AIX openssh patches

Matt Richards v2matt at btv.ibm.com
Thu Jan 20 06:00:19 EST 2000


Thus spake David Rankin (drankin at bohemians.lexington.ky.us):

> On Wed, Jan 19, 2000 at 12:33:55PM -0500, Matt Richards wrote:
> 
> > I have a few patches for AIX. The patchfile is attached below. The patch
> > has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25, 
> > with openssl-0.94, using RSAref.
> 
> These are a good set of patches, but I propose that these be implemented
> a bit differently (and yes, I'll be happy to do it, it'll just take a day
> or so).
> 
> 1> Don't use --with-aixauthenticate. Instead, autodetect AIX 4 and use
> it without prompting.
> 
> 2> Instead of the _AIX defines, I'd prefer to see #define used for each
> differing item (i.e. unsigned long versus int, __inline versus inline, etc.),
> preferably autodetecting using autoconf. I'll work on making this cleaner.
> 
> 3> The Dante and SOCKS4/5 implementations are 99% alike. Rather than defining
> the R* functions in config.h, I'd rather roll them all into one spot, where
> they are now.
> 
> Any objections?
> 
> David

Not at all, I like your suggestions.

I did make a mistake in the inline. The configure script works fine
for inline, just need to include config.h in cipher.c in order to get
the inline define. I've updated the patch to reflect this.

Is it feasible to have a configure switch to turn off using priviledged
ports, even is the user has priviledges?


*** acconfig.h.DIST	Tue Jan 11 09:38:15 2000
--- acconfig.h	Tue Jan 11 12:11:02 2000
***************
*** 12,17 ****
--- 12,23 ----
  /* Define if you want to disable PAM support */
  #undef DISABLE_PAM
  
+ /* Define if you want to disable AIX4's authenticate function */
+ #undef WITH_AIXAUTHENTICATE
+ 
+ /* Define if you want to use system random */
+ #undef USE_SYSRANDOM
+ 
  /* Define if you want to disable lastlog support */
  #undef DISABLE_LASTLOG
  
***************
*** 29,34 ****
--- 35,69 ----
  
  /* Define if using the Dante SOCKS library. */
  #undef HAVE_DANTE
+ 
+ /* Define this if compiling with SOCKS (the firewall traversal library). */
+ #undef SOCKS
+ #undef SOCKS4
+ #undef SOCKS5
+ 
+ #undef Rconnect
+ #undef Rgetsockname
+ #undef Rgetpeername
+ #undef Rbind
+ #undef Raccept
+ #undef Rlisten
+ #undef Rselect
+ #undef Rrecvfrom
+ #undef Rsendto
+ #undef Rrecv
+ #undef Rsend
+ #undef Rread
+ #undef Rwrite
+ #undef Rrresvport
+ #undef Rshutdown
+ #undef Rlisten
+ #undef Rclose
+ #undef Rdup
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
+ 
+ 
  
  /* Define if your ssl headers are included with #include <ssl/header.h>  */
  #undef HAVE_SSL
*** auth-passwd.c.DIST	Tue Jan 11 09:19:33 2000
--- auth-passwd.c	Tue Jan 11 09:45:13 2000
***************
*** 18,23 ****
--- 18,27 ----
  #include "servconf.h"
  #include "xmalloc.h"
  
+ #ifdef WITH_AIXAUTHENTICATE
+ #include <login.h>
+ #endif
+ 
  #ifdef HAVE_SHADOW_H
  # include <shadow.h>
  #endif
***************
*** 40,45 ****
--- 44,55 ----
  	struct spwd *spw;
  #endif
  
+ #ifdef WITH_AIXAUTHENTICATE
+ 	char *authmsg;
+ 	char *loginmsg;
+ 	int reenter = 1;
+ #endif
+ 
  	/* deny if no user. */
  	if (pw == NULL)
  		return 0;
***************
*** 55,60 ****
--- 65,79 ----
  			return ret;
  		/* Fall back to ordinary passwd authentication. */
  	}
+ #endif
+ #ifdef WITH_AIXAUTHENTICATE
+ 
+ 	if ( (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) &&
+ 	     (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0))
+               return 1;
+ 	else 
+ 	      return 0;
+ 	
  #endif
  #ifdef KRB4
  	if (options.kerberos_authentication == 1) {
*** bsd-misc.c.DIST	Tue Jan 11 09:48:36 2000
--- bsd-misc.c	Wed Jan 19 13:10:11 2000
***************
*** 47,52 ****
--- 47,55 ----
  #include <sys/socket.h>
  #include <sys/un.h>
  #include <fcntl.h>
+ #ifdef _AIX
+ #include <stddef.h>
+ #endif
  
  #include "xmalloc.h"
  #include "ssh.h"
***************
*** 56,61 ****
--- 59,68 ----
  #define offsetof(type, member) ((size_t) &((type *)0)->member)
  #endif
  
+ #ifdef USE_SYSRANDOM
+ #include <time.h>
+ #endif
+ 
  #ifndef HAVE_ARC4RANDOM
  
  typedef struct
***************
*** 135,140 ****
--- 142,157 ----
  
  void get_random_bytes(unsigned char *buf, int len)
  {
+ 
+ #ifdef USE_SYSRANDOM 
+ 	int index;
+ 
+ 	srandom(time(NULL) + getpid());
+ 
+ 	for (index = 0; index < len+1; index++) {
+              buf[index] = rand()%255;
+ 	}
+ #else /* USE_SYSRANDOM */
  	static int random_pool;
  	int c;
  #ifdef HAVE_EGD
***************
*** 184,189 ****
--- 201,207 ----
  		fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno));
  	
  	close(random_pool);
+ #endif /* USE_SYSRANDOM */
  }
  #endif /* !HAVE_ARC4RANDOM */
  
*** canohost.c.DIST	Wed Jan 19 11:00:42 2000
--- canohost.c	Wed Jan 19 11:01:09 2000
***************
*** 29,35 ****
  get_remote_hostname(int socket)
  {
  	struct sockaddr_in from;
! 	int fromlen, i;
  	struct hostent *hp;
  	char name[MAXHOSTNAMELEN];
  
--- 29,40 ----
  get_remote_hostname(int socket)
  {
  	struct sockaddr_in from;
! #ifdef _AIX
! 	unsigned long fromlen;
! #else
! 	int fromlen;
! #endif
! 	int i;
  	struct hostent *hp;
  	char name[MAXHOSTNAMELEN];
  
***************
*** 116,122 ****
  	{
  		unsigned char options[200], *ucp;
  		char text[1024], *cp;
! 		int option_size, ipproto;
  		struct protoent *ip;
  
  		if ((ip = getprotobyname("ip")) != NULL)
--- 121,132 ----
  	{
  		unsigned char options[200], *ucp;
  		char text[1024], *cp;
! #ifdef _AIX
! 		unsigned long option_size;
! #else
! 		int option_size;
! #endif
! 		int ipproto;
  		struct protoent *ip;
  
  		if ((ip = getprotobyname("ip")) != NULL)
***************
*** 149,155 ****
--- 159,169 ----
  peer_connection_is_on_socket()
  {
  	struct sockaddr_in from;
+ #ifdef _AIX
+ 	unsigned long fromlen;
+ #else
  	int fromlen;
+ #endif
  	int in = packet_get_connection_in();
  	int out = packet_get_connection_out();
  
***************
*** 197,203 ****
  get_remote_ipaddr()
  {
  	struct sockaddr_in from;
! 	int fromlen, socket;
  
  	/* Check whether we have chached the name. */
  	if (canonical_host_ip != NULL)
--- 211,222 ----
  get_remote_ipaddr()
  {
  	struct sockaddr_in from;
! #ifdef _AIX
! 	unsigned long fromlen;
! #else
! 	int fromlen;
! #endif
! 	int socket;
  
  	/* Check whether we have chached the name. */
  	if (canonical_host_ip != NULL)
***************
*** 231,237 ****
--- 250,260 ----
  get_peer_port(int sock)
  {
  	struct sockaddr_in from;
+ #ifdef _AIX
+ 	unsigned long fromlen;
+ #else
  	int fromlen;
+ #endif
  
  	/* Get IP address of client. */
  	fromlen = sizeof(from);
*** channels.c.DIST	Tue Jan 11 12:16:35 2000
--- channels.c	Wed Jan 19 11:01:32 2000
***************
*** 374,380 ****
  channel_after_select(fd_set * readset, fd_set * writeset)
  {
  	struct sockaddr addr;
! 	int addrlen, newsock, i, newch, len;
  	Channel *ch;
  	char buf[16384], *remote_hostname;
  
--- 374,385 ----
  channel_after_select(fd_set * readset, fd_set * writeset)
  {
  	struct sockaddr addr;
! #ifdef _AIX
! 	unsigned long addrlen;
! #else
! 	int addrlen;
! #endif
! 	int newsock, i, newch, len;
  	Channel *ch;
  	char buf[16384], *remote_hostname;
  
***************
*** 1005,1011 ****
  	struct sockaddr_in sin;
  	char *host, *originator_string;
  	struct hostent *hp;
! 	int host_len, originator_len;
  
  	/* Get remote channel number. */
  	remote_channel = packet_get_int();
--- 1010,1016 ----
  	struct sockaddr_in sin;
  	char *host, *originator_string;
  	struct hostent *hp;
! 	unsigned int host_len, originator_len;
  
  	/* Get remote channel number. */
  	remote_channel = packet_get_int();
***************
*** 1257,1263 ****
  	struct sockaddr_in sin;
  	char buf[1024], *cp, *remote_host;
  	struct hostent *hp;
! 	int remote_len;
  
  	/* Get remote channel number. */
  	remote_channel = packet_get_int();
--- 1262,1268 ----
  	struct sockaddr_in sin;
  	char buf[1024], *cp, *remote_host;
  	struct hostent *hp;
! 	unsigned int remote_len;
  
  	/* Get remote channel number. */
  	remote_channel = packet_get_int();
*** cipher.c.DIST	Tue Jan 11 09:45:57 2000
--- cipher.c	Wed Jan 19 13:29:04 2000
***************
*** 16,21 ****
--- 16,22 ----
  
  #include "ssh.h"
  #include "cipher.h"
+ #include "config.h"
  
  #ifdef HAVE_OPENSSL
  #include <openssl/md5.h>
*** config.h.in.DIST	Tue Jan 11 09:40:43 2000
--- config.h.in	Wed Jan 19 11:01:42 2000
***************
*** 15,20 ****
--- 15,26 ----
  /* Define if you want to disable PAM support */
  #undef DISABLE_PAM
  
+ /* Define if you want AIX4's authenticate function */
+ #undef WITH_AIXAUTHENTICATE
+ 
+ /* Define if you want to use system random */
+ #undef USE_SYSRANDOM
+ 
  /* Define if you want to disable lastlog support */
  #undef DISABLE_LASTLOG
  
***************
*** 33,38 ****
--- 39,72 ----
  /* Define if using the Dante SOCKS library. */
  #undef HAVE_DANTE
  
+ /* Define this if compiling with SOCKS (the firewall traversal library). */
+ #undef SOCKS
+ #undef SOCKS4
+ #undef SOCKS5
+ 
+ #undef Rconnect
+ #undef Rgetsockname
+ #undef Rgetpeername
+ #undef Rbind
+ #undef Raccept
+ #undef Rlisten
+ #undef Rselect
+ #undef Rrecvfrom
+ #undef Rsendto
+ #undef Rrecv
+ #undef Rsend
+ #undef Rread
+ #undef Rwrite
+ #undef Rrresvport
+ #undef Rshutdown
+ #undef Rlisten
+ #undef Rclose
+ #undef Rdup
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
+ 
+ 
  /* Define if your ssl headers are included with #include <ssl/header.h>  */
  #undef HAVE_SSL
  
***************
*** 295,298 ****
  
  #include "defines.h"
  
! #endif _CONFIG_H
--- 329,332 ----
  
  #include "defines.h"
  
! #endif
*** configure.DIST	Tue Jan 11 09:20:43 2000
--- configure	Tue Jan 11 12:09:34 2000
***************
*** 16,21 ****
--- 16,23 ----
  ac_help="$ac_help
    --without-pam           Disable PAM support "
  ac_help="$ac_help
+   --with-aixauthenticate  Use AIX4's authenticate function"
+ ac_help="$ac_help
    --with-gnome-askpass    Build the GNOME passphrase requester (default=no)"
  ac_help="$ac_help
    --with-random=FILE      read randomness from FILE (default=/dev/urandom)"
***************
*** 26,31 ****
--- 28,39 ----
  ac_help="$ac_help
    --with-dante=DIR        Use Dante SOCKS lib (default is system library path)"
  ac_help="$ac_help
+   --with-socks            Compile with SOCKS firewall traversal support."
+ ac_help="$ac_help
+   --with-socks5[=PATH]    Compile with SOCKS5 firewall traversal support."
+ ac_help="$ac_help
+   --with-socks4[=PATH]    Compile with SOCKS4 firewall traversal support."
+ ac_help="$ac_help
    --with-kerberos4=PATH   Enable Kerberos 4 support"
  ac_help="$ac_help
    --with-afs=PATH         Enable AFS support"
***************
*** 2245,2250 ****
--- 2253,2282 ----
  rm -f conftest* 
  fi
  
+ # check for the AIX authenticate
+ echo $ac_n "checking whether to use AIX authenticate""... $ac_c" 1>&6
+ echo "configure:XXXX: checking whether to use AIX authenticate" >&5
+ # Check whether --with-aixauthenticate or --without-aixauthenticate was given.
+ if test "${with_aixauthenticate+set}" = set; then
+   withval="$with_aixauthenticate"
+      case "$withval" in
+        yes)
+          echo "$ac_t""yes" 1>&6
+ 	 cat >> confdefs.h <<\EOF
+ #define WITH_AIXAUTHENTICATE 1
+ EOF
+          LIBS="$LIBS -ls"
+          ;;
+        *)
+          echo "$ac_t""no" 1>&6
+          ;;
+       esac
+ else
+      echo "$ac_t""no" 1>&6
+ 
+ fi
+ 
+ 
  echo $ac_n "checking whether to build GNOME ssh-askpass""... $ac_c" 1>&6
  echo "configure:2250: checking whether to build GNOME ssh-askpass" >&5
  # Check whether --with-gnome-askpass or --without-gnome-askpass was given.
***************
*** 2335,2345 ****
  
  fi
  
  
- if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then
- 	{ echo "configure: error: No random device found, and no EGD random pool specified" 1>&2; exit 1; }
  fi
  
  echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6
  echo "configure:2345: checking whether utmp.h has ut_host field" >&5
  cat > conftest.$ac_ext <<EOF
--- 2367,2382 ----
  
  fi
  
+ if test -z "$RANDOM_POOL" -a -z "$EGD_POOL";then
+     echo $ac_n "using system random" 1>&6
+     cat >> confdefs.h <<\EOF
+ #define USE_SYSRANDOM 1
+ EOF
  
  fi
  
+ 
+ 
  echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6
  echo "configure:2345: checking whether utmp.h has ut_host field" >&5
  cat > conftest.$ac_ext <<EOF
***************
*** 2606,2611 ****
--- 2643,2970 ----
  			LIBS="$LIBS -lsocks"
  		fi
  	
+ 
+ fi
+ 
+ 
+ # Check whether --with-socks or --without-socks was given.
+ if test "${with_socks+set}" = set; then
+   withval="$with_socks"
+    case "$withval" in
+   no)
+     echo "$ac_t""no" 1>&6
+     ;;
+   yes)
+     echo "$ac_t""yes" 1>&6
+     echo $ac_n "checking for SOCKSconnect in -lsocks5""... $ac_c" 1>&6
+ echo "configure:6842: checking for SOCKSconnect in -lsocks5" >&5
+ ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   ac_save_LIBS="$LIBS"
+ LIBS="-lsocks5  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6850 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+     builtin and then its argument prototype would still apply.  */
+ char SOCKSconnect();
+ 
+ int main() {
+ SOCKSconnect()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6861: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+   echo "configure: failed program was:" >&5
+   cat conftest.$ac_ext >&5
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=no"
+ fi
+ rm -f conftest*
+ LIBS="$ac_save_LIBS"
+ 
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+   echo "$ac_t""yes" 1>&6
+   
+ 	    socks=5
+ 	    LIBS="-lsocks5 $LIBS"
+ else
+   echo "$ac_t""no" 1>&6
+ 
+ 	echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6
+ echo "configure:6883: checking for Rconnect in -lsocks" >&5
+ ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+   echo $ac_n "(cached) $ac_c" 1>&6
+ else
+   ac_save_LIBS="$LIBS"
+ LIBS="-lsocks  $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6891 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error.  */
+ /* We use char because int might match the return type of a gcc2
+     builtin and then its argument prototype would still apply.  */
+ char Rconnect();
+ 
+ int main() {
+ Rconnect()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+   echo "configure: failed program was:" >&5
+   cat conftest.$ac_ext >&5
+   rm -rf conftest*
+   eval "ac_cv_lib_$ac_lib_var=no"
+ fi
+ rm -f conftest*
+ LIBS="$ac_save_LIBS"
+ 
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+   echo "$ac_t""yes" 1>&6
+   
+ 	    socks=4
+ 	    LIBS="-lsocks $LIBS"
+ else
+   echo "$ac_t""no" 1>&6
+ 
+ 		{ echo "configure: error: Could not find socks library.  You must first install socks." 1>&2; exit 1; }  
+ fi
+   
+ fi
+ 
+     ;;
+   esac 
+ else
+   echo "$ac_t""no" 1>&6
+ 
+ fi
+ 
+ 
+ if test "x$socks" = "x"; then
+ 	echo $ac_n "checking whether to support SOCKS5""... $ac_c" 1>&6
+ echo "configure:6938: checking whether to support SOCKS5" >&5
+ 	# Check whether --with-socks5 or --without-socks5 was given.
+ if test "${with_socks5+set}" = set; then
+   withval="$with_socks5"
+    case "$withval" in
+ 	  no)
+ 	    echo "$ac_t""no" 1>&6
+ 	    ;;
+ 	  *)
+ 	    echo "$ac_t""yes" 1>&6
+ 	    socks=5
+ 	    if test "x$withval" = "xyes"; then
+ 	      withval="-lsocks5"
+ 	    else
+ 	      if test -d "$withval"; then
+ 		if test -d "$withval/include"; then
+ 		  CFLAGS="$CFLAGS -I$withval/include"
+ 		else
+ 		  CFLAGS="$CFLAGS -I$withval"
+ 		fi
+ 	        if test -d "$withval/lib"; then
+ 		  withval="-L$withval/lib -lsocks5"
+ 		else
+ 		  withval="-L$withval -lsocks5"
+ 		fi
+ 	      fi
+ 	    fi
+ 	    LIBS="$withval $LIBS"
+ 	    # If Socks was compiled with Kerberos support, we will need
+ 	    # to link against kerberos libraries.  Temporarily append
+ 	    # to LIBS.  This is harmless if there is no kerberos support.
+ 	    TMPLIBS="$LIBS"
+ 	    LIBS="$LIBS $KERBEROS_LIBS"
+ 	    cat > conftest.$ac_ext <<EOF
+ #line 6972 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+  SOCKSconnect(); 
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6979: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+   :
+ else
+   echo "configure: failed program was:" >&5
+   cat conftest.$ac_ext >&5
+   rm -rf conftest*
+    { echo "configure: error: Could not find the $withval library.  You must first install socks5." 1>&2; exit 1; } 
+ fi
+ rm -f conftest*
+ 	    LIBS="$TMPLIBS"
+ 	    ;;
+ 	  esac 
+ else
+   echo "$ac_t""no" 1>&6
+ 	
+ fi
+ 
+ fi
+ 
+ if test "x$socks" = "x"; then
+ 	echo $ac_n "checking whether to support SOCKS4""... $ac_c" 1>&6
+ echo "configure:7000: checking whether to support SOCKS4" >&5
+ 	# Check whether --with-socks4 or --without-socks4 was given.
+ if test "${with_socks4+set}" = set; then
+   withval="$with_socks4"
+    case "$withval" in
+ 	  no)
+ 	    echo "$ac_t""no" 1>&6
+ 	    ;;
+ 	  *)
+ 	    echo "$ac_t""yes" 1>&6
+ 	    socks=4
+ 	    if test "x$withval" = "xyes"; then
+ 	      withval="-lsocks"
+ 	    else
+ 	      if test -d "$withval"; then
+ 	        withval="-L$withval -lsocks"
+ 	      fi
+ 	    fi
+ 	    LIBS="$withval $LIBS"
+ 	    cat > conftest.$ac_ext <<EOF
+ #line 7020 "configure"
+ #include "confdefs.h"
+ 
+ int main() {
+  Rconnect(); 
+ ; return 0; }
+ EOF
+ if { (eval echo configure:7027: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+   :
+ else
+   echo "configure: failed program was:" >&5
+   cat conftest.$ac_ext >&5
+   rm -rf conftest*
+    { echo "configure: error: Could not find the $withval library.  You must first install socks." 1>&2; exit 1; } 
+ fi
+ rm -f conftest*
+ 	    ;;
+ 	  esac 
+ else
+   echo "$ac_t""no" 1>&6
+ 	
+ fi
+ 
+ fi
+ 
+ 
+ 
+ if test "x$socks" = "x4"; then
+     cat >> confdefs.h <<\EOF
+ #define SOCKS 1
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define SOCKS4 1
+ EOF
+ 
+ fi
+ 
+ if test "x$socks" = "x5"; then
+     cat >> confdefs.h <<\EOF
+ #define SOCKS 1
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define SOCKS5 1
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rconnect SOCKSconnect
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rgetsockname SOCKSgetsockname
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rgetpeername SOCKSgetpeername
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rbind SOCKSbind
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Raccept SOCKSaccept
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rlisten SOCKSlisten
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rselect SOCKSselect
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rrecvfrom SOCKSrecvfrom
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rsendto SOCKSsendto
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rrecv SOCKSrecv
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rsend SOCKSsend
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rread SOCKSread
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rwrite SOCKSwrite
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rrresvport SOCKSrresvport
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rshutdown SOCKSshutdown
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rlisten SOCKSlisten
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rclose SOCKSclose
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rdup SOCKSdup
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rdup2 SOCKSdup2
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rfclose SOCKSfclose
+ EOF
+ 
+     cat >> confdefs.h <<\EOF
+ #define Rgethostbyname SOCKSgethostbyname
+ EOF
  
  fi
  
*** configure.in.DIST	Tue Jan 11 09:39:21 2000
--- configure.in	Tue Jan 11 09:40:15 2000
***************
*** 234,239 ****
--- 234,256 ----
  	) 
  fi
  
+ AC_ARG_WITH(aixauthenticate,
+ [  --with-aixauthenticate     Include AIX authenticate support
+   --without-aixauthenticate   Don't include AIX authenticate support (default)],
+ [ case "$withval" in
+   yes)
+     AC_MSG_RESULT(yes)
+     AC_DEFINE(WITH_AIXAUTHENTICATE)
+     LIBS="$LIBS -ls"
+     ;;
+   *)
+     AC_MSG_RESULT(no)
+     ;;
+   esac ],
+   AC_MSG_RESULT(no)
+ )
+ 
+ 
  AC_MSG_CHECKING([whether to build GNOME ssh-askpass])
  dnl Check whether user wants GNOME ssh-askpass
  AC_ARG_WITH(gnome-askpass,
*** ssh-agent.c.DIST	Mon Jan  3 07:41:05 2000
--- ssh-agent.c	Wed Jan 19 11:01:59 2000
***************
*** 416,422 ****
  after_select(fd_set *readset, fd_set *writeset)
  {
  	unsigned int i;
! 	int len, sock;
  	char buf[1024];
  	struct sockaddr_un sunaddr;
  
--- 416,427 ----
  after_select(fd_set *readset, fd_set *writeset)
  {
  	unsigned int i;
! #ifdef _AIX
! 	unsigned long len;
! #else
! 	int len;
! #endif
! 	int sock;
  	char buf[1024];
  	struct sockaddr_un sunaddr;
  
*** ssh-keygen.c.DIST	Wed Nov 24 19:54:59 1999
--- ssh-keygen.c	Wed Jan 19 11:02:18 2000
***************
*** 101,107 ****
  		if (f && fgets(line, sizeof(line), f)) {
  			cp = line;
  			line[strlen(line) - 1] = '\0';
! 			if (auth_rsa_read_key(&cp, &dummy, e, n)) {
  				public_key->e = e;
  				public_key->n = n;
  				comment = xstrdup(cp ? cp : "no comment");
--- 101,107 ----
  		if (f && fgets(line, sizeof(line), f)) {
  			cp = line;
  			line[strlen(line) - 1] = '\0';
! 			if (auth_rsa_read_key(&cp, (unsigned int *)&dummy, e, n)) {
  				public_key->e = e;
  				public_key->n = n;
  				comment = xstrdup(cp ? cp : "no comment");
*** ssh.c.DIST	Tue Jan 11 12:13:59 2000
--- ssh.c	Tue Jan 11 12:15:16 2000
***************
*** 207,212 ****
--- 207,216 ----
  	/* Save our own name. */
  	av0 = av[0];
  
+ #ifdef SOCKS
+ 	SOCKSinit(av0);
+ #endif /* SOCKS */
+ 
  	/* Initialize option structure to indicate that no values have been set. */
  	initialize_options(&options);
  
*** sshconnect.c.DIST	Tue Jan 11 09:54:21 2000
--- sshconnect.c	Wed Jan 19 13:24:11 2000
***************
*** 142,172 ****
  int
  ssh_create_socket(uid_t original_real_uid, int privileged)
  {
! 	int sock;
  
! 	/*
! 	 * If we are running as root and want to connect to a privileged
! 	 * port, bind our own socket to a privileged port.
! 	 */
! 	if (privileged) {
! 		int p = IPPORT_RESERVED - 1;
  
! 		sock = rresvport(&p);
! 		if (sock < 0)
! 			fatal("rresvport: %.100s", strerror(errno));
! 		debug("Allocated local port %d.", p);
! 	} else {
! 		/*
! 		 * Just create an ordinary socket on arbitrary port.  We use
! 		 * the user's uid to create the socket.
! 		 */
! 		temporarily_use_uid(original_real_uid);
! 		sock = socket(AF_INET, SOCK_STREAM, 0);
! 		if (sock < 0)
! 			fatal("socket: %.100s", strerror(errno));
! 		restore_uid();
! 	}
! 	return sock;
  }
  
  /*
--- 142,193 ----
  int
  ssh_create_socket(uid_t original_real_uid, int privileged)
  {
!   int sock;
  
!   /* If we are running as root and want to connect to a privileged port,
!      bind our own socket to a privileged port. */
!   if (privileged)
!     {
!       struct sockaddr_in sin;
!       int p;
!       for (p = 1023; p > 512; p--)
!         {
!           sock = socket(AF_INET, SOCK_STREAM, 0);
!           if (sock < 0)
!             fatal("socket: %.100s", strerror(errno));
!           
!           /* Initialize the desired sockaddr_in structure. */
!           memset(&sin, 0, sizeof(sin));
!           sin.sin_family = AF_INET;
!           sin.sin_addr.s_addr = INADDR_ANY;
!           sin.sin_port = htons(p);
  
!           /* Try to bind the socket to the privileged port. */
! #if defined(SOCKS)
!           if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
!             break; /* Success. */
! #else /* SOCKS */
!           if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
!             break; /* Success. */
! #endif /* SOCKS */
!           if (errno == EADDRINUSE)
!             {
!               close(sock);
!               continue;
!             }
!           fatal("bind: %.100s", strerror(errno));
!         }
!       debug("Allocated local port %d.", p);
!     }
!   else
!     { 
!       /* Just create an ordinary socket on arbitrary port.  */
!       sock = socket(AF_INET, SOCK_STREAM, 0);
!       if (sock < 0)
!         fatal("socket: %.100s", strerror(errno));
!     }
!   return sock;
! 
  }
  
  /*
***************
*** 241,247 ****
--- 262,272 ----
  			 * tcp_wrappers showing the remote uid as root.
  			 */
  			temporarily_use_uid(original_real_uid);
+ #if defined(SOCKS)
+ 	               if (Rconnect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+ #else
  			if (connect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+ #endif
  			    >= 0) {
  				/* Successful connect. */
  				restore_uid();
***************
*** 257,263 ****
--- 282,292 ----
  			/* Not a valid numeric inet address. */
  			/* Map host name to an address. */
  			if (!hp)
+ #if defined(SOCKS5)
+ 				hp = Rgethostbyname(host);
+ #else
  				hp = gethostbyname(host);
+ #endif
  			if (!hp)
  				fatal("Bad host name: %.100s", host);
  			if (!hp->h_addr_list[0])
***************
*** 287,293 ****
--- 316,326 ----
  				 * root.
  				 */
  				temporarily_use_uid(original_real_uid);
+ #if defined(SOCKS)
+ 				if (Rconnect(sock, (struct sockaddr *) hostaddr,
+ #else
  				if (connect(sock, (struct sockaddr *) hostaddr,
+ #endif
  					    sizeof(*hostaddr)) >= 0) {
  					/* Successful connection. */
  					restore_uid();
***************
*** 916,922 ****
  		debug("No challenge for skey authentication.");
  		return 0;
  	}
! 	challenge = packet_get_string(&payload_len);
  	if (options.cipher == SSH_CIPHER_NONE)
  		log("WARNING: Encryption is disabled! "
  		    "Reponse will be transmitted in clear text.");
--- 949,955 ----
  		debug("No challenge for skey authentication.");
  		return 0;
  	}
! 	challenge = packet_get_string((unsigned int *)&payload_len);
  	if (options.cipher == SSH_CIPHER_NONE)
  		log("WARNING: Encryption is disabled! "
  		    "Reponse will be transmitted in clear text.");
*** sshd.c.DIST	Tue Jan 11 09:55:44 2000
--- sshd.c	Wed Jan 19 11:05:02 2000
***************
*** 277,283 ****
  {
  	extern char *optarg;
  	extern int optind;
! 	int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1;
  	int remote_major, remote_minor;
  	int silentrsa = 0;
  	struct pollfd fds;
--- 277,288 ----
  {
  	extern char *optarg;
  	extern int optind;
! #ifdef _AIX
! 	unsigned long aux;
! #else
! 	int aux;
! #endif
! 	int opt, sock_in, sock_out, newsock, i, pid, on = 1;
  	int remote_major, remote_minor;
  	int silentrsa = 0;
  	struct pollfd fds;
***************
*** 988,994 ****
  	packet_read_expect(&plen, SSH_CMSG_USER);
  
  	/* Get the user name. */
! 	user = packet_get_string(&ulen);
  	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
  
  	/* Destroy the private and public keys.  They will no longer be needed. */
--- 993,999 ----
  	packet_read_expect(&plen, SSH_CMSG_USER);
  
  	/* Get the user name. */
! 	user = packet_get_string((unsigned int*)&ulen);
  	packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);
  
  	/* Destroy the private and public keys.  They will no longer be needed. */
***************
*** 997,1002 ****
--- 1002,1008 ----
  	RSA_free(sensitive_data.host_key);
  
  	setproctitle("%s", user);
+ 
  	/* Do the authentication. */
  	do_authentication(user);
  }
***************
*** 1084,1089 ****
--- 1090,1099 ----
  {
  	struct passwd *pw, pwcopy;
  
+ #ifdef _AIX
+ 	char *loginmsg;
+ #endif
+ 
  #ifdef AFS
  	/* If machine has AFS, set process authentication group. */
  	if (k_hasafs()) {
***************
*** 1092,1097 ****
--- 1102,1109 ----
  	}
  #endif /* AFS */
  
+ 	pw = (struct passwd *) malloc (sizeof(struct passwd));
+ 
  	/* Verify that the user is a valid user. */
  	pw = getpwnam(user);
  	if (!pw || !allowed_user(pw))
***************
*** 1133,1138 ****
--- 1145,1151 ----
  		/* Authentication with empty password succeeded. */
  		log("Login for user %s from %.100s, accepted without authentication.",
  		    pw->pw_name, get_remote_ipaddr());
+ 
  	} else {
  		/* Loop until the user has been authenticated or the
  		   connection is closed, do_authloop() returns only if
***************
*** 1142,1148 ****
  
  	/* Check if the user is logging in as root and root logins are disallowed. */
  	if (pw->pw_uid == 0 && !options.permit_root_login) {
! 		if (forced_command)
  			log("Root login accepted for forced command.");
  		else
  			packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
--- 1155,1161 ----
  
  	/* Check if the user is logging in as root and root logins are disallowed. */
  	if (pw->pw_uid == 0 && !options.permit_root_login) {
! 		if (forced_command)  
  			log("Root login accepted for forced command.");
  		else
  			packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
***************
*** 1149,1154 ****
--- 1162,1170 ----
  					  get_canonical_hostname());
  	}
  	/* The user has been authenticated and accepted. */
+ #ifdef _AIX
+ 	loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+ #endif
  	packet_start(SSH_SMSG_SUCCESS);
  	packet_send();
  	packet_write_wait();
***************
*** 1178,1183 ****
--- 1194,1200 ----
  	int type = 0;
  	void (*authlog) (const char *fmt,...) = verbose;
  
+ 
  	/* Indicate that authentication is needed. */
  	packet_start(SSH_SMSG_FAILURE);
  	packet_send();
***************
*** 1261,1267 ****
  			 * authentication is insecure. (Another is
  			 * IP-spoofing on a local network.)
  			 */
! 			client_user = packet_get_string(&ulen);
  			packet_integrity_check(plen, 4 + ulen, type);
  
  			/* Try to authenticate using /etc/hosts.equiv and
--- 1278,1284 ----
  			 * authentication is insecure. (Another is
  			 * IP-spoofing on a local network.)
  			 */
! 			client_user = packet_get_string((unsigned int *)&ulen);
  			packet_integrity_check(plen, 4 + ulen, type);
  
  			/* Try to authenticate using /etc/hosts.equiv and
***************
*** 1281,1287 ****
  			 * trust the client; root on the client machine can
  			 * claim to be any user.
  			 */
! 			client_user = packet_get_string(&ulen);
  
  			/* Get the client host key. */
  			client_host_key_e = BN_new();
--- 1298,1304 ----
  			 * trust the client; root on the client machine can
  			 * claim to be any user.
  			 */
! 			client_user = packet_get_string((unsigned int *)&ulen);
  
  			/* Get the client host key. */
  			client_host_key_e = BN_new();
***************
*** 1326,1332 ****
  			 * transmitted over the encrypted channel so it is
  			 * not visible to an outside observer.
  			 */
! 			password = packet_get_string(&dlen);
  			packet_integrity_check(plen, 4 + dlen, type);
  
  #ifdef USE_PAM
--- 1343,1349 ----
  			 * transmitted over the encrypted channel so it is
  			 * not visible to an outside observer.
  			 */
! 			password = packet_get_string((unsigned int *)&dlen);
  			packet_integrity_check(plen, 4 + dlen, type);
  
  #ifdef USE_PAM
***************
*** 1405,1430 ****
  #ifdef USE_PAM
  			if (!do_pam_account(pw->pw_name, client_user))
  			{
! 				if (client_user != NULL)
  					xfree(client_user);
  
  				do_fake_authloop(pw->pw_name);
  			}
  #endif /* USE_PAM */
  			return;
! 		}
  
! 		if (client_user != NULL)
  			xfree(client_user);
  
  		if (attempt > AUTH_FAIL_MAX)
  			packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
  
  		/* Send a message indicating that the authentication attempt failed. */
  		packet_start(SSH_SMSG_FAILURE);
  		packet_send();
  		packet_write_wait();
  	}
  }
  
  /*
--- 1422,1463 ----
  #ifdef USE_PAM
  			if (!do_pam_account(pw->pw_name, client_user))
  			{
! 				if (client_user != NULL) {
  					xfree(client_user);
+ 					client_user = NULL;
+ 				}
  
  				do_fake_authloop(pw->pw_name);
  			}
  #endif /* USE_PAM */
  			return;
! 		} 
  
! /* HEAP*/
! #if 1
! 		if (client_user != NULL) {
  			xfree(client_user);
+ 			client_user = NULL;
+ 		}
+ #endif
  
  		if (attempt > AUTH_FAIL_MAX)
  			packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);
  
  		/* Send a message indicating that the authentication attempt failed. */
+ #ifdef _AIX 
+ 		if (strncmp(get_authname(type),"password",
+ 			      strlen(get_authname(type))) == 0)
+ 	          loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+ #endif
+ 
  		packet_start(SSH_SMSG_FAILURE);
  		packet_send();
  		packet_write_wait();
  	}
+ 
+ 
+ 
  }
  
  /*
***************
*** 1603,1609 ****
  				      ttyname, tty_mode, strerror(errno));
  
  			/* Get TERM from the packet.  Note that the value may be of arbitrary length. */
! 			term = packet_get_string(&dlen);
  			packet_integrity_check(dlen, strlen(term), type);
  			/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
  			/* Remaining bytes */
--- 1636,1642 ----
  				      ttyname, tty_mode, strerror(errno));
  
  			/* Get TERM from the packet.  Note that the value may be of arbitrary length. */
! 			term = packet_get_string((unsigned int *)&dlen);
  			packet_integrity_check(dlen, strlen(term), type);
  			/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
  			/* Remaining bytes */
***************
*** 1648,1655 ****
  				packet_disconnect("Protocol error: X11 display already set.");
  			{
  				int proto_len, data_len;
! 				proto = packet_get_string(&proto_len);
! 				data = packet_get_string(&data_len);
  				packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
  			}
  			if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
--- 1681,1688 ----
  				packet_disconnect("Protocol error: X11 display already set.");
  			{
  				int proto_len, data_len;
! 				proto = packet_get_string((unsigned int *)&proto_len);
! 				data = packet_get_string((unsigned int *)&data_len);
  				packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
  			}
  			if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
***************
*** 1732,1738 ****
  			/* Get command from the packet. */
  			{
  				int dlen;
! 				command = packet_get_string(&dlen);
  				debug("Executing command '%.500s'", command);
  				packet_integrity_check(plen, 4 + dlen, type);
  			}
--- 1765,1771 ----
  			/* Get command from the packet. */
  			{
  				int dlen;
! 				command = packet_get_string((unsigned int *)&dlen);
  				debug("Executing command '%.500s'", command);
  				packet_integrity_check(plen, 4 + dlen, type);
  			}
***************
*** 1936,1942 ****
--- 1969,1979 ----
  	struct stat st;
  	int quiet_login;
  	struct sockaddr_in from;
+ #ifdef _AIX
+ 	unsigned long fromlen;
+ #else
  	int fromlen;
+ #endif
  	struct pty_cleanup_context cleanup_context;
  
  	/* Get remote host name. */
***************
*** 2328,2333 ****
--- 2365,2380 ----
  	if (display)
  		child_set_env(&env, &envsize, "DISPLAY", display);
  
+ 	{
+            char *authstate,*krb5cc;
+ 
+ 	   if ((authstate = getenv("AUTHSTATE")) != NULL)
+ 		 child_set_env(&env,&envsize,"AUTHSTATE",authstate);
+ 
+ 	   if ((krb5cc = getenv("KRB5CCNAME")) != NULL)
+ 		 child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc);
+ 	}
+ 
  #ifdef KRB4
  	{
  		extern char *ticket;
***************
*** 2348,2353 ****
--- 2395,2402 ----
  	if (auth_get_socket_name() != NULL)
  		child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
  			      auth_get_socket_name());
+ 
+ 	read_environment_file(&env,&envsize,"/etc/environment");
  
  	/* read $HOME/.ssh/environment. */
  	if (!options.use_login) {




-- 
Matt Richards





More information about the openssh-unix-dev mailing list