OpenSSH 7.9 Potentially-incompatible changes ================================ * ssh(1), sshd(8): the setting of the new CASignatureAlgorithms option (see below) bans the use of DSA keys as certificate authorities. * sshd(8): the authentication success/failure log message has changed format slightly. It now includes the certificate fingerprint (previously it included only key ID and CA key fingerprint). New Features ------------ * ssh(1), sshd(8): allow most port numbers to be specified using service names from getservbyname(3) (typically /etc/services). * ssh(1): allow the IdentityAgent configuration directive to accept environment variable names. This supports the use of multiple agent sockets without needing to use fixed paths. * sshd(8): support signalling sessions via the SSH protocol. A limited subset of signals is supported and only for login or command sessions (i.e. not subsystems) that were not subject to a forced command via authorized_keys or sshd_config. bz#1424 * ssh(1): support "ssh -Q sig" to list supported signature options. Also "ssh -Q help" to show the full set of supported queries. * ssh(1), sshd(8): add a CASignatureAlgorithms option for the client and server configs to allow control over which signature formats are allowed for CAs to sign certificates. For example, this allows banning CAs that sign certificates using the RSA-SHA1 signature algorithm. * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to revoke keys specified by SHA256 hash. * ssh-keygen(1): allow creation of key revocation lists directly from base64-encoded SHA256 fingerprints. This supports revoking keys using only the information contained in sshd(8) authentication log messages. Bugfixes -------- * ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when attempting to load PEM private keys while using an incorrect passphrase. bz#2901 * sshd(8): when a channel closed message is received from a client, close the stderr file descriptor at the same time stdout is closed. This avoids stuck processes if they were waiting for stderr to close and were insensitive to stdin/out closing. bz#2863 * ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11 forwarding timeout and support X11 forwarding indefinitely. Previously the behaviour of ForwardX11Timeout=0 was undefined. * sshd(8): when compiled with GSSAPI support, cache supported method OIDs regardless of whether GSSAPI authentication is enabled in the main section of sshd_config. This avoids sandbox violations if GSSAPI authentication was later enabled in a Match block. bz#2107 * sshd(8): do not fail closed when configured with a text key revocation list that contains a too-short key. bz#2897 * ssh(1): treat connections with ProxyJump specified the same as ones with a ProxyCommand set with regards to hostname canonicalisation (i.e. don't try to canonicalise the hostname unless CanonicalizeHostname is set to 'always'). bz#2896 * ssh(1): fix regression in OpenSSH 7.8 that could prevent public- key authentication using certificates hosted in a ssh-agent(1) or against sshd(8) from OpenSSH <7.8. Portability ----------- * All: support building against the openssl-1.1 API (releases 1.1.0g and later). The openssl-1.0 API will remain supported at least until OpenSSL terminates security patch support for that API version. * sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox; apparently required by some glibc/OpenSSL combinations. * sshd(8): handle getgrouplist(3) returning more than _SC_NGROUPS_MAX groups. Some platforms consider this limit more as a guideline. OpenSSH 7.8: Potentially-incompatible changes ================================ * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format. The OpenSSH format, supported in OpenSSH releases since 2014 and described in the PROTOCOL.key file in the source distribution, offers substantially better protection against offline password guessing and supports key comments in private keys. If necessary, it is possible to write old PEM-style keys by adding "-m PEM" to ssh-keygen's arguments when generating or updating a key. * sshd(8): remove internal support for S/Key multiple factor authentication. S/Key may still be used via PAM or BSD auth. * ssh(1): remove vestigal support for running ssh(1) as setuid. This used to be required for hostbased authentication and the (long gone) rhosts-style authentication, but has not been necessary for a long time. Attempting to execute ssh as a setuid binary, or with uid != effective uid will now yield a fatal error at runtime. * sshd(8): the semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms "rsa-sha2-256", "rsa-sha2-512" and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures (no action is required for configurations that accept the default for these options). * sshd(8): the precedence of session environment variables has changed. ~/.ssh/environment and environment="..." options in authorized_keys files can no longer override SSH_* variables set implicitly by sshd. * ssh(1)/sshd(8): the default IPQoS used by ssh/sshd has changed. They will now use DSCP AF21 for interactive traffic and CS1 for bulk. For a detailed rationale, please see the commit message: https://cvsweb.openbsd.org/src/usr.bin/ssh/readconf.c#rev1.284 New Features ------------ * ssh(1)/sshd(8): add new signature algorithms "rsa-sha2-256-cert- v01@openssh.com" and "rsa-sha2-512-cert-v01@openssh.com" to explicitly force use of RSA/SHA2 signatures in authentication. * sshd(8): extend the PermitUserEnvironment option to accept a whitelist of environment variable names in addition to global "yes" or "no" settings. * sshd(8): add a PermitListen directive to sshd_config(5) and a corresponding permitlisten= authorized_keys option that control which listen addresses and port numbers may be used by remote forwarding (ssh -R ...). * sshd(8): add some countermeasures against timing attacks used for account validation/enumeration. sshd will enforce a minimum time or each failed authentication attempt consisting of a global 5ms minimum plus an additional per-user 0-4ms delay derived from a host secret. * sshd(8): add a SetEnv directive to allow an administrator to explicitly specify environment variables in sshd_config. Variables set by SetEnv override the default and client-specified environment. * ssh(1): add a SetEnv directive to request that the server sets an environment variable in the session. Similar to the existing SendEnv option, these variables are set subject to server configuration. * ssh(1): allow "SendEnv -PATTERN" to clear environment variables previously marked for sending to the server. bz#1285 * ssh(1)/sshd(8): make UID available as a %-expansion everywhere that the username is available currently. bz#2870 * ssh(1): allow setting ProxyJump=none to disable ProxyJump functionality. bz#2869 Bugfixes -------- * sshd(8): avoid observable differences in request parsing that could be used to determine whether a target user is valid. * all: substantial internal refactoring * ssh(1)/sshd(8): fix some memory leaks; bz#2366 * ssh(1): fix a pwent clobber (introduced in openssh-7.7) that could occur during key loading, manifesting as crash on some platforms. * sshd_config(5): clarify documentation for AuthenticationMethods option; bz#2663 * ssh(1): ensure that the public key algorithm sent in a public key SSH_MSG_USERAUTH_REQUEST matches the content of the signature blob. Previously, these could be inconsistent when a legacy or non-OpenSSH ssh-agent returned a RSA/SHA1 signature when asked to make a RSA/SHA2 signature. * sshd(8): fix failures to read authorized_keys caused by faulty supplemental group caching. bz#2873 * scp(1): apply umask to directories, fixing potential mkdir/chmod race when copying directory trees bz#2839 * ssh-keygen(1): return correct exit code when searching for and hashing known_hosts entries in a single operation; bz#2772 * ssh(1): prefer the ssh binary pointed to via argv[0] to $PATH when re-executing ssh for ProxyJump. bz#2831 * sshd(8): do not ban PTY allocation when a sshd session is restricted because the user password is expired as it breaks password change dialog. (regression in openssh-7.7). * ssh(1)/sshd(8): fix error reporting from select() failures. * ssh(1): improve documentation for -w (tunnel) flag, emphasising that -w implicitly sets Tunnel=point-to-point. bz#2365 * ssh-agent(1): implement EMFILE mitigation for ssh-agent. ssh-agent will no longer spin when its file descriptor limit is exceeded. bz#2576 * ssh(1)/sshd(8): disable SSH2_MSG_DEBUG messages for Twisted Conch clients. Twisted Conch versions that lack a version number in their identification strings will mishandle these messages when running on Python 2.x (https://twistedmatrix.com/trac/ticket/9422) * sftp(1): notify user immediately when underlying ssh process dies expectedly. bz#2719 * ssh(1)/sshd(8): fix tunnel forwarding; regression in 7.7 release. bz#2855 * ssh-agent(1): don't kill ssh-agent's listening socket entirely if it fails to accept(2) a connection. bz#2837 * sshd(8): relax checking of authorized_keys environment="..." options to allow underscores in variable names (regression introduced in 7.7). bz#2851 * ssh(1): add some missing options in the configuration dump output (ssh -G). bz#2835 Portability ----------- * sshd(8): Expose details of completed authentication to PAM auth modules via SSH_AUTH_INFO_0 in the PAM environment. bz#2408 * Fix compilation problems caused by fights between zlib and OpenSSL colliding uses of "free_func" * Improve detection of unsupported compiler options. Recently these may have manifested as "unsupported -Wl,-z,retpoline" warnings during linking. * sshd(8): some sandbox support for Linux/s390 bz#2752. * regress tests: unbreak key-options.sh test on platforms without openpty(3). bz#2856 * use getrandom(2) for PRNG seeding when built without OpenSSL. OpenSSH 7.7: Potentially-incompatible changes ================================ * ssh(1)/sshd(8): Drop compatibility support for some very old SSH implementations, including ssh.com <=2.* and OpenSSH <= 3.*. These versions were all released in or before 2001 and predate the final SSH RFCs. The support in question isn't necessary for RFC-compliant SSH implementations. New Features ------------ * All: Add experimental support for PQC XMSS keys (Extended Hash- Based Signatures) based on the algorithm described in https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 The XMSS signature code is experimental and not compiled in by default. * sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux). * sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present. * sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present. * sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys. * ssh(1): Add a BindInterface option to allow binding the outgoing connection to an interface's address (basically a more usable BindAddress) * ssh(1): Expose device allocated for tun/tap forwarding via a new %T expansion for LocalCommand. This allows LocalCommand to be used to prepare the interface. * sshd(8): Expose the device allocated for tun/tap forwarding via a new SSH_TUNNEL environment variable. This allows automatic setup of the interface and surrounding network configuration automatically on the server. * ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. ssh://user@host or sftp://user@host/path. Additional connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses the deprecated MD5 hash with no way to specify the any other algorithm. * ssh-keygen(1): Allow certificate validity intervals that specify only a start or stop time (instead of both or neither). * sftp(1): Allow "cd" and "lcd" commands with no explicit path argument. lcd will change to the local user's home directory as usual. cd will change to the starting directory for session (because the protocol offers no way to obtain the remote user's home directory). bz#2760 * sshd(8): When doing a config test with sshd -T, only require the attributes that are actually used in Match criteria rather than (an incomplete list of) all criteria. Bugfixes -------- * ssh(1)/sshd(8): More strictly check signature types during key exchange against what was negotiated. Prevents downgrade of RSA signatures made with SHA-256/512 to SHA-1. * sshd(8): Fix support for client that advertise a protocol version of "1.99" (indicating that they are prepared to accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1 support. bz#2810 * ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a rsa-sha2-256/512 signature was requested. This condition is possible when an old or non-OpenSSH agent is in use. bz#2799 * ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent to fatally exit if presented an invalid signature request message. * sshd_config(5): Accept yes/no flag options case-insensitively, as has been the case in ssh_config(5) for a long time. bz#2664 * ssh(1): Improve error reporting for failures during connection. Under some circumstances misleading errors were being shown. bz#2814 * ssh-keyscan(1): Add -D option to allow printing of results directly in SSHFP format. bz#2821 * regress tests: fix PuTTY interop test broken in last release's SSHv1 removal. bz#2823 * ssh(1): Compatibility fix for some servers that erroneously drop the connection when the IUTF8 (RFC8160) option is sent. * scp(1): Disable RemoteCommand and RequestTTY in the ssh session started by scp (sftp was already doing this.) * ssh-keygen(1): Refuse to create a certificate with an unusable number of principals. * ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the public key during key generation. Previously it would silently ignore errors writing the comment and terminating newline. * ssh(1): Do not modify hostname arguments that are addresses by automatically forcing them to lower-case. Instead canonicalise them to resolve ambiguities (e.g. ::0001 => ::1) before they are matched against known_hosts. bz#2763 * ssh(1): Don't accept junk after "yes" or "no" responses to hostkey prompts. bz#2803 * sftp(1): Have sftp print a warning about shell cleanliness when decoding the first packet fails, which is usually caused by shells polluting stdout of non-interactive startups. bz#2800 * ssh(1)/sshd(8): Switch timers in packet code from using wall-clock time to monotonic time, allowing the packet layer to better function over a clock step and avoiding possible integer overflows during steps. * Numerous manual page fixes and improvements. Portability ----------- * sshd(8): Correctly detect MIPS ABI in use at configure time. Fixes sandbox violations on some environments. * sshd(8): Remove UNICOS support. The hardware and software are literal museum pieces and support in sshd is too intrusive to justify maintaining. * All: Build and link with "retpoline" flags when available to mitigate the "branch target injection" style (variant 2) of the Spectre branch-prediction vulnerability. * All: Add auto-generated dependency information to Makefile. * Numerous fixed to the RPM spec files.diff -r1.256 -r1.257 pkgsrc/security/openssh/Makefile
(tnn)
@@ -1,18 +1,17 @@ | @@ -1,18 +1,17 @@ | |||
1 | # $NetBSD: Makefile,v 1.256 2018/08/22 09:46:19 wiz Exp $ | 1 | # $NetBSD: Makefile,v 1.257 2019/01/18 20:13:36 tnn Exp $ | |
2 | 2 | |||
3 | DISTNAME= openssh-7.6p1 | 3 | DISTNAME= openssh-7.9p1 | |
4 | PKGNAME= ${DISTNAME:S/p1/.1/} | 4 | PKGNAME= ${DISTNAME:S/p1/.1/} | |
5 | PKGREVISION= 1 | |||
6 | CATEGORIES= security | 5 | CATEGORIES= security | |
7 | MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/} | 6 | MASTER_SITES= ${MASTER_SITE_OPENBSD:=OpenSSH/portable/} | |
8 | 7 | |||
9 | MAINTAINER= pkgsrc-users@NetBSD.org | 8 | MAINTAINER= pkgsrc-users@NetBSD.org | |
10 | HOMEPAGE= http://www.openssh.com/ | 9 | HOMEPAGE= http://www.openssh.com/ | |
11 | COMMENT= Open Source Secure shell client and server (remote login program) | 10 | COMMENT= Open Source Secure shell client and server (remote login program) | |
12 | LICENSE= modified-bsd | 11 | LICENSE= modified-bsd | |
13 | 12 | |||
14 | CONFLICTS= sftp-[0-9]* | 13 | CONFLICTS= sftp-[0-9]* | |
15 | CONFLICTS+= ssh-[0-9]* ssh6-[0-9]* | 14 | CONFLICTS+= ssh-[0-9]* ssh6-[0-9]* | |
16 | CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]* | 15 | CONFLICTS+= ssh2-[0-9]* ssh2-nox11-[0-9]* | |
17 | CONFLICTS+= openssh+gssapi-[0-9]* | 16 | CONFLICTS+= openssh+gssapi-[0-9]* | |
18 | CONFLICTS+= lsh>2.0 | 17 | CONFLICTS+= lsh>2.0 |
@@ -1,30 +1,29 @@ | @@ -1,30 +1,29 @@ | |||
1 | $NetBSD: distinfo,v 1.105 2017/10/04 11:44:14 wiz Exp $ | 1 | $NetBSD: distinfo,v 1.106 2019/01/18 20:13:36 tnn Exp $ | |
2 | 2 | |||
3 | SHA1 (openssh-7.6p1.tar.gz) = a6984bc2c72192bed015c8b879b35dd9f5350b3b | 3 | SHA1 (openssh-7.9p1.tar.gz) = 993aceedea8ecabb1d0dd7293508a361891c4eaa | |
4 | RMD160 (openssh-7.6p1.tar.gz) = 486ae743f51ffbf8197d564aab9ae54f9e2ac9da | 4 | RMD160 (openssh-7.9p1.tar.gz) = 236617fb9c04dcca12f9d56b5975efda4e798f53 | |
5 | SHA512 (openssh-7.6p1.tar.gz) = de17fdcb8239401f76740c8d689a8761802f6df94e68d953f3c70b9f4f8bdb403617c48c1d01cc8c368d88e9d50aee540bf03d5a36687dfb39dfd28d73029d72 | 5 | SHA512 (openssh-7.9p1.tar.gz) = 0412c9c429c9287f0794023951469c8e6ec833cdb55821bfa0300dd90d0879ff60484f620cffd93372641ab69bf0b032c2d700ccc680950892725fb631b7708e | |
6 | Size (openssh-7.6p1.tar.gz) = 1489788 bytes | 6 | Size (openssh-7.9p1.tar.gz) = 1565384 bytes | |
7 | SHA1 (patch-Makefile.in) = 98960119bda68a663214c8880484552f1207bcfc | 7 | SHA1 (patch-Makefile.in) = 13502b825c13c98b2ba3b84ff4bae9aa664b76b1 | |
8 | SHA1 (patch-auth-passwd.c) = 5205ca4d15dbcd3f4c574f0a2fb7713ae69af5f7 | 8 | SHA1 (patch-auth-passwd.c) = f2906091185c84d0dbb26e6b8fa0de30934816bd | |
9 | SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4 | 9 | SHA1 (patch-auth-rhosts.c) = a5e6131e63b83a7e8a06cd80f22def449d6bc2c4 | |
10 | SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039 | 10 | SHA1 (patch-auth.c) = cd13f8b31b45d668c5e09eca098b17ec8a7c1039 | |
11 | SHA1 (patch-auth2.c) = efc1eb6d28cb6ec2bd87723943f3e36c612d93aa | 11 | SHA1 (patch-auth2.c) = c57e5fe3d6fed73e6b26a8e4e4c63f36d8e20535 | |
12 | SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e | 12 | SHA1 (patch-clientloop.c) = 4e88fbd14db33f003eb93c30c682a017e102196e | |
13 | SHA1 (patch-config.h.in) = 7406f10b568d2b8237ee575922ce712658d90d59 | 13 | SHA1 (patch-config.h.in) = 926507ea281568e06385e16cbd3c8b907f2baa3f | |
14 | SHA1 (patch-configure.ac) = 8ff27fcf7391722732386a574e3a4d41c4209222 | 14 | SHA1 (patch-configure.ac) = c8ee9d49a4989c5dfe02a89e0d3a8a4e16c32b9d | |
15 | SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4 | 15 | SHA1 (patch-defines.h) = bd8687a9a2857f3b8d15ae94095f27f9344003c4 | |
16 | SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda | 16 | SHA1 (patch-includes.h) = c4a7622af6fbcd098d18d257724dca6aaeea4fda | |
17 | SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c | 17 | SHA1 (patch-loginrec.c) = 28082deb14258fe63cbecad8ac96afc016de439c | |
18 | SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae | 18 | SHA1 (patch-openbsd-compat_bsd-openpty.c) = 80e076a18a0f9ba211ecd4bc5853ce01899568ae | |
19 | SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4 | 19 | SHA1 (patch-openbsd-compat_openbsd-compat.h) = bedbede16ab2fe918419c994ba15a20167b411b4 | |
20 | SHA1 (patch-openbsd-compat_port-tun.c) = 690dfb1f945d186dd3de5bea70ed8fab86e590ee | 20 | SHA1 (patch-openbsd-compat_port-tun.c) = 4b1b55b7fdc319e011d249ee336301b17a589228 | |
21 | SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5 | 21 | SHA1 (patch-platform.c) = f8f211dbc5e596c0f82eb86324d18a84c6151ec5 | |
22 | SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75 | 22 | SHA1 (patch-sandbox-darwin.c) = c9a1fe2e4dbf98e929d983b4206a244e0e354b75 | |
23 | SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1 | 23 | SHA1 (patch-scp.c) = 9c2317b0f796641903a826db355ba06595a26ea1 | |
24 | SHA1 (patch-session.c) = c67d649dc66a65ff39d701135a2f2dab6ba2fb93 | 24 | SHA1 (patch-session.c) = 2538d6f825bff1be325207285cdfac89f73ff264 | |
25 | SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778 | 25 | SHA1 (patch-sftp-common.c) = 6819aa040c8f1caa30a704cf6f0588e498df8778 | |
26 | SHA1 (patch-ssh.c) = 6877d8205d999906c14240d4d112b084609927ca | |||
27 | SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1 | 26 | SHA1 (patch-sshd.8) = 5bf48cd27cef8e8810b9dc7115f5180102a345d1 | |
28 | SHA1 (patch-sshd.c) = 040ac961247fdd55bd09b85e65b905b63bc24f7d | 27 | SHA1 (patch-sshd.c) = 1944283a09772f767044e46acf5329bfad5dae3c | |
29 | SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938 | 28 | SHA1 (patch-sshpty.c) = cb691d4fbde808927f2fbcc12b87ad983cf21938 | |
30 | SHA1 (patch-uidswap.c) = 68c4f5ffab7f4c5c9c00b7443a74b2da52809b7e | 29 | SHA1 (patch-uidswap.c) = 6c68624cfd6ff3c2386008ff336c4d7da78195f4 |
@@ -1,27 +1,31 @@ | @@ -1,27 +1,31 @@ | |||
1 | $NetBSD: patch-Makefile.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $ | 1 | $NetBSD: patch-Makefile.in,v 1.6 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | Removed install-sysconf as we handle that phase through post-install | 3 | Removed install-sysconf as we handle that phase through post-install | |
4 | 4 | |||
5 | --- Makefile.in.orig 2015-08-21 04:49:03.000000000 +0000 | 5 | --- Makefile.in.orig 2018-10-17 00:01:20.000000000 +0000 | |
6 | +++ Makefile.in | 6 | +++ Makefile.in | |
7 | @@ -2,5 +2,5 @@ | 7 | @@ -1,5 +1,5 @@ | |
8 | 8 | # uncomment if you run a non bourne compatible shell. Ie. csh | ||
9 | # uncomment if you run a non bourne compatable shell. Ie. csh | |||
10 | -#SHELL = @SH@ | 9 | -#SHELL = @SH@ | |
11 | +SHELL = @SH@ | 10 | +SHELL = @SH@ | |
12 | 11 | |||
13 | AUTORECONF=autoreconf | 12 | AUTORECONF=autoreconf | |
14 | @@ -23,5 +23,5 @@ DESTDIR= | 13 | ||
14 | @@ -20,7 +20,7 @@ top_srcdir=@top_srcdir@ | |||
15 | DESTDIR= | |||
15 | VPATH=@srcdir@ | 16 | VPATH=@srcdir@ | |
16 | SSH_PROGRAM=@bindir@/ssh | 17 | SSH_PROGRAM=@bindir@/ssh | |
17 | -ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass | 18 | -ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass | |
18 | +#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass | 19 | +#ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass | |
19 | SFTP_SERVER=$(libexecdir)/sftp-server | 20 | SFTP_SERVER=$(libexecdir)/sftp-server | |
20 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | 21 | SSH_KEYSIGN=$(libexecdir)/ssh-keysign | |
21 | @@ -288,5 +288,5 @@ distprep: catman-do | 22 | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper | |
23 | @@ -320,7 +320,7 @@ distprep: catman-do depend-check | |||
24 | -rm -rf autom4te.cache .depend.bak | |||
22 | 25 | |||
23 | install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config | 26 | install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config | |
24 | -install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf | 27 | -install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf | |
25 | +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files | 28 | +install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files | |
26 | install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files | 29 | install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files | |
27 | 30 | |||
31 | check-config: |
@@ -1,37 +1,37 @@ | @@ -1,37 +1,37 @@ | |||
1 | $NetBSD: patch-config.h.in,v 1.5 2016/01/18 12:53:26 jperkin Exp $ | 1 | $NetBSD: patch-config.h.in,v 1.6 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | * Added Interix and define new path to if_tun.h. | 3 | * Added Interix and define new path to if_tun.h. | |
4 | * Revive tcp_wrappers support. | 4 | * Revive tcp_wrappers support. | |
5 | 5 | |||
6 | --- config.h.in.orig 2015-08-21 05:09:20.000000000 +0000 | 6 | --- config.h.in.orig 2018-10-19 01:06:33.000000000 +0000 | |
7 | +++ config.h.in | 7 | +++ config.h.in | |
8 | @@ -640,6 +640,9 @@ | 8 | @@ -741,6 +741,9 @@ | |
9 | /* define if you have int64_t data type */ | 9 | /* define if you have int64_t data type */ | |
10 | #undef HAVE_INT64_T | 10 | #undef HAVE_INT64_T | |
11 | 11 | |||
12 | +/* Define if you are on Interix */ | 12 | +/* Define if you are on Interix */ | |
13 | +#undef HAVE_INTERIX | 13 | +#undef HAVE_INTERIX | |
14 | + | 14 | + | |
15 | /* Define to 1 if the system has the type `intmax_t'. */ | 15 | /* Define to 1 if the system has the type `intmax_t'. */ | |
16 | #undef HAVE_INTMAX_T | 16 | #undef HAVE_INTMAX_T | |
17 | 17 | |||
18 | @@ -799,6 +802,9 @@ | 18 | @@ -910,6 +913,9 @@ | |
19 | /* Define to 1 if you have the <net/if_tun.h> header file. */ | 19 | /* Define to 1 if you have the <net/route.h> header file. */ | |
20 | #undef HAVE_NET_IF_TUN_H | 20 | #undef HAVE_NET_ROUTE_H | |
21 | 21 | |||
22 | +/* Define to 1 if you have the <net/tun/if_tun.h> header file. */ | 22 | +/* Define to 1 if you have the <net/tun/if_tun.h> header file. */ | |
23 | +#undef HAVE_NET_TUN_IF_TUN_H | 23 | +#undef HAVE_NET_TUN_IF_TUN_H | |
24 | + | 24 | + | |
25 | /* Define if you are on NeXT */ | 25 | /* Define if you are on NeXT */ | |
26 | #undef HAVE_NEXT | 26 | #undef HAVE_NEXT | |
27 | 27 | |||
28 | @@ -1394,6 +1400,9 @@ | 28 | @@ -1617,6 +1623,9 @@ | |
29 | /* Define if pututxline updates lastlog too */ | 29 | /* Define if pututxline updates lastlog too */ | |
30 | #undef LASTLOG_WRITE_PUTUTXLINE | 30 | #undef LASTLOG_WRITE_PUTUTXLINE | |
31 | 31 | |||
32 | +/* Define if you want TCP Wrappers support */ | 32 | +/* Define if you want TCP Wrappers support */ | |
33 | +#undef LIBWRAP | 33 | +#undef LIBWRAP | |
34 | + | 34 | + | |
35 | /* Define to whatever link() returns for "not supported" if it doesn't return | 35 | /* Define to whatever link() returns for "not supported" if it doesn't return | |
36 | EOPNOTSUPP. */ | 36 | EOPNOTSUPP. */ | |
37 | #undef LINK_OPNOTSUPP_ERRNO | 37 | #undef LINK_OPNOTSUPP_ERRNO |
@@ -1,76 +1,77 @@ | @@ -1,76 +1,77 @@ | |||
1 | $NetBSD: patch-uidswap.c,v 1.5 2016/01/18 12:53:26 jperkin Exp $ | 1 | $NetBSD: patch-uidswap.c,v 1.6 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | Interix support | 3 | Interix support | |
4 | 4 | |||
5 | --- uidswap.c.orig 2015-08-21 04:49:03.000000000 +0000 | 5 | --- uidswap.c.orig 2018-10-17 00:01:20.000000000 +0000 | |
6 | +++ uidswap.c | 6 | +++ uidswap.c | |
7 | @@ -67,13 +67,13 @@ temporarily_use_uid(struct passwd *pw) | 7 | @@ -68,13 +68,13 @@ temporarily_use_uid(struct passwd *pw) | |
8 | (u_int)pw->pw_uid, (u_int)pw->pw_gid, | 8 | (u_int)pw->pw_uid, (u_int)pw->pw_gid, | |
9 | (u_int)saved_euid, (u_int)saved_egid); | 9 | (u_int)saved_euid, (u_int)saved_egid); | |
10 | #ifndef HAVE_CYGWIN | 10 | #ifndef HAVE_CYGWIN | |
11 | - if (saved_euid != 0) { | 11 | - if (saved_euid != 0) { | |
12 | + if (saved_euid != ROOTUID) { | 12 | + if (saved_euid != ROOTUID) { | |
13 | privileged = 0; | 13 | privileged = 0; | |
14 | return; | 14 | return; | |
15 | } | 15 | } | |
16 | #endif | 16 | #endif | |
17 | #else | 17 | #else | |
18 | - if (geteuid() != 0) { | 18 | - if (geteuid() != 0) { | |
19 | + if (geteuid() != ROOTUID) { | 19 | + if (geteuid() != ROOTUID) { | |
20 | privileged = 0; | 20 | privileged = 0; | |
21 | return; | 21 | return; | |
22 | } | 22 | } | |
23 | @@ -96,9 +96,11 @@ temporarily_use_uid(struct passwd *pw) | 23 | @@ -98,10 +98,11 @@ temporarily_use_uid(struct passwd *pw) | |
24 | 24 | |||
25 | /* set and save the user's groups */ | 25 | /* set and save the user's groups */ | |
26 | if (user_groupslen == -1) { | 26 | if (user_groupslen == -1 || user_groups_uid != pw->pw_uid) { | |
27 | +#ifndef HAVE_INTERIX | 27 | +#ifndef HAVE_INTERIX | |
28 | if (initgroups(pw->pw_name, pw->pw_gid) < 0) | 28 | if (initgroups(pw->pw_name, pw->pw_gid) < 0) | |
29 | fatal("initgroups: %s: %.100s", pw->pw_name, | 29 | fatal("initgroups: %s: %.100s", pw->pw_name, | |
30 | strerror(errno)); | 30 | strerror(errno)); | |
31 | - | |||
31 | +#endif | 32 | +#endif | |
32 | ||||
33 | user_groupslen = getgroups(0, NULL); | 33 | user_groupslen = getgroups(0, NULL); | |
34 | if (user_groupslen < 0) | 34 | if (user_groupslen < 0) | |
35 | @@ -112,9 +114,11 @@ temporarily_use_uid(struct passwd *pw) | 35 | fatal("getgroups: %.100s", strerror(errno)); | |
36 | free(user_groups); | 36 | @@ -116,9 +117,11 @@ temporarily_use_uid(struct passwd *pw) | |
37 | } | 37 | } | |
38 | user_groups_uid = pw->pw_uid; | |||
38 | } | 39 | } | |
39 | +#ifndef HAVE_INTERIX | 40 | +#ifndef HAVE_INTERIX | |
40 | /* Set the effective uid to the given (unprivileged) uid. */ | 41 | /* Set the effective uid to the given (unprivileged) uid. */ | |
41 | if (setgroups(user_groupslen, user_groups) < 0) | 42 | if (setgroups(user_groupslen, user_groups) < 0) | |
42 | fatal("setgroups: %.100s", strerror(errno)); | 43 | fatal("setgroups: %.100s", strerror(errno)); | |
43 | +#endif | 44 | +#endif | |
44 | #ifndef SAVED_IDS_WORK_WITH_SETEUID | 45 | #ifndef SAVED_IDS_WORK_WITH_SETEUID | |
45 | /* Propagate the privileged gid to all of our gids. */ | 46 | /* Propagate the privileged gid to all of our gids. */ | |
46 | if (setgid(getegid()) < 0) | 47 | if (setgid(getegid()) < 0) | |
47 | @@ -187,8 +191,10 @@ restore_uid(void) | 48 | @@ -166,8 +169,10 @@ restore_uid(void) | |
48 | setgid(getgid()); | 49 | setgid(getgid()); | |
49 | #endif /* SAVED_IDS_WORK_WITH_SETEUID */ | 50 | #endif /* SAVED_IDS_WORK_WITH_SETEUID */ | |
50 | 51 | |||
51 | +#ifndef HAVE_INTERIX | 52 | +#ifndef HAVE_INTERIX | |
52 | if (setgroups(saved_egroupslen, saved_egroups) < 0) | 53 | if (setgroups(saved_egroupslen, saved_egroups) < 0) | |
53 | fatal("setgroups: %.100s", strerror(errno)); | 54 | fatal("setgroups: %.100s", strerror(errno)); | |
54 | +#endif | 55 | +#endif | |
55 | temporarily_use_uid_effective = 0; | 56 | temporarily_use_uid_effective = 0; | |
56 | } | 57 | } | |
57 | 58 | |||
58 | @@ -211,6 +217,10 @@ permanently_set_uid(struct passwd *pw) | 59 | @@ -190,6 +195,10 @@ permanently_set_uid(struct passwd *pw) | |
59 | debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, | 60 | debug("permanently_set_uid: %u/%u", (u_int)pw->pw_uid, | |
60 | (u_int)pw->pw_gid); | 61 | (u_int)pw->pw_gid); | |
61 | 62 | |||
62 | +#if defined(HAVE_INTERIX) | 63 | +#if defined(HAVE_INTERIX) | |
63 | + if (setuser(pw->pw_name, NULL, SU_COMPLETE)) | 64 | + if (setuser(pw->pw_name, NULL, SU_COMPLETE)) | |
64 | + fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); | 65 | + fatal("setuser %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); | |
65 | +#else | 66 | +#else | |
66 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) | 67 | if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) < 0) | |
67 | fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); | 68 | fatal("setresgid %u: %.100s", (u_int)pw->pw_gid, strerror(errno)); | |
68 | 69 | |||
69 | @@ -247,6 +257,7 @@ permanently_set_uid(struct passwd *pw) | 70 | @@ -226,6 +235,7 @@ permanently_set_uid(struct passwd *pw) | |
70 | (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) | 71 | (setuid(old_uid) != -1 || seteuid(old_uid) != -1)) | |
71 | fatal("%s: was able to restore old [e]uid", __func__); | 72 | fatal("%s: was able to restore old [e]uid", __func__); | |
72 | #endif | 73 | #endif | |
73 | +#endif /* HAVE_INTERIX */ | 74 | +#endif /* HAVE_INTERIX */ | |
74 | 75 | |||
75 | /* Verify UID drop was successful */ | 76 | /* Verify UID drop was successful */ | |
76 | if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) { | 77 | if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) { |
@@ -1,28 +1,27 @@ | @@ -1,28 +1,27 @@ | |||
1 | $NetBSD: patch-auth-passwd.c,v 1.4 2016/09/18 17:30:11 taca Exp $ | 1 | $NetBSD: patch-auth-passwd.c,v 1.5 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | Replace uid 0 with ROOTUID macro | 3 | Replace uid 0 with ROOTUID macro | |
4 | 4 | |||
5 | --- auth-passwd.c.orig 2016-07-27 22:54:27.000000000 +0000 | 5 | --- auth-passwd.c.orig 2018-10-17 00:01:20.000000000 +0000 | |
6 | +++ auth-passwd.c | 6 | +++ auth-passwd.c | |
7 | @@ -93,7 +93,7 @@ auth_password(Authctxt *authctxt, const | 7 | @@ -87,7 +87,7 @@ auth_password(struct ssh *ssh, const cha | |
8 | return 0; | 8 | return 0; | |
9 | 9 | |||
10 | #ifndef HAVE_CYGWIN | 10 | #ifndef HAVE_CYGWIN | |
11 | - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) | 11 | - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) | |
12 | + if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES) | 12 | + if (pw->pw_uid == ROOTUID && options.permit_root_login != PERMIT_YES) | |
13 | ok = 0; | 13 | ok = 0; | |
14 | #endif | 14 | #endif | |
15 | if (*password == '\0' && options.permit_empty_passwd == 0) | 15 | if (*password == '\0' && options.permit_empty_passwd == 0) | |
16 | @@ -128,7 +128,12 @@ auth_password(Authctxt *authctxt, const | 16 | @@ -122,7 +122,11 @@ auth_password(struct ssh *ssh, const cha | |
17 | authctxt->force_pwchange = 1; | 17 | authctxt->force_pwchange = 1; | |
18 | } | 18 | } | |
19 | #endif | 19 | #endif | |
20 | + | |||
21 | +#ifdef HAVE_INTERIX | 20 | +#ifdef HAVE_INTERIX | |
22 | + result = (!setuser(pw->pw_name, password, SU_CHECK)); | 21 | + result = (!setuser(pw->pw_name, password, SU_CHECK)); | |
23 | +#else | 22 | +#else | |
24 | result = sys_auth_passwd(authctxt, password); | 23 | result = sys_auth_passwd(ssh, password); | |
25 | +#endif | 24 | +#endif | |
26 | if (authctxt->force_pwchange) | 25 | if (authctxt->force_pwchange) | |
27 | disable_forwarding(); | 26 | auth_restrict_session(ssh); | |
28 | return (result && ok); | 27 | return (result && ok); |
@@ -1,15 +1,15 @@ | @@ -1,15 +1,15 @@ | |||
1 | $NetBSD: patch-auth2.c,v 1.6 2016/01/18 12:53:26 jperkin Exp $ | 1 | $NetBSD: patch-auth2.c,v 1.7 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | Replace uid 0 with ROOTUID macro | 3 | Replace uid 0 with ROOTUID macro | |
4 | 4 | |||
5 | --- auth2.c.orig 2015-08-21 04:49:03.000000000 +0000 | 5 | --- auth2.c.orig 2018-10-17 00:01:20.000000000 +0000 | |
6 | +++ auth2.c | 6 | +++ auth2.c | |
7 | @@ -302,7 +302,7 @@ userauth_finish(Authctxt *authctxt, int | 7 | @@ -352,7 +352,7 @@ userauth_finish(struct ssh *ssh, int aut | |
8 | fatal("INTERNAL ERROR: authenticated and postponed"); | 8 | fatal("INTERNAL ERROR: authenticated and postponed"); | |
9 | 9 | |||
10 | /* Special handling for root */ | 10 | /* Special handling for root */ | |
11 | - if (authenticated && authctxt->pw->pw_uid == 0 && | 11 | - if (authenticated && authctxt->pw->pw_uid == 0 && | |
12 | + if (authenticated && authctxt->pw->pw_uid == ROOTUID && | 12 | + if (authenticated && authctxt->pw->pw_uid == ROOTUID && | |
13 | !auth_root_allowed(method)) { | 13 | !auth_root_allowed(ssh, method)) { | |
14 | authenticated = 0; | 14 | authenticated = 0; | |
15 | #ifdef SSH_AUDIT_EVENTS | 15 | #ifdef SSH_AUDIT_EVENTS |
@@ -1,57 +1,57 @@ | @@ -1,57 +1,57 @@ | |||
1 | $NetBSD: patch-configure.ac,v 1.6 2017/05/31 09:30:22 jperkin Exp $ | 1 | $NetBSD: patch-configure.ac,v 1.7 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | * Various fixes regarding portability | 3 | * Various fixes regarding portability | |
4 | * Revive tcp_wrappers support. | 4 | * Revive tcp_wrappers support. | |
5 | 5 | |||
6 | --- configure.ac.orig 2017-03-20 02:39:27.000000000 +0000 | 6 | --- configure.ac.orig 2018-10-17 00:01:20.000000000 +0000 | |
7 | +++ configure.ac | 7 | +++ configure.ac | |
8 | @@ -306,6 +306,9 @@ AC_ARG_WITH([rpath], | 8 | @@ -293,6 +293,9 @@ AC_ARG_WITH([rpath], | |
9 | ] | 9 | ] | |
10 | ) | 10 | ) | |
11 | 11 | |||
12 | +# pkgsrc handles any rpath settings this package needs | 12 | +# pkgsrc handles any rpath settings this package needs | |
13 | +need_dash_r= | 13 | +need_dash_r= | |
14 | + | 14 | + | |
15 | # Allow user to specify flags | 15 | # Allow user to specify flags | |
16 | AC_ARG_WITH([cflags], | 16 | AC_ARG_WITH([cflags], | |
17 | [ --with-cflags Specify additional flags to pass to compiler], | 17 | [ --with-cflags Specify additional flags to pass to compiler], | |
18 | @@ -379,6 +382,7 @@ AC_CHECK_HEADERS([ \ | 18 | @@ -386,6 +389,7 @@ AC_CHECK_HEADERS([ \ | |
19 | maillock.h \ | 19 | maillock.h \ | |
20 | ndir.h \ | 20 | ndir.h \ | |
21 | net/if_tun.h \ | 21 | net/if_tun.h \ | |
22 | + net/tun/if_tun.h \ | 22 | + net/tun/if_tun.h \ | |
23 | netdb.h \ | 23 | netdb.h \ | |
24 | netgroup.h \ | 24 | netgroup.h \ | |
25 | pam/pam_appl.h \ | 25 | pam/pam_appl.h \ | |
26 | @@ -695,6 +699,15 @@ main() { if (NSVersionOfRunTimeLibrary(" | 26 | @@ -736,6 +740,15 @@ main() { if (NSVersionOfRunTimeLibrary(" | |
27 | ;; | 27 | ;; | |
28 | esac | 28 | esac | |
29 | ;; | 29 | ;; | |
30 | +*-*-interix*) | 30 | +*-*-interix*) | |
31 | + AC_DEFINE(HAVE_INTERIX) | 31 | + AC_DEFINE(HAVE_INTERIX) | |
32 | + AC_DEFINE(DISABLE_FD_PASSING) | 32 | + AC_DEFINE(DISABLE_FD_PASSING) | |
33 | + AC_DEFINE(DISABLE_SHADOW) | 33 | + AC_DEFINE(DISABLE_SHADOW) | |
34 | + AC_DEFINE(IP_TOS_IS_BROKEN) | 34 | + AC_DEFINE(IP_TOS_IS_BROKEN) | |
35 | + AC_DEFINE(MISSING_HOWMANY) | 35 | + AC_DEFINE(MISSING_HOWMANY) | |
36 | + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) | 36 | + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) | |
37 | + AC_DEFINE(USE_PIPES) | 37 | + AC_DEFINE(USE_PIPES) | |
38 | + ;; | 38 | + ;; | |
39 | *-*-irix5*) | 39 | *-*-irix5*) | |
40 | PATH="$PATH:/usr/etc" | 40 | PATH="$PATH:/usr/etc" | |
41 | AC_DEFINE([BROKEN_INET_NTOA], [1], | 41 | AC_DEFINE([BROKEN_INET_NTOA], [1], | |
42 | @@ -1470,6 +1483,62 @@ AC_ARG_WITH([skey], | 42 | @@ -1493,6 +1506,62 @@ else | |
43 | ] | 43 | AC_MSG_RESULT([no]) | |
44 | ) | 44 | fi | |
45 | 45 | |||
46 | +# Check whether user wants TCP wrappers support | 46 | +# Check whether user wants TCP wrappers support | |
47 | +TCPW_MSG="no" | 47 | +TCPW_MSG="no" | |
48 | +AC_ARG_WITH([tcp-wrappers], | 48 | +AC_ARG_WITH([tcp-wrappers], | |
49 | + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | 49 | + [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)], | |
50 | + [ | 50 | + [ | |
51 | + if test "x$withval" != "xno" ; then | 51 | + if test "x$withval" != "xno" ; then | |
52 | + saved_LIBS="$LIBS" | 52 | + saved_LIBS="$LIBS" | |
53 | + saved_LDFLAGS="$LDFLAGS" | 53 | + saved_LDFLAGS="$LDFLAGS" | |
54 | + saved_CPPFLAGS="$CPPFLAGS" | 54 | + saved_CPPFLAGS="$CPPFLAGS" | |
55 | + if test -n "${withval}" && \ | 55 | + if test -n "${withval}" && \ | |
56 | + test "x${withval}" != "xyes"; then | 56 | + test "x${withval}" != "xyes"; then | |
57 | + if test -d "${withval}/lib"; then | 57 | + if test -d "${withval}/lib"; then | |
@@ -92,50 +92,50 @@ $NetBSD: patch-configure.ac,v 1.6 2017/0 | @@ -92,50 +92,50 @@ $NetBSD: patch-configure.ac,v 1.6 2017/0 | |||
92 | + TCPW_MSG="yes" | 92 | + TCPW_MSG="yes" | |
93 | + ], [ | 93 | + ], [ | |
94 | + AC_MSG_ERROR([*** libwrap missing]) | 94 | + AC_MSG_ERROR([*** libwrap missing]) | |
95 | + | 95 | + | |
96 | + ]) | 96 | + ]) | |
97 | + LIBS="$saved_LIBS" | 97 | + LIBS="$saved_LIBS" | |
98 | + fi | 98 | + fi | |
99 | + ] | 99 | + ] | |
100 | +) | 100 | +) | |
101 | + | 101 | + | |
102 | # Check whether user wants to use ldns | 102 | # Check whether user wants to use ldns | |
103 | LDNS_MSG="no" | 103 | LDNS_MSG="no" | |
104 | AC_ARG_WITH(ldns, | 104 | AC_ARG_WITH(ldns, | |
105 | @@ -4979,9 +5048,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | 105 | @@ -5189,9 +5258,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | |
106 | ]) | 106 | ]) | |
107 | if test -z "$conf_wtmpx_location"; then | 107 | if test -z "$conf_wtmpx_location"; then | |
108 | if test x"$system_wtmpx_path" = x"no" ; then | 108 | if test x"$system_wtmpx_path" = x"no" ; then | |
109 | - AC_DEFINE([DISABLE_WTMPX]) | 109 | - AC_DEFINE([DISABLE_WTMPX]) | |
110 | + for f in /var/log/wtmpx; do | 110 | + for f in /var/log/wtmpx; do | |
111 | + if test -f $f ; then | 111 | + if test -f $f ; then | |
112 | + conf_wtmpx_location=$f | 112 | + conf_wtmpx_location=$f | |
113 | + fi | 113 | + fi | |
114 | + done | 114 | + done | |
115 | + if test -z "$conf_wtmpx_location"; then | 115 | + if test -z "$conf_wtmpx_location"; then | |
116 | + AC_DEFINE(DISABLE_WTMPX) | 116 | + AC_DEFINE(DISABLE_WTMPX) | |
117 | + fi | 117 | + fi | |
118 | fi | 118 | fi | |
119 | -else | 119 | -else | |
120 | +fi | 120 | +fi | |
121 | +if test -n "$conf_wtmpx_location"; then | 121 | +if test -n "$conf_wtmpx_location"; then | |
122 | AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"], | 122 | AC_DEFINE_UNQUOTED([CONF_WTMPX_FILE], ["$conf_wtmpx_location"], | |
123 | [Define if you want to specify the path to your wtmpx file]) | 123 | [Define if you want to specify the path to your wtmpx file]) | |
124 | fi | 124 | fi | |
125 | @@ -5069,7 +5146,7 @@ echo "OpenSSH has been configured with t | 125 | @@ -5283,7 +5360,7 @@ echo "OpenSSH has been configured with t | |
126 | echo " User binaries: $B" | 126 | echo " User binaries: $B" | |
127 | echo " System binaries: $C" | 127 | echo " System binaries: $C" | |
128 | echo " Configuration files: $D" | 128 | echo " Configuration files: $D" | |
129 | -echo " Askpass program: $E" | 129 | -echo " Askpass program: $E" | |
130 | +echo " Askpass program: ${ASKPASS_PROGRAM}" | 130 | +echo " Askpass program: ${ASKPASS_PROGRAM}" | |
131 | echo " Manual pages: $F" | 131 | echo " Manual pages: $F" | |
132 | echo " PID file: $G" | 132 | echo " PID file: $G" | |
133 | echo " Privilege separation chroot path: $H" | 133 | echo " Privilege separation chroot path: $H" | |
134 | @@ -5093,6 +5170,7 @@ echo " KerberosV support | 134 | @@ -5305,6 +5382,7 @@ echo " PAM support | |
135 | echo " OSF SIA support: $SIA_MSG" | |||
136 | echo " KerberosV support: $KRB5_MSG" | |||
135 | echo " SELinux support: $SELINUX_MSG" | 137 | echo " SELinux support: $SELINUX_MSG" | |
136 | echo " Smartcard support: $SCARD_MSG" | |||
137 | echo " S/KEY support: $SKEY_MSG" | |||
138 | +echo " TCP Wrappers support: $TCPW_MSG" | 138 | +echo " TCP Wrappers support: $TCPW_MSG" | |
139 | echo " MD5 password support: $MD5_MSG" | 139 | echo " MD5 password support: $MD5_MSG" | |
140 | echo " libedit support: $LIBEDIT_MSG" | 140 | echo " libedit support: $LIBEDIT_MSG" | |
141 | echo " libldns support: $LDNS_MSG" | 141 | echo " libldns support: $LDNS_MSG" |
@@ -1,40 +1,45 @@ | @@ -1,40 +1,45 @@ | |||
1 | $NetBSD: patch-openbsd-compat_port-tun.c,v 1.3 2016/01/18 12:53:26 jperkin Exp $ | 1 | $NetBSD: patch-openbsd-compat_port-tun.c,v 1.4 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | if_tun.h can be found in net/tun | 3 | if_tun.h can be found in net/tun | |
4 | 4 | |||
5 | --- openbsd-compat/port-tun.c.orig 2015-08-21 04:49:03.000000000 +0000 | 5 | --- openbsd-compat/port-net.c.orig 2018-10-17 00:01:20.000000000 +0000 | |
6 | +++ openbsd-compat/port-tun.c | 6 | +++ openbsd-compat/port-net.c | |
7 | @@ -111,6 +111,10 @@ sys_tun_open(int tun, int mode) | 7 | @@ -1,3 +1,4 @@ | |
8 | + | |||
9 | /* | |||
10 | * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org> | |||
11 | * | |||
12 | @@ -200,6 +201,10 @@ sys_tun_open(int tun, int mode, char **i | |||
8 | #include <sys/socket.h> | 13 | #include <sys/socket.h> | |
9 | #include <net/if.h> | 14 | #include <net/if.h> | |
10 | 15 | |||
11 | +#ifdef HAVE_NET_TUN_IF_TUN_H | 16 | +#ifdef HAVE_NET_TUN_IF_TUN_H | |
12 | +#include <net/tun/if_tun.h> | 17 | +#include <net/tun/if_tun.h> | |
13 | +#endif | 18 | +#endif | |
14 | + | 19 | + | |
15 | #ifdef HAVE_NET_IF_TUN_H | 20 | #ifdef HAVE_NET_IF_TUN_H | |
16 | #include <net/if_tun.h> | 21 | #include <net/if_tun.h> | |
17 | #endif | 22 | #endif | |
18 | @@ -120,7 +124,10 @@ sys_tun_open(int tun, int mode) | 23 | @@ -209,7 +214,10 @@ sys_tun_open(int tun, int mode, char **i | |
19 | { | 24 | { | |
20 | struct ifreq ifr; | 25 | struct ifreq ifr; | |
21 | char name[100]; | 26 | char name[100]; | |
22 | - int fd = -1, sock, flag; | 27 | - int fd = -1, sock, flag; | |
23 | + int fd = -1, sock; | 28 | + int fd = -1, sock; | |
24 | +#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF) | 29 | +#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF) | |
25 | + int flag; | 30 | + int flag; | |
26 | +#endif | 31 | +#endif | |
27 | const char *tunbase = "tun"; | 32 | const char *tunbase = "tun"; | |
28 | 33 | |||
29 | if (mode == SSH_TUNMODE_ETHERNET) { | 34 | if (ifname != NULL) | |
30 | @@ -154,9 +161,9 @@ sys_tun_open(int tun, int mode) | 35 | @@ -246,9 +254,9 @@ sys_tun_open(int tun, int mode, char **i | |
31 | return (-1); | 36 | return (-1); | |
32 | } | 37 | } | |
33 | 38 | |||
34 | +#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF) | 39 | +#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF) | |
35 | /* Turn on tunnel headers */ | 40 | /* Turn on tunnel headers */ | |
36 | flag = 1; | 41 | flag = 1; | |
37 | -#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF) | 42 | -#if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF) | |
38 | if (mode != SSH_TUNMODE_ETHERNET && | 43 | if (mode != SSH_TUNMODE_ETHERNET && | |
39 | ioctl(fd, TUNSIFHEAD, &flag) == -1) { | 44 | ioctl(fd, TUNSIFHEAD, &flag) == -1) { | |
40 | debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd, | 45 | debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd, |
@@ -1,66 +1,65 @@ | @@ -1,66 +1,65 @@ | |||
1 | $NetBSD: patch-session.c,v 1.8 2016/12/30 04:43:16 taca Exp $ | 1 | $NetBSD: patch-session.c,v 1.9 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | * Interix support. | 3 | * Interix support. | |
4 | 4 | |||
5 | --- session.c.orig 2016-12-19 04:59:41.000000000 +0000 | 5 | --- session.c.orig 2018-10-17 00:01:20.000000000 +0000 | |
6 | +++ session.c | 6 | +++ session.c | |
7 | @@ -934,7 +934,7 @@ read_etc_default_login(char ***env, u_in | 7 | @@ -959,7 +959,7 @@ read_etc_default_login(char ***env, u_in | |
8 | if (tmpenv == NULL) | 8 | if (tmpenv == NULL) | |
9 | return; | 9 | return; | |
10 | 10 | |||
11 | - if (uid == 0) | 11 | - if (uid == 0) | |
12 | + if (uid == ROOTUID) | 12 | + if (uid == ROOTUID) | |
13 | var = child_get_env(tmpenv, "SUPATH"); | 13 | var = child_get_env(tmpenv, "SUPATH"); | |
14 | else | 14 | else | |
15 | var = child_get_env(tmpenv, "PATH"); | 15 | var = child_get_env(tmpenv, "PATH"); | |
16 | @@ -1042,7 +1042,7 @@ do_setup_env(Session *s, const char *she | 16 | @@ -1077,7 +1077,7 @@ do_setup_env(struct ssh *ssh, Session *s | |
17 | # endif /* HAVE_ETC_DEFAULT_LOGIN */ | 17 | # endif /* HAVE_ETC_DEFAULT_LOGIN */ | |
18 | if (path == NULL || *path == '\0') { | 18 | if (path == NULL || *path == '\0') { | |
19 | child_set_env(&env, &envsize, "PATH", | 19 | child_set_env(&env, &envsize, "PATH", | |
20 | - s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH); | 20 | - s->pw->pw_uid == 0 ? SUPERUSER_PATH : _PATH_STDPATH); | |
21 | + s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH); | 21 | + s->pw->pw_uid == ROOTUID ? SUPERUSER_PATH : _PATH_STDPATH); | |
22 | } | 22 | } | |
23 | # endif /* HAVE_CYGWIN */ | 23 | # endif /* HAVE_CYGWIN */ | |
24 | #endif /* HAVE_LOGIN_CAP */ | 24 | #endif /* HAVE_LOGIN_CAP */ | |
25 | @@ -1154,6 +1154,18 @@ do_setup_env(Session *s, const char *she | 25 | @@ -1209,6 +1209,17 @@ do_setup_env(struct ssh *ssh, Session *s | |
26 | strcmp(pw->pw_dir, "/") ? pw->pw_dir : ""); | 26 | child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", | |
27 | read_environment_file(&env, &envsize, buf); | 27 | original_command); | |
28 | } | 28 | ||
29 | + | |||
30 | +#ifdef HAVE_INTERIX | 29 | +#ifdef HAVE_INTERIX | |
31 | + { | 30 | + { | |
32 | + /* copy standard Windows environment, then apply changes */ | 31 | + /* copy standard Windows environment, then apply changes */ | |
33 | + env_t *winenv = env_login(pw); | 32 | + env_t *winenv = env_login(pw); | |
34 | + env_putarray(winenv, env, ENV_OVERRIDE); | 33 | + env_putarray(winenv, env, ENV_OVERRIDE); | |
35 | + | 34 | + | |
36 | + /* swap over to altered environment as a traditional array */ | 35 | + /* swap over to altered environment as a traditional array */ | |
37 | + env = env_array(winenv); | 36 | + env = env_array(winenv); | |
38 | + } | 37 | + } | |
39 | +#endif | 38 | +#endif | |
40 | + | 39 | + | |
41 | if (debug_flag) { | 40 | if (debug_flag) { | |
42 | /* dump the environment */ | 41 | /* dump the environment */ | |
43 | fprintf(stderr, "Environment:\n"); | 42 | fprintf(stderr, "Environment:\n"); | |
44 | @@ -1345,11 +1357,13 @@ do_setusercontext(struct passwd *pw) | 43 | @@ -1400,11 +1411,13 @@ do_setusercontext(struct passwd *pw) | |
45 | perror("setgid"); | 44 | perror("setgid"); | |
46 | exit(1); | 45 | exit(1); | |
47 | } | 46 | } | |
48 | +# if !defined(HAVE_INTERIX) | 47 | +# if !defined(HAVE_INTERIX) | |
49 | /* Initialize the group list. */ | 48 | /* Initialize the group list. */ | |
50 | if (initgroups(pw->pw_name, pw->pw_gid) < 0) { | 49 | if (initgroups(pw->pw_name, pw->pw_gid) < 0) { | |
51 | perror("initgroups"); | 50 | perror("initgroups"); | |
52 | exit(1); | 51 | exit(1); | |
53 | } | 52 | } | |
54 | +# endif /* !HAVE_INTERIX */ | 53 | +# endif /* !HAVE_INTERIX */ | |
55 | endgrent(); | 54 | endgrent(); | |
56 | #endif | 55 | #endif | |
57 | 56 | |||
58 | @@ -2148,7 +2162,7 @@ session_pty_cleanup2(Session *s) | 57 | @@ -2275,7 +2288,7 @@ session_pty_cleanup2(Session *s) | |
59 | record_logout(s->pid, s->tty, s->pw->pw_name); | 58 | record_logout(s->pid, s->tty, s->pw->pw_name); | |
60 | 59 | |||
61 | /* Release the pseudo-tty. */ | 60 | /* Release the pseudo-tty. */ | |
62 | - if (getuid() == 0) | 61 | - if (getuid() == 0) | |
63 | + if (getuid() == ROOTUID) | 62 | + if (getuid() == ROOTUID) | |
64 | pty_release(s->tty); | 63 | pty_release(s->tty); | |
65 | 64 | |||
66 | /* | 65 | /* |
@@ -1,143 +1,143 @@ | @@ -1,143 +1,143 @@ | |||
1 | $NetBSD: patch-sshd.c,v 1.9 2017/10/04 11:44:14 wiz Exp $ | 1 | $NetBSD: patch-sshd.c,v 1.10 2019/01/18 20:13:37 tnn Exp $ | |
2 | 2 | |||
3 | * Interix support | 3 | * Interix support | |
4 | * Revive tcp_wrappers support. | 4 | * Revive tcp_wrappers support. | |
5 | 5 | |||
6 | --- sshd.c.orig 2017-10-02 19:34:26.000000000 +0000 | 6 | --- sshd.c.orig 2018-10-17 00:01:20.000000000 +0000 | |
7 | +++ sshd.c | 7 | +++ sshd.c | |
8 | @@ -122,6 +122,13 @@ | 8 | @@ -123,6 +123,13 @@ | |
9 | #include "version.h" | 9 | #include "version.h" | |
10 | #include "ssherr.h" | 10 | #include "ssherr.h" | |
11 | 11 | |||
12 | +#ifdef LIBWRAP | 12 | +#ifdef LIBWRAP | |
13 | +#include <tcpd.h> | 13 | +#include <tcpd.h> | |
14 | +#include <syslog.h> | 14 | +#include <syslog.h> | |
15 | +int allow_severity; | 15 | +int allow_severity; | |
16 | +int deny_severity; | 16 | +int deny_severity; | |
17 | +#endif /* LIBWRAP */ | 17 | +#endif /* LIBWRAP */ | |
18 | + | 18 | + | |
19 | /* Re-exec fds */ | 19 | /* Re-exec fds */ | |
20 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | 20 | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) | |
21 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | 21 | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) | |
22 | @@ -219,7 +226,11 @@ int *startup_pipes = NULL; | 22 | @@ -225,7 +232,11 @@ int *startup_pipes = NULL; | |
23 | int startup_pipe; /* in child */ | 23 | int startup_pipe; /* in child */ | |
24 | 24 | |||
25 | /* variables used for privilege separation */ | 25 | /* variables used for privilege separation */ | |
26 | +#ifdef HAVE_INTERIX | 26 | +#ifdef HAVE_INTERIX | |
27 | +int use_privsep = 0; | 27 | +int use_privsep = 0; | |
28 | +#else | 28 | +#else | |
29 | int use_privsep = -1; | 29 | int use_privsep = -1; | |
30 | +#endif | 30 | +#endif | |
31 | struct monitor *pmonitor = NULL; | 31 | struct monitor *pmonitor = NULL; | |
32 | int privsep_is_preauth = 1; | 32 | int privsep_is_preauth = 1; | |
33 | static int privsep_chroot = 1; | 33 | static int privsep_chroot = 1; | |
34 | @@ -550,10 +561,15 @@ privsep_preauth_child(void) | 34 | @@ -556,10 +567,15 @@ privsep_preauth_child(void) | |
35 | /* Drop our privileges */ | 35 | /* Drop our privileges */ | |
36 | debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, | 36 | debug3("privsep user:group %u:%u", (u_int)privsep_pw->pw_uid, | |
37 | (u_int)privsep_pw->pw_gid); | 37 | (u_int)privsep_pw->pw_gid); | |
38 | +#ifdef HAVE_INTERIX | 38 | +#ifdef HAVE_INTERIX | |
39 | + if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE)) | 39 | + if (setuser(privsep_pw->pw_name, NULL, SU_COMPLETE)) | |
40 | + fatal("setuser: %.100s", strerror(errno)); | 40 | + fatal("setuser: %.100s", strerror(errno)); | |
41 | +#else | 41 | +#else | |
42 | gidset[0] = privsep_pw->pw_gid; | 42 | gidset[0] = privsep_pw->pw_gid; | |
43 | if (setgroups(1, gidset) < 0) | 43 | if (setgroups(1, gidset) < 0) | |
44 | fatal("setgroups: %.100s", strerror(errno)); | 44 | fatal("setgroups: %.100s", strerror(errno)); | |
45 | permanently_set_uid(privsep_pw); | 45 | permanently_set_uid(privsep_pw); | |
46 | +#endif /* HAVE_INTERIX */ | 46 | +#endif /* HAVE_INTERIX */ | |
47 | } | 47 | } | |
48 | } | 48 | } | |
49 | 49 | |||
50 | @@ -617,10 +633,17 @@ privsep_preauth(Authctxt *authctxt) | 50 | @@ -623,10 +639,17 @@ privsep_preauth(Authctxt *authctxt) | |
51 | /* Arrange for logging to be sent to the monitor */ | 51 | /* Arrange for logging to be sent to the monitor */ | |
52 | set_log_handler(mm_log_handler, pmonitor); | 52 | set_log_handler(mm_log_handler, pmonitor); | |
53 | 53 | |||
54 | +#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__ | 54 | +#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__ | |
55 | + /* We need to do this before we chroot() so we can read sshd.sb */ | 55 | + /* We need to do this before we chroot() so we can read sshd.sb */ | |
56 | + if (box != NULL) | 56 | + if (box != NULL) | |
57 | + ssh_sandbox_child(box); | 57 | + ssh_sandbox_child(box); | |
58 | +#endif | 58 | +#endif | |
59 | privsep_preauth_child(); | 59 | privsep_preauth_child(); | |
60 | setproctitle("%s", "[net]"); | 60 | setproctitle("%s", "[net]"); | |
61 | +#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__ | 61 | +#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__ | |
62 | if (box != NULL) | 62 | if (box != NULL) | |
63 | ssh_sandbox_child(box); | 63 | ssh_sandbox_child(box); | |
64 | +#endif | 64 | +#endif | |
65 | 65 | |||
66 | return 0; | 66 | return 0; | |
67 | } | 67 | } | |
68 | @@ -632,7 +655,7 @@ privsep_postauth(Authctxt *authctxt) | 68 | @@ -638,7 +661,7 @@ privsep_postauth(Authctxt *authctxt) | |
69 | #ifdef DISABLE_FD_PASSING | 69 | #ifdef DISABLE_FD_PASSING | |
70 | if (1) { | 70 | if (1) { | |
71 | #else | 71 | #else | |
72 | - if (authctxt->pw->pw_uid == 0) { | 72 | - if (authctxt->pw->pw_uid == 0) { | |
73 | + if (authctxt->pw->pw_uid == ROOTUID) { | 73 | + if (authctxt->pw->pw_uid == ROOTUID) { | |
74 | #endif | 74 | #endif | |
75 | /* File descriptor passing is broken or root login */ | 75 | /* File descriptor passing is broken or root login */ | |
76 | use_privsep = 0; | 76 | use_privsep = 0; | |
77 | @@ -1393,8 +1416,10 @@ main(int ac, char **av) | 77 | @@ -1504,8 +1527,10 @@ main(int ac, char **av) | |
78 | av = saved_argv; | 78 | av = saved_argv; | |
79 | #endif | 79 | #endif | |
80 | 80 | |||
81 | - if (geteuid() == 0 && setgroups(0, NULL) == -1) | 81 | - if (geteuid() == 0 && setgroups(0, NULL) == -1) | |
82 | +#ifndef HAVE_INTERIX | 82 | +#ifndef HAVE_INTERIX | |
83 | + if (geteuid() == ROOTUID && setgroups(0, NULL) == -1) | 83 | + if (geteuid() == ROOTUID && setgroups(0, NULL) == -1) | |
84 | debug("setgroups(): %.200s", strerror(errno)); | 84 | debug("setgroups(): %.200s", strerror(errno)); | |
85 | +#endif | 85 | +#endif | |
86 | 86 | |||
87 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | 87 | /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ | |
88 | sanitise_stdfd(); | 88 | sanitise_stdfd(); | |
89 | @@ -1636,7 +1661,7 @@ main(int ac, char **av) | 89 | @@ -1730,7 +1755,7 @@ main(int ac, char **av) | |
90 | ); | 90 | ); | |
91 | 91 | |||
92 | /* Store privilege separation user for later use if required. */ | 92 | /* Store privilege separation user for later use if required. */ | |
93 | - privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0); | 93 | - privsep_chroot = use_privsep && (getuid() == 0 || geteuid() == 0); | |
94 | + privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID); | 94 | + privsep_chroot = use_privsep && (getuid() == ROOTUID || geteuid() == ROOTUID); | |
95 | if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { | 95 | if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) { | |
96 | if (privsep_chroot || options.kerberos_authentication) | 96 | if (privsep_chroot || options.kerberos_authentication) | |
97 | fatal("Privilege separation user %s does not exist", | 97 | fatal("Privilege separation user %s does not exist", | |
98 | @@ -1769,7 +1794,7 @@ main(int ac, char **av) | 98 | @@ -1871,7 +1896,7 @@ main(int ac, char **av) | |
99 | (st.st_uid != getuid () || | 99 | (st.st_uid != getuid () || | |
100 | (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) | 100 | (st.st_mode & (S_IWGRP|S_IWOTH)) != 0)) | |
101 | #else | 101 | #else | |
102 | - if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) | 102 | - if (st.st_uid != 0 || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) | |
103 | + if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) | 103 | + if (st.st_uid != ROOTUID || (st.st_mode & (S_IWGRP|S_IWOTH)) != 0) | |
104 | #endif | 104 | #endif | |
105 | fatal("%s must be owned by root and not group or " | 105 | fatal("%s must be owned by root and not group or " | |
106 | "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); | 106 | "world-writable.", _PATH_PRIVSEP_CHROOT_DIR); | |
107 | @@ -1792,8 +1817,10 @@ main(int ac, char **av) | 107 | @@ -1899,8 +1924,10 @@ main(int ac, char **av) | |
108 | * to create a file, and we can't control the code in every | 108 | * to create a file, and we can't control the code in every | |
109 | * module which might be used). | 109 | * module which might be used). | |
110 | */ | 110 | */ | |
111 | +#ifndef HAVE_INTERIX | 111 | +#ifndef HAVE_INTERIX | |
112 | if (setgroups(0, NULL) < 0) | 112 | if (setgroups(0, NULL) < 0) | |
113 | debug("setgroups() failed: %.200s", strerror(errno)); | 113 | debug("setgroups() failed: %.200s", strerror(errno)); | |
114 | +#endif | 114 | +#endif | |
115 | 115 | |||
116 | if (rexec_flag) { | 116 | if (rexec_flag) { | |
117 | rexec_argv = xcalloc(rexec_argc + 2, sizeof(char *)); | 117 | if (rexec_argc < 0) | |
118 | @@ -1981,6 +2008,25 @@ main(int ac, char **av) | 118 | @@ -2093,6 +2120,25 @@ main(int ac, char **av) | |
119 | audit_connection_from(remote_ip, remote_port); | 119 | audit_connection_from(remote_ip, remote_port); | |
120 | #endif | 120 | #endif | |
121 | 121 | |||
122 | +#ifdef LIBWRAP | 122 | +#ifdef LIBWRAP | |
123 | + allow_severity = options.log_facility|LOG_INFO; | 123 | + allow_severity = options.log_facility|LOG_INFO; | |
124 | + deny_severity = options.log_facility|LOG_WARNING; | 124 | + deny_severity = options.log_facility|LOG_WARNING; | |
125 | + /* Check whether logins are denied from this host. */ | 125 | + /* Check whether logins are denied from this host. */ | |
126 | + if (packet_connection_is_on_socket()) { | 126 | + if (packet_connection_is_on_socket()) { | |
127 | + struct request_info req; | 127 | + struct request_info req; | |
128 | + | 128 | + | |
129 | + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | 129 | + request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0); | |
130 | + fromhost(&req); | 130 | + fromhost(&req); | |
131 | + | 131 | + | |
132 | + if (!hosts_access(&req)) { | 132 | + if (!hosts_access(&req)) { | |
133 | + debug("Connection refused by tcp wrapper"); | 133 | + debug("Connection refused by tcp wrapper"); | |
134 | + refuse(&req); | 134 | + refuse(&req); | |
135 | + /* NOTREACHED */ | 135 | + /* NOTREACHED */ | |
136 | + fatal("libwrap refuse returns"); | 136 | + fatal("libwrap refuse returns"); | |
137 | + } | 137 | + } | |
138 | + } | 138 | + } | |
139 | +#endif /* LIBWRAP */ | 139 | +#endif /* LIBWRAP */ | |
140 | + | 140 | + | |
141 | rdomain = ssh_packet_rdomain_in(ssh); | |||
142 | ||||
141 | /* Log the connection. */ | 143 | /* Log the connection. */ | |
142 | laddr = get_local_ipaddr(sock_in); | |||
143 | verbose("Connection from %s port %d on %s port %d", |