+++ /dev/null
-diff -urN openssh-3.4p1-owl-always-auth/Makefile.in openssh-3.4p1/Makefile.in
---- openssh-3.4p1-owl-always-auth/Makefile.in Wed Jun 26 03:45:42 2002
-+++ openssh-3.4p1/Makefile.in Mon Jul 1 23:11:30 2002
-@@ -64,7 +64,7 @@
-
- SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o
-
--SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
-+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth2-hostbased.o auth2-kbdint.o auth2-none.o auth2-passwd.o auth2-pubkey.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o appl_userpass.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o monitor_mm.o monitor.o
-
- MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
- MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
-diff -urN openssh-3.4p1-owl-always-auth/_pam_userpass.h openssh-3.4p1/_pam_userpass.h
---- openssh-3.4p1-owl-always-auth/_pam_userpass.h Thu Jan 1 03:00:00 1970
-+++ openssh-3.4p1/_pam_userpass.h Mon Jul 1 23:11:30 2002
-@@ -0,0 +1,12 @@
-+#ifndef __PAM_USERPASS_H
-+#define __PAM_USERPASS_H
-+
-+#define USERPASS_AGENT_ID "userpass"
-+#define USERPASS_AGENT_ID_LENGTH 8
-+
-+#define USERPASS_USER_MASK 0x03
-+#define USERPASS_USER_REQUIRED 1
-+#define USERPASS_USER_KNOWN 2
-+#define USERPASS_USER_FIXED 3
-+
-+#endif
-diff -urN openssh-3.4p1-owl-always-auth/appl_userpass.c openssh-3.4p1/appl_userpass.c
---- openssh-3.4p1-owl-always-auth/appl_userpass.c Thu Jan 1 03:00:00 1970
-+++ openssh-3.4p1/appl_userpass.c Mon Jul 1 23:11:30 2002
-@@ -0,0 +1,59 @@
-+#include <string.h>
-+#include <stdlib.h>
-+
-+#include <security/pam_appl.h>
-+#include <security/pam_client.h>
-+
-+#ifndef PAM_BP_RCONTROL
-+/* Linux-PAM prior to 0.74 */
-+#define PAM_BP_RCONTROL PAM_BP_CONTROL
-+#define PAM_BP_WDATA PAM_BP_DATA
-+#define PAM_BP_RDATA PAM_BP_DATA
-+#endif
-+
-+#include "_pam_userpass.h"
-+#include "pam_userpass.h"
-+
-+int pam_userpass_conv(int num_msg, const struct pam_message **msg,
-+ struct pam_response **resp, void *appdata_ptr)
-+{
-+ pam_userpass_t *userpass = (pam_userpass_t *)appdata_ptr;
-+ pamc_bp_t prompt;
-+ const char *input;
-+ char *output;
-+ char flags;
-+
-+ if (num_msg != 1 || msg[0]->msg_style != PAM_BINARY_PROMPT)
-+ return PAM_CONV_ERR;
-+
-+ prompt = (pamc_bp_t)msg[0]->msg;
-+ input = PAM_BP_RDATA(prompt);
-+
-+ if (PAM_BP_RCONTROL(prompt) != PAM_BPC_SELECT ||
-+ strncmp(input, USERPASS_AGENT_ID "/", USERPASS_AGENT_ID_LENGTH + 1))
-+ return PAM_CONV_ERR;
-+
-+ flags = input[USERPASS_AGENT_ID_LENGTH + 1];
-+ input += USERPASS_AGENT_ID_LENGTH + 1 + 1;
-+
-+ if ((flags & USERPASS_USER_MASK) == USERPASS_USER_FIXED &&
-+ strcmp(input, userpass->user))
-+ return PAM_CONV_AGAIN;
-+
-+ if (!(*resp = malloc(sizeof(struct pam_response))))
-+ return PAM_CONV_ERR;
-+
-+ prompt = NULL;
-+ PAM_BP_RENEW(&prompt, PAM_BPC_DONE,
-+ strlen(userpass->user) + 1 + strlen(userpass->pass));
-+ output = PAM_BP_WDATA(prompt);
-+
-+ strcpy(output, userpass->user);
-+ output += strlen(output) + 1;
-+ memcpy(output, userpass->pass, strlen(userpass->pass));
-+
-+ (*resp)[0].resp_retcode = 0;
-+ (*resp)[0].resp = (char *)prompt;
-+
-+ return PAM_SUCCESS;
-+}
-diff -urN openssh-3.4p1-owl-always-auth/auth-pam.c openssh-3.4p1/auth-pam.c
---- openssh-3.4p1-owl-always-auth/auth-pam.c Mon Jul 1 23:09:55 2002
-+++ openssh-3.4p1/auth-pam.c Mon Jul 1 23:38:11 2002
-@@ -34,6 +34,9 @@
- #include "canohost.h"
- #include "readpass.h"
-
-+#include <security/pam_misc.h>
-+#include "pam_userpass.h"
-+
- extern char *__progname;
-
- RCSID("$Id$");
-@@ -45,13 +48,13 @@
- struct pam_response **resp, void *appdata_ptr);
-
- /* module-local variables */
-+static pam_userpass_t userpass;
- static struct pam_conv conv = {
- do_pam_conversation,
-- NULL
-+ &userpass
- };
- static char *__pam_msg = NULL;
- static pam_handle_t *__pamh = NULL;
--static const char *__pampasswd = NULL;
-
- /* states for do_pam_conversation() */
- enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
-@@ -83,18 +86,45 @@
- * PAM conversation function.
- * There are two states this can run in.
- *
-- * INITIAL_LOGIN mode simply feeds the password from the client into
-- * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
-- * messages with into __pam_msg. This is used during initial
-- * authentication to bypass the normal PAM password prompt.
-+ * INITIAL_LOGIN mode simply feeds the username and the password from
-+ * the client into PAM via Linux-PAM binary prompts and queues any text
-+ * messages for printing later.
- *
-- * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase()
-- * and outputs messages to stderr. This mode is used if pam_chauthtok()
-- * is called to update expired passwords.
-+ * OTHER mode is a regular PAM conversation. This mode is used if
-+ * pam_chauthtok() is called to update expired passwords.
- */
- static int do_pam_conversation(int num_msg, const struct pam_message **msg,
- struct pam_response **resp, void *appdata_ptr)
- {
-+ if (pamstate == INITIAL_LOGIN) {
-+ int i, status;
-+
-+ status = pam_userpass_conv(num_msg, msg, resp, appdata_ptr);
-+ if (status != PAM_CONV_ERR)
-+ return status;
-+
-+ if (!(*resp = malloc(num_msg * sizeof(struct pam_response))))
-+ return PAM_CONV_ERR;
-+ for (i = 0; i < num_msg; i++) {
-+ switch (msg[i]->msg_style) {
-+ case PAM_ERROR_MSG:
-+ case PAM_TEXT_INFO:
-+ message_cat(&__pam_msg, msg[i]->msg);
-+ (*resp)[i].resp_retcode = PAM_SUCCESS;
-+ (*resp)[i].resp = NULL;
-+ continue;
-+ default:
-+ free(*resp);
-+ *resp = NULL;
-+ return PAM_CONV_ERR;
-+ }
-+ }
-+ return PAM_SUCCESS;
-+ }
-+
-+ return misc_conv(num_msg, msg, resp, appdata_ptr);
-+
-+#if 0
- struct pam_response *reply;
- int count;
- char buf[1024];
-@@ -170,6 +200,7 @@
- *resp = reply;
-
- return PAM_SUCCESS;
-+#endif
- }
-
- /* Called at exit to cleanly shutdown PAM */
-@@ -221,7 +252,8 @@
- if (*password == '\0' && options.permit_empty_passwd == 0)
- return 0;
-
-- __pampasswd = password;
-+ userpass.user = pw ? pw->pw_name : "ILLEGAL USER";
-+ userpass.pass = password;
-
- pamstate = INITIAL_LOGIN;
- pam_retval = do_pam_authenticate(
-diff -urN openssh-3.4p1-owl-always-auth/pam_userpass.h openssh-3.4p1/pam_userpass.h
---- openssh-3.4p1-owl-always-auth/pam_userpass.h Thu Jan 1 03:00:00 1970
-+++ openssh-3.4p1/pam_userpass.h Mon Jul 1 23:11:30 2002
-@@ -0,0 +1,14 @@
-+#ifndef _PAM_USERPASS_H
-+#define _PAM_USERPASS_H
-+
-+#include <security/pam_appl.h>
-+
-+typedef struct {
-+ const char *user;
-+ const char *pass;
-+} pam_userpass_t;
-+
-+extern int pam_userpass_conv(int num_msg, const struct pam_message **msg,
-+ struct pam_response **resp, void *appdata_ptr);
-+
-+#endif
+++ /dev/null
-diff -Naur openssh-2.1.1p1/auth-pam.c openssh-2.1.1p1-p/auth-pam.c
---- openssh-2.1.1p1/auth-pam.c Wed May 31 03:20:12 2000
-+++ openssh-2.1.1p1-p/auth-pam.c Mon Jun 12 16:31:42 2000
-@@ -18,6 +18,8 @@
- #define NEW_AUTHTOK_MSG \
- "Warning: You password has expired, please change it now"
-
-+extern char *forced_command;
-+
- /* Callbacks */
- static int pamconv(int num_msg, const struct pam_message **msg,
- struct pam_response **resp, void *appdata_ptr);
-@@ -123,6 +125,9 @@
- debug("PAM Password authentication accepted for user \"%.100s\"",
- pw->pw_name);
- return 1;
-+ } else if (pam_retval == PAM_NEW_AUTHTOK_REQD) {
-+ debug("PAM (expired)Password authentication accepted for user \"%.100s\"", pw->pw_name);
-+ return 1;
- } else {
- debug("PAM Password authentication for \"%.100s\" failed: %s",
- pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
-@@ -159,6 +164,9 @@
- break;
- case PAM_NEW_AUTHTOK_REQD:
- pam_msg_cat(NEW_AUTHTOK_MSG);
-+ forced_command = xmalloc(strlen("/usr/bin/passwd") + 1);
-+ strcpy(forced_command, "/usr/bin/passwd");
-+/* pam_retval = pam_chauthtok((pam_handle_t *)pamh, PAM_CHANGE_EXPIRED_AUTHTOK); */
- break;
- default:
- log("PAM rejected by account configuration: %.200s",
-@@ -184,10 +192,9 @@
- }
-
- pam_retval = pam_open_session((pam_handle_t *)pamh, 0);
-- if (pam_retval != PAM_SUCCESS) {
-+ if ((pam_retval != PAM_SUCCESS) && (pam_retval != PAM_NEW_AUTHTOK_REQD))
- fatal("PAM session setup failed: %.200s",
- PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
-- }
- }
-
- /* Set PAM credentials */
-@@ -197,10 +204,9 @@
-
- debug("PAM establishing creds");
- pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED);
-- if (pam_retval != PAM_SUCCESS) {
-+ if ((pam_retval != PAM_SUCCESS) && (pam_retval != PAM_NEW_AUTHTOK_REQD))
- fatal("PAM setcred failed: %.200s",
- PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
-- }
- }
-
- /* Cleanly shutdown PAM */
+++ /dev/null
---- 1/buffer.c~ Tue Sep 16 16:18:17 2003
-+++ 1/buffer.c Tue Sep 16 16:26:59 2003
-@@ -69,6 +69,7 @@
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- /* If the buffer is empty, start using it from the beginning. */
-@@ -95,8 +96,11 @@
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-- buffer->alloc += len + 32768;
-- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
-+ newlen = buffer->alloc + len + 32768;
-+ if (newlen > 0xa00000)
-+ fatal("buffer_append_space: alloc %u not supported", newlen);
-+ buffer->buf = xrealloc(buffer->buf, newlen);
-+ buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
+++ /dev/null
-diff -ur openssh-3.2.3p1/auth-pam.c openssh-3.2.3p1.new/auth-pam.c
---- openssh-3.2.3p1/auth-pam.c Wed May 8 04:27:56 2002
-+++ openssh-3.2.3p1.new/auth-pam.c Fri Jun 28 14:48:26 2002
-@@ -59,6 +59,7 @@
- static int password_change_required = 0;
- /* remember whether the last pam_authenticate() succeeded or not */
- static int was_authenticated = 0;
-+static int acct_mgmt_retval = -1;
-
- /* Remember what has been initialised */
- static int session_opened = 0;
-@@ -72,10 +73,40 @@
- }
-
- /* start an authentication run */
--int do_pam_authenticate(int flags)
-+int do_pam_authenticate(int flags, int can_age_pw_here)
- {
- int retval = pam_authenticate(__pamh, flags);
-+
-+ was_authenticated = (retval == PAM_SUCCESS);
-+ if (retval != PAM_SUCCESS)
-+ return retval;
-+
-+ acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
-+
-+ if (acct_mgmt_retval == PAM_SUCCESS)
-+ return PAM_SUCCESS;
-+
-+ was_authenticated = 0;
-+ if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
-+ return acct_mgmt_retval;
-+
-+ /* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
-+ /* PAM auth token (password) is expired */
-+
-+ /*
-+ * USERAUTH_PASSWORD_CHANGEREQ is not currently
-+ * supported. Password aged users using password
-+ * userauth are thrown out here.
-+ */
-+ if (!can_age_pw_here)
-+ return PAM_NEW_AUTHTOK_REQD;
-+
-+ debug("do_pam_authenticate() - doing password aging");
-+ retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- was_authenticated = (retval == PAM_SUCCESS);
-+ if (retval == PAM_SUCCESS)
-+ acct_mgmt_retval = PAM_SUCCESS;
-+
- return retval;
- }
-
-@@ -220,7 +251,8 @@
-
- pamstate = INITIAL_LOGIN;
- pam_retval = do_pam_authenticate(
-- options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
-+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
-+ 0);
- if (pam_retval == PAM_SUCCESS) {
- debug("PAM Password authentication accepted for "
- "user \"%.100s\"", pw->pw_name);
-@@ -248,19 +280,22 @@
- PAM_STRERROR(__pamh, pam_retval));
- }
-
-- pam_retval = pam_acct_mgmt(__pamh, 0);
-+ /* do_pam_authenticate() may have called pam_acct_mgmt() already */
-+ pam_retval = acct_mgmt_retval;
- debug2("pam_acct_mgmt() = %d", pam_retval);
-+ if (pam_retval == -1)
-+ pam_retval = pam_acct_mgmt(__pamh, 0);
-+
- switch (pam_retval) {
- case PAM_SUCCESS:
- /* This is what we want */
- break;
--#if 0
- case PAM_NEW_AUTHTOK_REQD:
- message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
- /* flag that password change is necessary */
- password_change_required = 1;
-+ return(0); /* Sorry, no TTY password aging */
- break;
--#endif
- default:
- log("PAM rejected by account configuration[%d]: "
- "%.200s", pam_retval, PAM_STRERROR(__pamh,
-@@ -324,27 +359,6 @@
- return password_change_required;
- }
-
--/*
-- * Have user change authentication token if pam_acct_mgmt() indicated
-- * it was expired. This needs to be called after an interactive
-- * session is established and the user's pty is connected to
-- * stdin/stout/stderr.
-- */
--void do_pam_chauthtok(void)
--{
-- int pam_retval;
--
-- do_pam_set_conv(&conv);
--
-- if (password_change_required) {
-- pamstate = OTHER;
-- pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-- if (pam_retval != PAM_SUCCESS)
-- fatal("PAM pam_chauthtok failed[%d]: %.200s",
-- pam_retval, PAM_STRERROR(__pamh, pam_retval));
-- }
--}
--
- /* Cleanly shutdown PAM */
- void finish_pam(void)
- {
-diff -ur openssh-3.2.3p1/auth-pam.h openssh-3.2.3p1.new/auth-pam.h
---- openssh-3.2.3p1/auth-pam.h Thu Apr 4 21:02:28 2002
-+++ openssh-3.2.3p1.new/auth-pam.h Fri Jun 28 14:46:18 2002
-@@ -9,13 +9,12 @@
- void finish_pam(void);
- int auth_pam_password(Authctxt *authctxt, const char *password);
- char **fetch_pam_environment(void);
--int do_pam_authenticate(int flags);
-+int do_pam_authenticate(int flags, int can_age_pw_here);
- int do_pam_account(char *username, char *remote_user);
- void do_pam_session(char *username, const char *ttyname);
- void do_pam_setcred(int init);
- void print_pam_messages(void);
- int is_pam_password_change_required(void);
--void do_pam_chauthtok(void);
- void do_pam_set_conv(struct pam_conv *);
- void message_cat(char **p, const char *a);
-
-diff -ur openssh-3.2.3p1/auth2-pam.c openssh-3.2.3p1.new/auth2-pam.c
---- openssh-3.2.3p1/auth2-pam.c Fri Jun 28 14:48:46 2002
-+++ openssh-3.2.3p1.new/auth2-pam.c Fri Jun 28 14:46:18 2002
-@@ -42,7 +42,7 @@
-
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
- &input_userauth_info_response_pam);
-- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
-+ retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
-
- return retval;
-diff -ur openssh-3.2.3p1/session.c openssh-3.2.3p1.new/session.c
---- openssh-3.2.3p1/session.c Mon May 13 02:48:58 2002
-+++ openssh-3.2.3p1.new/session.c Fri Jun 28 14:46:18 2002
-@@ -645,17 +645,6 @@
- options.verify_reverse_mapping),
- (struct sockaddr *)&from);
-
--#ifdef USE_PAM
-- /*
-- * If password change is needed, do it now.
-- * This needs to occur before the ~/.hushlogin check.
-- */
-- if (is_pam_password_change_required()) {
-- print_pam_messages();
-- do_pam_chauthtok();
-- }
--#endif
--
- if (check_quietlogin(s, command))
- return;
-
+++ /dev/null
-diff -ur openssh-3.2.3p1.orig/session.c openssh-3.2.3p1/session.c
---- openssh-3.2.3p1.orig/session.c Mon May 13 02:48:58 2002
-+++ openssh-3.2.3p1/session.c Thu May 30 21:33:40 2002
-@@ -340,6 +340,44 @@
- }
- }
-
-+struct _user_limits_struct {
-+ int supported;
-+ struct rlimit limit;
-+};
-+
-+static int _save_limits(struct _user_limits_struct *pl)
-+{
-+ int i, r;
-+ int retval = 0;
-+
-+ for(i = 0; i < RLIM_NLIMITS; i++) {
-+ pl[i].supported = 0;
-+ pl[i].limit.rlim_cur = RLIM_INFINITY;
-+ pl[i].limit.rlim_max = RLIM_INFINITY;
-+ r = getrlimit(i, &pl[i].limit);
-+ if (r == -1) {
-+ if (errno != EINVAL) {
-+ retval = -1;
-+ }
-+ } else {
-+ pl[i].supported = 1;
-+ }
-+ }
-+
-+ return retval;
-+}
-+
-+static void _restore_limits(struct _user_limits_struct *pl)
-+{
-+ int i;
-+ int status;
-+
-+ for (i=0; i<RLIM_NLIMITS; i++) {
-+ if (pl[i].supported)
-+ status |= setrlimit(i, &pl[i].limit);
-+ }
-+}
-+
- /*
- * This is called to fork and execute a command when we have no tty. This
- * will call do_child from the child, and server_loop from the parent after
-@@ -349,6 +387,9 @@
- do_exec_no_pty(Session *s, const char *command)
- {
- int pid;
-+#if defined(USE_PAM)
-+ struct _user_limits_struct pl[RLIM_NLIMITS];
-+#endif /* USE_PAM */
-
- #ifdef USE_PIPES
- int pin[2], pout[2], perr[2];
-@@ -370,6 +411,7 @@
- session_proctitle(s);
-
- #if defined(USE_PAM)
-+ _save_limits(pl);
- do_pam_session(s->pw->pw_name, NULL);
- do_pam_setcred(1);
- if (is_pam_password_change_required())
-@@ -430,6 +472,9 @@
- do_child(s, command);
- /* NOTREACHED */
- }
-+#if defined(USE_PAM)
-+ _restore_limits(pl);
-+#endif /* USE_PAM */
- #ifdef HAVE_CYGWIN
- if (is_winnt)
- cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
-@@ -481,6 +526,9 @@
- {
- int fdout, ptyfd, ttyfd, ptymaster;
- pid_t pid;
-+#if defined(USE_PAM)
-+ struct _user_limits_struct pl[RLIM_NLIMITS];
-+#endif /* USE_PAM */
-
- if (s == NULL)
- fatal("do_exec_pty: no session");
-@@ -488,6 +536,7 @@
- ttyfd = s->ttyfd;
-
- #if defined(USE_PAM)
-+ _save_limits(pl);
- do_pam_session(s->pw->pw_name, s->tty);
- do_pam_setcred(1);
- #endif
-@@ -528,6 +577,9 @@
- do_child(s, command);
- /* NOTREACHED */
- }
-+#if defined(USE_PAM)
-+ _restore_limits(pl);
-+#endif /* USE_PAM */
- #ifdef HAVE_CYGWIN
- if (is_winnt)
- cygwin_set_impersonation_token(INVALID_HANDLE_VALUE);
+++ /dev/null
---- openssh-3.7.1p1/auth-pam.c~ Tue Sep 16 08:00:52 2003
-+++ openssh-3.7.1p1/auth-pam.c Thu Sep 18 17:25:02 2003
-@@ -599,6 +599,8 @@
- pam_chauthtok_conv(int n, const struct pam_message **msg,
- struct pam_response **resp, void *data)
- {
-+ return misc_conv(n, msg, resp, data);
-+#if 0
- char input[PAM_MAX_MSG_SIZE];
- int i;
-
-@@ -635,6 +637,7 @@
- xfree(*resp);
- *resp = NULL;
- return (PAM_CONV_ERR);
-+#endif
- }
-
- /*
+++ /dev/null
-diff -Nur openssh-3.2.3p1.orig/clientloop.c openssh-3.2.3p1-alive/clientloop.c
---- openssh-3.2.3p1.orig/clientloop.c Tue Apr 23 13:09:46 2002
-+++ openssh-3.2.3p1-alive/clientloop.c Sun Oct 13 18:32:06 2002
-@@ -321,6 +321,9 @@
- client_wait_until_can_do_something(fd_set **readsetp, fd_set **writesetp,
- int *maxfdp, int *nallocp, int rekeying)
- {
-+ struct timeval tv, *tvp;
-+ int ret;
-+
- /* Add any selections by the channel mechanism. */
- channel_prepare_select(readsetp, writesetp, maxfdp, nallocp, rekeying);
-
-@@ -362,13 +365,30 @@
- /*
- * Wait for something to happen. This will suspend the process until
- * some selected descriptor can be read, written, or has some other
-- * event pending. Note: if you want to implement SSH_MSG_IGNORE
-- * messages to fool traffic analysis, this might be the place to do
-- * it: just have a random timeout for the select, and send a random
-- * SSH_MSG_IGNORE packet when the timeout expires.
-+ * event pending.
-+ * Set a random timeout for the select, and send a random SSH_MSG_IGNORE
-+ * packet when the timeout expires to fool traffic analysis.
- */
-
-- if (select((*maxfdp)+1, *readsetp, *writesetp, NULL, NULL) < 0) {
-+ if (options.bogus_traffic_interval_max) {
-+ u_int32_t rand = arc4random();
-+ u_int64_t timeusec;
-+ static u_int64_t timebase = 0;
-+
-+ if (!timebase)
-+ timebase = (options.bogus_traffic_interval_max -
-+ options.bogus_traffic_interval_min) * 1000000;
-+ timeusec = timebase * rand / 0xffffffffUL;
-+ timeusec += options.bogus_traffic_interval_min * 1000000;
-+ tv.tv_sec = timeusec / 1000000;
-+ tv.tv_usec = timeusec % 1000000;
-+ tvp = &tv;
-+ debug2("Will send SSH_MSG_IGNORE in %lu.%lu s", tv.tv_sec, tv.tv_usec);
-+ }
-+ else tvp = NULL;
-+
-+ ret = select((*maxfdp)+1, *readsetp, *writesetp, NULL, tvp);
-+ if (ret < 0) {
- char buf[100];
-
- /*
-@@ -386,6 +406,12 @@
- buffer_append(&stderr_buffer, buf, strlen(buf));
- quit_pending = 1;
- }
-+ else if (ret == 0) { /* timeout */
-+ u_int32_t rand = arc4random();
-+ packet_send_ignore((rand & 0x3f) + 1);
-+ packet_send();
-+ packet_write_wait();
-+ }
- }
-
- static void
-diff -Nur openssh-3.2.3p1.orig/readconf.c openssh-3.2.3p1-alive/readconf.c
---- openssh-3.2.3p1.orig/readconf.c Tue Feb 5 02:26:35 2002
-+++ openssh-3.2.3p1-alive/readconf.c Sun Oct 13 17:57:46 2002
-@@ -115,7 +115,8 @@
- oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
- oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
- oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
-- oClearAllForwardings, oNoHostAuthenticationForLocalhost
-+ oClearAllForwardings, oNoHostAuthenticationForLocalhost,
-+ oBogusTrafficIntervalMax, oBogusTrafficIntervalMin
- } OpCodes;
-
- /* Textual representations of the tokens. */
-@@ -178,6 +179,8 @@
- { "compression", oCompression },
- { "compressionlevel", oCompressionLevel },
- { "keepalive", oKeepAlives },
-+ { "BogusTrafficIntervalMax", oBogusTrafficIntervalMax },
-+ { "BogusTrafficIntervalMin", oBogusTrafficIntervalMin },
- { "numberofpasswordprompts", oNumberOfPasswordPrompts },
- { "loglevel", oLogLevel },
- { "dynamicforward", oDynamicForward },
-@@ -420,6 +423,42 @@
- intptr = &options->no_host_authentication_for_localhost;
- goto parse_flag;
-
-+ case oBogusTrafficIntervalMax:
-+ intptr = &options->bogus_traffic_interval_max;
-+ arg = strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing argument.", filename, linenum);
-+ if (arg[0] < '0' || arg[0] > '9')
-+ fatal("%.200s line %d: Bad number.", filename, linenum);
-+
-+ /* Octal, decimal, or hex format? */
-+ value = strtol(arg, &endofnumber, 0);
-+ if (arg == endofnumber)
-+ fatal("%.200s line %d: Bad number.", filename, linenum);
-+ if (*activep && *intptr == -1)
-+ *intptr = value;
-+ if (options->bogus_traffic_interval_min >= value)
-+ fatal("%.200s line %d: Bad value.", filename, linenum);
-+ break;
-+
-+ case oBogusTrafficIntervalMin:
-+ intptr = &options->bogus_traffic_interval_min;
-+ arg = strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing argument.", filename, linenum);
-+ if (arg[0] < '0' || arg[0] > '9')
-+ fatal("%.200s line %d: Bad number.", filename, linenum);
-+
-+ /* Octal, decimal, or hex format? */
-+ value = strtol(arg, &endofnumber, 0);
-+ if (arg == endofnumber)
-+ fatal("%.200s line %d: Bad number.", filename, linenum);
-+ if (*activep && *intptr == -1)
-+ *intptr = value;
-+ if (options->bogus_traffic_interval_max <= value)
-+ fatal("%.200s line %d: Bad value.", filename, linenum);
-+ break;
-+
- case oNumberOfPasswordPrompts:
- intptr = &options->number_of_password_prompts;
- goto parse_int;
-@@ -772,6 +811,8 @@
- options->strict_host_key_checking = -1;
- options->compression = -1;
- options->keepalives = -1;
-+ options->bogus_traffic_interval_max = -1;
-+ options->bogus_traffic_interval_min = -1;
- options->compression_level = -1;
- options->port = -1;
- options->connection_attempts = -1;
-@@ -863,6 +904,10 @@
- options->compression = 0;
- if (options->keepalives == -1)
- options->keepalives = 1;
-+ if (options->bogus_traffic_interval_max == -1)
-+ options->bogus_traffic_interval_max = 0;
-+ if (options->bogus_traffic_interval_min == -1)
-+ options->bogus_traffic_interval_min = 0;
- if (options->compression_level == -1)
- options->compression_level = 6;
- if (options->port == -1)
-diff -Nur openssh-3.2.3p1.orig/readconf.h openssh-3.2.3p1-alive/readconf.h
---- openssh-3.2.3p1.orig/readconf.h Tue Mar 5 02:53:05 2002
-+++ openssh-3.2.3p1-alive/readconf.h Sun Oct 13 19:09:02 2002
-@@ -63,6 +63,16 @@
- int compression_level; /* Compression level 1 (fast) to 9
- * (best). */
- int keepalives; /* Set SO_KEEPALIVE. */
-+ int bogus_traffic_interval_max;/*
-+ * max time value of SSH_MSG_IGNORE
-+ * interval
-+ */
-+ int bogus_traffic_interval_min;/*
-+ * min time value of SSH_MSG_IGNORE
-+ * interval
-+ */
-+ int pam_authentication_via_kbd_int;
-+
- LogLevel log_level; /* Level for logging. */
-
- int port; /* Port to connect. */
+++ /dev/null
---- openssh-3.3p1/scp.c.orig Fri Jun 21 02:41:52 2002
-+++ openssh-3.3p1/scp.c Sun Jun 23 21:29:30 2002
-@@ -233,9 +233,11 @@
- addargs(&args, "-oClearAllForwardings yes");
-
- fflag = tflag = 0;
-- while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:")) != -1)
-+ while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q1246S:o:F:")) != -1)
- switch (ch) {
- /* User-visible flags. */
-+ case '1':
-+ case '2':
- case '4':
- case '6':
- case 'C':
-@@ -955,7 +957,7 @@
- usage(void)
- {
- (void) fprintf(stderr,
-- "usage: scp [-pqrvBC46] [-F config] [-S program] [-P port]\n"
-+ "usage: scp [-pqrvBC1246] [-F config] [-S program] [-P port]\n"
- " [-c cipher] [-i identity] [-o option]\n"
- " [[user@]host1:]file1 [...] [[user@]host2:]file2\n");
- exit(1);
---- openssh-2.9.9p2/scp.1.orig Tue Sep 18 07:56:57 2001
-+++ openssh-2.9.9p2/scp.1 Fri Sep 28 05:30:54 2001
-@@ -19,7 +19,7 @@
- .Nd secure copy (remote file copy program)
- .Sh SYNOPSIS
- .Nm scp
--.Op Fl pqrvBC46
-+.Op Fl pqrvBC1246
- .Op Fl F Ar ssh_config
- .Op Fl S Ar program
- .Op Fl P Ar port
-@@ -125,6 +125,14 @@
- command-line flag. For example, forcing the use of protocol
- version 1 is specified using
- .Ic scp -oProtocol=1 .
-+.It Fl 1
-+Forces
-+.Nm
-+to use SSH1 only.
-+.It Fl 2
-+Forces
-+.Nm
-+to use SSH2 only.
- .It Fl 4
- Forces
- .Nm