[openssh] rebase to openssh-6.6p1
plautrba
plautrba at fedoraproject.org
Wed Jun 4 07:45:44 UTC 2014
commit 94c6f8ddcc028cc46d17ba9e66ca737f03ef40c6
Author: Petr Lautrbach <plautrba at redhat.com>
Date: Tue Jun 3 16:51:07 2014 +0200
rebase to openssh-6.6p1
.gitignore | 1 +
...2653.patch => openssh-6.6p1-CVE-2014-2653.patch | 12 +-
...opts.patch => openssh-6.6p1-allow-ip-opts.patch | 19 +-
...stest.patch => openssh-6.6p1-ctr-cavstest.patch | 89 +-
...p1-entropy.patch => openssh-6.6p1-entropy.patch | 137 +-
...rprint.patch => openssh-6.6p1-fingerprint.patch | 115 +-
....3p1-keycat.patch => openssh-6.6p1-keycat.patch | 138 +-
...p1-keyperm.patch => openssh-6.6p1-keyperm.patch | 22 +-
...sh-6.3p1-ldap.patch => openssh-6.6p1-ldap.patch | 3393 ++++++++++----------
...m-no.patch => openssh-6.6p1-log-usepam-no.patch | 20 +-
...ux.patch => openssh-6.6p1-privsep-selinux.patch | 62 +-
....3p1-redhat.patch => openssh-6.6p1-redhat.patch | 102 +-
...-role-mls.patch => openssh-6.6p1-role-mls.patch | 559 ++--
openssh.spec | 91 +-
sources | 2 +-
15 files changed, 2438 insertions(+), 2324 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 04bccd9..e407e89 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,3 +12,4 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
/openssh-6.2p2.tar.gz
/openssh-6.3p1.tar.gz
/openssh-6.4p1.tar.gz
+/openssh-6.6p1.tar.gz
diff --git a/openssh-6.4p1-CVE-2014-2653.patch b/openssh-6.6p1-CVE-2014-2653.patch
similarity index 91%
rename from openssh-6.4p1-CVE-2014-2653.patch
rename to openssh-6.6p1-CVE-2014-2653.patch
index 27f3fa3..c3bd0a1 100644
--- a/openssh-6.4p1-CVE-2014-2653.patch
+++ b/openssh-6.6p1-CVE-2014-2653.patch
@@ -1,5 +1,5 @@
diff --git a/ChangeLog b/ChangeLog
-index 29d70ec..a0fb67e 100644
+index 38de846..1603a07 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
@@ -14,14 +14,14 @@ index 29d70ec..a0fb67e 100644
+
+ Reported by mcv21 AT cam.ac.uk
+
- 20131010
- - dtucker at cvs.openbsd.org 2013/10/08 11:42:13
- [dh.c dh.h]
+ 20140313
+ - (djm) Release OpenSSH 6.6
+
diff --git a/sshconnect.c b/sshconnect.c
-index ddc167e..4d8c718 100644
+index 394cca8..e636f33 100644
--- a/sshconnect.c
+++ b/sshconnect.c
-@@ -1136,30 +1136,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+@@ -1219,30 +1219,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
{
int flags = 0;
char *fp;
diff --git a/openssh-5.2p1-allow-ip-opts.patch b/openssh-6.6p1-allow-ip-opts.patch
similarity index 74%
rename from openssh-5.2p1-allow-ip-opts.patch
rename to openssh-6.6p1-allow-ip-opts.patch
index 96aaab1..e56d8aa 100644
--- a/openssh-5.2p1-allow-ip-opts.patch
+++ b/openssh-6.6p1-allow-ip-opts.patch
@@ -1,7 +1,8 @@
-diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
---- openssh-5.2p1/canohost.c.ip-opts 2009-02-14 06:28:21.000000000 +0100
-+++ openssh-5.2p1/canohost.c 2009-09-01 15:31:29.000000000 +0200
-@@ -169,12 +169,27 @@ check_ip_options(int sock, char *ipaddr)
+diff --git a/canohost.c b/canohost.c
+index a61a8c9..97ce58c 100644
+--- a/canohost.c
++++ b/canohost.c
+@@ -165,12 +165,29 @@ check_ip_options(int sock, char *ipaddr)
option_size = sizeof(options);
if (getsockopt(sock, ipproto, IP_OPTIONS, options,
&option_size) >= 0 && option_size != 0) {
@@ -18,8 +19,12 @@ diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
+ case 1:
+ ++i;
+ break;
-+ case 131:
-+ case 137:
++ case 130:
++ case 133:
++ case 134:
++ i += options[i + 1];
++ break;
++ default:
+ /* Fail, fatally, if we detect either loose or strict
+ * source routing options. */
+ text[0] = '\0';
@@ -28,8 +33,6 @@ diff -up openssh-5.2p1/canohost.c.ip-opts openssh-5.2p1/canohost.c
+ " %2.2x", options[i]);
+ fatal("Connection from %.100s with IP options:%.800s",
+ ipaddr, text);
-+ default:
-+ i += options[i + 1];
+ }
+ } while (i < option_size);
}
diff --git a/openssh-6.3p1-ctr-cavstest.patch b/openssh-6.6p1-ctr-cavstest.patch
similarity index 90%
rename from openssh-6.3p1-ctr-cavstest.patch
rename to openssh-6.6p1-ctr-cavstest.patch
index 5cd9997..1997fa6 100644
--- a/openssh-6.3p1-ctr-cavstest.patch
+++ b/openssh-6.6p1-ctr-cavstest.patch
@@ -1,6 +1,47 @@
-diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
---- openssh-6.2p1/ctr-cavstest.c.ctr-cavs 2013-03-25 21:35:52.512586671 +0100
-+++ openssh-6.2p1/ctr-cavstest.c 2013-03-25 21:35:52.512586671 +0100
+diff --git a/Makefile.in b/Makefile.in
+index 4ab6717..581b121 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
+ SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
+ SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SSH_KEYCAT=$(libexecdir)/ssh-keycat
++CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
+ MANFMT=@MANFMT@
+ INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
+
+ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+ canohost.o channels.o cipher.o cipher-aes.o \
+@@ -180,6 +181,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o
+ ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
+ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
+
++ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
++ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
++
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+
+@@ -288,6 +292,7 @@ install-files:
+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
+ fi
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
++ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+diff --git a/ctr-cavstest.c b/ctr-cavstest.c
+new file mode 100644
+index 0000000..bbcbe8a
+--- /dev/null
++++ b/ctr-cavstest.c
@@ -0,0 +1,208 @@
+/*
+ *
@@ -103,7 +144,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+int main (int argc, char *argv[])
+{
+
-+ Cipher *c;
++ const Cipher *c;
+ CipherContext cc;
+ char *algo = "aes128-ctr";
+ char *hexkey = NULL;
@@ -194,7 +235,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ return 2;
+ }
+
-+ cipher_crypt(&cc, outdata, data, datalen, 0, 0);
++ cipher_crypt(&cc, 0, outdata, data, datalen, 0, 0);
+
+ free(data);
+
@@ -210,41 +251,3 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
+ return 0;
+}
+
-diff -up openssh-6.2p1/Makefile.in.ctr-cavs openssh-6.2p1/Makefile.in
---- openssh-6.2p1/Makefile.in.ctr-cavs 2013-03-25 21:35:52.451586280 +0100
-+++ openssh-6.2p1/Makefile.in 2013-03-25 21:37:14.956114584 +0100
-@@ -28,6 +28,7 @@ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
- SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
- SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
- SSH_KEYCAT=$(libexecdir)/ssh-keycat
-+CTR_CAVSTEST=$(libexecdir)/ctr-cavstest
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
- PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -65,7 +66,7 @@ EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
- INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT) ssh-keycat$(EXEEXT) ctr-cavstest$(EXEEXT)
-
- LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-aes.o \
-@@ -174,6 +175,9 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
- ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
- $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
-
-+ctr-cavstest$(EXEEXT): $(LIBCOMPAT) libssh.a ctr-cavstest.o
-+ $(LD) -o $@ ctr-cavstest.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
-+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
-
-@@ -281,6 +285,7 @@ install-files:
- $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
- fi
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-keycat$(EXEEXT) $(DESTDIR)$(libexecdir)/ssh-keycat$(EXEEXT)
-+ $(INSTALL) -m 0755 $(STRIP_OPT) ctr-cavstest$(EXEEXT) $(DESTDIR)$(libexecdir)/ctr-cavstest$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
diff --git a/openssh-6.2p1-entropy.patch b/openssh-6.6p1-entropy.patch
similarity index 70%
rename from openssh-6.2p1-entropy.patch
rename to openssh-6.6p1-entropy.patch
index 4553422..67bd30f 100644
--- a/openssh-6.2p1-entropy.patch
+++ b/openssh-6.6p1-entropy.patch
@@ -1,7 +1,8 @@
-diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
---- openssh-6.2p1/entropy.c.entropy 2013-03-25 19:31:42.737611051 +0100
-+++ openssh-6.2p1/entropy.c 2013-03-25 19:31:42.797611433 +0100
-@@ -237,6 +237,9 @@ seed_rng(void)
+diff --git a/entropy.c b/entropy.c
+index 2d483b3..b361a04 100644
+--- a/entropy.c
++++ b/entropy.c
+@@ -234,6 +234,9 @@ seed_rng(void)
memset(buf, '\0', sizeof(buf));
#endif /* OPENSSL_PRNG_ONLY */
@@ -11,21 +12,24 @@ diff -up openssh-6.2p1/entropy.c.entropy openssh-6.2p1/entropy.c
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
-diff -up openssh-6.2p1/openbsd-compat/Makefile.in.entropy openssh-6.2p1/openbsd-compat/Makefile.in
---- openssh-6.2p1/openbsd-compat/Makefile.in.entropy 2013-03-25 19:31:42.798611440 +0100
-+++ openssh-6.2p1/openbsd-compat/Makefile.in 2013-03-25 19:33:02.042116876 +0100
-@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
+diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
+index b912dbe..9206337 100644
+--- a/openbsd-compat/Makefile.in
++++ b/openbsd-compat/Makefile.in
+@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
- COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
--PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
-+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
+-PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
++PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-linux-prng.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/openbsd-compat/port-linux-prng.c
---- openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy 2013-03-25 19:31:42.798611440 +0100
-+++ openssh-6.2p1/openbsd-compat/port-linux-prng.c 2013-03-25 19:31:42.798611440 +0100
+diff --git a/openbsd-compat/port-linux-prng.c b/openbsd-compat/port-linux-prng.c
+new file mode 100644
+index 0000000..92a617c
+--- /dev/null
++++ b/openbsd-compat/port-linux-prng.c
@@ -0,0 +1,59 @@
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
+
@@ -86,9 +90,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux-prng.c.entropy openssh-6.2p1/op
+ fatal ("EOF reading %s", random);
+ }
+}
-diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
---- openssh-6.2p1/ssh-add.0.entropy 2013-03-22 00:38:29.000000000 +0100
-+++ openssh-6.2p1/ssh-add.0 2013-03-25 19:31:42.799611446 +0100
+diff --git a/ssh-add.0 b/ssh-add.0
+index ba43fee..0b2629a 100644
+--- a/ssh-add.0
++++ b/ssh-add.0
@@ -82,6 +82,16 @@ ENVIRONMENT
Identifies the path of a UNIX-domain socket used to communicate
with the agent.
@@ -106,10 +111,11 @@ diff -up openssh-6.2p1/ssh-add.0.entropy openssh-6.2p1/ssh-add.0
FILES
~/.ssh/identity
Contains the protocol version 1 RSA authentication identity of
-diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
---- openssh-6.2p1/ssh-add.1.entropy 2012-12-07 03:06:13.000000000 +0100
-+++ openssh-6.2p1/ssh-add.1 2013-03-25 19:31:42.799611446 +0100
-@@ -160,6 +160,20 @@ to make this work.)
+diff --git a/ssh-add.1 b/ssh-add.1
+index 4812448..16305bf 100644
+--- a/ssh-add.1
++++ b/ssh-add.1
+@@ -161,6 +161,20 @@ to make this work.)
Identifies the path of a
.Ux Ns -domain
socket used to communicate with the agent.
@@ -130,10 +136,11 @@ diff -up openssh-6.2p1/ssh-add.1.entropy openssh-6.2p1/ssh-add.1
.El
.Sh FILES
.Bl -tag -width Ds
-diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
---- openssh-6.2p1/ssh-agent.1.entropy 2010-12-01 01:50:35.000000000 +0100
-+++ openssh-6.2p1/ssh-agent.1 2013-03-25 19:31:42.800611452 +0100
-@@ -198,6 +198,24 @@ sockets used to contain the connection t
+diff --git a/ssh-agent.1 b/ssh-agent.1
+index 281ecbd..1a9a635 100644
+--- a/ssh-agent.1
++++ b/ssh-agent.1
+@@ -201,6 +201,24 @@ sockets used to contain the connection to the authentication agent.
These sockets should only be readable by the owner.
The sockets should get automatically removed when the agent exits.
.El
@@ -158,12 +165,13 @@ diff -up openssh-6.2p1/ssh-agent.1.entropy openssh-6.2p1/ssh-agent.1
.Sh SEE ALSO
.Xr ssh 1 ,
.Xr ssh-add 1 ,
-diff -up openssh-6.2p1/sshd.8.entropy openssh-6.2p1/sshd.8
---- openssh-6.2p1/sshd.8.entropy 2013-03-25 19:31:42.752611146 +0100
-+++ openssh-6.2p1/sshd.8 2013-03-25 19:31:42.800611452 +0100
-@@ -945,6 +945,24 @@ concurrently for different ports, this c
- started last).
- The content of this file is not sensitive; it can be world-readable.
+diff --git a/ssh-keygen.1 b/ssh-keygen.1
+index 12e00d4..1b51a4a 100644
+--- a/ssh-keygen.1
++++ b/ssh-keygen.1
+@@ -832,6 +832,24 @@ Contains Diffie-Hellman groups used for DH-GEX.
+ The file format is described in
+ .Xr moduli 5 .
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
@@ -183,15 +191,16 @@ diff -up openssh-6.2p1/sshd.8.entropy openssh-6.2p1/sshd.8
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
- .Sh IPV6
- IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
.Sh SEE ALSO
-diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
---- openssh-6.2p1/ssh-keygen.1.entropy 2013-01-20 12:35:06.000000000 +0100
-+++ openssh-6.2p1/ssh-keygen.1 2013-03-25 19:31:42.801611459 +0100
-@@ -806,6 +806,24 @@ Contains Diffie-Hellman groups used for
- The file format is described in
- .Xr moduli 5 .
+ .Xr ssh 1 ,
+ .Xr ssh-add 1 ,
+diff --git a/ssh-keysign.8 b/ssh-keysign.8
+index 69d0829..02d79f8 100644
+--- a/ssh-keysign.8
++++ b/ssh-keysign.8
+@@ -80,6 +80,24 @@ must be set-uid root if host-based authentication is used.
+ If these files exist they are assumed to contain public certificate
+ information corresponding with the private keys above.
.El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
@@ -213,18 +222,18 @@ diff -up openssh-6.2p1/ssh-keygen.1.entropy openssh-6.2p1/ssh-keygen.1
+.El
.Sh SEE ALSO
.Xr ssh 1 ,
- .Xr ssh-add 1 ,
-diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
---- openssh-6.2p1/ssh-keysign.8.entropy 2010-08-31 14:41:14.000000000 +0200
-+++ openssh-6.2p1/ssh-keysign.8 2013-03-25 19:31:42.801611459 +0100
-@@ -78,6 +78,24 @@ must be set-uid root if host-based authe
- If these files exist they are assumed to contain public certificate
- information corresponding with the private keys above.
- .El
+ .Xr ssh-keygen 1 ,
+diff --git a/ssh.1 b/ssh.1
+index 929904b..f65e42f 100644
+--- a/ssh.1
++++ b/ssh.1
+@@ -1309,6 +1309,23 @@ For more information, see the
+ .Cm PermitUserEnvironment
+ option in
+ .Xr sshd_config 5 .
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
-+.Pp
-+.It Pa SSH_USE_STRONG_RNG
++.It Ev SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
@@ -239,19 +248,21 @@ diff -up openssh-6.2p1/ssh-keysign.8.entropy openssh-6.2p1/ssh-keysign.8
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
- .Sh SEE ALSO
- .Xr ssh 1 ,
- .Xr ssh-keygen 1 ,
-diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
---- openssh-6.2p1/ssh.1.entropy 2013-03-25 19:31:42.752611146 +0100
-+++ openssh-6.2p1/ssh.1 2013-03-25 19:31:42.799611446 +0100
-@@ -1277,6 +1277,23 @@ For more information, see the
- .Cm PermitUserEnvironment
- option in
- .Xr sshd_config 5 .
+ .Sh FILES
+ .Bl -tag -width Ds -compact
+ .It Pa ~/.rhosts
+diff --git a/sshd.8 b/sshd.8
+index c2c237f..058d37a 100644
+--- a/sshd.8
++++ b/sshd.8
+@@ -951,6 +951,24 @@ concurrently for different ports, this contains the process ID of the one
+ started last).
+ The content of this file is not sensitive; it can be world-readable.
+ .El
+.Sh ENVIRONMENT
+.Bl -tag -width Ds -compact
-+.It Ev SSH_USE_STRONG_RNG
++.Pp
++.It Pa SSH_USE_STRONG_RNG
+The reseeding of the OpenSSL random generator is usually done from
+.Cm /dev/urandom .
+If the
@@ -266,6 +277,6 @@ diff -up openssh-6.2p1/ssh.1.entropy openssh-6.2p1/ssh.1
+random generator because insufficient entropy causes the connection to
+be blocked until enough entropy is available.
+.El
- .Sh FILES
- .Bl -tag -width Ds -compact
- .It Pa ~/.rhosts
+ .Sh IPV6
+ IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be escaped in shell.
+ .Sh SEE ALSO
diff --git a/openssh-6.3p1-fingerprint.patch b/openssh-6.6p1-fingerprint.patch
similarity index 78%
rename from openssh-6.3p1-fingerprint.patch
rename to openssh-6.6p1-fingerprint.patch
index b9cfbdb..c5332fb 100644
--- a/openssh-6.3p1-fingerprint.patch
+++ b/openssh-6.6p1-fingerprint.patch
@@ -1,7 +1,7 @@
-diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c
-diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
---- openssh-6.3p1/auth.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
-+++ openssh-6.3p1/auth.c 2013-10-07 15:42:05.243812405 +0200
+diff --git a/auth.c b/auth.c
+index 9a36f1d..420a85b 100644
+--- a/auth.c
++++ b/auth.c
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
case 1:
revoked:
@@ -15,10 +15,11 @@ diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
free(key_fp);
return 1;
}
-diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c
---- openssh-6.3p1/auth2-hostbased.c.fingerprint 2013-10-07 14:02:36.998968153 +0200
-+++ openssh-6.3p1/auth2-hostbased.c 2013-10-07 15:43:49.747355927 +0200
-@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw,
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index 488008f..eca0069 100644
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
+@@ -206,16 +206,18 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
if (host_status == HOST_OK) {
if (key_is_cert(key)) {
@@ -44,10 +45,11 @@ diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbas
}
free(fp);
}
-diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
---- openssh-6.3p1/auth2-pubkey.c.fingerprint 2013-07-18 08:10:10.000000000 +0200
-+++ openssh-6.3p1/auth2-pubkey.c 2013-10-07 15:50:44.617495624 +0200
-@@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file,
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 0fd27bb..749b11a 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -365,10 +365,10 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
continue;
if (!key_is_cert_authority)
continue;
@@ -62,7 +64,7 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
/*
* If the user has specified a list of principals as
* a key option, then prefer that list to matching
-@@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file,
+@@ -406,9 +406,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
if (key_is_cert_authority)
continue;
found_key = 1;
@@ -75,7 +77,7 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
free(fp);
break;
}
-@@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -431,13 +431,13 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
return 0;
@@ -93,10 +95,11 @@ diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
options.trusted_user_ca_keys);
goto out;
}
-diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
---- openssh-6.3p1/key.c.fingerprint 2013-10-07 14:02:36.971968285 +0200
-+++ openssh-6.3p1/key.c 2013-10-07 14:02:36.999968148 +0200
-@@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty
+diff --git a/key.c b/key.c
+index 168e1b7..eb98ea8 100644
+--- a/key.c
++++ b/key.c
+@@ -628,6 +628,34 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
return retval;
}
@@ -131,10 +134,11 @@ diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
/*
* Reads a multiple-precision integer in decimal from the buffer, and advances
* the pointer. The integer must already be initialized. This function is
-diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
---- openssh-6.3p1/key.h.fingerprint 2013-10-07 14:02:36.999968148 +0200
-+++ openssh-6.3p1/key.h 2013-10-07 15:44:17.574233450 +0200
-@@ -97,6 +97,9 @@ int key_equal_public(const Key *, cons
+diff --git a/key.h b/key.h
+index d8ad13d..0e3eea5 100644
+--- a/key.h
++++ b/key.h
+@@ -104,6 +104,9 @@ int key_equal_public(const Key *, const Key *);
int key_equal(const Key *, const Key *);
char *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
u_char *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
@@ -144,10 +148,11 @@ diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
const char *key_type(const Key *);
const char *key_cert_type(const Key *);
int key_write(const Key *, FILE *);
-diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
---- openssh-6.3p1/ssh-add.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
-+++ openssh-6.3p1/ssh-add.c 2013-10-07 14:44:57.466515766 +0200
-@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
+diff --git a/ssh-add.c b/ssh-add.c
+index 3421452..691949f 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -330,10 +330,10 @@ list_identities(AuthenticationConnection *ac, int do_fp)
key = ssh_get_next_identity(ac, &comment, version)) {
had_identities = 1;
if (do_fp) {
@@ -162,9 +167,10 @@ diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
free(fp);
} else {
if (!key_write(key, stdout))
-diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
---- openssh-6.3p1/ssh-agent.c.fingerprint 2013-10-07 14:02:37.000968143 +0200
-+++ openssh-6.3p1/ssh-agent.c 2013-10-07 15:41:11.627044336 +0200
+diff --git a/ssh-agent.c b/ssh-agent.c
+index ba24612..117fdde 100644
+--- a/ssh-agent.c
++++ b/ssh-agent.c
@@ -198,9 +198,9 @@ confirm_key(Identity *id)
char *p;
int ret = -1;
@@ -178,10 +184,11 @@ diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
ret = 0;
free(p);
-diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
---- openssh-6.3p1/ssh-keygen.c.fingerprint 2013-07-20 05:22:32.000000000 +0200
-+++ openssh-6.3p1/ssh-keygen.c 2013-10-07 14:25:52.864145038 +0200
-@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
+diff --git a/ssh-keygen.c b/ssh-keygen.c
+index 2a316bc..482dc1c 100644
+--- a/ssh-keygen.c
++++ b/ssh-keygen.c
+@@ -783,13 +783,14 @@ do_fingerprint(struct passwd *pw)
{
FILE *f;
Key *public;
@@ -198,7 +205,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
if (!have_identity)
-@@ -785,8 +786,8 @@ do_fingerprint(struct passwd *pw)
+@@ -801,8 +802,8 @@ do_fingerprint(struct passwd *pw)
public = key_load_public(identity_file, &comment);
if (public != NULL) {
fp = key_fingerprint(public, fptype, rep);
@@ -209,7 +216,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
-@@ -851,8 +852,8 @@ do_fingerprint(struct passwd *pw)
+@@ -867,8 +868,8 @@ do_fingerprint(struct passwd *pw)
}
comment = *cp ? cp : comment;
fp = key_fingerprint(public, fptype, rep);
@@ -220,7 +227,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
comment ? comment : "no comment", key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
-@@ -970,13 +971,15 @@ printhost(FILE *f, const char *name, Key
+@@ -986,13 +987,15 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
if (print_fingerprint) {
enum fp_rep rep;
enum fp_type fptype;
@@ -240,7 +247,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
key_type(public));
if (log_level >= SYSLOG_LEVEL_VERBOSE)
printf("%s\n", ra);
-@@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw)
+@@ -1878,16 +1881,17 @@ do_show_cert(struct passwd *pw)
fatal("%s is not a certificate", identity_file);
v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
@@ -264,7 +271,7 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
printf(" Key ID: \"%s\"\n", key->cert->key_id);
if (!v00) {
printf(" Serial: %llu\n",
-@@ -2655,13 +2659,12 @@ passphrase_again:
+@@ -2686,13 +2690,12 @@ passphrase_again:
fclose(f);
if (!quiet) {
@@ -281,10 +288,11 @@ diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
printf("The key's randomart image is:\n");
printf("%s\n", ra);
free(ra);
-diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
---- openssh-6.3p1/sshconnect.c.fingerprint 2013-06-01 23:31:19.000000000 +0200
-+++ openssh-6.3p1/sshconnect.c 2013-10-07 14:43:54.859822036 +0200
-@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so
+diff --git a/sshconnect.c b/sshconnect.c
+index 573d7a8..394cca8 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -914,10 +914,10 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
"key for IP address '%.128s' to the list "
"of known hosts.", type, ip);
} else if (options.visual_host_key) {
@@ -299,7 +307,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
free(ra);
free(fp);
}
-@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so
+@@ -955,9 +955,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
else
snprintf(msg1, sizeof(msg1), ".");
/* The default */
@@ -311,7 +319,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
msg2[0] = '\0';
if (options.verify_host_key_dns) {
if (matching_host_key_dns)
-@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so
+@@ -972,10 +971,11 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
snprintf(msg, sizeof(msg),
"The authenticity of host '%.200s (%s)' can't be "
"established%s\n"
@@ -325,7 +333,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
options.visual_host_key ? "\n" : "",
options.visual_host_key ? ra : "",
msg2);
-@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka
+@@ -1220,8 +1220,9 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
int flags = 0;
char *fp;
@@ -337,7 +345,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
free(fp);
/* XXX certs are not yet supported for DNS */
-@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey
+@@ -1327,14 +1328,15 @@ show_other_keys(struct hostkeys *hostkeys, Key *key)
continue;
if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
continue;
@@ -357,7 +365,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
if (options.visual_host_key)
logit("%s", ra);
free(ra);
-@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key)
+@@ -1349,7 +1351,7 @@ warn_changed_key(Key *host_key)
{
char *fp;
@@ -366,7 +374,7 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
error("@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @");
-@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key)
+@@ -1357,8 +1359,8 @@ warn_changed_key(Key *host_key)
error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
error("It is also possible that a host key has just been changed.");
@@ -377,10 +385,11 @@ diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
error("Please contact your system administrator.");
free(fp);
-diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
---- openssh-6.3p1/sshconnect2.c.fingerprint 2013-10-07 14:02:37.001968139 +0200
-+++ openssh-6.3p1/sshconnect2.c 2013-10-07 15:20:09.403234714 +0200
-@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
+diff --git a/sshconnect2.c b/sshconnect2.c
+index 7f4ff41..adbbfc7 100644
+--- a/sshconnect2.c
++++ b/sshconnect2.c
+@@ -577,8 +577,9 @@ input_userauth_pk_ok(int type, u_int32_t seq, void *ctxt)
key->type, pktype);
goto done;
}
@@ -392,7 +401,7 @@ diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
free(fp);
/*
-@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
+@@ -986,8 +987,9 @@ sign_and_send_pubkey(Authctxt *authctxt, Identity *id)
int have_sig = 1;
char *fp;
diff --git a/openssh-6.3p1-keycat.patch b/openssh-6.6p1-keycat.patch
similarity index 72%
rename from openssh-6.3p1-keycat.patch
rename to openssh-6.6p1-keycat.patch
index 6105d09..d30dedb 100644
--- a/openssh-6.3p1-keycat.patch
+++ b/openssh-6.6p1-keycat.patch
@@ -1,6 +1,8 @@
-diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
---- openssh-6.3p1/HOWTO.ssh-keycat.keycat 2013-10-10 15:16:33.445566916 +0200
-+++ openssh-6.3p1/HOWTO.ssh-keycat 2013-10-10 15:16:33.445566916 +0200
+diff --git a/HOWTO.ssh-keycat b/HOWTO.ssh-keycat
+new file mode 100644
+index 0000000..630ec62
+--- /dev/null
++++ b/HOWTO.ssh-keycat
@@ -0,0 +1,12 @@
+The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
+of an user in any environment. This includes environments with
@@ -14,9 +16,10 @@ diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
+ PubkeyAuthentication yes
+
+
-diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
---- openssh-6.3p1/Makefile.in.keycat 2013-10-10 15:16:33.442566930 +0200
-+++ openssh-6.3p1/Makefile.in 2013-10-10 15:16:33.445566916 +0200
+diff --git a/Makefile.in b/Makefile.in
+index 411eadb..4ab6717 100644
+--- a/Makefile.in
++++ b/Makefile.in
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
SSH_KEYSIGN=$(libexecdir)/ssh-keysign
SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@@ -34,17 +37,17 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \
-@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+@@ -176,6 +177,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11
ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-+ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keycat.o
-+ $(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
++ssh-keycat$(EXEEXT): $(LIBCOMPAT) $(SSHDOBJS) libssh.a ssh-keycat.o
++ $(LD) -o $@ ssh-keycat.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(SSHLIBS)
+
ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -279,6 +283,7 @@ install-files:
+@@ -283,6 +287,7 @@ install-files:
$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
fi
@@ -52,15 +55,16 @@ diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
---- openssh-6.3p1/auth2-pubkey.c.keycat 2013-10-10 15:16:33.429566992 +0200
-+++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 15:16:33.445566916 +0200
-@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index c0ae0d4..cb0f931 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -600,6 +600,14 @@ user_key_command_allowed2(struct passwd *user_pw, Key *key)
_exit(1);
}
+#ifdef WITH_SELINUX
-+ if (ssh_selinux_setup_env_variables() < 0) {
++ if (sshd_selinux_setup_env_variables() < 0) {
+ error ("failed to copy environment: %s",
+ strerror(errno));
+ _exit(127);
@@ -70,19 +74,41 @@ diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
execl(options.authorized_keys_command,
options.authorized_keys_command, user_pw->pw_name, NULL);
-diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c
---- openssh-6.3p1/openbsd-compat/port-linux.c.keycat 2013-10-10 15:16:33.435566964 +0200
-+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:32:19.946065189 +0200
-@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
+diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+index d04f4ed..0077dd7 100644
+--- a/openbsd-compat/port-linux-sshd.c
++++ b/openbsd-compat/port-linux-sshd.c
+@@ -53,6 +53,20 @@ extern Authctxt *the_authctxt;
+ extern int inetd_flag;
+ extern int rexeced_flag;
+
++/* Wrapper around is_selinux_enabled() to log its return value once only */
++int
++sshd_selinux_enabled(void)
++{
++ static int enabled = -1;
++
++ if (enabled == -1) {
++ enabled = (is_selinux_enabled() == 1);
++ debug("SELinux support %s", enabled ? "enabled" : "disabled");
++ }
++
++ return (enabled);
++}
++
+ /* Send audit message */
+ static int
+ sshd_selinux_send_audit_message(int success, security_context_t default_context,
+@@ -307,7 +321,7 @@ sshd_selinux_getctxbyname(char *pwname,
/* Setup environment variables for pam_selinux */
static int
--ssh_selinux_setup_pam_variables(void)
-+ssh_selinux_setup_variables(int(*set_it)(const char *, const char *))
+-sshd_selinux_setup_pam_variables(void)
++sshd_selinux_setup_variables(int(*set_it)(char *, const char *))
{
const char *reqlvl;
char *role;
-@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)
+@@ -318,16 +332,16 @@ sshd_selinux_setup_pam_variables(void)
ssh_selinux_get_role_level(&role, &reqlvl);
@@ -102,34 +128,82 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-
if (role != NULL)
free(role);
-@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)
+@@ -335,6 +349,24 @@ sshd_selinux_setup_pam_variables(void)
return rv;
}
+static int
-+ssh_selinux_setup_pam_variables(void)
++sshd_selinux_setup_pam_variables(void)
+{
-+ return ssh_selinux_setup_variables(do_pam_putenv);
++ return sshd_selinux_setup_variables(do_pam_putenv);
+}
+
+static int
-+do_setenv(char *name, char *value)
++do_setenv(char *name, const char *value)
+{
+ return setenv(name, value, 1);
+}
+
+int
-+ssh_selinux_setup_env_variables(void)
++sshd_selinux_setup_env_variables(void)
+{
-+ return ssh_selinux_setup_variables(do_setenv);
++ return sshd_selinux_setup_variables(do_setenv);
+}
+
/* Set the execution context to the default for the specified user */
void
- ssh_selinux_setup_exec_context(char *pwname)
-diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c
---- openssh-6.3p1/ssh-keycat.c.keycat 2013-10-10 15:16:33.446566911 +0200
-+++ openssh-6.3p1/ssh-keycat.c 2013-10-10 15:16:33.446566911 +0200
+ sshd_selinux_setup_exec_context(char *pwname)
+@@ -343,7 +375,7 @@ sshd_selinux_setup_exec_context(char *pwname)
+ int r = 0;
+ security_context_t default_ctx = NULL;
+
+- if (!ssh_selinux_enabled())
++ if (!sshd_selinux_enabled())
+ return;
+
+ if (options.use_pam) {
+@@ -414,7 +446,7 @@ sshd_selinux_copy_context(void)
+ {
+ security_context_t *ctx;
+
+- if (!ssh_selinux_enabled())
++ if (!sshd_selinux_enabled())
+ return;
+
+ if (getexeccon((security_context_t *)&ctx) != 0) {
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index b18893c..cb51f99 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -25,8 +25,10 @@ void ssh_selinux_setup_pty(char *, const char *);
+ void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
+
++int sshd_selinux_enabled(void);
+ void sshd_selinux_copy_context(void);
+ void sshd_selinux_setup_exec_context(char *);
++int sshd_selinux_setup_env_variables(void);
+ #endif
+
+ #ifdef LINUX_OOM_ADJUST
+diff --git a/platform.c b/platform.c
+index 0d39ab2..0dae387 100644
+--- a/platform.c
++++ b/platform.c
+@@ -102,7 +102,7 @@ platform_setusercontext(struct passwd *pw)
+ {
+ #ifdef WITH_SELINUX
+ /* Cache selinux status for later use */
+- (void)ssh_selinux_enabled();
++ (void)sshd_selinux_enabled();
+ #endif
+
+ #ifdef USE_SOLARIS_PROJECTS
+diff --git a/ssh-keycat.c b/ssh-keycat.c
+new file mode 100644
+index 0000000..f8ed7af
+--- /dev/null
++++ b/ssh-keycat.c
@@ -0,0 +1,238 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
diff --git a/openssh-5.8p1-keyperm.patch b/openssh-6.6p1-keyperm.patch
similarity index 56%
rename from openssh-5.8p1-keyperm.patch
rename to openssh-6.6p1-keyperm.patch
index 6167c14..fccb328 100644
--- a/openssh-5.8p1-keyperm.patch
+++ b/openssh-6.6p1-keyperm.patch
@@ -1,15 +1,15 @@
-diff -up openssh-5.8p1/authfile.c.keyperm openssh-5.8p1/authfile.c
---- openssh-5.8p1/authfile.c.keyperm 2010-12-01 02:03:39.000000000 +0100
-+++ openssh-5.8p1/authfile.c 2011-04-21 16:43:36.859648916 +0200
-@@ -57,6 +57,7 @@
- #include <stdlib.h>
- #include <string.h>
- #include <unistd.h>
-+#include <grp.h>
+diff -up openssh-6.6p1/authfile.c.keyperm openssh-6.6p1/authfile.c
+--- openssh-6.6p1/authfile.c.keyperm 2014-02-04 01:20:15.000000000 +0100
++++ openssh-6.6p1/authfile.c 2014-05-05 15:20:43.075246776 +0200
+@@ -54,6 +54,7 @@
- #include "xmalloc.h"
- #include "cipher.h"
-@@ -600,6 +612,13 @@ key_perm_ok(int fd, const char *filename
+ #include <errno.h>
+ #include <fcntl.h>
++#include <grp.h>
+ #include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+@@ -979,6 +980,13 @@ key_perm_ok(int fd, const char *filename
#ifdef HAVE_CYGWIN
if (check_ntsec(filename))
#endif
diff --git a/openssh-6.3p1-ldap.patch b/openssh-6.6p1-ldap.patch
similarity index 95%
rename from openssh-6.3p1-ldap.patch
rename to openssh-6.6p1-ldap.patch
index 052973c..961cdf5 100644
--- a/openssh-6.3p1-ldap.patch
+++ b/openssh-6.6p1-ldap.patch
@@ -1,116 +1,8 @@
-diff -up openssh-6.2p1/configure.ac.ldap openssh-6.2p1/configure.ac
---- openssh-6.2p1/configure.ac.ldap 2013-03-20 02:55:15.000000000 +0100
-+++ openssh-6.2p1/configure.ac 2013-03-25 21:27:15.888248071 +0100
-@@ -1509,6 +1509,106 @@ AC_ARG_WITH([audit],
- esac ]
- )
-
-+# Check whether user wants LDAP support
-+LDAP_MSG="no"
-+INSTALL_SSH_LDAP_HELPER=""
-+AC_ARG_WITH(ldap,
-+ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
-+ [
-+ if test "x$withval" != "xno" ; then
-+
-+ INSTALL_SSH_LDAP_HELPER="yes"
-+ CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
-+
-+ if test "x$withval" != "xyes" ; then
-+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
-+ LDFLAGS="$LDFLAGS -L${withval}/lib"
-+ fi
-+
-+ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
-+ LDAP_MSG="yes"
-+
-+ AC_CHECK_HEADERS(lber.h)
-+ AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
-+ AC_CHECK_HEADERS(ldap_ssl.h)
-+
-+ AC_ARG_WITH(ldap-lib,
-+ [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
-+
-+ if test -z "$with_ldap_lib"; then
-+ with_ldap_lib=auto
-+ fi
-+
-+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
-+ AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
-+ AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
-+ fi
-+
-+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
-+ AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
-+ fi
-+
-+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
-+ AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
-+ if test -z "$found_ldap_lib"; then
-+ AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
-+ fi
-+ if test -z "$found_ldap_lib"; then
-+ AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
-+ fi
-+ if test -z "$found_ldap_lib"; then
-+ AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
-+ fi
-+ fi
-+
-+ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
-+ AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
-+ fi
-+
-+ if test -z "$found_ldap_lib"; then
-+ AC_MSG_ERROR(could not locate a valid LDAP library)
-+ fi
-+
-+ AC_MSG_CHECKING([for working LDAP support])
-+ AC_TRY_COMPILE(
-+ [#include <sys/types.h>
-+ #include <ldap.h>],
-+ [(void)ldap_init(0, 0);],
-+ [AC_MSG_RESULT(yes)],
-+ [
-+ AC_MSG_RESULT(no)
-+ AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
-+ ])
-+ AC_CHECK_FUNCS( \
-+ ldap_init \
-+ ldap_get_lderrno \
-+ ldap_set_lderrno \
-+ ldap_parse_result \
-+ ldap_memfree \
-+ ldap_controls_free \
-+ ldap_set_option \
-+ ldap_get_option \
-+ ldapssl_init \
-+ ldap_start_tls_s \
-+ ldap_pvt_tls_set_option \
-+ ldap_initialize \
-+ )
-+ AC_CHECK_FUNCS(ldap_set_rebind_proc,
-+ AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
-+ AC_TRY_COMPILE(
-+ [#include <lber.h>
-+ #include <ldap.h>],
-+ [ldap_set_rebind_proc(0, 0, 0);],
-+ [ac_cv_ldap_set_rebind_proc=3],
-+ [ac_cv_ldap_set_rebind_proc=2])
-+ AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
-+ AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
-+ )
-+ fi
-+ ]
-+)
-+AC_SUBST(INSTALL_SSH_LDAP_HELPER)
-+
- dnl Checks for library functions. Please keep in alphabetical order
- AC_CHECK_FUNCS([ \
- arc4random \
-diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys
---- openssh-6.2p1/HOWTO.ldap-keys.ldap 2013-03-25 21:27:15.889248078 +0100
-+++ openssh-6.2p1/HOWTO.ldap-keys 2013-03-25 21:27:15.889248078 +0100
+diff --git a/HOWTO.ldap-keys b/HOWTO.ldap-keys
+new file mode 100644
+index 0000000..dd5f5cc
+--- /dev/null
++++ b/HOWTO.ldap-keys
@@ -0,0 +1,108 @@
+
+HOW TO START
@@ -220,509 +112,383 @@ diff -up openssh-6.2p1/HOWTO.ldap-keys.ldap openssh-6.2p1/HOWTO.ldap-keys
+5) Author
+ Jan F. Chadima <jchadima at redhat.com>
+
-diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
---- openssh-6.2p1/ldapbody.c.ldap 2013-03-25 21:27:15.889248078 +0100
-+++ openssh-6.2p1/ldapbody.c 2013-03-25 21:27:15.889248078 +0100
-@@ -0,0 +1,494 @@
-+/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
-+/*
-+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "ldapincludes.h"
-+#include "log.h"
-+#include "xmalloc.h"
-+#include "ldapconf.h"
-+#include "ldapmisc.h"
-+#include "ldapbody.h"
-+#include <stdio.h>
-+#include <unistd.h>
+diff --git a/Makefile.in b/Makefile.in
+index 28a8ec4..411eadb 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
+ ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
+ SFTP_SERVER=$(libexecdir)/sftp-server
+ SSH_KEYSIGN=$(libexecdir)/ssh-keysign
++SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
++SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
+ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
+ PRIVSEP_PATH=@PRIVSEP_PATH@
+ SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
+@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@
+ LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
+ EXEEXT=@EXEEXT@
+ MANFMT=@MANFMT@
++INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
+
+-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
++TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
+
+ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+ canohost.o channels.o cipher.o cipher-aes.o \
+@@ -98,8 +101,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+ sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
+ sandbox-seccomp-filter.o sandbox-capsicum.o
+
+-MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
+-MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
++MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap-helper.8.out ssh-ldap.conf.5.out
++MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5 ssh-ldap-helper.8 ssh-ldap.conf.5
+ MANTYPE = @MANTYPE@
+
+ CONFIGFILES=sshd_config.out ssh_config.out moduli.out
+@@ -170,6 +173,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readco
+ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
+ $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
++ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
++ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
+
-+#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
-+#define PUBKEYATTR "sshPublicKey"
-+#define LDAP_LOGFILE "%s/ldap.%d"
+ ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
+ $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+
+@@ -273,6 +279,10 @@ install-files:
+ $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
+ $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
++ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
++ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
++ fi
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
+ $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+@@ -289,6 +299,10 @@ install-files:
+ $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+ $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+ $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
++ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
++ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
++ fi
+ -rm -f $(DESTDIR)$(bindir)/slogin
+ ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+@@ -318,6 +332,13 @@ install-sysconf:
+ else \
+ echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
+ fi
++ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
++ if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
++ $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
++ else \
++ echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
++ fi ; \
++ fi
+
+ host-key: ssh-keygen$(EXEEXT)
+ @if [ -z "$(DESTDIR)" ] ; then \
+@@ -381,6 +402,8 @@ uninstall:
+ -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+ -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
++ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
++ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
+@@ -392,6 +415,7 @@ uninstall:
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
++ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
+
+ regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
+diff --git a/configure.ac b/configure.ac
+index 7c6ce08..722a19e 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1625,6 +1625,106 @@ if test "x$use_pie" != "xno"; then
+ fi
+ fi
+
++# Check whether user wants LDAP support
++LDAP_MSG="no"
++INSTALL_SSH_LDAP_HELPER=""
++AC_ARG_WITH(ldap,
++ [ --with-ldap[[=PATH]] Enable LDAP pubkey support (optionally in PATH)],
++ [
++ if test "x$withval" != "xno" ; then
+
-+static FILE *logfile = NULL;
-+static LDAP *ld;
++ INSTALL_SSH_LDAP_HELPER="yes"
++ CPPFLAGS="$CPPFLAGS -DLDAP_DEPRECATED"
+
-+static char *attrs[] = {
-+ PUBKEYATTR,
-+ NULL
-+};
++ if test "x$withval" != "xyes" ; then
++ CPPFLAGS="$CPPFLAGS -I${withval}/include"
++ LDFLAGS="$LDFLAGS -L${withval}/lib"
++ fi
+
-+void
-+ldap_checkconfig (void)
-+{
-+#ifdef HAVE_LDAP_INITIALIZE
-+ if (options.host == NULL && options.uri == NULL)
-+#else
-+ if (options.host == NULL)
-+#endif
-+ fatal ("missing \"host\" in config file");
-+}
++ AC_DEFINE([WITH_LDAP_PUBKEY], 1, [Enable LDAP pubkey support])
++ LDAP_MSG="yes"
+
-+#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
-+static int
-+_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
-+{
-+ struct timeval timeout;
-+ int rc;
-+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
-+ LDAPMessage *result;
-+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
-+
-+ debug2 ("Doing LDAP rebind to %s", options.binddn);
-+ if (options.ssl == SSL_START_TLS) {
-+ if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
-+ error ("ldap_starttls_s: %s", ldap_err2string (rc));
-+ return LDAP_OPERATIONS_ERROR;
-+ }
-+ }
-+
-+#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
-+ return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
-+#else
-+ if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
-+ fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
-+
-+ timeout.tv_sec = options.bind_timelimit;
-+ timeout.tv_usec = 0;
-+ result = NULL;
-+ if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
-+ error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
-+ ldap_msgfree (result);
-+ return LDAP_OPERATIONS_ERROR;
-+ }
-+ debug3 ("LDAP rebind to %s succesfull", options.binddn);
-+ return rc;
-+#endif
-+}
-+#else
-+
-+static int
-+_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
-+{
-+ if (freeit)
-+ return LDAP_SUCCESS;
-+
-+ *whop = strdup (options.binddn);
-+ *credp = strdup (options.bindpw);
-+ *methodp = LDAP_AUTH_SIMPLE;
-+ debug2 ("Doing LDAP rebind for %s", *whop);
-+ return LDAP_SUCCESS;
-+}
-+#endif
-+
-+void
-+ldap_do_connect(void)
-+{
-+ int rc, msgid, ld_errno = 0;
-+ struct timeval timeout;
-+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
-+ int parserc;
-+ LDAPMessage *result;
-+ LDAPControl **controls;
-+ int reconnect = 0;
-+#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
-+
-+ debug ("LDAP do connect");
-+
-+retry:
-+ if (reconnect) {
-+ debug3 ("Reconnecting with ld_errno %d", ld_errno);
-+ if (options.bind_policy == 0 ||
-+ (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
-+ reconnect > 5)
-+ fatal ("Cannot connect to LDAP server");
-+
-+ if (reconnect > 1)
-+ sleep (reconnect - 1);
-+
-+ if (ld != NULL) {
-+ ldap_unbind (ld);
-+ ld = NULL;
-+ }
-+ logit("reconnecting to LDAP server...");
-+ }
-+
-+ if (ld == NULL) {
-+ int rc;
-+ struct timeval tv;
-+
-+#ifdef HAVE_LDAP_SET_OPTION
-+ if (options.debug > 0) {
-+#ifdef LBER_OPT_LOG_PRINT_FILE
-+ if (options.logdir) {
-+ char *logfilename;
-+ int logfilenamelen;
-+
-+ logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
-+ logfilename = xmalloc (logfilenamelen);
-+ snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
-+ logfilename[logfilenamelen - 1] = 0;
-+ if ((logfile = fopen (logfilename, "a")) == NULL)
-+ fatal ("cannot append to %s: %s", logfilename, strerror (errno));
-+ debug3 ("LDAP debug into %s", logfilename);
-+ free (logfilename);
-+ ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
-+ }
-+#endif
-+ if (options.debug) {
-+#ifdef LBER_OPT_DEBUG_LEVEL
-+ ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
-+#endif /* LBER_OPT_DEBUG_LEVEL */
-+#ifdef LDAP_OPT_DEBUG_LEVEL
-+ (void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
-+#endif /* LDAP_OPT_DEBUG_LEVEL */
-+ debug3 ("Set LDAP debug to %d", options.debug);
-+ }
-+ }
-+#endif /* HAVE_LDAP_SET_OPTION */
-+
-+ ld = NULL;
-+#ifdef HAVE_LDAPSSL_INIT
-+ if (options.host != NULL) {
-+ if (options.ssl_on == SSL_LDAPS) {
-+ if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
-+ fatal ("ldapssl_client_init %s", ldap_err2string (rc));
-+ debug3 ("LDAPssl client init");
-+ }
-+
-+ if (options.ssl_on != SSL_OFF) {
-+ if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
-+ fatal ("ldapssl_init failed");
-+ debug3 ("LDAPssl init");
-+ }
-+ }
-+#endif /* HAVE_LDAPSSL_INIT */
-+
-+ /* continue with opening */
-+ if (ld == NULL) {
-+#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
-+ /* Some global TLS-specific options need to be set before we create our
-+ * session context, so we set them here. */
-+
-+#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
-+ /* rand file */
-+ if (options.tls_randfile != NULL) {
-+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
-+ options.tls_randfile)) != LDAP_SUCCESS)
-+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
-+ ldap_err2string (rc));
-+ debug3 ("Set TLS random file %s", options.tls_randfile);
-+ }
-+#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
-+
-+ /* ca cert file */
-+ if (options.tls_cacertfile != NULL) {
-+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
-+ options.tls_cacertfile)) != LDAP_SUCCESS)
-+ error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
-+ ldap_err2string (rc));
-+ debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
-+ }
-+
-+ /* ca cert directory */
-+ if (options.tls_cacertdir != NULL) {
-+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
-+ options.tls_cacertdir)) != LDAP_SUCCESS)
-+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
-+ ldap_err2string (rc));
-+ debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
-+ }
-+
-+ /* require cert? */
-+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
-+ &options.tls_checkpeer)) != LDAP_SUCCESS)
-+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
-+ ldap_err2string (rc));
-+ debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
-+
-+ /* set cipher suite, certificate and private key: */
-+ if (options.tls_ciphers != NULL) {
-+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
-+ options.tls_ciphers)) != LDAP_SUCCESS)
-+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
-+ ldap_err2string (rc));
-+ debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
-+ }
-+
-+ /* cert file */
-+ if (options.tls_cert != NULL) {
-+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
-+ options.tls_cert)) != LDAP_SUCCESS)
-+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
-+ ldap_err2string (rc));
-+ debug3 ("Set TLS cert file %s ", options.tls_cert);
-+ }
-+
-+ /* key file */
-+ if (options.tls_key != NULL) {
-+ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
-+ options.tls_key)) != LDAP_SUCCESS)
-+ fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
-+ ldap_err2string (rc));
-+ debug3 ("Set TLS key file %s ", options.tls_key);
-+ }
-+#endif
-+#ifdef HAVE_LDAP_INITIALIZE
-+ if (options.uri != NULL) {
-+ if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
-+ fatal ("ldap_initialize %s", ldap_err2string (rc));
-+ debug3 ("LDAP initialize %s", options.uri);
-+ }
-+ }
-+#endif /* HAVE_LDAP_INTITIALIZE */
-+
-+ /* continue with opening */
-+ if ((ld == NULL) && (options.host != NULL)) {
-+#ifdef HAVE_LDAP_INIT
-+ if ((ld = ldap_init (options.host, options.port)) == NULL)
-+ fatal ("ldap_init failed");
-+ debug3 ("LDAP init %s:%d", options.host, options.port);
-+#else
-+ if ((ld = ldap_open (options.host, options.port)) == NULL)
-+ fatal ("ldap_open failed");
-+ debug3 ("LDAP open %s:%d", options.host, options.port);
-+#endif /* HAVE_LDAP_INIT */
-+ }
-+
-+ if (ld == NULL)
-+ fatal ("no way to open ldap");
-+
-+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
-+ if (options.ssl == SSL_LDAPS) {
-+ if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
-+ fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
-+ debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
-+ }
-+#endif /* LDAP_OPT_X_TLS */
++ AC_CHECK_HEADERS(lber.h)
++ AC_CHECK_HEADERS(ldap.h, , AC_MSG_ERROR(could not locate <ldap.h>))
++ AC_CHECK_HEADERS(ldap_ssl.h)
+
-+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
-+ (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
-+ &options.ldap_version);
-+#else
-+ ld->ld_version = options.ldap_version;
-+#endif
-+ debug3 ("LDAP set version to %d", options.ldap_version);
++ AC_ARG_WITH(ldap-lib,
++ [ --with-ldap-lib=type select ldap library [auto|netscape5|netscape4|netscape3|umich|openldap]])
+
-+#if LDAP_SET_REBIND_PROC_ARGS == 3
-+ ldap_set_rebind_proc (ld, _rebind_proc, NULL);
-+#elif LDAP_SET_REBIND_PROC_ARGS == 2
-+ ldap_set_rebind_proc (ld, _rebind_proc);
-+#else
-+#warning unknown LDAP_SET_REBIND_PROC_ARGS
-+#endif
-+ debug3 ("LDAP set rebind proc");
++ if test -z "$with_ldap_lib"; then
++ with_ldap_lib=auto
++ fi
+
-+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
-+ (void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
-+#else
-+ ld->ld_deref = options.deref;
-+#endif
-+ debug3 ("LDAP set deref to %d", options.deref);
++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = umich -o $with_ldap_lib = openldap \); then
++ AC_CHECK_LIB(lber, main, LIBS="-llber $LIBS" found_ldap_lib=yes)
++ AC_CHECK_LIB(ldap, main, LIBS="-lldap $LIBS" found_ldap_lib=yes)
++ fi
+
-+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
-+ (void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
-+ &options.timelimit);
-+#else
-+ ld->ld_timelimit = options.timelimit;
-+#endif
-+ debug3 ("LDAP set timelimit to %d", options.timelimit);
++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape5 \); then
++ AC_CHECK_LIB(ldap50, main, LIBS="-lldap50 -lssldap50 -lssl3 -lnss3 -lnspr4 -lprldap50 -lplc4 -lplds4 $LIBS" found_ldap_lib=yes)
++ fi
+
-+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
-+ /*
-+ * This is a new option in the Netscape SDK which sets
-+ * the TCP connect timeout. For want of a better value,
-+ * we use the bind_timelimit to control this.
-+ */
-+ timeout = options.bind_timelimit * 1000;
-+ (void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
-+ debug3 ("LDAP set opt connect timeout to %d", timeout);
-+#endif
++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape4 \); then
++ AC_CHECK_LIB(ldapssl41, main, LIBS="-lldapssl41 -lplc3 -lplds3 -lnspr3 $LIBS" found_ldap_lib=yes)
++ if test -z "$found_ldap_lib"; then
++ AC_CHECK_LIB(ldapssl40, main, LIBS="-lldapssl40 $LIBS" found_ldap_lib=yes)
++ fi
++ if test -z "$found_ldap_lib"; then
++ AC_CHECK_LIB(ldap41, main, LIBS="-lldap41 $LIBS" found_ldap_lib=yes)
++ fi
++ if test -z "$found_ldap_lib"; then
++ AC_CHECK_LIB(ldap40, main, LIBS="-lldap40 $LIBS" found_ldap_lib=yes)
++ fi
++ fi
+
-+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
-+ tv.tv_sec = options.bind_timelimit;
-+ tv.tv_usec = 0;
-+ (void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
-+ debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
-+#endif
++ if test -z "$found_ldap_lib" -a \( $with_ldap_lib = auto -o $with_ldap_lib = netscape3 \); then
++ AC_CHECK_LIB(ldapssl30, main, LIBS="-lldapssl30 $LIBS" found_ldap_lib=yes)
++ fi
+
-+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
-+ (void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
-+ options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
-+ debug3 ("LDAP set referrals to %d", options.referrals);
-+#endif
++ if test -z "$found_ldap_lib"; then
++ AC_MSG_ERROR(could not locate a valid LDAP library)
++ fi
+
-+#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
-+ (void) ldap_set_option (ld, LDAP_OPT_RESTART,
-+ options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
-+ debug3 ("LDAP set restart to %d", options.restart);
-+#endif
++ AC_MSG_CHECKING([for working LDAP support])
++ AC_TRY_COMPILE(
++ [#include <sys/types.h>
++ #include <ldap.h>],
++ [(void)ldap_init(0, 0);],
++ [AC_MSG_RESULT(yes)],
++ [
++ AC_MSG_RESULT(no)
++ AC_MSG_ERROR([** Incomplete or missing ldap libraries **])
++ ])
++ AC_CHECK_FUNCS( \
++ ldap_init \
++ ldap_get_lderrno \
++ ldap_set_lderrno \
++ ldap_parse_result \
++ ldap_memfree \
++ ldap_controls_free \
++ ldap_set_option \
++ ldap_get_option \
++ ldapssl_init \
++ ldap_start_tls_s \
++ ldap_pvt_tls_set_option \
++ ldap_initialize \
++ )
++ AC_CHECK_FUNCS(ldap_set_rebind_proc,
++ AC_MSG_CHECKING([number arguments of ldap_set_rebind_proc])
++ AC_TRY_COMPILE(
++ [#include <lber.h>
++ #include <ldap.h>],
++ [ldap_set_rebind_proc(0, 0, 0);],
++ [ac_cv_ldap_set_rebind_proc=3],
++ [ac_cv_ldap_set_rebind_proc=2])
++ AC_MSG_RESULT($ac_cv_ldap_set_rebind_proc)
++ AC_DEFINE(LDAP_SET_REBIND_PROC_ARGS, $ac_cv_ldap_set_rebind_proc, [number arguments of ldap_set_rebind_proc])
++ )
++ fi
++ ]
++)
++AC_SUBST(INSTALL_SSH_LDAP_HELPER)
+
-+#ifdef HAVE_LDAP_START_TLS_S
-+ if (options.ssl == SSL_START_TLS) {
-+ int version;
+ dnl Checks for library functions. Please keep in alphabetical order
+ AC_CHECK_FUNCS([ \
+ Blowfish_initstate \
+diff --git a/ldap-helper.c b/ldap-helper.c
+new file mode 100644
+index 0000000..e95a94a
+--- /dev/null
++++ b/ldap-helper.c
+@@ -0,0 +1,155 @@
++/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
++/*
++ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
+
-+ if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
-+ == LDAP_SUCCESS) {
-+ if (version < LDAP_VERSION3) {
-+ version = LDAP_VERSION3;
-+ (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
-+ &version);
-+ debug3 ("LDAP set version to %d", version);
-+ }
-+ }
++#include "ldapincludes.h"
++#include "log.h"
++#include "misc.h"
++#include "xmalloc.h"
++#include "ldapconf.h"
++#include "ldapbody.h"
++#include <string.h>
++#include <unistd.h>
+
-+ if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
-+ fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
-+ debug3 ("LDAP start TLS");
-+ }
-+#endif /* HAVE_LDAP_START_TLS_S */
-+ }
++static int config_debug = 0;
++int config_exclusive_config_file = 0;
++static char *config_file_name = "/etc/ssh/ldap.conf";
++static char *config_single_user = NULL;
++static int config_verbose = SYSLOG_LEVEL_VERBOSE;
++int config_warning_config_file = 0;
++extern char *__progname;
+
-+ if ((msgid = ldap_simple_bind (ld, options.binddn,
-+ options.bindpw)) == -1) {
-+ ld_errno = ldap_get_lderrno (ld, 0, 0);
++static void
++usage(void)
++{
++ fprintf(stderr, "usage: %s [options]\n",
++ __progname);
++ fprintf(stderr, "Options:\n");
++ fprintf(stderr, " -d Output the log messages to stderr.\n");
++ fprintf(stderr, " -e Check the config file for unknown commands.\n");
++ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
++ fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
++ fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
++ fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
++ exit(1);
++}
+
-+ error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
-+ reconnect++;
-+ goto retry;
-+ }
-+ debug3 ("LDAP simple bind (%s)", options.binddn);
++/*
++ * Main program for the ssh pka ldap agent.
++ */
+
-+ timeout.tv_sec = options.bind_timelimit;
-+ timeout.tv_usec = 0;
-+ if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
-+ ld_errno = ldap_get_lderrno (ld, 0, 0);
++int
++main(int ac, char **av)
++{
++ int opt;
++ FILE *outfile = NULL;
+
-+ error ("ldap_result %s", ldap_err2string (ld_errno));
-+ reconnect++;
-+ goto retry;
-+ }
-+ debug3 ("LDAP result in time");
++ __progname = ssh_get_progname(av[0]);
+
-+#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
-+ controls = NULL;
-+ if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
-+ fatal ("ldap_parse_result %s", ldap_err2string (parserc));
-+ debug3 ("LDAP parse result OK");
++ log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
+
-+ if (controls != NULL) {
-+ ldap_controls_free (controls);
-+ }
-+#else
-+ rc = ldap_result2error (session->ld, result, TRUE);
-+#endif
-+ if (rc != LDAP_SUCCESS)
-+ fatal ("error trying to bind as user \"%s\" (%s)",
-+ options.binddn, ldap_err2string (rc));
++ /*
++ * Initialize option structure to indicate that no values have been
++ * set.
++ */
++ initialize_options();
+
-+ debug2 ("LDAP do connect OK");
-+}
++ /* Parse command-line arguments. */
++ while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
++ switch (opt) {
++ case 'd':
++ config_debug = 1;
++ break;
+
-+void
-+process_user (const char *user, FILE *output)
-+{
-+ LDAPMessage *res, *e;
-+ char *buffer;
-+ int bufflen, rc, i;
-+ struct timeval timeout;
++ case 'e':
++ config_exclusive_config_file = 1;
++ config_warning_config_file = 1;
++ break;
+
-+ debug ("LDAP process user");
++ case 'f':
++ config_file_name = optarg;
++ break;
+
-+ /* quick check for attempts to be evil */
-+ if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
-+ (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
-+ logit ("illegal user name %s not processed", user);
-+ return;
-+ }
++ case 's':
++ config_single_user = optarg;
++ outfile = fdopen (dup (fileno (stdout)), "w");
++ break;
+
-+ /* build filter for LDAP request */
-+ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
-+ if (options.ssh_filter != NULL)
-+ bufflen += strlen (options.ssh_filter);
-+ buffer = xmalloc (bufflen);
-+ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
-+ buffer[bufflen - 1] = 0;
++ case 'v':
++ config_debug = 1;
++ if (config_verbose < SYSLOG_LEVEL_DEBUG3)
++ config_verbose++;
++ break;
+
-+ debug3 ("LDAP search scope = %d %s", options.scope, buffer);
++ case 'w':
++ config_warning_config_file = 1;
++ break;
+
-+ timeout.tv_sec = options.timelimit;
-+ timeout.tv_usec = 0;
-+ if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
-+ error ("ldap_search_st(): %s", ldap_err2string (rc));
-+ free (buffer);
-+ return;
++ case '?':
++ default:
++ usage();
++ break;
++ }
+ }
+
-+ /* free */
-+ free (buffer);
++ /* Initialize loging */
++ log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
+
-+ for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
-+ int num;
-+ struct berval **keys;
++ if (ac != optind)
++ fatal ("illegal extra parameter %s", av[1]);
+
-+ keys = ldap_get_values_len(ld, e, PUBKEYATTR);
-+ num = ldap_count_values_len(keys);
-+ for (i = 0 ; i < num ; i++) {
-+ char *cp; //, *options = NULL;
++ /* Ensure that fds 0 and 2 are open or directed to /dev/null */
++ if (config_debug == 0)
++ sanitise_stdfd();
+
-+ for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
-+ if (!*cp || *cp == '\n' || *cp == '#')
-+ continue;
++ /* Read config file */
++ read_config_file(config_file_name);
++ fill_default_options();
++ if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
++ debug3 ("=== Configuration ===");
++ dump_config();
++ debug3 ("=== *** ===");
++ }
+
-+ /* We have found the desired key. */
-+ fprintf (output, "%s\n", keys[i]->bv_val);
-+ }
++ ldap_checkconfig();
++ ldap_do_connect();
+
-+ ldap_value_free_len(keys);
++ if (config_single_user) {
++ process_user (config_single_user, outfile);
++ } else {
++ usage();
++ fatal ("Not yet implemented");
++/* TODO
++ * open unix socket a run the loop on it
++ */
+ }
+
-+ ldap_msgfree(res);
-+ debug2 ("LDAP process user finished");
++ ldap_do_close();
++ return 0;
+}
+
-+void
-+ldap_do_close(void)
-+{
-+ int rc;
-+
-+ debug ("LDAP do close");
-+ if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
-+ fatal ("ldap_unbind_ext: %s",
-+ ldap_err2string (rc));
-+
-+ ld = NULL;
-+ debug2 ("LDAP do close OK");
-+ return;
-+}
++/* Ugly hack */
++void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
++void buffer_put_string(Buffer *b, const void *f, u_int l) {}
+
-diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
---- openssh-6.2p1/ldapbody.h.ldap 2013-03-25 21:27:15.889248078 +0100
-+++ openssh-6.2p1/ldapbody.h 2013-03-25 21:27:15.889248078 +0100
-@@ -0,0 +1,37 @@
-+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+diff --git a/ldap-helper.h b/ldap-helper.h
+new file mode 100644
+index 0000000..14cb29a
+--- /dev/null
++++ b/ldap-helper.h
+@@ -0,0 +1,32 @@
++/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
+ *
@@ -747,22 +513,114 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
-+#ifndef LDAPBODY_H
-+#define LDAPBODY_H
++#ifndef LDAP_HELPER_H
++#define LDAP_HELPER_H
++
++extern int config_exclusive_config_file;
++extern int config_warning_config_file;
++
++#endif /* LDAP_HELPER_H */
+diff --git a/ldap.conf b/ldap.conf
+new file mode 100644
+index 0000000..42e38d3
+--- /dev/null
++++ b/ldap.conf
+@@ -0,0 +1,88 @@
++# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
++#
++# This is the example configuration file for the OpenSSH
++# LDAP backend
++#
++# see ssh-ldap.conf(5)
++#
++
++# URI with your LDAP server name. This allows to use
++# Unix Domain Sockets to connect to a local LDAP Server.
++#uri ldap://127.0.0.1/
++#uri ldaps://127.0.0.1/
++#uri ldapi://%2fvar%2frun%2fldapi_sock/
++# Note: %2f encodes the '/' used as directory separator
++
++# Another way to specify your LDAP server is to provide an
++# host name and the port of our LDAP server. Host name
++# must be resolvable without using LDAP.
++# Multiple hosts may be specified, each separated by a
++# space. How long nss_ldap takes to failover depends on
++# whether your LDAP client library supports configurable
++# network or connect timeouts (see bind_timelimit).
++#host 127.0.0.1
++
++# The port.
++# Optional: default is 389.
++#port 389
++
++# The distinguished name to bind to the server with.
++# Optional: default is to bind anonymously.
++#binddn cn=openssh_keys,dc=example,dc=org
++
++# The credentials to bind with.
++# Optional: default is no credential.
++#bindpw TopSecret
++
++# The distinguished name of the search base.
++#base dc=example,dc=org
++
++# The LDAP version to use (defaults to 3
++# if supported by client library)
++#ldap_version 3
++
++# The search scope.
++#scope sub
++#scope one
++#scope base
++
++# Search timelimit
++#timelimit 30
++
++# Bind/connect timelimit
++#bind_timelimit 30
+
-+#include <stdio.h>
++# Reconnect policy: hard (default) will retry connecting to
++# the software with exponential backoff, soft will fail
++# immediately.
++#bind_policy hard
+
-+void ldap_checkconfig(void);
-+void ldap_do_connect(void);
-+void process_user(const char *, FILE *);
-+void ldap_do_close(void);
++# SSL setup, may be implied by URI also.
++#ssl no
++#ssl on
++#ssl start_tls
+
-+#endif /* LDAPBODY_H */
++# OpenLDAP SSL options
++# Require and verify server certificate (yes/no)
++# Default is to use libldap's default behavior, which can be configured in
++# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
++# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
++#tls_checkpeer hard
+
---- openssh-6.4p1/ldapconf.c.ldap 2013-11-26 10:31:03.513794385 +0100
-+++ openssh-6.4p1/ldapconf.c 2013-11-26 10:38:15.474635149 +0100
-@@ -0,0 +1,720 @@
-+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
++# CA certificates for server certificate verification
++# At least one of these are required if tls_checkpeer is "yes"
++#tls_cacertfile /etc/ssl/ca.cert
++#tls_cacertdir /etc/pki/tls/certs
++
++# Seed the PRNG if /dev/urandom is not provided
++#tls_randfile /var/run/egd-pool
++
++# SSL cipher suite
++# See man ciphers for syntax
++#tls_ciphers TLSv1
++
++# Client certificate and key
++# Use these, if your server requires client authentication.
++#tls_cert
++#tls_key
++
+diff --git a/ldapbody.c b/ldapbody.c
+new file mode 100644
+index 0000000..3029108
+--- /dev/null
++++ b/ldapbody.c
+@@ -0,0 +1,494 @@
++/* $OpenBSD: ldapbody.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
+ *
@@ -788,1032 +646,1250 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
+ */
+
+#include "ldapincludes.h"
-+#include "ldap-helper.h"
+#include "log.h"
-+#include "misc.h"
+#include "xmalloc.h"
+#include "ldapconf.h"
++#include "ldapmisc.h"
++#include "ldapbody.h"
++#include <stdio.h>
+#include <unistd.h>
-+#include <string.h>
+
-+/* Keyword tokens. */
++#define LDAPSEARCH_FORMAT "(&(objectclass=%s)(objectclass=ldapPublicKey)(uid=%s)%s)"
++#define PUBKEYATTR "sshPublicKey"
++#define LDAP_LOGFILE "%s/ldap.%d"
++
++static FILE *logfile = NULL;
++static LDAP *ld;
++
++static char *attrs[] = {
++ PUBKEYATTR,
++ NULL
++};
++
++void
++ldap_checkconfig (void)
++{
++#ifdef HAVE_LDAP_INITIALIZE
++ if (options.host == NULL && options.uri == NULL)
++#else
++ if (options.host == NULL)
++#endif
++ fatal ("missing \"host\" in config file");
++}
++
++#if defined(LDAP_API_FEATURE_X_OPENLDAP) && (LDAP_API_VERSION > 2000)
++static int
++_rebind_proc (LDAP * ld, LDAP_CONST char *url, int request, ber_int_t msgid)
++{
++ struct timeval timeout;
++ int rc;
++#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
++ LDAPMessage *result;
++#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
++
++ debug2 ("Doing LDAP rebind to %s", options.binddn);
++ if (options.ssl == SSL_START_TLS) {
++ if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS) {
++ error ("ldap_starttls_s: %s", ldap_err2string (rc));
++ return LDAP_OPERATIONS_ERROR;
++ }
++ }
++
++#if !defined(HAVE_LDAP_PARSE_RESULT) || !defined(HAVE_LDAP_CONTROLS_FREE)
++ return ldap_simple_bind_s (ld, options.binddn, options.bindpw);
++#else
++ if (ldap_simple_bind(ld, options.binddn, options.bindpw) < 0)
++ fatal ("ldap_simple_bind %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
++
++ timeout.tv_sec = options.bind_timelimit;
++ timeout.tv_usec = 0;
++ result = NULL;
++ if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
++ error ("ldap_result %s", ldap_err2string (ldap_get_lderrno (ld, 0, 0)));
++ ldap_msgfree (result);
++ return LDAP_OPERATIONS_ERROR;
++ }
++ debug3 ("LDAP rebind to %s succesfull", options.binddn);
++ return rc;
++#endif
++}
++#else
++
++static int
++_rebind_proc (LDAP * ld, char **whop, char **credp, int *methodp, int freeit)
++{
++ if (freeit)
++ return LDAP_SUCCESS;
++
++ *whop = strdup (options.binddn);
++ *credp = strdup (options.bindpw);
++ *methodp = LDAP_AUTH_SIMPLE;
++ debug2 ("Doing LDAP rebind for %s", *whop);
++ return LDAP_SUCCESS;
++}
++#endif
++
++void
++ldap_do_connect(void)
++{
++ int rc, msgid, ld_errno = 0;
++ struct timeval timeout;
++#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
++ int parserc;
++ LDAPMessage *result;
++ LDAPControl **controls;
++ int reconnect = 0;
++#endif /* HAVE_LDAP_PARSE_RESULT && HAVE_LDAP_CONTROLS_FREE */
++
++ debug ("LDAP do connect");
++
++retry:
++ if (reconnect) {
++ debug3 ("Reconnecting with ld_errno %d", ld_errno);
++ if (options.bind_policy == 0 ||
++ (ld_errno != LDAP_SERVER_DOWN && ld_errno != LDAP_TIMEOUT) ||
++ reconnect > 5)
++ fatal ("Cannot connect to LDAP server");
++
++ if (reconnect > 1)
++ sleep (reconnect - 1);
++
++ if (ld != NULL) {
++ ldap_unbind (ld);
++ ld = NULL;
++ }
++ logit("reconnecting to LDAP server...");
++ }
++
++ if (ld == NULL) {
++ int rc;
++ struct timeval tv;
++
++#ifdef HAVE_LDAP_SET_OPTION
++ if (options.debug > 0) {
++#ifdef LBER_OPT_LOG_PRINT_FILE
++ if (options.logdir) {
++ char *logfilename;
++ int logfilenamelen;
++
++ logfilenamelen = strlen (LDAP_LOGFILE) + strlen ("000000") + strlen (options.logdir);
++ logfilename = xmalloc (logfilenamelen);
++ snprintf (logfilename, logfilenamelen, LDAP_LOGFILE, options.logdir, (int) getpid ());
++ logfilename[logfilenamelen - 1] = 0;
++ if ((logfile = fopen (logfilename, "a")) == NULL)
++ fatal ("cannot append to %s: %s", logfilename, strerror (errno));
++ debug3 ("LDAP debug into %s", logfilename);
++ free (logfilename);
++ ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
++ }
++#endif
++ if (options.debug) {
++#ifdef LBER_OPT_DEBUG_LEVEL
++ ber_set_option (NULL, LBER_OPT_DEBUG_LEVEL, &options.debug);
++#endif /* LBER_OPT_DEBUG_LEVEL */
++#ifdef LDAP_OPT_DEBUG_LEVEL
++ (void) ldap_set_option (NULL, LDAP_OPT_DEBUG_LEVEL, &options.debug);
++#endif /* LDAP_OPT_DEBUG_LEVEL */
++ debug3 ("Set LDAP debug to %d", options.debug);
++ }
++ }
++#endif /* HAVE_LDAP_SET_OPTION */
++
++ ld = NULL;
++#ifdef HAVE_LDAPSSL_INIT
++ if (options.host != NULL) {
++ if (options.ssl_on == SSL_LDAPS) {
++ if ((rc = ldapssl_client_init (options.sslpath, NULL)) != LDAP_SUCCESS)
++ fatal ("ldapssl_client_init %s", ldap_err2string (rc));
++ debug3 ("LDAPssl client init");
++ }
++
++ if (options.ssl_on != SSL_OFF) {
++ if ((ld = ldapssl_init (options.host, options.port, TRUE)) == NULL)
++ fatal ("ldapssl_init failed");
++ debug3 ("LDAPssl init");
++ }
++ }
++#endif /* HAVE_LDAPSSL_INIT */
++
++ /* continue with opening */
++ if (ld == NULL) {
++#if defined (HAVE_LDAP_START_TLS_S) || (defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS))
++ /* Some global TLS-specific options need to be set before we create our
++ * session context, so we set them here. */
++
++#ifdef LDAP_OPT_X_TLS_RANDOM_FILE
++ /* rand file */
++ if (options.tls_randfile != NULL) {
++ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_RANDOM_FILE,
++ options.tls_randfile)) != LDAP_SUCCESS)
++ fatal ("ldap_set_option(LDAP_OPT_X_TLS_RANDOM_FILE): %s",
++ ldap_err2string (rc));
++ debug3 ("Set TLS random file %s", options.tls_randfile);
++ }
++#endif /* LDAP_OPT_X_TLS_RANDOM_FILE */
++
++ /* ca cert file */
++ if (options.tls_cacertfile != NULL) {
++ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTFILE,
++ options.tls_cacertfile)) != LDAP_SUCCESS)
++ error ("ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE): %s",
++ ldap_err2string (rc));
++ debug3 ("Set TLS CA cert file %s ", options.tls_cacertfile);
++ }
++
++ /* ca cert directory */
++ if (options.tls_cacertdir != NULL) {
++ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CACERTDIR,
++ options.tls_cacertdir)) != LDAP_SUCCESS)
++ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR): %s",
++ ldap_err2string (rc));
++ debug3 ("Set TLS CA cert dir %s ", options.tls_cacertdir);
++ }
++
++ /* require cert? */
++ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,
++ &options.tls_checkpeer)) != LDAP_SUCCESS)
++ fatal ("ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT): %s",
++ ldap_err2string (rc));
++ debug3 ("Set TLS check peer to %d ", options.tls_checkpeer);
++
++ /* set cipher suite, certificate and private key: */
++ if (options.tls_ciphers != NULL) {
++ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CIPHER_SUITE,
++ options.tls_ciphers)) != LDAP_SUCCESS)
++ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CIPHER_SUITE): %s",
++ ldap_err2string (rc));
++ debug3 ("Set TLS ciphers to %s ", options.tls_ciphers);
++ }
+
-+typedef enum {
-+ lBadOption,
-+ lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
-+ lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
-+ lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
-+ lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
-+ lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
-+ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
-+ lAccountClass, lDeprecated, lUnsupported
-+} OpCodes;
++ /* cert file */
++ if (options.tls_cert != NULL) {
++ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_CERTFILE,
++ options.tls_cert)) != LDAP_SUCCESS)
++ fatal ("ldap_set_option(LDAP_OPT_X_TLS_CERTFILE): %s",
++ ldap_err2string (rc));
++ debug3 ("Set TLS cert file %s ", options.tls_cert);
++ }
+
-+/* Textual representations of the tokens. */
++ /* key file */
++ if (options.tls_key != NULL) {
++ if ((rc = ldap_set_option (NULL, LDAP_OPT_X_TLS_KEYFILE,
++ options.tls_key)) != LDAP_SUCCESS)
++ fatal ("ldap_set_option(LDAP_OPT_X_TLS_KEYFILE): %s",
++ ldap_err2string (rc));
++ debug3 ("Set TLS key file %s ", options.tls_key);
++ }
++#endif
++#ifdef HAVE_LDAP_INITIALIZE
++ if (options.uri != NULL) {
++ if ((rc = ldap_initialize (&ld, options.uri)) != LDAP_SUCCESS)
++ fatal ("ldap_initialize %s", ldap_err2string (rc));
++ debug3 ("LDAP initialize %s", options.uri);
++ }
++ }
++#endif /* HAVE_LDAP_INTITIALIZE */
+
-+static struct {
-+ const char *name;
-+ OpCodes opcode;
-+} keywords[] = {
-+ { "URI", lURI },
-+ { "Base", lBase },
-+ { "BindDN", lBindDN },
-+ { "BindPW", lBindPW },
-+ { "RootBindDN", lRootBindDN },
-+ { "Host", lHost },
-+ { "Port", lPort },
-+ { "Scope", lScope },
-+ { "Deref", lDeref },
-+ { "TimeLimit", lTimeLimit },
-+ { "TimeOut", lTimeLimit },
-+ { "Bind_Timelimit", lBind_TimeLimit },
-+ { "Network_TimeOut", lBind_TimeLimit },
-+/*
-+ * Todo
-+ * SIZELIMIT
-+ */
-+ { "Ldap_Version", lLdap_Version },
-+ { "Version", lLdap_Version },
-+ { "Bind_Policy", lBind_Policy },
-+ { "SSLPath", lSSLPath },
-+ { "SSL", lSSL },
-+ { "Referrals", lReferrals },
-+ { "Restart", lRestart },
-+ { "TLS_CheckPeer", lTLS_CheckPeer },
-+ { "TLS_ReqCert", lTLS_CheckPeer },
-+ { "TLS_CaCertFile", lTLS_CaCertFile },
-+ { "TLS_CaCert", lTLS_CaCertFile },
-+ { "TLS_CaCertDir", lTLS_CaCertDir },
-+ { "TLS_Ciphers", lTLS_Ciphers },
-+ { "TLS_Cipher_Suite", lTLS_Ciphers },
-+ { "TLS_Cert", lTLS_Cert },
-+ { "TLS_Certificate", lTLS_Cert },
-+ { "TLS_Key", lTLS_Key },
-+ { "TLS_RandFile", lTLS_RandFile },
-+/*
-+ * Todo
-+ * TLS_CRLCHECK
-+ * TLS_CRLFILE
-+ */
-+ { "LogDir", lLogDir },
-+ { "Debug", lDebug },
-+ { "SSH_Filter", lSSH_Filter },
-+ { "AccountClass", lAccountClass },
-+ { NULL, lBadOption }
-+};
++ /* continue with opening */
++ if ((ld == NULL) && (options.host != NULL)) {
++#ifdef HAVE_LDAP_INIT
++ if ((ld = ldap_init (options.host, options.port)) == NULL)
++ fatal ("ldap_init failed");
++ debug3 ("LDAP init %s:%d", options.host, options.port);
++#else
++ if ((ld = ldap_open (options.host, options.port)) == NULL)
++ fatal ("ldap_open failed");
++ debug3 ("LDAP open %s:%d", options.host, options.port);
++#endif /* HAVE_LDAP_INIT */
++ }
+
-+/* Configuration ptions. */
++ if (ld == NULL)
++ fatal ("no way to open ldap");
+
-+Options options;
++#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS)
++ if (options.ssl == SSL_LDAPS) {
++ if ((rc = ldap_set_option (ld, LDAP_OPT_X_TLS, &options.tls_checkpeer)) != LDAP_SUCCESS)
++ fatal ("ldap_set_option(LDAP_OPT_X_TLS) %s", ldap_err2string (rc));
++ debug3 ("LDAP set LDAP_OPT_X_TLS_%d", options.tls_checkpeer);
++ }
++#endif /* LDAP_OPT_X_TLS */
+
-+/*
-+ * Returns the number of the token pointed to by cp or oBadOption.
-+ */
++#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_PROTOCOL_VERSION)
++ (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
++ &options.ldap_version);
++#else
++ ld->ld_version = options.ldap_version;
++#endif
++ debug3 ("LDAP set version to %d", options.ldap_version);
+
-+static OpCodes
-+parse_token(const char *cp, const char *filename, int linenum)
-+{
-+ u_int i;
++#if LDAP_SET_REBIND_PROC_ARGS == 3
++ ldap_set_rebind_proc (ld, _rebind_proc, NULL);
++#elif LDAP_SET_REBIND_PROC_ARGS == 2
++ ldap_set_rebind_proc (ld, _rebind_proc);
++#else
++#warning unknown LDAP_SET_REBIND_PROC_ARGS
++#endif
++ debug3 ("LDAP set rebind proc");
+
-+ for (i = 0; keywords[i].name; i++)
-+ if (strcasecmp(cp, keywords[i].name) == 0)
-+ return keywords[i].opcode;
++#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_DEREF)
++ (void) ldap_set_option (ld, LDAP_OPT_DEREF, &options.deref);
++#else
++ ld->ld_deref = options.deref;
++#endif
++ debug3 ("LDAP set deref to %d", options.deref);
+
-+ if (config_warning_config_file)
-+ logit("%s: line %d: Bad configuration option: %s",
-+ filename, linenum, cp);
-+ return lBadOption;
-+}
++#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_TIMELIMIT)
++ (void) ldap_set_option (ld, LDAP_OPT_TIMELIMIT,
++ &options.timelimit);
++#else
++ ld->ld_timelimit = options.timelimit;
++#endif
++ debug3 ("LDAP set timelimit to %d", options.timelimit);
+
-+/* Characters considered whitespace in strsep calls. */
-+#define WHITESPACE " \t\r\n"
++#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_X_OPT_CONNECT_TIMEOUT)
++ /*
++ * This is a new option in the Netscape SDK which sets
++ * the TCP connect timeout. For want of a better value,
++ * we use the bind_timelimit to control this.
++ */
++ timeout = options.bind_timelimit * 1000;
++ (void) ldap_set_option (ld, LDAP_X_OPT_CONNECT_TIMEOUT, &timeout);
++ debug3 ("LDAP set opt connect timeout to %d", timeout);
++#endif
+
-+/* return next token in configuration line */
-+static char *
-+ldap_strdelim(char **s)
-+{
-+ char *old;
-+ int wspace = 0;
++#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_NETWORK_TIMEOUT)
++ tv.tv_sec = options.bind_timelimit;
++ tv.tv_usec = 0;
++ (void) ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
++ debug3 ("LDAP set opt network timeout to %ld.0", tv.tv_sec);
++#endif
+
-+ if (*s == NULL)
-+ return NULL;
++#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_REFERRALS)
++ (void) ldap_set_option (ld, LDAP_OPT_REFERRALS,
++ options.referrals ? LDAP_OPT_ON : LDAP_OPT_OFF);
++ debug3 ("LDAP set referrals to %d", options.referrals);
++#endif
+
-+ old = *s;
++#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_RESTART)
++ (void) ldap_set_option (ld, LDAP_OPT_RESTART,
++ options.restart ? LDAP_OPT_ON : LDAP_OPT_OFF);
++ debug3 ("LDAP set restart to %d", options.restart);
++#endif
+
-+ *s = strpbrk(*s, WHITESPACE);
-+ if (*s == NULL)
-+ return (old);
++#ifdef HAVE_LDAP_START_TLS_S
++ if (options.ssl == SSL_START_TLS) {
++ int version;
+
-+ *s[0] = '\0';
++ if (ldap_get_option (ld, LDAP_OPT_PROTOCOL_VERSION, &version)
++ == LDAP_SUCCESS) {
++ if (version < LDAP_VERSION3) {
++ version = LDAP_VERSION3;
++ (void) ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION,
++ &version);
++ debug3 ("LDAP set version to %d", version);
++ }
++ }
+
-+ /* Skip any extra whitespace after first token */
-+ *s += strspn(*s + 1, WHITESPACE) + 1;
-+ if (*s[0] == '=' && !wspace)
-+ *s += strspn(*s + 1, WHITESPACE) + 1;
++ if ((rc = ldap_start_tls_s (ld, NULL, NULL)) != LDAP_SUCCESS)
++ fatal ("ldap_starttls_s: %s", ldap_err2string (rc));
++ debug3 ("LDAP start TLS");
++ }
++#endif /* HAVE_LDAP_START_TLS_S */
++ }
+
-+ return (old);
-+}
++ if ((msgid = ldap_simple_bind (ld, options.binddn,
++ options.bindpw)) == -1) {
++ ld_errno = ldap_get_lderrno (ld, 0, 0);
+
-+/*
-+ * Processes a single option line as used in the configuration files. This
-+ * only sets those values that have not already been set.
-+ */
-+#define WHITESPACE " \t\r\n"
++ error ("ldap_simple_bind %s", ldap_err2string (ld_errno));
++ reconnect++;
++ goto retry;
++ }
++ debug3 ("LDAP simple bind (%s)", options.binddn);
+
-+static int
-+process_config_line(char *line, const char *filename, int linenum)
-+{
-+ char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
-+ char *rootbinddn = NULL;
-+ int opcode, *intptr, value;
-+ size_t len;
++ timeout.tv_sec = options.bind_timelimit;
++ timeout.tv_usec = 0;
++ if ((rc = ldap_result (ld, msgid, FALSE, &timeout, &result)) < 1) {
++ ld_errno = ldap_get_lderrno (ld, 0, 0);
+
-+ /* Strip trailing whitespace */
-+ for (len = strlen(line) - 1; len > 0; len--) {
-+ if (strchr(WHITESPACE, line[len]) == NULL)
-+ break;
-+ line[len] = '\0';
++ error ("ldap_result %s", ldap_err2string (ld_errno));
++ reconnect++;
++ goto retry;
+ }
++ debug3 ("LDAP result in time");
+
-+ s = line;
-+ /* Get the keyword. (Each line is supposed to begin with a keyword). */
-+ if ((keyword = ldap_strdelim(&s)) == NULL)
-+ return 0;
-+ /* Ignore leading whitespace. */
-+ if (*keyword == '\0')
-+ keyword = ldap_strdelim(&s);
-+ if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
-+ return 0;
++#if defined(HAVE_LDAP_PARSE_RESULT) && defined(HAVE_LDAP_CONTROLS_FREE)
++ controls = NULL;
++ if ((parserc = ldap_parse_result (ld, result, &rc, 0, 0, 0, &controls, TRUE)) != LDAP_SUCCESS)
++ fatal ("ldap_parse_result %s", ldap_err2string (parserc));
++ debug3 ("LDAP parse result OK");
+
-+ opcode = parse_token(keyword, filename, linenum);
++ if (controls != NULL) {
++ ldap_controls_free (controls);
++ }
++#else
++ rc = ldap_result2error (session->ld, result, TRUE);
++#endif
++ if (rc != LDAP_SUCCESS)
++ fatal ("error trying to bind as user \"%s\" (%s)",
++ options.binddn, ldap_err2string (rc));
+
-+ switch (opcode) {
-+ case lBadOption:
-+ /* don't panic, but count bad options */
-+ return -1;
-+ /* NOTREACHED */
++ debug2 ("LDAP do connect OK");
++}
+
-+ case lHost:
-+ xstringptr = &options.host;
-+parse_xstring:
-+ if (!s || *s == '\0')
-+ fatal("%s line %d: missing dn",filename,linenum);
-+ if (*xstringptr == NULL)
-+ *xstringptr = xstrdup(s);
-+ return 0;
++void
++process_user (const char *user, FILE *output)
++{
++ LDAPMessage *res, *e;
++ char *buffer;
++ int bufflen, rc, i;
++ struct timeval timeout;
+
-+ case lURI:
-+ xstringptr = &options.uri;
-+ goto parse_xstring;
++ debug ("LDAP process user");
+
-+ case lBase:
-+ xstringptr = &options.base;
-+ goto parse_xstring;
++ /* quick check for attempts to be evil */
++ if ((strchr(user, '(') != NULL) || (strchr(user, ')') != NULL) ||
++ (strchr(user, '*') != NULL) || (strchr(user, '\\') != NULL)) {
++ logit ("illegal user name %s not processed", user);
++ return;
++ }
+
-+ case lBindDN:
-+ xstringptr = &options.binddn;
-+ goto parse_xstring;
++ /* build filter for LDAP request */
++ bufflen = strlen (LDAPSEARCH_FORMAT) + strlen(options.account_class) + strlen (user);
++ if (options.ssh_filter != NULL)
++ bufflen += strlen (options.ssh_filter);
++ buffer = xmalloc (bufflen);
++ snprintf(buffer, bufflen, LDAPSEARCH_FORMAT, options.account_class, user, (options.ssh_filter != NULL) ? options.ssh_filter : NULL);
++ buffer[bufflen - 1] = 0;
+
-+ case lBindPW:
-+ charptr = &options.bindpw;
-+parse_string:
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing argument.", filename, linenum);
-+ if (*charptr == NULL)
-+ *charptr = xstrdup(arg);
-+ break;
++ debug3 ("LDAP search scope = %d %s", options.scope, buffer);
+
-+ case lRootBindDN:
-+ xstringptr = &rootbinddn;
-+ goto parse_xstring;
++ timeout.tv_sec = options.timelimit;
++ timeout.tv_usec = 0;
++ if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
++ error ("ldap_search_st(): %s", ldap_err2string (rc));
++ free (buffer);
++ return;
++ }
+
-+ case lScope:
-+ intptr = &options.scope;
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
-+ value = 0; /* To avoid compiler warning... */
-+ if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
-+ value = LDAP_SCOPE_SUBTREE;
-+ else if (strcasecmp (arg, "one") == 0)
-+ value = LDAP_SCOPE_ONELEVEL;
-+ else if (strcasecmp (arg, "base") == 0)
-+ value = LDAP_SCOPE_BASE;
-+ else
-+ fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
-+ if (*intptr == -1)
-+ *intptr = value;
-+ break;
++ /* free */
++ free (buffer);
+
-+ case lDeref:
-+ intptr = &options.scope;
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
-+ value = 0; /* To avoid compiler warning... */
-+ if (!strcasecmp (arg, "never"))
-+ value = LDAP_DEREF_NEVER;
-+ else if (!strcasecmp (arg, "searching"))
-+ value = LDAP_DEREF_SEARCHING;
-+ else if (!strcasecmp (arg, "finding"))
-+ value = LDAP_DEREF_FINDING;
-+ else if (!strcasecmp (arg, "always"))
-+ value = LDAP_DEREF_ALWAYS;
-+ else
-+ fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
-+ if (*intptr == -1)
-+ *intptr = value;
-+ break;
++ for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
++ int num;
++ struct berval **keys;
+
-+ case lPort:
-+ intptr = &options.port;
-+parse_int:
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing argument.", filename, linenum);
-+ if (arg[0] < '0' || arg[0] > '9')
-+ fatal("%.200s line %d: Bad number.", filename, linenum);
++ keys = ldap_get_values_len(ld, e, PUBKEYATTR);
++ num = ldap_count_values_len(keys);
++ for (i = 0 ; i < num ; i++) {
++ char *cp; //, *options = NULL;
+
-+ /* Octal, decimal, or hex format? */
-+ value = strtol(arg, &endofnumber, 0);
-+ if (arg == endofnumber)
-+ fatal("%.200s line %d: Bad number.", filename, linenum);
-+ if (*intptr == -1)
-+ *intptr = value;
-+ break;
++ for (cp = keys[i]->bv_val; *cp == ' ' || *cp == '\t'; cp++);
++ if (!*cp || *cp == '\n' || *cp == '#')
++ continue;
+
-+ case lTimeLimit:
-+ intptr = &options.timelimit;
-+parse_time:
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%s line %d: missing time value.",
-+ filename, linenum);
-+ if ((value = convtime(arg)) == -1)
-+ fatal("%s line %d: invalid time value.",
-+ filename, linenum);
-+ if (*intptr == -1)
-+ *intptr = value;
-+ break;
++ /* We have found the desired key. */
++ fprintf (output, "%s\n", keys[i]->bv_val);
++ }
+
-+ case lBind_TimeLimit:
-+ intptr = &options.bind_timelimit;
-+ goto parse_time;
++ ldap_value_free_len(keys);
++ }
+
-+ case lLdap_Version:
-+ intptr = &options.ldap_version;
-+ goto parse_int;
++ ldap_msgfree(res);
++ debug2 ("LDAP process user finished");
++}
+
-+ case lBind_Policy:
-+ intptr = &options.bind_policy;
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
-+ value = 0; /* To avoid compiler warning... */
-+ if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
-+ value = 1;
-+ else if (strcasecmp(arg, "soft") == 0)
-+ value = 0;
-+ else
-+ fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
-+ if (*intptr == -1)
-+ break;
++void
++ldap_do_close(void)
++{
++ int rc;
+
-+ case lSSLPath:
-+ charptr = &options.sslpath;
-+ goto parse_string;
++ debug ("LDAP do close");
++ if ((rc = ldap_unbind_ext(ld, NULL, NULL)) != LDAP_SUCCESS)
++ fatal ("ldap_unbind_ext: %s",
++ ldap_err2string (rc));
+
-+ case lSSL:
-+ intptr = &options.ssl;
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
-+ value = 0; /* To avoid compiler warning... */
-+ if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
-+ value = SSL_LDAPS;
-+ else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
-+ value = SSL_OFF;
-+ else if (!strcasecmp (arg, "start_tls"))
-+ value = SSL_START_TLS;
-+ else
-+ fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
-+ if (*intptr == -1)
-+ *intptr = value;
-+ break;
++ ld = NULL;
++ debug2 ("LDAP do close OK");
++ return;
++}
+
-+ case lReferrals:
-+ intptr = &options.referrals;
-+parse_flag:
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
-+ value = 0; /* To avoid compiler warning... */
-+ if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
-+ value = 1;
-+ else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
-+ value = 0;
-+ else
-+ fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
-+ if (*intptr == -1)
-+ *intptr = value;
-+ break;
+diff --git a/ldapbody.h b/ldapbody.h
+new file mode 100644
+index 0000000..665dca2
+--- /dev/null
++++ b/ldapbody.h
+@@ -0,0 +1,37 @@
++/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
++/*
++ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
+
-+ case lRestart:
-+ intptr = &options.restart;
-+ goto parse_flag;
++#ifndef LDAPBODY_H
++#define LDAPBODY_H
+
-+ case lTLS_CheckPeer:
-+ intptr = &options.tls_checkpeer;
-+ arg = ldap_strdelim(&s);
-+ if (!arg || *arg == '\0')
-+ fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
-+ value = 0; /* To avoid compiler warning... */
-+ if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
-+ value = LDAP_OPT_X_TLS_NEVER;
-+ else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
-+ value = LDAP_OPT_X_TLS_HARD;
-+ else if (strcasecmp(arg, "demand") == 0)
-+ value = LDAP_OPT_X_TLS_DEMAND;
-+ else if (strcasecmp(arg, "allow") == 0)
-+ value = LDAP_OPT_X_TLS_ALLOW;
-+ else if (strcasecmp(arg, "try") == 0)
-+ value = LDAP_OPT_X_TLS_TRY;
-+ else
-+ fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
-+ if (*intptr == -1)
-+ break;
++#include <stdio.h>
+
-+ case lTLS_CaCertFile:
-+ charptr = &options.tls_cacertfile;
-+ goto parse_string;
++void ldap_checkconfig(void);
++void ldap_do_connect(void);
++void process_user(const char *, FILE *);
++void ldap_do_close(void);
+
-+ case lTLS_CaCertDir:
-+ charptr = &options.tls_cacertdir;
-+ goto parse_string;
++#endif /* LDAPBODY_H */
+
-+ case lTLS_Ciphers:
-+ xstringptr = &options.tls_ciphers;
-+ goto parse_xstring;
+diff --git a/ldapconf.c b/ldapconf.c
+new file mode 100644
+index 0000000..525060a
+--- /dev/null
++++ b/ldapconf.c
+@@ -0,0 +1,720 @@
++/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
++/*
++ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
+
-+ case lTLS_Cert:
-+ charptr = &options.tls_cert;
-+ goto parse_string;
++#include "ldapincludes.h"
++#include "ldap-helper.h"
++#include "log.h"
++#include "misc.h"
++#include "xmalloc.h"
++#include "ldapconf.h"
++#include <unistd.h>
++#include <string.h>
+
-+ case lTLS_Key:
-+ charptr = &options.tls_key;
-+ goto parse_string;
++/* Keyword tokens. */
+
-+ case lTLS_RandFile:
-+ charptr = &options.tls_randfile;
-+ goto parse_string;
++typedef enum {
++ lBadOption,
++ lHost, lURI, lBase, lBindDN, lBindPW, lRootBindDN,
++ lScope, lDeref, lPort, lTimeLimit, lBind_TimeLimit,
++ lLdap_Version, lBind_Policy, lSSLPath, lSSL, lReferrals,
++ lRestart, lTLS_CheckPeer, lTLS_CaCertFile,
++ lTLS_CaCertDir, lTLS_Ciphers, lTLS_Cert, lTLS_Key,
++ lTLS_RandFile, lLogDir, lDebug, lSSH_Filter,
++ lAccountClass, lDeprecated, lUnsupported
++} OpCodes;
+
-+ case lLogDir:
-+ charptr = &options.logdir;
-+ goto parse_string;
++/* Textual representations of the tokens. */
+
-+ case lDebug:
-+ intptr = &options.debug;
-+ goto parse_int;
++static struct {
++ const char *name;
++ OpCodes opcode;
++} keywords[] = {
++ { "URI", lURI },
++ { "Base", lBase },
++ { "BindDN", lBindDN },
++ { "BindPW", lBindPW },
++ { "RootBindDN", lRootBindDN },
++ { "Host", lHost },
++ { "Port", lPort },
++ { "Scope", lScope },
++ { "Deref", lDeref },
++ { "TimeLimit", lTimeLimit },
++ { "TimeOut", lTimeLimit },
++ { "Bind_Timelimit", lBind_TimeLimit },
++ { "Network_TimeOut", lBind_TimeLimit },
++/*
++ * Todo
++ * SIZELIMIT
++ */
++ { "Ldap_Version", lLdap_Version },
++ { "Version", lLdap_Version },
++ { "Bind_Policy", lBind_Policy },
++ { "SSLPath", lSSLPath },
++ { "SSL", lSSL },
++ { "Referrals", lReferrals },
++ { "Restart", lRestart },
++ { "TLS_CheckPeer", lTLS_CheckPeer },
++ { "TLS_ReqCert", lTLS_CheckPeer },
++ { "TLS_CaCertFile", lTLS_CaCertFile },
++ { "TLS_CaCert", lTLS_CaCertFile },
++ { "TLS_CaCertDir", lTLS_CaCertDir },
++ { "TLS_Ciphers", lTLS_Ciphers },
++ { "TLS_Cipher_Suite", lTLS_Ciphers },
++ { "TLS_Cert", lTLS_Cert },
++ { "TLS_Certificate", lTLS_Cert },
++ { "TLS_Key", lTLS_Key },
++ { "TLS_RandFile", lTLS_RandFile },
++/*
++ * Todo
++ * TLS_CRLCHECK
++ * TLS_CRLFILE
++ */
++ { "LogDir", lLogDir },
++ { "Debug", lDebug },
++ { "SSH_Filter", lSSH_Filter },
++ { "AccountClass", lAccountClass },
++ { NULL, lBadOption }
++};
+
-+ case lSSH_Filter:
-+ xstringptr = &options.ssh_filter;
-+ goto parse_xstring;
++/* Configuration ptions. */
+
-+ case lAccountClass:
-+ charptr = &options.account_class;
-+ goto parse_string;
++Options options;
+
-+ case lDeprecated:
-+ debug("%s line %d: Deprecated option \"%s\"",
-+ filename, linenum, keyword);
-+ return 0;
++/*
++ * Returns the number of the token pointed to by cp or oBadOption.
++ */
+
-+ case lUnsupported:
-+ error("%s line %d: Unsupported option \"%s\"",
-+ filename, linenum, keyword);
-+ return 0;
++static OpCodes
++parse_token(const char *cp, const char *filename, int linenum)
++{
++ u_int i;
+
-+ default:
-+ fatal("process_config_line: Unimplemented opcode %d", opcode);
-+ }
++ for (i = 0; keywords[i].name; i++)
++ if (strcasecmp(cp, keywords[i].name) == 0)
++ return keywords[i].opcode;
+
-+ /* Check that there is no garbage at end of line. */
-+ if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
-+ fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
-+ filename, linenum, arg);
-+ }
-+ return 0;
++ if (config_warning_config_file)
++ logit("%s: line %d: Bad configuration option: %s",
++ filename, linenum, cp);
++ return lBadOption;
+}
+
-+/*
-+ * Reads the config file and modifies the options accordingly. Options
-+ * should already be initialized before this call. This never returns if
-+ * there is an error. If the file does not exist, this returns 0.
-+ */
++/* Characters considered whitespace in strsep calls. */
++#define WHITESPACE " \t\r\n"
+
-+void
-+read_config_file(const char *filename)
++/* return next token in configuration line */
++static char *
++ldap_strdelim(char **s)
+{
-+ FILE *f;
-+ char line[1024];
-+ int active, linenum;
-+ int bad_options = 0;
-+ struct stat sb;
++ char *old;
++ int wspace = 0;
+
-+ if ((f = fopen(filename, "r")) == NULL)
-+ fatal("fopen %s: %s", filename, strerror(errno));
++ if (*s == NULL)
++ return NULL;
+
-+ if (fstat(fileno(f), &sb) == -1)
-+ fatal("fstat %s: %s", filename, strerror(errno));
-+ if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-+ (sb.st_mode & 022) != 0))
-+ fatal("Bad owner or permissions on %s", filename);
++ old = *s;
+
-+ debug("Reading configuration data %.200s", filename);
++ *s = strpbrk(*s, WHITESPACE);
++ if (*s == NULL)
++ return (old);
+
-+ /*
-+ * Mark that we are now processing the options. This flag is turned
-+ * on/off by Host specifications.
-+ */
-+ active = 1;
-+ linenum = 0;
-+ while (fgets(line, sizeof(line), f)) {
-+ /* Update line number counter. */
-+ linenum++;
-+ if (process_config_line(line, filename, linenum) != 0)
-+ bad_options++;
-+ }
-+ fclose(f);
-+ if ((bad_options > 0) && config_exclusive_config_file)
-+ fatal("%s: terminating, %d bad configuration options",
-+ filename, bad_options);
-+}
++ *s[0] = '\0';
+
-+/*
-+ * Initializes options to special values that indicate that they have not yet
-+ * been set. Read_config_file will only set options with this value. Options
-+ * are processed in the following order: command line, user config file,
-+ * system config file. Last, fill_default_options is called.
-+ */
++ /* Skip any extra whitespace after first token */
++ *s += strspn(*s + 1, WHITESPACE) + 1;
++ if (*s[0] == '=' && !wspace)
++ *s += strspn(*s + 1, WHITESPACE) + 1;
+
-+void
-+initialize_options(void)
-+{
-+ memset(&options, 'X', sizeof(options));
-+ options.host = NULL;
-+ options.uri = NULL;
-+ options.base = NULL;
-+ options.binddn = NULL;
-+ options.bindpw = NULL;
-+ options.scope = -1;
-+ options.deref = -1;
-+ options.port = -1;
-+ options.timelimit = -1;
-+ options.bind_timelimit = -1;
-+ options.ldap_version = -1;
-+ options.bind_policy = -1;
-+ options.sslpath = NULL;
-+ options.ssl = -1;
-+ options.referrals = -1;
-+ options.restart = -1;
-+ options.tls_checkpeer = -1;
-+ options.tls_cacertfile = NULL;
-+ options.tls_cacertdir = NULL;
-+ options.tls_ciphers = NULL;
-+ options.tls_cert = NULL;
-+ options.tls_key = NULL;
-+ options.tls_randfile = NULL;
-+ options.logdir = NULL;
-+ options.debug = -1;
-+ options.ssh_filter = NULL;
-+ options.account_class = NULL;
++ return (old);
+}
+
+/*
-+ * Called after processing other sources of option data, this fills those
-+ * options for which no value has been specified with their default values.
++ * Processes a single option line as used in the configuration files. This
++ * only sets those values that have not already been set.
+ */
++#define WHITESPACE " \t\r\n"
+
-+void
-+fill_default_options(void)
++static int
++process_config_line(char *line, const char *filename, int linenum)
+{
-+ if (options.uri != NULL) {
-+ LDAPURLDesc *ludp;
++ char *s, **charptr, **xstringptr, *endofnumber, *keyword, *arg;
++ char *rootbinddn = NULL;
++ int opcode, *intptr, value;
++ size_t len;
+
-+ if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
-+ if (options.ssl == -1) {
-+ if (strcmp (ludp->lud_scheme, "ldap") == 0)
-+ options.ssl = 2;
-+ if (strcmp (ludp->lud_scheme, "ldapi") == 0)
-+ options.ssl = 0;
-+ else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
-+ options.ssl = 1;
-+ }
-+ if (options.host == NULL)
-+ options.host = xstrdup (ludp->lud_host);
-+ if (options.port == -1)
-+ options.port = ludp->lud_port;
++ /* Strip trailing whitespace */
++ for (len = strlen(line) - 1; len > 0; len--) {
++ if (strchr(WHITESPACE, line[len]) == NULL)
++ break;
++ line[len] = '\0';
++ }
+
-+ ldap_free_urldesc (ludp);
-+ }
-+ }
-+ if (options.ssl == -1)
-+ options.ssl = SSL_START_TLS;
-+ if (options.port == -1)
-+ options.port = (options.ssl == 0) ? 389 : 636;
-+ if (options.uri == NULL) {
-+ int len;
-+#define MAXURILEN 4096
++ s = line;
++ /* Get the keyword. (Each line is supposed to begin with a keyword). */
++ if ((keyword = ldap_strdelim(&s)) == NULL)
++ return 0;
++ /* Ignore leading whitespace. */
++ if (*keyword == '\0')
++ keyword = ldap_strdelim(&s);
++ if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
++ return 0;
+
-+ options.uri = xmalloc (MAXURILEN);
-+ len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
-+ (options.ssl == 0) ? "" : "s", options.host, options.port);
-+ options.uri[MAXURILEN - 1] = 0;
-+ options.uri = xrealloc (options.uri, len + 1, 1);
-+ }
-+ if (options.binddn == NULL)
-+ options.binddn = "";
-+ if (options.bindpw == NULL)
-+ options.bindpw = "";
-+ if (options.scope == -1)
-+ options.scope = LDAP_SCOPE_SUBTREE;
-+ if (options.deref == -1)
-+ options.deref = LDAP_DEREF_NEVER;
-+ if (options.timelimit == -1)
-+ options.timelimit = 10;
-+ if (options.bind_timelimit == -1)
-+ options.bind_timelimit = 10;
-+ if (options.ldap_version == -1)
-+ options.ldap_version = 3;
-+ if (options.bind_policy == -1)
-+ options.bind_policy = 1;
-+ if (options.referrals == -1)
-+ options.referrals = 1;
-+ if (options.restart == -1)
-+ options.restart = 1;
-+ if (options.tls_checkpeer == -1)
-+ options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
-+ if (options.debug == -1)
-+ options.debug = 0;
-+ if (options.ssh_filter == NULL)
-+ options.ssh_filter = "";
-+ if (options.account_class == NULL)
-+ options.account_class = "posixAccount";
-+}
++ opcode = parse_token(keyword, filename, linenum);
+
-+static const char *
-+lookup_opcode_name(OpCodes code)
-+{
-+ u_int i;
++ switch (opcode) {
++ case lBadOption:
++ /* don't panic, but count bad options */
++ return -1;
++ /* NOTREACHED */
+
-+ for (i = 0; keywords[i].name != NULL; i++)
-+ if (keywords[i].opcode == code)
-+ return(keywords[i].name);
-+ return "UNKNOWN";
-+}
++ case lHost:
++ xstringptr = &options.host;
++parse_xstring:
++ if (!s || *s == '\0')
++ fatal("%s line %d: missing dn",filename,linenum);
++ if (*xstringptr == NULL)
++ *xstringptr = xstrdup(s);
++ return 0;
+
-+static void
-+dump_cfg_string(OpCodes code, const char *val)
-+{
-+ if (val == NULL)
-+ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
-+ else
-+ debug3("%s %s", lookup_opcode_name(code), val);
-+}
++ case lURI:
++ xstringptr = &options.uri;
++ goto parse_xstring;
+
-+static void
-+dump_cfg_int(OpCodes code, int val)
-+{
-+ if (val == -1)
-+ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
-+ else
-+ debug3("%s %d", lookup_opcode_name(code), val);
-+}
++ case lBase:
++ xstringptr = &options.base;
++ goto parse_xstring;
+
-+struct names {
-+ int value;
-+ char *name;
-+};
++ case lBindDN:
++ xstringptr = &options.binddn;
++ goto parse_xstring;
+
-+static void
-+dump_cfg_namedint(OpCodes code, int val, struct names *names)
-+{
-+ u_int i;
++ case lBindPW:
++ charptr = &options.bindpw;
++parse_string:
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing argument.", filename, linenum);
++ if (*charptr == NULL)
++ *charptr = xstrdup(arg);
++ break;
+
-+ if (val == -1)
-+ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
-+ else {
-+ for (i = 0; names[i].value != -1; i++)
-+ if (names[i].value == val) {
-+ debug3("%s %s", lookup_opcode_name(code), names[i].name);
-+ return;
-+ }
-+ debug3("%s unknown: %d", lookup_opcode_name(code), val);
-+ }
-+}
++ case lRootBindDN:
++ xstringptr = &rootbinddn;
++ goto parse_xstring;
+
-+static struct names _yesnotls[] = {
-+ { 0, "No" },
-+ { 1, "Yes" },
-+ { 2, "Start_TLS" },
-+ { -1, NULL }};
++ case lScope:
++ intptr = &options.scope;
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
++ value = 0; /* To avoid compiler warning... */
++ if (strcasecmp (arg, "sub") == 0 || strcasecmp (arg, "subtree") == 0)
++ value = LDAP_SCOPE_SUBTREE;
++ else if (strcasecmp (arg, "one") == 0)
++ value = LDAP_SCOPE_ONELEVEL;
++ else if (strcasecmp (arg, "base") == 0)
++ value = LDAP_SCOPE_BASE;
++ else
++ fatal("%.200s line %d: Bad sub/one/base argument.", filename, linenum);
++ if (*intptr == -1)
++ *intptr = value;
++ break;
+
-+static struct names _scope[] = {
-+ { LDAP_SCOPE_BASE, "Base" },
-+ { LDAP_SCOPE_ONELEVEL, "One" },
-+ { LDAP_SCOPE_SUBTREE, "Sub"},
-+ { -1, NULL }};
++ case lDeref:
++ intptr = &options.scope;
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
++ value = 0; /* To avoid compiler warning... */
++ if (!strcasecmp (arg, "never"))
++ value = LDAP_DEREF_NEVER;
++ else if (!strcasecmp (arg, "searching"))
++ value = LDAP_DEREF_SEARCHING;
++ else if (!strcasecmp (arg, "finding"))
++ value = LDAP_DEREF_FINDING;
++ else if (!strcasecmp (arg, "always"))
++ value = LDAP_DEREF_ALWAYS;
++ else
++ fatal("%.200s line %d: Bad never/searching/finding/always argument.", filename, linenum);
++ if (*intptr == -1)
++ *intptr = value;
++ break;
++
++ case lPort:
++ intptr = &options.port;
++parse_int:
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing argument.", filename, linenum);
++ if (arg[0] < '0' || arg[0] > '9')
++ fatal("%.200s line %d: Bad number.", filename, linenum);
+
-+static struct names _deref[] = {
-+ { LDAP_DEREF_NEVER, "Never" },
-+ { LDAP_DEREF_SEARCHING, "Searching" },
-+ { LDAP_DEREF_FINDING, "Finding" },
-+ { LDAP_DEREF_ALWAYS, "Always" },
-+ { -1, NULL }};
++ /* Octal, decimal, or hex format? */
++ value = strtol(arg, &endofnumber, 0);
++ if (arg == endofnumber)
++ fatal("%.200s line %d: Bad number.", filename, linenum);
++ if (*intptr == -1)
++ *intptr = value;
++ break;
+
-+static struct names _yesno[] = {
-+ { 0, "No" },
-+ { 1, "Yes" },
-+ { -1, NULL }};
++ case lTimeLimit:
++ intptr = &options.timelimit;
++parse_time:
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: missing time value.",
++ filename, linenum);
++ if ((value = convtime(arg)) == -1)
++ fatal("%s line %d: invalid time value.",
++ filename, linenum);
++ if (*intptr == -1)
++ *intptr = value;
++ break;
+
-+static struct names _bindpolicy[] = {
-+ { 0, "Soft" },
-+ { 1, "Hard" },
-+ { -1, NULL }};
++ case lBind_TimeLimit:
++ intptr = &options.bind_timelimit;
++ goto parse_time;
+
-+static struct names _checkpeer[] = {
-+ { LDAP_OPT_X_TLS_NEVER, "Never" },
-+ { LDAP_OPT_X_TLS_HARD, "Hard" },
-+ { LDAP_OPT_X_TLS_DEMAND, "Demand" },
-+ { LDAP_OPT_X_TLS_ALLOW, "Allow" },
-+ { LDAP_OPT_X_TLS_TRY, "TRY" },
-+ { -1, NULL }};
++ case lLdap_Version:
++ intptr = &options.ldap_version;
++ goto parse_int;
+
-+void
-+dump_config(void)
-+{
-+ dump_cfg_string(lURI, options.uri);
-+ dump_cfg_string(lHost, options.host);
-+ dump_cfg_int(lPort, options.port);
-+ dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
-+ dump_cfg_int(lLdap_Version, options.ldap_version);
-+ dump_cfg_int(lTimeLimit, options.timelimit);
-+ dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
-+ dump_cfg_string(lBase, options.base);
-+ dump_cfg_string(lBindDN, options.binddn);
-+ dump_cfg_string(lBindPW, options.bindpw);
-+ dump_cfg_namedint(lScope, options.scope, _scope);
-+ dump_cfg_namedint(lDeref, options.deref, _deref);
-+ dump_cfg_namedint(lReferrals, options.referrals, _yesno);
-+ dump_cfg_namedint(lRestart, options.restart, _yesno);
-+ dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
-+ dump_cfg_string(lSSLPath, options.sslpath);
-+ dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
-+ dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
-+ dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
-+ dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
-+ dump_cfg_string(lTLS_Cert, options.tls_cert);
-+ dump_cfg_string(lTLS_Key, options.tls_key);
-+ dump_cfg_string(lTLS_RandFile, options.tls_randfile);
-+ dump_cfg_string(lLogDir, options.logdir);
-+ dump_cfg_int(lDebug, options.debug);
-+ dump_cfg_string(lSSH_Filter, options.ssh_filter);
-+ dump_cfg_string(lAccountClass, options.logdir);
-+}
++ case lBind_Policy:
++ intptr = &options.bind_policy;
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
++ value = 0; /* To avoid compiler warning... */
++ if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "hard_open") == 0 || strcasecmp(arg, "hard_init") == 0)
++ value = 1;
++ else if (strcasecmp(arg, "soft") == 0)
++ value = 0;
++ else
++ fatal("%.200s line %d: Bad soft/hard argument.", filename, linenum);
++ if (*intptr == -1)
++ break;
+
-diff -up openssh-6.2p2/ldapconf.h.ldap openssh-6.2p2/ldapconf.h
---- openssh-6.2p2/ldapconf.h.ldap 2013-06-07 15:10:05.602942689 +0200
-+++ openssh-6.2p2/ldapconf.h 2013-06-07 15:10:24.928857566 +0200
-@@ -0,0 +1,72 @@
-+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
-+/*
-+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
++ case lSSLPath:
++ charptr = &options.sslpath;
++ goto parse_string;
+
-+#ifndef LDAPCONF_H
-+#define LDAPCONF_H
++ case lSSL:
++ intptr = &options.ssl;
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
++ value = 0; /* To avoid compiler warning... */
++ if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
++ value = SSL_LDAPS;
++ else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
++ value = SSL_OFF;
++ else if (!strcasecmp (arg, "start_tls"))
++ value = SSL_START_TLS;
++ else
++ fatal("%.200s line %d: Bad yes/no/start_tls argument.", filename, linenum);
++ if (*intptr == -1)
++ *intptr = value;
++ break;
+
-+#define SSL_OFF 0
-+#define SSL_LDAPS 1
-+#define SSL_START_TLS 2
++ case lReferrals:
++ intptr = &options.referrals;
++parse_flag:
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
++ value = 0; /* To avoid compiler warning... */
++ if (strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
++ value = 1;
++ else if (strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
++ value = 0;
++ else
++ fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
++ if (*intptr == -1)
++ *intptr = value;
++ break;
+
-+/* Data structure for representing option data. */
++ case lRestart:
++ intptr = &options.restart;
++ goto parse_flag;
+
-+typedef struct {
-+ char *host;
-+ char *uri;
-+ char *base;
-+ char *binddn;
-+ char *bindpw;
-+ int scope;
-+ int deref;
-+ int port;
-+ int timelimit;
-+ int bind_timelimit;
-+ int ldap_version;
-+ int bind_policy;
-+ char *sslpath;
-+ int ssl;
-+ int referrals;
-+ int restart;
-+ int tls_checkpeer;
-+ char *tls_cacertfile;
-+ char *tls_cacertdir;
-+ char *tls_ciphers;
-+ char *tls_cert;
-+ char *tls_key;
-+ char *tls_randfile;
-+ char *logdir;
-+ int debug;
-+ char *ssh_filter;
-+ char *account_class;
-+} Options;
++ case lTLS_CheckPeer:
++ intptr = &options.tls_checkpeer;
++ arg = ldap_strdelim(&s);
++ if (!arg || *arg == '\0')
++ fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
++ value = 0; /* To avoid compiler warning... */
++ if (strcasecmp(arg, "never") == 0 || strcasecmp(arg, "no") == 0 || strcasecmp(arg, "false") == 0 || strcasecmp(arg, "off") == 0)
++ value = LDAP_OPT_X_TLS_NEVER;
++ else if (strcasecmp(arg, "hard") == 0 || strcasecmp(arg, "yes") == 0 || strcasecmp(arg, "true") == 0 || strcasecmp(arg, "on") == 0)
++ value = LDAP_OPT_X_TLS_HARD;
++ else if (strcasecmp(arg, "demand") == 0)
++ value = LDAP_OPT_X_TLS_DEMAND;
++ else if (strcasecmp(arg, "allow") == 0)
++ value = LDAP_OPT_X_TLS_ALLOW;
++ else if (strcasecmp(arg, "try") == 0)
++ value = LDAP_OPT_X_TLS_TRY;
++ else
++ fatal("%.200s line %d: Bad never/hard/demand/alow/try argument.", filename, linenum);
++ if (*intptr == -1)
++ break;
+
-+extern Options options;
++ case lTLS_CaCertFile:
++ charptr = &options.tls_cacertfile;
++ goto parse_string;
+
-+void read_config_file(const char *);
-+void initialize_options(void);
-+void fill_default_options(void);
-+void dump_config(void);
++ case lTLS_CaCertDir:
++ charptr = &options.tls_cacertdir;
++ goto parse_string;
+
-+#endif /* LDAPCONF_H */
-diff -up openssh-6.2p1/ldap.conf.ldap openssh-6.2p1/ldap.conf
---- openssh-6.2p1/ldap.conf.ldap 2013-03-25 21:27:15.891248091 +0100
-+++ openssh-6.2p1/ldap.conf 2013-03-25 21:27:15.891248091 +0100
-@@ -0,0 +1,88 @@
-+# $Id: openssh-5.5p1-ldap.patch,v 1.3 2010/07/07 13:48:36 jfch2222 Exp $
-+#
-+# This is the example configuration file for the OpenSSH
-+# LDAP backend
-+#
-+# see ssh-ldap.conf(5)
-+#
++ case lTLS_Ciphers:
++ xstringptr = &options.tls_ciphers;
++ goto parse_xstring;
+
-+# URI with your LDAP server name. This allows to use
-+# Unix Domain Sockets to connect to a local LDAP Server.
-+#uri ldap://127.0.0.1/
-+#uri ldaps://127.0.0.1/
-+#uri ldapi://%2fvar%2frun%2fldapi_sock/
-+# Note: %2f encodes the '/' used as directory separator
++ case lTLS_Cert:
++ charptr = &options.tls_cert;
++ goto parse_string;
+
-+# Another way to specify your LDAP server is to provide an
-+# host name and the port of our LDAP server. Host name
-+# must be resolvable without using LDAP.
-+# Multiple hosts may be specified, each separated by a
-+# space. How long nss_ldap takes to failover depends on
-+# whether your LDAP client library supports configurable
-+# network or connect timeouts (see bind_timelimit).
-+#host 127.0.0.1
++ case lTLS_Key:
++ charptr = &options.tls_key;
++ goto parse_string;
+
-+# The port.
-+# Optional: default is 389.
-+#port 389
++ case lTLS_RandFile:
++ charptr = &options.tls_randfile;
++ goto parse_string;
+
-+# The distinguished name to bind to the server with.
-+# Optional: default is to bind anonymously.
-+#binddn cn=openssh_keys,dc=example,dc=org
++ case lLogDir:
++ charptr = &options.logdir;
++ goto parse_string;
+
-+# The credentials to bind with.
-+# Optional: default is no credential.
-+#bindpw TopSecret
++ case lDebug:
++ intptr = &options.debug;
++ goto parse_int;
+
-+# The distinguished name of the search base.
-+#base dc=example,dc=org
++ case lSSH_Filter:
++ xstringptr = &options.ssh_filter;
++ goto parse_xstring;
+
-+# The LDAP version to use (defaults to 3
-+# if supported by client library)
-+#ldap_version 3
++ case lAccountClass:
++ charptr = &options.account_class;
++ goto parse_string;
+
-+# The search scope.
-+#scope sub
-+#scope one
-+#scope base
++ case lDeprecated:
++ debug("%s line %d: Deprecated option \"%s\"",
++ filename, linenum, keyword);
++ return 0;
+
-+# Search timelimit
-+#timelimit 30
++ case lUnsupported:
++ error("%s line %d: Unsupported option \"%s\"",
++ filename, linenum, keyword);
++ return 0;
+
-+# Bind/connect timelimit
-+#bind_timelimit 30
++ default:
++ fatal("process_config_line: Unimplemented opcode %d", opcode);
++ }
+
-+# Reconnect policy: hard (default) will retry connecting to
-+# the software with exponential backoff, soft will fail
-+# immediately.
-+#bind_policy hard
++ /* Check that there is no garbage at end of line. */
++ if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
++ fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
++ filename, linenum, arg);
++ }
++ return 0;
++}
+
-+# SSL setup, may be implied by URI also.
-+#ssl no
-+#ssl on
-+#ssl start_tls
++/*
++ * Reads the config file and modifies the options accordingly. Options
++ * should already be initialized before this call. This never returns if
++ * there is an error. If the file does not exist, this returns 0.
++ */
+
-+# OpenLDAP SSL options
-+# Require and verify server certificate (yes/no)
-+# Default is to use libldap's default behavior, which can be configured in
-+# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
-+# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
-+#tls_checkpeer hard
++void
++read_config_file(const char *filename)
++{
++ FILE *f;
++ char line[1024];
++ int active, linenum;
++ int bad_options = 0;
++ struct stat sb;
+
-+# CA certificates for server certificate verification
-+# At least one of these are required if tls_checkpeer is "yes"
-+#tls_cacertfile /etc/ssl/ca.cert
-+#tls_cacertdir /etc/pki/tls/certs
++ if ((f = fopen(filename, "r")) == NULL)
++ fatal("fopen %s: %s", filename, strerror(errno));
+
-+# Seed the PRNG if /dev/urandom is not provided
-+#tls_randfile /var/run/egd-pool
++ if (fstat(fileno(f), &sb) == -1)
++ fatal("fstat %s: %s", filename, strerror(errno));
++ if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
++ (sb.st_mode & 022) != 0))
++ fatal("Bad owner or permissions on %s", filename);
+
-+# SSL cipher suite
-+# See man ciphers for syntax
-+#tls_ciphers TLSv1
++ debug("Reading configuration data %.200s", filename);
+
-+# Client certificate and key
-+# Use these, if your server requires client authentication.
-+#tls_cert
-+#tls_key
++ /*
++ * Mark that we are now processing the options. This flag is turned
++ * on/off by Host specifications.
++ */
++ active = 1;
++ linenum = 0;
++ while (fgets(line, sizeof(line), f)) {
++ /* Update line number counter. */
++ linenum++;
++ if (process_config_line(line, filename, linenum) != 0)
++ bad_options++;
++ }
++ fclose(f);
++ if ((bad_options > 0) && config_exclusive_config_file)
++ fatal("%s: terminating, %d bad configuration options",
++ filename, bad_options);
++}
+
-diff -up openssh-6.2p1/ldap-helper.c.ldap openssh-6.2p1/ldap-helper.c
---- openssh-6.2p1/ldap-helper.c.ldap 2013-03-25 21:27:15.892248097 +0100
-+++ openssh-6.2p1/ldap-helper.c 2013-03-25 21:27:15.892248097 +0100
-@@ -0,0 +1,155 @@
-+/* $OpenBSD: ssh-pka-ldap.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
-+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ * Initializes options to special values that indicate that they have not yet
++ * been set. Read_config_file will only set options with this value. Options
++ * are processed in the following order: command line, user config file,
++ * system config file. Last, fill_default_options is called.
+ */
+
-+#include "ldapincludes.h"
-+#include "log.h"
-+#include "misc.h"
-+#include "xmalloc.h"
-+#include "ldapconf.h"
-+#include "ldapbody.h"
-+#include <string.h>
-+#include <unistd.h>
++void
++initialize_options(void)
++{
++ memset(&options, 'X', sizeof(options));
++ options.host = NULL;
++ options.uri = NULL;
++ options.base = NULL;
++ options.binddn = NULL;
++ options.bindpw = NULL;
++ options.scope = -1;
++ options.deref = -1;
++ options.port = -1;
++ options.timelimit = -1;
++ options.bind_timelimit = -1;
++ options.ldap_version = -1;
++ options.bind_policy = -1;
++ options.sslpath = NULL;
++ options.ssl = -1;
++ options.referrals = -1;
++ options.restart = -1;
++ options.tls_checkpeer = -1;
++ options.tls_cacertfile = NULL;
++ options.tls_cacertdir = NULL;
++ options.tls_ciphers = NULL;
++ options.tls_cert = NULL;
++ options.tls_key = NULL;
++ options.tls_randfile = NULL;
++ options.logdir = NULL;
++ options.debug = -1;
++ options.ssh_filter = NULL;
++ options.account_class = NULL;
++}
++
++/*
++ * Called after processing other sources of option data, this fills those
++ * options for which no value has been specified with their default values.
++ */
++
++void
++fill_default_options(void)
++{
++ if (options.uri != NULL) {
++ LDAPURLDesc *ludp;
++
++ if (ldap_url_parse(options.uri, &ludp) == LDAP_SUCCESS) {
++ if (options.ssl == -1) {
++ if (strcmp (ludp->lud_scheme, "ldap") == 0)
++ options.ssl = 2;
++ if (strcmp (ludp->lud_scheme, "ldapi") == 0)
++ options.ssl = 0;
++ else if (strcmp (ludp->lud_scheme, "ldaps") == 0)
++ options.ssl = 1;
++ }
++ if (options.host == NULL)
++ options.host = xstrdup (ludp->lud_host);
++ if (options.port == -1)
++ options.port = ludp->lud_port;
++
++ ldap_free_urldesc (ludp);
++ }
++ }
++ if (options.ssl == -1)
++ options.ssl = SSL_START_TLS;
++ if (options.port == -1)
++ options.port = (options.ssl == 0) ? 389 : 636;
++ if (options.uri == NULL) {
++ int len;
++#define MAXURILEN 4096
++
++ options.uri = xmalloc (MAXURILEN);
++ len = snprintf (options.uri, MAXURILEN, "ldap%s://%s:%d",
++ (options.ssl == 0) ? "" : "s", options.host, options.port);
++ options.uri[MAXURILEN - 1] = 0;
++ options.uri = xrealloc (options.uri, len + 1, 1);
++ }
++ if (options.binddn == NULL)
++ options.binddn = "";
++ if (options.bindpw == NULL)
++ options.bindpw = "";
++ if (options.scope == -1)
++ options.scope = LDAP_SCOPE_SUBTREE;
++ if (options.deref == -1)
++ options.deref = LDAP_DEREF_NEVER;
++ if (options.timelimit == -1)
++ options.timelimit = 10;
++ if (options.bind_timelimit == -1)
++ options.bind_timelimit = 10;
++ if (options.ldap_version == -1)
++ options.ldap_version = 3;
++ if (options.bind_policy == -1)
++ options.bind_policy = 1;
++ if (options.referrals == -1)
++ options.referrals = 1;
++ if (options.restart == -1)
++ options.restart = 1;
++ if (options.tls_checkpeer == -1)
++ options.tls_checkpeer = LDAP_OPT_X_TLS_HARD;
++ if (options.debug == -1)
++ options.debug = 0;
++ if (options.ssh_filter == NULL)
++ options.ssh_filter = "";
++ if (options.account_class == NULL)
++ options.account_class = "posixAccount";
++}
+
-+static int config_debug = 0;
-+int config_exclusive_config_file = 0;
-+static char *config_file_name = "/etc/ssh/ldap.conf";
-+static char *config_single_user = NULL;
-+static int config_verbose = SYSLOG_LEVEL_VERBOSE;
-+int config_warning_config_file = 0;
-+extern char *__progname;
++static const char *
++lookup_opcode_name(OpCodes code)
++{
++ u_int i;
++
++ for (i = 0; keywords[i].name != NULL; i++)
++ if (keywords[i].opcode == code)
++ return(keywords[i].name);
++ return "UNKNOWN";
++}
+
+static void
-+usage(void)
++dump_cfg_string(OpCodes code, const char *val)
+{
-+ fprintf(stderr, "usage: %s [options]\n",
-+ __progname);
-+ fprintf(stderr, "Options:\n");
-+ fprintf(stderr, " -d Output the log messages to stderr.\n");
-+ fprintf(stderr, " -e Check the config file for unknown commands.\n");
-+ fprintf(stderr, " -f file Use alternate config file (default is /etc/ssh/ldap.conf).\n");
-+ fprintf(stderr, " -s user Do not demonize, send the user's key to stdout.\n");
-+ fprintf(stderr, " -v Increase verbosity of the debug output (implies -d).\n");
-+ fprintf(stderr, " -w Warn on unknown commands in the config file.\n");
-+ exit(1);
++ if (val == NULL)
++ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
++ else
++ debug3("%s %s", lookup_opcode_name(code), val);
+}
+
-+/*
-+ * Main program for the ssh pka ldap agent.
-+ */
-+
-+int
-+main(int ac, char **av)
++static void
++dump_cfg_int(OpCodes code, int val)
+{
-+ int opt;
-+ FILE *outfile = NULL;
-+
-+ __progname = ssh_get_progname(av[0]);
-+
-+ log_init(__progname, SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_AUTH, 0);
-+
-+ /*
-+ * Initialize option structure to indicate that no values have been
-+ * set.
-+ */
-+ initialize_options();
-+
-+ /* Parse command-line arguments. */
-+ while ((opt = getopt(ac, av, "def:s:vw")) != -1) {
-+ switch (opt) {
-+ case 'd':
-+ config_debug = 1;
-+ break;
-+
-+ case 'e':
-+ config_exclusive_config_file = 1;
-+ config_warning_config_file = 1;
-+ break;
-+
-+ case 'f':
-+ config_file_name = optarg;
-+ break;
-+
-+ case 's':
-+ config_single_user = optarg;
-+ outfile = fdopen (dup (fileno (stdout)), "w");
-+ break;
++ if (val == -1)
++ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
++ else
++ debug3("%s %d", lookup_opcode_name(code), val);
++}
+
-+ case 'v':
-+ config_debug = 1;
-+ if (config_verbose < SYSLOG_LEVEL_DEBUG3)
-+ config_verbose++;
-+ break;
++struct names {
++ int value;
++ char *name;
++};
+
-+ case 'w':
-+ config_warning_config_file = 1;
-+ break;
++static void
++dump_cfg_namedint(OpCodes code, int val, struct names *names)
++{
++ u_int i;
+
-+ case '?':
-+ default:
-+ usage();
-+ break;
++ if (val == -1)
++ debug3("%s <UNDEFINED>", lookup_opcode_name(code));
++ else {
++ for (i = 0; names[i].value != -1; i++)
++ if (names[i].value == val) {
++ debug3("%s %s", lookup_opcode_name(code), names[i].name);
++ return;
+ }
++ debug3("%s unknown: %d", lookup_opcode_name(code), val);
+ }
++}
+
-+ /* Initialize loging */
-+ log_init(__progname, config_verbose, SYSLOG_FACILITY_AUTH, config_debug);
++static struct names _yesnotls[] = {
++ { 0, "No" },
++ { 1, "Yes" },
++ { 2, "Start_TLS" },
++ { -1, NULL }};
+
-+ if (ac != optind)
-+ fatal ("illegal extra parameter %s", av[1]);
++static struct names _scope[] = {
++ { LDAP_SCOPE_BASE, "Base" },
++ { LDAP_SCOPE_ONELEVEL, "One" },
++ { LDAP_SCOPE_SUBTREE, "Sub"},
++ { -1, NULL }};
+
-+ /* Ensure that fds 0 and 2 are open or directed to /dev/null */
-+ if (config_debug == 0)
-+ sanitise_stdfd();
++static struct names _deref[] = {
++ { LDAP_DEREF_NEVER, "Never" },
++ { LDAP_DEREF_SEARCHING, "Searching" },
++ { LDAP_DEREF_FINDING, "Finding" },
++ { LDAP_DEREF_ALWAYS, "Always" },
++ { -1, NULL }};
+
-+ /* Read config file */
-+ read_config_file(config_file_name);
-+ fill_default_options();
-+ if (config_verbose == SYSLOG_LEVEL_DEBUG3) {
-+ debug3 ("=== Configuration ===");
-+ dump_config();
-+ debug3 ("=== *** ===");
-+ }
++static struct names _yesno[] = {
++ { 0, "No" },
++ { 1, "Yes" },
++ { -1, NULL }};
+
-+ ldap_checkconfig();
-+ ldap_do_connect();
++static struct names _bindpolicy[] = {
++ { 0, "Soft" },
++ { 1, "Hard" },
++ { -1, NULL }};
+
-+ if (config_single_user) {
-+ process_user (config_single_user, outfile);
-+ } else {
-+ usage();
-+ fatal ("Not yet implemented");
-+/* TODO
-+ * open unix socket a run the loop on it
-+ */
-+ }
++static struct names _checkpeer[] = {
++ { LDAP_OPT_X_TLS_NEVER, "Never" },
++ { LDAP_OPT_X_TLS_HARD, "Hard" },
++ { LDAP_OPT_X_TLS_DEMAND, "Demand" },
++ { LDAP_OPT_X_TLS_ALLOW, "Allow" },
++ { LDAP_OPT_X_TLS_TRY, "TRY" },
++ { -1, NULL }};
+
-+ ldap_do_close();
-+ return 0;
++void
++dump_config(void)
++{
++ dump_cfg_string(lURI, options.uri);
++ dump_cfg_string(lHost, options.host);
++ dump_cfg_int(lPort, options.port);
++ dump_cfg_namedint(lSSL, options.ssl, _yesnotls);
++ dump_cfg_int(lLdap_Version, options.ldap_version);
++ dump_cfg_int(lTimeLimit, options.timelimit);
++ dump_cfg_int(lBind_TimeLimit, options.bind_timelimit);
++ dump_cfg_string(lBase, options.base);
++ dump_cfg_string(lBindDN, options.binddn);
++ dump_cfg_string(lBindPW, options.bindpw);
++ dump_cfg_namedint(lScope, options.scope, _scope);
++ dump_cfg_namedint(lDeref, options.deref, _deref);
++ dump_cfg_namedint(lReferrals, options.referrals, _yesno);
++ dump_cfg_namedint(lRestart, options.restart, _yesno);
++ dump_cfg_namedint(lBind_Policy, options.bind_policy, _bindpolicy);
++ dump_cfg_string(lSSLPath, options.sslpath);
++ dump_cfg_namedint(lTLS_CheckPeer, options.tls_checkpeer, _checkpeer);
++ dump_cfg_string(lTLS_CaCertFile, options.tls_cacertfile);
++ dump_cfg_string(lTLS_CaCertDir, options.tls_cacertdir);
++ dump_cfg_string(lTLS_Ciphers, options.tls_ciphers);
++ dump_cfg_string(lTLS_Cert, options.tls_cert);
++ dump_cfg_string(lTLS_Key, options.tls_key);
++ dump_cfg_string(lTLS_RandFile, options.tls_randfile);
++ dump_cfg_string(lLogDir, options.logdir);
++ dump_cfg_int(lDebug, options.debug);
++ dump_cfg_string(lSSH_Filter, options.ssh_filter);
++ dump_cfg_string(lAccountClass, options.logdir);
+}
+
-+/* Ugly hack */
-+void *buffer_get_string(Buffer *b, u_int *l) { return NULL; }
-+void buffer_put_string(Buffer *b, const void *f, u_int l) {}
-+
-diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
---- openssh-6.2p1/ldap-helper.h.ldap 2013-03-25 21:27:15.892248097 +0100
-+++ openssh-6.2p1/ldap-helper.h 2013-03-25 21:27:15.892248097 +0100
-@@ -0,0 +1,32 @@
-+/* $OpenBSD: ldap-helper.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+diff --git a/ldapconf.h b/ldapconf.h
+new file mode 100644
+index 0000000..2cb550c
+--- /dev/null
++++ b/ldapconf.h
+@@ -0,0 +1,72 @@
++/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
+ * Copyright (c) 2009 Jan F. Chadima. All rights reserved.
+ *
@@ -1838,16 +1914,58 @@ diff -up openssh-6.2p1/ldap-helper.h.ldap openssh-6.2p1/ldap-helper.h
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
-+#ifndef LDAP_HELPER_H
-+#define LDAP_HELPER_H
++#ifndef LDAPCONF_H
++#define LDAPCONF_H
+
-+extern int config_exclusive_config_file;
-+extern int config_warning_config_file;
++#define SSL_OFF 0
++#define SSL_LDAPS 1
++#define SSL_START_TLS 2
++
++/* Data structure for representing option data. */
++
++typedef struct {
++ char *host;
++ char *uri;
++ char *base;
++ char *binddn;
++ char *bindpw;
++ int scope;
++ int deref;
++ int port;
++ int timelimit;
++ int bind_timelimit;
++ int ldap_version;
++ int bind_policy;
++ char *sslpath;
++ int ssl;
++ int referrals;
++ int restart;
++ int tls_checkpeer;
++ char *tls_cacertfile;
++ char *tls_cacertdir;
++ char *tls_ciphers;
++ char *tls_cert;
++ char *tls_key;
++ char *tls_randfile;
++ char *logdir;
++ int debug;
++ char *ssh_filter;
++ char *account_class;
++} Options;
++
++extern Options options;
++
++void read_config_file(const char *);
++void initialize_options(void);
++void fill_default_options(void);
++void dump_config(void);
+
-+#endif /* LDAP_HELPER_H */
-diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
---- openssh-6.2p1/ldapincludes.h.ldap 2013-03-25 21:27:15.892248097 +0100
-+++ openssh-6.2p1/ldapincludes.h 2013-03-25 21:27:15.892248097 +0100
++#endif /* LDAPCONF_H */
+diff --git a/ldapincludes.h b/ldapincludes.h
+new file mode 100644
+index 0000000..8539bdc
+--- /dev/null
++++ b/ldapincludes.h
@@ -0,0 +1,41 @@
+/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -1890,9 +2008,11 @@ diff -up openssh-6.2p1/ldapincludes.h.ldap openssh-6.2p1/ldapincludes.h
+#endif
+
+#endif /* LDAPINCLUDES_H */
-diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
---- openssh-6.2p1/ldapmisc.c.ldap 2013-03-25 21:27:15.893248104 +0100
-+++ openssh-6.2p1/ldapmisc.c 2013-03-25 21:27:15.893248104 +0100
+diff --git a/ldapmisc.c b/ldapmisc.c
+new file mode 100644
+index 0000000..de23c0c
+--- /dev/null
++++ b/ldapmisc.c
@@ -0,0 +1,79 @@
+
+#include "ldapincludes.h"
@@ -1973,9 +2093,11 @@ diff -up openssh-6.2p1/ldapmisc.c.ldap openssh-6.2p1/ldapmisc.c
+}
+#endif
+
-diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
---- openssh-6.2p1/ldapmisc.h.ldap 2013-03-25 21:27:15.893248104 +0100
-+++ openssh-6.2p1/ldapmisc.h 2013-03-25 21:27:15.893248104 +0100
+diff --git a/ldapmisc.h b/ldapmisc.h
+new file mode 100644
+index 0000000..4c271df
+--- /dev/null
++++ b/ldapmisc.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: ldapbody.h,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
+/*
@@ -2012,106 +2134,11 @@ diff -up openssh-6.2p1/ldapmisc.h.ldap openssh-6.2p1/ldapmisc.h
+
+#endif /* LDAPMISC_H */
+
-diff -up openssh-6.2p1/Makefile.in.ldap openssh-6.2p1/Makefile.in
---- openssh-6.2p1/Makefile.in.ldap 2013-03-25 21:27:15.850247822 +0100
-+++ openssh-6.2p1/Makefile.in 2013-03-25 21:27:57.356518817 +0100
-@@ -25,6 +25,8 @@ SSH_PROGRAM=@bindir@/ssh
- ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
- SFTP_SERVER=$(libexecdir)/sftp-server
- SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-+SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
-+SSH_LDAP_WRAPPER=$(libexecdir)/ssh-ldap-wrapper
- SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
- PRIVSEP_PATH=@PRIVSEP_PATH@
- SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-@@ -60,8 +62,9 @@ XAUTH_PATH=@XAUTH_PATH@
- LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
- EXEEXT=@EXEEXT@
- MANFMT=@MANFMT@
-+INSTALL_SSH_LDAP_HELPER=@INSTALL_SSH_LDAP_HELPER@
-
--TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-+TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-ldap-helper$(EXEEXT)
-
- LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-aes.o \
-@@ -95,8 +98,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
- sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
- sandbox-seccomp-filter.o
-
--MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
--MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-+MANPAGES = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
-+MANPAGES_IN = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
- MANTYPE = @MANTYPE@
-
- CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-@@ -164,6 +167,9 @@ ssh-keysign$(EXEEXT): $(LIBCOMPAT) libss
- ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
- $(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-
-+ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
-+ $(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
-+
- ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
- $(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-
-@@ -266,6 +272,10 @@ install-files:
- $(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
- $(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ $(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
-+ $(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
-+ fi
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
- $(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-@@ -282,6 +292,10 @@ install-files:
- $(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
- $(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
- $(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ $(INSTALL) -m 644 ssh-ldap-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8 ; \
-+ $(INSTALL) -m 644 ssh-ldap.conf.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh-ldap.conf.5 ; \
-+ fi
- -rm -f $(DESTDIR)$(bindir)/slogin
- ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-@@ -311,6 +325,13 @@ install-sysconf:
- else \
- echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
- fi
-+ if test ! -z "$(INSTALL_SSH_LDAP_HELPER)" ; then \
-+ if [ ! -f $(DESTDIR)$(sysconfdir)/ldap.conf ]; then \
-+ $(INSTALL) -m 644 ldap.conf $(DESTDIR)$(sysconfdir)/ldap.conf; \
-+ else \
-+ echo "$(DESTDIR)$(sysconfdir)/ldap.conf already exists, install will not overwrite"; \
-+ fi ; \
-+ fi
-
- host-key: ssh-keygen$(EXEEXT)
- @if [ -z "$(DESTDIR)" ] ; then \
-@@ -368,6 +389,8 @@ uninstall:
- -rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
- -rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
- -rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-+ -rm -f $(DESTDIR)$(SSH_LDAP_HELPER)$(EXEEXT)
-+ -rm -f $(DESTDIR)$(SSH_LDAP_WRAPPER)$(EXEEXT)
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-@@ -379,6 +402,7 @@ uninstall:
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-+ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-ldap-helper.8
- -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
- regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
-diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lpk-openldap.schema
---- openssh-6.2p1/openssh-lpk-openldap.schema.ldap 2013-03-25 21:27:15.894248110 +0100
-+++ openssh-6.2p1/openssh-lpk-openldap.schema 2013-03-25 21:27:15.894248110 +0100
+diff --git a/openssh-lpk-openldap.schema b/openssh-lpk-openldap.schema
+new file mode 100644
+index 0000000..c84f90f
+--- /dev/null
++++ b/openssh-lpk-openldap.schema
@@ -0,0 +1,21 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2134,9 +2161,11 @@ diff -up openssh-6.2p1/openssh-lpk-openldap.schema.ldap openssh-6.2p1/openssh-lp
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
-diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun.schema
---- openssh-6.2p1/openssh-lpk-sun.schema.ldap 2013-03-25 21:27:15.894248110 +0100
-+++ openssh-6.2p1/openssh-lpk-sun.schema 2013-03-25 21:27:15.894248110 +0100
+diff --git a/openssh-lpk-sun.schema b/openssh-lpk-sun.schema
+new file mode 100644
+index 0000000..3136673
+--- /dev/null
++++ b/openssh-lpk-sun.schema
@@ -0,0 +1,23 @@
+#
+# LDAP Public Key Patch schema for use with openssh-ldappubkey
@@ -2161,9 +2190,106 @@ diff -up openssh-6.2p1/openssh-lpk-sun.schema.ldap openssh-6.2p1/openssh-lpk-sun
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MUST ( sshPublicKey $ uid )
+ )
-diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
---- openssh-6.2p2/ssh-ldap.conf.5.ldap 2013-06-07 15:10:05.604942680 +0200
-+++ openssh-6.2p2/ssh-ldap.conf.5 2013-06-07 15:10:24.928857566 +0200
+diff --git a/ssh-ldap-helper.8 b/ssh-ldap-helper.8
+new file mode 100644
+index 0000000..5d2d7be
+--- /dev/null
++++ b/ssh-ldap-helper.8
+@@ -0,0 +1,79 @@
++.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
++.\"
++.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
++.\"
++.\" Permission to use, copy, modify, and distribute this software for any
++.\" purpose with or without fee is hereby granted, provided that the above
++.\" copyright notice and this permission notice appear in all copies.
++.\"
++.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++.\"
++.Dd $Mdocdate: April 29 2010 $
++.Dt SSH-LDAP-HELPER 8
++.Os
++.Sh NAME
++.Nm ssh-ldap-helper
++.Nd sshd helper program for ldap support
++.Sh SYNOPSIS
++.Nm ssh-ldap-helper
++.Op Fl devw
++.Op Fl f Ar file
++.Op Fl s Ar user
++.Sh DESCRIPTION
++.Nm
++is used by
++.Xr sshd 1
++to access keys provided by an LDAP.
++.Nm
++is disabled by default and can only be enabled in the
++sshd configuration file
++.Pa /etc/ssh/sshd_config
++by setting
++.Cm AuthorizedKeysCommand
++to
++.Dq /usr/libexec/ssh-ldap-wrapper .
++.Pp
++.Nm
++is not intended to be invoked by the user, but from
++.Xr sshd 8 via
++.Xr ssh-ldap-wrapper .
++.Pp
++The options are as follows:
++.Bl -tag -width Ds
++.It Fl d
++Set the debug mode;
++.Nm
++prints all logs to stderr instead of syslog.
++.It Fl e
++Implies \-w;
++.Nm
++halts if it encounters an unknown item in the ldap.conf file.
++.It Fl f
++.Nm
++uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
++.It Fl s
++.Nm
++prints out the user's keys to stdout and exits.
++.It Fl v
++Implies \-d;
++increases verbosity.
++.It Fl w
++.Nm
++writes warnings about unknown items in the ldap.conf configuration file.
++.El
++.Sh SEE ALSO
++.Xr sshd 8 ,
++.Xr sshd_config 5 ,
++.Xr ssh-ldap.conf 5 ,
++.Sh HISTORY
++.Nm
++first appeared in
++OpenSSH 5.5 + PKA-LDAP .
++.Sh AUTHORS
++.An Jan F. Chadima Aq jchadima at redhat.com
+diff --git a/ssh-ldap-wrapper b/ssh-ldap-wrapper
+new file mode 100644
+index 0000000..cb500aa
+--- /dev/null
++++ b/ssh-ldap-wrapper
+@@ -0,0 +1,4 @@
++#!/bin/sh
++
++exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
++
+diff --git a/ssh-ldap.conf.5 b/ssh-ldap.conf.5
+new file mode 100644
+index 0000000..f7081b8
+--- /dev/null
++++ b/ssh-ldap.conf.5
@@ -0,0 +1,379 @@
+.\" $OpenBSD: ssh-ldap.conf.5,v 1.1 2010/02/10 23:20:38 markus Exp $
+.\"
@@ -2544,94 +2670,3 @@ diff -up openssh-6.2p2/ssh-ldap.conf.5.ldap openssh-6.2p2/ssh-ldap.conf.5
+OpenSSH 5.5 + PKA-LDAP .
+.Sh AUTHORS
+.An Jan F. Chadima Aq jchadima at redhat.com
-diff -up openssh-6.2p1/ssh-ldap-helper.8.ldap openssh-6.2p1/ssh-ldap-helper.8
---- openssh-6.2p1/ssh-ldap-helper.8.ldap 2013-03-25 21:27:15.895248117 +0100
-+++ openssh-6.2p1/ssh-ldap-helper.8 2013-03-25 21:27:15.895248117 +0100
-@@ -0,0 +1,79 @@
-+.\" $OpenBSD: ssh-ldap-helper.8,v 1.1 2010/02/10 23:20:38 markus Exp $
-+.\"
-+.\" Copyright (c) 2010 Jan F. Chadima. All rights reserved.
-+.\"
-+.\" Permission to use, copy, modify, and distribute this software for any
-+.\" purpose with or without fee is hereby granted, provided that the above
-+.\" copyright notice and this permission notice appear in all copies.
-+.\"
-+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+.\"
-+.Dd $Mdocdate: April 29 2010 $
-+.Dt SSH-LDAP-HELPER 8
-+.Os
-+.Sh NAME
-+.Nm ssh-ldap-helper
-+.Nd sshd helper program for ldap support
-+.Sh SYNOPSIS
-+.Nm ssh-ldap-helper
-+.Op Fl devw
-+.Op Fl f Ar file
-+.Op Fl s Ar user
-+.Sh DESCRIPTION
-+.Nm
-+is used by
-+.Xr sshd 1
-+to access keys provided by an LDAP.
-+.Nm
-+is disabled by default and can only be enabled in the
-+sshd configuration file
-+.Pa /etc/ssh/sshd_config
-+by setting
-+.Cm AuthorizedKeysCommand
-+to
-+.Dq /usr/libexec/ssh-ldap-wrapper .
-+.Pp
-+.Nm
-+is not intended to be invoked by the user, but from
-+.Xr sshd 8 via
-+.Xr ssh-ldap-wrapper .
-+.Pp
-+The options are as follows:
-+.Bl -tag -width Ds
-+.It Fl d
-+Set the debug mode;
-+.Nm
-+prints all logs to stderr instead of syslog.
-+.It Fl e
-+Implies \-w;
-+.Nm
-+halts if it encounters an unknown item in the ldap.conf file.
-+.It Fl f
-+.Nm
-+uses this file as the ldap configuration file instead of /etc/ssh/ldap.conf (default).
-+.It Fl s
-+.Nm
-+prints out the user's keys to stdout and exits.
-+.It Fl v
-+Implies \-d;
-+increases verbosity.
-+.It Fl w
-+.Nm
-+writes warnings about unknown items in the ldap.conf configuration file.
-+.El
-+.Sh SEE ALSO
-+.Xr sshd 8 ,
-+.Xr sshd_config 5 ,
-+.Xr ssh-ldap.conf 5 ,
-+.Sh HISTORY
-+.Nm
-+first appeared in
-+OpenSSH 5.5 + PKA-LDAP .
-+.Sh AUTHORS
-+.An Jan F. Chadima Aq jchadima at redhat.com
-diff -up openssh-6.2p1/ssh-ldap-wrapper.ldap openssh-6.2p1/ssh-ldap-wrapper
---- openssh-6.2p1/ssh-ldap-wrapper.ldap 2013-03-25 21:27:15.896248124 +0100
-+++ openssh-6.2p1/ssh-ldap-wrapper 2013-03-25 21:27:15.896248124 +0100
-@@ -0,0 +1,4 @@
-+#!/bin/sh
-+
-+exec /usr/libexec/openssh/ssh-ldap-helper -s "$1"
-+
diff --git a/openssh-6.1p1-log-usepam-no.patch b/openssh-6.6p1-log-usepam-no.patch
similarity index 54%
rename from openssh-6.1p1-log-usepam-no.patch
rename to openssh-6.6p1-log-usepam-no.patch
index 64cec2c..bd3048c 100644
--- a/openssh-6.1p1-log-usepam-no.patch
+++ b/openssh-6.6p1-log-usepam-no.patch
@@ -1,7 +1,8 @@
-diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
---- openssh-6.1p1/sshd.c.log-usepam-no 2012-09-14 20:54:58.000000000 +0200
-+++ openssh-6.1p1/sshd.c 2012-09-14 20:55:42.289477749 +0200
-@@ -1617,6 +1617,10 @@ main(int ac, char **av)
+diff --git a/sshd.c b/sshd.c
+index a7b8b6a..24ab272 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -1620,6 +1620,10 @@ main(int ac, char **av)
parse_server_config(&options, rexeced_flag ? "rexec" : config_file_name,
&cfg, NULL);
@@ -12,15 +13,16 @@ diff -up openssh-6.1p1/sshd.c.log-usepam-no openssh-6.1p1/sshd.c
seed_rng();
/* Fill in default values for those options not explicitly set. */
-diff -up openssh-6.1p1/sshd_config.log-usepam-no openssh-6.1p1/sshd_config
---- openssh-6.1p1/sshd_config.log-usepam-no 2012-09-14 20:54:58.514255748 +0200
-+++ openssh-6.1p1/sshd_config 2012-09-14 20:54:58.551255954 +0200
-@@ -95,6 +95,8 @@ GSSAPICleanupCredentials no
+diff --git a/sshd_config b/sshd_config
+index 36cb27a..c1b7c03 100644
+--- a/sshd_config
++++ b/sshd_config
+@@ -101,6 +101,8 @@ GSSAPICleanupCredentials no
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
+# problems.
- #UsePAM no
UsePAM yes
+ #AllowAgentForwarding yes
diff --git a/openssh-6.3p1-privsep-selinux.patch b/openssh-6.6p1-privsep-selinux.patch
similarity index 51%
rename from openssh-6.3p1-privsep-selinux.patch
rename to openssh-6.6p1-privsep-selinux.patch
index 529468c..6507647 100644
--- a/openssh-6.3p1-privsep-selinux.patch
+++ b/openssh-6.6p1-privsep-selinux.patch
@@ -1,12 +1,13 @@
-diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c
---- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux 2013-10-10 14:58:20.634762245 +0200
-+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 15:13:57.864306950 +0200
-@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
- free(newctx);
+diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+index c18524e..d04f4ed 100644
+--- a/openbsd-compat/port-linux-sshd.c
++++ b/openbsd-compat/port-linux-sshd.c
+@@ -409,6 +409,25 @@ sshd_selinux_setup_exec_context(char *pwname)
+ debug3("%s: done", __func__);
}
+void
-+ssh_selinux_copy_context(void)
++sshd_selinux_copy_context(void)
+{
+ security_context_t *ctx;
+
@@ -24,34 +25,36 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1
+ }
+}
+
- #endif /* WITH_SELINUX */
+ #endif
+ #endif
- #ifdef LINUX_OOM_ADJUST
-diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h
---- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux 2011-01-25 02:16:18.000000000 +0100
-+++ openssh-6.3p1/openbsd-compat/port-linux.h 2013-10-10 14:58:20.634762245 +0200
-@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
- void ssh_selinux_setup_pty(char *, const char *);
- void ssh_selinux_setup_exec_context(char *);
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index 8ef6cc4..b18893c 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -25,6 +25,7 @@ void ssh_selinux_setup_pty(char *, const char *);
void ssh_selinux_change_context(const char *);
-+void ssh_selinux_copy_context(void);
void ssh_selinux_setfscreatecon(const char *);
+
++void sshd_selinux_copy_context(void);
+ void sshd_selinux_setup_exec_context(char *);
#endif
-diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
---- openssh-6.3p1/session.c.privsep-selinux 2013-10-10 14:58:20.617762326 +0200
-+++ openssh-6.3p1/session.c 2013-10-10 15:13:16.520503590 +0200
-@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw)
+diff --git a/session.c b/session.c
+index 2bcf818..b5dc144 100644
+--- a/session.c
++++ b/session.c
+@@ -1538,6 +1538,9 @@ do_setusercontext(struct passwd *pw)
pw->pw_uid);
chroot_path = percent_expand(tmp, "h", pw->pw_dir,
"u", pw->pw_name, (char *)NULL);
+#ifdef WITH_SELINUX
-+ ssh_selinux_copy_context();
++ sshd_selinux_copy_context();
+#endif
safely_chroot(chroot_path, pw->pw_uid);
free(tmp);
free(chroot_path);
-@@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw)
+@@ -1565,6 +1568,12 @@ do_setusercontext(struct passwd *pw)
/* Permanently switch to the desired uid. */
permanently_set_uid(pw);
#endif
@@ -59,12 +62,12 @@ diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
+#ifdef WITH_SELINUX
+ if (options.chroot_directory == NULL ||
+ strcasecmp(options.chroot_directory, "none") == 0)
-+ ssh_selinux_copy_context();
++ sshd_selinux_copy_context();
+#endif
} else if (options.chroot_directory != NULL &&
strcasecmp(options.chroot_directory, "none") != 0) {
fatal("server lacks privileges to chroot to ChrootDirectory");
-@@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command
+@@ -1826,9 +1835,6 @@ do_child(Session *s, const char *command)
argv[i] = NULL;
optind = optreset = 1;
__progname = argv[0];
@@ -74,10 +77,11 @@ diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
exit(sftp_server_main(i, argv, s->pw));
}
-diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
---- openssh-6.3p1/sshd.c.privsep-selinux 2013-10-10 14:58:20.632762255 +0200
-+++ openssh-6.3p1/sshd.c 2013-10-10 14:58:20.635762241 +0200
-@@ -668,6 +668,10 @@ privsep_preauth_child(void)
+diff --git a/sshd.c b/sshd.c
+index 07f9926..a97f8b7 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -632,6 +632,10 @@ privsep_preauth_child(void)
/* Demote the private keys to public keys. */
demote_sensitive_data();
@@ -88,14 +92,14 @@ diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
/* Change our root directory */
if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-@@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt)
+@@ -768,6 +772,13 @@ privsep_postauth(Authctxt *authctxt)
do_setusercontext(authctxt->pw);
skip:
+#ifdef WITH_SELINUX
+ /* switch SELinux content for root too */
+ if (authctxt->pw->pw_uid == 0) {
-+ ssh_selinux_copy_context();
++ sshd_selinux_copy_context();
+ }
+#endif
+
diff --git a/openssh-6.3p1-redhat.patch b/openssh-6.6p1-redhat.patch
similarity index 72%
rename from openssh-6.3p1-redhat.patch
rename to openssh-6.6p1-redhat.patch
index 98df47d..a87d9bf 100644
--- a/openssh-6.3p1-redhat.patch
+++ b/openssh-6.6p1-redhat.patch
@@ -1,6 +1,7 @@
-diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
---- openssh-6.3p1/ssh_config.redhat 2013-10-11 14:51:18.345876648 +0200
-+++ openssh-6.3p1/ssh_config 2013-10-11 15:13:05.429829266 +0200
+diff --git a/ssh_config b/ssh_config
+index 03a228f..6d1abaf 100644
+--- a/ssh_config
++++ b/ssh_config
@@ -46,3 +46,14 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
@@ -16,37 +17,10 @@ diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+ SendEnv XMODIFIERS
-diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
---- openssh-6.3p1/sshd_config.0.redhat 2013-09-13 08:20:43.000000000 +0200
-+++ openssh-6.3p1/sshd_config.0 2013-10-11 14:51:18.345876648 +0200
-@@ -653,9 +653,9 @@ DESCRIPTION
-
- SyslogFacility
- Gives the facility code that is used when logging messages from
-- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
-- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
-- default is AUTH.
-+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
-+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
-+ The default is AUTH.
-
- TCPKeepAlive
- Specifies whether the system should send TCP keepalive messages
-diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
---- openssh-6.3p1/sshd_config.5.redhat 2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.3p1/sshd_config.5 2013-10-11 14:51:18.346876643 +0200
-@@ -1095,7 +1095,7 @@ Note that this option applies to protoco
- .It Cm SyslogFacility
- Gives the facility code that is used when logging messages from
- .Xr sshd 8 .
--The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
- LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
- The default is AUTH.
- .It Cm TCPKeepAlive
-diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
---- openssh-6.3p1/sshd_config.redhat 2013-10-11 14:51:18.343876657 +0200
-+++ openssh-6.3p1/sshd_config 2013-10-11 14:51:18.346876643 +0200
+diff --git a/sshd_config b/sshd_config
+index c735429..e68ddee 100644
+--- a/sshd_config
++++ b/sshd_config
@@ -10,6 +10,10 @@
# possible, but leave them commented. Uncommented options override the
# default value.
@@ -58,7 +32,7 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
-@@ -21,9 +25,9 @@
+@@ -21,10 +25,10 @@
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
@@ -66,11 +40,13 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
+HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
+-#HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
++HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
-@@ -35,6 +39,7 @@
+@@ -36,6 +40,7 @@
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
@@ -78,7 +54,7 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
#LogLevel INFO
# Authentication:
-@@ -70,9 +75,11 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -71,9 +76,11 @@ AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
@@ -90,31 +66,33 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
# Kerberos options
#KerberosAuthentication no
-@@ -82,7 +89,9 @@ AuthorizedKeysFile .ssh/authorized_keys
+@@ -82,8 +89,8 @@ AuthorizedKeysFile .ssh/authorized_keys
+ #KerberosGetAFSToken no
# GSSAPI options
- #GSSAPIAuthentication no
+-#GSSAPIAuthentication no
+-#GSSAPICleanupCredentials yes
+GSSAPIAuthentication yes
- #GSSAPICleanupCredentials yes
+GSSAPICleanupCredentials no
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-@@ -94,11 +103,13 @@ AuthorizedKeysFile .ssh/authorized_keys
+ # Set this to 'yes' to enable PAM authentication, account processing,
+ # and session processing. If this is enabled, PAM authentication will
+@@ -94,12 +101,12 @@ AuthorizedKeysFile .ssh/authorized_keys
+ # If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
- #UsePAM no
+-#UsePAM no
+UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
- #X11Forwarding no
+-#X11Forwarding no
+X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
- #PrintMotd yes
-@@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox # Defaul
+ #PermitTTY yes
+@@ -122,6 +129,12 @@ UsePrivilegeSeparation sandbox # Default for new installations.
# no default banner path
#Banner none
@@ -127,3 +105,33 @@ diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
+diff --git a/sshd_config.0 b/sshd_config.0
+index 413c260..87e7ee7 100644
+--- a/sshd_config.0
++++ b/sshd_config.0
+@@ -675,9 +675,9 @@ DESCRIPTION
+
+ SyslogFacility
+ Gives the facility code that is used when logging messages from
+- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
+- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
+- default is AUTH.
++ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
++ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
++ The default is AUTH.
+
+ TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages
+diff --git a/sshd_config.5 b/sshd_config.5
+index ce71efe..12465c2 100644
+--- a/sshd_config.5
++++ b/sshd_config.5
+@@ -1131,7 +1131,7 @@ Note that this option applies to protocol version 2 only.
+ .It Cm SyslogFacility
+ Gives the facility code that is used when logging messages from
+ .Xr sshd 8 .
+-The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
++The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
+ .It Cm TCPKeepAlive
diff --git a/openssh-6.3p1-role-mls.patch b/openssh-6.6p1-role-mls.patch
similarity index 66%
rename from openssh-6.3p1-role-mls.patch
rename to openssh-6.6p1-role-mls.patch
index 89d54b3..4740c99 100644
--- a/openssh-6.3p1-role-mls.patch
+++ b/openssh-6.6p1-role-mls.patch
@@ -1,7 +1,8 @@
-diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c
---- openssh-6.3p1/auth-pam.c.role-mls 2013-10-10 14:34:43.799494546 +0200
-+++ openssh-6.3p1/auth-pam.c 2013-10-10 14:34:43.835494375 +0200
-@@ -1071,7 +1071,7 @@ is_pam_session_open(void)
+diff --git a/auth-pam.c b/auth-pam.c
+index d789bad..cd1a775 100644
+--- a/auth-pam.c
++++ b/auth-pam.c
+@@ -1068,7 +1068,7 @@ is_pam_session_open(void)
* during the ssh authentication process.
*/
int
@@ -10,9 +11,10 @@ diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c
{
int ret = 1;
#ifdef HAVE_PAM_PUTENV
-diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h
---- openssh-6.3p1/auth-pam.h.role-mls 2004-09-11 14:17:26.000000000 +0200
-+++ openssh-6.3p1/auth-pam.h 2013-10-10 14:34:43.835494375 +0200
+diff --git a/auth-pam.h b/auth-pam.h
+index a1a2b52..b109a5a 100644
+--- a/auth-pam.h
++++ b/auth-pam.h
@@ -38,7 +38,7 @@ void do_pam_session(void);
void do_pam_set_tty(const char *);
void do_pam_setcred(int );
@@ -22,9 +24,10 @@ diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h
char ** fetch_pam_environment(void);
char ** fetch_pam_child_environment(void);
void free_pam_environment(char **);
-diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h
---- openssh-6.3p1/auth.h.role-mls 2013-10-10 14:34:43.834494379 +0200
-+++ openssh-6.3p1/auth.h 2013-10-10 14:38:45.060348227 +0200
+diff --git a/auth.h b/auth.h
+index 124e597..4605588 100644
+--- a/auth.h
++++ b/auth.h
@@ -59,6 +59,9 @@ struct Authctxt {
char *service;
struct passwd *pw; /* set if 'valid' */
@@ -34,10 +37,11 @@ diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h
+#endif
void *kbdintctxt;
char *info; /* Extra info for next auth_log */
- void *jpake_ctx;
-diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c
---- openssh-6.3p1/auth1.c.role-mls 2013-06-02 00:01:24.000000000 +0200
-+++ openssh-6.3p1/auth1.c 2013-10-10 14:34:43.835494375 +0200
+ #ifdef BSD_AUTH
+diff --git a/auth1.c b/auth1.c
+index 0f870b3..df040bb 100644
+--- a/auth1.c
++++ b/auth1.c
@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt)
{
u_int ulen;
@@ -73,10 +77,11 @@ diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c
/* Verify that the user is a valid user. */
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
---- openssh-6.3p1/auth2-gss.c.role-mls 2013-06-01 23:31:18.000000000 +0200
-+++ openssh-6.3p1/auth2-gss.c 2013-10-10 14:34:43.836494370 +0200
-@@ -256,6 +256,7 @@ input_gssapi_mic(int type, u_int32_t ple
+diff --git a/auth2-gss.c b/auth2-gss.c
+index c28a705..4756dd7 100644
+--- a/auth2-gss.c
++++ b/auth2-gss.c
+@@ -251,6 +251,7 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
Authctxt *authctxt = ctxt;
Gssctxt *gssctxt;
int authenticated = 0;
@@ -84,7 +89,7 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
Buffer b;
gss_buffer_desc mic, gssbuf;
u_int len;
-@@ -268,7 +269,13 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -263,7 +264,13 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
mic.value = packet_get_string(&len);
mic.length = len;
@@ -99,7 +104,7 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
"gssapi-with-mic");
gssbuf.value = buffer_ptr(&b);
-@@ -280,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -275,6 +282,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
logit("GSSAPI MIC check failed");
buffer_free(&b);
@@ -108,10 +113,11 @@ diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
free(mic.value);
authctxt->postponed = 0;
-diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.c
---- openssh-6.3p1/auth2-hostbased.c.role-mls 2013-10-10 14:34:43.818494455 +0200
-+++ openssh-6.3p1/auth2-hostbased.c 2013-10-10 14:34:43.836494370 +0200
-@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
+diff --git a/auth2-hostbased.c b/auth2-hostbased.c
+index eca0069..95d678e 100644
+--- a/auth2-hostbased.c
++++ b/auth2-hostbased.c
+@@ -112,7 +112,15 @@ userauth_hostbased(Authctxt *authctxt)
buffer_put_string(&b, session_id2, session_id2_len);
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@@ -128,10 +134,11 @@ diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.
buffer_put_cstring(&b, service);
buffer_put_cstring(&b, "hostbased");
buffer_put_string(&b, pkalg, alen);
-diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c
---- openssh-6.3p1/auth2-pubkey.c.role-mls 2013-10-10 14:34:43.836494370 +0200
-+++ openssh-6.3p1/auth2-pubkey.c 2013-10-10 14:57:17.452062486 +0200
-@@ -127,9 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
+diff --git a/auth2-pubkey.c b/auth2-pubkey.c
+index 749b11a..c0ae0d4 100644
+--- a/auth2-pubkey.c
++++ b/auth2-pubkey.c
+@@ -133,9 +133,11 @@ userauth_pubkey(Authctxt *authctxt)
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
@@ -145,10 +152,11 @@ diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c
buffer_put_cstring(&b, userstyle);
free(userstyle);
buffer_put_cstring(&b,
-diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
---- openssh-6.3p1/auth2.c.role-mls 2013-10-10 14:34:43.819494451 +0200
-+++ openssh-6.3p1/auth2.c 2013-10-10 14:34:43.835494375 +0200
-@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32
+diff --git a/auth2.c b/auth2.c
+index a5490c0..5f4f26f 100644
+--- a/auth2.c
++++ b/auth2.c
+@@ -215,6 +215,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
char *user, *service, *method, *style = NULL;
@@ -158,7 +166,7 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
int authenticated = 0;
if (authctxt == NULL)
-@@ -232,6 +235,11 @@ input_userauth_request(int type, u_int32
+@@ -226,6 +229,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
@@ -170,7 +178,7 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
-@@ -254,8 +262,15 @@ input_userauth_request(int type, u_int32
+@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
use_privsep ? " [net]" : "");
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
@@ -187,10 +195,11 @@ diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
userauth_banner();
if (auth2_setup_methods_lists(authctxt) != 0)
packet_disconnect("no authentication methods enabled");
-diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
---- openssh-6.3p1/misc.c.role-mls 2013-08-08 04:50:06.000000000 +0200
-+++ openssh-6.3p1/misc.c 2013-10-10 14:34:43.836494370 +0200
-@@ -429,6 +429,7 @@ char *
+diff --git a/misc.c b/misc.c
+index e4c8c32..f31cd91 100644
+--- a/misc.c
++++ b/misc.c
+@@ -430,6 +430,7 @@ char *
colon(char *cp)
{
int flag = 0;
@@ -198,7 +207,7 @@ diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
if (*cp == ':') /* Leading colon is part of file name. */
return NULL;
-@@ -444,6 +445,13 @@ colon(char *cp)
+@@ -445,6 +446,13 @@ colon(char *cp)
return (cp);
if (*cp == '/')
return NULL;
@@ -212,10 +221,11 @@ diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
}
return NULL;
}
-diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
---- openssh-6.3p1/monitor.c.role-mls 2013-10-10 14:34:43.821494441 +0200
-+++ openssh-6.3p1/monitor.c 2013-10-10 14:54:57.933725463 +0200
-@@ -149,6 +149,9 @@ int mm_answer_sign(int, Buffer *);
+diff --git a/monitor.c b/monitor.c
+index 531c4f9..229fada 100644
+--- a/monitor.c
++++ b/monitor.c
+@@ -145,6 +145,9 @@ int mm_answer_sign(int, Buffer *);
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
@@ -225,7 +235,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -233,6 +236,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -219,6 +222,9 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -235,7 +245,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
-@@ -853,6 +859,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
+@@ -805,6 +811,9 @@ mm_answer_pwnamallow(int sock, Buffer *m)
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -245,7 +255,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
#ifdef USE_PAM
-@@ -894,6 +903,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -846,6 +855,25 @@ mm_answer_authserv(int sock, Buffer *m)
return (0);
}
@@ -271,7 +281,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
int
mm_answer_authpassword(int sock, Buffer *m)
{
-@@ -1269,7 +1297,7 @@ static int
+@@ -1220,7 +1248,7 @@ static int
monitor_valid_userblob(u_char *data, u_int datalen)
{
Buffer b;
@@ -280,7 +290,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
u_int len;
int fail = 0;
-@@ -1295,6 +1323,8 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1246,6 +1274,8 @@ monitor_valid_userblob(u_char *data, u_int datalen)
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_cstring(&b, NULL);
@@ -289,7 +299,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
-@@ -1330,7 +1360,7 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1281,7 +1311,7 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
char *chost)
{
Buffer b;
@@ -298,7 +308,7 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
u_int len;
int fail = 0;
-@@ -1347,6 +1377,8 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1298,6 +1328,8 @@ monitor_valid_hostbasedblob(u_char *data, u_int datalen, char *cuser,
if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
fail++;
p = buffer_get_cstring(&b, NULL);
@@ -307,23 +317,26 @@ diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
xasprintf(&userstyle, "%s%s%s", authctxt->user,
authctxt->style ? ":" : "",
authctxt->style ? authctxt->style : "");
-diff -up openssh-6.3p1/monitor.h.role-mls openssh-6.3p1/monitor.h
---- openssh-6.3p1/monitor.h.role-mls 2013-10-10 14:34:43.821494441 +0200
-+++ openssh-6.3p1/monitor.h 2013-10-10 14:34:43.837494365 +0200
-@@ -61,6 +61,9 @@ enum monitor_reqtype {
- MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
- MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
- MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
+diff --git a/monitor.h b/monitor.h
+index 5bc41b5..20e2b4a 100644
+--- a/monitor.h
++++ b/monitor.h
+@@ -57,6 +57,10 @@ enum monitor_reqtype {
+ MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
+ MONITOR_REQ_TERM = 50,
+
+#ifdef WITH_SELINUX
+ MONITOR_REQ_AUTHROLE = 80,
+#endif
-
++
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
-diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c
---- openssh-6.3p1/monitor_wrap.c.role-mls 2013-10-10 14:34:43.822494436 +0200
-+++ openssh-6.3p1/monitor_wrap.c 2013-10-10 14:34:43.838494360 +0200
-@@ -338,6 +338,25 @@ mm_inform_authserv(char *service, char *
+ MONITOR_REQ_PAM_INIT_CTX = 104, MONITOR_ANS_PAM_INIT_CTX = 105,
+diff --git a/monitor_wrap.c b/monitor_wrap.c
+index 1a47e41..d1b6d99 100644
+--- a/monitor_wrap.c
++++ b/monitor_wrap.c
+@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *style)
buffer_free(&m);
}
@@ -349,9 +362,10 @@ diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
-diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h
---- openssh-6.3p1/monitor_wrap.h.role-mls 2013-10-10 14:34:43.822494436 +0200
-+++ openssh-6.3p1/monitor_wrap.h 2013-10-10 14:34:43.838494360 +0200
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 18c2501..9d5e5ba 100644
+--- a/monitor_wrap.h
++++ b/monitor_wrap.h
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@@ -362,36 +376,67 @@ diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-6.3p1/openbsd-compat/Makefile.in.role-mls openssh-6.3p1/openbsd-compat/Makefile.in
---- openssh-6.3p1/openbsd-compat/Makefile.in.role-mls 2013-05-10 08:28:56.000000000 +0200
-+++ openssh-6.3p1/openbsd-compat/Makefile.in 2013-10-10 14:34:43.838494360 +0200
-@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
+diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
+index 6ecfb93..b912dbe 100644
+--- a/openbsd-compat/Makefile.in
++++ b/openbsd-compat/Makefile.in
+@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o di
- COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+ COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
-+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o
++PORTS=port-aix.o port-irix.o port-linux.o port-linux-sshd.o port-solaris.o port-tun.o port-uw.o
.c.o:
$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbsd-compat/port-linux.c
---- openssh-6.3p1/openbsd-compat/port-linux.c.role-mls 2013-06-02 00:07:32.000000000 +0200
-+++ openssh-6.3p1/openbsd-compat/port-linux.c 2013-10-10 14:40:41.841793347 +0200
-@@ -31,68 +31,271 @@
-
- #include "log.h"
- #include "xmalloc.h"
+diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c
+new file mode 100644
+index 0000000..c18524e
+--- /dev/null
++++ b/openbsd-compat/port-linux-sshd.c
+@@ -0,0 +1,414 @@
++/*
++ * Copyright (c) 2005 Daniel Walsh <dwalsh at redhat.com>
++ * Copyright (c) 2014 Petr Lautrbach <plautrba at redhat.com>
++ *
++ * Permission to use, copy, modify, and distribute this software for any
++ * purpose with or without fee is hereby granted, provided that the above
++ * copyright notice and this permission notice appear in all copies.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
++ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
++ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
++ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
++ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
++ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ */
++
++/*
++ * Linux-specific portability code - just SELinux support for sshd at present
++ */
++
++#include "includes.h"
++
++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
++#include <errno.h>
++#include <stdarg.h>
++#include <string.h>
++#include <stdio.h>
++
++#include "log.h"
++#include "xmalloc.h"
+#include "servconf.h"
- #include "port-linux.h"
++#include "port-linux.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
-
- #ifdef WITH_SELINUX
- #include <selinux/selinux.h>
- #include <selinux/flask.h>
++
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
++#include <selinux/flask.h>
+#include <selinux/context.h>
- #include <selinux/get_context_list.h>
++#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h>
+#include <selinux/av_permissions.h>
+
@@ -399,14 +444,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+#include <libaudit.h>
+#include <unistd.h>
+#endif
-
- #ifndef SSH_SELINUX_UNCONFINED_TYPE
- # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
- #endif
-
--/* Wrapper around is_selinux_enabled() to log its return value once only */
--int
--ssh_selinux_enabled(void)
++
+extern ServerOptions options;
+extern Authctxt *the_authctxt;
+extern int inetd_flag;
@@ -414,10 +452,9 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+
+/* Send audit message */
+static int
-+send_audit_message(int success, security_context_t default_context,
++sshd_selinux_send_audit_message(int success, security_context_t default_context,
+ security_context_t selected_context)
- {
-- static int enabled = -1;
++{
+ int rc=0;
+#ifdef HAVE_LINUX_AUDIT
+ char *msg = NULL;
@@ -509,7 +546,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ freecon(*sc);
+ *sc = strdup(context_str(con));
+ context_free(con);
-+ if (!*sc)
++ if (!*sc)
+ return -1;
+ }
+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
@@ -532,10 +569,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ context_free(con);
+ goto out;
+ }
-
-- if (enabled == -1) {
-- enabled = (is_selinux_enabled() == 1);
-- debug("SELinux support %s", enabled ? "enabled" : "disabled");
++
+ debug("get_user_context: obtained context '%s' requested context '%s'",
+ obtained_raw, requested_raw);
+ if (strcmp(obtained_raw, requested_raw)) {
@@ -550,7 +584,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ freecon(requested_raw);
+ freecon(obtained_raw);
+ context_free(con);
- }
++ }
+#endif
+ return 0;
+ out:
@@ -558,8 +592,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ *sc = NULL;
+ return -1;
+}
-
-- return (enabled);
++
+static void
+ssh_selinux_get_role_level(char **role, const char **level)
+{
@@ -575,46 +608,37 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ }
+ }
+ }
- }
-
- /* Return the default security context for the given username */
- static security_context_t
--ssh_selinux_getctxbyname(char *pwname)
-+ssh_selinux_getctxbyname(char *pwname,
++}
++
++/* Return the default security context for the given username */
++static int
++sshd_selinux_getctxbyname(char *pwname,
+ security_context_t *default_sc, security_context_t *user_sc)
- {
-- security_context_t sc = NULL;
-- char *sename = NULL, *lvl = NULL;
-- int r;
++{
+ char *sename, *lvl;
+ char *role;
+ const char *reqlvl;
+ int r = 0;
+ context_t con = NULL;
-+
++
+ ssh_selinux_get_role_level(&role, &reqlvl);
-
- #ifdef HAVE_GETSEUSERBYNAME
-- if (getseuserbyname(pwname, &sename, &lvl) != 0)
-- return NULL;
++
++#ifdef HAVE_GETSEUSERBYNAME
+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ sename = NULL;
+ lvl = NULL;
+ }
- #else
- sename = pwname;
-- lvl = NULL;
++#else
++ sename = pwname;
+ lvl = "";
- #endif
-
++#endif
++
+ if (r == 0) {
- #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-- r = get_default_context_with_level(sename, lvl, NULL, &sc);
++#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+ r = get_default_context_with_level(sename, lvl, NULL, default_sc);
- #else
-- r = get_default_context(sename, NULL, &sc);
++#else
+ r = get_default_context(sename, NULL, default_sc);
- #endif
++#endif
+ }
+
+ if (r == 0) {
@@ -634,26 +658,12 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ reqlvl = "";
+
+ debug("%s: current connection level '%s'", __func__, reqlvl);
-
-- if (r != 0) {
-- switch (security_getenforce()) {
-- case -1:
-- fatal("%s: ssh_selinux_getctxbyname: "
-- "security_getenforce() failed", __func__);
-- case 0:
-- error("%s: Failed to get default SELinux security "
-- "context for %s", __func__, pwname);
-- sc = NULL;
-- break;
-- default:
-- fatal("%s: Failed to get default SELinux security "
-- "context for %s (in enforcing mode)",
-- __func__, pwname);
- }
-+
++
++ }
++
+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
+ r = get_user_context(sename, role, reqlvl, user_sc);
-+
++
+ if (r == 0 && reqlvl != NULL && reqlvl[0]) {
+ security_context_t default_level_sc = *default_sc;
+ if (role != NULL && role[0]) {
@@ -677,14 +687,13 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ if (r != 0) {
+ error("%s: Failed to get default SELinux security "
+ "context for %s", __func__, pwname);
- }
-
- #ifdef HAVE_GETSEUSERBYNAME
-@@ -100,7 +303,42 @@ ssh_selinux_getctxbyname(char *pwname)
- free(lvl);
- #endif
-
-- return sc;
++ }
++
++#ifdef HAVE_GETSEUSERBYNAME
++ free(sename);
++ free(lvl);
++#endif
++
+ if (role != NULL)
+ free(role);
+ if (con)
@@ -695,7 +704,7 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+
+/* Setup environment variables for pam_selinux */
+static int
-+ssh_selinux_setup_pam_variables(void)
++sshd_selinux_setup_pam_variables(void)
+{
+ const char *reqlvl;
+ char *role;
@@ -721,22 +730,22 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ free(role);
+
+ return rv;
- }
-
- /* Set the execution context to the default for the specified user */
-@@ -108,28 +346,71 @@ void
- ssh_selinux_setup_exec_context(char *pwname)
- {
- security_context_t user_ctx = NULL;
++}
++
++/* Set the execution context to the default for the specified user */
++void
++sshd_selinux_setup_exec_context(char *pwname)
++{
++ security_context_t user_ctx = NULL;
+ int r = 0;
+ security_context_t default_ctx = NULL;
-
- if (!ssh_selinux_enabled())
- return;
-
++
++ if (!ssh_selinux_enabled())
++ return;
++
+ if (options.use_pam) {
+ /* do not compute context, just setup environment for pam_selinux */
-+ if (ssh_selinux_setup_pam_variables()) {
++ if (sshd_selinux_setup_pam_variables()) {
+ switch (security_getenforce()) {
+ case -1:
+ fatal("%s: security_getenforce() failed", __func__);
@@ -752,17 +761,15 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ return;
+ }
+
- debug3("%s: setting execution context", __func__);
-
-- user_ctx = ssh_selinux_getctxbyname(pwname);
-- if (setexeccon(user_ctx) != 0) {
-+ r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
++ debug3("%s: setting execution context", __func__);
++
++ r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
+ if (r >= 0) {
+ r = setexeccon(user_ctx);
+ if (r < 0) {
+ error("%s: Failed to set SELinux execution context %s for %s",
+ __func__, user_ctx, pwname);
-+ }
++ }
+#ifdef HAVE_SETKEYCREATECON
+ else if (setkeycreatecon(user_ctx) < 0) {
+ error("%s: Failed to set SELinux keyring creation context %s for %s",
@@ -776,155 +783,113 @@ diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbs
+ if (r < 0 || user_ctx != default_ctx) {
+ /* audit just the case when user changed a role or there was
+ a failure */
-+ send_audit_message(r >= 0, default_ctx, user_ctx);
++ sshd_selinux_send_audit_message(r >= 0, default_ctx, user_ctx);
+ }
+ if (r < 0) {
- switch (security_getenforce()) {
- case -1:
- fatal("%s: security_getenforce() failed", __func__);
- case 0:
-- error("%s: Failed to set SELinux execution "
-- "context for %s", __func__, pwname);
++ switch (security_getenforce()) {
++ case -1:
++ fatal("%s: security_getenforce() failed", __func__);
++ case 0:
+ error("%s: SELinux failure. Continuing in permissive mode.",
+ __func__);
- break;
- default:
-- fatal("%s: Failed to set SELinux execution context "
-- "for %s (in enforcing mode)", __func__, pwname);
++ break;
++ default:
+ fatal("%s: SELinux failure. Aborting connection.",
+ __func__);
- }
- }
-- if (user_ctx != NULL)
++ }
++ }
+ if (user_ctx != NULL && user_ctx != default_ctx)
- freecon(user_ctx);
++ freecon(user_ctx);
+ if (default_ctx != NULL)
+ freecon(default_ctx);
-
- debug3("%s: done", __func__);
- }
-@@ -147,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons
-
- debug3("%s: setting TTY context on %s", __func__, tty);
-
-- user_ctx = ssh_selinux_getctxbyname(pwname);
-+ if (getexeccon(&user_ctx) < 0) {
-+ error("%s: getexeccon: %s", __func__, strerror(errno));
-+ goto out;
-+ }
-
- /* XXX: should these calls fatal() upon failure in enforcing mode? */
-
-@@ -219,21 +503,6 @@ ssh_selinux_change_context(const char *n
- free(newctx);
++
++ debug3("%s: done", __func__);
++}
++
++#endif
++#endif
++
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 4637a7a..22ea8ef 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -103,37 +103,6 @@ ssh_selinux_getctxbyname(char *pwname)
+ return sc;
}
+-/* Set the execution context to the default for the specified user */
-void
--ssh_selinux_setfscreatecon(const char *path)
+-ssh_selinux_setup_exec_context(char *pwname)
-{
-- security_context_t context;
+- security_context_t user_ctx = NULL;
-
- if (!ssh_selinux_enabled())
- return;
-- if (path == NULL) {
-- setfscreatecon(NULL);
-- return;
+-
+- debug3("%s: setting execution context", __func__);
+-
+- user_ctx = ssh_selinux_getctxbyname(pwname);
+- if (setexeccon(user_ctx) != 0) {
+- switch (security_getenforce()) {
+- case -1:
+- fatal("%s: security_getenforce() failed", __func__);
+- case 0:
+- error("%s: Failed to set SELinux execution "
+- "context for %s", __func__, pwname);
+- break;
+- default:
+- fatal("%s: Failed to set SELinux execution context "
+- "for %s (in enforcing mode)", __func__, pwname);
+- }
- }
-- if (matchpathcon(path, 0700, &context) == 0)
-- setfscreatecon(context);
+- if (user_ctx != NULL)
+- freecon(user_ctx);
+-
+- debug3("%s: done", __func__);
-}
-
- #endif /* WITH_SELINUX */
+ /* Set the TTY context for the specified user */
+ void
+ ssh_selinux_setup_pty(char *pwname, const char *tty)
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index e3d1004..8ef6cc4 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -22,9 +22,10 @@
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
+-void ssh_selinux_setup_exec_context(char *);
+ void ssh_selinux_change_context(const char *);
+ void ssh_selinux_setfscreatecon(const char *);
++
++void sshd_selinux_setup_exec_context(char *);
+ #endif
#ifdef LINUX_OOM_ADJUST
-diff -up openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.3p1/openbsd-compat/port-linux_part_2.c
---- openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls 2013-10-10 14:34:43.839494355 +0200
-+++ openssh-6.3p1/openbsd-compat/port-linux_part_2.c 2013-10-10 14:34:43.839494355 +0200
-@@ -0,0 +1,75 @@
-+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
-+
-+/*
-+ * Copyright (c) 2005 Daniel Walsh <dwalsh at redhat.com>
-+ * Copyright (c) 2006 Damien Miller <djm at openbsd.org>
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ */
-+
-+/*
-+ * Linux-specific portability code - just SELinux support at present
-+ */
-+
-+#include "includes.h"
-+
-+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
-+#include <errno.h>
-+#include <stdarg.h>
-+#include <string.h>
-+#include <stdio.h>
-+
-+#include "log.h"
-+#include "xmalloc.h"
-+#include "port-linux.h"
-+#include "key.h"
-+#include "hostfile.h"
-+#include "auth.h"
-+
-+#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
-+#include <selinux/flask.h>
-+#include <selinux/get_context_list.h>
-+
-+/* Wrapper around is_selinux_enabled() to log its return value once only */
-+int
-+ssh_selinux_enabled(void)
-+{
-+ static int enabled = -1;
-+
-+ if (enabled == -1) {
-+ enabled = (is_selinux_enabled() == 1);
-+ debug("SELinux support %s", enabled ? "enabled" : "disabled");
-+ }
-+
-+ return (enabled);
-+}
-+
-+void
-+ssh_selinux_setfscreatecon(const char *path)
-+{
-+ security_context_t context;
-+
-+ if (!ssh_selinux_enabled())
-+ return;
-+ if (path == NULL) {
-+ setfscreatecon(NULL);
-+ return;
-+ }
-+ if (matchpathcon(path, 0700, &context) == 0)
-+ setfscreatecon(context);
-+}
-+
-+#endif /* WITH_SELINUX */
-+
-+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
-diff -up openssh-6.3p1/sshd.c.role-mls openssh-6.3p1/sshd.c
---- openssh-6.3p1/sshd.c.role-mls 2013-10-10 14:34:43.824494427 +0200
-+++ openssh-6.3p1/sshd.c 2013-10-10 14:34:43.839494355 +0200
-@@ -2179,6 +2179,9 @@ main(int ac, char **av)
+diff --git a/platform.c b/platform.c
+index 30fc609..0d39ab2 100644
+--- a/platform.c
++++ b/platform.c
+@@ -183,7 +183,7 @@ platform_setusercontext_post_groups(struct passwd *pw)
+ }
+ #endif /* HAVE_SETPCRED */
+ #ifdef WITH_SELINUX
+- ssh_selinux_setup_exec_context(pw->pw_name);
++ sshd_selinux_setup_exec_context(pw->pw_name);
+ #endif
+ }
+
+diff --git a/sshd.c b/sshd.c
+index 7523de9..07f9926 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2138,6 +2138,9 @@ main(int ac, char **av)
restore_uid();
}
#endif
+#ifdef WITH_SELINUX
-+ ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
++ sshd_selinux_setup_exec_context(authctxt->pw->pw_name);
+#endif
#ifdef USE_PAM
if (options.use_pam) {
diff --git a/openssh.spec b/openssh.spec
index 516b803..1bb4cf5 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -63,10 +63,10 @@
%endif
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%define openssh_ver 6.4p1
-%define openssh_rel 4
+%define openssh_ver 6.6p1
+%define openssh_rel 1
%define pam_ssh_agent_ver 0.9.3
-%define pam_ssh_agent_rel 1
+%define pam_ssh_agent_rel 2
Summary: An open source implementation of SSH protocol versions 1 and 2
Name: openssh
@@ -94,7 +94,7 @@ Patch0: openssh-5.9p1-wIm.patch
#?
Patch100: openssh-6.3p1-coverity.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1872
-Patch101: openssh-6.3p1-fingerprint.patch
+Patch101: openssh-6.6p1-fingerprint.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1894
#https://bugzilla.redhat.com/show_bug.cgi?id=735889
Patch102: openssh-5.8p1-getaddrinfo.patch
@@ -114,76 +114,74 @@ Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
# don't use xfree (#1024965)
Patch303: pam_ssh_agent_auth-0.9.3-no-xfree.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
-Patch400: openssh-6.3p1-role-mls.patch
+Patch400: openssh-6.6p1-role-mls.patch
#https://bugzilla.redhat.com/show_bug.cgi?id=781634
-Patch404: openssh-6.3p1-privsep-selinux.patch
+Patch404: openssh-6.6p1-privsep-selinux.patch
#?-- unwanted child :(
-Patch501: openssh-6.3p1-ldap.patch
+Patch501: openssh-6.6p1-ldap.patch
#?
-Patch502: openssh-6.3p1-keycat.patch
+Patch502: openssh-6.6p1-keycat.patch
#http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
-Patch601: openssh-5.2p1-allow-ip-opts.patch
+Patch601: openssh-6.6p1-allow-ip-opts.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1701
Patch602: openssh-5.9p1-randclean.patch
#http://cvsweb.netbsd.org/cgi-bin/cvsweb.cgi/src/crypto/dist/ssh/Attic/sftp-glob.c.diff?r1=1.13&r2=1.13.12.1&f=h
Patch603: openssh-5.8p1-glob.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1893
-Patch604: openssh-5.8p1-keyperm.patch
+Patch604: openssh-6.6p1-keyperm.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1329 (WONTFIX)
-Patch605: openssh-5.8p2-remove-stale-control-socket.patch
+# drop: Patch605: openssh-5.8p2-remove-stale-control-socket.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1925
Patch606: openssh-5.9p1-ipv6man.patch
#?
-Patch607: openssh-5.8p2-sigpipe.patch
+# drop? Patch607: openssh-5.8p2-sigpipe.patch
#?
Patch608: openssh-6.1p1-askpass-ld.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1789
-Patch609: openssh-5.5p1-x11.patch
+# drop? Patch609: openssh-5.5p1-x11.patch
#?
Patch700: openssh-6.3p1-fips.patch
#?
-Patch701: openssh-5.6p1-exit-deadlock.patch
+# drop? Patch701: openssh-5.6p1-exit-deadlock.patch
#?
Patch702: openssh-5.1p1-askpass-progress.patch
#?
Patch703: openssh-4.3p2-askpass-grab-info.patch
-#?
-Patch704: openssh-5.9p1-edns.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=205842
+# drop? Patch704: openssh-5.9p1-edns.patch
#?
Patch705: openssh-5.1p1-scp-manpage.patch
#?
Patch706: openssh-5.8p1-localdomain.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
-Patch707: openssh-6.3p1-redhat.patch
+Patch707: openssh-6.6p1-redhat.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
-Patch708: openssh-6.2p1-entropy.patch
+Patch708: openssh-6.6p1-entropy.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
Patch709: openssh-6.2p1-vendor.patch
# warn users for unsupported UsePAM=no (#757545)
-Patch711: openssh-6.1p1-log-usepam-no.patch
+Patch711: openssh-6.6p1-log-usepam-no.patch
# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
Patch712: openssh-6.3p1-ctr-evp-fast.patch
# add cavs test binary for the aes-ctr
-Patch713: openssh-6.3p1-ctr-cavstest.patch
+Patch713: openssh-6.6p1-ctr-cavstest.patch
#http://www.sxw.org.uk/computing/patches/openssh.html
#changed cache storage type - #848228
-Patch800: openssh-6.3p1-gsskex.patch
+Patch800: openssh-6.6p1-gsskex.patch
#http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
-Patch801: openssh-6.3p1-force_krb.patch
+Patch801: openssh-6.6p1-force_krb.patch
Patch900: openssh-6.1p1-gssapi-canohost.patch
#https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch901: openssh-6.3p1-kuserok.patch
+Patch901: openssh-6.6p1-kuserok.patch
# use default_ccache_name from /etc/krb5.conf (#991186)
Patch902: openssh-6.3p1-krb5-use-default_ccache_name.patch
-# increase the size of the Diffie-Hellman groups (#1010607)
-Patch903: openssh-6.3p1-increase-size-of-DF-groups.patch
# FIPS mode - adjust the key echange DH groups and ssh-keygen according to SP800-131A (#1001748)
-Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch
+# merge: Patch904: openssh-6.4p1-FIPS-mode-SP800-131A.patch
# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set (#969375
Patch905: openssh-6.4p1-legacy-ssh-copy-id.patch
# Use tty allocation for a remote scp (#985650)
@@ -192,9 +190,7 @@ Patch906: openssh-6.4p1-fromto-remote.patch
Patch907: openssh-6.4p1-CLOCK_BOOTTIME.patch
# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
# dialog by offering only certificate keys. (#1081338)
-Patch908: openssh-6.4p1-CVE-2014-2653.patch
-# ignore environment variables with embedded '=' or '\0' characters (#1077843)
-Patch909: openssh-6.4p1-ignore-bad-env-var.patch
+Patch908: openssh-6.6p1-CVE-2014-2653.patch
License: BSD
@@ -358,12 +354,12 @@ The module is most useful for su and sudo service stacks.
%patch0 -p1 -b .wIm
%endif
-%patch100 -p1 -b .coverity
+# rework %patch100 -p1 -b .coverity
%patch101 -p1 -b .fingerprint
-%patch102 -p1 -b .getaddrinfo
+# investigate %patch102 -p1 -b .getaddrinfo
%patch103 -p1 -b .packet
-%patch200 -p1 -b .audit
+# rework %patch200 -p1 -b .audit
%if %{pam_ssh_agent}
pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
@@ -387,21 +383,23 @@ popd
%patch502 -p1 -b .keycat
%patch601 -p1 -b .ip-opts
-%patch602 -p1 -b .randclean
+# merge to fips
+# %patch602 -p1 -b .randclean
%patch603 -p1 -b .glob
%patch604 -p1 -b .keyperm
-%patch605 -p1 -b .remove_stale
+# drop %patch605 -p1 -b .remove_stale
%patch606 -p1 -b .ipv6man
-%patch607 -p1 -b .sigpipe
+# drop? %patch607 -p1 -b .sigpipe
%patch608 -p1 -b .askpass-ld
-%patch609 -p1 -b .x11
-
-%patch700 -p1 -b .fips
-%patch701 -p1 -b .exit-deadlock
+# drop? %patch609 -p1 -b .x11
+#
+# move to the end %patch700 -p1 -b .fips
+# drop? %patch701 -p1 -b .exit-deadlock
%patch702 -p1 -b .progress
%patch703 -p1 -b .grab-info
-%patch704 -p1 -b .edns
-%patch705 -p1 -b .manpage
+# investigate - https://bugzilla.redhat.com/show_bug.cgi?id=205842
+# probably not needed anymore %patch704 -p1 -b .edns
+# drop it %patch705 -p1 -b .manpage
%patch706 -p1 -b .localdomain
%patch707 -p1 -b .redhat
%patch708 -p1 -b .entropy
@@ -409,20 +407,18 @@ popd
%patch711 -p1 -b .log-usepam-no
%patch712 -p1 -b .evp-ctr
%patch713 -p1 -b .ctr-cavs
-
+#
%patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb
-
+#
%patch900 -p1 -b .canohost
%patch901 -p1 -b .kuserok
%patch902 -p1 -b .ccache_name
-%patch903 -p1 -b .dh
-%patch904 -p1 -b .SP800-131A
+# merge with fips %patch904 -p1 -b .SP800-131A
%patch905 -p1 -b .legacy-ssh-copy-id
%patch906 -p1 -b .fromto-remote
%patch907 -p1 -b .CLOCK_BOOTTIME
%patch908 -p1 -b .CVE-2014-2653
-%patch909 -p1 -b .bad-env-var
%if 0
# Nothing here yet
@@ -737,6 +733,9 @@ getent passwd sshd >/dev/null || \
%endif
%changelog
+* Tue Jun 03 2014 Petr Lautrbach <plautrba at redhat.com> 6.6p1-1 + 0.9.3-2
+- new upstream release openssh-6.6p1
+
* Thu May 15 2014 Petr Lautrbach <plautrba at redhat.com> 6.4p1-4 + 0.9.3-1
- use SSH_COPY_ID_LEGACY variable to run ssh-copy-id in the legacy mode
- make /etc/ssh/moduli file public (#1043661)
diff --git a/sources b/sources
index 90637ab..fbdb5e4 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
9872ca1983e566ff5a89c240529e223d pam_ssh_agent_auth-0.9.3.tar.bz2
-a62b88b884df0b09b8a8c5789ac9e51b openssh-6.4p1.tar.gz
+3e9800e6bca1fbac0eea4d41baa7f239 openssh-6.6p1.tar.gz
More information about the scm-commits
mailing list