5 files deleted
1 files added
19 files modified
| | |
| | | # |
| | | |
| | | BUILD_BITS= 64 |
| | | |
| | | USE_OPENSSL11= yes |
| | | include ../../../make-rules/shared-macros.mk |
| | | |
| | | COMPONENT_NAME= openssh |
| | | COMPONENT_VERSION= 8.1p1 |
| | | COMPONENT_REVISION= 2 |
| | | HUMAN_VERSION= $(COMPONENT_VERSION) |
| | | COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION) |
| | | |
| | | # Version for IPS. The encoding rules are: |
| | | # OpenSSH <x>.<y>p<n> => IPS <x>.<y>.0.<n> |
| | | # OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n> |
| | | IPS_COMPONENT_VERSION= 8.1.0.1 |
| | | |
| | | COMPONENT_VERSION= 8.9.0.1 |
| | | HUMAN_VERSION= 8.9p1 |
| | | COMPONENT_SRC= $(COMPONENT_NAME)-$(HUMAN_VERSION) |
| | | COMPONENT_PROJECT_URL= https://www.openssh.org |
| | | COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz |
| | | COMPONENT_ARCHIVE_HASH= sha256:02f5dbef3835d0753556f973cd57b4c19b6b1f6cd24c03445e23ac77ca1b93ff |
| | | COMPONENT_ARCHIVE_URL= https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE) |
| | | COMPONENT_ARCHIVE_HASH= sha256:fd497654b7ab1686dac672fb83dfb4ba4096e8b5ffcdaccd262380ae58bec5e7 |
| | | COMPONENT_ARCHIVE_URL= https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE) |
| | | COMPONENT_FMRI= network/ssh |
| | | COMPONENT_LICENSE= BSD, BSD-like |
| | | COMPONENT_LICENSE_FILE= LICENCE |
| | | |
| | | include $(WS_MAKE_RULES)/common.mk |
| | | |
| | | GENERATED_MAN_4_PAGES = moduli ssh_config sshd_config |
| | | GENERATED_MAN_1m_PAGES = sftp-server ssh-keysign ssh-pkcs11-helper sshd |
| | | |
| | | # Move man pages to correct section and fix header |
| | | define process-man-rule |
| | | uc=$(shell echo $(3)| tr '[:lower:]' '[:upper:]') |
| | | $(PATCH_STAMPS): $(SOURCE_DIR)/$(1).$(3) |
| | | |
| | | $(SOURCE_DIR)/$(1).$(3): $(SOURCE_DIR)/.unpacked |
| | | cat $(SOURCE_DIR)/$(1).$(2) | $(GSED) -E "s/^(\.Dt +[^ ]+).*$//\1 $$(uc)/" > $$@ |
| | | endef |
| | | |
| | | $(foreach man,$(GENERATED_MAN_4_PAGES),$(eval $(call process-man-rule,$(man),5,4))) |
| | | $(foreach man,$(GENERATED_MAN_1m_PAGES),$(eval $(call process-man-rule,$(man),8,1m))) |
| | | |
| | | COMPONENT_PREP_ACTION = (cd $(@D) ; autoreconf -f -i) |
| | | |
| | | CFLAGS += -DSET_USE_PAM |
| | | CFLAGS += -DNO_UID_RESTORATION_TEST |
| | | CFLAGS += -DDEPRECATE_SUNSSH_OPT |
| | | CFLAGS += -DKRB5_BUILD_FIX |
| | | CFLAGS += -DDTRACE_SFTP |
| | | CFLAGS += -DDISABLE_BANNER |
| | | CFLAGS += -DPAM_ENHANCEMENT |
| | | CFLAGS += -DPAM_BUGFIX |
| | | CFLAGS += -DOPTION_DEFAULT_VALUE |
| | | CFLAGS += -DHAVE_EVP_SHA256 |
| | | CFLAGS += -DPER_SESSION_XAUTHFILE |
| | | CFLAGS += -DDTRACE_SFTP |
| | | CFLAGS += -I/usr/include/kerberosv5/ |
| | | CFLAGS += -DKRB5_BUILD_FIX |
| | | CFLAGS += -DDISABLE_BANNER |
| | | CFLAGS += -DDEPRECATE_SUNSSH_OPT |
| | | CFLAGS += -DOPTION_DEFAULT_VALUE |
| | | CFLAGS += -DSANDBOX_SOLARIS |
| | | #CFLAGS += -DNO_UID_RESTORATION_TEST |
| | | #CFLAGS += -DHAVE_EVP_SHA256 |
| | | CFLAGS += -DPER_SESSION_XAUTHFILE |
| | | CFLAGS += -I$(OPENSSL_INCDIR) |
| | | |
| | | # We need to disable lazyloading of dynamic dependent libraries. During the |
| | | # pre-authentication phase, sshd will chroot to /var/empty which doesn't |
| | |
| | | # libraries that it needs. |
| | | LDFLAGS += -B direct -z nolazyload |
| | | |
| | | CONFIGURE_OPTIONS += --with-ssl-dir=$(OPENSSL_LIBDIR.$(BITS)) |
| | | CONFIGURE_OPTIONS += --with-ssl-engine |
| | | CONFIGURE_OPTIONS += --with-audit=solaris |
| | | CONFIGURE_OPTIONS += --with-libedit |
| | | CONFIGURE_OPTIONS += --with-kerberos5 |
| | |
| | | CONFIGURE_OPTIONS += --with-sandbox=solaris |
| | | CONFIGURE_OPTIONS += --with-solaris-contracts |
| | | CONFIGURE_OPTIONS += --with-solaris-privs |
| | | CONFIGURE_OPTIONS += --with-privsep-user=daemon |
| | | CONFIGURE_OPTIONS += --with-solaris-projects |
| | | CONFIGURE_OPTIONS += --with-tcp-wrappers |
| | | CONFIGURE_OPTIONS += --with-4in6 |
| | | CONFIGURE_OPTIONS += --with-xauth=/usr/bin/xauth |
| | | CONFIGURE_OPTIONS += --enable-strip=no |
| | | CONFIGURE_OPTIONS += --without-rpath |
| | | CONFIGURE_OPTIONS += --disable-lastlog |
| | | CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh |
| | | CONFIGURE_OPTIONS += --sbindir=/usr/lib/ssh |
| | | CONFIGURE_OPTIONS += --sysconfdir=/etc/ssh |
| | | CONFIGURE_OPTIONS += --bindir=/usr/bin |
| | | CONFIGURE_OPTIONS += --disable-lastlog |
| | | |
| | | COMPONENT_POST_INSTALL_ACTION += $(INSTALL) -Dm755 $(SOURCE_DIR)/contrib/ssh-copy-id $(PROTOUSRBINDIR)/ssh-copy-id; |
| | | COMPONENT_POST_INSTALL_ACTION += $(INSTALL) -Dm644 $(SOURCE_DIR)/contrib/ssh-copy-id.1 $(PROTOUSRSHAREMAN1DIR)/ssh-copy-id.1; |
| | | |
| | | COMPONENT_TEST_TARGETS = tests |
| | | |
| | | # Manually added dependencies |
| | | # Bogus dependency due to libssp |
| | | REQUIRED_PACKAGES += $(GXX_RUNTIME_PKG) |
| | | REQUIRED_PACKAGES += $(GCC_RUNTIME_PKG) |
| | | |
| | | # Auto-generated dependencies |
| | | REQUIRED_PACKAGES += SUNWcs |
| | | REQUIRED_PACKAGES += library/libedit |
| | | REQUIRED_PACKAGES += library/security/openssl |
| | | REQUIRED_PACKAGES += library/security/openssl-11 |
| | | REQUIRED_PACKAGES += library/zlib |
| | | REQUIRED_PACKAGES += service/security/kerberos-5 |
| | | REQUIRED_PACKAGES += shell/bash |
| | | REQUIRED_PACKAGES += SUNWcs |
| | | REQUIRED_PACKAGES += shell/ksh93 |
| | | REQUIRED_PACKAGES += system/library |
| | | REQUIRED_PACKAGES += system/library/security/gss |
| | | # Bogus dependency due to libssp |
| | | REQUIRED_PACKAGES += $(GXX_RUNTIME_PKG) |
| | |
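Review bot: `CONFIGURE_OPTIONS += --with-tcp-wrappers` is passed to an OpenSSH 8.9 configure that upstream has not recognised since libwrap support was removed in 6.7; autoconf only warns about unknown `--with-*` options, so unless one of the local patches restores libwrap this line silently does nothing and the build ships an sshd that does not consult hosts.allow/hosts.deny while the recipe suggests it does. Either drop the line or confirm after configure that `config.h` actually defines `LIBWRAP` and that the libwrap patch still applies to 8.9. Separately, `--with-privsep-user=daemon` (apparently unchanged by this commit) runs the pre-auth privilege-separated child as the shared `daemon` account rather than a dedicated unprivileged user, which is what upstream's default `sshd` account is meant to provide; a dedicated user would keep a pre-auth compromise from touching anything else that runs as `daemon`.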
| | | # |
| | | |
| | | # |
| | | # Copyright 2018 <contributor> |
| | | # Copyright 2022 <contributor> |
| | | # |
| | | |
| | | set name=pkg.fmri value=pkg:/$(COMPONENT_FMRI)@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) |
| | |
| | | file path=usr/lib/ssh/sftp-server |
| | | file path=usr/lib/ssh/ssh-keysign |
| | | file path=usr/lib/ssh/ssh-pkcs11-helper |
| | | file path=usr/lib/ssh/ssh-sk-helper |
| | | file path=usr/lib/ssh/sshd |
| | | file path=usr/share/man/man1/scp.1 |
| | | file path=usr/share/man/man1/sftp.1 |
| | |
| | | file path=usr/share/man/man1/ssh-keygen.1 |
| | | file path=usr/share/man/man1/ssh-keyscan.1 |
| | | file path=usr/share/man/man1/ssh.1 |
| | | file path=usr/share/man/man1m/sftp-server.1m |
| | | file path=usr/share/man/man1m/ssh-keysign.1m |
| | | file path=usr/share/man/man1m/ssh-pkcs11-helper.1m |
| | | file path=usr/share/man/man1m/sshd.1m |
| | | file path=usr/share/man/man4/moduli.4 |
| | | file path=usr/share/man/man4/ssh_config.4 |
| | | file path=usr/share/man/man4/sshd_config.4 |
| | | file path=usr/share/man/man5/moduli.5 |
| | | file path=usr/share/man/man5/ssh_config.5 |
| | | file path=usr/share/man/man5/sshd_config.5 |
| | | file path=usr/share/man/man8/sftp-server.8 |
| | | file path=usr/share/man/man8/ssh-keysign.8 |
| | | file path=usr/share/man/man8/ssh-pkcs11-helper.8 |
| | | file path=usr/share/man/man8/ssh-sk-helper.8 |
| | | file path=usr/share/man/man8/sshd.8 |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c |
| | | --- a~/servconf.c 1970-01-01 00:00:00 |
| | | +++ a/servconf.c 1970-01-01 00:00:00 |
| | | @@ -276,7 +276,12 @@ fill_default_server_options(ServerOption |
| | | @@ -277,7 +277,12 @@ fill_default_server_options(ServerOption |
| | | |
| | | /* Portable-specific options */ |
| | | if (options->use_pam == -1) |
| | |
| | | |
| | | /* Standard Options */ |
| | | if (options->num_host_key_files == 0) { |
| | | @@ -1268,8 +1273,17 @@ process_server_config_line(ServerOptions |
| | | @@ -1328,8 +1333,17 @@ process_server_config_line_depth(ServerO |
| | | switch (opcode) { |
| | | /* Portable-specific options */ |
| | | case sUsePAM: |
| | |
| | | + logit("%s line %d: ignoring UsePAM option value." |
| | | + " This option is always on.", filename, linenum); |
| | | + while (arg) |
| | | + arg = strdelim(&cp); |
| | | + arg = strdelim(&str); |
| | | + break; |
| | | +#else |
| | | intptr = &options->use_pam; |
| | |
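Review bot: The drain loop `while (arg) arg = strdelim(&str);` under `case sUsePAM:` still walks the pre-8.8 string cursor, but process_server_config_line_depth in 8.9 tokenises the line with argv_split into `av`/`ac`, so consuming `str` leaves `ac` untouched; if the function's trailing-garbage check is `if (ac > 0)`, as I believe it has been since that conversion, an explicit `UsePAM yes` in sshd_config would be reported as extra arguments and fail `sshd -t` instead of being ignored as the logit() message promises. The 8.9 idiom for discarding the rest of a line is the one its own sDeprecated/sIgnore cases use: replace the loop with `argv_consume(&ac);`. Worth verifying with `sshd -t` against a config that sets UsePAM explicitly. The enclosing switch continues outside the hunk.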
| | | Date: Mon, 3 Aug 2015 14:34:41 -0700 |
| | | Subject: [PATCH 03/34] lastlogin |
| | | |
| | | *** old/servconf.c Wed Sep 17 02:54:26 2014 |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.4 a/sshd_config.4 |
| | | --- a~/sshd_config.4 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.4 1970-01-01 00:00:00 |
| | | @@ -1395,8 +1395,8 @@ Specifies whether |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5 |
| | | --- a~/sshd_config.5 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.5 1970-01-01 00:00:00 |
| | | @@ -1485,8 +1485,8 @@ Specifies whether |
| | | .Xr sshd 8 |
| | | should print the date and time of the last user login when a user logs |
| | | in interactively. |
| | | -The default is |
| | | -.Cm yes . |
| | | +On OmniOS this option is always ignored since pam_unix_session(5) |
| | | +On OmniOS this option is always ignored since pam_unix_session(7) |
| | | +reports the last login time. |
| | | .It Cm PrintMotd |
| | | Specifies whether |
| | | .Xr sshd 8 |
| | | @@ -1820,7 +1820,8 @@ This file should be writable by root onl |
| | | @@ -1954,7 +1954,8 @@ This file should be writable by root onl |
| | | .El |
| | | .Sh SEE ALSO |
| | | .Xr sftp-server 8 , |
| | | -.Xr sshd 8 |
| | | +.Xr sshd 8 , |
| | | +.Xr pam_unix_session 5 |
| | | +.Xr pam_unix_session 7 |
| | | .Sh AUTHORS |
| | | .An -nosplit |
| | | OpenSSH is a derivative of the original and free |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in |
| | | --- a~/Makefile.in 1970-01-01 00:00:00 |
| | | +++ a/Makefile.in 1970-01-01 00:00:00 |
| | | @@ -24,6 +24,7 @@ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpas |
| | | SFTP_SERVER=$(libexecdir)/sftp-server |
| | | SSH_KEYSIGN=$(libexecdir)/ssh-keysign |
| | | SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper |
| | | +ROOTDLIBDIR64=$(DESTDIR)/usr/lib/dtrace/64 |
| | | PRIVSEP_PATH=@PRIVSEP_PATH@ |
| | | SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@ |
| | | STRIP_OPT=@STRIP_OPT@ |
| | | @@ -93,6 +94,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
| | | atomicio.o dispatch.o mac.o misc.o utf8.o \ |
| | | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \ |
| | | @@ -103,6 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
| | | monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \ |
| | | ssh-ed25519-sk.o ssh-rsa.o dh.o \ |
| | | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
| | | + sftp_provider.o \ |
| | | ssh-pkcs11.o smult_curve25519_ref.o \ |
| | | poly1305.o chacha.o cipher-chachapoly.o \ |
| | | ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \ |
| | | @@ -119,7 +121,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw |
| | | sftp-server.o sftp-common.o sftp-realpath.o \ |
| | | poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \ |
| | | ssh-ed25519.o digest-openssl.o digest-libc.o \ |
| | | @@ -131,7 +132,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw |
| | | srclimit.o sftp-server.o sftp-common.o \ |
| | | sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \ |
| | | sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \ |
| | | - sandbox-solaris.o uidswap.o |
| | | + sandbox-solaris.o uidswap.o sftp_provider.o |
| | | - sandbox-solaris.o uidswap.o $(SKOBJS) |
| | | + sandbox-solaris.o uidswap.o sftp_provider.o $(SKOBJS) |
| | | |
| | | MANPAGES = moduli.4.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.1m.out sftp-server.1m.out sftp.1.out ssh-keysign.1m.out ssh-pkcs11-helper.1m.out sshd_config.4.out ssh_config.4.out |
| | | MANPAGES_IN = moduli.4 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.1m sftp-server.1m sftp.1 ssh-keysign.1m ssh-pkcs11-helper.1m sshd_config.4 ssh_config.4 |
| | | @@ -201,8 +203,8 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) |
| | | ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o |
| | | $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) |
| | | SFTP_CLIENT_OBJS=sftp-common.o sftp-client.o sftp-glob.o |
| | | |
| | | -sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o |
| | | - $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
| | | +sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-realpath.o sftp-server-main.o sftp_provider.o |
| | | + $(LD) -o $@ sftp-server.o sftp-common.o sftp-realpath.o sftp-server-main.o sftp_provider.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) |
| | | @@ -151,7 +152,8 @@ SKHELPER_OBJS= ssh-sk-helper.o ssh-sk.o |
| | | |
| | | sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o |
| | | $(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(LIBEDIT) |
| | | @@ -232,9 +234,22 @@ $(CONFIGFILES): $(CONFIGFILES_IN) |
| | | SSHKEYSCAN_OBJS=ssh-keyscan.o $(SKOBJS) |
| | | |
| | | -SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o |
| | | +SFTPSERVER_OBJS=sftp-common.o sftp-server.o sftp-server-main.o sftp_provider.o |
| | | +ROOTDLIBDIR64=$(DESTDIR)/usr/lib/dtrace/64 |
| | | |
| | | SFTP_OBJS= sftp.o progressmeter.o $(SFTP_CLIENT_OBJS) |
| | | |
| | | @@ -269,9 +271,22 @@ $(CONFIGFILES): $(CONFIGFILES_IN) |
| | | moduli: |
| | | echo |
| | | |
| | |
| | | + $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ -c $(srcdir)/sftp-server.c |
| | | + |
| | | clean: regressclean |
| | | rm -f *.o *.a $(TARGETS) logintest config.cache config.log |
| | | rm -f *.o *.lo *.a $(TARGETS) logintest config.cache config.log |
| | | - rm -f *.out core survey |
| | | + rm -f *.out core survey sftp_provider.h |
| | | rm -f regress/check-perm$(EXEEXT) |
| | | rm -f regress/mkdtemp$(EXEEXT) |
| | | rm -f regress/unittests/test_helper/*.a |
| | | @@ -374,6 +389,7 @@ install-files: |
| | | $(INSTALL) -m 644 sftp-server.1m.out $(DESTDIR)$(mandir)/$(mansubdir)1m/sftp-server.1m |
| | | $(INSTALL) -m 644 ssh-keysign.1m.out $(DESTDIR)$(mandir)/$(mansubdir)1m/ssh-keysign.1m |
| | | $(INSTALL) -m 644 ssh-pkcs11-helper.1m.out $(DESTDIR)$(mandir)/$(mansubdir)1m/ssh-pkcs11-helper.1m |
| | | + mkdir -p $(ROOTDLIBDIR64) && cp $(srcdir)/sftp64.d $(ROOTDLIBDIR64)/sftp64.d |
| | | @@ -433,6 +448,7 @@ install-files: |
| | | $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 |
| | | $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8 |
| | | $(INSTALL) -m 644 ssh-sk-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-sk-helper.8 |
| | | + mkdir -p $(ROOTDLIBDIR64) && cp $(srcdir)/sftp64.d $(ROOTDLIBDIR64)/ |
| | | |
| | | install-sysconf: |
| | | $(MKDIR_P) $(DESTDIR)$(sysconfdir) |
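Review bot: The DTrace library is installed with a bare `cp` at the end of install-files (`mkdir -p $(ROOTDLIBDIR64) && cp $(srcdir)/sftp64.d $(ROOTDLIBDIR64)/`), so the installed sftp64.d inherits whatever mode the source-tree file happens to have instead of the deterministic 0644 the neighbouring man-page lines get via `$(INSTALL) -m 644`. Suggest `$(MKDIR_P) $(ROOTDLIBDIR64) && $(INSTALL) -m 644 $(srcdir)/sftp64.d $(ROOTDLIBDIR64)/sftp64.d`, which also uses the same directory helper the install-sysconf target below relies on. `ROOTDLIBDIR64` is hard-coded to `$(DESTDIR)/usr/lib/dtrace/64` rather than derived from `$(libdir)`, which is fine for this distribution but worth a one-line comment saying so.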
| | | diff -wpruN '--exclude=*.orig' a~/sftp-server.c a/sftp-server.c |
| | | --- a~/sftp-server.c 1970-01-01 00:00:00 |
| | | +++ a/sftp-server.c 1970-01-01 00:00:00 |
| | | @@ -50,6 +50,9 @@ |
| | | @@ -54,6 +54,9 @@ |
| | | |
| | | #include "sftp.h" |
| | | #include "sftp-common.h" |
| | |
| | | |
| | | char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ |
| | | |
| | | @@ -742,14 +745,17 @@ process_read(u_int32_t id) |
| | | @@ -790,14 +793,17 @@ process_read(u_int32_t id) |
| | | u_int32_t len; |
| | | int r, handle, fd, ret, status = SSH2_FX_FAILURE; |
| | | u_int64_t off; |
| | |
| | | if ((r = get_handle(iqueue, &handle)) != 0 || |
| | | (r = sshbuf_get_u64(iqueue, &off)) != 0 || |
| | | (r = sshbuf_get_u32(iqueue, &len)) != 0) |
| | | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| | | fatal_fr(r, "parse"); |
| | | |
| | | + fpath = handle_to_name(handle); |
| | | + |
| | | debug("request %u: read \"%s\" (handle %d) off %llu len %d", |
| | | debug("request %u: read \"%s\" (handle %d) off %llu len %u", |
| | | - id, handle_to_name(handle), handle, (unsigned long long)off, len); |
| | | + id, fpath, handle, (unsigned long long)off, len); |
| | | if (len > sizeof buf) { |
| | | len = sizeof buf; |
| | | debug2("read change len %d", len); |
| | | @@ -760,7 +766,13 @@ process_read(u_int32_t id) |
| | | error("process_read: seek failed"); |
| | | status = errno_to_portable(errno); |
| | | } else { |
| | | if ((fd = handle_to_fd(handle)) == -1) |
| | | goto out; |
| | | if (len > SFTP_MAX_READ_LENGTH) { |
| | | @@ -816,6 +822,9 @@ process_read(u_int32_t id) |
| | | strerror(errno)); |
| | | goto out; |
| | | } |
| | | +#ifdef DTRACE_SFTP |
| | | + SFTP_TRANSFER_START_OP("read", fd, fpath, len); |
| | | + SFTP_TRANSFER_START_OP("read", fd, fpath, len); |
| | | +#endif |
| | | ret = read(fd, buf, len); |
| | | if (len == 0) { |
| | | /* weird, but not strictly disallowed */ |
| | | ret = 0; |
| | | @@ -828,11 +837,18 @@ process_read(u_int32_t id) |
| | | status = SSH2_FX_EOF; |
| | | goto out; |
| | | } |
| | | +#ifdef DTRACE_SFTP |
| | | + SFTP_TRANSFER_DONE_OP("read", fd, fpath, ret); |
| | | + SFTP_TRANSFER_DONE_OP("read", fd, fpath, ret); |
| | | +#endif |
| | | if (ret == -1) { |
| | | status = errno_to_portable(errno); |
| | | } else if (ret == 0) { |
| | | @@ -783,14 +795,16 @@ process_write(u_int32_t id) |
| | | send_data(id, buf, ret); |
| | | handle_update_read(handle, ret); |
| | | /* success */ |
| | | status = SSH2_FX_OK; |
| | | out: |
| | | +#ifdef DTRACE_SFTP |
| | | + if (status != SSH2_FX_OK) |
| | | + SFTP_TRANSFER_DONE_OP("read", fd, fpath, ret); |
| | | +#endif |
| | | if (status != SSH2_FX_OK) |
| | | send_status(id, status); |
| | | } |
| | | @@ -844,14 +860,17 @@ process_write(u_int32_t id) |
| | | size_t len; |
| | | int r, handle, fd, ret, status; |
| | | u_char *data; |
| | |
| | | if ((r = get_handle(iqueue, &handle)) != 0 || |
| | | (r = sshbuf_get_u64(iqueue, &off)) != 0 || |
| | | (r = sshbuf_get_string(iqueue, &data, &len)) != 0) |
| | | fatal("%s: buffer error: %s", __func__, ssh_err(r)); |
| | | fatal_fr(r, "parse"); |
| | | |
| | | + fpath = handle_to_name(handle); |
| | | + |
| | | debug("request %u: write \"%s\" (handle %d) off %llu len %zu", |
| | | - id, handle_to_name(handle), handle, (unsigned long long)off, len); |
| | | + id, fpath, handle, (unsigned long long)off, len); |
| | | fd = handle_to_fd(handle); |
| | | |
| | | if (fd < 0) |
| | | @@ -802,7 +816,13 @@ process_write(u_int32_t id) |
| | | error("process_write: seek failed"); |
| | | @@ -864,7 +883,13 @@ process_write(u_int32_t id) |
| | | strerror(errno)); |
| | | } else { |
| | | /* XXX ATOMICIO ? */ |
| | | +#ifdef DTRACE_SFTP |
| | |
| | | + SFTP_TRANSFER_DONE_OP("write", fd, fpath, ret); |
| | | +#endif |
| | | if (ret == -1) { |
| | | error("process_write: write failed"); |
| | | status = errno_to_portable(errno); |
| | | error_f("write \"%.100s\": %s", |
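Review bot: The `SFTP_TRANSFER_DONE_OP("read", fd, fpath, ret)` fired under `out:` when `status != SSH2_FX_OK` can pass an indeterminate `ret`: it is declared without an initializer at the top of process_read (`int r, handle, fd, ret, status = SSH2_FX_FAILURE;`), and the early `goto out` paths for an invalid handle (`handle_to_fd(handle) == -1`) and a failed seek never assign it, nor do they fire the matching START probe. Initialising it at declaration, `int r, handle, fd = -1, ret = -1, status = SSH2_FX_FAILURE;`, keeps the probe arguments defined; alternatively only fire DONE at `out:` on paths where START fired. The same pattern should be checked in process_write, whose `out:` handling is outside the hunks shown. process_read's body spans several hunks and continues beyond them.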
| | | diff -wpruN '--exclude=*.orig' a~/sftp64.d a/sftp64.d |
| | | --- a~/sftp64.d 1970-01-01 00:00:00 |
| | | +++ a/sftp64.d 1970-01-01 00:00:00 |
| | |
| | | + * We seem currently unable to depend properly on existing D libraries (like |
| | | + * sftp.d). But the definitions for conninfo_t and sftpinfo_t are stored there |
| | | + * (and have to be, since that's where the real translators live). So we're |
| | | + * forced to define something here to satisfy dtrace(1M), but none of the |
| | | + * forced to define something here to satisfy dtrace(8), but none of the |
| | | + * definitions or translators here are actually used. |
| | | + */ |
| | | +typedef struct sftpinfo { |
| | |
| | | From 09ad0aa54f500a5e3aef488bb4755bd480c4b8fa Mon Sep 17 00:00:00 2001 |
| | | From: oracle <solaris@oracle.com> |
| | | Date: Mon, 3 Aug 2015 14:36:00 -0700 |
| | | Subject: [PATCH 08/34] Add DisableBanner option |
| | | |
| | | diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c |
| | | --- a~/readconf.c 1970-01-01 00:00:00 |
| | | +++ a/readconf.c 1970-01-01 00:00:00 |
| | | @@ -165,6 +165,9 @@ typedef enum { |
| | | @@ -164,6 +164,9 @@ typedef enum { |
| | | oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly, |
| | | oSendEnv, oSetEnv, oControlPath, oControlMaster, oControlPersist, |
| | | oHashKnownHosts, |
| | |
| | | oTunnel, oTunnelDevice, |
| | | oLocalCommand, oPermitLocalCommand, oRemoteCommand, |
| | | oVisualHostKey, |
| | | @@ -286,6 +289,9 @@ static struct { |
| | | @@ -289,6 +292,9 @@ static struct { |
| | | { "controlpersist", oControlPersist }, |
| | | { "hashknownhosts", oHashKnownHosts }, |
| | | { "include", oInclude }, |
| | |
| | | { "tunnel", oTunnel }, |
| | | { "tunneldevice", oTunnelDevice }, |
| | | { "localcommand", oLocalCommand }, |
| | | @@ -828,6 +834,17 @@ static const struct multistate multistat |
| | | { NULL, -1 } |
| | | }; |
| | | @@ -924,6 +930,17 @@ parse_multistate_value(const char *arg, |
| | | return -1; |
| | | } |
| | | |
| | | +#ifdef DISABLE_BANNER |
| | | +static const struct multistate multistate_disablebanner[] = { |
| | |
| | | /* |
| | | * Processes a single option line as used in the configuration files. This |
| | | * only sets those values that have not already been set. |
| | | @@ -1741,6 +1758,13 @@ parse_keytypes: |
| | | @@ -2191,6 +2208,13 @@ parse_pubkey_algos: |
| | | *charptr = xstrdup(arg); |
| | | break; |
| | | |
| | |
| | | case oDeprecated: |
| | | debug("%s line %d: Deprecated option \"%s\"", |
| | | filename, linenum, keyword); |
| | | @@ -1936,6 +1960,9 @@ initialize_options(Options * options) |
| | | options->ip_qos_bulk = -1; |
| | | options->request_tty = -1; |
| | | @@ -2426,6 +2450,9 @@ initialize_options(Options * options) |
| | | options->stdin_null = -1; |
| | | options->fork_after_authentication = -1; |
| | | options->proxy_use_fdpass = -1; |
| | | +#ifdef DISABLE_BANNER |
| | | + options->disable_banner = -1; |
| | |
| | | options->ignored_unknown = NULL; |
| | | options->num_canonical_domains = 0; |
| | | options->num_permitted_cnames = 0; |
| | | @@ -2114,6 +2141,10 @@ fill_default_options(Options * options) |
| | | @@ -2625,6 +2652,10 @@ fill_default_options(Options * options) |
| | | options->canonicalize_fallback_local = 1; |
| | | if (options->canonicalize_hostname == -1) |
| | | options->canonicalize_hostname = SSH_CANONICALISE_NO; |
| | |
| | | +#endif |
| | | if (options->fingerprint_hash == -1) |
| | | options->fingerprint_hash = SSH_FP_HASH_DEFAULT; |
| | | if (options->update_hostkeys == -1) |
| | | #ifdef ENABLE_SK_INTERNAL |
| | | diff -wpruN '--exclude=*.orig' a~/readconf.h a/readconf.h |
| | | --- a~/readconf.h 1970-01-01 00:00:00 |
| | | +++ a/readconf.h 1970-01-01 00:00:00 |
| | | @@ -166,6 +166,9 @@ typedef struct { |
| | | char *jump_extra; |
| | | @@ -177,6 +177,9 @@ typedef struct { |
| | | char *known_hosts_command; |
| | | |
| | | char *ignored_unknown; /* Pattern list of unknown tokens to ignore */ |
| | | +#ifdef DISABLE_BANNER |
| | |
| | | +#endif |
| | | } Options; |
| | | |
| | | #define SSH_CANONICALISE_NO 0 |
| | | @@ -197,6 +200,12 @@ typedef struct { |
| | | #define SSH_PUBKEY_AUTH_NO 0x00 |
| | | @@ -217,6 +220,12 @@ typedef struct { |
| | | #define SSH_STRICT_HOSTKEY_YES 2 |
| | | #define SSH_STRICT_HOSTKEY_ASK 3 |
| | | |
| | |
| | | +#define SSH_DISABLEBANNER_INEXECMODE 2 |
| | | +#endif |
| | | + |
| | | void initialize_options(Options *); |
| | | void fill_default_options(Options *); |
| | | void fill_default_options_for_canonicalization(Options *); |
| | | diff -wpruN '--exclude=*.orig' a~/ssh_config.4 a/ssh_config.4 |
| | | --- a~/ssh_config.4 1970-01-01 00:00:00 |
| | | +++ a/ssh_config.4 1970-01-01 00:00:00 |
| | | @@ -578,6 +578,14 @@ If set to a time in seconds, or a time i |
| | | const char *kex_default_pk_alg(void); |
| | | char *ssh_connection_hash(const char *thishost, const char *host, |
| | | const char *portstr, const char *user); |
| | | diff -wpruN '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5 |
| | | --- a~/ssh_config.5 1970-01-01 00:00:00 |
| | | +++ a/ssh_config.5 1970-01-01 00:00:00 |
| | | @@ -611,6 +611,14 @@ If set to a time in seconds, or a time i |
| | | then the backgrounded master connection will automatically terminate |
| | | after it has remained idle (with no client connections) for the |
| | | specified time. |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/sshconnect2.c a/sshconnect2.c |
| | | --- a~/sshconnect2.c 1970-01-01 00:00:00 |
| | | +++ a/sshconnect2.c 1970-01-01 00:00:00 |
| | | @@ -82,6 +82,10 @@ extern char *client_version_string; |
| | | @@ -85,6 +85,10 @@ extern char *client_version_string; |
| | | extern char *server_version_string; |
| | | extern Options options; |
| | | |
| | |
| | | /* |
| | | * SSH2 key exchange |
| | | */ |
| | | @@ -522,8 +526,28 @@ input_userauth_banner(int type, u_int32_ |
| | | @@ -594,8 +598,28 @@ input_userauth_banner(int type, u_int32_ |
| | | if ((r = sshpkt_get_cstring(ssh, &msg, &len)) != 0 || |
| | | (r = sshpkt_get_cstring(ssh, NULL, NULL)) != 0) |
| | | goto out; |
| | |
| | | From ed82a32f2970ccafe09d94de469de246ac8b795f Mon Sep 17 00:00:00 2001 |
| | | From: oracle <solaris@oracle.com> |
| | | Date: Mon, 3 Aug 2015 14:36:19 -0700 |
| | | Subject: [PATCH 10/34] PAM enhancements for Solaris |
| | | |
| | | diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c |
| | | --- a~/auth-pam.c 1970-01-01 00:00:00 |
| | | +++ a/auth-pam.c 1970-01-01 00:00:00 |
| | | @@ -677,29 +677,141 @@ sshpam_cleanup(void) |
| | | @@ -683,6 +683,66 @@ sshpam_cleanup(void) |
| | | sshpam_handle = NULL; |
| | | } |
| | | |
| | |
| | | static int |
| | | sshpam_init(struct ssh *ssh, Authctxt *authctxt) |
| | | { |
| | | const char *pam_user, *user = authctxt->user; |
| | | const char **ptr_pam_user = &pam_user; |
| | | |
| | | @@ -695,23 +755,76 @@ sshpam_init(struct ssh *ssh, Authctxt *a |
| | | fatal("Username too long from %s port %d", |
| | | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh)); |
| | | #endif |
| | | + |
| | | +#ifdef PAM_ENHANCEMENT |
| | | + const char *pam_service; |
| | | + const char **ptr_pam_service = &pam_service; |
| | |
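Review bot: The `PAM_ENHANCEMENT` block in sshpam_init declares `pam_service` and `ptr_pam_service` after executable statements (the `fatal("Username too long ...")` call), while the function keeps its other declarations (`pam_user`, `ptr_pam_user`) at the top of the block as OpenSSH's style generally does; `-Wdeclaration-after-statement` flags this. Move the two declarations up next to `ptr_pam_user`, keeping the guard: `#ifdef PAM_ENHANCEMENT` / `const char *pam_service, **ptr_pam_service = &pam_service;` / `#endif`. sshpam_init continues past the end of this hunk.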
| | | diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c |
| | | --- a~/auth2.c 1970-01-01 00:00:00 |
| | | +++ a/auth2.c 1970-01-01 00:00:00 |
| | | @@ -296,9 +296,17 @@ input_userauth_request(int type, u_int32 |
| | | @@ -297,9 +297,17 @@ input_userauth_request(int type, u_int32 |
| | | #endif |
| | | } |
| | | #ifdef USE_PAM |
| | |
| | | ssh_packet_set_log_preamble(ssh, "%suser %s", |
| | | authctxt->valid ? "authenticating " : "invalid ", user); |
| | | setproctitle("%s%s", authctxt->valid ? user : "unknown", |
| | | @@ -333,6 +341,18 @@ input_userauth_request(int type, u_int32 |
| | | @@ -334,6 +342,18 @@ input_userauth_request(int type, u_int32 |
| | | /* try to authenticate user */ |
| | | m = authmethod_lookup(authctxt, method); |
| | | if (m != NULL && authctxt->failures < options.max_authtries) { |
| | |
| | | + } |
| | | +#endif |
| | | debug2("input_userauth_request: try method %s", method); |
| | | authenticated = m->userauth(ssh); |
| | | authenticated = m->userauth(ssh, method); |
| | | } |
| | | @@ -356,6 +376,10 @@ userauth_finish(struct ssh *ssh, int aut |
| | | @@ -359,6 +379,10 @@ userauth_finish(struct ssh *ssh, int aut |
| | | char *methods; |
| | | int r, partial = 0; |
| | | |
| | | +#ifdef PAM_ENHANCEMENT |
| | | + debug3("%s: entering", __func__); |
| | | + debug3("%s: entering", __func__); |
| | | +#endif |
| | | + |
| | | if (!authctxt->valid && authenticated) |
| | | fatal("INTERNAL ERROR: authenticated invalid user %s", |
| | | authctxt->user); |
| | | @@ -372,6 +396,25 @@ userauth_finish(struct ssh *ssh, int aut |
| | | if (authenticated) { |
| | | if (!authctxt->valid) { |
| | | fatal("INTERNAL ERROR: authenticated invalid user %s", |
| | | @@ -382,6 +406,25 @@ userauth_finish(struct ssh *ssh, int aut |
| | | } |
| | | |
| | | if (authenticated && options.num_auth_methods != 0) { |
| | |
| | | if (!auth2_update_methods_lists(authctxt, method, submethod)) { |
| | | authenticated = 0; |
| | | partial = 1; |
| | | @@ -389,7 +432,19 @@ userauth_finish(struct ssh *ssh, int aut |
| | | @@ -399,7 +442,19 @@ userauth_finish(struct ssh *ssh, int aut |
| | | return; |
| | | |
| | | #ifdef USE_PAM |
| | |
| | | +#else |
| | | if (options.use_pam && authenticated) { |
| | | +#endif |
| | | int r; |
| | | int r, success = PRIVSEP(do_pam_account()); |
| | | |
| | | if (!PRIVSEP(do_pam_account())) { |
| | | /* If PAM returned a message, send it to the user. */ |
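Review bot: `debug3("%s: entering", __func__);` added at the top of userauth_finish uses the old `%s`/`__func__` spelling, while the 8.9 code this patch now applies to has moved to the `_f`/`_fr` logging helpers (see `fatal_fr(r, "parse")` and `error_f(...)` elsewhere in this commit); `debug3_f("entering");` is the consistent form. The `#ifdef PAM_ENHANCEMENT ... #else if (options.use_pam && authenticated) { #endif` split in the later hunk leaves the opening brace on different sides of the conditional, which is legal but fragile; a comment on the `#else` line naming which condition it closes would help. userauth_finish and input_userauth_request both extend beyond the hunks shown here.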
| | | diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c |
| | | --- a~/monitor.c 1970-01-01 00:00:00 |
| | | +++ a/monitor.c 1970-01-01 00:00:00 |
| | |
| | | int mm_answer_authpassword(struct ssh *, int, struct sshbuf *); |
| | | int mm_answer_bsdauthquery(struct ssh *, int, struct sshbuf *); |
| | | int mm_answer_bsdauthrespond(struct ssh *, int, struct sshbuf *); |
| | | @@ -195,10 +198,17 @@ struct mon_table mon_dispatch_proto20[] |
| | | @@ -193,10 +196,17 @@ struct mon_table mon_dispatch_proto20[] |
| | | {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, |
| | | {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, |
| | | {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, |
| | |
| | | {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account}, |
| | | {MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_pam_init_ctx}, |
| | | {MONITOR_REQ_PAM_QUERY, 0, mm_answer_pam_query}, |
| | | @@ -305,6 +315,25 @@ monitor_child_preauth(struct ssh *ssh, s |
| | | @@ -303,6 +313,25 @@ monitor_child_preauth(struct ssh *ssh, s |
| | | |
| | | /* Special handling for multiple required authentications */ |
| | | if (options.num_auth_methods != 0) { |
| | |
| | | if (authenticated && |
| | | !auth2_update_methods_lists(authctxt, |
| | | auth_method, auth_submethod)) { |
| | | @@ -323,8 +352,21 @@ monitor_child_preauth(struct ssh *ssh, s |
| | | @@ -320,8 +349,21 @@ monitor_child_preauth(struct ssh *ssh, s |
| | | !auth_root_allowed(ssh, auth_method)) |
| | | authenticated = 0; |
| | | #ifdef USE_PAM |
| | |
| | | struct sshbuf *m; |
| | | |
| | | if ((m = sshbuf_new()) == NULL) |
| | | @@ -804,6 +846,11 @@ mm_answer_pwnamallow(struct ssh *ssh, in |
| | | @@ -803,6 +845,11 @@ mm_answer_pwnamallow(struct ssh *ssh, in |
| | | monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); |
| | | monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); |
| | | |
| | |
| | | #ifdef USE_PAM |
| | | if (options.use_pam) |
| | | monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); |
| | | @@ -827,6 +874,27 @@ int mm_answer_auth2_read_banner(struct s |
| | | @@ -826,6 +873,27 @@ int mm_answer_auth2_read_banner(struct s |
| | | return (0); |
| | | } |
| | | |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/monitor_wrap.c a/monitor_wrap.c |
| | | --- a~/monitor_wrap.c 1970-01-01 00:00:00 |
| | | +++ a/monitor_wrap.c 1970-01-01 00:00:00 |
| | | @@ -385,6 +385,24 @@ mm_inform_authserv(char *service, char * |
| | | @@ -395,6 +395,24 @@ mm_inform_authserv(char *service, char * |
| | | sshbuf_free(m); |
| | | } |
| | | |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c |
| | | --- a~/servconf.c 1970-01-01 00:00:00 |
| | | +++ a/servconf.c 1970-01-01 00:00:00 |
| | | @@ -180,6 +180,18 @@ initialize_server_options(ServerOptions |
| | | @@ -195,6 +195,18 @@ initialize_server_options(ServerOptions |
| | | options->fingerprint_hash = -1; |
| | | options->disable_forwarding = -1; |
| | | options->expose_userauth_info = -1; |
| | |
| | | } |
| | | |
| | | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
| | | @@ -420,6 +432,12 @@ fill_default_server_options(ServerOption |
| | | @@ -434,6 +446,12 @@ fill_default_server_options(ServerOption |
| | | options->ip_qos_bulk = IPTOS_DSCP_CS1; |
| | | if (options->version_addendum == NULL) |
| | | options->version_addendum = xstrdup(""); |
| | |
| | | if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1) |
| | | options->fwd_opts.streamlocal_bind_mask = 0177; |
| | | if (options->fwd_opts.streamlocal_bind_unlink == -1) |
| | | @@ -507,6 +525,9 @@ typedef enum { |
| | | @@ -514,6 +532,9 @@ typedef enum { |
| | | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, |
| | | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| | | sHostCertificate, |
| | | sHostCertificate, sInclude, |
| | | +#ifdef PAM_ENHANCEMENT |
| | | + sPAMServicePrefix, sPAMServiceName, |
| | | +#endif |
| | | sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile, |
| | | sAuthorizedPrincipalsCommand, sAuthorizedPrincipalsCommandUser, |
| | | sKexAlgorithms, sCASignatureAlgorithms, sIPQoS, sVersionAddendum, |
| | | @@ -648,6 +669,10 @@ static struct { |
| | | @@ -664,6 +685,10 @@ static struct { |
| | | { "forcecommand", sForceCommand, SSHCFG_ALL }, |
| | | { "chrootdirectory", sChrootDirectory, SSHCFG_ALL }, |
| | | { "hostcertificate", sHostCertificate, SSHCFG_GLOBAL }, |
| | |
| | | { "revokedkeys", sRevokedKeys, SSHCFG_ALL }, |
| | | { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL }, |
| | | { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL }, |
| | | @@ -2191,6 +2216,37 @@ process_server_config_line(ServerOptions |
| | | @@ -2450,6 +2475,37 @@ process_server_config_line_depth(ServerO |
| | | *charptr = xstrdup(arg); |
| | | break; |
| | | |
| | | + case sPAMServicePrefix: |
| | | + arg = strdelim(&cp); |
| | | + arg = strdelim(&str); |
| | | + if (!arg || *arg == '\0') |
| | | + fatal("%s line %d: Missing argument.", |
| | | + filename, linenum); |
| | |
| | | + break; |
| | | + |
| | | + case sPAMServiceName: |
| | | + arg = strdelim(&cp); |
| | | + arg = strdelim(&str); |
| | | + if (!arg || *arg == '\0') |
| | | + fatal("%s line %d: Missing argument.", |
| | | + filename, linenum); |
| | |
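Review bot: The new sPAMServicePrefix and sPAMServiceName cases accept any non-empty token, yet the value becomes (or prefixes) a PAM service name per the sshd_config.5 text elsewhere in this commit, so a stray `/` or other separator in sshd_config would silently select a service stack other than the one intended; a second check such as `if (strcspn(arg, "/\\") != strlen(arg)) fatal("%s line %d: Invalid PAM service name.", filename, linenum);` before the assignment would make that a configuration error instead. The assignment itself and the documented "if both are set, sshd does not start" exclusion are not visible here, so I cannot confirm where that check lives. Both case bodies and process_server_config_line_depth continue outside the hunk.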
| | | diff -wpruN '--exclude=*.orig' a~/servconf.h a/servconf.h |
| | | --- a~/servconf.h 1970-01-01 00:00:00 |
| | | +++ a/servconf.h 1970-01-01 00:00:00 |
| | | @@ -62,6 +62,10 @@ struct listenaddr { |
| | | @@ -73,6 +73,10 @@ struct listenaddr { |
| | | struct addrinfo *addrs; |
| | | }; |
| | | |
| | |
| | | typedef struct { |
| | | u_int num_ports; |
| | | u_int ports_from_cmdline; |
| | | @@ -208,6 +212,12 @@ typedef struct { |
| | | @@ -225,6 +229,12 @@ typedef struct { |
| | | u_int num_auth_methods; |
| | | char **auth_methods; |
| | | |
| | |
| | | int fingerprint_hash; |
| | | int expose_userauth_info; |
| | | u_int64_t timing_secret; |
| | | diff -wpruN '--exclude=*.orig' a~/sshd.1m a/sshd.1m |
| | | --- a~/sshd.1m 1970-01-01 00:00:00 |
| | | +++ a/sshd.1m 1970-01-01 00:00:00 |
| | | @@ -966,6 +966,33 @@ concurrently for different ports, this c |
| | | diff -wpruN '--exclude=*.orig' a~/sshd.8 a/sshd.8 |
| | | --- a~/sshd.8 1970-01-01 00:00:00 |
| | | +++ a/sshd.8 1970-01-01 00:00:00 |
| | | @@ -1001,6 +1001,33 @@ concurrently for different ports, this c |
| | | started last). |
| | | The content of this file is not sensitive; it can be world-readable. |
| | | .El |
| | | + |
| | | +.Sh SECURITY |
| | | +sshd uses pam(3PAM) for password and keyboard-interactive methods as well as |
| | | +sshd uses pam(3PAM) for password and keyboard-interactive methods as well as |
| | | +for account management, session management, and the password management for all |
| | | +authentication methods. |
| | | +.Pp |
| | |
| | | .Sh SEE ALSO |
| | | .Xr scp 1 , |
| | | .Xr sftp 1 , |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.4 a/sshd_config.4 |
| | | --- a~/sshd_config.4 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.4 1970-01-01 00:00:00 |
| | | @@ -1205,6 +1205,21 @@ will refuse connection attempts with a p |
| | | if there are currently start (10) unauthenticated connections. |
| | | The probability increases linearly and all connection attempts |
| | | are refused if the number of unauthenticated connections reaches full (60). |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5 |
| | | --- a~/sshd_config.5 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.5 1970-01-01 00:00:00 |
| | | @@ -1276,6 +1276,35 @@ and |
| | | key exchange methods. |
| | | The default is |
| | | .Pa /etc/moduli . |
| | | +.It Cm PAMServiceName |
| | | +Specifies the PAM service name for the PAM session. The PAMServiceName and |
| | | +PAMServicePrefix options are mutually exclusive and if both set, sshd does not |
| | | +start. If this option is set the service name is the same for all user |
| | | +authentication methods. The option has no default value. See PAMServicePrefix |
| | | +Specifies the PAM service name for the PAM session. |
| | | +The |
| | | +.Cm PAMServiceName |
| | | +and |
| | | +.Cm PAMServicePrefix |
| | | +options are mutually exclusive and if both are set, sshd does not start. |
| | | +If this option is set the service name is the same for all user authentication |
| | | +methods. |
| | | +The option has no default value. |
| | | +See |
| | | +.Cm PAMServicePrefix |
| | | +for more information. |
| | | +.It Cm PAMServicePrefix |
| | | +Specifies the PAM service name prefix for service names used for individual |
| | | +user authentication methods. The default is sshd. The PAMServiceName and |
| | | +PAMServicePrefix options are mutually exclusive and if both set, sshd does not |
| | | +start. |
| | | +user authentication methods. |
| | | +The default is sshd. |
| | | +The |
| | | +.Cm PAMServiceName |
| | | +and |
| | | +.Cm PAMServicePrefix |
| | | +options are mutually exclusive and if both are set, sshd does not start. |
| | | +.Pp |
| | | +For example, if this option is set to admincli, the service name for the |
| | | +keyboard-interactive authentication method is admincli-kbdint instead of the |
| | | +default sshd-kbdint. |
| | | +For example, if this option is set to |
| | | +.Cm admincli , |
| | | +the service name for the keyboard-interactive authentication method is |
| | | +.Sy admincli-kbdint |
| | | +instead of the default |
| | | +.Sy sshd-kbdint . |
| | | .It Cm PasswordAuthentication |
| | | Specifies whether password authentication is allowed. |
| | | The default is |
| | | @@ -1640,8 +1655,7 @@ If |
| | | @@ -1774,8 +1803,7 @@ If |
| | | is enabled, you will not be able to run |
| | | .Xr sshd 8 |
| | | as a non-root user. |
| | |
| | | From dad178a7fb894660036982a75b4e1c30e71cbd33 Mon Sep 17 00:00:00 2001 |
| | | From: oracle <solaris@oracle.com> |
| | | Date: Mon, 3 Aug 2015 14:37:01 -0700 |
| | | Subject: [PATCH 13/34] Solaris Auditing support |
| | | |
| | | diff -wpruN '--exclude=*.orig' a~/INSTALL a/INSTALL |
| | | --- a~/INSTALL 1970-01-01 00:00:00 |
| | | +++ a/INSTALL 1970-01-01 00:00:00 |
| | | @@ -98,9 +98,13 @@ http://www.gnu.org/software/autoconf/ |
| | | @@ -106,9 +106,13 @@ http://www.gnu.org/software/automake/ |
| | | |
| | | Basic Security Module (BSM): |
| | | |
| | |
| | | |
| | | makedepend: |
| | | |
| | | @@ -156,8 +160,9 @@ name). |
| | | @@ -174,8 +178,9 @@ name). |
| | | There are a few other options to the configure script: |
| | | |
| | | --with-audit=[module] enable additional auditing via the specified module. |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/Makefile.in a/Makefile.in |
| | | --- a~/Makefile.in 1970-01-01 00:00:00 |
| | | +++ a/Makefile.in 1970-01-01 00:00:00 |
| | | @@ -109,7 +109,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s |
| | | sshconnect.o sshconnect2.o mux.o |
| | | @@ -120,7 +120,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s |
| | | sshconnect.o sshconnect2.o mux.o $(SKOBJS) |
| | | |
| | | SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ |
| | | - audit.o audit-bsm.o audit-linux.o platform.o \ |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/README.platform a/README.platform |
| | | --- a~/README.platform 1970-01-01 00:00:00 |
| | | +++ a/README.platform 1970-01-01 00:00:00 |
| | | @@ -71,8 +71,8 @@ zlib-devel and pam-devel, on Debian base |
| | | @@ -71,10 +71,10 @@ zlib-devel and pam-devel, on Debian base |
| | | libssl-dev, libz-dev and libpam-dev. |
| | | |
| | | |
| | | -Solaris |
| | | -------- |
| | | -If you enable BSM auditing on Solaris, you need to update audit_event(4) |
| | | -for praudit(1m) to give sensible output. The following line needs to be |
| | | +Prior to Solaris 11 |
| | | +------------------- |
| | | If you enable BSM auditing on Solaris, you need to update audit_event(4) |
| | | for praudit(1m) to give sensible output. The following line needs to be |
| | | +If you enable BSM auditing on Solaris, you need to update audit_event(5) |
| | | +for praudit(8) to give sensible output. The following line needs to be |
| | | added to /etc/security/audit_event: |
| | | |
| | | 32800:AUE_openssh:OpenSSH login:lo |
| | | @@ -85,6 +85,9 @@ There is no official registry of 3rd par |
| | | number is already in use on your system, you may change it at build time |
| | | by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/audit-bsm.c a/audit-bsm.c |
| | | --- a~/audit-bsm.c 1970-01-01 00:00:00 |
| | | +++ a/audit-bsm.c 1970-01-01 00:00:00 |
| | | @@ -347,7 +347,7 @@ bsm_audit_bad_login(const char *what) |
| | | @@ -348,7 +348,7 @@ bsm_audit_bad_login(const char *what) |
| | | /* Below is the sshd audit API code */ |
| | | |
| | | void |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac |
| | | --- a~/configure.ac 1970-01-01 00:00:00 |
| | | +++ a/configure.ac 1970-01-01 00:00:00 |
| | | @@ -1603,7 +1603,7 @@ AC_ARG_WITH([libedit], |
| | | @@ -1708,7 +1708,7 @@ AC_ARG_WITH([libedit], |
| | | |
| | | AUDIT_MODULE=none |
| | | AC_ARG_WITH([audit], |
| | |
| | | [ |
| | | AC_MSG_CHECKING([for supported audit module]) |
| | | case "$withval" in |
| | | @@ -1640,6 +1640,13 @@ AC_ARG_WITH([audit], |
| | | @@ -1745,6 +1745,13 @@ AC_ARG_WITH([audit], |
| | | SSHDLIBS="$SSHDLIBS -laudit" |
| | | AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module]) |
| | | ;; |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/defines.h a/defines.h |
| | | --- a~/defines.h 1970-01-01 00:00:00 |
| | | +++ a/defines.h 1970-01-01 00:00:00 |
| | | @@ -655,6 +655,11 @@ struct winsize { |
| | | @@ -715,6 +715,11 @@ struct winsize { |
| | | # define CUSTOM_SSH_AUDIT_EVENTS |
| | | #endif |
| | | |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/sshd.c a/sshd.c |
| | | --- a~/sshd.c 1970-01-01 00:00:00 |
| | | +++ a/sshd.c 1970-01-01 00:00:00 |
| | | @@ -2055,7 +2055,7 @@ main(int ac, char **av) |
| | | @@ -2166,7 +2166,7 @@ main(int ac, char **av) |
| | | remote_ip = ssh_remote_ipaddr(ssh); |
| | | |
| | | #ifdef SSH_AUDIT_EVENTS |
| | |
| | | #endif |
| | | |
| | | rdomain = ssh_packet_rdomain_in(ssh); |
| | | @@ -2143,8 +2143,10 @@ main(int ac, char **av) |
| | | @@ -2255,8 +2255,10 @@ main(int ac, char **av) |
| | | } |
| | | |
| | | #ifdef SSH_AUDIT_EVENTS |
| | |
| | | |
| | | #ifdef GSSAPI |
| | | if (options.gss_authentication) { |
| | | @@ -2173,6 +2175,10 @@ main(int ac, char **av) |
| | | @@ -2285,6 +2287,10 @@ main(int ac, char **av) |
| | | do_pam_session(ssh); |
| | | } |
| | | #endif |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/auth-pam.c a/auth-pam.c |
| | | --- a~/auth-pam.c 1970-01-01 00:00:00 |
| | | +++ a/auth-pam.c 1970-01-01 00:00:00 |
| | | @@ -1186,6 +1186,20 @@ do_pam_account(void) |
| | | @@ -1200,6 +1200,20 @@ do_pam_account(void) |
| | | return (sshpam_account_status); |
| | | } |
| | | |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/auth2-hostbased.c a/auth2-hostbased.c |
| | | --- a~/auth2-hostbased.c 1970-01-01 00:00:00 |
| | | +++ a/auth2-hostbased.c 1970-01-01 00:00:00 |
| | | @@ -82,6 +82,9 @@ userauth_hostbased(struct ssh *ssh) |
| | | @@ -81,6 +81,9 @@ userauth_hostbased(struct ssh *ssh, cons |
| | | debug("signature:"); |
| | | sshbuf_dump_data(sig, slen, stderr); |
| | | #endif |
| | |
| | | pktype = sshkey_type_from_name(pkalg); |
| | | if (pktype == KEY_UNSPEC) { |
| | | /* this is perfectly legal */ |
| | | @@ -154,6 +157,13 @@ userauth_hostbased(struct ssh *ssh) |
| | | sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0) |
| | | @@ -153,6 +156,13 @@ userauth_hostbased(struct ssh *ssh, cons |
| | | sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat, NULL)) == 0) |
| | | authenticated = 1; |
| | | |
| | | +#ifdef HAVE_PAM_AUSER |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/auth2.c a/auth2.c |
| | | --- a~/auth2.c 1970-01-01 00:00:00 |
| | | +++ a/auth2.c 1970-01-01 00:00:00 |
| | | @@ -395,6 +395,14 @@ userauth_finish(struct ssh *ssh, int aut |
| | | @@ -405,6 +405,14 @@ userauth_finish(struct ssh *ssh, int aut |
| | | #endif |
| | | } |
| | | |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/monitor.c a/monitor.c |
| | | --- a~/monitor.c 1970-01-01 00:00:00 |
| | | +++ a/monitor.c 1970-01-01 00:00:00 |
| | | @@ -392,6 +392,12 @@ monitor_child_preauth(struct ssh *ssh, s |
| | | @@ -389,6 +389,12 @@ monitor_child_preauth(struct ssh *ssh, s |
| | | } |
| | | } |
| | | |
| | |
| | | + } |
| | | +#endif |
| | | if (!authctxt->valid) |
| | | fatal("%s: authenticated invalid user", __func__); |
| | | fatal_f("authenticated invalid user"); |
| | | if (strcmp(auth_method, "unknown") == 0) |
| | | @@ -598,14 +604,16 @@ monitor_reset_key_state(void) |
| | | @@ -592,14 +598,16 @@ monitor_reset_key_state(void) |
| | | { |
| | | /* reset state */ |
| | | free(key_blob); |
| | |
| | | hostbased_chost = NULL; |
| | | } |
| | | |
| | | @@ -1077,6 +1085,11 @@ mm_answer_pam_account(struct ssh *ssh, i |
| | | @@ -1075,6 +1083,11 @@ mm_answer_pam_account(struct ssh *ssh, i |
| | | if (!options.use_pam) |
| | | fatal("%s: PAM not enabled", __func__); |
| | | |
| | |
| | | #include "ssh2.h" |
| | | #include "packet.h" |
| | | +#include "digest.h" |
| | | #include "kex.h" |
| | | #include "sshbuf.h" |
| | | #include "log.h" |
| | | #include "misc.h" |
| | | @@ -85,6 +92,15 @@ format_key(const struct sshkey *key) |
| | | @@ -86,6 +93,15 @@ format_key(const struct sshkey *key) |
| | | return ret; |
| | | } |
| | | |
| | |
| | | + const u_char *, size_t); |
| | | + |
| | | static int |
| | | userauth_pubkey(struct ssh *ssh) |
| | | userauth_pubkey(struct ssh *ssh, const char *method) |
| | | { |
| | | @@ -976,6 +992,124 @@ user_key_command_allowed2(struct ssh *ss |
| | | @@ -1032,6 +1048,124 @@ user_key_command_allowed2(struct ssh *ss |
| | | return found_key; |
| | | } |
| | | |
| | |
| | | /* |
| | | * Check whether key authenticates and authorises the user. |
| | | */ |
| | | @@ -1016,6 +1150,10 @@ user_key_allowed(struct ssh *ssh, struct |
| | | @@ -1072,6 +1206,10 @@ user_key_allowed(struct ssh *ssh, struct |
| | | sshauthopt_free(opts); |
| | | opts = NULL; |
| | | |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c |
| | | --- a~/servconf.c 1970-01-01 00:00:00 |
| | | +++ a/servconf.c 1970-01-01 00:00:00 |
| | | @@ -192,6 +192,7 @@ initialize_server_options(ServerOptions |
| | | @@ -207,6 +207,7 @@ initialize_server_options(ServerOptions |
| | | */ |
| | | options->pam_service_per_authmethod = 1; |
| | | #endif |
| | |
| | | } |
| | | |
| | | /* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
| | | @@ -536,6 +537,7 @@ typedef enum { |
| | | @@ -543,6 +544,7 @@ typedef enum { |
| | | sStreamLocalBindMask, sStreamLocalBindUnlink, |
| | | sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
| | | sExposeAuthInfo, sRDomain, |
| | | sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, |
| | | + sPubKeyPlugin, |
| | | sDeprecated, sIgnore, sUnsupported |
| | | } ServerOpCodes; |
| | | |
| | | @@ -692,6 +694,7 @@ static struct { |
| | | @@ -709,6 +711,7 @@ static struct { |
| | | { "exposeauthinfo", sExposeAuthInfo, SSHCFG_ALL }, |
| | | { "rdomain", sRDomain, SSHCFG_ALL }, |
| | | { "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, |
| | | + { "pubkeyplugin", sPubKeyPlugin, SSHCFG_ALL }, |
| | | { "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, |
| | | { NULL, sBadOption, 0 } |
| | | }; |
| | | |
| | | @@ -2247,6 +2250,18 @@ process_server_config_line(ServerOptions |
| | | @@ -2506,6 +2509,18 @@ process_server_config_line_depth(ServerO |
| | | } |
| | | break; |
| | | |
| | |
| | | + * Can't use parse_filename, as we need to support plain |
| | | + * names which dlopen will find on our lib path. |
| | | + */ |
| | | + arg = strdelim(&cp); |
| | | + arg = strdelim(&str); |
| | | + if (!arg || *arg == '\0') |
| | | + fatal("%s line %d: missing file name.", |
| | | + filename, linenum); |
| | |
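Review bot: The new `pubkeyplugin` keyword is registered with SSHCFG_ALL while the neighbouring `securitykeyprovider` entry is SSHCFG_GLOBAL; since the comment at the top of the parse case says bare names are resolved by dlopen through the library search path, the plugin is effectively a process-wide choice, and unless selecting a different plugin per Match block is intended, `{ "pubkeyplugin", sPubKeyPlugin, SSHCFG_GLOBAL },` keeps it out of Match blocks. The parse case only rejects a missing argument; the fact that a relative or bare name is resolved by the runtime linker rather than from a fixed directory is worth stating in the sshd_config.5 entry for this keyword, which is not part of this section. The case body and process_server_config_line_depth continue outside the hunk.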
| | | diff -wpruN '--exclude=*.orig' a~/servconf.h a/servconf.h |
| | | --- a~/servconf.h 1970-01-01 00:00:00 |
| | | +++ a/servconf.h 1970-01-01 00:00:00 |
| | | @@ -220,6 +220,7 @@ typedef struct { |
| | | @@ -237,6 +237,7 @@ typedef struct { |
| | | |
| | | int fingerprint_hash; |
| | | int expose_userauth_info; |
| | | + char *pubkey_plugin; |
| | | u_int64_t timing_secret; |
| | | char *sk_provider; |
| | | } ServerOptions; |
| | | |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac |
| | | --- a~/configure.ac 1970-01-01 00:00:00 |
| | | +++ a/configure.ac 1970-01-01 00:00:00 |
| | | @@ -4318,6 +4318,11 @@ AC_ARG_WITH([kerberos5], |
| | | AC_PATH_TOOL([KRB5CONF], [krb5-config], |
| | | [$KRB5ROOT/bin/krb5-config], |
| | | [$KRB5ROOT/bin:$PATH]) |
| | | + # illumos has GSS but krb5-config doesn't talk about it |
| | | + # Fall back to regular probing for libs |
| | | + if uname -rs | grep 'SunOS 5.11' ; then |
| | | + KRB5CONF=nonexistent |
| | | + fi |
| | | if test -x $KRB5CONF ; then |
| | | K5CFLAGS="`$KRB5CONF --cflags`" |
| | | K5LIBS="`$KRB5CONF --libs`" |
| | | @@ -4359,7 +4364,7 @@ AC_ARG_WITH([kerberos5], |
| | | AC_CHECK_LIB([des], [des_cbc_encrypt], |
| | | [K5LIBS="$K5LIBS -ldes"]) |
| | | ], [ AC_MSG_RESULT([no]) |
| | | - K5LIBS="-lkrb5 -lk5crypto -lcom_err" |
| | | + K5LIBS="-lkrb5" |
| | | ]) |
| | | AC_SEARCH_LIBS([dn_expand], [resolv]) |
| | | @@ -4697,6 +4697,11 @@ AC_ARG_WITH([kerberos5], |
| | | AC_PATH_TOOL([KRB5CONF], [krb5-config], |
| | | [$KRB5ROOT/bin/krb5-config], |
| | | [$KRB5ROOT/bin:$PATH]) |
| | | + # illumos has GSS but krb5-config doesn't talk about it |
| | | + # Fall back to regular probing for libs |
| | | + if uname -rs | grep 'SunOS 5.11' ; then |
| | | + KRB5CONF=nonexistent |
| | | + fi |
| | | if test -x $KRB5CONF ; then |
| | | K5CFLAGS="`$KRB5CONF --cflags`" |
| | | K5LIBS="`$KRB5CONF --libs`" |
| | | @@ -4738,7 +4743,7 @@ AC_ARG_WITH([kerberos5], |
| | | AC_CHECK_LIB([des], [des_cbc_encrypt], |
| | | [K5LIBS="$K5LIBS -ldes"]) |
| | | ], [ AC_MSG_RESULT([no]) |
| | | - K5LIBS="-lkrb5 -lk5crypto -lcom_err" |
| | | + K5LIBS="-lkrb5" |
| | | ]) |
| | | AC_SEARCH_LIBS([dn_expand], [resolv]) |
| | | |
| | |
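Review bot: The illumos fallback runs `grep` without `-q`, so the matching `uname -rs` line is echoed into the configure output each run, and it keys the decision off the build host rather than the configure target; `if uname -rs | grep -q 'SunOS 5.11'; then` quiets it, and testing `$host_os` would be the cross-compile-safe form if that ever matters for this build. The same block appears twice in this section (hunk offsets 4318 and 4697), which looks like the old and new positions of one insertion rather than two separate insertions, but the rendering does not make that certain. The `K5LIBS="-lkrb5"` change in the `no` branch drops `-lk5crypto -lcom_err`; a one-line comment naming why those are unnecessary on this platform would save the next refresh from re-adding them.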
| | | diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c |
| | | --- a~/servconf.c 1970-01-01 00:00:00 |
| | | +++ a/servconf.c 1970-01-01 00:00:00 |
| | | @@ -36,6 +36,7 @@ |
| | | @@ -37,6 +37,7 @@ |
| | | #include <unistd.h> |
| | | #include <limits.h> |
| | | #include <stdarg.h> |
| | |
| | | #include <errno.h> |
| | | #ifdef HAVE_UTIL_H |
| | | #include <util.h> |
| | | @@ -202,6 +203,64 @@ option_clear_or_none(const char *o) |
| | | @@ -217,6 +218,64 @@ option_clear_or_none(const char *o) |
| | | return o == NULL || strcasecmp(o, "none") == 0; |
| | | } |
| | | |
| | |
| | | static void |
| | | assemble_algorithms(ServerOptions *o) |
| | | { |
| | | @@ -296,6 +355,8 @@ fill_default_server_options(ServerOption |
| | | @@ -297,6 +356,8 @@ fill_default_server_options(ServerOption |
| | | options->use_pam = 0; |
| | | #endif |
| | | |
| | |
| | | /* Standard Options */ |
| | | if (options->num_host_key_files == 0) { |
| | | /* fill default hostkeys for protocols */ |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.4 a/sshd_config.4 |
| | | --- a~/sshd_config.4 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.4 1970-01-01 00:00:00 |
| | | @@ -1177,7 +1177,13 @@ Specifies the maximum number of authenti |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5 |
| | | --- a~/sshd_config.5 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.5 1970-01-01 00:00:00 |
| | | @@ -1238,7 +1238,14 @@ Specifies the maximum number of authenti |
| | | connection. |
| | | Once the number of failures reaches half this value, |
| | | additional failures are logged. |
| | |
| | | +The default is 6, or the value given by |
| | | +.Dq RETRIES= |
| | | +in the file |
| | | +.Dq /etc/default/login , |
| | | +if available (see |
| | | +.Pa /etc/default/login , |
| | | +if available |
| | | +.Po see |
| | | +.Xr login 1 |
| | | +). |
| | | +.Pc . |
| | | .It Cm MaxSessions |
| | | Specifies the maximum number of open shell, login or subsystem (e.g. sftp) |
| | | sessions permitted per network connection. |
| | | @@ -1228,7 +1234,14 @@ The default is |
| | | @@ -1313,7 +1320,14 @@ The default is |
| | | When password authentication is allowed, it specifies whether the |
| | | server allows login to accounts with empty password strings. |
| | | The default is |
| | |
| | | +unless |
| | | +.Dq PASSREQ=YES |
| | | +is present in |
| | | +.Dq /etc/default/login |
| | | +(see |
| | | +.Pa /etc/default/login |
| | | +.Po see |
| | | +.Xr login 1 |
| | | +). |
| | | +.Pc . |
| | | .It Cm PermitListen |
| | | Specifies the addresses/ports on which a remote TCP port forwarding may listen. |
| | | The listen specification must be one of the following forms: |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/compat.c a/compat.c |
| | | --- a~/compat.c 1970-01-01 00:00:00 |
| | | +++ a/compat.c 1970-01-01 00:00:00 |
| | | @@ -54,8 +54,12 @@ compat_datafellows(const char *version) |
| | | @@ -52,8 +52,12 @@ compat_banner(struct ssh *ssh, const cha |
| | | "OpenSSH_3.1*", SSH_BUG_EXTEOF|SSH_OLD_FORWARD_ADDR| |
| | | SSH_BUG_SIGTYPE}, |
| | | { "OpenSSH_3.*", SSH_OLD_FORWARD_ADDR|SSH_BUG_SIGTYPE }, |
| | |
| | | { "OpenSSH_2*," |
| | | "OpenSSH_3*," |
| | | "OpenSSH_4*", SSH_BUG_SIGTYPE }, |
| | | @@ -211,6 +215,31 @@ compat_pkalg_proposal(char *pkalg_prop) |
| | | @@ -184,6 +188,31 @@ compat_pkalg_proposal(struct ssh *ssh, c |
| | | return pkalg_prop; |
| | | } |
| | | |
| | |
| | | +} |
| | | + |
| | | char * |
| | | compat_kex_proposal(char *p) |
| | | compat_kex_proposal(struct ssh *ssh, char *p) |
| | | { |
| | | @@ -226,6 +255,8 @@ compat_kex_proposal(char *p) |
| | | @@ -199,6 +228,8 @@ compat_kex_proposal(struct ssh *ssh, cha |
| | | "diffie-hellman-group-exchange-sha256," |
| | | "diffie-hellman-group-exchange-sha1")) == NULL) |
| | | fatal("match_filter_blacklist failed"); |
| | | fatal("match_filter_denylist failed"); |
| | | + p = append_proposal(p, "diffie-hellman-group14-sha1"); |
| | | + p = append_proposal(p, "diffie-hellman-group1-sha1"); |
| | | } |
| | | debug2("%s: compat KEX proposal: %s", __func__, p); |
| | | debug2_f("compat KEX proposal: %s", p); |
| | | if (*p == '\0') |
| | |
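Review bot: The compat KEX path appends `diffie-hellman-group1-sha1`, a 1024-bit group that upstream OpenSSH removed from its default proposal, next to group14-sha1, and nothing in the hunk says which peers trigger it because the enclosing `if` in compat_kex_proposal starts outside the hunk. A comment such as `/* Solaris compat: re-offer the SHA-1 DH groups for legacy peers that negotiate nothing newer */` above the two `append_proposal` calls should state the intent and ideally name the peer pattern it serves; if group14-sha1 alone satisfies those peers, dropping the group1 line removes the weakest group from the negotiation. compat_kex_proposal continues outside the hunk.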
| | | diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c |
| | | --- a~/servconf.c 1970-01-01 00:00:00 |
| | | +++ a/servconf.c 1970-01-01 00:00:00 |
| | | @@ -161,7 +161,7 @@ initialize_server_options(ServerOptions |
| | | @@ -175,7 +175,7 @@ initialize_server_options(ServerOptions |
| | | options->client_alive_interval = -1; |
| | | options->client_alive_count_max = -1; |
| | | options->num_authkeys_files = 0; |
| | |
| | | options->num_setenv = 0; |
| | | options->permit_tun = -1; |
| | | options->permitted_opens = NULL; |
| | | @@ -472,6 +472,33 @@ fill_default_server_options(ServerOption |
| | | @@ -486,6 +486,33 @@ fill_default_server_options(ServerOption |
| | | options->max_sessions = DEFAULT_SESSIONS_MAX; |
| | | if (options->use_dns == -1) |
| | | options->use_dns = 0; |
| | | + if (options->num_accept_env == -1) { |
| | | + options->num_accept_env = 0; |
| | | + array_append("[default]", 0, "AcceptEnv", |
| | | + opt_array_append("[default]", 0, "AcceptEnv", |
| | | + &options->accept_env, &options->num_accept_env, |
| | | + "LANG"); |
| | | + array_append("[default]", 0, "AcceptEnv", |
| | | + opt_array_append("[default]", 0, "AcceptEnv", |
| | | + &options->accept_env, &options->num_accept_env, |
| | | + "LC_ALL"); |
| | | + array_append("[default]", 0, "AcceptEnv", |
| | | + opt_array_append("[default]", 0, "AcceptEnv", |
| | | + &options->accept_env, &options->num_accept_env, |
| | | + "LC_CTYPE"); |
| | | + array_append("[default]", 0, "AcceptEnv", |
| | | + opt_array_append("[default]", 0, "AcceptEnv", |
| | | + &options->accept_env, &options->num_accept_env, |
| | | + "LC_COLLATE"); |
| | | + array_append("[default]", 0, "AcceptEnv", |
| | | + opt_array_append("[default]", 0, "AcceptEnv", |
| | | + &options->accept_env, &options->num_accept_env, |
| | | + "LC_TIME"); |
| | | + array_append("[default]", 0, "AcceptEnv", |
| | | + opt_array_append("[default]", 0, "AcceptEnv", |
| | | + &options->accept_env, &options->num_accept_env, |
| | | + "LC_NUMERIC"); |
| | | + array_append("[default]", 0, "AcceptEnv", |
| | | + opt_array_append("[default]", 0, "AcceptEnv", |
| | | + &options->accept_env, &options->num_accept_env, |
| | | + "LC_MONETARY"); |
| | | + array_append("[default]", 0, "AcceptEnv", |
| | | + opt_array_append("[default]", 0, "AcceptEnv", |
| | | + &options->accept_env, &options->num_accept_env, |
| | | + "LC_MESSAGES"); |
| | | + } |
| | | if (options->client_alive_interval == -1) |
| | | options->client_alive_interval = 0; |
| | | if (options->client_alive_count_max == -1) |
| | | @@ -1974,8 +2001,12 @@ process_server_config_line(ServerOptions |
| | | if (strchr(arg, '=') != NULL) |
| | | @@ -2124,8 +2151,12 @@ process_server_config_line_depth(ServerO |
| | | if (*arg == '\0' || strchr(arg, '=') != NULL) |
| | | fatal("%s line %d: Invalid environment name.", |
| | | filename, linenum); |
| | | + if (options->num_accept_env == -1) |
| | |
| | | continue; |
| | | + if (strcmp(arg, "none") == 0) |
| | | + continue; |
| | | array_append(filename, linenum, "AcceptEnv", |
| | | opt_array_append(filename, linenum, keyword, |
| | | &options->accept_env, &options->num_accept_env, |
| | | arg); |
| | | @@ -2489,7 +2520,7 @@ copy_set_server_options(ServerOptions *d |
| | | @@ -2774,7 +2805,7 @@ copy_set_server_options(ServerOptions *d |
| | | } while(0) |
| | | #define M_CP_STRARRAYOPT(s, num_s) do {\ |
| | | u_int i; \ |
| | |
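Review bot: The eight back-to-back `opt_array_append` calls in fill_default_server_options differ only in the variable name; a static table and a loop express the same default in a third of the lines and make adding another LC_* variable a one-token change. Since upstream's default is to accept no client environment variables, the block also deserves a comment saying the locale set is a deliberate platform default (the sshd_config.5 text in this commit explains it, the code does not). The `none` handling at the AcceptEnv parse site and both enclosing functions continue outside their hunks.
```c
	if (options->num_accept_env == -1) {
		/* Platform default: accept the locale variables; upstream accepts none. */
		static const char *default_accept_env[] = {
			"LANG", "LC_ALL", "LC_CTYPE", "LC_COLLATE", "LC_TIME",
			"LC_NUMERIC", "LC_MONETARY", "LC_MESSAGES"
		};
		size_t i;

		options->num_accept_env = 0;
		for (i = 0; i < sizeof(default_accept_env) /
		    sizeof(default_accept_env[0]); i++)
			opt_array_append("[default]", 0, "AcceptEnv",
			    &options->accept_env, &options->num_accept_env,
			    default_accept_env[i]);
	}
	/* … unchanged: client_alive defaults … */
```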
| | | diff -wpruN '--exclude=*.orig' a~/session.c a/session.c |
| | | --- a~/session.c 1970-01-01 00:00:00 |
| | | +++ a/session.c 1970-01-01 00:00:00 |
| | | @@ -848,6 +848,18 @@ check_quietlogin(Session *s, const char |
| | | @@ -843,6 +843,18 @@ check_quietlogin(Session *s, const char |
| | | } |
| | | |
| | | /* |
| | |
| | | * Reads environment variables from the given file and adds/overrides them |
| | | * into the environment. If the file does not exist, this does nothing. |
| | | * Otherwise, it must consist of empty lines, comments (line starts with '#') |
| | | @@ -1027,6 +1039,16 @@ do_setup_env(struct ssh *ssh, Session *s |
| | | @@ -1026,6 +1038,16 @@ do_setup_env(struct ssh *ssh, Session *s |
| | | ssh_gssapi_do_child(&env, &envsize); |
| | | #endif |
| | | |
| | |
| | | /* Set basic environment. */ |
| | | for (i = 0; i < s->num_env; i++) |
| | | child_set_env(&env, &envsize, s->env[i].name, s->env[i].val); |
| | | @@ -1070,8 +1092,7 @@ do_setup_env(struct ssh *ssh, Session *s |
| | | @@ -1069,8 +1091,7 @@ do_setup_env(struct ssh *ssh, Session *s |
| | | /* Normal systems set SHELL by default. */ |
| | | child_set_env(&env, &envsize, "SHELL", shell); |
| | | |
| | |
| | | # Authentication: |
| | | |
| | | #LoginGraceTime 2m |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.4 a/sshd_config.4 |
| | | --- a~/sshd_config.4 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.4 1970-01-01 00:00:00 |
| | | @@ -86,7 +86,18 @@ directives. |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5 |
| | | --- a~/sshd_config.5 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.5 1970-01-01 00:00:00 |
| | | @@ -86,7 +86,20 @@ directives. |
| | | Be warned that some environment variables could be used to bypass restricted |
| | | user environments. |
| | | For this reason, care should be taken in the use of this directive. |
| | |
| | | +family of environment variables. If any |
| | | +.Cm AcceptEnv |
| | | +directives are present in your config file, they will replace this default |
| | | +(ie, only the variables you list will be passed into the session's |
| | | +.Po |
| | | +ie, only the variables you list will be passed into the session's |
| | | +.Xr environ 7 |
| | | +). You can also use an argument of |
| | | +.Pc . |
| | | +You can also use an argument of |
| | | +.Dq none |
| | | +to specify that no environment variables should be passed. |
| | | .It Cm AddressFamily |
| | |
| | | From accb8ef16ca7b9273135ffb4cdc040383f87bfb9 Mon Sep 17 00:00:00 2001 |
| | | From: Alex Wilson <alex.wilson@joyent.com> |
| | | Date: Wed, 16 Sep 2015 10:54:13 -0700 |
| | | Subject: [PATCH 31/34] Restore tcpwrappers/libwrap support |
| | | |
| | | This reverts commit f9696566fb41320820f3b257ab564fa321bb3751 |
| | | and commit f2719b7c2b8a3b14d778d8a6d8dc729b5174b054. |
| | | --- |
| | | configure.ac | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| | | sshd.1m | 7 +++++++ |
| | | sshd.c | 29 +++++++++++++++++++++++++++++ |
| | | 3 files changed, 93 insertions(+) |
| | | |
| | | diff -wpruN '--exclude=*.orig' a~/configure.ac a/configure.ac |
| | | --- a~/configure.ac 1970-01-01 00:00:00 |
| | | +++ a/configure.ac 1970-01-01 00:00:00 |
| | | @@ -1500,6 +1500,62 @@ else |
| | | @@ -1602,6 +1602,62 @@ else |
| | | AC_MSG_RESULT([no]) |
| | | fi |
| | | |
| | |
| | | # Check whether user wants to use ldns |
| | | LDNS_MSG="no" |
| | | AC_ARG_WITH(ldns, |
| | | @@ -5233,6 +5289,7 @@ echo " PAM support |
| | | @@ -5608,6 +5664,7 @@ echo " PAM support |
| | | echo " OSF SIA support: $SIA_MSG" |
| | | echo " KerberosV support: $KRB5_MSG" |
| | | echo " SELinux support: $SELINUX_MSG" |
| | | +echo " TCP Wrappers support: $TCPW_MSG" |
| | | echo " MD5 password support: $MD5_MSG" |
| | | echo " libedit support: $LIBEDIT_MSG" |
| | | echo " libldns support: $LDNS_MSG" |
| | | diff -wpruN '--exclude=*.orig' a~/sshd.1m a/sshd.1m |
| | | --- a~/sshd.1m 1970-01-01 00:00:00 |
| | | +++ a/sshd.1m 1970-01-01 00:00:00 |
| | | @@ -873,6 +873,12 @@ the user's home directory becomes access |
| | | echo " Solaris process contract support: $SPC_MSG" |
| | | diff -wpruN '--exclude=*.orig' a~/sshd.8 a/sshd.8 |
| | | --- a~/sshd.8 1970-01-01 00:00:00 |
| | | +++ a/sshd.8 1970-01-01 00:00:00 |
| | | @@ -908,6 +908,12 @@ the user's home directory becomes access |
| | | This file should be writable only by the user, and need not be |
| | | readable by anyone else. |
| | | .Pp |
| | |
| | | .It Pa /etc/hosts.equiv |
| | | This file is for host-based authentication (see |
| | | .Xr ssh 1 ) . |
| | | @@ -1002,6 +1008,7 @@ Each SSHv2 userauth type has its own PAM |
| | | @@ -1037,6 +1043,7 @@ Each SSHv2 userauth type has its own PAM |
| | | .Xr ssh-keygen 1 , |
| | | .Xr ssh-keyscan 1 , |
| | | .Xr chroot 2 , |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/sshd.c a/sshd.c |
| | | --- a~/sshd.c 1970-01-01 00:00:00 |
| | | +++ a/sshd.c 1970-01-01 00:00:00 |
| | | @@ -123,6 +123,17 @@ |
| | | #include "version.h" |
| | | #include "ssherr.h" |
| | | @@ -129,6 +129,17 @@ |
| | | #include "srclimit.h" |
| | | #include "dh.h" |
| | | |
| | | +#ifdef LIBWRAP |
| | | +#include <tcpd.h> |
| | |
| | | /* Re-exec fds */ |
| | | #define REEXEC_DEVCRYPTO_RESERVED_FD (STDERR_FILENO + 1) |
| | | #define REEXEC_STARTUP_PIPE_FD (STDERR_FILENO + 2) |
| | | @@ -2076,6 +2087,24 @@ main(int ac, char **av) |
| | | @@ -2187,6 +2198,24 @@ main(int ac, char **av) |
| | | #ifdef SSH_AUDIT_EVENTS |
| | | audit_connection_from(ssh, remote_ip, remote_port); |
| | | #endif |
| | |
| | | diff -wpruN '--exclude=*.orig' a~/readconf.c a/readconf.c |
| | | --- a~/readconf.c 1970-01-01 00:00:00 |
| | | +++ a/readconf.c 1970-01-01 00:00:00 |
| | | @@ -2128,9 +2128,9 @@ fill_default_options(Options * options) |
| | | @@ -2633,9 +2633,9 @@ fill_default_options(Options * options) |
| | | if (options->visual_host_key == -1) |
| | | options->visual_host_key = 0; |
| | | if (options->ip_qos_interactive == -1) |
| | |
| | | + options->ip_qos_bulk = IPTOS_THROUGHPUT; |
| | | if (options->request_tty == -1) |
| | | options->request_tty = REQUEST_TTY_AUTO; |
| | | if (options->proxy_use_fdpass == -1) |
| | | if (options->session_type == -1) |
| | | diff -wpruN '--exclude=*.orig' a~/servconf.c a/servconf.c |
| | | --- a~/servconf.c 1970-01-01 00:00:00 |
| | | +++ a/servconf.c 1970-01-01 00:00:00 |
| | | @@ -516,9 +516,9 @@ fill_default_server_options(ServerOption |
| | | @@ -530,9 +530,9 @@ fill_default_server_options(ServerOption |
| | | if (options->permit_tun == -1) |
| | | options->permit_tun = SSH_TUNMODE_NO; |
| | | if (options->ip_qos_interactive == -1) |
| | |
| | | if (options->version_addendum == NULL) |
| | | options->version_addendum = xstrdup(""); |
| | | |
| | | diff -wpruN '--exclude=*.orig' a~/ssh_config.4 a/ssh_config.4 |
| | | --- a~/ssh_config.4 1970-01-01 00:00:00 |
| | | +++ a/ssh_config.4 1970-01-01 00:00:00 |
| | | @@ -1037,11 +1037,9 @@ If one argument is specified, it is used |
| | | diff -wpruN '--exclude=*.orig' a~/ssh_config.5 a/ssh_config.5 |
| | | --- a~/ssh_config.5 1970-01-01 00:00:00 |
| | | +++ a/ssh_config.5 1970-01-01 00:00:00 |
| | | @@ -1131,11 +1131,9 @@ If one argument is specified, it is used |
| | | If two values are specified, the first is automatically selected for |
| | | interactive sessions and the second for non-interactive sessions. |
| | | The default is |
| | |
| | | for non-interactive sessions. |
| | | .It Cm KbdInteractiveAuthentication |
| | | Specifies whether to use keyboard-interactive authentication. |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.4 a/sshd_config.4 |
| | | --- a~/sshd_config.4 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.4 1970-01-01 00:00:00 |
| | | @@ -847,11 +847,9 @@ If one argument is specified, it is used |
| | | diff -wpruN '--exclude=*.orig' a~/sshd_config.5 a/sshd_config.5 |
| | | --- a~/sshd_config.5 1970-01-01 00:00:00 |
| | | +++ a/sshd_config.5 1970-01-01 00:00:00 |
| | | @@ -882,11 +882,9 @@ If one argument is specified, it is used |
| | | If two values are specified, the first is automatically selected for |
| | | interactive sessions and the second for non-interactive sessions. |
| | | The default is |
| | |
| | | |
| | | This backs out: |
| | | |
| | | https://github.com/openssh/openssh-portable/commit/e3e62deb549fde215b777d |
| | | use libc SHA256 functions |
| | | |
| | | Since the way that it works around a conflict between libc and openssl's |
| | | SHA256/512 functions only works with openssl 1.0 |
| | | |
| | | diff -wpruN '--exclude=*.orig' a~/regress/misc/sk-dummy/sk-dummy.c a/regress/misc/sk-dummy/sk-dummy.c |
| | | --- a~/regress/misc/sk-dummy/sk-dummy.c 1970-01-01 00:00:00 |
| | | +++ a/regress/misc/sk-dummy/sk-dummy.c 1970-01-01 00:00:00 |
| | | @@ -24,9 +24,6 @@ |
| | | #include <stdio.h> |
| | | #include <stddef.h> |
| | | #include <stdarg.h> |
| | | -#ifdef HAVE_SHA2_H |
| | | -#include <sha2.h> |
| | | -#endif |
| | | |
| | | #include "crypto_api.h" |
| | | #include "sk-api.h" |
| | | @@ -36,9 +33,6 @@ |
| | | #endif |
| | | |
| | | #ifdef WITH_OPENSSL |
| | | -/* We don't use sha2 from OpenSSL and they can conflict with system sha2.h */ |
| | | -#define OPENSSL_NO_SHA |
| | | -#define USE_LIBC_SHA2 /* NetBSD 9 */ |
| | | #include <openssl/opensslv.h> |
| | | #include <openssl/crypto.h> |
| | | #include <openssl/evp.h> |
| | | @@ -326,7 +320,7 @@ sig_ecdsa(const uint8_t *message, size_t |
| | | BIO *bio = NULL; |
| | | EVP_PKEY *pk = NULL; |
| | | EC_KEY *ec = NULL; |
| | | - SHA2_CTX ctx; |
| | | + SHA256_CTX ctx; |
| | | uint8_t apphash[SHA256_DIGEST_LENGTH]; |
| | | uint8_t sighash[SHA256_DIGEST_LENGTH]; |
| | | uint8_t countbuf[4]; |
| | | @@ -356,9 +350,9 @@ sig_ecdsa(const uint8_t *message, size_t |
| | | } |
| | | /* Prepare data to be signed */ |
| | | dump("message", message, message_len); |
| | | - SHA256Init(&ctx); |
| | | - SHA256Update(&ctx, (const u_char *)application, strlen(application)); |
| | | - SHA256Final(apphash, &ctx); |
| | | + SHA256_Init(&ctx); |
| | | + SHA256_Update(&ctx, (const u_char *)application, strlen(application)); |
| | | + SHA256_Final(apphash, &ctx); |
| | | dump("apphash", apphash, sizeof(apphash)); |
| | | countbuf[0] = (counter >> 24) & 0xff; |
| | | countbuf[1] = (counter >> 16) & 0xff; |
| | | @@ -366,12 +360,12 @@ sig_ecdsa(const uint8_t *message, size_t |
| | | countbuf[3] = counter & 0xff; |
| | | dump("countbuf", countbuf, sizeof(countbuf)); |
| | | dump("flags", &flags, sizeof(flags)); |
| | | - SHA256Init(&ctx); |
| | | - SHA256Update(&ctx, apphash, sizeof(apphash)); |
| | | - SHA256Update(&ctx, &flags, sizeof(flags)); |
| | | - SHA256Update(&ctx, countbuf, sizeof(countbuf)); |
| | | - SHA256Update(&ctx, message, message_len); |
| | | - SHA256Final(sighash, &ctx); |
| | | + SHA256_Init(&ctx); |
| | | + SHA256_Update(&ctx, apphash, sizeof(apphash)); |
| | | + SHA256_Update(&ctx, &flags, sizeof(flags)); |
| | | + SHA256_Update(&ctx, countbuf, sizeof(countbuf)); |
| | | + SHA256_Update(&ctx, message, message_len); |
| | | + SHA256_Final(sighash, &ctx); |
| | | dump("sighash", sighash, sizeof(sighash)); |
| | | /* create and encode signature */ |
| | | if ((sig = ECDSA_do_sign(sighash, sizeof(sighash), ec)) == NULL) { |
| | | @@ -417,7 +411,7 @@ sig_ed25519(const uint8_t *message, size |
| | | { |
| | | size_t o; |
| | | int ret = -1; |
| | | - SHA2_CTX ctx; |
| | | + SHA256_CTX ctx; |
| | | uint8_t apphash[SHA256_DIGEST_LENGTH]; |
| | | uint8_t signbuf[sizeof(apphash) + sizeof(flags) + |
| | | sizeof(counter) + SHA256_DIGEST_LENGTH]; |
| | | @@ -435,9 +429,9 @@ sig_ed25519(const uint8_t *message, size |
| | | } |
| | | /* Prepare data to be signed */ |
| | | dump("message", message, message_len); |
| | | - SHA256Init(&ctx); |
| | | - SHA256Update(&ctx, (const u_char *)application, strlen(application)); |
| | | - SHA256Final(apphash, &ctx); |
| | | + SHA256_Init(&ctx); |
| | | + SHA256_Update(&ctx, (const u_char *)application, strlen(application)); |
| | | + SHA256_Final(apphash, &ctx); |
| | | dump("apphash", apphash, sizeof(apphash)); |
| | | |
| | | memcpy(signbuf, apphash, sizeof(apphash)); |
| | | @@ -495,7 +489,7 @@ sk_sign(uint32_t alg, const uint8_t *dat |
| | | { |
| | | struct sk_sign_response *response = NULL; |
| | | int ret = SSH_SK_ERR_GENERAL; |
| | | - SHA2_CTX ctx; |
| | | + SHA256_CTX ctx; |
| | | uint8_t message[32]; |
| | | |
| | | if (sign_response == NULL) { |
| | | @@ -509,9 +503,9 @@ sk_sign(uint32_t alg, const uint8_t *dat |
| | | skdebug(__func__, "calloc response failed"); |
| | | goto out; |
| | | } |
| | | - SHA256Init(&ctx); |
| | | - SHA256Update(&ctx, data, datalen); |
| | | - SHA256Final(message, &ctx); |
| | | + SHA256_Init(&ctx); |
| | | + SHA256_Update(&ctx, data, datalen); |
| | | + SHA256_Final(message, &ctx); |
| | | response->flags = flags; |
| | | response->counter = 0x12345678; |
| | | switch(alg) { |
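Review bot: The restored call sites in sig_ecdsa, sig_ed25519 and sk_sign go back to OpenSSL's low-level SHA256_Init/SHA256_Update/SHA256_Final, which OpenSSL 3.0 marks deprecated, so this patch will have to be reworked again at the next OpenSSL bump if deprecation warnings are treated as errors. The EVP digest interface (EVP_MD_CTX_new, EVP_DigestInit_ex with EVP_sha256(), EVP_DigestUpdate, EVP_DigestFinal_ex) is available in the openssl-11 this package already depends on, works unchanged on 3.0, and does not reference the SHA256_CTX/SHA2_CTX names that clash with the system sha2.h, so it may be possible to keep upstream's sha2.h/OPENSSL_NO_SHA lines as they are and drop this backout patch entirely. The sk_sign variant is shown below; sig_ecdsa and sig_ed25519 follow the same shape, with the `SHA256_CTX ctx;` locals removed. This is the regress sk-dummy helper rather than shipped sshd code, so the exposure is build breakage, not a runtime issue.
```c
	/* … unchanged: response allocation and error check … */
	{
		EVP_MD_CTX *mdctx = EVP_MD_CTX_new();

		if (mdctx == NULL ||
		    EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) != 1 ||
		    EVP_DigestUpdate(mdctx, data, datalen) != 1 ||
		    EVP_DigestFinal_ex(mdctx, message, NULL) != 1) {
			EVP_MD_CTX_free(mdctx);
			skdebug(__func__, "sha256 of data failed");
			goto out;
		}
		EVP_MD_CTX_free(mdctx);
	}
	response->flags = flags;
	/* … unchanged: counter assignment and alg switch … */
```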
| | |
| | | "dependencies": [ |
| | | "SUNWcs", |
| | | "library/libedit", |
| | | "library/security/openssl", |
| | | "library/security/openssl-11", |
| | | "library/zlib", |
| | | "service/security/kerberos-5", |
| | | "shell/bash", |
| | | "shell/ksh93", |
| | | "system/library", |
| | | "system/library/g++-7-runtime", |
| | | "system/library/gcc-7-runtime", |
| | |
| | | # |
| | | # When distributing Covered Code, include this CDDL HEADER in each |
| | | # file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
| | | # If applicable, add the following below this CDDL HEADER, with the |
| | | # fields enclosed by brackets "[]" replaced with your own identifying |
| | | # If applicable, add the following below this CDDL HEADER, with # fields enclosed by brackets "[]" replaced with your own identifying |
| | | # information: Portions Copyright [yyyy] [name of copyright owner] |
| | | # |
| | | # CDDL HEADER END |
| | |
| | | # Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. |
| | | # |
| | | |
| | | set name=pkg.fmri value=pkg:/service/network/ssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) |
| | | set name=pkg.fmri value=pkg:/service/$(COMPONENT_FMRI)@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) |
| | | set name=pkg.summary value="OpenSSH servers and SSH (Secure Shell) services" |
| | | set name=pkg.human-version value=$(HUMAN_VERSION) |
| | | set name=info.classification \ |
| | |
| | | value=org.opensolaris.category.2008:System/Security |
| | | set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) |
| | | set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) |
| | | set name=org.opensolaris.arc-caseid value=PSARC/2012/335 |
| | | set name=org.opensolaris.consolidation value=$(CONSOLIDATION) |
| | | |
| | | license $(COMPONENT_LICENSE_FILE) license='$(COMPONENT_LICENSE)' |
| | | |
| | | dir path=var/empty owner=root group=sys mode=0755 sysattr=readonly |
| | | |
| | | group groupname=sshd gid=22 |
| | | user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \ |
| | | home-dir=/var/empty login-shell=/bin/false uid=22 |
| | | |
| | | depend type=require fmri=pkg:/network/ssh |
| | | |
| | | # We have to preserve original_name as file was once moved to |
| | | # ssh-common and back again |
| | |
| | | file path=usr/lib/ssh/ssh-keysign mode=4555 |
| | | file path=usr/lib/ssh/ssh-pkcs11-helper mode=0555 |
| | | file path=usr/lib/ssh/sshd mode=0555 |
| | | file path=usr/share/man/man1m/sftp-server.1m |
| | | file path=usr/share/man/man1m/ssh-keysign.1m |
| | | file path=usr/share/man/man1m/ssh-pkcs11-helper.1m |
| | | file path=usr/share/man/man1m/sshd.1m |
| | | link path=usr/share/man/man4/authorized_keys.4 target=../man1m/sshd.1m |
| | | file path=usr/share/man/man4/moduli.4 |
| | | file path=usr/share/man/man4/sshd_config.4 |
| | | |
| | | dir path=var/empty owner=root group=sys mode=0755 sysattr=readonly |
| | | |
| | | group groupname=sshd gid=22 |
| | | user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \ |
| | | home-dir=/var/empty login-shell=/bin/false uid=22 |
| | | |
| | | depend type=require fmri=pkg:/network/ssh |
| | | file path=usr/share/man/man8/sftp-server.8 |
| | | file path=usr/share/man/man8/ssh-keysign.8 |
| | | file path=usr/share/man/man8/ssh-pkcs11-helper.8 |
| | | file path=usr/share/man/man8/sshd.8 |
| | | link path=usr/share/man/man4/authorized_keys.5 target=../man8/sshd.8 |
| | | file path=usr/share/man/man5/moduli.5 |
| | | file path=usr/share/man/man5/sshd_config.5 |
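Review bot: The authorized_keys link changes section in its filename but keeps the old directory: `link path=usr/share/man/man4/authorized_keys.5 target=../man8/sshd.8` delivers a `.5` page under man4, while moduli.5 and sshd_config.5 on the following lines were moved to man5, so `man authorized_keys` will not resolve through the man5 section like the pages it sits beside. The line should read `link path=usr/share/man/man5/authorized_keys.5 target=../man8/sshd.8`. The dir/group/user/depend block is shown twice in this view; that looks like a reorder rendered as remove-plus-add rather than a real duplicate, but it is worth confirming the final manifest carries each action once.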
| | |
| | | # |
| | | # CDDL HEADER START |
| | | # This file and its contents are supplied under the terms of the |
| | | # Common Development and Distribution License ("CDDL"), version 1.0. |
| | | # You may only use this file in accordance with the terms of version |
| | | # 1.0 of the CDDL. |
| | | # |
| | | # The contents of this file are subject to the terms of the |
| | | # Common Development and Distribution License (the "License"). |
| | | # You may not use this file except in compliance with the License. |
| | | # A full copy of the text of the CDDL should have accompanied this |
| | | # source. A copy of the CDDL is also available via the Internet at |
| | | # http://www.illumos.org/license/CDDL. |
| | | # |
| | | # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE |
| | | # or http://www.opensolaris.org/os/licensing. |
| | | # See the License for the specific language governing permissions |
| | | # and limitations under the License. |
| | | # |
| | | # When distributing Covered Code, include this CDDL HEADER in each |
| | | # file and include the License file at usr/src/OPENSOLARIS.LICENSE. |
| | | # If applicable, add the following below this CDDL HEADER, with the |
| | | # fields enclosed by brackets "[]" replaced with your own identifying |
| | | # information: Portions Copyright [yyyy] [name of copyright owner] |
| | | # |
| | | # CDDL HEADER END |
| | | |
| | | # |
| | | # Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved. |
| | | # Copyright 2018 Till Wegmüller |
| | | # |
| | | |
| | | set name=pkg.fmri value=pkg:/network/ssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) |
| | | # A full copy of the text of the CDDL should have accompanied this |
| | | set name=pkg.fmri \ |
| | | value=pkg:/$(COMPONENT_FMRI)@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) |
| | | set name=pkg.summary value="OpenSSH client and associated utilities" |
| | | set name=pkg.summary value="$(COMPONENT_SUMMARY)" |
| | | set name=pkg.description \ |
| | | value="OpenSSH provides end-to-end encrypted replacement of applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including user name and password) over the wire in unencrypted form. OpenSSH provides the SSH known host mechanism which verifies that the system you connect to is really the one you intended to. OpenSSH provides secure tunneling capabilities and several authentication methods. It also supports forwarding X11 connections and arbitrary TCP ports over the secure channel." |
| | | set name=pkg.human-version value=$(HUMAN_VERSION) |
| | |
| | | value=org.opensolaris.category.2008:System/Security |
| | | set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) |
| | | set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) |
| | | set name=org.opensolaris.arc-caseid value=PSARC/2012/335 |
| | | set name=org.opensolaris.consolidation value=$(CONSOLIDATION) |
| | | |
| | | license $(COMPONENT_LICENSE_FILE) license='$(COMPONENT_LICENSE)' |
| | | |
| | | depend type=conditional fmri=pkg:/x11/session/xauth \ |
| | | predicate=pkg:/x11/library/libxau |
| | | |
| | | depend type=conditional fmri=pkg:/network/ssh-askpass \ |
| | | predicate=pkg:/x11/server/xserver-common |
| | | |
| | | # We have to preserve original_name as file was once moved to |
| | | # ssh-common and back again |
| | |
| | | file path=usr/bin/ssh |
| | | file path=usr/bin/ssh-add |
| | | file path=usr/bin/ssh-agent mode=2555 |
| | | file path=usr/bin/ssh-keyscan |
| | | file path=usr/bin/ssh-keygen |
| | | file path=usr/bin/ssh-copy-id |
| | | file path=usr/bin/ssh-keygen |
| | | file path=usr/bin/ssh-keyscan |
| | | file path=usr/share/man/man1/scp.1 |
| | | file path=usr/share/man/man1/sftp.1 |
| | | file path=usr/share/man/man1/ssh-add.1 |
| | | file path=usr/share/man/man1/ssh-agent.1 |
| | | file path=usr/share/man/man1/ssh-copy-id.1 |
| | | file path=usr/share/man/man1/ssh-keygen.1 |
| | | file path=usr/share/man/man1/ssh-keyscan.1 |
| | | file path=usr/share/man/man1/ssh.1 |
| | | file path=usr/share/man/man1/ssh-copy-id.1 |
| | | file path=usr/share/man/man4/ssh_config.4 |
| | | |
| | | depend type=conditional fmri=pkg:/x11/session/xauth \ |
| | | predicate=pkg:/x11/library/libxau |
| | | |
| | | depend type=conditional fmri=pkg:/network/ssh-askpass \ |
| | | predicate=pkg:/x11/server/xserver-common |
| | | file path=usr/share/man/man5/ssh_config.5 |