head	1.13;
access;
symbols
	RELEASE_4_5_0:1.12
	RELEASE_4_4_0:1.12
	RELEASE_4_3_0:1.12
	RELEASE_4_2_0:1.11
	RELEASE_4_1_1:1.10
	RELEASE_4_1_0:1.10
	RELEASE_3_5_0:1.10
	RELEASE_4_0_0:1.8
	RELEASE_3_4_0:1.6
	openssh_1_2:1.1.1.1
	OPENBSD:1.1.1;
locks; strict;
comment	@# @;


1.13
date	2002.03.12.17.54.07;	author dinoex;	state dead;
branches;
next	1.12;

1.12
date	2001.02.09.22.37.50;	author kris;	state Exp;
branches;
next	1.11;

1.11
date	2000.11.04.23.04.25;	author green;	state Exp;
branches;
next	1.10;

1.10
date	2000.05.13.17.11.01;	author green;	state Exp;
branches;
next	1.9;

1.9
date	2000.04.20.22.24.18;	author green;	state Exp;
branches;
next	1.8;

1.8
date	2000.02.25.05.35.33;	author green;	state Exp;
branches;
next	1.7;

1.7
date	2000.01.13.23.22.17;	author green;	state Exp;
branches;
next	1.6;

1.6
date	99.12.08.04.06.38;	author green;	state Exp;
branches;
next	1.5;

1.5
date	99.12.06.06.32.21;	author green;	state Exp;
branches;
next	1.4;

1.4
date	99.11.28.22.40.28;	author green;	state Exp;
branches;
next	1.3;

1.3
date	99.11.24.03.36.21;	author green;	state Exp;
branches;
next	1.2;

1.2
date	99.11.17.17.19.27;	author green;	state dead;
branches;
next	1.1;

1.1
date	99.11.08.06.20.53;	author green;	state Exp;
branches
	1.1.1.1;
next	;

1.1.1.1
date	99.11.08.06.20.53;	author green;	state Exp;
branches;
next	;


desc
@@


1.13
log
@Rename Patches to make navigation much easier.
@
text
@--- /home/bright/ssh/ssh/sshd.c	Thu Aug 17 13:06:34 2000
+++ sshd.c	Fri Feb  9 11:19:08 2001
@@@@ -49,6 +49,12 @@@@
 int deny_severity = LOG_WARNING;
 #endif /* LIBWRAP */
 
+#ifdef __FreeBSD__
+#include <libutil.h>
+#include <syslog.h>
+#include <time.h>
+#endif /* __FreeBSD__ */
+
 #ifndef O_NOCTTY
 #define O_NOCTTY	0
 #endif
@


1.12
log
@Add patch to deal with possible remote root exploit found by
Michal Zalewski of the Bindview RAZOR Team, and some patches to hopefully
deal with compilation on older versions of FreeBSD.

Submitted by:	alfred
@
text
@@


1.11
log
@Update to OpenSSH 2.2.0.  This is an end-of-life update for the
ports-based OpenSSH.  OpenSSH has been in the base system for more
than long enough to justify not having to maintain two separate
FreeBSD versions of OpenSSH.
@
text
@d1 3
a3 3
--- sshd.c.orig	Wed May  3 19:21:49 2000
+++ sshd.c	Fri May 12 07:11:43 2000
@@@@ -49,6 +49,13 @@@@
a8 1
+#include <poll.h>
@


1.10
log
@Update to OpenSSH 2.1.0.  They _FINALLY_ have distfiles, so now the CVS is
not needed for the port.

Big thanks to Issei-san for doing the majority of the work necessary for
this upgrade!

Submitted by:	Issei Suzuki <issei@@jp.FreeBSD.org>
@
text
@a16 101
@@@@ -134,6 +141,32 @@@@
 unsigned char *session_id2 = NULL;
 int session_id2_len = 0;
 
+/* These are used to implement connections_per_period. */
+struct magic_connection {
+		struct timeval connections_begin;
+		unsigned int connections_this_period;
+} *magic_connections;
+/* Magic number, too!  TODO: this doesn't have to be static. */
+const size_t MAGIC_CONNECTIONS_SIZE = 1;
+
+static __inline int
+magic_hash(struct sockaddr_storage *sa) {
+
+	return 0;
+}
+
+static __inline struct timeval
+timevaldiff(struct timeval *tv1, struct timeval *tv2) {
+	struct timeval diff;
+	int carry;
+
+	carry = tv1->tv_usec > tv2->tv_usec;
+	diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1);
+	diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0);
+
+	return diff;
+}
+
 /* Prototypes for various functions defined later in this file. */
 void do_ssh1_kex();
 void do_ssh2_kex();
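Review bot: timevaldiff applies the microsecond borrow to tv_sec inverted, so every result is off by exactly one second: with tv1 = 10.0 s and tv2 = 20.0 s, carry is 0 and tv_sec becomes 20 - 10 - 1 = 9, while with tv1 = 10.5 s and tv2 = 20.0 s carry is 1 and the result is 10.5 s instead of 9.5 s. The fix is to subtract the borrow only when it occurs, `diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 1 : 0);`, or to call timersub(3), which does exactly that. Because the accept loop compares this value against options.connections_period, the limiter's window is currently a second longer or shorter than configured depending on the microsecond phase of the two timestamps. Separately, magic_hash ignores its argument and always returns 0, and with MAGIC_CONNECTIONS_SIZE at 1 every peer shares a single counter, so the comment above the table should state plainly that the limit is global rather than per source address — one peer's burst causes connections from every other address to be dropped until the window slides — rather than only noting that the size "doesn't have to be static".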
@@@@ -418,6 +451,7 @@@@
 	int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, on = 1;
 	pid_t pid;
 	socklen_t fromlen;
+ 	int connections_per_period_exceeded = 0;
 	int silent = 0;
 	fd_set *fdset;
 	struct sockaddr_storage from;
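Review bot: The added `int connections_per_period_exceeded = 0;` is indented with a space followed by a tab, unlike the neighbouring declarations which use a single tab; the same space-before-tab appears on the added `login_close(lc);` in the -2383 hunk of revision 1.8. Plain tab indentation keeps the patch style(9)-clean, which the 1.4 log says was the intent.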
@@@@ -763,6 +797,12 @@@@
 		fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask);
 		fdset = (fd_set *)xmalloc(fdsetsz);
 
+		/* Initialize the magic_connections table.  It's magical! */
+		magic_connections = calloc(MAGIC_CONNECTIONS_SIZE,
+		    sizeof(struct magic_connection));
+		if (magic_connections == NULL)
+			fatal("calloc: %s", strerror(errno));
+
 		/*
 		 * Stay listening for connections until the system crashes or
 		 * the daemon is killed with a signal.
@@@@ -794,9 +834,31 @@@@
 				error("newsock del O_NONBLOCK: %s", strerror(errno));
 				continue;
 			}
+			if (options.connections_per_period != 0) {
+				struct timeval diff, connections_end;
+				struct magic_connection *mc;
+
+				(void)gettimeofday(&connections_end, NULL);
+				mc = &magic_connections[magic_hash(&from)];
+				diff = timevaldiff(&mc->connections_begin, &connections_end);
+				if (diff.tv_sec >= options.connections_period) {
+					/*
+					 * Slide the window forward only after completely
+					 * leaving it.
+					 */
+					mc->connections_begin = connections_end;
+					mc->connections_this_period = 1;
+				} else {
+					if (++mc->connections_this_period >
+					    options.connections_per_period)
+						connections_per_period_exceeded = 1;
+				}
+			}
+					
 			/*
-			 * Got connection.  Fork a child to handle it, unless
-			 * we are in debugging mode.
+			 * Got connection.  Fork a child to handle it unless
+			 * we are in debugging mode or the maximum number of
+			 * connections per period has been exceeded.
 			 */
 			if (debug_flag) {
 				/*
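Review bot: With options.connections_period set to 0 the window test `diff.tv_sec >= options.connections_period` is true on every connection (barring a backwards clock step), so the counter is reset to 1 each time and the limit can never be exceeded; unless servconf.c rejects a zero period (not visible here), the outer condition should be `if (options.connections_per_period != 0 && options.connections_period != 0) {` and the comment should say that both values must be nonzero for limiting to take effect. A backwards step of the system clock has the opposite effect: diff goes negative, the window never slides, and every connection is counted against the old window until the clock passes connections_begin plus the period again, which is worth a one-line comment on the timevaldiff call so that a future change to a monotonic clock source is not seen as cosmetic.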
@@@@ -810,6 +872,12 @@@@
 				sock_out = newsock;
 				pid = getpid();
 				break;
+			} else if (connections_per_period_exceeded) {
+				log("Connection rate limit of %u/%us has been exceeded; "
+				    "dropping connection from %s.",
+				    options.connections_per_period, options.connections_period,
+				    ntop);
+				connections_per_period_exceeded = 0;
 			} else {
 				/*
 				 * Normal production daemon.  Fork, and have
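Review bot: The rate-limited branch logs and clears the flag but does not itself close newsock; whether the descriptor is released depends on where the parent's close(newsock) sits in the code after this hunk (the else branch continues outside it). If that close is inside the else branch, every rejected connection leaks a descriptor in the listening process, so a burst could exhaust the daemon's descriptor table — the opposite of what the limiter is for — and the branch should close it explicitly with `close(newsock);` right after the log call. If the close is already shared below the if/else chain, a comment `/* newsock is closed below, together with the forked case */` would save the next reader the same check. The `%u` conversions also assume both option fields are unsigned int, which this hunk does not show; confirm against servconf.h.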
@


1.9
log
@Upgrade to version 1.2.3 with a CVS of a few hours ago.  New stuff in
this release is mostly the support for lots of ssh2.  Note that SSH2 is
not fully supported here yet, but it's mostly there; see README.openssh2.
@
text
@d1 3
a3 3
--- sshd.c.orig	Thu Apr 20 17:11:24 2000
+++ sshd.c	Thu Apr 20 17:17:12 2000
@@@@ -48,6 +48,13 @@@@
d17 3
a19 3
@@@@ -128,6 +135,32 @@@@
 /* session identifier, used by RSA-auth */
 unsigned char session_id[16];
d50 1
a50 1
@@@@ -395,6 +428,7 @@@@
d54 2
a55 2
+	int connections_per_period_exceeded = 0;
 	int silentrsa = 0;
d58 1
a58 1
@@@@ -709,6 +743,12 @@@@
d71 1
a71 1
@@@@ -740,9 +780,31 @@@@
d105 1
a105 1
@@@@ -756,6 +818,12 @@@@
@


1.8
log
@Fix a coredump-y bug that crept in recently.
@
text
@d1 3
a3 12
--- sshd.c.orig	Fri Jan  7 01:32:03 2000
+++ sshd.c	Fri Jan  7 01:40:05 2000
@@@@ -26,6 +26,8 @@@@
 #include "servconf.h"
 #include "uidswap.h"
 #include "compat.h"
+#include <poll.h>
+#include <time.h>
 
 #ifdef LIBWRAP
 #include <tcpd.h>
@@@@ -34,6 +36,16 @@@@
d9 1
d11 1
a11 1
+#define	LOGIN_CAP
a13 4
+#ifdef LOGIN_CAP
+#include <login_cap.h>
+#endif /* LOGIN_CAP */
+
d17 3
a19 3
@@@@ -128,6 +140,32 @@@@
    the private key. */
 RSA *public_key;
d48 5
a52 5
 void do_connection();
 void do_authentication(char *user);
@@@@ -301,6 +339,7 @@@@
 	extern int optind;
 	int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, pid, on = 1;
d54 1
a54 2
+ 	int connections_per_period_exceeded = 0;
 	int remote_major, remote_minor;
d57 4
a60 3
@@@@ -620,6 +659,12 @@@@
 		fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask);         
 		fdset = (fd_set *)xmalloc(fdsetsz);                                  
d71 1
a71 1
@@@@ -651,9 +696,31 @@@@
d105 1
a105 1
@@@@ -667,6 +734,12 @@@@
a117 232
@@@@ -1152,6 +1225,14 @@@@
 				return 0;
 		}
 	}
+	/* Fail if the account's expiration time has passed. */
+	if (pw->pw_expire != 0) {
+		struct timeval tv;
+
+		(void)gettimeofday(&tv, NULL);
+		if (tv.tv_sec >= pw->pw_expire)
+			return 0;
+	}
 	/* We found no reason not to let this user try to log on... */
 	return 1;
 }
@@@@ -1187,6 +1268,9 @@@@
 	pwcopy.pw_gid = pw->pw_gid;
 	pwcopy.pw_dir = xstrdup(pw->pw_dir);
 	pwcopy.pw_shell = xstrdup(pw->pw_shell);
+	pwcopy.pw_class = xstrdup(pw->pw_class);
+	pwcopy.pw_expire = pw->pw_expire;
+	pwcopy.pw_change = pw->pw_change;
 	pw = &pwcopy;
 
 	/*
@@@@ -1983,6 +2067,10 @@@@
 	struct sockaddr_storage from;
 	socklen_t fromlen;
 	struct pty_cleanup_context cleanup_context;
+#ifdef LOGIN_CAP
+	login_cap_t *lc;
+	char *fname;
+#endif /* LOGIN_CAP */
 
 	/* Get remote host name. */
 	hostname = get_canonical_hostname();
@@@@ -2047,6 +2135,12 @@@@
 		/* Check if .hushlogin exists. */
 		snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir);
 		quiet_login = stat(line, &st) >= 0;
+#ifdef LOGIN_CAP
+		lc = login_getpwclass(pw);
+		if (lc == NULL)
+			lc = login_getclassbyname(NULL, pw);
+		quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
+#endif /* LOGIN_CAP */
 
 		/*
 		 * If the user has logged in before, display the time of last
@@@@ -2070,6 +2164,20 @@@@
 			else
 				printf("Last login: %s from %s\r\n", time_string, buf);
 		}
+#ifdef LOGIN_CAP
+		if (command == NULL && !quiet_login && !options.use_login) {
+			fname = login_getcapstr(lc, "copyright", NULL, NULL);
+			if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+				while (fgets(line, sizeof(line), f) != NULL)
+					fputs(line, stdout);
+				fclose(f);
+			} else
+				(void)printf("%s\n\t%s %s\n",
+		"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+		    "The Regents of the University of California. ",
+		    "All rights reserved.");
+		}
+#endif /* LOGIN_CAP */
 		/*
 		 * Print /etc/motd unless a command was specified or printing
 		 * it was disabled in server options or login(1) will be
@@@@ -2078,14 +2186,22 @@@@
 		 */
 		if (command == NULL && options.print_motd && !quiet_login &&
 		    !options.use_login) {
-			/* Print /etc/motd if it exists. */
+#ifdef LOGIN_CAP
+			fname = login_getcapstr(lc, "welcome", NULL, NULL);
+			login_close(lc);
+			if (fname == NULL || (f = fopen(fname, "r")) == NULL)
+				f = fopen("/etc/motd", "r");
+#else /* LOGIN_CAP */
 			f = fopen("/etc/motd", "r");
+#endif /* LOGIN_CAP */
+			/* Print /etc/motd if it exists. */
 			if (f) {
 				while (fgets(line, sizeof(line), f))
 					fputs(line, stdout);
 				fclose(f);
 			}
 		}
+
 		/* Do common processing for the child, such as execing the command. */
 		do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
 		/* NOTREACHED */
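Review bot: `login_close(lc)` is only reached inside the motd condition, so when a command was given, print_motd is off, or hushlogin is set, the login_cap handle opened earlier in do_login is never released; do_child follows immediately and the process execs, so the leak is bounded, but the close belongs unconditionally after the motd block rather than inside it. Remove the `login_close(lc);` from the motd branch and add it, inside its own `#ifdef LOGIN_CAP`, just before the do_child call. Note also that if both login_getpwclass and login_getclassbyname failed, lc is NULL at the login_getcapstr calls; the libutil getters return their default for a NULL handle as far as I recall, but that assumption should be recorded in a comment where lc is obtained.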
@@@@ -2221,7 +2337,8 @@@@
 	 const char *display, const char *auth_proto,
 	 const char *auth_data, const char *ttyname)
 {
-	const char *shell, *cp = NULL;
+	char *shell;
+	const char *cp = NULL;
 	char buf[256];
 	FILE *f;
 	unsigned int envsize, i;
@@@@ -2229,15 +2346,34 @@@@
 	extern char **environ;
 	struct stat st;
 	char *argv[10];
+#ifdef LOGIN_CAP
+	login_cap_t *lc;
+
+	lc = login_getpwclass(pw);
+	if (lc == NULL)
+		lc = login_getclassbyname(NULL, pw);
+#endif /* LOGIN_CAP */
 
 	f = fopen("/etc/nologin", "r");
+#ifdef __FreeBSD__
+	if (f == NULL)
+		f = fopen("/var/run/nologin", "r");
+#endif /* __FreeBSD__ */
 	if (f) {
 		/* /etc/nologin exists.  Print its contents and exit. */
-		while (fgets(buf, sizeof(buf), f))
-			fputs(buf, stderr);
-		fclose(f);
-		if (pw->pw_uid != 0)
-			exit(254);
+#ifdef LOGIN_CAP
+		/* On FreeBSD, etc., allow overriding nologin via login.conf. */
+		if (!login_getcapbool(lc, "ignorenologin", 0)) {
+#else /* LOGIN_CAP */
+		if (1) {
+#endif /* LOGIN_CAP */
+			while (fgets(buf, sizeof(buf), f))
+				fputs(buf, stderr);
+			fclose(f);
+			if (pw->pw_uid != 0)
+				exit(254);
+		}
+
 	}
 	/* Set login name in the kernel. */
 	if (setlogin(pw->pw_name) < 0)
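Review bot: `fclose(f)` sits inside the ignorenologin-guarded block, so a login class with `ignorenologin` set leaves the nologin stream open for the rest of do_child; the later close-all-descriptors loop drops the fd, but the FILE object itself is never released. Keep the fgets loop and the `exit(254)` in the inner block and place `fclose(f);` after the inner `if`'s closing brace, before the outer block ends; `exit(254)` flushes and closes streams itself, so nothing changes on the exit path. The `/var/run/nologin` fallback deserves a one-line comment saying it is the file shutdown(8) creates, since that is why it is checked second.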
@@@@ -2247,6 +2383,13 @@@@
 	/* Login(1) does this as well, and it needs uid 0 for the "-h"
 	   switch, so we let login(1) to this for us. */
 	if (!options.use_login) {
+#ifdef LOGIN_CAP
+		if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY |
+		    LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) {
+			perror("setclasscontext");
+			exit(1);
+		}
+#endif /* LOGIN_CAP */
 		if (getuid() == 0 || geteuid() == 0) {
 			if (setgid(pw->pw_gid) < 0) {
 				perror("setgid");
@@@@ -2269,7 +2412,14 @@@@
 	 * Get the shell from the password data.  An empty shell field is
 	 * legal, and means /bin/sh.
 	 */
+#ifdef LOGIN_CAP
+	shell = pw->pw_shell;
+	shell = login_getcapstr(lc, "shell", shell, shell);
+	if (shell[0] == '\0')
+		shell = _PATH_BSHELL;
+#else /* LOGIN_CAP */
 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
+#endif /* LOGIN_CAP */
 
 #ifdef AFS
 	/* Try to get AFS tokens for the local cell. */
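Review bot: `shell` now may point at a string obtained from login_getcapstr, and it is used for the exec after `login_close(lc)` in the -2383 hunk of this patch; on FreeBSD login_getcapstr returns storage from cgetstr(3) that login_close does not free, so the pointer stays valid, but that is a libutil implementation detail rather than a documented contract. A comment at this assignment such as `/* string from login_getcapstr outlives login_close(lc); see libutil */` records the assumption, or copy it with xstrdup to remove the dependency. The LOGIN_CAP branch also drops the const the old declaration had; the earlier hunk changed `const char *shell` to `char *shell` for this call, which is worth a short why-comment there.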
@@@@ -2293,7 +2443,12 @@@@
 		child_set_env(&env, &envsize, "USER", pw->pw_name);
 		child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+#ifdef LOGIN_CAP
+		child_set_env(&env, &envsize, "PATH",
+		    login_getpath(lc, "path", _PATH_STDPATH));
+#else /* LOGIN_CAP */
 		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+#endif /* LOGIN_CAP */
 
 		snprintf(buf, sizeof buf, "%.200s/%.50s",
 			 _PATH_MAILDIR, pw->pw_name);
@@@@ -2383,13 +2538,17 @@@@
 	 */
 	endpwent();
 
+#ifdef LOGIN_CAP
+ 	login_close(lc);
+#endif /* LOGIN_CAP */
+
 	/*
 	 * Close any extra open file descriptors so that we don\'t have them
 	 * hanging around in clients.  Note that we want to do this after
 	 * initgroups, because at least on Solaris 2.3 it leaves file
 	 * descriptors open.
 	 */
-	for (i = 3; i < 64; i++)
+	for (i = 3; i < getdtablesize(); i++)
 		close(i);
 
 	/* Change current directory to the user\'s home directory. */
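Review bot: `getdtablesize()` is re-evaluated on every iteration of the close loop although it is loop-invariant; read it once, `int maxfd = getdtablesize();` and `for (i = 3; i < maxfd; i++)`, and note that `i` is declared `unsigned int` in do_child's declarations (the -2221 hunk), so the comparison mixes signedness — declaring the bound with the same type as `i` keeps it clean. The change from the magic 64 is a good fix, since a larger table previously left descriptors 64 and up open in the user's session, and that reasoning belongs in a one-line comment on the loop. The enclosing do_child body continues well outside this hunk.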
@@@@ -2408,6 +2567,26 @@@@
 	 * in this order).
 	 */
 	if (!options.use_login) {
+#ifdef __FreeBSD__
+		/*
+		 * If the password change time is set and has passed, give the
+		 * user a password expiry notice and chance to change it.
+		 */
+		if (pw->pw_change != 0) {
+			struct timeval tv;
+
+			(void)gettimeofday(&tv, NULL);
+			if (tv.tv_sec >= pw->pw_change) {
+				(void)printf(
+				    "Sorry -- your password has expired.\n");
+				syslog(LOG_INFO,
+				    "%s Password expired - forcing change",
+				    pw->pw_name);
+				if (system("/usr/bin/passwd") != 0)
+					perror("/usr/bin/passwd");
+			}
+		}
+#endif /* __FreeBSD__ */
 		if (stat(SSH_USER_RC, &st) >= 0) {
 			if (debug_flag)
 				fprintf(stderr, "Running /bin/sh %s\n", SSH_USER_RC);
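Review bot: The syslog text says the change is being forced, but the code only attempts it: if /usr/bin/passwd exits non-zero or the user interrupts it, the failure is reported with perror and the session continues with the expired password, so the expiry is a notice rather than an enforcement; either the comment and the log message should say so, or the failure path should end the session with `exit(1);` after the perror. The block is also not gated on `command == NULL`, unlike the motd code earlier in this patch, so a non-interactive session (scp, a remote command) with an expired password spawns passwd on a channel with no terminal and will most likely fail or hang there; adding `command == NULL &&` to the condition matches the interactive-only intent. Using system() here runs /bin/sh with the environment assembled for the user; that happens after the uid/gid switch earlier in do_child (setgid is visible in the -2247 hunk, the setuid is outside these hunks), so it executes with the user's privileges only, and a comment stating that ordering dependency would protect it from a later reordering.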
@


1.7
log
@Update to a more current OpenSSH, including...

	IPv6 support!!

Thank you very much, Sumikawa san.

Submitted by:	Munechika SUMIKAWA <sumikawa@@ebina.hitachi.co.jp>
@
text
@d42 1
a42 1
+magic_hash(struct sockaddr *sa) {
d92 1
a92 1
+				mc = &magic_connections[magic_hash(ai->ai_addr)];
@


1.6
log
@I've cleaned up ${CVS_DATE} usage a bit (keep spaces correctly), and
updated to today's snapshot of OpenSSH.

Various updates from the latest ${CVS_DATE}, and requisite patch
changes, are the "big new thing".  Nothing major has changed;  the
biggest ones would be using atomicio() in a lot of places and a
fix for a SIGHUP not updating sshd(8)'s configuration until the
next connection.
@
text
@d1 3
a3 3
--- sshd.c.orig	Tue Dec  7 22:56:55 1999
+++ sshd.c	Tue Dec  7 22:58:36 1999
@@@@ -24,6 +24,8 @@@@
d12 1
a12 1
@@@@ -32,6 +34,16 @@@@
d29 1
a29 1
@@@@ -118,6 +130,32 @@@@
d42 1
a42 1
+magic_hash(struct sockaddr_in *sin) {
d62 1
a62 2
@@@@ -278,6 +316,7 @@@@
 	extern char *optarg;
d64 3
a66 2
 	int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1;
+	int connections_per_period_exceeded = 0;
d69 4
a72 4
 	struct pollfd fds;
@@@@ -543,6 +582,12 @@@@
 		/* Arrange SIGCHLD to be caught. */
 		signal(SIGCHLD, main_sigchld_handler);
d83 2
a84 2
@@@@ -572,9 +617,31 @@@@
 				error("accept: %.100s", strerror(errno));
d92 1
a92 1
+				mc = &magic_connections[magic_hash(&sin)];
d117 1
a117 1
@@@@ -588,6 +655,12 @@@@
d125 1
a125 1
+				    inet_ntoa(sin.sin_addr));
d130 1
a130 1
@@@@ -1065,6 +1138,14 @@@@
d145 1
a145 1
@@@@ -1100,6 +1181,9 @@@@
d155 3
a157 3
@@@@ -1889,6 +1973,10 @@@@
 	struct sockaddr_in from;
 	int fromlen;
d166 1
a166 1
@@@@ -1953,6 +2041,12 @@@@
d179 1
a179 1
@@@@ -1976,6 +2070,20 @@@@
d200 1
a200 1
@@@@ -1984,14 +2092,22 @@@@
d224 1
a224 1
@@@@ -2127,7 +2243,8 @@@@
d234 1
a234 1
@@@@ -2135,15 +2252,34 @@@@
d274 1
a274 1
@@@@ -2153,6 +2289,13 @@@@
d288 1
a288 1
@@@@ -2175,7 +2318,14 @@@@
d303 1
a303 1
@@@@ -2199,7 +2349,12 @@@@
d316 1
a316 1
@@@@ -2289,6 +2444,9 @@@@
d319 1
a319 1
 	endhostent();
d321 1
a321 1
+	login_close(lc);
d323 1
a323 1
 
d326 1
a326 1
@@@@ -2296,7 +2454,7 @@@@
d335 1
a335 1
@@@@ -2315,6 +2473,26 @@@@
@


1.5
log
@In the meantime (while things are being worked and decided on on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources.  In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
   So here we are, rate-limiting.  The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
   More work in this area is being done by alfred@@FreeBSD.org and
markus@@OpenBSD.org, at the very least.  This is, essentially, a
stopgap solution;  however, it is a properly implemented and documented
one, and has an easily modifiable framework.
@
text
@d1 3
a3 3
--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.c	Sun Nov 28 16:50:26 1999
+++ sshd.c	Mon Dec  6 00:54:51 1999
@@@@ -24,6 +24,7 @@@@
d7 1
d12 1
a12 1
@@@@ -32,6 +33,16 @@@@
d29 1
a29 1
@@@@ -118,6 +129,32 @@@@
d62 1
a62 1
@@@@ -278,6 +315,7 @@@@
d69 2
a70 2
 	struct sockaddr_in sin;
@@@@ -542,6 +580,12 @@@@
d83 1
a83 1
@@@@ -560,9 +604,31 @@@@
d117 1
a117 1
@@@@ -576,6 +642,12 @@@@
d130 1
a130 1
@@@@ -1048,6 +1120,14 @@@@
d145 1
a145 1
@@@@ -1083,6 +1163,9 @@@@
d155 1
a155 1
@@@@ -1871,6 +1954,10 @@@@
d166 1
a166 1
@@@@ -1935,6 +2022,12 @@@@
d179 1
a179 1
@@@@ -1958,6 +2051,20 @@@@
d200 1
a200 1
@@@@ -1966,14 +2073,22 @@@@
d224 1
a224 1
@@@@ -2109,7 +2224,8 @@@@
d234 1
a234 1
@@@@ -2117,15 +2233,34 @@@@
d274 1
a274 1
@@@@ -2135,6 +2270,13 @@@@
d288 1
a288 1
@@@@ -2157,7 +2299,14 @@@@
d303 1
a303 1
@@@@ -2181,7 +2330,12 @@@@
d316 1
a316 1
@@@@ -2271,6 +2425,9 @@@@
d326 1
a326 1
@@@@ -2278,7 +2435,7 @@@@
d335 1
a335 1
@@@@ -2297,6 +2454,26 @@@@
@


1.4
log
@Update to a current CVS_DATE.  The only real change I see is the (big)
change of KNFization being finalized :)

Patches had to be modified, but should look "better" according to
style(9), now.
@
text
@d2 10
a11 2
+++ sshd.c	Sun Nov 28 17:22:27 1999
@@@@ -32,6 +32,16 @@@@
d28 102
a129 1
@@@@ -1048,6 +1058,14 @@@@
d144 1
a144 1
@@@@ -1083,6 +1101,9 @@@@
d154 1
a154 1
@@@@ -1871,6 +1892,10 @@@@
d165 1
a165 1
@@@@ -1935,6 +1960,12 @@@@
d178 1
a178 1
@@@@ -1958,6 +1989,20 @@@@
d199 1
a199 1
@@@@ -1966,14 +2011,22 @@@@
d223 11
a233 1
@@@@ -2117,15 +2170,34 @@@@
d273 1
a273 1
@@@@ -2135,6 +2207,13 @@@@
d287 1
a287 1
@@@@ -2157,7 +2236,14 @@@@
d302 1
a302 1
@@@@ -2181,7 +2267,12 @@@@
d315 1
a315 1
@@@@ -2271,6 +2362,9 @@@@
d325 1
a325 1
@@@@ -2278,7 +2372,7 @@@@
d334 1
a334 1
@@@@ -2297,6 +2391,26 @@@@
@


1.3
log
@Update the CVS_DATE.  This brings in support for TIS authentication,
obsoleting a couple patches (it's the same code, though, except for
additions).

This also brings in KNFization of everything (please hold the cheering
down :) and made me reroll all my patches.

My patches have been almost entirely rewritten.  The places are the
same, but the code's rewritten.  It fits with the style (KNF) now,
and looks better.

I've also added strlcat.c to the build, which, just like strlcpy.c, is
necessary for compatibility with older libcs.  After strlcat() snuck
into the OpenSSH code recently, this would prevent OpenSSH from
building on (e.g.) FreeBSD 3.2.  Adding it to ssh/lib/ makes it work
yet again :)
@
text
@d1 3
a3 3
--- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.c	Tue Nov 23 18:59:05 1999
+++ ./sshd.c	Tue Nov 23 20:33:18 1999
@@@@ -39,6 +39,16 @@@@
d20 1
a20 1
@@@@ -1008,6 +1018,14 @@@@
d28 3
a30 3
+	(void)gettimeofday(&tv, NULL);
+	if (tv.tv_sec >= pw->pw_expire)
+		return 0;
d35 1
a35 1
@@@@ -1042,6 +1060,9 @@@@
d44 2
a45 2
 	/* If we are not running as root, the user must have the same uid
@@@@ -1790,6 +1811,10 @@@@
d56 1
a56 1
@@@@ -1850,6 +1875,12 @@@@
d67 3
a69 3
 		/* If the user has logged in before, display the time of
 		   last login. However, don't display anything extra if a
@@@@ -1871,12 +1902,31 @@@@
d77 1
a77 1
+				while (fgets(line, sizeof(line), f))
d87 5
a91 4
 		/* Print /etc/motd unless a command was specified or
 		   printing it was disabled in server options or login(1)
 		   will be used.  Note that some machines appear to print
 		   it in /etc/profile or similar. */
d94 1
d99 3
d103 1
a103 2
 			/* Print /etc/motd if it exists. */
 			f = fopen("/etc/motd", "r");
d105 2
a106 1
@@@@ -1885,6 +1935,7 @@@@
d114 1
a114 1
@@@@ -2030,17 +2081,38 @@@@
a125 1
 	/* Check /etc/nologin. */
d132 1
a132 1
-		/* /etc/nologin exists.  Print its contents and exit. */
a137 2
-	}
+		/* /etc/nologin exists. */
d139 1
a139 4
+		/*
+		 * If the user doesn't have "ignorenologin" set, print
+		 * its contents and exit.
+		 */
d141 2
a148 3
+#ifdef LOGIN_CAP
+		}
+#endif /* LOGIN_CAP */
d150 2
d154 1
a154 2
 		error("setlogin failed: %s", strerror(errno));
@@@@ -2049,6 +2121,13 @@@@
d168 4
a171 4
@@@@ -2069,7 +2148,13 @@@@
 	}
 	/* Get the shell from the password data.  An empty shell field is
 	   legal, and means /bin/sh. */
d173 2
a174 1
+	shell = login_getcapstr(lc, "shell", pw->pw_shell, pw->pw_shell);
d183 1
a183 1
@@@@ -2094,7 +2179,12 @@@@
d196 2
a197 2
@@@@ -2189,13 +2279,35 @@@@
 	   later. */
d204 6
a209 4
 	/* Close any extra open file descriptors so that we don\'t have
 	   them hanging around in clients.  Note that we want to do this
 	   after initgroups, because at least on Solaris 2.3 it leaves
 	   file descriptors open. */
d213 6
a218 1
+
d220 6
a225 6
+	/*
+	 * If the password change time is set and has passed, give the
+	 * user a password expiry notice and chance to change it.
+	 */
+	if (pw->pw_change != 0) {
+		struct timeval tv;
d227 10
a236 7
+		(void)gettimeofday(&tv, NULL);
+		if (tv.tv_sec >= pw->pw_change) {
+			(void)printf("Sorry -- your password has expired.\n");
+			syslog(LOG_INFO, "%s Password expired - forcing change",
+			    pw->pw_name);
+			if (system("/usr/bin/passwd") != 0)
+				perror("/usr/bin/passwd");
a237 1
+	}
d239 3
a241 3
 
 	/* Change current directory to the user\'s home directory. */
 	if (chdir(pw->pw_dir) < 0)
@


1.2
log
@Thanks to those who replied!  The include (ssl versus openssl) transform
is now done in post-patch.

Submitted by:	Anton Berezin <tobez@@plab.ku.dk>, Christian Weisgerber <naddy@@unix-ag.uni-kl.de>
@
text
@d1 5
a5 11
diff -ru /home/green/ssh/rsa.h ./rsa.h
--- /home/green/ssh/rsa.h	Wed Sep 29 03:42:00 1999
+++ ./rsa.h	Mon Nov  8 00:06:40 1999
@@@@ -18,8 +18,8 @@@@
 #ifndef RSA_H
 #define RSA_H
 
-#include <ssl/bn.h>
-#include <ssl/rsa.h>
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
d7 226
a232 2
 /* Calls SSL RSA_generate_key, only copies to prv and pub */
 void rsa_generate_key(RSA *prv, RSA *pub, unsigned int bits);
@


1.1
log
@Initial revision
@
text
@@


1.1.1.1
log
@Say hello to OpenSSH!  It's more secure, has a better license, and
is actively maintained by members of the OpenBSD project.
@
text
@@
