From c512ae8ac925c933208cd6c71172336ffe482637 Mon Sep 17 00:00:00 2001 From: Brian Feldman Date: Sat, 4 Nov 2000 23:04:25 +0000 Subject: [PATCH] Update to OpenSSH 2.2.0. This is an end-of-life update for the ports-based OpenSSH. OpenSSH has been in the base system for more than long enough to justify not having to maintain two separate FreeBSD versions of OpenSSH. --- security/openssh/Makefile | 2 +- security/openssh/distinfo | 2 +- security/openssh/files/pam_ssh.c | 2 +- security/openssh/files/patch-ad | 12 +- security/openssh/files/patch-af | 19 +-- security/openssh/files/patch-ag | 25 ++-- security/openssh/files/patch-ah | 19 +-- security/openssh/files/patch-ai | 22 +-- security/openssh/files/patch-aj | 22 +-- security/openssh/files/patch-am | 15 ++- security/openssh/files/patch-an | 101 -------------- security/openssh/files/patch-ao | 25 ++-- security/openssh/files/patch-ap | 63 --------- security/openssh/files/patch-ar | 32 ----- security/openssh/files/patch-au | 225 ++++++------------------------- security/openssh/files/patch-av | 16 +-- 16 files changed, 109 insertions(+), 493 deletions(-) delete mode 100644 security/openssh/files/patch-ap diff --git a/security/openssh/Makefile b/security/openssh/Makefile index 0e77130e5ad7..ec4187926bd3 100644 --- a/security/openssh/Makefile +++ b/security/openssh/Makefile @@ -6,7 +6,7 @@ # PORTNAME= OpenSSH -PORTVERSION= 2.1.1 +PORTVERSION= 2.2.0 CATEGORIES= security MASTER_SITES= ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/ \ ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/ \ diff --git a/security/openssh/distinfo b/security/openssh/distinfo index f01380f39a67..a6aa659575ed 100644 --- a/security/openssh/distinfo +++ b/security/openssh/distinfo @@ -1 +1 @@ -MD5 (openssh-2.1.1.tgz) = ed323003ae30bfb9bd1e2a899a32e765 +MD5 (openssh-2.2.0.tgz) = 8ecfebc800f1c0646cbe09231a012764 diff --git a/security/openssh/files/pam_ssh.c b/security/openssh/files/pam_ssh.c index 7ee0788c4144..4068bafd9d7c 100644 
--- a/security/openssh/files/pam_ssh.c +++ b/security/openssh/files/pam_ssh.c @@ -443,7 +443,7 @@ pam_sm_open_session( env_destroy(ssh_env); return PAM_SESSION_ERR; } - retval = ssh_add_identity(ac, key.rsa, comment); + retval = ssh_add_identity(ac, &key, comment); ssh_close_authentication_connection(ac); env_swap(ssh_env, 0); return retval ? PAM_SUCCESS : PAM_SESSION_ERR; diff --git a/security/openssh/files/patch-ad b/security/openssh/files/patch-ad index 165f5ae2379e..497f53dda38c 100644 --- a/security/openssh/files/patch-ad +++ b/security/openssh/files/patch-ad @@ -1,12 +1,12 @@ ---- lib/Makefile.orig Wed May 17 01:20:16 2000 -+++ lib/Makefile Tue Jun 20 16:14:06 2000 +--- lib/Makefile.orig Sat Aug 19 17:34:44 2000 ++++ lib/Makefile Sat Nov 4 16:41:11 2000 @@ -5,7 +5,12 @@ - cipher.c compat.c compress.c crc32.c deattack.c fingerprint.c \ + cipher.c compat.c compress.c crc32.c deattack.c \ hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \ rsa.c tildexpand.c ttymodes.c uidswap.c xmalloc.c atomicio.c \ -- key.c dispatch.c dsa.c kex.c hmac.c uuencode.c aux.c -+ key.c dispatch.c dsa.c kex.c hmac.c uuencode.c aux.c \ -+ strlcat.c strlcpy.c +- key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c ++ key.c dispatch.c dsa.c kex.c hmac.c uuencode.c util.c \ ++ strlcpy.c strlcat.c + +.if defined(COMPAT_GETADDRINFO) +SRCS+= getaddrinfo.c getnameinfo.c name6.c rcmd.c bindresvport.c diff --git a/security/openssh/files/patch-af b/security/openssh/files/patch-af index 4e7ebf6d6cba..0c181dd81cd0 100644 --- a/security/openssh/files/patch-af +++ b/security/openssh/files/patch-af 
@@ -1,20 +1,11 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/scp/Makefile Mon Oct 25 16:27:26 1999 -+++ ./scp/Makefile Tue Nov 23 19:23:58 1999 -@@ -2,16 +2,9 @@ +--- scp/Makefile.orig Thu Jun 29 14:35:46 2000 ++++ scp/Makefile Sat Nov 4 16:44:18 2000 +@@ -5,8 +5,8 @@ + + BINMODE?=555 - PROG= scp - BINOWN= root -- --.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ -- ${MACHINE_ARCH} == "hppa") --BINMODE=0000 --.else --BINMODE?=555 --.endif -- -BINDIR= /usr/bin -MAN= scp.1 -+BINMODE=555 +BINDIR= /bin +MAN1= scp.1 diff --git a/security/openssh/files/patch-ag b/security/openssh/files/patch-ag index d9170272757b..366125f8eb1b 100644 --- a/security/openssh/files/patch-ag +++ b/security/openssh/files/patch-ag @@ -1,26 +1,17 @@ ---- ssh/Makefile.orig Wed Apr 26 17:31:58 2000 -+++ ssh/Makefile Sun Jul 30 15:09:14 2000 -@@ -2,16 +2,10 @@ +--- ssh/Makefile.orig Thu Jun 29 14:35:47 2000 ++++ ssh/Makefile Sat Nov 4 16:58:41 2000 +@@ -5,8 +5,8 @@ - PROG= ssh - BINOWN= root -+BINMODE=4555 -+BINDIR= /bin -+MAN1= ssh.1 + BINMODE?=4555 --.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ -- ${MACHINE_ARCH} == "hppa") --BINMODE=0000 --.else --BINMODE?=4555 --.endif -- -BINDIR= /usr/bin -MAN= ssh.1 ++BINDIR= /bin ++MAN1= ssh.1 LINKS= ${BINDIR}/ssh ${BINDIR}/slogin MLINKS= ssh.1 slogin.1 -@@ -19,10 +13,11 @@ +@@ -14,10 +14,11 @@ sshconnect.c sshconnect1.c sshconnect2.c .include # for AFS @@ -34,7 +25,7 @@ DPADD+= ${LIBKRB} .if (${AFS} == "yes") CFLAGS+= -DAFS -@@ -32,6 +27,7 @@ +@@ -27,6 +28,7 @@ .endif # KERBEROS .include diff --git a/security/openssh/files/patch-ah b/security/openssh/files/patch-ah index 95b32a341276..a31814e3b0c0 100644 --- a/security/openssh/files/patch-ah +++ b/security/openssh/files/patch-ah 
@@ -1,20 +1,11 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh-add/Makefile Wed Oct 27 12:54:48 1999 -+++ ./ssh-add/Makefile Tue Nov 23 19:26:48 1999 -@@ -2,20 +2,13 @@ +--- ssh-add/Makefile.orig Thu Jun 29 14:35:47 2000 ++++ ssh-add/Makefile Sat Nov 4 17:01:50 2000 +@@ -5,12 +5,12 @@ + + BINMODE?=555 - PROG= ssh-add - BINOWN= root -- --.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ -- ${MACHINE_ARCH} == "hppa") --BINMODE=0000 --.else --BINMODE?=555 --.endif -- -BINDIR= /usr/bin -MAN= ssh-add.1 -+BINMODE=555 +BINDIR= /bin +MAN1= ssh-add.1 diff --git a/security/openssh/files/patch-ai b/security/openssh/files/patch-ai index 519c4e727f15..ed25eab56559 100644 --- a/security/openssh/files/patch-ai +++ b/security/openssh/files/patch-ai @@ -1,21 +1,13 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh-agent/Makefile Wed Oct 27 12:54:49 1999 -+++ ./ssh-agent/Makefile Tue Nov 23 19:27:38 1999 -@@ -2,20 +2,13 @@ +--- ssh-agent/Makefile.orig Thu Jun 29 14:35:48 2000 ++++ ssh-agent/Makefile Sat Nov 4 17:06:34 2000 +@@ -5,12 +5,12 @@ + + BINMODE?=555 - PROG= ssh-agent - BINOWN= root -- --.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ -- ${MACHINE_ARCH} == "hppa") --BINMODE=0000 --.else --BINMODE?=555 --.endif -- -BINDIR= /usr/bin -+BINMODE=555 +-MAN= ssh-agent.1 +BINDIR= /bin - MAN= ssh-agent.1 ++MAN1= ssh-agent.1 SRCS= ssh-agent.c log-client.c diff --git a/security/openssh/files/patch-aj b/security/openssh/files/patch-aj index 9f9c0fcd64da..d48741d214ae 100644 --- a/security/openssh/files/patch-aj +++ b/security/openssh/files/patch-aj 
@@ -1,21 +1,13 @@ ---- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/ssh-keygen/Makefile Wed Oct 27 12:54:49 1999 -+++ ./ssh-keygen/Makefile Tue Nov 23 19:28:07 1999 -@@ -2,20 +2,13 @@ +--- ssh-keygen/Makefile.orig Thu Jun 29 14:35:48 2000 ++++ ssh-keygen/Makefile Sat Nov 4 17:06:49 2000 +@@ -5,12 +5,12 @@ + + BINMODE?=555 - PROG= ssh-keygen - BINOWN= root -- --.if (${MACHINE_ARCH} == "alpha" || ${MACHINE_ARCH} == "powerpc" || \ -- ${MACHINE_ARCH} == "hppa") --BINMODE=0000 --.else --BINMODE?=555 --.endif -- -BINDIR= /usr/bin -+BINMODE=555 +-MAN= ssh-keygen.1 +BINDIR= /bin - MAN= ssh-keygen.1 ++MAN1= ssh-keygen.1 SRCS= ssh-keygen.c log-client.c diff --git a/security/openssh/files/patch-am b/security/openssh/files/patch-am index fee853eadee2..8c88701f8682 100644 --- a/security/openssh/files/patch-am +++ b/security/openssh/files/patch-am @@ -1,6 +1,6 @@ ---- sshd/Makefile.orig Wed Apr 26 17:31:57 2000 -+++ sshd/Makefile Sun Jul 30 15:09:25 2000 -@@ -3,14 +3,15 @@ +--- sshd/Makefile.orig Sun Aug 20 14:42:41 2000 ++++ sshd/Makefile Sat Nov 4 17:08:36 2000 +@@ -3,8 +3,8 @@ PROG= sshd BINOWN= root BINMODE=555 @@ -8,17 +8,18 @@ -MAN= sshd.8 +BINDIR= /sbin +MAN8= sshd.8 + CFLAGS+=-DHAVE_LOGIN_CAP SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ - pty.c log-server.c login.c servconf.c serverloop.c \ - auth.c auth1.c auth2.c session.c +@@ -12,6 +12,7 @@ + auth.c auth1.c auth2.c auth-options.c session.c .include # for KERBEROS and AFS +.include "../Makefile.inc" .if (${KERBEROS} == "yes") .if (${AFS} == "yes") -@@ -18,9 +19,9 @@ +@@ -19,9 +20,9 @@ LDADD+= -lkafs DPADD+= ${LIBKRBAFS} .endif # AFS @@ -30,7 +31,7 @@ DPADD+= ${LIBKRB} .endif # KERBEROS -@@ -30,7 +31,7 @@ +@@ -31,7 +32,7 @@ .include diff --git a/security/openssh/files/patch-an b/security/openssh/files/patch-an index 47a60fb490e0..b26ba76bfa14 100644 --- a/security/openssh/files/patch-an +++ b/security/openssh/files/patch-an 
@@ -14,104 +14,3 @@ #ifndef O_NOCTTY #define O_NOCTTY 0 #endif -@@ -134,6 +141,32 @@ - unsigned char *session_id2 = NULL; - int session_id2_len = 0; - -+/* These are used to implement connections_per_period. */ -+struct magic_connection { -+ struct timeval connections_begin; -+ unsigned int connections_this_period; -+} *magic_connections; -+/* Magic number, too! TODO: this doesn't have to be static. */ -+const size_t MAGIC_CONNECTIONS_SIZE = 1; -+ -+static __inline int -+magic_hash(struct sockaddr_storage *sa) { -+ -+ return 0; -+} -+ -+static __inline struct timeval -+timevaldiff(struct timeval *tv1, struct timeval *tv2) { -+ struct timeval diff; -+ int carry; -+ -+ carry = tv1->tv_usec > tv2->tv_usec; -+ diff.tv_sec = tv2->tv_sec - tv1->tv_sec - (carry ? 0 : 1); -+ diff.tv_usec = tv2->tv_usec - tv1->tv_usec + (carry ? 1000000 : 0); -+ -+ return diff; -+} -+ - /* Prototypes for various functions defined later in this file. */ - void do_ssh1_kex(); - void do_ssh2_kex(); -@@ -418,6 +451,7 @@ - int opt, sock_in = 0, sock_out = 0, newsock, i, fdsetsz, on = 1; - pid_t pid; - socklen_t fromlen; -+ int connections_per_period_exceeded = 0; - int silent = 0; - fd_set *fdset; - struct sockaddr_storage from; -@@ -763,6 +797,12 @@ - fdsetsz = howmany(maxfd, NFDBITS) * sizeof(fd_mask); - fdset = (fd_set *)xmalloc(fdsetsz); - -+ /* Initialize the magic_connections table. It's magical! */ -+ magic_connections = calloc(MAGIC_CONNECTIONS_SIZE, -+ sizeof(struct magic_connection)); -+ if (magic_connections == NULL) -+ fatal("calloc: %s", strerror(errno)); -+ - /* - * Stay listening for connections until the system crashes or - * the daemon is killed with a signal. 
-@@ -794,9 +834,31 @@ - error("newsock del O_NONBLOCK: %s", strerror(errno)); - continue; - } -+ if (options.connections_per_period != 0) { -+ struct timeval diff, connections_end; -+ struct magic_connection *mc; -+ -+ (void)gettimeofday(&connections_end, NULL); -+ mc = &magic_connections[magic_hash(&from)]; -+ diff = timevaldiff(&mc->connections_begin, &connections_end); -+ if (diff.tv_sec >= options.connections_period) { -+ /* -+ * Slide the window forward only after completely -+ * leaving it. -+ */ -+ mc->connections_begin = connections_end; -+ mc->connections_this_period = 1; -+ } else { -+ if (++mc->connections_this_period > -+ options.connections_per_period) -+ connections_per_period_exceeded = 1; -+ } -+ } -+ - /* -- * Got connection. Fork a child to handle it, unless -- * we are in debugging mode. -+ * Got connection. Fork a child to handle it unless -+ * we are in debugging mode or the maximum number of -+ * connections per period has been exceeded. - */ - if (debug_flag) { - /* -@@ -810,6 +872,12 @@ - sock_out = newsock; - pid = getpid(); - break; -+ } else if (connections_per_period_exceeded) { -+ log("Connection rate limit of %u/%us has been exceeded; " -+ "dropping connection from %s.", -+ options.connections_per_period, options.connections_period, -+ ntop); -+ connections_per_period_exceeded = 0; - } else { - /* - * Normal production daemon. Fork, and have diff --git a/security/openssh/files/patch-ao b/security/openssh/files/patch-ao index 0e5eac8dee2b..96aaa0db0b3f 100644 --- a/security/openssh/files/patch-ao +++ b/security/openssh/files/patch-ao 
@@ -1,20 +1,29 @@ ---- sshd_config.orig Fri Jan 7 01:27:30 2000 -+++ sshd_config Fri Jan 7 01:31:01 2000 -@@ -3,12 +3,13 @@ - Port 22 +--- sshd_config.orig Fri Aug 4 16:30:35 2000 ++++ sshd_config Sat Nov 4 17:32:28 2000 +@@ -4,12 +4,11 @@ + #Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: -HostKey /etc/ssh_host_key -+HostKey __PREFIX__/etc/ssh_host_key ++HostKey /usr/local/etc/ssh_host_key ServerKeyBits 768 -LoginGraceTime 600 -+LoginGraceTime 60 ++LoginGraceTime 120 KeyRegenerationInterval 3600 -PermitRootLogin yes -# +PermitRootLogin no -+# Rate-limit sshd connections to 5 connections per 10 seconds -+ConnectionsPerPeriod 5/10 # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +@@ -48,7 +47,7 @@ + #KerberosTgtPassing yes + + #CheckMail yes +-#UseLogin no ++UseLogin no + +-#Subsystem sftp /usr/local/sbin/sftpd +-#MaxStartups 10:30:60 ++Subsystem sftp /usr/local/sbin/sftpd ++MaxStartups 10:30:60 diff --git a/security/openssh/files/patch-ap b/security/openssh/files/patch-ap deleted file mode 100644 index d3c63bea1620..000000000000 --- a/security/openssh/files/patch-ap +++ /dev/null 
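Review bot: The new sshd_config defaults enable `Subsystem sftp /usr/local/sbin/sftpd`, but nothing in the visible part of this commit installs a binary at that path, so confirm the port ships it or leave the line commented out as the upstream file does. `HostKey /usr/local/etc/ssh_host_key` replaces the earlier `__PREFIX__/etc/ssh_host_key` placeholder, which hard-codes the default prefix and will point sshd at the wrong key file when the port is built with a different PREFIX. With `ConnectionsPerPeriod` dropped, `MaxStartups 10:30:60` is the only throttle left, and it caps concurrent unauthenticated connections rather than the connection rate. `LoginGraceTime` also goes from the port's previous 60 to 120, so each unauthenticated connection may be held twice as long; a short comment in the patch saying this is intentional would help.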
@@ -1,63 +0,0 @@ ---- servconf.c.orig Tue May 9 02:12:15 2000 -+++ servconf.c Fri May 12 07:13:13 2000 -@@ -74,6 +74,8 @@ - options->ciphers = NULL; - options->protocol = SSH_PROTO_UNKNOWN; - options->gateway_ports = -1; -+ options->connections_per_period = 0; -+ options->connections_period = 0; - } - - void -@@ -172,7 +174,7 @@ - #ifdef SKEY - sSkeyAuthentication, - #endif -- sPasswordAuthentication, sListenAddress, -+ sPasswordAuthentication, sListenAddress, sConnectionsPerPeriod, - sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, - sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, - sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, -@@ -231,6 +233,7 @@ - { "ciphers", sCiphers }, - { "protocol", sProtocol }, - { "gatewayports", sGatewayPorts }, -+ { "connectionsperperiod", sConnectionsPerPeriod }, - { NULL, 0 } - }; - -@@ -340,7 +343,11 @@ - filename, linenum); - exit(1); - } -- value = atoi(cp); -+ if (sscanf(cp, " %d ", &value) != 1) { -+ fprintf(stderr, "%s line %d: invalid integer value.\n", -+ filename, linenum); -+ exit(1); -+ } - if (*intptr == -1) - *intptr = value; - break; -@@ -584,6 +591,21 @@ - filename, linenum); - options->deny_groups[options->num_deny_groups++] = xstrdup(cp); - } -+ break; -+ -+ case sConnectionsPerPeriod: -+ cp = strtok(NULL, WHITESPACE); -+ if (cp == NULL) -+ fatal("%.200s line %d: missing (>= 0) number argument.\n", -+ filename, linenum); -+ if (sscanf(cp, " %u/%u ", &options->connections_per_period, -+ &options->connections_period) != 2) -+ fatal("%.200s line %d: invalid numerical argument(s).\n", -+ filename, linenum); -+ if (options->connections_per_period != 0 && -+ options->connections_period == 0) -+ fatal("%.200s line %d: invalid connections period.\n", -+ filename, linenum); - break; - - case sCiphers: diff --git a/security/openssh/files/patch-ar b/security/openssh/files/patch-ar index 2795e96d082a..18d5e5dd73f6 100644 --- a/security/openssh/files/patch-ar 
+++ b/security/openssh/files/patch-ar @@ -1,37 +1,5 @@ --- /usr/ports/distfiles/OpenSSH-1.2/src/usr.bin/ssh/sshd.8 Tue Nov 23 18:58:38 1999 +++ sshd.8 Sun Dec 5 22:59:58 1999 -@@ -220,6 +220,31 @@ - should check for new mail for interactive logins. - The default is - .Dq no . -+.It Cm ConnectionsPerPeriod -+This keyword allows for rate-limiting of connections, and -+is followed by two numbers in the format -+.Dq n/s , -+where -+.Ar n -+is the number of connections from a certain address group -+accepted per period of -+.Ar s -+seconds. Any connection after the number -+.Ar n -+connection in the period of -+.Ar s -+seconds will be dropped, and an informational message will be logged. -+A connection will belong to a certain group, of which there are 13 -+by default, according to its IP address. -+The default for this keyword is -+.Dq 0/0 , -+and rate-limiting can be explicitly turned off by using an -+.Ar n -+parameter of -+.Ql 0 -+and any -+.Ar s -+parameter. - .It Cm DenyGroups - This keyword can be followed by a number of group names, separated - by spaces. Users whose primary group matches one of the patterns @@ -453,8 +478,9 @@ If the login is on a tty, records login time. .It diff --git a/security/openssh/files/patch-au b/security/openssh/files/patch-au index f0076dd0e146..82de5814915d 100644 --- a/security/openssh/files/patch-au +++ b/security/openssh/files/patch-au 
@@ -1,25 +1,20 @@ ---- session.c.orig Mon Jun 5 12:53:40 2000 -+++ session.c Tue Jun 20 16:20:37 2000 -@@ -27,6 +27,18 @@ - #include "ssh2.h" +--- session.c.orig Sun Aug 27 23:50:54 2000 ++++ session.c Sat Nov 4 17:39:43 2000 +@@ -28,6 +28,13 @@ #include "auth.h" + #include "auth-options.h" +#ifdef __FreeBSD__ +#include +#include +#include +#include -+#define LOGIN_CAP +#endif /* __FreeBSD__ */ + -+#ifdef LOGIN_CAP -+#include -+#endif /* LOGIN_CAP */ -+ - /* types */ - - #define TTYSZ 64 -@@ -401,6 +413,13 @@ + #ifdef HAVE_LOGIN_CAP + #include + #endif +@@ -413,6 +420,13 @@ log_init(__progname, options.log_level, options.log_facility, log_stderr); /* @@ -33,35 +28,8 @@ * Create a new session and process group since the 4.4BSD * setlogin() affects the entire process group. */ -@@ -502,6 +521,10 @@ - struct sockaddr_storage from; - struct stat st; - time_t last_login_time; -+#ifdef LOGIN_CAP -+ login_cap_t *lc; -+ char *fname; -+#endif /* LOGIN_CAP */ - - if (s == NULL) - fatal("do_exec_pty: no session"); -@@ -511,15 +534,6 @@ - /* Get remote host name. */ - hostname = get_canonical_hostname(); - -- /* -- * Get the time when the user last logged in. Buf will be set to -- * contain the hostname the last login was from. -- */ -- if (!options.use_login) { -- last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, -- buf, sizeof(buf)); -- } -- - /* Fork the child. */ - if ((pid = fork()) == 0) { - pid = getpid(); -@@ -528,6 +542,22 @@ - changed. */ +@@ -516,6 +530,13 @@ + /* Child. Reinitialize the log because the pid has changed. */ log_init(__progname, options.log_level, options.log_facility, log_stderr); + /* 
@@ -71,154 +39,39 @@ + if (command != NULL) + options.use_login = 0; + -+ /* -+ * Get the time when the user last logged in. Buf will be set -+ * to * contain the hostname the last login was from. -+ */ -+ if (!options.use_login) { -+ last_login_time = get_last_login_time(pw->pw_uid, -+ pw->pw_name, buf, sizeof(buf)); -+ } -+ /* Close the master side of the pseudo tty. */ close(ptyfd); -@@ -571,6 +601,12 @@ - /* Check if .hushlogin exists. */ - snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); - quiet_login = stat(line, &st) >= 0; -+#ifdef LOGIN_CAP -+ lc = login_getpwclass(pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, pw); -+ quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); -+#endif /* LOGIN_CAP */ - - /* - * If the user has logged in before, display the time of last -@@ -594,6 +630,20 @@ - else - printf("Last login: %s from %s\r\n", time_string, buf); - } -+#ifdef LOGIN_CAP -+ if (command == NULL && !quiet_login && !options.use_login) { -+ fname = login_getcapstr(lc, "copyright", NULL, NULL); -+ if (fname != NULL && (f = fopen(fname, "r")) != NULL) { -+ while (fgets(line, sizeof(line), f) != NULL) -+ fputs(line, stdout); -+ fclose(f); -+ } else -+ (void)printf("%s\n\t%s %s\n", -+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", -+ "The Regents of the University of California. ", -+ "All rights reserved."); -+ } -+#endif /* LOGIN_CAP */ - /* - * Print /etc/motd unless a command was specified or printing - * it was disabled in server options or login(1) will be -@@ -603,7 +653,18 @@ - if (command == NULL && options.print_motd && !quiet_login && - !options.use_login) { - /* Print /etc/motd if it exists. 
*/ -+#ifdef LOGIN_CAP -+ fname = login_getcapstr(lc, "welcome", NULL, NULL); -+ login_close(lc); -+ if (fname != NULL) { -+ f = fopen(fname, "r"); -+ if (f == NULL) -+ f = fopen("/etc/motd", "r"); -+ } else -+ f = fopen("/etc/motd", "r"); -+#else /* LOGIN_CAP */ - f = fopen("/etc/motd", "r"); -+#endif /* LOGIN_CAP */ - if (f) { - while (fgets(line, sizeof(line), f)) - fputs(line, stdout); -@@ -746,13 +807,29 @@ - extern char **environ; - struct stat st; - char *argv[10]; -+#ifdef LOGIN_CAP -+ login_cap_t *lc; -+ -+ lc = login_getpwclass(pw); -+ if (lc == NULL) -+ lc = login_getclassbyname(NULL, pw); -+ #endif /* LOGIN_CAP */ - - /* login(1) is only called if we execute the login shell */ - if (options.use_login && command != NULL) - options.use_login = 0; - - f = fopen("/etc/nologin", "r"); -+#ifdef __FreeBSD__ -+ if (f == NULL) -+ f = fopen("/var/run/nologin", "r"); -+#endif /* __FreeBSD__ */ -+#ifdef LOGIN_CAP -+ /* on FreeBSD, etc., allow overriding nologin via login.conf. */ -+ if (f != NULL && !login_getcapbool(lc, "ignorenologin", 0)) { -+#else /* LOGIN_CAP */ - if (f) { -+#endif /* LOGIN_CAP */ - /* /etc/nologin exists. Print its contents and exit. */ - while (fgets(buf, sizeof(buf), f)) - fputs(buf, stderr); -@@ -768,6 +845,13 @@ - /* Login(1) does this as well, and it needs uid 0 for the "-h" - switch, so we let login(1) to this for us. */ - if (!options.use_login) { -+#ifdef LOGIN_CAP -+ if (setclasscontext(pw->pw_class, LOGIN_SETPRIORITY | -+ LOGIN_SETRESOURCES | LOGIN_SETUMASK) == -1) { -+ perror("setclasscontext"); -+ exit(1); -+ } -+#endif /* LOGIN_CAP */ - if (getuid() == 0 || geteuid() == 0) { - if (setgid(pw->pw_gid) < 0) { - perror("setgid"); -@@ -790,7 +874,14 @@ - * Get the shell from the password data. An empty shell field is - * legal, and means /bin/sh. 
- */ -+#ifdef LOGIN_CAP -+ shell = pw->pw_shell; -+ shell = login_getcapstr(lc, "shell", shell, shell); -+ if (shell[0] == '\0') -+ shell = _PATH_BSHELL; -+#else /* LOGIN_CAP */ - shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; -+#endif /* LOGIN_CAP */ - - #ifdef AFS - /* Try to get AFS tokens for the local cell. */ -@@ -814,7 +905,12 @@ - child_set_env(&env, &envsize, "USER", pw->pw_name); - child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); - child_set_env(&env, &envsize, "HOME", pw->pw_dir); -+#ifdef LOGIN_CAP -+ child_set_env(&env, &envsize, "PATH", -+ login_getpath(lc, "path", _PATH_STDPATH)); -+#else /* LOGIN_CAP */ - child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); -+#endif /* LOGIN_CAP */ - - snprintf(buf, sizeof buf, "%.200s/%.50s", - _PATH_MAILDIR, pw->pw_name); -@@ -904,6 +1000,9 @@ - * descriptors left by system functions. They will be closed later. - */ - endpwent(); -+#ifdef LOGIN_CAP -+ login_close(lc); -+#endif /* LOGIN_CAP */ +@@ -602,6 +623,7 @@ + time_t last_login_time; + struct passwd * pw = s->pw; + pid_t pid = getpid(); ++ char *fname; /* - * Close any extra open file descriptors so that we don\'t have them -@@ -911,7 +1010,7 @@ + * Get IP address of client. If the connection is not a socket, let +@@ -644,6 +666,20 @@ + else + printf("Last login: %s from %s\r\n", time_string, buf); + } ++#ifdef HAVE_LOGIN_CAP ++ if (!options.use_login) { ++ fname = login_getcapstr(lc, "copyright", NULL, NULL); ++ if (fname != NULL && (f = fopen(fname, "r")) != NULL) { ++ while (fgets(buf, sizeof(buf), f) != NULL) ++ fputs(buf, stdout); ++ fclose(f); ++ } else ++ (void)printf("%s\n\t%s %s\n", ++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", ++ "The Regents of the University of California. 
", ++ "All rights reserved."); ++ } ++#endif /* HAVE_LOGIN_CAP */ + if (options.print_motd) { + #ifdef HAVE_LOGIN_CAP + f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", +@@ -949,7 +985,7 @@ * initgroups, because at least on Solaris 2.3 it leaves file * descriptors open. */ @@ -227,7 +80,7 @@ close(i); /* Change current directory to the user\'s home directory. */ -@@ -930,7 +1029,27 @@ +@@ -973,7 +1009,27 @@ * in this order). */ if (!options.use_login) { diff --git a/security/openssh/files/patch-av b/security/openssh/files/patch-av index d781357fb1da..146643ad6122 100644 --- a/security/openssh/files/patch-av +++ b/security/openssh/files/patch-av @@ -1,18 +1,10 @@ ---- auth.c.orif Thu Apr 20 17:21:58 2000 -+++ auth.c Thu Apr 20 17:50:06 2000 -@@ -26,7 +26,6 @@ - #include "session.h" - #include "dispatch.h" - -- - /* import */ - extern ServerOptions options; - extern char *forced_command; -@@ -106,6 +105,16 @@ +--- auth.c.orig Sat Nov 4 17:30:17 2000 ++++ auth.c Sat Nov 4 17:29:00 2000 +@@ -111,6 +111,16 @@ return 0; } } -+#ifdef __FreeBSD__ ++#ifdef __FreeBSD__ + /* Fail if the account's expiration time has passed. */ + if (pw->pw_expire != 0) { + struct timeval tv;
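Review bot: In the session.c patch (hunk `@@ -71,154 +39,39 @@`), `char *fname;` is declared unconditionally while its only visible use is inside `#ifdef HAVE_LOGIN_CAP`, so a build without that macro gets an unused variable; wrap the declaration in the same `#ifdef HAVE_LOGIN_CAP` / `#endif`. The copyright banner is now gated only on `!options.use_login`, whereas the replaced version also required `command == NULL && !quiet_login`. If the enclosing function, which starts outside this hunk, does not already enforce those conditions, the banner will be printed for `.hushlogin` users and for command sessions. The path returned by `login_getcapstr(lc, "copyright", NULL, NULL)` goes straight to `fopen`, so a comment stating which privileges this code runs with and where `lc` is loaded from would make the trust assumption explicit.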