Index: /branches/rel_apv_10_7/usr/click/bin/openssh/array_patch
===================================================================
--- /branches/rel_apv_10_7/usr/click/bin/openssh/array_patch	(revision 38493)
+++ /branches/rel_apv_10_7/usr/click/bin/openssh/array_patch	(working copy)
@@ -1,6 +1,6 @@
 diff -ru1 openssh-9.3p2/Makefile.in openssh-9.3p2-patch/Makefile.in
 --- openssh-9.3p2/Makefile.in	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/Makefile.in	2024-05-16 16:14:01.472590569 +0800
++++ openssh-9.3p2-patch/Makefile.in	2024-08-05 17:00:44.124383461 +0800
 @@ -71,3 +71,3 @@
 
 -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT) ssh-sk-helper$(EXEEXT)
@@ -32,7 +32,7 @@
 
 diff -ru1 openssh-9.3p2/auth.c openssh-9.3p2-patch/auth.c
 --- openssh-9.3p2/auth.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/auth.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/auth.c	2024-08-05 17:00:44.124383461 +0800
 @@ -78,2 +78,33 @@
 
 +#include <syslog.h>
@@ -158,7 +158,7 @@
 +
 diff -ru1 openssh-9.3p2/auth.h openssh-9.3p2-patch/auth.h
 --- openssh-9.3p2/auth.h	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/auth.h	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/auth.h	2024-08-05 17:00:44.124383461 +0800
 @@ -240,2 +240,4 @@
 
 +#define MAX_USER_NAME_SIZE 256
@@ -166,7 +166,7 @@
  int	 sys_auth_passwd(struct ssh *, const char *);
 diff -ru1 openssh-9.3p2/auth2-passwd.c openssh-9.3p2-patch/auth2-passwd.c
 --- openssh-9.3p2/auth2-passwd.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/auth2-passwd.c	2024-05-17 13:48:43.990080453 +0800
++++ openssh-9.3p2-patch/auth2-passwd.c	2024-08-05 17:00:44.124383461 +0800
 @@ -46,2 +46,28 @@
  #include "servconf.h"
 +#include <pwd.h>
@@ -206,9 +206,12 @@
 +
 +	ext_authenticated = 0;
 
-@@ -65,7 +96,59 @@
-	}
-+
+@@ -66,6 +97,58 @@
+
+-	if (change)
+-		logit("password change not supported");
+-	else if (PRIVSEP(auth_password(ssh, password)) == 1)
+-		authenticated = 1;
 +	/*really do external authentication*/
 +	if (do_exauth) {
 +		int ret_value = EXT_AUTH_FAILED;
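Review bot: The regenerated auth2-passwd.c hunk (`@@ -66,6 +97,58 @@`) removes upstream's `if (change) logit("password change not supported");` refusal together with the `PRIVSEP(auth_password(ssh, password))` call, and the part of the replacement visible here never tests `change`. The rest of the added `do_exauth` block is outside this hunk, so the flag may be handled there. If it is not, a request carrying the change flag would go down the normal external or local authentication path instead of being refused. I would keep the refusal explicit ahead of the new code, for example `if (change) logit("password change not supported"); else if (do_exauth) {`, and add a comment stating that the local check must still go through `PRIVSEP(auth_password(...))`.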
@@ -264,15 +267,11 @@
 +
 +	}
 +	authenticated = ext_authenticated || local_authenticated;
-
--	if (change)
--		logit("password change not supported");
--	else if (PRIVSEP(auth_password(ssh, password)) == 1)
--		authenticated = 1;
++
 	freezero(password, len);
 diff -ru1 openssh-9.3p2/auth2.c openssh-9.3p2-patch/auth2.c
 --- openssh-9.3p2/auth2.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/auth2.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/auth2.c	2024-08-05 17:00:44.124383461 +0800
 @@ -60,2 +60,26 @@
 
 +/* ArrayOS external auth support */
@@ -341,23 +340,23 @@
 +
 +	login_info_shm_attach();
 +
-	if ((style = strchr(user, ':')) != NULL)
+ 	if ((style = strchr(user, ':')) != NULL)
 @@ -281,16 +338,102 @@
-	if (authctxt->attempt++ == 0) {
+ 	if (authctxt->attempt++ == 0) {
 +		local_auth_valid = 0;
 +		ext_auth_valid = 0;
 +		local_auth_pw = NULL;
 +		ext_auth_pw = NULL;
 +		do_exauth = 0;
 +
-		/* setup auth context */
+ 		/* setup auth context */
 -		authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
 +		local_auth_pw = PRIVSEP(getpwnamallow(ssh, user));
-		authctxt->user = xstrdup(user);
+ 		authctxt->user = xstrdup(user);
 -		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 +		if (local_auth_pw && strcmp(service, "ssh-connection")==0) {
-			authctxt->valid = 1;
-			debug2_f("setting up authctxt for %s", user);
+ 			authctxt->valid = 1;
+ 			debug2_f("setting up authctxt for %s", user);
 +			local_auth_valid = 1;
 +		}
 +
@@ -427,8 +426,8 @@
 +						}
 +					}
 +				}
-		} else {
-			authctxt->valid = 0;
+ 		} else {
+ 			authctxt->valid = 0;
 -			/* Invalid user, fake password information */
 -			authctxt->pw = fakepw();
 +			/*
@@ -450,9 +449,8 @@
 		}
 +
  #ifdef USE_PAM
-@@ -329,2 +472,26 @@
-	authctxt->server_caused_failure = 0;
-+
+@@ -330,2 +473,26 @@
+
 +	if (user_login_p && user_login_p->passwd_forcemode) {
 +		user_index = get_user_index(authctxt->user);
 +		if ((user_index != -1) && check_user_locked(user_index)) {
@@ -476,7 +474,8 @@
 +			return 0;
 +		}
 +	}
-
++
+	/* try to authenticate user */
 @@ -348,2 +515,27 @@
 
 +/*
@@ -525,12 +524,12 @@
 +			}
 +		}
 +
-		/* now we can break out */
+ 		/* now we can break out */
 @@ -433,4 +640,35 @@
-		if (!partial && !authctxt->server_caused_failure &&
+ 		if (!partial && !authctxt->server_caused_failure &&
 -		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
 +			(authctxt->attempt > 1 || strcmp(method, "none") != 0)) {
-			authctxt->failures++;
+ 			authctxt->failures++;
 +
 +			if (user_login_p && user_login_p->passwd_forcemode) {
 +				if (user_index == -1) {
@@ -562,15 +561,14 @@
 +
 +		}
 +
-		if (authctxt->failures >= options.max_authtries) {
+ 		if (authctxt->failures >= options.max_authtries) {
 @@ -450,2 +688,4 @@
 			fatal_fr(r, "send failure packet");
 +		array_auth_log(ssh, authenticated, method, " failed");
 +		array_send_addr_info(ssh);
 		free(methods);
-@@ -843,2 +1083,161 @@
- }
-+
+@@ -844 +1084,160 @@
+
 +static int
 +login_info_shm_attach(void)
 +{
@@ -729,19 +727,18 @@
 +	return 0;
 +}
 +
-
++
 diff -ru1 openssh-9.3p2/configure openssh-9.3p2-patch/configure
 --- openssh-9.3p2/configure	2023-07-19 14:32:53.000000000 +0800
-+++ openssh-9.3p2-patch/configure	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/configure	2024-08-05 17:00:44.134383458 +0800
 @@ -869,3 +869,3 @@
  datadir='${datarootdir}'
 -sysconfdir='${prefix}/etc'
 +sysconfdir='${prefix}/conf'
  sharedstatedir='${prefix}/com'
-
 diff -ru1 openssh-9.3p2/readconf.c openssh-9.3p2-patch/readconf.c
 --- openssh-9.3p2/readconf.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/readconf.c	2024-05-16 17:48:55.353633727 +0800
++++ openssh-9.3p2-patch/readconf.c	2024-08-05 17:00:44.134383458 +0800
 @@ -167,2 +167,3 @@
 	oLocalCommand, oPermitLocalCommand, oRemoteCommand,
 +	oPassword, oSync,
@@ -751,14 +748,14 @@
 +	{ "password", oPassword },
 +	{ "sync", oSync },
 	{ "visualhostkey", oVisualHostKey },
-@@ -1846,2 +1849,7 @@
-		goto parse_command;
-+
+@@ -1847,2 +1850,7 @@
+
 +	case oPassword:
 +	case oSync:
 +		charptr=&options->xpassword;
 +		goto parse_string;
-
++
+	case oVisualHostKey:
 @@ -2440,2 +2448,4 @@
 	options->enable_escape_commandline = -1;
 +	options->xpassword = NULL;
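Review bot: `case oPassword:` and `case oSync:` both parse a string into `options->xpassword`, so a cleartext login password now comes from whatever supplies the client configuration, and nothing in the hunk documents that. A comment above the two cases would help, for example `/* ArrayOS: "password" and "sync" both carry a cleartext login password; the config source must be readable only by the invoking user */`. The field is initialised to `NULL` here, but no hunk visible on this page releases it with `freezero()`, so it looks as if the secret stays in memory for the life of the process; worth confirming in the cleanup path. The enclosing option switch and the initialisation function both extend outside the hunk.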
@@ -766,7 +763,7 @@
  }
 diff -ru1 openssh-9.3p2/readconf.h openssh-9.3p2-patch/readconf.h
 --- openssh-9.3p2/readconf.h	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/readconf.h	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/readconf.h	2024-08-05 17:00:44.134383458 +0800
 @@ -183,2 +183,4 @@
 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
 +	char    *xpassword;
@@ -774,7 +771,7 @@
  }       Options;
 diff -ru1 openssh-9.3p2/servconf.c openssh-9.3p2-patch/servconf.c
 --- openssh-9.3p2/servconf.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/servconf.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/servconf.c	2024-08-05 17:00:44.134383458 +0800
 @@ -200,2 +200,3 @@
 	options->unused_connection_timeout = -1;
 +	options->synconfig = 0;
@@ -801,14 +798,14 @@
 		arg = argv_next(&ac, &av);
 diff -ru1 openssh-9.3p2/servconf.h openssh-9.3p2-patch/servconf.h
 --- openssh-9.3p2/servconf.h	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/servconf.h	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/servconf.h	2024-08-05 17:00:44.134383458 +0800
 @@ -237,2 +237,3 @@
 	int	unused_connection_timeout;
 +	int     synconfig;
  }       ServerOptions;
 diff -ru1 openssh-9.3p2/serverloop.c openssh-9.3p2-patch/serverloop.c
 --- openssh-9.3p2/serverloop.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/serverloop.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/serverloop.c	2024-08-05 17:00:44.134383458 +0800
 @@ -793,3 +793,3 @@
 		    !auth_opts->permit_port_forwarding_flag ||
 -		    options.disable_forwarding ||
@@ -816,7 +813,7 @@
 		    (!want_reply && fwd.listen_port == 0) ||
 diff -ru1 openssh-9.3p2/session.c openssh-9.3p2-patch/session.c
 --- openssh-9.3p2/session.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/session.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/session.c	2024-08-05 17:00:44.134383458 +0800
 @@ -105,2 +105,8 @@
 
 +#if defined(__linux__)
@@ -857,15 +854,15 @@
 +}
 +
  /* removes the agent forwarding socket */
-@@ -705,2 +739,8 @@
-	    s->self);
-+
+@@ -706,2 +740,8 @@
+
 +#ifndef DEBUG
 +		if (arrayos_command_verify(s->pw->pw_name, command) == -1)
 +			fatal("Login failed.");
 +#endif
 +
-
++
+ #ifdef SSH_AUDIT_EVENTS
 @@ -1023,3 +1063,12 @@
 	child_set_env(&env, &envsize, "USER", pw->pw_name);
 -	child_set_env(&env, &envsize, "LOGNAME", pw->pw_name);
@@ -890,7 +887,7 @@
 	/*
 diff -ru1 openssh-9.3p2/ssh.c openssh-9.3p2-patch/ssh.c
 --- openssh-9.3p2/ssh.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/ssh.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/ssh.c	2024-08-05 17:00:44.134383458 +0800
 @@ -175,2 +175,5 @@
 
 +extern int CA_ssh_login(struct ssh *ssh, Sensitive *, const char *, struct sockaddr *, u_short, struct passwd *, char *, const struct ssh_conn_info *);
@@ -898,18 +895,18 @@
 +
  /* Prints a help message to the user.  This function never returns. */
 @@ -710,3 +713,3 @@
-	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
+ 	while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx"
 -	    "AB:CD:E:F:GI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
 +	    "AB:CD:E:F:GHI:J:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) { /* HUZdhjruz */
-		switch (opt) {
+ 		switch (opt) {
 @@ -839,2 +842,5 @@
-			break;
+ 			break;
 +		case 'H':
 +			options.knownhost = 1;
 +			break;
-		case 'i':
+ 		case 'i':
 @@ -1681,4 +1687,9 @@
-	/* Log into the remote system.  Never returns if the login fails. */
+ 	/* Log into the remote system.  Never returns if the login fails. */
 -	ssh_login(ssh, &sensitive_data, host, (struct sockaddr *)&hostaddr,
 -	    options.port, pw, timeout_ms, cinfo);
 +	if (!options.xpassword) {
@@ -922,7 +919,7 @@
 
 diff -ru1 openssh-9.3p2/sshconnect.c openssh-9.3p2-patch/sshconnect.c
 --- openssh-9.3p2/sshconnect.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/sshconnect.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/sshconnect.c	2024-08-05 17:00:44.134383458 +0800
 @@ -71,2 +71,4 @@
 
 +#include "cipher.h"
@@ -932,9 +929,9 @@
 				    type, ip);
 +			else if (options.knownhost == 1)
 +				; /* don't add host to file when called by arrayos cli */
-			else if (!add_host_to_hostfile(user_hostfiles[0], ip,
+ 			else if (!add_host_to_hostfile(user_hostfiles[0], ip,
 @@ -1193,3 +1197,5 @@
-		 */
+ 		 */
 -		if (options.check_host_ip && ip_status == HOST_NEW) {
 +		if (options.knownhost == 1)
 +			; /* don't add host to file when called by arrayos cli */
@@ -948,10 +945,10 @@
 +		else if (!r)
 			logit("Failed to add the host to the list of known "
 @@ -1578,3 +1586,3 @@
-	ssh_kex2(ssh, host, hostaddr, port, cinfo);
+ 	ssh_kex2(ssh, host, hostaddr, port, cinfo);
 -	ssh_userauth2(ssh, local_user, server_user, host, sensitive);
 +	ssh_userauth2(ssh, local_user, server_user, host, sensitive, NULL);
-	free(local_user);
+ 	free(local_user);
 @@ -1582,2 +1590,28 @@
  }
 +
@@ -983,7 +980,7 @@
 
 diff -ru1 openssh-9.3p2/sshconnect.h openssh-9.3p2-patch/sshconnect.h
 --- openssh-9.3p2/sshconnect.h	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/sshconnect.h	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/sshconnect.h	2024-08-05 17:00:44.134383458 +0800
 @@ -84,3 +84,3 @@
  void	 ssh_userauth2(struct ssh *ssh, const char *, const char *,
 -    char *, Sensitive *);
@@ -991,7 +988,7 @@
 
 diff -ru1 openssh-9.3p2/sshconnect2.c openssh-9.3p2-patch/sshconnect2.c
 --- openssh-9.3p2/sshconnect2.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/sshconnect2.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/sshconnect2.c	2024-08-05 17:00:44.134383458 +0800
 @@ -349,2 +349,3 @@
 	void *methoddata;
 +	char *password;
@@ -1010,49 +1007,48 @@
 +		&options.batch_mode},
  #ifdef GSSAPI
 @@ -409,7 +420,2 @@
-		NULL},
+ 		NULL},
 -	{"publickey",
 -		userauth_pubkey,
 -		NULL,
 -		&options.pubkey_authentication,
 -		NULL},
-	{"keyboard-interactive",
+ 	{"keyboard-interactive",
 @@ -419,7 +425,2 @@
-		&options.batch_mode},
+ 		&options.batch_mode},
 -	{"password",
 -		userauth_passwd,
 -		NULL,
 -		&options.password_authentication,
 -		&options.batch_mode},
-	{"none",
+ 	{"none",
 @@ -434,3 +435,3 @@
  ssh_userauth2(struct ssh *ssh, const char *local_user,
 -    const char *server_user, char *host, Sensitive *sensitive)
 +    const char *server_user, char *host, Sensitive *sensitive, char *pass)
  {
 @@ -462,2 +463,4 @@
-	authctxt.agent_fd = -1;
+ 	authctxt.agent_fd = -1;
 +	authctxt.password = pass ? pass : NULL;
 +
-	pubkey_prepare(ssh, &authctxt);
+ 	pubkey_prepare(ssh, &authctxt);
 @@ -550,4 +553,3 @@
 		if (method == NULL)
 -			fatal("%s@%s: Permission denied (%s).",
 -			    authctxt->server_user, authctxt->host, authlist);
 +			fatal("Permission denied.");
 		authctxt->method = method;
-@@ -1055,5 +1057,10 @@
-		error("Permission denied, please try again.");
-+
+@@ -1056,4 +1058,9 @@
+
+-	xasprintf(&prompt, "%s@%s's password: ", authctxt->server_user, host);
+-	password = read_passphrase(prompt, 0);
 +	if (!authctxt->password) {
 +	        xasprintf(&prompt, "%.30s@%.128s's password: ", authctxt->server_user, host);
 +	        password = read_passphrase(prompt, 0);
 +	} else {
 +	        password = xstrdup(authctxt->password);
 +	}
-
--	xasprintf(&prompt, "%s@%s's password: ", authctxt->server_user, host);
--	password = read_passphrase(prompt, 0);
++
 	if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 @@ -1068,3 +1075,4 @@
 
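Review bot: When `authctxt->password` is set, the password method sends `xstrdup(authctxt->password)` on every call, so a wrong preset password is resent unchanged on each retry instead of failing once. The attempt counter is outside this hunk, but upstream retries up to `number_of_password_prompts` times, and each retry would be recorded by the server as another failed login for that account. Consider giving up after the first attempt when a preset password is in use, for example `if (authctxt->password && authctxt->attempt_passwd > 1) return 0;` placed after the counter is incremented. Separately, `authctxt.password = pass ? pass : NULL;` in `ssh_userauth2` is equivalent to `authctxt.password = pass;`.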
@@ -1062,7 +1058,7 @@
 	if (password != NULL)
 diff -ru1 openssh-9.3p2/sshd.c openssh-9.3p2-patch/sshd.c
 --- openssh-9.3p2/sshd.c	2023-07-19 14:31:34.000000000 +0800
-+++ openssh-9.3p2-patch/sshd.c	2024-05-16 16:13:07.950136203 +0800
++++ openssh-9.3p2-patch/sshd.c	2024-08-05 17:02:40.384342193 +0800
 @@ -130,2 +130,17 @@
 
 +#include <sys/msg.h>
@@ -1303,9 +1299,9 @@
 +	}
 +
 +
-	/* pipes connected to unauthenticated child sshd processes */
+ 	/* pipes connected to unauthenticated child sshd processes */
 @@ -1256,2 +1479,11 @@
-			}
+ 			}
 +
 +			if (options.synconfig == 0 && !is_permit_source((struct sockaddr *)&from)) {
 +				printf("deny connection #%d", startups);
@@ -1447,6 +1443,11 @@
 +
 +
  static char *
+@@ -1593,3 +1953,3 @@
+	while ((opt = getopt(ac, av,
+-	    "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtV")) != -1) {
++	    "C:E:b:c:f:g:h:k:o:p:u:46DGQRTdeiqrtVs")) != -1) {
+		switch (opt) {
 @@ -1633,2 +1993,5 @@
 			break;
 +		case 's':
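Review bot: The sshd option string now accepts `s`, but neither the string nor the `case 's':` arm has a comment saying what the flag does. The case body is outside this hunk. If it sets `options.synconfig`, then the accept-loop test shown earlier in sshd.c (`options.synconfig == 0 && !is_permit_source(...)`) means the flag switches off the source-address check for every incoming connection, which should be spelled out where the flag is parsed. Suggested comment above the case: `/* -s: ArrayOS sync mode; sets options.synconfig, which bypasses the is_permit_source() check in the accept loop */`.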
