author | Daniel Ahlberg <aliz@gentoo.org> | 2004-08-18 21:55:16 +0000 |
---|---|---|
committer | Daniel Ahlberg <aliz@gentoo.org> | 2004-08-18 21:55:16 +0000 |
commit | 37de71e54d87f1e1aa844e7d3643dabc0fe64a27 (patch) | |
tree | fb0f73f4ecfb8cfb7b8cdb29aa6d97011c0bc480 /net-misc/openssh | |
parent | fix linker script fix thingie thing thing (Manifest recommit) (diff) | |
download | gentoo-2-37de71e54d87f1e1aa844e7d3643dabc0fe64a27.tar.gz gentoo-2-37de71e54d87f1e1aa844e7d3643dabc0fe64a27.tar.bz2 gentoo-2-37de71e54d87f1e1aa844e7d3643dabc0fe64a27.zip |
Closing #60417 and #60758
Diffstat (limited to 'net-misc/openssh')
-rw-r--r-- | net-misc/openssh/ChangeLog | 11 | ||||
-rw-r--r-- | net-misc/openssh/Manifest | 62 | ||||
-rw-r--r-- | net-misc/openssh/files/digest-openssh-3.8.1_p1-r2 | 1 | ||||
-rw-r--r-- | net-misc/openssh/files/digest-openssh-3.9_p1 | 1 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-3.8.1p1-sftplogging-1.2-gentoo.patch | 755 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-3.9_p1-chroot.patch | 74 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-3.9_p1-largekey.patch | 130 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-3.9_p1-opensc.patch | 131 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-3.9_p1-sftplogging-1.2-gentoo.patch | 755 | ||||
-rw-r--r-- | net-misc/openssh/files/openssh-3.9_p1-skey.patch | 11 | ||||
-rw-r--r-- | net-misc/openssh/openssh-3.8.1_p1-r2.ebuild | 8 | ||||
-rw-r--r-- | net-misc/openssh/openssh-3.9_p1.ebuild | 138 |
12 files changed, 2038 insertions, 39 deletions
diff --git a/net-misc/openssh/ChangeLog b/net-misc/openssh/ChangeLog index 3714a87bfe9c..0e76caca6c49 100644 --- a/net-misc/openssh/ChangeLog +++ b/net-misc/openssh/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for net-misc/openssh # Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.96 2004/08/16 10:40:40 aliz Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/ChangeLog,v 1.97 2004/08/18 21:55:16 aliz Exp $ + + 18 Aug 2004; Daniel Ahlberg <aliz@gentoo.org> openssh-3.8.1_p1-r2.ebuild: + Fixed sftplogging patch, closing #60417 again. + +*openssh-3.9_p1 (18 Aug 2004) + + 18 Aug 2004; Daniel Ahlberg <aliz@gentoo.org> openssh-3.8.1_p1-r2.ebuild, + openssh-3.9_p1.ebuild: + Version bump, closing #60758. 16 Aug 2004; Daniel Ahlberg <aliz@gentoo.org> files/openssh-3.8.1_p1-largekey.patch: diff --git a/net-misc/openssh/Manifest b/net-misc/openssh/Manifest index 8040780d1341..5560c13afb6a 100644 --- a/net-misc/openssh/Manifest +++ b/net-misc/openssh/Manifest 
@@ -1,42 +1,40 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - -MD5 f78b9f309f2b163d659ef02c192bd99a ChangeLog 14363 -MD5 0feff9b09e482567359625301bddce1c metadata.xml 1329 MD5 ec96fb49d91d5e77e391b92b93b76488 openssh-3.7.1_p2-r1.ebuild 4086 -MD5 2fc7548ab51d3e0db127dd23f4f2c5f8 openssh-3.7.1_p2-r2.ebuild 4605 +MD5 e03d5b76db7eed6a83a4c849a5249363 openssh-3.8.1_p1-r1.ebuild 4204 MD5 07179e41e3c7d022657732605478a8bd openssh-3.8.1_p1.ebuild 4030 +MD5 f69491b28daa2588bbbfe1df94ef55e7 openssh-3.9_p1.ebuild 4243 +MD5 2fc7548ab51d3e0db127dd23f4f2c5f8 openssh-3.7.1_p2-r2.ebuild 4605 +MD5 303f5f5974a5114bf40f38325967b074 openssh-3.8.1_p1-r2.ebuild 4215 +MD5 a9f5537aa581a28a9b6c1f0ac1e06896 ChangeLog 14654 +MD5 0feff9b09e482567359625301bddce1c metadata.xml 1329 MD5 685c84b3f8cc4608d391deb65fd75198 openssh-3.8_p1.ebuild 4198 -MD5 e03d5b76db7eed6a83a4c849a5249363 openssh-3.8.1_p1-r1.ebuild 4204 -MD5 6c6cba60e3f770193f24e3f9354f2e03 openssh-3.8.1_p1-r2.ebuild 4382 -MD5 2f8fc1bd837220c9708d9d8b0730fe2c files/digest-openssh-3.7.1_p2-r2 142 -MD5 2f8fc1bd837220c9708d9d8b0730fe2c files/digest-openssh-3.7.1_p2-r1 142 -MD5 2cb187d8f60994c5e1b5fef2bcb6e85d files/openssh-3.5_p1-gentoo-sshd-gcc3.patch 315 -MD5 9e179b1c0e3a139a5a9067c6e5bd6595 files/openssh-3.7.1_p1-selinux.diff 3389 -MD5 b31110303673214476c57e1bed28e1ce files/openssh-skeychallenge-args.diff 925 -MD5 b86ae0c43a704c4ee2abd2ce5c955f8f files/sshd.pam 294 -MD5 0a1428803057b7d25e624c6b297980d8 files/sshd.rc6 1281 -MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.7.1_p2-chroot.patch 2884 -MD5 e62c6cfae268e95fb406080c91713c1a files/digest-openssh-3.8_p1 138 -MD5 47853493e53ca7d4ac9942d6a76fb855 files/openssh-3.7.1_p2-kerberos.patch 1190 -MD5 9b53f18685eeb54c381c9bd11b9b80cc files/openssh-3.7.1_p2-skey.patch 326 -MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.8_p1-chroot.patch 2884 MD5 f3838696f97d8942b708798fa021c688 files/openssh-3.8_p1-kerberos.patch 745 -MD5 319cf9de283116bf886d3aab3d036249 
files/openssh-3.8_p1-resolv_functions.patch 422 MD5 5e42c267d017c8bcf5a68a8b16398736 files/openssh-3.8_p1-skey.patch 326 -MD5 7c16095191b5dc9d653dcb658650c88c files/digest-openssh-3.8.1_p1 141 +MD5 2cb187d8f60994c5e1b5fef2bcb6e85d files/openssh-3.5_p1-gentoo-sshd-gcc3.patch 315 +MD5 e62c6cfae268e95fb406080c91713c1a files/digest-openssh-3.8_p1 138 +MD5 aea1862566d745a6263e0b4f318de80e files/digest-openssh-3.9_p1 65 MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.8.1_p1-chroot.patch 2884 +MD5 5e42c267d017c8bcf5a68a8b16398736 files/openssh-3.9_p1-skey.patch 326 +MD5 9e179b1c0e3a139a5a9067c6e5bd6595 files/openssh-3.7.1_p1-selinux.diff 3389 MD5 f3838696f97d8942b708798fa021c688 files/openssh-3.8.1_p1-kerberos.patch 745 -MD5 319cf9de283116bf886d3aab3d036249 files/openssh-3.8.1_p1-resolv_functions.patch 422 -MD5 5e42c267d017c8bcf5a68a8b16398736 files/openssh-3.8.1_p1-skey.patch 326 +MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.8_p1-chroot.patch 2884 MD5 7c16095191b5dc9d653dcb658650c88c files/digest-openssh-3.8.1_p1-r1 141 -MD5 682d18c6b2348b1ab15b31b56d905b2d files/digest-openssh-3.8.1_p1-r2 223 +MD5 7c16095191b5dc9d653dcb658650c88c files/digest-openssh-3.8.1_p1-r2 141 +MD5 7c16095191b5dc9d653dcb658650c88c files/digest-openssh-3.8.1_p1 141 +MD5 9a7321e9cbe9b8851ee71a85322bab27 files/openssh-3.8.1p1-sftplogging-1.2-gentoo.patch 23240 MD5 33b0a1a9cf8349c411da7e97e3a5df64 files/openssh-3.8.1_p1-opensc.patch 3499 +MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.7.1_p2-chroot.patch 2884 +MD5 b31110303673214476c57e1bed28e1ce files/openssh-skeychallenge-args.diff 925 MD5 e95d63b8ba5af76772f92fec4544fa3d files/openssh-3.8.1_p1-largekey.patch 2986 ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.9.10 (GNU/Linux) - -iD8DBQFBIhdvHTu7gpaalycRAgqJAJ9fNVnsW0uauHQ488ugLjQeWTotdACdGMeJ -SwWV/NVZj3uWRE8FCeflS9U= -=yrr+ ------END PGP SIGNATURE----- +MD5 9b53f18685eeb54c381c9bd11b9b80cc files/openssh-3.7.1_p2-skey.patch 326 +MD5 47853493e53ca7d4ac9942d6a76fb855 
files/openssh-3.7.1_p2-kerberos.patch 1190
+MD5 8f72054fc8c55107b5bf7ce13a8ad083 files/openssh-3.9_p1-chroot.patch 2884
+MD5 b86ae0c43a704c4ee2abd2ce5c955f8f files/sshd.pam 294
+MD5 0a1428803057b7d25e624c6b297980d8 files/sshd.rc6 1281
+MD5 319cf9de283116bf886d3aab3d036249 files/openssh-3.8_p1-resolv_functions.patch 422
+MD5 5e42c267d017c8bcf5a68a8b16398736 files/openssh-3.8.1_p1-skey.patch 326
+MD5 e7a7b68069e34f966baa81fe2ce239a5 files/openssh-3.9_p1-largekey.patch 3105
+MD5 2f8fc1bd837220c9708d9d8b0730fe2c files/digest-openssh-3.7.1_p2-r1 142
+MD5 2f8fc1bd837220c9708d9d8b0730fe2c files/digest-openssh-3.7.1_p2-r2 142
+MD5 33b0a1a9cf8349c411da7e97e3a5df64 files/openssh-3.9_p1-opensc.patch 3499
+MD5 205d23485d062d360fa7f50cc7d28be6 files/openssh-3.9_p1-sftplogging-1.2-gentoo.patch 23272
+MD5 319cf9de283116bf886d3aab3d036249 files/openssh-3.8.1_p1-resolv_functions.patch 422
diff --git a/net-misc/openssh/files/digest-openssh-3.8.1_p1-r2 b/net-misc/openssh/files/digest-openssh-3.8.1_p1-r2
index 897b31698959..a63345a1d3fc 100644
--- a/net-misc/openssh/files/digest-openssh-3.8.1_p1-r2
+++ b/net-misc/openssh/files/digest-openssh-3.8.1_p1-r2
@@ -1,3 +1,2 @@
 MD5 1dbfd40ae683f822ae917eebf171ca42 openssh-3.8.1p1.tar.gz 817932
-MD5 07854840618861cc01850892fcdeb096 openssh-3.8.1p1.sftplogging-v1.2.patch 24963
 MD5 52e42ecdf2b0498220661d4bf1cfaeae openssh-3.8.1p1+x509h.diff.gz 143652
diff --git a/net-misc/openssh/files/digest-openssh-3.9_p1 b/net-misc/openssh/files/digest-openssh-3.9_p1
new file mode 100644
index 000000000000..73509d99cfb7
--- /dev/null
+++ b/net-misc/openssh/files/digest-openssh-3.9_p1
@@ -0,0 +1 @@
+MD5 8e1774d0b52aff08f817f3987442a16e openssh-3.9p1.tar.gz 854027
diff --git a/net-misc/openssh/files/openssh-3.8.1p1-sftplogging-1.2-gentoo.patch b/net-misc/openssh/files/openssh-3.8.1p1-sftplogging-1.2-gentoo.patch
new file mode 100644
index 000000000000..3e9dd1f4e798
--- /dev/null
+++ b/net-misc/openssh/files/openssh-3.8.1p1-sftplogging-1.2-gentoo.patch
@@ -0,0 +1,755 @@ +diff -ru openssh-3.8.1p1/servconf.c openssh-3.8.1p1_sftp/servconf.c +--- openssh-3.8.1p1/servconf.c 2004-01-23 11:03:10.000000000 +0000 ++++ openssh-3.8.1p1_sftp/servconf.c 2004-08-18 21:28:18.564861272 +0000 +@@ -102,6 +102,15 @@ + options->authorized_keys_file = NULL; + options->authorized_keys_file2 = NULL; + ++ options->log_sftp = LOG_SFTP_NOT_SET; ++ options->sftp_log_facility = SYSLOG_FACILITY_NOT_SET; ++ options->sftp_log_level = SYSLOG_LEVEL_NOT_SET; ++ ++ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH); ++ ++ options->sftp_permit_chmod = SFTP_PERMIT_NOT_SET; ++ options->sftp_permit_chown = SFTP_PERMIT_NOT_SET; ++ + /* Needs to be accessable in many places */ + use_privsep = -1; + } +@@ -109,7 +118,7 @@ + void + fill_default_server_options(ServerOptions *options) + { +- /* Portable-specific options */ ++/* Portable-specific options */ + if (options->use_pam == -1) + options->use_pam = 0; + +@@ -228,6 +237,24 @@ + if (options->authorized_keys_file == NULL) + options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + ++ /* Turn sftp-server logging off by default */ ++ if (options->log_sftp == LOG_SFTP_NOT_SET) ++ options->log_sftp = LOG_SFTP_NO; ++ if (options->sftp_log_facility == SYSLOG_FACILITY_NOT_SET) ++ options->sftp_log_facility = SYSLOG_FACILITY_AUTH; ++ if (options->sftp_log_level == SYSLOG_LEVEL_NOT_SET) ++ options->sftp_log_level = SYSLOG_LEVEL_INFO; ++ ++ /* Don't set sftp-server umask */ ++ if (!options->sftp_umask) ++ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH); ++ ++ /* allow sftp client to issue chmod, chown / chgrp commands */ ++ if (options->sftp_permit_chmod == SFTP_PERMIT_NOT_SET) ++ options->sftp_permit_chmod = SFTP_PERMIT_YES; ++ if (options->sftp_permit_chown == SFTP_PERMIT_NOT_SET) ++ options->sftp_permit_chown = SFTP_PERMIT_YES; ++ + /* Turn privilege separation on by default */ + if (use_privsep == -1) + use_privsep = 1; +@@ -249,6 +276,9 @@ + /* Portable-specific options */ + sUsePAM, + /* Standard 
Options */ ++ sLogSftp, sSftpLogFacility, sSftpLogLevel, ++ sSftpUmask, ++ sSftpPermitChown, sSftpPermitChmod, + sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, + sPermitRootLogin, sLogFacility, sLogLevel, + sRhostsRSAAuthentication, sRSAAuthentication, +@@ -334,6 +364,12 @@ + { "printmotd", sPrintMotd }, + { "printlastlog", sPrintLastLog }, + { "ignorerhosts", sIgnoreRhosts }, ++ { "logsftp", sLogSftp}, ++ { "sftplogfacility", sSftpLogFacility}, ++ { "sftploglevel", sSftpLogLevel}, ++ { "sftpumask", sSftpUmask}, ++ { "sftppermitchmod", sSftpPermitChmod}, ++ { "sftppermitchown", sSftpPermitChown}, + { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, + { "x11forwarding", sX11Forwarding }, + { "x11displayoffset", sX11DisplayOffset }, +@@ -431,6 +467,8 @@ + char *cp, **charptr, *arg, *p; + int *intptr, value, i, n; + ServerOpCodes opcode; ++ unsigned int umaskvalue = 0; ++ char *umaskptr; + + cp = line; + arg = strdelim(&cp); +@@ -871,6 +909,58 @@ + case sBanner: + charptr = &options->banner; + goto parse_filename; ++ ++ case sLogSftp: ++ intptr = &options->log_sftp; ++ goto parse_flag; ++ ++ case sSftpLogFacility: ++ intptr = (int *) &options->sftp_log_facility; ++ arg = strdelim(&cp); ++ value = log_facility_number(arg); ++ if (value == SYSLOG_FACILITY_NOT_SET) ++ fatal("%.200s line %d: unsupported log facility '%s'", ++ filename, linenum, arg ? arg : "<NONE>"); ++ if (*intptr == -1) ++ *intptr = (SyslogFacility) value; ++ break; ++ ++ case sSftpLogLevel: ++ intptr = (int *) &options->sftp_log_level; ++ arg = strdelim(&cp); ++ value = log_level_number(arg); ++ if (value == SYSLOG_LEVEL_NOT_SET) ++ fatal("%.200s line %d: unsupported log level '%s'", ++ filename, linenum, arg ? 
arg : "<NONE>"); ++ if (*intptr == -1) ++ *intptr = (LogLevel) value; ++ break; ++ ++ case sSftpUmask: ++ arg = strdelim(&cp); ++ umaskptr = arg; ++ while (*arg && *arg >= '0' && *arg <= '9') ++ umaskvalue = umaskvalue * 8 + *arg++ - '0'; ++ if (*arg || umaskvalue > 0777) ++ fatal("%s line %d: bad value for umask", ++ filename, linenum); ++ else { ++ while (*umaskptr && *umaskptr == '0') ++ *umaskptr++; ++ strncpy(options->sftp_umask, umaskptr, ++ SFTP_UMASK_LENGTH); ++ } ++ ++ break; ++ ++ case sSftpPermitChmod: ++ intptr = &options->sftp_permit_chmod; ++ goto parse_flag; ++ ++ case sSftpPermitChown: ++ intptr = &options->sftp_permit_chown; ++ goto parse_flag; ++ + /* + * These options can contain %X options expanded at + * connect time, so that you can specify paths like: +@@ -913,6 +1003,7 @@ + if ((arg = strdelim(&cp)) != NULL && *arg != '\0') + fatal("%s line %d: garbage at end of line; \"%.200s\".", + filename, linenum, arg); ++ + return 0; + } + +Only in openssh-3.8.1p1_sftp/: servconf.c.orig +diff -ru openssh-3.8.1p1/servconf.h openssh-3.8.1p1_sftp/servconf.h +--- openssh-3.8.1p1/servconf.h 2003-12-31 00:37:34.000000000 +0000 ++++ openssh-3.8.1p1_sftp/servconf.h 2004-08-18 21:30:53.354147322 +0000 +@@ -13,6 +13,19 @@ + * called by a name other than "ssh" or "Secure Shell". + */ + ++/* sftp-server logging */ ++#define LOG_SFTP_NOT_SET -1 ++#define LOG_SFTP_NO 0 ++#define LOG_SFTP_YES 1 ++ ++/* sftp-server umask control */ ++#define SFTP_UMASK_LENGTH 5 ++ ++/* sftp-server client priviledge */ ++#define SFTP_PERMIT_NOT_SET -1 ++#define SFTP_PERMIT_NO 0 ++#define SFTP_PERMIT_YES 1 ++ + #ifndef SERVCONF_H + #define SERVCONF_H + +@@ -94,6 +107,12 @@ + int use_login; /* If true, login(1) is used */ + int compression; /* If true, compression is allowed */ + int allow_tcp_forwarding; ++ int log_sftp; /* perform sftp-server logging */ ++ SyslogFacility sftp_log_facility; /* Facility for sftp subsystem logging. 
*/ ++ LogLevel sftp_log_level; /* Level for sftp subsystem logging. */ ++ char sftp_umask[SFTP_UMASK_LENGTH]; /* Sftp Umask */ ++ int sftp_permit_chmod; ++ int sftp_permit_chown; + u_int num_allow_users; + char *allow_users[MAX_ALLOW_USERS]; + u_int num_deny_users; +Only in openssh-3.8.1p1_sftp/: servconf.h.orig +diff -ru openssh-3.8.1p1/session.c openssh-3.8.1p1_sftp/session.c +--- openssh-3.8.1p1/session.c 2004-04-16 12:47:55.000000000 +0000 ++++ openssh-3.8.1p1_sftp/session.c 2004-08-18 21:06:14.440083846 +0000 +@@ -112,6 +112,15 @@ + + static int is_child = 0; + ++/* so SFTP_LOG_FACILITY and SFTP_LOG_LEVEL can be passed through the ++ environment to the sftp-server subsystem. */ ++static const char *sysfac_to_int[] = { "0", "1", "2", "3", "4", "5", "6", ++ "7", "8", "9", "10", "11", "-1" }; ++static const char *syslevel_to_int[] = { "0", "1", "2", "3", "4", "5", "6", ++ "7", "-1" }; ++ ++static char *sftpumask; ++ + /* Name and directory of socket for authentication agent forwarding. 
*/ + static char *auth_sock_name = NULL; + static char *auth_sock_dir = NULL; +@@ -979,6 +988,7 @@ + env = xmalloc(envsize * sizeof(char *)); + env[0] = NULL; + ++ + #ifdef HAVE_CYGWIN + /* + * The Windows environment contains some setting which are +@@ -1119,6 +1129,67 @@ + child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, + auth_sock_name); + ++ /* LOG_SFTP */ ++ if (options.log_sftp == -1 ) ++ child_set_env(&env, &envsize, "LOG_SFTP", "-1"); ++ else if (options.log_sftp == 0) ++ child_set_env(&env, &envsize, "LOG_SFTP", "0"); ++ else ++ child_set_env(&env, &envsize, "LOG_SFTP", "1"); ++ ++ /* SFTP_LOG_FACILITY */ ++ if (options.sftp_log_facility < 0) ++ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY", ++ "-1"); ++ else ++ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY", ++ sysfac_to_int[options.sftp_log_facility]); ++ ++ /* SFTP_LOG_LEVEL */ ++ if (options.sftp_log_level < 0) ++ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL", ++ "-1"); ++ else ++ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL", ++ syslevel_to_int[options.sftp_log_level]); ++ ++ /* SFTP_UMASK */ ++ ++ if (options.sftp_umask[0] == '\0') ++ child_set_env(&env, &envsize, "SFTP_UMASK", ++ "" ); ++ else { ++ if (!(sftpumask = calloc(SFTP_UMASK_LENGTH,1))) { ++ ++logit("session.c: unabled to allocate memory for SftpUmask. 
SftpUmask control \ ++will be turned off."); ++ ++ child_set_env(&env, &envsize, "SFTP_UMASK", ++ "" ); ++ } else { ++ strncpy(sftpumask, options.sftp_umask, ++ SFTP_UMASK_LENGTH); ++ child_set_env(&env, &envsize, "SFTP_UMASK", ++ sftpumask ); ++ } ++ } ++ ++ /* SFTP_PERMIT_CHMOD */ ++ if (options.sftp_permit_chmod == -1 ) ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "-1"); ++ else if (options.sftp_permit_chmod == 0) ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "0"); ++ else ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "1"); ++ ++ /* SFTP_PERMIT_CHOWN */ ++ if (options.sftp_permit_chown == -1 ) ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "-1"); ++ else if (options.sftp_permit_chown == 0) ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "0"); ++ else ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "1"); ++ + /* read $HOME/.ssh/environment. */ + if (options.permit_user_env && !options.use_login) { + snprintf(buf, sizeof buf, "%.200s/.ssh/environment", +Only in openssh-3.8.1p1_sftp/: session.c.orig +diff -ru openssh-3.8.1p1/sftp-server.8 openssh-3.8.1p1_sftp/sftp-server.8 +--- openssh-3.8.1p1/sftp-server.8 2003-10-15 05:50:43.000000000 +0000 ++++ openssh-3.8.1p1_sftp/sftp-server.8 2004-08-18 21:06:14.441083601 +0000 +@@ -42,12 +42,27 @@ + option. + See + .Xr sshd_config 5 ++for more information. Sftp-server transactions may be logged ++using the ++.Cm LogSftp , ++.Cm SftpLogFacility , ++and ++.Cm SftpLogLevel ++options. The administrator may exert control over the file and directory ++permission and ownership, with ++.Cm SftpUmask , ++.Cm SftpPermitChmod , ++and ++.Cm SftpPermitChown ++. See ++.Xr sshd_config 5 + for more information. + .Sh SEE ALSO + .Xr sftp 1 , + .Xr ssh 1 , + .Xr sshd_config 5 , +-.Xr sshd 8 ++.Xr sshd 8, ++.Xr sshd_config 5 + .Rs + .%A T. Ylonen + .%A S. 
Lehtinen +diff -ru openssh-3.8.1p1/sftp-server.c openssh-3.8.1p1_sftp/sftp-server.c +--- openssh-3.8.1p1/sftp-server.c 2004-02-23 22:19:15.000000000 +0000 ++++ openssh-3.8.1p1_sftp/sftp-server.c 2004-08-18 21:06:14.443083113 +0000 +@@ -31,6 +31,13 @@ + #define get_string(lenp) buffer_get_string(&iqueue, lenp); + #define TRACE debug + ++/* SFTP_UMASK */ ++static mode_t setumask = 0; ++ ++static int permit_chmod = 1; ++static int permit_chown = 1; ++static int permit_logging = 0; ++ + #ifdef HAVE___PROGNAME + extern char *__progname; + #else +@@ -385,6 +392,14 @@ + a = get_attrib(); + flags = flags_from_portable(pflags); + mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666; ++ ++ if (setumask != 0) { ++ if ( permit_logging == 1 ) ++ logit("setting file creation mode to 0666 and umask to %o", setumask); ++ mode = 0666; ++ umask(setumask); ++ } ++ + TRACE("open id %u name %s flags %d mode 0%o", id, name, pflags, mode); + fd = open(name, flags, mode); + if (fd < 0) { +@@ -398,6 +413,8 @@ + status = SSH2_FX_OK; + } + } ++ if ( permit_logging == 1 ) ++ logit("open %s", name); + if (status != SSH2_FX_OK) + send_status(id, status); + xfree(name); +@@ -434,6 +451,7 @@ + (u_int64_t)off, len); + if (len > sizeof buf) { + len = sizeof buf; ++ if ( permit_logging == 1 ) + logit("read change len %d", len); + } + fd = handle_to_fd(handle); +@@ -453,6 +471,8 @@ + } + } + } ++ if ( permit_logging == 1 ) ++ logit("reading file"); + if (status != SSH2_FX_OK) + send_status(id, status); + } +@@ -487,10 +507,13 @@ + } else if (ret == len) { + status = SSH2_FX_OK; + } else { ++ if ( permit_logging == 1 ) + logit("nothing at all written"); + } + } + } ++ if ( permit_logging == 1 ) ++ logit("writing file"); + send_status(id, status); + xfree(data); + } +@@ -583,24 +606,46 @@ + a = get_attrib(); + TRACE("setstat id %u name %s", id, name); + if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { ++if ( permit_logging == 1 ) ++logit("process_setstat: truncate"); + ret = truncate(name, 
a->size); + if (ret == -1) + status = errno_to_portable(errno); + } + if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { +- ret = chmod(name, a->perm & 0777); +- if (ret == -1) +- status = errno_to_portable(errno); ++ if (permit_chmod == 1) { ++ ret = chmod(name, a->perm & 0777); ++ if (ret == -1) ++ status = errno_to_portable(errno); ++ else ++ if ( permit_logging == 1 ) ++ logit("chmod'ed %s", name); ++ } else { ++ status = SSH2_FX_PERMISSION_DENIED; ++ if ( permit_logging == 1 ) ++ logit("chmod %s: operation prohibited by sftp-server configuration.", name); ++ } + } + if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { ++if ( permit_logging == 1 ) ++logit("process_setstat: utimes"); + ret = utimes(name, attrib_to_tv(a)); + if (ret == -1) + status = errno_to_portable(errno); + } + if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { +- ret = chown(name, a->uid, a->gid); +- if (ret == -1) +- status = errno_to_portable(errno); ++ if (permit_chown == 1) { ++ ret = chown(name, a->uid, a->gid); ++ if (ret == -1) ++ status = errno_to_portable(errno); ++ else ++ if ( permit_logging == 1 ) ++ logit("chown'ed %s.", name); ++ } else { ++ status = SSH2_FX_PERMISSION_DENIED; ++ if ( permit_logging == 1 ) ++ logit("chown %s: operation prohibited by sftp-server configuration.", name); ++ } + } + send_status(id, status); + xfree(name); +@@ -615,6 +660,9 @@ + int status = SSH2_FX_OK; + char *name; + ++if ( permit_logging == 1 ) ++logit("process_fsetstat"); ++ + id = get_int(); + handle = get_handle(); + a = get_attrib(); +@@ -625,20 +673,33 @@ + status = SSH2_FX_FAILURE; + } else { + if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { ++if ( permit_logging == 1 ) ++logit("process_fsetstat: ftruncate"); + ret = ftruncate(fd, a->size); + if (ret == -1) + status = errno_to_portable(errno); + } + if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { ++ if (permit_chmod == 1) { + #ifdef HAVE_FCHMOD +- ret = fchmod(fd, a->perm & 0777); ++ ret = fchmod(fd, a->perm & 0777); + #else +- ret = chmod(name, a->perm & 
0777); ++ ret = chmod(name, a->perm & 0777); + #endif +- if (ret == -1) +- status = errno_to_portable(errno); ++ if (ret == -1) ++ status = errno_to_portable(errno); ++ else ++ if ( permit_logging == 1 ) ++ logit("chmod: succeeded."); ++ } else { ++ status = SSH2_FX_PERMISSION_DENIED; ++ if ( permit_logging == 1 ) ++ logit("chmod: operation prohibited by sftp-server configuration."); ++ } + } + if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { ++if ( permit_logging == 1 ) ++logit("process_fsetstat: utimes"); + #ifdef HAVE_FUTIMES + ret = futimes(fd, attrib_to_tv(a)); + #else +@@ -648,13 +709,22 @@ + status = errno_to_portable(errno); + } + if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { ++ if (permit_chown == 1) { + #ifdef HAVE_FCHOWN +- ret = fchown(fd, a->uid, a->gid); ++ ret = fchown(fd, a->uid, a->gid); + #else +- ret = chown(name, a->uid, a->gid); ++ ret = chown(name, a->uid, a->gid); + #endif +- if (ret == -1) +- status = errno_to_portable(errno); ++ if (ret == -1) ++ status = errno_to_portable(errno); ++ else ++ if ( permit_logging == 1 ) ++ logit("chown: succeeded"); ++ } else { ++ status = SSH2_FX_PERMISSION_DENIED; ++ if ( permit_logging == 1 ) ++ logit("chown: operation prohibited by sftp-server configuration."); ++ } + } + } + send_status(id, status); +@@ -684,6 +754,8 @@ + } + + } ++ if ( permit_logging == 1 ) ++ logit("opendir %s", path); + if (status != SSH2_FX_OK) + send_status(id, status); + xfree(path); +@@ -757,6 +829,8 @@ + TRACE("remove id %u name %s", id, name); + ret = unlink(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; ++ if ( permit_logging == 1 ) ++ logit("remove file %s", name); + send_status(id, status); + xfree(name); + } +@@ -774,9 +848,19 @@ + a = get_attrib(); + mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? 
+ a->perm & 0777 : 0777; ++ ++ if (setumask != 0) { ++ if ( permit_logging == 1 ) ++ logit("setting directory creation mode to 0777 and umask to %o.", setumask); ++ mode = 0777; ++ umask(setumask); ++ } ++ + TRACE("mkdir id %u name %s mode 0%o", id, name, mode); + ret = mkdir(name, mode); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; ++ if ( permit_logging == 1 ) ++ logit("mkdir %s", name); + send_status(id, status); + xfree(name); + } +@@ -793,6 +877,8 @@ + TRACE("rmdir id %u name %s", id, name); + ret = rmdir(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; ++ if ( permit_logging == 1 ) ++ logit("rmdir %s", name); + send_status(id, status); + xfree(name); + } +@@ -819,6 +905,8 @@ + s.name = s.long_name = resolvedname; + send_names(id, 1, &s); + } ++ if ( permit_logging == 1 ) ++ logit("realpath %s", path); + xfree(path); + } + +@@ -854,6 +942,8 @@ + status = SSH2_FX_OK; + } + send_status(id, status); ++ if ( permit_logging == 1 ) ++ logit("rename old %s new %s", oldpath, newpath); + xfree(oldpath); + xfree(newpath); + } +@@ -879,6 +969,8 @@ + s.name = s.long_name = link; + send_names(id, 1, &s); + } ++ if ( permit_logging == 1 ) ++ logit("readlink %s", path); + xfree(path); + } + +@@ -897,6 +989,8 @@ + ret = symlink(oldpath, newpath); + status = (ret == -1) ? 
errno_to_portable(errno) : SSH2_FX_OK; + send_status(id, status); ++ if ( permit_logging == 1 ) ++ logit("symlink old %s new %s", oldpath, newpath); + xfree(oldpath); + xfree(newpath); + } +@@ -1018,6 +1112,8 @@ + { + fd_set *rset, *wset; + int in, out, max; ++ unsigned int val = 0; ++ char *umask_env; + ssize_t len, olen, set_size; + + /* XXX should use getopt */ +@@ -1025,10 +1121,53 @@ + __progname = ssh_get_progname(av[0]); + handle_init(); + ++ /* Transaction logging */ ++ ++ if (atoi(getenv("LOG_SFTP")) == 1) ++ { ++ permit_logging = 1; ++ log_init("sftp-server", atoi(getenv("SFTP_LOG_LEVEL")), ++ atoi(getenv("SFTP_LOG_FACILITY")), 0); ++ }; ++ ++ + #ifdef DEBUG_SFTP_SERVER + log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); + #endif + ++ if ( permit_logging == 1 ) ++ logit("Starting sftp-server logging for user %s.", getenv("USER")); ++ ++ /* Umask control */ ++ ++ umask_env = getenv("SFTP_UMASK"); ++ while (*umask_env && *umask_env >= '0' && *umask_env <= '9') ++ val = val * 8 + *umask_env++ - '0'; ++ ++ if (*umask_env || val > 0777 || val == 0) { ++ if ( permit_logging == 1 ) ++ logit("bad value %o for SFTP_UMASK, turning umask control off.", val); ++ setumask = 0; ++ } else { ++ if ( permit_logging == 1 ) ++ logit("umask control is on."); ++ setumask = val; ++ }; ++ ++ ++ /* Sensitive client commands */ ++ ++ if (atoi(getenv("SFTP_PERMIT_CHMOD")) != 1) { ++ permit_chmod = 0; ++ if ( permit_logging == 1 ) ++ logit("client is not permitted to chmod."); ++ }; ++ if (atoi(getenv("SFTP_PERMIT_CHOWN")) != 1) { ++ permit_chown = 0; ++ if ( permit_logging == 1 ) ++ logit("client is not permitted to chown."); ++ }; ++ + in = dup(STDIN_FILENO); + out = dup(STDOUT_FILENO); + +@@ -1071,6 +1210,8 @@ + len = read(in, buf, sizeof buf); + if (len == 0) { + debug("read eof"); ++ if ( permit_logging == 1 ) ++ logit("sftp-server finished."); + exit(0); + } else if (len < 0) { + error("read error"); +Only in openssh-3.8.1p1_sftp/: sftp-server.c.orig 
+diff -ru openssh-3.8.1p1/sshd_config openssh-3.8.1p1_sftp/sshd_config +--- openssh-3.8.1p1/sshd_config 2003-12-31 00:38:32.000000000 +0000 ++++ openssh-3.8.1p1_sftp/sshd_config 2004-08-18 21:06:14.443083113 +0000 +@@ -95,3 +95,14 @@ + + # override default of no subsystems + Subsystem sftp /usr/libexec/sftp-server ++ ++# sftp-server logging ++#LogSftp no ++#SftpLogFacility AUTH ++#SftpLogLevel INFO ++ ++# sftp-server umask control ++#SftpUmask ++ ++#SftpPermitChmod yes ++#SftpPermitChown yes +diff -ru openssh-3.8.1p1/sshd_config.5 openssh-3.8.1p1_sftp/sshd_config.5 +--- openssh-3.8.1p1/sshd_config.5 2004-04-14 03:04:36.000000000 +0000 ++++ openssh-3.8.1p1_sftp/sshd_config.5 2004-08-18 21:06:14.444082869 +0000 +@@ -379,6 +379,10 @@ + DEBUG and DEBUG1 are equivalent. + DEBUG2 and DEBUG3 each specify higher levels of debugging output. + Logging with a DEBUG level violates the privacy of users and is not recommended. ++.It Cm LogSftp ++Specifies whether to perform logging of ++.Nm sftp-server ++subsystem transactions. Must be "yes" or "no." The default value is "no." + .It Cm MACs + Specifies the available MAC (message authentication code) algorithms. + The MAC algorithm is used in protocol version 2 +@@ -533,6 +537,37 @@ + .It Cm ServerKeyBits + Defines the number of bits in the ephemeral protocol version 1 server key. + The minimum value is 512, and the default is 768. ++.It Cm SftpLogFacility ++Gives the facility code that is used when logging ++.Nm sftp-server . ++transactions. The possible values are: DAEMON, USER, AUTH, LOCAL0, ++LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++The default is AUTH. ++.It Cm SftpLogLevel ++Gives the verbosity level that is used when logging messages from ++.Nm sftp-server . ++The possible values are: ++QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. ++The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 ++and DEBUG3 each specify higher levels of debugging output. 
++Logging with a DEBUG level violates the privacy of users ++and is not recommended. ++.It Cm SftpPermitChmod ++Specifies whether the sftp-server allows the sftp client to execute chmod ++commands on the server. The default is yes. ++.It Cm SftpPermitChown ++Specifies whether the sftp-server allows the sftp client to execute chown ++or chgrp commands on the server. Turning this value on means that the client ++is allowed to execute both chown and chgrp commands. Turning it off means that ++the client is prohibited from executing either chown or chgrp. ++ The default is yes. ++.It Cm SftpUmask ++Specifies an optional umask for ++.Nm sftp-server ++subsystem transactions. If a umask is given, this umask will override all system, ++environment or sftp client permission modes. If ++no umask or an invalid umask is given, file creation mode defaults to the permission ++mode specified by the sftp client. The default is for no umask. + .It Cm StrictModes + Specifies whether + .Nm sshd +Only in openssh-3.8.1p1_sftp/: sshd_config.5.orig +Only in openssh-3.8.1p1_sftp/: sshd_config.orig +diff -ru openssh-3.8.1p1/version.h openssh-3.8.1p1_sftp/version.h +--- openssh-3.8.1p1/version.h 2004-03-21 22:39:10.000000000 +0000 ++++ openssh-3.8.1p1_sftp/version.h 2004-08-18 21:06:14.436084823 +0000 +@@ -1,3 +1,3 @@ + /* $OpenBSD: version.h,v 1.41 2004/03/20 10:40:59 markus Exp $ */ + +-#define SSH_VERSION "OpenSSH_3.8.1p1" ++#define SSH_VERSION "OpenSSH_3.8.1p1+sftplogging-v1.2" +Only in openssh-3.8.1p1_sftp/: version.h.orig diff --git a/net-misc/openssh/files/openssh-3.9_p1-chroot.patch b/net-misc/openssh/files/openssh-3.9_p1-chroot.patch new file mode 100644 index 000000000000..13625995a88e --- /dev/null +++ b/net-misc/openssh/files/openssh-3.9_p1-chroot.patch 
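Review bot: In the sftp-server.c part of this new patch, main() passes getenv() results straight to atoi() for LOG_SFTP, SFTP_LOG_LEVEL, SFTP_LOG_FACILITY, SFTP_PERMIT_CHMOD and SFTP_PERMIT_CHOWN, and dereferences getenv("SFTP_UMASK") through `while (*umask_env ...)` with no NULL check, so an sftp-server started by an sshd that does not export these variables (or started by hand) crashes before it reads its first packet. A small helper that falls back to the file's existing static defaults (permit_chmod/permit_chown 1, logging off) covers all six sites; the rewritten lines are below. Separately, in the session.c part the policy values are exported with child_set_env immediately before the existing `/* read $HOME/.ssh/environment. */` block, so with PermitUserEnvironment enabled a user's own ~/.ssh/environment can presumably replace SFTP_PERMIT_CHMOD, SFTP_PERMIT_CHOWN and SFTP_UMASK; the sshd_config.5 text for SftpPermitChmod, SftpPermitChown and SftpUmask should say these are controls for well-behaved clients rather than an enforcement boundary, unless the decision is moved out of the child's environment. Two smaller points in the servconf.c part: `if (!options->sftp_umask)` tests the address of an array and is always false, and `*umaskptr++;` in the sSftpUmask case dereferences for no effect where `umaskptr++;` is meant. The `sysfac_to_int` (13 entries) and `syslevel_to_int` (9 entries) lookups in session.c only reject negative indexes, so an enum value beyond the table would read out of bounds, though the SyslogFacility/LogLevel ranges are not on this page.
```c
/* File-scope helper: read an integer policy variable exported by sshd,
 * falling back to the built-in default when it is absent or empty. */
static int
env_int(const char *name, int dflt)
{
	const char *v = getenv(name);
	return (v != NULL && *v != '\0') ? atoi(v) : dflt;
}

/* … unchanged: main() prologue up to handle_init() … */
	if (env_int("LOG_SFTP", 0) == 1) {
		permit_logging = 1;
		log_init("sftp-server", env_int("SFTP_LOG_LEVEL", SYSLOG_LEVEL_INFO),
		    env_int("SFTP_LOG_FACILITY", SYSLOG_FACILITY_AUTH), 0);
	}
	/* … unchanged: DEBUG_SFTP_SERVER block and start-up logit … */
	umask_env = getenv("SFTP_UMASK");
	if (umask_env == NULL)
		umask_env = "";	/* treated as "no umask" by the check below */
	while (*umask_env && *umask_env >= '0' && *umask_env <= '9')
		val = val * 8 + *umask_env++ - '0';
	/* … unchanged: umask validation and logging … */
	if (env_int("SFTP_PERMIT_CHMOD", 1) != 1) {
		/* … unchanged … */
	if (env_int("SFTP_PERMIT_CHOWN", 1) != 1) {
		/* … unchanged … */
```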
@@ -0,0 +1,74 @@ +################################################################################ +################################################################################ +# # +# Original patch by Ricardo Cerqueira <rmcc@clix.pt> # +# # +# Updated by James Dennis <james@firstaidmusic.com> for openssh-3.7.1p2 # +# # +# A patch to cause sshd to chroot when it encounters the magic token # +# '/./' in a users home directory. The directory portion before the # +# token is the directory to chroot() to, the portion after the # +# token is the user's home directory relative to the new root. # +# # +# Patch source using: patch -p0 < /path/to/patch # +# # +# Systems with a bad diff (doesn't understand -u or -N) should use gnu diff. # +# Solaris may store this as gdiff under /opt/sfw/bin. I can't say much about # +# other systems (unless you email me your experiences!). # +# # +################################################################################ +################################################################################ + +diff -uNr openssh-3.7.1p2/session.c openssh-3.7.1p2-chroot/session.c +--- openssh-3.7.1p2/session.c Tue Sep 23 04:59:08 2003 ++++ openssh-3.7.1p2-chroot/session.c Fri Sep 26 13:42:52 2003 +@@ -58,6 +58,8 @@ + #include "session.h" + #include "monitor_wrap.h" + ++#define CHROOT ++ + #ifdef GSSAPI + #include "ssh-gss.h" + #endif +@@ -1231,6 +1233,12 @@ + void + do_setusercontext(struct passwd *pw) + { ++ ++#ifdef CHROOT ++ char *user_dir; ++ char *new_root; ++#endif /* CHROOT */ ++ + #ifndef HAVE_CYGWIN + if (getuid() == 0 || geteuid() == 0) + #endif /* HAVE_CYGWIN */ +@@ -1268,6 +1276,27 @@ + exit(1); + } + endgrent(); ++ ++#ifdef CHROOT ++ user_dir = xstrdup(pw->pw_dir); ++ new_root = user_dir + 1; ++ ++ while((new_root = strchr(new_root, '.')) != NULL) { ++ new_root--; ++ if(strncmp(new_root, "/./", 3) == 0) { ++ *new_root = '\0'; ++ new_root += 2; ++ ++ if(chroot(user_dir) != 0) ++ fatal("Couldn't chroot to user directory % s", 
user_dir); ++ pw->pw_dir = new_root; ++ break; ++ } ++ new_root += 2; ++ } ++#endif /* CHROOT */ ++ ++ + # ifdef USE_PAM + /* + * PAM credentials may take the form of supplementary groups. diff --git a/net-misc/openssh/files/openssh-3.9_p1-largekey.patch b/net-misc/openssh/files/openssh-3.9_p1-largekey.patch new file mode 100644 index 000000000000..2804782a458a --- /dev/null +++ b/net-misc/openssh/files/openssh-3.9_p1-largekey.patch 
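Review bot: The `fatal()` call in the new chroot block uses the format string `"Couldn't chroot to user directory % s"`, with a space between `%` and `s`; the space flag is only defined for signed numeric conversions, so combined with `s` this is undefined behaviour and at best mangles the path in the log — it should read `fatal("Couldn't chroot to user directory %s", user_dir);`. Immediately after a successful `chroot(user_dir)` the working directory is still the pre-chroot cwd; add `if (chdir("/") != 0) fatal("Couldn't chdir to new root");` (or chdir into `new_root`) right after the chroot, because a chroot whose cwd stays outside the new root does not confine the process. `do_setusercontext` continues past the hunk, so whether the later chdir to `pw->pw_dir` always runs and is checked cannot be confirmed from here. The `#define CHROOT` added to session.c is unconditional, so every sshd built with this patch honours the `/./` token; a comment saying that is intentional would help the next reader.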
@@ -0,0 +1,130 @@ +diff -uNr openssh-3.8.1p1/auth2-pubkey.c openssh-3.8.1p1-hugekeys/auth2-pubkey.c +--- openssh-3.8.1p1/auth2-pubkey.c 2004-01-21 01:02:50.000000000 +0100 ++++ openssh-3.8.1p1-hugekeys/auth2-pubkey.c 2004-06-24 13:53:28.493574960 +0200 +@@ -32,6 +32,7 @@ + #include "bufaux.h" + #include "auth.h" + #include "key.h" ++#include "authfile.h" + #include "pathnames.h" + #include "uidswap.h" + #include "auth-options.h" +@@ -167,7 +168,8 @@ + static int + user_key_allowed2(struct passwd *pw, Key *key, char *file) + { +- char line[8192]; ++ size_t size; ++ char *line; + int found_key = 0; + FILE *f; + u_long linenum = 0; +@@ -204,7 +204,10 @@ + found_key = 0; + found = key_new(key->type); + +- while (fgets(line, sizeof(line), f)) { ++ size = 4096; ++ line = xmalloc(size); ++ ++ while (read_whole_line(&line, &size, f)) { + char *cp, *key_options = NULL; + linenum++; + /* Skip leading whitespace, empty and comment lines. */ +@@ -245,6 +250,9 @@ + break; + } + } ++ ++ xfree(line); ++ + restore_uid(); + fclose(f); + key_free(found); +diff -uNr openssh-3.8.1p1/authfile.c openssh-3.8.1p1-hugekeys/authfile.c +--- openssh-3.8.1p1/authfile.c 2003-09-22 13:01:27.000000000 +0200 ++++ openssh-3.8.1p1-hugekeys/authfile.c 2004-06-24 13:49:28.425070920 +0200 +@@ -588,17 +588,50 @@ + return prv; + } + ++char * ++read_whole_line(char **line, size_t *size, FILE *f) ++{ ++ char *ln = *line; ++ size_t i, sz = *size; ++ ++ if (!ln) { ++ fatal("read_whole_line: NULL pointer given as line argument"); ++ } ++ ++ for (i = 0; ln[sz - 2] = '\0', fgets(ln + i, sz - i, f); i = sz - 1, sz <<= 1) { ++ if (ln[sz - 2]) { ++ ln = xrealloc(ln, sz << 1); ++ continue; ++ } ++ ++ *line = ln; ++ *size = sz; ++ ++ return ln; ++ } ++ ++ return NULL; ++} ++ + static int + key_try_load_public(Key *k, const char *filename, char **commentp) + { + FILE *f; +- char line[4096]; ++ size_t size; ++ char *line; + char *cp; + + f = fopen(filename, "r"); + if (f != NULL) { +- while (fgets(line, sizeof(line), 
f)) { +- line[sizeof(line)-1] = '\0'; ++ size = 4096; ++ line = xmalloc(size); ++ ++ while (read_whole_line(&line, &size, f)) { ++ /* FIXME: is this useful? fgets already stores a '\0' ++ * after the last character in the buffer... ++ */ ++ line[size-1] = '\0'; ++ + cp = line; + switch (*cp) { + case '#': +@@ -613,11 +646,15 @@ + if (key_read(k, &cp) == 1) { + if (commentp) + *commentp=xstrdup(filename); ++ ++ xfree(line); + fclose(f); + return 1; + } + } + } ++ ++ xfree(line); + fclose(f); + } + return 0; +diff -uNr openssh-3.8.1p1/authfile.h openssh-3.8.1p1-hugekeys/authfile.h +--- openssh-3.8.1p1/authfile.h 2002-06-06 21:57:34.000000000 +0200 ++++ openssh-3.8.1p1-hugekeys/authfile.h 2004-06-24 13:42:59.556187976 +0200 +@@ -15,6 +15,8 @@ + #ifndef AUTHFILE_H + #define AUTHFILE_H + ++char *read_whole_line(char **, size_t *, FILE *); ++ + int key_save_private(Key *, const char *, const char *, const char *); + Key *key_load_public(const char *, char **); + Key *key_load_public_type(int, const char *, char **); +--- /tmp/auth2-pubkey.c 2004-08-18 19:57:44.991708913 +0000 ++++ auth2-pubkey.c 2004-08-18 19:58:19.241405296 +0000 diff --git a/net-misc/openssh/files/openssh-3.9_p1-opensc.patch b/net-misc/openssh/files/openssh-3.9_p1-opensc.patch new file mode 100644 index 000000000000..92f8d8d6232b --- /dev/null +++ b/net-misc/openssh/files/openssh-3.9_p1-opensc.patch 
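Review bot: `read_whole_line` in the authfile.c hunk mis-detects a full buffer: after `fgets(ln + i, sz - i, f)` it tests only `ln[sz - 2]`, which is also non-zero when a line of exactly `sz - i - 1` characters ends with its newline in that slot, so a complete line is treated as truncated and the following line is appended to it; the test should be `if (ln[sz - 2] && ln[sz - 2] != '\n')`. When `fgets` returns NULL after at least one `xrealloc`, the function returns NULL without writing `ln` back, so the caller's `*line` still points at the freed buffer and the `xfree(line)` added in `user_key_allowed2` and `key_try_load_public` frees a stale pointer; store `*line = ln; *size = sz;` before the final `return NULL`. The patch also ends with a bare `--- /tmp/auth2-pubkey.c` / `+++ auth2-pubkey.c` header with no hunk, which presumably should be removed before `patch` sees it.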
@@ -0,0 +1,131 @@ +Index: scard-opensc.c +=================================================================== +RCS file: /cvs/openssh/scard-opensc.c,v +retrieving revision 1.12 +diff -u -r1.12 scard-opensc.c +--- scard-opensc.c 25 Aug 2003 00:58:26 -0000 1.12 ++++ scard-opensc.c 27 Aug 2003 11:42:02 -0000 +@@ -38,6 +38,8 @@ + #include "readpass.h" + #include "scard.h" + ++int ask_for_pin=0; ++ + #if OPENSSL_VERSION_NUMBER < 0x00907000L && defined(CRYPTO_LOCK_ENGINE) + #define USE_ENGINE + #define RSA_get_default_method RSA_get_default_openssl_method +@@ -119,6 +121,7 @@ + struct sc_pkcs15_prkey_info *key; + struct sc_pkcs15_object *pin_obj; + struct sc_pkcs15_pin_info *pin; ++ char *passphrase = NULL; + + priv = (struct sc_priv_data *) RSA_get_app_data(rsa); + if (priv == NULL) +@@ -156,24 +159,47 @@ + goto err; + } + pin = pin_obj->data; ++ ++ if (sc_pin) ++ passphrase = sc_pin; ++ else if (ask_for_pin) { ++ /* we need a pin but don't have one => ask for the pin */ ++ char prompt[64]; ++ ++ snprintf(prompt, sizeof(prompt), "Enter PIN for %s: ", ++ key_obj->label ? 
key_obj->label : "smartcard key"); ++ passphrase = read_passphrase(prompt, 0); ++ if (!passphrase || !strcmp(passphrase, "")) ++ goto err; ++ } else ++ /* no pin => error */ ++ goto err; ++ + r = sc_lock(card); + if (r) { + error("Unable to lock smartcard: %s", sc_strerror(r)); + goto err; + } +- if (sc_pin != NULL) { +- r = sc_pkcs15_verify_pin(p15card, pin, sc_pin, +- strlen(sc_pin)); +- if (r) { +- sc_unlock(card); +- error("PIN code verification failed: %s", +- sc_strerror(r)); +- goto err; +- } ++ r = sc_pkcs15_verify_pin(p15card, pin, passphrase, ++ strlen(passphrase)); ++ if (r) { ++ sc_unlock(card); ++ error("PIN code verification failed: %s", ++ sc_strerror(r)); ++ goto err; + } ++ + *key_obj_out = key_obj; ++ if (!sc_pin) { ++ memset(passphrase, 0, strlen(passphrase)); ++ xfree(passphrase); ++ } + return 0; + err: ++ if (!sc_pin && passphrase) { ++ memset(passphrase, 0, strlen(passphrase)); ++ xfree(passphrase); ++ } + sc_close(); + return -1; + } +Index: scard.c +=================================================================== +RCS file: /cvs/openssh/scard.c,v +retrieving revision 1.27 +diff -u -r1.27 scard.c +--- scard.c 18 Jun 2003 10:28:40 -0000 1.27 ++++ scard.c 27 Aug 2003 11:42:02 -0000 +@@ -35,6 +35,9 @@ + #include "readpass.h" + #include "scard.h" + ++/* currently unused */ ++int ask_for_pin = 0; ++ + #if OPENSSL_VERSION_NUMBER < 0x00907000L + #define USE_ENGINE + #define RSA_get_default_method RSA_get_default_openssl_method +Index: scard.h +=================================================================== +RCS file: /cvs/openssh/scard.h,v +retrieving revision 1.10 +diff -u -r1.10 scard.h +--- scard.h 18 Jun 2003 10:28:40 -0000 1.10 ++++ scard.h 27 Aug 2003 11:42:02 -0000 +@@ -33,6 +33,8 @@ + #define SCARD_ERROR_NOCARD -2 + #define SCARD_ERROR_APPLET -3 + ++extern int ask_for_pin; ++ + Key **sc_get_keys(const char *, const char *); + void sc_close(void); + int sc_put_key(Key *, const char *); +Index: ssh.c 
+=================================================================== +RCS file: /cvs/openssh/ssh.c,v +retrieving revision 1.180 +diff -u -r1.180 ssh.c +--- ssh.c 21 Aug 2003 23:34:41 -0000 1.180 ++++ ssh.c 27 Aug 2003 11:42:02 -0000 +@@ -1155,6 +1155,9 @@ + #ifdef SMARTCARD + Key **keys; + ++ if (!options.batch_mode) ++ ask_for_pin = 1; ++ + if (options.smartcard_device != NULL && + options.num_identity_files < SSH_MAX_IDENTITY_FILES && + (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL ) { diff --git a/net-misc/openssh/files/openssh-3.9_p1-sftplogging-1.2-gentoo.patch b/net-misc/openssh/files/openssh-3.9_p1-sftplogging-1.2-gentoo.patch new file mode 100644 index 000000000000..b573f3531800 --- /dev/null +++ b/net-misc/openssh/files/openssh-3.9_p1-sftplogging-1.2-gentoo.patch 
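Review bot: The PIN is wiped and freed in two separate places in the scard-opensc.c hunk — before `return 0` and again under `err:` — with the same `memset(passphrase, 0, strlen(passphrase)); xfree(passphrase);` pair; a single exit label that both the success path and `err:` fall through to would keep the cleanup in one place and make it harder for a future `goto err` to miss it. A plain `memset` immediately before `xfree` is also the pattern an optimizing compiler may drop as a dead store, so the wipe should go through a clearing routine that cannot be elided (`explicit_bzero` where the platform has it, or a volatile-pointer loop), in both copies as long as two remain. `int ask_for_pin = 0;` is defined in both scard.c and scard-opensc.c; presumably only one of the two is ever linked into a given build, but a comment next to the `extern` in scard.h saying so would save the next reader the check.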
@@ -0,0 +1,755 @@ +diff -ru openssh-3.8.1p1/servconf.c openssh-3.8.1p1_sftp/servconf.c +--- openssh-3.8.1p1/servconf.c 2004-01-23 11:03:10.000000000 +0000 ++++ openssh-3.8.1p1_sftp/servconf.c 2004-08-18 21:28:18.564861272 +0000 +@@ -102,6 +102,15 @@ + options->authorized_keys_file = NULL; + options->authorized_keys_file2 = NULL; + ++ options->log_sftp = LOG_SFTP_NOT_SET; ++ options->sftp_log_facility = SYSLOG_FACILITY_NOT_SET; ++ options->sftp_log_level = SYSLOG_LEVEL_NOT_SET; ++ ++ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH); ++ ++ options->sftp_permit_chmod = SFTP_PERMIT_NOT_SET; ++ options->sftp_permit_chown = SFTP_PERMIT_NOT_SET; ++ + /* Needs to be accessable in many places */ + use_privsep = -1; + } +@@ -109,7 +118,7 @@ + void + fill_default_server_options(ServerOptions *options) + { +- /* Portable-specific options */ ++/* Portable-specific options */ + if (options->use_pam == -1) + options->use_pam = 0; + +@@ -228,6 +237,24 @@ + if (options->authorized_keys_file == NULL) + options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + ++ /* Turn sftp-server logging off by default */ ++ if (options->log_sftp == LOG_SFTP_NOT_SET) ++ options->log_sftp = LOG_SFTP_NO; ++ if (options->sftp_log_facility == SYSLOG_FACILITY_NOT_SET) ++ options->sftp_log_facility = SYSLOG_FACILITY_AUTH; ++ if (options->sftp_log_level == SYSLOG_LEVEL_NOT_SET) ++ options->sftp_log_level = SYSLOG_LEVEL_INFO; ++ ++ /* Don't set sftp-server umask */ ++ if (!options->sftp_umask) ++ memset(options->sftp_umask, 0, SFTP_UMASK_LENGTH); ++ ++ /* allow sftp client to issue chmod, chown / chgrp commands */ ++ if (options->sftp_permit_chmod == SFTP_PERMIT_NOT_SET) ++ options->sftp_permit_chmod = SFTP_PERMIT_YES; ++ if (options->sftp_permit_chown == SFTP_PERMIT_NOT_SET) ++ options->sftp_permit_chown = SFTP_PERMIT_YES; ++ + /* Turn privilege separation on by default */ + if (use_privsep == -1) + use_privsep = 1; +@@ -249,6 +276,9 @@ + /* Portable-specific options */ + sUsePAM, + /* Standard 
Options */ ++ sLogSftp, sSftpLogFacility, sSftpLogLevel, ++ sSftpUmask, ++ sSftpPermitChown, sSftpPermitChmod, + sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, + sPermitRootLogin, sLogFacility, sLogLevel, + sRhostsRSAAuthentication, sRSAAuthentication, +@@ -334,6 +364,12 @@ + { "printmotd", sPrintMotd }, + { "printlastlog", sPrintLastLog }, + { "ignorerhosts", sIgnoreRhosts }, ++ { "logsftp", sLogSftp}, ++ { "sftplogfacility", sSftpLogFacility}, ++ { "sftploglevel", sSftpLogLevel}, ++ { "sftpumask", sSftpUmask}, ++ { "sftppermitchmod", sSftpPermitChmod}, ++ { "sftppermitchown", sSftpPermitChown}, + { "ignoreuserknownhosts", sIgnoreUserKnownHosts }, + { "x11forwarding", sX11Forwarding }, + { "x11displayoffset", sX11DisplayOffset }, +@@ -431,6 +467,8 @@ + char *cp, **charptr, *arg, *p; + int *intptr, value, i, n; + ServerOpCodes opcode; ++ unsigned int umaskvalue = 0; ++ char *umaskptr; + + cp = line; + arg = strdelim(&cp); +@@ -871,6 +909,58 @@ + case sBanner: + charptr = &options->banner; + goto parse_filename; ++ ++ case sLogSftp: ++ intptr = &options->log_sftp; ++ goto parse_flag; ++ ++ case sSftpLogFacility: ++ intptr = (int *) &options->sftp_log_facility; ++ arg = strdelim(&cp); ++ value = log_facility_number(arg); ++ if (value == SYSLOG_FACILITY_NOT_SET) ++ fatal("%.200s line %d: unsupported log facility '%s'", ++ filename, linenum, arg ? arg : "<NONE>"); ++ if (*intptr == -1) ++ *intptr = (SyslogFacility) value; ++ break; ++ ++ case sSftpLogLevel: ++ intptr = (int *) &options->sftp_log_level; ++ arg = strdelim(&cp); ++ value = log_level_number(arg); ++ if (value == SYSLOG_LEVEL_NOT_SET) ++ fatal("%.200s line %d: unsupported log level '%s'", ++ filename, linenum, arg ? 
arg : "<NONE>"); ++ if (*intptr == -1) ++ *intptr = (LogLevel) value; ++ break; ++ ++ case sSftpUmask: ++ arg = strdelim(&cp); ++ umaskptr = arg; ++ while (*arg && *arg >= '0' && *arg <= '9') ++ umaskvalue = umaskvalue * 8 + *arg++ - '0'; ++ if (*arg || umaskvalue > 0777) ++ fatal("%s line %d: bad value for umask", ++ filename, linenum); ++ else { ++ while (*umaskptr && *umaskptr == '0') ++ *umaskptr++; ++ strncpy(options->sftp_umask, umaskptr, ++ SFTP_UMASK_LENGTH); ++ } ++ ++ break; ++ ++ case sSftpPermitChmod: ++ intptr = &options->sftp_permit_chmod; ++ goto parse_flag; ++ ++ case sSftpPermitChown: ++ intptr = &options->sftp_permit_chown; ++ goto parse_flag; ++ + /* + * These options can contain %X options expanded at + * connect time, so that you can specify paths like: +@@ -913,6 +1003,7 @@ + if ((arg = strdelim(&cp)) != NULL && *arg != '\0') + fatal("%s line %d: garbage at end of line; \"%.200s\".", + filename, linenum, arg); ++ + return 0; + } + +Only in openssh-3.8.1p1_sftp/: servconf.c.orig +diff -ru openssh-3.8.1p1/servconf.h openssh-3.8.1p1_sftp/servconf.h +--- openssh-3.8.1p1/servconf.h 2003-12-31 00:37:34.000000000 +0000 ++++ openssh-3.8.1p1_sftp/servconf.h 2004-08-18 21:30:53.354147322 +0000 +@@ -13,6 +13,19 @@ + * called by a name other than "ssh" or "Secure Shell". + */ + ++/* sftp-server logging */ ++#define LOG_SFTP_NOT_SET -1 ++#define LOG_SFTP_NO 0 ++#define LOG_SFTP_YES 1 ++ ++/* sftp-server umask control */ ++#define SFTP_UMASK_LENGTH 5 ++ ++/* sftp-server client priviledge */ ++#define SFTP_PERMIT_NOT_SET -1 ++#define SFTP_PERMIT_NO 0 ++#define SFTP_PERMIT_YES 1 ++ + #ifndef SERVCONF_H + #define SERVCONF_H + +@@ -94,6 +107,12 @@ + int use_login; /* If true, login(1) is used */ + int compression; /* If true, compression is allowed */ + int allow_tcp_forwarding; ++ int log_sftp; /* perform sftp-server logging */ ++ SyslogFacility sftp_log_facility; /* Facility for sftp subsystem logging. 
*/ ++ LogLevel sftp_log_level; /* Level for sftp subsystem logging. */ ++ char sftp_umask[SFTP_UMASK_LENGTH]; /* Sftp Umask */ ++ int sftp_permit_chmod; ++ int sftp_permit_chown; + u_int num_allow_users; + char *allow_users[MAX_ALLOW_USERS]; + u_int num_deny_users; +Only in openssh-3.8.1p1_sftp/: servconf.h.orig +diff -ru openssh-3.8.1p1/session.c openssh-3.8.1p1_sftp/session.c +--- openssh-3.8.1p1/session.c 2004-04-16 12:47:55.000000000 +0000 ++++ openssh-3.8.1p1_sftp/session.c 2004-08-18 21:06:14.440083846 +0000 +@@ -112,6 +112,15 @@ + + static int is_child = 0; + ++/* so SFTP_LOG_FACILITY and SFTP_LOG_LEVEL can be passed through the ++ environment to the sftp-server subsystem. */ ++static const char *sysfac_to_int[] = { "0", "1", "2", "3", "4", "5", "6", ++ "7", "8", "9", "10", "11", "-1" }; ++static const char *syslevel_to_int[] = { "0", "1", "2", "3", "4", "5", "6", ++ "7", "-1" }; ++ ++static char *sftpumask; ++ + /* Name and directory of socket for authentication agent forwarding. 
*/ + static char *auth_sock_name = NULL; + static char *auth_sock_dir = NULL; +@@ -979,6 +988,7 @@ + env = xmalloc(envsize * sizeof(char *)); + env[0] = NULL; + ++ + #ifdef HAVE_CYGWIN + /* + * The Windows environment contains some setting which are +@@ -1119,6 +1129,67 @@ + child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, + auth_sock_name); + ++ /* LOG_SFTP */ ++ if (options.log_sftp == -1 ) ++ child_set_env(&env, &envsize, "LOG_SFTP", "-1"); ++ else if (options.log_sftp == 0) ++ child_set_env(&env, &envsize, "LOG_SFTP", "0"); ++ else ++ child_set_env(&env, &envsize, "LOG_SFTP", "1"); ++ ++ /* SFTP_LOG_FACILITY */ ++ if (options.sftp_log_facility < 0) ++ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY", ++ "-1"); ++ else ++ child_set_env(&env, &envsize, "SFTP_LOG_FACILITY", ++ sysfac_to_int[options.sftp_log_facility]); ++ ++ /* SFTP_LOG_LEVEL */ ++ if (options.sftp_log_level < 0) ++ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL", ++ "-1"); ++ else ++ child_set_env(&env, &envsize, "SFTP_LOG_LEVEL", ++ syslevel_to_int[options.sftp_log_level]); ++ ++ /* SFTP_UMASK */ ++ ++ if (options.sftp_umask[0] == '\0') ++ child_set_env(&env, &envsize, "SFTP_UMASK", ++ "" ); ++ else { ++ if (!(sftpumask = calloc(SFTP_UMASK_LENGTH,1))) { ++ ++logit("session.c: unabled to allocate memory for SftpUmask. 
SftpUmask control \ ++will be turned off."); ++ ++ child_set_env(&env, &envsize, "SFTP_UMASK", ++ "" ); ++ } else { ++ strncpy(sftpumask, options.sftp_umask, ++ SFTP_UMASK_LENGTH); ++ child_set_env(&env, &envsize, "SFTP_UMASK", ++ sftpumask ); ++ } ++ } ++ ++ /* SFTP_PERMIT_CHMOD */ ++ if (options.sftp_permit_chmod == -1 ) ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "-1"); ++ else if (options.sftp_permit_chmod == 0) ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "0"); ++ else ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHMOD", "1"); ++ ++ /* SFTP_PERMIT_CHOWN */ ++ if (options.sftp_permit_chown == -1 ) ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "-1"); ++ else if (options.sftp_permit_chown == 0) ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "0"); ++ else ++ child_set_env(&env, &envsize, "SFTP_PERMIT_CHOWN", "1"); ++ + /* read $HOME/.ssh/environment. */ + if (options.permit_user_env && !options.use_login) { + snprintf(buf, sizeof buf, "%.200s/.ssh/environment", +Only in openssh-3.8.1p1_sftp/: session.c.orig +diff -ru openssh-3.8.1p1/sftp-server.8 openssh-3.8.1p1_sftp/sftp-server.8 +--- openssh-3.8.1p1/sftp-server.8 2003-10-15 05:50:43.000000000 +0000 ++++ openssh-3.8.1p1_sftp/sftp-server.8 2004-08-18 21:06:14.441083601 +0000 +@@ -42,12 +42,27 @@ + option. + See + .Xr sshd_config 5 ++for more information. Sftp-server transactions may be logged ++using the ++.Cm LogSftp , ++.Cm SftpLogFacility , ++and ++.Cm SftpLogLevel ++options. The administrator may exert control over the file and directory ++permission and ownership, with ++.Cm SftpUmask , ++.Cm SftpPermitChmod , ++and ++.Cm SftpPermitChown ++. See ++.Xr sshd_config 5 + for more information. + .Sh SEE ALSO + .Xr sftp 1 , + .Xr ssh 1 , + .Xr sshd_config 5 , +-.Xr sshd 8 ++.Xr sshd 8, ++.Xr sshd_config 5 + .Rs + .%A T. Ylonen + .%A S. 
Lehtinen +diff -ru openssh-3.8.1p1/sftp-server.c openssh-3.8.1p1_sftp/sftp-server.c +--- openssh-3.8.1p1/sftp-server.c 2004-02-23 22:19:15.000000000 +0000 ++++ openssh-3.8.1p1_sftp/sftp-server.c 2004-08-18 21:06:14.443083113 +0000 +@@ -31,6 +31,13 @@ + #define get_string(lenp) buffer_get_string(&iqueue, lenp); + #define TRACE debug + ++/* SFTP_UMASK */ ++static mode_t setumask = 0; ++ ++static int permit_chmod = 1; ++static int permit_chown = 1; ++static int permit_logging = 0; ++ + extern char *__progname; + + /* input and output queue */ +@@ -385,6 +392,14 @@ + a = get_attrib(); + flags = flags_from_portable(pflags); + mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666; ++ ++ if (setumask != 0) { ++ if ( permit_logging == 1 ) ++ logit("setting file creation mode to 0666 and umask to %o", setumask); ++ mode = 0666; ++ umask(setumask); ++ } ++ + TRACE("open id %u name %s flags %d mode 0%o", id, name, pflags, mode); + fd = open(name, flags, mode); + if (fd < 0) { +@@ -398,6 +413,8 @@ + status = SSH2_FX_OK; + } + } ++ if ( permit_logging == 1 ) ++ logit("open %s", name); + if (status != SSH2_FX_OK) + send_status(id, status); + xfree(name); +@@ -434,6 +451,7 @@ + (u_int64_t)off, len); + if (len > sizeof buf) { + len = sizeof buf; ++ if ( permit_logging == 1 ) + logit("read change len %d", len); + } + fd = handle_to_fd(handle); +@@ -453,6 +471,8 @@ + } + } + } ++ if ( permit_logging == 1 ) ++ logit("reading file"); + if (status != SSH2_FX_OK) + send_status(id, status); + } +@@ -487,10 +507,13 @@ + } else if (ret == len) { + status = SSH2_FX_OK; + } else { ++ if ( permit_logging == 1 ) + logit("nothing at all written"); + } + } + } ++ if ( permit_logging == 1 ) ++ logit("writing file"); + send_status(id, status); + xfree(data); + } +@@ -583,24 +606,46 @@ + a = get_attrib(); + TRACE("setstat id %u name %s", id, name); + if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { ++if ( permit_logging == 1 ) ++logit("process_setstat: truncate"); + ret = truncate(name, 
a->size); + if (ret == -1) + status = errno_to_portable(errno); + } + if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { +- ret = chmod(name, a->perm & 0777); +- if (ret == -1) +- status = errno_to_portable(errno); ++ if (permit_chmod == 1) { ++ ret = chmod(name, a->perm & 0777); ++ if (ret == -1) ++ status = errno_to_portable(errno); ++ else ++ if ( permit_logging == 1 ) ++ logit("chmod'ed %s", name); ++ } else { ++ status = SSH2_FX_PERMISSION_DENIED; ++ if ( permit_logging == 1 ) ++ logit("chmod %s: operation prohibited by sftp-server configuration.", name); ++ } + } + if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { ++if ( permit_logging == 1 ) ++logit("process_setstat: utimes"); + ret = utimes(name, attrib_to_tv(a)); + if (ret == -1) + status = errno_to_portable(errno); + } + if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { +- ret = chown(name, a->uid, a->gid); +- if (ret == -1) +- status = errno_to_portable(errno); ++ if (permit_chown == 1) { ++ ret = chown(name, a->uid, a->gid); ++ if (ret == -1) ++ status = errno_to_portable(errno); ++ else ++ if ( permit_logging == 1 ) ++ logit("chown'ed %s.", name); ++ } else { ++ status = SSH2_FX_PERMISSION_DENIED; ++ if ( permit_logging == 1 ) ++ logit("chown %s: operation prohibited by sftp-server configuration.", name); ++ } + } + send_status(id, status); + xfree(name); +@@ -615,6 +660,9 @@ + int status = SSH2_FX_OK; + char *name; + ++if ( permit_logging == 1 ) ++logit("process_fsetstat"); ++ + id = get_int(); + handle = get_handle(); + a = get_attrib(); +@@ -625,20 +673,33 @@ + status = SSH2_FX_FAILURE; + } else { + if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { ++if ( permit_logging == 1 ) ++logit("process_fsetstat: ftruncate"); + ret = ftruncate(fd, a->size); + if (ret == -1) + status = errno_to_portable(errno); + } + if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { ++ if (permit_chmod == 1) { + #ifdef HAVE_FCHMOD +- ret = fchmod(fd, a->perm & 0777); ++ ret = fchmod(fd, a->perm & 0777); + #else +- ret = chmod(name, a->perm & 
0777); ++ ret = chmod(name, a->perm & 0777); + #endif +- if (ret == -1) +- status = errno_to_portable(errno); ++ if (ret == -1) ++ status = errno_to_portable(errno); ++ else ++ if ( permit_logging == 1 ) ++ logit("chmod: succeeded."); ++ } else { ++ status = SSH2_FX_PERMISSION_DENIED; ++ if ( permit_logging == 1 ) ++ logit("chmod: operation prohibited by sftp-server configuration."); ++ } + } + if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { ++if ( permit_logging == 1 ) ++logit("process_fsetstat: utimes"); + #ifdef HAVE_FUTIMES + ret = futimes(fd, attrib_to_tv(a)); + #else +@@ -648,13 +709,22 @@ + status = errno_to_portable(errno); + } + if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { ++ if (permit_chown == 1) { + #ifdef HAVE_FCHOWN +- ret = fchown(fd, a->uid, a->gid); ++ ret = fchown(fd, a->uid, a->gid); + #else +- ret = chown(name, a->uid, a->gid); ++ ret = chown(name, a->uid, a->gid); + #endif +- if (ret == -1) +- status = errno_to_portable(errno); ++ if (ret == -1) ++ status = errno_to_portable(errno); ++ else ++ if ( permit_logging == 1 ) ++ logit("chown: succeeded"); ++ } else { ++ status = SSH2_FX_PERMISSION_DENIED; ++ if ( permit_logging == 1 ) ++ logit("chown: operation prohibited by sftp-server configuration."); ++ } + } + } + send_status(id, status); +@@ -684,6 +754,8 @@ + } + + } ++ if ( permit_logging == 1 ) ++ logit("opendir %s", path); + if (status != SSH2_FX_OK) + send_status(id, status); + xfree(path); +@@ -757,6 +829,8 @@ + TRACE("remove id %u name %s", id, name); + ret = unlink(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; ++ if ( permit_logging == 1 ) ++ logit("remove file %s", name); + send_status(id, status); + xfree(name); + } +@@ -774,9 +848,19 @@ + a = get_attrib(); + mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? 
+ a->perm & 0777 : 0777; ++ ++ if (setumask != 0) { ++ if ( permit_logging == 1 ) ++ logit("setting directory creation mode to 0777 and umask to %o.", setumask); ++ mode = 0777; ++ umask(setumask); ++ } ++ + TRACE("mkdir id %u name %s mode 0%o", id, name, mode); + ret = mkdir(name, mode); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; ++ if ( permit_logging == 1 ) ++ logit("mkdir %s", name); + send_status(id, status); + xfree(name); + } +@@ -793,6 +877,8 @@ + TRACE("rmdir id %u name %s", id, name); + ret = rmdir(name); + status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; ++ if ( permit_logging == 1 ) ++ logit("rmdir %s", name); + send_status(id, status); + xfree(name); + } +@@ -819,6 +905,8 @@ + s.name = s.long_name = resolvedname; + send_names(id, 1, &s); + } ++ if ( permit_logging == 1 ) ++ logit("realpath %s", path); + xfree(path); + } + +@@ -854,6 +942,8 @@ + status = SSH2_FX_OK; + } + send_status(id, status); ++ if ( permit_logging == 1 ) ++ logit("rename old %s new %s", oldpath, newpath); + xfree(oldpath); + xfree(newpath); + } +@@ -879,6 +969,8 @@ + s.name = s.long_name = link; + send_names(id, 1, &s); + } ++ if ( permit_logging == 1 ) ++ logit("readlink %s", path); + xfree(path); + } + +@@ -897,6 +989,8 @@ + ret = symlink(oldpath, newpath); + status = (ret == -1) ? 
errno_to_portable(errno) : SSH2_FX_OK; + send_status(id, status); ++ if ( permit_logging == 1 ) ++ logit("symlink old %s new %s", oldpath, newpath); + xfree(oldpath); + xfree(newpath); + } +@@ -1018,6 +1112,8 @@ + { + fd_set *rset, *wset; + int in, out, max; ++ unsigned int val = 0; ++ char *umask_env; + ssize_t len, olen, set_size; + + /* XXX should use getopt */ +@@ -1025,10 +1121,53 @@ + __progname = ssh_get_progname(av[0]); + handle_init(); + ++ /* Transaction logging */ ++ ++ if (atoi(getenv("LOG_SFTP")) == 1) ++ { ++ permit_logging = 1; ++ log_init("sftp-server", atoi(getenv("SFTP_LOG_LEVEL")), ++ atoi(getenv("SFTP_LOG_FACILITY")), 0); ++ }; ++ ++ + #ifdef DEBUG_SFTP_SERVER + log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); + #endif + ++ if ( permit_logging == 1 ) ++ logit("Starting sftp-server logging for user %s.", getenv("USER")); ++ ++ /* Umask control */ ++ ++ umask_env = getenv("SFTP_UMASK"); ++ while (*umask_env && *umask_env >= '0' && *umask_env <= '9') ++ val = val * 8 + *umask_env++ - '0'; ++ ++ if (*umask_env || val > 0777 || val == 0) { ++ if ( permit_logging == 1 ) ++ logit("bad value %o for SFTP_UMASK, turning umask control off.", val); ++ setumask = 0; ++ } else { ++ if ( permit_logging == 1 ) ++ logit("umask control is on."); ++ setumask = val; ++ }; ++ ++ ++ /* Sensitive client commands */ ++ ++ if (atoi(getenv("SFTP_PERMIT_CHMOD")) != 1) { ++ permit_chmod = 0; ++ if ( permit_logging == 1 ) ++ logit("client is not permitted to chmod."); ++ }; ++ if (atoi(getenv("SFTP_PERMIT_CHOWN")) != 1) { ++ permit_chown = 0; ++ if ( permit_logging == 1 ) ++ logit("client is not permitted to chown."); ++ }; ++ + in = dup(STDIN_FILENO); + out = dup(STDOUT_FILENO); + +@@ -1071,6 +1210,8 @@ + len = read(in, buf, sizeof buf); + if (len == 0) { + debug("read eof"); ++ if ( permit_logging == 1 ) ++ logit("sftp-server finished."); + exit(0); + } else if (len < 0) { + error("read error"); +Only in openssh-3.8.1p1_sftp/: sftp-server.c.orig 
+diff -ru openssh-3.8.1p1/sshd_config openssh-3.8.1p1_sftp/sshd_config +--- openssh-3.8.1p1/sshd_config 2003-12-31 00:38:32.000000000 +0000 ++++ openssh-3.8.1p1_sftp/sshd_config 2004-08-18 21:06:14.443083113 +0000 +@@ -95,3 +95,14 @@ + + # override default of no subsystems + Subsystem sftp /usr/libexec/sftp-server ++ ++# sftp-server logging ++#LogSftp no ++#SftpLogFacility AUTH ++#SftpLogLevel INFO ++ ++# sftp-server umask control ++#SftpUmask ++ ++#SftpPermitChmod yes ++#SftpPermitChown yes +diff -ru openssh-3.8.1p1/sshd_config.5 openssh-3.8.1p1_sftp/sshd_config.5 +--- openssh-3.8.1p1/sshd_config.5 2004-04-14 03:04:36.000000000 +0000 ++++ openssh-3.8.1p1_sftp/sshd_config.5 2004-08-18 21:06:14.444082869 +0000 +@@ -379,6 +379,10 @@ + DEBUG and DEBUG1 are equivalent. + DEBUG2 and DEBUG3 each specify higher levels of debugging output. + Logging with a DEBUG level violates the privacy of users and is not recommended. ++.It Cm LogSftp ++Specifies whether to perform logging of ++.Nm sftp-server ++subsystem transactions. Must be "yes" or "no." The default value is "no." + .It Cm MACs + Specifies the available MAC (message authentication code) algorithms. + The MAC algorithm is used in protocol version 2 +@@ -533,6 +537,37 @@ + .It Cm ServerKeyBits + Defines the number of bits in the ephemeral protocol version 1 server key. + The minimum value is 512, and the default is 768. ++.It Cm SftpLogFacility ++Gives the facility code that is used when logging ++.Nm sftp-server . ++transactions. The possible values are: DAEMON, USER, AUTH, LOCAL0, ++LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. ++The default is AUTH. ++.It Cm SftpLogLevel ++Gives the verbosity level that is used when logging messages from ++.Nm sftp-server . ++The possible values are: ++QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2 and DEBUG3. ++The default is INFO. DEBUG and DEBUG1 are equivalent. DEBUG2 ++and DEBUG3 each specify higher levels of debugging output. 
++Logging with a DEBUG level violates the privacy of users ++and is not recommended. ++.It Cm SftpPermitChmod ++Specifies whether the sftp-server allows the sftp client to execute chmod ++commands on the server. The default is yes. ++.It Cm SftpPermitChown ++Specifies whether the sftp-server allows the sftp client to execute chown ++or chgrp commands on the server. Turning this value on means that the client ++is allowed to execute both chown and chgrp commands. Turning it off means that ++the client is prohibited from executing either chown or chgrp. ++ The default is yes. ++.It Cm SftpUmask ++Specifies an optional umask for ++.Nm sftp-server ++subsystem transactions. If a umask is given, this umask will override all system, ++environment or sftp client permission modes. If ++no umask or an invalid umask is given, file creation mode defaults to the permission ++mode specified by the sftp client. The default is for no umask. + .It Cm StrictModes + Specifies whether + .Nm sshd +Only in openssh-3.8.1p1_sftp/: sshd_config.5.orig +Only in openssh-3.8.1p1_sftp/: sshd_config.orig +diff -ru openssh-3.8.1p1/version.h openssh-3.8.1p1_sftp/version.h +--- openssh-3.8.1p1/version.h 2004-03-21 22:39:10.000000000 +0000 ++++ openssh-3.8.1p1_sftp/version.h 2004-08-18 21:06:14.436084823 +0000 +@@ -1,3 +1,3 @@ + /* $OpenBSD: version.h,v 1.41 2004/03/20 10:40:59 markus Exp $ */ + +-#define SSH_VERSION "OpenSSH_3.9p1" ++#define SSH_VERSION "OpenSSH_3.9p1+sftplogging-v1.2" +Only in openssh-3.8.1p1_sftp/: version.h.orig diff --git a/net-misc/openssh/files/openssh-3.9_p1-skey.patch b/net-misc/openssh/files/openssh-3.9_p1-skey.patch new file mode 100644 index 000000000000..133635574c8d --- /dev/null +++ b/net-misc/openssh/files/openssh-3.9_p1-skey.patch 
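Review bot: The startup code added to sftp-server.c's `main()` dereferences `getenv()` results without a NULL check — `atoi(getenv("LOG_SFTP"))`, `atoi(getenv("SFTP_LOG_LEVEL"))`, `*umask_env` after `umask_env = getenv("SFTP_UMASK")`, and the two `SFTP_PERMIT_*` lookups — so an sftp-server started without these variables (a different sshd, a manual test, a stripped environment) crashes instead of falling back; read each into a local and treat NULL as the restrictive default, e.g. `const char *v = getenv("SFTP_PERMIT_CHMOD"); if (v == NULL || atoi(v) != 1) permit_chmod = 0;`. The same gap is in servconf.c's `sSftpUmask` case, where `arg = strdelim(&cp)` may be NULL for a bare `SftpUmask` line but `*arg` is read at once; the neighbouring cases use `if (!arg || *arg == '\0') fatal(...)`. In session.c the policy variables are exported just before the `options.permit_user_env` block that reads `$HOME/.ssh/environment`, so with PermitUserEnvironment enabled a user-supplied value can presumably replace them; setting them after that block (or handing the policy to the subsystem by a channel the user cannot write to) keeps the administrator's setting authoritative. The openssh-3.8.1p1 variant of this patch listed in the diffstat appears to carry the same code.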
@@ -0,0 +1,11 @@ +--- configure.ac 2004-02-24 21:07:25.510177659 +0000 ++++ configure.ac 2004-02-24 21:03:30.717786642 +0000 +@@ -721,7 +721,7 @@ + [ + #include <stdio.h> + #include <skey.h> +-int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); } ++int main() { char *ff = "true"; ff=""; exit(0); } + ], + [AC_MSG_RESULT(yes)], + [ diff --git a/net-misc/openssh/openssh-3.8.1_p1-r2.ebuild b/net-misc/openssh/openssh-3.8.1_p1-r2.ebuild index af2e6de94098..a99458f27ad3 100644 --- a/net-misc/openssh/openssh-3.8.1_p1-r2.ebuild +++ b/net-misc/openssh/openssh-3.8.1_p1-r2.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2004 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.8.1_p1-r2.ebuild,v 1.1 2004/08/15 10:09:44 aliz Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.8.1_p1-r2.ebuild,v 1.2 2004/08/18 21:55:16 aliz Exp $ inherit eutils flag-o-matic ccc gnuconfig @@ -8,7 +8,6 @@ inherit eutils flag-o-matic ccc gnuconfig # and _p? releases. PARCH=${P/_/} -SFTPLOG_PATCH_VER="1.2" X509_PATCH="${PARCH}+x509h.diff.gz" SELINUX_PATCH="openssh-3.7.1_p1-selinux.diff" @@ -16,7 +15,6 @@ S=${WORKDIR}/${PARCH} DESCRIPTION="Port of OpenBSD's free SSH release" HOMEPAGE="http://www.openssh.com/" SRC_URI="mirror://openssh/${PARCH}.tar.gz - sftplogging? ( http://sftplogging.sourceforge.net/download/v${SFTPLOG_PATCH_VER}/${PARCH}.sftplogging-v${SFTPLOG_PATCH_VER}.patch ) X509? ( http://roumenpetrov.info/openssh/x509h/${X509_PATCH} )" LICENSE="as-is" 
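Review bot: The replacement body in this configure.ac hunk makes the s/key probe vacuous: `char *ff = "true"; ff="";` references no symbol from libskey, so the test now only proves that `<skey.h>` is present and whatever is in LIBS links, and it answers `yes` even when the installed library has no usable skey_keyinfo(); a missing symbol would then surface only as a link error in sshd itself rather than as a configure-time diagnosis. If the reason is an skey package whose skey_keyinfo prototype or name differs, it would be safer to keep a real reference to the function that is actually used (presumably behind its own prototype), or at minimum to record the intent in the patch header, e.g. `# skey_keyinfo() is not exported by app-admin/skey as packaged; skip the probe` (confirm the actual cause before wording it). The enclosing autoconf test starts and ends outside the hunk.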
@@ -48,12 +46,12 @@ src_unpack() { epatch ${FILESDIR}/${P}-resolv_functions.patch epatch ${FILESDIR}/${P}-largekey.patch - use sftplogging && epatch ${DISTDIR}/${PARCH}.sftplogging-v${SFTPLOG_PATCH_VER}.patch + use X509 && epatch ${DISTDIR}/${X509_PATCH} + use sftplogging && epatch ${FILESDIR}/${PARCH}-sftplogging-1.2-gentoo.patch use selinux && epatch ${FILESDIR}/${SELINUX_PATCH} use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch use skey && epatch ${FILESDIR}/${P}-skey.patch use chroot && epatch ${FILESDIR}/${P}-chroot.patch - use X509 && epatch ${DISTDIR}/${X509_PATCH} use smartcard && epatch ${FILESDIR}/${P}-opensc.patch } diff --git a/net-misc/openssh/openssh-3.9_p1.ebuild b/net-misc/openssh/openssh-3.9_p1.ebuild new file mode 100644 index 000000000000..9132ea65c3d3 --- /dev/null +++ b/net-misc/openssh/openssh-3.9_p1.ebuild 
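Review bot: The X509 patch is moved ahead of the sftplogging patch in src_unpack, reversing the previous order, but nothing in the ebuild records why the order matters; the sftplogging patch visibly touches sshd_config, sshd_config.5 and version.h, files an X509 patch is likely to touch as well, so presumably the regenerated `${PARCH}-sftplogging-1.2-gentoo.patch` was rebased on an X509-patched tree and a maintainer who later restores the old order will get rejects. A one-line comment above the X509 line, `# apply X509 first: the gentoo sftplogging patch is rebased on top of it`, would pin that down — confirm the dependency holds, and that the sftplogging patch still applies cleanly with USE=-X509, before committing to the wording. src_unpack starts outside the hunk.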
@@ -0,0 +1,138 @@
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-misc/openssh/openssh-3.9_p1.ebuild,v 1.1 2004/08/18 21:55:16 aliz Exp $
+
+inherit eutils flag-o-matic ccc gnuconfig
+
+# Make it more portable between straight releases
+# and _p? releases.
+PARCH=${P/_/}
+
+SFTPLOG_PATCH_VER="1.2"
+X509_PATCH="${PARCH}+x509h.diff.gz"
+
+S=${WORKDIR}/${PARCH}
+DESCRIPTION="Port of OpenBSD's free SSH release"
+HOMEPAGE="http://www.openssh.com/"
+SRC_URI="mirror://openssh/${PARCH}.tar.gz"
+# X509? ( http://roumenpetrov.info/openssh/x509h/${X509_PATCH} )"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~arm ~hppa ~amd64 ~ia64 ~ppc64 ~s390"
+IUSE="ipv6 static pam tcpd kerberos skey selinux chroot X509 ldap smartcard uclibc sftplogging"
+
+RDEPEND="virtual/libc
+ pam? ( >=sys-libs/pam-0.73
+ >=sys-apps/shadow-4.0.2-r2 )
+ !mips? ( kerberos? ( virtual/krb5 ) )
+ selinux? ( sys-libs/libselinux )
+ !ppc64? ( skey? ( >=app-admin/skey-1.1.5-r1 ) )
+ >=dev-libs/openssl-0.9.6d
+ >=sys-libs/zlib-1.1.4
+ x86? ( smartcard? ( dev-libs/opensc ) )
+ !ppc64? ( tcpd? ( >=sys-apps/tcp-wrappers-7.6 ) )"
+DEPEND="${RDEPEND}
+ virtual/os-headers
+ dev-lang/perl
+ !uclibc? ( sys-apps/groff )
+ >=sys-apps/sed-4
+ sys-devel/autoconf"
+PROVIDE="virtual/ssh"
+
+pkg_setup() {
+ if use X509 || use selinux; then
+ eerror "No updated patch available for ${P}."
+ die
+ fi
+}
+
+src_unpack() {
+ unpack ${PARCH}.tar.gz ; cd ${S}
+
+ epatch ${FILESDIR}/${P}-largekey.patch
+
+ use sftplogging && epatch ${FILESDIR}/${P}-sftplogging-1.2-gentoo.patch
+ use alpha && epatch ${FILESDIR}/${PN}-3.5_p1-gentoo-sshd-gcc3.patch
+ use skey && epatch ${FILESDIR}/${P}-skey.patch
+ use chroot && epatch ${FILESDIR}/${P}-chroot.patch
+# use X509 && epatch ${DISTDIR}/${X509_PATCH}
+# use selinux && epatch ${FILESDIR}/${SELINUX_PATCH}
+ use smartcard && epatch ${FILESDIR}/${P}-opensc.patch
+}
+
+src_compile() {
+ addwrite /dev/ptmx
+ gnuconfig_update
+
+ # make sure .sbss is large enough
+ use skey && use alpha && append-ldflags -mlarge-data
+ use ldap && filter-flags -funroll-loops
+ use selinux && append-flags "-DWITH_SELINUX"
+ use static && append-ldflags -static
+ export LDFLAGS
+
+ local myconf="\
+ $( use_with tcpd tcp-wrappers ) \
+ $( use_with pam ) \
+ $( use_with skey )"
+
+ use ipv6 || myconf="${myconf} --with-ipv4-default"
+ use kerberos && myconf="${myconf} --with-kerberos5=/usr" || \
+ myconf="${myconf} --without-kerberos5"
+
+ econf \
+ --sysconfdir=/etc/ssh \
+ --libexecdir=/usr/lib/misc \
+ --datadir=/usr/share/openssh \
+ --disable-suid-ssh \
+ --with-privsep-path=/var/empty \
+ --with-privsep-user=sshd \
+ --with-md5-passwords \
+ `use_with tcpd tcp-wrappers` \
+ `use_with pam` \
+ `use_with skey` \
+ `use_with smartcard opensc` \
+ ${myconf} \
+ || die "bad configure"
+
+# use static && {
+# # statically link to libcrypto -- good for the boot cd
+# sed -i "s:-lcrypto:/usr/lib/libcrypto.a:g" Makefile
+# }
+
+ emake || die "compile problem"
+}
+
+src_install() {
+ make install-files DESTDIR=${D} || die
+ chmod 600 ${D}/etc/ssh/sshd_config
+ dodoc ChangeLog CREDITS OVERVIEW README* TODO sshd_config
+ use pam && ( insinto /etc/pam.d ; newins ${FILESDIR}/sshd.pam sshd )
+ exeinto /etc/init.d ; newexe ${FILESDIR}/sshd.rc6 sshd
+ keepdir /var/empty
+ dosed "/^#Protocol /s:.*:Protocol 2:" /etc/ssh/sshd_config
+ use pam && dosed 
"/^#UsePAM /s:.*:UsePAM yes:" /etc/ssh/sshd_config
+}
+
+pkg_postinst() {
+ enewgroup sshd 22
+ enewuser sshd 22 /bin/false /var/empty sshd
+
+ ewarn "Remember to merge your config files in /etc/ssh/ and then"
+ ewarn "restart sshd: '/etc/init.d/sshd restart'."
+ ewarn
+ einfo "As of version 3.4 the default is to enable the UsePrivelegeSeparation"
+ einfo "functionality, but please ensure that you do not explicitly disable"
+ einfo "this in your configuration as disabling it opens security holes"
+ einfo
+ einfo "This revision has removed your sshd user id and replaced it with a"
+ einfo "new one with UID 22. If you have any scripts or programs that"
+ einfo "that referenced the old UID directly, you will need to update them."
+ einfo
+ use pam >/dev/null 2>&1 && {
+ einfo "Please be aware users need a valid shell in /etc/passwd"
+ einfo "in order to be allowed to login."
+ einfo
+ }
+} |
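Review bot: The `ldap` USE flag is advertised in IUSE, but nothing in src_unpack applies an LDAP patch and nothing in src_compile enables LDAP support — the only effect of `use ldap` is `filter-flags -funroll-loops` — so a user who sets it gets a plain build while believing LDAP-backed key lookup is in place. pkg_setup already refuses `X509` and `selinux` because no updated patch exists; `ldap` should get the same treatment, `if use X509 || use selinux || use ldap; then`, or be dropped from IUSE until a patch for this version exists. For the same reason `use selinux && append-flags "-DWITH_SELINUX"` in src_compile is unreachable and can be removed. Separately, `use_with tcpd tcp-wrappers`, `use_with pam` and `use_with skey` are passed to econf twice (once through `${myconf}`, once directly), which is harmless but worth collapsing to one form.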