diff options
| author | Damien Miller <djm@mindrot.org> | 2001-04-29 22:03:41 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2001-04-29 22:03:41 +1000 |
| commit | 0b814c1e9a0e5284750dbe000260e1dd86164636 (patch) | |
| tree | 2ea316922cd800242dbbf3fce89ae5d45d02eb80 | |
| parent | efff9b959de23481152acc4a77e69ace895c2a44 (diff) | |
- (djm) Add Theo Schlossnagle's <jesus@omniti.com> SecurID patch to contrib/
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | contrib/SecurID.diff | 4101 |
2 files changed, 4103 insertions, 1 deletions
@@ -1,5 +1,6 @@ 20010429 - (bal) Updated INSTALL. PCRE moved to a new place. + - (djm) Add Theo Schlossnagle's <jesus@omniti.com> SecurID patch to contrib/ 20010427 - (bal) Fixed uidswap.c so it should work on non-posix complient systems. @@ -5270,4 +5271,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.1179.2.1 2001/04/28 17:31:23 mouring Exp $ +$Id: ChangeLog,v 1.1179.2.2 2001/04/29 12:03:41 djm Exp $ diff --git a/contrib/SecurID.diff b/contrib/SecurID.diff new file mode 100644 index 00000000..fcbb7378 --- /dev/null +++ b/contrib/SecurID.diff @@ -0,0 +1,4101 @@ +diff -ruN openssh-2.9p1-orig/Makefile.in openssh-2.9p1/Makefile.in +--- openssh-2.9p1-orig/Makefile.in Fri Apr 27 10:31:08 2001 ++++ openssh-2.9p1/Makefile.in Sun Apr 29 21:59:59 2001 +@@ -49,7 +49,7 @@ + + SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o + +-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o ++SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-securid.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o + + MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out + MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 +diff -ruN openssh-2.9p1-orig/README.SecurID openssh-2.9p1/README.SecurID +--- openssh-2.9p1-orig/README.SecurID Thu Jan 1 10:00:00 1970 ++++ openssh-2.9p1/README.SecurID Sun Apr 29 21:59:59 2001 +@@ -0,0 +1,90 @@ ++/* ++ * Author: Theo Schlossnagle <jesus@omniti.com> ++ * Copyright (c) 2000,2001 Theo Schlossnagle <jesus@omniti.com> ++ * All rights reserved ++ * Created: September 21, 2000 ++ * License: OpenSSH License. See the license for OpenSSH for more details. ++ * ++ * April 24, 2001: ++ * Updated to 2.9.0p1 -- jesus@omniti.com ++ * added autoconf clauses to fault if sdiclient.a and headers aren't there. ++ * ++ * April 21, 2001: ++ * Updated to 2.5.2p2 -- jesus@omniti.com ++ * Incorporated some bug fixes from Anders Olsen to fix next-token code. ++ * ++ * March 19, 2001: ++ * Updated to 2.5.2p1 -- jesus@omniti.com ++ * ++ * December 20, 2000: ++ * Updated to 2.3.0p1 -- jesus@omniti.com ++ * ++ * Jan 9th, 2001: ++ * Added SecurIDUsersFile, SecurIDIgnoreShell, AllowNonSecurID directives ++ * to the sshd_config file. These parameters are documented in the man page. ++ * This provides a more logical seperationg between fail-through due to system ++ * failure and fall-through by configuration. (fall-through vs. fail-through) ++ * -- jesus@omniti.com ++ */ ++ ++Seems like a few people are interested. So here is the patch. ++ ++This has only been tested on UNICIES that support PAM. There is untested ++(only 5 lines) code in auth-passwd.c that should provide the same ++functionality for normal (non-PAM) password verifications. ++ ++The patch is logical quite small, the physical patch bulky because it contains ++all the line number changes in "configure" after running autoconf on the ++modified configure.in file (in which I changed maybe 10 lines -- Yuk.) ++ ++The sshd man page has been patched too :-) Read it for the two new options ++relating to SecurID. ++ ++How it works: ++ ++0) apply patch ;-) ++1) copy sdi headers (in SecurID example directory) into either a standard ++include place (like /usr/local/include) or into the openssh source tree ++or add the --with-cflags=-I/path/to/ace/examples (where the include files are) ++2) copy the sdiclient.a file (same dir) into the openssh source tree. ++ ++Make sure that /var/ace contains your sdconf.rec, etc. If you installed ++SecurID client or server on a machine it should be this way already. If you ++used a non-standard install location do a "ln -s /path/to/ace/data /var/ace" ++ ++3) add --with-securid --with-pam to the configure flags. This module rides on ++the PAM authentication mechanism. ++ ++It will trigger if a user has a shell in /etc/passwd that ends with "sdshell" ++and it snags your shell the same way sdshell does. Users with other shells ++will log in as if SecurID didn't exist. ++ ++Done: ++ o Normal passcode verification ++ o Enter next token for verification ++ (use ssh -v to see the *useful* debgging messages) ++ ++ssh -v will let you know if: ++ o your code was accepted. ++ o your code was rejected. ++ o you are required to wait for the next token and enter that. ++ ++TODO: ++ o Handle PIN creation and changing (as their are by default three log in ++attempts, it should be straight forward to integrate in these additions -- ++both of these operations require exactly three user inputs.) ++ o Add sshd_config parameter to specify the VAR_ACE location (forced to ++/var/ace OR VAR_ACE environment variable now.) ++ o Make autoconf find the headers in logical places and add a long-option to ++give it a hint. I am an "autoconf idiot"... The small changes I made were ++challenging enough :) ++ ++ ++DISCLAIMER: ++ I works for me (yes, in production). If you get locked out of a production ++system becuase you replaced your sshd with this one, feeling really dumb is ++YOUR responsibility NOT mine. It is not my fault :-D ++ ++Hope this is useful! scp (and all other tools that can use ssh like rsync and ++cvs) will work now!!!! Hooray! ++ +diff -ruN openssh-2.9p1-orig/acconfig.h openssh-2.9p1/acconfig.h +--- openssh-2.9p1-orig/acconfig.h Fri Apr 6 03:15:08 2001 ++++ openssh-2.9p1/acconfig.h Sun Apr 29 21:59:59 2001 +@@ -187,6 +187,9 @@ + /* Define if you want S/Key support */ + #undef SKEY + ++/* Define if you want SecurID support */ ++#undef SECURID ++ + /* Define if you want TCP Wrappers support */ + #undef LIBWRAP + +diff -ruN openssh-2.9p1-orig/auth-pam.c openssh-2.9p1/auth-pam.c +--- openssh-2.9p1-orig/auth-pam.c Tue Apr 24 04:38:37 2001 ++++ openssh-2.9p1/auth-pam.c Sun Apr 29 21:59:59 2001 +@@ -170,7 +170,6 @@ + + return PAM_SUCCESS; + } +- + /* Called at exit to cleanly shutdown PAM */ + void do_pam_cleanup_proc(void *context) + { +@@ -213,7 +212,19 @@ + return 0; + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; +- ++#ifdef SECURID ++ if (options.securid_authentication == 1) { ++ int ret; ++ debug("Attempting SecurID authentication user \"%.100s\"", pw->pw_name); ++ ret = auth_securid_password(pw, password); ++ if (ret >= 0) ++ return ret; ++ /* Only returns < 0 if the account is not a SecurID account */ ++ /* Fall back to ordinary passwd authentication. */ ++ } else { ++ debug("SecurID disabled in server config. Using PAM."); ++ } ++#endif + __pampasswd = password; + + pamstate = INITIAL_LOGIN; +diff -ruN openssh-2.9p1-orig/auth-passwd.c openssh-2.9p1/auth-passwd.c +--- openssh-2.9p1-orig/auth-passwd.c Wed Apr 25 22:50:19 2001 ++++ openssh-2.9p1/auth-passwd.c Sun Apr 29 21:59:59 2001 +@@ -147,6 +147,15 @@ + } + #endif + ++#ifdef SECURID ++ if (options.securid_authentication == 1) { ++ int ret = auth_securid_password(pw, password); ++ if (ret >= 0) ++ return ret; ++ /* Only returns < 0 if the account is not a SecurID account */ ++ /* Fall back to ordinary passwd authentication. */ ++ } ++#endif + #ifdef WITH_AIXAUTHENTICATE + return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); + #endif +diff -ruN openssh-2.9p1-orig/auth-securid.c openssh-2.9p1/auth-securid.c +--- openssh-2.9p1-orig/auth-securid.c Thu Jan 1 10:00:00 1970 ++++ openssh-2.9p1/auth-securid.c Sun Apr 29 21:59:59 2001 +@@ -0,0 +1,189 @@ ++/* ++ * Author: Theo Schlossnagle <jesus@omniti.com> ++ * Copyright (c) 2000 Theo Schlossnagle <jesus@omniti.com> ++ * All rights reserved ++ * Created: September 21, 2000 ++ * This file contains the code to process a SecurID authentication ++ * including the "next token" request. ++ */ ++ ++#include "includes.h" ++ ++RCSID("$OpenBSD: auth-securid.c,v 1.0 2000/09/21 01:39:38 jesus Exp $"); ++ ++#include "packet.h" ++#include "ssh.h" ++#include "log.h" ++#include "servconf.h" ++#include "xmalloc.h" ++ ++#ifdef WITH_AIXAUTHENTICATE ++# include <login.h> ++#endif ++#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW ++# include <hpsecurity.h> ++# include <prot.h> ++#endif ++#ifdef HAVE_SHADOW_H ++# include <shadow.h> ++#endif ++#ifdef HAVE_GETPWANAM ++# include <sys/label.h> ++# include <sys/audit.h> ++# include <pwdadj.h> ++#endif ++#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) ++# include "md5crypt.h" ++#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ ++ ++#ifdef SECURID ++#include "sdi_athd.h" ++#include "sdconf.h" ++#include "sdacmvls.h" ++ ++union config_record configure; ++#endif ++ ++/* ++ * Tries to authenticate the user using password. Returns true if ++ * authentication succeeds. ++ */ ++#define INBUFFLEN 256 ++ ++int ++securid_usersfile_find(const char *pw_name) ++{ ++ extern ServerOptions options; ++ FILE *inf; ++ char inbuff[INBUFFLEN]; ++ struct stat fileinfo; ++ int retval = 0; ++ ++ if(!options.securid_usersfile) { ++ error("In securid_usersfile_find() with NULL filename!"); ++ return -1; ++ } ++ if(lstat(options.securid_usersfile, &fileinfo)) { ++ error("Cannot open %s: %s", ++ options.securid_usersfile, strerror(errno)); ++ return -1; ++ } ++ if(fileinfo.st_mode & (S_IWOTH|S_IWGRP)) { ++ error("SecurIDUsersFile is writeable by group and other"); ++ return -1; ++ } ++ if(!(inf = fopen(options.securid_usersfile, "r"))) { ++ error("Cannot open %s: %s", ++ options.securid_usersfile, strerror(errno)); ++ return -1; ++ } ++ while(fgets(inbuff,INBUFFLEN-1,inf) != NULL) { ++ if(inbuff[strlen(inbuff) - 1] == '\n') ++ inbuff[strlen(inbuff) - 1] = '\0'; ++ retval = !strcmp(inbuff,pw_name); ++ if(retval) break; ++ } ++ fclose(inf); ++ if(retval) return 1; ++ debug2("Failed to find %s in %s", ++ pw_name, options.securid_usersfile); ++ return 0; ++} ++int ++auth_securid_password(struct passwd * pw, const char *password) ++{ ++ static int state = 0; /* This tells us where we expect a ++ 0 "PIN" ++ 1 "Next Token" ++ */ ++ int doauth; ++ char *ecp; ++ extern ServerOptions options; ++#ifndef SECURID ++ return -1; ++#else ++ /* Add static for the nexttoken case -- Anders Olsen 20010409 */ ++ static struct SD_CLIENT sd_dat, *sd; ++ ++ /* Check for users with no sdshell and pass them by. */ ++ if(options.securid_usersfile) { ++ doauth = securid_usersfile_find(pw->pw_name); ++ if(doauth == 0) { /* file is there, user is not */ ++ if(options.allow_nonsecurid) return -1; ++ return 0; ++ } else if(doauth < 0) { /* File not there or bad perms! */ ++ error("Failing SecurID login attempt"); ++ return 0; /* Fail */ ++ } ++ } else { ++ /* No users securid_usersfile ++ so use shells that end in sdshell */ ++ if (!((ecp = strstr(pw->pw_shell, "sdshell")) && ++ (*(ecp+8)=='\0'))) ++ if(options.allow_nonsecurid) return -1; ++ else ++ return 0; ++ } ++ /* sd_check on with an empty password causes segfault against some ++ versions of sdiclient -- Anders Olsen 20010409 */ ++ if (*password == '\0') { ++ debug2("auth_securid_password: empty password, skipping"); ++ return 0; ++ } ++ /* Don't reopen session to securid-server is nexttoken ++ -- Adres Olsen 20010410 */ ++ if (state == 0) { ++ int ret; ++ memset(&sd_dat, 0, sizeof(sd_dat)); /* clear struct */ ++ sd = &sd_dat; ++ ++ if(creadcfg()) { ++ /* Can't read sdconf.rec! Gotta bail */ ++ packet_send_debug("Couldn't read sdconf.rec."); ++ if(options.securid_fallback) return -1; ++ return 0; ++ } ++ if(sd_init(sd)) { ++ /* Can't establish client/server comms! Gotta bail */ ++ packet_send_debug("Couldn't establish client/server communications."); ++ if(options.securid_fallback) return -1; ++ return 0; ++ } ++ /* Auth PIN... */ ++ ret = sd_check(password, pw->pw_name, sd); ++ if(ret == ACM_OK) { ++ goto success; ++ } ++ if(ret == ACM_ACCESS_DENIED) { ++ packet_send_debug("SecurID passcode rejected."); ++ return 0; /* Failed! */ ++ } ++ if(ret == ACM_NEXT_CODE_REQUIRED) { ++ packet_send_debug("SecurID needs next token."); ++ state = 1; /* Process next try as sd_next */ ++ return 0; /* Fail, so ssh will prmpt again */ ++ } ++ } else { ++ /* Auth next token... */ ++ int ret; ++ state = 0; /* Set back to PIN mode */ ++ ret = sd_next(password, sd); ++ if(ret == ACM_OK) { ++ goto success; ++ } ++ packet_send_debug("SecurID passcode rejected."); ++ return 0; /* Failed */ ++ } ++ packet_send_debug("Unhandled sdcheck() return code."); ++ return 0; /* Failed! */ ++ ++success: ++ /* We don't free pw->pw_shell here, becuase we don't know how it was ++ allocated... Besides it is a very small, one-time leak if we did ++ need to free it. */ ++ if(!options.securid_ignore_shell) ++ pw->pw_shell = strdup(sd->shell); ++ packet_send_debug("SecurID passcode accepted."); ++ return 1; /* Success */ ++#endif ++} +diff -ruN openssh-2.9p1-orig/config.h.in openssh-2.9p1/config.h.in +--- openssh-2.9p1-orig/config.h.in Sun Apr 29 21:49:45 2001 ++++ openssh-2.9p1/config.h.in Sun Apr 29 22:00:53 2001 +@@ -193,6 +193,9 @@ + /* Define if you want S/Key support */ + #undef SKEY + ++/* Define if you want SecurID support */ ++#undef SECURID ++ + /* Define if you want TCP Wrappers support */ + #undef LIBWRAP + +diff -ruN openssh-2.9p1-orig/configure openssh-2.9p1/configure +--- openssh-2.9p1-orig/configure Sun Apr 29 21:49:46 2001 ++++ openssh-2.9p1/configure Sun Apr 29 22:00:56 2001 +@@ -24,6 +24,8 @@ + ac_help="$ac_help + --with-skey=PATH Enable S/Key support" + ac_help="$ac_help ++ --with-securid Enable SecurID support" ++ac_help="$ac_help + --with-tcp-wrappers Enable tcpwrappers support" + ac_help="$ac_help + --with-pam Enable PAM support " +@@ -599,7 +601,7 @@ + # Extract the first word of "gcc", so it can be a program name with args. + set dummy gcc; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:603: checking for $ac_word" >&5 ++echo "configure:605: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -629,7 +631,7 @@ + # Extract the first word of "cc", so it can be a program name with args. + set dummy cc; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:633: checking for $ac_word" >&5 ++echo "configure:635: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -680,7 +682,7 @@ + # Extract the first word of "cl", so it can be a program name with args. + set dummy cl; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:684: checking for $ac_word" >&5 ++echo "configure:686: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -712,7 +714,7 @@ + fi + + echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 +-echo "configure:716: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ++echo "configure:718: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 + + ac_ext=c + # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +@@ -723,12 +725,12 @@ + + cat > conftest.$ac_ext << EOF + +-#line 727 "configure" ++#line 729 "configure" + #include "confdefs.h" + + main(){return(0);} + EOF +-if { (eval echo configure:732: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++if { (eval echo configure:734: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + ac_cv_prog_cc_works=yes + # If we can't run a trivial program, we are probably using a cross compiler. + if (./conftest; exit) 2>/dev/null; then +@@ -754,12 +756,12 @@ + { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } + fi + echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 +-echo "configure:758: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 ++echo "configure:760: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 + echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 + cross_compiling=$ac_cv_prog_cc_cross + + echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 +-echo "configure:763: checking whether we are using GNU C" >&5 ++echo "configure:765: checking whether we are using GNU C" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -768,7 +770,7 @@ + yes; + #endif + EOF +-if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:772: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ++if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:774: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then + ac_cv_prog_gcc=yes + else + ac_cv_prog_gcc=no +@@ -787,7 +789,7 @@ + ac_save_CFLAGS="$CFLAGS" + CFLAGS= + echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 +-echo "configure:791: checking whether ${CC-cc} accepts -g" >&5 ++echo "configure:793: checking whether ${CC-cc} accepts -g" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -844,7 +846,7 @@ + fi + + echo $ac_n "checking host system type""... $ac_c" 1>&6 +-echo "configure:848: checking host system type" >&5 ++echo "configure:850: checking host system type" >&5 + + host_alias=$host + case "$host_alias" in +@@ -865,14 +867,14 @@ + echo "$ac_t""$host" 1>&6 + + echo $ac_n "checking whether byte ordering is bigendian""... $ac_c" 1>&6 +-echo "configure:869: checking whether byte ordering is bigendian" >&5 ++echo "configure:871: checking whether byte ordering is bigendian" >&5 + if eval "test \"`echo '$''{'ac_cv_c_bigendian'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_cv_c_bigendian=unknown + # See if sys/param.h defines the BYTE_ORDER macro. + cat > conftest.$ac_ext <<EOF +-#line 876 "configure" ++#line 878 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/param.h> +@@ -883,11 +885,11 @@ + #endif + ; return 0; } + EOF +-if { (eval echo configure:887: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:889: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + # It does; now see whether it defined to BIG_ENDIAN or not. + cat > conftest.$ac_ext <<EOF +-#line 891 "configure" ++#line 893 "configure" + #include "confdefs.h" + #include <sys/types.h> + #include <sys/param.h> +@@ -898,7 +900,7 @@ + #endif + ; return 0; } + EOF +-if { (eval echo configure:902: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:904: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_c_bigendian=yes + else +@@ -918,7 +920,7 @@ + { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } + else + cat > conftest.$ac_ext <<EOF +-#line 922 "configure" ++#line 924 "configure" + #include "confdefs.h" + main () { + /* Are we little or big endian? From Harbison&Steele. */ +@@ -931,7 +933,7 @@ + exit (u.c[sizeof (long) - 1] == 1); + } + EOF +-if { (eval echo configure:935: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null ++if { (eval echo configure:937: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null + then + ac_cv_c_bigendian=no + else +@@ -957,7 +959,7 @@ + + # Checks for programs. + echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 +-echo "configure:961: checking how to run the C preprocessor" >&5 ++echo "configure:963: checking how to run the C preprocessor" >&5 + # On Suns, sometimes $CPP names a directory. + if test -n "$CPP" && test -d "$CPP"; then + CPP= +@@ -972,13 +974,13 @@ + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. + cat > conftest.$ac_ext <<EOF +-#line 976 "configure" ++#line 978 "configure" + #include "confdefs.h" + #include <assert.h> + Syntax Error + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:982: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++{ (eval echo configure:984: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } + ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + : +@@ -989,13 +991,13 @@ + rm -rf conftest* + CPP="${CC-cc} -E -traditional-cpp" + cat > conftest.$ac_ext <<EOF +-#line 993 "configure" ++#line 995 "configure" + #include "confdefs.h" + #include <assert.h> + Syntax Error + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:999: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++{ (eval echo configure:1001: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } + ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + : +@@ -1006,13 +1008,13 @@ + rm -rf conftest* + CPP="${CC-cc} -nologo -E" + cat > conftest.$ac_ext <<EOF +-#line 1010 "configure" ++#line 1012 "configure" + #include "confdefs.h" + #include <assert.h> + Syntax Error + EOF + ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +-{ (eval echo configure:1016: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ++{ (eval echo configure:1018: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } + ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` + if test -z "$ac_err"; then + : +@@ -1039,7 +1041,7 @@ + # Extract the first word of "ranlib", so it can be a program name with args. + set dummy ranlib; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1043: checking for $ac_word" >&5 ++echo "configure:1045: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1078,7 +1080,7 @@ + # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" + # ./install, which can be erroneously created by make from ./install.sh. + echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 +-echo "configure:1082: checking for a BSD compatible install" >&5 ++echo "configure:1084: checking for a BSD compatible install" >&5 + if test -z "$INSTALL"; then + if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1133,7 +1135,7 @@ + # Extract the first word of "ar", so it can be a program name with args. + set dummy ar; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1137: checking for $ac_word" >&5 ++echo "configure:1139: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1170,7 +1172,7 @@ + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1174: checking for $ac_word" >&5 ++echo "configure:1176: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1209,7 +1211,7 @@ + # Extract the first word of "ent", so it can be a program name with args. + set dummy ent; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1213: checking for $ac_word" >&5 ++echo "configure:1215: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_ENT'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1247,7 +1249,7 @@ + # Extract the first word of "$ac_prog", so it can be a program name with args. + set dummy $ac_prog; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1251: checking for $ac_word" >&5 ++echo "configure:1253: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_FILEPRIV'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1286,7 +1288,7 @@ + # Extract the first word of "bash", so it can be a program name with args. + set dummy bash; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1290: checking for $ac_word" >&5 ++echo "configure:1292: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1321,7 +1323,7 @@ + # Extract the first word of "ksh", so it can be a program name with args. + set dummy ksh; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1325: checking for $ac_word" >&5 ++echo "configure:1327: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1356,7 +1358,7 @@ + # Extract the first word of "sh", so it can be a program name with args. + set dummy sh; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1360: checking for $ac_word" >&5 ++echo "configure:1362: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_TEST_MINUS_S_SH'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1404,7 +1406,7 @@ + # Extract the first word of "login", so it can be a program name with args. + set dummy login; ac_word=$2 + echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +-echo "configure:1408: checking for $ac_word" >&5 ++echo "configure:1410: checking for $ac_word" >&5 + if eval "test \"`echo '$''{'ac_cv_path_LOGIN_PROGRAM_FALLBACK'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else +@@ -1451,21 +1453,21 @@ + + # C Compiler features + echo $ac_n "checking for inline""... $ac_c" 1>&6 +-echo "configure:1455: checking for inline" >&5 ++echo "configure:1457: checking for inline" >&5 + if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + ac_cv_c_inline=no + for ac_kw in inline __inline__ __inline; do + cat > conftest.$ac_ext <<EOF +-#line 1462 "configure" ++#line 1464 "configure" + #include "confdefs.h" + + int main() { + } $ac_kw foo() { + ; return 0; } + EOF +-if { (eval echo configure:1469: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then ++if { (eval echo configure:1471: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_c_inline=$ac_kw; break + else +@@ -1504,12 +1506,12 @@ + blibpath="/usr/lib:/lib:/usr/local/lib" + fi + echo $ac_n "checking for authenticate""... $ac_c" 1>&6 +-echo "configure:1508: checking for authenticate" >&5 ++echo "configure:1510: checking for authenticate" >&5 + if eval "test \"`echo '$''{'ac_cv_func_authenticate'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 1513 "configure" ++#line 1515 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char authenticate(); below. */ +@@ -1532,7 +1534,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:1536: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++if { (eval echo configure:1538: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_authenticate=yes" + else +@@ -1671,12 +1673,12 @@ + EOF + + echo $ac_n "checking for jlimit_startjob""... $ac_c" 1>&6 +-echo "configure:1675: checking for jlimit_startjob" >&5 ++echo "configure:1677: checking for jlimit_startjob" >&5 + if eval "test \"`echo '$''{'ac_cv_func_jlimit_startjob'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 1680 "configure" ++#line 1682 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char jlimit_startjob(); below. */ +@@ -1699,7 +1701,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:1703: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++if { (eval echo configure:1705: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_jlimit_startjob=yes" + else +@@ -1748,7 +1750,7 @@ + + SONY=1 + echo $ac_n "checking for xatexit in -liberty""... $ac_c" 1>&6 +-echo "configure:1752: checking for xatexit in -liberty" >&5 ++echo "configure:1754: checking for xatexit in -liberty" >&5 + ac_lib_var=`echo iberty'_'xatexit | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -1756,7 +1758,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-liberty $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 1760 "configure" ++#line 1762 "configure" + #include "confdefs.h" + /* Override any gcc2 internal prototype to avoid an error. */ + /* We use char because int might match the return type of a gcc2 +@@ -1767,7 +1769,7 @@ + xatexit() + ; return 0; } + EOF +-if { (eval echo configure:1771: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++if { (eval echo configure:1773: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" + else +@@ -1834,7 +1836,7 @@ + # hardwire lastlog location (can't detect it on some versions) + conf_lastlog_location="/var/adm/lastlog" + echo $ac_n "checking for obsolete utmp and wtmp in solaris2.x""... $ac_c" 1>&6 +-echo "configure:1838: checking for obsolete utmp and wtmp in solaris2.x" >&5 ++echo "configure:1840: checking for obsolete utmp and wtmp in solaris2.x" >&5 + sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` + if test "$sol2ver" -ge 8; then + echo "$ac_t""yes" 1>&6 +@@ -1855,12 +1857,12 @@ + for ac_func in getpwanam + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:1859: checking for $ac_func" >&5 ++echo "configure:1861: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 1864 "configure" ++#line 1866 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -1883,7 +1885,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:1887: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++if { (eval echo configure:1889: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -2007,12 +2009,12 @@ + for ac_func in getluid setluid + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:2011: checking for $ac_func" >&5 ++echo "configure:2013: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2016 "configure" ++#line 2018 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -2035,7 +2037,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:2039: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++if { (eval echo configure:2041: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -2086,12 +2088,12 @@ + for ac_func in getluid setluid + do + echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +-echo "configure:2090: checking for $ac_func" >&5 ++echo "configure:2092: checking for $ac_func" >&5 + if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 + else + cat > conftest.$ac_ext <<EOF +-#line 2095 "configure" ++#line 2097 "configure" + #include "confdefs.h" + /* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +@@ -2114,7 +2116,7 @@ + + ; return 0; } + EOF +-if { (eval echo configure:2118: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ++if { (eval echo configure:2120: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" + else +@@ -2143,7 +2145,7 @@ + *-dec-osf*) + if test ! -z "USE_SIA" ; then + echo $ac_n "checking for Digital Unix Security Integration Architecture""... $ac_c" 1>&6 +-echo "configure:2147: checking for Digital Unix Security Integration Architecture" >&5 ++echo "configure:2149: checking for Digital Unix Security Integration Architecture" >&5 + if test -f /etc/sia/matrix.conf; then + echo "$ac_t""yes" 1>&6 + cat >> confdefs.h <<\EOF +@@ -2214,7 +2216,7 @@ + + + echo $ac_n "checking for pcre_info in -lpcre""... $ac_c" 1>&6 +-echo "configure:2218: checking for pcre_info in -lpcre" >&5 ++echo "configure:2220: checking for pcre_info in -lpcre" >&5 + ac_lib_var=`echo pcre'_'pcre_info | sed 'y%./+-%__p_%'` + if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +@@ -2222,7 +2224,7 @@ + ac_save_LIBS="$LIBS" + LIBS="-lpcre $LIBS" + cat > conftest.$ac_ext <<EOF +-#line 2226 "configure" ++#line 2228 "configure" |