[gsi-openssh/f19] Based on openssh-6.2p2-8.fc19

Mattias Ellert ellert at fedoraproject.org
Wed Jul 16 06:20:58 UTC 2014


commit 0a53c94f7eb12608489a2ae3fa5dd769f0a1fe78
Author: Mattias Ellert <mattias.ellert at fysast.uu.se>
Date:   Wed Jul 16 08:20:42 2014 +0200

    Based on openssh-6.2p2-8.fc19

 gsi-openssh.spec                       |   21 ++++++++-
 openssh-6.2p1-audit.patch              |   23 ++++++---
 openssh-6.2p1-ldap.patch               |   60 +++++++++++++++++------
 openssh-6.2p2-CVE-2014-2653.patch      |   80 ++++++++++++++++++++++++++++++++
 openssh-6.2p2-fromto-remote.patch      |   16 ++++++
 openssh-6.2p2-ignore-bad-env-var.patch |   37 +++++++++++++++
 openssh-6.2p2-legacy-ssh-copy-id.patch |   59 +++++++++++++++++++++++
 7 files changed, 271 insertions(+), 25 deletions(-)
---
diff --git a/gsi-openssh.spec b/gsi-openssh.spec
index f5f1ff1..3e76029 100644
--- a/gsi-openssh.spec
+++ b/gsi-openssh.spec
@@ -29,7 +29,7 @@
 %global ldap 1
 
 %global openssh_ver 6.2p2
-%global openssh_rel 4
+%global openssh_rel 5
 
 Summary: An implementation of the SSH protocol with GSI authentication
 Name: gsi-openssh
@@ -136,6 +136,16 @@ Patch908: openssh-6.2p2-sftp-multibyte.patch
 Patch909: openssh-6.2p2-ssh_gai_strerror.patch
 # increase the size of the Diffie-Hellman groups (#1010607)
 Patch910: openssh-6.2p2-increase-size-of-DF-groups.patch
+# Run ssh-copy-id in the legacy mode when SSH_COPY_ID_LEGACY variable is set
+# http://bugzilla.mindrot.org/show_bug.cgi?id=2110
+Patch911: openssh-6.2p2-legacy-ssh-copy-id.patch
+# Use tty allocation for a remote scp (#985650)
+Patch912: openssh-6.2p2-fromto-remote.patch
+# Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+# dialog by offering only certificate keys. (#1081338)
+Patch913: openssh-6.2p2-CVE-2014-2653.patch
+# ignore environment variables with embedded '=' or '\0' characters (#1077843)
+Patch914: openssh-6.2p2-ignore-bad-env-var.patch
 
 # This is the patch that adds GSI support
 # Based on http://grid.ncsa.illinois.edu/ssh/dl/patch/openssh-6.2p2.patch
@@ -287,6 +297,10 @@ This version of OpenSSH has been modified to support GSI authentication.
 %patch908 -p1 -b .sftp-multibyte
 %patch909 -p1 -b .ssh_gai_strerror
 %patch910 -p1 -b .dh
+%patch911 -p1 -b .legacy-ssh-copy-id
+%patch912 -p1 -b .fromto-remote
+%patch913 -p1 -b .CVE-2014-2653
+%patch914 -p1 -b .bad-env-var
 
 %patch98 -p1 -b .gsi
 
@@ -458,7 +472,7 @@ getent passwd sshd >/dev/null || \
 %defattr(-,root,root)
 %doc CREDITS ChangeLog INSTALL LICENCE LICENSE.globus_usage OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns README.sshd-and-gsisshd TODO
 %attr(0755,root,root) %dir %{_sysconfdir}/gsissh
-%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/gsissh/moduli
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/gsissh/moduli
 %attr(0755,root,root) %{_bindir}/gsissh-keygen
 %attr(0644,root,root) %{_mandir}/man1/gsissh-keygen.1*
 %attr(0755,root,root) %dir %{_libexecdir}/gsissh
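Review bot: The mode of %{_sysconfdir}/gsissh/moduli is widened from 0600 to 0644 on the changed line, but the only changelog entry added in the later hunk of this file says `Based on openssh-6.2p2-8.fc19`, so the reason for the change is recorded nowhere in the spec. The moduli file holds the Diffie-Hellman group parameters sshd reads, which are public values, so world-readable is the conventional mode; a permission change on a %config(noreplace) file still deserves its own changelog line, e.g. `- Make moduli world-readable (0644) to match openssh`. Whether rpm applies the new mode to an already-installed, locally modified moduli kept by %config(noreplace) is not something the spec shows and is worth confirming during upgrade testing.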
@@ -500,6 +514,9 @@ getent passwd sshd >/dev/null || \
 %attr(0644,root,root) %{_unitdir}/gsisshd-keygen.service
 
 %changelog
+* Wed Jul 16 2014 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.2p2-5
+- Based on openssh-6.2p2-8.fc19
+
 * Thu Dec 12 2013 Mattias Ellert <mattias.ellert at fysast.uu.se> - 6.2p2-4
 - Based on openssh-6.2p2-7.fc19
 
diff --git a/openssh-6.2p1-audit.patch b/openssh-6.2p1-audit.patch
index 9a5d23c..5e445b0 100644
--- a/openssh-6.2p1-audit.patch
+++ b/openssh-6.2p1-audit.patch
@@ -1670,7 +1670,7 @@ index 0c7f2e3..f47c7df 100644
  
  struct Session;
 diff --git a/packet.c b/packet.c
-index a51c1f2..faa3a85 100644
+index 06406dc..0e58db3 100644
 --- a/packet.c
 +++ b/packet.c
 @@ -60,6 +60,7 @@
@@ -1780,7 +1780,7 @@ index a51c1f2..faa3a85 100644
  	}
  	active_state->newkeys[mode] = kex_get_newkeys(mode);
  	if (active_state->newkeys[mode] == NULL)
-@@ -1971,6 +1989,47 @@ packet_get_newkeys(int mode)
+@@ -1975,6 +1993,47 @@ packet_get_newkeys(int mode)
  	return (void *)active_state->newkeys[mode];
  }
  
@@ -1828,7 +1828,7 @@ index a51c1f2..faa3a85 100644
  /*
   * Save the state for the real connection, and use a separate state when
   * resuming a suspended connection.
-@@ -1978,18 +2037,12 @@ packet_get_newkeys(int mode)
+@@ -1982,18 +2041,12 @@ packet_get_newkeys(int mode)
  void
  packet_backup_state(void)
  {
@@ -1848,7 +1848,7 @@ index a51c1f2..faa3a85 100644
  }
  
  /*
-@@ -2006,9 +2059,7 @@ packet_restore_state(void)
+@@ -2010,9 +2063,7 @@ packet_restore_state(void)
  	backup_state = active_state;
  	active_state = tmp;
  	active_state->connection_in = backup_state->connection_in;
@@ -1858,7 +1858,7 @@ index a51c1f2..faa3a85 100644
  	len = buffer_len(&backup_state->input);
  	if (len > 0) {
  		buf = buffer_ptr(&backup_state->input);
-@@ -2016,4 +2067,10 @@ packet_restore_state(void)
+@@ -2020,4 +2071,10 @@ packet_restore_state(void)
  		buffer_clear(&backup_state->input);
  		add_recv_bytes(len);
  	}
@@ -2063,7 +2063,7 @@ index cbb8e3a..fc6a7d3 100644
  void	 session_close(Session *);
  void	 do_setusercontext(struct passwd *);
 diff --git a/sshd.c b/sshd.c
-index 740ef4b..9aff64c 100644
+index 740ef4b..61ab3f5 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -118,6 +118,7 @@
@@ -2187,6 +2187,15 @@ index 740ef4b..9aff64c 100644
  		}
  		/* Certs do not need demotion */
  	}
+@@ -646,7 +697,7 @@ privsep_preauth(Authctxt *authctxt)
+ 
+ 	if (use_privsep == PRIVSEP_ON)
+ 		box = ssh_sandbox_init();
+-	pid = fork();
++	pmonitor->m_pid = pid = fork();
+ 	if (pid == -1) {
+ 		fatal("fork of unprivileged child failed");
+ 	} else if (pid != 0) {
 @@ -700,6 +751,8 @@ privsep_preauth(Authctxt *authctxt)
  	}
  }
@@ -2283,7 +2292,7 @@ index 740ef4b..9aff64c 100644
  				    pmonitor->m_pid, strerror(errno));
  		}
  	}
-+	is_privsep_child = use_privsep && pmonitor != NULL && !mm_is_monitor();
++	is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
 +	if (sensitive_data.host_keys != NULL)
 +		destroy_sensitive_data(is_privsep_child);
 +	packet_destroy_all(1, is_privsep_child);
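Review bot: The new test `pmonitor->m_pid == 0` on the is_privsep_child line depends on the assignment `pmonitor->m_pid = pid = fork();` introduced in the privsep_preauth hunk earlier in this file, and neither hunk carries a comment tying the two together; a comment above the fork, `/* record the pid in pmonitor so cleanup_exit() can tell monitor from child */`, would make the dependency explicit. On a failed fork m_pid becomes -1 before fatal() runs, so is_privsep_child evaluates false and the only remaining process cleans up as the monitor, which is the right side; the previous `!mm_is_monitor()` form would have classified it as the child if mm_is_monitor() tests m_pid > 0 as upstream's does. If upstream's parent branch still assigns `pmonitor->m_pid = pid;` a few lines below the fork (outside this hunk), that assignment is now redundant and could be dropped so there is a single source of truth. The enclosing cleanup_exit() body starts and ends outside the hunk.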
diff --git a/openssh-6.2p1-ldap.patch b/openssh-6.2p1-ldap.patch
index 8d717c5..d2e1391 100644
--- a/openssh-6.2p1-ldap.patch
+++ b/openssh-6.2p1-ldap.patch
@@ -759,10 +759,9 @@ diff -up openssh-6.2p1/ldapbody.h.ldap openssh-6.2p1/ldapbody.h
 +
 +#endif /* LDAPBODY_H */
 +
-diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
---- openssh-6.2p2/ldapconf.c.ldap	2013-06-07 15:10:05.601942693 +0200
-+++ openssh-6.2p2/ldapconf.c	2013-06-07 15:10:24.928857566 +0200
-@@ -0,0 +1,691 @@
+--- openssh-6.4p1/ldapconf.c.ldap	2013-11-26 10:31:03.513794385 +0100
++++ openssh-6.4p1/ldapconf.c	2013-11-26 10:38:15.474635149 +0100
+@@ -0,0 +1,720 @@
 +/* $OpenBSD: ldapconf.c,v 1.1 2009/12/03 03:34:42 jfch Exp $ */
 +/*
 + * Copyright (c) 2009 Jan F. Chadima.  All rights reserved.
@@ -886,6 +885,35 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	return lBadOption;
 +}
 +
++/* Characters considered whitespace in strsep calls. */
++#define WHITESPACE " \t\r\n"
++
++/* return next token in configuration line */
++static char *
++ldap_strdelim(char **s)
++{
++      char *old;
++      int wspace = 0;
++
++      if (*s == NULL)
++              return NULL;
++
++      old = *s;
++
++      *s = strpbrk(*s, WHITESPACE);
++      if (*s == NULL)
++              return (old);
++
++      *s[0] = '\0';
++
++      /* Skip any extra whitespace after first token */
++      *s += strspn(*s + 1, WHITESPACE) + 1;
++      if (*s[0] == '=' && !wspace)
++              *s += strspn(*s + 1, WHITESPACE) + 1;
++
++      return (old);
++}
++
 +/*
 + * Processes a single option line as used in the configuration files. This
 + * only sets those values that have not already been set.
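Review bot: In the added ldap_strdelim, `wspace` is initialised to 0 and never assigned, so `!wspace` in the `*s[0] == '='` test is always true; drop `int wspace = 0;` and write the test as `if (*s[0] == '=')`. The function is otherwise a copy of strdelim() with `=` and the quote character removed from the strpbrk set, presumably so that LDAP DNs and filters containing `=` are kept intact, and nothing says so; a comment such as `/* like strdelim(), but '=' is not a delimiter and quoting is not supported */` would record the intent. One consequence worth confirming is that a value containing whitespace (a bindpw, for instance) can no longer be quoted and will be rejected by the caller's garbage-at-end-of-line check. The new function is indented with spaces while the rest of ldapconf.c uses tabs.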
@@ -909,11 +937,11 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	s = line;
 +	/* Get the keyword. (Each line is supposed to begin with a keyword). */
-+	if ((keyword = strdelim(&s)) == NULL)
++	if ((keyword = ldap_strdelim(&s)) == NULL)
 +		return 0;
 +	/* Ignore leading whitespace. */
 +	if (*keyword == '\0')
-+		keyword = strdelim(&s);
++		keyword = ldap_strdelim(&s);
 +	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
 +		return 0;
 +
@@ -949,7 +977,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	case lBindPW:
 +		charptr = &options.bindpw;
 +parse_string:
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.", filename, linenum);
 +		if (*charptr == NULL)
@@ -962,7 +990,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lScope:
 +		intptr = &options.scope;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing sub/one/base argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -980,7 +1008,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lDeref:
 +		intptr = &options.scope;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing never/searching/finding/always argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1001,7 +1029,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	case lPort:
 +		intptr = &options.port;
 +parse_int:
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing argument.", filename, linenum);
 +		if (arg[0] < '0' || arg[0] > '9')
@@ -1018,7 +1046,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	case lTimeLimit:
 +		intptr = &options.timelimit;
 +parse_time:
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%s line %d: missing time value.",
 +			    filename, linenum);
@@ -1039,7 +1067,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lBind_Policy:
 +		intptr = &options.bind_policy;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing soft/hard argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1058,7 +1086,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lSSL:
 +		intptr = &options.ssl;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing yes/no/start_tls argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1077,7 +1105,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	case lReferrals:
 +		intptr = &options.referrals;
 +parse_flag:
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1097,7 +1125,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +
 +	case lTLS_CheckPeer:
 +		intptr = &options.tls_checkpeer;
-+		arg = strdelim(&s);
++		arg = ldap_strdelim(&s);
 +		if (!arg || *arg == '\0')
 +			fatal("%.200s line %d: Missing never/hard/demand/alow/try argument.", filename, linenum);
 +		value = 0;	/* To avoid compiler warning... */
@@ -1171,7 +1199,7 @@ diff -up openssh-6.2p2/ldapconf.c.ldap openssh-6.2p2/ldapconf.c
 +	}
 +
 +	/* Check that there is no garbage at end of line. */
-+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
++	if ((arg = ldap_strdelim(&s)) != NULL && *arg != '\0') {
 +		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
 +		    filename, linenum, arg);
 +	}
diff --git a/openssh-6.2p2-CVE-2014-2653.patch b/openssh-6.2p2-CVE-2014-2653.patch
new file mode 100644
index 0000000..f9ac821
--- /dev/null
+++ b/openssh-6.2p2-CVE-2014-2653.patch
@@ -0,0 +1,80 @@
+diff --git a/ChangeLog b/ChangeLog
+index 29d70ec..a0fb67e 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,14 @@
++20140420
++   - djm at cvs.openbsd.org 2014/04/01 03:34:10
++     [sshconnect.c]
++     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
++     certificate keys to plain keys and attempt SSHFP resolution.
++     
++     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
++     dialog by offering only certificate keys.
++     
++     Reported by mcv21 AT cam.ac.uk
++
+ 20131010
+  - dtucker at cvs.openbsd.org 2013/10/08 11:42:13
+    [dh.c dh.h]
+diff --git a/sshconnect.c b/sshconnect.c
+index f2ba1b2..f0fdc70 100644
+--- a/sshconnect.c
++++ b/sshconnect.c
+@@ -1137,30 +1137,40 @@ verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
+ {
+ 	int flags = 0;
+ 	char *fp;
++	Key *plain = NULL;
+ 
+ 	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
+ 	debug("Server host key: %s %s%s", key_type(host_key),
+ 	    key_fingerprint_prefix(), fp);
+ 	xfree(fp);
+ 
+-	/* XXX certs are not yet supported for DNS */
+-	if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+-	    verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+-		if (flags & DNS_VERIFY_FOUND) {
+-
+-			if (options.verify_host_key_dns == 1 &&
+-			    flags & DNS_VERIFY_MATCH &&
+-			    flags & DNS_VERIFY_SECURE)
+-				return 0;
+-
+-			if (flags & DNS_VERIFY_MATCH) {
+-				matching_host_key_dns = 1;
+-			} else {
+-				warn_changed_key(host_key);
+-				error("Update the SSHFP RR in DNS with the new "
+-				    "host key to get rid of this message.");
++	if (options.verify_host_key_dns) {
++		/*
++		 * XXX certs are not yet supported for DNS, so downgrade
++		 * them and try the plain key.
++		 */
++		plain = key_from_private(host_key);
++		if (key_is_cert(plain))
++			key_drop_cert(plain);
++		if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++			if (flags & DNS_VERIFY_FOUND) {
++				if (options.verify_host_key_dns == 1 &&
++				    flags & DNS_VERIFY_MATCH &&
++				    flags & DNS_VERIFY_SECURE) {
++					key_free(plain);
++					return 0;
++				}
++				if (flags & DNS_VERIFY_MATCH) {
++					matching_host_key_dns = 1;
++				} else {
++					warn_changed_key(plain);
++					error("Update the SSHFP RR in DNS "
++					    "with the new host key to get rid "
++					    "of this message.");
++				}
+ 			}
+ 		}
++		key_free(plain);
+ 	}
+ 
+ 	return check_host_key(host, hostaddr, options.port, host_key, RDRW,
diff --git a/openssh-6.2p2-fromto-remote.patch b/openssh-6.2p2-fromto-remote.patch
new file mode 100644
index 0000000..4a7d849
--- /dev/null
+++ b/openssh-6.2p2-fromto-remote.patch
@@ -0,0 +1,16 @@
+diff --git a/scp.c b/scp.c
+index d98fa67..25d347b 100644
+--- a/scp.c
++++ b/scp.c
+@@ -638,7 +638,10 @@ toremote(char *targ, int argc, char **argv)
+ 			addargs(&alist, "%s", ssh_program);
+ 			addargs(&alist, "-x");
+ 			addargs(&alist, "-oClearAllForwardings=yes");
+-			addargs(&alist, "-n");
++			if (isatty(fileno(stdin)))
++				addargs(&alist, "-t");
++			else
++				addargs(&alist, "-n");
+ 			for (j = 0; j < remote_remote_args.num; j++) {
+ 				addargs(&alist, "%s",
+ 				    remote_remote_args.list[j]);
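Review bot: The new `-t` branch in toremote() carries no comment explaining why a tty is requested on the hop to the first remote host, and the spec only says `Use tty allocation for a remote scp (#985650)`. A comment on the isatty line, `/* a tty lets the remote ssh prompt for a password on the second hop; otherwise keep stdin detached with -n */`, would record the intent for the next reader. With `-t` the remote command runs on a pty and stdin is no longer detached, so whether the isatty() test should also be skipped when scp is run in batch mode (-B) is a question this hunk does not address and cannot be answered from it. toremote() continues outside the hunk.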
diff --git a/openssh-6.2p2-ignore-bad-env-var.patch b/openssh-6.2p2-ignore-bad-env-var.patch
new file mode 100644
index 0000000..3bb49c2
--- /dev/null
+++ b/openssh-6.2p2-ignore-bad-env-var.patch
@@ -0,0 +1,37 @@
+diff -U0 openssh-6.4p1/ChangeLog.bad-env-var openssh-6.4p1/ChangeLog
+--- openssh-6.4p1/ChangeLog.bad-env-var	2014-03-19 21:37:36.270509907 +0100
++++ openssh-6.4p1/ChangeLog	2014-03-19 21:37:36.276509878 +0100
+@@ -0,0 +1,7 @@
++20140304
++ - OpenBSD CVS Sync
++   - djm at cvs.openbsd.org 2014/03/03 22:22:30
++     [session.c]
++     ignore enviornment variables with embedded '=' or '\0' characters;
++     spotted by Jann Horn; ok deraadt@
++
+diff -up openssh-6.4p1/session.c.bad-env-var openssh-6.4p1/session.c
+--- openssh-6.4p1/session.c.bad-env-var	2014-03-19 21:37:36.233510090 +0100
++++ openssh-6.4p1/session.c	2014-03-19 21:37:36.277509873 +0100
+@@ -990,6 +990,11 @@ child_set_env(char ***envp, u_int *envsi
+ 	u_int envsize;
+ 	u_int i, namelen;
+ 
++	if (strchr(name, '=') != NULL) {
++		error("Invalid environment variable \"%.100s\"", name);
++		return;
++	}
++
+ 	/*
+ 	 * If we're passed an uninitialized list, allocate a single null
+ 	 * entry before continuing.
+@@ -2255,8 +2260,8 @@ session_env_req(Session *s)
+ 	char *name, *val;
+ 	u_int name_len, val_len, i;
+ 
+-	name = packet_get_string(&name_len);
+-	val = packet_get_string(&val_len);
++	name = packet_get_cstring(&name_len);
++	val = packet_get_cstring(&val_len);
+ 	packet_check_eom();
+ 
+ 	/* Don't set too many environment variables */
diff --git a/openssh-6.2p2-legacy-ssh-copy-id.patch b/openssh-6.2p2-legacy-ssh-copy-id.patch
new file mode 100644
index 0000000..826f1ad
--- /dev/null
+++ b/openssh-6.2p2-legacy-ssh-copy-id.patch
@@ -0,0 +1,59 @@
+diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
+index 9f2817b..1530f6f 100644
+--- a/contrib/ssh-copy-id
++++ b/contrib/ssh-copy-id
+@@ -77,7 +77,7 @@ use_id_file() {
+     PUB_ID_FILE="$L_ID_FILE.pub"
+   fi
+ 
+-  PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
++  [ "x$SSH_COPY_ID_LEGACY" != "x" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
+ 
+   # check that the files are readable
+   for f in $PUB_ID_FILE $PRIV_ID_FILE ; do
+@@ -243,7 +243,7 @@ populate_new_ids() {
+   printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
+ }
+ 
+-REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
++[ "x$SSH_COPY_ID_LEGACY" != "x" ] || REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' "$@" 2>&1 |
+                  sed -ne 's/.*remote software version //p')
+ 
+ case "$REMOTE_VERSION" in
+@@ -268,7 +268,11 @@ case "$REMOTE_VERSION" in
+     ;;
+   *)
+     # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
+-    populate_new_ids 0
++    if [ "x$SSH_COPY_ID_LEGACY" != "x" ]; then
++      NEW_IDS=`eval "$GET_ID"`
++    else
++      populate_new_ids 0
++    fi
+     [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | ssh "$@" "
+ 		umask 077 ;
+ 		mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ;
+diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
+index 67a59e4..edbf56f 100644
+--- a/contrib/ssh-copy-id.1
++++ b/contrib/ssh-copy-id.1
+@@ -180,6 +180,19 @@ should prove enlightening (N.B. the modern approach is to use the
+ .Fl W
+ option, rather than
+ .Xr nc 1 ) .
++.Sh ENVIRONMENT
++.Bl -tag -width Ds
++.Pp
++.It Pa SSH_COPY_ID_LEGACY
++If the 
++.Cm SSH_COPY_ID_LEGACY
++environment variable is set, the
++.Nm
++is run in a legacy mode. In this mode, the 
++.Nm
++doesn't check an existence of a private key and doesn't do remote checks
++of the remote server versions or if public keys are already installed.
++.El
+ .Sh "SEE ALSO"
+ .Xr ssh 1 ,
+ .Xr ssh-agent 1 ,
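Review bot: The legacy branch assigns NEW_IDS with backtick command substitution while the surrounding script uses `$(...)` (the PRIV_ID_FILE and REMOTE_VERSION lines in this same patch); `NEW_IDS=$(eval "$GET_ID")` keeps the style uniform. The `[ "x$SSH_COPY_ID_LEGACY" != "x" ]` test is repeated three times, and the mode works by leaving PRIV_ID_FILE and REMOTE_VERSION unset so that the file loop skips the private key and the `*)` case fires; a one-line comment at the first test, `# SSH_COPY_ID_LEGACY skips the private-key and remote-version checks (mindrot #2110)`, would make that mechanism visible instead of implied. In the man page hunk, `doesn't check an existence of a private key` reads better as `does not check that a private key exists`, and the lines `If the ` and `In this mode, the ` carry trailing whitespace.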

