Commit Graph

77 Commits

Author SHA1 Message Date
tls
4147a3c54a Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry.  RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros.  Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp itself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default.  Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
2007-05-28 12:06:17 +00:00
wiz
6919c6578c s/independant/independent/, from Zafer. 2006-11-24 22:04:21 +00:00
christos
f6e58c8bec Add -DHEIMDAL 2006-09-28 21:24:58 +00:00
lukem
143c145a8f Only use -Wno-pointer-sign for gcc4. 2006-05-12 03:52:05 +00:00
mrg
aadd7d4847 sprinkle some -fno-strict-aliasing and -Wno-pointer-sign with GCC4. 2006-05-11 23:16:28 +00:00
mrg
35b9b80e28 build sshconnect1.c with -fno-strict-aliasing. 2006-05-11 01:26:03 +00:00
christos
85e611dd01 Goodbye KerberosIV 2006-03-20 04:03:10 +00:00
christos
2d51080a2d Do not attempt to generate moduli from moduli.c using the shuttle
suffix rule.  This can happen if moduli.c is newer than moduli.
Reported by Hisashi T Fujinaka.
2006-02-15 15:51:37 +00:00
christos
d3b0b4d68a PR/30750: Mark Davies: ssh gives bogus complaint when gssapi authentication
fails. The problem was that different ssh programs were compiled with different
cpp flags. In particular, ssh-keysign was affected. Move all the CPPFLAGS
to Makefile.inc. Note that I am not moving the library portion of the defines
because we don't want to link everything with all the libraries.
2005-08-18 00:19:28 +00:00
christos
0d20a48365 remove -static. 2005-07-29 01:19:20 +00:00
christos
ab388e3703 sftp now uses libedit. 2005-04-23 16:54:09 +00:00
christos
192c2eccf6 Add -lcrypt where -lcrypto is specified. 2005-03-09 03:11:22 +00:00
he
5152518685 Add -lcrypt to link lines for applications using -lkrb5, so that they
link successfully when MKPIC=no, as is always the case for our ports
which do not support shared libraries.

Discussed with thorpej and christos.
2005-03-04 20:44:55 +00:00
he
8e8728c45c Introduce PAM_STATIC_LDADD and PAM_STATIC_DPADD. When compiling
with MKPIC=no, possibly because the target does not support shared
libraries, these include libraries required to resolve all symbols
which end up referenced from PAM-using applications.  The libraries
presently required are -lcrypt, -lrpcsvc and -lutil.

Add use of these variables which are currently set up to use PAM,
so that they compile when MKPIC=no.

Also, in the telnetd case, reorder the order of the libraries, so
that libtelnet.a comes before -ltermcap and -lutil, again to fix
link error when MKPIC=no.

Discussed with thorpej and christos.
2005-03-04 20:41:08 +00:00
christos
0f037c7626 - Add dependency on libgssapi and the required c-file(s).
- Reorder libkafs so it's possible to build w/o kerberos4
From Love.
2005-02-13 22:48:01 +00:00
christos
1b9aa59ad8 Add dependency on libgssapi and add the required c-file(s)
From Love.
2005-02-13 22:44:07 +00:00
christos
d578cd9dc7 Add a couple of HAVE_'s 2005-02-13 19:15:43 +00:00
christos
15b0d355be Only need the PAM hooks for sshd. Now it compiles, PAM portion untested. 2005-02-13 18:15:05 +00:00
christos
cea75c91ac Add PAM glue [unused] 2005-02-13 06:07:54 +00:00
christos
573119d831 Update for OpenSSH-3.9 2005-02-13 06:07:21 +00:00
lukem
4d41fe6044 Style/consistency cleanup:
* libcrypto & libz are provided by ../Makefile.inc
* <bsd.own.mk> isn't required by most of these
* be consistent in the layout
2005-01-03 06:05:50 +00:00
lukem
ecfeee924b Use the public libssh that's now available. 2005-01-03 06:04:08 +00:00
lukem
b817247988 Use MKPRIVATELIB=yes instead of providing an empty libinstall:: target and
setting NOLINT, NOPIC, NOPROFILE (etc)
2004-05-23 02:24:50 +00:00
lukem
ee04d88971 Consistently use CONFIGFILES & CONFIGLINKS (which enable the 'configinstall'
target) instead of using home-grown 'distribution' targets or using
FILES with the 'install' target.
Add some etc/ subdir Makefiles where appropriate.

XXX: some of etc/Makefile install-etc-files could be converted to CONFIGFILES.
2004-05-16 09:53:09 +00:00
dyoung
4758291178 Fix the checkflist for builds without Kerberos 4 (MKKERBEROS4=no)
and without Kerberos 4 & 5 (MKKERBEROS=no). Previously checkflist
complained of missing files.

* move kerberos- and kerberos 4-only files into new flists,
  distrib/sets/lists/*/krb.*

* make the flist generators grok MKKERBEROS{,4} variables

* fix Makefiles which treat MKKERBEROS=no as MKKERBEROS5=no.
  9 out of 10 experts agree that it is ludicrous to build w/
  KERBEROS4 and w/o KERBEROS5.

* fix header files, also, which treat MKKERBEROS=no as MKKERBEROS5=no.

* omit some Kerberos-only subdirectories from the build as
  MKKERBEROS{,4} indicate

(I acknowledge the sentiment that flists are the wrong way to go,
and that the makefiles should produce the metalog directly.  That
sounds to me like the right way to go, but I am not prepared to
revamp all the makefiles.  While my approach is expedient, it fits
painlessly within the current build architecture until we are
delivered from flist purgatory, and it does not postpone our
delivery. Fair enough?)
2003-12-11 09:46:26 +00:00
lha
afad8d1f7c libkrb depends on libdes, patch in private mail from
Harold Gutch logix at foobar franken de
2003-08-23 23:03:42 +00:00
itojun
88ec7d3792 bring back krb4 support, just to suppress unwanted noise from other developers.
note that official openssh distribution has already dropped kerberosIV support,
therefore maintenance cost needs to be paid by us.  and have no intent to help.
2003-07-24 15:31:52 +00:00
itojun
0abe0bddb0 forgot to remove -lkafs. from rafal 2003-07-23 08:00:52 +00:00
itojun
8556dff80c remove KRB4 and AFS support. sync w/ openssh main tree 2003-07-23 03:52:16 +00:00
itojun
25ad1ea430 UPPORT_UTMP{,X} outside of .if KERBEROS. PR 22202 2003-07-21 03:37:43 +00:00
itojun
56d0ea03cf >implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
>server interops with commercial client; ok jakob@ djm@

markus@openbsd
2003-05-14 18:22:07 +00:00
itojun
e7e7c84a6a sync w/ 3.6.1 2003-04-03 06:21:31 +00:00
itojun
ef7d24574a upgrade to openssh 3.5. major changes include:
- krb4/5 support for privsep (krb5 diff was already applied)

includes fake implementation of getpeereid() from openssh-portable, which
does nothing useful - need improvement.
2002-10-01 14:07:26 +00:00
lukem
5d4973fe97 makefile delint. use NETBSDSRCDIR as appropriate 2002-09-18 14:00:33 +00:00
lukem
09ccdda836 rcsid fix 2002-09-18 13:50:52 +00:00
simonb
cb9c117389 Don't set BINOWN if using the default BINMODE. 2002-08-02 04:05:13 +00:00
christos
0b56b322c8 Add utmpx support. 2002-07-28 23:43:12 +00:00
itojun
412f69af85 re-enable ssh-keysign's sbit. sync w/openbsd 2002-07-03 14:23:49 +00:00
itojun
968294e218 >make ssh-keysign read /etc/ssh/ssh_config
>and exit if HostbasedAuthentication is disabled globally. based on discussions
>with deraadt, itojun and sommerfeld; ok itojun@

sync w/openbsd
2002-07-03 14:23:13 +00:00
itojun
124313224f install ssh-keysign non-setuid for the moment.
(HostbasedAuthentication does not work for a while)
2002-07-01 06:19:22 +00:00
itojun
de7e3177b2 tidy up makefiles 2002-06-24 06:11:11 +00:00
itojun
82659024b5 make sure to install ssh-keysign as setuid root 2002-06-24 05:52:29 +00:00
itojun
3ea946f134 sync with openssh 3.3.
local mods included to make it compile with openssl 0.9.6d.
2002-06-24 05:48:24 +00:00
lukem
244b762de1 Complete the conversion back to the OpenSSH default configuration files of
"/etc/ssh/ssh_config" (from "/etc/ssh/ssh.conf") for ssh(1) and other
userland tools, and "/etc/ssh/sshd_config" (from "/etc/ssh/sshd.conf")
for sshd(8).

etc/postinstall will detect this, and if "fix" is given, rename the files.
2002-04-29 08:23:34 +00:00
itojun
34b40b030e sync with openssh 3.2 as of 2002/4/22.
- privilege separation
- afs/kerberos auth security issue fixed
2002-04-22 07:59:35 +00:00
thorpej
9c33b55e7c Split the notion of building Hesiod, Kerberos, S/key, and YP
infrastructure and using that infrastructure in programs.

	* MKHESIOD, MKKERBEROS, MKSKEY, and MKYP control building
	  of the infrastructure (libraries, support programs, etc.)

	* USE_HESIOD, USE_KERBEROS, USE_SKEY, and USE_YP control
	  building of support for using the corresponding API
	  in various libraries/programs that can use it.

As discussed on tech-toolchain.
2002-03-22 18:10:19 +00:00
itojun
0a2445c3b6 move sshd config files to /etc/ssh 2002-03-11 04:57:55 +00:00
itojun
af34a358ff sync w/ 3.1 as of 2002/3/8. configuration file directory is still /etc
(openbsd usr.bin/ssh is using /etc/ssh)
2002-03-08 02:00:50 +00:00
lukem
670a900e30 use ${INSTALL_FILE} as appropriate 2002-02-09 09:14:32 +00:00
lukem
b0b0a32ad7 Set NOxxx= before <bsd.own.mk> is pulled in (even indirectly).
Otherwise the appropriate MKxxx=no won't be defined.
2001-12-12 12:24:19 +00:00