tyler.durden/Win32-OpenSSH
1
0
Fork 0
mirror of https://github.com/PowerShell/Win32-OpenSSH.git synced 2025-07-20 20:44:50 +02:00
Code Issues Packages Projects Releases Wiki Activity

Source snapshot from Powershell\openssh-portable

Browse Source
This commit is contained in:
Manoj Ampalam 2016-11-29 14:50:13 -08:00
parent 6411a23af7
commit 7c62169a93
430 changed files with 13774 additions and 100814 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
.cvsignore
View File

@ -1,28 +0,0 @@
*.0
*.out
Makefile
autom4te.cache
buildit.sh
buildpkg.sh
config.cache
config.h
config.h.in
config.log
config.status
configure
openssh.xml
opensshd.init
scp
sftp
sftp-server
ssh
ssh-add
ssh-agent
ssh-keygen
ssh-keyscan
ssh-keysign
ssh-pkcs11-helper
sshd
stamp-h.in
survey
survey.sh

31
.gitattributes vendored
View File

@ -1,31 +0,0 @@
# Auto detect text files and perform LF normalization
* text=auto
# Custom for Visual Studio
*.cs diff=csharp
# Standard to msysgit
*.doc diff=astextplain
*.DOC diff=astextplain
*.docx diff=astextplain
*.DOCX diff=astextplain
*.dot diff=astextplain
*.DOT diff=astextplain
*.pdf diff=astextplain
*.PDF diff=astextplain
*.rtf diff=astextplain
*.RTF diff=astextplain
# conditions for Win32-OpenSSH
*.sh text eol=lf
config.sub text eol=lf
fixalgorithms text eol=lf
runconfigure text eol=lf
configure text eol=lf
config.guess text eol=lf
config.sub text eol=lf
win32_build text eol=lf
win32_config.guess text eol=lf
win32_config.sub text eol=lf

321
.gitignore vendored
View File

@ -1,37 +1,14 @@
#################
## Eclipse
#################
################################################################################
# This .gitignore file was automatically created by Microsoft(R) Visual Studio.
################################################################################
*.pydevproject
.project
.metadata
bin/
tmp/
*.tmp
*.bak
*.swp
*~.nib
local.properties
.classpath
.settings/
.loadpath
# External tool builders
.externalToolBuilders/
# Locally stored "Eclipse launch configurations"
*.launch
# CDT-specific
.cproject
# PDT-specific
.buildpath
#################
## Visual Studio
#################
/bin/x64/Debug
/contrib/win32/openssh/.vs/Win32-OpenSSH/v14
/contrib/win32/openssh/lib
/contrib/win32/openssh/Win32/Debug/config/config.tlog
/contrib/win32/openssh/Win32/Debug/libssh/libssh.tlog
/contrib/win32/openssh/Win32/Debug/libssh
/config.h
## Ignore Visual Studio temporary files, build results, and
## files generated by popular Visual Studio add-ons.
@ -39,23 +16,51 @@ local.properties
# User-specific files
*.suo
*.user
*.userosscache
*.sln.docstates
# Build results
# User-specific files (MonoDevelop/Xamarin Studio)
*.userprefs
# Build results
[Dd]ebug/
[Dd]ebugPublic/
[Rr]elease/
[Rr]eleases/
x64/
build/
x86/
bld/
[Bb]in/
[Oo]bj/
[Ll]og/
# Visual Studio 2015 cache/options directory
.vs/
# Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/
# MSTest test Results
[Tt]est[Rr]esult*/
[Bb]uild[Ll]og.*
# NUNIT
*.VisualState.xml
TestResult.xml
# Build Results of an ATL Project
[Dd]ebugPS/
[Rr]eleasePS/
dlldata.c
# DNX
project.lock.json
project.fragment.lock.json
artifacts/
Properties/launchSettings.json
*_i.c
*_p.c
*_i.h
*.ilk
*.meta
*.obj
@ -75,21 +80,33 @@ build/
*.vssscc
.builds
*.pidb
*.log
*.svclog
*.scc
*.c.bak
*.h.bak
# Chutzpah Test files
_Chutzpah*
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Visual Studio profiler
*.psess
*.vsp
*.vspx
*.sap
# TFS 2012 Local Workspace
$tf/
# Guidance Automation Toolkit
*.gpState
@ -97,6 +114,10 @@ ipch/
# ReSharper is a .NET coding add-in
_ReSharper*/
*.[Rr]e[Ss]harper
*.DotSettings.user
# JustCode is a .NET coding add-in
.JustCode
# TeamCity is a build add-in
_TeamCity*
@ -104,9 +125,21 @@ _TeamCity*
# DotCover is a Code Coverage Tool
*.dotCover
# Visual Studio code coverage results
*.coverage
*.coveragexml
# NCrunch
*.ncrunch*
_NCrunch_*
.*crunch*.local.xml
nCrunchTemp_*
# MightyMoose
*.mm.*
AutoTest.Net/
# Web workbench (sass)
.sass-cache/
# Installshield output folder
[Ee]xpress/
@ -125,169 +158,129 @@ DocProject/Help/html
publish/
# Publish Web Output
*.Publish.xml
*.[Pp]ublish.xml
*.azurePubxml
# TODO: Comment the next line if you want to checkin your web deploy settings
# but database connection strings (with potential passwords) will be unencrypted
*.pubxml
*.publishproj
# NuGet Packages Directory
## TODO: If you have NuGet Package Restore enabled, uncomment the next line
#packages/
# Microsoft Azure Web App publish settings. Comment the next line if you want to
# checkin your Azure Web App publish settings, but sensitive information contained
# in these scripts will be unencrypted
PublishScripts/
# Windows Azure Build Output
csx
# NuGet Packages
*.nupkg
# The packages folder can be ignored because of Package Restore
**/packages/*
# except build/, which is used as an MSBuild target.
!**/packages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/packages/repositories.config
# NuGet v3's project.json files produces more ignoreable files
*.nuget.props
*.nuget.targets
# Microsoft Azure Build Output
csx/
*.build.csdef
# Windows Store app package directory
# Microsoft Azure Emulator
ecf/
rcf/
# Windows Store app package directories and files
AppPackages/
BundleArtifacts/
Package.StoreAssociation.xml
_pkginfo.txt
# Visual Studio cache files
# files ending in .cache can be ignored
*.[Cc]ache
# but keep track of directories ending in .cache
!*.[Cc]ache/
# Others
sql/
*.Cache
ClientBin/
[Ss]tyle[Cc]op.*
~$*
*~
*.dbmdl
*.[Pp]ublish.xml
*.dbproj.schemaview
*.jfm
*.pfx
*.publishsettings
node_modules/
orleans.codegen.cs
# Since there are multiple workflows, uncomment next line to ignore bower_components
# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
#bower_components/
# RIA/Silverlight projects
Generated_Code/
# Backup & report files from converting an old project file to a newer
# Visual Studio version. Backup files are not needed, because we have git ;-)
# Backup & report files from converting an old project file
# to a newer Visual Studio version. Backup files are not needed,
# because we have git ;-)
_UpgradeReport_Files/
Backup*/
UpgradeLog*.XML
UpgradeLog*.htm
# SQL Server files
App_Data/*.mdf
App_Data/*.ldf
*.mdf
*.ldf
#############
## Windows detritus
#############
# Business Intelligence projects
*.rdl.data
*.bim.layout
*.bim_*.settings
# Windows image file caches
Thumbs.db
ehthumbs.db
# Microsoft Fakes
FakesAssemblies/
# Folder config file
Desktop.ini
# GhostDoc plugin setting file
*.GhostDoc.xml
# Recycle Bin used on file shares
$RECYCLE.BIN/
# Node.js Tools for Visual Studio
.ntvs_analysis.dat
# Mac crap
.DS_Store
# Visual Studio 6 build log
*.plg
# Visual Studio 6 workspace options file
*.opt
#############
## Python
#############
# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
*.vbw
*.py[cod]
# Visual Studio LightSwitch build output
**/*.HTMLClient/GeneratedArtifacts
**/*.DesktopClient/GeneratedArtifacts
**/*.DesktopClient/ModelManifest.xml
**/*.Server/GeneratedArtifacts
**/*.Server/ModelManifest.xml
_Pvt_Extensions
# Packages
*.egg
*.egg-info
dist/
build/
eggs/
parts/
var/
sdist/
develop-eggs/
.installed.cfg
# Paket dependency manager
.paket/paket.exe
paket-files/
# Installer logs
pip-log.txt
# FAKE - F# Make
.fake/
# Unit test / coverage reports
.coverage
.tox
# JetBrains Rider
.idea/
*.sln.iml
#Translations
*.mo
# CodeRush
.cr/
#Mr Developer
.mr.developer.cfg
# Python Tools for Visual Studio (PTVS)
__pycache__/
*.pyc
##################
# Win32-OpenSSH
##################
*.o
*.dll
*.exe
*.out
*.a
#Makefile
config.status
openssh.xml
opensshd.init
survey.sh
buildpkg.sh
ssh_host_rsa_key.pub
ssh_host_rsa_key
ssh_host_rsa_key
ssh_host_rsa_key
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_ecdsa_key.pub
ssh_host_ecdsa_key
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
ssh_host_rsa_key.pub
id_rsa.pub
id_rsa
id_dsa.pub
id_dsa
is_rsa
is_rsa.pub
regress/t10.out.pub
regress/t12.out.pub
regress/t6.out1
regress/t8.out.pub
regress/t9.out.pub
regress/t6.out1
regress/t10.out.pub
regress/t10.out.pub
regress/t6.out1
Makefile
openbsd-compat/Makefile
openbsd-compat/regress/Makefile
contrib/win32/win32compat/Makefile
regress/rsa_ssh2_cr.prv
regress/rsa_ssh2_crnl.prv
regress/t7.out.pub
regress/t6.out2
config.h
config.h.in
configure
config.h.tail
config.sub
config.guess
Makefile.in
#temp key files
d2utmpa*
configure
contrib/win32/openssh/Win32-OpenSSH.VC.opendb
contrib/win32/openssh/Win32-OpenSSH.VC.db
*.opendb
*.db
# Visual C++ cache files
ipch/
*.aps
*.ncb
*.opendb
*.opensdf
*.sdf
*.cachefile
*.VC.db
*.VC.VC.opendb
# Cake - Uncomment if you are using it
# tools/

11
.skipped-commit-ids Normal file
View File

@ -0,0 +1,11 @@
321065a95a7ccebdd5fd08482a1e19afbf524e35 Update DH groups
d4f699a421504df35254cf1c6f1a7c304fb907ca Remove 1k bit groups
aafe246655b53b52bc32c8a24002bc262f4230f7 Remove intermediate moduli
8fa9cd1dee3c3339ae329cf20fb591db6d605120 put back SSH1 for 6.9
f31327a48dd4103333cc53315ec53fe65ed8a17a Generate new moduli
edbfde98c40007b7752a4ac106095e060c25c1ef Regen moduli
052fd565e3ff2d8cec3bc957d1788f50c827f8e2 Switch to tame-based sandbox
7cf73737f357492776223da1c09179fa6ba74660 Remove moduli <2k
180d84674be1344e45a63990d60349988187c1ae Update moduli
f6ae971186ba68d066cd102e57d5b0b2c211a5ee systrace is dead.
96c5054e3e1f170c6276902d5bc65bb3b87a2603 remove DEBUGLIBS from Makefile

1723
ChangeLog
View File

File diff suppressed because it is too large Load Diff

5
INSTALL
View File

@ -7,14 +7,15 @@ OpenSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
http://www.gzip.org/zlib/
libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/
LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie.
to configure OpenSSH --without-pie. Note that because of API changes,
OpenSSL 1.1.x is not currently supported.
The remaining items are optional.

227
INSTALL.win32
View File

@ -1,227 +0,0 @@
STEP 1: Prepare the Cygwin environment
======================================
1. Download the Cygwin installer from www.cygwin.com
2. Launch the Cygwin installer, and ensure that packages listed below are selected as 'install':
devel/mingw-*
devel/mingw64-*
perl/*
devel/make: GNU Tool
devel/autoconf
devel/autoconf-2.69-2
See REFERENCE VERSIONS below for the detailed list of packages used for reference build.
STEP 2: Compile
===============
Build with Cygwin 32-bit
------------------------
1. Ensure that are you using correct mingw32 toolchain. You must have administrative rights.
To do that, create symbolic links:
/bin/i686-pc-mingw32-* |-> /bin/*
or run the <openssh_dir>/scripts/set-mingw32.sh script from the Cygwin /bin directory
2. Prepare the 32-bit libssl.a and libcrypto.a libraries and the openssl headers.
These libraries are used by 32-bit openssh and 32-bit ssh-lsa.
- Download OpenSSL sources from http://www.openssl.org/source/.
Version used as reference build is openssl-1.0.1e.
- Compile sources by running:
$./Configure mingw
$make
3. Prepare 32-bit libz.a and zlib.dll.
- Download ZLIB sources from http://www.zlib.net
Version used as reference build is 1.2.8.
- Compile sources by running:
make -f win32/Makefile.gcc
4. Build 32-bit OpenSSH:
Run the following commands under a Cygwin shell in the openssh directory:
$autoreconf
$./configure --build=i686-pc-mingw32
--host=i686-pc-mingw32
--with-ssl-dir=<OPENSSL_DIR>
--with-zlib=<ZLIB_DIR>
--with-kerberos5
where <OPENSSL_DIR> is a directory where openssl sources are extracted and <ZLIB_DIR> is a directory where zlib sources are extracted
$cat config.h.tail >> config.h
Build one of SSH family tool:
Run:
$make <program>
where <program> is any of the OpenSSH tools ported to Win32.
sftp.exe available starting from openssh-5.9p1-win32
ssh-agent.exe available starting from openssh-4.7p1-win32
ssh-add.exe available starting from openssh-4.7p1-win32
ssh-keygen.exe available starting from openssh-4.7p1-win32
sftp-server.exe available starting from openssh-4.7p1-win32
ssh.exe
sshd.exe
4. Build 32-bit ssh-lsa for native RSA/DSA key authorization
Move to <openssh_directory>contribwin32win32compatlsa directory and run:
$export LIBSSL_PATH="/home/nars/openssl-1.0.1e"
$make -f Makefile.mingw32
- This command should produce the 32-bit ssh-lsa.dll file.
Build with Cygwin 64-bit
------------------------
1. Build 32-bit openssl, zlib and openssh following 1-4 steps from 32-bit instruction. OpenSSH tools are always 32-bit.
2. Ensure that you are using correct mingw64 toolchain. You must have administrative rights.
To do that you must create symbolic links:
/bin/x86_64-w64-mingw32-* |-> /bin/*
or run <openssh_dir>/scripts/set-mingw64.sh from the Cygwin /bin directory.
3. Prepare the 64-bit libssl.a and libcrypto.a libraries and the openssl headers. These libraries are used by 64-bit ssh-lsa.
- Move clean OpenSSL sources into another directory, e.g. openssl-64.
- Compile sources by running:
$./Configure mingw64
$make
4. Build 64-bit ssh-lsa for native RSA/DSA key authorization
- Move to <openssh_directory>contribwin32win32compatlsa directory and run:
$export LIBSSL_PATH="/home/nars/openssl-1.0.1e"
$make -f Makefile.mingw32
- This command should produce 64-bit ssh-lsa.dll file.
STEP 3 - Install ssh-lsa on system where sshd server is running
===============================================================
- Copy the ssh-lsa.dll to the %WINDIR%/System32 directory.
IMPORTANT NOTE:
If your Windows is at 64-bit, be sure that you use a 64-bit file manager to copy ssh-lsa.dll, otherwise this dll will be not visible on the 64-bit OS.
For example:
- Drag and drop file using Windows explorer.
Or:
- Run copy ssh-lsa.dll c:/windows/system32 under a cmd.exe console.
- Then, by using the regedit tool, add 'ssh-lsa' string to the end of the registry key below:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa/Authentication Packages
Reboot the machine.
REFERENCE VERSIONS
==================
CYGWIN PACKAGES
---------------
13-1 Devel/autoconf: Wrapper for autoconf command
2.13-12 Devel/autoconf2.1: Stable version of the automatic configure builder
2.69-2 Devel/autoconf2.5: An extensible package of m4 macros shell scripts
to automatically configure software code packages
2.23.51-1 Devel/binutils: The GNU assembler, linker and binary utilites
4.8.2-1 Devel/libgcc1: GCC C runtime library
4.8.2-1 Devel/libssp0: GCC Stack-smashing Protection runtime library
4.8.2-1 Devel/libstdc++6: GCC C++ runtime library
4.0-2 Devel/make: The GNU version of 'make' utility
2.23.1-1 Devel/mingw-binutils: Bintutils for MinGW.org win32 toolchain (util)
4.7.3-1 Devel/mingw-gcc-core
4.7.3-1 Devel/mingw-gcc-g++
4.7.3-1 Devel/mingw-gcc-obj
20110507-2 Devel/mingw-pthreads: Libpthread for MinGW.org
4.0-1 Devel/mingw-runtime: MinGW.org MSVC & compiler runtime header and libraries
4.0-1 Devel/mingw-w32api
2.22.52-1 Devel/mingw64-i686-binutils
4.7.3-1 Devel/mingw64-i686-gcc-core
4.7.3-1 Devel/mingw64-i686-gcc-g++
3.0.0-1 Devel/mingw64-i686-headers
20100619-5 Devel/mingw64-i686-pthreads
3.0.0-1 Devel/mingw64-i686-runtime
3.0b_svn5935-1 Devel/mingw64-winpthreads
2.22.52-1 Devel/mingw64-x86_64-binutils
4.7.3-1 Devel/mingw64-x86_64-gcc
4.7.3-1 Devel/mingw64-x86_64-core
4.7.3-1 Devel/mingw64-x86_64-g++
3.0.0-1 Devel/mingw64-x86_64-headers
20100619-5 Devel/mingw64-x86_64-pthreads
3.0.0-1 Devel/mingw64-x86_64-runtime
3.0b-svn5935-1 Devel/mingw64-x86_64-winpthreads
5.14.2-3 Perl/perl
OpenSSL
-------
openssl-1.0.1e
ZLIB
----
zlib-1.2.8

111
Makefile.in
View File

@ -82,7 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
compat.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \
@ -91,11 +91,11 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o openssl-dh.o openssl-bn.o
kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
platform-pledge.o platform-tracing.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
sshconnect.o sshconnect1.o sshconnect2.o mux.o \
roaming_common.o roaming_client.o
sshconnect.o sshconnect1.o sshconnect2.o mux.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
audit.o audit-bsm.o audit-linux.o platform.o \
@ -108,9 +108,9 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
auth2-gss.o gss-serv.o gss-serv-krb5.o \
loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
sftp-server.o sftp-common.o \
roaming_common.o roaming_serv.o \
sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
sandbox-seccomp-filter.o sandbox-capsicum.o
sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
sandbox-solaris.o
MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@ -178,14 +178,14 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@ -223,7 +223,7 @@ umac128.o: umac.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
-DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
-Dumac_update=umac128_update -Dumac_final=umac128_final \
-Dumac_delete=umac128_delete
-Dumac_delete=umac128_delete -Dumac_ctx=umac128_ctx
clean: regressclean
rm -f *.o *.a $(TARGETS) logintest config.cache config.log
@ -240,6 +240,8 @@ clean: regressclean
rm -f regress/unittests/hostkeys/test_hostkeys
rm -f regress/unittests/kex/*.o
rm -f regress/unittests/kex/test_kex
rm -f regress/misc/kexfuzz/*.o
rm -f regress/misc/kexfuzz/kexfuzz
(cd openbsd-compat && $(MAKE) clean)
distclean: regressclean
@ -260,6 +262,7 @@ distclean: regressclean
rm -f regress/unittests/hostkeys/test_hostkeys
rm -f regress/unittests/kex/*.o
rm -f regress/unittests/kex/test_kex
rm -f regress/unittests/misc/kexfuzz
(cd openbsd-compat && $(MAKE) distclean)
if test -d pkg ; then \
rm -fr pkg ; \
@ -327,10 +330,6 @@ install-files:
$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-rm -f $(DESTDIR)$(bindir)/slogin
ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
install-sysconf:
if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
@ -359,41 +358,19 @@ install-sysconf:
host-key: ssh-keygen$(EXEEXT)
@if [ -z "$(DESTDIR)" ] ; then \
if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
else \
./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
fi ; \
if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
else \
./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
fi ; \
if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
else \
./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
fi ; \
if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
else \
./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
fi ; \
if [ -z "@COMMENT_OUT_ECC@" ] ; then \
if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
else \
./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
fi ; \
fi ; \
fi ;
./ssh-keygen -A; \
fi
host-key-force: ssh-keygen$(EXEEXT)
./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT)
if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \
./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""; \
fi
./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
if ./ssh -Q key | grep ecdsa >/dev/null ; then \
./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""; \
fi
uninstallall: uninstall
-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
@ -407,7 +384,6 @@ uninstallall: uninstall
-rmdir $(DESTDIR)$(libexecdir)
uninstall:
-rm -f $(DESTDIR)$(bindir)/slogin
-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
@ -430,7 +406,6 @@ uninstall:
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
regress-prep:
[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
@ -447,19 +422,27 @@ regress-prep:
mkdir -p `pwd`/regress/unittests/hostkeys
[ -d `pwd`/regress/unittests/kex ] || \
mkdir -p `pwd`/regress/unittests/kex
[ -d `pwd`/regress/misc/kexfuzz ] || \
mkdir -p `pwd`/regress/misc/kexfuzz
[ -f `pwd`/regress/Makefile ] || \
ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
REGRESSLIBS=libssh.a $(LIBCOMPAT)
regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c $(REGRESSLIBS)
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/setuid-allowed.c \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c $(REGRESSLIBS)
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/netcat.c \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c $(REGRESSLIBS)
$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/check-perm.c \
$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
UNITTESTS_TEST_HELPER_OBJS=\
@ -510,8 +493,7 @@ regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
UNITTESTS_TEST_KEX_OBJS=\
regress/unittests/kex/tests.o \
regress/unittests/kex/test_kex.o \
roaming_dummy.o
regress/unittests/kex/test_kex.o
regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
regress/unittests/test_helper/libtest_helper.a libssh.a
@ -530,17 +512,25 @@ regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
regress/unittests/test_helper/libtest_helper.a \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
REGRESS_BINARIES=\
regress/modpipe$(EXEEXT) \
MISC_KEX_FUZZ_OBJS=\
regress/misc/kexfuzz/kexfuzz.o
regress/misc/kexfuzz/kexfuzz$(EXEEXT): ${MISC_KEX_FUZZ_OBJS} libssh.a
$(LD) -o $@ $(LDFLAGS) $(MISC_KEX_FUZZ_OBJS) \
-lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
regress-binaries: regress/modpipe$(EXEEXT) \
regress/setuid-allowed$(EXEEXT) \
regress/netcat$(EXEEXT) \
regress/check-perm$(EXEEXT) \
regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
regress/unittests/sshkey/test_sshkey$(EXEEXT) \
regress/unittests/bitmap/test_bitmap$(EXEEXT) \
regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
regress/unittests/kex/test_kex$(EXEEXT)
regress/unittests/kex/test_kex$(EXEEXT) \
regress/misc/kexfuzz/kexfuzz$(EXEEXT)
tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
tests interop-tests t-exec: regress-prep regress-binaries $(TARGETS)
BUILDDIR=`pwd`; \
TEST_SSH_SCP="$${BUILDDIR}/scp"; \
TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
@ -565,6 +555,7 @@ tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
OBJ="$${BUILDDIR}/regress/" \
PATH="$${BUILDDIR}:$${PATH}" \
TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
TEST_MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
TEST_SSH_SCP="$${TEST_SSH_SCP}" \
TEST_SSH_SSH="$${TEST_SSH_SSH}" \
TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \

4
PROTOCOL
View File

@ -247,6 +247,8 @@ to request that the server make a connection to a Unix domain socket.
uint32 initial window size
uint32 maximum packet size
string socket path
string reserved
uint32 reserved
Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
server when the client has previously send the server a streamlocal-forward
@ -452,4 +454,4 @@ respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version
"1".
$OpenBSD: PROTOCOL,v 1.29 2015/07/17 03:09:19 djm Exp $
$OpenBSD: PROTOCOL,v 1.30 2016/04/08 06:35:54 djm Exp $

24
PROTOCOL.agent
View File

@ -206,6 +206,28 @@ ECDSA certificates may be added with:
string key_comment
constraint[] key_constraints
ED25519 keys may be added using the following request
byte SSH2_AGENTC_ADD_IDENTITY or
SSH2_AGENTC_ADD_ID_CONSTRAINED
string "ssh-ed25519"
string ed25519_public_key
string ed25519_private_key || ed25519_public_key
string key_comment
constraint[] key_constraints
ED25519 certificates may be added with:
byte SSH2_AGENTC_ADD_IDENTITY or
SSH2_AGENTC_ADD_ID_CONSTRAINED
string "ssh-ed25519-cert-v01@openssh.com"
string certificate
string ed25519_public_key
string ed25519_private_key || ed25519_public_key
string key_comment
constraint[] key_constraints
For both ssh-ed25519 and ssh-ed25519-cert-v01@openssh.com keys, the private
key has the public key appended (for historical reasons).
RSA keys may be added with this request:
byte SSH2_AGENTC_ADD_IDENTITY or
@ -557,4 +579,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
SSH_AGENT_CONSTRAIN_LIFETIME 1
SSH_AGENT_CONSTRAIN_CONFIRM 2
$OpenBSD: PROTOCOL.agent,v 1.8 2015/05/08 03:56:51 djm Exp $
$OpenBSD: PROTOCOL.agent,v 1.11 2016/05/19 07:45:32 djm Exp $

42
PROTOCOL.certkeys
View File

@ -100,9 +100,9 @@ DSA certificate
ECDSA certificate
string "ecdsa-sha2-nistp256@openssh.com" |
"ecdsa-sha2-nistp384@openssh.com" |
"ecdsa-sha2-nistp521@openssh.com"
string "ecdsa-sha2-nistp256-v01@openssh.com" |
"ecdsa-sha2-nistp384-v01@openssh.com" |
"ecdsa-sha2-nistp521-v01@openssh.com"
string nonce
string curve
string public_key
@ -118,6 +118,23 @@ ECDSA certificate
string signature key
string signature
ED25519 certificate
string "ssh-ed25519-cert-v01@openssh.com"
string nonce
string pk
uint64 serial
uint32 type
string key id
string valid principals
uint64 valid after
uint64 valid before
string critical options
string extensions
string reserved
string signature key
string signature
The nonce field is a CA-provided random bitstring of arbitrary length
(but typically 16 or 32 bytes) included to make attacks that depend on
inducing collisions in the signature hash infeasible.
@ -129,6 +146,9 @@ p, q, g, y are the DSA parameters as described in FIPS-186-2.
curve and public key are respectively the ECDSA "[identifier]" and "Q"
defined in section 3.1 of RFC5656.
pk is the encoded Ed25519 public key as defined by
draft-josefsson-eddsa-ed25519-03.
serial is an optional certificate serial number set by the CA to
provide an abbreviated way to refer to certificates from that CA.
If a CA does not wish to number its certificates it must set this
@ -146,7 +166,7 @@ strings packed inside it. These principals list the names for which this
certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
zero-length "valid principals" field means the certificate is valid for
any principal of the specified type. XXX DNS wildcards?
any principal of the specified type.
"valid after" and "valid before" specify a validity period for the
certificate. Each represents a time in seconds since 1970-01-01
@ -183,7 +203,7 @@ signature is computed over all preceding fields from the initial string
up to, and including the signature key. Signatures are computed and
encoded according to the rules defined for the CA's public key algorithm
(RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
types).
types), and draft-josefsson-eddsa-ed25519-03 for Ed25519.
Critical options
----------------
@ -203,8 +223,9 @@ option-specific information (see below). All options are
"critical", if an implementation does not recognise a option
then the validating party should refuse to accept the certificate.
The supported options and the contents and structure of their
data fields are:
No critical options are defined for host certificates at present. The
supported user certificate options and the contents and structure of
their data fields are:
Name Format Description
-----------------------------------------------------------------------------
@ -233,8 +254,9 @@ as is the requirement that each name appear only once.
If an implementation does not recognise an extension, then it should
ignore it.
The supported extensions and the contents and structure of their data
fields are:
No extensions are defined for host certificates at present. The
supported user certificate extensions and the contents and structure of
their data fields are:
Name Format Description
-----------------------------------------------------------------------------
@ -262,4 +284,4 @@ permit-user-rc empty Flag indicating that execution of
of this script will not be permitted if
this option is not present.
$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $
$OpenBSD: PROTOCOL.certkeys,v 1.10 2016/05/03 10:27:59 djm Exp $

4
PROTOCOL.chacha20poly1305
View File

@ -34,6 +34,8 @@ Detailed Construction
The chacha20-poly1305@openssh.com cipher requires 512 bits of key
material as output from the SSH key exchange. This forms two 256 bit
keys (K_1 and K_2), used by two separate instances of chacha20.
The first 256 bits consitute K_2 and the second 256 bits become
K_1.
The instance keyed by K_1 is a stream cipher that is used only
to encrypt the 4 byte packet length field. The second instance,
@ -101,5 +103,5 @@ References
[3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
$OpenBSD: PROTOCOL.chacha20poly1305,v 1.2 2013/12/02 02:50:27 djm Exp $
$OpenBSD: PROTOCOL.chacha20poly1305,v 1.3 2016/05/03 13:10:24 djm Exp $

3
README
View File

@ -1,5 +1,4 @@
See http://www.openssh.com/txt/release-7.1 for the release notes.
See https://github.com/PowerShell/Win32-OpenSSH/wiki for build/deployment information
See http://www.openssh.com/txt/release-7.3p1 for the release notes.
Please read http://www.openssh.com/report.html for bug reporting
instructions and note that we do not use Github for bug reporting or

13
README.md
View File

@ -1,13 +0,0 @@
# OpenSSH
Win32 port of OpenSSH
See the [wiki](https://github.com/PowerShell/Win32-OpenSSH/wiki) for installation instructions and help
[First release announcement](http://blogs.msdn.com/b/powershell/archive/2015/10/19/openssh-for-windows-update.aspx
)
### Chocolatey
[![](http://img.shields.io/chocolatey/dt/win32-openssh.svg)](https://chocolatey.org/packages/win32-openssh) [![](http://img.shields.io/chocolatey/v/win32-openssh.svg)](https://chocolatey.org/packages/win32-openssh)

3
README.platform
View File

@ -36,6 +36,9 @@ loginrestrictions() function, in particular that the user has the
"rlogin" attribute set. This check is not done for the root account,
instead the PermitRootLogin setting in sshd_config is used.
If you are using the IBM compiler you probably want to use CC=xlc rather
than the default of cc.
Cygwin
------

180
README.win32
View File

@ -1,180 +0,0 @@
README.win32
openssh-5.9p1-win32-3
- Added the INSTALL.win32 to the package. It provides installation
instructions for the OpenSSH win32 port.
openssh-5.9p1-win32-2
- Adjusted sources to compile with mingw-gcc 4.7.
openssh-5.9p1-win32-1
Implemented:
- Ported statvfs and fstatvfs extensions in sftp-server on
Windows.
- Added support for Windows domain accounts.
- Added support for network logon if interactive one failed on Windows.
- Implemented Kerberos authentication using MIT/Kerberos and native
SSPI/Kerberos.
- Disabled stdin echo while reading password on Windows.
- sshd doesn't need lsa, when target user is owner of sshd
process on Windows.
- integrated ssh-lsa with openssh tree.
Bug fixes:
- Fixed resource leaks in sshd on Windows.
- Fixed possible hang up in ssh on Windows.
- Fixed clean up of Winsta0 DACL on server side.
- Added 'PamLibrary' option to sshd_config. This option changes
default path to libpam.so. if no specified default path is used.
- Ported -oAuthorizedKeysFile to Windows.
- Fixed path expanding under SYSTEM account on Windows.
- Fixed block issue when the same socket used for stdin and stdout in
sftp-server on Windows.
- Fixed possible heap corruption on file copying in sftp-server.
- Fixed possible connection drop, when copying big files in
sftp-server on Windows.
- Removed one redundant code page conversion in sftp-server on Windows.
- Fixed access to root directory in sftp-server on Windows.
- Fixed wrong exit code in SERVICE_CONTROL_STOP handler on Windows.
- Changed encoding local characters while formatting error messages on
Windows.
- Speeded up retreving HANDLE's type, when socket used on Windows.
- Set stdout to binary mode as default if pipe is used in ssh on
Windows.
openssh-5.9p1-win32
- Updated to OpenSSH version 5.9p1.
- The openSSH SFTP client has been ported to Win 32.
openssh-4.7p1-win32-1
- The following tools have been ported to Win32: ssh-agent, ssh-add,
sftp-server program and ssh-keygen. All the basic functionalities
related to the creation of the key-pairs are fully supported. The
managing of the known_hosts file is missing.
- Added support to SSH client for MIT Kerberos for Windows and for
authorization based on smartcard devices.
- Updated SSH server to support login also when the account doesn't
have administrative privileges.
- Added support for native RSA/DSA key authorization via ssh-lsa.
Installing this tool requires administrative privileges and
a reboot of the machine.
- The ProxyCommand option is now supported on Win32.
- Added support for installing SSHD as a service by means of sc.exe
command line tool for Windows. Since command line parameters are not
passed to the SSHD process, a default sshd_config file is searched
in the following locations: in the installation directory where
sshd.exe is located (e.g. C:\sshd); the directory 'etc' under
the installation directory (e.g. C:\sshd\etc), and the directory 'etc'
in the installation directory (e.g C:\etc).
- Improved SSH server to be fully operative on Windows Vista. SSHD can
work on Windows XP without SP1.
- Improved logging facilities of SSHD: now all instances of the SSH
server log to the same file and SSHD creates a minidump file if a
crash occurs.
- Solved problem with processes that may be left running when the SSHD
service is stopped or after an abnormal closure of the SSH session.
- Fixed some memory leaks.
- Fixed possible crashes of SSHD when a great number of connections is
established.
- Fixed possible hanging of the SSHD service that may occurr when the
SSH session is closing and when reading a passphrase.
- Fixed logging behavior of SSH client. Now when the client is run in
debug mode, output of packet dumps can be redirected to a file.
Solved other issues occurring when packet dumps when standard error
is redirected.
- Fixed a problem related to the inheritance of handles in SSHD.
- Fixed a bug in the session_get() function causing a segmentation
fault of SSHD.
- Fixed the closure of startup pipes. This solves a problem which was
limiting the number of sessions to 10.
- Fixed a problem causing a delay in establishing the connection when
SSHD is started as a Win32 service. Speeded-up login.
- Disabled the privilege separation on Win32.
- Solved issues preventing the correct detection of home directory
either on Windows 7 and when the user domain is set to NULL.
- Fixed a segmentation fault of SSHD on Windows 7 at 64bit.
- Added the setting of the USERPROFILE variable to the value detected
just after a successful login.
openssh-5.4p1-win32
- Updated to OpenSSH version 5.4p1.
openssh-4.7p1-win32
- Added the Win32 compat layer.
- The Win32 layer provides support for: User identity and password
management functions like getuid(),setuid(),getpw*() and others;
string management functions like strcasecmp(), strncasecmp() and
other functions such as gettimeofday() and gethomedir(); management
of file descriptors, file handlers and sockets in an unified way;
file descriptor and sockets functions such as fstat(), fdopen(),
open(), dup(),dup2(), pipe(),create(),shutdown(),accept(),read(),
write(),close(), socket(), setsockopt(),getsockopt(), getpeername(),
getsockname(), ioctlsocket(), listen(),bind(),connect(), and others;
the select() function which can work on sockets, files, pipes and
console handlers; Windows users authentication.
- Introduced some changes to the OpenSSH code for: supporting the
CreateProcess() function replacing fork() and allowing compilation
on Win32 platform.
- Open Issues: SSHD cannot be installed as a Windows service by means
of Win32 administrative tools; if SSHD is running as a Windows
service, it requires that property 'Allow service to interact with
desktop' is set; to allow the connecting user to be authenticated by
SSHD, it is necessary that the user belongs to the 'Administrators'
group; if the connecting user has been authorized with public key
authentication, the GetUserName() function always returns 'SYSTEM'
instead of the username; possible crashes may occur during autho-
rization phase when SSHD is running on Vista; port of the ssh-keygen
tool is not available in this version.

97
aclocal.m4 vendored
View File

@ -1,4 +1,4 @@
dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $
dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $
dnl
dnl OpenSSH-specific autoconf macros
dnl
@ -8,19 +8,104 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
dnl 'check_flag'.
AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
AC_MSG_CHECKING([if $CC supports $1])
AC_MSG_CHECKING([if $CC supports compile flag $1])
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $1"
CFLAGS="$CFLAGS $WERROR $1"
_define_flag="$2"
test "x$_define_flag" = "x" && _define_flag="$1"
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
[ AC_MSG_RESULT([yes])
CFLAGS="$saved_CFLAGS $_define_flag"],
AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv) {
/* Some math to catch -ftrapv problems in the toolchain */
int i = 123 * argc, j = 456 + argc, k = 789 - argc;
float l = i * 2.1;
double m = l / 0.5;
long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
exit(0);
}
]])],
[
if `grep -i "unrecognized option" conftest.err >/dev/null`
then
AC_MSG_RESULT([no])
CFLAGS="$saved_CFLAGS"
else
AC_MSG_RESULT([yes])
CFLAGS="$saved_CFLAGS $_define_flag"
fi],
[ AC_MSG_RESULT([no])
CFLAGS="$saved_CFLAGS" ]
)
}])
dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
dnl 'check_flag'.
AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS $WERROR $1"
_define_flag="$2"
test "x$_define_flag" = "x" && _define_flag="$1"
AC_LINK_IFELSE([AC_LANG_SOURCE([[
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv) {
/* Some math to catch -ftrapv problems in the toolchain */
int i = 123 * argc, j = 456 + argc, k = 789 - argc;
float l = i * 2.1;
double m = l / 0.5;
long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
exit(0);
}
]])],
[
if `grep -i "unrecognized option" conftest.err >/dev/null`
then
AC_MSG_RESULT([no])
CFLAGS="$saved_CFLAGS"
else
AC_MSG_RESULT([yes])
CFLAGS="$saved_CFLAGS $_define_flag"
fi],
[ AC_MSG_RESULT([no])
CFLAGS="$saved_CFLAGS" ]
)
}])
dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag])
dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
dnl 'check_flag'.
AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
AC_MSG_CHECKING([if $LD supports link flag $1])
saved_LDFLAGS="$LDFLAGS"
LDFLAGS="$LDFLAGS $WERROR $1"
_define_flag="$2"
test "x$_define_flag" = "x" && _define_flag="$1"
AC_LINK_IFELSE([AC_LANG_SOURCE([[
#include <stdlib.h>
#include <stdio.h>
int main(int argc, char **argv) {
/* Some math to catch -ftrapv problems in the toolchain */
int i = 123 * argc, j = 456 + argc, k = 789 - argc;
float l = i * 2.1;
double m = l / 0.5;
long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
exit(0);
}
]])],
[ AC_MSG_RESULT([yes])
LDFLAGS="$saved_LDFLAGS $_define_flag"],
[ AC_MSG_RESULT([no])
LDFLAGS="$saved_LDFLAGS" ]
)
}])
dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
dnl Does AC_EGREP_HEADER on 'header' for the string 'field'

267
acss.c
View File

@ -1,267 +0,0 @@
/* $Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */
/*
* Copyright (c) 2004 The OpenBSD project
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#include <string.h>
#include <openssl/evp.h>
#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
#include "acss.h"
/* decryption sbox */
static unsigned char sboxdec[] = {
0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
};
/* encryption sbox */
static unsigned char sboxenc[] = {
0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75,
0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b,
0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21,
0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f,
0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5,
0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab,
0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0,
0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2,
0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74,
0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76,
0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20,
0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22,
0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4,
0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6,
0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1,
0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf,
0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25,
0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b,
0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71,
0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f,
0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5,
0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb,
0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0,
0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2,
0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24,
0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26,
0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70,
0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72,
0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4,
0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6,
0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1,
0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff
};
static unsigned char reverse[] = {
0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
};
/*
* Two linear feedback shift registers are used:
*
* lfsr17: polynomial of degree 17, primitive modulo 2 (listed in Schneier)
* x^15 + x + 1
* lfsr25: polynomial of degree 25, not know if primitive modulo 2
* x^13 + x^5 + x^4 + x^1 + 1
*
* Output bits are discarded, instead the feedback bits are added to produce
* the cipher stream. Depending on the mode, feedback bytes may be inverted
* bit-wise before addition.
*
* The lfsrs are seeded with bytes from the raw key:
*
* lfsr17: byte 0[0:7] at bit 9
* byte 1[0:7] at bit 0
*
* lfsr25: byte 2[0:4] at bit 16
* byte 2[5:7] at bit 22
* byte 3[0:7] at bit 8
* byte 4[0:7] at bit 0
*
* To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in
* lfsr25.
*
*/
int
acss(ACSS_KEY *key, unsigned long len, const unsigned char *in,
unsigned char *out)
{
unsigned long i;
unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp;
lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0;
/* keystream is sum of lfsrs */
for (i = 0; i < len; i++) {
lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14);
key->lfsr17 = (key->lfsr17 >> 8)
^ (lfsr17tmp << 9)
^ (lfsr17tmp << 12)
^ (lfsr17tmp << 15);
key->lfsr17 &= 0x1ffff; /* 17 bit LFSR */
lfsr25tmp = key->lfsr25
^ (key->lfsr25 >> 3)
^ (key->lfsr25 >> 4)
^ (key->lfsr25 >> 12);
key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17);
key->lfsr25 &= 0x1ffffff; /* 25 bit LFSR */
lfsrsumtmp = key->lfsrsum;
/* addition */
switch (key->mode) {
case ACSS_AUTHENTICATE:
case ACSS_DATA:
key->lfsrsum = 0xff & ~(key->lfsr17 >> 9);
key->lfsrsum += key->lfsr25 >> 17;
break;
case ACSS_SESSIONKEY:
key->lfsrsum = key->lfsr17 >> 9;
key->lfsrsum += key->lfsr25 >> 17;
break;
case ACSS_TITLEKEY:
key->lfsrsum = key->lfsr17 >> 9;
key->lfsrsum += 0xff & ~(key->lfsr25 >> 17);
break;
default:
return 1;
}
key->lfsrsum += (lfsrsumtmp >> 8);
if (key->encrypt) {
out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff];
} else {
out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff;
}
}
return 0;
}
static void
acss_seed(ACSS_KEY *key)
{
int i;
/* if available, mangle with subkey */
if (key->subkey_avilable) {
for (i = 0; i < ACSS_KEYSIZE; i++)
key->seed[i] = reverse[key->data[i] ^ key->subkey[i]];
} else {
for (i = 0; i < ACSS_KEYSIZE; i++)
key->seed[i] = reverse[key->data[i]];
}
/* seed lfsrs */
key->lfsr17 = key->seed[1]
| (key->seed[0] << 9)
| (1 << 8); /* inject 1 at bit 9 */
key->lfsr25 = key->seed[4]
| (key->seed[3] << 8)
| ((key->seed[2] & 0x1f) << 16)
| ((key->seed[2] & 0xe0) << 17)
| (1 << 21); /* inject 1 at bit 22 */
key->lfsrsum = 0;
}
void
acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode)
{
memcpy(key->data, data, sizeof(key->data));
memset(key->subkey, 0, sizeof(key->subkey));
if (enc != -1)
key->encrypt = enc;
key->mode = mode;
key->subkey_avilable = 0;
acss_seed(key);
}
void
acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey)
{
memcpy(key->subkey, subkey, sizeof(key->subkey));
key->subkey_avilable = 1;
acss_seed(key);
}
#endif

47
acss.h
View File

@ -1,47 +0,0 @@
/* $Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
/*
* Copyright (c) 2004 The OpenBSD project
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef _ACSS_H_
#define _ACSS_H_
/* 40bit key */
#define ACSS_KEYSIZE 5
/* modes of acss */
#define ACSS_AUTHENTICATE 0
#define ACSS_SESSIONKEY 1
#define ACSS_TITLEKEY 2
#define ACSS_DATA 3
typedef struct acss_key_st {
unsigned int lfsr17; /* current state of lfsrs */
unsigned int lfsr25;
unsigned int lfsrsum;
unsigned char seed[ACSS_KEYSIZE];
unsigned char data[ACSS_KEYSIZE];
unsigned char subkey[ACSS_KEYSIZE];
int encrypt; /* XXX make these bit flags? */
int mode;
int seeded;
int subkey_avilable;
} ACSS_KEY;
void acss_setkey(ACSS_KEY *, const unsigned char *, int, int);
void acss_setsubkey(ACSS_KEY *, const unsigned char *);
int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *);
#endif /* ifndef _ACSS_H_ */

42
appveyor.yml Normal file
View File

@ -0,0 +1,42 @@
version: 0.0.4.0.{build}
image: Visual Studio 2015
branches:
only:
- V_7_3w
init:
- ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
build_script:
- ps: |
Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
Invoke-AppVeyorBuild
after_build:
- ps: |
Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
Install-OpenSSH
- ps: Write-Verbose "Restart computer ..."
- ps: Restart-Computer -ComputerName localhost -Force
- ps: Start-Sleep -s 5 # Needs to be proceeded with -ps: as it's interpreted by AppVeyor
- ps: Write-Verbose "Restart computer completed"
before_test:
- ps: |
Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
Install-TestDependencies
test_script:
- cmd: |
"%ProgramFiles%\PowerShell\6.0.0.12\powershell.exe" -Command "Import-Module \"%APPVEYOR_BUILD_FOLDER%\contrib\win32\openssh\AppVeyor.psm1\";Run-OpenSSHTests"
after_test:
- ps: |
Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
Upload-OpenSSHTestResults
on_finish:
- ps: |
Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
Publish-Artifact

2
atomicio.c
View File

@ -54,7 +54,7 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
{
char *s = _s;
size_t pos = 0;
int res;
ssize_t res;
struct pollfd pfd;
#ifndef BROKEN_READ_COMPARISON

1
audit-bsm.c
View File

@ -35,7 +35,6 @@
/* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */
#include "includes.h"
#if defined(USE_BSM_AUDIT)
#include <sys/types.h>

28
audit-linux.c
View File

@ -36,17 +36,17 @@
#include "log.h"
#include "audit.h"
#include "canohost.h"
#include "packet.h"
const char* audit_username(void);
const char *audit_username(void);
int
linux_audit_record_event(int uid, const char *username,
const char *hostname, const char *ip, const char *ttyn, int success)
linux_audit_record_event(int uid, const char *username, const char *hostname,
const char *ip, const char *ttyn, int success)
{
int audit_fd, rc, saved_errno;
audit_fd = audit_open();
if (audit_fd < 0) {
if ((audit_fd = audit_open()) < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
errno == EAFNOSUPPORT)
return 1; /* No audit support in kernel */
@ -58,6 +58,7 @@ linux_audit_record_event(int uid, const char *username,
username == NULL ? uid : -1, hostname, ip, ttyn, success);
saved_errno = errno;
close(audit_fd);
/*
* Do not report error if the error is EPERM and sshd is run as non
* root user.
@ -65,7 +66,8 @@ linux_audit_record_event(int uid, const char *username,
if ((rc == -EPERM) && (geteuid() != 0))
rc = 0;
errno = saved_errno;
return (rc >= 0);
return rc >= 0;
}
/* Below is the sshd audit API code */
@ -73,8 +75,8 @@ linux_audit_record_event(int uid, const char *username,
void
audit_connection_from(const char *host, int port)
{
}
/* not implemented */
}
void
audit_run_command(const char *command)
@ -85,8 +87,8 @@ audit_run_command(const char *command)
void
audit_session_open(struct logininfo *li)
{
if (linux_audit_record_event(li->uid, NULL, li->hostname,
NULL, li->line, 1) == 0)
if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
li->line, 1) == 0)
fatal("linux_audit_write_entry failed: %s", strerror(errno));
}
@ -99,6 +101,8 @@ audit_session_close(struct logininfo *li)
void
audit_event(ssh_audit_event_t event)
{
struct ssh *ssh = active_state; /* XXX */
switch(event) {
case SSH_AUTH_SUCCESS:
case SSH_CONNECTION_CLOSE:
@ -106,7 +110,6 @@ audit_event(ssh_audit_event_t event)
case SSH_LOGIN_EXCEED_MAXTRIES:
case SSH_LOGIN_ROOT_DENIED:
break;
case SSH_AUTH_FAIL_NONE:
case SSH_AUTH_FAIL_PASSWD:
case SSH_AUTH_FAIL_KBDINT:
@ -115,12 +118,11 @@ audit_event(ssh_audit_event_t event)
case SSH_AUTH_FAIL_GSSAPI:
case SSH_INVALID_USER:
linux_audit_record_event(-1, audit_username(), NULL,
get_remote_ipaddr(), "sshd", 0);
ssh_remote_ipaddr(ssh), "sshd", 0);
break;
default:
debug("%s: unhandled event %d", __func__, event);
break;
}
}
#endif /* USE_LINUX_AUDIT */

12
auth-bsdauth.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */
/* $OpenBSD: auth-bsdauth.c,v 1.14 2015/10/20 23:24:25 mmcc Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
*
@ -24,14 +24,6 @@
*/
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
#include <stdarg.h>
@ -111,7 +103,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
if (!authctxt->valid)
return -1;
if (authctxt->as == 0)
if (authctxt->as == NULL)
error("bsdauth_respond: no bsd auth session");
if (numresponses != 1)

14
auth-krb5.c
View File

@ -1,8 +1,8 @@
/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
/* $OpenBSD: auth-krb5.c,v 1.22 2016/05/04 14:22:33 markus Exp $ */
/*
* Kerberos v5 authentication and ticket-passing routines.
*
* $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
* From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
*/
/*
* Copyright (c) 2002 Daniel Kouril. All rights reserved.
@ -30,22 +30,12 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
#include <pwd.h>
#include <stdarg.h>
#include "xmalloc.h"
#include "ssh.h"
#include "ssh1.h"
#include "packet.h"
#include "log.h"
#include "buffer.h"

121
auth-options.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
/* $OpenBSD: auth-options.c,v 1.71 2016/03/07 19:02:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -12,15 +12,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
#include <netdb.h>
@ -38,6 +29,7 @@
#include "ssherr.h"
#include "log.h"
#include "canohost.h"
#include "packet.h"
#include "sshbuf.h"
#include "misc.h"
#include "channels.h"
@ -84,18 +76,44 @@ auth_clear_options(void)
free(ce->s);
free(ce);
}
if (forced_command) {
free(forced_command);
forced_command = NULL;
}
if (authorized_principals) {
free(authorized_principals);
authorized_principals = NULL;
}
forced_tun_device = -1;
channel_clear_permitted_opens();
}
/*
* Match flag 'opt' in *optsp, and if allow_negate is set then also match
* 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
* if negated option matches.
* If the option or negated option matches, then *optsp is updated to
* point to the first character after the option and, if 'msg' is not NULL
* then a message based on it added via auth_debug_add().
*/
static int
match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
{
size_t opt_len = strlen(opt);
char *opts = *optsp;
int negate = 0;
if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
opts += 3;
negate = 1;
}
if (strncasecmp(opts, opt, opt_len) == 0) {
*optsp = opts + opt_len;
if (msg != NULL) {
auth_debug_add("%s %s.", msg,
negate ? "disabled" : "enabled");
}
return negate ? 0 : 1;
}
return -1;
}
/*
* return 1 if access is granted, 0 if not.
* side effect: sets key option flags
@ -103,8 +121,9 @@ auth_clear_options(void)
int
auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
{
struct ssh *ssh = active_state; /* XXX */
const char *cp;
int i;
int i, r;
/* reset options */
auth_clear_options();
@ -113,51 +132,47 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
return 1;
while (*opts && *opts != ' ' && *opts != '\t') {
cp = "cert-authority";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
key_is_cert_authority = 1;
opts += strlen(cp);
if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
key_is_cert_authority = r;
goto next_option;
}
cp = "no-port-forwarding";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
auth_debug_add("Port forwarding disabled.");
if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
auth_debug_add("Key is restricted.");
no_port_forwarding_flag = 1;
opts += strlen(cp);
goto next_option;
}
cp = "no-agent-forwarding";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
auth_debug_add("Agent forwarding disabled.");
no_agent_forwarding_flag = 1;
opts += strlen(cp);
goto next_option;
}
cp = "no-X11-forwarding";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
auth_debug_add("X11 forwarding disabled.");
no_x11_forwarding_flag = 1;
opts += strlen(cp);
goto next_option;
}
cp = "no-pty";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
auth_debug_add("Pty allocation disabled.");
no_pty_flag = 1;
opts += strlen(cp);
no_user_rc = 1;
goto next_option;
}
cp = "no-user-rc";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
auth_debug_add("User rc file execution disabled.");
no_user_rc = 1;
opts += strlen(cp);
if ((r = match_flag("port-forwarding", 1, &opts,
"Port forwarding")) != -1) {
no_port_forwarding_flag = r != 1;
goto next_option;
}
if ((r = match_flag("agent-forwarding", 1, &opts,
"Agent forwarding")) != -1) {
no_agent_forwarding_flag = r != 1;
goto next_option;
}
if ((r = match_flag("x11-forwarding", 1, &opts,
"X11 forwarding")) != -1) {
no_x11_forwarding_flag = r != 1;
goto next_option;
}
if ((r = match_flag("pty", 1, &opts,
"PTY allocation")) != -1) {
no_pty_flag = r != 1;
goto next_option;
}
if ((r = match_flag("user-rc", 1, &opts,
"User rc execution")) != -1) {
no_user_rc = r != 1;
goto next_option;
}
cp = "command=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
if (forced_command != NULL)
free(forced_command);
forced_command = xmalloc(strlen(opts) + 1);
i = 0;
@ -188,7 +203,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
cp = "principals=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
if (authorized_principals != NULL)
free(authorized_principals);
authorized_principals = xmalloc(strlen(opts) + 1);
i = 0;
@ -261,9 +275,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
}
cp = "from=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
const char *remote_ip = get_remote_ipaddr();
const char *remote_host = get_canonical_hostname(
options.use_dns);
const char *remote_ip = ssh_remote_ipaddr(ssh);
const char *remote_host = auth_get_canonical_hostname(
ssh, options.use_dns);
char *patterns = xmalloc(strlen(opts) + 1);
opts += strlen(cp);
@ -445,6 +459,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
char **cert_forced_command,
int *cert_source_address_done)
{
struct ssh *ssh = active_state; /* XXX */
char *command, *allowed;
const char *remote_ip;
char *name = NULL;
@ -518,7 +533,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
free(allowed);
goto out;
}
remote_ip = get_remote_ipaddr();
remote_ip = ssh_remote_ipaddr(ssh);
result = addr_match_cidr_list(remote_ip,
allowed);
free(allowed);
@ -575,7 +590,6 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
free(*cert_forced_command);
*cert_forced_command = NULL;
}
if (name != NULL)
free(name);
sshbuf_free(data);
sshbuf_free(c);
@ -620,7 +634,6 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
no_user_rc |= cert_no_user_rc;
/* CA-specified forced command supersedes key option */
if (cert_forced_command != NULL) {
if (forced_command != NULL)
free(forced_command);
forced_command = cert_forced_command;
}

116
auth-pam.c
View File

@ -45,16 +45,9 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
/* Based on FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des */
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include "includes.h"
#include <sys/types.h>
#include <sys/stat.h>
@ -75,9 +68,9 @@
/* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
#ifdef PAM_SUN_CODEBASE
# define sshpam_const /* Solaris, HP-UX, AIX */
# define sshpam_const /* Solaris, HP-UX, SunOS */
#else
# define sshpam_const const /* LinuxPAM, OpenPAM */
# define sshpam_const const /* LinuxPAM, OpenPAM, AIX */
#endif
/* Ambiguity in spec: is it an array of pointers or a pointer to an array? */
@ -161,9 +154,12 @@ sshpam_sigchld_handler(int sig)
<= 0) {
/* PAM thread has not exitted, privsep slave must have */
kill(cleanup_ctxt->pam_thread, SIGTERM);
if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
<= 0)
return; /* could not wait */
while (waitpid(cleanup_ctxt->pam_thread,
&sshpam_thread_status, 0) == -1) {
if (errno == EINTR)
continue;
return;
}
}
if (WIFSIGNALED(sshpam_thread_status) &&
WTERMSIG(sshpam_thread_status) == SIGTERM)
@ -224,7 +220,11 @@ pthread_join(sp_pthread_t thread, void **value)
if (sshpam_thread_status != -1)
return (sshpam_thread_status);
signal(SIGCHLD, sshpam_oldsig);
waitpid(thread, &status, 0);
while (waitpid(thread, &status, 0) == -1) {
if (errno == EINTR)
continue;
fatal("%s: waitpid: %s", __func__, strerror(errno));
}
return (status);
}
#endif
@ -236,10 +236,10 @@ static int sshpam_authenticated = 0;
static int sshpam_session_open = 0;
static int sshpam_cred_established = 0;
static int sshpam_account_status = -1;
static int sshpam_maxtries_reached = 0;
static char **sshpam_env = NULL;
static Authctxt *sshpam_authctxt = NULL;
static const char *sshpam_password = NULL;
static char badpw[] = "\b\n\r\177INCORRECT";
/* Some PAM implementations don't implement this */
#ifndef HAVE_PAM_GETENVLIST
@ -372,17 +372,6 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
for (i = 0; i < n; ++i) {
switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
case PAM_PROMPT_ECHO_OFF:
buffer_put_cstring(&buffer,
PAM_MSG_MEMBER(msg, i, msg));
if (ssh_msg_send(ctxt->pam_csock,
PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
goto fail;
if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
goto fail;
if (buffer_get_char(&buffer) != PAM_AUTHTOK)
goto fail;
reply[i].resp = buffer_get_string(&buffer, NULL);
break;
case PAM_PROMPT_ECHO_ON:
buffer_put_cstring(&buffer,
PAM_MSG_MEMBER(msg, i, msg));
@ -396,12 +385,6 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
reply[i].resp = buffer_get_string(&buffer, NULL);
break;
case PAM_ERROR_MSG:
buffer_put_cstring(&buffer,
PAM_MSG_MEMBER(msg, i, msg));
if (ssh_msg_send(ctxt->pam_csock,
PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
goto fail;
break;
case PAM_TEXT_INFO:
buffer_put_cstring(&buffer,
PAM_MSG_MEMBER(msg, i, msg));
@ -475,6 +458,8 @@ sshpam_thread(void *ctxtp)
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
sshpam_err = pam_authenticate(sshpam_handle, flags);
if (sshpam_err == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
@ -526,6 +511,8 @@ sshpam_thread(void *ctxtp)
/* XXX - can't do much about an error here */
if (sshpam_err == PAM_ACCT_EXPIRED)
ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
else if (sshpam_maxtries_reached)
ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
else
ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
buffer_free(&buffer);
@ -631,6 +618,7 @@ sshpam_init(Authctxt *authctxt)
extern char *__progname;
const char *pam_rhost, *pam_user, *user = authctxt->user;
const char **ptr_pam_user = &pam_user;
struct ssh *ssh = active_state; /* XXX */
if (sshpam_handle != NULL) {
/* We already have a PAM context; check if the user matches */
@ -651,7 +639,7 @@ sshpam_init(Authctxt *authctxt)
sshpam_handle = NULL;
return (-1);
}
pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns);
debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
if (sshpam_err != PAM_SUCCESS) {
@ -722,6 +710,7 @@ static int
sshpam_query(void *ctx, char **name, char **info,
u_int *num, char ***prompts, u_int **echo_on)
{
struct ssh *ssh = active_state; /* XXX */
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
size_t plen;
@ -764,7 +753,11 @@ sshpam_query(void *ctx, char **name, char **info,
free(msg);
break;
case PAM_ACCT_EXPIRED:
case PAM_MAXTRIES:
if (type == PAM_ACCT_EXPIRED)
sshpam_account_status = 0;
if (type == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
/* FALLTHROUGH */
case PAM_AUTH_ERR:
debug3("PAM: %s", pam_strerror(sshpam_handle, type));
@ -804,7 +797,7 @@ sshpam_query(void *ctx, char **name, char **info,
error("PAM: %s for %s%.100s from %.100s", msg,
sshpam_authctxt->valid ? "" : "illegal user ",
sshpam_authctxt->user,
get_remote_name_or_ip(utmp_len, options.use_dns));
auth_get_canonical_hostname(ssh, options.use_dns));
/* FALLTHROUGH */
default:
*num = 0;
@ -817,12 +810,35 @@ sshpam_query(void *ctx, char **name, char **info,
return (-1);
}
/*
* Returns a junk password of identical length to that the user supplied.
* Used to mitigate timing attacks against crypt(3)/PAM stacks that
* vary processing time in proportion to password length.
*/
static char *
fake_password(const char *wire_password)
{
const char junk[] = "\b\n\r\177INCORRECT";
char *ret = NULL;
size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
if (l >= INT_MAX)
fatal("%s: password length too long: %zu", __func__, l);
ret = malloc(l + 1);
for (i = 0; i < l; i++)
ret[i] = junk[i % (sizeof(junk) - 1)];
ret[i] = '\0';
return ret;
}
/* XXX - see also comment in auth-chall.c:verify_response */
static int
sshpam_respond(void *ctx, u_int num, char **resp)
{
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
char *fake;
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
@ -843,8 +859,11 @@ sshpam_respond(void *ctx, u_int num, char **resp)
(sshpam_authctxt->pw->pw_uid != 0 ||
options.permit_root_login == PERMIT_YES))
buffer_put_cstring(&buffer, *resp);
else
buffer_put_cstring(&buffer, badpw);
else {
fake = fake_password(*resp);
buffer_put_cstring(&buffer, fake);
free(fake);
}
if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
buffer_free(&buffer);
return (-1);
@ -1188,6 +1207,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
{
int flags = (options.permit_empty_passwd == 0 ?
PAM_DISALLOW_NULL_AUTHTOK : 0);
char *fake = NULL;
if (!options.use_pam || sshpam_handle == NULL)
fatal("PAM: %s called when PAM disabled or failed to "
@ -1203,7 +1223,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
*/
if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
options.permit_root_login != PERMIT_YES))
sshpam_password = badpw;
sshpam_password = fake = fake_password(password);
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&passwd_conv);
@ -1213,6 +1233,9 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
sshpam_err = pam_authenticate(sshpam_handle, flags);
sshpam_password = NULL;
free(fake);
if (sshpam_err == PAM_MAXTRIES)
sshpam_set_maxtries_reached(1);
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);
@ -1224,4 +1247,21 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
return 0;
}
}
int
sshpam_get_maxtries_reached(void)
{
return sshpam_maxtries_reached;
}
void
sshpam_set_maxtries_reached(int reached)
{
if (reached == 0 || sshpam_maxtries_reached)
return;
sshpam_maxtries_reached = 1;
options.password_authentication = 0;
options.kbd_interactive_authentication = 0;
options.challenge_response_authentication = 0;
}
#endif /* USE_PAM */

2
auth-pam.h
View File

@ -45,6 +45,8 @@ void free_pam_environment(char **);
void sshpam_thread_cleanup(void);
void sshpam_cleanup(void);
int sshpam_auth_passwd(Authctxt *, const char *);
int sshpam_get_maxtries_reached(void);
void sshpam_set_maxtries_reached(int);
int is_pam_session_open(void);
#endif /* USE_PAM */

35
auth-passwd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -37,18 +37,6 @@
*/
#include "includes.h"
#ifdef WIN32_FIXME
#include "xmalloc.h"
#endif
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
@ -78,6 +66,8 @@ extern login_cap_t *lc;
#define DAY (24L * 60 * 60) /* 1 day in seconds */
#define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */
#define MAX_PASSWORD_LEN 1024
void
disable_forwarding(void)
{
@ -99,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password)
static int expire_checked = 0;
#endif
if (strlen(password) > MAX_PASSWORD_LEN)
return 0;
#ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
ok = 0;
@ -201,7 +194,9 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
}
}
#elif defined(WIN32_FIXME)
#endif
#ifdef WINDOWS
extern int auth_sock;
int sys_auth_passwd(Authctxt *authctxt, const char *password)
{
@ -246,7 +241,7 @@ int
sys_auth_passwd(Authctxt *authctxt, const char *password)
{
struct passwd *pw = authctxt->pw;
char *encrypted_password;
char *encrypted_password, *salt = NULL;
/* Just use the supplied fake password if authctxt is invalid */
char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
@ -255,9 +250,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
return (1);
/* Encrypt the candidate password using the proper salt. */
encrypted_password = xcrypt(password,
(pw_password[0] && pw_password[1]) ? pw_password : "xx");
/*
* Encrypt the candidate password using the proper salt, or pass a
* NULL and let xcrypt pick one.
*/
if (authctxt->valid && pw_password[0] && pw_password[1])
salt = pw_password;
encrypted_password = xcrypt(password, salt);
/*
* Authentication is accepted if the encrypted passwords

16
auth-rh-rsa.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-rh-rsa.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
/* $OpenBSD: auth-rh-rsa.c,v 1.45 2016/03/07 19:02:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -15,11 +15,6 @@
#include "includes.h"
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#ifdef WITH_SSH1
#include <sys/types.h>
@ -47,8 +42,8 @@
extern ServerOptions options;
int
auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
Key *client_host_key)
auth_rhosts_rsa_key_allowed(struct passwd *pw, const char *cuser,
const char *chost, Key *client_host_key)
{
HostStatus host_status;
@ -73,7 +68,8 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
int
auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
{
char *chost;
struct ssh *ssh = active_state; /* XXX */
const char *chost;
struct passwd *pw = authctxt->pw;
debug("Trying rhosts with RSA host authentication for client user %.100s",
@ -83,7 +79,7 @@ auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
client_host_key->rsa == NULL)
return 0;
chost = (char *)get_canonical_hostname(options.use_dns);
chost = auth_get_canonical_hostname(ssh, options.use_dns);
debug("Rhosts RSA authentication: canonical host %.900s", chost);
if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {

21
auth-rhosts.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth-rhosts.c,v 1.46 2014/12/23 22:42:48 djm Exp $ */
/* $OpenBSD: auth-rhosts.c,v 1.47 2016/03/07 19:02:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -16,15 +16,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
#include <sys/stat.h>
@ -39,14 +30,15 @@
#include <unistd.h>
#include "packet.h"
#include "buffer.h"
#include "uidswap.h"
#include "pathnames.h"
#include "log.h"
#include "misc.h"
#include "buffer.h" /* XXX */
#include "key.h" /* XXX */
#include "servconf.h"
#include "canohost.h"
#include "key.h"
#include "sshkey.h"
#include "hostfile.h"
#include "auth.h"
@ -203,10 +195,11 @@ check_rhosts_file(const char *filename, const char *hostname,
int
auth_rhosts(struct passwd *pw, const char *client_user)
{
struct ssh *ssh = active_state; /* XXX */
const char *hostname, *ipaddr;
hostname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
hostname = auth_get_canonical_hostname(ssh, options.use_dns);
ipaddr = ssh_remote_ipaddr(ssh);
return auth_rhosts2(pw, client_user, hostname, ipaddr);
}

9
auth-rsa.c
View File

@ -16,15 +16,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#ifdef WITH_SSH1
#include <sys/types.h>

9
auth-skey.c
View File

@ -25,15 +25,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#ifdef SKEY
#include <sys/types.h>

152
auth.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */
/* $OpenBSD: auth.c,v 1.115 2016/06/15 00:40:40 dtucker Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -27,6 +27,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
@ -50,6 +51,7 @@
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <netdb.h>
#include "xmalloc.h"
#include "match.h"
@ -97,6 +99,7 @@ int auth_debug_init;
int
allowed_user(struct passwd * pw)
{
struct ssh *ssh = active_state; /* XXX */
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
u_int i;
@ -184,8 +187,8 @@ allowed_user(struct passwd * pw)
if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
options.num_deny_groups > 0 || options.num_allow_groups > 0) {
hostname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
hostname = auth_get_canonical_hostname(ssh, options.use_dns);
ipaddr = ssh_remote_ipaddr(ssh);
}
/* Return false if user is listed in DenyUsers */
@ -276,6 +279,7 @@ void
auth_log(Authctxt *authctxt, int authenticated, int partial,
const char *method, const char *submethod)
{
struct ssh *ssh = active_state; /* XXX */
void (*authlog) (const char *fmt,...) = verbose;
char *authmsg;
@ -302,8 +306,8 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
authctxt->valid ? "" : "invalid user ",
authctxt->user,
get_remote_ipaddr(),
get_remote_port(),
ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh),
compat20 ? "ssh2" : "ssh1",
authctxt->info != NULL ? ": " : "",
authctxt->info != NULL ? authctxt->info : "");
@ -316,11 +320,12 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
strncmp(method, "keyboard-interactive", 20) == 0 ||
strcmp(method, "challenge-response") == 0))
record_failed_login(authctxt->user,
get_canonical_hostname(options.use_dns), "ssh");
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
# ifdef WITH_AIXAUTHENTICATE
if (authenticated)
sys_auth_record_login(authctxt->user,
get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
&loginmsg);
# endif
#endif
#ifdef SSH_AUDIT_EVENTS
@ -333,12 +338,14 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
void
auth_maxtries_exceeded(Authctxt *authctxt)
{
struct ssh *ssh = active_state; /* XXX */
error("maximum authentication attempts exceeded for "
"%s%.100s from %.200s port %d %s",
authctxt->valid ? "" : "invalid user ",
authctxt->user,
get_remote_ipaddr(),
get_remote_port(),
ssh_remote_ipaddr(ssh),
ssh_remote_port(ssh),
compat20 ? "ssh2" : "ssh1");
packet_disconnect("Too many authentication failures");
/* NOTREACHED */
@ -350,6 +357,8 @@ auth_maxtries_exceeded(Authctxt *authctxt)
int
auth_root_allowed(const char *method)
{
struct ssh *ssh = active_state; /* XXX */
switch (options.permit_root_login) {
case PERMIT_YES:
return 1;
@ -366,7 +375,8 @@ auth_root_allowed(const char *method)
}
break;
}
logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
logit("ROOT LOGIN REFUSED FROM %.200s port %d",
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
return 0;
}
@ -378,7 +388,6 @@ auth_root_allowed(const char *method)
*
* This returns a buffer allocated by xmalloc.
*/
char *
expand_authorized_keys(const char *filename, struct passwd *pw)
{
@ -620,6 +629,7 @@ auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
struct passwd *
getpwnamallow(const char *user)
{
struct ssh *ssh = active_state; /* XXX */
#ifdef HAVE_LOGIN_CAP
extern login_cap_t *lc;
#ifdef BSD_AUTH
@ -655,11 +665,11 @@ getpwnamallow(const char *user)
}
#endif
if (pw == NULL) {
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
logit("Invalid user %.100s from %.100s port %d",
user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
#ifdef CUSTOM_FAILED_LOGIN
record_failed_login(user,
get_canonical_hostname(options.use_dns), "ssh");
auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
#endif
#ifdef SSH_AUDIT_EVENTS
audit_event(SSH_INVALID_USER);
@ -789,3 +799,117 @@ fakepw(void)
return (&fake);
}
/*
* Returns the remote DNS hostname as a string. The returned string must not
* be freed. NB. this will usually trigger a DNS query the first time it is
* called.
* This function does additional checks on the hostname to mitigate some
* attacks on legacy rhosts-style authentication.
* XXX is RhostsRSAAuthentication vulnerable to these?
* XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
*/
static char *
remote_hostname(struct ssh *ssh)
{
struct sockaddr_storage from;
socklen_t fromlen;
struct addrinfo hints, *ai, *aitop;
char name[NI_MAXHOST], ntop2[NI_MAXHOST];
const char *ntop = ssh_remote_ipaddr(ssh);
/* Get IP address of client. */
fromlen = sizeof(from);
memset(&from, 0, sizeof(from));
if (getpeername(ssh_packet_get_connection_in(ssh),
(struct sockaddr *)&from, &fromlen) < 0) {
debug("getpeername failed: %.100s", strerror(errno));
return strdup(ntop);
}
ipv64_normalise_mapped(&from, &fromlen);
if (from.ss_family == AF_INET6)
fromlen = sizeof(struct sockaddr_in6);
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
return strdup(ntop);
}
/*
* if reverse lookup result looks like a numeric hostname,
* someone is trying to trick us by PTR record like following:
* 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
*/
memset(&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
name, ntop);
freeaddrinfo(ai);
return strdup(ntop);
}
/* Names are stored in lowercase. */
lowercase(name);
/*
* Map it back to an IP address and check that the given
* address actually is an address of this host. This is
* necessary because anyone with access to a name server can
* define arbitrary names for an IP address. Mapping from
* name to IP address can be trusted better (but can still be
* fooled if the intruder has access to the name server of
* the domain).
*/
memset(&hints, 0, sizeof(hints));
hints.ai_family = from.ss_family;
hints.ai_socktype = SOCK_STREAM;
if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
logit("reverse mapping checking getaddrinfo for %.700s "
"[%s] failed.", name, ntop);
return strdup(ntop);
}
/* Look for the address from the list of addresses. */
for (ai = aitop; ai; ai = ai->ai_next) {
if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
(strcmp(ntop, ntop2) == 0))
break;
}
freeaddrinfo(aitop);
/* If we reached the end of the list, the address was not there. */
if (ai == NULL) {
/* Address not found for the host name. */
logit("Address %.100s maps to %.600s, but this does not "
"map back to the address.", ntop, name);
return strdup(ntop);
}
return strdup(name);
}
/*
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
* several times.
*/
const char *
auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
{
static char *dnsname;
if (!use_dns)
return ssh_remote_ipaddr(ssh);
else if (dnsname != NULL)
return dnsname;
else {
dnsname = remote_hostname(ssh);
return dnsname;
}
}

16
auth.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth.h,v 1.84 2015/05/08 06:41:56 djm Exp $ */
/* $OpenBSD: auth.h,v 1.88 2016/05/04 14:04:40 markus Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -42,10 +42,8 @@
#include <krb5.h>
#endif
#ifdef WIN32_FIXME
#include <windows.h>
#ifdef WINDOWS
#include <windows.h>
#endif
struct ssh;
@ -130,7 +128,8 @@ BIGNUM *auth_rsa_generate_challenge(Key *);
int auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
int auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
int auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int auth_rhosts_rsa_key_allowed(struct passwd *, const char *,
const char *, Key *);
int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int user_key_allowed(struct passwd *, Key *, int);
void pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
@ -197,13 +196,14 @@ int verify_response(Authctxt *, const char *);
void abandon_challenge_response(Authctxt *);
char *expand_authorized_keys(const char *, struct passwd *pw);
char *authorized_principals_file(struct passwd *);
FILE *auth_openkeyfile(const char *, struct passwd *, int);
FILE *auth_openprincipals(const char *, struct passwd *, int);
int auth_key_is_revoked(Key *);
const char *auth_get_canonical_hostname(struct ssh *, int);
HostStatus
check_key_in_hostfiles(struct passwd *, Key *, const char *,
const char *, const char *);
@ -216,7 +216,7 @@ Key *get_hostkey_private_by_type(int, int, struct ssh *);
int get_hostkey_index(Key *, int, struct ssh *);
int ssh1_session_key(BIGNUM *);
int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
const u_char *, size_t, u_int);
const u_char *, size_t, const char *, u_int);
/* debug messages during authentication */
void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

10
auth1.c
View File

@ -12,16 +12,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#ifdef WITH_SSH1
#include <sys/types.h>

6
auth2-chall.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
/* $OpenBSD: auth2-chall.c,v 1.44 2016/05/02 08:49:03 djm Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
* Copyright (c) 2001 Per Allansson. All rights reserved.
@ -122,8 +122,8 @@ kbdint_alloc(const char *devs)
buffer_append(&b, devices[i]->name,
strlen(devices[i]->name));
}
buffer_append(&b, "\0", 1);
kbdintctxt->devices = xstrdup(buffer_ptr(&b));
if ((kbdintctxt->devices = sshbuf_dup_string(&b)) == NULL)
fatal("%s: sshbuf_dup_string failed", __func__);
buffer_free(&b);
} else {
kbdintctxt->devices = xstrdup(devs);

9
auth2-gss.c
View File

@ -26,15 +26,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#ifdef GSSAPI
#include <sys/types.h>

16
auth2-hostbased.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-hostbased.c,v 1.25 2015/05/04 06:10:48 djm Exp $ */
/* $OpenBSD: auth2-hostbased.c,v 1.26 2016/03/07 19:02:43 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -25,15 +25,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
#include <pwd.h>
@ -169,6 +160,7 @@ int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Key *key)
{
struct ssh *ssh = active_state; /* XXX */
const char *resolvedname, *ipaddr, *lookup, *reason;
HostStatus host_status;
int len;
@ -177,8 +169,8 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
if (auth_key_is_revoked(key))
return 0;
resolvedname = get_canonical_hostname(options.use_dns);
ipaddr = get_remote_ipaddr();
resolvedname = auth_get_canonical_hostname(ssh, options.use_dns);
ipaddr = ssh_remote_ipaddr(ssh);
debug2("%s: chost %s resolvedname %s ipaddr %s", __func__,
chost, resolvedname, ipaddr);

563
auth2-jpake.c
View File

@ -1,563 +0,0 @@
/* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */
/*
* Copyright (c) 2008 Damien Miller. All rights reserved.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/*
* Server side of zero-knowledge password auth using J-PAKE protocol
* as described in:
*
* F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
* 16th Workshop on Security Protocols, Cambridge, April 2008
*
* http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
*/
#ifdef JPAKE
#include <sys/types.h>
#include <sys/param.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <login_cap.h>
#include <openssl/bn.h>
#include <openssl/evp.h>
#include "xmalloc.h"
#include "ssh2.h"
#include "key.h"
#include "hostfile.h"
#include "auth.h"
#include "buffer.h"
#include "packet.h"
#include "dispatch.h"
#include "log.h"
#include "servconf.h"
#include "auth-options.h"
#include "canohost.h"
#ifdef GSSAPI
#include "ssh-gss.h"
#endif
#include "monitor_wrap.h"
#include "schnorr.h"
#include "jpake.h"
/*
* XXX options->permit_empty_passwd (at the moment, they will be refused
* anyway because they will mismatch on fake salt.
*/
/* Dispatch handlers */
static void input_userauth_jpake_client_step1(int, u_int32_t, void *);
static void input_userauth_jpake_client_step2(int, u_int32_t, void *);
static void input_userauth_jpake_client_confirm(int, u_int32_t, void *);
static int auth2_jpake_start(Authctxt *);
/* import */
extern ServerOptions options;
extern u_char *session_id2;
extern u_int session_id2_len;
/*
* Attempt J-PAKE authentication.
*/
static int
userauth_jpake(Authctxt *authctxt)
{
int authenticated = 0;
packet_check_eom();
debug("jpake-01@openssh.com requested");
if (authctxt->user != NULL) {
if (authctxt->jpake_ctx == NULL)
authctxt->jpake_ctx = jpake_new();
if (options.zero_knowledge_password_authentication)
authenticated = auth2_jpake_start(authctxt);
}
return authenticated;
}
Authmethod method_jpake = {
"jpake-01@openssh.com",
userauth_jpake,
&options.zero_knowledge_password_authentication
};
/* Clear context and callbacks */
void
auth2_jpake_stop(Authctxt *authctxt)
{
/* unregister callbacks */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
if (authctxt->jpake_ctx != NULL) {
jpake_free(authctxt->jpake_ctx);
authctxt->jpake_ctx = NULL;
}
}
/* Returns 1 if 'c' is a valid crypt(3) salt character, 0 otherwise */
static int
valid_crypt_salt(int c)
{
if (c >= 'A' && c <= 'Z')
return 1;
if (c >= 'a' && c <= 'z')
return 1;
if (c >= '.' && c <= '9')
return 1;
return 0;
}
/*
* Derive fake salt as H(username || first_private_host_key)
* This provides relatively stable fake salts for non-existent
* users and avoids the jpake method becoming an account validity
* oracle.
*/
static void
derive_rawsalt(const char *username, u_char *rawsalt, u_int len)
{
u_char *digest;
u_int digest_len;
Buffer b;
Key *k;
buffer_init(&b);
buffer_put_cstring(&b, username);
if ((k = get_hostkey_by_index(0)) == NULL ||
(k->flags & KEY_FLAG_EXT))
fatal("%s: no hostkeys", __func__);
switch (k->type) {
case KEY_RSA1:
case KEY_RSA:
if (k->rsa->p == NULL || k->rsa->q == NULL)
fatal("%s: RSA key missing p and/or q", __func__);
buffer_put_bignum2(&b, k->rsa->p);
buffer_put_bignum2(&b, k->rsa->q);
break;
case KEY_DSA:
if (k->dsa->priv_key == NULL)
fatal("%s: DSA key missing priv_key", __func__);
buffer_put_bignum2(&b, k->dsa->priv_key);
break;
case KEY_ECDSA:
if (EC_KEY_get0_private_key(k->ecdsa) == NULL)
fatal("%s: ECDSA key missing priv_key", __func__);
buffer_put_bignum2(&b, EC_KEY_get0_private_key(k->ecdsa));
break;
default:
fatal("%s: unknown key type %d", __func__, k->type);
}
if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
&digest, &digest_len) != 0)
fatal("%s: hash_buffer", __func__);
buffer_free(&b);
if (len > digest_len)
fatal("%s: not enough bytes for rawsalt (want %u have %u)",
__func__, len, digest_len);
memcpy(rawsalt, digest, len);
bzero(digest, digest_len);
xfree(digest);
}
/* ASCII an integer [0, 64) for inclusion in a password/salt */
static char
pw_encode64(u_int i64)
{
const u_char e64[] =
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
return e64[i64 % 64];
}
/* Generate ASCII salt bytes for user */
static char *
makesalt(u_int want, const char *user)
{
u_char rawsalt[32];
static char ret[33];
u_int i;
if (want > sizeof(ret) - 1)
fatal("%s: want %u", __func__, want);
derive_rawsalt(user, rawsalt, sizeof(rawsalt));
bzero(ret, sizeof(ret));
for (i = 0; i < want; i++)
ret[i] = pw_encode64(rawsalt[i]);
bzero(rawsalt, sizeof(rawsalt));
return ret;
}
/*
* Select the system's default password hashing scheme and generate
* a stable fake salt under it for use by a non-existent account.
* Prevents jpake method being used to infer the validity of accounts.
*/
static void
fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme)
{
char *rounds_s, *style;
long long rounds;
login_cap_t *lc;
if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL &&
(lc = login_getclass(NULL)) == NULL)
fatal("%s: login_getclass failed", __func__);
style = login_getcapstr(lc, "localcipher", NULL, NULL);
if (style == NULL)
style = xstrdup("blowfish,6");
login_close(lc);
if ((rounds_s = strchr(style, ',')) != NULL)
*rounds_s++ = '\0';
rounds = strtonum(rounds_s, 1, 1<<31, NULL);
if (strcmp(style, "md5") == 0) {
xasprintf(salt, "$1$%s$", makesalt(8, authctxt->user));
*scheme = xstrdup("md5");
} else if (strcmp(style, "old") == 0) {
*salt = xstrdup(makesalt(2, authctxt->user));
*scheme = xstrdup("crypt");
} else if (strcmp(style, "newsalt") == 0) {
rounds = MAX(rounds, 7250);
rounds = MIN(rounds, (1<<24) - 1);
xasprintf(salt, "_%c%c%c%c%s",
pw_encode64(rounds), pw_encode64(rounds >> 6),
pw_encode64(rounds >> 12), pw_encode64(rounds >> 18),
makesalt(4, authctxt->user));
*scheme = xstrdup("crypt-extended");
} else {
/* Default to blowfish */
rounds = MAX(rounds, 3);
rounds = MIN(rounds, 31);
xasprintf(salt, "$2a$%02lld$%s", rounds,
makesalt(22, authctxt->user));
*scheme = xstrdup("bcrypt");
}
xfree(style);
debug3("%s: fake %s salt for user %s: %s",
__func__, *scheme, authctxt->user, *salt);
}
/*
* Fetch password hashing scheme, password salt and derive shared secret
* for user. If user does not exist, a fake but stable and user-unique
* salt will be returned.
*/
void
auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
char **hash_scheme, char **salt)
{
char *cp;
u_char *secret;
u_int secret_len, salt_len;
#ifdef JPAKE_DEBUG
debug3("%s: valid %d pw %.5s...", __func__,
authctxt->valid, authctxt->pw->pw_passwd);
#endif
*salt = NULL;
*hash_scheme = NULL;
if (authctxt->valid) {
if (strncmp(authctxt->pw->pw_passwd, "$2$", 3) == 0 &&
strlen(authctxt->pw->pw_passwd) > 28) {
/*
* old-variant bcrypt:
* "$2$", 2 digit rounds, "$", 22 bytes salt
*/
salt_len = 3 + 2 + 1 + 22 + 1;
*salt = xmalloc(salt_len);
strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
*hash_scheme = xstrdup("bcrypt");
} else if (strncmp(authctxt->pw->pw_passwd, "$2a$", 4) == 0 &&
strlen(authctxt->pw->pw_passwd) > 29) {
/*
* current-variant bcrypt:
* "$2a$", 2 digit rounds, "$", 22 bytes salt
*/
salt_len = 4 + 2 + 1 + 22 + 1;
*salt = xmalloc(salt_len);
strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
*hash_scheme = xstrdup("bcrypt");
} else if (strncmp(authctxt->pw->pw_passwd, "$1$", 3) == 0 &&
strlen(authctxt->pw->pw_passwd) > 5) {
/*
* md5crypt:
* "$1$", salt until "$"
*/
cp = strchr(authctxt->pw->pw_passwd + 3, '$');
if (cp != NULL) {
salt_len = (cp - authctxt->pw->pw_passwd) + 1;
*salt = xmalloc(salt_len);
strlcpy(*salt, authctxt->pw->pw_passwd,
salt_len);
*hash_scheme = xstrdup("md5crypt");
}
} else if (strncmp(authctxt->pw->pw_passwd, "_", 1) == 0 &&
strlen(authctxt->pw->pw_passwd) > 9) {
/*
* BSDI extended crypt:
* "_", 4 digits count, 4 chars salt
*/
salt_len = 1 + 4 + 4 + 1;
*salt = xmalloc(salt_len);
strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
*hash_scheme = xstrdup("crypt-extended");
} else if (strlen(authctxt->pw->pw_passwd) == 13 &&
valid_crypt_salt(authctxt->pw->pw_passwd[0]) &&
valid_crypt_salt(authctxt->pw->pw_passwd[1])) {
/*
* traditional crypt:
* 2 chars salt
*/
salt_len = 2 + 1;
*salt = xmalloc(salt_len);
strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
*hash_scheme = xstrdup("crypt");
}
if (*salt == NULL) {
debug("%s: unrecognised crypt scheme for user %s",
__func__, authctxt->pw->pw_name);
}
}
if (*salt == NULL)
fake_salt_and_scheme(authctxt, salt, hash_scheme);
if (hash_buffer(authctxt->pw->pw_passwd,
strlen(authctxt->pw->pw_passwd), EVP_sha256(),
&secret, &secret_len) != 0)
fatal("%s: hash_buffer", __func__);
if ((*s = BN_bin2bn(secret, secret_len, NULL)) == NULL)
fatal("%s: BN_bin2bn (secret)", __func__);
#ifdef JPAKE_DEBUG
debug3("%s: salt = %s (len %u)", __func__,
*salt, (u_int)strlen(*salt));
debug3("%s: scheme = %s", __func__, *hash_scheme);
JPAKE_DEBUG_BN((*s, "%s: s = ", __func__));
#endif
bzero(secret, secret_len);
xfree(secret);
}
/*
* Begin authentication attempt.
* Note, sets authctxt->postponed while in subprotocol
*/
static int
auth2_jpake_start(Authctxt *authctxt)
{
struct jpake_ctx *pctx = authctxt->jpake_ctx;
u_char *x3_proof, *x4_proof;
u_int x3_proof_len, x4_proof_len;
char *salt, *hash_scheme;
debug("%s: start", __func__);
PRIVSEP(jpake_step1(pctx->grp,
&pctx->server_id, &pctx->server_id_len,
&pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4,
&x3_proof, &x3_proof_len,
&x4_proof, &x4_proof_len));
PRIVSEP(auth2_jpake_get_pwdata(authctxt, &pctx->s,
&hash_scheme, &salt));
if (!use_privsep)
JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1);
packet_put_cstring(hash_scheme);
packet_put_cstring(salt);
packet_put_string(pctx->server_id, pctx->server_id_len);
packet_put_bignum2(pctx->g_x3);
packet_put_bignum2(pctx->g_x4);
packet_put_string(x3_proof, x3_proof_len);
packet_put_string(x4_proof, x4_proof_len);
packet_send();
packet_write_wait();
bzero(hash_scheme, strlen(hash_scheme));
bzero(salt, strlen(salt));
xfree(hash_scheme);
xfree(salt);
bzero(x3_proof, x3_proof_len);
bzero(x4_proof, x4_proof_len);
xfree(x3_proof);
xfree(x4_proof);
/* Expect step 1 packet from peer */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1,
input_userauth_jpake_client_step1);
authctxt->postponed = 1;
return 0;
}
/* ARGSUSED */
static void
input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
struct jpake_ctx *pctx = authctxt->jpake_ctx;
u_char *x1_proof, *x2_proof, *x4_s_proof;
u_int x1_proof_len, x2_proof_len, x4_s_proof_len;
/* Disable this message */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
/* Fetch step 1 values */
if ((pctx->g_x1 = BN_new()) == NULL ||
(pctx->g_x2 = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
pctx->client_id = packet_get_string(&pctx->client_id_len);
packet_get_bignum2(pctx->g_x1);
packet_get_bignum2(pctx->g_x2);
x1_proof = packet_get_string(&x1_proof_len);
x2_proof = packet_get_string(&x2_proof_len);
packet_check_eom();
if (!use_privsep)
JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
PRIVSEP(jpake_step2(pctx->grp, pctx->s, pctx->g_x3,
pctx->g_x1, pctx->g_x2, pctx->x4,
pctx->client_id, pctx->client_id_len,
pctx->server_id, pctx->server_id_len,
x1_proof, x1_proof_len,
x2_proof, x2_proof_len,
&pctx->b,
&x4_s_proof, &x4_s_proof_len));
bzero(x1_proof, x1_proof_len);
bzero(x2_proof, x2_proof_len);
xfree(x1_proof);
xfree(x2_proof);
if (!use_privsep)
JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
/* Send values for step 2 */
packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2);
packet_put_bignum2(pctx->b);
packet_put_string(x4_s_proof, x4_s_proof_len);
packet_send();
packet_write_wait();
bzero(x4_s_proof, x4_s_proof_len);
xfree(x4_s_proof);
/* Expect step 2 packet from peer */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2,
input_userauth_jpake_client_step2);
}
/* ARGSUSED */
static void
input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
struct jpake_ctx *pctx = authctxt->jpake_ctx;
u_char *x2_s_proof;
u_int x2_s_proof_len;
/* Disable this message */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
if ((pctx->a = BN_new()) == NULL)
fatal("%s: BN_new", __func__);
/* Fetch step 2 values */
packet_get_bignum2(pctx->a);
x2_s_proof = packet_get_string(&x2_s_proof_len);
packet_check_eom();
if (!use_privsep)
JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
/* Derive shared key and calculate confirmation hash */
PRIVSEP(jpake_key_confirm(pctx->grp, pctx->s, pctx->a,
pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2,
pctx->server_id, pctx->server_id_len,
pctx->client_id, pctx->client_id_len,
session_id2, session_id2_len,
x2_s_proof, x2_s_proof_len,
&pctx->k,
&pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len));
bzero(x2_s_proof, x2_s_proof_len);
xfree(x2_s_proof);
if (!use_privsep)
JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
/* Send key confirmation proof */
packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM);
packet_put_string(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
packet_send();
packet_write_wait();
/* Expect confirmation from peer */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM,
input_userauth_jpake_client_confirm);
}
/* ARGSUSED */
static void
input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt)
{
Authctxt *authctxt = ctxt;
struct jpake_ctx *pctx = authctxt->jpake_ctx;
int authenticated = 0;
/* Disable this message */
dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
pctx->h_k_cid_sessid = packet_get_string(&pctx->h_k_cid_sessid_len);
packet_check_eom();
if (!use_privsep)
JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
/* Verify expected confirmation hash */
if (PRIVSEP(jpake_check_confirm(pctx->k,
pctx->client_id, pctx->client_id_len,
session_id2, session_id2_len,
pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len)) == 1)
authenticated = authctxt->valid ? 1 : 0;
else
debug("%s: confirmation mismatch", __func__);
/* done */
authctxt->postponed = 0;
jpake_free(authctxt->jpake_ctx);
authctxt->jpake_ctx = NULL;
userauth_finish(authctxt, authenticated, method_jpake.name);
}
#endif /* JPAKE */

9
auth2-none.c
View File

@ -25,15 +25,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/uio.h>

47
auth2-pubkey.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -25,15 +25,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
@ -96,19 +87,19 @@ userauth_pubkey(Authctxt *authctxt)
{
Buffer b;
Key *key = NULL;
char *pkalg, *userstyle;
char *pkalg, *userstyle, *fp = NULL;
u_char *pkblob, *sig;
u_int alen, blen, slen;
int have_sig, pktype;
int authenticated = 0;
if (!authctxt->valid) {
debug2("userauth_pubkey: disabled because of invalid user");
debug2("%s: disabled because of invalid user", __func__);
return 0;
}
have_sig = packet_get_char();
if (datafellows & SSH_BUG_PKAUTH) {
debug2("userauth_pubkey: SSH_BUG_PKAUTH");
debug2("%s: SSH_BUG_PKAUTH", __func__);
/* no explicit pkalg given */
pkblob = packet_get_string(&blen);
buffer_init(&b);
@ -123,18 +114,18 @@ userauth_pubkey(Authctxt *authctxt)
pktype = key_type_from_name(pkalg);
if (pktype == KEY_UNSPEC) {
/* this is perfectly legal */
logit("userauth_pubkey: unsupported public key algorithm: %s",
pkalg);
logit("%s: unsupported public key algorithm: %s",
__func__, pkalg);
goto done;
}
key = key_from_blob(pkblob, blen);
if (key == NULL) {
error("userauth_pubkey: cannot decode key: %s", pkalg);
error("%s: cannot decode key: %s", __func__, pkalg);
goto done;
}
if (key->type != pktype) {
error("userauth_pubkey: type mismatch for decoded key "
"(received %d, expected %d)", key->type, pktype);
error("%s: type mismatch for decoded key "
"(received %d, expected %d)", __func__, key->type, pktype);
goto done;
}
if (key_type_plain(key->type) == KEY_RSA &&
@ -143,6 +134,7 @@ userauth_pubkey(Authctxt *authctxt)
"signature scheme");
goto done;
}
fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
if (auth2_userkey_already_used(authctxt, key)) {
logit("refusing previously-used %s key", key_type(key));
goto done;
@ -155,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
}
if (have_sig) {
debug3("%s: have signature for %s %s",
__func__, sshkey_type(key), fp);
sig = packet_get_string(&slen);
packet_check_eom();
buffer_init(&b);
@ -216,6 +210,7 @@ userauth_pubkey(Authctxt *authctxt)
break;
}
debug3("auth agent authenticated %s", authctxt->pw->pw_name);
break;
}
@ -247,7 +242,8 @@ userauth_pubkey(Authctxt *authctxt)
#endif /* else #ifdef WIN32_FIXME. */
} else {
debug("test whether pkalg/pkblob are acceptable");
debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
__func__, sshkey_type(key), fp);
packet_check_eom();
/* XXX fake reply and always send PK_OK ? */
@ -277,11 +273,12 @@ userauth_pubkey(Authctxt *authctxt)
if (authenticated != 1)
auth_clear_options();
done:
debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
if (key != NULL)
key_free(key);
free(pkalg);
free(pkblob);
free(fp);
return authenticated;
}
@ -796,7 +793,6 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
* Checks whether key is allowed in authorized_keys-format file,
* returns 1 if the key is allowed or 0 otherwise.
*/
static int
check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
{
@ -880,8 +876,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
free(fp);
continue;
}
verbose("Accepted certificate ID \"%s\" "
verbose("Accepted certificate ID \"%s\" (serial %llu) "
"signed by %s CA %s via %s", key->cert->key_id,
(unsigned long long)key->cert->serial,
key_type(found), fp, file);
free(fp);
found_key = 1;
@ -959,8 +956,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (auth_cert_options(key, pw) != 0)
goto out;
verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
"%s CA %s via %s", key->cert->key_id,
(unsigned long long)key->cert->serial,
key_type(key->cert->signature_key), ca_fp,
options.trusted_user_ca_keys);
ret = 1;

15
auth2.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: auth2.c,v 1.135 2015/01/19 20:07:45 markus Exp $ */
/* $OpenBSD: auth2.c,v 1.136 2016/05/02 08:49:03 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
@ -25,15 +25,6 @@
#include "includes.h"
/*
* We support only client side kerberos on Windows.
*/
#ifdef WIN32_FIXME
#undef GSSAPI
#undef KRB5
#endif
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/uio.h>
@ -433,8 +424,8 @@ authmethods_get(Authctxt *authctxt)
buffer_append(&b, authmethods[i]->name,
strlen(authmethods[i]->name));
}
buffer_append(&b, "\0", 1);
list = xstrdup(buffer_ptr(&b));
if ((list = sshbuf_dup_string(&b)) == NULL)
fatal("%s: sshbuf_dup_string failed", __func__);
buffer_free(&b);
return list;
}

24
authfd.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -161,7 +161,11 @@ ssh_get_authentication_socket(int *fdp)
}
/* Communicate with agent: send request and read reply */
#ifdef WINDOWS
int
#else
static int
#endif
ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
{
int r;
@ -466,11 +470,24 @@ ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
}
#endif
/* encode signature algoritm in flag bits, so we can keep the msg format */
static u_int
agent_encode_alg(struct sshkey *key, const char *alg)
{
if (alg != NULL && key->type == KEY_RSA) {
if (strcmp(alg, "rsa-sha2-256") == 0)
return SSH_AGENT_RSA_SHA2_256;
else if (strcmp(alg, "rsa-sha2-512") == 0)
return SSH_AGENT_RSA_SHA2_512;
}
return 0;
}
/* ask agent to sign data, returns err.h code on error, 0 on success */
int
ssh_agent_sign(int sock, struct sshkey *key,
u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat)
const u_char *data, size_t datalen, const char *alg, u_int compat)
{
struct sshbuf *msg;
u_char *blob = NULL, type;
@ -489,12 +506,13 @@ ssh_agent_sign(int sock, struct sshkey *key,
return SSH_ERR_ALLOC_FAIL;
if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
goto out;
flags |= agent_encode_alg(key, alg);
if ((r = sshbuf_put_u8(msg, SSH2_AGENTC_SIGN_REQUEST)) != 0 ||
(r = sshbuf_put_string(msg, blob, blen)) != 0 ||
(r = sshbuf_put_string(msg, data, datalen)) != 0 ||
(r = sshbuf_put_u32(msg, flags)) != 0)
goto out;
if ((r = ssh_request_reply(sock, msg, msg) != 0))
if ((r = ssh_request_reply(sock, msg, msg)) != 0)
goto out;
if ((r = sshbuf_get_u8(msg, &type)) != 0)
goto out;

6
authfd.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: authfd.h,v 1.38 2015/01/14 20:05:27 djm Exp $ */
/* $OpenBSD: authfd.h,v 1.39 2015/12/04 16:41:28 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -41,7 +41,7 @@ int ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
u_char session_id[16], u_char response[16]);
int ssh_agent_sign(int sock, struct sshkey *key,
u_char **sigp, size_t *lenp,
const u_char *data, size_t datalen, u_int compat);
const u_char *data, size_t datalen, const char *alg, u_int compat);
/* Messages for the authentication agent connection. */
#define SSH_AGENTC_REQUEST_RSA_IDENTITIES 1
@ -86,5 +86,7 @@ int ssh_agent_sign(int sock, struct sshkey *key,
#define SSH_COM_AGENT2_FAILURE 102
#define SSH_AGENT_OLD_SIGNATURE 0x01
#define SSH_AGENT_RSA_SHA2_256 0x02
#define SSH_AGENT_RSA_SHA2_512 0x04
#endif /* AUTHFD_H */

28
authfile.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: authfile.c,v 1.116 2015/07/09 09:49:46 markus Exp $ */
/* $OpenBSD: authfile.c,v 1.121 2016/04/09 12:39:30 djm Exp $ */
/*
* Copyright (c) 2000, 2013 Markus Friedl. All rights reserved.
*
@ -149,6 +149,7 @@ sshkey_load_public_rsa1(int fd, struct sshkey **keyp, char **commentp)
struct sshbuf *b = NULL;
int r;
if (keyp != NULL)
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
@ -205,12 +206,12 @@ sshkey_load_private_type(int type, const char *filename, const char *passphrase,
{
int fd, r;
if (keyp != NULL)
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
if ((fd = open(filename, O_RDONLY)) < 0) {
if (perm_ok != NULL)
*perm_ok = 0;
return SSH_ERR_SYSTEM_ERROR;
@ -237,6 +238,8 @@ sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
struct sshbuf *buffer = NULL;
int r;
if (keyp != NULL)
*keyp = NULL;
if ((buffer = sshbuf_new()) == NULL) {
r = SSH_ERR_ALLOC_FAIL;
goto out;
@ -249,7 +252,6 @@ sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
/* success */
r = 0;
out:
if (buffer != NULL)
sshbuf_free(buffer);
return r;
}
@ -262,6 +264,7 @@ sshkey_load_private(const char *filename, const char *passphrase,
struct sshbuf *buffer = NULL;
int r, fd;
if (keyp != NULL)
*keyp = NULL;
if (commentp != NULL)
*commentp = NULL;
@ -278,13 +281,12 @@ sshkey_load_private(const char *filename, const char *passphrase,
goto out;
}
if ((r = sshkey_load_file(fd, buffer)) != 0 ||
(r = sshkey_parse_private_fileblob(buffer, passphrase, filename,
keyp, commentp)) != 0)
(r = sshkey_parse_private_fileblob(buffer, passphrase, keyp,
commentp)) != 0)
goto out;
r = 0;
out:
close(fd);
if (buffer != NULL)
sshbuf_free(buffer);
return r;
}
@ -416,6 +418,7 @@ sshkey_load_cert(const char *filename, struct sshkey **keyp)
char *file = NULL;
int r = SSH_ERR_INTERNAL_ERROR;
if (keyp != NULL)
*keyp = NULL;
if (asprintf(&file, "%s-cert.pub", filename) == -1)
@ -426,15 +429,14 @@ sshkey_load_cert(const char *filename, struct sshkey **keyp)
}
if ((r = sshkey_try_load_public(pub, file, NULL)) != 0)
goto out;
/* success */
if (keyp != NULL) {
*keyp = pub;
pub = NULL;
}
r = 0;
out:
if (file != NULL)
free(file);
if (pub != NULL)
sshkey_free(pub);
return r;
}
@ -447,6 +449,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
struct sshkey *key = NULL, *cert = NULL;
int r;
if (keyp != NULL)
*keyp = NULL;
switch (type) {
@ -477,12 +480,12 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
(r = sshkey_cert_copy(cert, key)) != 0)
goto out;
r = 0;
if (keyp != NULL) {
*keyp = key;
key = NULL;
}
out:
if (key != NULL)
sshkey_free(key);
if (cert != NULL)
sshkey_free(cert);
return r;
}
@ -544,7 +547,6 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type,
}
r = SSH_ERR_KEY_NOT_FOUND;
out:
if (pub != NULL)
sshkey_free(pub);
fclose(f);
return r;

2
bitmap.c
View File

@ -53,7 +53,7 @@ void
bitmap_free(struct bitmap *b)
{
if (b != NULL && b->d != NULL) {
memset(b->d, 0, b->len);
explicit_bzero(b->d, b->len);
free(b->d);
}
free(b);

1
bufaux.c
View File

@ -257,4 +257,3 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
fatal("%s: %s", __func__, ssh_err(ret));
}

9
build.sh
View File

@ -1,9 +0,0 @@
autoreconf
./configure --build=i686-pc-mingw32 --host=i686-pc-mingw32 --with-ssl-dir=../openssl-1.0.1e --with-kerberos5 --with-zlib=../zlib-1.2.8
cat config.h.tail >> config.h
make ssh.exe
make sshd.exe
make sftp.exe
make sftp-server.exe
make ssh-agent.exe

20
buildpkg.sh.in
View File

@ -337,17 +337,17 @@ then
else
if [ "\${USE_SYM_LINKS}" = yes ]
then
[ "$RCS_D" = yes ] && \
[ "$RCS_D" = yes ] && \\
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
[ "$RC1_D" = no ] || \
[ "$RC1_D" = no ] || \\
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
else
[ "$RCS_D" = yes ] && \
[ "$RCS_D" = yes ] && \\
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
[ "$RC1_D" = no ] || \
[ "$RC1_D" = no ] || \\
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
fi
@ -538,10 +538,10 @@ then
PRE_INS_STOP=no
POST_INS_START=no
# determine if should restart the daemon
if [ -s ${piddir}/sshd.pid ] && \
if [ -s ${piddir}/sshd.pid ] && \\
/usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
then
ans=\`ckyorn -d n \
ans=\`ckyorn -d n \\
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) PRE_INS_STOP=yes
@ -552,7 +552,7 @@ then
else
# determine if we should start sshd
ans=\`ckyorn -d n \
ans=\`ckyorn -d n \\
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) POST_INS_START=yes ;;
@ -573,7 +573,7 @@ USE_SYM_LINKS=no
PRE_INS_STOP=no
POST_INS_START=no
# Use symbolic links?
ans=\`ckyorn -d n \
ans=\`ckyorn -d n \\
-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) USE_SYM_LINKS=yes ;;
@ -582,7 +582,7 @@ esac
# determine if should restart the daemon
if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
then
ans=\`ckyorn -d n \
ans=\`ckyorn -d n \\
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) PRE_INS_STOP=yes
@ -593,7 +593,7 @@ then
else
# determine if we should start sshd
ans=\`ckyorn -d n \
ans=\`ckyorn -d n \\
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
case \$ans in
[y,Y]*) POST_INS_START=yes ;;

262
canohost.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: canohost.c,v 1.72 2015/03/01 15:44:40 millert Exp $ */
/* $OpenBSD: canohost.c,v 1.73 2016/03/07 19:02:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,147 +35,6 @@
#include "canohost.h"
#include "misc.h"
static void check_ip_options(int, char *);
static char *canonical_host_ip = NULL;
static int cached_port = -1;
/*
* Return the canonical name of the host at the other end of the socket. The
* caller should free the returned string.
*/
static char *
get_remote_hostname(int sock, int use_dns)
{
struct sockaddr_storage from;
socklen_t fromlen;
struct addrinfo hints, *ai, *aitop;
char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
/* Get IP address of client. */
fromlen = sizeof(from);
memset(&from, 0, sizeof(from));
if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
debug("getpeername failed: %.100s", strerror(errno));
cleanup_exit(255);
}
if (from.ss_family == AF_INET)
check_ip_options(sock, ntop);
ipv64_normalise_mapped(&from, &fromlen);
if (from.ss_family == AF_INET6)
fromlen = sizeof(struct sockaddr_in6);
if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
NULL, 0, NI_NUMERICHOST) != 0)
fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
if (!use_dns)
return xstrdup(ntop);
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
return xstrdup(ntop);
}
/*
* if reverse lookup result looks like a numeric hostname,
* someone is trying to trick us by PTR record like following:
* 1.1.1.10.in-addr.arpa. IN PTR 2.3.4.5
*/
memset(&hints, 0, sizeof(hints));
hints.ai_socktype = SOCK_DGRAM; /*dummy*/
hints.ai_flags = AI_NUMERICHOST;
if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
name, ntop);
freeaddrinfo(ai);
return xstrdup(ntop);
}
/* Names are stores in lowercase. */
lowercase(name);
/*
* Map it back to an IP address and check that the given
* address actually is an address of this host. This is
* necessary because anyone with access to a name server can
* define arbitrary names for an IP address. Mapping from
* name to IP address can be trusted better (but can still be
* fooled if the intruder has access to the name server of
* the domain).
*/
memset(&hints, 0, sizeof(hints));
hints.ai_family = from.ss_family;
hints.ai_socktype = SOCK_STREAM;
if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
logit("reverse mapping checking getaddrinfo for %.700s "
"[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
return xstrdup(ntop);
}
/* Look for the address from the list of addresses. */
for (ai = aitop; ai; ai = ai->ai_next) {
if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
(strcmp(ntop, ntop2) == 0))
break;
}
freeaddrinfo(aitop);
/* If we reached the end of the list, the address was not there. */
if (!ai) {
/* Address not found for the host name. */
logit("Address %.100s maps to %.600s, but this does not "
"map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
ntop, name);
return xstrdup(ntop);
}
return xstrdup(name);
}
/*
* If IP options are supported, make sure there are none (log and
* disconnect them if any are found). Basically we are worried about
* source routing; it can be used to pretend you are somebody
* (ip-address) you are not. That itself may be "almost acceptable"
* under certain circumstances, but rhosts autentication is useless
* if source routing is accepted. Notice also that if we just dropped
* source routing here, the other side could use IP spoofing to do
* rest of the interaction and could still bypass security. So we
* exit here if we detect any IP options.
*/
/* IPv4 only */
static void
check_ip_options(int sock, char *ipaddr)
{
#ifdef IP_OPTIONS
u_char options[200];
char text[sizeof(options) * 3 + 1];
socklen_t option_size, i;
int ipproto;
struct protoent *ip;
if ((ip = getprotobyname("ip")) != NULL)
ipproto = ip->p_proto;
else
ipproto = IPPROTO_IP;
option_size = sizeof(options);
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
&option_size) >= 0 && option_size != 0) {
text[0] = '\0';
for (i = 0; i < option_size; i++)
snprintf(text + i*3, sizeof(text) - i*3,
" %2.2x", options[i]);
fatal("Connection from %.100s with IP options:%.800s",
ipaddr, text);
}
#endif /* IP_OPTIONS */
}
void
ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
{
@ -201,38 +60,6 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
a4->sin_port = port;
}
/*
* Return the canonical name of the host in the other side of the current
* connection. The host name is cached, so it is efficient to call this
* several times.
*/
const char *
get_canonical_hostname(int use_dns)
{
char *host;
static char *canonical_host_name = NULL;
static char *remote_ip = NULL;
/* Check if we have previously retrieved name with same option. */
if (use_dns && canonical_host_name != NULL)
return canonical_host_name;
if (!use_dns && remote_ip != NULL)
return remote_ip;
/* Get the real hostname if socket; otherwise return UNKNOWN. */
if (packet_connection_is_on_socket())
host = get_remote_hostname(packet_get_connection_in(), use_dns);
else
host = "UNKNOWN";
if (use_dns)
canonical_host_name = host;
else
remote_ip = host;
return host;
}
/*
* Returns the local/remote IP-address/hostname of socket as a string.
* The returned string must be freed.
@ -250,12 +77,10 @@ get_socket_address(int sock, int remote, int flags)
memset(&addr, 0, sizeof(addr));
if (remote) {
if (getpeername(sock, (struct sockaddr *)&addr, &addrlen)
< 0)
if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) != 0)
return NULL;
} else {
if (getsockname(sock, (struct sockaddr *)&addr, &addrlen)
< 0)
if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) != 0)
return NULL;
}
@ -271,7 +96,7 @@ get_socket_address(int sock, int remote, int flags)
/* Get the address in ascii. */
if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop,
sizeof(ntop), NULL, 0, flags)) != 0) {
error("get_socket_address: getnameinfo %d failed: %s",
error("%s: getnameinfo %d failed: %s", __func__,
flags, ssh_gai_strerror(r));
return NULL;
}
@ -316,7 +141,8 @@ get_local_name(int fd)
/* Handle the case where we were passed a pipe */
if (gethostname(myname, sizeof(myname)) == -1) {
verbose("get_local_name: gethostname: %s", strerror(errno));
verbose("%s: gethostname: %s", __func__, strerror(errno));
host = xstrdup("UNKNOWN");
} else {
host = xstrdup(myname);
}
@ -324,51 +150,9 @@ get_local_name(int fd)
return host;
}
void
clear_cached_addr(void)
{
free(canonical_host_ip);
canonical_host_ip = NULL;
cached_port = -1;
}
/*
* Returns the IP-address of the remote host as a string. The returned
* string must not be freed.
*/
const char *
get_remote_ipaddr(void)
{
/* Check whether we have cached the ipaddr. */
if (canonical_host_ip == NULL) {
if (packet_connection_is_on_socket()) {
canonical_host_ip =
get_peer_ipaddr(packet_get_connection_in());
if (canonical_host_ip == NULL)
cleanup_exit(255);
} else {
/* If not on socket, return UNKNOWN. */
canonical_host_ip = xstrdup("UNKNOWN");
}
}
return canonical_host_ip;
}
const char *
get_remote_name_or_ip(u_int utmp_len, int use_dns)
{
static const char *remote = "";
if (utmp_len > 0)
remote = get_canonical_hostname(use_dns);
if (utmp_len == 0 || strlen(remote) > utmp_len)
remote = get_remote_ipaddr();
return remote;
}
/* Returns the local/remote port for the socket. */
int
static int
get_sock_port(int sock, int local)
{
struct sockaddr_storage from;
@ -402,27 +186,11 @@ get_sock_port(int sock, int local)
/* Return port number. */
if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
strport, sizeof(strport), NI_NUMERICSERV)) != 0)
fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s",
fatal("%s: getnameinfo NI_NUMERICSERV failed: %s", __func__,
ssh_gai_strerror(r));
return atoi(strport);
}
/* Returns remote/local port number for the current connection. */
static int
get_port(int local)
{
/*
* If the connection is not a socket, return 65535. This is
* intentionally chosen to be an unprivileged port number.
*/
if (!packet_connection_is_on_socket())
return 65535;
/* Get socket and return the port number. */
return get_sock_port(packet_get_connection_in(), local);
}
int
get_peer_port(int sock)
{
@ -430,17 +198,7 @@ get_peer_port(int sock)
}
int
get_remote_port(void)
get_local_port(int sock)
{
/* Cache to avoid getpeername() on a dead connection */
if (cached_port == -1)
cached_port = get_port(0);
return cached_port;
}
int
get_local_port(void)
{
return get_port(1);
return get_sock_port(sock, 1);
}

13
canohost.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: canohost.h,v 1.11 2009/05/27 06:31:25 andreas Exp $ */
/* $OpenBSD: canohost.h,v 1.12 2016/03/07 19:02:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -12,18 +12,15 @@
* called by a name other than "ssh" or "Secure Shell".
*/
const char *get_canonical_hostname(int);
const char *get_remote_ipaddr(void);
const char *get_remote_name_or_ip(u_int, int);
#ifndef _CANOHOST_H
#define _CANOHOST_H
char *get_peer_ipaddr(int);
int get_peer_port(int);
char *get_local_ipaddr(int);
char *get_local_name(int);
int get_local_port(int);
int get_remote_port(void);
int get_local_port(void);
int get_sock_port(int, int);
void clear_cached_addr(void);
#endif /* _CANOHOST_H */
void ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);

74
channels.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: channels.c,v 1.347 2015/07/01 02:26:31 djm Exp $ */
/* $OpenBSD: channels.c,v 1.351 2016/07/19 11:38:53 dtucker Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -41,7 +41,6 @@
#include "includes.h"
#include <sys/types.h>
#include <sys/param.h> /* MIN MAX */
#include <sys/stat.h>
@ -84,7 +83,6 @@
#include "authfd.h"
#include "pathnames.h"
/* -- channel core */
/*
@ -140,6 +138,9 @@ static int num_adm_permitted_opens = 0;
/* special-case port number meaning allow any port */
#define FWD_PERMIT_ANY_PORT 0
/* special-case wildcard meaning allow any host */
#define FWD_PERMIT_ANY_HOST "*"
/*
* If this is true, all opens are permitted. This is the case on the server
* on which we have to trust the client anyway, and the user could do
@ -664,7 +665,7 @@ channel_open_message(void)
case SSH_CHANNEL_INPUT_DRAINING:
case SSH_CHANNEL_OUTPUT_DRAINING:
snprintf(buf, sizeof buf,
" #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n",
" #%d %.300s (t%d r%d i%u/%d o%u/%d fd %d/%d cc %d)\r\n",
c->self, c->remote_name,
c->type, c->remote_id,
c->istate, buffer_len(&c->input),
@ -1371,9 +1372,8 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
errno = oerrno;
}
if (newsock < 0) {
if (errno != EINTR && errno != EWOULDBLOCK
&& errno != ECONNABORTED
)
if (errno != EINTR && errno != EWOULDBLOCK &&
errno != ECONNABORTED)
error("accept: %.100s", strerror(errno));
if (errno == EMFILE || errno == ENFILE)
c->notbefore = monotime() + 1;
@ -1419,7 +1419,7 @@ port_open_helper(Channel *c, char *rtype)
{
char buf[1024];
char *local_ipaddr = get_local_ipaddr(c->sock);
int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1);
int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
char *remote_ipaddr = get_peer_ipaddr(c->sock);
int remote_port = get_peer_port(c->sock);
@ -1540,9 +1540,8 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
addrlen = sizeof(addr);
newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
if (newsock < 0) {
if (errno != EINTR && errno != EWOULDBLOCK
&& errno != ECONNABORTED
)
if (errno != EINTR && errno != EWOULDBLOCK &&
errno != ECONNABORTED)
error("accept: %.100s", strerror(errno));
if (errno == EMFILE || errno == ENFILE)
c->notbefore = monotime() + 1;
@ -1908,13 +1907,13 @@ read_mux(Channel *c, u_int need)
if (buffer_len(&c->input) < need) {
rlen = need - buffer_len(&c->input);
len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF));
if (len < 0 && (errno == EINTR || errno == EAGAIN))
return buffer_len(&c->input);
if (len <= 0) {
if (errno != EINTR && errno != EAGAIN) {
debug2("channel %d: ctl read<=0 rfd %d len %d",
c->self, c->rfd, len);
chan_read_failed(c);
return 0;
}
} else
buffer_append(&c->input, buf, len);
}
@ -2212,9 +2211,6 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
u_int n, sz, nfdset;
n = MAX(*maxfdp, channel_max_fd);
/*
* Winsock can't support this sort of fdset reallocation
*/
nfdset = howmany(n+1, NFDBITS);
/* Explicitly test here, because xrealloc isn't always called */
@ -2228,9 +2224,7 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
*writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask));
*nallocp = sz;
}
*maxfdp = n;
memset(*readsetp, 0, sz);
memset(*writesetp, 0, sz);
@ -2376,6 +2370,7 @@ channel_output_poll(void)
}
}
/* -- protocol input */
/* ARGSUSED */
@ -2431,12 +2426,10 @@ channel_input_data(int type, u_int32_t seq, void *ctxt)
}
c->local_window -= win_len;
}
if (c->datagram)
buffer_put_string(&c->output, data, data_len);
else {
else
buffer_append(&c->output, data, data_len);
}
packet_check_eom();
return 0;
}
@ -2449,10 +2442,6 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
char *data;
u_int data_len, tcode;
Channel *c;
#ifdef WIN32_FIXME
char *respbuf = NULL;
size_t resplen = 0;
#endif
/* Get the channel number and verify it. */
id = packet_get_int();
@ -2488,20 +2477,7 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
}
debug2("channel %d: rcvd ext data %d", c->self, data_len);
c->local_window -= data_len;
#ifndef WIN32_FIXME//N
buffer_append(&c->extended, data, data_len);
#else
if (c->client_tty) {
if (telProcessNetwork(data, data_len, &respbuf, &resplen) > 0) // run it by ANSI engine if it is the ssh client
buffer_append(&c->extended, data, data_len);
if (respbuf != NULL) {
sshbuf_put(&c->input, respbuf, resplen);
}
}
else
buffer_append(&c->extended, data, data_len);
#endif
free(data);
return 0;
}
@ -2971,7 +2947,7 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 &&
allocated_listen_port != NULL &&
*allocated_listen_port == 0) {
*allocated_listen_port = get_sock_port(sock, 1);
*allocated_listen_port = get_local_port(sock);
debug("Allocated listen port %d",
*allocated_listen_port);
}
@ -3334,7 +3310,8 @@ open_match(ForwardPermission *allowed_open, const char *requestedhost,
if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
allowed_open->port_to_connect != requestedport)
return 0;
if (strcmp(allowed_open->host_to_connect, requestedhost) != 0)
if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
strcmp(allowed_open->host_to_connect, requestedhost) != 0)
return 0;
return 1;
}
@ -3899,7 +3876,6 @@ channel_connect_to_path(const char *path, char *ctype, char *rname)
void
channel_send_window_changes(void)
{
u_int i;
struct winsize ws;
@ -3908,20 +3884,11 @@ channel_send_window_changes(void)
channels[i]->type != SSH_CHANNEL_OPEN)
continue;
#ifndef WIN32_FIXME
if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
continue
#else
{
CONSOLE_SCREEN_BUFFER_INFO c_info;
/* TODO - Fix this for multiple channels*/
if (!GetConsoleScreenBufferInfo(GetStdHandle(STD_OUTPUT_HANDLE), &c_info))
continue;
ws.ws_col = c_info.dwSize.X;
ws.ws_row = c_info.dwSize.Y;
ws.ws_xpixel = 640;
ws.ws_ypixel = 480;
}
#endif
if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
continue;
channel_request_start(i, "window-change", 0);
packet_put_int((u_int)ws.ws_col);
packet_put_int((u_int)ws.ws_row);
@ -3931,7 +3898,6 @@ channel_send_window_changes(void)
}
}
/* -- X11 forwarding */
/*

1
channels.h
View File

@ -228,7 +228,6 @@ void channel_cancel_cleanup(int);
int channel_close_fd(int *);
void channel_send_window_changes(void);
/* protocol handler */
int channel_input_close(int, u_int32_t, void *);

86
cipher-acss.c
View File

@ -1,86 +0,0 @@
/*
* Copyright (c) 2004 The OpenBSD project
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include "includes.h"
#include <openssl/evp.h>
#include <string.h>
#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
#include "acss.h"
#include "openbsd-compat/openssl-compat.h"
#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data)
typedef struct {
ACSS_KEY ks;
} EVP_ACSS_KEY;
#define EVP_CTRL_SET_ACSS_MODE 0xff06
#define EVP_CTRL_SET_ACSS_SUBKEY 0xff07
static int
acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
const unsigned char *iv, int enc)
{
acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
return 1;
}
static int
acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
LIBCRYPTO_EVP_INL_TYPE inl)
{
acss(&data(ctx)->ks,inl,in,out);
return 1;
}
static int
acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
{
switch(type) {
case EVP_CTRL_SET_ACSS_MODE:
data(ctx)->ks.mode = arg;
return 1;
case EVP_CTRL_SET_ACSS_SUBKEY:
acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr);
return 1;
default:
return -1;
}
}
const EVP_CIPHER *
evp_acss(void)
{
static EVP_CIPHER acss_cipher;
memset(&acss_cipher, 0, sizeof(EVP_CIPHER));
acss_cipher.nid = NID_undef;
acss_cipher.block_size = 1;
acss_cipher.key_len = 5;
acss_cipher.init = acss_init_key;
acss_cipher.do_cipher = acss_ciph;
acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY);
acss_cipher.ctrl = acss_ctrl;
return (&acss_cipher);
}
#endif

4
cipher-bf1.c
View File

@ -20,7 +20,7 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_BF)
#include <sys/types.h>
@ -100,4 +100,4 @@ evp_ssh1_bf(void)
ssh1_bf.key_len = 32;
return (&ssh1_bf);
}
#endif /* WITH_OPENSSL */
#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_NO_BF) */

79
cipher.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: cipher.c,v 1.100 2015/01/14 10:29:45 djm Exp $ */
/* $OpenBSD: cipher.c,v 1.101 2015/12/10 17:08:40 mmcc Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -43,7 +43,6 @@
#include <stdarg.h>
#include <stdio.h>
#include "cipher.h"
#include "misc.h"
#include "sshbuf.h"
@ -52,12 +51,6 @@
#include "openbsd-compat/openssl-compat.h"
#ifdef USE_MSCNG
#undef WITH_OPENSSL
#endif
#ifdef WITH_SSH1
extern const EVP_CIPHER *evp_ssh1_bf(void);
extern const EVP_CIPHER *evp_ssh1_3des(void);
@ -88,18 +81,26 @@ static const struct sshcipher ciphers[] = {
#ifdef WITH_SSH1
{ "des", SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
# ifndef OPENSSL_NO_BF
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
# endif /* OPENSSL_NO_BF */
#endif /* WITH_SSH1 */
#ifdef WITH_OPENSSL
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
# ifndef OPENSSL_NO_BF
{ "blowfish-cbc",
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
# endif /* OPENSSL_NO_BF */
# ifndef OPENSSL_NO_CAST
{ "cast128-cbc",
SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
# endif /* OPENSSL_NO_CAST */
# ifndef OPENSSL_NO_RC4
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
{ "arcfour128", SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
{ "arcfour256", SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
# endif /* OPENSSL_NO_RC4 */
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
@ -115,19 +116,9 @@ static const struct sshcipher ciphers[] = {
SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
# endif /* OPENSSL_HAVE_EVPGCM */
#else /* WITH_OPENSSL */
#ifdef USE_MSCNG
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CTR, NULL },
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CTR, NULL },
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CTR, NULL },
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CBC, NULL },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CBC, NULL },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CBC, NULL },
#else
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
#endif
{ "none", SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL },
#endif /* WITH_OPENSSL */
{ "chacha20-poly1305@openssh.com",
@ -310,8 +301,6 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
int do_encrypt)
{
#ifdef WITH_OPENSSL
int ret = SSH_ERR_INTERNAL_ERROR;
const EVP_CIPHER *type;
@ -335,25 +324,11 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
return chachapoly_init(&cc->cp_ctx, key, keylen);
}
#ifndef WITH_OPENSSL
#ifdef USE_MSCNG
/* cng shares cipher flag with NONE. Make sure the NONE cipher isn't requested */
if ((cc->cipher->flags & CFLAG_NONE) == 0)
{
if (cng_cipher_init(&cc->cng_ctx,key,keylen,iv, ivlen,cc->cipher->flags))
return SSH_ERR_LIBCRYPTO_ERROR;
return 0;
}
#else
if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
aesctr_ivsetup(&cc->ac_ctx, iv);
return 0;
}
#endif
if ((cc->cipher->flags & CFLAG_NONE) != 0)
return 0;
return SSH_ERR_INVALID_ARGUMENT;
@ -386,7 +361,6 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
if (cipher->discard_len > 0) {
if ((junk = malloc(cipher->discard_len)) == NULL ||
(discard = malloc(cipher->discard_len)) == NULL) {
if (junk != NULL)
free(junk);
ret = SSH_ERR_ALLOC_FAIL;
goto bad;
@ -406,7 +380,6 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
return 0;
}
/*
* cipher_crypt() operates as following:
* Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
@ -421,34 +394,11 @@ int
cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
const u_char *src, u_int len, u_int aadlen, u_int authlen)
{
#ifdef USE_MSCNG
int ret = 0;
#endif
if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src,
len, aadlen, authlen, cc->encrypt);
}
#ifndef WITH_OPENSSL
#ifdef USE_MSCNG
/* cng shares cipher flag with NONE. Make sure the NONE cipher isn't requested */
if ((cc->cipher->flags & CFLAG_NONE) == 0)
{
if (aadlen)
memcpy(dest, src, aadlen);
if (cc->encrypt)
ret = cng_cipher_encrypt(&cc->cng_ctx,dest+aadlen, len, src+aadlen,len);
else
ret = cng_cipher_decrypt(&cc->cng_ctx,dest+aadlen, len, src+aadlen, len);
if (ret != len){
return SSH_ERR_LIBCRYPTO_ERROR;
}
return 0;
}
#else
if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
if (aadlen)
memcpy(dest, src, aadlen);
@ -456,9 +406,6 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
dest + aadlen, len);
return 0;
}
#endif
if ((cc->cipher->flags & CFLAG_NONE) != 0) {
memcpy(dest, src, aadlen + len);
return 0;
@ -531,10 +478,6 @@ cipher_cleanup(struct sshcipher_ctx *cc)
#ifdef WITH_OPENSSL
else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
return SSH_ERR_LIBCRYPTO_ERROR;
#endif
#ifdef USE_MSCNG
else
cng_cipher_cleanup(&cc->cng_ctx);
#endif
return 0;
}
@ -690,7 +633,7 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
int
cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
{
#ifdef WITH_OPENSSL
#if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_RC4)
const struct sshcipher *c = cc->cipher;
int plen = 0;
@ -709,7 +652,7 @@ cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
void
cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat)
{
#ifdef WITH_OPENSSL
#if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_RC4)
const struct sshcipher *c = cc->cipher;
int plen;

8
cipher.h
View File

@ -41,9 +41,7 @@
#include <openssl/evp.h>
#include "cipher-chachapoly.h"
#include "cipher-aesctr.h"
#ifdef USE_MSCNG
#include "contrib/win32/win32compat/cng_cipher.h"
#endif
/*
* Cipher types for SSH-1. New types can be added, but old types should not
* be removed for compatibility. The maximum allowed value is 31.
@ -72,10 +70,6 @@ struct sshcipher_ctx {
struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
struct aesctr_ctx ac_ctx; /* XXX union with evp? */
const struct sshcipher *cipher;
#ifdef USE_MSCNG
struct ssh_cng_cipher_ctx cng_ctx;
#endif
};
u_int cipher_mask_ssh1(int);

221
clientloop.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
/* $OpenBSD: clientloop.c,v 1.286 2016/07/23 02:54:08 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -111,7 +111,6 @@
#include "sshpty.h"
#include "match.h"
#include "msg.h"
#include "roaming.h"
#include "ssherr.h"
#include "hostfile.h"
@ -132,6 +131,9 @@ extern int stdin_null_flag;
/* Flag indicating that no shell has been requested */
extern int no_shell_flag;
/* Flag indicating that ssh should daemonise after authentication is complete */
extern int fork_after_authentication_flag;
/* Control socket */
extern int muxserver_sock; /* XXX use mux_client_cleanup() instead */
@ -177,8 +179,6 @@ static u_int x11_refuse_time; /* If >0, refuse x11 opens after this time. */
static void client_init_dispatch(void);
int session_ident = -1;
int session_resumed = 0;
/* Track escape per proto2 channel */
struct escape_filter_ctx {
int escape_pending;
@ -296,6 +296,9 @@ client_x11_display_valid(const char *display)
{
size_t i, dlen;
if (display == NULL)
return 0;
dlen = strlen(display);
for (i = 0; i < dlen; i++) {
if (!isalnum((u_char)display[i]) &&
@ -309,35 +312,34 @@ client_x11_display_valid(const char *display)
#define SSH_X11_PROTO "MIT-MAGIC-COOKIE-1"
#define X11_TIMEOUT_SLACK 60
void
int
client_x11_get_proto(const char *display, const char *xauth_path,
u_int trusted, u_int timeout, char **_proto, char **_data)
{
char cmd[1024];
char line[512];
char xdisplay[512];
char cmd[1024], line[512], xdisplay[512];
char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
static char proto[512], data[512];
FILE *f;
int got_data = 0, generated = 0, do_unlink = 0, i;
char *xauthdir, *xauthfile;
int got_data = 0, generated = 0, do_unlink = 0, i, r;
struct stat st;
u_int now, x11_timeout_real;
xauthdir = xauthfile = NULL;
*_proto = proto;
*_data = data;
proto[0] = data[0] = '\0';
proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
debug("No xauth program.");
} else if (!client_x11_display_valid(display)) {
logit("DISPLAY '%s' invalid, falling back to fake xauth data",
if (!client_x11_display_valid(display)) {
if (display != NULL)
logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
display);
} else {
if (display == NULL) {
debug("x11_get_proto: DISPLAY not set");
return;
return -1;
}
if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
debug("No xauth program.");
xauth_path = NULL;
}
if (xauth_path != NULL) {
/*
* Handle FamilyLocal case where $DISPLAY does
* not match an authorization entry. For this we
@ -346,46 +348,61 @@ client_x11_get_proto(const char *display, const char *xauth_path,
* is not perfect.
*/
if (strncmp(display, "localhost:", 10) == 0) {
snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
display + 10);
if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
display + 10)) < 0 ||
(size_t)r >= sizeof(xdisplay)) {
error("%s: display name too long", __func__);
return -1;
}
display = xdisplay;
}
if (trusted == 0) {
xauthdir = xmalloc(PATH_MAX);
xauthfile = xmalloc(PATH_MAX);
mktemp_proto(xauthdir, PATH_MAX);
/*
* Generate an untrusted X11 auth cookie.
*
* The authentication cookie should briefly outlive
* ssh's willingness to forward X11 connections to
* avoid nasty fail-open behaviour in the X server.
*/
mktemp_proto(xauthdir, sizeof(xauthdir));
if (mkdtemp(xauthdir) == NULL) {
error("%s: mkdtemp: %s",
__func__, strerror(errno));
return -1;
}
do_unlink = 1;
if ((r = snprintf(xauthfile, sizeof(xauthfile),
"%s/xauthfile", xauthdir)) < 0 ||
(size_t)r >= sizeof(xauthfile)) {
error("%s: xauthfile path too long", __func__);
unlink(xauthfile);
rmdir(xauthdir);
return -1;
}
if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
x11_timeout_real = UINT_MAX;
else
x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
if (mkdtemp(xauthdir) != NULL) {
do_unlink = 1;
snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
xauthdir);
snprintf(cmd, sizeof(cmd),
if ((r = snprintf(cmd, sizeof(cmd),
"%s -f %s generate %s " SSH_X11_PROTO
" untrusted timeout %u 2>" _PATH_DEVNULL,
xauth_path, xauthfile, display,
x11_timeout_real);
debug2("x11_get_proto: %s", cmd);
x11_timeout_real)) < 0 ||
(size_t)r >= sizeof(cmd))
fatal("%s: cmd too long", __func__);
debug2("%s: %s", __func__, cmd);
if (x11_refuse_time == 0) {
now = monotime() + 1;
if (UINT_MAX - timeout < now)
x11_refuse_time = UINT_MAX;
else
x11_refuse_time = now + timeout;
channel_set_x11_refuse_time(
x11_refuse_time);
channel_set_x11_refuse_time(x11_refuse_time);
}
if (system(cmd) == 0)
generated = 1;
}
}
/*
* When in untrusted mode, we read the cookie only if it was
@ -406,17 +423,20 @@ client_x11_get_proto(const char *display, const char *xauth_path,
got_data = 1;
if (f)
pclose(f);
} else
error("Warning: untrusted X11 forwarding setup failed: "
"xauth key data not generated");
}
}
if (do_unlink) {
unlink(xauthfile);
rmdir(xauthdir);
}
free(xauthdir);
free(xauthfile);
/* Don't fall back to fake X11 data for untrusted forwarding */
if (!trusted && !got_data) {
error("Warning: untrusted X11 forwarding setup failed: "
"xauth key data not generated");
return -1;
}
/*
* If we didn't get authentication data, just make up some
@ -440,6 +460,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
rnd >>= 8;
}
}
return 0;
}
/*
@ -537,7 +559,6 @@ client_make_packets_from_stdin_data(void)
static void
client_check_window_change(void)
{
struct winsize ws;
if (! received_window_change_signal)
@ -550,7 +571,6 @@ client_check_window_change(void)
if (compat20) {
channel_send_window_changes();
} else {
#ifndef WIN32_FIXME
if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
return;
packet_start(SSH_CMSG_WINDOW_SIZE);
@ -559,7 +579,6 @@ client_check_window_change(void)
packet_put_int((u_int)ws.ws_xpixel);
packet_put_int((u_int)ws.ws_ypixel);
packet_send();
#endif
}
}
@ -748,7 +767,7 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
static void
client_process_net_input(fd_set *readset)
{
int len, cont = 0;
int len;
char buf[SSH_IOBUFSZ];
/*
@ -757,8 +776,8 @@ client_process_net_input(fd_set *readset)
*/
if (FD_ISSET(connection_in, readset)) {
/* Read as much as possible. */
len = roaming_read(connection_in, buf, sizeof(buf), &cont);
if (len == 0 && cont == 0) {
len = read(connection_in, buf, sizeof(buf));
if (len == 0) {
/*
* Received EOF. The remote host has closed the
* connection.
@ -907,7 +926,6 @@ process_cmdline(void)
leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
handler = signal(SIGINT, SIG_IGN);
cmd = s = read_passphrase("\r\nssh> ", RP_ECHO);
if (s == NULL)
goto out;
@ -1487,32 +1505,6 @@ client_simple_escape_filter(Channel *c, char *buf, int len)
buf, len);
}
#ifdef WIN32_FIXME
u_char * client_ansi_parser_filter(Channel *c, u_char **buf, u_int *len) {
/* TODO - account for error/extended stream*/
char *respbuf = NULL;
size_t resplen = 0;
if (c->client_tty) {
if (telProcessNetwork(buffer_ptr(&c->output), buffer_len(&c->output), &respbuf, &resplen) == 0)
buffer_clear(&c->output);
if (respbuf != NULL) {
sshbuf_put(&c->input, respbuf, resplen);
buffer_clear(&c->output);
}
*buf = buffer_ptr(&c->output);
*len = buffer_len(&c->output);
return *buf;
}
else {
*buf = buffer_ptr(&c->output);
*len = buffer_len(&c->output);
return *buf;
}
}
#endif
static void
client_channel_closed(int id, void *arg)
{
@ -1533,13 +1525,44 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
{
fd_set *readset = NULL, *writeset = NULL;
double start_time, total_time;
int r, max_fd = 0, max_fd2 = 0, len, rekeying = 0;
int r, max_fd = 0, max_fd2 = 0, len;
u_int64_t ibytes, obytes;
u_int nalloc = 0;
char buf[100];
debug("Entering interactive session.");
if (options.control_master &&
!option_clear_or_none(options.control_path)) {
debug("pledge: id");
if (pledge("stdio rpath wpath cpath unix inet dns recvfd proc exec id tty",
NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
} else if (options.forward_x11 || options.permit_local_command) {
debug("pledge: exec");
if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
} else if (options.update_hostkeys) {
debug("pledge: filesystem full");
if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
} else if (!option_clear_or_none(options.proxy_command) ||
fork_after_authentication_flag) {
debug("pledge: proc");
if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
} else {
debug("pledge: network");
if (pledge("stdio unix inet dns tty", NULL) == -1)
fatal("%s pledge(): %s", __func__, strerror(errno));
}
start_time = get_current_time();
/* Initialize variables. */
@ -1578,7 +1601,6 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
* Set signal handlers, (e.g. to restore non-blocking mode)
* but don't overwrite SIG_IGN, matches behaviour from rsh(1)
*/
if (signal(SIGHUP, SIG_IGN) != SIG_IGN)
signal(SIGHUP, signal_handler);
if (signal(SIGINT, SIG_IGN) != SIG_IGN)
@ -1597,11 +1619,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
if (session_ident != -1) {
if (escape_char_arg != SSH_ESCAPECHAR_NONE) {
channel_register_filter(session_ident,
#ifdef WIN32_FIXME
client_simple_escape_filter, client_ansi_parser_filter,
#else
client_simple_escape_filter, NULL,
#endif
client_filter_cleanup,
client_new_escape_filter_ctx(
escape_char_arg));
@ -1623,10 +1641,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
if (compat20 && session_closed && !channel_still_open())
break;
rekeying = (active_state->kex != NULL && !active_state->kex->done);
if (rekeying) {
if (ssh_packet_is_rekeying(active_state)) {
debug("rekeying in progress");
} else if (need_rekeying) {
/* manual rekey request */
debug("need rekeying");
if ((r = kex_start_rekex(active_state)) != 0)
fatal("%s: kex_start_rekex: %s", __func__,
ssh_err(r));
need_rekeying = 0;
} else {
/*
* Make packets of buffered stdin data, and buffer
@ -1657,23 +1680,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
*/
max_fd2 = max_fd;
client_wait_until_can_do_something(&readset, &writeset,
&max_fd2, &nalloc, rekeying);
&max_fd2, &nalloc, ssh_packet_is_rekeying(active_state));
if (quit_pending)
break;
/* Do channel operations unless rekeying in progress. */
if (!rekeying) {
if (!ssh_packet_is_rekeying(active_state))
channel_after_select(readset, writeset);
if (need_rekeying || packet_need_rekeying()) {
debug("need rekeying");
active_state->kex->done = 0;
if ((r = kex_send_kexinit(active_state)) != 0)
fatal("%s: kex_send_kexinit: %s",
__func__, ssh_err(r));
need_rekeying = 0;
}
}
/* Buffer input from the connection. */
client_process_net_input(readset);
@ -1691,14 +1705,6 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
client_process_output(writeset);
}
if (session_resumed) {
connection_in = packet_get_connection_in();
connection_out = packet_get_connection_out();
max_fd = MAX(max_fd, connection_out);
max_fd = MAX(max_fd, connection_in);
session_resumed = 0;
}
/*
* Send as much buffered packet data as possible to the
* sender.
@ -1792,7 +1798,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
}
/* Clear and free any buffers. */
memset(buf, 0, sizeof(buf));
explicit_bzero(buf, sizeof(buf));
buffer_free(&stdin_buffer);
buffer_free(&stdout_buffer);
buffer_free(&stderr_buffer);
@ -2570,18 +2576,15 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
options.ip_qos_interactive, options.ip_qos_bulk);
if (want_tty) {
#ifndef WIN32_FIXME
struct winsize ws;
/* Store window size in the packet. */
if (ioctl(in_fd, TIOCGWINSZ, &ws) < 0)
memset(&ws, 0, sizeof(ws));
#endif /* !WIN32_FIXME */
channel_request_start(id, "pty-req", 1);
client_expect_confirm(id, "PTY allocation", CONFIRM_TTY);
#ifndef WIN32_FIXME
packet_put_cstring(term != NULL ? term : "");
packet_put_int((u_int)ws.ws_col);
packet_put_int((u_int)ws.ws_row);
@ -2591,14 +2594,6 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
tiop = get_saved_tio();
tty_make_modes(-1, tiop);
#else
packet_put_cstring(term != NULL ? term : "ansi");
packet_put_int((u_int) ScreenX);
packet_put_int((u_int) ScrollBottom);
packet_put_int((u_int) 640);
packet_put_int((u_int) 480);
tty_make_modes(-1, NULL);
#endif /* else !WIN32_FIXME */
packet_send();
/* XXX wait for reply */
c->client_tty = 1;

4
clientloop.h
View File

@ -1,4 +1,4 @@
/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -39,7 +39,7 @@
/* Client side main loop for the interactive session. */
int client_loop(int, int, int);
void client_x11_get_proto(const char *, const char *, u_int, u_int,
int client_x11_get_proto(const char *, const char *, u_int, u_int,
char **, char **);
void client_global_request_reply_fwd(int, u_int32_t, void *);
void client_session2_setup(int, int, int, const char *, struct termios *,

2
compat.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: compat.c,v 1.97 2015/08/19 23:21:42 djm Exp $ */
/* $OpenBSD: compat.c,v 1.99 2016/05/24 02:31:57 dtucker Exp $ */
/*
* Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved.
*

169
compress.c
View File

@ -1,169 +0,0 @@
/* $OpenBSD: compress.c,v 1.26 2010/09/08 04:13:31 deraadt Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* Interface to packet compression for ssh.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#include "includes.h"
#include <sys/types.h>
#include <stdarg.h>
#include "log.h"
#include "buffer.h"
#include "compress.h"
#ifndef WIN32_ZLIB_NO
#include <zlib.h>
#endif
z_stream incoming_stream;
z_stream outgoing_stream;
static int compress_init_send_called = 0;
static int compress_init_recv_called = 0;
static int inflate_failed = 0;
static int deflate_failed = 0;
/*
* Initializes compression; level is compression level from 1 to 9
* (as in gzip).
*/
void
buffer_compress_init_send(int level)
{
if (compress_init_send_called == 1)
deflateEnd(&outgoing_stream);
compress_init_send_called = 1;
debug("Enabling compression at level %d.", level);
if (level < 1 || level > 9)
fatal("Bad compression level %d.", level);
deflateInit(&outgoing_stream, level);
}
void
buffer_compress_init_recv(void)
{
if (compress_init_recv_called == 1)
inflateEnd(&incoming_stream);
compress_init_recv_called = 1;
inflateInit(&incoming_stream);
}
/* Frees any data structures allocated for compression. */
void
buffer_compress_uninit(void)
{
debug("compress outgoing: raw data %llu, compressed %llu, factor %.2f",
(unsigned long long)outgoing_stream.total_in,
(unsigned long long)outgoing_stream.total_out,
outgoing_stream.total_in == 0 ? 0.0 :
(double) outgoing_stream.total_out / outgoing_stream.total_in);
debug("compress incoming: raw data %llu, compressed %llu, factor %.2f",
(unsigned long long)incoming_stream.total_out,
(unsigned long long)incoming_stream.total_in,
incoming_stream.total_out == 0 ? 0.0 :
(double) incoming_stream.total_in / incoming_stream.total_out);
if (compress_init_recv_called == 1 && inflate_failed == 0)
inflateEnd(&incoming_stream);
if (compress_init_send_called == 1 && deflate_failed == 0)
deflateEnd(&outgoing_stream);
}
/*
* Compresses the contents of input_buffer into output_buffer. All packets
* compressed using this function will form a single compressed data stream;
* however, data will be flushed at the end of every call so that each
* output_buffer can be decompressed independently (but in the appropriate
* order since they together form a single compression stream) by the
* receiver. This appends the compressed data to the output buffer.
*/
void
buffer_compress(Buffer * input_buffer, Buffer * output_buffer)
{
u_char buf[4096];
int status;
/* This case is not handled below. */
if (buffer_len(input_buffer) == 0)
return;
/* Input is the contents of the input buffer. */
outgoing_stream.next_in = buffer_ptr(input_buffer);
outgoing_stream.avail_in = buffer_len(input_buffer);
/* Loop compressing until deflate() returns with avail_out != 0. */
do {
/* Set up fixed-size output buffer. */
outgoing_stream.next_out = buf;
outgoing_stream.avail_out = sizeof(buf);
/* Compress as much data into the buffer as possible. */
status = deflate(&outgoing_stream, Z_PARTIAL_FLUSH);
switch (status) {
case Z_OK:
/* Append compressed data to output_buffer. */
buffer_append(output_buffer, buf,
sizeof(buf) - outgoing_stream.avail_out);
break;
default:
deflate_failed = 1;
fatal("buffer_compress: deflate returned %d", status);
/* NOTREACHED */
}
} while (outgoing_stream.avail_out == 0);
}
/*
* Uncompresses the contents of input_buffer into output_buffer. All packets
* uncompressed using this function will form a single compressed data
* stream; however, data will be flushed at the end of every call so that
* each output_buffer. This must be called for the same size units that the
* buffer_compress was called, and in the same order that buffers compressed
* with that. This appends the uncompressed data to the output buffer.
*/
void
buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer)
{
u_char buf[4096];
int status;
incoming_stream.next_in = buffer_ptr(input_buffer);
incoming_stream.avail_in = buffer_len(input_buffer);
for (;;) {
/* Set up fixed-size output buffer. */
incoming_stream.next_out = buf;
incoming_stream.avail_out = sizeof(buf);
status = inflate(&incoming_stream, Z_PARTIAL_FLUSH);
switch (status) {
case Z_OK:
buffer_append(output_buffer, buf,
sizeof(buf) - incoming_stream.avail_out);
break;
case Z_BUF_ERROR:
/*
* Comments in zlib.h say that we should keep calling
* inflate() until we get an error. This appears to
* be the error that we get.
*/
return;
default:
inflate_failed = 1;
fatal("buffer_uncompress: inflate returned %d", status);
/* NOTREACHED */
}
}
}

25
compress.h
View File

@ -1,25 +0,0 @@
/* $OpenBSD: compress.h,v 1.12 2006/03/25 22:22:43 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
* Interface to packet compression for ssh.
*
* As far as I am concerned, the code I have written for this software
* can be used freely for any purpose. Any derived versions of this
* software must be clearly marked as such, and if the derived work is
* incompatible with the protocol description in the RFC file, it must be
* called by a name other than "ssh" or "Secure Shell".
*/
#ifndef COMPRESS_H
#define COMPRESS_H
void buffer_compress_init_send(int);
void buffer_compress_init_recv(void);
void buffer_compress_uninit(void);
void buffer_compress(Buffer *, Buffer *);
void buffer_uncompress(Buffer *, Buffer *);
#endif /* COMPRESS_H */

1707
config.h.in
View File

File diff suppressed because it is too large Load Diff

36863
configure vendored
View File

File diff suppressed because it is too large Load Diff

204
configure.ac
View File

@ -140,7 +140,7 @@ else
fi
AC_ARG_WITH([ssh1],
[ --without-ssh1 Enable support for SSH protocol 1],
[ --with-ssh1 Enable support for SSH protocol 1],
[
if test "x$withval" = "xyes" ; then
if test "x$openssl" = "xno" ; then
@ -373,6 +373,7 @@ AC_CHECK_HEADERS([ \
dirent.h \
endian.h \
elf.h \
err.h \
features.h \
fcntl.h \
floatingpoint.h \
@ -381,6 +382,7 @@ AC_CHECK_HEADERS([ \
ia.h \
iaf.h \
inttypes.h \
langinfo.h \
limits.h \
locale.h \
login.h \
@ -433,6 +435,7 @@ AC_CHECK_HEADERS([ \
utmp.h \
utmpx.h \
vis.h \
wchar.h \
])
# lastlog.h requires sys/time.h to be included first on Solaris
@ -469,6 +472,11 @@ AC_CHECK_HEADERS([sys/un.h], [], [], [
SIA_MSG="no"
SPC_MSG="no"
SP_MSG="no"
SPP_MSG="no"
# Support for Solaris/Illumos privileges (this test is used by both
# the --with-solaris-privs option and --with-sandbox=solaris).
SOLARIS_PRIVS="no"
# Check for some target-specific stuff
case "$host" in
@ -575,13 +583,12 @@ case "$host" in
LIBS="$LIBS /usr/lib/textreadmode.o"
AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
[Define to disable UID restoration test])
AC_DEFINE([DISABLE_SHADOW], [1],
[Define if you want to disable shadow passwords])
AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
[Define if X11 doesn't support AF_UNIX sockets on that system])
AC_DEFINE([NO_IPPORT_RESERVED_CONCEPT], [1],
[Define if the concept of ports only accessible to
superusers isn't known])
AC_DEFINE([DISABLE_FD_PASSING], [1],
[Define if your platform needs to skip post auth
file descriptor passing])
@ -637,6 +644,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
supported by bsd-setproctitle.c])
AC_CHECK_FUNCS([sandbox_init])
AC_CHECK_HEADERS([sandbox.h])
AC_CHECK_LIB([sandbox], [sandbox_apply], [
SSHDLIBS="$SSHDLIBS -lsandbox"
])
;;
*-*-dragonfly*)
SSHDLIBS="$SSHDLIBS -lcrypt"
@ -787,6 +797,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
aarch64*-*)
seccomp_audit_arch=AUDIT_ARCH_AARCH64
;;
s390x-*)
seccomp_audit_arch=AUDIT_ARCH_S390X
;;
s390-*)
seccomp_audit_arch=AUDIT_ARCH_S390
;;
powerpc64-*)
seccomp_audit_arch=AUDIT_ARCH_PPC64
;;
powerpc64le-*)
seccomp_audit_arch=AUDIT_ARCH_PPC64LE
;;
mips-*)
seccomp_audit_arch=AUDIT_ARCH_MIPS
;;
mipsel-*)
seccomp_audit_arch=AUDIT_ARCH_MIPSEL
;;
mips64-*)
seccomp_audit_arch=AUDIT_ARCH_MIPS64
;;
mips64el-*)
seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
;;
esac
if test "x$seccomp_audit_arch" != "x" ; then
AC_MSG_RESULT(["$seccomp_audit_arch"])
@ -805,14 +839,13 @@ mips-sony-bsd|mips-sony-newsos4)
if test "x$withval" != "xno" ; then
need_dash_r=1
fi
CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
AC_CHECK_HEADER([net/if_tap.h], ,
AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
[Prepend the address family to IP tunnel traffic])
TEST_MALLOC_OPTIONS="AJRX"
AC_DEFINE([BROKEN_STRNVIS], [1],
[NetBSD strnvis argument order is swapped compared to OpenBSD])
AC_DEFINE([BROKEN_READ_COMPARISON], [1],
[NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
;;
@ -823,8 +856,6 @@ mips-sony-bsd|mips-sony-newsos4)
AC_CHECK_HEADER([net/if_tap.h], ,
AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
AC_DEFINE([BROKEN_STRNVIS], [1],
[FreeBSD strnvis argument order is swapped compared to OpenBSD])
TEST_MALLOC_OPTIONS="AJRX"
# Preauth crypto occasionally uses file descriptors for crypto offload
# and will crash if they cannot be opened.
@ -889,13 +920,17 @@ mips-sony-bsd|mips-sony-newsos4)
else
AC_MSG_RESULT([no])
fi
AC_CHECK_FUNCS([setpflags])
AC_CHECK_FUNCS([setppriv])
AC_CHECK_FUNCS([priv_basicset])
AC_CHECK_HEADERS([priv.h])
AC_ARG_WITH([solaris-contracts],
[ --with-solaris-contracts Enable Solaris process contracts (experimental)],
[
AC_CHECK_LIB([contract], [ct_tmpl_activate],
[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
[Define if you have Solaris process contracts])
SSHDLIBS="$SSHDLIBS -lcontract"
LIBS="$LIBS -lcontract"
SPC_MSG="yes" ], )
],
)
@ -905,10 +940,29 @@ mips-sony-bsd|mips-sony-newsos4)
AC_CHECK_LIB([project], [setproject],
[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
[Define if you have Solaris projects])
SSHDLIBS="$SSHDLIBS -lproject"
LIBS="$LIBS -lproject"
SP_MSG="yes" ], )
],
)
AC_ARG_WITH([solaris-privs],
[ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)],
[
AC_MSG_CHECKING([for Solaris/Illumos privilege support])
if test "x$ac_cv_func_setppriv" = "xyes" -a \
"x$ac_cv_header_priv_h" = "xyes" ; then
SOLARIS_PRIVS=yes
AC_MSG_RESULT([found])
AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
[Define to disable UID restoration test])
AC_DEFINE([USE_SOLARIS_PRIVS], [1],
[Define if you have Solaris privileges])
SPP_MSG="yes"
else
AC_MSG_RESULT([not found])
AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
fi
],
)
TEST_SHELL=$SHELL # let configure find us a capable shell
;;
*-*-sunos4*)
@ -1122,7 +1176,6 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
dnl Checks for header files.
# Checks for libraries.
AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])])
AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
dnl IRIX and Solaris 2.5.1 have dirname() in libgen
@ -1286,8 +1339,10 @@ AC_SEARCH_LIBS([openpty], [util bsd])
AC_SEARCH_LIBS([updwtmp], [util bsd])
AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
# On some platforms, inet_ntop may be found in libresolv or libnsl.
# On some platforms, inet_ntop and gethostbyname may be found in libresolv
# or libnsl.
AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
AC_FUNC_STRFTIME
@ -1345,6 +1400,9 @@ g.gl_statv = NULL;
AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
AC_CHECK_DECL([VIS_ALL], ,
AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
@ -1633,6 +1691,8 @@ AC_CHECK_FUNCS([ \
closefrom \
dirfd \
endgrent \
err \
errx \
explicit_bzero \
fchmod \
fchown \
@ -1659,7 +1719,6 @@ AC_CHECK_FUNCS([ \
inet_ntop \
innetgr \
login_getcapbool \
mblen \
md5_crypt \
memmove \
memset_s \
@ -1669,6 +1728,7 @@ AC_CHECK_FUNCS([ \
nsleep \
ogetaddrinfo \
openlog_r \
pledge \
poll \
prctl \
pstat \
@ -1723,8 +1783,15 @@ AC_CHECK_FUNCS([ \
vasprintf \
vsnprintf \
waitpid \
warn \
])
dnl Wide character support. Linux man page says it needs _XOPEN_SOURCE.
saved_CFLAGS="$CFLAGS"
CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
CFLAGS="$saved_CFLAGS"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM(
[[ #include <ctype.h> ]],
@ -1732,8 +1799,18 @@ AC_LINK_IFELSE(
[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
])
disable_pkcs11=
AC_ARG_ENABLE([pkcs11],
[ --disable-pkcs11 disable PKCS#11 support code [no]],
[
if test "x$enableval" = "xno" ; then
disable_pkcs11=1
fi
]
)
# PKCS11 depends on OpenSSL.
if test "x$openssl" = "xyes" ; then
if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
# PKCS#11 support requires dlopen() and co
AC_SEARCH_LIBS([dlopen], [dl],
[AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])]
@ -2252,6 +2329,41 @@ if test "x$check_for_conflicting_getspnam" = "x1"; then
)
fi
dnl NetBSD added an strnvis and unfortunately made it incompatible with the
dnl existing one in OpenBSD and Linux's libbsd (the former having existed
dnl for over ten years). Despite this incompatibility being reported during
dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
dnl implementation. Try to detect this mess, and assume the only safe option
dnl if we're cross compiling.
dnl
dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
dnl NetBSD: 2012, strnvis(char *dst, size_t dlen, const char *src, int flag);
if test "x$ac_cv_func_strnvis" = "xyes"; then
AC_MSG_CHECKING([for working strnvis])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <vis.h>
static void sighandler(int sig) { _exit(1); }
]], [[
char dst[16];
signal(SIGSEGV, sighandler);
if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
exit(0);
exit(1)
]])],
[AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no])
AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
[AC_MSG_WARN([cross compiling: assuming broken])
AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
)
fi
AC_FUNC_GETPGRP
# Search for OpenSSL
@ -2309,10 +2421,10 @@ openssl_engine=no
AC_ARG_WITH([ssl-engine],
[ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
[
if test "x$withval" != "xno" ; then
if test "x$openssl" = "xno" ; then
AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
fi
if test "x$withval" != "xno" ; then
openssl_engine=yes
fi
]
@ -2345,6 +2457,7 @@ if test "x$openssl" = "xyes" ; then
AC_MSG_CHECKING([OpenSSL header version])
AC_RUN_IFELSE(
[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <openssl/opensslv.h>
@ -2357,7 +2470,9 @@ if test "x$openssl" = "xyes" ; then
if(fd == NULL)
exit(1);
if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
if ((rc = fprintf(fd, "%08lx (%s)\n",
(unsigned long)OPENSSL_VERSION_NUMBER,
OPENSSL_VERSION_TEXT)) < 0)
exit(1);
exit(0);
@ -2392,8 +2507,8 @@ if test "x$openssl" = "xyes" ; then
if(fd == NULL)
exit(1);
if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
SSLeay_version(SSLEAY_VERSION))) <0)
if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
SSLeay_version(SSLEAY_VERSION))) < 0)
exit(1);
exit(0);
@ -2424,6 +2539,7 @@ if test "x$openssl" = "xyes" ; then
[AC_LANG_PROGRAM([[
#include <string.h>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
]], [[
exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
]])],
@ -2567,7 +2683,8 @@ if test "x$openssl" = "xyes" ; then
[
AC_MSG_RESULT([no])
unsupported_algorithms="$unsupported_cipers \
aes128-gcm@openssh.com aes256-gcm@openssh.com"
aes128-gcm@openssh.com \
aes256-gcm@openssh.com"
]
)
@ -2610,16 +2727,18 @@ if test "x$openssl" = "xyes" ; then
# Search for SHA256 support in libc and/or OpenSSL
AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
[unsupported_algorithms="$unsupported_algorithms \
hmac-sha2-256 hmac-sha2-512 \
hmac-sha2-256 \
hmac-sha2-512 \
diffie-hellman-group-exchange-sha256 \
hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
hmac-sha2-256-etm@openssh.com \
hmac-sha2-512-etm@openssh.com"
]
)
# Search for RIPE-MD support in OpenSSL
AC_CHECK_FUNCS([EVP_ripemd160], ,
[unsupported_algorithms="$unsupported_algorithms \
hmac-ripemd160
hmac-ripemd160@openssh.com
hmac-ripemd160 \
hmac-ripemd160@openssh.com \
hmac-ripemd160-etm@openssh.com"
]
)
@ -2720,24 +2839,30 @@ if test "x$openssl" = "xyes" ; then
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp256 \
ecdh-sha2-nistp256 \
ecdsa-sha2-nistp256-cert-v01@openssh.com"
fi
if test x$enable_nistp384 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
unsupported_algorithms="$unsupported_algorithms \
ecdsa-sha2-nistp384 \
ecdh-sha2-nistp384 \
ecdsa-sha2-nistp384-cert-v01@openssh.com"
fi
if test x$enable_nistp521 = x1; then
AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
TEST_SSH_ECC=yes
COMMENT_OUT_ECC=""
else
unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
unsupported_algorithms="$unsupported_algorithms \
ecdh-sha2-nistp521 \
ecdsa-sha2-nistp521 \
ecdsa-sha2-nistp521-cert-v01@openssh.com"
fi
AC_SUBST([TEST_SSH_ECC])
@ -2998,7 +3123,7 @@ fi
# Decide which sandbox style to use
sandbox_arg=""
AC_ARG_WITH([sandbox],
[ --with-sandbox=style Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
[ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
[
if test "x$withval" = "xyes" ; then
sandbox_arg=""
@ -3094,7 +3219,13 @@ AC_RUN_IFELSE(
[AC_MSG_WARN([cross compiling: assuming yes])]
)
if test "x$sandbox_arg" = "xsystrace" || \
if test "x$sandbox_arg" = "xpledge" || \
( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
test "x$ac_cv_func_pledge" != "xyes" && \
AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
SANDBOX_STYLE="pledge"
AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
elif test "x$sandbox_arg" = "xsystrace" || \
( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
test "x$have_systr_policy_kill" != "x1" && \
AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
@ -3147,6 +3278,10 @@ elif test "x$sandbox_arg" = "xrlimit" || \
AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
SANDBOX_STYLE="rlimit"
AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
elif test "x$sandbox_arg" = "xsolaris" || \
( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
SANDBOX_STYLE="solaris"
AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
SANDBOX_STYLE="none"
@ -3970,7 +4105,10 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
#include <arpa/nameser.h>
#include <resolv.h>
extern struct __res_state _res;
]], [[ ]])],
]], [[
struct __res_state *volatile p = &_res; /* force resolution of _res */
return 0;
]],)],
[AC_MSG_RESULT([yes])
AC_DEFINE([HAVE__RES_EXTERN], [1],
[Define if you have struct __res_state _res as an extern])
@ -4063,7 +4201,6 @@ AC_ARG_WITH([kerberos5],
[K5LIBS="$K5LIBS -ldes"])
], [ AC_MSG_RESULT([no])
K5LIBS="-lkrb5 -lk5crypto -lcom_err"
])
AC_SEARCH_LIBS([dn_expand], [resolv])
@ -4933,6 +5070,7 @@ echo " MD5 password support: $MD5_MSG"
echo " libedit support: $LIBEDIT_MSG"
echo " Solaris process contract support: $SPC_MSG"
echo " Solaris project support: $SP_MSG"
echo " Solaris privilege support: $SPP_MSG"
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
echo " BSD Auth support: $BSD_AUTH_MSG"

8
contrib/Makefile
View File

@ -1,15 +1,17 @@
PKG_CONFIG = pkg-config
all:
@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
gnome-ssh-askpass1: gnome-ssh-askpass1.c
$(CC) `gnome-config --cflags gnome gnomeui` \
$(CC) $(CFLAGS) `gnome-config --cflags gnome gnomeui` \
gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
`gnome-config --libs gnome gnomeui`
gnome-ssh-askpass2: gnome-ssh-askpass2.c
$(CC) `pkg-config --cflags gtk+-2.0` \
$(CC) $(CFLAGS) `$(PKG_CONFIG) --cflags gtk+-2.0` \
gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
`pkg-config --libs gtk+-2.0 x11`
`$(PKG_CONFIG) --libs gtk+-2.0 x11`
clean:
rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass

2
contrib/README
View File

@ -11,7 +11,7 @@ which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
https CONNECT style proxy server. His page for connect.c has extensive
documentation on its use as well as compiled versions for Win32.
http://www.taiyo.co.jp/~gotoh/ssh/connect.html
https://bitbucket.org/gotoh/connect/wiki/Home
X11 SSH Askpass:

366
contrib/caldera/openssh.spec
View File

@ -1,366 +0,0 @@
# Some of this will need re-evaluation post-LSB. The SVIdir is there
# because the link appeared broken. The rest is for easy compilation,
# the tradeoff open to discussion. (LC957)
%define SVIdir /etc/rc.d/init.d
%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages}
%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons}
%define _mandir %{_prefix}/share/man/en
%define _sysconfdir /etc/ssh
%define _libexecdir %{_libdir}/ssh
# Do we want to disable root_login? (1=yes 0=no)
%define no_root_login 0
#old cvs stuff. please update before use. may be deprecated.
%define use_stable 1
%define version 5.9p1
%if %{use_stable}
%define cvs %{nil}
%define release 1
%else
%define cvs cvs20050315
%define release 0r1
%endif
%define xsa x11-ssh-askpass
%define askpass %{xsa}-1.2.4.1
# OpenSSH privilege separation requires a user & group ID
%define sshd_uid 67
%define sshd_gid 67
Name : openssh
Version : %{version}%{cvs}
Release : %{release}
Group : System/Network
Summary : OpenSSH free Secure Shell (SSH) implementation.
Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH).
Summary(es) : OpenSSH implementación libre de Secure Shell (SSH).
Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH).
Summary(it) : Implementazione gratuita OpenSSH della Secure Shell.
Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH).
Copyright : BSD
Packager : Raymund Will <ray@caldera.de>
URL : http://www.openssh.com/
Obsoletes : ssh, ssh-clients, openssh-clients
BuildRoot : /tmp/%{name}-%{version}
BuildRequires : XFree86-imake
# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
Source0: see-above:/.../openssh-%{version}.tar.gz
%if %{use_stable}
Source1: see-above:/.../openssh-%{version}.tar.gz.asc
%endif
Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz
Source3: http://www.openssh.com/faq.html
%Package server
Group : System/Network
Requires : openssh = %{version}
Obsoletes : ssh-server
Summary : OpenSSH Secure Shell protocol server (sshd).
Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd).
Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd).
Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd).
Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd).
Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd).
%Package askpass
Group : System/Network
Requires : openssh = %{version}
URL : http://www.jmknoble.net/software/x11-ssh-askpass/
Obsoletes : ssh-extras
Summary : OpenSSH X11 pass-phrase dialog.
Summary(de) : OpenSSH X11 Passwort-Dialog.
Summary(es) : Aplicación de petición de frase clave OpenSSH X11.
Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH.
Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH.
Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH.
Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH.
%Description
OpenSSH (Secure Shell) provides access to a remote system. It replaces
telnet, rlogin, rexec, and rsh, and provides secure encrypted
communications between two untrusted hosts over an insecure network.
X11 connections and arbitrary TCP/IP ports can also be forwarded over
the secure channel.
%Description -l de
OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
über den sicheren Channel weitergeleitet werden.
%Description -l es
OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
entre dos equipos entre los que no se ha establecido confianza a través de una
red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
ser canalizadas sobre el canal seguro.
%Description -l fr
OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
connexions X11 et des ports TCP/IP arbitraires peuvent également être
transmis sur le canal sécurisé.
%Description -l it
OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
e crittate tra due host non fidati su una rete non sicura. Le connessioni
X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
un canale sicuro.
%Description -l pt
OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
entre duas máquinas sem confiança mútua sobre uma rede insegura.
Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
pelo canal seguro.
%Description -l pt_BR
O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
entre duas máquinas sem confiança mútua sobre uma rede insegura.
Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
pelo canal seguro.
%Description server
This package installs the sshd, the server portion of OpenSSH.
%Description -l de server
Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
%Description -l es server
Este paquete instala sshd, la parte servidor de OpenSSH.
%Description -l fr server
Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
%Description -l it server
Questo pacchetto installa sshd, il server di OpenSSH.
%Description -l pt server
Este pacote intala o sshd, o servidor do OpenSSH.
%Description -l pt_BR server
Este pacote intala o sshd, o servidor do OpenSSH.
%Description askpass
This package contains an X11-based pass-phrase dialog used per
default by ssh-add(1). It is based on %{askpass}
by Jim Knoble <jmknoble@pobox.com>.
%Prep
%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
%if ! %{use_stable}
autoreconf
%endif
%Build
CFLAGS="$RPM_OPT_FLAGS" \
%configure \
--with-pam \
--with-tcp-wrappers \
--with-privsep-path=%{_var}/empty/sshd \
#leave this line for easy edits.
%__make
cd %{askpass}
%configure \
#leave this line for easy edits.
xmkmf
%__make includes
%__make
%Install
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
make install DESTDIR=%{buildroot}
%makeinstall -C %{askpass} \
BINDIR=%{_libexecdir} \
MANPATH=%{_mandir} \
DESTDIR=%{buildroot}
# OpenLinux specific configuration
mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
mkdir -p %{buildroot}%{_var}/empty/sshd
# enabling X11 forwarding on the server is convenient and okay,
# on the client side it's a potential security risk!
%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
%{buildroot}%{_sysconfdir}/sshd_config
%if %{no_root_login}
%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
%{buildroot}%{_sysconfdir}/sshd_config
%endif
install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
# FIXME: disabled, find out why this doesn't work with nis
%__perl -pi -e 's:(.*pam_limits.*):#$1:' \
%{buildroot}/etc/pam.d/sshd
install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
# the last one is needless, but more future-proof
find %{buildroot}%{SVIdir} -type f -exec \
%__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
s:\@sysconfdir\@:%{_sysconfdir}:g; \
s:/usr/sbin:%{_sbindir}:g'\
\{\} \;
cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
IDENT=sshd
DESCRIPTIVE="OpenSSH secure shell daemon"
# This service will be marked as 'skipped' on boot if there
# is no host key. Use ssh-host-keygen to generate one
ONBOOT="yes"
OPTIONS=""
EoD
SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
install -m 0755 contrib/caldera/ssh-host-keygen $SKG
# Fix up some path names in the keygen toy^Hol
%__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
%{buildroot}%{_sbindir}/ssh-host-keygen
# This looks terrible. Expect it to change.
# install remaining docs
DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
mkdir -p $DocD/%{askpass}
cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD
install -p -m 0444 %{SOURCE3} $DocD/faq.html
cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
%if %{use_stable}
cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
%else
cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
%endif
find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf
rm %{buildroot}%{_mandir}/man1/slogin.1 && \
ln -s %{_mandir}/man1/ssh.1.gz \
%{buildroot}%{_mandir}/man1/slogin.1.gz
%Clean
#%{rmDESTDIR}
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
%Post
# Generate host key when none is present to get up and running,
# both client and server require this for host-based auth!
# ssh-host-keygen checks for existing keys.
/usr/sbin/ssh-host-keygen
: # to protect the rpm database
%pre server
%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
-c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
: # to protect the rpm database
%Post server
if [ -x %{LSBinit}-install ]; then
%{LSBinit}-install sshd
else
lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
fi
! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
: # to protect the rpm database
%PreUn server
[ "$1" = 0 ] || exit 0
! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
if [ -x %{LSBinit}-remove ]; then
%{LSBinit}-remove sshd
else
lisa --SysV-init remove sshd $1
fi
: # to protect the rpm database
%Files
%defattr(-,root,root)
%dir %{_sysconfdir}
%config %{_sysconfdir}/ssh_config
%{_bindir}/scp
%{_bindir}/sftp
%{_bindir}/ssh
%{_bindir}/slogin
%{_bindir}/ssh-add
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%{_bindir}/ssh-keygen
%{_bindir}/ssh-keyscan
%dir %{_libexecdir}
%attr(4711,root,root) %{_libexecdir}/ssh-keysign
%{_libexecdir}/ssh-pkcs11-helper
%{_sbindir}/ssh-host-keygen
%dir %{_defaultdocdir}/%{name}-%{version}
%{_defaultdocdir}/%{name}-%{version}/CREDITS
%{_defaultdocdir}/%{name}-%{version}/ChangeLog
%{_defaultdocdir}/%{name}-%{version}/LICENCE
%{_defaultdocdir}/%{name}-%{version}/OVERVIEW
%{_defaultdocdir}/%{name}-%{version}/README*
%{_defaultdocdir}/%{name}-%{version}/TODO
%{_defaultdocdir}/%{name}-%{version}/faq.html
%{_mandir}/man1/*
%{_mandir}/man8/ssh-keysign.8.gz
%{_mandir}/man8/ssh-pkcs11-helper.8.gz
%{_mandir}/man5/ssh_config.5.gz
%Files server
%defattr(-,root,root)
%dir %{_var}/empty/sshd
%config %{SVIdir}/sshd
%config /etc/pam.d/sshd
%config %{_sysconfdir}/moduli
%config %{_sysconfdir}/sshd_config
%config %{SVIcdir}/sshd
%{_libexecdir}/sftp-server
%{_sbindir}/sshd
%{_mandir}/man5/moduli.5.gz
%{_mandir}/man5/sshd_config.5.gz
%{_mandir}/man8/sftp-server.8.gz
%{_mandir}/man8/sshd.8.gz
%Files askpass
%defattr(-,root,root)
%{_libexecdir}/ssh-askpass
%{_libexecdir}/x11-ssh-askpass
%{_defaultdocdir}/%{name}-%{version}/%{askpass}
%ChangeLog
* Tue Jan 18 2011 Tim Rice <tim@multitalents.net>
- Use CFLAGS from Makefile instead of RPM so build completes.
- Signatures were changed to .asc since 4.1p1.
* Mon Jan 01 1998 ...
Template Version: 1.31
$Id: openssh.spec,v 1.75.2.1 2011/09/05 00:28:11 djm Exp $

36
contrib/caldera/ssh-host-keygen
View File

@ -1,36 +0,0 @@
#! /bin/sh
#
# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
#
# This script is normally run only *once* for a given host
# (in a given period of time) -- on updates/upgrades/recovery
# the ssh_host_key* files _should_ be retained! Otherwise false
# "man-in-the-middle-attack" alerts will frighten unsuspecting
# clients...
keydir=@sysconfdir@
keygen=@sshkeygen@
if [ -f $keydir/ssh_host_key -o \
-f $keydir/ssh_host_key.pub ]; then
echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
else
echo "Generating SSH1 RSA host key."
$keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
fi
if [ -f $keydir/ssh_host_rsa_key -o \
-f $keydir/ssh_host_rsa_key.pub ]; then
echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
else
echo "Generating SSH2 RSA host key."
$keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
fi
if [ -f $keydir/ssh_host_dsa_key -o \
-f $keydir/ssh_host_dsa_key.pub ]; then
echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
else
echo "Generating SSH2 DSA host key."
$keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
fi

125
contrib/caldera/sshd.init
View File

@ -1,125 +0,0 @@
#! /bin/bash
#
# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
#
### BEGIN INIT INFO
# Provides:
# Required-Start: $network
# Required-Stop:
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Description: sshd
# Bring up/down the OpenSSH secure shell daemon.
### END INIT INFO
#
# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
# Modified for OpenLinux by Raymund Will <ray@caldera.de>
NAME=sshd
DAEMON=/usr/sbin/$NAME
# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem
# created by recent OpenSSH daemon/ssd combinations. See Caldera internal
# PR [linux/8278] for details...
PIDF=/var/run/$NAME.pid
NAME=$DAEMON
_status() {
[ -z "$1" ] || local pidf="$1"
local ret=-1
local pid
if [ -n "$pidf" ] && [ -r "$pidf" ]; then
pid=$(head -1 $pidf)
else
pid=$(pidof $NAME)
fi
if [ ! -e $SVIlock ]; then
# no lock-file => not started == stopped?
ret=3
elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
# pid-file given but not present or no pid => died, but was not stopped
ret=2
elif [ -r /proc/$pid/cmdline ] &&
echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
# pid-file given and present or pid found => check process...
# but don't compare exe, as this will fail after an update!
# compares OK => all's well, that ends well...
ret=0
else
# no such process or exe does not match => stale pid-file or process died
# just recently...
ret=1
fi
return $ret
}
# Source function library (and set vital variables).
. @SVIdir@/functions
case "$1" in
start)
[ ! -e $SVIlock ] || exit 0
[ -x $DAEMON ] || exit 5
SVIemptyConfig @sysconfdir@/sshd_config && exit 6
if [ ! \( -f @sysconfdir@/ssh_host_key -a \
-f @sysconfdir@/ssh_host_key.pub \) -a \
! \( -f @sysconfdir@/ssh_host_rsa_key -a \
-f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
! \( -f @sysconfdir@/ssh_host_dsa_key -a \
-f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
echo "$SVIsubsys: host key not initialized: skipped!"
echo "$SVIsubsys: use ssh-host-keygen to generate one!"
exit 6
fi
echo -n "Starting $SVIsubsys services: "
ssd -S -x $DAEMON -n $NAME -- $OPTIONS
ret=$?
echo "."
touch $SVIlock
;;
stop)
[ -e $SVIlock ] || exit 0
echo -n "Stopping $SVIsubsys services: "
ssd -K -p $PIDF -n $NAME
ret=$?
echo "."
rm -f $SVIlock
;;
force-reload|reload)
[ -e $SVIlock ] || exit 0
echo "Reloading $SVIsubsys configuration files: "
ssd -K --signal 1 -q -p $PIDF -n $NAME
ret=$?
echo "done."
;;
restart)
$0 stop
$0 start
ret=$?
;;
status)
_status $PIDF
ret=$?
;;
*)
echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
ret=2
;;
esac
exit $ret

8
contrib/caldera/sshd.pam
View File

@ -1,8 +0,0 @@
#%PAM-1.0
auth required /lib/security/pam_pwdb.so shadow nodelay
account required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
session required /lib/security/pam_limits.so

29
contrib/cygwin/Makefile
View File

@ -36,21 +36,20 @@ install-inetd-config:
install-sshdoc:
$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
$(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
-$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
-$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
-$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
-$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
-$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
-$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
-$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
-$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
-$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
-$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
install-cygwindoc: README
$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)

212
contrib/cygwin/README
View File

@ -4,115 +4,18 @@ The binary package is usually built for recent Cygwin versions and might
not run on older versions. Please check http://cygwin.com/ for information
about current Cygwin releases.
Build instructions are at the end of the file.
===========================================================================
Important change since 3.7.1p2-2:
The ssh-host-config file doesn't create the /etc/ssh_config and
/etc/sshd_config files from builtin here-scripts anymore, but it uses
skeleton files installed in /etc/defaults/etc.
Also it now tries hard to create appropriate permissions on files.
Same applies for ssh-user-config.
After creating the sshd service with ssh-host-config, it's advisable to
call ssh-user-config for all affected users, also already exising user
configurations. In the latter case, file and directory permissions are
checked and changed, if requireed to match the host configuration.
Important note for Windows 2003 Server users:
---------------------------------------------
2003 Server has a funny new feature. When starting services under SYSTEM
account, these services have nearly all user rights which SYSTEM holds...
except for the "Create a token object" right, which is needed to allow
public key authentication :-(
There's no way around this, except for creating a substitute account which
has the appropriate privileges. Basically, this account should be member
of the administrators group, plus it should have the following user rights:
Create a token object
Logon as a service
Replace a process level token
Increase Quota
The ssh-host-config script asks you, if it should create such an account,
called "sshd_server". If you say "no" here, you're on your own. Please
follow the instruction in ssh-host-config exactly if possible. Note that
ssh-user-config sets the permissions on 2003 Server machines dependent of
whether a sshd_server account exists or not.
===========================================================================
===========================================================================
Important change since 3.4p1-2:
This version adds privilege separation as default setting, see
/usr/doc/openssh/README.privsep. According to that document the
privsep feature requires a non-privileged account called 'sshd'.
The new ssh-host-config file which is part of this version asks
to create 'sshd' as local user if you want to use privilege
separation. If you confirm, it creates that NT user and adds
the necessary entry to /etc/passwd.
On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
since that feature doesn't make any sense on a system which doesn't
differ between privileged and unprivileged users.
The new ssh-host-config script also adds the /var/empty directory
needed by privilege separation. When creating the /var/empty directory
by yourself, please note that in contrast to the README.privsep document
the owner sshould not be "root" but the user which is running sshd. So,
in the standard configuration this is SYSTEM. The ssh-host-config script
chowns /var/empty accordingly.
===========================================================================
===========================================================================
Important change since 3.0.1p1-2:
This version introduces the ability to register sshd as service on
Windows 9x/Me systems. This is done only when the options -D and/or
-d are not given.
===========================================================================
===========================================================================
Important change since 2.9p2:
Since Cygwin is able to switch user context without password beginning
with version 1.3.2, OpenSSH now allows to do so when it's running under
a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
allow that feature.
===========================================================================
===========================================================================
Important change since 2.3.0p1:
When using `ntea' or `ntsec' you now have to care for the ownership
and permission bits of your host key files and your private key files.
The host key files have to be owned by the NT account which starts
sshd. The user key files have to be owned by the user. The permission
bits of the private key files (host and user) have to be at least
rw------- (0600)!
Note that this is forced under `ntsec' only if the files are on a NTFS
filesystem (which is recommended) due to the lack of any basic security
features of the FAT/FAT32 filesystems.
===========================================================================
==================
Host configuration
==================
If you are installing OpenSSH the first time, you can generate global config
files and server keys by running
files and server keys, as well as installing sshd as a service, by running
/usr/bin/ssh-host-config
Note that this binary archive doesn't contain default config files in /etc.
That files are only created if ssh-host-config is started.
If you are updating your installation you may run the above ssh-host-config
as well to move your configuration files to the new location and to
erase the files at the old location.
To support testing and unattended installation ssh-host-config got
some options:
@ -122,18 +25,28 @@ Options:
--yes -y Answer all questions with "yes" automatically.
--no -n Answer all questions with "no" automatically.
--cygwin -c <options> Use "options" as value for CYGWIN environment var.
--name -N <name> sshd windows service name.
--port -p <n> sshd listens on port n.
--pwd -w <passwd> Use "pwd" as password for user 'sshd_server'.
--user -u <account> privileged user for service, default 'cyg_server'.
--pwd -w <passwd> Use "pwd" as password for privileged user.
--privileged On Windows XP, require privileged user
instead of LocalSystem for sshd service.
Additionally ssh-host-config now asks if it should install sshd as a
service when running under NT/W2K. This requires cygrunsrv installed.
Installing sshd as daemon via ssh-host-config is recommended.
You can create the private and public keys for a user now by running
Alternatively you can start sshd via inetd, if you have the inetutils
package installed. Just run ssh-host-config, but answer "no" when asked
to install sshd as service. The ssh-host-config script also adds the
required lines to /etc/inetd.conf and /etc/services.
==================
User configuration
==================
Any user can simplify creating the own private and public keys by running
/usr/bin/ssh-user-config
under the users account.
To support testing and unattended installation ssh-user-config got
some options as well:
@ -144,88 +57,29 @@ Options:
--no -n Answer all questions with "no" automatically.
--passphrase -p word Use "word" as passphrase automatically.
Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
(results in very slow deamon startup!) or from the command line (recommended
on 9X/ME).
If you start sshd as deamon via cygrunsrv.exe you MUST give the
"-D" option to sshd. Otherwise the service can't get started at all.
If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
following line to your inetd.conf file:
ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
Moreover you'll have to add the following line to your
${SYSTEMROOT}/system32/drivers/etc/services file:
ssh 22/tcp #SSH daemon
Please note that OpenSSH does never use the value of $HOME to
search for the users configuration files! It always uses the
value of the pw_dir field in /etc/passwd as the home directory.
If no home diretory is set in /etc/passwd, the root directory
is used instead!
You may use all features of the CYGWIN=ntsec setting the same
way as they are used by Cygwin's login(1) port:
================
Building OpenSSH
================
The pw_gecos field may contain an additional field, that begins
with (upper case!) "U-", followed by the domain and the username
separated by a backslash.
CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
BTW: The field separator in pw_gecos is the comma.
The username in pw_name itself may be any nice name:
Building from source is easy. Just unpack the source archive, cd to that
directory, and call cygport:
domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
cygport openssh.cygport all
Now you may use `domuser' as your login name with telnet!
This is possible additionally for local users, if you don't like
your NT login name ;-) You only have to leave out the domain:
You must have installed the following packages to be able to build OpenSSH
with the aforementioned cygport script:
locuser::1104:513:John Doe,U-user,S-1-5-21-...
Note that the CYGWIN=ntsec setting is required for public key authentication.
SSH2 server and user keys are generated by the `ssh-*-config' scripts
as well.
If you want to build from source, the following options to
configure are used for the Cygwin binary distribution:
--prefix=/usr \
--sysconfdir=/etc \
--libexecdir='${sbindir}' \
--localstatedir=/var \
--datadir='${prefix}/share' \
--mandir='${datadir}/man' \
--infodir='${datadir}/info'
--with-tcp-wrappers
--with-libedit
If you want to create a Cygwin package, equivalent to the one
in the Cygwin binary distribution, install like this:
mkdir /tmp/cygwin-ssh
cd ${builddir}
make install DESTDIR=/tmp/cygwin-ssh
cd ${srcdir}/contrib/cygwin
make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
cd /tmp/cygwin-ssh
find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
You must have installed the following packages to be able to build OpenSSH:
- zlib
- openssl-devel
If you want to build with --with-tcp-wrappers, you also need the package
- tcp_wrappers
If you want to build with --with-libedit, you also need the package
- libedit-devel
zlib
crypt
openssl-devel
libedit-devel
libkrb5-devel
Please send requests, error reports etc. to cygwin@cygwin.com.

275
contrib/cygwin/ssh-host-config
View File

@ -1,6 +1,6 @@
#!/bin/bash
#
# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
@ -34,9 +34,9 @@ declare -a csih_required_commands=(
/usr/bin/mv coreutils
/usr/bin/rm coreutils
/usr/bin/cygpath cygwin
/usr/bin/mkpasswd cygwin
/usr/bin/mount cygwin
/usr/bin/ps cygwin
/usr/bin/setfacl cygwin
/usr/bin/umount cygwin
/usr/bin/cmp diffutils
/usr/bin/grep grep
@ -59,62 +59,16 @@ PREFIX=/usr
SYSCONFDIR=/etc
LOCALSTATEDIR=/var
sshd_config_configured=no
port_number=22
privsep_configured=no
service_name=sshd
strictmodes=yes
privsep_used=yes
cygwin_value=""
user_account=
password_value=
opt_force=no
# ======================================================================
# Routine: create_host_keys
# ======================================================================
create_host_keys() {
local ret=0
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
then
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
let ++ret
fi
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
then
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
let ++ret
fi
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
then
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
let ++ret
fi
fi
if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
then
csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
then
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
let ++ret
fi
fi
return $ret
} # --- End of create_host_keys --- #
# ======================================================================
# Routine: update_services_file
# ======================================================================
@ -137,28 +91,8 @@ update_services_file() {
# Depends on the above mount
_wservices=`cygpath -w "${_services}"`
# Remove sshd 22/port from services
if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
then
/usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
if [ -f "${_serv_tmp}" ]
then
if /usr/bin/mv "${_serv_tmp}" "${_services}"
then
csih_inform "Removing sshd from ${_wservices}"
else
csih_warning "Removing sshd from ${_wservices} failed!"
let ++ret
fi
/usr/bin/rm -f "${_serv_tmp}"
else
csih_warning "Removing sshd from ${_wservices} failed!"
let ++ret
fi
fi
# Add ssh 22/tcp and ssh 22/udp to services
if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
then
if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
then
@ -179,18 +113,46 @@ update_services_file() {
return $ret
} # --- End of update_services_file --- #
# ======================================================================
# Routine: sshd_strictmodes
# MODIFIES: strictmodes
# ======================================================================
sshd_strictmodes() {
if [ "${sshd_config_configured}" != "yes" ]
then
echo
csih_inform "StrictModes is set to 'yes' by default."
csih_inform "This is the recommended setting, but it requires that the POSIX"
csih_inform "permissions of the user's home directory, the user's .ssh"
csih_inform "directory, and the user's ssh key files are tight so that"
csih_inform "only the user has write permissions."
csih_inform "On the other hand, StrictModes don't work well with default"
csih_inform "Windows permissions of a home directory mounted with the"
csih_inform "'noacl' option, and they don't work at all if the home"
csih_inform "directory is on a FAT or FAT32 partition."
if ! csih_request "Should StrictModes be used?"
then
strictmodes=no
fi
fi
return 0
}
# ======================================================================
# Routine: sshd_privsep
# MODIFIES: privsep_configured privsep_used
# MODIFIES: privsep_used
# ======================================================================
sshd_privsep() {
local sshdconfig_tmp
local ret=0
if [ "${privsep_configured}" != "yes" ]
if [ "${sshd_config_configured}" != "yes" ]
then
csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
csih_inform "However, this requires a non-privileged account called 'sshd'."
echo
csih_inform "Privilege separation is set to 'sandbox' by default since"
csih_inform "OpenSSH 6.1. This is unsupported by Cygwin and has to be set"
csih_inform "to 'yes' or 'no'."
csih_inform "However, using privilege separation requires a non-privileged account"
csih_inform "called 'sshd'."
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
if csih_request "Should privilege separation be used?"
then
@ -207,36 +169,53 @@ sshd_privsep() {
privsep_used=no
fi
fi
return $ret
} # --- End of sshd_privsep --- #
# Create default sshd_config from skeleton files in /etc/defaults/etc or
# modify to add the missing privsep configuration option
if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
# ======================================================================
# Routine: sshd_config_tweak
# ======================================================================
sshd_config_tweak() {
local ret=0
# Modify sshd_config
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
/usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
s/^#Port 22/Port ${port_number}/
s/^#StrictModes yes/StrictModes no/" \
< ${SYSCONFDIR}/sshd_config \
> "${sshdconfig_tmp}"
if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
if [ "${port_number}" -ne 22 ]
then
csih_warning "Setting privilege separation to 'yes' failed!"
/usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
${SYSCONFDIR}/sshd_config
if [ $? -ne 0 ]
then
csih_warning "Setting listening port to ${port_number} failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
elif [ "${privsep_configured}" != "yes" ]
fi
if [ "${strictmodes}" = "no" ]
then
echo >> ${SYSCONFDIR}/sshd_config
if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
/usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
${SYSCONFDIR}/sshd_config
if [ $? -ne 0 ]
then
csih_warning "Setting privilege separation to 'yes' failed!"
csih_warning "Setting StrictModes to 'no' failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
fi
if [ "${sshd_config_configured}" != "yes" ]
then
/usr/bin/sed -i -e "
s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
${SYSCONFDIR}/sshd_config
if [ $? -ne 0 ]
then
csih_warning "Setting privilege separation failed!"
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
let ++ret
fi
fi
return $ret
} # --- End of sshd_privsep --- #
} # --- End of sshd_config_tweak --- #
# ======================================================================
# Routine: update_inetd_conf
@ -255,11 +234,11 @@ update_inetd_conf() {
# we have inetutils-1.5 inetd.d support
if [ -f "${_inetcnf}" ]
then
/usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
/usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
# check for sshd OR ssh in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
then
/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
@ -284,9 +263,9 @@ update_inetd_conf() {
then
if [ "${_with_comment}" -eq 0 ]
then
/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
else
/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
fi
if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
then
@ -299,13 +278,13 @@ update_inetd_conf() {
elif [ -f "${_inetcnf}" ]
then
/usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
/usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
# check for sshd in top-level inetd.conf file, and remove
# will be replaced by a file in inetd.d/
if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
then
/usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
/usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
if [ -f "${_inetcnf_tmp}" ]
then
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@ -353,24 +332,31 @@ check_service_files_ownership() {
if [ -z "${run_service_as}" ]
then
accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
/usr/bin/sed -ne 's/^Account *: *//gp')
if [ "${accnt_name}" = "LocalSystem" ]
then
# Convert "LocalSystem" to "SYSTEM" as is the correct account name
accnt_name="SYSTEM:"
elif [[ "${accnt_name}" =~ ^\.\\ ]]
run_service_as="SYSTEM"
else
dom="${accnt_name%%\\*}"
accnt_name="${accnt_name#*\\}"
if [ "${dom}" = '.' ]
then
# Convert "." domain to local machine name
accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
# Check local account
run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
/usr/bin/awk -F: '{print $1;}')
else
# Check domain
run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
/usr/bin/awk -F: '{print $1;}')
fi
fi
run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
if [ -z "${run_service_as}" ]
then
csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
csih_warning "Couldn't determine name of user running sshd service from account database!"
csih_warning "As a result, this script cannot make sure that the files used"
csih_warning "by the sshd service belong to the user running the service."
csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
csih_warning "file is in a good shape."
return 1
fi
fi
@ -423,7 +409,7 @@ install_service() {
local ret=0
echo
if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
then
csih_inform "Sshd service is already installed."
check_service_files_ownership "" || let ret+=$?
@ -479,7 +465,7 @@ install_service() {
fi
if [ -z "${password}" ]
then
if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
-a "-D" -y tcpip "${cygwin_env[@]}"
then
echo
@ -489,19 +475,20 @@ install_service() {
csih_inform "will start automatically after the next reboot."
fi
else
if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
-a "-D" -y tcpip "${cygwin_env[@]}" \
-u "${run_service_as}" -w "${password}"
then
/usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
echo
csih_inform "The sshd service has been installed under the '${run_service_as}'"
csih_inform "account. To start the service now, call \`net start sshd' or"
csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
csih_inform "account. To start the service now, call \`net start ${service_name}' or"
csih_inform "\`cygrunsrv -S ${service_name}'. Otherwise, it will start automatically"
csih_inform "after the next reboot."
fi
fi
if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
then
check_service_files_ownership "${run_service_as}" || let ret+=$?
else
@ -575,6 +562,11 @@ do
shift
;;
-N | --name )
service_name=$1
shift
;;
-p | --port )
port_number=$1
shift
@ -604,10 +596,11 @@ do
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
echo " --name -N <name> sshd windows service name."
echo " --port -p <n> sshd listens on port n."
echo " --user -u <account> privileged user for service."
echo " --user -u <account> privileged user for service, default 'cyg_server'."
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
echo " --privileged On Windows NT/2k/XP, require privileged user"
echo " --privileged On Windows XP, require privileged user"
echo " instead of LocalSystem for sshd service."
echo
exit 1
@ -637,10 +630,7 @@ then
csih_warning "However, it seems your account does not have these privileges."
csih_warning "Here's the list of groups in your user token:"
echo
for i in $(/usr/bin/id -G)
do
/usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
done
/usr/bin/id -Gnz | xargs -0n1 echo " "
echo
csih_warning "This usually means you're running this script from a non-admin"
csih_warning "desktop session, or in a non-elevated shell under UAC control."
@ -662,32 +652,6 @@ echo
warning_cnt=0
# Check for ${SYSCONFDIR} directory
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${SYSCONFDIR}!"
let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
then
csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
let ++warning_cnt
fi
# Check for /var/log directory
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
then
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
let ++warning_cnt
fi
# Create /var/log/lastlog if not already exists
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
then
@ -712,14 +676,10 @@ then
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
let ++warning_cnt
fi
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
then
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
let ++warning_cnt
fi
# host keys
create_host_keys || let warning_cnt+=$?
# generate missing host keys
csih_inform "Generating missing SSH host keys"
/usr/bin/ssh-keygen -A || let warning_cnt+=$?
# handle ssh_config
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
@ -737,10 +697,11 @@ fi
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
then
/usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
sshd_config_configured=yes
fi
sshd_strictmodes || let warning_cnt+=$?
sshd_privsep || let warning_cnt+=$?
sshd_config_tweak || let warning_cnt+=$?
update_services_file || let warning_cnt+=$?
update_inetd_conf || let warning_cnt+=$?
install_service || let warning_cnt+=$?

33
contrib/cygwin/ssh-user-config
View File

@ -1,6 +1,6 @@
#!/bin/bash
#
# ssh-user-config, Copyright 2000-2008 Red Hat Inc.
# ssh-user-config, Copyright 2000-2014 Red Hat Inc.
#
# This file is part of the Cygwin port of OpenSSH.
#
@ -75,19 +75,18 @@ readonly -f create_identity
# pwdhome
# ======================================================================
check_user_homedir() {
local uid=$(id -u)
pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
pwdhome=$(getent passwd $UID | awk -F: '{ print $6; }')
if [ "X${pwdhome}" = "X" ]
then
csih_error_multi \
"There is no home directory set for you in ${SYSCONFDIR}/passwd." \
"There is no home directory set for you in the account database." \
'Setting $HOME is not sufficient!'
fi
if [ ! -d "${pwdhome}" ]
then
csih_error_multi \
"${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
"${pwdhome} is set in the account database as your home directory" \
'but it is not a valid directory. Cannot create user identity files.'
fi
@ -96,7 +95,7 @@ check_user_homedir() {
if [ "X${pwdhome}" = "X/" ]
then
# But first raise a warning!
csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
csih_warning "Your home directory in the account database is set to root (/). This is not recommended!"
if csih_request "Would you like to proceed anyway?"
then
pwdhome=''
@ -106,7 +105,7 @@ check_user_homedir() {
fi
fi
if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
if [ -d "${pwdhome}" -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
then
echo
csih_warning 'group and other have been revoked write permission to your home'
@ -149,9 +148,10 @@ readonly -f check_user_dot_ssh_dir
# pwdhome -- check_user_homedir()
# ======================================================================
fix_authorized_keys_perms() {
if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
if [ -e "${pwdhome}/.ssh/authorized_keys" ]
then
if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
setfacl -b "${pwdhome}/.ssh/authorized_keys" 2>/dev/null || echo -n
if ! chmod u-x,g-wx,o-wx "${pwdhome}/.ssh/authorized_keys"
then
csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
csih_warning "failed. Please care for the correct permissions. The minimum requirement"
@ -222,10 +222,6 @@ do
shift
;;
--privileged )
csih_FORCE_PRIVILEGED_USER=yes
;;
*)
echo "usage: ${PROGNAME} [OPTION]..."
echo
@ -236,8 +232,6 @@ do
echo " --yes -y Answer all questions with \"yes\" automatically."
echo " --no -n Answer all questions with \"no\" automatically."
echo " --passphrase -p word Use \"word\" as passphrase automatically."
echo " --privileged On Windows NT/2k/XP, assume privileged user"
echo " instead of LocalSystem for sshd service."
echo
exit 1
;;
@ -249,15 +243,6 @@ done
# Action!
# ======================================================================
# Check passwd file
if [ ! -f ${SYSCONFDIR}/passwd ]
then
csih_error_multi \
"${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
'first using mkpasswd. Check if it contains an entry for you and' \
'please care for the home directory in your entry as well.'
fi
check_user_homedir
check_user_dot_ssh_dir
create_identity id_rsa rsa "SSH2 RSA"

14
contrib/redhat/openssh.spec
View File

@ -1,4 +1,4 @@
%define ver 5.9p1
%define ver 7.3p1
%define rel 1
# OpenSSH privilege separation requires a user & group ID
@ -86,10 +86,10 @@ PreReq: initscripts >= 5.00
%else
Requires: initscripts >= 5.20
%endif
BuildRequires: perl, openssl-devel, tcp_wrappers
BuildRequires: perl, openssl-devel
BuildRequires: /bin/login
%if ! %{build6x}
BuildPreReq: glibc-devel, pam
BuildRequires: glibc-devel, pam
%else
BuildRequires: /usr/include/security/pam_appl.h
%endif
@ -184,7 +184,7 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif
%if %{kerberos5}
K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
K5DIR=`rpm -ql krb5-devel | grep 'include/krb5\.h' | sed 's,\/include\/krb5.h,,'`
echo K5DIR=$K5DIR
%endif
@ -192,8 +192,6 @@ echo K5DIR=$K5DIR
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-tcp-wrappers \
--with-rsh=%{_bindir}/rsh \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
@ -335,7 +333,7 @@ fi
%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO WARNING*
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
@ -360,8 +358,6 @@ fi
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%attr(-,root,root) %{_bindir}/slogin
%attr(-,root,root) %{_mandir}/man1/slogin.1*
%if ! %{rescue}
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add

8
contrib/redhat/sshd.init
View File

@ -29,7 +29,7 @@ do_restart_sanity_check()
{
$SSHD -t
RETVAL=$?
if [ ! "$RETVAL" = 0 ]; then
if [ $RETVAL -ne 0 ]; then
failure $"Configuration file or keys are invalid"
echo
fi
@ -49,7 +49,7 @@ start()
echo -n $"Starting $prog:"
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
@ -58,7 +58,7 @@ stop()
echo -n $"Stopping $prog:"
killproc $SSHD -TERM
RETVAL=$?
[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
echo
}
@ -87,7 +87,7 @@ case "$1" in
condrestart)
if [ -f /var/lock/subsys/sshd ] ; then
do_restart_sanity_check
if [ "$RETVAL" = 0 ] ; then
if [ $RETVAL -eq 0 ] ; then
stop
# avoid race
sleep 3

351
contrib/ssh-copy-id
View File

@ -1,54 +1,317 @@
#!/bin/sh
# Shell script to install your public key on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.
# Copyright (c) 1999-2013 Philip Hands <phil@hands.com>
# 2013 Martin Kletzander <mkletzan@redhat.com>
# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
# 2010 Eric Moret <eric.moret@gmail.com>
# 2009 Xr <xr@i-jeuxvideo.com>
# 2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
# 2004 Reini Urban <rurban@x-ray.at>
# 2003 Colin Watson <cjwatson@debian.org>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
ID_FILE="${HOME}/.ssh/id_rsa.pub"
# Shell script to install your public key(s) on a remote machine
# See the ssh-copy-id(1) man page for details
if [ "-i" = "$1" ]; then
shift
# check if we have 2 parameters left, if so the first is the new ID file
if [ -n "$2" ]; then
if expr "$1" : ".*\.pub" > /dev/null ; then
ID_FILE="$1"
# check that we have something mildly sane as our shell, or try to find something better
if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
then
SANE_SH=${SANE_SH:-/usr/bin/ksh}
if printf 'true ^ false\n' | "$SANE_SH"
then
printf "'%s' seems viable.\n" "$SANE_SH"
exec "$SANE_SH" "$0" "$@"
else
ID_FILE="$1.pub"
cat <<-EOF
oh dear.
If you have a more recent shell available, that supports \$(...) etc.
please try setting the environment variable SANE_SH to the path of that
shell, and then retry running this script. If that works, please report
a bug describing your setup, and the shell you used to make it work.
EOF
printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
exit 1
fi
shift # and this should leave $1 as the target name
fi
DEFAULT_PUB_ID_FILE="$HOME/$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)"
usage () {
printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2
printf '\t-n: dry run -- no keys are actually copied\n' >&2
printf '\t-h|-?: print this help\n' >&2
exit 1
}
# escape any single quotes in an argument
quote() {
printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
}
use_id_file() {
local L_ID_FILE="$1"
if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
PUB_ID_FILE="$L_ID_FILE"
else
PUB_ID_FILE="$L_ID_FILE.pub"
fi
[ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
# check that the files are readable
for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
local L_PRIVMSG=""
[ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG=" (to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
exit 1
}
done
printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2
GET_ID="cat \"$PUB_ID_FILE\""
}
if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
GET_ID="ssh-add -L"
fi
while test "$#" -gt 0
do
[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
usage
}
OPT= OPTARG=
# implement something like getopt to avoid Solaris pain
case "$1" in
-i?*|-o?*|-p?*)
OPT="$(printf -- "$1"|cut -c1-2)"
OPTARG="$(printf -- "$1"|cut -c3-)"
shift
;;
-o|-p)
OPT="$1"
OPTARG="$2"
shift 2
;;
-i)
OPT="$1"
test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
OPTARG="$2"
shift
}
shift
;;
-f|-n|-h|-\?)
OPT="$1"
OPTARG=
shift
;;
--)
shift
while test "$#" -gt 0
do
SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
shift
done
break
;;
-*)
printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
usage
;;
*)
SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
shift
continue
;;
esac
case "$OPT" in
-i)
SEEN_OPT_I="yes"
use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
;;
-o|-p)
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
;;
-f)
FORCED=1
;;
-n)
DRY_RUN=1
;;
-h|-\?)
usage
;;
esac
done
eval set -- "$SAVEARGS"
if [ $# = 0 ] ; then
usage
fi
if [ $# != 1 ] ; then
printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
usage
fi
# drop trailing colon
USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
# tack the hostname onto SSH_OPTS
SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
# and populate "$@" for later use (only way to get proper quoting of options)
eval set -- "$SSH_OPTS"
if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
use_id_file "$PUB_ID_FILE"
fi
if [ -z "$(eval $GET_ID)" ] ; then
printf '%s: ERROR: No identities found\n' "$0" >&2
exit 1
fi
# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
# and has the side effect of setting $NEW_IDS
populate_new_ids() {
local L_SUCCESS="$1"
if [ "$FORCED" ] ; then
NEW_IDS=$(eval $GET_ID)
return
fi
# repopulate "$@" inside this function
eval set -- "$SSH_OPTS"
umask 0177
local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
printf '%s: ERROR: mktemp failed\n' "$0" >&2
exit 1
fi
local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
trap "$L_CLEANUP" EXIT TERM INT QUIT
printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
NEW_IDS=$(
eval $GET_ID | {
while read ID || [ "$ID" ] ; do
printf '%s\n' "$ID" > "$L_TMP_ID_FILE"
# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
# assumption will break if we implement the possibility of multiple -i options.
# The point being that if file based, ssh needs the private key, which it cannot
# find if only given the contents of the .pub file in an unrelated tmpfile
ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
-o ControlPath=none \
-o LogLevel=INFO \
-o PreferredAuthentications=publickey \
-o IdentitiesOnly=yes "$@" exit 2>"$L_TMP_ID_FILE.stderr" </dev/null
if [ "$?" = "$L_SUCCESS" ] ; then
: > "$L_TMP_ID_FILE"
else
grep 'Permission denied' "$L_TMP_ID_FILE.stderr" >/dev/null || {
sed -e 's/^/ERROR: /' <"$L_TMP_ID_FILE.stderr" >"$L_TMP_ID_FILE"
cat >/dev/null #consume the other keys, causing loop to end
}
fi
cat "$L_TMP_ID_FILE"
done
}
)
eval "$L_CLEANUP" && trap - EXIT TERM INT QUIT
if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
exit 1
fi
if [ -z "$NEW_IDS" ] ; then
printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
exit 0
fi
printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
}
REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 |
sed -ne 's/.*remote software version //p')
case "$REMOTE_VERSION" in
NetScreen*)
populate_new_ids 1
for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
KEY_NO=$(($KEY_NO + 1))
printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
continue
}
[ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
if [ $? = 255 ] ; then
printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
else
ADDED=$(($ADDED + 1))
fi
done
if [ -z "$ADDED" ] ; then
exit 1
fi
;;
*)
# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
populate_new_ids 0
# in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; 'cd' to be at $HOME; and all on one line, because tcsh.
[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
|| exit 1
ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
;;
esac
if [ "$DRY_RUN" ] ; then
cat <<-EOF
=-=-=-=-=-=-=-=
Would have added the following key(s):
$NEW_IDS
=-=-=-=-=-=-=-=
EOF
else
if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then
GET_ID="$GET_ID ssh-add -L"
fi
cat <<-EOF
Number of key(s) added: $ADDED
Now try logging into the machine, with: "ssh $SSH_OPTS"
and check to make sure that only the key(s) you wanted were added.
EOF
fi
if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
GET_ID="cat \"${ID_FILE}\""
fi
if [ -z "`eval $GET_ID`" ]; then
echo "$0: ERROR: No identities found" >&2
exit 1
fi
if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
exit 1
fi
# strip any trailing colon
host=`echo $1 | sed 's/:$//'`
{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
cat <<EOF
Now try logging into the machine, with "ssh '$host'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
EOF
# =-=-=-=

256
contrib/ssh-copy-id.1
View File

@ -1,75 +1,191 @@
.ig \" -*- nroff -*-
Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>
Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
Permission is granted to copy and distribute translations of this
manual into another language, under the above conditions for modified
versions, except that this permission notice may be included in
translations approved by the Free Software Foundation instead of in
the original English.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
..
.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"
.SH NAME
ssh-copy-id \- install your public key in a remote machine's authorized_keys
.SH SYNOPSIS
.B ssh-copy-id [-i [identity_file]]
.I "[user@]machine"
.Dd $Mdocdate: June 17 2010 $
.Dt SSH-COPY-ID 1
.Os
.Sh NAME
.Nm ssh-copy-id
.Nd use locally available keys to authorise logins on a remote machine
.Sh SYNOPSIS
.Nm
.Op Fl f
.Op Fl n
.Op Fl i Op Ar identity_file
.Op Fl p Ar port
.Op Fl o Ar ssh_option
.Op Ar user Ns @ Ns
.Ar hostname
.Nm
.Fl h | Fl ?
.br
.SH DESCRIPTION
.BR ssh-copy-id
is a script that uses ssh to log into a remote machine and
append the indicated identity file to that machine's
.B ~/.ssh/authorized_keys
file.
.PP
If the
.B -i
option is given then the identity file (defaults to
.BR ~/.ssh/id_rsa.pub )
is used, regardless of whether there are any keys in your
.BR ssh-agent .
Otherwise, if this:
.PP
.B " ssh-add -L"
.PP
provides any output, it uses that in preference to the identity file.
.PP
If the
.B -i
option is used, or the
.B ssh-add
produced no output, then it uses the contents of the identity
file. Once it has one or more fingerprints (by whatever means) it
uses ssh to append them to
.B ~/.ssh/authorized_keys
on the remote machine (creating the file, and directory, if necessary.)
.SH NOTES
This program does not modify the permissions of any
pre-existing files or directories. Therefore, if the remote
.B sshd
has
.B StrictModes
set in its
configuration, then the user's home,
.B ~/.ssh
folder, and
.B ~/.ssh/authorized_keys
file may need to have group writability disabled manually, e.g. via
.B " chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys"
on the remote machine.
.SH "SEE ALSO"
.BR ssh (1),
.BR ssh-agent (1),
.BR sshd (8)
.Sh DESCRIPTION
.Nm
is a script that uses
.Xr ssh 1
to log into a remote machine (presumably using a login password,
so password authentication should be enabled, unless you've done some
clever use of multiple identities). It assembles a list of one or more
fingerprints (as described below) and tries to log in with each key, to
see if any of them are already installed (of course, if you are not using
.Xr ssh-agent 1
this may result in you being repeatedly prompted for pass-phrases).
It then assembles a list of those that failed to log in, and using ssh,
enables logins with those keys on the remote server. By default it adds
the keys by appending them to the remote user's
.Pa ~/.ssh/authorized_keys
(creating the file, and directory, if necessary). It is also capable
of detecting if the remote system is a NetScreen, and using its
.Ql set ssh pka-dsa key ...
command instead.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl i Ar identity_file
Use only the key(s) contained in
.Ar identity_file
(rather than looking for identities via
.Xr ssh-add 1
or in the
.Ic default_ID_file ) .
If the filename does not end in
.Pa .pub
this is added. If the filename is omitted, the
.Ic default_ID_file
is used.
.Pp
Note that this can be used to ensure that the keys copied have the
comment one prefers and/or extra options applied, by ensuring that the
key file has these set as preferred before the copy is attempted.
.It Fl f
Forced mode: doesn't check if the keys are present on the remote server.
This means that it does not need the private key. Of course, this can result
in more than one copy of the key being installed on the remote system.
.It Fl n
do a dry-run. Instead of installing keys on the remote system simply
prints the key(s) that would have been installed.
.It Fl h , Fl ?
Print Usage summary
.It Fl p Ar port , Fl o Ar ssh_option
These two options are simply passed through untouched, along with their
argument, to allow one to set the port or other
.Xr ssh 1
options, respectively.
.Pp
Rather than specifying these as command line options, it is often better to use (per-host) settings in
.Xr ssh 1 Ns 's
configuration file:
.Xr ssh_config 5 .
.El
.Pp
Default behaviour without
.Fl i ,
is to check if
.Ql ssh-add -L
provides any output, and if so those keys are used. Note that this results in
the comment on the key being the filename that was given to
.Xr ssh-add 1
when the key was loaded into your
.Xr ssh-agent 1
rather than the comment contained in that file, which is a bit of a shame.
Otherwise, if
.Xr ssh-add 1
provides no keys contents of the
.Ic default_ID_file
will be used.
.Pp
The
.Ic default_ID_file
is the most recent file that matches:
.Pa ~/.ssh/id*.pub ,
(excluding those that match
.Pa ~/.ssh/*-cert.pub )
so if you create a key that is not the one you want
.Nm
to use, just use
.Xr touch 1
on your preferred key's
.Pa .pub
file to reinstate it as the most recent.
.Pp
.Sh EXAMPLES
If you have already installed keys from one system on a lot of remote
hosts, and you then create a new key, on a new client machine, say,
it can be difficult to keep track of which systems on which you've
installed the new key. One way of dealing with this is to load both
the new key and old key(s) into your
.Xr ssh-agent 1 .
Load the new key first, without the
.Fl c
option, then load one or more old keys into the agent, possibly by
ssh-ing to the client machine that has that old key, using the
.Fl A
option to allow agent forwarding:
.Pp
.D1 user@newclient$ ssh-add
.D1 user@newclient$ ssh -A old.client
.D1 user@oldl$ ssh-add -c
.D1 No ... prompt for pass-phrase ...
.D1 user@old$ logoff
.D1 user@newclient$ ssh someserver
.Pp
now, if the new key is installed on the server, you'll be allowed in
unprompted, whereas if you only have the old key(s) enabled, you'll be
asked for confirmation, which is your cue to log back out and run
.Pp
.D1 user@newclient$ ssh-copy-id -i someserver
.Pp
The reason you might want to specify the -i option in this case is to
ensure that the comment on the installed key is the one from the
.Pa .pub
file, rather than just the filename that was loaded into you agent.
It also ensures that only the id you intended is installed, rather than
all the keys that you have in your
.Xr ssh-agent 1 .
Of course, you can specify another id, or use the contents of the
.Xr ssh-agent 1
as you prefer.
.Pp
Having mentioned
.Xr ssh-add 1 Ns 's
.Fl c
option, you might consider using this whenever using agent forwarding
to avoid your key being hijacked, but it is much better to instead use
.Xr ssh 1 Ns 's
.Ar ProxyCommand
and
.Fl W
option,
to bounce through remote servers while always doing direct end-to-end
authentication. This way the middle hop(s) don't get access to your
.Xr ssh-agent 1 .
A web search for
.Ql ssh proxycommand nc
should prove enlightening (N.B. the modern approach is to use the
.Fl W
option, rather than
.Xr nc 1 ) .
.Sh "SEE ALSO"
.Xr ssh 1 ,
.Xr ssh-agent 1 ,
.Xr sshd 8

7
contrib/suse/openssh.spec
View File

@ -13,7 +13,7 @@
Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
Name: openssh
Version: 5.9p1
Version: 7.3p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
@ -28,11 +28,9 @@ Provides: ssh
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
# building prerequisites -- stuff for
# OpenSSL (openssl-devel),
# TCP Wrappers (tcpd-devel),
# and Gnome (glibdev, gtkdev, and gnlibsd)
#
BuildPrereq: openssl
BuildPrereq: tcpd-devel
BuildPrereq: zlib-devel
#BuildPrereq: glibdev
#BuildPrereq: gtkdev
@ -140,7 +138,6 @@ CFLAGS="$RPM_OPT_FLAGS" \
--mandir=%{_mandir} \
--with-privsep-path=/var/lib/empty \
--with-pam \
--with-tcp-wrappers \
--libexecdir=%{_libdir}/ssh
make
@ -205,7 +202,6 @@ rm -rf $RPM_BUILD_ROOT
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %{_bindir}/scp
%attr(0755,root,root) %{_bindir}/ssh
%attr(-,root,root) %{_bindir}/slogin
%attr(0755,root,root) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
@ -217,7 +213,6 @@ rm -rf $RPM_BUILD_ROOT
%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*

8
contrib/suse/rc.sshd
View File

@ -49,7 +49,7 @@ case "$1" in
## Start daemon with startproc(8). If this fails
## the echo return value is set appropriate.
startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
# Remember status and be verbose
rc_status -v
@ -59,7 +59,7 @@ case "$1" in
## Stop daemon with killproc(8) and if this fails
## set echo the echo return value.
killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
# Remember status and be verbose
rc_status -v
@ -87,7 +87,7 @@ case "$1" in
echo -n "Reload service sshd"
killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
rc_status -v
@ -103,7 +103,7 @@ case "$1" in
# 2 - service dead, but /var/lock/ lock file exists
# 3 - service not running
checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
checkproc -p $SSHD_PIDFILE $SSHD_BIN
rc_status -v
;;

84
contrib/win32/openssh/VSWithBuildTools.xml Normal file
View File

@ -0,0 +1,84 @@
<?xml version="1.0" encoding="utf-8"?>
<AdminDeploymentCustomizations xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/wix/2011/AdminDeployment">
<BundleCustomizations TargetDir="C:\Program Files (x86)\Microsoft Visual Studio 14.0" NoCacheOnlyMode="default" NoWeb="default" NoRefresh="default" SuppressRefreshPrompt="default" Feed="default" />
<SelectableItemCustomizations>
<SelectableItemCustomization Id="VSUV3RTMV1" Hidden="no" Selected="yes" FriendlyName="Visual Studio 2015 Update 3" />
<SelectableItemCustomization Id="MicroUpdateV3.1" Selected="yes" FriendlyName="Update for Microsoft Visual Studio 2015 (KB3165756)" />
<SelectableItemCustomization Id="NativeLanguageSupport_VCV1" Hidden="no" Selected="yes" FriendlyName="Common Tools for Visual C++ 2015" />
<SelectableItemCustomization Id="Win81SDK_HiddenV1" Hidden="no" Selected="yes" FriendlyName="Windows 8.1 SDK and Universal CRT SDK" />
<SelectableItemCustomization Id="PythonToolsForVisualStudioV6" Hidden="no" Selected="no" FriendlyName="Python Tools for Visual Studio (June 2016)" />
<SelectableItemCustomization Id="WebToolsV1" Hidden="no" Selected="no" FriendlyName="Microsoft Web Developer Tools" />
<SelectableItemCustomization Id="Windows10_ToolsAndSDKV12" Hidden="no" Selected="yes" FriendlyName="Tools (1.4) and Windows 10 SDK (10.0.10586)" />
<SelectableItemCustomization Id="Win10_EmulatorV2" Hidden="no" Selected="no" FriendlyName="Emulators for Windows 10 Mobile (10.0.10586)" />
<SelectableItemCustomization Id="XamarinVSCoreV4" Hidden="no" Selected="no" FriendlyName="C#/.NET (Xamarin v4.1.0)" />
<SelectableItemCustomization Id="XamarinPT_V1" Selected="no" FriendlyName="Xamarin Preparation Tool" />
<SelectableItemCustomization Id="AndroidNDKV1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R10E, 32 bits)" />
<SelectableItemCustomization Id="AndroidNDK_32_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R10E, 32 bits)" />
<SelectableItemCustomization Id="AndroidSDKV1" Hidden="no" Selected="no" FriendlyName="Android SDK" />
<SelectableItemCustomization Id="AndroidSDK_API1921V1" Hidden="no" Selected="no" FriendlyName="Android SDK Setup (API Level 19 and 21)" />
<SelectableItemCustomization Id="AndroidSDK_API23V1" Hidden="no" Selected="no" FriendlyName="Android SDK Setup (API Level 23)" />
<SelectableItemCustomization Id="JavaJDKV1" Hidden="no" Selected="no" FriendlyName="Java SE Development Kit (7.0.550.13)" />
<SelectableItemCustomization Id="Node.jsV1" Hidden="no" Selected="no" FriendlyName="Joyent Node.js" />
<SelectableItemCustomization Id="VSEmu_AndroidV1.0.60404.1" Hidden="no" Selected="no" FriendlyName="Microsoft Visual Studio Emulator for Android (April 2016)" />
<SelectableItemCustomization Id="ToolsForWin81_WP80_WP81V1" Hidden="no" Selected="no" FriendlyName="Tools and Windows SDKs" />
<SelectableItemCustomization Id="GitForWindowsx64V5" Hidden="no" Selected="yes" FriendlyName="Git for Windows" />
<SelectableItemCustomization Id="GitForWindowsx86V5" Hidden="no" Selected="yes" FriendlyName="Git for Windows" />
<SelectableItemCustomization Id="GitHubVSV1" Hidden="no" Selected="yes" FriendlyName="GitHub Extension for Visual Studio" />
<SelectableItemCustomization Id="VS_SDK_GroupV5" Hidden="no" Selected="yes" FriendlyName="Visual Studio Extensibility Tools Update 3" />
<SelectableItemCustomization Id="VS_SDK_Breadcrumb_GroupV5" Selected="yes" FriendlyName="Visual Studio Extensibility Tools Update 3" />
<SelectableItemCustomization Id="Win10_VSToolsV12" Hidden="no" Selected="no" FriendlyName="Tools for Universal Windows Apps (1.4) and Windows 10 SDK (10.0.10586)" />
<SelectableItemCustomization Id="Win10SDK_HiddenV3" Selected="yes" FriendlyName="Windows 10 SDK (10.0.10586)" />
<SelectableItemCustomization Id="JavaScript_HiddenV1" Selected="no" FriendlyName="JavaScript Project System for Visual Studio" />
<SelectableItemCustomization Id="JavaScript_HiddenV11" Selected="no" FriendlyName="JavaScript Project System for Visual Studio" />
<SelectableItemCustomization Id="MDDJSDependencyHiddenV1" Selected="no" FriendlyName="MDDJSDependencyHidden" />
<SelectableItemCustomization Id="AppInsightsToolsVisualStudioHiddenRTMV1" Selected="no" FriendlyName="Application Insights Tools" />
<SelectableItemCustomization Id="AppInsightsToolsVisualStudioHiddenVSU3RTMV1" Selected="no" FriendlyName="Developer Analytics Tools v7.0.2" />
<SelectableItemCustomization Id="BlissHidden" Selected="no" FriendlyName="BlissHidden" />
<SelectableItemCustomization Id="HelpHidden" Selected="yes" FriendlyName="HelpHidden" />
<SelectableItemCustomization Id="JavaScript" Selected="yes" FriendlyName="JavascriptHidden" />
<SelectableItemCustomization Id="NetFX4Hidden" Selected="no" FriendlyName="NetFX4Hidden" />
<SelectableItemCustomization Id="NetFX45Hidden" Selected="no" FriendlyName="NetFX45Hidden" />
<SelectableItemCustomization Id="NetFX451MTPackHidden" Selected="no" FriendlyName="NetFX451MTPackHidden" />
<SelectableItemCustomization Id="NetFX451MTPackCoreHidden" Selected="no" FriendlyName="NetFX451MTPackCoreHidden" />
<SelectableItemCustomization Id="NetFX452MTPackHidden" Selected="no" FriendlyName="NetFX452MTPackHidden" />
<SelectableItemCustomization Id="NetFX46MTPackHidden" Selected="no" FriendlyName="NetFX46MTPackHidden" />
<SelectableItemCustomization Id="PortableDTPHidden" Selected="yes" FriendlyName="PortableDTPHidden" />
<SelectableItemCustomization Id="PreEmptiveDotfuscatorHidden" Selected="no" FriendlyName="PreEmptiveDotfuscatorHidden" />
<SelectableItemCustomization Id="PreEmptiveAnalyticsHidden" Selected="no" FriendlyName="PreEmptiveAnalyticsHidden" />
<SelectableItemCustomization Id="ProfilerHidden" Selected="no" FriendlyName="ProfilerHidden" />
<SelectableItemCustomization Id="RoslynLanguageServicesHidden" Selected="no" FriendlyName="RoslynLanguageServicesHidden" />
<SelectableItemCustomization Id="SDKTools3Hidden" Selected="no" FriendlyName="SDKTools3Hidden" />
<SelectableItemCustomization Id="SDKTools4Hidden" Selected="no" FriendlyName="SDKTools4Hidden" />
<SelectableItemCustomization Id="WCFDataServicesHidden" Selected="no" FriendlyName="WCFDataServicesHidden" />
<SelectableItemCustomization Id="VSUV1PreReqV1" Selected="no" FriendlyName="Visual Studio 2015 Update 1 Prerequisite" />
<SelectableItemCustomization Id="MicroUpdateV3" Selected="no" FriendlyName="MicroUpdate 3.0 for Visual Studio 2015 Update 3" />
<SelectableItemCustomization Id="NativeLanguageSupport_MFCV1" Hidden="no" Selected="no" FriendlyName="Microsoft Foundation Classes for C++" />
<SelectableItemCustomization Id="NativeLanguageSupport_XPV1" Hidden="no" Selected="no" FriendlyName="Windows XP Support for C++" />
<SelectableItemCustomization Id="FSharpV1" Hidden="no" Selected="no" FriendlyName="Visual F#" />
<SelectableItemCustomization Id="ClickOnceV1" Hidden="no" Selected="no" FriendlyName="ClickOnce Publishing Tools" />
<SelectableItemCustomization Id="SQLV1" Hidden="no" Selected="no" FriendlyName="Microsoft SQL Server Data Tools" />
<SelectableItemCustomization Id="PowerShellToolsV1" Hidden="no" Selected="no" FriendlyName="PowerShell Tools for Visual Studio" />
<SelectableItemCustomization Id="SilverLight_Developer_KitV1" Hidden="no" Selected="no" FriendlyName="Silverlight Development Kit" />
<SelectableItemCustomization Id="Win10_EmulatorV1" Selected="no" FriendlyName="Emulators for Windows 10 Mobile (10.0.10240)" />
<SelectableItemCustomization Id="MDDJSCoreV11" Hidden="no" Selected="no" FriendlyName="HTML/JavaScript (Apache Cordova) Update 10" />
<SelectableItemCustomization Id="AndroidNDK11C_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R11C, 32 bits)" />
<SelectableItemCustomization Id="AndroidNDK11C_32_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R11C, 32 bits)" />
<SelectableItemCustomization Id="AndroidNDK11C_64_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R11C, 64 bits)" />
<SelectableItemCustomization Id="AndroidNDK_64_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R10E, 64 bits)" />
<SelectableItemCustomization Id="AndroidSDK_API22V1" Hidden="no" Selected="no" FriendlyName="Android SDK Setup (API Level 22)" />
<SelectableItemCustomization Id="AntV1" Hidden="no" Selected="no" FriendlyName="Apache Ant (1.9.3)" />
<SelectableItemCustomization Id="L_MDDCPlusPlus_iOS_V7" Hidden="no" Selected="no" FriendlyName="Visual C++ iOS Development (Update 3)" />
<SelectableItemCustomization Id="L_MDDCPlusPlus_Android_V7" Hidden="no" Selected="no" FriendlyName="Visual C++ Android Development (Update 3)" />
<SelectableItemCustomization Id="L_MDDCPlusPlus_ClangC2_V5" Hidden="no" Selected="no" FriendlyName="Clang with Microsoft CodeGen (May 2016)" />
<SelectableItemCustomization Id="L_IncrediBuild_V1" Selected="no" FriendlyName="IncrediBuild" />
<SelectableItemCustomization Id="WebSocket4NetV1" Hidden="no" Selected="no" FriendlyName="WebSocket4Net" />
<SelectableItemCustomization Id="WindowsPhone81EmulatorsV1" Hidden="no" Selected="no" FriendlyName="Emulators for Windows Phone 8.1" />
<SelectableItemCustomization Id="Win10SDK_HiddenV1" Hidden="no" Selected="no" FriendlyName="Windows 10 SDK (10.0.10240)" />
<SelectableItemCustomization Id="Win10SDK_HiddenV2" Selected="no" FriendlyName="Windows 10 SDK (10.0.10586)" />
<SelectableItemCustomization Id="Win10SDK_VisibleV1" Hidden="no" Selected="no" FriendlyName="Windows 10 SDK 10.0.10240" />
<SelectableItemCustomization Id="UWPPatch_KB3073097_HiddenV3" Selected="no" FriendlyName="KB3073097" />
<SelectableItemCustomization Id="AppInsightsToolsVSWinExpressHiddenVSU3RTMV1" Selected="no" FriendlyName="Developer Analytics Tools v7.0.2" />
<SelectableItemCustomization Id="AppInsightsToolsVWDExpressHiddenVSU3RTMV1" Selected="no" FriendlyName="Developer Analytics Tools v7.0.2" />
</SelectableItemCustomizations>
</AdminDeploymentCustomizations>

127
contrib/win32/openssh/Win32-OpenSSH.sln
View File

@ -67,13 +67,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "config", "config.vcxproj",
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-lsa", "ssh-lsa.vcxproj", "{02FB3D98-6516-42C6-9762-98811A99960F}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "win32compatUnittests", "win32compatUnittests.vcxproj", "{780CAFE4-4BC5-407B-B3A6-71C4114826A7}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "win32iocompat", "win32iocompat.vcxproj", "{0D02F0F0-013B-4EE3-906D-86517F3822C0}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-shellhost", "ssh-shellhost.vcxproj", "{C0AE8A30-E4FA-49CE-A2B5-0C072C77EC64}"
@ -104,6 +97,62 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "scp", "scp.vcxproj", "{29B9
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-bitmap", "unittest-bitmap.vcxproj", "{D901596E-76C7-4608-9CFA-2B42A9FD7250}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-kex", "unittest-kex.vcxproj", "{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-sshbuf", "unittest-sshbuf.vcxproj", "{CD9740CE-C96E-49B3-823F-012E09D17806}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-win32compat", "unittest-win32compat.vcxproj", "{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-utf8", "unittest-utf8.vcxproj", "{114CAA59-46C0-4B87-BA86-C1946A68101D}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-hostkeys", "unittest-hostkeys.vcxproj", "{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-sshkey", "unittest-sshkey.vcxproj", "{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}"
ProjectSection(ProjectDependencies) = postProject
{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
EndProjectSection
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
@ -192,14 +241,6 @@ Global
{02FB3D98-6516-42C6-9762-98811A99960F}.Release|x64.Build.0 = Release|x64
{02FB3D98-6516-42C6-9762-98811A99960F}.Release|x86.ActiveCfg = Release|Win32
{02FB3D98-6516-42C6-9762-98811A99960F}.Release|x86.Build.0 = Release|Win32
{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Debug|x64.ActiveCfg = Debug|x64
{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Debug|x64.Build.0 = Debug|x64
{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Debug|x86.ActiveCfg = Debug|Win32
{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Debug|x86.Build.0 = Debug|Win32
{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Release|x64.ActiveCfg = Release|x64
{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Release|x64.Build.0 = Release|x64
{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Release|x86.ActiveCfg = Release|Win32
{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Release|x86.Build.0 = Release|Win32
{0D02F0F0-013B-4EE3-906D-86517F3822C0}.Debug|x64.ActiveCfg = Debug|x64
{0D02F0F0-013B-4EE3-906D-86517F3822C0}.Debug|x64.Build.0 = Debug|x64
{0D02F0F0-013B-4EE3-906D-86517F3822C0}.Debug|x86.ActiveCfg = Debug|Win32
@ -240,6 +281,62 @@ Global
{29B98ADF-1285-49CE-BF6C-AA92C5D2FB24}.Release|x64.Build.0 = Release|x64
{29B98ADF-1285-49CE-BF6C-AA92C5D2FB24}.Release|x86.ActiveCfg = Release|Win32
{29B98ADF-1285-49CE-BF6C-AA92C5D2FB24}.Release|x86.Build.0 = Release|Win32
{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Debug|x64.ActiveCfg = Debug|x64
{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Debug|x64.Build.0 = Debug|x64
{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Debug|x86.ActiveCfg = Debug|Win32
{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Debug|x86.Build.0 = Debug|Win32
{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Release|x64.ActiveCfg = Release|x64
{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Release|x64.Build.0 = Release|x64
{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Release|x86.ActiveCfg = Release|Win32
{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Release|x86.Build.0 = Release|Win32
{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Debug|x64.ActiveCfg = Debug|x64
{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Debug|x64.Build.0 = Debug|x64
{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Debug|x86.ActiveCfg = Debug|Win32
{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Debug|x86.Build.0 = Debug|Win32
{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Release|x64.ActiveCfg = Release|x64
{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Release|x64.Build.0 = Release|x64
{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Release|x86.ActiveCfg = Release|Win32
{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Release|x86.Build.0 = Release|Win32
{CD9740CE-C96E-49B3-823F-012E09D17806}.Debug|x64.ActiveCfg = Debug|x64
{CD9740CE-C96E-49B3-823F-012E09D17806}.Debug|x64.Build.0 = Debug|x64
{CD9740CE-C96E-49B3-823F-012E09D17806}.Debug|x86.ActiveCfg = Debug|Win32
{CD9740CE-C96E-49B3-823F-012E09D17806}.Debug|x86.Build.0 = Debug|Win32
{CD9740CE-C96E-49B3-823F-012E09D17806}.Release|x64.ActiveCfg = Release|x64
{CD9740CE-C96E-49B3-823F-012E09D17806}.Release|x64.Build.0 = Release|x64
{CD9740CE-C96E-49B3-823F-012E09D17806}.Release|x86.ActiveCfg = Release|Win32
{CD9740CE-C96E-49B3-823F-012E09D17806}.Release|x86.Build.0 = Release|Win32
{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Debug|x64.ActiveCfg = Debug|x64
{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Debug|x64.Build.0 = Debug|x64
{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Debug|x86.ActiveCfg = Debug|Win32
{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Debug|x86.Build.0 = Debug|Win32
{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Release|x64.ActiveCfg = Release|x64
{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Release|x64.Build.0 = Release|x64
{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Release|x86.ActiveCfg = Release|Win32
{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Release|x86.Build.0 = Release|Win32
{114CAA59-46C0-4B87-BA86-C1946A68101D}.Debug|x64.ActiveCfg = Debug|x64
{114CAA59-46C0-4B87-BA86-C1946A68101D}.Debug|x64.Build.0 = Debug|x64
{114CAA59-46C0-4B87-BA86-C1946A68101D}.Debug|x86.ActiveCfg = Debug|Win32
{114CAA59-46C0-4B87-BA86-C1946A68101D}.Debug|x86.Build.0 = Debug|Win32
{114CAA59-46C0-4B87-BA86-C1946A68101D}.Release|x64.ActiveCfg = Release|x64
{114CAA59-46C0-4B87-BA86-C1946A68101D}.Release|x64.Build.0 = Release|x64
{114CAA59-46C0-4B87-BA86-C1946A68101D}.Release|x86.ActiveCfg = Release|Win32
{114CAA59-46C0-4B87-BA86-C1946A68101D}.Release|x86.Build.0 = Release|Win32
{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Debug|x64.ActiveCfg = Debug|x64
{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Debug|x64.Build.0 = Debug|x64
{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Debug|x86.ActiveCfg = Debug|Win32
{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Debug|x86.Build.0 = Debug|Win32
{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Release|x64.ActiveCfg = Release|x64
{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Release|x64.Build.0 = Release|x64
{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Release|x86.ActiveCfg = Release|Win32
{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Release|x86.Build.0 = Release|Win32
{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Debug|x64.ActiveCfg = Debug|x64
{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Debug|x64.Build.0 = Debug|x64
{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Debug|x86.ActiveCfg = Debug|Win32
{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Debug|x86.Build.0 = Debug|Win32
{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Release|x64.ActiveCfg = Release|x64
{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Release|x64.Build.0 = Release|x64
{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Release|x86.ActiveCfg = Release|Win32
{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE

619
contrib/win32/openssh/appveyor.psm1 Normal file
View File

@ -0,0 +1,619 @@
$ErrorActionPreference = 'Stop'
Import-Module $PSScriptRoot\build.psm1
$repoRoot = Get-RepositoryRoot
# Sets a build variable
Function Set-BuildVariable
{
param(
[Parameter(Mandatory=$true)]
[string]
$Name,
[Parameter(Mandatory=$true)]
[string]
$Value
)
if($env:AppVeyor)
{
Set-AppveyorBuildVariable @PSBoundParameters
}
else
{
Set-Item env:/$name -Value $Value
}
}
# Emulates running all of AppVeyor but locally
# should not be used on AppVeyor
function Invoke-AppVeyorFull
{
param(
[switch] $APPVEYOR_SCHEDULED_BUILD,
[switch] $CleanRepo
)
if($CleanRepo)
{
Clear-PSRepo
}
if($env:APPVEYOR)
{
throw "This function is to simulate appveyor, but not to be run from appveyor!"
}
if($APPVEYOR_SCHEDULED_BUILD)
{
$env:APPVEYOR_SCHEDULED_BUILD = 'True'
}
try {
Invoke-AppVeyorBuild
Install-OpenSSH
Install-TestDependencies
& "$env:ProgramFiles\PowerShell\6.0.0.12\powershell.exe" -Command {Import-Module $($repoRoot.FullName)\contrib\win32\openssh\AppVeyor.psm1;Run-OpenSSHTests -uploadResults}
Run-OpenSSHTests
Publish-Artifact
}
finally {
if($APPVEYOR_SCHEDULED_BUILD -and $env:APPVEYOR_SCHEDULED_BUILD)
{
Remove-Item env:APPVEYOR_SCHEDULED_BUILD
}
}
}
# Implements the AppVeyor 'build_script' step
function Invoke-AppVeyorBuild
{
Start-SSHBuild -Configuration Release -NativeHostArch x64 -Verbose
Start-SSHBuild -Configuration Debug -NativeHostArch x64 -Verbose
Start-SSHBuild -Configuration Release -NativeHostArch x86 -Verbose
Start-SSHBuild -Configuration Debug -NativeHostArch x86 -Verbose
}
<#
.Synopsis
This function invokes msiexec.exe to install PSCore on the AppVeyor build machine
#>
function Invoke-MSIEXEC
{
[CmdletBinding()]
param(
[Parameter(Mandatory=$true)]
[string] $InstallFile
)
Write-Verbose "Installing $InstallFile..."
$arguments = @(
"/i"
"`"$InstallFile`""
"/qn"
"/norestart"
)
$process = Start-Process -FilePath msiexec.exe -ArgumentList $arguments -Wait -PassThru
if ($process.ExitCode -eq 0){
Write-Output "$InstallFile has been successfully installed"
}
else {
Write-Output "installer exit code $($process.ExitCode) for file $($InstallFile)"
}
return $process.ExitCode
}
<#
.Synopsis
This function installs PSCore MSI on the AppVeyor build machine
#>
function Install-PSCoreFromGithub
{
$downloadLocation = Download-PSCoreMSI
Write-Output "Installing PSCore ..."
if(-not [string]::IsNullOrEmpty($downloadLocation))
{
$processExitCode = Invoke-MSIEXEC -InstallFile $downloadLocation
Write-Output "Process exitcode: $processExitCode"
}
}
<#
.Synopsis
Retuns MSI location for PSCore for Win10, Windows 8.1 and 2012 R2
#>
function Get-PSCoreMSIDownloadURL
{
$osversion = [String][Environment]::OSVersion.Version
Write-Host "osversion:$osversion"
if($osversion.StartsWith("6"))
{
if ($($env:PROCESSOR_ARCHITECTURE).Contains('64'))
{
return 'https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.12/PowerShell_6.0.0.12-alpha.12-win81-x64.msi'
}
else
{
return ''
}
}
elseif ($osversion.Contains("10.0"))
{
if ($($env:PROCESSOR_ARCHITECTURE).Contains('64'))
{
return 'https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.12/PowerShell_6.0.0.12-alpha.12-win10-x64.msi'
}
else
{
return ''
}
}
}
<#
.Synopsis
This functions downloads MSI and returns the path where the file is downloaded.
#>
function Download-PSCoreMSI
{
$url = Get-PSCoreMSIDownloadURL
if([string]::IsNullOrEmpty($url))
{
Write-Output "url is empty"
return ''
}
$parsed = $url.Substring($url.LastIndexOf("/") + 1)
if(-not (Test-path "$env:SystemDrive\PScore" -PathType Container))
{
New-Item -ItemType Directory -Force -Path "$env:SystemDrive\PScore" | out-null
}
$downloadLocation = "$env:SystemDrive\PScore\$parsed"
if(-not (Test-path $downloadLocation -PathType Leaf))
{
Invoke-WebRequest -Uri $url -OutFile $downloadLocation -ErrorVariable v
}
if ($v)
{
throw "Failed to download PSCore MSI package from $url"
}
else
{
return $downloadLocation
}
}
<#
.SYNOPSIS
This function installs the tools required by our tests
1) Pester for running the tests
2) sysinternals required by the tests on windows.
#>
function Install-TestDependencies
{
[CmdletBinding()]
param ()
$isModuleAvailable = Get-Module 'Pester' -ListAvailable
if (-not ($isModuleAvailable))
{
Write-Output 'Installing Pester...'
choco install Pester -y --force
}
if ( -not (Test-Path "$env:ProgramData\chocolatey\lib\sysinternals\tools" ) ) {
Write-Output "sysinternals not present. Installing sysinternals."
choco install sysinternals -y
}
Write-Output "Installing pscore..."
Install-PSCoreFromGithub
}
<#
.Synopsis
Deploy all required files to a location and install the binaries
#>
function Install-OpenSSH
{
[CmdletBinding()]
param
(
[string] $OpenSSHDir = "$env:SystemDrive\OpenSSH",
[ValidateSet('Debug', 'Release')]
[string]$Configuration = "Debug",
[ValidateSet('x86', 'x64', '')]
[string]$NativeHostArch = ""
)
Build-Win32OpenSSHPackage @PSBoundParameters
Push-Location $OpenSSHDir
&( "$OpenSSHDir\install-sshd.ps1")
.\ssh-keygen.exe -A
Start-Service ssh-agent
&( "$OpenSSHDir\install-sshlsa.ps1")
Set-Service sshd -StartupType Automatic
Set-Service ssh-agent -StartupType Automatic
Start-Service sshd
Pop-Location
}
<#
.Synopsis
uninstalled sshd and sshla
#>
function UnInstall-OpenSSH
{
[CmdletBinding()]
param
(
[string] $OpenSSHDir = "$env:SystemDrive\OpenSSH"
)
Push-Location $OpenSSHDir
Stop-Service sshd
&( "$OpenSSHDir\uninstall-sshd.ps1")
&( "$OpenSSHDir\uninstall-sshlsa.ps1")
Pop-Location
}
<#
.Synopsis
Deploy all required files to build a package and create zip file.
#>
function Build-Win32OpenSSHPackage
{
[CmdletBinding()]
param
(
[string] $OpenSSHDir = "$env:SystemDrive\OpenSSH",
[ValidateSet('Debug', 'Release')]
[string]$Configuration = "Debug",
[ValidateSet('x86', 'x64', '')]
[string]$NativeHostArch = ""
)
if (-not (Test-Path -Path $OpenSSHDir -PathType Container))
{
New-Item -Path $OpenSSHDir -ItemType Directory -Force -ErrorAction Stop
}
[string] $platform = $env:PROCESSOR_ARCHITECTURE
if(-not [String]::IsNullOrEmpty($NativeHostArch))
{
$folderName = $NativeHostArch
if($NativeHostArch -eq 'x86')
{
$folderName = "Win32"
}
}
else
{
if($platform -ieq "AMD64")
{
$folderName = "x64"
}
else
{
$folderName = "Win32"
}
}
[System.IO.DirectoryInfo] $repositoryRoot = Get-RepositoryRoot
$sourceDir = Join-Path $repositoryRoot.FullName -ChildPath "bin\$folderName\$Configuration"
Copy-Item -Path "$sourceDir\*" -Destination $OpenSSHDir -Include *.exe,*.dll -Exclude *unittest*.* -Force -ErrorAction Stop
$sourceDir = Join-Path $repositoryRoot.FullName -ChildPath "contrib\win32\openssh"
Copy-Item -Path "$sourceDir\*" -Destination $OpenSSHDir -Include *.ps1,sshd_config -Exclude AnalyzeCodeDiff.ps1 -Force -ErrorAction Stop
$packageName = "rktools.2003"
$rktoolsPath = "${env:ProgramFiles(x86)}\Windows Resource Kits\Tools\ntrights.exe"
if (-not (Test-Path -Path $rktoolsPath))
{
Write-Information -MessageData "$packageName not present. Installing $packageName."
choco install $packageName -y --force
}
Copy-Item -Path $rktoolsPath -Destination $OpenSSHDir -Force -ErrorAction Stop
$packageFolder = $env:SystemDrive
if ($env:APPVEYOR_BUILD_FOLDER)
{
$packageFolder = $env:APPVEYOR_BUILD_FOLDER
}
$package = "$packageFolder\Win32OpenSSH$Configuration$folderName.zip"
$allPackage = "$packageFolder\Win32OpenSSH*.zip"
if (Test-Path $allPackage)
{
Remove-Item -Path $allPackage -Force -ErrorAction SilentlyContinue
}
Add-Type -assemblyname System.IO.Compression.FileSystem
[System.IO.Compression.ZipFile]::CreateFromDirectory($OpenSSHDir, $package)
}
<#
.Synopsis
After build and test run completes, upload all artifacts from the build machine.
#>
function Deploy-OpenSSHTests
{
[CmdletBinding()]
param
(
[string] $OpenSSHTestDir = "$env:SystemDrive\OpenSSH",
[ValidateSet('Debug', 'Release')]
[string]$Configuration = "Debug",
[ValidateSet('x86', 'x64', '')]
[string]$NativeHostArch = ""
)
if (-not (Test-Path -Path $OpenSSHTestDir -PathType Container))
{
New-Item -Path $OpenSSHTestDir -ItemType Directory -Force -ErrorAction Stop
}
[string] $platform = $env:PROCESSOR_ARCHITECTURE
if(-not [String]::IsNullOrEmpty($NativeHostArch))
{
$folderName = $NativeHostArch
if($NativeHostArch -eq 'x86')
{
$folderName = "Win32"
}
}
else
{
if($platform -ieq "AMD64")
{
$folderName = "x64"
}
else
{
$folderName = "Win32"
}
}
[System.IO.DirectoryInfo] $repositoryRoot = Get-RepositoryRoot
$sourceDir = Join-Path $repositoryRoot.FullName -ChildPath "regress\pesterTests"
Copy-Item -Path "$sourceDir\*" -Destination $OpenSSHTestDir -Include *.ps1,*.psm1 -Force -ErrorAction Stop
$sourceDir = Join-Path $repositoryRoot.FullName -ChildPath "bin\$folderName\$Configuration"
Copy-Item -Path "$sourceDir\*" -Destination $OpenSSHTestDir -Exclude ssh-agent.exe, sshd.exe -Force -ErrorAction Stop
}
<#
.Synopsis
Adds a build log to the list of published artifacts.
.Description
If a build log exists, it is renamed to reflect the associated CLR runtime then added to the list of
artifacts to publish. If it doesn't exist, a warning is written and the file is skipped.
The rename is needed since publishing overwrites the artifact if it already exists.
.Parameter artifacts
An array list to add the fully qualified build log path
.Parameter buildLog
The build log file produced by the build.
#>
function Add-BuildLog
{
param
(
[ValidateNotNull()]
[System.Collections.ArrayList] $artifacts,
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string] $buildLog
)
if (Test-Path -Path $buildLog)
{
Write-Output "Adding $buildLog to local artifacts"
$null = $artifacts.Add($buildLog)
Write-Output "Adding $buildLog to local artifacts- completed"
}
else
{
Write-Warning "Skip publishing build log. $buildLog does not exist"
}
}
<#
.Synopsis
Publishes package build artifacts.
.Parameter artifacts
An array list to add the fully qualified build log path
.Parameter packageFile
Path to the package
#>
function Add-Artifact
{
param
(
[ValidateNotNull()]
[System.Collections.ArrayList] $artifacts,
[string] $FileToAdd = "$env:SystemDrive\Win32OpenSSH*.zip"
)
$files = Get-ChildItem -Path $FileToAdd -ErrorAction Ignore
if ($files -ne $null)
{
$files | % {
Write-Output "Adding $($_.FullName) to local artifacts"
$null = $artifacts.Add($_.FullName)
Write-Output "Adding $($_.FullName) to local artifacts- completed"
}
}
else
{
Write-Warning "Skip publishing package artifacts. $FileToAdd does not exist"
}
}
<#
.Synopsis
After build and test run completes, upload all artifacts from the build machine.
#>
function Publish-Artifact
{
Write-Output "Publishing project artifacts"
[System.Collections.ArrayList] $artifacts = [System.Collections.ArrayList]::new()
$packageFolder = $env:SystemDrive
if ($env:APPVEYOR_BUILD_FOLDER)
{
$packageFolder = $env:APPVEYOR_BUILD_FOLDER
}
Add-Artifact -artifacts $artifacts -FileToAdd "$packageFolder\Win32OpenSSH*.zip"
Add-Artifact -artifacts $artifacts -FileToAdd "$packageFolder\OpenSSH\UnitTestResults.txt"
# Get the build.log file for each build configuration
#Add-BuildLog -artifacts $artifacts -buildLog (Get-BuildLogFile -root $repoRoot.FullName -Configuration Release -NativeHostArch x86)
#Add-BuildLog -artifacts $artifacts -buildLog (Get-BuildLogFile -root $repoRoot.FullName -Configuration Debug -NativeHostArch x86)
#Add-BuildLog -artifacts $artifacts -buildLog (Get-BuildLogFile -root $repoRoot.FullName -Configuration Release -NativeHostArch x64)
Add-BuildLog -artifacts $artifacts -buildLog (Get-BuildLogFile -root $repoRoot.FullName -Configuration Debug -NativeHostArch x64)
foreach ($artifact in $artifacts)
{
Write-Output "Publishing $artifact as Appveyor artifact"
# NOTE: attempt to publish subsequent artifacts even if the current one fails
Push-AppveyorArtifact $artifact -ErrorAction "Continue"
}
}
<#
.Synopsis
Run OpenSSH pester tests.
#>
function Run-OpenSSHPesterTest
{
param($testRoot, $outputXml)
# Discover all CI tests and run them.
Push-Location $testRoot
Write-Output "Running OpenSSH Pester tests..."
$testFolders = Get-ChildItem *.tests.ps1 -Recurse | ForEach-Object{ Split-Path $_.FullName} | Sort-Object -Unique
Invoke-Pester $testFolders -OutputFormat NUnitXml -OutputFile $outputXml -Tag 'CI'
Pop-Location
}
<#
.Synopsis
Run unit tests.
#>
function Run-OpenSSHUnitTest
{
param($testRoot, $unitTestOutputFile)
# Discover all CI tests and run them.
Push-Location $testRoot
Write-Output "Running OpenSSH unit tests..."
if (Test-Path $unitTestOutputFile)
{
Remove-Item -Path $unitTestOutputFile -Force -ErrorAction SilentlyContinue
}
$unitTestFiles = Get-ChildItem -Path "$testRoot\unittest*.exe"
$testFailed = $false
if ($unitTestFiles -ne $null)
{
$unitTestFiles | % {
Write-Output "Running OpenSSH unit $($_.FullName)..."
& $_.FullName >> $unitTestOutputFile
$errorCode = $LASTEXITCODE
if ($errorCode -ne 0)
{
$testFailed = $true
Write-Output "$($_.FullName) test failed for OpenSSH.`nExitCode: $error"
}
}
if($testFailed)
{
throw "SSH unit tests failed"
}
}
Pop-Location
}
<#
.Synopsis
Runs the tests for this repo
.Parameter testResultsFile
The name of the xml file to write pester results.
The default value is '.\testResults.xml'
.Parameter uploadResults
Uploads the tests results.
.Example
.\RunTests.ps1
Runs the tests and creates the default 'testResults.xml'
.Example
.\RunTests.ps1 -uploadResults
Runs the tests and creates teh default 'testResults.xml' and uploads it to appveyor.
#>
function Run-OpenSSHTests
{
[CmdletBinding()]
param
(
[string] $testResultsFile = "$env:SystemDrive\OpenSSH\TestResults.xml",
[string] $unitTestResultsFile = "$env:SystemDrive\OpenSSH\UnitTestResults.txt",
[string] $testInstallFolder = "$env:SystemDrive\OpenSSH"
)
Deploy-OpenSSHTests -OpenSSHTestDir $testInstallFolder
# Run all pester tests.
Run-OpenSSHPesterTest -testRoot $testInstallFolder -outputXml $testResultsFile
$xml = [xml](Get-Content -raw $testResultsFile)
if ([int]$xml.'test-results'.failures -gt 0)
{
throw "$($xml.'test-results'.failures) tests in regress\pesterTests failed"
}
# Writing out warning when the $Error.Count is non-zero. Tests Should clean $Error after success.
if ($Error.Count -gt 0)
{
$Error| Out-File "$env:SystemDrive\OpenSSH\TestError.txt" -Append
}
Run-OpenSSHUnitTest -testRoot $testInstallFolder -unitTestOutputFile $unitTestResultsFile
}
function Upload-OpenSSHTestResults
{
[CmdletBinding()]
param
(
[string] $testResultsFile = "$env:SystemDrive\OpenSSH\TestResults.xml"
)
if ($env:APPVEYOR_JOB_ID)
{
(New-Object 'System.Net.WebClient').UploadFile("https://ci.appveyor.com/api/testresults/nunit/$($env:APPVEYOR_JOB_ID)", (Resolve-Path $testResultsFile))
}
}

383
contrib/win32/openssh/build.psm1 Normal file
View File

@ -0,0 +1,383 @@

Set-StrictMode -Version Latest
[string] $script:platform = $env:PROCESSOR_ARCHITECTURE
[string] $script:vcPath = $null
[System.IO.DirectoryInfo] $script:OpenSSHRoot = $null
[bool] $script:Verbose = $false
[string] $script:BuildLogFile = $null
<#
Called by Write-BuildMsg to write to the build log, if it exists.
#>
function Write-Log
{
param
(
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string] $Message
)
# write it to the log file, if present.
if (-not ([string]::IsNullOrEmpty($script:BuildLogFile)))
{
Add-Content -Path $script:BuildLogFile -Value $Message
}
}
<#
.Synopsis
Writes a build message.
.Parameter Message
The message to write.
.Parameter AsInfo
Writes a user message using Write-Information.
.Parameter AsVerbose
Writes a message using Write-Verbose and to the build log if -Verbose was specified to Start-DscBuild.
.Parameter AsWarning
Writes a message using Write-Warning and to the build log.
.Parameter AsError
Writes a message using Write-Error and to the build log.
.Parameter Silent
Writes the message only to the log.
.Parameter ErrorAction
Determines if the script is terminated when errors are written.
This parameter is ignored when -Silent is specified.
.Example
Write-BuildMsg -AsInfo 'Starting the build'
Writes an informational message to the log and to the user
.Example
Write-BuildMsg -AsError 'Terminating build' -Silent
Writes an error message only to the log
.Example
Write-BuildMsg -AsError 'Terminating build' -ErrorAction Stop
Writes an error message to the log and the user and terminates the build.
.Example
Write-BuildMsg -AsInfo 'Nuget is already installed' -Silent:(-not $script:Verbose)
Writes an informational message to the log. If -Verbose was specified, also
writes to message to the user.
#>
function Write-BuildMsg
{
[CmdletBinding()]
param
(
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty()]
[string] $Message,
[Parameter(ParameterSetName='Info')]
[switch] $AsInfo,
[Parameter(ParameterSetName='Verbose')]
[switch] $AsVerbose,
[Parameter(ParameterSetName='Warning')]
[switch] $AsWarning,
[Parameter(ParameterSetName='Error')]
[switch] $AsError,
[switch] $Silent
)
if ($AsVerbose)
{
if ($script:Verbose)
{
Write-Log -Message "VERBOSE: $message"
if (-not $Silent)
{
Write-Verbose -Message $message -Verbose
}
}
return
}
if ($AsInfo)
{
Write-Log -Message "INFO: $message"
if (-not $Silent)
{
Write-Information -MessageData $message -InformationAction Continue
}
return
}
if ($AsWarning)
{
Write-Log -Message "WARNING: $message"
if (-not $Silent)
{
Write-Warning -Message $message
}
return
}
if ($AsError)
{
Write-Log -Message "ERROR: $message"
if (-not $Silent)
{
Write-Error -Message $message
}
return
}
# if we reached here, no output type switch was specified.
Write-BuildMsg -AsError -ErrorAction Stop -Message 'Write-BuildMsg was called without selecting an output type.'
}
<#
.Synopsis
Verifies all tools and dependencies required for building Open SSH are installed on the machine.
#>
function Start-SSHBootstrap
{
Set-StrictMode -Version Latest
Write-BuildMsg -AsInfo -Message "Checking tools and dependencies"
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'MACHINE')
$newMachineEnvironmentPath = $machinePath
# NOTE: Unless -Verbose is specified, most informational output will only go to the log file.
[bool] $silent = -not $script:Verbose
# Install chocolatey
$chocolateyPath = "$env:AllUsersProfile\chocolatey\bin"
if(Get-Command "choco" -ErrorAction SilentlyContinue)
{
Write-BuildMsg -AsVerbose -Message "Chocolatey is already installed. Skipping installation." -Silent:$silent
}
else
{
Write-BuildMsg -AsInfo -Message "Chocolatey not present. Installing chocolatey."
Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
if (-not ($machinePath.ToLower().Contains($chocolateyPath.ToLower())))
{
Write-BuildMsg -AsVerbose -Message "Adding $chocolateyPath to Path environment variable"
$newMachineEnvironmentPath += ";$chocolateyPath"
$env:Path += ";$chocolateyPath"
}
else
{
Write-BuildMsg -AsVerbose -Message "$chocolateyPath already present in Path environment variable"
}
}
# Add git\cmd to the path
$gitCmdPath = "$env:ProgramFiles\git\cmd"
if (-not ($machinePath.ToLower().Contains($gitCmdPath.ToLower())))
{
Write-BuildMsg -AsVerbose -Message "Adding $gitCmdPath to Path environment variable"
$newMachineEnvironmentPath = "$gitCmdPath;$newMachineEnvironmentPath"
}
else
{
Write-BuildMsg -AsVerbose -Message "$gitCmdPath already present in Path environment variable" -Silent:$silent
}
$nativeMSBuildPath = "${env:ProgramFiles(x86)}\MSBuild\14.0\bin"
if($script:platform -ieq "AMD64")
{
$nativeMSBuildPath += "\amd64"
}
if (-not ($machinePath.ToLower().Contains($nativeMSBuildPath.ToLower())))
{
Write-BuildMsg -AsVerbose -Message "Adding $nativeMSBuildPath to Path environment variable"
$newMachineEnvironmentPath += ";$nativeMSBuildPath"
$env:Path += ";$nativeMSBuildPath"
}
else
{
Write-BuildMsg -AsVerbose -Message "$nativeMSBuildPath already present in Path environment variable" -Silent:$silent
}
# Update machine environment path
if ($newMachineEnvironmentPath -ne $machinePath)
{
[Environment]::SetEnvironmentVariable('Path', $newMachineEnvironmentPath, 'MACHINE')
}
# install nasm
$packageName = "nasm"
$nasmPath = "${env:ProgramFiles(x86)}\NASM"
if (-not (Test-Path -Path $nasmPath -PathType Container))
{
Write-BuildMsg -AsInfo -Message "$packageName not present. Installing $packageName."
choco install $packageName -y --force --execution-timeout 10000
}
else
{
Write-BuildMsg -AsVerbose -Message "$packageName present. Skipping installation." -Silent:$silent
}
# Install Visual Studio 2015 Community
$packageName = "VisualStudio2015Community"
$VSPackageInstalled = Get-ItemProperty "HKLM:\software\WOW6432Node\Microsoft\VisualStudio\14.0\setup\vs" -ErrorAction SilentlyContinue
if ($null -eq $VSPackageInstalled)
{
Write-BuildMsg -AsInfo -Message "$packageName not present. Installing $packageName."
$adminFilePath = "$script:OpenSSHRoot\contrib\win32\openssh\VSWithBuildTools.xml"
choco install $packageName -packageParameters "--AdminFile $adminFilePath" -y --force --execution-timeout 10000
}
else
{
Write-BuildMsg -AsVerbose -Message "$packageName present. Skipping installation." -Silent:$silent
}
# Install Windows 8.1 SDK
$packageName = "windows-sdk-8.1"
$sdkPath = "C:\Program Files (x86)\Windows Kits\8.1\bin\x86\register_app.vbs"
if (-not (Test-Path -Path $sdkPath))
{
Write-BuildMsg -AsInfo -Message "Windows 8.1 SDK not present. Installing $packageName."
choco install $packageName -y --force
}
else
{
Write-BuildMsg -AsInfo -Message "$packageName present. Skipping installation." -Silent:$silent
}
# Require restarting PowerShell session
if ($null -eq $VSPackageInstalled)
{
Write-Host "To apply changes, please close this PowerShell window, open a new one and call Start-SSHBuild or Start-DscBootstrap again." -ForegroundColor Black -BackgroundColor Yellow
Write-Host -NoNewLine 'Press any key to close this PowerShell window...' -ForegroundColor Black -BackgroundColor Yellow
$null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
exit
}
# Ensure the VS C toolset is installed
if ($null -eq $env:VS140COMNTOOLS)
{
Write-BuildMsg -AsError -ErrorAction Stop -Message "Cannot find Visual Studio 2015 Environment variable VS140COMNTOOlS"
}
$item = Get-Item(Join-Path -Path $env:VS140COMNTOOLS -ChildPath '../../vc')
$script:vcPath = $item.FullName
Write-BuildMsg -AsVerbose -Message "vcPath: $script:vcPath"
if ((Test-Path -Path "$script:vcPath\vcvarsall.bat") -eq $false)
{
Write-BuildMsg -AsError -ErrorAction Stop -Message "Could not find Visual Studio vcvarsall.bat at" + $script:vcPath
}
}
function Start-SSHBuild
{
[CmdletBinding(SupportsShouldProcess=$false)]
param
(
[ValidateSet('x86', 'x64')]
[string]$NativeHostArch = "x64",
[ValidateSet('Debug', 'Release', '')]
[string]$Configuration = "Debug"
)
Set-StrictMode -Version Latest
$script:BuildLogFile = $null
[System.IO.DirectoryInfo] $repositoryRoot = Get-RepositoryRoot
# Get openssh-portable root
$script:OpenSSHRoot = Get-Item -Path $repositoryRoot.FullName
if($PSBoundParameters.ContainsKey("Verbose"))
{
$script:Verbose = ($PSBoundParameters['Verbose']).IsPresent
}
$script:BuildLogFile = Get-BuildLogFile -root $repositoryRoot.FullName -Configuration $Configuration -NativeHostArch $NativeHostArch
if (Test-Path -Path $script:BuildLogFile)
{
Remove-Item -Path $script:BuildLogFile
}
Write-BuildMsg -AsInfo -Message "Starting Open SSH build."
Write-BuildMsg -AsInfo -Message "Build Log: $($script:BuildLogFile)"
Start-SSHBootstrap
$msbuildCmd = "msbuild.exe"
$solutionFile = Get-SolutionFile -root $repositoryRoot.FullName
$cmdMsg = @("${solutionFile}", "/p:Platform=${NativeHostArch}", "/p:Configuration=${Configuration}", "/fl", "/flp:LogFile=${script:BuildLogFile}`;Append`;Verbosity=diagnostic")
Write-Information -MessageData $msbuildCmd
Write-Information -MessageData $cmdMsg
& $msbuildCmd $cmdMsg
$errorCode = $LASTEXITCODE
if ($errorCode -ne 0)
{
Write-BuildMsg -AsError -ErrorAction Stop -Message "Build failed for OpenSSH.`nExitCode: $error"
}
Write-BuildMsg -AsVerbose -Message "Finished Open SSH build."
}
function Get-BuildLogFile
{
param
(
[Parameter(Mandatory=$true)]
[ValidateNotNull()]
[System.IO.DirectoryInfo] $root,
[ValidateSet('x86', 'x64')]
[string]$NativeHostArch = "x64",
[ValidateSet('Debug', 'Release', '')]
[string]$Configuration = "Debug"
)
return Join-Path -Path $root -ChildPath "contrib\win32\openssh\OpenSSH$($Configuration)$($NativeHostArch).log"
}
function Get-SolutionFile
{
param
(
[Parameter(Mandatory=$true)]
[ValidateNotNull()]
[System.IO.DirectoryInfo] $root
)
return Join-Path -Path $root -ChildPath "contrib\win32\openssh\Win32-OpenSSH.sln"
}
<#
.Synopsis
Finds the root of the git repository
.Outputs
A System.IO.DirectoryInfo for the location of the root.
.Inputs
None
.Notes
FileNotFoundException is thrown if the current directory does not contain a CMakeLists.txt file.
#>
function Get-RepositoryRoot
{
Set-StrictMode -Version Latest
$currentDir = (Get-Item -Path $PSCommandPath).Directory
while ($null -ne $currentDir.Parent)
{
$path = Join-Path -Path $currentDir.FullName -ChildPath '.git'
if (Test-Path -Path $path)
{
return $currentDir
}
$currentDir = $currentDir.Parent
}
throw new-object System.IO.DirectoryNotFoundException("Could not find the root of the GIT repository")
}
Export-ModuleMember -Function Start-SSHBuild, Get-RepositoryRoot, Get-BuildLogFile

25
contrib/win32/openssh/config.h.vs
View File

@ -218,7 +218,8 @@
/* #undef HAVE_B64_PTON */
/* Define if you have the basename function. */
#define HAVE_BASENAME 1
/* For Windows, this is defined in dirent.h, but that header is not included in sftp.c */
/* #define HAVE_BASENAME */
/* Define to 1 if you have the `bcopy' function. */
/* #undef HAVE_BCOPY */
@ -336,7 +337,7 @@
/* #undef HAVE_DIRFD */
/* Define to 1 if you have the `dirname' function. */
#define HAVE_DIRNAME 1
/* #define HAVE_DIRNAME 1 */
/* Define to 1 if you have the `DSA_generate_parameters_ex' function. */
#define HAVE_DSA_GENERATE_PARAMETERS_EX 1
@ -770,7 +771,7 @@
/* #undef HAVE_READPASSPHRASE_H */
/* Define to 1 if you have the `realpath' function. */
#define HAVE_REALPATH 1
/* #define HAVE_REALPATH 1 */
/* Define to 1 if you have the `recvmsg' function. */
/* #undef HAVE_RECVMSG */
@ -1642,13 +1643,12 @@
#undef HAVE_SYS_SYSMACROS_H
#undef HAVE_SYS_MMAN_H
#undef HAVE_SYS_UN_H
#define _STRUCT_WINSIZE 1
#define HAVE_TCGETPGRP 1
#undef HAVE_TIME
#define HAVE_TRUNCATE 1
#define HAVE_VIS_H 1
#define MISSING_FD_MASK 1
@ -1680,14 +1680,6 @@
#define WIN32_ZLIB_NO 1
#define USE_MSCNG 1
#ifndef ssize_t
#ifdef _WIN64
typedef __int64 ssize_t;
#else
typedef long ssize_t;
#endif
#endif
#define HAVE_STRTOULL 1
#define HAVE_USLEEP 1
@ -1704,11 +1696,10 @@ typedef long ssize_t;
//#define SHUT_WR 1
//#define SHUT_RD 0
#define HAVE_EXPLICIT_BZERO
#define WIN32_ZLIB_NO 1
#define HAVE_MBTOWC 1
#include <signal.h>
#include <io.h>
@ -1724,6 +1715,10 @@ typedef long ssize_t;
// works remotely over SSH like they operate in a local machine
//#define WIN32_PRAGMA_REMCON
#define umac128_new umac_new
#define umac128_update umac_update
#define umac_final umac128_final
#define umac_delete umac128_delete
#define HAVE_MBLEN 1

5
contrib/win32/openssh/keygen.vcxproj
View File

@ -150,7 +150,7 @@
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>No</GenerateDebugInformation>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>win32iocompat.lib;bcrypt.lib;Netapi32.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -173,7 +173,7 @@
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>No</GenerateDebugInformation>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>win32iocompat.lib;bcrypt.lib;Netapi32.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -183,6 +183,7 @@
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="$(OpenSSH-Src-Path)ssh-keygen.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc" />

3
contrib/win32/openssh/keygen.vcxproj.filters
View File

@ -18,6 +18,9 @@
<ClCompile Include="$(OpenSSH-Src-Path)ssh-keygen.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc">

73
contrib/win32/openssh/libssh.vcxproj
View File

@ -190,8 +190,12 @@
<ClCompile Include="$(OpenSSH-Src-Path)compat.c" />
<ClCompile Include="$(OpenSSH-Src-Path)crc32.c" />
<ClCompile Include="$(OpenSSH-Src-Path)deattack.c" />
<ClCompile Include="$(OpenSSH-Src-Path)dh.c" />
<ClCompile Include="$(OpenSSH-Src-Path)digest-libc.c" />
<ClCompile Include="$(OpenSSH-Src-Path)dh.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)digest-libc.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)dispatch.c" />
<ClCompile Include="$(OpenSSH-Src-Path)dns.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ed25519.c" />
@ -203,19 +207,34 @@
<ClCompile Include="$(OpenSSH-Src-Path)hash.c" />
<ClCompile Include="$(OpenSSH-Src-Path)hmac.c" />
<ClCompile Include="$(OpenSSH-Src-Path)hostfile.c" />
<ClCompile Include="$(OpenSSH-Src-Path)jpake.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kex.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexc25519.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexc25519c.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexc25519s.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexdh.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexdhc.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexdhs.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexecdh.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexecdhc.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexecdhs.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexgex.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexgexc.c" />
<ClCompile Include="$(OpenSSH-Src-Path)kexdh.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)kexdhc.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)kexdhs.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)kexecdh.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)kexecdhc.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)kexecdhs.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)kexgex.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)kexgexc.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)key.c" />
<ClCompile Include="$(OpenSSH-Src-Path)krl.c" />
<ClCompile Include="$(OpenSSH-Src-Path)log.c" />
@ -233,15 +252,22 @@
<ClCompile Include="$(OpenSSH-Src-Path)progressmeter.c" />
<ClCompile Include="$(OpenSSH-Src-Path)readpass.c" />
<ClCompile Include="$(OpenSSH-Src-Path)rijndael.c" />
<ClCompile Include="$(OpenSSH-Src-Path)rsa.c" />
<ClCompile Include="$(OpenSSH-Src-Path)rsa.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sc25519.c" />
<ClCompile Include="$(OpenSSH-Src-Path)schnorr.c" />
<ClCompile Include="$(OpenSSH-Src-Path)smult_curve25519_ref.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ssh-dss.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ssh-ecdsa.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ssh-dss.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)ssh-ecdsa.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)ssh-ed25519.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ssh-pkcs11.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ssh-rsa.c" />
<ClCompile Include="$(OpenSSH-Src-Path)ssh-rsa.c">
<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)sshbuf-getput-basic.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sshbuf-getput-crypto.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sshbuf-misc.c" />
@ -252,20 +278,13 @@
<ClCompile Include="$(OpenSSH-Src-Path)ttymodes.c" />
<ClCompile Include="$(OpenSSH-Src-Path)uidswap.c" />
<ClCompile Include="$(OpenSSH-Src-Path)umac.c" />
<ClCompile Include="$(OpenSSH-Src-Path)umac128.c">
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">UMAC_OUTPUT_LEN=16;umac_new=umac128_new;umac_update=umac128_update;umac_final=umac128_final;umac_delete=umac128_delete;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">UMAC_OUTPUT_LEN=16;umac_new=umac128_new;umac_update=umac128_update;umac_final=umac128_final;umac_delete=umac128_delete;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">UMAC_OUTPUT_LEN=16;umac_new=umac128_new;umac_update=umac128_update;umac_final=umac128_final;umac_delete=umac128_delete;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">UMAC_OUTPUT_LEN=16;umac_new=umac128_new;umac_update=umac128_update;umac_final=umac128_final;umac_delete=umac128_delete;%(PreprocessorDefinitions)</PreprocessorDefinitions>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)uuencode.c" />
<ClCompile Include="$(OpenSSH-Src-Path)verify.c" />
<ClCompile Include="$(OpenSSH-Src-Path)xmalloc.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openssl-bn.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openssl-dh.c">
<ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
</ClCompile>
<ClCompile Include="..\..\..\openssl-epoint.c" />
<ClCompile Include="..\..\..\platform-pledge.c" />
<ClCompile Include="..\..\..\platform-tracing.c" />
<ClCompile Include="..\..\..\platform.c" />
<ClCompile Include="..\..\..\sandbox-pledge.c" />
<ClCompile Include="..\..\..\utf8.c" />
</ItemGroup>
<ItemGroup>

25
contrib/win32/openssh/libssh.vcxproj.filters
View File

@ -126,9 +126,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)hostfile.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)jpake.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)kex.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -222,9 +219,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)sc25519.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)schnorr.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)smult_curve25519_ref.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -273,9 +267,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)umac.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)umac128.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)uuencode.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -285,16 +276,22 @@
<ClCompile Include="$(OpenSSH-Src-Path)xmalloc.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openssl-bn.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openssl-dh.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\openssl-epoint.c">
<ClCompile Include="..\..\..\utf8.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\utf8.c">
<ClCompile Include="..\..\..\platform-pledge.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\sandbox-pledge.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\platform.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\platform-tracing.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>

4
contrib/win32/openssh/openbsd_compat.vcxproj
View File

@ -26,7 +26,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bcrypt_pbkdf.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bindresvport.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\blowfish.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-arc4random.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-asprintf.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-closefrom.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-cray.c" />
@ -47,7 +46,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\fmt_scaled.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getcwd.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getgrouplist.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getopt.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getopt_long.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getrrsetbyname-ldns.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\inet_aton.c" />
@ -73,7 +71,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strlcat.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strlcpy.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strmode.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strnlen.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strptime.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strsep.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strtoll.c" />
@ -84,6 +81,7 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\vis.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\xcrypt.c" />
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\xmmap.c" />
<ClCompile Include="..\..\..\openbsd-compat\glob.c" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\base64.h" />

12
contrib/win32/openssh/openbsd_compat.vcxproj.filters
View File

@ -33,9 +33,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\blowfish.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-arc4random.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-asprintf.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -96,9 +93,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getgrouplist.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getopt.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getopt_long.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -174,9 +168,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strmode.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strnlen.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strptime.c">
<Filter>Source Files</Filter>
</ClCompile>
@ -207,6 +198,9 @@
<ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\xmmap.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="..\..\..\openbsd-compat\glob.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\base64.h">

11
contrib/win32/openssh/paths.targets
View File

@ -4,10 +4,11 @@
<OpenSSH-Src-Path>$(SolutionDir)..\..\..\</OpenSSH-Src-Path>
<OpenSSH-Bin-Path>$(SolutionDir)..\..\..\bin\</OpenSSH-Bin-Path>
<OpenSSH-Lib-Path>$(SolutionDir)lib\</OpenSSH-Lib-Path>
<OpenSSL-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\</OpenSSL-Path>
<OpenSSL-Win32-Release-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\Win32\Release\</OpenSSL-Win32-Release-Path>
<OpenSSL-Win32-Debug-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\Win32\Debug\</OpenSSL-Win32-Debug-Path>
<OpenSSL-x64-Release-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\x64\Release\</OpenSSL-x64-Release-Path>
<OpenSSL-x64-Debug-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\x64\Debug\</OpenSSL-x64-Debug-Path>
<OpenSSL-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d</OpenSSL-Path>
<OpenSSL-Win32-Release-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d\Win32\Release\</OpenSSL-Win32-Release-Path>
<OpenSSL-Win32-Debug-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d\Win32\Debug\</OpenSSL-Win32-Debug-Path>
<OpenSSL-x64-Release-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d\x64\Release\</OpenSSL-x64-Release-Path>
<OpenSSL-x64-Debug-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d\x64\Debug\</OpenSSL-x64-Debug-Path>
<!-- <UseOpenSSL>false</UseOpenSSL> -->
</PropertyGroup>
</Project>

10
contrib/win32/openssh/scp.vcxproj
View File

@ -21,7 +21,7 @@
</ItemGroup>
<ItemGroup>
<ClCompile Include="$(OpenSSH-Src-Path)scp.c" />
<ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc" />
@ -117,7 +117,6 @@
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>
@ -137,7 +136,6 @@
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-x64-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>
@ -157,11 +155,10 @@
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>No</GenerateDebugInformation>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Release-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>
@ -181,11 +178,10 @@
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>No</GenerateDebugInformation>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-x64-Release-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>

2
contrib/win32/openssh/scp.vcxproj.filters
View File

@ -18,7 +18,7 @@
<ClCompile Include="$(OpenSSH-Src-Path)scp.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c">
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>

3
contrib/win32/openssh/sftp-server.vcxproj
View File

@ -23,7 +23,7 @@
<ClCompile Include="$(OpenSSH-Src-Path)sftp-common.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sftp-server-main.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sftp-server.c" />
<ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc" />
@ -120,7 +120,6 @@
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>

3
contrib/win32/openssh/sftp-server.vcxproj.filters
View File

@ -24,9 +24,6 @@
<ClCompile Include="$(OpenSSH-Src-Path)sftp-server.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc">

10
contrib/win32/openssh/sftp.vcxproj
View File

@ -25,7 +25,7 @@
<ClCompile Include="$(OpenSSH-Src-Path)sftp-common.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sftp-glob.c" />
<ClCompile Include="$(OpenSSH-Src-Path)sftp.c" />
<ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c" />
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c" />
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="version.rc" />
@ -122,7 +122,6 @@
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>
@ -143,7 +142,6 @@
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-x64-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>
@ -163,11 +161,10 @@
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Release-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>
@ -187,11 +184,10 @@
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>false</GenerateDebugInformation>
<GenerateDebugInformation>true</GenerateDebugInformation>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-x64-Release-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
</Link>

2
contrib/win32/openssh/sftp.vcxproj.filters
View File

@ -30,7 +30,7 @@
<ClCompile Include="$(OpenSSH-Src-Path)sftp.c">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c">
<ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>

Some files were not shown because too many files have changed in this diff Show More