Pull in all the OpenSSH bits that we'd previously left out because we
didn't use them. This will make future merges from the vendor tree much easier. Approved by: re (gjb)
This commit is contained in:
commit
ce3adf4362
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=255774
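--- /dev/null
+++ b/crypto/openssh/Makefile.in
@@ -0,0 +1,459 @@
+# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $
+
+# uncomment if you run a non bourne compatable shell. Ie. csh
+#SHELL = @SH@
+
+AUTORECONF=autoreconf
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+bindir=@bindir@
+sbindir=@sbindir@
+libexecdir=@libexecdir@
+datadir=@datadir@
+datarootdir=@datarootdir@
+mandir=@mandir@
+mansubdir=@mansubdir@
+sysconfdir=@sysconfdir@
+piddir=@piddir@
+srcdir=@srcdir@
+top_srcdir=@top_srcdir@
+
+DESTDIR=
+VPATH=@srcdir@
+SSH_PROGRAM=@bindir@/ssh
+ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+SFTP_SERVER=$(libexecdir)/sftp-server
+SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+PRIVSEP_PATH=@PRIVSEP_PATH@
+SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+STRIP_OPT=@STRIP_OPT@
+
+PATHS= -DSSHDIR=\"$(sysconfdir)\" \
+-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
+-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
+-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
+-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
+-D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
+-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
+-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
+
+CC=@CC@
+LD=@LD@
+CFLAGS=@CFLAGS@
+CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
+LIBS=@LIBS@
+K5LIBS=@K5LIBS@
+GSSLIBS=@GSSLIBS@
+SSHLIBS=@SSHLIBS@
+SSHDLIBS=@SSHDLIBS@
+LIBEDIT=@LIBEDIT@
+AR=@AR@
+AWK=@AWK@
+RANLIB=@RANLIB@
+INSTALL=@INSTALL@
+PERL=@PERL@
+SED=@SED@
+ENT=@ENT@
+XAUTH_PATH=@XAUTH_PATH@
+LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
+EXEEXT=@EXEEXT@
+MANFMT=@MANFMT@
+
+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
+
+LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+canohost.o channels.o cipher.o cipher-aes.o \
+cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
+compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
+log.o match.o md-sha256.o moduli.o nchan.o packet.o \
+readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
+atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
+kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
+msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
+jpake.o schnorr.o ssh-pkcs11.o krl.o
+
+SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
+sshconnect.o sshconnect1.o sshconnect2.o mux.o \
+roaming_common.o roaming_client.o
+
+SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+audit.o audit-bsm.o audit-linux.o platform.o \
+sshpty.o sshlogin.o servconf.o serverloop.o \
+auth.o auth1.o auth2.o auth-options.o session.o \
+auth-chall.o auth2-chall.o groupaccess.o \
+auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
+auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
+monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
+auth-krb5.o \
+auth2-gss.o gss-serv.o gss-serv-krb5.o \
+loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
+sftp-server.o sftp-common.o \
+roaming_common.o roaming_serv.o \
+sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+sandbox-seccomp-filter.o
+
+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
+MANTYPE = @MANTYPE@
+
+CONFIGFILES=sshd_config.out ssh_config.out moduli.out
+CONFIGFILES_IN=sshd_config ssh_config moduli
+
+PATHSUBS = \
+-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
+-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
+-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
+-e 's|/usr/libexec|$(libexecdir)|g' \
+-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
+-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
+-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
+-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
+-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
+-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
+-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
+-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
+-e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \
+-e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \
+-e 's|/var/empty|$(PRIVSEP_PATH)|g' \
+-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
+
+FIXPATHSCMD = $(SED) $(PATHSUBS)
+FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
+@UNSUPPORTED_ALGORITHMS@
+
+all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+
+$(LIBSSH_OBJS): Makefile.in config.h
+$(SSHOBJS): Makefile.in config.h
+$(SSHDOBJS): Makefile.in config.h
+
+.c.o:
+$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+
+LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
+$(LIBCOMPAT): always
+(cd openbsd-compat && $(MAKE))
+always:
+
+libssh.a: $(LIBSSH_OBJS)
+$(AR) rv $@ $(LIBSSH_OBJS)
+$(RANLIB) $@
+
+ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+
+sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
+$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
+
+scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
+$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
+$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
+$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
+$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
+$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
+$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
+$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+
+sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
+$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+
+sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o
+$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT)
+
+# test driver for the loginrec code - not built by default
+logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
+$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)
+
+$(MANPAGES): $(MANPAGES_IN)
+if test "$(MANTYPE)" = "cat"; then \
+manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
+else \
+manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
+fi; \
+if test "$(MANTYPE)" = "man"; then \
+$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
+$(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
+else \
+$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
+fi
+
+$(CONFIGFILES): $(CONFIGFILES_IN)
+conffile=`echo $@ | sed 's/.out$$//'`; \
+$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
+
+# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
+moduli:
+echo
+
+# special case target for umac128
+umac128.o: umac.c
+$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
+-DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
+-Dumac_update=umac128_update -Dumac_final=umac128_final \
+-Dumac_delete=umac128_delete
+
+clean: regressclean
+rm -f *.o *.a $(TARGETS) logintest config.cache config.log
+rm -f *.out core survey
+(cd openbsd-compat && $(MAKE) clean)
+
+distclean: regressclean
+rm -f *.o *.a $(TARGETS) logintest config.cache config.log
+rm -f *.out core opensshd.init openssh.xml
+rm -f Makefile buildpkg.sh config.h config.status
+rm -f survey.sh openbsd-compat/regress/Makefile *~
+rm -rf autom4te.cache
+(cd openbsd-compat && $(MAKE) distclean)
+if test -d pkg ; then \
+rm -fr pkg ; \
+fi
+
+veryclean: distclean
+rm -f configure config.h.in *.0
+
+cleandir: veryclean
+
+mrproper: veryclean
+
+realclean: veryclean
+
+catman-do:
+@for f in $(MANPAGES_IN) ; do \
+base=`echo $$f | sed 's/\..*$$//'` ; \
+echo "$$f -> $$base.0" ; \
+$(MANFMT) $$f | cat -v | sed -e 's/.\^H//g' \
+>$$base.0 ; \
+done
+
+distprep: catman-do
+$(AUTORECONF)
+-rm -rf autom4te.cache
+
+install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
+install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
+install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+
+check-config:
+-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
+
+install-files:
+$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
+$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
+$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
+$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
+$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
+$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
+(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
+$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
+$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
+$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
+$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
+$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
+$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
+$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
+$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
+$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
+$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+-rm -f $(DESTDIR)$(bindir)/slogin
+ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+
+install-sysconf:
+if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
+$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
+fi
+@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
+$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
+else \
+echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
+fi
+@if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
+$(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
+else \
+echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
+fi
+@if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
+if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
+echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
+mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
+else \
+$(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \
+fi ; \
+else \
+echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
+fi
+
+host-key: ssh-keygen$(EXEEXT)
+@if [ -z "$(DESTDIR)" ] ; then \
+if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
+echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
+else \
+./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
+fi ; \
+if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
+echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
+else \
+./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
+fi ; \
+if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
+echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
+else \
+./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
+fi ; \
+if [ -z "@COMMENT_OUT_ECC@" ] ; then \
+if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
+echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
+else \
+./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
+fi ; \
+fi ; \
+fi ;
+
+host-key-force: ssh-keygen$(EXEEXT)
+./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
+./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
+./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
+test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
+
+uninstallall: uninstall
+-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
+-rm -f $(DESTDIR)$(sysconfdir)/sshd_config
+-rmdir $(DESTDIR)$(sysconfdir)
+-rmdir $(DESTDIR)$(bindir)
+-rmdir $(DESTDIR)$(sbindir)
+-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
+-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
+-rmdir $(DESTDIR)$(mandir)
+-rmdir $(DESTDIR)$(libexecdir)
+
+uninstall:
+-rm -f $(DESTDIR)$(bindir)/slogin
+-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
+-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
+-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+
+regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
+[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
+[ -f `pwd`/regress/Makefile ] || \
+ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
+$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+tests interop-tests: $(TARGETS) regress/modpipe$(EXEEXT)
+BUILDDIR=`pwd`; \
+TEST_SHELL="@TEST_SHELL@"; \
+TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
+TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
+TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
+TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
+TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
+TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \
+TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
+TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
+TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
+TEST_SSH_PLINK="plink"; \
+TEST_SSH_PUTTYGEN="puttygen"; \
+TEST_SSH_CONCH="conch"; \
+TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
+TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
+TEST_SSH_SHA256="@TEST_SSH_SHA256@" ; \
+cd $(srcdir)/regress || exit $$?; \
+$(MAKE) \
+.OBJDIR="$${BUILDDIR}/regress" \
+.CURDIR="`pwd`" \
+BUILDDIR="$${BUILDDIR}" \
+OBJ="$${BUILDDIR}/regress/" \
+PATH="$${BUILDDIR}:$${PATH}" \
+TEST_SHELL="$${TEST_SHELL}" \
+TEST_SSH_SSH="$${TEST_SSH_SSH}" \
+TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
+TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
+TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \
+TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \
+TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
+TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
+TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
+TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
+TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
+TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
+TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
+TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
+TEST_SSH_ECC="$${TEST_SSH_ECC}" \
+TEST_SSH_SHA256="$${TEST_SSH_SHA256}" \
+EXEEXT="$(EXEEXT)" \
+$@ && echo all tests passed
+
+compat-tests: $(LIBCOMPAT)
+(cd openbsd-compat/regress && $(MAKE))
+
+regressclean:
+if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \
+(cd regress && $(MAKE) clean) \
+fi
+
+survey: survey.sh ssh
+@$(SHELL) ./survey.sh > survey
+@echo 'The survey results have been placed in the file "survey" in the'
+@echo 'current directory. Please review the file then send with'
+@echo '"make send-survey".'
+
+send-survey: survey
+mail portable-survey@mindrot.org <survey
+
+package: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
+if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
+sh buildpkg.sh; \
+fi
+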
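Review bot: The `uninstall` recipe removes sftp-server with `-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)` while every neighbouring line uses `-rm -f`; the recursive flag looks like a typo, and it means a misconfigured SFTP_SERVER that resolves to a directory would delete that whole tree on uninstall, while a missing file is merely silenced by the leading `-`. Change it to `-rm -f $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)`. Separately, `install-files` installs ssh-keysign with `-m 4711` — the only set-uid mode in the recipe — without saying why; a one-line comment such as `# ssh-keysign is set-uid root (see ssh-keysign(8)): it must read the host private keys for host-based auth` would stop the next editor from "normalising" it to 0755. Note also that `check-config` prefixes the `sshd -t` run with `-`, so `make install` reports success even when the installed sshd_config fails validation; if that is intentional it deserves a comment on that line.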
677
crypto/openssh/buildpkg.sh.in
Normal file
677
crypto/openssh/buildpkg.sh.in
Normal file
@ -0,0 +1,677 @@
#!/bin/sh
#
# Fake Root Solaris/SVR4/SVR5 Build System - Prototype
#
# The following code has been provide under Public Domain License. I really
# don't care what you use it for. Just as long as you don't complain to me
# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
#
umask 022
#
# Options for building the package
# You can create a openssh-config.local with your customized options
#
REMOVE_FAKE_ROOT_WHEN_DONE=yes
#
# uncommenting TEST_DIR and using
# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
# and
# PKGNAME=tOpenSSH should allow testing a package without interfering
# with a real OpenSSH package on a system. This is not needed on systems
# that support the -R option to pkgadd.
#TEST_DIR=/var/tmp # leave commented out for production build
PKGNAME=OpenSSH
# revisions within the same version (REV=a)
#REV=
SYSVINIT_NAME=opensshd
AWK=${AWK:="nawk"}
MAKE=${MAKE:="make"}
SSHDUID=67 # Default privsep uid
SSHDGID=67 # Default privsep gid
# uncomment these next three as needed
#PERMIT_ROOT_LOGIN=no
#X11_FORWARDING=yes
#USR_LOCAL_IS_SYMLINK=yes
# System V init run levels
SYSVINITSTART=S98
SYSVINITSTOPT=K30
# We will source these if they exist
POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh
POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh
# We'll be one level deeper looking for these
PKG_PREINSTALL_LOCAL=../pkg-preinstall.local
PKG_POSTINSTALL_LOCAL=../pkg-postinstall.local
PKG_PREREMOVE_LOCAL=../pkg-preremove.local
PKG_POSTREMOVE_LOCAL=../pkg-postremove.local
PKG_REQUEST_LOCAL=../pkg-request.local
# end of sourced files
#
OPENSSHD=opensshd.init
OPENSSH_MANIFEST=openssh.xml
OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
SMF_METHOD_DIR=/lib/svc/method/site
SMF_MANIFEST_DIR=/var/svc/manifest/site
PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
PATH_USERADD_PROG=@PATH_USERADD_PROG@
PATH_PASSWD_PROG=@PATH_PASSWD_PROG@
#
# list of system directories we do NOT want to change owner/group/perms
# when installing our package
SYSTEM_DIR="/etc \
/etc/init.d \
/etc/rcS.d \
/etc/rc0.d \
/etc/rc1.d \
/etc/rc2.d \
/etc/opt \
/lib \
/lib/svc \
/lib/svc/method \
/lib/svc/method/site \
/opt \
/opt/bin \
/usr \
/usr/bin \
/usr/lib \
/usr/sbin \
/usr/share \
/usr/share/man \
/usr/share/man/man1 \
/usr/share/man/man8 \
/usr/local \
/usr/local/bin \
/usr/local/etc \
/usr/local/libexec \
/usr/local/man \
/usr/local/man/man1 \
/usr/local/man/man8 \
/usr/local/sbin \
/usr/local/share \
/var \
/var/opt \
/var/run \
/var/svc \
/var/svc/manifest \
/var/svc/manifest/site \
/var/tmp \
/tmp"
# We may need to build as root so we make sure PATH is set up
# only set the path if it's not set already
[ -d /opt/bin ] && {
echo $PATH | grep ":/opt/bin" > /dev/null 2>&1
[ $? -ne 0 ] && PATH=$PATH:/opt/bin
}
[ -d /usr/local/bin ] && {
echo $PATH | grep ":/usr/local/bin" > /dev/null 2>&1
[ $? -ne 0 ] && PATH=$PATH:/usr/local/bin
}
[ -d /usr/ccs/bin ] && {
echo $PATH | grep ":/usr/ccs/bin" > /dev/null 2>&1
[ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin
}
export PATH
|
||||||
|
#
|
||||||
|
|
||||||
|
[ -f Makefile ] || {
|
||||||
|
echo "Please run this script from your build directory"
|
||||||
|
exit 1
|
||||||
|
}
|
||||||
|
|
||||||
|
# we will look for openssh-config.local to override the above options
|
||||||
|
[ -s ./openssh-config.local ] && . ./openssh-config.local
|
||||||
|
|
||||||
|
START=`pwd`
|
||||||
|
FAKE_ROOT=$START/pkg
|
||||||
|
|
||||||
|
## Fill in some details, like prefix and sysconfdir
|
||||||
|
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir srcdir
|
||||||
|
do
|
||||||
|
eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
|
||||||
|
done
|
||||||
|
|
||||||
|
## Are we using Solaris' SMF?
|
||||||
|
DO_SMF=0
|
||||||
|
if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1
|
||||||
|
then
|
||||||
|
DO_SMF=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
## Collect value of privsep user
|
||||||
|
for confvar in SSH_PRIVSEP_USER
|
||||||
|
do
|
||||||
|
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
|
||||||
|
done
|
||||||
|
|
||||||
|
## Set privsep defaults if not defined
|
||||||
|
if [ -z "$SSH_PRIVSEP_USER" ]
|
||||||
|
then
|
||||||
|
SSH_PRIVSEP_USER=sshd
|
||||||
|
fi
|
||||||
|
|
||||||
|
## Extract common info requires for the 'info' part of the package.
|
||||||
|
VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
|
||||||
|
|
||||||
|
ARCH=`uname -m`
|
||||||
|
DEF_MSG="\n"
|
||||||
|
OS_VER=`uname -v`
|
||||||
|
SCRIPT_SHELL=/sbin/sh
|
||||||
|
UNAME_R=`uname -r`
|
||||||
|
UNAME_S=`uname -s`
|
||||||
|
case ${UNAME_S} in
|
||||||
|
SunOS) UNAME_S=Solaris
|
||||||
|
OS_VER=${UNAME_R}
|
||||||
|
ARCH=`uname -p`
|
||||||
|
RCS_D=yes
|
||||||
|
DEF_MSG="(default: n)"
|
||||||
|
;;
|
||||||
|
SCO_SV) case ${UNAME_R} in
|
||||||
|
3.2) UNAME_S=OpenServer5
|
||||||
|
OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'`
|
||||||
|
;;
|
||||||
|
5) UNAME_S=OpenServer6
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
SCRIPT_SHELL=/bin/sh
|
||||||
|
RC1_D=no
|
||||||
|
DEF_MSG="(default: n)"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
case `basename $0` in
|
||||||
|
buildpkg.sh)
|
||||||
|
## Start by faking root install
|
||||||
|
echo "Faking root install..."
|
||||||
|
[ -d $FAKE_ROOT ] && rm -fr $FAKE_ROOT
|
||||||
|
mkdir $FAKE_ROOT
|
||||||
|
${MAKE} install-nokeys DESTDIR=$FAKE_ROOT
|
||||||
|
if [ $? -gt 0 ]
|
||||||
|
then
|
||||||
|
echo "Fake root install failed, stopping."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
## Setup our run level stuff while we are at it.
|
||||||
|
if [ $DO_SMF -eq 1 ]
|
||||||
|
then
|
||||||
|
# For Solaris' SMF, /lib/svc/method/site is the preferred place
|
||||||
|
# for start/stop scripts that aren't supplied with the OS, and
|
||||||
|
# similarly /var/svc/manifest/site for manifests.
|
||||||
|
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}
|
||||||
|
mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}
|
||||||
|
|
||||||
|
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
|
||||||
|
chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
|
||||||
|
|
||||||
|
cat ${OPENSSH_MANIFEST} | \
|
||||||
|
sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
|
||||||
|
-e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \
|
||||||
|
> $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
|
||||||
|
chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
|
||||||
|
else
|
||||||
|
mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
|
||||||
|
|
||||||
|
cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
|
||||||
|
chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ "${PERMIT_ROOT_LOGIN}" = no ] && \
|
||||||
|
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
|
||||||
|
$FAKE_ROOT${sysconfdir}/sshd_config
|
||||||
|
[ "${X11_FORWARDING}" = yes ] && \
|
||||||
|
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
|
||||||
|
$FAKE_ROOT${sysconfdir}/sshd_config
|
||||||
|
# fix PrintMotd
|
||||||
|
perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
|
||||||
|
$FAKE_ROOT${sysconfdir}/sshd_config
|
||||||
|
|
||||||
|
# We don't want to overwrite config files on multiple installs
|
||||||
|
mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default
|
||||||
|
mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default
|
||||||
|
|
||||||
|
# local tweeks here
|
||||||
|
[ -s "${POST_MAKE_INSTALL_FIXES}" ] && . ${POST_MAKE_INSTALL_FIXES}
|
||||||
|
|
||||||
|
cd $FAKE_ROOT
|
||||||
|
|
||||||
|
## Ok, this is outright wrong, but it will work. I'm tired of pkgmk
|
||||||
|
## whining.
|
||||||
|
for i in *; do
|
||||||
|
PROTO_ARGS="$PROTO_ARGS $i=/$i";
|
||||||
|
done
|
||||||
|
|
||||||
|
## Build info file
|
||||||
|
echo "Building pkginfo file..."
|
||||||
|
cat > pkginfo << _EOF
|
||||||
|
PKG=$PKGNAME
|
||||||
|
NAME="OpenSSH Portable for ${UNAME_S}"
|
||||||
|
DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh."
|
||||||
|
VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html"
|
||||||
|
ARCH=$ARCH
|
||||||
|
VERSION=$VERSION$REV
|
||||||
|
CATEGORY="Security,application"
|
||||||
|
BASEDIR=/
|
||||||
|
CLASSES="none"
|
||||||
|
PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
## Build empty depend file that may get updated by $POST_PROTOTYPE_EDITS
|
||||||
|
echo "Building depend file..."
|
||||||
|
touch depend
|
||||||
|
|
||||||
|
## Build space file
|
||||||
|
echo "Building space file..."
|
||||||
|
if [ $DO_SMF -eq 1 ]
|
||||||
|
then
|
||||||
|
# XXX Is this necessary? If not, remove space line from mk-proto.awk.
|
||||||
|
touch space
|
||||||
|
else
|
||||||
|
cat > space << _EOF
|
||||||
|
# extra space required by start/stop links added by installf
|
||||||
|
# in postinstall
|
||||||
|
$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1
|
||||||
|
$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1
|
||||||
|
_EOF
|
||||||
|
[ "$RC1_D" = no ] || \
|
||||||
|
echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
|
||||||
|
[ "$RCS_D" = yes ] && \
|
||||||
|
echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
|
||||||
|
fi
|
||||||
|
|
||||||
|
## Build preinstall file
|
||||||
|
echo "Building preinstall file..."
|
||||||
|
cat > preinstall << _EOF
|
||||||
|
#! ${SCRIPT_SHELL}
|
||||||
|
#
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
# local preinstall changes here
|
||||||
|
[ -s "${PKG_PREINSTALL_LOCAL}" ] && . ${PKG_PREINSTALL_LOCAL}
|
||||||
|
|
||||||
|
cat >> preinstall << _EOF
|
||||||
|
#
|
||||||
|
if [ "\${PRE_INS_STOP}" = "yes" ]
|
||||||
|
then
|
||||||
|
if [ $DO_SMF -eq 1 ]
|
||||||
|
then
|
||||||
|
svcadm disable $OPENSSH_FMRI
|
||||||
|
else
|
||||||
|
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
exit 0
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
## Build postinstall file
|
||||||
|
echo "Building postinstall file..."
|
||||||
|
cat > postinstall << _EOF
|
||||||
|
#! ${SCRIPT_SHELL}
|
||||||
|
#
|
||||||
|
[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ] || \\
|
||||||
|
cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
|
||||||
|
\${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
|
||||||
|
[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ] || \\
|
||||||
|
cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
|
||||||
|
\${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
|
||||||
|
|
||||||
|
# make rc?.d dirs only if we are doing a test install
|
||||||
|
[ -n "${TEST_DIR}" ] && [ $DO_SMF -ne 1 ] && {
|
||||||
|
[ "$RCS_D" = yes ] && mkdir -p ${TEST_DIR}/etc/rcS.d
|
||||||
|
mkdir -p ${TEST_DIR}/etc/rc0.d
|
||||||
|
[ "$RC1_D" = no ] || mkdir -p ${TEST_DIR}/etc/rc1.d
|
||||||
|
mkdir -p ${TEST_DIR}/etc/rc2.d
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ $DO_SMF -eq 1 ]
|
||||||
|
then
|
||||||
|
# Delete the existing service, if it exists, then import the
|
||||||
|
# new one.
|
||||||
|
if svcs $OPENSSH_FMRI > /dev/null 2>&1
|
||||||
|
then
|
||||||
|
svccfg delete -f $OPENSSH_FMRI
|
||||||
|
fi
|
||||||
|
# NOTE, The manifest disables sshd by default.
|
||||||
|
svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
|
||||||
|
else
|
||||||
|
if [ "\${USE_SYM_LINKS}" = yes ]
|
||||||
|
then
|
||||||
|
[ "$RCS_D" = yes ] && \\
|
||||||
|
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||||
|
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||||
|
[ "$RC1_D" = no ] || \\
|
||||||
|
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||||
|
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
|
||||||
|
else
|
||||||
|
[ "$RCS_D" = yes ] && \\
|
||||||
|
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||||
|
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||||
|
[ "$RC1_D" = no ] || \\
|
||||||
|
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||||
|
installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
|
||||||
|
[ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 0755 root sys
|
||||||
|
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
# local postinstall changes here
|
||||||
|
[ -s "${PKG_POSTINSTALL_LOCAL}" ] && . ${PKG_POSTINSTALL_LOCAL}
|
||||||
|
|
||||||
|
cat >> postinstall << _EOF
|
||||||
|
installf -f ${PKGNAME}
|
||||||
|
|
||||||
|
# Use chroot to handle PKG_INSTALL_ROOT
|
||||||
|
if [ ! -z "\${PKG_INSTALL_ROOT}" ]
|
||||||
|
then
|
||||||
|
chroot="chroot \${PKG_INSTALL_ROOT}"
|
||||||
|
fi
|
||||||
|
# If this is a test build, we will skip the groupadd/useradd/passwd commands
|
||||||
|
if [ ! -z "${TEST_DIR}" ]
|
||||||
|
then
|
||||||
|
chroot=echo
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "PrivilegeSeparation user always required."
|
||||||
|
if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
|
||||||
|
then
|
||||||
|
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
|
||||||
|
SSH_PRIVSEP_GROUP=\`grep "^$SSH_PRIVSEP_USER:" \${PKG_INSTALL_ROOT}/etc/passwd | awk -F: '{print \$4}'\`
|
||||||
|
SSH_PRIVSEP_GROUP=\`grep ":\$SSH_PRIVSEP_GROUP:" \${PKG_INSTALL_ROOT}/etc/group | awk -F: '{print \$1}'\`
|
||||||
|
else
|
||||||
|
DO_PASSWD=yes
|
||||||
|
fi
|
||||||
|
[ -z "\$SSH_PRIVSEP_GROUP" ] && SSH_PRIVSEP_GROUP=$SSH_PRIVSEP_USER
|
||||||
|
|
||||||
|
# group required?
|
||||||
|
if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'\$SSH_PRIVSEP_GROUP'\$' >/dev/null
|
||||||
|
then
|
||||||
|
echo "PrivSep group \$SSH_PRIVSEP_GROUP already exists."
|
||||||
|
else
|
||||||
|
DO_GROUP=yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
# create group if required
|
||||||
|
[ "\$DO_GROUP" = yes ] && {
|
||||||
|
# Use gid of 67 if possible
|
||||||
|
if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
|
||||||
|
then
|
||||||
|
:
|
||||||
|
else
|
||||||
|
sshdgid="-g $SSHDGID"
|
||||||
|
fi
|
||||||
|
echo "Creating PrivSep group \$SSH_PRIVSEP_GROUP."
|
||||||
|
\$chroot ${PATH_GROUPADD_PROG} \$sshdgid \$SSH_PRIVSEP_GROUP
|
||||||
|
}
|
||||||
|
|
||||||
|
# Create user if required
|
||||||
|
[ "\$DO_PASSWD" = yes ] && {
|
||||||
|
# Use uid of 67 if possible
|
||||||
|
if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
|
||||||
|
then
|
||||||
|
:
|
||||||
|
else
|
||||||
|
sshduid="-u $SSHDUID"
|
||||||
|
fi
|
||||||
|
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
|
||||||
|
\$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
|
||||||
|
\$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER
|
||||||
|
}
|
||||||
|
|
||||||
|
if [ "\${POST_INS_START}" = "yes" ]
|
||||||
|
then
|
||||||
|
if [ $DO_SMF -eq 1 ]
|
||||||
|
then
|
||||||
|
svcadm enable $OPENSSH_FMRI
|
||||||
|
else
|
||||||
|
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
exit 0
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
## Build preremove file
|
||||||
|
echo "Building preremove file..."
|
||||||
|
cat > preremove << _EOF
|
||||||
|
#! ${SCRIPT_SHELL}
|
||||||
|
#
|
||||||
|
if [ $DO_SMF -eq 1 ]
|
||||||
|
then
|
||||||
|
svcadm disable $OPENSSH_FMRI
|
||||||
|
else
|
||||||
|
${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
|
||||||
|
fi
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
# local preremove changes here
|
||||||
|
[ -s "${PKG_PREREMOVE_LOCAL}" ] && . ${PKG_PREREMOVE_LOCAL}
|
||||||
|
|
||||||
|
cat >> preremove << _EOF
|
||||||
|
exit 0
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
## Build postremove file
|
||||||
|
echo "Building postremove file..."
|
||||||
|
cat > postremove << _EOF
|
||||||
|
#! ${SCRIPT_SHELL}
|
||||||
|
#
|
||||||
|
if [ $DO_SMF -eq 1 ]
|
||||||
|
then
|
||||||
|
if svcs $OPENSSH_FMRI > /dev/null 2>&1
|
||||||
|
then
|
||||||
|
svccfg delete -f $OPENSSH_FMRI
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
# local postremove changes here
|
||||||
|
[ -s "${PKG_POSTREMOVE_LOCAL}" ] && . ${PKG_POSTREMOVE_LOCAL}
|
||||||
|
|
||||||
|
cat >> postremove << _EOF
|
||||||
|
exit 0
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
## Build request file
|
||||||
|
echo "Building request file..."
|
||||||
|
cat > request << _EOF
|
||||||
|
trap 'exit 3' 15
|
||||||
|
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
[ -x /usr/bin/ckyorn ] || cat >> request << _EOF
|
||||||
|
|
||||||
|
ckyorn() {
|
||||||
|
# for some strange reason OpenServer5 has no ckyorn
|
||||||
|
# We build a striped down version here
|
||||||
|
|
||||||
|
DEFAULT=n
|
||||||
|
PROMPT="Yes or No [yes,no,?,quit]"
|
||||||
|
HELP_PROMPT=" Enter y or yes if your answer is yes; n or no if your answer is no."
|
||||||
|
USAGE="usage: ckyorn [options]
|
||||||
|
where options may include:
|
||||||
|
-d default
|
||||||
|
-h help
|
||||||
|
-p prompt
|
||||||
|
"
|
||||||
|
|
||||||
|
if [ \$# != 0 ]
|
||||||
|
then
|
||||||
|
while getopts d:p:h: c
|
||||||
|
do
|
||||||
|
case \$c in
|
||||||
|
h) HELP_PROMPT="\$OPTARG" ;;
|
||||||
|
d) DEFAULT=\$OPTARG ;;
|
||||||
|
p) PROMPT=\$OPTARG ;;
|
||||||
|
\\?) echo "\$USAGE" 1>&2
|
||||||
|
exit 1 ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
shift \`expr \$OPTIND - 1\`
|
||||||
|
fi
|
||||||
|
|
||||||
|
while true
|
||||||
|
do
|
||||||
|
echo "\${PROMPT}\\c " 1>&2
|
||||||
|
read key
|
||||||
|
[ -z "\$key" ] && key=\$DEFAULT
|
||||||
|
case \$key in
|
||||||
|
[n,N]|[n,N][o,O]|[y,Y]|[y,Y][e,E][s,S]) echo "\${key}\\c"
|
||||||
|
exit 0 ;;
|
||||||
|
\\?) echo \$HELP_PROMPT 1>&2 ;;
|
||||||
|
q|quit) echo "q\\c" 1>&2
|
||||||
|
exit 3 ;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
if [ $DO_SMF -eq 1 ]
|
||||||
|
then
|
||||||
|
# This could get hairy, as the running sshd may not be under SMF.
|
||||||
|
# We'll assume an earlier version of OpenSSH started via SMF.
|
||||||
|
cat >> request << _EOF
|
||||||
|
PRE_INS_STOP=no
|
||||||
|
POST_INS_START=no
|
||||||
|
# determine if should restart the daemon
|
||||||
|
if [ -s ${piddir}/sshd.pid ] && \\
|
||||||
|
/usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
|
||||||
|
then
|
||||||
|
ans=\`ckyorn -d n \\
|
||||||
|
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
|
||||||
|
case \$ans in
|
||||||
|
[y,Y]*) PRE_INS_STOP=yes
|
||||||
|
POST_INS_START=yes
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
else
|
||||||
|
|
||||||
|
# determine if we should start sshd
|
||||||
|
ans=\`ckyorn -d n \\
|
||||||
|
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
|
||||||
|
case \$ans in
|
||||||
|
[y,Y]*) POST_INS_START=yes ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
# make parameters available to installation service,
|
||||||
|
# and so to any other packaging scripts
|
||||||
|
cat >\$1 <<!
|
||||||
|
PRE_INS_STOP='\$PRE_INS_STOP'
|
||||||
|
POST_INS_START='\$POST_INS_START'
|
||||||
|
!
|
||||||
|
|
||||||
|
_EOF
|
||||||
|
else
|
||||||
|
cat >> request << _EOF
|
||||||
|
USE_SYM_LINKS=no
|
||||||
|
PRE_INS_STOP=no
|
||||||
|
POST_INS_START=no
|
||||||
|
# Use symbolic links?
|
||||||
|
ans=\`ckyorn -d n \\
|
||||||
|
-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
|
||||||
|
case \$ans in
|
||||||
|
[y,Y]*) USE_SYM_LINKS=yes ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
# determine if should restart the daemon
|
||||||
|
if [ -s ${piddir}/sshd.pid -a -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
|
||||||
|
then
|
||||||
|
ans=\`ckyorn -d n \\
|
||||||
|
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
|
||||||
|
case \$ans in
|
||||||
|
[y,Y]*) PRE_INS_STOP=yes
|
||||||
|
POST_INS_START=yes
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
else
|
||||||
|
|
||||||
|
# determine if we should start sshd
|
||||||
|
ans=\`ckyorn -d n \\
|
||||||
|
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
|
||||||
|
case \$ans in
|
||||||
|
[y,Y]*) POST_INS_START=yes ;;
|
||||||
|
esac
|
||||||
|
fi
|
||||||
|
|
||||||
|
# make parameters available to installation service,
|
||||||
|
# and so to any other packaging scripts
|
||||||
|
cat >\$1 <<!
|
||||||
|
USE_SYM_LINKS='\$USE_SYM_LINKS'
|
||||||
|
PRE_INS_STOP='\$PRE_INS_STOP'
|
||||||
|
POST_INS_START='\$POST_INS_START'
|
||||||
|
!
|
||||||
|
|
||||||
|
_EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
# local request changes here
|
||||||
|
[ -s "${PKG_REQUEST_LOCAL}" ] && . ${PKG_REQUEST_LOCAL}
|
||||||
|
|
||||||
|
cat >> request << _EOF
|
||||||
|
exit 0
|
||||||
|
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
## Next Build our prototype
|
||||||
|
echo "Building prototype file..."
|
||||||
|
cat >mk-proto.awk << _EOF
|
||||||
|
BEGIN { print "i pkginfo"; print "i depend"; \\
|
||||||
|
print "i preinstall"; print "i postinstall"; \\
|
||||||
|
print "i preremove"; print "i postremove"; \\
|
||||||
|
print "i request"; print "i space"; \\
|
||||||
|
split("$SYSTEM_DIR",sys_files); }
|
||||||
|
{
|
||||||
|
for (dir in sys_files) { if ( \$3 != sys_files[dir] )
|
||||||
|
{ if ( \$1 == "s" )
|
||||||
|
{ \$5=""; \$6=""; }
|
||||||
|
else
|
||||||
|
{ \$5="root"; \$6="sys"; }
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{ \$4="?"; \$5="?"; \$6="?"; break;}
|
||||||
|
} }
|
||||||
|
{ print; }
|
||||||
|
_EOF
|
||||||
|
|
||||||
|
find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
|
||||||
|
pkgproto $PROTO_ARGS | ${AWK} -f mk-proto.awk > prototype
|
||||||
|
|
||||||
|
# /usr/local is a symlink on some systems
|
||||||
|
[ "${USR_LOCAL_IS_SYMLINK}" = yes ] && {
|
||||||
|
grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
|
||||||
|
mv prototype.new prototype
|
||||||
|
}
|
||||||
|
|
||||||
|
## Step back a directory and now build the package.
|
||||||
|
cd ..
|
||||||
|
# local prototype tweeks here
|
||||||
|
[ -s "${POST_PROTOTYPE_EDITS}" ] && . ${POST_PROTOTYPE_EDITS}
|
||||||
|
|
||||||
|
echo "Building package.."
|
||||||
|
pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
|
||||||
|
echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
|
||||||
|
;;
|
||||||
|
|
||||||
|
justpkg.sh)
|
||||||
|
rm -fr ${FAKE_ROOT}/${PKGNAME}
|
||||||
|
grep -v "^PSTAMP=" $FAKE_ROOT/pkginfo > $$tmp
|
||||||
|
mv $$tmp $FAKE_ROOT/pkginfo
|
||||||
|
cat >> $FAKE_ROOT/pkginfo << _EOF
|
||||||
|
PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
|
||||||
|
_EOF
|
||||||
|
pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
|
||||||
|
echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
|
||||||
|
[ "${REMOVE_FAKE_ROOT_WHEN_DONE}" = yes ] && rm -rf $FAKE_ROOT
|
||||||
|
exit 0
|
||||||
|
|
1793
crypto/openssh/config.sub
vendored
Executable file
1793
crypto/openssh/config.sub
vendored
Executable file
File diff suppressed because it is too large
18897
crypto/openssh/configure
vendored
Executable file
18897
crypto/openssh/configure
vendored
Executable file
File diff suppressed because it is too large
4669
crypto/openssh/configure.ac
Normal file
4669
crypto/openssh/configure.ac
Normal file
File diff suppressed because it is too large
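--- a/crypto/openssh/contrib/Makefile
+++ b/crypto/openssh/contrib/Makefile
@@ -0,0 +1,17 @@
+PKG_CONFIG = pkg-config
+
+all:
+	@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
+
+gnome-ssh-askpass1: gnome-ssh-askpass1.c
+	$(CC) `gnome-config --cflags gnome gnomeui` \
+		gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+		`gnome-config --libs gnome gnomeui`
+
+gnome-ssh-askpass2: gnome-ssh-askpass2.c
+	$(CC) `$(PKG_CONFIG) --cflags gtk+-2.0` \
+		gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+		`$(PKG_CONFIG) --libs gtk+-2.0 x11`
+
+clean:
+	rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass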
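Review bot: Both compile recipes hand `$(CC)` nothing but the output of `gnome-config` / `$(PKG_CONFIG)`, so CFLAGS, CPPFLAGS and LDFLAGS supplied by the caller or the port build are silently dropped — including any hardening flags one would want on a helper that receives passphrases; I would prefix each invocation with `$(CPPFLAGS) $(CFLAGS)` and append `$(LDFLAGS)` after the closing libs backquote. `all` and `clean` are not declared phony, so a stray file named `clean` turns `make clean` into a no-op; `.PHONY: all clean` fixes that. `clean` also removes `gnome-ssh-askpass`, which no rule in this file produces — presumably a packaging script installs one of the two binaries under that name, and a one-line comment saying so would spare the next reader the search.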
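--- a/crypto/openssh/contrib/README
+++ b/crypto/openssh/contrib/README
@@ -0,0 +1,70 @@
+Other patches and addons for OpenSSH. Please send submissions to
+djm@mindrot.org
+
+Externally maintained
+---------------------
+
+SSH Proxy Command -- connect.c
+
+Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
+which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
+https CONNECT style proxy server. His page for connect.c has extensive
+documentation on its use as well as compiled versions for Win32.
+
+http://www.taiyo.co.jp/~gotoh/ssh/connect.html
+
+
+X11 SSH Askpass:
+
+Jim Knoble <jmknoble@pobox.com> has written an excellent X11
+passphrase requester. This is highly recommended:
+
+http://www.jmknoble.net/software/x11-ssh-askpass/
+
+
+In this directory
+-----------------
+
+ssh-copy-id:
+
+Phil Hands' <phil@hands.com> shell script to automate the process of adding
+your public key to a remote machine's ~/.ssh/authorized_keys file.
+
+gnome-ssh-askpass[12]:
+
+A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
+"make gnome-ssh-askpass2" to build.
+
+sshd.pam.generic:
+
+A generic PAM config file which may be useful on your system. YMMV
+
+sshd.pam.freebsd:
+
+A PAM config file which works with FreeBSD's PAM port. Contributed by
+Dominik Brettnacher <domi@saargate.de>
+
+findssl.sh:
+
+Search for all instances of OpenSSL headers and libraries and print their
+versions. This is intended to help diagnose OpenSSH's "OpenSSL headers do not
+match your library" errors.
+
+aix:
+Files to build an AIX native (installp or SMIT installable) package.
+
+caldera:
+RPM spec file and scripts for building Caldera OpenLinuix packages
+
+cygwin:
+Support files for Cygwin
+
+hpux:
+Support files for HP-UX
+
+redhat:
+RPM spec file and scripts for building Redhat packages
+
+suse:
+RPM spec file and scripts for building SuSE packages
+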
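--- a/crypto/openssh/contrib/aix/README
+++ b/crypto/openssh/contrib/aix/README
@@ -0,0 +1,50 @@
+Overview:
+
+This directory contains files to build an AIX native (installp or SMIT
+installable) openssh package.
+
+
+Directions:
+
+(optional) create config.local in your build dir
+./configure [options]
+contrib/aix/buildbff.sh
+
+The file config.local or the environment is read to set the following options
+(default first):
+PERMIT_ROOT_LOGIN=[no|yes]
+X11_FORWARDING=[no|yes]
+AIX_SRC=[no|yes]
+
+Acknowledgements:
+
+The contents of this directory are based on Ben Lindstrom's Solaris
+buildpkg.sh. Ben also supplied inventory.sh.
+
+Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
+and for comparison with the output from this script, however no code
+from lppbuild is included and it is not required for operation.
+
+SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
+PrivSep account handling fixes contributed by W. Earl Allen.
+
+
+Other notes:
+
+The script treats all packages as USR packages (not ROOT+USR when
+appropriate). It seems to work, though......
+
+If there are any patches to this that have not yet been integrated they
+may be found at http://www.zip.com.au/~dtucker/openssh/.
+
+
+Disclaimer:
+
+It is hoped that it is useful but there is no warranty. If it breaks
+you get to keep both pieces.
+
+
+- Darren Tucker (dtucker at zip dot com dot au)
+2002/03/01
+
+$Id: README,v 1.4 2003/08/25 05:01:04 dtucker Exp $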
381
crypto/openssh/contrib/aix/buildbff.sh
Executable file
381
crypto/openssh/contrib/aix/buildbff.sh
Executable file
|
@ -0,0 +1,381 @@
|
||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
|
||||||
|
# $Id: buildbff.sh,v 1.13 2011/05/05 03:48:41 djm Exp $
|
||||||
|
#
|
||||||
|
# Author: Darren Tucker (dtucker at zip dot com dot au)
|
||||||
|
# This file is placed in the public domain and comes with absolutely
|
||||||
|
# no warranty.
|
||||||
|
#
|
||||||
|
# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Tunable configuration settings
|
||||||
|
# create a "config.local" in your build directory or set
|
||||||
|
# environment variables to override these.
|
||||||
|
#
|
||||||
|
[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
|
||||||
|
[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
|
||||||
|
[ -z "$AIX_SRC" ] && AIX_SRC=no
|
||||||
|
|
||||||
|
umask 022
|
||||||
|
|
||||||
|
startdir=`pwd`
|
||||||
|
|
||||||
|
perl -v >/dev/null || (echo perl required; exit 1)
|
||||||
|
|
||||||
|
# Path to inventory.sh: same place as buildbff.sh
|
||||||
|
if echo $0 | egrep '^/'
|
||||||
|
then
|
||||||
|
inventory=`dirname $0`/inventory.sh # absolute path
|
||||||
|
else
|
||||||
|
inventory=`pwd`/`dirname $0`/inventory.sh # relative path
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# We still support running from contrib/aix, but this is deprecated
|
||||||
|
#
|
||||||
|
if pwd | egrep 'contrib/aix$'
|
||||||
|
then
|
||||||
|
echo "Changing directory to `pwd`/../.."
|
||||||
|
echo "Please run buildbff.sh from your build directory in future."
|
||||||
|
cd ../..
|
||||||
|
contribaix=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f Makefile ]
|
||||||
|
then
|
||||||
|
echo "Makefile not found (did you run configure?)"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# Directories used during build:
|
||||||
|
# current dir = $objdir directory you ran ./configure in.
|
||||||
|
# $objdir/$PKGDIR/ directory package files are constructed in
|
||||||
|
# $objdir/$PKGDIR/root/ package root ($FAKE_ROOT)
|
||||||
|
#
|
||||||
|
objdir=`pwd`
|
||||||
|
PKGNAME=openssh
|
||||||
|
PKGDIR=package
|
||||||
|
|
||||||
|
#
|
||||||
|
# Collect local configuration settings to override defaults
|
||||||
|
#
|
||||||
|
if [ -s ./config.local ]
|
||||||
|
then
|
||||||
|
echo Reading local settings from config.local
|
||||||
|
. ./config.local
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# Fill in some details from Makefile, like prefix and sysconfdir
|
||||||
|
# the eval also expands variables like sysconfdir=${prefix}/etc
|
||||||
|
# provided they are eval'ed in the correct order
|
||||||
|
#
|
||||||
|
for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
|
||||||
|
do
|
||||||
|
eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
|
||||||
|
done
|
||||||
|
|
||||||
|
#
|
||||||
|
# Collect values of privsep user and privsep path
|
||||||
|
# currently only found in config.h
|
||||||
|
#
|
||||||
|
for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
|
||||||
|
do
|
||||||
|
eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
|
||||||
|
done
|
||||||
|
|
||||||
|
# Set privsep defaults if not defined
|
||||||
|
if [ -z "$SSH_PRIVSEP_USER" ]
|
||||||
|
then
|
||||||
|
SSH_PRIVSEP_USER=sshd
|
||||||
|
fi
|
||||||
|
if [ -z "$PRIVSEP_PATH" ]
|
||||||
|
then
|
||||||
|
PRIVSEP_PATH=/var/empty
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Clean package build directory
|
||||||
|
rm -rf $objdir/$PKGDIR
|
||||||
|
FAKE_ROOT=$objdir/$PKGDIR/root
|
||||||
|
mkdir -p $FAKE_ROOT
|
||||||
|
|
||||||
|
# Start by faking root install
|
||||||
|
echo "Faking root install..."
|
||||||
|
cd $objdir
|
||||||
|
make install-nokeys DESTDIR=$FAKE_ROOT
|
||||||
|
|
||||||
|
if [ $? -gt 0 ]
|
||||||
|
then
|
||||||
|
echo "Fake root install failed, stopping."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# Copy informational files to include in package
|
||||||
|
#
|
||||||
|
cp $srcdir/LICENCE $objdir/$PKGDIR/
|
||||||
|
cp $srcdir/README* $objdir/$PKGDIR/
|
||||||
|
|
||||||
|
#
|
||||||
|
# Extract common info requires for the 'info' part of the package.
|
||||||
|
# AIX requires 4-part version numbers
|
||||||
|
#
|
||||||
|
VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
|
||||||
|
MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
|
||||||
|
MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
|
||||||
|
PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
|
||||||
|
PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
|
||||||
|
[ "$PATCH" = "" ] && PATCH=0
|
||||||
|
[ "$PORTABLE" = "" ] && PORTABLE=0
|
||||||
|
BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
|
||||||
|
|
||||||
|
echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
|
||||||
|
|
||||||
|
#
|
||||||
|
# Set ssh and sshd parameters as per config.local
|
||||||
|
#
|
||||||
|
if [ "${PERMIT_ROOT_LOGIN}" = no ]
|
||||||
|
then
|
||||||
|
perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
|
||||||
|
$FAKE_ROOT/${sysconfdir}/sshd_config
|
||||||
|
fi
|
||||||
|
if [ "${X11_FORWARDING}" = yes ]
|
||||||
|
then
|
||||||
|
perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
|
||||||
|
$FAKE_ROOT/${sysconfdir}/sshd_config
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
# Rename config files; postinstall script will copy them if necessary
|
||||||
|
for cfgfile in ssh_config sshd_config
|
||||||
|
do
|
||||||
|
mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
|
||||||
|
done
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generate lpp control files.
|
||||||
|
# working dir is $FAKE_ROOT but files are generated in dir above
|
||||||
|
# and moved into place just before creation of .bff
|
||||||
|
#
|
||||||
|
cd $FAKE_ROOT
|
||||||
|
echo Generating LPP control files
|
||||||
|
find . ! -name . -print >../openssh.al
|
||||||
|
$inventory >../openssh.inventory
|
||||||
|
|
||||||
|
cat <<EOD >../openssh.copyright
|
||||||
|
This software is distributed under a BSD-style license.
|
||||||
|
For the full text of the license, see /usr/lpp/openssh/LICENCE
|
||||||
|
EOD
|
||||||
|
|
||||||
|
#
|
||||||
|
# openssh.size file allows filesystem expansion as required
|
||||||
|
# generate list of directories containing files
|
||||||
|
# then calculate disk usage for each directory and store in openssh.size
|
||||||
|
#
|
||||||
|
files=`find . -type f -print`
|
||||||
|
dirs=`for file in $files; do dirname $file; done | sort -u`
|
||||||
|
for dir in $dirs
|
||||||
|
do
|
||||||
|
du $dir
|
||||||
|
done > ../openssh.size
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create postinstall script
|
||||||
|
#
|
||||||
|
cat <<EOF >>../openssh.post_i
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
echo Creating configs from defaults if necessary.
|
||||||
|
for cfgfile in ssh_config sshd_config
|
||||||
|
do
|
||||||
|
if [ ! -f $sysconfdir/\$cfgfile ]
|
||||||
|
then
|
||||||
|
echo "Creating \$cfgfile from default"
|
||||||
|
cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
|
||||||
|
else
|
||||||
|
echo "\$cfgfile already exists."
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
echo
|
||||||
|
|
||||||
|
# Create PrivilegeSeparation user and group if not present
|
||||||
|
echo Checking for PrivilegeSeparation user and group.
|
||||||
|
if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
|
||||||
|
then
|
||||||
|
echo "PrivSep group $SSH_PRIVSEP_USER already exists."
|
||||||
|
else
|
||||||
|
echo "Creating PrivSep group $SSH_PRIVSEP_USER."
|
||||||
|
mkgroup -A $SSH_PRIVSEP_USER
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create user if required
|
||||||
|
if lsuser "$SSH_PRIVSEP_USER" >/dev/null
|
||||||
|
then
|
||||||
|
echo "PrivSep user $SSH_PRIVSEP_USER already exists."
|
||||||
|
else
|
||||||
|
echo "Creating PrivSep user $SSH_PRIVSEP_USER."
|
||||||
|
mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
|
||||||
|
fi
|
||||||
|
|
||||||
|
if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
|
||||||
|
then
|
||||||
|
echo UsePrivilegeSeparation not enabled, privsep directory not required.
|
||||||
|
else
|
||||||
|
# create chroot directory if required
|
||||||
|
if [ -d $PRIVSEP_PATH ]
|
||||||
|
then
|
||||||
|
echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
|
||||||
|
else
|
||||||
|
echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
|
||||||
|
mkdir $PRIVSEP_PATH
|
||||||
|
chown 0 $PRIVSEP_PATH
|
||||||
|
chgrp 0 $PRIVSEP_PATH
|
||||||
|
chmod 755 $PRIVSEP_PATH
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
|
||||||
|
# Generate keys unless they already exist
|
||||||
|
echo Creating host keys if required.
|
||||||
|
if [ -f "$sysconfdir/ssh_host_key" ] ; then
|
||||||
|
echo "$sysconfdir/ssh_host_key already exists, skipping."
|
||||||
|
else
|
||||||
|
$bindir/ssh-keygen -t rsa1 -f $sysconfdir/ssh_host_key -N ""
|
||||||
|
fi
|
||||||
|
if [ -f $sysconfdir/ssh_host_dsa_key ] ; then
|
||||||
|
echo "$sysconfdir/ssh_host_dsa_key already exists, skipping."
|
||||||
|
else
|
||||||
|
$bindir/ssh-keygen -t dsa -f $sysconfdir/ssh_host_dsa_key -N ""
|
||||||
|
fi
|
||||||
|
if [ -f $sysconfdir/ssh_host_rsa_key ] ; then
|
||||||
|
echo "$sysconfdir/ssh_host_rsa_key already exists, skipping."
|
||||||
|
else
|
||||||
|
$bindir/ssh-keygen -t rsa -f $sysconfdir/ssh_host_rsa_key -N ""
|
||||||
|
fi
|
||||||
|
echo
|
||||||
|
|
||||||
|
# Set startup command depending on SRC support
|
||||||
|
if [ "$AIX_SRC" = "yes" ]
|
||||||
|
then
|
||||||
|
echo Creating SRC sshd subsystem.
|
||||||
|
rmssys -s sshd 2>&1 >/dev/null
|
||||||
|
mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
|
||||||
|
startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
|
||||||
|
oldstartcmd="$sbindir/sshd"
|
||||||
|
else
|
||||||
|
startupcmd="$sbindir/sshd"
|
||||||
|
oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If migrating to or from SRC, change previous startup command
|
||||||
|
# otherwise add to rc.tcpip
|
||||||
|
if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
|
||||||
|
then
|
||||||
|
if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
|
||||||
|
then
|
||||||
|
chmod 0755 /etc/rc.tcpip.new
|
||||||
|
mv /etc/rc.tcpip /etc/rc.tcpip.old && \
|
||||||
|
mv /etc/rc.tcpip.new /etc/rc.tcpip
|
||||||
|
else
|
||||||
|
echo "Updating /etc/rc.tcpip failed, please check."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
# Add to system startup if required
|
||||||
|
if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
|
||||||
|
then
|
||||||
|
echo "sshd found in rc.tcpip, not adding."
|
||||||
|
else
|
||||||
|
echo "Adding sshd to rc.tcpip"
|
||||||
|
echo >>/etc/rc.tcpip
|
||||||
|
echo "# Start sshd" >>/etc/rc.tcpip
|
||||||
|
echo "\$startupcmd" >>/etc/rc.tcpip
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create liblpp.a and move control files into it
|
||||||
|
#
|
||||||
|
echo Creating liblpp.a
|
||||||
|
(
|
||||||
|
cd ..
|
||||||
|
for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
|
||||||
|
do
|
||||||
|
ar -r liblpp.a $i
|
||||||
|
rm $i
|
||||||
|
done
|
||||||
|
)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create lpp_name
|
||||||
|
#
|
||||||
|
# This will end up looking something like:
|
||||||
|
# 4 R I OpenSSH {
|
||||||
|
# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
|
||||||
|
# [
|
||||||
|
# %
|
||||||
|
# /usr/local/bin 8073
|
||||||
|
# /usr/local/etc 189
|
||||||
|
# /usr/local/libexec 185
|
||||||
|
# /usr/local/man/man1 145
|
||||||
|
# /usr/local/man/man8 83
|
||||||
|
# /usr/local/sbin 2105
|
||||||
|
# /usr/local/share 3
|
||||||
|
# %
|
||||||
|
# ]
|
||||||
|
# }
|
||||||
|
|
||||||
|
echo Creating lpp_name
|
||||||
|
cat <<EOF >../lpp_name
|
||||||
|
4 R I $PKGNAME {
|
||||||
|
$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
|
||||||
|
[
|
||||||
|
%
|
||||||
|
EOF
|
||||||
|
|
||||||
|
for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
|
||||||
|
do
|
||||||
|
# get size in 512 byte blocks
|
||||||
|
if [ -d $FAKE_ROOT/$i ]
|
||||||
|
then
|
||||||
|
size=`du $FAKE_ROOT/$i | awk '{print $1}'`
|
||||||
|
echo "$i $size" >>../lpp_name
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
echo '%' >>../lpp_name
|
||||||
|
echo ']' >>../lpp_name
|
||||||
|
echo '}' >>../lpp_name
|
||||||
|
|
||||||
|
#
|
||||||
|
# Move pieces into place
|
||||||
|
#
|
||||||
|
mkdir -p usr/lpp/openssh
|
||||||
|
mv ../liblpp.a usr/lpp/openssh
|
||||||
|
mv ../lpp_name .
|
||||||
|
|
||||||
|
#
|
||||||
|
# Now invoke backup to create .bff file
|
||||||
|
# note: lpp_name needs to be the first file so we generate the
|
||||||
|
# file list on the fly and feed it to backup using -i
|
||||||
|
#
|
||||||
|
echo Creating $PKGNAME-$VERSION.bff with backup...
|
||||||
|
rm -f $PKGNAME-$VERSION.bff
|
||||||
|
(
|
||||||
|
echo "./lpp_name"
|
||||||
|
find . ! -name lpp_name -a ! -name . -print
|
||||||
|
) | backup -i -q -f ../$PKGNAME-$VERSION.bff $filelist
|
||||||
|
|
||||||
|
#
|
||||||
|
# Move package into final location and clean up
|
||||||
|
#
|
||||||
|
mv ../$PKGNAME-$VERSION.bff $startdir
|
||||||
|
cd $startdir
|
||||||
|
rm -rf $objdir/$PKGDIR
|
||||||
|
|
||||||
|
echo $0: done.
|
||||||
|
|
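Review bot: The perl prerequisite check near the top of buildbff.sh does not stop the build when perl is missing, because `exit 1` runs inside the `( ... )` subshell and only that subshell exits; the script then carries on to the `inventory.sh` step, which needs perl, and fails there with a less obvious error — use `perl -v >/dev/null || { echo perl required; exit 1; }`. Separately, the two `oldstartcmd` assignments written into the generated postinstall are not symmetric: the SRC branch escapes `\\\$src_running` so the postinstall receives it literally, while the non-SRC branch writes a bare `$src_running`, which the outer unquoted here-document expands (to nothing) at package-build time, so the resulting `egrep "^\$oldstartcmd"` will never match an existing `start /usr/sbin/sshd "$src_running"` line in /etc/rc.tcpip and a migration away from SRC appends a second sshd start line instead of replacing the first. Finally, `$filelist` in the closing `backup -i -q -f ... $filelist` is never assigned anywhere in the script; drop it or set it explicitly so the intent is clear.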
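--- /dev/null
+++ b/crypto/openssh/contrib/aix/inventory.sh
@@ -0,0 +1,63 @@
+#!/bin/sh
+#
+# inventory.sh
+# $Id: inventory.sh,v 1.6 2003/11/21 12:48:56 djm Exp $
+#
+# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
+# This file is placed into the public domain.
+#
+# This will produce an AIX package inventory file, which looks like:
+#
+# /usr/local/bin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=755
+# type=DIRECTORY
+# /usr/local/bin/slogin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=777
+# type=SYMLINK
+# target=ssh
+# /usr/local/share/Ssh.bin:
+# class=apply,inventory,openssh
+# owner=root
+# group=system
+# mode=644
+# type=FILE
+# size=VOLATILE
+# checksum=VOLATILE
+
+find . ! -name . -print | perl -ne '{
+chomp;
+if ( -l $_ ) {
+($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
+} else {
+($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
+}
+
+# Start to display inventory information
+$name = $_;
+$name =~ s|^.||; # Strip leading dot from path
+print "$name:\n";
+print "\tclass=apply,inventory,openssh\n";
+print "\towner=root\n";
+print "\tgroup=system\n";
+printf "\tmode=%lo\n", $mod & 07777; # Mask perm bits
+
+if ( -l $_ ) {
+# Entry is SymLink
+print "\ttype=SYMLINK\n";
+printf "\ttarget=%s\n", readlink($_);
+} elsif ( -f $_ ) {
+# Entry is File
+print "\ttype=FILE\n";
+print "\tsize=$sz\n";
+print "\tchecksum=VOLATILE\n";
+} elsif ( -d $_ ) {
+# Entry is Directory
+print "\ttype=DIRECTORY\n";
+}
+}'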
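Review bot: Every FILE entry is emitted with `checksum=VOLATILE`, which tells installp not to record a content checksum, so `lppchk -c` on the installed system cannot detect a modified sshd, ssh or sftp-server binary. Only the renamed `*.default` config files plausibly change after installation; for everything else record a real checksum (the AIX inventory field takes the output of `sum`, if I recall correctly) and reserve VOLATILE for files the postinstall rewrites. The header example also shows `size=VOLATILE`, while the code prints `size=$sz`; update the comment to match what is generated.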
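--- /dev/null
+++ b/crypto/openssh/contrib/aix/pam.conf
@@ -0,0 +1,20 @@
+#
+# PAM configuration file /etc/pam.conf
+# Example for OpenSSH on AIX 5.2
+#
+
+# Authentication Management
+sshd auth required /usr/lib/security/pam_aix
+OTHER auth required /usr/lib/security/pam_aix
+
+# Account Management
+sshd account required /usr/lib/security/pam_aix
+OTHER account required /usr/lib/security/pam_aix
+
+# Password Management
+sshd password required /usr/lib/security/pam_aix
+OTHER password required /usr/lib/security/pam_aix
+
+# Session Management
+sshd session required /usr/lib/security/pam_aix
+OTHER session required /usr/lib/security/pam_aix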
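Review bot: The `OTHER` stanzas are a host-wide fallback — every PAM-aware service without an explicit entry will use them — yet the header describes the file only as an OpenSSH example for AIX 5.2, so an administrator who merges it into an existing /etc/pam.conf can silently change authentication for unrelated services. Add a comment above the first one such as `# OTHER entries apply to every service without its own stanza; merge into an existing pam.conf with care`, or ship only the four `sshd` lines and leave OTHER to the site's own policy.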
366
crypto/openssh/contrib/caldera/openssh.spec
Normal file
366
crypto/openssh/contrib/caldera/openssh.spec
Normal file
|
@ -0,0 +1,366 @@
|
||||||
|
|
||||||
|
# Some of this will need re-evaluation post-LSB. The SVIdir is there
|
||||||
|
# because the link appeared broken. The rest is for easy compilation,
|
||||||
|
# the tradeoff open to discussion. (LC957)
|
||||||
|
|
||||||
|
%define SVIdir /etc/rc.d/init.d
|
||||||
|
%{!?_defaultdocdir:%define _defaultdocdir %{_prefix}/share/doc/packages}
|
||||||
|
%{!?SVIcdir:%define SVIcdir /etc/sysconfig/daemons}
|
||||||
|
|
||||||
|
%define _mandir %{_prefix}/share/man/en
|
||||||
|
%define _sysconfdir /etc/ssh
|
||||||
|
%define _libexecdir %{_libdir}/ssh
|
||||||
|
|
||||||
|
# Do we want to disable root_login? (1=yes 0=no)
|
||||||
|
%define no_root_login 0
|
||||||
|
|
||||||
|
#old cvs stuff. please update before use. may be deprecated.
|
||||||
|
%define use_stable 1
|
||||||
|
%define version 6.3p1
|
||||||
|
%if %{use_stable}
|
||||||
|
%define cvs %{nil}
|
||||||
|
%define release 1
|
||||||
|
%else
|
||||||
|
%define cvs cvs20050315
|
||||||
|
%define release 0r1
|
||||||
|
%endif
|
||||||
|
%define xsa x11-ssh-askpass
|
||||||
|
%define askpass %{xsa}-1.2.4.1
|
||||||
|
|
||||||
|
# OpenSSH privilege separation requires a user & group ID
|
||||||
|
%define sshd_uid 67
|
||||||
|
%define sshd_gid 67
|
||||||
|
|
||||||
|
Name : openssh
|
||||||
|
Version : %{version}%{cvs}
|
||||||
|
Release : %{release}
|
||||||
|
Group : System/Network
|
||||||
|
|
||||||
|
Summary : OpenSSH free Secure Shell (SSH) implementation.
|
||||||
|
Summary(de) : OpenSSH - freie Implementation der Secure Shell (SSH).
|
||||||
|
Summary(es) : OpenSSH implementación libre de Secure Shell (SSH).
|
||||||
|
Summary(fr) : Implémentation libre du shell sécurisé OpenSSH (SSH).
|
||||||
|
Summary(it) : Implementazione gratuita OpenSSH della Secure Shell.
|
||||||
|
Summary(pt) : Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
|
||||||
|
Summary(pt_BR) : Implementação livre OpenSSH do protocolo Secure Shell (SSH).
|
||||||
|
|
||||||
|
Copyright : BSD
|
||||||
|
Packager : Raymund Will <ray@caldera.de>
|
||||||
|
URL : http://www.openssh.com/
|
||||||
|
|
||||||
|
Obsoletes : ssh, ssh-clients, openssh-clients
|
||||||
|
|
||||||
|
BuildRoot : /tmp/%{name}-%{version}
|
||||||
|
BuildRequires : XFree86-imake
|
||||||
|
|
||||||
|
# %{use_stable}==1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
|
||||||
|
# %{use_stable}==0: :pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
|
||||||
|
Source0: see-above:/.../openssh-%{version}.tar.gz
|
||||||
|
%if %{use_stable}
|
||||||
|
Source1: see-above:/.../openssh-%{version}.tar.gz.asc
|
||||||
|
%endif
|
||||||
|
Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz
|
||||||
|
Source3: http://www.openssh.com/faq.html
|
||||||
|
|
||||||
|
%Package server
|
||||||
|
Group : System/Network
|
||||||
|
Requires : openssh = %{version}
|
||||||
|
Obsoletes : ssh-server
|
||||||
|
|
||||||
|
Summary : OpenSSH Secure Shell protocol server (sshd).
|
||||||
|
Summary(de) : OpenSSH Secure Shell Protocol-Server (sshd).
|
||||||
|
Summary(es) : Servidor del protocolo OpenSSH Secure Shell (sshd).
|
||||||
|
Summary(fr) : Serveur de protocole du shell sécurisé OpenSSH (sshd).
|
||||||
|
Summary(it) : Server OpenSSH per il protocollo Secure Shell (sshd).
|
||||||
|
Summary(pt) : Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
|
||||||
|
Summary(pt_BR) : Servidor do protocolo Secure Shell OpenSSH (sshd).
|
||||||
|
|
||||||
|
|
||||||
|
%Package askpass
|
||||||
|
Group : System/Network
|
||||||
|
Requires : openssh = %{version}
|
||||||
|
URL : http://www.jmknoble.net/software/x11-ssh-askpass/
|
||||||
|
Obsoletes : ssh-extras
|
||||||
|
|
||||||
|
Summary : OpenSSH X11 pass-phrase dialog.
|
||||||
|
Summary(de) : OpenSSH X11 Passwort-Dialog.
|
||||||
|
Summary(es) : Aplicación de petición de frase clave OpenSSH X11.
|
||||||
|
Summary(fr) : Dialogue pass-phrase X11 d'OpenSSH.
|
||||||
|
Summary(it) : Finestra di dialogo X11 per la frase segreta di OpenSSH.
|
||||||
|
Summary(pt) : Diálogo de pedido de senha para X11 do OpenSSH.
|
||||||
|
Summary(pt_BR) : Diálogo de pedido de senha para X11 do OpenSSH.
|
||||||
|
|
||||||
|
|
||||||
|
%Description
|
||||||
|
OpenSSH (Secure Shell) provides access to a remote system. It replaces
|
||||||
|
telnet, rlogin, rexec, and rsh, and provides secure encrypted
|
||||||
|
communications between two untrusted hosts over an insecure network.
|
||||||
|
X11 connections and arbitrary TCP/IP ports can also be forwarded over
|
||||||
|
the secure channel.
|
||||||
|
|
||||||
|
%Description -l de
|
||||||
|
OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
|
||||||
|
telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
|
||||||
|
Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
|
||||||
|
Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
|
||||||
|
über den sicheren Channel weitergeleitet werden.
|
||||||
|
|
||||||
|
%Description -l es
|
||||||
|
OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
|
||||||
|
telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
|
||||||
|
entre dos equipos entre los que no se ha establecido confianza a través de una
|
||||||
|
red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
|
||||||
|
ser canalizadas sobre el canal seguro.
|
||||||
|
|
||||||
|
%Description -l fr
|
||||||
|
OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
|
||||||
|
telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
|
||||||
|
securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
|
||||||
|
connexions X11 et des ports TCP/IP arbitraires peuvent également être
|
||||||
|
transmis sur le canal sécurisé.
|
||||||
|
|
||||||
|
%Description -l it
|
||||||
|
OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
|
||||||
|
Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
|
||||||
|
e crittate tra due host non fidati su una rete non sicura. Le connessioni
|
||||||
|
X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
|
||||||
|
un canale sicuro.
|
||||||
|
|
||||||
|
%Description -l pt
|
||||||
|
OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
|
||||||
|
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
|
||||||
|
entre duas máquinas sem confiança mútua sobre uma rede insegura.
|
||||||
|
Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
|
||||||
|
pelo canal seguro.
|
||||||
|
|
||||||
|
%Description -l pt_BR
|
||||||
|
O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
|
||||||
|
telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
|
||||||
|
entre duas máquinas sem confiança mútua sobre uma rede insegura.
|
||||||
|
Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
|
||||||
|
pelo canal seguro.
|
||||||
|
|
||||||
|
%Description server
|
||||||
|
This package installs the sshd, the server portion of OpenSSH.
|
||||||
|
|
||||||
|
%Description -l de server
|
||||||
|
Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
|
||||||
|
|
||||||
|
%Description -l es server
|
||||||
|
Este paquete instala sshd, la parte servidor de OpenSSH.
|
||||||
|
|
||||||
|
%Description -l fr server
|
||||||
|
Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
|
||||||
|
|
||||||
|
%Description -l it server
|
||||||
|
Questo pacchetto installa sshd, il server di OpenSSH.
|
||||||
|
|
||||||
|
%Description -l pt server
|
||||||
|
Este pacote intala o sshd, o servidor do OpenSSH.
|
||||||
|
|
||||||
|
%Description -l pt_BR server
|
||||||
|
Este pacote intala o sshd, o servidor do OpenSSH.
|
||||||
|
|
||||||
|
%Description askpass
|
||||||
|
This package contains an X11-based pass-phrase dialog used per
|
||||||
|
default by ssh-add(1). It is based on %{askpass}
|
||||||
|
by Jim Knoble <jmknoble@pobox.com>.
|
||||||
|
|
||||||
|
|
||||||
|
%Prep
|
||||||
|
%setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
|
||||||
|
%if ! %{use_stable}
|
||||||
|
autoreconf
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%Build
|
||||||
|
CFLAGS="$RPM_OPT_FLAGS" \
|
||||||
|
%configure \
|
||||||
|
--with-pam \
|
||||||
|
--with-tcp-wrappers \
|
||||||
|
--with-privsep-path=%{_var}/empty/sshd \
|
||||||
|
#leave this line for easy edits.
|
||||||
|
|
||||||
|
%__make
|
||||||
|
|
||||||
|
cd %{askpass}
|
||||||
|
%configure \
|
||||||
|
#leave this line for easy edits.
|
||||||
|
|
||||||
|
xmkmf
|
||||||
|
%__make includes
|
||||||
|
%__make
|
||||||
|
|
||||||
|
|
||||||
|
%Install
|
||||||
|
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
|
||||||
|
|
||||||
|
make install DESTDIR=%{buildroot}
|
||||||
|
%makeinstall -C %{askpass} \
|
||||||
|
BINDIR=%{_libexecdir} \
|
||||||
|
MANPATH=%{_mandir} \
|
||||||
|
DESTDIR=%{buildroot}
|
||||||
|
|
||||||
|
# OpenLinux specific configuration
|
||||||
|
mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
|
||||||
|
mkdir -p %{buildroot}%{_var}/empty/sshd
|
||||||
|
|
||||||
|
# enabling X11 forwarding on the server is convenient and okay,
|
||||||
|
# on the client side it's a potential security risk!
|
||||||
|
%__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
|
||||||
|
%{buildroot}%{_sysconfdir}/sshd_config
|
||||||
|
|
||||||
|
%if %{no_root_login}
|
||||||
|
%__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
|
||||||
|
%{buildroot}%{_sysconfdir}/sshd_config
|
||||||
|
%endif
|
||||||
|
|
||||||
|
install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
|
||||||
|
# FIXME: disabled, find out why this doesn't work with nis
|
||||||
|
%__perl -pi -e 's:(.*pam_limits.*):#$1:' \
|
||||||
|
%{buildroot}/etc/pam.d/sshd
|
||||||
|
|
||||||
|
install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
|
||||||
|
|
||||||
|
# the last one is needless, but more future-proof
|
||||||
|
find %{buildroot}%{SVIdir} -type f -exec \
|
||||||
|
%__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
|
||||||
|
s:\@sysconfdir\@:%{_sysconfdir}:g; \
|
||||||
|
s:/usr/sbin:%{_sbindir}:g'\
|
||||||
|
\{\} \;
|
||||||
|
|
||||||
|
cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
|
||||||
|
IDENT=sshd
|
||||||
|
DESCRIPTIVE="OpenSSH secure shell daemon"
|
||||||
|
# This service will be marked as 'skipped' on boot if there
|
||||||
|
# is no host key. Use ssh-host-keygen to generate one
|
||||||
|
ONBOOT="yes"
|
||||||
|
OPTIONS=""
|
||||||
|
EoD
|
||||||
|
|
||||||
|
SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
|
||||||
|
install -m 0755 contrib/caldera/ssh-host-keygen $SKG
|
||||||
|
# Fix up some path names in the keygen toy^Hol
|
||||||
|
%__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
|
||||||
|
s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
|
||||||
|
%{buildroot}%{_sbindir}/ssh-host-keygen
|
||||||
|
|
||||||
|
# This looks terrible. Expect it to change.
|
||||||
|
# install remaining docs
|
||||||
|
DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
|
||||||
|
mkdir -p $DocD/%{askpass}
|
||||||
|
cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD
|
||||||
|
install -p -m 0444 %{SOURCE3} $DocD/faq.html
|
||||||
|
cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad} $DocD/%{askpass}
|
||||||
|
%if %{use_stable}
|
||||||
|
cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
|
||||||
|
%else
|
||||||
|
cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
|
||||||
|
ln -s %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
|
||||||
|
%endif
|
||||||
|
|
||||||
|
find %{buildroot}%{_mandir} -type f -not -name '*.gz' -print0 | xargs -0r %__gzip -9nf
|
||||||
|
rm %{buildroot}%{_mandir}/man1/slogin.1 && \
|
||||||
|
ln -s %{_mandir}/man1/ssh.1.gz \
|
||||||
|
%{buildroot}%{_mandir}/man1/slogin.1.gz
|
||||||
|
|
||||||
|
|
||||||
|
%Clean
|
||||||
|
#%{rmDESTDIR}
|
||||||
|
[ %{buildroot} != "/" ] && rm -rf %{buildroot}
|
||||||
|
|
||||||
|
%Post
|
||||||
|
# Generate host key when none is present to get up and running,
|
||||||
|
# both client and server require this for host-based auth!
|
||||||
|
# ssh-host-keygen checks for existing keys.
|
||||||
|
/usr/sbin/ssh-host-keygen
|
||||||
|
: # to protect the rpm database
|
||||||
|
|
||||||
|
%pre server
|
||||||
|
%{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
|
||||||
|
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
|
||||||
|
-c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
|
||||||
|
: # to protect the rpm database
|
||||||
|
|
||||||
|
%Post server
|
||||||
|
if [ -x %{LSBinit}-install ]; then
|
||||||
|
%{LSBinit}-install sshd
|
||||||
|
else
|
||||||
|
lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
|
||||||
|
fi
|
||||||
|
|
||||||
|
! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
|
||||||
|
: # to protect the rpm database
|
||||||
|
|
||||||
|
|
||||||
|
%PreUn server
|
||||||
|
[ "$1" = 0 ] || exit 0
|
||||||
|
! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
|
||||||
|
if [ -x %{LSBinit}-remove ]; then
|
||||||
|
%{LSBinit}-remove sshd
|
||||||
|
else
|
||||||
|
lisa --SysV-init remove sshd $1
|
||||||
|
fi
|
||||||
|
: # to protect the rpm database
|
||||||
|
|
||||||
|
%Files
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%dir %{_sysconfdir}
|
||||||
|
%config %{_sysconfdir}/ssh_config
|
||||||
|
%{_bindir}/scp
|
||||||
|
%{_bindir}/sftp
|
||||||
|
%{_bindir}/ssh
|
||||||
|
%{_bindir}/slogin
|
||||||
|
%{_bindir}/ssh-add
|
||||||
|
%attr(2755,root,nobody) %{_bindir}/ssh-agent
|
||||||
|
%{_bindir}/ssh-keygen
|
||||||
|
%{_bindir}/ssh-keyscan
|
||||||
|
%dir %{_libexecdir}
|
||||||
|
%attr(4711,root,root) %{_libexecdir}/ssh-keysign
|
||||||
|
%{_libexecdir}/ssh-pkcs11-helper
|
||||||
|
%{_sbindir}/ssh-host-keygen
|
||||||
|
%dir %{_defaultdocdir}/%{name}-%{version}
|
||||||
|
%{_defaultdocdir}/%{name}-%{version}/CREDITS
|
||||||
|
%{_defaultdocdir}/%{name}-%{version}/ChangeLog
|
||||||
|
%{_defaultdocdir}/%{name}-%{version}/LICENCE
|
||||||
|
%{_defaultdocdir}/%{name}-%{version}/OVERVIEW
|
||||||
|
%{_defaultdocdir}/%{name}-%{version}/README*
|
||||||
|
%{_defaultdocdir}/%{name}-%{version}/TODO
|
||||||
|
%{_defaultdocdir}/%{name}-%{version}/faq.html
|
||||||
|
%{_mandir}/man1/*
|
||||||
|
%{_mandir}/man8/ssh-keysign.8.gz
|
||||||
|
%{_mandir}/man8/ssh-pkcs11-helper.8.gz
|
||||||
|
%{_mandir}/man5/ssh_config.5.gz
|
||||||
|
|
||||||
|
%Files server
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%dir %{_var}/empty/sshd
|
||||||
|
%config %{SVIdir}/sshd
|
||||||
|
%config /etc/pam.d/sshd
|
||||||
|
%config %{_sysconfdir}/moduli
|
||||||
|
%config %{_sysconfdir}/sshd_config
|
||||||
|
%config %{SVIcdir}/sshd
|
||||||
|
%{_libexecdir}/sftp-server
|
||||||
|
%{_sbindir}/sshd
|
||||||
|
%{_mandir}/man5/moduli.5.gz
|
||||||
|
%{_mandir}/man5/sshd_config.5.gz
|
||||||
|
%{_mandir}/man8/sftp-server.8.gz
|
||||||
|
%{_mandir}/man8/sshd.8.gz
|
||||||
|
|
||||||
|
%Files askpass
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%{_libexecdir}/ssh-askpass
|
||||||
|
%{_libexecdir}/x11-ssh-askpass
|
||||||
|
%{_defaultdocdir}/%{name}-%{version}/%{askpass}
|
||||||
|
|
||||||
|
|
||||||
|
%ChangeLog
|
||||||
|
* Tue Jan 18 2011 Tim Rice <tim@multitalents.net>
|
||||||
|
- Use CFLAGS from Makefile instead of RPM so build completes.
|
||||||
|
- Signatures were changed to .asc since 4.1p1.
|
||||||
|
|
||||||
|
* Mon Jan 01 1998 ...
|
||||||
|
Template Version: 1.31
|
||||||
|
|
||||||
|
$Id: openssh.spec,v 1.80 2013/07/25 02:34:00 djm Exp $
|
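Review bot: `BuildRoot : /tmp/%{name}-%{version}` puts the fake root at a predictable path under the world-writable /tmp, and both `%Install` and `%Clean` then run `rm -rf %{buildroot}` and `make install` into it, so another local user on the build host who pre-creates that name (or drops a symlink there) can redirect what gets removed or written; use the conventional `%{_tmppath}/%{name}-%{version}-root` (newer rpm ignores BuildRoot in favour of `%{_buildrootdir}`, which is fine) and quote the guard as `[ "%{buildroot}" != "/" ]` so an empty macro cannot defeat it. The detached signature pulled in as `Source1` is never used: nothing in `%Prep` runs `gpg --verify %{SOURCE1} %{SOURCE0}`, so either add that step or state in a comment that the tarball is expected to be verified before it reaches the build. The `%pre server` `useradd` also hard-codes `/var/empty/sshd` while the configure flag, the `mkdir` in `%Install` and `%Files server` all use `%{_var}/empty/sshd`; make them agree so the privsep user's home always matches the chroot directory sshd is built with.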
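--- a/crypto/openssh/contrib/caldera/ssh-host-keygen
+++ b/crypto/openssh/contrib/caldera/ssh-host-keygen
@@ -0,0 +1,36 @@
+#! /bin/sh
+#
+# $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
+#
+# This script is normally run only *once* for a given host
+# (in a given period of time) -- on updates/upgrades/recovery
+# the ssh_host_key* files _should_ be retained! Otherwise false
+# "man-in-the-middle-attack" alerts will frighten unsuspecting
+# clients...
+
+keydir=@sysconfdir@
+keygen=@sshkeygen@
+
+if [ -f $keydir/ssh_host_key -o \
+-f $keydir/ssh_host_key.pub ]; then
+echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
+else
+echo "Generating SSH1 RSA host key."
+$keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
+fi
+
+if [ -f $keydir/ssh_host_rsa_key -o \
+-f $keydir/ssh_host_rsa_key.pub ]; then
+echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
+else
+echo "Generating SSH2 RSA host key."
+$keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
+fi
+
+if [ -f $keydir/ssh_host_dsa_key -o \
+-f $keydir/ssh_host_dsa_key.pub ]; then
+echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
+else
+echo "Generating SSH2 DSA host key."
+$keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
+fi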
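Review bot: `$keydir` and `$keygen` are expanded unquoted in every `[ -f $keydir/... ]` test and every `$keygen ... -f $keydir/...` call, so a `@sysconfdir@` or `@sshkeygen@` substitution containing whitespace would break the existence checks and hand a split path to ssh-keygen; quoting them, e.g. `if [ -f "$keydir/ssh_host_key" -o -f "$keydir/ssh_host_key.pub" ]; then`, costs nothing. The generated key set also differs from `create_host_keys` in `contrib/cygwin/ssh-host-config` in this same commit, which additionally produces `ssh_host_ecdsa_key`; if this script is meant to stay usable rather than be carried as-is from the vendor tree, the ECDSA block should be mirrored here and the protocol-1 `rsa1` block reconsidered.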
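--- a/crypto/openssh/contrib/caldera/sshd.init
+++ b/crypto/openssh/contrib/caldera/sshd.init
@@ -0,0 +1,125 @@
+#! /bin/bash
+#
+# $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
+#
+### BEGIN INIT INFO
+# Provides:
+# Required-Start: $network
+# Required-Stop:
+# Default-Start: 3 4 5
+# Default-Stop: 0 1 2 6
+# Description: sshd
+# Bring up/down the OpenSSH secure shell daemon.
+### END INIT INFO
+#
+# Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
+# Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
+# Modified for OpenLinux by Raymund Will <ray@caldera.de>
+
+NAME=sshd
+DAEMON=/usr/sbin/$NAME
+# Hack-Alert(TM)! This is necessary to get around the 'reload'-problem
+# created by recent OpenSSH daemon/ssd combinations. See Caldera internal
+# PR [linux/8278] for details...
+PIDF=/var/run/$NAME.pid
+NAME=$DAEMON
+
+_status() {
+[ -z "$1" ] || local pidf="$1"
+local ret=-1
+local pid
+if [ -n "$pidf" ] && [ -r "$pidf" ]; then
+pid=$(head -1 $pidf)
+else
+pid=$(pidof $NAME)
+fi
+
+if [ ! -e $SVIlock ]; then
+# no lock-file => not started == stopped?
+ret=3
+elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
+# pid-file given but not present or no pid => died, but was not stopped
+ret=2
+elif [ -r /proc/$pid/cmdline ] &&
+echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
+# pid-file given and present or pid found => check process...
+# but don't compare exe, as this will fail after an update!
+# compares OK => all's well, that ends well...
+ret=0
+else
+# no such process or exe does not match => stale pid-file or process died
+# just recently...
+ret=1
+fi
+return $ret
+}
+
+# Source function library (and set vital variables).
+. @SVIdir@/functions
+
+case "$1" in
+start)
+[ ! -e $SVIlock ] || exit 0
+[ -x $DAEMON ] || exit 5
+SVIemptyConfig @sysconfdir@/sshd_config && exit 6
+
+if [ ! \( -f @sysconfdir@/ssh_host_key -a \
+-f @sysconfdir@/ssh_host_key.pub \) -a \
+! \( -f @sysconfdir@/ssh_host_rsa_key -a \
+-f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
+! \( -f @sysconfdir@/ssh_host_dsa_key -a \
+-f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
+
+echo "$SVIsubsys: host key not initialized: skipped!"
+echo "$SVIsubsys: use ssh-host-keygen to generate one!"
+exit 6
+fi
+
+echo -n "Starting $SVIsubsys services: "
+ssd -S -x $DAEMON -n $NAME -- $OPTIONS
+ret=$?
+
+echo "."
+touch $SVIlock
+;;
+
+stop)
+[ -e $SVIlock ] || exit 0
+
+echo -n "Stopping $SVIsubsys services: "
+ssd -K -p $PIDF -n $NAME
+ret=$?
+
+echo "."
+rm -f $SVIlock
+;;
+
+force-reload|reload)
+[ -e $SVIlock ] || exit 0
+
+echo "Reloading $SVIsubsys configuration files: "
+ssd -K --signal 1 -q -p $PIDF -n $NAME
+ret=$?
+echo "done."
+;;
+
+restart)
+$0 stop
+$0 start
+ret=$?
+;;
+
+status)
+_status $PIDF
+ret=$?
+;;
+
+*)
+echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
+ret=2
+;;
+
+esac
+
+exit $ret
+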
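Review bot: In `_status` the value read from the pid file (`pid=$(head -1 $pidf)`) is used unvalidated to form `/proc/$pid/cmdline`, and the check `echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline` compares the whole cmdline, so it presumably only matches a daemon started with no arguments — with a non-empty `$OPTIONS` from the `start` branch, `status` would report 1 (stale) for a healthy sshd; worth confirming. A numeric guard such as `case "$pid" in ''|*[!0-9]*) pid= ;; esac` before the /proc lookup, plus comparing only the first NUL-terminated field of cmdline, would make the status check robust. Separately, in `restart)` the `ret=$?` after `$0 stop` / `$0 start` reflects only the start, so a failed stop is silently ignored.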
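--- a/crypto/openssh/contrib/caldera/sshd.pam
+++ b/crypto/openssh/contrib/caldera/sshd.pam
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_pwdb.so shadow nodelay
+account required /lib/security/pam_nologin.so
+account required /lib/security/pam_pwdb.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /lib/security/pam_pwdb.so
+session required /lib/security/pam_limits.so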
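Review bot: The `auth` line passes `nodelay` to `pam_pwdb.so`, which switches off the module's delay after a failed authentication, so password guessing through this stack is rate-limited only by whatever sshd itself enforces; unless that is intended, `auth required /lib/security/pam_pwdb.so shadow` is the safer default. The modules are also referenced by absolute `/lib/security/` paths and `pam_pwdb` has long been superseded by `pam_unix` on Linux-PAM, so this file should be treated as a historical Caldera template rather than a configuration to deploy.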
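--- a/crypto/openssh/contrib/cygwin/Makefile
+++ b/crypto/openssh/contrib/cygwin/Makefile
@@ -0,0 +1,77 @@
+srcdir=../..
+copyidsrcdir=..
+prefix=/usr
+exec_prefix=$(prefix)
+bindir=$(prefix)/bin
+datadir=$(prefix)/share
+mandir=$(datadir)/man
+docdir=$(datadir)/doc
+sshdocdir=$(docdir)/openssh
+cygdocdir=$(docdir)/Cygwin
+sysconfdir=/etc
+defaultsdir=$(sysconfdir)/defaults/etc
+inetdefdir=$(defaultsdir)/inetd.d
+PRIVSEP_PATH=/var/empty
+INSTALL=/usr/bin/install -c
+
+DESTDIR=
+
+all:
+@echo
+@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
+@echo "Be sure having DESTDIR set correctly!"
+@echo
+
+move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
+$(srcdir)/mkinstalldirs $(DESTDIR)$(defaultsdir)
+mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
+mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
+
+remove-empty-dir:
+rm -rf $(DESTDIR)$(PRIVSEP_PATH)
+
+install-inetd-config:
+$(srcdir)/mkinstalldirs $(DESTDIR)$(inetdefdir)
+$(INSTALL) -m 644 sshd-inetd $(DESTDIR)$(inetdefdir)/sshd-inetd
+
+install-sshdoc:
+$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
+-$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
+-$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
+-$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
+-$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+-$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
+-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
+-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
+-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
+-$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
+-$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+-$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
+-$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
+-$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
+-$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
+
+install-cygwindoc: README
+$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
+$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
+
+install-doc: install-sshdoc install-cygwindoc
+
+install-scripts: ssh-host-config ssh-user-config
+$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
+$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
+$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
+
+install-copy-id: $(copyidsrcdir)/ssh-copy-id $(copyidsrcdir)/ssh-copy-id.1
+$(INSTALL) -m 755 $(copyidsrcdir)/ssh-copy-id $(DESTDIR)$(bindir)/ssh-copy-id
+$(INSTALL) -m 644 $(copyidsrcdir)/ssh-copy-id.1 $(DESTDIR)$(mandir)/man1/ssh-copy-id.1
+
+gzip-man-pages:
+rm $(DESTDIR)$(mandir)/man1/slogin.1
+gzip $(DESTDIR)$(mandir)/man1/*.1
+gzip $(DESTDIR)$(mandir)/man5/*.5
+gzip $(DESTDIR)$(mandir)/man8/*.8
+cd $(DESTDIR)$(mandir)/man1 && ln -s ssh.1.gz slogin.1.gz
+
+cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts install-copy-id gzip-man-pages
+@echo "Cygwin specific configuration finished."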
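Review bot: None of the targets are declared `.PHONY`, although every one of them (`all`, `move-config-files`, `remove-empty-dir`, the `install-*` targets, `gzip-man-pages`, `cygwin-postinstall`) is a command rather than a file, so a stray file with one of those names would silently skip that step; add `.PHONY: all move-config-files remove-empty-dir install-inetd-config install-sshdoc install-cygwindoc install-doc install-scripts install-copy-id gzip-man-pages cygwin-postinstall`. The warning printed by `all` shows `DESTDIR` is expected to be set, yet `remove-empty-dir` and `gzip-man-pages` still run `rm -rf $(DESTDIR)$(PRIVSEP_PATH)` and `rm $(DESTDIR)$(mandir)/man1/slogin.1` against the live filesystem when it is empty; a first recipe line `$(if $(strip $(DESTDIR)),,$(error DESTDIR must be set))` on `cygwin-postinstall` would fail early instead, and `rm -f` would keep `gzip-man-pages` from aborting when `slogin.1` is absent. The leading `-` on each `install-sshdoc` line hides a missing document silently, which is presumably deliberate for optional files but deserves a one-line comment saying so.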
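--- a/crypto/openssh/contrib/cygwin/README
+++ b/crypto/openssh/contrib/cygwin/README
@@ -0,0 +1,91 @@
+This package describes important Cygwin specific stuff concerning OpenSSH.
+
+The binary package is usually built for recent Cygwin versions and might
+not run on older versions. Please check http://cygwin.com/ for information
+about current Cygwin releases.
+
+==================
+Host configuration
+==================
+
+If you are installing OpenSSH the first time, you can generate global config
+files and server keys, as well as installing sshd as a service, by running
+
+/usr/bin/ssh-host-config
+
+Note that this binary archive doesn't contain default config files in /etc.
+That files are only created if ssh-host-config is started.
+
+To support testing and unattended installation ssh-host-config got
+some options:
+
+usage: ssh-host-config [OPTION]...
+Options:
+--debug -d Enable shell's debug output.
+--yes -y Answer all questions with "yes" automatically.
+--no -n Answer all questions with "no" automatically.
+--cygwin -c <options> Use "options" as value for CYGWIN environment var.
+--port -p <n> sshd listens on port n.
+--user -u <account> privileged user for service, default 'cyg_server'.
+--pwd -w <passwd> Use "pwd" as password for privileged user.
+--privileged On Windows XP, require privileged user
+instead of LocalSystem for sshd service.
+
+Installing sshd as daemon via ssh-host-config is recommended.
+
+Alternatively you can start sshd via inetd, if you have the inetutils
+package installed. Just run ssh-host-config, but answer "no" when asked
+to install sshd as service. The ssh-host-config script also adds the
+required lines to /etc/inetd.conf and /etc/services.
+
+==================
+User configuration
+==================
+
+Any user can simplify creating the own private and public keys by running
+
+/usr/bin/ssh-user-config
+
+To support testing and unattended installation ssh-user-config got
+some options as well:
+
+usage: ssh-user-config [OPTION]...
+Options:
+--debug -d Enable shell's debug output.
+--yes -y Answer all questions with "yes" automatically.
+--no -n Answer all questions with "no" automatically.
+--passphrase -p word Use "word" as passphrase automatically.
+
+Please note that OpenSSH does never use the value of $HOME to
+search for the users configuration files! It always uses the
+value of the pw_dir field in /etc/passwd as the home directory.
+If no home diretory is set in /etc/passwd, the root directory
+is used instead!
+
+================
+Building OpenSSH
+================
+
+Building from source is easy. Just unpack the source archive, cd to that
+directory, and call cygport:
+
+cygport openssh.cygport almostall
+
+You must have installed the following packages to be able to build OpenSSH
+with the aforementioned cygport script:
+
+zlib
+crypt
+openssl-devel
+libwrap-devel
+libedit-devel
+libkrb5-devel
+
+Please send requests, error reports etc. to cygwin@cygwin.com.
+
+
+Have fun,
+
+Corinna Vinschen
+Cygwin Developer
+Red Hat Inc.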
758
crypto/openssh/contrib/cygwin/ssh-host-config
Normal file
758
crypto/openssh/contrib/cygwin/ssh-host-config
Normal file
|
@ -0,0 +1,758 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
|
||||||
|
#
|
||||||
|
# This file is part of the Cygwin port of OpenSSH.
|
||||||
|
#
|
||||||
|
# Permission to use, copy, modify, and distribute this software for any
|
||||||
|
# purpose with or without fee is hereby granted, provided that the above
|
||||||
|
# copyright notice and this permission notice appear in all copies.
|
||||||
|
#
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
||||||
|
# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||||
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
|
||||||
|
# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
|
||||||
|
# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
||||||
|
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
|
||||||
|
# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Initialization
|
||||||
|
# ======================================================================
|
||||||
|
|
||||||
|
CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
|
||||||
|
|
||||||
|
# List of apps used. This is checkad for existance in csih_sanity_check
|
||||||
|
# Don't use *any* transient commands before sourcing the csih helper script,
|
||||||
|
# otherwise the sanity checks are short-circuited.
|
||||||
|
declare -a csih_required_commands=(
|
||||||
|
/usr/bin/basename coreutils
|
||||||
|
/usr/bin/cat coreutils
|
||||||
|
/usr/bin/chmod coreutils
|
||||||
|
/usr/bin/dirname coreutils
|
||||||
|
/usr/bin/id coreutils
|
||||||
|
/usr/bin/mv coreutils
|
||||||
|
/usr/bin/rm coreutils
|
||||||
|
/usr/bin/cygpath cygwin
|
||||||
|
/usr/bin/mount cygwin
|
||||||
|
/usr/bin/ps cygwin
|
||||||
|
/usr/bin/setfacl cygwin
|
||||||
|
/usr/bin/umount cygwin
|
||||||
|
/usr/bin/cmp diffutils
|
||||||
|
/usr/bin/grep grep
|
||||||
|
/usr/bin/awk gawk
|
||||||
|
/usr/bin/ssh-keygen openssh
|
||||||
|
/usr/sbin/sshd openssh
|
||||||
|
/usr/bin/sed sed
|
||||||
|
)
|
||||||
|
csih_sanity_check_server=yes
|
||||||
|
source ${CSIH_SCRIPT}
|
||||||
|
|
||||||
|
PROGNAME=$(/usr/bin/basename $0)
|
||||||
|
_tdir=$(/usr/bin/dirname $0)
|
||||||
|
PROGDIR=$(cd $_tdir && pwd)
|
||||||
|
|
||||||
|
# Subdirectory where the new package is being installed
|
||||||
|
PREFIX=/usr
|
||||||
|
|
||||||
|
# Directory where the config files are stored
|
||||||
|
SYSCONFDIR=/etc
|
||||||
|
LOCALSTATEDIR=/var
|
||||||
|
|
||||||
|
port_number=22
|
||||||
|
privsep_configured=no
|
||||||
|
privsep_used=yes
|
||||||
|
cygwin_value=""
|
||||||
|
user_account=
|
||||||
|
password_value=
|
||||||
|
opt_force=no
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Routine: create_host_keys
|
||||||
|
# ======================================================================
|
||||||
|
create_host_keys() {
|
||||||
|
local ret=0
|
||||||
|
|
||||||
|
if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
|
||||||
|
then
|
||||||
|
csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
|
||||||
|
if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
|
||||||
|
then
|
||||||
|
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
|
||||||
|
then
|
||||||
|
csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
|
||||||
|
if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
|
||||||
|
then
|
||||||
|
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
|
||||||
|
then
|
||||||
|
csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
|
||||||
|
if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
|
||||||
|
then
|
||||||
|
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
|
||||||
|
then
|
||||||
|
csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
|
||||||
|
if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
|
||||||
|
then
|
||||||
|
csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
return $ret
|
||||||
|
} # --- End of create_host_keys --- #
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Routine: update_services_file
|
||||||
|
# ======================================================================
|
||||||
|
update_services_file() {
|
||||||
|
local _my_etcdir="/ssh-host-config.$$"
|
||||||
|
local _win_etcdir
|
||||||
|
local _services
|
||||||
|
local _spaces
|
||||||
|
local _serv_tmp
|
||||||
|
local _wservices
|
||||||
|
local ret=0
|
||||||
|
|
||||||
|
_win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
|
||||||
|
_services="${_my_etcdir}/services"
|
||||||
|
_spaces=" #"
|
||||||
|
_serv_tmp="${_my_etcdir}/srv.out.$$"
|
||||||
|
|
||||||
|
/usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
|
||||||
|
|
||||||
|
# Depends on the above mount
|
||||||
|
_wservices=`cygpath -w "${_services}"`
|
||||||
|
|
||||||
|
# Remove sshd 22/port from services
|
||||||
|
if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
|
||||||
|
then
|
||||||
|
/usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
|
||||||
|
if [ -f "${_serv_tmp}" ]
|
||||||
|
then
|
||||||
|
if /usr/bin/mv "${_serv_tmp}" "${_services}"
|
||||||
|
then
|
||||||
|
csih_inform "Removing sshd from ${_wservices}"
|
||||||
|
else
|
||||||
|
csih_warning "Removing sshd from ${_wservices} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
/usr/bin/rm -f "${_serv_tmp}"
|
||||||
|
else
|
||||||
|
csih_warning "Removing sshd from ${_wservices} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Add ssh 22/tcp and ssh 22/udp to services
|
||||||
|
if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
|
||||||
|
then
|
||||||
|
if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh 22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh 22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
|
||||||
|
then
|
||||||
|
if /usr/bin/mv "${_serv_tmp}" "${_services}"
|
||||||
|
then
|
||||||
|
csih_inform "Added ssh to ${_wservices}"
|
||||||
|
else
|
||||||
|
csih_warning "Adding ssh to ${_wservices} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
/usr/bin/rm -f "${_serv_tmp}"
|
||||||
|
else
|
||||||
|
csih_warning "Adding ssh to ${_wservices} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
/usr/bin/umount "${_my_etcdir}"
|
||||||
|
return $ret
|
||||||
|
} # --- End of update_services_file --- #
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Routine: sshd_privsep
|
||||||
|
# MODIFIES: privsep_configured privsep_used
|
||||||
|
# ======================================================================
|
||||||
|
sshd_privsep() {
|
||||||
|
local sshdconfig_tmp
|
||||||
|
local ret=0
|
||||||
|
|
||||||
|
if [ "${privsep_configured}" != "yes" ]
|
||||||
|
then
|
||||||
|
csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
|
||||||
|
csih_inform "However, this requires a non-privileged account called 'sshd'."
|
||||||
|
csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
|
||||||
|
if csih_request "Should privilege separation be used?"
|
||||||
|
then
|
||||||
|
privsep_used=yes
|
||||||
|
if ! csih_create_unprivileged_user sshd
|
||||||
|
then
|
||||||
|
csih_error_recoverable "Couldn't create user 'sshd'!"
|
||||||
|
csih_error_recoverable "Privilege separation set to 'no' again!"
|
||||||
|
csih_error_recoverable "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||||
|
let ++ret
|
||||||
|
privsep_used=no
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
privsep_used=no
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create default sshd_config from skeleton files in /etc/defaults/etc or
|
||||||
|
# modify to add the missing privsep configuration option
|
||||||
|
if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
|
||||||
|
sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
|
||||||
|
/usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
|
||||||
|
s/^#Port 22/Port ${port_number}/
|
||||||
|
s/^#StrictModes yes/StrictModes no/" \
|
||||||
|
< ${SYSCONFDIR}/sshd_config \
|
||||||
|
> "${sshdconfig_tmp}"
|
||||||
|
if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
|
||||||
|
then
|
||||||
|
csih_warning "Setting privilege separation to 'yes' failed!"
|
||||||
|
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
elif [ "${privsep_configured}" != "yes" ]
|
||||||
|
then
|
||||||
|
echo >> ${SYSCONFDIR}/sshd_config
|
||||||
|
if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
|
||||||
|
then
|
||||||
|
csih_warning "Setting privilege separation to 'yes' failed!"
|
||||||
|
csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
return $ret
|
||||||
|
} # --- End of sshd_privsep --- #
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Routine: update_inetd_conf
|
||||||
|
# ======================================================================
|
||||||
|
update_inetd_conf() {
|
||||||
|
local _inetcnf="${SYSCONFDIR}/inetd.conf"
|
||||||
|
local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
|
||||||
|
local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
|
||||||
|
local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
|
||||||
|
local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
|
||||||
|
local _with_comment=1
|
||||||
|
local ret=0
|
||||||
|
|
||||||
|
if [ -d "${_inetcnf_dir}" ]
|
||||||
|
then
|
||||||
|
# we have inetutils-1.5 inetd.d support
|
||||||
|
if [ -f "${_inetcnf}" ]
|
||||||
|
then
|
||||||
|
/usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
|
||||||
|
|
||||||
|
# check for sshd OR ssh in top-level inetd.conf file, and remove
|
||||||
|
# will be replaced by a file in inetd.d/
|
||||||
|
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
|
||||||
|
then
|
||||||
|
/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
||||||
|
if [ -f "${_inetcnf_tmp}" ]
|
||||||
|
then
|
||||||
|
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
|
||||||
|
then
|
||||||
|
csih_inform "Removed ssh[d] from ${_inetcnf}"
|
||||||
|
else
|
||||||
|
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
/usr/bin/rm -f "${_inetcnf_tmp}"
|
||||||
|
else
|
||||||
|
csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
csih_install_config "${_sshd_inetd_conf}" "${SYSCONFDIR}/defaults"
|
||||||
|
if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
if [ "${_with_comment}" -eq 0 ]
|
||||||
|
then
|
||||||
|
/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
||||||
|
else
|
||||||
|
/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
|
||||||
|
fi
|
||||||
|
if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
|
||||||
|
then
|
||||||
|
csih_inform "Updated ${_sshd_inetd_conf}"
|
||||||
|
else
|
||||||
|
csih_warning "Updating ${_sshd_inetd_conf} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
elif [ -f "${_inetcnf}" ]
|
||||||
|
then
|
||||||
|
/usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
|
||||||
|
|
||||||
|
# check for sshd in top-level inetd.conf file, and remove
|
||||||
|
# will be replaced by a file in inetd.d/
|
||||||
|
if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
|
||||||
|
then
|
||||||
|
/usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
|
||||||
|
if [ -f "${_inetcnf_tmp}" ]
|
||||||
|
then
|
||||||
|
if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
|
||||||
|
then
|
||||||
|
csih_inform "Removed sshd from ${_inetcnf}"
|
||||||
|
else
|
||||||
|
csih_warning "Removing sshd from ${_inetcnf} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
/usr/bin/rm -f "${_inetcnf_tmp}"
|
||||||
|
else
|
||||||
|
csih_warning "Removing sshd from ${_inetcnf} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Add ssh line to inetd.conf
|
||||||
|
if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
|
||||||
|
then
|
||||||
|
if [ "${_with_comment}" -eq 0 ]
|
||||||
|
then
|
||||||
|
echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
||||||
|
else
|
||||||
|
echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
|
||||||
|
fi
|
||||||
|
if [ $? -eq 0 ]
|
||||||
|
then
|
||||||
|
csih_inform "Added ssh to ${_inetcnf}"
|
||||||
|
else
|
||||||
|
csih_warning "Adding ssh to ${_inetcnf} failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
return $ret
|
||||||
|
} # --- End of update_inetd_conf --- #
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Routine: check_service_files_ownership
|
||||||
|
# Checks that the files in /etc and /var belong to the right owner
|
||||||
|
# ======================================================================
|
||||||
|
check_service_files_ownership() {
|
||||||
|
local run_service_as=$1
|
||||||
|
local ret=0
|
||||||
|
|
||||||
|
if [ -z "${run_service_as}" ]
|
||||||
|
then
|
||||||
|
accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
|
||||||
|
if [ "${accnt_name}" = "LocalSystem" ]
|
||||||
|
then
|
||||||
|
# Convert "LocalSystem" to "SYSTEM" as is the correct account name
|
||||||
|
accnt_name="SYSTEM:"
|
||||||
|
elif [[ "${accnt_name}" =~ ^\.\\ ]]
|
||||||
|
then
|
||||||
|
# Convert "." domain to local machine name
|
||||||
|
accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
|
||||||
|
fi
|
||||||
|
run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
|
||||||
|
if [ -z "${run_service_as}" ]
|
||||||
|
then
|
||||||
|
csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
|
||||||
|
csih_warning "As a result, this script cannot make sure that the files used"
|
||||||
|
csih_warning "by the sshd service belong to the user running the service."
|
||||||
|
csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
|
||||||
|
csih_warning "file is in a good shape."
|
||||||
|
return 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
|
||||||
|
do
|
||||||
|
if [ -f "$i" ]
|
||||||
|
then
|
||||||
|
if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Couldn't change owner of $i!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
|
||||||
|
then
|
||||||
|
if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
if [ $ret -ne 0 ]
|
||||||
|
then
|
||||||
|
csih_warning "Couldn't change owner of important files to ${run_service_as}!"
|
||||||
|
csih_warning "This may cause the sshd service to fail! Please make sure that"
|
||||||
|
csih_warning "you have suufficient permissions to change the ownership of files"
|
||||||
|
csih_warning "and try to run the ssh-host-config script again."
|
||||||
|
fi
|
||||||
|
return $ret
|
||||||
|
} # --- End of check_service_files_ownership --- #
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Routine: install_service
|
||||||
|
# Install sshd as a service
|
||||||
|
# ======================================================================
|
||||||
|
install_service() {
|
||||||
|
local run_service_as
|
||||||
|
local password
|
||||||
|
local ret=0
|
||||||
|
|
||||||
|
echo
|
||||||
|
if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_inform "Sshd service is already installed."
|
||||||
|
check_service_files_ownership "" || let ret+=$?
|
||||||
|
else
|
||||||
|
echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
|
||||||
|
if csih_request "(Say \"no\" if it is already installed as a service)"
|
||||||
|
then
|
||||||
|
csih_get_cygenv "${cygwin_value}"
|
||||||
|
|
||||||
|
if ( csih_is_nt2003 || [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
|
||||||
|
then
|
||||||
|
csih_inform "On Windows Server 2003, Windows Vista, and above, the"
|
||||||
|
csih_inform "SYSTEM account cannot setuid to other users -- a capability"
|
||||||
|
csih_inform "sshd requires. You need to have or to create a privileged"
|
||||||
|
csih_inform "account. This script will help you do so."
|
||||||
|
echo
|
||||||
|
|
||||||
|
[ "${opt_force}" = "yes" ] && opt_f=-f
|
||||||
|
[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
|
||||||
|
csih_select_privileged_username ${opt_f} ${opt_u} sshd
|
||||||
|
|
||||||
|
if ! csih_create_privileged_user "${password_value}"
|
||||||
|
then
|
||||||
|
csih_error_recoverable "There was a serious problem creating a privileged user."
|
||||||
|
csih_request "Do you want to proceed anyway?" || exit 1
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Never returns empty if NT or above
|
||||||
|
run_service_as=$(csih_service_should_run_as)
|
||||||
|
|
||||||
|
if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
|
||||||
|
then
|
||||||
|
password="${csih_PRIVILEGED_PASSWORD}"
|
||||||
|
if [ -z "${password}" ]
|
||||||
|
then
|
||||||
|
csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
|
||||||
|
password="${csih_value}"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# At this point, we either have $run_service_as = "system" and
|
||||||
|
# $password is empty, or $run_service_as is some privileged user and
|
||||||
|
# (hopefully) $password contains the correct password. So, from here
|
||||||
|
# out, we use '-z "${password}"' to discriminate the two cases.
|
||||||
|
|
||||||
|
csih_check_user "${run_service_as}"
|
||||||
|
|
||||||
|
if [ -n "${csih_cygenv}" ]
|
||||||
|
then
|
||||||
|
cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
|
||||||
|
fi
|
||||||
|
if [ -z "${password}" ]
|
||||||
|
then
|
||||||
|
if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
|
||||||
|
-a "-D" -y tcpip "${cygwin_env[@]}"
|
||||||
|
then
|
||||||
|
echo
|
||||||
|
csih_inform "The sshd service has been installed under the LocalSystem"
|
||||||
|
csih_inform "account (also known as SYSTEM). To start the service now, call"
|
||||||
|
csih_inform "\`net start sshd' or \`cygrunsrv -S sshd'. Otherwise, it"
|
||||||
|
csih_inform "will start automatically after the next reboot."
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
|
||||||
|
-a "-D" -y tcpip "${cygwin_env[@]}" \
|
||||||
|
-u "${run_service_as}" -w "${password}"
|
||||||
|
then
|
||||||
|
/usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
|
||||||
|
echo
|
||||||
|
csih_inform "The sshd service has been installed under the '${run_service_as}'"
|
||||||
|
csih_inform "account. To start the service now, call \`net start sshd' or"
|
||||||
|
csih_inform "\`cygrunsrv -S sshd'. Otherwise, it will start automatically"
|
||||||
|
csih_inform "after the next reboot."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
check_service_files_ownership "${run_service_as}" || let ret+=$?
|
||||||
|
else
|
||||||
|
csih_error_recoverable "Installing sshd as a service failed!"
|
||||||
|
let ++ret
|
||||||
|
fi
|
||||||
|
fi # user allowed us to install as service
|
||||||
|
fi # service not yet installed
|
||||||
|
return $ret
|
||||||
|
} # --- End of install_service --- #
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Main Entry Point
|
||||||
|
# ======================================================================
|
||||||
|
|
||||||
|
# Check how the script has been started. If
|
||||||
|
# (1) it has been started by giving the full path and
|
||||||
|
# that path is /etc/postinstall, OR
|
||||||
|
# (2) Otherwise, if the environment variable
|
||||||
|
# SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
|
||||||
|
# then set auto_answer to "no". This allows automatic
|
||||||
|
# creation of the config files in /etc w/o overwriting
|
||||||
|
# them if they already exist. In both cases, color
|
||||||
|
# escape sequences are suppressed, so as to prevent
|
||||||
|
# cluttering setup's logfiles.
|
||||||
|
if [ "$PROGDIR" = "/etc/postinstall" ]
|
||||||
|
then
|
||||||
|
csih_auto_answer="no"
|
||||||
|
csih_disable_color
|
||||||
|
opt_force=yes
|
||||||
|
fi
|
||||||
|
if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
|
||||||
|
then
|
||||||
|
csih_auto_answer="no"
|
||||||
|
csih_disable_color
|
||||||
|
opt_force=yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Parse options
|
||||||
|
# ======================================================================
|
||||||
|
while :
|
||||||
|
do
|
||||||
|
case $# in
|
||||||
|
0)
|
||||||
|
break
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
option=$1
|
||||||
|
shift
|
||||||
|
|
||||||
|
case "${option}" in
|
||||||
|
-d | --debug )
|
||||||
|
set -x
|
||||||
|
csih_trace_on
|
||||||
|
;;
|
||||||
|
|
||||||
|
-y | --yes )
|
||||||
|
csih_auto_answer=yes
|
||||||
|
opt_force=yes
|
||||||
|
;;
|
||||||
|
|
||||||
|
-n | --no )
|
||||||
|
csih_auto_answer=no
|
||||||
|
opt_force=yes
|
||||||
|
;;
|
||||||
|
|
||||||
|
-c | --cygwin )
|
||||||
|
cygwin_value="$1"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
|
||||||
|
-p | --port )
|
||||||
|
port_number=$1
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
|
||||||
|
-u | --user )
|
||||||
|
user_account="$1"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
|
||||||
|
-w | --pwd )
|
||||||
|
password_value="$1"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
|
||||||
|
--privileged )
|
||||||
|
csih_FORCE_PRIVILEGED_USER=yes
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
echo "usage: ${progname} [OPTION]..."
|
||||||
|
echo
|
||||||
|
echo "This script creates an OpenSSH host configuration."
|
||||||
|
echo
|
||||||
|
echo "Options:"
|
||||||
|
echo " --debug -d Enable shell's debug output."
|
||||||
|
echo " --yes -y Answer all questions with \"yes\" automatically."
|
||||||
|
echo " --no -n Answer all questions with \"no\" automatically."
|
||||||
|
echo " --cygwin -c <options> Use \"options\" as value for CYGWIN environment var."
|
||||||
|
echo " --port -p <n> sshd listens on port n."
|
||||||
|
echo " --user -u <account> privileged user for service, default 'cyg_server'."
|
||||||
|
echo " --pwd -w <passwd> Use \"pwd\" as password for privileged user."
|
||||||
|
echo " --privileged On Windows XP, require privileged user"
|
||||||
|
echo " instead of LocalSystem for sshd service."
|
||||||
|
echo
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
# ======================================================================
|
||||||
|
# Action!
|
||||||
|
# ======================================================================
|
||||||
|
|
||||||
|
# Check for running ssh/sshd processes first. Refuse to do anything while
|
||||||
|
# some ssh processes are still running
|
||||||
|
if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
|
||||||
|
then
|
||||||
|
echo
|
||||||
|
csih_error "There are still ssh processes running. Please shut them down first."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Make sure the user is running in an administrative context
|
||||||
|
admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
|
||||||
|
if [ "${admin}" != "yes" ]
|
||||||
|
then
|
||||||
|
echo
|
||||||
|
csih_warning "Running this script typically requires administrator privileges!"
|
||||||
|
csih_warning "However, it seems your account does not have these privileges."
|
||||||
|
csih_warning "Here's the list of groups in your user token:"
|
||||||
|
echo
|
||||||
|
for i in $(/usr/bin/id -G)
|
||||||
|
do
|
||||||
|
/usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \" \" \$1; }" /etc/group
|
||||||
|
done
|
||||||
|
echo
|
||||||
|
csih_warning "This usually means you're running this script from a non-admin"
|
||||||
|
csih_warning "desktop session, or in a non-elevated shell under UAC control."
|
||||||
|
echo
|
||||||
|
csih_warning "Make sure you have the appropriate privileges right now,"
|
||||||
|
csih_warning "otherwise parts of this script will probably fail!"
|
||||||
|
echo
|
||||||
|
echo -e "${_csih_QUERY_STR} Are you sure you want to continue? (Say \"no\" if you're not sure"
|
||||||
|
if ! csih_request "you have the required privileges)"
|
||||||
|
then
|
||||||
|
echo
|
||||||
|
csih_inform "Ok. Exiting. Make sure to switch to an administrative account"
|
||||||
|
csih_inform "or to start this script from an elevated shell."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo
|
||||||
|
|
||||||
|
warning_cnt=0
|
||||||
|
|
||||||
|
# Check for ${SYSCONFDIR} directory
|
||||||
|
csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
|
||||||
|
if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Can't set permissions on ${SYSCONFDIR}!"
|
||||||
|
let ++warning_cnt
|
||||||
|
fi
|
||||||
|
if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
|
||||||
|
let ++warning_cnt
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Check for /var/log directory
|
||||||
|
csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
|
||||||
|
if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
|
||||||
|
let ++warning_cnt
|
||||||
|
fi
|
||||||
|
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
|
||||||
|
let ++warning_cnt
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create /var/log/lastlog if not already exists
|
||||||
|
if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
|
||||||
|
then
|
||||||
|
echo
|
||||||
|
csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
|
||||||
|
"Cannot create ssh host configuration."
|
||||||
|
fi
|
||||||
|
if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
|
||||||
|
then
|
||||||
|
/usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
|
||||||
|
if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
|
||||||
|
let ++warning_cnt
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Create /var/empty file used as chroot jail for privilege separation
|
||||||
|
csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
|
||||||
|
if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
|
||||||
|
let ++warning_cnt
|
||||||
|
fi
|
||||||
|
if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
|
||||||
|
let ++warning_cnt
|
||||||
|
fi
|
||||||
|
|
||||||
|
# host keys
|
||||||
|
create_host_keys || let warning_cnt+=$?
|
||||||
|
|
||||||
|
# handle ssh_config
|
||||||
|
csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
|
||||||
|
if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
if [ "${port_number}" != "22" ]
|
||||||
|
then
|
||||||
|
csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
|
||||||
|
echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
|
||||||
|
echo " Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# handle sshd_config (and privsep)
|
||||||
|
csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
|
||||||
|
if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
|
||||||
|
then
|
||||||
|
/usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
|
||||||
|
fi
|
||||||
|
sshd_privsep || let warning_cnt+=$?
|
||||||
|
|
||||||
|
update_services_file || let warning_cnt+=$?
|
||||||
|
update_inetd_conf || let warning_cnt+=$?
|
||||||
|
install_service || let warning_cnt+=$?
|
||||||
|
|
||||||
|
echo
|
||||||
|
if [ $warning_cnt -eq 0 ]
|
||||||
|
then
|
||||||
|
csih_inform "Host configuration finished. Have fun!"
|
||||||
|
else
|
||||||
|
csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
|
||||||
|
csih_warning "Make sure that all problems reported are fixed,"
|
||||||
|
csih_warning "then re-run ssh-host-config."
|
||||||
|
fi
|
||||||
|
exit $warning_cnt
|
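--- a/crypto/openssh/contrib/cygwin/ssh-user-config
+++ b/crypto/openssh/contrib/cygwin/ssh-user-config
@@ -0,0 +1,266 @@
+#!/bin/bash
+#
+# ssh-user-config, Copyright 2000-2008 Red Hat Inc.
+#
+# This file is part of the Cygwin port of OpenSSH.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR
+# THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+# ======================================================================
+# Initialization
+# ======================================================================
+PROGNAME=$(basename -- $0)
+_tdir=$(dirname -- $0)
+PROGDIR=$(cd $_tdir && pwd)
+
+CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
+
+# Subdirectory where the new package is being installed
+PREFIX=/usr
+
+# Directory where the config files are stored
+SYSCONFDIR=/etc
+
+source ${CSIH_SCRIPT}
+
+auto_passphrase="no"
+passphrase=""
+pwdhome=
+with_passphrase=
+
+# ======================================================================
+# Routine: create_identity
+# optionally create identity of type argument in ~/.ssh
+# optionally add result to ~/.ssh/authorized_keys
+# ======================================================================
+create_identity() {
+local file="$1"
+local type="$2"
+local name="$3"
+if [ ! -f "${pwdhome}/.ssh/${file}" ]
+then
+if csih_request "Shall I create a ${name} identity file for you?"
+then
+csih_inform "Generating ${pwdhome}/.ssh/${file}"
+if [ "${with_passphrase}" = "yes" ]
+then
+ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null
+else
+ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
+fi
+if csih_request "Do you want to use this identity to login to this machine?"
+then
+csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
+cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
+fi
+fi
+fi
+} # === End of create_ssh1_identity() === #
+readonly -f create_identity
+
+# ======================================================================
+# Routine: check_user_homedir
+# Perform various checks on the user's home directory
+# SETS GLOBAL VARIABLE:
+# pwdhome
+# ======================================================================
+check_user_homedir() {
+local uid=$(id -u)
+pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
+if [ "X${pwdhome}" = "X" ]
+then
+csih_error_multi \
+"There is no home directory set for you in ${SYSCONFDIR}/passwd." \
+'Setting $HOME is not sufficient!'
+fi
+
+if [ ! -d "${pwdhome}" ]
+then
+csih_error_multi \
+"${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
+'but it is not a valid directory. Cannot create user identity files.'
+fi
+
+# If home is the root dir, set home to empty string to avoid error messages
+# in subsequent parts of that script.
+if [ "X${pwdhome}" = "X/" ]
+then
+# But first raise a warning!
+csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
+if csih_request "Would you like to proceed anyway?"
+then
+pwdhome=''
+else
+csih_warning "Exiting. Configuration is not complete"
+exit 1
+fi
+fi
+
+if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
+then
+echo
+csih_warning 'group and other have been revoked write permission to your home'
+csih_warning "directory ${pwdhome}."
+csih_warning 'This is required by OpenSSH to allow public key authentication using'
+csih_warning 'the key files stored in your .ssh subdirectory.'
+csih_warning 'Revert this change ONLY if you know what you are doing!'
+echo
+fi
+} # === End of check_user_homedir() === #
+readonly -f check_user_homedir
+
+# ======================================================================
+# Routine: check_user_dot_ssh_dir
+# Perform various checks on the ~/.ssh directory
+# PREREQUISITE:
+# pwdhome -- check_user_homedir()
+# ======================================================================
+check_user_dot_ssh_dir() {
+if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
+then
+csih_error "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files."
+fi
+
+if [ ! -e "${pwdhome}/.ssh" ]
+then
+mkdir "${pwdhome}/.ssh"
+if [ ! -e "${pwdhome}/.ssh" ]
+then
+csih_error "Creating users ${pwdhome}/.ssh directory failed"
+fi
+fi
+} # === End of check_user_dot_ssh_dir() === #
+readonly -f check_user_dot_ssh_dir
+
+# ======================================================================
+# Routine: fix_authorized_keys_perms
+# Corrects the permissions of ~/.ssh/authorized_keys
+# PREREQUISITE:
+# pwdhome -- check_user_homedir()
+# ======================================================================
+fix_authorized_keys_perms() {
+if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
+then
+if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
+then
+csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
+csih_warning "failed. Please care for the correct permissions. The minimum requirement"
+csih_warning "is, the owner needs read permissions."
+echo
+fi
+fi
+} # === End of fix_authorized_keys_perms() === #
+readonly -f fix_authorized_keys_perms
+
+
+# ======================================================================
+# Main Entry Point
+# ======================================================================
+
+# Check how the script has been started. If
+# (1) it has been started by giving the full path and
+# that path is /etc/postinstall, OR
+# (2) Otherwise, if the environment variable
+# SSH_USER_CONFIG_AUTO_ANSWER_NO is set
+# then set auto_answer to "no". This allows automatic
+# creation of the config files in /etc w/o overwriting
+# them if they already exist. In both cases, color
+# escape sequences are suppressed, so as to prevent
+# cluttering setup's logfiles.
+if [ "$PROGDIR" = "/etc/postinstall" ]
+then
+csih_auto_answer="no"
+csih_disable_color
+fi
+if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
+then
+csih_auto_answer="no"
+csih_disable_color
+fi
+
+# ======================================================================
+# Parse options
+# ======================================================================
+while :
+do
+case $# in
+0)
+break
+;;
+esac
+
+option=$1
+shift
+
+case "$option" in
+-d | --debug )
+set -x
+csih_trace_on
+;;
+
+-y | --yes )
+csih_auto_answer=yes
+;;
+
+-n | --no )
+csih_auto_answer=no
+;;
+
+-p | --passphrase )
+with_passphrase="yes"
+passphrase=$1
+shift
+;;
+
+*)
+echo "usage: ${PROGNAME} [OPTION]..."
+echo
+echo "This script creates an OpenSSH user configuration."
+echo
+echo "Options:"
+echo " --debug -d Enable shell's debug output."
+echo " --yes -y Answer all questions with \"yes\" automatically."
+echo " --no -n Answer all questions with \"no\" automatically."
+echo " --passphrase -p word Use \"word\" as passphrase automatically."
+echo
+exit 1
+;;
+
+esac
+done
+
+# ======================================================================
+# Action!
+# ======================================================================
+
+# Check passwd file
+if [ ! -f ${SYSCONFDIR}/passwd ]
+then
+csih_error_multi \
+"${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
+'first using mkpasswd. Check if it contains an entry for you and' \
+'please care for the home directory in your entry as well.'
+fi
+
+check_user_homedir
+check_user_dot_ssh_dir
+create_identity id_rsa rsa "SSH2 RSA"
+create_identity id_dsa dsa "SSH2 DSA"
+create_identity id_ecdsa ecdsa "SSH2 ECDSA"
+create_identity identity rsa1 "(deprecated) SSH1 RSA"
+fix_authorized_keys_perms
+
+echo
+csih_inform "Configuration finished. Have fun!"
+
+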
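Review bot: `csih_is_nt` written inside `[ ... ]` in the home-directory test of `check_user_homedir` and again in `fix_authorized_keys_perms` is a non-empty string operand, not a command, so that part of the condition is always true and the chmod/setfacl branch runs regardless of platform (elsewhere in this commit `csih_is_nt2003` is invoked as a command, so a function call was presumably intended here). Running it outside the brackets fixes both sites: `if csih_is_nt && [ -d "${pwdhome}" ] && [ -n "$(chmod -c g-w,o-w "${pwdhome}")" ]` and `if csih_is_nt && [ -e "${pwdhome}/.ssh/authorized_keys" ]`. Separately, the `--passphrase` value taken from argv is passed on to `ssh-keygen -N "${passphrase}"`, so it is visible in the process table on a shared machine for the lifetime of both commands; a comment at the option saying so, or prompting with `csih_get_value ... "-s"` as ssh-host-config does for the service password, would be worth adding. The rendering has also dropped the script's indentation, so the rebuilt lines above are flush-left.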
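--- a/crypto/openssh/contrib/cygwin/sshd-inetd
+++ b/crypto/openssh/contrib/cygwin/sshd-inetd
@@ -0,0 +1,4 @@
+# This file can be used to enable sshd as a slave of the inetd service
+# To do so, the line below should be uncommented.
+@COMMENT@ ssh stream tcp nowait root /usr/sbin/sshd sshd -i
+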
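--- a/crypto/openssh/contrib/findssl.sh
+++ b/crypto/openssh/contrib/findssl.sh
@@ -0,0 +1,186 @@
+#!/bin/sh
+#
+# $Id: findssl.sh,v 1.4 2007/02/19 11:44:25 dtucker Exp $
+#
+# findssl.sh
+# Search for all instances of OpenSSL headers and libraries
+# and print their versions.
+# Intended to help diagnose OpenSSH's "OpenSSL headers do not
+# match your library" errors.
+#
+# Written by Darren Tucker (dtucker at zip dot com dot au)
+# This file is placed in the public domain.
+#
+# Release history:
+# 2002-07-27: Initial release.
+# 2002-08-04: Added public domain notice.
+# 2003-06-24: Incorporated readme, set library paths. First cvs version.
+# 2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole.
+#
+# "OpenSSL headers do not match your library" are usually caused by
+# OpenSSH's configure picking up an older version of OpenSSL headers
+# or libraries. You can use the following # procedure to help identify
+# the cause.
+#
+# The output of configure will tell you the versions of the OpenSSL
+# headers and libraries that were picked up, for example:
+#
+# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
+# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
+# checking whether OpenSSL's headers match the library... no
+# configure: error: Your OpenSSL headers do not match your library
+#
+# Now run findssl.sh. This should identify the headers and libraries
+# present and their versions. You should be able to identify the
+# libraries and headers used and adjust your CFLAGS or remove incorrect
+# versions. The output will show OpenSSL's internal version identifier
+# and should look something like:
+
+# $ ./findssl.sh
+# Searching for OpenSSL header files.
+# 0x0090604fL /usr/include/openssl/opensslv.h
+# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
+#
+# Searching for OpenSSL shared library files.
+# 0x0090602fL /lib/libcrypto.so.0.9.6b
+# 0x0090602fL /lib/libcrypto.so.2
+# 0x0090581fL /usr/lib/libcrypto.so.0
+# 0x0090602fL /usr/lib/libcrypto.so
+# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
+# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
+# 0x0090600fL /usr/lib/libcrypto.so.1
+#
+# Searching for OpenSSL static library files.
+# 0x0090602fL /usr/lib/libcrypto.a
+# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
+#
+# In this example, I gave configure no extra flags, so it's picking up
+# the OpenSSL header from /usr/include/openssl (90604f) and the library
+# from /usr/lib/ (90602f).
+
+#
+# Adjust these to suit your compiler.
+# You may also need to set the *LIB*PATH environment variables if
+# DEFAULT_LIBPATH is not correct for your system.
+#
+CC=gcc
+STATIC=-static
+
+#
+# Cleanup on interrupt
+#
+trap 'rm -f conftest.c' INT HUP TERM
+
+#
+# Set up conftest C source
+#
+rm -f findssl.log
+cat >conftest.c <<EOD
+#include <stdio.h>
+int main(){printf("0x%08xL\n", SSLeay());}
+EOD
+
+#
+# Set default library paths if not already set
+#
+DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
+LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
+LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
+LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
+export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+
+# not all platforms have a 'which' command
+if which ls >/dev/null 2>/dev/null; then
+: which is defined
+else
+which () {
+saveIFS="$IFS"
+IFS=:
+for p in $PATH; do
+if test -x "$p/$1" -a -f "$p/$1"; then
+IFS="$saveIFS"
+echo "$p/$1"
+return 0
+fi
+done
+IFS="$saveIFS"
+return 1
+}
+fi
+
+#
+# Search for OpenSSL headers and print versions
+#
+echo Searching for OpenSSL header files.
+if [ -x "`which locate`" ]
+then
+headers=`locate opensslv.h`
+else
+headers=`find / -name opensslv.h -print 2>/dev/null`
+fi
+
+for header in $headers
+do
+ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
+echo "$ver $header"
+done
+echo
+
+#
+# Search for shared libraries.
+# Relies on shared libraries looking like "libcrypto.s*"
+#
+echo Searching for OpenSSL shared library files.
+if [ -x "`which locate`" ]
+then
+libraries=`locate libcrypto.s`
+else
+libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+(echo "Trying libcrypto $lib" >>findssl.log
+dir=`dirname $lib`
+LIBPATH="$dir:$LIBPATH"
+LD_LIBRARY_PATH="$dir:$LIBPATH"
+LIBRARY_PATH="$dir:$LIBPATH"
+export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+${CC} -o conftest conftest.c $lib 2>>findssl.log
+if [ -x ./conftest ]
+then
+ver=`./conftest 2>/dev/null`
+rm -f ./conftest
+echo "$ver $lib"
+fi)
+done
+echo
+
+#
+# Search for static OpenSSL libraries and print versions
+#
+echo Searching for OpenSSL static library files.
+if [ -x "`which locate`" ]
+then
+libraries=`locate libcrypto.a`
+else
+libraries=`find / -name libcrypto.a -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+libdir=`dirname $lib`
+echo "Trying libcrypto $lib" >>findssl.log
+${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
+if [ -x ./conftest ]
+then
+ver=`./conftest 2>/dev/null`
+rm -f ./conftest
+echo "$ver $lib"
+fi
+done
+
+#
+# Clean up
+#
+rm -f conftest.c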
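Review bot: The interrupt trap `trap 'rm -f conftest.c' INT HUP TERM` removes only the C source, so an interrupted run leaves a built `./conftest` behind, and on the next run the `[ -x ./conftest ]` test after a failed `${CC}` call will execute that stale binary and report its version against the wrong library; adding `rm -f ./conftest` before each `${CC}` invocation (and `conftest` to the trap) makes the attribution reliable. In the shared-library loop, `LD_LIBRARY_PATH="$dir:$LIBPATH"` and `LIBRARY_PATH="$dir:$LIBPATH"` build on the already-prefixed LIBPATH, so the previous LD_LIBRARY_PATH/LIBRARY_PATH values are discarded and `$dir` appears twice; `LD_LIBRARY_PATH="$dir:$LD_LIBRARY_PATH"` and `LIBRARY_PATH="$dir:$LIBRARY_PATH"` are presumably what was meant. A header comment noting that the script links and runs a test program against every libcrypto found under `/`, including any in user-writable directories, would also help readers decide where it is appropriate to run it.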
171
crypto/openssh/contrib/gnome-ssh-askpass1.c
Normal file
|
@ -0,0 +1,171 @@
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2000-2002 Damien Miller. All rights reserved.
|
||||||
|
*
|
||||||
|
* Redistribution and use in source and binary forms, with or without
|
||||||
|
* modification, are permitted provided that the following conditions
|
||||||
|
* are met:
|
||||||
|
* 1. Redistributions of source code must retain the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer.
|
||||||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||||||
|
* notice, this list of conditions and the following disclaimer in the
|
||||||
|
* documentation and/or other materials provided with the distribution.
|
||||||
|
*
|
||||||
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||||
|
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||||
|
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||||
|
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||||
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||||
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||||
|
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||||
|
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||||
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||||
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This is a simple GNOME SSH passphrase grabber. To use it, set the
|
||||||
|
* environment variable SSH_ASKPASS to point to the location of
|
||||||
|
* gnome-ssh-askpass before calling "ssh-add < /dev/null".
|
||||||
|
*
|
||||||
|
* There is only two run-time options: if you set the environment variable
|
||||||
|
* "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
|
||||||
|
* the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
|
||||||
|
* pointer will be grabbed too. These may have some benefit to security if
|
||||||
|
* you don't trust your X server. We grab the keyboard always.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Compile with:
|
||||||
|
*
|
||||||
|
* cc `gnome-config --cflags gnome gnomeui` \
|
||||||
|
* gnome-ssh-askpass1.c -o gnome-ssh-askpass \
|
||||||
|
* `gnome-config --libs gnome gnomeui`
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <gnome.h>
|
||||||
|
#include <X11/Xlib.h>
|
||||||
|
#include <gdk/gdkx.h>
|
||||||
|
|
||||||
|
void
|
||||||
|
report_failed_grab (void)
|
||||||
|
{
|
||||||
|
GtkWidget *err;
|
||||||
|
|
||||||
|
err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
|
||||||
|
"A malicious client may be eavesdropping on your session.",
|
||||||
|
GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
|
||||||
|
gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
|
||||||
|
gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
|
||||||
|
|
||||||
|
gnome_dialog_run_and_close(GNOME_DIALOG(err));
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
passphrase_dialog(char *message)
|
||||||
|
{
|
||||||
|
char *passphrase;
|
||||||
|
char **messages;
|
||||||
|
int result, i, grab_server, grab_pointer;
|
||||||
|
GtkWidget *dialog, *entry, *label;
|
||||||
|
|
||||||
|
grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
|
||||||
|
grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
|
||||||
|
|
||||||
|
dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
|
||||||
|
GNOME_STOCK_BUTTON_CANCEL, NULL);
|
||||||
|
|
||||||
|
messages = g_strsplit(message, "\\n", 0);
|
||||||
|
if (messages)
|
||||||
|
for(i = 0; messages[i]; i++) {
|
||||||
|
label = gtk_label_new(messages[i]);
|
||||||
|
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
|
||||||
|
label, FALSE, FALSE, 0);
|
||||||
|
}
|
||||||
|
|
||||||
|
entry = gtk_entry_new();
|
||||||
|
gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
|
||||||
|
FALSE, 0);
|
||||||
|
gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
|
||||||
|
gtk_widget_grab_focus(entry);
|
||||||
|
|
||||||
|
/* Center window and prepare for grab */
|
||||||
|
gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
|
||||||
|
gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
|
||||||
|
gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
|
||||||
|
gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
|
||||||
|
gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
|
||||||
|
gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
|
||||||
|
GNOME_PAD);
|
||||||
|
gtk_widget_show_all(dialog);
|
||||||
|
|
||||||
|
/* Grab focus */
|
||||||
|
if (grab_server)
|
||||||
|
XGrabServer(GDK_DISPLAY());
|
||||||
|
if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
|
||||||
|
NULL, NULL, GDK_CURRENT_TIME))
|
||||||
|
goto nograb;
|
||||||
|
if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
|
||||||
|
goto nograbkb;
|
||||||
|
|
||||||
|
/* Make <enter> close dialog */
|
||||||
|
gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
|
||||||
|
|
||||||
|
/* Run dialog */
|
||||||
|
result = gnome_dialog_run(GNOME_DIALOG(dialog));
|
||||||
|
|
||||||
|
/* Ungrab */
|
||||||
|
if (grab_server)
|
||||||
|
XUngrabServer(GDK_DISPLAY());
|
||||||
|
if (grab_pointer)
|
||||||
|
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||||
|
gdk_keyboard_ungrab(GDK_CURRENT_TIME);
|
||||||
|
gdk_flush();
|
||||||
|
|
||||||
|
/* Report passphrase if user selected OK */
|
||||||
|
passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
|
||||||
|
if (result == 0)
|
||||||
|
puts(passphrase);
|
||||||
|
|
||||||
|
/* Zero passphrase in memory */
|
||||||
|
memset(passphrase, '\0', strlen(passphrase));
|
||||||
|
gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
|
||||||
|
|
||||||
|
gnome_dialog_close(GNOME_DIALOG(dialog));
|
||||||
|
return (result == 0 ? 0 : -1);
|
||||||
|
|
||||||
|
/* At least one grab failed - ungrab what we got, and report
|
||||||
|
the failure to the user. Note that XGrabServer() cannot
|
||||||
|
fail. */
|
||||||
|
nograbkb:
|
||||||
|
gdk_pointer_ungrab(GDK_CURRENT_TIME);
|
||||||
|
nograb:
|
||||||
|
if (grab_server)
|
||||||
|
XUngrabServer(GDK_DISPLAY());
|
||||||
|
gnome_dialog_close(GNOME_DIALOG(dialog));
|
||||||
|
|
||||||
|
report_failed_grab();
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
char *message;
|
||||||
|
int result;
|
||||||
|
|
||||||
|
gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
|
||||||
|
|
||||||
|
if (argc == 2)
|
||||||
|
message = argv[1];
|
||||||
|
else
|
||||||
|
message = "Enter your OpenSSH passphrase:";
|
||||||
|
|
||||||
|
setvbuf(stdout, 0, _IONBF, 0);
|
||||||
|
result = passphrase_dialog(message);
|
||||||
|
|
||||||
|
return (result);
|
||||||
|
}
|
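Review bot: `messages`, the array returned by `g_strsplit()` in passphrase_dialog, is never released after the label loop; GLib expects `g_strfreev(messages);` once the labels are packed. The clearing step at the end writes through the pointer returned by `gtk_entry_get_text()` and then hands it back via `gtk_entry_set_text()`, so it only scrubs the widget's copy if that pointer is the entry's live buffer rather than a copy — a one-line comment stating that assumption would help whoever ports this. On the `nograbkb` path `gdk_pointer_ungrab()` is called even when the pointer was never grabbed; an `if (grab_pointer)` guard would mirror the success path.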
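--- a/crypto/openssh/contrib/gnome-ssh-askpass2.c
+++ b/crypto/openssh/contrib/gnome-ssh-askpass2.c
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+#define GRAB_TRIES	16
+#define GRAB_WAIT	250 /* milliseconds */
+
+/*
+ * Compile with:
+ *
+ * cc -Wall `pkg-config --cflags gtk+-2.0` \
+ *    gnome-ssh-askpass2.c -o gnome-ssh-askpass \
+ *    `pkg-config --libs gtk+-2.0`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <X11/Xlib.h>
+#include <gtk/gtk.h>
+#include <gdk/gdkx.h>
+
+static void
+report_failed_grab (const char *what)
+{
+	GtkWidget *err;
+
+	err = gtk_message_dialog_new(NULL, 0,
+				     GTK_MESSAGE_ERROR,
+				     GTK_BUTTONS_CLOSE,
+				     "Could not grab %s. "
+				     "A malicious client may be eavesdropping "
+				     "on your session.", what);
+	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+	gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(err))->label),
+				TRUE);
+
+	gtk_dialog_run(GTK_DIALOG(err));
+
+	gtk_widget_destroy(err);
+}
+
+static void
+ok_dialog(GtkWidget *entry, gpointer dialog)
+{
+	g_return_if_fail(GTK_IS_DIALOG(dialog));
+	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+}
+
+static int
+passphrase_dialog(char *message)
+{
+	const char *failed;
+	char *passphrase, *local;
+	int result, grab_tries, grab_server, grab_pointer;
+	GtkWidget *dialog, *entry;
+	GdkGrabStatus status;
+
+	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+	grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+	grab_tries = 0;
+
+	dialog = gtk_message_dialog_new(NULL, 0,
+					GTK_MESSAGE_QUESTION,
+					GTK_BUTTONS_OK_CANCEL,
+					"%s",
+					message);
+
+	entry = gtk_entry_new();
+	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
+	    FALSE, 0);
+	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+	gtk_widget_grab_focus(entry);
+	gtk_widget_show(entry);
+
+	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+	gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
+				TRUE);
+
+	/* Make <enter> close dialog */
+	gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+	g_signal_connect(G_OBJECT(entry), "activate",
+			 G_CALLBACK(ok_dialog), dialog);
+
+	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+
+	/* Grab focus */
+	gtk_widget_show_now(dialog);
+	if (grab_pointer) {
+		for(;;) {
+			status = gdk_pointer_grab(
+			   (GTK_WIDGET(dialog))->window, TRUE, 0, NULL,
+			   NULL, GDK_CURRENT_TIME);
+			if (status == GDK_GRAB_SUCCESS)
+				break;
+			usleep(GRAB_WAIT * 1000);
+			if (++grab_tries > GRAB_TRIES) {
+				failed = "mouse";
+				goto nograb;
+			}
+		}
+	}
+	for(;;) {
+		status = gdk_keyboard_grab((GTK_WIDGET(dialog))->window,
+		   FALSE, GDK_CURRENT_TIME);
+		if (status == GDK_GRAB_SUCCESS)
+			break;
+		usleep(GRAB_WAIT * 1000);
+		if (++grab_tries > GRAB_TRIES) {
+			failed = "keyboard";
+			goto nograbkb;
+		}
+	}
+	if (grab_server) {
+		gdk_x11_grab_server();
+	}
+
+	result = gtk_dialog_run(GTK_DIALOG(dialog));
+
+	/* Ungrab */
+	if (grab_server)
+		XUngrabServer(GDK_DISPLAY());
+	if (grab_pointer)
+		gdk_pointer_ungrab(GDK_CURRENT_TIME);
+	gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+	gdk_flush();
+
+	/* Report passphrase if user selected OK */
+	passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
+	if (result == GTK_RESPONSE_OK) {
+		local = g_locale_from_utf8(passphrase, strlen(passphrase),
+					   NULL, NULL, NULL);
+		if (local != NULL) {
+			puts(local);
+			memset(local, '\0', strlen(local));
+			g_free(local);
+		} else {
+			puts(passphrase);
+		}
+	}
+
+	/* Zero passphrase in memory */
+	memset(passphrase, '\b', strlen(passphrase));
+	gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+	memset(passphrase, '\0', strlen(passphrase));
+	g_free(passphrase);
+
+	gtk_widget_destroy(dialog);
+	return (result == GTK_RESPONSE_OK ? 0 : -1);
+
+	/* At least one grab failed - ungrab what we got, and report
+	   the failure to the user.  Note that XGrabServer() cannot
+	   fail.  */
+ nograbkb:
+	gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+	if (grab_server)
+		XUngrabServer(GDK_DISPLAY());
+	gtk_widget_destroy(dialog);
+
+	report_failed_grab(failed);
+
+	return (-1);
+}
+
+int
+main(int argc, char **argv)
+{
+	char *message;
+	int result;
+
+	gtk_init(&argc, &argv);
+
+	if (argc > 1) {
+		message = g_strjoinv(" ", argv + 1);
+	} else {
+		message = g_strdup("Enter your OpenSSH passphrase:");
+	}
+
+	setvbuf(stdout, 0, _IONBF, 0);
+	result = passphrase_dialog(message);
+	g_free(message);
+
+	return (result);
+}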
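Review bot: `grab_tries` in passphrase_dialog is reset to 0 only once, before the pointer loop, and the keyboard loop keeps incrementing the same counter, so after a slow pointer grab the keyboard grab gets fewer than GRAB_TRIES attempts before `failed = "keyboard"`. Adding `grab_tries = 0;` immediately before the keyboard `for(;;)` gives each grab its full budget. `gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE)` is issued twice on the same dialog, before and after the signal connection; the second call can go. The server grab is taken with `gdk_x11_grab_server()` but released with `XUngrabServer(GDK_DISPLAY())` on both the normal and `nograb` paths; if the targeted GDK keeps its own grab count, `gdk_x11_ungrab_server()` is the symmetric call — worth confirming.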
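--- a/crypto/openssh/contrib/hpux/README
+++ b/crypto/openssh/contrib/hpux/README
@@ -0,0 +1,45 @@
+README for OpenSSH HP-UX contrib files
+Kevin Steves <stevesk@pobox.com>
+
+sshd: configuration file for sshd.rc
+sshd.rc: SSH startup script
+egd: configuration file for egd.rc
+egd.rc: EGD (entropy gathering daemon) startup script
+
+To install:
+
+sshd.rc:
+
+o Verify paths in sshd.rc match your local installation
+  (WHAT_PATH and WHAT_PID)
+o Customize sshd if needed (SSHD_ARGS)
+o Install:
+
+  # cp sshd /etc/rc.config.d
+  # chmod 444 /etc/rc.config.d/sshd
+  # cp sshd.rc /sbin/init.d
+  # chmod 555 /sbin/init.d/sshd.rc
+  # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
+  # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
+
+egd.rc:
+
+o Verify egd.pl path in egd.rc matches your local installation
+  (WHAT_PATH)
+o Customize egd if needed (EGD_ARGS and EGD_LOG)
+o Add pseudo account:
+
+  # groupadd egd
+  # useradd -g egd egd
+  # mkdir -p /etc/opt/egd
+  # chown egd:egd /etc/opt/egd
+  # chmod 711 /etc/opt/egd
+
+o Install:
+
+  # cp egd /etc/rc.config.d
+  # chmod 444 /etc/rc.config.d/egd
+  # cp egd.rc /sbin/init.d
+  # chmod 555 /sbin/init.d/egd.rc
+  # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
+  # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd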
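--- a/crypto/openssh/contrib/hpux/egd
+++ b/crypto/openssh/contrib/hpux/egd
@@ -0,0 +1,15 @@
+# EGD_START: Set to 1 to start entropy gathering daemon
+# EGD_ARGS: Command line arguments to pass to egd
+# EGD_LOG: EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
+#
+# To configure the egd environment:
+
+# groupadd egd
+# useradd -g egd egd
+# mkdir -p /etc/opt/egd
+# chown egd:egd /etc/opt/egd
+# chmod 711 /etc/opt/egd
+
+EGD_START=1
+EGD_ARGS='/etc/opt/egd/entropy'
+EGD_LOG=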
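--- a/crypto/openssh/contrib/hpux/egd.rc
+++ b/crypto/openssh/contrib/hpux/egd.rc
@@ -0,0 +1,98 @@
+#!/sbin/sh
+
+#
+# egd.rc: EGD start-up and shutdown script
+#
+
+# Allowed exit values:
+#	0 = success; causes "OK" to show up in checklist.
+#	1 = failure; causes "FAIL" to show up in checklist.
+#	2 = skip; causes "N/A" to show up in the checklist.
+#	    Use this value if execution of this script is overridden
+#	    by the use of a control variable, or if this script is not
+#	    appropriate to execute for some other reason.
+#	3 = reboot; causes the system to be rebooted after execution.
+
+# Input and output:
+#	stdin is redirected from /dev/null
+#
+#	stdout and stderr are redirected to the /etc/rc.log file
+#	during checklist mode, or to the console in raw mode.
+
+umask 022
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+WHAT='EGD (entropy gathering daemon)'
+WHAT_PATH=/opt/perl/bin/egd.pl
+WHAT_CONFIG=/etc/rc.config.d/egd
+WHAT_LOG=/etc/opt/egd/egd.log
+
+# NOTE: If your script executes in run state 0 or state 1, then /usr might
+#	not be available.  Do not attempt to access commands or files in
+#	/usr unless your script executes in run state 2 or greater.  Other
+#	file systems typically not mounted until run state 2 include /var
+#	and /opt.
+
+rval=0
+
+# Check the exit value of a command run by this script.  If non-zero, the
+# exit code is echoed to the log file and the return value of this script
+# is set to indicate failure.
+
+set_return() {
+	x=$?
+	if [ $x -ne 0 ]; then
+		echo "EXIT CODE: $x"
+		rval=1	# script FAILed
+	fi
+}
+
+case $1 in
+'start_msg')
+	echo "Starting $WHAT"
+	;;
+
+'stop_msg')
+	echo "Stopping $WHAT"
+	;;
+
+'start')
+	if [ -f $WHAT_CONFIG ] ; then
+		. $WHAT_CONFIG
+	else
+		echo "ERROR: $WHAT_CONFIG defaults file MISSING"
+	fi
+
+
+	if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
+		EGD_LOG=${EGD_LOG:-$WHAT_LOG}
+		su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
+		    echo $WHAT started
+		set_return
+	else
+		rval=2
+	fi
+	;;
+
+'stop')
+	pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
+	if [ "X$pid" != "X" ]; then
+		if kill "$pid"; then
+			echo "$WHAT stopped"
+		else
+			rval=1
+			echo "Unable to stop $WHAT"
+		fi
+	fi
+	set_return
+	;;
+
+*)
+	echo "usage: $0 {start|stop|start_msg|stop_msg}"
+	rval=1
+	;;
+esac
+
+exit $rval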
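Review bot: The `'stop')` case of egd.rc locates the daemon with `ps -fuegd`, which matches every process owned by the egd user rather than the one launched by `'start')`; with more than one such process `$pid` holds several newline-separated numbers and the quoted `kill "$pid"` passes them as a single invalid argument, so the stop fails. Recording the daemon's pid at start and killing only that, or at minimum `kill $pid` unquoted, makes the stop target what the script started. Separately, when `$WHAT_CONFIG` is missing the `else` branch only echoes, so `EGD_START` stays unset and `[ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]` becomes a non-integer comparison that logs an error and falls into `rval=2` (N/A) instead of FAIL; setting `rval=1` in that branch, or `EGD_START=0` before sourcing, reports it. The same missing-config fall-through exists in sshd.rc's `'start')` case.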
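--- a/crypto/openssh/contrib/hpux/sshd
+++ b/crypto/openssh/contrib/hpux/sshd
@@ -0,0 +1,5 @@
+# SSHD_START: Set to 1 to start SSH daemon
+# SSHD_ARGS: Command line arguments to pass to sshd
+#
+SSHD_START=1
+SSHD_ARGS=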
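--- a/crypto/openssh/contrib/hpux/sshd.rc
+++ b/crypto/openssh/contrib/hpux/sshd.rc
@@ -0,0 +1,90 @@
+#!/sbin/sh
+
+#
+# sshd.rc: SSH daemon start-up and shutdown script
+#
+
+# Allowed exit values:
+#	0 = success; causes "OK" to show up in checklist.
+#	1 = failure; causes "FAIL" to show up in checklist.
+#	2 = skip; causes "N/A" to show up in the checklist.
+#	    Use this value if execution of this script is overridden
+#	    by the use of a control variable, or if this script is not
+#	    appropriate to execute for some other reason.
+#	3 = reboot; causes the system to be rebooted after execution.
+
+# Input and output:
+#	stdin is redirected from /dev/null
+#
+#	stdout and stderr are redirected to the /etc/rc.log file
+#	during checklist mode, or to the console in raw mode.
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+WHAT='OpenSSH'
+WHAT_PATH=/opt/openssh/sbin/sshd
+WHAT_PID=/var/run/sshd.pid
+WHAT_CONFIG=/etc/rc.config.d/sshd
+
+# NOTE: If your script executes in run state 0 or state 1, then /usr might
+#	not be available.  Do not attempt to access commands or files in
+#	/usr unless your script executes in run state 2 or greater.  Other
+#	file systems typically not mounted until run state 2 include /var
+#	and /opt.
+
+rval=0
+
+# Check the exit value of a command run by this script.  If non-zero, the
+# exit code is echoed to the log file and the return value of this script
+# is set to indicate failure.
+
+set_return() {
+	x=$?
+	if [ $x -ne 0 ]; then
+		echo "EXIT CODE: $x"
+		rval=1	# script FAILed
+	fi
+}
+
+case $1 in
+'start_msg')
+	echo "Starting $WHAT"
+	;;
+
+'stop_msg')
+	echo "Stopping $WHAT"
+	;;
+
+'start')
+	if [ -f $WHAT_CONFIG ] ; then
+		. $WHAT_CONFIG
+	else
+		echo "ERROR: $WHAT_CONFIG defaults file MISSING"
+	fi
+
+	if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
+		$WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
+		set_return
+	else
+		rval=2
+	fi
+	;;
+
+'stop')
+	if kill `cat $WHAT_PID`; then
+		echo "$WHAT stopped"
+	else
+		rval=1
+		echo "Unable to stop $WHAT"
+	fi
+	set_return
+	;;
+
+*)
+	echo "usage: $0 {start|stop|start_msg|stop_msg}"
+	rval=1
+	;;
+esac
+
+exit $rval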
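Review bot: The `'stop')` case of sshd.rc signals whatever `cat $WHAT_PID` prints without checking that the file exists or holds a single number; a missing file yields a `kill` with no operand, which at least lands in the "Unable to stop" branch, but a stale or truncated `/var/run/sshd.pid` would signal an unrelated pid. Guarding the kill with a `[ -f "$WHAT_PID" ]` test and quoting `$WHAT_PID` keeps the failure path while refusing to act on a missing file. `WHAT_PID` is also hard-coded here while the daemon's own pid-file location comes from its configuration, so a comment on the `WHAT_PID=` line noting that the two must agree would save installers a silent mismatch.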
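--- a/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh
+++ b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.csh
@@ -0,0 +1 @@
+setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass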
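--- a/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh
+++ b/crypto/openssh/contrib/redhat/gnome-ssh-askpass.sh
@@ -0,0 +1,2 @@
+SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
+export SSH_ASKPASS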
812
crypto/openssh/contrib/redhat/openssh.spec
Normal file
812
crypto/openssh/contrib/redhat/openssh.spec
Normal file
|
@ -0,0 +1,812 @@
|
||||||
|
%define ver 6.3p1
|
||||||
|
%define rel 1
|
||||||
|
|
||||||
|
# OpenSSH privilege separation requires a user & group ID
|
||||||
|
%define sshd_uid 74
|
||||||
|
%define sshd_gid 74
|
||||||
|
|
||||||
|
# Version of ssh-askpass
|
||||||
|
%define aversion 1.2.4.1
|
||||||
|
|
||||||
|
# Do we want to disable building of x11-askpass? (1=yes 0=no)
|
||||||
|
%define no_x11_askpass 0
|
||||||
|
|
||||||
|
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
|
||||||
|
%define no_gnome_askpass 0
|
||||||
|
|
||||||
|
# Do we want to link against a static libcrypto? (1=yes 0=no)
|
||||||
|
%define static_libcrypto 0
|
||||||
|
|
||||||
|
# Do we want smartcard support (1=yes 0=no)
|
||||||
|
%define scard 0
|
||||||
|
|
||||||
|
# Use GTK2 instead of GNOME in gnome-ssh-askpass
|
||||||
|
%define gtk2 1
|
||||||
|
|
||||||
|
# Is this build for RHL 6.x?
|
||||||
|
%define build6x 0
|
||||||
|
|
||||||
|
# Do we want kerberos5 support (1=yes 0=no)
|
||||||
|
%define kerberos5 1
|
||||||
|
|
||||||
|
# Reserve options to override askpass settings with:
|
||||||
|
# rpm -ba|--rebuild --define 'skip_xxx 1'
|
||||||
|
%{?skip_x11_askpass:%define no_x11_askpass 1}
|
||||||
|
%{?skip_gnome_askpass:%define no_gnome_askpass 1}
|
||||||
|
|
||||||
|
# Add option to build without GTK2 for older platforms with only GTK+.
|
||||||
|
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
|
||||||
|
# rpm -ba|--rebuild --define 'no_gtk2 1'
|
||||||
|
%{?no_gtk2:%define gtk2 0}
|
||||||
|
|
||||||
|
# Is this a build for RHL 6.x or earlier?
|
||||||
|
%{?build_6x:%define build6x 1}
|
||||||
|
|
||||||
|
# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
|
||||||
|
%if %{build6x}
|
||||||
|
%define _sysconfdir /etc
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Options for static OpenSSL link:
|
||||||
|
# rpm -ba|--rebuild --define "static_openssl 1"
|
||||||
|
%{?static_openssl:%define static_libcrypto 1}
|
||||||
|
|
||||||
|
# Options for Smartcard support: (needs libsectok and openssl-engine)
|
||||||
|
# rpm -ba|--rebuild --define "smartcard 1"
|
||||||
|
%{?smartcard:%define scard 1}
|
||||||
|
|
||||||
|
# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
|
||||||
|
%define rescue 0
|
||||||
|
%{?build_rescue:%define rescue 1}
|
||||||
|
|
||||||
|
# Turn off some stuff for resuce builds
|
||||||
|
%if %{rescue}
|
||||||
|
%define kerberos5 0
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Summary: The OpenSSH implementation of SSH protocol versions 1 and 2.
|
||||||
|
Name: openssh
|
||||||
|
Version: %{ver}
|
||||||
|
%if %{rescue}
|
||||||
|
Release: %{rel}rescue
|
||||||
|
%else
|
||||||
|
Release: %{rel}
|
||||||
|
%endif
|
||||||
|
URL: http://www.openssh.com/portable.html
|
||||||
|
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
|
||||||
|
%if ! %{no_x11_askpass}
|
||||||
|
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
|
||||||
|
%endif
|
||||||
|
License: BSD
|
||||||
|
Group: Applications/Internet
|
||||||
|
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
|
||||||
|
Obsoletes: ssh
|
||||||
|
%if %{build6x}
|
||||||
|
PreReq: initscripts >= 5.00
|
||||||
|
%else
|
||||||
|
Requires: initscripts >= 5.20
|
||||||
|
%endif
|
||||||
|
BuildRequires: perl, openssl-devel, tcp_wrappers
|
||||||
|
BuildRequires: /bin/login
|
||||||
|
%if ! %{build6x}
|
||||||
|
BuildPreReq: glibc-devel, pam
|
||||||
|
%else
|
||||||
|
BuildRequires: /usr/include/security/pam_appl.h
|
||||||
|
%endif
|
||||||
|
%if ! %{no_x11_askpass}
|
||||||
|
BuildRequires: /usr/include/X11/Xlib.h
|
||||||
|
%endif
|
||||||
|
%if ! %{no_gnome_askpass}
|
||||||
|
BuildRequires: pkgconfig
|
||||||
|
%endif
|
||||||
|
%if %{kerberos5}
|
||||||
|
BuildRequires: krb5-devel
|
||||||
|
BuildRequires: krb5-libs
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%package clients
|
||||||
|
Summary: OpenSSH clients.
|
||||||
|
Requires: openssh = %{version}-%{release}
|
||||||
|
Group: Applications/Internet
|
||||||
|
Obsoletes: ssh-clients
|
||||||
|
|
||||||
|
%package server
|
||||||
|
Summary: The OpenSSH server daemon.
|
||||||
|
Group: System Environment/Daemons
|
||||||
|
Obsoletes: ssh-server
|
||||||
|
Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
|
||||||
|
%if ! %{build6x}
|
||||||
|
Requires: /etc/pam.d/system-auth
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%package askpass
|
||||||
|
Summary: A passphrase dialog for OpenSSH and X.
|
||||||
|
Group: Applications/Internet
|
||||||
|
Requires: openssh = %{version}-%{release}
|
||||||
|
Obsoletes: ssh-extras
|
||||||
|
|
||||||
|
%package askpass-gnome
|
||||||
|
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
|
||||||
|
Group: Applications/Internet
|
||||||
|
Requires: openssh = %{version}-%{release}
|
||||||
|
Obsoletes: ssh-extras
|
||||||
|
|
||||||
|
%description
|
||||||
|
SSH (Secure SHell) is a program for logging into and executing
|
||||||
|
commands on a remote machine. SSH is intended to replace rlogin and
|
||||||
|
rsh, and to provide secure encrypted communications between two
|
||||||
|
untrusted hosts over an insecure network. X11 connections and
|
||||||
|
arbitrary TCP/IP ports can also be forwarded over the secure channel.
|
||||||
|
|
||||||
|
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
|
||||||
|
it up to date in terms of security and features, as well as removing
|
||||||
|
all patented algorithms to separate libraries.
|
||||||
|
|
||||||
|
This package includes the core files necessary for both the OpenSSH
|
||||||
|
client and server. To make this package useful, you should also
|
||||||
|
install openssh-clients, openssh-server, or both.
|
||||||
|
|
||||||
|
%description clients
|
||||||
|
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||||
|
into and executing commands on a remote machine. This package includes
|
||||||
|
the clients necessary to make encrypted connections to SSH servers.
|
||||||
|
You'll also need to install the openssh package on OpenSSH clients.
|
||||||
|
|
||||||
|
%description server
|
||||||
|
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||||
|
into and executing commands on a remote machine. This package contains
|
||||||
|
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
|
||||||
|
securely connect to your SSH server. You also need to have the openssh
|
||||||
|
package installed.
|
||||||
|
|
||||||
|
%description askpass
|
||||||
|
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||||
|
into and executing commands on a remote machine. This package contains
|
||||||
|
an X11 passphrase dialog for OpenSSH.
|
||||||
|
|
||||||
|
%description askpass-gnome
|
||||||
|
OpenSSH is a free version of SSH (Secure SHell), a program for logging
|
||||||
|
into and executing commands on a remote machine. This package contains
|
||||||
|
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
|
||||||
|
environment.
|
||||||
|
|
||||||
|
%prep
|
||||||
|
|
||||||
|
%if ! %{no_x11_askpass}
|
||||||
|
%setup -q -a 1
|
||||||
|
%else
|
||||||
|
%setup -q
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%build
|
||||||
|
%if %{rescue}
|
||||||
|
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if %{kerberos5}
|
||||||
|
K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
|
||||||
|
echo K5DIR=$K5DIR
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%configure \
|
||||||
|
--sysconfdir=%{_sysconfdir}/ssh \
|
||||||
|
--libexecdir=%{_libexecdir}/openssh \
|
||||||
|
--datadir=%{_datadir}/openssh \
|
||||||
|
--with-tcp-wrappers \
|
||||||
|
--with-rsh=%{_bindir}/rsh \
|
||||||
|
--with-default-path=/usr/local/bin:/bin:/usr/bin \
|
||||||
|
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
|
||||||
|
--with-privsep-path=%{_var}/empty/sshd \
|
||||||
|
--with-md5-passwords \
|
||||||
|
%if %{scard}
|
||||||
|
--with-smartcard \
|
||||||
|
%endif
|
||||||
|
%if %{rescue}
|
||||||
|
--without-pam \
|
||||||
|
%else
|
||||||
|
--with-pam \
|
||||||
|
%endif
|
||||||
|
%if %{kerberos5}
|
||||||
|
--with-kerberos5=$K5DIR \
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
|
%if %{static_libcrypto}
|
||||||
|
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
|
||||||
|
%endif
|
||||||
|
|
||||||
|
make
|
||||||
|
|
||||||
|
%if ! %{no_x11_askpass}
|
||||||
|
pushd x11-ssh-askpass-%{aversion}
|
||||||
|
%configure --libexecdir=%{_libexecdir}/openssh
|
||||||
|
xmkmf -a
|
||||||
|
make
|
||||||
|
popd
|
||||||
|
%endif
|
||||||
|
|
||||||
|
# Define a variable to toggle gnome1/gtk2 building. This is necessary
|
||||||
|
# because RPM doesn't handle nested %if statements.
|
||||||
|
%if %{gtk2}
|
||||||
|
gtk2=yes
|
||||||
|
%else
|
||||||
|
gtk2=no
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if ! %{no_gnome_askpass}
|
||||||
|
pushd contrib
|
||||||
|
if [ $gtk2 = yes ] ; then
|
||||||
|
make gnome-ssh-askpass2
|
||||||
|
mv gnome-ssh-askpass2 gnome-ssh-askpass
|
||||||
|
else
|
||||||
|
make gnome-ssh-askpass1
|
||||||
|
mv gnome-ssh-askpass1 gnome-ssh-askpass
|
||||||
|
fi
|
||||||
|
popd
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%install
|
||||||
|
rm -rf $RPM_BUILD_ROOT
|
||||||
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
|
||||||
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||||
|
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
|
||||||
|
|
||||||
|
make install DESTDIR=$RPM_BUILD_ROOT
|
||||||
|
|
||||||
|
install -d $RPM_BUILD_ROOT/etc/pam.d/
|
||||||
|
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
|
||||||
|
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
|
||||||
|
%if %{build6x}
|
||||||
|
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||||
|
%else
|
||||||
|
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
|
||||||
|
%endif
|
||||||
|
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
|
||||||
|
|
||||||
|
%if ! %{no_x11_askpass}
|
||||||
|
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
|
||||||
|
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if ! %{no_gnome_askpass}
|
||||||
|
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if ! %{scard}
|
||||||
|
rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if ! %{no_gnome_askpass}
|
||||||
|
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||||
|
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||||
|
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
|
||||||
|
%endif
|
||||||
|
|
||||||
|
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
|
||||||
|
|
||||||
|
%clean
|
||||||
|
rm -rf $RPM_BUILD_ROOT
|
||||||
|
|
||||||
|
%triggerun server -- ssh-server
|
||||||
|
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
|
||||||
|
touch /var/run/sshd.restart
|
||||||
|
fi
|
||||||
|
|
||||||
|
%triggerun server -- openssh-server < 2.5.0p1
|
||||||
|
# Count the number of HostKey and HostDsaKey statements we have.
|
||||||
|
gawk 'BEGIN {IGNORECASE=1}
|
||||||
|
/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
|
||||||
|
END {exit sawhostkey}' /etc/ssh/sshd_config
|
||||||
|
# And if we only found one, we know the client was relying on the old default
|
||||||
|
# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
|
||||||
|
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
|
||||||
|
# one nullifies the default, which would have loaded both.
|
||||||
|
if [ $? -eq 1 ] ; then
|
||||||
|
echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
|
||||||
|
echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
|
||||||
|
fi
|
||||||
|
|
||||||
|
%triggerpostun server -- ssh-server
|
||||||
|
if [ "$1" != 0 ] ; then
|
||||||
|
/sbin/chkconfig --add sshd
|
||||||
|
if test -f /var/run/sshd.restart ; then
|
||||||
|
rm -f /var/run/sshd.restart
|
||||||
|
/sbin/service sshd start > /dev/null 2>&1 || :
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
%pre server
|
||||||
|
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
|
||||||
|
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
|
||||||
|
-g sshd -M -r sshd 2>/dev/null || :
|
||||||
|
|
||||||
|
%post server
|
||||||
|
/sbin/chkconfig --add sshd
|
||||||
|
|
||||||
|
%postun server
|
||||||
|
/sbin/service sshd condrestart > /dev/null 2>&1 || :
|
||||||
|
|
||||||
|
%preun server
|
||||||
|
if [ "$1" = 0 ]
|
||||||
|
then
|
||||||
|
/sbin/service sshd stop > /dev/null 2>&1 || :
|
||||||
|
/sbin/chkconfig --del sshd
|
||||||
|
fi
|
||||||
|
|
||||||
|
%files
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
|
||||||
|
%attr(0755,root,root) %{_bindir}/scp
|
||||||
|
%attr(0644,root,root) %{_mandir}/man1/scp.1*
|
||||||
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
|
||||||
|
%if ! %{rescue}
|
||||||
|
%attr(0755,root,root) %{_bindir}/ssh-keygen
|
||||||
|
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
|
||||||
|
%attr(0755,root,root) %dir %{_libexecdir}/openssh
|
||||||
|
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
|
||||||
|
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
|
||||||
|
%endif
|
||||||
|
%if %{scard}
|
||||||
|
%attr(0755,root,root) %dir %{_datadir}/openssh
|
||||||
|
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%files clients
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%attr(0755,root,root) %{_bindir}/ssh
|
||||||
|
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
|
||||||
|
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
|
||||||
|
%attr(-,root,root) %{_bindir}/slogin
|
||||||
|
%attr(-,root,root) %{_mandir}/man1/slogin.1*
|
||||||
|
%if ! %{rescue}
|
||||||
|
%attr(2755,root,nobody) %{_bindir}/ssh-agent
|
||||||
|
%attr(0755,root,root) %{_bindir}/ssh-add
|
||||||
|
%attr(0755,root,root) %{_bindir}/ssh-keyscan
|
||||||
|
%attr(0755,root,root) %{_bindir}/sftp
|
||||||
|
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if ! %{rescue}
|
||||||
|
%files server
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%dir %attr(0111,root,root) %{_var}/empty/sshd
|
||||||
|
%attr(0755,root,root) %{_sbindir}/sshd
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
|
||||||
|
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
|
||||||
|
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
|
||||||
|
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
|
||||||
|
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
|
||||||
|
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
|
||||||
|
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if ! %{no_x11_askpass}
|
||||||
|
%files askpass
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%doc x11-ssh-askpass-%{aversion}/README
|
||||||
|
%doc x11-ssh-askpass-%{aversion}/ChangeLog
|
||||||
|
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-askpass
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%if ! %{no_gnome_askpass}
|
||||||
|
%files askpass-gnome
|
||||||
|
%defattr(-,root,root)
|
||||||
|
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
|
||||||
|
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
|
||||||
|
%endif
|
||||||
|
|
||||||
|
%changelog
|
||||||
|
* Wed Jul 14 2010 Tim Rice <tim@multitalents.net>
|
||||||
|
- test for skip_x11_askpass (line 77) should have been for no_x11_askpass
|
||||||
|
|
||||||
|
* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
|
||||||
|
- Remove noip6 option. This may be controlled at run-time in client config
|
||||||
|
file using new AddressFamily directive
|
||||||
|
|
||||||
|
* Mon May 12 2003 Damien Miller <djm@mindrot.org>
|
||||||
|
- Don't install profile.d scripts when not building with GNOME/GTK askpass
|
||||||
|
(patch from bet@rahul.net)
|
||||||
|
|
||||||
|
* Wed Oct 01 2002 Damien Miller <djm@mindrot.org>
|
||||||
|
- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
|
||||||
|
|
||||||
|
* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
|
||||||
|
- Use contrib/ Makefile for building askpass programs
|
||||||
|
|
||||||
|
* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
|
||||||
|
- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
|
||||||
|
- Add new {ssh,sshd}_config.5 manpages
|
||||||
|
- Add new ssh-keysign program and remove setuid from ssh client
|
||||||
|
|
||||||
|
* Fri May 10 2002 Damien Miller <djm@mindrot.org>
|
||||||
|
- Merge in spec changes from RedHat, reorgansie a little
|
||||||
|
- Add Privsep user, group and directory
|
||||||
|
|
||||||
|
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
|
||||||
|
- bump and grind (through the build system)
|
||||||
|
|
||||||
|
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
|
||||||
|
- require sharutils for building (mindrot #137)
|
||||||
|
- require db1-devel only when building for 6.x (#55105), which probably won't
|
||||||
|
work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
|
||||||
|
- require pam-devel by file (not by package name) again
|
||||||
|
- add Markus's patch to compile with OpenSSL 0.9.5a (from
|
||||||
|
http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
|
||||||
|
building for 6.x
|
||||||
|
|
||||||
|
* Thu Mar 7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
|
||||||
|
- update to 3.1p1
|
||||||
|
|
||||||
|
* Tue Mar 5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
|
||||||
|
- update to SNAP-20020305
|
||||||
|
- drop debug patch, fixed upstream
|
||||||
|
|
||||||
|
* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
|
||||||
|
- update to SNAP-20020220 for testing purposes (you've been warned, if there's
|
||||||
|
anything to be warned about, gss patches won't apply, I don't mind)
|
||||||
|
|
||||||
|
* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
|
||||||
|
- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
|
||||||
|
exchange, authentication, and named key support
|
||||||
|
|
||||||
|
* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
|
||||||
|
- remove dependency on db1-devel, which has just been swallowed up whole
|
||||||
|
by gnome-libs-devel
|
||||||
|
|
||||||
|
* Sun Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- adjust build dependencies so that build6x actually works right (fix
|
||||||
|
from Hugo van der Kooij)
|
||||||
|
|
||||||
|
* Tue Dec 4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
|
||||||
|
- update to 3.0.2p1
|
||||||
|
|
||||||
|
* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
|
||||||
|
- update to 3.0.1p1
|
||||||
|
|
||||||
|
* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- update to current CVS (not for use in distribution)
|
||||||
|
|
||||||
|
* Thu Nov 8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
|
||||||
|
- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
|
||||||
|
3.0p1 spec file and init script
|
||||||
|
|
||||||
|
* Wed Nov 7 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- update to 3.0p1
|
||||||
|
- update to x11-ssh-askpass 1.2.4.1
|
||||||
|
- change build dependency on a file from pam-devel to the pam-devel package
|
||||||
|
- replace primes with moduli
|
||||||
|
|
||||||
|
* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
|
||||||
|
- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
|
||||||
|
|
||||||
|
* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
|
||||||
|
- Merge changes to rescue build from current sysadmin survival cd
|
||||||
|
|
||||||
|
* Thu Sep 6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
|
||||||
|
- fix scp's server's reporting of file sizes, and build with the proper
|
||||||
|
preprocessor define to get large-file capable open(), stat(), etc.
|
||||||
|
(sftp has been doing this correctly all along) (#51827)
|
||||||
|
- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
|
||||||
|
- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
|
||||||
|
- mark profile.d scriptlets as config files (#42337)
|
||||||
|
- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
|
||||||
|
- change a couple of log() statements to debug() statements (#50751)
|
||||||
|
- pull cvs patch to add -t flag to sshd (#28611)
|
||||||
|
- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
|
||||||
|
|
||||||
|
* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
|
||||||
|
- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
|
||||||
|
|
||||||
|
* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- pull cvs patch to fix remote port forwarding with protocol 2
|
||||||
|
|
||||||
|
* Thu Aug 9 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- pull cvs patch to add session initialization to no-pty sessions
|
||||||
|
- pull cvs patch to not cut off challengeresponse auth needlessly
|
||||||
|
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
|
||||||
|
it by default on a system that doesn't have X installed (#49263)
|
||||||
|
|
||||||
|
* Wed Aug 8 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
|
||||||
|
|
||||||
|
* Mon Aug 6 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- pass OPTIONS correctly to initlog (#50151)
|
||||||
|
|
||||||
|
* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- switch to x11-ssh-askpass 1.2.2
|
||||||
|
|
||||||
|
* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- rebuild in new environment
|
||||||
|
|
||||||
|
* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- disable the gssapi patch
|
||||||
|
|
||||||
|
* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- update to 2.9p2
|
||||||
|
- refresh to a new version of the gssapi patch
|
||||||
|
|
||||||
|
* Thu Jun 7 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- change Copyright: BSD to License: BSD
|
||||||
|
- add Markus Friedl's unverified patch for the cookie file deletion problem
|
||||||
|
so that we can verify it
|
||||||
|
- drop patch to check if xauth is present (was folded into cookie patch)
|
||||||
|
- don't apply gssapi patches for the errata candidate
|
||||||
|
- clear supplemental groups list at startup
|
||||||
|
|
||||||
|
* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- fix an error parsing the new default sshd_config
|
||||||
|
- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
|
||||||
|
dealing with comments right
|
||||||
|
|
||||||
|
* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
|
||||||
|
to be removed before the next beta cycle because it's a big departure
|
||||||
|
from the upstream version
|
||||||
|
|
||||||
|
* Thu May 3 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- finish marking strings in the init script for translation
|
||||||
|
- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
|
||||||
|
at startup (change merged from openssh.com init script, originally by
|
||||||
|
Pekka Savola)
|
||||||
|
- refuse to do X11 forwarding if xauth isn't there, handy if you enable
|
||||||
|
it by default on a system that doesn't have X installed
|
||||||
|
|
||||||
|
* Wed May 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- update to 2.9
|
||||||
|
- drop various patches that came from or went upstream or to or from CVS
|
||||||
|
|
||||||
|
* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
|
||||||
|
|
||||||
|
* Sun Apr 8 2001 Preston Brown <pbrown@redhat.com>
|
||||||
|
- remove explicit openssl requirement, fixes builddistro issue
|
||||||
|
- make initscript stop() function wait until sshd really dead to avoid
|
||||||
|
races in condrestart
|
||||||
|
|
||||||
|
* Mon Apr 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- mention that challengereponse supports PAM, so disabling password doesn't
|
||||||
|
limit users to pubkey and rsa auth (#34378)
|
||||||
|
- bypass the daemon() function in the init script and call initlog directly,
|
||||||
|
because daemon() won't start a daemon it detects is already running (like
|
||||||
|
open connections)
|
||||||
|
- require the version of openssl we had when we were built
|
||||||
|
|
||||||
|
* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- make do_pam_setcred() smart enough to know when to establish creds and
|
||||||
|
when to reinitialize them
|
||||||
|
- add in a couple of other fixes from Damien for inclusion in the errata
|
||||||
|
|
||||||
|
* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- update to 2.5.2p2
|
||||||
|
- call setcred() again after initgroups, because the "creds" could actually
|
||||||
|
be group memberships
|
||||||
|
|
||||||
|
* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
|
||||||
|
- don't enable challenge-response by default until we find a way to not
|
||||||
|
have too many userauth requests (we may make up to six pubkey and up to
|
||||||
|
three password attempts as it is)
|
||||||
|
- remove build dependency on rsh to match openssh.com's packages more closely
|
||||||
|
|
||||||
|
* Sat Mar 3 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- remove dependency on openssl -- would need to be too precise
|
||||||
|
|
||||||
|
* Fri Mar 2 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- rebuild in new environment
|
||||||
|
|
||||||
|
* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Revert the patch to move pam_open_session.
|
||||||
|
- Init script and spec file changes from Pekka Savola. (#28750)
|
||||||
|
- Patch sftp to recognize '-o protocol' arguments. (#29540)
|
||||||
|
|
||||||
|
* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Chuck the closing patch.
|
||||||
|
- Add a trigger to add host keys for protocol 2 to the config file, now that
|
||||||
|
configuration file syntax requires us to specify it with HostKey if we
|
||||||
|
specify any other HostKey values, which we do.
|
||||||
|
|
||||||
|
* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Redo patch to move pam_open_session after the server setuid()s to the user.
|
||||||
|
- Rework the nopam patch to use be picked up by autoconf.
|
||||||
|
|
||||||
|
* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update for 2.5.1p1.
|
||||||
|
- Add init script mods from Pekka Savola.
|
||||||
|
- Tweak the init script to match the CVS contrib script more closely.
|
||||||
|
- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
|
||||||
|
adding id_rsa.
|
||||||
|
|
||||||
|
* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update for 2.5.0p1.
|
||||||
|
- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
|
||||||
|
- Resync with parts of Damien Miller's openssh.spec from CVS, including
|
||||||
|
update of x11 askpass to 1.2.0.
|
||||||
|
- Only require openssl (don't prereq) because we generate keys in the init
|
||||||
|
script now.
|
||||||
|
|
||||||
|
* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Don't open a PAM session until we've forked and become the user (#25690).
|
||||||
|
- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
|
||||||
|
host the user is attempting a login from.
|
||||||
|
- Resync with parts of Damien Miller's openssh.spec from CVS.
|
||||||
|
- Don't expose KbdInt responses in debug messages (from CVS).
|
||||||
|
- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
|
||||||
|
|
||||||
|
* Wed Feb 7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
|
||||||
|
- i18n-tweak to initscript.
|
||||||
|
|
||||||
|
* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- More gettextizing.
|
||||||
|
- Close all files after going into daemon mode (needs more testing).
|
||||||
|
- Extract patch from CVS to handle auth banners (in the client).
|
||||||
|
- Extract patch from CVS to handle compat weirdness.
|
||||||
|
|
||||||
|
* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Finish with the gettextizing.
|
||||||
|
|
||||||
|
* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Fix a bug in auth2-pam.c (#23877)
|
||||||
|
- Gettextize the init script.
|
||||||
|
|
||||||
|
* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Incorporate a switch for using PAM configs for 6.x, just in case.
|
||||||
|
|
||||||
|
* Tue Dec 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Incorporate Bero's changes for a build specifically for rescue CDs.
|
||||||
|
|
||||||
|
* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
|
||||||
|
succeeded, to allow public-key authentication after a failure with "none"
|
||||||
|
authentication. (#21268)
|
||||||
|
|
||||||
|
* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to x11-askpass 1.1.1. (#21301)
|
||||||
|
- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
|
||||||
|
|
||||||
|
* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Merge multiple PAM text messages into subsequent prompts when possible when
|
||||||
|
doing keyboard-interactive authentication.
|
||||||
|
|
||||||
|
* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Disable the built-in MD5 password support. We're using PAM.
|
||||||
|
- Take a crack at doing keyboard-interactive authentication with PAM, and
|
||||||
|
enable use of it in the default client configuration so that the client
|
||||||
|
will try it when the server disallows password authentication.
|
||||||
|
- Build with debugging flags. Build root policies strip all binaries anyway.
|
||||||
|
|
||||||
|
* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Use DESTDIR instead of %%makeinstall.
|
||||||
|
- Remove /usr/X11R6/bin from the path-fixing patch.
|
||||||
|
|
||||||
|
* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Add the primes file from the latest snapshot to the main package (#20884).
|
||||||
|
- Add the dev package to the prereq list (#19984).
|
||||||
|
- Remove the default path and mimic login's behavior in the server itself.
|
||||||
|
|
||||||
|
* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Resync with conditional options in Damien Miller's .spec file for an errata.
|
||||||
|
- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
|
||||||
|
|
||||||
|
* Tue Nov 7 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to OpenSSH 2.3.0p1.
|
||||||
|
- Update to x11-askpass 1.1.0.
|
||||||
|
- Enable keyboard-interactive authentication.
|
||||||
|
|
||||||
|
* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to ssh-askpass-x11 1.0.3.
|
||||||
|
- Change authentication related messages to be private (#19966).
|
||||||
|
|
||||||
|
* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Patch ssh-keygen to be able to list signatures for DSA public key files
|
||||||
|
it generates.
|
||||||
|
|
||||||
|
* Thu Oct 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always
|
||||||
|
build PAM authentication in.
|
||||||
|
- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
|
||||||
|
- Clean out no-longer-used patches.
|
||||||
|
- Patch ssh-add to try to add both identity and id_dsa, and to error only
|
||||||
|
when neither exists.
|
||||||
|
|
||||||
|
* Mon Oct 2 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update x11-askpass to 1.0.2. (#17835)
|
||||||
|
- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will
|
||||||
|
always find them in the right place. (#17909)
|
||||||
|
- Set the default path to be the same as the one supplied by /bin/login, but
|
||||||
|
add /usr/X11R6/bin. (#17909)
|
||||||
|
- Try to handle obsoletion of ssh-server more cleanly. Package names
|
||||||
|
are different, but init script name isn't. (#17865)
|
||||||
|
|
||||||
|
* Wed Sep 6 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to 2.2.0p1. (#17835)
|
||||||
|
- Tweak the init script to allow proper restarting. (#18023)
|
||||||
|
|
||||||
|
* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to 20000823 snapshot.
|
||||||
|
- Change subpackage requirements from %%{version} to %%{version}-%%{release}
|
||||||
|
- Back out the pipe patch.
|
||||||
|
|
||||||
|
* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to 2.1.1p4, which includes fixes for config file parsing problems.
|
||||||
|
- Move the init script back.
|
||||||
|
- Add Damien's quick fix for wackiness.
|
||||||
|
|
||||||
|
* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
|
||||||
|
|
||||||
|
* Thu Jul 6 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Move condrestart to server postun.
|
||||||
|
- Move key generation to init script.
|
||||||
|
- Actually use the right patch for moving the key generation to the init script.
|
||||||
|
- Clean up the init script a bit.
|
||||||
|
|
||||||
|
* Wed Jul 5 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
|
||||||
|
|
||||||
|
* Sun Jul 2 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to 2.1.1p2.
|
||||||
|
- Use of strtok() considered harmful.
|
||||||
|
|
||||||
|
* Sat Jul 1 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Get the build root out of the man pages.
|
||||||
|
|
||||||
|
* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Add and use condrestart support in the init script.
|
||||||
|
- Add newer initscripts as a prereq.
|
||||||
|
|
||||||
|
* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Build in new environment (release 2)
|
||||||
|
- Move -clients subpackage to Applications/Internet group
|
||||||
|
|
||||||
|
* Fri Jun 9 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Update to 2.2.1p1
|
||||||
|
|
||||||
|
* Sat Jun 3 2000 Nalin Dahyabhai <nalin@redhat.com>
|
||||||
|
- Patch to build with neither RSA nor RSAref.
|
||||||
|
- Miscellaneous FHS-compliance tweaks.
|
||||||
|
- Fix for possibly-compressed man pages.
|
||||||
|
|
||||||
|
* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
|
||||||
|
- Updated for new location
|
||||||
|
- Updated for new gnome-ssh-askpass build
|
||||||
|
|
||||||
|
* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
|
||||||
|
- Added Jim Knoble's <jmknoble@pobox.com> askpass
|
||||||
|
|
||||||
|
* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
|
||||||
|
- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
|
||||||
|
|
||||||
|
* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
|
||||||
|
- Added 'Obsoletes' directives
|
||||||
|
|
||||||
|
* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
|
||||||
|
- Use make install
|
||||||
|
- Subpackages
|
||||||
|
|
||||||
|
* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
|
||||||
|
- Added links for slogin
|
||||||
|
- Fixed perms on manpages
|
||||||
|
|
||||||
|
* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
|
||||||
|
- Renamed init script
|
||||||
|
|
||||||
|
* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
|
||||||
|
- Back to old binary names
|
||||||
|
|
||||||
|
* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
|
||||||
|
- Use autoconf
|
||||||
|
- New binary names
|
||||||
|
|
||||||
|
* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
|
||||||
|
- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
|
106
crypto/openssh/contrib/redhat/sshd.init
Executable file
|
@ -0,0 +1,106 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# Init file for OpenSSH server daemon
|
||||||
|
#
|
||||||
|
# chkconfig: 2345 55 25
|
||||||
|
# description: OpenSSH server daemon
|
||||||
|
#
|
||||||
|
# processname: sshd
|
||||||
|
# config: /etc/ssh/ssh_host_key
|
||||||
|
# config: /etc/ssh/ssh_host_key.pub
|
||||||
|
# config: /etc/ssh/ssh_random_seed
|
||||||
|
# config: /etc/ssh/sshd_config
|
||||||
|
# pidfile: /var/run/sshd.pid
|
||||||
|
|
||||||
|
# source function library
|
||||||
|
. /etc/rc.d/init.d/functions
|
||||||
|
|
||||||
|
# pull in sysconfig settings
|
||||||
|
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
|
||||||
|
|
||||||
|
RETVAL=0
|
||||||
|
prog="sshd"
|
||||||
|
|
||||||
|
# Some functions to make the below more readable
|
||||||
|
SSHD=/usr/sbin/sshd
|
||||||
|
PID_FILE=/var/run/sshd.pid
|
||||||
|
|
||||||
|
do_restart_sanity_check()
|
||||||
|
{
|
||||||
|
$SSHD -t
|
||||||
|
RETVAL=$?
|
||||||
|
if [ $RETVAL -ne 0 ]; then
|
||||||
|
failure $"Configuration file or keys are invalid"
|
||||||
|
echo
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
start()
|
||||||
|
{
|
||||||
|
# Create keys if necessary
|
||||||
|
/usr/bin/ssh-keygen -A
|
||||||
|
if [ -x /sbin/restorecon ]; then
|
||||||
|
/sbin/restorecon /etc/ssh/ssh_host_key.pub
|
||||||
|
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
|
||||||
|
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
|
||||||
|
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo -n $"Starting $prog:"
|
||||||
|
$SSHD $OPTIONS && success || failure
|
||||||
|
RETVAL=$?
|
||||||
|
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
|
||||||
|
echo
|
||||||
|
}
|
||||||
|
|
||||||
|
stop()
|
||||||
|
{
|
||||||
|
echo -n $"Stopping $prog:"
|
||||||
|
killproc $SSHD -TERM
|
||||||
|
RETVAL=$?
|
||||||
|
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
|
||||||
|
echo
|
||||||
|
}
|
||||||
|
|
||||||
|
reload()
|
||||||
|
{
|
||||||
|
echo -n $"Reloading $prog:"
|
||||||
|
killproc $SSHD -HUP
|
||||||
|
RETVAL=$?
|
||||||
|
echo
|
||||||
|
}
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
start)
|
||||||
|
start
|
||||||
|
;;
|
||||||
|
stop)
|
||||||
|
stop
|
||||||
|
;;
|
||||||
|
restart)
|
||||||
|
stop
|
||||||
|
start
|
||||||
|
;;
|
||||||
|
reload)
|
||||||
|
reload
|
||||||
|
;;
|
||||||
|
condrestart)
|
||||||
|
if [ -f /var/lock/subsys/sshd ] ; then
|
||||||
|
do_restart_sanity_check
|
||||||
|
if [ $RETVAL -eq 0 ] ; then
|
||||||
|
stop
|
||||||
|
# avoid race
|
||||||
|
sleep 3
|
||||||
|
start
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
status)
|
||||||
|
status $SSHD
|
||||||
|
RETVAL=$?
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
|
||||||
|
RETVAL=1
|
||||||
|
esac
|
||||||
|
exit $RETVAL
|
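Review bot: The `restart)` branch of the case statement calls `stop` and then `start` without first running `do_restart_sanity_check`, unlike `condrestart)` a few lines below, so a restart with a broken sshd_config or an unreadable host key stops the running daemon and then fails to bring it back, which on a remote machine removes the administrator's only way in. I would gate it the same way condrestart does: `restart)` / `do_restart_sanity_check` / `if [ $RETVAL -eq 0 ]; then stop; start; fi`. The same gap exists in `crypto/openssh/contrib/redhat/sshd.init.old` in this commit, where `restart)` does call `do_restart_sanity_check` but ignores the `$RETVAL` it sets before running `$0 stop`. Minor: `PID_FILE=/var/run/sshd.pid` is assigned but never referenced in this file.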
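--- a/crypto/openssh/contrib/redhat/sshd.init.old
+++ b/crypto/openssh/contrib/redhat/sshd.init.old
@@ -0,0 +1,172 @@
+#!/bin/bash
+#
+# Init file for OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: OpenSSH server daemon
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+
+# Some functions to make the below more readable
+KEYGEN=/usr/bin/ssh-keygen
+SSHD=/usr/sbin/sshd
+RSA1_KEY=/etc/ssh/ssh_host_key
+RSA_KEY=/etc/ssh/ssh_host_rsa_key
+DSA_KEY=/etc/ssh/ssh_host_dsa_key
+PID_FILE=/var/run/sshd.pid
+
+my_success() {
+local msg
+if [ $# -gt 1 ]; then
+msg="$2"
+else
+msg="done"
+fi
+case "`type -type success`" in
+function)
+success "$1"
+;;
+*)
+echo -n "${msg}"
+;;
+esac
+}
+my_failure() {
+local msg
+if [ $# -gt 1 ]; then
+msg="$2"
+else
+msg="FAILED"
+fi
+case "`type -type failure`" in
+function)
+failure "$1"
+;;
+*)
+echo -n "${msg}"
+;;
+esac
+}
+do_rsa1_keygen() {
+if [ ! -s $RSA1_KEY ]; then
+echo -n "Generating SSH1 RSA host key: "
+if $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then
+chmod 600 $RSA1_KEY
+chmod 644 $RSA1_KEY.pub
+my_success "RSA1 key generation"
+echo
+else
+my_failure "RSA1 key generation"
+echo
+exit 1
+fi
+fi
+}
+do_rsa_keygen() {
+if [ ! -s $RSA_KEY ]; then
+echo -n "Generating SSH2 RSA host key: "
+if $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then
+chmod 600 $RSA_KEY
+chmod 644 $RSA_KEY.pub
+my_success "RSA key generation"
+echo
+else
+my_failure "RSA key generation"
+echo
+exit 1
+fi
+fi
+}
+do_dsa_keygen() {
+if [ ! -s $DSA_KEY ]; then
+echo -n "Generating SSH2 DSA host key: "
+if $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then
+chmod 600 $DSA_KEY
+chmod 644 $DSA_KEY.pub
+my_success "DSA key generation"
+echo
+else
+my_failure "DSA key generation"
+echo
+exit 1
+fi
+fi
+}
+do_restart_sanity_check() {
+$SSHD -t
+RETVAL=$?
+if [ ! "$RETVAL" = 0 ]; then
+my_failure "Configuration file or keys"
+echo
+fi
+}
+
+
+case "$1" in
+start)
+# Create keys if necessary
+do_rsa1_keygen;
+do_rsa_keygen;
+do_dsa_keygen;
+
+echo -n "Starting sshd: "
+if [ ! -f $PID_FILE ] ; then
+sshd $OPTIONS
+RETVAL=$?
+if [ "$RETVAL" = "0" ] ; then
+my_success "sshd startup" "sshd"
+touch /var/lock/subsys/sshd
+else
+my_failure "sshd startup" ""
+fi
+fi
+echo
+;;
+stop)
+echo -n "Shutting down sshd: "
+if [ -f $PID_FILE ] ; then
+killproc sshd
+RETVAL=$?
+[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
+fi
+echo
+;;
+restart)
+do_restart_sanity_check
+$0 stop
+$0 start
+RETVAL=$?
+;;
+condrestart)
+if [ -f /var/lock/subsys/sshd ] ; then
+do_restart_sanity_check
+$0 stop
+$0 start
+RETVAL=$?
+fi
+;;
+status)
+status sshd
+RETVAL=$?
+;;
+*)
+echo "Usage: sshd {start|stop|restart|status|condrestart}"
+exit 1
+;;
+esac
+
+exit $RETVAL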
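Review bot: In the `start)` branch the daemon is launched as `sshd $OPTIONS`, resolved through `$PATH`, while the `-t` sanity check in `do_restart_sanity_check` uses the absolute `$SSHD` (`/usr/sbin/sshd`); an init script running as root should start the same fixed binary it validated rather than whatever `sshd` the search path happens to yield. Change it to `$SSHD $OPTIONS`, and for consistency use `killproc $SSHD` and `status $SSHD` in `stop)` and `status)`, as the newer `sshd.init` in this commit already does.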
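--- a/crypto/openssh/contrib/redhat/sshd.pam
+++ b/crypto/openssh/contrib/redhat/sshd.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth required pam_stack.so service=system-auth
+account required pam_nologin.so
+account required pam_stack.so service=system-auth
+password required pam_stack.so service=system-auth
+session required pam_stack.so service=system-auth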
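Review bot: All four stacks delegate through `pam_stack.so service=system-auth`, a Red Hat-specific module that Linux-PAM deprecated in favour of the `include` directive and that recent distributions no longer ship; since each line is `required`, a module that cannot be loaded makes sshd's PAM authentication fail closed on such systems. The portable form is `auth include system-auth` (and likewise for the `account`, `password` and `session` lines), which leaves the `pam_nologin.so` account check untouched. As this is a vendored sample, a one-line comment such as `# pam_stack.so is obsolete; use "include system-auth" on current Linux-PAM` at the top would at least warn anyone copying it into /etc/pam.d.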
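--- a/crypto/openssh/contrib/redhat/sshd.pam.old
+++ b/crypto/openssh/contrib/redhat/sshd.pam.old
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_pwdb.so shadow nodelay
+auth required /lib/security/pam_nologin.so
+account required /lib/security/pam_pwdb.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /lib/security/pam_pwdb.so
+session required /lib/security/pam_limits.so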
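Review bot: Every module is referenced by the absolute path `/lib/security/...`, which breaks on 64-bit multilib systems where PAM modules live under `/lib64/security`, and because each line is `required`, a module that cannot be loaded fails the whole stack. Bare module names such as `auth required pam_pwdb.so shadow nodelay` let libpam resolve them from its own module directory; `crypto/openssh/contrib/sshd.pam.generic` later in this commit has the same hardcoded prefix. This `.old` variant additionally still relies on `pam_pwdb.so`, which the generic file already replaces with `pam_unix.so`.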
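--- a/crypto/openssh/contrib/solaris/README
+++ b/crypto/openssh/contrib/solaris/README
@@ -0,0 +1,30 @@
+The following is a new package build script for Solaris. This is being
+introduced into OpenSSH 3.0 and above in hopes of simplifying the build
+process. As of 3.1p2 the script should work on all platforms that have
+SVR4 style package tools.
+
+The build process is called a 'dummy install'.. Which means the software does
+a "make install-nokeys DESTDIR=[fakeroot]". This way all manpages should
+be handled correctly and key are defered until the first time the sshd
+is started.
+
+Directions:
+
+1. make -F Makefile.in distprep (Only if you are getting from the CVS tree)
+2. ./configure --with-pam [..any other options you want..]
+3. look at the top of buildpkg.sh for the configurable options and put
+any changes you want in openssh-config.local. Additional customizations
+can be done to the build process by creating one or more of the following
+scripts that will be sourced by buildpkg.sh.
+pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh
+pkg-preinstall.local pkg-postinstall.local pkg-preremove.local
+pkg-postremove.local pkg-request.local
+4. Run "make package"
+
+If all goes well you should have a solaris package ready to be installed.
+
+If you have any problems with this script please post them to
+openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
+
+- Ben Lindstrom
+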
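--- a/crypto/openssh/contrib/ssh-copy-id
+++ b/crypto/openssh/contrib/ssh-copy-id
@@ -0,0 +1,300 @@
+#!/bin/sh
+
+# Copyright (c) 1999-2013 Philip Hands <phil@hands.com>
+# 2013 Martin Kletzander <mkletzan@redhat.com>
+# 2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
+# 2010 Eric Moret <eric.moret@gmail.com>
+# 2009 Xr <xr@i-jeuxvideo.com>
+# 2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
+# 2004 Reini Urban <rurban@x-ray.at>
+# 2003 Colin Watson <cjwatson@debian.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Shell script to install your public key(s) on a remote machine
+# See the ssh-copy-id(1) man page for details
+
+# check that we have something mildly sane as our shell, or try to find something better
+if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
+then
+SANE_SH=${SANE_SH:-/usr/bin/ksh}
+if printf 'true ^ false\n' | "$SANE_SH"
+then
+printf "'%s' seems viable.\n" "$SANE_SH"
+exec "$SANE_SH" "$0" "$@"
+else
+cat <<-EOF
+oh dear.
+
+If you have a more recent shell available, that supports \$(...) etc.
+please try setting the environment variable SANE_SH to the path of that
+shell, and then retry running this script. If that works, please report
+a bug describing your setup, and the shell you used to make it work.
+
+EOF
+printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
+exit 1
+fi
+fi
+
+DEFAULT_PUB_ID_FILE=$(ls -t ${HOME}/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
+
+usage () {
+printf 'Usage: %s [-h|-?|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
+exit 1
+}
+
+# escape any single quotes in an argument
+quote() {
+printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
+}
+
+use_id_file() {
+local L_ID_FILE="$1"
+
+if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
+PUB_ID_FILE="$L_ID_FILE"
+else
+PUB_ID_FILE="$L_ID_FILE.pub"
+fi
+
+PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
+
+# check that the files are readable
+for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
+ErrMSG=$( { : < $f ; } 2>&1 ) || {
+printf "\n%s: ERROR: failed to open ID file '%s': %s\n\n" "$0" "$f" "$(printf "%s\n" "$ErrMSG" | sed -e 's/.*: *//')"
+exit 1
+}
+done
+GET_ID="cat \"$PUB_ID_FILE\""
+}
+
+if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
+GET_ID="ssh-add -L"
+fi
+
+while test "$#" -gt 0
+do
+[ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
+printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
+usage
+}
+
+OPT= OPTARG=
+# implement something like getopt to avoid Solaris pain
+case "$1" in
+-i?*|-o?*|-p?*)
+OPT="$(printf -- "$1"|cut -c1-2)"
+OPTARG="$(printf -- "$1"|cut -c3-)"
+shift
+;;
+-o|-p)
+OPT="$1"
+OPTARG="$2"
+shift 2
+;;
+-i)
+OPT="$1"
+test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
+OPTARG="$2"
+shift
+}
+shift
+;;
+-n|-h|-\?)
+OPT="$1"
+OPTARG=
+shift
+;;
+--)
+shift
+while test "$#" -gt 0
+do
+SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
+shift
+done
+break
+;;
+-*)
+printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
+usage
+;;
+*)
+SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
+shift
+continue
+;;
+esac
+
+case "$OPT" in
+-i)
+SEEN_OPT_I="yes"
+use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
+;;
+-o|-p)
+SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
+;;
+-n)
+DRY_RUN=1
+;;
+-h|-\?)
+usage
+;;
+esac
+done
+
+eval set -- "$SAVEARGS"
+
+if [ $# = 0 ] ; then
+usage
+fi
+if [ $# != 1 ] ; then
+printf '%s: ERROR: Too many arguments. Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
+usage
+fi
+
+# drop trailing colon
+USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
+# tack the hostname onto SSH_OPTS
+SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
+# and populate "$@" for later use (only way to get proper quoting of options)
+eval set -- "$SSH_OPTS"
+
+if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
+use_id_file "$PUB_ID_FILE"
+fi
+
+if [ -z "$(eval $GET_ID)" ] ; then
+printf '%s: ERROR: No identities found\n' "$0" >&2
+exit 1
+fi
+
+# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
+# and has the side effect of setting $NEW_IDS
+populate_new_ids() {
+local L_SUCCESS="$1"
+
+# repopulate "$@" inside this function
+eval set -- "$SSH_OPTS"
+
+umask 0177
+local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
+if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
+echo "mktemp failed" 1>&2
+exit 1
+fi
+trap "rm -f $L_TMP_ID_FILE ${L_TMP_ID_FILE}.pub" EXIT TERM INT QUIT
+printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
+NEW_IDS=$(
+eval $GET_ID | {
+while read ID ; do
+printf '%s\n' "$ID" > $L_TMP_ID_FILE
+
+# the next line assumes $PRIV_ID_FILE only set if using a single id file - this
+# assumption will break if we implement the possibility of multiple -i options.
+# The point being that if file based, ssh needs the private key, which it cannot
+# find if only given the contents of the .pub file in an unrelated tmpfile
+ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
+-o PreferredAuthentications=publickey \
+-o IdentitiesOnly=yes "$@" exit 2>$L_TMP_ID_FILE.stderr </dev/null
+if [ "$?" = "$L_SUCCESS" ] ; then
+: > $L_TMP_ID_FILE
+else
+grep 'Permission denied' $L_TMP_ID_FILE.stderr >/dev/null || {
+sed -e 's/^/ERROR: /' <$L_TMP_ID_FILE.stderr >$L_TMP_ID_FILE
+cat >/dev/null #consume the other keys, causing loop to end
+}
+fi
+
+cat $L_TMP_ID_FILE
+done
+}
+)
+rm -f $L_TMP_ID_FILE* && trap - EXIT TERM INT QUIT
+
+if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
+printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
+exit 1
+fi
+if [ -z "$NEW_IDS" ] ; then
+printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n\n' "$0" >&2
+exit 0
+fi
+printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
+}
+
+REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
+sed -ne 's/.*remote software version //p')
+
+case "$REMOTE_VERSION" in
+NetScreen*)
+populate_new_ids 1
+for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
+KEY_NO=$(($KEY_NO + 1))
+printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
+printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
+continue
+}
+[ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
+if [ $? = 255 ] ; then
+printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
+else
+ADDED=$(($ADDED + 1))
+fi
+done
+if [ -z "$ADDED" ] ; then
+exit 1
+fi
+;;
+*)
+# Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
+populate_new_ids 0
+[ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
+umask 077 ;
+mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
+if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi" \
+|| exit 1
+ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
+;;
+esac
+
+if [ "$DRY_RUN" ] ; then
+cat <<-EOF
+=-=-=-=-=-=-=-=
+Would have added the following key(s):
+
+$NEW_IDS
+=-=-=-=-=-=-=-=
+EOF
+else
+cat <<-EOF
+
+Number of key(s) added: $ADDED
+
+Now try logging into the machine, with: "ssh $SSH_OPTS"
+and check to make sure that only the key(s) you wanted were added.
+
+EOF
+fi
+
+# =-=-=-=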
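Review bot: In `populate_new_ids()` the line `local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)` fuses the declaration with the command substitution, so the `$?` tested on the next line is the exit status of `local` (always 0), not of `mktemp`; the `test "x$L_TMP_ID_FILE" = "x"` half of the guard still catches a silent failure, but the status check is dead code and will mislead anyone extending it. Split it into `local L_TMP_ID_FILE` followed by `L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)` so the check works as written. Separately, in the option parser `printf -- "$1"|cut -c1-2` uses the user's argument as the printf format string, so an argument containing `%` is mangled; `printf '%s' "$1"` is the safe form for both the `OPT` and `OPTARG` lines.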
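--- a/crypto/openssh/contrib/ssh-copy-id.1
+++ b/crypto/openssh/contrib/ssh-copy-id.1
@@ -0,0 +1,186 @@
+.ig \" -*- nroff -*-
+Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+notice, this list of conditions and the following disclaimer in the
+documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+..
+.Dd $Mdocdate: June 17 2010 $
+.Dt SSH-COPY-ID 1
+.Os
+.Sh NAME
+.Nm ssh-copy-id
+.Nd use locally available keys to authorise logins on a remote machine
+.Sh SYNOPSIS
+.Nm
+.Op Fl n
+.Op Fl i Op Ar identity_file
+.Op Fl p Ar port
+.Op Fl o Ar ssh_option
+.Op Ar user Ns @ Ns
+.Ar hostname
+.Nm
+.Fl h | Fl ?
+.br
+.Sh DESCRIPTION
+.Nm
+is a script that uses
+.Xr ssh 1
+to log into a remote machine (presumably using a login password,
+so password authentication should be enabled, unless you've done some
+clever use of multiple identities). It assembles a list of one or more
+fingerprints (as described below) and tries to log in with each key, to
+see if any of them are already installed (of course, if you are not using
+.Xr ssh-agent 1
+this may result in you being repeatedly prompted for pass-phrases).
+It then assembles a list of those that failed to log in, and using ssh,
+enables logins with those keys on the remote server. By default it adds
+the keys by appending them to the remote user's
+.Pa ~/.ssh/authorized_keys
+(creating the file, and directory, if necessary). It is also capable
+of detecting if the remote system is a NetScreen, and using its
+.Ql set ssh pka-dsa key ...
+command instead.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl i Ar identity_file
+Use only the key(s) contained in
+.Ar identity_file
+(rather than looking for identities via
+.Xr ssh-add 1
+or in the
+.Ic default_ID_file ) .
+If the filename does not end in
+.Pa .pub
+this is added. If the filename is omitted, the
+.Ic default_ID_file
+is used.
+.Pp
+Note that this can be used to ensure that the keys copied have the
+comment one prefers and/or extra options applied, by ensuring that the
+key file has these set as preferred before the copy is attempted.
+.It Fl n
+do a dry-run. Instead of installing keys on the remote system simply
+prints the key(s) that would have been installed.
+.It Fl h , Fl ?
+Print Usage summary
+.It Fl p Ar port , Fl o Ar ssh_option
+These two options are simply passed through untouched, along with their
+argument, to allow one to set the port or other
+.Xr ssh 1
+options, respectively.
+.Pp
+Rather than specifying these as command line options, it is often better to use (per-host) settings in
+.Xr ssh 1 Ns 's
+configuration file:
+.Xr ssh_config 5 .
+.El
+.Pp
+Default behaviour without
+.Fl i ,
+is to check if
+.Ql ssh-add -L
+provides any output, and if so those keys are used. Note that this results in
+the comment on the key being the filename that was given to
+.Xr ssh-add 1
+when the key was loaded into your
+.Xr ssh-agent 1
+rather than the comment contained in that file, which is a bit of a shame.
+Otherwise, if
+.Xr ssh-add 1
+provides no keys contents of the
+.Ic default_ID_file
+will be used.
+.Pp
+The
+.Ic default_ID_file
+is the most recent file that matches:
+.Pa ~/.ssh/id*.pub ,
+(excluding those that match
+.Pa ~/.ssh/*-cert.pub )
+so if you create a key that is not the one you want
+.Nm
+to use, just use
+.Xr touch 1
+on your preferred key's
+.Pa .pub
+file to reinstate it as the most recent.
+.Pp
+.Sh EXAMPLES
+If you have already installed keys from one system on a lot of remote
+hosts, and you then create a new key, on a new client machine, say,
+it can be difficult to keep track of which systems on which you've
+installed the new key. One way of dealing with this is to load both
+the new key and old key(s) into your
+.Xr ssh-agent 1 .
+Load the new key first, without the
+.Fl c
+option, then load one or more old keys into the agent, possibly by
+ssh-ing to the client machine that has that old key, using the
+.Fl A
+option to allow agent forwarding:
+.Pp
+.D1 user@newclient$ ssh-add
+.D1 user@newclient$ ssh -A old.client
+.D1 user@oldl$ ssh-add -c
+.D1 No ... prompt for pass-phrase ...
+.D1 user@old$ logoff
+.D1 user@newclient$ ssh someserver
+.Pp
+now, if the new key is installed on the server, you'll be allowed in
+unprompted, whereas if you only have the old key(s) enabled, you'll be
+asked for confirmation, which is your cue to log back out and run
+.Pp
+.D1 user@newclient$ ssh-copy-id -i someserver
+.Pp
+The reason you might want to specify the -i option in this case is to
+ensure that the comment on the installed key is the one from the
+.Pa .pub
+file, rather than just the filename that was loaded into you agent.
+It also ensures that only the id you intended is installed, rather than
+all the keys that you have in your
+.Xr ssh-agent 1 .
+Of course, you can specify another id, or use the contents of the
+.Xr ssh-agent 1
+as you prefer.
+.Pp
+Having mentioned
+.Xr ssh-add 1 Ns 's
+.Fl c
+option, you might consider using this whenever using agent forwarding
+to avoid your key being hijacked, but it is much better to instead use
+.Xr ssh 1 Ns 's
+.Ar ProxyCommand
+and
+.Fl W
+option,
+to bounce through remote servers while always doing direct end-to-end
+authentication. This way the middle hop(s) don't get access to your
+.Xr ssh-agent 1 .
+A web search for
+.Ql ssh proxycommand nc
+should prove enlightening (N.B. the modern approach is to use the
+.Fl W
+option, rather than
+.Xr nc 1 ) .
+.Sh "SEE ALSO"
+.Xr ssh 1 ,
+.Xr ssh-agent 1 ,
+.Xr sshd 8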
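--- a/crypto/openssh/contrib/sshd.pam.freebsd
+++ b/crypto/openssh/contrib/sshd.pam.freebsd
@@ -0,0 +1,5 @@
+sshd auth required pam_unix.so try_first_pass
+sshd account required pam_unix.so
+sshd password required pam_permit.so
+sshd session required pam_permit.so
+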
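Review bot: The `password` stack is `sshd password required pam_permit.so`, so if sshd ever calls pam_chauthtok through this file (for example to handle an expired password), the change is reported as successful without any module actually updating the credential, and the account stays in the same state. FreeBSD's stock `/etc/pam.d/sshd` uses `password required pam_unix.so no_warn try_first_pass` for that stack, which I believe is what this sample is meant to mirror; if pam_permit is deliberate, a comment saying so (`# password changes are not handled via sshd`) would stop the next reader from treating it as an oversight.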
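--- a/crypto/openssh/contrib/sshd.pam.generic
+++ b/crypto/openssh/contrib/sshd.pam.generic
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth required /lib/security/pam_unix.so shadow nodelay
+account required /lib/security/pam_nologin.so
+account required /lib/security/pam_unix.so
+password required /lib/security/pam_cracklib.so
+password required /lib/security/pam_unix.so shadow nullok use_authtok
+session required /lib/security/pam_unix.so
+session required /lib/security/pam_limits.so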
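--- a/crypto/openssh/contrib/suse/openssh.spec
+++ b/crypto/openssh/contrib/suse/openssh.spec
@@ -0,0 +1,246 @@
+# Default values for additional components
+%define build_x11_askpass 1
+
+# Define the UID/GID to use for privilege separation
+%define sshd_gid 65
+%define sshd_uid 71
+
+# The version of x11-ssh-askpass to use
+%define xversion 1.2.4.1
+
+# Allow the ability to override defaults with -D skip_xxx=1
+%{?skip_x11_askpass:%define build_x11_askpass 0}
+
+Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
+Name: openssh
+Version: 6.3p1
+URL: http://www.openssh.com/
+Release: 1
+Source0: openssh-%{version}.tar.gz
+Source1: x11-ssh-askpass-%{xversion}.tar.gz
+License: BSD
+Group: Productivity/Networking/SSH
+BuildRoot: %{_tmppath}/openssh-%{version}-buildroot
+PreReq: openssl
+Obsoletes: ssh
+Provides: ssh
+#
+# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
+# building prerequisites -- stuff for
+# OpenSSL (openssl-devel),
+# TCP Wrappers (tcpd-devel),
+# and Gnome (glibdev, gtkdev, and gnlibsd)
+#
+BuildPrereq: openssl
+BuildPrereq: tcpd-devel
+BuildPrereq: zlib-devel
+#BuildPrereq: glibdev
+#BuildPrereq: gtkdev
+#BuildPrereq: gnlibsd
+
+%package askpass
+Summary: A passphrase dialog for OpenSSH and the X window System.
+Group: Productivity/Networking/SSH
+Requires: openssh = %{version}
+Obsoletes: ssh-extras
+Provides: openssh:${_libdir}/ssh/ssh-askpass
+
+%if %{build_x11_askpass}
+BuildPrereq: XFree86-devel
+%endif
+
+%description
+Ssh (Secure Shell) is a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package includes all files necessary for both the OpenSSH
+client and server.
+
+%description askpass
+Ssh (Secure Shell) is a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to seperate libraries (OpenSSL).
+
+This package contains an X Window System passphrase dialog for OpenSSH.
+
+%changelog
+* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
+- Removed accidental inclusion of --without-zlib-version-check
+* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
+- Overhaul to deal with newer versions of SuSE and OpenSSH
+* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
+- Glob manpages to catch compressed files
+* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
+- Made symlink to gnome-ssh-askpass called ssh-askpass
+* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
+- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
+/var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
+his released tarfile
+- Changed permissions on ssh_config in the install procedure to 644 from 600
+even though it was correct in the %files section and thus right in the RPMs
+- Postinstall script for the server now only prints "Generating SSH host
+key..." if we need to actually do this, in order to eliminate a confusing
+message if an SSH host key is already in place
+- Marked all manual pages as %doc(umentation)
+* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
+- Added flag to configure daemon with TCP Wrappers support
+- Added building prerequisites (works in RPM 3.0 and newer)
+* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
+- Made this package correct for SuSE.
+- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
+with SuSE, and lib_pwdb.so isn't installed by default.
+* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
+- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
+* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
+- Added 'Obsoletes' directives
+* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
+- Use make install
+- Subpackages
+* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
+- Added links for slogin
+- Fixed perms on manpages
+* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
+- Renamed init script
+* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
+- Back to old binary names
+* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
+- Use autoconf
+- New binary names
+* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
+- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
+
+%prep
+
+%if %{build_x11_askpass}
+%setup -q -a 1
+%else
+%setup -q
+%endif
+
+%build
+CFLAGS="$RPM_OPT_FLAGS" \
+%configure --prefix=/usr \
+--sysconfdir=%{_sysconfdir}/ssh \
+--mandir=%{_mandir} \
+--with-privsep-path=/var/lib/empty \
+--with-pam \
+--with-tcp-wrappers \
+--libexecdir=%{_libdir}/ssh
+make
+
+%if %{build_x11_askpass}
+cd x11-ssh-askpass-%{xversion}
+%configure --mandir=/usr/X11R6/man \
+--libexecdir=%{_libdir}/ssh
+xmkmf -a
+make
+cd ..
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT/
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/etc/init.d/
+install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
+install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
+install -m744 contrib/suse/sysconfig.ssh \
+$RPM_BUILD_ROOT/var/adm/fillup-templates
+
+%if %{build_x11_askpass}
+cd x11-ssh-askpass-%{xversion}
+make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
+rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
+%endif
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
+/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
+
+%post
+/usr/bin/ssh-keygen -A
+%{fillup_and_insserv -n -y ssh sshd}
+%run_permissions
+
+%verifyscript
+%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
+
+%preun
+%stop_on_removal sshd
+
+%postun
+%restart_on_update sshd
+%{insserv_cleanup}
+
+%files
+%defattr(-,root,root)
+%doc ChangeLog OVERVIEW README* PROTOCOL*
+%doc TODO CREDITS LICENCE
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/init.d/sshd
+%attr(0755,root,root) %{_bindir}/ssh-keygen
+%attr(0755,root,root) %{_bindir}/scp
+%attr(0755,root,root) %{_bindir}/ssh
+%attr(-,root,root) %{_bindir}/slogin
+%attr(0755,root,root) %{_bindir}/ssh-agent
+%attr(0755,root,root) %{_bindir}/ssh-add
+%attr(0755,root,root) %{_bindir}/ssh-keyscan
+%attr(0755,root,root) %{_bindir}/sftp
+%attr(0755,root,root) %{_sbindir}/sshd
+%attr(0755,root,root) %dir %{_libdir}/ssh
+%attr(0755,root,root) %{_libdir}/ssh/sftp-server
+%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
+%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
+%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
+%attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
+%attr(0644,root,root) %doc %{_mandir}/man5/moduli.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
+%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/ssh-pkcs11-helper.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
+
+%if %{build_x11_askpass}
+%files askpass
+%defattr(-,root,root)
+%doc x11-ssh-askpass-%{xversion}/README
+%doc x11-ssh-askpass-%{xversion}/ChangeLog
+%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
+%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
+%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
+%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
+%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
+%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
+%endif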
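Review bot: `%prep` unpacks `Source0` and `Source1` with no integrity check, so whatever tarball happens to be on the build host is compiled and packaged as-is; OpenSSH releases ship a detached signature, and adding it as `Source2: openssh-%{version}.tar.gz.asc` with a `gpg --verify %{SOURCE2} %{SOURCE0}` step (or the distribution's equivalent verification macro, if one exists for this SuSE generation) before `%setup` would tie the package to the upstream release. A smaller inconsistency: `%pre` creates the `sshd` user with `-d /var/lib/sshd`, while `%build` passes `--with-privsep-path=/var/lib/empty` and `%files` lists neither directory, so the privilege-separation directory is assumed to be provided by some other package; a `%dir %attr(0755,root,root) /var/lib/empty` entry would make the requirement explicit. `install -m744` for `sysconfig.ssh` also disagrees with the `%attr(0644,root,root)` given for the same file in `%files`; the latter wins in the built package, so the install mode can simply be 644.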
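--- a/crypto/openssh/contrib/suse/rc.config.sshd
+++ b/crypto/openssh/contrib/suse/rc.config.sshd
@@ -0,0 +1,5 @@
+#
+# Start the Secure Shell (SSH) Daemon?
+#
+START_SSHD="yes"
+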
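--- a/crypto/openssh/contrib/suse/rc.sshd
+++ b/crypto/openssh/contrib/suse/rc.sshd
@@ -0,0 +1,121 @@
+#! /bin/sh
+# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
+#
+# Author: Jiri Smid <feedback@suse.de>
+#
+# /etc/init.d/sshd
+#
+# and symbolic its link
+#
+# /usr/sbin/rcsshd
+#
+### BEGIN INIT INFO
+# Provides: sshd
+# Required-Start: $network $remote_fs
+# Required-Stop: $network $remote_fs
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Description: Start the sshd daemon
+### END INIT INFO
+
+SSHD_BIN=/usr/sbin/sshd
+test -x $SSHD_BIN || exit 5
+
+SSHD_SYSCONFIG=/etc/sysconfig/ssh
+test -r $SSHD_SYSCONFIG || exit 6
+. $SSHD_SYSCONFIG
+
+SSHD_PIDFILE=/var/run/sshd.init.pid
+
+. /etc/rc.status
+
+# Shell functions sourced from /etc/rc.status:
+# rc_check check and set local and overall rc status
+# rc_status check and set local and overall rc status
+# rc_status -v ditto but be verbose in local rc status
+# rc_status -v -r ditto and clear the local rc status
+# rc_failed set local and overall rc status to failed
+# rc_reset clear local rc status (overall remains)
+# rc_exit exit appropriate to overall rc status
+
+# First reset status of this service
+rc_reset
+
+case "$1" in
+start)
+# Generate any missing host keys
+ssh-keygen -A
+echo -n "Starting SSH daemon"
+## Start daemon with startproc(8). If this fails
+## the echo return value is set appropriate.
+
+startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE"
+
+# Remember status and be verbose
+rc_status -v
+;;
+stop)
+echo -n "Shutting down SSH daemon"
+## Stop daemon with killproc(8) and if this fails
+## set echo the echo return value.
+
+killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
+
+# Remember status and be verbose
+rc_status -v
+;;
+try-restart)
+## Stop the service and if this succeeds (i.e. the
+## service was running before), start it again.
+$0 status >/dev/null && $0 restart
+
+# Remember status and be quiet
+rc_status
+;;
+restart)
+## Stop the service and regardless of whether it was
+## running or not, start it again.
+$0 stop
+$0 start
+
+# Remember status and be quiet
+rc_status
+;;
+force-reload|reload)
+## Signal the daemon to reload its config. Most daemons
+## do this on signal 1 (SIGHUP).
+
+echo -n "Reload service sshd"
+
+killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
+
+rc_status -v
+
+;;
+status)
+echo -n "Checking for service sshd "
+## Check status with checkproc(8), if process is running
+## checkproc will return with exit status 0.
+
+# Status has a slightly different for the status command:
+# 0 - service running
+# 1 - service dead, but /var/run/ pid file exists
+# 2 - service dead, but /var/lock/ lock file exists
+# 3 - service not running
+
+checkproc -p $SSHD_PIDFILE $SSHD_BIN
+
+rc_status -v
+;;
+probe)
+## Optional: Probe for the necessity of a reload,
+## give out the argument which is required for a reload.
+
+test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
+;;
+*)
+echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+exit 1
+;;
+esac
+rc_exit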
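Review bot: In the `start)` branch `ssh-keygen -A` is looked up via `$PATH` and its exit status is discarded, whereas the rest of the script uses an absolute path (`SSHD_BIN=/usr/sbin/sshd`) and the spec's `%post` in this same commit calls `/usr/bin/ssh-keygen -A`; under a minimal init-time PATH the lookup can fail, and sshd is then started without host keys, which surfaces only as an opaque startproc failure. Changing it to `/usr/bin/ssh-keygen -A || { rc_failed; rc_status -v; rc_exit; }` keeps the path absolute and reports a key-generation failure through the rc_status machinery the script already sources. Whether `rc_failed` before `startproc` is the right reporting idiom depends on /etc/rc.status, which is outside this hunk, so the exact form should be checked against it.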
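--- a/crypto/openssh/contrib/suse/sysconfig.ssh
+++ b/crypto/openssh/contrib/suse/sysconfig.ssh
@@ -0,0 +1,9 @@
+## Path: Network/Remote access/SSH
+## Description: SSH server settings
+## Type: string
+## Default: ""
+## ServiceRestart: sshd
+#
+# Options for sshd
+#
+SSHD_OPTS=""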
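--- a/crypto/openssh/install-sh
+++ b/crypto/openssh/install-sh
@@ -0,0 +1,251 @@
+#!/bin/sh
+#
+# install - install a program, script, or datafile
+# This comes from X11R5 (mit/util/scripts/install.sh).
+#
+# Copyright 1991 by the Massachusetts Institute of Technology
+#
+# Permission to use, copy, modify, distribute, and sell this software and its
+# documentation for any purpose is hereby granted without fee, provided that
+# the above copyright notice appear in all copies and that both that
+# copyright notice and this permission notice appear in supporting
+# documentation, and that the name of M.I.T. not be used in advertising or
+# publicity pertaining to distribution of the software without specific,
+# written prior permission. M.I.T. makes no representations about the
+# suitability of this software for any purpose. It is provided "as is"
+# without express or implied warranty.
+#
+# Calling this script install-sh is preferred over install.sh, to prevent
+# `make' implicit rules from creating a file called install from it
+# when there is no Makefile.
+#
+# This script is compatible with the BSD install script, but was written
+# from scratch. It can only install one file at a time, a restriction
+# shared with many OS's install programs.
+
+
+# set DOITPROG to echo to test this script
+
+# Don't use :- since 4.3BSD and earlier shells don't like it.
+doit="${DOITPROG-}"
+
+
+# put in absolute paths if you don't have them in your path; or use env. vars.
+
+mvprog="${MVPROG-mv}"
+cpprog="${CPPROG-cp}"
+chmodprog="${CHMODPROG-chmod}"
+chownprog="${CHOWNPROG-chown}"
+chgrpprog="${CHGRPPROG-chgrp}"
+stripprog="${STRIPPROG-strip}"
+rmprog="${RMPROG-rm}"
+mkdirprog="${MKDIRPROG-mkdir}"
+
+transformbasename=""
+transform_arg=""
+instcmd="$mvprog"
+chmodcmd="$chmodprog 0755"
+chowncmd=""
+chgrpcmd=""
+stripcmd=""
+rmcmd="$rmprog -f"
+mvcmd="$mvprog"
+src=""
+dst=""
+dir_arg=""
+
+while [ x"$1" != x ]; do
+case $1 in
+-c) instcmd="$cpprog"
+shift
+continue;;
+
+-d) dir_arg=true
+shift
+continue;;
+
+-m) chmodcmd="$chmodprog $2"
+shift
+shift
+continue;;
+
+-o) chowncmd="$chownprog $2"
+shift
+shift
+continue;;
+
+-g) chgrpcmd="$chgrpprog $2"
+shift
+shift
+continue;;
+
+-s) stripcmd="$stripprog"
+shift
+continue;;
+
+-t=*) transformarg=`echo $1 | sed 's/-t=//'`
+shift
+continue;;
+
+-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
+shift
+continue;;
+
+*) if [ x"$src" = x ]
+then
+src=$1
+else
+# this colon is to work around a 386BSD /bin/sh bug
+:
+dst=$1
+fi
+shift
+continue;;
+esac
+done
+
+if [ x"$src" = x ]
+then
+echo "install: no input file specified"
+exit 1
+else
+true
+fi
+
+if [ x"$dir_arg" != x ]; then
+dst=$src
+src=""
+
+if [ -d $dst ]; then
+instcmd=:
+chmodcmd=""
+else
+instcmd=mkdir
+fi
+else
+
+# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
+# might cause directories to be created, which would be especially bad
+# if $src (and thus $dsttmp) contains '*'.
+
+if [ -f $src -o -d $src ]
+then
+true
+else
+echo "install: $src does not exist"
+exit 1
+fi
+
+if [ x"$dst" = x ]
+then
+echo "install: no destination specified"
+exit 1
+else
+true
+fi
+
+# If destination is a directory, append the input filename; if your system
+# does not like double slashes in filenames, you may need to add some logic
+
+if [ -d $dst ]
+then
+dst="$dst"/`basename $src`
+else
+true
+fi
+fi
+
+## this sed command emulates the dirname command
+dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
+
+# Make sure that the destination directory exists.
+# this part is taken from Noah Friedman's mkinstalldirs script
+
+# Skip lots of stat calls in the usual case.
+if [ ! -d "$dstdir" ]; then
+defaultIFS='
+'
+IFS="${IFS-${defaultIFS}}"
+
+oIFS="${IFS}"
+# Some sh's can't handle IFS=/ for some reason.
+IFS='%'
+set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
+IFS="${oIFS}"
+
+pathcomp=''
+
+while [ $# -ne 0 ] ; do
+pathcomp="${pathcomp}${1}"
+shift
+
+if [ ! -d "${pathcomp}" ] ;
+then
+$mkdirprog "${pathcomp}"
+else
+true
+fi
+
+pathcomp="${pathcomp}/"
+done
+fi
+
+if [ x"$dir_arg" != x ]
+then
+$doit $instcmd $dst &&
+
+if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
+if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
+if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
+if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
+else
+
+# If we're going to rename the final executable, determine the name now.
+
+if [ x"$transformarg" = x ]
+then
+dstfile=`basename $dst`
+else
+dstfile=`basename $dst $transformbasename |
+sed $transformarg`$transformbasename
+fi
+
+# don't allow the sed command to completely eliminate the filename
+
+if [ x"$dstfile" = x ]
+then
+dstfile=`basename $dst`
+else
+true
+fi
+
+# Make a temp file name in the proper directory.
+
+dsttmp=$dstdir/#inst.$$#
+
+# Move or copy the file name to the temp name
+
+$doit $instcmd $src $dsttmp &&
+
+trap "rm -f ${dsttmp}" 0 &&
+
+# and set any options; do chmod last to preserve setuid bits
+
+# If any of these fail, we abort the whole thing. If we want to
+# ignore errors from any of these, just make sure not to ignore
+# errors from the above "$doit $instcmd $src $dsttmp" command.
+
+if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
+if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
+if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
+if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
+
+# Now rename the file to the real destination.
+
+$doit $rmcmd -f $dstdir/$dstfile &&
+$doit $mvcmd $dsttmp $dstdir/$dstfile
+
+fi &&
+
+
+exit 0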
370
crypto/openssh/mdoc2man.awk
Normal file
370
crypto/openssh/mdoc2man.awk
Normal file
|
@ -0,0 +1,370 @@
|
||||||
|
#!/usr/bin/awk
|
||||||
|
#
|
||||||
|
# $Id: mdoc2man.awk,v 1.9 2009/10/24 00:52:42 dtucker Exp $
|
||||||
|
#
|
||||||
|
# Version history:
|
||||||
|
# v4+ Adapted for OpenSSH Portable (see cvs Id and history)
|
||||||
|
# v3, I put the program under a proper license
|
||||||
|
# Dan Nelson <dnelson@allantgroup.com> added .An, .Aq and fixed a typo
|
||||||
|
# v2, fixed to work on GNU awk --posix and MacOS X
|
||||||
|
# v1, first attempt, didn't work on MacOS X
|
||||||
|
#
|
||||||
|
# Copyright (c) 2003 Peter Stuge <stuge-mdoc2man@cdy.org>
|
||||||
|
#
|
||||||
|
# Permission to use, copy, modify, and distribute this software for any
|
||||||
|
# purpose with or without fee is hereby granted, provided that the above
|
||||||
|
# copyright notice and this permission notice appear in all copies.
|
||||||
|
#
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||||
|
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||||
|
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||||
|
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||||
|
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||||
|
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||||
|
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||||
|
|
||||||
|
|
||||||
|
BEGIN {
|
||||||
|
optlist=0
|
||||||
|
oldoptlist=0
|
||||||
|
nospace=0
|
||||||
|
synopsis=0
|
||||||
|
reference=0
|
||||||
|
block=0
|
||||||
|
ext=0
|
||||||
|
extopt=0
|
||||||
|
literal=0
|
||||||
|
prenl=0
|
||||||
|
breakw=0
|
||||||
|
line=""
|
||||||
|
}
|
||||||
|
|
||||||
|
function wtail() {
|
||||||
|
retval=""
|
||||||
|
while(w<nwords) {
|
||||||
|
if(length(retval))
|
||||||
|
retval=retval OFS
|
||||||
|
retval=retval words[++w]
|
||||||
|
}
|
||||||
|
return retval
|
||||||
|
}
|
||||||
|
|
||||||
|
function add(str) {
|
||||||
|
for(;prenl;prenl--)
|
||||||
|
line=line "\n"
|
||||||
|
line=line str
|
||||||
|
}
|
||||||
|
|
||||||
|
! /^\./ {
|
||||||
|
for(;prenl;prenl--)
|
||||||
|
print ""
|
||||||
|
print
|
||||||
|
if(literal)
|
||||||
|
print ".br"
|
||||||
|
next
|
||||||
|
}
|
||||||
|
|
||||||
|
/^\.\\"/ { next }
|
||||||
|
|
||||||
|
{
|
||||||
|
option=0
|
||||||
|
parens=0
|
||||||
|
angles=0
|
||||||
|
sub("^\\.","")
|
||||||
|
nwords=split($0,words)
|
||||||
|
for(w=1;w<=nwords;w++) {
|
||||||
|
skip=0
|
||||||
|
if(match(words[w],"^Li|Pf$")) {
|
||||||
|
skip=1
|
||||||
|
} else if(match(words[w],"^Xo$")) {
|
||||||
|
skip=1
|
||||||
|
ext=1
|
||||||
|
if(length(line)&&!(match(line," $")||prenl))
|
||||||
|
add(OFS)
|
||||||
|
} else if(match(words[w],"^Xc$")) {
|
||||||
|
skip=1
|
||||||
|
ext=0
|
||||||
|
if(!extopt)
|
||||||
|
prenl++
|
||||||
|
w=nwords
|
||||||
|
} else if(match(words[w],"^Bd$")) {
|
||||||
|
skip=1
|
||||||
|
if(match(words[w+1],"-literal")) {
|
||||||
|
literal=1
|
||||||
|
prenl++
|
||||||
|
w=nwords
|
||||||
|
}
|
||||||
|
} else if(match(words[w],"^Ed$")) {
|
||||||
|
skip=1
|
||||||
|
literal=0
|
||||||
|
} else if(match(words[w],"^Ns$")) {
|
||||||
|
skip=1
|
||||||
|
if(!nospace)
|
||||||
|
nospace=1
|
||||||
|
sub(" $","",line)
|
||||||
|
} else if(match(words[w],"^No$")) {
|
||||||
|
skip=1
|
||||||
|
sub(" $","",line)
|
||||||
|
add(words[++w])
|
||||||
|
} else if(match(words[w],"^Dq$")) {
|
||||||
|
skip=1
|
||||||
|
add("``")
|
||||||
|
add(words[++w])
|
||||||
|
while(w<nwords&&!match(words[w+1],"^[\\.,]"))
|
||||||
|
add(OFS words[++w])
|
||||||
|
add("''")
|
||||||
|
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||||
|
nospace=1
|
||||||
|
} else if(match(words[w],"^Sq|Ql$")) {
|
||||||
|
skip=1
|
||||||
|
add("`" words[++w] "'")
|
||||||
|
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||||
|
nospace=1
|
||||||
|
} else if(match(words[w],"^Oo$")) {
|
||||||
|
skip=1
|
||||||
|
extopt=1
|
||||||
|
if(!nospace)
|
||||||
|
nospace=1
|
||||||
|
add("[")
|
||||||
|
} else if(match(words[w],"^Oc$")) {
|
||||||
|
skip=1
|
||||||
|
extopt=0
|
||||||
|
add("]")
|
||||||
|
}
|
||||||
|
if(!skip) {
|
||||||
|
if(!nospace&&length(line)&&!(match(line," $")||prenl))
|
||||||
|
add(OFS)
|
||||||
|
if(nospace==1)
|
||||||
|
nospace=0
|
||||||
|
}
|
||||||
|
if(match(words[w],"^Dd$")) {
|
||||||
|
if(match(words[w+1],"^\\$Mdocdate:")) {
|
||||||
|
w++;
|
||||||
|
if(match(words[w+4],"^\\$$")) {
|
||||||
|
words[w+4] = ""
|
||||||
|
}
|
||||||
|
}
|
||||||
|
date=wtail()
|
||||||
|
next
|
||||||
|
} else if(match(words[w],"^Dt$")) {
|
||||||
|
id=wtail()
|
||||||
|
next
|
||||||
|
} else if(match(words[w],"^Ux$")) {
|
||||||
|
add("UNIX")
|
||||||
|
skip=1
|
||||||
|
} else if(match(words[w],"^Ox$")) {
|
||||||
|
add("OpenBSD")
|
||||||
|
skip=1
|
||||||
|
} else if(match(words[w],"^Os$")) {
|
||||||
|
add(".TH " id " \"" date "\" \"" wtail() "\"")
|
||||||
|
} else if(match(words[w],"^Sh$")) {
|
||||||
|
add(".SH")
|
||||||
|
synopsis=match(words[w+1],"SYNOPSIS")
|
||||||
|
} else if(match(words[w],"^Xr$")) {
|
||||||
|
add("\\fB" words[++w] "\\fP(" words[++w] ")" words[++w])
|
||||||
|
} else if(match(words[w],"^Rs$")) {
|
||||||
|
split("",refauthors)
|
||||||
|
nrefauthors=0
|
||||||
|
reftitle=""
|
||||||
|
refissue=""
|
||||||
|
refdate=""
|
||||||
|
refopt=""
|
||||||
|
refreport=""
|
||||||
|
reference=1
|
||||||
|
next
|
||||||
|
} else if(match(words[w],"^Re$")) {
|
||||||
|
prenl++
|
||||||
|
for(i=nrefauthors-1;i>0;i--) {
|
||||||
|
add(refauthors[i])
|
||||||
|
if(i>1)
|
||||||
|
add(", ")
|
||||||
|
}
|
||||||
|
if(nrefauthors>1)
|
||||||
|
add(" and ")
|
||||||
|
if(nrefauthors>0)
|
||||||
|
add(refauthors[0] ", ")
|
||||||
|
add("\\fI" reftitle "\\fP")
|
||||||
|
if(length(refissue))
|
||||||
|
add(", " refissue)
|
||||||
|
if(length(refreport)) {
|
||||||
|
add(", " refreport)
|
||||||
|
}
|
||||||
|
if(length(refdate))
|
||||||
|
add(", " refdate)
|
||||||
|
if(length(refopt))
|
||||||
|
add(", " refopt)
|
||||||
|
add(".")
|
||||||
|
reference=0
|
||||||
|
} else if(reference) {
|
||||||
|
if(match(words[w],"^%A$")) { refauthors[nrefauthors++]=wtail() }
|
||||||
|
if(match(words[w],"^%T$")) {
|
||||||
|
reftitle=wtail()
|
||||||
|
sub("^\"","",reftitle)
|
||||||
|
sub("\"$","",reftitle)
|
||||||
|
}
|
||||||
|
if(match(words[w],"^%N$")) { refissue=wtail() }
|
||||||
|
if(match(words[w],"^%D$")) { refdate=wtail() }
|
||||||
|
if(match(words[w],"^%O$")) { refopt=wtail() }
|
||||||
|
if(match(words[w],"^%R$")) { refreport=wtail() }
|
||||||
|
} else if(match(words[w],"^Nm$")) {
|
||||||
|
if(synopsis) {
|
||||||
|
add(".br")
|
||||||
|
prenl++
|
||||||
|
}
|
||||||
|
n=words[++w]
|
||||||
|
if(!length(name))
|
||||||
|
name=n
|
||||||
|
if(!length(n))
|
||||||
|
n=name
|
||||||
|
add("\\fB" n "\\fP")
|
||||||
|
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||||
|
nospace=1
|
||||||
|
} else if(match(words[w],"^Nd$")) {
|
||||||
|
add("\\- " wtail())
|
||||||
|
} else if(match(words[w],"^Fl$")) {
|
||||||
|
add("\\fB\\-" words[++w] "\\fP")
|
||||||
|
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||||
|
nospace=1
|
||||||
|
} else if(match(words[w],"^Ar$")) {
|
||||||
|
add("\\fI")
|
||||||
|
if(w==nwords)
|
||||||
|
add("file ...\\fP")
|
||||||
|
else {
|
||||||
|
add(words[++w] "\\fP")
|
||||||
|
while(match(words[w+1],"^\\|$"))
|
||||||
|
add(OFS words[++w] " \\fI" words[++w] "\\fP")
|
||||||
|
}
|
||||||
|
if(!nospace&&match(words[w+1],"^[\\.,]"))
|
||||||
|
nospace=1
|
||||||
|
} else if(match(words[w],"^Cm$")) {
|
||||||
|
add("\\fB" words[++w] "\\fP")
|
||||||
|
while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
|
||||||
|
add(words[++w])
|
||||||
|
} else if(match(words[w],"^Op$")) {
|
||||||
|
option=1
|
||||||
|
if(!nospace)
|
||||||
|
nospace=1
|
||||||
|
add("[")
|
||||||
|
} else if(match(words[w],"^Pp$")) {
|
||||||
|
prenl++
|
||||||
|
} else if(match(words[w],"^An$")) {
|
||||||
|
prenl++
|
||||||
|
} else if(match(words[w],"^Ss$")) {
|
||||||
|
add(".SS")
|
||||||
|
} else if(match(words[w],"^Pa$")&&!option) {
|
||||||
|
add("\\fI")
|
||||||
|
w++
|
||||||
|
if(match(words[w],"^\\."))
|
||||||
|
add("\\&")
|
||||||
|
add(words[w] "\\fP")
|
||||||
|
while(w<nwords&&match(words[w+1],"^[\\.,:;)]"))
|
||||||
|
add(words[++w])
|
||||||
|
} else if(match(words[w],"^Dv$")) {
|
||||||
|
add(".BR")
|
||||||
|
} else if(match(words[w],"^Em|Ev$")) {
|
||||||
|
add(".IR")
|
||||||
|
} else if(match(words[w],"^Pq$")) {
|
||||||
|
add("(")
|
||||||
|
nospace=1
|
||||||
|
parens=1
|
||||||
|
} else if(match(words[w],"^Aq$")) {
|
||||||
|
add("<")
|
||||||
|
nospace=1
|
||||||
|
angles=1
|
||||||
|
} else if(match(words[w],"^S[xy]$")) {
|
||||||
|
add(".B " wtail())
|
||||||
|
} else if(match(words[w],"^Ic$")) {
|
||||||
|
plain=1
|
||||||
|
add("\\fB")
|
||||||
|
while(w<nwords) {
|
||||||
|
w++
|
||||||
|
if(match(words[w],"^Op$")) {
|
||||||
|
w++
|
||||||
|
add("[")
|
||||||
|
words[nwords]=words[nwords] "]"
|
||||||
|
}
|
||||||
|
if(match(words[w],"^Ar$")) {
|
||||||
|
add("\\fI" words[++w] "\\fP")
|
||||||
|
} else if(match(words[w],"^[\\.,]")) {
|
||||||
|
sub(" $","",line)
|
||||||
|
if(plain) {
|
||||||
|
add("\\fP")
|
||||||
|
plain=0
|
||||||
|
}
|
||||||
|
add(words[w])
|
||||||
|
} else {
|
||||||
|
if(!plain) {
|
||||||
|
add("\\fB")
|
||||||
|
plain=1
|
||||||
|
}
|
||||||
|
add(words[w])
|
||||||
|
}
|
||||||
|
if(!nospace)
|
||||||
|
add(OFS)
|
||||||
|
}
|
||||||
|
sub(" $","",line)
|
||||||
|
if(plain)
|
||||||
|
add("\\fP")
|
||||||
|
} else if(match(words[w],"^Bl$")) {
|
||||||
|
oldoptlist=optlist
|
||||||
|
if(match(words[w+1],"-bullet"))
|
||||||
|
optlist=1
|
||||||
|
else if(match(words[w+1],"-enum")) {
|
||||||
|
optlist=2
|
||||||
|
enum=0
|
||||||
|
} else if(match(words[w+1],"-tag"))
|
||||||
|
optlist=3
|
||||||
|
else if(match(words[w+1],"-item"))
|
||||||
|
optlist=4
|
||||||
|
else if(match(words[w+1],"-bullet"))
|
||||||
|
optlist=1
|
||||||
|
w=nwords
|
||||||
|
} else if(match(words[w],"^El$")) {
|
||||||
|
optlist=oldoptlist
|
||||||
|
} else if(match(words[w],"^Bk$")) {
|
||||||
|
if(match(words[w+1],"-words")) {
|
||||||
|
w++
|
||||||
|
breakw=1
|
||||||
|
}
|
||||||
|
} else if(match(words[w],"^Ek$")) {
|
||||||
|
breakw=0
|
||||||
|
} else if(match(words[w],"^It$")&&optlist) {
|
||||||
|
if(optlist==1)
|
||||||
|
add(".IP \\(bu")
|
||||||
|
else if(optlist==2)
|
||||||
|
add(".IP " ++enum ".")
|
||||||
|
else if(optlist==3) {
|
||||||
|
add(".TP")
|
||||||
|
prenl++
|
||||||
|
if(match(words[w+1],"^Pa$|^Ev$")) {
|
||||||
|
add(".B")
|
||||||
|
w++
|
||||||
|
}
|
||||||
|
} else if(optlist==4)
|
||||||
|
add(".IP")
|
||||||
|
} else if(match(words[w],"^Sm$")) {
|
||||||
|
if(match(words[w+1],"off"))
|
||||||
|
nospace=2
|
||||||
|
else if(match(words[w+1],"on"))
|
||||||
|
nospace=0
|
||||||
|
w++
|
||||||
|
} else if(!skip) {
|
||||||
|
add(words[w])
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if(match(line,"^\\.[^a-zA-Z]"))
|
||||||
|
sub("^\\.","",line)
|
||||||
|
if(parens)
|
||||||
|
add(")")
|
||||||
|
if(angles)
|
||||||
|
add(">")
|
||||||
|
if(option)
|
||||||
|
add("]")
|
||||||
|
if(ext&&!extopt&&!match(line," $"))
|
||||||
|
add(OFS)
|
||||||
|
if(!ext&&!extopt&&length(line)) {
|
||||||
|
print line
|
||||||
|
prenl=0
|
||||||
|
line=""
|
||||||
|
}
|
||||||
|
}
|
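--- a/crypto/openssh/moduli.0
+++ b/crypto/openssh/moduli.0
@@ -0,0 +1,74 @@
+MODULI(5) OpenBSD Programmer's Manual MODULI(5)
+
+NAME
+moduli - Diffie-Hellman moduli
+
+DESCRIPTION
+The /etc/moduli file contains prime numbers and generators for use by
+sshd(8) in the Diffie-Hellman Group Exchange key exchange method.
+
+New moduli may be generated with ssh-keygen(1) using a two-step process.
+An initial candidate generation pass, using ssh-keygen -G, calculates
+numbers that are likely to be useful. A second primality testing pass,
+using ssh-keygen -T, provides a high degree of assurance that the numbers
+are prime and are safe for use in Diffie-Hellman operations by sshd(8).
+This moduli format is used as the output from each pass.
+
+The file consists of newline-separated records, one per modulus,
+containing seven space-separated fields. These fields are as follows:
+
+timestamp The time that the modulus was last processed as
+YYYYMMDDHHMMSS.
+
+type Decimal number specifying the internal structure of
+the prime modulus. Supported types are:
+
+0 Unknown, not tested.
+2 "Safe" prime; (p-1)/2 is also prime.
+4 Sophie Germain; 2p+1 is also prime.
+
+Moduli candidates initially produced by ssh-keygen(1)
+are Sophie Germain primes (type 4). Further primality
+testing with ssh-keygen(1) produces safe prime moduli
+(type 2) that are ready for use in sshd(8). Other
+types are not used by OpenSSH.
+
+tests Decimal number indicating the type of primality tests
+that the number has been subjected to represented as a
+bitmask of the following values:
+
+0x00 Not tested.
+0x01 Composite number - not prime.
+0x02 Sieve of Eratosthenes.
+0x04 Probabilistic Miller-Rabin primality tests.
+
+The ssh-keygen(1) moduli candidate generation uses the
+Sieve of Eratosthenes (flag 0x02). Subsequent
+ssh-keygen(1) primality tests are Miller-Rabin tests
+(flag 0x04).
+
+trials Decimal number indicating the number of primality
+trials that have been performed on the modulus.
+
+size Decimal number indicating the size of the prime in
+bits.
+
+generator The recommended generator for use with this modulus
+(hexadecimal).
+
+modulus The modulus itself in hexadecimal.
+
+When performing Diffie-Hellman Group Exchange, sshd(8) first estimates
+the size of the modulus required to produce enough Diffie-Hellman output
+to sufficiently key the selected symmetric cipher. sshd(8) then randomly
+selects a modulus from /etc/moduli that best meets the size requirement.
+
+SEE ALSO
+ssh-keygen(1), sshd(8)
+
+STANDARDS
+M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for
+the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
+2006.
+
+OpenBSD 5.4 September 26, 2012 OpenBSD 5.4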
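--- a/crypto/openssh/nchan.ms
+++ b/crypto/openssh/nchan.ms
@@ -0,0 +1,99 @@
+.\" $OpenBSD: nchan.ms,v 1.8 2003/11/21 11:57:03 djm Exp $
+.\"
+.\"
+.\" Copyright (c) 1999 Markus Friedl. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.TL
+OpenSSH Channel Close Protocol 1.5 Implementation
+.SH
+Channel Input State Diagram
+.PS
+reset
+l=1
+s=1.2
+ellipsewid=s*ellipsewid
+boxwid=s*boxwid
+ellipseht=s*ellipseht
+S1: ellipse "INPUT" "OPEN"
+move right 2*l from last ellipse.e
+S4: ellipse "INPUT" "CLOSED"
+move down l from last ellipse.s
+S3: ellipse "INPUT" "WAIT" "OCLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "INPUT" "WAIT" "DRAIN"
+arrow "" "rcvd OCLOSE/" "shutdown_read" "send IEOF" from S1.e to S4.w
+arrow "ibuf_empty/" "send IEOF" from S2.e to S3.w
+arrow from S1.s to S2.n
+box invis "read_failed/" "shutdown_read" with .e at last arrow.c
+arrow from S3.n to S4.s
+box invis "rcvd OCLOSE/" "-" with .w at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+arrow from S2.ne to S4.sw
+box invis "rcvd OCLOSE/ " with .e at last arrow.c
+box invis " send IEOF" with .w at last arrow.c
+.PE
+.SH
+Channel Output State Diagram
+.PS
+S1: ellipse "OUTPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse "OUTPUT" "WAIT" "IEOF"
+move down l from last ellipse.s
+S4: ellipse "OUTPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "OUTPUT" "WAIT" "DRAIN"
+arrow "" "write_failed/" "shutdown_write" "send OCLOSE" from S1.e to S3.w
+arrow "obuf_empty ||" "write_failed/" "shutdown_write" "send OCLOSE" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "rcvd IEOF/" "-" with .e at last arrow.c
+arrow from S3.s to S4.n
+box invis "rcvd IEOF/" "-" with .w at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Notes
+.PP
+The input buffer is filled with data from the socket
+(the socket represents the local consumer/producer of the
+forwarded channel).
+The data is then sent over the INPUT-end (transmit-end) of the channel to the
+remote peer.
+Data sent by the peer is received on the OUTPUT-end (receive-end),
+saved in the output buffer and written to the socket.
+.PP
+If the local protocol instance has forwarded all data on the
+INPUT-end of the channel, it sends an IEOF message to the peer.
+If the peer receives the IEOF and has consumed all
+data he replies with an OCLOSE.
+When the local instance receives the OCLOSE
+he considers the INPUT-half of the channel closed.
+The peer has his OUTOUT-half closed.
+.PP
+A channel can be deallocated by a protocol instance
+if both the INPUT- and the OUTOUT-half on his
+side of the channel are closed.
+Note that when an instance is unable to consume the
+received data, he is permitted to send an OCLOSE
+before the matching IEOF is received.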
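--- a/crypto/openssh/nchan2.ms
+++ b/crypto/openssh/nchan2.ms
@@ -0,0 +1,88 @@
+.\" $OpenBSD: nchan2.ms,v 1.4 2008/05/15 23:52:24 djm Exp $
+.\"
+.\" Copyright (c) 2000 Markus Friedl. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.TL
+OpenSSH Channel Close Protocol 2.0 Implementation
+.SH
+Channel Input State Diagram
+.PS
+reset
+l=1
+s=1.2
+ellipsewid=s*ellipsewid
+boxwid=s*boxwid
+ellipseht=s*ellipseht
+S1: ellipse "INPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse invis
+move down l from last ellipse.s
+S4: ellipse "INPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "INPUT" "WAIT" "DRAIN"
+arrow from S1.e to S4.n
+box invis "rcvd CLOSE/" "shutdown_read" with .sw at last arrow.c
+arrow "ibuf_empty ||" "rcvd CLOSE/" "send EOF" "" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "read_failed ||" "rcvd EOW/" "shutdown_read" with .e at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Channel Output State Diagram
+.PS
+S1: ellipse "OUTPUT" "OPEN"
+move right 2*l from last ellipse.e
+S3: ellipse invis
+move down l from last ellipse.s
+S4: ellipse "OUTPUT" "CLOSED"
+move down l from 1st ellipse.s
+S2: ellipse "OUTPUT" "WAIT" "DRAIN"
+arrow from S1.e to S4.n
+box invis "write_failed/" "shutdown_write" "send EOW" with .sw at last arrow.c
+arrow "obuf_empty ||" "write_failed/" "shutdown_write" "" from S2.e to S4.w
+arrow from S1.s to S2.n
+box invis "rcvd EOF ||" "rcvd CLOSE/" "-" with .e at last arrow.c
+ellipse wid .9*ellipsewid ht .9*ellipseht at S4
+arrow "start" "" from S1.w+(-0.5,0) to S1.w
+.PE
+.SH
+Notes
+.PP
+The input buffer is filled with data from the socket
+(the socket represents the local consumer/producer of the
+forwarded channel).
+The data is then sent over the INPUT-end (transmit-end) of the channel to the
+remote peer.
+Data sent by the peer is received on the OUTPUT-end (receive-end),
+saved in the output buffer and written to the socket.
+.PP
+If the local protocol instance has forwarded all data on the
+INPUT-end of the channel, it sends an EOF message to the peer.
+.PP
+A CLOSE message is sent to the peer if
+both the INPUT- and the OUTOUT-half of the local
+end of the channel are closed.
+.PP
+The channel can be deallocated by a protocol instance
+if a CLOSE message he been both sent and received.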
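--- a/crypto/openssh/openbsd-compat/Makefile.in
+++ b/crypto/openssh/openbsd-compat/Makefile.in
@@ -0,0 +1,42 @@
+# $Id: Makefile.in,v 1.51 2013/05/10 06:28:56 dtucker Exp $
+
+sysconfdir=@sysconfdir@
+piddir=@piddir@
+srcdir=@srcdir@
+top_srcdir=@top_srcdir@
+
+VPATH=@srcdir@
+CC=@CC@
+LD=@LD@
+CFLAGS=@CFLAGS@
+CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+LIBS=@LIBS@
+AR=@AR@
+RANLIB=@RANLIB@
+INSTALL=@INSTALL@
+LDFLAGS=-L. @LDFLAGS@
+
+OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o
+
+COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+
+PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
+
+.c.o:
+$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+
+all: libopenbsd-compat.a
+
+$(COMPAT): ../config.h
+$(OPENBSD): ../config.h
+$(PORTS): ../config.h
+
+libopenbsd-compat.a: $(COMPAT) $(OPENBSD) $(PORTS)
+$(AR) rv $@ $(COMPAT) $(OPENBSD) $(PORTS)
+$(RANLIB) $@
+
+clean:
+rm -f *.o *.a core
+
+distclean: clean
+rm -f Makefile *~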
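Review bot: `all`, `clean` and `distclean` are not declared phony, so a stray file named `clean` or `all` in the build directory silently turns those targets into no-ops; add `.PHONY: all clean distclean` next to the `all:` rule. The same omission applies to `all`, `t-exec`, `clean` and `distclean` in openbsd-compat/regress/Makefile.in, where it matters more: `t-exec`'s recipe loops over `$?`, so a leftover file named `t-exec` would shrink the newer-prerequisites list and skip test programs without any failure being reported. The `.c.o:` suffix rule and `=` assignments look deliberate for a portable autoconf template, so I would leave those as they are.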
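--- a/crypto/openssh/openbsd-compat/regress/Makefile.in
+++ b/crypto/openssh/openbsd-compat/regress/Makefile.in
@@ -0,0 +1,38 @@
+# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
+
+sysconfdir=@sysconfdir@
+piddir=@piddir@
+srcdir=@srcdir@
+top_srcdir=@top_srcdir@
+
+VPATH=@srcdir@
+CC=@CC@
+LD=@LD@
+CFLAGS=@CFLAGS@
+CPPFLAGS=-I. -I.. -I$(srcdir) -I$(srcdir)/.. @CPPFLAGS@ @DEFS@
+EXEEXT=@EXEEXT@
+LIBCOMPAT=../libopenbsd-compat.a
+LIBS=@LIBS@
+LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
+
+TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
+strtonumtest$(EXEEXT)
+
+all: t-exec ${OTHERTESTS}
+
+%$(EXEEXT): %.c
+$(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
+
+t-exec: $(TESTPROGS)
+@echo running compat regress tests
+@for TEST in ""$?; do \
+echo "run test $${TEST}" ... 1>&2; \
+./$${TEST}$(EXEEXT) || exit $$? ; \
+done
+@echo finished compat regress tests
+
+clean:
+rm -f *.o *.a core $(TESTPROGS) valid.out
+
+distclean: clean
+rm -f Makefile *~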
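--- a/crypto/openssh/openbsd-compat/regress/closefromtest.c
+++ b/crypto/openssh/openbsd-compat/regress/closefromtest.c
@@ -0,0 +1,63 @@
+/*
+* Copyright (c) 2006 Darren Tucker
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#define NUM_OPENS 10
+
+int closefrom(int);
+
+void
+fail(char *msg)
+{
+fprintf(stderr, "closefrom: %s\n", msg);
+exit(1);
+}
+
+int
+main(void)
+{
+int i, max, fds[NUM_OPENS];
+char buf[512];
+
+for (i = 0; i < NUM_OPENS; i++)
+if ((fds[i] = open("/dev/null", O_RDONLY)) == -1)
+exit(0); /* can't test */
+max = i - 1;
+
+/* should close last fd only */
+closefrom(fds[max]);
+if (close(fds[max]) != -1)
+fail("failed to close highest fd");
+
+/* make sure we can still use remaining descriptors */
+for (i = 0; i < max; i++)
+if (read(fds[i], buf, sizeof(buf)) == -1)
+fail("closed descriptors it should not have");
+
+/* should close all fds */
+closefrom(fds[0]);
+for (i = 0; i < NUM_OPENS; i++)
+if (close(fds[i]) != -1)
+fail("failed to close from lowest fd");
+return 0;
+}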
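--- a/crypto/openssh/openbsd-compat/regress/snprintftest.c
+++ b/crypto/openssh/openbsd-compat/regress/snprintftest.c
@@ -0,0 +1,73 @@
+/*
+* Copyright (c) 2005 Darren Tucker
+* Copyright (c) 2005 Damien Miller
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+#define BUFSZ 2048
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+
+static int failed = 0;
+
+static void
+fail(const char *m)
+{
+fprintf(stderr, "snprintftest: %s\n", m);
+failed = 1;
+}
+
+int x_snprintf(char *str, size_t count, const char *fmt, ...)
+{
+size_t ret;
+va_list ap;
+
+va_start(ap, fmt);
+ret = vsnprintf(str, count, fmt, ap);
+va_end(ap);
+return ret;
+}
+
+int
+main(void)
+{
+char b[5];
+char *src;
+
+snprintf(b,5,"123456789");
+if (b[4] != '\0')
+fail("snprintf does not correctly terminate long strings");
+
+/* check for read overrun on unterminated string */
+if ((src = malloc(BUFSZ)) == NULL) {
+fail("malloc failed");
+} else {
+memset(src, 'a', BUFSZ);
+snprintf(b, sizeof(b), "%.*s", 1, src);
+if (strcmp(b, "a") != 0)
+fail("failed with length limit '%%.s'");
+}
+
+/* check that snprintf and vsnprintf return sane values */
+if (snprintf(b, 1, "%s %d", "hello", 12345) != 11)
+fail("snprintf does not return required length");
+if (x_snprintf(b, 1, "%s %d", "hello", 12345) != 11)
+fail("vsnprintf does not return required length");
+
+return failed;
+}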
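Review bot: In `x_snprintf`, `ret` is declared `size_t` although `vsnprintf` returns `int` and the wrapper itself returns `int`, so a negative error return makes a round trip through an unsigned type before reaching the caller; declare it `int ret;` so the value is passed through unchanged. The test only compares the result against 11, so this does not change the outcome today, but the wrapper exists to exercise the compat vsnprintf, and an encoding-error return from it would be reported as a large positive length on platforms where the conversion back to `int` is not value-preserving.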
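--- a/crypto/openssh/openbsd-compat/regress/strduptest.c
+++ b/crypto/openssh/openbsd-compat/regress/strduptest.c
@@ -0,0 +1,45 @@
+/*
+* Copyright (c) 2005 Darren Tucker
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+#include <stdlib.h>
+#include <string.h>
+
+static int fail = 0;
+
+void
+test(const char *a)
+{
+char *b;
+
+b = strdup(a);
+if (b == 0) {
+fail = 1;
+return;
+}
+if (strcmp(a, b) != 0)
+fail = 1;
+free(b);
+}
+
+int
+main(void)
+{
+test("");
+test("a");
+test("\0");
+test("abcdefghijklmnopqrstuvwxyz");
+return fail;
+}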
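--- a/crypto/openssh/openbsd-compat/regress/strtonumtest.c
+++ b/crypto/openssh/openbsd-compat/regress/strtonumtest.c
@@ -0,0 +1,80 @@
+/* $OpenBSD: strtonumtest.c,v 1.1 2004/08/03 20:38:36 otto Exp $ */
+/*
+* Copyright (c) 2004 Otto Moerbeek <otto@drijf.net>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+/* OPENBSD ORIGINAL: regress/lib/libc/strtonum/strtonumtest.c */
+
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/* LLONG_MAX is known as LONGLONG_MAX on AIX */
+#if defined(LONGLONG_MAX) && !defined(LLONG_MAX)
+# define LLONG_MAX LONGLONG_MAX
+# define LLONG_MIN LONGLONG_MIN
+#endif
+
+/* LLONG_MAX is known as LONG_LONG_MAX on HP-UX */
+#if defined(LONG_LONG_MAX) && !defined(LLONG_MAX)
+# define LLONG_MAX LONG_LONG_MAX
+# define LLONG_MIN LONG_LONG_MIN
+#endif
+
+long long strtonum(const char *, long long, long long, const char **);
+
+int fail;
+
+void
+test(const char *p, long long lb, long long ub, int ok)
+{
+long long val;
+const char *q;
+
+val = strtonum(p, lb, ub, &q);
+if (ok && q != NULL) {
+fprintf(stderr, "%s [%lld-%lld] ", p, lb, ub);
+fprintf(stderr, "NUMBER NOT ACCEPTED %s\n", q);
+fail = 1;
+} else if (!ok && q == NULL) {
+fprintf(stderr, "%s [%lld-%lld] %lld ", p, lb, ub, val);
+fprintf(stderr, "NUMBER ACCEPTED\n");
+fail = 1;
+}
+}
+
+int main(int argc, char *argv[])
+{
+test("1", 0, 10, 1);
+test("0", -2, 5, 1);
+test("0", 2, 5, 0);
+test("0", 2, LLONG_MAX, 0);
+test("-2", 0, LLONG_MAX, 0);
+test("0", -5, LLONG_MAX, 1);
+test("-3", -3, LLONG_MAX, 1);
+test("-9223372036854775808", LLONG_MIN, LLONG_MAX, 1);
+test("9223372036854775807", LLONG_MIN, LLONG_MAX, 1);
+test("-9223372036854775809", LLONG_MIN, LLONG_MAX, 0);
+test("9223372036854775808", LLONG_MIN, LLONG_MAX, 0);
+test("1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
+test("-1000000000000000000000000", LLONG_MIN, LLONG_MAX, 0);
+test("-2", 10, -1, 0);
+test("-2", -10, -1, 1);
+test("-20", -10, -1, 0);
+test("20", -10, -1, 0);
+
+return (fail);
+}
+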
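--- a/crypto/openssh/openssh.xml.in
+++ b/crypto/openssh/openssh.xml.in
@@ -0,0 +1,90 @@
+<?xml version='1.0'?>
+<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
+<!--
+Copyright (c) 2006 Chad Mynhier.
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<service_bundle type='manifest' name='OpenSSH server'>
+
+<service
+name='site/__SYSVINIT_NAME__'
+type='service'
+version='1'>
+
+<!--
+We default to disabled so administrator can decide to enable or not.
+-->
+<create_default_instance enabled='false'/>
+
+<single_instance/>
+
+<dependency
+name='filesystem-local'
+grouping='require_all'
+restart_on='none'
+type='service'>
+<service_fmri value='svc:/system/filesystem/local'/>
+</dependency>
+
+<dependency
+name='network'
+grouping='require_all'
+restart_on='none'
+type='service'>
+<service_fmri value='svc:/milestone/network'/>
+</dependency>
+
+<dependent
+name='multi-user-server'
+restart_on='none'
+grouping='optional_all'>
+<service_fmri value='svc:/milestone/multi-user-server'/>
+</dependent>
+
+<exec_method
+name='start'
+type='method'
+exec='__SMF_METHOD_DIR__/__SYSVINIT_NAME__ start'
+timeout_seconds='60'>
+<method_context/>
+</exec_method>
+
+<exec_method
+name='stop'
+type='method'
+exec=':kill'
+timeout_seconds='60'>
+<method_context/>
+</exec_method>
+
+<property_group
+name='startd'
+type='framework'>
+<propval name='ignore_error' type='astring' value='core,signal'/>
+</property_group>
+
+<template>
+<common_name>
+<loctext xml:lang='C'>OpenSSH server</loctext>
+</common_name>
+<documentation>
+<manpage
+title='sshd'
+section='1M'
+manpath='@prefix@/man'/>
+</documentation>
+</template>
+</service>
+</service_bundle>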
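Review bot: The stop method `exec=':kill'` signals every process in the service contract, and with a bare `<method_context/>` and no contract properties declared, sshd's per-connection children presumably share that contract, so a stop or restart also terminates established sessions; that is a deliberate trade-off in many sshd manifests but deserves a comment next to the method, e.g. `<!-- :kill signals the whole contract; active sessions are terminated too -->`. The `ignore_error` value `core,signal` keeps the service out of maintenance after a crash or kill, which also means a repeatedly crashing sshd is not surfaced by the restarter; a one-line comment stating that this is intended would help the administrator who inherits it.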
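--- a/crypto/openssh/opensshd.init.in
+++ b/crypto/openssh/opensshd.init.in
@@ -0,0 +1,88 @@
+#!@STARTUP_SCRIPT_SHELL@
+# Donated code that was put under PD license.
+#
+# Stripped PRNGd out of it for the time being.
+
+umask 022
+
+CAT=@CAT@
+KILL=@KILL@
+
+prefix=@prefix@
+sysconfdir=@sysconfdir@
+piddir=@piddir@
+
+SSHD=$prefix/sbin/sshd
+PIDFILE=$piddir/sshd.pid
+PidFile=`grep "^PidFile" ${sysconfdir}/sshd_config | tr "=" " " | awk '{print $2}'`
+[ X$PidFile = X ] || PIDFILE=$PidFile
+SSH_KEYGEN=$prefix/bin/ssh-keygen
+HOST_KEY_RSA1=$sysconfdir/ssh_host_key
+HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
+HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
+@COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
+
+
+checkkeys() {
+if [ ! -f $HOST_KEY_RSA1 ]; then
+${SSH_KEYGEN} -t rsa1 -f ${HOST_KEY_RSA1} -N ""
+fi
+if [ ! -f $HOST_KEY_DSA ]; then
+${SSH_KEYGEN} -t dsa -f ${HOST_KEY_DSA} -N ""
+fi
+if [ ! -f $HOST_KEY_RSA ]; then
+${SSH_KEYGEN} -t rsa -f ${HOST_KEY_RSA} -N ""
+fi
+@COMMENT_OUT_ECC@ if [ ! -f $HOST_KEY_ECDSA ]; then
+@COMMENT_OUT_ECC@ ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N ""
+@COMMENT_OUT_ECC@ fi
+}
+
+stop_service() {
+if [ -r $PIDFILE -a ! -z ${PIDFILE} ]; then
+PID=`${CAT} ${PIDFILE}`
+fi
+if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then
+${KILL} ${PID}
+else
+echo "Unable to read PID file"
+fi
+}
+
+start_service() {
+# XXX We really should check if the service is already going, but
+# XXX we will opt out at this time. - Bal
+
+# Check to see if we have keys that need to be made
+checkkeys
+
+# Start SSHD
+echo "starting $SSHD... \c" ; $SSHD
+
+sshd_rc=$?
+if [ $sshd_rc -ne 0 ]; then
+echo "$0: Error ${sshd_rc} starting ${SSHD}... bailing."
+exit $sshd_rc
+fi
+echo done.
+}
+
+case $1 in
+
+'start')
+start_service
+;;
+
+'stop')
+stop_service
+;;
+
+'restart')
+stop_service
+start_service
+;;
+
+*)
+echo "$0: usage: $0 {start|stop|restart}"
+;;
+esac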
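Review bot: The `'restart'` case calls `start_service` straight after `stop_service`, but `stop_service` only sends the signal and never waits for the old sshd to exit, so the new daemon can fail to bind its listening port while the old one is still shutting down; a bounded poll such as `i=0; while ${KILL} -0 ${PID} 2>/dev/null && [ $i -lt 10 ]; do sleep 1; i=`expr $i + 1`; done` at the end of `stop_service` closes that window. `stop_service` also signals whatever number the pid file holds without checking that it still belongs to sshd, so a stale file left by a crash can hit an unrelated process that reused the pid. Finally, `[ -r $PIDFILE -a ! -z ${PIDFILE} ]` evaluates `-r` before `-z`, so an empty `PIDFILE` gives a `[` syntax error instead of the intended skip; testing `-z` first fixes it.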
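--- a/crypto/openssh/regress/Makefile
+++ b/crypto/openssh/regress/Makefile
@@ -0,0 +1,169 @@
+# $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $
+
+REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
+tests: $(REGRESS_TARGETS)
+
+# Interop tests are not run by default
+interop interop-tests: t-exec-interop
+
+clean:
+for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
+test -z "${SUDO}" || ${SUDO} rm -f ${SUDO_CLEAN}
+rm -rf $(OBJ).putty
+
+distclean: clean
+
+LTESTS= connect \
+proxy-connect \
+connect-privsep \
+proto-version \
+proto-mismatch \
+exit-status \
+envpass \
+transfer \
+banner \
+rekey \
+stderr-data \
+stderr-after-eof \
+broken-pipe \
+try-ciphers \
+yes-head \
+login-timeout \
+agent \
+agent-getpeereid \
+agent-timeout \
+agent-ptrace \
+keyscan \
+keygen-change \
+keygen-convert \
+key-options \
+scp \
+sftp \
+sftp-chroot \
+sftp-cmds \
+sftp-badcmds \
+sftp-batch \
+sftp-glob \
+reconfigure \
+dynamic-forward \
+forwarding \
+multiplex \
+reexec \
+brokenkeys \
+cfgmatch \
+addrmatch \
+localcommand \
+forcecommand \
+portnum \
+keytype \
+kextype \
+cert-hostkey \
+cert-userkey \
+host-expand \
+keys-command \
+forward-control \
+integrity \
+krl
+
+INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
+#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
+
+#LTESTS= cipher-speed
+
+USER!= id -un
+CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
+t8.out t8.out.pub t9.out t9.out.pub \
+authorized_keys_${USER} known_hosts pidfile testdata \
+ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
+rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
+rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
+ls.copy banner.in banner.out empty.in \
+scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
+sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv \
+known_hosts-cert host_ca_key* cert_host_key* cert_user_key* \
+putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
+key.rsa-* key.dsa-* key.ecdsa-* \
+authorized_principals_${USER} expect actual ready \
+sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
+ssh.log failed-ssh.log sshd.log failed-sshd.log \
+regress.log failed-regress.log ssh-log-wrapper.sh
+
+SUDO_CLEAN+= /var/run/testdata_${USER} /var/run/keycommand_${USER}
+
+# Enable all malloc(3) randomisations and checks
+TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
+
+TEST_SSH_SSHKEYGEN?=ssh-keygen
+
+CPPFLAGS=-I..
+
+t1:
+${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
+tr '\n' '\r' <${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_cr.prv
+${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_cr.prv | diff - ${.CURDIR}/rsa_openssh.prv
+awk '{print $$0 "\r"}' ${.CURDIR}/rsa_ssh2.prv > ${.OBJDIR}/rsa_ssh2_crnl.prv
+${TEST_SSH_SSHKEYGEN} -if ${.OBJDIR}/rsa_ssh2_crnl.prv | diff - ${.CURDIR}/rsa_openssh.prv
+
+t2:
+cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out
+chmod 600 $(OBJ)/t2.out
+${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub
+
+t3:
+${TEST_SSH_SSHKEYGEN} -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/t3.out
+${TEST_SSH_SSHKEYGEN} -if $(OBJ)/t3.out | diff - ${.CURDIR}/rsa_openssh.pub
+
+t4:
+${TEST_SSH_SSHKEYGEN} -lf ${.CURDIR}/rsa_openssh.pub |\
+awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
+
+t5:
+${TEST_SSH_SSHKEYGEN} -Bf ${.CURDIR}/rsa_openssh.pub |\
+awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
+
+t6:
+${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1
+${TEST_SSH_SSHKEYGEN} -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2
+chmod 600 $(OBJ)/t6.out1
+${TEST_SSH_SSHKEYGEN} -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2
+
+$(OBJ)/t7.out:
+${TEST_SSH_SSHKEYGEN} -q -t rsa -N '' -f $@
+
+t7: $(OBJ)/t7.out
+${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t7.out > /dev/null
+${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t7.out > /dev/null
+
+$(OBJ)/t8.out:
+${TEST_SSH_SSHKEYGEN} -q -t dsa -N '' -f $@
+
+t8: $(OBJ)/t8.out
+${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t8.out > /dev/null
+${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t8.out > /dev/null
+
+$(OBJ)/t9.out:
+test "${TEST_SSH_ECC}" != yes || \
+${TEST_SSH_SSHKEYGEN} -q -t ecdsa -N '' -f $@
+
+t9: $(OBJ)/t9.out
+test "${TEST_SSH_ECC}" != yes || \
+${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t9.out > /dev/null
+test "${TEST_SSH_ECC}" != yes || \
+${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null
+
+t-exec: ${LTESTS:=.sh}
+@if [ "x$?" = "x" ]; then exit 0; fi; \
+for TEST in ""$?; do \
+echo "run test $${TEST}" ... 1>&2; \
+(env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
+done
+
+t-exec-interop: ${INTEROP_TESTS:=.sh}
+@if [ "x$?" = "x" ]; then exit 0; fi; \
+for TEST in ""$?; do \
+echo "run test $${TEST}" ... 1>&2; \
+(env SUDO="${SUDO}" TEST_ENV=${TEST_ENV} ${TEST_SHELL} ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
+done
+
+# Not run by default
+interop: ${INTEROP_TARGETS}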
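Review bot: The `clean` recipe removes `$(OBJ)$$F` with no `/` between directory and file name, while every producer in this file writes `$(OBJ)/t2.out`, `$(OBJ)/t6.out1`, `$(OBJ)/t7.out` and so on, so unless `OBJ` is always supplied with a trailing slash, `make clean` silently leaves the generated outputs — including the `t7.out`/`t8.out`/`t9.out` private keys — in the build directory; `rm -f $(OBJ)/$$F` matches the producers, and `rm -rf $(OBJ).putty` has the same join. The final `interop: ${INTEROP_TARGETS}` references a variable that is defined nowhere in this file and duplicates the `interop interop-tests: t-exec-interop` rule near the top, so one of the two rules should go.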
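--- a/crypto/openssh/regress/README.regress
+++ b/crypto/openssh/regress/README.regress
@@ -0,0 +1,104 @@
+Overview.
+
+$ ./configure && make tests
+
+You'll see some progress info. A failure will cause either the make to
+abort or the driver script to report a "FATAL" failure.
+
+The test consists of 2 parts. The first is the file-based tests which is
+driven by the Makefile, and the second is a set of network or proxycommand
+based tests, which are driven by a driver script (test-exec.sh) which is
+called multiple times by the Makefile.
+
+Failures in the first part will cause the Makefile to return an error.
+Failures in the second part will print a "FATAL" message for the failed
+test and continue.
+
+OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
+suite is based on OpenBSD's with modifications.
+
+
+Environment variables.
+
+SUDO: path to sudo command, if desired. Note that some systems (notably
+systems using PAM) require sudo to execute some tests.
+TEST_SSH_TRACE: set to "yes" for verbose output from tests
+TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
+TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD
+SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER
+OBJ: used by test scripts to access build dir.
+TEST_SHELL: shell used for running the test scripts.
+TEST_SSH_PORT: TCP port to be used for the listening tests.
+TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config
+before running each test.
+TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config
+before running each test.
+
+
+Individual tests.
+
+You can run an individual test from the top-level Makefile, eg:
+$ make tests LTESTS=agent-timeout
+
+If you need to manipulate the environment more you can invoke test-exec.sh
+directly if you set up the path to find the binaries under test and the
+test scripts themselves, for example:
+
+$ cd regress
+$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
+agent-timeout.sh
+ok agent timeout test
+
+
+Files.
+
+test-exec.sh: the main test driver. Sets environment, creates config files
+and keys and runs the specified test.
+
+At the time of writing, the individual tests are:
+agent-timeout.sh: agent timeout test
+agent.sh: simple agent test
+broken-pipe.sh: broken pipe test
+connect-privsep.sh: proxy connect with privsep
+connect.sh: simple connect
+exit-status.sh: remote exit status
+forwarding.sh: local and remote forwarding
+keygen-change.sh: change passphrase for key
+keyscan.sh: keyscan
+proto-mismatch.sh: protocol version mismatch
+proto-version.sh: sshd version with different protocol combinations
+proxy-connect.sh: proxy connect
+sftp.sh: basic sftp put/get
+ssh-com-client.sh: connect with ssh.com client
+ssh-com-keygen.sh: ssh.com key import
+ssh-com-sftp.sh: basic sftp put/get with ssh.com server
+ssh-com.sh: connect to ssh.com server
+stderr-after-eof.sh: stderr data after eof
+stderr-data.sh: stderr data transfer
+transfer.sh: transfer data
+try-ciphers.sh: try ciphers
+yes-head.sh: yes pipe head
+
+
+Problems?
+
+Run the failing test with shell tracing (-x) turned on:
+$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
+
+Failed tests can be difficult to diagnose. Suggestions:
+- run the individual test via ./test-exec.sh `pwd` [testname]
+- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
+auth.debug (eg to /var/log/authlog).
+
+
+Known Issues.
+
+- Similarly, if you do not have "scp" in your system's $PATH then the
+multiplex scp tests will fail (since the system's shell startup scripts
+will determine where the shell started by sshd will look for scp).
+
+- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
+test to fail. The old behaviour can be restored by setting (and
+exporting) _POSIX2_VERSION=199209 before running the tests.
+
+$Id: README.regress,v 1.12 2011/05/05 03:48:42 djm Exp $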
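--- a/crypto/openssh/regress/addrmatch.sh
+++ b/crypto/openssh/regress/addrmatch.sh
@@ -0,0 +1,56 @@
+# $OpenBSD: addrmatch.sh,v 1.4 2012/05/13 01:42:32 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="address match"
+
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+run_trial()
+{
+user="$1"; addr="$2"; host="$3"; laddr="$4"; lport="$5"
+expected="$6"; descr="$7"
+
+verbose "test $descr for $user $addr $host"
+result=`${SSHD} -f $OBJ/sshd_proxy -T \
+-C user=${user},addr=${addr},host=${host},laddr=${laddr},lport=${lport} | \
+awk '/^forcecommand/ {print $2}'`
+if [ "$result" != "$expected" ]; then
+fail "failed '$descr' expected $expected got $result"
+fi
+}
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+cat >>$OBJ/sshd_proxy <<EOD
+ForceCommand nomatch
+Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com
+ForceCommand match1
+Match Address 1.1.1.1,::1,!::3,2000::/16
+ForceCommand match2
+Match LocalAddress 127.0.0.1,::1
+ForceCommand match3
+Match LocalPort 5678
+ForceCommand match4
+EOD
+
+run_trial user 192.168.0.1 somehost 1.2.3.4 1234 match1 "first entry"
+run_trial user 192.168.30.1 somehost 1.2.3.4 1234 nomatch "negative match"
+run_trial user 19.0.0.1 somehost 1.2.3.4 1234 nomatch "no match"
+run_trial user 10.255.255.254 somehost 1.2.3.4 1234 match1 "list middle"
+run_trial user 192.168.30.1 192.168.0.1 1.2.3.4 1234 nomatch "faked IP in hostname"
+run_trial user 1.1.1.1 somehost.example.com 1.2.3.4 1234 match2 "bare IP4 address"
+run_trial user 19.0.0.1 somehost 127.0.0.1 1234 match3 "localaddress"
+run_trial user 19.0.0.1 somehost 1.2.3.4 5678 match4 "localport"
+
+if test "$TEST_SSH_IPV6" != "no"; then
+run_trial user ::1 somehost.example.com ::2 1234 match2 "bare IP6 address"
+run_trial user ::2 somehost.exaple.com ::2 1234 nomatch "deny IPv6"
+run_trial user ::3 somehost ::2 1234 nomatch "IP6 negated"
+run_trial user ::4 somehost ::2 1234 nomatch "IP6 no match"
+run_trial user 2000::1 somehost ::2 1234 match2 "IP6 network"
+run_trial user 2001::1 somehost ::2 1234 nomatch "IP6 network"
+run_trial user ::5 somehost ::1 1234 match3 "IP6 localaddress"
+run_trial user ::5 somehost ::2 5678 match4 "IP6 localport"
+fi
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+rm $OBJ/sshd_proxy_bak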
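Review bot: The two IPv6 network trials both pass the description `"IP6 network"`, so a failure reported by `run_trial` cannot say whether the positive (`2000::1`, expected `match2`) or the negative (`2001::1`, expected `nomatch`) case broke; `"IP6 network no match"` for the second keeps the messages distinct. `somehost.exaple.com` in the `"deny IPv6"` trial looks like a typo for `example.com`; it is harmless because the address rather than the hostname is what the `Match` is expected to reject, but a short comment to that effect would stop the next reader from "fixing" it into a different test. The backup/restore of `sshd_proxy` at the top and bottom is only reached if no trial aborts the script, which presumably holds because `fail` in the harness records rather than exits — worth a comment on the `mv`.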
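--- a/crypto/openssh/regress/agent-getpeereid.sh
+++ b/crypto/openssh/regress/agent-getpeereid.sh
@@ -0,0 +1,45 @@
+# $OpenBSD: agent-getpeereid.sh,v 1.5 2013/05/17 10:33:09 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="disallow agent attach from other uid"
+
+UNPRIV=nobody
+ASOCK=${OBJ}/agent
+SSH_AUTH_SOCK=/nonexistent
+
+if config_defined HAVE_GETPEEREID HAVE_GETPEERUCRED HAVE_SO_PEERCRED ; then
+:
+else
+echo "skipped (not supported on this platform)"
+exit 0
+fi
+if [ -z "$SUDO" ]; then
+echo "skipped: need SUDO to switch to uid $UNPRIV"
+exit 0
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+fail "could not start ssh-agent: exit code $r"
+else
+chmod 644 ${SSH_AUTH_SOCK}
+
+ssh-add -l > /dev/null 2>&1
+r=$?
+if [ $r -ne 1 ]; then
+fail "ssh-add failed with $r != 1"
+fi
+
+< /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l 2>/dev/null
+r=$?
+if [ $r -lt 2 ]; then
+fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
+fi
+
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
+fi
+
+rm -f ${OBJ}/agent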
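Review bot: Both `ssh-add -l` invocations — the baseline one after `chmod 644` and the `${SUDO} -S -u ${UNPRIV}` one — run the bare `ssh-add` found in `PATH` rather than `${SSHADD}`, which every other agent test in this commit uses, so this test exercises whichever installed ssh-add comes first in the path instead of the binary under test; `${SSHADD} -l` in both places fixes that. The `chmod 644` on the socket is what makes the test meaningful (it removes the filesystem barrier so only the peer-credential check can reject `nobody`), and a one-line comment saying so would keep a future cleanup from "tightening" it back to 600 and silently turning the test into a no-op. Note also that the `-u ${UNPRIV}` run needs the ssh-add binary to be executable by `nobody`, so a build tree with a restrictive umask may produce a failure here that is a permissions problem rather than a missing peer-uid check.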
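--- a/crypto/openssh/regress/agent-pkcs11.sh
+++ b/crypto/openssh/regress/agent-pkcs11.sh
@@ -0,0 +1,69 @@
+# $OpenBSD: agent-pkcs11.sh,v 1.1 2010/02/08 10:52:47 markus Exp $
+# Placed in the Public Domain.
+
+tid="pkcs11 agent test"
+
+TEST_SSH_PIN=""
+TEST_SSH_PKCS11=/usr/local/lib/soft-pkcs11.so.0.0
+
+# setup environment for soft-pkcs11 token
+SOFTPKCS11RC=$OBJ/pkcs11.info
+export SOFTPKCS11RC
+# prevent ssh-agent from calling ssh-askpass
+SSH_ASKPASS=/usr/bin/true
+export SSH_ASKPASS
+unset DISPLAY
+
+# start command w/o tty, so ssh-add accepts pin from stdin
+notty() {
+perl -e 'use POSIX; POSIX::setsid();
+if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
+}
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+fail "could not start ssh-agent: exit code $r"
+else
+trace "generating key/cert"
+rm -f $OBJ/pkcs11.key $OBJ/pkcs11.crt
+openssl genrsa -out $OBJ/pkcs11.key 2048 > /dev/null 2>&1
+chmod 600 $OBJ/pkcs11.key
+openssl req -key $OBJ/pkcs11.key -new -x509 \
+-out $OBJ/pkcs11.crt -text -subj '/CN=pkcs11 test' > /dev/null
+printf "a\ta\t$OBJ/pkcs11.crt\t$OBJ/pkcs11.key" > $SOFTPKCS11RC
+# add to authorized keys
+${SSHKEYGEN} -y -f $OBJ/pkcs11.key > $OBJ/authorized_keys_$USER
+
+trace "add pkcs11 key to agent"
+echo ${TEST_SSH_PIN} | notty ${SSHADD} -s ${TEST_SSH_PKCS11} > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+fail "ssh-add -s failed: exit code $r"
+fi
+
+trace "pkcs11 list via agent"
+${SSHADD} -l > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+fail "ssh-add -l failed: exit code $r"
+fi
+
+trace "pkcs11 connect via agent"
+${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
+r=$?
+if [ $r -ne 5 ]; then
+fail "ssh connect failed (exit code $r)"
+fi
+
+trace "remove pkcs11 keys"
+echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+fail "ssh-add -e failed: exit code $r"
+fi
+
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
+fi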
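Review bot: `TEST_SSH_PKCS11` is hard-coded to `/usr/local/lib/soft-pkcs11.so.0.0` and nothing checks that the module exists before `${SSHADD} -s` is attempted, so on a host without soft-pkcs11 the test reports `ssh-add -s failed` instead of skipping the way agent-ptrace.sh does when gdb is absent; a guard such as `test -f "${TEST_SSH_PKCS11}" || { echo "skipped (no soft-pkcs11 module)"; exit 0; }` placed before the agent is started would make the outcome meaningful. `SSH_ASKPASS=/usr/bin/true` has the same fixed-path problem on systems where `true` lives in `/bin`, and since the point is only to suppress the askpass prompt, `${TEST_SSH_PKCS11_ASKPASS:-/usr/bin/true}` or a `which`-style lookup would be safer. `${SSHKEYGEN} -y -f ... > $OBJ/authorized_keys_$USER` replaces the shared authorized_keys file rather than appending to it, which is presumably fine because the harness regenerates it per test — a comment saying so would help.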
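--- a/crypto/openssh/regress/agent-ptrace.sh
+++ b/crypto/openssh/regress/agent-ptrace.sh
@@ -0,0 +1,53 @@
+# $OpenBSD: agent-ptrace.sh,v 1.1 2002/12/09 15:38:30 markus Exp $
+# Placed in the Public Domain.
+
+tid="disallow agent ptrace attach"
+
+if have_prog uname ; then
+case `uname` in
+AIX|CYGWIN*|OSF1)
+echo "skipped (not supported on this platform)"
+exit 0
+;;
+esac
+fi
+
+if have_prog gdb ; then
+: ok
+else
+echo "skipped (gdb not found)"
+exit 0
+fi
+
+if test -z "$SUDO" ; then
+echo "skipped (SUDO not set)"
+exit 0
+else
+$SUDO chown 0 ${SSHAGENT}
+$SUDO chgrp 0 ${SSHAGENT}
+$SUDO chmod 2755 ${SSHAGENT}
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+fail "could not start ssh-agent: exit code $r"
+else
+# ls -l ${SSH_AUTH_SOCK}
+gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF
+quit
+EOF
+if [ $? -ne 0 ]; then
+fail "gdb failed: exit code $?"
+fi
+egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null ${OBJ}/gdb.out
+r=$?
+rm -f ${OBJ}/gdb.out
+if [ $r -ne 0 ]; then
+fail "ptrace succeeded?: exit code $r"
+fi
+
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
+fi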
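Review bot: The `$?` inside `fail "gdb failed: exit code $?"` is the status of the `[ $? -ne 0 ]` test that has just run, not gdb's, so the message always prints 1; capture the status first (`r=$?` right after the heredoc, then `if [ $r -ne 0 ]; then fail "gdb failed: exit code $r"`), as the egrep branch below already does. agent.sh in this commit has the same pattern in several of its `fail` messages (`ssh-add -l failed: exit code $?`, `ssh-add -L failed: exit code $?`, the agent-forwarding ones and `ssh-add -D failed: exit code $?`). Separately, the SUDO branch changes the ownership and mode of the ssh-agent binary under test to root-owned, group 0, setgid (`chmod 2755`) and never restores them, so the build tree is left holding a setgid binary after the test; copying the binary into `${OBJ}` first and running the test against the copy, or recording and restoring the original owner and mode, avoids that side effect.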
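--- a/crypto/openssh/regress/agent-timeout.sh
+++ b/crypto/openssh/regress/agent-timeout.sh
@@ -0,0 +1,36 @@
+# $OpenBSD: agent-timeout.sh,v 1.2 2013/05/17 01:16:09 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="agent timeout test"
+
+SSHAGENT_TIMEOUT=10
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+fail "could not start ssh-agent: exit code $r"
+else
+trace "add keys with timeout"
+for t in rsa rsa1; do
+${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+fail "ssh-add did succeed exit code 0"
+fi
+done
+n=`${SSHADD} -l 2> /dev/null | wc -l`
+trace "agent has $n keys"
+if [ $n -ne 2 ]; then
+fail "ssh-add -l did not return 2 keys: $n"
+fi
+trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds"
+sleep ${SSHAGENT_TIMEOUT}
+sleep ${SSHAGENT_TIMEOUT}
+${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null
+if [ $? -ne 0 ]; then
+fail "ssh-add -l still returns keys after timeout"
+fi
+
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
+fi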
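Review bot: The message in `fail "ssh-add did succeed exit code 0"` is the inverse of the condition that triggers it — the branch runs when `${SSHADD} -t` returned non-zero — so the log claims success on the failure path; `r=$?` after the ssh-add line followed by `fail "ssh-add $t failed: exit code $r"` says what actually happened and which key was involved. agent.sh in this commit has the identical line in its key-adding loop. The test then sleeps a fixed `2*${SSHAGENT_TIMEOUT}` = 20 seconds; a loop that polls `${SSHADD} -l` for the "no identities" message once a second and gives up at that same bound keeps the check correct on slow hosts while finishing sooner on fast ones.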
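--- a/crypto/openssh/regress/agent.sh
+++ b/crypto/openssh/regress/agent.sh
@@ -0,0 +1,75 @@
+# $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="simple agent test"
+
+SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 2 ]; then
+fail "ssh-add -l did not fail with exit code 2"
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+fail "could not start ssh-agent: exit code $r"
+else
+${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 1 ]; then
+fail "ssh-add -l did not fail with exit code 1"
+fi
+trace "overwrite authorized keys"
+printf '' > $OBJ/authorized_keys_$USER
+for t in rsa rsa1; do
+# generate user key for agent
+rm -f $OBJ/$t-agent
+${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
+fail "ssh-keygen for $t-agent failed"
+# add to authorized keys
+cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
+# add privat key to agent
+${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+fail "ssh-add did succeed exit code 0"
+fi
+done
+${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+fail "ssh-add -l failed: exit code $?"
+fi
+# the same for full pubkey output
+${SSHADD} -L > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+fail "ssh-add -L failed: exit code $?"
+fi
+
+trace "simple connect via agent"
+for p in 1 2; do
+${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
+if [ $? -ne 5$p ]; then
+fail "ssh connect with protocol $p failed (exit code $?)"
+fi
+done
+
+trace "agent forwarding"
+for p in 1 2; do
+${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+fail "ssh-add -l via agent fwd proto $p failed (exit code $?)"
+fi
+${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
+"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
+if [ $? -ne 5$p ]; then
+fail "agent fwd proto $p failed (exit code $?)"
+fi
+done
+
+trace "delete all agent keys"
+${SSHADD} -D > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+fail "ssh-add -D failed: exit code $?"
+fi
+
+trace "kill agent"
+${SSHAGENT} -k > /dev/null
+fi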
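--- a/crypto/openssh/regress/banner.sh
+++ b/crypto/openssh/regress/banner.sh
@@ -0,0 +1,44 @@
+# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="banner"
+echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy
+
+rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
+touch $OBJ/empty.in
+
+trace "test missing banner file"
+verbose "test $tid: missing banner file"
+( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+cmp $OBJ/empty.in $OBJ/banner.out ) || \
+fail "missing banner file"
+
+for s in 0 10 100 1000 10000 100000 ; do
+if [ "$s" = "0" ]; then
+# create empty banner
+touch $OBJ/banner.in
+elif [ "$s" = "10" ]; then
+# create 10-byte banner file
+echo "abcdefghi" >$OBJ/banner.in
+else
+# increase size 10x
+cp $OBJ/banner.in $OBJ/banner.out
+for i in 0 1 2 3 4 5 6 7 8 ; do
+cat $OBJ/banner.out >> $OBJ/banner.in
+done
+fi
+
+trace "test banner size $s"
+verbose "test $tid: size $s"
+( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+cmp $OBJ/banner.in $OBJ/banner.out ) || \
+fail "banner size $s mismatch"
+done
+
+trace "test suppress banner (-q)"
+verbose "test $tid: suppress banner (-q)"
+( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+cmp $OBJ/empty.in $OBJ/banner.out ) || \
+fail "suppress banner (-q)"
+
+rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in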
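Review bot: The `Banner $OBJ/banner.in` directive is appended to `$OBJ/sshd_proxy` on the fifth line and never removed, whereas addrmatch.sh in this commit backs that file up and restores it; if the harness does not regenerate `sshd_proxy` for every test, the directive — pointing at a file this script deletes on its last line — leaks into later tests. A `cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak` before the `echo` and a matching restore next to the final `rm -f` would make the test self-contained either way. In the size loop, `cp $OBJ/banner.in $OBJ/banner.out` reuses `banner.out` as scratch space before ssh overwrites it with stderr a few lines later; a comment such as `# banner.out is scratch here; overwritten by ssh below` would keep a reader from assuming it still holds the previous iteration's output.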
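--- a/crypto/openssh/regress/broken-pipe.sh
+++ b/crypto/openssh/regress/broken-pipe.sh
@@ -0,0 +1,15 @@
+# $OpenBSD: broken-pipe.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="broken pipe test"
+
+for p in 1 2; do
+	trace "protocol $p"
+	for i in 1 2 3 4; do
+		${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
+		r=$?
+		if [ $r -ne 0 ]; then
+			fail "broken pipe returns $r for protocol $p"
+		fi
+	done
+done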
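Review bot: `r=$?` on the line after the pipeline records the exit status of `true`, the last command in the pipe, not of `${SSH}`, so `r` is always 0 and the `fail` branch can never fire; the test passes no matter how ssh handles the closed pipe. Capturing ssh's own status in a POSIX shell needs the status written out of a subshell, e.g. `( ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2>/dev/null; echo $? > $OBJ/broken-pipe.status ) | true` followed by `r=$(cat $OBJ/broken-pipe.status)`. Separately, `-F $OBJ/ssh_config_config` looks like a doubled suffix for `$OBJ/ssh_config`; if that file does not exist ssh presumably exits before connecting, which the current status check would also not notice.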
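--- a/crypto/openssh/regress/brokenkeys.sh
+++ b/crypto/openssh/regress/brokenkeys.sh
@@ -0,0 +1,23 @@
+# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
+# Placed in the Public Domain.
+
+tid="broken keys"
+
+KEYS="$OBJ/authorized_keys_${USER}"
+
+start_sshd
+
+mv ${KEYS} ${KEYS}.bak
+
+# Truncated key
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
+cat ${KEYS}.bak >> ${KEYS}
+cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+
+${SSH} -2 -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+	fail "ssh connect with protocol $p failed"
+fi
+
+mv ${KEYS}.bak ${KEYS}
+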
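Review bot: `$t` in `cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER` and `$p` in `fail "ssh connect with protocol $p failed"` are never assigned in this script, so the first line tries to append `$OBJ/.pub` (an error on stderr that is ignored) and the failure message reports an empty protocol. The valid keys are already appended from `${KEYS}.bak` on the line above, so the `cat $OBJ/$t.pub` line appears to be a leftover and can be dropped, and the message should read `fail "ssh connect with broken keys failed"`. Neither mistake is reported at runtime unless the harness runs the script with `set -u`.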
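--- a/crypto/openssh/regress/cert-hostkey.sh
+++ b/crypto/openssh/regress/cert-hostkey.sh
@@ -0,0 +1,256 @@
+# $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="certified host keys"
+
+# used to disable ECC based tests on platforms without ECC
+ecdsa=""
+if test "x$TEST_SSH_ECC" = "xyes"; then
+	ecdsa=ecdsa
+fi
+
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+HOSTS='localhost-with-alias,127.0.0.1,::1'
+
+# Create a CA key and add it to known hosts
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/host_ca_key ||\
+	fail "ssh-keygen of host_ca_key failed"
+(
+	printf '@cert-authority '
+	printf "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
+# Generate and sign host keys
+for ktype in rsa dsa $ecdsa ; do
+	verbose "$tid: sign host ${ktype} cert"
+	# Generate and sign a host key
+	${SSHKEYGEN} -q -N '' -t ${ktype} \
+	    -f $OBJ/cert_host_key_${ktype} || \
+		fail "ssh-keygen of cert_host_key_${ktype} failed"
+	${SSHKEYGEN} -h -q -s $OBJ/host_ca_key \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+		fail "couldn't sign cert_host_key_${ktype}"
+	# v00 ecdsa certs do not exist
+	test "${ktype}" = "ecdsa" && continue
+	cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
+	cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+	${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
+	    -I "regress host key for $USER" \
+	    -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
+		fail "couldn't sign cert_host_key_${ktype}_v00"
+done
+
+# Basic connect tests
+for privsep in yes no ; do
+	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
+		verbose "$tid: host ${ktype} cert connect privsep $privsep"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			echo UsePrivilegeSeparation $privsep
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		    -F $OBJ/ssh_proxy somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+done
+
+# Revoked certificates with key present
+(
+	printf '@cert-authority '
+	printf "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	printf '@revoked '
+	printf "* "
+	cat $OBJ/cert_host_key_rsa.pub
+	if test "x$TEST_SSH_ECC" = "xyes"; then
+		printf '@revoked '
+		printf "* "
+		cat $OBJ/cert_host_key_ecdsa.pub
+	fi
+	printf '@revoked '
+	printf "* "
+	cat $OBJ/cert_host_key_dsa.pub
+	printf '@revoked '
+	printf "* "
+	cat $OBJ/cert_host_key_rsa_v00.pub
+	printf '@revoked '
+	printf "* "
+	cat $OBJ/cert_host_key_dsa_v00.pub
+) > $OBJ/known_hosts-cert
+for privsep in yes no ; do
+	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do
+		verbose "$tid: host ${ktype} revoked cert privsep $privsep"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+			echo UsePrivilegeSeparation $privsep
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+	done
+done
+
+# Revoked CA
+(
+	printf '@cert-authority '
+	printf "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+	printf '@revoked '
+	printf "* "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+	verbose "$tid: host ${ktype} revoked cert"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo HostKey $OBJ/cert_host_key_${ktype}
+		echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+	) > $OBJ/sshd_proxy
+	${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+	    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect succeeded unexpectedly"
+	fi
+done
+
+# Create a CA key and add it to known hosts
+(
+	printf '@cert-authority '
+	printf "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+
+test_one() {
+	ident=$1
+	result=$2
+	sign_opts=$3
+
+	for kt in rsa rsa_v00 ; do
+		case $kt in
+		*_v00) args="-t v00" ;;
+		*) args="" ;;
+		esac
+
+		verbose "$tid: host cert connect $ident $kt expect $result"
+		${SSHKEYGEN} -q -s $OBJ/host_ca_key \
+		    -I "regress host key for $USER" \
+		    $sign_opts $args \
+		    $OBJ/cert_host_key_${kt} ||
+			fail "couldn't sign cert_host_key_${kt}"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${kt}
+			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		rc=$?
+		if [ "x$result" = "xsuccess" ] ; then
+			if [ $rc -ne 0 ]; then
+				fail "ssh cert connect $ident failed unexpectedly"
+			fi
+		else
+			if [ $rc -eq 0 ]; then
+				fail "ssh cert connect $ident succeeded unexpectedly"
+			fi
+		fi
+	done
+}
+
+test_one "user-certificate" failure "-n $HOSTS"
+test_one "empty principals" success "-h"
+test_one "wrong principals" failure "-h -n foo"
+test_one "cert not yet valid" failure "-h -V20200101:20300101"
+test_one "cert expired" failure "-h -V19800101:19900101"
+test_one "cert valid interval" success "-h -V-1w:+2w"
+test_one "cert has constraints" failure "-h -Oforce-command=false"
+
+# Check downgrade of cert to raw key when no CA found
+for v in v01 v00 ; do
+	for ktype in rsa dsa $ecdsa ; do
+		# v00 ecdsa certs do not exist.
+		test "${v}${ktype}" = "v00ecdsa" && continue
+		rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
+		verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
+		# Generate and sign a host key
+		${SSHKEYGEN} -q -N '' -t ${ktype} \
+		    -f $OBJ/cert_host_key_${ktype} || \
+			fail "ssh-keygen of cert_host_key_${ktype} failed"
+		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/host_ca_key \
+		    -I "regress host key for $USER" \
+		    -n $HOSTS $OBJ/cert_host_key_${ktype} ||
+			fail "couldn't sign cert_host_key_${ktype}"
+		(
+			printf "$HOSTS "
+			cat $OBJ/cert_host_key_${ktype}.pub
+		) > $OBJ/known_hosts-cert
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${ktype}
+			echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		    -F $OBJ/ssh_proxy somehost true
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+done
+
+# Wrong certificate
+(
+	printf '@cert-authority '
+	printf "$HOSTS "
+	cat $OBJ/host_ca_key.pub
+) > $OBJ/known_hosts-cert
+for v in v01 v00 ; do
+	for kt in rsa dsa $ecdsa ; do
+		# v00 ecdsa certs do not exist.
+		test "${v}${ktype}" = "v00ecdsa" && continue
+		rm -f $OBJ/cert_host_key*
+		# Self-sign key
+		${SSHKEYGEN} -q -N '' -t ${kt} \
+		    -f $OBJ/cert_host_key_${kt} || \
+			fail "ssh-keygen of cert_host_key_${kt} failed"
+		${SSHKEYGEN} -t ${v} -h -q -s $OBJ/cert_host_key_${kt} \
+		    -I "regress host key for $USER" \
+		    -n $HOSTS $OBJ/cert_host_key_${kt} ||
+			fail "couldn't sign cert_host_key_${kt}"
+		verbose "$tid: host ${kt} connect wrong cert"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo HostKey $OBJ/cert_host_key_${kt}
+			echo HostCertificate $OBJ/cert_host_key_${kt}-cert.pub
+		) > $OBJ/sshd_proxy
+
+		${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+		    -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
+		    -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect $ident succeeded unexpectedly"
+		fi
+	done
+done
+
+rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*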
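Review bot: In the "Wrong certificate" loop at the end of the file the loop variable is `kt`, but the skip test reads `"${v}${ktype}"`, which is the stale `ktype` left by the preceding downgrade loop, so the ecdsa iteration is not skipped under v00 as the comment above it intends; it should be `test "${v}${kt}" = "v00ecdsa" && continue`. In the same loop `fail "ssh cert connect $ident succeeded unexpectedly"` reports whatever `$ident` the last `test_one` call set ("cert has constraints") instead of the key type under test; `fail "ssh cert connect wrong cert ${kt} succeeded unexpectedly"` would name the failing case. Neither mistake is reported at runtime unless the harness runs the script with `set -u`, so both surface only as a misattributed or missing result.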
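--- a/crypto/openssh/regress/cert-userkey.sh
+++ b/crypto/openssh/regress/cert-userkey.sh
@@ -0,0 +1,355 @@
+# $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="certified user keys"
+
+# used to disable ECC based tests on platforms without ECC
+ecdsa=""
+if test "x$TEST_SSH_ECC" = "xyes"; then
+	ecdsa=ecdsa
+fi
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+# Create a CA key
+${SSHKEYGEN} -q -N '' -t rsa -f $OBJ/user_ca_key ||\
+	fail "ssh-keygen of user_ca_key failed"
+
+# Generate and sign user keys
+for ktype in rsa dsa $ecdsa ; do
+	verbose "$tid: sign user ${ktype} cert"
+	${SSHKEYGEN} -q -N '' -t ${ktype} \
+	    -f $OBJ/cert_user_key_${ktype} || \
+		fail "ssh-keygen of cert_user_key_${ktype} failed"
+	${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
+	    -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
+		fail "couldn't sign cert_user_key_${ktype}"
+	# v00 ecdsa certs do not exist
+	test "${ktype}" = "ecdsa" && continue
+	cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
+	cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+	${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
+	    "regress user key for $USER" \
+	    -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
+		fail "couldn't sign cert_user_key_${ktype}_v00"
+done
+
+# Test explicitly-specified principals
+for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+	for privsep in yes no ; do
+		_prefix="${ktype} privsep $privsep"
+
+		# Setup for AuthorizedPrincipalsFile
+		rm -f $OBJ/authorized_keys_$USER
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "UsePrivilegeSeparation $privsep"
+			echo "AuthorizedPrincipalsFile " \
+			    "$OBJ/authorized_principals_%u"
+			echo "TrustedUserCAKeys $OBJ/user_ca_key.pub"
+		) > $OBJ/sshd_proxy
+
+		# Missing authorized_principals
+		verbose "$tid: ${_prefix} missing authorized_principals"
+		rm -f $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Empty authorized_principals
+		verbose "$tid: ${_prefix} empty authorized_principals"
+		echo > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Wrong authorized_principals
+		verbose "$tid: ${_prefix} wrong authorized_principals"
+		echo gregorsamsa > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Correct authorized_principals
+		verbose "$tid: ${_prefix} correct authorized_principals"
+		echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+
+		# authorized_principals with bad key option
+		verbose "$tid: ${_prefix} authorized_principals bad key opt"
+		echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# authorized_principals with command=false
+		verbose "$tid: ${_prefix} authorized_principals command=false"
+		echo 'command="false" mekmitasdigoat' > \
+		    $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+
+		# authorized_principals with command=true
+		verbose "$tid: ${_prefix} authorized_principals command=true"
+		echo 'command="true" mekmitasdigoat' > \
+		    $OBJ/authorized_principals_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+
+		# Setup for principals= key option
+		rm -f $OBJ/authorized_principals_$USER
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "UsePrivilegeSeparation $privsep"
+		) > $OBJ/sshd_proxy
+
+		# Wrong principals list
+		verbose "$tid: ${_prefix} wrong principals key option"
+		(
+			printf 'cert-authority,principals="gregorsamsa" '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpectedly"
+		fi
+
+		# Correct principals list
+		verbose "$tid: ${_prefix} correct principals key option"
+		(
+			printf 'cert-authority,principals="mekmitasdigoat" '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+		${SSH} -2i $OBJ/cert_user_key_${ktype} \
+		    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+		if [ $? -ne 0 ]; then
+			fail "ssh cert connect failed"
+		fi
+	done
+done
+
+basic_tests() {
+	auth=$1
+	if test "x$auth" = "xauthorized_keys" ; then
+		# Add CA to authorized_keys
+		(
+			printf 'cert-authority '
+			cat $OBJ/user_ca_key.pub
+		) > $OBJ/authorized_keys_$USER
+	else
+		echo > $OBJ/authorized_keys_$USER
+		extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
+	fi
+
+	for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+		for privsep in yes no ; do
+			_prefix="${ktype} privsep $privsep $auth"
+			# Simple connect
+			verbose "$tid: ${_prefix} connect"
+			(
+				cat $OBJ/sshd_proxy_bak
+				echo "UsePrivilegeSeparation $privsep"
+				echo "$extra_sshd"
+			) > $OBJ/sshd_proxy
+
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true
+			if [ $? -ne 0 ]; then
+				fail "ssh cert connect failed"
+			fi
+
+			# Revoked keys
+			verbose "$tid: ${_prefix} revoked key"
+			(
+				cat $OBJ/sshd_proxy_bak
+				echo "UsePrivilegeSeparation $privsep"
+				echo "RevokedKeys $OBJ/cert_user_key_revoked"
+				echo "$extra_sshd"
+			) > $OBJ/sshd_proxy
+			cp $OBJ/cert_user_key_${ktype}.pub \
+			    $OBJ/cert_user_key_revoked
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			if [ $? -eq 0 ]; then
+				fail "ssh cert connect succeeded unexpecedly"
+			fi
+			verbose "$tid: ${_prefix} revoked via KRL"
+			rm $OBJ/cert_user_key_revoked
+			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
+			    $OBJ/cert_user_key_${ktype}.pub
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			if [ $? -eq 0 ]; then
+				fail "ssh cert connect succeeded unexpecedly"
+			fi
+			verbose "$tid: ${_prefix} empty KRL"
+			${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			if [ $? -ne 0 ]; then
+				fail "ssh cert connect failed"
+			fi
+		done
+
+		# Revoked CA
+		verbose "$tid: ${ktype} $auth revoked CA key"
+		(
+			cat $OBJ/sshd_proxy_bak
+			echo "RevokedKeys $OBJ/user_ca_key.pub"
+			echo "$extra_sshd"
+		) > $OBJ/sshd_proxy
+		${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+		    somehost true >/dev/null 2>&1
+		if [ $? -eq 0 ]; then
+			fail "ssh cert connect succeeded unexpecedly"
+		fi
+	done
+
+	verbose "$tid: $auth CA does not authenticate"
+	(
+		cat $OBJ/sshd_proxy_bak
+		echo "$extra_sshd"
+	) > $OBJ/sshd_proxy
+	verbose "$tid: ensure CA key does not authenticate user"
+	${SSH} -2i $OBJ/user_ca_key \
+	    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect with CA key succeeded unexpectedly"
+	fi
+}
+
+basic_tests authorized_keys
+basic_tests TrustedUserCAKeys
+
+test_one() {
+	ident=$1
+	result=$2
+	sign_opts=$3
+	auth_choice=$4
+	auth_opt=$5
+
+	if test "x$auth_choice" = "x" ; then
+		auth_choice="authorized_keys TrustedUserCAKeys"
+	fi
+
+	for auth in $auth_choice ; do
+		for ktype in rsa rsa_v00 ; do
+			case $ktype in
+			*_v00) keyv="-t v00" ;;
+			*) keyv="" ;;
+			esac
+
+			cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+			if test "x$auth" = "xauthorized_keys" ; then
+				# Add CA to authorized_keys
+				(
+					printf "cert-authority${auth_opt} "
+					cat $OBJ/user_ca_key.pub
+				) > $OBJ/authorized_keys_$USER
+			else
+				echo > $OBJ/authorized_keys_$USER
+				echo "TrustedUserCAKeys $OBJ/user_ca_key.pub" \
+				    >> $OBJ/sshd_proxy
+				if test "x$auth_opt" != "x" ; then
+					echo $auth_opt >> $OBJ/sshd_proxy
+				fi
+			fi
+
+			verbose "$tid: $ident auth $auth expect $result $ktype"
+			${SSHKEYGEN} -q -s $OBJ/user_ca_key \
+			    -I "regress user key for $USER" \
+			    $sign_opts $keyv \
+			    $OBJ/cert_user_key_${ktype} ||
+				fail "couldn't sign cert_user_key_${ktype}"
+
+			${SSH} -2i $OBJ/cert_user_key_${ktype} \
+			    -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
+			rc=$?
+			if [ "x$result" = "xsuccess" ] ; then
+				if [ $rc -ne 0 ]; then
+					fail "$ident failed unexpectedly"
+				fi
+			else
+				if [ $rc -eq 0 ]; then
+					fail "$ident succeeded unexpectedly"
+				fi
+			fi
+		done
+	done
+}
+
+test_one "correct principal" success "-n ${USER}"
+test_one "host-certificate" failure "-n ${USER} -h"
+test_one "wrong principals" failure "-n foo"
+test_one "cert not yet valid" failure "-n ${USER} -V20200101:20300101"
+test_one "cert expired" failure "-n ${USER} -V19800101:19900101"
+test_one "cert valid interval" success "-n ${USER} -V-1w:+2w"
+test_one "wrong source-address" failure "-n ${USER} -Osource-address=10.0.0.0/8"
+test_one "force-command" failure "-n ${USER} -Oforce-command=false"
+
+# Behaviour is different here: TrustedUserCAKeys doesn't allow empty principals
+test_one "empty principals" success "" authorized_keys
+test_one "empty principals" failure "" TrustedUserCAKeys
+
+# Check explicitly-specified principals: an empty principals list in the cert
+# should always be refused.
+
+# AuthorizedPrincipalsFile
+rm -f $OBJ/authorized_keys_$USER
+echo mekmitasdigoat > $OBJ/authorized_principals_$USER
+test_one "AuthorizedPrincipalsFile principals" success "-n mekmitasdigoat" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+test_one "AuthorizedPrincipalsFile no principals" failure "" \
+    TrustedUserCAKeys "AuthorizedPrincipalsFile $OBJ/authorized_principals_%u"
+
+# principals= key option
+rm -f $OBJ/authorized_principals_$USER
+test_one "principals key option principals" success "-n mekmitasdigoat" \
+    authorized_keys ',principals="mekmitasdigoat"'
+test_one "principals key option no principals" failure "" \
+    authorized_keys ',principals="mekmitasdigoat"'
+
+# Wrong certificate
+cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do
+	case $ktype in
+	*_v00) args="-t v00" ;;
+	*) args="" ;;
+	esac
+	# Self-sign
+	${SSHKEYGEN} $args -q -s $OBJ/cert_user_key_${ktype} -I \
+	    "regress user key for $USER" \
+	    -n $USER $OBJ/cert_user_key_${ktype} ||
+		fail "couldn't sign cert_user_key_${ktype}"
+	verbose "$tid: user ${ktype} connect wrong cert"
+	${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+	    somehost true >/dev/null 2>&1
+	if [ $? -eq 0 ]; then
+		fail "ssh cert connect $ident succeeded unexpectedly"
+	fi
+done
+
+rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
+rm -f $OBJ/authorized_principals_$USER
+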
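Review bot: The "Wrong certificate" loop near the end reports `fail "ssh cert connect $ident succeeded unexpectedly"`, but `$ident` is whatever the last `test_one` call set ("principals key option no principals"), so a failure here is attributed to the wrong case; `fail "ssh cert connect wrong cert ${ktype} succeeded unexpectedly"` names the one actually under test. The same stale-`$ident` message appears in cert-hostkey.sh. In `basic_tests`, `extra_sshd` is assigned only in the `else` branch and never reset, so its value in the authorized_keys run depends on call order; it works today because `basic_tests authorized_keys` runs first, but an explicit `extra_sshd=""` before the `if` would make the function self-contained. Three `fail` messages in the same function spell "unexpecedly"; aligning them with the "unexpectedly" used everywhere else keeps log grepping consistent.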
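--- a/crypto/openssh/regress/cfgmatch.sh
+++ b/crypto/openssh/regress/cfgmatch.sh
@@ -0,0 +1,126 @@
+# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="sshd_config match"
+
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
+
+start_client()
+{
+	rm -f $pidfile
+	${SSH} -q -$p $fwd "$@" somehost \
+	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
+	    >>$TEST_REGRESS_LOGFILE 2>&1 &
+	client_pid=$!
+	# Wait for remote end
+	n=0
+	while test ! -f $pidfile ; do
+		sleep 1
+		n=`expr $n + 1`
+		if test $n -gt 60; then
+			kill $client_pid
+			fatal "timeout waiting for background ssh"
+		fi
+	done
+}
+
+stop_client()
+{
+	pid=`cat $pidfile`
+	if [ ! -z "$pid" ]; then
+		kill $pid
+	fi
+	wait
+}
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+
+start_sshd
+
+#set -x
+
+# Test Match + PermitOpen in sshd_config. This should be permitted
+for p in 1 2; do
+	trace "match permitopen localhost proto $p"
+	start_client -F $OBJ/ssh_config
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+	    fail "match permitopen permit proto $p"
+	stop_client
+done
+
+# Same but from different source. This should not be permitted
+for p in 1 2; do
+	trace "match permitopen proxy proto $p"
+	start_client -F $OBJ/ssh_proxy
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+	    fail "match permitopen deny proto $p"
+	stop_client
+done
+
+# Retry previous with key option, should also be denied.
+printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+	trace "match permitopen proxy w/key opts proto $p"
+	start_client -F $OBJ/ssh_proxy
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+	    fail "match permitopen deny w/key opt proto $p"
+	stop_client
+done
+
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+	trace "match permitopen localhost proto $p"
+	start_client -F $OBJ/ssh_config
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+	    fail "match permitopen permit proto $p"
+	stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+	trace "match permitopen proxy w/key opts proto $p"
+	start_client -F $OBJ/ssh_proxy
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+	    fail "match override permitopen proto $p"
+	stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a rule that doesn't match doesn't override, plus test a
+# PermitOpen entry that's not at the start of the list
+for p in 1 2; do
+	trace "nomatch permitopen proxy w/key opts proto $p"
+	start_client -F $OBJ/ssh_proxy
+	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+	    fail "nomatch override permitopen proto $p"
+	stop_client
+done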
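Review bot: `start_client` passes `-$p` to ssh, but `p` is not one of its parameters; it silently reads the caller's loop variable, so invoking the helper outside a `for p in 1 2` loop would hand ssh an empty or stale protocol flag. Taking the protocol explicitly (`proto=$1; shift` at the top of the function and `-$proto` in the ssh line) makes the dependency visible at each call site. The forwarding port is fixed at `fwdport=3301`; two runs of the suite on one host will contend for it, and with `ExitOnForwardFailure=yes` appended above that collision surfaces as a spurious test failure rather than a skipped case, so deriving the port from `$PORT` (which the harness already allocates) would make the test self-contained.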
58
crypto/openssh/regress/cipher-speed.sh
Normal file
@ -0,0 +1,58 @@
|
||||||
|
# $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
|
||||||
|
# Placed in the Public Domain.
|
||||||
|
|
||||||
|
tid="cipher speed"
|
||||||
|
|
||||||
|
getbytes ()
|
||||||
|
{
|
||||||
|
sed -n -e '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p' \
|
||||||
|
-e '/copied/s/.*s, \(.* MB.s\).*/\1/p'
|
||||||
|
}
|
||||||
|
|
||||||
|
tries="1 2"
|
||||||
|
|
||||||
|
ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
|
||||||
|
arcfour128 arcfour256 arcfour
|
||||||
|
aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
|
||||||
|
aes128-ctr aes192-ctr aes256-ctr"
|
||||||
|
config_defined OPENSSL_HAVE_EVPGCM && \
|
||||||
|
ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
|
||||||
|
macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
|
||||||
|
hmac-sha1-96 hmac-md5-96"
|
||||||
|
config_defined HAVE_EVP_SHA256 && \
|
||||||
|
macs="$macs hmac-sha2-256 hmac-sha2-512"
|
||||||
|
|
||||||
|
for c in $ciphers; do n=0; for m in $macs; do
|
||||||
|
trace "proto 2 cipher $c mac $m"
|
||||||
|
for x in $tries; do
|
||||||
|
printf "%-60s" "$c/$m:"
|
||||||
|
( ${SSH} -o 'compression no' \
|
||||||
|
-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
|
||||||
|
exec sh -c \'"dd of=/dev/null obs=32k"\' \
|
||||||
|
< ${DATA} ) 2>&1 | getbytes
|
||||||
|
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
fail "ssh -2 failed with mac $m cipher $c"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
# No point trying all MACs for GCM since they are ignored.
|
||||||
|
case $c in
|
||||||
|
aes*-gcm@openssh.com) test $n -gt 0 && break;;
|
||||||
|
esac
|
||||||
|
n=`expr $n + 1`
|
||||||
|
done; done
|
||||||
|
|
||||||
|
ciphers="3des blowfish"
|
||||||
|
for c in $ciphers; do
|
||||||
|
trace "proto 1 cipher $c"
|
||||||
|
for x in $tries; do
|
||||||
|
printf "%-60s" "$c:"
|
||||||
|
( ${SSH} -o 'compression no' \
|
||||||
|
-F $OBJ/ssh_proxy -1 -c $c somehost \
|
||||||
|
exec sh -c \'"dd of=/dev/null obs=32k"\' \
|
||||||
|
< ${DATA} ) 2>&1 | getbytes
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
fail "ssh -1 failed with cipher $c"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
done
|
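Review bot: The `if [ $? -ne 0 ]` that follows `( ${SSH} ... ) 2>&1 | getbytes` in both loops tests the exit status of the `sed` inside getbytes, not of ssh, and sed exits 0 whether or not it matched anything, so a failing ssh never reaches the `fail` call. One way to keep the pipeline and still check ssh is to record its status inside the subshell and test that afterwards, e.g. `( ${SSH} ... < ${DATA}; echo $? > $OBJ/ssh.status ) 2>&1 | getbytes` followed by `test "$(cat $OBJ/ssh.status)" -eq 0 || fail "ssh -2 failed with mac $m cipher $c"` (the `-1` loop the same way). The `... 2>/dev/null | cat > ${COPY}` followed by `if [ $? -ne 0 ]` in conch-ciphers.sh has the same blind spot, though the `cmp` that follows it catches a failed transfer. A one-line comment above the first loop, `# Prints dd throughput per cipher/MAC pair; for GCM ciphers the MAC loop is cut short since the MAC is ignored.`, would also tell a reader that this is a timing report rather than a correctness check.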
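--- a/crypto/openssh/regress/conch-ciphers.sh
+++ b/crypto/openssh/regress/conch-ciphers.sh
@@ -0,0 +1,28 @@
+# $OpenBSD: conch-ciphers.sh,v 1.3 2013/05/17 04:29:14 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="conch ciphers"
+
+if test "x$REGRESS_INTEROP_CONCH" != "xyes" ; then
+echo "conch interop tests not enabled"
+exit 0
+fi
+
+start_sshd
+
+for c in aes256-ctr aes256-cbc aes192-ctr aes192-cbc aes128-ctr aes128-cbc \
+cast128-cbc blowfish 3des-cbc ; do
+verbose "$tid: cipher $c"
+rm -f ${COPY}
+# XXX the 2nd "cat" seems to be needed because of buggy FD handling
+# in conch
+${CONCH} --identity $OBJ/rsa --port $PORT --user $USER -e none \
+--known-hosts $OBJ/known_hosts --notty --noagent --nox11 -n \
+127.0.0.1 "cat ${DATA}" 2>/dev/null | cat > ${COPY}
+if [ $? -ne 0 ]; then
+fail "ssh cat $DATA failed"
+fi
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+done
+rm -f ${COPY}
+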
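--- a/crypto/openssh/regress/connect-privsep.sh
+++ b/crypto/openssh/regress/connect-privsep.sh
@@ -0,0 +1,36 @@
+# $OpenBSD: connect-privsep.sh,v 1.4 2012/07/02 14:37:06 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="proxy connect with privsep"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+fail "ssh privsep+proxyconnect protocol $p failed"
+fi
+done
+
+cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+# XXX replace this with fail once sandbox has stabilised
+warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
+fi
+done
+
+# Because sandbox is sensitive to changes in libc, especially malloc, retest
+# with every malloc.conf option (and none).
+for m in '' A F G H J P R S X Z '<' '>'; do
+for p in 1 2; do
+env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed"
+fi
+done
+done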
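Review bot: The sandbox loop (the second `for p in 1 2`) only calls `warn` on failure, yet the MALLOC_OPTIONS loop directly below runs the identical configuration with `m=''` and calls `fail`, so the `# XXX replace this with fail once sandbox has stabilised` is already moot: a sandbox failure fails the test anyway through the third loop, and the warn-only loop is a softer duplicate of it. Either drop the second loop or change its `warn` to `fail` and remove the XXX comment so the two loops agree on severity. The script also leaves `$OBJ/sshd_proxy` with `UsePrivilegeSeparation sandbox` appended when it exits; if later tests in the same run reuse that file rather than regenerating it, they would run under the sandbox setting unintentionally, so a closing `cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy` would be cheap insurance.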
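--- a/crypto/openssh/regress/connect.sh
+++ b/crypto/openssh/regress/connect.sh
@@ -0,0 +1,13 @@
+# $OpenBSD: connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="simple connect"
+
+start_sshd
+
+for p in 1 2; do
+${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+fail "ssh connect with protocol $p failed"
+fi
+done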
14
crypto/openssh/regress/dsa_ssh2.prv
Normal file
14
crypto/openssh/regress/dsa_ssh2.prv
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
|
||||||
|
Subject: ssh-keygen test
|
||||||
|
Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
|
||||||
|
P2/56wAAAgIAAAAmZGwtbW9kcHtzaWdue2RzYS1uaXN0LXNoYTF9LGRoe3BsYWlufX0AAA
|
||||||
|
AEbm9uZQAAAcQAAAHAAAAAAAAABACwUfm3AxZTut3icBmwCcD48nY64HzuELlQ+vEqjIcR
|
||||||
|
Lo49es/DQTeLNQ+kdKRCfouosGNv0WqxRtF0tUsWdXxS37oHGa4QPugBdHRd7YlZGZv8kg
|
||||||
|
x7FsoepY7v7E683/97dv2zxL3AGagTEzWr7fl0yPexAaZoDvtQrrjX44BLmwAABACWQkvv
|
||||||
|
MxnD8eFkS1konFfMJ1CkuRfTN34CBZ6dY7VTSGemy4QwtFdMKmoufD0eKgy3p5WOeWCYKt
|
||||||
|
F4FhjHKZk/aaxFjjIbtkrnlvXg64QI11dSZyBN6/ViQkHPSkUDF+A6AAEhrNbQbAFSvao1
|
||||||
|
kTvNtPCtL0AkUIduEMzGQfLCTAAAAKDeC043YVo9Zo0zAEeIA4uZh4LBCQAAA/9aj7Y5ik
|
||||||
|
ehygJ4qTDSlVypsPuV+n59tMS0e2pfrSG87yf5r94AKBmJeho5OO6wYaXCxsVB7AFbSUD6
|
||||||
|
75AK8mHF4v1/+7SWKk5f8xlMCMSPZ9K0+j/W1d/q2qkhnnDZolOHDomLA+U00i5ya/jnTV
|
||||||
|
zyDPWLFpWK8u3xGBPAYX324gAAAKDHFvooRnaXdZbeWGTTqmgHB1GU9A==
|
||||||
|
---- END SSH2 ENCRYPTED PRIVATE KEY ----
|
13
crypto/openssh/regress/dsa_ssh2.pub
Normal file
13
crypto/openssh/regress/dsa_ssh2.pub
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
---- BEGIN SSH2 PUBLIC KEY ----
|
||||||
|
Subject: ssh-keygen test
|
||||||
|
Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"
|
||||||
|
AAAAB3NzaC1kc3MAAACBALBR+bcDFlO63eJwGbAJwPjydjrgfO4QuVD68SqMhxEujj16z8
|
||||||
|
NBN4s1D6R0pEJ+i6iwY2/RarFG0XS1SxZ1fFLfugcZrhA+6AF0dF3tiVkZm/ySDHsWyh6l
|
||||||
|
ju/sTrzf/3t2/bPEvcAZqBMTNavt+XTI97EBpmgO+1CuuNfjgEubAAAAFQDeC043YVo9Zo
|
||||||
|
0zAEeIA4uZh4LBCQAAAIEAlkJL7zMZw/HhZEtZKJxXzCdQpLkX0zd+AgWenWO1U0hnpsuE
|
||||||
|
MLRXTCpqLnw9HioMt6eVjnlgmCrReBYYxymZP2msRY4yG7ZK55b14OuECNdXUmcgTev1Yk
|
||||||
|
JBz0pFAxfgOgABIazW0GwBUr2qNZE7zbTwrS9AJFCHbhDMxkHywkwAAACAWo+2OYpHocoC
|
||||||
|
eKkw0pVcqbD7lfp+fbTEtHtqX60hvO8n+a/eACgZiXoaOTjusGGlwsbFQewBW0lA+u+QCv
|
||||||
|
JhxeL9f/u0lipOX/MZTAjEj2fStPo/1tXf6tqpIZ5w2aJThw6JiwPlNNIucmv4501c8gz1
|
||||||
|
ixaVivLt8RgTwGF99uI=
|
||||||
|
---- END SSH2 PUBLIC KEY ----
|
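--- a/crypto/openssh/regress/dynamic-forward.sh
+++ b/crypto/openssh/regress/dynamic-forward.sh
@@ -0,0 +1,59 @@
+# $OpenBSD: dynamic-forward.sh,v 1.10 2013/05/17 04:29:14 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="dynamic forwarding"
+
+FWDPORT=`expr $PORT + 1`
+
+if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
+proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
+elif have_prog connect; then
+proxycmd="connect -S 127.0.0.1:$FWDPORT -"
+else
+echo "skipped (no suitable ProxyCommand found)"
+exit 0
+fi
+trace "will use ProxyCommand $proxycmd"
+
+start_sshd
+
+for p in 1 2; do
+n=0
+error="1"
+trace "start dynamic forwarding, fork to background"
+while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
+n=`expr $n + 1`
+${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
+-oExitOnForwardFailure=yes somehost exec sh -c \
+\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+error=$?
+if [ "$error" -ne 0 ]; then
+trace "forward failed proto $p attempt $n err $error"
+sleep $n
+fi
+done
+if [ "$error" -ne 0 ]; then
+fatal "failed to start dynamic forwarding proto $p"
+fi
+
+for s in 4 5; do
+for h in 127.0.0.1 localhost; do
+trace "testing ssh protocol $p socks version $s host $h"
+${SSH} -F $OBJ/ssh_config \
+-o "ProxyCommand ${proxycmd}${s} $h $PORT" \
+somehost cat $DATA > $OBJ/ls.copy
+test -f $OBJ/ls.copy || fail "failed copy $DATA"
+cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
+done
+done
+
+if [ -f $OBJ/remote_pid ]; then
+remote=`cat $OBJ/remote_pid`
+trace "terminate remote shell, pid $remote"
+if [ $remote -gt 1 ]; then
+kill -HUP $remote
+fi
+else
+fail "no pid file: $OBJ/remote_pid"
+fi
+done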
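Review bot: `$OBJ/remote_pid` is never removed before a protocol iteration starts, so on the `p=2` pass the `if [ -f $OBJ/remote_pid ]` check at the bottom is satisfied by the stale file from `p=1` whenever the new remote shell has not written its pid yet (or failed to), and `kill -HUP $remote` then targets a process that already exited while the test reports success. Adding `rm -f $OBJ/remote_pid` beside `n=0` at the top of the loop body makes the check meaningful. The `[ $remote -gt 1 ]` guard also aborts with a shell error rather than a `fail` if the file is empty; `test -n "$remote" && [ "$remote" -gt 1 ]` is safer. `$OBJ/ls.copy` is left behind at the end; a trailing `rm -f $OBJ/ls.copy` would match what conch-ciphers.sh does with `${COPY}`.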
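--- a/crypto/openssh/regress/envpass.sh
+++ b/crypto/openssh/regress/envpass.sh
@@ -0,0 +1,60 @@
+# $OpenBSD: envpass.sh,v 1.4 2005/03/04 08:48:46 djm Exp $
+# Placed in the Public Domain.
+
+tid="environment passing"
+
+# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST)
+
+# Prepare a custom config to test for a configuration parsing bug fixed in 4.0
+cat << EOF > $OBJ/ssh_proxy_envpass
+Host test-sendenv-confparse-bug
+SendEnv *
+EOF
+cat $OBJ/ssh_proxy >> $OBJ/ssh_proxy_envpass
+
+trace "pass env, don't accept"
+verbose "test $tid: pass env, don't accept"
+_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy_envpass otherhost \
+sh << 'EOF'
+test -z "$_TEST_ENV"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+fail "environment found"
+fi
+
+trace "don't pass env, accept"
+verbose "test $tid: don't pass env, accept"
+_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -F $OBJ/ssh_proxy_envpass otherhost \
+sh << 'EOF'
+test -z "$_XXX_TEST_A" && test -z "$_XXX_TEST_B"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+fail "environment found"
+fi
+
+trace "pass single env, accept single env"
+verbose "test $tid: pass single env, accept single env"
+_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy_envpass \
+otherhost sh << 'EOF'
+test X"$_XXX_TEST" = X"blah"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+fail "environment not found"
+fi
+
+trace "pass multiple env, accept multiple env"
+verbose "test $tid: pass multiple env, accept multiple env"
+_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \
+-F $OBJ/ssh_proxy_envpass otherhost \
+sh << 'EOF'
+test X"$_XXX_TEST_A" = X"1" -a X"$_XXX_TEST_B" = X"2"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+fail "environment not found"
+fi
+
+rm -f $OBJ/ssh_proxy_envpass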
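Review bot: The four checks share only two failure messages — `fail "environment found"` for both the "pass env, don't accept" and "don't pass env, accept" cases, and `fail "environment not found"` for the two accept cases — so a failure line in the log does not say which case broke. Including the case name, e.g. `fail "environment found (pass env, don't accept)"`, costs nothing and matches the `verbose` lines that already carry it. `r=$?` is also the exit status of the remote `sh`, so an ssh transport failure (exit 255) is reported under the same "environment found" text; checking `[ $r -eq 255 ] && fatal "ssh failed: $tid"` before each comparison would separate connection problems from the property under test.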
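--- a/crypto/openssh/regress/exit-status.sh
+++ b/crypto/openssh/regress/exit-status.sh
@@ -0,0 +1,24 @@
+# $OpenBSD: exit-status.sh,v 1.6 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="remote exit status"
+
+for p in 1 2; do
+for s in 0 1 4 5 44; do
+trace "proto $p status $s"
+verbose "test $tid: proto $p status $s"
+${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
+r=$?
+if [ $r -ne $s ]; then
+fail "exit code mismatch for protocol $p: $r != $s"
+fi
+
+# same with early close of stdout/err
+${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
+exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+r=$?
+if [ $r -ne $s ]; then
+fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+fi
+done
+done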
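--- a/crypto/openssh/regress/forcecommand.sh
+++ b/crypto/openssh/regress/forcecommand.sh
@@ -0,0 +1,42 @@
+# $OpenBSD: forcecommand.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="forced command"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+printf 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+printf 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+for p in 1 2; do
+trace "forced command in key option proto $p"
+${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+fail "forced command in key proto $p"
+done
+
+printf 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+printf 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+trace "forced command in sshd_config overrides key option proto $p"
+${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+fail "forced command in key proto $p"
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo " ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+trace "forced command with match proto $p"
+${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+fail "forced command in key proto $p"
+done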
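Review bot: `${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||` (three places, one per loop) reads as a botched line continuation: the `\ ` is a quoted space handed to `false` as an argument, which happens to be harmless, and the `||` still binds to the ssh command, but the intent is clearly `${SSH} -$p -F $OBJ/ssh_proxy somehost false || \` with the `fail` on the continued line. All three loops also use the identical `fail "forced command in key proto $p"` although the second exercises the sshd_config `ForceCommand` override and the third the `Match` block, so the message should name the case, e.g. `fail "forced command in sshd_config proto $p"` and `fail "forced command with match proto $p"`. The script overwrites `$OBJ/authorized_keys_$USER` without taking a backup (unlike sshd_proxy) and restores neither file on exit; if the harness does not regenerate them per test, later tests would run against `command="false"` keys and a `ForceCommand` server config.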
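--- a/crypto/openssh/regress/forward-control.sh
+++ b/crypto/openssh/regress/forward-control.sh
@@ -0,0 +1,168 @@
+# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
+# Placed in the Public Domain.
+
+tid="sshd control of local and remote forwarding"
+
+LFWD_PORT=3320
+RFWD_PORT=3321
+CTL=$OBJ/ctl-sock
+READY=$OBJ/ready
+
+wait_for_file_to_appear() {
+_path=$1
+_n=0
+while test ! -f $_path ; do
+test $_n -eq 1 && trace "waiting for $_path to appear"
+_n=`expr $_n + 1`
+test $_n -ge 20 && return 1
+sleep 1
+done
+return 0
+}
+
+wait_for_process_to_exit() {
+_pid=$1
+_n=0
+while kill -0 $_pid 2>/dev/null ; do
+test $_n -eq 1 && trace "waiting for $_pid to exit"
+_n=`expr $_n + 1`
+test $_n -ge 20 && return 1
+sleep 1
+done
+return 0
+}
+
+# usage: check_lfwd protocol Y|N message
+check_lfwd() {
+_proto=$1
+_expected=$2
+_message=$3
+rm -f $READY
+${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+-L$LFWD_PORT:127.0.0.1:$PORT \
+-o ExitOnForwardFailure=yes \
+-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+>/dev/null 2>&1 &
+_sshpid=$!
+wait_for_file_to_appear $READY || \
+fatal "check_lfwd ssh fail: $_message"
+${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
+-oConnectionAttempts=4 host true >/dev/null 2>&1
+_result=$?
+kill $_sshpid `cat $READY` 2>/dev/null
+wait_for_process_to_exit $_sshpid
+if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+fail "check_lfwd failed (expecting success): $_message"
+elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+fail "check_lfwd succeeded (expecting failure): $_message"
+elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+fatal "check_lfwd invalid argument \"$_expected\""
+else
+verbose "check_lfwd done (expecting $_expected): $_message"
+fi
+}
+
+# usage: check_rfwd protocol Y|N message
+check_rfwd() {
+_proto=$1
+_expected=$2
+_message=$3
+rm -f $READY
+${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+-R$RFWD_PORT:127.0.0.1:$PORT \
+-o ExitOnForwardFailure=yes \
+-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+>/dev/null 2>&1 &
+_sshpid=$!
+wait_for_file_to_appear $READY
+_result=$?
+if test $_result -eq 0 ; then
+${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
+-oConnectionAttempts=4 host true >/dev/null 2>&1
+_result=$?
+kill $_sshpid `cat $READY` 2>/dev/null
+wait_for_process_to_exit $_sshpid
+fi
+if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+fail "check_rfwd failed (expecting success): $_message"
+elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+fail "check_rfwd succeeded (expecting failure): $_message"
+elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+fatal "check_rfwd invalid argument \"$_expected\""
+else
+verbose "check_rfwd done (expecting $_expected): $_message"
+fi
+}
+
+start_sshd
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
+cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
+
+# Sanity check: ensure the default config allows forwarding
+for p in 1 2 ; do
+check_lfwd $p Y "proto $p, default configuration"
+check_rfwd $p Y "proto $p, default configuration"
+done
+
+# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+all_tests() {
+_tcpfwd=$1
+_plain_lfwd=$2
+_plain_rfwd=$3
+_nopermit_lfwd=$4
+_nopermit_rfwd=$5
+_permit_lfwd=$6
+_permit_rfwd=$7
+_badfwd=127.0.0.1:22
+_goodfwd=127.0.0.1:${PORT}
+for _proto in 1 2 ; do
+cp ${OBJ}/authorized_keys_${USER}.bak \
+${OBJ}/authorized_keys_${USER}
+_prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
+# No PermitOpen
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_proto $_plain_lfwd "$_prefix"
+check_rfwd $_proto $_plain_rfwd "$_prefix"
+# PermitOpen via sshd_config that doesn't match
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ;
+echo "PermitOpen $_badfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
+check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
+# PermitOpen via sshd_config that does match
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ;
+echo "PermitOpen $_badfwd $_goodfwd" ) \
+> ${OBJ}/sshd_proxy
+# NB. permitopen via authorized_keys should have same
+# success/fail as via sshd_config
+# permitopen via authorized_keys that doesn't match
+sed "s/^/permitopen=\"$_badfwd\" /" \
+< ${OBJ}/authorized_keys_${USER}.bak \
+> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
+check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
+# permitopen via authorized_keys that does match
+sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+< ${OBJ}/authorized_keys_${USER}.bak \
+> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+( cat ${OBJ}/sshd_proxy.bak ;
+echo "AllowTcpForwarding $_tcpfwd" ) \
+> ${OBJ}/sshd_proxy
+check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
+check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
+done
+}
+
+# no-permitopen mismatch-permitopen match-permitopen
+# AllowTcpForwarding local remote local remote local remote
+all_tests yes Y Y N Y Y Y
+all_tests local Y N N N Y N
+all_tests remote N Y N Y N Y
+all_tests no N N N N N N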
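Review bot: `LFWD_PORT=3320` and `RFWD_PORT=3321` are fixed listening ports while the rest of the suite derives ports from `$PORT` (dynamic-forward.sh uses `expr $PORT + 1`); if either port is already bound on the host, `-o ExitOnForwardFailure=yes` makes ssh exit before `$READY` is written, so `check_lfwd` aborts with its `fatal` and `check_rfwd` either fails or, when `N` is expected, passes for the wrong reason. Deriving them, e.g. `LFWD_PORT=$(expr $PORT + 1)` and `RFWD_PORT=$(expr $PORT + 2)`, removes that dependency on what else is listening. `CTL=$OBJ/ctl-sock` is assigned and never used. In `check_rfwd`, when `wait_for_file_to_appear` fails the background ssh is neither killed nor waited on, so a session that was merely slow to start (rather than rejected by ExitOnForwardFailure) is left running into the next check; moving the `kill`/`wait_for_process_to_exit` pair outside the `if` would reap it in both paths.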
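--- a/crypto/openssh/regress/forwarding.sh
+++ b/crypto/openssh/regress/forwarding.sh
@@ -0,0 +1,121 @@
+# $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="local and remote forwarding"
+
+DATA=/bin/ls${EXEEXT}
+
+start_sshd
+
+base=33
+last=$PORT
+fwd=""
+for j in 0 1 2; do
+for i in 0 1 2; do
+a=$base$j$i
+b=`expr $a + 50`
+c=$last
+# fwd chain: $a -> $b -> $c
+fwd="$fwd -L$a:127.0.0.1:$b -R$b:127.0.0.1:$c"
+last=$a
+done
+done
+for p in 1 2; do
+q=`expr 3 - $p`
+trace "start forwarding, fork to background"
+${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
+
+trace "transfer over forwarded channels and check result"
+${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
+somehost cat ${DATA} > ${COPY}
+test -f ${COPY} || fail "failed copy of ${DATA}"
+cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+
+sleep 10
+done
+
+for p in 1 2; do
+for d in L R; do
+trace "exit on -$d forward failure, proto $p"
+
+# this one should succeed
+${SSH} -$p -F $OBJ/ssh_config \
+-$d ${base}01:127.0.0.1:$PORT \
+-$d ${base}02:127.0.0.1:$PORT \
+-$d ${base}03:127.0.0.1:$PORT \
+-$d ${base}04:127.0.0.1:$PORT \
+-oExitOnForwardFailure=yes somehost true
+if [ $? != 0 ]; then
+fail "connection failed, should not"
+else
+# this one should fail
+${SSH} -q -$p -F $OBJ/ssh_config \
+-$d ${base}01:127.0.0.1:$PORT \
+-$d ${base}02:127.0.0.1:$PORT \
+-$d ${base}03:127.0.0.1:$PORT \
+-$d ${base}01:127.0.0.1:$PORT \
+-$d ${base}04:127.0.0.1:$PORT \
+-oExitOnForwardFailure=yes somehost true
+r=$?
+if [ $r != 255 ]; then
+fail "connection not termintated, but should ($r)"
+fi
+fi
+done
+done
+
+for p in 1 2; do
+trace "simple clear forwarding proto $p"
+${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
+
+trace "clear local forward proto $p"
+${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
+-oClearAllForwardings=yes somehost sleep 10
+if [ $? != 0 ]; then
+fail "connection failed with cleared local forwarding"
+else
+# this one should fail
+${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
+>>$TEST_REGRESS_LOGFILE 2>&1 && \
+fail "local forwarding not cleared"
+fi
+sleep 10
+
+trace "clear remote forward proto $p"
+${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
+-oClearAllForwardings=yes somehost sleep 10
+if [ $? != 0 ]; then
+fail "connection failed with cleared remote forwarding"
+else
+# this one should fail
+${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
+>>$TEST_REGRESS_LOGFILE 2>&1 && \
+fail "remote forwarding not cleared"
+fi
+sleep 10
+done
+
+for p in 2; do
+trace "stdio forwarding proto $p"
+cmd="${SSH} -$p -F $OBJ/ssh_config"
+$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \
+somehost true
+if [ $? != 0 ]; then
+fail "stdio forwarding proto $p"
+fi
+done
+
+echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
+echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
+for p in 1 2; do
+trace "config file: start forwarding, fork to background"
+${SSH} -$p -F $OBJ/ssh_config -f somehost sleep 10
+
+trace "config file: transfer over forwarded channels and check result"
+${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
+somehost cat ${DATA} > ${COPY}
+test -f ${COPY} || fail "failed copy of ${DATA}"
+cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+
+wait
+done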
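Review bot: The `wait` at the end of the config-file loop most likely does not wait for the `${SSH} ... -f somehost sleep 10` session, since `-f` makes ssh background itself and the surviving process is not a job of this shell; every earlier loop uses `sleep 10` for that purpose, and without it the `${base}01` forward from the `p=1` pass may still be bound when the `p=2` pass sets up its `LocalForward`, so the second transfer could succeed over the first session. Replacing `wait` with `sleep 10` keeps the loops consistent. `fail "connection not termintated, but should ($r)"` has a typo ("terminated"). The two `echo ... >> $OBJ/ssh_config` lines also change the shared client config for the rest of the run, so if the harness does not regenerate `ssh_config` per test, every later ssh invocation will try to establish those forwards.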
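--- a/crypto/openssh/regress/host-expand.sh
+++ b/crypto/openssh/regress/host-expand.sh
@@ -0,0 +1,18 @@
+# Placed in the Public Domain.
+
+tid="expand %h and %n"
+
+echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
+printf 'LocalCommand printf "%%%%s\\n" "%%n" "%%h"\n' >> $OBJ/ssh_proxy
+
+cat >$OBJ/expect <<EOE
+somehost
+127.0.0.1
+EOE
+
+for p in 1 2; do
+verbose "test $tid: proto $p"
+${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual
+diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
+done
+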
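--- a/crypto/openssh/regress/integrity.sh
+++ b/crypto/openssh/regress/integrity.sh
@@ -0,0 +1,76 @@
+# $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="integrity"
+
+# start at byte 2900 (i.e. after kex) and corrupt at different offsets
+# XXX the test hangs if we modify the low bytes of the packet length
+# XXX and ssh tries to read...
+tries=10
+startoffset=2900
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
+hmac-sha1-96 hmac-md5-96
+hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
+umac-64-etm@openssh.com umac-128-etm@openssh.com
+hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com"
+config_defined HAVE_EVP_SHA256 &&
+macs="$macs hmac-sha2-256 hmac-sha2-512
+hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
+# The following are not MACs, but ciphers with integrated integrity. They are
+# handled specially below.
+config_defined OPENSSL_HAVE_EVPGCM && \
+macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
+
+# avoid DH group exchange as the extra traffic makes it harder to get the
+# offset into the stream right.
+echo "KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1" \
+>> $OBJ/ssh_proxy
+
+# sshd-command for proxy (see test-exec.sh)
+cmd="$SUDO sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSHD_LOGFILE} -i -f $OBJ/sshd_proxy"
+
+for m in $macs; do
+trace "test $tid: mac $m"
+elen=0
+epad=0
+emac=0
+ecnt=0
+skip=0
+for off in `jot $tries $startoffset`; do
+skip=`expr $skip - 1`
+if [ $skip -gt 0 ]; then
+# avoid modifying the high bytes of the length
+continue
+fi
+# modify output from sshd at offset $off
+pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
+case $m in
+aes*gcm*) macopt="-c $m";;
+*) macopt="-m $m";;
+esac
+verbose "test $tid: $m @$off"
+${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+999.999.999.999 'printf "%4096s" " "' >/dev/null
+if [ $? -eq 0 ]; then
+fail "ssh -m $m succeeds with bit-flip at $off"
+fi
+ecnt=`expr $ecnt + 1`
+output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \
+tr -s '\r\n' '.')
+case "$output" in
+Bad?packet*) elen=`expr $elen + 1`; skip=3;;
+Corrupted?MAC* | Decryption?integrity?check?failed*)
+emac=`expr $emac + 1`; skip=0;;
+padding*) epad=`expr $epad + 1`; skip=0;;
+*) fail "unexpected error mac $m at $off";;
+esac
+done
+verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
+if [ $emac -eq 0 ]; then
+fail "$m: no mac errors"
+fi
+expect=`expr $ecnt - $epad - $elen`
+if [ $emac -ne $expect ]; then
+fail "$m: expected $expect mac errors, got $emac"
+fi
+done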
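Review bot: The error classification reads `tail -2 $TEST_SSH_LOGFILE`, and if that log accumulates across the ssh runs in the loop (how the harness opens it is outside this file), an iteration whose ssh left only `debug` lines or nothing at the tail would be classified by the previous iteration's message and counted under the wrong error class, which then feeds the `expect`/`emac` arithmetic at the bottom. Truncating the log before each run, `: > $TEST_SSH_LOGFILE` just before the `${SSH} $macopt ...` line, would make the attribution exact. `egrep` is deprecated in favour of `grep -E`. The fixed `startoffset=2900` silently depends on the `KexAlgorithms` line above remaining in force; a comment tying them together, `# 2900 assumes group14/group1 kex, see KexAlgorithms above`, would keep the two in step when either is edited.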
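--- a/crypto/openssh/regress/kextype.sh
+++ b/crypto/openssh/regress/kextype.sh
@@ -0,0 +1,30 @@
+# $OpenBSD: kextype.sh,v 1.1 2010/09/22 12:26:05 djm Exp $
+# Placed in the Public Domain.
+
+tid="login with different key exchange algorithms"
+
+TIME=/usr/bin/time
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
+
+if test "$TEST_SSH_ECC" = "yes"; then
+kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
+fi
+if test "$TEST_SSH_SHA256" = "yes"; then
+kextypes="$kextypes diffie-hellman-group-exchange-sha256"
+fi
+kextypes="$kextypes diffie-hellman-group-exchange-sha1"
+kextypes="$kextypes diffie-hellman-group14-sha1"
+kextypes="$kextypes diffie-hellman-group1-sha1"
+
+tries="1 2 3 4"
+for k in $kextypes; do
+verbose "kex $k"
+for i in $tries; do
+${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
+if [ $? -ne 0 ]; then
+fail "ssh kex $k"
+fi
+done
+done
+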
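Review bot: `kextypes` is never initialised, only appended to: when `TEST_SSH_ECC` is not "yes" the first assignment is skipped and the script inherits whatever `kextypes` happens to be in the caller's environment, silently adding arbitrary words to the list of algorithms under test (or making ssh fail on an unknown KexAlgorithms value). Adding `kextypes=""` before the first `if` closes that. `TIME=/usr/bin/time` is assigned and never used, and the two `cp ... _bak` copies at the top are never consumed or restored either; dropping all three avoids implying a restore that does not happen.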
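--- /dev/null
+++ b/crypto/openssh/regress/key-options.sh
@@ -0,0 +1,71 @@
+# $OpenBSD: key-options.sh,v 1.2 2008/06/30 08:07:34 djm Exp $
+# Placed in the Public Domain.
+
+tid="key options"
+
+origkeys="$OBJ/authkeys_orig"
+authkeys="$OBJ/authorized_keys_${USER}"
+cp $authkeys $origkeys
+
+# Test command= forced command
+for p in 1 2; do
+for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
+sed "s/.*/$c &/" $origkeys >$authkeys
+verbose "key option proto $p $c"
+r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
+if [ "$r" = "foo" ]; then
+fail "key option forced command not restricted"
+fi
+if [ "$r" != "bar" ]; then
+fail "key option forced command not executed"
+fi
+done
+done
+
+# Test no-pty
+sed 's/.*/no-pty &/' $origkeys >$authkeys
+for p in 1 2; do
+verbose "key option proto $p no-pty"
+r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
+if [ -f "$r" ]; then
+fail "key option failed proto $p no-pty (pty $r)"
+fi
+done
+
+# Test environment=
+echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
+sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
+for p in 1 2; do
+verbose "key option proto $p environment"
+r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
+if [ "$r" != "bar" ]; then
+fail "key option environment not set"
+fi
+done
+
+# Test from= restriction
+start_sshd
+for p in 1 2; do
+for f in 127.0.0.1 '127.0.0.0\/8'; do
+cat $origkeys >$authkeys
+${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+fail "key option proto $p failed without restriction"
+fi
+
+sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
+from=`head -1 $authkeys | cut -f1 -d ' '`
+verbose "key option proto $p $from"
+r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
+if [ "$r" = "true" ]; then
+fail "key option proto $p $from not restricted"
+fi
+
+r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
+if [ "$r" != "true" ]; then
+fail "key option proto $p $from not allowed but should be"
+fi
+done
+done
+
+rm -f "$origkeys"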
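Review bot: The final `rm -f "$origkeys"` deletes the pristine copy of `$authkeys` without restoring it first, so when this script ends `$authkeys` still carries the last `from="127.0.0.0/8"` prefix written by the `sed` in the from= loop. Unless the harness regenerates the authorized_keys file before every test, any later test sharing that file inherits the source restriction; `cp "$origkeys" "$authkeys"` immediately before the `rm` avoids that. The same holds for `echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy`, which is appended and never reverted.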
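--- /dev/null
+++ b/crypto/openssh/regress/keygen-change.sh
@@ -0,0 +1,23 @@
+# $OpenBSD: keygen-change.sh,v 1.2 2002/07/16 09:15:55 markus Exp $
+# Placed in the Public Domain.
+
+tid="change passphrase for key"
+
+S1="secret1"
+S2="2secret"
+
+for t in rsa dsa rsa1; do
+# generate user key for agent
+trace "generating $t key"
+rm -f $OBJ/$t-key
+${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
+if [ $? -eq 0 ]; then
+${SSHKEYGEN} -p -P ${S1} -N ${S2} -f $OBJ/$t-key > /dev/null
+if [ $? -ne 0 ]; then
+fail "ssh-keygen -p failed for $t-key"
+fi
+else
+fail "ssh-keygen for $t-key failed"
+fi
+rm -f $OBJ/$t-key $OBJ/$t-key.pub
+done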
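Review bot: The loop only checks that `ssh-keygen -p` exits 0; it never verifies that the key is now protected by `${S2}`, so an implementation that reports success without re-encrypting the file would still pass. Adding `${SSHKEYGEN} -y -P ${S2} -f $OBJ/$t-key > /dev/null || fail "new passphrase rejected for $t-key"` after the `-p` step closes that gap. Note also that `-P`/`-N` put the passphrases on the command line, which is acceptable for these constructed test secrets but is not a pattern to copy into non-test tooling.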
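--- /dev/null
+++ b/crypto/openssh/regress/keygen-convert.sh
@@ -0,0 +1,33 @@
+# $OpenBSD: keygen-convert.sh,v 1.1 2009/11/09 04:20:04 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="convert keys"
+
+for t in rsa dsa; do
+# generate user key for agent
+trace "generating $t key"
+rm -f $OBJ/$t-key
+${SSHKEYGEN} -q -N "" -t $t -f $OBJ/$t-key
+
+trace "export $t private to rfc4716 public"
+${SSHKEYGEN} -q -e -f $OBJ/$t-key >$OBJ/$t-key-rfc || \
+fail "export $t private to rfc4716 public"
+
+trace "export $t public to rfc4716 public"
+${SSHKEYGEN} -q -e -f $OBJ/$t-key.pub >$OBJ/$t-key-rfc.pub || \
+fail "$t public to rfc4716 public"
+
+cmp $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub || \
+fail "$t rfc4716 exports differ between public and private"
+
+trace "import $t rfc4716 public"
+${SSHKEYGEN} -q -i -f $OBJ/$t-key-rfc >$OBJ/$t-rfc-imported || \
+fail "$t import rfc4716 public"
+
+cut -f1,2 -d " " $OBJ/$t-key.pub >$OBJ/$t-key-nocomment.pub
+cmp $OBJ/$t-key-nocomment.pub $OBJ/$t-rfc-imported || \
+fail "$t imported differs from original"
+
+rm -f $OBJ/$t-key $OBJ/$t-key.pub $OBJ/$t-key-rfc $OBJ/$t-key-rfc.pub \
+$OBJ/$t-rfc-imported $OBJ/$t-key-nocomment.pub
+done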
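Review bot: `${SSHKEYGEN} -q -N "" -t $t -f $OBJ/$t-key` has no exit-status check, unlike the same step in keygen-change.sh from this commit, so a failed generation is only reported later as a misleading "export $t private to rfc4716 public" failure. `${SSHKEYGEN} -q -N "" -t $t -f $OBJ/$t-key || fail "generating $t key"` keeps the diagnosis at the step that actually failed.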
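--- /dev/null
+++ b/crypto/openssh/regress/keys-command.sh
@@ -0,0 +1,39 @@
+# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="authorized keys from command"
+
+if test -z "$SUDO" ; then
+echo "skipped (SUDO not set)"
+echo "need SUDO to create file in /var/run, test won't work without"
+exit 0
+fi
+
+# Establish a AuthorizedKeysCommand in /var/run where it will have
+# acceptable directory permissions.
+KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
+#!/bin/sh
+test "x\$1" != "x${LOGNAME}" && exit 1
+exec cat "$OBJ/authorized_keys_${LOGNAME}"
+_EOF
+$SUDO chmod 0755 "$KEY_COMMAND"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
+(
+grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
+echo AuthorizedKeysFile none
+echo AuthorizedKeysCommand $KEY_COMMAND
+echo AuthorizedKeysCommandUser ${LOGNAME}
+) > $OBJ/sshd_proxy
+
+if [ -x $KEY_COMMAND ]; then
+${SSH} -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+fail "connect failed"
+fi
+else
+echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
+fi
+
+$SUDO rm -f $KEY_COMMAND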
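Review bot: The root-owned `$KEY_COMMAND` created under /var/run is only removed by the last line, so a `fatal` from the harness or an interrupted run leaves a stale root-owned script behind; if the harness allows it, `trap '$SUDO rm -f "$KEY_COMMAND"' 0` right after the chmod would bound its lifetime. Quoting is also inconsistent: `[ -x $KEY_COMMAND ]` and `$SUDO rm -f $KEY_COMMAND` are unquoted while the creation and `chmod` lines quote the same path. `cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak` is never restored, which is presumably fine if every test starts from a fresh sshd_proxy — a short comment confirming that assumption would help.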
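--- /dev/null
+++ b/crypto/openssh/regress/keyscan.sh
@@ -0,0 +1,19 @@
+# $OpenBSD: keyscan.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="keyscan"
+
+# remove DSA hostkey
+rm -f ${OBJ}/host.dsa
+
+start_sshd
+
+for t in rsa1 rsa dsa; do
+trace "keyscan type $t"
+${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
+> /dev/null 2>&1
+r=$?
+if [ $r -ne 0 ]; then
+fail "ssh-keyscan -t $t failed with: $r"
+fi
+done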
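--- /dev/null
+++ b/crypto/openssh/regress/keytype.sh
@@ -0,0 +1,55 @@
+# $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="login with different key types"
+
+TIME=`which time 2>/dev/null`
+if test ! -x "$TIME"; then
+TIME=""
+fi
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
+
+ktypes="dsa-1024 rsa-2048 rsa-3072"
+if test "$TEST_SSH_ECC" = "yes"; then
+ktypes="$ktypes ecdsa-256 ecdsa-384 ecdsa-521"
+fi
+
+for kt in $ktypes; do
+rm -f $OBJ/key.$kt
+bits=`echo ${kt} | awk -F- '{print $2}'`
+type=`echo ${kt} | awk -F- '{print $1}'`
+printf "keygen $type, $bits bits:\t"
+${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\
+fail "ssh-keygen for type $type, $bits bits failed"
+done
+
+tries="1 2 3"
+for ut in $ktypes; do
+htypes=$ut
+#htypes=$ktypes
+for ht in $htypes; do
+trace "ssh connect, userkey $ut, hostkey $ht"
+(
+grep -v HostKey $OBJ/sshd_proxy_bak
+echo HostKey $OBJ/key.$ht
+) > $OBJ/sshd_proxy
+(
+grep -v IdentityFile $OBJ/ssh_proxy_bak
+echo IdentityFile $OBJ/key.$ut
+) > $OBJ/ssh_proxy
+(
+printf 'localhost-with-alias,127.0.0.1,::1 '
+cat $OBJ/key.$ht.pub
+) > $OBJ/known_hosts
+cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
+for i in $tries; do
+printf "userkey $ut, hostkey ${ht}:\t"
+${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+fail "ssh userkey $ut, hostkey $ht failed"
+fi
+done
+done
+done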
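Review bot: The commented-out `#htypes=$ktypes` next to `htypes=$ut` leaves the reader guessing whether the full user-key × host-key matrix is meant to be tested; either delete it or replace it with a comment such as `# Only test matching user/host key types; the full cross product is too slow.` (run time is presumably the reason, but the file does not say). The `sshd_proxy_bak`/`ssh_proxy_bak` copies are consumed by the `grep -v` pipelines, but `$OBJ/known_hosts` and `$OBJ/authorized_keys_$USER` are overwritten with no backup — fine if the harness regenerates them per test, otherwise they should be restored at the end.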
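--- /dev/null
+++ b/crypto/openssh/regress/krl.sh
@@ -0,0 +1,157 @@
+# $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+# Placed in the Public Domain.
+
+tid="key revocation lists"
+
+# If we don't support ecdsa keys then this tell will be much slower.
+ECDSA=ecdsa
+if test "x$TEST_SSH_ECC" != "xyes"; then
+ECDSA=rsa
+fi
+
+# Do most testing with ssh-keygen; it uses the same verification code as sshd.
+
+# Old keys will interfere with ssh-keygen.
+rm -f $OBJ/revoked-* $OBJ/krl-*
+
+# Generate a CA key
+$SSHKEYGEN -t $ECDSA -f $OBJ/revoked-ca -C "" -N "" > /dev/null ||
+fatal "$SSHKEYGEN CA failed"
+
+# A specification that revokes some certificates by serial numbers
+# The serial pattern is chosen to ensure the KRL includes list, range and
+# bitmap sections.
+cat << EOF >> $OBJ/revoked-serials
+serial: 1-4
+serial: 10
+serial: 15
+serial: 30
+serial: 50
+serial: 999
+# The following sum to 500-799
+serial: 500
+serial: 501
+serial: 502
+serial: 503-600
+serial: 700-797
+serial: 798
+serial: 799
+serial: 599-701
+EOF
+
+# A specification that revokes some certificated by key ID.
+touch $OBJ/revoked-keyid
+for n in 1 2 3 4 10 15 30 50 `jot 500 300` 999 1000 1001 1002; do
+# Fill in by-ID revocation spec.
+echo "id: revoked $n" >> $OBJ/revoked-keyid
+done
+
+keygen() {
+N=$1
+f=$OBJ/revoked-`printf "%04d" $N`
+# Vary the keytype. We use mostly ECDSA since this is fastest by far.
+keytype=$ECDSA
+case $N in
+2 | 10 | 510 | 1001) keytype=rsa;;
+4 | 30 | 520 | 1002) keytype=dsa;;
+esac
+$SSHKEYGEN -t $keytype -f $f -C "" -N "" > /dev/null \
+|| fatal "$SSHKEYGEN failed"
+# Sign cert
+$SSHKEYGEN -s $OBJ/revoked-ca -z $n -I "revoked $N" $f >/dev/null 2>&1 \
+|| fatal "$SSHKEYGEN sign failed"
+echo $f
+}
+
+# Generate some keys.
+verbose "$tid: generating test keys"
+REVOKED_SERIALS="1 4 10 50 500 510 520 799 999"
+for n in $REVOKED_SERIALS ; do
+f=`keygen $n`
+REVOKED_KEYS="$REVOKED_KEYS ${f}.pub"
+REVOKED_CERTS="$REVOKED_CERTS ${f}-cert.pub"
+done
+NOTREVOKED_SERIALS="5 9 14 16 29 30 49 51 499 800 1000 1001"
+NOTREVOKED=""
+for n in $NOTREVOKED_SERIALS ; do
+NOTREVOKED_KEYS="$NOTREVOKED_KEYS ${f}.pub"
+NOTREVOKED_CERTS="$NOTREVOKED_CERTS ${f}-cert.pub"
+done
+
+genkrls() {
+OPTS=$1
+$SSHKEYGEN $OPTS -kf $OBJ/krl-empty - </dev/null \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keys $REVOKED_KEYS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-cert $REVOKED_CERTS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-all $REVOKED_KEYS $REVOKED_CERTS \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-ca $OBJ/revoked-ca.pub \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+# KRLs from serial/key-id spec need the CA specified.
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial $OBJ/revoked-serials \
+>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid $OBJ/revoked-keyid \
+>/dev/null 2>&1 && fatal "$SSHKEYGEN KRL succeeded unexpectedly"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-serial -s $OBJ/revoked-ca $OBJ/revoked-serials \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+$SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
+>/dev/null || fatal "$SSHKEYGEN KRL failed"
+}
+
+verbose "$tid: generating KRLs"
+genkrls
+
+check_krl() {
+KEY=$1
+KRL=$2
+EXPECT_REVOKED=$3
+TAG=$4
+$SSHKEYGEN -Qf $KRL $KEY >/dev/null
+result=$?
+if test "x$EXPECT_REVOKED" = "xyes" -a $result -eq 0 ; then
+fatal "key $KEY not revoked by KRL $KRL: $TAG"
+elif test "x$EXPECT_REVOKED" = "xno" -a $result -ne 0 ; then
+fatal "key $KEY unexpectedly revoked by KRL $KRL: $TAG"
+fi
+}
+test_all() {
+FILES=$1
+TAG=$2
+KEYS_RESULT=$3
+ALL_RESULT=$4
+SERIAL_RESULT=$5
+KEYID_RESULT=$6
+CERTS_RESULT=$7
+CA_RESULT=$8
+verbose "$tid: checking revocations for $TAG"
+for f in $FILES ; do
+check_krl $f $OBJ/krl-empty no "$TAG"
+check_krl $f $OBJ/krl-keys $KEYS_RESULT "$TAG"
+check_krl $f $OBJ/krl-all $ALL_RESULT "$TAG"
+check_krl $f $OBJ/krl-serial $SERIAL_RESULT "$TAG"
+check_krl $f $OBJ/krl-keyid $KEYID_RESULT "$TAG"
+check_krl $f $OBJ/krl-cert $CERTS_RESULT "$TAG"
+check_krl $f $OBJ/krl-ca $CA_RESULT "$TAG"
+done
+}
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes
+
+# Check update. Results should be identical.
+verbose "$tid: testing KRL update"
+for f in $OBJ/krl-keys $OBJ/krl-cert $OBJ/krl-all \
+$OBJ/krl-ca $OBJ/krl-serial $OBJ/krl-keyid ; do
+cp -f $OBJ/krl-empty $f
+genkrls -u
+done
+# keys all serial keyid certs CA
+test_all "$REVOKED_KEYS" "revoked keys" yes yes no no no no
+test_all "$UNREVOKED_KEYS" "unrevoked keys" no no no no no no
+test_all "$REVOKED_CERTS" "revoked certs" yes yes yes yes yes yes
+test_all "$UNREVOKED_CERTS" "unrevoked certs" no no no no no yes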
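Review bot: The "unrevoked" half of this test is vacuous: the loop over `$NOTREVOKED_SERIALS` never calls `keygen`, so it appends the stale `$f` left by the revoked loop, and the four `test_all "$UNREVOKED_KEYS"` / `"$UNREVOKED_CERTS"` calls reference variables that are never assigned (the loop fills `NOTREVOKED_KEYS`/`NOTREVOKED_CERTS`), so `check_krl` runs over an empty list and can only pass. The loop should generate a key per serial and use the names the `test_all` calls expect; once that is done the serial list also needs pruning, since `serial: 30` is in `revoked-serials` and `1000`/`1001` are in the by-ID list, so the "unrevoked certs" expectation of `no` for the serial and keyid KRLs would trip on them. Separately, `keygen()` signs with `-z $n` while the rest of the function uses `$N`; it only works because the caller's loop variable happens to be `n`, so it should be `-z $N`. `NOTREVOKED=""` is unused.

```shell
NOTREVOKED_SERIALS="5 9 14 16 29 49 51 499 800"
for n in $NOTREVOKED_SERIALS ; do
	f=`keygen $n`
	UNREVOKED_KEYS="$UNREVOKED_KEYS ${f}.pub"
	UNREVOKED_CERTS="$UNREVOKED_CERTS ${f}-cert.pub"
done
# … unchanged: genkrls, check_krl, test_all and the test_all calls …
```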
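--- /dev/null
+++ b/crypto/openssh/regress/localcommand.sh
@@ -0,0 +1,15 @@
+# $OpenBSD: localcommand.sh,v 1.2 2013/05/17 10:24:48 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="localcommand"
+
+echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
+echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy
+
+for p in 1 2; do
+verbose "test $tid: proto $p localcommand"
+a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true`
+if [ "$a" != "foo" ] ; then
+fail "$tid proto $p"
+fi
+done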
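--- /dev/null
+++ b/crypto/openssh/regress/login-timeout.sh
@@ -0,0 +1,29 @@
+# $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="connect after login grace timeout"
+
+trace "test login grace with privsep"
+echo "LoginGraceTime 10s" >> $OBJ/sshd_config
+echo "MaxStartups 1" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+fail "ssh connect after login grace timeout failed with privsep"
+fi
+
+$SUDO kill `$SUDO cat $PIDFILE`
+
+trace "test login grace without privsep"
+echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+fail "ssh connect after login grace timeout failed without privsep"
+fi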
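Review bot: The test silently depends on a `telnet` binary: if it is absent, the `(echo SSH-2.0-fake; sleep 60) | telnet …` pipeline fails in the background, nothing occupies the single `MaxStartups 1` slot, and the following `${SSH} … true` succeeds for the wrong reason, so both halves pass vacuously. A guard such as `which telnet >/dev/null 2>&1 || { echo "skipped (no telnet)"; exit 0; }` before the first `start_sshd` makes the dependency explicit. The two backgrounded pipelines also keep running for up to 60 seconds after the script returns, and the second sshd is never killed here, so the harness has to clean both up.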
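--- /dev/null
+++ b/crypto/openssh/regress/modpipe.c
@@ -0,0 +1,175 @@
+/*
+* Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+*
+* Permission to use, copy, modify, and distribute this software for any
+* purpose with or without fee is hereby granted, provided that the above
+* copyright notice and this permission notice appear in all copies.
+*
+* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+
+/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <errno.h>
+#include "openbsd-compat/getopt_long.c"
+
+static void err(int, const char *, ...) __attribute__((format(printf, 2, 3)));
+static void errx(int, const char *, ...) __attribute__((format(printf, 2, 3)));
+
+static void
+err(int r, const char *fmt, ...)
+{
+va_list args;
+
+va_start(args, fmt);
+fprintf(stderr, "%s: ", strerror(errno));
+vfprintf(stderr, fmt, args);
+fputc('\n', stderr);
+va_end(args);
+exit(r);
+}
+
+static void
+errx(int r, const char *fmt, ...)
+{
+va_list args;
+
+va_start(args, fmt);
+vfprintf(stderr, fmt, args);
+fputc('\n', stderr);
+va_end(args);
+exit(r);
+}
+
+static void
+usage(void)
+{
+fprintf(stderr, "Usage: modpipe -w [-m modspec ...] < in > out\n");
+fprintf(stderr, "modspec is one of:\n");
+fprintf(stderr, " xor:offset:value - XOR \"value\" at \"offset\"\n");
+fprintf(stderr, " andor:offset:val1:val2 - AND \"val1\" then OR \"val2\" at \"offset\"\n");
+exit(1);
+}
+
+#define MAX_MODIFICATIONS 256
+struct modification {
+enum { MOD_XOR, MOD_AND_OR } what;
+u_int64_t offset;
+u_int8_t m1, m2;
+};
+
+static void
+parse_modification(const char *s, struct modification *m)
+{
+char what[16+1];
+int n, m1, m2;
+
+bzero(m, sizeof(*m));
+if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i",
+what, &m->offset, &m1, &m2)) < 3)
+errx(1, "Invalid modification spec \"%s\"", s);
+if (strcasecmp(what, "xor") == 0) {
+if (n > 3)
+errx(1, "Invalid modification spec \"%s\"", s);
+if (m1 < 0 || m1 > 0xff)
+errx(1, "Invalid XOR modification value");
+m->what = MOD_XOR;
+m->m1 = m1;
+} else if (strcasecmp(what, "andor") == 0) {
+if (n != 4)
+errx(1, "Invalid modification spec \"%s\"", s);
+if (m1 < 0 || m1 > 0xff)
+errx(1, "Invalid AND modification value");
+if (m2 < 0 || m2 > 0xff)
+errx(1, "Invalid OR modification value");
+m->what = MOD_AND_OR;
+m->m1 = m1;
+m->m2 = m2;
+} else
+errx(1, "Invalid modification type \"%s\"", what);
+}
+
+int
+main(int argc, char **argv)
+{
+int ch;
+u_char buf[8192];
+size_t total;
+ssize_t r, s, o;
+struct modification mods[MAX_MODIFICATIONS];
+u_int i, wflag = 0, num_mods = 0;
+
+while ((ch = getopt(argc, argv, "wm:")) != -1) {
+switch (ch) {
+case 'm':
+if (num_mods >= MAX_MODIFICATIONS)
+errx(1, "Too many modifications");
+parse_modification(optarg, &(mods[num_mods++]));
+break;
+case 'w':
+wflag = 1;
+break;
+default:
+usage();
+/* NOTREACHED */
+}
+}
+for (total = 0;;) {
+r = s = read(STDIN_FILENO, buf, sizeof(buf));
+if (r == 0)
+break;
+if (r < 0) {
+if (errno == EAGAIN || errno == EINTR)
+continue;
+err(1, "read");
+}
+for (i = 0; i < num_mods; i++) {
+if (mods[i].offset < total ||
+mods[i].offset >= total + s)
+continue;
+switch (mods[i].what) {
+case MOD_XOR:
+buf[mods[i].offset - total] ^= mods[i].m1;
+break;
+case MOD_AND_OR:
+buf[mods[i].offset - total] &= mods[i].m1;
+buf[mods[i].offset - total] |= mods[i].m2;
+break;
+}
+}
+for (o = 0; o < s; o += r) {
+r = write(STDOUT_FILENO, buf, s - o);
+if (r == 0)
+break;
+if (r < 0) {
+if (errno == EAGAIN || errno == EINTR)
+continue;
+err(1, "write");
+}
+}
+total += s;
+}
+/* Warn if modifications not reached in input stream */
+r = 0;
+for (i = 0; wflag && i < num_mods; i++) {
+if (mods[i].offset < total)
+continue;
+r = 1;
+fprintf(stderr, "modpipe: warning - mod %u not reached\n", i);
+}
+return r;
+}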
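Review bot: The partial-write loop in main() is wrong: `r = write(STDOUT_FILENO, buf, s - o);` always writes from the start of `buf`, so after a short write the first `o` bytes are emitted a second time and the tail of the block is lost, silently corrupting the output the integrity tests rely on; it should be `r = write(STDOUT_FILENO, buf + o, s - o);`. Separately, parse_modification() parses the offset with `%lli` into `&m->offset`, whose type is `u_int64_t`, not `long long`; the widths happen to agree on common targets but the signedness does not, so parse into a `long long` temporary, reject negatives, and assign. The usage string also shows `-w` as if it were mandatory although the option parser treats it as optional.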
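--- /dev/null
+++ b/crypto/openssh/regress/multiplex.sh
@@ -0,0 +1,143 @@
+# $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $
+# Placed in the Public Domain.
+
+CTL=/tmp/openssh.regress.ctl-sock.$$
+
+tid="connection multiplexing"
+
+if config_defined DISABLE_FD_PASSING ; then
+echo "skipped (not supported on this platform)"
+exit 0
+fi
+
+P=3301 # test port
+
+wait_for_mux_master_ready()
+{
+for i in 1 2 3 4 5; do
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost \
+>/dev/null 2>&1 && return 0
+sleep $i
+done
+fatal "mux master never becomes ready"
+}
+
+start_sshd
+
+start_mux_master()
+{
+trace "start master, fork to background"
+${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \
+-E $TEST_REGRESS_LOGFILE 2>&1 &
+MASTER_PID=$!
+wait_for_mux_master_ready
+}
+
+start_mux_master
+
+verbose "test $tid: envpass"
+trace "env passing over multiplexed connection"
+_XXX_TEST=blah ${SSH} -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" -S$CTL otherhost sh << 'EOF'
+test X"$_XXX_TEST" = X"blah"
+EOF
+if [ $? -ne 0 ]; then
+fail "environment not found"
+fi
+
+verbose "test $tid: transfer"
+rm -f ${COPY}
+trace "ssh transfer over multiplexed connection and check result"
+${SSH} -F $OBJ/ssh_config -S$CTL otherhost cat ${DATA} > ${COPY}
+test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "ssh transfer over multiplexed connection and check result"
+${SSH} -F $OBJ/ssh_config -S $CTL otherhost cat ${DATA} > ${COPY}
+test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "sftp transfer over multiplexed connection and check result"
+echo "get ${DATA} ${COPY}" | \
+${SFTP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost >>$TEST_REGRESS_LOGFILE 2>&1
+test -f ${COPY} || fail "sftp: failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "scp transfer over multiplexed connection and check result"
+${SCP} -S ${SSH} -F $OBJ/ssh_config -oControlPath=$CTL otherhost:${DATA} ${COPY} >>$TEST_REGRESS_LOGFILE 2>&1
+test -f ${COPY} || fail "scp: failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+
+for s in 0 1 4 5 44; do
+trace "exit status $s over multiplexed connection"
+verbose "test $tid: status $s"
+${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s
+r=$?
+if [ $r -ne $s ]; then
+fail "exit code mismatch for protocol $p: $r != $s"
+fi
+
+# same with early close of stdout/err
+trace "exit status $s with early close over multiplexed connection"
+${SSH} -F $OBJ/ssh_config -S $CTL -n otherhost \
+exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+r=$?
+if [ $r -ne $s ]; then
+fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+fi
+done
+
+verbose "test $tid: cmd check"
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
+|| fail "check command failed"
+
+verbose "test $tid: cmd forward local"
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \
+|| fail "request local forward failed"
+${SSH} -F $OBJ/ssh_config -p$P otherhost true \
+|| fail "connect to local forward port failed"
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \
+|| fail "cancel local forward failed"
+${SSH} -F $OBJ/ssh_config -p$P otherhost true \
+&& fail "local forward port still listening"
+
+verbose "test $tid: cmd forward remote"
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \
+|| fail "request remote forward failed"
+${SSH} -F $OBJ/ssh_config -p$P otherhost true \
+|| fail "connect to remote forwarded port failed"
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \
+|| fail "cancel remote forward failed"
+${SSH} -F $OBJ/ssh_config -p$P otherhost true \
+&& fail "remote forward port still listening"
+
+verbose "test $tid: cmd exit"
+${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
+|| fail "send exit command failed"
+
+# Wait for master to exit
+wait $MASTER_PID
+kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
+
+# Restart master and test -O stop command with master using -N
+verbose "test $tid: cmd stop"
+trace "restart master, fork to background"
+start_mux_master
+
+# start a long-running command then immediately request a stop
+${SSH} -F $OBJ/ssh_config -S $CTL otherhost "sleep 10; exit 0" \
+>>$TEST_REGRESS_LOGFILE 2>&1 &
+SLEEP_PID=$!
+${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
+|| fail "send stop command failed"
+
+# wait until both long-running command and master have exited.
+wait $SLEEP_PID
+[ $! != 0 ] || fail "waiting for concurrent command"
+wait $MASTER_PID
+[ $! != 0 ] || fail "waiting for master stop"
+kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"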
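Review bot: `[ $! != 0 ] || fail "waiting for concurrent command"` (and the identical line after `wait $MASTER_PID`) tests `$!`, the PID of the last background job, which is never 0, so these two checks can never fail; the status of `wait` is in `$?`, i.e. `[ $? != 0 ] || fail "waiting for concurrent command"`. The two `fail "exit code mismatch for protocol $p: …"` messages interpolate `$p`, which is not set anywhere in this file, so the diagnostic will read "for protocol :" — drop the phrase or use `$s`/`$tid`. `CTL=/tmp/openssh.regress.ctl-sock.$$` is a predictable name in a shared world-writable directory, presumably chosen over `$OBJ` because of the Unix-socket path length limit; a comment saying so, or a `mktemp -d`-created private directory, would make that choice deliberate rather than accidental.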
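--- /dev/null
+++ b/crypto/openssh/regress/portnum.sh
@@ -0,0 +1,34 @@
+# $OpenBSD: portnum.sh,v 1.2 2013/05/17 10:34:30 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="port number parsing"
+
+badport() {
+port=$1
+verbose "$tid: invalid port $port"
+if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then
+fail "$tid accepted invalid port $port"
+fi
+}
+goodport() {
+port=$1
+verbose "$tid: valid port $port"
+if ${SSH} -F $OBJ/ssh_proxy -p $port somehost true 2>/dev/null ; then
+:
+else
+fail "$tid rejected valid port $port"
+fi
+}
+
+badport 0
+badport 65536
+badport 131073
+badport 2000blah
+badport blah2000
+
+goodport 1
+goodport 22
+goodport 2222
+goodport 22222
+goodport 65535
+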
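--- /dev/null
+++ b/crypto/openssh/regress/proto-mismatch.sh
@@ -0,0 +1,19 @@
+# $OpenBSD: proto-mismatch.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="protocol version mismatch"
+
+mismatch ()
+{
+server=$1
+client=$2
+banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
+r=$?
+trace "sshd prints ${banner}"
+if [ $r -ne 255 ]; then
+fail "sshd prints ${banner} and accepts connect with version ${client}"
+fi
+}
+
+mismatch 2 SSH-1.5-HALLO
+mismatch 1 SSH-2.0-HALLO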
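--- /dev/null
+++ b/crypto/openssh/regress/proto-version.sh
@@ -0,0 +1,34 @@
+# $OpenBSD: proto-version.sh,v 1.4 2013/05/17 00:37:40 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="sshd version with different protocol combinations"
+
+# we just start sshd in inetd mode and check the banner
+check_version ()
+{
+version=$1
+expect=$2
+banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
+case ${banner} in
+SSH-1.99-*)
+proto=199
+;;
+SSH-2.0-*)
+proto=20
+;;
+SSH-1.5-*)
+proto=15
+;;
+*)
+proto=0
+;;
+esac
+if [ ${expect} -ne ${proto} ]; then
+fail "wrong protocol version ${banner} for ${version}"
+fi
+}
+
+check_version 2,1 199
+check_version 1,2 199
+check_version 2 20
+check_version 1 15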