head	1.10;
access;
symbols
	RELEASE_4_5_0:1.9
	RELEASE_4_4_0:1.9
	RELEASE_4_3_0:1.8
	RELEASE_4_2_0:1.8
	RELEASE_4_1_1:1.6
	RELEASE_4_1_0:1.6
	RELEASE_3_5_0:1.6
	RELEASE_4_0_0:1.4
	RELEASE_3_4_0:1.4
	openssh_1_2:1.1.1.1
	OPENBSD:1.1.1;
locks; strict;
comment	@# @;


1.10
date	2002.03.12.17.54.07;	author dinoex;	state dead;
branches;
next	1.9;

1.9
date	2001.06.08.08.03.26;	author dinoex;	state Exp;
branches;
next	1.8;

1.8
date	2000.11.14.04.51.10;	author green;	state Exp;
branches;
next	1.7;

1.7
date	2000.11.04.23.04.25;	author green;	state dead;
branches;
next	1.6;

1.6
date	2000.05.13.17.11.01;	author green;	state Exp;
branches;
next	1.5;

1.5
date	2000.04.20.22.24.18;	author green;	state Exp;
branches;
next	1.4;

1.4
date	99.12.06.06.32.22;	author green;	state Exp;
branches;
next	1.3;

1.3
date	99.11.24.03.36.22;	author green;	state dead;
branches;
next	1.2;

1.2
date	99.11.09.12.43.45;	author green;	state Exp;
branches;
next	1.1;

1.1
date	99.11.08.06.20.53;	author green;	state Exp;
branches
	1.1.1.1;
next	;

1.1.1.1
date	99.11.08.06.20.53;	author green;	state Exp;
branches;
next	;


desc
@@


1.10
log
@Rename Patches to make navigation much easier.
@
text
@--- clientloop.c.orig	Fri Apr 20 09:17:51 2001
+++ clientloop.c	Sat May 26 15:18:51 2001
@@@@ -1131,7 +1131,7 @@@@
 
 	if (strcmp(ctype, "forwarded-tcpip") == 0) {
 		c = client_request_forwarded_tcpip(ctype, rchan);
-	} else if (strcmp(ctype, "x11") == 0) {
+	} else if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
 		c = client_request_x11(ctype, rchan);
 	} else if (strcmp(ctype, "auth-agent@@openssh.com") == 0) {
 		c = client_request_agent(ctype, rchan);
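Review bot: When `options.forward_x11` is false the new condition simply falls through to the remaining `else if` branches and to whatever the chain's final else does, which lies outside the hunk; it is worth confirming that path leaves `c` NULL so the caller answers the server with a channel-open failure instead of leaving the request unanswered. The guard also deserves a one-line comment recording its purpose, e.g. `/* refuse x11 channel opens the client never requested */`, since the intent is a policy check rather than a parsing step. The same guard appears in the `@@ -1036,7 +1037,7 @@` hunk of revision 1.8's text and the same confirmation applies there. The enclosing function starts and ends outside this hunk.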
@


1.9
log
@- Update from OpenSSH 2.2.0 to OpenSSH 2.9
- Features:
  Possible use of sftp/sftp-server with older FreeBSD releases.
  Use a newer version independently from the Base system.
  Easier to test and fix possible security bugs.
- Bugs:
  build of pam_ssm.so isn't supported any more
  Any file named "cookie" can be deleted by this and any older "sshd"
  with X11 Forwarding.
@
text
@@


1.8
log
@Add the security fix for inability to actually deny ssh-agent or X11
forwarding requests.
@
text
@d1 3
a3 10
Index: clientloop.c
===================================================================
RCS file: /usr2/ncvs/src/crypto/openssh/clientloop.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 clientloop.c
--- clientloop.c	2000/09/10 08:29:25	1.1.1.3
+++ clientloop.c	2000/11/14 03:15:02
@@@@ -75,6 +75,8 @@@@
 #include "buffer.h"
 #include "bufaux.h"
d5 7
a11 39
+extern Options options;
+
 /* Flag indicating that stdin should be redirected from /dev/null. */
 extern int stdin_null_flag;
 
@@@@ -793,7 +795,6 @@@@
 int
 client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 {
-	extern Options options;
 	double start_time, total_time;
 	int len;
 	char buf[100];
@@@@ -1036,7 +1037,7 @@@@
 	debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
 	    ctype, rchan, rwindow, rmaxpack);
 
-	if (strcmp(ctype, "x11") == 0) {
+	if (strcmp(ctype, "x11") == 0 && options.forward_x11) {
 		int sock;
 		char *originator;
 		int originator_port;
@@@@ -1108,11 +1109,14 @@@@
 	dispatch_set(SSH_MSG_CHANNEL_OPEN_CONFIRMATION, &channel_input_open_confirmation);
 	dispatch_set(SSH_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure);
 	dispatch_set(SSH_MSG_PORT_OPEN, &channel_input_port_open);
-	dispatch_set(SSH_SMSG_AGENT_OPEN, &auth_input_open_request);
 	dispatch_set(SSH_SMSG_EXITSTATUS, &client_input_exit_status);
 	dispatch_set(SSH_SMSG_STDERR_DATA, &client_input_stderr_data);
 	dispatch_set(SSH_SMSG_STDOUT_DATA, &client_input_stdout_data);
-	dispatch_set(SSH_SMSG_X11_OPEN, &x11_input_open);
+
+	dispatch_set(SSH_SMSG_AGENT_OPEN, options.forward_agent ?
+	    &auth_input_open_request : NULL);
+	dispatch_set(SSH_SMSG_X11_OPEN, options.forward_x11 ?
+	    &x11_input_open : NULL);
 }
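Review bot: The two new `dispatch_set(..., NULL)` calls rely on the dispatcher treating a NULL table entry as an unexpected message; if `dispatch_run` (not in this patch) invokes the entry unconditionally, a server-sent SSH_SMSG_X11_OPEN or SSH_SMSG_AGENT_OPEN becomes a call through a NULL function pointer. Please confirm the NULL case in dispatch.c disconnects with a protocol error and record that assumption next to the calls, e.g. `/* NULL handler: dispatch_run must reject the message as a protocol error */`. This is presumably the intended behaviour, but nothing in the hunk shows it. The enclosing function begins outside the hunk.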
 void
 client_init_dispatch_15()
@


1.7
log
@Update to OpenSSH 2.2.0.  This is an end-of-life update for the
ports-based OpenSSH.  OpenSSH has been in the base system for more
than long enough to justify not having to maintain two separate
FreeBSD versions of OpenSSH.
@
text
@d1 15
a15 9
--- servconf.c.orig	Tue May  9 02:12:15 2000
+++ servconf.c	Fri May 12 07:13:13 2000
@@@@ -74,6 +74,8 @@@@
 	options->ciphers = NULL;
 	options->protocol = SSH_PROTO_UNKNOWN;
 	options->gateway_ports = -1;
+ 	options->connections_per_period = 0;
+ 	options->connections_period = 0;
 }
d17 11
a27 17
 void
@@@@ -172,7 +174,7 @@@@
 #ifdef SKEY
 	sSkeyAuthentication,
 #endif
-	sPasswordAuthentication, sListenAddress,
+	sPasswordAuthentication, sListenAddress, sConnectionsPerPeriod,
 	sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset,
 	sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail,
 	sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
@@@@ -231,6 +233,7 @@@@
 	{ "ciphers", sCiphers },
 	{ "protocol", sProtocol },
 	{ "gatewayports", sGatewayPorts },
+ 	{ "connectionsperperiod", sConnectionsPerPeriod },
 	{ NULL, 0 }
 };
d29 14
a42 18
@@@@ -340,7 +343,11 @@@@
 					filename, linenum);
 				exit(1);
 			}
-			value = atoi(cp);
+			if (sscanf(cp, " %d ", &value) != 1) {
+				fprintf(stderr, "%s line %d: invalid integer value.\n",
+					filename, linenum);
+				exit(1);
+			}
 			if (*intptr == -1)
 				*intptr = value;
 			break;
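Review bot: `sscanf(cp, " %d ", &value)` only establishes that an integer was found at the start of the token; the trailing whitespace directive matches zero or more characters, so a token such as `10x` still returns 1 and the trailing garbage is silently accepted, and a value outside `int` range is undefined behaviour for `%d`. `strtol` with an end-pointer and `errno` check gives the rejection the new error message promises; it needs `<errno.h>` and `<limits.h>` in scope. The enclosing `switch` and function start and end outside the hunk.
```c
			{
				char *ep;
				long lv;

				errno = 0;
				lv = strtol(cp, &ep, 10);
				if (ep == cp || *ep != '\0' || errno == ERANGE ||
				    lv < INT_MIN || lv > INT_MAX) {
					fprintf(stderr, "%s line %d: invalid integer value.\n",
						filename, linenum);
					exit(1);
				}
				value = (int)lv;
			}
			/* … unchanged: if (*intptr == -1) *intptr = value; break; … */
```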
@@@@ -584,6 +591,21 @@@@
 					    filename, linenum);
 				options->deny_groups[options->num_deny_groups++] = xstrdup(cp);
 			}
+			break;
d44 7
a50 16
+		case sConnectionsPerPeriod:
+			cp = strtok(NULL, WHITESPACE);
+			if (cp == NULL)
+				fatal("%.200s line %d: missing (>= 0) number argument.\n",
+					filename, linenum);
+			if (sscanf(cp, " %u/%u ", &options->connections_per_period,
+			    &options->connections_period) != 2)
+				fatal("%.200s line %d: invalid numerical argument(s).\n",
+				    filename, linenum);
+			if (options->connections_per_period != 0 &&
+			    options->connections_period == 0)
+				fatal("%.200s line %d: invalid connections period.\n",
+				    filename, linenum);
 			break;
 
 		case sCiphers:
@


1.6
log
@Update to OpenSSH 2.1.0.  They _FINALLY_ have distfiles, so now the CVS is
not needed for the port.

Big thanks to Issei-san for doing the majority of the work necessary for
this upgrade!

Submitted by:	Issei Suzuki <issei@@jp.FreeBSD.org>
@
text
@@


1.5
log
@Upgrade to version 1.2.3 with a CVS of a few hours ago.  New stuff in
this release is mostly the support for lots of ssh2.  Note that SSH2 is
not fully supported here yet, but it's mostly there; see README.openssh2.
@
text
@d1 3
a3 4
--- servconf.c.orig	Thu Apr 20 17:55:11 2000
+++ servconf.c	Thu Apr 20 18:00:08 2000
@@@@ -71,6 +71,8 @@@@
 	options->num_deny_groups = 0;
d6 3
a8 2
+	options->connections_per_period = 0;
+	options->connections_period = 0;
d12 1
a12 1
@@@@ -163,7 +165,7 @@@@
d21 1
a21 2
@@@@ -218,6 +220,7 @@@@
 	{ "denygroups", sDenyGroups },
d24 2
a25 1
+	{ "connectionsperperiod", sConnectionsPerPeriod },
d29 1
a29 1
@@@@ -327,7 +330,11 @@@@
d42 1
a42 1
@@@@ -551,6 +558,21 @@@@
@


1.4
log
@In the meantime (while things are being worked on and decided on the
OpenBSD OpenSSH front), add ConnectionsPerPeriod to prevent DoS via
running the system out of resources.  In reality, this wouldn't
be a full DoS, but would make a system slower, but this is a better
thing to do than let the system get loaded down.
   So here we are, rate-limiting.  The default settings are now:
Five connections are allowed to authenticate (and not be rejected) in
a period of ten seconds.
One minute is given for login grace time.
   More work in this area is being done by alfred@@FreeBSD.org and
markus@@OpenBSD.org, at the very least.  This is, essentially, a
stopgap solution;  however, it is a properly implemented and documented
one, and has an easily modifiable framework.
@
text
@d1 3
a3 5
--- servconf.c.orig	Sun Dec  5 01:48:12 1999
+++ servconf.c	Sun Dec  5 01:57:57 1999
@@@@ -63,6 +63,8 @@@@
 	options->num_deny_users = 0;
 	options->num_allow_groups = 0;
d5 2
d11 7
a17 2
 void 
@@@@ -161,7 +163,7 @@@@
d21 1
a21 8
-	sIgnoreUserKnownHosts
+	sIgnoreUserKnownHosts, sConnectionsPerPeriod
 } ServerOpCodes;
 
 /* Textual representation of the tokens. */
@@@@ -209,6 +211,7 @@@@
 	{ "denyusers", sDenyUsers },
 	{ "allowgroups", sAllowGroups },
d23 2
d29 1
a29 1
@@@@ -270,7 +273,11 @@@@
d42 2
a43 54
@@@@ -466,63 +473,65 @@@@
 
 		case sAllowUsers:
 			while ((cp = strtok(NULL, WHITESPACE))) {
-				if (options->num_allow_users >= MAX_ALLOW_USERS) {
-					fprintf(stderr, "%s line %d: too many allow users.\n",
-						filename, linenum);
-					exit(1);
-				}
+				if (options->num_allow_users >= MAX_ALLOW_USERS)
+					fatal("%.200s line %d: too many allow users.\n", filename,
+					    linenum);
 				options->allow_users[options->num_allow_users++] = xstrdup(cp);
 			}
 			break;
 
 		case sDenyUsers:
 			while ((cp = strtok(NULL, WHITESPACE))) {
-				if (options->num_deny_users >= MAX_DENY_USERS) {
-					fprintf(stderr, "%s line %d: too many deny users.\n",
-						filename, linenum);
-					exit(1);
-				}
+				if (options->num_deny_users >= MAX_DENY_USERS)
+					fatal("%.200s line %d: too many deny users.\n", filename,
+					    linenum);
 				options->deny_users[options->num_deny_users++] = xstrdup(cp);
 			}
 			break;
 
 		case sAllowGroups:
 			while ((cp = strtok(NULL, WHITESPACE))) {
-				if (options->num_allow_groups >= MAX_ALLOW_GROUPS) {
-					fprintf(stderr, "%s line %d: too many allow groups.\n",
-						filename, linenum);
-					exit(1);
-				}
+				if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
+					fatal("%.200s line %d: too many allow groups.\n", filename,
+					    linenum);
 				options->allow_groups[options->num_allow_groups++] = xstrdup(cp);
 			}
 			break;
 
 		case sDenyGroups:
 			while ((cp = strtok(NULL, WHITESPACE))) {
-				if (options->num_deny_groups >= MAX_DENY_GROUPS) {
-					fprintf(stderr, "%s line %d: too many deny groups.\n",
-						filename, linenum);
-					exit(1);
-				}
+				if (options->num_deny_groups >= MAX_DENY_GROUPS)
+					fatal("%.200s line %d: too many deny groups.\n", filename,
+					    linenum);
d46 2
a47 2
 			break;
 
d61 3
a63 26
+			break;
+
 		default:
-			fprintf(stderr, "%s line %d: Missing handler for opcode %s (%d)\n",
+			fatal("%.200s line %d: Missing handler for opcode %s (%d)\n",
 				filename, linenum, cp, opcode);
-			exit(1);
-		}
-		if (strtok(NULL, WHITESPACE) != NULL) {
-			fprintf(stderr, "%s line %d: garbage at end of line.\n",
-				filename, linenum);
-			exit(1);
 		}
+		if (strtok(NULL, WHITESPACE) != NULL)
+			fatal("%.200s line %d: garbage at end of line.\n", filename,
+			    linenum);
 	}
 	fclose(f);
-	if (bad_options > 0) {
-		fprintf(stderr, "%s: terminating, %d bad configuration options\n",
+	if (bad_options > 0)
+		fatal("%.200s: terminating, %d bad configuration options\n",
 			filename, bad_options);
-		exit(1);
-	}
 }
@


1.3
log
@Update the CVS_DATE.  This brings in support for TIS authentication,
obsoleting a couple patches (it's the same code, though, except for
additions).

This also brings in KNFization of everything (please hold the cheering
down :) and made me reroll all my patches.

My patches have been almost entirely rewritten.  The places are the
same, but the code's rewritten.  It fits with the style (KNF) now,
and looks better.

I've also added strlcat.c to the build, which, just like strlcpy.c, is
necessary for compatibility with older libcs.  After strlcat() snuck
into the OpenSSH code recently, this would prevent OpenSSH from
building on (e.g.) FreeBSD 3.2.  Adding it to ssh/lib/ makes it work
yet again :)
@
text
@d1 138
a138 36
--- ssh/Makefile.orig	Tue Oct 26 03:31:00 1999
+++ ssh/Makefile	Tue Nov  9 06:56:24 1999
@@@@ -2,22 +2,17 @@@@
 
 PROG=	ssh
 BINOWN=	root
+BINMODE=4555
 
-.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \
-	${MACHINE_ARCH} == "hppa")
-BINMODE=0000
-.else
-BINMODE?=4555
-.endif
-
-BINDIR=	/usr/bin
-MAN=	ssh.1
+BINDIR=	/bin
+MAN1=	ssh.1
 LINKS=	${BINDIR}/ssh ${BINDIR}/slogin
 MLINKS=	ssh.1 slogin.1
 
 SRCS=	ssh.c sshconnect.c log-client.c readconf.c clientloop.c
 
 .include <bsd.own.mk> # for AFS
+.include "../Makefile.inc"
 
 .if (${KERBEROS} == "yes")
 CFLAGS+= -DKRB4 -I/usr/include/kerberosIV
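Review bot: `BINMODE=4555` replaces the previous `BINMODE?=4555`, so the setuid-root bit on the installed ssh binary can no longer be overridden from make.conf or the command line, and the per-architecture `BINMODE=0000` exception is dropped with it. If the setuid install is meant to be the default rather than mandatory, keeping the conditional form, `BINMODE?=4555`, preserves the operator's ability to install ssh without the privilege. A short comment on why the binary is installed setuid would also help whoever next audits this Makefile.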
@@@@ -32,5 +27,5 @@@@
 
 .include <bsd.prog.mk>
 
-LDADD+=	-lutil -lz -lcrypto
+LDADD+=	-lutil -lz ${CRYPTOLIBS}
 DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ}
@


1.2
log
@Make various cleanups.  Note that I did not add RESTRICTED since this is
in no way cryptographically encumbered code.  The fact that it's
redistributed by me from freefall is completely coincidental.

Submitted by:	obrien, Christian Weisgerber <naddy@@unix-ag.uni-kl.de>
@
text
@@


1.1
log
@Initial revision
@
text
@d1 3
a3 6
diff -ru /home/green/ssh/ssh/Makefile ./ssh/Makefile
--- /home/green/ssh/ssh/Makefile	Tue Oct 26 03:31:00 1999
+++ ./ssh/Makefile	Mon Nov  8 00:13:55 1999
@@@@ -10,14 +10,15 @@@@
 BINMODE?=4555
 .endif
d5 11
d30 1
a30 1
@@@@ -32,5 +33,5 @@@@
@


1.1.1.1
log
@Say hello to OpenSSH!  It's more secure, has a better license, and
is actively maintained by members of the OpenBSD project.
@
text
@@
