From fad82e8999e790899083f9e22a1841148d746df6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 29 Apr 2003 19:12:07 +1000 Subject: - (djm) Add back radix.o (used by AFS support), after it went missing from Makefile many moons ago - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer - (djm) Fix blibpath specification for AIX/gcc - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org --- CREDITS | 4 +-- ChangeLog | 61 +++++--------------------------------------- Makefile.in | 4 +-- auth-pam.c | 20 +++++++-------- auth-passwd.c | 15 +++++++---- auth2-none.c | 2 +- auth2-passwd.c | 8 +++--- configure.ac | 37 +++++++++++++++------------ contrib/caldera/openssh.spec | 4 +-- contrib/redhat/openssh.spec | 6 ++--- contrib/suse/openssh.spec | 2 +- monitor.c | 20 +++++---------- version.h | 2 +- 13 files changed, 70 insertions(+), 115 deletions(-) diff --git a/CREDITS b/CREDITS index 0c866847..8d7b8a48 100644 --- a/CREDITS +++ b/CREDITS @@ -5,7 +5,7 @@ Theo de Raadt, and Dug Song - Creators of OpenSSH Alain St-Denis - Irix fix Alexandre Oliva - AIX fixes -Andre Lucas - new login code, many fixes +Andre Lucas - new login code, many fixes Andreas Steinmetz - Shadow password expiry support Andrew McGill - SCO fixes Andrew Morgan - PAM bugfixes @@ -91,5 +91,5 @@ Apologies to anyone I have missed. Damien Miller -$Id: CREDITS,v 1.67 2002/07/28 20:31:19 stevesk Exp $ +$Id: CREDITS,v 1.67.6.1 2003/04/29 09:12:07 djm Exp $ diff --git a/ChangeLog b/ChangeLog index 3959098e..6ccc4d4e 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,56 +1,9 @@ -20030428 - - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit - hacked code. - -20030427 - - (bal) Bug #541: return; was dropped by mistake. Reported by - furrier@iglou.com - - (bal) Since we don't support platforms lacking u_int_64. We may - as well clean out some of those evil #ifdefs - - (bal) auth1.c minor resync while looking at the code. - - (bal) auth2.c same changed as above. - -20030409 - - (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report - from matth@eecs.berkeley.edu - - (djm) Make the spec work with Redhat 9.0 (which renames sharutils) - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2003/04/02 09:48:07 - [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] - [readconf.h serverloop.c sshconnect2.c] - reapply rekeying chage, tested by henning@, ok djm@ - - markus@cvs.openbsd.org 2003/04/02 14:36:26 - [ssh-keysign.c] - potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526 - - itojun@cvs.openbsd.org 2003/04/03 07:25:27 - [progressmeter.c] - $OpenBSD$ - - itojun@cvs.openbsd.org 2003/04/03 10:17:35 - [progressmeter.c] - remove $OpenBSD$, as other *.c does not have it. - - markus@cvs.openbsd.org 2003/04/07 08:29:57 - [monitor_wrap.c] - typo: get correct counters; introduced during rekeying change. - - millert@cvs.openbsd.org 2003/04/07 21:58:05 - [progressmeter.c] - The UCB copyright here is incorrect. This code did not originate - at UCB, it was written by Luke Mewburn. Updated the copyright at - the author's request. markus@ OK - - itojun@cvs.openbsd.org 2003/04/08 20:21:29 - [*.c *.h] - rename log() into logit() to avoid name conflict. 
markus ok, from - netbsd - - (djm) XXX - Performed locally using: - "perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h" - - hin@cvs.openbsd.org 2003/04/09 08:23:52 - [servconf.c] - Don't include when compiling with Kerberos 5 support - - (djm) Fix up missing include for packet.c - - (djm) Fix missed log => logit occurance (reference by function pointer) - -20030402 - - (bal) if IP_TOS is not found or broken don't try to compile in - packet_set_tos() function call. bug #527 +20030429 + - (djm) Add back radix.o (used by AFS support), after it went missing from + Makefile many moons ago + - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer + - (djm) Fix blibpath specification for AIX/gcc + - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org 20030401 - (djm) OpenBSD CVS Sync @@ -1349,4 +1302,4 @@ save auth method before monitor_reset_key_state(); bugzilla bug #284; ok provos@ -$Id: ChangeLog,v 1.2663 2003/04/28 23:30:43 mouring Exp $ +$Id: ChangeLog,v 1.2648.2.1 2003/04/29 09:12:07 djm Exp $ diff --git a/Makefile.in b/Makefile.in index 6702eb96..39bbf344 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.228 2003/03/21 00:34:34 mouring Exp $ +# $Id: Makefile.in,v 1.228.2.1 2003/04/29 09:12:08 djm Exp $ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -62,7 +62,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \ cipher.o compat.o compress.o crc32.o deattack.o fatal.o \ - hostfile.o log.o match.o mpaux.o nchan.o packet.o readpass.o \ + hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o readpass.o \ rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \ key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ diff --git a/auth-pam.c b/auth-pam.c index b29444e8..cb57ba11 100644 --- a/auth-pam.c +++ b/auth-pam.c 
@@ -38,7 +38,7 @@ extern char *__progname; extern int use_privsep; -RCSID("$Id: auth-pam.c,v 1.56 2003/04/09 10:59:48 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.55.4.1 2003/04/29 09:12:08 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now." @@ -182,7 +182,7 @@ void do_pam_cleanup_proc(void *context) if (__pamh && session_opened) { pam_retval = pam_close_session(__pamh, 0); if (pam_retval != PAM_SUCCESS) - logit("Cannot close PAM session[%d]: %.200s", + log("Cannot close PAM session[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } @@ -196,12 +196,12 @@ void do_pam_cleanup_proc(void *context) if (__pamh) { pam_retval = pam_end(__pamh, pam_retval); if (pam_retval != PAM_SUCCESS) - logit("Cannot release PAM authentication[%d]: %.200s", + log("Cannot release PAM authentication[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); } } -/* Attempt password authentation using PAM */ +/* Attempt password authentication using PAM */ int auth_pam_password(Authctxt *authctxt, const char *password) { extern ServerOptions options; @@ -215,13 +215,13 @@ int auth_pam_password(Authctxt *authctxt, const char *password) pamstate = INITIAL_LOGIN; pam_retval = do_pam_authenticate( options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); - if (pam_retval == PAM_SUCCESS) { - debug("PAM Password authentication accepted for " - "user \"%.100s\"", pw->pw_name); + if (pam_retval == PAM_SUCCESS && pw) { + debug("PAM password authentication accepted for " + "%.100s", pw->pw_name); return 1; } else { - debug("PAM Password authentication for \"%.100s\" " - "failed[%d]: %s", pw->pw_name, pam_retval, + debug("PAM password authentication failed for " + "%.100s: %s", pw ? pw->pw_name : "an illegal user", PAM_STRERROR(__pamh, pam_retval)); return 0; } 
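Review bot: In the last auth_pam_password hunk, a PAM success for a request with no passwd entry now falls into the failure branch, which prints `PAM_STRERROR(__pamh, pam_retval)` for a `pam_retval` of `PAM_SUCCESS`, so the debug line gives a success string as the reason for the failure. Handling that case separately, for example by printing a fixed reason when `pw` is NULL, would keep the log readable. A short comment above the test would also help, since the reason `pw` is checked after the PAM call rather than before it is not stated: `/* PAM is always run; an unknown user is rejected only afterwards */`. The declaration of `pw` is outside the hunk, and I am assuming it is `authctxt->pw`.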
@@ -261,7 +261,7 @@ int do_pam_account(char *username, char *remote_user) break; #endif default: - logit("PAM rejected by account configuration[%d]: " + log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); return(0); diff --git a/auth-passwd.c b/auth-passwd.c index 9901d484..62ea3a52 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -93,6 +93,7 @@ int auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; + int ok = authctxt->valid; #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) char *encrypted_password; char *pw_password; @@ -115,19 +116,23 @@ auth_password(Authctxt *authctxt, const char *password) /* deny if no user. */ if (pw == NULL) - return 0; + ok = 0; #ifndef HAVE_CYGWIN - if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) - return 0; + if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) + ok = 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) - return 0; + ok = 0; #if defined(USE_PAM) - return auth_pam_password(authctxt, password); + return auth_pam_password(authctxt, password) && ok; #elif defined(HAVE_OSF_SIA) + if (!ok) + return 0; return auth_sia_password(authctxt, password); #else + if (!ok) + return 0; # ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); diff --git a/auth2-none.c b/auth2-none.c index c07b2dd8..692a2961 100644 --- a/auth2-none.c +++ b/auth2-none.c @@ -100,7 +100,7 @@ userauth_none(Authctxt *authctxt) if (check_nt_auth(1, authctxt->pw) == 0) return(0); #endif - return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0); + return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid; } Authmethod method_none = { diff --git a/auth2-passwd.c b/auth2-passwd.c index a8f15161..5026969f 100644 --- a/auth2-passwd.c +++ b/auth2-passwd.c 
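Review bot: The `if (!ok) return 0;` lines added to the HAVE_OSF_SIA and default branches of auth_password still return before any password check is made, so only the USE_PAM build runs the back end for every request. On the other builds a rejected user is answered without the verification work, so the response-time difference that this change appears to be removing stays in place there. If that is accepted for now, say so at the spot: `/* non-PAM back ends still return early for rejected users; only the PAM path always authenticates */`. The rest of the function is outside the hunk, so whether the crypt path could be run against a placeholder hash instead is not visible from here.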
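Review bot: The operand order in `return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;` is what makes the password check run for every request, and nothing in the code says so. The same holds for the reordered conditions in userauth_passwd (auth2-passwd.c) and mm_answer_authpassword (monitor.c). A later cleanup that puts the cheap `authctxt->valid` test first would silently restore the short-circuit, so I would add `/* call auth_password() first: && must not skip it for invalid users */` at each of the three sites. In this function the `check_nt_auth` early return visible in the context lines still comes before the call.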
@@ -44,14 +44,14 @@ userauth_passwd(Authctxt *authctxt) u_int len; change = packet_get_char(); if (change) - logit("password change not supported"); + log("password change not supported"); password = packet_get_string(&len); packet_check_eom(); - if (authctxt->valid && + if (PRIVSEP(auth_password(authctxt, password)) == 1 && authctxt->valid #ifdef HAVE_CYGWIN - check_nt_auth(1, authctxt->pw) && + && check_nt_auth(1, authctxt->pw) #endif - PRIVSEP(auth_password(authctxt, password)) == 1) + ) authenticated = 1; memset(password, 0, len); xfree(password); diff --git a/configure.ac b/configure.ac index 47fef0cb..e5a8d6f0 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $ +# $Id: configure.ac,v 1.113.2.1 2003/04/29 09:12:08 djm Exp $ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) 
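Review bot: The rewritten condition in userauth_passwd leaves a leading `&&` on the line inside `#ifdef HAVE_CYGWIN` and a lone `)` after `#endif`, which is easy to break in a later edit. Assigning the result first reads more plainly: `authenticated = PRIVSEP(auth_password(authctxt, password)) == 1 && authctxt->valid;`, followed inside the `#ifdef` by `if (authenticated && !check_nt_auth(1, authctxt->pw)) authenticated = 0;`. This keeps the evaluation order of the new code and assumes `authenticated` is initialised to 0, which happens outside the hunk.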
@@ -57,20 +57,24 @@ case "$host" in AFS_LIBS="-lld" CPPFLAGS="$CPPFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS -L/usr/local/lib" - if (test "$LD" != "gcc" && test -z "$blibpath"); then - AC_MSG_CHECKING([if linkage editor ($LD) accepts -blibpath]) - saved_LDFLAGS="$LDFLAGS" - LDFLAGS="$LDFLAGS -blibpath:/usr/lib:/lib:/usr/local/lib" - AC_TRY_LINK([], - [], - [ - AC_MSG_RESULT(yes) - blibpath="/usr/lib:/lib:/usr/local/lib" - ], - [ AC_MSG_RESULT(no) ] - ) - LDFLAGS="$saved_LDFLAGS" + AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) + if (test -z "$blibpath"); then + blibpath="/usr/lib:/lib:/usr/local/lib" + fi + saved_LDFLAGS="$LDFLAGS" + for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do + if (test -z "$blibflags"); then + LDFLAGS="$saved_LDFLAGS $tryflags$blibpath" + AC_TRY_LINK([], [], [blibflags=$tryflags]) + fi + done + if (test -z "$blibflags"); then + AC_MSG_RESULT(not found) + AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log]) + else + AC_MSG_RESULT($blibflags) fi + LDFLAGS="$saved_LDFLAGS" AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)], [AC_CHECK_LIB(s,authenticate, [ AC_DEFINE(WITH_AIXAUTHENTICATE) @@ -618,6 +622,7 @@ AC_CHECK_FUNCS(\ ) AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP)) +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) dnl Make sure strsep prototype is defined before defining HAVE_STRSEP AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)]) @@ -2473,8 +2478,8 @@ fi if test ! -z "$blibpath" ; then - LDFLAGS="$LDFLAGS -blibpath:$blibpath" - AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile]) + LDFLAGS="$LDFLAGS $blibflags$blibpath" + AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile]) fi dnl remove pam and dl because they are in $LIBPAM diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec index 142d30d8..f7fbe15e 100644 --- a/contrib/caldera/openssh.spec +++ b/contrib/caldera/openssh.spec 
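Review bot: In the blibpath hunk, `blibflags` is never reset before the `for tryflags` loop, so a value already present in the environment makes every `test -z "$blibflags"` false, skips all link tests and is then used unchecked. Setting `blibflags=""` just before `saved_LDFLAGS="$LDFLAGS"` would close that, unless an override from the environment is intended, in which case it should be documented. The last hunk of this file has a related gap: it is still guarded by `test ! -z "$blibpath"` alone, so if `blibpath` is set on a host that never ran this case branch, `LDFLAGS` gets the bare path with no flag in front of it. Testing `blibflags` in that guard as well would avoid it.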
@@ -17,7 +17,7 @@ #old cvs stuff. please update before use. may be deprecated. %define use_stable 1 %if %{use_stable} - %define version 3.6.1p1 + %define version 3.6.1p2 %define cvs %{nil} %define release 2 %else @@ -364,4 +364,4 @@ fi * Mon Jan 01 1998 ... Template Version: 1.31 -$Id: openssh.spec,v 1.42 2003/04/01 11:46:53 djm Exp $ +$Id: openssh.spec,v 1.42.2.1 2003/04/29 09:12:08 djm Exp $ diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec index 11d86a83..e7c3bb12 100644 --- a/contrib/redhat/openssh.spec +++ b/contrib/redhat/openssh.spec @@ -1,5 +1,5 @@ -%define ver 3.6.1p1 -%define rel 2 +%define ver 3.6.1p2 +%define rel 1 # OpenSSH privilege separation requires a user & group ID %define sshd_uid 74 @@ -87,7 +87,7 @@ PreReq: initscripts >= 5.00 %else PreReq: initscripts >= 5.20 %endif -BuildPreReq: perl, openssl-devel, tcp_wrappers +BuildPreReq: perl, openssl-devel, sharutils, tcp_wrappers BuildPreReq: /bin/login %if ! %{build6x} BuildPreReq: glibc-devel, pam diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec index 194dbb7d..707c3a22 100644 --- a/contrib/suse/openssh.spec +++ b/contrib/suse/openssh.spec @@ -1,6 +1,6 @@ Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation Name: openssh -Version: 3.6.1p1 +Version: 3.6.1p2 URL: http://www.openssh.com/ Release: 1 Source0: openssh-%{version}.tar.gz diff --git a/monitor.c b/monitor.c index 46db0e9b..bce9e684 100644 --- a/monitor.c +++ b/monitor.c @@ -25,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: monitor.c,v 1.37 2003/04/02 09:48:07 markus Exp $"); +RCSID("$OpenBSD: monitor.c,v 1.36 2003/04/01 10:22:21 markus Exp $"); #include 
@@ -606,7 +606,7 @@ mm_answer_authpassword(int socket, Buffer *m) passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ authenticated = options.password_authentication && - authctxt->valid && auth_password(authctxt, passwd); + auth_password(authctxt, passwd) && authctxt->valid; memset(passwd, 0, strlen(passwd)); xfree(passwd); @@ -870,7 +870,7 @@ monitor_valid_userblob(u_char *data, u_int datalen) fail++; p = buffer_get_string(&b, NULL); if (strcmp(authctxt->user, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", + log("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); fail++; } @@ -918,7 +918,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser, fail++; p = buffer_get_string(&b, NULL); if (strcmp(authctxt->user, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", + log("wrong user name passed to monitor: expected %s != %.100s", authctxt->user, p); fail++; } @@ -1497,8 +1497,6 @@ mm_get_keystate(struct monitor *pmonitor) Buffer m; u_char *blob, *p; u_int bloblen, plen; - u_int32_t seqnr, packets; - u_int64_t blocks; debug3("%s: Waiting for new keys", __func__); @@ -1528,14 +1526,8 @@ mm_get_keystate(struct monitor *pmonitor) xfree(blob); /* Now get sequence numbers for the packets */ - seqnr = buffer_get_int(&m); - blocks = buffer_get_int64(&m); - packets = buffer_get_int(&m); - packet_set_state(MODE_OUT, seqnr, blocks, packets); - seqnr = buffer_get_int(&m); - blocks = buffer_get_int64(&m); - packets = buffer_get_int(&m); - packet_set_state(MODE_IN, seqnr, blocks, packets); + packet_set_seqnr(MODE_OUT, buffer_get_int(&m)); + packet_set_seqnr(MODE_IN, buffer_get_int(&m)); skip: /* Get the key context */ diff --git a/version.h b/version.h index 75a2b255..3b2a35d9 100644 --- a/version.h +++ b/version.h 
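Review bot: The context comment `/* Only authenticate if the context is valid */` in mm_answer_authpassword no longer matches the code, because `auth_password(authctxt, passwd)` is now evaluated before `authctxt->valid`. It should read something like `/* Always call auth_password(); the result counts only if the context is valid */`. `options.password_authentication` is still the first operand, so the call is skipped when password authentication is disabled. That looks deliberate, but the comment should say so.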
@@ -1,3 +1,3 @@ /* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */ -#define SSH_VERSION "OpenSSH_3.6.1p1" +#define SSH_VERSION "OpenSSH_3.6.1p2" -- cgit v1.2.3