diff --git a/ChangeLog b/ChangeLog index 55051011f..9c29ac8ba 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,8 @@ - NetBSD login.c compile fix from David Rankin - Fully set ut_tv if present in utmp or utmpx + - Portability fixes for Irix 5.3 (now compiles OK!) + - autoconf and other misc cleanups 19991227 - Automatically correct paths in manpages and configuration files. Patch diff --git a/INSTALL b/INSTALL index 1521dc6e3..17353d9e1 100644 --- a/INSTALL +++ b/INSTALL @@ -105,6 +105,11 @@ support. You will need libwrap.a and tcpd.h installed. --with-md5-passwords will enable the use of MD5 passwords. Enable this if your operating system uses MD5 passwords without using PAM. +If you need to pass special options to the compiler or linker, you +can specify these as enviornment variables before running ./configure. +For example: + +CFLAGS="-O -m486" LFLAGS="-s" ./configure 3. Configuration ---------------- diff --git a/Makefile.in b/Makefile.in index f4e3ff4eb..2f2e31e81 100644 --- a/Makefile.in +++ b/Makefile.in @@ -85,7 +85,7 @@ gnome-ssh-askpass: gnome-ssh-askpass.c $(CC) $(CFLAGS) $(GNOME_CFLAGS) -o $@ gnome-ssh-askpass.c $(GNOME_LIBS) clean: - rm -f $(OBJS) $(TARGETS) config.status config.cache config.log core \ + rm -f *.o $(TARGETS) config.status config.cache config.log core \ *.1 *.8 sshd_config ssh_config manpages: diff --git a/README b/README index 1186edf25..fcf22f0d0 100644 --- a/README +++ b/README 
@@ -12,9 +12,9 @@ http://www.openssh.com/ This port consists of the re-introduction of autoconf support, PAM support (for Linux and Solaris), EGD[1] support, and replacements for OpenBSD library functions that are (regrettably) absent from -other unices. This port has been best tested on Linux, though some -Solaris support is beginning to filter in. This version actively -tracks changes in the OpenBSD CVS repository. +other unices. This port has been best tested on Linux, Solaris and +HPUX, though support for AIX and Irix is underway. This version +actively tracks changes in the OpenBSD CVS repository. The PAM support is now more functional than the popular packages of commercial ssh-1.2.x. It checks "account" and "session" modules for diff --git a/TODO b/TODO index 1d07c5c6b..ddd54621b 100644 --- a/TODO +++ b/TODO @@ -4,10 +4,6 @@ - Better documentation -- Port to other platforms - -- Better testing on non-PAM systems - - Replace the horror in acconfig.h which tries to comphensate for the lack of u_intXX_t types. There must be a better way. diff --git a/acconfig.h b/acconfig.h index f3a7225e2..fd9fe1fcb 100644 --- a/acconfig.h +++ b/acconfig.h @@ -6,6 +6,9 @@ /* SSL directory. */ #undef ssldir +/* Define if you want to disable PAM support */ +#undef DISABLE_PAM + /* Define if you want to disable lastlog support */ #undef DISABLE_LASTLOG @@ -115,6 +118,9 @@ /* Specify default $PATH */ #undef USER_PATH +/* Define if the inclusion of crypt.h breaks the build (e.g. Irix 5.x) */ +#undef CRYPT_H_BREAKS_BUILD + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ diff --git a/auth-passwd.c b/auth-passwd.c index 058dde82b..0311a493e 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -9,9 +9,9 @@ #include "includes.h" -#ifndef HAVE_LIBPAM +#ifndef USE_PAM -RCSID("$Id: auth-passwd.c,v 1.11 1999/12/24 23:11:29 damien Exp $"); +RCSID("$Id: auth-passwd.c,v 1.12 1999/12/28 04:09:36 damien Exp $"); #include "packet.h" #include "ssh.h" 
@@ -19,12 +19,14 @@ RCSID("$Id: auth-passwd.c,v 1.11 1999/12/24 23:11:29 damien Exp $"); #include "xmalloc.h" #ifdef HAVE_SHADOW_H -#include -#endif - -#ifdef HAVE_MD5_PASSWORDS -#include "md5crypt.h" +# include #endif +#if defined(HAVE_CRYPT_H) && !defined(CRYPT_H_BREAKS_BUILD) +# include +#endif /* defined(HAVE_CRYPT_H) && !defined(CRYPT_H_BREAKS_BUILD) */ +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) +# include "md5crypt.h" +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ /* * Tries to authenticate the user using password. Returns true if @@ -101,4 +103,4 @@ auth_password(struct passwd * pw, const char *password) /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); } -#endif /* !HAVE_LIBPAM */ +#endif /* !USE_PAM */ diff --git a/configure.in b/configure.in index 6fb5d63c6..274111e2c 100644 --- a/configure.in +++ b/configure.in @@ -56,6 +56,12 @@ case "$host" in *-*-solaris*) AC_DEFINE(USE_UTMPX) ;; +*-*-irix5*) + AC_DEFINE(CRYPT_H_BREAKS_BUILD) +# CFLAGS="$CFLAGS -shared" + no_libsocket=1 + no_libnsl=1 + ;; esac dnl Check for OpenSSL/SSLeay directories. @@ -81,7 +87,6 @@ if test "$ssldir" != "/usr"; then CFLAGS="$CFLAGS -I$ssldir/include" LDFLAGS="$LDFLAGS -L$ssldir/lib" fi -LIBS="$LIBS -lssl -lcrypto" AC_MSG_RESULT($ssldir) dnl Check for RSAref library. 
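Review bot: In auth-passwd.c (hunk at -19,12) `md5crypt.h` is now skipped whenever `HAVE_MD5_CRYPT` is defined, and the md5crypt.c and md5crypt.h hunks compile out both `md5_crypt()` and `is_md5_salt()` under the same condition, so a platform whose libc supplies `md5_crypt` is left with no declaration of either function from this tree. The body of auth_password() is outside this hunk, but if it still calls `is_md5_salt()` under `HAVE_MD5_PASSWORDS` the link will fail. An undeclared `md5_crypt()` is also assumed to return `int`, which truncates the returned hash pointer on LP64 targets just before the `strcmp` that decides authentication. I would leave `int is_md5_salt(const char *salt);` and its definition guarded by `HAVE_MD5_PASSWORDS` only, keep the `!defined(HAVE_MD5_CRYPT)` test on `md5_crypt` alone, and include whichever system header prototypes the libc version.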
@@ -96,28 +101,20 @@ dnl Checks for libraries. AC_CHECK_LIB(crypto, CRYPTO_lock, ,AC_MSG_ERROR([*** libcrypto missing - please install first ***])) AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first ***])) AC_CHECK_LIB(util, login, AC_DEFINE(HAVE_LIBUTIL_LOGIN) LIBS="$LIBS -lutil") -AC_CHECK_LIB(nsl, yp_match, , ) -AC_CHECK_LIB(socket, main, , ) +AC_CHECK_LIB(crypt, crypt, , ) -dnl Use ip address instead of hostname in $DISPLAY -AC_ARG_WITH(pam, - [ --without-pam Disable PAM support ], - [ - if test "x$withval" != "xno" ; then - no_pam=1 - fi - ] -) -if test -z "$no_pam" ; then - AC_CHECK_LIB(dl, dlopen, , ) - AC_CHECK_LIB(pam, pam_authenticate, , ) +if test -z "$no_libsocket" ; then + AC_CHECK_LIB(nsl, yp_match, , ) +fi +if test -z "$no_libnsl" ; then + AC_CHECK_LIB(socket, main, , ) fi dnl Checks for header files. -AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h poll.h pty.h shadow.h sys/bsdtty.h sys/poll.h sys/select.h sys/stropts.h sys/time.h sys/ttcompat.h util.h utmp.h utmpx.h) +AC_CHECK_HEADERS(bstring.h crypt.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/time.h sys/ttcompat.h util.h utmp.h utmpx.h) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random getpagesize _getpty innetgr mkdtemp openpty setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf) +AC_CHECK_FUNCS(arc4random getpagesize _getpty innetgr md5_crypt mkdtemp openpty setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf) AC_CHECK_FUNC(login, [AC_DEFINE(HAVE_LOGIN)], 
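Review bot: The two new guards around the library probes are crossed: `no_libsocket` wraps `AC_CHECK_LIB(nsl, yp_match, , )` and `no_libnsl` wraps `AC_CHECK_LIB(socket, main, , )`. The irix5 case added earlier in this file sets both variables, so the outcome is the same today, but a later platform entry that sets only one of them will skip the wrong library. Swap the conditions so that the nsl probe is under `if test -z "$no_libnsl" ; then` and the socket probe is under `if test -z "$no_libsocket" ; then`.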
@@ -180,20 +177,34 @@ AC_TRY_COMPILE( [AC_MSG_RESULT(no)] ) -dnl Check PAM strerror arguments -AC_MSG_CHECKING([whether pam_strerror takes only one argument]) -AC_TRY_COMPILE( +AC_ARG_WITH(pam, + [ --without-pam Disable PAM support ], [ - #include - #include - ], - [(void)pam_strerror((pam_handle_t *)NULL, -1);], - [AC_MSG_RESULT(no)], - [ - AC_DEFINE(HAVE_OLD_PAM) - AC_MSG_RESULT(yes) + if test "x$withval" = "xno" ; then + no_pam=1 + AC_DEFINE(DISABLE_PAM) + fi ] -) +) + +if test -z "$no_pam" -a "x$ac_cv_header_security_pam_appl_h" = "xyes" ; then + AC_CHECK_LIB(dl, dlopen, , ) + LIBS="$LIBS -lpam" + dnl Check PAM strerror arguments + AC_MSG_CHECKING([whether pam_strerror takes only one argument]) + AC_TRY_COMPILE( + [ + #include + #include + ], + [(void)pam_strerror((pam_handle_t *)NULL, -1);], + [AC_MSG_RESULT(no)], + [ + AC_DEFINE(HAVE_OLD_PAM) + AC_MSG_RESULT(yes) + ] + ) +fi AC_MSG_CHECKING([whether to build GNOME ssh-askpass]) dnl Check whether user wants GNOME ssh-askpass @@ -303,16 +314,18 @@ AC_ARG_WITH(lastlog, fi done if test -z "$gotlastlog" ; then - AC_MSG_WARN([*** Cannot find lastlog ***]) + AC_MSG_RESULT(not found) nolastlog=1 else if test "x$gotlastlog" = "xdir" ; then + AC_MSG_RESULT(${lastlog}/) AC_DEFINE(LASTLOG_IS_DIR) AC_MSG_WARN([*** Directory-based lastlogs are not yet supported ***]) nolastlog=1 + else + AC_MSG_RESULT($lastlog) + AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog") fi - AC_MSG_RESULT($lastlog) - AC_DEFINE_UNQUOTED(LASTLOG_LOCATION, "$lastlog") fi ] ) diff --git a/defines.h b/defines.h index 9d5d17f2b..bcab3c080 100644 --- a/defines.h +++ b/defines.h @@ -18,9 +18,13 @@ #endif #ifdef HAVE_MAILLOCK_H -#include +# include /* For _PATH_MAILDIR */ #endif +#ifdef HAVE_SYS_CDEFS_H +# include /* For __P() */ +#endif + #ifndef SHUT_RDWR enum { 
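Review bot: Inside the new `if test -z "$no_pam" -a "x$ac_cv_header_security_pam_appl_h" = "xyes"` block, `LIBS="$LIBS -lpam"` replaces the earlier `AC_CHECK_LIB(pam, pam_authenticate, , )`, so nothing verifies that libpam is actually linkable, and the defines.h hunk at -205,3 turns on `USE_PAM` from `HAVE_SECURITY_PAM_APPL_H` alone. Because `USE_PAM` compiles auth-passwd.c out and sends every password check through `do_pam_auth`, the authentication backend is now selected by the mere presence of a header, with no configure output telling the builder which one was chosen. I would keep the probe, for example `AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** libpam missing - please install first ***]))`, and report the selected backend in the configure output.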
@@ -205,3 +209,8 @@ enum # define _PATH_RSH RSH_PATH # endif /* RSH_PATH */ #endif /* _PATH_RSH */ + +#if defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) +# define USE_PAM +#endif /* defined(HAVE_SECURITY_PAM_APPL_H) && !defined(DISABLE_PAM) */ + diff --git a/includes.h b/includes.h index 0538bfbc3..7203d08c9 100644 --- a/includes.h +++ b/includes.h @@ -52,9 +52,15 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } #include #include +#ifdef HAVE_BSTRING_H +# include +#endif #ifdef HAVE_NETGROUP_H # include #endif +#ifdef HAVE_NETDB_H +# include +#endif #ifdef HAVE_PATHS_H # include #endif @@ -70,7 +76,7 @@ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } #ifdef HAVE_SYS_BSDTTY_H # include #endif -#ifdef HAVE_LIBPAM +#ifdef USE_PAM # include #endif diff --git a/md5crypt.c b/md5crypt.c index 15af422a6..16bcf33a1 100644 --- a/md5crypt.c +++ b/md5crypt.c @@ -17,7 +17,7 @@ #include "config.h" -#ifdef HAVE_MD5_PASSWORDS +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) #include #include @@ -163,4 +163,4 @@ md5_crypt(const char *pw, const char *salt) return passwd; } -#endif /* HAVE_MD5_PASSWORDS */ +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ diff --git a/md5crypt.h b/md5crypt.h index f1d185721..2e018d878 100644 --- a/md5crypt.h +++ b/md5crypt.h @@ -20,18 +20,11 @@ #include "config.h" -#include -#include - -#ifdef HAVE_OPENSSL -#include -#endif - -#ifdef HAVE_SSL -#include -#endif +#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) int is_md5_salt(const char *salt); char *md5_crypt(const char *pw, const char *salt); +#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ + #endif /* MD5CRYPT_H */ diff --git a/sshd.c b/sshd.c index f5274a425..bc913a2a5 100644 --- a/sshd.c +++ b/sshd.c 
@@ -11,7 +11,7 @@ */ #include "includes.h" -RCSID("$Id: sshd.c,v 1.45 1999/12/26 23:55:23 damien Exp $"); +RCSID("$Id: sshd.c,v 1.46 1999/12/28 04:09:36 damien Exp $"); #ifdef HAVE_POLL_H # include @@ -143,7 +143,7 @@ void do_child(const char *command, struct passwd * pw, const char *term, const char *display, const char *auth_proto, const char *auth_data, const char *ttyname); -#ifdef HAVE_LIBPAM +#ifdef USE_PAM static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); int do_pam_auth(const char *user, const char *password); @@ -301,7 +301,7 @@ void do_pam_session(char *username, char *ttyname) if (pam_retval != PAM_SUCCESS) fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ /* * Signal handler for SIGHUP. Sshd execs itself when it receives SIGHUP; @@ -952,7 +952,7 @@ main(int ac, char **av) /* The connection has been terminated. */ verbose("Closing connection to %.100s", remote_ip); -#ifdef HAVE_LIBPAM +#ifdef USE_PAM { int retval; @@ -967,7 +967,7 @@ main(int ac, char **av) fatal_remove_cleanup(&pam_cleanup_proc, NULL); } } -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ packet_close(); exit(0); @@ -1285,7 +1285,7 @@ do_authentication(char *user) pwcopy.pw_shell = xstrdup(pw->pw_shell); pw = &pwcopy; -#ifdef HAVE_LIBPAM +#ifdef USE_PAM { int pam_retval; @@ -1313,11 +1313,11 @@ do_authentication(char *user) #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif /* KRB4 */ -#ifdef HAVE_LIBPAM +#ifdef USE_PAM do_pam_auth(pw->pw_name, "")) { -#else /* HAVE_LIBPAM */ +#else /* USE_PAM */ auth_password(pw, "")) { -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ /* Authentication with empty password succeeded. */ log("Login for user %s from %.100s, accepted without authentication.", pw->pw_name, get_remote_ipaddr()); 
@@ -1457,9 +1457,9 @@ do_authloop(struct passwd * pw) authenticated = auth_rhosts(pw, client_user); snprintf(user, sizeof user, " ruser %s", client_user); -#ifndef HAVE_LIBPAM +#ifndef USE_PAM xfree(client_user); -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ break; case SSH_CMSG_AUTH_RHOSTS_RSA: @@ -1492,9 +1492,9 @@ do_authloop(struct passwd * pw) BN_clear_free(client_host_key_n); snprintf(user, sizeof user, " ruser %s", client_user); -#ifndef HAVE_LIBPAM +#ifndef USE_PAM xfree(client_user); -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ break; case SSH_CMSG_AUTH_RSA: @@ -1523,13 +1523,13 @@ do_authloop(struct passwd * pw) password = packet_get_string(&dlen); packet_integrity_check(plen, 4 + dlen, type); -#ifdef HAVE_LIBPAM +#ifdef USE_PAM /* Do PAM auth with password */ authenticated = do_pam_auth(pw->pw_name, password); -#else /* HAVE_LIBPAM */ +#else /* USE_PAM */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ memset(password, 0, strlen(password)); xfree(password); break; @@ -1595,13 +1595,13 @@ do_authloop(struct passwd * pw) get_remote_port(), user); -#ifndef HAVE_LIBPAM +#ifndef USE_PAM if (authenticated) return; if (attempt > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); -#else /* HAVE_LIBPAM */ +#else /* USE_PAM */ if (authenticated) { do_pam_account(pw->pw_name, client_user); @@ -1617,7 +1617,7 @@ do_authloop(struct passwd * pw) packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); } -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); @@ -1823,10 +1823,10 @@ do_authenticated(struct passwd * pw) /* Indicate that we now have a pty. */ have_pty = 1; -#ifdef HAVE_LIBPAM +#ifdef USE_PAM /* do the pam_open_session since we have the pty */ do_pam_session(pw->pw_name,ttyname); -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ break; 
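Review bot: Under `USE_PAM` the `xfree(client_user)` calls in the `SSH_CMSG_AUTH_RHOSTS` case here and in the `SSH_CMSG_AUTH_RHOSTS_RSA` hunk at -1492,9 are compiled out, and no visible line says who releases the string or why it is kept. The hunk at -1595,13 passes `client_user` to `do_pam_account()`, which is presumably the reason, but that call is reached for every authentication method, so the pointer needs a defined value (NULL) when no rhosts attempt was made. A repeated rhosts attempt also appears to overwrite the previous allocation without freeing it. The declaration of `client_user` and the rest of do_authloop() are outside these hunks, so both points need confirming there. I would add a comment at both sites such as `/* kept for do_pam_account(); released after the auth loop */` and free any earlier value before reassigning.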
@@ -2194,7 +2194,7 @@ do_exec_pty(const char *command, int ptyfd, int ttyfd, snprintf(line, sizeof line, "%.200s/.hushlogin", pw->pw_dir); quiet_login = stat(line, &st) >= 0; -#ifdef HAVE_LIBPAM +#ifdef USE_PAM /* output the results of the pamconv() */ if (!quiet_login && pamconv_msg != NULL) fprintf(stderr, pamconv_msg); @@ -2382,7 +2382,7 @@ do_child(const char *command, struct passwd * pw, const char *term, struct stat st; char *argv[10]; -#ifndef HAVE_LIBPAM /* pam_nologin handles this */ +#ifndef USE_PAM /* pam_nologin handles this */ /* Check /etc/nologin. */ f = fopen("/etc/nologin", "r"); if (f) { @@ -2393,7 +2393,7 @@ do_child(const char *command, struct passwd * pw, const char *term, if (pw->pw_uid != 0) exit(254); } -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ #ifdef HAVE_SETLOGIN /* Set login name in the kernel. */ @@ -2498,7 +2498,7 @@ do_child(const char *command, struct passwd * pw, const char *term, } #endif /* KRB4 */ -#ifdef HAVE_LIBPAM +#ifdef USE_PAM /* Pull in any environment variables that may have been set by PAM. */ { char *equals, var_name[512], var_val[512]; @@ -2517,7 +2517,7 @@ do_child(const char *command, struct passwd * pw, const char *term, } } } -#endif /* HAVE_LIBPAM */ +#endif /* USE_PAM */ if (xauthfile) child_set_env(&env, &envsize, "XAUTHORITY", xauthfile);
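Review bot: `fprintf(stderr, pamconv_msg);` in do_exec_pty() (hunk at -2194,7) passes the collected PAM conversation text as the format string, so any `%` sequence in a module's message is interpreted by fprintf instead of being printed. The line is context rather than part of the rename, but it sits inside the block this hunk touches and is compiled on more builds now that `USE_PAM` follows header detection. It should read `fprintf(stderr, "%s", pamconv_msg);` or `fputs(pamconv_msg, stderr);`. The function body continues outside the hunk.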
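Review bot: With `#ifndef USE_PAM /* pam_nologin handles this */` (hunk at -2382,7) the `/etc/nologin` check in do_child() is absent from every PAM build, and this commit makes PAM builds automatic wherever `security/pam_appl.h` is found. Whether non-root logins are refused while `/etc/nologin` exists then depends on the sshd PAM service listing pam_nologin, which nothing in the build or the visible code verifies. I would expand the comment to state the requirement, e.g. `/* With PAM the nologin check is delegated: the sshd PAM stack must include pam_nologin */`, and mention it in INSTALL. The guarded block ends in the following hunk at -2393,7.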