cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

+ ssh (1.2.21)

Browse Source
This commit is contained in:
todd 1997-11-17 05:58:40 +00:00
parent 4e0d806217
commit 36b5df795d
15 changed files with 1101 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

133
security/ssh/Makefile Normal file
View File

@ -0,0 +1,133 @@
# New ports collection makefile for: ssh
# Version required: 1.2.21
# Date created: 16 Nov 1997
# Whom: todd@OpenBSD.ORG
#
# $OpenBSD: Makefile,v 1.1 1997/11/17 05:58:40 todd Exp $
#
# Maximal ssh package requires YES values for
# USE_PERL, USE_TCPWRAP
#
DISTNAME= ssh-1.2.21
CATEGORIES= security net
MASTER_SITES= ftp://ftp.funet.fi/pub/unix/security/login/ssh/
MAINTAINER= torstenb@FreeBSD.ORG
# You can set USA_RESIDENT appropriately in /etc/make.conf if this bugs you..
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
DISTFILES= ${DISTNAME}.tar.gz rsaref2.tar.gz
MASTER_SITES= \
ftp://ftp.funet.fi/pub/unix/security/login/ssh/ \
ftp://ftp.cs.hut.fi/pub/ssh/ \
ftp://nic.funet.fi/pub/crypt/mirrors/ftp.dsi.unimi.it/applied-crypto/ \
ftp://rzsun2.informatik.uni-hamburg.de/pub/virus/crypt/ripem/ \
ftp://ftp.dsi.unimi.it/pub/security/crypt/math/ \
ftp://ftp.univie.ac.at/security/crypt/cryptography/asymmetric/rsa/ \
ftp://isdec.vc.cvut.cz/pub/security/unimi/crypt/applied-crypto/
.endif
RESTRICTED= "Crypto; export-controlled"
IS_INTERACTIVE= YES
GNU_CONFIGURE= YES
CONFIGURE_ARGS= --prefix=${PREFIX} --with-etcdir=${PREFIX}/etc/ssh
#Uncomment if all your users are in their own group and their homedir
#is writeable by that group. Beware the security implications!
#CONFIGURE_ARGS+= --enable-group-writeability
#Uncomment if you want to allow ssh to emulate an unencrypted rsh connection
#over a secure medium. This is normally dangerous since it can lead to the
#disclosure keys and passwords.
#CONFIGURE_ARGS+= --with-none
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
CONFIGURE_ARGS+= --with-rsaref
.endif
# Include support for the SecureID card
# Warning: untested !
.if defined(USE_SECUREID) && ${USE_SECUREID} == YES
CONFIGURE_ARGS+= --with-secureid
.endif
# Don't use IDEA. IDEA can be freely used for non-commercial use. However,
# commercial use may require a licence in a number of countries
# Warning: untested !
.if defined(DONT_USE_IDEA) && ${DONT_USE_IDEA} == YES
CONFIGURE_ARGS+= --without-idea
.endif
MAN1= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 \
make-ssh-known-hosts.1
MAN8= sshd.8
pre-patch:
@${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl \
${WRKSRC}/make-ssh-known-hosts.pl.in
fetch-depends:
.if !defined(USA_RESIDENT) || ${USA_RESIDENT} != YES && ${USA_RESIDENT} != NO
@echo
@echo You must set variable USA_RESIDENT to YES if you are a USA
@echo resident or NO otherwise.
@echo If you are a USA resident you have to get the RSAREF2
@echo library \(RSA Inc. holds a patent on RSA and public key
@echo cypto in general - using RSA implementations other than
@echo RSAREF will violate the US patent law\)
@echo and extract it to ${WRKSRC}.
@false
.endif
post-extract:
.if defined(USA_RESIDENT) && ${USA_RESIDENT} == YES
@mv ${WRKDIR}/rsaref2 ${WRKSRC}/rsaref2
.endif
post-install:
@if [ ! -f ${PREFIX}/etc/ssh_host_key ]; then \
echo "Generating a secret host key..."; \
${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""; \
fi
.if !defined(NOMANCOMPRESS)
rm -f ${PREFIX}/man/man1/slogin.1
ln -sf ssh.1.gz ${PREFIX}/man/man1/slogin.1.gz
.endif
@if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \
echo "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \
echo "#!/bin/sh" > ${PREFIX}/etc/rc.d/sshd.sh; \
echo "[ -x /usr/local/sbin/sshd ] && /usr/local/sbin/sshd && echo -n ' sshd'" >> ${PREFIX}/etc/rc.d/sshd.sh; \
chmod 751 ${PREFIX}/etc/rc.d/sshd.sh; \
fi
.include <bsd.port.mk>
# Following stuff must be after <bsd.port.mk> to expand exists() properly
.if defined(USE_PERL) && ${USE_PERL} == YES || \
exists(${PREFIX}/bin/perl5.00401) && \
(!defined(USE_PERL) || ${USE_PERL} != NO)
BUILD_DEPENDS+= perl5.00401:${PORTSDIR}/lang/perl5
CONFIGURE_ENV+= PERL=${PREFIX}/bin/perl5.00401
.else
CONFIGURE_ENV+= PERL=/replace_it_with_PERL_path
.endif
# Include tcp-wrapper support (call remote identd)
.if defined(USE_TCPWRAP) && ${USE_TCPWRAP} == YES || \
exists(${PREFIX}/lib/libwrap.a) && \
(!defined(USE_TCPWRAP) || ${USE_TCPWRAP} != NO)
CONFIGURE_ENV+= LDFLAGS=-L${PREFIX}/lib CFLAGS="${CFLAGS} -I${PREFIX}/include"
CONFIGURE_ARGS+= --with-libwrap
LIB_DEPENDS+= wrap\\.7\\.:${PORTSDIR}/security/tcp_wrapper
.endif
# Include SOCKS firewall support
.if defined(USE_SOCKS) && ${USE_SOCKS} == YES
CONFIGURE_ARGS+= --with-socks="-L${PREFIX}/lib -lsocks5"
.endif

2
security/ssh/files/md5 Normal file
View File

@ -0,0 +1,2 @@
MD5 (ssh-1.2.21.tar.gz) = 881f612cd3598b5370545ab2ad808795
MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d

19
security/ssh/patches/patch-aa Normal file
View File

@ -0,0 +1,19 @@
*** make-ssh-known-hosts.pl.in.orig Wed Apr 23 08:40:05 1997
--- make-ssh-known-hosts.pl.in Fri Apr 25 12:38:21 1997
***************
*** 87,93 ****
$debug = 5;
$defserver = '';
$bell='\a';
! $public_key = '/etc/ssh_host_key.pub';
$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
$timeout = 60;
$ping_timeout = 3;
--- 87,93 ----
$debug = 5;
$defserver = '';
$bell='\a';
! $public_key = '@ETCDIR@/ssh_host_key.pub';
$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
$timeout = 60;
$ping_timeout = 3;

62
security/ssh/patches/patch-ab Normal file
View File

@ -0,0 +1,62 @@
*** configure.orig Wed Apr 23 08:40:06 1997
--- configure Fri Apr 25 12:38:54 1997
***************
*** 1757,1768 ****
export CFLAGS CC
- # Socket pairs appear to be broken on several systems. I don't know exactly
- # where, so I'll use pipes everywhere for now.
- cat >> confdefs.h <<\EOF
- #define USE_PIPES 1
- EOF
-
echo $ac_n "checking that the compiler works""... $ac_c" 1>&6
echo "configure:1769: checking that the compiler works" >&5
--- 1757,1762 ----
***************
*** 2759,2765 ****
fi
! for ac_hdr in unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
--- 2753,2759 ----
fi
! for ac_hdr in unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h
do
ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
***************
*** 7031,7037 ****
cat >> $CONFIG_STATUS <<EOF
! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile"}
EOF
cat >> $CONFIG_STATUS <<\EOF
for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
--- 7025,7031 ----
cat >> $CONFIG_STATUS <<EOF
! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl"}
EOF
cat >> $CONFIG_STATUS <<\EOF
for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
***************
*** 7235,7240 ****
--- 7229,7236 ----
done
for ac_config_dir in gmp-2.0.2-ssh-2; do
+
+ continue # XXX don't configure gmp
# Do not complain, so a configure script can configure whichever
# parts of a large source tree are present.

186
security/ssh/patches/patch-ac Normal file
View File

@ -0,0 +1,186 @@
*** Makefile.in.orig Tue Sep 16 01:59:13 1997
--- Makefile.in Tue Sep 16 02:06:08 1997
***************
*** 259,270 ****
SHELL = /bin/sh
GMPDIR = gmp-2.0.2-ssh-2
! GMPLIBS = -L$(GMPDIR) -lgmp
! GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
ZLIBDIR = zlib-1.0.4
! ZLIBDEP = $(ZLIBDIR)/libz.a
! ZLIBLIBS = -L$(ZLIBDIR) -lz
RSAREFDIR = rsaref2
RSAREFSRCDIR = $(RSAREFDIR)/source
--- 259,275 ----
SHELL = /bin/sh
GMPDIR = gmp-2.0.2-ssh-2
! # We have the same libgmp in the system, so use it instead
! GMPINCDIR = /usr/include
! GMPLIBDIR = /usr/lib
! GMPLIBS = -L$(GMPLIBDIR) -lgmp
! GMPDEP = $(GMPINCDIR)/gmp.h $(GMPLIBDIR)/libgmp.a
ZLIBDIR = zlib-1.0.4
! ZLIBINCDIR = /usr/include
! ZLIBLIBDIR = /usr/lib
! ZLIBDEP = $(ZLIBINCDIR)/libz.a
! ZLIBLIBS = -L$(ZLIBLIBDIR) -lz
RSAREFDIR = rsaref2
RSAREFSRCDIR = $(RSAREFDIR)/source
***************
*** 368,374 ****
$(CC) -o rfc-pg rfc-pg.o
.c.o:
! $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
-rm -f sshd
--- 373,379 ----
$(CC) -o rfc-pg rfc-pg.o
.c.o:
! $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPINCDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
-rm -f sshd
***************
*** 411,429 ****
sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
chmod +x make-ssh-known-hosts
! GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
! mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
! $(GMPDIR)/libgmp.a:
! cd $(GMPDIR); $(MAKE)
!
! $(ZLIBDEP):
! -if test '!' -d $(ZLIBDIR); then \
! mkdir $(ZLIBDIR); \
! cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
! fi
! cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
! CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
! -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
$(RSAREFSRCDIR)/librsaref.a:
-if test '!' -d $(RSAREFDIR); then \
--- 416,434 ----
sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts
chmod +x make-ssh-known-hosts
! #GMP_COPY_SOURCES = mpz_gcd.c mpz_powm.c mpz_pow_ui.c mpz_add.c mpz_sub.c \
! # mpz_mul.c mpz_cmp.c mpz_sqrtrem.c
! #$(GMPDIR)/libgmp.a:
! # cd $(GMPDIR); $(MAKE)
! #
! #$(ZLIBDEP):
! # -if test '!' -d $(ZLIBDIR); then \
! # mkdir $(ZLIBDIR); \
! # cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
! # fi
! # cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
! # CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
! # -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
$(RSAREFSRCDIR)/librsaref.a:
-if test '!' -d $(RSAREFDIR); then \
***************
*** 480,486 ****
# (otherwise it can only log in as the user it runs as, and must be
# bound to a non-privileged port). Also, password authentication may
# not be available if non-root and using shadow passwords.
! install: $(PROGRAMS) make-dirs generate-host-key install-configs
-rm -f $(install_prefix)$(bindir)/ssh.old
-mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old
-chmod 755 $(install_prefix)$(bindir)/ssh.old
--- 485,491 ----
# (otherwise it can only log in as the user it runs as, and must be
# bound to a non-privileged port). Also, password authentication may
# not be available if non-root and using shadow passwords.
! install: $(PROGRAMS) make-dirs install-configs
-rm -f $(install_prefix)$(bindir)/ssh.old
-mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old
-chmod 755 $(install_prefix)$(bindir)/ssh.old
***************
*** 589,603 ****
clean:
-rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
! cd $(GMPDIR); $(MAKE) clean
# cd $(RSAREFSRCDIR); rm -f *.o *.a
! cd $(ZLIBDIR); $(MAKE) clean
distclean: clean
-rm -f Makefile config.status config.cache config.log config.h
-rm -f ssh.1 sshd.8 make-ssh-known-hosts.1
! cd $(GMPDIR); $(MAKE) distclean
! cd $(ZLIBDIR); $(MAKE) distclean
dist: dist-free
--- 594,608 ----
clean:
-rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
! # cd $(GMPDIR); $(MAKE) clean
# cd $(RSAREFSRCDIR); rm -f *.o *.a
! # cd $(ZLIBDIR); $(MAKE) clean
distclean: clean
-rm -f Makefile config.status config.cache config.log config.h
-rm -f ssh.1 sshd.8 make-ssh-known-hosts.1
! # cd $(GMPDIR); $(MAKE) distclean
! # cd $(ZLIBDIR); $(MAKE) distclean
dist: dist-free
***************
*** 628,639 ****
#
#endif F_SECURE_COMMERCIAL
for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
! (cd $(GMPDIR); make dist)
! gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
# tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -)
# cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a
! (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
! cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
dist-free-make-tar:
tar pcf $(DISTNAME).tar $(DISTNAME)
--- 633,644 ----
#
#endif F_SECURE_COMMERCIAL
for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done
! # (cd $(GMPDIR); make dist)
! # gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
# tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -)
# cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a
! # (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
! # cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
dist-free-make-tar:
tar pcf $(DISTNAME).tar $(DISTNAME)
***************
*** 656,662 ****
(echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
depend:
! $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS)
tags:
-rm -f TAGS
--- 661,667 ----
(echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
depend:
! $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS)
tags:
-rm -f TAGS

19
security/ssh/patches/patch-ae Normal file
View File

@ -0,0 +1,19 @@
*** server_config.sample.orig Thu Mar 27 09:04:06 1997
--- server_config.sample Fri Mar 28 15:45:53 1997
***************
*** 16,22 ****
FascistLogging no
PrintMotd yes
KeepAlive yes
! SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
--- 16,22 ----
FascistLogging no
PrintMotd yes
KeepAlive yes
! SyslogFacility AUTH
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes

423
security/ssh/patches/patch-af Normal file
View File

@ -0,0 +1,423 @@
*** sshd.c.orig Wed Apr 23 04:40:08 1997
--- sshd.c Wed Jun 11 14:56:57 1997
***************
*** 400,405 ****
--- 400,409 ----
#include "firewall.h" /* TIS authsrv authentication */
#endif
+ #ifdef HAVE_LOGIN_CAP_H
+ #include <login_cap.h>
+ #endif
+
#ifdef _PATH_BSHELL
#define DEFAULT_SHELL _PATH_BSHELL
#else
***************
*** 1542,1547 ****
--- 1546,1583 ----
endspent();
}
#endif /* HAVE_ETC_SHADOW */
+ #ifdef __FreeBSD__
+ {
+ time_t currtime;
+
+ if (pwd->pw_change || pwd->pw_expire)
+ currtime = time(NULL);
+
+ /*
+ * Check for an expired password
+ */
+ if (pwd->pw_change && pwd->pw_change <= currtime)
+ {
+ debug("Account %.100s's password is too old - forced to change.",
+ user);
+ if (options.forced_passwd_change)
+ forced_command = "/usr/bin/passwd";
+ else
+ {
+ return 0;
+ }
+ }
+
+ /*
+ * Check for expired account
+ */
+ if (pwd->pw_expire && pwd->pw_expire <= currtime)
+ {
+ debug("Account %.100s has expired - access denied.", user);
+ return 0;
+ }
+ }
+ #else /* !FreeBSD */
/*
* Check if account is locked. Check if encrypted password starts
* with "*LK*".
***************
*** 1553,1558 ****
--- 1589,1595 ----
return 0;
}
}
+ #endif /* !FreeBSD */
#ifdef CHECK_ETC_SHELLS
{
int invalid = 1;
***************
*** 1698,1703 ****
--- 1735,1743 ----
memset(&pwcopy, 0, sizeof(pwcopy));
pwcopy.pw_name = xstrdup(pw->pw_name);
pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
+ #ifdef HAVE_LOGIN_CAP_H
+ pwcopy.pw_class = xstrdup(pw->pw_class);
+ #endif
pwcopy.pw_uid = pw->pw_uid;
pwcopy.pw_gid = pw->pw_gid;
pwcopy.pw_dir = xstrdup(pw->pw_dir);
***************
*** 2654,2659 ****
--- 2694,2702 ----
struct sockaddr_in from;
int fromlen;
struct pty_cleanup_context cleanup_context;
+ #ifdef HAVE_LOGIN_CAP_H
+ login_cap_t *lc;
+ #endif
/* We no longer need the child running on user's privileges. */
userfile_uninit();
***************
*** 2725,2735 ****
record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
&from);
/* Check if .hushlogin exists. Note that we cannot use userfile
here because we are in the child. */
sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
quiet_login = stat(line, &st) >= 0;
!
/* If the user has logged in before, display the time of last login.
However, don't display anything extra if a command has been
specified (so that ssh can be used to execute commands on a remote
--- 2768,2786 ----
record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
&from);
+ #ifdef HAVE_LOGIN_CAP_H
+ lc = login_getclass(pw->pw_class);
+ #endif
+
/* Check if .hushlogin exists. Note that we cannot use userfile
here because we are in the child. */
sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
quiet_login = stat(line, &st) >= 0;
!
! #ifdef HAVE_LOGIN_CAP_H
! quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
! #endif
!
/* If the user has logged in before, display the time of last login.
However, don't display anything extra if a command has been
specified (so that ssh can be used to execute commands on a remote
***************
*** 2749,2754 ****
--- 2800,2828 ----
printf("Last login: %s from %s\r\n", time_string, buf);
}
+ #ifdef __FreeBSD__
+ if (command == NULL && !quiet_login)
+ {
+ #ifdef HAVE_LOGIN_CAP_H
+ char *cw;
+ FILE *f;
+
+ cw = login_getcapstr(lc, "copyright", NULL, NULL);
+ if (cw != NULL && (f = fopen(cw, "r")) != NULL)
+ {
+ while (fgets(line, sizeof(line), f))
+ fputs(line, stdout);
+ fclose(f);
+ }
+ else
+ #endif
+ printf("%s\n\t%s %s\n\n",
+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+ "The Regents of the University of California. ",
+ "All rights reserved.");
+ }
+ #endif
+
/* Print /etc/motd unless a command was specified or printing it was
disabled in server options. Note that some machines appear to
print it in /etc/profile or similar. */
***************
*** 2758,2764 ****
--- 2832,2842 ----
FILE *f;
/* Print /etc/motd if it exists. */
+ #ifdef HAVE_LOGIN_CAP_H
+ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
+ #else
f = fopen("/etc/motd", "r");
+ #endif
if (f)
{
while (fgets(line, sizeof(line), f))
***************
*** 2766,2771 ****
--- 2844,2872 ----
fclose(f);
}
}
+ #ifdef __FreeBSD__
+ if (command == NULL && !quiet_login)
+ {
+ #ifdef broken_HAVE_LOGIN_CAP_H
+ char *mp = getenv("MAIL");
+
+ if (mp != NULL)
+ {
+ strncpy(line, mp, sizeof line);
+ line[sizeof line - 1] = '\0';
+ }
+ else
+ #endif
+ sprintf(line, "%s/%.200s", _PATH_MAILDIR, pw->pw_name);
+ if (stat(line, &st) == 0 && st.st_size != 0)
+ printf("You have %smail.\n",
+ (st.st_mtime > st.st_atime) ? "new " : "");
+ }
+ #endif
+
+ #ifdef HAVE_LOGIN_CAP_H
+ login_close(lc);
+ #endif
/* Do common processing for the child, such as execing the command. */
do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
***************
*** 3017,3023 ****
char *user_shell;
char *remote_ip;
int remote_port;
!
/* Check /etc/nologin. */
f = fopen("/etc/nologin", "r");
if (f)
--- 3118,3130 ----
char *user_shell;
char *remote_ip;
int remote_port;
! #ifdef HAVE_LOGIN_CAP_H
! login_cap_t *lc;
! char *real_shell;
!
! lc = login_getclass(pw->pw_class);
! auth_checknologin(lc);
! #else /* !HAVE_LOGIN_CAP_H */
/* Check /etc/nologin. */
f = fopen("/etc/nologin", "r");
if (f)
***************
*** 3031,3036 ****
--- 3138,3144 ----
if (pw->pw_uid != UID_ROOT)
exit(254);
}
+ #endif /* HAVE_LOGIN_CAP_H */
if (command != NULL)
{
***************
*** 3043,3049 ****
else
log_msg("executing remote command as user %.200s", pw->pw_name);
}
!
#ifdef HAVE_SETLOGIN
/* Set login name in the kernel. Warning: setsid() must be called before
this. */
--- 3151,3158 ----
else
log_msg("executing remote command as user %.200s", pw->pw_name);
}
!
! #ifndef HAVE_LOGIN_CAP_H
#ifdef HAVE_SETLOGIN
/* Set login name in the kernel. Warning: setsid() must be called before
this. */
***************
*** 3064,3069 ****
--- 3173,3179 ----
if (setpcred((char *)pw->pw_name, NULL))
log_msg("setpcred %.100s: %.100s", strerror(errno));
#endif /* HAVE_USERSEC_H */
+ #endif /* !HAVE_LOGIN_CAP_H */
/* Save some data that will be needed so that we can do certain cleanups
before we switch to user's uid. (We must clear all sensitive data
***************
*** 3134,3139 ****
--- 3244,3309 ----
if (command != NULL || !options.use_login)
#endif /* USELOGIN */
{
+ #ifdef HAVE_LOGIN_CAP_H
+ char *p, *s, **tmpenv;
+
+ /* Initialize the new environment.
+ */
+ envsize = 64;
+ env = xmalloc(envsize * sizeof(char *));
+ env[0] = NULL;
+
+ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH);
+
+ #ifdef MAIL_SPOOL_DIRECTORY
+ sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
+ child_set_env(&env, &envsize, "MAIL", buf);
+ #else /* MAIL_SPOOL_DIRECTORY */
+ #ifdef MAIL_SPOOL_FILE
+ sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
+ child_set_env(&env, &envsize, "MAIL", buf);
+ #endif /* MAIL_SPOOL_FILE */
+ #endif /* MAIL_SPOOL_DIRECTORY */
+
+ /* Let it inherit timezone if we have one. */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
+ /* Save previous environment array
+ */
+ tmpenv = environ;
+ environ = env;
+
+ /* Set the user's login environment
+ */
+ if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
+ {
+ perror("setusercontext");
+ exit(1);
+ }
+
+ p = getenv("PATH");
+ s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR));
+ *s = '\0';
+ if (p != NULL)
+ {
+ strcat(s, p);
+ strcat(s, ":");
+ }
+ strcat(s, SSH_BINDIR);
+
+ env = environ;
+ environ = tmpenv; /* Restore parent environment */
+ for (envsize = 0; env[envsize] != NULL; ++envsize)
+ ;
+ /* Reallocate this to what is expected */
+ envsize = (envsize < 100) ? 100 : envsize + 16;
+ env = xrealloc(env, envsize * sizeof(char *));
+
+ child_set_env(&env, &envsize, "PATH", s);
+ xfree(s);
+
+ #else /* !HAVE_LOGIN_CAP_H */
/* Set uid, gid, and groups. */
if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
{
***************
*** 3165,3170 ****
--- 3335,3341 ----
if (getuid() != user_uid || geteuid() != user_uid)
fatal("Failed to set uids to %d.", (int)user_uid);
+ #endif /* HAVE_LOGIN_CAP_H */
}
/* Reset signals to their default settings before starting the user
***************
*** 3175,3185 ****
--- 3346,3361 ----
and means /bin/sh. */
shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell;
+ #ifdef HAVE_LOGIN_CAP_H
+ real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);
+ login_close(lc);
+ #else /* !HAVE_LOGIN_CAP_H */
/* Initialize the environment. In the first part we allocate space for
all environment variables. */
envsize = 100;
env = xmalloc(envsize * sizeof(char *));
env[0] = NULL;
+ #endif /* HAVE_LOGIN_CAP_H */
#ifdef USELOGIN
if (command != NULL || !options.use_login)
***************
*** 3189,3194 ****
--- 3365,3372 ----
child_set_env(&env, &envsize, "HOME", user_dir);
child_set_env(&env, &envsize, "USER", user_name);
child_set_env(&env, &envsize, "LOGNAME", user_name);
+
+ #ifndef HAVE_LOGIN_CAP_H
child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
#ifdef MAIL_SPOOL_DIRECTORY
***************
*** 3200,3205 ****
--- 3378,3384 ----
child_set_env(&env, &envsize, "MAIL", buf);
#endif /* MAIL_SPOOL_FILE */
#endif /* MAIL_SPOOL_DIRECTORY */
+ #endif /* !HAVE_LOGIN_CAP_H */
#ifdef HAVE_ETC_DEFAULT_LOGIN
/* Read /etc/default/login; this exists at least on Solaris 2.x. Note
***************
*** 3215,3223 ****
--- 3394,3404 ----
child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
original_command);
+ #ifndef HAVE_LOGIN_CAP_H
/* Let it inherit timezone if we have one. */
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ #endif /* !HAVE_LOGIN_CAP_H */
/* Set custom environment options from RSA authentication. */
while (custom_environment)
***************
*** 3437,3443 ****
--- 3618,3628 ----
/* Execute the shell. */
argv[0] = buf;
argv[1] = NULL;
+ #ifdef HAVE_LOGIN_CAP_H
+ execve(real_shell, argv, env);
+ #else
execve(shell, argv, env);
+ #endif /* HAVE_LOGIN_CAP_H */
/* Executing the shell failed. */
perror(shell);
exit(1);
***************
*** 3458,3464 ****
--- 3643,3653 ----
argv[1] = "-c";
argv[2] = (char *)command;
argv[3] = NULL;
+ #ifdef HAVE_LOGIN_CAP_H
+ execve(real_shell, argv, env);
+ #else
execve(shell, argv, env);
+ #endif /* HAVE_LOGIN_CAP_H */
perror(shell);
exit(1);
}

14
security/ssh/patches/patch-ah Normal file
View File

@ -0,0 +1,14 @@
*** config.h.in.orig Wed Apr 23 08:40:06 1997
--- config.h.in Fri Apr 25 12:40:48 1997
***************
*** 527,532 ****
--- 527,535 ----
/* Define if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
+ /* Define if you have the <login_cap.h> header file. */
+ #undef HAVE_LOGIN_CAP_H
+
/* Define if you have the <machine/endian.h> header file. */
#undef HAVE_MACHINE_ENDIAN_H

40
security/ssh/patches/patch-ai Normal file
View File

@ -0,0 +1,40 @@
*** userfile.c.orig Thu Mar 27 09:04:13 1997
--- userfile.c Sat Mar 29 01:16:51 1997
***************
*** 166,171 ****
--- 166,175 ----
#endif
+ #ifdef HAVE_LOGIN_CAP_H
+ #include <login_cap.h>
+ #endif
+
/* Protocol message types. */
#define USERFILE_OPEN 1
#define USERFILE_OPEN_REPLY 2
***************
*** 626,631 ****
--- 630,641 ----
/* Child. We will start serving request. */
if (uid != geteuid() || uid != getuid())
{
+ #ifdef HAVE_LOGIN_CAP_H
+ struct passwd * pw = getpwuid(uid);
+ login_cap_t * lc = login_getuserclass(pw);
+ if (setusercontext(lc, pw, uid, LOGIN_SETALL&~(LOGIN_SETLOGIN|LOGIN_SETPATH|LOGIN_SETENV)) < 0)
+ fatal("setusercontext: %s", strerror(errno));
+ #else
if (setgid(gid) < 0)
fatal("setgid: %s", strerror(errno));
***************
*** 636,641 ****
--- 646,652 ----
if (setuid(uid) < 0)
fatal("setuid: %s", strerror(errno));
+ #endif /* HAVE_LOGIN_CAP_H */
}
/* Enter the server main loop. */

40
security/ssh/patches/patch-aj Normal file
View File

@ -0,0 +1,40 @@
*** configure.in.orig Wed Apr 23 08:40:06 1997
--- configure.in Fri Apr 25 12:41:26 1997
***************
*** 616,624 ****
export CFLAGS CC
! # Socket pairs appear to be broken on several systems. I don't know exactly
! # where, so I'll use pipes everywhere for now.
! AC_DEFINE(USE_PIPES)
AC_MSG_CHECKING([that the compiler works])
AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
--- 616,624 ----
export CFLAGS CC
! dnl # Socket pairs appear to be broken on several systems. I don't know exactly
! dnl # where, so I'll use pipes everywhere for now.
! dnl AC_DEFINE(USE_PIPES)
AC_MSG_CHECKING([that the compiler works])
AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
***************
*** 671,677 ****
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h)
AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
AC_HEADER_TIME
--- 671,677 ----
AC_HEADER_STDC
AC_HEADER_SYS_WAIT
! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h)
AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
AC_HEADER_TIME

27
security/ssh/patches/patch-al Normal file
View File

@ -0,0 +1,27 @@
*** sshconnect.c.orig Wed Apr 23 08:40:11 1997
--- sshconnect.c Fri Apr 25 12:41:59 1997
***************
*** 311,316 ****
--- 311,322 ----
{
struct sockaddr_in sin;
int p;
+ #if defined(__FreeBSD__) && !defined(SOCKS)
+ p = 1023; /* Compat with old FreeBSD */
+ sock = rresvport(&p);
+ if (sock < 0)
+ fatal("rresvport: %.100s", strerror(errno));
+ #else
for (p = 1023; p > 512; p--)
{
sock = socket(AF_INET, SOCK_STREAM, 0);
***************
*** 338,343 ****
--- 344,350 ----
}
fatal("bind: %.100s", strerror(errno));
}
+ #endif
debug("Allocated local port %d.", p);
}
else

13
security/ssh/patches/patch-ao Normal file
View File

@ -0,0 +1,13 @@
--- newchannels.c.orig Tue Apr 22 17:40:11 1997
+++ newchannels.c Sat Jul 19 11:42:06 1997
@@ -2139,6 +2139,10 @@
ssh-agent connections on your system */
old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+ /* Make sure the socket doesn't already exist, left over from a system
+ crash perhaps. */
+ unlink(channel_forwarded_auth_socket_name);
+
if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));

1
security/ssh/pkg/COMMENT Normal file
View File

@ -0,0 +1 @@
Secure shell client and server (remote login program).

99
security/ssh/pkg/DESCR Normal file
View File

@ -0,0 +1,99 @@
Secure Shell is a program to log into another computer over a network,
to execute commands in a remote machine, and to move files from one
machine to another. It provides strong authentication and secure
communications over insecure channels. It is inteded as a replacement
for rlogin, rsh, and rcp.
FEATURES
o Complete replacement for rlogin, rsh, and rcp.
o Strong authentication. Closes several security holes (e.g., IP,
routing, and DNS spoofing). New authentication methods: .rhosts
together with RSA based host authentication, and pure RSA
authentication.
o Improved privacy. All communications are automatically and
transparently encrypted. RSA is used for key exchange, and a
conventional cipher (normally IDEA, DES, or triple-DES) for
encrypting the session. Encryption is started before
authentication, and no passwords or other information is
transmitted in the clear. Encryption is also used to protect
against spoofed packets.
o Secure X11 sessions. The program automatically sets DISPLAY on
the server machine, and forwards any X11 connections over the
secure channel. Fake Xauthority information is automatically
generated and forwarded to the remote machine; the local client
automatically examines incoming X11 connections and replaces the
fake authorization data with the real data (never telling the
remote machine the real information).
o Arbitrary TCP/IP ports can be redirected through the encrypted channel
in both directions (e.g., for e-cash transactions).
o No retraining needed for normal users; everything happens
automatically, and old .rhosts files will work with strong
authentication if administration installs host key files.
o Never trusts the network. Minimal trust on the remote side of
the connection. Minimal trust on domain name servers. Pure RSA
authentication never trusts anything but the private key.
o Client RSA-authenticates the server machine in the beginning of
every connection to prevent trojan horses (by routing or DNS
spoofing) and man-in-the-middle attacks, and the server
RSA-authenticates the client machine before accepting .rhosts or
/etc/hosts.equiv authentication (to prevent DNS, routing, or
IP-spoofing).
o Host authentication key distribution can be centrally by the
administration, automatically when the first connection is made
to a machine (the key obtained on the first connection will be
recorded and used for authentication in the future), or manually
by each user for his/her own use. The central and per-user host
key repositories are both used and complement each other. Host
keys can be generated centrally or automatically when the software
is installed. Host authentication keys are typically 1024 bits.
o Any user can create any number of user authentication RSA keys for
his/her own use. Each user has a file which lists the RSA public
keys for which proof of possession of the corresponding private
key is accepted as authentication. User authentication keys are
typically 1024 bits.
o The server program has its own server RSA key which is
automatically regenerated every hour. This key is never saved in
any file. Exchanged session keys are encrypted using both the
server key and the server host key. The purpose of the separate
server key is to make it impossible to decipher a captured session by
breaking into the server machine at a later time; one hour from
the connection even the server machine cannot decipher the session
key. The key regeneration interval is configurable. The server
key is normally 768 bits.
o An authentication agent, running in the user's laptop or local
workstation, can be used to hold the user's RSA authentication
keys. Ssh automatically forwards the connection to the
authentication agent over any connections, and there is no need to
store the RSA authentication keys on any machine in the network
(except the user's own local machine). The authentication
protocols never reveal the keys; they can only be used to verify
that the user's agent has a certain key. Eventually the agent
could rely on a smart card to perform all authentication
computations.
o The software can be installed and used (with restricted
functionality) even without root privileges.
o The client is customizable in system-wide and per-user
configuration files. Most aspects of the client's operation can
be configured. Different options can be specified on a per-host basis.
o Automatically executes conventional rsh (after displaying a
warning) if the server machine is not running sshd.
o Optional compression of all data with gzip (including forwarded X11
and TCP/IP port data), which may result in significant speedups on
slow connections.

23
security/ssh/pkg/PLIST Normal file
View File

@ -0,0 +1,23 @@
etc/rc.d/sshd.sh
bin/scp
bin/ssh
@exec ln -fs %f %B/slogin
@unexec rm -f %B/slogin
bin/ssh-add
bin/ssh-agent
bin/ssh-askpass
bin/ssh-keygen
bin/make-ssh-known-hosts
etc/ssh_config
etc/sshd_config
man/man1/make-ssh-known-hosts.1.gz
man/man1/scp.1.gz
man/man1/ssh-add.1.gz
man/man1/ssh-agent.1.gz
man/man1/ssh-keygen.1.gz
man/man1/ssh.1.gz
@exec ln -fs %f %B/slogin.1.gz
@unexec rm -f %B/slogin.1.gz
man/man8/sshd.8.gz
sbin/sshd
@exec if [ ! -f %D/etc/ssh_host_key ]; then echo "Generating a secret host key.." ; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi