- ../openssh-1.2.3/scp/CVS/Entries Mon Dec 6 23:47:11 1999 +++ ./scp/CVS/Entries Thu Jan 1 02:00:00 1970 @@ -1,2 +0,0 @@ -/Makefile/1.7/Mon Dec 6 21:17:40 1999// -D diff -uNr ../openssh-1.2.3/scp/CVS/Repository ./scp/CVS/Repository --- ../openssh-1.2.3/scp/CVS/Repository Sun Sep 26 23:33:31 1999 +++ ./scp/CVS/Repository Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -src/usr.bin/ssh/scp diff -uNr ../openssh-1.2.3/scp/CVS/Root ./scp/CVS/Root --- ../openssh-1.2.3/scp/CVS/Root Mon Dec 6 22:57:57 1999 +++ ./scp/CVS/Root Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -/cvs diff -uNr ../openssh-1.2.3/scp/Makefile ./scp/Makefile --- ../openssh-1.2.3/scp/Makefile Mon Dec 6 23:17:40 1999 +++ ./scp/Makefile Thu Apr 20 02:30:53 2000 @@ -3,16 +3,11 @@ PROG= scp BINOWN= root -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else BINMODE?=555 -.endif -BINDIR= /usr/bin MAN= scp.1 SRCS= scp.c +LDADD+= -lssh .include diff -uNr ../openssh-1.2.3/servconf.c ./servconf.c --- ../openssh-1.2.3/servconf.c Thu Feb 24 20:24:49 2000 +++ ./servconf.c Thu Apr 20 02:30:53 2000 @@ -67,6 +67,8 @@ options->num_deny_users = 0; options->num_allow_groups = 0; options->num_deny_groups = 0; + options->connections_per_period = 0; + options->connections_period = 0; } void @@ -159,7 +161,7 @@ sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, - sIgnoreUserKnownHosts + sIgnoreUserKnownHosts, sConnectionsPerPeriod } ServerOpCodes; /* Textual representation of the tokens. */ @@ -207,6 +209,7 @@ { "denyusers", sDenyUsers }, { "allowgroups", sAllowGroups }, { "denygroups", sDenyGroups }, + { "connectionsperperiod", sConnectionsPerPeriod }, { NULL, 0 } }; @@ -316,7 +319,11 @@ filename, linenum); exit(1); } - value = atoi(cp); + if (sscanf(cp, " %d ", &value) != 1) { + fprintf(stderr, "%s line %d: invalid integer value.\n", + filename, linenum); + exit(1); + } if (*intptr == -1) *intptr = value; break; @@ -506,63 +513,65 @@ case sAllowUsers: while ((cp = strtok(NULL, WHITESPACE))) { - if (options->num_allow_users >= MAX_ALLOW_USERS) { - fprintf(stderr, "%s line %d: too many allow users.\n", - filename, linenum); - exit(1); - } + if (options->num_allow_users >= MAX_ALLOW_USERS) + fatal("%.200s line %d: too many allow users.\n", filename, + linenum); options->allow_users[options->num_allow_users++] = xstrdup(cp); } break; case sDenyUsers: while ((cp = strtok(NULL, WHITESPACE))) { - if (options->num_deny_users >= MAX_DENY_USERS) { - fprintf(stderr, "%s line %d: too many deny users.\n", - filename, linenum); - exit(1); - } + if (options->num_deny_users >= MAX_DENY_USERS) + fatal("%.200s line %d: too many deny users.\n", filename, + linenum); options->deny_users[options->num_deny_users++] = xstrdup(cp); } break; case sAllowGroups: while ((cp = strtok(NULL, WHITESPACE))) { - if (options->num_allow_groups >= MAX_ALLOW_GROUPS) { - fprintf(stderr, "%s line %d: too many allow groups.\n", - filename, linenum); - exit(1); - } + if (options->num_allow_groups >= MAX_ALLOW_GROUPS) + fatal("%.200s line %d: too many allow groups.\n", filename, + linenum); options->allow_groups[options->num_allow_groups++] = xstrdup(cp); } break; case sDenyGroups: while ((cp = strtok(NULL, WHITESPACE))) { - if (options->num_deny_groups >= MAX_DENY_GROUPS) { - fprintf(stderr, "%s line %d: too many deny groups.\n", - filename, linenum); - exit(1); - } + if (options->num_deny_groups >= MAX_DENY_GROUPS) + fatal("%.200s line %d: too many deny groups.\n", filename, + linenum); options->deny_groups[options->num_deny_groups++] = xstrdup(cp); } break; + case sConnectionsPerPeriod: + cp = strtok(NULL, WHITESPACE); + if (cp == NULL) + fatal("%.200s line %d: missing (>= 0) number argument.\n", + filename, linenum); + if (sscanf(cp, " %u/%u ", &options->connections_per_period, + &options->connections_period) != 2) + fatal("%.200s line %d: invalid numerical argument(s).\n", + filename, linenum); + if (options->connections_per_period != 0 && + options->connections_period == 0) + fatal("%.200s line %d: invalid connections period.\n", + filename, linenum); + break; + default: - fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n", + fatal("%.200s line %d: Missing handler for opcode %s (%d)\n", filename, linenum, cp, opcode); - exit(1); - } - if (strtok(NULL, WHITESPACE) != NULL) { - fprintf(stderr, "%s line %d: garbage at end of line.\n", - filename, linenum); - exit(1); } + if (strtok(NULL, WHITESPACE) != NULL) + fatal("%.200s line %d: garbage at end of line.\n", filename, + linenum); } fclose(f); - if (bad_options > 0) { - fprintf(stderr, "%s: terminating, %d bad configuration options\n", + if (bad_options > 0) + fatal("%.200s: terminating, %d bad configuration options\n", filename, bad_options); - exit(1); - } } diff -uNr ../openssh-1.2.3/servconf.h ./servconf.h --- ../openssh-1.2.3/servconf.h Tue Jan 4 02:08:24 2000 +++ ./servconf.h Thu Apr 20 02:30:53 2000 @@ -87,6 +87,12 @@ char *allow_groups[MAX_ALLOW_GROUPS]; unsigned int num_deny_groups; char *deny_groups[MAX_DENY_GROUPS]; + unsigned int connections_per_period; /* + * If not 0, number of sshd + * connections accepted per + * connections_period. + */ + unsigned int connections_period; } ServerOptions; /* * Initializes the server options to special values that indicate that they diff -uNr ../openssh-1.2.3/ssh/CVS/Entries ./ssh/CVS/Entries --- ../openssh-1.2.3/ssh/CVS/Entries Mon Dec 6 23:47:12 1999 +++ ./ssh/CVS/Entries Thu Jan 1 02:00:00 1970 @@ -1,2 +0,0 @@ -/Makefile/1.22/Mon Dec 6 21:17:38 1999// -D diff -uNr ../openssh-1.2.3/ssh/CVS/Repository ./ssh/CVS/Repository --- ../openssh-1.2.3/ssh/CVS/Repository Wed Nov 24 00:56:15 1999 +++ ./ssh/CVS/Repository Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -src/usr.bin/ssh/ssh diff -uNr ../openssh-1.2.3/ssh/CVS/Root ./ssh/CVS/Root --- ../openssh-1.2.3/ssh/CVS/Root Mon Dec 6 22:57:57 1999 +++ ./ssh/CVS/Root Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -/cvs diff -uNr ../openssh-1.2.3/ssh/Makefile ./ssh/Makefile --- ../openssh-1.2.3/ssh/Makefile Mon Dec 6 23:17:38 1999 +++ ./ssh/Makefile Thu Apr 20 02:30:53 2000 @@ -3,34 +3,15 @@ PROG= ssh BINOWN= root -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else BINMODE?=4555 -.endif -BINDIR= /usr/bin MAN= ssh.1 LINKS= ${BINDIR}/ssh ${BINDIR}/slogin MLINKS= ssh.1 slogin.1 SRCS= ssh.c sshconnect.c log-client.c readconf.c clientloop.c -.include # for AFS - -.if (${KERBEROS} == "yes") -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -.endif # KERBEROS - .include -LDADD+= -lutil -lz -lcrypto +LDADD+= -lssh -lutil -lz -lcrypto DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} diff -uNr ../openssh-1.2.3/ssh-add/CVS/Entries ./ssh-add/CVS/Entries --- ../openssh-1.2.3/ssh-add/CVS/Entries Mon Dec 6 23:47:12 1999 +++ ./ssh-add/CVS/Entries Thu Jan 1 02:00:00 1970 @@ -1,2 +0,0 @@ -/Makefile/1.16/Mon Dec 6 21:17:15 1999// -D diff -uNr ../openssh-1.2.3/ssh-add/CVS/Repository ./ssh-add/CVS/Repository --- ../openssh-1.2.3/ssh-add/CVS/Repository Sun Sep 26 23:33:30 1999 +++ ./ssh-add/CVS/Repository Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -src/usr.bin/ssh/ssh-add diff -uNr ../openssh-1.2.3/ssh-add/CVS/Root ./ssh-add/CVS/Root --- ../openssh-1.2.3/ssh-add/CVS/Root Mon Dec 6 22:57:58 1999 +++ ./ssh-add/CVS/Root Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -/cvs diff -uNr ../openssh-1.2.3/ssh-add/Makefile ./ssh-add/Makefile --- ../openssh-1.2.3/ssh-add/Makefile Mon Dec 6 23:17:15 1999 +++ ./ssh-add/Makefile Thu Apr 20 02:30:53 2000 @@ -3,19 +3,13 @@ PROG= ssh-add BINOWN= root -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else BINMODE?=555 -.endif -BINDIR= /usr/bin MAN= ssh-add.1 SRCS= ssh-add.c log-client.c .include -LDADD+= -lcrypto -lutil -lz +LDADD+= -lssh -lcrypto -lutil -lz DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -uNr ../openssh-1.2.3/ssh-agent/CVS/Entries ./ssh-agent/CVS/Entries --- ../openssh-1.2.3/ssh-agent/CVS/Entries Fri Nov 19 21:13:39 1999 +++ ./ssh-agent/CVS/Entries Thu Jan 1 02:00:00 1970 @@ -1,2 +0,0 @@ -/Makefile/1.13/Wed Nov 3 00:45:11 1999// -D diff -uNr ../openssh-1.2.3/ssh-agent/CVS/Repository ./ssh-agent/CVS/Repository --- ../openssh-1.2.3/ssh-agent/CVS/Repository Sun Sep 26 23:33:30 1999 +++ ./ssh-agent/CVS/Repository Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -src/usr.bin/ssh/ssh-agent diff -uNr ../openssh-1.2.3/ssh-agent/CVS/Root ./ssh-agent/CVS/Root --- ../openssh-1.2.3/ssh-agent/CVS/Root Mon Dec 6 22:57:58 1999 +++ ./ssh-agent/CVS/Root Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -/cvs diff -uNr ../openssh-1.2.3/ssh-agent/Makefile ./ssh-agent/Makefile --- ../openssh-1.2.3/ssh-agent/Makefile Wed Nov 3 02:45:11 1999 +++ ./ssh-agent/Makefile Thu Apr 20 02:30:53 2000 @@ -3,19 +3,13 @@ PROG= ssh-agent BINOWN= root -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else BINMODE?=555 -.endif -BINDIR= /usr/bin MAN= ssh-agent.1 SRCS= ssh-agent.c log-client.c .include -LDADD+= -lcrypto -lutil -lz +LDADD+= -lssh -lcrypto -lutil -lz DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -uNr ../openssh-1.2.3/ssh-keygen/CVS/Entries ./ssh-keygen/CVS/Entries --- ../openssh-1.2.3/ssh-keygen/CVS/Entries Fri Nov 19 21:13:39 1999 +++ ./ssh-keygen/CVS/Entries Thu Jan 1 02:00:00 1970 @@ -1,2 +0,0 @@ -/Makefile/1.13/Wed Nov 3 00:45:11 1999// -D diff -uNr ../openssh-1.2.3/ssh-keygen/CVS/Repository ./ssh-keygen/CVS/Repository --- ../openssh-1.2.3/ssh-keygen/CVS/Repository Sun Sep 26 23:33:31 1999 +++ ./ssh-keygen/CVS/Repository Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -src/usr.bin/ssh/ssh-keygen diff -uNr ../openssh-1.2.3/ssh-keygen/CVS/Root ./ssh-keygen/CVS/Root --- ../openssh-1.2.3/ssh-keygen/CVS/Root Mon Dec 6 22:57:58 1999 +++ ./ssh-keygen/CVS/Root Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -/cvs diff -uNr ../openssh-1.2.3/ssh-keygen/Makefile ./ssh-keygen/Makefile --- ../openssh-1.2.3/ssh-keygen/Makefile Wed Nov 3 02:45:11 1999 +++ ./ssh-keygen/Makefile Thu Apr 20 02:30:53 2000 @@ -3,19 +3,13 @@ PROG= ssh-keygen BINOWN= root -.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ - ${MACHINE_ARCH} == "hppa") -BINMODE=0000 -.else BINMODE?=555 -.endif -BINDIR= /usr/bin MAN= ssh-keygen.1 SRCS= ssh-keygen.c log-client.c .include -LDADD+= -lcrypto -lutil -lz +LDADD+= -lssh -lcrypto -lutil -lz DPADD+= ${LIBCRYPTO} ${LIBDES} ${LIBUTIL} ${LIBZ} diff -uNr ../openssh-1.2.3/ssh.c ./ssh.c --- ../openssh-1.2.3/ssh.c Tue Feb 29 00:16:45 2000 +++ ./ssh.c Wed May 10 15:29:15 2000 @@ -132,6 +132,9 @@ log("Using rsh. WARNING: Connection will not be encrypted."); /* Build argument list for rsh. */ i = 0; +#ifndef _PATH_RSH +#define _PATH_RSH "/usr/bin/rsh" +#endif args[i++] = _PATH_RSH; /* host may have to come after user on some systems */ args[i++] = host; diff -uNr ../openssh-1.2.3/ssh.h ./ssh.h --- ../openssh-1.2.3/ssh.h Wed Feb 2 01:55:48 2000 +++ ./ssh.h Thu Apr 20 02:30:53 2000 @@ -78,7 +78,11 @@ #define SERVER_CONFIG_FILE ETCDIR "/sshd_config" #define HOST_CONFIG_FILE ETCDIR "/ssh_config" +#ifdef __bsdi__ +#define SSH_PROGRAM "/usr/local/bin/ssh" +#else #define SSH_PROGRAM "/usr/bin/ssh" +#endif /* * The process id of the daemon listening for connections is saved here to @@ -244,6 +248,14 @@ #define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */ #define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */ +#if defined(__FreeBSD__) || defined(__bsdi__) +#define LOGIN_CAP +#endif + +#ifdef LOGIN_CAP +#include +#endif + /*------------ definitions for login.c -------------*/ /* @@ -320,7 +332,12 @@ * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ +#ifdef LOGIN_CAP +int auth_password(struct passwd * pw, const char *password, + login_cap_t *lc, char *style); +#else int auth_password(struct passwd * pw, const char *password); +#endif /* * Performs the RSA authentication dialog with the client. This returns 0 if diff -uNr ../openssh-1.2.3/sshconnect.c ./sshconnect.c --- ../openssh-1.2.3/sshconnect.c Fri Feb 18 12:33:17 2000 +++ ./sshconnect.c Thu Apr 20 02:30:53 2000 @@ -148,7 +148,11 @@ */ if (privileged) { int p = IPPORT_RESERVED - 1; +#ifdef __bsdi__ + sock = rresvport(&p); +#else /* __bsdi__ */ sock = rresvport_af(&p, family); +#endif /* __bsdi__ */ if (sock < 0) error("rresvport: af=%d %.100s", family, strerror(errno)); else @@ -1085,9 +1089,11 @@ case AF_INET: local = (ntohl(((struct sockaddr_in *)hostaddr)->sin_addr.s_addr) >> 24) == IN_LOOPBACKNET; break; +#ifdef INET6 case AF_INET6: local = IN6_IS_ADDR_LOOPBACK(&(((struct sockaddr_in6 *)hostaddr)->sin6_addr)); break; +#endif default: local = 0; break; diff -uNr ../openssh-1.2.3/sshd/CVS/Entries ./sshd/CVS/Entries --- ../openssh-1.2.3/sshd/CVS/Entries Wed Mar 1 22:00:50 2000 +++ ./sshd/CVS/Entries Thu Jan 1 02:00:00 1970 @@ -1,2 +0,0 @@ -/Makefile/1.23/Wed Mar 1 18:58:07 2000// -D diff -uNr ../openssh-1.2.3/sshd/CVS/Repository ./sshd/CVS/Repository --- ../openssh-1.2.3/sshd/CVS/Repository Sun Sep 26 23:33:30 1999 +++ ./sshd/CVS/Repository Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -src/usr.bin/ssh/sshd diff -uNr ../openssh-1.2.3/sshd/CVS/Root ./sshd/CVS/Root --- ../openssh-1.2.3/sshd/CVS/Root Mon Dec 6 22:57:58 1999 +++ ./sshd/CVS/Root Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -/cvs diff -uNr ../openssh-1.2.3/sshd/Makefile ./sshd/Makefile --- ../openssh-1.2.3/sshd/Makefile Wed Mar 1 20:58:07 2000 +++ ./sshd/Makefile Thu Apr 20 02:30:53 2000 @@ -3,43 +3,13 @@ PROG= sshd BINOWN= root BINMODE=555 -BINDIR= /usr/sbin +BINDIR= /usr/local/sbin MAN= sshd.8 SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ pty.c log-server.c login.c servconf.c serverloop.c -.include # for KERBEROS and AFS - -.if (${KERBEROS} == "yes") -.if (${AFS} == "yes") -CFLAGS+= -DAFS -LDADD+= -lkafs -DPADD+= ${LIBKRBAFS} -.endif # AFS -CFLAGS+= -DKRB4 -I/usr/include/kerberosIV -SRCS+= auth-krb4.c -LDADD+= -lkrb -DPADD+= ${LIBKRB} -.endif # KERBEROS - -.if (${SKEY} == "yes") -SRCS+= auth-skey.c -.endif - .include -LDADD+= -lcrypto -lutil -lz +LDADD+= -lssh -lcrypto -lutil -lz DPADD+= ${LIBCRYPTO} ${LIBUTIL} ${LIBZ} - -.if (${TCP_WRAPPERS} == "yes") -CFLAGS+= -DLIBWRAP -LDADD+= -lwrap -DPADD+= ${LIBWRAP} -.endif - -.if (${SKEY} == "yes") -CFLAGS+= -DSKEY -LDADD+= -lskey -DPADD+= ${SKEY} -.endif diff -uNr ../openssh-1.2.3/sshd.8 ./sshd.8 --- ../openssh-1.2.3/sshd.8 Thu Feb 24 20:24:49 2000 +++ ./sshd.8 Thu Apr 20 02:30:53 2000 @@ -228,6 +228,31 @@ should check for new mail for interactive logins. The default is .Dq no . +.It Cm ConnectionsPerPeriod +This keyword allows for rate-limiting of connections, and +is followed by two numbers in the format +.Dq n/s , +where +.Ar n +is the number of connections from a certain address group +accepted per period of +.Ar s +seconds. Any connection after the number +.Ar n +connection in the period of +.Ar s +seconds will be dropped, and an informational message will be logged. +A connection will belong to a certain group, of which there are 13 +by default, according to its IP address. +The default for this keyword is +.Dq 0/0 , +and rate-limiting can be explicitly turned off by using an +.Ar n +parameter of +.Ql 0 +and any +.Ar s +parameter. .It Cm DenyGroups This keyword can be followed by a number of group names, separated by spaces. Users whose primary group matches one of the patterns @@ -470,8 +495,9 @@ If the login is on a tty, records login time. .It Checks -.Pa /etc/nologin ; -if it exists, prints contents and quits +.Pa /etc/nologin and +.Pa /var/run/nologin ; +if one exists, it prints the contents and quits (unless root). .It Changes to run with normal user privileges. diff -uNr ../openssh-1.2.3/sshd.c ./sshd.c --- ../openssh-1.2.3/sshd.c Mon Mar 6 23:11:17 2000 +++ ./sshd.c Wed May 10 16:44:01 2000 @@ -24,6 +24,11 @@ #include "servconf.h" #include "uidswap.h" #include "compat.h" +#include + +#ifndef __bsdi__ +#include +#endif /* __bsdi__ */ #ifdef LIBWRAP #include @@ -32,6 +37,17 @@ int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ +#ifdef LOGIN_CAP +#ifdef __FreeBSD__ +#include +#endif /* __FreeBSD__ */ +#include +#ifdef __bsdi__ +#define login_getpwclass(pw) login_getclass((pw)->pw_class) +#define login_getclassbyname(foo, bar) NULL /* No idea what it does. */ +#endif /* __bsdi__ */ +#endif /* LOGIN_CAP */ + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif @@ -126,11 +142,53 @@ the private key. */ RSA *public_key; +/* These are used to implement connections_per_period. */ +struct magic_connection { + struct timeval connections_begin; + unsigned int connections_this_period; +} *magic_connections; +/* Magic number, too! TODO: this doesn't have to be static. */ +const size_t MAGIC_CONNECTIONS_SIZE = 1; + +static __inline int +magic_hash(struct sockaddr_storage *sa) { + + return 0; +} + +/* Prototypes for various functions defined in lib/ somewhere. */ +#ifdef __bsdi__ +u_int32_t arc4random(void); +void arc4random_stir(void); +size_t strlcpy(char *dst, const char *src, size_t siz); +size_t strlcat(char *dst, const char *src, size_t siz); +char * mkdtemp(char *path); +void timersub(const struct timeval *a, const struct timeval *b, + struct timeval *result); +#endif /* __bsdi__ */ + /* Prototypes for various functions defined later in this file. */ void do_ssh_kex(); void do_authentication(); +#ifdef LOGIN_CAP +void do_authloop(struct passwd * pw, login_cap_t *lc, char *style); +#else /* LOGIN_CAP */ void do_authloop(struct passwd * pw); +#endif /* LOGIN_CAP */ void do_fake_authloop(char *user); +#ifdef LOGIN_CAP +void do_authenticated(struct passwd * pw, login_cap_t *lc); +void do_exec_pty(const char *command, int ptyfd, int ttyfd, + const char *ttyname, struct passwd * pw, const char *term, + const char *display, const char *auth_proto, + const char *auth_data, login_cap_t *lc); +void do_exec_no_pty(const char *command, struct passwd * pw, + const char *display, const char *auth_proto, + const char *auth_data, login_cap_t *lc); +void do_child(const char *command, struct passwd * pw, const char *term, + const char *display, const char *auth_proto, + const char *auth_data, const char *ttyname, login_cap_t *lc); +#else /* LOGIN_CAP */ void do_authenticated(struct passwd * pw); void do_exec_pty(const char *command, int ptyfd, int ttyfd, const char *ttyname, struct passwd * pw, const char *term, @@ -142,6 +200,7 @@ void do_child(const char *command, struct passwd * pw, const char *term, const char *display, const char *auth_proto, const char *auth_data, const char *ttyname); +#endif /* LOGIN_CAP */ /* * Remove local Xauthority file. @@ -319,8 +378,10 @@ { extern char *optarg; extern int optind; - int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, pid, on = 1; + int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, pid = -1, + on = 1; socklen_t fromlen; + int connections_per_period_exceeded = 0; int remote_major, remote_minor; int silentrsa = 0; fd_set *fdset; @@ -640,6 +701,12 @@ fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask); fdset = (fd_set *)xmalloc(fdsetsz); + /* Initialize the magic_connections table. It's magical! */ + magic_connections = calloc(MAGIC_CONNECTIONS_SIZE, + sizeof(struct magic_connection)); + if (magic_connections == NULL) + fatal("calloc: %s", strerror(errno)); + /* * Stay listening for connections until the system crashes or * the daemon is killed with a signal. @@ -671,9 +738,31 @@ error("newsock del O_NONBLOCK: %s", strerror(errno)); continue; } + if (options.connections_per_period != 0) { + struct timeval diff, connections_end; + struct magic_connection *mc; + + (void)gettimeofday(&connections_end, NULL); + mc = &magic_connections[magic_hash(&from)]; + timersub(&connections_end, &mc->connections_begin, &diff); + if (diff.tv_sec >= options.connections_period) { + /* + * Slide the window forward only after completely + * leaving it. + */ + mc->connections_begin = connections_end; + mc->connections_this_period = 1; + } else { + if (++mc->connections_this_period > + options.connections_per_period) + connections_per_period_exceeded = 1; + } + } + /* - * Got connection. Fork a child to handle it, unless - * we are in debugging mode. + * Got connection. Fork a child to handle it unless + * we are in debugging mode or the maximum number of + * connections per period has been exceeded. */ if (debug_flag) { /* @@ -687,6 +776,12 @@ sock_out = newsock; pid = getpid(); break; + } else if (connections_per_period_exceeded) { + log("Connection rate limit of %u/%us has been exceeded; " + "dropping connection from %s.", + options.connections_per_period, options.connections_period, + ntop); + connections_per_period_exceeded = 0; } else { /* * Normal production daemon. Fork, and have @@ -1171,6 +1266,16 @@ return 0; } } +#ifdef LOGIN_CAP + /* Fail if the account's expiration time has passed. */ + if (pw->pw_expire != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_expire) + return 0; + } +#endif /* LOGIN_CAP */ /* We found no reason not to let this user try to log on... */ return 1; } @@ -1185,6 +1290,10 @@ struct passwd *pw, pwcopy; int plen, ulen; char *user; +#ifdef LOGIN_CAP + login_cap_t *lc; + char *style; +#endif /* LOGIN_CAP */ /* Get the name of the user that we wish to log in as. */ packet_read_expect(&plen, SSH_CMSG_USER); @@ -1203,10 +1312,27 @@ } #endif /* AFS */ +#ifdef LOGIN_CAP + if ((style = strchr(user, ':')) != NULL) + *style++ = '\0'; +#endif /* LOGIN_CAP */ + /* Verify that the user is a valid user. */ pw = getpwnam(user); + +#ifdef LOGIN_CAP + lc = login_getpwclass(pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, pw); + auth_setopt("auth_type", "auth-ssh"); + style = login_getstyle(lc, style, "auth-ssh"); + if (!pw || !lc || !style || !allowed_user(pw)) + do_fake_authloop(user); +#else /* LOGIN_CAP */ if (!pw || !allowed_user(pw)) do_fake_authloop(user); +#endif /* LOGIN_CAP */ + xfree(user); /* Take a copy of the returned structure. */ @@ -1217,6 +1343,12 @@ pwcopy.pw_gid = pw->pw_gid; pwcopy.pw_dir = xstrdup(pw->pw_dir); pwcopy.pw_shell = xstrdup(pw->pw_shell); +#ifdef LOGIN_CAP + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_expire = pw->pw_expire; + pwcopy.pw_change = pw->pw_change; +#endif /* LOGIN_CAP */ + pw = &pwcopy; /* @@ -1233,7 +1365,12 @@ #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ - auth_password(pw, "")) { +#ifdef LOGIN_CAP + auth_password(pw, "", lc, style) +#else /* LOGIN_CAP */ + auth_password(pw, "") +#endif /* LOGIN_CAP */ + ) { /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", pw->pw_name, get_remote_ipaddr()); @@ -1241,7 +1378,11 @@ /* Loop until the user has been authenticated or the connection is closed, do_authloop() returns only if authentication is successfull */ +#ifdef LOGIN_CAP + do_authloop(pw, lc, style); +#else /* LOGIN_CAP */ do_authloop(pw); +#endif /* LOGIN_CAP */ } /* Check if the user is logging in as root and root logins are disallowed. */ @@ -1258,7 +1399,12 @@ packet_write_wait(); /* Perform session preparation. */ +#ifdef LOGIN_CAP + do_authenticated(pw, lc); + login_close(lc); /* Probably not ever reached. */ +#else /* LOGIN_CAP */ do_authenticated(pw); +#endif /* LOGIN_CAP */ } #define AUTH_FAIL_MAX 6 @@ -1270,7 +1416,11 @@ * return if authentication is successfull */ void +#ifdef LOGIN_CAP +do_authloop(struct passwd * pw, login_cap_t *lc, char *style) +#else /* LOGIN_CAP */ do_authloop(struct passwd * pw) +#endif /* LOGIN_CAP */ { int attempt = 0; unsigned int bits; @@ -1436,7 +1586,11 @@ packet_integrity_check(plen, 4 + dlen, type); /* Try authentication with the password. */ +#ifdef LOGIN_CAP + authenticated = auth_password(pw, password, lc, style); +#else /* LOGIN_CAP */ authenticated = auth_password(pw, password); +#endif /* LOGIN_CAP */ memset(password, 0, strlen(password)); xfree(password); @@ -1620,7 +1774,11 @@ * are requested, etc. */ void +#ifdef LOGIN_CAP +do_authenticated(struct passwd * pw, login_cap_t *lc) +#else /* LOGIN_CAP */ do_authenticated(struct passwd * pw) +#endif /* LOGIN_CAP */ { int type; int compression_level = 0, enable_compression_after_reply = 0; @@ -1797,10 +1955,19 @@ goto do_forced_command; debug("Forking shell."); packet_integrity_check(plen, 0, type); +#ifdef LOGIN_CAP + if (have_pty) + do_exec_pty(NULL, ptyfd, ttyfd, ttyname, pw, + term, display, proto, data, lc); + else + do_exec_no_pty(NULL, pw, display, proto, + data, lc); +#else /* LOGIN_CAP */ if (have_pty) do_exec_pty(NULL, ptyfd, ttyfd, ttyname, pw, term, display, proto, data); else do_exec_no_pty(NULL, pw, display, proto, data); +#endif /* LOGIN_CAP */ return; case SSH_CMSG_EXEC_CMD: @@ -1817,10 +1984,19 @@ debug("Executing command '%.500s'", command); packet_integrity_check(plen, 4 + dlen, type); } +#ifdef LOGIN_CAP + if (have_pty) + do_exec_pty(command, ptyfd, ttyfd, ttyname, pw, + term, display, proto, data, lc); + else + do_exec_no_pty(command, pw, display, proto, + data, lc); +#else /* LOGIN_CAP */ if (have_pty) do_exec_pty(command, ptyfd, ttyfd, ttyname, pw, term, display, proto, data); else do_exec_no_pty(command, pw, display, proto, data); +#endif /* LOGIN_CAP */ xfree(command); return; @@ -1858,10 +2034,19 @@ * Execute it. */ debug("Executing forced command: %.900s", forced_command); +#ifdef LOGIN_CAP + if (have_pty) + do_exec_pty(forced_command, ptyfd, ttyfd, ttyname, pw, + term, display, proto, data, lc); + else + do_exec_no_pty(forced_command, pw, display, proto, + data, lc); +#else /* LOGIN_CAP */ if (have_pty) do_exec_pty(forced_command, ptyfd, ttyfd, ttyname, pw, term, display, proto, data); else do_exec_no_pty(forced_command, pw, display, proto, data); +#endif /* LOGIN_CAP */ return; } } @@ -1872,9 +2057,15 @@ * setting up file descriptors and such. */ void +#ifdef LOGIN_CAP +do_exec_no_pty(const char *command, struct passwd * pw, + const char *display, const char *auth_proto, + const char *auth_data, login_cap_t *lc) +#else /* LOGIN_CAP */ do_exec_no_pty(const char *command, struct passwd * pw, const char *display, const char *auth_proto, const char *auth_data) +#endif /* LOGIN_CAP */ { int pid; @@ -1945,7 +2136,12 @@ #endif /* USE_PIPES */ /* Do processing for the child (exec command etc). */ +#ifdef LOGIN_CAP + do_child(command, pw, NULL, display, auth_proto, auth_data, + NULL, lc); +#else /* LOGIN_CAP */ do_child(command, pw, NULL, display, auth_proto, auth_data, NULL); +#endif /* LOGIN_CAP */ /* NOTREACHED */ } if (pid < 0) @@ -1980,10 +2176,17 @@ * lastlog, and other such operations. */ void +#ifdef LOGIN_CAP +do_exec_pty(const char *command, int ptyfd, int ttyfd, + const char *ttyname, struct passwd * pw, const char *term, + const char *display, const char *auth_proto, + const char *auth_data, login_cap_t *lc) +#else /* LOGIN_CAP */ do_exec_pty(const char *command, int ptyfd, int ttyfd, const char *ttyname, struct passwd * pw, const char *term, const char *display, const char *auth_proto, const char *auth_data) +#endif /* LOGIN_CAP */ { int pid, fdout; int ptymaster; @@ -1997,6 +2200,9 @@ struct sockaddr_storage from; socklen_t fromlen; struct pty_cleanup_context cleanup_context; +#ifdef LOGIN_CAP + char *fname; +#endif /* LOGIN_CAP */ /* Get remote host name. */ hostname = get_canonical_hostname(); @@ -2061,6 +2267,10 @@ /* Check if .hushlogin exists. */ snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; +#ifdef LOGIN_CAP + quiet_login = quiet_login || + login_getcapbool(lc, "hushlogin", quiet_login); +#endif /* LOGIN_CAP */ /* * If the user has logged in before, display the time of last @@ -2084,6 +2294,34 @@ else printf("Last login: %s from %s\r\n", time_string, buf); } +#ifdef LOGIN_CAP + if (command == NULL && !quiet_login && !options.use_login) { +#ifdef __bsdi__ + (void)printf( + "Copyright 1992, 1993, 1994, 1995, 1996, 1997 " + "Berkeley Software Design, Inc.\n"); + (void)printf("%s\n\t%s %s\n\n", + "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", + "The Regents of the University of California. ", + "All rights reserved."); + if ((fname = + login_getcapstr(lc, "copyright", NULL, NULL)) + != NULL) + auth_cat(fname); +#else /* __bsdi__ */ + fname = login_getcapstr(lc, "copyright", NULL, NULL); + if (fname != NULL && (f = fopen(fname, "r")) != NULL) { + while (fgets(line, sizeof(line), f) != NULL) + fputs(line, stdout); + fclose(f); + } else + (void)printf("%s\n\t%s %s\n", + "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", + "The Regents of the University of California. ", + "All rights reserved."); +#endif /* __bsdi__ */ + } +#endif /* LOGIN_CAP */ /* * Print /etc/motd unless a command was specified or printing * it was disabled in server options or login(1) will be @@ -2092,8 +2330,14 @@ */ if (command == NULL && options.print_motd && !quiet_login && !options.use_login) { - /* Print /etc/motd if it exists. */ +#ifdef LOGIN_CAP + fname = login_getcapstr(lc, "welcome", NULL, NULL); + if (fname == NULL || (f = fopen(fname, "r")) == NULL) + f = fopen("/etc/motd", "r"); +#else /* LOGIN_CAP */ f = fopen("/etc/motd", "r"); +#endif /* LOGIN_CAP */ + /* Print /etc/motd if it exists. */ if (f) { while (fgets(line, sizeof(line), f)) fputs(line, stdout); @@ -2101,7 +2345,11 @@ } } /* Do common processing for the child, such as execing the command. */ +#ifdef LOGIN_CAP + do_child(command, pw, term, display, auth_proto, auth_data, ttyname, lc); +#else /* LOGIN_CAP */ do_child(command, pw, term, display, auth_proto, auth_data, ttyname); +#endif /* LOGIN_CAP */ /* NOTREACHED */ } if (pid < 0) @@ -2237,11 +2485,18 @@ * ids, and executing the command or shell. */ void +#ifdef LOGIN_CAP +do_child(const char *command, struct passwd * pw, const char *term, + const char *display, const char *auth_proto, + const char *auth_data, const char *ttyname, login_cap_t *lc) +#else /* LOGIN_CAP */ do_child(const char *command, struct passwd * pw, const char *term, const char *display, const char *auth_proto, const char *auth_data, const char *ttyname) +#endif /* LOGIN_CAP */ { - const char *shell, *cp = NULL; + char *shell; + const char *cp = NULL; char buf[256]; FILE *f; unsigned int envsize, i; @@ -2250,23 +2505,61 @@ struct stat st; char *argv[10]; +#ifdef __bsdi__ + /* On BSDI, let nologin be handled by libc. */ + auth_checknologin(lc); + /* + * XXX + * I don't see any reason why the following should be incorrect. + * It seems like if there is a command, /usr/bin/login is not + * used anyway. There is some code below which does several + * initializations (e.g., sets UID and GID, PATH, argv[0], etc.) + * only if options.use_login is not set, because if it's set + * then login will do it for us. _But_ I think we _must_ do these + * things if command is set. + * -- Vadik 2000-05-10 + */ + if (command) + options.use_login = 0; +#else /* __bsdi */ f = fopen("/etc/nologin", "r"); +#ifdef __FreeBSD__ + if (f == NULL) + f = fopen("/var/run/nologin", "r"); +#endif /* __FreeBSD__ */ if (f) { /* /etc/nologin exists. Print its contents and exit. */ - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stderr); - fclose(f); - if (pw->pw_uid != 0) - exit(254); +#ifdef LOGIN_CAP + /* On FreeBSD, etc., allow overriding nologin via login.conf. */ + if (!login_getcapbool(lc, "ignorenologin", 0)) { +#else /* LOGIN_CAP */ + if (1) { +#endif /* LOGIN_CAP */ + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); + if (pw->pw_uid != 0) + exit(254); + } + } +#endif /* __bsdi__ */ +#ifndef LOGIN_CAP /* Set login name in the kernel. */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +#endif /* !LOGIN_CAP */ /* Set uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, so we let login(1) to this for us. */ if (!options.use_login) { +#ifdef LOGIN_CAP + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) == -1) { + perror("setusercontext"); + exit(1); + } +#else /* LOGIN_CAP */ if (getuid() == 0 || geteuid() == 0) { if (setgid(pw->pw_gid) < 0) { perror("setgid"); @@ -2284,12 +2577,20 @@ } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %d.", (int) pw->pw_uid); +#endif /* LOGIN_CAP */ } /* * Get the shell from the password data. An empty shell field is * legal, and means /bin/sh. */ +#ifdef LOGIN_CAP + shell = pw->pw_shell; + shell = login_getcapstr(lc, "shell", shell, shell); + if (shell[0] == '\0') + shell = _PATH_BSHELL; +#else /* LOGIN_CAP */ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; +#endif /* LOGIN_CAP */ #ifdef AFS /* Try to get AFS tokens for the local cell. */ @@ -2313,7 +2614,18 @@ child_set_env(&env, &envsize, "USER", pw->pw_name); child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); child_set_env(&env, &envsize, "HOME", pw->pw_dir); +#ifdef __bsdi__ + /* In BSDI, PATH is already in the environment after + setusercontext(). Put it in child's environment. */ + child_set_env(&env, &envsize, "PATH", getenv("PATH")); +#else /* __bsdi__ */ +#ifdef LOGIN_CAP + child_set_env(&env, &envsize, "PATH", + login_getpath(lc, "path", _PATH_STDPATH)); +#else /* LOGIN_CAP */ child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); +#endif /* LOGIN_CAP */ +#endif /* __bsdi__ */ snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); @@ -2403,13 +2715,17 @@ */ endpwent(); +#ifdef LOGIN_CAP + login_close(lc); +#endif /* LOGIN_CAP */ + /* * Close any extra open file descriptors so that we don\'t have them * hanging around in clients. Note that we want to do this after * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ - for (i = 3; i < 64; i++) + for (i = 3; i < getdtablesize(); i++) close(i); /* Change current directory to the user\'s home directory. */ @@ -2428,6 +2744,26 @@ * in this order). */ if (!options.use_login) { +#if defined (__FreeBSD__) || defined(__bsdi__) + /* + * If the password change time is set and has passed, give the + * user a password expiry notice and chance to change it. + */ + if (pw->pw_change != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_change) { + (void)printf( + "Sorry -- your password has expired.\n"); + syslog(LOG_INFO, + "%s Password expired - forcing change", + pw->pw_name); + if (system("/usr/bin/passwd") != 0) + perror("/usr/bin/passwd"); + } + } +#endif /* __FreeBSD__ || __bsdi__ */ if (stat(SSH_USER_RC, &st) >= 0) { if (debug_flag) fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC); @@ -2535,6 +2871,21 @@ argv[0] = (char *) cp; argv[1] = "-c"; argv[2] = (char *) command; +#ifdef __bsdi__ + /* + * Dirty hack. scp is installed in /usr/local/bin, so it's not + * in $PATH by default. To make scp work, canonicalize command + * if it starts with "scp\s". What makes it worse is that + * everything is hardcoded. Oh well. I'm lazy. + * -- Vadik 2000-05-10 + */ + if (strncmp(command, "scp", 3) == 0 && + isspace(command[3])) { + argv[2] = xmalloc(strlen(command) + sizeof("/usr/local/bin/")); + strcpy(argv[2], "/usr/local/bin/"); + strcat(argv[2], command); + } +#endif /* __bsdi__ */ argv[3] = NULL; execve(shell, argv, env); perror(shell); diff -uNr ../openssh-1.2.3/sshd_config ./sshd_config --- ../openssh-1.2.3/sshd_config Tue Jan 4 02:08:24 2000 +++ ./sshd_config Thu Apr 20 02:30:54 2000 @@ -7,7 +7,9 @@ ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 -PermitRootLogin yes +PermitRootLogin no +# Rate-limit sshd connections to 5 connections per 10 seconds +ConnectionsPerPeriod 5/10 # # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes diff -uNr ../openssh-1.2.3/version.h~ ./version.h~ --- ../openssh-1.2.3/version.h~ Mon Jan 24 01:35:07 2000 +++ ./version.h~ Thu Jan 1 02:00:00 1970 @@ -1 +0,0 @@ -#define SSH_VERSION "OpenSSH-1.2.2"