authorcvs2git2006-02-02 08:44:06 (GMT)
committercvs2git2012-06-24 12:13:13 (GMT)
commit69d2b67d486b6a1b0bce2aa8004a6de7126f818a (patch)
tree11552f6ac34dac4471f8fde3200522b610f67c0d
parentad07ca4fdc7ec5b1d83586c9dbeb383b5976f066 (diff)
This commit was manufactured by cvs2git to create tag 'openssh-4_2p1-2'.openssh-4_2p1-2
Sprout from RA-branch 2006-02-02 08:44:06 UTC cvs2git <feedback@pld-linux.org> 'This commit was manufactured by cvs2git to create branch 'RA-branch'.' Cherrypick from master 2005-09-02 19:34:57 UTC Arkadiusz Miśkiewicz <arekm@maven.pl> '- updated': openssh-linux-ipv6.patch -> 1.2 openssh-sigpipe.patch -> 1.7 Delete: ldappubkey-ossh3.6-v2.patch openssh-buffer_c_overflow.patch openssh-chall-sec.patch openssh-lpk-4.1p1-0.3.6.patch openssh-owl-realloc.patch openssh-pam-age.patch openssh-set_12.patch
-rw-r--r--ldappubkey-ossh3.6-v2.patch515
-rw-r--r--openssh-buffer_c_overflow.patch70
-rw-r--r--openssh-chall-sec.patch31
-rw-r--r--openssh-linux-ipv6.patch15
-rw-r--r--openssh-lpk-4.1p1-0.3.6.patch1822
-rw-r--r--openssh-owl-realloc.patch122
-rw-r--r--openssh-pam-age.patch168
-rw-r--r--openssh-set_12.patch50
-rw-r--r--openssh-sigpipe.patch14
9 files changed, 15 insertions, 2792 deletions
diff --git a/ldappubkey-ossh3.6-v2.patch b/ldappubkey-ossh3.6-v2.patch
deleted file mode 100644
index e0adc20..0000000
--- a/ldappubkey-ossh3.6-v2.patch
+++ /dev/null
@@ -1,515 +0,0 @@
-diff -ru openssh-3.6.1p1/auth2-pubkey.c openssh-3.6.1p1-ldappubkey/auth2-pubkey.c
---- openssh-3.6.1p1/auth2-pubkey.c Thu Jun 6 22:27:56 2002
-+++ openssh-3.6.1p1-ldappubkey/auth2-pubkey.c Thu Apr 17 11:53:03 2003
-@@ -174,12 +174,46 @@
- struct stat st;
- Key *found;
- char *fp;
-+#ifdef WITH_LDAP_PUBKEY
-+ lh host;
-+#endif
-
- if (pw == NULL)
- return 0;
-
- /* Temporarily use the user's uid. */
- temporarily_use_uid(pw);
-+#ifdef WITH_LDAP_PUBKEY
-+ found_key = 0;
-+ /* allocate a new key type */
-+ found = key_new(key->type);
-+
-+ /* first check if the options is enabled, then try.. */
-+ debug("trying LDAP first uid=%s",pw->pw_name);
-+
-+ /* lets add it */
-+ host.url = options.myldap_opt.ldap_server;
-+ host.binddn = options.myldap_opt.binddn;
-+ host.bindpw = options.myldap_opt.bindpw;
-+ host.mgroup = options.myldap_opt.mgroup;
-+
-+ if(options.myldap_opt.pubkey_from_ldap
-+ &&(key_ldap_read(found,pw->pw_name,&host) != 1)) {
-+ debug2("LDAP pubkey failed!!!");
-+ debug2("URL: %s !!",options.myldap_opt.ldap_server);
-+ }
-+
-+ if (key_equal(found,key)) {
-+ found_key = 1;
-+ debug("matching key found on LDAP, line %lu",linenum);
-+ fp = key_fingerprint(found,SSH_FP_MD5, SSH_FP_HEX);
-+ verbose("Found matching %s key: %s",key_type(found),fp);
-+ xfree(fp);
-+ restore_uid();
-+ key_free(found);
-+ return found_key;
-+ }
-+#endif
-
- debug("trying public key file %s", file);
-
-@@ -189,6 +223,7 @@
- restore_uid();
- return 0;
- }
-+
- /* Open the file containing the authorized keys. */
- f = fopen(file, "r");
- if (!f) {
-@@ -196,6 +231,7 @@
- restore_uid();
- return 0;
- }
-+
- if (options.strict_modes &&
- secure_filename(f, file, pw, line, sizeof(line)) != 0) {
- fclose(f);
-@@ -204,8 +240,11 @@
- return 0;
- }
-
-+ /*
- found_key = 0;
- found = key_new(key->type);
-+ old place of found_key = 0;
-+ */
-
- while (fgets(line, sizeof(line), f)) {
- char *cp, *options = NULL;
-diff -ru openssh-3.6.1p1/key.c openssh-3.6.1p1-ldappubkey/key.c
---- openssh-3.6.1p1/key.c Mon Feb 24 02:01:41 2003
-+++ openssh-3.6.1p1-ldappubkey/key.c Thu Apr 17 11:48:00 2003
-@@ -36,6 +36,25 @@
-
- #include <openssl/evp.h>
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include <ldap.h>
-+#include <lber.h>
-+
-+#define PORT LDAP_PORT
-+#define LINEMAX 1024
-+/*
-+ * defined in core.schema, this is a temporary objectclass which can be
-+ * used since i m waiting for pkix schema and pubKey attribute (binary as well
-+ * so minor changes for this patch), there will be an update about this ;)
-+ * the following defs were for test purposes only
-+ * i'm still keeping objectclass=strongAuthenticationuser because of the purpose
-+ * this patch, and wrongly using cn for each user to store group includes
-+ * refere to the README for a better understanding of this.
-+ */
-+#define OBJCLASS "objectclass=strongAuthenticationUser"
-+#define BASE_REQ "ou=users,dc=foobar,dc=net"
-+#endif
-+
- #include "xmalloc.h"
- #include "key.h"
- #include "rsa.h"
-@@ -372,6 +391,217 @@
- OPENSSL_free(buf);
- return 1;
- }
-+
-+#ifdef WITH_LDAP_PUBKEY
-+/* returns 1 ok, -1 error */
-+int
-+/* key_ldap_read(Key *ret, char *uid, char *url, char *binddn, char *bindpw) */
-+key_ldap_read(Key *ret, char *uid, lh *host)
-+{
-+ Key *k;
-+ LDAP *ld;
-+ LDAPMessage *res,*e;
-+ LDAPURLDesc *urlstruct;
-+ char *a,*urlssl,objbuf[LINEMAX];
-+ struct berval **vals;
-+ BerElement *ptr;
-+ int version, rc, j, i, success = -1, ssl_size = 0;
-+
-+ /* version to 3 */
-+ version = LDAP_VERSION3;
-+
-+ /* url based ldap://hostport/dn[?attrs[?scope[?filter[?exts]]]] */
-+ rc = ldap_is_ldap_url(host->url);
-+ if (rc < 0) {
-+ error("key_ldap_read: ldap_is_ldap_url() -> ldap is not an url");
-+
-+ success = -1;
-+ return success;
-+ }
-+
-+ rc = ldap_url_parse(host->url,&urlstruct);
-+ if (rc) {
-+ error("key_ldap_read: ldap_url_parse() -> ldap couldn't be parsed");
-+
-+ success = -1;
-+ return success;
-+ }
-+
-+ ssl_size = strlen(urlstruct->lud_scheme)+strlen(urlstruct->lud_host)+10;
-+
-+ urlssl = (char *) malloc( ssl_size * sizeof(char) );
-+ if (!urlssl) {
-+ error("key_ldap_read: malloc()");
-+
-+ /* free what has been allocated */
-+ ldap_free_urldesc(urlstruct);
-+
-+ success = -1;
-+ return success;
-+ }
-+ memset(urlssl,0,ssl_size);
-+ snprintf(urlssl,ssl_size,"%s://%s:%d",urlstruct->lud_scheme,urlstruct->lud_host,urlstruct->lud_port);
-+
-+ /* open ldap connection */
-+ ld = ldap_init(urlstruct->lud_host,urlstruct->lud_port);
-+ if(!ld) {
-+ error("key_ldap_read: ldap_init()");
-+
-+ /* free what has been allocated */
-+ free(urlssl);
-+ ldap_free_urldesc(urlstruct);
-+
-+ success = -1;
-+ return success;
-+ }
-+
-+ /* setting V3 proto otherwise TLS impossible */
-+ if (ldap_set_option(ld,LDAP_OPT_PROTOCOL_VERSION,&version) != LDAP_OPT_SUCCESS) {
-+ error("key_ldap_read: ldap couldn't set version for TLS/SSL");
-+
-+ /* free what has been allocated */
-+ free(urlssl);
-+ ldap_free_urldesc(urlstruct);
-+
-+ success = -1;
-+ return success;
-+ }
-+ /* HERE CHOOSE SSL/TLS use the scheme and look for the magic 's' ;) */
-+ if (urlstruct->lud_scheme[strlen(urlstruct->lud_scheme)-1] == 's') {
-+ if (ldap_initialize(&ld, urlssl) != LDAP_SUCCESS) {
-+ error("key_ldap_read: ldap_initialize()");
-+
-+ /* free what has been allocated */
-+ free(urlssl);
-+ ldap_free_urldesc(urlstruct);
-+
-+ success = -1;
-+ return success;
-+ }
-+ } else {
-+ if ( (ldap_start_tls_s( ld, NULL, NULL ) != LDAP_SUCCESS)) {
-+ ldap_perror( ld, "key_ldap_read: (TLS) ldap_start_tls" );
-+ /* recover to normal connection */
-+ ld = ldap_init(urlstruct->lud_host,urlstruct->lud_port);
-+ if(!ld) {
-+ error("key_ldap_read: ldap_init()");
-+
-+ /* free what has been allocated */
-+ free(urlssl);
-+ ldap_free_urldesc(urlstruct);
-+
-+ success = -1;
-+ return success;
-+ }
-+ /* use_ssl=1; */
-+ }
-+ }
-+
-+ /* anonymous bind pubkey can be retrieved by anybody */
-+ if (ldap_simple_bind_s(ld,host->binddn,host->bindpw) != LDAP_SUCCESS) {
-+ error("key_ldap_read: ldap_simple_bind_s()");
-+
-+ /* free what has been allocated */
-+ free(urlssl);
-+ ldap_free_urldesc(urlstruct);
-+
-+ success = -1;
-+ return success;
-+ }
-+
-+ /* start ldap search */
-+ if (!uid)
-+ return success;
-+
-+ /*
-+ *
-+ * The user need to have posixAccount & strongAuthenticationuser attributes
-+ * to accept the challenge.
-+ * posixAccount & strongAuthenticationuser + uid is member of configured group.
-+ * ldap user entries MUST respect our standard description.
-+ * objectclass still hardcoded, hope to change this soon .
-+ *
-+ */
-+ if (host->mgroup)
-+ snprintf(objbuf,LINEMAX,"(&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(&(cn=*%s*)(uid=%s)))",host->mgroup,uid);
-+ else
-+ snprintf(objbuf,LINEMAX,"(&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(uid=%s))",uid);
-+
-+ /* New filter group inclusive depend on the configuration */
-+ /* (&(objectclass=posixAccount)(objectclass=strongAuthenticationUser)(&(cn=*groupname*)(uid=eau))) */
-+
-+ ldap_search_s(ld,urlstruct->lud_dn,LDAP_SCOPE_SUBTREE,objbuf,NULL,0,&res);
-+ i = ldap_count_entries(ld,res);
-+
-+ for(e=ldap_first_entry(ld,res); e != NULL; e=ldap_next_entry(ld,e)) {
-+ ldap_get_dn(ld,e);
-+ for(a=ldap_first_attribute(ld,e,&ptr);a!=NULL;a=ldap_next_attribute(ld,e,ptr))
-+ {
-+ if(strncmp(a,"userCertificate",15) == 0) {
-+ vals=ldap_get_values_len(ld,e,a);
-+ for(j = 0; vals[j] != NULL; j++) {
-+ /* value is here :) vals[j] */
-+ k = key_from_blob((unsigned char *)vals[j]->bv_val,(int)vals[j]->bv_len);
-+
-+ if (!k) {
-+ error("key_read: key_from_blob LDAP failed");
-+
-+ ldap_value_free_len(vals);
-+ ldap_free_urldesc(urlstruct);
-+ free(urlssl);
-+
-+ return (-1);
-+ }
-+
-+ /* i dont have type ?!?!?! */
-+ if (k->type != KEY_DSA) {
-+ error("key_read: type mismatch: encoding error");
-+
-+ ldap_value_free_len(vals);
-+ ldap_free_urldesc(urlstruct);
-+ free(urlssl);
-+ key_free(k);
-+
-+ return (-1);
-+ }
-+
-+ if (ret->type == KEY_RSA) {
-+ error("LDAP doesnt handle RSA keys yet");
-+
-+ /* freeing everything */
-+ ldap_value_free_len(vals);
-+ ldap_free_urldesc(urlstruct);
-+ free(urlssl);
-+ key_free(k);
-+
-+ return (-1);
-+ } else {
-+ if (ret->dsa != NULL)
-+ DSA_free(ret->dsa);
-+ ret->dsa = k->dsa;
-+ k->dsa = NULL;
-+ DSA_print_fp(stderr,ret->dsa,8);
-+
-+ /* freeing everything */
-+ ldap_value_free_len(vals);
-+ ldap_free_urldesc(urlstruct);
-+ free(urlssl);
-+ key_free(k);
-+
-+ success = 1;
-+ return success;
-+ }
-+ }
-+ ldap_value_free_len(vals);
-+ key_free(k);
-+ }
-+ }
-+ }
-+ ldap_free_urldesc(urlstruct);
-+ free(urlssl);
-+ return success;
-+}
-+#endif
-
- /* returns 1 ok, -1 error */
- int
-diff -ru openssh-3.6.1p1/key.h openssh-3.6.1p1-ldappubkey/key.h
---- openssh-3.6.1p1/key.h Mon Feb 24 02:01:41 2003
-+++ openssh-3.6.1p1-ldappubkey/key.h Thu Apr 17 11:48:05 2003
-@@ -64,6 +64,18 @@
- char *key_type(Key *);
- int key_write(Key *, FILE *);
- int key_read(Key *, char **);
-+#ifdef WITH_LDAP_PUBKEY
-+/* next step is to handle fallback on ldap servers */
-+typedef struct ldaphost {
-+ char *url; /* LDAP infos in URL format */
-+ char *binddn; /* bind DN */
-+ char *bindpw; /* obvious :> */
-+ char *mgroup; /* server group name */
-+ struct ldaphost *next;
-+} lh;
-+
-+int key_ldap_read(Key *, char *, lh *);
-+#endif
- u_int key_size(Key *);
-
- Key *key_generate(int, u_int);
-diff -ru openssh-3.6.1p1/servconf.c openssh-3.6.1p1-ldappubkey/servconf.c
---- openssh-3.6.1p1/servconf.c Mon Feb 24 02:04:34 2003
-+++ openssh-3.6.1p1-ldappubkey/servconf.c Thu Apr 17 12:04:42 2003
-@@ -123,6 +123,13 @@
- options->client_alive_count_max = -1;
- options->authorized_keys_file = NULL;
- options->authorized_keys_file2 = NULL;
-+#ifdef WITH_LDAP_PUBKEY
-+ options->myldap_opt.pubkey_from_ldap = -1;
-+ options->myldap_opt.ldap_server = NULL;
-+ options->myldap_opt.binddn = NULL;
-+ options->myldap_opt.bindpw = NULL;
-+ options->myldap_opt.mgroup = NULL;
-+#endif
-
- /* Needs to be accessable in many places */
- use_privsep = -1;
-@@ -255,6 +262,18 @@
- }
- if (options->authorized_keys_file == NULL)
- options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
-+#ifdef WITH_LDAP_PUBKEY
-+ if (options->myldap_opt.pubkey_from_ldap == -1)
-+ options->myldap_opt.pubkey_from_ldap = 0;
-+ if (options->myldap_opt.ldap_server == NULL)
-+ options->myldap_opt.ldap_server = _DEFAULT_LDAP_PUBKEY_SERVER;
-+ if (options->myldap_opt.binddn == NULL)
-+ options->myldap_opt.binddn = _DEFAULT_BINDDN;
-+ if (options->myldap_opt.bindpw == NULL)
-+ options->myldap_opt.bindpw = _DEFAULT_BINDPW;
-+ if (options->myldap_opt.mgroup == NULL)
-+ options->myldap_opt.mgroup = _DEFAULT_MGROUP;
-+#endif
-
- /* Turn privilege separation on by default */
- if (use_privsep == -1)
-@@ -303,6 +322,9 @@
- sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
- sUsePrivilegeSeparation,
- sDeprecated, sUnsupported
-+#ifdef WITH_LDAP_PUBKEY
-+ ,sPubkey_from_ldap, sLdap_server, sBinddn, sBindpw, sMgroup
-+#endif
- } ServerOpCodes;
-
- /* Textual representation of the tokens. */
-@@ -379,6 +401,13 @@
- { "clientalivecountmax", sClientAliveCountMax },
- { "authorizedkeysfile", sAuthorizedKeysFile },
- { "authorizedkeysfile2", sAuthorizedKeysFile2 },
-+#ifdef WITH_LDAP_PUBKEY
-+ { "pubkeyfromldap", sPubkey_from_ldap },
-+ { "ldapserver", sLdap_server },
-+ { "binddn", sBinddn },
-+ { "bindpw", sBindpw },
-+ { "mygroup", sMgroup },
-+#endif
- { "useprivilegeseparation", sUsePrivilegeSeparation},
- { NULL, sBadOption }
- };
-@@ -915,6 +944,54 @@
- while (arg)
- arg = strdelim(&cp);
- break;
-+#ifdef WITH_LDAP_PUBKEY
-+ case sPubkey_from_ldap:
-+ intptr = &options->myldap_opt.pubkey_from_ldap;
-+ goto parse_flag;
-+ case sLdap_server:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing ldap server",filename,linenum);
-+ arg[strlen(arg)-1] = '\0';
-+ options->myldap_opt.ldap_server=xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sBinddn:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing binddn",filename,linenum);
-+ arg[strlen(arg)-1] = '\0';
-+ options->myldap_opt.binddn = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sBindpw:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing bindpw",filename,linenum);
-+ arg[strlen(arg)-1] = '\0';
-+ options->myldap_opt.bindpw=xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sMgroup:
-+ p = line;
-+ while (*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing groupname",filename, linenum);
-+ arg[strlen(arg) - 1] = '\0';
-+ options->myldap_opt.mgroup = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+#endif
-
- default:
- fatal("%s line %d: Missing handler for opcode %s (%d)",
-diff -ru openssh-3.6.1p1/servconf.h openssh-3.6.1p1-ldappubkey/servconf.h
---- openssh-3.6.1p1/servconf.h Thu Aug 1 03:28:39 2002
-+++ openssh-3.6.1p1-ldappubkey/servconf.h Thu Apr 17 11:57:48 2003
-@@ -32,6 +32,22 @@
- #define PERMIT_NO_PASSWD 2
- #define PERMIT_YES 3
-
-+#ifdef WITH_LDAP_PUBKEY
-+#define _DEFAULT_LDAP_PUBKEY_SERVER "localhost"
-+#define _DEFAULT_BASEDN "ou=People,dc=company,dc=net"
-+#define _DEFAULT_BINDDN NULL
-+#define _DEFAULT_BINDPW NULL
-+#define _DEFAULT_MGROUP NULL
-+
-+typedef struct {
-+ int pubkey_from_ldap;
-+ char *ldap_server; /* ldap URL format where pubkeys are */
-+ char *binddn; /* ldap base dn where users resides */
-+ char *bindpw; /* ldap bind passwd */
-+ char *mgroup; /* ldap server group name, NULL if deactivated */
-+} ldap_opt;
-+#endif
-+
-
- typedef struct {
- u_int num_ports;
-@@ -132,6 +148,9 @@
- char *authorized_keys_file; /* File containing public keys */
- char *authorized_keys_file2;
- int use_pam; /* Enable auth via PAM */
-+#ifdef WITH_LDAP_PUBKEY
-+ ldap_opt myldap_opt;
-+#endif
- } ServerOptions;
-
- void initialize_server_options(ServerOptions *);
-diff -ru openssh-3.6.1p1/sshd_config openssh-3.6.1p1-ldappubkey/sshd_config
---- openssh-3.6.1p1/sshd_config Fri Sep 27 05:21:58 2002
-+++ openssh-3.6.1p1-ldappubkey/sshd_config Thu Apr 17 12:21:43 2003
-@@ -89,5 +89,13 @@
- #Banner /some/path
- #VerifyReverseMapping no
-
-+# here is the new patched ldap related tokens
-+# entries in your LDAP must be posixAccount & strongAuthenticationUser
-+pubkeyfromldap yes
-+ldapserver ldap://localhost/ou=users,dc=cuckoos,dc=net
-+binddn cn=Manager,dc=cuckoos,dc=net
-+bindpw secret
-+mygroup unixmail
-+
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
diff --git a/openssh-buffer_c_overflow.patch b/openssh-buffer_c_overflow.patch
deleted file mode 100644
index c5249de..0000000
--- a/openssh-buffer_c_overflow.patch
+++ /dev/null
@@ -1,70 +0,0 @@
---- openssh-3.2.3p1/buffer.c 26 Jun 2002 08:54:18 -0000 1.16
-+++ openssh-3.2.3p1/buffer.c 16 Sep 2003 21:02:39 -0000 1.18
-@@ -23,8 +23,11 @@
- void
- buffer_init(Buffer *buffer)
- {
-- buffer->alloc = 4096;
-- buffer->buf = xmalloc(buffer->alloc);
-+ const u_int len = 4096;
-+
-+ buffer->alloc = 0;
-+ buffer->buf = xmalloc(len);
-+ buffer->alloc = len;
- buffer->offset = 0;
- buffer->end = 0;
- }
-@@ -34,8 +37,10 @@
- void
- buffer_free(Buffer *buffer)
- {
-- memset(buffer->buf, 0, buffer->alloc);
-- xfree(buffer->buf);
-+ if (buffer->alloc > 0) {
-+ memset(buffer->buf, 0, buffer->alloc);
-+ xfree(buffer->buf);
-+ }
- }
-
- /*
-@@ -69,6 +74,7 @@
- void *
- buffer_append_space(Buffer *buffer, u_int len)
- {
-+ u_int newlen;
- void *p;
-
- if (len > 0x100000)
-@@ -95,8 +101,13 @@
- goto restart;
- }
- /* Increase the size of the buffer and retry. */
-- buffer->alloc += len + 32768;
-- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
-+
-+ newlen = buffer->alloc + len + 32768;
-+ if (newlen > 0xa00000)
-+ fatal("buffer_append_space: alloc %u not supported",
-+ newlen);
-+ buffer->buf = xrealloc(buffer->buf, newlen);
-+ buffer->alloc = newlen;
- goto restart;
- /* NOTREACHED */
- }
---- openssh-3.2.3p1/channels.c 29 Aug 2003 10:04:36 -0000 1.194
-+++ openssh-3.2.3p1/channels.c 16 Sep 2003 21:02:40 -0000 1.195
-@@ -233,9 +233,13 @@
- if (found == -1) {
- /* There are no free slots. Take last+1 slot and expand the array. */
- found = channels_alloc;
-+ if (channels_alloc > 10000)
-+ fatal("channel_new: internal error: channels_alloc %d "
-+ "too big.", channels_alloc);
-+ channels = xrealloc(channels,
-+ (channels_alloc + 10) * sizeof(Channel *));
- channels_alloc += 10;
- debug2("channel: expanding %d", channels_alloc);
-- channels = xrealloc(channels, channels_alloc * sizeof(Channel *));
- for (i = found; i < channels_alloc; i++)
- channels[i] = NULL;
- }
diff --git a/openssh-chall-sec.patch b/openssh-chall-sec.patch
deleted file mode 100644
index d973b0c..0000000
--- a/openssh-chall-sec.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-diff -uNr openssh-3.2.3p1.orig/auth2-chall.c openssh-3.2.3p1/auth2-chall.c
---- openssh-3.2.3p1.orig/auth2-chall.c Fri Mar 22 03:30:43 2002
-+++ openssh-3.2.3p1/auth2-chall.c Thu Jun 27 01:32:12 2002
-@@ -256,6 +256,8 @@
-
- authctxt->postponed = 0; /* reset */
- nresp = packet_get_int();
-+ if (nresp > 100)
-+ fatal("input_userauth_info_response: nresp too big %u", nresp);
- if (nresp > 0) {
- response = xmalloc(nresp * sizeof(char*));
- for (i = 0; i < nresp; i++)
-diff -uNr openssh-3.2.3p1.orig/auth2-pam.c openssh-3.2.3p1/auth2-pam.c
---- openssh-3.2.3p1.orig/auth2-pam.c Tue Jan 22 13:43:13 2002
-+++ openssh-3.2.3p1/auth2-pam.c Thu Jun 27 01:32:12 2002
-@@ -140,6 +140,15 @@
- nresp = packet_get_int(); /* Number of responses. */
- debug("got %d responses", nresp);
-
-+
-+ if (nresp != context_pam2.num_expected)
-+ fatal("%s: Received incorrect number of responses "
-+ "(expected %u, received %u)", __func__, nresp,
-+ context_pam2.num_expected);
-+
-+ if (nresp > 100)
-+ fatal("%s: too many replies", __func__);
-+
- for (i = 0; i < nresp; i++) {
- int j = context_pam2.prompts[i];
-
diff --git a/openssh-linux-ipv6.patch b/openssh-linux-ipv6.patch
index 6594cbf..3557fdc 100644
--- a/openssh-linux-ipv6.patch
+++ b/openssh-linux-ipv6.patch
@@ -1,10 +1,11 @@
---- openssh.orig/configure.ac 2006-02-02 09:07:47.000000000 +0100
-+++ openssh/configure.ac 2006-02-02 09:11:17.000000000 +0100
-@@ -313,7 +313,6 @@
+diff -Naur openssh-3.1p1/configure.ac openssh-3.1p1-p/configure.ac
+--- openssh-3.1p1/configure.ac Mon Mar 25 12:19:11 2002
++++ openssh-3.1p1-p/configure.ac Mon Mar 25 12:19:42 2002
+@@ -121,7 +121,6 @@
no_dev_ptmx=1
check_for_libcrypt_later=1
check_for_openpty_ctty_bug=1
-- AC_DEFINE(DONT_TRY_OTHER_AF, 1, [Workaround more Linux IPv6 quirks])
- AC_DEFINE(PAM_TTY_KLUDGE, 1,
- [Work around problematic Linux PAM modules handling of PAM_TTY])
- AC_DEFINE(LOCKED_PASSWD_PREFIX, "!",
+- AC_DEFINE(DONT_TRY_OTHER_AF)
+ AC_DEFINE(PAM_TTY_KLUDGE)
+ AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
+ AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
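Review bot: The replacement version of openssh-linux-ipv6.patch targets `openssh-3.1p1/configure.ac` at `@@ -121,7 +121,6 @@` with the one-argument `AC_DEFINE(DONT_TRY_OTHER_AF)` form, whereas the version it removes targeted a 2006 tree at line 313 with the three-argument `AC_DEFINE(DONT_TRY_OTHER_AF, 1, [...])` form, which is what a 4.2p1-era configure.ac appears to use. Since this commit manufactures tag openssh-4_2p1-2, the cherry-picked 3.1p1 patch will presumably need fuzz or fail to apply against that source; the commit message does not say why the older revision was restored, so a one-line note in the patch header such as `# rebased: remove DONT_TRY_OTHER_AF from configure.ac (see LOCKED_PASSWD_PREFIX/PAM_TTY_KLUDGE context)` or a refreshed hunk against the 4.2p1 file would make the intent verifiable. The functional change itself (dropping `DONT_TRY_OTHER_AF` so the Linux build no longer skips the other address family) is the same on both sides, so only the applicability of the context is at issue.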
diff --git a/openssh-lpk-4.1p1-0.3.6.patch b/openssh-lpk-4.1p1-0.3.6.patch
deleted file mode 100644
index ca65015..0000000
--- a/openssh-lpk-4.1p1-0.3.6.patch
+++ /dev/null
@@ -1,1822 +0,0 @@
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/Makefile.in openssh-4.1p1-lpk/Makefile.in
---- openssh-4.1p1/Makefile.in 2005-02-26 00:12:38.000000000 +0100
-+++ openssh-4.1p1-lpk/Makefile.in 2005-07-07 18:14:03.000000000 +0200
-@@ -86,7 +86,7 @@
- auth-krb5.o \
- auth2-gss.o gss-serv.o gss-serv-krb5.o \
- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-- audit.o audit-bsm.o
-+ audit.o audit-bsm.o ldapauth.o
-
- MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
- MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/README.lpk openssh-4.1p1-lpk/README.lpk
---- openssh-4.1p1/README.lpk 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-4.1p1-lpk/README.lpk 2005-07-07 18:14:03.000000000 +0200
-@@ -0,0 +1,260 @@
-+OpenSSH LDAP PUBLIC KEY PATCH
-+Copyright (c) 2003 Eric AUGE (eau@phear.org)
-+All rights reserved.
-+
-+Redistribution and use in source and binary forms, with or without
-+modification, are permitted provided that the following conditions
-+are met:
-+1. Redistributions of source code must retain the above copyright
-+ notice, this list of conditions and the following disclaimer.
-+2. Redistributions in binary form must reproduce the above copyright
-+ notice, this list of conditions and the following disclaimer in the
-+ documentation and/or other materials provided with the distribution.
-+3. The name of the author may not be used to endorse or promote products
-+ derived from this software without specific prior written permission.
-+
-+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+
-+purposes of this patch:
-+
-+This patch would help to have authentication centralization policy
-+using ssh public key authentication.
-+This patch could be an alternative to other "secure" authentication system
-+working in a similar way (Kerberos, SecurID, etc...), except the fact
-+that it's based on OpenSSH and its public key abilities.
-+
-+>> FYI: <<
-+'uid': means unix accounts existing on the current server
-+'lpkServerGroup:' mean server group configured on the current server ('lpkServerGroup' in sshd_config)
-+
-+example schema:
-+
-+
-+ server1 (uid: eau,rival,toto) (lpkServerGroup: unix)
-+ ___________ /
-+ / \ --- - server3 (uid: eau, titi) (lpkServerGroup: unix)
-+ | LDAP Server | \
-+ | eau ,rival | server2 (uid: rival, eau) (lpkServerGroup: unix)
-+ | titi ,toto |
-+ | userx,.... | server5 (uid: eau) (lpkServerGroup: mail)
-+ \___________/ \ /
-+ ----- - server4 (uid: eau, rival) (no group configured)
-+ \
-+ etc...
-+
-+- WHAT WE NEED :
-+
-+ * configured LDAP server somewhere on the network (i.e. OpenLDAP)
-+ * patched sshd (with this patch ;)
-+ * LDAP user(/group) entry (look at users.ldif (& groups.ldif)):
-+ User entry:
-+ - attached to the 'ldapPublicKey' objectclass
-+ - attached to the 'posixAccount' objectclass
-+ - with a filled 'sshPublicKey' attribute
-+ Example:
-+ dn: uid=eau,ou=users,dc=cuckoos,dc=net
-+ objectclass: top
-+ objectclass: person
-+ objectclass: organizationalPerson
-+ objectclass: posixAccount
-+ objectclass: ldapPublicKey
-+ description: Eric AUGE Account
-+ userPassword: blah
-+ cn: Eric AUGE
-+ sn: Eric AUGE
-+ uid: eau
-+ uidNumber: 1034
-+ gidNumber: 1
-+ homeDirectory: /export/home/eau
-+ sshPublicKey: ssh-dss AAAAB3...
-+ sshPublicKey: ssh-dss AAAAM5...
-+
-+ Group entry:
-+ - attached to the 'posixGroup' objectclass
-+ - with a 'cn' groupname attribute
-+ - with multiple 'memberUid' attributes filled with usernames allowed in this group
-+ Example:
-+ # few members
-+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
-+ objectclass: top
-+ objectclass: posixGroup
-+ description: Unix based servers group
-+ cn: unix
-+ gidNumber: 1002
-+ memberUid: eau
-+ memberUid: user1
-+ memberUid: user2
-+
-+
-+- HOW IT WORKS :
-+
-+ * without patch
-+ If a user wants to authenticate to log in a server the sshd, will first look for authentication method allowed (RSAauth,kerberos,etc..)
-+ and if RSAauth and tickets based auth fails, it will fallback to standard password authentication (if enabled).
-+
-+ * with the patch
-+ If a user want to authenticate to log in a server, the sshd will first look for auth method including LDAP pubkey, if the ldappubkey options is enabled.
-+ It will do an ldapsearch to get the public key directly from the LDAP instead of reading it from the server filesystem.
-+ (usually in $HOME/.ssh/authorized_keys)
-+
-+ If groups are enabled, it will also check if the user that wants to login is in the group of the server he is trying to log into.
-+ If it fails, it falls back on RSA auth files ($HOME/.ssh/authorized_keys), etc.. and finally to standard password authentication (if enabled).
-+
-+ 7 tokens are added to sshd_config :
-+ # here is the new patched ldap related tokens
-+ # entries in your LDAP must be posixAccount & strongAuthenticationUser & posixGroup
-+ UseLPK yes # look the pub key into LDAP
-+ LpkServers ldap://10.31.32.5/ ldap://10.31.32.4 ldap://10.31.32.3 # which LDAP server for users ? (URL format)
-+ LpkUserDN ou=users,dc=foobar,dc=net # which base DN for users ?
-+ LpkGroupDN ou=groups,dc=foobar,dc=net # which base DN for groups ?
-+ LpkBindDN cn=manager,dc=foobar,dc=net # which bind DN ?
-+ LpkBindPw asecret # bind DN credidentials
-+ LpkServerGroup agroupname # the group the server is part of
-+
-+ Right now i'm using anonymous binding to get public keys, because getting public keys of someone doesn't impersonate him¸ but there is some
-+ flaws you have to take care of.
-+
-+- HOW TO INSERT A USER/KEY INTO AN LDAP ENTRY
-+
-+ * my way (there is plenty :)
-+ - create ldif file (i.e. users.ldif)
-+ - cat ~/.ssh/id_dsa.pub OR cat ~/.ssh/id_rsa.pub OR cat ~/.ssh/identity.pub
-+ - my way in 4 steps :
-+ Example:
-+
-+ # you add this to the user entry in the LDIF file :
-+ [...]
-+ objectclass: posixAccount
-+ objectclass: ldapPublicKey
-+ [...]
-+ sshPubliKey: ssh-dss AAAABDh12DDUR2...
-+ [...]
-+
-+ # insert your entry and you're done :)
-+ ldapadd -D balblabla -w bleh < file.ldif
-+
-+ all standard options can be present in the 'sshPublicKey' attribute.
-+
-+- WHY :
-+
-+ Simply because, i was looking for a way to centralize all sysadmins authentication, easily, without completely using LDAP
-+ as authentication method (like pam_ldap etc..).
-+
-+ After looking into Kerberos, SecurID, and other centralized secure authentications systems, the use of RSA and LDAP to get
-+ public key for authentication allows us to control who has access to which server (the user needs an account and to be in 'strongAuthenticationUser'
-+ objectclass within LDAP and part of the group the SSH server is in).
-+
-+ Passwords update are no longer a nightmare for a server farm (key pair passphrase is stored on each user's box and private key is locally encrypted using his passphrase
-+ so each user can change it as much as he wants).
-+
-+ Blocking a user account can be done directly from the LDAP (if sshd is using RSAAuth + ldap only).
-+
-+- RULES :
-+ Entry in the LDAP server must respect 'posixAccount' and 'ldapPublicKey' which are defined in core.schema.
-+ and the additionnal lpk.schema.
-+
-+ This patch could allow a smooth transition between standard auth (/etc/passwd) and complete LDAP based authentication
-+ (pamldap, nss_ldap, etc..).
-+
-+ This can be an alternative to other (old?/expensive?) authentication methods (Kerberos/SecurID/..).
-+
-+ Referring to schema at the beginning of this file if user 'eau' is only in group 'unix'
-+ 'eau' would ONLY access 'server1', 'server2', 'server3' AND 'server4' BUT NOT 'server5'.
-+ If you then modify the LDAP 'mail' group entry to add 'memberUid: eau' THEN user 'eau' would be able
-+ to log in 'server5' (i hope you got the idea, my english is bad :).
-+
-+ Each server's sshd is patched and configured to ask the public key and the group infos in the LDAP
-+ server.
-+ When you want to allow a new user to have access to the server parc, you just add him an account on
-+ your servers, you add his public key into his entry on the LDAP server, it's done.
-+
-+ Because sshds are looking public keys into the LDAP directly instead of a file ($HOME/.ssh/authorized_keys).
-+
-+ When the user needs to change his passphrase he can do it directly from his workstation by changing
-+ his own key set lock passphrase, and all servers are automatically aware.
-+
-+ With a CAREFUL LDAP server configuration you could allow a user to add/delete/modify his own entry himself
-+ so he can add/modify/delete himself his public key when needed.
-+
-+­ FLAWS :
-+ LDAP must be well configured, getting the public key of some user is not a problem, but if anonymous LDAP
-+ allow write to users dn, somebody could replace someuser's public key by its own and impersonate some
-+ of your users in all your server farm be VERY CAREFUL.
-+
-+ MITM attack when sshd is requesting the public key, could lead to a compromise of your servers allowing login
-+ as the impersonnated user.
-+
-+ If LDAP server is down then, fallback on passwd auth.
-+
-+ the ldap code part has not been well audited yet.
-+
-+- LDAP USER ENTRY EXAMPLES (LDIF Format, look in users.ldif)
-+ --- CUT HERE ---
-+ dn: uid=jdoe,ou=users,dc=foobar,dc=net
-+ objectclass: top
-+ objectclass: person
-+ objectclass: organizationalPerson
-+ objectclass: posixAccount
-+ objectclass: ldapPublicKey
-+ description: My account
-+ cn: John Doe
-+ sn: John Doe
-+ uid: jdoe
-+ uidNumber: 100
-+ gidNumber: 100
-+ homeDirectory: /home/jdoe
-+ sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAAEBAOvL8pREUg9wSy/8+hQJ54YF3AXkB0OZrXB....
-+ [...]
-+ --- CUT HERE ---
-+
-+- LDAP GROUP ENTRY EXAMPLES (LDIF Format, look in groups.ldif)
-+ --- CUT HERE ---
-+ dn: cn=unix,ou=groups,dc=cuckoos,dc=net
-+ objectclass: top
-+ objectclass: posixGroup
-+ description: Unix based servers group
-+ cn: unix
-+ gidNumber: 1002
-+ memberUid: jdoe
-+ memberUid: user1
-+ memberUid: user2
-+ [...]
-+ --- CUT HERE ---
-+
-+>> FYI: <<
-+Multiple 'sshPublicKey' in a user entry are allowed, as well as multiple 'memberUid' attributes in a group entry
-+
-+- COMPILING:
-+ 1. Apply the patch
-+ 1. ./configure --with-your-options --with-libs="-lldap" --with-ldflags="-L/path/to/your/openldap/lib" --with-cppflags="-I/path/to/your/openldap/include -DWITH_LDAP_PUBKEY"
-+ 3. make
-+ 4. it's done.
-+
-+- BLA :
-+ I hope this could help, and i hope to be clear enough,, or give ideas. questions/comments/improvements are welcome.
-+
-+- TODO :
-+ - filters in the LDAP URL so ppl can choose on others criteria as well
-+ - TLS support
-+ - auto provisionning
-+ - new schema (snu@opendarwin.org idea)
-+
-+- CONTRIBUTORS/IDEAS/GREETS :
-+ - Falk Siemonsmeier -> 3.7 patch port candidate
-+ - Jacob Rief -> ideas (group && cleanups)
-+ - Michael.Durchgraf@dregis.com -> Bugfixes thanks ;)
-+ - frederic.peters@free.fr -> X509 keys LDAP patch (old)
-+ - oink -> bugfixes
-+ - finlay dobbie -> new fresh start with this guy :)
-+
-+- CONTACT :
-+ - Eric AUGE <eau@phear.org>, <eau@opendarwin.org>
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/auth-rsa.c openssh-4.1p1-lpk/auth-rsa.c
---- openssh-4.1p1/auth-rsa.c 2004-12-11 03:39:50.000000000 +0100
-+++ openssh-4.1p1-lpk/auth-rsa.c 2005-07-07 18:14:03.000000000 +0200
-@@ -160,10 +160,96 @@
- u_long linenum = 0;
- struct stat st;
- Key *key;
-+#ifdef WITH_LDAP_PUBKEY
-+ ldap_key_t * k;
-+ int i = 0;
-+#endif
-
- /* Temporarily use the user's uid. */
- temporarily_use_uid(pw);
-
-+#ifdef WITH_LDAP_PUBKEY
-+ /* here is the job */
-+ key = key_new(KEY_RSA1);
-+
-+ if (options.lpk.on) {
-+ debug("[LDAP] trying LDAP first uid=%s", pw->pw_name);
-+ if ( ldap_ismember(&options.lpk, pw->pw_name) > 0) {
-+ if ( (k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
-+ for (i = 0 ; i < k->num ; i++) {
-+ char *cp, *options = NULL;
-+
-+ for (cp = k->keys[i]; *cp == ' ' || *cp == '\t'; cp++)
-+ ;
-+ if (!*cp || *cp == '\n' || *cp == '#')
-+ continue;
-+
-+ /*
-+ * Check if there are options for this key, and if so,
-+ * save their starting address and skip the option part
-+ * for now. If there are no options, set the starting
-+ * address to NULL.
-+ */
-+ if (*cp < '0' || *cp > '9') {
-+ int quoted = 0;
-+ options = cp;
-+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-+ if (*cp == '\\' && cp[1] == '"')
-+ cp++; /* Skip both */
-+ else if (*cp == '"')
-+ quoted = !quoted;
-+ }
-+ } else
-+ options = NULL;
-+
-+ /* Parse the key from the line. */
-+ if (hostfile_read_key(&cp, &bits, key) == 0) {
-+ debug("[LDAP] line %d: non ssh1 key syntax", i);
-+ continue;
-+ }
-+ /* cp now points to the comment part. */
-+
-+ /* Check if the we have found the desired key (identified by its modulus). */
-+ if (BN_cmp(key->rsa->n, client_n) != 0)
-+ continue;
-+
-+ /* check the real bits */
-+ if (bits != BN_num_bits(key->rsa->n))
-+ logit("[LDAP] Warning: ldap, line %lu: keysize mismatch: "
-+ "actual %d vs. announced %d.", (unsigned long)i, BN_num_bits(key->rsa->n), bits);
-+
-+ /* We have found the desired key. */
-+ /*
-+ * If our options do not allow this key to be used,
-+ * do not send challenge.
-+ */
-+ if (!auth_parse_options(pw, options, "[LDAP]", (unsigned long) i))
-+ continue;
-+
-+ /* break out, this key is allowed */
-+ allowed = 1;
-+
-+ /* add the return stuff etc... */
-+ /* Restore the privileged uid. */
-+ restore_uid();
-+
-+ /* return key if allowed */
-+ if (allowed && rkey != NULL)
-+ *rkey = key;
-+ else
-+ key_free(key);
-+
-+ ldap_keys_free(k);
-+ return (allowed);
-+ }
-+ } else {
-+ logit("[LDAP] no keys found for '%s'!", pw->pw_name);
-+ }
-+ } else {
-+ logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
-+ }
-+ }
-+#endif
- /* The authorized keys. */
- file = authorized_keys_file(pw);
- debug("trying public RSA key file %s", file);
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/auth2-pubkey.c openssh-4.1p1-lpk/auth2-pubkey.c
---- openssh-4.1p1/auth2-pubkey.c 2004-12-11 03:39:50.000000000 +0100
-+++ openssh-4.1p1-lpk/auth2-pubkey.c 2005-07-07 18:14:03.000000000 +0200
-@@ -43,6 +43,10 @@
- #include "monitor_wrap.h"
- #include "misc.h"
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include "ldapauth.h"
-+#endif
-+
- /* import */
- extern ServerOptions options;
- extern u_char *session_id2;
-@@ -176,10 +180,79 @@
- struct stat st;
- Key *found;
- char *fp;
-+#ifdef WITH_LDAP_PUBKEY
-+ ldap_key_t * k;
-+ int i = 0;
-+#endif
-
- /* Temporarily use the user's uid. */
- temporarily_use_uid(pw);
-
-+#ifdef WITH_LDAP_PUBKEY
-+ found_key = 0;
-+ /* allocate a new key type */
-+ found = key_new(key->type);
-+
-+ /* first check if the options is enabled, then try.. */
-+ if (options.lpk.on) {
-+ debug("[LDAP] trying LDAP first uid=%s",pw->pw_name);
-+ if (ldap_ismember(&options.lpk, pw->pw_name) > 0) {
-+ if ((k = ldap_getuserkey(&options.lpk, pw->pw_name)) != NULL) {
-+ /* Skip leading whitespace, empty and comment lines. */
-+ for (i = 0 ; i < k->num ; i++) {
-+ /* dont forget if multiple keys to reset options */
-+ char *cp, *options = NULL;
-+
-+ for (cp = (char *)k->keys[i]; *cp == ' ' || *cp == '\t'; cp++)
-+ ;
-+ if (!*cp || *cp == '\n' || *cp == '#')
-+ continue;
-+
-+ if (key_read(found, &cp) != 1) {
-+ /* no key? check if there are options for this key */
-+ int quoted = 0;
-+ debug2("[LDAP] user_key_allowed: check options: '%s'", cp);
-+ options = cp;
-+ for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-+ if (*cp == '\\' && cp[1] == '"')
-+ cp++; /* Skip both */
-+ else if (*cp == '"')
-+ quoted = !quoted;
-+ }
-+ /* Skip remaining whitespace. */
-+ for (; *cp == ' ' || *cp == '\t'; cp++)
-+ ;
-+ if (key_read(found, &cp) != 1) {
-+ debug2("[LDAP] user_key_allowed: advance: '%s'", cp);
-+ /* still no key? advance to next line*/
-+ continue;
-+ }
-+ }
-+
-+ if (key_equal(found, key) &&
-+ auth_parse_options(pw, options, file, linenum) == 1) {
-+ found_key = 1;
-+ debug("[LDAP] matching key found");
-+ fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-+ verbose("[LDAP] Found matching %s key: %s", key_type(found), fp);
-+
-+ /* restoring memory */
-+ ldap_keys_free(k);
-+ xfree(fp);
-+ restore_uid();
-+ key_free(found);
-+ return found_key;
-+ break;
-+ }
-+ }/* end of LDAP for() */
-+ } else {
-+ logit("[LDAP] no keys found for '%s'!", pw->pw_name);
-+ }
-+ } else {
-+ logit("[LDAP] '%s' is not in '%s'", pw->pw_name, options.lpk.sgroup);
-+ }
-+ }
-+#endif
- debug("trying public key file %s", file);
-
- /* Fail quietly if file does not exist */
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/config.h.in openssh-4.1p1-lpk/config.h.in
---- openssh-4.1p1/config.h.in 2005-05-25 14:26:09.000000000 +0200
-+++ openssh-4.1p1-lpk/config.h.in 2005-07-07 18:14:03.000000000 +0200
-@@ -274,6 +274,9 @@
- /* Define if you want TCP Wrappers support */
- #undef LIBWRAP
-
-+/* Define if you want LDAP support */
-+#undef WITH_LDAP_PUBKEY
-+
- /* Define if your libraries define login() */
- #undef HAVE_LOGIN
-
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/configure openssh-4.1p1-lpk/configure
---- openssh-4.1p1/configure 2005-05-25 14:26:12.000000000 +0200
-+++ openssh-4.1p1-lpk/configure 2005-07-07 18:14:35.000000000 +0200
-@@ -873,6 +873,7 @@
- --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
- --with-libedit[=PATH] Enable libedit support for sftp
- --with-audit=module Enable EXPERIMENTAL audit support (modules=debug,bsm)
-+ --with-ldap[=PATH] Enable LDAP support (optionally in PATH)
- --with-pam Enable PAM support
- --with-ssl-dir=PATH Specify path to OpenSSL installation
- --with-rand-helper Use subprocess to gather strong randomness
-@@ -10521,6 +10522,88 @@
-
- fi;
-
-+# Check whether user wants LDAP support
-+LDAP_MSG="no"
-+
-+# Check whether --with-ldap or --without-ldap was given.
-+if test "${with_ldap+set}" = set; then
-+ withval="$with_ldap"
-+
-+ if test "x$withval" != "xno" ; then
-+
-+ if test "x$withval" != "xyes" ; then
-+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
-+ LDFLAGS="$LDFLAGS -L${withval}/lib"
-+ fi
-+
-+ cat >>confdefs.h <<\_ACEOF
-+#define WITH_LDAP_PUBKEY 1
-+_ACEOF
-+
-+ LIBS="-lldap $LIBS"
-+ LDAP_MSG="yes"
-+
-+ echo "$as_me:$LINENO: checking for LDAP support" >&5
-+echo $ECHO_N "checking for LDAP support... $ECHO_C" >&6
-+ cat >conftest.$ac_ext <<_ACEOF
-+/* confdefs.h. */
-+_ACEOF
-+cat confdefs.h >>conftest.$ac_ext
-+cat >>conftest.$ac_ext <<_ACEOF
-+/* end confdefs.h. */
-+#include <sys/types.h>
-+ #include <ldap.h>
-+int
-+main ()
-+{
-+(void)ldap_init(0, 0);
-+ ;
-+ return 0;
-+}
-+_ACEOF
-+rm -f conftest.$ac_objext
-+if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
-+ (eval $ac_compile) 2>conftest.er1
-+ ac_status=$?
-+ grep -v '^ *+' conftest.er1 >conftest.err
-+ rm -f conftest.er1
-+ cat conftest.err >&5
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); } &&
-+ { ac_try='test -z "$ac_c_werror_flag"
-+ || test ! -s conftest.err'
-+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+ (eval $ac_try) 2>&5
-+ ac_status=$?
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); }; } &&
-+ { ac_try='test -s conftest.$ac_objext'
-+ { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
-+ (eval $ac_try) 2>&5
-+ ac_status=$?
-+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
-+ (exit $ac_status); }; }; then
-+ echo "$as_me:$LINENO: result: yes" >&5
-+echo "${ECHO_T}yes" >&6
-+else
-+ echo "$as_me: failed program was:" >&5
-+sed 's/^/| /' conftest.$ac_ext >&5
-+
-+
-+ echo "$as_me:$LINENO: result: no" >&5
-+echo "${ECHO_T}no" >&6
-+ { { echo "$as_me:$LINENO: error: ** Incomplete or missing ldap libraries **" >&5
-+echo "$as_me: error: ** Incomplete or missing ldap libraries **" >&2;}
-+ { (exit 1); exit 1; }; }
-+
-+
-+fi
-+rm -f conftest.err conftest.$ac_objext conftest.$ac_ext
-+ fi
-+
-+
-+fi;
-+
-
-
-
-@@ -26280,6 +26363,7 @@
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
- echo " TCP Wrappers support: $TCPW_MSG"
-+echo " LDAP support: $LDAP_MSG"
- echo " MD5 password support: $MD5_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/configure.ac openssh-4.1p1-lpk/configure.ac
---- openssh-4.1p1/configure.ac 2005-04-24 09:52:23.000000000 +0200
-+++ openssh-4.1p1-lpk/configure.ac 2005-07-07 18:14:03.000000000 +0200
-@@ -910,6 +910,37 @@
- esac ]
- )
-
-+# Check whether user wants LDAP support
-+LDAP_MSG="no"
-+AC_ARG_WITH(ldap,
-+ [ --with-ldap[[=PATH]] Enable LDAP support (optionally in PATH)],
-+ [
-+ if test "x$withval" != "xno" ; then
-+
-+ if test "x$withval" != "xyes" ; then
-+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
-+ LDFLAGS="$LDFLAGS -L${withval}/lib"
-+ fi
-+
-+ AC_DEFINE(WITH_LDAP_PUBKEY)
-+ LIBS="-lldap $LIBS"
-+ LDAP_MSG="yes"
-+
-+ AC_MSG_CHECKING([for LDAP support])
-+ AC_TRY_COMPILE(
-+ [#include <sys/types.h>
-+ #include <ldap.h>],
-+ [(void)ldap_init(0, 0);],
-+ [AC_MSG_RESULT(yes)],
-+ [
-+ AC_MSG_RESULT(no)
-+ AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
-+ ]
-+ )
-+ fi
-+ ]
-+)
-+
- dnl Checks for library functions. Please keep in alphabetical order
- AC_CHECK_FUNCS(\
- arc4random __b64_ntop b64_ntop __b64_pton b64_pton bcopy \
-@@ -3191,6 +3222,7 @@
- echo " Smartcard support: $SCARD_MSG"
- echo " S/KEY support: $SKEY_MSG"
- echo " TCP Wrappers support: $TCPW_MSG"
-+echo " LDAP support: $LDAP_MSG"
- echo " MD5 password support: $MD5_MSG"
- echo " libedit support: $LIBEDIT_MSG"
- echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/ldapauth.c openssh-4.1p1-lpk/ldapauth.c
---- openssh-4.1p1/ldapauth.c 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-4.1p1-lpk/ldapauth.c 2005-07-07 18:14:03.000000000 +0200
-@@ -0,0 +1,547 @@
-+/*
-+ * $Id$
-+ */
-+
-+/*
-+ *
-+ * Copyright (c) 2005, Eric AUGE <eau@phear.org>
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-+ *
-+ * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-+ * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-+ * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
-+ * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ *
-+ */
-+
-+#include "includes.h"
-+
-+#ifdef WITH_LDAP_PUBKEY
-+
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <unistd.h>
-+#include <string.h>
-+
-+#include "ldapauth.h"
-+#include "log.h"
-+
-+static char *attrs[] = {
-+ PUBKEYATTR,
-+ NULL
-+};
-+
-+/* filter building infos */
-+#define FILTER_GROUP_PREFIX "(&(objectclass=posixGroup)"
-+#define FILTER_OR_PREFIX "(|"
-+#define FILTER_OR_SUFFIX ")"
-+#define FILTER_CN_PREFIX "(cn="
-+#define FILTER_CN_SUFFIX ")"
-+#define FILTER_UID_FORMAT "(memberUid=%s)"
-+#define FILTER_GROUP_SUFFIX ")"
-+#define FILTER_GROUP_SIZE(group) (size_t) (strlen(group)+(ldap_count_group(group)*5)+52)
-+
-+/* just filter building stuff */
-+#define REQUEST_GROUP_SIZE(filter, uid) (size_t) (strlen(filter)+strlen(uid)+1)
-+#define REQUEST_GROUP(buffer, prefilter, pwname) \
-+ buffer = (char *) calloc(REQUEST_GROUP_SIZE(prefilter, pwname), sizeof(char)); \
-+ if (!buffer) { \
-+ perror("calloc()"); \
-+ return FAILURE; \
-+ } \
-+ snprintf(buffer, REQUEST_GROUP_SIZE(prefilter,pwname), prefilter, pwname)
-+/*
-+XXX OLD group building macros
-+#define REQUEST_GROUP_SIZE(grp, uid) (size_t) (strlen(grp)+strlen(uid)+46)
-+#define REQUEST_GROUP(buffer,pwname,grp) \
-+ buffer = (char *) calloc(REQUEST_GROUP_SIZE(grp, pwname), sizeof(char)); \
-+ if (!buffer) { \
-+ perror("calloc()"); \
-+ return FAILURE; \
-+ } \
-+ snprintf(buffer,REQUEST_GROUP_SIZE(grp,pwname),"(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))",grp,pwname)
-+ */
-+
-+#define REQUEST_USER_SIZE(uid) (size_t) (strlen(uid)+64)
-+#define REQUEST_USER(buffer, pwname) \
-+ buffer = (char *) calloc(REQUEST_USER_SIZE(pwname), sizeof(char)); \
-+ if (!buffer) { \
-+ perror("calloc()"); \
-+ return NULL; \
-+ } \
-+ snprintf(buffer,REQUEST_USER_SIZE(pwname),"(&(objectclass=posixAccount)(objectclass=ldapPublicKey)(uid=%s))",pwname)
-+
-+/* some portable and working tokenizer, lame though */
-+static int tokenize(char ** o, size_t size, char * input) {
-+ unsigned int i = 0, num;
-+ char * charset = " \t";
-+ char * ptr = input;
-+
-+ /* leading white spaces are ignored */
-+ num = strspn(ptr, charset);
-+ ptr += num;
-+
-+ while ((num = strcspn(ptr, charset))) {
-+ if (i < size-1) {
-+ o[i++] = ptr;
-+ ptr += num;
-+ if (*ptr)
-+ *ptr++ = '\0';
-+ }
-+ }
-+ o[i] = NULL;
-+ return SUCCESS;
-+}
-+
-+void ldap_close(ldap_opt_t * ldap) {
-+
-+ if (!ldap)
-+ return;
-+
-+ if ( ldap_unbind(ldap->ld) < 0)
-+ ldap_perror(ldap->ld, "ldap_unbind()");
-+
-+ ldap->ld = NULL;
-+ FLAG_SET_DISCONNECTED(ldap->flags);
-+
-+ return;
-+}
-+
-+/* init && bind */
-+int ldap_connect(ldap_opt_t * ldap) {
-+ int version = LDAP_VERSION3;
-+
-+ if (!ldap->servers)
-+ return FAILURE;
-+
-+ /* Connection Init and setup */
-+ ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
-+ if (!ldap->ld) {
-+ ldap_perror(ldap->ld, "ldap_init()");
-+ return FAILURE;
-+ }
-+
-+ if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION)");
-+ return FAILURE;
-+ }
-+
-+ /* Timeouts setup */
-+ if (ldap_set_option(ldap->ld, LDAP_OPT_NETWORK_TIMEOUT, &ldap->b_timeout) != LDAP_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT)");
-+ }
-+ if (ldap_set_option(ldap->ld, LDAP_OPT_TIMEOUT, &ldap->s_timeout) != LDAP_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_set_option(LDAP_OPT_TIMEOUT)");
-+ }
-+
-+ /* TLS support */
-+ if ( (ldap->tls == -1) || (ldap->tls == 1) ) {
-+ if (ldap_start_tls_s(ldap->ld, NULL, NULL ) != LDAP_SUCCESS) {
-+ /* failed then reinit the initial connect */
-+ ldap_perror(ldap->ld, "ldap_connect: (TLS) ldap_start_tls()");
-+ if (ldap->tls == 1)
-+ return FAILURE;
-+
-+ ldap->ld = ldap_init(ldap->servers, LDAP_PORT);
-+ if (!ldap->ld) {
-+ ldap_perror(ldap->ld, "ldap_init()");
-+ return FAILURE;
-+ }
-+
-+ if ( ldap_set_option(ldap->ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_OPT_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_set_option()");
-+ return FAILURE;
-+ }
-+ }
-+ }
-+
-+
-+ if ( ldap_simple_bind_s(ldap->ld, ldap->binddn, ldap->bindpw) != LDAP_SUCCESS) {
-+ ldap_perror(ldap->ld, "ldap_simple_bind_s()");
-+ return FAILURE;
-+ }
-+
-+ /* says it is connected */
-+ FLAG_SET_CONNECTED(ldap->flags);
-+
-+ return SUCCESS;
-+}
-+
-+/* must free allocated ressource */
-+static char * ldap_build_host(char *host, int port) {
-+ unsigned int size = strlen(host)+11;
-+ char * h = (char *) calloc (size, sizeof(char));
-+ int rc;
-+ if (!h)
-+ return NULL;
-+
-+ rc = snprintf(h, size, "%s:%d ", host, port);
-+ if (rc == -1)
-+ return NULL;
-+ return h;
-+}
-+
-+static int ldap_count_group(char * input) {
-+ char * charset = " \t";
-+ char * ptr = input;
-+ unsigned int count = 0;
-+ unsigned int num;
-+
-+ num = strspn(ptr, charset);
-+ ptr += num;
-+
-+ while ((num = strcspn(ptr, charset))) {
-+ count++;
-+ ptr += num;
-+ ptr++;
-+ }
-+
-+ return count;
-+}
-+
-+/* format filter */
-+char * ldap_parse_groups(char * groups) {
-+ unsigned int buffer_size = FILTER_GROUP_SIZE(groups);
-+ char * buffer = (char *) calloc(buffer_size, sizeof(char));
-+ char * g = NULL;
-+ char * garray[32];
-+ unsigned int i = 0;
-+
-+ if ((!groups)||(!buffer))
-+ return NULL;
-+
-+ g = strdup(groups);
-+ if (!g) {
-+ free(buffer);
-+ return NULL;
-+ }
-+
-+ /* first separate into n tokens */
-+ if ( tokenize(garray, sizeof(garray)/sizeof(*garray), g) < 0) {
-+ free(g);
-+ free(buffer);
-+ return NULL;
-+ }
-+
-+ /* build the final filter format */
-+ strlcat(buffer, FILTER_GROUP_PREFIX, buffer_size);
-+ strlcat(buffer, FILTER_OR_PREFIX, buffer_size);
-+ i = 0;
-+ while (garray[i]) {
-+ strlcat(buffer, FILTER_CN_PREFIX, buffer_size);
-+ strlcat(buffer, garray[i], buffer_size);
-+ strlcat(buffer, FILTER_CN_SUFFIX, buffer_size);
-+ i++;
-+ }
-+ strlcat(buffer, FILTER_OR_SUFFIX, buffer_size);
-+ strlcat(buffer, FILTER_UID_FORMAT, buffer_size);
-+ strlcat(buffer, FILTER_GROUP_SUFFIX, buffer_size);
-+
-+ free(g);
-+ return buffer;
-+}
-+
-+/* a bit dirty but leak free */
-+char * ldap_parse_servers(char * servers) {
-+ char * s = NULL;
-+ char * tmp = NULL, *urls[32];
-+ unsigned int num = 0 , i = 0 , asize = 0;
-+ LDAPURLDesc *urld[32];
-+
-+ if (!servers)
-+ return NULL;
-+
-+ /* local copy of the arg */
-+ s = strdup(servers);
-+ if (!s)
-+ return NULL;
-+
-+ /* first separate into URL tokens */
-+ if ( tokenize(urls, sizeof(urls)/sizeof(*urls), s) < 0)
-+ return NULL;
-+
-+ i = 0;
-+ while (urls[i]) {
-+ if ( ldap_is_ldap_url(urls[i]) ) {
-+ if (ldap_url_parse(urls[i], &urld[i]) != 0)
-+ return NULL;
-+ }
-+ i++;
-+ }
-+
-+ /* now free(s) */
-+ free (s);
-+
-+ /* how much memory do we need */
-+ num = i;
-+ for (i = 0 ; i < num ; i++)
-+ asize += strlen(urld[i]->lud_host)+11;
-+
-+ /* alloc */
-+ s = (char *) calloc( asize+1 , sizeof(char));
-+ if (!s) {
-+ for (i = 0 ; i < num ; i++)
-+ ldap_free_urldesc(urld[i]);
-+ return NULL;
-+ }
-+
-+ /* then build the final host string */
-+ for (i = 0 ; i < num ; i++) {
-+ /* built host part */
-+ tmp = ldap_build_host(urld[i]->lud_host, urld[i]->lud_port);
-+ strncat(s, tmp, strlen(tmp));
-+ ldap_free_urldesc(urld[i]);
-+ free(tmp);
-+ }
-+
-+ return s;
-+}
-+
-+void ldap_options_print(ldap_opt_t * ldap) {
-+ printf("ldap options:\n");
-+ printf("servers: %s\n", ldap->servers);
-+ if (ldap->u_basedn)
-+ printf("user basedn: %s\n", ldap->u_basedn);
-+ if (ldap->g_basedn)
-+ printf("group basedn: %s\n", ldap->g_basedn);
-+ if (ldap->binddn)
-+ printf("binddn: %s\n", ldap->binddn);
-+ if (ldap->bindpw)
-+ printf("bindpw: %s\n", ldap->bindpw);
-+ if (ldap->sgroup)
-+ printf("group: %s\n", ldap->sgroup);
-+}
-+
-+void ldap_options_free(ldap_opt_t * l) {
-+ if (!l)
-+ return;
-+ if (l->servers)
-+ free(l->servers);
-+ if (l->u_basedn)
-+ free(l->u_basedn);
-+ if (l->g_basedn)
-+ free(l->g_basedn);
-+ if (l->binddn)
-+ free(l->binddn);
-+ if (l->bindpw)
-+ free(l->bindpw);
-+ if (l->sgroup)
-+ free(l->sgroup);
-+ if (l->fgroup)
-+ free(l->fgroup);
-+ if (l->l_conf)
-+ free(l->l_conf);
-+ free(l);
-+}
-+
-+/* free keys */
-+void ldap_keys_free(ldap_key_t * k) {
-+ ldap_value_free(k->keys);
-+ free(k);
-+ return;
-+}
-+
-+ldap_key_t * ldap_getuserkey(ldap_opt_t *l, char * user) {
-+ ldap_key_t * k = (ldap_key_t *) calloc (1, sizeof(ldap_key_t));
-+ LDAPMessage *res, *e;
-+ char * filter;
-+ int i;
-+
-+ if ((!k) || (!l))
-+ return NULL;
-+
-+ /* Am i still connected ? RETRY n times */
-+ /* XXX TODO: setup some conf value for retrying */
-+ if (!(l->flags & FLAG_CONNECTED))
-+ for (i = 0 ; i < 2 ; i++)
-+ if (ldap_connect(l) == 0)
-+ break;
-+
-+ /* build filter for LDAP request */
-+ REQUEST_USER(filter, user);
-+
-+ if ( ldap_search_st( l->ld,
-+ l->u_basedn,
-+ LDAP_SCOPE_SUBTREE,
-+ filter,
-+ attrs, 0, &l->s_timeout, &res ) != LDAP_SUCCESS) {
-+
-+ ldap_perror(l->ld, "ldap_search_st()");
-+
-+ free(filter);
-+ free(k);
-+
-+ /* XXX error on search, timeout etc.. close ask for reconnect */
-+ ldap_close(l);
-+
-+ return NULL;
-+ }
-+
-+ /* free */
-+ free(filter);
-+
-+ /* check if any results */
-+ i = ldap_count_entries(l->ld,res);
-+ if (i <= 0) {
-+ ldap_msgfree(res);
-+ free(k);
-+ return NULL;
-+ }
-+
-+ if (i > 1)
-+ printf("[LDAP] duplicate entries, using the FIRST entry returned\n");
-+
-+ e = ldap_first_entry(l->ld, res);
-+ k->keys = ldap_get_values(l->ld, e, PUBKEYATTR);
-+ k->num = ldap_count_values(k->keys);
-+
-+ ldap_msgfree(res);
-+ return k;
-+}
-+
-+
-+/* -1 if trouble
-+ 0 if user is NOT member of current server group
-+ 1 if user IS MEMBER of current server group
-+ */
-+int ldap_ismember(ldap_opt_t * l, char * user) {
-+ LDAPMessage *res;
-+ char * filter;
-+ int i;
-+
-+ if ((!l->sgroup) || !(l->g_basedn))
-+ return 1;
-+
-+ /* Am i still connected ? RETRY n times */
-+ /* XXX TODO: setup some conf value for retrying */
-+ if (!(l->flags & FLAG_CONNECTED))
-+ for (i = 0 ; i < 2 ; i++)
-+ if (ldap_connect(l) == 0)
-+ break;
-+
-+ /* build filter for LDAP request */
-+ REQUEST_GROUP(filter, l->fgroup, user);
-+
-+ if (ldap_search_st( l->ld,
-+ l->g_basedn,
-+ LDAP_SCOPE_SUBTREE,
-+ filter,
-+ NULL, 0, &l->s_timeout, &res) != LDAP_SUCCESS) {
-+
-+ ldap_perror(l->ld, "ldap_search_st()");
-+
-+ free(filter);
-+
-+ /* XXX error on search, timeout etc.. close ask for reconnect */
-+ ldap_close(l);
-+
-+ return FAILURE;
-+ }
-+
-+ free(filter);
-+
-+ /* check if any results */
-+ if (ldap_count_entries(l->ld, res) > 0) {
-+ ldap_msgfree(res);
-+ return 1;
-+ }
-+
-+ ldap_msgfree(res);
-+ return 0;
-+}
-+
-+/*
-+ * ldap.conf simple parser
-+ * XXX TODO: sanity checks
-+ * must either
-+ * - free the previous ldap_opt_before replacing entries
-+ * - free each necessary previously parsed elements
-+ * ret:
-+ * -1 on FAILURE, 0 on SUCCESS
-+ */
-+int ldap_parse_lconf(ldap_opt_t * l) {
-+ FILE * lcd; /* ldap.conf descriptor */
-+ char buf[BUFSIZ];
-+ char * s = NULL, * k = NULL, * v = NULL;
-+ int li, len;
-+
-+ lcd = fopen (l->l_conf, "r");
-+ if (lcd == NULL) {
-+ /* debug("Cannot open %s", l->l_conf); */
-+ perror("ldap_parse_lconf()");
-+ return FAILURE;
-+ }
-+
-+ while (fgets (buf, sizeof (buf), lcd) != NULL) {
-+
-+ if (*buf == '\n' || *buf == '#')
-+ continue;
-+
-+ k = buf;
-+ v = k;
-+ while (*v != '\0' && *v != ' ' && *v != '\t')
-+ v++;
-+
-+ if (*v == '\0')
-+ continue;
-+
-+ *(v++) = '\0';
-+
-+ while (*v == ' ' || *v == '\t')
-+ v++;
-+
-+ li = strlen (v) - 1;
-+ while (v[li] == ' ' || v[li] == '\t' || v[li] == '\n')
-+ --li;
-+ v[li + 1] = '\0';
-+
-+ if (!strcasecmp (k, "uri")) {
-+ if ((l->servers = ldap_parse_servers(strdup (v))) == NULL) {
-+ fatal("error in ldap servers");
-+ return FAILURE;
-+ }
-+
-+ }
-+ else if (!strcasecmp (k, "base")) {
-+ s = strchr (v, '?');
-+ if (s != NULL) {
-+ len = s - v;
-+ l->u_basedn = malloc (len + 1);
-+ strncpy (l->u_basedn, v, len);
-+ l->u_basedn[len] = '\0';
-+ } else {
-+ l->u_basedn = strdup (v);
-+ }
-+ }
-+ else if (!strcasecmp (k, "binddn")) {
-+ l->binddn = strdup (v);
-+ }
-+ else if (!strcasecmp (k, "bindpw")) {
-+ l->bindpw = strdup (v);
-+ }
-+ else if (!strcasecmp (k, "timelimit")) {
-+ l->s_timeout.tv_sec = atoi (v);
-+ }
-+ else if (!strcasecmp (k, "bind_timelimit")) {
-+ l->b_timeout.tv_sec = atoi (v);
-+ }
-+ else if (!strcasecmp (k, "ssl")) {
-+ if (!strcasecmp (v, "start_tls"))
-+ l->tls = 1;
-+ }
-+ }
-+
-+ fclose (lcd);
-+ return SUCCESS;
-+}
-+
-+#endif /* WITH_LDAP_PUBKEY */
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/ldapauth.h openssh-4.1p1-lpk/ldapauth.h
---- openssh-4.1p1/ldapauth.h 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-4.1p1-lpk/ldapauth.h 2005-07-07 18:14:03.000000000 +0200
-@@ -0,0 +1,119 @@
-+/*
-+ * $Id$
-+ */
-+
-+/*
-+ *
-+ * Copyright (c) 2005, Eric AUGE <eau@phear.org>
-+ * All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-+ *
-+ * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-+ * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-+ * Neither the name of the phear.org nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
-+ * BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ *
-+ */
-+
-+#ifndef LDAPAUTH_H
-+#define LDAPAUTH_H
-+
-+#include <string.h>
-+#include <time.h>
-+#include <ldap.h>
-+#include <lber.h>
-+
-+/* tokens in use for config */
-+#define _DEFAULT_LPK_TOKEN "UseLPK"
-+#define _DEFAULT_SRV_TOKEN "LpkServers"
-+#define _DEFAULT_USR_TOKEN "LpkUserDN"
-+#define _DEFAULT_GRP_TOKEN "LpkGroupDN"
-+#define _DEFAULT_BDN_TOKEN "LpkBindDN"
-+#define _DEFAULT_BPW_TOKEN "LpkBindPw"
-+#define _DEFAULT_MYG_TOKEN "LpkServerGroup"
-+#define _DEFAULT_TLS_TOKEN "LpkForceTLS"
-+#define _DEFAULT_BTI_TOKEN "LpkBindTimelimit"
-+#define _DEFAULT_STI_TOKEN "LpkSearchTimelimit"
-+#define _DEFAULT_LDP_TOKEN "LpkLdapConf"
-+
-+/* default options */
-+#define _DEFAULT_LPK_ON 0
-+#define _DEFAULT_LPK_SERVERS NULL
-+#define _DEFAULT_LPK_UDN NULL
-+#define _DEFAULT_LPK_GDN NULL
-+#define _DEFAULT_LPK_BINDDN NULL
-+#define _DEFAULT_LPK_BINDPW NULL
-+#define _DEFAULT_LPK_SGROUP NULL
-+#define _DEFAULT_LPK_TLS -1
-+#define _DEFAULT_LPK_BTIMEOUT 10
-+#define _DEFAULT_LPK_STIMEOUT 10
-+#define _DEFAULT_LPK_LDP NULL
-+
-+/* flags */
-+#define FLAG_EMPTY 0x00000000
-+#define FLAG_CONNECTED 0x00000001
-+
-+/* flag macros */
-+#define FLAG_SET_EMPTY(x) x&=(FLAG_EMPTY)
-+#define FLAG_SET_CONNECTED(x) x|=(FLAG_CONNECTED)
-+#define FLAG_SET_DISCONNECTED(x) x&=~(FLAG_CONNECTED)
-+
-+/* defines */
-+#define FAILURE -1
-+#define SUCCESS 0
-+#define PUBKEYATTR "sshPublicKey"
-+
-+/*
-+ *
-+ * defined files path
-+ * (should be relocated to pathnames.h,
-+ * if one day it's included within the tree)
-+ *
-+ */
-+#define _PATH_LDAP_CONFIG_FILE "/etc/ldap.conf"
-+
-+/* structures */
-+typedef struct ldap_options {
-+ int on; /* Use it or NOT */
-+ LDAP * ld; /* LDAP file desc */
-+ char * servers; /* parsed servers for ldaplib failover handling */
-+ char * u_basedn; /* user basedn */
-+ char * g_basedn; /* group basedn */
-+ char * binddn; /* binddn */
-+ char * bindpw; /* bind password */
-+ char * sgroup; /* server group */
-+ char * fgroup; /* group filter */
-+ char * l_conf; /* use ldap.conf */
-+ int tls; /* TLS only */
-+ struct timeval b_timeout; /* bind timeout */
-+ struct timeval s_timeout; /* search timeout */
-+ unsigned int flags; /* misc flags (reconnection, future use?) */
-+} ldap_opt_t;
-+
-+typedef struct ldap_keys {
-+ char ** keys; /* the public keys retrieved */
-+ unsigned int num; /* number of keys */
-+} ldap_key_t;
-+
-+
-+/* function headers */
-+void ldap_close(ldap_opt_t *);
-+int ldap_connect(ldap_opt_t *);
-+char * ldap_parse_groups(char *);
-+char * ldap_parse_servers(char *);
-+void ldap_options_print(ldap_opt_t *);
-+void ldap_options_free(ldap_opt_t *);
-+void ldap_keys_free(ldap_key_t *);
-+int ldap_parse_lconf(ldap_opt_t *);
-+ldap_key_t * ldap_getuserkey(ldap_opt_t *, char *);
-+int ldap_ismember(ldap_opt_t *, char *);
-+
-+#endif
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/lpk-user-example.txt openssh-4.1p1-lpk/lpk-user-example.txt
---- openssh-4.1p1/lpk-user-example.txt 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-4.1p1-lpk/lpk-user-example.txt 2005-07-07 18:14:03.000000000 +0200
-@@ -0,0 +1,117 @@
-+
-+Post to ML -> User Made Quick Install Doc.
-+Contribution from John Lane <john@lane.uk.net>
-+
-+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-+
-+OpenSSH LDAP keystore Patch
-+===========================
-+
-+NOTE: these notes are a transcript of a specific installation
-+ they work for me, your specifics may be different!
-+ from John Lane March 17th 2005 john@lane.uk.net
-+
-+This is a patch to OpenSSH 4.0p1 to allow it to obtain users' public keys
-+from their LDAP record as an alternative to ~/.ssh/authorized_keys.
-+
-+(Assuming here that necessary build stuff is in $BUILD)
-+
-+cd $BUILD/openssh-4.0p1
-+patch -Np1 -i $BUILD/openssh-lpk-4.0p1-0.3.patch
-+mkdir -p /var/empty &&
-+./configure --prefix=/usr --sysconfdir=/etc/ssh \
-+ --libexecdir=/usr/sbin --with-md5-passwords --with-pam \
-+ --with-libs="-lldap" --with-cppflags="-DWITH_LDAP_PUBKEY"
-+Now do.
-+make &&
-+make install
-+
-+Add the following config to /etc/ssh/ssh_config
-+UseLPK yes
-+LpkServers ldap://myhost.mydomain.com
-+LpkUserDN ou=People,dc=mydomain,dc=com
-+
-+We need to tell sshd about the SSL keys during boot, as root's
-+environment does not exist at that time. Edit /etc/rc.d/init.d/sshd.
-+Change the startup code from this:
-+ echo "Starting SSH Server..."
-+ loadproc /usr/sbin/sshd
-+ ;;
-+to this:
-+ echo "Starting SSH Server..."
-+ LDAPRC="/root/.ldaprc" loadproc /usr/sbin/sshd
-+ ;;
-+
-+Re-start the sshd daemon:
-+/etc/rc.d/init.d/sshd restart
-+
-+Install the additional LDAP schema
-+cp $BUILD/openssh-lpk-0.2.schema /etc/openldap/schema/openssh.schema
-+
-+Now add the openSSH LDAP schema to /etc/openldap/slapd.conf:
-+Add the following to the end of the existing block of schema includes
-+include /etc/openldap/schema/openssh.schema
-+
-+Re-start the LDAP server:
-+/etc/rc.d/init.d/slapd restart
-+
-+To add one or more public keys to a user, eg "testuser" :
-+ldapsearch -x -W -Z -LLL -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
-+"uid=testuser,ou=People,dc=mydomain,dc=com" > /tmp/testuser
-+
-+append the following to this /tmp/testuser file
-+objectclass: ldapPublicKey
-+sshPublicKey: ssh-rsa
-+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KS
-+qIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z8XwSsuAoR1t86t+5dlI
-+7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
-+
-+Then do a modify:
-+ldapmodify -x -D "uid=testuser,ou=People,dc=mydomain,dc=com" -W -f
-+/tmp/testuser -Z
-+Enter LDAP Password:
-+modifying entry "uid=testuser,ou=People,dc=mydomain,dc=com"
-+And check the modify is ok:
-+ldapsearch -x -W -Z -b "uid=testuser,ou=People,dc=mydomain,dc=com" -D
-+"uid=testuser,ou=People,dc=mydomain,dc=com"
-+Enter LDAP Password:
-+# extended LDIF
-+#
-+# LDAPv3
-+# base <uid=testuser,ou=People,dc=mydomain,dc=com> with scope sub
-+# filter: (objectclass=*)
-+# requesting: ALL
-+#
-+
-+# testuser, People, mydomain.com
-+dn: uid=testuser,ou=People,dc=mydomain,dc=com
-+uid: testuser
-+cn: testuser
-+objectClass: account
-+objectClass: posixAccount
-+objectClass: top
-+objectClass: shadowAccount
-+objectClass: ldapPublicKey
-+shadowLastChange: 12757
-+shadowMax: 99999
-+shadowWarning: 7
-+loginShell: /bin/bash
-+uidNumber: 9999
-+gidNumber: 501
-+homeDirectory: /home/testuser
-+userPassword:: e1NTSEF9UDgwV1hnM1VjUDRJK0k1YnFiL1d4ZUJObXlZZ3Z3UTU=
-+sshPublicKey: ssh-rsa
-+AAAAB3NzaC1yc2EAAAABJQAAAIB3dsrwqXqD7E4zYYrxwdDKBUQxKMioXy9pxFVai64kAPxjU9KSqIo7QfkjslfsjflksjfldfkjsldfjLX/5zkzRmT28I5piGzunPv17S89z
-+8XwSsuAoR1t86t+5dlI7eZE/gVbn2UQkQq7+kdDTS2yXV6VnC52N/kKLG3ciBkBAw== General Purpose RSA Key
-+
-+# search result
-+search: 3
-+result: 0 Success
-+
-+# numResponses: 2
-+# numEntries: 1
-+
-+Now start a ssh session to user "testuser" from usual ssh client (e.g.
-+puTTY). Login should succeed.
-+
-+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/openssh-lpk.schema openssh-4.1p1-lpk/openssh-lpk.schema
---- openssh-4.1p1/openssh-lpk.schema 1970-01-01 01:00:00.000000000 +0100
-+++ openssh-4.1p1-lpk/openssh-lpk.schema 2005-07-07 23:50:55.000000000 +0200
-@@ -0,0 +1,21 @@
-+#
-+# $Id$
-+#
-+# LDAP Public Key Patch schema for use with openssh-ldappubkey
-+# Author: Eric AUGE <eau@phear.org>
-+#
-+# Based on the proposal of : Mark Ruijter
-+#
-+
-+
-+# octetString SYNTAX
-+attributetype ( 1.3.6.1.4.1.22054.500.1.1.1.13 NAME 'sshPublicKey'
-+ DESC 'MANDATORY: OpenSSH Public key'
-+ EQUALITY octetStringMatch
-+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-+
-+# printableString SYNTAX yes|no
-+objectclass ( 1.3.6.1.4.1.22054.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
-+ DESC 'MANDATORY: OpenSSH LPK objectclass'
-+ MUST ( sshPublicKey $ uid )
-+ )
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/servconf.c openssh-4.1p1-lpk/servconf.c
---- openssh-4.1p1/servconf.c 2005-03-14 13:08:12.000000000 +0100
-+++ openssh-4.1p1-lpk/servconf.c 2005-07-07 18:14:03.000000000 +0200
-@@ -23,6 +23,10 @@
- #include "kex.h"
- #include "mac.h"
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include "ldapauth.h"
-+#endif
-+
- static void add_listen_addr(ServerOptions *, char *, u_short);
- static void add_one_listen_addr(ServerOptions *, char *, u_short);
-
-@@ -101,7 +105,23 @@
- options->authorized_keys_file = NULL;
- options->authorized_keys_file2 = NULL;
- options->num_accept_env = 0;
--
-+#ifdef WITH_LDAP_PUBKEY
-+ /* XXX dirty */
-+ options->lpk.ld = NULL;
-+ options->lpk.on = -1;
-+ options->lpk.servers = NULL;
-+ options->lpk.u_basedn = NULL;
-+ options->lpk.g_basedn = NULL;
-+ options->lpk.binddn = NULL;
-+ options->lpk.bindpw = NULL;
-+ options->lpk.sgroup = NULL;
-+ options->lpk.fgroup = NULL;
-+ options->lpk.l_conf = NULL;
-+ options->lpk.tls = -1;
-+ options->lpk.b_timeout.tv_sec = 0;
-+ options->lpk.s_timeout.tv_sec = 0;
-+ options->lpk.flags = FLAG_EMPTY;
-+#endif
- /* Needs to be accessable in many places */
- use_privsep = -1;
- }
-@@ -229,7 +249,30 @@
- }
- if (options->authorized_keys_file == NULL)
- options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
--
-+#ifdef WITH_LDAP_PUBKEY
-+ if (options->lpk.on == -1)
-+ options->lpk.on = _DEFAULT_LPK_ON;
-+ if (options->lpk.servers == NULL)
-+ options->lpk.servers = _DEFAULT_LPK_SERVERS;
-+ if (options->lpk.u_basedn == NULL)
-+ options->lpk.u_basedn = _DEFAULT_LPK_UDN;
-+ if (options->lpk.g_basedn == NULL)
-+ options->lpk.g_basedn = _DEFAULT_LPK_GDN;
-+ if (options->lpk.binddn == NULL)
-+ options->lpk.binddn = _DEFAULT_LPK_BINDDN;
-+ if (options->lpk.bindpw == NULL)
-+ options->lpk.bindpw = _DEFAULT_LPK_BINDPW;
-+ if (options->lpk.sgroup == NULL)
-+ options->lpk.sgroup = _DEFAULT_LPK_SGROUP;
-+ if (options->lpk.tls == -1)
-+ options->lpk.tls = _DEFAULT_LPK_TLS;
-+ if (options->lpk.b_timeout.tv_sec == 0)
-+ options->lpk.b_timeout.tv_sec = _DEFAULT_LPK_BTIMEOUT;
-+ if (options->lpk.s_timeout.tv_sec == 0)
-+ options->lpk.s_timeout.tv_sec = _DEFAULT_LPK_STIMEOUT;
-+ if (options->lpk.l_conf == NULL)
-+ options->lpk.l_conf = _DEFAULT_LPK_LDP;
-+#endif
- /* Turn privilege separation on by default */
- if (use_privsep == -1)
- use_privsep = 1;
-@@ -273,6 +316,12 @@
- sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
- sUsePrivilegeSeparation,
- sDeprecated, sUnsupported
-+#ifdef WITH_LDAP_PUBKEY
-+ ,sLdapPublickey, sLdapServers, sLdapUserDN
-+ ,sLdapGroupDN, sBindDN, sBindPw, sMyGroup
-+ ,sForceTLS, sBindTimeout, sSearchTimeout
-+ ,sLdapConf
-+#endif
- } ServerOpCodes;
-
- /* Textual representation of the tokens. */
-@@ -371,6 +420,19 @@
- { "clientalivecountmax", sClientAliveCountMax },
- { "authorizedkeysfile", sAuthorizedKeysFile },
- { "authorizedkeysfile2", sAuthorizedKeysFile2 },
-+#ifdef WITH_LDAP_PUBKEY
-+ { _DEFAULT_LPK_TOKEN, sLdapPublickey },
-+ { _DEFAULT_SRV_TOKEN, sLdapServers },
-+ { _DEFAULT_USR_TOKEN, sLdapUserDN },
-+ { _DEFAULT_GRP_TOKEN, sLdapGroupDN },
-+ { _DEFAULT_BDN_TOKEN, sBindDN },
-+ { _DEFAULT_BPW_TOKEN, sBindPw },
-+ { _DEFAULT_MYG_TOKEN, sMyGroup },
-+ { _DEFAULT_TLS_TOKEN, sForceTLS },
-+ { _DEFAULT_BTI_TOKEN, sBindTimeout },
-+ { _DEFAULT_STI_TOKEN, sSearchTimeout },
-+ { _DEFAULT_LDP_TOKEN, sLdapConf },
-+#endif
- { "useprivilegeseparation", sUsePrivilegeSeparation},
- { "acceptenv", sAcceptEnv },
- { NULL, sBadOption }
-@@ -949,6 +1011,116 @@
- while (arg)
- arg = strdelim(&cp);
- break;
-+#ifdef WITH_LDAP_PUBKEY
-+ case sLdapPublickey:
-+ intptr = &options->lpk.on;
-+ goto parse_flag;
-+ case sLdapServers:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing ldap server",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ if ((options->lpk.servers = ldap_parse_servers(arg)) == NULL)
-+ fatal("%s line %d: error in ldap servers", filename, linenum);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sLdapUserDN:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing ldap server",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.u_basedn = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sLdapGroupDN:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing ldap server",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.g_basedn = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sBindDN:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing binddn",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.binddn = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sBindPw:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while(*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing bindpw",filename,linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.bindpw = xstrdup(arg);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sMyGroup:
-+ p = line;
-+ while (*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing groupname",filename, linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.sgroup = xstrdup(arg);
-+ if (options->lpk.sgroup)
-+ options->lpk.fgroup = ldap_parse_groups(options->lpk.sgroup);
-+ memset(arg,0,strlen(arg));
-+ break;
-+ case sForceTLS:
-+ intptr = &options->lpk.tls;
-+ arg = strdelim(&cp);
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing yes/no argument.",
-+ filename, linenum);
-+ value = 0; /* silence compiler */
-+ if (strcmp(arg, "yes") == 0)
-+ value = 1;
-+ else if (strcmp(arg, "no") == 0)
-+ value = 0;
-+ else if (strcmp(arg, "try") == 0)
-+ value = -1;
-+ else
-+ fatal("%s line %d: Bad yes/no argument: %s",
-+ filename, linenum, arg);
-+ if (*intptr == -1)
-+ *intptr = value;
-+ break;
-+ case sBindTimeout:
-+ intptr = (int *) &options->lpk.b_timeout.tv_sec;
-+ goto parse_int;
-+ case sSearchTimeout:
-+ intptr = (int *) &options->lpk.s_timeout.tv_sec;
-+ goto parse_int;
-+ break;
-+ case sLdapConf:
-+ /* arg = strdelim(&cp); */
-+ p = line;
-+ while (*p++);
-+ arg = p;
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing LpkLdapConf", filename, linenum);
-+ arg[strlen(arg)] = '\0';
-+ options->lpk.l_conf = xstrdup(arg);
-+ memset(arg, 0, strlen(arg));
-+ break;
-+#endif
-
- default:
- fatal("%s line %d: Missing handler for opcode %s (%d)",
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/servconf.h openssh-4.1p1-lpk/servconf.h
---- openssh-4.1p1/servconf.h 2005-01-20 00:57:56.000000000 +0100
-+++ openssh-4.1p1-lpk/servconf.h 2005-07-07 18:14:03.000000000 +0200
-@@ -18,6 +18,10 @@
-
- #include "buffer.h"
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include "ldapauth.h"
-+#endif
-+
- #define MAX_PORTS 256 /* Max # ports. */
-
- #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */
-@@ -134,6 +138,9 @@
- char *authorized_keys_file; /* File containing public keys */
- char *authorized_keys_file2;
- int use_pam; /* Enable auth via PAM */
-+#ifdef WITH_LDAP_PUBKEY
-+ ldap_opt_t lpk;
-+#endif
- } ServerOptions;
-
- void initialize_server_options(ServerOptions *);
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/sshd.c openssh-4.1p1-lpk/sshd.c
---- openssh-4.1p1/sshd.c 2005-03-31 13:39:25.000000000 +0200
-+++ openssh-4.1p1-lpk/sshd.c 2005-07-07 18:14:03.000000000 +0200
-@@ -93,6 +93,10 @@
- int deny_severity = LOG_WARNING;
- #endif /* LIBWRAP */
-
-+#ifdef WITH_LDAP_PUBKEY
-+#include "ldapauth.h"
-+#endif
-+
- #ifndef O_NOCTTY
- #define O_NOCTTY 0
- #endif
-@@ -1076,6 +1080,16 @@
- exit(1);
- }
-
-+#ifdef WITH_LDAP_PUBKEY
-+ /* ldap_options_print(&options.lpk); */
-+ /* XXX initialize/check ldap connection and set *LD */
-+ if (options.lpk.on) {
-+ if (options.lpk.l_conf && (ldap_parse_lconf(&options.lpk) < 0) )
-+ error("[LDAP] could not parse %s", options.lpk.l_conf);
-+ if (ldap_connect(&options.lpk) < 0)
-+ error("[LDAP] could not initialize ldap connection");
-+ }
-+#endif
- debug("sshd version %.100s", SSH_RELEASE);
-
- /* load private host keys */
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/sshd_config openssh-4.1p1-lpk/sshd_config
---- openssh-4.1p1/sshd_config 2005-01-20 00:57:56.000000000 +0100
-+++ openssh-4.1p1-lpk/sshd_config 2005-07-07 18:14:03.000000000 +0200
-@@ -99,6 +99,20 @@
-
- # no default banner path
- #Banner /some/path
-+
-+# here is the new patched ldap related tokens
-+# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
-+#UseLPK yes
-+#LpkLdapConf /etc/ldap.conf
-+#LpkServers ldap://127.0.0.4 ldap://127.0.0.3 ldap://127.0.0.1/
-+#LpkUserDN ou=users,dc=phear,dc=org
-+#LpkGroupDN ou=groups,dc=phear,dc=org
-+#LpkBindDN cn=Manager,dc=phear,dc=org
-+#LpkBindPw secret
-+#LpkServerGroup mail
-+#LpkForceTLS no
-+#LpkSearchTimelimit 3
-+#LpkBindTimelimit 3
-
- # override default of no subsystems
- Subsystem sftp /usr/libexec/sftp-server
-diff -Nru -x Makefile -x 'buildpkg.*' -x opensshd.init -x 'ssh_prng_*' openssh-4.1p1/sshd_config.5 openssh-4.1p1-lpk/sshd_config.5
---- openssh-4.1p1/sshd_config.5 2005-03-31 13:33:51.000000000 +0200
-+++ openssh-4.1p1-lpk/sshd_config.5 2005-07-07 18:14:03.000000000 +0200
-@@ -760,6 +760,58 @@
- program.
- The default is
- .Pa /usr/X11R6/bin/xauth .
-+.It Cm UseLPK
-+Specifies whether LDAP public key retrieval must be used or not. It allow
-+an easy centralisation of public keys within an LDAP directory. The argument must be
-+.Dq yes
-+or
-+.Dq no .
-+.It Cm LpkLdapConf
-+Specifies whether LDAP Public keys should parse the specified ldap.conf file
-+instead of sshd_config Tokens. The argument must be a valid path to an ldap.conf
-+file like
-+.Pa /etc/ldap.conf
-+.It Cm LpkServers
-+Specifies LDAP one or more [:space:] separated server's url the following form may be used:
-+.Pp
-+LpkServers ldaps://127.0.0.1 ldap://127.0.0.2 ldap://127.0.0.3
-+.It Cm LpkUserDN
-+Specifies the LDAP user DN.
-+.Pp
-+LpkUserDN ou=users,dc=phear,dc=org
-+.It Cm LpkGroupDN
-+Specifies the LDAP groups DN.
-+.Pp
-+LpkGroupDN ou=groups,dc=phear,dc=org
-+.It Cm LpkBindDN
-+Specifies the LDAP bind DN to use if necessary.
-+.Pp
-+LpkBindDN cn=Manager,dc=phear,dc=org
-+.It Cm LpkBindPw
-+Specifies the LDAP bind credential.
-+.Pp
-+LpkBindPw secret
-+.It Cm LpkServerGroup
-+Specifies one or more [:space:] separated group the server is part of.
-+.Pp
-+LpkServerGroup unix mail prod
-+.It Cm LpkForceTLS
-+Specifies if the LDAP server connection must be tried, forced or not used. The argument must be
-+.Dq yes
-+or
-+.Dq no
-+or
-+.Dq try .
-+.It Cm LpkSearchTimelimit
-+Sepcifies the search time limit before the search is considered over. value is
-+in seconds.
-+.Pp
-+LpkSearchTimelimit 3
-+.It Cm LpkBindTimelimit
-+Sepcifies the bind time limit before the connection is considered dead. value is
-+in seconds.
-+.Pp
-+LpkBindTimelimit 3
- .El
- .Ss Time Formats
- .Nm sshd
diff --git a/openssh-owl-realloc.patch b/openssh-owl-realloc.patch
deleted file mode 100644
index 9225e45..0000000
--- a/openssh-owl-realloc.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-Taken from RH (applies to 3.2.3p1 clearly).
-Patch from Owl, adjusted to apply to 3.1p1.
-diff -urp openssh-3.6.1p2.orig/deattack.c openssh-3.6.1p2/deattack.c
---- openssh-3.6.1p2.orig/deattack.c Tue Mar 5 01:53:05 2002
-+++ openssh-3.6.1p2/deattack.c Wed Sep 17 00:18:30 2003
-@@ -100,12 +100,12 @@ detect_attack(u_char *buf, u_int32_t len
-
- if (h == NULL) {
- debug("Installing crc compensation attack detector.");
-+ h = (u_int16_t *) xmalloc(l * HASH_ENTRYSIZE);
- n = l;
-- h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE);
- } else {
- if (l > n) {
-+ h = (u_int16_t *) xrealloc(h, l * HASH_ENTRYSIZE);
- n = l;
-- h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE);
- }
- }
-
-diff -urp openssh-3.6.1p2.orig/misc.c openssh-3.6.1p2/misc.c
---- openssh-3.6.1p2.orig/misc.c Mon Dec 23 02:44:36 2002
-+++ openssh-3.6.1p2/misc.c Wed Sep 17 00:50:27 2003
-@@ -308,18 +308,21 @@ addargs(arglist *args, char *fmt, ...)
- {
- va_list ap;
- char buf[1024];
-+ int nalloc;
-
- va_start(ap, fmt);
- vsnprintf(buf, sizeof(buf), fmt, ap);
- va_end(ap);
-
-+ nalloc = args->nalloc;
- if (args->list == NULL) {
-- args->nalloc = 32;
-+ nalloc = 32;
- args->num = 0;
-- } else if (args->num+2 >= args->nalloc)
-- args->nalloc *= 2;
-+ } else if (args->num+2 >= nalloc)
-+ nalloc *= 2;
-
-- args->list = xrealloc(args->list, args->nalloc * sizeof(char *));
-+ args->list = xrealloc(args->list, nalloc * sizeof(char *));
-+ args->nalloc = nalloc;
- args->list[args->num++] = xstrdup(buf);
- args->list[args->num] = NULL;
- }
-diff -urp openssh-3.6.1p2.orig/session.c openssh-3.6.1p2/session.c
---- openssh-3.6.1p2.orig/session.c Fri Mar 21 01:18:09 2003
-+++ openssh-3.6.1p2/session.c Wed Sep 17 00:34:35 2003
-@@ -844,8 +844,9 @@ static void
- child_set_env(char ***envp, u_int *envsizep, const char *name,
- const char *value)
- {
-- u_int i, namelen;
- char **env;
-+ u_int envsize;
-+ u_int i, namelen;
-
- /*
- * Find the slot where the value should be stored. If the variable
-@@ -804,9 +805,13 @@ child_set_env(char ***envp, u_int *envsi
- xfree(env[i]);
- } else {
- /* New variable. Expand if necessary. */
-- if (i >= (*envsizep) - 1) {
-- (*envsizep) += 50;
-- env = (*envp) = xrealloc(env, (*envsizep) * sizeof(char *));
-+ envsize = *envsizep;
-+ if (i >= envsize - 1) {
-+ if (envsize >= 1000)
-+ fatal("child_set_env: too many env vars");
-+ envsize += 50;
-+ env = (*envp) = xrealloc(env, envsize * sizeof(char *));
-+ *envsizep = envsize;
- }
- /* Need to set the NULL pointer at end of array beyond the new slot. */
- env[i + 1] = NULL;
-diff -urp openssh-3.6.1p2.orig/ssh-agent.c openssh-3.6.1p2/ssh-agent.c
---- openssh-3.6.1p2.orig/ssh-agent.c Sat Mar 15 00:37:09 2003
-+++ openssh-3.6.1p2/ssh-agent.c Wed Sep 17 00:42:15 2003
-@@ -620,6 +620,6 @@ process_message(SocketEntry *e)
- static void
- new_socket(sock_type type, int fd)
- {
-- u_int i, old_alloc;
-+ u_int i, old_alloc, new_alloc;
- if (fcntl(fd, F_SETFL, O_NONBLOCK) < 0)
- error("fcntl O_NONBLOCK: %s", strerror(errno));
-@@ -630,23 +630,24 @@ new_socket(sock_type type, int fd)
- for (i = 0; i < sockets_alloc; i++)
- if (sockets[i].type == AUTH_UNUSED) {
- sockets[i].fd = fd;
-- sockets[i].type = type;
- buffer_init(&sockets[i].input);
- buffer_init(&sockets[i].output);
-+ sockets[i].type = type;
- return;
- }
- old_alloc = sockets_alloc;
-- sockets_alloc += 10;
-+ new_alloc = sockets_alloc + 10;
- if (sockets)
-- sockets = xrealloc(sockets, sockets_alloc * sizeof(sockets[0]));
-+ sockets = xrealloc(sockets, new_alloc * sizeof(sockets[0]));
- else
-- sockets = xmalloc(sockets_alloc * sizeof(sockets[0]));
-- for (i = old_alloc; i < sockets_alloc; i++)
-+ sockets = xmalloc(new_alloc * sizeof(sockets[0]));
-+ for (i = old_alloc; i < new_alloc; i++)
- sockets[i].type = AUTH_UNUSED;
-- sockets[old_alloc].type = type;
-+ sockets_alloc = new_alloc;
- sockets[old_alloc].fd = fd;
- buffer_init(&sockets[old_alloc].input);
- buffer_init(&sockets[old_alloc].output);
-+ sockets[old_alloc].type = type;
- }
-
- static int
diff --git a/openssh-pam-age.patch b/openssh-pam-age.patch
deleted file mode 100644
index 78aeb63..0000000
--- a/openssh-pam-age.patch
+++ /dev/null
@@ -1,168 +0,0 @@
-diff -ur openssh-3.2.3p1/auth-pam.c openssh-3.2.3p1.new/auth-pam.c
---- openssh-3.2.3p1/auth-pam.c Wed May 8 04:27:56 2002
-+++ openssh-3.2.3p1.new/auth-pam.c Fri Jun 28 14:48:26 2002
-@@ -59,6 +59,7 @@
- static int password_change_required = 0;
- /* remember whether the last pam_authenticate() succeeded or not */
- static int was_authenticated = 0;
-+static int acct_mgmt_retval = -1;
-
- /* Remember what has been initialised */
- static int session_opened = 0;
-@@ -72,10 +73,40 @@
- }
-
- /* start an authentication run */
--int do_pam_authenticate(int flags)
-+int do_pam_authenticate(int flags, int can_age_pw_here)
- {
- int retval = pam_authenticate(__pamh, flags);
-+
-+ was_authenticated = (retval == PAM_SUCCESS);
-+ if (retval != PAM_SUCCESS)
-+ return retval;
-+
-+ acct_mgmt_retval = pam_acct_mgmt(__pamh, 0);
-+
-+ if (acct_mgmt_retval == PAM_SUCCESS)
-+ return PAM_SUCCESS;
-+
-+ was_authenticated = 0;
-+ if (acct_mgmt_retval != PAM_NEW_AUTHTOK_REQD)
-+ return acct_mgmt_retval;
-+
-+ /* (acct_mgmt_retval == PAM_NEW_AUTHTOK_REQD) */
-+ /* PAM auth token (password) is expired */
-+
-+ /*
-+ * USERAUTH_PASSWORD_CHANGEREQ is not currently
-+ * supported. Password aged users using password
-+ * userauth are thrown out here.
-+ */
-+ if (!can_age_pw_here)
-+ return PAM_NEW_AUTHTOK_REQD;
-+
-+ debug("do_pam_authenticate() - doing password aging");
-+ retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- was_authenticated = (retval == PAM_SUCCESS);
-+ if (retval == PAM_SUCCESS)
-+ acct_mgmt_retval = PAM_SUCCESS;
-+
- return retval;
- }
-
-@@ -220,7 +251,8 @@
-
- pamstate = INITIAL_LOGIN;
- pam_retval = do_pam_authenticate(
-- options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
-+ options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0,
-+ 0);
- if (pam_retval == PAM_SUCCESS) {
- debug("PAM Password authentication accepted for "
- "user \"%.100s\"", pw->pw_name);
-@@ -248,19 +280,22 @@
- PAM_STRERROR(__pamh, pam_retval));
- }
-
-- pam_retval = pam_acct_mgmt(__pamh, 0);
-+ /* do_pam_authenticate() may have called pam_acct_mgmt() already */
-+ pam_retval = acct_mgmt_retval;
- debug2("pam_acct_mgmt() = %d", pam_retval);
-+ if (pam_retval == -1)
-+ pam_retval = pam_acct_mgmt(__pamh, 0);
-+
- switch (pam_retval) {
- case PAM_SUCCESS:
- /* This is what we want */
- break;
--#if 0
- case PAM_NEW_AUTHTOK_REQD:
- message_cat(&__pam_msg, NEW_AUTHTOK_MSG);
- /* flag that password change is necessary */
- password_change_required = 1;
-+ return(0); /* Sorry, no TTY password aging */
- break;
--#endif
- default:
- log("PAM rejected by account configuration[%d]: "
- "%.200s", pam_retval, PAM_STRERROR(__pamh,
-@@ -324,27 +359,6 @@
- return password_change_required;
- }
-
--/*
-- * Have user change authentication token if pam_acct_mgmt() indicated
-- * it was expired. This needs to be called after an interactive
-- * session is established and the user's pty is connected to
-- * stdin/stout/stderr.
-- */
--void do_pam_chauthtok(void)
--{
-- int pam_retval;
--
-- do_pam_set_conv(&conv);
--
-- if (password_change_required) {
-- pamstate = OTHER;
-- pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
-- if (pam_retval != PAM_SUCCESS)
-- fatal("PAM pam_chauthtok failed[%d]: %.200s",
-- pam_retval, PAM_STRERROR(__pamh, pam_retval));
-- }
--}
--
- /* Cleanly shutdown PAM */
- void finish_pam(void)
- {
-diff -ur openssh-3.2.3p1/auth-pam.h openssh-3.2.3p1.new/auth-pam.h
---- openssh-3.2.3p1/auth-pam.h Thu Apr 4 21:02:28 2002
-+++ openssh-3.2.3p1.new/auth-pam.h Fri Jun 28 14:46:18 2002
-@@ -9,13 +9,12 @@
- void finish_pam(void);
- int auth_pam_password(Authctxt *authctxt, const char *password);
- char **fetch_pam_environment(void);
--int do_pam_authenticate(int flags);
-+int do_pam_authenticate(int flags, int can_age_pw_here);
- int do_pam_account(char *username, char *remote_user);
- void do_pam_session(char *username, const char *ttyname);
- void do_pam_setcred(int init);
- void print_pam_messages(void);
- int is_pam_password_change_required(void);
--void do_pam_chauthtok(void);
- void do_pam_set_conv(struct pam_conv *);
- void message_cat(char **p, const char *a);
-
-diff -ur openssh-3.2.3p1/auth2-pam.c openssh-3.2.3p1.new/auth2-pam.c
---- openssh-3.2.3p1/auth2-pam.c Fri Jun 28 14:48:46 2002
-+++ openssh-3.2.3p1.new/auth2-pam.c Fri Jun 28 14:46:18 2002
-@@ -42,7 +42,7 @@
-
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
- &input_userauth_info_response_pam);
-- retval = (do_pam_authenticate(0) == PAM_SUCCESS);
-+ retval = (do_pam_authenticate(0, 1) == PAM_SUCCESS);
- dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
-
- return retval;
-diff -ur openssh-3.2.3p1/session.c openssh-3.2.3p1.new/session.c
---- openssh-3.2.3p1/session.c Mon May 13 02:48:58 2002
-+++ openssh-3.2.3p1.new/session.c Fri Jun 28 14:46:18 2002
-@@ -645,17 +645,6 @@
- options.verify_reverse_mapping),
- (struct sockaddr *)&from);
-
--#ifdef USE_PAM
-- /*
-- * If password change is needed, do it now.
-- * This needs to occur before the ~/.hushlogin check.
-- */
-- if (is_pam_password_change_required()) {
-- print_pam_messages();
-- do_pam_chauthtok();
-- }
--#endif
--
- if (check_quietlogin(s, command))
- return;
-
diff --git a/openssh-set_12.patch b/openssh-set_12.patch
deleted file mode 100644
index 0a29ccf..0000000
--- a/openssh-set_12.patch
+++ /dev/null
@@ -1,50 +0,0 @@
---- openssh-2.9.9p2/scp.c.orig Thu Sep 20 02:57:56 2001
-+++ openssh-2.9.9p2/scp.c Fri Sep 28 05:29:09 2001
-@@ -242,9 +242,11 @@
- addargs(&args, "-oClearAllForwardings yes");
-
- fflag = tflag = 0;
-- while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:o:F:")) != -1)
-+ while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q1246S:o:F:")) != -1)
- switch (ch) {
- /* User-visible flags. */
-+ case '1':
-+ case '2':
- case '4':
- case '6':
- case 'C':
-@@ -961,7 +963,7 @@
- usage()
- {
- (void) fprintf(stderr,
-- "usage: scp [-pqrvBC46] [-F config] [-S ssh] [-P port] [-c cipher] [-i identity]\n"
-+ "usage: scp [-pqrvBC1246] [-F config] [-S ssh] [-P port] [-c cipher] [-i identity]\n"
- " [-o option] f1 f2\n"
- " or: scp [options] f1 ... fn directory\n");
- exit(1);
---- openssh-2.9.9p2/scp.1.orig Tue Sep 18 07:56:57 2001
-+++ openssh-2.9.9p2/scp.1 Fri Sep 28 05:30:54 2001
-@@ -19,7 +19,7 @@
- .Nd secure copy (remote file copy program)
- .Sh SYNOPSIS
- .Nm scp
--.Op Fl pqrvBC46
-+.Op Fl pqrvBC1246
- .Op Fl F Ar ssh_config
- .Op Fl S Ar program
- .Op Fl P Ar port
-@@ -125,6 +125,14 @@
- command-line flag. For example, forcing the use of protocol
- version 1 is specified using
- .Ic scp -oProtocol=1 .
-+.It Fl 1
-+Forces
-+.Nm
-+to use SSH1 only.
-+.It Fl 2
-+Forces
-+.Nm
-+to use SSH2 only.
- .It Fl 4
- Forces
- .Nm
diff --git a/openssh-sigpipe.patch b/openssh-sigpipe.patch
index b533146..139fb31 100644
--- a/openssh-sigpipe.patch
+++ b/openssh-sigpipe.patch
@@ -33,15 +33,15 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
-b bind_address
--- openssh-4.0p1/ssh.1.orig 2005-03-09 01:00:06.000000000 +0100
+++ openssh-4.0p1/ssh.1 2005-03-10 15:10:40.000000000 +0100
-@@ -43,7 +43,7 @@
- .Nd OpenSSH SSH client (remote login program)
+@@ -44,7 +44,7 @@
.Sh SYNOPSIS
.Nm ssh
+ .Bk -words
-.Op Fl 1246AaCfgkMNnqsTtVvXxY
+.Op Fl 1246AaBCfgkMNnqsTtVvXxY
.Op Fl b Ar bind_address
.Op Fl c Ar cipher_spec
- .Oo Fl D\ \&
+ .Op Fl D Ar port
@@ -425,6 +425,10 @@
on the local machine as the source address
of the connection.
@@ -71,15 +71,15 @@ diff -urN openssh-3.9p1.org/ssh.0 openssh-3.9p1/ssh.0
fprintf(stderr,
-"usage: ssh [-1246AaCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
+"usage: ssh [-1246AaBCfgkMNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
- " [-D [bind_address:]port] [-e escape_char] [-F configfile]\n"
+ " [-D port] [-e escape_char] [-F configfile]\n"
" [-i identity_file] [-L [bind_address:]port:host:hostport]\n"
" [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]\n"
-@@ -244,7 +247,7 @@
+@@ -240,7 +243,7 @@
again:
while ((opt = getopt(ac, av,
-- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
-+ "1246ab:c:e:fgi:kl:m:no:p:qstvxABCD:F:I:L:MNO:PR:S:TVw:XY")) != -1) {
+- "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:MNO:PR:S:TVXY")) != -1) {
++ "1246ab:c:e:fgi:kl:m:no:p:qstvxABCD:F:I:L:MNO:PR:S:TVXY")) != -1) {
switch (opt) {
case '1':
options.protocol = SSH_PROTO_1;