Index: head/security/hpn-ssh/files/patch-auth.c =================================================================== --- head/security/hpn-ssh/files/patch-auth.c (revision 118776) +++ head/security/hpn-ssh/files/patch-auth.c (revision 118777) @@ -1,29 +1,29 @@ ---- auth.c.orig Tue Sep 2 23:32:46 2003 -+++ auth.c Tue Sep 16 20:05:44 2003 -@@ -259,6 +259,17 @@ - } - #endif /* WITH_AIXAUTHENTICATE */ +--- auth.c.orig Thu Aug 12 14:40:25 2004 ++++ auth.c Mon Sep 20 05:04:48 2004 +@@ -208,6 +208,17 @@ + return 0; + #endif +#ifdef __FreeBSD__ + /* Fail if the account's expiration time has passed. */ + if (pw->pw_expire != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_expire) + return 0; + } +#endif /* __FreeBSD__ */ + /* We found no reason not to let this user try to log on... */ return 1; } -@@ -531,7 +542,7 @@ +@@ -472,7 +483,7 @@ if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP - if ((lc = login_getclass(pw->pw_class)) == NULL) { + if ((lc = login_getpwclass(pw)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } Property changes on: head/security/hpn-ssh/files/patch-auth.c ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.6 \ No newline at end of property +1.7 \ No newline at end of property Index: head/security/hpn-ssh/files/patch-auth2.c =================================================================== --- head/security/hpn-ssh/files/patch-auth2.c (revision 118776) +++ head/security/hpn-ssh/files/patch-auth2.c (revision 118777) @@ -1,68 +1,68 @@ ---- auth2.c.orig Tue Sep 2 23:32:46 2003 -+++ auth2.c Tue Sep 16 20:05:44 2003 +--- auth2.c.orig Thu Aug 12 14:40:25 2004 ++++ auth2.c Mon Sep 20 05:04:48 2004 
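Review bot: The expiration check added to allowed_user() compares tv.tv_sec after discarding gettimeofday()'s result with `(void)`, so on the (rare) failure path the comparison reads an uninitialised struct; `if (time(NULL) >= pw->pw_expire) return 0;` needs no temporary and matches the `auth_timeok(lc, time(NULL))` call in the companion auth2.c hunk. The new denial also returns 0 silently, whereas the login-class failure in the second hunk at least emits a debug() message; a `logit("User %.100s not allowed because account has expired", pw->pw_name);` before the return would make expired-account rejections visible in the auth log (I am assuming the other denial paths in allowed_user() log, since the function starts outside the hunk). The hunk is repeated verbatim in security/openssh-portable/files/patch-auth.c further down, where the same two points apply.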
@@ -35,6 +35,7 @@ #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "canohost.h" #ifdef GSSAPI #include "ssh-gss.h" -@@ -143,6 +144,15 @@ +@@ -134,6 +135,15 @@ Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; +#endif /* HAVE_LOGIN_CAP */ +#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) + const char *from_host, *from_ip; + + from_host = get_canonical_hostname(options.use_dns); + from_ip = get_remote_ipaddr(); +#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -187,6 +197,41 @@ +@@ -178,6 +188,41 @@ "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP + if (authctxt->pw != NULL) { + lc = login_getpwclass(authctxt->pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, authctxt->pw); + if (!auth_hostok(lc, from_host, from_ip)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } + if (!auth_timeok(lc, time(NULL))) { + logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", + authctxt->pw->pw_name, from_host); + packet_disconnect("Logins not available right now."); + } + login_close(lc); + lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ +#ifdef LOGIN_ACCESS + if (authctxt->pw != NULL && + !login_access(authctxt->pw->pw_name, from_host)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } +#endif /* LOGIN_ACCESS */ +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif + /* reset state */ auth2_challenge_stop(authctxt); Property changes on: head/security/hpn-ssh/files/patch-auth2.c ___________________________________________________________________ Modified: 
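Review bot: The host and time restrictions run only when authctxt->pw != NULL and the refused client is disconnected with `Sorry, you are not allowed to connect.` before any authentication method has been tried, so the disconnect itself tells a remote peer whether the account name exists; if that matters to the port, evaluate the restriction for unknown users too (or defer the disconnect to the normal failure path) so both cases behave alike. `lc` can still be NULL after both login_getpwclass() and login_getclassbyname() fail, and the code then hands it to auth_hostok()/auth_timeok(); I believe libutil tolerates a NULL class, but a comment such as `/* lc may be NULL here; libutil treats that as the default class */` should be added only after confirming it. These checks live in input_userauth_request(), which begins and ends outside the hunk, so as shown they cover protocol 2 only; whether protocol 1 gets equivalent treatment cannot be seen from this commit. The identical hunk appears again in security/openssh-portable/files/patch-auth2.c.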
cvs2svn:cvs-rev ## -1 +1 ## -1.3 \ No newline at end of property +1.4 \ No newline at end of property Index: head/security/hpn-ssh/files/patch-clientloop.c =================================================================== --- head/security/hpn-ssh/files/patch-clientloop.c (revision 118776) +++ head/security/hpn-ssh/files/patch-clientloop.c (revision 118777) @@ -1,11 +1,11 @@ ---- clientloop.c.orig Fri Apr 20 09:17:51 2001 -+++ clientloop.c Sat May 26 15:18:51 2001 -@@ -1131,7 +1131,7 @@ +--- clientloop.c.orig Fri Aug 13 13:18:01 2004 ++++ clientloop.c Mon Sep 20 05:04:48 2004 +@@ -1581,7 +1581,7 @@ if (strcmp(ctype, "forwarded-tcpip") == 0) { c = client_request_forwarded_tcpip(ctype, rchan); - } else if (strcmp(ctype, "x11") == 0) { + } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) { c = client_request_x11(ctype, rchan); } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { c = client_request_agent(ctype, rchan); Property changes on: head/security/hpn-ssh/files/patch-clientloop.c ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.1 \ No newline at end of property +1.2 \ No newline at end of property Index: head/security/hpn-ssh/files/patch-loginrec.c =================================================================== --- head/security/hpn-ssh/files/patch-loginrec.c (revision 118776) +++ head/security/hpn-ssh/files/patch-loginrec.c (revision 118777) 
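Review bot: With `&& options.forward_x11` added, an "x11" channel open that arrives while X11 forwarding is off is no longer handled by this branch and falls through to the rest of the chain, so the refusal depends on the default branch (outside the hunk) rejecting unknown channel types, and nothing records that a server tried to open an X11 channel the client never asked for. Give the type its own branch that logs and leaves c unset, e.g. `} else if (strcmp(ctype, "x11") == 0) { debug("refusing x11 channel open: ForwardX11 is disabled"); } else if (...) {`, so the event is visible to the user. The same one-line change appears in security/openssh-portable/files/patch-clientloop.c below.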
@@ -1,25 +1,25 @@ ---- loginrec.c.orig Thu Sep 26 02:38:49 2002 -+++ loginrec.c Mon Oct 21 06:51:34 2002 -@@ -172,6 +172,9 @@ +--- loginrec.c.orig Sun Aug 15 11:12:52 2004 ++++ loginrec.c Mon Sep 20 05:04:48 2004 +@@ -167,6 +167,9 @@ #ifdef HAVE_LIBUTIL_H # include #endif +#ifdef __FreeBSD__ +#include +#endif /** ** prototypes for helper functions in this file -@@ -654,7 +657,12 @@ +@@ -657,7 +660,12 @@ /* Use strncpy because we don't necessarily want null termination */ strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); # ifdef HAVE_HOST_IN_UTMP +# if defined(__FreeBSD__) && __FreeBSD_version <= 400000 strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname)); +# else + realhostname_sa(ut->ut_host, sizeof ut->ut_host, + &li->hostaddr.sa, li->hostaddr.sa.sa_len); +# endif # endif # ifdef HAVE_ADDR_IN_UTMP /* this is just a 32-bit IP address */ Property changes on: head/security/hpn-ssh/files/patch-loginrec.c ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.3 \ No newline at end of property +1.4 \ No newline at end of property Index: head/security/hpn-ssh/files/patch-sshd_config =================================================================== --- head/security/hpn-ssh/files/patch-sshd_config (revision 118776) +++ head/security/hpn-ssh/files/patch-sshd_config (revision 118777) @@ -1,18 +1,18 @@ ---- sshd_config.orig Tue Sep 2 14:51:18 2003 -+++ sshd_config Tue Sep 16 20:05:44 2003 +--- sshd_config.orig Mon May 24 02:36:24 2004 ++++ sshd_config Mon Sep 20 05:04:48 2004 
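Review bot: The new realhostname_sa() call discards its return value; that code distinguishes a confirmed name from a mismatch or an invalid address, and the hunk does not say what ut_host contains in those cases, so a comment along the lines of `/* realhostname_sa() stores the reverse name only if it resolves back to the peer; otherwise the numeric address */` should be added once libutil's behaviour has been checked — I am inferring it from the function's name. It would also help to state why li->hostname is no longer copied on newer FreeBSD (presumably to keep an unverified reverse-DNS string out of utmp). The `#include` added under `__FreeBSD__` shows no header name in this rendering, so the origin of the declaration cannot be confirmed here. The same hunk is duplicated in security/openssh-portable/files/patch-loginrec.c.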
@@ -34,6 +34,7 @@ #LoginGraceTime 2m #PermitRootLogin yes +PermitRootLogin no #StrictModes yes + #MaxAuthTries 6 - #RSAAuthentication yes -@@ -56,6 +57,7 @@ +@@ -57,6 +58,7 @@ # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no Property changes on: head/security/hpn-ssh/files/patch-sshd_config ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.3 \ No newline at end of property +1.4 \ No newline at end of property Index: head/security/openssh-portable/files/patch-auth.c =================================================================== --- head/security/openssh-portable/files/patch-auth.c (revision 118776) +++ head/security/openssh-portable/files/patch-auth.c (revision 118777) 
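Review bot: The two defaults flipped here carry no comment explaining the deviation from upstream, and `ChallengeResponseAuthentication no` also turns off keyboard-interactive authentication, which is the path PAM modules use in sshd, so a site relying on PAM for one-time passwords loses that with no hint in the file. Add a comment above each changed line, e.g. `# FreeBSD port default; upstream ships this commented out`, and mention the keyboard-interactive consequence above the second one. The same change appears in security/openssh-portable/files/patch-sshd_config at the end of the page.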
@@ -1,29 +1,29 @@ ---- auth.c.orig Tue Sep 2 23:32:46 2003 -+++ auth.c Tue Sep 16 20:05:44 2003 -@@ -259,6 +259,17 @@ - } - #endif /* WITH_AIXAUTHENTICATE */ +--- auth.c.orig Thu Aug 12 14:40:25 2004 ++++ auth.c Mon Sep 20 05:04:48 2004 +@@ -208,6 +208,17 @@ + return 0; + #endif +#ifdef __FreeBSD__ + /* Fail if the account's expiration time has passed. */ + if (pw->pw_expire != 0) { + struct timeval tv; + + (void)gettimeofday(&tv, NULL); + if (tv.tv_sec >= pw->pw_expire) + return 0; + } +#endif /* __FreeBSD__ */ + /* We found no reason not to let this user try to log on... */ return 1; } -@@ -531,7 +542,7 @@ +@@ -472,7 +483,7 @@ if (!allowed_user(pw)) return (NULL); #ifdef HAVE_LOGIN_CAP - if ((lc = login_getclass(pw->pw_class)) == NULL) { + if ((lc = login_getpwclass(pw)) == NULL) { debug("unable to get login class: %s", user); return (NULL); } Property changes on: head/security/openssh-portable/files/patch-auth.c ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.6 \ No newline at end of property +1.7 \ No newline at end of property Index: head/security/openssh-portable/files/patch-auth2.c =================================================================== --- head/security/openssh-portable/files/patch-auth2.c (revision 118776) +++ head/security/openssh-portable/files/patch-auth2.c (revision 118777) @@ -1,68 +1,68 @@ ---- auth2.c.orig Tue Sep 2 23:32:46 2003 -+++ auth2.c Tue Sep 16 20:05:44 2003 +--- auth2.c.orig Thu Aug 12 14:40:25 2004 ++++ auth2.c Mon Sep 20 05:04:48 2004 
@@ -35,6 +35,7 @@ #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "canohost.h" #ifdef GSSAPI #include "ssh-gss.h" -@@ -143,6 +144,15 @@ +@@ -134,6 +135,15 @@ Authmethod *m = NULL; char *user, *service, *method, *style = NULL; int authenticated = 0; +#ifdef HAVE_LOGIN_CAP + login_cap_t *lc; +#endif /* HAVE_LOGIN_CAP */ +#if defined(HAVE_LOGIN_CAP) || defined(LOGIN_ACCESS) + const char *from_host, *from_ip; + + from_host = get_canonical_hostname(options.use_dns); + from_ip = get_remote_ipaddr(); +#endif /* HAVE_LOGIN_CAP || LOGIN_ACCESS */ if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); -@@ -187,6 +197,41 @@ +@@ -178,6 +188,41 @@ "(%s,%s) -> (%s,%s)", authctxt->user, authctxt->service, user, service); } + +#ifdef HAVE_LOGIN_CAP + if (authctxt->pw != NULL) { + lc = login_getpwclass(authctxt->pw); + if (lc == NULL) + lc = login_getclassbyname(NULL, authctxt->pw); + if (!auth_hostok(lc, from_host, from_ip)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } + if (!auth_timeok(lc, time(NULL))) { + logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", + authctxt->pw->pw_name, from_host); + packet_disconnect("Logins not available right now."); + } + login_close(lc); + lc = NULL; + } +#endif /* HAVE_LOGIN_CAP */ +#ifdef LOGIN_ACCESS + if (authctxt->pw != NULL && + !login_access(authctxt->pw->pw_name, from_host)) { + logit("Denied connection for %.200s from %.200s [%.200s].", + authctxt->pw->pw_name, from_host, from_ip); + packet_disconnect("Sorry, you are not allowed to connect."); + } +#endif /* LOGIN_ACCESS */ +#ifdef BSD_AUTH + if (authctxt->as) { + auth_close(authctxt->as); + authctxt->as = NULL; + } +#endif + /* reset state */ auth2_challenge_stop(authctxt); Property changes on: head/security/openssh-portable/files/patch-auth2.c ___________________________________________________________________ 
Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.3 \ No newline at end of property +1.4 \ No newline at end of property Index: head/security/openssh-portable/files/patch-clientloop.c =================================================================== --- head/security/openssh-portable/files/patch-clientloop.c (revision 118776) +++ head/security/openssh-portable/files/patch-clientloop.c (revision 118777) @@ -1,11 +1,11 @@ ---- clientloop.c.orig Fri Apr 20 09:17:51 2001 -+++ clientloop.c Sat May 26 15:18:51 2001 -@@ -1131,7 +1131,7 @@ +--- clientloop.c.orig Fri Aug 13 13:18:01 2004 ++++ clientloop.c Mon Sep 20 05:04:48 2004 +@@ -1581,7 +1581,7 @@ if (strcmp(ctype, "forwarded-tcpip") == 0) { c = client_request_forwarded_tcpip(ctype, rchan); - } else if (strcmp(ctype, "x11") == 0) { + } else if (strcmp(ctype, "x11") == 0 && options.forward_x11) { c = client_request_x11(ctype, rchan); } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) { c = client_request_agent(ctype, rchan); Property changes on: head/security/openssh-portable/files/patch-clientloop.c ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.1 \ No newline at end of property +1.2 \ No newline at end of property Index: head/security/openssh-portable/files/patch-loginrec.c =================================================================== --- head/security/openssh-portable/files/patch-loginrec.c (revision 118776) +++ head/security/openssh-portable/files/patch-loginrec.c (revision 118777) 
@@ -1,25 +1,25 @@ ---- loginrec.c.orig Thu Sep 26 02:38:49 2002 -+++ loginrec.c Mon Oct 21 06:51:34 2002 -@@ -172,6 +172,9 @@ +--- loginrec.c.orig Sun Aug 15 11:12:52 2004 ++++ loginrec.c Mon Sep 20 05:04:48 2004 +@@ -167,6 +167,9 @@ #ifdef HAVE_LIBUTIL_H # include #endif +#ifdef __FreeBSD__ +#include +#endif /** ** prototypes for helper functions in this file -@@ -654,7 +657,12 @@ +@@ -657,7 +660,12 @@ /* Use strncpy because we don't necessarily want null termination */ strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username)); # ifdef HAVE_HOST_IN_UTMP +# if defined(__FreeBSD__) && __FreeBSD_version <= 400000 strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname)); +# else + realhostname_sa(ut->ut_host, sizeof ut->ut_host, + &li->hostaddr.sa, li->hostaddr.sa.sa_len); +# endif # endif # ifdef HAVE_ADDR_IN_UTMP /* this is just a 32-bit IP address */ Property changes on: head/security/openssh-portable/files/patch-loginrec.c ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.3 \ No newline at end of property +1.4 \ No newline at end of property Index: head/security/openssh-portable/files/patch-sshd_config =================================================================== --- head/security/openssh-portable/files/patch-sshd_config (revision 118776) +++ head/security/openssh-portable/files/patch-sshd_config (revision 118777) @@ -1,18 +1,18 @@ ---- sshd_config.orig Tue Sep 2 14:51:18 2003 -+++ sshd_config Tue Sep 16 20:05:44 2003 +--- sshd_config.orig Mon May 24 02:36:24 2004 ++++ sshd_config Mon Sep 20 05:04:48 2004 
@@ -34,6 +34,7 @@ #LoginGraceTime 2m #PermitRootLogin yes +PermitRootLogin no #StrictModes yes + #MaxAuthTries 6 - #RSAAuthentication yes -@@ -56,6 +57,7 @@ +@@ -57,6 +58,7 @@ # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes +ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no Property changes on: head/security/openssh-portable/files/patch-sshd_config ___________________________________________________________________ Modified: cvs2svn:cvs-rev ## -1 +1 ## -1.3 \ No newline at end of property +1.4 \ No newline at end of property