Commit Graph

183 Commits

Author SHA1 Message Date
thorpej
05d9e5e0e0 Update racoon from today's KAME sources. Includes memory leak
fixes in the GSSAPI support code.
2001-01-30 02:04:39 +00:00
itojun
2d889f0dc5 have safeputchar() for tcpdump/packet-isakmp.c. reported by bernd,
sync with kame.
2001-01-28 17:17:56 +00:00
itojun
21ecf40da9 BIND 8.2.3 2001-01-27 08:07:35 +00:00
thorpej
b6abea6f2b Merge notsnap20010126 import. 2001-01-26 23:56:18 +00:00
thorpej
034d969067 Bring in latest racoon/libipsec from KAME (not part of a snap
kit).  Includes a few bugfixes from, including a re-key problem
and memory leak when doing GSSAPI authentication for Phase 1.
Also some better config file documentation.
2001-01-26 23:53:26 +00:00
jdolecek
f17efc018b complete the paragraph about HostKey directive, reword slighly 2001-01-24 22:59:11 +00:00
thorpej
16915b1818 Merge conflicts from notsnap20010124 import. 2001-01-24 18:18:32 +00:00
thorpej
1e7bdbcad4 Bring in latest racoon/libipsec from KAME (not part of a snap
kit).  Includes several racoon bugfixes, including ones that
fix coredumps when using GSSAPI authentication for Phase 1.
2001-01-24 18:10:22 +00:00
itojun
6530b069f5 fix to PR 11320 (ssh-askpass gets invoked forever if we don't have
control terminal).  from markus@openbsd
2001-01-21 02:44:05 +00:00
hubertf
cbd751b376 Sync with localsrc: The default is "ForwardX11 no". 2001-01-20 03:38:19 +00:00
itojun
096913193b disable s/key authentication request (from client) by default, to prevent
confusing fake s/key challenge to show up.
per recent discussion on tech-userlevel.
2001-01-18 13:37:17 +00:00
itojun
f08806ada3 fix printf format for u_int64_t 2001-01-17 11:35:38 +00:00
simonb
3cc4829557 Fix printf format with sizeof(). 2001-01-16 02:20:19 +00:00
toshii
a230982a45 Catch up with sshd config file entry changes.
Now we need to explicitly set DSA key location to use protocol version 2.
2001-01-15 06:13:08 +00:00
itojun
a98ee796df $NetBSD$ 2001-01-14 05:28:01 +00:00
itojun
a0f7a7d829 crypto/dist/ssh: resolve conflicts with 2.3.0/20010105.
usr.bin/ssh: add ssh-keyscan and sftp-server into SUBDIR.
2001-01-14 05:22:31 +00:00
itojun
bfbf0e0d31 NetBSD Secure Shell, based on OpenSSH 2.3.0 around 1/5/2001 2001-01-14 04:49:51 +00:00
lukem
286bcc01a3 don't use LOG_CONS 2001-01-11 02:58:05 +00:00
christos
339f061e38 remove redundant decls 2001-01-07 23:21:44 +00:00
mycroft
feb89c799a Add a COMPATIBILITY section, mentioning the lossage with IDEA-encrypted keys. 2001-01-07 20:48:06 +00:00
christos
6b02df2bb5 remove redundant decl. 2001-01-07 05:44:03 +00:00
christos
1473c569f5 eliminated redundant decl. 2001-01-07 00:01:16 +00:00
christos
2c1245f292 eliminate redundant declarations. 2001-01-06 23:30:57 +00:00
itojun
cbf1717a72 do not allow outsider from injecting syslog entry anonymously.
log peer's ip address instead.
openbsd PR 1600.
2001-01-05 06:33:36 +00:00
itojun
b1375d5035 do not look at environment variables if issetugid() == 0.
use random number device file as the default value.
from openbsd.
2001-01-05 06:22:32 +00:00
lukem
f819878ce7 use more standard %ll_ in favour of %q_ 2001-01-04 15:39:50 +00:00
itojun
650239ad74 fix error return (0 -> -1). sync with kame. 2001-01-04 06:16:38 +00:00
itojun
f2b75fc51d sync with kame: NULL != 0 2001-01-02 05:08:43 +00:00
itojun
5a3fc2bdaa PR 11715
- kerberos is in chapter 8, not 7
- ftp(1) is not kerberized.
2000-12-31 07:45:50 +00:00
toshii
3a0975845b Enable TCP_NODELAY socket option also for interactive IPv6 connections.
TCP_NODELAY isn't IPv4 only.
2000-12-30 14:54:38 +00:00
itojun
1a9f8a405b change pathname to netbsd-oriented 2000-12-29 03:12:59 +00:00
assar
492d9092b5 merge fix-ups 2000-12-29 02:52:35 +00:00
itojun
69fd2e0f90 location of manpage 2000-12-29 02:32:42 +00:00
itojun
57ebd1b3c8 KAME racoon, 2000/12/29 2000-12-29 02:25:05 +00:00
itojun
349ac51600 KAME libipsec/libpfkey, 2000/12/29 2000-12-29 02:24:40 +00:00
assar
8905d28796 was removed in krb4-1.0.5 2000-12-29 02:07:25 +00:00
assar
a842a70c3c merge 2000-12-29 01:52:14 +00:00
assar
2d80b20be2 import krb4-1.0.5 2000-12-29 01:42:08 +00:00
fvdl
be812c01d9 Remove redundant forward declaration of krb5_cache_data struct. 2000-12-24 12:17:21 +00:00
itojun
5389a2b390 cope with embedded KAME scopeid. getifaddrs() expose kernel internal format
to the userland.
2000-12-21 03:58:52 +00:00
nathanw
1cc86f8ba4 Check the return value of krb5_init_context(), and bail out if it failed.
Also, when failing, don't try to use the non-initialized context value
to determine the error text.

This avoids dumping core in the following programs when /etc/krb5.conf is
missing or broken: klist, kdestroy, kpasswd, kadmin, kadmind, ktutil, kdc.

XXX Better error reporting in this failure case would be nice.
2000-12-19 21:31:11 +00:00
assar
2eabd5aae0 (tf_create): remove the overwriting of the old ticket file 2000-12-09 00:53:52 +00:00
assar
71d1fbbd25 (kdc_reply_cipher): fix buffer over-run 2000-12-09 00:53:21 +00:00
assar
a32b774256 remove (obsolete) support for environment variables. 2000-12-09 00:51:46 +00:00
thorpej
ecf24d1394 Use getifaddrs() if HAVE_GETIFADDRS is defined. 2000-12-03 20:21:03 +00:00
thorpej
074a0c939d In krb5_sendto(), try the send/recv *inside* the loop through the
addinfos, so that e.g. if we fail to connect with an IPv6 address,
we can fall back onto an IPv4 address.
2000-12-02 01:53:08 +00:00
fvdl
c9366a8efe Fix reversed test. 2000-11-20 14:08:12 +00:00
mason
18a6237381 s/usefull/useful/ 2000-11-20 06:42:05 +00:00
itojun
40ad5fc4c1 correct validation on X11 forwarding. from markus@openbsd 2000-11-13 02:30:38 +00:00
joda
25f03b52f9 remove extra .Xc 2000-11-12 15:40:19 +00:00
is
d2b5345f10 When forwarding a connection, use the right descriptor to get IP options.
Fixes PR 11261 my Michael Eriksson, using his patch.
2000-11-07 16:06:24 +00:00
fvdl
e22c13589c Make gss_acquire_cred actually work. Add a ccache member to the id_t struct
to store alternate creds, retrieved from a keytab. Make gss_init_sec_context
work with creds != GSS_C_NO_CREDENTIAL. Free ccache in id_t in release_cred.
2000-11-06 15:06:51 +00:00
christos
392621627b always attempt to canonicalize hostnames, not only when the hostname
does not contain a dot.
2000-11-05 20:09:08 +00:00
mason
43bcdca61e Apply the following:
-       static u_int16_t n = HASH_MINSIZE / HASH_ENTRYSIZE;
+       static u_int32_t n = HASH_MINSIZE / HASH_ENTRYSIZE;

...so that large packets do not wrap "n".
2000-10-30 18:58:37 +00:00
veego
923459b8ef Print a newline after 'You entered the wrong passphrase.' 2000-10-29 08:55:59 +00:00
itojun
f3f11aec78 make version identification string conform to SSH version string format.
version format must be like:
	SSH-[0-9]*.[0-9]*-[^-]*( .*)?
and previous string did not conform to the requirement (too many hyphens).
based on comment from markus@openbsd (openssh maintainer)
2000-10-28 13:41:55 +00:00
joda
4b39e2fe3f fix v4 fallback lifetime calculation 2000-10-27 14:44:08 +00:00
simonb
dc0fe34aa7 Reduce swap_bytes() to a non-alignment dependent implementation - some
calls to swap_bytes() do indeed have non-aligned sources and destinations.
Fixes unaligned access problems on alpha and probably some of our other
architectures.
2000-10-23 11:40:55 +00:00
mycroft
968a585ab4 Fix formatting error. 2000-10-20 18:01:26 +00:00
martin
6a12425bca We have renamed the configuration file, adapt the documentation. 2000-10-20 12:40:34 +00:00
bouyer
e33acbd7b7 Correct printf format (used with integers, not longs). 2000-10-19 15:10:33 +00:00
taca
c011ac8db6 - Correct missing closedir(3) in SSL_add_dir_cert_subjects_to_stack().
This should be fix the bug that apache enabled SSL may exhaust its
  file descriptors.  Noted by TAKANO Yuji <takachan@running-dog.net>
  on apache@ecc.u-tokyo.ac.jp, apache mailing list in Japanese.

  He had already sent a bug report to openssl-dev@openssl.org, but it
  wasn't fixed in openssl-0.9.6.  :-(
2000-10-13 01:47:27 +00:00
itojun
b5c4933a2d printf format pedant. (size_t -> u_long). 2000-10-10 13:14:55 +00:00
is
612e4c298a define DES_LONG in time to be used by later header files. 2000-10-08 18:42:03 +00:00
is
7db764779b Format string cleanup by sommerfeld. 2000-10-08 18:40:08 +00:00
itojun
a001cd4e77 exit 0 on success, 1 on error 2000-10-06 06:21:16 +00:00
sommerfeld
dc3402136b Constify variables containing format strings 2000-10-05 14:32:50 +00:00
sommerfeld
37146bcc18 format checking for internal functions 2000-10-05 14:17:12 +00:00
sommerfeld
29dec280ee format checking for internal function 2000-10-05 14:16:10 +00:00
sommerfeld
8b2d1fefd2 Miscellaneous format string safety improvements 2000-10-05 14:09:07 +00:00
simonb
6fe5a2b27e Return failure in krb_get_lrealm() if no config files are found, rather
than then searching for a default realm.

Fixes PR lib/11010 from David Brownlee.  Patch from Jason Thorpe.
2000-10-04 04:08:30 +00:00
itojun
37a8d23037 improve error message on rnd(4) failure. the old text made reference
to ssl(4), which is openssl specific (talks about plugin RSA library).
2000-10-04 03:43:57 +00:00
itojun
18e8d6decc do not loop forever 2000-10-03 15:07:14 +00:00
itojun
42e4adfd95 make it useful as test (exit 0 if successful) 2000-10-03 14:45:36 +00:00
lukem
8e1c87ce80 - implement IgnoreRootRhosts. if set, ignores ~root/.[rs]hosts. defaults to
the value of IgnoreRhosts.  with `IgnoreRhosts yes' and `IgnoreRootRhosts no'
  you get similar behaviour to the `-l' flag on rshd(8).  this is based on
  similar modification i made which appeared in ssh 1.2.27 (?)
- document that IgnoreRhosts now doesn't apply to root.
- clarify that /etc/s?hosts.equiv doesn't apply to root (it didn't before
  my modification either).
- crank the version to 20001003
2000-10-03 09:56:38 +00:00
itojun
0b86bc5a1c nuke #define for changing variable size (affects ABI). 2000-10-03 04:00:19 +00:00
itojun
169eefc02f move rc5/idea dummy functions from crypto/dist/openssl/crypto to lib/libcrypto.
they are not part of the openssl distribution.
suggested by thorpej.
2000-10-01 22:17:59 +00:00
itojun
9c7b3bf3d5 nuke all NO_<algorithm name> in header file. they change ABI due to
#ifdef in struct/union definitions, and are bad for us shipping library binary.
2000-10-01 22:13:14 +00:00
itojun
563bf184ad improve abort message, when RC5/IDEA in libcrypto (dummy) is called. 2000-09-30 14:29:16 +00:00
itojun
e5e807d114 always compile RSA into libcrypto.
MKCRYPTO disables the whole crypto tree, and in that case,
we will not have RSA (nor libcrypto) with us.
2000-09-30 12:21:51 +00:00
itojun
bc22f284e4 we always build idea/rc5 (dummy, though). 2000-09-30 00:30:25 +00:00
itojun
8d26d03189 repair openssl (libcrypto) for non-32bit architecture.
don't use unsigned long where 32bit unsigned variable is asked for.
use u_int32_t.  (not sure if uint32_t is better or not, but anyway,
u_int32_t <-> uint32_t should not raise binary compatibility issue)
PR10921.

TODO: have arch-dependent Makefiles where we supply -DFOO for optimization.
(do not change size of variable though)

XXX: we should actually nuke all other #ifdef in /usr/include/openssl/*.h,
however, that needs a lot of work and will make future openssl upgrade harder.

remove RC5 and IDEA by default.  build them separately as
libcrypto_{rc5,idea}.a.  put dummy function, which is "warning to stderr
and exit(1)".  NOCRYPTO_{RC5,IDEA} are obsoleted.
PR10883.
2000-09-30 00:23:28 +00:00
thorpej
49a55a1d58 Import NetBSD Secure Shell. This is based on OpenSSH, but modified
somewhat.
2000-09-28 22:09:28 +00:00
fvdl
fb9657047a Add support for running kpasswdd from inetd. Active if INETD_SUPPORT
is defined. In either case, kpasswdd will continue to work from
the commandline as usual.
2000-09-13 11:29:26 +00:00
joda
7bc28b6591 add manpage for kadmin 2000-09-10 19:45:04 +00:00
joda
5ab344e414 add a, somewhat terse, kerberos overview manpage 2000-09-10 19:34:49 +00:00
joda
0acd5e96a9 move config and log files out of /var/heimdal 2000-09-10 19:29:44 +00:00
assar
38f9bead65 fix bad mdoc markup. closed PR/10854 2000-08-20 10:36:40 +00:00
fvdl
d2cc354307 Fix example: lib_defaults -> libdefaults, default_domain -> default_realm 2000-08-15 17:22:45 +00:00
thorpej
dafbb1e2ea - Reference count MCC IDs, and garbage-collect them in destroy if
the ref count is 0, and in close if the ref count is 0 and the
  ID is dead (i.e. has been previously destroyed).
- Don't use temp files to generate unique MCC names; use ASCII
  representations of pointers to the malloc'd IDs, which is
  unique enough for our purposes.
- Dead IDs cause an ENOENT error, as would a dead FCC ID.

Per discussion w/ Johan Danielsson <joda@pdc.kth.se>.
2000-08-10 18:58:59 +00:00
thorpej
7dd4170cf5 Fix typos in some #if 0'd code. 2000-08-10 16:18:00 +00:00
thorpej
4ffaedfcde Fix the semantics of krb5_cc_close() and krb5_cc_destroy() for
the MCC.  They now match the semantics of the MIT krb5
implementation.
2000-08-10 15:51:20 +00:00
thorpej
bae9616e91 Add support for multiple Memory Credendial Caches, like MIT has.
This fleshes out mcc_get_name(), mcc_resolve(), mcc_destroy().
2000-08-10 02:23:07 +00:00
thorpej
24ceace29d Add krb5_princ_type() and krb5_princ_size() that appear in the MIT
API but not in Heimdal, and add commented out empty versions of
krb5_princ_set_realm_length(), krb5_princ_set_realm_data(),
krb5_princ_name(), and krb5_princ_component(), which also appear
in the MIT API, but which cannot be implemented in Heimdal until
a change is made to how some data is represented internally (as
these API functions expose that, as foolish as that is, but
that's how MIT did it, and some applications use it).
2000-08-09 23:27:19 +00:00
thorpej
1435d15e40 Cause the kdc to write a pidfile in /var/run/kdc.pid and to
detach from the tty by default.  Add a [-D | --no-detach]
option to restore the old behavior (which is useful for
debugging).
2000-08-06 18:42:19 +00:00
thorpej
e80d60fa71 Catch krb5_init_context() failure. 2000-08-06 17:59:15 +00:00
thorpej
a240003d0c Plug a small memory leak. 2000-08-06 17:58:53 +00:00
thorpej
e59093f4f7 Use socklen_t as appropriate, so that this compiles on LP64
systems.
2000-08-06 06:48:50 +00:00
assar
de3878349f this was removed from the source 2000-08-03 03:39:02 +00:00
assar
9949e16264 merge back some hacks 2000-08-03 03:38:25 +00:00