AIX openssh patches
Matt Richards
v2matt at btv.ibm.com
Thu Jan 20 04:33:55 EST 2000
I have a few patches for AIX. The patchfile is attached below. The patch
has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25,
with openssl-0.94, using RSAref.
1) authenticate support - this function allows the system to determine
authentication. Whatever the system allows for login, authenticate
will too. It doesn't matter whether it is AFS, DFS, SecureID, local.
2) loginsuccess - this function will log to /etc/security/lastlog as
well as clear the failed logins.
3) loginfailed - this function will increase the number of failed logins
and update /etc/security/lastlog and /etc/security/failedlogins.
4) loginrestrictions - this function will determine if a user is allowed
to login (i.e. too many failed logins, account disabled, etc.). This
function is used in conjunction with authenticate.
5) SOCKS5 and SOCKS4 support.
6) Support for the system random function instead of egd or /dev/urandom.
There is one fix that should be put in. In sshd.c, function do_authloop,
client_user needs to be set to NULL after the xfree. There is a double free
happening here.
*** acconfig.h.DIST Tue Jan 11 09:38:15 2000
--- acconfig.h Tue Jan 11 12:11:02 2000
***************
*** 12,17 ****
--- 12,23 ----
/* Define if you want to disable PAM support */
#undef DISABLE_PAM
+ /* Define if you want to disable AIX4's authenticate function */
+ #undef WITH_AIXAUTHENTICATE
+
+ /* Define if you want to use system random */
+ #undef USE_SYSRANDOM
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG
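Review bot: The comment above the new `WITH_AIXAUTHENTICATE` symbol in acconfig.h says "Define if you want to disable AIX4's authenticate function", but defining it enables the feature (auth-passwd.c only calls `authenticate()` under `#ifdef WITH_AIXAUTHENTICATE`), and the config.h.in hunk already carries the opposite wording. Make the two agree: `/* Define if you want to use AIX4's authenticate function */`. In the following hunk `#undef Rlisten` is listed twice; the same duplicate appears in the config.h.in and configure hunks and one copy should go.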
***************
*** 29,34 ****
--- 35,69 ----
/* Define if using the Dante SOCKS library. */
#undef HAVE_DANTE
+
+ /* Define this if compiling with SOCKS (the firewall traversal library). */
+ #undef SOCKS
+ #undef SOCKS4
+ #undef SOCKS5
+
+ #undef Rconnect
+ #undef Rgetsockname
+ #undef Rgetpeername
+ #undef Rbind
+ #undef Raccept
+ #undef Rlisten
+ #undef Rselect
+ #undef Rrecvfrom
+ #undef Rsendto
+ #undef Rrecv
+ #undef Rsend
+ #undef Rread
+ #undef Rwrite
+ #undef Rrresvport
+ #undef Rshutdown
+ #undef Rlisten
+ #undef Rclose
+ #undef Rdup
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
+
+
/* Define if your ssl headers are included with #include <ssl/header.h> */
#undef HAVE_SSL
*** auth-passwd.c.DIST Tue Jan 11 09:19:33 2000
--- auth-passwd.c Tue Jan 11 09:45:13 2000
***************
*** 18,23 ****
--- 18,27 ----
#include "servconf.h"
#include "xmalloc.h"
+ #ifdef WITH_AIXAUTHENTICATE
+ #include <login.h>
+ #endif
+
#ifdef HAVE_SHADOW_H
# include <shadow.h>
#endif
***************
*** 40,45 ****
--- 44,55 ----
struct spwd *spw;
#endif
+ #ifdef WITH_AIXAUTHENTICATE
+ char *authmsg;
+ char *loginmsg;
+ int reenter = 1;
+ #endif
+
/* deny if no user. */
if (pw == NULL)
return 0;
***************
*** 55,60 ****
--- 65,79 ----
return ret;
/* Fall back to ordinary passwd authentication. */
}
+ #endif
+ #ifdef WITH_AIXAUTHENTICATE
+
+ if ( (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) &&
+ (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0))
+ return 1;
+ else
+ return 0;
+
#endif
#ifdef KRB4
if (options.kerberos_authentication == 1) {
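Review bot: The `WITH_AIXAUTHENTICATE` block returns unconditionally, so the KRB4 and crypt() paths after it are unreachable when the option is on, and the `authmsg`/`loginmsg` strings that `authenticate()` and `loginrestrictions()` hand back are never released — AIX documents them as caller-freed, so every password attempt leaks. `reenter` is initialised to 1 but never read; presumably it should be checked after `authenticate()` (a non-zero value means the subsystem expects further input, not a verdict) — confirm against the AIX man page. The enclosing function begins and ends outside this hunk. Initialise both message pointers, free them on both outcomes, and make the early return explicit:
```c
#ifdef WITH_AIXAUTHENTICATE
	{
		int ok;

		authmsg = loginmsg = NULL;
		ok = authenticate(pw->pw_name, password, &reenter, &authmsg) == 0 &&
		     loginrestrictions(pw->pw_name, S_LOGIN, NULL, &loginmsg) == 0;
		/* AIX allocates both messages for the caller; release them either way. */
		free(authmsg);
		free(loginmsg);
		return ok;
	}
#endif
```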
*** bsd-misc.c.DIST Tue Jan 11 09:48:36 2000
--- bsd-misc.c Wed Jan 19 08:29:59 2000
***************
*** 52,61 ****
--- 52,67 ----
#include "ssh.h"
#include "bsd-misc.h"
+ #if 0
#ifndef offsetof
#define offsetof(type, member) ((size_t) &((type *)0)->member)
#endif
+ #endif
+ #ifdef USE_SYSRANDOM
+ #include <time.h>
+ #endif
+
#ifndef HAVE_ARC4RANDOM
typedef struct
***************
*** 135,140 ****
--- 141,156 ----
void get_random_bytes(unsigned char *buf, int len)
{
+
+ #ifdef USE_SYSRANDOM
+ int index;
+
+ srandom(time(NULL) + getpid());
+
+ for (index = 0; index < len+1; index++) {
+ buf[index] = rand()%255;
+ }
+ #else /* USE_SYSRANDOM */
static int random_pool;
int c;
#ifdef HAVE_EGD
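Review bot: The `USE_SYSRANDOM` branch of get_random_bytes writes `len+1` bytes into a `len`-byte buffer (`index < len+1`), and it seeds `srandom()` but draws from `rand()`, which on most libcs is a different generator, so the seed is not even applied. More importantly the seed is `time(NULL) + getpid()`, so the bytes fed into host-key, server-key and session-key generation are reproducible from a bounded start time and pid — this is not a usable entropy source for an SSH implementation — and the configure hunk that defines `USE_SYSRANDOM` makes it the silent default wherever no random device or EGD pool is found, replacing the previous hard error. Keep the configure error (or require an explicit `--with-random`/EGD choice) and drop this fallback; if it is kept for some non-security build, the loop bound must at least be `index < len` and the generator must match the seeding call. The rest of the function lies outside this hunk.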
***************
*** 184,189 ****
--- 200,206 ----
fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno));
close(random_pool);
+ #endif /* USE_SYSRANDOM */
}
#endif /* !HAVE_ARC4RANDOM */
*** canohost.c.DIST Wed Jan 19 11:00:42 2000
--- canohost.c Wed Jan 19 11:01:09 2000
***************
*** 29,35 ****
get_remote_hostname(int socket)
{
struct sockaddr_in from;
! int fromlen, i;
struct hostent *hp;
char name[MAXHOSTNAMELEN];
--- 29,40 ----
get_remote_hostname(int socket)
{
struct sockaddr_in from;
! #ifdef _AIX
! unsigned long fromlen;
! #else
! int fromlen;
! #endif
! int i;
struct hostent *hp;
char name[MAXHOSTNAMELEN];
***************
*** 116,122 ****
{
unsigned char options[200], *ucp;
char text[1024], *cp;
! int option_size, ipproto;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
--- 121,132 ----
{
unsigned char options[200], *ucp;
char text[1024], *cp;
! #ifdef _AIX
! unsigned long option_size;
! #else
! int option_size;
! #endif
! int ipproto;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
***************
*** 149,155 ****
--- 159,169 ----
peer_connection_is_on_socket()
{
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif
int in = packet_get_connection_in();
int out = packet_get_connection_out();
***************
*** 197,203 ****
get_remote_ipaddr()
{
struct sockaddr_in from;
! int fromlen, socket;
/* Check whether we have chached the name. */
if (canonical_host_ip != NULL)
--- 211,222 ----
get_remote_ipaddr()
{
struct sockaddr_in from;
! #ifdef _AIX
! unsigned long fromlen;
! #else
! int fromlen;
! #endif
! int socket;
/* Check whether we have chached the name. */
if (canonical_host_ip != NULL)
***************
*** 231,237 ****
--- 250,260 ----
get_peer_port(int sock)
{
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif
/* Get IP address of client. */
fromlen = sizeof(from);
*** channels.c.DIST Tue Jan 11 12:16:35 2000
--- channels.c Wed Jan 19 11:01:32 2000
***************
*** 374,380 ****
channel_after_select(fd_set * readset, fd_set * writeset)
{
struct sockaddr addr;
! int addrlen, newsock, i, newch, len;
Channel *ch;
char buf[16384], *remote_hostname;
--- 374,385 ----
channel_after_select(fd_set * readset, fd_set * writeset)
{
struct sockaddr addr;
! #ifdef _AIX
! unsigned long addrlen;
! #else
! int addrlen;
! #endif
! int newsock, i, newch, len;
Channel *ch;
char buf[16384], *remote_hostname;
***************
*** 1005,1011 ****
struct sockaddr_in sin;
char *host, *originator_string;
struct hostent *hp;
! int host_len, originator_len;
/* Get remote channel number. */
remote_channel = packet_get_int();
--- 1010,1016 ----
struct sockaddr_in sin;
char *host, *originator_string;
struct hostent *hp;
! unsigned int host_len, originator_len;
/* Get remote channel number. */
remote_channel = packet_get_int();
***************
*** 1257,1263 ****
struct sockaddr_in sin;
char buf[1024], *cp, *remote_host;
struct hostent *hp;
! int remote_len;
/* Get remote channel number. */
remote_channel = packet_get_int();
--- 1262,1268 ----
struct sockaddr_in sin;
char buf[1024], *cp, *remote_host;
struct hostent *hp;
! unsigned int remote_len;
/* Get remote channel number. */
remote_channel = packet_get_int();
*** cipher.c.DIST Tue Jan 11 09:45:57 2000
--- cipher.c Tue Jan 11 09:46:35 2000
***************
*** 111,117 ****
void (*cipher_attack_detected) (const char *fmt,...) = fatal;
! static inline void
detect_cbc_attack(const unsigned char *src,
unsigned int len)
{
--- 111,122 ----
void (*cipher_attack_detected) (const char *fmt,...) = fatal;
! #ifdef _AIX
! static __inline
! #else
! static inline
! #endif
! void
detect_cbc_attack(const unsigned char *src,
unsigned int len)
{
*** config.h.in.DIST Tue Jan 11 09:40:43 2000
--- config.h.in Wed Jan 19 11:01:42 2000
***************
*** 15,20 ****
--- 15,26 ----
/* Define if you want to disable PAM support */
#undef DISABLE_PAM
+ /* Define if you want AIX4's authenticate function */
+ #undef WITH_AIXAUTHENTICATE
+
+ /* Define if you want to use system random */
+ #undef USE_SYSRANDOM
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG
***************
*** 33,38 ****
--- 39,72 ----
/* Define if using the Dante SOCKS library. */
#undef HAVE_DANTE
+ /* Define this if compiling with SOCKS (the firewall traversal library). */
+ #undef SOCKS
+ #undef SOCKS4
+ #undef SOCKS5
+
+ #undef Rconnect
+ #undef Rgetsockname
+ #undef Rgetpeername
+ #undef Rbind
+ #undef Raccept
+ #undef Rlisten
+ #undef Rselect
+ #undef Rrecvfrom
+ #undef Rsendto
+ #undef Rrecv
+ #undef Rsend
+ #undef Rread
+ #undef Rwrite
+ #undef Rrresvport
+ #undef Rshutdown
+ #undef Rlisten
+ #undef Rclose
+ #undef Rdup
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
+
+
/* Define if your ssl headers are included with #include <ssl/header.h> */
#undef HAVE_SSL
***************
*** 295,298 ****
#include "defines.h"
! #endif _CONFIG_H
--- 329,332 ----
#include "defines.h"
! #endif
*** configure.DIST Tue Jan 11 09:20:43 2000
--- configure Tue Jan 11 12:09:34 2000
***************
*** 16,21 ****
--- 16,23 ----
ac_help="$ac_help
--without-pam Disable PAM support "
ac_help="$ac_help
+ --with-aixauthenticate Use AIX4's authenticate function"
+ ac_help="$ac_help
--with-gnome-askpass Build the GNOME passphrase requester (default=no)"
ac_help="$ac_help
--with-random=FILE read randomness from FILE (default=/dev/urandom)"
***************
*** 26,31 ****
--- 28,39 ----
ac_help="$ac_help
--with-dante=DIR Use Dante SOCKS lib (default is system library path)"
ac_help="$ac_help
+ --with-socks Compile with SOCKS firewall traversal support."
+ ac_help="$ac_help
+ --with-socks5[=PATH] Compile with SOCKS5 firewall traversal support."
+ ac_help="$ac_help
+ --with-socks4[=PATH] Compile with SOCKS4 firewall traversal support."
+ ac_help="$ac_help
--with-kerberos4=PATH Enable Kerberos 4 support"
ac_help="$ac_help
--with-afs=PATH Enable AFS support"
***************
*** 2245,2250 ****
--- 2253,2282 ----
rm -f conftest*
fi
+ # check for the AIX authenticate
+ echo $ac_n "checking whether to use AIX authenticate""... $ac_c" 1>&6
+ echo "configure:XXXX: checking whether to use AIX authenticate" >&5
+ # Check whether --with-aixauthenticate or --without-aixauthenticate was given.
+ if test "${with_aixauthenticate+set}" = set; then
+ withval="$with_aixauthenticate"
+ case "$withval" in
+ yes)
+ echo "$ac_t""yes" 1>&6
+ cat >> confdefs.h <<\EOF
+ #define WITH_AIXAUTHENTICATE 1
+ EOF
+ LIBS="$LIBS -ls"
+ ;;
+ *)
+ echo "$ac_t""no" 1>&6
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+
echo $ac_n "checking whether to build GNOME ssh-askpass""... $ac_c" 1>&6
echo "configure:2250: checking whether to build GNOME ssh-askpass" >&5
# Check whether --with-gnome-askpass or --without-gnome-askpass was given.
***************
*** 2335,2345 ****
fi
- if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then
- { echo "configure: error: No random device found, and no EGD random pool specified" 1>&2; exit 1; }
fi
echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6
echo "configure:2345: checking whether utmp.h has ut_host field" >&5
cat > conftest.$ac_ext <<EOF
--- 2367,2382 ----
fi
+ if test -z "$RANDOM_POOL" -a -z "$EGD_POOL";then
+ echo $ac_n "using system random" 1>&6
+ cat >> confdefs.h <<\EOF
+ #define USE_SYSRANDOM 1
+ EOF
fi
+
+
echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6
echo "configure:2345: checking whether utmp.h has ut_host field" >&5
cat > conftest.$ac_ext <<EOF
***************
*** 2606,2611 ****
--- 2643,2970 ----
LIBS="$LIBS -lsocks"
fi
+
+ fi
+
+
+ # Check whether --with-socks or --without-socks was given.
+ if test "${with_socks+set}" = set; then
+ withval="$with_socks"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ yes)
+ echo "$ac_t""yes" 1>&6
+ echo $ac_n "checking for SOCKSconnect in -lsocks5""... $ac_c" 1>&6
+ echo "configure:6842: checking for SOCKSconnect in -lsocks5" >&5
+ ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+ else
+ ac_save_LIBS="$LIBS"
+ LIBS="-lsocks5 $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6850 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error. */
+ /* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ char SOCKSconnect();
+
+ int main() {
+ SOCKSconnect()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6861: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+ fi
+ rm -f conftest*
+ LIBS="$ac_save_LIBS"
+
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+
+ socks=5
+ LIBS="-lsocks5 $LIBS"
+ else
+ echo "$ac_t""no" 1>&6
+
+ echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6
+ echo "configure:6883: checking for Rconnect in -lsocks" >&5
+ ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+ else
+ ac_save_LIBS="$LIBS"
+ LIBS="-lsocks $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6891 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error. */
+ /* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ char Rconnect();
+
+ int main() {
+ Rconnect()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+ fi
+ rm -f conftest*
+ LIBS="$ac_save_LIBS"
+
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+
+ socks=4
+ LIBS="-lsocks $LIBS"
+ else
+ echo "$ac_t""no" 1>&6
+
+ { echo "configure: error: Could not find socks library. You must first install socks." 1>&2; exit 1; }
+ fi
+
+ fi
+
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+
+ if test "x$socks" = "x"; then
+ echo $ac_n "checking whether to support SOCKS5""... $ac_c" 1>&6
+ echo "configure:6938: checking whether to support SOCKS5" >&5
+ # Check whether --with-socks5 or --without-socks5 was given.
+ if test "${with_socks5+set}" = set; then
+ withval="$with_socks5"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ *)
+ echo "$ac_t""yes" 1>&6
+ socks=5
+ if test "x$withval" = "xyes"; then
+ withval="-lsocks5"
+ else
+ if test -d "$withval"; then
+ if test -d "$withval/include"; then
+ CFLAGS="$CFLAGS -I$withval/include"
+ else
+ CFLAGS="$CFLAGS -I$withval"
+ fi
+ if test -d "$withval/lib"; then
+ withval="-L$withval/lib -lsocks5"
+ else
+ withval="-L$withval -lsocks5"
+ fi
+ fi
+ fi
+ LIBS="$withval $LIBS"
+ # If Socks was compiled with Kerberos support, we will need
+ # to link against kerberos libraries. Temporarily append
+ # to LIBS. This is harmless if there is no kerberos support.
+ TMPLIBS="$LIBS"
+ LIBS="$LIBS $KERBEROS_LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6972 "configure"
+ #include "confdefs.h"
+
+ int main() {
+ SOCKSconnect();
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6979: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ :
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ { echo "configure: error: Could not find the $withval library. You must first install socks5." 1>&2; exit 1; }
+ fi
+ rm -f conftest*
+ LIBS="$TMPLIBS"
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+ fi
+
+ if test "x$socks" = "x"; then
+ echo $ac_n "checking whether to support SOCKS4""... $ac_c" 1>&6
+ echo "configure:7000: checking whether to support SOCKS4" >&5
+ # Check whether --with-socks4 or --without-socks4 was given.
+ if test "${with_socks4+set}" = set; then
+ withval="$with_socks4"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ *)
+ echo "$ac_t""yes" 1>&6
+ socks=4
+ if test "x$withval" = "xyes"; then
+ withval="-lsocks"
+ else
+ if test -d "$withval"; then
+ withval="-L$withval -lsocks"
+ fi
+ fi
+ LIBS="$withval $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 7020 "configure"
+ #include "confdefs.h"
+
+ int main() {
+ Rconnect();
+ ; return 0; }
+ EOF
+ if { (eval echo configure:7027: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ :
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ { echo "configure: error: Could not find the $withval library. You must first install socks." 1>&2; exit 1; }
+ fi
+ rm -f conftest*
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+ fi
+
+
+
+ if test "x$socks" = "x4"; then
+ cat >> confdefs.h <<\EOF
+ #define SOCKS 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define SOCKS4 1
+ EOF
+
+ fi
+
+ if test "x$socks" = "x5"; then
+ cat >> confdefs.h <<\EOF
+ #define SOCKS 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define SOCKS5 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rconnect SOCKSconnect
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgetsockname SOCKSgetsockname
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgetpeername SOCKSgetpeername
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rbind SOCKSbind
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Raccept SOCKSaccept
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rlisten SOCKSlisten
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rselect SOCKSselect
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrecvfrom SOCKSrecvfrom
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rsendto SOCKSsendto
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrecv SOCKSrecv
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rsend SOCKSsend
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rread SOCKSread
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rwrite SOCKSwrite
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrresvport SOCKSrresvport
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rshutdown SOCKSshutdown
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rlisten SOCKSlisten
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rclose SOCKSclose
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rdup SOCKSdup
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rdup2 SOCKSdup2
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rfclose SOCKSfclose
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgethostbyname SOCKSgethostbyname
+ EOF
fi
*** configure.in.DIST Tue Jan 11 09:39:21 2000
--- configure.in Tue Jan 11 09:40:15 2000
***************
*** 234,239 ****
--- 234,256 ----
)
fi
+ AC_ARG_WITH(aixauthenticate,
+ [ --with-aixauthenticate Include AIX authenticate support
+ --without-aixauthenticate Don't include AIX authenticate support (default)],
+ [ case "$withval" in
+ yes)
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(WITH_AIXAUTHENTICATE)
+ LIBS="$LIBS -ls"
+ ;;
+ *)
+ AC_MSG_RESULT(no)
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+ )
+
+
AC_MSG_CHECKING([whether to build GNOME ssh-askpass])
dnl Check whether user wants GNOME ssh-askpass
AC_ARG_WITH(gnome-askpass,
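Review bot: configure.in only gains the `--with-aixauthenticate` option, while the SOCKS detection and the `USE_SYSRANDOM` fallback exist solely in the hand-edited generated `configure` (the `configure:XXXX` line number in the AIX check confirms it was edited by hand), so the next `autoconf` run silently drops them. The source of truth should be configure.in; add the equivalent `AC_ARG_WITH(socks…)` and random-pool logic there and regenerate, or drop the generated-file hunks from the patch. The `AC_MSG_RESULT` calls here are also not paired with an `AC_MSG_CHECKING`, so the "yes"/"no" prints without a label.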
*** ssh-agent.c.DIST Mon Jan 3 07:41:05 2000
--- ssh-agent.c Wed Jan 19 11:01:59 2000
***************
*** 416,422 ****
after_select(fd_set *readset, fd_set *writeset)
{
unsigned int i;
! int len, sock;
char buf[1024];
struct sockaddr_un sunaddr;
--- 416,427 ----
after_select(fd_set *readset, fd_set *writeset)
{
unsigned int i;
! #ifdef _AIX
! unsigned long len;
! #else
! int len;
! #endif
! int sock;
char buf[1024];
struct sockaddr_un sunaddr;
*** ssh-keygen.c.DIST Wed Nov 24 19:54:59 1999
--- ssh-keygen.c Wed Jan 19 11:02:18 2000
***************
*** 101,107 ****
if (f && fgets(line, sizeof(line), f)) {
cp = line;
line[strlen(line) - 1] = '\0';
! if (auth_rsa_read_key(&cp, &dummy, e, n)) {
public_key->e = e;
public_key->n = n;
comment = xstrdup(cp ? cp : "no comment");
--- 101,107 ----
if (f && fgets(line, sizeof(line), f)) {
cp = line;
line[strlen(line) - 1] = '\0';
! if (auth_rsa_read_key(&cp, (unsigned int *)&dummy, e, n)) {
public_key->e = e;
public_key->n = n;
comment = xstrdup(cp ? cp : "no comment");
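Review bot: The `(unsigned int *)&dummy` cast silences the prototype mismatch rather than fixing it: `dummy` stays `int` while `auth_rsa_read_key` writes an `unsigned int` through the pointer. channels.c in this same patch fixes the equivalent case the right way by declaring `host_len`/`originator_len` as `unsigned int`; do the same here and for the `packet_get_string((unsigned int *)&…)` casts in sshconnect.c (`payload_len`) and sshd.c (`ulen`, `dlen`, `proto_len`, `data_len`), whose values are then used in `packet_integrity_check` length arithmetic. The declaration of `dummy` is outside this hunk.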
*** ssh.c.DIST Tue Jan 11 12:13:59 2000
--- ssh.c Tue Jan 11 12:15:16 2000
***************
*** 207,212 ****
--- 207,216 ----
/* Save our own name. */
av0 = av[0];
+ #ifdef SOCKS
+ SOCKSinit(av0);
+ #endif /* SOCKS */
+
/* Initialize option structure to indicate that no values have been set. */
initialize_options(&options);
*** sshconnect.c.DIST Tue Jan 11 09:54:21 2000
--- sshconnect.c Wed Jan 19 11:03:46 2000
***************
*** 142,172 ****
int
ssh_create_socket(uid_t original_real_uid, int privileged)
{
! int sock;
! /*
! * If we are running as root and want to connect to a privileged
! * port, bind our own socket to a privileged port.
! */
! if (privileged) {
! int p = IPPORT_RESERVED - 1;
! sock = rresvport(&p);
! if (sock < 0)
! fatal("rresvport: %.100s", strerror(errno));
! debug("Allocated local port %d.", p);
! } else {
! /*
! * Just create an ordinary socket on arbitrary port. We use
! * the user's uid to create the socket.
! */
! temporarily_use_uid(original_real_uid);
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
! restore_uid();
! }
! return sock;
}
/*
--- 142,193 ----
int
ssh_create_socket(uid_t original_real_uid, int privileged)
{
! int sock;
! /* If we are running as root and want to connect to a privileged port,
! bind our own socket to a privileged port. */
! if (0)
! {
! struct sockaddr_in sin;
! int p;
! for (p = 1023; p > 512; p--)
! {
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
!
! /* Initialize the desired sockaddr_in structure. */
! memset(&sin, 0, sizeof(sin));
! sin.sin_family = AF_INET;
! sin.sin_addr.s_addr = INADDR_ANY;
! sin.sin_port = htons(p);
! /* Try to bind the socket to the privileged port. */
! #if defined(SOCKS)
! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
! break; /* Success. */
! #else /* SOCKS */
! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
! break; /* Success. */
! #endif /* SOCKS */
! if (errno == EADDRINUSE)
! {
! close(sock);
! continue;
! }
! fatal("bind: %.100s", strerror(errno));
! }
! debug("Allocated local port %d.", p);
! }
! else
! {
! /* Just create an ordinary socket on arbitrary port. */
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
! }
! return sock;
!
}
/*
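Review bot: The rewritten ssh_create_socket ignores its `privileged` argument — the reserved-port branch sits behind `if (0)`, so rhosts-based authentication can never obtain a privileged source port — and the ordinary branch no longer wraps `socket()` in `temporarily_use_uid(original_real_uid)`/`restore_uid()`, so in a setuid-root ssh the unprivileged socket is now created as root instead of as the invoking user, which the removed comment explicitly guarded against. The only SOCKS-specific need here is routing the reserved-port allocation through the library, and the config hunks already map `Rrresvport`; keep the original body and add a single `#ifdef` around `rresvport`:
```c
	if (privileged) {
		int p = IPPORT_RESERVED - 1;
#if defined(SOCKS)
		sock = Rrresvport(&p);
#else
		sock = rresvport(&p);
#endif
		if (sock < 0)
			fatal("rresvport: %.100s", strerror(errno));
		debug("Allocated local port %d.", p);
	} else {
		/* Create the socket as the real user, not as setuid root. */
		temporarily_use_uid(original_real_uid);
		sock = socket(AF_INET, SOCK_STREAM, 0);
		if (sock < 0)
			fatal("socket: %.100s", strerror(errno));
		restore_uid();
	}
	return sock;
```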
***************
*** 241,247 ****
--- 262,272 ----
* tcp_wrappers showing the remote uid as root.
*/
temporarily_use_uid(original_real_uid);
+ #if defined(SOCKS)
+ if (Rconnect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+ #else
if (connect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+ #endif
>= 0) {
/* Successful connect. */
restore_uid();
***************
*** 257,263 ****
--- 282,292 ----
/* Not a valid numeric inet address. */
/* Map host name to an address. */
if (!hp)
+ #if defined(SOCKS5)
+ hp = Rgethostbyname(host);
+ #else
hp = gethostbyname(host);
+ #endif
if (!hp)
fatal("Bad host name: %.100s", host);
if (!hp->h_addr_list[0])
***************
*** 287,293 ****
--- 316,326 ----
* root.
*/
temporarily_use_uid(original_real_uid);
+ #if defined(SOCKS)
+ if (Rconnect(sock, (struct sockaddr *) hostaddr,
+ #else
if (connect(sock, (struct sockaddr *) hostaddr,
+ #endif
sizeof(*hostaddr)) >= 0) {
/* Successful connection. */
restore_uid();
***************
*** 916,922 ****
debug("No challenge for skey authentication.");
return 0;
}
! challenge = packet_get_string(&payload_len);
if (options.cipher == SSH_CIPHER_NONE)
log("WARNING: Encryption is disabled! "
"Reponse will be transmitted in clear text.");
--- 949,955 ----
debug("No challenge for skey authentication.");
return 0;
}
! challenge = packet_get_string((unsigned int *)&payload_len);
if (options.cipher == SSH_CIPHER_NONE)
log("WARNING: Encryption is disabled! "
"Reponse will be transmitted in clear text.");
*** sshd.c.DIST Tue Jan 11 09:55:44 2000
--- sshd.c Wed Jan 19 11:05:02 2000
***************
*** 277,283 ****
{
extern char *optarg;
extern int optind;
! int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1;
int remote_major, remote_minor;
int silentrsa = 0;
struct pollfd fds;
--- 277,288 ----
{
extern char *optarg;
extern int optind;
! #ifdef _AIX
! unsigned long aux;
! #else
! int aux;
! #endif
! int opt, sock_in, sock_out, newsock, i, pid, on = 1;
int remote_major, remote_minor;
int silentrsa = 0;
struct pollfd fds;
***************
*** 988,994 ****
packet_read_expect(&plen, SSH_CMSG_USER);
/* Get the user name. */
! user = packet_get_string(&ulen);
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
/* Destroy the private and public keys. They will no longer be needed. */
--- 993,999 ----
packet_read_expect(&plen, SSH_CMSG_USER);
/* Get the user name. */
! user = packet_get_string((unsigned int*)&ulen);
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
/* Destroy the private and public keys. They will no longer be needed. */
***************
*** 997,1002 ****
--- 1002,1008 ----
RSA_free(sensitive_data.host_key);
setproctitle("%s", user);
+
/* Do the authentication. */
do_authentication(user);
}
***************
*** 1084,1089 ****
--- 1090,1099 ----
{
struct passwd *pw, pwcopy;
+ #ifdef _AIX
+ char *loginmsg;
+ #endif
+
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
***************
*** 1092,1097 ****
--- 1102,1109 ----
}
#endif /* AFS */
+ pw = (struct passwd *) malloc (sizeof(struct passwd));
+
/* Verify that the user is a valid user. */
pw = getpwnam(user);
if (!pw || !allowed_user(pw))
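Review bot: The added `pw = (struct passwd *) malloc (sizeof(struct passwd));` is overwritten by `pw = getpwnam(user);` two lines later, so the allocation leaks on every connection and serves no purpose (`getpwnam` returns its own static storage, which the existing `pwcopy` is presumably there to duplicate). Delete the line. The enclosing do_authentication starts and ends outside this hunk.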
***************
*** 1133,1138 ****
--- 1145,1151 ----
/* Authentication with empty password succeeded. */
log("Login for user %s from %.100s, accepted without authentication.",
pw->pw_name, get_remote_ipaddr());
+
} else {
/* Loop until the user has been authenticated or the
connection is closed, do_authloop() returns only if
***************
*** 1142,1148 ****
/* Check if the user is logging in as root and root logins are disallowed. */
if (pw->pw_uid == 0 && !options.permit_root_login) {
! if (forced_command)
log("Root login accepted for forced command.");
else
packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
--- 1155,1161 ----
/* Check if the user is logging in as root and root logins are disallowed. */
if (pw->pw_uid == 0 && !options.permit_root_login) {
! if (forced_command)
log("Root login accepted for forced command.");
else
packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
***************
*** 1149,1154 ****
--- 1162,1170 ----
get_canonical_hostname());
}
/* The user has been authenticated and accepted. */
+ #ifdef _AIX
+ loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+ #endif
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
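Review bot: `loginsuccess()` is called under `#ifdef _AIX`, but the library it lives in is only linked (`LIBS="$LIBS -ls"`) and auth-passwd.c's `authenticate()` call only compiled when `WITH_AIXAUTHENTICATE` is set, so an AIX build without `--with-aixauthenticate` fails at link time; the `loginmsg` declaration earlier in this function and the `loginfailed()` call in the do_authloop hunk use the same `_AIX` guard and should switch with it. The `loginmsg` string AIX returns is also never freed, and the log entry uses the wire-supplied `user` rather than the looked-up `pw->pw_name`. Proposed lines: `#ifdef WITH_AIXAUTHENTICATE`, `loginsuccess(pw->pw_name, get_canonical_hostname(), "ssh", &loginmsg);`, `free(loginmsg);`.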
***************
*** 1178,1183 ****
--- 1194,1200 ----
int type = 0;
void (*authlog) (const char *fmt,...) = verbose;
+
/* Indicate that authentication is needed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
***************
*** 1261,1267 ****
* authentication is insecure. (Another is
* IP-spoofing on a local network.)
*/
! client_user = packet_get_string(&ulen);
packet_integrity_check(plen, 4 + ulen, type);
/* Try to authenticate using /etc/hosts.equiv and
--- 1278,1284 ----
* authentication is insecure. (Another is
* IP-spoofing on a local network.)
*/
! client_user = packet_get_string((unsigned int *)&ulen);
packet_integrity_check(plen, 4 + ulen, type);
/* Try to authenticate using /etc/hosts.equiv and
***************
*** 1281,1287 ****
* trust the client; root on the client machine can
* claim to be any user.
*/
! client_user = packet_get_string(&ulen);
/* Get the client host key. */
client_host_key_e = BN_new();
--- 1298,1304 ----
* trust the client; root on the client machine can
* claim to be any user.
*/
! client_user = packet_get_string((unsigned int *)&ulen);
/* Get the client host key. */
client_host_key_e = BN_new();
***************
*** 1326,1332 ****
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
! password = packet_get_string(&dlen);
packet_integrity_check(plen, 4 + dlen, type);
#ifdef USE_PAM
--- 1343,1349 ----
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
! password = packet_get_string((unsigned int *)&dlen);
packet_integrity_check(plen, 4 + dlen, type);
#ifdef USE_PAM
***************
*** 1405,1430 ****
#ifdef USE_PAM
if (!do_pam_account(pw->pw_name, client_user))
{
! if (client_user != NULL)
xfree(client_user);
do_fake_authloop(pw->pw_name);
}
#endif /* USE_PAM */
return;
! }
! if (client_user != NULL)
xfree(client_user);
if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
/* Send a message indicating that the authentication attempt failed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
}
/*
--- 1422,1463 ----
#ifdef USE_PAM
if (!do_pam_account(pw->pw_name, client_user))
{
! if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }
do_fake_authloop(pw->pw_name);
}
#endif /* USE_PAM */
return;
! }
! /* HEAP*/
! #if 1
! if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }
+ #endif
if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
/* Send a message indicating that the authentication attempt failed. */
+ #ifdef _AIX
+ if (strncmp(get_authname(type),"password",
+ strlen(get_authname(type))) == 0)
+ loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+ #endif
+
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
+
+
+
}
/*
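Review bot: The `loginfailed()` guard bounds the comparison by the length of its first argument — `strncmp(get_authname(type), "password", strlen(get_authname(type)))` — so any authname that is a prefix of "password", including an empty string, compares equal; use `if (strcmp(get_authname(type), "password") == 0)`. The free-and-NULL of `client_user` is the right fix for the double free the mail describes, but the `/* HEAP*/` marker and the `#if 1`/`#endif` scaffolding around it are debug leftovers and should be removed before the patch lands. do_authloop begins outside this hunk.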
***************
*** 1603,1609 ****
ttyname, tty_mode, strerror(errno));
/* Get TERM from the packet. Note that the value may be of arbitrary length. */
! term = packet_get_string(&dlen);
packet_integrity_check(dlen, strlen(term), type);
/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
/* Remaining bytes */
--- 1636,1642 ----
ttyname, tty_mode, strerror(errno));
/* Get TERM from the packet. Note that the value may be of arbitrary length. */
! term = packet_get_string((unsigned int *)&dlen);
packet_integrity_check(dlen, strlen(term), type);
/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
/* Remaining bytes */
***************
*** 1648,1655 ****
packet_disconnect("Protocol error: X11 display already set.");
{
int proto_len, data_len;
! proto = packet_get_string(&proto_len);
! data = packet_get_string(&data_len);
packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
}
if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
--- 1681,1688 ----
packet_disconnect("Protocol error: X11 display already set.");
{
int proto_len, data_len;
! proto = packet_get_string((unsigned int *)&proto_len);
! data = packet_get_string((unsigned int *)&data_len);
packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
}
if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
***************
*** 1732,1738 ****
/* Get command from the packet. */
{
int dlen;
! command = packet_get_string(&dlen);
debug("Executing command '%.500s'", command);
packet_integrity_check(plen, 4 + dlen, type);
}
--- 1765,1771 ----
/* Get command from the packet. */
{
int dlen;
! command = packet_get_string((unsigned int *)&dlen);
debug("Executing command '%.500s'", command);
packet_integrity_check(plen, 4 + dlen, type);
}
***************
*** 1936,1942 ****
--- 1969,1979 ----
struct stat st;
int quiet_login;
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif
struct pty_cleanup_context cleanup_context;
/* Get remote host name. */
***************
*** 2328,2333 ****
--- 2365,2380 ----
if (display)
child_set_env(&env, &envsize, "DISPLAY", display);
+ {
+ char *authstate,*krb5cc;
+
+ if ((authstate = getenv("AUTHSTATE")) != NULL)
+ child_set_env(&env,&envsize,"AUTHSTATE",authstate);
+
+ if ((krb5cc = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc);
+ }
+
#ifdef KRB4
{
extern char *ticket;
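Review bot: The block copying `AUTHSTATE` and `KRB5CCNAME` into the child environment is not guarded like the other AIX additions, so on every platform whatever `KRB5CCNAME` sshd's own process carries is exported into the user's session; presumably the intent is to forward values that the AIX `authenticate()` call left in this process's environment for the login — confirm. Guard it with `#ifdef WITH_AIXAUTHENTICATE` and say where the values come from, e.g. `/* AIX authenticate() records the user's credential state in our environment; pass it to the session. */`. The `read_environment_file(&env, &envsize, "/etc/environment")` call in the next hunk has the same problem: it runs unconditionally on all platforms and ahead of the per-user file, and I cannot tell from here whether read_environment_file tolerates a missing file.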
***************
*** 2348,2353 ****
--- 2395,2402 ----
if (auth_get_socket_name() != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_get_socket_name());
+
+ read_environment_file(&env,&envsize,"/etc/environment");
/* read $HOME/.ssh/environment. */
if (!options.use_login) {
--
Matt Richards