head	1.27;
access;
symbols
	RELEASE_7_4_0:1.26
	RELEASE_8_2_0:1.26
	RELEASE_6_EOL:1.26
	RELEASE_8_1_0:1.26
	RELEASE_7_3_0:1.26
	RELEASE_8_0_0:1.26
	RELEASE_7_2_0:1.26
	RELEASE_7_1_0:1.26
	RELEASE_6_4_0:1.26
	RELEASE_5_EOL:1.26
	RELEASE_7_0_0:1.26
	RELEASE_6_3_0:1.26
	PRE_XORG_7:1.26
	RELEASE_4_EOL:1.26
	RELEASE_6_2_0:1.26
	RELEASE_6_1_0:1.26
	RELEASE_5_5_0:1.26
	RELEASE_6_0_0:1.26
	RELEASE_5_4_0:1.26
	RELEASE_4_11_0:1.26
	RELEASE_5_3_0:1.26
	RELEASE_4_10_0:1.26
	RELEASE_5_2_1:1.26
	RELEASE_5_2_0:1.26
	RELEASE_4_9_0:1.26
	RELEASE_5_1_0:1.26
	RELEASE_4_8_0:1.26
	RELEASE_5_0_0:1.26
	RELEASE_4_7_0:1.26
	RELEASE_4_6_2:1.23
	RELEASE_4_6_1:1.23
	ssh_1_2_33:1.26
	ssh_1_2_32:1.26
	ssh_1_2_31:1.26
	ssh_1_2_30:1.25
	ssh_1_2_29:1.25
	ssh_1_2_28:1.24
	ssh_1_2_27:1.23
	RELEASE_4_6_0:1.23
	RELEASE_5_0_DP1:1.23
	RELEASE_4_5_0:1.23
	RELEASE_4_4_0:1.23
	RELEASE_4_3_0:1.23
	RELEASE_4_2_0:1.23
	RELEASE_4_1_1:1.23
	RELEASE_4_1_0:1.23
	RELEASE_3_5_0:1.23
	RELEASE_4_0_0:1.23
	RELEASE_3_4_0:1.22
	RELEASE_3_3_0:1.22
	RELEASE_3_2_0:1.21
	RELEASE_3_1_0:1.21
	RELEASE_2_2_8:1.21
	RELEASE_3_0_0:1.21
	RELEASE_2_2_7:1.21
	RELEASE_2_2_6:1.20
	RELEASE_2_2_5:1.17
	RELEASE_2_2_1:1.10
	RELEASE_2_2_2:1.16;
locks; strict;
comment	@# @;


1.27
date	2011.05.01.20.14.19;	author bapt;	state dead;
branches;
next	1.26;

1.26
date	2002.06.29.21.31.50;	author obrien;	state Exp;
branches;
next	1.25;

1.25
date	2002.06.29.21.21.55;	author obrien;	state Exp;
branches;
next	1.24;

1.24
date	2002.06.29.18.13.36;	author obrien;	state Exp;
branches;
next	1.23;

1.23
date	2000.01.14.19.37.34;	author torstenb;	state Exp;
branches;
next	1.22;

1.22
date	99.06.15.20.13.55;	author sada;	state Exp;
branches;
next	1.21;

1.21
date	98.06.12.07.55.13;	author dima;	state Exp;
branches;
next	1.20;

1.20
date	98.01.22.13.37.55;	author ache;	state Exp;
branches;
next	1.19;

1.19
date	98.01.22.12.04.15;	author ache;	state Exp;
branches;
next	1.18;

1.18
date	98.01.20.23.50.15;	author imp;	state Exp;
branches;
next	1.17;

1.17
date	97.06.11.11.09.00;	author ache;	state Exp;
branches;
next	1.16;

1.16
date	97.05.10.19.03.09;	author davidn;	state Exp;
branches;
next	1.15;

1.15
date	97.05.02.20.20.49;	author ache;	state Exp;
branches;
next	1.14;

1.14
date	97.04.25.05.01.05;	author peter;	state Exp;
branches;
next	1.13;

1.13
date	97.04.16.21.07.36;	author ache;	state Exp;
branches;
next	1.12;

1.12
date	97.04.16.19.48.26;	author ache;	state Exp;
branches;
next	1.11;

1.11
date	97.03.28.23.30.33;	author ache;	state Exp;
branches;
next	1.10;

1.10
date	97.02.27.00.44.32;	author ache;	state Exp;
branches;
next	1.9;

1.9
date	96.11.12.01.47.39;	author ache;	state Exp;
branches;
next	1.8;

1.8
date	96.11.12.00.13.38;	author ache;	state Exp;
branches;
next	1.7;

1.7
date	96.10.24.23.46.12;	author ache;	state dead;
branches;
next	1.6;

1.6
date	96.10.16.04.56.07;	author ache;	state Exp;
branches;
next	1.5;

1.5
date	96.07.18.11.33.46;	author torstenb;	state Exp;
branches;
next	1.4;

1.4
date	96.07.16.00.33.17;	author ache;	state Exp;
branches;
next	1.3;

1.3
date	96.06.07.04.33.25;	author peter;	state Exp;
branches;
next	1.2;

1.2
date	96.02.07.05.35.16;	author pst;	state Exp;
branches;
next	1.1;

1.1
date	96.02.06.02.57.10;	author pst;	state Exp;
branches;
next	;


desc
@@


1.27
log
@Remove unmaintained expired ports from security

2011-05-01 security/aafid2: Upstream disappeared and distfile is no longer available
2011-05-01 security/bjorb: Upstream disappeared and distfile is no longer available
2011-05-01 security/borzoi: Upstream disappeared and distfile is no longer available
2011-05-01 security/cmd5checkpw: Upstream disappeared and distfile is no longer available
2011-05-01 security/cops: Upstream disappeared and distfile is no longer available
2011-05-01 security/find_ddos: Upstream disappeared and distfile is no longer available
2011-05-01 security/ftpmap: Upstream disappeared and distfile is no longer available
2011-05-01 security/hafiye: Upstream disappeared and distfile is no longer available
2011-05-01 security/ident2: Upstream disappeared and distfile is no longer available
2011-05-01 security/liedentd: Upstream disappeared and distfile is no longer available
2011-05-01 security/pam_pop3: Upstream disappeared and distfile is no longer available
2011-05-01 security/poc: Upstream disappeared and distfile is no longer available
2011-05-01 security/portscanner: Upstream disappeared and distfile is no longer available
2011-05-01 security/ppgen: Upstream disappeared and distfile is no longer available
2011-05-01 security/qident: Upstream disappeared and distfile is no longer available
2011-05-01 security/quintuple-agent: Upstream disappeared and distfile is no longer available
2011-05-01 security/rc5pipe: Upstream disappeared and distfile is no longer available
2011-05-01 security/rid: Upstream disappeared and distfile is no longer available
2011-05-01 security/ssh: Upstream disappeared and distfile is no longer available
2011-05-01 security/tea-total: Upstream disappeared and distfile is no longer available
2011-05-01 security/uberkey: Upstream disappeared and distfile is no longer available
@
text
@--- sshd.c.orig	Mon Jul  3 19:07:35 2000
+++ sshd.c	Sat Jun 29 22:25:41 2002
@@@@ -567,6 +567,19 @@@@
 /* Name of the server configuration file. */
 char *config_file_name = SERVER_CONFIG_FILE;
 
+/* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
+   Default value is AF_UNSPEC means both IPv4 and IPv6. */
+#ifdef ENABLE_IPV6
+int IPv4or6 = AF_UNSPEC;
+#else
+int IPv4or6 = AF_INET;
+#endif
+
+#ifdef ENABLE_LOG_AUTH
+char *unauthenticated_user = NULL;
+int log_auth_flag = 0;
+#endif /* ENABLE_LOG_AUTH */
+
 /* Debug mode flag.  This can be set on the command line.  If debug
    mode is enabled, extra debugging output will be sent to the system
    log, the daemon will not go to background, and will exit after processing
@@@@ -590,7 +603,17 @@@@
 
 /* This is set to the socket that the server is listening; this is used in
    the SIGHUP signal handler. */
-int listen_sock;
+#define	MAX_LISTEN_SOCKS	16
+int listen_socks[MAX_LISTEN_SOCKS];
+int num_listen_socks = 0;
+void close_listen_socks()
+{
+  int i;
+
+  for (i = 0; i < num_listen_socks; i++)
+    close(listen_socks[i]);
+  num_listen_socks = -1;
+}
 
 /* This is not really needed, and could be eliminated if server-specific
    and client-specific code were removed from newchannels.c */
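Review bot: The comment above `listen_socks` still describes a single listening socket, and nothing documents that `close_listen_socks()` sets `num_listen_socks` to -1 as a signal rather than a count. The accept loop later in this patch tests `num_listen_socks < 0` to detect the child or debug-mode case, so a reader who treats the variable as a plain count will miss that. I would replace the comment with `/* Listening sockets, one per bound address. num_listen_socks is the count, or -1 once close_listen_socks() has run (child process or debug mode). */`. The loop-closing comment in the hunk at -1247 names `num_host_socks`, which appears nowhere else in this patch; it should read `num_listen_socks`.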
@@@@ -680,7 +703,7 @@@@
 void sighup_restart(void)
 {
   log_msg("Received SIGHUP; restarting.");
-  close(listen_sock);
+  close_listen_socks();
   execvp(saved_argv[0], saved_argv);
   log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", 
       saved_argv[0], strerror(errno));
@@@@ -694,7 +717,7 @@@@
 RETSIGTYPE sigterm_handler(int sig)
 {
   log_msg("Received signal %d; terminating.", sig);
-  close(listen_sock);
+  close_listen_socks();
   exit(255);
 }
 
@@@@ -773,7 +796,7 @@@@
   int perm_denied = 0;
   int ret;
   fd_set fdset;
-  struct sockaddr_in sin;
+  struct sockaddr_storage from;
   char buf[100]; /* Must not be larger than remote_version. */
   char remote_version[100]; /* Must be at least as big as buf. */
   char *comment;
@@@@ -783,6 +806,9 @@@@
   struct linger linger;
 #endif /* SO_LINGER */
   int done;
+  struct addrinfo *ai;
+  char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+  int listen_sock, maxfd;
   
   /* Save argv[0]. */
   saved_argv = av;
@@@@ -801,10 +827,26 @@@@
   initialize_server_options(&options);
 
   /* Parse command-line arguments. */
-  while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF)
+  while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4"
+#ifdef ENABLE_IPV6
+	"6"
+#endif
+	)) != EOF)
     {
       switch (opt)
         {
+	case '4':
+#ifdef ENABLE_IPV6
+	  IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
+#else
+	  IPv4or6 = AF_INET;
+#endif
+	  break;
+#ifdef ENABLE_IPV6
+	case '6':
+	  IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
+	  break;
+#endif
         case 'f':
           config_file_name = optarg;
           break;
@@@@ -821,7 +863,7 @@@@
           options.server_key_bits = atoi(optarg);
           break;
         case 'p':
-          options.port = atoi(optarg);
+	  options.ports[options.num_ports++] = atoi(optarg);
           break;
         case 'g':
           options.login_grace_time = atoi(optarg);
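Review bot: The new `-p` handler stores into `options.ports[options.num_ports++]` with no check on the index or on the value, so repeated `-p` options can index past the end of the array and `atoi()` output such as 0 or 70000 is accepted as a port. The hunk at -871 also removes the old `options.port < 1 || options.port > 65535` test without a replacement on the new side; unless that validation moved to code outside this patch, it is lost. I would guard the store with `if (options.num_ports >= PORTS_ARRAY_LEN) { fprintf(stderr, "fatal: too many ports.\n"); exit(1); }`, where `PORTS_ARRAY_LEN` is a placeholder for the declared length of `options.ports` (not visible here), and range-check each parsed value before storing it. The enclosing switch starts and ends outside the hunk.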
@@@@ -843,6 +885,10 @@@@
           fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
           fprintf(stderr, "Usage: %s [options]\n", av0);
           fprintf(stderr, "Options:\n");
+	  fprintf(stderr, "  -4         Use IPv4 only\n");
+#ifdef ENABLE_IPV6
+	  fprintf(stderr, "  -6         Use IPv6 only\n");
+#endif
           fprintf(stderr, "  -f file    Configuration file (default %s/sshd_config)\n", ETCDIR);
           fprintf(stderr, "  -d         Debugging mode\n");
           fprintf(stderr, "  -i         Started from inetd\n");
@@@@ -871,16 +917,15 @@@@
       fprintf(stderr, "fatal: Bad server key size.\n");
       exit(1);
     }
-  if (options.port < 1 || options.port > 65535)
-    {
-      fprintf(stderr, "fatal: Bad port number.\n");
-      exit(1);
-    }
   if (options.umask != -1)
     {
       umask(options.umask);
     }
 
+#ifdef ENABLE_LOG_AUTH
+  log_auth_flag = options.log_auth;
+#endif /* ENABLE_LOG_AUTH */
+
   /* Check that there are no remaining arguments. */
   if (optind < ac)
     {
@@@@ -1048,10 +1093,13 @@@@
     }
   else
     {
+  for (ai = options.listen_addrs; ai; ai = ai->ai_next)
+    {
       /* Create socket for listening. */
-      listen_sock = socket(AF_INET, SOCK_STREAM, 0);
+      listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
       if (listen_sock < 0)
         fatal("socket: %.100s", strerror(errno));
+      listen_socks[num_listen_socks] = listen_sock;
 
       /* Set socket options.  We try to make the port reusable and have it
          close as fast as possible without waiting in unnecessary wait states
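Review bot: `listen_socks[num_listen_socks] = listen_sock;` writes into a 16-element global array without comparing `num_listen_socks` against `MAX_LISTEN_SOCKS`. The loop runs once per entry in `options.listen_addrs`, which presumably grows with the configured addresses and ports, so a configuration with more than 16 successful binds would write past the array. Adding `if (num_listen_socks >= MAX_LISTEN_SOCKS) fatal("Too many listen sockets.");` at the top of the loop body, before `socket()`, keeps the failure explicit. The `for` loop opened here closes in the next hunk.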
@@@@ -1065,21 +1113,30 @@@@
                  sizeof(linger));
 #endif /* SO_LINGER */
 
-      /* Initialize the socket address. */
-      memset(&sin, 0, sizeof(sin));
-      sin.sin_family = AF_INET;
-      sin.sin_addr = options.listen_addr;
-      sin.sin_port = htons(options.port);
+      getnameinfo(ai->ai_addr, ai->ai_addrlen,
+		  ntop, sizeof(ntop), strport, sizeof(strport),
+		  NI_NUMERICHOST|NI_NUMERICSERV);
 
       /* Bind the socket to the desired port. */
-      if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
+      if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0)
         {
-          error("bind: %.100s", strerror(errno));
-          shutdown(listen_sock, 2);
+	  error("Bind to port %s on %s failed: %.200s.",
+		strport, ntop, strerror(errno));
           close(listen_sock);
-          fatal("Bind to port %d failed: %.200s.", options.port,
-                strerror(errno));
+	  continue;
         }
+      num_listen_socks++;
+
+      /* Start listening on the port. */
+      log_msg("Server listening on %s port %s.", ntop, strport);
+      if (listen(listen_sock, 5) < 0)
+	fatal("listen: %.100s", strerror(errno));
+
+      } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */
+      freeaddrinfo(options.listen_addrs);
+
+      if (!num_listen_socks)
+	fatal("Cannot bind all addresses.");
 
       if (!debug_flag)
         {
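Review bot: A failed `bind()` is now only logged with `error()` and skipped, so the daemon can start while listening on a subset of the configured addresses, where the old code called `fatal()`. The only hard stop is `if (!num_listen_socks)`, and its message "Cannot bind all addresses." reads as the opposite of the condition, which is that no address could be bound. I would change it to `fatal("Cannot bind any address.");`. A comment on the `continue` stating that partial binding is intentional would also help; operators should watch the log for the "Bind to port ... failed" line, since start-up no longer fails on it.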
@@@@ -1095,11 +1152,6 @@@@
             }
         }
 
-      /* Start listening on the port. */
-      log_msg("Server listening on port %d.", options.port);
-      if (listen(listen_sock, 5) < 0)
-        fatal("listen: %.100s", strerror(errno));
-
       /* Generate an rsa key. */
       log_msg("Generating %d bit RSA key.", options.server_key_bits);
       rsa_generate_key(&sensitive_data.private_key, &public_key,
@@@@ -1153,18 +1205,28 @@@@
           
           /* Wait in select until there is a connection. */
           FD_ZERO(&fdset);
-          FD_SET(listen_sock, &fdset);
-          ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
-          if (ret < 0 || !FD_ISSET(listen_sock, &fdset))
+	  maxfd = 0;
+	  for (i = 0; i < num_listen_socks; i++)
+	    {
+	      FD_SET(listen_socks[i], &fdset);
+	      if (listen_socks[i] > maxfd)
+		maxfd = listen_socks[i];
+	    }
+	  ret = select(maxfd + 1, &fdset, NULL, NULL, NULL);
+	  if (ret < 0)
             {
               if (errno == EINTR)
                 continue;
               error("select: %.100s", strerror(errno));
               continue;
             }
-          
-          aux = sizeof(sin);
-          newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux);
+
+      for (i = 0; i < num_listen_socks; i++)
+	{
+	  if (!FD_ISSET(listen_socks[i], &fdset))
+	    continue;
+	  aux = sizeof(from);
+	  newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux);
           if (newsock < 0)
             {
               if (errno == EINTR)
@@@@ -1180,7 +1242,7 @@@@
               /* In debugging mode.  Close the listening socket, and start
                  processing the connection without forking. */
               debug("Server will not fork when running in debugging mode.");
-              close(listen_sock);
+	      close_listen_socks();
               sock_in = newsock;
               sock_out = newsock;
               pid = getpid();
@@@@ -1209,7 +1271,7 @@@@
                      the accepted socket.  Reinitialize logging (since our
                      pid has changed).  We break out of the loop to handle
                      the connection. */
-                  close(listen_sock);
+		  close_listen_socks();
                   sock_in = newsock;
                   sock_out = newsock;
 #ifdef LIBWRAP
@@@@ -1247,6 +1309,10 @@@@
           
           /* Close the new socket (the child is now taking care of it). */
           close(newsock);
+        } /* for (i = 0; i < num_host_socks; i++) */
+	  /* child process check (or debug mode) */
+	  if (num_listen_socks < 0)
+	    break;
         }
     }
   
@@@@ -2219,6 +2285,9 @@@@
     krb5_parse_name(ssh_context, user, &client);
 #endif /* defined(KERBEROS) && defined(KRB5) */
                          
+#ifdef ENABLE_LOG_AUTH
+  unauthenticated_user = user;
+#endif /* ENABLE_LOG_AUTH */
   /* Verify that the user is a valid user.  We disallow usernames starting
      with any characters that are commonly used to start NIS entries. */
   pw = getpwnam(user);
@@@@ -2236,7 +2305,7 @@@@
   pwcopy.pw_class = xstrdup(pw->pw_class);
   pwcopy.pw_change = pw->pw_change;
   pwcopy.pw_expire = pw->pw_expire;
-#endif /*  __bsdi__  && _BSDI_VERSION >= 199510 */
+#endif /*  (__bsdi__  && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */
   pwcopy.pw_dir = xstrdup(pw->pw_dir);
   pwcopy.pw_shell = xstrdup(pw->pw_shell);
   pw = &pwcopy;
@@@@ -2274,6 +2343,11 @@@@
     {
       /* Authentication with empty password succeeded. */
       debug("Login for user %.100s accepted without authentication.", user);
+#ifdef ENABLE_LOG_AUTH
+      log_auth("%.100s from %.700s (%s)",
+	       user, get_canonical_hostname(),
+	       "empty password accepted");
+#endif /* ENABLE_LOG_AUTH */
       authentication_type = SSH_AUTH_PASSWORD;
       authenticated = 1;
       /* Success packet will be sent after loop below. */
@@@@ -2348,6 +2422,11 @@@@
                   /* Client has successfully authenticated to us. */
                   log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s",
                           tkt_user, user, get_canonical_hostname());
+#ifdef ENABLE_LOG_AUTH
+		  log_auth("%.100s from %.700s (%s)",
+			   user, get_canonical_hostname(),
+			   "kerberos authentication accepted");
+#endif /* ENABLE_LOG_AUTH */
                   authentication_type = SSH_AUTH_KERBEROS;
                   authenticated = 1;
                   break;
@@@@ -2396,6 +2475,11 @@@@
               /* Authentication accepted. */
               log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
                   user, client_user, get_canonical_hostname());
+#ifdef ENABLE_LOG_AUTH
+	      log_auth("%.100s from %.100s@@%.700s (%s)",
+		       user, client_user, get_canonical_hostname(),
+		       "rhosts authentication accepted");
+#endif /* ENABLE_LOG_AUTH */
               authentication_type = SSH_AUTH_RHOSTS;
               authenticated = 1;
               remote_user_name = client_user;
@@@@ -2455,6 +2539,11 @@@@
                               options.strict_modes))
             {
               /* Authentication accepted. */
+#ifdef ENABLE_LOG_AUTH
+	      log_auth("%.100s from %.100s@@%.700s (%s)",
+		       user, client_user, get_canonical_hostname(),
+                       "rhosts with RSA host authentication accepted");
+#endif /* ENABLE_LOG_AUTH */
               authentication_type = SSH_AUTH_RHOSTS_RSA;
               authenticated = 1;
               remote_user_name = client_user;
@@@@ -2488,6 +2577,11 @@@@
                 /* Successful authentication. */
                 mpz_clear(&n);
                 log_msg("RSA authentication for %.100s accepted.", user);
+#ifdef ENABLE_LOG_AUTH
+		log_auth("%.100s from %.700s (%s)",
+			 user, get_canonical_hostname(),
+			 "RSA user authentication accepted");
+#endif /* ENABLE_LOG_AUTH */
                 authentication_type = SSH_AUTH_RSA;
                 authenticated = 1;
                 break;
@@@@ -2622,6 +2716,11 @@@@
               auth_close();
               memset(password, 0, strlen(password));
               xfree(password);
+#ifdef ENABLE_LOG_AUTH
+	      log_auth("%.100s from @@%.700s (%s)",
+		       user, get_canonical_hostname(),
+                       "TIS authentication accepted");
+#endif /* ENABLE_LOG_AUTH */
               authentication_type = SSH_AUTH_TIS;
               authenticated = 1;
               break;
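Review bot: The TIS `log_auth` format string has a stray `@` before the host (`@@` here is the RCS escape for one `@`), giving `user from @host (...)` with no client user in front of it. The other non-rhosts calls in this patch use `"%.100s from %.700s (%s)"`, so anything that parses these audit lines by that shape will mis-split the TIS record. I would make it match: `log_auth("%.100s from %.700s (%s)",`.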
@@@@ -2682,6 +2781,11 @@@@
               memset(password, 0, strlen(password));
               xfree(password);
               log_msg("Password authentication for %.100s accepted.", user);
+#ifdef ENABLE_LOG_AUTH
+	      log_auth("%.100s from %.700s (%s)",
+		       user, get_canonical_hostname(),
+		       "password authentication accepted");
+#endif /* ENABLE_LOG_AUTH */
               authentication_type = SSH_AUTH_PASSWORD;
               authenticated = 1;
               break;
@@@@ -2722,6 +2826,11 @@@@
     }
 
   /* Check if the user is logging in as root and root logins are disallowed. */
+#ifdef ENABLE_LOG_AUTH
+  if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) ||
+      (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command))
+    log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
+#endif /* ENABLE_LOG_AUTH */
   if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
     {
       if (authentication_type == SSH_AUTH_PASSWORD)
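Review bot: The added block logs "ROOT LOGIN REFUSED" for every root login when `options.permit_root_login == 1`, but the code that follows only takes the refusal path inside `if (authentication_type == SSH_AUTH_PASSWORD)`. If the rest of that branch (outside the hunk) lets non-password root logins through, as the nesting suggests, the audit log will report a refusal for logins that were accepted. I would move each `log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());` call into the branch that actually rejects the login instead of duplicating the conditions ahead of it. The `#ifdef` block also now separates the "Check if the user is logging in as root" comment from the code it describes.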
@@@@ -2789,6 +2898,9 @@@@
   packet_start(SSH_SMSG_SUCCESS);
   packet_send();
   packet_write_wait();
+#ifdef ENABLE_LOG_AUTH
+  unauthenticated_user = NULL;
+#endif /* ENABLE_LOG_AUTH */
 
   /* Perform session preparation. */
   do_authenticated(pw);
@@@@ -3383,15 +3495,16 @@@@
   char line[256];
   struct stat st;
   int quiet_login;
-  struct sockaddr_in from;
+  struct sockaddr_storage from;
   int fromlen;
   struct pty_cleanup_context cleanup_context;
 #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
   login_cap_t *lc;
+  time_t warnpassword, warnexpire;
 #endif
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510 
+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
   struct timeval tp;
-#endif /*  __bsdi__ && _BSDI_VERSION >= 199510 */
+#endif /*  __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */
 
   /* We no longer need the child running on user's privileges. */
   userfile_uninit();
@@@@ -3490,7 +3603,7 @@@@
 
       /* Record that there was a login on that terminal. */
       record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, 
-                   &from);
+		   (struct sockaddr *)&from);
 
 #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
       lc = login_getclass(pw->pw_class);
@@@@ -3549,6 +3662,14 @@@@
                    "The Regents of the University of California. ",
                    "All rights reserved.");
         }
+#ifdef HAVE_LOGIN_CAP_H
+#define DEFAULT_WARN	(2L * 7L * 86400L)	/* Two weeks */
+
+	warnpassword = login_getcaptime(lc, "warnpassword",
+	    DEFAULT_WARN, DEFAULT_WARN);
+	warnexpire = login_getcaptime(lc, "warnexpire",
+	    DEFAULT_WARN, DEFAULT_WARN);
+#endif
 #endif
 
       /* Print /etc/motd unless a command was specified or printing it was
@@@@ -3572,7 +3693,7 @@@@
                 fputs(line, stdout);
               fclose(f);
             }
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510)
           if (pw->pw_change || pw->pw_expire)
             (void)gettimeofday(&tp, (struct timezone *)NULL);
           if (pw->pw_change)
@@@@ -3979,6 +4100,7 @@@@
   char *user_shell;
   char *remote_ip;
   int remote_port;
+  int local_port;
 #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
   login_cap_t *lc;
   char *real_shell;
@@@@ -4025,7 +4147,7 @@@@
           while (fgets(buf, sizeof(buf), f))
             fputs(buf, stderr);
           fclose(f);
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
           if (pw->pw_uid != UID_ROOT &&
               !login_getcapbool(lc, "ignorenologin", 0))
             exit(254);
@@@@ -4084,6 +4206,7 @@@@
   user_shell = xstrdup(pw->pw_shell);
   remote_ip = xstrdup(get_remote_ipaddr());
   remote_port = get_remote_port();
+  local_port = get_local_port();
 
   /* Close the connection descriptors; note that this is the child, and the 
      server will still have the socket open, and it is important that we
@@@@ -4103,7 +4226,6 @@@@
   /* Close any extra file descriptors.  Note that there may still be
      descriptors left by system functions.  They will be closed later. */
   endpwent();
-  endhostent();
 
   /* Set dummy encryption key to clear information about the key from
      memory.  This key will never be used. */
@@@@ -4360,7 +4482,7 @@@@
 
   /* Set SSH_CLIENT. */
   snprintf(buf, sizeof(buf),
-           "%.50s %d %d", remote_ip, remote_port, options.port);
+           "%.50s %d %d", remote_ip, remote_port, local_port);
   child_set_env(&env, &envsize, "SSH_CLIENT", buf);
 
   /* Set SSH_TTY if we have a pty. */
@@@@ -4533,7 +4655,8 @@@@
                 int i;
                 char name[255], *p;
                 char line[256];
-                struct hostent *hp;
+		struct addrinfo hints, *ai, *aitop;
+		char ntop[ADDRSTRLEN];
                 
                 strncpy(name, display, sizeof(name));
                 name[sizeof(name) - 1] = '\0';
@@@@ -4550,7 +4673,10 @@@@
                 /* Moved this call here to avoid a nasty buf in SunOS
                    4.1.4 libc where gethostbyname closes an unrelated
                    file descriptor. */
-                hp = gethostbyname(name);
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = IPv4or6;
+		if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
+		  aitop = 0;
 
                 snprintf(line, sizeof(line),
                          "%.200s -q -", options.xauth_path);
@@@@ -4568,21 +4694,24 @@@@
                                 cp - display, display, cp, auth_proto,
                                 auth_data);
 #endif
-                        if (hp)
+                        if (aitop)
                           {
-                            for(i = 0; hp->h_addr_list[i]; i++)
+			    for (ai = aitop; ai; ai = ai->ai_next)
                               {
+				getnameinfo(ai->ai_addr, ai->ai_addrlen,
+					    ntop, sizeof(ntop), NULL, 0,
+					    NI_NUMERICHOST);
+				if (strchr(ntop, ':'))
+				  continue; /* XXX - xauth doesn't accept it */
                                 if (debug_flag)
                                   {
                                     fprintf(stderr, "Running %s add %s%s %s %s\n",
                                             options.xauth_path,
-                                            inet_ntoa(*((struct in_addr *)
-                                                        hp->h_addr_list[i])),
+					    ntop,
                                             cp, auth_proto, auth_data);
                                   }
                                 fprintf(f, "add %s%s %s %s\n",
-                                        inet_ntoa(*((struct in_addr *)
-                                                    hp->h_addr_list[i])),
+					ntop,
                                         cp, auth_proto, auth_data);
                               }
                           }
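Review bot: The return value of `getnameinfo()` is ignored in the xauth loop, so on failure `ntop` (an uninitialised local array) is passed to `strchr()` and then written into the `xauth` command stream with `fprintf(f, "add %s%s ...")`. Checking it, `if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST) != 0) continue;`, avoids feeding unspecified bytes to `xauth`. The same unchecked call is in the listen loop in the hunk at -1065, where `ntop` and `strport` go straight into log messages. No `freeaddrinfo(aitop)` is visible in this hunk; if it is not called after the loop outside the hunk, the list is leaked.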
@@@@ -4632,7 +4761,11 @@@@
                   struct stat mailbuf;
                   
                   if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
+#ifdef __FreeBSD__
+                    ;
+#else
                     printf("No mail.\n");
+#endif
                   else if (mailbuf.st_atime > mailbuf.st_mtime)
                     printf("You have mail.\n");
                   else
@


1.26
log
@Update to version 1.2.31.
@
text
@@


1.25
log
@Update to version 1.2.29.
@
text
@a404 9
@@@@ -2962,7 +3074,7 @@@@
 #ifdef UF_OPAQUE
                                       UF_OPAQUE |
 #endif /* UF_OPAQUE */
-                                      0)) < 0)
+                                      0) < 0)
                             {
                               debug("chflags failed for %s, error: %s",
                                     ttyname, strerror(errno));
@


1.24
log
@Update to version 1.2.28.
@
text
@d1 2
a2 2
--- sshd.c.orig	Mon Jul  3 10:07:35 2000
+++ sshd.c	Fri Jun 21 17:57:21 2002
d405 9
@


1.23
log
@Add IPv6 support to ssh.
The IPv6 patch was obtained from the kame repository and has
been written by KIKUCHI Takahiro <kick@@kyoto.wide.ad.jp>

Due to the whole mess with different patches it was necessary to include
both the IPv6 patch and patch-ssh-1.2.27-bsd.tty.chown in ${PATCHDIR}.
Since both patches modify the configure script it was also necessary
to rebuild it via autoconf from configure.in. I've decided to use
USE_AUTOCONF instead of including the re-build configure script in
${FILESDIR}

Obtained from:	KAME/WIDE
@
text
@d1 564
a564 809
*** sshd.c.orig	Tue Jan 11 20:40:10 2000
--- sshd.c	Tue Jan 11 20:40:07 2000
***************
*** 553,558 ****
--- 553,571 ----
  /* Name of the server configuration file. */
  char *config_file_name = SERVER_CONFIG_FILE;
  
+ /* Flag indicating whether IPv4 or IPv6.  This can be set on the command line.
+    Default value is AF_UNSPEC means both IPv4 and IPv6. */
+ #ifdef ENABLE_IPV6
+ int IPv4or6 = AF_UNSPEC;
+ #else
+ int IPv4or6 = AF_INET;
+ #endif
+ 
+ #ifdef ENABLE_LOG_AUTH
+ char *unauthenticated_user = NULL;
+ int log_auth_flag = 0;
+ #endif /* ENABLE_LOG_AUTH */
+ 
  /* Debug mode flag.  This can be set on the command line.  If debug
     mode is enabled, extra debugging output will be sent to the system
     log, the daemon will not go to background, and will exit after processing
***************
*** 576,582 ****
  
  /* This is set to the socket that the server is listening; this is used in
     the SIGHUP signal handler. */
! int listen_sock;
  
  /* This is not really needed, and could be eliminated if server-specific
     and client-specific code were removed from newchannels.c */
--- 589,605 ----
  
  /* This is set to the socket that the server is listening; this is used in
     the SIGHUP signal handler. */
! #define	MAX_LISTEN_SOCKS	16
! int listen_socks[MAX_LISTEN_SOCKS];
! int num_listen_socks = 0;
! void close_listen_socks()
! {
!   int i;
! 
!   for (i = 0; i < num_listen_socks; i++)
!     close(listen_socks[i]);
!   num_listen_socks = -1;
! }
  
  /* This is not really needed, and could be eliminated if server-specific
     and client-specific code were removed from newchannels.c */
***************
*** 666,672 ****
  void sighup_restart(void)
  {
    log_msg("Received SIGHUP; restarting.");
!   close(listen_sock);
    execvp(saved_argv[0], saved_argv);
    log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", 
        saved_argv[0], strerror(errno));
--- 689,695 ----
  void sighup_restart(void)
  {
    log_msg("Received SIGHUP; restarting.");
!   close_listen_socks();
    execvp(saved_argv[0], saved_argv);
    log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", 
        saved_argv[0], strerror(errno));
***************
*** 680,686 ****
  RETSIGTYPE sigterm_handler(int sig)
  {
    log_msg("Received signal %d; terminating.", sig);
!   close(listen_sock);
    exit(255);
  }
  
--- 703,709 ----
  RETSIGTYPE sigterm_handler(int sig)
  {
    log_msg("Received signal %d; terminating.", sig);
!   close_listen_socks();
    exit(255);
  }
  
***************
*** 759,765 ****
    int perm_denied = 0;
    int ret;
    fd_set fdset;
!   struct sockaddr_in sin;
    char buf[100]; /* Must not be larger than remote_version. */
    char remote_version[100]; /* Must be at least as big as buf. */
    char *comment;
--- 782,788 ----
    int perm_denied = 0;
    int ret;
    fd_set fdset;
!   struct sockaddr_storage from;
    char buf[100]; /* Must not be larger than remote_version. */
    char remote_version[100]; /* Must be at least as big as buf. */
    char *comment;
***************
*** 769,774 ****
--- 792,800 ----
    struct linger linger;
  #endif /* SO_LINGER */
    int done;
+   struct addrinfo *ai;
+   char ntop[ADDRSTRLEN], strport[PORTSTRLEN];
+   int listen_sock, maxfd;
    
    /* Save argv[0]. */
    saved_argv = av;
***************
*** 787,796 ****
    initialize_server_options(&options);
  
    /* Parse command-line arguments. */
!   while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF)
      {
        switch (opt)
          {
          case 'f':
            config_file_name = optarg;
            break;
--- 813,838 ----
    initialize_server_options(&options);
  
    /* Parse command-line arguments. */
!   while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4"
! #ifdef ENABLE_IPV6
! 	"6"
! #endif
! 	)) != EOF)
      {
        switch (opt)
          {
+ 	case '4':
+ #ifdef ENABLE_IPV6
+ 	  IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET;
+ #else
+ 	  IPv4or6 = AF_INET;
+ #endif
+ 	  break;
+ #ifdef ENABLE_IPV6
+ 	case '6':
+ 	  IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6;
+ 	  break;
+ #endif
          case 'f':
            config_file_name = optarg;
            break;
***************
*** 807,813 ****
            options.server_key_bits = atoi(optarg);
            break;
          case 'p':
!           options.port = atoi(optarg);
            break;
          case 'g':
            options.login_grace_time = atoi(optarg);
--- 849,855 ----
            options.server_key_bits = atoi(optarg);
            break;
          case 'p':
! 	  options.ports[options.num_ports++] = atoi(optarg);
            break;
          case 'g':
            options.login_grace_time = atoi(optarg);
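Review bot: The new `-p` handler writes `options.ports[options.num_ports++] = atoi(optarg);` without checking that `num_ports` is still below the array's capacity, so repeating `-p` on the command line can store past the end of `options.ports`. The array's declaration is outside this patch, so its size needs confirming. A later hunk of the same change also deletes the `options.port < 1 || options.port > 65535` check with no visible replacement, and `atoi` maps non-numeric input to 0. A guard before the store, such as `if (options.num_ports >= MAX_PORTS_PLACEHOLDER) { fprintf(stderr, "fatal: too many ports.\n"); exit(1); }` (the constant name stands for whatever sizes the array), plus a per-port range check, would keep the old validation. The enclosing `switch` starts and ends outside the hunk.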
***************
*** 829,834 ****
--- 871,880 ----
            fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE);
            fprintf(stderr, "Usage: %s [options]\n", av0);
            fprintf(stderr, "Options:\n");
+ 	  fprintf(stderr, "  -4         Use IPv4 only\n");
+ #ifdef ENABLE_IPV6
+ 	  fprintf(stderr, "  -6         Use IPv6 only\n");
+ #endif
            fprintf(stderr, "  -f file    Configuration file (default %s/sshd_config)\n", ETCDIR);
            fprintf(stderr, "  -d         Debugging mode\n");
            fprintf(stderr, "  -i         Started from inetd\n");
***************
*** 857,872 ****
        fprintf(stderr, "fatal: Bad server key size.\n");
        exit(1);
      }
-   if (options.port < 1 || options.port > 65535)
-     {
-       fprintf(stderr, "fatal: Bad port number.\n");
-       exit(1);
-     }
    if (options.umask != -1)
      {
        umask(options.umask);
      }
  
    /* Check that there are no remaining arguments. */
    if (optind < ac)
      {
--- 903,917 ----
        fprintf(stderr, "fatal: Bad server key size.\n");
        exit(1);
      }
    if (options.umask != -1)
      {
        umask(options.umask);
      }
  
+ #ifdef ENABLE_LOG_AUTH
+   log_auth_flag = options.log_auth;
+ #endif /* ENABLE_LOG_AUTH */
+ 
    /* Check that there are no remaining arguments. */
    if (optind < ac)
      {
***************
*** 1034,1043 ****
      }
    else
      {
        /* Create socket for listening. */
!       listen_sock = socket(AF_INET, SOCK_STREAM, 0);
        if (listen_sock < 0)
          fatal("socket: %.100s", strerror(errno));
  
        /* Set socket options.  We try to make the port reusable and have it
           close as fast as possible without waiting in unnecessary wait states
--- 1079,1091 ----
      }
    else
      {
+   for (ai = options.listen_addrs; ai; ai = ai->ai_next)
+     {
        /* Create socket for listening. */
!       listen_sock = socket(ai->ai_family, SOCK_STREAM, 0);
        if (listen_sock < 0)
          fatal("socket: %.100s", strerror(errno));
+       listen_socks[num_listen_socks] = listen_sock;
  
        /* Set socket options.  We try to make the port reusable and have it
           close as fast as possible without waiting in unnecessary wait states
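Review bot: `listen_socks[num_listen_socks] = listen_sock;` is not bounded by `MAX_LISTEN_SOCKS` (defined as 16 earlier in this patch), so a configuration that resolves to more than 16 listen addresses writes past the end of the global array. The matching `num_listen_socks++` is in the next hunk. Checking before the `socket()` call, for example `if (num_listen_socks >= MAX_LISTEN_SOCKS) fatal("Too many listen sockets.");`, keeps the index in range. The `for` loop opened here closes in the following hunk.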
***************
*** 1051,1071 ****
                   sizeof(linger));
  #endif /* SO_LINGER */
  
!       /* Initialize the socket address. */
!       memset(&sin, 0, sizeof(sin));
!       sin.sin_family = AF_INET;
!       sin.sin_addr = options.listen_addr;
!       sin.sin_port = htons(options.port);
  
        /* Bind the socket to the desired port. */
!       if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0)
          {
!           error("bind: %.100s", strerror(errno));
!           shutdown(listen_sock, 2);
            close(listen_sock);
!           fatal("Bind to port %d failed: %.200s.", options.port,
!                 strerror(errno));
          }
  
        if (!debug_flag)
          {
--- 1099,1128 ----
                   sizeof(linger));
  #endif /* SO_LINGER */
  
!       getnameinfo(ai->ai_addr, ai->ai_addrlen,
! 		  ntop, sizeof(ntop), strport, sizeof(strport),
! 		  NI_NUMERICHOST|NI_NUMERICSERV);
  
        /* Bind the socket to the desired port. */
!       if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0)
          {
! 	  error("Bind to port %s on %s failed: %.200s.",
! 		strport, ntop, strerror(errno));
            close(listen_sock);
! 	  continue;
          }
+       num_listen_socks++;
+ 
+       /* Start listening on the port. */
+       log_msg("Server listening on %s port %s.", ntop, strport);
+       if (listen(listen_sock, 5) < 0)
+ 	fatal("listen: %.100s", strerror(errno));
+ 
+       } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */
+       freeaddrinfo(options.listen_addrs);
+ 
+       if (!num_listen_socks)
+ 	fatal("Cannot bind all addresses.");
  
        if (!debug_flag)
          {
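Review bot: The return value of `getnameinfo()` is ignored, so on failure `ntop` and `strport` are uninitialised stack buffers that are then printed by `error("Bind to port %s on %s failed: ...")` and `log_msg("Server listening on %s port %s.", ...)`. The X11 cookie hunk later in this patch has the same pattern, where the unchecked `ntop` goes to `strchr()` and is written to the xauth pipe. Test the call's result against 0 and, on failure, report it and skip the address: `{ error("getnameinfo failed"); close(listen_sock); continue; }`. Zero-initialising both buffers before the call would make the failure path safe as well.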
***************
*** 1081,1091 ****
              }
          }
  
-       /* Start listening on the port. */
-       log_msg("Server listening on port %d.", options.port);
-       if (listen(listen_sock, 5) < 0)
-         fatal("listen: %.100s", strerror(errno));
- 
        /* Generate an rsa key. */
        log_msg("Generating %d bit RSA key.", options.server_key_bits);
        rsa_generate_key(&sensitive_data.private_key, &public_key,
--- 1138,1143 ----
***************
*** 1139,1156 ****
            
            /* Wait in select until there is a connection. */
            FD_ZERO(&fdset);
!           FD_SET(listen_sock, &fdset);
!           ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL);
!           if (ret < 0 || !FD_ISSET(listen_sock, &fdset))
              {
                if (errno == EINTR)
                  continue;
                error("select: %.100s", strerror(errno));
                continue;
              }
!           
!           aux = sizeof(sin);
!           newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux);
            if (newsock < 0)
              {
                if (errno == EINTR)
--- 1191,1218 ----
            
            /* Wait in select until there is a connection. */
            FD_ZERO(&fdset);
! 	  maxfd = 0;
! 	  for (i = 0; i < num_listen_socks; i++)
! 	    {
! 	      FD_SET(listen_socks[i], &fdset);
! 	      if (listen_socks[i] > maxfd)
! 		maxfd = listen_socks[i];
! 	    }
! 	  ret = select(maxfd + 1, &fdset, NULL, NULL, NULL);
! 	  if (ret < 0)
              {
                if (errno == EINTR)
                  continue;
                error("select: %.100s", strerror(errno));
                continue;
              }
! 
!       for (i = 0; i < num_listen_socks; i++)
! 	{
! 	  if (!FD_ISSET(listen_socks[i], &fdset))
! 	    continue;
! 	  aux = sizeof(from);
! 	  newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux);
            if (newsock < 0)
              {
                if (errno == EINTR)
***************
*** 1166,1172 ****
                /* In debugging mode.  Close the listening socket, and start
                   processing the connection without forking. */
                debug("Server will not fork when running in debugging mode.");
!               close(listen_sock);
                sock_in = newsock;
                sock_out = newsock;
                pid = getpid();
--- 1228,1234 ----
                /* In debugging mode.  Close the listening socket, and start
                   processing the connection without forking. */
                debug("Server will not fork when running in debugging mode.");
! 	      close_listen_socks();
                sock_in = newsock;
                sock_out = newsock;
                pid = getpid();
***************
*** 1195,1201 ****
                       the accepted socket.  Reinitialize logging (since our
                       pid has changed).  We break out of the loop to handle
                       the connection. */
!                   close(listen_sock);
                    sock_in = newsock;
                    sock_out = newsock;
  #ifdef LIBWRAP
--- 1257,1263 ----
                       the accepted socket.  Reinitialize logging (since our
                       pid has changed).  We break out of the loop to handle
                       the connection. */
! 		  close_listen_socks();
                    sock_in = newsock;
                    sock_out = newsock;
  #ifdef LIBWRAP
***************
*** 1233,1238 ****
--- 1295,1304 ----
            
            /* Close the new socket (the child is now taking care of it). */
            close(newsock);
+         } /* for (i = 0; i < num_host_socks; i++) */
+ 	  /* child process check (or debug mode) */
+ 	  if (num_listen_socks < 0)
+ 	    break;
          }
      }
    
***************
*** 2205,2210 ****
--- 2271,2279 ----
      krb5_parse_name(ssh_context, user, &client);
  #endif /* defined(KERBEROS) && defined(KRB5) */
                           
+ #ifdef ENABLE_LOG_AUTH
+   unauthenticated_user = user;
+ #endif /* ENABLE_LOG_AUTH */
    /* Verify that the user is a valid user.  We disallow usernames starting
       with any characters that are commonly used to start NIS entries. */
    pw = getpwnam(user);
***************
*** 2222,2228 ****
    pwcopy.pw_class = xstrdup(pw->pw_class);
    pwcopy.pw_change = pw->pw_change;
    pwcopy.pw_expire = pw->pw_expire;
! #endif /*  __bsdi__  && _BSDI_VERSION >= 199510 */
    pwcopy.pw_dir = xstrdup(pw->pw_dir);
    pwcopy.pw_shell = xstrdup(pw->pw_shell);
    pw = &pwcopy;
--- 2291,2297 ----
    pwcopy.pw_class = xstrdup(pw->pw_class);
    pwcopy.pw_change = pw->pw_change;
    pwcopy.pw_expire = pw->pw_expire;
! #endif /*  (__bsdi__  && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */
    pwcopy.pw_dir = xstrdup(pw->pw_dir);
    pwcopy.pw_shell = xstrdup(pw->pw_shell);
    pw = &pwcopy;
***************
*** 2260,2265 ****
--- 2329,2339 ----
      {
        /* Authentication with empty password succeeded. */
        debug("Login for user %.100s accepted without authentication.", user);
+ #ifdef ENABLE_LOG_AUTH
+       log_auth("%.100s from %.700s (%s)",
+ 	       user, get_canonical_hostname(),
+ 	       "empty password accepted");
+ #endif /* ENABLE_LOG_AUTH */
        authentication_type = SSH_AUTH_PASSWORD;
        authenticated = 1;
        /* Success packet will be sent after loop below. */
***************
*** 2334,2339 ****
--- 2408,2418 ----
                    /* Client has successfully authenticated to us. */
                    log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s",
                            tkt_user, user, get_canonical_hostname());
+ #ifdef ENABLE_LOG_AUTH
+ 		  log_auth("%.100s from %.700s (%s)",
+ 			   user, get_canonical_hostname(),
+ 			   "kerberos authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
                    authentication_type = SSH_AUTH_KERBEROS;
                    authenticated = 1;
                    break;
***************
*** 2382,2387 ****
--- 2461,2471 ----
                /* Authentication accepted. */
                log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.",
                    user, client_user, get_canonical_hostname());
+ #ifdef ENABLE_LOG_AUTH
+ 	      log_auth("%.100s from %.100s@@%.700s (%s)",
+ 		       user, client_user, get_canonical_hostname(),
+ 		       "rhosts authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
                authentication_type = SSH_AUTH_RHOSTS;
                authenticated = 1;
                remote_user_name = client_user;
***************
*** 2441,2446 ****
--- 2525,2535 ----
                                options.strict_modes))
              {
                /* Authentication accepted. */
+ #ifdef ENABLE_LOG_AUTH
+ 	      log_auth("%.100s from %.100s@@%.700s (%s)",
+ 		       user, client_user, get_canonical_hostname(),
+                        "rhosts with RSA host authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
                authentication_type = SSH_AUTH_RHOSTS_RSA;
                authenticated = 1;
                remote_user_name = client_user;
***************
*** 2474,2479 ****
--- 2563,2573 ----
                  /* Successful authentication. */
                  mpz_clear(&n);
                  log_msg("RSA authentication for %.100s accepted.", user);
+ #ifdef ENABLE_LOG_AUTH
+ 		log_auth("%.100s from %.700s (%s)",
+ 			 user, get_canonical_hostname(),
+ 			 "RSA user authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
                  authentication_type = SSH_AUTH_RSA;
                  authenticated = 1;
                  break;
***************
*** 2608,2613 ****
--- 2702,2712 ----
                auth_close();
                memset(password, 0, strlen(password));
                xfree(password);
+ #ifdef ENABLE_LOG_AUTH
+ 	      log_auth("%.100s from @@%.700s (%s)",
+ 		       user, get_canonical_hostname(),
+                        "TIS authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
                authentication_type = SSH_AUTH_TIS;
                authenticated = 1;
                break;
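Review bot: The TIS audit format string `"%.100s from @%.700s (%s)"` (written `@@` here only because RCS escapes `@`) has a stray `@` before the host. It receives only `user` and the hostname, unlike the rhosts entries that print `client_user@host`. The other two-argument `log_auth` calls in this patch use `"%.100s from %.700s (%s)"`, so TIS logins would produce lines that a log parser keyed on that shape splits incorrectly. Suggested form: `log_auth("%.100s from %.700s (%s)", user, get_canonical_hostname(), "TIS authentication accepted");`. The surrounding authentication branch starts and ends outside the hunk.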
***************
*** 2668,2673 ****
--- 2767,2777 ----
                memset(password, 0, strlen(password));
                xfree(password);
                log_msg("Password authentication for %.100s accepted.", user);
+ #ifdef ENABLE_LOG_AUTH
+ 	      log_auth("%.100s from %.700s (%s)",
+ 		       user, get_canonical_hostname(),
+ 		       "password authentication accepted");
+ #endif /* ENABLE_LOG_AUTH */
                authentication_type = SSH_AUTH_PASSWORD;
                authenticated = 1;
                break;
***************
*** 2708,2713 ****
--- 2812,2822 ----
      }
  
    /* Check if the user is logging in as root and root logins are disallowed. */
+ #ifdef ENABLE_LOG_AUTH
+   if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) ||
+       (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command))
+     log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
+ #endif /* ENABLE_LOG_AUTH */
    if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1)
      {
        if (authentication_type == SSH_AUTH_PASSWORD)
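Review bot: The added `log_auth("ROOT LOGIN REFUSED FROM %.200s", ...)` fires for every root login with `permit_root_login == 1`, before the existing `authentication_type == SSH_AUTH_PASSWORD` test on the following lines, so a root login that this branch goes on to accept would still be recorded as refused. The rest of the branch is outside the hunk, so this is inferred from the visible conditions. If non-password root logins are allowed in that mode, either move the audit call to where the refusal is decided or narrow the first clause to `(pw->pw_uid == UID_ROOT && options.permit_root_login == 1 && authentication_type == SSH_AUTH_PASSWORD)`. False refusal entries make the auth log unreliable for alerting on root access.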
***************
*** 2775,2780 ****
--- 2884,2892 ----
    packet_start(SSH_SMSG_SUCCESS);
    packet_send();
    packet_write_wait();
+ #ifdef ENABLE_LOG_AUTH
+   unauthenticated_user = NULL;
+ #endif /* ENABLE_LOG_AUTH */
  
    /* Perform session preparation. */
    do_authenticated(pw);
***************
*** 3280,3294 ****
    char line[256];
    struct stat st;
    int quiet_login;
!   struct sockaddr_in from;
    int fromlen;
    struct pty_cleanup_context cleanup_context;
  #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
    login_cap_t *lc;
  #endif
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 
    struct timeval tp;
! #endif /*  __bsdi__ && _BSDI_VERSION >= 199510 */
  
    /* We no longer need the child running on user's privileges. */
    userfile_uninit();
--- 3392,3407 ----
    char line[256];
    struct stat st;
    int quiet_login;
!   struct sockaddr_storage from;
    int fromlen;
    struct pty_cleanup_context cleanup_context;
  #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
    login_cap_t *lc;
+   time_t warnpassword, warnexpire;
  #endif
! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
    struct timeval tp;
! #endif /*  __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */
  
    /* We no longer need the child running on user's privileges. */
    userfile_uninit();
***************
*** 3387,3393 ****
  
        /* Record that there was a login on that terminal. */
        record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, 
!                    &from);
  
  #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
        lc = login_getclass(pw->pw_class);
--- 3500,3506 ----
  
        /* Record that there was a login on that terminal. */
        record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, 
! 		   (struct sockaddr *)&from);
  
  #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
        lc = login_getclass(pw->pw_class);
***************
*** 3446,3451 ****
--- 3559,3572 ----
                     "The Regents of the University of California. ",
                     "All rights reserved.");
          }
+ #ifdef HAVE_LOGIN_CAP_H
+ #define DEFAULT_WARN	(2L * 7L * 86400L)	/* Two weeks */
+ 
+ 	warnpassword = login_getcaptime(lc, "warnpassword",
+ 	    DEFAULT_WARN, DEFAULT_WARN);
+ 	warnexpire = login_getcaptime(lc, "warnexpire",
+ 	    DEFAULT_WARN, DEFAULT_WARN);
+ #endif
  #endif
  
        /* Print /etc/motd unless a command was specified or printing it was
***************
*** 3469,3475 ****
                  fputs(line, stdout);
                fclose(f);
              }
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
            if (pw->pw_change || pw->pw_expire)
              (void)gettimeofday(&tp, (struct timezone *)NULL);
            if (pw->pw_change)
--- 3590,3596 ----
                  fputs(line, stdout);
                fclose(f);
              }
! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510)
            if (pw->pw_change || pw->pw_expire)
              (void)gettimeofday(&tp, (struct timezone *)NULL);
            if (pw->pw_change)
***************
*** 3876,3881 ****
--- 3997,4003 ----
    char *user_shell;
    char *remote_ip;
    int remote_port;
+   int local_port;
  #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
    login_cap_t *lc;
    char *real_shell;
***************
*** 3922,3928 ****
            while (fgets(buf, sizeof(buf), f))
              fputs(buf, stderr);
            fclose(f);
! #if defined (__bsdi__) && _BSDI_VERSION >= 199510
            if (pw->pw_uid != UID_ROOT &&
                !login_getcapbool(lc, "ignorenologin", 0))
              exit(254);
--- 4044,4050 ----
            while (fgets(buf, sizeof(buf), f))
              fputs(buf, stderr);
            fclose(f);
! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
            if (pw->pw_uid != UID_ROOT &&
                !login_getcapbool(lc, "ignorenologin", 0))
              exit(254);
***************
*** 3981,3986 ****
--- 4103,4109 ----
    user_shell = xstrdup(pw->pw_shell);
    remote_ip = xstrdup(get_remote_ipaddr());
    remote_port = get_remote_port();
+   local_port = get_local_port();
  
    /* Close the connection descriptors; note that this is the child, and the 
       server will still have the socket open, and it is important that we
***************
*** 4000,4006 ****
    /* Close any extra file descriptors.  Note that there may still be
       descriptors left by system functions.  They will be closed later. */
    endpwent();
-   endhostent();
  
    /* Set dummy encryption key to clear information about the key from
       memory.  This key will never be used. */
--- 4123,4128 ----
***************
*** 4257,4263 ****
  
    /* Set SSH_CLIENT. */
    snprintf(buf, sizeof(buf),
!            "%.50s %d %d", remote_ip, remote_port, options.port);
    child_set_env(&env, &envsize, "SSH_CLIENT", buf);
  
    /* Set SSH_TTY if we have a pty. */
--- 4379,4385 ----
  
    /* Set SSH_CLIENT. */
    snprintf(buf, sizeof(buf),
!            "%.50s %d %d", remote_ip, remote_port, local_port);
    child_set_env(&env, &envsize, "SSH_CLIENT", buf);
  
    /* Set SSH_TTY if we have a pty. */
***************
*** 4426,4432 ****
                  int i;
                  char name[255], *p;
                  char line[256];
!                 struct hostent *hp;
                  
                  strncpy(name, display, sizeof(name));
                  name[sizeof(name) - 1] = '\0';
--- 4548,4555 ----
                  int i;
                  char name[255], *p;
                  char line[256];
! 		struct addrinfo hints, *ai, *aitop;
! 		char ntop[ADDRSTRLEN];
                  
                  strncpy(name, display, sizeof(name));
                  name[sizeof(name) - 1] = '\0';
***************
*** 4443,4449 ****
                  /* Moved this call here to avoid a nasty buf in SunOS
                     4.1.4 libc where gethostbyname closes an unrelated
                     file descriptor. */
!                 hp = gethostbyname(name);
  
                  snprintf(line, sizeof(line),
                           "%.200s -q -", options.xauth_path);
--- 4566,4575 ----
                  /* Moved this call here to avoid a nasty buf in SunOS
                     4.1.4 libc where gethostbyname closes an unrelated
                     file descriptor. */
! 		memset(&hints, 0, sizeof(hints));
! 		hints.ai_family = IPv4or6;
! 		if (getaddrinfo(name, NULL, &hints, &aitop) != 0)
! 		  aitop = 0;
  
                  snprintf(line, sizeof(line),
                           "%.200s -q -", options.xauth_path);
***************
*** 4461,4481 ****
                                  cp - display, display, cp, auth_proto,
                                  auth_data);
  #endif
!                         if (hp)
                            {
!                             for(i = 0; hp->h_addr_list[i]; i++)
                                {
                                  if (debug_flag)
                                    {
                                      fprintf(stderr, "Running %s add %s%s %s %s\n",
                                              options.xauth_path,
!                                             inet_ntoa(*((struct in_addr *)
!                                                         hp->h_addr_list[i])),
                                              cp, auth_proto, auth_data);
                                    }
                                  fprintf(f, "add %s%s %s %s\n",
!                                         inet_ntoa(*((struct in_addr *)
!                                                     hp->h_addr_list[i])),
                                          cp, auth_proto, auth_data);
                                }
                            }
--- 4587,4610 ----
                                  cp - display, display, cp, auth_proto,
                                  auth_data);
  #endif
!                         if (aitop)
                            {
! 			    for (ai = aitop; ai; ai = ai->ai_next)
                                {
+ 				getnameinfo(ai->ai_addr, ai->ai_addrlen,
+ 					    ntop, sizeof(ntop), NULL, 0,
+ 					    NI_NUMERICHOST);
+ 				if (strchr(ntop, ':'))
+ 				  continue; /* XXX - xauth doesn't accept it */
                                  if (debug_flag)
                                    {
                                      fprintf(stderr, "Running %s add %s%s %s %s\n",
                                              options.xauth_path,
! 					    ntop,
                                              cp, auth_proto, auth_data);
                                    }
                                  fprintf(f, "add %s%s %s %s\n",
! 					ntop,
                                          cp, auth_proto, auth_data);
                                }
                            }
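Review bot: `aitop` is walked here but no `freeaddrinfo(aitop)` appears in the visible hunks. The `hints` filled in the previous hunk also leave `ai_socktype` at 0, for which `getaddrinfo()` may return one entry per socket type, so the same `add` line can be written to xauth several times. Setting `hints.ai_socktype = SOCK_STREAM;` before the lookup and calling `freeaddrinfo(aitop);` after the loop would cover both; the enclosing block continues past the hunk, so the free may already exist outside it. The retained comment about the SunOS 4.1.4 `gethostbyname` bug in the previous hunk no longer describes the call it sits above and should be reworded for `getaddrinfo`.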
***************
*** 4525,4531 ****
--- 4654,4664 ----
                    struct stat mailbuf;
                    
                    if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
+ #ifdef __FreeBSD__
+                     ;
+ #else
                      printf("No mail.\n");
+ #endif
                    else if (mailbuf.st_atime > mailbuf.st_mtime)
                      printf("You have mail.\n");
                    else
@


1.22
log
@PR:	ports/12037
Submitted by:	Issei Suzuki <issei@@jp.FreeBSD.ORG>
Upgrade to 1.2.27.
# I'm not maintainer but it seems that torstenb is too busy to
# look the PR and many people want new version ssh port.
@
text
@d1 419
a419 2
*** sshd.c.orig	Wed May 12 20:19:29 1999
--- sshd.c	Sun Jun  6 02:37:18 1999
d429 1
a429 1
--- 2222,2228 ----
d438 130
a567 1
*** 3285,3294 ****
d578 6
a583 1
--- 3285,3295 ----
d596 17
d614 1
a614 1
--- 3447,3460 ----
d638 1
a638 1
--- 3478,3484 ----
d647 10
d665 1
a665 1
--- 3931,3937 ----
d674 123
d798 1
a798 1
--- 4534,4544 ----
@


1.21
log
@1.2.22 -> 1.2.25

Somebody needs to go through patch-af to check it, since I'm not sure
about some of the stuff.

This version fixes a security flaw in previous version.
@
text
@d1 2
a2 2
*** sshd.c.WAS	Thu Jun 11 23:11:47 1998
--- sshd.c	Thu Jun 11 23:30:30 1998
d4 1
a4 1
*** 2014,2020 ****
d12 1
a12 1
--- 2014,2020 ----
d21 1
a21 1
*** 3045,3054 ****
d30 3
a32 3
  #ifdef HAVE_OSF1_C2_SECURITY
    {
--- 3045,3055 ----
d42 2
a43 2
  #ifdef HAVE_OSF1_C2_SECURITY
    {
d45 5
a49 5
*** 3183,3188 ****
--- 3184,3197 ----
  		   "The Regents of the University of California. ",
  		   "All rights reserved.");
  	}
d62 4
a65 4
*** 3206,3212 ****
  		fputs(line, stdout);
  	      fclose(f);
  	    }
d67 7
a73 7
  	  if (pw->pw_change || pw->pw_expire)
  	    (void)gettimeofday(&tp, (struct timezone *)NULL);
  	  if (pw->pw_change)
--- 3215,3221 ----
  		fputs(line, stdout);
  	      fclose(f);
  	    }
d75 8
a82 8
  	  if (pw->pw_change || pw->pw_expire)
  	    (void)gettimeofday(&tp, (struct timezone *)NULL);
  	  if (pw->pw_change)
***************
*** 3575,3581 ****
  	  while (fgets(buf, sizeof(buf), f))
  	    fputs(buf, stderr);
  	  fclose(f);
d84 7
a90 7
  	  if (pw->pw_uid != UID_ROOT &&
  	      !login_getcapbool(lc, "ignorenologin", 0))
  	    exit(254);
--- 3584,3590 ----
  	  while (fgets(buf, sizeof(buf), f))
  	    fputs(buf, stderr);
  	  fclose(f);
d92 9
a100 9
  	  if (pw->pw_uid != UID_ROOT &&
  	      !login_getcapbool(lc, "ignorenologin", 0))
  	    exit(254);
***************
*** 4121,4127 ****
--- 4130,4140 ----
  		  struct stat mailbuf;
  		  
  		  if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
d102 1
a102 1
+ 		    ;
d104 1
a104 1
  		    printf("No mail.\n");
d106 3
a108 3
  		  else if (mailbuf.st_atime > mailbuf.st_mtime)
  		    printf("You have mail.\n");
  		  else
@


1.20
log
@Don't print "No mail" for FreeBSD , just print nothing
@
text
@d1 108
a108 394
--- sshd.c.orig	Tue Jan 20 15:24:10 1998
+++ sshd.c	Thu Jan 22 16:29:19 1998
@@@@ -428,6 +428,10 @@@@
 #include "firewall.h"	/* TIS authsrv authentication */
 #endif
 
+#ifdef HAVE_LOGIN_CAP_H
+#include <login_cap.h>
+#endif
+
 #ifdef _PATH_BSHELL
 #define DEFAULT_SHELL		_PATH_BSHELL
 #else
@@@@ -1594,6 +1598,38 @@@@
     endspent();
   }
 #endif /* HAVE_ETC_SHADOW */
+#ifdef __FreeBSD__
+  {
+    time_t currtime;
+
+    if (pwd->pw_change || pwd->pw_expire)
+ 	currtime = time(NULL);
+
+    /*
+     * Check for an expired password
+     */
+    if (pwd->pw_change && pwd->pw_change <= currtime)
+      {
+	debug("Account %.100s's password is too old - forced to change.",
+	      user);
+	if (options.forced_passwd_change)
+	  forced_command = "/usr/bin/passwd";
+	else
+	  {
+	    return 0;
+	  }
+      }
+    
+    /*
+     * Check for expired account
+     */
+    if (pwd->pw_expire && pwd->pw_expire <= currtime)
+      {
+	debug("Account %.100s has expired - access denied.", user);
+	return 0;
+      }
+  }
+#else   /* !FreeBSD */
   /*
    * Check if account is locked. Check if encrypted password starts
    * with "*LK*".
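Review bot: Both denial paths in the new FreeBSD block report only through `debug()`: the "password is too old" case when forced change is disabled, and the "has expired - access denied" case. Outside debug mode, a refused login for an expired account therefore likely leaves no log entry. Using `log_msg()` on the two `return 0` paths, for example `log_msg("Account %.100s has expired - access denied.", user);`, would leave an audit trail for these refusals. The enclosing function starts and ends outside the hunk, so how the neighbouring checks log is not visible here.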
@@@@ -1605,6 +1641,7 @@@@
 	return 0;
       }
   }
+#endif /* !FreeBSD */
 #ifdef CHECK_ETC_SHELLS
   {
     int  invalid = 1;
@@@@ -1819,8 +1856,10 @@@@
   pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
   pwcopy.pw_uid = pw->pw_uid;
   pwcopy.pw_gid = pw->pw_gid;
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined (HAVE_LOGIN_CAP_H) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
   pwcopy.pw_class = xstrdup(pw->pw_class);
+#endif /*  __bsdi__  && _BSDI_VERSION >= 199510 */
+#if defined (__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
   pwcopy.pw_change = pw->pw_change;
   pwcopy.pw_expire = pw->pw_expire;
 #endif /*  __bsdi__  && _BSDI_VERSION >= 199510 */
@@@@ -2793,9 +2832,13 @@@@
   struct sockaddr_in from;
   int fromlen;
   struct pty_cleanup_context cleanup_context;
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510 
+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
   struct timeval tp;
 #endif /*  __bsdi__ && _BSDI_VERSION >= 199510 */
+#ifdef HAVE_LOGIN_CAP_H
+  login_cap_t *lc;
+  time_t warnpassword, warnexpire;
+#endif
 
   /* We no longer need the child running on user's privileges. */
   userfile_uninit();
@@@@ -2867,10 +2910,18 @@@@
       record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, 
 		   &from);
 
+#ifdef HAVE_LOGIN_CAP_H
+      lc = login_getclass(pw->pw_class);
+      quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
+      if (!quiet_login) {
+#endif
       /* Check if .hushlogin exists.  Note that we cannot use userfile
          here because we are in the child. */
       sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
       quiet_login = stat(line, &st) >= 0;
+#ifdef HAVE_LOGIN_CAP_H
+      }
+#endif
       
       /* If the user has logged in before, display the time of last login. 
          However, don't display anything extra if a command has been 
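Review bot: The added `login_getcapbool(lc, "hushlogin", quiet_login)` passes `quiet_login` as the default before the only visible assignment to it, which is the `stat()` line below. Unless it is initialised earlier in the function, outside this hunk, an indeterminate value decides whether the banner, motd and expiry warnings are shown. A fixed default avoids that: `quiet_login = login_getcapbool(lc, "hushlogin", 0);`. The `if (!quiet_login) {` opened in one `#ifdef` and closed in another also leaves the body unindented, so a short comment on the closing brace would help the next reader.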
@@@@ -2890,6 +2941,38 @@@@
 	  else
 	    printf("Last login: %s from %s\r\n", time_string, buf);
 	}
+#ifdef __FreeBSD__
+      if (command == NULL && !quiet_login)
+	{
+#ifdef HAVE_LOGIN_CAP_H
+	  char *cw;
+	  FILE *f;
+
+	  cw = login_getcapstr(lc, "copyright", NULL, NULL);
+	  if (cw != NULL && (f = fopen(cw, "r")) != NULL)
+	    {
+	      while (fgets(line, sizeof(line), f))
+		fputs(line, stdout);
+	      fclose(f);
+	    }
+	  else
+#endif
+	    printf("%s\n\t%s  %s\n\n",
+	    "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+	    "The Regents of the University of California. ",
+	    "All rights reserved.");
+	}
+#endif
+
+#ifdef HAVE_LOGIN_CAP_H
+#define DEFAULT_WARN  (2L * 7L * 86400L)  /* Two weeks */
+
+      warnpassword = login_getcaptime(lc, "warnpassword",
+				   DEFAULT_WARN, DEFAULT_WARN);
+      warnexpire = login_getcaptime(lc, "warnexpire",
+				     DEFAULT_WARN, DEFAULT_WARN);
+      login_close(lc);
+#endif
 
       /* Print /etc/motd unless a command was specified or printing it was
 	 disabled in server options.  Note that some machines appear to
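Review bot: `login_close(lc);` is added here at new line ~2972, but the next hunk (new line ~2986) still calls `login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd")` in the motd block of the same function, so `lc` is used after it has been closed. Either move `login_close(lc);` to after the motd `if` block, or fetch the "welcome" path into a local before closing. `warnpassword` and `warnexpire` are plain values and are unaffected. The `fopen()` of the "copyright" and "welcome" paths takes its file name from the login class database, so it is worth a comment that those entries are trusted administrator configuration.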
@@@@ -2900,14 +2983,18 @@@@
 	  FILE *f;
 
 	  /* Print /etc/motd if it exists. */
-	  f = fopen("/etc/motd", "r");
+#ifdef HAVE_LOGIN_CAP_H
+	  f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
+#else
+  	  f = fopen("/etc/motd", "r");
+#endif
 	  if (f)
 	    {
 	      while (fgets(line, sizeof(line), f))
 		fputs(line, stdout);
 	      fclose(f);
 	    }
-#if defined (__bsdi__) && _BSDI_VERSION >= 199510
+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510)
 	  if (pw->pw_change || pw->pw_expire)
 	    (void)gettimeofday(&tp, (struct timezone *)NULL);
 	  if (pw->pw_change)
@@@@ -2915,7 +3002,11 @@@@
 	      fprintf(stderr,"Sorry -- your password has expired.\n");
 	      exit(254);
 	    } else if (pw->pw_change - tp.tv_sec <
+#ifdef HAVE_LOGIN_CAP_H
+		       warnpassword)
+#else
 		       2 * DAYSPERWEEK * SECSPERDAY)
+#endif
 	      fprintf(stderr,"Warning: your password expires on %s",
 		      ctime(&pw->pw_change));
 	  if (pw->pw_expire)
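Review bot: The `#ifdef HAVE_LOGIN_CAP_H` placed in the middle of the `else if (pw->pw_change - tp.tv_sec < ...)` condition, repeated for `pw_expire` in the next hunk, splits one expression across preprocessor branches and is easy to break when either side is edited. Declaring `warnpassword` and `warnexpire` unconditionally and initialising them to `2 * DAYSPERWEEK * SECSPERDAY` in the non-login_cap build would let each comparison be written once, as `pw->pw_change - tp.tv_sec < warnpassword`. The `#if` block these lines belong to starts in the previous hunk and ends after the next one.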
@@@@ -2923,7 +3014,11 @@@@
 	      fprintf(stderr,"Sorry -- your account has expired.\n");
 	      exit(254);
 	    } else if (pw->pw_expire - tp.tv_sec <
+#ifdef HAVE_LOGIN_CAP_H
+		       warnexpire)
+#else
 		       2 * DAYSPERWEEK * SECSPERDAY)
+#endif
 	      fprintf(stderr,"Warning: your account expires on %s",
 		      ctime(&pw->pw_expire));
 #endif /* __bsdi__ & _BSDI_VERSION >= 199510   */
@@@@ -3182,6 +3277,13 @@@@
 #if defined (__bsdi__) && _BSDI_VERSION >= 199510
   login_cap_t *lc = 0;
 #endif /* __bsdi__  && _BSDI_VERSION >= 199510  */
+#ifdef HAVE_LOGIN_CAP_H
+  login_cap_t *lc;
+  char *real_shell;
+  
+  lc = login_getclass(pw->pw_class);
+  auth_checknologin(lc);
+#else /* !HAVE_LOGIN_CAP_H */
 
   /* Check /etc/nologin. */
   f = fopen("/etc/nologin", "r");
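Review bot: In the login_cap build the root exemption for /etc/nologin is lost: the added `auth_checknologin(lc);` is called for every user, whereas the code it replaces only exits when `pw->pw_uid != UID_ROOT` (visible in the next hunk). Unless `auth_checknologin()` itself exempts root, which nothing here shows, a nologin file would also lock out the administrator who needs to log in to remove it. Guarding the call keeps the old behaviour: `if (pw->pw_uid != UID_ROOT) auth_checknologin(lc);`. The result of `login_getclass()` is also used without a NULL check. The function body continues outside this hunk.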
@@@@ -3199,10 +3301,16 @@@@
       if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0))
 	exit(254);
 #else 
+#ifdef HAVE_LOGIN_CAP_H
+      if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0))
+	exit(254);
+#else
       if (pw->pw_uid != UID_ROOT)
 	exit(254);
+#endif
 #endif /* __bsdi__  && _BSDI_VERSION >= 199510 */ 
     }
+#endif /* HAVE_LOGIN_CAP_H */
 
   if (command != NULL)
     {
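Review bot: The added `#ifdef HAVE_LOGIN_CAP_H` branch with the `ignorenologin` test can never be compiled. It sits inside the region opened by `#else /* !HAVE_LOGIN_CAP_H */` in the previous hunk and closed by the `#endif /* HAVE_LOGIN_CAP_H */` added at the end of this one. As written it suggests the capability is honoured on this path when it is not. I would drop the inner `#ifdef`/`#else`/`#endif` and keep only `if (pw->pw_uid != UID_ROOT) exit(254);` here.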
@@@@ -3216,6 +3324,7 @@@@
 	log_msg("executing remote command as user %.200s", pw->pw_name);
     }
   
+#ifndef HAVE_LOGIN_CAP_H
 #ifdef HAVE_SETLOGIN
   /* Set login name in the kernel.  Warning: setsid() must be called before
      this. */
@@@@ -3236,6 +3345,7 @@@@
   if (setpcred((char *)pw->pw_name, NULL))
     log_msg("setpcred %.100s: %.100s", strerror(errno));
 #endif /* HAVE_USERSEC_H */
+#endif /* !HAVE_LOGIN_CAP_H */
 
   /* Save some data that will be needed so that we can do certain cleanups
      before we switch to user's uid.  (We must clear all sensitive data 
@@@@ -3306,6 +3416,66 @@@@
   if (command != NULL || !options.use_login)
 #endif /* USELOGIN */
     {
+#ifdef HAVE_LOGIN_CAP_H
+      char *p, *s, **tmpenv;
+
+      /* Initialize the new environment.
+       */
+      envsize = 64;
+      env = xmalloc(envsize * sizeof(char *));
+      env[0] = NULL;
+
+      child_set_env(&env, &envsize, "PATH", DEFAULT_PATH);
+
+#ifdef MAIL_SPOOL_DIRECTORY
+      sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
+      child_set_env(&env, &envsize, "MAIL", buf);
+#else /* MAIL_SPOOL_DIRECTORY */
+#ifdef MAIL_SPOOL_FILE
+      sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
+      child_set_env(&env, &envsize, "MAIL", buf);
+#endif /* MAIL_SPOOL_FILE */
+#endif /* MAIL_SPOOL_DIRECTORY */
+
+      /* Let it inherit timezone if we have one. */
+      if (getenv("TZ"))
+	child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+      /* Save previous environment array
+       */
+      tmpenv = environ;
+      environ = env;
+
+      /* Set the user's login environment
+       */
+      if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
+	{
+	  perror("setusercontext");
+	  exit(1);
+	}
+
+      p = getenv("PATH");
+      s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR));
+      *s = '\0';
+      if (p != NULL)
+	{
+	  strcat(s, p);
+	  strcat(s, ":");
+	}
+      strcat(s, SSH_BINDIR);
+
+      env = environ;
+      environ = tmpenv; /* Restore parent environment */
+      for (envsize = 0; env[envsize] != NULL; ++envsize)
+	;
+      /* Reallocate this to what is expected */
+      envsize = (envsize < 100) ? 100 : envsize + 16;
+      env = xrealloc(env, envsize * sizeof(char *));
+
+      child_set_env(&env, &envsize, "PATH", s);
+      xfree(s);
+
+#else /* !HAVE_LOGIN_CAP_H */
       /* Set uid, gid, and groups. */
       if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
 	{ 
@@@@ -3337,6 +3507,7 @@@@
       
       if (getuid() != user_uid || geteuid() != user_uid)
 	fatal("Failed to set uids to %d.", (int)user_uid);
+#endif /* HAVE_LOGIN_CAP_H */
     }
   
   /* Reset signals to their default settings before starting the user
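Review bot: The `#endif /* HAVE_LOGIN_CAP_H */` is added after the `getuid() != user_uid || geteuid() != user_uid` check, so the login_cap build compiles out the verification that the privilege drop actually happened. That build then relies only on the return value of `setusercontext()` in the previous hunk. Moving the `#endif` up to just above `if (getuid() != user_uid || geteuid() != user_uid)` keeps the `fatal("Failed to set uids to %d.", ...)` check in both builds at no cost. The block this belongs to opens in the previous hunk.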
@@@@ -3364,11 +3535,16 @@@@
      and means /bin/sh. */
   shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell;
 
+#ifdef HAVE_LOGIN_CAP_H
+  real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);
+  login_close(lc);
+#else /* !HAVE_LOGIN_CAP_H */
   /* Initialize the environment.  In the first part we allocate space for
      all environment variables. */
   envsize = 100;
   env = xmalloc(envsize * sizeof(char *));
   env[0] = NULL;
+#endif /* HAVE_LOGIN_CAP_H */
 
 #ifdef USELOGIN
   if (command != NULL || !options.use_login)
@@@@ -3378,6 +3554,8 @@@@
       child_set_env(&env, &envsize, "HOME", user_dir);
       child_set_env(&env, &envsize, "USER", user_name);
       child_set_env(&env, &envsize, "LOGNAME", user_name);
+
+#ifndef HAVE_LOGIN_CAP_H
       child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
       
 #ifdef MAIL_SPOOL_DIRECTORY
@@@@ -3389,6 +3567,7 @@@@
       child_set_env(&env, &envsize, "MAIL", buf);
 #endif /* MAIL_SPOOL_FILE */
 #endif /* MAIL_SPOOL_DIRECTORY */
+#endif  /* !HAVE_LOGIN_CAP_H */
       
 #ifdef HAVE_ETC_DEFAULT_LOGIN
       /* Read /etc/default/login; this exists at least on Solaris 2.x.  Note
@@@@ -3404,9 +3583,11 @@@@
     child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
 		  original_command);
   
+#ifndef HAVE_LOGIN_CAP_H
   /* Let it inherit timezone if we have one. */
   if (getenv("TZ"))
     child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+#endif /* !HAVE_LOGIN_CAP_H */
   
   /* Set custom environment options from RSA authentication. */
   while (custom_environment) 
@@@@ -3632,7 +3813,11 @@@@
 		  struct stat mailbuf;
 		  
 		  if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0)
+#ifdef __FreeBSD__
+		    ;
+#else
 		    printf("No mail.\n");
+#endif
 		  else if (mailbuf.st_atime > mailbuf.st_mtime)
 		    printf("You have mail.\n");
 		  else
@@@@ -3647,7 +3832,11 @@@@
 	  /* Execute the shell. */
 	  argv[0] = buf;
 	  argv[1] = NULL;
+#ifdef HAVE_LOGIN_CAP_H
+	  execve(real_shell, argv, env);
+#else
 	  execve(shell, argv, env);
+#endif /* HAVE_LOGIN_CAP_H */
 	  /* Executing the shell failed. */
 	  perror(shell);
 	  exit(1);
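Review bot: When `execve(real_shell, argv, env)` fails, the following `perror(shell);` reports the passwd shell rather than the path that was actually executed. That makes a bad "shell" capability in the login class hard to diagnose, and the next hunk has the same pattern. Assigning the capability result once where it is fetched, e.g. `shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);`, would remove the `#ifdef` at both exec sites and keep the error message accurate. That assumes `shell` can be reassigned there, which the visible lines suggest but do not fully show.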
@@@@ -3668,7 +3857,11 @@@@
   argv[1] = "-c";
   argv[2] = (char *)command;
   argv[3] = NULL;
+#ifdef HAVE_LOGIN_CAP_H
+  execve(real_shell, argv, env);
+#else
   execve(shell, argv, env);
+#endif /* HAVE_LOGIN_CAP_H */
   perror(shell);
   exit(1);
 }
@


1.19
log
@Fix .hushlogin support
Remove FreeBSD mail check, now done elsewhere in the code
Use bsdi code to warn about expired/changed passwords
Move misplaced login_close up
@
text
@d2 1
a2 1
+++ sshd.c	Thu Jan 22 14:55:40 1998
d359 13
a371 1
@@@@ -3647,7 +3828,11 @@@@
d383 1
a383 1
@@@@ -3668,7 +3853,11 @@@@
@


1.18
log
@Upgrade to ssh 1.2.22.  Please send problems with the upgrade to me.
1.2.22 fixes a security hole with ssh-agent, so users are encouraged
to upgrade.

OK'd by: Torsten Blum (torstenb@@freebsd.org)
@
text
@d1 2
a2 2
--- sshd.c~	Tue Jan 20 05:24:10 1998
+++ sshd.c	Tue Jan 20 14:50:40 1998
d14 1
a14 2
@@@@ -1593,7 +1597,39 @@@@
       }
d17 1
a17 2
-#endif /* HAVE_ETC_SHADOW */
+#endif /* HAVE_ETC_SHADOW */
d61 1
a61 3
@@@@ -1817,6 +1854,9 @@@@
   memset(&pwcopy, 0, sizeof(pwcopy));
   pwcopy.pw_name = xstrdup(pw->pw_name);
a62 3
+#ifdef HAVE_LOGIN_CAP_H
+  pwcopy.pw_class = xstrdup(pw->pw_class);
+#endif
d65 14
a78 3
 #if defined (__bsdi__) && _BSDI_VERSION >= 199510
@@@@ -2796,6 +2836,9 @@@@
 #if defined (__bsdi__) && _BSDI_VERSION >= 199510 
d83 1
d88 1
a88 1
@@@@ -2867,11 +2910,19 @@@@
d94 2
a96 1
+
a100 1
       
d102 1
a102 1
+      quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
d104 1
a104 1
+
d107 1
a107 2
 	 specified (so that ssh can be used to execute commands on a remote
@@@@ -2890,6 +2941,28 @@@@
d133 10
d146 1
a146 1
@@@@ -2900,13 +2973,40 @@@@
d162 13
a174 12
+#ifdef __FreeBSD__
+      if (command == NULL && !quiet_login)
+	{
+#ifdef broken_HAVE_LOGIN_CAP_H
+	  char *mp = getenv("MAIL");
+
+	  if (mp != NULL)
+	    {
+		strncpy(line, mp, sizeof line);
+		line[sizeof line - 1] = '\0';
+	    }
+	  else
d176 7
a182 7
+	  sprintf(line, "%s/%.200s", _PATH_MAILDIR, pw->pw_name);
+	  if (stat(line, &st) == 0 && st.st_size != 0)
+	    printf("You have %smail.\n",
+		   (st.st_mtime > st.st_atime) ? "new " : "");
+	}
+#endif
+
d184 3
a186 1
+      login_close(lc);
d188 4
a191 4
 #if defined (__bsdi__) && _BSDI_VERSION >= 199510
 	  if (pw->pw_change || pw->pw_expire)
 	    (void)gettimeofday(&tp, (struct timezone *)NULL);
@@@@ -3182,6 +3282,13 @@@@
d205 2
a206 1
@@@@ -3203,6 +3310,7 @@@@
d208 8
@


1.17
log
@Handle expired and changed password timeouts now
@
text
@d1 24
a24 26
*** sshd.c.orig	Wed Apr 23 04:40:08 1997
--- sshd.c	Wed Jun 11 14:56:57 1997
***************
*** 400,405 ****
--- 400,409 ----
  #include "firewall.h"	/* TIS authsrv authentication */
  #endif
  
+ #ifdef HAVE_LOGIN_CAP_H
+ #include <login_cap.h>
+ #endif
+ 
  #ifdef _PATH_BSHELL
  #define DEFAULT_SHELL		_PATH_BSHELL
  #else
***************
*** 1542,1547 ****
--- 1546,1583 ----
      endspent();
    }
  #endif /* HAVE_ETC_SHADOW */
+ #ifdef __FreeBSD__
+   {
+     time_t currtime;
+ 
+     if (pwd->pw_change || pwd->pw_expire)
d26 331
a356 396
+ 
+     /*
+      * Check for an expired password
+      */
+     if (pwd->pw_change && pwd->pw_change <= currtime)
+       {
+ 	debug("Account %.100s's password is too old - forced to change.",
+ 	      user);
+ 	if (options.forced_passwd_change)
+ 	  forced_command = "/usr/bin/passwd";
+ 	else
+ 	  {
+ 	    return 0;
+ 	  }
+       }
+     
+     /*
+      * Check for expired account
+      */
+     if (pwd->pw_expire && pwd->pw_expire <= currtime)
+       {
+ 	debug("Account %.100s has expired - access denied.", user);
+ 	return 0;
+       }
+   }
+ #else   /* !FreeBSD */
    /*
     * Check if account is locked. Check if encrypted password starts
     * with "*LK*".
***************
*** 1553,1558 ****
--- 1589,1595 ----
  	return 0;
        }
    }
+ #endif  /* !FreeBSD */
  #ifdef CHECK_ETC_SHELLS
    {
      int  invalid = 1;
***************
*** 1698,1703 ****
--- 1735,1743 ----
    memset(&pwcopy, 0, sizeof(pwcopy));
    pwcopy.pw_name = xstrdup(pw->pw_name);
    pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
+ #ifdef HAVE_LOGIN_CAP_H
+   pwcopy.pw_class = xstrdup(pw->pw_class);
+ #endif
    pwcopy.pw_uid = pw->pw_uid;
    pwcopy.pw_gid = pw->pw_gid;
    pwcopy.pw_dir = xstrdup(pw->pw_dir);
***************
*** 2654,2659 ****
--- 2694,2702 ----
    struct sockaddr_in from;
    int fromlen;
    struct pty_cleanup_context cleanup_context;
+ #ifdef HAVE_LOGIN_CAP_H
+   login_cap_t *lc;
+ #endif
  
    /* We no longer need the child running on user's privileges. */
    userfile_uninit();
***************
*** 2725,2735 ****
        record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, 
  		   &from);
  
        /* Check if .hushlogin exists.  Note that we cannot use userfile
           here because we are in the child. */
        sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
        quiet_login = stat(line, &st) >= 0;
!       
        /* If the user has logged in before, display the time of last login. 
           However, don't display anything extra if a command has been 
  	 specified (so that ssh can be used to execute commands on a remote
--- 2768,2786 ----
        record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, 
  		   &from);
  
+ #ifdef HAVE_LOGIN_CAP_H
+       lc = login_getclass(pw->pw_class);
+ #endif
+ 
        /* Check if .hushlogin exists.  Note that we cannot use userfile
           here because we are in the child. */
        sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
        quiet_login = stat(line, &st) >= 0;
! 
! #ifdef HAVE_LOGIN_CAP_H
!       quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
! #endif
! 
        /* If the user has logged in before, display the time of last login. 
           However, don't display anything extra if a command has been 
  	 specified (so that ssh can be used to execute commands on a remote
***************
*** 2749,2754 ****
--- 2800,2828 ----
  	    printf("Last login: %s from %s\r\n", time_string, buf);
  	}
  
+ #ifdef __FreeBSD__
+       if (command == NULL && !quiet_login)
+ 	{
+ #ifdef HAVE_LOGIN_CAP_H
+ 	  char *cw;
+ 	  FILE *f;
+ 
+ 	  cw = login_getcapstr(lc, "copyright", NULL, NULL);
+ 	  if (cw != NULL && (f = fopen(cw, "r")) != NULL)
+ 	    {
+ 	      while (fgets(line, sizeof(line), f))
+ 		fputs(line, stdout);
+ 	      fclose(f);
+ 	    }
+ 	  else
+ #endif
+ 	    printf("%s\n\t%s  %s\n\n",
+ 	    "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ 	    "The Regents of the University of California. ",
+ 	    "All rights reserved.");
+ 	}
+ #endif
+       
        /* Print /etc/motd unless a command was specified or printing it was
  	 disabled in server options.  Note that some machines appear to
  	 print it in /etc/profile or similar. */
***************
*** 2758,2764 ****
--- 2832,2842 ----
  	  FILE *f;
  
  	  /* Print /etc/motd if it exists. */
+ #ifdef HAVE_LOGIN_CAP_H
+ 	  f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
+ #else
  	  f = fopen("/etc/motd", "r");
+ #endif
  	  if (f)
  	    {
  	      while (fgets(line, sizeof(line), f))
***************
*** 2766,2771 ****
--- 2844,2872 ----
  	      fclose(f);
  	    }
  	}
+ #ifdef __FreeBSD__
+       if (command == NULL && !quiet_login)
+ 	{
+ #ifdef broken_HAVE_LOGIN_CAP_H
+ 	  char *mp = getenv("MAIL");
+ 
+ 	  if (mp != NULL)
+ 	    {
+ 		strncpy(line, mp, sizeof line);
+ 		line[sizeof line - 1] = '\0';
+ 	    }
+ 	  else
+ #endif
+ 	  sprintf(line, "%s/%.200s", _PATH_MAILDIR, pw->pw_name);
+ 	  if (stat(line, &st) == 0 && st.st_size != 0)
+ 	    printf("You have %smail.\n",
+ 		   (st.st_mtime > st.st_atime) ? "new " : "");
+ 	}
+ #endif
+ 
+ #ifdef HAVE_LOGIN_CAP_H
+       login_close(lc);
+ #endif
  
        /* Do common processing for the child, such as execing the command. */
        do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
***************
*** 3017,3023 ****
    char *user_shell;
    char *remote_ip;
    int remote_port;
!   
    /* Check /etc/nologin. */
    f = fopen("/etc/nologin", "r");
    if (f)
--- 3118,3130 ----
    char *user_shell;
    char *remote_ip;
    int remote_port;
! #ifdef HAVE_LOGIN_CAP_H
!   login_cap_t *lc;
!   char *real_shell;
!   
!   lc = login_getclass(pw->pw_class);
!   auth_checknologin(lc);
! #else /* !HAVE_LOGIN_CAP_H */
    /* Check /etc/nologin. */
    f = fopen("/etc/nologin", "r");
    if (f)
***************
*** 3031,3036 ****
--- 3138,3144 ----
        if (pw->pw_uid != UID_ROOT)
  	exit(254);
      }
+ #endif /* HAVE_LOGIN_CAP_H */
  
    if (command != NULL)
      {
***************
*** 3043,3049 ****
        else
  	log_msg("executing remote command as user %.200s", pw->pw_name);
      }
!   
  #ifdef HAVE_SETLOGIN
    /* Set login name in the kernel.  Warning: setsid() must be called before
       this. */
--- 3151,3158 ----
        else
  	log_msg("executing remote command as user %.200s", pw->pw_name);
      }
! 
! #ifndef HAVE_LOGIN_CAP_H
  #ifdef HAVE_SETLOGIN
    /* Set login name in the kernel.  Warning: setsid() must be called before
       this. */
***************
*** 3064,3069 ****
--- 3173,3179 ----
    if (setpcred((char *)pw->pw_name, NULL))
      log_msg("setpcred %.100s: %.100s", strerror(errno));
  #endif /* HAVE_USERSEC_H */
+ #endif /* !HAVE_LOGIN_CAP_H */
  
    /* Save some data that will be needed so that we can do certain cleanups
       before we switch to user's uid.  (We must clear all sensitive data 
***************
*** 3134,3139 ****
--- 3244,3309 ----
    if (command != NULL || !options.use_login)
  #endif /* USELOGIN */
      {
+ #ifdef HAVE_LOGIN_CAP_H
+       char *p, *s, **tmpenv;
+ 
+       /* Initialize the new environment.
+        */
+       envsize = 64;
+       env = xmalloc(envsize * sizeof(char *));
+       env[0] = NULL;
+ 
+       child_set_env(&env, &envsize, "PATH", DEFAULT_PATH);
+ 
+ #ifdef MAIL_SPOOL_DIRECTORY
+       sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
+       child_set_env(&env, &envsize, "MAIL", buf);
+ #else /* MAIL_SPOOL_DIRECTORY */
+ #ifdef MAIL_SPOOL_FILE
+       sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
+       child_set_env(&env, &envsize, "MAIL", buf);
+ #endif /* MAIL_SPOOL_FILE */
+ #endif /* MAIL_SPOOL_DIRECTORY */
+ 
+       /* Let it inherit timezone if we have one. */
+       if (getenv("TZ"))
+ 	child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ 
+       /* Save previous environment array
+        */
+       tmpenv = environ;
+       environ = env;
+ 
+       /* Set the user's login environment
+        */
+       if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
+ 	{
+ 	  perror("setusercontext");
+ 	  exit(1);
+ 	}
+ 
+       p = getenv("PATH");
+       s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR));
+       *s = '\0';
+       if (p != NULL)
+ 	{
+ 	  strcat(s, p);
+ 	  strcat(s, ":");
+ 	}
+       strcat(s, SSH_BINDIR);
+ 
+       env = environ;
+       environ = tmpenv; /* Restore parent environment */
+       for (envsize = 0; env[envsize] != NULL; ++envsize)
+ 	;
+       /* Reallocate this to what is expected */
+       envsize = (envsize < 100) ? 100 : envsize + 16;
+       env = xrealloc(env, envsize * sizeof(char *));
+ 
+       child_set_env(&env, &envsize, "PATH", s);
+       xfree(s);
+ 
+ #else /* !HAVE_LOGIN_CAP_H */
        /* Set uid, gid, and groups. */
        if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
  	{ 
***************
*** 3165,3170 ****
--- 3335,3341 ----
        
        if (getuid() != user_uid || geteuid() != user_uid)
  	fatal("Failed to set uids to %d.", (int)user_uid);
+ #endif /* HAVE_LOGIN_CAP_H */
      }
    
    /* Reset signals to their default settings before starting the user
***************
*** 3175,3185 ****
--- 3346,3361 ----
       and means /bin/sh. */
    shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell;
  
+ #ifdef HAVE_LOGIN_CAP_H
+   real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);
+   login_close(lc);
+ #else /* !HAVE_LOGIN_CAP_H */
    /* Initialize the environment.  In the first part we allocate space for
       all environment variables. */
    envsize = 100;
    env = xmalloc(envsize * sizeof(char *));
    env[0] = NULL;
+ #endif /* HAVE_LOGIN_CAP_H */
  
  #ifdef USELOGIN
    if (command != NULL || !options.use_login)
***************
*** 3189,3194 ****
--- 3365,3372 ----
        child_set_env(&env, &envsize, "HOME", user_dir);
        child_set_env(&env, &envsize, "USER", user_name);
        child_set_env(&env, &envsize, "LOGNAME", user_name);
+ 
+ #ifndef HAVE_LOGIN_CAP_H
        child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
        
  #ifdef MAIL_SPOOL_DIRECTORY
***************
*** 3200,3205 ****
--- 3378,3384 ----
        child_set_env(&env, &envsize, "MAIL", buf);
  #endif /* MAIL_SPOOL_FILE */
  #endif /* MAIL_SPOOL_DIRECTORY */
+ #endif  /* !HAVE_LOGIN_CAP_H */
        
  #ifdef HAVE_ETC_DEFAULT_LOGIN
        /* Read /etc/default/login; this exists at least on Solaris 2.x.  Note
***************
*** 3215,3223 ****
--- 3394,3404 ----
      child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
  		  original_command);
    
+ #ifndef HAVE_LOGIN_CAP_H
    /* Let it inherit timezone if we have one. */
    if (getenv("TZ"))
      child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ #endif /* !HAVE_LOGIN_CAP_H */
    
    /* Set custom environment options from RSA authentication. */
    while (custom_environment) 
***************
*** 3437,3443 ****
--- 3618,3628 ----
  	  /* Execute the shell. */
  	  argv[0] = buf;
  	  argv[1] = NULL;
+ #ifdef HAVE_LOGIN_CAP_H
+ 	  execve(real_shell, argv, env);
+ #else
  	  execve(shell, argv, env);
+ #endif /* HAVE_LOGIN_CAP_H */
  	  /* Executing the shell failed. */
  	  perror(shell);
  	  exit(1);
***************
*** 3458,3464 ****
--- 3643,3653 ----
    argv[1] = "-c";
    argv[2] = (char *)command;
    argv[3] = NULL;
+ #ifdef HAVE_LOGIN_CAP_H
+   execve(real_shell, argv, env);
+ #else
    execve(shell, argv, env);
+ #endif /* HAVE_LOGIN_CAP_H */
    perror(shell);
    exit(1);
  }
@


1.16
log
@login_getclass() -> login_getpwclass().
@
text
@d2 1
a2 1
--- sshd.c	Sat May  3 00:04:30 1997
d17 51
d69 1
a69 1
--- 1702,1710 ----
d81 1
a81 1
--- 2661,2669 ----
d104 1
a104 1
--- 2735,2753 ----
d126 1
a126 1
--- 2767,2795 ----
d158 1
a158 1
--- 2799,2809 ----
d172 1
a172 1
--- 2811,2839 ----
d211 1
a211 1
--- 3085,3097 ----
d227 1
a227 1
--- 3105,3111 ----
d244 1
a244 1
--- 3118,3125 ----
d255 1
a255 1
--- 3140,3146 ----
d265 1
a265 1
--- 3211,3276 ----
d334 1
a334 1
--- 3302,3308 ----
d344 1
a344 1
--- 3313,3328 ----
d363 1
a363 1
--- 3332,3339 ----
d374 1
a374 1
--- 3345,3351 ----
d384 1
a384 1
--- 3361,3371 ----
d398 1
a398 1
--- 3585,3595 ----
d412 1
a412 1
--- 3610,3620 ----
@


1.15
log
@Fix 3 errors with login.conf
1) pw->pw_class was always zero since not copied
2) login_getuserclass() used instead of login_getclass(), so
default class always returned
3) env pointer can be redefined at the moment of setusercontext() call
@
text
@d58 1
a58 1
+       lc = login_getclass(pw);
d168 1
a168 1
!   lc = login_getclass(pw);
@


1.14
log
@Update from ssh-1.2.19 to ssh-1.2.20.  All patches applied still, I just
regenerated them to fix the line numbers.  Also, I added two commented out
options in Makefile, one to tell sshd that a group writeable homedir
is OK because all users are in their own group, and the other is to allow
an unencrypted connection (which is dangerous since it can lead to
compromise of keys), but on a secure network it's damn useful for backups
etc.
@
text
@d1 2
a2 2
*** sshd.c.orig	Wed Apr 23 08:40:08 1997
--- sshd.c	Fri Apr 25 12:40:20 1997
d17 12
d30 1
a30 1
--- 2658,2666 ----
d53 1
a53 1
--- 2732,2750 ----
d75 1
a75 1
--- 2764,2792 ----
d107 1
a107 1
--- 2796,2806 ----
d121 1
a121 1
--- 2808,2836 ----
d160 1
a160 1
--- 3082,3094 ----
d168 1
a168 1
!   lc = login_getuserclass(pw);
d176 1
a176 1
--- 3102,3108 ----
d193 1
a193 1
--- 3115,3122 ----
d204 1
a204 1
--- 3137,3143 ----
d214 1
a214 1
--- 3208,3271 ----
a220 3
+       /* Save previous environment array
+        */
+       tmpenv = environ;
d224 1
a224 1
+       environ = env = xmalloc(envsize * sizeof(char *));
d243 5
d283 1
a283 1
--- 3297,3303 ----
d293 1
a293 1
--- 3308,3323 ----
d312 1
a312 1
--- 3327,3334 ----
d323 1
a323 1
--- 3340,3346 ----
d333 1
a333 1
--- 3356,3366 ----
d347 1
a347 1
--- 3580,3590 ----
d361 1
a361 1
--- 3605,3615 ----
@


1.13
log
@Disable extended LOGIN_CAP $MAIL processing until it will be fixed
properly. In old variant /var/mail/root was always checked instead of
/var/mail/<user>
@
text
@d1 2
a2 2
*** sshd.c.orig	Sun Apr  6 03:57:00 1997
--- sshd.c	Wed Apr 16 23:27:28 1997
d4 2
a5 2
*** 379,384 ****
--- 379,388 ----
d17 2
a18 2
*** 2617,2622 ****
--- 2621,2629 ----
d29 1
a29 1
*** 2688,2698 ****
d41 1
a41 1
--- 2695,2713 ----
d62 2
a63 2
*** 2712,2717 ****
--- 2727,2755 ----
d94 2
a95 2
*** 2721,2727 ****
--- 2759,2769 ----
d108 2
a109 2
*** 2729,2734 ****
--- 2771,2799 ----
d140 1
a140 1
*** 2986,2992 ****
d148 1
a148 1
--- 3051,3063 ----
d163 2
a164 2
*** 3000,3005 ****
--- 3071,3077 ----
d173 1
a173 1
*** 3012,3018 ****
d181 1
a181 1
--- 3084,3091 ----
d191 2
a192 2
*** 3033,3038 ****
--- 3106,3112 ----
d201 2
a202 2
*** 3103,3108 ****
--- 3177,3240 ----
d268 2
a269 2
*** 3134,3139 ****
--- 3266,3272 ----
d278 2
a279 2
*** 3144,3154 ****
--- 3277,3292 ----
d297 2
a298 2
*** 3158,3163 ****
--- 3296,3303 ----
d308 2
a309 2
*** 3169,3174 ****
--- 3309,3315 ----
d318 2
a319 2
*** 3184,3192 ****
--- 3325,3335 ----
d332 2
a333 2
*** 3406,3412 ****
--- 3549,3559 ----
d346 2
a347 2
*** 3427,3433 ****
--- 3574,3584 ----
@


1.12
log
@Upgrade to 1.2.19
@
text
@d116 1
a116 1
+ #ifdef HAVE_LOGIN_CAP_H
@


1.11
log
@Upgrade to 1.2.18
@
text
@d1 2
a2 2
*** sshd.c.orig	Thu Mar 27 09:04:08 1997
--- sshd.c	Sat Mar 29 02:11:03 1997
d4 2
a5 2
*** 370,375 ****
--- 370,379 ----
d17 47
a63 2
*** 2697,2702 ****
--- 2701,2716 ----
d70 14
a83 1
+ 	  printf("%s\n\t%s  %s\n\n",
d85 2
a86 2
+ 		    "The Regents of the University of California. ",
+ 		    "All rights reserved.");
d94 16
a109 2
*** 2714,2719 ****
--- 2728,2742 ----
d116 10
d132 4
d140 1
a140 1
*** 2969,2975 ****
d148 1
a148 1
--- 2992,3004 ----
d163 2
a164 2
*** 2983,2988 ****
--- 3012,3018 ----
d173 1
a173 1
*** 2995,3001 ****
d181 1
a181 1
--- 3025,3032 ----
d191 2
a192 2
*** 3016,3021 ****
--- 3047,3053 ----
d201 2
a202 2
*** 3086,3091 ****
--- 3118,3181 ----
d268 2
a269 2
*** 3117,3122 ****
--- 3207,3213 ----
d278 2
a279 2
*** 3127,3137 ****
--- 3218,3233 ----
d297 2
a298 2
*** 3141,3146 ****
--- 3237,3244 ----
d308 2
a309 2
*** 3152,3157 ****
--- 3250,3256 ----
d318 2
a319 2
*** 3167,3175 ****
--- 3266,3276 ----
d332 2
a333 2
*** 3389,3395 ****
--- 3490,3500 ----
d346 2
a347 2
*** 3410,3416 ****
--- 3515,3525 ----
@


1.10
log
@Add LOGIN_CAP abilities
Submitted by: davidn
@
text
@d1 2
a2 2
*** sshd.c.orig	Wed Oct 30 15:27:55 1996
--- sshd.c	Fri Jan 31 00:36:15 1997
d4 3
a6 3
*** 298,303 ****
--- 298,307 ----
  extern char *setlimits();
d17 2
a18 2
*** 2108,2113 ****
--- 2112,2127 ----
d36 2
a37 2
*** 2124,2129 ****
--- 2138,2152 ----
d54 1
a54 1
*** 2376,2382 ****
d62 1
a62 1
--- 2399,2412 ----
a67 1
!   char **tmpenv;
d77 3
a79 3
*** 2390,2395 ****
--- 2420,2426 ----
        if (pw->pw_uid != 0)
d87 1
a87 1
*** 2402,2408 ****
d95 1
a95 1
--- 2433,2440 ----
d105 2
a106 2
*** 2417,2422 ****
--- 2449,2455 ----
d110 1
a110 1
+ #endif /* HAVE_LOGIN_CAP_H */
d115 5
a119 5
*** 2474,2479 ****
--- 2507,2553 ----
        close(i);
      }
  
d121 12
a132 14
+   /* Save previous environment array
+    */
+   tmpenv = environ;
+   /* Initialize the new environment.
+    */
+   envsize = 64;
+   environ = env = xmalloc(envsize * sizeof(char *));
+   env[0] = NULL;
+ 
+   child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
+ 
+   /* Let it inherit timezone if we have one. */
+   if (getenv("TZ"))
+     child_set_env(&env, &envsize, "TZ", getenv("TZ"));
d135 2
a136 2
+   sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
+   child_set_env(&env, &envsize, "MAIL", buf);
d139 2
a140 2
+   sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
+   child_set_env(&env, &envsize, "MAIL", buf);
d144 33
a176 14
+   /* Set the user's login environment
+    */
+   if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
+     {
+       perror("setgid");
+       exit(1);
+     }
+   env = environ;
+   environ = tmpenv; /* Restore parent environment */
+   for (envsize = 0; env[envsize] != NULL; ++envsize)
+     ;
+   /* Reallocate this to what is expected */
+   envsize = (envsize < 100) ? 100 : envsize + 16;
+   env = xrealloc(env, envsize * sizeof(char *));
d178 9
a186 9
    /* At this point, this process should no longer be holding any confidential
       information, as changing uid below will permit the user to attach with
       a debugger on some machines. */
***************
*** 2514,2519 ****
--- 2588,2594 ----
  
    if (getuid() != user_uid || geteuid() != user_uid)
      fatal("Failed to set uids to %d.", (int)user_uid);
d188 2
a189 1
  
a190 1
       process. */
d192 2
a193 2
*** 2523,2538 ****
--- 2598,2621 ----
d199 1
d208 8
a215 4
    /* Set basic environment. */
    child_set_env(&env, &envsize, "USER", user_name);
    child_set_env(&env, &envsize, "LOGNAME", user_name);
    child_set_env(&env, &envsize, "HOME", user_dir);
d217 8
a224 10
+ #ifdef HAVE_LOGIN_CAP_H
+   login_close(lc);
+ #else /* !HAVE_LOGIN_CAP_H */
    child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
  
    /* Let it inherit timezone if we have one. */
***************
*** 2548,2553 ****
--- 2631,2637 ----
    child_set_env(&env, &envsize, "MAIL", buf);
d227 2
a228 2
+ #endif /* HAVE_LOGIN_CAP_H */
  
d230 1
a230 1
    /* Read /etc/default/login; this exists at least on Solaris 2.x.  Note
d232 19
a250 5
*** 2710,2716 ****
--- 2794,2804 ----
        /* Execute the shell. */
        argv[0] = buf;
        argv[1] = NULL;
d252 1
a252 1
+       execve(real_shell, argv, env);
d254 1
a254 1
        execve(shell, argv, env);
d256 3
a258 3
        /* Executing the shell failed. */
        perror(shell);
        exit(1);
d260 2
a261 2
*** 2722,2728 ****
--- 2810,2820 ----
@


1.9
log
@Remove my ptys patch, because this code is unused, openpty is used instead

Mimic login more closely now:
1) Put usual Copyright line
2) You have mail
@
text
@d1 2
a2 2
*** sshd.c.orig	Fri Oct  4 17:00:42 1996
--- sshd.c	Tue Nov 12 04:23:15 1996
d4 15
a18 2
*** 2083,2088 ****
--- 2083,2098 ----
d36 2
a37 2
*** 2099,2104 ****
--- 2109,2123 ----
d53 187
@


1.8
log
@Use BSD naming convention for pty names, it fixes two problems:
1) Too many false open syscalls on pty allocation
2) (more serious) ssh does not use about half of the available ptys
@
text
@d1 2
a2 2
*** pty.c.bak	Fri Oct  4 17:00:42 1996
--- pty.c	Tue Nov 12 03:00:54 1996
d4 24
a27 5
*** 306,314 ****
--- 306,319 ----
  #else			/* not SCO UNIX */
    char buf[64];
    int i;
d29 7
a35 6
+   const char *ptymajors = "pqrsPQRS";
+   const char *ptyminors = "0123456789abcdefghijklmnopqrstuv";
+ #else
    const char *ptymajors = 
      "pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const char *ptyminors = "0123456789abcdef";
a36 2
    int num_minors = strlen(ptyminors);
    int num_ptys = strlen(ptymajors) * num_minors;
d38 2
@


1.7
log
@Use system shared libgmp now
@
text
@d1 2
a2 2
*** Makefile.in.orig	Fri Oct  4 17:00:43 1996
--- Makefile.in	Wed Oct 16 06:40:44 1996
d4 15
a18 2
*** 159,170 ****
  SHELL = /bin/sh
a19 61
  GMPDIR 		= gmp-2.0.2
! GMPLIBS 	= -L$(GMPDIR) -lgmp
! GMPDEP 		= $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
  
  ZLIBDIR		= zlib-1.0.3
! ZLIBDEP		= $(ZLIBDIR)/libz.a
! ZLIBLIBS	= -L$(ZLIBDIR) -lz
  
  RSAREFDIR	= rsaref2
  RSAREFSRCDIR 	= $(RSAREFDIR)/source
--- 159,174 ----
  SHELL = /bin/sh
  
  GMPDIR 		= gmp-2.0.2
! GMPINCDIR	= $(GMPDIR)
! GMPLIBDIR	= $(GMPDIR)
! GMPDEP		= $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
! GMPLIBS		= -L$(GMPLIBDIR) -lgmp
  
  ZLIBDIR		= zlib-1.0.3
! ZLIBINCDIR	= $(ZLIBDIR)
! ZLIBLIBDIR	= $(ZLIBDIR)
! ZLIBDEP		= $(ZLIBINCDIR)/zlib.h $(ZLIBLIBDIR)/libz.a
! ZLIBLIBS	= -L$(ZLIBLIBDIR) -lz
  
  RSAREFDIR	= rsaref2
  RSAREFSRCDIR 	= $(RSAREFDIR)/source
***************
*** 248,254 ****
  	$(CC) -o rfc-pg rfc-pg.c
  
  .c.o:
! 	$(CC) -c -I. -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $(X_CFLAGS) $<
  
  sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
  	-rm -f sshd
--- 252,258 ----
  	$(CC) -o rfc-pg rfc-pg.c
  
  .c.o:
! 	$(CC) -c -I. -I$(GMPINCDIR) -I$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $(X_CFLAGS) $<
  
  sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
  	-rm -f sshd
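Review bot: The new `.c.o` line drops the `$(srcdir)/` prefix from both include paths: `-I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR)` becomes `-I$(GMPINCDIR) -I$(ZLIBINCDIR)`. The first hunk of this patch defaults those variables to `$(GMPDIR)` and `$(ZLIBDIR)`, so a build run outside the source directory would presumably search for gmp.h and zlib.h relative to the build directory. If out-of-tree builds are meant to keep working with the bundled libraries, the defaults could carry the prefix instead, `GMPINCDIR = $(srcdir)/$(GMPDIR)` and `ZLIBINCDIR = $(srcdir)/$(ZLIBDIR)`, leaving the rule as written. The same change appears in the older copies of this patch further down the page (revisions 1.5, 1.4, 1.3 and 1.2).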
***************
*** 297,303 ****
  $(GMPDIR)/libgmp.a:
  	cd $(GMPDIR); $(MAKE)
  
! $(ZLIBDEP):
  	-if test '!' -d $(ZLIBDIR); then \
  	  mkdir $(ZLIBDIR); \
  	  cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
--- 301,307 ----
  $(GMPDIR)/libgmp.a:
  	cd $(GMPDIR); $(MAKE)
  
! $(ZLIBDIR)/libz.a:
  	-if test '!' -d $(ZLIBDIR); then \
  	  mkdir $(ZLIBDIR); \
  	  cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
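Review bot: The rule target is now spelled `$(ZLIBDIR)/libz.a` while `ZLIBDEP` names `$(ZLIBLIBDIR)/libz.a`, and nothing in the hunk records that the difference is deliberate. With the defaults both name the same file. Once `ZLIBLIBDIR` is overridden, this rule no longer applies and make only checks that `zlib.h` and `libz.a` already exist at the given paths, so the build should stop with a missing-target error if that directory holds only a shared library. A comment above the rule would make this explicit: `# Builds the bundled zlib only; if ZLIBLIBDIR points elsewhere, libz.a must already exist there.` The recipe continues past the end of the hunk, and the same hunk recurs under revisions 1.5, 1.4, 1.3 and 1.2.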
@


1.6
log
@Upgrade to official 1.2.16
Fix PLIST
@
text
@@


1.5
log
@Back out andrews change - 1.2.14.1 is not an official ssh release.
@
text
@d1 67
a67 41
--- Makefile.in.orig	Thu Jun  6 19:39:35 1996
+++ Makefile.in	Fri Jun  7 11:58:02 1996
@@@@ -137,12 +137,16 @@@@
 SHELL = /bin/sh
 
 GMPDIR 		= gmp-1.3.2
-GMPLIBS 	= -L$(GMPDIR) -lgmp
-GMPDEP 		= $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
+GMPINCDIR	= $(GMPDIR)
+GMPLIBDIR	= $(GMPDIR)
+GMPDEP 		= $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
+GMPLIBS 	= -L$(GMPLIBDIR) -lgmp
 
 ZLIBDIR		= zlib095
-ZLIBDEP		= $(ZLIBDIR)/libz.a
-ZLIBLIBS	= -L$(ZLIBDIR) -lz
+ZLIBINCDIR	= $(ZLIBDIR)
+ZLIBLIBDIR	= $(ZLIBDIR)
+ZLIBDEP		= $(ZLIBINCDIR)/zlib.h $(ZLIBLIBDIR)/libz.a
+ZLIBLIBS	= -L$(ZLIBLIBDIR) -lz
 
 RSAREFDIR	= rsaref2
 RSAREFSRCDIR 	= $(RSAREFDIR)/source
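Review bot: The new `GMPINCDIR`/`GMPLIBDIR` and `ZLIBINCDIR`/`ZLIBLIBDIR` pairs can be overridden independently, and nothing documents that each header and its library have to come from the same installation. sshd is compiled and linked against these, so a gmp.h or zlib.h from one version paired with a library from another can build cleanly and still misbehave at run time. I would add a comment above the block: `# Override INCDIR and LIBDIR as a pair; header and library must come from the same gmp/zlib installation.` The 1.4, 1.3 and 1.2 copies of this patch further down the page add the same variables.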
@@@@ -223,7 +227,7 @@@@
 	$(CC) -o rfc-pg rfc-pg.c
 
 .c.o:
-	$(CC) -c -I. -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $(X_CFLAGS) $<
+	$(CC) -c -I. -I$(GMPINCDIR) -I$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $(X_CFLAGS) $<
 
 sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
 	-rm -f sshd
@@@@ -282,7 +286,7 @@@@
               CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(GMPDIR) \
 	       -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)"
 
-$(ZLIBDEP):
+$(ZLIBDIR)/libz.a:
 	-if test '!' -d $(ZLIBDIR); then \
 	  mkdir $(ZLIBDIR); \
 	  cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
@


1.4
log
@Upgrade to 1.2.14.1
Misc bugfixes
@
text
@d1 41
a41 67
*** Makefile.in.orig	Fri Jul 12 13:13:34 1996
--- Makefile.in	Tue Jul 16 02:45:04 1996
***************
*** 144,155 ****
  SHELL = /bin/sh
  
  GMPDIR 		= gmp-1.3.2
! GMPLIBS 	= -L$(GMPDIR) -lgmp
! GMPDEP 		= $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
  
  ZLIBDIR		= zlib-1.0.3
! ZLIBDEP		= $(ZLIBDIR)/libz.a
! ZLIBLIBS	= -L$(ZLIBDIR) -lz
  
  RSAREFDIR	= rsaref2
  RSAREFSRCDIR 	= $(RSAREFDIR)/source
--- 144,159 ----
  SHELL = /bin/sh
  
  GMPDIR 		= gmp-1.3.2
! GMPINCDIR	= $(GMPDIR)
! GMPLIBDIR	= $(GMPDIR)
! GMPLIBS		= -L$(GMPLIBDIR) -lgmp
! GMPDEP		= $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
  
  ZLIBDIR		= zlib-1.0.3
! ZLIBINCDIR	= $(ZLIBDIR)
! ZLIBLIBDIR	= $(ZLIBDIR)
! ZLIBDEP		= $(ZLIBINCDIR)/zlib.h $(ZLIBLIBDIR)/libz.a
! ZLIBLIBS	= -L$(ZLIBLIBDIR) -lz
  
  RSAREFDIR	= rsaref2
  RSAREFSRCDIR 	= $(RSAREFDIR)/source
***************
*** 232,238 ****
  	$(CC) -o rfc-pg rfc-pg.c
  
  .c.o:
! 	$(CC) -c -I. -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $(X_CFLAGS) $<
  
  sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
  	-rm -f sshd
--- 236,242 ----
  	$(CC) -o rfc-pg rfc-pg.c
  
  .c.o:
! 	$(CC) -c -I. -I$(GMPINCDIR) -I$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $(X_CFLAGS) $<
  
  sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
  	-rm -f sshd
***************
*** 291,297 ****
                CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(GMPDIR) \
  	       -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)"
  
! $(ZLIBDEP):
  	-if test '!' -d $(ZLIBDIR); then \
  	  mkdir $(ZLIBDIR); \
  	  cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
--- 295,301 ----
                CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(GMPDIR) \
  	       -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)"
  
! $(ZLIBDIR)/libz.a:
  	-if test '!' -d $(ZLIBDIR); then \
  	  mkdir $(ZLIBDIR); \
  	  cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
@


1.3
log
@Update ssh-1.2.13 -> ssh-1.2.14
ssh-askpass no longer uses wish, so chop the make rules that attempt to
locate it.
Go further to try and protect the ssh_host_key, since it's critical to
the operation and security of the machine.
@
text
@d1 67
a67 41
--- Makefile.in.orig	Thu Jun  6 19:39:35 1996
+++ Makefile.in	Fri Jun  7 11:58:02 1996
@@@@ -137,12 +137,16 @@@@
 SHELL = /bin/sh
 
 GMPDIR 		= gmp-1.3.2
-GMPLIBS 	= -L$(GMPDIR) -lgmp
-GMPDEP 		= $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
+GMPINCDIR	= $(GMPDIR)
+GMPLIBDIR	= $(GMPDIR)
+GMPDEP 		= $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
+GMPLIBS 	= -L$(GMPLIBDIR) -lgmp
 
 ZLIBDIR		= zlib095
-ZLIBDEP		= $(ZLIBDIR)/libz.a
-ZLIBLIBS	= -L$(ZLIBDIR) -lz
+ZLIBINCDIR	= $(ZLIBDIR)
+ZLIBLIBDIR	= $(ZLIBDIR)
+ZLIBDEP		= $(ZLIBINCDIR)/zlib.h $(ZLIBLIBDIR)/libz.a
+ZLIBLIBS	= -L$(ZLIBLIBDIR) -lz
 
 RSAREFDIR	= rsaref2
 RSAREFSRCDIR 	= $(RSAREFDIR)/source
@@@@ -223,7 +227,7 @@@@
 	$(CC) -o rfc-pg rfc-pg.c
 
 .c.o:
-	$(CC) -c -I. -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $(X_CFLAGS) $<
+	$(CC) -c -I. -I$(GMPINCDIR) -I$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $(X_CFLAGS) $<
 
 sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
 	-rm -f sshd
@@@@ -282,7 +286,7 @@@@
               CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(GMPDIR) \
 	       -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)"
 
-$(ZLIBDEP):
+$(ZLIBDIR)/libz.a:
 	-if test '!' -d $(ZLIBDIR); then \
 	  mkdir $(ZLIBDIR); \
 	  cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
@


1.2
log
@Fix patch typo.

Found by: Andrzej Tobola <san@@iem.pw.edu.pl>
@
text
@d1 41
a41 74
This patch has been submitted to the author, it allows one to disconnect
ssh from the supplied libgmp and libz.  The next patch (patch-ag) actually
uses these disconnect points to hook us into the system libraries.

The rationale for splitting them up was that the previous patch (patch-ae)
that these two patches replace was unmaintainable and overly drastic.

*** Makefile.in	Thu Jan 25 17:58:10 1996
--- Makefile.in	Mon Feb  5 18:36:09 1996
***************
*** 114,125 ****
  SHELL = /bin/sh
  
  GMPDIR 		= gmp-1.3.2
! GMPLIBS 	= -L$(GMPDIR) -lgmp
! GMPDEP 		= $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
  
  ZLIBDIR		= zlib095
! ZLIBDEP		= $(ZLIBDIR)/libz.a
! ZLIBLIBS	= -L$(ZLIBDIR) -lz
  
  RSAREFDIR	= rsaref2
  RSAREFSRCDIR 	= $(RSAREFDIR)/source
--- 114,129 ----
  SHELL = /bin/sh
  
  GMPDIR 		= gmp-1.3.2
! GMPINCDIR	= $(GMPDIR)
! GMPLIBDIR	= $(GMPDIR)
! GMPDEP 		= $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
! GMPLIBS 	= -L$(GMPLIBDIR) -lgmp
  
  ZLIBDIR		= zlib095
! ZLIBINCDIR	= $(ZLIBDIR)
! ZLIBLIBDIR	= $(ZLIBDIR)
! ZLIBDEP		= $(ZLIBINCDIR)/zlib.h $(ZLIBLIBDIR)/libz.a
! ZLIBLIBS	= -L$(ZLIBLIBDIR) -lz
  
  RSAREFDIR	= rsaref2
  RSAREFSRCDIR 	= $(RSAREFDIR)/source
***************
*** 186,192 ****
  	$(CC) -o rfc-pg rfc-pg.c
  
  .c.o:
! 	$(CC) -c -I. -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $<
  
  sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
  	-rm -f sshd
--- 190,196 ----
  	$(CC) -o rfc-pg rfc-pg.c
  
  .c.o:
! 	$(CC) -c -I. -I$(GMPINCDIR) -I$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DBINDIR=\"$(bindir)\" $(CFLAGS) $<
  
  sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
  	-rm -f sshd
***************
*** 247,253 ****
                CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(GMPDIR) \
  	       -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)"
  
! $(ZLIBDEP):
  	-if test '!' -d $(ZLIBDIR); then \
  	  mkdir $(ZLIBDIR); \
  	  cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
--- 251,257 ----
                CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(GMPDIR) \
  	       -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)"
  
! $(ZLIBDIR)/libz.a:
  	-if test '!' -d $(ZLIBDIR); then \
  	  mkdir $(ZLIBDIR); \
  	  cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
@


1.1
log
@Upgrade to snapshot of ssh.  1.1.12a was recalled due to even worse
security problems.

Also re-do the method we use for disconnecting ourselves from the supplied
gmp and z libraries so that this can be maintained in the future (sigh!).
@
text
@d36 1
a36 1
! ZLIBDEP		= $(ZLIBINCDIR)/libz.h $(ZLIBLIBDIR)/libz.a
@
