diff options
author | Dima Ruban <dima@FreeBSD.org> | 1998-06-12 07:55:14 +0000 |
---|---|---|
committer | Dima Ruban <dima@FreeBSD.org> | 1998-06-12 07:55:14 +0000 |
commit | 64e630d83b270be14e7925de47e1c6983b6d8028 (patch) | |
tree | 1423c8c8b67a2d4659015c4c3b52bceccc4b930b /security | |
parent | 6c276731a82cbcab7a3b3dbb09862c0fb7ba8b97 (diff) | |
download | ports-64e630d83b270be14e7925de47e1c6983b6d8028.tar.gz ports-64e630d83b270be14e7925de47e1c6983b6d8028.zip |
1.2.22 -> 1.2.25
Somebody needs to go through patch-af to check it, since I'm not sure
about some of the stuff.
This version fixes a security flaw in previous version.
Notes
Notes:
svn path=/head/; revision=11400
Diffstat (limited to 'security')
-rw-r--r-- | security/ssh/Makefile | 30 | ||||
-rw-r--r-- | security/ssh/distinfo | 2 | ||||
-rw-r--r-- | security/ssh/files/patch-ac | 62 | ||||
-rw-r--r-- | security/ssh/files/patch-af | 502 | ||||
-rw-r--r-- | security/ssh/pkg-plist | 16 | ||||
-rw-r--r-- | security/ssh2/Makefile | 30 | ||||
-rw-r--r-- | security/ssh2/distinfo | 2 | ||||
-rw-r--r-- | security/ssh2/files/patch-ac | 62 | ||||
-rw-r--r-- | security/ssh2/files/patch-af | 502 | ||||
-rw-r--r-- | security/ssh2/pkg-plist | 16 |
10 files changed, 352 insertions, 872 deletions
diff --git a/security/ssh/Makefile b/security/ssh/Makefile index a0944bedf576..0376792c88d3 100644 --- a/security/ssh/Makefile +++ b/security/ssh/Makefile @@ -1,15 +1,15 @@ # New ports collection makefile for: ssh -# Version required: 1.2.22 +# Version required: 1.2.25 # Date created: 30 Jul 1995 # Whom: torstenb@FreeBSD.ORG # -# $Id: Makefile,v 1.53 1998/05/22 06:05:43 mph Exp $ +# $Id: Makefile,v 1.54 1998/05/23 08:53:38 obrien Exp $ # # Maximal ssh package requires YES values for # USE_PERL, USE_TCPWRAP # -DISTNAME= ssh-1.2.22 +DISTNAME= ssh-1.2.25 CATEGORIES= security net MASTER_SITES= ftp://ftp.funet.fi/pub/unix/security/login/ssh/ @@ -32,10 +32,11 @@ MASTER_SITES= \ # Download by hand from http://www.cryptography.org/cgi-bin/crypto.cgi/ssh/ # and put in distfiles directory. # -.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES -PATCHFILES=ssh-1.2.22-patchkit -PATCH_DIST_STRIP=-p1 -.endif +# Disabled for now, since there's not such a patchkit for 1.2.25 version. +#.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES +#PATCHFILES=ssh-1.2.22-patchkit +#PATCH_DIST_STRIP=-p1 +#.endif RESTRICTED= "Crypto; export-controlled" IS_INTERACTIVE= YES @@ -70,9 +71,9 @@ CONFIGURE_ARGS+= --with-secureid CONFIGURE_ARGS+= --without-idea .endif -MAN1= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 \ - make-ssh-known-hosts.1 -MAN8= sshd.8 +MAN1= scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \ + make-ssh-known-hosts1.1 +MAN8= sshd1.8 pre-patch: @@ -103,8 +104,17 @@ post-install: ${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""; \ fi .if !defined(NOMANCOMPRESS) + for file in make-ssh-known-hosts scp ssh-add ssh-agent \ + ssh-keygen ssh; do \ + rm -f ${PREFIX}/man/man1/$${file}.1; \ + ln -sf $${file}1.1.gz ${PREFIX}/man/man1/$${file}.1.gz; \ + done rm -f ${PREFIX}/man/man1/slogin.1 + rm -f ${PREFIX}/man/man1/slogin1.1 + rm -f ${PREFIX}/man/man8/sshd.8 ln -sf ssh.1.gz ${PREFIX}/man/man1/slogin.1.gz + ln -sf ssh1.1.gz ${PREFIX}/man/man1/slogin1.1.gz + ln -sf sshd1.8.gz ${PREFIX}/man/man8/sshd.8.gz .endif @if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \ echo "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \ diff --git a/security/ssh/distinfo b/security/ssh/distinfo index c7ab762b4ddf..7ccf3ba2900e 100644 --- a/security/ssh/distinfo +++ b/security/ssh/distinfo @@ -1,3 +1,3 @@ -MD5 (ssh-1.2.22.tar.gz) = 011f2b6d1935c59be0dae299db4ed7fa +MD5 (ssh-1.2.25.tar.gz) = f16c579f8d60d2f0eaabd3c30e46ca2c MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d MD5 (ssh-1.2.22-patchkit) = 5228897d59be91ad3ae88e992d61cd50 diff --git a/security/ssh/files/patch-ac b/security/ssh/files/patch-ac index 9c56f8aded01..884c43b96929 100644 --- a/security/ssh/files/patch-ac +++ b/security/ssh/files/patch-ac @@ -1,7 +1,7 @@ -*** Makefile.in.orig Tue Sep 16 01:59:13 1997 ---- Makefile.in Tue Sep 16 02:06:08 1997 +*** Makefile.in.orig Thu Jun 11 07:01:13 1998 +--- Makefile.in Thu Jun 11 20:48:59 1998 *************** -*** 259,270 **** +*** 287,298 **** SHELL = /bin/sh GMPDIR = gmp-2.0.2-ssh-2 @@ -14,7 +14,7 @@ RSAREFDIR = rsaref2 RSAREFSRCDIR = $(RSAREFDIR)/source ---- 259,275 ---- +--- 287,303 ---- SHELL = /bin/sh GMPDIR = gmp-2.0.2-ssh-2 @@ -33,7 +33,7 @@ RSAREFDIR = rsaref2 RSAREFSRCDIR = $(RSAREFDIR)/source *************** -*** 368,374 **** +*** 397,403 **** $(CC) -o rfc-pg rfc-pg.o .c.o: @@ -41,7 +41,7 @@ sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP) -rm -f sshd ---- 373,379 ---- +--- 402,408 ---- $(CC) -o rfc-pg rfc-pg.o .c.o: @@ -50,7 +50,7 @@ sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP) -rm -f sshd *************** -*** 411,429 **** +*** 440,458 **** sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts chmod +x make-ssh-known-hosts @@ -70,7 +70,7 @@ $(RSAREFSRCDIR)/librsaref.a: -if test '!' -d $(RSAREFDIR); then \ ---- 416,434 ---- +--- 445,463 ---- sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts chmod +x make-ssh-known-hosts @@ -91,24 +91,24 @@ $(RSAREFSRCDIR)/librsaref.a: -if test '!' -d $(RSAREFDIR); then \ *************** -*** 480,486 **** +*** 509,515 **** # (otherwise it can only log in as the user it runs as, and must be # bound to a non-privileged port). Also, password authentication may # not be available if non-root and using shadow passwords. ! install: $(PROGRAMS) make-dirs generate-host-key install-configs - -rm -f $(install_prefix)$(bindir)/ssh.old - -mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old - -chmod 755 $(install_prefix)$(bindir)/ssh.old ---- 485,491 ---- + -rm -f $(install_prefix)$(bindir)/ssh1.old + -mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old + -chmod 755 $(install_prefix)$(bindir)/ssh1.old +--- 514,520 ---- # (otherwise it can only log in as the user it runs as, and must be # bound to a non-privileged port). Also, password authentication may # not be available if non-root and using shadow passwords. ! install: $(PROGRAMS) make-dirs install-configs - -rm -f $(install_prefix)$(bindir)/ssh.old - -mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old - -chmod 755 $(install_prefix)$(bindir)/ssh.old + -rm -f $(install_prefix)$(bindir)/ssh1.old + -mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old + -chmod 755 $(install_prefix)$(bindir)/ssh1.old *************** -*** 589,603 **** +*** 665,679 **** clean: -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg @@ -122,9 +122,9 @@ ! cd $(GMPDIR); $(MAKE) distclean ! cd $(ZLIBDIR); $(MAKE) distclean - dist: dist-free + dist: dist-commercial ---- 594,608 ---- +--- 670,684 ---- clean: -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg @@ -138,12 +138,12 @@ ! # cd $(GMPDIR); $(MAKE) distclean ! # cd $(ZLIBDIR); $(MAKE) distclean - dist: dist-free + dist: dist-commercial *************** -*** 628,639 **** - # - #endif F_SECURE_COMMERCIAL +*** 702,713 **** + -mkdir $(DISTNAME) + cp $(DISTFILES) $(DISTNAME) for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done ! (cd $(GMPDIR); make dist) ! gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) @@ -152,11 +152,11 @@ ! (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) ! cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS - dist-free-make-tar: - tar pcf $(DISTNAME).tar $(DISTNAME) ---- 633,644 ---- + #ifdef F_SECURE_COMMERCIAL # - #endif F_SECURE_COMMERCIAL +--- 707,718 ---- + -mkdir $(DISTNAME) + cp $(DISTFILES) $(DISTNAME) for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done ! # (cd $(GMPDIR); make dist) ! # gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) @@ -165,10 +165,10 @@ ! # (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) ! # cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS - dist-free-make-tar: - tar pcf $(DISTNAME).tar $(DISTNAME) + #ifdef F_SECURE_COMMERCIAL + # *************** -*** 656,662 **** +*** 735,741 **** (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null depend: @@ -176,7 +176,7 @@ tags: -rm -f TAGS ---- 661,667 ---- +--- 740,746 ---- (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null depend: diff --git a/security/ssh/files/patch-af b/security/ssh/files/patch-af index 0dfba6e1e2f0..f0cea2252274 100644 --- a/security/ssh/files/patch-af +++ b/security/ssh/files/patch-af @@ -1,394 +1,108 @@ ---- sshd.c.orig Tue Jan 20 15:24:10 1998 -+++ sshd.c Thu Jan 22 16:29:19 1998 -@@ -428,6 +428,10 @@ - #include "firewall.h" /* TIS authsrv authentication */ - #endif - -+#ifdef HAVE_LOGIN_CAP_H -+#include <login_cap.h> -+#endif -+ - #ifdef _PATH_BSHELL - #define DEFAULT_SHELL _PATH_BSHELL - #else -@@ -1594,6 +1598,38 @@ - endspent(); - } - #endif /* HAVE_ETC_SHADOW */ -+#ifdef __FreeBSD__ -+ { -+ time_t currtime; -+ -+ if (pwd->pw_change || pwd->pw_expire) -+ currtime = time(NULL); -+ -+ /* -+ * Check for an expired password -+ */ -+ if (pwd->pw_change && pwd->pw_change <= currtime) -+ { -+ debug("Account %.100s's password is too old - forced to change.", -+ user); -+ if (options.forced_passwd_change) -+ forced_command = "/usr/bin/passwd"; -+ else -+ { -+ return 0; -+ } -+ } -+ -+ /* -+ * Check for expired account -+ */ -+ if (pwd->pw_expire && pwd->pw_expire <= currtime) -+ { -+ debug("Account %.100s has expired - access denied.", user); -+ return 0; -+ } -+ } -+#else /* !FreeBSD */ - /* - * Check if account is locked. Check if encrypted password starts - * with "*LK*". -@@ -1605,6 +1641,7 @@ - return 0; - } - } -+#endif /* !FreeBSD */ - #ifdef CHECK_ETC_SHELLS - { - int invalid = 1; -@@ -1819,8 +1856,10 @@ - pwcopy.pw_passwd = xstrdup(pw->pw_passwd); - pwcopy.pw_uid = pw->pw_uid; - pwcopy.pw_gid = pw->pw_gid; --#if defined (__bsdi__) && _BSDI_VERSION >= 199510 -+#if defined (HAVE_LOGIN_CAP_H) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - pwcopy.pw_class = xstrdup(pw->pw_class); -+#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ -+#if defined (__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - pwcopy.pw_change = pw->pw_change; - pwcopy.pw_expire = pw->pw_expire; - #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ -@@ -2793,9 +2832,13 @@ - struct sockaddr_in from; - int fromlen; - struct pty_cleanup_context cleanup_context; --#if defined (__bsdi__) && _BSDI_VERSION >= 199510 -+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - struct timeval tp; - #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ -+#ifdef HAVE_LOGIN_CAP_H -+ login_cap_t *lc; -+ time_t warnpassword, warnexpire; -+#endif - - /* We no longer need the child running on user's privileges. */ - userfile_uninit(); -@@ -2867,10 +2910,18 @@ - record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, - &from); - -+#ifdef HAVE_LOGIN_CAP_H -+ lc = login_getclass(pw->pw_class); -+ quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); -+ if (!quiet_login) { -+#endif - /* Check if .hushlogin exists. Note that we cannot use userfile - here because we are in the child. */ - sprintf(line, "%.200s/.hushlogin", pw->pw_dir); - quiet_login = stat(line, &st) >= 0; -+#ifdef HAVE_LOGIN_CAP_H -+ } -+#endif - - /* If the user has logged in before, display the time of last login. - However, don't display anything extra if a command has been -@@ -2890,6 +2941,38 @@ - else - printf("Last login: %s from %s\r\n", time_string, buf); - } -+#ifdef __FreeBSD__ -+ if (command == NULL && !quiet_login) -+ { -+#ifdef HAVE_LOGIN_CAP_H -+ char *cw; -+ FILE *f; -+ -+ cw = login_getcapstr(lc, "copyright", NULL, NULL); -+ if (cw != NULL && (f = fopen(cw, "r")) != NULL) -+ { -+ while (fgets(line, sizeof(line), f)) -+ fputs(line, stdout); -+ fclose(f); -+ } -+ else -+#endif -+ printf("%s\n\t%s %s\n\n", -+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", -+ "The Regents of the University of California. ", -+ "All rights reserved."); -+ } -+#endif -+ -+#ifdef HAVE_LOGIN_CAP_H -+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ -+ -+ warnpassword = login_getcaptime(lc, "warnpassword", -+ DEFAULT_WARN, DEFAULT_WARN); -+ warnexpire = login_getcaptime(lc, "warnexpire", -+ DEFAULT_WARN, DEFAULT_WARN); -+ login_close(lc); -+#endif - - /* Print /etc/motd unless a command was specified or printing it was - disabled in server options. Note that some machines appear to -@@ -2900,14 +2983,18 @@ - FILE *f; - - /* Print /etc/motd if it exists. */ -- f = fopen("/etc/motd", "r"); -+#ifdef HAVE_LOGIN_CAP_H -+ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r"); -+#else -+ f = fopen("/etc/motd", "r"); -+#endif - if (f) - { - while (fgets(line, sizeof(line), f)) - fputs(line, stdout); - fclose(f); - } --#if defined (__bsdi__) && _BSDI_VERSION >= 199510 -+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - if (pw->pw_change || pw->pw_expire) - (void)gettimeofday(&tp, (struct timezone *)NULL); - if (pw->pw_change) -@@ -2915,7 +3002,11 @@ - fprintf(stderr,"Sorry -- your password has expired.\n"); - exit(254); - } else if (pw->pw_change - tp.tv_sec < -+#ifdef HAVE_LOGIN_CAP_H -+ warnpassword) -+#else - 2 * DAYSPERWEEK * SECSPERDAY) -+#endif - fprintf(stderr,"Warning: your password expires on %s", - ctime(&pw->pw_change)); - if (pw->pw_expire) -@@ -2923,7 +3014,11 @@ - fprintf(stderr,"Sorry -- your account has expired.\n"); - exit(254); - } else if (pw->pw_expire - tp.tv_sec < -+#ifdef HAVE_LOGIN_CAP_H -+ warnexpire) -+#else - 2 * DAYSPERWEEK * SECSPERDAY) -+#endif - fprintf(stderr,"Warning: your account expires on %s", - ctime(&pw->pw_expire)); - #endif /* __bsdi__ & _BSDI_VERSION >= 199510 */ -@@ -3182,6 +3277,13 @@ - #if defined (__bsdi__) && _BSDI_VERSION >= 199510 - login_cap_t *lc = 0; - #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ -+#ifdef HAVE_LOGIN_CAP_H -+ login_cap_t *lc; -+ char *real_shell; -+ -+ lc = login_getclass(pw->pw_class); -+ auth_checknologin(lc); -+#else /* !HAVE_LOGIN_CAP_H */ - - /* Check /etc/nologin. */ - f = fopen("/etc/nologin", "r"); -@@ -3199,10 +3301,16 @@ - if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0)) - exit(254); - #else -+#ifdef HAVE_LOGIN_CAP_H -+ if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0)) -+ exit(254); -+#else - if (pw->pw_uid != UID_ROOT) - exit(254); -+#endif - #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ - } -+#endif /* HAVE_LOGIN_CAP_H */ - - if (command != NULL) - { -@@ -3216,6 +3324,7 @@ - log_msg("executing remote command as user %.200s", pw->pw_name); - } - -+#ifndef HAVE_LOGIN_CAP_H - #ifdef HAVE_SETLOGIN - /* Set login name in the kernel. Warning: setsid() must be called before - this. */ -@@ -3236,6 +3345,7 @@ - if (setpcred((char *)pw->pw_name, NULL)) - log_msg("setpcred %.100s: %.100s", strerror(errno)); - #endif /* HAVE_USERSEC_H */ -+#endif /* !HAVE_LOGIN_CAP_H */ - - /* Save some data that will be needed so that we can do certain cleanups - before we switch to user's uid. (We must clear all sensitive data -@@ -3306,6 +3416,66 @@ - if (command != NULL || !options.use_login) - #endif /* USELOGIN */ - { -+#ifdef HAVE_LOGIN_CAP_H -+ char *p, *s, **tmpenv; -+ -+ /* Initialize the new environment. -+ */ -+ envsize = 64; -+ env = xmalloc(envsize * sizeof(char *)); -+ env[0] = NULL; -+ -+ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH); -+ -+#ifdef MAIL_SPOOL_DIRECTORY -+ sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name); -+ child_set_env(&env, &envsize, "MAIL", buf); -+#else /* MAIL_SPOOL_DIRECTORY */ -+#ifdef MAIL_SPOOL_FILE -+ sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE); -+ child_set_env(&env, &envsize, "MAIL", buf); -+#endif /* MAIL_SPOOL_FILE */ -+#endif /* MAIL_SPOOL_DIRECTORY */ -+ -+ /* Let it inherit timezone if we have one. */ -+ if (getenv("TZ")) -+ child_set_env(&env, &envsize, "TZ", getenv("TZ")); -+ -+ /* Save previous environment array -+ */ -+ tmpenv = environ; -+ environ = env; -+ -+ /* Set the user's login environment -+ */ -+ if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0) -+ { -+ perror("setusercontext"); -+ exit(1); -+ } -+ -+ p = getenv("PATH"); -+ s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR)); -+ *s = '\0'; -+ if (p != NULL) -+ { -+ strcat(s, p); -+ strcat(s, ":"); -+ } -+ strcat(s, SSH_BINDIR); -+ -+ env = environ; -+ environ = tmpenv; /* Restore parent environment */ -+ for (envsize = 0; env[envsize] != NULL; ++envsize) -+ ; -+ /* Reallocate this to what is expected */ -+ envsize = (envsize < 100) ? 100 : envsize + 16; -+ env = xrealloc(env, envsize * sizeof(char *)); -+ -+ child_set_env(&env, &envsize, "PATH", s); -+ xfree(s); -+ -+#else /* !HAVE_LOGIN_CAP_H */ - /* Set uid, gid, and groups. */ - if (getuid() == UID_ROOT || geteuid() == UID_ROOT) - { -@@ -3337,6 +3507,7 @@ - - if (getuid() != user_uid || geteuid() != user_uid) - fatal("Failed to set uids to %d.", (int)user_uid); -+#endif /* HAVE_LOGIN_CAP_H */ - } - - /* Reset signals to their default settings before starting the user -@@ -3364,11 +3535,16 @@ - and means /bin/sh. */ - shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell; - -+#ifdef HAVE_LOGIN_CAP_H -+ real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell); -+ login_close(lc); -+#else /* !HAVE_LOGIN_CAP_H */ - /* Initialize the environment. In the first part we allocate space for - all environment variables. */ - envsize = 100; - env = xmalloc(envsize * sizeof(char *)); - env[0] = NULL; -+#endif /* HAVE_LOGIN_CAP_H */ - - #ifdef USELOGIN - if (command != NULL || !options.use_login) -@@ -3378,6 +3554,8 @@ - child_set_env(&env, &envsize, "HOME", user_dir); - child_set_env(&env, &envsize, "USER", user_name); - child_set_env(&env, &envsize, "LOGNAME", user_name); -+ -+#ifndef HAVE_LOGIN_CAP_H - child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR); - - #ifdef MAIL_SPOOL_DIRECTORY -@@ -3389,6 +3567,7 @@ - child_set_env(&env, &envsize, "MAIL", buf); - #endif /* MAIL_SPOOL_FILE */ - #endif /* MAIL_SPOOL_DIRECTORY */ -+#endif /* !HAVE_LOGIN_CAP_H */ - - #ifdef HAVE_ETC_DEFAULT_LOGIN - /* Read /etc/default/login; this exists at least on Solaris 2.x. Note -@@ -3404,9 +3583,11 @@ - child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", - original_command); - -+#ifndef HAVE_LOGIN_CAP_H - /* Let it inherit timezone if we have one. */ - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); -+#endif /* !HAVE_LOGIN_CAP_H */ - - /* Set custom environment options from RSA authentication. */ - while (custom_environment) -@@ -3632,7 +3813,11 @@ - struct stat mailbuf; - - if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0) -+#ifdef __FreeBSD__ -+ ; -+#else - printf("No mail.\n"); -+#endif - else if (mailbuf.st_atime > mailbuf.st_mtime) - printf("You have mail.\n"); - else -@@ -3647,7 +3832,11 @@ - /* Execute the shell. */ - argv[0] = buf; - argv[1] = NULL; -+#ifdef HAVE_LOGIN_CAP_H -+ execve(real_shell, argv, env); -+#else - execve(shell, argv, env); -+#endif /* HAVE_LOGIN_CAP_H */ - /* Executing the shell failed. */ - perror(shell); - exit(1); -@@ -3668,7 +3857,11 @@ - argv[1] = "-c"; - argv[2] = (char *)command; - argv[3] = NULL; -+#ifdef HAVE_LOGIN_CAP_H -+ execve(real_shell, argv, env); -+#else - execve(shell, argv, env); -+#endif /* HAVE_LOGIN_CAP_H */ - perror(shell); - exit(1); - } +*** sshd.c.WAS Thu Jun 11 23:11:47 1998 +--- sshd.c Thu Jun 11 23:30:30 1998 +*************** +*** 2014,2020 **** + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_change = pw->pw_change; + pwcopy.pw_expire = pw->pw_expire; +! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; +--- 2014,2020 ---- + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_change = pw->pw_change; + pwcopy.pw_expire = pw->pw_expire; +! #endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */ + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; +*************** +*** 3045,3054 **** + struct pty_cleanup_context cleanup_context; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + #endif +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + struct timeval tp; +! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ + + #ifdef HAVE_OSF1_C2_SECURITY + { +--- 3045,3055 ---- + struct pty_cleanup_context cleanup_context; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; ++ time_t warnpassword, warnexpire; + #endif +! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) + struct timeval tp; +! #endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */ + + #ifdef HAVE_OSF1_C2_SECURITY + { +*************** +*** 3183,3188 **** +--- 3184,3197 ---- + "The Regents of the University of California. ", + "All rights reserved."); + } ++ #ifdef HAVE_LOGIN_CAP_H ++ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ ++ ++ warnpassword = login_getcaptime(lc, "warnpassword", ++ DEFAULT_WARN, DEFAULT_WARN); ++ warnexpire = login_getcaptime(lc, "warnexpire", ++ DEFAULT_WARN, DEFAULT_WARN); ++ #endif + #endif + + /* Print /etc/motd unless a command was specified or printing it was +*************** +*** 3206,3212 **** + fputs(line, stdout); + fclose(f); + } +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tp, (struct timezone *)NULL); + if (pw->pw_change) +--- 3215,3221 ---- + fputs(line, stdout); + fclose(f); + } +! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510) + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tp, (struct timezone *)NULL); + if (pw->pw_change) +*************** +*** 3575,3581 **** + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + if (pw->pw_uid != UID_ROOT && + !login_getcapbool(lc, "ignorenologin", 0)) + exit(254); +--- 3584,3590 ---- + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); +! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) + if (pw->pw_uid != UID_ROOT && + !login_getcapbool(lc, "ignorenologin", 0)) + exit(254); +*************** +*** 4121,4127 **** +--- 4130,4140 ---- + struct stat mailbuf; + + if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0) ++ #ifdef __FreeBSD__ ++ ; ++ #else + printf("No mail.\n"); ++ #endif + else if (mailbuf.st_atime > mailbuf.st_mtime) + printf("You have mail.\n"); + else diff --git a/security/ssh/pkg-plist b/security/ssh/pkg-plist index c632301bd8c8..ff4c33783eb0 100644 --- a/security/ssh/pkg-plist +++ b/security/ssh/pkg-plist @@ -1,23 +1,39 @@ etc/rc.d/sshd.sh bin/scp +bin/scp1 bin/ssh +bin/ssh1 @exec ln -fs %f %B/slogin @unexec rm -f %B/slogin bin/ssh-add +bin/ssh-add1 bin/ssh-agent +bin/ssh-agent1 bin/ssh-askpass +bin/ssh-askpass1 bin/ssh-keygen +bin/ssh-keygen1 bin/make-ssh-known-hosts +bin/make-ssh-known-hosts1 etc/ssh_config etc/sshd_config man/man1/make-ssh-known-hosts.1.gz +man/man1/make-ssh-known-hosts1.1.gz man/man1/scp.1.gz +man/man1/scp1.1.gz man/man1/ssh-add.1.gz +man/man1/ssh-add1.1.gz man/man1/ssh-agent.1.gz +man/man1/ssh-agent1.1.gz man/man1/ssh-keygen.1.gz +man/man1/ssh-keygen1.1.gz man/man1/ssh.1.gz +man/man1/ssh1.1.gz @exec ln -fs %f %B/slogin.1.gz @unexec rm -f %B/slogin.1.gz +@unexec rm -f %B/slogin1.1.gz man/man8/sshd.8.gz +man/man8/sshd1.8.gz sbin/sshd +sbin/sshd1 @exec if [ ! -f %D/etc/ssh_host_key ]; then echo "Generating a secret host key.." ; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi diff --git a/security/ssh2/Makefile b/security/ssh2/Makefile index a0944bedf576..0376792c88d3 100644 --- a/security/ssh2/Makefile +++ b/security/ssh2/Makefile @@ -1,15 +1,15 @@ # New ports collection makefile for: ssh -# Version required: 1.2.22 +# Version required: 1.2.25 # Date created: 30 Jul 1995 # Whom: torstenb@FreeBSD.ORG # -# $Id: Makefile,v 1.53 1998/05/22 06:05:43 mph Exp $ +# $Id: Makefile,v 1.54 1998/05/23 08:53:38 obrien Exp $ # # Maximal ssh package requires YES values for # USE_PERL, USE_TCPWRAP # -DISTNAME= ssh-1.2.22 +DISTNAME= ssh-1.2.25 CATEGORIES= security net MASTER_SITES= ftp://ftp.funet.fi/pub/unix/security/login/ssh/ @@ -32,10 +32,11 @@ MASTER_SITES= \ # Download by hand from http://www.cryptography.org/cgi-bin/crypto.cgi/ssh/ # and put in distfiles directory. # -.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES -PATCHFILES=ssh-1.2.22-patchkit -PATCH_DIST_STRIP=-p1 -.endif +# Disabled for now, since there's not such a patchkit for 1.2.25 version. +#.if defined(FAST_DES_PATCHKIT) && ${FAST_DES_PATCHKIT} == YES +#PATCHFILES=ssh-1.2.22-patchkit +#PATCH_DIST_STRIP=-p1 +#.endif RESTRICTED= "Crypto; export-controlled" IS_INTERACTIVE= YES @@ -70,9 +71,9 @@ CONFIGURE_ARGS+= --with-secureid CONFIGURE_ARGS+= --without-idea .endif -MAN1= scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 \ - make-ssh-known-hosts.1 -MAN8= sshd.8 +MAN1= scp1.1 ssh-add1.1 ssh-agent1.1 ssh-keygen1.1 ssh1.1 \ + make-ssh-known-hosts1.1 +MAN8= sshd1.8 pre-patch: @@ -103,8 +104,17 @@ post-install: ${PREFIX}/bin/ssh-keygen -f ${PREFIX}/etc/ssh_host_key -N ""; \ fi .if !defined(NOMANCOMPRESS) + for file in make-ssh-known-hosts scp ssh-add ssh-agent \ + ssh-keygen ssh; do \ + rm -f ${PREFIX}/man/man1/$${file}.1; \ + ln -sf $${file}1.1.gz ${PREFIX}/man/man1/$${file}.1.gz; \ + done rm -f ${PREFIX}/man/man1/slogin.1 + rm -f ${PREFIX}/man/man1/slogin1.1 + rm -f ${PREFIX}/man/man8/sshd.8 ln -sf ssh.1.gz ${PREFIX}/man/man1/slogin.1.gz + ln -sf ssh1.1.gz ${PREFIX}/man/man1/slogin1.1.gz + ln -sf sshd1.8.gz ${PREFIX}/man/man8/sshd.8.gz .endif @if [ ! -f ${PREFIX}/etc/rc.d/sshd.sh ]; then \ echo "Installing ${PREFIX}/etc/rc.d/sshd.sh startup file."; \ diff --git a/security/ssh2/distinfo b/security/ssh2/distinfo index c7ab762b4ddf..7ccf3ba2900e 100644 --- a/security/ssh2/distinfo +++ b/security/ssh2/distinfo @@ -1,3 +1,3 @@ -MD5 (ssh-1.2.22.tar.gz) = 011f2b6d1935c59be0dae299db4ed7fa +MD5 (ssh-1.2.25.tar.gz) = f16c579f8d60d2f0eaabd3c30e46ca2c MD5 (rsaref2.tar.gz) = 0b474c97bf1f1c0d27e5a95f1239c08d MD5 (ssh-1.2.22-patchkit) = 5228897d59be91ad3ae88e992d61cd50 diff --git a/security/ssh2/files/patch-ac b/security/ssh2/files/patch-ac index 9c56f8aded01..884c43b96929 100644 --- a/security/ssh2/files/patch-ac +++ b/security/ssh2/files/patch-ac @@ -1,7 +1,7 @@ -*** Makefile.in.orig Tue Sep 16 01:59:13 1997 ---- Makefile.in Tue Sep 16 02:06:08 1997 +*** Makefile.in.orig Thu Jun 11 07:01:13 1998 +--- Makefile.in Thu Jun 11 20:48:59 1998 *************** -*** 259,270 **** +*** 287,298 **** SHELL = /bin/sh GMPDIR = gmp-2.0.2-ssh-2 @@ -14,7 +14,7 @@ RSAREFDIR = rsaref2 RSAREFSRCDIR = $(RSAREFDIR)/source ---- 259,275 ---- +--- 287,303 ---- SHELL = /bin/sh GMPDIR = gmp-2.0.2-ssh-2 @@ -33,7 +33,7 @@ RSAREFDIR = rsaref2 RSAREFSRCDIR = $(RSAREFDIR)/source *************** -*** 368,374 **** +*** 397,403 **** $(CC) -o rfc-pg rfc-pg.o .c.o: @@ -41,7 +41,7 @@ sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP) -rm -f sshd ---- 373,379 ---- +--- 402,408 ---- $(CC) -o rfc-pg rfc-pg.o .c.o: @@ -50,7 +50,7 @@ sshd: $(SSHD_OBJS) $(GMPDEP) $(RSAREFDEP) $(ZLIBDEP) -rm -f sshd *************** -*** 411,429 **** +*** 440,458 **** sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts chmod +x make-ssh-known-hosts @@ -70,7 +70,7 @@ $(RSAREFSRCDIR)/librsaref.a: -if test '!' -d $(RSAREFDIR); then \ ---- 416,434 ---- +--- 445,463 ---- sed "s#&PERL&#$(PERL)#" <$(srcdir)/make-ssh-known-hosts.pl >make-ssh-known-hosts chmod +x make-ssh-known-hosts @@ -91,24 +91,24 @@ $(RSAREFSRCDIR)/librsaref.a: -if test '!' -d $(RSAREFDIR); then \ *************** -*** 480,486 **** +*** 509,515 **** # (otherwise it can only log in as the user it runs as, and must be # bound to a non-privileged port). Also, password authentication may # not be available if non-root and using shadow passwords. ! install: $(PROGRAMS) make-dirs generate-host-key install-configs - -rm -f $(install_prefix)$(bindir)/ssh.old - -mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old - -chmod 755 $(install_prefix)$(bindir)/ssh.old ---- 485,491 ---- + -rm -f $(install_prefix)$(bindir)/ssh1.old + -mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old + -chmod 755 $(install_prefix)$(bindir)/ssh1.old +--- 514,520 ---- # (otherwise it can only log in as the user it runs as, and must be # bound to a non-privileged port). Also, password authentication may # not be available if non-root and using shadow passwords. ! install: $(PROGRAMS) make-dirs install-configs - -rm -f $(install_prefix)$(bindir)/ssh.old - -mv $(install_prefix)$(bindir)/ssh $(install_prefix)$(bindir)/ssh.old - -chmod 755 $(install_prefix)$(bindir)/ssh.old + -rm -f $(install_prefix)$(bindir)/ssh1.old + -mv $(install_prefix)$(bindir)/ssh1 $(install_prefix)$(bindir)/ssh1.old + -chmod 755 $(install_prefix)$(bindir)/ssh1.old *************** -*** 589,603 **** +*** 665,679 **** clean: -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg @@ -122,9 +122,9 @@ ! cd $(GMPDIR); $(MAKE) distclean ! cd $(ZLIBDIR); $(MAKE) distclean - dist: dist-free + dist: dist-commercial ---- 594,608 ---- +--- 670,684 ---- clean: -rm -f *.o gmon.out *core $(PROGRAMS) rfc-pg @@ -138,12 +138,12 @@ ! # cd $(GMPDIR); $(MAKE) distclean ! # cd $(ZLIBDIR); $(MAKE) distclean - dist: dist-free + dist: dist-commercial *************** -*** 628,639 **** - # - #endif F_SECURE_COMMERCIAL +*** 702,713 **** + -mkdir $(DISTNAME) + cp $(DISTFILES) $(DISTNAME) for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done ! (cd $(GMPDIR); make dist) ! gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) @@ -152,11 +152,11 @@ ! (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) ! cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS - dist-free-make-tar: - tar pcf $(DISTNAME).tar $(DISTNAME) ---- 633,644 ---- + #ifdef F_SECURE_COMMERCIAL # - #endif F_SECURE_COMMERCIAL +--- 707,718 ---- + -mkdir $(DISTNAME) + cp $(DISTFILES) $(DISTNAME) for i in $(DISTSRCS); do cp $(srcdir)/$$i $(DISTNAME); done ! # (cd $(GMPDIR); make dist) ! # gzip -cd $(GMPDIR)/$(GMPDIR).tar.gz | (cd $(DISTNAME); tar pxf - ) @@ -165,10 +165,10 @@ ! # (cd $(srcdir); tar pcf - $(ZLIBDIR) )| (cd $(DISTNAME); tar pxf -) ! # cd $(DISTNAME)/$(ZLIBDIR); rm -f *.o *.a; rm -rf CVS - dist-free-make-tar: - tar pcf $(DISTNAME).tar $(DISTNAME) + #ifdef F_SECURE_COMMERCIAL + # *************** -*** 656,662 **** +*** 735,741 **** (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null depend: @@ -176,7 +176,7 @@ tags: -rm -f TAGS ---- 661,667 ---- +--- 740,746 ---- (echo "s/\.$$old_version\"/.$$new_version\"/g"; echo w; echo q) | ed $(srcdir)/version.h >/dev/null depend: diff --git a/security/ssh2/files/patch-af b/security/ssh2/files/patch-af index 0dfba6e1e2f0..f0cea2252274 100644 --- a/security/ssh2/files/patch-af +++ b/security/ssh2/files/patch-af @@ -1,394 +1,108 @@ ---- sshd.c.orig Tue Jan 20 15:24:10 1998 -+++ sshd.c Thu Jan 22 16:29:19 1998 -@@ -428,6 +428,10 @@ - #include "firewall.h" /* TIS authsrv authentication */ - #endif - -+#ifdef HAVE_LOGIN_CAP_H -+#include <login_cap.h> -+#endif -+ - #ifdef _PATH_BSHELL - #define DEFAULT_SHELL _PATH_BSHELL - #else -@@ -1594,6 +1598,38 @@ - endspent(); - } - #endif /* HAVE_ETC_SHADOW */ -+#ifdef __FreeBSD__ -+ { -+ time_t currtime; -+ -+ if (pwd->pw_change || pwd->pw_expire) -+ currtime = time(NULL); -+ -+ /* -+ * Check for an expired password -+ */ -+ if (pwd->pw_change && pwd->pw_change <= currtime) -+ { -+ debug("Account %.100s's password is too old - forced to change.", -+ user); -+ if (options.forced_passwd_change) -+ forced_command = "/usr/bin/passwd"; -+ else -+ { -+ return 0; -+ } -+ } -+ -+ /* -+ * Check for expired account -+ */ -+ if (pwd->pw_expire && pwd->pw_expire <= currtime) -+ { -+ debug("Account %.100s has expired - access denied.", user); -+ return 0; -+ } -+ } -+#else /* !FreeBSD */ - /* - * Check if account is locked. Check if encrypted password starts - * with "*LK*". -@@ -1605,6 +1641,7 @@ - return 0; - } - } -+#endif /* !FreeBSD */ - #ifdef CHECK_ETC_SHELLS - { - int invalid = 1; -@@ -1819,8 +1856,10 @@ - pwcopy.pw_passwd = xstrdup(pw->pw_passwd); - pwcopy.pw_uid = pw->pw_uid; - pwcopy.pw_gid = pw->pw_gid; --#if defined (__bsdi__) && _BSDI_VERSION >= 199510 -+#if defined (HAVE_LOGIN_CAP_H) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - pwcopy.pw_class = xstrdup(pw->pw_class); -+#endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ -+#if defined (__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - pwcopy.pw_change = pw->pw_change; - pwcopy.pw_expire = pw->pw_expire; - #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ -@@ -2793,9 +2832,13 @@ - struct sockaddr_in from; - int fromlen; - struct pty_cleanup_context cleanup_context; --#if defined (__bsdi__) && _BSDI_VERSION >= 199510 -+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - struct timeval tp; - #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ -+#ifdef HAVE_LOGIN_CAP_H -+ login_cap_t *lc; -+ time_t warnpassword, warnexpire; -+#endif - - /* We no longer need the child running on user's privileges. */ - userfile_uninit(); -@@ -2867,10 +2910,18 @@ - record_login(pid, ttyname, pw->pw_name, pw->pw_uid, hostname, - &from); - -+#ifdef HAVE_LOGIN_CAP_H -+ lc = login_getclass(pw->pw_class); -+ quiet_login = login_getcapbool(lc, "hushlogin", quiet_login); -+ if (!quiet_login) { -+#endif - /* Check if .hushlogin exists. Note that we cannot use userfile - here because we are in the child. */ - sprintf(line, "%.200s/.hushlogin", pw->pw_dir); - quiet_login = stat(line, &st) >= 0; -+#ifdef HAVE_LOGIN_CAP_H -+ } -+#endif - - /* If the user has logged in before, display the time of last login. - However, don't display anything extra if a command has been -@@ -2890,6 +2941,38 @@ - else - printf("Last login: %s from %s\r\n", time_string, buf); - } -+#ifdef __FreeBSD__ -+ if (command == NULL && !quiet_login) -+ { -+#ifdef HAVE_LOGIN_CAP_H -+ char *cw; -+ FILE *f; -+ -+ cw = login_getcapstr(lc, "copyright", NULL, NULL); -+ if (cw != NULL && (f = fopen(cw, "r")) != NULL) -+ { -+ while (fgets(line, sizeof(line), f)) -+ fputs(line, stdout); -+ fclose(f); -+ } -+ else -+#endif -+ printf("%s\n\t%s %s\n\n", -+ "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", -+ "The Regents of the University of California. ", -+ "All rights reserved."); -+ } -+#endif -+ -+#ifdef HAVE_LOGIN_CAP_H -+#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ -+ -+ warnpassword = login_getcaptime(lc, "warnpassword", -+ DEFAULT_WARN, DEFAULT_WARN); -+ warnexpire = login_getcaptime(lc, "warnexpire", -+ DEFAULT_WARN, DEFAULT_WARN); -+ login_close(lc); -+#endif - - /* Print /etc/motd unless a command was specified or printing it was - disabled in server options. Note that some machines appear to -@@ -2900,14 +2983,18 @@ - FILE *f; - - /* Print /etc/motd if it exists. */ -- f = fopen("/etc/motd", "r"); -+#ifdef HAVE_LOGIN_CAP_H -+ f = fopen(login_getcapstr(lc, "welcome", "/etc/motd", "/etc/motd"), "r"); -+#else -+ f = fopen("/etc/motd", "r"); -+#endif - if (f) - { - while (fgets(line, sizeof(line), f)) - fputs(line, stdout); - fclose(f); - } --#if defined (__bsdi__) && _BSDI_VERSION >= 199510 -+#if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) - if (pw->pw_change || pw->pw_expire) - (void)gettimeofday(&tp, (struct timezone *)NULL); - if (pw->pw_change) -@@ -2915,7 +3002,11 @@ - fprintf(stderr,"Sorry -- your password has expired.\n"); - exit(254); - } else if (pw->pw_change - tp.tv_sec < -+#ifdef HAVE_LOGIN_CAP_H -+ warnpassword) -+#else - 2 * DAYSPERWEEK * SECSPERDAY) -+#endif - fprintf(stderr,"Warning: your password expires on %s", - ctime(&pw->pw_change)); - if (pw->pw_expire) -@@ -2923,7 +3014,11 @@ - fprintf(stderr,"Sorry -- your account has expired.\n"); - exit(254); - } else if (pw->pw_expire - tp.tv_sec < -+#ifdef HAVE_LOGIN_CAP_H -+ warnexpire) -+#else - 2 * DAYSPERWEEK * SECSPERDAY) -+#endif - fprintf(stderr,"Warning: your account expires on %s", - ctime(&pw->pw_expire)); - #endif /* __bsdi__ & _BSDI_VERSION >= 199510 */ -@@ -3182,6 +3277,13 @@ - #if defined (__bsdi__) && _BSDI_VERSION >= 199510 - login_cap_t *lc = 0; - #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ -+#ifdef HAVE_LOGIN_CAP_H -+ login_cap_t *lc; -+ char *real_shell; -+ -+ lc = login_getclass(pw->pw_class); -+ auth_checknologin(lc); -+#else /* !HAVE_LOGIN_CAP_H */ - - /* Check /etc/nologin. */ - f = fopen("/etc/nologin", "r"); -@@ -3199,10 +3301,16 @@ - if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0)) - exit(254); - #else -+#ifdef HAVE_LOGIN_CAP_H -+ if (pw->pw_uid != UID_ROOT && !login_getcapbool(lc, "ignorenologin", 0)) -+ exit(254); -+#else - if (pw->pw_uid != UID_ROOT) - exit(254); -+#endif - #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ - } -+#endif /* HAVE_LOGIN_CAP_H */ - - if (command != NULL) - { -@@ -3216,6 +3324,7 @@ - log_msg("executing remote command as user %.200s", pw->pw_name); - } - -+#ifndef HAVE_LOGIN_CAP_H - #ifdef HAVE_SETLOGIN - /* Set login name in the kernel. Warning: setsid() must be called before - this. */ -@@ -3236,6 +3345,7 @@ - if (setpcred((char *)pw->pw_name, NULL)) - log_msg("setpcred %.100s: %.100s", strerror(errno)); - #endif /* HAVE_USERSEC_H */ -+#endif /* !HAVE_LOGIN_CAP_H */ - - /* Save some data that will be needed so that we can do certain cleanups - before we switch to user's uid. (We must clear all sensitive data -@@ -3306,6 +3416,66 @@ - if (command != NULL || !options.use_login) - #endif /* USELOGIN */ - { -+#ifdef HAVE_LOGIN_CAP_H -+ char *p, *s, **tmpenv; -+ -+ /* Initialize the new environment. -+ */ -+ envsize = 64; -+ env = xmalloc(envsize * sizeof(char *)); -+ env[0] = NULL; -+ -+ child_set_env(&env, &envsize, "PATH", DEFAULT_PATH); -+ -+#ifdef MAIL_SPOOL_DIRECTORY -+ sprintf(buf, "%.200s/%.50s", MAIL_SPOOL_DIRECTORY, user_name); -+ child_set_env(&env, &envsize, "MAIL", buf); -+#else /* MAIL_SPOOL_DIRECTORY */ -+#ifdef MAIL_SPOOL_FILE -+ sprintf(buf, "%.200s/%.50s", user_dir, MAIL_SPOOL_FILE); -+ child_set_env(&env, &envsize, "MAIL", buf); -+#endif /* MAIL_SPOOL_FILE */ -+#endif /* MAIL_SPOOL_DIRECTORY */ -+ -+ /* Let it inherit timezone if we have one. */ -+ if (getenv("TZ")) -+ child_set_env(&env, &envsize, "TZ", getenv("TZ")); -+ -+ /* Save previous environment array -+ */ -+ tmpenv = environ; -+ environ = env; -+ -+ /* Set the user's login environment -+ */ -+ if (setusercontext(lc, pw, user_uid, LOGIN_SETALL) < 0) -+ { -+ perror("setusercontext"); -+ exit(1); -+ } -+ -+ p = getenv("PATH"); -+ s = xmalloc((p != NULL ? strlen(p) + 1 : 0) + sizeof(SSH_BINDIR)); -+ *s = '\0'; -+ if (p != NULL) -+ { -+ strcat(s, p); -+ strcat(s, ":"); -+ } -+ strcat(s, SSH_BINDIR); -+ -+ env = environ; -+ environ = tmpenv; /* Restore parent environment */ -+ for (envsize = 0; env[envsize] != NULL; ++envsize) -+ ; -+ /* Reallocate this to what is expected */ -+ envsize = (envsize < 100) ? 100 : envsize + 16; -+ env = xrealloc(env, envsize * sizeof(char *)); -+ -+ child_set_env(&env, &envsize, "PATH", s); -+ xfree(s); -+ -+#else /* !HAVE_LOGIN_CAP_H */ - /* Set uid, gid, and groups. */ - if (getuid() == UID_ROOT || geteuid() == UID_ROOT) - { -@@ -3337,6 +3507,7 @@ - - if (getuid() != user_uid || geteuid() != user_uid) - fatal("Failed to set uids to %d.", (int)user_uid); -+#endif /* HAVE_LOGIN_CAP_H */ - } - - /* Reset signals to their default settings before starting the user -@@ -3364,11 +3535,16 @@ - and means /bin/sh. */ - shell = (user_shell[0] == '\0') ? DEFAULT_SHELL : user_shell; - -+#ifdef HAVE_LOGIN_CAP_H -+ real_shell = login_getcapstr(lc, "shell", (char*)shell, (char*)shell); -+ login_close(lc); -+#else /* !HAVE_LOGIN_CAP_H */ - /* Initialize the environment. In the first part we allocate space for - all environment variables. */ - envsize = 100; - env = xmalloc(envsize * sizeof(char *)); - env[0] = NULL; -+#endif /* HAVE_LOGIN_CAP_H */ - - #ifdef USELOGIN - if (command != NULL || !options.use_login) -@@ -3378,6 +3554,8 @@ - child_set_env(&env, &envsize, "HOME", user_dir); - child_set_env(&env, &envsize, "USER", user_name); - child_set_env(&env, &envsize, "LOGNAME", user_name); -+ -+#ifndef HAVE_LOGIN_CAP_H - child_set_env(&env, &envsize, "PATH", DEFAULT_PATH ":" SSH_BINDIR); - - #ifdef MAIL_SPOOL_DIRECTORY -@@ -3389,6 +3567,7 @@ - child_set_env(&env, &envsize, "MAIL", buf); - #endif /* MAIL_SPOOL_FILE */ - #endif /* MAIL_SPOOL_DIRECTORY */ -+#endif /* !HAVE_LOGIN_CAP_H */ - - #ifdef HAVE_ETC_DEFAULT_LOGIN - /* Read /etc/default/login; this exists at least on Solaris 2.x. Note -@@ -3404,9 +3583,11 @@ - child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", - original_command); - -+#ifndef HAVE_LOGIN_CAP_H - /* Let it inherit timezone if we have one. */ - if (getenv("TZ")) - child_set_env(&env, &envsize, "TZ", getenv("TZ")); -+#endif /* !HAVE_LOGIN_CAP_H */ - - /* Set custom environment options from RSA authentication. */ - while (custom_environment) -@@ -3632,7 +3813,11 @@ - struct stat mailbuf; - - if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0) -+#ifdef __FreeBSD__ -+ ; -+#else - printf("No mail.\n"); -+#endif - else if (mailbuf.st_atime > mailbuf.st_mtime) - printf("You have mail.\n"); - else -@@ -3647,7 +3832,11 @@ - /* Execute the shell. */ - argv[0] = buf; - argv[1] = NULL; -+#ifdef HAVE_LOGIN_CAP_H -+ execve(real_shell, argv, env); -+#else - execve(shell, argv, env); -+#endif /* HAVE_LOGIN_CAP_H */ - /* Executing the shell failed. */ - perror(shell); - exit(1); -@@ -3668,7 +3857,11 @@ - argv[1] = "-c"; - argv[2] = (char *)command; - argv[3] = NULL; -+#ifdef HAVE_LOGIN_CAP_H -+ execve(real_shell, argv, env); -+#else - execve(shell, argv, env); -+#endif /* HAVE_LOGIN_CAP_H */ - perror(shell); - exit(1); - } +*** sshd.c.WAS Thu Jun 11 23:11:47 1998 +--- sshd.c Thu Jun 11 23:30:30 1998 +*************** +*** 2014,2020 **** + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_change = pw->pw_change; + pwcopy.pw_expire = pw->pw_expire; +! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; +--- 2014,2020 ---- + pwcopy.pw_class = xstrdup(pw->pw_class); + pwcopy.pw_change = pw->pw_change; + pwcopy.pw_expire = pw->pw_expire; +! #endif /* (__bsdi__ && _BSDI_VERSION >= 199510) || (__FreeBSD__ && HAVE_LOGIN_CAP_H) */ + pwcopy.pw_dir = xstrdup(pw->pw_dir); + pwcopy.pw_shell = xstrdup(pw->pw_shell); + pw = &pwcopy; +*************** +*** 3045,3054 **** + struct pty_cleanup_context cleanup_context; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; + #endif +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + struct timeval tp; +! #endif /* __bsdi__ && _BSDI_VERSION >= 199510 */ + + #ifdef HAVE_OSF1_C2_SECURITY + { +--- 3045,3055 ---- + struct pty_cleanup_context cleanup_context; + #if defined (__FreeBSD__) && defined(HAVE_LOGIN_CAP_H) + login_cap_t *lc; ++ time_t warnpassword, warnexpire; + #endif +! #if defined(__FreeBSD__) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) + struct timeval tp; +! #endif /* __FreeBSD__ || (__bsdi__ && _BSDI_VERSION >= 199510) */ + + #ifdef HAVE_OSF1_C2_SECURITY + { +*************** +*** 3183,3188 **** +--- 3184,3197 ---- + "The Regents of the University of California. ", + "All rights reserved."); + } ++ #ifdef HAVE_LOGIN_CAP_H ++ #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ ++ ++ warnpassword = login_getcaptime(lc, "warnpassword", ++ DEFAULT_WARN, DEFAULT_WARN); ++ warnexpire = login_getcaptime(lc, "warnexpire", ++ DEFAULT_WARN, DEFAULT_WARN); ++ #endif + #endif + + /* Print /etc/motd unless a command was specified or printing it was +*************** +*** 3206,3212 **** + fputs(line, stdout); + fclose(f); + } +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tp, (struct timezone *)NULL); + if (pw->pw_change) +--- 3215,3221 ---- + fputs(line, stdout); + fclose(f); + } +! #if defined(__FreeBSD__) || (defined(__bsdi__) && _BSDI_VERSION >= 199510) + if (pw->pw_change || pw->pw_expire) + (void)gettimeofday(&tp, (struct timezone *)NULL); + if (pw->pw_change) +*************** +*** 3575,3581 **** + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); +! #if defined (__bsdi__) && _BSDI_VERSION >= 199510 + if (pw->pw_uid != UID_ROOT && + !login_getcapbool(lc, "ignorenologin", 0)) + exit(254); +--- 3584,3590 ---- + while (fgets(buf, sizeof(buf), f)) + fputs(buf, stderr); + fclose(f); +! #if (defined(__FreeBSD__) && defined(HAVE_LOGIN_CAP_H)) || (defined (__bsdi__) && _BSDI_VERSION >= 199510) + if (pw->pw_uid != UID_ROOT && + !login_getcapbool(lc, "ignorenologin", 0)) + exit(254); +*************** +*** 4121,4127 **** +--- 4130,4140 ---- + struct stat mailbuf; + + if (stat(mailbox, &mailbuf) == -1 || mailbuf.st_size == 0) ++ #ifdef __FreeBSD__ ++ ; ++ #else + printf("No mail.\n"); ++ #endif + else if (mailbuf.st_atime > mailbuf.st_mtime) + printf("You have mail.\n"); + else diff --git a/security/ssh2/pkg-plist b/security/ssh2/pkg-plist index c632301bd8c8..ff4c33783eb0 100644 --- a/security/ssh2/pkg-plist +++ b/security/ssh2/pkg-plist @@ -1,23 +1,39 @@ etc/rc.d/sshd.sh bin/scp +bin/scp1 bin/ssh +bin/ssh1 @exec ln -fs %f %B/slogin @unexec rm -f %B/slogin bin/ssh-add +bin/ssh-add1 bin/ssh-agent +bin/ssh-agent1 bin/ssh-askpass +bin/ssh-askpass1 bin/ssh-keygen +bin/ssh-keygen1 bin/make-ssh-known-hosts +bin/make-ssh-known-hosts1 etc/ssh_config etc/sshd_config man/man1/make-ssh-known-hosts.1.gz +man/man1/make-ssh-known-hosts1.1.gz man/man1/scp.1.gz +man/man1/scp1.1.gz man/man1/ssh-add.1.gz +man/man1/ssh-add1.1.gz man/man1/ssh-agent.1.gz +man/man1/ssh-agent1.1.gz man/man1/ssh-keygen.1.gz +man/man1/ssh-keygen1.1.gz man/man1/ssh.1.gz +man/man1/ssh1.1.gz @exec ln -fs %f %B/slogin.1.gz @unexec rm -f %B/slogin.1.gz +@unexec rm -f %B/slogin1.1.gz man/man8/sshd.8.gz +man/man8/sshd1.8.gz sbin/sshd +sbin/sshd1 @exec if [ ! -f %D/etc/ssh_host_key ]; then echo "Generating a secret host key.." ; %D/bin/ssh-keygen -N "" -f %D/etc/ssh_host_key; fi |