From owner-svn-src-head@FreeBSD.ORG Wed Apr 28 10:36:34 2010 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C0CB3106566C; Wed, 28 Apr 2010 10:36:34 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 399F68FC1A; Wed, 28 Apr 2010 10:36:34 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o3SAaYwc001953; Wed, 28 Apr 2010 10:36:34 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o3SAaXTB001927; Wed, 28 Apr 2010 10:36:33 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201004281036.o3SAaXTB001927@svn.freebsd.org> 
From: Dag-Erling Smorgrav Date: Wed, 28 Apr 2010 10:36:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r207319 - in head/crypto/openssh: . openbsd-compat X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Apr 2010 10:36:34 -0000 Author: des Date: Wed Apr 28 10:36:33 2010 New Revision: 207319 URL: http://svn.freebsd.org/changeset/base/207319 Log: Upgrade to OpenSSH 5.5p1. Modified: head/crypto/openssh/ChangeLog head/crypto/openssh/README head/crypto/openssh/auth-options.c head/crypto/openssh/auth2-pubkey.c head/crypto/openssh/channels.c head/crypto/openssh/clientloop.c head/crypto/openssh/config.h head/crypto/openssh/config.h.in head/crypto/openssh/defines.h head/crypto/openssh/key.c head/crypto/openssh/key.h head/crypto/openssh/loginrec.c head/crypto/openssh/logintest.c head/crypto/openssh/openbsd-compat/bsd-arc4random.c head/crypto/openssh/servconf.c head/crypto/openssh/session.c head/crypto/openssh/ssh-keygen.1 head/crypto/openssh/ssh-keygen.c head/crypto/openssh/ssh-pkcs11-helper.c head/crypto/openssh/ssh.1 head/crypto/openssh/ssh_config head/crypto/openssh/ssh_config.5 head/crypto/openssh/sshd_config head/crypto/openssh/sshd_config.5 head/crypto/openssh/version.h Directory Properties: head/crypto/openssh/ (props changed) Modified: head/crypto/openssh/ChangeLog ============================================================================== --- head/crypto/openssh/ChangeLog Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/ChangeLog Wed Apr 28 10:36:33 2010 (r207319) 
@@ -1,4 +1,120 @@ -20100307 +20100410 + - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo + back so we disable the IPv6 tests if we don't have it. + +20100409 + - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong + ones. Based on a patch from Roumen Petrov. + - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we + have it and the path is not provided to --with-libedit. Based on a patch + from Iain Morgan. + - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable + utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@ + +20100326 + - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection + for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson + - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally + by Ingo Weinhold via Scott McCreary, ok djm@ + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2010/03/25 23:38:28 + [servconf.c] + from portable: getcwd(NULL, 0) doesn't work on all platforms, so + use a stack buffer; ok dtucker@ + - djm@cvs.openbsd.org 2010/03/26 00:26:58 + [ssh.1] + mention that -S none disables connection sharing; from Colin Watson + - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms - + set up SELinux execution context before chroot() call. From Russell + Coker via Colin watson; bz#1726 ok dtucker@ + - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721 + ok dtucker@ + - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using + pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold). 
+ - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys; + bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@ + - (dtucker) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2010/03/26 01:06:13 + [ssh_config.5] + Reformat default value of PreferredAuthentications entry (current + formatting implies ", " is acceptable as a separator, which it's not. + ok djm@ + +20100324 + - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory + containing the services file explicitely case-insensitive. This allows to + tweak the Windows services file reliably. Patch from vinschen at redhat. + +20100321 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2010/03/08 09:41:27 + [ssh-keygen.1] + sort the list of constraints (to -O); ok djm + - jmc@cvs.openbsd.org 2010/03/10 07:40:35 + [ssh-keygen.1] + typos; from Ross Richardson + closes prs 6334 and 6335 + - djm@cvs.openbsd.org 2010/03/10 23:27:17 + [auth2-pubkey.c] + correct certificate logging and make it more consistent between + authorized_keys and TrustedCAKeys; ok markus@ + - djm@cvs.openbsd.org 2010/03/12 01:06:25 + [servconf.c] + unbreak AuthorizedKeys option with a $HOME-relative path; reported by + vinschen AT redhat.com, ok dtucker@ + - markus@cvs.openbsd.org 2010/03/12 11:37:40 + [servconf.c] + do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths + free() (not xfree()) the buffer returned by getcwd() + - djm@cvs.openbsd.org 2010/03/13 21:10:38 + [clientloop.c] + protocol conformance fix: send language tag when disconnecting normally; + spotted by 1.41421 AT gmail.com, ok markus@ deraadt@ + - djm@cvs.openbsd.org 2010/03/13 21:45:46 + [ssh-keygen.1] + Certificates are named *-cert.pub, not *_cert.pub; committing a diff + from stevesk@ ok me + - jmc@cvs.openbsd.org 2010/03/13 23:38:13 + [ssh-keygen.1] + fix a formatting error (args need quoted); noted by stevesk + - stevesk@cvs.openbsd.org 2010/03/15 19:40:02 + [key.c key.h ssh-keygen.c] + also print certificate type 
(user or host) for ssh-keygen -L + ok djm kettenis + - stevesk@cvs.openbsd.org 2010/03/16 15:46:52 + [auth-options.c] + spelling in error message. ok djm kettenis + - djm@cvs.openbsd.org 2010/03/16 16:36:49 + [version.h] + crank version to openssh-5.5 since we have a few fixes since 5.4; + requested deraadt@ kettenis@ + - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Crank version numbers + +20100314 + - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix + compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot + AT fefe.de + - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for + ssh-pkcs11-helper to repair static builds (we do the same for + ssh-keyscan). Reported by felix-mindrot AT fefe.de + +20100312 + - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir) + - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets. + Patch from Corinna Vinschen. + - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install + on a Cygwin installation. Patch from Corinna Vinschen. + +20100311 + - (tim) [contrib/suse/openssh.spec] crank version number here too. + report by imorgan AT nas.nasa.gov + +20100309 + - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO + so setting it in CFLAGS correctly skips IPv6 tests. + +20100428 - (djm) OpenBSD CVS Sync - djm@cvs.openbsd.org 2010/03/07 22:16:01 [ssh-keygen.c] Modified: head/crypto/openssh/README ============================================================================== --- head/crypto/openssh/README Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/README Wed Apr 28 10:36:33 2010 (r207319) 
@@ -1,4 +1,4 @@ -See http://www.openssh.com/txt/release-5.4 for the release notes. +See http://www.openssh.com/txt/release-5.5 for the release notes. - A Japanese translation of this document and of the OpenSSH FAQ is - available at http://www.unixuser.org/~haruyama/security/openssh/index.html @@ -62,4 +62,4 @@ References - [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9 [7] http://www.openssh.com/faq.html -$Id: README,v 1.72 2010/03/07 22:41:02 djm Exp $ +$Id: README,v 1.73 2010/03/21 19:11:55 djm Exp $ Modified: head/crypto/openssh/auth-options.c ============================================================================== --- head/crypto/openssh/auth-options.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/auth-options.c Wed Apr 28 10:36:33 2010 (r207319) @@ -1,4 +1,4 @@ -/* $OpenBSD: auth-options.c,v 1.48 2010/03/07 11:57:13 dtucker Exp $ */ +/* $OpenBSD: auth-options.c,v 1.49 2010/03/16 15:46:52 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -434,7 +434,7 @@ auth_cert_constraints(Buffer *c_orig, st goto out; } if (strlen(command) != clen) { - error("force-command constrain contains \\0"); + error("force-command constraint contains \\0"); goto out; } if (cert_forced_command != NULL) { @@ -454,7 +454,7 @@ auth_cert_constraints(Buffer *c_orig, st goto out; } if (strlen(allowed) != clen) { - error("source-address constrain contains \\0"); + error("source-address constraint contains \\0"); goto out; } if (cert_source_address_done++) { Modified: head/crypto/openssh/auth2-pubkey.c ============================================================================== --- head/crypto/openssh/auth2-pubkey.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/auth2-pubkey.c Wed Apr 28 10:36:33 2010 (r207319) 
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth2-pubkey.c,v 1.21 2010/03/04 10:36:03 djm Exp $ */ +/* $OpenBSD: auth2-pubkey.c,v 1.22 2010/03/10 23:27:17 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -240,22 +240,26 @@ user_key_allowed2(struct passwd *pw, Key continue; if (!key_equal(found, key->cert->signature_key)) continue; - debug("matching CA found: file %s, line %lu", - file, linenum); fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); - verbose("Found matching %s CA: %s", - key_type(found), fp); - xfree(fp); + debug("matching CA found: file %s, line %lu, %s %s", + file, linenum, key_type(found), fp); if (key_cert_check_authority(key, 0, 0, pw->pw_name, &reason) != 0) { + xfree(fp); error("%s", reason); auth_debug_add("%s", reason); continue; } if (auth_cert_constraints(&key->cert->constraints, - pw) != 0) + pw) != 0) { + xfree(fp); continue; + } + verbose("Accepted certificate ID \"%s\" " + "signed by %s CA %s via %s", key->cert->key_id, + key_type(found), fp, file); + xfree(fp); found_key = 1; break; } else if (!key_is_cert_authority && key_equal(found, key)) { @@ -281,15 +285,15 @@ user_key_allowed2(struct passwd *pw, Key static int user_cert_trusted_ca(struct passwd *pw, Key *key) { - char *key_fp, *ca_fp; + char *ca_fp; const char *reason; int ret = 0; if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL) return 0; - key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); - ca_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); + ca_fp = key_fingerprint(key->cert->signature_key, + SSH_FP_MD5, SSH_FP_HEX); if (key_in_file(key->cert->signature_key, options.trusted_user_ca_keys, 1) != 1) { 
@@ -306,13 +310,12 @@ user_cert_trusted_ca(struct passwd *pw, if (auth_cert_constraints(&key->cert->constraints, pw) != 0) goto out; - verbose("%s certificate %s allowed by trusted %s key %s", - key_type(key), key_fp, key_type(key->cert->signature_key), ca_fp); + verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s", + key->cert->key_id, key_type(key->cert->signature_key), ca_fp, + options.trusted_user_ca_keys); ret = 1; out: - if (key_fp != NULL) - xfree(key_fp); if (ca_fp != NULL) xfree(ca_fp); return ret; Modified: head/crypto/openssh/channels.c ============================================================================== --- head/crypto/openssh/channels.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/channels.c Wed Apr 28 10:36:33 2010 (r207319) @@ -3252,7 +3252,11 @@ x11_create_display_inet(int x11_display_ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); if (sock < 0) { - if ((errno != EINVAL) && (errno != EAFNOSUPPORT)) { + if ((errno != EINVAL) && (errno != EAFNOSUPPORT) +#ifdef EPFNOSUPPORT + && (errno != EPFNOSUPPORT) +#endif + ) { error("socket: %.100s", strerror(errno)); freeaddrinfo(aitop); return -1; Modified: head/crypto/openssh/clientloop.c ============================================================================== --- head/crypto/openssh/clientloop.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/clientloop.c Wed Apr 28 10:36:33 2010 (r207319) @@ -1,4 +1,4 @@ -/* $OpenBSD: clientloop.c,v 1.218 2010/01/28 00:21:18 djm Exp $ */ +/* $OpenBSD: clientloop.c,v 1.219 2010/03/13 21:10:38 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland 
@@ -1484,6 +1484,7 @@ client_loop(int have_pty, int escape_cha packet_start(SSH2_MSG_DISCONNECT); packet_put_int(SSH2_DISCONNECT_BY_APPLICATION); packet_put_cstring("disconnected by user"); + packet_put_cstring(""); /* language tag */ packet_send(); packet_write_wait(); } Modified: head/crypto/openssh/config.h ============================================================================== --- head/crypto/openssh/config.h Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/config.h Wed Apr 28 10:36:33 2010 (r207319) @@ -124,7 +124,7 @@ #define DISABLE_WTMPX 1 /* Enable for PKCS#11 support */ -#define ENABLE_PKCS11 +#define ENABLE_PKCS11 /**/ /* Builtin PRNG command timeout */ #define ENTROPY_TIMEOUT_MSEC 200 @@ -456,6 +456,9 @@ /* Define to 1 if you have the `getutxline' function. */ #define HAVE_GETUTXLINE 1 +/* Define to 1 if you have the `getutxuser' function. */ +#define HAVE_GETUTXUSER 1 + /* Define to 1 if you have the `get_default_context_with_level' function. */ /* #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL */ @@ -552,6 +555,9 @@ /* Define if system has libiaf that supports set_id */ /* #undef HAVE_LIBIAF */ +/* Define to 1 if you have the `network' library (-lnetwork). */ +/* #undef HAVE_LIBNETWORK */ + /* Define to 1 if you have the `nsl' library (-lnsl). */ /* #undef HAVE_LIBNSL */ @@ -805,6 +811,9 @@ /* Define to 1 if you have the `setutent' function. */ /* #undef HAVE_SETUTENT */ +/* Define to 1 if you have the `setutxdb' function. */ +#define HAVE_SETUTXDB 1 + /* Define to 1 if you have the `setutxent' function. */ #define HAVE_SETUTXENT 1 
@@ -1416,8 +1425,8 @@ /* Define if you want SELinux support. */ /* #undef WITH_SELINUX */ -/* Define to 1 if your processor stores words with the most significant byte - first (like Motorola and SPARC, unlike Intel and VAX). */ +/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most + significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ #if defined __BIG_ENDIAN__ # define WORDS_BIGENDIAN 1 #elif ! defined __LITTLE_ENDIAN__ Modified: head/crypto/openssh/config.h.in ============================================================================== --- head/crypto/openssh/config.h.in Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/config.h.in Wed Apr 28 10:36:33 2010 (r207319) @@ -80,9 +80,6 @@ /* Define if you want to specify the path to your lastlog file */ #undef CONF_LASTLOG_FILE -/* Define if you want to specify the path to your utmpx file */ -#undef CONF_UTMPX_FILE - /* Define if you want to specify the path to your utmp file */ #undef CONF_UTMP_FILE @@ -455,6 +452,9 @@ /* Define to 1 if you have the `getutxline' function. */ #undef HAVE_GETUTXLINE +/* Define to 1 if you have the `getutxuser' function. */ +#undef HAVE_GETUTXUSER + /* Define to 1 if you have the `get_default_context_with_level' function. */ #undef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL @@ -551,6 +551,9 @@ /* Define if system has libiaf that supports set_id */ #undef HAVE_LIBIAF +/* Define to 1 if you have the `network' library (-lnetwork). */ +#undef HAVE_LIBNETWORK + /* Define to 1 if you have the `nsl' library (-lnsl). */ #undef HAVE_LIBNSL 
@@ -804,6 +807,9 @@ /* Define to 1 if you have the `setutent' function. */ #undef HAVE_SETUTENT +/* Define to 1 if you have the `setutxdb' function. */ +#undef HAVE_SETUTXDB + /* Define to 1 if you have the `setutxent' function. */ #undef HAVE_SETUTXENT Modified: head/crypto/openssh/defines.h ============================================================================== --- head/crypto/openssh/defines.h Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/defines.h Wed Apr 28 10:36:33 2010 (r207319) @@ -25,7 +25,7 @@ #ifndef _DEFINES_H #define _DEFINES_H -/* $Id: defines.h,v 1.159 2010/01/13 23:44:34 tim Exp $ */ +/* $Id: defines.h,v 1.160 2010/04/09 08:13:27 dtucker Exp $ */ /* Constants */ Modified: head/crypto/openssh/key.c ============================================================================== --- head/crypto/openssh/key.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/key.c Wed Apr 28 10:36:33 2010 (r207319) @@ -1,4 +1,4 @@ -/* $OpenBSD: key.c,v 1.85 2010/03/04 01:44:57 djm Exp $ */ +/* $OpenBSD: key.c,v 1.86 2010/03/15 19:40:02 stevesk Exp $ */ /* * read_bignum(): * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -802,6 +802,19 @@ key_type(const Key *k) } const char * +key_cert_type(const Key *k) +{ + switch (k->cert->type) { + case SSH2_CERT_TYPE_USER: + return "user"; + case SSH2_CERT_TYPE_HOST: + return "host"; + default: + return "unknown"; + } +} + +const char * key_ssh_name(const Key *k) { switch (k->type) { Modified: head/crypto/openssh/key.h ============================================================================== --- head/crypto/openssh/key.h Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/key.h Wed Apr 28 10:36:33 2010 (r207319) @@ -1,4 +1,4 @@ -/* $OpenBSD: key.h,v 1.28 2010/02/26 20:29:54 djm Exp $ */ +/* $OpenBSD: key.h,v 1.29 2010/03/15 19:40:02 stevesk Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. 
@@ -82,6 +82,7 @@ int key_equal(const Key *, const Key * char *key_fingerprint(Key *, enum fp_type, enum fp_rep); u_char *key_fingerprint_raw(Key *, enum fp_type, u_int *); const char *key_type(const Key *); +const char *key_cert_type(const Key *); int key_write(const Key *, FILE *); int key_read(Key *, char **); u_int key_size(const Key *); Modified: head/crypto/openssh/loginrec.c ============================================================================== --- head/crypto/openssh/loginrec.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/loginrec.c Wed Apr 28 10:36:33 2010 (r207319) @@ -510,6 +510,10 @@ getlast_entry(struct logininfo *li) #ifdef USE_LASTLOG return(lastlog_get_entry(li)); #else /* !USE_LASTLOG */ +#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \ + defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER) + return (utmpx_get_entry(li)); +#endif #if 1 return (utmpx_get_entry(li)); @@ -1614,7 +1618,8 @@ lastlog_get_entry(struct logininfo *li) #endif /* HAVE_GETLASTLOGXBYNAME */ #endif /* USE_LASTLOG */ -#if 1 +#if defined(USE_UTMPX) && defined(HAVE_SETUTXDB) && \ + defined(UTXDB_LASTLOGIN) && defined(HAVE_GETUTXUSER) int utmpx_get_entry(struct logininfo *li) { @@ -1637,7 +1642,7 @@ utmpx_get_entry(struct logininfo *li) endutxent(); return (1); } -#endif +#endif /* USE_UTMPX && HAVE_SETUTXDB && UTXDB_LASTLOGIN && HAVE_GETUTXUSER */ #ifdef USE_BTMP /* Modified: head/crypto/openssh/logintest.c ============================================================================== --- head/crypto/openssh/logintest.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/logintest.c Wed Apr 28 10:36:33 2010 (r207319) 
@@ -264,7 +264,7 @@ showOptions(void) printf("\tUSE_UTMP (UTMP_FILE=%s)\n", UTMP_FILE); #endif #ifdef USE_UTMPX - printf("\tUSE_UTMPX (UTMPX_FILE=%s)\n", UTMPX_FILE); + printf("\tUSE_UTMPX\n"); #endif #ifdef USE_WTMP printf("\tUSE_WTMP (WTMP_FILE=%s)\n", WTMP_FILE); Modified: head/crypto/openssh/openbsd-compat/bsd-arc4random.c ============================================================================== --- head/crypto/openssh/openbsd-compat/bsd-arc4random.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/openbsd-compat/bsd-arc4random.c Wed Apr 28 10:36:33 2010 (r207319) @@ -84,7 +84,7 @@ arc4random_stir(void) } #endif /* !HAVE_ARC4RANDOM */ -#ifndef ARC4RANDOM_BUF +#ifndef HAVE_ARC4RANDOM_BUF void arc4random_buf(void *_buf, size_t n) { @@ -102,7 +102,7 @@ arc4random_buf(void *_buf, size_t n) } #endif /* !HAVE_ARC4RANDOM_BUF */ -#ifndef ARC4RANDOM_UNIFORM +#ifndef HAVE_ARC4RANDOM_UNIFORM /* * Calculate a uniformly distributed random number less than upper_bound * avoiding "modulo bias". Modified: head/crypto/openssh/servconf.c ============================================================================== --- head/crypto/openssh/servconf.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/servconf.c Wed Apr 28 10:36:33 2010 (r207319) @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.c,v 1.204 2010/03/04 10:36:03 djm Exp $ */ +/* $OpenBSD: servconf.c,v 1.207 2010/03/25 23:38:28 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -474,15 +474,14 @@ parse_token(const char *cp, const char * char * derelativise_path(const char *path) { - char *expanded, *ret, *cwd; + char *expanded, *ret, cwd[MAXPATHLEN]; expanded = tilde_expand_filename(path, getuid()); if (*expanded == '/') return expanded; - if ((cwd = getcwd(NULL, 0)) == NULL) + if (getcwd(cwd, sizeof(cwd)) == NULL) fatal("%s: getcwd: %s", __func__, strerror(errno)); xasprintf(&ret, "%s/%s", cwd, expanded); - xfree(cwd); xfree(expanded); return ret; } 
@@ -1227,7 +1226,17 @@ process_server_config_line(ServerOptions charptr = (opcode == sAuthorizedKeysFile) ? &options->authorized_keys_file : &options->authorized_keys_file2; - goto parse_filename; + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: missing file name.", + filename, linenum); + if (*activep && *charptr == NULL) { + *charptr = tilde_expand_filename(arg, getuid()); + /* increase optional counter */ + if (intptr != NULL) + *intptr = *intptr + 1; + } + break; case sClientAliveInterval: intptr = &options->client_alive_interval; Modified: head/crypto/openssh/session.c ============================================================================== --- head/crypto/openssh/session.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/session.c Wed Apr 28 10:36:33 2010 (r207319) @@ -1581,6 +1581,10 @@ do_setusercontext(struct passwd *pw) } #endif /* HAVE_SETPCRED */ +#ifdef WITH_SELINUX + ssh_selinux_setup_exec_context(pw->pw_name); +#endif + if (options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0) { tmp = tilde_expand_filename(options.chroot_directory, @@ -1605,10 +1609,6 @@ do_setusercontext(struct passwd *pw) if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); - -#ifdef WITH_SELINUX - ssh_selinux_setup_exec_context(pw->pw_name); -#endif } static void Modified: head/crypto/openssh/ssh-keygen.1 ============================================================================== --- head/crypto/openssh/ssh-keygen.1 Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/ssh-keygen.1 Wed Apr 28 10:36:33 2010 (r207319) @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.88 2010/03/08 00:28:55 djm Exp $ +.\" $OpenBSD: ssh-keygen.1,v 1.92 2010/03/13 23:38:13 jmc Exp $ .\" $FreeBSD$ .\" .\" -*- nroff -*- 
@@ -38,7 +38,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd March 8 2010 +.Dd March 13 2010 .Dt SSH-KEYGEN 1 .Os .Sh NAME @@ -308,8 +308,15 @@ Please see the section for details. The constraints that are valid for user certificates are: .Bl -tag -width Ds -.It Ic no-x11-forwarding -Disable X11 forwarding (permitted by default). +.It Ic clear +Clear all enabled permissions. +This is useful for clearing the default set of permissions so permissions may +be added individually. +.It Ic force-command Ns = Ns Ar command +Forces the execution of +.Ar command +instead of any shell or command specified by the user when +the certificate is used for authentication. .It Ic no-agent-forwarding Disable .Xr ssh-agent 1 @@ -324,12 +331,8 @@ Disable execution of by .Xr sshd 8 (permitted by default). -.It Ic clear -Clear all enabled permissions. -This is useful for clearing the default set of permissions so permissions may -be added individually. -.It Ic permit-x11-forwarding -Allows X11 forwarding. +.It Ic no-x11-forwarding +Disable X11 forwarding (permitted by default). .It Ic permit-agent-forwarding Allows .Xr ssh-agent 1 @@ -343,14 +346,10 @@ Allows execution of .Pa ~/.ssh/rc by .Xr sshd 8 . -.It Ic force-command=command -Forces the execution of -.Ar command -instead of any shell or command specified by the user when -the certificate is used for authentication. -.It Ic source-address=address_list -Restrict the source addresses from which the certificate is considered valid -from. +.It Ic permit-x11-forwarding +Allows X11 forwarding. +.It Ic source-address Ns = Ns Ar address_list +Restrict the source addresses from which the certificate is considered valid. The .Ar address_list is a comma-separated list of one or more address/netmask pairs in CIDR 
@@ -415,7 +414,7 @@ in YYYYMMDDHHMMSS format or a relative t of a minus sign followed by a relative time in the format described in the .Sx TIME FORMATS section of -.Xr ssh_config 5 . +.Xr sshd_config 5 . The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time starting with a plus character. .Pp @@ -520,7 +519,7 @@ To generate a user certificate: .Dl $ ssh-keygen -s /path/to/ca_key -I key_id /path/to/user_key.pub .Pp The resultant certificate will be placed in -.Pa /path/to/user_key_cert.pub . +.Pa /path/to/user_key-cert.pub . A host certificate requires the .Fl h option: @@ -528,7 +527,7 @@ option: .Dl $ ssh-keygen -s /path/to/ca_key -I key_id -h /path/to/host_key.pub .Pp The host certificate will be output to -.Pa /path/to/host_key_cert.pub . +.Pa /path/to/host_key-cert.pub . In both cases, .Ar key_id is a "key identifier" that is logged by the server when the certificate @@ -540,7 +539,7 @@ By default, generated certificates are v To generate a certificate for a specified set of principals: .Pp .Dl $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub -.Dl $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub +.Dl "$ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub" .Pp Additional limitations on the validity and use of user certificates may be specified through certificate constraints. Modified: head/crypto/openssh/ssh-keygen.c ============================================================================== --- head/crypto/openssh/ssh-keygen.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/ssh-keygen.c Wed Apr 28 10:36:33 2010 (r207319) @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh-keygen.c,v 1.184 2010/03/07 22:16:01 djm Exp $ */ +/* $OpenBSD: ssh-keygen.c,v 1.185 2010/03/15 19:40:02 stevesk Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1994 Tatu Ylonen , Espoo, Finland 
@@ -1393,7 +1393,8 @@ do_show_cert(struct passwd *pw) SSH_FP_MD5, SSH_FP_HEX); printf("%s:\n", identity_file); - printf(" %s certificate %s\n", key_type(key), key_fp); + printf(" %s %s certificate %s\n", key_type(key), + key_cert_type(key), key_fp); printf(" Signed by %s CA %s\n", key_type(key->cert->signature_key), ca_fp); printf(" Key ID \"%s\"\n", key->cert->key_id); Modified: head/crypto/openssh/ssh-pkcs11-helper.c ============================================================================== --- head/crypto/openssh/ssh-pkcs11-helper.c Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/ssh-pkcs11-helper.c Wed Apr 28 10:36:33 2010 (r207319) @@ -17,8 +17,6 @@ #include "includes.h" -#ifdef ENABLE_PKCS11 - #include #ifdef HAVE_SYS_TIME_H # include @@ -39,6 +37,8 @@ #include "authfd.h" #include "ssh-pkcs11.h" +#ifdef ENABLE_PKCS11 + /* borrows code from sftp-server and ssh-agent */ struct pkcs11_keyinfo { Modified: head/crypto/openssh/ssh.1 ============================================================================== --- head/crypto/openssh/ssh.1 Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/ssh.1 Wed Apr 28 10:36:33 2010 (r207319) @@ -34,9 +34,9 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.302 2010/03/05 10:28:21 djm Exp $ +.\" $OpenBSD: ssh.1,v 1.303 2010/03/26 00:26:58 djm Exp $ .\" $FreeBSD$ -.Dd March 5 2010 +.Dd March 26 2010 .Dt SSH 1 .Os .Sh NAME 
@@ -560,7 +560,10 @@ argument is the listen port will be dynamically allocated on the server and reported to the client at run time. .It Fl S Ar ctl_path -Specifies the location of a control socket for connection sharing. +Specifies the location of a control socket for connection sharing +or the string +.Dq none +to disable connection sharing. Refer to the description of .Cm ControlPath and Modified: head/crypto/openssh/ssh_config ============================================================================== --- head/crypto/openssh/ssh_config Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/ssh_config Wed Apr 28 10:36:33 2010 (r207319) @@ -46,4 +46,4 @@ # PermitLocalCommand no # VisualHostKey no # ProxyCommand ssh -q -W %h:%p gateway.example.com -# VersionAddendum FreeBSD-20100308 +# VersionAddendum FreeBSD-20100428 Modified: head/crypto/openssh/ssh_config.5 ============================================================================== --- head/crypto/openssh/ssh_config.5 Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/ssh_config.5 Wed Apr 28 10:36:33 2010 (r207319) @@ -34,9 +34,9 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.129 2010/03/05 10:28:21 djm Exp $ +.\" $OpenBSD: ssh_config.5,v 1.130 2010/03/26 01:06:13 dtucker Exp $ .\" $FreeBSD$ -.Dd March 5 2010 +.Dd March 26 2010 .Dt SSH_CONFIG 5 .Os .Sh NAME @@ -735,11 +735,7 @@ This allows a client to prefer one metho over another method (e.g.\& .Cm password ) The default for this option is: -.Do gssapi-with-mic , -hostbased, -publickey, -keyboard-interactive, -password +.Do gssapi-with-mic,hostbased,publickey,keyboard-interactive,password .Dc . .It Cm Protocol Specifies the protocol versions 
@@ -1087,7 +1083,7 @@ in Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is -.Dq FreeBSD-20100308 . +.Dq FreeBSD-20100428 . .It Cm VisualHostKey If this flag is set to .Dq yes , Modified: head/crypto/openssh/sshd_config ============================================================================== --- head/crypto/openssh/sshd_config Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/sshd_config Wed Apr 28 10:36:33 2010 (r207319) @@ -14,7 +14,7 @@ # Note that some of FreeBSD's defaults differ from OpenBSD's, and # FreeBSD has a few additional options. -#VersionAddendum FreeBSD-20100308 +#VersionAddendum FreeBSD-20100428 #Port 22 #AddressFamily any Modified: head/crypto/openssh/sshd_config.5 ============================================================================== --- head/crypto/openssh/sshd_config.5 Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/sshd_config.5 Wed Apr 28 10:36:33 2010 (r207319) @@ -988,7 +988,7 @@ The default is Specifies a string to append to the regular version string to identify OS- or site-specific modifications. The default is -.Dq FreeBSD-20100308 . +.Dq FreeBSD-20100428 . .It Cm X11DisplayOffset Specifies the first display number available for .Xr sshd 8 Ns 's Modified: head/crypto/openssh/version.h ============================================================================== --- head/crypto/openssh/version.h Wed Apr 28 10:33:41 2010 (r207318) +++ head/crypto/openssh/version.h Wed Apr 28 10:36:33 2010 (r207319) 
@@ -1,12 +1,12 @@ -/* $OpenBSD: version.h,v 1.57 2010/03/07 22:01:32 djm Exp $ */ +/* $OpenBSD: version.h,v 1.58 2010/03/16 16:36:49 djm Exp $ */ /* $FreeBSD$ */ #ifndef SSH_VERSION #define SSH_VERSION (ssh_version_get()) #define SSH_RELEASE (ssh_version_get()) -#define SSH_VERSION_BASE "OpenSSH_5.4p1" -#define SSH_VERSION_ADDENDUM "FreeBSD-20100308" +#define SSH_VERSION_BASE "OpenSSH_5.5p1" +#define SSH_VERSION_ADDENDUM "FreeBSD-20100428" const char *ssh_version_get(void); void ssh_version_set_addendum(const char *);
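Review bot: the auth-options.c hunks at @@ -434 and @@ -454 change only the wording of two `error()` strings, from `force-command constrain contains \0` / `source-address constrain contains \0` to `... constraint contains \0`. That is the right fix, but any log-monitoring or SIEM rule that matches the old literal text will stop firing after this upgrade; rules should be updated to the new spelling, or better, keyed on the option name (`force-command`, `source-address`) plus `contains` so they survive further wording changes.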
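Review bot: in the auth2-pubkey.c hunk at @@ -240, `fp` is now allocated by `key_fingerprint()` before the `key_cert_check_authority()` and `auth_cert_constraints()` checks, so every early `continue` must free it. The hunk does add `xfree(fp)` on both failure paths and on the accept path, which is complete as written, but the pattern is fragile: a future `continue` inserted anywhere between `fp = key_fingerprint(...)` and `found_key = 1;` will leak. Freeing `fp` once after the block (with a local `ok` flag) would remove that trap. Note also that the accepted-certificate message changes from `Found matching %s CA: %s` to `Accepted certificate ID "%s" signed by %s CA %s via %s`; detection rules keyed on the old verbose text need updating, and the new line is the better anchor since it records the CA-assigned key ID and the authorized_keys file that granted the login.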
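Review bot: the auth2-pubkey.c hunk at @@ -281 fixes a real logging bug in `user_cert_trusted_ca()`: `ca_fp` was computed from `key` (the certificate itself) rather than from `key->cert->signature_key`, so the "allowed by trusted ... key" line reported the wrong fingerprint as the CA. The replacement `verbose()` at @@ -306 now prints the actual CA fingerprint and `options.trusted_user_ca_keys`, which is what an auditor needs. One thing to confirm outside the visible context: `ca_fp` is now allocated before the `key_in_file(...) != 1` check, and it is only freed under `out:`, so the failure branch of that check must `goto out` rather than `return 0` directly or the fingerprint string leaks on every rejected certificate.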
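Review bot: in channels.c @@ -3252 the `#ifdef EPFNOSUPPORT` spliced into the middle of the `if` condition is hard to read and easy to break the next time the condition is edited. Computing the test first keeps the preprocessor out of the expression, for example `int benign = errno == EINVAL || errno == EAFNOSUPPORT;` followed by an `#ifdef EPFNOSUPPORT` block that does `benign |= errno == EPFNOSUPPORT;`, and then `if (!benign) { error(...` as before. Behaviourally the change is fine: a `socket()` failure with EPFNOSUPPORT for one address family is now skipped like EAFNOSUPPORT instead of aborting X11 listener creation.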
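Review bot: the clientloop.c hunk at @@ -1484 adds the third field of SSH2_MSG_DISCONNECT, `packet_put_cstring("")` for the language tag, which the ChangeLog entry for 2010/03/13 describes as a protocol conformance fix; the message layout is reason code, description, language tag, so a strict peer would previously have seen a short packet when the user disconnected. It would be worth a quick grep for other `packet_start(SSH2_MSG_DISCONNECT)` call sites in the tree to confirm they already emit all three fields, since this one was missed.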
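Review bot: in loginrec.c @@ -510 the new guarded `return (utmpx_get_entry(li));` is immediately followed by the pre-existing `#if 1 return (utmpx_get_entry(li));`, so as far as the visible context shows `getlast_entry()` still calls `utmpx_get_entry()` unconditionally when the guard is false, and the second call is unreachable when the guard is true. The @@ -1614 hunk replaced the matching `#if 1` around the definition of `utmpx_get_entry()` with the proper `USE_UTMPX && HAVE_SETUTXDB && UTXDB_LASTLOGIN && HAVE_GETUTXUSER` condition, so a build where that condition is false would now reference a function that is no longer defined. The leftover `#if 1` block in `getlast_entry()` should be removed so that only the guarded call remains.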
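Review bot: in openbsd-compat/bsd-arc4random.c the guards were `#ifndef ARC4RANDOM_BUF` and `#ifndef ARC4RANDOM_UNIFORM` while the matching closing comments (`#endif /* !HAVE_ARC4RANDOM_BUF */`) already named the `HAVE_` macros, so unless something else defined the misspelled names the compat `arc4random_buf()` and `arc4random_uniform()` were compiled on every platform and shadowed or collided with the libc versions where those exist. Correcting the names to `HAVE_ARC4RANDOM_BUF` / `HAVE_ARC4RANDOM_UNIFORM` lets the system implementations win. Because this changes which random-number helper code is linked into sshd, confirm that configure actually defines those `HAVE_` macros on FreeBSD; the config.h hunks in this commit do not show them, so they must already be present elsewhere in config.h.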
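Review bot: the servconf.c hunk at @@ -1227 inlines a copy of the `parse_filename` logic for `AuthorizedKeysFile` / `AuthorizedKeysFile2` (the `strdelim`, the `missing file name` fatal, the `*activep && *charptr == NULL` guard and the optional counter increment), differing only in calling `tilde_expand_filename(arg, getuid())` instead of `derelativise_path(arg)`. The behavioural fix is correct: the ChangeLog entries for 2010/03/12 explain that these paths are $HOME-relative and must not be prefixed with sshd's cwd. The duplicated parsing will drift, though; a flag selecting the expansion routine, or a second label that shares the common lines, would keep one copy. Related, in `derelativise_path()` at @@ -474 the `getcwd(NULL, 0)` is replaced by a `MAXPATHLEN` stack buffer with `getcwd(cwd, sizeof(cwd))`, and the `xfree(cwd)` is correctly dropped; a working directory longer than `MAXPATHLEN` now makes sshd `fatal()` at config-parse time, which is acceptable for a daemon but worth a comment.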
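Review bot: the session.c hunks at @@ -1581 and @@ -1605 move `ssh_selinux_setup_exec_context(pw->pw_name)` from after the uid switch to before the `ChrootDirectory` handling. The ChangeLog (bz#1726) says this is what makes `ChrootDirectory` work on SELinux hosts, presumably because the context lookup needs files that are not visible inside the jail, and the move is safe in principle since an exec context only takes effect at the next `execve()`, not in the current process. It does mean the call now runs while sshd still holds its privileges and before `getuid() != pw->pw_uid` is verified, so any failure handling inside it should be reviewed for that earlier position. A comment at the new call site stating that it must precede `chroot()` would stop the next refactor from moving it back.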
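Review bot: `key_cert_type()` added in key.c @@ -802 dereferences `k->cert->type` with no `key_is_cert(k)` check, so calling it on a plain key is a NULL dereference. The only caller in this commit, `do_show_cert()` in ssh-keygen.c @@ -1393, is operating on a certificate, but a one-line comment stating the precondition, or an early `return "unknown"` when `!key_is_cert(k)` (the helper already has an `unknown` case for unexpected types), would make the contract explicit for the next caller. The new `"%s %s certificate %s"` output in `ssh-keygen -L` is a useful addition, since user and host certificates carry different trust and should be distinguishable at a glance.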
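Review bot: the ssh-keygen.1 hunks at @@ -520 and @@ -528 correct the documented output file names to `/path/to/user_key-cert.pub` and `/path/to/host_key-cert.pub`; the ChangeLog entry for 2010/03/13 confirms certificates are named `*-cert.pub`, so the old `_cert.pub` text would have led users to name files that are never picked up. The @@ -415 hunk also fixes the cross-reference for the relative time format from `ssh_config 5` to `sshd_config 5`, and the @@ -308 / @@ -324 / @@ -343 hunks reorder the constraint list alphabetically and switch `force-command` and `source-address` to `Ns = Ns Ar` markup. All documentation-only; nothing further to raise.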