Merge branch 'vendor/OPENSSH'
authorPeter Avalos <pavalos@dragonflybsd.org>
Sun, 28 Oct 2012 18:41:45 +0000 (11:41 -0700)
committerPeter Avalos <pavalos@dragonflybsd.org>
Sun, 28 Oct 2012 19:13:17 +0000 (12:13 -0700)
28 files changed:
crypto/openssh/auth2-pubkey.c
crypto/openssh/auth2.c
crypto/openssh/authfile.c
crypto/openssh/channels.c
crypto/openssh/channels.h
crypto/openssh/clientloop.c
crypto/openssh/compat.c
crypto/openssh/compat.h
crypto/openssh/myproposal.h
crypto/openssh/packet.c
crypto/openssh/packet.h
crypto/openssh/readconf.c
crypto/openssh/readconf.h
crypto/openssh/scp.c
crypto/openssh/servconf.c
crypto/openssh/servconf.h
crypto/openssh/serverloop.c
crypto/openssh/session.c
crypto/openssh/sftp.1
crypto/openssh/sftp.c
crypto/openssh/ssh.1
crypto/openssh/ssh.c
crypto/openssh/ssh_config.5
crypto/openssh/sshconnect2.c
crypto/openssh/sshd.8
crypto/openssh/sshd.c
crypto/openssh/sshd_config
crypto/openssh/sshd_config.5

@@@ -2675,13 -2680,44 +2720,51 @@@ channel_set_af(int af
  }
  
  
 +void
 +channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
 +{
 +      hpn_disabled = external_hpn_disabled;
 +      hpn_buffer_size = external_hpn_buffer_size;
 +      debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
 +}
+ /*
+  * Determine whether or not a port forward listens to loopback, the
+  * specified address or wildcard. On the client, a specified bind
+  * address will always override gateway_ports. On the server, a
+  * gateway_ports of 1 (``yes'') will override the client's specification
+  * and force a wildcard bind, whereas a value of 2 (``clientspecified'')
+  * will bind to whatever address the client asked for.
+  *
+  * Special-case listen_addrs are:
+  *
+  * "0.0.0.0"               -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
+  * "" (empty string), "*"  -> wildcard v4/v6
+  * "localhost"             -> loopback v4/v6
+  */
+ static const char *
+ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
+     int is_client, int gateway_ports)
+ {
+       const char *addr = NULL;
+       int wildcard = 0;
+       if (listen_addr == NULL) {
+               /* No address specified: default to gateway_ports setting */
+               if (gateway_ports)
+                       wildcard = 1;
+       } else if (gateway_ports || is_client) {
+               if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
+                   strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
+                   *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
+                   (!is_client && gateway_ports == 1))
+                       wildcard = 1;
+               else if (strcmp(listen_addr, "localhost") != 0)
+                       addr = listen_addr;
+       }
+       if (wildcardp != NULL)
+               *wildcardp = wildcard;
+       return addr;
+ }
  
  static int
  channel_setup_fwd_listener(int type, const char *listen_addr,
                c = channel_new("port listener", type, sock, sock, -1,
                    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
                    0, "port listener", 1);
 +              else
 +                      c = channel_new("port listener", type, sock, sock, -1,
 +                        hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
 +                        0, "port listener", 1);
                c->path = xstrdup(host);
                c->host_port = port_to_connect;
-               c->listening_port = listen_port;
+               c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
+               if (listen_port == 0 && allocated_listen_port != NULL &&
+                   !(datafellows & SSH_BUG_DYNAMIC_RPORT))
+                       c->listening_port = *allocated_listen_port;
+               else
+                       c->listening_port = listen_port;
                success = 1;
        }
        if (success == 0)
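Review bot: channel_set_hpn() stores external_hpn_buffer_size into the file-scope hpn_buffer_size with no range check, and in channel_setup_fwd_listener() that same value is handed straight to channel_new() as the listener's window when HPN is enabled; a zero or negative size would reach the channel layer unchallenged. A clamp in the setter such as `if (hpn_buffer_size <= 0) hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;` would keep the window sane regardless of how servconf derived the number. The two channel_new() calls in channel_setup_fwd_listener() differ only in the window argument, so a single call with `hpn_disabled ? CHAN_TCP_WINDOW_DEFAULT : hpn_buffer_size` would remove the duplication; the `if` that selects between them, and the rest of that function's body, lie outside the hunk.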
@@@ -239,9 -239,10 +243,10 @@@ void      channel_input_status_confirm(int
  
  /* file descriptor handling (read/write) */
  
- void   channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int);
+ void   channel_prepare_select(fd_set **, fd_set **, int *, u_int*,
+            time_t*, int);
  void     channel_after_select(fd_set *, fd_set *);
 -void     channel_output_poll(void);
 +int      channel_output_poll(void);
  
  int      channel_not_very_much_buffered_data(void);
  void     channel_close_all(void);
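Review bot: channel_output_poll() changes from void to int, but the header does not say what the returned value means, so callers reading only channels.h cannot tell whether it is a count, a boolean or an error code. A one-line comment above the prototype would fix that, e.g. `/* returns nonzero when ... -- see channels.c */` with the blank filled from the definition, which is not in this diff; I cannot confirm the semantics from here.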
@@@ -58,7 -58,7 +58,8 @@@
  #define SSH_OLD_FORWARD_ADDR  0x01000000
  #define SSH_BUG_RFWD_ADDR     0x02000000
  #define SSH_NEW_OPENSSH               0x04000000
- #define SSH_BUG_LARGEWINDOW     0x08000000
+ #define SSH_BUG_DYNAMIC_RPORT 0x08000000
++#define SSH_BUG_LARGEWINDOW     0x10000000
  
  void     enable_compat13(void);
  void     enable_compat20(void);
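Review bot: SSH_BUG_LARGEWINDOW is renumbered from 0x08000000 to 0x10000000 because upstream now uses 0x08000000 for SSH_BUG_DYNAMIC_RPORT, but nothing in the header records that this bit is a local addition that must stay above upstream's allocations, so the next vendor merge can collide the same way. A comment on the line, `/* local (HPN) bit: keep above upstream's highest SSH_* value */`, would make the constraint visible to whoever does the next merge. Code that refers to the flag by name is unaffected; only something that compared or stored the raw bit value would change meaning, and I see no such use in this diff.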
@@@ -290,46 -281,11 +293,48 @@@ fill_default_server_options(ServerOptio
                options->ip_qos_interactive = IPTOS_LOWDELAY;
        if (options->ip_qos_bulk == -1)
                options->ip_qos_bulk = IPTOS_THROUGHPUT;
 +
 +      if (options->hpn_disabled == -1)
 +              options->hpn_disabled = 0;
 +
 +      if (options->hpn_buffer_size == -1) {
 +              /* option not explicitly set. Now we have to figure out */
 +              /* what value to use */
 +              if (options->hpn_disabled == 1) {
 +                      options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
 +              } else {
 +                      /* get the current RCV size and set it to that */
 +                      /*create a socket but don't connect it */
 +                      /* we use that the get the rcv socket size */
 +                      sock = socket(AF_INET, SOCK_STREAM, 0);
 +                      getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
 +                                 &socksize, &socksizelen);
 +                      close(sock);
 +                      options->hpn_buffer_size = socksize;
 +                      debug ("HPN Buffer Size: %d", options->hpn_buffer_size);
 +
 +              }
 +      } else {
 +              /* we have to do this incase the user sets both values in a contradictory */
 +              /* manner. hpn_disabled overrrides hpn_buffer_size*/
 +              if (options->hpn_disabled <= 0) {
 +                      if (options->hpn_buffer_size == 0)
 +                              options->hpn_buffer_size = 1;
 +                      /* limit the maximum buffer to 64MB */
 +                      if (options->hpn_buffer_size > 64*1024) {
 +                              options->hpn_buffer_size = 64*1024*1024;
 +                      } else {
 +                              options->hpn_buffer_size *= 1024;
 +                      }
 +              } else
 +                      options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
 +      }
 +
+       if (options->version_addendum == NULL)
+               options->version_addendum = xstrdup("");
        /* Turn privilege separation on by default */
        if (use_privsep == -1)
-               use_privsep = PRIVSEP_ON;
+               use_privsep = PRIVSEP_NOSANDBOX;
  
  #ifndef HAVE_MMAP
        if (use_privsep && options->compression == 1) {
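Review bot: The SO_RCVBUF probe in the hpn_buffer_size == -1 branch checks neither socket() nor getsockopt(), so on failure (IPv4 sockets unavailable, a sandboxed or resource-limited sshd) close() is called on -1 and socksize is used as the buffer size whether or not getsockopt() wrote it; socksize and socksizelen are declared outside the hunk, so I cannot see whether socksize starts initialized. The probe should fall back to CHAN_SES_WINDOW_DEFAULT on any failure or non-positive result, as below. The explicitly-set branch likewise has no lower bound for negative values if the parser admits them -- worth confirming. fill_default_server_options() starts before and ends after this hunk.
```c
		} else {
			/* Probe the kernel's default receive buffer via an
			 * unconnected socket; fall back to the session default
			 * if the probe fails or reports nothing usable. */
			sock = socket(AF_INET, SOCK_STREAM, 0);
			if (sock < 0 ||
			    getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
			    &socksize, &socksizelen) < 0 ||
			    socksize <= 0)
				options->hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
			else
				options->hpn_buffer_size = socksize;
			if (sock >= 0)
				close(sock);
			debug("HPN Buffer Size: %d", options->hpn_buffer_size);
		}
	/* ... unchanged: explicitly-set hpn_buffer_size handling ... */
```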
@@@ -372,9 -328,7 +377,8 @@@ typedef enum 
        sUsePrivilegeSeparation, sAllowAgentForwarding,
        sZeroKnowledgePasswordAuthentication, sHostCertificate,
        sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
-       sKexAlgorithms, sIPQoS,
+       sKexAlgorithms, sIPQoS, sVersionAddendum,
 +      sNoneEnabled, sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
-       sVersionAddendum,
        sDeprecated, sUnsupported
  } ServerOpCodes;
  
@@@ -499,12 -451,9 +502,13 @@@ static struct 
        { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
        { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
        { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
 +      { "noneenabled", sNoneEnabled },
 +      { "hpndisabled", sHPNDisabled },
 +      { "hpnbuffersize", sHPNBufferSize },
 +      { "tcprcvbufpoll", sTcpRcvBufPoll },
        { "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
        { "ipqos", sIPQoS, SSHCFG_ALL },
+       { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
        { NULL, sBadOption, 0 }
  };
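Review bot: The four new keyword entries ("noneenabled", "hpndisabled", "hpnbuffersize", "tcprcvbufpoll") omit the third SSHCFG_* field that every neighbouring entry carries, so their flags are zero-initialized; whether a zero flags value is accepted in the global scope, in Match blocks, or in neither depends on the parser elsewhere in servconf.c, which I cannot see here. Making them explicit, e.g. `{ "hpndisabled", sHPNDisabled, SSHCFG_GLOBAL },` (or SSHCFG_ALL if they are meant to be valid inside Match), removes the ambiguity and matches the rest of the table.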
  
@@@ -56,10 -49,12 +56,12 @@@ PermitRootLogin without-passwor
  # but this is overridden so installations will only check .ssh/authorized_keys
  AuthorizedKeysFile    .ssh/authorized_keys
  
+ #AuthorizedPrincipalsFile none
  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 -#RhostsRSAAuthentication no
 +RhostsRSAAuthentication no
  # similar for protocol version 2
 -#HostbasedAuthentication no
 +HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # RhostsRSAAuthentication and HostbasedAuthentication
  #IgnoreUserKnownHosts no
@@@ -117,9 -109,8 +119,10 @@@ UsePrivilegeSeparation sandbox            # Defau
  #MaxStartups 10
  #PermitTunnel no
  #ChrootDirectory none
+ #VersionAddendum none
  
 +#XAuthLocation /usr/pkg/bin/xauth
 +
  # no default banner path
  #Banner none
  
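Review bot: The commented example `#VersionAddendum none` shows upstream's default, but sshd_config.5 in this same merge documents the DragonFly default as `.Dq DragonFly-20121028`, so the shipped config misstates what the server actually sends when the line is left commented. The convention in this file is for commented lines to show the effective default, so it should read `#VersionAddendum DragonFly-20121028`.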
@@@ -1111,10 -1091,10 +1122,10 @@@ is set t
  then the pre-authentication unprivileged process is subject to additional
  restrictions.
  .It Cm VersionAddendum
- Specifies a string to append to the regular version string to identify
OS- or site-specific modifications.
+ Optionally specifies additional text to append to the SSH protocol banner
sent by the server upon connection.
  The default is
- .Dq DragonFly-20110920 .
 -.Dq none .
++.Dq DragonFly-20121028 .
  .It Cm X11DisplayOffset
  Specifies the first display number available for
  .Xr sshd 8 Ns 's