GC openssh-3.9
authorJoerg Sonnenberger <joerg@dragonflybsd.org>
Sat, 3 Sep 2005 15:09:49 +0000 (15:09 +0000)
committerJoerg Sonnenberger <joerg@dragonflybsd.org>
Sat, 3 Sep 2005 15:09:49 +0000 (15:09 +0000)
271 files changed:
crypto/openssh-3.9p1/CREDITS [deleted file]
crypto/openssh-3.9p1/INSTALL [deleted file]
crypto/openssh-3.9p1/LICENCE [deleted file]
crypto/openssh-3.9p1/README [deleted file]
crypto/openssh-3.9p1/README.DELETED [deleted file]
crypto/openssh-3.9p1/README.DRAGONFLY [deleted file]
crypto/openssh-3.9p1/README.dns [deleted file]
crypto/openssh-3.9p1/README.privsep [deleted file]
crypto/openssh-3.9p1/README.smartcard [deleted file]
crypto/openssh-3.9p1/TODO [deleted file]
crypto/openssh-3.9p1/acss.c [deleted file]
crypto/openssh-3.9p1/acss.h [deleted file]
crypto/openssh-3.9p1/atomicio.c [deleted file]
crypto/openssh-3.9p1/atomicio.h [deleted file]
crypto/openssh-3.9p1/auth-bsdauth.c [deleted file]
crypto/openssh-3.9p1/auth-chall.c [deleted file]
crypto/openssh-3.9p1/auth-krb5.c [deleted file]
crypto/openssh-3.9p1/auth-options.c [deleted file]
crypto/openssh-3.9p1/auth-options.h [deleted file]
crypto/openssh-3.9p1/auth-pam.c [deleted file]
crypto/openssh-3.9p1/auth-pam.h [deleted file]
crypto/openssh-3.9p1/auth-passwd.c [deleted file]
crypto/openssh-3.9p1/auth-rh-rsa.c [deleted file]
crypto/openssh-3.9p1/auth-rhosts.c [deleted file]
crypto/openssh-3.9p1/auth-rsa.c [deleted file]
crypto/openssh-3.9p1/auth-shadow.c [deleted file]
crypto/openssh-3.9p1/auth-sia.c [deleted file]
crypto/openssh-3.9p1/auth-sia.h [deleted file]
crypto/openssh-3.9p1/auth-skey.c [deleted file]
crypto/openssh-3.9p1/auth.c [deleted file]
crypto/openssh-3.9p1/auth.h [deleted file]
crypto/openssh-3.9p1/auth1.c [deleted file]
crypto/openssh-3.9p1/auth2-chall.c [deleted file]
crypto/openssh-3.9p1/auth2-gss.c [deleted file]
crypto/openssh-3.9p1/auth2-hostbased.c [deleted file]
crypto/openssh-3.9p1/auth2-kbdint.c [deleted file]
crypto/openssh-3.9p1/auth2-none.c [deleted file]
crypto/openssh-3.9p1/auth2-passwd.c [deleted file]
crypto/openssh-3.9p1/auth2-pubkey.c [deleted file]
crypto/openssh-3.9p1/auth2.c [deleted file]
crypto/openssh-3.9p1/authfd.c [deleted file]
crypto/openssh-3.9p1/authfd.h [deleted file]
crypto/openssh-3.9p1/authfile.c [deleted file]
crypto/openssh-3.9p1/authfile.h [deleted file]
crypto/openssh-3.9p1/bufaux.c [deleted file]
crypto/openssh-3.9p1/bufaux.h [deleted file]
crypto/openssh-3.9p1/buffer.c [deleted file]
crypto/openssh-3.9p1/buffer.h [deleted file]
crypto/openssh-3.9p1/buildpkg.sh.in [deleted file]
crypto/openssh-3.9p1/canohost.c [deleted file]
crypto/openssh-3.9p1/canohost.h [deleted file]
crypto/openssh-3.9p1/channels.c [deleted file]
crypto/openssh-3.9p1/channels.h [deleted file]
crypto/openssh-3.9p1/cipher-3des1.c [deleted file]
crypto/openssh-3.9p1/cipher-acss.c [deleted file]
crypto/openssh-3.9p1/cipher-aes.c [deleted file]
crypto/openssh-3.9p1/cipher-bf1.c [deleted file]
crypto/openssh-3.9p1/cipher-ctr.c [deleted file]
crypto/openssh-3.9p1/cipher.c [deleted file]
crypto/openssh-3.9p1/cipher.h [deleted file]
crypto/openssh-3.9p1/cleanup.c [deleted file]
crypto/openssh-3.9p1/clientloop.c [deleted file]
crypto/openssh-3.9p1/clientloop.h [deleted file]
crypto/openssh-3.9p1/compat.c [deleted file]
crypto/openssh-3.9p1/compat.h [deleted file]
crypto/openssh-3.9p1/compress.c [deleted file]
crypto/openssh-3.9p1/compress.h [deleted file]
crypto/openssh-3.9p1/crc32.c [deleted file]
crypto/openssh-3.9p1/crc32.h [deleted file]
crypto/openssh-3.9p1/deattack.c [deleted file]
crypto/openssh-3.9p1/deattack.h [deleted file]
crypto/openssh-3.9p1/defines.h [deleted file]
crypto/openssh-3.9p1/dh.c [deleted file]
crypto/openssh-3.9p1/dh.h [deleted file]
crypto/openssh-3.9p1/dispatch.c [deleted file]
crypto/openssh-3.9p1/dispatch.h [deleted file]
crypto/openssh-3.9p1/dns.c [deleted file]
crypto/openssh-3.9p1/dns.h [deleted file]
crypto/openssh-3.9p1/entropy.c [deleted file]
crypto/openssh-3.9p1/entropy.h [deleted file]
crypto/openssh-3.9p1/envpass.sh [deleted file]
crypto/openssh-3.9p1/fatal.c [deleted file]
crypto/openssh-3.9p1/getput.h [deleted file]
crypto/openssh-3.9p1/groupaccess.c [deleted file]
crypto/openssh-3.9p1/groupaccess.h [deleted file]
crypto/openssh-3.9p1/gss-genr.c [deleted file]
crypto/openssh-3.9p1/gss-serv-krb5.c [deleted file]
crypto/openssh-3.9p1/gss-serv.c [deleted file]
crypto/openssh-3.9p1/hostfile.c [deleted file]
crypto/openssh-3.9p1/hostfile.h [deleted file]
crypto/openssh-3.9p1/includes.h [deleted file]
crypto/openssh-3.9p1/kex.c [deleted file]
crypto/openssh-3.9p1/kex.h [deleted file]
crypto/openssh-3.9p1/kexdh.c [deleted file]
crypto/openssh-3.9p1/kexdhc.c [deleted file]
crypto/openssh-3.9p1/kexdhs.c [deleted file]
crypto/openssh-3.9p1/kexgex.c [deleted file]
crypto/openssh-3.9p1/kexgexc.c [deleted file]
crypto/openssh-3.9p1/kexgexs.c [deleted file]
crypto/openssh-3.9p1/key.c [deleted file]
crypto/openssh-3.9p1/key.h [deleted file]
crypto/openssh-3.9p1/log.c [deleted file]
crypto/openssh-3.9p1/log.h [deleted file]
crypto/openssh-3.9p1/log.h.patch [deleted file]
crypto/openssh-3.9p1/log.h_orig [deleted file]
crypto/openssh-3.9p1/loginrec.c [deleted file]
crypto/openssh-3.9p1/loginrec.h [deleted file]
crypto/openssh-3.9p1/logintest.c [deleted file]
crypto/openssh-3.9p1/mac.c [deleted file]
crypto/openssh-3.9p1/mac.h [deleted file]
crypto/openssh-3.9p1/match.c [deleted file]
crypto/openssh-3.9p1/match.h [deleted file]
crypto/openssh-3.9p1/md5crypt.c [deleted file]
crypto/openssh-3.9p1/md5crypt.h [deleted file]
crypto/openssh-3.9p1/misc.c [deleted file]
crypto/openssh-3.9p1/misc.h [deleted file]
crypto/openssh-3.9p1/moduli [deleted file]
crypto/openssh-3.9p1/moduli.c [deleted file]
crypto/openssh-3.9p1/monitor.c [deleted file]
crypto/openssh-3.9p1/monitor.h [deleted file]
crypto/openssh-3.9p1/monitor_fdpass.c [deleted file]
crypto/openssh-3.9p1/monitor_fdpass.h [deleted file]
crypto/openssh-3.9p1/monitor_mm.c [deleted file]
crypto/openssh-3.9p1/monitor_mm.h [deleted file]
crypto/openssh-3.9p1/monitor_wrap.c [deleted file]
crypto/openssh-3.9p1/monitor_wrap.h [deleted file]
crypto/openssh-3.9p1/mpaux.c [deleted file]
crypto/openssh-3.9p1/mpaux.h [deleted file]
crypto/openssh-3.9p1/msg.c [deleted file]
crypto/openssh-3.9p1/msg.h [deleted file]
crypto/openssh-3.9p1/myproposal.h [deleted file]
crypto/openssh-3.9p1/nchan.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/base64.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/base64.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/basename.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bindresvport.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-arc4random.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-closefrom.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-cray.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-cray.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-cygwin_util.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-cygwin_util.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-getpeereid.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-misc.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-misc.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-nextstep.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-nextstep.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-openpty.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-snprintf.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-waitpid.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/bsd-waitpid.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/daemon.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/dirname.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/fake-rfc2553.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/fake-rfc2553.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/getcwd.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/getgrouplist.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/getopt.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/getrrsetbyname.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/getrrsetbyname.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/glob.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/glob.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/inet_aton.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/inet_ntoa.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/inet_ntop.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/mktemp.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/openbsd-compat.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/port-aix.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/port-aix.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/port-irix.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/port-irix.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/readpassphrase.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/readpassphrase.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/realpath.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/rresvport.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/setenv.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/setproctitle.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/sigact.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/sigact.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/strlcat.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/strlcpy.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/strmode.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/strsep.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/strtoul.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/sys-queue.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/sys-tree.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/vis.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/vis.h [deleted file]
crypto/openssh-3.9p1/openbsd-compat/xcrypt.c [deleted file]
crypto/openssh-3.9p1/openbsd-compat/xmmap.c [deleted file]
crypto/openssh-3.9p1/opensshd.init.in [deleted file]
crypto/openssh-3.9p1/packet.c [deleted file]
crypto/openssh-3.9p1/packet.h [deleted file]
crypto/openssh-3.9p1/pathnames.h [deleted file]
crypto/openssh-3.9p1/progressmeter.c [deleted file]
crypto/openssh-3.9p1/progressmeter.h [deleted file]
crypto/openssh-3.9p1/readconf.c [deleted file]
crypto/openssh-3.9p1/readconf.h [deleted file]
crypto/openssh-3.9p1/readpass.c [deleted file]
crypto/openssh-3.9p1/regress/envpass.sh [deleted file]
crypto/openssh-3.9p1/regress/multiplex.sh [deleted file]
crypto/openssh-3.9p1/regress/reexec.sh [deleted file]
crypto/openssh-3.9p1/regress/scp-ssh-wrapper.sh [deleted file]
crypto/openssh-3.9p1/regress/scp.sh [deleted file]
crypto/openssh-3.9p1/rijndael.c [deleted file]
crypto/openssh-3.9p1/rijndael.h [deleted file]
crypto/openssh-3.9p1/rsa.c [deleted file]
crypto/openssh-3.9p1/rsa.h [deleted file]
crypto/openssh-3.9p1/scard-opensc.c [deleted file]
crypto/openssh-3.9p1/scard.c [deleted file]
crypto/openssh-3.9p1/scard.h [deleted file]
crypto/openssh-3.9p1/scp.1 [deleted file]
crypto/openssh-3.9p1/scp.c [deleted file]
crypto/openssh-3.9p1/servconf.c [deleted file]
crypto/openssh-3.9p1/servconf.h [deleted file]
crypto/openssh-3.9p1/serverloop.c [deleted file]
crypto/openssh-3.9p1/serverloop.h [deleted file]
crypto/openssh-3.9p1/session.c [deleted file]
crypto/openssh-3.9p1/session.h [deleted file]
crypto/openssh-3.9p1/sftp-client.c [deleted file]
crypto/openssh-3.9p1/sftp-client.h [deleted file]
crypto/openssh-3.9p1/sftp-common.c [deleted file]
crypto/openssh-3.9p1/sftp-common.h [deleted file]
crypto/openssh-3.9p1/sftp-glob.c [deleted file]
crypto/openssh-3.9p1/sftp-server.8 [deleted file]
crypto/openssh-3.9p1/sftp-server.c [deleted file]
crypto/openssh-3.9p1/sftp.1 [deleted file]
crypto/openssh-3.9p1/sftp.c [deleted file]
crypto/openssh-3.9p1/sftp.h [deleted file]
crypto/openssh-3.9p1/ssh-add.1 [deleted file]
crypto/openssh-3.9p1/ssh-add.c [deleted file]
crypto/openssh-3.9p1/ssh-agent.1 [deleted file]
crypto/openssh-3.9p1/ssh-agent.c [deleted file]
crypto/openssh-3.9p1/ssh-dss.c [deleted file]
crypto/openssh-3.9p1/ssh-gss.h [deleted file]
crypto/openssh-3.9p1/ssh-keygen.1 [deleted file]
crypto/openssh-3.9p1/ssh-keygen.c [deleted file]
crypto/openssh-3.9p1/ssh-keyscan.1 [deleted file]
crypto/openssh-3.9p1/ssh-keyscan.c [deleted file]
crypto/openssh-3.9p1/ssh-keysign.8 [deleted file]
crypto/openssh-3.9p1/ssh-keysign.c [deleted file]
crypto/openssh-3.9p1/ssh-rsa.c [deleted file]
crypto/openssh-3.9p1/ssh.1 [deleted file]
crypto/openssh-3.9p1/ssh.c [deleted file]
crypto/openssh-3.9p1/ssh.h [deleted file]
crypto/openssh-3.9p1/ssh1.h [deleted file]
crypto/openssh-3.9p1/ssh2.h [deleted file]
crypto/openssh-3.9p1/ssh_config [deleted file]
crypto/openssh-3.9p1/ssh_config.5 [deleted file]
crypto/openssh-3.9p1/sshconnect.c [deleted file]
crypto/openssh-3.9p1/sshconnect.h [deleted file]
crypto/openssh-3.9p1/sshconnect1.c [deleted file]
crypto/openssh-3.9p1/sshconnect2.c [deleted file]
crypto/openssh-3.9p1/sshd.8 [deleted file]
crypto/openssh-3.9p1/sshd.c [deleted file]
crypto/openssh-3.9p1/sshd_config [deleted file]
crypto/openssh-3.9p1/sshd_config.5 [deleted file]
crypto/openssh-3.9p1/sshlogin.c [deleted file]
crypto/openssh-3.9p1/sshlogin.h [deleted file]
crypto/openssh-3.9p1/sshpty.c [deleted file]
crypto/openssh-3.9p1/sshpty.h [deleted file]
crypto/openssh-3.9p1/sshtty.c [deleted file]
crypto/openssh-3.9p1/tildexpand.c [deleted file]
crypto/openssh-3.9p1/ttymodes.c [deleted file]
crypto/openssh-3.9p1/ttymodes.h [deleted file]
crypto/openssh-3.9p1/uidswap.c [deleted file]
crypto/openssh-3.9p1/uidswap.h [deleted file]
crypto/openssh-3.9p1/uuencode.c [deleted file]
crypto/openssh-3.9p1/uuencode.h [deleted file]
crypto/openssh-3.9p1/xmalloc.c [deleted file]
crypto/openssh-3.9p1/xmalloc.h [deleted file]

diff --git a/crypto/openssh-3.9p1/CREDITS b/crypto/openssh-3.9p1/CREDITS
deleted file mode 100644 (file)
index 2a77b87..0000000
+++ /dev/null
@@ -1,102 +0,0 @@
-Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH
-
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt, and Dug Song - Creators of OpenSSH
-
-Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
-Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
-Andre Lucas <andre@ae-35.com> - new login code, many fixes
-Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
-Andrew McGill <andrewm@datrix.co.za> - SCO fixes
-Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
-Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
-Andy Sloane <andy@guildsoftware.com> - bugfixes
-Aran Cox <acox@cv.telegroup.com> - SCO bugfixes
-Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes
-Ben Lindstrom <mouring@eviladmin.org> - NeXT support
-Ben Taylor <bent@clark.net> - Solaris debugging and fixes
-Bratislav ILICH <bilic@zepter.ru> - Configure fix
-Charles Levert <charles@comm.polymtl.ca> - SunOS 4 & bug fixes
-Chip Salzenberg <chip@valinux.com> - Assorted patches
-Chris Adams <cmadams@hiwaay.net> - OSF SIA support
-Chris Saia <csaia@wtower.com> - SuSE packaging
-Chris, the Young One <cky@pobox.com> - Password auth fixes
-Christos Zoulas <christos@zoulas.com> - Autoconf fixes
-Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
-Corinna Vinschen <vinschen@redhat.com> - Cygwin support
-Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
-Darren Hall <dhall@virage.org> - AIX patches
-Darren Tucker <dtucker@zip.com.au> - AIX BFF package scripts
-David Agraz <dagraz@jahoopa.com> - Build fixes
-David Del Piero <David.DelPiero@qed.qld.gov.au> - bug fixes
-David Hesprich <darkgrue@gue-tech.org> - Configure fixes
-David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
-Dag-Erling Smørgrav <des at freebsd.org> - Challenge-Response PAM code.
-Ed Eden <ede370@stl.rural.usda.gov> - configure fixes
-Garrick James <garrick@james.net> - configure fixes
-Gary E. Miller <gem@rellim.com> - SCO support
-Ged Lodder <lodder@yacc.com.au> - HPUX fixes and enhancements
-Gert Doering <gd@hilb1.medat.de> - bug and portability fixes
-HARUYAMA Seigo <haruyama@unixuser.org> - Translations & doc fixes
-Hideaki YOSHIFUJI <yoshfuji@ecei.tohoku.ac.jp> - IPv6 and bug fixes
-Hiroshi Takekawa <takekawa@sr3.t.u-tokyo.ac.jp> - Configure fixes
-Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE> - KRB4/AFS config patch
-IWAMURO Motonori <iwa@mmp.fujitsu.co.jp> - bugfixes
-Jani Hakala <jahakala@cc.jyu.fi> - Patches
-Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes
-Jim Knoble <jmknoble@pobox.com> - Many patches
-Jonchen (email unknown) - the original author of PAM support of SSH
-Juergen Keil <jk@tools.de> - scp bugfixing
-KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp> - Configure fixes
-Kees Cook <cook@cpoint.net> - scp fixes
-Kenji Miyake <kenji@miyake.org> - Configure fixes
-Kevin Cawlfield <cawlfiel@us.ibm.com> - AIX fixes.
-Kevin O'Connor <kevin_oconnor@standardandpoors.com> - RSAless operation
-Kevin Steves <stevesk@pobox.com> - HP support, bugfixes, improvements
-Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes
-Larry Jones <larry.jones@sdrc.com> - Bugfixes
-Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> - Bugfixes
-Marc G. Fournier <marc.fournier@acadiau.ca> - Solaris patches
-Mark D. Baushke <mdb@juniper.net> - bug fixes
-Martin Johansson <fatbob@acc.umu.se> - Linux fixes
-Mark D. Roth <roth+openssh@feep.net> - Features, bug fixes
-Mark Miller <markm@swoon.net> - Bugfixes
-Matt Richards <v2matt@btv.ibm.com> - AIX patches
-Michael Steffens <michael_steffens at hp.com> - HP-UX fixes
-Michael Stone <mstone@cs.loyola.edu> - Irix enhancements
-Nakaji Hiroyuki <nakaji@tutrp.tut.ac.jp> - Sony News-OS patch
-Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - PAM environment patch
-Nate Itkin <nitkin@europa.com> - SunOS 4.1.x fixes
-Niels Kristian Bech Jensen <nkbj@image.dk> - Assorted patches
-Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> - Security fixes
-Pavel Troller <patrol@omni.sinus.cz> - Bugfixes
-Pekka Savola <pekkas@netcore.fi> - Bugfixes
-Peter Kocks <peter.kocks@baygate.com> - Makefile fixes
-Peter Stuge <stuge@cdy.org> - mdoc2man.awk script
-Phil Hands <phil@hands.com> - Debian scripts, assorted patches
-Phil Karn <karn@ka9q.ampr.org> - Autoconf fixes
-Philippe WILLEM <Philippe.WILLEM@urssaf.fr> - Bugfixes
-Phill Camp <P.S.S.Camp@ukc.ac.uk> - login code fix
-Rip Loomis <loomisg@cist.saic.com> - Solaris package support, fixes
-Robert Dahlem <Robert.Dahlem at siemens.com> - Reliant Unix fixes
-Roumen Petrov <openssh@roumenpetrov.info> - Compile & configure fixes
-SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp> - Multiple bugfixes
-Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes, Compat with MIT KrbV
-Solar Designer <solar@openwall.com> - many patches and technical assistance
-Svante Signell <svante.signell@telia.com> - Bugfixes
-Thomas Neumann <tom@smart.ruhr.de> - Shadow passwords
-Tim Rice <tim@multitalents.net> - Portability & SCO fixes
-Tobias Oetiker <oetiker@ee.ethz.ch> - Bugfixes
-Tom Bertelson's <tbert@abac.com> - AIX auth fixes
-Tor-Ake Fransson <torake@hotmail.com> - AIX support
-Tudor Bosman <tudorb@jm.nu> - MD5 password support
-Udo Schweigert <ust@cert.siemens.de> - ReliantUNIX support
-Wendy Palm <wendyp at cray.com> - Cray support.
-Zack Weinberg <zack@wolery.cumb.org> - GNOME askpass enhancement
-
-Apologies to anyone I have missed.
-
-Damien Miller <djm@mindrot.org>
-
-$Id: CREDITS,v 1.79 2004/05/26 23:59:31 dtucker Exp $
-
diff --git a/crypto/openssh-3.9p1/INSTALL b/crypto/openssh-3.9p1/INSTALL
deleted file mode 100644 (file)
index dae1bb1..0000000
+++ /dev/null
@@ -1,203 +0,0 @@
-1. Prerequisites
-----------------
-
-You will need working installations of Zlib and OpenSSL.
-
-Zlib 1.1.4 or greater:
-http://www.gzip.org/zlib/
-
-OpenSSL 0.9.6 or greater:
-http://www.openssl.org/
-
-(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
-Blowfish) do not work correctly.)
-
-OpenSSH can utilise Pluggable Authentication Modules (PAM) if your system
-supports it. PAM is standard on Redhat and Debian Linux, Solaris and
-HP-UX 11.
-
-NB. If you operating system supports /dev/random, you should configure
-OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
-/dev/random. If you don't you will have to rely on ssh-rand-helper, which
-is inferior to a good kernel-based solution.
-
-PAM:
-http://www.kernel.org/pub/linux/libs/pam/
-
-If you wish to build the GNOME passphrase requester, you will need the GNOME
-libraries and headers.
-
-GNOME:
-http://www.gnome.org/
-
-Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
-passphrase requester. This is maintained separately at:
-
-http://www.jmknoble.net/software/x11-ssh-askpass/
-
-PRNGD:
-
-If your system lacks Kernel based random collection, the use of Lutz
-Jaenicke's PRNGd is recommended.
-
-http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
-
-EGD:
-
-The Entropy Gathering Daemon (EGD) is supported if you have a system which
-lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
-
-http://www.lothar.com/tech/crypto/
-
-S/Key Libraries:
-http://www.sparc.spb.su/solaris/skey/
-
-If you wish to use --with-skey then you will need the above library
-installed.  No other current S/Key library is currently known to be
-supported.
-
-2. Building / Installation
---------------------------
-
-To install OpenSSH with default options:
-
-./configure
-make
-make install
-
-This will install the OpenSSH binaries in /usr/local/bin, configuration files
-in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
-installation prefix, use the --prefix option to configure:
-
-./configure --prefix=/opt
-make
-make install
-
-Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
-specific paths, for example:
-
-./configure --prefix=/opt --sysconfdir=/etc/ssh
-make
-make install
-
-This will install the binaries in /opt/{bin,lib,sbin}, but will place the
-configuration files in /etc/ssh.
-
-If you are using PAM, you may need to manually install a PAM control
-file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
-them).  Note that the service name used to start PAM is __progname,
-which is the basename of the path of your sshd (e.g., the service name
-for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
-executable, your PAM configuration may need to be modified.
-
-A generic PAM configuration is included as "contrib/sshd.pam.generic",
-you may need to edit it before using it on your system. If you are
-using a recent version of Red Hat Linux, the config file in
-contrib/redhat/sshd.pam should be more useful.  Failure to install a
-valid PAM file may result in an inability to use password
-authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
-configuration will work with sshd (sshd will match the other service
-name).
-
-There are a few other options to the configure script:
-
---with-pam enables PAM support. If PAM support is compiled in, it must
-also be enabled in sshd_config (refer to the UsePAM directive).
-
---with-prngd-socket=/some/file allows you to enable EGD or PRNGD
-support and to specify a PRNGd socket. Use this if your Unix lacks
-/dev/random and you don't want to use OpenSSH's builtin entropy
-collection support.
-
---with-prngd-port=portnum allows you to enable EGD or PRNGD support
-and to specify a EGD localhost TCP port. Use this if your Unix lacks
-/dev/random and you don't want to use OpenSSH's builtin entropy
-collection support.
-
---with-lastlog=FILE will specify the location of the lastlog file.
-./configure searches a few locations for lastlog, but may not find
-it if lastlog is installed in a different place.
-
---without-lastlog will disable lastlog support entirely.
-
---with-osfsia, --without-osfsia will enable or disable OSF1's Security
-Integration Architecture.  The default for OSF1 machines is enable.
-
---with-skey=PATH will enable S/Key one time password support. You will
-need the S/Key libraries and header files installed for this to work.
-
---with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
-support. You will need libwrap.a and tcpd.h installed.
-
---with-md5-passwords will enable the use of MD5 passwords. Enable this
-if your operating system uses MD5 passwords and the system crypt() does
-not support them directly (see the crypt(3/3c) man page). If enabled, the
-resulting binary will support both MD5 and traditional crypt passwords.
-
---with-utmpx enables utmpx support. utmpx support is automatic for
-some platforms.
-
---without-shadow disables shadow password support.
-
---with-ipaddr-display forces the use of a numeric IP address in the
-$DISPLAY environment variable. Some broken systems need this.
-
---with-default-path=PATH allows you to specify a default $PATH for sessions
-started by sshd. This replaces the standard path entirely.
-
---with-pid-dir=PATH specifies the directory in which the ssh.pid file is
-created.
-
---with-xauth=PATH specifies the location of the xauth binary
-
---with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
-are installed.
-
---with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
-real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
-
---with-opensc=DIR
---with-sectok=DIR allows for OpenSC or sectok smartcard libraries to
-be used with OpenSSH.  See 'README.smartcard' for more details.
-
-If you need to pass special options to the compiler or linker, you
-can specify these as environment variables before running ./configure.
-For example:
-
-CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
-
-3. Configuration
-----------------
-
-The runtime configuration files are installed by in ${prefix}/etc or
-whatever you specified as your --sysconfdir (/usr/local/etc by default).
-
-The default configuration should be instantly usable, though you should
-review it to ensure that it matches your security requirements.
-
-To generate a host key, run "make host-key". Alternately you can do so
-manually using the following commands:
-
-    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
-    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
-    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
-
-Replacing /etc/ssh with the correct path to the configuration directory.
-(${prefix}/etc or whatever you specified with --sysconfdir during
-configuration)
-
-If you have configured OpenSSH with EGD support, ensure that EGD is
-running and has collected some Entropy.
-
-For more information on configuration, please refer to the manual pages
-for sshd, ssh and ssh-agent.
-
-4. Problems?
-------------
-
-If you experience problems compiling, installing or running OpenSSH.
-Please refer to the "reporting bugs" section of the webpage at
-http://www.openssh.com/
-
-
-$Id: INSTALL,v 1.64 2004/05/26 23:59:31 dtucker Exp $
diff --git a/crypto/openssh-3.9p1/LICENCE b/crypto/openssh-3.9p1/LICENCE
deleted file mode 100644 (file)
index d8c1573..0000000
+++ /dev/null
@@ -1,332 +0,0 @@
-This file is part of the OpenSSH software.
-
-The licences which components of this software fall under are as
-follows.  First, we will summarize and say that all components
-are under a BSD licence, or a licence more free than that.
-
-OpenSSH contains no GPL code.
-
-1)
-     * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-     *                    All rights reserved
-     *
-     * As far as I am concerned, the code I have written for this software
-     * can be used freely for any purpose.  Any derived versions of this
-     * software must be clearly marked as such, and if the derived work is
-     * incompatible with the protocol description in the RFC file, it must be
-     * called by a name other than "ssh" or "Secure Shell".
-
-    [Tatu continues]
-     *  However, I am not implying to give any licenses to any patents or
-     * copyrights held by third parties, and the software includes parts that
-     * are not under my direct control.  As far as I know, all included
-     * source code is used in accordance with the relevant license agreements
-     * and can be used freely for any purpose (the GNU license being the most
-     * restrictive); see below for details.
-
-    [However, none of that term is relevant at this point in time.  All of
-    these restrictively licenced software components which he talks about
-    have been removed from OpenSSH, i.e.,
-
-     - RSA is no longer included, found in the OpenSSL library
-     - IDEA is no longer included, its use is deprecated
-     - DES is now external, in the OpenSSL library
-     - GMP is no longer used, and instead we call BN code from OpenSSL
-     - Zlib is now external, in a library
-     - The make-ssh-known-hosts script is no longer included
-     - TSS has been removed
-     - MD5 is now external, in the OpenSSL library
-     - RC4 support has been replaced with ARC4 support from OpenSSL
-     - Blowfish is now external, in the OpenSSL library
-
-    [The licence continues]
-
-    Note that any information and cryptographic algorithms used in this
-    software are publicly available on the Internet and at any major
-    bookstore, scientific library, and patent office worldwide.  More
-    information can be found e.g. at "http://www.cs.hut.fi/crypto".
-
-    The legal status of this program is some combination of all these
-    permissions and restrictions.  Use only at your own responsibility.
-    You will be responsible for any legal consequences yourself; I am not
-    making any claims whether possessing or using this is legal or not in
-    your country, and I am not taking any responsibility on your behalf.
-
-
-                           NO WARRANTY
-
-    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-    REPAIR OR CORRECTION.
-
-    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-    WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-    REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-    INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-    TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-    YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-    PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGES.
-
-2)
-    The 32-bit CRC compensation attack detector in deattack.c was
-    contributed by CORE SDI S.A. under a BSD-style license.
-
-     * Cryptographic attack detector for ssh - source code
-     *
-     * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
-     *
-     * All rights reserved. Redistribution and use in source and binary
-     * forms, with or without modification, are permitted provided that
-     * this copyright notice is retained.
-     *
-     * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-     * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
-     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
-     * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
-     * SOFTWARE.
-     *
-     * Ariel Futoransky <futo@core-sdi.com>
-     * <http://www.core-sdi.com>
-
-3)
-    ssh-keygen was contributed by David Mazieres under a BSD-style
-    license.
-
-     * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
-     *
-     * Modification and redistribution in source and binary forms is
-     * permitted provided that due credit is given to the author and the
-     * OpenBSD project by leaving this copyright notice intact.
-
-4)
-    The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
-    and Paulo Barreto is in the public domain and distributed
-    with the following license:
-
-     * @version 3.0 (December 2000)
-     *
-     * Optimised ANSI C code for the Rijndael cipher (now AES)
-     *
-     * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
-     * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
-     * @author Paulo Barreto <paulo.barreto@terra.com.br>
-     *
-     * This code is hereby placed in the public domain.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
-     * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-     * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-     * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
-     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-     * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-     * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-     * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-     * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-     * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
-     * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-5)
-    One component of the ssh source code is under a 3-clause BSD license,
-    held by the University of California, since we pulled these parts from
-    original Berkeley code.
-
-     * Copyright (c) 1983, 1990, 1992, 1993, 1995
-     *      The Regents of the University of California.  All rights reserved.
-     *
-     * Redistribution and use in source and binary forms, with or without
-     * modification, are permitted provided that the following conditions
-     * are met:
-     * 1. Redistributions of source code must retain the above copyright
-     *    notice, this list of conditions and the following disclaimer.
-     * 2. Redistributions in binary form must reproduce the above copyright
-     *    notice, this list of conditions and the following disclaimer in the
-     *    documentation and/or other materials provided with the distribution.
-     * 3. Neither the name of the University nor the names of its contributors
-     *    may be used to endorse or promote products derived from this software
-     *    without specific prior written permission.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-     * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-     * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-     * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-     * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-     * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-     * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-     * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-     * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-     * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-     * SUCH DAMAGE.
-
-6)
-    Remaining components of the software are provided under a standard
-    2-term BSD licence with the following names as copyright holders:
-
-       Markus Friedl
-       Theo de Raadt
-       Niels Provos
-       Dug Song
-       Aaron Campbell
-       Damien Miller
-       Kevin Steves
-       Daniel Kouril
-       Wesley Griffin
-       Per Allansson
-       Nils Nordman
-       Simon Wilkinson
-
-    Portable OpenSSH additionally includes code from the following copyright
-    holders, also under the 2-term BSD license:
-
-       Ben Lindstrom
-       Tim Rice
-       Andre Lucas
-       Chris Adams
-       Corinna Vinschen
-       Cray Inc.
-       Denis Parker
-       Gert Doering
-       Jakob Schlyter
-       Jason Downs
-       Juha Yrjölä
-       Michael Stone
-       Networks Associates Technology, Inc.
-       Solar Designer
-       Todd C. Miller
-       Wayne Schroeder
-       William Jones
-       Darren Tucker
-
-     * Redistribution and use in source and binary forms, with or without
-     * modification, are permitted provided that the following conditions
-     * are met:
-     * 1. Redistributions of source code must retain the above copyright
-     *    notice, this list of conditions and the following disclaimer.
-     * 2. Redistributions in binary form must reproduce the above copyright
-     *    notice, this list of conditions and the following disclaimer in the
-     *    documentation and/or other materials provided with the distribution.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-8) Portable OpenSSH contains the following additional licenses:
-
-    a) md5crypt.c, md5crypt.h
-
-        * "THE BEER-WARE LICENSE" (Revision 42):
-        * <phk@login.dknet.dk> wrote this file.  As long as you retain this
-        * notice you can do whatever you want with this stuff. If we meet
-        * some day, and you think this stuff is worth it, you can buy me a
-        * beer in return.   Poul-Henning Kamp
-
-    b) snprintf replacement
-
-       * Copyright Patrick Powell 1995
-       * This code is based on code written by Patrick Powell
-       * (papowell@astart.com) It may be used for any purpose as long as this
-       * notice remains intact on all source code distributions
-
-    c) Compatibility code (openbsd-compat)
-
-       Apart from the previously mentioned licenses, various pieces of code
-       in the openbsd-compat/ subdirectory are licensed as follows:
-
-       Some code is licensed under a 3-term BSD license, to the following
-       copyright holders:
-
-       Todd C. Miller
-       Theo de Raadt
-       Damien Miller
-       Eric P. Allman
-       The Regents of the University of California
-
-       * Redistribution and use in source and binary forms, with or without
-       * modification, are permitted provided that the following conditions
-       * are met:
-       * 1. Redistributions of source code must retain the above copyright
-       *    notice, this list of conditions and the following disclaimer.
-       * 2. Redistributions in binary form must reproduce the above copyright
-       *    notice, this list of conditions and the following disclaimer in the
-       *    documentation and/or other materials provided with the distribution.
-       * 3. Neither the name of the University nor the names of its contributors
-       *    may be used to endorse or promote products derived from this software
-       *    without specific prior written permission.
-       *
-       * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-       * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-       * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-       * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-       * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-       * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-       * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-       * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-       * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-       * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-       * SUCH DAMAGE.
-
-       Some code is licensed under an ISC-style license, to the following
-       copyright holders:
-
-       Internet Software Consortium.
-       Todd C. Miller
-
-       * Permission to use, copy, modify, and distribute this software for any
-       * purpose with or without fee is hereby granted, provided that the above
-       * copyright notice and this permission notice appear in all copies.
-       *
-       * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
-       * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
-       * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
-       * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-       * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-       * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-       * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-       Some code is licensed under a MIT-style license to the following
-       copyright holders:
-
-       Free Software Foundation, Inc.
-
-       * Permission is hereby granted, free of charge, to any person obtaining a  *
-       * copy of this software and associated documentation files (the            *
-       * "Software"), to deal in the Software without restriction, including      *
-       * without limitation the rights to use, copy, modify, merge, publish,      *
-       * distribute, distribute with modifications, sublicense, and/or sell       *
-       * copies of the Software, and to permit persons to whom the Software is    *
-       * furnished to do so, subject to the following conditions:                 *
-       *                                                                          *
-       * The above copyright notice and this permission notice shall be included  *
-       * in all copies or substantial portions of the Software.                   *
-       *                                                                          *
-       * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  *
-       * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               *
-       * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   *
-       * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   *
-       * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    *
-       * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    *
-       * THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               *
-       *                                                                          *
-       * Except as contained in this notice, the name(s) of the above copyright   *
-       * holders shall not be used in advertising or otherwise to promote the     *
-       * sale, use or other dealings in this Software without prior written       *
-       * authorization.                                                           *
-       ****************************************************************************/
-
-
-------
-$OpenBSD: LICENCE,v 1.18 2003/11/21 11:57:02 djm Exp $
diff --git a/crypto/openssh-3.9p1/README b/crypto/openssh-3.9p1/README
deleted file mode 100644 (file)
index 8724d8b..0000000
+++ /dev/null
@@ -1,64 +0,0 @@
-See http://www.openssh.com/txt/release-3.8.1 for the release notes.
-
-- A Japanese translation of this document and of the OpenSSH FAQ is
-- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
-- Thanks to HARUYAMA Seigo <haruyama@unixuser.org>
-
-This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
-Unices.
-
-OpenSSH is based on the last free version of Tatu Ylonen's sample
-implementation with all patent-encumbered algorithms removed (to
-external libraries), all known security bugs fixed, new features
-reintroduced and many other clean-ups.  OpenSSH has been created by
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
-and Dug Song. It has a homepage at http://www.openssh.com/
-
-This port consists of the re-introduction of autoconf support, PAM
-support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
-functions that are (regrettably) absent from other unices. This port
-has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
-NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare.
-
-This version actively tracks changes in the OpenBSD CVS repository.
-
-The PAM support is now more functional than the popular packages of
-commercial ssh-1.2.x. It checks "account" and "session" modules for
-all logins, not just when using password authentication.
-
-OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5].
-
-There is now several mailing lists for this port of OpenSSH. Please
-refer to http://www.openssh.com/list.html for details on how to join.
-
-Please send bug reports and patches to the mailing list
-openssh-unix-dev@mindrot.org. The list is open to posting by
-unsubscribed users.Code contribution are welcomed, but please follow the 
-OpenBSD style guidelines[6].
-
-Please refer to the INSTALL document for information on how to install
-OpenSSH on your system. There are a number of differences between this
-port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7]
-for details and general tips.
-
-Damien Miller <djm@mindrot.org>
-
-Miscellania -
-
-This version of OpenSSH is based upon code retrieved from the OpenBSD
-CVS repository which in turn was based on the last free sample
-implementation released by Tatu Ylonen.
-
-References -
-
-[0] http://www.openssh.com/faq.html
-[1] http://www.lothar.com/tech/crypto/
-[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
-[3] http://www.gzip.org/zlib/
-[4] http://www.openssl.org/
-[5] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris
-    and HP-UX 11)
-[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
-[7] http://www.openssh.com/faq.html
-
-$Id: README,v 1.56 2004/08/14 00:26:30 djm Exp $
diff --git a/crypto/openssh-3.9p1/README.DELETED b/crypto/openssh-3.9p1/README.DELETED
deleted file mode 100644 (file)
index a54fe82..0000000
+++ /dev/null
@@ -1,141 +0,0 @@
-.cvsignore
-ChangeLog
-Makefile.in
-OVERVIEW
-README.DELETED
-README.platform
-RFC.nroff
-WARNING.RNG
-acconfig.h
-aclocal.m4
-config.guess
-config.h.in
-config.sub
-configure
-configure.ac
-contrib
-contrib/Makefile
-contrib/README
-contrib/aix
-contrib/aix/README
-contrib/aix/buildbff.sh
-contrib/aix/inventory.sh
-contrib/aix/pam.conf
-contrib/caldera
-contrib/caldera/openssh.spec
-contrib/caldera/ssh-host-keygen
-contrib/caldera/sshd.init
-contrib/caldera/sshd.pam
-contrib/cygwin
-contrib/cygwin/Makefile
-contrib/cygwin/README
-contrib/cygwin/ssh-host-config
-contrib/cygwin/ssh-user-config
-contrib/findssl.sh
-contrib/gnome-ssh-askpass1.c
-contrib/gnome-ssh-askpass2.c
-contrib/hpux
-contrib/hpux/README
-contrib/hpux/egd
-contrib/hpux/egd.rc
-contrib/hpux/sshd
-contrib/hpux/sshd.rc
-contrib/redhat
-contrib/redhat/gnome-ssh-askpass.csh
-contrib/redhat/gnome-ssh-askpass.sh
-contrib/redhat/openssh.spec
-contrib/redhat/sshd.init
-contrib/redhat/sshd.init.old
-contrib/redhat/sshd.pam
-contrib/redhat/sshd.pam.old
-contrib/solaris
-contrib/solaris/README
-contrib/solaris/buildpkg.sh
-contrib/solaris/opensshd.in
-contrib/ssh-copy-id
-contrib/ssh-copy-id.1
-contrib/sshd.pam.freebsd
-contrib/sshd.pam.generic
-contrib/suse
-contrib/suse/openssh.spec
-contrib/suse/rc.config.sshd
-contrib/suse/rc.sshd
-fixpaths
-fixprogs
-install-sh
-mdoc2man.awk
-mkinstalldirs
-nchan.ms
-nchan2.ms
-openbsd-compat/.cvsignore
-openbsd-compat/Makefile.in
-regress
-regress/Makefile
-regress/README.regress
-regress/agent-getpeereid.sh
-regress/agent-ptrace.sh
-regress/agent-timeout.sh
-regress/agent.sh
-regress/banner.sh
-regress/broken-pipe.sh
-regress/bsd.regress.mk
-regress/connect-privsep.sh
-regress/connect.sh
-regress/dsa_ssh2.prv
-regress/dsa_ssh2.pub
-regress/dynamic-forward.sh
-regress/exit-status.sh
-regress/forwarding.sh
-regress/keygen-change.sh
-regress/keyscan.sh
-regress/login-timeout.sh
-regress/proto-mismatch.sh
-regress/proto-version.sh
-regress/proxy-connect.sh
-regress/reconfigure.sh
-regress/rekey.sh
-regress/rsa_openssh.prv
-regress/rsa_openssh.pub
-regress/rsa_ssh2.prv
-regress/runtests.sh
-regress/sftp-badcmds.sh
-regress/sftp-batch.sh
-regress/sftp-cmds.sh
-regress/sftp.sh
-regress/ssh-com-client.sh
-regress/ssh-com-keygen.sh
-regress/ssh-com-sftp.sh
-regress/ssh-com.sh
-regress/stderr-after-eof.sh
-regress/stderr-data.sh
-regress/t4.ok
-regress/t5.ok
-regress/test-exec.sh
-regress/transfer.sh
-regress/try-ciphers.sh
-regress/yes-head.sh
-scard
-scard/.cvsignore
-scard/Makefile.in
-scard/Ssh.bin
-scard/Ssh.bin.uu
-scard/Ssh.java
-scp.0
-sftp-server.0
-sftp.0
-ssh-add.0
-ssh-agent.0
-ssh-keygen.0
-ssh-keyscan.0
-ssh-keysign.0
-ssh-rand-helper.0
-ssh-rand-helper.8
-ssh-rand-helper.c
-ssh.0
-ssh_config.0
-ssh_prng_cmds.in
-sshd.0
-sshd_config.0
-stamp-h.in
-version.h
-
diff --git a/crypto/openssh-3.9p1/README.DRAGONFLY b/crypto/openssh-3.9p1/README.DRAGONFLY
deleted file mode 100644 (file)
index 6f768a8..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
-Original source can be downloaded from OpenBSD at
-ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.9p1.tar.gz
-
-A list of deleted files is in README.DELETED
-
diff --git a/crypto/openssh-3.9p1/README.dns b/crypto/openssh-3.9p1/README.dns
deleted file mode 100644 (file)
index 9787918..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-How to verify host keys using OpenSSH and DNS
----------------------------------------------
-
-OpenSSH contains support for verifying host keys using DNS as described in
-draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
-on how to use this feature. Configuring DNS is out of the scope of this
-document.
-
-
-(1) Server: Generate and publish the DNS RR
-
-To create a DNS resource record (RR) containing a fingerprint of the
-public host key, use the following command:
-
-       ssh-keygen -r hostname -f keyfile -g
-
-where "hostname" is your fully qualified hostname and "keyfile" is the
-file containing the public host key file. If you have multiple keys,
-you should generate one RR for each key.
-
-In the example above, ssh-keygen will print the fingerprint in a
-generic DNS RR format parsable by most modern name server
-implementations. If your nameserver has support for the SSHFP RR
-you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
-
-To publish the fingerprint using the DNS you must add the generated RR
-to your DNS zone file and sign your zone.
-
-
-(2) Client: Enable ssh to verify host keys using DNS
-
-To enable the ssh client to verify host keys using DNS, you have to
-add the following option to the ssh configuration file
-($HOME/.ssh/config or /etc/ssh/ssh_config):
-
-    VerifyHostKeyDNS yes
-
-Upon connection the client will try to look up the fingerprint RR
-using DNS. If the fingerprint received from the DNS server matches
-the remote host key, the user will be notified.
-
-
-       Jakob Schlyter
-       Wesley Griffin
-
-
-$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
diff --git a/crypto/openssh-3.9p1/README.privsep b/crypto/openssh-3.9p1/README.privsep
deleted file mode 100644 (file)
index 3240377..0000000
+++ /dev/null
@@ -1,64 +0,0 @@
-Privilege separation, or privsep, is method in OpenSSH by which
-operations that require root privilege are performed by a separate
-privileged monitor process.  Its purpose is to prevent privilege
-escalation by containing corruption to an unprivileged process.
-More information is available at:
-       http://www.citi.umich.edu/u/provos/ssh/privsep.html
-
-Privilege separation is now enabled by default; see the
-UsePrivilegeSeparation option in sshd_config(5).
-
-On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
-compression must be disabled in order for privilege separation to
-function.
-
-When privsep is enabled, during the pre-authentication phase sshd will
-chroot(2) to "/var/empty" and change its privileges to the "sshd" user
-and its primary group.  sshd is a pseudo-account that should not be
-used by other daemons, and must be locked and should contain a
-"nologin" or invalid shell.
-
-You should do something like the following to prepare the privsep
-preauth environment:
-
-       # mkdir /var/empty
-       # chown root:sys /var/empty
-       # chmod 755 /var/empty
-       # groupadd sshd
-       # useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
-
-/var/empty should not contain any files.
-
-configure supports the following options to change the default
-privsep user and chroot directory:
-
-  --with-privsep-path=xxx Path for privilege separation chroot
-  --with-privsep-user=user Specify non-privileged user for privilege separation
-
-Privsep requires operating system support for file descriptor passing.
-Compression will be disabled on systems without a working mmap MAP_ANON.
-
-PAM-enabled OpenSSH is known to function with privsep on Linux.
-It does not function on HP-UX with a trusted system
-configuration.
-
-On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
-part of privsep is supported.  Post-authentication privsep is disabled
-automatically (so you won't see the additional process mentioned below).
-
-Note that for a normal interactive login with a shell, enabling privsep
-will require 1 additional process per login session.
-
-Given the following process listing (from HP-UX):
-
-     UID   PID  PPID  C    STIME TTY       TIME COMMAND
-    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
-    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
- stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
- stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
-
-process 1005 is the sshd process listening for new connections.
-process 6917 is the privileged monitor process, 6919 is the user owned
-sshd process and 6921 is the shell process.
-
-$Id: README.privsep,v 1.14 2004/06/28 03:50:36 tim Exp $
diff --git a/crypto/openssh-3.9p1/README.smartcard b/crypto/openssh-3.9p1/README.smartcard
deleted file mode 100644 (file)
index fdf83ec..0000000
+++ /dev/null
@@ -1,93 +0,0 @@
-How to use smartcards with OpenSSH?
-
-OpenSSH contains experimental support for authentication using
-Cyberflex smartcards and TODOS card readers, in addition to the cards
-with PKCS#15 structure supported by OpenSC. To enable this you
-need to:
-
-Using libsectok:
-
-(1) enable sectok support in OpenSSH:
-
-       $ ./configure --with-sectok
-
-(2) If you have used a previous version of ssh with your card, you
-    must remove the old applet and keys.
-
-       $ sectok
-       sectok> login -d
-       sectok> junload Ssh.bin
-       sectok> delete 0012
-       sectok> delete sh
-       sectok> quit
-
-(3) load the Java Cardlet to the Cyberflex card and set card passphrase:
-
-       $ sectok
-       sectok> login -d
-       sectok> jload /usr/libdata/ssh/Ssh.bin
-       sectok> setpass
-       Enter new AUT0 passphrase:
-       Re-enter passphrase:
-       sectok> quit
-
-       Do not forget the passphrase.  There is no way to
-       recover if you do.
-
-       IMPORTANT WARNING: If you attempt to login with the
-       wrong passphrase three times in a row, you will
-       destroy your card.
-
-(4) load a RSA key to the card:
-
-       $ ssh-keygen -f /path/to/rsakey -U 1
-       (where 1 is the reader number, you can also try 0)
-
-       In spite of the name, this does not generate a key.
-       It just loads an already existing key on to the card.
-
-(5) Optional: If you don't want to use a card passphrase, change the
-    acl on the private key file:
-
-       $ sectok
-       sectok> login -d
-       sectok> acl 0012 world: w
-        world: w
-        AUT0: w inval
-       sectok> quit
-
-       If you do this, anyone who has access to your card
-       can assume your identity.  This is not recommended.
-
-
-Using OpenSC:
-
-(1) install OpenSC:
-
-       Sources and instructions are available from
-       http://www.opensc.org/
-
-(2) enable OpenSC support in OpenSSH:
-
-       $ ./configure --with-opensc[=/path/to/opensc] [options]
-
-(3) load a RSA key to the card:
-
-       Not supported yet.
-
-
-Common operations:
-
-(1) tell the ssh client to use the card reader:
-
-       $ ssh -I 1 otherhost
-
-(2) or tell the agent (don't forget to restart) to use the smartcard:
-
-       $ ssh-add -s 1
-
-
--markus,
-Tue Jul 17 23:54:51 CEST 2001
-
-$OpenBSD: README.smartcard,v 1.9 2003/11/21 11:57:02 djm Exp $
diff --git a/crypto/openssh-3.9p1/TODO b/crypto/openssh-3.9p1/TODO
deleted file mode 100644 (file)
index 1b1d03c..0000000
+++ /dev/null
@@ -1,97 +0,0 @@
-Documentation:
-
-- Update the docs
-  - Update README
-  - Update INSTALL
-  - Merge INSTALL & README.privsep
-
-- Install FAQ?
-
-- General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it
-  would be best to use them.
-
-- Create a Documentation/ directory?
-
-Programming:
-
-- Grep for 'XXX' comments and fix
-
-- Link order is incorrect for some systems using Kerberos 4 and AFS. Result
-  is multiple inclusion of DES symbols. Holger Trapp
-  <holger.trapp@hrz.tu-chemnitz.de> reports that changing the configure
-  generated link order from:
-       -lresolv -lkrb -lz -lnsl  -lutil -lkafs -lkrb -ldes -lcrypto
-  to:
-       -lresolv -lkrb -lz -lnsl  -lutil -lcrypto -lkafs -lkrb -ldes
-  fixing the problem.
-
-- Write a test program that calls stat() to search for EGD/PRNGd socket
-  rather than use the (non-portable) "test -S".
-
-- More platforms for for setproctitle() emulation (testing needed)
-
-- Improve PAM support (a pam_lastlog module will cause sshd to exit)
-  and maybe support alternate forms of authentications like OPIE via
-  pam?
-
-- Improve PAM ChallengeResponseAuthentication
- - Informational messages
- - chauthtok
- - Use different PAM service name for kbdint vs regular auth (suggest from
-   Solar Designer)
- - Ability to select which ChallengeResponseAuthentications may be used
-   and order to try them in e.g. "ChallengeResponseAuthentication skey, pam"
-
-- Complete Tru64 SIA support
- - It looks like we could merge it into the password auth code to cut down
-   on diff size. Maybe PAM password auth too?
-
-- Finish integrating kernel-level auditing code for IRIX and SOLARIS
-  (Gilbert.r.loomis@saic.com)
-
-- 64-bit builds on HP-UX 11.X (stevesk@pobox.com):
-  - utmp/wtmp get corrupted (something in loginrec?)
-  - can't build with PAM (no 64-bit libpam yet)
-
-Clean up configure/makefiles:
-- Clean up configure.ac - There are a few double #defined variables
-  left to do.  HAVE_LOGIN is one of them.  Consider NOT looking for
-  information in wtmpx or utmpx or any of that stuff if it's not detected
-  from the start
-
-- Fails to compile when cross compile. (vinschen@redhat.com)
-
-- Replace the whole u_intXX_t evilness in acconfig.h with something better???
- - Do it in configure.ac
-
-- Consider splitting the u_intXX_t test for sys/bitype.h  into seperate test
-  to allow people to (right/wrongfully) link against Bind directly.
-
-- Consider splitting configure.ac into seperate files which do logically
-  similar tests. E.g move all the type detection stuff into one file,
-  entropy related stuff into another.
-
-Packaging:
-- Solaris: Update packaging scripts and build new sysv startup scripts
-  Ideally the package metadata should be generated by autoconf.
-  (gilbert.r.loomis@saic.com)
-
-- HP-UX: Provide DEPOT package scripts.
-  (gilbert.r.loomis@saic.com)
-
-PrivSep Issues:
-- mmap() issues.
-  + /dev/zero solution (Solaris)
-  + No/broken MAP_ANON (Irix)
-  + broken /dev/zero parse (Linux)
-- PAM
-  + See above PAM notes
-- AIX
-  + usrinfo() does not set TTY, but only required for legacy systems.  Works
-    with PrivSep.
-- OSF
-  + SIA is broken
-- Cygwin
-  + Privsep for Pre-auth only (no fd passing)
-
-$Id: TODO,v 1.57 2004/02/11 09:44:13 dtucker Exp $
diff --git a/crypto/openssh-3.9p1/acss.c b/crypto/openssh-3.9p1/acss.c
deleted file mode 100644 (file)
index 9364ba9..0000000
+++ /dev/null
@@ -1,264 +0,0 @@
-/*     $Id: acss.c,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-#include <openssl/evp.h>
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
-
-#include "acss.h"
-
-/* decryption sbox */
-static unsigned char sboxdec[] = {
-       0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76, 
-       0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b, 
-       0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96, 
-       0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b, 
-       0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12, 
-       0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f, 
-       0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90, 
-       0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91, 
-       0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74, 
-       0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75, 
-       0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94, 
-       0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95, 
-       0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10, 
-       0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11, 
-       0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92, 
-       0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f, 
-       0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16, 
-       0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b, 
-       0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6, 
-       0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb, 
-       0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72, 
-       0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f, 
-       0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0, 
-       0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1, 
-       0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14, 
-       0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15, 
-       0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4, 
-       0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5, 
-       0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70, 
-       0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71, 
-       0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2, 
-       0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
-};
-
-/* encryption sbox */
-static unsigned char sboxenc[] = {
-       0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75,
-       0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b,
-       0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21,
-       0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f,
-       0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5,
-       0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab,
-       0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0,
-       0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2,
-       0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74,
-       0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76,
-       0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20,
-       0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22,
-       0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4,
-       0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6,
-       0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1,
-       0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf,
-       0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25,
-       0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b,
-       0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71,
-       0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f,
-       0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5,
-       0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb,
-       0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0,
-       0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2,
-       0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24,
-       0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26,
-       0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70,
-       0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72,
-       0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4,
-       0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6,
-       0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1,
-       0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff
-};
-
-static unsigned char reverse[] = {
-       0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0, 
-       0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0, 
-       0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8, 
-       0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8, 
-       0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4, 
-       0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4, 
-       0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec, 
-       0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc, 
-       0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2, 
-       0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2, 
-       0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea, 
-       0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa, 
-       0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6, 
-       0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6, 
-       0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee, 
-       0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe, 
-       0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1, 
-       0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1, 
-       0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9, 
-       0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9, 
-       0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5, 
-       0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5, 
-       0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed, 
-       0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd, 
-       0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3, 
-       0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3, 
-       0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb, 
-       0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb, 
-       0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7, 
-       0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7, 
-       0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef, 
-       0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff 
-};
-
-/*
- * Two linear feedback shift registers are used:
- *
- * lfsr17:  polynomial of degree 17, primitive modulo 2 (listed in Schneier)
- *          x^15 + x + 1
- * lfsr25:  polynomial of degree 25, not know if primitive modulo 2
- *          x^13 + x^5 + x^4 + x^1 + 1
- *
- * Output bits are discarded, instead the feedback bits are added to produce
- * the cipher stream.  Depending on the mode, feedback bytes may be inverted
- * bit-wise before addition.
- *
- * The lfsrs are seeded with bytes from the raw key:
- *
- * lfsr17:  byte 0[0:7] at bit 9
- *          byte 1[0:7] at bit 0
- *
- * lfsr25:  byte 2[0:4] at bit 16
- *          byte 2[5:7] at bit 22
- *          byte 3[0:7] at bit 8
- *          byte 4[0:7] at bit 0
- *
- * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in
- * lfsr25.
- *
- */
-
-int
-acss(ACSS_KEY *key, unsigned long len, const unsigned char *in,
-    unsigned char *out)
-{
-       unsigned long i;
-       unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp;
-
-       lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0;
-
-       /* keystream is sum of lfsrs */
-       for (i = 0; i < len; i++) {
-               lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14);
-               key->lfsr17 = (key->lfsr17 >> 8)
-                       ^ (lfsr17tmp << 9)
-                       ^ (lfsr17tmp << 12)
-                       ^ (lfsr17tmp << 15);
-               key->lfsr17 &= 0x1ffff; /* 17 bit LFSR */
-
-               lfsr25tmp = key->lfsr25
-                       ^ (key->lfsr25 >> 3)
-                       ^ (key->lfsr25 >> 4)
-                       ^ (key->lfsr25 >> 12);
-               key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17);
-               key->lfsr25 &= 0x1ffffff;       /* 25 bit LFSR */
-
-               lfsrsumtmp = key->lfsrsum;
-
-               /* addition */
-               switch (key->mode) {
-               case ACSS_AUTHENTICATE:
-               case ACSS_DATA:
-                       key->lfsrsum = 0xff & ~(key->lfsr17 >> 9);
-                       key->lfsrsum += key->lfsr25 >> 17;
-                       break;
-               case ACSS_SESSIONKEY:
-                       key->lfsrsum = key->lfsr17 >> 9;
-                       key->lfsrsum += key->lfsr25 >> 17;
-                       break;
-               case ACSS_TITLEKEY:
-                       key->lfsrsum = key->lfsr17 >> 9;
-                       key->lfsrsum += 0xff & ~(key->lfsr25 >> 17);
-                       break;
-               default:
-                       return 1;
-               }
-               key->lfsrsum += (lfsrsumtmp >> 8);
-
-               if (key->encrypt) {
-                       out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff];
-               } else {
-                       out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff;
-               }
-       }
-
-       return 0;
-}
-
-static void
-acss_seed(ACSS_KEY *key)
-{
-       int i;
-
-       /* if available, mangle with subkey */
-       if (key->subkey_avilable) {
-               for (i = 0; i < ACSS_KEYSIZE; i++)
-                       key->seed[i] = reverse[key->data[i] ^ key->subkey[i]];
-       } else {
-               for (i = 0; i < ACSS_KEYSIZE; i++)
-                       key->seed[i] = reverse[key->data[i]];
-       }
-
-       /* seed lfsrs */
-       key->lfsr17 = key->seed[1]
-               | (key->seed[0] << 9)
-               | (1 << 8);     /* inject 1 at bit 9 */
-       key->lfsr25 = key->seed[4]
-               | (key->seed[3] << 8)
-               | ((key->seed[2] & 0x1f) << 16)
-               | ((key->seed[2] & 0xe0) << 17)
-                       | (1 << 21);    /* inject 1 at bit 22 */
-
-       key->lfsrsum = 0;
-}
-
-void
-acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode)
-{
-       memcpy(key->data, data, sizeof(key->data));
-       memset(key->subkey, 0, sizeof(key->subkey));
-
-       if (enc != -1)
-               key->encrypt = enc;
-       key->mode = mode;
-       key->subkey_avilable = 0;
-
-       acss_seed(key);
-}
-
-void
-acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey)
-{
-       memcpy(key->subkey, subkey, sizeof(key->subkey));
-       key->subkey_avilable = 1;
-       acss_seed(key);
-}
-#endif
diff --git a/crypto/openssh-3.9p1/acss.h b/crypto/openssh-3.9p1/acss.h
deleted file mode 100644 (file)
index 91b4895..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-/*     $Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _ACSS_H_
-#define _ACSS_H_
-
-/* 40bit key */
-#define ACSS_KEYSIZE           5
-
-/* modes of acss */
-#define ACSS_AUTHENTICATE      0
-#define ACSS_SESSIONKEY                1
-#define ACSS_TITLEKEY          2
-#define ACSS_DATA              3
-
-typedef struct acss_key_st {
-       unsigned int    lfsr17;         /* current state of lfsrs */
-       unsigned int    lfsr25;
-       unsigned int    lfsrsum;
-       unsigned char   seed[ACSS_KEYSIZE];
-       unsigned char   data[ACSS_KEYSIZE];
-       unsigned char   subkey[ACSS_KEYSIZE];
-       int             encrypt;        /* XXX make these bit flags? */
-       int             mode;
-       int             seeded;
-       int             subkey_avilable;
-} ACSS_KEY;
-
-void acss_setkey(ACSS_KEY *, const unsigned char *, int, int);
-void acss_setsubkey(ACSS_KEY *, const unsigned char *);
-int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *);
-
-#endif /* ifndef _ACSS_H_ */
diff --git a/crypto/openssh-3.9p1/atomicio.c b/crypto/openssh-3.9p1/atomicio.c
deleted file mode 100644 (file)
index 7637e16..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: atomicio.c,v 1.12 2003/07/31 15:50:16 avsm Exp $");
-
-#include "atomicio.h"
-
-/*
- * ensure all of data on socket comes through. f==read || f==vwrite
- */
-ssize_t
-atomicio(f, fd, _s, n)
-       ssize_t (*f) (int, void *, size_t);
-       int fd;
-       void *_s;
-       size_t n;
-{
-       char *s = _s;
-       ssize_t res, pos = 0;
-
-       while (n > pos) {
-               res = (f) (fd, s + pos, n - pos);
-               switch (res) {
-               case -1:
-#ifdef EWOULDBLOCK
-                       if (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK)
-#else
-                       if (errno == EINTR || errno == EAGAIN)
-#endif
-                               continue;
-               case 0:
-                       return (res);
-               default:
-                       pos += res;
-               }
-       }
-       return (pos);
-}
diff --git a/crypto/openssh-3.9p1/atomicio.h b/crypto/openssh-3.9p1/atomicio.h
deleted file mode 100644 (file)
index 5c0f392..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-/*     $OpenBSD: atomicio.h,v 1.5 2003/06/28 16:23:06 deraadt Exp $    */
-
-/*
- * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Ensure all of data on socket comes through. f==read || f==vwrite
- */
-ssize_t        atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
-
-#define vwrite (ssize_t (*)(int, void *, size_t))write
diff --git a/crypto/openssh-3.9p1/auth-bsdauth.c b/crypto/openssh-3.9p1/auth-bsdauth.c
deleted file mode 100644 (file)
index 2ac27a7..0000000
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include "includes.h"
-RCSID("$OpenBSD: auth-bsdauth.c,v 1.5 2002/06/30 21:59:45 deraadt Exp $");
-
-#ifdef BSD_AUTH
-#include "xmalloc.h"
-#include "auth.h"
-#include "log.h"
-#include "monitor_wrap.h"
-
-static void *
-bsdauth_init_ctx(Authctxt *authctxt)
-{
-       return authctxt;
-}
-
-int
-bsdauth_query(void *ctx, char **name, char **infotxt,
-   u_int *numprompts, char ***prompts, u_int **echo_on)
-{
-       Authctxt *authctxt = ctx;
-       char *challenge = NULL;
-
-       if (authctxt->as != NULL) {
-               debug2("bsdauth_query: try reuse session");
-               challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
-               if (challenge == NULL) {
-                       auth_close(authctxt->as);
-                       authctxt->as = NULL;
-               }
-       }
-
-       if (challenge == NULL) {
-               debug2("bsdauth_query: new bsd auth session");
-               debug3("bsdauth_query: style %s",
-                   authctxt->style ? authctxt->style : "<default>");
-               authctxt->as = auth_userchallenge(authctxt->user,
-                   authctxt->style, "auth-ssh", &challenge);
-               if (authctxt->as == NULL)
-                       challenge = NULL;
-               debug2("bsdauth_query: <%s>", challenge ? challenge : "empty");
-       }
-
-       if (challenge == NULL)
-               return -1;
-
-       *name = xstrdup("");
-       *infotxt = xstrdup("");
-       *numprompts = 1;
-       *prompts = xmalloc(*numprompts * sizeof(char *));
-       *echo_on = xmalloc(*numprompts * sizeof(u_int));
-       (*echo_on)[0] = 0;
-       (*prompts)[0] = xstrdup(challenge);
-
-       return 0;
-}
-
-int
-bsdauth_respond(void *ctx, u_int numresponses, char **responses)
-{
-       Authctxt *authctxt = ctx;
-       int authok;
-
-       if (authctxt->as == 0)
-               error("bsdauth_respond: no bsd auth session");
-
-       if (numresponses != 1)
-               return -1;
-
-       authok = auth_userresponse(authctxt->as, responses[0], 0);
-       authctxt->as = NULL;
-       debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
-
-       return (authok == 0) ? -1 : 0;
-}
-
-static void
-bsdauth_free_ctx(void *ctx)
-{
-       Authctxt *authctxt = ctx;
-
-       if (authctxt && authctxt->as) {
-               auth_close(authctxt->as);
-               authctxt->as = NULL;
-       }
-}
-
-KbdintDevice bsdauth_device = {
-       "bsdauth",
-       bsdauth_init_ctx,
-       bsdauth_query,
-       bsdauth_respond,
-       bsdauth_free_ctx
-};
-
-KbdintDevice mm_bsdauth_device = {
-       "bsdauth",
-       bsdauth_init_ctx,
-       mm_bsdauth_query,
-       mm_bsdauth_respond,
-       bsdauth_free_ctx
-};
-#endif
diff --git a/crypto/openssh-3.9p1/auth-chall.c b/crypto/openssh-3.9p1/auth-chall.c
deleted file mode 100644 (file)
index a9d314d..0000000
+++ /dev/null
@@ -1,110 +0,0 @@
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-chall.c,v 1.9 2003/11/03 09:03:37 djm Exp $");
-
-#include "auth.h"
-#include "log.h"
-#include "xmalloc.h"
-
-/* limited protocol v1 interface to kbd-interactive authentication */
-
-extern KbdintDevice *devices[];
-static KbdintDevice *device;
-
-char *
-get_challenge(Authctxt *authctxt)
-{
-       char *challenge, *name, *info, **prompts;
-       u_int i, numprompts;
-       u_int *echo_on;
-
-       device = devices[0]; /* we always use the 1st device for protocol 1 */
-       if (device == NULL)
-               return NULL;
-       if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL)
-               return NULL;
-       if (device->query(authctxt->kbdintctxt, &name, &info,
-           &numprompts, &prompts, &echo_on)) {
-               device->free_ctx(authctxt->kbdintctxt);
-               authctxt->kbdintctxt = NULL;
-               return NULL;
-       }
-       if (numprompts < 1)
-               fatal("get_challenge: numprompts < 1");
-       challenge = xstrdup(prompts[0]);
-       for (i = 0; i < numprompts; i++)
-               xfree(prompts[i]);
-       xfree(prompts);
-       xfree(name);
-       xfree(echo_on);
-       xfree(info);
-
-       return (challenge);
-}
-int
-verify_response(Authctxt *authctxt, const char *response)
-{
-       char *resp[1], *name, *info, **prompts;
-       u_int i, numprompts, *echo_on;
-       int authenticated = 0;
-
-       if (device == NULL)
-               return 0;
-       if (authctxt->kbdintctxt == NULL)
-               return 0;
-       resp[0] = (char *)response;
-       switch (device->respond(authctxt->kbdintctxt, 1, resp)) {
-       case 0: /* Success */
-               authenticated = 1;
-               break;
-       case 1: /* Postponed - retry with empty query for PAM */
-               if ((device->query(authctxt->kbdintctxt, &name, &info,
-                   &numprompts, &prompts, &echo_on)) != 0)
-                       break;
-               if (numprompts == 0 &&
-                   device->respond(authctxt->kbdintctxt, 0, resp) == 0)
-                       authenticated = 1;
-
-               for (i = 0; i < numprompts; i++)
-                       xfree(prompts[i]);
-               xfree(prompts);
-               xfree(name);
-               xfree(echo_on);
-               xfree(info);
-               break;
-       }
-       device->free_ctx(authctxt->kbdintctxt);
-       authctxt->kbdintctxt = NULL;
-       return authenticated;
-}
-void
-abandon_challenge_response(Authctxt *authctxt)
-{
-       if (authctxt->kbdintctxt != NULL) {
-               device->free_ctx(authctxt->kbdintctxt);
-               authctxt->kbdintctxt = NULL;
-       }
-}
diff --git a/crypto/openssh-3.9p1/auth-krb5.c b/crypto/openssh-3.9p1/auth-krb5.c
deleted file mode 100644 (file)
index a324ff1..0000000
+++ /dev/null
@@ -1,232 +0,0 @@
-/*
- *    Kerberos v5 authentication and ticket-passing routines.
- *
- * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
- */
-/*
- * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
-
-#include "ssh.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "log.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "auth.h"
-
-#ifdef KRB5
-#include <krb5.h>
-
-extern ServerOptions    options;
-
-static int
-krb5_init(void *context)
-{
-       Authctxt *authctxt = (Authctxt *)context;
-       krb5_error_code problem;
-
-       if (authctxt->krb5_ctx == NULL) {
-               problem = krb5_init_context(&authctxt->krb5_ctx);
-               if (problem)
-                       return (problem);
-#ifdef KRB5_INIT_ETS
-               krb5_init_ets(authctxt->krb5_ctx);
-#endif
-       }
-       return (0);
-}
-
-int
-auth_krb5_password(Authctxt *authctxt, const char *password)
-{
-#ifndef HEIMDAL
-       krb5_creds creds;
-       krb5_principal server;
-       char ccname[40];
-       int tmpfd;
-       mode_t old_umask;
-#endif
-       krb5_error_code problem;
-       krb5_ccache ccache = NULL;
-       int len;
-
-       if (!authctxt->valid)
-               return (0);
-
-       temporarily_use_uid(authctxt->pw);
-
-       problem = krb5_init(authctxt);
-       if (problem)
-               goto out;
-
-       problem = krb5_parse_name(authctxt->krb5_ctx, authctxt->pw->pw_name,
-                   &authctxt->krb5_user);
-       if (problem)
-               goto out;
-
-#ifdef HEIMDAL
-       problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
-       if (problem)
-               goto out;
-
-       problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-               authctxt->krb5_user);
-       if (problem)
-               goto out;
-
-       restore_uid();
-
-       problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-           ccache, password, 1, NULL);
-
-       temporarily_use_uid(authctxt->pw);
-
-       if (problem)
-               goto out;
-
-       problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
-           &authctxt->krb5_fwd_ccache);
-       if (problem)
-               goto out;
-
-       problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
-           authctxt->krb5_fwd_ccache);
-       krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-       ccache = NULL;
-       if (problem)
-               goto out;
-
-#else
-       problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
-           authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
-       if (problem)
-               goto out;
-
-       problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
-           KRB5_NT_SRV_HST, &server);
-       if (problem)
-               goto out;
-
-       restore_uid();
-       problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
-           NULL, NULL, NULL);
-       krb5_free_principal(authctxt->krb5_ctx, server);
-       temporarily_use_uid(authctxt->pw);
-       if (problem)
-               goto out;
-
-       if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-                         authctxt->pw->pw_name)) {
-               problem = -1;
-               goto out;
-       }
-
-       snprintf(ccname,sizeof(ccname),"FILE:/tmp/krb5cc_%d_XXXXXX",geteuid());
-
-       old_umask = umask(0177);
-       tmpfd = mkstemp(ccname + strlen("FILE:"));
-       umask(old_umask);
-       if (tmpfd == -1) {
-               logit("mkstemp(): %.100s", strerror(errno));
-               problem = errno;
-               goto out;
-       }
-
-       if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-               logit("fchmod(): %.100s", strerror(errno));
-               close(tmpfd);
-               problem = errno;
-               goto out;
-       }
-       close(tmpfd);
-
-       problem = krb5_cc_resolve(authctxt->krb5_ctx, ccname, &authctxt->krb5_fwd_ccache);
-       if (problem)
-               goto out;
-
-       problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
-                                    authctxt->krb5_user);
-       if (problem)
-               goto out;
-
-       problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
-                                &creds);
-       if (problem)
-               goto out;
-#endif
-
-       authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-
-       len = strlen(authctxt->krb5_ticket_file) + 6;
-       authctxt->krb5_ccname = xmalloc(len);
-       snprintf(authctxt->krb5_ccname, len, "FILE:%s",
-           authctxt->krb5_ticket_file);
-
- out:
-       restore_uid();
-
-       if (problem) {
-               if (ccache)
-                       krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-
-               if (authctxt->krb5_ctx != NULL && problem!=-1)
-                       debug("Kerberos password authentication failed: %s",
-                           krb5_get_err_text(authctxt->krb5_ctx, problem));
-               else
-                       debug("Kerberos password authentication failed: %d",
-                           problem);
-
-               krb5_cleanup_proc(authctxt);
-
-               if (options.kerberos_or_local_passwd)
-                       return (-1);
-               else
-                       return (0);
-       }
-       return (1);
-}
-
-void
-krb5_cleanup_proc(Authctxt *authctxt)
-{
-       debug("krb5_cleanup_proc called");
-       if (authctxt->krb5_fwd_ccache) {
-               krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-               authctxt->krb5_fwd_ccache = NULL;
-       }
-       if (authctxt->krb5_user) {
-               krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
-               authctxt->krb5_user = NULL;
-       }
-       if (authctxt->krb5_ctx) {
-               krb5_free_context(authctxt->krb5_ctx);
-               authctxt->krb5_ctx = NULL;
-       }
-}
-
-#endif /* KRB5 */
diff --git a/crypto/openssh-3.9p1/auth-options.c b/crypto/openssh-3.9p1/auth-options.c
deleted file mode 100644 (file)
index 0e146ab..0000000
+++ /dev/null
@@ -1,300 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.28 2003/06/02 09:17:34 markus Exp $");
-
-#include "xmalloc.h"
-#include "match.h"
-#include "log.h"
-#include "canohost.h"
-#include "channels.h"
-#include "auth-options.h"
-#include "servconf.h"
-#include "misc.h"
-#include "monitor_wrap.h"
-#include "auth.h"
-
-/* Flags set authorized_keys flags */
-int no_port_forwarding_flag = 0;
-int no_agent_forwarding_flag = 0;
-int no_x11_forwarding_flag = 0;
-int no_pty_flag = 0;
-
-/* "command=" option. */
-char *forced_command = NULL;
-
-/* "environment=" options. */
-struct envstring *custom_environment = NULL;
-
-extern ServerOptions options;
-
-void
-auth_clear_options(void)
-{
-       no_agent_forwarding_flag = 0;
-       no_port_forwarding_flag = 0;
-       no_pty_flag = 0;
-       no_x11_forwarding_flag = 0;
-       while (custom_environment) {
-               struct envstring *ce = custom_environment;
-               custom_environment = ce->next;
-               xfree(ce->s);
-               xfree(ce);
-       }
-       if (forced_command) {
-               xfree(forced_command);
-               forced_command = NULL;
-       }
-       channel_clear_permitted_opens();
-       auth_debug_reset();
-}
-
-/*
- * return 1 if access is granted, 0 if not.
- * side effect: sets key option flags
- */
-int
-auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
-{
-       const char *cp;
-       int i;
-
-       /* reset options */
-       auth_clear_options();
-
-       if (!opts)
-               return 1;
-
-       while (*opts && *opts != ' ' && *opts != '\t') {
-               cp = "no-port-forwarding";
-               if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       auth_debug_add("Port forwarding disabled.");
-                       no_port_forwarding_flag = 1;
-                       opts += strlen(cp);
-                       goto next_option;
-               }
-               cp = "no-agent-forwarding";
-               if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       auth_debug_add("Agent forwarding disabled.");
-                       no_agent_forwarding_flag = 1;
-                       opts += strlen(cp);
-                       goto next_option;
-               }
-               cp = "no-X11-forwarding";
-               if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       auth_debug_add("X11 forwarding disabled.");
-                       no_x11_forwarding_flag = 1;
-                       opts += strlen(cp);
-                       goto next_option;
-               }
-               cp = "no-pty";
-               if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       auth_debug_add("Pty allocation disabled.");
-                       no_pty_flag = 1;
-                       opts += strlen(cp);
-                       goto next_option;
-               }
-               cp = "command=\"";
-               if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       opts += strlen(cp);
-                       forced_command = xmalloc(strlen(opts) + 1);
-                       i = 0;
-                       while (*opts) {
-                               if (*opts == '"')
-                                       break;
-                               if (*opts == '\\' && opts[1] == '"') {
-                                       opts += 2;
-                                       forced_command[i++] = '"';
-                                       continue;
-                               }
-                               forced_command[i++] = *opts++;
-                       }
-                       if (!*opts) {
-                               debug("%.100s, line %lu: missing end quote",
-                                   file, linenum);
-                               auth_debug_add("%.100s, line %lu: missing end quote",
-                                   file, linenum);
-                               xfree(forced_command);
-                               forced_command = NULL;
-                               goto bad_option;
-                       }
-                       forced_command[i] = 0;
-                       auth_debug_add("Forced command: %.900s", forced_command);
-                       opts++;
-                       goto next_option;
-               }
-               cp = "environment=\"";
-               if (options.permit_user_env &&
-                   strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       char *s;
-                       struct envstring *new_envstring;
-
-                       opts += strlen(cp);
-                       s = xmalloc(strlen(opts) + 1);
-                       i = 0;
-                       while (*opts) {
-                               if (*opts == '"')
-                                       break;
-                               if (*opts == '\\' && opts[1] == '"') {
-                                       opts += 2;
-                                       s[i++] = '"';
-                                       continue;
-                               }
-                               s[i++] = *opts++;
-                       }
-                       if (!*opts) {
-                               debug("%.100s, line %lu: missing end quote",
-                                   file, linenum);
-                               auth_debug_add("%.100s, line %lu: missing end quote",
-                                   file, linenum);
-                               xfree(s);
-                               goto bad_option;
-                       }
-                       s[i] = 0;
-                       auth_debug_add("Adding to environment: %.900s", s);
-                       debug("Adding to environment: %.900s", s);
-                       opts++;
-                       new_envstring = xmalloc(sizeof(struct envstring));
-                       new_envstring->s = s;
-                       new_envstring->next = custom_environment;
-                       custom_environment = new_envstring;
-                       goto next_option;
-               }
-               cp = "from=\"";
-               if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       const char *remote_ip = get_remote_ipaddr();
-                       const char *remote_host = get_canonical_hostname(
-                           options.use_dns);
-                       char *patterns = xmalloc(strlen(opts) + 1);
-
-                       opts += strlen(cp);
-                       i = 0;
-                       while (*opts) {
-                               if (*opts == '"')
-                                       break;
-                               if (*opts == '\\' && opts[1] == '"') {
-                                       opts += 2;
-                                       patterns[i++] = '"';
-                                       continue;
-                               }
-                               patterns[i++] = *opts++;
-                       }
-                       if (!*opts) {
-                               debug("%.100s, line %lu: missing end quote",
-                                   file, linenum);
-                               auth_debug_add("%.100s, line %lu: missing end quote",
-                                   file, linenum);
-                               xfree(patterns);
-                               goto bad_option;
-                       }
-                       patterns[i] = 0;
-                       opts++;
-                       if (match_host_and_ip(remote_host, remote_ip,
-                           patterns) != 1) {
-                               xfree(patterns);
-                               logit("Authentication tried for %.100s with "
-                                   "correct key but not from a permitted "
-                                   "host (host=%.200s, ip=%.200s).",
-                                   pw->pw_name, remote_host, remote_ip);
-                               auth_debug_add("Your host '%.200s' is not "
-                                   "permitted to use this key for login.",
-                                   remote_host);
-                               /* deny access */
-                               return 0;
-                       }
-                       xfree(patterns);
-                       /* Host name matches. */
-                       goto next_option;
-               }
-               cp = "permitopen=\"";
-               if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-                       char host[256], sport[6];
-                       u_short port;
-                       char *patterns = xmalloc(strlen(opts) + 1);
-
-                       opts += strlen(cp);
-                       i = 0;
-                       while (*opts) {
-                               if (*opts == '"')
-                                       break;
-                               if (*opts == '\\' && opts[1] == '"') {
-                                       opts += 2;
-                                       patterns[i++] = '"';
-                                       continue;
-                               }
-                               patterns[i++] = *opts++;
-                       }
-                       if (!*opts) {
-                               debug("%.100s, line %lu: missing end quote",
-                                   file, linenum);
-                               auth_debug_add("%.100s, line %lu: missing end quote",
-                                   file, linenum);
-                               xfree(patterns);
-                               goto bad_option;
-                       }
-                       patterns[i] = 0;
-                       opts++;
-                       if (sscanf(patterns, "%255[^:]:%5[0-9]", host, sport) != 2 &&
-                           sscanf(patterns, "%255[^/]/%5[0-9]", host, sport) != 2) {
-                               debug("%.100s, line %lu: Bad permitopen specification "
-                                   "<%.100s>", file, linenum, patterns);
-                               auth_debug_add("%.100s, line %lu: "
-                                   "Bad permitopen specification", file, linenum);
-                               xfree(patterns);
-                               goto bad_option;
-                       }
-                       if ((port = a2port(sport)) == 0) {
-                               debug("%.100s, line %lu: Bad permitopen port <%.100s>",
-                                   file, linenum, sport);
-                               auth_debug_add("%.100s, line %lu: "
-                                   "Bad permitopen port", file, linenum);
-                               xfree(patterns);
-                               goto bad_option;
-                       }
-                       if (options.allow_tcp_forwarding)
-                               channel_add_permitted_opens(host, port);
-                       xfree(patterns);
-                       goto next_option;
-               }
-next_option:
-               /*
-                * Skip the comma, and move to the next option
-                * (or break out if there are no more).
-                */
-               if (!*opts)
-                       fatal("Bugs in auth-options.c option processing.");
-               if (*opts == ' ' || *opts == '\t')
-                       break;          /* End of options. */
-               if (*opts != ',')
-                       goto bad_option;
-               opts++;
-               /* Process the next option. */
-       }
-
-       if (!use_privsep)
-               auth_debug_send();
-
-       /* grant access */
-       return 1;
-
-bad_option:
-       logit("Bad options in %.100s file, line %lu: %.50s",
-           file, linenum, opts);
-       auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
-           file, linenum, opts);
-
-       if (!use_privsep)
-               auth_debug_send();
-
-       /* deny access */
-       return 0;
-}
diff --git a/crypto/openssh-3.9p1/auth-options.h b/crypto/openssh-3.9p1/auth-options.h
deleted file mode 100644 (file)
index 15fb212..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-/*     $OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $       */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef AUTH_OPTIONS_H
-#define AUTH_OPTIONS_H
-
-/* Linked list of custom environment strings */
-struct envstring {
-       struct envstring *next;
-       char   *s;
-};
-
-/* Flags that may be set in authorized_keys options. */
-extern int no_port_forwarding_flag;
-extern int no_agent_forwarding_flag;
-extern int no_x11_forwarding_flag;
-extern int no_pty_flag;
-extern char *forced_command;
-extern struct envstring *custom_environment;
-
-int    auth_parse_options(struct passwd *, char *, char *, u_long);
-void   auth_clear_options(void);
-
-#endif
diff --git a/crypto/openssh-3.9p1/auth-pam.c b/crypto/openssh-3.9p1/auth-pam.c
deleted file mode 100644 (file)
index b93241f..0000000
+++ /dev/null
@@ -1,1115 +0,0 @@
-/*-
- * Copyright (c) 2002 Networks Associates Technology, Inc.
- * All rights reserved.
- *
- * This software was developed for the FreeBSD Project by ThinkSec AS and
- * NAI Labs, the Security Research Division of Network Associates, Inc.
- * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
- * DARPA CHATS research program.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-/*
- * Copyright (c) 2003,2004 Damien Miller <djm@mindrot.org>
- * Copyright (c) 2003,2004 Darren Tucker <dtucker@zip.com.au>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
-#include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.114 2004/08/16 13:12:06 dtucker Exp $");
-
-#ifdef USE_PAM
-#if defined(HAVE_SECURITY_PAM_APPL_H)
-#include <security/pam_appl.h>
-#elif defined (HAVE_PAM_PAM_APPL_H)
-#include <pam/pam_appl.h>
-#endif
-
-#include "auth.h"
-#include "auth-pam.h"
-#include "buffer.h"
-#include "bufaux.h"
-#include "canohost.h"
-#include "log.h"
-#include "monitor_wrap.h"
-#include "msg.h"
-#include "packet.h"
-#include "misc.h"
-#include "servconf.h"
-#include "ssh2.h"
-#include "xmalloc.h"
-#include "auth-options.h"
-
-extern ServerOptions options;
-extern Buffer loginmsg;
-extern int compat20;
-extern u_int utmp_len;
-
-#ifdef USE_POSIX_THREADS
-#include <pthread.h>
-/*
- * Avoid namespace clash when *not* using pthreads for systems *with*
- * pthreads, which unconditionally define pthread_t via sys/types.h
- * (e.g. Linux)
- */
-typedef pthread_t sp_pthread_t;
-#else
-typedef pid_t sp_pthread_t;
-#endif
-
-struct pam_ctxt {
-       sp_pthread_t     pam_thread;
-       int              pam_psock;
-       int              pam_csock;
-       int              pam_done;
-};
-
-static void sshpam_free_ctx(void *);
-static struct pam_ctxt *cleanup_ctxt;
-
-#ifndef USE_POSIX_THREADS
-/*
- * Simulate threads with processes.
- */
-
-static int sshpam_thread_status = -1;
-static mysig_t sshpam_oldsig;
-
-static void 
-sshpam_sigchld_handler(int sig)
-{
-       signal(SIGCHLD, SIG_DFL);
-       if (cleanup_ctxt == NULL)
-               return; /* handler called after PAM cleanup, shouldn't happen */
-       if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, WNOHANG)
-            <= 0) {
-               /* PAM thread has not exitted, privsep slave must have */
-               kill(cleanup_ctxt->pam_thread, SIGTERM);
-               if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
-                   <= 0)
-                       return; /* could not wait */
-       }
-       if (WIFSIGNALED(sshpam_thread_status) &&
-           WTERMSIG(sshpam_thread_status) == SIGTERM)
-               return; /* terminated by pthread_cancel */
-       if (!WIFEXITED(sshpam_thread_status))
-               fatal("PAM: authentication thread exited unexpectedly");
-       if (WEXITSTATUS(sshpam_thread_status) != 0)
-               fatal("PAM: authentication thread exited uncleanly");
-}
-
-static void
-pthread_exit(void *value __unused)
-{
-       _exit(0);
-}
-
-static int
-pthread_create(sp_pthread_t *thread, const void *attr __unused,
-    void *(*thread_start)(void *), void *arg)
-{
-       pid_t pid;
-
-       sshpam_thread_status = -1;
-       switch ((pid = fork())) {
-       case -1:
-               error("fork(): %s", strerror(errno));
-               return (-1);
-       case 0:
-               thread_start(arg);
-               _exit(1);
-       default:
-               *thread = pid;
-               sshpam_oldsig = signal(SIGCHLD, sshpam_sigchld_handler);
-               return (0);
-       }
-}
-
-static int
-pthread_cancel(sp_pthread_t thread)
-{
-       signal(SIGCHLD, sshpam_oldsig);
-       return (kill(thread, SIGTERM));
-}
-
-static int
-pthread_join(sp_pthread_t thread, void **value __unused)
-{
-       int status;
-
-       if (sshpam_thread_status != -1)
-               return (sshpam_thread_status);
-       signal(SIGCHLD, sshpam_oldsig);
-       waitpid(thread, &status, 0);
-       return (status);
-}
-#endif
-
-
-static pam_handle_t *sshpam_handle = NULL;
-static int sshpam_err = 0;
-static int sshpam_authenticated = 0;
-static int sshpam_session_open = 0;
-static int sshpam_cred_established = 0;
-static int sshpam_account_status = -1;
-static char **sshpam_env = NULL;
-static Authctxt *sshpam_authctxt = NULL;
-static const char *sshpam_password = NULL;
-
-/* Some PAM implementations don't implement this */
-#ifndef HAVE_PAM_GETENVLIST
-static char **
-pam_getenvlist(pam_handle_t *pamh)
-{
-       /*
-        * XXX - If necessary, we can still support envrionment passing
-        * for platforms without pam_getenvlist by searching for known
-        * env vars (e.g. KRB5CCNAME) from the PAM environment.
-        */
-        return NULL;
-}
-#endif
-
-/*
- * Some platforms, notably Solaris, do not enforce password complexity
- * rules during pam_chauthtok() if the real uid of the calling process
- * is 0, on the assumption that it's being called by "passwd" run by root.
- * This wraps pam_chauthtok and sets/restore the real uid so PAM will do
- * the right thing.
- */
-#ifdef SSHPAM_CHAUTHTOK_NEEDS_RUID
-static int
-sshpam_chauthtok_ruid(pam_handle_t *pamh, int flags)
-{
-       int result;
-
-       if (sshpam_authctxt == NULL)
-               fatal("PAM: sshpam_authctxt not initialized");
-       if (setreuid(sshpam_authctxt->pw->pw_uid, -1) == -1)
-               fatal("%s: setreuid failed: %s", __func__, strerror(errno));
-       result = pam_chauthtok(pamh, flags);
-       if (setreuid(0, -1) == -1)
-               fatal("%s: setreuid failed: %s", __func__, strerror(errno));
-       return result;
-}
-# define pam_chauthtok(a,b)    (sshpam_chauthtok_ruid((a), (b)))
-#endif
-
-void
-sshpam_password_change_required(int reqd)
-{
-       debug3("%s %d", __func__, reqd);
-       if (sshpam_authctxt == NULL)
-               fatal("%s: PAM authctxt not initialized", __func__);
-       sshpam_authctxt->force_pwchange = reqd;
-       if (reqd) {
-               no_port_forwarding_flag |= 2;
-               no_agent_forwarding_flag |= 2;
-               no_x11_forwarding_flag |= 2;
-       } else {
-               no_port_forwarding_flag &= ~2;
-               no_agent_forwarding_flag &= ~2;
-               no_x11_forwarding_flag &= ~2;
-       }
-}
-
-/* Import regular and PAM environment from subprocess */
-static void
-import_environments(Buffer *b)
-{
-       char *env;
-       u_int i, num_env;
-       int err;
-
-       debug3("PAM: %s entering", __func__);
-
-#ifndef USE_POSIX_THREADS
-       /* Import variables set by do_pam_account */
-       sshpam_account_status = buffer_get_int(b);
-       sshpam_password_change_required(buffer_get_int(b));
-
-       /* Import environment from subprocess */
-       num_env = buffer_get_int(b);
-       sshpam_env = xmalloc((num_env + 1) * sizeof(*sshpam_env));
-       debug3("PAM: num env strings %d", num_env);
-       for(i = 0; i < num_env; i++)
-               sshpam_env[i] = buffer_get_string(b, NULL);
-
-       sshpam_env[num_env] = NULL;
-
-       /* Import PAM environment from subprocess */
-       num_env = buffer_get_int(b);
-       debug("PAM: num PAM env strings %d", num_env);
-       for(i = 0; i < num_env; i++) {
-               env = buffer_get_string(b, NULL);
-
-#ifdef HAVE_PAM_PUTENV
-               /* Errors are not fatal here */
-               if ((err = pam_putenv(sshpam_handle, env)) != PAM_SUCCESS) {
-                       error("PAM: pam_putenv: %s",
-                           pam_strerror(sshpam_handle, sshpam_err));
-               }
-#endif
-       }
-#endif
-}
-
-/*
- * Conversation function for authentication thread.
- */
-static int
-sshpam_thread_conv(int n, struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-       Buffer buffer;
-       struct pam_ctxt *ctxt;
-       struct pam_response *reply;
-       int i;
-
-       debug3("PAM: %s entering, %d messages", __func__, n);
-       *resp = NULL;
-
-       if (data == NULL) {
-               error("PAM: conversation function passed a null context");
-               return (PAM_CONV_ERR);
-       }
-       ctxt = data;
-       if (n <= 0 || n > PAM_MAX_NUM_MSG)
-               return (PAM_CONV_ERR);
-
-       if ((reply = malloc(n * sizeof(*reply))) == NULL)
-               return (PAM_CONV_ERR);
-       memset(reply, 0, n * sizeof(*reply));
-
-       buffer_init(&buffer);
-       for (i = 0; i < n; ++i) {
-               switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-               case PAM_PROMPT_ECHO_OFF:
-                       buffer_put_cstring(&buffer,
-                           PAM_MSG_MEMBER(msg, i, msg));
-                       if (ssh_msg_send(ctxt->pam_csock,
-                           PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
-                               goto fail;
-                       if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
-                               goto fail;
-                       if (buffer_get_char(&buffer) != PAM_AUTHTOK)
-                               goto fail;
-                       reply[i].resp = buffer_get_string(&buffer, NULL);
-                       break;
-               case PAM_PROMPT_ECHO_ON:
-                       buffer_put_cstring(&buffer,
-                           PAM_MSG_MEMBER(msg, i, msg));
-                       if (ssh_msg_send(ctxt->pam_csock,
-                           PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
-                               goto fail;
-                       if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
-                               goto fail;
-                       if (buffer_get_char(&buffer) != PAM_AUTHTOK)
-                               goto fail;
-                       reply[i].resp = buffer_get_string(&buffer, NULL);
-                       break;
-               case PAM_ERROR_MSG:
-                       buffer_put_cstring(&buffer,
-                           PAM_MSG_MEMBER(msg, i, msg));
-                       if (ssh_msg_send(ctxt->pam_csock,
-                           PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
-                               goto fail;
-                       break;
-               case PAM_TEXT_INFO:
-                       buffer_put_cstring(&buffer,
-                           PAM_MSG_MEMBER(msg, i, msg));
-                       if (ssh_msg_send(ctxt->pam_csock,
-                           PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
-                               goto fail;
-                       break;
-               default:
-                       goto fail;
-               }
-               buffer_clear(&buffer);
-       }
-       buffer_free(&buffer);
-       *resp = reply;
-       return (PAM_SUCCESS);
-
- fail:
-       for(i = 0; i < n; i++) {
-               if (reply[i].resp != NULL)
-                       xfree(reply[i].resp);
-       }
-       xfree(reply);
-       buffer_free(&buffer);
-       return (PAM_CONV_ERR);
-}
-
-/*
- * Authentication thread.
- */
-static void *
-sshpam_thread(void *ctxtp)
-{
-       struct pam_ctxt *ctxt = ctxtp;
-       Buffer buffer;
-       struct pam_conv sshpam_conv;
-       int flags = (options.permit_empty_passwd == 0 ?
-           PAM_DISALLOW_NULL_AUTHTOK : 0);
-#ifndef USE_POSIX_THREADS
-       extern char **environ;
-       char **env_from_pam;
-       u_int i;
-       const char *pam_user;
-
-       pam_get_item(sshpam_handle, PAM_USER, (void **)&pam_user);
-       environ[0] = NULL;
-
-       if (sshpam_authctxt != NULL) {
-               setproctitle("%s [pam]",
-                   sshpam_authctxt->valid ? pam_user : "unknown");
-       }
-#endif
-
-       sshpam_conv.conv = sshpam_thread_conv;
-       sshpam_conv.appdata_ptr = ctxt;
-
-       if (sshpam_authctxt == NULL)
-               fatal("%s: PAM authctxt not initialized", __func__);
-
-       buffer_init(&buffer);
-       sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-           (const void *)&sshpam_conv);
-       if (sshpam_err != PAM_SUCCESS)
-               goto auth_fail;
-       sshpam_err = pam_authenticate(sshpam_handle, flags);
-       if (sshpam_err != PAM_SUCCESS)
-               goto auth_fail;
-
-       if (compat20) {
-               if (!do_pam_account())
-                       goto auth_fail;
-               if (sshpam_authctxt->force_pwchange) {
-                       sshpam_err = pam_chauthtok(sshpam_handle,
-                           PAM_CHANGE_EXPIRED_AUTHTOK);
-                       if (sshpam_err != PAM_SUCCESS)
-                               goto auth_fail;
-                       sshpam_password_change_required(0);
-               }
-       }
-
-       buffer_put_cstring(&buffer, "OK");
-
-#ifndef USE_POSIX_THREADS
-       /* Export variables set by do_pam_account */
-       buffer_put_int(&buffer, sshpam_account_status);
-       buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
-
-       /* Export any environment strings set in child */
-       for(i = 0; environ[i] != NULL; i++)
-               ; /* Count */
-       buffer_put_int(&buffer, i);
-       for(i = 0; environ[i] != NULL; i++)
-               buffer_put_cstring(&buffer, environ[i]);
-
-       /* Export any environment strings set by PAM in child */
-       env_from_pam = pam_getenvlist(sshpam_handle);
-       for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
-               ; /* Count */
-       buffer_put_int(&buffer, i);
-       for(i = 0; env_from_pam != NULL && env_from_pam[i] != NULL; i++)
-               buffer_put_cstring(&buffer, env_from_pam[i]);
-#endif /* USE_POSIX_THREADS */
-
-       /* XXX - can't do much about an error here */
-       ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer);
-       buffer_free(&buffer);
-       pthread_exit(NULL);
-
- auth_fail:
-       buffer_put_cstring(&buffer,
-           pam_strerror(sshpam_handle, sshpam_err));
-       /* XXX - can't do much about an error here */
-       ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
-       buffer_free(&buffer);
-       pthread_exit(NULL);
-
-       return (NULL); /* Avoid warning for non-pthread case */
-}
-
-void
-sshpam_thread_cleanup(void)
-{
-       struct pam_ctxt *ctxt = cleanup_ctxt;
-
-       debug3("PAM: %s entering", __func__);
-       if (ctxt != NULL && ctxt->pam_thread != 0) {
-               pthread_cancel(ctxt->pam_thread);
-               pthread_join(ctxt->pam_thread, NULL);
-               close(ctxt->pam_psock);
-               close(ctxt->pam_csock);
-               memset(ctxt, 0, sizeof(*ctxt));
-               cleanup_ctxt = NULL;
-       }
-}
-
-static int
-sshpam_null_conv(int n, struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-       debug3("PAM: %s entering, %d messages", __func__, n);
-       return (PAM_CONV_ERR);
-}
-
-static struct pam_conv null_conv = { sshpam_null_conv, NULL };
-
-void
-sshpam_cleanup(void)
-{
-       debug("PAM: cleanup");
-       if (sshpam_handle == NULL)
-               return;
-       pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
-       if (sshpam_cred_established) {
-               pam_setcred(sshpam_handle, PAM_DELETE_CRED);
-               sshpam_cred_established = 0;
-       }
-       if (sshpam_session_open) {
-               pam_close_session(sshpam_handle, PAM_SILENT);
-               sshpam_session_open = 0;
-       }
-       sshpam_authenticated = 0;
-       pam_end(sshpam_handle, sshpam_err);
-       sshpam_handle = NULL;
-}
-
-static int
-sshpam_init(Authctxt *authctxt)
-{
-       extern char *__progname;
-       const char *pam_rhost, *pam_user, *user = authctxt->user;
-
-       if (sshpam_handle != NULL) {
-               /* We already have a PAM context; check if the user matches */
-               sshpam_err = pam_get_item(sshpam_handle,
-                   PAM_USER, (void **)&pam_user);
-               if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
-                       return (0);
-               pam_end(sshpam_handle, sshpam_err);
-               sshpam_handle = NULL;
-       }
-       debug("PAM: initializing for \"%s\"", user);
-       sshpam_err =
-           pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
-       sshpam_authctxt = authctxt;
-
-       if (sshpam_err != PAM_SUCCESS) {
-               pam_end(sshpam_handle, sshpam_err);
-               sshpam_handle = NULL;
-               return (-1);
-       }
-       pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
-       debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
-       sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
-       if (sshpam_err != PAM_SUCCESS) {
-               pam_end(sshpam_handle, sshpam_err);
-               sshpam_handle = NULL;
-               return (-1);
-       }
-#ifdef PAM_TTY_KLUDGE
-       /*
-        * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
-        * sshd doesn't set the tty until too late in the auth process and
-        * may not even set one (for tty-less connections)
-        */
-       debug("PAM: setting PAM_TTY to \"ssh\"");
-       sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
-       if (sshpam_err != PAM_SUCCESS) {
-               pam_end(sshpam_handle, sshpam_err);
-               sshpam_handle = NULL;
-               return (-1);
-       }
-#endif
-       return (0);
-}
-
-static void *
-sshpam_init_ctx(Authctxt *authctxt)
-{
-       struct pam_ctxt *ctxt;
-       int socks[2];
-
-       debug3("PAM: %s entering", __func__);
-       /* Refuse to start if we don't have PAM enabled */
-       if (!options.use_pam)
-               return NULL;
-
-       /* Initialize PAM */
-       if (sshpam_init(authctxt) == -1) {
-               error("PAM: initialization failed");
-               return (NULL);
-       }
-
-       ctxt = xmalloc(sizeof *ctxt);
-       memset(ctxt, 0, sizeof(*ctxt));
-
-       /* Start the authentication thread */
-       if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
-               error("PAM: failed create sockets: %s", strerror(errno));
-               xfree(ctxt);
-               return (NULL);
-       }
-       ctxt->pam_psock = socks[0];
-       ctxt->pam_csock = socks[1];
-       if (pthread_create(&ctxt->pam_thread, NULL, sshpam_thread, ctxt) == -1) {
-               error("PAM: failed to start authentication thread: %s",
-                   strerror(errno));
-               close(socks[0]);
-               close(socks[1]);
-               xfree(ctxt);
-               return (NULL);
-       }
-       cleanup_ctxt = ctxt;
-       return (ctxt);
-}
-
-static int
-sshpam_query(void *ctx, char **name, char **info,
-    u_int *num, char ***prompts, u_int **echo_on)
-{
-       Buffer buffer;
-       struct pam_ctxt *ctxt = ctx;
-       size_t plen;
-       u_char type;
-       char *msg;
-       size_t len;
-
-       debug3("PAM: %s entering", __func__);
-       buffer_init(&buffer);
-       *name = xstrdup("");
-       *info = xstrdup("");
-       *prompts = xmalloc(sizeof(char *));
-       **prompts = NULL;
-       plen = 0;
-       *echo_on = xmalloc(sizeof(u_int));
-       while (ssh_msg_recv(ctxt->pam_psock, &buffer) == 0) {
-               type = buffer_get_char(&buffer);
-               msg = buffer_get_string(&buffer, NULL);
-               switch (type) {
-               case PAM_PROMPT_ECHO_ON:
-               case PAM_PROMPT_ECHO_OFF:
-                       *num = 1;
-                       len = plen + strlen(msg) + 1;
-                       **prompts = xrealloc(**prompts, len);
-                       plen += snprintf(**prompts + plen, len, "%s", msg);
-                       **echo_on = (type == PAM_PROMPT_ECHO_ON);
-                       xfree(msg);
-                       return (0);
-               case PAM_ERROR_MSG:
-               case PAM_TEXT_INFO:
-                       /* accumulate messages */
-                       len = plen + strlen(msg) + 2;
-                       **prompts = xrealloc(**prompts, len);
-                       plen += snprintf(**prompts + plen, len, "%s\n", msg);
-                       xfree(msg);
-                       break;
-               case PAM_SUCCESS:
-               case PAM_AUTH_ERR:
-                       if (**prompts != NULL) {
-                               /* drain any accumulated messages */
-                               debug("PAM: %s", **prompts);
-                               buffer_append(&loginmsg, **prompts,
-                                   strlen(**prompts));
-                               xfree(**prompts);
-                               **prompts = NULL;
-                       }
-                       if (type == PAM_SUCCESS) {
-                               import_environments(&buffer);
-                               *num = 0;
-                               **echo_on = 0;
-                               ctxt->pam_done = 1;
-                               xfree(msg);
-                               return (0);
-                       }
-                       error("PAM: %s for %s%.100s from %.100s", msg,
-                           sshpam_authctxt->valid ? "" : "illegal user ",
-                           sshpam_authctxt->user,
-                           get_remote_name_or_ip(utmp_len, options.use_dns));
-                       /* FALLTHROUGH */
-               default:
-                       *num = 0;
-                       **echo_on = 0;
-                       xfree(msg);
-                       ctxt->pam_done = -1;
-                       return (-1);
-               }
-       }
-       return (-1);
-}
-
-/* XXX - see also comment in auth-chall.c:verify_response */
-static int
-sshpam_respond(void *ctx, u_int num, char **resp)
-{
-       Buffer buffer;
-       struct pam_ctxt *ctxt = ctx;
-
-       debug2("PAM: %s entering, %d responses", __func__, num);
-       switch (ctxt->pam_done) {
-       case 1:
-               sshpam_authenticated = 1;
-               return (0);
-       case 0:
-               break;
-       default:
-               return (-1);
-       }
-       if (num != 1) {
-               error("PAM: expected one response, got %u", num);
-               return (-1);
-       }
-       buffer_init(&buffer);
-       buffer_put_cstring(&buffer, *resp);
-       if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
-               buffer_free(&buffer);
-               return (-1);
-       }
-       buffer_free(&buffer);
-       return (1);
-}
-
-static void
-sshpam_free_ctx(void *ctxtp)
-{
-       struct pam_ctxt *ctxt = ctxtp;
-
-       debug3("PAM: %s entering", __func__);
-       sshpam_thread_cleanup();
-       xfree(ctxt);
-       /*
-        * We don't call sshpam_cleanup() here because we may need the PAM
-        * handle at a later stage, e.g. when setting up a session.  It's
-        * still on the cleanup list, so pam_end() *will* be called before
-        * the server process terminates.
-        */
-}
-
-KbdintDevice sshpam_device = {
-       "pam",
-       sshpam_init_ctx,
-       sshpam_query,
-       sshpam_respond,
-       sshpam_free_ctx
-};
-
-KbdintDevice mm_sshpam_device = {
-       "pam",
-       mm_sshpam_init_ctx,
-       mm_sshpam_query,
-       mm_sshpam_respond,
-       mm_sshpam_free_ctx
-};
-
-/*
- * This replaces auth-pam.c
- */
-void
-start_pam(Authctxt *authctxt)
-{
-       if (!options.use_pam)
-               fatal("PAM: initialisation requested when UsePAM=no");
-
-       if (sshpam_init(authctxt) == -1)
-               fatal("PAM: initialisation failed");
-}
-
-void
-finish_pam(void)
-{
-       sshpam_cleanup();
-}
-
-u_int
-do_pam_account(void)
-{
-       if (sshpam_account_status != -1)
-               return (sshpam_account_status);
-
-       sshpam_err = pam_acct_mgmt(sshpam_handle, 0);
-       debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err);
-       
-       if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) {
-               sshpam_account_status = 0;
-               return (sshpam_account_status);
-       }
-
-       if (sshpam_err == PAM_NEW_AUTHTOK_REQD)
-               sshpam_password_change_required(1);
-
-       sshpam_account_status = 1;
-       return (sshpam_account_status);
-}
-
-void
-do_pam_set_tty(const char *tty)
-{
-       if (tty != NULL) {
-               debug("PAM: setting PAM_TTY to \"%s\"", tty);
-               sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, tty);
-               if (sshpam_err != PAM_SUCCESS)
-                       fatal("PAM: failed to set PAM_TTY: %s",
-                           pam_strerror(sshpam_handle, sshpam_err));
-       }
-}
-
-void
-do_pam_setcred(int init)
-{
-       sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-           (const void *)&null_conv);
-       if (sshpam_err != PAM_SUCCESS)
-               fatal("PAM: failed to set PAM_CONV: %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-       if (init) {
-               debug("PAM: establishing credentials");
-               sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
-       } else {
-               debug("PAM: reinitializing credentials");
-               sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
-       }
-       if (sshpam_err == PAM_SUCCESS) {
-               sshpam_cred_established = 1;
-               return;
-       }
-       if (sshpam_authenticated)
-               fatal("PAM: pam_setcred(): %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-       else
-               debug("PAM: pam_setcred(): %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-}
-
-static int
-sshpam_tty_conv(int n, struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-       char input[PAM_MAX_MSG_SIZE];
-       struct pam_response *reply;
-       int i;
-
-       debug3("PAM: %s called with %d messages", __func__, n);
-
-       *resp = NULL;
-
-       if (n <= 0 || n > PAM_MAX_NUM_MSG || !isatty(STDIN_FILENO))
-               return (PAM_CONV_ERR);
-
-       if ((reply = malloc(n * sizeof(*reply))) == NULL)
-               return (PAM_CONV_ERR);
-       memset(reply, 0, n * sizeof(*reply));
-
-       for (i = 0; i < n; ++i) {
-               switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-               case PAM_PROMPT_ECHO_OFF:
-                       reply[i].resp =
-                           read_passphrase(PAM_MSG_MEMBER(msg, i, msg),
-                           RP_ALLOW_STDIN);
-                       reply[i].resp_retcode = PAM_SUCCESS;
-                       break;
-               case PAM_PROMPT_ECHO_ON:
-                       fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
-                       fgets(input, sizeof input, stdin);
-                       if ((reply[i].resp = strdup(input)) == NULL)
-                               goto fail;
-                       reply[i].resp_retcode = PAM_SUCCESS;
-                       break;
-               case PAM_ERROR_MSG:
-               case PAM_TEXT_INFO:
-                       fprintf(stderr, "%s\n", PAM_MSG_MEMBER(msg, i, msg));
-                       reply[i].resp_retcode = PAM_SUCCESS;
-                       break;
-               default:
-                       goto fail;
-               }
-       }
-       *resp = reply;
-       return (PAM_SUCCESS);
-
- fail:
-       for(i = 0; i < n; i++) {
-               if (reply[i].resp != NULL)
-                       xfree(reply[i].resp);
-       }
-       xfree(reply);
-       return (PAM_CONV_ERR);
-}
-
-static struct pam_conv tty_conv = { sshpam_tty_conv, NULL };
-
-/*
- * XXX this should be done in the authentication phase, but ssh1 doesn't
- * support that
- */
-void
-do_pam_chauthtok(void)
-{
-       if (use_privsep)
-               fatal("Password expired (unable to change with privsep)");
-       sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-           (const void *)&tty_conv);
-       if (sshpam_err != PAM_SUCCESS)
-               fatal("PAM: failed to set PAM_CONV: %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-       debug("PAM: changing password");
-       sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
-       if (sshpam_err != PAM_SUCCESS)
-               fatal("PAM: pam_chauthtok(): %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-}
-
-static int
-sshpam_store_conv(int n, struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-       struct pam_response *reply;
-       int i;
-       size_t len;
-
-       debug3("PAM: %s called with %d messages", __func__, n);
-       *resp = NULL;
-
-       if (n <= 0 || n > PAM_MAX_NUM_MSG)
-               return (PAM_CONV_ERR);
-
-       if ((reply = malloc(n * sizeof(*reply))) == NULL)
-               return (PAM_CONV_ERR);
-       memset(reply, 0, n * sizeof(*reply));
-
-       for (i = 0; i < n; ++i) {
-               switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-               case PAM_ERROR_MSG:
-               case PAM_TEXT_INFO:
-                       len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-                       buffer_append(&loginmsg, PAM_MSG_MEMBER(msg, i, msg), len);
-                       buffer_append(&loginmsg, "\n", 1 );
-                       reply[i].resp_retcode = PAM_SUCCESS;
-                       break;
-               default:
-                       goto fail;
-               }
-       }
-       *resp = reply;
-       return (PAM_SUCCESS);
-
- fail:
-       for(i = 0; i < n; i++) {
-               if (reply[i].resp != NULL)
-                       xfree(reply[i].resp);
-       }
-       xfree(reply);
-       return (PAM_CONV_ERR);
-}
-
-static struct pam_conv store_conv = { sshpam_store_conv, NULL };
-
-void
-do_pam_session(void)
-{
-       debug3("PAM: opening session");
-       sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-           (const void *)&store_conv);
-       if (sshpam_err != PAM_SUCCESS)
-               fatal("PAM: failed to set PAM_CONV: %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-       sshpam_err = pam_open_session(sshpam_handle, 0);
-       if (sshpam_err != PAM_SUCCESS)
-               fatal("PAM: pam_open_session(): %s",
-                   pam_strerror(sshpam_handle, sshpam_err));
-       sshpam_session_open = 1;
-}
-
-/*
- * Set a PAM environment string. We need to do this so that the session
- * modules can handle things like Kerberos/GSI credentials that appear
- * during the ssh authentication process.
- */
-int
-do_pam_putenv(char *name, char *value)
-{
-       int ret = 1;
-#ifdef HAVE_PAM_PUTENV
-       char *compound;
-       size_t len;
-
-       len = strlen(name) + strlen(value) + 2;
-       compound = xmalloc(len);
-
-       snprintf(compound, len, "%s=%s", name, value);
-       ret = pam_putenv(sshpam_handle, compound);
-       xfree(compound);
-#endif
-
-       return (ret);
-}
-
-char **
-fetch_pam_child_environment(void)
-{
-       return sshpam_env;
-}
-
-char **
-fetch_pam_environment(void)
-{
-       return (pam_getenvlist(sshpam_handle));
-}
-
-void
-free_pam_environment(char **env)
-{
-       char **envp;
-
-       if (env == NULL)
-               return;
-
-       for (envp = env; *envp; envp++)
-               xfree(*envp);
-       xfree(env);
-}
-
-/*
- * "Blind" conversation function for password authentication.  Assumes that
- * echo-off prompts are for the password and stores messages for later
- * display.
- */
-static int
-sshpam_passwd_conv(int n, struct pam_message **msg,
-    struct pam_response **resp, void *data)
-{
-       struct pam_response *reply;
-       int i;
-       size_t len;
-
-       debug3("PAM: %s called with %d messages", __func__, n);
-
-       *resp = NULL;
-
-       if (n <= 0 || n > PAM_MAX_NUM_MSG)
-               return (PAM_CONV_ERR);
-
-       if ((reply = malloc(n * sizeof(*reply))) == NULL)
-               return (PAM_CONV_ERR);
-       memset(reply, 0, n * sizeof(*reply));
-
-       for (i = 0; i < n; ++i) {
-               switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
-               case PAM_PROMPT_ECHO_OFF:
-                       if (sshpam_password == NULL)
-                               goto fail;
-                       if ((reply[i].resp = strdup(sshpam_password)) == NULL)
-                               goto fail;
-                       reply[i].resp_retcode = PAM_SUCCESS;
-                       break;
-               case PAM_ERROR_MSG:
-               case PAM_TEXT_INFO:
-                       len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-                       if (len > 0) {
-                               buffer_append(&loginmsg,
-                                   PAM_MSG_MEMBER(msg, i, msg), len);
-                               buffer_append(&loginmsg, "\n", 1);
-                       }
-                       if ((reply[i].resp = strdup("")) == NULL)
-                               goto fail;
-                       reply[i].resp_retcode = PAM_SUCCESS;
-                       break;
-               default:
-                       goto fail;
-               }
-       }
-       *resp = reply;
-       return (PAM_SUCCESS);
-
- fail: 
-       for(i = 0; i < n; i++) {
-               if (reply[i].resp != NULL)
-                       xfree(reply[i].resp);
-       }
-       xfree(reply);
-       return (PAM_CONV_ERR);
-}
-
-static struct pam_conv passwd_conv = { sshpam_passwd_conv, NULL };
-
-/*
- * Attempt password authentication via PAM
- */
-int
-sshpam_auth_passwd(Authctxt *authctxt, const char *password)
-{
-       int flags = (options.permit_empty_passwd == 0 ?
-           PAM_DISALLOW_NULL_AUTHTOK : 0);
-       static char badpw[] = "\b\n\r\177INCORRECT";
-
-       if (!options.use_pam || sshpam_handle == NULL)
-               fatal("PAM: %s called when PAM disabled or failed to "
-                   "initialise.", __func__);
-
-       sshpam_password = password;
-       sshpam_authctxt = authctxt;
-
-       /*
-        * If the user logging in is invalid, or is root but is not permitted
-        * by PermitRootLogin, use an invalid password to prevent leaking
-        * information via timing (eg if the PAM config has a delay on fail).
-        */
-       if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
-            options.permit_root_login != PERMIT_YES))
-               sshpam_password = badpw;
-
-       sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
-           (const void *)&passwd_conv);
-       if (sshpam_err != PAM_SUCCESS)
-               fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
-                   pam_strerror(sshpam_handle, sshpam_err));
-
-       sshpam_err = pam_authenticate(sshpam_handle, flags);
-       sshpam_password = NULL;
-       if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
-               debug("PAM: password authentication accepted for %.100s",
-                   authctxt->user);
-               return 1;
-       } else {
-               debug("PAM: password authentication failed for %.100s: %s",
-                   authctxt->valid ? authctxt->user : "an illegal user",
-                   pam_strerror(sshpam_handle, sshpam_err));
-               return 0;
-       }
-}
-#endif /* USE_PAM */
diff --git a/crypto/openssh-3.9p1/auth-pam.h b/crypto/openssh-3.9p1/auth-pam.h
deleted file mode 100644 (file)
index f479413..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-/* $Id: auth-pam.h,v 1.26 2004/05/30 10:43:59 dtucker Exp $ */
-
-/*
- * Copyright (c) 2000 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#ifdef USE_PAM
-
-#if !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE              __progname
-#endif
-
-void start_pam(Authctxt *);
-void finish_pam(void);
-u_int do_pam_account(void);
-void do_pam_session(void);
-void do_pam_set_tty(const char *);
-void do_pam_setcred(int );
-void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
-char ** fetch_pam_environment(void);
-char ** fetch_pam_child_environment(void);
-void free_pam_environment(char **);
-void sshpam_thread_cleanup(void);
-void sshpam_cleanup(void);
-int sshpam_auth_passwd(Authctxt *, const char *);
-
-#endif /* USE_PAM */
diff --git a/crypto/openssh-3.9p1/auth-passwd.c b/crypto/openssh-3.9p1/auth-passwd.c
deleted file mode 100644 (file)
index 7a68e05..0000000
+++ /dev/null
@@ -1,155 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Password authentication.  This file contains the functions to check whether
- * the password is valid for the user.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 1999 Dug Song.  All rights reserved.
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
-
-#include "packet.h"
-#include "log.h"
-#include "servconf.h"
-#include "auth.h"
-#include "auth-options.h"
-
-extern ServerOptions options;
-int sys_auth_passwd(Authctxt *, const char *);
-
-void
-disable_forwarding(void)
-{
-       no_port_forwarding_flag = 1;
-       no_agent_forwarding_flag = 1;
-       no_x11_forwarding_flag = 1;
-}
-
-/*
- * Tries to authenticate the user using password.  Returns true if
- * authentication succeeds.
- */
-int
-auth_password(Authctxt *authctxt, const char *password)
-{
-       struct passwd * pw = authctxt->pw;
-       int ok = authctxt->valid;
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-       static int expire_checked = 0;
-#endif
-
-#ifndef HAVE_CYGWIN
-       if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-               ok = 0;
-#endif
-       if (*password == '\0' && options.permit_empty_passwd == 0)
-               return 0;
-
-#ifdef KRB5
-       if (options.kerberos_authentication == 1) {
-               int ret = auth_krb5_password(authctxt, password);
-               if (ret == 1 || ret == 0)
-                       return ret && ok;
-               /* Fall back to ordinary passwd authentication. */
-       }
-#endif
-#ifdef HAVE_CYGWIN
-       if (is_winnt) {
-               HANDLE hToken = cygwin_logon_user(pw, password);
-
-               if (hToken == INVALID_HANDLE_VALUE)
-                       return 0;
-               cygwin_set_impersonation_token(hToken);
-               return ok;
-       }
-#endif
-#ifdef USE_PAM
-       if (options.use_pam)
-               return (sshpam_auth_passwd(authctxt, password) && ok);
-#endif
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-       if (!expire_checked) {
-               expire_checked = 1;
-               if (auth_shadow_pwexpired(authctxt)) {
-                       disable_forwarding();
-                       authctxt->force_pwchange = 1;
-               }
-       }
-#endif
-               
-       return (sys_auth_passwd(authctxt, password) && ok);
-}
-
-#ifdef BSD_AUTH
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-       struct passwd *pw = authctxt->pw;
-       auth_session_t *as;
-
-       as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
-           (char *)password);
-       if (auth_getstate(as) & AUTH_PWEXPIRED) {
-               auth_close(as);
-               disable_forwarding();
-               authctxt->force_pwchange = 1;
-               return (1);
-       } else {
-               return (auth_close(as));
-       }
-}
-#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-       struct passwd *pw = authctxt->pw;
-       char *encrypted_password;
-
-       /* Just use the supplied fake password if authctxt is invalid */
-       char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
-
-       /* Check for users with no password. */
-       if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
-               return (1);
-
-       /* Encrypt the candidate password using the proper salt. */
-       encrypted_password = xcrypt(password,
-           (pw_password[0] && pw_password[1]) ? pw_password : "xx");
-
-       /*
-        * Authentication is accepted if the encrypted passwords
-        * are identical.
-        */
-       return (strcmp(encrypted_password, pw_password) == 0);
-}
-#endif
diff --git a/crypto/openssh-3.9p1/auth-rh-rsa.c b/crypto/openssh-3.9p1/auth-rh-rsa.c
deleted file mode 100644 (file)
index 29eb538..0000000
+++ /dev/null
@@ -1,92 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Rhosts or /etc/hosts.equiv authentication combined with RSA host
- * authentication.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.37 2003/11/04 08:54:09 djm Exp $");
-
-#include "packet.h"
-#include "uidswap.h"
-#include "log.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "pathnames.h"
-#include "auth.h"
-#include "canohost.h"
-
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-
-int
-auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
-    Key *client_host_key)
-{
-       HostStatus host_status;
-
-       /* Check if we would accept it using rhosts authentication. */
-       if (!auth_rhosts(pw, cuser))
-               return 0;
-
-       host_status = check_key_in_hostfiles(pw, client_host_key,
-           chost, _PATH_SSH_SYSTEM_HOSTFILE,
-           options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-
-       return (host_status == HOST_OK);
-}
-
-/*
- * Tries to authenticate the user using the .rhosts file and the host using
- * its host key.  Returns true if authentication succeeds.
- */
-int
-auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
-{
-       char *chost;
-       struct passwd *pw = authctxt->pw;
-
-       debug("Trying rhosts with RSA host authentication for client user %.100s",
-           cuser);
-
-       if (!authctxt->valid || client_host_key == NULL ||
-           client_host_key->rsa == NULL)
-               return 0;
-
-       chost = (char *)get_canonical_hostname(options.use_dns);
-       debug("Rhosts RSA authentication: canonical host %.900s", chost);
-
-       if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
-               debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
-               packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
-               return 0;
-       }
-       /* A matching host key was found and is known. */
-
-       /* Perform the challenge-response dialog with the client for the host key. */
-       if (!auth_rsa_challenge_dialog(client_host_key)) {
-               logit("Client on %.800s failed to respond correctly to host authentication.",
-                   chost);
-               return 0;
-       }
-       /*
-        * We have authenticated the user using .rhosts or /etc/hosts.equiv,
-        * and the host using RSA. We accept the authentication.
-        */
-
-       verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
-          pw->pw_name, cuser, chost);
-       packet_send_debug("Rhosts with RSA host authentication accepted.");
-       return 1;
-}
diff --git a/crypto/openssh-3.9p1/auth-rhosts.c b/crypto/openssh-3.9p1/auth-rhosts.c
deleted file mode 100644 (file)
index 585246e..0000000
+++ /dev/null
@@ -1,295 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Rhosts authentication.  This file contains code to check whether to admit
- * the login based on rhosts authentication.  This file also processes
- * /etc/hosts.equiv.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.32 2003/11/04 08:54:09 djm Exp $");
-
-#include "packet.h"
-#include "uidswap.h"
-#include "pathnames.h"
-#include "log.h"
-#include "servconf.h"
-#include "canohost.h"
-#include "auth.h"
-
-/* import */
-extern ServerOptions options;
-extern int use_privsep;
-
-/*
- * This function processes an rhosts-style file (.rhosts, .shosts, or
- * /etc/hosts.equiv).  This returns true if authentication can be granted
- * based on the file, and returns zero otherwise.
- */
-
-static int
-check_rhosts_file(const char *filename, const char *hostname,
-                 const char *ipaddr, const char *client_user,
-                 const char *server_user)
-{
-       FILE *f;
-       char buf[1024]; /* Must not be larger than host, user, dummy below. */
-
-       /* Open the .rhosts file, deny if unreadable */
-       f = fopen(filename, "r");
-       if (!f)
-               return 0;
-
-       while (fgets(buf, sizeof(buf), f)) {
-               /* All three must be at least as big as buf to avoid overflows. */
-               char hostbuf[1024], userbuf[1024], dummy[1024], *host, *user, *cp;
-               int negated;
-
-               for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
-                       ;
-               if (*cp == '#' || *cp == '\n' || !*cp)
-                       continue;
-
-               /*
-                * NO_PLUS is supported at least on OSF/1.  We skip it (we
-                * don't ever support the plus syntax).
-                */
-               if (strncmp(cp, "NO_PLUS", 7) == 0)
-                       continue;
-
-               /*
-                * This should be safe because each buffer is as big as the
-                * whole string, and thus cannot be overwritten.
-                */
-               switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf,
-                   dummy)) {
-               case 0:
-                       auth_debug_add("Found empty line in %.100s.", filename);
-                       continue;
-               case 1:
-                       /* Host name only. */
-                       strlcpy(userbuf, server_user, sizeof(userbuf));
-                       break;
-               case 2:
-                       /* Got both host and user name. */
-                       break;
-               case 3:
-                       auth_debug_add("Found garbage in %.100s.", filename);
-                       continue;
-               default:
-                       /* Weird... */
-                       continue;
-               }
-
-               host = hostbuf;
-               user = userbuf;
-               negated = 0;
-
-               /* Process negated host names, or positive netgroups. */
-               if (host[0] == '-') {
-                       negated = 1;
-                       host++;
-               } else if (host[0] == '+')
-                       host++;
-
-               if (user[0] == '-') {
-                       negated = 1;
-                       user++;
-               } else if (user[0] == '+')
-                       user++;
-
-               /* Check for empty host/user names (particularly '+'). */
-               if (!host[0] || !user[0]) {
-                       /* We come here if either was '+' or '-'. */
-                       auth_debug_add("Ignoring wild host/user names in %.100s.",
-                           filename);
-                       continue;
-               }
-               /* Verify that host name matches. */
-               if (host[0] == '@') {
-                       if (!innetgr(host + 1, hostname, NULL, NULL) &&
-                           !innetgr(host + 1, ipaddr, NULL, NULL))
-                               continue;
-               } else if (strcasecmp(host, hostname) && strcmp(host, ipaddr) != 0)
-                       continue;       /* Different hostname. */
-
-               /* Verify that user name matches. */
-               if (user[0] == '@') {
-                       if (!innetgr(user + 1, NULL, client_user, NULL))
-                               continue;
-               } else if (strcmp(user, client_user) != 0)
-                       continue;       /* Different username. */
-
-               /* Found the user and host. */
-               fclose(f);
-
-               /* If the entry was negated, deny access. */
-               if (negated) {
-                       auth_debug_add("Matched negative entry in %.100s.",
-                            filename);
-                       return 0;
-               }
-               /* Accept authentication. */
-               return 1;
-       }
-
-       /* Authentication using this file denied. */
-       fclose(f);
-       return 0;
-}
-
-/*
- * Tries to authenticate the user using the .shosts or .rhosts file. Returns
- * true if authentication succeeds.  If ignore_rhosts is true, only
- * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
- */
-
-int
-auth_rhosts(struct passwd *pw, const char *client_user)
-{
-       const char *hostname, *ipaddr;
-
-       hostname = get_canonical_hostname(options.use_dns);
-       ipaddr = get_remote_ipaddr();
-       return auth_rhosts2(pw, client_user, hostname, ipaddr);
-}
-
-static int
-auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname,
-    const char *ipaddr)
-{
-       char buf[1024];
-       struct stat st;
-       static const char *rhosts_files[] = {".shosts", ".rhosts", NULL};
-       u_int rhosts_file_index;
-
-       debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s",
-           client_user, hostname, ipaddr);
-
-       /* Switch to the user's uid. */
-       temporarily_use_uid(pw);
-       /*
-        * Quick check: if the user has no .shosts or .rhosts files, return
-        * failure immediately without doing costly lookups from name
-        * servers.
-        */
-       for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
-           rhosts_file_index++) {
-               /* Check users .rhosts or .shosts. */
-               snprintf(buf, sizeof buf, "%.500s/%.100s",
-                        pw->pw_dir, rhosts_files[rhosts_file_index]);
-               if (stat(buf, &st) >= 0)
-                       break;
-       }
-       /* Switch back to privileged uid. */
-       restore_uid();
-
-       /* Deny if The user has no .shosts or .rhosts file and there are no system-wide files. */
-       if (!rhosts_files[rhosts_file_index] &&
-           stat(_PATH_RHOSTS_EQUIV, &st) < 0 &&
-           stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0)
-               return 0;
-
-       /* If not logging in as superuser, try /etc/hosts.equiv and shosts.equiv. */
-       if (pw->pw_uid != 0) {
-               if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
-                   client_user, pw->pw_name)) {
-                       auth_debug_add("Accepted for %.100s [%.100s] by /etc/hosts.equiv.",
-                           hostname, ipaddr);
-                       return 1;
-               }
-               if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
-                   client_user, pw->pw_name)) {
-                       auth_debug_add("Accepted for %.100s [%.100s] by %.100s.",
-                           hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
-                       return 1;
-               }
-       }
-       /*
-        * Check that the home directory is owned by root or the user, and is
-        * not group or world writable.
-        */
-       if (stat(pw->pw_dir, &st) < 0) {
-               logit("Rhosts authentication refused for %.100s: "
-                   "no home directory %.200s", pw->pw_name, pw->pw_dir);
-               auth_debug_add("Rhosts authentication refused for %.100s: "
-                   "no home directory %.200s", pw->pw_name, pw->pw_dir);
-               return 0;
-       }
-       if (options.strict_modes &&
-           ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-           (st.st_mode & 022) != 0)) {
-               logit("Rhosts authentication refused for %.100s: "
-                   "bad ownership or modes for home directory.", pw->pw_name);
-               auth_debug_add("Rhosts authentication refused for %.100s: "
-                   "bad ownership or modes for home directory.", pw->pw_name);
-               return 0;
-       }
-       /* Temporarily use the user's uid. */
-       temporarily_use_uid(pw);
-
-       /* Check all .rhosts files (currently .shosts and .rhosts). */
-       for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
-           rhosts_file_index++) {
-               /* Check users .rhosts or .shosts. */
-               snprintf(buf, sizeof buf, "%.500s/%.100s",
-                        pw->pw_dir, rhosts_files[rhosts_file_index]);
-               if (stat(buf, &st) < 0)
-                       continue;
-
-               /*
-                * Make sure that the file is either owned by the user or by
-                * root, and make sure it is not writable by anyone but the
-                * owner.  This is to help avoid novices accidentally
-                * allowing access to their account by anyone.
-                */
-               if (options.strict_modes &&
-                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-                   (st.st_mode & 022) != 0)) {
-                       logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
-                           pw->pw_name, buf);
-                       auth_debug_add("Bad file modes for %.200s", buf);
-                       continue;
-               }
-               /* Check if we have been configured to ignore .rhosts and .shosts files. */
-               if (options.ignore_rhosts) {
-                       auth_debug_add("Server has been configured to ignore %.100s.",
-                           rhosts_files[rhosts_file_index]);
-                       continue;
-               }
-               /* Check if authentication is permitted by the file. */
-               if (check_rhosts_file(buf, hostname, ipaddr, client_user, pw->pw_name)) {
-                       auth_debug_add("Accepted by %.100s.",
-                           rhosts_files[rhosts_file_index]);
-                       /* Restore the privileged uid. */
-                       restore_uid();
-                       auth_debug_add("Accepted host %s ip %s client_user %s server_user %s",
-                               hostname, ipaddr, client_user, pw->pw_name);
-                       return 1;
-               }
-       }
-
-       /* Restore the privileged uid. */
-       restore_uid();
-       return 0;
-}
-
-int
-auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
-    const char *ipaddr)
-{
-       int ret;
-
-       auth_debug_reset();
-       ret = auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
-       if (!use_privsep)
-               auth_debug_send();
-       return ret;
-}
diff --git a/crypto/openssh-3.9p1/auth-rsa.c b/crypto/openssh-3.9p1/auth-rsa.c
deleted file mode 100644 (file)
index 16369d4..0000000
+++ /dev/null
@@ -1,327 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * RSA-based authentication.  This code determines whether to admit a login
- * based on RSA authentication.  This file also contains functions to check
- * validity of the host key.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.60 2004/06/21 17:36:31 avsm Exp $");
-
-#include <openssl/rsa.h>
-#include <openssl/md5.h>
-
-#include "rsa.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "ssh1.h"
-#include "uidswap.h"
-#include "match.h"
-#include "auth-options.h"
-#include "pathnames.h"
-#include "log.h"
-#include "servconf.h"
-#include "auth.h"
-#include "hostfile.h"
-#include "monitor_wrap.h"
-#include "ssh.h"
-
-/* import */
-extern ServerOptions options;
-
-/*
- * Session identifier that is used to bind key exchange and authentication
- * responses to a particular session.
- */
-extern u_char session_id[16];
-
-/*
- * The .ssh/authorized_keys file contains public keys, one per line, in the
- * following format:
- *   options bits e n comment
- * where bits, e and n are decimal numbers,
- * and comment is any string of characters up to newline.  The maximum
- * length of a line is 8000 characters.  See the documentation for a
- * description of the options.
- */
-
-BIGNUM *
-auth_rsa_generate_challenge(Key *key)
-{
-       BIGNUM *challenge;
-       BN_CTX *ctx;
-
-       if ((challenge = BN_new()) == NULL)
-               fatal("auth_rsa_generate_challenge: BN_new() failed");
-       /* Generate a random challenge. */
-       BN_rand(challenge, 256, 0, 0);
-       if ((ctx = BN_CTX_new()) == NULL)
-               fatal("auth_rsa_generate_challenge: BN_CTX_new() failed");
-       BN_mod(challenge, challenge, key->rsa->n, ctx);
-       BN_CTX_free(ctx);
-
-       return challenge;
-}
-
-int
-auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
-{
-       u_char buf[32], mdbuf[16];
-       MD5_CTX md;
-       int len;
-
-       /* don't allow short keys */
-       if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-               error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
-                   BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
-               return (0);
-       }
-
-       /* The response is MD5 of decrypted challenge plus session id. */
-       len = BN_num_bytes(challenge);
-       if (len <= 0 || len > 32)
-               fatal("auth_rsa_verify_response: bad challenge length %d", len);
-       memset(buf, 0, 32);
-       BN_bn2bin(challenge, buf + 32 - len);
-       MD5_Init(&md);
-       MD5_Update(&md, buf, 32);
-       MD5_Update(&md, session_id, 16);
-       MD5_Final(mdbuf, &md);
-
-       /* Verify that the response is the original challenge. */
-       if (memcmp(response, mdbuf, 16) != 0) {
-               /* Wrong answer. */
-               return (0);
-       }
-       /* Correct answer. */
-       return (1);
-}
-
-/*
- * Performs the RSA authentication challenge-response dialog with the client,
- * and returns true (non-zero) if the client gave the correct answer to
- * our challenge; returns zero if the client gives a wrong answer.
- */
-
-int
-auth_rsa_challenge_dialog(Key *key)
-{
-       BIGNUM *challenge, *encrypted_challenge;
-       u_char response[16];
-       int i, success;
-
-       if ((encrypted_challenge = BN_new()) == NULL)
-               fatal("auth_rsa_challenge_dialog: BN_new() failed");
-
-       challenge = PRIVSEP(auth_rsa_generate_challenge(key));
-
-       /* Encrypt the challenge with the public key. */
-       rsa_public_encrypt(encrypted_challenge, challenge, key->rsa);
-
-       /* Send the encrypted challenge to the client. */
-       packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
-       packet_put_bignum(encrypted_challenge);
-       packet_send();
-       BN_clear_free(encrypted_challenge);
-       packet_write_wait();
-
-       /* Wait for a response. */
-       packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
-       for (i = 0; i < 16; i++)
-               response[i] = packet_get_char();
-       packet_check_eom();
-
-       success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
-       BN_clear_free(challenge);
-       return (success);
-}
-
-/*
- * check if there's user key matching client_n,
- * return key if login is allowed, NULL otherwise
- */
-
-int
-auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
-{
-       char line[8192], *file;
-       int allowed = 0;
-       u_int bits;
-       FILE *f;
-       u_long linenum = 0;
-       struct stat st;
-       Key *key;
-
-       /* Temporarily use the user's uid. */
-       temporarily_use_uid(pw);
-
-       /* The authorized keys. */
-       file = authorized_keys_file(pw);
-       debug("trying public RSA key file %s", file);
-
-       /* Fail quietly if file does not exist */
-       if (stat(file, &st) < 0) {
-               /* Restore the privileged uid. */
-               restore_uid();
-               xfree(file);
-               return (0);
-       }
-       /* Open the file containing the authorized keys. */
-       f = fopen(file, "r");
-       if (!f) {
-               /* Restore the privileged uid. */
-               restore_uid();
-               xfree(file);
-               return (0);
-       }
-       if (options.strict_modes &&
-           secure_filename(f, file, pw, line, sizeof(line)) != 0) {
-               xfree(file);
-               fclose(f);
-               logit("Authentication refused: %s", line);
-               restore_uid();
-               return (0);
-       }
-
-       /* Flag indicating whether the key is allowed. */
-       allowed = 0;
-
-       key = key_new(KEY_RSA1);
-
-       /*
-        * Go though the accepted keys, looking for the current key.  If
-        * found, perform a challenge-response dialog to verify that the
-        * user really has the corresponding private key.
-        */
-       while (fgets(line, sizeof(line), f)) {
-               char *cp;
-               char *key_options;
-
-               linenum++;
-
-               /* Skip leading whitespace, empty and comment lines. */
-               for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-                       ;
-               if (!*cp || *cp == '\n' || *cp == '#')
-                       continue;
-
-               /*
-                * Check if there are options for this key, and if so,
-                * save their starting address and skip the option part
-                * for now.  If there are no options, set the starting
-                * address to NULL.
-                */
-               if (*cp < '0' || *cp > '9') {
-                       int quoted = 0;
-                       key_options = cp;
-                       for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-                               if (*cp == '\\' && cp[1] == '"')
-                                       cp++;   /* Skip both */
-                               else if (*cp == '"')
-                                       quoted = !quoted;
-                       }
-               } else
-                       key_options = NULL;
-
-               /* Parse the key from the line. */
-               if (hostfile_read_key(&cp, &bits, key) == 0) {
-                       debug("%.100s, line %lu: non ssh1 key syntax",
-                           file, linenum);
-                       continue;
-               }
-               /* cp now points to the comment part. */
-
-               /* Check if the we have found the desired key (identified by its modulus). */
-               if (BN_cmp(key->rsa->n, client_n) != 0)
-                       continue;
-
-               /* check the real bits  */
-               if (bits != BN_num_bits(key->rsa->n))
-                       logit("Warning: %s, line %lu: keysize mismatch: "
-                           "actual %d vs. announced %d.",
-                           file, linenum, BN_num_bits(key->rsa->n), bits);
-
-               /* We have found the desired key. */
-               /*
-                * If our options do not allow this key to be used,
-                * do not send challenge.
-                */
-               if (!auth_parse_options(pw, key_options, file, linenum))
-                       continue;
-
-               /* break out, this key is allowed */
-               allowed = 1;
-               break;
-       }
-
-       /* Restore the privileged uid. */
-       restore_uid();
-
-       /* Close the file. */
-       xfree(file);
-       fclose(f);
-
-       /* return key if allowed */
-       if (allowed && rkey != NULL)
-               *rkey = key;
-       else
-               key_free(key);
-       return (allowed);
-}
-
-/*
- * Performs the RSA authentication dialog with the client.  This returns
- * 0 if the client could not be authenticated, and 1 if authentication was
- * successful.  This may exit if there is a serious protocol violation.
- */
-int
-auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
-{
-       Key *key;
-       char *fp;
-       struct passwd *pw = authctxt->pw;
-
-       /* no user given */
-       if (!authctxt->valid)
-               return 0;
-
-       if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {
-               auth_clear_options();
-               return (0);
-       }
-
-       /* Perform the challenge-response dialog for this key. */
-       if (!auth_rsa_challenge_dialog(key)) {
-               /* Wrong response. */
-               verbose("Wrong response to RSA authentication challenge.");
-               packet_send_debug("Wrong response to RSA authentication challenge.");
-               /*
-                * Break out of the loop. Otherwise we might send
-                * another challenge and break the protocol.
-                */
-               key_free(key);
-               return (0);
-       }
-       /*
-        * Correct response.  The client has been successfully
-        * authenticated. Note that we have not yet processed the
-        * options; this will be reset if the options cause the
-        * authentication to be rejected.
-        */
-       fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
-       verbose("Found matching %s key: %s",
-           key_type(key), fp);
-       xfree(fp);
-       key_free(key);
-
-       packet_send_debug("RSA authentication accepted.");
-       return (1);
-}
diff --git a/crypto/openssh-3.9p1/auth-shadow.c b/crypto/openssh-3.9p1/auth-shadow.c
deleted file mode 100644 (file)
index a85442d..0000000
+++ /dev/null
@@ -1,135 +0,0 @@
-/*
- * Copyright (c) 2004 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$Id: auth-shadow.c,v 1.5 2004/02/21 23:22:05 dtucker Exp $");
-
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-#include <shadow.h>
-
-#include "auth.h"
-#include "buffer.h"
-#include "log.h"
-
-#define DAY    (24L * 60 * 60) /* 1 day in seconds */
-
-extern Buffer loginmsg;
-
-/*
- * For the account and password expiration functions, we assume the expiry
- * occurs the day after the day specified.
- */
-
-/*
- * Check if specified account is expired.  Returns 1 if account is expired,
- * 0 otherwise.
- */
-int
-auth_shadow_acctexpired(struct spwd *spw)
-{
-       time_t today;
-       int daysleft;
-       char buf[256];
-
-       today = time(NULL) / DAY;
-       daysleft = spw->sp_expire - today;
-       debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today,
-           (int)spw->sp_expire, daysleft);
-
-       if (spw->sp_expire == -1) {
-               debug3("account expiration disabled");
-       } else if (daysleft < 0) {
-               logit("Account %.100s has expired", spw->sp_namp);
-               return 1;
-       } else if (daysleft <= spw->sp_warn) {
-               debug3("account will expire in %d days", daysleft);
-               snprintf(buf, sizeof(buf),
-                   "Your account will expire in %d day%s.\n", daysleft,
-                   daysleft == 1 ? "" : "s");
-               buffer_append(&loginmsg, buf, strlen(buf));
-       }
-
-       return 0;
-}
-
-/*
- * Checks password expiry for platforms that use shadow passwd files.
- * Returns: 1 = password expired, 0 = password not expired
- */
-int
-auth_shadow_pwexpired(Authctxt *ctxt)
-{
-       struct spwd *spw = NULL;
-       const char *user = ctxt->pw->pw_name;
-       char buf[256];
-       time_t today;
-       int daysleft, disabled = 0;
-
-       if ((spw = getspnam((char *)user)) == NULL) {
-               error("Could not get shadow information for %.100s", user);
-               return 0;
-       }
-
-       today = time(NULL) / DAY;
-       debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
-           (int)spw->sp_lstchg, (int)spw->sp_max);
-
-#if defined(__hpux) && !defined(HAVE_SECUREWARE)
-       if (iscomsec()) {
-               struct pr_passwd *pr;
-                      
-               pr = getprpwnam((char *)user);
-
-               /* Test for Trusted Mode expiry disabled */
-               if (pr != NULL && pr->ufld.fd_min == 0 &&
-                   pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 &&
-                   pr->ufld.fd_pw_expire_warning == 0 &&
-                   pr->ufld.fd_schange != 0)
-                       disabled = 1;
-       }
-#endif
-
-       /* TODO: check sp_inact */
-       daysleft = spw->sp_lstchg + spw->sp_max - today;
-       if (disabled) {
-               debug3("password expiration disabled");
-       } else if (spw->sp_lstchg == 0) {
-               logit("User %.100s password has expired (root forced)", user);
-               return 1;
-       } else if (spw->sp_max == -1) {
-               debug3("password expiration disabled");
-       } else if (daysleft < 0) {
-               logit("User %.100s password has expired (password aged)", user);
-               return 1;
-       } else if (daysleft <= spw->sp_warn) {
-               debug3("password will expire in %d days", daysleft);
-               snprintf(buf, sizeof(buf),
-                   "Your password will expire in %d day%s.\n", daysleft,
-                   daysleft == 1 ? "" : "s");
-               buffer_append(&loginmsg, buf, strlen(buf));
-       }
-
-       return 0;
-}
-#endif /* USE_SHADOW && HAS_SHADOW_EXPIRE */
diff --git a/crypto/openssh-3.9p1/auth-sia.c b/crypto/openssh-3.9p1/auth-sia.c
deleted file mode 100644 (file)
index 63f55d0..0000000
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (c) 2002 Chris Adams.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_OSF_SIA
-#include "ssh.h"
-#include "auth.h"
-#include "auth-sia.h"
-#include "log.h"
-#include "servconf.h"
-#include "canohost.h"
-#include "uidswap.h"
-
-#include <sia.h>
-#include <siad.h>
-#include <pwd.h>
-#include <signal.h>
-#include <setjmp.h>
-#include <sys/resource.h>
-#include <unistd.h>
-#include <string.h>
-
-extern ServerOptions options;
-extern int saved_argc;
-extern char **saved_argv;
-
-int
-sys_auth_passwd(Authctxt *authctxt, char *pass)
-{
-       int ret;
-       SIAENTITY *ent = NULL;
-       const char *host;
-
-       host = get_canonical_hostname(options.use_dns);
-
-       if (!authctxt->user || pass == NULL || pass[0] == '\0')
-               return (0);
-
-       if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
-           NULL, 0, NULL) != SIASUCCESS)
-               return (0);
-
-       if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
-               error("Couldn't authenticate %s from %s",
-                   authctxt->user, host);
-               if (ret & SIASTOP)
-                       sia_ses_release(&ent);
-
-               return (0);
-       }
-
-       sia_ses_release(&ent);
-
-       return (1);
-}
-
-void
-session_setup_sia(struct passwd *pw, char *tty)
-{
-       SIAENTITY *ent = NULL;
-       const char *host;
-
-       host = get_canonical_hostname(options.use_dns);
-
-       if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
-           tty, 0, NULL) != SIASUCCESS)
-               fatal("sia_ses_init failed");
-
-       if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
-               sia_ses_release(&ent);
-               fatal("sia_make_entity_pwd failed");
-       }
-
-       ent->authtype = SIA_A_NONE;
-       if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
-               fatal("Couldn't establish session for %s from %s",
-                   pw->pw_name, host);
-
-       if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
-               fatal("Couldn't launch session for %s from %s",
-                   pw->pw_name, host);
-
-       sia_ses_release(&ent);
-
-       setuid(0);
-       permanently_set_uid(pw);
-}
-
-#endif /* HAVE_OSF_SIA */
diff --git a/crypto/openssh-3.9p1/auth-sia.h b/crypto/openssh-3.9p1/auth-sia.h
deleted file mode 100644 (file)
index ca55e91..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (c) 2002 Chris Adams.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_OSF_SIA
-
-int    sys_auth_passwd(Authctxt *, char *);
-void   session_setup_sia(struct passwd *, char *);
-
-#endif /* HAVE_OSF_SIA */
diff --git a/crypto/openssh-3.9p1/auth-skey.c b/crypto/openssh-3.9p1/auth-skey.c
deleted file mode 100644 (file)
index ac1af69..0000000
+++ /dev/null
@@ -1,104 +0,0 @@
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include "includes.h"
-RCSID("$OpenBSD: auth-skey.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
-
-#ifdef SKEY
-
-#include <skey.h>
-
-#include "xmalloc.h"
-#include "auth.h"
-#include "monitor_wrap.h"
-
-static void *
-skey_init_ctx(Authctxt *authctxt)
-{
-       return authctxt;
-}
-
-int
-skey_query(void *ctx, char **name, char **infotxt,
-    u_int* numprompts, char ***prompts, u_int **echo_on)
-{
-       Authctxt *authctxt = ctx;
-       char challenge[1024], *p;
-       int len;
-       struct skey skey;
-
-       if (_compat_skeychallenge(&skey, authctxt->user, challenge, 
-           sizeof(challenge)) == -1)
-               return -1;
-
-       *name  = xstrdup("");
-       *infotxt  = xstrdup("");
-       *numprompts = 1;
-       *prompts = xmalloc(*numprompts * sizeof(char *));
-       *echo_on = xmalloc(*numprompts * sizeof(u_int));
-       (*echo_on)[0] = 0;
-
-       len = strlen(challenge) + strlen(SKEY_PROMPT) + 1;
-       p = xmalloc(len);
-       strlcpy(p, challenge, len);
-       strlcat(p, SKEY_PROMPT, len);
-       (*prompts)[0] = p;
-
-       return 0;
-}
-
-int
-skey_respond(void *ctx, u_int numresponses, char **responses)
-{
-       Authctxt *authctxt = ctx;
-
-       if (authctxt->valid &&
-           numresponses == 1 &&
-           skey_haskey(authctxt->pw->pw_name) == 0 &&
-           skey_passcheck(authctxt->pw->pw_name, responses[0]) != -1)
-           return 0;
-       return -1;
-}
-
-static void
-skey_free_ctx(void *ctx)
-{
-       /* we don't have a special context */
-}
-
-KbdintDevice skey_device = {
-       "skey",
-       skey_init_ctx,
-       skey_query,
-       skey_respond,
-       skey_free_ctx
-};
-
-KbdintDevice mm_skey_device = {
-       "skey",
-       skey_init_ctx,
-       mm_skey_query,
-       mm_skey_respond,
-       skey_free_ctx
-};
-#endif /* SKEY */
diff --git a/crypto/openssh-3.9p1/auth.c b/crypto/openssh-3.9p1/auth.c
deleted file mode 100644 (file)
index 0956b0b..0000000
+++ /dev/null
@@ -1,553 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.56 2004/07/28 09:40:29 markus Exp $");
-
-#ifdef HAVE_LOGIN_H
-#include <login.h>
-#endif
-#ifdef USE_SHADOW
-#include <shadow.h>
-#endif
-
-#ifdef HAVE_LIBGEN_H
-#include <libgen.h>
-#endif
-
-#include "xmalloc.h"
-#include "match.h"
-#include "groupaccess.h"
-#include "log.h"
-#include "servconf.h"
-#include "auth.h"
-#include "auth-options.h"
-#include "canohost.h"
-#include "buffer.h"
-#include "bufaux.h"
-#include "uidswap.h"
-#include "misc.h"
-#include "bufaux.h"
-#include "packet.h"
-
-/* import */
-extern ServerOptions options;
-extern Buffer loginmsg;
-
-/* Debugging messages */
-Buffer auth_debug;
-int auth_debug_init;
-
-/*
- * Check if the user is allowed to log in via ssh. If user is listed
- * in DenyUsers or one of user's groups is listed in DenyGroups, false
- * will be returned. If AllowUsers isn't empty and user isn't listed
- * there, or if AllowGroups isn't empty and one of user's groups isn't
- * listed there, false will be returned.
- * If the user's shell is not executable, false will be returned.
- * Otherwise true is returned.
- */
-int
-allowed_user(struct passwd * pw)
-{
-       struct stat st;
-       const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
-       char *shell;
-       int i;
-#ifdef USE_SHADOW
-       struct spwd *spw = NULL;
-#endif
-
-       /* Shouldn't be called if pw is NULL, but better safe than sorry... */
-       if (!pw || !pw->pw_name)
-               return 0;
-
-#ifdef USE_SHADOW
-       if (!options.use_pam)
-               spw = getspnam(pw->pw_name);
-#ifdef HAS_SHADOW_EXPIRE
-       if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
-               return 0;
-#endif /* HAS_SHADOW_EXPIRE */
-#endif /* USE_SHADOW */
-
-       /* grab passwd field for locked account check */
-#ifdef USE_SHADOW
-       if (spw != NULL)
-               passwd = spw->sp_pwdp;
-#else
-       passwd = pw->pw_passwd;
-#endif
-
-       /* check for locked account */
-       if (!options.use_pam && passwd && *passwd) {
-               int locked = 0;
-
-#ifdef LOCKED_PASSWD_STRING
-               if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
-                        locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_PREFIX
-               if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
-                   strlen(LOCKED_PASSWD_PREFIX)) == 0)
-                        locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_SUBSTR
-               if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
-                       locked = 1;
-#endif
-               if (locked) {
-                       logit("User %.100s not allowed because account is locked",
-                           pw->pw_name);
-                       return 0;
-               }
-       }
-
-       /*
-        * Get the shell from the password data.  An empty shell field is
-        * legal, and means /bin/sh.
-        */
-       shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
-
-       /* deny if shell does not exists or is not executable */
-       if (stat(shell, &st) != 0) {
-               logit("User %.100s not allowed because shell %.100s does not exist",
-                   pw->pw_name, shell);
-               return 0;
-       }
-       if (S_ISREG(st.st_mode) == 0 ||
-           (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
-               logit("User %.100s not allowed because shell %.100s is not executable",
-                   pw->pw_name, shell);
-               return 0;
-       }
-
-       if (options.num_deny_users > 0 || options.num_allow_users > 0) {
-               hostname = get_canonical_hostname(options.use_dns);
-               ipaddr = get_remote_ipaddr();
-       }
-
-       /* Return false if user is listed in DenyUsers */
-       if (options.num_deny_users > 0) {
-               for (i = 0; i < options.num_deny_users; i++)
-                       if (match_user(pw->pw_name, hostname, ipaddr,
-                           options.deny_users[i])) {
-                               logit("User %.100s not allowed because listed in DenyUsers",
-                                   pw->pw_name);
-                               return 0;
-                       }
-       }
-       /* Return false if AllowUsers isn't empty and user isn't listed there */
-       if (options.num_allow_users > 0) {
-               for (i = 0; i < options.num_allow_users; i++)
-                       if (match_user(pw->pw_name, hostname, ipaddr,
-                           options.allow_users[i]))
-                               break;
-               /* i < options.num_allow_users iff we break for loop */
-               if (i >= options.num_allow_users) {
-                       logit("User %.100s not allowed because not listed in AllowUsers",
-                           pw->pw_name);
-                       return 0;
-               }
-       }
-       if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
-               /* Get the user's group access list (primary and supplementary) */
-               if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
-                       logit("User %.100s not allowed because not in any group",
-                           pw->pw_name);
-                       return 0;
-               }
-
-               /* Return false if one of user's groups is listed in DenyGroups */
-               if (options.num_deny_groups > 0)
-                       if (ga_match(options.deny_groups,
-                           options.num_deny_groups)) {
-                               ga_free();
-                               logit("User %.100s not allowed because a group is listed in DenyGroups",
-                                   pw->pw_name);
-                               return 0;
-                       }
-               /*
-                * Return false if AllowGroups isn't empty and one of user's groups
-                * isn't listed there
-                */
-               if (options.num_allow_groups > 0)
-                       if (!ga_match(options.allow_groups,
-                           options.num_allow_groups)) {
-                               ga_free();
-                               logit("User %.100s not allowed because none of user's groups are listed in AllowGroups",
-                                   pw->pw_name);
-                               return 0;
-                       }
-               ga_free();
-       }
-
-#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
-       if (!sys_auth_allowed_user(pw))
-               return 0;
-#endif
-
-       /* We found no reason not to let this user try to log on... */
-       return 1;
-}
-
-void
-auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
-{
-       void (*authlog) (const char *fmt,...) = verbose;
-       char *authmsg;
-
-       /* Raise logging level */
-       if (authenticated == 1 ||
-           !authctxt->valid ||
-           authctxt->failures >= options.max_authtries / 2 ||
-           strcmp(method, "password") == 0)
-               authlog = logit;
-
-       if (authctxt->postponed)
-               authmsg = "Postponed";
-       else
-               authmsg = authenticated ? "Accepted" : "Failed";
-
-       authlog("%s %s for %s%.100s from %.200s port %d%s",
-           authmsg,
-           method,
-           authctxt->valid ? "" : "invalid user ",
-           authctxt->user,
-           get_remote_ipaddr(),
-           get_remote_port(),
-           info);
-
-#ifdef CUSTOM_FAILED_LOGIN
-       if (authenticated == 0 && strcmp(method, "password") == 0)
-               record_failed_login(authctxt->user, "ssh");
-#endif
-}
-
-/*
- * Check whether root logins are disallowed.
- */
-int
-auth_root_allowed(char *method)
-{
-       switch (options.permit_root_login) {
-       case PERMIT_YES:
-               return 1;
-               break;
-       case PERMIT_NO_PASSWD:
-               if (strcmp(method, "password") != 0)
-                       return 1;
-               break;
-       case PERMIT_FORCED_ONLY:
-               if (forced_command) {
-                       logit("Root login accepted for forced command.");
-                       return 1;
-               }
-               break;
-       }
-       logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
-       return 0;
-}
-
-
-/*
- * Given a template and a passwd structure, build a filename
- * by substituting % tokenised options. Currently, %% becomes '%',
- * %h becomes the home directory and %u the username.
- *
- * This returns a buffer allocated by xmalloc.
- */
-char *
-expand_filename(const char *filename, struct passwd *pw)
-{
-       Buffer buffer;
-       char *file;
-       const char *cp;
-
-       /*
-        * Build the filename string in the buffer by making the appropriate
-        * substitutions to the given file name.
-        */
-       buffer_init(&buffer);
-       for (cp = filename; *cp; cp++) {
-               if (cp[0] == '%' && cp[1] == '%') {
-                       buffer_append(&buffer, "%", 1);
-                       cp++;
-                       continue;
-               }
-               if (cp[0] == '%' && cp[1] == 'h') {
-                       buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
-                       cp++;
-                       continue;
-               }
-               if (cp[0] == '%' && cp[1] == 'u') {
-                       buffer_append(&buffer, pw->pw_name,
-                           strlen(pw->pw_name));
-                       cp++;
-                       continue;
-               }
-               buffer_append(&buffer, cp, 1);
-       }
-       buffer_append(&buffer, "\0", 1);
-
-       /*
-        * Ensure that filename starts anchored. If not, be backward
-        * compatible and prepend the '%h/'
-        */
-       file = xmalloc(MAXPATHLEN);
-       cp = buffer_ptr(&buffer);
-       if (*cp != '/')
-               snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
-       else
-               strlcpy(file, cp, MAXPATHLEN);
-
-       buffer_free(&buffer);
-       return file;
-}
-
-char *
-authorized_keys_file(struct passwd *pw)
-{
-       return expand_filename(options.authorized_keys_file, pw);
-}
-
-char *
-authorized_keys_file2(struct passwd *pw)
-{
-       return expand_filename(options.authorized_keys_file2, pw);
-}
-
-/* return ok if key exists in sysfile or userfile */
-HostStatus
-check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
-    const char *sysfile, const char *userfile)
-{
-       Key *found;
-       char *user_hostfile;
-       struct stat st;
-       HostStatus host_status;
-
-       /* Check if we know the host and its host key. */
-       found = key_new(key->type);
-       host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
-
-       if (host_status != HOST_OK && userfile != NULL) {
-               user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
-               if (options.strict_modes &&
-                   (stat(user_hostfile, &st) == 0) &&
-                   ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-                   (st.st_mode & 022) != 0)) {
-                       logit("Authentication refused for %.100s: "
-                           "bad owner or modes for %.200s",
-                           pw->pw_name, user_hostfile);
-               } else {
-                       temporarily_use_uid(pw);
-                       host_status = check_host_in_hostfile(user_hostfile,
-                           host, key, found, NULL);
-                       restore_uid();
-               }
-               xfree(user_hostfile);
-       }
-       key_free(found);
-
-       debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ?
-           "ok" : "not found", host);
-       return host_status;
-}
-
-
-/*
- * Check a given file for security. This is defined as all components
- * of the path to the file must be owned by either the owner of
- * of the file or root and no directories must be group or world writable.
- *
- * XXX Should any specific check be done for sym links ?
- *
- * Takes an open file descriptor, the file name, a uid and and
- * error buffer plus max size as arguments.
- *
- * Returns 0 on success and -1 on failure
- */
-int
-secure_filename(FILE *f, const char *file, struct passwd *pw,
-    char *err, size_t errlen)
-{
-       uid_t uid = pw->pw_uid;
-       char buf[MAXPATHLEN], homedir[MAXPATHLEN];
-       char *cp;
-       int comparehome = 0;
-       struct stat st;
-
-       if (realpath(file, buf) == NULL) {
-               snprintf(err, errlen, "realpath %s failed: %s", file,
-                   strerror(errno));
-               return -1;
-       }
-       if (realpath(pw->pw_dir, homedir) != NULL)
-               comparehome = 1;
-
-       /* check the open file to avoid races */
-       if (fstat(fileno(f), &st) < 0 ||
-           (st.st_uid != 0 && st.st_uid != uid) ||
-           (st.st_mode & 022) != 0) {
-               snprintf(err, errlen, "bad ownership or modes for file %s",
-                   buf);
-               return -1;
-       }
-
-       /* for each component of the canonical path, walking upwards */
-       for (;;) {
-               if ((cp = dirname(buf)) == NULL) {
-                       snprintf(err, errlen, "dirname() failed");
-                       return -1;
-               }
-               strlcpy(buf, cp, sizeof(buf));
-
-               debug3("secure_filename: checking '%s'", buf);
-               if (stat(buf, &st) < 0 ||
-                   (st.st_uid != 0 && st.st_uid != uid) ||
-                   (st.st_mode & 022) != 0) {
-                       snprintf(err, errlen,
-                           "bad ownership or modes for directory %s", buf);
-                       return -1;
-               }
-
-               /* If are passed the homedir then we can stop */
-               if (comparehome && strcmp(homedir, buf) == 0) {
-                       debug3("secure_filename: terminating check at '%s'",
-                           buf);
-                       break;
-               }
-               /*
-                * dirname should always complete with a "/" path,
-                * but we can be paranoid and check for "." too
-                */
-               if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
-                       break;
-       }
-       return 0;
-}
-
-struct passwd *
-getpwnamallow(const char *user)
-{
-#ifdef HAVE_LOGIN_CAP
-       extern login_cap_t *lc;
-#ifdef BSD_AUTH
-       auth_session_t *as;
-#endif
-#endif
-       struct passwd *pw;
-
-       pw = getpwnam(user);
-       if (pw == NULL) {
-               logit("Invalid user %.100s from %.100s",
-                   user, get_remote_ipaddr());
-#ifdef CUSTOM_FAILED_LOGIN
-               record_failed_login(user, "ssh");
-#endif
-               return (NULL);
-       }
-       if (!allowed_user(pw))
-               return (NULL);
-#ifdef HAVE_LOGIN_CAP
-       if ((lc = login_getclass(pw->pw_class)) == NULL) {
-               debug("unable to get login class: %s", user);
-               return (NULL);
-       }
-#ifdef BSD_AUTH
-       if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
-           auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
-               debug("Approval failure for %s", user);
-               pw = NULL;
-       }
-       if (as != NULL)
-               auth_close(as);
-#endif
-#endif
-       if (pw != NULL)
-               return (pwcopy(pw));
-       return (NULL);
-}
-
-void
-auth_debug_add(const char *fmt,...)
-{
-       char buf[1024];
-       va_list args;
-
-       if (!auth_debug_init)
-               return;
-
-       va_start(args, fmt);
-       vsnprintf(buf, sizeof(buf), fmt, args);
-       va_end(args);
-       buffer_put_cstring(&auth_debug, buf);
-}
-
-void
-auth_debug_send(void)
-{
-       char *msg;
-
-       if (!auth_debug_init)
-               return;
-       while (buffer_len(&auth_debug)) {
-               msg = buffer_get_string(&auth_debug, NULL);
-               packet_send_debug("%s", msg);
-               xfree(msg);
-       }
-}
-
-void
-auth_debug_reset(void)
-{
-       if (auth_debug_init)
-               buffer_clear(&auth_debug);
-       else {
-               buffer_init(&auth_debug);
-               auth_debug_init = 1;
-       }
-}
-
-struct passwd *
-fakepw(void)
-{
-       static struct passwd fake;
-
-       memset(&fake, 0, sizeof(fake));
-       fake.pw_name = "NOUSER";
-       fake.pw_passwd =
-           "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
-       fake.pw_gecos = "NOUSER";
-       fake.pw_uid = (uid_t)-1;
-       fake.pw_gid = (gid_t)-1;
-#ifdef HAVE_PW_CLASS_IN_PASSWD
-       fake.pw_class = "";
-#endif
-       fake.pw_dir = "/nonexist";
-       fake.pw_shell = "/nonexist";
-
-       return (&fake);
-}
diff --git a/crypto/openssh-3.9p1/auth.h b/crypto/openssh-3.9p1/auth.h
deleted file mode 100644 (file)
index 2f09440..0000000
+++ /dev/null
@@ -1,187 +0,0 @@
-/*     $OpenBSD: auth.h,v 1.50 2004/05/23 23:59:53 dtucker Exp $       */
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#ifndef AUTH_H
-#define AUTH_H
-
-#include "key.h"
-#include "hostfile.h"
-#include <openssl/rsa.h>
-
-#ifdef HAVE_LOGIN_CAP
-#include <login_cap.h>
-#endif
-#ifdef BSD_AUTH
-#include <bsd_auth.h>
-#endif
-#ifdef KRB5
-#include <krb5.h>
-#endif
-
-typedef struct Authctxt Authctxt;
-typedef struct Authmethod Authmethod;
-typedef struct KbdintDevice KbdintDevice;
-
-struct Authctxt {
-       int              success;
-       int              postponed;     /* authentication needs another step */
-       int              valid;         /* user exists and is allowed to login */
-       int              attempt;
-       int              failures;
-       int              force_pwchange;
-       char            *user;          /* username sent by the client */
-       char            *service;
-       struct passwd   *pw;            /* set if 'valid' */
-       char            *style;
-       void            *kbdintctxt;
-#ifdef BSD_AUTH
-       auth_session_t  *as;
-#endif
-#ifdef KRB5
-       krb5_context     krb5_ctx;
-       krb5_ccache      krb5_fwd_ccache;
-       krb5_principal   krb5_user;
-       char            *krb5_ticket_file;
-       char            *krb5_ccname;
-#endif
-       void            *methoddata;
-};
-/*
- * Every authentication method has to handle authentication requests for
- * non-existing users, or for users that are not allowed to login. In this
- * case 'valid' is set to 0, but 'user' points to the username requested by
- * the client.
- */
-
-struct Authmethod {
-       char    *name;
-       int     (*userauth)(Authctxt *authctxt);
-       int     *enabled;
-};
-
-/*
- * Keyboard interactive device:
- * init_ctx    returns: non NULL upon success
- * query       returns: 0 - success, otherwise failure
- * respond     returns: 0 - success, 1 - need further interaction,
- *             otherwise - failure
- */
-struct KbdintDevice
-{
-       const char *name;
-       void*   (*init_ctx)(Authctxt*);
-       int     (*query)(void *ctx, char **name, char **infotxt,
-                   u_int *numprompts, char ***prompts, u_int **echo_on);
-       int     (*respond)(void *ctx, u_int numresp, char **responses);
-       void    (*free_ctx)(void *ctx);
-};
-
-int      auth_rhosts(struct passwd *, const char *);
-int
-auth_rhosts2(struct passwd *, const char *, const char *, const char *);
-
-int     auth_rhosts_rsa(Authctxt *, char *, Key *);
-int      auth_password(Authctxt *, const char *);
-int      auth_rsa(Authctxt *, BIGNUM *);
-int      auth_rsa_challenge_dialog(Key *);
-BIGNUM *auth_rsa_generate_challenge(Key *);
-int     auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
-int     auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
-
-int     auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
-int     hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
-int     user_key_allowed(struct passwd *, Key *);
-
-#ifdef KRB5
-int    auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
-int    auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
-int    auth_krb5_password(Authctxt *authctxt, const char *password);
-void   krb5_cleanup_proc(Authctxt *authctxt);
-#endif /* KRB5 */
-
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-#include <shadow.h>
-int auth_shadow_acctexpired(struct spwd *);
-int auth_shadow_pwexpired(Authctxt *);
-#endif
-
-#include "auth-pam.h"
-void disable_forwarding(void);
-
-void   do_authentication(Authctxt *);
-void   do_authentication2(Authctxt *);
-
-void   auth_log(Authctxt *, int, char *, char *);
-void   userauth_finish(Authctxt *, int, char *);
-int    auth_root_allowed(char *);
-
-char   *auth2_read_banner(void);
-
-void   privsep_challenge_enable(void);
-
-int    auth2_challenge(Authctxt *, char *);
-void   auth2_challenge_stop(Authctxt *);
-int    bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
-int    bsdauth_respond(void *, u_int, char **);
-int    skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int    skey_respond(void *, u_int, char **);
-
-int    allowed_user(struct passwd *);
-struct passwd * getpwnamallow(const char *user);
-
-char   *get_challenge(Authctxt *);
-int    verify_response(Authctxt *, const char *);
-void   abandon_challenge_response(Authctxt *);
-
-char   *expand_filename(const char *, struct passwd *);
-char   *authorized_keys_file(struct passwd *);
-char   *authorized_keys_file2(struct passwd *);
-
-int
-secure_filename(FILE *, const char *, struct passwd *, char *, size_t);
-
-HostStatus
-check_key_in_hostfiles(struct passwd *, Key *, const char *,
-    const char *, const char *);
-
-/* hostkey handling */
-Key    *get_hostkey_by_index(int);
-Key    *get_hostkey_by_type(int);
-int     get_hostkey_index(Key *);
-int     ssh1_session_key(BIGNUM *);
-
-/* debug messages during authentication */
-void    auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-void    auth_debug_send(void);
-void    auth_debug_reset(void);
-
-struct passwd *fakepw(void);
-
-#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
-
-#define SKEY_PROMPT "\nS/Key Password: "
-#endif
diff --git a/crypto/openssh-3.9p1/auth1.c b/crypto/openssh-3.9p1/auth1.c
deleted file mode 100644 (file)
index 3f93b98..0000000
+++ /dev/null
@@ -1,337 +0,0 @@
-/*
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
-
-#include "xmalloc.h"
-#include "rsa.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "servconf.h"
-#include "compat.h"
-#include "auth.h"
-#include "channels.h"
-#include "session.h"
-#include "uidswap.h"
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-
-/*
- * convert ssh auth msg type into description
- */
-static char *
-get_authname(int type)
-{
-       static char buf[1024];
-       switch (type) {
-       case SSH_CMSG_AUTH_PASSWORD:
-               return "password";
-       case SSH_CMSG_AUTH_RSA:
-               return "rsa";
-       case SSH_CMSG_AUTH_RHOSTS_RSA:
-               return "rhosts-rsa";
-       case SSH_CMSG_AUTH_RHOSTS:
-               return "rhosts";
-       case SSH_CMSG_AUTH_TIS:
-       case SSH_CMSG_AUTH_TIS_RESPONSE:
-               return "challenge-response";
-       }
-       snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
-       return buf;
-}
-
-/*
- * read packets, try to authenticate the user and
- * return only if authentication is successful
- */
-static void
-do_authloop(Authctxt *authctxt)
-{
-       int authenticated = 0;
-       u_int bits;
-       Key *client_host_key;
-       BIGNUM *n;
-       char *client_user, *password;
-       char info[1024];
-       u_int dlen;
-       u_int ulen;
-       int prev, type = 0;
-
-       debug("Attempting authentication for %s%.100s.",
-           authctxt->valid ? "" : "invalid user ", authctxt->user);
-
-       /* If the user has no password, accept authentication immediately. */
-       if (options.password_authentication &&
-#ifdef KRB5
-           (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
-#endif
-           PRIVSEP(auth_password(authctxt, ""))) {
-#ifdef USE_PAM
-               if (options.use_pam && (PRIVSEP(do_pam_account())))
-#endif
-               {
-                       auth_log(authctxt, 1, "without authentication", "");
-                       return;
-               }
-       }
-
-       /* Indicate that authentication is needed. */
-       packet_start(SSH_SMSG_FAILURE);
-       packet_send();
-       packet_write_wait();
-
-       client_user = NULL;
-
-       for (;;) {
-               /* default to fail */
-               authenticated = 0;
-
-               info[0] = '\0';
-
-               /* Get a packet from the client. */
-               prev = type;
-               type = packet_read();
-
-               /*
-                * If we started challenge-response authentication but the
-                * next packet is not a response to our challenge, release
-                * the resources allocated by get_challenge() (which would
-                * normally have been released by verify_response() had we
-                * received such a response)
-                */
-               if (prev == SSH_CMSG_AUTH_TIS &&
-                   type != SSH_CMSG_AUTH_TIS_RESPONSE)
-                       abandon_challenge_response(authctxt);
-
-               /* Process the packet. */
-               switch (type) {
-               case SSH_CMSG_AUTH_RHOSTS_RSA:
-                       if (!options.rhosts_rsa_authentication) {
-                               verbose("Rhosts with RSA authentication disabled.");
-                               break;
-                       }
-                       /*
-                        * Get client user name.  Note that we just have to
-                        * trust the client; root on the client machine can
-                        * claim to be any user.
-                        */
-                       client_user = packet_get_string(&ulen);
-
-                       /* Get the client host key. */
-                       client_host_key = key_new(KEY_RSA1);
-                       bits = packet_get_int();
-                       packet_get_bignum(client_host_key->rsa->e);
-                       packet_get_bignum(client_host_key->rsa->n);
-
-                       if (bits != BN_num_bits(client_host_key->rsa->n))
-                               verbose("Warning: keysize mismatch for client_host_key: "
-                                   "actual %d, announced %d",
-                                   BN_num_bits(client_host_key->rsa->n), bits);
-                       packet_check_eom();
-
-                       authenticated = auth_rhosts_rsa(authctxt, client_user,
-                           client_host_key);
-                       key_free(client_host_key);
-
-                       snprintf(info, sizeof info, " ruser %.100s", client_user);
-                       break;
-
-               case SSH_CMSG_AUTH_RSA:
-                       if (!options.rsa_authentication) {
-                               verbose("RSA authentication disabled.");
-                               break;
-                       }
-                       /* RSA authentication requested. */
-                       if ((n = BN_new()) == NULL)
-                               fatal("do_authloop: BN_new failed");
-                       packet_get_bignum(n);
-                       packet_check_eom();
-                       authenticated = auth_rsa(authctxt, n);
-                       BN_clear_free(n);
-                       break;
-
-               case SSH_CMSG_AUTH_PASSWORD:
-                       if (!options.password_authentication) {
-                               verbose("Password authentication disabled.");
-                               break;
-                       }
-                       /*
-                        * Read user password.  It is in plain text, but was
-                        * transmitted over the encrypted channel so it is
-                        * not visible to an outside observer.
-                        */
-                       password = packet_get_string(&dlen);
-                       packet_check_eom();
-
-                       /* Try authentication with the password. */
-                       authenticated = PRIVSEP(auth_password(authctxt, password));
-
-                       memset(password, 0, strlen(password));
-                       xfree(password);
-                       break;
-
-               case SSH_CMSG_AUTH_TIS:
-                       debug("rcvd SSH_CMSG_AUTH_TIS");
-                       if (options.challenge_response_authentication == 1) {
-                               char *challenge = get_challenge(authctxt);
-                               if (challenge != NULL) {
-                                       debug("sending challenge '%s'", challenge);
-                                       packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
-                                       packet_put_cstring(challenge);
-                                       xfree(challenge);
-                                       packet_send();
-                                       packet_write_wait();
-                                       continue;
-                               }
-                       }
-                       break;
-               case SSH_CMSG_AUTH_TIS_RESPONSE:
-                       debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");
-                       if (options.challenge_response_authentication == 1) {
-                               char *response = packet_get_string(&dlen);
-                               packet_check_eom();
-                               authenticated = verify_response(authctxt, response);
-                               memset(response, 'r', dlen);
-                               xfree(response);
-                       }
-                       break;
-
-               default:
-                       /*
-                        * Any unknown messages will be ignored (and failure
-                        * returned) during authentication.
-                        */
-                       logit("Unknown message during authentication: type %d", type);
-                       break;
-               }
-#ifdef BSD_AUTH
-               if (authctxt->as) {
-                       auth_close(authctxt->as);
-                       authctxt->as = NULL;
-               }
-#endif
-               if (!authctxt->valid && authenticated)
-                       fatal("INTERNAL ERROR: authenticated invalid user %s",
-                           authctxt->user);
-
-#ifdef _UNICOS
-               if (authenticated && cray_access_denied(authctxt->user)) {
-                       authenticated = 0;
-                       fatal("Access denied for user %s.",authctxt->user);
-               }
-#endif /* _UNICOS */
-
-#ifdef HAVE_CYGWIN
-               if (authenticated &&
-                   !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, 
-                   authctxt->pw)) {
-                       packet_disconnect("Authentication rejected for uid %d.",
-                           authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
-                       authenticated = 0;
-               }
-#else
-               /* Special handling for root */
-               if (authenticated && authctxt->pw->pw_uid == 0 &&
-                   !auth_root_allowed(get_authname(type)))
-                       authenticated = 0;
-#endif
-
-#ifdef USE_PAM
-               if (options.use_pam && authenticated &&
-                   !PRIVSEP(do_pam_account()))
-                       authenticated = 0;
-#endif
-
-               /* Log before sending the reply */
-               auth_log(authctxt, authenticated, get_authname(type), info);
-
-               if (client_user != NULL) {
-                       xfree(client_user);
-                       client_user = NULL;
-               }
-
-               if (authenticated)
-                       return;
-
-               if (authctxt->failures++ > options.max_authtries)
-                       packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
-
-               packet_start(SSH_SMSG_FAILURE);
-               packet_send();
-               packet_write_wait();
-       }
-}
-
-/*
- * Performs authentication of an incoming connection.  Session key has already
- * been exchanged and encryption is enabled.
- */
-void
-do_authentication(Authctxt *authctxt)
-{
-       u_int ulen;
-       char *user, *style = NULL;
-
-       /* Get the name of the user that we wish to log in as. */
-       packet_read_expect(SSH_CMSG_USER);
-
-       /* Get the user name. */
-       user = packet_get_string(&ulen);
-       packet_check_eom();
-
-       if ((style = strchr(user, ':')) != NULL)
-               *style++ = '\0';
-
-       authctxt->user = user;
-       authctxt->style = style;
-
-       /* Verify that the user is a valid user. */
-       if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-               authctxt->valid = 1;
-       else {
-               debug("do_authentication: invalid user %s", user);
-               authctxt->pw = fakepw();
-       }
-
-       setproctitle("%s%s", authctxt->valid ? user : "unknown",
-           use_privsep ? " [net]" : "");
-
-#ifdef USE_PAM
-       if (options.use_pam)
-               PRIVSEP(start_pam(authctxt));
-#endif
-
-       /*
-        * If we are not running as root, the user must have the same uid as
-        * the server. (Unless you are running Windows)
-        */
-#ifndef HAVE_CYGWIN
-       if (!use_privsep && getuid() != 0 && authctxt->pw &&
-           authctxt->pw->pw_uid != getuid())
-               packet_disconnect("Cannot change user when server not running as root.");
-#endif
-
-       /*
-        * Loop until the user has been authenticated or the connection is
-        * closed, do_authloop() returns only if authentication is successful
-        */
-       do_authloop(authctxt);
-
-       /* The user has been authenticated and accepted. */
-       packet_start(SSH_SMSG_SUCCESS);
-       packet_send();
-       packet_write_wait();
-}
diff --git a/crypto/openssh-3.9p1/auth2-chall.c b/crypto/openssh-3.9p1/auth2-chall.c
deleted file mode 100644 (file)
index 486baaa..0000000
+++ /dev/null
@@ -1,351 +0,0 @@
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2001 Per Allansson.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#include "includes.h"
-RCSID("$OpenBSD: auth2-chall.c,v 1.21 2004/06/01 14:20:45 dtucker Exp $");
-
-#include "ssh2.h"
-#include "auth.h"
-#include "buffer.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "dispatch.h"
-#include "log.h"
-
-static int auth2_challenge_start(Authctxt *);
-static int send_userauth_info_request(Authctxt *);
-static void input_userauth_info_response(int, u_int32_t, void *);
-
-#ifdef BSD_AUTH
-extern KbdintDevice bsdauth_device;
-#else
-#ifdef USE_PAM
-extern KbdintDevice sshpam_device;
-#endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
-#endif
-
-KbdintDevice *devices[] = {
-#ifdef BSD_AUTH
-       &bsdauth_device,
-#else
-#ifdef USE_PAM
-       &sshpam_device,
-#endif
-#ifdef SKEY
-       &skey_device,
-#endif
-#endif
-       NULL
-};
-
-typedef struct KbdintAuthctxt KbdintAuthctxt;
-struct KbdintAuthctxt
-{
-       char *devices;
-       void *ctxt;
-       KbdintDevice *device;
-       u_int nreq;
-};
-
-static KbdintAuthctxt *
-kbdint_alloc(const char *devs)
-{
-       KbdintAuthctxt *kbdintctxt;
-       Buffer b;
-       int i;
-
-       kbdintctxt = xmalloc(sizeof(KbdintAuthctxt));
-       if (strcmp(devs, "") == 0) {
-               buffer_init(&b);
-               for (i = 0; devices[i]; i++) {
-                       if (buffer_len(&b) > 0)
-                               buffer_append(&b, ",", 1);
-                       buffer_append(&b, devices[i]->name,
-                           strlen(devices[i]->name));
-               }
-               buffer_append(&b, "\0", 1);
-               kbdintctxt->devices = xstrdup(buffer_ptr(&b));
-               buffer_free(&b);
-       } else {
-               kbdintctxt->devices = xstrdup(devs);
-       }
-       debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
-       kbdintctxt->ctxt = NULL;
-       kbdintctxt->device = NULL;
-       kbdintctxt->nreq = 0;
-
-       return kbdintctxt;
-}
-static void
-kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
-{
-       if (kbdintctxt->ctxt) {
-               kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
-               kbdintctxt->ctxt = NULL;
-       }
-       kbdintctxt->device = NULL;
-}
-static void
-kbdint_free(KbdintAuthctxt *kbdintctxt)
-{
-       if (kbdintctxt->device)
-               kbdint_reset_device(kbdintctxt);
-       if (kbdintctxt->devices) {
-               xfree(kbdintctxt->devices);
-               kbdintctxt->devices = NULL;
-       }
-       xfree(kbdintctxt);
-}
-/* get next device */
-static int
-kbdint_next_device(KbdintAuthctxt *kbdintctxt)
-{
-       size_t len;
-       char *t;
-       int i;
-
-       if (kbdintctxt->device)
-               kbdint_reset_device(kbdintctxt);
-       do {
-               len = kbdintctxt->devices ?
-                   strcspn(kbdintctxt->devices, ",") : 0;
-
-               if (len == 0)
-                       break;
-               for (i = 0; devices[i]; i++)
-                       if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
-                               kbdintctxt->device = devices[i];
-               t = kbdintctxt->devices;
-               kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
-               xfree(t);
-               debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
-                  kbdintctxt->devices : "<empty>");
-       } while (kbdintctxt->devices && !kbdintctxt->device);
-
-       return kbdintctxt->device ? 1 : 0;
-}
-
-/*
- * try challenge-response, set authctxt->postponed if we have to
- * wait for the response.
- */
-int
-auth2_challenge(Authctxt *authctxt, char *devs)
-{
-       debug("auth2_challenge: user=%s devs=%s",
-           authctxt->user ? authctxt->user : "<nouser>",
-           devs ? devs : "<no devs>");
-
-       if (authctxt->user == NULL || !devs)
-               return 0;
-       if (authctxt->kbdintctxt == NULL)
-               authctxt->kbdintctxt = kbdint_alloc(devs);
-       return auth2_challenge_start(authctxt);
-}
-
-/* unregister kbd-int callbacks and context */
-void
-auth2_challenge_stop(Authctxt *authctxt)
-{
-       /* unregister callback */
-       dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
-       if (authctxt->kbdintctxt != NULL)  {
-               kbdint_free(authctxt->kbdintctxt);
-               authctxt->kbdintctxt = NULL;
-       }
-}
-
-/* side effect: sets authctxt->postponed if a reply was sent*/
-static int
-auth2_challenge_start(Authctxt *authctxt)
-{
-       KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
-
-       debug2("auth2_challenge_start: devices %s",
-           kbdintctxt->devices ?  kbdintctxt->devices : "<empty>");
-
-       if (kbdint_next_device(kbdintctxt) == 0) {
-               auth2_challenge_stop(authctxt);
-               return 0;
-       }
-       debug("auth2_challenge_start: trying authentication method '%s'",
-           kbdintctxt->device->name);
-
-       if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
-               auth2_challenge_stop(authctxt);
-               return 0;
-       }
-       if (send_userauth_info_request(authctxt) == 0) {
-               auth2_challenge_stop(authctxt);
-               return 0;
-       }
-       dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
-           &input_userauth_info_response);
-
-       authctxt->postponed = 1;
-       return 0;
-}
-
-static int
-send_userauth_info_request(Authctxt *authctxt)
-{
-       KbdintAuthctxt *kbdintctxt;
-       char *name, *instr, **prompts;
-       int i;
-       u_int *echo_on;
-
-       kbdintctxt = authctxt->kbdintctxt;
-       if (kbdintctxt->device->query(kbdintctxt->ctxt,
-           &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
-               return 0;
-
-       packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
-       packet_put_cstring(name);
-       packet_put_cstring(instr);
-       packet_put_cstring("");         /* language not used */
-       packet_put_int(kbdintctxt->nreq);
-       for (i = 0; i < kbdintctxt->nreq; i++) {
-               packet_put_cstring(prompts[i]);
-               packet_put_char(echo_on[i]);
-       }
-       packet_send();
-       packet_write_wait();
-
-       for (i = 0; i < kbdintctxt->nreq; i++)
-               xfree(prompts[i]);
-       xfree(prompts);
-       xfree(echo_on);
-       xfree(name);
-       xfree(instr);
-       return 1;
-}
-
-static void
-input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
-{
-       Authctxt *authctxt = ctxt;
-       KbdintAuthctxt *kbdintctxt;
-       int i, authenticated = 0, res, len;
-       u_int nresp;
-       char **response = NULL, *method;
-
-       if (authctxt == NULL)
-               fatal("input_userauth_info_response: no authctxt");
-       kbdintctxt = authctxt->kbdintctxt;
-       if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
-               fatal("input_userauth_info_response: no kbdintctxt");
-       if (kbdintctxt->device == NULL)
-               fatal("input_userauth_info_response: no device");
-
-       authctxt->postponed = 0;        /* reset */
-       nresp = packet_get_int();
-       if (nresp != kbdintctxt->nreq)
-               fatal("input_userauth_info_response: wrong number of replies");
-       if (nresp > 100)
-               fatal("input_userauth_info_response: too many replies");
-       if (nresp > 0) {
-               response = xmalloc(nresp * sizeof(char *));
-               for (i = 0; i < nresp; i++)
-                       response[i] = packet_get_string(NULL);
-       }
-       packet_check_eom();
-
-       if (authctxt->valid) {
-               res = kbdintctxt->device->respond(kbdintctxt->ctxt,
-                   nresp, response);
-       } else {
-               res = -1;
-       }
-
-       for (i = 0; i < nresp; i++) {
-               memset(response[i], 'r', strlen(response[i]));
-               xfree(response[i]);
-       }
-       if (response)
-               xfree(response);
-
-       switch (res) {
-       case 0:
-               /* Success! */
-               authenticated = 1;
-               break;
-       case 1:
-               /* Authentication needs further interaction */
-               if (send_userauth_info_request(authctxt) == 1)
-                       authctxt->postponed = 1;
-               break;
-       default:
-               /* Failure! */
-               break;
-       }
-
-       len = strlen("keyboard-interactive") + 2 +
-               strlen(kbdintctxt->device->name);
-       method = xmalloc(len);
-       snprintf(method, len, "keyboard-interactive/%s",
-           kbdintctxt->device->name);
-
-       if (!authctxt->postponed) {
-               if (authenticated) {
-                       auth2_challenge_stop(authctxt);
-               } else {
-                       /* start next device */
-                       /* may set authctxt->postponed */
-                       auth2_challenge_start(authctxt);
-               }
-       }
-       userauth_finish(authctxt, authenticated, method);
-       xfree(method);
-}
-
-void
-privsep_challenge_enable(void)
-{
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
-       int n = 0;
-#endif
-#ifdef BSD_AUTH
-       extern KbdintDevice mm_bsdauth_device;
-#endif
-#ifdef USE_PAM
-       extern KbdintDevice mm_sshpam_device;
-#endif
-#ifdef SKEY
-       extern KbdintDevice mm_skey_device;
-#endif
-
-#ifdef BSD_AUTH
-       devices[n++] = &mm_bsdauth_device;
-#else
-#ifdef USE_PAM
-       devices[n++] = &mm_sshpam_device;
-#endif
-#ifdef SKEY
-       devices[n++] = &mm_skey_device;
-#endif
-#endif
-}
diff --git a/crypto/openssh-3.9p1/auth2-gss.c b/crypto/openssh-3.9p1/auth2-gss.c
deleted file mode 100644 (file)
index 3289ba1..0000000
+++ /dev/null
@@ -1,295 +0,0 @@
-/*     $OpenBSD: auth2-gss.c,v 1.8 2004/06/21 17:36:31 avsm Exp $      */
-
-/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef GSSAPI
-
-#include "auth.h"
-#include "ssh2.h"
-#include "xmalloc.h"
-#include "log.h"
-#include "dispatch.h"
-#include "servconf.h"
-#include "compat.h"
-#include "packet.h"
-#include "monitor_wrap.h"
-
-#include "ssh-gss.h"
-
-extern ServerOptions options;
-
-static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
-static void input_gssapi_errtok(int, u_int32_t, void *);
-
-/*
- * We only support those mechanisms that we know about (ie ones that we know
- * how to check local user kuserok and the like
- */
-static int
-userauth_gssapi(Authctxt *authctxt)
-{
-       gss_OID_desc goid = {0, NULL};
-       Gssctxt *ctxt = NULL;
-       int mechs;
-       gss_OID_set supported;
-       int present;
-       OM_uint32 ms;
-       u_int len;
-       char *doid = NULL;
-
-       if (!authctxt->valid || authctxt->user == NULL)
-               return (0);
-
-       mechs = packet_get_int();
-       if (mechs == 0) {
-               debug("Mechanism negotiation is not supported");
-               return (0);
-       }
-
-       ssh_gssapi_supported_oids(&supported);
-       do {
-               mechs--;
-
-               if (doid)
-                       xfree(doid);
-
-               present = 0;
-               doid = packet_get_string(&len);
-
-               if (len > 2 &&
-                  doid[0] == SSH_GSS_OIDTYPE &&
-                  doid[1] == len - 2) {
-                       goid.elements = doid + 2;
-                       goid.length   = len - 2;
-                       gss_test_oid_set_member(&ms, &goid, supported,
-                           &present);
-               } else {
-                       logit("Badly formed OID received");
-               }
-       } while (mechs > 0 && !present);
-
-       gss_release_oid_set(&ms, &supported);
-
-       if (!present) {
-               xfree(doid);
-               return (0);
-       }
-
-       if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
-               xfree(doid);
-               return (0);
-       }
-
-       authctxt->methoddata=(void *)ctxt;
-
-       packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
-
-       /* Return the OID that we received */
-       packet_put_string(doid, len);
-
-       packet_send();
-       xfree(doid);
-
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
-       authctxt->postponed = 1;
-
-       return (0);
-}
-
-static void
-input_gssapi_token(int type, u_int32_t plen, void *ctxt)
-{
-       Authctxt *authctxt = ctxt;
-       Gssctxt *gssctxt;
-       gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-       gss_buffer_desc recv_tok;
-       OM_uint32 maj_status, min_status, flags;
-       u_int len;
-
-       if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-               fatal("No authentication or GSSAPI context");
-
-       gssctxt = authctxt->methoddata;
-       recv_tok.value = packet_get_string(&len);
-       recv_tok.length = len; /* u_int vs. size_t */
-
-       packet_check_eom();
-
-       maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-           &send_tok, &flags));
-
-       xfree(recv_tok.value);
-
-       if (GSS_ERROR(maj_status)) {
-               if (send_tok.length != 0) {
-                       packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
-                       packet_put_string(send_tok.value, send_tok.length);
-                       packet_send();
-               }
-               authctxt->postponed = 0;
-               dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-               userauth_finish(authctxt, 0, "gssapi-with-mic");
-       } else {
-               if (send_tok.length != 0) {
-                       packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-                       packet_put_string(send_tok.value, send_tok.length);
-                       packet_send();
-               }
-               if (maj_status == GSS_S_COMPLETE) {
-                       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-                       if (flags & GSS_C_INTEG_FLAG)
-                               dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
-                                   &input_gssapi_mic);
-                       else
-                               dispatch_set(
-                                   SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
-                                   &input_gssapi_exchange_complete);
-               }
-       }
-
-       gss_release_buffer(&min_status, &send_tok);
-}
-
-static void
-input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
-{
-       Authctxt *authctxt = ctxt;
-       Gssctxt *gssctxt;
-       gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-       gss_buffer_desc recv_tok;
-       OM_uint32 maj_status;
-       u_int len;
-
-       if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-               fatal("No authentication or GSSAPI context");
-
-       gssctxt = authctxt->methoddata;
-       recv_tok.value = packet_get_string(&len);
-       recv_tok.length = len;
-
-       packet_check_eom();
-
-       /* Push the error token into GSSAPI to see what it says */
-       maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-           &send_tok, NULL));
-
-       xfree(recv_tok.value);
-
-       /* We can't return anything to the client, even if we wanted to */
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-
-       /* The client will have already moved on to the next auth */
-
-       gss_release_buffer(&maj_status, &send_tok);
-}
-
-/*
- * This is called when the client thinks we've completed authentication.
- * It should only be enabled in the dispatch handler by the function above,
- * which only enables it once the GSSAPI exchange is complete.
- */
-
-static void
-input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
-{
-       Authctxt *authctxt = ctxt;
-       Gssctxt *gssctxt;
-       int authenticated;
-
-       if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-               fatal("No authentication or GSSAPI context");
-
-       gssctxt = authctxt->methoddata;
-
-       /*
-        * We don't need to check the status, because we're only enabled in
-        * the dispatcher once the exchange is complete
-        */
-
-       packet_check_eom();
-
-       authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-
-       authctxt->postponed = 0;
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-       userauth_finish(authctxt, authenticated, "gssapi-with-mic");
-}
-
-static void
-input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
-{
-       Authctxt *authctxt = ctxt;
-       Gssctxt *gssctxt;
-       int authenticated = 0;
-       Buffer b;
-       gss_buffer_desc mic, gssbuf;
-       u_int len;
-
-       if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-               fatal("No authentication or GSSAPI context");
-
-       gssctxt = authctxt->methoddata;
-
-       mic.value = packet_get_string(&len);
-       mic.length = len;
-
-       ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
-           "gssapi-with-mic");
-
-       gssbuf.value = buffer_ptr(&b);
-       gssbuf.length = buffer_len(&b);
-
-       if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-               authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-       else
-               logit("GSSAPI MIC check failed");
-
-       buffer_free(&b);
-       xfree(mic.value);
-
-       authctxt->postponed = 0;
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-       userauth_finish(authctxt, authenticated, "gssapi-with-mic");
-}
-
-Authmethod method_gssapi = {
-       "gssapi-with-mic",
-       userauth_gssapi,
-       &options.gss_authentication
-};
-
-#endif /* GSSAPI */
diff --git a/crypto/openssh-3.9p1/auth2-hostbased.c b/crypto/openssh-3.9p1/auth2-hostbased.c
deleted file mode 100644 (file)
index 1111ed6..0000000
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth2-hostbased.c,v 1.6 2004/01/19 21:25:15 markus Exp $");
-
-#include "ssh2.h"
-#include "xmalloc.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "servconf.h"
-#include "compat.h"
-#include "bufaux.h"
-#include "auth.h"
-#include "key.h"
-#include "canohost.h"
-#include "monitor_wrap.h"
-#include "pathnames.h"
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-
-static int
-userauth_hostbased(Authctxt *authctxt)
-{
-       Buffer b;
-       Key *key = NULL;
-       char *pkalg, *cuser, *chost, *service;
-       u_char *pkblob, *sig;
-       u_int alen, blen, slen;
-       int pktype;
-       int authenticated = 0;
-
-       if (!authctxt->valid) {
-               debug2("userauth_hostbased: disabled because of invalid user");
-               return 0;
-       }
-       pkalg = packet_get_string(&alen);
-       pkblob = packet_get_string(&blen);
-       chost = packet_get_string(NULL);
-       cuser = packet_get_string(NULL);
-       sig = packet_get_string(&slen);
-
-       debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
-           cuser, chost, pkalg, slen);
-#ifdef DEBUG_PK
-       debug("signature:");
-       buffer_init(&b);
-       buffer_append(&b, sig, slen);
-       buffer_dump(&b);
-       buffer_free(&b);
-#endif
-       pktype = key_type_from_name(pkalg);
-       if (pktype == KEY_UNSPEC) {
-               /* this is perfectly legal */
-               logit("userauth_hostbased: unsupported "
-                   "public key algorithm: %s", pkalg);
-               goto done;
-       }
-       key = key_from_blob(pkblob, blen);
-       if (key == NULL) {
-               error("userauth_hostbased: cannot decode key: %s", pkalg);
-               goto done;
-       }
-       if (key->type != pktype) {
-               error("userauth_hostbased: type mismatch for decoded key "
-                   "(received %d, expected %d)", key->type, pktype);
-               goto done;
-       }
-       service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
-           authctxt->service;
-       buffer_init(&b);
-       buffer_put_string(&b, session_id2, session_id2_len);
-       /* reconstruct packet */
-       buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-       buffer_put_cstring(&b, authctxt->user);
-       buffer_put_cstring(&b, service);
-       buffer_put_cstring(&b, "hostbased");
-       buffer_put_string(&b, pkalg, alen);
-       buffer_put_string(&b, pkblob, blen);
-       buffer_put_cstring(&b, chost);
-       buffer_put_cstring(&b, cuser);
-#ifdef DEBUG_PK
-       buffer_dump(&b);
-#endif
-       /* test for allowed key and correct signature */
-       authenticated = 0;
-       if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
-           PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
-                       buffer_len(&b))) == 1)
-               authenticated = 1;
-
-       buffer_free(&b);
-done:
-       debug2("userauth_hostbased: authenticated %d", authenticated);
-       if (key != NULL)
-               key_free(key);
-       xfree(pkalg);
-       xfree(pkblob);
-       xfree(cuser);
-       xfree(chost);
-       xfree(sig);
-       return authenticated;
-}
-
-/* return 1 if given hostkey is allowed */
-int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-    Key *key)
-{
-       const char *resolvedname, *ipaddr, *lookup;
-       HostStatus host_status;
-       int len;
-
-       resolvedname = get_canonical_hostname(options.use_dns);
-       ipaddr = get_remote_ipaddr();
-
-       debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
-           chost, resolvedname, ipaddr);
-
-       if (options.hostbased_uses_name_from_packet_only) {
-               if (auth_rhosts2(pw, cuser, chost, chost) == 0)
-                       return 0;
-               lookup = chost;
-       } else {
-               if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
-                       debug2("stripping trailing dot from chost %s", chost);
-                       chost[len - 1] = '\0';
-               }
-               if (strcasecmp(resolvedname, chost) != 0)
-                       logit("userauth_hostbased mismatch: "
-                           "client sends %s, but we resolve %s to %s",
-                           chost, ipaddr, resolvedname);
-               if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
-                       return 0;
-               lookup = resolvedname;
-       }
-       debug2("userauth_hostbased: access allowed by auth_rhosts2");
-
-       host_status = check_key_in_hostfiles(pw, key, lookup,
-           _PATH_SSH_SYSTEM_HOSTFILE,
-           options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-
-       /* backward compat if no key has been found. */
-       if (host_status == HOST_NEW)
-               host_status = check_key_in_hostfiles(pw, key, lookup,
-                   _PATH_SSH_SYSTEM_HOSTFILE2,
-                   options.ignore_user_known_hosts ? NULL :
-                   _PATH_SSH_USER_HOSTFILE2);
-
-       return (host_status == HOST_OK);
-}
-
-Authmethod method_hostbased = {
-       "hostbased",
-       userauth_hostbased,
-       &options.hostbased_authentication
-};
diff --git a/crypto/openssh-3.9p1/auth2-kbdint.c b/crypto/openssh-3.9p1/auth2-kbdint.c
deleted file mode 100644 (file)
index 1696ef4..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth2-kbdint.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
-
-#include "packet.h"
-#include "auth.h"
-#include "log.h"
-#include "servconf.h"
-#include "xmalloc.h"
-
-/* import */
-extern ServerOptions options;
-
-static int
-userauth_kbdint(Authctxt *authctxt)
-{
-       int authenticated = 0;
-       char *lang, *devs;
-
-       lang = packet_get_string(NULL);
-       devs = packet_get_string(NULL);
-       packet_check_eom();
-
-       debug("keyboard-interactive devs %s", devs);
-
-       if (options.challenge_response_authentication)
-               authenticated = auth2_challenge(authctxt, devs);
-
-       xfree(devs);
-       xfree(lang);
-#ifdef HAVE_CYGWIN
-       if (check_nt_auth(0, authctxt->pw) == 0)
-               return(0);
-#endif
-       return authenticated;
-}
-
-Authmethod method_kbdint = {
-       "keyboard-interactive",
-       userauth_kbdint,
-       &options.kbd_interactive_authentication
-};
diff --git a/crypto/openssh-3.9p1/auth2-none.c b/crypto/openssh-3.9p1/auth2-none.c
deleted file mode 100644 (file)
index 2bf5b5c..0000000
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth2-none.c,v 1.7 2004/05/11 19:01:43 deraadt Exp $");
-
-#include "auth.h"
-#include "xmalloc.h"
-#include "packet.h"
-#include "log.h"
-#include "servconf.h"
-#include "atomicio.h"
-#include "compat.h"
-#include "ssh2.h"
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-
-/* "none" is allowed only one time */
-static int none_enabled = 1;
-
-char *
-auth2_read_banner(void)
-{
-       struct stat st;
-       char *banner = NULL;
-       size_t len, n;
-       int fd;
-
-       if ((fd = open(options.banner, O_RDONLY)) == -1)
-               return (NULL);
-       if (fstat(fd, &st) == -1) {
-               close(fd);
-               return (NULL);
-       }
-       if (st.st_size > 1*1024*1024) {
-               close(fd);
-               return (NULL);
-       }
-
-       len = (size_t)st.st_size;               /* truncate */
-       banner = xmalloc(len + 1);
-       n = atomicio(read, fd, banner, len);
-       close(fd);
-
-       if (n != len) {
-               xfree(banner);
-               return (NULL);
-       }
-       banner[n] = '\0';
-
-       return (banner);
-}
-
-static void
-userauth_banner(void)
-{
-       char *banner = NULL;
-
-       if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
-               return;
-
-       if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
-               goto done;
-
-       packet_start(SSH2_MSG_USERAUTH_BANNER);
-       packet_put_cstring(banner);
-       packet_put_cstring("");         /* language, unused */
-       packet_send();
-       debug("userauth_banner: sent");
-done:
-       if (banner)
-               xfree(banner);
-}
-
-static int
-userauth_none(Authctxt *authctxt)
-{
-       none_enabled = 0;
-       packet_check_eom();
-       userauth_banner();
-#ifdef HAVE_CYGWIN
-       if (check_nt_auth(1, authctxt->pw) == 0)
-               return(0);
-#endif
-       if (options.password_authentication)
-               return (PRIVSEP(auth_password(authctxt, "")));
-       return (0);
-}
-
-Authmethod method_none = {
-       "none",
-       userauth_none,
-       &none_enabled
-};
diff --git a/crypto/openssh-3.9p1/auth2-passwd.c b/crypto/openssh-3.9p1/auth2-passwd.c
deleted file mode 100644 (file)
index a4f482d..0000000
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth2-passwd.c,v 1.5 2003/12/31 00:24:50 dtucker Exp $");
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "log.h"
-#include "auth.h"
-#include "monitor_wrap.h"
-#include "servconf.h"
-
-/* import */
-extern ServerOptions options;
-
-static int
-userauth_passwd(Authctxt *authctxt)
-{
-       char *password, *newpass;
-       int authenticated = 0;
-       int change;
-       u_int len, newlen;
-
-       change = packet_get_char();
-       password = packet_get_string(&len);
-       if (change) {
-               /* discard new password from packet */
-               newpass = packet_get_string(&newlen);
-               memset(newpass, 0, newlen);
-               xfree(newpass);
-       }
-       packet_check_eom();
-
-       if (change)
-               logit("password change not supported");
-       else if (PRIVSEP(auth_password(authctxt, password)) == 1
-#ifdef HAVE_CYGWIN
-           && check_nt_auth(1, authctxt->pw)
-#endif
-           )
-               authenticated = 1;
-       memset(password, 0, len);
-       xfree(password);
-       return authenticated;
-}
-
-Authmethod method_passwd = {
-       "password",
-       userauth_passwd,
-       &options.password_authentication
-};
diff --git a/crypto/openssh-3.9p1/auth2-pubkey.c b/crypto/openssh-3.9p1/auth2-pubkey.c
deleted file mode 100644 (file)
index 9898d4a..0000000
+++ /dev/null
@@ -1,280 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: auth2-pubkey.c,v 1.7 2004/06/21 17:36:31 avsm Exp $");
-
-#include "ssh2.h"
-#include "xmalloc.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "servconf.h"
-#include "compat.h"
-#include "bufaux.h"
-#include "auth.h"
-#include "key.h"
-#include "pathnames.h"
-#include "uidswap.h"
-#include "auth-options.h"
-#include "canohost.h"
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-
-static int
-userauth_pubkey(Authctxt *authctxt)
-{
-       Buffer b;
-       Key *key = NULL;
-       char *pkalg;
-       u_char *pkblob, *sig;
-       u_int alen, blen, slen;
-       int have_sig, pktype;
-       int authenticated = 0;
-
-       if (!authctxt->valid) {
-               debug2("userauth_pubkey: disabled because of invalid user");
-               return 0;
-       }
-       have_sig = packet_get_char();
-       if (datafellows & SSH_BUG_PKAUTH) {
-               debug2("userauth_pubkey: SSH_BUG_PKAUTH");
-               /* no explicit pkalg given */
-               pkblob = packet_get_string(&blen);
-               buffer_init(&b);
-               buffer_append(&b, pkblob, blen);
-               /* so we have to extract the pkalg from the pkblob */
-               pkalg = buffer_get_string(&b, &alen);
-               buffer_free(&b);
-       } else {
-               pkalg = packet_get_string(&alen);
-               pkblob = packet_get_string(&blen);
-       }
-       pktype = key_type_from_name(pkalg);
-       if (pktype == KEY_UNSPEC) {
-               /* this is perfectly legal */
-               logit("userauth_pubkey: unsupported public key algorithm: %s",
-                   pkalg);
-               goto done;
-       }
-       key = key_from_blob(pkblob, blen);
-       if (key == NULL) {
-               error("userauth_pubkey: cannot decode key: %s", pkalg);
-               goto done;
-       }
-       if (key->type != pktype) {
-               error("userauth_pubkey: type mismatch for decoded key "
-                   "(received %d, expected %d)", key->type, pktype);
-               goto done;
-       }
-       if (have_sig) {
-               sig = packet_get_string(&slen);
-               packet_check_eom();
-               buffer_init(&b);
-               if (datafellows & SSH_OLD_SESSIONID) {
-                       buffer_append(&b, session_id2, session_id2_len);
-               } else {
-                       buffer_put_string(&b, session_id2, session_id2_len);
-               }
-               /* reconstruct packet */
-               buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-               buffer_put_cstring(&b, authctxt->user);
-               buffer_put_cstring(&b,
-                   datafellows & SSH_BUG_PKSERVICE ?
-                   "ssh-userauth" :
-                   authctxt->service);
-               if (datafellows & SSH_BUG_PKAUTH) {
-                       buffer_put_char(&b, have_sig);
-               } else {
-                       buffer_put_cstring(&b, "publickey");
-                       buffer_put_char(&b, have_sig);
-                       buffer_put_cstring(&b, pkalg);
-               }
-               buffer_put_string(&b, pkblob, bl