
AIX openssh patches
I have a few patches for AIX. The patchfile is attached below. The patch
has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25,
with openssl-0.94, using RSAref.

1) authenticate support - this function lets the system determine
authentication. Whatever the system allows for login, authenticate
will too. It doesn't matter whether it is AFS, DFS, SecureID, or local.

2) loginsuccess - this function will log to /etc/security/lastlog as
well as clear the failed logins.

3) loginfailed - this function will increase the number of failed logins
and update /etc/security/lastlog and /etc/security/failedlogins.

4) loginrestrictions - this function will determine if a user is allowed
to login (ie too many failed logins, account disabled, etc). This
function is used in conjunction with authenticate.

5) SOCKS5 and SOCKS4 support.

6) Support for the system random function instead of egd or /dev/urandom.


There is one fix that should be put in. In sshd.c, function do_authloop,
client_user needs to be set to NULL after the xfree. There is a double free
happening here.



*** acconfig.h.DIST Tue Jan 11 09:38:15 2000
--- acconfig.h Tue Jan 11 12:11:02 2000
***************
*** 12,17 ****
--- 12,23 ----
/* Define if you want to disable PAM support */
#undef DISABLE_PAM

+ /* Define if you want to disable AIX4's authenticate function */
+ #undef WITH_AIXAUTHENTICATE
+
+ /* Define if you want to use system random */
+ #undef USE_SYSRANDOM
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG

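Review bot: The comment `/* Define if you want to disable AIX4's authenticate function */` says the opposite of what WITH_AIXAUTHENTICATE does — configure defines it when --with-aixauthenticate is given (L473) and auth-passwd.c enables the authenticate() call under it (L125). The config.h.in copy at L372 has the correct wording, `/* Define if you want AIX4's authenticate function */`; use the same here so the two files do not disagree.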
***************
*** 29,34 ****
--- 35,69 ----

/* Define if using the Dante SOCKS library. */
#undef HAVE_DANTE
+
+ /* Define this if compiling with SOCKS (the firewall traversal library). */
+ #undef SOCKS
+ #undef SOCKS4
+ #undef SOCKS5
+
+ #undef Rconnect
+ #undef Rgetsockname
+ #undef Rgetpeername
+ #undef Rbind
+ #undef Raccept
+ #undef Rlisten
+ #undef Rselect
+ #undef Rrecvfrom
+ #undef Rsendto
+ #undef Rrecv
+ #undef Rsend
+ #undef Rread
+ #undef Rwrite
+ #undef Rrresvport
+ #undef Rshutdown
+ #undef Rlisten
+ #undef Rclose
+ #undef Rdup
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
+
+

/* Define if your ssl headers are included with #include <ssl/header.h> */
#undef HAVE_SSL
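Review bot: `#undef Rlisten` appears twice in this block (L67 and L77), and the duplication is carried into config.h.in (L397, L407) and into configure's `#define Rlisten SOCKSlisten` (L786, L826); it is harmless to the preprocessor, but it suggests the list was assembled by hand, so the extra entry is worth removing in all three places. The block also leaves two trailing blank `+` lines before the HAVE_SSL comment.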
*** auth-passwd.c.DIST Tue Jan 11 09:19:33 2000
--- auth-passwd.c Tue Jan 11 09:45:13 2000
***************
*** 18,23 ****
--- 18,27 ----
#include "servconf.h"
#include "xmalloc.h"

+ #ifdef WITH_AIXAUTHENTICATE
+ #include <login.h>
+ #endif
+
#ifdef HAVE_SHADOW_H
# include <shadow.h>
#endif
***************
*** 40,45 ****
--- 44,55 ----
struct spwd *spw;
#endif

+ #ifdef WITH_AIXAUTHENTICATE
+ char *authmsg;
+ char *loginmsg;
+ int reenter = 1;
+ #endif
+
/* deny if no user. */
if (pw == NULL)
return 0;
***************
*** 55,60 ****
--- 65,79 ----
return ret;
/* Fall back to ordinary passwd authentication. */
}
+ #endif
+ #ifdef WITH_AIXAUTHENTICATE
+
+ if ( (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) &&
+ (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0))
+ return 1;
+ else
+ return 0;
+
#endif
#ifdef KRB4
if (options.kerberos_authentication == 1) {
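Review bot: The result of `authenticate()` is treated as final even though `reenter` is passed to it and never read afterwards; if the library sets it to request another round (which the name and the initial value of 1 suggest), that round never happens and the decision is made on an incomplete exchange. `authmsg` and `loginmsg` are likewise filled in and then discarded, so the reason for a denial is never logged and, if the library allocates them, they leak on every attempt. auth_password starts and ends outside this hunk. A rewrite that loops while reenter is set, logs the messages at debug level and frees both strings is sketched below; the exact reenter/return contract must be confirmed against the AIX documentation before relying on it.
```c
#ifdef WITH_AIXAUTHENTICATE
	{
		int result;

		/* TODO confirm against AIX docs: a non-zero reenter is taken
		 * to mean the library expects the caller to call again. */
		do {
			authmsg = NULL;
			result = authenticate(pw->pw_name, password, &reenter, &authmsg);
			if (authmsg != NULL) {
				debug("AIX authenticate: %.100s", authmsg);
				free(authmsg);
			}
		} while (reenter);

		if (result != 0)
			return 0;

		loginmsg = NULL;
		result = loginrestrictions(pw->pw_name, S_LOGIN, NULL, &loginmsg);
		if (loginmsg != NULL) {
			debug("AIX loginrestrictions: %.100s", loginmsg);
			free(loginmsg);
		}
		return result == 0;
	}
#endif
```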
*** bsd-misc.c.DIST Tue Jan 11 09:48:36 2000
--- bsd-misc.c Wed Jan 19 08:29:59 2000
***************
*** 52,61 ****
--- 52,67 ----
#include "ssh.h"
#include "bsd-misc.h"

+ #if 0
#ifndef offsetof
#define offsetof(type, member) ((size_t) &((type *)0)->member)
#endif
+ #endif

+ #ifdef USE_SYSRANDOM
+ #include <time.h>
+ #endif
+
#ifndef HAVE_ARC4RANDOM

typedef struct
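Review bot: Wrapping the offsetof fallback in `#if 0` disables it on every platform rather than fixing whatever conflict it caused on AIX, and leaves dead code in the tree; if the AIX headers already define offsetof, including `<stddef.h>` (where the standard places it) and deleting the local definition gives the same result without the dead block. The `#include <time.h>` added for USE_SYSRANDOM covers time(), but `srandom()`, `rand()` and `getpid()` used at L167-170 also need `<stdlib.h>` and `<unistd.h>` unless the headers already included above pull them in.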
***************
*** 135,140 ****
--- 141,156 ----

void get_random_bytes(unsigned char *buf, int len)
{
+
+ #ifdef USE_SYSRANDOM
+ int index;
+
+ srandom(time(NULL) + getpid());
+
+ for (index = 0; index < len+1; index++) {
+ buf[index] = rand()%255;
+ }
+ #else /* USE_SYSRANDOM */
static int random_pool;
int c;
#ifdef HAVE_EGD
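Review bot: The USE_SYSRANDOM path seeds a libc PRNG from `time(NULL) + getpid()` and fills key material from `rand()`, which is not a usable source for session keys or key generation: the seed has only a few bits of uncertainty to anyone who knows roughly when the process started, and `srandom()` seeds `random()`, so on libcs where `rand()` is a separate generator the seed is not even applied. The loop `for (index = 0; index < len+1; index++)` writes len+1 bytes into a buffer the caller sized at len, and `rand()%255` never yields 255, so the output is also biased. The configure hunk at L490-513 replaces the "No random device found" hard error with this fallback, so a build on a host without /dev/urandom or EGD silently ends up here; keep the configure error and drop USE_SYSRANDOM rather than ship predictable keys. get_random_bytes's #else branch and the closing `#endif` continue in the next hunk.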
***************
*** 184,189 ****
--- 200,206 ----
fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno));

close(random_pool);
+ #endif /* USE_SYSRANDOM */
}
#endif /* !HAVE_ARC4RANDOM */

*** canohost.c.DIST Wed Jan 19 11:00:42 2000
--- canohost.c Wed Jan 19 11:01:09 2000
***************
*** 29,35 ****
get_remote_hostname(int socket)
{
struct sockaddr_in from;
! int fromlen, i;
struct hostent *hp;
char name[MAXHOSTNAMELEN];

--- 29,40 ----
get_remote_hostname(int socket)
{
struct sockaddr_in from;
! #ifdef _AIX
! unsigned long fromlen;
! #else
! int fromlen;
! #endif
! int i;
struct hostent *hp;
char name[MAXHOSTNAMELEN];

***************
*** 116,122 ****
{
unsigned char options[200], *ucp;
char text[1024], *cp;
! int option_size, ipproto;
struct protoent *ip;

if ((ip = getprotobyname("ip")) != NULL)
--- 121,132 ----
{
unsigned char options[200], *ucp;
char text[1024], *cp;
! #ifdef _AIX
! unsigned long option_size;
! #else
! int option_size;
! #endif
! int ipproto;
struct protoent *ip;

if ((ip = getprotobyname("ip")) != NULL)
***************
*** 149,155 ****
--- 159,169 ----
peer_connection_is_on_socket()
{
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif
int in = packet_get_connection_in();
int out = packet_get_connection_out();

***************
*** 197,203 ****
get_remote_ipaddr()
{
struct sockaddr_in from;
! int fromlen, socket;

/* Check whether we have chached the name. */
if (canonical_host_ip != NULL)
--- 211,222 ----
get_remote_ipaddr()
{
struct sockaddr_in from;
! #ifdef _AIX
! unsigned long fromlen;
! #else
! int fromlen;
! #endif
! int socket;

/* Check whether we have chached the name. */
if (canonical_host_ip != NULL)
***************
*** 231,237 ****
--- 250,260 ----
get_peer_port(int sock)
{
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif

/* Get IP address of client. */
fromlen = sizeof(from);
*** channels.c.DIST Tue Jan 11 12:16:35 2000
--- channels.c Wed Jan 19 11:01:32 2000
***************
*** 374,380 ****
channel_after_select(fd_set * readset, fd_set * writeset)
{
struct sockaddr addr;
! int addrlen, newsock, i, newch, len;
Channel *ch;
char buf[16384], *remote_hostname;

--- 374,385 ----
channel_after_select(fd_set * readset, fd_set * writeset)
{
struct sockaddr addr;
! #ifdef _AIX
! unsigned long addrlen;
! #else
! int addrlen;
! #endif
! int newsock, i, newch, len;
Channel *ch;
char buf[16384], *remote_hostname;

***************
*** 1005,1011 ****
struct sockaddr_in sin;
char *host, *originator_string;
struct hostent *hp;
! int host_len, originator_len;

/* Get remote channel number. */
remote_channel = packet_get_int();
--- 1010,1016 ----
struct sockaddr_in sin;
char *host, *originator_string;
struct hostent *hp;
! unsigned int host_len, originator_len;

/* Get remote channel number. */
remote_channel = packet_get_int();
***************
*** 1257,1263 ****
struct sockaddr_in sin;
char buf[1024], *cp, *remote_host;
struct hostent *hp;
! int remote_len;

/* Get remote channel number. */
remote_channel = packet_get_int();
--- 1262,1268 ----
struct sockaddr_in sin;
char buf[1024], *cp, *remote_host;
struct hostent *hp;
! unsigned int remote_len;

/* Get remote channel number. */
remote_channel = packet_get_int();
*** cipher.c.DIST Tue Jan 11 09:45:57 2000
--- cipher.c Tue Jan 11 09:46:35 2000
***************
*** 111,117 ****

void (*cipher_attack_detected) (const char *fmt,...) = fatal;

! static inline void
detect_cbc_attack(const unsigned char *src,
unsigned int len)
{
--- 111,122 ----

void (*cipher_attack_detected) (const char *fmt,...) = fatal;

! #ifdef _AIX
! static __inline
! #else
! static inline
! #endif
! void
detect_cbc_attack(const unsigned char *src,
unsigned int len)
{
*** config.h.in.DIST Tue Jan 11 09:40:43 2000
--- config.h.in Wed Jan 19 11:01:42 2000
***************
*** 15,20 ****
--- 15,26 ----
/* Define if you want to disable PAM support */
#undef DISABLE_PAM

+ /* Define if you want AIX4's authenticate function */
+ #undef WITH_AIXAUTHENTICATE
+
+ /* Define if you want to use system random */
+ #undef USE_SYSRANDOM
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG

***************
*** 33,38 ****
--- 39,72 ----
/* Define if using the Dante SOCKS library. */
#undef HAVE_DANTE

+ /* Define this if compiling with SOCKS (the firewall traversal library). */
+ #undef SOCKS
+ #undef SOCKS4
+ #undef SOCKS5
+
+ #undef Rconnect
+ #undef Rgetsockname
+ #undef Rgetpeername
+ #undef Rbind
+ #undef Raccept
+ #undef Rlisten
+ #undef Rselect
+ #undef Rrecvfrom
+ #undef Rsendto
+ #undef Rrecv
+ #undef Rsend
+ #undef Rread
+ #undef Rwrite
+ #undef Rrresvport
+ #undef Rshutdown
+ #undef Rlisten
+ #undef Rclose
+ #undef Rdup
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
+
+
/* Define if your ssl headers are included with #include <ssl/header.h> */
#undef HAVE_SSL

***************
*** 295,298 ****

#include "defines.h"

! #endif _CONFIG_H
--- 329,332 ----

#include "defines.h"

! #endif
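Review bot: Dropping the bare token after `#endif` is the right fix (text after #endif is not standard C), but the label was useful for readers; `#endif /* _CONFIG_H */` keeps it as a comment.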
*** configure.DIST Tue Jan 11 09:20:43 2000
--- configure Tue Jan 11 12:09:34 2000
***************
*** 16,21 ****
--- 16,23 ----
ac_help="$ac_help
--without-pam Disable PAM support "
ac_help="$ac_help
+ --with-aixauthenticate Use AIX4's authenticate function"
+ ac_help="$ac_help
--with-gnome-askpass Build the GNOME passphrase requester (default=no)"
ac_help="$ac_help
--with-random=FILE read randomness from FILE (default=/dev/urandom)"
***************
*** 26,31 ****
--- 28,39 ----
ac_help="$ac_help
--with-dante=DIR Use Dante SOCKS lib (default is system library path)"
ac_help="$ac_help
+ --with-socks Compile with SOCKS firewall traversal support."
+ ac_help="$ac_help
+ --with-socks5[=PATH] Compile with SOCKS5 firewall traversal support."
+ ac_help="$ac_help
+ --with-socks4[=PATH] Compile with SOCKS4 firewall traversal support."
+ ac_help="$ac_help
--with-kerberos4=PATH Enable Kerberos 4 support"
ac_help="$ac_help
--with-afs=PATH Enable AFS support"
***************
*** 2245,2250 ****
--- 2253,2282 ----
rm -f conftest*
fi

+ # check for the AIX authenticate
+ echo $ac_n "checking whether to use AIX authenticate""... $ac_c" 1>&6
+ echo "configure:XXXX: checking whether to use AIX authenticate" >&5
+ # Check whether --with-aixauthenticate or --without-aixauthenticate was given.
+ if test "${with_aixauthenticate+set}" = set; then
+ withval="$with_aixauthenticate"
+ case "$withval" in
+ yes)
+ echo "$ac_t""yes" 1>&6
+ cat >> confdefs.h <<\EOF
+ #define WITH_AIXAUTHENTICATE 1
+ EOF
+ LIBS="$LIBS -ls"
+ ;;
+ *)
+ echo "$ac_t""no" 1>&6
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+
echo $ac_n "checking whether to build GNOME ssh-askpass""... $ac_c" 1>&6
echo "configure:2250: checking whether to build GNOME ssh-askpass" >&5
# Check whether --with-gnome-askpass or --without-gnome-askpass was given.
***************
*** 2335,2345 ****

fi


- if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then
- { echo "configure: error: No random device found, and no EGD random pool specified" 1>&2; exit 1; }
fi

echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6
echo "configure:2345: checking whether utmp.h has ut_host field" >&5
cat > conftest.$ac_ext <<EOF
--- 2367,2382 ----

fi

+ if test -z "$RANDOM_POOL" -a -z "$EGD_POOL";then
+ echo $ac_n "using system random" 1>&6
+ cat >> confdefs.h <<\EOF
+ #define USE_SYSRANDOM 1
+ EOF

fi

+
+
echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6
echo "configure:2345: checking whether utmp.h has ut_host field" >&5
cat > conftest.$ac_ext <<EOF
***************
*** 2606,2611 ****
--- 2643,2970 ----
LIBS="$LIBS -lsocks"
fi

+
+ fi
+
+
+ # Check whether --with-socks or --without-socks was given.
+ if test "${with_socks+set}" = set; then
+ withval="$with_socks"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ yes)
+ echo "$ac_t""yes" 1>&6
+ echo $ac_n "checking for SOCKSconnect in -lsocks5""... $ac_c" 1>&6
+ echo "configure:6842: checking for SOCKSconnect in -lsocks5" >&5
+ ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+ else
+ ac_save_LIBS="$LIBS"
+ LIBS="-lsocks5 $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6850 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error. */
+ /* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ char SOCKSconnect();
+
+ int main() {
+ SOCKSconnect()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6861: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+ fi
+ rm -f conftest*
+ LIBS="$ac_save_LIBS"
+
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+
+ socks=5
+ LIBS="-lsocks5 $LIBS"
+ else
+ echo "$ac_t""no" 1>&6
+
+ echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6
+ echo "configure:6883: checking for Rconnect in -lsocks" >&5
+ ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+ else
+ ac_save_LIBS="$LIBS"
+ LIBS="-lsocks $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6891 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error. */
+ /* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ char Rconnect();
+
+ int main() {
+ Rconnect()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+ fi
+ rm -f conftest*
+ LIBS="$ac_save_LIBS"
+
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+
+ socks=4
+ LIBS="-lsocks $LIBS"
+ else
+ echo "$ac_t""no" 1>&6
+
+ { echo "configure: error: Could not find socks library. You must first install socks." 1>&2; exit 1; }
+ fi
+
+ fi
+
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+
+ if test "x$socks" = "x"; then
+ echo $ac_n "checking whether to support SOCKS5""... $ac_c" 1>&6
+ echo "configure:6938: checking whether to support SOCKS5" >&5
+ # Check whether --with-socks5 or --without-socks5 was given.
+ if test "${with_socks5+set}" = set; then
+ withval="$with_socks5"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ *)
+ echo "$ac_t""yes" 1>&6
+ socks=5
+ if test "x$withval" = "xyes"; then
+ withval="-lsocks5"
+ else
+ if test -d "$withval"; then
+ if test -d "$withval/include"; then
+ CFLAGS="$CFLAGS -I$withval/include"
+ else
+ CFLAGS="$CFLAGS -I$withval"
+ fi
+ if test -d "$withval/lib"; then
+ withval="-L$withval/lib -lsocks5"
+ else
+ withval="-L$withval -lsocks5"
+ fi
+ fi
+ fi
+ LIBS="$withval $LIBS"
+ # If Socks was compiled with Kerberos support, we will need
+ # to link against kerberos libraries. Temporarily append
+ # to LIBS. This is harmless if there is no kerberos support.
+ TMPLIBS="$LIBS"
+ LIBS="$LIBS $KERBEROS_LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6972 "configure"
+ #include "confdefs.h"
+
+ int main() {
+ SOCKSconnect();
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6979: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ :
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ { echo "configure: error: Could not find the $withval library. You must first install socks5." 1>&2; exit 1; }
+ fi
+ rm -f conftest*
+ LIBS="$TMPLIBS"
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+ fi
+
+ if test "x$socks" = "x"; then
+ echo $ac_n "checking whether to support SOCKS4""... $ac_c" 1>&6
+ echo "configure:7000: checking whether to support SOCKS4" >&5
+ # Check whether --with-socks4 or --without-socks4 was given.
+ if test "${with_socks4+set}" = set; then
+ withval="$with_socks4"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ *)
+ echo "$ac_t""yes" 1>&6
+ socks=4
+ if test "x$withval" = "xyes"; then
+ withval="-lsocks"
+ else
+ if test -d "$withval"; then
+ withval="-L$withval -lsocks"
+ fi
+ fi
+ LIBS="$withval $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 7020 "configure"
+ #include "confdefs.h"
+
+ int main() {
+ Rconnect();
+ ; return 0; }
+ EOF
+ if { (eval echo configure:7027: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ :
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ { echo "configure: error: Could not find the $withval library. You must first install socks." 1>&2; exit 1; }
+ fi
+ rm -f conftest*
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+ fi
+
+
+
+ if test "x$socks" = "x4"; then
+ cat >> confdefs.h <<\EOF
+ #define SOCKS 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define SOCKS4 1
+ EOF
+
+ fi
+
+ if test "x$socks" = "x5"; then
+ cat >> confdefs.h <<\EOF
+ #define SOCKS 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define SOCKS5 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rconnect SOCKSconnect
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgetsockname SOCKSgetsockname
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgetpeername SOCKSgetpeername
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rbind SOCKSbind
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Raccept SOCKSaccept
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rlisten SOCKSlisten
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rselect SOCKSselect
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrecvfrom SOCKSrecvfrom
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rsendto SOCKSsendto
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrecv SOCKSrecv
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rsend SOCKSsend
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rread SOCKSread
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rwrite SOCKSwrite
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrresvport SOCKSrresvport
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rshutdown SOCKSshutdown
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rlisten SOCKSlisten
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rclose SOCKSclose
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rdup SOCKSdup
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rdup2 SOCKSdup2
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rfclose SOCKSfclose
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgethostbyname SOCKSgethostbyname
+ EOF

fi

*** configure.in.DIST Tue Jan 11 09:39:21 2000
--- configure.in Tue Jan 11 09:40:15 2000
***************
*** 234,239 ****
--- 234,256 ----
)
fi

+ AC_ARG_WITH(aixauthenticate,
+ [. --with-aixauthenticate Include AIX authenticate support
+ --without-aixauthenticate Don't include AIX authenticate support (default)],
+ [. case "$withval" in
+ yes)
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(WITH_AIXAUTHENTICATE)
+ LIBS="$LIBS -ls"
+ ;;
+ *)
+ AC_MSG_RESULT(no)
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+ )
+
+
AC_MSG_CHECKING([whether to build GNOME ssh-askpass])
dnl Check whether user wants GNOME ssh-askpass
AC_ARG_WITH(gnome-askpass,
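Review bot: configure.in gains only the --with-aixauthenticate option, while the generated configure in this same patch also gains the USE_SYSRANDOM fallback (L507-511) and the --with-socks/--with-socks5/--with-socks4 handling (L530-847); the next autoconf run regenerates configure from configure.in and drops those silently. Move that logic into configure.in (AC_ARG_WITH blocks, and an AC_DEFINE for USE_SYSRANDOM if it is kept at all) rather than editing configure by hand. The help text lines also appear to begin with a stray `.` (`[. --with-aixauthenticate`), which autoconf would copy into --help output verbatim if it is not a mail artifact.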
*** ssh-agent.c.DIST Mon Jan 3 07:41:05 2000
--- ssh-agent.c Wed Jan 19 11:01:59 2000
***************
*** 416,422 ****
after_select(fd_set *readset, fd_set *writeset)
{
unsigned int i;
! int len, sock;
char buf[1024];
struct sockaddr_un sunaddr;

--- 416,427 ----
after_select(fd_set *readset, fd_set *writeset)
{
unsigned int i;
! #ifdef _AIX
! unsigned long len;
! #else
! int len;
! #endif
! int sock;
char buf[1024];
struct sockaddr_un sunaddr;

*** ssh-keygen.c.DIST Wed Nov 24 19:54:59 1999
--- ssh-keygen.c Wed Jan 19 11:02:18 2000
***************
*** 101,107 ****
if (f && fgets(line, sizeof(line), f)) {
cp = line;
line[strlen(line) - 1] = '\0';
! if (auth_rsa_read_key(&cp, &dummy, e, n)) {
public_key->e = e;
public_key->n = n;
comment = xstrdup(cp ? cp : "no comment");
--- 101,107 ----
if (f && fgets(line, sizeof(line), f)) {
cp = line;
line[strlen(line) - 1] = '\0';
! if (auth_rsa_read_key(&cp, (unsigned int *)&dummy, e, n)) {
public_key->e = e;
public_key->n = n;
comment = xstrdup(cp ? cp : "no comment");
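Review bot: Casting `&dummy` to `unsigned int *` silences the prototype mismatch without changing `dummy`'s declaration, so the length is still read back through a signed int; the same cast is repeated in sshconnect.c (L1080) and sshd.c (L1121, L1221, L1238, L1255, L1343, L1361-1362, L1379), where the value then feeds `packet_integrity_check(plen, 4 + ulen, ...)` as a signed quantity. The channels.c hunks (L319, L336) take the cleaner route of declaring the lengths `unsigned int`; do the same here, `unsigned int dummy;`, and in the other files so the type matches packet_get_string's parameter end to end. dummy's declaration is outside this hunk.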
*** ssh.c.DIST Tue Jan 11 12:13:59 2000
--- ssh.c Tue Jan 11 12:15:16 2000
***************
*** 207,212 ****
--- 207,216 ----
/* Save our own name. */
av0 = av[0];

+ #ifdef SOCKS
+ SOCKSinit(av0);
+ #endif /* SOCKS */
+
/* Initialize option structure to indicate that no values have been set. */
initialize_options(&options);

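Review bot: `SOCKSinit(av0)` is compiled in under `#ifdef SOCKS`, but the configure hunk defines SOCKS for both the SOCKS4 and SOCKS5 libraries (L745-763), and only the SOCKS5 probe looks for `SOCKS`-prefixed symbols (L539) — the SOCKS4 probe looks for `Rconnect` in -lsocks (L580). If -lsocks does not export SOCKSinit, a SOCKS4 build fails to link here; gating on `#ifdef SOCKS5` matches how sshconnect.c already gates `Rgethostbyname` (L1045).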
*** sshconnect.c.DIST Tue Jan 11 09:54:21 2000
--- sshconnect.c Wed Jan 19 11:03:46 2000
***************
*** 142,172 ****
int
ssh_create_socket(uid_t original_real_uid, int privileged)
{
! int sock;

! /*
! * If we are running as root and want to connect to a privileged
! * port, bind our own socket to a privileged port.
! */
! if (privileged) {
! int p = IPPORT_RESERVED - 1;

! sock = rresvport(&p);
! if (sock < 0)
! fatal("rresvport: %.100s", strerror(errno));
! debug("Allocated local port %d.", p);
! } else {
! /*
! * Just create an ordinary socket on arbitrary port. We use
! * the user's uid to create the socket.
! */
! temporarily_use_uid(original_real_uid);
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
! restore_uid();
! }
! return sock;
}

/*
--- 142,193 ----
int
ssh_create_socket(uid_t original_real_uid, int privileged)
{
! int sock;

! /* If we are running as root and want to connect to a privileged port,
! bind our own socket to a privileged port. */
! if (0)
! {
! struct sockaddr_in sin;
! int p;
! for (p = 1023; p > 512; p--)
! {
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
!
! /* Initialize the desired sockaddr_in structure. */
! memset(&sin, 0, sizeof(sin));
! sin.sin_family = AF_INET;
! sin.sin_addr.s_addr = INADDR_ANY;
! sin.sin_port = htons(p);

! /* Try to bind the socket to the privileged port. */
! #if defined(SOCKS)
! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
! break; /* Success. */
! #else /* SOCKS */
! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
! break; /* Success. */
! #endif /* SOCKS */
! if (errno == EADDRINUSE)
! {
! close(sock);
! continue;
! }
! fatal("bind: %.100s", strerror(errno));
! }
! debug("Allocated local port %d.", p);
! }
! else
! {
! /* Just create an ordinary socket on arbitrary port. */
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
! }
! return sock;
!
}

/*
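Review bot: `if (0)` replaces `if (privileged)`, so the privileged-port branch is dead code and ssh_create_socket never binds a reserved port; any server-side check that relies on a privileged source port (the rhosts family) fails for every client built from this patch, and the `privileged` parameter becomes unused. The else branch also drops the `temporarily_use_uid(original_real_uid);` / `restore_uid();` pair around `socket()`, which the original comment gave as the reason the socket is created under the user's uid rather than the setuid-root effective uid — a least-privilege regression unrelated to SOCKS. Restore `if (privileged)` and the uid switch, and keep only the Rbind/bind `#if defined(SOCKS)` selection as the new part. As written, the loop also falls out of the bottom with an already-closed `sock` when every port down to 512 is in use, then reports `Allocated local port` as if it had succeeded.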
***************
*** 241,247 ****
--- 262,272 ----
* tcp_wrappers showing the remote uid as root.
*/
temporarily_use_uid(original_real_uid);
+ #if defined(SOCKS)
+ if (Rconnect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+ #else
if (connect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+ #endif
>= 0) {
/* Successful connect. */
restore_uid();
***************
*** 257,263 ****
--- 282,292 ----
/* Not a valid numeric inet address. */
/* Map host name to an address. */
if (!hp)
+ #if defined(SOCKS5)
+ hp = Rgethostbyname(host);
+ #else
hp = gethostbyname(host);
+ #endif
if (!hp)
fatal("Bad host name: %.100s", host);
if (!hp->h_addr_list[0])
***************
*** 287,293 ****
--- 316,326 ----
* root.
*/
temporarily_use_uid(original_real_uid);
+ #if defined(SOCKS)
+ if (Rconnect(sock, (struct sockaddr *) hostaddr,
+ #else
if (connect(sock, (struct sockaddr *) hostaddr,
+ #endif
sizeof(*hostaddr)) >= 0) {
/* Successful connection. */
restore_uid();
***************
*** 916,922 ****
debug("No challenge for skey authentication.");
return 0;
}
! challenge = packet_get_string(&payload_len);
if (options.cipher == SSH_CIPHER_NONE)
log("WARNING: Encryption is disabled! "
"Reponse will be transmitted in clear text.");
--- 949,955 ----
debug("No challenge for skey authentication.");
return 0;
}
! challenge = packet_get_string((unsigned int *)&payload_len);
if (options.cipher == SSH_CIPHER_NONE)
log("WARNING: Encryption is disabled! "
"Reponse will be transmitted in clear text.");
*** sshd.c.DIST Tue Jan 11 09:55:44 2000
--- sshd.c Wed Jan 19 11:05:02 2000
***************
*** 277,283 ****
{
extern char *optarg;
extern int optind;
! int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1;
int remote_major, remote_minor;
int silentrsa = 0;
struct pollfd fds;
--- 277,288 ----
{
extern char *optarg;
extern int optind;
! #ifdef _AIX
! unsigned long aux;
! #else
! int aux;
! #endif
! int opt, sock_in, sock_out, newsock, i, pid, on = 1;
int remote_major, remote_minor;
int silentrsa = 0;
struct pollfd fds;
***************
*** 988,994 ****
packet_read_expect(&plen, SSH_CMSG_USER);

/* Get the user name. */
! user = packet_get_string(&ulen);
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);

/* Destroy the private and public keys. They will no longer be needed. */
--- 993,999 ----
packet_read_expect(&plen, SSH_CMSG_USER);

/* Get the user name. */
! user = packet_get_string((unsigned int*)&ulen);
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);

/* Destroy the private and public keys. They will no longer be needed. */
***************
*** 997,1002 ****
--- 1002,1008 ----
RSA_free(sensitive_data.host_key);

setproctitle("%s", user);
+
/* Do the authentication. */
do_authentication(user);
}
***************
*** 1084,1089 ****
--- 1090,1099 ----
{
struct passwd *pw, pwcopy;

+ #ifdef _AIX
+ char *loginmsg;
+ #endif
+
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
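Review bot: `loginmsg`, and the `loginsuccess()` call at L1193 and `loginfailed()` call at L1317 that use it, are gated on `#ifdef _AIX`, whereas the authenticate() path in auth-passwd.c is gated on WITH_AIXAUTHENTICATE and `-ls` is only added to LIBS when --with-aixauthenticate is given (L475). On AIX built without that option the compiler-defined _AIX still pulls these calls in, and if they live in the same library as authenticate() the link fails; gate all of them on the same macro. do_authentication starts and ends outside this hunk.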
***************
*** 1092,1097 ****
--- 1102,1109 ----
}
#endif /* AFS */

+ pw = (struct passwd *) malloc (sizeof(struct passwd));
+
/* Verify that the user is a valid user. */
pw = getpwnam(user);
if (!pw || !allowed_user(pw))
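Review bot: `pw = (struct passwd *) malloc (sizeof(struct passwd));` is immediately overwritten by `pw = getpwnam(user);` on the next line, so the allocation is never used and leaks on every authentication; delete the added line. If the intent was to keep a private copy of the passwd record, the surrounding function already declares `pwcopy` (L1139) for that purpose. The enclosing function starts and ends outside this hunk.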
***************
*** 1133,1138 ****
--- 1145,1151 ----
/* Authentication with empty password succeeded. */
log("Login for user %s from %.100s, accepted without authentication.",
pw->pw_name, get_remote_ipaddr());
+
} else {
/* Loop until the user has been authenticated or the
connection is closed, do_authloop() returns only if
***************
*** 1142,1148 ****

/* Check if the user is logging in as root and root logins are disallowed. */
if (pw->pw_uid == 0 && !options.permit_root_login) {
! if (forced_command)
log("Root login accepted for forced command.");
else
packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
--- 1155,1161 ----

/* Check if the user is logging in as root and root logins are disallowed. */
if (pw->pw_uid == 0 && !options.permit_root_login) {
! if (forced_command)
log("Root login accepted for forced command.");
else
packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
***************
*** 1149,1154 ****
--- 1162,1170 ----
get_canonical_hostname());
}
/* The user has been authenticated and accepted. */
+ #ifdef _AIX
+ loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+ #endif
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
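Review bot: `loginsuccess(user, ...)` is passed the client-supplied `user` string (read from the packet at L1121) while `loginfailed()` at L1317 is passed `pw->pw_name`; the two can differ if the lookup tolerates aliases, so use `pw->pw_name` in both so the AIX lastlog and failed-login records name the same account. `loginmsg` is filled in by loginsuccess and never freed or logged; if the library allocates it, that is a per-login leak and the message is lost. do_authentication starts and ends outside this hunk.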
***************
*** 1178,1183 ****
--- 1194,1200 ----
int type = 0;
void (*authlog) (const char *fmt,...) = verbose;

+
/* Indicate that authentication is needed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
***************
*** 1261,1267 ****
* authentication is insecure. (Another is
* IP-spoofing on a local network.)
*/
! client_user = packet_get_string(&ulen);
packet_integrity_check(plen, 4 + ulen, type);

/* Try to authenticate using /etc/hosts.equiv and
--- 1278,1284 ----
* authentication is insecure. (Another is
* IP-spoofing on a local network.)
*/
! client_user = packet_get_string((unsigned int *)&ulen);
packet_integrity_check(plen, 4 + ulen, type);

/* Try to authenticate using /etc/hosts.equiv and
***************
*** 1281,1287 ****
* trust the client; root on the client machine can
* claim to be any user.
*/
! client_user = packet_get_string(&ulen);

/* Get the client host key. */
client_host_key_e = BN_new();
--- 1298,1304 ----
* trust the client; root on the client machine can
* claim to be any user.
*/
! client_user = packet_get_string((unsigned int *)&ulen);

/* Get the client host key. */
client_host_key_e = BN_new();
***************
*** 1326,1332 ****
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
! password = packet_get_string(&dlen);
packet_integrity_check(plen, 4 + dlen, type);

#ifdef USE_PAM
--- 1343,1349 ----
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
! password = packet_get_string((unsigned int *)&dlen);
packet_integrity_check(plen, 4 + dlen, type);

#ifdef USE_PAM
***************
*** 1405,1430 ****
#ifdef USE_PAM
if (!do_pam_account(pw->pw_name, client_user))
{
! if (client_user != NULL)
xfree(client_user);

do_fake_authloop(pw->pw_name);
}
#endif /* USE_PAM */
return;
! }

! if (client_user != NULL)
xfree(client_user);

if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);

/* Send a message indicating that the authentication attempt failed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
}

/*
--- 1422,1463 ----
#ifdef USE_PAM
if (!do_pam_account(pw->pw_name, client_user))
{
! if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }

do_fake_authloop(pw->pw_name);
}
#endif /* USE_PAM */
return;
! }

! /* HEAP*/
! #if 1
! if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }
+ #endif

if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);

/* Send a message indicating that the authentication attempt failed. */
+ #ifdef _AIX
+ if (strncmp(get_authname(type),"password",
+ strlen(get_authname(type))) == 0)
+ loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+ #endif
+
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
+
+
+
}

/*
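Review bot: The `/* HEAP*/ #if 1 … #endif` wrapper around the second xfree is debugging scaffolding that should not land; keep the `client_user = NULL;` reset (it is the double-free fix the cover note describes) and drop the `#if 1`. The `strncmp(get_authname(type),"password", strlen(get_authname(type)))` comparison bounds the compare by the length of the left operand, so any auth name that is a prefix of "password" (including an empty name) matches; `strcmp(get_authname(type), "password") == 0` states the intent. Note also that only password failures are recorded via loginfailed(), so failed RSA, rhosts and other attempts never count toward the AIX failed-login threshold — presumably intended, but worth a comment so the gap in the audit trail is visible. do_authloop starts outside this hunk.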
***************
*** 1603,1609 ****
ttyname, tty_mode, strerror(errno));

/* Get TERM from the packet. Note that the value may be of arbitrary length. */
! term = packet_get_string(&dlen);
packet_integrity_check(dlen, strlen(term), type);
/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
/* Remaining bytes */
--- 1636,1642 ----
ttyname, tty_mode, strerror(errno));

/* Get TERM from the packet. Note that the value may be of arbitrary length. */
! term = packet_get_string((unsigned int *)&dlen);
packet_integrity_check(dlen, strlen(term), type);
/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
/* Remaining bytes */
***************
*** 1648,1655 ****
packet_disconnect("Protocol error: X11 display already set.");
{
int proto_len, data_len;
! proto = packet_get_string(&proto_len);
! data = packet_get_string(&data_len);
packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
}
if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
--- 1681,1688 ----
packet_disconnect("Protocol error: X11 display already set.");
{
int proto_len, data_len;
! proto = packet_get_string((unsigned int *)&proto_len);
! data = packet_get_string((unsigned int *)&data_len);
packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
}
if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
***************
*** 1732,1738 ****
/* Get command from the packet. */
{
int dlen;
! command = packet_get_string(&dlen);
debug("Executing command '%.500s'", command);
packet_integrity_check(plen, 4 + dlen, type);
}
--- 1765,1771 ----
/* Get command from the packet. */
{
int dlen;
! command = packet_get_string((unsigned int *)&dlen);
debug("Executing command '%.500s'", command);
packet_integrity_check(plen, 4 + dlen, type);
}
***************
*** 1936,1942 ****
--- 1969,1979 ----
struct stat st;
int quiet_login;
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif
struct pty_cleanup_context cleanup_context;

/* Get remote host name. */
***************
*** 2328,2333 ****
--- 2365,2380 ----
if (display)
child_set_env(&env, &envsize, "DISPLAY", display);

+ {
+ char *authstate,*krb5cc;
+
+ if ((authstate = getenv("AUTHSTATE")) != NULL)
+ child_set_env(&env,&envsize,"AUTHSTATE",authstate);
+
+ if ((krb5cc = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc);
+ }
+
#ifdef KRB4
{
extern char *ticket;
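Review bot: The new block copies `AUTHSTATE` and `KRB5CCNAME` from sshd's own process environment into every session, and unlike the rest of this patch it is not gated on `_AIX` or `WITH_AIXAUTHENTICATE`. For `KRB5CCNAME` that hands each user the daemon's credential-cache name rather than anything derived from their own authentication (nothing in the hunk sets a per-user cache), which looks unintended; I'd drop it or tie it to the user's ticket the way the `KRB4` block below does. `AUTHSTATE` is AIX-specific and belongs under the same `#ifdef` as the other AIX additions, with a comment explaining why the daemon's value is the right one for the child. The enclosing function starts outside the hunk.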
***************
*** 2348,2353 ****
--- 2395,2402 ----
if (auth_get_socket_name() != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_get_socket_name());
+
+ read_environment_file(&env,&envsize,"/etc/environment");

/* read $HOME/.ssh/environment. */
if (!options.use_login) {
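Review bot: `/etc/environment` is read unconditionally, while the context line right below shows `$HOME/.ssh/environment` is only read when `!options.use_login`; when login(1) is used it sets up the environment itself, so the system file should probably sit under the same condition. The call's return value is ignored, so an unreadable or malformed file goes unnoticed (I cannot see `read_environment_file`'s contract from here). A short comment such as `/* system-wide defaults from /etc/environment; the user's file below overrides them */` would make the intended precedence explicit. The enclosing function starts outside the hunk.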



--
Matt Richards
Re: AIX openssh patches
On Wed, Jan 19, 2000 at 12:33:55PM -0500, Matt Richards wrote:

> I have a few patches for AIX. The patchfile is attached below. The patch
> has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25,
> with openssl-0.94, using RSAref.

These are a good set of patches, but I propose that these be implemented
a bit differently (and yes, I'll be happy to do it, it'll just take a day
or so).

1> Don't use --with-aixauthenticate. Instead, autodetect AIX 4 and use
it without prompting.

2> Instead of the _AIX defines, I'd prefer to see #define used for each
differing item (i.e. unsigned long versus int, __inline versus inline, etc.),
preferably autodetecting using autoconf. I'll work on making this cleaner.

3> The Dante and SOCKS4/5 implementations are 99% alike. Rather than defining
the R* functions in config.h, I'd rather roll them all into one spot, where
they are now.

Any objections?

David

> 1) authenticate support - this function allows the system to determine
> authentification. Whatever the system allows for login, authenticate
> will too. It doesn't matter whether it is AFS, DFS, SecureID, local.
>
> 2) loginsuccess - this function will log to /etc/security/lastlog as
> well as clear the failed logins.
>
> 3) loginfailed - this function will increase the number of failed logins
> and update /etc/security/lastlog and /etc/security/failedlogins.
>
> 4) loginrestrictions - this function will determine if a user is allowed
> to login (ie too many failed logins, account disabled, etc). This
> function is used in conjunction with authenticate.
>
> 5) SOCKS5 and SOCKS4 support.

> 6) Support for the system random function instead of egd or /dev/urandom.
--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin@bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble
when you are praised is a great and rare accomplishment." St. Bernard
Re: AIX openssh patches
Thus spake David Rankin (drankin@bohemians.lexington.ky.us):

> On Wed, Jan 19, 2000 at 12:33:55PM -0500, Matt Richards wrote:
>
> > I have a few patches for AIX. The patchfile is attached below. The patch
> > has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25,
> > with openssl-0.94, using RSAref.
>
> These are a good set of patches, but I propose that these be implemented
> a bit differently (and yes, I'll be happy to do it, it'll just take a day
> or so).
>
> 1> Don't use --with-aixauthenticate. Instead, autodetect AIX 4 and use
> it without prompting.
>
> 2> Instead of the _AIX defines, I'd prefer to see #define used for each
> differing item (i.e. unsigned long versus int, __inline versus inline, etc.),
> preferably autodetecting using autoconf. I'll work on making this cleaner.
>
> 3> The Dante and SOCKS4/5 implementations are 99% alike. Rather than defining
> the R* functions in config.h, I'd rather roll them all into one spot, where
> they are now.
>
> Any objections?
>
> David

Not at all, I like your suggestions.

I did make a mistake in the inline. The configure script works fine
for inline, just need to include config.h in cipher.c in order to get
the inline define. I've updated the patch to reflect this.

Is it feasible to have a configure switch to turn off the use of privileged
ports, even if the user has the privileges?


*** acconfig.h.DIST Tue Jan 11 09:38:15 2000
--- acconfig.h Tue Jan 11 12:11:02 2000
***************
*** 12,17 ****
--- 12,23 ----
/* Define if you want to disable PAM support */
#undef DISABLE_PAM

+ /* Define if you want to disable AIX4's authenticate function */
+ #undef WITH_AIXAUTHENTICATE
+
+ /* Define if you want to use system random */
+ #undef USE_SYSRANDOM
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG

***************
*** 29,34 ****
--- 35,69 ----

/* Define if using the Dante SOCKS library. */
#undef HAVE_DANTE
+
+ /* Define this if compiling with SOCKS (the firewall traversal library). */
+ #undef SOCKS
+ #undef SOCKS4
+ #undef SOCKS5
+
+ #undef Rconnect
+ #undef Rgetsockname
+ #undef Rgetpeername
+ #undef Rbind
+ #undef Raccept
+ #undef Rlisten
+ #undef Rselect
+ #undef Rrecvfrom
+ #undef Rsendto
+ #undef Rrecv
+ #undef Rsend
+ #undef Rread
+ #undef Rwrite
+ #undef Rrresvport
+ #undef Rshutdown
+ #undef Rlisten
+ #undef Rclose
+ #undef Rdup
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
+
+

/* Define if your ssl headers are included with #include <ssl/header.h> */
#undef HAVE_SSL
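Review bot: `Rlisten` is listed twice in this block (after `Raccept` and again after `Rshutdown`), and the duplicate is carried into the config.h.in hunk at 33,38 and into configure, which emits `#define Rlisten SOCKSlisten` twice in the SOCKS5 section; drop the second occurrence in all three places. Only `Rgethostbyname` is confined to SOCKS5 (matching the `#if defined(SOCKS5)` guard in sshconnect.c), while the other `R*` names are used under plain `SOCKS`, which relies on the SOCKS4 library exporting them under those names — a one-line comment here stating that assumption would help.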
*** auth-passwd.c.DIST Tue Jan 11 09:19:33 2000
--- auth-passwd.c Tue Jan 11 09:45:13 2000
***************
*** 18,23 ****
--- 18,27 ----
#include "servconf.h"
#include "xmalloc.h"

+ #ifdef WITH_AIXAUTHENTICATE
+ #include <login.h>
+ #endif
+
#ifdef HAVE_SHADOW_H
# include <shadow.h>
#endif
***************
*** 40,45 ****
--- 44,55 ----
struct spwd *spw;
#endif

+ #ifdef WITH_AIXAUTHENTICATE
+ char *authmsg;
+ char *loginmsg;
+ int reenter = 1;
+ #endif
+
/* deny if no user. */
if (pw == NULL)
return 0;
***************
*** 55,60 ****
--- 65,79 ----
return ret;
/* Fall back to ordinary passwd authentication. */
}
+ #endif
+ #ifdef WITH_AIXAUTHENTICATE
+
+ if ( (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) &&
+ (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0))
+ return 1;
+ else
+ return 0;
+
#endif
#ifdef KRB4
if (options.kerberos_authentication == 1) {
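Review bot: `reenter` is initialised but never checked: if `authenticate()` returns 0 while setting `reenter` to request a further prompt, this code returns 1 and the user is accepted without completing the exchange; the condition should read `(authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) && (reenter == 0) && (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0)`. `authmsg` and `loginmsg` are filled in by those calls and neither logged nor released, so the reason a login was refused is lost and, if the library allocates them, they leak on every attempt. Because both branches `return`, every method compiled after this point in the function (KRB4 and the ordinary passwd check) becomes unreachable under `WITH_AIXAUTHENTICATE`; if that is intended, a comment above the block should say so. The enclosing function starts outside the hunk.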
*** bsd-misc.c.DIST Tue Jan 11 09:48:36 2000
--- bsd-misc.c Wed Jan 19 13:10:11 2000
***************
*** 47,52 ****
--- 47,55 ----
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
+ #ifdef _AIX
+ #include <stddef.h>
+ #endif

#include "xmalloc.h"
#include "ssh.h"
***************
*** 56,61 ****
--- 59,68 ----
#define offsetof(type, member) ((size_t) &((type *)0)->member)
#endif

+ #ifdef USE_SYSRANDOM
+ #include <time.h>
+ #endif
+
#ifndef HAVE_ARC4RANDOM

typedef struct
***************
*** 135,140 ****
--- 142,157 ----

void get_random_bytes(unsigned char *buf, int len)
{
+
+ #ifdef USE_SYSRANDOM
+ int index;
+
+ srandom(time(NULL) + getpid());
+
+ for (index = 0; index < len+1; index++) {
+ buf[index] = rand()%255;
+ }
+ #else /* USE_SYSRANDOM */
static int random_pool;
int c;
#ifdef HAVE_EGD
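Review bot: The `USE_SYSRANDOM` loop runs `index < len+1`, so it writes one byte past the end of `buf`; it seeds with `srandom()` but draws from `rand()`, so the seed never reaches the generator actually used; and `% 255` can never produce the value 255. The minimal repair is `for (index = 0; index < len; index++) buf[index] = random() & 0xff;`. Even then a generator seeded from `time(NULL) + getpid()` is predictable, and `get_random_bytes()` presumably feeds the session-key entropy, so this path should be a loudly warned-about last resort rather than something configure selects silently (see the configure hunk at 2335,2345). `<time.h>` is added for `time()`, but `getpid()` needs `<unistd.h>`, which I cannot see in the include hunk above. The function continues outside the hunk.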
***************
*** 184,189 ****
--- 201,207 ----
fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno));

close(random_pool);
+ #endif /* USE_SYSRANDOM */
}
#endif /* !HAVE_ARC4RANDOM */

*** canohost.c.DIST Wed Jan 19 11:00:42 2000
--- canohost.c Wed Jan 19 11:01:09 2000
***************
*** 29,35 ****
get_remote_hostname(int socket)
{
struct sockaddr_in from;
! int fromlen, i;
struct hostent *hp;
char name[MAXHOSTNAMELEN];

--- 29,40 ----
get_remote_hostname(int socket)
{
struct sockaddr_in from;
! #ifdef _AIX
! unsigned long fromlen;
! #else
! int fromlen;
! #endif
! int i;
struct hostent *hp;
char name[MAXHOSTNAMELEN];

***************
*** 116,122 ****
{
unsigned char options[200], *ucp;
char text[1024], *cp;
! int option_size, ipproto;
struct protoent *ip;

if ((ip = getprotobyname("ip")) != NULL)
--- 121,132 ----
{
unsigned char options[200], *ucp;
char text[1024], *cp;
! #ifdef _AIX
! unsigned long option_size;
! #else
! int option_size;
! #endif
! int ipproto;
struct protoent *ip;

if ((ip = getprotobyname("ip")) != NULL)
***************
*** 149,155 ****
--- 159,169 ----
peer_connection_is_on_socket()
{
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif
int in = packet_get_connection_in();
int out = packet_get_connection_out();

***************
*** 197,203 ****
get_remote_ipaddr()
{
struct sockaddr_in from;
! int fromlen, socket;

/* Check whether we have chached the name. */
if (canonical_host_ip != NULL)
--- 211,222 ----
get_remote_ipaddr()
{
struct sockaddr_in from;
! #ifdef _AIX
! unsigned long fromlen;
! #else
! int fromlen;
! #endif
! int socket;

/* Check whether we have chached the name. */
if (canonical_host_ip != NULL)
***************
*** 231,237 ****
--- 250,260 ----
get_peer_port(int sock)
{
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif

/* Get IP address of client. */
fromlen = sizeof(from);
*** channels.c.DIST Tue Jan 11 12:16:35 2000
--- channels.c Wed Jan 19 11:01:32 2000
***************
*** 374,380 ****
channel_after_select(fd_set * readset, fd_set * writeset)
{
struct sockaddr addr;
! int addrlen, newsock, i, newch, len;
Channel *ch;
char buf[16384], *remote_hostname;

--- 374,385 ----
channel_after_select(fd_set * readset, fd_set * writeset)
{
struct sockaddr addr;
! #ifdef _AIX
! unsigned long addrlen;
! #else
! int addrlen;
! #endif
! int newsock, i, newch, len;
Channel *ch;
char buf[16384], *remote_hostname;

***************
*** 1005,1011 ****
struct sockaddr_in sin;
char *host, *originator_string;
struct hostent *hp;
! int host_len, originator_len;

/* Get remote channel number. */
remote_channel = packet_get_int();
--- 1010,1016 ----
struct sockaddr_in sin;
char *host, *originator_string;
struct hostent *hp;
! unsigned int host_len, originator_len;

/* Get remote channel number. */
remote_channel = packet_get_int();
***************
*** 1257,1263 ****
struct sockaddr_in sin;
char buf[1024], *cp, *remote_host;
struct hostent *hp;
! int remote_len;

/* Get remote channel number. */
remote_channel = packet_get_int();
--- 1262,1268 ----
struct sockaddr_in sin;
char buf[1024], *cp, *remote_host;
struct hostent *hp;
! unsigned int remote_len;

/* Get remote channel number. */
remote_channel = packet_get_int();
*** cipher.c.DIST Tue Jan 11 09:45:57 2000
--- cipher.c Wed Jan 19 13:29:04 2000
***************
*** 16,21 ****
--- 16,22 ----

#include "ssh.h"
#include "cipher.h"
+ #include "config.h"

#ifdef HAVE_OPENSSL
#include <openssl/md5.h>
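Review bot: `config.h` is included after `ssh.h` and `cipher.h`, but a configuration header needs to come before any system header so the feature macros it sets are seen; if `ssh.h` already pulls `config.h` in, this line is redundant, and if it does not it should be the first include in the file. A comment such as `/* for the inline definition chosen by configure */` would record why cipher.c needs it directly.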
*** config.h.in.DIST Tue Jan 11 09:40:43 2000
--- config.h.in Wed Jan 19 11:01:42 2000
***************
*** 15,20 ****
--- 15,26 ----
/* Define if you want to disable PAM support */
#undef DISABLE_PAM

+ /* Define if you want AIX4's authenticate function */
+ #undef WITH_AIXAUTHENTICATE
+
+ /* Define if you want to use system random */
+ #undef USE_SYSRANDOM
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG

***************
*** 33,38 ****
--- 39,72 ----
/* Define if using the Dante SOCKS library. */
#undef HAVE_DANTE

+ /* Define this if compiling with SOCKS (the firewall traversal library). */
+ #undef SOCKS
+ #undef SOCKS4
+ #undef SOCKS5
+
+ #undef Rconnect
+ #undef Rgetsockname
+ #undef Rgetpeername
+ #undef Rbind
+ #undef Raccept
+ #undef Rlisten
+ #undef Rselect
+ #undef Rrecvfrom
+ #undef Rsendto
+ #undef Rrecv
+ #undef Rsend
+ #undef Rread
+ #undef Rwrite
+ #undef Rrresvport
+ #undef Rshutdown
+ #undef Rlisten
+ #undef Rclose
+ #undef Rdup
+ #undef Rdup2
+ #undef Rfclose
+ #undef Rgethostbyname
+
+
/* Define if your ssl headers are included with #include <ssl/header.h> */
#undef HAVE_SSL

***************
*** 295,298 ****

#include "defines.h"

! #endif _CONFIG_H
--- 329,332 ----

#include "defines.h"

! #endif
*** configure.DIST Tue Jan 11 09:20:43 2000
--- configure Tue Jan 11 12:09:34 2000
***************
*** 16,21 ****
--- 16,23 ----
ac_help="$ac_help
--without-pam Disable PAM support "
ac_help="$ac_help
+ --with-aixauthenticate Use AIX4's authenticate function"
+ ac_help="$ac_help
--with-gnome-askpass Build the GNOME passphrase requester (default=no)"
ac_help="$ac_help
--with-random=FILE read randomness from FILE (default=/dev/urandom)"
***************
*** 26,31 ****
--- 28,39 ----
ac_help="$ac_help
--with-dante=DIR Use Dante SOCKS lib (default is system library path)"
ac_help="$ac_help
+ --with-socks Compile with SOCKS firewall traversal support."
+ ac_help="$ac_help
+ --with-socks5[=PATH] Compile with SOCKS5 firewall traversal support."
+ ac_help="$ac_help
+ --with-socks4[=PATH] Compile with SOCKS4 firewall traversal support."
+ ac_help="$ac_help
--with-kerberos4=PATH Enable Kerberos 4 support"
ac_help="$ac_help
--with-afs=PATH Enable AFS support"
***************
*** 2245,2250 ****
--- 2253,2282 ----
rm -f conftest*
fi

+ # check for the AIX authenticate
+ echo $ac_n "checking whether to use AIX authenticate""... $ac_c" 1>&6
+ echo "configure:XXXX: checking whether to use AIX authenticate" >&5
+ # Check whether --with-aixauthenticate or --without-aixauthenticate was given.
+ if test "${with_aixauthenticate+set}" = set; then
+ withval="$with_aixauthenticate"
+ case "$withval" in
+ yes)
+ echo "$ac_t""yes" 1>&6
+ cat >> confdefs.h <<\EOF
+ #define WITH_AIXAUTHENTICATE 1
+ EOF
+ LIBS="$LIBS -ls"
+ ;;
+ *)
+ echo "$ac_t""no" 1>&6
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+
echo $ac_n "checking whether to build GNOME ssh-askpass""... $ac_c" 1>&6
echo "configure:2250: checking whether to build GNOME ssh-askpass" >&5
# Check whether --with-gnome-askpass or --without-gnome-askpass was given.
***************
*** 2335,2345 ****

fi


- if test -z "$RANDOM_POOL" -a -z "$EGD_POOL"; then
- { echo "configure: error: No random device found, and no EGD random pool specified" 1>&2; exit 1; }
fi

echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6
echo "configure:2345: checking whether utmp.h has ut_host field" >&5
cat > conftest.$ac_ext <<EOF
--- 2367,2382 ----

fi

+ if test -z "$RANDOM_POOL" -a -z "$EGD_POOL";then
+ echo $ac_n "using system random" 1>&6
+ cat >> confdefs.h <<\EOF
+ #define USE_SYSRANDOM 1
+ EOF

fi

+
+
echo $ac_n "checking whether utmp.h has ut_host field""... $ac_c" 1>&6
echo "configure:2345: checking whether utmp.h has ut_host field" >&5
cat > conftest.$ac_ext <<EOF
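Review bot: The hard error "No random device found, and no EGD random pool specified" is replaced by a silent fallback to `USE_SYSRANDOM`, so a build on a host without `/dev/urandom` or EGD now gets the `rand()`-based generator without the builder noticing; the echo prints "using system random" with `$ac_n` (no newline) and no warning. At minimum emit `echo "configure: warning: no random device or EGD pool found, falling back to system random (weak)" 1>&2`, and consider keeping the error unless the builder has opted in explicitly. The `;then` spacing on the `if` line also differs from the surrounding style.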
***************
*** 2606,2611 ****
--- 2643,2970 ----
LIBS="$LIBS -lsocks"
fi

+
+ fi
+
+
+ # Check whether --with-socks or --without-socks was given.
+ if test "${with_socks+set}" = set; then
+ withval="$with_socks"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ yes)
+ echo "$ac_t""yes" 1>&6
+ echo $ac_n "checking for SOCKSconnect in -lsocks5""... $ac_c" 1>&6
+ echo "configure:6842: checking for SOCKSconnect in -lsocks5" >&5
+ ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+ else
+ ac_save_LIBS="$LIBS"
+ LIBS="-lsocks5 $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6850 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error. */
+ /* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ char SOCKSconnect();
+
+ int main() {
+ SOCKSconnect()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6861: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+ fi
+ rm -f conftest*
+ LIBS="$ac_save_LIBS"
+
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+
+ socks=5
+ LIBS="-lsocks5 $LIBS"
+ else
+ echo "$ac_t""no" 1>&6
+
+ echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6
+ echo "configure:6883: checking for Rconnect in -lsocks" >&5
+ ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'`
+ if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+ else
+ ac_save_LIBS="$LIBS"
+ LIBS="-lsocks $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6891 "configure"
+ #include "confdefs.h"
+ /* Override any gcc2 internal prototype to avoid an error. */
+ /* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ char Rconnect();
+
+ int main() {
+ Rconnect()
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6902: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+ fi
+ rm -f conftest*
+ LIBS="$ac_save_LIBS"
+
+ fi
+ if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+
+ socks=4
+ LIBS="-lsocks $LIBS"
+ else
+ echo "$ac_t""no" 1>&6
+
+ { echo "configure: error: Could not find socks library. You must first install socks." 1>&2; exit 1; }
+ fi
+
+ fi
+
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+
+ if test "x$socks" = "x"; then
+ echo $ac_n "checking whether to support SOCKS5""... $ac_c" 1>&6
+ echo "configure:6938: checking whether to support SOCKS5" >&5
+ # Check whether --with-socks5 or --without-socks5 was given.
+ if test "${with_socks5+set}" = set; then
+ withval="$with_socks5"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ *)
+ echo "$ac_t""yes" 1>&6
+ socks=5
+ if test "x$withval" = "xyes"; then
+ withval="-lsocks5"
+ else
+ if test -d "$withval"; then
+ if test -d "$withval/include"; then
+ CFLAGS="$CFLAGS -I$withval/include"
+ else
+ CFLAGS="$CFLAGS -I$withval"
+ fi
+ if test -d "$withval/lib"; then
+ withval="-L$withval/lib -lsocks5"
+ else
+ withval="-L$withval -lsocks5"
+ fi
+ fi
+ fi
+ LIBS="$withval $LIBS"
+ # If Socks was compiled with Kerberos support, we will need
+ # to link against kerberos libraries. Temporarily append
+ # to LIBS. This is harmless if there is no kerberos support.
+ TMPLIBS="$LIBS"
+ LIBS="$LIBS $KERBEROS_LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 6972 "configure"
+ #include "confdefs.h"
+
+ int main() {
+ SOCKSconnect();
+ ; return 0; }
+ EOF
+ if { (eval echo configure:6979: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ :
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ { echo "configure: error: Could not find the $withval library. You must first install socks5." 1>&2; exit 1; }
+ fi
+ rm -f conftest*
+ LIBS="$TMPLIBS"
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+ fi
+
+ if test "x$socks" = "x"; then
+ echo $ac_n "checking whether to support SOCKS4""... $ac_c" 1>&6
+ echo "configure:7000: checking whether to support SOCKS4" >&5
+ # Check whether --with-socks4 or --without-socks4 was given.
+ if test "${with_socks4+set}" = set; then
+ withval="$with_socks4"
+ case "$withval" in
+ no)
+ echo "$ac_t""no" 1>&6
+ ;;
+ *)
+ echo "$ac_t""yes" 1>&6
+ socks=4
+ if test "x$withval" = "xyes"; then
+ withval="-lsocks"
+ else
+ if test -d "$withval"; then
+ withval="-L$withval -lsocks"
+ fi
+ fi
+ LIBS="$withval $LIBS"
+ cat > conftest.$ac_ext <<EOF
+ #line 7020 "configure"
+ #include "confdefs.h"
+
+ int main() {
+ Rconnect();
+ ; return 0; }
+ EOF
+ if { (eval echo configure:7027: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest; then
+ :
+ else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ { echo "configure: error: Could not find the $withval library. You must first install socks." 1>&2; exit 1; }
+ fi
+ rm -f conftest*
+ ;;
+ esac
+ else
+ echo "$ac_t""no" 1>&6
+
+ fi
+
+ fi
+
+
+
+ if test "x$socks" = "x4"; then
+ cat >> confdefs.h <<\EOF
+ #define SOCKS 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define SOCKS4 1
+ EOF
+
+ fi
+
+ if test "x$socks" = "x5"; then
+ cat >> confdefs.h <<\EOF
+ #define SOCKS 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define SOCKS5 1
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rconnect SOCKSconnect
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgetsockname SOCKSgetsockname
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgetpeername SOCKSgetpeername
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rbind SOCKSbind
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Raccept SOCKSaccept
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rlisten SOCKSlisten
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rselect SOCKSselect
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrecvfrom SOCKSrecvfrom
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rsendto SOCKSsendto
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrecv SOCKSrecv
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rsend SOCKSsend
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rread SOCKSread
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rwrite SOCKSwrite
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rrresvport SOCKSrresvport
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rshutdown SOCKSshutdown
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rlisten SOCKSlisten
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rclose SOCKSclose
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rdup SOCKSdup
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rdup2 SOCKSdup2
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rfclose SOCKSfclose
+ EOF
+
+ cat >> confdefs.h <<\EOF
+ #define Rgethostbyname SOCKSgethostbyname
+ EOF

fi

*** configure.in.DIST Tue Jan 11 09:39:21 2000
--- configure.in Tue Jan 11 09:40:15 2000
***************
*** 234,239 ****
--- 234,256 ----
)
fi

+ AC_ARG_WITH(aixauthenticate,
+ [. --with-aixauthenticate Include AIX authenticate support
+ --without-aixauthenticate Don't include AIX authenticate support (default)],
+ [. case "$withval" in
+ yes)
+ AC_MSG_RESULT(yes)
+ AC_DEFINE(WITH_AIXAUTHENTICATE)
+ LIBS="$LIBS -ls"
+ ;;
+ *)
+ AC_MSG_RESULT(no)
+ ;;
+ esac ],
+ AC_MSG_RESULT(no)
+ )
+
+
AC_MSG_CHECKING([whether to build GNOME ssh-askpass])
dnl Check whether user wants GNOME ssh-askpass
AC_ARG_WITH(gnome-askpass,
*** ssh-agent.c.DIST Mon Jan 3 07:41:05 2000
--- ssh-agent.c Wed Jan 19 11:01:59 2000
***************
*** 416,422 ****
after_select(fd_set *readset, fd_set *writeset)
{
unsigned int i;
! int len, sock;
char buf[1024];
struct sockaddr_un sunaddr;

--- 416,427 ----
after_select(fd_set *readset, fd_set *writeset)
{
unsigned int i;
! #ifdef _AIX
! unsigned long len;
! #else
! int len;
! #endif
! int sock;
char buf[1024];
struct sockaddr_un sunaddr;

*** ssh-keygen.c.DIST Wed Nov 24 19:54:59 1999
--- ssh-keygen.c Wed Jan 19 11:02:18 2000
***************
*** 101,107 ****
if (f && fgets(line, sizeof(line), f)) {
cp = line;
line[strlen(line) - 1] = '\0';
! if (auth_rsa_read_key(&cp, &dummy, e, n)) {
public_key->e = e;
public_key->n = n;
comment = xstrdup(cp ? cp : "no comment");
--- 101,107 ----
if (f && fgets(line, sizeof(line), f)) {
cp = line;
line[strlen(line) - 1] = '\0';
! if (auth_rsa_read_key(&cp, (unsigned int *)&dummy, e, n)) {
public_key->e = e;
public_key->n = n;
comment = xstrdup(cp ? cp : "no comment");
*** ssh.c.DIST Tue Jan 11 12:13:59 2000
--- ssh.c Tue Jan 11 12:15:16 2000
***************
*** 207,212 ****
--- 207,216 ----
/* Save our own name. */
av0 = av[0];

+ #ifdef SOCKS
+ SOCKSinit(av0);
+ #endif /* SOCKS */
+
/* Initialize option structure to indicate that no values have been set. */
initialize_options(&options);

*** sshconnect.c.DIST Tue Jan 11 09:54:21 2000
--- sshconnect.c Wed Jan 19 13:24:11 2000
***************
*** 142,172 ****
int
ssh_create_socket(uid_t original_real_uid, int privileged)
{
! int sock;

! /*
! * If we are running as root and want to connect to a privileged
! * port, bind our own socket to a privileged port.
! */
! if (privileged) {
! int p = IPPORT_RESERVED - 1;

! sock = rresvport(&p);
! if (sock < 0)
! fatal("rresvport: %.100s", strerror(errno));
! debug("Allocated local port %d.", p);
! } else {
! /*
! * Just create an ordinary socket on arbitrary port. We use
! * the user's uid to create the socket.
! */
! temporarily_use_uid(original_real_uid);
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
! restore_uid();
! }
! return sock;
}

/*
--- 142,193 ----
int
ssh_create_socket(uid_t original_real_uid, int privileged)
{
! int sock;

! /* If we are running as root and want to connect to a privileged port,
! bind our own socket to a privileged port. */
! if (privileged)
! {
! struct sockaddr_in sin;
! int p;
! for (p = 1023; p > 512; p--)
! {
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
!
! /* Initialize the desired sockaddr_in structure. */
! memset(&sin, 0, sizeof(sin));
! sin.sin_family = AF_INET;
! sin.sin_addr.s_addr = INADDR_ANY;
! sin.sin_port = htons(p);

! /* Try to bind the socket to the privileged port. */
! #if defined(SOCKS)
! if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
! break; /* Success. */
! #else /* SOCKS */
! if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
! break; /* Success. */
! #endif /* SOCKS */
! if (errno == EADDRINUSE)
! {
! close(sock);
! continue;
! }
! fatal("bind: %.100s", strerror(errno));
! }
! debug("Allocated local port %d.", p);
! }
! else
! {
! /* Just create an ordinary socket on arbitrary port. */
! sock = socket(AF_INET, SOCK_STREAM, 0);
! if (sock < 0)
! fatal("socket: %.100s", strerror(errno));
! }
! return sock;
!
}

/*
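Review bot: The rewritten else-branch drops the `temporarily_use_uid(original_real_uid)` / `restore_uid()` pair around `socket()`, so with a set-uid ssh the unprivileged socket is now created with root's effective uid and `original_real_uid` becomes an unused parameter; the old comment explained that the socket is deliberately created with the user's uid, so those two calls should go back around `socket()`. In the privileged branch, if every port from 1023 down to 513 is in use the loop exits with `sock` already closed, logs "Allocated local port 512" and returns the dead descriptor; add `if (p <= 512) fatal("no privileged port available");` after the loop. A comment saying why `rresvport()` was replaced (presumably so the bind can go through `Rbind` under SOCKS) would help the next reader.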
***************
*** 241,247 ****
--- 262,272 ----
* tcp_wrappers showing the remote uid as root.
*/
temporarily_use_uid(original_real_uid);
+ #if defined(SOCKS)
+ if (Rconnect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+ #else
if (connect(sock, (struct sockaddr *) hostaddr, sizeof(*hostaddr))
+ #endif
>= 0) {
/* Successful connect. */
restore_uid();
***************
*** 257,263 ****
--- 282,292 ----
/* Not a valid numeric inet address. */
/* Map host name to an address. */
if (!hp)
+ #if defined(SOCKS5)
+ hp = Rgethostbyname(host);
+ #else
hp = gethostbyname(host);
+ #endif
if (!hp)
fatal("Bad host name: %.100s", host);
if (!hp->h_addr_list[0])
***************
*** 287,293 ****
--- 316,326 ----
* root.
*/
temporarily_use_uid(original_real_uid);
+ #if defined(SOCKS)
+ if (Rconnect(sock, (struct sockaddr *) hostaddr,
+ #else
if (connect(sock, (struct sockaddr *) hostaddr,
+ #endif
sizeof(*hostaddr)) >= 0) {
/* Successful connection. */
restore_uid();
***************
*** 916,922 ****
debug("No challenge for skey authentication.");
return 0;
}
! challenge = packet_get_string(&payload_len);
if (options.cipher == SSH_CIPHER_NONE)
log("WARNING: Encryption is disabled! "
"Reponse will be transmitted in clear text.");
--- 949,955 ----
debug("No challenge for skey authentication.");
return 0;
}
! challenge = packet_get_string((unsigned int *)&payload_len);
if (options.cipher == SSH_CIPHER_NONE)
log("WARNING: Encryption is disabled! "
"Reponse will be transmitted in clear text.");
*** sshd.c.DIST Tue Jan 11 09:55:44 2000
--- sshd.c Wed Jan 19 11:05:02 2000
***************
*** 277,283 ****
{
extern char *optarg;
extern int optind;
! int opt, aux, sock_in, sock_out, newsock, i, pid, on = 1;
int remote_major, remote_minor;
int silentrsa = 0;
struct pollfd fds;
--- 277,288 ----
{
extern char *optarg;
extern int optind;
! #ifdef _AIX
! unsigned long aux;
! #else
! int aux;
! #endif
! int opt, sock_in, sock_out, newsock, i, pid, on = 1;
int remote_major, remote_minor;
int silentrsa = 0;
struct pollfd fds;
***************
*** 988,994 ****
packet_read_expect(&plen, SSH_CMSG_USER);

/* Get the user name. */
! user = packet_get_string(&ulen);
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);

/* Destroy the private and public keys. They will no longer be needed. */
--- 993,999 ----
packet_read_expect(&plen, SSH_CMSG_USER);

/* Get the user name. */
! user = packet_get_string((unsigned int*)&ulen);
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);

/* Destroy the private and public keys. They will no longer be needed. */
***************
*** 997,1002 ****
--- 1002,1008 ----
RSA_free(sensitive_data.host_key);

setproctitle("%s", user);
+
/* Do the authentication. */
do_authentication(user);
}
***************
*** 1084,1089 ****
--- 1090,1099 ----
{
struct passwd *pw, pwcopy;

+ #ifdef _AIX
+ char *loginmsg;
+ #endif
+
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
***************
*** 1092,1097 ****
--- 1102,1109 ----
}
#endif /* AFS */

+ pw = (struct passwd *) malloc (sizeof(struct passwd));
+
/* Verify that the user is a valid user. */
pw = getpwnam(user);
if (!pw || !allowed_user(pw))
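Review bot: `pw = (struct passwd *) malloc (sizeof(struct passwd));` is immediately overwritten by `pw = getpwnam(user);` on the next line, so the allocation is leaked on every connection and serves no purpose; delete it. If the intent was to keep a private copy of the `getpwnam()` result, `pwcopy` is already declared two lines above for that. The enclosing function starts outside the hunk.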
***************
*** 1133,1138 ****
--- 1145,1151 ----
/* Authentication with empty password succeeded. */
log("Login for user %s from %.100s, accepted without authentication.",
pw->pw_name, get_remote_ipaddr());
+
} else {
/* Loop until the user has been authenticated or the
connection is closed, do_authloop() returns only if
***************
*** 1142,1148 ****

/* Check if the user is logging in as root and root logins are disallowed. */
if (pw->pw_uid == 0 && !options.permit_root_login) {
! if (forced_command)
log("Root login accepted for forced command.");
else
packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
--- 1155,1161 ----

/* Check if the user is logging in as root and root logins are disallowed. */
if (pw->pw_uid == 0 && !options.permit_root_login) {
! if (forced_command)
log("Root login accepted for forced command.");
else
packet_disconnect("ROOT LOGIN REFUSED FROM %.200s",
***************
*** 1149,1154 ****
--- 1162,1170 ----
get_canonical_hostname());
}
/* The user has been authenticated and accepted. */
+ #ifdef _AIX
+ loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+ #endif
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
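Review bot: `loginsuccess()` here and the `loginmsg` declaration in the hunk at 1084,1089 are guarded by `#ifdef _AIX`, whereas the authenticate code uses `WITH_AIXAUTHENTICATE` and configure only adds `-ls` under `--with-aixauthenticate`; if `loginsuccess()` lives in that library, an AIX build without the switch will fail to link, so one macro should be used consistently. The message returned in `loginmsg` is neither shown nor freed; if the library allocates it (as the out-parameter suggests), release it after use. The log line in the hunk at 1133,1138 records `pw->pw_name`, so that is the name to pass here rather than the raw `user` string from the packet. The enclosing function starts outside the hunk.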
***************
*** 1178,1183 ****
--- 1194,1200 ----
int type = 0;
void (*authlog) (const char *fmt,...) = verbose;

+
/* Indicate that authentication is needed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
***************
*** 1261,1267 ****
* authentication is insecure. (Another is
* IP-spoofing on a local network.)
*/
! client_user = packet_get_string(&ulen);
packet_integrity_check(plen, 4 + ulen, type);

/* Try to authenticate using /etc/hosts.equiv and
--- 1278,1284 ----
* authentication is insecure. (Another is
* IP-spoofing on a local network.)
*/
! client_user = packet_get_string((unsigned int *)&ulen);
packet_integrity_check(plen, 4 + ulen, type);

/* Try to authenticate using /etc/hosts.equiv and
***************
*** 1281,1287 ****
* trust the client; root on the client machine can
* claim to be any user.
*/
! client_user = packet_get_string(&ulen);

/* Get the client host key. */
client_host_key_e = BN_new();
--- 1298,1304 ----
* trust the client; root on the client machine can
* claim to be any user.
*/
! client_user = packet_get_string((unsigned int *)&ulen);

/* Get the client host key. */
client_host_key_e = BN_new();
***************
*** 1326,1332 ****
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
! password = packet_get_string(&dlen);
packet_integrity_check(plen, 4 + dlen, type);

#ifdef USE_PAM
--- 1343,1349 ----
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
! password = packet_get_string((unsigned int *)&dlen);
packet_integrity_check(plen, 4 + dlen, type);

#ifdef USE_PAM
***************
*** 1405,1430 ****
#ifdef USE_PAM
if (!do_pam_account(pw->pw_name, client_user))
{
! if (client_user != NULL)
xfree(client_user);

do_fake_authloop(pw->pw_name);
}
#endif /* USE_PAM */
return;
! }

! if (client_user != NULL)
xfree(client_user);

if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);

/* Send a message indicating that the authentication attempt failed. */
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
}

/*
--- 1422,1463 ----
#ifdef USE_PAM
if (!do_pam_account(pw->pw_name, client_user))
{
! if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }

do_fake_authloop(pw->pw_name);
}
#endif /* USE_PAM */
return;
! }

! /* HEAP*/
! #if 1
! if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }
+ #endif

if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);

/* Send a message indicating that the authentication attempt failed. */
+ #ifdef _AIX
+ if (strncmp(get_authname(type),"password",
+ strlen(get_authname(type))) == 0)
+ loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+ #endif
+
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
+
+
+
}

/*
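Review bot: The AIX failed-login accounting added before SSH_SMSG_FAILURE is sent uses `strncmp(get_authname(type), "password", strlen(get_authname(type)))`, which bounds the comparison by the length of the auth name rather than the literal, so an empty name or a shorter prefix such as "pass" compares equal; an exact match, `if (strcmp(get_authname(type), "password") == 0)`, is what is meant. The `/* HEAP*/` and `#if 1 ... #endif` scaffolding around the client_user free should be removed before this goes in, leaving the free-and-null block as plain code. The loginfailed() call also sits after the `attempt > AUTH_FAIL_MAX` disconnect, so if packet_disconnect() does not return, the attempt that exhausts the limit is never recorded; moving the call above that check would count it. The same three points apply to the revised sshd.c hunk later in the thread (the one guarded by WITH_AIXAUTHENTICATE); do_authloop begins outside the hunk.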
***************
*** 1603,1609 ****
ttyname, tty_mode, strerror(errno));

/* Get TERM from the packet. Note that the value may be of arbitrary length. */
! term = packet_get_string(&dlen);
packet_integrity_check(dlen, strlen(term), type);
/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
/* Remaining bytes */
--- 1636,1642 ----
ttyname, tty_mode, strerror(errno));

/* Get TERM from the packet. Note that the value may be of arbitrary length. */
! term = packet_get_string((unsigned int *)&dlen);
packet_integrity_check(dlen, strlen(term), type);
/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
/* Remaining bytes */
***************
*** 1648,1655 ****
packet_disconnect("Protocol error: X11 display already set.");
{
int proto_len, data_len;
! proto = packet_get_string(&proto_len);
! data = packet_get_string(&data_len);
packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
}
if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
--- 1681,1688 ----
packet_disconnect("Protocol error: X11 display already set.");
{
int proto_len, data_len;
! proto = packet_get_string((unsigned int *)&proto_len);
! data = packet_get_string((unsigned int *)&data_len);
packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
}
if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
***************
*** 1732,1738 ****
/* Get command from the packet. */
{
int dlen;
! command = packet_get_string(&dlen);
debug("Executing command '%.500s'", command);
packet_integrity_check(plen, 4 + dlen, type);
}
--- 1765,1771 ----
/* Get command from the packet. */
{
int dlen;
! command = packet_get_string((unsigned int *)&dlen);
debug("Executing command '%.500s'", command);
packet_integrity_check(plen, 4 + dlen, type);
}
***************
*** 1936,1942 ****
--- 1969,1979 ----
struct stat st;
int quiet_login;
struct sockaddr_in from;
+ #ifdef _AIX
+ unsigned long fromlen;
+ #else
int fromlen;
+ #endif
struct pty_cleanup_context cleanup_context;

/* Get remote host name. */
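Review bot: The `#ifdef _AIX` / `unsigned long fromlen` special case bakes one platform's getpeername length type into sshd.c; if `socklen_t` is available on all supported targets (the ssh.h hunks in this thread use it unconditionally in prototypes), `socklen_t fromlen;` expresses the intent without the conditional. If it is not universally available, a configure-time typedef is the conventional place for the fallback rather than a per-platform `#ifdef` at the use site. The enclosing function starts and ends outside the hunk.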
***************
*** 2328,2333 ****
--- 2365,2380 ----
if (display)
child_set_env(&env, &envsize, "DISPLAY", display);

+ {
+ char *authstate,*krb5cc;
+
+ if ((authstate = getenv("AUTHSTATE")) != NULL)
+ child_set_env(&env,&envsize,"AUTHSTATE",authstate);
+
+ if ((krb5cc = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc);
+ }
+
#ifdef KRB4
{
extern char *ticket;
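Review bot: The new block copies AUTHSTATE and KRB5CCNAME from sshd's own environment into the session unconditionally, for every platform and every authentication method, although the values presumably only become meaningful once AIX authenticate() has run in this process — confirm that is where they originate. When the login did not go through authenticate() (RSA, rhosts) or the build is not AIX, this forwards whatever the daemon inherited from the shell that started it, which is daemon state rather than user state; guarding the block with `#ifdef WITH_AIXAUTHENTICATE` (or `_AIX`, matching the rest of this patch) and ideally only after a successful authenticate() call would limit it to the intended case. The revised sshd.c hunk later in the thread carries the same unconditional block. The enclosing function starts and ends outside the hunk.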
***************
*** 2348,2353 ****
--- 2395,2402 ----
if (auth_get_socket_name() != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_get_socket_name());
+
+ read_environment_file(&env,&envsize,"/etc/environment");

/* read $HOME/.ssh/environment. */
if (!options.use_login) {
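Review bot: `read_environment_file(&env,&envsize,"/etc/environment")` is added unconditionally, so non-AIX builds will read a file the surrounding code never consulted before and that may not exist; unless read_environment_file() is known to tolerate a missing file silently (not visible here), the call belongs under the same AIX guard as the rest of this patch. It also runs before the `$HOME/.ssh/environment` read, and a one-line comment recording that the ordering is intended would help, e.g. `/* AIX: read the system-wide /etc/environment before the per-user file */`. The revised sshd.c hunk later in the thread has the same unguarded call. The enclosing function starts and ends outside the hunk.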




--
Matt Richards
Re: AIX openssh patches [ In reply to ]
no. never ever. please don't do this.
netscape+ssl has been broken because of this.
(http://www.cs.berkeley.edu/~daw/my-posts/netscape-cracked)

-markus

On Wed, Jan 19, 2000 at 12:33:55PM -0500, Matt Richards wrote:
> void get_random_bytes(unsigned char *buf, int len)
> {
> +
> + #ifdef USE_SYSRANDOM
> + int index;
> +
> + srandom(time(NULL) + getpid());
> +
> + for (index = 0; index < len+1; index++) {
> + buf[index] = rand()%255;
> + }
> + #else /* USE_SYSRANDOM */
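Review bot: The loop `for (index = 0; index < len+1; index++)` writes len+1 bytes into a buffer of len bytes, so the last iteration stores one past the end of buf. Independently of the quality of the source, the code seeds one generator (`srandom()`) and draws from another (`rand()`), and `rand()%255` can never yield the byte value 255, so the output is biased even on its own terms. The hunk is quoted without its `#else` branch or the end of get_random_bytes, so the non-USE_SYSRANDOM path is not visible here.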
Re: AIX openssh patches [ In reply to ]
On Wed, Jan 19, 2000 at 02:00:19PM -0500, Matt Richards wrote:
(AIX 4 patch discussion truncated.)
> I did make a mistake in the inline. The configure script works fine
> for inline, just need to include config.h in cipher.c in order to get
> the inline define. I've updated the patch to reflect this.

I've attached the revised patch. I don't have SOCKS4 or SOCKS5 to play
with, so if you can test it, that'd be good. As mentioned, AIX users get
WITH_AIXAUTHENTICATE without choice now.

I did not include any of your USE_SYSRANDOM patches into this patch. I looked
at one of the AIX boxes I have access to, and srandom() is pseudorandom,
not truly random (or at least not nearly as random as EGD). I don't feel
comfortable in making this an option given the attack possibilities
pseudorandom numbers give. Sorry.

> Is it feasible to have a configure switch to turn off using privileged
> ports, even if the user has privileges?

I'd think this is reasonable, although I'm so low on time I can't even
think about working on it.

Note: This patch is against pre27, which probably fixes almost all of
the "unsigned long" versus "int" problems you were seeing.

Index: acconfig.h
===================================================================
RCS file: /usr/local/cvs/openssh/acconfig.h,v
retrieving revision 1.19
diff -u -r1.19 acconfig.h
--- acconfig.h 2000/01/17 19:23:50 1.19
+++ acconfig.h 2000/01/19 21:08:57
@@ -12,6 +12,9 @@
/* Define if you want to disable PAM support */
#undef DISABLE_PAM

+/* Define if you want to disable AIX4's authenticate function */
+#undef WITH_AIXAUTHENTICATE
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG

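Review bot: The comment on the new WITH_AIXAUTHENTICATE entry says "Define if you want to disable AIX4's authenticate function", but the macro name and its uses in auth-passwd.c and sshd.c in this patch enable that path, and configure.in defines it unconditionally on AIX. Suggest `/* Define to use AIX4's authenticate() for password authentication (set automatically on AIX) */`, and the same correction in the config.h.in hunk, which repeats the text.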
@@ -29,6 +32,12 @@

/* Define if using the Dante SOCKS library. */
#undef HAVE_DANTE
+
+/* Define if using the Socks4 SOCKS library. */
+#undef HAVE_SOCKS4
+
+/* Define if using the Socks5 SOCKS library. */
+#undef HAVE_SOCKS5

/* Define if your ssl headers are included with #include <ssl/header.h> */
#undef HAVE_SSL
Index: auth-passwd.c
===================================================================
RCS file: /usr/local/cvs/openssh/auth-passwd.c,v
retrieving revision 1.14
diff -u -r1.14 auth-passwd.c
--- auth-passwd.c 2000/01/17 18:39:32 1.14
+++ auth-passwd.c 2000/01/19 20:38:38
@@ -18,6 +18,10 @@
#include "servconf.h"
#include "xmalloc.h"

+#ifdef WITH_AIXAUTHENTICATE
+#include <login.h>
+#endif
+
#ifdef HAVE_SHADOW_H
# include <shadow.h>
#endif
@@ -40,6 +44,12 @@
struct spwd *spw;
#endif

+#ifdef WITH_AIXAUTHENTICATE
+ char *authmsg;
+ char *loginmsg;
+ int reenter = 1;
+#endif
+
/* deny if no user. */
if (pw == NULL)
return 0;
@@ -55,6 +65,15 @@
return ret;
/* Fall back to ordinary passwd authentication. */
}
+#endif
+#ifdef WITH_AIXAUTHENTICATE
+
+ if ( (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0) &&
+ (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) == 0))
+ return 1;
+ else
+ return 0;
+
#endif
#ifdef KRB4
if (options.kerberos_authentication == 1) {
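Review bot: The new WITH_AIXAUTHENTICATE block returns from the function unconditionally, so when it is defined the KRB4 and ordinary password fallbacks that follow become unreachable, and the `reenter` flag passed to authenticate() is initialized to 1 but never examined after the call; if authenticate() uses a non-zero reenter to ask for another round, the result should not be taken as a final verdict without checking it — verify against the AIX authenticate() documentation. The authmsg and loginmsg buffers filled in by authenticate() and loginrestrictions() are neither logged nor released; if AIX allocates them on the caller's behalf, as its documentation indicates, each should be freed on both paths (and the failure message is worth emitting at debug level). The same unreleased loginmsg, and an unchecked return value, appear in the sshd.c loginsuccess() and allowed_user() hunks later in the thread. The enclosing function starts and ends outside the hunk.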
Index: bsd-misc.c
===================================================================
RCS file: /usr/local/cvs/openssh/bsd-misc.c,v
retrieving revision 1.2
diff -u -r1.2 bsd-misc.c
--- bsd-misc.c 2000/01/17 18:39:33 1.2
+++ bsd-misc.c 2000/01/19 21:14:36
@@ -47,6 +47,9 @@
#include <sys/socket.h>
#include <sys/un.h>
#include <fcntl.h>
+#ifdef _AIX
+#include <stddef.h>
+#endif

#include "xmalloc.h"
#include "ssh.h"
Index: cipher.c
===================================================================
RCS file: /usr/local/cvs/openssh/cipher.c,v
retrieving revision 1.7
diff -u -r1.7 cipher.c
--- cipher.c 2000/01/17 17:27:31 1.7
+++ cipher.c 2000/01/19 20:38:38
@@ -16,6 +16,7 @@

#include "ssh.h"
#include "cipher.h"
+#include "config.h"

#ifdef HAVE_OPENSSL
#include <openssl/md5.h>
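Review bot: `#include "config.h"` is added after `ssh.h` and `cipher.h`, so any feature macros config.h defines (the inline define this include was added for, per the thread) are not visible to those two headers while they are parsed; config.h is conventionally the first include in a translation unit. Moving the line above `#include "ssh.h"` removes the ordering dependency.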
Index: config.h.in
===================================================================
RCS file: /usr/local/cvs/openssh/config.h.in,v
retrieving revision 1.22
diff -u -r1.22 config.h.in
--- config.h.in 2000/01/17 19:34:11 1.22
+++ config.h.in 2000/01/19 21:13:52
@@ -15,6 +15,9 @@
/* Define if you want to disable PAM support */
#undef DISABLE_PAM

+/* Define if you want to disable AIX4's authenticate function */
+#undef WITH_AIXAUTHENTICATE
+
/* Define if you want to disable lastlog support */
#undef DISABLE_LASTLOG

@@ -32,6 +35,12 @@

/* Define if using the Dante SOCKS library. */
#undef HAVE_DANTE
+
+/* Define if using the Socks4 SOCKS library. */
+#undef HAVE_SOCKS4
+
+/* Define if using the Socks5 SOCKS library. */
+#undef HAVE_SOCKS5

/* Define if your ssl headers are included with #include <ssl/header.h> */
#undef HAVE_SSL
Index: configure.in
===================================================================
RCS file: /usr/local/cvs/openssh/configure.in,v
retrieving revision 1.22
diff -u -r1.22 configure.in
--- configure.in 2000/01/17 19:34:14 1.22
+++ configure.in 2000/01/19 21:28:41
@@ -55,6 +55,8 @@
case "$host" in
*-*-aix*)
AFS_LIBS="-lld"
+ AC_DEFINE(WITH_AIXAUTHENTICATE)
+ LIBS="$LIBS -ls"
;;
*-*-hpux10*)
if test -z "$GCC"; then
@@ -497,13 +499,53 @@
AC_ARG_WITH(dante,
[. --with-dante=DIR Use Dante SOCKS lib (default is system library path)],
[.
- AC_DEFINE(HAVE_DANTE)
+ SAVELIBS="$LIBS"
+ SOCKSLIBS=""
+ SOCKSLIBPATH=""
if test "x$withval" != "xno" ; then
if test -n $withval ; then
LIBS="$LIBS -L$withval"
+ SOCKSLIBPATH="-L$withval"
fi
- LIBS="$LIBS -lsocks"
+ AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_DANTE) SOCKSLIBS="$SOCKSLIBPATH -lsocks")
fi
+ LIBS="$SAVELIBS $SOCKSLIBS"
+ ]
+)
+
+dnl Compile with SOCKS4 SOCKS library
+AC_ARG_WITH(socks4,
+ [. --with-socks4=DIR Use Socks4 SOCKS lib (default is system library path)],
+ [.
+ SAVELIBS="$LIBS"
+ SOCKSLIBS=""
+ SOCKSLIBPATH=""
+ if test "x$withval" != "xno" ; then
+ if test -n $withval ; then
+ LIBS="$LIBS -L$withval"
+ SOCKSLIBPATH="-L$withval"
+ fi
+ AC_CHECK_LIB(socks, Rconnect, AC_DEFINE(HAVE_SOCKS4) SOCKSLIBS="$SOCKSLIBPATH -lsocks")
+ fi
+ LIBS="$SAVELIBS $SOCKSLIBS"
+ ]
+)
+
+dnl Compile with SOCKS5 SOCKS library
+AC_ARG_WITH(socks5,
+ [. --with-socks5=DIR Use Socks5 SOCKS lib (default is system library path)],
+ [.
+ SAVELIBS="$LIBS"
+ SOCKSLIBS=""
+ SOCKSLIBPATH=""
+ if test "x$withval" != "xno" ; then
+ if test -n $withval ; then
+ LIBS="$LIBS -L$withval"
+ SOCKSLIBPATH="-L$withval"
+ fi
+ AC_CHECK_LIB(socks5, SOCKSconnect, AC_DEFINE(HAVE_SOCKS5) SOCKSLIBS="$SOCKSLIBPATH -lsocks5")
+ fi
+ LIBS="$SAVELIBS $SOCKSLIBS"
]
)

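Review bot: `if test -n $withval ; then` is unquoted in all three SOCKS blocks (dante, socks4, socks5); with an empty value `test -n` receives no operand and succeeds, so a bare `-L` is appended to LIBS and SOCKSLIBPATH. It should be `if test -n "$withval" ; then`. A bare `--with-dante` (no `=DIR`) also sets withval to `yes`, which passes both tests and produces `-Lyes`; testing `"x$withval" != "xyes"` as well as `"xno"` before adding the path avoids that. The generated configure file later in the thread mirrors all three blocks and would need regenerating.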
Index: ssh-keygen.c
===================================================================
RCS file: /usr/local/cvs/openssh/ssh-keygen.c,v
retrieving revision 1.7
diff -u -r1.7 ssh-keygen.c
--- ssh-keygen.c 2000/01/17 16:53:27 1.7
+++ ssh-keygen.c 2000/01/19 20:38:39
@@ -101,7 +101,7 @@
if (f && fgets(line, sizeof(line), f)) {
cp = line;
line[strlen(line) - 1] = '\0';
- if (auth_rsa_read_key(&cp, &dummy, e, n)) {
+ if (auth_rsa_read_key(&cp, (unsigned int *)&dummy, e, n)) {
public_key->e = e;
public_key->n = n;
comment = xstrdup(cp ? cp : "no comment");
Index: ssh.c
===================================================================
RCS file: /usr/local/cvs/openssh/ssh.c,v
retrieving revision 1.13
diff -u -r1.13 ssh.c
--- ssh.c 2000/01/17 19:24:17 1.13
+++ ssh.c 2000/01/19 20:38:39
@@ -213,6 +213,10 @@
/* Save our own name. */
av0 = av[0];

+#ifdef SOCKS
+ SOCKSinit(av0);
+#endif /* SOCKS */
+
/* Initialize option structure to indicate that no values have been set. */
initialize_options(&options);

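Review bot: `SOCKSinit(av0)` is guarded by `SOCKS`, but the only definition of that macro in this patch, at the end of the ssh.h hunk, is `#if defined(DANTE) || defined(SOCKS4) || defined(SOCKS5)`, while configure.in defines `HAVE_DANTE`, `HAVE_SOCKS4` and `HAVE_SOCKS5`; as written SOCKS is never defined and the call never compiles in. The ssh.h guard should read `#if defined(HAVE_DANTE) || defined(HAVE_SOCKS4) || defined(HAVE_SOCKS5)`. Whether the Dante and SOCKS4 libraries export a SOCKSinit() symbol is not shown here; if they do not, the call may need to be restricted to HAVE_SOCKS5 to avoid a link failure. The enclosing function starts and ends outside the hunk.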
Index: ssh.h
===================================================================
RCS file: /usr/local/cvs/openssh/ssh.h,v
retrieving revision 1.15
diff -u -r1.15 ssh.h
--- ssh.h 2000/01/17 19:24:19 1.15
+++ ssh.h 2000/01/19 21:16:53
@@ -752,7 +752,7 @@
#include "auth-pam.h"
#endif /* USE_PAM */

-#ifdef HAVE_DANTE
+#if defined(HAVE_DANTE) || defined(HAVE_SOCKS4)
/*
* The following defines map the normal socket operations to SOCKSified
* versions coming from the Dante SOCKS package.
@@ -795,6 +795,54 @@
size_t, int, const struct sockaddr *, socklen_t);
ssize_t Rwrite(int , const void *, size_t );
ssize_t Rwritev(int , const struct iovec *, int );
-#endif /* HAVE_DANTE */
+#endif /* HAVE_DANTE || HAVE_SOCKS4 */

+#if defined(HAVE_SOCKS5)
+/*
+ * The following defines map the normal socket operations to SOCKSified
+ * versions coming from the Dante SOCKS package.
+ */
+#define accept SOCKSaccept
+#define bind SOCKSbind
+#define bindresvport SOCKSbindresvport
+#define connect SOCKSconnect
+#define gethostbyname SOCKSgethostbyname
+#define gethostbyname2 SOCKSgethostbyname2
+#define getpeername SOCKSgetpeername
+#define getsockname SOCKSgetsockname
+#define read SOCKSread
+#define readv SOCKSreadv
+#define recv SOCKSrecv
+#define recvmsg SOCKSrecvmsg
+#define recvfrom SOCKSrecvfrom
+#define rresvport SOCKSrresvport
+#define send SOCKSsend
+#define sendmsg SOCKSsendmsg
+#define sendto SOCKSsendto
+#define write SOCKSwrite
+#define writev SOCKSwritev
+int SOCKSaccept (int, struct sockaddr *, socklen_t *);
+int SOCKSbind (int, const struct sockaddr *, socklen_t);
+int SOCKSbindresvport(int , struct sockaddr_in *);
+int SOCKSconnect (int, const struct sockaddr *, socklen_t);
+struct hostent *SOCKSgethostbyname(const char *);
+struct hostent *SOCKSgethostbyname2(const char *, int);
+int SOCKSgetpeername (int, struct sockaddr *, socklen_t *);
+int SOCKSgetsockname (int, struct sockaddr *, socklen_t *);
+ssize_t SOCKSread(int , void *, size_t );
+ssize_t SOCKSreadv(int d, const struct iovec *iov, int iovcnt);
+ssize_t SOCKSrecv (int, void *, size_t, int);
+ssize_t SOCKSrecvfrom (int, void *, size_t, int, struct sockaddr *,
+ socklen_t *);
+ssize_t SOCKSsend (int, const void *, size_t, int);
+ssize_t SOCKSsendmsg (int, const struct msghdr *, int);
+ssize_t SOCKSsendto (int, const void *,
+ size_t, int, const struct sockaddr *, socklen_t);
+ssize_t SOCKSwrite(int , const void *, size_t );
+ssize_t SOCKSwritev(int , const struct iovec *, int );
+#endif /* SOCKS5 */
+
+#if defined(DANTE) || defined(SOCKS4) || defined(SOCKS5)
+#define SOCKS
+#endif /* defined(DANTE) || defined(SOCKS4) || defined(SOCKS5) */
#endif /* SSH_H */
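Review bot: The comment above the new SOCKS5 mapping block says the wrappers come "from the Dante SOCKS package", copied from the Dante block; it should name the library actually linked, e.g. `/* Map the normal socket operations to the SOCKSified versions provided by the SOCKS5 library. */`. The closing `#endif /* SOCKS5 */` label does not match its `#if defined(HAVE_SOCKS5)` opener, and the comment kept under the first hunk's widened guard still says Dante only although `HAVE_SOCKS4` now shares it.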
Index: sshconnect.c
===================================================================
RCS file: /usr/local/cvs/openssh/sshconnect.c,v
retrieving revision 1.14
diff -u -r1.14 sshconnect.c
--- sshconnect.c 2000/01/17 19:24:20 1.14
+++ sshconnect.c 2000/01/19 20:38:40
@@ -883,7 +883,7 @@
debug("No challenge for skey authentication.");
return 0;
}
- challenge = packet_get_string(&payload_len);
+ challenge = packet_get_string((unsigned int *)&payload_len);
if (options.cipher == SSH_CIPHER_NONE)
log("WARNING: Encryption is disabled! "
"Reponse will be transmitted in clear text.");
Index: sshd.c
===================================================================
RCS file: /usr/local/cvs/openssh/sshd.c,v
retrieving revision 1.18
diff -u -r1.18 sshd.c
--- sshd.c 2000/01/17 19:24:22 1.18
+++ sshd.c 2000/01/19 21:02:01
@@ -1076,7 +1076,7 @@
packet_read_expect(&plen, SSH_CMSG_USER);

/* Get the user name. */
- user = packet_get_string(&ulen);
+ user = packet_get_string((unsigned int*)&ulen);
packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);

/* Destroy the private and public keys. They will no longer be needed. */
@@ -1172,6 +1172,10 @@
{
struct passwd *pw, pwcopy;

+#ifdef WITH_AIXAUTHENTICATE
+ char *loginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
+
#ifdef AFS
/* If machine has AFS, set process authentication group. */
if (k_hasafs()) {
@@ -1180,6 +1184,8 @@
}
#endif /* AFS */

+ pw = (struct passwd *) malloc (sizeof(struct passwd));
+
/* Verify that the user is a valid user. */
pw = getpwnam(user);
if (!pw || !allowed_user(pw))
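Review bot: `pw = (struct passwd *) malloc (sizeof(struct passwd));` allocates a struct that is overwritten on the next line by `pw = getpwnam(user);`, so the allocation is leaked on every authentication and serves no purpose; the line should be deleted. If the intent was a private copy of the getpwnam() result, `pwcopy` declared in the earlier hunk of this function already exists for that. The enclosing function starts and ends outside the hunk.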
@@ -1237,6 +1243,9 @@
get_canonical_hostname());
}
/* The user has been authenticated and accepted. */
+#ifdef WITH_AIXAUTHENTICATE
+ loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg);
+#endif /* WITH_AIXAUTHENTICATE */
packet_start(SSH_SMSG_SUCCESS);
packet_send();
packet_write_wait();
@@ -1349,7 +1358,7 @@
* authentication is insecure. (Another is
* IP-spoofing on a local network.)
*/
- client_user = packet_get_string(&ulen);
+ client_user = packet_get_string((unsigned int *)&ulen);
packet_integrity_check(plen, 4 + ulen, type);

/* Try to authenticate using /etc/hosts.equiv and
@@ -1369,7 +1378,7 @@
* trust the client; root on the client machine can
* claim to be any user.
*/
- client_user = packet_get_string(&ulen);
+ client_user = packet_get_string((unsigned int *)&ulen);

/* Get the client host key. */
client_host_key_e = BN_new();
@@ -1414,7 +1423,7 @@
* transmitted over the encrypted channel so it is
* not visible to an outside observer.
*/
- password = packet_get_string(&dlen);
+ password = packet_get_string((unsigned int *)&dlen);
packet_integrity_check(plen, 4 + dlen, type);

#ifdef USE_PAM
@@ -1493,26 +1502,42 @@
#ifdef USE_PAM
if (!do_pam_account(pw->pw_name, client_user))
{
- if (client_user != NULL)
+ if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }

do_fake_authloop(pw->pw_name);
}
#endif /* USE_PAM */
return;
- }
+ }

- if (client_user != NULL)
+/* HEAP*/
+#if 1
+ if (client_user != NULL) {
xfree(client_user);
+ client_user = NULL;
+ }
+#endif

if (attempt > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, pw->pw_name);

/* Send a message indicating that the authentication attempt failed. */
+#ifdef WITH_AIXAUTHENTICATE
+ if (strncmp(get_authname(type),"password",
+ strlen(get_authname(type))) == 0)
+ loginfailed(pw->pw_name,get_canonical_hostname(),"ssh");
+#endif /* WITH_AIXAUTHENTICATE */
+
packet_start(SSH_SMSG_FAILURE);
packet_send();
packet_write_wait();
}
+
+
+
}

/*
@@ -1691,7 +1716,7 @@
ttyname, tty_mode, strerror(errno));

/* Get TERM from the packet. Note that the value may be of arbitrary length. */
- term = packet_get_string(&dlen);
+ term = packet_get_string((unsigned int *)&dlen);
packet_integrity_check(dlen, strlen(term), type);
/* packet_integrity_check(plen, 4 + dlen + 4*4 + n_bytes, type); */
/* Remaining bytes */
@@ -1736,8 +1761,8 @@
packet_disconnect("Protocol error: X11 display already set.");
{
int proto_len, data_len;
- proto = packet_get_string(&proto_len);
- data = packet_get_string(&data_len);
+ proto = packet_get_string((unsigned int *)&proto_len);
+ data = packet_get_string((unsigned int *)&data_len);
packet_integrity_check(plen, 4 + proto_len + 4 + data_len + 4, type);
}
if (packet_get_protocol_flags() & SSH_PROTOFLAG_SCREEN_NUMBER)
@@ -1820,7 +1845,7 @@
/* Get command from the packet. */
{
int dlen;
- command = packet_get_string(&dlen);
+ command = packet_get_string((unsigned int *)&dlen);
debug("Executing command '%.500s'", command);
packet_integrity_check(plen, 4 + dlen, type);
}
@@ -2416,6 +2441,16 @@
if (display)
child_set_env(&env, &envsize, "DISPLAY", display);

+ {
+ char *authstate,*krb5cc;
+
+ if ((authstate = getenv("AUTHSTATE")) != NULL)
+ child_set_env(&env,&envsize,"AUTHSTATE",authstate);
+
+ if ((krb5cc = getenv("KRB5CCNAME")) != NULL)
+ child_set_env(&env,&envsize,"KRB5CCNAME",krb5cc);
+ }
+
#ifdef KRB4
{
extern char *ticket;
@@ -2436,6 +2471,8 @@
if (auth_get_socket_name() != NULL)
child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME,
auth_get_socket_name());
+
+ read_environment_file(&env,&envsize,"/etc/environment");

/* read $HOME/.ssh/environment. */
if (!options.use_login) {
Index: configure
===================================================================
RCS file: /usr/local/cvs/openssh/configure,v
retrieving revision 1.22
diff -u -r1.22 configure
--- configure 2000/01/17 19:34:11 1.22
+++ configure 2000/01/19 21:32:12
@@ -28,6 +28,10 @@
ac_help="$ac_help
--with-dante=DIR Use Dante SOCKS lib (default is system library path)"
ac_help="$ac_help
+ --with-socks4=DIR Use Socks4 SOCKS lib (default is system library path)"
+ac_help="$ac_help
+ --with-socks5=DIR Use Socks5 SOCKS lib (default is system library path)"
+ac_help="$ac_help
--with-kerberos4=PATH Enable Kerberos 4 support"
ac_help="$ac_help
--with-afs=PATH Enable AFS support"
@@ -1236,6 +1240,11 @@
case "$host" in
*-*-aix*)
AFS_LIBS="-lld"
+ cat >> confdefs.h <<\EOF
+#define WITH_AIXAUTHENTICATE 1
+EOF
+
+ LIBS="$LIBS -ls"
;;
*-*-hpux10*)
if test -z "$GCC"; then
@@ -2878,16 +2887,183 @@
if test "${with_dante+set}" = set; then
withval="$with_dante"

- cat >> confdefs.h <<\EOF
+ SAVELIBS="$LIBS"
+ SOCKSLIBS=""
+ SOCKSLIBPATH=""
+ if test "x$withval" != "xno" ; then
+ if test -n $withval ; then
+ LIBS="$LIBS -L$withval"
+ SOCKSLIBPATH="-L$withval"
+ fi
+ echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6
+echo "configure:2900: checking for Rconnect in -lsocks" >&5
+ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ ac_save_LIBS="$LIBS"
+LIBS="-lsocks $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2908 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char Rconnect();
+
+int main() {
+Rconnect()
+; return 0; }
+EOF
+if { (eval echo configure:2919: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+ cat >> confdefs.h <<\EOF
#define HAVE_DANTE 1
EOF
+ SOCKSLIBS="$SOCKSLIBPATH -lsocks"
+else
+ echo "$ac_t""no" 1>&6
+fi
+
+ fi
+ LIBS="$SAVELIBS $SOCKSLIBS"
+

+fi
+
+
+# Check whether --with-socks4 or --without-socks4 was given.
+if test "${with_socks4+set}" = set; then
+ withval="$with_socks4"
+
+ SAVELIBS="$LIBS"
+ SOCKSLIBS=""
+ SOCKSLIBPATH=""
if test "x$withval" != "xno" ; then
if test -n $withval ; then
LIBS="$LIBS -L$withval"
+ SOCKSLIBPATH="-L$withval"
fi
- LIBS="$LIBS -lsocks"
+ echo $ac_n "checking for Rconnect in -lsocks""... $ac_c" 1>&6
+echo "configure:2962: checking for Rconnect in -lsocks" >&5
+ac_lib_var=`echo socks'_'Rconnect | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ ac_save_LIBS="$LIBS"
+LIBS="-lsocks $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 2970 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char Rconnect();
+
+int main() {
+Rconnect()
+; return 0; }
+EOF
+if { (eval echo configure:2981: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+ cat >> confdefs.h <<\EOF
+#define HAVE_SOCKS4 1
+EOF
+ SOCKSLIBS="$SOCKSLIBPATH -lsocks"
+else
+ echo "$ac_t""no" 1>&6
+fi
+
+ fi
+ LIBS="$SAVELIBS $SOCKSLIBS"
+
+
+fi
+
+
+# Check whether --with-socks5 or --without-socks5 was given.
+if test "${with_socks5+set}" = set; then
+ withval="$with_socks5"
+
+ SAVELIBS="$LIBS"
+ SOCKSLIBS=""
+ SOCKSLIBPATH=""
+ if test "x$withval" != "xno" ; then
+ if test -n $withval ; then
+ LIBS="$LIBS -L$withval"
+ SOCKSLIBPATH="-L$withval"
+ fi
+ echo $ac_n "checking for SOCKSconnect in -lsocks5""... $ac_c" 1>&6
+echo "configure:3024: checking for SOCKSconnect in -lsocks5" >&5
+ac_lib_var=`echo socks5'_'SOCKSconnect | sed 'y%./+-%__p_%'`
+if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then
+ echo $ac_n "(cached) $ac_c" 1>&6
+else
+ ac_save_LIBS="$LIBS"
+LIBS="-lsocks5 $LIBS"
+cat > conftest.$ac_ext <<EOF
+#line 3032 "configure"
+#include "confdefs.h"
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+char SOCKSconnect();
+
+int main() {
+SOCKSconnect()
+; return 0; }
+EOF
+if { (eval echo configure:3043: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=yes"
+else
+ echo "configure: failed program was:" >&5
+ cat conftest.$ac_ext >&5
+ rm -rf conftest*
+ eval "ac_cv_lib_$ac_lib_var=no"
+fi
+rm -f conftest*
+LIBS="$ac_save_LIBS"
+
+fi
+if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then
+ echo "$ac_t""yes" 1>&6
+ cat >> confdefs.h <<\EOF
+#define HAVE_SOCKS5 1
+EOF
+ SOCKSLIBS="$SOCKSLIBPATH -lsocks5"
+else
+ echo "$ac_t""no" 1>&6
+fi
+
fi
+ LIBS="$SAVELIBS $SOCKSLIBS"


fi
Re: AIX openssh patches [ In reply to ]
On Thu, Jan 20, 2000 at 09:53:10AM +0200, Jarno Huuskonen wrote:
> > > 1) authenticate support - this function allows the system to determine
> > > authentication. Whatever the system allows for login, authenticate
> > > will too. It doesn't matter whether it is AFS, DFS, SecureID, local.

> > > 2) loginsuccess - this function will log to /etc/security/lastlog as
> > > well as clear the failed logins.

> > > 3) loginfailed - this function will increase the number of failed logins
> > > and update /etc/security/lastlog and /etc/security/failedlogins.

> > > 4) loginrestrictions - this function will determine if a user is allowed
> > > to login (ie too many failed logins, account disabled, etc). This
> > > function is used in conjunction with authenticate.

> Would it be better to call the loginrestrictions (and maybe passwdexpired)
> from allowed_user, because I think now if the user is authenticated with
> eg. RSA then no loginrestrictions check is done ?

This is a good idea, but instead of moving the loginrestrictions() call,
I just added it to allowed_user. Matt, can you test this and see how well
it works?

David


Index: sshd.c
===================================================================
RCS file: /usr/local/cvs/openssh/sshd.c,v
retrieving revision 1.18
diff -u -r1.18 sshd.c
--- sshd.c 2000/01/17 19:24:22 1.18
+++ sshd.c 2000/01/20 10:38:17
@@ -32,6 +32,10 @@
int deny_severity = LOG_WARNING;
#endif /* LIBWRAP */

+#ifdef WITH_AIXAUTHENTICATE
+#include <login.h>
+#endif /* WITH_AIXAUTHENTICATE */
+
#ifndef O_NOCTTY
#define O_NOCTTY 0
#endif
@@ -1102,11 +1106,21 @@
{
struct group *grp;
int i;
+#ifdef WITH_AIXAUTHENTICATE
+ char *loginmsg;
+#endif

/* Shouldn't be called if pw is NULL, but better safe than sorry... */
- if (!pw)
+ if (pw == NULL)
return 0;

+#ifdef WITH_AIXAUTHENTICATE
+ /* On AIX, loginrestrictions() tells us whether the person has been
+ * locked out at the OS level or not. */
+ if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0)
+ return 0;
+#endif /* WITH_AIXAUTHENTICATE
+
/* XXX Should check for valid login shell */

/* Return false if user is listed in DenyUsers */
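Review bot: `#endif /* WITH_AIXAUTHENTICATE` is missing its closing `*/`, so the comment runs on until the `*/` of the `/* XXX Should check for valid login shell */` line; it compiles only because that line is itself a comment, and any code placed between them would silently vanish — write `#endif /* WITH_AIXAUTHENTICATE */`. The loginrestrictions() call uses mode S_LOGIN; if the intent is for ssh sessions to honour the restrictions AIX applies to remote logins, S_RLOGIN may be the appropriate mode — verify against the AIX loginrestrictions() documentation. loginmsg is again neither logged nor released after the call. allowed_user's signature is outside the hunk.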
Re: AIX openssh patches [ In reply to ]
Thus spake David Rankin (drankin@bohemians.lexington.ky.us):

> I've attached the revised patch. I don't have SOCKS4 or SOCKS5 to play
> with, so if you can test it, that'd be good. As mentioned, AIX users get
> WITH_AIXAUTHENTICATE without choice now.

I'm having a little problem with the pre27 working with the patches; I'll
let you know when I find out what's going on.


> I did not include any of your USE_SYSRANDOM patches into this patch. I looked
> at one of the AIX boxes I have access to, and srandom() is pseudorandom,
> not truly random (or at least nearly as random as EGD). I don't feel
> comfortable in making this an option given the attack possibilities
> pseudorandom numbers give. Sorry.

You're absolutely right, I don't know what I was thinking. I just don't
like the idea of a separate process to generate randomness.

Thanks,
Matt
Re: AIX openssh patches [ In reply to ]
On Thu, Jan 20, 2000 at 11:45:39AM -0500, Matt Richards wrote:
> Thus spake David Rankin (drankin@bohemians.lexington.ky.us):

> > I've attached the revised patch. I don't have SOCKS4 or SOCKS5 to play
> > with, so if you can test it, that'd be good. As mentioned, AIX users get
> > WITH_AIXAUTHENTICATE without choice now.

> I'm having a little problem with the pre27 working with the patches, I
> let you know when I find out what's going on.

I think I found out. Our u_int*_t tests don't define u_int8_t. Could
someone a bit more familiar with how that code works hack out a patch for
this?

Thanks,
David

--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin@bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble
when you are praised is a great and rare accomplishment." St. Bernard
Re: AIX openssh patches [ In reply to ]
Thus spake David Rankin (drankin@bohemians.lexington.ky.us):

> I think I found out. Our u_int*_t tests don't define u_int8_t. Could
> someone a bit more familiar with how that code works hack out a patch for
> this?

Actually, it's the getaddrinfo in add_listen_addr in servconf.c. I get

fatal: bad addr or host: <NULL> (Host not found)

or

fatal: bad addr or host: 0.0.0.0 (Host not found)

when I specify ListenAddress 0.0.0.0 in sshd_config.

getaddrinfo is returning EAI_NODATA (no address associated with hostname).

--
Matt Richards
Re: AIX openssh patches [ In reply to ]
Thus spake David Rankin (drankin@bohemians.lexington.ky.us):

> I think I found out. Our u_int*_t tests don't define u_int8_t. Could
> someone a bit more familiar with how that code works hack out a patch for
> this?


I found out the problem with AIX 4.3 and the patches. AIX4.3 has a
bug in getaddrinfo. The problem is known, but a patch has not been
released yet. So for now, I just commented out

#define HAVE_GETADDRINFO 1

in config.h (after the configure).

I did have to modify ssh.h a little to get the SOCKS4 and SOCKS5
stuff working correctly. The patch is included. Other than that,
ssh worked like a champ for AIX4.3.

I did have that u_int*_t problem for AIX4.2, but Andre Lucas' patch
fixed that.


*** ssh.h.DIST Fri Jan 21 14:50:45 2000
--- ssh.h Fri Jan 21 14:45:32 2000
***************
*** 761,771 ****
#define bind Rbind
#define bindresvport Rbindresvport
#define connect Rconnect
- #define gethostbyname Rgethostbyname
#define gethostbyname2 Rgethostbyname2
- #define getpeername Rgetpeername
#define getsockname Rgetsockname
- #define read Rread
#define readv Rreadv
#define recv Rrecv
#define recvmsg Rrecvmsg
--- 761,768 ----
***************
*** 774,781 ****
#define send Rsend
#define sendmsg Rsendmsg
#define sendto Rsendto
- #define write Rwrite
#define writev Rwritev
int Raccept (int, struct sockaddr *, socklen_t *);
int Rbind (int, const struct sockaddr *, socklen_t);
int Rbindresvport(int , struct sockaddr_in *);
--- 771,785 ----
#define send Rsend
#define sendmsg Rsendmsg
#define sendto Rsendto
#define writev Rwritev
+
+ #ifndef HAVE_SOCKS4
+ #define gethostbyname Rgethostbyname
+ #define getpeername Rgetpeername
+ #define write Rwrite
+ #define read Rread
+ #endif
+
int Raccept (int, struct sockaddr *, socklen_t *);
int Rbind (int, const struct sockaddr *, socklen_t);
int Rbindresvport(int , struct sockaddr_in *);
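Review bot: The new `#ifndef HAVE_SOCKS4` block sits inside the region that the earlier ssh.h hunk in this thread guards with `#if defined(HAVE_DANTE) || defined(HAVE_SOCKS4)`, so it is reached only for Dante builds; `#ifdef HAVE_DANTE` would say that directly, and a one-line comment recording why the SOCKS4 library's gethostbyname/getpeername/read/write are left unwrapped (the message does not say) would spare the next reader the same investigation. The R* prototypes for those four calls are not shown here; if they remain declared unconditionally that is harmless, but worth checking.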
***************
*** 802,815 ****
* The following defines map the normal socket operations to SOCKSified
* versions coming from the Dante SOCKS package.
*/
- #define accept SOCKSaccept
#define bind SOCKSbind
#define bindresvport SOCKSbindresvport
#define connect SOCKSconnect
#define gethostbyname SOCKSgethostbyname
#define gethostbyname2 SOCKSgethostbyname2
- #define getpeername SOCKSgetpeername
- #define getsockname SOCKSgetsockname
#define read SOCKSread
#define readv SOCKSreadv
#define recv SOCKSrecv
--- 806,816 ----


--
Matt Richards