authorhubertf <hubertf>1997-12-14 16:17:14 +0000
committerhubertf <hubertf>1997-12-14 16:17:14 +0000
commit80956e3e0b20ef2c1f0154d4ad853722247d111a (patch)
tree382869867dbf6faa175f20f1f3cfddd1c93bded3 /security/ssh/patches
parentac13a97706de36acc3e1738333867c2cbfebbae3 (diff)
downloadpkgsrc-80956e3e0b20ef2c1f0154d4ad853722247d111a.tar.gz
Secure Shell package; Originally taken from FreeBSD, hacked by agc and
finished by me.
Diffstat (limited to 'security/ssh/patches')
-rw-r--r--security/ssh/patches/patch-aa19
-rw-r--r--security/ssh/patches/patch-ab51
-rw-r--r--security/ssh/patches/patch-ac92
-rw-r--r--security/ssh/patches/patch-ae19
-rw-r--r--security/ssh/patches/patch-af423
-rw-r--r--security/ssh/patches/patch-ah14
-rw-r--r--security/ssh/patches/patch-ai40
-rw-r--r--security/ssh/patches/patch-aj40
-rw-r--r--security/ssh/patches/patch-al27
-rw-r--r--security/ssh/patches/patch-ao13
10 files changed, 738 insertions, 0 deletions
diff --git a/security/ssh/patches/patch-aa b/security/ssh/patches/patch-aa
new file mode 100644
index 00000000000..83e9968ac31
--- /dev/null
+++ b/security/ssh/patches/patch-aa
@@ -0,0 +1,19 @@
+*** make-ssh-known-hosts.pl.in.orig Wed Apr 23 08:40:05 1997
+--- make-ssh-known-hosts.pl.in Fri Apr 25 12:38:21 1997
+***************
+*** 87,93 ****
+ $debug = 5;
+ $defserver = '';
+ $bell='\a';
+! $public_key = '/etc/ssh_host_key.pub';
+ $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
+ $timeout = 60;
+ $ping_timeout = 3;
+--- 87,93 ----
+ $debug = 5;
+ $defserver = '';
+ $bell='\a';
+! $public_key = '@ETCDIR@/ssh_host_key.pub';
+ $private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
+ $timeout = 60;
+ $ping_timeout = 3;
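Review bot: The patch relocates `$public_key` but leaves `$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";` on the next line, a PID-derived and therefore guessable name in a world-writable directory. How the script opens that file is outside the hunk, but unless it creates the file exclusively, another local user can pre-create that name (or a symlink at it) before the script runs. Since the package already patches this block, it could point the variable at a directory only the invoking user can write, or have the script open the file with `sysopen` and `O_CREAT|O_EXCL`.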
diff --git a/security/ssh/patches/patch-ab b/security/ssh/patches/patch-ab
new file mode 100644
index 00000000000..dba02a731c0
--- /dev/null
+++ b/security/ssh/patches/patch-ab
@@ -0,0 +1,51 @@
+*** configure.orig Wed Apr 23 08:40:06 1997
+--- configure Fri Apr 25 12:38:54 1997
+***************
+*** 1757,1768 ****
+
+ export CFLAGS CC
+
+- # Socket pairs appear to be broken on several systems. I don't know exactly
+- # where, so I'll use pipes everywhere for now.
+- cat >> confdefs.h <<\EOF
+- #define USE_PIPES 1
+- EOF
+-
+
+ echo $ac_n "checking that the compiler works""... $ac_c" 1>&6
+ echo "configure:1769: checking that the compiler works" >&5
+--- 1757,1762 ----
+***************
+*** 2759,2765 ****
+
+ fi
+
+! for ac_hdr in unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+--- 2753,2759 ----
+
+ fi
+
+! for ac_hdr in unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h
+ do
+ ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'`
+ echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6
+***************
+*** 7031,7037 ****
+
+ cat >> $CONFIG_STATUS <<EOF
+
+! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile"}
+ EOF
+ cat >> $CONFIG_STATUS <<\EOF
+ for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
+--- 7025,7031 ----
+
+ cat >> $CONFIG_STATUS <<EOF
+
+! CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 make-ssh-known-hosts.pl"}
+ EOF
+ cat >> $CONFIG_STATUS <<\EOF
+ for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then
diff --git a/security/ssh/patches/patch-ac b/security/ssh/patches/patch-ac
new file mode 100644
index 00000000000..6027311b99d
--- /dev/null
+++ b/security/ssh/patches/patch-ac
@@ -0,0 +1,92 @@
+--- Makefile.in.orig Fri Aug 22 01:28:42 1997
++++ Makefile.in Mon Nov 24 15:14:18 1997
+@@ -263,8 +263,10 @@
+ GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a
+
+ ZLIBDIR = zlib-1.0.4
+-ZLIBDEP = $(ZLIBDIR)/libz.a
+-ZLIBLIBS = -L$(ZLIBDIR) -lz
++ZLIBINCDIR = /usr/include
++ZLIBLIBDIR = /usr/lib
++ZLIBDEP = $(ZLIBINCDIR)/libz.a
++ZLIBLIBS = -L$(ZLIBLIBDIR) -lz
+
+ RSAREFDIR = rsaref2
+ RSAREFSRCDIR = $(RSAREFDIR)/source
+@@ -368,7 +370,7 @@
+ $(CC) -o rfc-pg rfc-pg.o
+
+ .c.o:
+- $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
++ $(CC) -c -I. $(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBINCDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $<
+
+ sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP)
+ -rm -f sshd
+@@ -416,14 +418,14 @@
+ $(GMPDIR)/libgmp.a:
+ cd $(GMPDIR); $(MAKE)
+
+-$(ZLIBDEP):
+- -if test '!' -d $(ZLIBDIR); then \
+- mkdir $(ZLIBDIR); \
+- cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
+- fi
+- cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
+- CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
+- -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
++#$(ZLIBDEP):
++# -if test '!' -d $(ZLIBDIR); then \
++# mkdir $(ZLIBDIR); \
++# cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \
++# fi
++# cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \
++# CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \
++# -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a
+
+ $(RSAREFSRCDIR)/librsaref.a:
+ -if test '!' -d $(RSAREFDIR); then \
+@@ -480,7 +482,7 @@
+ # (otherwise it can only log in as the user it runs as, and must be
+ # bound to a non-privileged port). Also, password authentication may
+ # not be available if non-root and using shadow passwords.
+-install: $(PROGRAMS) make-dirs generate-host-key install-configs
++install: $(PROGRAMS) make-dirs install-configs
+ -rm -f $(install_prefix)$(bindir)/ssh.old
+ -mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old
+ -chmod 755 $(install_prefix)$(bindir)/ssh.old
+@@ -591,13 +593,13 @@
+ -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg
+ cd $(GMPDIR); $(MAKE) clean
+ # cd $(RSAREFSRCDIR); rm -f *.o *.a
+- cd $(ZLIBDIR); $(MAKE) clean
++# cd $(ZLIBDIR); $(MAKE) clean
+
+ distclean: clean
+ -rm -f Makefile config.status config.cache config.log config.h
+ -rm -f ssh.1 sshd.8 make-ssh-known-hosts.1
+ cd $(GMPDIR); $(MAKE) distclean
+- cd $(ZLIBDIR); $(MAKE) distclean
++# cd $(ZLIBDIR); $(MAKE) distclean
+
+ dist: dist-free
+
+@@ -632,8 +634,8 @@
+ gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - )
+ # tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -)
+ # cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a
+- (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
+- cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
++# (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -)
++# cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS
+
+ dist-free-make-tar:
+ tar pcf $(DISTNAME).tar $(DISTNAME)
+@@ -656,7 +658,7 @@
+ (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null
+
+ depend:
+- $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS)
++ $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS)
+
+ tags:
+ -rm -f TAGS
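Review bot: `ZLIBDEP = $(ZLIBINCDIR)/libz.a` names the archive under the include directory, and with the `$(ZLIBDEP):` rule commented out further down, `sshd: ... $(ZLIBDEP)` now depends on `/usr/include/libz.a`, which make has no rule to build; the archive lives in the library directory, so this should read `ZLIBDEP = $(ZLIBLIBDIR)/libz.a` (unless the package Makefile overrides these variables, which is not visible here). The `.c.o` rule has a related slip: `-I$(srcdir)/$(ZLIBINCDIR)` expands to a path under the source tree ending in `/usr/include`, where `-I$(ZLIBINCDIR)` was presumably meant. Because the build now links the host's libz instead of the bundled zlib-1.0.4, the commented-out recipe lines for the bundled copy would be better deleted than kept as dead text, with a one-line comment such as `# zlib comes from the base system; keep it patched there` in their place.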
diff --git a/security/ssh/patches/patch-ae b/security/ssh/patches/patch-ae
new file mode 100644
index 00000000000..6c0ffecd0dd
--- /dev/null
+++ b/security/ssh/patches/patch-ae
@@ -0,0 +1,19 @@
+*** server_config.sample.orig Thu Mar 27 09:04:06 1997
+--- server_config.sample Fri Mar 28 15:45:53 1997
+***************
+*** 16,22 ****
+ FascistLogging no
+ PrintMotd yes
+ KeepAlive yes
+! SyslogFacility DAEMON
+ RhostsAuthentication no
+ RhostsRSAAuthentication yes
+ RSAAuthentication yes
+--- 16,22 ----
+ FascistLogging no
+ PrintMotd yes
+ KeepAlive yes
+! SyslogFacility AUTH
+ RhostsAuthentication no
+ RhostsRSAAuthentication yes
+ RSAAuthentication yes
diff --git a/security/ssh/patches/patch-af b/security/ssh/patches/patch-af
new file mode 100644
index 00000000000..736cd569902
--- /dev/null
+++ b/security/ssh/patches/patch-af
@@ -0,0 +1,423 @@
+*** sshd.c.orig Wed Apr 23 04:40:08 1997
+--- sshd.c Wed Jun 11 14:56:57 1997
+***************
+*** 400,405 ****
+--- 400,409 ----
+ #include "firewall.h" /* TIS authsrv authentication */
+ #endif
+
++ #ifdef HAVE_LOGIN_CAP_H
++ #include <login_cap.h>
++ #endif
++
+ #ifdef _PATH_BSHELL
+ #define DEFAULT_SHELL _PATH_BSHELL
+ #else
+***************
+*** 1542,1547 ****
+--- 1546,1583 ----
+ endspent();
+ }
+ #endif /* HAVE_ETC_SHADOW */
++ #ifdef __FreeBSD__
++ {
++ time_t currtime;
++
++ if (pwd->pw_change || pwd->pw_expire)
++ currtime = time(NULL);
++
++ /*
++ * Check for an expired password
++ */
++ if (pwd->pw_change && pwd->pw_change <= currtime)
++ {
++ debug("Account %.100s's password is too old - forced to change.",
++ user);
++ if (options.forced_passwd_change)
++ forced_command = "/usr/bin/passwd";
++ else
++ {
++ return 0;
++ }
++ }
++
++ /*
++ * Check for expired account
++ */
++ if (pwd->pw_expire && pwd->pw_expire <= currtime)
++ {
++ debug("Account %.100s has expired - access denied.", user);
++ return 0;
++ }
++ }
++ #else /* !FreeBSD */
+ /*
+ * Check if account is locked. Check if encrypted password starts
+ * with "*LK*".
+***************
+*** 1553,1558 ****
+--- 1589,1595 ----
+ return 0;
+ }
+ }
++ #endif /* !FreeBSD */
+ #ifdef CHECK_ETC_SHELLS
+ {
+ int invalid = 1;
+***************
+*** 1698,1703 ****
+--- 1735,1743 ----
+ memset(&pwcopy, 0, sizeof(pwcopy));
+ pwcopy.pw_name = xstrdup(pw->pw_name);
+ pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
++ #ifdef HAVE_LOGIN_CAP_H
++ pwcopy.pw_class = xstrdup(pw->pw_class);
++ #endif
+ pwcopy.pw_uid = pw->pw_uid;
+ pwcopy.pw_gid = pw->pw_gid;
+ pwcopy.pw_dir = xstrdup(pw->pw_dir);
+***************
+*** 2654,2659 ****
+--- 2694,2702 ----
+ struct sockaddr_in from;
+ int fromlen;
+ struct pty_cleanup_context cleanup_context;
++ #ifdef HAVE_LOGIN_CAP_H
++ login_cap_t *lc;
++ #endif
+
+ /* We no longer need the child running on user's privileges. */
+ userfile_uninit();
+***************
+*** 2725,2735 ****
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+ &from);
+
+ /* Check if .hushlogin exists. Note that we cannot use userfile
+ here because we are in the child. */
+ sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
+ quiet_login = stat(line, &st) >= 0;
+!
+ /* If the user has logged in before, display the time of last login.
+ However, don't display anything extra if a command has been
+ specified (so that ssh can be used to execute commands on a remote
+--- 2768,2786 ----
+ record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname,
+ &from);
+
++ #ifdef HAVE_LOGIN_CAP_H
++ lc = login_getclass(pw->pw_class);
++ #endif
++
+ /* Check if .hushlogin exists. Note that we cannot use userfile
+ here because we are in the child. */
+ sprintf(line, "%.200s/.hushlogin", pw->pw_dir);
+ quiet_login = stat(line, &st) >= 0;
+!
+! #ifdef HAVE_LOGIN_CAP_H
+! quiet_login = login_getcapbool(lc, "hushlogin", quiet_login);
+! #endif
+!
+ /* If the user has logged in before, display the time of last login.
+ However, don't display anything extra if a command has been
+ specified (so that ssh can be used to execute commands on a remote
+***************
+*** 2749,2754 ****
+--- 2800,2828 ----
+ printf("Last login: %s from %s\r\n", time_string, buf);
+ }
+
++ #ifdef __FreeBSD__
++ if (command == NULL && !quiet_login)
++ {
++ #ifdef HAVE_LOGIN_CAP_H
++ char *cw;
++ FILE *f;
++
++ cw = login_getcapstr(lc, "copyright", NULL, NULL);
++ if (cw != NULL && (f = fopen(cw, "r")) != NULL)
++ {
++ while (fgets(line, sizeof(line), f))
++ fputs(line, stdout);
++ fclose(f);
++ }
++ else
++ #endif
++ printf("%s\n\t%s %s\n\n",
++ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
++ "The Regents of the University of California. ",
++ "All rights reserved.");
++ }
++ #endif
++
+ /* Print /etc/motd unless a command was specified or printing it was
+ disabled in server options. Note that some machines appear to
+ print it in /etc/profile or similar. */
+***************
+*** 2758,2764 ****
+--- 2832,2842 ----
+ FILE *f;
+
+ /* Print /etc/motd if it exists. */
++ #ifdef HAVE_LOGIN_CAP_H
++ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r");
++ #else
+ f = fopen("/etc/motd", "r");
++ #endif
+ if (f)
+ {
+ while (fgets(line, sizeof(line), f))
+***************
+*** 2766,2771 ****
+--- 2844,2872 ----
+ fclose(f);
+ }
+ }
++ #ifdef __FreeBSD__
++ if (command == NULL && !quiet_login)
++ {
++ #ifdef broken_HAVE_LOGIN_CAP_H
++ char *mp = getenv("MAIL");
++
++ if (mp != NULL)
++ {
++ strncpy(line, mp, sizeof line);
++ line[sizeof line - 1] = '\0';
++ }
++ else
++ #endif
++ sprintf(line, "%s/%.200s", _PATH_MAILDIR, pw->pw_name);
++ if (stat(line, &st) == 0 && st.st_size != 0)
++ printf("You have %smail.\n",
++ (st.st_mtime > st.st_atime) ? "new " : "");
++ }
++ #endif
++
++ #ifdef HAVE_LOGIN_CAP_H
++ login_close(lc);
++ #endif
+
+ /* Do common processing for the child, such as execing the command. */
+ do_child(command, pw, term, display, auth_proto, auth_data, ttyname);
+***************
+*** 3017,3023 ****
+ char *user_shell;
+ char *remote_ip;
+ int remote_port;
+!
+ /* Check /etc/nologin. */
+ f = fopen("/etc/nologin", "r");
+ if (f)
+--- 3118,3130 ----
+ char *user_shell;
+ char *remote_ip;
+ int remote_port;
+! #ifdef HAVE_LOGIN_CAP_H
+! login_cap_t *lc;
+! char *real_shell;
+!
+! lc = login_getclass(pw->pw_class);
+! auth_checknologin(lc);
+! #else /* !HAVE_LOGIN_CAP_H */
+ /* Check /etc/nologin. */
+ f = fopen("/etc/nologin", "r");
+ if (f)
+***************
+*** 3031,3036 ****
+--- 3138,3144 ----
+ if (pw->pw_uid != UID_ROOT)
+ exit(254);
+ }
++ #endif /* HAVE_LOGIN_CAP_H */
+
+ if (command != NULL)
+ {
+***************
+*** 3043,3049 ****
+ else
+ log_msg("executing remote command as user %.200s", pw->pw_name);
+ }
+!
+ #ifdef HAVE_SETLOGIN
+ /* Set login name in the kernel. Warning: setsid() must be called before
+ this. */
+--- 3151,3158 ----
+ else
+ log_msg("executing remote command as user %.200s", pw->pw_name);
+ }
+!
+! #ifndef HAVE_LOGIN_CAP_H
+ #ifdef HAVE_SETLOGIN
+ /* Set login name in the kernel. Warning: setsid() must be called before
+ this. */
+***************
+*** 3064,3069 ****
+--- 3173,3179 ----
+ if (setpcred((char *)pw->pw_name, NULL))
+ log_msg("setpcred %.100s: %.100s", strerror(errno));
+ #endif /* HAVE_USERSEC_H */
++ #endif /* !HAVE_LOGIN_CAP_H */
+
+ /* Save some data that will be needed so that we can do certain cleanups
+ before we switch to user's uid. (We must clear all sensitive data
+***************
+*** 3134,3139 ****
+--- 3244,3309 ----
+ if (command != NULL || !options.use_login)
+ #endif /* USELOGIN */
+ {
++ #ifdef HAVE_LOGIN_CAP_H
++ char *p, *s, **tmpenv;
++
++ /* Initialize the new environment.
++ */
++ envsize = 64;
++ env = xmalloc(envsize * sizeof(char *));
++ env[0] = NULL;
++
++ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH);
++
++ #ifdef MAIL_SPOOL_DIRECTORY
++ sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name);
++ child_set_env(&env, &envsize, "MAIL", buf);
++ #else /* MAIL_SPOOL_DIRECTORY */
++ #ifdef MAIL_SPOOL_FILE
++ sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE);
++ child_set_env(&env, &envsize, "MAIL", buf);
++ #endif /* MAIL_SPOOL_FILE */
++ #endif /* MAIL_SPOOL_DIRECTORY */
++
++ /* Let it inherit timezone if we have one. */
++ if (getenv("TZ"))
++ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
++
++ /* Save previous environment array
++ */
++ tmpenv = environ;
++ environ = env;
++
++ /* Set the user's login environment
++ */
++ if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0)
++ {
++ perror("setusercontext");
++ exit(1);
++ }
++
++ p = getenv("PATH");
++ s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR));
++ *s = '\0';
++ if (p != NULL)
++ {
++ strcat(s, p);
++ strcat(s, ":");
++ }
++ strcat(s, SSH_BINDIR);
++
++ env = environ;
++ environ = tmpenv; /* Restore parent environment */
++ for (envsize = 0; env[envsize] != NULL; ++envsize)
++ ;
++ /* Reallocate this to what is expected */
++ envsize = (envsize < 100) ? 100 : envsize + 16;
++ env = xrealloc(env, envsize * sizeof(char *));
++
++ child_set_env(&env, &envsize, "PATH", s);
++ xfree(s);
++
++ #else /* !HAVE_LOGIN_CAP_H */
+ /* Set uid, gid, and groups. */
+ if (getuid() == UID_ROOT || geteuid() == UID_ROOT)
+ {
+***************
+*** 3165,3170 ****
+--- 3335,3341 ----
+
+ if (getuid() != user_uid || geteuid() != user_uid)
+ fatal("Failed to set uids to %d.", (int)user_uid);
++ #endif /* HAVE_LOGIN_CAP_H */
+ }
+
+ /* Reset signals to their default settings before starting the user
+***************
+*** 3175,3185 ****
+--- 3346,3361 ----
+ and means /bin/sh. */
+ shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell;
+
++ #ifdef HAVE_LOGIN_CAP_H
++ real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell);
++ login_close(lc);
++ #else /* !HAVE_LOGIN_CAP_H */
+ /* Initialize the environment. In the first part we allocate space for
+ all environment variables. */
+ envsize = 100;
+ env = xmalloc(envsize * sizeof(char *));
+ env[0] = NULL;
++ #endif /* HAVE_LOGIN_CAP_H */
+
+ #ifdef USELOGIN
+ if (command != NULL || !options.use_login)
+***************
+*** 3189,3194 ****
+--- 3365,3372 ----
+ child_set_env(&env, &envsize, "HOME", user_dir);
+ child_set_env(&env, &envsize, "USER", user_name);
+ child_set_env(&env, &envsize, "LOGNAME", user_name);
++
++ #ifndef HAVE_LOGIN_CAP_H
+ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR);
+
+ #ifdef MAIL_SPOOL_DIRECTORY
+***************
+*** 3200,3205 ****
+--- 3378,3384 ----
+ child_set_env(&env, &envsize, "MAIL", buf);
+ #endif /* MAIL_SPOOL_FILE */
+ #endif /* MAIL_SPOOL_DIRECTORY */
++ #endif /* !HAVE_LOGIN_CAP_H */
+
+ #ifdef HAVE_ETC_DEFAULT_LOGIN
+ /* Read /etc/default/login; this exists at least on Solaris 2.x. Note
+***************
+*** 3215,3223 ****
+--- 3394,3404 ----
+ child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND",
+ original_command);
+
++ #ifndef HAVE_LOGIN_CAP_H
+ /* Let it inherit timezone if we have one. */
+ if (getenv("TZ"))
+ child_set_env(&env, &envsize, "TZ", getenv("TZ"));
++ #endif /* !HAVE_LOGIN_CAP_H */
+
+ /* Set custom environment options from RSA authentication. */
+ while (custom_environment)
+***************
+*** 3437,3443 ****
+--- 3618,3628 ----
+ /* Execute the shell. */
+ argv[0] = buf;
+ argv[1] = NULL;
++ #ifdef HAVE_LOGIN_CAP_H
++ execve(real_shell, argv, env);
++ #else
+ execve(shell, argv, env);
++ #endif /* HAVE_LOGIN_CAP_H */
+ /* Executing the shell failed. */
+ perror(shell);
+ exit(1);
+***************
+*** 3458,3464 ****
+--- 3643,3653 ----
+ argv[1] = "-c";
+ argv[2] = (char *)command;
+ argv[3] = NULL;
++ #ifdef HAVE_LOGIN_CAP_H
++ execve(real_shell, argv, env);
++ #else
+ execve(shell, argv, env);
++ #endif /* HAVE_LOGIN_CAP_H */
+ perror(shell);
+ exit(1);
+ }
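Review bot: The password-aging and account-expiry checks added after `#endif /* HAVE_ETC_SHADOW */` are compiled only under `#ifdef __FreeBSD__`, so on any other system (presumably including the NetBSD hosts this package is built for) an account whose `pw_expire` is in the past still passes this part of the login check unless something outside the hunk rejects it. If the target's `struct passwd` carries `pw_change`/`pw_expire`, widen the guard, e.g. `#if defined(__FreeBSD__) || defined(__NetBSD__)` with the matching `#else`/`#endif` comments updated, or key it on a configure test for those fields. Separately, in the privilege-drop hunk the original `if (getuid() != user_uid || geteuid() != user_uid) fatal(...)` verification now sits inside the `#else /* !HAVE_LOGIN_CAP_H */` branch, so the `setusercontext()` path relies on the return value alone; moving `#endif /* HAVE_LOGIN_CAP_H */` above that check keeps the verification on both paths. The enclosing functions start and end outside these hunks.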
diff --git a/security/ssh/patches/patch-ah b/security/ssh/patches/patch-ah
new file mode 100644
index 00000000000..c06b14c7541
--- /dev/null
+++ b/security/ssh/patches/patch-ah
@@ -0,0 +1,14 @@
+*** config.h.in.orig Wed Apr 23 08:40:06 1997
+--- config.h.in Fri Apr 25 12:40:48 1997
+***************
+*** 527,532 ****
+--- 527,535 ----
+ /* Define if you have the <lastlog.h> header file. */
+ #undef HAVE_LASTLOG_H
+
++ /* Define if you have the <login_cap.h> header file. */
++ #undef HAVE_LOGIN_CAP_H
++
+ /* Define if you have the <machine/endian.h> header file. */
+ #undef HAVE_MACHINE_ENDIAN_H
+
diff --git a/security/ssh/patches/patch-ai b/security/ssh/patches/patch-ai
new file mode 100644
index 00000000000..241dbf31f7d
--- /dev/null
+++ b/security/ssh/patches/patch-ai
@@ -0,0 +1,40 @@
+*** userfile.c.orig Thu Mar 27 09:04:13 1997
+--- userfile.c Sat Mar 29 01:16:51 1997
+***************
+*** 166,171 ****
+--- 166,175 ----
+ #endif
+
+
++ #ifdef HAVE_LOGIN_CAP_H
++ #include <login_cap.h>
++ #endif
++
+ /* Protocol message types. */
+ #define USERFILE_OPEN 1
+ #define USERFILE_OPEN_REPLY 2
+***************
+*** 626,631 ****
+--- 630,641 ----
+ /* Child. We will start serving request. */
+ if (uid != geteuid() || uid != getuid())
+ {
++ #ifdef HAVE_LOGIN_CAP_H
++ struct passwd * pw = getpwuid(uid);
++ login_cap_t * lc = login_getuserclass(pw);
++ if (setusercontext(lc, pw, uid, LOGIN_SETALL&~(LOGIN_SETLOGIN|LOGIN_SETPATH|LOGIN_SETENV)) < 0)
++ fatal("setusercontext: %s", strerror(errno));
++ #else
+ if (setgid(gid) < 0)
+ fatal("setgid: %s", strerror(errno));
+
+***************
+*** 636,641 ****
+--- 646,652 ----
+
+ if (setuid(uid) < 0)
+ fatal("setuid: %s", strerror(errno));
++ #endif /* HAVE_LOGIN_CAP_H */
+ }
+
+ /* Enter the server main loop. */
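Review bot: `getpwuid(uid)` is used without a NULL check, so if the lookup fails `login_getuserclass()` and `setusercontext()` are called with a null `pw`, and the privilege drop then depends on how the library treats that case; add `if (pw == NULL) fatal("getpwuid failed for uid %d", (int)uid);` before `login_getuserclass(pw)`. This branch also ignores the `gid` value that the `#else` path passes to `setgid()`, which deserves a comment if it is intended. `lc` is never released with `login_close(lc)` after the call. The enclosing function starts and ends outside the hunk.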
diff --git a/security/ssh/patches/patch-aj b/security/ssh/patches/patch-aj
new file mode 100644
index 00000000000..60f7495697f
--- /dev/null
+++ b/security/ssh/patches/patch-aj
@@ -0,0 +1,40 @@
+*** configure.in.orig Wed Apr 23 08:40:06 1997
+--- configure.in Fri Apr 25 12:41:26 1997
+***************
+*** 616,624 ****
+
+ export CFLAGS CC
+
+! # Socket pairs appear to be broken on several systems. I don't know exactly
+! # where, so I'll use pipes everywhere for now.
+! AC_DEFINE(USE_PIPES)
+
+ AC_MSG_CHECKING([that the compiler works])
+ AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
+--- 616,624 ----
+
+ export CFLAGS CC
+
+! dnl # Socket pairs appear to be broken on several systems. I don't know exactly
+! dnl # where, so I'll use pipes everywhere for now.
+! dnl AC_DEFINE(USE_PIPES)
+
+ AC_MSG_CHECKING([that the compiler works])
+ AC_TRY_RUN([ main(int ac, char **av) { return 0; } ],
+***************
+*** 671,677 ****
+
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h)
+ AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
+ AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
+ AC_HEADER_TIME
+--- 671,677 ----
+
+ AC_HEADER_STDC
+ AC_HEADER_SYS_WAIT
+! AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h login_cap.h utmp.h shadow.h)
+ AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h)
+ AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h)
+ AC_HEADER_TIME
diff --git a/security/ssh/patches/patch-al b/security/ssh/patches/patch-al
new file mode 100644
index 00000000000..1da799c26ac
--- /dev/null
+++ b/security/ssh/patches/patch-al
@@ -0,0 +1,27 @@
+*** sshconnect.c.orig Wed Apr 23 08:40:11 1997
+--- sshconnect.c Fri Apr 25 12:41:59 1997
+***************
+*** 311,316 ****
+--- 311,322 ----
+ {
+ struct sockaddr_in sin;
+ int p;
++ #if defined(__FreeBSD__) && !defined(SOCKS)
++ p = 1023; /* Compat with old FreeBSD */
++ sock = rresvport(&p);
++ if (sock < 0)
++ fatal("rresvport: %.100s", strerror(errno));
++ #else
+ for (p = 1023; p > 512; p--)
+ {
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+***************
+*** 338,343 ****
+--- 344,350 ----
+ }
+ fatal("bind: %.100s", strerror(errno));
+ }
++ #endif
+ debug("Allocated local port %d.", p);
+ }
+ else
diff --git a/security/ssh/patches/patch-ao b/security/ssh/patches/patch-ao
new file mode 100644
index 00000000000..5072ce4d394
--- /dev/null
+++ b/security/ssh/patches/patch-ao
@@ -0,0 +1,13 @@
+--- newchannels.c.orig Tue Apr 22 17:40:11 1997
++++ newchannels.c Sat Jul 19 11:42:06 1997
+@@ -2139,6 +2139,10 @@
+ ssh-agent connections on your system */
+ old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH);
+
++ /* Make sure the socket doesn't already exist, left over from a system
++ crash perhaps. */
++ unlink(channel_forwarded_auth_socket_name);
++
+ if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0)
+ packet_disconnect("Agent socket bind failed: %.100s", strerror(errno));
+
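Review bot: `unlink(channel_forwarded_auth_socket_name)` removes whatever exists at that path without checking what it is or who owns it, and its return value is ignored. Whether that is safe depends on the directory holding the socket and the uid in effect at this point, both of which are set outside the hunk; if other users can write to that directory, a pre-existing entry is silently deleted and the name can be re-created between the `unlink()` and the `bind()`. Consider an `lstat()` first that unlinks only when `S_ISSOCK(st.st_mode)` holds and `st.st_uid` matches the user, and extend the comment to state the directory ownership and permissions this code relies on.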