Diffstat (limited to 'security/ssh6')
53 files changed, 11354 insertions, 0 deletions
diff --git a/security/ssh6/Makefile b/security/ssh6/Makefile
new file mode 100644
index 00000000000..0a8a0a24854
--- /dev/null
+++ b/security/ssh6/Makefile
@@ -0,0 +1,201 @@
+# $NetBSD: Makefile,v 1.1 2000/03/20 02:25:30 itojun Exp $
+# FreeBSD Id: Makefile,v 1.47 1997/11/10 22:04:42 dima Exp
+#
+
+DISTNAME= ssh-1.2.27
+PKGNAME= ssh6-1.2.27
+CATEGORIES= security net
+MASTER_SITES= ftp://ftp.cs.hut.fi/pub/ssh/ \
+ ftp://ftp.funet.fi/pub/unix/security/login/ssh/ \
+ ftp://ftp.cert.dfn.de/pub/tools/net/ssh/
+DISTFILES= ${DISTNAME}${EXTRACT_SUFX}
+
+MAINTAINER= packages@netbsd.org
+HOMEPAGE= http://www.cs.hut.fi/ssh/
+
+CONFLICTS= openssh-[0-9]* ssh-*
+
+EXTRACT_ONLY= ${DISTNAME}${EXTRACT_SUFX}
+RESTRICTED= "Crypto; export-controlled"
+MIRROR_DISTFILE= no
+LICENSE= no-commercial-use
+
+CFLAGS= -O2
+GNU_CONFIGURE= YES
+
+.include "../../mk/bsd.prefs.mk"
+
+# Use SSH_CONF_DIR from /etc/mk.conf, if defined; otherwise default to /etc
+SSH_CONF_DIR?= /etc
+
+CONFIGURE_ARGS+= --with-etcdir=${SSH_CONF_DIR} --with-libwrap
+
+#Uncomment if all your users are in their own group and their homedir
+#is writeable by that group. Beware the security implications!
+#CONFIGURE_ARGS+= --enable-group-writeability
+
+#Uncomment if you want to allow ssh to emulate an unencrypted rsh connection
+#over a secure medium. This is normally dangerous since it can lead to the
+#disclosure keys and passwords.
+#CONFIGURE_ARGS+= --with-none
+
+.if defined(USE_RSAREF2) && ${USE_RSAREF2} == YES
+DEPENDS+= rsaref-2.0p3:../../security/rsaref
+CONFIGURE_ARGS+= --with-rsaref="${LOCALBASE}/lib"
+CONFIGURE_ENV+= LDFLAGS="-Wl,-R${LOCALBASE}/lib"
+CFLAGS+= -I${LOCALBASE}/include
+.endif
+
+# Include support for the SecureID card
+# Warning: untested !
+.if defined(USE_SECUREID) && ${USE_SECUREID} == YES
+CONFIGURE_ARGS+= --with-secureid
+.endif
+
+# If rsh is elsewhere to /usr/bin/rsh
+.if defined(SSH_RSHPATH)
+CONFIGURE_ARGS+= --with-rsh=${SSH_RSHPATH}
+.endif
+
+# By default, use IDEA. IDEA can be freely used for non-commercial use.
+# However, commercial use may require a license in a number of countries.
+#
+USE_IDEA?= YES
+
+# Handle deprecated option SSH_DONT_USE_IDEA.
+#
+.if defined(SSH_DONT_USE_IDEA) && ${SSH_DONT_USE_IDEA} == YES
+USE_IDEA= NO
+.endif
+
+.if ${USE_IDEA} != "YES"
+CONFIGURE_ARGS+= --without-idea
+.endif
+
+# Include SOCKS firewall support
+.if defined(USE_SOCKS) && (${USE_SOCKS} == 4 || ${USE_SOCKS} == 5)
+BROKEN= SOCKS support currently unavailable
+CONFIGURE_ARGS+= --with-socks${USE_SOCKS}="-L${LOCALBASE}/lib -lsocks${USE_SOCKS}"
+CFLAGS+= -I${LOCALBASE}/include
+.if ${USE_SOCKS} == 4
+DEPENDS+= socks4-2.2:../../net/socks4
+.else
+DEPENDS+= socks5-1.0.2:../../net/socks5
+.endif
+.endif
+
+# The original Kerberos v4 patches were fetched from
+# http://www.monkey.org/~dugsong/ssh-afs/
+# PATCH_SITES+= ftp://ftp.monkey.org/pub/users/dugsong/
+# PATCHFILES+= ssh-1.2.27-afs-kerberos.patch-1
+# MD5 (ssh-1.2.27-afs-kerberos.patch-1) = d440f74958d9c3805b76dbc13e97e87d
+
+.if defined(KERBEROS) && ${KERBEROS} == 4
+USE_KERBEROS= yes
+CONFIGURE_ARGS+= --with-krb4=/usr
+.endif
+
+.if defined(KERBEROS) && ${KERBEROS} == 5
+USE_KERBEROS= yes
+CONFIGURE_ARGS+=--with-krb5=/usr
+.else
+CONFIGURE_ARGS+=--without-krb5
+.endif
+
+# Find X11 libraries with xpkgwedge
+.if defined(USE_LOCALBASE_FOR_X11)
+CONFIGURE_ARGS+= --x-libraries=${X11BASE}/lib --x-includes=${X11BASE}/include
+.endif
+
+# Enable support for TIS authentication server
+.if defined(USE_TIS) && ${USE_TIS} == YES
+CONFIGURE_ARGS+= --with-tis=${LOCALBASE}
+.endif
+
+# Don't install "ssh" setuid
+.if !defined(SSH_SUID) || ${SSH_SUID} != YES
+CONFIGURE_ARGS+= --disable-suid-ssh
+.endif
+
+# Make libwrap also compare against forwards (off by default)
+.if defined(LIBWRAP_FWD) && ${LIBWRAP_FWD} == YES
+CFLAGS+= -DLIBWRAP_FWD
+.endif
+
+# The original IPv6 patches were fetched from
+# PATCH_SITES+= ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/
+# PATCHFILES+= ssh-1.2.27-IPv6-1.5-patch.gz
+# MD5 (ssh-1.2.27-IPv6-1.5-patch.gz) = b854131fe8aa025abeef32cecfe1b037
+
+.if defined(USE_INET6) && ${USE_INET6} == YES
+CONFIGURE_ARGS+= --enable-ipv6
+.else
+CONFIGURE_ARGS+= --disable-ipv6
+.endif
+
+# be more effective on M68060 machines
+.if defined(M68060)
+CONFIGURE_ARGS+= --disable-asm
+CFLAGS+= -m68060
+.endif
+
+DEINSTALL_FILE= ${WRKDIR}/DEINSTALL
+MESSAGE_FILE= ${WRKDIR}/MESSAGE
+PLIST_SRC= ${WRKDIR}/PLIST
+
+pre-patch:
+ @${MV} -f ${WRKSRC}/make-ssh-known-hosts.pl \
+ ${WRKSRC}/make-ssh-known-hosts.pl.in
+ @# SSH DES and AFS/Kerberos DES conflict.
+ @${MV} -f ${WRKSRC}/des.h ${WRKSRC}/ssh-des.h
+
+fetch-depends:
+.if !defined(USE_RSAREF2) || ${USE_RSAREF2} != YES && ${USE_RSAREF2} != NO
+ @${ECHO}
+ @${ECHO} The variable USE_RSAREF2 must be set to either YES or NO
+ @${ECHO} in order to build this package. USA residents that are
+ @${ECHO} not licensees of the RSA algorithm MUST set this variable
+ @${ECHO} to YES. Users outside the USA MUST set this variable to
+ @${ECHO} NO. Licensees may choose -- NO is faster.
+ @${ECHO}
+ @${ECHO} You may also want to set USE_IDEA to NO if this program
+ @${ECHO} will be used for a commercial purpose. There are other
+ @${ECHO} configure options\; look at the pkg Makefile for more info.
+ @${FALSE}
+.endif
+
+post-patch:
+ @# Make sure that "automake" is never run.
+ @${FIND} ${WRKSRC} -name Makefile.in -print | xargs ${TOUCH} ${TOUCH_FLAGS}
+
+post-build:
+ @cd ${PKGDIR}; \
+ for FILE in DEINSTALL MESSAGE PLIST ${FILESDIR}/sshd.sh; do \
+ ${SED} -e 's#@SSH_CONF_DIR@#${SSH_CONF_DIR}#g' \
+ -e 's#@PREFIX@#${PREFIX}#g' \
+ <$${FILE} >${WRKDIR}/`basename $${FILE}`; \
+ done
+ @if [ -x ${WRKSRC}/ssh-askpass ]; then \
+ ${ECHO} bin/ssh-askpass >>${PLIST_SRC}; \
+ ${ECHO} bin/ssh-askpass1 >>${PLIST_SRC}; \
+ fi
+
+post-install:
+ @${MKDIR} ${PREFIX}/share/examples/ssh
+ @${MKDIR} ${WRKDIR}${SSH_CONF_DIR}
+ (cd ${WRKSRC}; ${SETENV} ${MAKE_ENV} ${MAKE_PROGRAM} ${MAKE_FLAGS} \
+ -f ${MAKEFILE} install_prefix=${WRKDIR} install-configs)
+ ${INSTALL_DATA} ${WRKDIR}${SSH_CONF_DIR}/ssh_config \
+ ${WRKDIR}${SSH_CONF_DIR}/sshd_config ${PREFIX}/share/examples/ssh
+ @${RM} -rf ${WRKDIR}${SSH_CONF_DIR}
+ @if [ ! -f ${SSH_CONF_DIR}/ssh_host_key ]; then \
+ ${ECHO} "Generating a secret host key..."; \
+ ${PREFIX}/bin/ssh-keygen \
+ -f ${SSH_CONF_DIR}/ssh_host_key -N ""; \
+ fi
+ ${INSTALL_SCRIPT} ${WRKDIR}/sshd.sh ${PREFIX}/etc/rc.d/sshd.sh
+
+BUILD_DEFS+= USE_IDEA SSH_CONF_DIR SSH_SUID USE_RSAREF2
+BUILD_DEFS+= LIBWRAP_FWD M68060 USE_SOCKS USE_INET6
+
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/ssh6/files/md5 b/security/ssh6/files/md5
new file mode 100644
index 00000000000..cbd628bf2ec
--- /dev/null
+++ b/security/ssh6/files/md5
@@ -0,0 +1,3 @@
+$NetBSD: md5,v 1.1 2000/03/20 02:25:31 itojun Exp $
+
+MD5 (ssh-1.2.27.tar.gz) = c22bc000bee0f7d6f4845eab72a81395
diff --git a/security/ssh6/files/patch-sum b/security/ssh6/files/patch-sum
new file mode 100644
index 00000000000..aff928664fd
--- /dev/null
+++ b/security/ssh6/files/patch-sum
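Review bot: `BUILD_DEFS` at the end of the Makefile lists USE_IDEA, SSH_CONF_DIR, SSH_SUID, USE_RSAREF2, LIBWRAP_FWD, M68060, USE_SOCKS and USE_INET6, but not KERBEROS, USE_TIS, USE_SECUREID or SSH_RSHPATH, each of which also changes `CONFIGURE_ARGS` further up. Someone auditing an installed package then cannot tell from its recorded build information which authentication back ends were compiled into sshd. I would add `BUILD_DEFS+= KERBEROS USE_TIS USE_SECUREID SSH_RSHPATH`. Separately, the distfile is fetched over plain `ftp://` and pinned only by the MD5 in files/md5, so a second, stronger digest would be worth recording if the package infrastructure accepts one.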
@@ -0,0 +1,46 @@
+# $NetBSD: patch-sum,v 1.1 2000/03/20 02:25:31 itojun Exp $
+
+MD5 (patch-aa) = 39a4c82d2b89aae61df69a50f7aaa813
+MD5 (patch-ab) = 36dc0eb7feba0554674242b39082a09b
+MD5 (patch-ac) = 3b37e0f4ecc7fa49512d02bc7044269f
+MD5 (patch-ad) = 60483c735ff0e3c47e640002be0cee75
+MD5 (patch-ae) = c0f6b7f8e55442cc311ec00a7deea9a1
+MD5 (patch-af) = 1931160b8c6cebe641b4325aaeffad05
+MD5 (patch-ag) = 47b5e06663afddebbf2998e72f59dde2
+MD5 (patch-ah) = 7b6fe18163413b4f70195cb082ff51f5
+MD5 (patch-ai) = ab4a72deaa42a6ae7bf14ec554ed104f
+MD5 (patch-aj) = f84243bc83b7f0210ba021cc68ba6746
+MD5 (patch-al) = 00d14d38c42bae1c8c597855e1054e2c
+MD5 (patch-am) = fd4e766e57c58645714fdab8ed55da5d
+MD5 (patch-an) = 135b09a36c66aaf25a476dcb659efcf7
+MD5 (patch-ao) = 98e2eb418ee7f5ad544c32c7d5569ea2
+MD5 (patch-ap) = 99049fb6deb9bab8950723b7430a89a4
+MD5 (patch-aq) = 6af8d097a297182328216440e306effa
+MD5 (patch-ar) = f402ab7533811e42e6df38ee9dfb2e84
+MD5 (patch-as) = f1f3fc3e5dae2461fffd2e6555f3077c
+MD5 (patch-at) = 8f7b4464fb25bf7871191c1aa8de4b30
+MD5 (patch-au) = 5106bb8fd152358b6696491066805df1
+MD5 (patch-av) = b3f9909bd6a5cc387e929d16f89884c0
+MD5 (patch-aw) = 91ad583415323fd97b46415050b0781a
+MD5 (patch-ax) = 98084f72d9d51a8635711c5ba2f8b945
+MD5 (patch-ay) = bad6d73e938bcf379559d756e05e17b2
+MD5 (patch-az) = 8cb2b06a1f27a7976c96498489313ab3
+MD5 (patch-ba) = 4a896f7bd31a506ce863341b177b348c
+MD5 (patch-bb) = a40ead1d10647afb6b4f6a13ea4a4229
+MD5 (patch-bc) = de9333a77b5f7f4be537fca1009d818c
+MD5 (patch-bd) = 3164bf79351963ad8525b1d1c4045355
+MD5 (patch-be) = 5a903a9bacc892a91d5e6d0f7e19c08e
+MD5 (patch-bf) = 3f141908ccb754e791b8b7c6b47285bb
+MD5 (patch-bg) = 49092f0f234f9a96909d11d5eb285bb3
+MD5 (patch-bh) = 92eac2ff64ef86261e1cadf331e16091
+MD5 (patch-bi) = 64d9543d3839c0d14c8a4abfafa4557c
+MD5 (patch-bj) = 1f05b41165b267045f5c0a683be2054a
+MD5 (patch-bk) = 232d88ebcc4acdbb5242751696a0d9ec
+MD5 (patch-bl) = 82a4d98c20e38fa515e94df98d99104b
+MD5 (patch-bm) = adf57ea5144422880878e5a8c41c4565
+MD5 (patch-bn) = b952c31778b8d95772234c21c1ede892
+MD5 (patch-bo) = 9db4ecae0a7bd795d9eeefb7c3386f73
+MD5 (patch-bp) = b519463adf568f2ca2f6720a2055289e
+MD5 (patch-bq) = 2ac652937d1957d3d1d050516938c76c
+MD5 (patch-br) = 73c8bfe4215d67e9803b338cc5169b1f
+MD5 (patch-la) = 3584ccc61783fe0758d82b5ab82a658e
diff --git a/security/ssh6/files/sshd.sh b/security/ssh6/files/sshd.sh
new file mode 100644
index 00000000000..71b70f624e4
--- /dev/null
+++ b/security/ssh6/files/sshd.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# $NetBSD: sshd.sh,v 1.1 2000/03/20 02:25:32 itojun Exp $
+#
+if [ ! -f @SSH_CONF_DIR@/ssh_host_key ]
+then
+ @PREFIX@/bin/ssh-keygen -f @SSH_CONF_DIR@/ssh_host_key -N ''
+fi
+if [ -x @PREFIX@/sbin/sshd -a -f @SSH_CONF_DIR@/sshd_config ]
+then
+ @PREFIX@/sbin/sshd
+ echo -n ' sshd'
+fi
+exit 0
diff --git a/security/ssh6/patches/patch-aa b/security/ssh6/patches/patch-aa
new file mode 100644
index 00000000000..ce78efc7efb
--- /dev/null
+++ b/security/ssh6/patches/patch-aa
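Review bot: The first `if` block in sshd.sh ignores the exit status of `ssh-keygen`, so when key generation fails the script still goes on to start sshd and finishes with `exit 0`. The host key is created with an empty passphrase (`-N ''`), so its protection rests entirely on file permissions, which the script neither sets nor checks. I would stop on failure with `@PREFIX@/bin/ssh-keygen -f @SSH_CONF_DIR@/ssh_host_key -N '' || exit 1` and add a comment above it such as `# host key is stored unencrypted by design; it must stay readable by root only`.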
@@ -0,0 +1,36 @@ +$NetBSD: patch-aa,v 1.1 2000/03/20 02:25:32 itojun Exp $ + +--- rsaglue.c.orig Wed May 12 07:19:28 1999 ++++ rsaglue.c Fri Nov 12 08:40:02 1999 +@@ -71,8 +71,7 @@ + interface without modifying RSAREF. */ + + #define _MD5_H_ /* Kludge to prevent inclusion of rsaref md5.h. */ +-#include "rsaref2/source/global.h" +-#include "rsaref2/source/rsaref.h" ++#include <rsaref/rsaref.h> + + /* Convert an integer from gmp to rsaref representation. */ + +@@ -139,6 +138,10 @@ + + input_bits = mpz_sizeinbase(input, 2); + input_len = (input_bits + 7) / 8; ++ if (input_len > MAX_RSA_MODULUS_LEN) ++ fatal("Input data has too many bits for RSAREF to handle (max %d).", ++ MAX_RSA_MODULUS_BITS); ++ + gmp_to_rsaref(input_data, input_len, input); + + rsaref_public_key(&public_key, key); +@@ -172,6 +175,10 @@ + + input_bits = mpz_sizeinbase(input, 2); + input_len = (input_bits + 7) / 8; ++ if (input_len > MAX_RSA_MODULUS_LEN) ++ fatal("Input data has too many bits for RSAREF to handle (max %d).", ++ MAX_RSA_MODULUS_BITS); ++ + gmp_to_rsaref(input_data, input_len, input); + + rsaref_private_key(&private_key, key); diff --git a/security/ssh6/patches/patch-ab b/security/ssh6/patches/patch-ab new file mode 100644 index 00000000000..008abcfada0 --- /dev/null +++ b/security/ssh6/patches/patch-ab 
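Review bot: The two added `input_len > MAX_RSA_MODULUS_LEN` guards in rsaglue.c carry no comment saying which buffer they protect, and the declaration of `input_data` lies outside both inner hunks, so a reader cannot confirm from here that the limit matches the buffer size. A one-line comment above each guard would make the intent auditable, for example `/* gmp_to_rsaref() fills input_data with input_len bytes; refuse anything larger than RSAREF's buffers. */`, with the wording confirmed against the declaration. The same four lines are pasted into the public-key and the private-key path, so a small shared helper would keep the two checks from drifting apart. Only the inputs are bounded here; whether the output side needs an equivalent check cannot be judged from these hunks.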
@@ -0,0 +1,551 @@ +$NetBSD: patch-ab,v 1.1 2000/03/20 02:25:33 itojun Exp $ + +--- configure.in.orig Wed May 12 20:20:02 1999 ++++ configure.in Sat Mar 18 13:21:59 2000 +@@ -30,8 +30,132 @@ + fi + + AC_PROG_CC ++AC_PROG_CPP + AC_ISC_POSIX + ++AC_MSG_CHECKING([whether to enable ipv6]) ++AC_ARG_ENABLE(ipv6, ++[ --enable-ipv6 Enable ipv6 (with ipv4) support ++ --disable-ipv6 Disable ipv6 support], ++[ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ipv6=no ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_IPV6) ++ ipv6=yes ++ ;; ++ esac ], ++ ++ AC_TRY_RUN([ /* AF_INET6 avalable check */ ++#include <sys/types.h> ++#include <sys/socket.h> ++main() ++{ ++ if (socket(AF_INET6, SOCK_STREAM, 0) < 0) ++ exit(1); ++ else ++ exit(0); ++} ++], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_IPV6) ++ ipv6=yes, ++ AC_MSG_RESULT(no) ++ ipv6=no, ++ AC_MSG_RESULT(no) ++ ipv6=no ++)) ++ ++ipv6type=unknown ++ipv6lib=none ++ ++if test "$ipv6" = "yes"; then ++ AC_MSG_CHECKING([ipv6 stack type]) ++ for i in inria kame linux toshiba v6d zeta; do ++ case $i in ++ inria) ++ dnl http://www.kame.net/ ++ AC_EGREP_CPP(yes, [dnl ++#include <netinet/in.h> ++#ifdef IPV6_INRIA_VERSION ++yes ++#endif], ++ [ipv6type=$i; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ kame) ++ dnl http://www.kame.net/ ++ AC_EGREP_CPP(yes, [dnl ++#include <netinet/in.h> ++#ifdef __KAME__ ++yes ++#endif], ++ [ipv6type=$i; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ linux) ++ dnl http://www.v6.linux.or.jp/ ++ if test -d /usr/inet6; then ++ ipv6type=$i ++ ipv6lib=inet6 ++ ipv6libdir=/usr/inet6/lib ++ CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS" ++ fi ++ ;; ++ toshiba) ++ AC_EGREP_CPP(yes, [dnl ++#include <sys/param.h> ++#ifdef _TOSHIBA_INET6 ++yes ++#endif], ++ [ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ v6d) ++ AC_EGREP_CPP(yes, [dnl ++#include </usr/local/v6/include/sys/v6config.h> ++#ifdef __V6D__ ++yes ++#endif], ++ [ipv6type=$i; ++ ipv6lib=v6; ++ 
ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS"]) ++ ;; ++ zeta) ++ AC_EGREP_CPP(yes, [dnl ++#include <sys/param.h> ++#ifdef _ZETA_MINAMI_INET6 ++yes ++#endif], ++ [ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS"]) ++ ;; ++ esac ++ if test "$ipv6type" != "unknown"; then ++ break ++ fi ++ done ++ AC_MSG_RESULT($ipv6type) ++fi ++ ++if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then ++ if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then ++ LIBS="-L$ipv6libdir -l$ipv6lib $LIBS" ++ else ++ echo 'Fatal: no $ipv6lib library found. cannot continue.' ++ echo "You need to fetch lib$ipv6lib.a from appropriate" ++ echo 'ipv6 kit and compile beforehand.' ++ exit 1 ++ fi ++fi ++ + AC_DEFINE_UNQUOTED(HOSTTYPE, "$host") + + case "$host" in +@@ -42,11 +166,12 @@ + ;; + *-*-solaris*) + # solaris stuff. appro@fy.chalmers.se +- AC_DEFINE(SECURE_RPC) +- AC_DEFINE(SECURE_NFS) ++# this stuff breaks AFS/Kerberos. YUCK. ++# AC_DEFINE(SECURE_RPC) ++# AC_DEFINE(SECURE_NFS) + # NIS+ is forced so that we don't have to recompile + # if we move to NIS+. appro@fy.chalmers.se +- AC_DEFINE(NIS_PLUS) ++# AC_DEFINE(NIS_PLUS) + ;; + *-*-sunos*) + os_sunos=yes +@@ -311,9 +436,9 @@ + + export CFLAGS CC + +-# Socket pairs appear to be broken on several systems. I don't know exactly +-# where, so I'll use pipes everywhere for now. +-AC_DEFINE(USE_PIPES) ++dnl # Socket pairs appear to be broken on several systems. I don't know exactly ++dnl # where, so I'll use pipes everywhere for now. 
++dnl AC_DEFINE(USE_PIPES) + + AC_MSG_CHECKING([that the compiler works]) + AC_TRY_RUN([ main(int ac, char **av) { return 0; } ], +@@ -370,7 +495,7 @@ + AC_HEADER_STDC + AC_HEADER_SYS_WAIT + AC_CHECK_HEADERS(unistd.h rusage.h sys/time.h lastlog.h utmp.h shadow.h) +-AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h machine/endian.h) ++AC_CHECK_HEADERS(sgtty.h sys/select.h sys/ioctl.h sys/filio.h machine/endian.h) + AC_CHECK_HEADERS(paths.h usersec.h utime.h netinet/in_systm.h) + AC_CHECK_HEADERS(netinet/in_system.h netinet/ip.h netinet/tcp.h ulimit.h) + AC_CHECK_HEADERS(sys/resource.h login_cap.h sys/stream.h sys/conf.h) +@@ -399,6 +524,16 @@ + [ AC_DEFINE(HAVE_INCOMPATIBLE_SIGINFO) + AC_MSG_RESULT(yes)] , AC_MSG_RESULT(no)) + ++AC_MSG_CHECKING([whether sys/socket.h have struct sockaddr_storage]) ++AC_EGREP_HEADER(sockaddr_storage, sys/socket.h, ++ [ AC_DEFINE(HAVE_SOCKADDR_STORAGE) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++AC_MSG_CHECKING([whether sys/socket.h have __ss_family]) ++AC_EGREP_HEADER(__ss_family, sys/socket.h, ++ [ AC_DEFINE(HAVE_NEW_SS_FAMILY) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++AC_MSG_CHECKING([whether sys/socket.h have sa_len]) ++AC_EGREP_HEADER(sa_len, sys/socket.h, ++ [ AC_DEFINE(HAVE_SOCKADDR_LEN) AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) ++ + AC_CHECK_LIB(c, crypt, [true], AC_CHECK_LIB(crypt, crypt)) + AC_CHECK_LIB(sec, getspnam) + AC_CHECK_LIB(seq, get_process_stats) +@@ -436,6 +571,107 @@ + + AC_REPLACE_FUNCS(strerror memmove remove random putenv crypt socketpair snprintf) + ++AC_MSG_CHECKING(getaddrinfo bug) ++AC_TRY_RUN([ ++#include <sys/types.h> ++#include <netdb.h> ++#include <string.h> ++#include <sys/socket.h> ++#include <netinet/in.h> ++ ++main() ++{ ++ int passive, gaierr, inet4 = 0, inet6 = 0; ++ struct addrinfo hints, *ai, *aitop; ++ char straddr[INET6_ADDRSTRLEN], strport[16]; ++ ++ for (passive = 0; passive <= 1; passive++) { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_UNSPEC; ++ hints.ai_flags = passive ? 
AI_PASSIVE : 0; ++ hints.ai_socktype = SOCK_STREAM; ++ if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) { ++ (void)gai_strerror(gaierr); ++ goto bad; ++ } ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (ai->ai_addr == NULL || ++ ai->ai_addrlen == 0 || ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ straddr, sizeof(straddr), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV) != 0) { ++ goto bad; ++ } ++ if (strcmp(strport, "54321") != 0) { ++ goto bad; ++ } ++ switch (ai->ai_family) { ++ case AF_INET: ++ if (passive) { ++ if (strcmp(straddr, "0.0.0.0") != 0) { ++ goto bad; ++ } ++ } else { ++ if (strcmp(straddr, "127.0.0.1") != 0) { ++ goto bad; ++ } ++ } ++ inet4++; ++ break; ++ case AF_INET6: ++ if (passive) { ++ if (strcmp(straddr, "::") != 0) { ++ goto bad; ++ } ++ } else { ++ if (strcmp(straddr, "::1") != 0) { ++ goto bad; ++ } ++ } ++ inet6++; ++ break; ++ case AF_UNSPEC: ++ goto bad; ++ break; ++ default: ++ /* another family support? */ ++ break; ++ } ++ } ++ } ++ ++ if (inet4 != 0 && inet4 != 2) ++ goto bad; ++ if (inet6 != 0 && inet6 != 2) ++ goto bad; ++ ++ if (aitop) ++ freeaddrinfo(aitop); ++ exit(0); ++ ++ bad: ++ if (aitop) ++ freeaddrinfo(aitop); ++ exit(1); ++} ++], ++AC_MSG_RESULT(good) ++buggygetaddrinfo=no, ++AC_MSG_RESULT(buggy) ++buggygetaddrinfo=yes, ++AC_MSG_RESULT(buggy) ++buggygetaddrinfo=yes) ++ ++if test "$buggygetaddrinfo" = "yes"; then ++ if test "$ipv6" = "yes"; then ++ echo 'Fatal: You must get working getaddrinfo() function.' ++ echo ' or you can specify "--disable-ipv6"'. ++ exit 1 ++ else ++ AC_REPLACE_FUNCS(getaddrinfo getnameinfo) ++ fi ++fi ++ + AC_PROG_LN_S + AC_PROG_INSTALL + AC_CHECK_PROG(AR, ar, ar, echo) +@@ -903,8 +1139,8 @@ + fi + AC_MSG_RESULT(Assuming TIS headers and libraries are in $withval.) 
+ AC_DEFINE(HAVE_TIS) +- CFLAGS="$CFLAGS -I$withval -DHAVE_TIS" +- LIBS="-L$withval -lauth -lfwall $LIBS" ++ CFLAGS="$CFLAGS -I$withval/include -DHAVE_TIS" ++ LIBS="-L$withval/lib -lauth -lfwall $LIBS" + AC_MSG_WARN(Remember to read README.TIS. The connection between sshd and TIS authentication + server is clear text!) + ;; +@@ -912,55 +1148,117 @@ + AC_MSG_RESULT(no) + ) + +-AC_MSG_CHECKING(whether to use Kerberos) +-AC_ARG_WITH(kerberos5, +-[ --with-kerberos5=[KRB_PREFIX] Compile in Kerberos5 support.], ++AC_MSG_CHECKING(whether to use Kerberos v4) ++AC_ARG_WITH(krb4, ++[ --with-krb4[=PATH] Compile in Kerberos v4 support.], + [ case "$withval" in + yes) +- with_kerberos5=/usr/local ++ with_krb4=/usr/kerberos + ;; + esac ], +-[ with_kerberos5=no ] ++[ with_krb4=no ] + ) +-case "$with_kerberos5" in ++case "$with_krb4" in + no) + AC_MSG_RESULT(no) + ;; + *) + AC_MSG_RESULT(yes) +- AC_DEFINE(KERBEROS) +- AC_DEFINE(KRB5) +- KERBEROS_ROOT="$with_kerberos5" +- KERBEROS_INCS="-I${KERBEROS_ROOT}/include" +- KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err" +- AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm") ++ AC_DEFINE(KRB4) ++ KERBEROS_ROOT="$with_krb4" ++ KERBEROS_INCS="-I${KERBEROS_ROOT}/include/kerberosIV" ++ KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lkrb -ldes" + KERBEROS_OBJS="auth-kerberos.o" ++ AC_CHECK_LIB(resolv, dn_expand, KERBEROS_LIBS="$KERBEROS_LIBS -lresolv") ++ dnl Check whether or not the AFS lifetime conversion routines exist. 
++ AC_MSG_CHECKING(whether AFS lifetime conversion routines are present) ++ keeplibs="$LIBS" ++ keepcflags="$CFLAGS" ++ LIBS="-L${KERBEROS_ROOT}/lib -lkrb -ldes $LIBS" ++ CFLAGS="-I${KERBEROS_ROOT}/include $CFLAGS" ++ AC_TRY_LINK([#include <krb.h>], [ krb_life_to_time(10, 10);], ++ [AC_MSG_RESULT(yes) ++ AC_DEFINE(HAVE_KRB_LIFE_TO_TIME)], ++ [AC_MSG_RESULT(no)]) ++ LIBS="$keeplibs" ++ CFLAGS="$keepcflags" + ;; + esac +-AC_SUBST(KERBEROS_ROOT) +-AC_SUBST(KERBEROS_INCS) +-AC_SUBST(KERBEROS_LIBS) +-AC_SUBST(KERBEROS_OBJS) +- +-AC_MSG_CHECKING(whether to enable passing the Kerberos TGT) +-AC_ARG_ENABLE(kerberos-tgt-passing, +-[ --enable-kerberos-tgt-passing Pass Kerberos ticket-granting-ticket.], +-[ case "$enableval" in ++ ++AC_MSG_CHECKING(whether to use Kerberos v5) ++AC_ARG_WITH(krb5, ++[ --with-krb5[=PATH] Compile in Kerberos v5 support.], ++[ case "$withval" in ++ yes) ++ with_krb5=/usr/local ++ ;; ++ esac ], ++[ with_krb5=no ] ++) ++case "$with_krb5" in + no) + AC_MSG_RESULT(no) + ;; + *) +- if test "$with_kerberos5" = no ; then ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(KRB5) ++ KERBEROS_ROOT="$with_krb5" ++ KERBEROS_INCS="-I${KERBEROS_ROOT}/include/krb5" ++ KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" ++ AC_CHECK_LIB(ndbm, dbm_open, KERBEROS_LIBS="$KERBEROS_LIBS -lndbm") ++ KERBEROS_OBJS="auth-kerberos.o" ++ ;; ++esac ++ ++AC_MSG_CHECKING(whether to use AFS) ++AC_ARG_WITH(afs, ++[ --with-afs Compile in AFS support (requires KTH krb4).], ++if test "$with_afs" = no; then + AC_MSG_RESULT(no) +- AC_MSG_WARN("Passing Kerberos TGT requires Kerberos5 support.") + else + AC_MSG_RESULT(yes) +- AC_DEFINE(KERBEROS_TGT_PASSING) ++ AC_DEFINE(AFS) ++ if test "$with_krb4" = no; then ++ AC_MSG_RESULT(no) ++ AC_MSG_WARN("AFS requires Kerberos v4 support.") ++ else ++ KERBEROS_LIBS="${KERBEROS_LIBS} -lkafs" ++ if test -n "$os_aix"; then ++ KERBEROS_LIBS="${KERBEROS_LIBS} -lld" + fi ++ fi ++fi ++) ++AC_SUBST(KERBEROS_ROOT)dnl 
++AC_SUBST(KERBEROS_INCS)dnl ++AC_SUBST(KERBEROS_LIBS)dnl ++AC_SUBST(KERBEROS_OBJS)dnl ++ ++AC_MSG_CHECKING(whether to use Hesiod) ++AC_ARG_WITH(hesiod, ++[ --with-hesiod[=PATH] Compile in Hesiod support.], ++[ case "$withval" in ++ yes) ++ with_hesiod=/usr/local/athena + ;; + esac ], +- AC_MSG_RESULT(no) ++[ with_hesiod=no ] + ) ++case "$with_hesiod" in ++no) ++ AC_MSG_RESULT(no) ++ ;; ++*) ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(HESIOD) ++ HESIOD_ROOT="$with_hesiod" ++ HESIOD_INCS="-I${HESIOD_ROOT}/include" ++ HESIOD_LIBS="-L${HESIOD_ROOT}/lib -lhesiod" ++ ;; ++esac ++AC_SUBST(HESIOD_ROOT)dnl ++AC_SUBST(HESIOD_INCS)dnl ++AC_SUBST(HESIOD_LIBS)dnl + + AC_MSG_CHECKING(whether to use libwrap) + AC_ARG_WITH(libwrap, +@@ -970,11 +1268,19 @@ + AC_MSG_RESULT(no) + ;; + yes) +- AC_MSG_RESULT(yes) +- AC_CHECK_LIB(wrap, request_init, [ +- AC_DEFINE(LIBWRAP) +- WRAPLIBS="-lwrap" +- AC_DEFINE(HAVE_LIBWRAP) ]) ++ WRAPLIBS="-lwrap" ++ OLDLIBS="$LIBS" ++ LIBS="$WRAPLIBS $LIBS" ++ AC_TRY_LINK([ int allow_severity; int deny_severity; ], ++ [ request_init(); ], [ ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(LIBWRAP) ++ AC_DEFINE(HAVE_LIBWRAP) ++ ], [ ++ AC_MSG_RESULT(no) ++ WRAPLIBS="" ++ ]) ++ LIBS="$OLDLIBS" + ;; + *) + AC_MSG_RESULT(yes) +@@ -1227,14 +1533,14 @@ + [ case "$enableval" in + no) + AC_MSG_RESULT(no) +- SSHINSTALLMODE=0711 ++ SSHINSTALLMODE=0511 + ;; + *) AC_MSG_RESULT(yes) +- SSHINSTALLMODE=04711 ++ SSHINSTALLMODE=04511 + ;; + esac ], + AC_MSG_RESULT(yes) +- SSHINSTALLMODE=04711 ++ SSHINSTALLMODE=04511 + ) + + AC_MSG_CHECKING(whether to enable TCP_NODELAY) +@@ -1252,6 +1558,38 @@ + AC_DEFINE(ENABLE_TCP_NODELAY) + ) + ++AC_MSG_CHECKING(whether to enable another port try support) ++AC_ARG_ENABLE(another-port-try, ++[ --enable-another-port-try Enable another port try support (default) ++ --disable-another-port-try Disable another port try support], ++[ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY) ++ ;; ++ esac 
], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_ANOTHER_PORT_TRY) ++) ++ ++AC_MSG_CHECKING(whether to enable logging auth info support) ++AC_ARG_ENABLE(log-auth, ++[ --enable-log-auth Enable logging auth info support (default) ++ --disable-log-auth Disable logging auth info support], ++[ case "$enableval" in ++ no) ++ AC_MSG_RESULT(no) ++ ;; ++ *) AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_LOG_AUTH) ++ ;; ++ esac ], ++ AC_MSG_RESULT(yes) ++ AC_DEFINE(ENABLE_LOG_AUTH) ++) ++ + AC_MSG_CHECKING(whether to enable SO_LINGER) + AC_ARG_ENABLE(so-linger, + [ --enable-so-linger Enable setting SO_LINGER socket option], +@@ -1311,6 +1649,8 @@ + AC_DEFINE(SCP_ALL_STATISTICS_ENABLED) + ) + ++CFLAGS="$CPPFLAGS $CFLAGS" ++ + # We include this here only to make it visible in --help; this is only used + # in the gmp subdirectory. + AC_ARG_ENABLE(asm, +@@ -1336,4 +1676,4 @@ + AC_SUBST(SSHDCONFOBJS) + AC_SUBST(SSHINSTALLMODE) + +-AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile) ++AC_OUTPUT(Makefile sshd.8 ssh.1 make-ssh-known-hosts.pl make-ssh-known-hosts.1 zlib-1.0.4/Makefile) diff --git a/security/ssh6/patches/patch-ac b/security/ssh6/patches/patch-ac new file mode 100644 index 00000000000..fdb68c7f0fb --- /dev/null +++ b/security/ssh6/patches/patch-ac 
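Review bot: The new `--with-krb4` and `--with-krb5` blocks in configure.in both assign `KERBEROS_ROOT`, `KERBEROS_INCS`, `KERBEROS_LIBS` and `KERBEROS_OBJS` with plain `=`, so when both options are given the v5 values silently replace the v4 ones while `KRB4` stays defined, and nothing rejects that combination. A guard after the v5 block would make it explicit: `if test "$with_krb4" != no && test "$with_krb5" != no; then AC_MSG_ERROR(--with-krb4 and --with-krb5 are mutually exclusive); fi`. In the `--with-afs` block `AC_DEFINE(AFS)` is issued before the `$with_krb4` test, so AFS remains defined on the path that only warns that Kerberos v4 is required. The message `echo 'Fatal: no $ipv6lib library found. cannot continue.'` is single-quoted and prints the variable name literally; it needs double quotes.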
@@ -0,0 +1,202 @@ +$NetBSD: patch-ac,v 1.1 2000/03/20 02:25:33 itojun Exp $ + +--- Makefile.in.orig Wed May 12 13:19:31 1999 ++++ Makefile.in Sun Jan 23 00:22:03 2000 +@@ -264,7 +264,7 @@ + CFLAGS = @CFLAGS@ + LDFLAGS = @LDFLAGS@ + DEFS = @DEFS@ $(COMMERCIAL) +-LIBS = @LIBS@ ++LIBS = @LIBS@ @HESIOD_LIBS@ + LIBOBJS = @LIBOBJS@ + CONFOBJS = @CONFOBJS@ + SSHCONFOBJS = @SSHCONFOBJS@ +@@ -285,6 +285,9 @@ + KERBEROS_LIBS = @KERBEROS_LIBS@ + KERBEROS_OBJS = @KERBEROS_OBJS@ + ++HESIOD_ROOT = @HESIOD_ROOT@ ++HESIOD_INCS = @HESIOD_INCS@ ++ + RSAREFDEP = @RSAREFDEP@ + + WRAPLIBS = @WRAPLIBS@ +@@ -304,7 +307,8 @@ + GMPLIBS = -L$(GMPDIR) -lgmp + GMPDEP = $(GMPDIR)/gmp.h $(GMPDIR)/libgmp.a + +-ZLIBDIR = zlib-1.0.4 ++#ZLIBDIR = zlib-1.0.4 ++ZLIBDIR = /usr/lib + ZLIBDEP = $(ZLIBDIR)/libz.a + ZLIBLIBS = -L$(ZLIBDIR) -lz + +@@ -314,7 +318,7 @@ + X_CFLAGS = @X_CFLAGS@ + X_LIBS = @X_LIBS@ + X_PRE_LIBS = @X_PRE_LIBS@ +-X_EXTRA_LIBS = @X_EXTRA_LIBS@ ++X_EXTRA_LIBS = @X_EXTRA_LIBS@ -R$(X11BASE)/lib + + XLIBS = $(X_LIBS) $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS) $(LIBS) + +@@ -322,7 +326,7 @@ + rsa.o randoms.o md5.o buffer.o emulate.o packet.o compress.o \ + xmalloc.o ttymodes.o newchannels.o bufaux.o authfd.o authfile.o \ + crc32.o rsaglue.o cipher.o des.o match.o arcfour.o mpaux.o \ +- userfile.o signals.o blowfish.o deattack.o ++ userfile.o signals.o blowfish.o deattack.o radix.o + SSHD_OBJS = sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o \ + log-server.o login.o hostfile.o canohost.o servconf.o tildexpand.o \ + serverloop.o $(COMMON_OBJS) $(KERBEROS_OBJS) $(SSHDCONFOBJS) +@@ -411,7 +415,7 @@ + $(CC) -o rfc-pg rfc-pg.o + + .c.o: +- $(CC) -c -I. 
$(KERBEROS_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< ++ $(CC) -c -I. $(KERBEROS_INCS) $(HESIOD_INCS) -I$(srcdir)/$(GMPDIR) -I$(srcdir)/$(ZLIBDIR) $(DEFS) -DHOST_KEY_FILE=\"$(HOST_KEY_FILE)\" -DHOST_CONFIG_FILE=\"$(HOST_CONFIG_FILE)\" -DSERVER_CONFIG_FILE=\"$(SERVER_CONFIG_FILE)\" -DSSH_PROGRAM=\"$(SSH_PROGRAM)\" -DETCDIR=\"$(etcdir)\" -DPIDDIR=\"$(piddir)\" -DSSH_BINDIR=\"$(bindir)\" -DTIS_MAP_FILE=\"$(TIS_MAP_FILE)\" $(CFLAGS) $(X_CFLAGS) $< + + sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP) + -rm -f sshd +@@ -459,14 +463,14 @@ + $(GMPDIR)/libgmp.a: + cd $(GMPDIR); $(MAKE) + +-$(ZLIBDEP): +- -if test '!' -d $(ZLIBDIR); then \ +- mkdir $(ZLIBDIR); \ +- cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \ +- fi +- cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \ +- CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \ +- -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a ++#$(ZLIBDEP): ++# -if test '!' -d $(ZLIBDIR); then \ ++# mkdir $(ZLIBDIR); \ ++# cp $(srcdir)/$(ZLIBDIR)/Makefile $(ZLIBDIR); \ ++# fi ++# cd $(ZLIBDIR); $(MAKE) VPATH=$(srcdir)/$(ZLIBDIR):../$(srcdir)/$(ZLIBDIR) \ ++# CC="$(CC)" CFLAGS="$(CFLAGS) -I. -I$(srcdir)/$(ZLIBDIR) \ ++# -I../$(srcdir)/$(GMPDIR)" RANLIB="$(RANLIB)" libz.a + + $(RSAREFSRCDIR)/librsaref.a: + -if test '!' -d $(RSAREFDIR); then \ +@@ -523,10 +527,10 @@ + # (otherwise it can only log in as the user it runs as, and must be + # bound to a non-privileged port). Also, password authentication may + # not be available if non-root and using shadow passwords. 
+-install: $(PROGRAMS) make-dirs generate-host-key install-configs ++install: $(PROGRAMS) make-dirs install-configs + -rm -f $(install_prefix)$(bindir)/ssh1.old +- -chmod 755 $(install_prefix)$(bindir)/ssh1 +- -chmod 755 $(install_prefix)$(bindir)/ssh ++ -chmod 555 $(install_prefix)$(bindir)/ssh1 ++ -chmod 555 $(install_prefix)$(bindir)/ssh + -mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old + $(INSTALL_PROGRAM) -o root -m $(SSH_INSTALL_MODE) ssh $(install_prefix)$(bindir)/ssh1 + -if test -f $(install_prefix)$(bindir)/ssh2; then \ +@@ -549,7 +553,7 @@ + -for p in $(NORMAL_PROGRAMS) $(X_PROGRAMS) $(OTHER_PROGRAMS); do \ + rm -f $(install_prefix)$(bindir)/$${p}1.old ; \ + mv $(install_prefix)$(bindir)/$${p}1 $(install_prefix)$(bindir)/$${p}1.old; \ +- $(INSTALL_PROGRAM) -m 0755 $$p $(install_prefix)$(bindir)/$${p}1; \ ++ $(INSTALL_PROGRAM) $$p $(install_prefix)$(bindir)/$${p}1; \ + if test -f $(install_prefix)$(bindir)/$${p}2; then \ + echo "Ssh version 2 $$p utility found, installation doesn't touch $$p link"; \ + else \ +@@ -566,7 +570,7 @@ + rm -f $(install_prefix)$(bindir)/$${p}1.old ; \ + mv $(install_prefix)$(bindir)/$${p}1 $(install_prefix)$(bindir)/$${p}1.old; \ + $(INSTALL_DATA) $$p $(install_prefix)$(bindir)/$${p}1; \ +- chmod 755 $(install_prefix)$(bindir)/$${p}1; \ ++ chmod 555 $(install_prefix)$(bindir)/$${p}1; \ + if test -f $(install_prefix)$(bindir)/$${p}2; then \ + echo "Ssh version 2 $$p utility found, installation doesn't touch $$p link"; \ + else \ +@@ -582,7 +586,7 @@ + -for p in $(SBIN_PROGRAMS); do \ + rm -f $(install_prefix)$(sbindir)/$${p}1.old ; \ + mv $(install_prefix)$(sbindir)/$${p}1 $(install_prefix)$(sbindir)/$${p}1.old; \ +- $(INSTALL_PROGRAM) -m 0755 $$p $(install_prefix)$(sbindir)/$${p}1; \ ++ $(INSTALL_PROGRAM) $$p $(install_prefix)$(sbindir)/$${p}1; \ + if test -f $(install_prefix)$(sbindir)/$${p}2; then \ + echo "Ssh version 2 $$p utility found, installation doesn't touch $$p link"; \ + else \ +@@ -596,7 
+600,7 @@ + $(install_prefix)$(sbindir)/`echo $$p | sed '$(transform)'`; fi;\ + done + -for p in $(MAN1PAGES); do \ +- $(INSTALL_DATA) -m 0644 $(srcdir)/$$p.1 $(install_prefix)$(man1dir)/$${p}1.1 ; \ ++ $(INSTALL_DATA) $(srcdir)/$$p.1 $(install_prefix)$(man1dir)/$${p}1.1 ; \ + rm -f $(install_prefix)$(man1dir)/$$p.1 ;\ + $(LN_S) $${p}1.1 $(install_prefix)$(man1dir)/$$p.1 ;\ + if test "`echo $$p | sed '$(transform)'`" '!=' $$p; then \ +@@ -615,7 +619,7 @@ + $(install_prefix)$(man1dir)/`echo slogin.1 | sed '$(transform)'`; \ + fi + -for p in $(MAN1GENERATED); do \ +- $(INSTALL_DATA) -m 0644 $$p.1 $(install_prefix)$(man1dir)/$${p}1.1 ; \ ++ $(INSTALL_DATA) $$p.1 $(install_prefix)$(man1dir)/$${p}1.1 ; \ + rm -f $(install_prefix)$(man1dir)/$$p.1 ; \ + $(LN_S) $${p}1.1 $(install_prefix)$(man1dir)/$$p.1 ; \ + if test "`echo $$p | sed '$(transform)'`" '!=' $$p; then \ +@@ -625,7 +629,7 @@ + fi; \ + done + -for p in $(MAN8GENERATED); do \ +- $(INSTALL_DATA) -m 0644 $$p.8 $(install_prefix)$(man8dir)/$${p}1.8; \ ++ $(INSTALL_DATA) $$p.8 $(install_prefix)$(man8dir)/$${p}1.8; \ + rm -f $(install_prefix)$(man8dir)/$$p.8 ; \ + $(LN_S) $${p}1.8 $(install_prefix)$(man8dir)/$$p.8 ; \ + if test "`echo $$p | sed '$(transform)'`" '!=' $$p; then \ +@@ -636,12 +640,12 @@ + + install-configs: + -if test '!' -f $(install_prefix)$(HOST_CONFIG_FILE); then \ +- $(INSTALL_DATA) -m 0644 $(srcdir)/host_config.sample \ ++ $(INSTALL_DATA) $(srcdir)/host_config.sample \ + $(install_prefix)$(HOST_CONFIG_FILE); fi + -if test '!' 
-f $(install_prefix)$(SERVER_CONFIG_FILE); then \ + cat $(srcdir)/server_config.sample | \ + sed "s#_ETCDIR_#$(etcdir)#g" >/tmp/ssh_inst.$$$$; \ +- $(INSTALL_DATA) -m 0644 /tmp/ssh_inst.$$$$ \ ++ $(INSTALL_DATA) /tmp/ssh_inst.$$$$ \ + $(install_prefix)$(SERVER_CONFIG_FILE); \ + rm -f /tmp/ssh_inst.$$$$; fi + +@@ -681,13 +685,13 @@ + -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg + cd $(GMPDIR); $(MAKE) clean + # cd $(RSAREFSRCDIR); rm -f *.o *.a +- cd $(ZLIBDIR); $(MAKE) clean ++# cd $(ZLIBDIR); $(MAKE) clean + + distclean: clean + -rm -f Makefile config.status config.cache config.log config.h + -rm -f ssh.1 sshd.8 make-ssh-known-hosts.1 + cd $(GMPDIR); $(MAKE) distclean +- cd $(ZLIBDIR); $(MAKE) distclean ++# cd $(ZLIBDIR); $(MAKE) distclean + + dist: dist-free + +@@ -720,8 +724,8 @@ + gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) + # tar cf - $(RSAREFDIR) | (cd $(DISTNAME); tar xf -) + # cd $(DISTNAME)/$(RSAREFSRCDIR); rm -f *.o *.a +- (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) +- cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS ++# (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) ++# cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS + + #ifdef F_SECURE_COMMERCIAL + # +@@ -749,7 +753,7 @@ + (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null + + depend: +- $(MAKEDEP) -I$(srcdir) -I. -I$(GMPDIR) -I$(ZLIBDIR) $(DEFS) $(SRCS) ++ $(MAKEDEP) -I$(srcdir) -I. $(DEFS) $(SRCS) + + tags: + -rm -f TAGS diff --git a/security/ssh6/patches/patch-ad b/security/ssh6/patches/patch-ad new file mode 100644 index 00000000000..ac6458a2d38 --- /dev/null +++ b/security/ssh6/patches/patch-ad 
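Review bot: The `install-configs` recipe edited here still stages the generated server configuration in `/tmp/ssh_inst.$$$$`, a predictable name in a world-writable directory, and the package's post-install target runs it, presumably with root privileges. A file or symlink that already exists at that path would be written through by the `sed ... >` redirection. Staging the file in the build directory avoids the shared directory altogether: `sed "s#_ETCDIR_#$(etcdir)#g" >ssh_inst.$$$$; \`, with the following `$(INSTALL_DATA)` and `rm -f` lines changed to the same name. Dropping `-m 0644` from the `$(INSTALL_DATA)` calls also makes the installed modes depend on how the caller defines `INSTALL_DATA`, which deserves a comment in the patch.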
@@ -0,0 +1,13 @@ +$NetBSD: patch-ad,v 1.1 2000/03/20 02:25:33 itojun Exp $ + +--- make-ssh-known-hosts.pl.in.orig Tue Mar 17 21:37:38 1998 ++++ make-ssh-known-hosts.pl.in Tue Mar 17 21:44:18 1998 +@@ -1,5 +1,7 @@ +-#! &PERL& -w ++: + # -*- perl -*- ++eval 'exec perl -S "$0" ${1+"$@"}' ++ if $running_under_some_shell; + ###################################################################### + # make-ssh-known-hosts.pl -- Make ssh-known-hosts file + # Copyright (c) 1995 Tero Kivinen diff --git a/security/ssh6/patches/patch-ae b/security/ssh6/patches/patch-ae new file mode 100644 index 00000000000..d39deee0653 --- /dev/null +++ b/security/ssh6/patches/patch-ae @@ -0,0 +1,21 @@ +$NetBSD: patch-ae,v 1.1 2000/03/20 02:25:34 itojun Exp $ + +--- server_config.sample.orig Wed May 12 07:18:51 1999 ++++ server_config.sample Fri Dec 24 22:38:35 1999 +@@ -1,7 +1,6 @@ + # This is ssh server systemwide configuration file. + + Port 22 +-ListenAddress 0.0.0.0 + HostKey _ETCDIR_/ssh_host_key + RandomSeed _ETCDIR_/ssh_random_seed + ServerKeyBits 768 +@@ -16,7 +15,7 @@ + FascistLogging no + PrintMotd yes + KeepAlive yes +-SyslogFacility DAEMON ++SyslogFacility AUTH + RhostsAuthentication no + RhostsRSAAuthentication yes + RSAAuthentication yes diff --git a/security/ssh6/patches/patch-af b/security/ssh6/patches/patch-af new file mode 100644 index 00000000000..e810b0e51e0 --- /dev/null +++ b/security/ssh6/patches/patch-af 
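Review bot: The replacement header `eval 'exec perl -S "$0" ${1+"$@"}'` in patch-ad resolves the interpreter through the caller's PATH, where the removed `#! &PERL& -w` line used the `&PERL&` placeholder (presumably filled in with a fixed path at build time), and it also drops `-w`. The script generates an ssh-known-hosts file, so which perl binary runs it matters when it is started from a privileged account with an inherited PATH. If the shell-wrapper form is needed for portability, keep the configured interpreter and warnings, e.g. `eval 'exec &PERL& -w -S "$0" ${1+"$@"}'`, and add a one-line comment saying why the `#!` line was replaced.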
@@ -0,0 +1,1141 @@ +$NetBSD: patch-af,v 1.1 2000/03/20 02:25:34 itojun Exp $ + +--- sshd.c.orig Wed May 12 13:19:29 1999 ++++ sshd.c Mon Mar 6 15:19:36 2000 +@@ -511,7 +511,7 @@ + #include "firewall.h" /* TIS authsrv authentication */ + #endif + +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + #include <login_cap.h> + #endif + +@@ -537,15 +537,26 @@ + #define O_NOCTTY 0 + #endif + +-#ifdef KERBEROS + #ifdef KRB5 + #include <krb5.h> + /* Global the contexts */ + krb5_context ssh_context = 0; + krb5_auth_context auth_context = 0; + #endif /* KRB5 */ +-char *ticket = "none\0"; +-#endif /* KERBEROS */ ++ ++#ifdef KRB4 ++#include <sys/param.h> ++#include <krb.h> ++#ifdef AFS ++#include <kafs.h> ++/* Local Xauthority file. */ ++char *xauthfile = NULL; ++#endif /* AFS */ ++#endif /* KRB4 */ ++ ++#if defined(KRB5) || defined(KRB4) ++char *ticket = NULL; ++#endif /* KRB5 || KRB4 */ + + /* Server configuration options. */ + ServerOptions options; +@@ -553,6 +564,19 @@ + /* Name of the server configuration file. */ + char *config_file_name = SERVER_CONFIG_FILE; + ++/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. ++ Default value is AF_UNSPEC means both IPv4 and IPv6. */ ++#ifdef ENABLE_IPV6 ++int IPv4or6 = AF_UNSPEC; ++#else ++int IPv4or6 = AF_INET; ++#endif ++ ++#ifdef ENABLE_LOG_AUTH ++char *unauthenticated_user = NULL; ++int log_auth_flag = 0; ++#endif /* ENABLE_LOG_AUTH */ ++ + /* Debug mode flag. This can be set on the command line. If debug + mode is enabled, extra debugging output will be sent to the system + log, the daemon will not go to background, and will exit after processing +@@ -576,7 +600,17 @@ + + /* This is set to the socket that the server is listening; this is used in + the SIGHUP signal handler. 
*/ +-int listen_sock; ++#define MAX_LISTEN_SOCKS 16 ++int listen_socks[MAX_LISTEN_SOCKS]; ++int num_listen_socks = 0; ++void close_listen_socks() ++{ ++ int i; ++ ++ for (i = 0; i < num_listen_socks; i++) ++ close(listen_socks[i]); ++ num_listen_socks = -1; ++} + + /* This is not really needed, and could be eliminated if server-specific + and client-specific code were removed from newchannels.c */ +@@ -649,7 +683,6 @@ + const char *display, const char *auth_proto, + const char *auth_data, const char *ttyname); + +- + /* Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP; + the effect is to reread the configuration file (and to regenerate + the server key). */ +@@ -666,7 +699,7 @@ + void sighup_restart(void) + { + log_msg("Received SIGHUP; restarting."); +- close(listen_sock); ++ close_listen_socks(); + execvp(saved_argv[0], saved_argv); + log_msg("RESTART FAILED: av[0]='%.100s', error: %.100s.", + saved_argv[0], strerror(errno)); +@@ -680,7 +713,7 @@ + RETSIGTYPE sigterm_handler(int sig) + { + log_msg("Received signal %d; terminating.", sig); +- close(listen_sock); ++ close_listen_socks(); + exit(255); + } + +@@ -759,7 +792,7 @@ + int perm_denied = 0; + int ret; + fd_set fdset; +- struct sockaddr_in sin; ++ struct sockaddr_storage from; + char buf[100]; /* Must not be larger than remote_version. */ + char remote_version[100]; /* Must be at least as big as buf. */ + char *comment; +@@ -769,6 +802,9 @@ + struct linger linger; + #endif /* SO_LINGER */ + int done; ++ struct addrinfo *ai; ++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; ++ int listen_sock, maxfd; + + /* Save argv[0]. */ + saved_argv = av; +@@ -787,10 +823,26 @@ + initialize_server_options(&options); + + /* Parse command-line arguments. 
*/ +- while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:")) != EOF) ++ while ((opt = getopt(ac, av, "f:p:b:k:h:g:diqV:4" ++#ifdef ENABLE_IPV6 ++ "6" ++#endif ++ )) != EOF) + { + switch (opt) + { ++ case '4': ++#ifdef ENABLE_IPV6 ++ IPv4or6 = (IPv4or6 == AF_INET6) ? AF_UNSPEC : AF_INET; ++#else ++ IPv4or6 = AF_INET; ++#endif ++ break; ++#ifdef ENABLE_IPV6 ++ case '6': ++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6; ++ break; ++#endif + case 'f': + config_file_name = optarg; + break; +@@ -807,7 +859,7 @@ + options.server_key_bits = atoi(optarg); + break; + case 'p': +- options.port = atoi(optarg); ++ options.ports[options.num_ports++] = atoi(optarg); + break; + case 'g': + options.login_grace_time = atoi(optarg); +@@ -829,6 +881,10 @@ + fprintf(stderr, "sshd version %s [%s]\n", SSH_VERSION, HOSTTYPE); + fprintf(stderr, "Usage: %s [options]\n", av0); + fprintf(stderr, "Options:\n"); ++ fprintf(stderr, " -4 Use IPv4 only\n"); ++#ifdef ENABLE_IPV6 ++ fprintf(stderr, " -6 Use IPv6 only\n"); ++#endif + fprintf(stderr, " -f file Configuration file (default %s/sshd_config)\n", ETCDIR); + fprintf(stderr, " -d Debugging mode\n"); + fprintf(stderr, " -i Started from inetd\n"); +@@ -857,16 +913,15 @@ + fprintf(stderr, "fatal: Bad server key size.\n"); + exit(1); + } +- if (options.port < 1 || options.port > 65535) +- { +- fprintf(stderr, "fatal: Bad port number.\n"); +- exit(1); +- } + if (options.umask != -1) + { + umask(options.umask); + } + ++#ifdef ENABLE_LOG_AUTH ++ log_auth_flag = options.log_auth; ++#endif /* ENABLE_LOG_AUTH */ ++ + /* Check that there are no remaining arguments. */ + if (optind < ac) + { +@@ -1034,10 +1089,13 @@ + } + else + { ++ for (ai = options.listen_addrs; ai; ai = ai->ai_next) ++ { + /* Create socket for listening. 
*/ +- listen_sock = socket(AF_INET, SOCK_STREAM, 0); ++ listen_sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (listen_sock < 0) + fatal("socket: %.100s", strerror(errno)); ++ listen_socks[num_listen_socks] = listen_sock; + + /* Set socket options. We try to make the port reusable and have it + close as fast as possible without waiting in unnecessary wait states +@@ -1051,21 +1109,30 @@ + sizeof(linger)); + #endif /* SO_LINGER */ + +- /* Initialize the socket address. */ +- memset(&sin, 0, sizeof(sin)); +- sin.sin_family = AF_INET; +- sin.sin_addr = options.listen_addr; +- sin.sin_port = htons(options.port); ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); + + /* Bind the socket to the desired port. */ +- if (bind(listen_sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) ++ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +- error("bind: %.100s", strerror(errno)); +- shutdown(listen_sock, 2); ++ error("Bind to port %s on %s failed: %.200s.", ++ strport, ntop, strerror(errno)); + close(listen_sock); +- fatal("Bind to port %d failed: %.200s.", options.port, +- strerror(errno)); ++ continue; + } ++ num_listen_socks++; ++ ++ /* Start listening on the port. */ ++ log_msg("Server listening on %s port %s.", ntop, strport); ++ if (listen(listen_sock, 5) < 0) ++ fatal("listen: %.100s", strerror(errno)); ++ ++ } /* for (ai = options.listen_addrs; ai; ai = ai->ai_next) */ ++ freeaddrinfo(options.listen_addrs); ++ ++ if (!num_listen_socks) ++ fatal("Cannot bind all addresses."); + + if (!debug_flag) + { +@@ -1081,11 +1148,6 @@ + } + } + +- /* Start listening on the port. */ +- log_msg("Server listening on port %d.", options.port); +- if (listen(listen_sock, 5) < 0) +- fatal("listen: %.100s", strerror(errno)); +- + /* Generate an rsa key. 
*/ + log_msg("Generating %d bit RSA key.", options.server_key_bits); + rsa_generate_key(&sensitive_data.private_key, &public_key, +@@ -1115,7 +1177,6 @@ + /* Arrange SIGCHLD to be caught. */ + signal(SIGCHLD, main_sigchld_handler); + +-#ifdef KERBEROS + #ifdef KRB5 + /* Initialize contexts and setup replay cache */ + if (!ssh_context) +@@ -1128,7 +1189,6 @@ + krb5_init_ets(ssh_context); + } + #endif +-#endif + + /* Stay listening for connections until the system crashes or the + daemon is killed with a signal. */ +@@ -1139,9 +1199,15 @@ + + /* Wait in select until there is a connection. */ + FD_ZERO(&fdset); +- FD_SET(listen_sock, &fdset); +- ret = select(listen_sock + 1, &fdset, NULL, NULL, NULL); +- if (ret < 0 || !FD_ISSET(listen_sock, &fdset)) ++ maxfd = 0; ++ for (i = 0; i < num_listen_socks; i++) ++ { ++ FD_SET(listen_socks[i], &fdset); ++ if (listen_socks[i] > maxfd) ++ maxfd = listen_socks[i]; ++ } ++ ret = select(maxfd + 1, &fdset, NULL, NULL, NULL); ++ if (ret < 0) + { + if (errno == EINTR) + continue; +@@ -1149,8 +1215,12 @@ + continue; + } + +- aux = sizeof(sin); +- newsock = accept(listen_sock, (struct sockaddr *)&sin, &aux); ++ for (i = 0; i < num_listen_socks; i++) ++ { ++ if (!FD_ISSET(listen_socks[i], &fdset)) ++ continue; ++ aux = sizeof(from); ++ newsock = accept(listen_socks[i], (struct sockaddr *)&from, &aux); + if (newsock < 0) + { + if (errno == EINTR) +@@ -1166,7 +1236,7 @@ + /* In debugging mode. Close the listening socket, and start + processing the connection without forking. */ + debug("Server will not fork when running in debugging mode."); +- close(listen_sock); ++ close_listen_socks(); + sock_in = newsock; + sock_out = newsock; + pid = getpid(); +@@ -1195,7 +1265,7 @@ + the accepted socket. Reinitialize logging (since our + pid has changed). We break out of the loop to handle + the connection. 
*/ +- close(listen_sock); ++ close_listen_socks(); + sock_in = newsock; + sock_out = newsock; + #ifdef LIBWRAP +@@ -1233,6 +1303,10 @@ + + /* Close the new socket (the child is now taking care of it). */ + close(newsock); ++ } /* for (i = 0; i < num_host_socks; i++) */ ++ /* child process check (or debug mode) */ ++ if (num_listen_socks < 0) ++ break; + } + } + +@@ -1407,6 +1481,16 @@ + /* Try to remove authentication socket and directory */ + auth_delete_socket(NULL); + ++#ifdef KRB4 ++ /* Cleanup user's ticket cache file. */ ++ if (options.kerberos_ticket_cleanup) ++ (void) dest_tkt(); ++#ifdef AFS ++ /* Cleanup user's local Xauthority file. */ ++ if (xauthfile) unlink(xauthfile); ++#endif /* AFS */ ++#endif /* KRB4 */ ++ + /* The connection has been terminated. */ + log_msg("Closing connection to %.100s", get_remote_ipaddr()); + packet_close(); +@@ -1470,17 +1554,17 @@ + if (options.tis_authentication) + auth_mask |= 1 << SSH_AUTH_TIS; + #endif +-#ifdef KERBEROS +-#ifdef KRB5 ++#if defined(KRB4) || defined(KRB5) + if (options.kerberos_authentication) + auth_mask |= 1 << SSH_AUTH_KERBEROS; + #endif +-#endif +-#ifdef KERBEROS_TGT_PASSING +-#ifdef KRB5 ++#if defined(AFS) || defined(KRB5) + if (options.kerberos_tgt_passing) + auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; + #endif ++#ifdef AFS ++ if (options.afs_token_passing) ++ auth_mask |= 1 << SSH_PASS_AFS_TOKEN; + #endif + if (options.password_authentication) + auth_mask |= 1 << SSH_AUTH_PASSWORD; +@@ -1677,7 +1761,7 @@ + /* XXX No days_before_password_expires calculation here */ + } + #endif /* HAVE_USERSEC_H */ +-#ifdef HAVE_ETC_SHADOW ++#if defined(HAVE_ETC_SHADOW) && !defined(KRB4) && !defined(KRB5) + { + struct spwd *sp; + +@@ -1783,56 +1867,62 @@ + endspent(); + } + #endif /* HAVE_ETC_SHADOW */ +-#ifdef __FreeBSD__ +- { ++/* Net2,BSD4.4,BSD/OS,NetBSD,FreeBSD and OpenBSD all define BSD4_4 ++ man passwd(5) says that format has changed since BSD4.3 ++ */ ++#ifdef BSD4_4 ++ if(pwd->pw_change || pwd->pw_expire) { + 
time_t currtime; + +- if (pwd->pw_change || pwd->pw_expire) + currtime = time(NULL); + + /* + * Check for an expired password + */ +- if (pwd->pw_change && pwd->pw_change <= currtime) ++ ++ if (pwd->pw_change) + { +- debug("Account %.100s's password is too old - forced to change.", +- user); +- if (options.forced_passwd_change) ++ /* PASSWD_CHGNOW seems to be -1 for now but... */ ++ if ( ++#if defined(PASSWD_CHGNOW) && PASSWD_CHGNOW > 0 ++ pwd->pw_change == PASSWD_CHGNOW || ++#endif ++ pwd->pw_change <= currtime) + { +- forced_command = xmalloc(sizeof(PASSWD_PATH) + strlen(user) + 2); +- snprintf(forced_command, sizeof(PASSWD_PATH) + strlen(user) + 2, +- "%.100s %.100s", PASSWD_PATH, user); ++ packet_send_debug("Password has expired"); ++ if(options.forced_passwd_change) ++ { ++ debug("Account %.99s's password is too old - change forced.", ++ user); ++ forced_command = xmalloc(sizeof(PASSWD_PATH) + ++ strlen(user) + 1); ++ sprintf(forced_command, "%s %s", PASSWD_PATH, user); + } + else + { + return 0; + } + } +- else +- { +- if (pwd->pw_change) +- { ++#ifdef PASSWD_CHGNOW ++ if(pwd->pw_change != PASSWD_CHGNOW) + days_before_password_expires = (pwd->pw_change - currtime) / 86400; +- } ++#endif + } + + /* + * Check for expired account + */ +- if (pwd->pw_expire && pwd->pw_expire <= currtime) ++ if (pwd->pw_expire) + { +- debug("Account %.100s has expired - access denied.", user); ++ if (pwd->pw_expire <= currtime) ++ { ++ packet_send_debug("Account has expired"); + return 0; + } +- else +- { +- if (pwd->pw_expire) +- { + days_before_account_expires = (pwd->pw_expire - currtime) / 86400; + } + } +- } +-#endif /* !FreeBSD */ ++#endif /* !BSD4_4 */ + + #ifdef HAVE_HPUX_TCB_AUTH + { +@@ -2039,7 +2129,7 @@ + } + } + +- /* Check whether logins are deneid for this group. */ ++ /* Check whether logins are denied for this group. 
*/ + grp = getgrgid(pwd->pw_gid); + if (grp) + group = grp->gr_name; +@@ -2151,12 +2241,12 @@ + unsigned int client_host_key_bits; + MP_INT client_host_key_e, client_host_key_n; + int password_attempts = 0; +-#if defined(KERBEROS) && defined(KRB5) ++#ifdef KRB5 + char kuser[256]; + krb5_principal client = 0, tkt_client = 0; + krb5_data krb5data; +-#endif /* defined(KERBEROS) && defined(KRB5) */ +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#endif /* KRB5 */ ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + const char *hostname; + const char *ipaddr; +@@ -2167,10 +2257,18 @@ + ipaddr = get_remote_ipaddr(); + #endif /* HAVE_LOGIN_CAP_H */ + ++#ifdef AFS ++ /* If machine has AFS, set process authentication group. */ ++ if (k_hasafs()) { ++ k_setpag(); ++ k_unlog(); ++ } ++#endif /* AFS */ ++ + if (strlen(user) > 255) + do_authentication_fail_loop(); + +-#if defined(KERBEROS) && defined(KRB5) ++#ifdef KRB5 + /* For KRB5 allow the user to input fully qualified name i.e. + "username@realm" as the local user name. Then use this name to call + out to krb5_aname_to_localname to find if there is a localname +@@ -2203,8 +2301,11 @@ + } + else + krb5_parse_name(ssh_context, user, &client); +-#endif /* defined(KERBEROS) && defined(KRB5) */ ++#endif /* KRB5 */ + ++#ifdef ENABLE_LOG_AUTH ++ unauthenticated_user = user; ++#endif /* ENABLE_LOG_AUTH */ + /* Verify that the user is a valid user. We disallow usernames starting + with any characters that are commonly used to start NIS entries. 
*/ + pw = getpwnam(user); +@@ -2218,11 +2319,11 @@ + pwcopy.pw_passwd = xstrdup(pw->pw_passwd); + pwcopy.pw_uid = pw->pw_uid; + pwcopy.pw_gid = pw->pw_gid; +-#if (defined (__bsdi__) && _BSDI_VERSION >= 199510) || (defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) ++#ifdef BSD4_4 + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_change = pw->pw_change; + pwcopy.pw_expire = pw->pw_expire; +-#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ ++#endif /* BSD4_4 */ + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; +@@ -2241,11 +2342,11 @@ + + debug("Attempting authentication for %.100s.", user); + +-#if defined (KERBEROS) && defined (KRB5) ++ /* If the user has no password, accept authentication immediately. */ ++#ifdef KRB5 + if (!options.kerberos_authentication && options.password_authentication && + auth_password(user, "", 0)) +-#else /* defined(KERBEROS) && defined(KRB5) */ +- /* If the user has no password, accept authentication immediately. */ ++#else /* KRB5 */ + #if defined (HAVE_SIA) + /* For SIA, only call auth_password() here if the user really + has no password. Otherwise, the call would generate misleading +@@ -2254,12 +2355,21 @@ + if (options.password_authentication && sia_no_password(user) && + auth_password(user, "")) + #else /* defined(HAVE_SIA) */ +- if (options.password_authentication && auth_password(user, "")) ++ if (options.password_authentication && ++#ifdef KRB4 ++ options.kerberos_or_local_passwd && ++#endif /* KRB4 */ ++ auth_password(user, "")) + #endif /* defined(HAVE_SIA) */ +-#endif /* defined(KERBEROS) && defined(KRB5) */ ++#endif /* KRB5 */ + { + /* Authentication with empty password succeeded. 
*/ + debug("Login for user %.100s accepted without authentication.", user); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "empty password accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_PASSWORD; + authenticated = 1; + /* Success packet will be sent after loop below. */ +@@ -2281,34 +2391,61 @@ + /* Process the packet. */ + switch (type) + { +-#ifdef KERBEROS_TGT_PASSING +-#ifdef KRB5 ++#if defined(KRB5) || defined(AFS) + case SSH_CMSG_HAVE_KERBEROS_TGT: ++#ifdef KRB5 + if (!options.kerberos_tgt_passing || + (!(options.kerberos_authentication || + options.password_authentication || + options.rsa_authentication))) ++#else /* KRB5 */ ++ if (!options.kerberos_tgt_passing) ++#endif /* KRB5 */ + { + packet_get_all(); + log_msg("Kerberos tgt passing disabled."); + break; + } +- ++#ifdef KRB5 + /* Accept Kerberos tgt. */ + krb5data.data = packet_get_string((unsigned int *) &krb5data.length); + +- if (!auth_kerberos_tgt(user, &krb5data, client) || ++ if (!auth_krb5_tgt(user, &krb5data, client) || + !krb5_kuserok(ssh_context, client, user)){ + log_msg("Kerberos tgt REFUSED for %.100s", user); + debug("Kerberos tgt REFUSED for %.100s", user); + } + free(krb5data.data); +-#endif ++#else /* KRB5 */ ++ { ++ /* Accept Kerberos tgt. */ ++ char *tgt = packet_get_string(NULL); ++ if (!auth_kerberos_tgt(pw, tgt)) ++ debug("Kerberos tgt REFUSED for %s", user); ++ xfree(tgt); ++ } ++#endif /* KRB5 */ + continue; +-#endif /* KERBEROS_TGT_PASSING */ ++#endif /* KRB5 || AFS */ + +-#ifdef KERBEROS +-#ifdef KRB5 ++#ifdef AFS ++ case SSH_CMSG_HAVE_AFS_TOKEN: ++ if (!k_hasafs() || !options.afs_token_passing) { ++ packet_get_all(); ++ log_msg("AFS token passing disabled."); ++ break; ++ } ++ else { ++ /* Accept AFS token. 
*/ ++ char *token_string = packet_get_string(NULL); ++ if (!auth_afs_token(user, pw->pw_uid, token_string)) ++ debug("AFS token REFUSED for %s", user); ++ xfree(token_string); ++ continue; ++ } ++#endif /* AFS */ ++ ++#if defined(KRB4) || defined(KRB5) + case SSH_CMSG_AUTH_KERBEROS: + if (!options.kerberos_authentication) + { +@@ -2316,9 +2453,10 @@ + log_msg("Kerberos authentication disabled."); + break; + } ++#ifdef KRB5 + /* Try Kerberos authentication. */ + krb5data.data = packet_get_string((unsigned int *) &krb5data.length); +- if (auth_kerberos(user, &krb5data, &tkt_client)) ++ if (auth_krb5(user, &krb5data, &tkt_client)) + { + char *tkt_user; + +@@ -2334,6 +2472,11 @@ + /* Client has successfully authenticated to us. */ + log_msg("Kerberos authentication accepted %.100s for login to account %.100s from %.200s", + tkt_user, user, get_canonical_hostname()); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "kerberos authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_KERBEROS; + authenticated = 1; + break; +@@ -2347,11 +2490,31 @@ + } + free(tkt_user); + } +-#endif /* KRB5 */ +- debug("Kerberos authentication failed for %.100s from %.200s", +- user, get_canonical_hostname()); ++#else /* !KRB5 XXX - how to make these coexist? */ ++ else { ++ /* Try Kerberos v4 authentication. */ ++ KTEXT_ST auth; ++ char *tkt_user = NULL; ++ char *kdata = packet_get_string((unsigned int *)&auth.length); ++ ++ memcpy(auth.dat, kdata, auth.length); ++ xfree(kdata); ++ ++ if (auth_krb4(user, &auth, &tkt_user)) { ++ /* Client has successfully authenticated to us. 
*/ ++ log_msg("Kerberos authentication accepted %s for account " ++ "%.100s from %.200s", tkt_user, user, ++ get_canonical_hostname()); ++ authentication_type = SSH_AUTH_KERBEROS; ++ authenticated = 1; ++ xfree(tkt_user); + break; +-#endif /* KERBEROS */ ++ } ++ log_msg("Kerberos authentication failed for account " ++ "%.100s from %.200s", user, get_canonical_hostname()); ++ } ++#endif /* KRB5 */ ++#endif /* KRB5 || KRB4 */ + + case SSH_CMSG_AUTH_RHOSTS: + if (!options.rhosts_authentication) +@@ -2382,6 +2545,11 @@ + /* Authentication accepted. */ + log_msg("Rhosts authentication accepted for %.100s, remote %.100s on %.700s.", + user, client_user, get_canonical_hostname()); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.100s@%.700s (%s)", ++ user, client_user, get_canonical_hostname(), ++ "rhosts authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RHOSTS; + authenticated = 1; + remote_user_name = client_user; +@@ -2441,6 +2609,11 @@ + options.strict_modes)) + { + /* Authentication accepted. */ ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.100s@%.700s (%s)", ++ user, client_user, get_canonical_hostname(), ++ "rhosts with RSA host authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RHOSTS_RSA; + authenticated = 1; + remote_user_name = client_user; +@@ -2474,6 +2647,11 @@ + /* Successful authentication. 
*/ + mpz_clear(&n); + log_msg("RSA authentication for %.100s accepted.", user); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "RSA user authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_RSA; + authenticated = 1; + break; +@@ -2568,7 +2746,7 @@ + if (!strncmp(buf, "challenge ", 10) || + !strncmp(buf, "chalnecho ", 10)) { + snprintf(prompt, sizeof(prompt), +- "Challenge \"%.100s\": ",&buf[10]); ++ "%.100s",&buf[10]); + debug("TIS challenge %.500s", buf); + packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); + packet_put_string(prompt, strlen(prompt)); +@@ -2608,6 +2786,11 @@ + auth_close(); + memset(password, 0, strlen(password)); + xfree(password); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from @%.700s (%s)", ++ user, get_canonical_hostname(), ++ "TIS authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_TIS; + authenticated = 1; + break; +@@ -2657,17 +2840,22 @@ + password_attempts++; + + /* Try authentication with the password. */ +-#if defined(KERBEROS) && defined(KRB5) ++#ifdef KRB5 + if (auth_password(user, password, client)) +-#else /* defined(KERBEROS) && defined(KRB5) */ ++#else /* KRB5 */ + if (auth_password(user, password)) +-#endif /* defined(KERBEROS) && defined(KRB5) */ ++#endif /* KRB5 */ + { + /* Successful authentication. */ + /* Clear the password from memory. */ + memset(password, 0, strlen(password)); + xfree(password); + log_msg("Password authentication for %.100s accepted.", user); ++#ifdef ENABLE_LOG_AUTH ++ log_auth("%.100s from %.700s (%s)", ++ user, get_canonical_hostname(), ++ "password authentication accepted"); ++#endif /* ENABLE_LOG_AUTH */ + authentication_type = SSH_AUTH_PASSWORD; + authenticated = 1; + break; +@@ -2688,7 +2876,7 @@ + if (authenticated) + break; + +-#ifdef KERBEROS ++#if defined(KRB5) + /* If you forwarded a ticket you get one shot for proper + authentication. 
*/ + /* If tgt was passed unlink file */ +@@ -2699,7 +2887,7 @@ + else + ticket = NULL; + } +-#endif /* KERBEROS */ ++#endif /* KRB5 */ + + /* Send a message indicating that the authentication attempt failed. */ + packet_start(SSH_SMSG_FAILURE); +@@ -2708,6 +2896,11 @@ + } + + /* Check if the user is logging in as root and root logins are disallowed. */ ++#ifdef ENABLE_LOG_AUTH ++ if ((pw->pw_uid == UID_ROOT && options.permit_root_login == 1) || ++ (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && !forced_command)) ++ log_auth("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); ++#endif /* ENABLE_LOG_AUTH */ + if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1) + { + if (authentication_type == SSH_AUTH_PASSWORD) +@@ -2724,7 +2917,7 @@ + get_canonical_hostname()); + } + +-#if defined (__FreeBSD__) && defined (HAVE_LOGIN_CAP_H) ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined (HAVE_LOGIN_CAP_H) + + lc = login_getclass(pw->pw_class); + +@@ -2775,6 +2968,9 @@ + packet_start(SSH_SMSG_SUCCESS); + packet_send(); + packet_write_wait(); ++#ifdef ENABLE_LOG_AUTH ++ unauthenticated_user = NULL; ++#endif /* ENABLE_LOG_AUTH */ + + /* Perform session preparation. */ + do_authenticated(pw); +@@ -2965,6 +3161,21 @@ + display = x11_create_display_inet(screen); + if (!display) + goto fail; ++#ifdef AFS ++ /* Setup to have a local .Xauthority, if homedir is in AFS. */ ++ { ++ struct stat st; ++ char cell[64], *xauthdir = "/ticket"; ++ ++ if (k_hasafs() && k_afs_cell_of_file(pw->pw_dir, cell, sizeof(cell)) == 0) { ++ xauthfile = xmalloc(MAXPATHLEN); ++ if (stat(xauthdir, &st) < 0) ++ xauthdir = "/tmp"; ++ snprintf(xauthfile, MAXPATHLEN, "%s/Xauth%d_%d", xauthdir, ++ pw->pw_uid, getpid()); ++ } ++ } ++#endif /* AFS */ + break; + #else /* XAUTH_PATH */ + /* No xauth program; we won't accept forwarding with spoofing. 
*/ +@@ -3280,15 +3491,12 @@ + char line[256]; + struct stat st; + int quiet_login; +- struct sockaddr_in from; ++ struct sockaddr_storage from; + int fromlen; + struct pty_cleanup_context cleanup_context; +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + #endif +-#if defined (__bsdi__) && _BSDI_VERSION >= 199510 +- struct timeval tp; +-#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ + + /* We no longer need the child running on user's privileges. */ + userfile_uninit(); +@@ -3387,9 +3595,9 @@ + + /* Record that there was a login on that terminal. */ + record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, +- &from); ++ (struct sockaddr *)&from); + +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + lc = login_getclass(pw->pw_class); + #endif + +@@ -3398,7 +3606,7 @@ + snprintf(line, sizeof(line), "%.200s/.hushlogin", pw->pw_dir); + quiet_login = stat(line, &st) >= 0; + +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); + #endif + +@@ -3425,7 +3633,7 @@ + } + #endif /* HAVE_SIA */ + +-#ifdef __FreeBSD__ ++#if defined(__FreeBSD__) || defined(__NetBSD__) + if (command == NULL && !quiet_login) + { + #ifdef HAVE_LOGIN_CAP_H +@@ -3457,7 +3665,7 @@ + FILE *f; + + /* Print /etc/motd if it exists. 
*/ +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), + "r"); + #else +@@ -3469,33 +3677,9 @@ + fputs(line, stdout); + fclose(f); + } +-#if defined (__bsdi__) && _BSDI_VERSION >= 199510 +- if (pw->pw_change || pw->pw_expire) +- (void)gettimeofday(&tp, (struct timezone *)NULL); +- if (pw->pw_change) +- { +- if (tp.tv_sec >= pw->pw_change) +- { +- fprintf(stderr,"Sorry -- your password has expired.\n"); +- exit(254); +- } +- days_before_password_expires = (pw->pw_change - tp.tv_sec) / +- 86400; +- } +- if (pw->pw_expire) +- { +- if (tp.tv_sec >= pw->pw_expire) +- { +- fprintf(stderr,"Sorry -- your account has expired.\n"); +- exit(254); +- } +- days_before_account_expires = (pw->pw_expire - tp.tv_sec) / +- 86400; +- } +-#endif /* __bsdi__ & _BSDI_VERSION >= 199510 */ + } + +-#if defined (__FreeBSD__) && defined HAVE_LOGIN_CAP_H ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined HAVE_LOGIN_CAP_H + login_close(lc); + #endif + +@@ -3876,6 +4060,7 @@ + char *user_shell; + char *remote_ip; + int remote_port; ++ int local_port; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + char *real_shell; +@@ -3883,8 +4068,11 @@ + lc = login_getclass(pw->pw_class); + auth_checknologin(lc); + #else /* !HAVE_LOGIN_CAP_H */ +-#if defined (__bsdi__) && _BSDI_VERSION > 199510 ++#if ( defined (__bsdi__) && _BSDI_VERSION > 199510 ) || (defined(HAVE_LOGIN_CAP_H) && defined(__NetBSD__)) + login_cap_t *lc = 0; ++#if defined(__NetBSD__) ++ char *real_shell; ++#endif + + if ((lc = login_getclass(pw->pw_class)) == NULL) + { +@@ -3981,6 +4169,7 @@ + user_shell = xstrdup(pw->pw_shell); + remote_ip = xstrdup(get_remote_ipaddr()); + remote_port = get_remote_port(); ++ local_port = get_local_port(); + + /* Close the connection descriptors; note that this is the child, and the + server will still have the 
socket open, and it is important that we +@@ -4000,7 +4189,6 @@ + /* Close any extra file descriptors. Note that there may still be + descriptors left by system functions. They will be closed later. */ + endpwent(); +- endhostent(); + + /* Set dummy encryption key to clear information about the key from + memory. This key will never be used. */ +@@ -4019,7 +4207,7 @@ + if (command != NULL || !options.use_login) + #endif /* USELOGIN */ + { +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + char *p, *s, **tmpenv; + + /* Initialize the new environment. +@@ -4180,10 +4368,23 @@ + and means /bin/sh. */ + shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell; + +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell); + login_close(lc); + #endif /* HAVE_LOGIN_CAP_H */ ++ ++#ifdef AFS ++ /* Try to get AFS tokens for the local cell. */ ++ if (k_hasafs()) { ++ char cell[64]; ++ ++ if (k_afs_cell_of_file(user_dir, cell, sizeof(cell)) == 0) ++ krb_afslog(cell, 0); ++ ++ krb_afslog(0, 0); ++ } ++#endif /* AFS */ ++ + /* Initialize the environment if not already done. In the first part we + allocate space for all environment variables. */ + if (env == NULL) +@@ -4257,7 +4458,7 @@ + + /* Set SSH_CLIENT. */ + snprintf(buf, sizeof(buf), +- "%.50s %d %d", remote_ip, remote_port, options.port); ++ "%.50s %d %d", remote_ip, remote_port, local_port); + child_set_env(&env, &envsize, "SSH_CLIENT", buf); + + /* Set SSH_TTY if we have a pty. */ +@@ -4290,13 +4491,21 @@ + } + #endif + +-#ifdef KERBEROS +- /* Set KRBTKFILE to point to our ticket */ ++ /* Set KRBTKFILE to point to our ticket. 
*/ + #ifdef KRB5 + if (ticket) + child_set_env(&env, &envsize, "KRB5CCNAME", ticket); + #endif /* KRB5 */ +-#endif /* KERBEROS */ ++#ifdef KRB4 /* XXX - how to make these coexist? */ ++ if (ticket) ++ child_set_env(&env, &envsize, "KRBTKFILE", ticket); ++ ++#ifdef AFS ++ /* Set XAUTHORITY to a local file, if homedir is in AFS. */ ++ if (xauthfile) ++ child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); ++#endif /* AFS */ ++#endif /* KRB4 */ + + /* Set variable for forwarded authentication connection, if we have one. */ + if (auth_get_socket_name() != NULL) +@@ -4426,7 +4635,8 @@ + int i; + char name[255], *p; + char line[256]; +- struct hostent *hp; ++ struct addrinfo hints, *ai, *aitop; ++ char ntop[ADDRSTRLEN]; + + strncpy(name, display, sizeof(name)); + name[sizeof(name) - 1] = '\0'; +@@ -4443,7 +4653,10 @@ + /* Moved this call here to avoid a nasty buf in SunOS + 4.1.4 libc where gethostbyname closes an unrelated + file descriptor. */ +- hp = gethostbyname(name); ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) ++ aitop = 0; + + snprintf(line, sizeof(line), + "%.200s -q -", options.xauth_path); +@@ -4461,21 +4674,24 @@ + cp - display, display, cp, auth_proto, + auth_data); + #endif +- if (hp) ++ if (aitop) + { +- for(i = 0; hp->h_addr_list[i]; i++) ++ for (ai = aitop; ai; ai = ai->ai_next) + { ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), NULL, 0, ++ NI_NUMERICHOST); ++ if (strchr(ntop, ':')) ++ continue; /* XXX - xauth doesn't accept it */ + if (debug_flag) + { + fprintf(stderr, "Running %s add %s%s %s %s\n", + options.xauth_path, +- inet_ntoa(*((struct in_addr *) +- hp->h_addr_list[i])), ++ ntop, + cp, auth_proto, auth_data); + } + fprintf(f, "add %s%s %s %s\n", +- inet_ntoa(*((struct in_addr *) +- hp->h_addr_list[i])), ++ ntop, + cp, auth_proto, auth_data); + } + } +@@ -4554,7 +4770,7 @@ + /* Execute the shell. 
*/ + argv[0] = buf; + argv[1] = NULL; +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + execve(real_shell, argv, env); + #else + execve(shell, argv, env); +@@ -4579,7 +4795,7 @@ + argv[1] = "-c"; + argv[2] = (char *)command; + argv[3] = NULL; +-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) ++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H) + execve(real_shell, argv, env); + #else + execve(shell, argv, env); diff --git a/security/ssh6/patches/patch-ag b/security/ssh6/patches/patch-ag new file mode 100644 index 00000000000..89413623cb0 --- /dev/null +++ b/security/ssh6/patches/patch-ag 
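Review bot: In the new KRB4 branch of `case SSH_CMSG_AUTH_KERBEROS` in patch-af, `memcpy(auth.dat, kdata, auth.length)` copies a length taken from the client's packet into the fixed-size `KTEXT_ST auth` on the stack, before the client is authenticated and with no upper bound. Guard the copy against the buffer size, e.g. `if ((unsigned int)auth.length >= MAX_KTXT_LEN) { xfree(kdata); break; }` (MAX_KTXT_LEN being the krb.h size of `dat`; confirm against the header in use), so that an oversized ticket appears to fall through to the `SSH_SMSG_FAILURE` reply after the switch. The listen loop also stores into `listen_socks[num_listen_socks]` without comparing against `MAX_LISTEN_SOCKS`, and the `-p` handler writes `options.ports[options.num_ports++]` with no visible limit now that the port range check is removed; both need a bound. The functions involved start and end outside the inner hunks shown.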
@@ -0,0 +1,97 @@
+$NetBSD: patch-ag,v 1.1 2000/03/20 02:25:34 itojun Exp $
+
+--- log-server.c.orig Wed May 12 07:19:26 1999
++++ log-server.c Sat Dec 25 00:17:29 1999
+@@ -146,6 +146,25 @@
+ syslog(LOG_INFO, "log: %.500s", buf);
+ }
+
++#ifdef ENABLE_LOG_AUTH
++void log_auth(const char *fmt, ...)
++{
++ char buf[1024];
++ va_list args;
++ extern int log_auth_flag;
++ if (!log_auth_flag)
++ return;
++ if (log_quiet)
++ return;
++ va_start(args, fmt);
++ vsprintf(buf, fmt, args);
++ va_end(args);
++ if (log_on_stderr)
++ fprintf(stderr, "log: %s\n", buf);
++ syslog(LOG_INFO|LOG_AUTH, "%.500s", buf);
++}
++#endif /* ENABLE_LOG_AUTH */
++
+ /* Converts portable syslog severity to machine-specific syslog severity. */
+
+ static int syslog_severity(int severity)
+@@ -265,9 +284,12 @@
+ {
+ struct fatal_cleanup *cu, *next_cu;
+ static int fatal_called = 0;
+-#ifdef KERBEROS
++#if defined(KRB4) || defined(KRB5)
+ extern char *ticket;
+-#endif
++#ifdef AFS
++ extern char *xauthfile;
++#endif /* AFS */
++#endif /* KRB4 || KRB5 */
+
+ if (!fatal_called)
+ {
+@@ -281,19 +303,27 @@
+ (unsigned long)cu->proc, (unsigned long)cu->context);
+ (*cu->proc)(cu->context);
+ }
+-#ifdef KERBEROS
++#if defined(KRB4) || defined(KRB5)
+ /* If you forwarded a ticket you get one shot for proper
+ authentication. */
+ /* If tgt was passed unlink file */
+ if (ticket)
+ {
+ if (strcmp(ticket,"none"))
++#ifdef KRB5
+ /* ticket -> FILE:path */
+ unlink(ticket + 5);
++#else /* KRB4 */
++ unlink(ticket);
++#endif
+ else
+ ticket = NULL;
+ }
+-#endif /* KERBEROS */
++#ifdef AFS
++ /* If local XAUTHORITY was created, remove it.
*/
++ if (xauthfile) unlink(xauthfile);
++#endif /* AFS */
++#endif /* KRB4 || KRB5 */
+ }
+ }
+
+@@ -322,6 +352,9 @@
+ {
+ char buf[1024];
+ va_list args;
++#ifdef ENABLE_LOG_AUTH
++ extern char *unauthenticated_user;
++#endif /* ENABLE_LOG_AUTH */
+
+ if (log_quiet)
+ exit(1);
+@@ -331,6 +364,11 @@
+ if (log_on_stderr)
+ fprintf(stderr, "fatal: %s\n", buf);
+ syslog(syslog_severity(severity), "fatal: %.500s", buf);
++#ifdef ENABLE_LOG_AUTH
++ if (unauthenticated_user)
++ log_auth("LOGIN FAILED %.100s from %.200s",
++ unauthenticated_user, get_canonical_hostname());
++#endif /* ENABLE_LOG_AUTH */
+
+ do_fatal_cleanups();
+
diff --git a/security/ssh6/patches/patch-ah b/security/ssh6/patches/patch-ah
new file mode 100644
index 00000000000..5082a050db4
--- /dev/null
+++ b/security/ssh6/patches/patch-ah
@@ -0,0 +1,34 @@
+$NetBSD: patch-ah,v 1.1 2000/03/20 02:25:35 itojun Exp $
+
+--- packet.c.orig Wed May 12 07:19:27 1999
++++ packet.c Fri Dec 24 21:50:42 1999
+@@ -829,6 +829,7 @@
+ {
+ /* Set IP options for an interactive connection. Use IPTOS_LOWDELAY
+ and TCP_NODELAY. */
++#if 0
+ #ifdef IPTOS_LOWDELAY
+ int lowdelay = IPTOS_LOWDELAY;
+ if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *)&lowdelay,
+@@ -840,11 +841,13 @@
+ sizeof(on)) < 0)
+ error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
+ #endif /* TCP_NODELAY */
++#endif /* 0 */
+ }
+ else
+ {
+ /* Set IP options for a non-interactive connection. Use
+ IPTOS_THROUGHPUT. */
++#if 0
+ #ifdef IPTOS_THROUGHPUT
+ int throughput = IPTOS_THROUGHPUT;
+ if (setsockopt(connection_in, IPPROTO_IP, IP_TOS, (void *)&throughput,
+@@ -856,6 +859,7 @@
+ sizeof(off)) < 0)
+ error("setsockopt TCP_NODELAY: %.100s", strerror(errno));
+ #endif /* TCP_NODELAY */
++#endif /* 0 */
+ }
+ }
+
diff --git a/security/ssh6/patches/patch-ai b/security/ssh6/patches/patch-ai
new file mode 100644
index 00000000000..4e955bb9340
--- /dev/null
+++ b/security/ssh6/patches/patch-ai
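Review bot: `log_auth()` in the log-server.c patch expands its arguments into the 1024-byte stack buffer with `vsprintf(buf, fmt, args)`, which puts no bound on the formatted length. The one caller added here limits its fields with `%.100s` and `%.200s`, but the function is non-static, and any other caller passing an unbounded `%s` with a remote-supplied user or host name would write past `buf`. Use the bounded form, `vsnprintf(buf, sizeof(buf), fmt, args);`, assuming the tree's snprintf replacement also provides it. `unauthenticated_user` is presumably client-supplied, so a comment on the `LOGIN FAILED` call noting that the name reaches syslog unfiltered would help whoever parses these records.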
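Review bot: The two `#if 0` guards added to packet.c carry no comment saying why the socket options are switched off, and they remove the `TCP_NODELAY` calls along with the `IP_TOS` ones. Presumably the reason is that `setsockopt(..., IPPROTO_IP, IP_TOS, ...)` fails on an AF_INET6 socket; if so, only the `IPTOS_*` section needs guarding and `#endif /* 0 */` could sit before the TCP_NODELAY section, which would also keep the `--disable-tcp-nodelay` configure switch meaningful. At minimum annotate the guard, e.g. `#if 0 /* IP_TOS is IPv4-only; fails on AF_INET6 sockets */`. The enclosing function starts and ends outside these hunks.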
@@ -0,0 +1,172 @@
+$NetBSD: patch-ai,v 1.1 2000/03/20 02:25:35 itojun Exp $
+
+--- scp.c.orig Wed May 12 07:19:28 1999
++++ scp.c Fri Dec 24 21:54:17 1999
+@@ -180,6 +180,19 @@
+ #define STDERR_FILENO 2
+ #endif
+
++#ifdef AFS
++/* This is set to non-zero to disable authentication forwarding. */
++int nofwd = 0;
++#endif /* AFS */
++
++/* This is set to non-zero if IPv4 is desired. */
++int IPv4 = 0;
++
++#ifdef ENABLE_IPV6
++/* This is set to non-zero if IPv6 is desired. */
++int IPv6 = 0;
++#endif
++
+ /* This is set to non-zero to enable verbose mode. */
+ int verbose = 0;
+
+@@ -295,8 +308,17 @@
+ }
+ args[i++] = "-x";
+ args[i++] = "-a";
++#ifdef ENABLE_ANOTHER_PORT_TRY
++ args[i++] = "-A";
++#endif /* ENABLE_ANOTHER_PORT_TRY */
+ args[i++] = "-oFallBackToRsh no";
+ args[i++] = "-oClearAllForwardings yes";
++ if (IPv4)
++ args[i++] = "-4";
++#ifdef ENABLE_IPV6
++ if (IPv6)
++ args[i++] = "-6";
++#endif
+ if (verbose)
+ args[i++] = "-v";
+ if (compress)
+@@ -305,6 +327,10 @@
+ args[i++] = "-P";
+ if (batchmode)
+ args[i++] = "-oBatchMode yes";
++#ifdef AFS
++ if (nofwd)
++ args[i++] = "-k";
++#endif /* AFS */
+ if (cipher != NULL)
+ {
+ args[i++] = "-c";
+@@ -441,8 +467,23 @@
+ statistics = 0;
+
+ fflag = tflag = 0;
+- while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:")) != EOF)
++ while ((ch = getopt(argc, argv, "aAqQdfprtvBCL1c:i:P:o:S:4"
++#ifdef AFS
++ "k"
++#endif
++#ifdef ENABLE_IPV6
++ "6"
++#endif
++ )) != EOF)
+ switch(ch) { /* User-visible flags. */
++ case '4':
++ IPv4 = 1;
++ break;
++#ifdef ENABLE_IPV6
++ case '6':
++ IPv6 = 1;
++ break;
++#endif
+ case 'S':
+ ssh_program = optarg;
+ break;
+@@ -490,6 +531,11 @@
+ case 'r':
+ iamrecursive = 1;
+ break;
++#ifdef AFS
++ case 'k':
++ nofwd = 1;
++ break;
++#endif /* AFS */
+ /* Server options.
*/
+ case 'd':
+ targetshouldbedirectory = 1;
+@@ -589,6 +635,17 @@
+ exit(errs != 0);
+ }
+
++char *
++cleanhostname(host)
++ char *host;
++{
++ if (*host == '[' && host[strlen(host) - 1] == ']') {
++ host[strlen(host) - 1] = '\0';
++ return (host + 1);
++ } else
++ return host;
++}
++
+ void
+ toremote(targ, argc, argv)
+ char *targ, *argv[];
+@@ -644,6 +701,7 @@
+ bp = xmalloc(len);
+ if (host) {
+ *host++ = 0;
++ host = cleanhostname(host);
+ suser = argv[i];
+ if (*suser == '\0')
+ suser = pwd->pw_name;
+@@ -655,13 +713,15 @@
+ suser, host, cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
+- } else
++ } else {
++ host = cleanhostname(argv[i]);
+ (void)snprintf(bp, len,
+ "exec %s%s %s -x -o'FallBackToRsh no' -o'ClearAllForwardings yes' -n %s %s %s '%s%s%s:%s'",
+ ssh_program, verbose ? " -v" : "", options,
+- argv[i], cmd, src,
++ host, cmd, src,
+ tuser ? tuser : "", tuser ? "@" : "",
+ thost, targ);
++ }
+ if (verbose)
+ fprintf(stderr, "Executing: %s\n", bp);
+ if (system(bp)) errs++;
+@@ -671,7 +731,7 @@
+ len = strlen(targ) + CMDNEEDS + 20;
+ bp = xmalloc(len);
+ (void)snprintf(bp, len, "%s -t %s", cmd, targ);
+- host = thost;
++ host = cleanhostname(thost);
+ if (do_cmd(host, tuser,
+ bp, &remin, &remout) < 0)
+ exit(1);
+@@ -721,6 +781,7 @@
+ else if (!okname(suser))
+ continue;
+ }
++ host = cleanhostname(host);
+ len = strlen(src) + CMDNEEDS + 20;
+ bp = xmalloc(len);
+ (void)snprintf(bp, len, "%s -f %s", cmd, src);
+@@ -1365,11 +1426,19 @@
+ colon(cp)
+ char *cp;
+ {
++ int flag = 0;
++
+ if (*cp == ':') /* Leading colon is part of file name. */
+ return (0);
++ if (*cp == '[')
++ flag = 1;
+
+ for (; *cp; ++cp) {
+- if (*cp == ':')
++ if (*cp == '@' && *(cp+1) == '[')
++ flag = 1;
++ if (*cp == ']' && *(cp+1) == ':' && flag)
++ return (cp+1);
++ if (*cp == ':' && !flag)
+ return (cp);
+ if (*cp == '/')
+ return (0);
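Review bot: In the `else` branch of `toremote()` the value returned by `cleanhostname()` is formatted unquoted into the `exec %s%s %s ... -n %s %s %s` string that is then run with `system(bp)`, and nothing in the visible hunks validates it the way `okname()` validates `suser`. With bracketed literals now accepted, a host operand that reaches scp from a script or another program's input is handed to the shell as-is. Add a host check before the `snprintf` (for a bracketed literal, accept only hex digits, `:` and `.`) and skip the operand otherwise, as the `okname()` failure path does with `continue`. Separately, `cleanhostname()` overwrites the closing `]` in the caller's string, which deserves a one-line comment such as `/* strips [] in place; modifies host */`. `toremote()` and `colon()` both extend beyond the hunks shown.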
diff --git a/security/ssh6/patches/patch-aj b/security/ssh6/patches/patch-aj
new file mode 100644
index 00000000000..b0e0efdf021
--- /dev/null
+++ b/security/ssh6/patches/patch-aj
@@ -0,0 +1,4533 @@ +$NetBSD: patch-aj,v 1.1 2000/03/20 02:25:35 itojun Exp $ + +--- configure.orig Wed May 12 20:20:06 1999 ++++ configure Sat Mar 18 13:22:06 2000 +@@ -1,7 +1,7 @@ + #! /bin/sh + + # Guess values for system-dependent variables and create Makefiles. +-# Generated automatically using autoconf version 2.12 ++# Generated automatically using autoconf version 2.13 + # Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc. + # + # This configure script is free software; the Free Software Foundation +@@ -12,6 +12,9 @@ + ac_default_prefix=/usr/local + # Any additions from configure.in: + ac_help="$ac_help ++ --enable-ipv6 Enable ipv6 (with ipv4) support ++ --disable-ipv6 Disable ipv6 support" ++ac_help="$ac_help + --enable-deprecated-linux-pw-encrypt + Enable using of deprecated linx pw_encrypt function." + ac_help="$ac_help +@@ -49,9 +52,13 @@ + ac_help="$ac_help + --with-tis[=DIR] Enable support for TIS authentication server." + ac_help="$ac_help +- --with-kerberos5=[KRB_PREFIX] Compile in Kerberos5 support." ++ --with-krb4[=PATH] Compile in Kerberos v4 support." ++ac_help="$ac_help ++ --with-krb5[=PATH] Compile in Kerberos v5 support." ++ac_help="$ac_help ++ --with-afs Compile in AFS support (requires KTH krb4)." + ac_help="$ac_help +- --enable-kerberos-tgt-passing Pass Kerberos ticket-granting-ticket." ++ --with-hesiod[=PATH] Compile in Hesiod support." + ac_help="$ac_help + --with-libwrap[=PATH] Compile in libwrap (tcp_wrappers) support." 
+ ac_help="$ac_help +@@ -83,6 +90,12 @@ + ac_help="$ac_help + --disable-tcp-nodelay Disable TCP_NODELAY socket option" + ac_help="$ac_help ++ --enable-another-port-try Enable another port try support (default) ++ --disable-another-port-try Disable another port try support" ++ac_help="$ac_help ++ --enable-log-auth Enable logging auth info support (default) ++ --disable-log-auth Disable logging auth info support" ++ac_help="$ac_help + --enable-so-linger Enable setting SO_LINGER socket option" + ac_help="$ac_help + --without-scp-stats Without scp statistics code" +@@ -130,6 +143,7 @@ + # Initialize some other variables. + subdirs= + MFLAGS= MAKEFLAGS= ++SHELL=${CONFIG_SHELL-/bin/sh} + # Maximum number of lines to put in a shell here document. + ac_max_here_lines=12 + +@@ -413,7 +427,7 @@ + verbose=yes ;; + + -version | --version | --versio | --versi | --vers) +- echo "configure generated by autoconf version 2.12" ++ echo "configure generated by autoconf version 2.13" + exit 0 ;; + + -with-* | --with-*) +@@ -583,9 +597,11 @@ + # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. + ac_cpp='$CPP $CPPFLAGS' + ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +-ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' ++ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' + cross_compiling=$ac_cv_prog_cc_cross + ++ac_exeext= ++ac_objext=o + if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then + # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. + if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then +@@ -626,33 +642,33 @@ + + + # Make sure we can run config.sub. +-if $ac_config_sub sun4 >/dev/null 2>&1; then : ++if ${CONFIG_SHELL-/bin/sh} $ac_config_sub sun4 >/dev/null 2>&1; then : + else { echo "configure: error: can not run $ac_config_sub" 1>&2; exit 1; } + fi + + echo $ac_n "checking host system type""... 
$ac_c" 1>&6 +-echo "configure:635: checking host system type" >&5 ++echo "configure:651: checking host system type" >&5 + + host_alias=$host + case "$host_alias" in + NONE) + case $nonopt in + NONE) +- if host_alias=`$ac_config_guess`; then : ++ if host_alias=`${CONFIG_SHELL-/bin/sh} $ac_config_guess`; then : + else { echo "configure: error: can not guess host type; you must specify one" 1>&2; exit 1; } + fi ;; + *) host_alias=$nonopt ;; + esac ;; + esac + +-host=`$ac_config_sub $host_alias` ++host=`${CONFIG_SHELL-/bin/sh} $ac_config_sub $host_alias` + host_cpu=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` + host_vendor=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` + host_os=`echo $host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` + echo "$ac_t""$host" 1>&6 + + echo $ac_n "checking cached information""... $ac_c" 1>&6 +-echo "configure:656: checking cached information" >&5 ++echo "configure:672: checking cached information" >&5 + hostcheck="$host" + if eval "test \"`echo '$''{'ac_cv_hostcheck'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -671,15 +687,16 @@ + # Extract the first word of "gcc", so it can be a program name with args. + set dummy gcc; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:675: checking for $ac_word" >&5 ++echo "configure:691: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. + else +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="gcc" +@@ -700,16 +717,17 @@ + # Extract the first word of "cc", so it can be a program name with args. + set dummy cc; ac_word=$2 + echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +-echo "configure:704: checking for $ac_word" >&5 ++echo "configure:721: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. + else +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_prog_rejected=no +- for ac_dir in $PATH; do ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then +@@ -744,25 +762,61 @@ + echo "$ac_t""no" 1>&6 + fi + ++ if test -z "$CC"; then ++ case "`uname -s`" in ++ *win32* | *WIN32*) ++ # Extract the first word of "cl", so it can be a program name with args. ++set dummy cl; ac_word=$2 ++echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 ++echo "configure:772: checking for $ac_word" >&5 ++if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then ++ echo $ac_n "(cached) $ac_c" 1>&6 ++else ++ if test -n "$CC"; then ++ ac_cv_prog_CC="$CC" # Let the user override the test. ++else ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do ++ test -z "$ac_dir" && ac_dir=. ++ if test -f $ac_dir/$ac_word; then ++ ac_cv_prog_CC="cl" ++ break ++ fi ++ done ++ IFS="$ac_save_ifs" ++fi ++fi ++CC="$ac_cv_prog_CC" ++if test -n "$CC"; then ++ echo "$ac_t""$CC" 1>&6 ++else ++ echo "$ac_t""no" 1>&6 ++fi ++ ;; ++ esac ++ fi + test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; } + fi + + echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 +-echo "configure:752: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ++echo "configure:804: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 + + ac_ext=c + # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. 
+ ac_cpp='$CPP $CPPFLAGS' + ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +-ac_link='${CC-cc} -o conftest $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' ++ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' + cross_compiling=$ac_cv_prog_cc_cross + +-cat > conftest.$ac_ext <<EOF +-#line 762 "configure" ++cat > conftest.$ac_ext << EOF ++ ++#line 815 "configure" + #include "confdefs.h" ++ + main(){return(0);} + EOF +-if { (eval echo configure:766: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:820: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + ac_cv_prog_cc_works=yes + # If we can't run a trivial program, we are probably using a cross compiler. + if (./conftest; exit) 2>/dev/null; then +@@ -776,18 +830,24 @@ + ac_cv_prog_cc_works=no + fi + rm -fr conftest* ++ac_ext=c ++# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. ++ac_cpp='$CPP $CPPFLAGS' ++ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' ++ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' ++cross_compiling=$ac_cv_prog_cc_cross + + echo "$ac_t""$ac_cv_prog_cc_works" 1>&6 + if test $ac_cv_prog_cc_works = no; then + { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } + fi + echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 +-echo "configure:786: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 ++echo "configure:846: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 + echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 + cross_compiling=$ac_cv_prog_cc_cross + + echo $ac_n "checking whether we are using GNU C""... 
$ac_c" 1>&6 +-echo "configure:791: checking whether we are using GNU C" >&5 ++echo "configure:851: checking whether we are using GNU C" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -796,7 +856,7 @@ + yes; + #endif + EOF +-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:800: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ++if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:860: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then + ac_cv_prog_gcc=yes + else + ac_cv_prog_gcc=no +@@ -807,11 +867,15 @@ + + if test $ac_cv_prog_gcc = yes; then + GCC=yes +- ac_test_CFLAGS="${CFLAGS+set}" +- ac_save_CFLAGS="$CFLAGS" +- CFLAGS= +- echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 +-echo "configure:815: checking whether ${CC-cc} accepts -g" >&5 ++else ++ GCC= ++fi ++ ++ac_test_CFLAGS="${CFLAGS+set}" ++ac_save_CFLAGS="$CFLAGS" ++CFLAGS= ++echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 ++echo "configure:879: checking whether ${CC-cc} accepts -g" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -826,20 +890,104 @@ + fi + + echo "$ac_t""$ac_cv_prog_cc_g" 1>&6 +- if test "$ac_test_CFLAGS" = set; then +- CFLAGS="$ac_save_CFLAGS" +- elif test $ac_cv_prog_cc_g = yes; then ++if test "$ac_test_CFLAGS" = set; then ++ CFLAGS="$ac_save_CFLAGS" ++elif test $ac_cv_prog_cc_g = yes; then ++ if test "$GCC" = yes; then + CFLAGS="-g -O2" + else ++ CFLAGS="-g" ++ fi ++else ++ if test "$GCC" = yes; then + CFLAGS="-O2" ++ else ++ CFLAGS= + fi ++fi ++ ++echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 ++echo "configure:911: checking how to run the C preprocessor" >&5 ++# On Suns, sometimes $CPP names a directory. 
++if test -n "$CPP" && test -d "$CPP"; then ++ CPP= ++fi ++if test -z "$CPP"; then ++if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then ++ echo $ac_n "(cached) $ac_c" 1>&6 + else +- GCC= +- test "${CFLAGS+set}" = set || CFLAGS="-g" ++ # This must be in double quotes, not single quotes, because CPP may get ++ # substituted into the Makefile and "${CC-cc}" will confuse make. ++ CPP="${CC-cc} -E" ++ # On the NeXT, cc -E runs the code through the compiler's parser, ++ # not just through cpp. ++ cat > conftest.$ac_ext <<EOF ++#line 926 "configure" ++#include "confdefs.h" ++#include <assert.h> ++Syntax Error ++EOF ++ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ++{ (eval echo configure:932: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` ++if test -z "$ac_err"; then ++ : ++else ++ echo "$ac_err" >&5 ++ echo "configure: failed program was:" >&5 ++ cat conftest.$ac_ext >&5 ++ rm -rf conftest* ++ CPP="${CC-cc} -E -traditional-cpp" ++ cat > conftest.$ac_ext <<EOF ++#line 943 "configure" ++#include "confdefs.h" ++#include <assert.h> ++Syntax Error ++EOF ++ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ++{ (eval echo configure:949: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` ++if test -z "$ac_err"; then ++ : ++else ++ echo "$ac_err" >&5 ++ echo "configure: failed program was:" >&5 ++ cat conftest.$ac_ext >&5 ++ rm -rf conftest* ++ CPP="${CC-cc} -nologo -E" ++ cat > conftest.$ac_ext <<EOF ++#line 960 "configure" ++#include "confdefs.h" ++#include <assert.h> ++Syntax Error ++EOF ++ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" ++{ (eval echo configure:966: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` ++if test -z "$ac_err"; then ++ : ++else ++ echo "$ac_err" >&5 ++ echo "configure: failed program was:" >&5 ++ cat 
conftest.$ac_ext >&5 ++ rm -rf conftest* ++ CPP=/lib/cpp ++fi ++rm -f conftest* ++fi ++rm -f conftest* ++fi ++rm -f conftest* ++ ac_cv_prog_CPP="$CPP" ++fi ++ CPP="$ac_cv_prog_CPP" ++else ++ ac_cv_prog_CPP="$CPP" + fi ++echo "$ac_t""$CPP" 1>&6 + + echo $ac_n "checking for POSIXized ISC""... $ac_c" 1>&6 +-echo "configure:843: checking for POSIXized ISC" >&5 ++echo "configure:991: checking for POSIXized ISC" >&5 + if test -d /etc/conf/kconfig.d && + grep _POSIX_VERSION /usr/include/sys/unistd.h >/dev/null 2>&1 + then +@@ -860,6 +1008,202 @@ + fi + + ++echo $ac_n "checking whether to enable ipv6""... $ac_c" 1>&6 ++echo "configure:1013: checking whether to enable ipv6" >&5 ++# Check whether --enable-ipv6 or --disable-ipv6 was given. ++if test "${enable_ipv6+set}" = set; then ++ enableval="$enable_ipv6" ++ case "$enableval" in ++ no) ++ echo "$ac_t""no" 1>&6 ++ ipv6=no ++ ;; ++ *) echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define ENABLE_IPV6 1 ++EOF ++ ++ ipv6=yes ++ ;; ++ esac ++else ++ if test "$cross_compiling" = yes; then ++ echo "$ac_t""no" 1>&6 ++ ipv6=no ++ ++else ++ cat > conftest.$ac_ext <<EOF ++#line 1037 "configure" ++#include "confdefs.h" ++ /* AF_INET6 avalable check */ ++#include <sys/types.h> ++#include <sys/socket.h> ++main() ++{ ++ if (socket(AF_INET6, SOCK_STREAM, 0) < 0) ++ exit(1); ++ else ++ exit(0); ++} ++ ++EOF ++if { (eval echo configure:1051: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null ++then ++ echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define ENABLE_IPV6 1 ++EOF ++ ++ ipv6=yes ++else ++ echo "configure: failed program was:" >&5 ++ cat conftest.$ac_ext >&5 ++ rm -fr conftest* ++ echo "$ac_t""no" 1>&6 ++ ipv6=no ++fi ++rm -fr conftest* ++fi ++ ++fi ++ ++ ++ipv6type=unknown ++ipv6lib=none ++ ++if test "$ipv6" = "yes"; then ++ echo $ac_n "checking ipv6 stack type""... 
$ac_c" 1>&6 ++echo "configure:1077: checking ipv6 stack type" >&5 ++ for i in inria kame linux toshiba v6d zeta; do ++ case $i in ++ inria) ++ cat > conftest.$ac_ext <<EOF ++#line 1082 "configure" ++#include "confdefs.h" ++dnl ++#include <netinet/in.h> ++#ifdef IPV6_INRIA_VERSION ++yes ++#endif ++EOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ egrep "yes" >/dev/null 2>&1; then ++ rm -rf conftest* ++ ipv6type=$i; ++ CPPFLAGS="-DINET6 $CPPFLAGS" ++fi ++rm -f conftest* ++ ++ ;; ++ kame) ++ cat > conftest.$ac_ext <<EOF ++#line 1101 "configure" ++#include "confdefs.h" ++dnl ++#include <netinet/in.h> ++#ifdef __KAME__ ++yes ++#endif ++EOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ egrep "yes" >/dev/null 2>&1; then ++ rm -rf conftest* ++ ipv6type=$i; ++ CPPFLAGS="-DINET6 $CPPFLAGS" ++fi ++rm -f conftest* ++ ++ ;; ++ linux) ++ if test -d /usr/inet6; then ++ ipv6type=$i ++ ipv6lib=inet6 ++ ipv6libdir=/usr/inet6/lib ++ CPPFLAGS="-DINET6 -I/usr/inet6/include $CPPFLAGS" ++ fi ++ ;; ++ toshiba) ++ cat > conftest.$ac_ext <<EOF ++#line 1128 "configure" ++#include "confdefs.h" ++dnl ++#include <sys/param.h> ++#ifdef _TOSHIBA_INET6 ++yes ++#endif ++EOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ egrep "yes" >/dev/null 2>&1; then ++ rm -rf conftest* ++ ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS" ++fi ++rm -f conftest* ++ ++ ;; ++ v6d) ++ cat > conftest.$ac_ext <<EOF ++#line 1149 "configure" ++#include "confdefs.h" ++dnl ++#include </usr/local/v6/include/sys/v6config.h> ++#ifdef __V6D__ ++yes ++#endif ++EOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ egrep "yes" >/dev/null 2>&1; then ++ rm -rf conftest* ++ ipv6type=$i; ++ ipv6lib=v6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-I/usr/local/v6/include $CPPFLAGS" ++fi ++rm -f conftest* ++ ++ ;; ++ zeta) ++ cat > conftest.$ac_ext <<EOF ++#line 1170 "configure" ++#include "confdefs.h" ++dnl ++#include <sys/param.h> ++#ifdef _ZETA_MINAMI_INET6 ++yes ++#endif ++EOF 
++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ egrep "yes" >/dev/null 2>&1; then ++ rm -rf conftest* ++ ipv6type=$i; ++ ipv6lib=inet6; ++ ipv6libdir=/usr/local/v6/lib; ++ CPPFLAGS="-DINET6 $CPPFLAGS" ++fi ++rm -f conftest* ++ ++ ;; ++ esac ++ if test "$ipv6type" != "unknown"; then ++ break ++ fi ++ done ++ echo "$ac_t""$ipv6type" 1>&6 ++fi ++ ++if test "$ipv6" = "yes" -a "$ipv6lib" != "none"; then ++ if test -d $ipv6libdir -a -f $ipv6libdir/lib$ipv6lib.a; then ++ LIBS="-L$ipv6libdir -l$ipv6lib $LIBS" ++ else ++ echo 'Fatal: no $ipv6lib library found. cannot continue.' ++ echo "You need to fetch lib$ipv6lib.a from appropriate" ++ echo 'ipv6 kit and compile beforehand.' ++ exit 1 ++ fi ++fi ++ + cat >> confdefs.h <<EOF + #define HOSTTYPE "$host" + EOF +@@ -876,20 +1220,12 @@ + ;; + *-*-solaris*) + # solaris stuff. appro@fy.chalmers.se +- cat >> confdefs.h <<\EOF +-#define SECURE_RPC 1 +-EOF +- +- cat >> confdefs.h <<\EOF +-#define SECURE_NFS 1 +-EOF +- ++# this stuff breaks AFS/Kerberos. YUCK. ++# AC_DEFINE(SECURE_RPC) ++# AC_DEFINE(SECURE_NFS) + # NIS+ is forced so that we don't have to recompile + # if we move to NIS+. 
appro@fy.chalmers.se +- cat >> confdefs.h <<\EOF +-#define NIS_PLUS 1 +-EOF +- ++# AC_DEFINE(NIS_PLUS) + ;; + *-*-sunos*) + os_sunos=yes +@@ -931,14 +1267,14 @@ + no_shadows_password_checking=yes + # We want support for <proj.h> eivind@ii.uib.no + cat > conftest.$ac_ext <<EOF +-#line 935 "configure" ++#line 1271 "configure" + #include "confdefs.h" + #include <proj.h> + int main() { + int foo = MAXPROJNAMELEN; + ; return 0; } + EOF +-if { (eval echo configure:942: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:1278: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + cat >> confdefs.h <<\EOF + #define HAVE_SGI_PROJ_H 1 +@@ -953,7 +1289,7 @@ + *-ibm-aix3.2|*-ibm-aix3.2.0|*-ibm-aix3.2.1|*-ibm-aix3.2.2|*-ibm-aix3.2.3|*-ibm-aix3.2.4) + os_aix=yes + echo $ac_n "checking for getuserattr in -ls""... $ac_c" 1>&6 +-echo "configure:957: checking for getuserattr in -ls" >&5 ++echo "configure:1293: checking for getuserattr in -ls" >&5 + ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -961,7 +1297,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-ls $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 965 "configure" ++#line 1301 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -972,7 +1308,7 @@ + getuserattr() + ; return 0; } + EOF +-if { (eval echo configure:976: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1312: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1004,7 +1340,7 @@ + no_utmpx=yes + os_aix=yes + echo $ac_n "checking for getuserattr in -ls""... 
$ac_c" 1>&6 +-echo "configure:1008: checking for getuserattr in -ls" >&5 ++echo "configure:1344: checking for getuserattr in -ls" >&5 + ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1012,7 +1348,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-ls $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1016 "configure" ++#line 1352 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -1023,7 +1359,7 @@ + getuserattr() + ; return 0; } + EOF +-if { (eval echo configure:1027: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1363: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1054,7 +1390,7 @@ + *-ibm-aix*) + os_aix=yes + echo $ac_n "checking for getuserattr in -ls""... $ac_c" 1>&6 +-echo "configure:1058: checking for getuserattr in -ls" >&5 ++echo "configure:1394: checking for getuserattr in -ls" >&5 + ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1062,7 +1398,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-ls $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1066 "configure" ++#line 1402 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -1073,7 +1409,7 @@ + getuserattr() + ; return 0; } + EOF +-if { (eval echo configure:1077: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1413: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1123,7 +1459,7 @@ + # Ultrix shadow passwords implemented in auth-passwd.c. + no_shadows_password_checking=yes + echo $ac_n "checking for authenticate_user in -lauth""... $ac_c" 1>&6 +-echo "configure:1127: checking for authenticate_user in -lauth" >&5 ++echo "configure:1463: checking for authenticate_user in -lauth" >&5 + ac_lib_var=`echo auth'_'authenticate_user | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1131,7 +1467,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lauth $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1135 "configure" ++#line 1471 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -1142,7 +1478,7 @@ + authenticate_user() + ; return 0; } + EOF +-if { (eval echo configure:1146: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1482: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1170,14 +1506,14 @@ + fi + + cat > conftest.$ac_ext <<EOF +-#line 1174 "configure" ++#line 1510 "configure" + #include "confdefs.h" + #include <syslog.h> + int main() { + int foo = LOG_DAEMON; + ; return 0; } + EOF +-if { (eval echo configure:1181: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:1517: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + : + else + echo "configure: failed program was:" >&5 +@@ -1215,7 +1551,7 @@ + CFLAGS="$CFLAGS -Ae -D_HPUX_SOURCE" + fi + echo $ac_n "checking for HPUX tcb auth option""... $ac_c" 1>&6 +-echo "configure:1219: checking for HPUX tcb auth option" >&5 ++echo "configure:1555: checking for HPUX tcb auth option" >&5 + if test -f /tcb/files/auth/system/pw_id_map; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +@@ -1227,7 +1563,7 @@ + echo "$ac_t""no" 1>&6 + fi + echo $ac_n "checking for keyserv""... $ac_c" 1>&6 +-echo "configure:1231: checking for keyserv" >&5 ++echo "configure:1567: checking for keyserv" >&5 + if test -f /usr/sbin/keyserv; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +@@ -1256,7 +1592,7 @@ + # The man page says that we need -lsecurity -ldb -laud -lm to quickstart + # programs using enchanced security. + echo $ac_n "checking for set_auth_parameters in -lsecurity""... 
$ac_c" 1>&6 +-echo "configure:1260: checking for set_auth_parameters in -lsecurity" >&5 ++echo "configure:1596: checking for set_auth_parameters in -lsecurity" >&5 + ac_lib_var=`echo security'_'set_auth_parameters | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1264,7 +1600,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lsecurity $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1268 "configure" ++#line 1604 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -1275,7 +1611,7 @@ + set_auth_parameters() + ; return 0; } + EOF +-if { (eval echo configure:1279: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1615: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1303,7 +1639,7 @@ + fi + + echo $ac_n "checking for audgen in -laud""... $ac_c" 1>&6 +-echo "configure:1307: checking for audgen in -laud" >&5 ++echo "configure:1643: checking for audgen in -laud" >&5 + ac_lib_var=`echo aud'_'audgen | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1311,7 +1647,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-laud $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1315 "configure" ++#line 1651 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -1322,7 +1658,7 @@ + audgen() + ; return 0; } + EOF +-if { (eval echo configure:1326: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1662: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1350,7 +1686,7 @@ + fi + + echo $ac_n "checking for dbopen in -ldb""... $ac_c" 1>&6 +-echo "configure:1354: checking for dbopen in -ldb" >&5 ++echo "configure:1690: checking for dbopen in -ldb" >&5 + ac_lib_var=`echo db'_'dbopen | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1358,7 +1694,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-ldb $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1362 "configure" ++#line 1698 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -1369,7 +1705,7 @@ + dbopen() + ; return 0; } + EOF +-if { (eval echo configure:1373: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1709: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1397,7 +1733,7 @@ + fi + + echo $ac_n "checking for sin in -lm""... $ac_c" 1>&6 +-echo "configure:1401: checking for sin in -lm" >&5 ++echo "configure:1737: checking for sin in -lm" >&5 + ac_lib_var=`echo m'_'sin | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1405,7 +1741,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lm $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1409 "configure" ++#line 1745 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -1416,7 +1752,7 @@ + sin() + ; return 0; } + EOF +-if { (eval echo configure:1420: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1756: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1446,12 +1782,12 @@ + for ac_func in setluid + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:1450: checking for $ac_func" >&5 ++echo "configure:1786: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 1455 "configure" ++#line 1791 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -1474,7 +1810,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:1478: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1814: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -1507,7 +1843,7 @@ + OLD_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -I." + cat > conftest.$ac_ext <<EOF +-#line 1511 "configure" ++#line 1847 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/security.h> +@@ -1516,7 +1852,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:1520: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:1856: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + : + else + echo "configure: failed program was:" >&5 +@@ -1545,12 +1881,12 @@ + *-*-linux*|*-*-mklinux*) + CFLAGS="-D_GNU_SOURCE $CFLAGS" + echo $ac_n "checking for getspnam""... 
$ac_c" 1>&6 +-echo "configure:1549: checking for getspnam" >&5 ++echo "configure:1885: checking for getspnam" >&5 + if eval "test \"`echo '$''{'ac_cv_func_getspnam'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 1554 "configure" ++#line 1890 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char getspnam(); below. */ +@@ -1573,7 +1909,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:1577: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1913: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_getspnam=yes" + else +@@ -1594,7 +1930,7 @@ + + if test $ac_cv_func_getspnam = no; then + echo $ac_n "checking for getspnam in -lshadow""... $ac_c" 1>&6 +-echo "configure:1598: checking for getspnam in -lshadow" >&5 ++echo "configure:1934: checking for getspnam in -lshadow" >&5 + ac_lib_var=`echo shadow'_'getspnam | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1602,7 +1938,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lshadow $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1606 "configure" ++#line 1942 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -1613,7 +1949,7 @@ + getspnam() + ; return 0; } + EOF +-if { (eval echo configure:1617: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:1953: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1651,12 +1987,12 @@ + for ac_func in pw_encrypt + do + echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 +-echo "configure:1655: checking for $ac_func" >&5 ++echo "configure:1991: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 1660 "configure" ++#line 1996 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -1679,7 +2015,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:1683: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:2019: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -1705,7 +2041,7 @@ + + if test $ac_cv_func_pw_encrypt = no; then + echo $ac_n "checking for pw_encrypt in -lshadow""... $ac_c" 1>&6 +-echo "configure:1709: checking for pw_encrypt in -lshadow" >&5 ++echo "configure:2045: checking for pw_encrypt in -lshadow" >&5 + ac_lib_var=`echo shadow'_'pw_encrypt | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1713,7 +2049,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lshadow $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1717 "configure" ++#line 2053 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -1724,7 +2060,7 @@ + pw_encrypt() + ; return 0; } + EOF +-if { (eval echo configure:1728: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:2064: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1748,7 +2084,7 @@ + + fi + echo $ac_n "checking whether to enable pw_encrypt""... 
$ac_c" 1>&6 +-echo "configure:1752: checking whether to enable pw_encrypt" >&5 ++echo "configure:2088: checking whether to enable pw_encrypt" >&5 + # Check whether --enable-deprecated-linux-pw-encrypt or --disable-deprecated-linux-pw-encrypt was given. + if test "${enable_deprecated_linux_pw_encrypt+set}" = set; then + enableval="$enable_deprecated_linux_pw_encrypt" +@@ -1825,7 +2161,7 @@ + EOF + + echo $ac_n "checking for openlog in -lgen""... $ac_c" 1>&6 +-echo "configure:1829: checking for openlog in -lgen" >&5 ++echo "configure:2165: checking for openlog in -lgen" >&5 + ac_lib_var=`echo gen'_'openlog | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1833,7 +2169,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lgen $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1837 "configure" ++#line 2173 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -1844,7 +2180,7 @@ + openlog() + ; return 0; } + EOF +-if { (eval echo configure:1848: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:2184: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1874,7 +2210,7 @@ + ;; + *-*-sysv4*) + echo $ac_n "checking for openlog in -lgen""... 
$ac_c" 1>&6 +-echo "configure:1878: checking for openlog in -lgen" >&5 ++echo "configure:2214: checking for openlog in -lgen" >&5 + ac_lib_var=`echo gen'_'openlog | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1882,7 +2218,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lgen $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1886 "configure" ++#line 2222 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -1893,7 +2229,7 @@ + openlog() + ; return 0; } + EOF +-if { (eval echo configure:1897: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:2233: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1989,24 +2325,18 @@ + + export CFLAGS CC + +-# Socket pairs appear to be broken on several systems. I don't know exactly +-# where, so I'll use pipes everywhere for now. +-cat >> confdefs.h <<\EOF +-#define USE_PIPES 1 +-EOF +- + + echo $ac_n "checking that the compiler works""... $ac_c" 1>&6 +-echo "configure:2001: checking that the compiler works" >&5 ++echo "configure:2331: checking that the compiler works" >&5 + if test "$cross_compiling" = yes; then + { echo "configure: error: Could not compile and run even a trivial ANSI C program - check CC." 
1>&2; exit 1; } + else + cat > conftest.$ac_ext <<EOF +-#line 2006 "configure" ++#line 2336 "configure" + #include "confdefs.h" + main(int ac, char **av) { return 0; } + EOF +-if { (eval echo configure:2010: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null ++if { (eval echo configure:2340: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null + then + echo "$ac_t""yes" 1>&6 + else +@@ -2023,18 +2353,18 @@ + if test -z "$no_pipe"; then + if test -n "$GCC"; then + echo $ac_n "checking if the compiler understands -pipe""... $ac_c" 1>&6 +-echo "configure:2027: checking if the compiler understands -pipe" >&5 ++echo "configure:2357: checking if the compiler understands -pipe" >&5 + OLDCC="$CC" + CC="$CC -pipe" + cat > conftest.$ac_ext <<EOF +-#line 2031 "configure" ++#line 2361 "configure" + #include "confdefs.h" + + int main() { + + ; return 0; } + EOF +-if { (eval echo configure:2038: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:2368: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + echo "$ac_t""yes" 1>&6 + else +@@ -2049,7 +2379,7 @@ + fi + + echo $ac_n "checking whether to enable -Wall""... $ac_c" 1>&6 +-echo "configure:2053: checking whether to enable -Wall" >&5 ++echo "configure:2383: checking whether to enable -Wall" >&5 + # Check whether --enable-warnings or --disable-warnings was given. + if test "${enable_warnings+set}" = set; then + enableval="$enable_warnings" +@@ -2063,12 +2393,12 @@ + + + echo $ac_n "checking return type of signal handlers""... 
$ac_c" 1>&6 +-echo "configure:2067: checking return type of signal handlers" >&5 ++echo "configure:2397: checking return type of signal handlers" >&5 + if eval "test \"`echo '$''{'ac_cv_type_signal'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2072 "configure" ++#line 2402 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <signal.h> +@@ -2085,7 +2415,7 @@ + int i; + ; return 0; } + EOF +-if { (eval echo configure:2089: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:2419: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_type_signal=void + else +@@ -2103,74 +2433,13 @@ + EOF + + +-echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 +-echo "configure:2108: checking how to run the C preprocessor" >&5 +-# On Suns, sometimes $CPP names a directory. +-if test -n "$CPP" && test -d "$CPP"; then +- CPP= +-fi +-if test -z "$CPP"; then +-if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then +- echo $ac_n "(cached) $ac_c" 1>&6 +-else +- # This must be in double quotes, not single quotes, because CPP may get +- # substituted into the Makefile and "${CC-cc}" will confuse make. +- CPP="${CC-cc} -E" +- # On the NeXT, cc -E runs the code through the compiler's parser, +- # not just through cpp. 
+- cat > conftest.$ac_ext <<EOF +-#line 2123 "configure" +-#include "confdefs.h" +-#include <assert.h> +-Syntax Error +-EOF +-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:2129: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` +-if test -z "$ac_err"; then +- : +-else +- echo "$ac_err" >&5 +- echo "configure: failed program was:" >&5 +- cat conftest.$ac_ext >&5 +- rm -rf conftest* +- CPP="${CC-cc} -E -traditional-cpp" +- cat > conftest.$ac_ext <<EOF +-#line 2140 "configure" +-#include "confdefs.h" +-#include <assert.h> +-Syntax Error +-EOF +-ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:2146: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` +-if test -z "$ac_err"; then +- : +-else +- echo "$ac_err" >&5 +- echo "configure: failed program was:" >&5 +- cat conftest.$ac_ext >&5 +- rm -rf conftest* +- CPP=/lib/cpp +-fi +-rm -f conftest* +-fi +-rm -f conftest* +- ac_cv_prog_CPP="$CPP" +-fi +- CPP="$ac_cv_prog_CPP" +-else +- ac_cv_prog_CPP="$CPP" +-fi +-echo "$ac_t""$CPP" 1>&6 +- + echo $ac_n "checking for ANSI C header files""... 
$ac_c" 1>&6 +-echo "configure:2169: checking for ANSI C header files" >&5 ++echo "configure:2438: checking for ANSI C header files" >&5 + if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2174 "configure" ++#line 2443 "configure" + #include "confdefs.h" + #include <stdlib.h> + #include <stdarg.h> +@@ -2178,8 +2447,8 @@ + #include <float.h> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:2182: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:2451: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + ac_cv_header_stdc=yes +@@ -2195,7 +2464,7 @@ + if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. + cat > conftest.$ac_ext <<EOF +-#line 2199 "configure" ++#line 2468 "configure" + #include "confdefs.h" + #include <string.h> + EOF +@@ -2213,7 +2482,7 @@ + if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. + cat > conftest.$ac_ext <<EOF +-#line 2217 "configure" ++#line 2486 "configure" + #include "confdefs.h" + #include <stdlib.h> + EOF +@@ -2234,7 +2503,7 @@ + : + else + cat > conftest.$ac_ext <<EOF +-#line 2238 "configure" ++#line 2507 "configure" + #include "confdefs.h" + #include <ctype.h> + #define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +@@ -2245,7 +2514,7 @@ + exit (0); } + + EOF +-if { (eval echo configure:2249: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null ++if { (eval echo configure:2518: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null + then + : + else +@@ -2269,12 +2538,12 @@ + fi + + echo $ac_n "checking for size_t""... 
$ac_c" 1>&6 +-echo "configure:2273: checking for size_t" >&5 ++echo "configure:2542: checking for size_t" >&5 + if eval "test \"`echo '$''{'ac_cv_type_size_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2278 "configure" ++#line 2547 "configure" + #include "confdefs.h" + #include <sys/types.h> + #if STDC_HEADERS +@@ -2283,7 +2552,7 @@ + #endif + EOF + if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | +- egrep "size_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then ++ egrep "(^|[^a-zA-Z_0-9])size_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_size_t=yes + else +@@ -2302,12 +2571,12 @@ + fi + + echo $ac_n "checking for uid_t in sys/types.h""... $ac_c" 1>&6 +-echo "configure:2306: checking for uid_t in sys/types.h" >&5 ++echo "configure:2575: checking for uid_t in sys/types.h" >&5 + if eval "test \"`echo '$''{'ac_cv_type_uid_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2311 "configure" ++#line 2580 "configure" + #include "confdefs.h" + #include <sys/types.h> + EOF +@@ -2336,12 +2605,12 @@ + fi + + echo $ac_n "checking for off_t""... $ac_c" 1>&6 +-echo "configure:2340: checking for off_t" >&5 ++echo "configure:2609: checking for off_t" >&5 + if eval "test \"`echo '$''{'ac_cv_type_off_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2345 "configure" ++#line 2614 "configure" + #include "confdefs.h" + #include <sys/types.h> + #if STDC_HEADERS +@@ -2350,7 +2619,7 @@ + #endif + EOF + if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | +- egrep "off_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then ++ egrep "(^|[^a-zA-Z_0-9])off_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_off_t=yes + else +@@ -2369,12 +2638,12 @@ + fi + + echo $ac_n "checking for mode_t""... 
$ac_c" 1>&6 +-echo "configure:2373: checking for mode_t" >&5 ++echo "configure:2642: checking for mode_t" >&5 + if eval "test \"`echo '$''{'ac_cv_type_mode_t'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2378 "configure" ++#line 2647 "configure" + #include "confdefs.h" + #include <sys/types.h> + #if STDC_HEADERS +@@ -2383,7 +2652,7 @@ + #endif + EOF + if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | +- egrep "mode_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then ++ egrep "(^|[^a-zA-Z_0-9])mode_t[^a-zA-Z_0-9]" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_mode_t=yes + else +@@ -2402,12 +2671,12 @@ + fi + + echo $ac_n "checking for st_blksize in struct stat""... $ac_c" 1>&6 +-echo "configure:2406: checking for st_blksize in struct stat" >&5 ++echo "configure:2675: checking for st_blksize in struct stat" >&5 + if eval "test \"`echo '$''{'ac_cv_struct_st_blksize'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2411 "configure" ++#line 2680 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/stat.h> +@@ -2415,7 +2684,7 @@ + struct stat s; s.st_blksize; + ; return 0; } + EOF +-if { (eval echo configure:2419: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:2688: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_struct_st_blksize=yes + else +@@ -2437,12 +2706,12 @@ + + + echo $ac_n "checking for working const""... 
$ac_c" 1>&6 +-echo "configure:2441: checking for working const" >&5 ++echo "configure:2710: checking for working const" >&5 + if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2446 "configure" ++#line 2715 "configure" + #include "confdefs.h" + + int main() { +@@ -2491,7 +2760,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:2495: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:2764: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_c_const=yes + else +@@ -2512,21 +2781,21 @@ + fi + + echo $ac_n "checking for inline""... $ac_c" 1>&6 +-echo "configure:2516: checking for inline" >&5 ++echo "configure:2785: checking for inline" >&5 + if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_cv_c_inline=no + for ac_kw in inline __inline__ __inline; do + cat > conftest.$ac_ext <<EOF +-#line 2523 "configure" ++#line 2792 "configure" + #include "confdefs.h" + + int main() { + } $ac_kw foo() { + ; return 0; } + EOF +-if { (eval echo configure:2530: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:2799: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_c_inline=$ac_kw; break + else +@@ -2552,14 +2821,14 @@ + esac + + echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6 +-echo "configure:2556: checking whether byte ordering is bigendian" >&5 ++echo "configure:2825: checking whether byte ordering is bigendian" >&5 + if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_cv_c_bigendian=unknown + # See if sys/param.h defines the BYTE_ORDER macro. 
+ cat > conftest.$ac_ext <<EOF +-#line 2563 "configure" ++#line 2832 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/param.h> +@@ -2570,11 +2839,11 @@ + #endif + ; return 0; } + EOF +-if { (eval echo configure:2574: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:2843: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + # It does; now see whether it defined to BIG_ENDIAN or not. + cat > conftest.$ac_ext <<EOF +-#line 2578 "configure" ++#line 2847 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/param.h> +@@ -2585,7 +2854,7 @@ + #endif + ; return 0; } + EOF +-if { (eval echo configure:2589: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:2858: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_c_bigendian=yes + else +@@ -2605,7 +2874,7 @@ + { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } + else + cat > conftest.$ac_ext <<EOF +-#line 2609 "configure" ++#line 2878 "configure" + #include "confdefs.h" + main () { + /* Are we little or big endian? From Harbison&Steele. */ +@@ -2618,7 +2887,7 @@ + exit (u.c[sizeof (long) - 1] == 1); + } + EOF +-if { (eval echo configure:2622: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null ++if { (eval echo configure:2891: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null + then + ac_cv_c_bigendian=no + else +@@ -2642,7 +2911,7 @@ + fi + + echo $ac_n "checking size of long""... 
$ac_c" 1>&6 +-echo "configure:2646: checking size of long" >&5 ++echo "configure:2915: checking size of long" >&5 + if eval "test \"`echo '$''{'ac_cv_sizeof_long'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -2650,7 +2919,7 @@ + ac_cv_sizeof_long=4 + else + cat > conftest.$ac_ext <<EOF +-#line 2654 "configure" ++#line 2923 "configure" + #include "confdefs.h" + #include <stdio.h> + main() +@@ -2661,7 +2930,7 @@ + exit(0); + } + EOF +-if { (eval echo configure:2665: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null ++if { (eval echo configure:2934: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null + then + ac_cv_sizeof_long=`cat conftestval` + else +@@ -2681,7 +2950,7 @@ + + + echo $ac_n "checking size of int""... $ac_c" 1>&6 +-echo "configure:2685: checking size of int" >&5 ++echo "configure:2954: checking size of int" >&5 + if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -2689,7 +2958,7 @@ + ac_cv_sizeof_int=4 + else + cat > conftest.$ac_ext <<EOF +-#line 2693 "configure" ++#line 2962 "configure" + #include "confdefs.h" + #include <stdio.h> + main() +@@ -2700,7 +2969,7 @@ + exit(0); + } + EOF +-if { (eval echo configure:2704: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null ++if { (eval echo configure:2973: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null + then + ac_cv_sizeof_int=`cat conftestval` + else +@@ -2720,7 +2989,7 @@ + + + echo $ac_n "checking size of short""... 
$ac_c" 1>&6 +-echo "configure:2724: checking size of short" >&5 ++echo "configure:2993: checking size of short" >&5 + if eval "test \"`echo '$''{'ac_cv_sizeof_short'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -2728,7 +2997,7 @@ + ac_cv_sizeof_short=2 + else + cat > conftest.$ac_ext <<EOF +-#line 2732 "configure" ++#line 3001 "configure" + #include "confdefs.h" + #include <stdio.h> + main() +@@ -2739,7 +3008,7 @@ + exit(0); + } + EOF +-if { (eval echo configure:2743: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null ++if { (eval echo configure:3012: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null + then + ac_cv_sizeof_short=`cat conftestval` + else +@@ -2764,18 +3033,18 @@ + do + ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +-echo "configure:2768: checking for $ac_hdr" >&5 ++echo "configure:3037: checking for $ac_hdr" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2773 "configure" ++#line 3042 "configure" + #include "confdefs.h" + #include <$ac_hdr> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:2778: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3047: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -2807,18 +3076,18 @@ + do + ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +-echo "configure:2811: checking for $ac_hdr" >&5 ++echo "configure:3080: checking for $ac_hdr" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2816 "configure" ++#line 3085 "configure" + #include "confdefs.h" + #include <$ac_hdr> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:2821: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3090: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -2844,9 +3113,9 @@ + done + + echo $ac_n "checking whether utmpx have ut_syslen field""... $ac_c" 1>&6 +-echo "configure:2848: checking whether utmpx have ut_syslen field" >&5 ++echo "configure:3117: checking whether utmpx have ut_syslen field" >&5 + cat > conftest.$ac_ext <<EOF +-#line 2850 "configure" ++#line 3119 "configure" + #include "confdefs.h" + #include <utmpx.h> + EOF +@@ -2867,12 +3136,12 @@ + fi + + echo $ac_n "checking for ANSI C header files""... 
$ac_c" 1>&6 +-echo "configure:2871: checking for ANSI C header files" >&5 ++echo "configure:3140: checking for ANSI C header files" >&5 + if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2876 "configure" ++#line 3145 "configure" + #include "confdefs.h" + #include <stdlib.h> + #include <stdarg.h> +@@ -2880,8 +3149,8 @@ + #include <float.h> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:2884: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3153: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + ac_cv_header_stdc=yes +@@ -2897,7 +3166,7 @@ + if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. + cat > conftest.$ac_ext <<EOF +-#line 2901 "configure" ++#line 3170 "configure" + #include "confdefs.h" + #include <string.h> + EOF +@@ -2915,7 +3184,7 @@ + if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. 
+ cat > conftest.$ac_ext <<EOF +-#line 2919 "configure" ++#line 3188 "configure" + #include "confdefs.h" + #include <stdlib.h> + EOF +@@ -2936,7 +3205,7 @@ + : + else + cat > conftest.$ac_ext <<EOF +-#line 2940 "configure" ++#line 3209 "configure" + #include "confdefs.h" + #include <ctype.h> + #define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +@@ -2947,7 +3216,7 @@ + exit (0); } + + EOF +-if { (eval echo configure:2951: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest && (./conftest; exit) 2>/dev/null ++if { (eval echo configure:3220: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null + then + : + else +@@ -2971,12 +3240,12 @@ + fi + + echo $ac_n "checking for sys/wait.h that is POSIX.1 compatible""... $ac_c" 1>&6 +-echo "configure:2975: checking for sys/wait.h that is POSIX.1 compatible" >&5 ++echo "configure:3244: checking for sys/wait.h that is POSIX.1 compatible" >&5 + if eval "test \"`echo '$''{'ac_cv_header_sys_wait_h'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2980 "configure" ++#line 3249 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/wait.h> +@@ -2992,7 +3261,7 @@ + s = WIFEXITED (s) ? WEXITSTATUS (s) : 1; + ; return 0; } + EOF +-if { (eval echo configure:2996: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:3265: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_header_sys_wait_h=yes + else +@@ -3016,18 +3285,18 @@ + do + ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +-echo "configure:3020: checking for $ac_hdr" >&5 ++echo "configure:3289: checking for $ac_hdr" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3025 "configure" ++#line 3294 "configure" + #include "confdefs.h" + #include <$ac_hdr> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:3030: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3299: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -3052,22 +3321,22 @@ + fi + done + +-for ac_hdr in sgtty.h sys/select.h sys/ioctl.h machine/endian.h ++for ac_hdr in sgtty.h sys/select.h sys/ioctl.h sys/filio.h machine/endian.h + do + ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +-echo "configure:3060: checking for $ac_hdr" >&5 ++echo "configure:3329: checking for $ac_hdr" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3065 "configure" ++#line 3334 "configure" + #include "confdefs.h" + #include <$ac_hdr> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:3070: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3339: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -3096,18 +3365,18 @@ + do + ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +-echo "configure:3100: checking for $ac_hdr" >&5 ++echo "configure:3369: checking for $ac_hdr" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3105 "configure" ++#line 3374 "configure" + #include "confdefs.h" + #include <$ac_hdr> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:3110: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3379: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -3136,18 +3405,18 @@ + do + ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 +-echo "configure:3140: checking for $ac_hdr" >&5 ++echo "configure:3409: checking for $ac_hdr" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3145 "configure" ++#line 3414 "configure" + #include "confdefs.h" + #include <$ac_hdr> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:3150: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3419: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -3176,18 +3445,18 @@ + do + ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +-echo "configure:3180: checking for $ac_hdr" >&5 ++echo "configure:3449: checking for $ac_hdr" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3185 "configure" ++#line 3454 "configure" + #include "confdefs.h" + #include <$ac_hdr> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:3190: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3459: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -3213,12 +3482,12 @@ + done + + echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6 +-echo "configure:3217: checking whether time.h and sys/time.h may both be included" >&5 ++echo "configure:3486: checking whether time.h and sys/time.h may both be included" >&5 + if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3222 "configure" ++#line 3491 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/time.h> +@@ -3227,7 +3496,7 @@ + struct tm *tp; + ; return 0; } + EOF +-if { (eval echo configure:3231: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:3500: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_header_time=yes + else +@@ -3252,12 +3521,12 @@ + do + ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for $ac_hdr that defines DIR""... 
$ac_c" 1>&6 +-echo "configure:3256: checking for $ac_hdr that defines DIR" >&5 ++echo "configure:3525: checking for $ac_hdr that defines DIR" >&5 + if eval "test \"`echo '$''{'ac_cv_header_dirent_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3261 "configure" ++#line 3530 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <$ac_hdr> +@@ -3265,7 +3534,7 @@ + DIR *dirp = 0; + ; return 0; } + EOF +-if { (eval echo configure:3269: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:3538: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + eval "ac_cv_header_dirent_$ac_safe=yes" + else +@@ -3290,7 +3559,7 @@ + # Two versions of opendir et al. are in -ldir and -lx on SCO Xenix. + if test $ac_header_dirent = dirent.h; then + echo $ac_n "checking for opendir in -ldir""... $ac_c" 1>&6 +-echo "configure:3294: checking for opendir in -ldir" >&5 ++echo "configure:3563: checking for opendir in -ldir" >&5 + ac_lib_var=`echo dir'_'opendir | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3298,7 +3567,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-ldir $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3302 "configure" ++#line 3571 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -3309,7 +3578,7 @@ + opendir() + ; return 0; } + EOF +-if { (eval echo configure:3313: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:3582: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3331,7 +3600,7 @@ + + else + echo $ac_n "checking for opendir in -lx""... 
$ac_c" 1>&6 +-echo "configure:3335: checking for opendir in -lx" >&5 ++echo "configure:3604: checking for opendir in -lx" >&5 + ac_lib_var=`echo x'_'opendir | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3339,7 +3608,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lx $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3343 "configure" ++#line 3612 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -3350,7 +3619,7 @@ + opendir() + ; return 0; } + EOF +-if { (eval echo configure:3354: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:3623: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3373,12 +3642,12 @@ + fi + + echo $ac_n "checking whether stat file-mode macros are broken""... $ac_c" 1>&6 +-echo "configure:3377: checking whether stat file-mode macros are broken" >&5 ++echo "configure:3646: checking whether stat file-mode macros are broken" >&5 + if eval "test \"`echo '$''{'ac_cv_header_stat_broken'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3382 "configure" ++#line 3651 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/stat.h> +@@ -3429,19 +3698,19 @@ + fi + + echo $ac_n "checking whether sys/types.h defines makedev""... 
$ac_c" 1>&6 +-echo "configure:3433: checking whether sys/types.h defines makedev" >&5 ++echo "configure:3702: checking whether sys/types.h defines makedev" >&5 + if eval "test \"`echo '$''{'ac_cv_header_sys_types_h_makedev'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3438 "configure" ++#line 3707 "configure" + #include "confdefs.h" + #include <sys/types.h> + int main() { + return makedev(0, 0); + ; return 0; } + EOF +-if { (eval echo configure:3445: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:3714: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + ac_cv_header_sys_types_h_makedev=yes + else +@@ -3459,18 +3728,18 @@ + if test $ac_cv_header_sys_types_h_makedev = no; then + ac_safe=`echo "sys/mkdev.h" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for sys/mkdev.h""... $ac_c" 1>&6 +-echo "configure:3463: checking for sys/mkdev.h" >&5 ++echo "configure:3732: checking for sys/mkdev.h" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3468 "configure" ++#line 3737 "configure" + #include "confdefs.h" + #include <sys/mkdev.h> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:3473: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3742: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -3497,18 +3766,18 @@ + if test $ac_cv_header_sys_mkdev_h = no; then + ac_safe=`echo "sys/sysmacros.h" | sed 'y%./+-%__p_%'` + echo $ac_n "checking for sys/sysmacros.h""... 
$ac_c" 1>&6 +-echo "configure:3501: checking for sys/sysmacros.h" >&5 ++echo "configure:3770: checking for sys/sysmacros.h" >&5 + if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 3506 "configure" ++#line 3775 "configure" + #include "confdefs.h" + #include <sys/sysmacros.h> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:3511: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:3780: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +@@ -3535,9 +3804,9 @@ + fi + + echo $ac_n "checking whether utmp have ut_pid field""... $ac_c" 1>&6 +-echo "configure:3539: checking whether utmp have ut_pid field" >&5 ++echo "configure:3808: checking whether utmp have ut_pid field" >&5 + cat > conftest.$ac_ext <<EOF +-#line 3541 "configure" ++#line 3810 "configure" + #include "confdefs.h" + #include <utmp.h> + EOF +@@ -3556,9 +3825,9 @@ + rm -f conftest* + + echo $ac_n "checking whether utmp have ut_name field""... $ac_c" 1>&6 +-echo "configure:3560: checking whether utmp have ut_name field" >&5 ++echo "configure:3829: checking whether utmp have ut_name field" >&5 + cat > conftest.$ac_ext <<EOF +-#line 3562 "configure" ++#line 3831 "configure" + #include "confdefs.h" + #include <utmp.h> + EOF +@@ -3577,9 +3846,9 @@ + rm -f conftest* + + echo $ac_n "checking whether utmp have ut_id field""... 
$ac_c" 1>&6 +-echo "configure:3581: checking whether utmp have ut_id field" >&5 ++echo "configure:3850: checking whether utmp have ut_id field" >&5 + cat > conftest.$ac_ext <<EOF +-#line 3583 "configure" ++#line 3852 "configure" + #include "confdefs.h" + #include <utmp.h> + EOF +@@ -3598,9 +3867,9 @@ + rm -f conftest* + + echo $ac_n "checking whether utmp have ut_host field""... $ac_c" 1>&6 +-echo "configure:3602: checking whether utmp have ut_host field" >&5 ++echo "configure:3871: checking whether utmp have ut_host field" >&5 + cat > conftest.$ac_ext <<EOF +-#line 3604 "configure" ++#line 3873 "configure" + #include "confdefs.h" + #include <utmp.h> + EOF +@@ -3619,9 +3888,9 @@ + rm -f conftest* + + echo $ac_n "checking whether utmp have ut_addr field""... $ac_c" 1>&6 +-echo "configure:3623: checking whether utmp have ut_addr field" >&5 ++echo "configure:3892: checking whether utmp have ut_addr field" >&5 + cat > conftest.$ac_ext <<EOF +-#line 3625 "configure" ++#line 3894 "configure" + #include "confdefs.h" + #include <utmp.h> + EOF +@@ -3640,9 +3909,9 @@ + rm -f conftest* + + echo $ac_n "checking whether you have incompatible SIGINFO macro""... $ac_c" 1>&6 +-echo "configure:3644: checking whether you have incompatible SIGINFO macro" >&5 ++echo "configure:3913: checking whether you have incompatible SIGINFO macro" >&5 + cat > conftest.$ac_ext <<EOF +-#line 3646 "configure" ++#line 3915 "configure" + #include "confdefs.h" + #include <sys/siginfo.h> + SIGINFO(p,1) +@@ -3662,8 +3931,69 @@ + rm -f conftest* + + ++echo $ac_n "checking whether sys/socket.h have struct sockaddr_storage""... 
$ac_c" 1>&6 ++echo "configure:3936: checking whether sys/socket.h have struct sockaddr_storage" >&5 ++cat > conftest.$ac_ext <<EOF ++#line 3938 "configure" ++#include "confdefs.h" ++#include <sys/socket.h> ++EOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ egrep "sockaddr_storage" >/dev/null 2>&1; then ++ rm -rf conftest* ++ cat >> confdefs.h <<\EOF ++#define HAVE_SOCKADDR_STORAGE 1 ++EOF ++ echo "$ac_t""yes" 1>&6 ++else ++ rm -rf conftest* ++ echo "$ac_t""no" 1>&6 ++fi ++rm -f conftest* ++ ++echo $ac_n "checking whether sys/socket.h have __ss_family""... $ac_c" 1>&6 ++echo "configure:3956: checking whether sys/socket.h have __ss_family" >&5 ++cat > conftest.$ac_ext <<EOF ++#line 3958 "configure" ++#include "confdefs.h" ++#include <sys/socket.h> ++EOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ egrep "__ss_family" >/dev/null 2>&1; then ++ rm -rf conftest* ++ cat >> confdefs.h <<\EOF ++#define HAVE_NEW_SS_FAMILY 1 ++EOF ++ echo "$ac_t""yes" 1>&6 ++else ++ rm -rf conftest* ++ echo "$ac_t""no" 1>&6 ++fi ++rm -f conftest* ++ ++echo $ac_n "checking whether sys/socket.h have sa_len""... $ac_c" 1>&6 ++echo "configure:3976: checking whether sys/socket.h have sa_len" >&5 ++cat > conftest.$ac_ext <<EOF ++#line 3978 "configure" ++#include "confdefs.h" ++#include <sys/socket.h> ++EOF ++if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | ++ egrep "sa_len" >/dev/null 2>&1; then ++ rm -rf conftest* ++ cat >> confdefs.h <<\EOF ++#define HAVE_SOCKADDR_LEN 1 ++EOF ++ echo "$ac_t""yes" 1>&6 ++else ++ rm -rf conftest* ++ echo "$ac_t""no" 1>&6 ++fi ++rm -f conftest* ++ ++ + echo $ac_n "checking for crypt in -lc""... 
$ac_c" 1>&6 +-echo "configure:3667: checking for crypt in -lc" >&5 ++echo "configure:3997: checking for crypt in -lc" >&5 + ac_lib_var=`echo c'_'crypt | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3671,7 +4001,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lc $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3675 "configure" ++#line 4005 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -3682,7 +4012,7 @@ + crypt() + ; return 0; } + EOF +-if { (eval echo configure:3686: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4016: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3701,7 +4031,7 @@ + else + echo "$ac_t""no" 1>&6 + echo $ac_n "checking for crypt in -lcrypt""... $ac_c" 1>&6 +-echo "configure:3705: checking for crypt in -lcrypt" >&5 ++echo "configure:4035: checking for crypt in -lcrypt" >&5 + ac_lib_var=`echo crypt'_'crypt | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3709,7 +4039,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lcrypt $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3713 "configure" ++#line 4043 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -3720,7 +4050,7 @@ + crypt() + ; return 0; } + EOF +-if { (eval echo configure:3724: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4054: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3750,7 +4080,7 @@ + fi + + echo $ac_n "checking for getspnam in -lsec""... $ac_c" 1>&6 +-echo "configure:3754: checking for getspnam in -lsec" >&5 ++echo "configure:4084: checking for getspnam in -lsec" >&5 + ac_lib_var=`echo sec'_'getspnam | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3758,7 +4088,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lsec $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3762 "configure" ++#line 4092 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -3769,7 +4099,7 @@ + getspnam() + ; return 0; } + EOF +-if { (eval echo configure:3773: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4103: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3797,7 +4127,7 @@ + fi + + echo $ac_n "checking for get_process_stats in -lseq""... 
$ac_c" 1>&6 +-echo "configure:3801: checking for get_process_stats in -lseq" >&5 ++echo "configure:4131: checking for get_process_stats in -lseq" >&5 + ac_lib_var=`echo seq'_'get_process_stats | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3805,7 +4135,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lseq $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3809 "configure" ++#line 4139 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -3816,7 +4146,7 @@ + get_process_stats() + ; return 0; } + EOF +-if { (eval echo configure:3820: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4150: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3844,7 +4174,7 @@ + fi + + echo $ac_n "checking for bcopy in -lbsd""... $ac_c" 1>&6 +-echo "configure:3848: checking for bcopy in -lbsd" >&5 ++echo "configure:4178: checking for bcopy in -lbsd" >&5 + ac_lib_var=`echo bsd'_'bcopy | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3852,7 +4182,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lbsd $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3856 "configure" ++#line 4186 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -3863,7 +4193,7 @@ + bcopy() + ; return 0; } + EOF +-if { (eval echo configure:3867: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4197: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3892,7 +4222,7 @@ + + if test -z "$no_libnsl"; then + echo $ac_n "checking for main in -lnsl""... $ac_c" 1>&6 +-echo "configure:3896: checking for main in -lnsl" >&5 ++echo "configure:4226: checking for main in -lnsl" >&5 + ac_lib_var=`echo nsl'_'main | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3900,14 +4230,14 @@ + ac_save_LIBS="$LIBS" + LIBS="-lnsl $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3904 "configure" ++#line 4234 "configure" + #include "confdefs.h" + + int main() { + main() + ; return 0; } + EOF +-if { (eval echo configure:3911: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4241: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3937,7 +4267,7 @@ + fi + if test -n "$test_libinet"; then + echo $ac_n "checking for inet_network in -linet""... $ac_c" 1>&6 +-echo "configure:3941: checking for inet_network in -linet" >&5 ++echo "configure:4271: checking for inet_network in -linet" >&5 + ac_lib_var=`echo inet'_'inet_network | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3945,7 +4275,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-linet $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3949 "configure" ++#line 4279 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -3956,7 +4286,7 @@ + inet_network() + ; return 0; } + EOF +-if { (eval echo configure:3960: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4290: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -3986,7 +4316,7 @@ + fi + if test -z "$no_libsocket"; then + echo $ac_n "checking for socket in -lsocket""... $ac_c" 1>&6 +-echo "configure:3990: checking for socket in -lsocket" >&5 ++echo "configure:4320: checking for socket in -lsocket" >&5 + ac_lib_var=`echo socket'_'socket | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -3994,7 +4324,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lsocket $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 3998 "configure" ++#line 4328 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -4005,7 +4335,7 @@ + socket() + ; return 0; } + EOF +-if { (eval echo configure:4009: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4339: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -4035,7 +4365,7 @@ + fi + if test -z "$no_libsun"; then + echo $ac_n "checking for getpwnam in -lsun""... 
$ac_c" 1>&6 +-echo "configure:4039: checking for getpwnam in -lsun" >&5 ++echo "configure:4369: checking for getpwnam in -lsun" >&5 + ac_lib_var=`echo sun'_'getpwnam | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -4043,7 +4373,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lsun $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 4047 "configure" ++#line 4377 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -4054,7 +4384,7 @@ + getpwnam() + ; return 0; } + EOF +-if { (eval echo configure:4058: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4388: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -4084,7 +4414,7 @@ + fi + if test -z "$no_libbsd"; then + echo $ac_n "checking for openpty in -lbsd""... $ac_c" 1>&6 +-echo "configure:4088: checking for openpty in -lbsd" >&5 ++echo "configure:4418: checking for openpty in -lbsd" >&5 + ac_lib_var=`echo bsd'_'openpty | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -4092,7 +4422,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lbsd $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 4096 "configure" ++#line 4426 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -4103,7 +4433,7 @@ + openpty() + ; return 0; } + EOF +-if { (eval echo configure:4107: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4437: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -4132,7 +4462,7 @@ + + fi + echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 +-echo "configure:4136: checking for login in -lutil" >&5 ++echo "configure:4466: checking for login in -lutil" >&5 + ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -4140,7 +4470,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lutil $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 4144 "configure" ++#line 4474 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -4151,41 +4481,99 @@ + login() + ; return 0; } + EOF +-if { (eval echo configure:4155: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4485: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* +- eval "ac_cv_lib_$ac_lib_var=no" ++ eval "ac_cv_lib_$ac_lib_var=no" ++fi ++rm -f conftest* ++LIBS="$ac_save_LIBS" ++ ++fi ++if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then ++ echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define HAVE_LIBUTIL_LOGIN 1 ++EOF ++ ++ LIBS="$LIBS -lutil" ++else ++ echo "$ac_t""no" 1>&6 ++fi ++ ++ ++if test -z "$no_vhangup"; then ++ for ac_func in vhangup ++do ++echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 ++echo "configure:4514: checking for $ac_func" >&5 ++if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then ++ echo $ac_n "(cached) $ac_c" 1>&6 ++else ++ cat > conftest.$ac_ext <<EOF ++#line 4519 "configure" ++#include "confdefs.h" ++/* System header to define __stub macros and hopefully few prototypes, ++ which can conflict with char $ac_func(); below. */ ++#include <assert.h> ++/* Override any gcc2 internal prototype to avoid an error. */ ++/* We use char because int might match the return type of a gcc2 ++ builtin and then its argument prototype would still apply. */ ++char $ac_func(); ++ ++int main() { ++ ++/* The GNU C library defines this for functions which it implements ++ to always fail with ENOSYS. Some functions are actually named ++ something starting with __ and the normal name is an alias. */ ++#if defined (__stub_$ac_func) || defined (__stub___$ac_func) ++choke me ++#else ++$ac_func(); ++#endif ++ ++; return 0; } ++EOF ++if { (eval echo configure:4542: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++ rm -rf conftest* ++ eval "ac_cv_func_$ac_func=yes" ++else ++ echo "configure: failed program was:" >&5 ++ cat conftest.$ac_ext >&5 ++ rm -rf conftest* ++ eval "ac_cv_func_$ac_func=no" + fi + rm -f conftest* +-LIBS="$ac_save_LIBS" +- + fi +-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then ++ ++if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 +- cat >> confdefs.h <<\EOF +-#define HAVE_LIBUTIL_LOGIN 1 ++ ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` ++ cat >> confdefs.h <<EOF ++#define $ac_tr_func 1 + EOF +- +- LIBS="$LIBS -lutil" ++ + else + echo "$ac_t""no" 1>&6 + fi ++done + ++fi + +-if test -z "$no_vhangup"; then +- for ac_func in vhangup ++if test -z "$no_setsid"; then ++ for ac_func in setsid + do + echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 +-echo "configure:4184: checking for $ac_func" >&5 ++echo "configure:4572: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 4189 "configure" ++#line 4577 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -4208,7 +4596,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:4212: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4600: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -4234,16 +4622,15 @@ + + fi + +-if test -z "$no_setsid"; then +- for ac_func in setsid ++for ac_func in gettimeofday times getrusage ftruncate revoke makeutx + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:4242: checking for $ac_func" >&5 ++echo "configure:4629: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 4247 "configure" ++#line 4634 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. 
*/ +@@ -4266,7 +4653,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:4270: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4657: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -4290,17 +4677,15 @@ + fi + done + +-fi +- +-for ac_func in gettimeofday times getrusage ftruncate revoke makeutx ++for ac_func in strchr memcpy setlogin openpty _getpty clock fchmod ulimit + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:4299: checking for $ac_func" >&5 ++echo "configure:4684: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 4304 "configure" ++#line 4689 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -4323,7 +4708,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:4327: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4712: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -4347,15 +4732,15 @@ + fi + done + +-for ac_func in strchr memcpy setlogin openpty _getpty clock fchmod ulimit ++for ac_func in gethostname getdtablesize umask innetgr initgroups setpgrp + do + echo $ac_n "checking for $ac_func""... 
$ac_c" 1>&6 +-echo "configure:4354: checking for $ac_func" >&5 ++echo "configure:4739: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 4359 "configure" ++#line 4744 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -4378,7 +4763,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:4382: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4767: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -4402,15 +4787,15 @@ + fi + done + +-for ac_func in gethostname getdtablesize umask innetgr initgroups setpgrp ++for ac_func in setpgid daemon waitpid ttyslot authenticate getpt isastream + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:4409: checking for $ac_func" >&5 ++echo "configure:4794: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 4414 "configure" ++#line 4799 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. 
*/ +@@ -4433,7 +4818,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:4437: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4822: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -4457,15 +4842,16 @@ + fi + done + +-for ac_func in setpgid daemon waitpid ttyslot authenticate getpt isastream ++ ++for ac_func in strerror memmove remove random putenv crypt socketpair snprintf + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:4464: checking for $ac_func" >&5 ++echo "configure:4850: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 4469 "configure" ++#line 4855 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -4488,7 +4874,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:4492: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:4878: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -4509,19 +4895,135 @@ + + else + echo "$ac_t""no" 1>&6 ++LIBOBJS="$LIBOBJS ${ac_func}.${ac_objext}" + fi + done + + +-for ac_func in strerror memmove remove random putenv crypt socketpair snprintf ++ ++echo $ac_n "checking getaddrinfo bug""... 
$ac_c" 1>&6 ++echo "configure:4906: checking getaddrinfo bug" >&5 ++if test "$cross_compiling" = yes; then ++ echo "$ac_t""buggy" 1>&6 ++buggygetaddrinfo=yes ++else ++ cat > conftest.$ac_ext <<EOF ++#line 4912 "configure" ++#include "confdefs.h" ++ ++#include <sys/types.h> ++#include <netdb.h> ++#include <string.h> ++#include <sys/socket.h> ++#include <netinet/in.h> ++ ++main() ++{ ++ int passive, gaierr, inet4 = 0, inet6 = 0; ++ struct addrinfo hints, *ai, *aitop; ++ char straddr[INET6_ADDRSTRLEN], strport[16]; ++ ++ for (passive = 0; passive <= 1; passive++) { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = AF_UNSPEC; ++ hints.ai_flags = passive ? AI_PASSIVE : 0; ++ hints.ai_socktype = SOCK_STREAM; ++ if ((gaierr = getaddrinfo(NULL, "54321", &hints, &aitop)) != 0) { ++ (void)gai_strerror(gaierr); ++ goto bad; ++ } ++ for (ai = aitop; ai; ai = ai->ai_next) { ++ if (ai->ai_addr == NULL || ++ ai->ai_addrlen == 0 || ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ straddr, sizeof(straddr), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV) != 0) { ++ goto bad; ++ } ++ if (strcmp(strport, "54321") != 0) { ++ goto bad; ++ } ++ switch (ai->ai_family) { ++ case AF_INET: ++ if (passive) { ++ if (strcmp(straddr, "0.0.0.0") != 0) { ++ goto bad; ++ } ++ } else { ++ if (strcmp(straddr, "127.0.0.1") != 0) { ++ goto bad; ++ } ++ } ++ inet4++; ++ break; ++ case AF_INET6: ++ if (passive) { ++ if (strcmp(straddr, "::") != 0) { ++ goto bad; ++ } ++ } else { ++ if (strcmp(straddr, "::1") != 0) { ++ goto bad; ++ } ++ } ++ inet6++; ++ break; ++ case AF_UNSPEC: ++ goto bad; ++ break; ++ default: ++ /* another family support? 
*/ ++ break; ++ } ++ } ++ } ++ ++ if (inet4 != 0 && inet4 != 2) ++ goto bad; ++ if (inet6 != 0 && inet6 != 2) ++ goto bad; ++ ++ if (aitop) ++ freeaddrinfo(aitop); ++ exit(0); ++ ++ bad: ++ if (aitop) ++ freeaddrinfo(aitop); ++ exit(1); ++} ++ ++EOF ++if { (eval echo configure:4998: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null ++then ++ echo "$ac_t""good" 1>&6 ++buggygetaddrinfo=no ++else ++ echo "configure: failed program was:" >&5 ++ cat conftest.$ac_ext >&5 ++ rm -fr conftest* ++ echo "$ac_t""buggy" 1>&6 ++buggygetaddrinfo=yes ++fi ++rm -fr conftest* ++fi ++ ++ ++if test "$buggygetaddrinfo" = "yes"; then ++ if test "$ipv6" = "yes"; then ++ echo 'Fatal: You must get working getaddrinfo() function.' ++ echo ' or you can specify "--disable-ipv6"'. ++ exit 1 ++ else ++ for ac_func in getaddrinfo getnameinfo + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:4520: checking for $ac_func" >&5 ++echo "configure:5022: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 4525 "configure" ++#line 5027 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -4544,7 +5046,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:4548: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5050: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -4565,14 +5067,16 @@ + + else + echo "$ac_t""no" 1>&6 +-LIBOBJS="$LIBOBJS ${ac_func}.o" ++LIBOBJS="$LIBOBJS ${ac_func}.${ac_objext}" + fi + done + + ++ fi ++fi + + echo $ac_n "checking whether ln -s works""... 
$ac_c" 1>&6 +-echo "configure:4576: checking whether ln -s works" >&5 ++echo "configure:5080: checking whether ln -s works" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_LN_S'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -4599,28 +5103,30 @@ + # SunOS /usr/etc/install + # IRIX /sbin/install + # AIX /bin/install ++# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag + # AFS /usr/afsws/bin/install, which mishandles nonexistent args + # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" + # ./install, which can be erroneously created by make from ./install.sh. + echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 +-echo "configure:4607: checking for a BSD compatible install" >&5 ++echo "configure:5112: checking for a BSD compatible install" >&5 + if test -z "$INSTALL"; then + if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +- IFS="${IFS= }"; ac_save_IFS="$IFS"; IFS="${IFS}:" ++ IFS="${IFS= }"; ac_save_IFS="$IFS"; IFS=":" + for ac_dir in $PATH; do + # Account for people who put trailing slashes in PATH elements. + case "$ac_dir/" in + /|./|.//|/etc/*|/usr/sbin/*|/usr/etc/*|/sbin/*|/usr/afsws/bin/*|/usr/ucb/*) ;; + *) + # OSF1 and SCO ODT 3.0 have their own names for install. +- for ac_prog in ginstall installbsd scoinst install; do ++ # Don't use installbsd from OSF since it installs stuff as root ++ # by default. ++ for ac_prog in ginstall scoinst install; do + if test -f $ac_dir/$ac_prog; then + if test $ac_prog = install && + grep dspmsg $ac_dir/$ac_prog >/dev/null 2>&1; then + # AIX install. It has an incompatible calling convention. +- # OSF/1 installbsd also uses dspmsg, but is usable. + : + else + ac_cv_path_install="$ac_dir/$ac_prog -c" +@@ -4650,20 +5156,23 @@ + # It thinks the first close brace ends the variable substitution. 
+ test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' + ++test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}' ++ + test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' + + # Extract the first word of "ar", so it can be a program name with args. + set dummy ar; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:4659: checking for $ac_word" >&5 ++echo "configure:5167: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + if test -n "$AR"; then + ac_cv_prog_AR="$AR" # Let the user override the test. + else +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_AR="ar" +@@ -4685,15 +5194,16 @@ + # Extract the first word of "ranlib", so it can be a program name with args. + set dummy ranlib; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:4689: checking for $ac_word" >&5 ++echo "configure:5198: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. + else +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_RANLIB="ranlib" +@@ -4719,15 +5229,16 @@ + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +-echo "configure:4723: checking for $ac_word" >&5 ++echo "configure:5233: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_MAKEDEP'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + if test -n "$MAKEDEP"; then + ac_cv_prog_MAKEDEP="$MAKEDEP" # Let the user override the test. + else +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_MAKEDEP="$ac_prog" +@@ -4754,7 +5265,7 @@ + # Uses ac_ vars as temps to allow command line to override cache and checks. + # --without-x overrides everything else, but does not touch the cache. + echo $ac_n "checking for X""... $ac_c" 1>&6 +-echo "configure:4758: checking for X" >&5 ++echo "configure:5269: checking for X" >&5 + + # Check whether --with-x or --without-x was given. + if test "${with_x+set}" = set; then +@@ -4816,13 +5327,13 @@ + + # First, try using that file with no special directory specified. + cat > conftest.$ac_ext <<EOF +-#line 4820 "configure" ++#line 5331 "configure" + #include "confdefs.h" + #include <$x_direct_test_include> + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:4825: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +-ac_err=`grep -v '^ *+' conftest.out` ++{ (eval echo configure:5336: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + rm -rf conftest* + # We can compile using X headers with no special include directory. 
+@@ -4890,14 +5401,14 @@ + ac_save_LIBS="$LIBS" + LIBS="-l$x_direct_test_library $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 4894 "configure" ++#line 5405 "configure" + #include "confdefs.h" + + int main() { + ${x_direct_test_function}() + ; return 0; } + EOF +-if { (eval echo configure:4901: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5412: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + LIBS="$ac_save_LIBS" + # We can link X programs with no special library path. +@@ -5003,17 +5514,17 @@ + case "`(uname -sr) 2>/dev/null`" in + "SunOS 5"*) + echo $ac_n "checking whether -R must be followed by a space""... $ac_c" 1>&6 +-echo "configure:5007: checking whether -R must be followed by a space" >&5 ++echo "configure:5518: checking whether -R must be followed by a space" >&5 + ac_xsave_LIBS="$LIBS"; LIBS="$LIBS -R$x_libraries" + cat > conftest.$ac_ext <<EOF +-#line 5010 "configure" ++#line 5521 "configure" + #include "confdefs.h" + + int main() { + + ; return 0; } + EOF +-if { (eval echo configure:5017: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5528: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + ac_R_nospace=yes + else +@@ -5029,14 +5540,14 @@ + else + LIBS="$ac_xsave_LIBS -R $x_libraries" + cat > conftest.$ac_ext <<EOF +-#line 5033 "configure" ++#line 5544 "configure" + #include "confdefs.h" + + int main() { + + ; return 0; } + EOF +-if { (eval echo configure:5040: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5551: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + ac_R_space=yes + else +@@ -5068,7 +5579,7 @@ + # libraries were built with DECnet support. And karl@cs.umb.edu says + # the Alpha needs dnet_stub (dnet does not exist). 
+ echo $ac_n "checking for dnet_ntoa in -ldnet""... $ac_c" 1>&6 +-echo "configure:5072: checking for dnet_ntoa in -ldnet" >&5 ++echo "configure:5583: checking for dnet_ntoa in -ldnet" >&5 + ac_lib_var=`echo dnet'_'dnet_ntoa | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -5076,7 +5587,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-ldnet $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 5080 "configure" ++#line 5591 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -5087,7 +5598,7 @@ + dnet_ntoa() + ; return 0; } + EOF +-if { (eval echo configure:5091: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5602: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -5109,7 +5620,7 @@ + + if test $ac_cv_lib_dnet_dnet_ntoa = no; then + echo $ac_n "checking for dnet_ntoa in -ldnet_stub""... $ac_c" 1>&6 +-echo "configure:5113: checking for dnet_ntoa in -ldnet_stub" >&5 ++echo "configure:5624: checking for dnet_ntoa in -ldnet_stub" >&5 + ac_lib_var=`echo dnet_stub'_'dnet_ntoa | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -5117,7 +5628,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-ldnet_stub $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 5121 "configure" ++#line 5632 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -5128,7 +5639,7 @@ + dnet_ntoa() + ; return 0; } + EOF +-if { (eval echo configure:5132: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5643: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -5157,12 +5668,12 @@ + # The nsl library prevents programs from opening the X display + # on Irix 5.2, according to dickey@clark.net. + echo $ac_n "checking for gethostbyname""... $ac_c" 1>&6 +-echo "configure:5161: checking for gethostbyname" >&5 ++echo "configure:5672: checking for gethostbyname" >&5 + if eval "test \"`echo '$''{'ac_cv_func_gethostbyname'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 5166 "configure" ++#line 5677 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char gethostbyname(); below. */ +@@ -5185,7 +5696,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:5189: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5700: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_gethostbyname=yes" + else +@@ -5206,7 +5717,7 @@ + + if test $ac_cv_func_gethostbyname = no; then + echo $ac_n "checking for gethostbyname in -lnsl""... 
$ac_c" 1>&6 +-echo "configure:5210: checking for gethostbyname in -lnsl" >&5 ++echo "configure:5721: checking for gethostbyname in -lnsl" >&5 + ac_lib_var=`echo nsl'_'gethostbyname | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -5214,7 +5725,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lnsl $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 5218 "configure" ++#line 5729 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -5225,7 +5736,7 @@ + gethostbyname() + ; return 0; } + EOF +-if { (eval echo configure:5229: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5740: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -5255,12 +5766,12 @@ + # -lsocket must be given before -lnsl if both are needed. + # We assume that if connect needs -lnsl, so does gethostbyname. + echo $ac_n "checking for connect""... $ac_c" 1>&6 +-echo "configure:5259: checking for connect" >&5 ++echo "configure:5770: checking for connect" >&5 + if eval "test \"`echo '$''{'ac_cv_func_connect'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 5264 "configure" ++#line 5775 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char connect(); below. 
*/ +@@ -5283,7 +5794,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:5287: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5798: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_connect=yes" + else +@@ -5304,7 +5815,7 @@ + + if test $ac_cv_func_connect = no; then + echo $ac_n "checking for connect in -lsocket""... $ac_c" 1>&6 +-echo "configure:5308: checking for connect in -lsocket" >&5 ++echo "configure:5819: checking for connect in -lsocket" >&5 + ac_lib_var=`echo socket'_'connect | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -5312,7 +5823,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lsocket $X_EXTRA_LIBS $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 5316 "configure" ++#line 5827 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -5323,7 +5834,7 @@ + connect() + ; return 0; } + EOF +-if { (eval echo configure:5327: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5838: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -5347,12 +5858,12 @@ + + # gomez@mi.uni-erlangen.de says -lposix is necessary on A/UX. + echo $ac_n "checking for remove""... $ac_c" 1>&6 +-echo "configure:5351: checking for remove" >&5 ++echo "configure:5862: checking for remove" >&5 + if eval "test \"`echo '$''{'ac_cv_func_remove'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 5356 "configure" ++#line 5867 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char remove(); below. 
*/ +@@ -5375,7 +5886,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:5379: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5890: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_remove=yes" + else +@@ -5396,7 +5907,7 @@ + + if test $ac_cv_func_remove = no; then + echo $ac_n "checking for remove in -lposix""... $ac_c" 1>&6 +-echo "configure:5400: checking for remove in -lposix" >&5 ++echo "configure:5911: checking for remove in -lposix" >&5 + ac_lib_var=`echo posix'_'remove | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -5404,7 +5915,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lposix $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 5408 "configure" ++#line 5919 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -5415,7 +5926,7 @@ + remove() + ; return 0; } + EOF +-if { (eval echo configure:5419: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5930: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -5439,12 +5950,12 @@ + + # BSDI BSD/OS 2.1 needs -lipc for XOpenDisplay. + echo $ac_n "checking for shmat""... $ac_c" 1>&6 +-echo "configure:5443: checking for shmat" >&5 ++echo "configure:5954: checking for shmat" >&5 + if eval "test \"`echo '$''{'ac_cv_func_shmat'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 5448 "configure" ++#line 5959 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char shmat(); below. 
*/ +@@ -5467,7 +5978,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:5471: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:5982: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_shmat=yes" + else +@@ -5488,7 +5999,7 @@ + + if test $ac_cv_func_shmat = no; then + echo $ac_n "checking for shmat in -lipc""... $ac_c" 1>&6 +-echo "configure:5492: checking for shmat in -lipc" >&5 ++echo "configure:6003: checking for shmat in -lipc" >&5 + ac_lib_var=`echo ipc'_'shmat | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -5496,7 +6007,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lipc $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 5500 "configure" ++#line 6011 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -5507,7 +6018,7 @@ + shmat() + ; return 0; } + EOF +-if { (eval echo configure:5511: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:6022: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -5540,15 +6051,15 @@ + # libraries we check for below, so use a different variable. + # --interran@uluru.Stanford.EDU, kb@cs.umb.edu. + echo $ac_n "checking for IceConnectionNumber in -lICE""... 
$ac_c" 1>&6 +-echo "configure:5544: checking for IceConnectionNumber in -lICE" >&5 ++echo "configure:6055: checking for IceConnectionNumber in -lICE" >&5 + ac_lib_var=`echo ICE'_'IceConnectionNumber | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_save_LIBS="$LIBS" +-LIBS="-lICE $LIBS" ++LIBS="-lICE $X_EXTRA_LIBS $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 5552 "configure" ++#line 6063 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -5559,7 +6070,7 @@ + IceConnectionNumber() + ; return 0; } + EOF +-if { (eval echo configure:5563: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:6074: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -5587,7 +6098,7 @@ + # Extract the first word of "passwd", so it can be a program name with args. + set dummy passwd; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:5591: checking for $ac_word" >&5 ++echo "configure:6102: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_PASSWD_PATH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -5595,9 +6106,13 @@ + /*) + ac_cv_path_PASSWD_PATH="$PASSWD_PATH" # Let the user override the test with a path. + ;; ++ ?:/*) ++ ac_cv_path_PASSWD_PATH="$PASSWD_PATH" # Let the user override the test with a dos path. ++ ;; + *) +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. 
+ if test -f $ac_dir/$ac_word; then + ac_cv_path_PASSWD_PATH="$ac_dir/$ac_word" +@@ -5625,7 +6140,7 @@ + # Extract the first word of "xauth", so it can be a program name with args. + set dummy xauth; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:5629: checking for $ac_word" >&5 ++echo "configure:6144: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_XAUTH_PATH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -5633,9 +6148,13 @@ + /*) + ac_cv_path_XAUTH_PATH="$XAUTH_PATH" # Let the user override the test with a path. + ;; ++ ?:/*) ++ ac_cv_path_XAUTH_PATH="$XAUTH_PATH" # Let the user override the test with a dos path. ++ ;; + *) +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_XAUTH_PATH="$ac_dir/$ac_word" +@@ -5669,7 +6188,7 @@ + X_PROGRAMS="ssh-askpass" + fi + echo $ac_n "checking for X11 unix domain socket directory""... $ac_c" 1>&6 +-echo "configure:5673: checking for X11 unix domain socket directory" >&5 ++echo "configure:6192: checking for X11 unix domain socket directory" >&5 + + if test '!' -d /tmp/.X11-unix; then + if test -d /var/X/.X11-unix; then +@@ -5698,7 +6217,7 @@ + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:5702: checking for $ac_word" >&5 ++echo "configure:6221: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -5706,9 +6225,13 @@ + /*) + ac_cv_path_PERL="$PERL" # Let the user override the test with a path. + ;; ++ ?:/*) ++ ac_cv_path_PERL="$PERL" # Let the user override the test with a dos path. 
++ ;; + *) +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_PERL="$ac_dir/$ac_word" +@@ -5739,12 +6262,12 @@ + for ac_func in getpseudotty + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:5743: checking for $ac_func" >&5 ++echo "configure:6266: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 5748 "configure" ++#line 6271 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -5767,7 +6290,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:5771: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:6294: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -5792,7 +6315,7 @@ + done + + echo $ac_n "checking for pseudo ttys""... $ac_c" 1>&6 +-echo "configure:5796: checking for pseudo ttys" >&5 ++echo "configure:6319: checking for pseudo ttys" >&5 + if test -c /dev/getpty && test $ac_cv_func_getpseudotty = yes + then + cat >> confdefs.h <<\EOF +@@ -5832,7 +6355,7 @@ + fi + + echo $ac_n "checking for /etc/default/login""... $ac_c" 1>&6 +-echo "configure:5836: checking for /etc/default/login" >&5 ++echo "configure:6359: checking for /etc/default/login" >&5 + if test -f /etc/default/login; then + cat >> confdefs.h <<\EOF + #define HAVE_ETC_DEFAULT_LOGIN 1 +@@ -5845,7 +6368,7 @@ + + if test -z "$no_shadows_password_checking"; then + echo $ac_n "checking for shadow passwords""... 
$ac_c" 1>&6 +-echo "configure:5849: checking for shadow passwords" >&5 ++echo "configure:6372: checking for shadow passwords" >&5 + if test -f /etc/shadow; then + # If we don't have shadow.h, this might be some nonstandard + # kludging... So better check it out. +@@ -5859,7 +6382,7 @@ + # have getspent in a system library. However, a libshadow.a library + # contaning these is publicly available. + echo $ac_n "checking for getspent in -lshadow""... $ac_c" 1>&6 +-echo "configure:5863: checking for getspent in -lshadow" >&5 ++echo "configure:6386: checking for getspent in -lshadow" >&5 + ac_lib_var=`echo shadow'_'getspent | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -5867,7 +6390,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lshadow $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 5871 "configure" ++#line 6394 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -5878,7 +6401,7 @@ + getspent() + ; return 0; } + EOF +-if { (eval echo configure:5882: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:6405: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -5906,9 +6429,9 @@ + fi + + echo $ac_n "checking whether spwd have sp_expire field""... $ac_c" 1>&6 +-echo "configure:5910: checking whether spwd have sp_expire field" >&5 ++echo "configure:6433: checking whether spwd have sp_expire field" >&5 + cat > conftest.$ac_ext <<EOF +-#line 5912 "configure" ++#line 6435 "configure" + #include "confdefs.h" + #include <shadow.h> + EOF +@@ -5927,9 +6450,9 @@ + rm -f conftest* + + echo $ac_n "checking whether spwd have sp_inact field""... 
$ac_c" 1>&6 +-echo "configure:5931: checking whether spwd have sp_inact field" >&5 ++echo "configure:6454: checking whether spwd have sp_inact field" >&5 + cat > conftest.$ac_ext <<EOF +-#line 5933 "configure" ++#line 6456 "configure" + #include "confdefs.h" + #include <shadow.h> + EOF +@@ -5968,7 +6491,7 @@ + fi + + echo $ac_n "checking location of mail spool files""... $ac_c" 1>&6 +-echo "configure:5972: checking location of mail spool files" >&5 ++echo "configure:6495: checking location of mail spool files" >&5 + for dir in /var/spool/mail /var/mail /usr/spool/mail /usr/mail FILE + do + if test "$dir" = "FILE"; then +@@ -6007,7 +6530,7 @@ + done + + echo $ac_n "checking location of utmp""... $ac_c" 1>&6 +-echo "configure:6011: checking location of utmp" >&5 ++echo "configure:6534: checking location of utmp" >&5 + if test -f /var/run/utmp; then + cat >> confdefs.h <<\EOF + #define SSH_UTMP "/var/run/utmp" +@@ -6043,7 +6566,7 @@ + fi + + echo $ac_n "checking location of wtmp""... $ac_c" 1>&6 +-echo "configure:6047: checking location of wtmp" >&5 ++echo "configure:6570: checking location of wtmp" >&5 + if test -f /var/log/wtmp; then + cat >> confdefs.h <<\EOF + #define SSH_WTMP "/var/log/wtmp" +@@ -6077,7 +6600,7 @@ + fi + + echo $ac_n "checking location of lastlog""... $ac_c" 1>&6 +-echo "configure:6081: checking location of lastlog" >&5 ++echo "configure:6604: checking location of lastlog" >&5 + if test -f /var/log/lastlog || test -d /var/log/lastlog; then + cat >> confdefs.h <<\EOF + #define SSH_LASTLOG "/var/log/lastlog" +@@ -6132,7 +6655,7 @@ + fi + + echo $ac_n "checking whether $LASTLOG is a directory""... $ac_c" 1>&6 +-echo "configure:6136: checking whether $LASTLOG is a directory" >&5 ++echo "configure:6659: checking whether $LASTLOG is a directory" >&5 + if test -d $LASTLOG + then + echo "$ac_t""yes" 1>&6 +@@ -6145,7 +6668,7 @@ + fi + + echo $ac_n "checking whether to include the IDEA encryption algorithm""... 
$ac_c" 1>&6 +-echo "configure:6149: checking whether to include the IDEA encryption algorithm" >&5 ++echo "configure:6672: checking whether to include the IDEA encryption algorithm" >&5 + # Check whether --with-idea or --without-idea was given. + if test "${with_idea+set}" = set; then + withval="$with_idea" +@@ -6179,7 +6702,7 @@ + + + echo $ac_n "checking whether to include the Blowfish encryption algorithm""... $ac_c" 1>&6 +-echo "configure:6183: checking whether to include the Blowfish encryption algorithm" >&5 ++echo "configure:6706: checking whether to include the Blowfish encryption algorithm" >&5 + # Check whether --with-blowfish or --without-blowfish was given. + if test "${with_blowfish+set}" = set; then + withval="$with_blowfish" +@@ -6206,7 +6729,7 @@ + + + echo $ac_n "checking whether to include the DES encryption algorithm""... $ac_c" 1>&6 +-echo "configure:6210: checking whether to include the DES encryption algorithm" >&5 ++echo "configure:6733: checking whether to include the DES encryption algorithm" >&5 + # Check whether --with-des or --without-des was given. + if test "${with_des+set}" = set; then + withval="$with_des" +@@ -6229,7 +6752,7 @@ + + + echo $ac_n "checking whether to include the ARCFOUR encryption algorithm""... $ac_c" 1>&6 +-echo "configure:6233: checking whether to include the ARCFOUR encryption algorithm" >&5 ++echo "configure:6756: checking whether to include the ARCFOUR encryption algorithm" >&5 + # Check whether --with-arcfour or --without-arcfour was given. + if test "${with_arcfour+set}" = set; then + withval="$with_arcfour" +@@ -6252,7 +6775,7 @@ + + + echo $ac_n "checking whether to include the none encryption algorithm""... $ac_c" 1>&6 +-echo "configure:6256: checking whether to include the none encryption algorithm" >&5 ++echo "configure:6779: checking whether to include the none encryption algorithm" >&5 + # Check whether --with-none or --without-none was given. 
+ if test "${with_none+set}" = set; then + withval="$with_none" +@@ -6275,7 +6798,7 @@ + + + echo $ac_n "checking whether to use login""... $ac_c" 1>&6 +-echo "configure:6279: checking whether to use login" >&5 ++echo "configure:6802: checking whether to use login" >&5 + # Check whether --with-login or --without-login was given. + if test "${with_login+set}" = set; then + withval="$with_login" +@@ -6290,7 +6813,7 @@ + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:6294: checking for $ac_word" >&5 ++echo "configure:6817: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_PATH_LOGIN'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -6298,9 +6821,13 @@ + /*) + ac_cv_path_PATH_LOGIN="$PATH_LOGIN" # Let the user override the test with a path. + ;; ++ ?:/*) ++ ac_cv_path_PATH_LOGIN="$PATH_LOGIN" # Let the user override the test with a dos path. ++ ;; + *) +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_PATH_LOGIN="$ac_dir/$ac_word" +@@ -6349,7 +6876,7 @@ + + + echo $ac_n "checking whether to use rsh""... $ac_c" 1>&6 +-echo "configure:6353: checking whether to use rsh" >&5 ++echo "configure:6880: checking whether to use rsh" >&5 + # Check whether --with-rsh or --without-rsh was given. + if test "${with_rsh+set}" = set; then + withval="$with_rsh" +@@ -6364,7 +6891,7 @@ + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +-echo "configure:6368: checking for $ac_word" >&5 ++echo "configure:6895: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_RSH_PATH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -6372,9 +6899,13 @@ + /*) + ac_cv_path_RSH_PATH="$RSH_PATH" # Let the user override the test with a path. + ;; ++ ?:/*) ++ ac_cv_path_RSH_PATH="$RSH_PATH" # Let the user override the test with a dos path. ++ ;; + *) +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_RSH_PATH="$ac_dir/$ac_word" +@@ -6416,7 +6947,7 @@ + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:6420: checking for $ac_word" >&5 ++echo "configure:6951: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_RSH_PATH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -6424,9 +6955,13 @@ + /*) + ac_cv_path_RSH_PATH="$RSH_PATH" # Let the user override the test with a path. + ;; ++ ?:/*) ++ ac_cv_path_RSH_PATH="$RSH_PATH" # Let the user override the test with a dos path. ++ ;; + *) +- IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS="${IFS}:" +- for ac_dir in $PATH; do ++ IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" ++ ac_dummy="$PATH" ++ for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_RSH_PATH="$ac_dir/$ac_word" +@@ -6465,7 +7000,7 @@ + + # Code to permit setting default path for users (alden@math.ohio-state.edu) + echo $ac_n "checking default path""... $ac_c" 1>&6 +-echo "configure:6469: checking default path" >&5 ++echo "configure:7004: checking default path" >&5 + # Check whether --with-path or --without-path was given. 
+ if test "${with_path+set}" = set; then + withval="$with_path" +@@ -6488,7 +7023,7 @@ + + + echo $ac_n "checking etcdir""... $ac_c" 1>&6 +-echo "configure:6492: checking etcdir" >&5 ++echo "configure:7027: checking etcdir" >&5 + # Check whether --with-etcdir or --without-etcdir was given. + if test "${with_etcdir+set}" = set; then + withval="$with_etcdir" +@@ -6513,7 +7048,7 @@ + + + echo $ac_n "checking whether to use nologin.allow file to override nologin""... $ac_c" 1>&6 +-echo "configure:6517: checking whether to use nologin.allow file to override nologin" >&5 ++echo "configure:7052: checking whether to use nologin.allow file to override nologin" >&5 + # Check whether --with-nologin-allow or --without-nologin-allow was given. + if test "${with_nologin_allow+set}" = set; then + withval="$with_nologin_allow" +@@ -6543,7 +7078,7 @@ + + + echo $ac_n "checking whether to support SecurID""... $ac_c" 1>&6 +-echo "configure:6547: checking whether to support SecurID" >&5 ++echo "configure:7082: checking whether to support SecurID" >&5 + # Check whether --with-securid or --without-securid was given. + if test "${with_securid+set}" = set; then + withval="$with_securid" +@@ -6586,7 +7121,7 @@ + + + echo $ac_n "checking whether to support TIS authentication server""... $ac_c" 1>&6 +-echo "configure:6590: checking whether to support TIS authentication server" >&5 ++echo "configure:7125: checking whether to support TIS authentication server" >&5 + # Check whether --with-tis or --without-tis was given. + if test "${with_tis+set}" = set; then + withval="$with_tis" +@@ -6604,8 +7139,8 @@ + #define HAVE_TIS 1 + EOF + +- CFLAGS="$CFLAGS -I$withval -DHAVE_TIS" +- LIBS="-L$withval -lauth -lfwall $LIBS" ++ CFLAGS="$CFLAGS -I$withval/include -DHAVE_TIS" ++ LIBS="-L$withval/lib -lauth -lfwall $LIBS" + echo "configure: warning: Remember to read README.TIS. The connection between sshd and TIS authentication + server is clear text!" 
1>&2 + ;; +@@ -6616,40 +7151,138 @@ + fi + + +-echo $ac_n "checking whether to use Kerberos""... $ac_c" 1>&6 +-echo "configure:6621: checking whether to use Kerberos" >&5 +-# Check whether --with-kerberos5 or --without-kerberos5 was given. +-if test "${with_kerberos5+set}" = set; then +- withval="$with_kerberos5" ++echo $ac_n "checking whether to use Kerberos v4""... $ac_c" 1>&6 ++echo "configure:7156: checking whether to use Kerberos v4" >&5 ++# Check whether --with-krb4 or --without-krb4 was given. ++if test "${with_krb4+set}" = set; then ++ withval="$with_krb4" + case "$withval" in + yes) +- with_kerberos5=/usr/local ++ with_krb4=/usr/kerberos + ;; + esac + else +- with_kerberos5=no ++ with_krb4=no + + fi + +-case "$with_kerberos5" in ++case "$with_krb4" in + no) + echo "$ac_t""no" 1>&6 + ;; + *) + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +-#define KERBEROS 1 ++#define KRB4 1 ++EOF ++ ++ KERBEROS_ROOT="$with_krb4" ++ KERBEROS_INCS="-I${KERBEROS_ROOT}/include/kerberosIV" ++ KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lkrb -ldes" ++ KERBEROS_OBJS="auth-kerberos.o" ++ echo $ac_n "checking for dn_expand in -lresolv""... $ac_c" 1>&6 ++echo "configure:7185: checking for dn_expand in -lresolv" >&5 ++ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` ++if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then ++ echo $ac_n "(cached) $ac_c" 1>&6 ++else ++ ac_save_LIBS="$LIBS" ++LIBS="-lresolv $LIBS" ++cat > conftest.$ac_ext <<EOF ++#line 7193 "configure" ++#include "confdefs.h" ++/* Override any gcc2 internal prototype to avoid an error. */ ++/* We use char because int might match the return type of a gcc2 ++ builtin and then its argument prototype would still apply. 
*/ ++char dn_expand(); ++ ++int main() { ++dn_expand() ++; return 0; } ++EOF ++if { (eval echo configure:7204: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++ rm -rf conftest* ++ eval "ac_cv_lib_$ac_lib_var=yes" ++else ++ echo "configure: failed program was:" >&5 ++ cat conftest.$ac_ext >&5 ++ rm -rf conftest* ++ eval "ac_cv_lib_$ac_lib_var=no" ++fi ++rm -f conftest* ++LIBS="$ac_save_LIBS" ++ ++fi ++if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then ++ echo "$ac_t""yes" 1>&6 ++ KERBEROS_LIBS="$KERBEROS_LIBS -lresolv" ++else ++ echo "$ac_t""no" 1>&6 ++fi ++ ++ echo $ac_n "checking whether AFS lifetime conversion routines are present""... $ac_c" 1>&6 ++echo "configure:7225: checking whether AFS lifetime conversion routines are present" >&5 ++ keeplibs="$LIBS" ++ keepcflags="$CFLAGS" ++ LIBS="-L${KERBEROS_ROOT}/lib -lkrb -ldes $LIBS" ++ CFLAGS="-I${KERBEROS_ROOT}/include $CFLAGS" ++ cat > conftest.$ac_ext <<EOF ++#line 7231 "configure" ++#include "confdefs.h" ++#include <krb.h> ++int main() { ++ krb_life_to_time(10, 10); ++; return 0; } ++EOF ++if { (eval echo configure:7238: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++ rm -rf conftest* ++ echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define HAVE_KRB_LIFE_TO_TIME 1 + EOF + ++else ++ echo "configure: failed program was:" >&5 ++ cat conftest.$ac_ext >&5 ++ rm -rf conftest* ++ echo "$ac_t""no" 1>&6 ++fi ++rm -f conftest* ++ LIBS="$keeplibs" ++ CFLAGS="$keepcflags" ++ ;; ++esac ++ ++echo $ac_n "checking whether to use Kerberos v5""... $ac_c" 1>&6 ++echo "configure:7258: checking whether to use Kerberos v5" >&5 ++# Check whether --with-krb5 or --without-krb5 was given. 
++if test "${with_krb5+set}" = set; then ++ withval="$with_krb5" ++ case "$withval" in ++ yes) ++ with_krb5=/usr/local ++ ;; ++ esac ++else ++ with_krb5=no ++ ++fi ++ ++case "$with_krb5" in ++ no) ++ echo "$ac_t""no" 1>&6 ++ ;; ++ *) ++ echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF + #define KRB5 1 + EOF + +- KERBEROS_ROOT="$with_kerberos5" +- KERBEROS_INCS="-I${KERBEROS_ROOT}/include" +- KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lcrypto -lcom_err" ++ KERBEROS_ROOT="$with_krb5" ++ KERBEROS_INCS="-I${KERBEROS_ROOT}/include/krb5" ++ KERBEROS_LIBS="-L${KERBEROS_ROOT}/lib -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" + echo $ac_n "checking for dbm_open in -lndbm""... $ac_c" 1>&6 +-echo "configure:6653: checking for dbm_open in -lndbm" >&5 ++echo "configure:7286: checking for dbm_open in -lndbm" >&5 + ac_lib_var=`echo ndbm'_'dbm_open | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -6657,7 +7290,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lndbm $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 6661 "configure" ++#line 7294 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -6668,7 +7301,7 @@ + dbm_open() + ; return 0; } + EOF +-if { (eval echo configure:6672: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:7305: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -6692,40 +7325,66 @@ + ;; + esac + +- +- +- +- +-echo $ac_n "checking whether to enable passing the Kerberos TGT""... $ac_c" 1>&6 +-echo "configure:6701: checking whether to enable passing the Kerberos TGT" >&5 +-# Check whether --enable-kerberos-tgt-passing or --disable-kerberos-tgt-passing was given. 
+-if test "${enable_kerberos_tgt_passing+set}" = set; then +- enableval="$enable_kerberos_tgt_passing" +- case "$enableval" in +- no) +- echo "$ac_t""no" 1>&6 +- ;; +- *) +- if test "$with_kerberos5" = no ; then ++echo $ac_n "checking whether to use AFS""... $ac_c" 1>&6 ++echo "configure:7330: checking whether to use AFS" >&5 ++# Check whether --with-afs or --without-afs was given. ++if test "${with_afs+set}" = set; then ++ withval="$with_afs" ++ if test "$with_afs" = no; then + echo "$ac_t""no" 1>&6 +- echo "configure: warning: "Passing Kerberos TGT requires Kerberos5 support."" 1>&2 + else + echo "$ac_t""yes" 1>&6 +- cat >> confdefs.h <<\EOF +-#define KERBEROS_TGT_PASSING 1 ++ cat >> confdefs.h <<\EOF ++#define AFS 1 + EOF + ++ if test "$with_krb4" = no; then ++ echo "$ac_t""no" 1>&6 ++ echo "configure: warning: "AFS requires Kerberos v4 support."" 1>&2 ++ else ++ KERBEROS_LIBS="${KERBEROS_LIBS} -lkafs" ++ if test -n "$os_aix"; then ++ KERBEROS_LIBS="${KERBEROS_LIBS} -lld" + fi ++ fi ++fi ++ ++fi ++ ++ ++echo $ac_n "checking whether to use Hesiod""... $ac_c" 1>&6 ++echo "configure:7357: checking whether to use Hesiod" >&5 ++# Check whether --with-hesiod or --without-hesiod was given. ++if test "${with_hesiod+set}" = set; then ++ withval="$with_hesiod" ++ case "$withval" in ++ yes) ++ with_hesiod=/usr/local/athena + ;; + esac + else +- echo "$ac_t""no" 1>&6 ++ with_hesiod=no + + fi + ++case "$with_hesiod" in ++no) ++ echo "$ac_t""no" 1>&6 ++ ;; ++*) ++ echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define HESIOD 1 ++EOF ++ ++ HESIOD_ROOT="$with_hesiod" ++ HESIOD_INCS="-I${HESIOD_ROOT}/include" ++ HESIOD_LIBS="-L${HESIOD_ROOT}/lib -lhesiod" ++ ;; ++esac + + echo $ac_n "checking whether to use libwrap""... $ac_c" 1>&6 +-echo "configure:6729: checking whether to use libwrap" >&5 ++echo "configure:7388: checking whether to use libwrap" >&5 + # Check whether --with-libwrap or --without-libwrap was given. 
+ if test "${with_libwrap+set}" = set; then + withval="$with_libwrap" +@@ -6734,56 +7393,41 @@ + echo "$ac_t""no" 1>&6 + ;; + yes) +- echo "$ac_t""yes" 1>&6 +- echo $ac_n "checking for request_init in -lwrap""... $ac_c" 1>&6 +-echo "configure:6740: checking for request_init in -lwrap" >&5 +-ac_lib_var=`echo wrap'_'request_init | sed 'y%./+-%__p_%'` +-if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then +- echo $ac_n "(cached) $ac_c" 1>&6 +-else +- ac_save_LIBS="$LIBS" +-LIBS="-lwrap $LIBS" +-cat > conftest.$ac_ext <<EOF +-#line 6748 "configure" ++ WRAPLIBS="-lwrap" ++ OLDLIBS="$LIBS" ++ LIBS="$WRAPLIBS $LIBS" ++ cat > conftest.$ac_ext <<EOF ++#line 7401 "configure" + #include "confdefs.h" +-/* Override any gcc2 internal prototype to avoid an error. */ +-/* We use char because int might match the return type of a gcc2 +- builtin and then its argument prototype would still apply. */ +-char request_init(); +- ++ int allow_severity; int deny_severity; + int main() { +-request_init() ++ request_init(); + ; return 0; } + EOF +-if { (eval echo configure:6759: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then +- rm -rf conftest* +- eval "ac_cv_lib_$ac_lib_var=yes" +-else +- echo "configure: failed program was:" >&5 +- cat conftest.$ac_ext >&5 ++if { (eval echo configure:7408: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* +- eval "ac_cv_lib_$ac_lib_var=no" +-fi +-rm -f conftest* +-LIBS="$ac_save_LIBS" +- +-fi +-if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then +- echo "$ac_t""yes" 1>&6 + +- cat >> confdefs.h <<\EOF ++ echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF + #define LIBWRAP 1 + EOF + +- WRAPLIBS="-lwrap" +- cat >> confdefs.h <<\EOF ++ cat >> confdefs.h <<\EOF + #define HAVE_LIBWRAP 1 + EOF +- ++ ++ + else +- echo "$ac_t""no" 1>&6 ++ echo "configure: failed program was:" >&5 ++ cat conftest.$ac_ext >&5 ++ rm -rf conftest* ++ ++ echo "$ac_t""no" 1>&6 ++ 
WRAPLIBS="" ++ + fi +- ++rm -f conftest* ++ LIBS="$OLDLIBS" + ;; + *) + echo "$ac_t""yes" 1>&6 +@@ -6799,14 +7443,14 @@ + OLDLIBS="$LIBS" + LIBS="$WRAPLIBS $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 6803 "configure" ++#line 7447 "configure" + #include "confdefs.h" + int allow_severity; int deny_severity; + int main() { + hosts_access(); + ; return 0; } + EOF +-if { (eval echo configure:6810: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:7454: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + : + else + echo "configure: failed program was:" >&5 +@@ -6827,7 +7471,7 @@ + + + echo $ac_n "checking whether to support SOCKS""... $ac_c" 1>&6 +-echo "configure:6831: checking whether to support SOCKS" >&5 ++echo "configure:7475: checking whether to support SOCKS" >&5 + # Check whether --with-socks or --without-socks was given. + if test "${with_socks+set}" = set; then + withval="$with_socks" +@@ -6838,7 +7482,7 @@ + yes) + echo "$ac_t""yes" 1>&6 + echo $ac_n "checking for SOCKSconnect in -lsocks5""... $ac_c" 1>&6 +-echo "configure:6842: checking for SOCKSconnect in -lsocks5" >&5 ++echo "configure:7486: checking for SOCKSconnect in -lsocks5" >&5 + ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -6846,7 +7490,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lsocks5 $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 6850 "configure" ++#line 7494 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. 
*/ + /* We use char because int might match the return type of a gcc2 +@@ -6857,7 +7501,7 @@ + SOCKSconnect() + ; return 0; } + EOF +-if { (eval echo configure:6861: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:7505: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -6879,7 +7523,7 @@ + echo "$ac_t""no" 1>&6 + + echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6 +-echo "configure:6883: checking for Rconnect in -lsocks" >&5 ++echo "configure:7527: checking for Rconnect in -lsocks" >&5 + ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -6887,7 +7531,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lsocks $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 6891 "configure" ++#line 7535 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -6898,7 +7542,7 @@ + Rconnect() + ; return 0; } + EOF +-if { (eval echo configure:6902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:7546: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -6934,7 +7578,7 @@ + + if test "x$socks" = "x"; then + echo $ac_n "checking whether to support SOCKS5""... $ac_c" 1>&6 +-echo "configure:6938: checking whether to support SOCKS5" >&5 ++echo "configure:7582: checking whether to support SOCKS5" >&5 + # Check whether --with-socks5 or --without-socks5 was given. 
+ if test "${with_socks5+set}" = set; then + withval="$with_socks5" +@@ -6968,14 +7612,14 @@ + TMPLIBS="$LIBS" + LIBS="$LIBS $KERBEROS_LIBS" + cat > conftest.$ac_ext <<EOF +-#line 6972 "configure" ++#line 7616 "configure" + #include "confdefs.h" + + int main() { + SOCKSconnect(); + ; return 0; } + EOF +-if { (eval echo configure:6979: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:7623: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + : + else + echo "configure: failed program was:" >&5 +@@ -6996,7 +7640,7 @@ + + if test "x$socks" = "x"; then + echo $ac_n "checking whether to support SOCKS4""... $ac_c" 1>&6 +-echo "configure:7000: checking whether to support SOCKS4" >&5 ++echo "configure:7644: checking whether to support SOCKS4" >&5 + # Check whether --with-socks4 or --without-socks4 was given. + if test "${with_socks4+set}" = set; then + withval="$with_socks4" +@@ -7016,14 +7660,14 @@ + fi + LIBS="$withval $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 7020 "configure" ++#line 7664 "configure" + #include "confdefs.h" + + int main() { + Rconnect(); + ; return 0; } + EOF +-if { (eval echo configure:7027: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then ++if { (eval echo configure:7671: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + : + else + echo "configure: failed program was:" >&5 +@@ -7150,7 +7794,7 @@ + fi + + echo $ac_n "checking whether to use rsaref""... $ac_c" 1>&6 +-echo "configure:7154: checking whether to use rsaref" >&5 ++echo "configure:7798: checking whether to use rsaref" >&5 + # Check whether --with-rsaref or --without-rsaref was given. + if test "${with_rsaref+set}" = set; then + withval="$with_rsaref" +@@ -7184,7 +7828,7 @@ + + # This allows group writeability in userfile_check_owner_permissions() + echo $ac_n "checking whether to allow group writeability""... 
$ac_c" 1>&6 +-echo "configure:7188: checking whether to allow group writeability" >&5 ++echo "configure:7832: checking whether to allow group writeability" >&5 + # Check whether --enable-group-writeability or --disable-group-writeability was given. + if test "${enable_group_writeability+set}" = set; then + enableval="$enable_group_writeability" +@@ -7200,7 +7844,7 @@ + + + echo $ac_n "checking whether to disable forwardings in server""... $ac_c" 1>&6 +-echo "configure:7204: checking whether to disable forwardings in server" >&5 ++echo "configure:7848: checking whether to disable forwardings in server" >&5 + # Check whether --enable-server-port-forwardings or --disable-server-port-forwardings was given. + if test "${enable_server_port_forwardings+set}" = set; then + enableval="$enable_server_port_forwardings" +@@ -7222,7 +7866,7 @@ + + + echo $ac_n "checking whether to disable forwardings in client""... $ac_c" 1>&6 +-echo "configure:7226: checking whether to disable forwardings in client" >&5 ++echo "configure:7870: checking whether to disable forwardings in client" >&5 + # Check whether --enable-client-port-forwardings or --disable-client-port-forwardings was given. + if test "${enable_client_port_forwardings+set}" = set; then + enableval="$enable_client_port_forwardings" +@@ -7244,7 +7888,7 @@ + + + echo $ac_n "checking whether to disable X11 forwarding in server""... $ac_c" 1>&6 +-echo "configure:7248: checking whether to disable X11 forwarding in server" >&5 ++echo "configure:7892: checking whether to disable X11 forwarding in server" >&5 + # Check whether --enable-server-x11-forwarding or --disable-server-x11-forwarding was given. + if test "${enable_server_x11_forwarding+set}" = set; then + enableval="$enable_server_x11_forwarding" +@@ -7266,7 +7910,7 @@ + + + echo $ac_n "checking whether to disable X11 forwarding in client""... 
$ac_c" 1>&6 +-echo "configure:7270: checking whether to disable X11 forwarding in client" >&5 ++echo "configure:7914: checking whether to disable X11 forwarding in client" >&5 + # Check whether --enable-client-x11-forwarding or --disable-client-x11-forwarding was given. + if test "${enable_client_x11_forwarding+set}" = set; then + enableval="$enable_client_x11_forwarding" +@@ -7288,28 +7932,28 @@ + + + echo $ac_n "checking whether to install ssh as suid root""... $ac_c" 1>&6 +-echo "configure:7292: checking whether to install ssh as suid root" >&5 ++echo "configure:7936: checking whether to install ssh as suid root" >&5 + # Check whether --enable-suid-ssh or --disable-suid-ssh was given. + if test "${enable_suid_ssh+set}" = set; then + enableval="$enable_suid_ssh" + case "$enableval" in + no) + echo "$ac_t""no" 1>&6 +- SSHINSTALLMODE=0711 ++ SSHINSTALLMODE=0511 + ;; + *) echo "$ac_t""yes" 1>&6 +- SSHINSTALLMODE=04711 ++ SSHINSTALLMODE=04511 + ;; + esac + else + echo "$ac_t""yes" 1>&6 +- SSHINSTALLMODE=04711 ++ SSHINSTALLMODE=04511 + + fi + + + echo $ac_n "checking whether to enable TCP_NODELAY""... $ac_c" 1>&6 +-echo "configure:7313: checking whether to enable TCP_NODELAY" >&5 ++echo "configure:7957: checking whether to enable TCP_NODELAY" >&5 + # Check whether --enable-tcp-nodelay or --disable-tcp-nodelay was given. + if test "${enable_tcp_nodelay+set}" = set; then + enableval="$enable_tcp_nodelay" +@@ -7334,8 +7978,60 @@ + fi + + ++echo $ac_n "checking whether to enable another port try support""... $ac_c" 1>&6 ++echo "configure:7983: checking whether to enable another port try support" >&5 ++# Check whether --enable-another-port-try or --disable-another-port-try was given. 
++if test "${enable_another_port_try+set}" = set; then ++ enableval="$enable_another_port_try" ++ case "$enableval" in ++ no) ++ echo "$ac_t""no" 1>&6 ++ ;; ++ *) echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define ENABLE_ANOTHER_PORT_TRY 1 ++EOF ++ ++ ;; ++ esac ++else ++ echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define ENABLE_ANOTHER_PORT_TRY 1 ++EOF ++ ++ ++fi ++ ++ ++echo $ac_n "checking whether to enable logging auth info support""... $ac_c" 1>&6 ++echo "configure:8009: checking whether to enable logging auth info support" >&5 ++# Check whether --enable-log-auth or --disable-log-auth was given. ++if test "${enable_log_auth+set}" = set; then ++ enableval="$enable_log_auth" ++ case "$enableval" in ++ no) ++ echo "$ac_t""no" 1>&6 ++ ;; ++ *) echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define ENABLE_LOG_AUTH 1 ++EOF ++ ++ ;; ++ esac ++else ++ echo "$ac_t""yes" 1>&6 ++ cat >> confdefs.h <<\EOF ++#define ENABLE_LOG_AUTH 1 ++EOF ++ ++ ++fi ++ ++ + echo $ac_n "checking whether to enable SO_LINGER""... $ac_c" 1>&6 +-echo "configure:7339: checking whether to enable SO_LINGER" >&5 ++echo "configure:8035: checking whether to enable SO_LINGER" >&5 + # Check whether --enable-so-linger or --disable-so-linger was given. + if test "${enable_so_linger+set}" = set; then + enableval="$enable_so_linger" +@@ -7357,7 +8053,7 @@ + + + echo $ac_n "checking whether to include scp statistics at all""... $ac_c" 1>&6 +-echo "configure:7361: checking whether to include scp statistics at all" >&5 ++echo "configure:8057: checking whether to include scp statistics at all" >&5 + # Check whether --with-scp-stats or --without-scp-stats was given. + if test "${with_scp_stats+set}" = set; then + withval="$with_scp_stats" +@@ -7383,7 +8079,7 @@ + + + echo $ac_n "checking whether to enable scp statistics""... 
$ac_c" 1>&6 +-echo "configure:7387: checking whether to enable scp statistics" >&5 ++echo "configure:8083: checking whether to enable scp statistics" >&5 + # Check whether --enable-scp-stats or --disable-scp-stats was given. + if test "${enable_scp_stats+set}" = set; then + enableval="$enable_scp_stats" +@@ -7409,7 +8105,7 @@ + + + echo $ac_n "checking whether to enable scp statistics for all files""... $ac_c" 1>&6 +-echo "configure:7413: checking whether to enable scp statistics for all files" >&5 ++echo "configure:8109: checking whether to enable scp statistics for all files" >&5 + # Check whether --enable-all-scp-stats or --disable-all-scp-stats was given. + if test "${enable_all_scp_stats+set}" = set; then + enableval="$enable_all_scp_stats" +@@ -7434,6 +8130,8 @@ + fi + + ++CFLAGS="$CPPFLAGS $CFLAGS" ++ + # We include this here only to make it visible in --help; this is only used + # in the gmp subdirectory. + # Check whether --enable-asm or --disable-asm was given. +@@ -7445,7 +8143,7 @@ + + PIDDIR="/var/run" + echo $ac_n "checking where to put sshd.pid""... $ac_c" 1>&6 +-echo "configure:7449: checking where to put sshd.pid" >&5 ++echo "configure:8147: checking where to put sshd.pid" >&5 + if test '!' -d $PIDDIR; then + PIDDIR="$ETCDIR" + fi +@@ -7505,7 +8203,7 @@ + # Ultrix sh set writes to stderr and can't be redirected directly, + # and sets the high bit in the cache file unless we assign to the vars. + (set) 2>&1 | +- case `(ac_space=' '; set) 2>&1` in ++ case `(ac_space=' '; set | grep ac_space) 2>&1` in + *ac_space=\ *) + # `set' does not quote correctly, so add quotes (double-quote substitution + # turns \\\\ into \\, and sed turns \\ into \). 
+@@ -7572,7 +8270,7 @@ + echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion" + exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;; + -version | --version | --versio | --versi | --vers | --ver | --ve | --v) +- echo "$CONFIG_STATUS generated by autoconf version 2.12" ++ echo "$CONFIG_STATUS generated by autoconf version 2.13" + exit 0 ;; + -help | --help | --hel | --he | --h) + echo "\$ac_cs_usage"; exit 0 ;; +@@ -7583,7 +8281,7 @@ + ac_given_srcdir=$srcdir + ac_given_INSTALL="$INSTALL" + +-trap 'rm -fr `echo "Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 ++trap 'rm -fr `echo "Makefile sshd.8 ssh.1 make-ssh-known-hosts.pl make-ssh-known-hosts.1 zlib-1.0.4/Makefile config.h" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 + EOF + cat >> $CONFIG_STATUS <<EOF + +@@ -7592,9 +8290,11 @@ + s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF + $ac_vpsub + $extrasub ++s%@SHELL@%$SHELL%g + s%@CFLAGS@%$CFLAGS%g + s%@CPPFLAGS@%$CPPFLAGS%g + s%@CXXFLAGS@%$CXXFLAGS%g ++s%@FFLAGS@%$FFLAGS%g + s%@DEFS@%$DEFS%g + s%@LDFLAGS@%$LDFLAGS%g + s%@LIBS@%$LIBS%g +@@ -7623,6 +8323,7 @@ + s%@LIBOBJS@%$LIBOBJS%g + s%@LN_S@%$LN_S%g + s%@INSTALL_PROGRAM@%$INSTALL_PROGRAM%g ++s%@INSTALL_SCRIPT@%$INSTALL_SCRIPT%g + s%@INSTALL_DATA@%$INSTALL_DATA%g + s%@AR@%$AR%g + s%@RANLIB@%$RANLIB%g +@@ -7641,6 +8342,9 @@ + s%@KERBEROS_INCS@%$KERBEROS_INCS%g + s%@KERBEROS_LIBS@%$KERBEROS_LIBS%g + s%@KERBEROS_OBJS@%$KERBEROS_OBJS%g ++s%@HESIOD_ROOT@%$HESIOD_ROOT%g ++s%@HESIOD_INCS@%$HESIOD_INCS%g ++s%@HESIOD_LIBS@%$HESIOD_LIBS%g + s%@WRAPLIBS@%$WRAPLIBS%g + s%@subdirs@%$subdirs%g + s%@ETCDIR@%$ETCDIR%g +@@ -7691,7 +8395,7 @@ + + cat >> $CONFIG_STATUS <<EOF + +-CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.1 zlib-1.0.4/Makefile"} ++CONFIG_FILES=\${CONFIG_FILES-"Makefile sshd.8 ssh.1 make-ssh-known-hosts.pl make-ssh-known-hosts.1 
zlib-1.0.4/Makefile"} + EOF + cat >> $CONFIG_STATUS <<\EOF + for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then diff --git a/security/ssh6/patches/patch-al b/security/ssh6/patches/patch-al new file mode 100644 index 00000000000..2f1118214b0 --- /dev/null +++ b/security/ssh6/patches/patch-al 
@@ -0,0 +1,70 @@
+$NetBSD: patch-al,v 1.1 2000/03/20 02:25:36 itojun Exp $
+
+--- gmp-2.0.2-ssh-2/longlong.h.orig Wed Apr 29 19:32:35 1998
++++ gmp-2.0.2-ssh-2/longlong.h Tue Dec 14 23:03:54 1999
+@@ -190,26 +190,40 @@
+ "rI" ((USItype)(bh)), \
+ "r" ((USItype)(al)), \
+ "rI" ((USItype)(bl)))
++#if defined(__ARM_ARCH_3M__) || defined(__ARM_ARCH_4__) || defined(__ARM_ARCH_4T__)
++/* Use umull if available */
+ #define umul_ppmm(xh, xl, a, b) \
+ __asm__ ("%@ Inlined umul_ppmm
+- mov %|r0, %2, lsr #16
+- mov %|r2, %3, lsr #16
+- bic %|r1, %2, %|r0, lsl #16
+- bic %|r2, %3, %|r2, lsl #16
+- mul %1, %|r1, %|r2
+- mul %|r2, %|r0, %|r2
+- mul %|r1, %0, %|r1
+- mul %0, %|r0, %0
+- adds %|r1, %|r2, %|r1
++ umull %0, %1, %2, %3" \
++ : "=&r" ((USItype) (xl)), \
++ "=&r" ((USItype) (xh)) \
++ : "r" ((USItype) (a)), \
++ "r" ((USItype) (b)))
++#define UMUL_TIME 4
++#else /* umull */
++#define umul_ppmm(xh, xl, a, b) \
++do {register USItype __t0, __t1, __t2; \
++ __asm__ ("%@ Inlined umul_ppmm
++ mov %2, %5, lsr #16
++ mov %0, %6, lsr #16
++ bic %3, %5, %2, lsl #16
++ bic %4, %6, %0, lsl #16
++ mul %1, %3, %4
++ mul %4, %2, %4
++ mul %3, %0, %3
++ mul %0, %2, %0
++ adds %3, %4, %3
+ addcs %0, %0, #65536
+- adds %1, %1, %|r1, lsl #16
+- adc %0, %0, %|r1, lsr #16" \
+- : "=&r" ((USItype)(xh)), \
+- "=r" ((USItype)(xl)) \
+- : "r" ((USItype)(a)), \
+- "r" ((USItype)(b)) \
+- : "r0", "r1", "r2")
++ adds %1, %1, %3, lsl #16
++ adc %0, %0, %3, lsr #16" \
++ : "=&r" ((USItype) (xh)), \
++ "=r" ((USItype) (xl)), \
++ "=&r" (__t0), "=&r" (__t1), "=r" (__t2) \
++ : "r" ((USItype) (a)), \
++ "r" ((USItype) (b)));} while (0)
++
+ #define UMUL_TIME 20
++#endif /* umull */
+ #define UDIV_TIME 100
+ #endif /* __arm__ */
+
+@@ -719,7 +733,7 @@
+ "g" ((USItype)(d))); \
+ (r) = __xx.__i.__l; (q) = __xx.__i.__h; })
+ #define count_trailing_zeros(count,x) \
+- do {
++ do { \
+ __asm__ ("ffsd %2,%0" \
+ : "=r" ((USItype) (count)) \
+ : "0" ((USItype) 0), \
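Review bot: The fallback `umul_ppmm` in longlong.h (the `#else /* umull */` branch) executes `adds`, `addcs` and `adc`, all of which write the condition flags, yet its asm statement declares no clobbers, so the compiler is never told the flags change. The version being replaced listed only `"r0", "r1", "r2"` and had the same gap; now that the scratch registers are real outputs, the operand list should end `"r" ((USItype) (b)) : "cc");} while (0)`. A flag-dependent miscompile here would show up as wrong double-word products in the multi-precision arithmetic ssh builds on, which is hard to notice and hard to debug. The `umull` branch does not set flags and needs no clobber.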
diff --git a/security/ssh6/patches/patch-am b/security/ssh6/patches/patch-am
new file mode 100644
index 00000000000..7b087b3913f
--- /dev/null
+++ b/security/ssh6/patches/patch-am
@@ -0,0 +1,36 @@
+$NetBSD: patch-am,v 1.1 2000/03/20 02:25:36 itojun Exp $
+
+--- gmp-2.0.2-ssh-2/configure.in.orig Mon Feb 22 01:59:06 1999
++++ gmp-2.0.2-ssh-2/configure.in Fri Jul 16 17:38:35 1999
+@@ -122,6 +122,20 @@
+ path="x86"
+ syntax_alternatives="$syntax_alternatives ELF_SYNTAX BSD_SYNTAX INTEL_SYNTAX"
+ ;;
++ i[3456]86*-*-*netbsd* | pentium-*-*netbsd* | pentiumpro-*-*netbsd*)
++ if $CC -E - -dM </dev/null | grep -q __ELF__; then
++ syntax_alternatives="$syntax_alternatives ELF_SYNTAX" # ELF
++ else
++ syntax_alternatives="$syntax_alternatives BSD_SYNTAX" # a.out
++ x86_broken_align=yes
++ fi
++ case "${host}" in
++ i[34]86*-*-*netbsd*)
++ path="x86" ;;
++ i[56]86*-*-*netbsd* | pentium-*-*netbsd* | pentiumpro-*-*netbsd*)
++ path="x86/pentium x86" ;;
++ esac
++ ;;
+ i[34]86*-*-linuxaout* | i[34]86*-*-linuxoldld* | \
+ i[34]86*-*-*bsd*) # 386/486 running BSD or Linux with a.out
+ path="x86"
+@@ -221,6 +235,10 @@
+ ;;
+ sh2-*-*)
+ path="sh/sh2 sh"
++ ;;
++ mips*-*-netbsd*)
++ path="mips2"
++ SFLAGS="-Wa,-KPIC"
+ ;;
+ mips[34]*-*-*)
+ path="mips3"
diff --git a/security/ssh6/patches/patch-an b/security/ssh6/patches/patch-an
new file mode 100644
index 00000000000..e8d6a5fd02e
--- /dev/null
+++ b/security/ssh6/patches/patch-an
@@ -0,0 +1,43 @@
+$NetBSD: patch-an,v 1.1 2000/03/20 02:25:36 itojun Exp $
+
+--- gmp-2.0.2-ssh-2/gmp-impl.h.orig Fri Mar 27 18:06:09 1998
++++ gmp-2.0.2-ssh-2/gmp-impl.h Thu Mar 4 10:20:02 1999
+@@ -281,7 +281,6 @@
+
+ #if SIZEOF_INT >= 4 /* otherwise fails on 16-bit machines */
+ #if defined (__alpha) \
+- || (defined (__arm__) && defined (__ARMWEL__)) \
+ || defined (__clipper__) \
+ || defined (__cris) \
+ || defined (__i386__) \
+@@ -304,7 +303,7 @@
+ };
+ #else /* Need this as an #else since the tests aren't made exclusive. */
+ #if defined (__a29k__) || defined (_AM29K) \
+- || defined (__arm__) \
++ || (defined (__arm__) && defined (__ARMEB__)) \
+ || (defined (__convex__) && defined (_IEEE_FLOAT_)) \
+ || defined (__i370__) || defined (__mvs__) \
+ || defined (__mc68000__) || defined (__mc68020__) || defined (__NeXT__)\
+@@ -330,6 +329,21 @@
+ } s;
+ double d;
+ };
++#define _GMP_IEEE_FLOATS 1
++#else
++#if defined (__arm__)
++union ieee_double_extract
++{
++ struct
++ {
++ unsigned int manh:20;
++ unsigned int exp:11;
++ unsigned int sig:1;
++ unsigned int manl:32;
++ } s;
++ double d;
++};
++#endif
+ #endif
+ #endif
+ #endif /* SIZEOF_INT >= 4 */
diff --git a/security/ssh6/patches/patch-ao b/security/ssh6/patches/patch-ao
new file mode 100644
index 00000000000..a17f4ceb4bd
--- /dev/null
+++ b/security/ssh6/patches/patch-ao
@@ -0,0 +1,22 @@
+$NetBSD: patch-ao,v 1.1 2000/03/20 02:25:36 itojun Exp $
+
+--- gmp-2.0.2-ssh-2/aclocal.m4.orig Wed Jul 8 18:40:42 1998
++++ gmp-2.0.2-ssh-2/aclocal.m4 Mon May 10 23:50:28 1999
+@@ -20,7 +20,7 @@
+ dnl AM_INIT_AUTOMAKE(package,version, [no-define])
+
+ AC_DEFUN(AM_INIT_AUTOMAKE,
+-[AC_REQUIRE([AM_PROG_INSTALL])
++[AC_REQUIRE([AC_PROG_INSTALL])
+ PACKAGE=[$1]
+ AC_SUBST(PACKAGE)
+ VERSION=[$2]
+@@ -46,7 +46,7 @@
+
+ # serial 1
+
+-AC_DEFUN(AM_PROG_INSTALL,
++AC_DEFUN(AC_PROG_INSTALL,
+ [AC_REQUIRE([AC_PROG_INSTALL])
+ test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL_PROGRAM}'
+ AC_SUBST(INSTALL_SCRIPT)dnl
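Review bot: In the gmp-impl.h patch (patch-an) the new `#if defined (__arm__)` fallback declares `union ieee_double_extract` but does not define `_GMP_IEEE_FLOATS`, although the same hunk adds `#define _GMP_IEEE_FLOATS 1` to the branch directly above it. If code outside this hunk tests that macro before using the union, ARM builds without `__ARMEB__` would declare the layout and then never use it; either add the define after the ARM union or leave a comment saying the omission is deliberate. The field order also deserves a comment such as `/* ARM without __ARMEB__: presumably the word holding sign and exponent is stored first */`, because the layout depends on the compiler's bit-field allocation order and nothing in the hunk states which ABI it was checked against.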
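Review bot: After the rename in the aclocal.m4 patch (patch-ao) the second hunk reads `AC_DEFUN(AC_PROG_INSTALL, [AC_REQUIRE([AC_PROG_INSTALL])`, so the macro requires itself and takes the name of autoconf's own install-program check. Whether that shadows the stock macro depends on load order, which the hunk does not show, but the result is at best a no-op require and at worst a configure run that never probes for `install`. Keeping the local definition as `AC_DEFUN(AM_PROG_INSTALL,` and changing only the `AC_REQUIRE` inside `AM_INIT_AUTOMAKE` would express the intent without the self-reference.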
diff --git a/security/ssh6/patches/patch-ap b/security/ssh6/patches/patch-ap
new file mode 100644
index 00000000000..0b6585eab3e
--- /dev/null
+++ b/security/ssh6/patches/patch-ap
@@ -0,0 +1,36 @@
+$NetBSD: patch-ap,v 1.1 2000/03/20 02:25:37 itojun Exp $
+
+--- gmp-2.0.2-ssh-2/configure.orig Wed May 12 07:19:35 1999
++++ gmp-2.0.2-ssh-2/configure Fri Jul 16 17:38:30 1999
+@@ -1855,6 +1855,20 @@
+ path="x86"
+ syntax_alternatives="$syntax_alternatives ELF_SYNTAX BSD_SYNTAX INTEL_SYNTAX"
+ ;;
++ i[3456]86*-*-*netbsd* | pentium-*-*netbsd* | pentiumpro-*-*netbsd*)
++ if $CC -E - -dM </dev/null | grep -q __ELF__; then
++ syntax_alternatives="$syntax_alternatives ELF_SYNTAX" # ELF
++ else
++ syntax_alternatives="$syntax_alternatives BSD_SYNTAX" # a.out
++ x86_broken_align=yes
++ fi
++ case "${host}" in
++ i[34]86*-*-*netbsd*)
++ path="x86" ;;
++ i[56]86*-*-*netbsd* | pentium-*-*netbsd* | pentiumpro-*-*netbsd*)
++ path="x86/pentium x86" ;;
++ esac
++ ;;
+ i[34]86*-*-linuxaout* | i[34]86*-*-linuxoldld* | \
+ i[34]86*-*-*bsd*) # 386/486 running BSD or Linux with a.out
+ path="x86"
+@@ -1954,6 +1968,10 @@
+ ;;
+ sh2-*-*)
+ path="sh/sh2 sh"
++ ;;
++ mips*-*-netbsd*)
++ path="mips2"
++ SFLAGS="-Wa,-KPIC"
+ ;;
+ mips[34]*-*-*)
+ path="mips3"
diff --git a/security/ssh6/patches/patch-aq b/security/ssh6/patches/patch-aq
new file mode 100644
index 00000000000..0fa31c89a33
--- /dev/null
+++ b/security/ssh6/patches/patch-aq
@@ -0,0 +1,462 @@ +$NetBSD: patch-aq,v 1.1 2000/03/20 02:25:37 itojun Exp $ + +--- newchannels.c.orig Wed May 12 07:19:27 1999 ++++ newchannels.c Fri Dec 24 22:01:15 1999 +@@ -274,7 +274,7 @@ + #include "authfd.h" + #include "emulate.h" + #include "servconf.h" +-#ifdef LIBWRAP ++#if defined(LIBWRAP) && defined(LIBWRAP_FWD) + #include <tcpd.h> + #include <syslog.h> + #ifdef NEED_SYS_SYSLOG_H +@@ -922,6 +922,7 @@ + /* This is our fake X11 server socket. */ + if (FD_ISSET(ch->sock, readset)) + { ++ int on = 1; + debug("X11 connection requested."); + addrlen = sizeof(addr); + newsock = accept(ch->sock, &addr, &addrlen); +@@ -930,11 +931,12 @@ + error("accept: %.100s", strerror(errno)); + break; + } ++ setsockopt(newsock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)); + remote_hostname = get_remote_hostname(newsock); + snprintf(buf, sizeof(buf), "X11 connection from %.200s port %d", + remote_hostname, get_peer_port(newsock)); + xfree(remote_hostname); +-#ifdef LIBWRAP ++#if defined(LIBWRAP) && defined(LIBWRAP_FWD) + { + struct request_info req; + struct servent *serv; +@@ -986,7 +988,7 @@ + ch->listening_port, remote_hostname, + get_peer_port(newsock)); + xfree(remote_hostname); +-#ifdef LIBWRAP ++#if defined(LIBWRAP) && defined(LIBWRAP_FWD) + { + struct request_info req; + struct servent *serv; +@@ -1405,13 +1407,29 @@ + int host_port, int gatewayports) + { + int ch, sock; +- struct sockaddr_in sin; ++ struct addrinfo hints, *ai, *aitop; ++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; + + if (strlen(host) > sizeof(channels[0].path) - 1) + packet_disconnect("Forward host name too long."); + ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_flags = gatewayports ? 
AI_PASSIVE : 0; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", port); ++ if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) ++ packet_disconnect("getaddrinfo: fatal error"); ++ ++ for (ai = aitop; ai; ai = ai->ai_next) ++ { ++ ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); ++ + /* Create a port to listen for the host. */ +- sock = socket(AF_INET, SOCK_STREAM, 0); ++ sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + packet_disconnect("socket: %.100s", strerror(errno)); + +@@ -1421,21 +1439,10 @@ + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +- /* Initialize socket address. */ +- memset(&sin, 0, sizeof(sin)); +- sin.sin_family = AF_INET; +- if (gatewayports) +- sin.sin_addr.s_addr = INADDR_ANY; +- else +-#ifdef BROKEN_INET_ADDR +- sin.sin_addr.s_addr = inet_network("127.0.0.1"); +-#else /* BROKEN_INET_ADDR */ +- sin.sin_addr.s_addr = inet_addr("127.0.0.1"); +-#endif /* BROKEN_INET_ADDR */ +- sin.sin_port = htons(port); +- ++ debug("Listening on %s port %s.", ntop, strport); ++ + /* Bind the socket to the address. */ +- if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) ++ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) + packet_disconnect("bind: %.100s", strerror(errno)); + + /* Start listening for connections on the socket. 
*/ +@@ -1448,6 +1455,9 @@ + strcpy(channels[ch].path, host); /* note: host name stored here */ + channels[ch].host_port = host_port; /* port on host to connect to */ + channels[ch].listening_port = port; /* port being listened */ ++ ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); + } + + /* Initiate forwarding of connections to port "port" on remote host through +@@ -1636,9 +1646,10 @@ + void channel_input_port_open(void) + { + int remote_channel, sock, newch, host_port, i; +- struct sockaddr_in sin; + char *host, *originator_string; +- struct hostent *hp; ++ struct addrinfo hints, *ai, *aitop; ++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; ++ int gaierr; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +@@ -1678,36 +1689,15 @@ + } + } + +- memset(&sin, 0, sizeof(sin)); +-#ifdef BROKEN_INET_ADDR +- sin.sin_addr.s_addr = inet_network(host); +-#else /* BROKEN_INET_ADDR */ +- sin.sin_addr.s_addr = inet_addr(host); +-#endif /* BROKEN_INET_ADDR */ +- if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", host_port); ++ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) + { +- /* It was a valid numeric host address. */ +- sin.sin_family = AF_INET; +- } +- else +- { +- /* Look up the host address from the name servers. 
*/ +- hp = gethostbyname(host); +- if (!hp) +- { +- error("%.100s: unknown host.", host); +- goto fail; +- } +- if (!hp->h_addr_list[0]) +- { +- error("%.100s: host has no IP address.", host); +- goto fail; +- } +- sin.sin_family = hp->h_addrtype; +- memcpy(&sin.sin_addr, hp->h_addr_list[0], +- sizeof(sin.sin_addr)); ++ error("%.100s: unknown host (%s)", host, gai_strerror(gaierr)); ++ goto fail; + } +- sin.sin_port = htons(host_port); + + #ifdef F_SECURE_COMMERCIAL + +@@ -1744,8 +1734,15 @@ + + #endif /* F_SECURE_COMMERCIAL */ + ++ for (ai = aitop; ai; ai = ai->ai_next) ++ { ++ ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); ++ + /* Create the socket. */ +- sock = socket(sin.sin_family, SOCK_STREAM, 0); ++ sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +@@ -1753,15 +1750,25 @@ + } + + /* Connect to the host/port. */ +- if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) ++ if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +- error("connect %.100s:%d: %.100s", host, host_port, +- strerror(errno)); ++ debug("connect %.100s port %s: %.100s", ntop, strport, strerror(errno)); + close(sock); ++ continue; /* fail -- try next */ ++ } ++ break; /* success */ ++ ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); ++ ++ if (!ai) ++ { ++ error("connect %.100s:%d: failed.", host, host_port); + goto fail; + } + + /* Successful connection. 
*/ ++ debug("Connecting to %.200s [%.100s] port %s.", host, ntop, strport); + + #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN) + (void)fcntl(sock, F_SETFL, O_NONBLOCK); +@@ -1803,7 +1810,10 @@ + { + extern ServerOptions options; + int display_number, port, sock; +- struct sockaddr_in sin; ++ struct addrinfo hints, *ai, *aitop; ++ char strport[PORTSTRLEN]; ++#define NUM_SOCKS 10 ++ int gaierr, n, nn, num_socks = 0, socks[NUM_SOCKS]; + char buf[512]; + #ifdef HAVE_GETHOSTNAME + char hostname[257]; +@@ -1817,12 +1827,21 @@ + for (display_number = options.x11_display_offset; display_number < MAX_DISPLAYS; display_number++) + { + port = 6000 + display_number; +- memset(&sin, 0, sizeof(sin)); +- sin.sin_family = AF_INET; +- sin.sin_addr.s_addr = INADDR_ANY; +- sin.sin_port = htons(port); ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_flags = AI_PASSIVE; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", port); ++ if ((gaierr = getaddrinfo(NULL, strport, &hints, &aitop)) != 0) ++ { ++ error("getaddrinfo: %.100s", gai_strerror(gaierr)); ++ return NULL; ++ } ++ ++ for (ai = aitop; ai; ai = ai->ai_next) ++ { + +- sock = socket(AF_INET, SOCK_STREAM, 0); ++ sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { + error("socket: %.100s", strerror(errno)); +@@ -1835,13 +1854,26 @@ + (void)fcntl(sock, F_SETFL, O_NDELAY); + #endif /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ + +- if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) ++ if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { + debug("bind port %d: %.100s", port, strerror(errno)); + shutdown(sock, 2); + close(sock); +- continue; ++ for (n = 0; n < num_socks; n++) ++ { ++ shutdown(socks[n], 2); ++ close(socks[n]); ++ } ++ num_socks = 0; ++ break; + } ++ ++ socks[num_socks++] = sock; ++ if (num_socks == NUM_SOCKS) ++ break; ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ ++ if (num_socks > 0) + break; + } + if (display_number >= MAX_DISPLAYS) +@@ -1851,13 
+1883,22 @@ + } + + /* Start listening for connections on the socket. */ ++ for (n = 0; n < num_socks; n++) ++ { ++ sock = socks[n]; + if (listen(sock, 5) < 0) + { + error("listen: %.100s", strerror(errno)); + shutdown(sock, 2); + close(sock); ++ for (nn = 0; nn < n; nn++) ++ { ++ shutdown(socks[nn], 2); ++ close(socks[nn]); ++ } + return NULL; + } ++ } /* for (n = 0; n < num_socks; n++) */ + + /* Set up a suitable value for the DISPLAY variable. */ + #ifdef NONSTANDARD_IP_ADDRESS_X11_KLUDGE +@@ -1868,10 +1909,11 @@ + if (gethostname(hostname, sizeof(hostname)) < 0) + fatal("gethostname: %.100s", strerror(errno)); + { +- struct hostent *hp; +- struct in_addr addr; +- hp = gethostbyname(hostname); +- if (hp == NULL || !hp->h_addr_list[0]) ++ struct addrinfo hints, *ai; ++ char ntop[ADDRSTRLEN]; ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ if (getaddrinfo(hostname, NULL, &hints, &ai) != 0 || !ai) + { + error("Could not get server IP address for %.200s.", hostname); + packet_send_debug("Could not get server IP address for %.200s.", +@@ -1880,9 +1922,10 @@ + close(sock); + return NULL; + } +- memcpy(&addr, hp->h_addr_list[0], sizeof(addr)); ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); + snprintf(buf, sizeof(buf), +- "%.100s:%d.%d", inet_ntoa(addr), display_number, ++ "%.100s:%d.%d", ntop, display_number, + screen_number); + } + #else /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */ +@@ -1900,8 +1943,12 @@ + #endif /* NONSTANDARD_IP_ADDRESS_X11_KLUDGE */ + + /* Allocate a channel for the socket. */ ++ for (n = 0; n < num_socks; n++) ++ { ++ sock = socks[n]; + (void)channel_allocate(SSH_CHANNEL_X11_LISTENER, sock, + xstrdup("X11 inet listener")); ++ } /* for (n = 0; n < num_socks; n++) */ + + /* Return a suitable value for the DISPLAY environment variable. 
*/ + return xstrdup(buf); +@@ -1916,9 +1963,10 @@ + int remote_channel, display_number, sock, newch; + const char *display; + struct sockaddr_un ssun; +- struct sockaddr_in sin; + char buf[255], *cp, *remote_host; +- struct hostent *hp; ++ struct addrinfo hints, *ai, *aitop; ++ char strport[PORTSTRLEN]; ++ int gaierr; + + /* Get remote channel number. */ + remote_channel = packet_get_int(); +@@ -2058,59 +2106,54 @@ + goto fail; + } + +- /* Try to parse the host name as a numeric IP address. */ +- memset(&sin, 0, sizeof(sin)); +-#ifdef BROKEN_INET_ADDR +- sin.sin_addr.s_addr = inet_network(buf); +-#else /* BROKEN_INET_ADDR */ +- sin.sin_addr.s_addr = inet_addr(buf); +-#endif /* BROKEN_INET_ADDR */ +- if ((sin.sin_addr.s_addr & 0xffffffff) != 0xffffffff) ++ /* Look up the host address */ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", 6000 + display_number); ++ if ((gaierr = getaddrinfo(buf, strport, &hints, &aitop)) != 0) + { +- /* It was a valid numeric host address. */ +- sin.sin_family = AF_INET; ++ error("%.100s: unknown host. (%s)", buf, gai_strerror(gaierr)); ++ goto fail; + } +- else ++ ++ for (ai = aitop; ai; ai = ai->ai_next) + { +- /* Not a numeric IP address. */ +- /* Look up the host address from the name servers. */ +- hp = gethostbyname(buf); +- if (!hp) +- { +- error("%.100s: unknown host.", buf); +- goto fail; +- } +- if (!hp->h_addr_list[0]) +- { +- error("%.100s: host has no IP address.", buf); +- goto fail; +- } +- sin.sin_family = hp->h_addrtype; +- memcpy(&sin.sin_addr, hp->h_addr_list[0], +- sizeof(sin.sin_addr)); +- } +- /* Set port number. */ +- sin.sin_port = htons(6000 + display_number); + + /* Create a socket. 
*/ +- sock = socket(sin.sin_family, SOCK_STREAM, 0); ++ sock = socket(ai->ai_family, SOCK_STREAM, 0); + if (sock < 0) + { +- error("socket: %.100s", strerror(errno)); +- goto fail; ++ debug("socket: %.100s", strerror(errno)); ++ continue; + } + /* Connect it to the display. */ +- if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) ++ if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) + { +- error("connect %.100s:%d: %.100s", buf, 6000 + display_number, ++ debug("connect %.100s:%d: %.100s", buf, 6000 + display_number, + strerror(errno)); + close(sock); ++ continue; ++ } ++ /* Success */ ++ break; ++ ++ } /* (ai = aitop, ai; ai = ai->ai_next) */ ++ freeaddrinfo(aitop); ++ if (!ai) ++ { ++ error("connect %.100s:%d: %.100s", buf, 6000 + display_number, ++ strerror(errno)); + goto fail; + } + + success: + /* We have successfully obtained a connection to the real X display. */ +- ++ { ++ int on = 1; ++ setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)); ++ } ++ + #if defined(O_NONBLOCK) && !defined(O_NONBLOCK_BROKEN) + (void)fcntl(sock, F_SETFL, O_NONBLOCK); + #else /* O_NONBLOCK && !O_NONBLOCK_BROKEN */ +@@ -2412,6 +2455,10 @@ + ssh-agent connections on your system */ + old_umask = umask(S_IRUSR|S_IXUSR|S_IRGRP|S_IXGRP|S_IROTH|S_IXOTH); + ++ /* Make sure the socket doesn't already exist, left over from a system ++ crash perhaps. */ ++ unlink(channel_forwarded_auth_socket_name); ++ + if (bind(sock, (struct sockaddr *)&sunaddr, AF_UNIX_SIZE(sunaddr)) < 0) + packet_disconnect("Agent socket bind failed: %.100s", strerror(errno)); + diff --git a/security/ssh6/patches/patch-ar b/security/ssh6/patches/patch-ar new file mode 100644 index 00000000000..25e7a654299 --- /dev/null +++ b/security/ssh6/patches/patch-ar 
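Review bot: Every `sprintf(strport, "%d", ...)` added to newchannels.c writes into `char strport[PORTSTRLEN]` with no bound, and in `channel_input_port_open` the value is `host_port`, which appears to come from the peer's port-open request (its assignment lies outside the hunk). `PORTSTRLEN` is not defined anywhere in this patch; unless it is at least 12, a negative or otherwise out-of-range 32-bit value overruns the stack buffer. The file already uses `snprintf`, so each call should become `snprintf(strport, sizeof(strport), "%d", host_port);` (likewise for `port` and `6000 + display_number`), ideally after rejecting ports outside 1..65535. Separately, `x11_create_display_inet` never calls `freeaddrinfo(aitop)` in the lines shown, even though `getaddrinfo` runs once per display number tried. The `getnameinfo` calls also go unchecked, so `ntop` and `strport` can reach `debug()` without having been filled in.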
@@ -0,0 +1,60 @@ +$NetBSD: patch-ar,v 1.1 2000/03/20 02:25:38 itojun Exp $ + +--- acconfig.h.orig Wed May 12 07:19:23 1999 ++++ acconfig.h Fri Dec 24 21:50:38 1999 +@@ -247,16 +247,23 @@ + /* Define this if your gettimeofday doesn't have TZ parameter */ + #undef HAVE_NO_TZ_IN_GETTIMEOFDAY + +-/* Define this if you want to compile in Kerberos support. */ +-#undef KERBEROS +- + /* Define this if you want to compile in Kerberos V5 support. +- KERBEROS must be compiled in as well. This can be done at configure +- time with the --with-kerberos5 argument*/ ++ This can be done at configure time with the --with-krb5 argument. */ + #undef KRB5 + +-/* Define this if you want to pass the Kerberos TGT. */ +-#undef KERBEROS_TGT_PASSING ++/* Define this if you want to compile in Kerberos V4 support. ++ This can be done at configure time with the --with-krb4 argument. */ ++#undef KRB4 ++ ++/* Define this if you what to build ssh with Hesiod support. */ ++#undef HESIOD ++ ++/* Define this if you want to compile in AFS support. ++ This can be done at configure time with the --with-afs argument. */ ++#undef AFS ++ ++/* Define this if you have the AFS lifetime conversion routines. */ ++#undef HAVE_KRB_LIFE_TO_TIME + + /* Define this if you dont have SIGINFO as signal but some other macro */ + #undef HAVE_INCOMPATIBLE_SIGINFO +@@ -273,6 +280,24 @@ + /* File used to override /etc/nologin on a per-user basis. The default is + /etc/nologin.allow. */ + #undef NOLOGIN_ALLOW ++ ++/* Define this if you have struct sockaddr_storage. */ ++#undef HAVE_SOCKADDR_STORAGE ++ ++/* Define this if you have __sa_family in struct sockaddr_storage. */ ++#undef HAVE_NEW_SS_FAMILY ++ ++/* Define this if you have ss_len in struct sockaddr. */ ++#undef HAVE_SOCKADDR_LEN ++ ++/* Define this if you want to enable IPv6 support. */ ++#undef ENABLE_IPV6 ++ ++/* Define this if you want to enable another port try support. 
*/ ++#undef ENABLE_ANOTHER_PORT_TRY ++ ++/* Define this if you want to enable logging auth info support. */ ++#undef ENABLE_LOG_AUTH + + /* Where to find the X11 socket */ + #undef X11_DIR diff --git a/security/ssh6/patches/patch-as b/security/ssh6/patches/patch-as new file mode 100644 index 00000000000..19eeaaa17f3 --- /dev/null +++ b/security/ssh6/patches/patch-as 
@@ -0,0 +1,249 @@ +$NetBSD: patch-as,v 1.1 2000/03/20 02:25:40 itojun Exp $ + +--- auth-kerberos.c.orig Wed May 12 07:19:23 1999 ++++ auth-kerberos.c Fri Dec 24 21:50:38 1999 +@@ -38,14 +38,13 @@ + #include "xmalloc.h" + #include "ssh.h" + +-#ifdef KERBEROS +-#if defined (KRB5) ++#ifdef KRB5 + #include <krb5.h> + + extern krb5_context ssh_context; + extern krb5_auth_context auth_context; + +-int auth_kerberos(char *server_user, krb5_data *auth, krb5_principal *client) ++int auth_krb5(char *server_user, krb5_data *auth, krb5_principal *client) + { + krb5_error_code problem; + krb5_ticket *ticket; +@@ -163,11 +162,115 @@ + return 1; + } + #endif /* KRB5 */ +-#endif /* KERBEROS */ + +-#ifdef KERBEROS_TGT_PASSING +-#if defined (KRB5) +-int auth_kerberos_tgt( char *server_user, krb5_data *krb5data) ++#ifdef KRB4 ++#include <sys/param.h> ++#include <krb.h> ++ ++int ssh_tf_init(uid_t uid) ++{ ++ extern char *ticket; ++ char *tkt_root = TKT_ROOT; ++ struct stat st; ++ int fd; ++ ++ /* Set unique ticket string manually since we're still root. */ ++ ticket = xmalloc(MAXPATHLEN); ++#ifdef AFS ++ if (lstat("/ticket", &st) != -1) ++ tkt_root = "/ticket/"; ++#endif /* AFS */ ++ snprintf(ticket, MAXPATHLEN, "%s%d_%d", tkt_root, uid, getpid()); ++ (void) krb_set_tkt_string(ticket); ++ ++ /* Make sure we own this ticket file, and we created it. */ ++ if (lstat(ticket, &st) < 0 && errno == ENOENT) { ++ /* good, no ticket file exists. create it. */ ++ if ((fd = open(ticket, O_RDWR|O_CREAT|O_EXCL, 0600)) != -1) { ++ close(fd); ++ return 1; ++ } ++ } ++ else { ++ /* file exists. make sure server_user owns it (e.g. just passed ticket), ++ and that it isn't a symlink, and that it is mode 600. */ ++ if (st.st_mode == (S_IFREG|S_IRUSR|S_IWUSR) && st.st_uid == uid) ++ return 1; ++ } ++ /* Failure. 
*/ ++ log_msg("WARNING: bad ticket file %s", ticket); ++ return 0; ++} ++ ++int auth_krb4(const char *server_user, KTEXT auth, char **client) ++{ ++ AUTH_DAT adat = { 0 }; ++ KTEXT_ST reply; ++ char instance[INST_SZ]; ++ int r, s; ++ u_long cksum; ++ Key_schedule schedule; ++ struct sockaddr_in local, foreign; ++ ++ s = packet_get_connection_in(); ++ ++ r = sizeof(local); ++ memset(&local, 0, sizeof(local)); ++ if (getsockname(s, (struct sockaddr *) &local, &r) < 0) ++ debug("getsockname failed: %.100s", strerror(errno)); ++ r = sizeof(foreign); ++ memset(&foreign, 0, sizeof(foreign)); ++ if (getpeername(s, (struct sockaddr *)&foreign, &r) < 0) ++ debug("getpeername failed: %.100s", strerror(errno)); ++ ++ instance[0] = '*'; instance[1] = 0; ++ ++ /* Get the encrypted request, challenge, and session key. */ ++ if (r = krb_rd_req(auth, KRB4_SERVICE_NAME, instance, 0, &adat, "")) { ++ packet_send_debug("Kerberos V4 krb_rd_req: %s", krb_err_txt[r]); ++ return 0; ++ } ++ des_key_sched((des_cblock *)adat.session, schedule); ++ ++ *client = xmalloc(MAX_K_NAME_SZ); ++ (void) snprintf(*client, MAX_K_NAME_SZ, "%s%s%s@%s", adat.pname, ++ *adat.pinst ? "." : "", adat.pinst, adat.prealm); ++ ++ /* Check ~/.klogin authorization now. */ ++ if (kuserok(&adat, (char *)server_user) != KSUCCESS) { ++ packet_send_debug("Kerberos V4 .klogin authorization failed!"); ++ log_msg("Kerberos V4 .klogin authorization failed for %s to account %s", ++ *client, server_user); ++ return 0; ++ } ++ /* Increment the checksum, and return it encrypted with the session key. */ ++ cksum = adat.checksum + 1; ++ cksum = htonl(cksum); ++ ++ /* If we can't successfully encrypt the checksum, we send back an empty ++ message, admitting our failure. 
*/ ++ if ((r = krb_mk_priv((u_char *)&cksum, reply.dat, sizeof(cksum)+1, ++ schedule, &adat.session, &local, &foreign)) < 0) { ++ packet_send_debug("Kerberos V4 mk_priv: (%d) %s", r, krb_err_txt[r]); ++ reply.dat[0] = 0; ++ reply.length = 0; ++ } ++ else ++ reply.length = r; ++ ++ /* Clear session key. */ ++ memset(&adat.session, 0, sizeof(&adat.session)); ++ ++ packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); ++ packet_put_string((char *) reply.dat, reply.length); ++ packet_send(); ++ packet_write_wait(); ++ return 1; ++} ++#endif /* KRB4 */ ++ ++#ifdef KRB5 ++int auth_krb5_tgt( char *server_user, krb5_data *krb5data) + { + krb5_creds **creds; + krb5_error_code retval; +@@ -177,7 +280,7 @@ + extern char *ticket; + static krb5_principal rcache_server = 0; + static krb5_rcache rcache; +- struct sockaddr_in local, foreign; ++ struct sockaddr_storage local, foreign; + krb5_address *local_addr, *remote_addr; + int s; + +@@ -267,5 +370,97 @@ + + } + #endif /* KRB5 */ +-#endif /* KERBEROS_TGT_PASSING */ + ++ ++#ifdef AFS ++#include <kafs.h> ++ ++int auth_kerberos_tgt(struct passwd *pw, const char *string) ++{ ++ CREDENTIALS creds; ++ extern char *ticket; ++ int r; ++ ++ if (!radix_to_creds(string, &creds)) { ++ log_msg("Protocol error decoding Kerberos V4 tgt"); ++ packet_send_debug("Protocol error decoding Kerberos V4 tgt"); ++ goto auth_kerberos_tgt_failure; ++ } ++ if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ ++ strcpy(creds.service, "krbtgt"); ++ ++ if (strcmp(creds.service, "krbtgt")) { ++ log_msg("Kerberos V4 tgt (%s%s%s@%s) rejected for uid %d", ++ creds.pname, creds.pinst[0] ? "." : "", creds.pinst, creds.realm, ++ pw->pw_uid); ++ packet_send_debug("Kerberos V4 tgt (%s%s%s@%s) rejected for uid %d", ++ creds.pname, creds.pinst[0] ? "." 
: "", creds.pinst, ++ creds.realm, pw->pw_uid); ++ goto auth_kerberos_tgt_failure; ++ } ++ if (!ssh_tf_init(pw->pw_uid) || ++ (r = in_tkt(creds.pname, creds.pinst)) || ++ (r = save_credentials(creds.service,creds.instance,creds.realm, ++ creds.session,creds.lifetime,creds.kvno, ++ &creds.ticket_st,creds.issue_date))) { ++ xfree(ticket); ++ ticket = NULL; ++ packet_send_debug("Kerberos V4 tgt refused: couldn't save credentials"); ++ goto auth_kerberos_tgt_failure; ++ } ++ /* Successful authentication, passed all checks. */ ++ chown(ticket, pw->pw_uid, pw->pw_gid); ++ packet_send_debug("Kerberos V4 tgt accepted (%s.%s@%s, %s%s%s@%s)", ++ creds.service,creds.instance,creds.realm, ++ creds.pname,creds.pinst[0] ? "." : "", ++ creds.pinst,creds.realm); ++ ++ packet_start(SSH_SMSG_SUCCESS); ++ packet_send(); ++ packet_write_wait(); ++ return 1; ++ ++auth_kerberos_tgt_failure: ++ memset(&creds, 0, sizeof(creds)); ++ packet_start(SSH_SMSG_FAILURE); ++ packet_send(); ++ packet_write_wait(); ++ return 0; ++} ++ ++int auth_afs_token(char *server_user, uid_t uid, const char *string) ++{ ++ CREDENTIALS creds; ++ ++ if (!radix_to_creds(string, &creds)) { ++ log_msg("Protocol error decoding AFS token"); ++ packet_send_debug("Protocol error decoding AFS token"); ++ packet_start(SSH_SMSG_FAILURE); ++ packet_send(); ++ packet_write_wait(); ++ return 0; ++ } ++ if (strncmp(creds.service, "", 1) == 0) /* backward compatibility */ ++ strcpy(creds.service, "afs"); ++ ++ if (strncmp(creds.pname, "AFS ID ", 7) == 0) ++ uid = atoi(creds.pname + 7); ++ ++ if (kafs_settoken(creds.realm, uid, &creds)) { ++ log_msg("AFS token (%s@%s) rejected for uid %d", creds.pname, ++ creds.realm, uid); ++ packet_send_debug("AFS token (%s@%s) rejected for uid %d", creds.pname, ++ creds.realm, uid); ++ packet_start(SSH_SMSG_FAILURE); ++ packet_send(); ++ packet_write_wait(); ++ return 0; ++ } ++ packet_send_debug("AFS token accepted (%s@%s, %s@%s)", creds.service, ++ creds.realm, creds.pname, creds.realm); ++ 
packet_start(SSH_SMSG_SUCCESS); ++ packet_send(); ++ packet_write_wait(); ++ return 1; ++} ++#endif /* AFS */ diff --git a/security/ssh6/patches/patch-at b/security/ssh6/patches/patch-at new file mode 100644 index 00000000000..b1af8c0962d --- /dev/null +++ b/security/ssh6/patches/patch-at 
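Review bot: In `auth_krb4`, `memset(&adat.session, 0, sizeof(&adat.session));` sizes the wipe by a pointer rather than by the key, so on a platform with 4-byte pointers part of the session key stays on the stack (assuming the usual 8-byte DES block type, which is declared outside this patch); it should read `memset(&adat.session, 0, sizeof(adat.session));`. The `return 0` taken when `kuserok` fails happens after `des_key_sched` and skips the wipe entirely, and `schedule` is never cleared on any path. `auth_kerberos_tgt` zeroes `creds` only under `auth_kerberos_tgt_failure`, and `auth_afs_token` never does, so decoded credentials stay in the stack frame after a successful login. In `ssh_tf_init` the `else` branch inspects `st` even when `lstat` failed with an errno other than `ENOENT`, so the mode and owner test can run on stale or uninitialised data; gate it with `lstat(ticket, &st) == 0`.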
@@ -0,0 +1,191 @@ +$NetBSD: patch-at,v 1.1 2000/03/20 02:25:40 itojun Exp $ + +--- auth-passwd.c.orig Wed May 12 07:19:23 1999 ++++ auth-passwd.c Fri Dec 24 21:50:04 1999 +@@ -301,29 +301,25 @@ + static int securid_initialized = 0; + #endif /* HAVE_SECURID */ + +-#ifdef KERBEROS +-#if defined(KRB5) ++#ifdef KRB5 + #include <krb5.h> + extern krb5_context ssh_context; + extern krb5_auth_context auth_context; +-#else +-#include <krb.h> + #endif /* KRB5 */ +-#endif /* KERBEROS */ + +-#ifdef AFS +-#include <afs/param.h> +-#include <afs/kautils.h> +-#endif /* AFS */ ++#ifdef KRB4 ++#include <sys/param.h> ++#include <krb.h> ++#endif /* KRB4 */ + +-#if defined(KERBEROS) || defined(AFS_KERBEROS) ++#if defined(KRB4) || defined(KRB5) + extern char *ticket; +-#endif /* KERBEROS || AFS_KERBEROS */ ++#endif /* KRB4 || KRB5 */ + + /* Tries to authenticate the user using password. Returns true if + authentication succeeds. */ + +-#if defined(KERBEROS) && defined(KRB5) ++#ifdef KRB5 + /* + * This routine with some modification is from the MIT V5B6 appl/bsd/login.c + * +@@ -479,16 +475,16 @@ + 0 }; + #endif + krb5_preauthtype * preauth = preauth_list; +-#endif /* KERBEROS */ ++#endif /* KRB5 */ + + /* Tries to authenticate the user using password. Returns true if + authentication succeeds. 
*/ +-#ifdef KERBEROS ++#ifdef KRB5 + int auth_password(const char *server_user, const char *password, + krb5_principal client) +-#else /* KERBEROS */ ++#else /* KRB5 */ + int auth_password(const char *server_user, const char *password) +-#endif /* KERBEROS */ ++#endif /* KRB5 */ + { + #if defined(_AIX) && defined(HAVE_AUTHENTICATE) + char *message; +@@ -505,7 +501,7 @@ + } + #else /* _AIX41 && HAVE_AUTHENTICATE */ + +-#ifdef KERBEROS ++#ifdef KRB5 + krb5_error_code problem; + int krb5_options = KDC_OPT_RENEWABLE | KDC_OPT_FORWARDABLE; + krb5_deltat rlife = 0; +@@ -515,7 +511,7 @@ + krb5_ccache ccache; + char ccname[80]; + int results; +-#endif /* KERBEROS */ ++#endif /* KRB5 */ + extern ServerOptions options; + extern char *crypt(const char *key, const char *salt); + struct passwd *pw; +@@ -537,10 +533,9 @@ + saved_pw_name = xstrdup(pw->pw_name); + saved_pw_passwd = xstrdup(pw->pw_passwd); + +-#if defined(KERBEROS) ++#if defined(KRB5) + if (options.kerberos_authentication) + { +-#if defined(KRB5) + snprintf(ccname, sizeof(ccname), "FILE:/tmp/krb5cc_l%d", getpid()); + + if (problem = krb5_cc_resolve(ssh_context, ccname, &ccache)) +@@ -658,9 +653,96 @@ + return 0; + } + } ++ } + #endif /* KRB5 */ ++#ifdef KRB4 ++ if (options.kerberos_authentication) ++ { ++ AUTH_DAT adata; ++ KTEXT_ST tkt; ++ struct hostent *hp; ++ unsigned long faddr; ++ char localhost[MAXHOSTNAMELEN]; /* local host name */ ++ char phost[INST_SZ]; /* host instance */ ++ char realm[REALM_SZ]; /* local Kerberos realm */ ++ int r; ++ ++ /* Try Kerberos password authentication only for non-root ++ users and only if Kerberos is installed. */ ++ if (pw->pw_uid != 0 && krb_get_lrealm(realm, 0) == KSUCCESS) { ++ ++ /* Set up our ticket file. */ ++ if (!ssh_tf_init(pw->pw_uid)) { ++ log_msg("Couldn't initialize Kerberos ticket file for %s!", ++ server_user); ++ goto kerberos_auth_failure; ++ } ++ /* Try to get TGT using our password. 
*/ ++ if ((r = krb_get_pw_in_tkt((char *)server_user, "", realm, "krbtgt", ++ realm, DEFAULT_TKT_LIFE, (char *)password)) != INTK_OK) { ++ packet_send_debug("Kerberos V4 password authentication for %s " ++ "failed: %s", server_user, krb_err_txt[r]); ++ goto kerberos_auth_failure; ++ } ++ /* Successful authentication. */ ++ chown(ticket, pw->pw_uid, pw->pw_gid); ++ ++ (void) gethostname(localhost, sizeof(localhost)); ++ (void) strncpy(phost, (char *)krb_get_phost(localhost), INST_SZ); ++ phost[INST_SZ-1] = 0; ++ ++ /* Now that we have a TGT, try to get a local "rcmd" ticket to ++ ensure that we are not talking to a bogus Kerberos server. */ ++ r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); ++ ++ if (r == KSUCCESS) { ++ if (!(hp = gethostbyname(localhost))) { ++ log_msg("Couldn't get local host address!"); ++ goto kerberos_auth_failure; ++ } ++ memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr)); ++ ++ /* Verify our "rcmd" ticket. */ ++ r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, ""); ++ if (r == RD_AP_UNDEC) { ++ /* Probably didn't have a srvtab on localhost. Allow login. */ ++ log_msg("Kerberos V4 TGT for %s unverifiable, no srvtab? " ++ "krb_rd_req: %s", server_user, krb_err_txt[r]); ++ } ++ else if (r != KSUCCESS) { ++ log_msg("Kerberos V4 %s ticket unverifiable: %s", ++ KRB4_SERVICE_NAME, krb_err_txt[r]); ++ goto kerberos_auth_failure; ++ } ++ } ++ else if (r == KDC_PR_UNKNOWN) { ++ /* Allow login if no rcmd service exists, but log the error. */ ++ log_msg("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " ++ "not registered, or srvtab is wrong?", server_user, ++ krb_err_txt[r], KRB4_SERVICE_NAME, phost); ++ } ++ else { ++ /* TGT is bad, forget it. Possibly spoofed. */ ++ packet_send_debug("WARNING: Kerberos V4 TGT possibly spoofed for" ++ "%s: %s", server_user, krb_err_txt[r]); ++ goto kerberos_auth_failure; ++ } ++ ++ /* Authentication succeeded. 
*/ ++ return 1; ++ ++ kerberos_auth_failure: ++ (void) dest_tkt(); ++ xfree(ticket); ++ ticket = NULL; ++ if (!options.kerberos_or_local_passwd ) return 0; ++ } ++ else /* Logging in as root or no local Kerberos realm. */ ++ packet_send_debug("Unable to authenticate to Kerberos."); ++ ++ /* Fall back to ordinary passwd authentication. */ + } +-#endif /* KERBEROS */ ++#endif /* KRB4 */ + + #ifdef HAVE_SECURID + /* Support for Security Dynamics SecurId card. diff --git a/security/ssh6/patches/patch-au b/security/ssh6/patches/patch-au new file mode 100644 index 00000000000..f83de5cc11f --- /dev/null +++ b/security/ssh6/patches/patch-au 
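Review bot: In patches/patch-at, the KRB4 branch added to auth_password() fails open: when krb_rd_req() returns `RD_AP_UNDEC` or krb_mk_req() returns `KDC_PR_UNKNOWN`, the code only logs and still reaches `return 1`, so the password is accepted on a TGT that was never checked against a local service key. On a host without a usable srvtab, whatever answered as the KDC is therefore trusted; I would at least mark both branches with a comment such as `/* fails open: TGT not verified against a local key */` and consider making the fallback configurable. The "possibly spoofed" case is reported only through packet_send_debug(), which sends a debug packet to the peer, so add a `log_msg()` call with the same text for the server log (the adjacent literals `"... spoofed for" "%s: %s"` also lack a separating space). Separately, `memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr))` copies sizeof(unsigned long) bytes, which is more than an IPv4 address where long is 64-bit; copying only `hp->h_length` bytes into a zero-initialised `faddr` avoids the over-read. auth_password() starts and ends outside the inner hunks.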
@@ -0,0 +1,77 @@ +$NetBSD: patch-au,v 1.1 2000/03/20 02:25:40 itojun Exp $ + +--- login.c.orig Wed May 12 07:19:26 1999 ++++ login.c Fri Dec 24 22:01:25 1999 +@@ -255,7 +255,7 @@ + were more standardized. */ + + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +- const char *host, struct sockaddr_in *addr) ++ const char *host, struct sockaddr *addr) + { + int fd; + +@@ -271,7 +271,22 @@ + struct utmp u, u2; + off_t offset; + const char *utmp, *wtmp; ++#endif ++#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_LASTLOG_H) || defined(HAVE_LASTLOG) ++ char myname[MAXHOSTNAMELEN]; ++ char shost[MAXHOSTNAMELEN]; ++ char *p = NULL, *q = NULL; ++ ++ memset(shost, 0, sizeof(shost)); ++ gethostname(myname, MAXHOSTNAMELEN); ++ if (((p = memchr(myname, '.', MAXHOSTNAMELEN)) != NULL) ++ && ((q = strchr(host, '.')) != NULL) ++ && (strncmp(p, q, MAXHOSTNAMELEN - (p - myname)) == 0)) { ++ strncpy(shost, host, q - host); ++ } ++#endif + ++#if defined(HAVE_UTMP_H) && !defined(HAVE_UTMPX_H) + /* Construct an utmp/wtmp entry. */ + memset(&u, 0, sizeof(u)); + #ifdef DEAD_PROCESS +@@ -301,17 +316,21 @@ + strncpy(u.ut_user, user, sizeof(u.ut_user)); + #endif /* HAVE_NAME_IN_UTMP */ + #ifdef HAVE_HOST_IN_UTMP +- strncpy(u.ut_host, host, sizeof(u.ut_host)); +-#ifdef __FreeBSD__ +- if (strlen(host) > sizeof(u.ut_host)) { ++ if ((*shost != '\0') && (strlen(shost) <= sizeof(u.ut_host))) ++ strncpy(u.ut_host, shost, sizeof(u.ut_host)); ++#ifndef HAVE_ADDR_IN_UTMP ++ else if (strlen(host) > sizeof(u.ut_host)) + strncpy(u.ut_host, get_remote_ipaddr(), sizeof(u.ut_host)); +- } +-#endif /* __FreeBSD__ */ ++#endif /* HAVE_ADDR_IN_UTMP */ ++ else ++ strncpy(u.ut_host, host, sizeof(u.ut_host)); + #endif /* HAVE_HOST_IN_UTMP */ + #ifdef HAVE_ADDR_IN_UTMP ++#if 0 /* XXX */ + if (addr) + memcpy(&u.ut_addr, &addr->sin_addr, sizeof(u.ut_addr)); + else ++#endif /* XXX */ + memset(&u.ut_addr, 0, sizeof(u.ut_addr)); + #endif + +@@ -490,7 +509,12 @@ + /* Update lastlog. 
*/ + ll.ll_time = time(NULL); + strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line)); +- strncpy(ll.ll_host, host, sizeof(ll.ll_host)); ++ if ((*shost != '\0') && (strlen(shost) <= sizeof(ll.ll_host))) ++ strncpy(ll.ll_host, shost, sizeof(ll.ll_host)); ++ else if (strlen(host) > sizeof(ll.ll_host)) ++ strncpy(ll.ll_host, get_remote_ipaddr(), sizeof(ll.ll_host)); ++ else ++ strncpy(ll.ll_host, host, sizeof(ll.ll_host)); + #ifdef LASTLOG_IS_DIR + snprintf(lastlogfile, sizeof(lastlogfile), + "%.100s/%.100s", lastlog, user); diff --git a/security/ssh6/patches/patch-av b/security/ssh6/patches/patch-av new file mode 100644 index 00000000000..503077e2446 --- /dev/null +++ b/security/ssh6/patches/patch-av @@ -0,0 +1,13 @@ +$NetBSD: patch-av,v 1.1 2000/03/20 02:25:40 itojun Exp $ + +--- serverloop.c.orig Wed May 12 13:19:28 1999 ++++ serverloop.c Sat May 15 04:33:35 1999 +@@ -446,7 +446,7 @@ + if (ret == 0) /* Nothing read, timeout expired */ + { + /* Check if idle_timeout expired ? */ +- if (idle_timeout != 0 && !child_terminated && ++ if (idle_timeout != 0 && !child_terminated && idle_time_last && + time(NULL) - idle_time_last > idle_timeout) + { + /* Yes, kill the child */ diff --git a/security/ssh6/patches/patch-aw b/security/ssh6/patches/patch-aw new file mode 100644 index 00000000000..1bafdf94611 --- /dev/null +++ b/security/ssh6/patches/patch-aw 
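Review bot: In patches/patch-au, record_login() copies the first label of `host` with `strncpy(shost, host, q - host)`, and that length is never compared with `sizeof(shost)`; `host` is presumably the client's resolved name, so a first label of MAXHOSTNAMELEN bytes or more would write past the buffer. Guard the copy, for example `if ((size_t)(q - host) < sizeof(shost)) strncpy(shost, host, q - host);`. The preceding `gethostname(myname, MAXHOSTNAMELEN)` is unchecked and `myname` is not cleared, so `memchr()` may scan uninitialised bytes; a `memset(myname, 0, sizeof(myname))` before the call would remove that. The `#if 0 /* XXX */` around the `ut_addr` copy means the peer address is now always recorded as zero in utmp, which deserves a comment saying why and what log consumers lose. record_login() extends beyond the inner hunks.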
@@ -0,0 +1,269 @@ +$NetBSD: patch-aw,v 1.1 2000/03/20 02:25:41 itojun Exp $ + +--- canohost.c.orig Wed May 12 07:19:24 1999 ++++ canohost.c Fri Dec 24 21:50:38 1999 +@@ -59,10 +59,11 @@ + + char *get_remote_hostname(int socket) + { +- struct sockaddr_in from; ++ struct sockaddr_storage from; + int fromlen, i; +- struct hostent *hp; ++ struct addrinfo hints, *ai, *aitop; + char name[255]; ++ char ntop[ADDRSTRLEN], ntop2[ADDRSTRLEN]; + + /* Get IP address of client. */ + fromlen = sizeof(from); +@@ -73,14 +74,16 @@ + strcpy(name, "UNKNOWN"); + goto check_ip_options; + } ++ ++ getnameinfo((struct sockaddr *)&from, fromlen, ++ ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); + + /* Map the IP address to a host name. */ +- hp = gethostbyaddr((char *)&from.sin_addr, sizeof(struct in_addr), +- from.sin_family); +- if (hp) ++ if (getnameinfo((struct sockaddr *)&from, fromlen, ++ name, sizeof(name), ++ NULL, 0, NI_NAMEREQD) == 0) + { + /* Got host name. */ +- strncpy(name, hp->h_name, sizeof(name)); + name[sizeof(name) - 1] = '\0'; + + /* Convert it to all lowercase (which is expected by the rest of this +@@ -95,25 +98,30 @@ + Mapping from name to IP address can be trusted better (but can still + be fooled if the intruder has access to the name server of the + domain). */ +- hp = gethostbyname(name); +- if (!hp) ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = from.__ss_family; ++ if (getaddrinfo(name, NULL, &hints, &aitop) != 0) + { + log_msg("reverse mapping checking gethostbyname for %.700s failed - POSSIBLE BREAKIN ATTEMPT!", name); +- strcpy(name, inet_ntoa(from.sin_addr)); ++ strcpy(name, ntop); + goto check_ip_options; + } + /* Look for the address from the list of addresses. 
*/ +- for (i = 0; hp->h_addr_list[i]; i++) +- if (memcmp(hp->h_addr_list[i], &from.sin_addr, sizeof(from.sin_addr)) +- == 0) +- break; ++ for (ai = aitop; ai; ai = ai->ai_next) ++ { ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop2, sizeof(ntop2), NULL, 0, NI_NUMERICHOST); ++ if (strcmp(ntop, ntop2) == 0) ++ break; ++ } ++ freeaddrinfo(aitop); + /* If we reached the end of the list, the address was not there. */ +- if (!hp->h_addr_list[i]) ++ if (!ai) + { + /* Address not found for the host name. */ + log_msg("Address %.100s maps to %.600s, but this does not map back to the address - POSSIBLE BREAKIN ATTEMPT!", +- inet_ntoa(from.sin_addr), name); +- strcpy(name, inet_ntoa(from.sin_addr)); ++ ntop, name); ++ strcpy(name, ntop); + goto check_ip_options; + } + /* Address was found for the host name. We accept the host name. */ +@@ -121,7 +129,7 @@ + else + { + /* Host name not found. Use ascii representation of the address. */ +- strcpy(name, inet_ntoa(from.sin_addr)); ++ strcpy(name, ntop); + log_msg("Could not reverse map address %.100s.", name); + } + +@@ -136,6 +144,7 @@ + Notice also that if we just dropped source routing here, the other + side could use IP spoofing to do rest of the interaction and could still + bypass security. So we exit here if we detect any IP options. 
*/ ++ if (from.__ss_family == AF_INET) /* IP options -- IPv4 only */ + { + unsigned char options[200], *ucp; + char text[1024], *cp; +@@ -157,9 +166,9 @@ + for (ucp = options; option_size > 0; ucp++, option_size--, cp += 3) + sprintf(cp, " %2.2x", *ucp); + log_msg("Connection from %.100s with IP options:%.800s", +- inet_ntoa(from.sin_addr), text); ++ ntop, text); + packet_disconnect("Connection from %.100s with IP options:%.800s", +- inet_ntoa(from.sin_addr), text); ++ ntop, text); + } + } + #endif +@@ -177,7 +186,7 @@ + const char *get_canonical_hostname(void) + { + int fromlen, tolen; +- struct sockaddr_in from, to; ++ struct sockaddr_storage from, to; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_name != NULL) +@@ -200,8 +209,7 @@ + &tolen) < 0) + goto no_ip_addr; + +- if (from.sin_family == AF_INET && to.sin_family == AF_INET && +- memcmp(&from, &to, sizeof(from)) == 0) ++ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_ip_addr; + + no_ip_addr: +@@ -221,8 +229,9 @@ + + const char *get_remote_ipaddr(void) + { +- struct sockaddr_in from, to; ++ struct sockaddr_storage from, to; + int fromlen, tolen, socket; ++ char ntop[ADDRSTRLEN]; + + /* Check if we have previously retrieved this same name. */ + if (canonical_host_ip != NULL) +@@ -245,8 +254,7 @@ + &tolen) < 0) + goto no_ip_addr; + +- if (from.sin_family == AF_INET && to.sin_family == AF_INET && +- memcmp(&from, &to, sizeof(from)) == 0) ++ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_ip_addr; + + no_ip_addr: +@@ -269,7 +277,9 @@ + } + + /* Get the IP address in ascii. */ +- canonical_host_ip = xstrdup(inet_ntoa(from.sin_addr)); ++ getnameinfo((struct sockaddr *)&from, fromlen, ++ ntop, sizeof(ntop), NULL, 0, NI_NUMERICHOST); ++ canonical_host_ip = xstrdup(ntop); + + /* Return ip address string. 
*/ + return canonical_host_ip; +@@ -279,8 +289,9 @@ + + int get_peer_port(int sock) + { +- struct sockaddr_in from; ++ struct sockaddr_storage from; + int fromlen; ++ char strport[PORTSTRLEN]; + + /* Get IP address of client. */ + fromlen = sizeof(from); +@@ -292,7 +303,9 @@ + } + + /* Return port number. */ +- return ntohs(from.sin_port); ++ getnameinfo((struct sockaddr *)&from, fromlen, ++ NULL, 0, strport, sizeof(strport), NI_NUMERICSERV); ++ return atoi(strport); + } + + /* Returns the port number of the remote host. */ +@@ -301,7 +314,7 @@ + { + int socket; + int fromlen, tolen; +- struct sockaddr_in from, to; ++ struct sockaddr_storage from, to; + + /* If two different descriptors, check if they are internet-domain, and + have the same address. */ +@@ -319,8 +332,7 @@ + &tolen) < 0) + goto no_ip_addr; + +- if (from.sin_family == AF_INET && to.sin_family == AF_INET && +- memcmp(&from, &to, sizeof(from)) == 0) ++ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) + goto return_port; + + no_ip_addr: +@@ -335,3 +347,67 @@ + /* Get and return the peer port number. */ + return get_peer_port(socket); + } ++ ++/* Returns the port of the local of the socket. */ ++ ++int get_sock_port(int sock) ++{ ++ struct sockaddr_storage from; ++ int fromlen; ++ char strport[PORTSTRLEN]; ++ ++ /* Get IP address of client. */ ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) ++ { ++ error("getsockname failed: %.100s", strerror(errno)); ++ return 0; ++ } ++ ++ /* Return port number. */ ++ getnameinfo((struct sockaddr *)&from, fromlen, ++ NULL, 0, strport, sizeof(strport), NI_NUMERICSERV); ++ return atoi(strport); ++} ++ ++/* Returns the port number of the local host. */ ++ ++int get_local_port() ++{ ++ int socket; ++ int fromlen, tolen; ++ struct sockaddr_storage from, to; ++ ++ /* If two different descriptors, check if they are internet-domain, and ++ have the same address. 
*/ ++ if (packet_get_connection_in() != packet_get_connection_out()) ++ { ++ fromlen = sizeof(from); ++ memset(&from, 0, sizeof(from)); ++ if (getsockname(packet_get_connection_in(), (struct sockaddr *)&from, ++ &fromlen) < 0) ++ goto no_ip_addr; ++ ++ tolen = sizeof(to); ++ memset(&to, 0, sizeof(to)); ++ if (getsockname(packet_get_connection_out(), (struct sockaddr *)&to, ++ &tolen) < 0) ++ goto no_ip_addr; ++ ++ if (fromlen == tolen && memcmp(&from, &to, fromlen) == 0) ++ goto return_port; ++ ++ no_ip_addr: ++ return 65535; ++ } ++ ++ return_port: ++ ++ /* Get client socket. */ ++ socket = packet_get_connection_in(); ++ ++ /* Get and return the local port number. */ ++ return get_sock_port(socket); ++} ++ diff --git a/security/ssh6/patches/patch-ax b/security/ssh6/patches/patch-ax new file mode 100644 index 00000000000..8385f6c5884 --- /dev/null +++ b/security/ssh6/patches/patch-ax 
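Review bot: In patches/patch-aw, every new getnameinfo() call that fills `ntop` or `strport` ignores the return value, so on failure get_remote_hostname() copies an uninitialised `ntop` into `name` and into the log, and get_peer_port()/get_sock_port() pass an uninitialised `strport` to atoi(). Check the result at each site, for example `if (getnameinfo(...) != 0) return 0;` in the two port helpers and a `strcpy(ntop, "UNKNOWN");` fallback in the address paths, matching what the function already does when getpeername() fails. The same-socket tests were changed to `fromlen == tolen && memcmp(&from, &to, fromlen) == 0` without the former address-family check, so it is worth confirming that non-internet descriptors cannot reach `return_ip_addr` or `return_port`. The IP-options rejection is now guarded by `from.__ss_family == AF_INET`; the comment should say explicitly that IPv6 extension headers are not examined here. Apart from get_sock_port() and get_local_port(), the touched functions start or end outside the inner hunks.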
@@ -0,0 +1,60 @@ +$NetBSD: patch-ax,v 1.1 2000/03/20 02:25:41 itojun Exp $ + +--- cipher.c.orig Wed May 12 07:19:24 1999 ++++ cipher.c Fri Dec 24 21:50:04 1999 +@@ -213,7 +213,7 @@ + used. */ + if (keylen < 8) + error("Key length %d is insufficient for DES.", keylen); +- des_set_key(padded, &context->u.des.key); ++ ssh_des_set_key(padded, &context->u.des.key); + memset(context->u.des.iv, 0, sizeof(context->u.des.iv)); + break; + #endif /* WITH_DES */ +@@ -224,12 +224,12 @@ + used (first and last keys are the same). */ + if (keylen < 16) + error("Key length %d is insufficient for 3DES.", keylen); +- des_set_key(padded, &context->u.des3.key1); +- des_set_key(padded + 8, &context->u.des3.key2); ++ ssh_des_set_key(padded, &context->u.des3.key1); ++ ssh_des_set_key(padded + 8, &context->u.des3.key2); + if (keylen <= 16) +- des_set_key(padded, &context->u.des3.key3); ++ ssh_des_set_key(padded, &context->u.des3.key3); + else +- des_set_key(padded + 16, &context->u.des3.key3); ++ ssh_des_set_key(padded + 16, &context->u.des3.key3); + memset(context->u.des3.iv1, 0, sizeof(context->u.des3.iv1)); + memset(context->u.des3.iv2, 0, sizeof(context->u.des3.iv2)); + memset(context->u.des3.iv3, 0, sizeof(context->u.des3.iv3)); +@@ -274,12 +274,12 @@ + + #ifdef WITH_DES + case SSH_CIPHER_DES: +- des_cbc_encrypt(&context->u.des.key, context->u.des.iv, dest, src, len); ++ ssh_des_cbc_encrypt(&context->u.des.key, context->u.des.iv, dest, src, len); + break; + #endif /* WITH_DES */ + + case SSH_CIPHER_3DES: +- des_3cbc_encrypt(&context->u.des3.key1, context->u.des3.iv1, ++ ssh_des_3cbc_encrypt(&context->u.des3.key1, context->u.des3.iv1, + &context->u.des3.key2, context->u.des3.iv2, + &context->u.des3.key3, context->u.des3.iv3, + dest, src, len); +@@ -322,12 +322,12 @@ + + #ifdef WITH_DES + case SSH_CIPHER_DES: +- des_cbc_decrypt(&context->u.des.key, context->u.des.iv, dest, src, len); ++ ssh_des_cbc_decrypt(&context->u.des.key, context->u.des.iv, dest, src, len); + break; + #endif /* 
WITH_DES */ + + case SSH_CIPHER_3DES: +- des_3cbc_decrypt(&context->u.des3.key1, context->u.des3.iv1, ++ ssh_des_3cbc_decrypt(&context->u.des3.key1, context->u.des3.iv1, + &context->u.des3.key2, context->u.des3.iv2, + &context->u.des3.key3, context->u.des3.iv3, + dest, src, len); diff --git a/security/ssh6/patches/patch-ay b/security/ssh6/patches/patch-ay new file mode 100644 index 00000000000..b9fcf7e9813 --- /dev/null +++ b/security/ssh6/patches/patch-ay @@ -0,0 +1,13 @@ +$NetBSD: patch-ay,v 1.1 2000/03/20 02:25:41 itojun Exp $ + +--- cipher.h.orig Wed May 12 07:19:25 1999 ++++ cipher.h Fri Dec 24 21:50:04 1999 +@@ -58,7 +58,7 @@ + #ifndef WITHOUT_IDEA + #include "idea.h" + #endif /* WITHOUT_IDEA */ +-#include "des.h" ++#include "ssh-des.h" + #ifdef WITH_ARCFOUR + #include "arcfour.h" + #endif /* WITH_ARCFOUR */ diff --git a/security/ssh6/patches/patch-az b/security/ssh6/patches/patch-az new file mode 100644 index 00000000000..1f44c3117bb --- /dev/null +++ b/security/ssh6/patches/patch-az 
@@ -0,0 +1,102 @@ +$NetBSD: patch-az,v 1.1 2000/03/20 02:25:41 itojun Exp $ + +--- config.h.in.orig Wed May 12 07:20:04 1999 ++++ config.h.in Fri Dec 24 21:50:38 1999 +@@ -244,12 +244,6 @@ + /* Support for Secure RPC */ + #undef SECURE_RPC + +-/* Support for Secure NFS */ +-#undef SECURE_NFS +- +-/* Support for NIS+ */ +-#undef NIS_PLUS +- + /* Define this to disable all port forwardings in server (except X11) */ + #undef SSHD_NO_PORT_FORWARDING + +@@ -296,16 +290,23 @@ + /* Define this if your gettimeofday doesn't have TZ parameter */ + #undef HAVE_NO_TZ_IN_GETTIMEOFDAY + +-/* Define this if you want to compile in Kerberos support. */ +-#undef KERBEROS +- + /* Define this if you want to compile in Kerberos V5 support. +- KERBEROS must be compiled in as well. This can be done at configure +- time with the --with-kerberos5 argument*/ ++ This can be done at configure time with the --with-krb5 argument. */ + #undef KRB5 + +-/* Define this if you want to pass the Kerberos TGT. */ +-#undef KERBEROS_TGT_PASSING ++/* Define this if you want to compile in Kerberos V4 support. ++ This can be done at configure time with the --with-krb4 argument. */ ++#undef KRB4 ++ ++/* Define this if you what to build ssh with Hesiod support. */ ++#undef HESIOD ++ ++/* Define this if you want to compile in AFS support. ++ This can be done at configure time with the --with-afs argument. */ ++#undef AFS ++ ++/* Define this if you have the AFS lifetime conversion routines. */ ++#undef HAVE_KRB_LIFE_TO_TIME + + /* Define this if you dont have SIGINFO as signal but some other macro */ + #undef HAVE_INCOMPATIBLE_SIGINFO +@@ -323,6 +324,24 @@ + /etc/nologin.allow. */ + #undef NOLOGIN_ALLOW + ++/* Define this if you have struct sockaddr_storage. */ ++#undef HAVE_SOCKADDR_STORAGE ++ ++/* Define this if you have __sa_family in struct sockaddr_storage. */ ++#undef HAVE_NEW_SS_FAMILY ++ ++/* Define this if you have ss_len in struct sockaddr. 
*/ ++#undef HAVE_SOCKADDR_LEN ++ ++/* Define this if you want to enable IPv6 support. */ ++#undef ENABLE_IPV6 ++ ++/* Define this if you want to enable another port try support. */ ++#undef ENABLE_ANOTHER_PORT_TRY ++ ++/* Define this if you want to enable logging auth info support. */ ++#undef ENABLE_LOG_AUTH ++ + /* Where to find the X11 socket */ + #undef X11_DIR + +@@ -375,12 +394,18 @@ + /* Define if you have the ftruncate function. */ + #undef HAVE_FTRUNCATE + ++/* Define if you have the getaddrinfo function. */ ++#undef HAVE_GETADDRINFO ++ + /* Define if you have the getdtablesize function. */ + #undef HAVE_GETDTABLESIZE + + /* Define if you have the gethostname function. */ + #undef HAVE_GETHOSTNAME + ++/* Define if you have the getnameinfo function. */ ++#undef HAVE_GETNAMEINFO ++ + /* Define if you have the getpseudotty function. */ + #undef HAVE_GETPSEUDOTTY + +@@ -518,6 +543,9 @@ + + /* Define if you have the <sys/dir.h> header file. */ + #undef HAVE_SYS_DIR_H ++ ++/* Define if you have the <sys/filio.h> header file. */ ++#undef HAVE_SYS_FILIO_H + + /* Define if you have the <sys/ioctl.h> header file. */ + #undef HAVE_SYS_IOCTL_H diff --git a/security/ssh6/patches/patch-ba b/security/ssh6/patches/patch-ba new file mode 100644 index 00000000000..8bfa55d1459 --- /dev/null +++ b/security/ssh6/patches/patch-ba 
@@ -0,0 +1,137 @@ +$NetBSD: patch-ba,v 1.1 2000/03/20 02:25:42 itojun Exp $ + +--- des.c.orig Wed May 12 07:19:25 1999 ++++ des.c Fri Dec 24 21:50:04 1999 +@@ -38,7 +38,7 @@ + + #include "includes.h" + #include "getput.h" +-#include "des.h" ++#include "ssh-des.h" + + /* Table for key generation. This used to be in sk.h. */ + /* Copyright (C) 1993 Eric Young - see README for more details */ +@@ -400,7 +400,7 @@ + /* This part is based on code that used to be in ecb_enc.c. */ + /* Copyright (C) 1993 Eric Young - see README for more details */ + +-void des_encrypt(word32 l, word32 r, word32 *output, DESContext *ks, ++void ssh_des_encrypt(word32 l, word32 r, word32 *output, DESContext *ks, + int encrypt) + { + register word32 t,u; +@@ -452,7 +452,7 @@ + #define HPERM_OP(a,t,n,m) ((t)=((((a)<<(16-(n)))^(a))&(m)),\ + (a)=(a)^(t)^(t>>(16-(n)))) + +-void des_set_key(unsigned char *key, DESContext *ks) ++void ssh_des_set_key(unsigned char *key, DESContext *ks) + { + register word32 c, d, t, s, shifts; + register int i; +@@ -507,7 +507,7 @@ + } + } + +-void des_cbc_encrypt(DESContext *ks, unsigned char *iv, ++void ssh_des_cbc_encrypt(DESContext *ks, unsigned char *iv, + unsigned char *dest, const unsigned char *src, + unsigned int len) + { +@@ -523,7 +523,7 @@ + { + iv0 ^= GET_32BIT_LSB_FIRST(src + i); + iv1 ^= GET_32BIT_LSB_FIRST(src + i + 4); +- des_encrypt(iv0, iv1, out, ks, 1); ++ ssh_des_encrypt(iv0, iv1, out, ks, 1); + iv0 = out[0]; + iv1 = out[1]; + PUT_32BIT_LSB_FIRST(dest + i, iv0); +@@ -533,7 +533,7 @@ + PUT_32BIT_LSB_FIRST(iv + 4, iv1); + } + +-void des_cbc_decrypt(DESContext *ks, unsigned char *iv, ++void ssh_des_cbc_decrypt(DESContext *ks, unsigned char *iv, + unsigned char *dest, const unsigned char *src, + unsigned int len) + { +@@ -549,7 +549,7 @@ + { + d0 = GET_32BIT_LSB_FIRST(src + i); + d1 = GET_32BIT_LSB_FIRST(src + i + 4); +- des_encrypt(d0, d1, out, ks, 0); ++ ssh_des_encrypt(d0, d1, out, ks, 0); + iv0 ^= out[0]; + iv1 ^= out[1]; + 
PUT_32BIT_LSB_FIRST(dest + i, iv0); +@@ -561,38 +561,38 @@ + PUT_32BIT_LSB_FIRST(iv + 4, iv1); + } + +-void des_3cbc_encrypt(DESContext *ks1, unsigned char *iv1, ++void ssh_des_3cbc_encrypt(DESContext *ks1, unsigned char *iv1, + DESContext *ks2, unsigned char *iv2, + DESContext *ks3, unsigned char *iv3, + unsigned char *dest, const unsigned char *src, + unsigned int len) + { +- des_cbc_encrypt(ks1, iv1, dest, src, len); +- des_cbc_decrypt(ks2, iv2, dest, dest, len); +- des_cbc_encrypt(ks3, iv3, dest, dest, len); ++ ssh_des_cbc_encrypt(ks1, iv1, dest, src, len); ++ ssh_des_cbc_decrypt(ks2, iv2, dest, dest, len); ++ ssh_des_cbc_encrypt(ks3, iv3, dest, dest, len); + } + +-void des_3cbc_decrypt(DESContext *ks1, unsigned char *iv1, ++void ssh_des_3cbc_decrypt(DESContext *ks1, unsigned char *iv1, + DESContext *ks2, unsigned char *iv2, + DESContext *ks3, unsigned char *iv3, + unsigned char *dest, const unsigned char *src, + unsigned int len) + { +- des_cbc_decrypt(ks3, iv3, dest, src, len); +- des_cbc_encrypt(ks2, iv2, dest, dest, len); +- des_cbc_decrypt(ks1, iv1, dest, dest, len); ++ ssh_des_cbc_decrypt(ks3, iv3, dest, src, len); ++ ssh_des_cbc_encrypt(ks2, iv2, dest, dest, len); ++ ssh_des_cbc_decrypt(ks1, iv1, dest, dest, len); + } + +-#ifdef DES_TEST ++#ifdef SSH_DES_TEST + +-void des_encrypt_buf(DESContext *ks, unsigned char *out, ++void ssh_des_encrypt_buf(DESContext *ks, unsigned char *out, + const unsigned char *in, int encrypt) + { + word32 in0, in1, output[0]; + + in0 = GET_32BIT_LSB_FIRST(in); + in1 = GET_32BIT_LSB_FIRST(in + 4); +- des_encrypt(in0, in1, output, ks, encrypt); ++ ssh_des_encrypt(in0, in1, output, ks, encrypt); + PUT_32BIT_LSB_FIRST(out, output[0]); + PUT_32BIT_LSB_FIRST(out + 4, output[1]); + } +@@ -634,15 +634,15 @@ + } + result[i] = value; + } +- des_set_key(key, &ks); +- des_encrypt_buf(&ks, output, data, 1); ++ ssh_des_set_key(key, &ks); ++ ssh_des_encrypt_buf(&ks, output, data, 1); + if (memcmp(output, result, 8) != 0) + fprintf(stderr, 
"Encrypt failed: %s", line); +- des_encrypt_buf(&ks, output, result, 0); ++ ssh_des_encrypt_buf(&ks, output, result, 0); + if (memcmp(output, data, 8) != 0) + fprintf(stderr, "Decrypt failed: %s", line); + } + exit(0); + } +-#endif /* DES_TEST */ ++#endif /* SSH_DES_TEST */ + diff --git a/security/ssh6/patches/patch-bb b/security/ssh6/patches/patch-bb new file mode 100644 index 00000000000..936d7522631 --- /dev/null +++ b/security/ssh6/patches/patch-bb 
@@ -0,0 +1,64 @@ +$NetBSD: patch-bb,v 1.1 2000/03/20 02:25:42 itojun Exp $ + +--- ssh-des.h.orig Wed May 12 07:19:25 1999 ++++ ssh-des.h Fri Dec 24 21:50:04 1999 +@@ -25,8 +25,8 @@ + * $Endlog$ + */ + +-#ifndef DES_H +-#define DES_H ++#ifndef SSH_DES_H ++#define SSH_DES_H + + typedef struct + { +@@ -35,40 +35,40 @@ + + /* Sets the des key for the context. Initializes the context. The least + significant bit of each byte of the key is ignored as parity. */ +-void des_set_key(unsigned char *key, DESContext *ks); ++void ssh_des_set_key(unsigned char *key, DESContext *ks); + + /* Encrypts 32 bits in l,r, and stores the result in output[0] and output[1]. + Performs encryption if encrypt is non-zero, and decryption if it is zero. +- The key context must have been initialized previously with des_set_key. */ +-void des_encrypt(word32 l, word32 r, word32 *output, DESContext *ks, ++ The key context must have been initialized previously with ssh_des_set_key. */ ++void ssh_des_encrypt(word32 l, word32 r, word32 *output, DESContext *ks, + int encrypt); + + /* Encrypts len bytes from src to dest in CBC modes. Len must be a multiple + of 8. iv will be modified at end to a value suitable for continuing + encryption. */ +-void des_cbc_encrypt(DESContext *ks, unsigned char *iv, unsigned char *dest, ++void ssh_des_cbc_encrypt(DESContext *ks, unsigned char *iv, unsigned char *dest, + const unsigned char *src, unsigned int len); + + /* Decrypts len bytes from src to dest in CBC modes. Len must be a multiple + of 8. iv will be modified at end to a value suitable for continuing + decryption. */ +-void des_cbc_decrypt(DESContext *ks, unsigned char *iv, unsigned char *dest, ++void ssh_des_cbc_decrypt(DESContext *ks, unsigned char *iv, unsigned char *dest, + const unsigned char *src, unsigned int len); + + /* Encrypts in CBC mode using triple-DES. 
*/ +-void des_3cbc_encrypt(DESContext *ks1, unsigned char *iv1, ++void ssh_des_3cbc_encrypt(DESContext *ks1, unsigned char *iv1, + DESContext *ks2, unsigned char *iv2, + DESContext *ks3, unsigned char *iv3, + unsigned char *dest, const unsigned char *src, + unsigned int len); + + /* Decrypts in CBC mode using triple-DES. */ +-void des_3cbc_decrypt(DESContext *ks1, unsigned char *iv1, ++void ssh_des_3cbc_decrypt(DESContext *ks1, unsigned char *iv1, + DESContext *ks2, unsigned char *iv2, + DESContext *ks3, unsigned char *iv3, + unsigned char *dest, const unsigned char *src, + unsigned int len); + +-#endif /* DES_H */ ++#endif /* SSH_DES_H */ + + diff --git a/security/ssh6/patches/patch-bc b/security/ssh6/patches/patch-bc new file mode 100644 index 00000000000..d3ed2bdddbe --- /dev/null +++ b/security/ssh6/patches/patch-bc @@ -0,0 +1,16 @@ +$NetBSD: patch-bc,v 1.1 2000/03/20 02:25:42 itojun Exp $ + +--- match.c.orig Wed May 12 07:19:27 1999 ++++ match.c Fri Dec 24 21:50:42 1999 +@@ -129,6 +129,11 @@ + is_ip_pattern = 0; + break; + } ++ for(p = pattern; *p; p++) ++ if (!(isxdigit(*p) || *p == ':' || *p == '?' || *p == '*')) ++ break; ++ if (ip && !*p) ++ is_ip_pattern = 1; + if (is_ip_pattern) + { + return match_pattern(ip, pattern); diff --git a/security/ssh6/patches/patch-bd b/security/ssh6/patches/patch-bd new file mode 100644 index 00000000000..0a5b9816623 --- /dev/null +++ b/security/ssh6/patches/patch-bd 
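Review bot: In patches/patch-bc, the added loop marks any pattern made only of hex digits, `:`, `?` and `*` as an IP pattern, so a host-name pattern such as `cafe*` or `dead?` (constructed examples) would now be matched against the address through `match_pattern(ip, pattern)` instead of the name, and an allow or deny rule written for host names could silently stop applying. Requiring a colon keeps the IPv6 case without catching those: `if (ip && !*p && strchr(pattern, ':')) is_ip_pattern = 1;`. `isxdigit(*p)` should also be called as `isxdigit((unsigned char)*p)`, since passing a negative char value is undefined. The enclosing function starts and ends outside the hunk.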
@@ -0,0 +1,121 @@ +$NetBSD: patch-bd,v 1.1 2000/03/20 02:25:42 itojun Exp $ + +--- readconf.c.orig Wed May 12 07:19:27 1999 ++++ readconf.c Fri Dec 24 21:50:42 1999 +@@ -170,7 +170,13 @@ + oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, + oBatchMode, oStrictHostKeyChecking, oCompression, oCompressionLevel, + oKeepAlives, oUsePrivilegedPort, oKerberosAuthentication, ++#ifdef AFS ++ oAFSTokenPassing, ++#endif /* AFS */ + oKerberosTgtPassing, oClearAllForwardings, oNumberOfPasswordPrompts, ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ oAnotherPort, ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + oXauthPath, oGatewayPorts, oPasswordPromptLogin, oPasswordPromptHost + } OpCodes; + +@@ -194,6 +200,9 @@ + { "hostname", oHostName }, + { "proxycommand", oProxyCommand }, + { "port", oPort }, ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ { "anotherport", oAnotherPort }, ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + { "cipher", oCipher }, + { "remoteforward", oRemoteForward }, + { "localforward", oLocalForward }, +@@ -213,6 +222,9 @@ + { "useprivilegedport", oUsePrivilegedPort }, + { "kerberosauthentication", oKerberosAuthentication }, + { "kerberostgtpassing", oKerberosTgtPassing }, ++#ifdef AFS ++ { "afstokenpassing", oAFSTokenPassing }, ++#endif /* AFS */ + { "clearallforwardings", oClearAllForwardings }, + { "numberofpasswordprompts", oNumberOfPasswordPrompts }, + { "xauthlocation", oXauthPath }, +@@ -354,6 +366,12 @@ + intptr = &options->kerberos_tgt_passing; + goto parse_flag; + ++#ifdef AFS ++ case oAFSTokenPassing: ++ intptr = &options->afs_token_passing; ++ goto parse_flag; ++#endif /* AFS */ ++ + case oFallBackToRsh: + intptr = &options->fallback_to_rsh; + goto parse_flag; +@@ -497,6 +515,12 @@ + *intptr = value; + break; + ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ case oAnotherPort: ++ intptr = &options->another_port; ++ goto parse_int; ++#endif /* ENABLE_ANOTHER_PORT_TRY */ ++ + case oConnectionAttempts: + intptr = &options->connection_attempts; + goto parse_int; +@@ -678,6 +702,9 @@ + 
options->rsa_authentication = -1; + options->kerberos_authentication = -1; + options->kerberos_tgt_passing = -1; ++#ifdef AFS ++ options->afs_token_passing = -1; ++#endif /* AFS */ + options->tis_authentication = -1; + options->password_authentication = -1; + options->rhosts_rsa_authentication = -1; +@@ -689,6 +716,9 @@ + options->keepalives = -1; + options->compression_level = -1; + options->port = -1; ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ options->another_port = -1; ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + options->connection_attempts = -1; + options->number_of_password_prompts = -1; + options->password_prompt_login = -1; +@@ -724,17 +754,19 @@ + if (options->rsa_authentication == -1) + options->rsa_authentication = 1; + if (options->kerberos_authentication == -1) +-#if defined(KERBEROS) && defined(KRB5) ++#if defined(KRB4) || defined(KRB5) + options->kerberos_authentication = 1; +-#else /* defined(KERBEROS) && defined(KRB5) */ ++#else + options->kerberos_authentication = 0; +-#endif /* defined(KERBEROS) && defined(KRB5) */ ++#endif /* defined(KRB4) || defined(KRB5) */ + if (options->kerberos_tgt_passing == -1) +-#if defined(KERBEROS_TGT_PASSING) && defined(KRB5) ++#if defined(AFS) + options->kerberos_tgt_passing = 1; +-#else /* defined(KERBEROS_TGT_PASSING) && defined(KRB5) */ ++ if (options->afs_token_passing == -1) ++ options->afs_token_passing = 1; ++#else + options->kerberos_tgt_passing = 0; +-#endif /* defined(KERBEROS_TGT_PASSING) && defined(KRB5) */ ++#endif /* AFS */ + if (options->tis_authentication == -1) + options->tis_authentication = 0; + if (options->password_authentication == -1) +@@ -759,6 +791,10 @@ + options->compression_level = 6; + if (options->port == -1) + options->port = 0; /* Filled in ssh_connect. 
*/ ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ if (options->another_port == -1) ++ options->another_port = 0; ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + if (options->connection_attempts == -1) + options->connection_attempts = 4; + if (options->number_of_password_prompts == -1) diff --git a/security/ssh6/patches/patch-be b/security/ssh6/patches/patch-be new file mode 100644 index 00000000000..28b6c7a34c3 --- /dev/null +++ b/security/ssh6/patches/patch-be @@ -0,0 +1,24 @@ +$NetBSD: patch-be,v 1.1 2000/03/20 02:25:42 itojun Exp $ + +--- readconf.h.orig Wed May 12 07:19:27 1999 ++++ readconf.h Fri Dec 24 21:50:42 1999 +@@ -85,6 +85,9 @@ + int rsa_authentication; /* Try RSA authentication. */ + int kerberos_authentication; /* Try Kerberos authentication. */ + int kerberos_tgt_passing; /* Try Kerberos tgt passing. */ ++#ifdef AFS ++ int afs_token_passing; /* Try AFS token passing. */ ++#endif /* AFS */ + int tis_authentication; /* Try TIS authsrv authentication. */ + int password_authentication; /* Try password authentication. */ + int fallback_to_rsh; /* Use rsh if cannot connect with ssh. */ +@@ -98,6 +101,9 @@ + int use_privileged_port; /* Use privileged port */ + + int port; /* Port to connect. */ ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port; /* Port to connect for -A option. */ ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + int connection_attempts; /* Max attempts (seconds) before giving up */ + int number_of_password_prompts; /* Max number of password prompts */ + int password_prompt_login; /* Show remote login at password prompt */ diff --git a/security/ssh6/patches/patch-bf b/security/ssh6/patches/patch-bf new file mode 100644 index 00000000000..8175d7fea02 --- /dev/null +++ b/security/ssh6/patches/patch-bf 
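Review bot: The client default for `kerberos_tgt_passing` in readconf.c is now keyed on `#if defined(AFS)` alone, while the matching server default in servconf.c uses `#if defined(AFS) || defined(KRB5)`. A KRB5-only build therefore gets a client that does not forward a TGT by default and a server that still permits one. The `-k` usage line in ssh.c carries the same `#ifdef AFS` guard, although `case 'k'` is compiled unconditionally. If the asymmetry is intended it needs a comment; otherwise give the TGT default the server's condition and move the `afs_token_passing` default into its own `#ifdef AFS` block, as servconf.c does. The enclosing function is only partly visible in the hunk.

```c
  if (options->kerberos_tgt_passing == -1)
#if defined(AFS) || defined(KRB5)
    options->kerberos_tgt_passing = 1;
#else
    options->kerberos_tgt_passing = 0;
#endif /* AFS || KRB5 */
#ifdef AFS
  if (options->afs_token_passing == -1)
    options->afs_token_passing = 1;
#endif /* AFS */
```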
@@ -0,0 +1,250 @@ +$NetBSD: patch-bf,v 1.1 2000/03/20 02:25:42 itojun Exp $ + +--- servconf.c.orig Wed May 12 07:19:28 1999 ++++ servconf.c Fri Dec 24 21:50:42 1999 +@@ -81,8 +81,8 @@ + void initialize_server_options(ServerOptions *options) + { + memset(options, 0, sizeof(*options)); +- options->port = -1; +- options->listen_addr.s_addr = INADDR_ANY; ++ options->num_ports = 0; ++ options->listen_addrs = NULL; + options->host_key_file = NULL; + options->random_seed_file = NULL; + options->pid_file = NULL; +@@ -92,6 +92,9 @@ + options->permit_root_login = -1; + options->ignore_rhosts = -1; + options->ignore_root_rhosts = -1; ++#ifdef ENABLE_LOG_AUTH ++ options->log_auth = -1; ++#endif /* ENABLE_LOG_AUTH */ + options->quiet_mode = -1; + options->fascist_logging = -1; + options->print_motd = -1; +@@ -106,6 +109,12 @@ + options->kerberos_authentication = -1; + options->kerberos_or_local_passwd = -1; + options->kerberos_tgt_passing = -1; ++#if defined(KRB4) ++ options->kerberos_ticket_cleanup = -1; ++#endif /* KRB4 */ ++#ifdef AFS ++ options->afs_token_passing = -1; ++#endif + options->tis_authentication = -1; + options->allow_tcp_forwarding = -1; + options->password_authentication = -1; +@@ -138,16 +147,31 @@ + + void fill_default_server_options(ServerOptions *options) + { +- if (options->port == -1) ++ struct addrinfo hints, *ai, *aitop; ++ char strport[PORTSTRLEN]; ++ int i; ++ ++ if (options->num_ports == 0) ++ options->ports[options->num_ports++] = SSH_DEFAULT_PORT; ++ if (options->listen_addrs == NULL) + { +- struct servent *sp; +- +- sp = getservbyname(SSH_SERVICE_NAME, "tcp"); +- if (sp) +- options->port = ntohs(sp->s_port); +- else +- options->port = SSH_DEFAULT_PORT; +- endservent(); ++ for (i = 0; i < options->num_ports; i++) ++ { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_flags = AI_PASSIVE; ++ hints.ai_family = IPv4or6; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", options->ports[i]); ++ if (getaddrinfo(NULL, strport, &hints, &aitop) != 
0) ++ { ++ fprintf(stderr, "fatal: getaddrinfo: Cannot get anyaddr.\n"); ++ exit(1); ++ } ++ for (ai = aitop; ai->ai_next; ai = ai->ai_next); ++ ai->ai_next = options->listen_addrs; ++ options->listen_addrs = aitop; ++ } ++ /* freeaddrinfo(options->listen_addrs) in sshd.c */ + } + if (options->host_key_file == NULL) + options->host_key_file = HOST_KEY_FILE; +@@ -190,19 +214,27 @@ + if (options->rsa_authentication == -1) + options->rsa_authentication = 1; + if (options->kerberos_authentication == -1) +-#if defined(KERBEROS) && defined(KRB5) ++#if defined(KRB4) || defined(KRB5) + options->kerberos_authentication = 1; +-#else /* defined(KERBEROS) && defined(KRB5) */ ++#else + options->kerberos_authentication = 0; +-#endif /* defined(KERBEROS) && defined(KRB5) */ ++#endif /* defined(KRB4 || KRB5 */ + if (options->kerberos_or_local_passwd == -1) + options->kerberos_or_local_passwd = 0; + if (options->kerberos_tgt_passing == -1) +-#if defined(KERBEROS_TGT_PASSING) && defined(KRB5) ++#if defined(AFS) || defined(KRB5) + options->kerberos_tgt_passing = 1; +-#else /* defined(KERBEROS_TGT_PASSING) && defined(KRB5) */ ++#else + options->kerberos_tgt_passing = 0; +-#endif /* defined(KERBEROS_TGT_PASSING) && defined(KRB5) */ ++#endif /* AFS || KRB5 */ ++#if defined(KRB4) ++ if (options->kerberos_ticket_cleanup == -1) ++ options->kerberos_ticket_cleanup = 1; ++#endif /* KRB4 */ ++#ifdef AFS ++ if (options->afs_token_passing == -1) ++ options->afs_token_passing = 1; ++#endif /* AFS */ + if (options->allow_tcp_forwarding == -1) + options->allow_tcp_forwarding = 1; + if (options->tis_authentication == -1) +@@ -243,13 +275,23 @@ + { + sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, + sPermitRootLogin, sQuietMode, sFascistLogging, sLogFacility, ++#ifdef ENABLE_LOG_AUTH ++ sLogAuth, ++#endif /* ENABLE_LOG_AUTH */ + sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, + sTISAuthentication, sPasswordAuthentication, sAllowHosts, sDenyHosts, + 
sListenAddress, sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, + sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sPidFile, + sForcedPasswd, sForcedEmptyPasswd, sUmask, sSilentDeny, sIdleTimeout, + sUseLogin, sKerberosAuthentication, sKerberosOrLocalPasswd, +- sKerberosTgtPassing, sAllowTcpForwarding, sAllowUsers, sDenyUsers, ++ sKerberosTgtPassing, ++#ifdef KRB4 ++ sKerberosTicketCleanup, ++#ifdef AFS ++ sAFSTokenPassing, ++#endif /* AFS */ ++#endif /* KRB4 */ ++ sAllowTcpForwarding, sAllowUsers, sDenyUsers, + sXauthPath, sCheckMail, sDenyGroups, sAllowGroups, sIgnoreRootRhosts, + sAllowSHosts, sDenySHosts, sPasswordExpireWarningDays, + sAccountExpireWarningDays +@@ -275,6 +317,9 @@ + { "quietmode", sQuietMode }, + { "fascistlogging", sFascistLogging }, + { "syslogfacility", sLogFacility }, ++#ifdef ENABLE_LOG_AUTH ++ { "logauth", sLogAuth }, ++#endif /* ENABLE_LOG_AUTH */ + { "rhostsauthentication", sRhostsAuthentication }, + { "rhostsrsaauthentication", sRhostsRSAAuthentication }, + { "rsaauthentication", sRSAAuthentication }, +@@ -313,6 +358,12 @@ + { "kerberosauthentication", sKerberosAuthentication }, + { "kerberosorlocalpasswd", sKerberosOrLocalPasswd }, + { "kerberostgtpassing", sKerberosTgtPassing }, ++#ifdef KRB4 ++ { "kerberosticketcleanup", sKerberosTicketCleanup }, ++#endif ++#ifdef AFS ++ { "afstokenpassing", sAFSTokenPassing }, ++#endif + { "allowtcpforwarding", sAllowTcpForwarding }, + { "xauthlocation", sXauthPath }, + { "checkmail", sCheckMail }, +@@ -367,6 +418,9 @@ + char *cp, **charptr; + int linenum, *intptr, i, value; + ServerOpCodes opcode; ++ struct addrinfo hints, *ai, *aitop; ++ char strport[PORTSTRLEN]; ++ int gaierr; + + f = fopen(filename, "r"); + if (!f) +@@ -389,7 +443,14 @@ + switch (opcode) + { + case sPort: +- intptr = &options->port; ++ if (options->num_ports >= MAX_PORTS) ++ { ++ fprintf(stderr, "%s line %d: too many ports.\n", ++ filename, linenum); ++ exit(1); ++ } ++ options->ports[options->num_ports] 
= -1; ++ intptr = &options->ports[options->num_ports++]; + parse_int: + cp = strtok(NULL, WHITESPACE); + if (!cp) +@@ -452,11 +513,25 @@ + filename, linenum); + exit(1); + } +-#ifdef BROKEN_INET_ADDR +- options->listen_addr.s_addr = inet_network(cp); +-#else /* BROKEN_INET_ADDR */ +- options->listen_addr.s_addr = inet_addr(cp); +-#endif /* BROKEN_INET_ADDR */ ++ if (options->num_ports == 0) ++ options->ports[options->num_ports++] = SSH_DEFAULT_PORT; ++ for (i = 0; i < options->num_ports; i++) ++ { ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", options->ports[i]); ++ if ((gaierr = getaddrinfo(cp, strport, &hints, &aitop)) != 0) ++ { ++ fprintf(stderr, "%s line %d: bad addr or host. (%s)\n", ++ filename, linenum, gai_strerror(gaierr)); ++ exit(1); ++ } ++ for (ai = aitop; ai->ai_next; ai = ai->ai_next); ++ ai->ai_next = options->listen_addrs; ++ options->listen_addrs = aitop; ++ } ++ strtok(cp, WHITESPACE); /* getaddrinfo() may use strtok() */ + break; + + case sHostKeyFile: +@@ -532,6 +607,12 @@ + *intptr = value; + break; + ++#ifdef ENABLE_LOG_AUTH ++ case sLogAuth: ++ intptr = &options->log_auth; ++ goto parse_flag; ++#endif /* ENABLE_LOG_AUTH */ ++ + case sIgnoreRhosts: + intptr = &options->ignore_rhosts; + goto parse_flag; +@@ -571,6 +652,18 @@ + case sKerberosTgtPassing: + intptr = &options->kerberos_tgt_passing; + goto parse_flag; ++ ++#ifdef KRB4 ++ case sKerberosTicketCleanup: ++ intptr = &options->kerberos_ticket_cleanup; ++ goto parse_flag; ++#endif /* KRB4 */ ++ ++#ifdef AFS ++ case sAFSTokenPassing: ++ intptr = &options->afs_token_passing; ++ goto parse_flag; ++#endif /* AFS */ + + case sAllowTcpForwarding: + intptr = &options->allow_tcp_forwarding; diff --git a/security/ssh6/patches/patch-bg b/security/ssh6/patches/patch-bg new file mode 100644 index 00000000000..70c06ba297c --- /dev/null +++ b/security/ssh6/patches/patch-bg 
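Review bot: `ListenAddress` in servconf.c resolves its argument against only the ports seen so far, so a `Port` line that follows it in the config file never reaches `listen_addrs`. The `sPort` case just appends to `ports[]`, and `fill_default_server_options` builds wildcard addresses only when `listen_addrs` is NULL. With `ListenAddress` first, the address is resolved for `SSH_DEFAULT_PORT` rather than the configured port, which matters if sshd.c listens on `listen_addrs` only (not visible here). Failing closed in the `sPort` case avoids the silent surprise: `if (options->listen_addrs != NULL) { fprintf(stderr, "%s line %d: Port must precede ListenAddress.\n", filename, linenum); exit(1); }`. Separately, the opcode enum nests `sAFSTokenPassing` inside `#ifdef KRB4` while the keyword table and the `case` use `#ifdef AFS` alone, so an AFS build without KRB4 would not compile.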
@@ -0,0 +1,48 @@ +$NetBSD: patch-bg,v 1.1 2000/03/20 02:25:43 itojun Exp $ + +--- servconf.h.orig Wed May 12 07:19:28 1999 ++++ servconf.h Fri Dec 24 21:50:42 1999 +@@ -64,6 +64,8 @@ + #ifndef SERVCONF_H + #define SERVCONF_H + ++#define MAX_PORTS 256 /* Max # hosts on allow list. */ ++ + #define MAX_ALLOW_SHOSTS 256 /* Max # hosts on allow shosts list. */ + #define MAX_DENY_SHOSTS 256 /* Max # hosts on deny shosts list. */ + #define MAX_ALLOW_HOSTS 256 /* Max # hosts on allow list. */ +@@ -82,8 +84,9 @@ + + typedef struct + { +- int port; /* Port number to listen on. */ +- struct in_addr listen_addr; /* Address on which the server listens. */ ++ unsigned int num_ports; ++ int ports[MAX_PORTS]; /* Port number to listen on. */ ++ struct addrinfo *listen_addrs;/* Addresses on which the server listens. */ + char *host_key_file; /* File containing host key. */ + char *random_seed_file; /* File containing random seed. */ + char *pid_file; /* File containing process ID number. */ +@@ -91,6 +94,9 @@ + int login_grace_time; /* Disconnect if no auth in this time (sec). */ + int key_regeneration_time; /* Server key lifetime (seconds). */ + int permit_root_login; /* 0 = forced cmd only, 1 = no pwd, 2 = yes. */ ++#ifdef ENABLE_LOG_AUTH ++ int log_auth; /* If true, log authentication info. */ ++#endif /* ENABLE_LOG_AUTH */ + int ignore_rhosts; /* Ignore .rhosts and .shosts. */ + int ignore_root_rhosts; /* Ignore .rhosts and .shosts for root, + defaults to ignore_rhosts if not given. */ +@@ -111,6 +117,12 @@ + password authentication mechanism, such + as SecurID or /etc/passwd */ + int kerberos_tgt_passing; /* If true, permit Kerberos tgt passing. */ ++#ifdef KRB4 ++ int kerberos_ticket_cleanup; /* If true, destroy ticket file on logout. */ ++#endif /* KRB4 */ ++#ifdef AFS ++ int afs_token_passing; /* If true, permit AFS token passing. */ ++#endif /* AFS */ + int allow_tcp_forwarding; + int tis_authentication; /* If true, permit TIS authsrv auth. 
*/ + int password_authentication; /* If true, permit password authentication. */ diff --git a/security/ssh6/patches/patch-bh b/security/ssh6/patches/patch-bh new file mode 100644 index 00000000000..adb8ead9c62 --- /dev/null +++ b/security/ssh6/patches/patch-bh @@ -0,0 +1,31 @@ +$NetBSD: patch-bh,v 1.1 2000/03/20 02:25:43 itojun Exp $ + +--- ssh.1.in.orig Wed May 12 07:19:30 1999 ++++ ssh.1.in Fri Dec 24 21:50:04 1999 +@@ -470,7 +470,7 @@ + .ne 3 + .TP + .B \-k +-Disables forwarding of the kerberos tickets. This may ++Disables forwarding of Kerberos tickets / AFS tokens. This may + also be specified on a per-host basis in the configuration file. + .ne 3 + .TP +@@ -770,11 +770,15 @@ + + .TP + .B KerberosAuthentication +-Specifies whether Kerberos V5 authentication will be used. ++Specifies whether Kerberos authentication will be used. + + .TP + .B KerberosTgtPassing +-Specifies whether a Kerberos V5 TGT will be forwarded to the server. ++Specifies whether a Kerberos TGT will be forwarded to the server. ++ ++.TP ++.B AFSTokenPassing ++Specifies whether an AFS token will be forwarded to the server. + + .TP + .B LocalForward diff --git a/security/ssh6/patches/patch-bi b/security/ssh6/patches/patch-bi new file mode 100644 index 00000000000..4ac4b1379f2 --- /dev/null +++ b/security/ssh6/patches/patch-bi 
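Review bot: The comment on the new `MAX_PORTS` define in servconf.h was copied from `MAX_ALLOW_HOSTS` and describes the wrong thing, and `num_ports` has no comment at all. Suggested: `#define MAX_PORTS 256 /* Max # ports to listen on. */` and `unsigned int num_ports; /* Number of entries used in ports[]. */`. Since `num_ports` is unsigned, the `int i` loops in servconf.c compare signed with unsigned. That is harmless at this bound, but the types are worth aligning.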
@@ -0,0 +1,108 @@ +$NetBSD: patch-bi,v 1.1 2000/03/20 02:25:43 itojun Exp $ + +--- ssh.c.orig Wed May 12 07:19:28 1999 ++++ ssh.c Fri Dec 24 21:50:42 1999 +@@ -218,6 +218,14 @@ + other functions. */ + RandomState random_state; + ++/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. ++ Default value is AF_UNSPEC means both IPv4 and IPv6. */ ++#ifdef ENABLE_IPV6 ++int IPv4or6 = AF_UNSPEC; ++#else ++int IPv4or6 = AF_INET; ++#endif ++ + /* Flag indicating whether debug mode is on. This can be set on the + command line. */ + int debug_flag = 0; +@@ -277,12 +285,19 @@ + { + fprintf(stderr, "Usage: %s [options] host [command]\n", av0); + fprintf(stderr, "Options:\n"); ++ fprintf(stderr, " -4 Use IPv4 only.\n"); ++#ifdef ENABLE_IPV6 ++ fprintf(stderr, " -6 Use IPv6 only.\n"); ++#endif ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ fprintf(stderr, " -A Try to connect to another port before original port.\n"); ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + fprintf(stderr, " -l user Log in using this user name.\n"); + fprintf(stderr, " -n Redirect input from /dev/null.\n"); + fprintf(stderr, " -a Disable authentication agent forwarding.\n"); +-#if defined(KERBEROS_TGT_PASSING) && defined(KRB5) +- fprintf(stderr, " -k Disable Kerberos ticket passing.\n"); +-#endif /* defined(KERBEROS_TGT_PASSING) && defined(KRB5) */ ++#ifdef AFS ++ fprintf(stderr, " -k Disable Kerberos ticket and AFS token passing.\n"); ++#endif /* AFS */ + #ifndef SSH_NO_X11_FORWARDING + fprintf(stderr, " -x Disable X11 connection forwarding.\n"); + #endif +@@ -413,6 +428,9 @@ + #ifdef SIGWINCH + struct winsize ws; + #endif /* SIGWINCH */ ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port_flag = 0; ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + + /* Save the original real uid. It will be needed later (uid-swapping may + clobber the real uid). */ +@@ -522,6 +540,26 @@ + } + switch (opt) + { ++ case '4': ++#ifdef ENABLE_IPV6 ++ IPv4or6 = (IPv4or6 == AF_INET6) ? 
AF_UNSPEC : AF_INET; ++#else ++ IPv4or6 = AF_INET; ++#endif ++ break; ++ ++#ifdef ENABLE_IPV6 ++ case '6': ++ IPv4or6 = (IPv4or6 == AF_INET) ? AF_UNSPEC : AF_INET6; ++ break; ++#endif ++ ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ case 'A': ++ another_port_flag = 1; ++ break; ++#endif /* ENABLE_ANOTHER_PORT_TRY */ ++ + case 'n': + stdin_null_flag = 1; + break; +@@ -541,6 +579,9 @@ + + case 'k': + options.kerberos_tgt_passing = 0; ++#ifdef AFS ++ options.afs_token_passing = 0; ++#endif /* AFS */ + break; + + case 'i': +@@ -789,11 +830,18 @@ + { + use_privileged_port = 0; + } ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ if (!another_port_flag) ++ options.another_port = 0; ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + /* Open a connection to the remote host. This needs root privileges if + rhosts_authentication is true. Note that the random_state is not + yet used by this call, although a pointer to it is stored, and thus it + need not be initialized. */ + ok = ssh_connect(host, options.port, options.connection_attempts, ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ options.another_port, ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + !use_privileged_port, + original_real_uid, options.proxy_command, &random_state); + diff --git a/security/ssh6/patches/patch-bj b/security/ssh6/patches/patch-bj new file mode 100644 index 00000000000..8fe80602685 --- /dev/null +++ b/security/ssh6/patches/patch-bj 
@@ -0,0 +1,156 @@ +$NetBSD: patch-bj,v 1.1 2000/03/20 02:25:43 itojun Exp $ + +--- ssh.h.orig Wed May 12 07:19:28 1999 ++++ ssh.h Fri Dec 24 21:50:42 1999 +@@ -176,6 +176,16 @@ + #include "randoms.h" + #include "cipher.h" + ++#ifdef HESIOD ++#include <hesiod.h> ++ ++#define getpwnam(a) hes_getpwnam(a) ++#define getpwuid(a) hes_getpwuid(a) ++ ++extern struct passwd *hes_getpwnam(const char *name); ++extern struct passwd *hes_getpwuid(uid_t uid); ++#endif /* HESIOD */ ++ + /* The default cipher used if IDEA is not supported by the remote host. + It is recommended that this be one of the mandatory ciphers (DES, 3DES), + though that is not required. */ +@@ -307,12 +317,13 @@ + protocol.) */ + #define SSH_SESSION_KEY_LENGTH 32 + +-#ifdef KERBEROS + #ifdef KRB5 + #include <krb5.h> +-#define KRB_SERVICE_NAME "host" ++#define KRB5_SERVICE_NAME "host" + #endif /* KRB5 */ +-#endif /* KERBEROS */ ++#ifdef KRB4 ++#define KRB4_SERVICE_NAME "rcmd" ++#endif /* KRB4 */ + + /* Authentication methods. New types can be added, but old types should not + be removed for compatibility. The maximum allowed value is 31. */ +@@ -336,6 +347,10 @@ + + /* If you add new methods add them after this using random number between 16-31 + so if someone else adds also new methods you dont use same number. */ ++#ifdef AFS ++#define SSH_PASS_AFS_TOKEN 21 ++#endif /* AFS */ ++ + + /* Protocol flags. These are bit masks. */ + #define SSH_PROTOFLAG_SCREEN_NUMBER 1 /* X11 forwarding includes screen */ +@@ -410,7 +425,9 @@ + /* If ou add new messages add them starting from something after 64, better to + use some random number between 64-127 so if someone else adds something else + you dont use same numbers */ +- ++#ifdef AFS ++#define SSH_CMSG_HAVE_AFS_TOKEN 65 ++#endif /* AFS */ + + /* define this and debug() will print local hostname */ + #define LOCAL_HOSTNAME_IN_DEBUG 1 +@@ -430,7 +447,7 @@ + /* Records that the user has logged in. This does many things normally + done by login(1). 
*/ + void record_login(int pid, const char *ttyname, const char *user, uid_t uid, +- const char *host, struct sockaddr_in *addr); ++ const char *host, struct sockaddr *addr); + + /* Records that the user has logged out. This does many thigs normally + done by login(1) or init. */ +@@ -447,6 +464,9 @@ + connection is successful, this calls packet_set_connection for the + connection. */ + int ssh_connect(const char *host, int port, int connection_attempts, ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port, ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + int anonymous, uid_t original_real_uid, + const char *proxy_command, RandomState *random_state); + +@@ -479,12 +499,12 @@ + + /* Tries to authenticate the user using password. Returns true if + authentication succeeds. */ +-#if defined(KERBEROS) && defined(KRB5) ++#ifdef KRB5 + int auth_password(const char *server_user, const char *password, + krb5_principal client); +-#else /* defined(KERBEROS) && defined(KRB5) */ ++#else /* KRB5 */ + int auth_password(const char *server_user, const char *password); +-#endif /* defined(KERBEROS) && defined(KRB5) */ ++#endif /* KRB5 */ + + /* Performs the RSA authentication dialog with the client. 
This returns + 0 if the client could not be authenticated, and 1 if authentication was +@@ -872,5 +892,60 @@ + #else + #define UID_ROOT 0 + #endif ++ ++#ifdef HAVE_SOCKADDR_STORAGE ++#ifndef HAVE_NEW_SS_FAMILY ++#define __ss_len ss_len ++#define __ss_family ss_family ++#endif ++#else ++#define _SS_MAXSIZE 128 /* Implementation specific max size */ ++#define _SS_ALIGNSIZE (sizeof(int)) ++#define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short)) ++#define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \ ++ _SS_PAD1SIZE + _SS_ALIGNSIZE)) ++struct sockaddr_storage { ++#ifdef HAVE_SOCKADDR_LEN ++ u_char __ss_len; ++ u_char __ss_family; ++#else ++ u_short __ss_family; ++#endif ++ char __ss_pad1[_SS_PAD1SIZE]; ++ int __ss_align; ++ char __ss_pad2[_SS_PAD2SIZE]; ++}; ++#endif ++ ++#ifdef INET6_ADDRSTRLEN ++#define ADDRSTRLEN INET6_ADDRSTRLEN ++#else ++#define ADDRSTRLEN 46 ++#endif ++ ++#define PORTSTRLEN 16 ++ ++/* AF_UNSPEC or AF_INET or AF_INET6 */ ++extern int IPv4or6; ++ ++#ifndef ENABLE_IPV6 ++/* dummy value for old netdb.h */ ++#ifndef AI_PASSIVE ++#define AI_PASSIVE 1 ++#define NI_NUMERICHOST 2 ++#define NI_NAMEREQD 4 ++#define NI_NUMERICSERV 8 ++struct addrinfo { ++ int ai_flags; /* AI_PASSIVE, AI_CANONNAME */ ++ int ai_family; /* PF_xxx */ ++ int ai_socktype; /* SOCK_xxx */ ++ int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ ++ size_t ai_addrlen; /* length of ai_addr */ ++ char *ai_canonname; /* canonical name for hostname */ ++ struct sockaddr *ai_addr; /* binary address */ ++ struct addrinfo *ai_next; /* next structure in linked list */ ++}; ++#endif ++#endif /* not ENABLE_IPV6 */ + + #endif /* SSH_H */ diff --git a/security/ssh6/patches/patch-bk b/security/ssh6/patches/patch-bk new file mode 100644 index 00000000000..738624dd945 --- /dev/null +++ b/security/ssh6/patches/patch-bk 
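Review bot: The `HESIOD` block in ssh.h redefines `getpwnam` and `getpwuid` as function-like macros, which reroutes every account lookup in any file that includes ssh.h to `hes_getpwnam`/`hes_getpwuid` with nothing visible at the call sites. Those lookups presumably feed login and authorization decisions, so the header should state the redirection and where the lookup order is defined. The hunk shows only the `extern` declarations, so whether local accounts are still consulted cannot be told from here. A comment above the defines would do, for example `/* HESIOD: getpwnam()/getpwuid() below resolve via hes_getpw*(); see <file defining them> for lookup order. */`.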
@@ -0,0 +1,691 @@ +$NetBSD: patch-bk,v 1.1 2000/03/20 02:25:43 itojun Exp $ + +--- sshconnect.c- Wed May 12 20:19:29 1999 ++++ sshconnect.c Mon Mar 20 09:20:32 2000 +@@ -215,7 +215,6 @@ + #include "userfile.h" + #include "emulate.h" + +-#ifdef KERBEROS + #ifdef KRB5 + #include <krb5.h> + +@@ -223,7 +222,19 @@ + krb5_context ssh_context = 0; + krb5_auth_context auth_context = 0; + #endif /* KRB5 */ +-#endif /* KERBEROS */ ++ ++#ifdef KRB4 ++#include <krb.h> ++#ifdef AFS ++#if defined(HAVE_SYS_IOCTL_H) && SunOS != 4 ++#include <sys/ioctl.h> ++#endif ++#ifdef HAVE_SYS_FILIO_H ++#include <sys/filio.h> ++#endif ++#include <kafs.h> ++#endif /* AFS */ ++#endif /* KRB4 */ + + /* Session id for the current session. */ + unsigned char session_id[16]; +@@ -337,7 +348,7 @@ + + /* Creates a (possibly privileged) socket for use as the ssh connection. */ + +-int ssh_create_socket(uid_t original_real_uid, int privileged) ++int ssh_create_socket(uid_t original_real_uid, int privileged, int family) + { + int sock; + +@@ -345,43 +356,62 @@ + bind our own socket to a privileged port. */ + if (privileged) + { +- struct sockaddr_in sin; ++ struct addrinfo hints, *ai = NULL; ++ int errgai; ++ char strport[PORTSTRLEN]; + int p; + for (p = 1023; p > 512; p--) + { +- sock = socket(AF_INET, SOCK_STREAM, 0); ++ sock = socket(family, SOCK_STREAM, 0); + if (sock < 0) +- fatal("socket: %.100s", strerror(errno)); ++ { ++ error("socket: %.100s", strerror(errno)); ++ continue; ++ } + +- /* Initialize the desired sockaddr_in structure. */ +- memset(&sin, 0, sizeof(sin)); +- sin.sin_family = AF_INET; +- sin.sin_addr.s_addr = INADDR_ANY; +- sin.sin_port = htons(p); ++ /* Initialize the desired addrinfo structure. 
*/ ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = family; ++ hints.ai_flags = AI_PASSIVE; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", p); ++ if ((errgai = getaddrinfo(NULL, strport, &hints, &ai)) != 0) ++ { ++ error("getaddrinfo: %.100s", gai_strerror(errgai)); ++ close(sock); ++ continue; ++ } + + /* Try to bind the socket to the privileged port. */ + #if defined(SOCKS) +- if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) ++ if (Rbind(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + break; /* Success. */ + #else /* SOCKS */ +- if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0) ++ if (bind(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + break; /* Success. */ + #endif /* SOCKS */ + if (errno == EADDRINUSE) + { + close(sock); ++ if (ai) ++ { ++ freeaddrinfo(ai); ++ ai = NULL; ++ } + continue; + } +- fatal("bind: %.100s", strerror(errno)); ++ error("bind: %.100s", strerror(errno)); + } + debug("Allocated local port %d.", p); ++ if (ai) ++ freeaddrinfo(ai); + } + else + { + /* Just create an ordinary socket on arbitrary port. */ +- sock = socket(AF_INET, SOCK_STREAM, 0); ++ sock = socket(family, SOCK_STREAM, 0); + if (sock < 0) +- fatal("socket: %.100s", strerror(errno)); ++ error("socket: %.100s", strerror(errno)); + } + return sock; + } +@@ -396,14 +426,19 @@ + the daemon. 
*/ + + int ssh_connect(const char *host, int port, int connection_attempts, ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ int another_port, ++#endif /* ENABLE_ANOTHER_PORT_TRY */ + int anonymous, uid_t original_real_uid, + const char *proxy_command, RandomState *random_state) + { + int sock = -1, attempt, i; + int on = 1; + struct servent *sp; +- struct hostent *hp; +- struct sockaddr_in hostaddr; ++ struct addrinfo hints, *ai, *aitop, *aitmp; ++ struct sockaddr_storage hostaddr; ++ char ntop[ADDRSTRLEN], strport[PORTSTRLEN]; ++ int gaierr; + #if defined(SO_LINGER) && defined(ENABLE_SO_LINGER) + struct linger linger; + #endif /* SO_LINGER */ +@@ -421,10 +456,6 @@ + port = SSH_DEFAULT_PORT; + } + +- /* Map localhost to ip-address locally */ +- if (strcmp(host, "localhost") == 0) +- host = "127.0.0.1"; +- + /* If a proxy command is given, connect using it. */ + if (proxy_command != NULL && *proxy_command) + return ssh_proxy_connect(host, port, original_real_uid, proxy_command, +@@ -432,9 +463,28 @@ + + /* No proxy command. */ + +- /* No host lookup made yet. */ +- hp = NULL; +- ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", port); ++ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) ++ fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr)); ++ ++#ifdef ENABLE_ANOTHER_PORT_TRY ++ if (another_port) ++ { ++ aitmp = aitop; ++ memset(&hints, 0, sizeof(hints)); ++ hints.ai_family = IPv4or6; ++ hints.ai_socktype = SOCK_STREAM; ++ sprintf(strport, "%d", another_port); ++ if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) ++ fatal("Bad host name: %.100s (%s)", host, gai_strerror(gaierr)); ++ for (ai = aitop; ai->ai_next; ai = ai->ai_next); ++ ai->ai_next = aitmp; ++ } ++#endif /* ENABLE_ANOTHER_PORT_TRY */ ++ + /* Try to connect several times. On some machines, the first time will + sometimes fail. 
In general socket code appears to behave quite + magically on many machines. */ +@@ -443,103 +493,29 @@ + if (attempt > 0) + debug("Trying again..."); + +- /* Try to parse the host name as a numeric inet address. */ +- memset(&hostaddr, 0, sizeof(hostaddr)); +- hostaddr.sin_family = AF_INET; +- hostaddr.sin_port = htons(port); +-#ifdef BROKEN_INET_ADDR +- hostaddr.sin_addr.s_addr = inet_network(host); +-#else /* BROKEN_INET_ADDR */ +- hostaddr.sin_addr.s_addr = inet_addr(host); +-#endif /* BROKEN_INET_ADDR */ +- if ((hostaddr.sin_addr.s_addr & 0xffffffff) != 0xffffffff) +- { +- /* Create a socket. */ +- sock = ssh_create_socket(original_real_uid, +- !anonymous && geteuid() == UID_ROOT); +- +- /* Valid numeric IP address */ +- debug("Connecting to %.100s port %d.", +- inet_ntoa(hostaddr.sin_addr), port); +- +- /* Connect to the host. */ +-#if defined(SOCKS) +- if (Rconnect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr)) +-#else /* SOCKS */ +- if (connect(sock, (struct sockaddr *)&hostaddr, sizeof(hostaddr)) +-#endif /* SOCKS */ +- >= 0) +- { +- /* Successful connect. */ +- break; +- } +- debug("connect: %.100s", strerror(errno)); +- +- /* Destroy the failed socket. */ +- shutdown(sock, 2); +- close(sock); +- } +- else +- { +- /* Not a valid numeric inet address. */ +- /* Map host name to an address. */ +- if (!hp) +- { +- struct hostent *hp_static; +- +-#if defined(SOCKS5) +- hp_static = Rgethostbyname(host); +-#else +- hp_static = gethostbyname(host); +-#endif +- if (hp_static) +- { +- hp = xmalloc(sizeof(struct hostent)); +- memcpy(hp, hp_static, sizeof(struct hostent)); +- +- /* Copy list of addresses, not just pointers. 
+- We don't use h_name & h_aliases so leave them as is */ +- for (i = 0; hp_static->h_addr_list[i]; i++) +- ; /* count them */ +- hp->h_addr_list = xmalloc((i + 1) * +- sizeof(hp_static->h_addr_list[0])); +- for (i = 0; hp_static->h_addr_list[i]; i++) +- { +- hp->h_addr_list[i] = xmalloc(hp->h_length); +- memcpy(hp->h_addr_list[i], hp_static->h_addr_list[i], +- hp->h_length); +- } +- hp->h_addr_list[i] = NULL; /* last one */ +- } +- } +- if (!hp) +- fatal("Bad host name: %.100s", host); +- if (!hp->h_addr_list[0]) +- fatal("Host does not have an IP address: %.100s", host); +- + /* Loop through addresses for this host, and try each one in + sequence until the connection succeeds. */ +- for (i = 0; hp->h_addr_list[i]; i++) ++ for (ai = aitop; ai; ai = ai->ai_next) + { +- /* Set the address to connect to. */ +- hostaddr.sin_family = hp->h_addrtype; +- memcpy(&hostaddr.sin_addr, hp->h_addr_list[i], +- sizeof(hostaddr.sin_addr)); ++ getnameinfo(ai->ai_addr, ai->ai_addrlen, ++ ntop, sizeof(ntop), strport, sizeof(strport), ++ NI_NUMERICHOST|NI_NUMERICSERV); + +- debug("Connecting to %.200s [%.100s] port %d.", +- host, inet_ntoa(hostaddr.sin_addr), port); ++ debug("Connecting to %.200s [%.100s] port %s.", ++ host, ntop, strport); + + /* Create a socket for connecting. */ + sock = ssh_create_socket(original_real_uid, +- !anonymous && geteuid() == UID_ROOT); ++ !anonymous && geteuid() == UID_ROOT, ++ ai->ai_family); ++ if (sock < 0) ++ continue; + + /* Connect to the host. */ + #if defined(SOCKS) +- if (Rconnect(sock, (struct sockaddr *)&hostaddr, +- sizeof(hostaddr)) >= 0) ++ if (Rconnect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + #else /* SOCKS */ +- if (connect(sock, (struct sockaddr *)&hostaddr, +- sizeof(hostaddr)) >= 0) ++ if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) + #endif /* SOCKS */ + { + /* Successful connection. */ +@@ -552,22 +528,15 @@ + returned an error. 
*/ + shutdown(sock, 2); + close(sock); +- } +- if (hp->h_addr_list[i]) ++ } /* for (ai = aitop; ai; ai = ai->ai_next) */ ++ if (ai) + break; /* Successful connection. */ +- } + + /* Sleep a moment before retrying. */ + sleep(1); + } + +- if (hp) +- { +- for (i = 0; hp->h_addr_list[i]; i++) +- xfree(hp->h_addr_list[i]); +- xfree(hp->h_addr_list); +- xfree(hp); +- } ++ freeaddrinfo(aitop); + + /* Return failure if we didn't get a successful connection. */ + if (attempt >= connection_attempts) +@@ -932,10 +901,9 @@ + return 0; + } + +-#ifdef KERBEROS ++#ifdef KRB5 + int try_kerberos_authentication(void) + { +-#ifdef KRB5 + char *remotehost; + krb5_data auth; + krb5_error_code r; +@@ -946,7 +914,7 @@ + int ap_opts, ret_stat = 0; + krb5_keyblock *session_key = 0; + krb5_ap_rep_enc_part *repl = 0; +- struct sockaddr_in local, foreign; ++ struct sockaddr_storage local, foreign; + + memset(&auth, 0 , sizeof(auth)); + remotehost = (char *) get_canonical_hostname(); +@@ -1084,15 +1052,118 @@ + krb5_free_ap_rep_enc_part(ssh_context, repl); + + return(ret_stat); ++} + #endif /* KRB5 */ ++ ++#ifdef KRB4 ++int try_kerberos_authentication() ++{ ++ KTEXT_ST auth; /* Kerberos data */ ++ char *reply; ++ char inst[INST_SZ]; ++ char *realm; ++ char *service; ++ CREDENTIALS cred; ++ int r, type; ++ Key_schedule schedule; ++ u_long checksum, cksum; ++ MSG_DAT msg_data; ++ struct sockaddr_in local, foreign; ++ struct stat st; ++ ++ /* Don't do anything if we don't have any tickets. */ ++ if (stat(tkt_string(), &st) < 0) return 0; ++ ++ strncpy(inst, (char *) krb_get_phost(get_canonical_hostname()), INST_SZ); ++ ++ realm = (char *)krb_realmofhost(get_canonical_hostname()); ++ if (!realm) { ++ debug("Kerberos V4: no realm for %s", get_canonical_hostname()); ++ return 0; ++ } ++ /* This can really be anything. 
*/ ++ checksum = (u_long) getpid(); ++ ++ if (r = krb_mk_req(&auth, KRB4_SERVICE_NAME, inst, realm, checksum)) { ++ debug("Kerberos V4 krb_mk_req failed: %s", krb_err_txt[r]); ++ return 0; ++ } ++ /* Get session key to decrypt the server's reply with. */ ++ if (r = krb_get_cred(KRB4_SERVICE_NAME, inst, realm, &cred)) { ++ debug("get_cred failed: %s", krb_err_txt[r]); ++ return 0; ++ } ++ des_key_sched((des_cblock *)cred.session, schedule); ++ ++ /* Send authentication info to server. */ ++ packet_start(SSH_CMSG_AUTH_KERBEROS); ++ packet_put_string((char *)auth.dat, auth.length); ++ packet_send(); ++ packet_write_wait(); ++ ++ /* zero the buffer */ ++ (void) memset(auth.dat, 0, MAX_KTXT_LEN); ++ ++ r = sizeof(local); ++ memset(&local, 0, sizeof(local)); ++ if (getsockname(packet_get_connection_in(), ++ (struct sockaddr *) &local, &r) < 0) ++ debug("getsockname failed: %.100s", strerror(errno)); ++ ++ r = sizeof(foreign); ++ memset(&foreign, 0, sizeof(foreign)); ++ if (getpeername(packet_get_connection_in(), ++ (struct sockaddr *)&foreign, &r) < 0) ++ debug("getpeername failed: %.100s", strerror(errno)); ++ ++ /* Get server reply. */ ++ type = packet_read(); ++ switch(type) { ++ ++ case SSH_SMSG_FAILURE: /* Should really be SSH_SMSG_AUTH_KERBEROS_FAILURE */ ++ debug("Kerberos V4 authentication failed."); ++ return 0; ++ break; ++ ++ case SSH_SMSG_AUTH_KERBEROS_RESPONSE: /* SSH_SMSG_AUTH_KERBEROS_SUCCESS */ ++ debug("Kerberos V4 authentication accepted."); ++ ++ /* Get server's response. */ ++ reply = packet_get_string((unsigned int *)&auth.length); ++ memcpy(auth.dat, reply, auth.length); ++ xfree(reply); ++ ++ /* If his response isn't properly encrypted with the session key, ++ and the decrypted checksum fails to match, he's bogus. Bail out. 
*/ ++ if (r = krb_rd_priv(auth.dat, auth.length, schedule, &cred.session, ++ &foreign, &local, &msg_data)) { ++ debug("Kerberos V4 krb_rd_priv failed: %s", krb_err_txt[r]); ++ packet_disconnect("Kerberos V4 challenge failed!"); ++ } ++ /* fetch the (incremented) checksum that we supplied in the request */ ++ (void)memcpy((char *)&cksum, (char *)msg_data.app_data, sizeof(cksum)); ++ cksum = ntohl(cksum); ++ ++ /* If it matches, we're golden. */ ++ if (cksum == checksum + 1) { ++ debug("Kerberos V4 challenge successful."); ++ return 1; ++ } ++ else ++ packet_disconnect("Kerberos V4 challenge failed!"); ++ break; ++ ++ default: ++ packet_disconnect("Protocol error on Kerberos V4 response: %d", type); ++ } + } +-#endif /* KERBEROS */ ++#endif /* KRB4 */ ++ + +-#ifdef KERBEROS_TGT_PASSING + /* Forward our local Kerberos tgt to the server. */ ++#ifdef KRB5 + int send_kerberos_tgt(void) + { +-#ifdef KRB5 + char *remotehost; + krb5_principal client; + krb5_principal server; +@@ -1172,22 +1243,117 @@ + krb5_free_principal(ssh_context, client); + krb5_free_principal(ssh_context, server); + +- type = packet_read(); +- if (type == SSH_SMSG_SUCCESS) +- { +- debug("Kerberos V5 TGT passing was successful."); +- return 1; +- } +- else +- if (type != SSH_SMSG_FAILURE) +- packet_disconnect("Protocol error on Kerberos tgt response: %d", type); +- else +- debug("Kerberos V5 TGT passing failed."); +- +- return 0; ++ return 1; ++} + #endif /* KRB5 */ ++ ++#ifdef AFS ++int send_kerberos_tgt() ++{ ++ CREDENTIALS *creds; ++ char pname[ANAME_SZ], pinst[INST_SZ], prealm[REALM_SZ]; ++ int r, type; ++ unsigned char buffer[8192]; ++ struct stat st; ++ ++ /* Don't do anything if we don't have any tickets. 
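Review bot: In the added KRB4 `try_kerberos_authentication()`, the `SSH_SMSG_AUTH_KERBEROS_RESPONSE` branch runs `memcpy(auth.dat, reply, auth.length)` with `auth.length` taken straight from the peer by `packet_get_string()`, so a reply longer than the `MAX_KTXT_LEN` bytes that the earlier `memset(auth.dat, 0, MAX_KTXT_LEN)` treats as the buffer size overruns the local `auth`. The length should be rejected before the copy, e.g. `if ((unsigned int)auth.length > MAX_KTXT_LEN) packet_disconnect("Kerberos V4 reply too long");`. Separately, `strncpy(inst, ..., INST_SZ)` leaves `inst` unterminated when the source is `INST_SZ` bytes or longer. `strncpy(creds.realm, server_cell, REALM_SZ)` in `send_afs_tokens()` in the following hunk has the same defect, and there `creds_to_radix()` walks the field with `while (*s)`. Both want an explicit terminator such as `inst[INST_SZ - 1] = '\0';`.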
*/ ++ if (stat(tkt_string(), &st) < 0) return 0; ++ ++ creds = xmalloc(sizeof(CREDENTIALS)); ++ ++ if ((r=krb_get_tf_fullname(TKT_FILE,pname,pinst,prealm)) != KSUCCESS) { ++ debug("Kerberos V4 tf_fullname failed: %s",krb_err_txt[r]); ++ return 0; ++ } ++ if ((r=krb_get_cred("krbtgt", prealm, prealm, creds)) != GC_OK) { ++ debug("Kerberos V4 get_cred failed: %s", krb_err_txt[r]); ++ return 0; ++ } ++ if (time(0) > ++#ifdef HAVE_KRB_LIFE_TO_TIME ++ (unsigned long)krb_life_to_time(creds->issue_date, creds->lifetime)) { ++#else ++ (creds->issue_date + ((unsigned char)creds->lifetime * 5 * 60))) { ++#endif /* HAVE_KRB_LIFE_TO_TIME */ ++ debug("Kerberos V4 ticket expired: %s", TKT_FILE); ++ return 0; ++ } ++ ++ creds_to_radix(creds, buffer); ++ xfree(creds); ++ ++ packet_start(SSH_CMSG_HAVE_KERBEROS_TGT); ++ packet_put_string((char *)buffer, strlen(buffer)); ++ packet_send(); ++ packet_write_wait(); ++ ++ return 1; ++} ++ ++/* Forwards our AFS tokens to the server. */ ++void send_afs_tokens(void) ++{ ++ CREDENTIALS creds; ++ struct ViceIoctl parms; ++ struct ClearToken ct; ++ int i, type; ++ int len; ++ char buf[2048], *p, *server_cell; ++ unsigned char buffer[8192]; ++ ++ /* Move over ktc_GetToken, here's something leaner. */ ++ for (i = 0; i < 100; i++) { /* just in case */ ++ parms.in = (char *)&i; ++ parms.in_size = sizeof(i); ++ parms.out = buf; ++ parms.out_size = sizeof(buf); ++ if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) break; ++ p = buf; ++ ++ /* Get secret token. */ ++ memcpy(&creds.ticket_st.length, p, sizeof(unsigned int)); ++ if (creds.ticket_st.length > MAX_KTXT_LEN) break; ++ p += sizeof(unsigned int); ++ memcpy(creds.ticket_st.dat, p, creds.ticket_st.length); ++ p += creds.ticket_st.length; ++ ++ /* Get clear token. */ ++ memcpy(&len, p, sizeof(len)); ++ if (len != sizeof(struct ClearToken)) break; ++ p += sizeof(len); ++ memcpy(&ct, p, len); ++ p += len; ++ p += sizeof(len); /* primary flag */ ++ server_cell = p; ++ ++ /* Flesh out our credentials. 
*/ ++ strcpy(creds.service, "afs"); ++ creds.instance[0] = '\0'; ++ strncpy(creds.realm, server_cell, REALM_SZ); ++ memcpy(creds.session, ct.HandShakeKey, DES_KEY_SZ); ++ creds.issue_date = ct.BeginTimestamp; ++ creds.lifetime = krb_time_to_life(creds.issue_date, ct.EndTimestamp); ++ creds.kvno = ct.AuthHandle; ++ snprintf(creds.pname, sizeof(creds.pname), "AFS ID %d", ct.ViceId); ++ creds.pinst[0] = '\0'; ++ ++ /* Encode token, ship it off. */ ++ if (!creds_to_radix(&creds, buffer)) break; ++ packet_start(SSH_CMSG_HAVE_AFS_TOKEN); ++ packet_put_string((char *)buffer, strlen(buffer)); ++ packet_send(); ++ packet_write_wait(); ++ ++ /* Roger, Roger. Clearance, Clarence. What's your vector, Victor? */ ++ type = packet_read(); ++ ++ if (type == SSH_SMSG_FAILURE) ++ debug("AFS token for cell %s rejected.", server_cell); ++ else if (type != SSH_SMSG_SUCCESS) ++ packet_disconnect("Protocol error on AFS token response: %d", type); ++ } + } +-#endif /* KERBEROS_TGT_PASSING */ ++#endif /* AFS */ + + /* Waits for the server identification string, and sends our own identification + string. */ +@@ -1285,14 +1451,12 @@ + unsigned char check_bytes[8]; + unsigned int supported_ciphers, supported_authentications, protocol_flags; + HostStatus host_status; +-#ifdef KERBEROS + #ifdef KRB5 + char *kuser; + krb5_ccache ccache; + krb5_error_code problem; + krb5_principal client; +-#endif +-#endif ++#endif /* KRB5 */ + + /* Convert the user-supplied hostname into all lowercase. */ + host = xstrdup(orighost); +@@ -1595,7 +1759,6 @@ + + debug("Received encrypted confirmation."); + +-#ifdef KERBEROS + #ifdef KRB5 + if (!ssh_context) + { +@@ -1629,7 +1792,6 @@ + debug("Kerberos V5: could not get default ccache."); + } + #endif /* KRB5 */ +-#endif /* KERBEROS */ + + /* Send the name of the user to log in as on the server. 
*/ + packet_start(SSH_CMSG_USER); +@@ -1647,24 +1809,39 @@ + packet_disconnect("Protocol error: got %d in response to SSH_CMSG_USER", + type); + +-#ifdef KERBEROS_TGT_PASSING ++#if defined(KRB5) || defined(AFS) + /* Try Kerberos tgt passing if the server supports it. */ + if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && + options->kerberos_tgt_passing) + { + if (options->cipher == SSH_CIPHER_NONE) + log_msg("WARNING: Encryption is disabled! Ticket will be transmitted in the clear!"); +- (void)send_kerberos_tgt(); ++ if (send_kerberos_tgt()) ++ { ++ type = packet_read(); ++ if (type == SSH_SMSG_FAILURE) ++ debug("Kerberos TGT passing failed."); ++ else if (type != SSH_SMSG_SUCCESS) ++ packet_disconnect("Protocol error on Kerberos tgt response: %d", type); ++ } + } +-#endif /* KERBEROS_TGT_PASSING */ ++#endif /* KRB5 || AFS */ ++ ++#ifdef AFS ++ /* Try AFS token passing if the server supports it. */ ++ if ((supported_authentications & (1 << SSH_PASS_AFS_TOKEN)) && ++ options->afs_token_passing && k_hasafs()) { ++ if (options->cipher == SSH_CIPHER_NONE) ++ log_msg("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); ++ send_afs_tokens(); ++ } ++#endif /* AFS */ + +-#ifdef KERBEROS +-#ifdef KRB5 ++#if defined(KRB4) || defined(KRB5) + if ((supported_authentications & (1 << SSH_AUTH_KERBEROS)) && + options->kerberos_authentication) + { +- debug("Trying Kerberos V5 authentication."); +-#endif ++ debug("Trying Kerberos authentication."); + if (try_kerberos_authentication()) { + /* The server should respond with success or failure. */ + type = packet_read(); +@@ -1673,10 +1850,8 @@ + if (type != SSH_SMSG_FAILURE) + packet_disconnect("Protocol error: got %d in response to Kerberos auth", type); + } +-#ifdef KRB5 + } +-#endif +-#endif /* KERBEROS */ ++#endif /* KRB4 || KRB5 */ + + /* Use rhosts authentication if running in privileged socket and we do not + wish to remain anonymous. */ 
diff --git a/security/ssh6/patches/patch-bl b/security/ssh6/patches/patch-bl new file mode 100644 index 00000000000..a9c52c45a21 --- /dev/null +++ b/security/ssh6/patches/patch-bl @@ -0,0 +1,37 @@ +$NetBSD: patch-bl,v 1.1 2000/03/20 02:25:43 itojun Exp $ + +--- sshd.8.in.orig Wed May 12 07:19:31 1999 ++++ sshd.8.in Fri Dec 24 21:50:05 1999 +@@ -529,10 +529,10 @@ + + .TP + .B KerberosAuthentication +-Specifies whether Kerberos V5 authentication is allowed. This can ++Specifies whether Kerberos authentication is allowed. This can + be in the form of a Kerberos ticket, or if PasswordAuthentication + is yes, the password provided by the user will be validated through +-the Kerberos KDC or DCE Security Server. Default is yes. ++the Kerberos KDC / AFS kaserver / DCE Security Server. Default is yes. + + .TP + .B KerberosOrLocalPasswd +@@ -542,8 +542,18 @@ + + .TP + .B KerberosTgtPassing +-Specifies whether a Kerberos V5 TGT may be forwarded to the server. ++Specifies whether a Kerberos TGT may be forwarded to the server. + Default is yes. ++ ++.TP ++.B AFSTokenPassing ++Specifies whether an AFS token may be forwarded to the server. ++Default is yes. ++ ++.TP ++.B KerberosTicketCleanup ++Specifies whether to automatically destroy the user's Kerberos v4 ++ticket cache file on logout. Default is yes. + + .TP + .B KeyRegenerationInterval diff --git a/security/ssh6/patches/patch-bm b/security/ssh6/patches/patch-bm new file mode 100644 index 00000000000..82083d8fdde --- /dev/null +++ b/security/ssh6/patches/patch-bm 
@@ -0,0 +1,176 @@ +$NetBSD: patch-bm,v 1.1 2000/03/20 02:25:43 itojun Exp $ + +--- README-IPv6.orig Wed Dec 31 19:00:00 1969 ++++ README-IPv6 Fri Dec 24 21:50:38 1999 +@@ -0,0 +1,171 @@ ++ssh-1.2.27-IPv6 version 1.5 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * ssh-1.2.27-IPv6 can handle both IPv4 and IPv6. ++ ++ To enable sshd/ssh to handle both IPv4 and IPv6, ++ ++ ./configure --enable-ipv6 ++ ++ Otherwise sshd/ssh handle IPv4 only as same as original ssh. ++ ++ * You can have multiple ListenAddress lines in /etc/sshd_config. ++ It means that sshd can listen multiple addresses. ++ ++ Example1: sshd will bind on these four adresses. ++ ++ ListenAddress 202.249.17.50 ++ ListenAddress 202.249.17.137 ++ ListenAddress 3ffe:501:c0b::1 ++ ListenAddress 3ffe:501:c0b:20:2a0:c9ff:fe3e:f5fc ++ ++ Example2: as same as example1. ++ (Because bertemu.rcac.tdi.co.jp has these four addresses.) ++ ++ ListenAddress bertemu.rcac.tdi.co.jp ++ ++ Example3: sshd will bind on any address both IPv4 and IPv6. ++ ++ ListenAddress :: ++ ListenAddress 0.0.0.0 ++ ++ Example4: as same as example3. ++ ++ No ListenAddress line in /etc/sshd_config. ++ ++ * You don't mind whether the host has IPv4 or IPv6 address. ++ You can also specify using only IPv4 (or only IPv6). ++ ++ Example1: ssh will try all IPv4 and IPv6 addresses that the host has. ++ ++ ssh host ++ ++ Example2: ssh will try all IPv4 addresses that the host has. ++ ++ ssh -4 host ++ ++ Example3: ssh will try all IPv6 addresses that the host has. ++ ++ ssh -6 host ++ ++ * You can have multiple Port lines in /etc/sshd_config and -p options. ++ It means that sshd can listen multiple ports, not only port 22. ++ ++ For example, you run sshd that listens port 22 and port 722, ++ and you can use port 22 for slogin and port 722 for scp. ++ It's useful if you have preference for interactive traffic in the router. ++ ++ You can have "AnotherPort 722" line in /etc/ssh_config or your ++ config file (maybe ~/.ssh/config). 
In this case, ssh with -A option ++ try to connect to port 722 at first, and try to connect to original ++ port (maybe port 22) if port 722 fails. scp executes ssh with -A option. ++ ++ * IPv6 supported platform ++ ++ IPv6 feature is available on follwing platforms now. ++ ++ kame -- http://www.kame.net/ (used to be called Hydrangea) ++ v6d -- http://onoe2.sm.sony.co.jp/ipv6/ (IPv6 daemon) ++ ++ On the other environments you can compile and run ssh-1.2.27-IPv6 if ++ you have a good getaddrinfo() in your library. ++ ++ * How to get ssh-1.2.27-IPv6 ++ ++ You can get tar.gz or patch to ssh-1.2.27.tar.gz: ++ ++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5.tar.gz ++ ftp://ftp.kyoto.wide.ad.jp/IPv6/ssh/ssh-1.2.27-IPv6-1.5-patch.gz ++ ++ * How to install ssh-1.2.27-IPv6 ++ ++ Apply ssh-1.2.27-IPv6-1.5-patch to ssh-1.2.27.tar.gz (or use ++ ssh-1.2.27-IPv6-1.5.tar.gz) and then see INSTALL file of ssh-1.2.27. ++ ++ If you want to enable ssh to handle IPv6, for example, ++ ++ % ./configure --enable-ipv6 ++ % make ++ % make install ++ ++ and you will be able to enjoy ssh handling both IPv6 and IPv4. 
++ ++ * Change Log ++ ++ v1.5 1999-05-15 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * for ssh-1.2.27 ++ * supported scp with bracketed ipv6 ip address ++ * used struct sockaddr_storage instead of union sockunion ++ ++ v1.4 1998-08-21 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed ipv6 address checking bug at match_host() in match.c ++ * cleanup comparing ip address at get_remote_hostname() in canohost.c ++ ++ v1.3 1998-08-14 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed ipv6 address checking bug at match_host() in match.c ++ pointed out by Kenji Rikitake <kenji@k2r.org> ++ ++ v1.2.2 1998-08-07 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed IPv6 enable checking bug in configure.in ++ ++ v1.2.1 1998-08-05 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * fixed AuthLog enable handling bug ++ ++ v1.2 1998-08-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * for ssh-1.2.26 ++ ++ v1.1.5 1998-06-13 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * supported AuthLog (logging authenticated info) in /etc/sshd_config ++ ++ v1.1.4 1998-06-11 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * supported multiple Port lines in /etc/sshd_config ++ * supported AnotherPort line in /etc/ssh_config ++ * supported -A option of ssh for another port try ++ ++ v1.1.3 1998-06-01 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * X11 connection forwarding IPv6 support ++ * removeed all hostent and sockaddr_in from *.c ++ ++ v1.1.2 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * configuration support for v6d. ++ ++ v1.1.1 1998-05-31 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * add getaddinfo.c, getnameinfo.c and gai.h (delete fakelibinet6.c) ++ * configure checks whether getaddrinfo exists or not. ++ ++ v1.1 1998-05-31 KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * add fakelibinet6.c (including getaddrinfo and getnameinfo) ++ * compilation support on non-IPv6 environment. 
++ * fixed port forwarding bug ++ ++ v1.0.1 1998-05-30 Jun-ichiro itojun Itoh <itojun@itojun.org> ++ ++ * add ENABLE_IPV6 flag. ++ * configuration support --enable-ipv6 for IPv6 platforms. ++ ++ v1.0 1998-05-30 created by KIKUCHI Takahiro <kick@kyoto.wide.ad.jp> ++ ++ * first release ++ * IPv6 support except X11 connection forwarding ++ ++ * Guideline for making this patch ++ ++ * protocol family independent (using AF_UNSPEC) ++ * use getaddrinfo and getnameinfo (see RFC2133) ++ * don't use sockaddr_in and AF_INET (but option -4 uses AF_INET) ++ * don't use sockaddr_in6 and AF_INET6 (but option -6 uses AF_INET6) ++ * don't use gethostbyname, gethostbyaddr and hostent ++ * listen to all addresses for all available protocol family ++ * try to connect to all addresses for all available protocol family ++ diff --git a/security/ssh6/patches/patch-bn b/security/ssh6/patches/patch-bn new file mode 100644 index 00000000000..c46a09a8385 --- /dev/null +++ b/security/ssh6/patches/patch-bn 
@@ -0,0 +1,49 @@ +$NetBSD: patch-bn,v 1.1 2000/03/20 02:25:44 itojun Exp $ + +--- README.AFS-KERBEROS.orig Wed Dec 31 19:00:00 1969 ++++ README.AFS-KERBEROS Fri Dec 24 21:50:03 1999 +@@ -0,0 +1,44 @@ ++ ++ssh-1.2.27-afs-kerberos.patch-1 ++AFS, Kerberos v4 support for SSH ++ ++Here are the extra flags to configure, and what they do: ++ ++--with-krb4[=PATH] Compile in Kerberos v4 support: ++ Kerberos v4 authentication ++ Kerberos v4 password authentication ++ Kerberos v4 ~/.klogin authorization ++ ++These are all enabled by the 'KerberosAuthentication' config option. ++Kerberos v4 and Kerberos v5 support are mutually exclusive for now. ++PATH default is /usr/kerberos. ++ ++--with-hesiod[=PATH] Compile in support for Hesiod: ++ getpwnam(), getpwuid() replacements ++ ++--with-afs Compile in AFS support (requires KTH krb4): ++ ticket/token passing ++ process authentication groups ++ local Xauthority files (for AFS home dirs) ++ /ticket TKT_ROOT directory (if it exists) ++ ++Binaries built with AFS support will work just fine on non-AFS machines! ++You will need to use the KTH krb4 libs (ftp://ftp.pdc.kth.se/pub/krb/src), ++or just their libkafs, also available separately from CMU as libkrbafs ++(http://andrew2.andrew.cmu.edu/dist/krbafs.html). ++ ++Additional Kerberos client and server config options (and their defaults): ++ ++ KerberosAuthentication yes ++ KerberosOrLocalPasswd no ++ KerberosTgtPassing yes ++ AFSTokenPassing yes ++ KerberosTicketCleanup yes ++ ++See sshd(8) and ssh(1) for details. ++ ++The latest version of this patch can be found at ++ ++ http://www.monkey.org/~dugsong/ssh-afs-kerberos.html ++ ++dugsong@monkey.org diff --git a/security/ssh6/patches/patch-bo b/security/ssh6/patches/patch-bo new file mode 100644 index 00000000000..7061e6500cb --- /dev/null +++ b/security/ssh6/patches/patch-bo 
@@ -0,0 +1,17 @@ +$NetBSD: patch-bo,v 1.1 2000/03/20 02:25:44 itojun Exp $ + +--- gai.h.orig Wed Dec 31 19:00:00 1969 ++++ gai.h Fri Dec 24 21:50:41 1999 +@@ -0,0 +1,12 @@ ++/* ++ * fake library for ssh ++ * ++ * This file is included in getaddrinfo.c and getnameinfo.c. ++ * See getaddrinfo.c and getnameinfo.c. ++ */ ++ ++/* for old netdb.h */ ++#ifndef EAI_NODATA ++#define EAI_NODATA 1 ++#define EAI_MEMORY 2 ++#endif diff --git a/security/ssh6/patches/patch-bp b/security/ssh6/patches/patch-bp new file mode 100644 index 00000000000..97c6ac152fe --- /dev/null +++ b/security/ssh6/patches/patch-bp 
@@ -0,0 +1,120 @@ +$NetBSD: patch-bp,v 1.1 2000/03/20 02:25:44 itojun Exp $ + +--- getaddrinfo.c.orig Wed Dec 31 19:00:00 1969 ++++ getaddrinfo.c Fri Dec 24 21:50:41 1999 +@@ -0,0 +1,115 @@ ++/* ++ * fake library for ssh ++ * ++ * This file includes getaddrinfo(), freeaddrinfo() and gai_strerror(). ++ * These funtions are defined in rfc2133. ++ * ++ * But these functions are not implemented correctly. The minimum subset ++ * is implemented for ssh use only. For exapmle, this routine assumes ++ * that ai_family is AF_INET. Don't use it for another purpose. ++ * ++ * In the case not using 'configure --enable-ipv6', this getaddrinfo.c ++ * will be used if you have broken getaddrinfo or no getaddrinfo. ++ */ ++ ++#include "includes.h" ++#include "ssh.h" ++ ++#include "gai.h" ++ ++static struct addrinfo * ++malloc_ai(port, addr) ++int port; ++u_long addr; ++{ ++ struct addrinfo *ai; ++ ++ if (ai = (struct addrinfo *)malloc(sizeof(struct addrinfo) + ++ sizeof(struct sockaddr_in))) { ++ memset(ai, 0, sizeof(struct addrinfo) + sizeof(struct sockaddr_in)); ++ ai->ai_addr = (struct sockaddr *)(ai + 1); ++ /* XXX -- ssh doesn't use sa_len */ ++ ai->ai_addrlen = sizeof(struct sockaddr_in); ++ ai->ai_addr->sa_family = ai->ai_family = AF_INET; ++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_port = port; ++ ((struct sockaddr_in *)(ai)->ai_addr)->sin_addr.s_addr = addr; ++ return ai; ++ } else { ++ return NULL; ++ } ++} ++ ++char * ++gai_strerror(ecode) ++int ecode; ++{ ++ switch (ecode) { ++ case EAI_NODATA: ++ return "no address associated with hostname."; ++ case EAI_MEMORY: ++ return "memory allocation failure."; ++ default: ++ return "unknown error."; ++ } ++} ++ ++void ++freeaddrinfo(ai) ++struct addrinfo *ai; ++{ ++ struct addrinfo *next; ++ ++ do { ++ next = ai->ai_next; ++ free(ai); ++ } while (ai = next); ++} ++ ++int ++getaddrinfo(hostname, servname, hints, res) ++const char *hostname, *servname; ++const struct addrinfo *hints; ++struct addrinfo **res; ++{ ++ struct 
addrinfo *cur, *prev = NULL; ++ struct hostent *hp; ++ int i, port; ++ ++ if (servname) ++ port = htons(atoi(servname)); ++ else ++ port = 0; ++ if (hints && hints->ai_flags & AI_PASSIVE) ++ if (*res = malloc_ai(port, htonl(0x00000000))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if (!hostname) ++ if (*res = malloc_ai(port, htonl(0x7f000001))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if (inet_addr(hostname) != -1) ++ if (*res = malloc_ai(port, inet_addr(hostname))) ++ return 0; ++ else ++ return EAI_MEMORY; ++ if ((hp = gethostbyname(hostname)) && ++ hp->h_name && hp->h_name[0] && hp->h_addr_list[0]) { ++ for (i = 0; hp->h_addr_list[i]; i++) ++ if (cur = malloc_ai(port, ++ ((struct in_addr *)hp->h_addr_list[i])->s_addr)) { ++ if (prev) ++ prev->ai_next = cur; ++ else ++ *res = cur; ++ prev = cur; ++ } else { ++ if (*res) ++ freeaddrinfo(*res); ++ return EAI_MEMORY; ++ } ++ return 0; ++ } ++ return EAI_NODATA; ++} diff --git a/security/ssh6/patches/patch-bq b/security/ssh6/patches/patch-bq new file mode 100644 index 00000000000..dbd8fdc7bdd --- /dev/null +++ b/security/ssh6/patches/patch-bq 
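Review bot: `getaddrinfo()` never initialises `*res`, yet the allocation-failure branch of the `gethostbyname` loop tests `if (*res)` and passes it to `freeaddrinfo()`, so a `malloc_ai` failure on the first address frees whatever the caller's pointer happened to hold. Adding `*res = NULL;` before the `servname` handling fixes that. `freeaddrinfo()` itself dereferences `ai` in a `do … while` with no NULL check, which `if (!ai) return;` would cover. The loop also casts each `h_addr_list[i]` to `struct in_addr` without checking `hp->h_addrtype == AF_INET`, and `inet_addr(hostname) != -1` treats 255.255.255.255 as a host name. A comment on `getaddrinfo()` stating both limits would help anyone reusing it.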
@@ -0,0 +1,66 @@ +$NetBSD: patch-bq,v 1.1 2000/03/20 02:25:44 itojun Exp $ + +--- getnameinfo.c.orig Wed Dec 31 19:00:00 1969 ++++ getnameinfo.c Fri Dec 24 21:50:41 1999 +@@ -0,0 +1,61 @@ ++/* ++ * fake library for ssh ++ * ++ * This file includes getnameinfo(). ++ * These funtions are defined in rfc2133. ++ * ++ * But these functions are not implemented correctly. The minimum subset ++ * is implemented for ssh use only. For exapmle, this routine assumes ++ * that ai_family is AF_INET. Don't use it for another purpose. ++ * ++ * In the case not using 'configure --enable-ipv6', this getnameinfo.c ++ * will be used if you have broken getnameinfo or no getnameinfo. ++ */ ++ ++#include "includes.h" ++#include "ssh.h" ++ ++#include "gai.h" ++ ++int ++getnameinfo(sa, salen, host, hostlen, serv, servlen, flags) ++const struct sockaddr *sa; ++size_t salen; ++char *host; ++size_t hostlen; ++char *serv; ++size_t servlen; ++int flags; ++{ ++ struct sockaddr_in *sin = (struct sockaddr_in *)sa; ++ struct hostent *hp; ++ char tmpserv[16]; ++ ++ if (serv) { ++ sprintf(tmpserv, "%d", ntohs(sin->sin_port)); ++ if (strlen(tmpserv) > servlen) ++ return EAI_MEMORY; ++ else ++ strcpy(serv, tmpserv); ++ } ++ if (host) ++ if (flags & NI_NUMERICHOST) ++ if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) ++ return EAI_MEMORY; ++ else { ++ strcpy(host, inet_ntoa(sin->sin_addr)); ++ return 0; ++ } ++ else ++ if (hp = gethostbyaddr((char *)&sin->sin_addr, sizeof(struct in_addr), ++ AF_INET)) ++ if (strlen(hp->h_name) > hostlen) ++ return EAI_MEMORY; ++ else { ++ strcpy(host, hp->h_name); ++ return 0; ++ } ++ else ++ return EAI_NODATA; ++ return 0; ++} diff --git a/security/ssh6/patches/patch-br b/security/ssh6/patches/patch-br new file mode 100644 index 00000000000..5bb65d934e6 --- /dev/null +++ b/security/ssh6/patches/patch-br 
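Review bot: All three length checks in `getnameinfo()` are off by one: `strlen(x) > hostlen` (or `> servlen`) accepts a string of exactly that many characters, and the following `strcpy` then writes its terminating NUL one byte past the caller's buffer. The `hp->h_name` case matters most, because that name comes back from a reverse lookup and is not under the caller's control. Use `>=` in each test, e.g. `if (strlen(hp->h_name) >= hostlen) return EAI_MEMORY;`, and likewise for `tmpserv`/`servlen` and the `inet_ntoa()` result. The function also casts `sa` to `struct sockaddr_in` without looking at `sa->sa_family` or `salen`. The header comment says AF_INET is assumed, but `if (sa->sa_family != AF_INET) return EAI_NODATA;` would enforce it.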
@@ -0,0 +1,272 @@ +$NetBSD: patch-br,v 1.1 2000/03/20 02:25:44 itojun Exp $ + +--- radix.c.orig Wed Dec 31 19:00:00 1969 ++++ radix.c Fri Dec 24 21:50:04 1999 +@@ -0,0 +1,267 @@ ++/* ++ radix.c ++ ++ base-64 encoding pinched from lynx2-7-2, who pinched it from rpem. ++ Originally written by Mark Riordan 12 August 1990 and 17 Feb 1991 ++ and placed in the public domain. ++ ++ dugsong@UMICH.EDU ++*/ ++ ++#include "includes.h" ++ ++#ifdef AFS ++#include <krb.h> ++#include <kafs.h> ++ ++char six2pr[64] = { ++ 'A','B','C','D','E','F','G','H','I','J','K','L','M', ++ 'N','O','P','Q','R','S','T','U','V','W','X','Y','Z', ++ 'a','b','c','d','e','f','g','h','i','j','k','l','m', ++ 'n','o','p','q','r','s','t','u','v','w','x','y','z', ++ '0','1','2','3','4','5','6','7','8','9','+','/' ++}; ++ ++unsigned char pr2six[256]; ++ ++int uuencode(unsigned char *bufin, unsigned int nbytes, char *bufcoded) ++{ ++ /* ENC is the basic 1 character encoding function to make a char printing */ ++#define ENC(c) six2pr[c] ++ ++ register char *outptr = bufcoded; ++ unsigned int i; ++ ++ for (i=0; i<nbytes; i += 3) { ++ *(outptr++) = ENC(*bufin >> 2); /* c1 */ ++ *(outptr++) = ENC(((*bufin << 4) & 060) | ((bufin[1] >> 4) & 017)); /*c2*/ ++ *(outptr++) = ENC(((bufin[1] << 2) & 074) | ((bufin[2] >> 6) & 03));/*c3*/ ++ *(outptr++) = ENC(bufin[2] & 077); /* c4 */ ++ bufin += 3; ++ } ++ if (i == nbytes+1) { ++ outptr[-1] = '='; ++ } else if (i == nbytes+2) { ++ outptr[-1] = '='; ++ outptr[-2] = '='; ++ } ++ *outptr = '\0'; ++ return(outptr - bufcoded); ++} ++ ++int uudecode(char *bufcoded, unsigned char *bufplain, int outbufsize) ++{ ++ /* single character decode */ ++#define DEC(c) pr2six[c] ++#define MAXVAL 63 ++ ++ static int first = 1; ++ int nbytesdecoded, j; ++ register char *bufin = bufcoded; ++ register unsigned char *bufout = bufplain; ++ register int nprbytes; ++ ++ /* If this is the first call, initialize the mapping table. 
*/ ++ if (first) { ++ first = 0; ++ for(j=0; j<256; j++) pr2six[j] = MAXVAL+1; ++ for(j=0; j<64; j++) pr2six[(unsigned char)six2pr[j]] = (unsigned char)j; ++ } ++ ++ /* Strip leading whitespace. */ ++ while (*bufcoded==' ' || *bufcoded == '\t') bufcoded++; ++ ++ /* Figure out how many characters are in the input buffer. ++ If this would decode into more bytes than would fit into ++ the output buffer, adjust the number of input bytes downwards. */ ++ bufin = bufcoded; ++ while (pr2six[(unsigned char)*(bufin++)] <= MAXVAL); ++ nprbytes = bufin - bufcoded - 1; ++ nbytesdecoded = ((nprbytes+3)/4) * 3; ++ if (nbytesdecoded > outbufsize) ++ nprbytes = (outbufsize*4)/3; ++ ++ bufin = bufcoded; ++ ++ while (nprbytes > 0) { ++ *(bufout++) = (unsigned char) (DEC(*bufin) << 2 | DEC(bufin[1]) >> 4); ++ *(bufout++) = (unsigned char) (DEC(bufin[1]) << 4 | DEC(bufin[2]) >> 2); ++ *(bufout++) = (unsigned char) (DEC(bufin[2]) << 6 | DEC(bufin[3])); ++ bufin += 4; ++ nprbytes -= 4; ++ } ++ if (nprbytes & 03) { ++ if (pr2six[bufin[-2]] > MAXVAL) ++ nbytesdecoded -= 2; ++ else ++ nbytesdecoded -= 1; ++ } ++ return(nbytesdecoded); ++} ++ ++typedef unsigned char my_u_char; ++typedef unsigned int my_u_int32_t; ++typedef unsigned short my_u_short; ++ ++/* Nasty macros from BIND-4.9.2 */ ++ ++#define GETSHORT(s, cp) { \ ++ register my_u_char *t_cp = (my_u_char*)(cp); \ ++ (s) = (((my_u_short)t_cp[0]) << 8) \ ++ | (((my_u_short)t_cp[1])) \ ++ ; \ ++ (cp) += 2; \ ++} ++ ++#define GETLONG(l, cp) { \ ++ register my_u_char *t_cp = (my_u_char*)(cp); \ ++ (l) = (((my_u_int32_t)t_cp[0]) << 24) \ ++ | (((my_u_int32_t)t_cp[1]) << 16) \ ++ | (((my_u_int32_t)t_cp[2]) << 8) \ ++ | (((my_u_int32_t)t_cp[3])) \ ++ ; \ ++ (cp) += 4; \ ++} ++ ++#define PUTSHORT(s, cp) { \ ++ register my_u_short t_s = (my_u_short)(s); \ ++ register my_u_char *t_cp = (my_u_char*)(cp); \ ++ *t_cp++ = t_s >> 8; \ ++ *t_cp = t_s; \ ++ (cp) += 2; \ ++} ++ ++#define PUTLONG(l, cp) { \ ++ register my_u_int32_t t_l = 
(my_u_int32_t)(l); \ ++ register my_u_char *t_cp = (my_u_char*)(cp); \ ++ *t_cp++ = t_l >> 24; \ ++ *t_cp++ = t_l >> 16; \ ++ *t_cp++ = t_l >> 8; \ ++ *t_cp = t_l; \ ++ (cp) += 4; \ ++} ++ ++#define GETSTRING(s, p, p_l) { \ ++ register char* p_targ = (p) + p_l; \ ++ register char* s_c = (s); \ ++ register char* p_c = (p); \ ++ while (*p_c && (p_c < p_targ)) { \ ++ *s_c++ = *p_c++; \ ++ } \ ++ if (p_c == p_targ) { \ ++ return 1; \ ++ } \ ++ *s_c = *p_c++; \ ++ (p_l) = (p_l) - (p_c - (p)); \ ++ (p) = p_c; \ ++} ++ ++ ++int creds_to_radix(CREDENTIALS *creds, unsigned char *buf) ++{ ++ char *p, *s; ++ int len; ++ char temp[2048]; ++ ++ p = temp; ++ *p++ = 1; /* version */ ++ s = creds->service; while (*s) *p++ = *s++; *p++ = *s; ++ s = creds->instance; while (*s) *p++ = *s++; *p++ = *s; ++ s = creds->realm; while (*s) *p++ = *s++; *p++ = *s; ++ ++ s = creds->pname; while (*s) *p++ = *s++; *p++ = *s; ++ s = creds->pinst; while (*s) *p++ = *s++; *p++ = *s; ++ /* Null string to repeat the realm. */ ++ *p++ = '\0'; ++ ++ PUTLONG(creds->issue_date,p); ++ { ++ unsigned long endTime ; ++#ifdef HAVE_KRB_LIFE_TO_TIME ++ endTime = (unsigned long)krb_life_to_time(creds->issue_date, ++ creds->lifetime); ++#else /* !HAVE_KRB_LIFE_TO_TIME */ ++ endTime = creds->issue_date + ((unsigned char)(creds->lifetime))*5*60; ++#endif /* !HAVE_KRB_LIFE_TO_TIME */ ++ PUTLONG(endTime,p); ++ } ++ ++ memcpy(p,&creds->session, sizeof(creds->session)); ++ p += sizeof(creds->session); ++ ++ PUTSHORT(creds->kvno,p); ++ PUTLONG(creds->ticket_st.length,p); ++ ++ memcpy(p,creds->ticket_st.dat, creds->ticket_st.length); ++ p += creds->ticket_st.length; ++ len = p - temp; ++ ++ return(uuencode(temp, len, buf)); ++} ++ ++int radix_to_creds(char *buf, CREDENTIALS *creds) ++{ ++ ++ char *p, *s; ++ int len, tl, status; ++ char version; ++ char temp[2048]; ++ ++ if (!(len = uudecode(buf, temp, sizeof(temp)))) ++ return 0; ++ ++ p = temp; ++ ++ /* check version and length! 
*/ ++ if (len < 1) return 0; ++ version = *p; p++; len--; ++ ++ GETSTRING(creds->service, p, len); ++ GETSTRING(creds->instance, p, len); ++ GETSTRING(creds->realm, p, len); ++ ++ GETSTRING(creds->pname, p, len); ++ GETSTRING(creds->pinst, p, len); ++ /* Ignore possibly different realm. */ ++ while (*p && len) p++, len--; ++ if (len == 0) return 0; ++ p++, len--; ++ ++ /* Enough space for remaining fixed-length parts? */ ++ if (len < (4 + 4 + sizeof(creds->session) + 2 + 4)) ++ return 0; ++ ++ GETLONG(creds->issue_date,p); ++ len -= 4; ++ { ++ unsigned long endTime; ++ GETLONG(endTime,p); ++ len -= 4; ++#ifdef HAVE_KRB_LIFE_TO_TIME ++ creds->lifetime = krb_time_to_life(creds->issue_date, endTime); ++#else ++ creds->lifetime = ((endTime - creds->issue_date) + 5*60 - 1) / (5*60); ++#endif ++ } ++ ++ memcpy(&creds->session, p, sizeof(creds->session)); ++ p += sizeof(creds->session); ++ len -= sizeof(creds->session); ++ ++ GETSHORT(creds->kvno,p); ++ len -= 2; ++ GETLONG(creds->ticket_st.length,p); ++ len -= 4; ++ ++ tl = creds->ticket_st.length; ++ if (tl < 0 || tl > len || tl > sizeof(creds->ticket_st.dat)) ++ return 0; ++ ++ memcpy(creds->ticket_st.dat, p, tl); ++ p += tl; ++ len -= tl; ++ ++ return 1; ++} ++ ++#endif /* AFS */ diff --git a/security/ssh6/patches/patch-la b/security/ssh6/patches/patch-la new file mode 100644 index 00000000000..feaa3c05026 --- /dev/null +++ b/security/ssh6/patches/patch-la 
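Review bot: `GETSTRING` in `radix_to_creds()` copies each NUL-terminated field of the decoded input into `creds->service`, `instance`, `realm`, `pname` and `pinst` bounded only by the remaining input length, never by the destination size, so a field longer than its destination (presumably the fixed-size krb4 `CREDENTIALS` arrays) overruns it. The macro also reads `*p_c` before testing `p_c < p_targ`, and it does `return 1` when the input runs out, which is the value `radix_to_creds()` returns on success. In addition, `uudecode()` returns `nbytesdecoded` as computed before it clamps `nprbytes` to the output size, and the clamp `(outbufsize*4)/3` is not rounded down to a multiple of 4. As a result `len` can exceed `sizeof(temp)`, so the later `tl > len` test no longer bounds the `memcpy` source. I would give the macro a destination-size argument and make it fail with 0, as below (assuming the fields are arrays so `sizeof` applies), and have `uudecode()` recompute `nbytesdecoded` from the clamped `nprbytes`.

```c
#define GETSTRING(s, s_l, p, p_l) {			\
    register char* p_targ = (p) + p_l;		\
    register char* s_c = (s);			\
    register char* s_targ = (s) + (s_l) - 1;	\
    register char* p_c = (p);			\
    while ((p_c < p_targ) && *p_c && (s_c < s_targ)) {	\
	*s_c++ = *p_c++;			\
    }						\
    if (p_c == p_targ || *p_c) {		\
	return 0; /* input exhausted or field too long */ \
    }						\
    *s_c = *p_c++;				\
    (p_l) = (p_l) - (p_c - (p));			\
    (p) = p_c;					\
}

/* … unchanged: creds_to_radix, start of radix_to_creds … */

  GETSTRING(creds->service, sizeof(creds->service), p, len);
  GETSTRING(creds->instance, sizeof(creds->instance), p, len);
  GETSTRING(creds->realm, sizeof(creds->realm), p, len);

  GETSTRING(creds->pname, sizeof(creds->pname), p, len);
  GETSTRING(creds->pinst, sizeof(creds->pinst), p, len);
```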
@@ -0,0 +1,28 @@
+$NetBSD: patch-la,v 1.1 2000/03/20 02:25:44 itojun Exp $
+
+--- userfile.c.orig Mon Mar 6 15:18:17 2000
++++ userfile.c Mon Mar 6 15:18:25 2000
+@@ -180,7 +180,7 @@
+ #endif
+
+
+-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H)
+ #include <login_cap.h>
+ #endif
+
+@@ -644,9 +644,13 @@
+ /* Child. We will start serving request. */
+ if (uid != geteuid() || uid != getuid())
+ {
+-#if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)
++#if (defined (__FreeBSD__) || defined(__NetBSD__)) && defined(HAVE_LOGIN_CAP_H)
+ struct passwd * pw = getpwuid(uid);
++#if defined(__NetBSD__)
++ login_cap_t * lc = login_getpwclass(pw);
++#else
+ login_cap_t * lc = login_getuserclass(pw);
++#endif
+ if (setusercontext(lc, pw, uid,
+ LOGIN_SETALL & ~(LOGIN_SETLOGIN | LOGIN_SETPATH |
+ LOGIN_SETENV)) < 0)
diff --git a/security/ssh6/pkg/COMMENT b/security/ssh6/pkg/COMMENT
new file mode 100644
index 00000000000..9432614680e
--- /dev/null
+++ b/security/ssh6/pkg/COMMENT
@@ -0,0 +1 @@
+Secure shell client and server (remote login program)
diff --git a/security/ssh6/pkg/DEINSTALL b/security/ssh6/pkg/DEINSTALL
new file mode 100644
index 00000000000..0774f8db341
--- /dev/null
+++ b/security/ssh6/pkg/DEINSTALL
@@ -0,0 +1,18 @@
+#! /bin/sh
+#
+# $NetBSD: DEINSTALL,v 1.1 2000/03/20 02:25:47 itojun Exp $
+#
+
+case "$2" in
+ DEINSTALL) cat <<EOF
+
+=============================================================
+Note that ssh configuration, key, and random-seed files
+(@SSH_CONF_DIR@/ssh*) are not removed in the deinstallation
+process. You should remove those by hand, if you no longer
+need them.
+=============================================================
+
+EOF
+ ;;
+esac
diff --git a/security/ssh6/pkg/DESCR b/security/ssh6/pkg/DESCR
new file mode 100644
index 00000000000..5c76294d0b0
--- /dev/null
+++ b/security/ssh6/pkg/DESCR
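Review bot: In the userfile.c hunk at -644 carried by patch-la, the result of `getpwuid(uid)` is passed unchecked to `login_getpwclass(pw)` in the new `__NetBSD__` branch, and then to `setusercontext()`. This is the child's privilege-drop path, so a failed passwd lookup should fail closed rather than depend on how the login_cap routines treat a null entry; I would add a guard right after the lookup, e.g. `if (pw == NULL) { /* fail the same way as the setusercontext() < 0 branch */ }`. The body of the `setusercontext(...) < 0` branch and the rest of the function lie outside the hunk, so the exact failure action, and whether `lc` is later released with `login_close()`, cannot be confirmed from here.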
@@ -0,0 +1,98 @@
+SSH (Secure Shell) is a program to log into another computer over a
+network, to execute commands in a remote machine, and to move files
+from one machine to another. It provides strong authentication and
+secure communications over insecure channels. It is intended as a
+replacement for rlogin, rsh, rcp, and rdist.
+
+FEATURES
+
+ o Strong authentication. Closes several security holes (e.g., IP,
+ routing, and DNS spoofing). New authentication methods: .rhosts
+ together with RSA based host authentication, and pure RSA
+ authentication.
+
+ o Improved privacy. All communications are automatically and
+ transparently encrypted. RSA is used for key exchange, and a
+ conventional cipher (normally IDEA, Blowfish, or triple-DES) for
+ encrypting the session. Encryption is started before
+ authentication, and no passwords or other information is
+ transmitted in the clear. Encryption is also used to protect
+ against spoofed packets.
+
+ o Secure X11 sessions. The program automatically sets DISPLAY on
+ the server machine, and forwards any X11 connections over the
+ secure channel. Fake Xauthority information is automatically
+ generated and forwarded to the remote machine; the local client
+ automatically examines incoming X11 connections and replaces the
+ fake authorization data with the real data (never telling the
+ remote machine the real information).
+
+ o Arbitrary TCP/IP ports can be redirected through the encrypted channel
+ in both directions (e.g., for e-cash transactions).
+
+ o No retraining needed for normal users; everything happens
+ automatically, and old .rhosts files will work with strong
+ authentication if administration installs host key files.
+
+ o Never trusts the network. Minimal trust on the remote side of
+ the connection. Minimal trust on domain name servers. Pure RSA
+ authentication never trusts anything but the private key.
+
+ o Client RSA-authenticates the server machine in the beginning of
+ every connection to prevent trojan horses (by routing or DNS
+ spoofing) and man-in-the-middle attacks, and the server
+ RSA-authenticates the client machine before accepting .rhosts or
+ /etc/hosts.equiv authentication (to prevent DNS, routing, or
+ IP-spoofing).
+
+ o Host authentication key distribution can be centrally by the
+ administration, automatically when the first connection is made
+ to a machine (the key obtained on the first connection will be
+ recorded and used for authentication in the future), or manually
+ by each user for his/her own use. The central and per-user host
+ key repositories are both used and complement each other. Host
+ keys can be generated centrally or automatically when the software
+ is installed. Host authentication keys are typically 1024 bits.
+
+ o Any user can create any number of user authentication RSA keys for
+ his/her own use. Each user has a file which lists the RSA public
+ keys for which proof of possession of the corresponding private
+ key is accepted as authentication. User authentication keys are
+ typically 1024 bits.
+
+ o The server program has its own server RSA key which is
+ automatically regenerated every hour. This key is never saved in
+ any file. Exchanged session keys are encrypted using both the
+ server key and the server host key. The purpose of the separate
+ server key is to make it impossible to decipher a captured session by
+ breaking into the server machine at a later time; one hour from
+ the connection even the server machine cannot decipher the session
+ key. The key regeneration interval is configurable. The server
+ key is normally 768 bits.
+
+ o An authentication agent, running in the user's laptop or local
+ workstation, can be used to hold the user's RSA authentication
+ keys. Ssh automatically forwards the connection to the
+ authentication agent over any connections, and there is no need to
+ store the RSA authentication keys on any machine in the network
+ (except the user's own local machine). The authentication
+ protocols never reveal the keys; they can only be used to verify
+ that the user's agent has a certain key. Eventually the agent
+ could rely on a smart card to perform all authentication
+ computations.
+
+ o The software can be installed and used (with restricted
+ functionality) even without root privileges.
+
+ o The client is customizable in system-wide and per-user
+ configuration files. Most aspects of the client's operation can
+ be configured. Different options can be specified on a per-host basis.
+
+ o Automatically executes conventional rsh (after displaying a
+ warning) if the server machine is not running sshd.
+
+ o Optional compression of all data with gzip (including forwarded X11
+ and TCP/IP port data), which may result in significant speedups on
+ slow connections.
+
+ o Complete replacement for rlogin, rsh, and rcp.
diff --git a/security/ssh6/pkg/MESSAGE b/security/ssh6/pkg/MESSAGE
new file mode 100644
index 00000000000..41d28c28b6b
--- /dev/null
+++ b/security/ssh6/pkg/MESSAGE
@@ -0,0 +1,19 @@
+==========================================================================
+$NetBSD: MESSAGE,v 1.1 2000/03/20 02:25:47 itojun Exp $
+
+If "starter" configuration files were installed (in @SSH_CONF_DIR@)
+when the package was installed, be sure to examine them (and the man pages
+for ssh and sshd) to determine whether you want to make any changes.
+
+Copies of the example configuration files are installed in
+@PREFIX@/share/examples/ssh, so those can still be used for reference
+after you have made changes to those installed in @SSH_CONF_DIR@, or if
+you had existing configuration files, which would not be overwritten in
+the installation process.
+
+In general, you will want to set up /etc/rc.local to start sshd at boot
+time. Something like the following should do the job:
+
+# Run sshd if installed and configured
+@PREFIX@/etc/rc.d/sshd.sh
+==========================================================================
diff --git a/security/ssh6/pkg/PLIST b/security/ssh6/pkg/PLIST
new file mode 100644
index 00000000000..4aa3393b9cf
--- /dev/null
+++ b/security/ssh6/pkg/PLIST
@@ -0,0 +1,40 @@
+@comment $NetBSD: PLIST,v 1.1 2000/03/20 02:25:48 itojun Exp $
+bin/ssh
+bin/ssh1
+bin/scp
+bin/scp1
+bin/slogin
+bin/ssh-add
+bin/ssh-add1
+bin/ssh-agent
+bin/ssh-agent1
+bin/ssh-keygen
+bin/ssh-keygen1
+bin/make-ssh-known-hosts
+bin/make-ssh-known-hosts1
+etc/rc.d/sshd.sh
+man/man1/make-ssh-known-hosts1.1
+man/man1/make-ssh-known-hosts.1
+man/man1/scp.1
+man/man1/scp1.1
+man/man1/ssh-add.1
+man/man1/ssh-add1.1
+man/man1/ssh-agent.1
+man/man1/ssh-agent1.1
+man/man1/ssh-keygen.1
+man/man1/ssh-keygen1.1
+man/man1/ssh.1
+man/man1/ssh1.1
+man/man1/slogin.1
+man/man1/slogin1.1
+man/man8/sshd.8
+man/man8/sshd1.8
+sbin/sshd
+sbin/sshd1
+share/examples/ssh/ssh_config
+share/examples/ssh/sshd_config
+@exec if [ ! -d @SSH_CONF_DIR@ ]; then echo "Creating directory @SSH_CONF_DIR@ for ssh config files.." ; mkdir -p @SSH_CONF_DIR@; fi
+@exec if [ ! -f @SSH_CONF_DIR@/ssh_config ]; then echo "Installing example ssh_config in @SSH_CONF_DIR@.." ; /usr/bin/install -c -o root -g wheel -m 0644 %D/share/examples/ssh/ssh_config @SSH_CONF_DIR@; fi
+@exec if [ ! -f @SSH_CONF_DIR@/sshd_config ]; then echo "Installing example sshd_config in @SSH_CONF_DIR@.." ; /usr/bin/install -c -o root -g wheel -m 0644 %D/share/examples/ssh/sshd_config @SSH_CONF_DIR@; fi
+@exec if [ ! -f @SSH_CONF_DIR@/ssh_host_key ]; then echo "Generating a secret host key in @SSH_CONF_DIR@.." ; %D/bin/ssh-keygen -N "" -f @SSH_CONF_DIR@/ssh_host_key; fi
+@dirrm share/examples/ssh |
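Review bot: The first `@exec` line creates `@SSH_CONF_DIR@` with a bare `mkdir -p`, so the directory that will hold `ssh_host_key` gets whatever owner and mode the installing shell's umask yields. The config files placed into it are installed with an explicit `-o root -g wheel -m 0644`, and I would pin the directory the same way, e.g. `/usr/bin/install -d -o root -g wheel -m 0755 @SSH_CONF_DIR@`, so a loose umask cannot leave it group- or world-writable. The mode of the host key itself is set by `ssh-keygen` and is not visible here; it is presumably restrictive, and a short `@comment` on that line saying so would help the next packager.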