[src/trunk]: src/crypto/external/bsd/openssh/dist Resolve conflicts
details: https://anonhg.NetBSD.org/src/rev/fe9874be7c9e
branches: trunk
changeset: 758925:fe9874be7c9e
user: adam <adam%NetBSD.org@localhost>
date: Sun Nov 21 18:29:48 2010 +0000
description:
Resolve conflicts
diffstat:
crypto/external/bsd/openssh/dist/README.smartcard | 73 -
crypto/external/bsd/openssh/dist/addrmatch.c | 82 +-
crypto/external/bsd/openssh/dist/auth-options.c | 295 ++-
crypto/external/bsd/openssh/dist/auth-options.h | 7 +-
crypto/external/bsd/openssh/dist/auth-rh-rsa.c | 9 +-
crypto/external/bsd/openssh/dist/auth-rhosts.c | 14 +-
crypto/external/bsd/openssh/dist/auth-rsa.c | 16 +-
crypto/external/bsd/openssh/dist/auth.c | 121 +-
crypto/external/bsd/openssh/dist/auth.h | 10 +-
crypto/external/bsd/openssh/dist/auth1.c | 8 +-
crypto/external/bsd/openssh/dist/auth2-hostbased.c | 38 +-
crypto/external/bsd/openssh/dist/auth2-none.c | 8 +-
crypto/external/bsd/openssh/dist/auth2-pubkey.c | 206 +-
crypto/external/bsd/openssh/dist/authfd.c | 38 +-
crypto/external/bsd/openssh/dist/authfd.h | 5 +-
crypto/external/bsd/openssh/dist/authfile.c | 142 +-
crypto/external/bsd/openssh/dist/authfile.h | 7 +-
crypto/external/bsd/openssh/dist/bufaux.c | 38 +-
crypto/external/bsd/openssh/dist/buffer.c | 12 +-
crypto/external/bsd/openssh/dist/buffer.h | 11 +-
crypto/external/bsd/openssh/dist/canohost.c | 24 +-
crypto/external/bsd/openssh/dist/channels.c | 363 ++-
crypto/external/bsd/openssh/dist/channels.h | 31 +-
crypto/external/bsd/openssh/dist/clientloop.c | 167 +-
crypto/external/bsd/openssh/dist/clientloop.h | 17 +-
crypto/external/bsd/openssh/dist/dh.c | 8 +-
crypto/external/bsd/openssh/dist/dns.c | 12 +-
crypto/external/bsd/openssh/dist/dns.h | 8 +-
crypto/external/bsd/openssh/dist/hostfile.c | 105 +-
crypto/external/bsd/openssh/dist/hostfile.h | 9 +-
crypto/external/bsd/openssh/dist/jpake.c | 6 +-
crypto/external/bsd/openssh/dist/kex.c | 17 +-
crypto/external/bsd/openssh/dist/kex.h | 9 +-
crypto/external/bsd/openssh/dist/kexdhs.c | 23 +-
crypto/external/bsd/openssh/dist/kexgexs.c | 24 +-
crypto/external/bsd/openssh/dist/key.c | 748 ++++++-
crypto/external/bsd/openssh/dist/key.h | 40 +-
crypto/external/bsd/openssh/dist/match.h | 6 +-
crypto/external/bsd/openssh/dist/misc.c | 39 +-
crypto/external/bsd/openssh/dist/misc.h | 5 +-
crypto/external/bsd/openssh/dist/monitor.c | 27 +-
crypto/external/bsd/openssh/dist/monitor_fdpass.c | 25 +-
crypto/external/bsd/openssh/dist/monitor_wrap.c | 23 +-
crypto/external/bsd/openssh/dist/mux.c | 2031 +++++++++++++++----
crypto/external/bsd/openssh/dist/myproposal.h | 11 +-
crypto/external/bsd/openssh/dist/nchan.c | 25 +-
crypto/external/bsd/openssh/dist/packet.c | 8 +-
crypto/external/bsd/openssh/dist/pathnames.h | 7 +-
crypto/external/bsd/openssh/dist/readconf.c | 92 +-
crypto/external/bsd/openssh/dist/readconf.h | 14 +-
crypto/external/bsd/openssh/dist/roaming_common.c | 59 +-
crypto/external/bsd/openssh/dist/scard.c | 572 -----
crypto/external/bsd/openssh/dist/scard.h | 40 -
crypto/external/bsd/openssh/dist/scard/Makefile | 20 -
crypto/external/bsd/openssh/dist/scard/Ssh.bin.uu | 17 -
crypto/external/bsd/openssh/dist/scard/Ssh.java | 164 -
crypto/external/bsd/openssh/dist/scp.1 | 8 +-
crypto/external/bsd/openssh/dist/scp.c | 43 +-
crypto/external/bsd/openssh/dist/servconf.c | 99 +-
crypto/external/bsd/openssh/dist/servconf.h | 11 +-
crypto/external/bsd/openssh/dist/session.c | 119 +-
crypto/external/bsd/openssh/dist/sftp-client.c | 308 ++-
crypto/external/bsd/openssh/dist/sftp-client.h | 23 +-
crypto/external/bsd/openssh/dist/sftp-common.c | 33 +-
crypto/external/bsd/openssh/dist/sftp-common.h | 6 +-
crypto/external/bsd/openssh/dist/sftp-server.8 | 27 +-
crypto/external/bsd/openssh/dist/sftp-server.c | 123 +-
crypto/external/bsd/openssh/dist/sftp.1 | 95 +-
crypto/external/bsd/openssh/dist/sftp.c | 860 ++++++--
crypto/external/bsd/openssh/dist/ssh-add.1 | 34 +-
crypto/external/bsd/openssh/dist/ssh-add.c | 68 +-
crypto/external/bsd/openssh/dist/ssh-agent.1 | 24 +-
crypto/external/bsd/openssh/dist/ssh-agent.c | 163 +-
crypto/external/bsd/openssh/dist/ssh-dss.c | 12 +-
crypto/external/bsd/openssh/dist/ssh-keygen.1 | 276 ++-
crypto/external/bsd/openssh/dist/ssh-keygen.c | 1172 +++++++++--
crypto/external/bsd/openssh/dist/ssh-keyscan.1 | 6 +-
crypto/external/bsd/openssh/dist/ssh-keyscan.c | 169 +-
crypto/external/bsd/openssh/dist/ssh-keysign.8 | 17 +-
crypto/external/bsd/openssh/dist/ssh-keysign.c | 12 +-
crypto/external/bsd/openssh/dist/ssh-rsa.c | 21 +-
crypto/external/bsd/openssh/dist/ssh.1 | 186 +-
crypto/external/bsd/openssh/dist/ssh.c | 375 ++-
crypto/external/bsd/openssh/dist/ssh.h | 7 +-
crypto/external/bsd/openssh/dist/ssh2.h | 14 +-
crypto/external/bsd/openssh/dist/ssh_config | 5 +-
crypto/external/bsd/openssh/dist/ssh_config.5 | 117 +-
crypto/external/bsd/openssh/dist/sshconnect.c | 110 +-
crypto/external/bsd/openssh/dist/sshconnect2.c | 77 +-
crypto/external/bsd/openssh/dist/sshd.8 | 145 +-
crypto/external/bsd/openssh/dist/sshd.c | 139 +-
crypto/external/bsd/openssh/dist/sshd_config | 10 +-
crypto/external/bsd/openssh/dist/sshd_config.5 | 96 +-
crypto/external/bsd/openssh/dist/sshpty.h | 8 +-
crypto/external/bsd/openssh/dist/sshtty.c | 27 +-
crypto/external/bsd/openssh/dist/version.h | 6 +-
96 files changed, 7903 insertions(+), 3084 deletions(-)
diffs (truncated from 18005 to 300 lines):
diff -r 889d2ada2c05 -r fe9874be7c9e crypto/external/bsd/openssh/dist/README.smartcard
--- a/crypto/external/bsd/openssh/dist/README.smartcard Sun Nov 21 17:59:36 2010 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,73 +0,0 @@
-How to use smartcards with OpenSSH?
-
-OpenSSH contains experimental support for authentication using
-Cyberflex smartcards and TODOS card readers. To enable this you
-need to:
-
-(1) enable SMARTCARD support in OpenSSH:
-
- $ vi /usr/src/usr.bin/ssh/Makefile.inc
- and uncomment
- CFLAGS+= -DSMARTCARD
- LDADD+= -lsectok
-
-(2) If you have used a previous version of ssh with your card, you
- must remove the old applet and keys.
-
- $ sectok
- sectok> login -d
- sectok> junload Ssh.bin
- sectok> delete 0012
- sectok> delete sh
- sectok> quit
-
-(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
-
- $ sectok
- sectok> login -d
- sectok> jload /usr/libdata/ssh/Ssh.bin
- sectok> setpass
- Enter new AUT0 passphrase:
- Re-enter passphrase:
- sectok> quit
-
- Do not forget the passphrase. There is no way to
- recover if you do.
-
- IMPORTANT WARNING: If you attempt to login with the
- wrong passphrase three times in a row, you will
- destroy your card.
-
-(4) load a RSA key to the card:
-
- $ ssh-keygen -f /path/to/rsakey -U 1
- (where 1 is the reader number, you can also try 0)
-
- In spite of the name, this does not generate a key.
- It just loads an already existing key on to the card.
-
-(5) tell the ssh client to use the card reader:
-
- $ ssh -I 1 otherhost
-
-(6) or tell the agent (don't forget to restart) to use the smartcard:
-
- $ ssh-add -s 1
-
-(7) Optional: If you don't want to use a card passphrase, change the
- acl on the private key file:
-
- $ sectok
- sectok> login -d
- sectok> acl 0012 world: w
- world: w
- AUT0: w inval
- sectok> quit
-
- If you do this, anyone who has access to your card
- can assume your identity. This is not recommended.
-
--markus,
-Tue Jul 17 23:54:51 CEST 2001
-
-$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $
diff -r 889d2ada2c05 -r fe9874be7c9e crypto/external/bsd/openssh/dist/addrmatch.c
--- a/crypto/external/bsd/openssh/dist/addrmatch.c Sun Nov 21 17:59:36 2010 +0000
+++ b/crypto/external/bsd/openssh/dist/addrmatch.c Sun Nov 21 18:29:48 2010 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: addrmatch.c,v 1.2 2009/06/07 22:38:46 christos Exp $ */
-/* $OpenBSD: addrmatch.c,v 1.4 2008/12/10 03:55:20 stevesk Exp $ */
+/* $NetBSD: addrmatch.c,v 1.3 2010/11/21 18:29:48 adam Exp $ */
+/* $OpenBSD: addrmatch.c,v 1.5 2010/02/26 20:29:54 djm Exp $ */
/*
* Copyright (c) 2004-2008 Damien Miller <djm%mindrot.org@localhost>
@@ -18,7 +18,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: addrmatch.c,v 1.2 2009/06/07 22:38:46 christos Exp $");
+__RCSID("$NetBSD: addrmatch.c,v 1.3 2010/11/21 18:29:48 adam Exp $");
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
@@ -125,6 +125,8 @@
switch (af) {
case AF_INET:
n->af = AF_INET;
+ if (l == 0)
+ return 0;
n->v4.s_addr = htonl((0xffffffff << (32 - l)) & 0xffffffff);
return 0;
case AF_INET6:
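Review bot: The new `if (l == 0) return 0;` in the AF_INET case carries no comment saying it guards `0xffffffff << (32 - l)`, where a shift by 32 on a 32-bit operand is undefined. I would add `/* l == 0: a shift by 32 is undefined; leave the mask all-zero */` above it. The early return only produces a correct /0 mask if `n` was zeroed before the `switch`; that presumably happens earlier in the function, which starts and ends outside this hunk, so it is worth confirming.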
@@ -421,3 +423,77 @@
return ret;
}
+
+/*
+ * Match "addr" against list CIDR list "_list". Lexical wildcards and
+ * negation are not supported. If "addr" == NULL, will verify structure
+ * of "_list".
+ *
+ * Returns 1 on match found (never returned when addr == NULL).
+ * Returns 0 on if no match found, or no errors found when addr == NULL.
+ * Returns -1 on error
+ */
+int
+addr_match_cidr_list(const char *addr, const char *_list)
+{
+ char *list, *cp, *o;
+ struct xaddr try_addr, match_addr;
+ u_int masklen;
+ int ret = 0, r;
+
+ if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
+ debug2("%s: couldn't parse address %.100s", __func__, addr);
+ return 0;
+ }
+ if ((o = list = strdup(_list)) == NULL)
+ return -1;
+ while ((cp = strsep(&list, ",")) != NULL) {
+ if (*cp == '\0') {
+ error("%s: empty entry in list \"%.100s\"",
+ __func__, o);
+ ret = -1;
+ break;
+ }
+
+ /*
+ * NB. This function is called in pre-auth with untrusted data,
+ * so be extra paranoid about junk reaching getaddrino (via
+ * addr_pton_cidr).
+ */
+
+ /* Stop junk from reaching getaddrinfo. +3 is for masklen */
+ if (strlen(cp) > INET6_ADDRSTRLEN + 3) {
+ error("%s: list entry \"%.100s\" too long",
+ __func__, cp);
+ ret = -1;
+ break;
+ }
+#define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/"
+ if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) {
+ error("%s: list entry \"%.100s\" contains invalid "
+ "characters", __func__, cp);
+ ret = -1;
+ }
+
+ /* Prefer CIDR address matching */
+ r = addr_pton_cidr(cp, &match_addr, &masklen);
+ if (r == -1) {
+ error("Invalid network entry \"%.100s\"", cp);
+ ret = -1;
+ break;
+ } else if (r == -2) {
+ error("Inconsistent mask length for "
+ "network \"%.100s\"", cp);
+ ret = -1;
+ break;
+ } else if (r == 0 && addr != NULL) {
+ if (addr_netmatch(&try_addr, &match_addr,
+ masklen) == 0)
+ ret = 1;
+ continue;
+ }
+ }
+ xfree(o);
+
+ return ret;
+}
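Review bot: The `VALID_CIDR_CHARS` branch in `addr_match_cidr_list()` sets `ret = -1` but, unlike every other error branch in the loop, has no `break;`. An entry with characters outside the allow-list is therefore still passed to `addr_pton_cidr()`, which is what the preceding comment says must not happen with pre-auth data. If `addr_pton_cidr()` were to accept such an entry, a match on it or on a later entry would overwrite the -1 with 1. Add `break;` after `ret = -1;` in that branch. The comment also misspells getaddrinfo as `getaddrino`, and the `continue;` at the end of the last branch is redundant.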
diff -r 889d2ada2c05 -r fe9874be7c9e crypto/external/bsd/openssh/dist/auth-options.c
--- a/crypto/external/bsd/openssh/dist/auth-options.c Sun Nov 21 17:59:36 2010 +0000
+++ b/crypto/external/bsd/openssh/dist/auth-options.c Sun Nov 21 18:29:48 2010 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: auth-options.c,v 1.2 2009/06/07 22:38:46 christos Exp $ */
-/* $OpenBSD: auth-options.c,v 1.44 2009/01/22 10:09:16 djm Exp $ */
+/* $NetBSD: auth-options.c,v 1.3 2010/11/21 18:29:48 adam Exp $ */
+/* $OpenBSD: auth-options.c,v 1.52 2010/05/20 23:46:02 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo%cs.hut.fi@localhost>
* Copyright (c) 1995 Tatu Ylonen <ylo%cs.hut.fi@localhost>, Espoo, Finland
@@ -12,7 +12,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: auth-options.c,v 1.2 2009/06/07 22:38:46 christos Exp $");
+__RCSID("$NetBSD: auth-options.c,v 1.3 2010/11/21 18:29:48 adam Exp $");
#include <sys/types.h>
#include <sys/queue.h>
@@ -29,10 +29,10 @@
#include "canohost.h"
#include "buffer.h"
#include "channels.h"
-#include "auth-options.h"
#include "servconf.h"
#include "misc.h"
#include "key.h"
+#include "auth-options.h"
#include "hostfile.h"
#include "auth.h"
#ifdef GSSAPI
@@ -46,6 +46,7 @@
int no_x11_forwarding_flag = 0;
int no_pty_flag = 0;
int no_user_rc = 0;
+int key_is_cert_authority = 0;
/* "command=" option. */
char *forced_command = NULL;
@@ -56,6 +57,9 @@
/* "tunnel=" option. */
int forced_tun_device = -1;
+/* "principals=" option. */
+char *authorized_principals = NULL;
+
extern ServerOptions options;
void
@@ -66,6 +70,7 @@
no_pty_flag = 0;
no_x11_forwarding_flag = 0;
no_user_rc = 0;
+ key_is_cert_authority = 0;
while (custom_environment) {
struct envstring *ce = custom_environment;
custom_environment = ce->next;
@@ -76,9 +81,12 @@
xfree(forced_command);
forced_command = NULL;
}
+ if (authorized_principals) {
+ xfree(authorized_principals);
+ authorized_principals = NULL;
+ }
forced_tun_device = -1;
channel_clear_permitted_opens();
- auth_debug_reset();
}
/*
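Review bot: Queued auth_debug messages are no longer discarded when the options are cleared, because the call to `auth_debug_reset()` is gone from this routine. Messages produced while parsing one key's options may then still be pending when the next key is tried, unless every caller now resets them itself; the callers are not visible here. A one-line comment on the function would document the new contract, for example `/* does not reset queued auth_debug messages; callers must do that */`. The function begins outside the hunk.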
@@ -98,6 +106,12 @@
return 1;
while (*opts && *opts != ' ' && *opts != '\t') {
+ cp = "cert-authority";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ key_is_cert_authority = 1;
+ opts += strlen(cp);
+ goto next_option;
+ }
cp = "no-port-forwarding";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
auth_debug_add("Port forwarding disabled.");
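Review bot: `key_is_cert_authority` is set as soon as the `cert-authority` prefix matches, before the rest of the option string has been validated. `strncasecmp(opts, cp, strlen(cp))` also matches longer tokens that merely begin with that text, so rejecting those depends on the `next_option` code outside this hunk. Since the flag is a file-level global that changes how a key is trusted, a comment at the assignment would help, for example `/* only meaningful if the whole option string parses */`, if that is the intended contract. Unlike the neighbouring options, this branch also records no `auth_debug_add()` message.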
@@ -136,6 +150,8 @@
cp = "command=\"";
if (strncasecmp(opts, cp, strlen(cp)) == 0) {
opts += strlen(cp);
+ if (forced_command != NULL)
+ xfree(forced_command);
forced_command = xmalloc(strlen(opts) + 1);
i = 0;
while (*opts) {
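Review bot: A second `command="..."` option on the same line now silently replaces the first, because the added lines free the earlier `forced_command` and parsing continues without a log entry. For an option that restricts what a key may run, I would at least document the last-one-wins behaviour with `/* a repeated command= replaces the earlier value */`, or reject the duplicate. The `principals=` branch added in the following hunk follows the same pattern. The enclosing loop starts and ends outside the hunk.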
@@ -162,6 +178,38 @@
opts++;
goto next_option;
}
+ cp = "principals=\"";
+ if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+ opts += strlen(cp);
+ if (authorized_principals != NULL)
+ xfree(authorized_principals);
+ authorized_principals = xmalloc(strlen(opts) + 1);
+ i = 0;
+ while (*opts) {
+ if (*opts == '"')
+ break;
+ if (*opts == '\\' && opts[1] == '"') {
+ opts += 2;
+ authorized_principals[i++] = '"';
+ continue;
+ }
+ authorized_principals[i++] = *opts++;
+ }
+ if (!*opts) {