[packages/openssh-legacy] Minimal package with ssh clients that still support DSA.

arekm arekm at pld-linux.org
Tue Jul 2 20:04:04 CEST 2024


commit 98701b806e5858aca04666589d6214753e68acd1
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Tue Jul 2 19:46:09 2024 +0200

    Minimal package with ssh clients that still support DSA.

 branch.sh                  |   35 -
 openssh-5.2p1-hpn13v6.diff | 3695 --------------------------------------------
 openssh-disable_ldap.patch |   12 -
 openssh-legacy.spec        |  359 +++++
 openssh-lpk.schema         |   19 -
 openssh.spec               |  903 -----------
 openssh.sysconfig          |    7 -
 opensshd.init              |  156 --
 opensshd.pamd              |   14 -
 pld-ssh_config             |   14 -
 pld-sshd_config            |   12 -
 ssh-agent.conf             |   19 -
 ssh-agent.sh               |   28 -
 sshd-keygen                |   19 -
 sshd.service               |   14 -
 sshd.socket                |   10 -
 sshd@.service              |    9 -
 17 files changed, 359 insertions(+), 4966 deletions(-)
---
diff --git a/openssh-legacy.spec b/openssh-legacy.spec
new file mode 100644
index 0000000..10efe24
--- /dev/null
+++ b/openssh-legacy.spec
@@ -0,0 +1,359 @@
+# Conditional build:
+%bcond_with	ldns		# DNSSEC support via libldns
+%bcond_without	libedit		# libedit (editline/history support in sftp client)
+%bcond_without	kerberos5	# Kerberos5 support
+%bcond_without	selinux		# SELinux support
+%bcond_without	libseccomp	# use libseccomp for seccomp privsep (requires 3.5 kernel)
+%bcond_with	tests		# test suite
+%bcond_with	tests_conch	# run conch interoperability tests
+
+%define		pam_ver	1:1.1.8-5
+
+Summary:	OpenSSH free Secure Shell (SSH) implementation
+Summary(de.UTF-8):	OpenSSH - freie Implementation der Secure Shell (SSH)
+Summary(es.UTF-8):	Implementación libre de SSH
+Summary(fr.UTF-8):	Implémentation libre du shell sécurisé OpenSSH (SSH)
+Summary(it.UTF-8):	Implementazione gratuita OpenSSH della Secure Shell
+Summary(pl.UTF-8):	Publicznie dostępna implementacja bezpiecznego shella (SSH)
+Summary(pt.UTF-8):	Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH)
+Summary(pt_BR.UTF-8):	Implementação livre do SSH
+Summary(ru.UTF-8):	OpenSSH - свободная реализация протокола Secure Shell (SSH)
+Summary(uk.UTF-8):	OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
+Name:		openssh-legacy
+# Upgrade only to versions that support DSA keys
+Version:	9.8p1
+Release:	1
+License:	BSD
+Group:		Applications/Networking
+Source0:	https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+# Source0-md5:	bc04ff77796758c0b37bd0bc9314cd3f
+Patch0:		openssh-no-pty-tests.patch
+Patch1:		openssh-tests-reuseport.patch
+Patch2:		openssh-pam_misc.patch
+Patch3:		openssh-sigpipe.patch
+# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
+Patch4:		openssh-ldap.patch
+Patch5:		openssh-ldap-fixes.patch
+Patch6:		ldap.conf.patch
+Patch7:		openssh-config.patch
+Patch8:		ldap-helper-sigpipe.patch
+
+Patch11:	openssh-chroot.patch
+
+Patch13:	openssh-skip-interop-tests.patch
+Patch14:	openssh-bind.patch
+URL:		http://www.openssh.com/portable.html
+BuildRequires:	%{__perl}
+BuildRequires:	autoconf >= 2.50
+BuildRequires:	automake
+%{?with_libedit:BuildRequires:	libedit-devel}
+BuildRequires:	libfido2-devel >= 1.5.0
+%{?with_libseccomp:BuildRequires:	libseccomp-devel}
+%{?with_selinux:BuildRequires:	libselinux-devel}
+%{?with_ldap:BuildRequires:	openldap-devel}
+BuildRequires:	openssl-devel >= 1.1.1
+BuildRequires:	pam-devel
+%if %{with tests} && %{with tests_conch}
+BuildRequires:	python-TwistedConch
+%endif
+BuildRequires:	rpm >= 4.4.9-56
+BuildRequires:	rpm-build >= 4.6
+BuildRequires:	rpmbuild(macros) >= 1.752
+BuildRequires:	sed >= 4.0
+BuildRequires:	zlib-devel >= 1.2.3
+%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?)
+BuildRequires:	%{name}-server
+%endif
+%if %{with tests} && %{with libseccomp}
+# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag
+BuildRequires:	uname(release) >= 3.5
+%endif
+Requires:	zlib >= 1.2.3
+Obsoletes:	ssh
+BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+
+%define		_sysconfdir	/etc/ssh
+%define		_libexecdir	%{_libdir}/%{name}
+%define		_privsepdir	/usr/share/empty
+
+%description
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
+it up to date in terms of security and features, as well as removing
+all patented algorithms to seperate libraries (OpenSSL).
+
+This package includes the core files necessary for both the OpenSSH
+client and server. To make this package useful, you should also
+install openssh-clients, openssh-server, or both.
+
+%description -l de.UTF-8
+OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es
+ersetzt telnet, rlogin, rexec und rsh und stellt eine sichere,
+verschlüsselte Verbindung zwischen zwei nicht vertrauenswürdigen Hosts
+über eine unsicheres Netzwerk her. X11 Verbindungen und beliebige
+andere TCP/IP Ports können ebenso über den sicheren Channel
+weitergeleitet werden.
+
+%description -l es.UTF-8
+SSH es un programa para accesar y ejecutar órdenes en computadores
+remotos. Sustituye rlogin y rsh, y suministra un canal de comunicación
+seguro entre dos servidores en una red insegura. Conexiones X11 y
+puertas TCP/IP arbitrárias también pueden ser usadas por el canal
+seguro.
+
+OpenSSH es el resultado del trabajo del equipo de OpenBSD para
+continuar la última versión gratuita de SSH, actualizándolo en
+términos de seguridad y recursos,así también eliminando todos los
+algoritmos patentados y colocándolos en bibliotecas separadas
+(OpenSSL).
+
+Este paquete contiene "port" para Linux de OpenSSH. Se debe instalar
+también el paquete openssh-clients u openssh-server o ambos.
+
+%description -l fr.UTF-8
+OpenSSH (Secure Shell) fournit un accès à un système distant. Il
+remplace telnet, rlogin, rexec et rsh, tout en assurant des
+communications cryptées securisées entre deux hôtes non fiabilisés sur
+un réseau non sécurisé. Des connexions X11 et des ports TCP/IP
+arbitraires peuvent également être transmis sur le canal sécurisé.
+
+%description -l it.UTF-8
+OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
+Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni
+sicure e crittate tra due host non fidati su una rete non sicura. Le
+connessioni X11 ad una porta TCP/IP arbitraria possono essere
+inoltrate attraverso un canale sicuro.
+
+%description -l pl.UTF-8
+Ssh (Secure Shell) to program służący do logowania się na zdalną
+maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
+zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
+pomiędzy dwoma hostami.
+
+Ten pakiet zawiera podstawowe pliki potrzebne zarówno po stronie
+klienta jak i serwera OpenSSH. Aby był użyteczny, trzeba zainstalować
+co najmniej jeden z pakietów: openssh-clients lub openssh-server.
+
+%description -l pt.UTF-8
+OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
+telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e
+cifradas entre duas máquinas sem confiança mútua sobre uma rede
+insegura. Ligações X11 e portos TCP/IP arbitrários também poder ser
+reenviados pelo canal seguro.
+
+%description -l pt_BR.UTF-8
+SSH é um programa para acessar e executar comandos em máquinas
+remotas. Ele substitui rlogin e rsh, e provem um canal de comunicação
+seguro entre dois hosts em uma rede insegura. Conexões X11 e portas
+TCP/IP arbitrárias também podem ser usadas pelo canal seguro.
+
+OpenSSH é o resultado do trabalho da equipe do OpenBSD em continuar a
+última versão gratuita do SSH, atualizando-o em termos de segurança e
+recursos, assim como removendo todos os algoritmos patenteados e
+colocando-os em bibliotecas separadas (OpenSSL).
+
+Esse pacote contém o "port" pra Linux do OpenSSH. Você deve instalar
+também ou o pacote openssh-clients, ou o openssh-server, ou ambos.
+
+%description -l ru.UTF-8
+Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
+машину и для выполнения команд на удаленной машине. Она предназначена
+для замены rlogin и rsh и обеспечивает безопасную шифрованную
+коммуникацию между двумя хостами в сети, являющейся небезопасной.
+Соединения X11 и любые порты TCP/IP могут также быть проведены через
+безопасный канал.
+
+OpenSSH - это переделка командой разработчиков OpenBSD последней
+свободной версии SSH, доведенная до современного состояния в терминах
+уровня безопасности и поддерживаемых возможностей. Все патентованные
+алгоритмы вынесены в отдельные библиотеки (OpenSSL).
+
+Этот пакет содержит файлы, необходимые как для клиента, так и для
+сервера OpenSSH. Вам нужно будет установить еще openssh-clients,
+openssh-server, или оба пакета.
+
+%description -l uk.UTF-8
+Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
+машини та для виконання команд на віддаленій машині. Вона призначена
+для заміни rlogin та rsh і забезпечує безпечну шифровану комунікацію
+між двома хостами в мережі, яка не є безпечною. З'єднання X11 та
+довільні порти TCP/IP можуть також бути проведені через безпечний
+канал.
+
+OpenSSH - це переробка командою розробників OpenBSD останньої вільної
+версії SSH, доведена до сучасного стану в термінах рівня безпеки та
+підтримуваних можливостей. Всі патентовані алгоритми винесені до
+окремих бібліотек (OpenSSL).
+
+Цей пакет містить файли, необхідні як для клієнта, так і для сервера
+OpenSSH. Вам потрібно буде ще встановити openssh-clients,
+openssh-server, чи обидва пакети.
+
+%package clients
+Summary:	OpenSSH Secure Shell protocol clients
+Summary(es.UTF-8):	Clientes de OpenSSH
+Summary(pl.UTF-8):	Klienci protokołu Secure Shell
+Summary(pt_BR.UTF-8):	Clientes do OpenSSH
+Summary(ru.UTF-8):	OpenSSH - клиенты протокола Secure Shell
+Summary(uk.UTF-8):	OpenSSH - клієнти протоколу Secure Shell
+Group:		Applications/Networking
+Requires:	%{name} = %{epoch}:%{version}-%{release}
+Suggests:	%{name}-clients-helper-fido = %{epoch}:%{version}-%{release}
+%requires_eq_to	openssl%{?_isa}	openssl-devel
+
+%description clients
+Ssh (Secure Shell) a program for logging into a remote machine and for
+executing commands in a remote machine. It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
+it up to date in terms of security and features, as well as removing
+all patented algorithms to seperate libraries (OpenSSL).
+
+This package includes the clients necessary to make encrypted
+connections to SSH servers.
+
+%description clients -l es.UTF-8
+Este paquete incluye los clientes que se necesitan para hacer
+conexiones codificadas con servidores SSH.
+
+%description clients -l pl.UTF-8
+Ssh (Secure Shell) to program służący do logowania się na zdalną
+maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
+zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
+pomiędzy dwoma hostami.
+
+Ten pakiet zawiera klientów służących do łączenia się z serwerami SSH.
+
+%description clients -l pt_BR.UTF-8
+Esse pacote inclui os clientes necessários para fazer conexões
+encriptadas com servidores SSH.
+
+%description clients -l ru.UTF-8
+Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
+машину и для выполнения команд на удаленной машине.
+
+Этот пакет содержит программы-клиенты, необходимые для установления
+зашифрованных соединений с серверами SSH.
+
+%description clients -l uk.UTF-8
+Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
+машини та для виконання команд на віддаленій машині.
+
+Цей пакет містить програми-клієнти, необхідні для встановлення
+зашифрованих з'єднань з серверами SSH.
+
+%prep
+%setup -q -n openssh-%{version}
+#%%patch100 -p1
+
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+
+%patch11 -p1
+
+%patch13 -p1
+
+%patch14 -p1
+
+# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
+sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
+
+# prevent being ovewritten by aclocal calls
+%{__mv} aclocal.m4 acinclude.m4
+
+%build
+%{__aclocal}
+%{__autoconf}
+%{__autoheader}
+CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
+%configure \
+	PERL=%{__perl} \
+	--disable-strip \
+	--enable-utmpx \
+	--enable-wtmpx \
+	--enable-dsa-keys \
+	--with-4in6 \
+	--without-audit \
+	--with-ipaddr-display \
+	%{?with_kerberos5:--with-kerberos5=/usr} \
+	--without-ldap \
+	%{?with_ldns:--with-ldns} \
+	%{?with_libedit:--with-libedit} \
+	--with-mantype=doc \
+	--with-pam \
+	--with-pid-dir=%{_localstatedir}/run \
+	--with-privsep-path=%{_privsepdir} \
+	--with-privsep-user=sshd \
+	--with-security-key-builtin \
+	%{?with_selinux:--with-selinux} \
+%if %{with libseccomp}
+	--with-sandbox=seccomp_filter \
+%else
+	--with-sandbox=rlimit \
+%endif
+	--with-xauth=%{_bindir}/xauth
+
+%{__make} ssh scp sftp ssh-keygen ssh-keyscan ssh-keysign
+
+%if %{with tests}
+%{__make} -j1 tests \
+	TEST_SSH_PORT=$((4242 + ${RANDOM:-$$} % 1000)) \
+	TEST_SSH_TRACE="yes" \
+%if %{without tests_conch}
+	SKIP_LTESTS="conch-ciphers"
+%endif
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT{%{_bindir},%{_mandir}/man{1,8}}
+
+for bin in ssh scp sftp ssh-keygen ssh-keyscan ssh-keysign; do
+	cp -a ${bin} $RPM_BUILD_ROOT%{_bindir}/${bin}-legacy
+done
+for man1 in ssh scp sftp ssh-keygen ssh-keyscan; do
+	man=$(basename ${man1} .1)
+	cp -a ${man}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${man}-legacy.1
+done
+
+cp -a ssh-keysign.8 $RPM_BUILD_ROOT%{_mandir}/man8/ssh-keysign-legacy.8
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post clients
+%env_update
+
+%postun clients
+%env_update
+
+%files clients
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_bindir}/scp-legacy
+%attr(755,root,root) %{_bindir}/sftp-legacy
+%attr(755,root,root) %{_bindir}/ssh-keygen-legacy
+%attr(755,root,root) %{_bindir}/ssh-keyscan-legacy
+%attr(755,root,root) %{_bindir}/ssh-keysign-legacy
+%attr(755,root,root) %{_bindir}/ssh-legacy
+%{_mandir}/man1/scp-legacy.1*
+%{_mandir}/man1/sftp-legacy.1*
+%{_mandir}/man1/ssh-keygen-legacy.1*
+%{_mandir}/man1/ssh-keyscan-legacy.1*
+%{_mandir}/man1/ssh-legacy.1*
+%{_mandir}/man8/ssh-keysign-legacy.8*
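Review bot: the `clients` subpackage declares `Requires: %{name} = %{epoch}:%{version}-%{release}`, but this spec has no `Epoch:` tag and no `%files` section for the main package, so rpmbuild produces no `openssh-legacy` package and the dependency of `openssh-legacy-clients` cannot be satisfied. Either drop that `Requires:` (together with the `Suggests:` on `%{name}-clients-helper-fido`, a subpackage this spec never defines) or move the file list into a plain `%files` for the main package. In `%install`, `ssh-keysign` is copied to `%{_bindir}/ssh-keysign-legacy` with mode 755 while `_libexecdir` stays `%{_libdir}/%{name}`; ssh looks for its keysign helper under libexecdir and the helper needs to be setuid to read host keys, so this copy will not be used by `ssh-legacy` and should either be installed where the client expects it or left out. Smaller leftovers from the full spec that could be removed: `%{?with_ldap:BuildRequires: openldap-devel}` with no `ldap` bcond defined, the LDAP patches still applied alongside `--without-ldap`, the unused `pam_ver` define, and the `%env_update` scriptlets when no environment file is packaged.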
diff --git a/openssh.spec b/openssh.spec
deleted file mode 100644
index e6dc790..0000000
--- a/openssh.spec
+++ /dev/null
@@ -1,903 +0,0 @@
-# TODO:
-# - add trigger to enable this:
-#  * sshd(8): This release turns on pre-auth sandboxing sshd by default for
-#   new installs, by setting UsePrivilegeSeparation=sandbox in sshd_config.
-#
-# Conditional build:
-%bcond_without	audit		# sshd audit support
-%bcond_with	gnome		# gnome-askpass (GNOME 1.x) utility
-%bcond_without	gtk		# gnome-askpass (GTK+ 2.x) utility
-%bcond_without	ldap		# LDAP support
-%bcond_with	ldns		# DNSSEC support via libldns
-%bcond_without	libedit		# libedit (editline/history support in sftp client)
-%bcond_without	kerberos5	# Kerberos5 support
-%bcond_without	selinux		# SELinux support
-%bcond_without	libseccomp	# use libseccomp for seccomp privsep (requires 3.5 kernel)
-%bcond_with	hpn		# High Performance SSH/SCP - HPN-SSH including Cipher NONE (broken too often)
-%bcond_without	tests		# test suite
-%bcond_with	tests_conch	# run conch interoperability tests
-
-# gtk2-based gnome-askpass means no gnome1-based
-%{?with_gtk:%undefine with_gnome}
-
-%if "%{pld_release}" == "ac"
-%define		pam_ver	0.79.0
-%else
-%define		pam_ver	1:1.1.8-5
-%endif
-Summary:	OpenSSH free Secure Shell (SSH) implementation
-Summary(de.UTF-8):	OpenSSH - freie Implementation der Secure Shell (SSH)
-Summary(es.UTF-8):	Implementación libre de SSH
-Summary(fr.UTF-8):	Implémentation libre du shell sécurisé OpenSSH (SSH)
-Summary(it.UTF-8):	Implementazione gratuita OpenSSH della Secure Shell
-Summary(pl.UTF-8):	Publicznie dostępna implementacja bezpiecznego shella (SSH)
-Summary(pt.UTF-8):	Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH)
-Summary(pt_BR.UTF-8):	Implementação livre do SSH
-Summary(ru.UTF-8):	OpenSSH - свободная реализация протокола Secure Shell (SSH)
-Summary(uk.UTF-8):	OpenSSH - вільна реалізація протоколу Secure Shell (SSH)
-Name:		openssh
-Version:	9.8p1
-Release:	1
-Epoch:		2
-License:	BSD
-Group:		Applications/Networking
-Source0:	https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/%{name}-%{version}.tar.gz
-# Source0-md5:	bc04ff77796758c0b37bd0bc9314cd3f
-Source1:	http://www.mif.pg.gda.pl/homepages/ankry/man-PLD/%{name}-non-english-man-pages.tar.bz2
-# Source1-md5:	66943d481cc422512b537bcc2c7400d1
-Source2:	%{name}d.init
-Source3:	%{name}d.pamd
-Source4:	%{name}.sysconfig
-Source5:	ssh-agent.sh
-Source6:	ssh-agent.conf
-Source7:	%{name}-lpk.schema
-Source9:	sshd.service
-Source10:	sshd-keygen
-Source11:	sshd.socket
-Source12:	sshd at .service
-Source13:	pld-ssh_config
-Source14:	pld-sshd_config
-Patch100:	%{name}-git.patch
-# Patch100-md5:	eb723cc4f21efc32752161d539c9c5e9
-Patch0:		%{name}-no-pty-tests.patch
-Patch1:		%{name}-tests-reuseport.patch
-Patch2:		%{name}-pam_misc.patch
-Patch3:		%{name}-sigpipe.patch
-# http://pkgs.fedoraproject.org/gitweb/?p=openssh.git;a=tree
-Patch4:		%{name}-ldap.patch
-Patch5:		%{name}-ldap-fixes.patch
-Patch6:		ldap.conf.patch
-Patch7:		%{name}-config.patch
-Patch8:		ldap-helper-sigpipe.patch
-# High Performance SSH/SCP - HPN-SSH - http://www.psc.edu/networking/projects/hpn-ssh/
-# http://www.psc.edu/networking/projects/hpn-ssh/openssh-5.2p1-hpn13v6.diff.gz
-Patch9:		%{name}-5.2p1-hpn13v6.diff
-
-Patch11:	%{name}-chroot.patch
-
-Patch13:	%{name}-skip-interop-tests.patch
-Patch14:	%{name}-bind.patch
-Patch15:	%{name}-disable_ldap.patch
-URL:		http://www.openssh.com/portable.html
-BuildRequires:	%{__perl}
-%{?with_audit:BuildRequires:	audit-libs-devel}
-BuildRequires:	autoconf >= 2.50
-BuildRequires:	automake
-%{?with_gnome:BuildRequires:	gnome-libs-devel}
-%{?with_gtk:BuildRequires:	gtk+2-devel}
-%{?with_kerberos5:BuildRequires:	heimdal-devel >= 0.7}
-%{?with_ldns:BuildRequires:	ldns-devel}
-%{?with_libedit:BuildRequires:	libedit-devel}
-BuildRequires:	libfido2-devel >= 1.5.0
-%{?with_libseccomp:BuildRequires:	libseccomp-devel}
-%{?with_selinux:BuildRequires:	libselinux-devel}
-%{?with_ldap:BuildRequires:	openldap-devel}
-BuildRequires:	openssl-devel >= 1.1.1
-BuildRequires:	pam-devel
-%{?with_gtk:BuildRequires:	pkgconfig}
-%if %{with tests} && %{with tests_conch}
-BuildRequires:	python-TwistedConch
-%endif
-BuildRequires:	rpm >= 4.4.9-56
-BuildRequires:	rpm-build >= 4.6
-BuildRequires:	rpmbuild(macros) >= 1.752
-BuildRequires:	sed >= 4.0
-BuildRequires:	zlib-devel >= 1.2.3
-%if %{with tests} && 0%(id -u sshd >/dev/null 2>&1; echo $?)
-BuildRequires:	%{name}-server
-%endif
-%if %{with tests} && %{with libseccomp}
-# libseccomp based sandbox requires NO_NEW_PRIVS prctl flag
-BuildRequires:	uname(release) >= 3.5
-%endif
-Requires:	zlib >= 1.2.3
-Obsoletes:	ssh
-BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
-
-%define		_sysconfdir	/etc/ssh
-%define		_libexecdir	%{_libdir}/%{name}
-%define		_privsepdir	/usr/share/empty
-%define		schemadir	/usr/share/openldap/schema
-
-%description
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine. It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network. X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
-it up to date in terms of security and features, as well as removing
-all patented algorithms to seperate libraries (OpenSSL).
-
-This package includes the core files necessary for both the OpenSSH
-client and server. To make this package useful, you should also
-install openssh-clients, openssh-server, or both.
-
-%if %{with hpn}
-This release includes High Performance SSH/SCP patches from
-http://www.psc.edu/networking/projects/hpn-ssh/ which are supposed to
-increase throughput on fast connections with high RTT (20-150 msec).
-See the website for '-w' values for your connection and /proc/sys TCP
-values. BTW. in a LAN you have got generally RTT < 1 msec.
-%endif
-
-%description -l de.UTF-8
-OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es
-ersetzt telnet, rlogin, rexec und rsh und stellt eine sichere,
-verschlüsselte Verbindung zwischen zwei nicht vertrauenswürdigen Hosts
-über eine unsicheres Netzwerk her. X11 Verbindungen und beliebige
-andere TCP/IP Ports können ebenso über den sicheren Channel
-weitergeleitet werden.
-
-%description -l es.UTF-8
-SSH es un programa para accesar y ejecutar órdenes en computadores
-remotos. Sustituye rlogin y rsh, y suministra un canal de comunicación
-seguro entre dos servidores en una red insegura. Conexiones X11 y
-puertas TCP/IP arbitrárias también pueden ser usadas por el canal
-seguro.
-
-OpenSSH es el resultado del trabajo del equipo de OpenBSD para
-continuar la última versión gratuita de SSH, actualizándolo en
-términos de seguridad y recursos,así también eliminando todos los
-algoritmos patentados y colocándolos en bibliotecas separadas
-(OpenSSL).
-
-Este paquete contiene "port" para Linux de OpenSSH. Se debe instalar
-también el paquete openssh-clients u openssh-server o ambos.
-
-%description -l fr.UTF-8
-OpenSSH (Secure Shell) fournit un accès à un système distant. Il
-remplace telnet, rlogin, rexec et rsh, tout en assurant des
-communications cryptées securisées entre deux hôtes non fiabilisés sur
-un réseau non sécurisé. Des connexions X11 et des ports TCP/IP
-arbitraires peuvent également être transmis sur le canal sécurisé.
-
-%description -l it.UTF-8
-OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
-Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni
-sicure e crittate tra due host non fidati su una rete non sicura. Le
-connessioni X11 ad una porta TCP/IP arbitraria possono essere
-inoltrate attraverso un canale sicuro.
-
-%description -l pl.UTF-8
-Ssh (Secure Shell) to program służący do logowania się na zdalną
-maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
-zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
-pomiędzy dwoma hostami.
-
-Ten pakiet zawiera podstawowe pliki potrzebne zarówno po stronie
-klienta jak i serwera OpenSSH. Aby był użyteczny, trzeba zainstalować
-co najmniej jeden z pakietów: openssh-clients lub openssh-server.
-
-%if %{with hpn}
-Ta wersja zawiera łaty z projektu High Performance SSH/SCP
-http://www.psc.edu/networking/projects/hpn-ssh/, które mają na celu
-zwiększenie przepustowości transmisji dla szybkich połączeń z dużym
-RTT (20-150 msec). Na stronie projektu znaleźć można odpowednie dla
-danego połączenia wartości parametru '-w' oraz opcje /proc/sys dla
-TCP. Nawiasem mówiąc w sieciach LAN RTT < 1 msec.
-%endif
-
-%description -l pt.UTF-8
-OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
-telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e
-cifradas entre duas máquinas sem confiança mútua sobre uma rede
-insegura. Ligações X11 e portos TCP/IP arbitrários também poder ser
-reenviados pelo canal seguro.
-
-%description -l pt_BR.UTF-8
-SSH é um programa para acessar e executar comandos em máquinas
-remotas. Ele substitui rlogin e rsh, e provem um canal de comunicação
-seguro entre dois hosts em uma rede insegura. Conexões X11 e portas
-TCP/IP arbitrárias também podem ser usadas pelo canal seguro.
-
-OpenSSH é o resultado do trabalho da equipe do OpenBSD em continuar a
-última versão gratuita do SSH, atualizando-o em termos de segurança e
-recursos, assim como removendo todos os algoritmos patenteados e
-colocando-os em bibliotecas separadas (OpenSSL).
-
-Esse pacote contém o "port" pra Linux do OpenSSH. Você deve instalar
-também ou o pacote openssh-clients, ou o openssh-server, ou ambos.
-
-%description -l ru.UTF-8
-Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
-машину и для выполнения команд на удаленной машине. Она предназначена
-для замены rlogin и rsh и обеспечивает безопасную шифрованную
-коммуникацию между двумя хостами в сети, являющейся небезопасной.
-Соединения X11 и любые порты TCP/IP могут также быть проведены через
-безопасный канал.
-
-OpenSSH - это переделка командой разработчиков OpenBSD последней
-свободной версии SSH, доведенная до современного состояния в терминах
-уровня безопасности и поддерживаемых возможностей. Все патентованные
-алгоритмы вынесены в отдельные библиотеки (OpenSSL).
-
-Этот пакет содержит файлы, необходимые как для клиента, так и для
-сервера OpenSSH. Вам нужно будет установить еще openssh-clients,
-openssh-server, или оба пакета.
-
-%description -l uk.UTF-8
-Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
-машини та для виконання команд на віддаленій машині. Вона призначена
-для заміни rlogin та rsh і забезпечує безпечну шифровану комунікацію
-між двома хостами в мережі, яка не є безпечною. З'єднання X11 та
-довільні порти TCP/IP можуть також бути проведені через безпечний
-канал.
-
-OpenSSH - це переробка командою розробників OpenBSD останньої вільної
-версії SSH, доведена до сучасного стану в термінах рівня безпеки та
-підтримуваних можливостей. Всі патентовані алгоритми винесені до
-окремих бібліотек (OpenSSL).
-
-Цей пакет містить файли, необхідні як для клієнта, так і для сервера
-OpenSSH. Вам потрібно буде ще встановити openssh-clients,
-openssh-server, чи обидва пакети.
-
-%package clients
-Summary:	OpenSSH Secure Shell protocol clients
-Summary(es.UTF-8):	Clientes de OpenSSH
-Summary(pl.UTF-8):	Klienci protokołu Secure Shell
-Summary(pt_BR.UTF-8):	Clientes do OpenSSH
-Summary(ru.UTF-8):	OpenSSH - клиенты протокола Secure Shell
-Summary(uk.UTF-8):	OpenSSH - клієнти протоколу Secure Shell
-Group:		Applications/Networking
-Requires:	%{name} = %{epoch}:%{version}-%{release}
-Suggests:	%{name}-clients-helper-fido = %{epoch}:%{version}-%{release}
-Provides:	ssh-clients
-Obsoletes:	ssh-clients
-%requires_eq_to	openssl%{?_isa}	openssl-devel
-
-%description clients
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine. It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network. X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
-it up to date in terms of security and features, as well as removing
-all patented algorithms to seperate libraries (OpenSSL).
-
-This package includes the clients necessary to make encrypted
-connections to SSH servers.
-
-%description clients -l es.UTF-8
-Este paquete incluye los clientes que se necesitan para hacer
-conexiones codificadas con servidores SSH.
-
-%description clients -l pl.UTF-8
-Ssh (Secure Shell) to program służący do logowania się na zdalną
-maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
-zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
-pomiędzy dwoma hostami.
-
-Ten pakiet zawiera klientów służących do łączenia się z serwerami SSH.
-
-%description clients -l pt_BR.UTF-8
-Esse pacote inclui os clientes necessários para fazer conexões
-encriptadas com servidores SSH.
-
-%description clients -l ru.UTF-8
-Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
-машину и для выполнения команд на удаленной машине.
-
-Этот пакет содержит программы-клиенты, необходимые для установления
-зашифрованных соединений с серверами SSH.
-
-%description clients -l uk.UTF-8
-Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
-машини та для виконання команд на віддаленій машині.
-
-Цей пакет містить програми-клієнти, необхідні для встановлення
-зашифрованих з'єднань з серверами SSH.
-
-%package clients-agent-profile_d
-Summary:	OpenSSH Secure Shell agent init script
-Summary(pl.UTF-8):	Skrypt startowy agenta OpenSSH
-Group:		Applications/Networking
-Requires:	%{name}-clients = %{epoch}:%{version}-%{release}
-
-%description clients-agent-profile_d
-profile.d scripts for starting SSH agent.
-
-%description clients-agent-profile_d -l pl.UTF-8
-Skrypty profile.d do uruchamiania agenta SSH.
-
-%package clients-agent-xinitrc
-Summary:	OpenSSH Secure Shell agent init script
-Summary(pl.UTF-8):	Skrypt inicjujący agenta ssh przez xinitrc
-Group:		Applications/Networking
-Requires:	%{name}-clients-agent-profile_d = %{epoch}:%{version}-%{release}
-Requires:	xinitrc
-
-%description clients-agent-xinitrc
-xinitrc scripts for starting SSH agent.
-
-%description clients-agent-xinitrc -l pl.UTF-8
-Skrypty xinitrc do uruchamiania agenta SSH.
-
-%package clients-helper-fido
-Summary:	OpenSSH helper for FIDO authenticator
-Summary(pl.UTF-8):	OpenSSH helper obsługujący klucz autoryzujący FIDO
-Group:		Applications/Networking
-Requires:	%{name}-clients = %{epoch}:%{version}-%{release}
-Requires:	libfido2 >= 1.5.0
-
-%description clients-helper-fido
-OpenSSH helper for FIDO authenticator.
-
-%description clients-helper-fido -l pl.UTF-8
-OpenSSH helper obsługujący klucz autoryzujący FIDO.
-
-%package server
-Summary:	OpenSSH Secure Shell protocol server (sshd)
-Summary(de.UTF-8):	OpenSSH Secure Shell Protocol-Server (sshd)
-Summary(es.UTF-8):	Servidor OpenSSH para comunicaciones codificadas
-Summary(fr.UTF-8):	Serveur de protocole du shell sécurisé OpenSSH (sshd)
-Summary(it.UTF-8):	Server OpenSSH per il protocollo Secure Shell (sshd)
-Summary(pl.UTF-8):	Serwer protokołu Secure Shell (sshd)
-Summary(pt.UTF-8):	Servidor do protocolo 'Secure Shell' OpenSSH (sshd)
-Summary(pt_BR.UTF-8):	Servidor OpenSSH para comunicações encriptadas
-Summary(ru.UTF-8):	OpenSSH - сервер протокола Secure Shell (sshd)
-Summary(uk.UTF-8):	OpenSSH - сервер протоколу Secure Shell (sshd)
-Group:		Networking/Daemons
-Requires(post):	/sbin/chkconfig
-Requires(post):	grep
-Requires(post,preun):	/sbin/chkconfig
-Requires(postun):	/usr/sbin/userdel
-Requires(pre):	/bin/id
-Requires(pre):	/usr/sbin/useradd
-Requires(post,preun,postun):	systemd-units >= 38
-Requires:	%{name} = %{epoch}:%{version}-%{release}
-%if "%{pld_release}" == "ac"
-Requires:	filesystem >= 2.0-1
-Requires:	pam >= 0.79.0
-%else
-Requires:	filesystem >= 3.0-11
-Requires:	pam >= %{pam_ver}
-Suggests:	xorg-app-xauth
-%endif
-Requires:	rc-scripts >= 0.4.3.0
-Requires:	systemd-units >= 38
-%{?with_libseccomp:Requires:	uname(release) >= 3.5}
-Requires:	util-linux
-%{?with_ldap:Suggests:	%{name}-server-ldap}
-Suggests:	/bin/login
-Suggests:	xorg-app-xauth
-Provides:	ssh-server
-Provides:	user(sshd)
-%requires_eq_to	openssl%{?_isa}	openssl-devel
-
-%description server
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine. It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network. X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
-it up to date in terms of security and features, as well as removing
-all patented algorithms to seperate libraries (OpenSSL).
-
-This package contains the secure shell daemon. The sshd is the server
-part of the secure shell protocol and allows ssh clients to connect to
-your host.
-
-%description server -l de.UTF-8
-Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
-
-%description server -l es.UTF-8
-Este paquete contiene el servidor SSH. sshd es la parte servidor del
-protocolo secure shell y permite que clientes ssh se conecten a su
-servidor.
-
-%description server -l fr.UTF-8
-Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
-
-%description server -l it.UTF-8
-Questo pacchetto installa sshd, il server di OpenSSH.
-
-%description server -l pl.UTF-8
-Ssh (Secure Shell) to program służący do logowania się na zdalną
-maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
-zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
-pomiędzy dwoma hostami.
-
-Ten pakiet zawiera serwer sshd (do którego mogą łączyć się klienci
-ssh).
-
-%description server -l pt.UTF-8
-Este pacote intala o sshd, o servidor do OpenSSH.
-
-%description server -l pt_BR.UTF-8
-Esse pacote contém o servidor SSH. O sshd é a parte servidor do
-protocolo secure shell e permite que clientes ssh se conectem ao seu
-host.
-
-%description server -l ru.UTF-8
-Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
-машину и для выполнения команд на удаленной машине.
-
-Этот пакет содержит sshd - "демон" Secure Shell. sshd - это серверная
-часть протокола Secure Shell, позволяющая клиентам ssh соединяться с
-вашим хостом.
-
-%description server -l uk.UTF-8
-Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
-машини та для виконання команд на віддаленій машині.
-
-Цей пакет містить sshd - "демон" Secure Shell. sshd - це серверна
-частина протоколу Secure Shell, яка дозволяє клієнтам ssh зв'язуватись
-з вашим хостом.
-
-%package server-ldap
-Summary:	A LDAP support for open source SSH server daemon
-Summary(pl.UTF-8):	Wsparcie LDAP dla serwera OpenSSH
-Group:		Daemons
-Requires:	%{name} = %{epoch}:%{version}-%{release}
-Requires:	openldap-nss-config
-
-%description server-ldap
-OpenSSH LDAP backend is a way how to distribute the authorized tokens
-among the servers in the network.
-
-%description server-ldap -l pl.UTF-8
-Backend LDAP dla OpenSSH to metoda rozprowadzania autoryzowanych
-tokenów między serwerami w sieci.
-
-%package gnome-askpass
-Summary:	OpenSSH GNOME passphrase dialog
-Summary(de.UTF-8):	OpenSSH GNOME Passwort-Dialog
-Summary(es.UTF-8):	Diálogo para introducción de passphrase para GNOME
-Summary(fr.UTF-8):	Dialogue pass-phrase GNOME d'OpenSSH
-Summary(it.UTF-8):	Finestra di dialogo GNOME per la frase segreta di OpenSSH
-Summary(pl.UTF-8):	Odpytywacz hasła OpenSSH dla GNOME
-Summary(pt.UTF-8):	Diálogo de pedido de senha para GNOME do OpenSSH
-Summary(pt_BR.UTF-8):	Diálogo para entrada de passphrase para GNOME
-Summary(ru.UTF-8):	OpenSSH - диалог ввода ключевой фразы (passphrase) для GNOME
-Summary(uk.UTF-8):	OpenSSH - діалог вводу ключової фрази (passphrase) для GNOME
-Group:		Applications/Networking
-Requires:	%{name} = %{epoch}:%{version}-%{release}
-Obsoletes:	openssh-askpass
-Obsoletes:	ssh-askpass
-Obsoletes:	ssh-extras
-
-%description gnome-askpass
-Ssh (Secure Shell) a program for logging into a remote machine and for
-executing commands in a remote machine. It is intended to replace
-rlogin and rsh, and provide secure encrypted communications between
-two untrusted hosts over an insecure network. X11 connections and
-arbitrary TCP/IP ports can also be forwarded over the secure channel.
-
-OpenSSH is OpenBSD's rework of the last free version of SSH, bringing
-it up to date in terms of security and features, as well as removing
-all patented algorithms to seperate libraries (OpenSSL).
-
-This package contains the GNOME passphrase dialog.
-
-%description gnome-askpass -l es.UTF-8
-Este paquete contiene un programa que abre una caja de diálogo para
-entrada de passphrase en GNOME.
-
-%description gnome-askpass -l pl.UTF-8
-Ssh (Secure Shell) to program służący do logowania się na zdalną
-maszynę i uruchamiania na niej aplikacji. W zamierzeniu openssh ma
-zastąpić rlogin, rsh i dostarczyć bezpieczne, szyfrowane połączenie
-pomiędzy dwoma hostami.
-
-Ten pakiet zawiera ,,odpytywacz hasła'' dla GNOME.
-
-%description gnome-askpass -l pt_BR.UTF-8
-Esse pacote contém um programa que abre uma caixa de diálogo para
-entrada de passphrase no GNOME.
-
-%description gnome-askpass -l ru.UTF-8
-Ssh (Secure Shell) - это программа для "захода" (login) на удаленную
-машину и для выполнения команд на удаленной машине.
-
-Этот пакет содержит диалог ввода ключевой фразы для использования под
-GNOME.
-
-%description gnome-askpass -l uk.UTF-8
-Ssh (Secure Shell) - це програма для "заходу" (login) до віддаленої
-машини та для виконання команд на віддаленій машині.
-
-Цей пакет містить діалог вводу ключової фрази для використання під
-GNOME.
-
-%package -n openldap-schema-openssh-lpk
-Summary:	OpenSSH LDAP Public Key schema
-Summary(pl.UTF-8):	Schemat klucza publicznego LDAP dla OpenSSH
-Group:		Networking/Daemons
-Requires(post,postun):	sed >= 4.0
-Requires:	openldap-servers
-BuildArch:	noarch
-
-%description -n openldap-schema-openssh-lpk
-This package contains OpenSSH LDAP Public Key schema for openldap.
-
-%description -n openldap-schema-openssh-lpk -l pl.UTF-8
-Ten pakiet zawiera schemat klucza publicznego LDAP dla OpenSSH dla
-openldap-a.
-
-%prep
-%setup -q
-#%%patch100 -p1
-
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-
-%{?with_hpn:%patch9 -p1}
-
-%patch11 -p1
-
-%patch13 -p1
-
-%patch14 -p1
-%{!?with_ldap:%patch15 -p1}
-
-%if "%{pld_release}" == "ac"
-# fix for missing x11.pc
-%{__sed} -i -e 's/\(`$(PKG_CONFIG) --libs gtk+-2.0\) x11`/\1` -lX11/' contrib/Makefile
-%endif
-
-# hack since arc4random from openbsd-compat needs symbols from libssh and vice versa
-sed -i -e 's#-lssh -lopenbsd-compat#-lssh -lopenbsd-compat -lssh -lopenbsd-compat#g' Makefile*
-
-grep -rl /usr/libexec/openssh/ssh-ldap-helper . | xargs \
-%{__sed} -i -e 's,/usr/libexec/openssh/ssh-ldap-helper,%{_libexecdir}/ssh-ldap-helper,'
-
-# prevent being ovewritten by aclocal calls
-%{__mv} aclocal.m4 acinclude.m4
-
-%build
-%{__aclocal}
-%{__autoconf}
-%{__autoheader}
-CPPFLAGS="%{rpmcppflags} -DCHROOT -std=gnu99"
-%configure \
-	PERL=%{__perl} \
-	--disable-strip \
-	--enable-utmpx \
-	--enable-wtmpx \
-	--with-4in6 \
-	%{?with_audit:--with-audit=linux} \
-	--with-ipaddr-display \
-	%{?with_kerberos5:--with-kerberos5=/usr} \
-	--with-ldap%{!?with_ldap:=no} \
-	%{?with_ldns:--with-ldns} \
-	%{?with_libedit:--with-libedit} \
-	--with-mantype=doc \
-	--with-md5-passwords \
-	--with-pam \
-	--with-pid-dir=%{_localstatedir}/run \
-	--with-privsep-path=%{_privsepdir} \
-	--with-privsep-user=sshd \
-	--with-security-key-builtin \
-	%{?with_selinux:--with-selinux} \
-%if "%{pld_release}" == "ac"
-	--with-xauth=/usr/X11R6/bin/xauth
-%else
-%if %{with libseccomp}
-	--with-sandbox=seccomp_filter \
-%else
-	--with-sandbox=rlimit \
-%endif
-	--with-xauth=%{_bindir}/xauth
-%endif
-
-echo '#define LOGIN_PROGRAM		   "/bin/login"' >>config.h
-
-%{__make}
-
-%if %{with tests}
-%{__make} -j1 tests \
-	TEST_SSH_PORT=$((4242 + ${RANDOM:-$$} % 1000)) \
-	TEST_SSH_TRACE="yes" \
-%if %{without tests_conch}
-	SKIP_LTESTS="conch-ciphers"
-%endif
-%endif
-
-cd contrib
-%if %{with gnome}
-%{__make} gnome-ssh-askpass1 \
-	CC="%{__cc} %{rpmldflags} %{rpmcflags}"
-%endif
-%if %{with gtk}
-%{__make} gnome-ssh-askpass2 \
-	CC="%{__cc} %{rpmldflags} %{rpmcflags}"
-%endif
-
-%install
-rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sysconfdir},/etc/{pam.d,rc.d/init.d,sysconfig,security,env.d}} \
-	$RPM_BUILD_ROOT{%{_libexecdir}/ssh,%{schemadir},%{systemdunitdir}}
-install -d $RPM_BUILD_ROOT%{_sysconfdir}/ssh{,d}_config.d
-install -d $RPM_BUILD_ROOT/etc/{profile.d,X11/xinit/xinitrc.d}
-
-%{__make} install \
-	DESTDIR=$RPM_BUILD_ROOT
-
-bzip2 -dc %{SOURCE1} | tar xf - -C $RPM_BUILD_ROOT%{_mandir}
-
-install -p %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
-cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sshd
-cp -p %{SOURCE4} $RPM_BUILD_ROOT/etc/sysconfig/sshd
-cp -p %{SOURCE5} $RPM_BUILD_ROOT/etc/profile.d
-ln -sf /etc/profile.d/ssh-agent.sh $RPM_BUILD_ROOT/etc/X11/xinit/xinitrc.d/ssh-agent.sh
-cp -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}
-cp -p %{SOURCE13} $RPM_BUILD_ROOT%{_sysconfdir}/ssh_config.d/50-pld.conf
-cp -p %{SOURCE14} $RPM_BUILD_ROOT%{_sysconfdir}/sshd_config.d/50-pld.conf
-cp -p %{SOURCE7} $RPM_BUILD_ROOT%{schemadir}
-
-cp -p %{SOURCE9} %{SOURCE11} %{SOURCE12} $RPM_BUILD_ROOT%{systemdunitdir}
-install -p %{SOURCE10} $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
-
-%{__sed} -i -e 's|@@LIBEXECDIR@@|%{_libexecdir}|g' \
-	$RPM_BUILD_ROOT/etc/rc.d/init.d/sshd \
-	$RPM_BUILD_ROOT%{systemdunitdir}/sshd.service \
-	$RPM_BUILD_ROOT%{systemdunitdir}/sshd at .service \
-	$RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
-
-%if %{with gnome}
-install -p contrib/gnome-ssh-askpass1 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
-%endif
-%if %{with gtk}
-install -p contrib/gnome-ssh-askpass2 $RPM_BUILD_ROOT%{_libexecdir}/ssh/ssh-askpass
-%endif
-%if %{with gnome} || %{with gtk}
-cat << 'EOF' >$RPM_BUILD_ROOT/etc/env.d/GNOME_SSH_ASKPASS_GRAB_SERVER
-#GNOME_SSH_ASKPASS_GRAB_SERVER="true"
-EOF
-cat << 'EOF' >$RPM_BUILD_ROOT/etc/env.d/GNOME_SSH_ASKPASS_GRAB_POINTER
-#GNOME_SSH_ASKPASS_GRAB_POINTER="true"
-EOF
-ln -s %{_libexecdir}/ssh/ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/ssh-askpass
-%endif
-
-install -p contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}
-cp -p contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1
-
-touch $RPM_BUILD_ROOT/etc/security/blacklist.sshd
-
-cat << 'EOF' > $RPM_BUILD_ROOT/etc/env.d/SSH_ASKPASS
-#SSH_ASKPASS="%{_libexecdir}/ssh-askpass"
-EOF
-
-%if "%{pld_release}" == "ac"
-# not present in ac, no point searching it
-%{__sed} -i -e '/pam_keyinit.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
-# openssl on ac does not have OPENSSL_HAS_ECC
-%{__sed} -i -e '/ecdsa/d' $RPM_BUILD_ROOT%{_libexecdir}/sshd-keygen
-%endif
-
-%if %{without audit}
-# remove recording user's login uid to the process attribute
-%{__sed} -i -e '/pam_loginuid.so/d' $RPM_BUILD_ROOT/etc/pam.d/sshd
-%endif
-
-%{__rm} $RPM_BUILD_ROOT%{_mandir}/README.openssh-non-english-man-pages
-%{?with_ldap:%{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/ldap.conf}
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post clients
-%env_update
-
-%postun clients
-%env_update
-
-%post gnome-askpass
-%env_update
-
-%postun gnome-askpass
-%env_update
-
-%pre server
-%useradd -P %{name}-server -u 40 -d %{_privsepdir} -s /bin/false -c "OpenSSH PrivSep User" -g nobody sshd
-
-%post server
-/sbin/chkconfig --add sshd
-%service sshd reload "OpenSSH Daemon"
-NORESTART=1
-%systemd_post sshd.service
-
-%preun server
-if [ "$1" = "0" ]; then
-	%service sshd stop
-	/sbin/chkconfig --del sshd
-fi
-%systemd_preun sshd.service
-
-%postun server
-if [ "$1" = "0" ]; then
-	%userremove sshd
-fi
-%systemd_reload
-
-%triggerpostun server -- %{name}-server < 2:7.0p1-2
-%banner %{name}-server -e << EOF
-!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!
-! Starting from openssh 7.0 DSA keys are disabled !
-! on server and client side. You will NOT be able !
-! to use DSA keys for authentication. Please read !
-! about PubkeyAcceptedKeyTypes in man ssh_config. !
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-EOF
-
-%triggerpostun server -- %{name}-server < 6.2p1-1
-cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
-sed -i -e 's#AuthorizedKeysCommandRunAs#AuthorizedKeysCommandUser##g' %{_sysconfdir}/sshd_config
-
-%triggerpostun server -- %{name}-server < 2:5.9p1-8
-# lpk.patch to ldap.patch
-if grep -qE '^(UseLPK|Lpk)' %{_sysconfdir}/sshd_config; then
-	echo >&2 "Migrating LPK patch to LDAP patch"
-	cp -f %{_sysconfdir}/sshd_config{,.rpmorig}
-	%{__sed} -i -e '
-		# disable old configs
-		# just UseLPK/LkpLdapConf supported for now
-		s/^\s*UseLPK/## Obsolete &/
-		s/^\s*Lpk/## Obsolete &/
-		# Enable new ones, assumes /etc/ldap.conf defaults, see HOWTO.ldap-keys
-		/UseLPK/iAuthorizedKeysCommand %{_libexecdir}/ssh-ldap-wrapper
-	' %{_sysconfdir}/sshd_config
-	if [ ! -x /bin/systemd_booted ] || ! /bin/systemd_booted; then
-		/bin/systemctl try-restart sshd.service || :
-	else
-		%service -q sshd reload
-	fi
-fi
-%systemd_trigger sshd.service
-if [ -x /bin/systemd_booted ] && /bin/systemd_booted; then
-%banner %{name}-server -e << EOF
-!!!!!!!!!!!!!!!!!!!!!!! WARNING !!!!!!!!!!!!!!!!!!!!!!!!!
-! Native systemd support for sshd has been installed.   !
-! Restarting sshd.service with systemctl WILL kill all  !
-! active ssh sessions (daemon as such will be started). !
-!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-EOF
-fi
-
-%post -n openldap-schema-openssh-lpk
-%openldap_schema_register %{schemadir}/openssh-lpk.schema
-%service -q ldap restart
-
-%postun -n openldap-schema-openssh-lpk
-if [ "$1" = "0" ]; then
-	%openldap_schema_unregister %{schemadir}/openssh-lpk.schema
-	%service -q ldap restart
-fi
-
-%files
-%defattr(644,root,root,755)
-%doc TODO README OVERVIEW CREDITS Change*
-%attr(755,root,root) %{_bindir}/ssh-key*
-#%attr(755,root,root) %{_bindir}/ssh-vulnkey*
-%{_mandir}/man1/ssh-key*.1*
-#%{_mandir}/man1/ssh-vulnkey*.1*
-%dir %{_sysconfdir}
-%dir %{_libexecdir}
-
-%files clients
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_bindir}/ssh
-%attr(755,root,root) %{_bindir}/sftp
-%attr(755,root,root) %{_bindir}/ssh-agent
-%attr(755,root,root) %{_bindir}/ssh-add
-%attr(755,root,root) %{_bindir}/ssh-copy-id
-%attr(755,root,root) %{_bindir}/scp
-%attr(755,root,root) %{_libexecdir}/ssh-pkcs11-helper
-%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config
-%dir %{_sysconfdir}/ssh_config.d
-%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh_config.d/50-pld.conf
-%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/SSH_ASKPASS
-%{_mandir}/man1/scp.1*
-%{_mandir}/man1/ssh.1*
-%{_mandir}/man1/sftp.1*
-%{_mandir}/man1/ssh-agent.1*
-%{_mandir}/man1/ssh-add.1*
-%{_mandir}/man1/ssh-copy-id.1*
-%{_mandir}/man5/ssh_config.5*
-%{_mandir}/man8/ssh-pkcs11-helper.8*
-%lang(it) %{_mandir}/it/man1/ssh.1*
-%lang(it) %{_mandir}/it/man5/ssh_config.5*
-%lang(pl) %{_mandir}/pl/man1/scp.1*
-%lang(zh_CN) %{_mandir}/zh_CN/man1/scp.1*
-
-# for host-based auth (suid required for accessing private host key)
-#%attr(4755,root,root) %{_libexecdir}/ssh-keysign
-#%{_mandir}/man8/ssh-keysign.8*
-
-%files clients-agent-profile_d
-%defattr(644,root,root,755)
-%config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/ssh-agent.conf
-%attr(755,root,root) /etc/profile.d/ssh-agent.sh
-
-%files clients-agent-xinitrc
-%defattr(644,root,root,755)
-%attr(755,root,root) /etc/X11/xinit/xinitrc.d/ssh-agent.sh
-
-%files clients-helper-fido
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_libexecdir}/ssh-sk-helper
-%{_mandir}/man8/ssh-sk-helper.8*
-
-%files server
-%defattr(644,root,root,755)
-%attr(755,root,root) %{_sbindir}/sshd
-%attr(755,root,root) %{_libexecdir}/sftp-server
-%attr(755,root,root) %{_libexecdir}/ssh-keysign
-%attr(755,root,root) %{_libexecdir}/sshd-keygen
-%attr(755,root,root) %{_libexecdir}/sshd-session
-%{_mandir}/man8/sshd.8*
-%{_mandir}/man8/sftp-server.8*
-%{_mandir}/man8/ssh-keysign.8*
-%{_mandir}/man5/sshd_config.5*
-%{_mandir}/man5/moduli.5*
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config
-%attr(750,root,root) %dir %{_sysconfdir}/sshd_config.d
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sshd_config.d/50-pld.conf
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sshd
-%{_sysconfdir}/moduli
-%attr(754,root,root) /etc/rc.d/init.d/sshd
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/sysconfig/sshd
-%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/security/blacklist.sshd
-%{systemdunitdir}/sshd.service
-%{systemdunitdir}/sshd.socket
-%{systemdunitdir}/sshd at .service
-
-%if %{with ldap}
-%files server-ldap
-%defattr(644,root,root,755)
-%doc HOWTO.ldap-keys ldap.conf
-%attr(755,root,root) %{_libexecdir}/ssh-ldap-helper
-%attr(755,root,root) %{_libexecdir}/ssh-ldap-wrapper
-%{_mandir}/man5/ssh-ldap.conf.5*
-%{_mandir}/man8/ssh-ldap-helper.8*
-%endif
-
-%if %{with gnome} || %{with gtk}
-%files gnome-askpass
-%defattr(644,root,root,755)
-%config(noreplace,missingok) %verify(not md5 mtime size) /etc/env.d/GNOME_SSH_ASKPASS*
-%dir %{_libexecdir}/ssh
-%attr(755,root,root) %{_libexecdir}/ssh/ssh-askpass
-%attr(755,root,root) %{_libexecdir}/ssh-askpass
-%endif
-
-%if %{with ldap}
-%files -n openldap-schema-openssh-lpk
-%defattr(644,root,root,755)
-%{schemadir}/openssh-lpk.schema
-%endif
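Review bot: coexistence with the regular package is the open question in this removal. The `%files clients` list of this openssh.spec owns `%{_bindir}/ssh`, `%{_bindir}/scp`, `%{_bindir}/sftp`, `%{_bindir}/ssh-agent`, `%{_bindir}/ssh-add` and `%{_sysconfdir}/ssh_config`, and the base `%files` owns `%{_bindir}/ssh-key*`. If openssh-legacy.spec installs DSA-capable clients under those same paths, the two packages will file-conflict, and a user who installs the legacy one gets it as the default `ssh`. Please confirm the new spec uses distinct binary names or a private prefix, or declares an explicit Conflicts, and that the legacy client reads its own configuration file rather than the shared `ssh_config`, so that DSA acceptance stays limited to the hosts that need it.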
diff --git a/branch.sh b/branch.sh
deleted file mode 100755
index e25b4b0..0000000
--- a/branch.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/sh
-
-# https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-March/040086.html
-
-set -e
-url=https://github.com/openssh/openssh-portable.git
-package=openssh
-tag=V_9_0_P1
-branch=V_9_0
-out=$package-git.patch
-repo=$package.git
-
-# use filterdiff, etc to exclude bad chunks from diff
-filter() {
-	cat
-}
-
-if [ ! -d $repo ]; then
-	git clone --bare $url -b $branch $repo
-fi
-
-cd $repo
-	git fetch origin +$branch:$branch +refs/tags/$tag:refs/tags/$tag
-	git log -p --reverse $tag..$branch ":(exclude)doc/doc-*" ":(exclude)test" ":(exclude).*" | filter > ../$out.tmp
-cd ..
-
-if cmp -s $out{,.tmp}; then
-	echo >&2 "No new diffs..."
-	rm -f $out.tmp
-	exit 0
-fi
-mv -f $out{.tmp,}
-
-../md5 $package.spec
-../dropin $out
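Review bot: deleting branch.sh removes the only recorded way to regenerate `$package-git.patch` from upstream (`git log -p --reverse $tag..$branch`), and a package kept only for DSA support will depend entirely on backported fixes. The script was already pinned to `tag=V_9_0_P1` / `branch=V_9_0`, so dropping it is reasonable, but the commit message or the new spec should say how upstream security fixes are expected to reach openssh-legacy, or state that the package is frozen and meant only for reaching legacy DSA-only hosts.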
diff --git a/openssh-5.2p1-hpn13v6.diff b/openssh-5.2p1-hpn13v6.diff
deleted file mode 100644
index 3c64d2a..0000000
--- a/openssh-5.2p1-hpn13v6.diff
+++ /dev/null
@@ -1,3695 +0,0 @@
-diff -NupwB openssh-5.2p1-canonical/auth2.c openssh-5.2p1-hpn13v6/auth2.c
---- openssh-5.2p1-canonical/auth2.c	2008-11-05 00:20:46.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/auth2.c	2009-05-14 12:36:10.000000000 -0400
-@@ -49,6 +49,7 @@
- #include "dispatch.h"
- #include "pathnames.h"
- #include "buffer.h"
-+#include "canohost.h"
- 
- #ifdef GSSAPI
- #include "ssh-gss.h"
-@@ -75,6 +76,9 @@ extern Authmethod method_gssapi;
- extern Authmethod method_jpake;
- #endif
- 
-+static int log_flag = 0;
-+
-+
- Authmethod *authmethods[] = {
- 	&method_none,
- 	&method_pubkey,
-@@ -225,6 +229,11 @@ input_userauth_request(int type, u_int32
- 	service = packet_get_string(NULL);
- 	method = packet_get_string(NULL);
- 	debug("userauth-request for user %s service %s method %s", user, service, method);
-+	if (!log_flag) {
-+		logit("SSH: Server;Ltype: Authname;Remote: %s-%d;Name: %s", 
-+		      get_remote_ipaddr(), get_remote_port(), user);
-+		log_flag = 1;
-+	}
- 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
- 
- 	if ((style = strchr(user, ':')) != NULL)
-diff -NupwB openssh-5.2p1-canonical/buffer.c openssh-5.2p1-hpn13v6/buffer.c
---- openssh-5.2p1-canonical/buffer.c	2006-08-04 22:39:39.000000000 -0400
-+++ openssh-5.2p1-hpn13v6/buffer.c	2009-05-14 12:36:10.000000000 -0400
-@@ -127,7 +127,7 @@ restart:
- 
- 	/* Increase the size of the buffer and retry. */
- 	newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
--	if (newlen > BUFFER_MAX_LEN)
-+	if (newlen > BUFFER_MAX_LEN_HPN)
- 		fatal("buffer_append_space: alloc %u not supported",
- 		    newlen);
- 	buffer->buf = xrealloc(buffer->buf, 1, newlen);
-diff -NupwB openssh-5.2p1-canonical/buffer.h openssh-5.2p1-hpn13v6/buffer.h
---- openssh-5.2p1-canonical/buffer.h	2008-05-19 00:59:37.000000000 -0400
-+++ openssh-5.2p1-hpn13v6/buffer.h	2009-05-14 12:36:10.000000000 -0400
-@@ -16,6 +16,9 @@
- #ifndef BUFFER_H
- #define BUFFER_H
- 
-+/* move the following to a more appropriate place and name */
-+#define BUFFER_MAX_LEN_HPN          0x4000000  /* 64MB */
-+
- typedef struct {
- 	u_char	*buf;		/* Buffer for data. */
- 	u_int	 alloc;		/* Number of bytes allocated for data. */
-diff -NupwB openssh-5.2p1-canonical/channels.c openssh-5.2p1-hpn13v6/channels.c
---- openssh-5.2p1-canonical/channels.c	2009-02-14 00:28:21.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/channels.c	2009-05-14 12:36:10.000000000 -0400
-@@ -169,8 +169,14 @@ static void port_open_helper(Channel *c,
- static int connect_next(struct channel_connect *);
- static void channel_connect_ctx_free(struct channel_connect *);
- 
-+
-+static int hpn_disabled = 0;
-+static int hpn_buffer_size = 2 * 1024 * 1024;
-+
- /* -- channel core */
- 
-+
-+
- Channel *
- channel_by_id(int id)
- {
-@@ -308,6 +314,7 @@ channel_new(char *ctype, int type, int r
- 	c->local_window_max = window;
- 	c->local_consumed = 0;
- 	c->local_maxpacket = maxpack;
-+	c->dynamic_window = 0;
- 	c->remote_id = -1;
- 	c->remote_name = xstrdup(remote_name);
- 	c->remote_window = 0;
-@@ -798,11 +805,35 @@ channel_pre_open_13(Channel *c, fd_set *
- 		FD_SET(c->sock, writeset);
- }
- 
-+int channel_tcpwinsz () {
-+        u_int32_t tcpwinsz = 0;
-+        socklen_t optsz = sizeof(tcpwinsz);
-+	int ret = -1;
-+
-+	/* if we aren't on a socket return 128KB*/
-+	if(!packet_connection_is_on_socket()) 
-+	    return(128*1024);
-+	ret = getsockopt(packet_get_connection_in(),
-+			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
-+	/* return no more than 64MB */
-+	if ((ret == 0) && tcpwinsz > BUFFER_MAX_LEN_HPN)
-+	    tcpwinsz = BUFFER_MAX_LEN_HPN;
-+	debug2("tcpwinsz: %d for connection: %d", tcpwinsz, 
-+	       packet_get_connection_in());
-+	return(tcpwinsz);
-+}
-+
- static void
- channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
- {
- 	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
- 
-+        /* check buffer limits */
-+	if ((!c->tcpwinsz) || (c->dynamic_window > 0))
-+    	    c->tcpwinsz = channel_tcpwinsz();
-+	
-+	limit = MIN(limit, 2 * c->tcpwinsz);
-+	
- 	if (c->istate == CHAN_INPUT_OPEN &&
- 	    limit > 0 &&
- 	    buffer_len(&c->input) < limit &&
-@@ -1759,14 +1790,21 @@ channel_check_window(Channel *c)
- 	    c->local_maxpacket*3) ||
- 	    c->local_window < c->local_window_max/2) &&
- 	    c->local_consumed > 0) {
-+		u_int addition = 0;
-+		/* adjust max window size if we are in a dynamic environment */
-+		if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
-+			/* grow the window somewhat aggressively to maintain pressure */
-+			addition = 1.5*(c->tcpwinsz - c->local_window_max);
-+			c->local_window_max += addition;
-+		}
- 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
- 		packet_put_int(c->remote_id);
--		packet_put_int(c->local_consumed);
-+		packet_put_int(c->local_consumed + addition);
- 		packet_send();
- 		debug2("channel %d: window %d sent adjust %d",
- 		    c->self, c->local_window,
- 		    c->local_consumed);
--		c->local_window += c->local_consumed;
-+		c->local_window += c->local_consumed + addition;
- 		c->local_consumed = 0;
- 	}
- 	return 1;
-@@ -1969,11 +2007,12 @@ channel_after_select(fd_set *readset, fd
- 
- 
- /* If there is data to send to the connection, enqueue some of it now. */
--void
-+int
- channel_output_poll(void)
- {
- 	Channel *c;
- 	u_int i, len;
-+	int packet_length = 0;
- 
- 	for (i = 0; i < channels_alloc; i++) {
- 		c = channels[i];
-@@ -2013,7 +2052,7 @@ channel_output_poll(void)
- 					packet_start(SSH2_MSG_CHANNEL_DATA);
- 					packet_put_int(c->remote_id);
- 					packet_put_string(data, dlen);
--					packet_send();
-+					packet_length = packet_send();
- 					c->remote_window -= dlen + 4;
- 					free(data);
- 				}
-@@ -2043,7 +2082,7 @@ channel_output_poll(void)
- 				    SSH2_MSG_CHANNEL_DATA : SSH_MSG_CHANNEL_DATA);
- 				packet_put_int(c->remote_id);
- 				packet_put_string(buffer_ptr(&c->input), len);
--				packet_send();
-+				packet_length = packet_send();
- 				buffer_consume(&c->input, len);
- 				c->remote_window -= len;
- 			}
-@@ -2078,12 +2117,13 @@ channel_output_poll(void)
- 			packet_put_int(c->remote_id);
- 			packet_put_int(SSH2_EXTENDED_DATA_STDERR);
- 			packet_put_string(buffer_ptr(&c->extended), len);
--			packet_send();
-+			packet_length = packet_send();
- 			buffer_consume(&c->extended, len);
- 			c->remote_window -= len;
- 			debug2("channel %d: sent ext data %d", c->self, len);
- 		}
- 	}
-+	return (packet_length);
- }
- 
- 
-@@ -2459,6 +2499,15 @@ channel_set_af(int af)
- 	IPv4or6 = af;
- }
- 
-+
-+void 
-+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
-+{
-+      	hpn_disabled = external_hpn_disabled;
-+	hpn_buffer_size = external_hpn_buffer_size;
-+	debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
-+}
-+
- static int
- channel_setup_fwd_listener(int type, const char *listen_addr,
-     u_short listen_port, int *allocated_listen_port,
-@@ -2610,9 +2659,15 @@ channel_setup_fwd_listener(int type, con
- 		}
- 
- 		/* Allocate a channel number for the socket. */
-+		/* explicitly test for hpn disabled option. if true use smaller window size */
-+		if (hpn_disabled)
- 		c = channel_new("port listener", type, sock, sock, -1,
- 		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
- 		    0, "port listener", 1);
-+ 		else
-+ 			c = channel_new("port listener", type, sock, sock, -1,
-+ 		    	  hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
-+ 		    	  0, "port listener", 1); 
- 		c->path = xstrdup(host);
- 		c->host_port = port_to_connect;
- 		c->listening_port = listen_port;
-@@ -3151,10 +3206,17 @@ x11_create_display_inet(int x11_display_
- 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
- 	for (n = 0; n < num_socks; n++) {
- 		sock = socks[n];
-+		/* Is this really necassary? */
-+		if (hpn_disabled) 
- 		nc = channel_new("x11 listener",
- 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
- 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
- 		    0, "X11 inet listener", 1);
-+		else 
-+			nc = channel_new("x11 listener",
-+			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
-+			    hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
-+			    0, "X11 inet listener", 1);
- 		nc->single_connection = single_connection;
- 		(*chanids)[n] = nc->self;
- 	}
-diff -NupwB openssh-5.2p1-canonical/channels.h openssh-5.2p1-hpn13v6/channels.h
---- openssh-5.2p1-canonical/channels.h	2009-02-14 00:28:21.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/channels.h	2009-05-14 12:36:10.000000000 -0400
-@@ -115,8 +115,10 @@ struct Channel {
- 	u_int	local_window_max;
- 	u_int	local_consumed;
- 	u_int	local_maxpacket;
-+	int	dynamic_window;
- 	int     extended_usage;
- 	int	single_connection;
-+	u_int 	tcpwinsz;	
- 
- 	char   *ctype;		/* type */
- 
-@@ -146,9 +148,11 @@ struct Channel {
- 
- /* default window/packet sizes for tcp/x11-fwd-channel */
- #define CHAN_SES_PACKET_DEFAULT	(32*1024)
--#define CHAN_SES_WINDOW_DEFAULT	(64*CHAN_SES_PACKET_DEFAULT)
-+#define CHAN_SES_WINDOW_DEFAULT	(4*CHAN_SES_PACKET_DEFAULT)
-+
- #define CHAN_TCP_PACKET_DEFAULT	(32*1024)
--#define CHAN_TCP_WINDOW_DEFAULT	(64*CHAN_TCP_PACKET_DEFAULT)
-+#define CHAN_TCP_WINDOW_DEFAULT	(4*CHAN_TCP_PACKET_DEFAULT)
-+
- #define CHAN_X11_PACKET_DEFAULT	(16*1024)
- #define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
- 
-@@ -221,7 +225,7 @@ void	 channel_input_status_confirm(int, 
- 
- void	 channel_prepare_select(fd_set **, fd_set **, int *, u_int*, int);
- void     channel_after_select(fd_set *, fd_set *);
--void     channel_output_poll(void);
-+int      channel_output_poll(void);
- 
- int      channel_not_very_much_buffered_data(void);
- void     channel_close_all(void);
-@@ -277,4 +281,7 @@ void	 chan_rcvd_ieof(Channel *);
- void	 chan_write_failed(Channel *);
- void	 chan_obuf_empty(Channel *);
- 
-+/* hpn handler */
-+void     channel_set_hpn(int, int);
-+
- #endif
-diff -NupwB openssh-5.2p1-canonical/cipher.c openssh-5.2p1-hpn13v6/cipher.c
---- openssh-5.2p1-canonical/cipher.c	2009-01-28 00:38:41.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/cipher.c	2009-05-14 12:36:10.000000000 -0400
-@@ -55,6 +55,7 @@ extern const EVP_CIPHER *evp_ssh1_bf(voi
- extern const EVP_CIPHER *evp_ssh1_3des(void);
- extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
- extern const EVP_CIPHER *evp_aes_128_ctr(void);
-+extern const EVP_CIPHER *evp_aes_ctr_mt(void);
- extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
- 
- struct Cipher {
-@@ -82,9 +83,9 @@ struct Cipher {
- 	{ "aes256-cbc",		SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
- 	{ "rijndael-cbc at lysator.liu.se",
- 				SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
--	{ "aes128-ctr",		SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
--	{ "aes192-ctr",		SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
--	{ "aes256-ctr",		SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
-+	{ "aes128-ctr",		SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_ctr_mt },
-+	{ "aes192-ctr",		SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_ctr_mt },
-+	{ "aes256-ctr",		SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_ctr_mt },
- #ifdef USE_CIPHER_ACSS
- 	{ "acss at openssh.org",	SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss },
- #endif
-@@ -163,7 +164,8 @@ ciphers_valid(const char *names)
- 	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
- 	    (p = strsep(&cp, CIPHER_SEP))) {
- 		c = cipher_by_name(p);
--		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
-+		if (c == NULL || (c->number != SSH_CIPHER_SSH2 && 
-+c->number != SSH_CIPHER_NONE)) {
- 			debug("bad cipher %s [%s]", p, names);
- 			free(cipher_list);
- 			return 0;
-@@ -337,6 +339,7 @@ cipher_get_keyiv(CipherContext *cc, u_ch
- 	int evplen;
- 
- 	switch (c->number) {
-+	case SSH_CIPHER_NONE:
- 	case SSH_CIPHER_SSH2:
- 	case SSH_CIPHER_DES:
- 	case SSH_CIPHER_BLOWFISH:
-@@ -371,6 +374,7 @@ cipher_set_keyiv(CipherContext *cc, u_ch
- 	int evplen = 0;
- 
- 	switch (c->number) {
-+	case SSH_CIPHER_NONE:
- 	case SSH_CIPHER_SSH2:
- 	case SSH_CIPHER_DES:
- 	case SSH_CIPHER_BLOWFISH:
-diff -NupwB openssh-5.2p1-canonical/cipher-ctr-mt.c openssh-5.2p1-hpn13v6/cipher-ctr-mt.c
---- openssh-5.2p1-canonical/cipher-ctr-mt.c	1969-12-31 19:00:00.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/cipher-ctr-mt.c	2009-05-14 12:36:10.000000000 -0400
-@@ -0,0 +1,473 @@
-+/*
-+ * OpenSSH Multi-threaded AES-CTR Cipher
-+ *
-+ * Author: Benjamin Bennett <ben at psc.edu>
-+ * Copyright (c) 2008 Pittsburgh Supercomputing Center. All rights reserved.
-+ *
-+ * Based on original OpenSSH AES-CTR cipher. Small portions remain unchanged,
-+ * Copyright (c) 2003 Markus Friedl <markus at openbsd.org>
-+ *
-+ * Permission to use, copy, modify, and distribute this software for any
-+ * purpose with or without fee is hereby granted, provided that the above
-+ * copyright notice and this permission notice appear in all copies.
-+ *
-+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ */
-+#include "includes.h"
-+
-+#include <sys/types.h>
-+
-+#include <stdarg.h>
-+#include <string.h>
-+
-+#include <openssl/evp.h>
-+
-+#include "xmalloc.h"
-+#include "log.h"
-+
-+/* compatibility with old or broken OpenSSL versions */
-+#include "openbsd-compat/openssl-compat.h"
-+
-+#ifndef USE_BUILTIN_RIJNDAEL
-+#include <openssl/aes.h>
-+#endif
-+
-+#include <pthread.h>
-+
-+/*-------------------- TUNABLES --------------------*/
-+/* Number of pregen threads to use */
-+#define CIPHER_THREADS	2
-+
-+/* Number of keystream queues */
-+#define NUMKQ		(CIPHER_THREADS + 2)
-+
-+/* Length of a keystream queue */
-+#define KQLEN		4096
-+
-+/* Processor cacheline length */
-+#define CACHELINE_LEN	64
-+
-+/* Collect thread stats and print at cancellation when in debug mode */
-+/* #define CIPHER_THREAD_STATS */
-+
-+/* Use single-byte XOR instead of 8-byte XOR */
-+/* #define CIPHER_BYTE_XOR */
-+/*-------------------- END TUNABLES --------------------*/
-+
-+
-+const EVP_CIPHER *evp_aes_ctr_mt(void);
-+
-+#ifdef CIPHER_THREAD_STATS
-+/*
-+ * Struct to collect thread stats
-+ */
-+struct thread_stats {
-+	u_int	fills;
-+	u_int	skips;
-+	u_int	waits;
-+	u_int	drains;
-+};
-+
-+/*
-+ * Debug print the thread stats
-+ * Use with pthread_cleanup_push for displaying at thread cancellation
-+ */
-+static void
-+thread_loop_stats(void *x)
-+{
-+	struct thread_stats *s = x;
-+
-+	debug("tid %lu - %u fills, %u skips, %u waits", pthread_self(),
-+			s->fills, s->skips, s->waits);
-+}
-+
-+ #define STATS_STRUCT(s)	struct thread_stats s
-+ #define STATS_INIT(s)		{ memset(&s, 0, sizeof(s)); }
-+ #define STATS_FILL(s)		{ s.fills++; }
-+ #define STATS_SKIP(s)		{ s.skips++; }
-+ #define STATS_WAIT(s)		{ s.waits++; }
-+ #define STATS_DRAIN(s)		{ s.drains++; }
-+#else
-+ #define STATS_STRUCT(s)
-+ #define STATS_INIT(s)
-+ #define STATS_FILL(s)
-+ #define STATS_SKIP(s)
-+ #define STATS_WAIT(s)
-+ #define STATS_DRAIN(s)
-+#endif
-+
-+/* Keystream Queue state */
-+enum {
-+	KQINIT,
-+	KQEMPTY,
-+	KQFILLING,
-+	KQFULL,
-+	KQDRAINING
-+};
-+
-+/* Keystream Queue struct */
-+struct kq {
-+	u_char		keys[KQLEN][AES_BLOCK_SIZE];
-+	u_char		ctr[AES_BLOCK_SIZE];
-+	u_char		pad0[CACHELINE_LEN];
-+	volatile int	qstate;
-+	pthread_mutex_t	lock;
-+	pthread_cond_t	cond;
-+	u_char		pad1[CACHELINE_LEN];
-+};
-+
-+/* Context struct */
-+struct ssh_aes_ctr_ctx
-+{
-+	struct kq	q[NUMKQ];
-+	AES_KEY		aes_ctx;
-+	STATS_STRUCT(stats);
-+	u_char		aes_counter[AES_BLOCK_SIZE];
-+	pthread_t	tid[CIPHER_THREADS];
-+	int		state;
-+	int		qidx;
-+	int		ridx;
-+};
-+
-+/* <friedl>
-+ * increment counter 'ctr',
-+ * the counter is of size 'len' bytes and stored in network-byte-order.
-+ * (LSB at ctr[len-1], MSB at ctr[0])
-+ */
-+static void
-+ssh_ctr_inc(u_char *ctr, u_int len)
-+{
-+	int i;
-+
-+	for (i = len - 1; i >= 0; i--)
-+		if (++ctr[i])	/* continue on overflow */
-+			return;
-+}
-+
-+/*
-+ * Add num to counter 'ctr'
-+ */
-+static void
-+ssh_ctr_add(u_char *ctr, uint32_t num, u_int len)
-+{
-+	int i;
-+	uint16_t n;
-+
-+	for (n = 0, i = len - 1; i >= 0 && (num || n); i--) {
-+		n = ctr[i] + (num & 0xff) + n;
-+		num >>= 8;
-+		ctr[i] = n & 0xff;
-+		n >>= 8;
-+	}
-+}
-+
-+/*
-+ * Threads may be cancelled in a pthread_cond_wait, we must free the mutex
-+ */
-+static void
-+thread_loop_cleanup(void *x)
-+{
-+	pthread_mutex_unlock((pthread_mutex_t *)x);
-+}
-+
-+/*
-+ * The life of a pregen thread:
-+ *    Find empty keystream queues and fill them using their counter.
-+ *    When done, update counter for the next fill.
-+ */
-+static void *
-+thread_loop(void *x)
-+{
-+	AES_KEY key;
-+	STATS_STRUCT(stats);
-+	struct ssh_aes_ctr_ctx *c = x;
-+	struct kq *q;
-+	int i;
-+	int qidx;
-+
-+	/* Threads stats on cancellation */
-+	STATS_INIT(stats);
-+#ifdef CIPHER_THREAD_STATS
-+	pthread_cleanup_push(thread_loop_stats, &stats);
-+#endif
-+
-+	/* Thread local copy of AES key */
-+	memcpy(&key, &c->aes_ctx, sizeof(key));
-+
-+	/*
-+	 * Handle the special case of startup, one thread must fill
-+ 	 * the first KQ then mark it as draining. Lock held throughout.
-+ 	 */
-+	if (pthread_equal(pthread_self(), c->tid[0])) {
-+		q = &c->q[0];
-+		pthread_mutex_lock(&q->lock);
-+		if (q->qstate == KQINIT) {
-+			for (i = 0; i < KQLEN; i++) {
-+				AES_encrypt(q->ctr, q->keys[i], &key);
-+				ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
-+			}
-+			ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
-+			q->qstate = KQDRAINING;
-+			STATS_FILL(stats);
-+			pthread_cond_broadcast(&q->cond);
-+		}
-+		pthread_mutex_unlock(&q->lock);
-+	}
-+	else 
-+		STATS_SKIP(stats);
-+
-+	/*
-+ 	 * Normal case is to find empty queues and fill them, skipping over
-+ 	 * queues already filled by other threads and stopping to wait for
-+ 	 * a draining queue to become empty.
-+ 	 *
-+ 	 * Multiple threads may be waiting on a draining queue and awoken
-+ 	 * when empty.  The first thread to wake will mark it as filling,
-+ 	 * others will move on to fill, skip, or wait on the next queue.
-+ 	 */
-+	for (qidx = 1;; qidx = (qidx + 1) % NUMKQ) {
-+		/* Check if I was cancelled, also checked in cond_wait */
-+		pthread_testcancel();
-+
-+		/* Lock queue and block if its draining */
-+		q = &c->q[qidx];
-+		pthread_mutex_lock(&q->lock);
-+		pthread_cleanup_push(thread_loop_cleanup, &q->lock);
-+		while (q->qstate == KQDRAINING || q->qstate == KQINIT) {
-+			STATS_WAIT(stats);
-+			pthread_cond_wait(&q->cond, &q->lock);
-+		}
-+		pthread_cleanup_pop(0);
-+
-+		/* If filling or full, somebody else got it, skip */
-+		if (q->qstate != KQEMPTY) {
-+			pthread_mutex_unlock(&q->lock);
-+			STATS_SKIP(stats);
-+			continue;
-+		}
-+
-+		/*
-+ 		 * Empty, let's fill it.
-+ 		 * Queue lock is relinquished while we do this so others
-+ 		 * can see that it's being filled.
-+ 		 */
-+		q->qstate = KQFILLING;
-+		pthread_mutex_unlock(&q->lock);
-+		for (i = 0; i < KQLEN; i++) {
-+			AES_encrypt(q->ctr, q->keys[i], &key);
-+			ssh_ctr_inc(q->ctr, AES_BLOCK_SIZE);
-+		}
-+
-+		/* Re-lock, mark full and signal consumer */
-+		pthread_mutex_lock(&q->lock);
-+		ssh_ctr_add(q->ctr, KQLEN * (NUMKQ - 1), AES_BLOCK_SIZE);
-+		q->qstate = KQFULL;
-+		STATS_FILL(stats);
-+		pthread_cond_signal(&q->cond);
-+		pthread_mutex_unlock(&q->lock);
-+	}
-+
-+#ifdef CIPHER_THREAD_STATS
-+	/* Stats */
-+	pthread_cleanup_pop(1);
-+#endif
-+
-+	return NULL;
-+}
-+
-+static int
-+ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-+    u_int len)
-+{
-+	struct ssh_aes_ctr_ctx *c;
-+	struct kq *q, *oldq;
-+	int ridx;
-+	u_char *buf;
-+
-+	if (len == 0)
-+		return (1);
-+	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
-+		return (0);
-+
-+	q = &c->q[c->qidx];
-+	ridx = c->ridx;
-+
-+	/* src already padded to block multiple */
-+	while (len > 0) {
-+		buf = q->keys[ridx];
-+
-+#ifdef CIPHER_BYTE_XOR
-+		dest[0] = src[0] ^ buf[0];
-+		dest[1] = src[1] ^ buf[1];
-+		dest[2] = src[2] ^ buf[2];
-+		dest[3] = src[3] ^ buf[3];
-+		dest[4] = src[4] ^ buf[4];
-+		dest[5] = src[5] ^ buf[5];
-+		dest[6] = src[6] ^ buf[6];
-+		dest[7] = src[7] ^ buf[7];
-+		dest[8] = src[8] ^ buf[8];
-+		dest[9] = src[9] ^ buf[9];
-+		dest[10] = src[10] ^ buf[10];
-+		dest[11] = src[11] ^ buf[11];
-+		dest[12] = src[12] ^ buf[12];
-+		dest[13] = src[13] ^ buf[13];
-+		dest[14] = src[14] ^ buf[14];
-+		dest[15] = src[15] ^ buf[15];
-+#else
-+		*(uint64_t *)dest = *(uint64_t *)src ^ *(uint64_t *)buf;
-+		*(uint64_t *)(dest + 8) = *(uint64_t *)(src + 8) ^
-+						*(uint64_t *)(buf + 8);
-+#endif
-+
-+		dest += 16;
-+		src += 16;
-+		len -= 16;
-+		ssh_ctr_inc(ctx->iv, AES_BLOCK_SIZE);
-+
-+		/* Increment read index, switch queues on rollover */
-+		if ((ridx = (ridx + 1) % KQLEN) == 0) {
-+			oldq = q;
-+
-+			/* Mark next queue draining, may need to wait */
-+			c->qidx = (c->qidx + 1) % NUMKQ;
-+			q = &c->q[c->qidx];
-+			pthread_mutex_lock(&q->lock);
-+			while (q->qstate != KQFULL) {
-+				STATS_WAIT(c->stats);
-+				pthread_cond_wait(&q->cond, &q->lock);
-+			}
-+			q->qstate = KQDRAINING;
-+			pthread_mutex_unlock(&q->lock);
-+
-+			/* Mark consumed queue empty and signal producers */
-+			pthread_mutex_lock(&oldq->lock);
-+			oldq->qstate = KQEMPTY;
-+			STATS_DRAIN(c->stats);
-+			pthread_cond_broadcast(&oldq->cond);
-+			pthread_mutex_unlock(&oldq->lock);
-+		}
-+	}
-+	c->ridx = ridx;
-+	return (1);
-+}
-+
-+#define HAVE_NONE       0
-+#define HAVE_KEY        1
-+#define HAVE_IV         2
-+static int
-+ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-+    int enc)
-+{
-+	struct ssh_aes_ctr_ctx *c;
-+	int i;
-+
-+	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-+		c = xmalloc(sizeof(*c));
-+
-+		c->state = HAVE_NONE;
-+		for (i = 0; i < NUMKQ; i++) {
-+			pthread_mutex_init(&c->q[i].lock, NULL);
-+			pthread_cond_init(&c->q[i].cond, NULL);
-+		}
-+
-+		STATS_INIT(c->stats);
-+		
-+		EVP_CIPHER_CTX_set_app_data(ctx, c);
-+	}
-+
-+	if (c->state == (HAVE_KEY | HAVE_IV)) {
-+		/* Cancel pregen threads */
-+		for (i = 0; i < CIPHER_THREADS; i++)
-+			pthread_cancel(c->tid[i]);
-+		for (i = 0; i < CIPHER_THREADS; i++)
-+			pthread_join(c->tid[i], NULL);
-+		/* Start over getting key & iv */
-+		c->state = HAVE_NONE;
-+	}
-+
-+	if (key != NULL) {
-+		AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-+		    &c->aes_ctx);
-+		c->state |= HAVE_KEY;
-+	}
-+
-+	if (iv != NULL) {
-+		memcpy(ctx->iv, iv, AES_BLOCK_SIZE);
-+		c->state |= HAVE_IV;
-+	}
-+
-+	if (c->state == (HAVE_KEY | HAVE_IV)) {
-+		/* Clear queues */
-+		memcpy(c->q[0].ctr, ctx->iv, AES_BLOCK_SIZE);
-+		c->q[0].qstate = KQINIT;
-+		for (i = 1; i < NUMKQ; i++) {
-+			memcpy(c->q[i].ctr, ctx->iv, AES_BLOCK_SIZE);
-+			ssh_ctr_add(c->q[i].ctr, i * KQLEN, AES_BLOCK_SIZE);
-+			c->q[i].qstate = KQEMPTY;
-+		}
-+		c->qidx = 0;
-+		c->ridx = 0;
-+
-+		/* Start threads */
-+		for (i = 0; i < CIPHER_THREADS; i++) {
-+			pthread_create(&c->tid[i], NULL, thread_loop, c);
-+		}
-+		pthread_mutex_lock(&c->q[0].lock);
-+		while (c->q[0].qstate != KQDRAINING)
-+			pthread_cond_wait(&c->q[0].cond, &c->q[0].lock);
-+		pthread_mutex_unlock(&c->q[0].lock);
-+		
-+	}
-+	return (1);
-+}
-+
-+static int
-+ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
-+{
-+	struct ssh_aes_ctr_ctx *c;
-+	int i;
-+
-+	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-+#ifdef CIPHER_THREAD_STATS
-+		debug("main thread: %u drains, %u waits", c->stats.drains,
-+				c->stats.waits);
-+#endif
-+		/* Cancel pregen threads */
-+		for (i = 0; i < CIPHER_THREADS; i++)
-+			pthread_cancel(c->tid[i]);
-+		for (i = 0; i < CIPHER_THREADS; i++)
-+			pthread_join(c->tid[i], NULL);
-+
-+		memset(c, 0, sizeof(*c));
-+		free(c);
-+		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-+	}
-+	return (1);
-+}
-+
-+/* <friedl> */
-+const EVP_CIPHER *
-+evp_aes_ctr_mt(void)
-+{
-+	static EVP_CIPHER aes_ctr;
-+
-+	memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
-+	aes_ctr.nid = NID_undef;
-+	aes_ctr.block_size = AES_BLOCK_SIZE;
-+	aes_ctr.iv_len = AES_BLOCK_SIZE;
-+	aes_ctr.key_len = 16;
-+	aes_ctr.init = ssh_aes_ctr_init;
-+	aes_ctr.cleanup = ssh_aes_ctr_cleanup;
-+	aes_ctr.do_cipher = ssh_aes_ctr;
-+#ifndef SSH_OLD_EVP
-+	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-+	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-+#endif
-+	return (&aes_ctr);
-+}
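Review bot: ssh_aes_ctr_cleanup() in the removed cipher-ctr-mt.c calls pthread_cancel() and pthread_join() on every c->tid[i] unconditionally, but ssh_aes_ctr_init() only creates the threads once c->state reaches (HAVE_KEY | HAVE_IV), and c comes from xmalloc() with tid[] never initialised. A context that received only a key or only an IV is therefore torn down by cancelling indeterminate thread ids. Any tree that still carries this file should record whether the threads were started and skip the cancel/join otherwise. The pthread_create() return value is also ignored right before the code blocks on "while (c->q[0].qstate != KQDRAINING)", so a failed creation of thread 0 leaves the caller waiting forever. Finally, the memset(c, 0, sizeof(*c)) before free(c) is the only wipe of the AES key schedule and can be optimised away, and the per-thread copy in thread_loop() ("memcpy(&key, &c->aes_ctx, sizeof(key))") is never cleared on cancellation.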
-diff -NupwB openssh-5.2p1-canonical/clientloop.c openssh-5.2p1-hpn13v6/clientloop.c
---- openssh-5.2p1-canonical/clientloop.c	2009-02-14 00:28:21.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/clientloop.c	2009-05-14 12:36:10.000000000 -0400
-@@ -1688,9 +1688,15 @@ client_request_x11(const char *request_t
- 	sock = x11_connect_display();
- 	if (sock < 0)
- 		return NULL;
-+	/* again is this really necessary for X11? */
-+	if (options.hpn_disabled) 
- 	c = channel_new("x11",
- 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
- 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
-+	else 
-+		c = channel_new("x11",
-+		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
-+		    options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
- 	c->force_drain = 1;
- 	return c;
- }
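Review bot: the added "if (options.hpn_disabled)" in client_request_x11() has no braces and its body, the original "c = channel_new(" call, keeps its old indentation, so the if/else structure is easy to misread. The open question left in the comment ("again is this really necessary for X11?") should be answered before the code ships rather than kept in the source. Brace both branches and either drop the HPN window for X11 or document why it is needed.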
-@@ -1710,9 +1716,15 @@ client_request_agent(const char *request
- 	sock = ssh_get_authentication_socket();
- 	if (sock < 0)
- 		return NULL;
-+	if (options.hpn_disabled) 
- 	c = channel_new("authentication agent connection",
- 	    SSH_CHANNEL_OPEN, sock, sock, -1,
--	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
-+		    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_WINDOW_DEFAULT, 0,
-+		    "authentication agent connection", 1);
-+       else
-+	c = channel_new("authentication agent connection",
-+	    SSH_CHANNEL_OPEN, sock, sock, -1,
-+                   options.hpn_buffer_size, options.hpn_buffer_size, 0,
- 	    "authentication agent connection", 1);
- 	c->force_drain = 1;
- 	return c;
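Review bot: in client_request_agent() the hpn_disabled branch, which is supposed to keep stock behaviour, changes the second size argument from CHAN_TCP_PACKET_DEFAULT to CHAN_TCP_WINDOW_DEFAULT. The x11 and tun hunks in the same file keep a *_PACKET_DEFAULT constant in that position, so this looks like a window constant passed where a maximum packet size is expected. The else branch has the same shape: it passes options.hpn_buffer_size for both arguments, while the other two call sites only replace the window. Restore CHAN_TCP_PACKET_DEFAULT as the packet size in both branches, and brace the if/else, whose indentation here mixes spaces and tabs.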
-@@ -1740,10 +1752,18 @@ client_request_tun_fwd(int tun_mode, int
- 		return -1;
- 	}
- 
-+	if(options.hpn_disabled)
-+	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-+				CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-+				0, "tun", 1);
-+	else
- 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
--	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
-+				options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
-+				0, "tun", 1);
- 	c->datagram = 1;
- 
-+
-+
- #if defined(SSH_TUN_FILTER)
- 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
- 		channel_register_filter(c->self, sys_tun_infilter,
-diff -NupwB openssh-5.2p1-canonical/compat.c openssh-5.2p1-hpn13v6/compat.c
---- openssh-5.2p1-canonical/compat.c	2008-11-03 03:20:14.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/compat.c	2009-05-14 12:36:10.000000000 -0400
-@@ -170,6 +170,15 @@ compat_datafellows(const char *version)
- 		    strlen(check[i].pat), 0) == 1) {
- 			debug("match: %s pat %s", version, check[i].pat);
- 			datafellows = check[i].bugs;
-+			/* Check to see if the remote side is OpenSSH and not HPN */
-+			if(strstr(version,"OpenSSH") != NULL)
-+			{
-+				if (strstr(version,"hpn") == NULL)
-+				{
-+					datafellows |= SSH_BUG_LARGEWINDOW;
-+					debug("Remote is NON-HPN aware");
-+				}
-+			}
- 			return;
- 		}
- 	}
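Review bot: the HPN detection in compat_datafellows() is a bare substring test, strstr(version,"hpn"), on the version string sent by the peer before authentication, so any banner that contains "OpenSSH" and the letters "hpn" anywhere is treated as HPN aware and skips SSH_BUG_LARGEWINDOW. The test also sits inside the branch that runs only when one of the check[] patterns matched, so a banner that matches no pattern never gets the flag at all. A tree that keeps this code should match a defined token at a fixed position in the banner and default to the conservative (non-HPN) setting when nothing matches.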
-diff -NupwB openssh-5.2p1-canonical/compat.h openssh-5.2p1-hpn13v6/compat.h
---- openssh-5.2p1-canonical/compat.h	2008-11-03 03:20:14.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/compat.h	2009-05-14 12:36:10.000000000 -0400
-@@ -58,6 +58,7 @@
- #define SSH_OLD_FORWARD_ADDR	0x01000000
- #define SSH_BUG_RFWD_ADDR	0x02000000
- #define SSH_NEW_OPENSSH		0x04000000
-+#define SSH_BUG_LARGEWINDOW     0x08000000
- 
- void     enable_compat13(void);
- void     enable_compat20(void);
-Common subdirectories: openssh-5.2p1-canonical/contrib and openssh-5.2p1-hpn13v6/contrib
-diff -NupwB openssh-5.2p1-canonical/HPN-README openssh-5.2p1-hpn13v6/HPN-README
---- openssh-5.2p1-canonical/HPN-README	1969-12-31 19:00:00.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/HPN-README	2009-05-14 12:36:10.000000000 -0400
-@@ -0,0 +1,128 @@
-+Notes:
-+
-+MULTI-THREADED CIPHER:
-+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
-+on hosts with multiple cores to use more than one processing core during encryption. 
-+Tests have show significant throughput performance increases when using MTR-AES-CTR up 
-+to and including a full gigabit per second on quad core systems. It should be possible to 
-+achieve full line rate on dual core systems but OS and data management overhead makes this
-+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single 
-+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal 
-+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection. 
-+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
-+nomenclature. 
-+Use examples: 	ssh -caes128-ctr you at host.com
-+		scp -oCipher=aes256-ctr file you at host.com:~/file
-+
-+NONE CIPHER:
-+To use the NONE option you must have the NoneEnabled switch set on the server and
-+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
-+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not 
-+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
-+be disabled. 
-+
-+The performance increase will only be as good as the network and TCP stack tuning
-+on the reciever side of the connection allows. As a rule of thumb a user will need 
-+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
-+HPN-SSH home page describes this in greater detail. 
-+
-+http://www.psc.edu/networking/projects/hpn-ssh
-+
-+BUFFER SIZES:
-+
-+If HPN is disabled the receive buffer size will be set to the 
-+OpenSSH default of 64K.
-+
-+If an HPN system connects to a nonHPN system the receive buffer will
-+be set to the HPNBufferSize value. The default is 2MB but user adjustable.
-+
-+If an HPN to HPN connection is established a number of different things might
-+happen based on the user options and conditions. 
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set 
-+HPN Buffer Size = up to 64MB 
-+This is the default state. The HPN buffer size will grow to a maximum of 64MB 
-+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is 
-+geared towards 10GigE transcontinental connections. 
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = TCP receive buffer value. 
-+Users on non-autotuning systesm should disable TCPRcvBufPoll in the 
-+ssh_cofig and sshd_config
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize. 
-+This would be the system defined TCP receive buffer (RWIN).
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. 
-+Generally there is no need to set both.
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
-+HPN Buffer Size = grows to HPNBufferSize
-+The buffer will grow up to the maximum size specified here. 
-+
-+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
-+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize. 
-+Generally there is no need to set both of these, especially on autotuning 
-+systems. However, if the users wishes to override the autotuning this would be 
-+one way to do it.
-+
-+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
-+HPN Buffer Size = TCPRcvBuf. 
-+This will override autotuning and set the TCP recieve buffer to the user defined 
-+value.
-+
-+
-+HPN Specific Configuration options
-+
-+TcpRcvBuf=[int]KB client
-+      set the TCP socket receive buffer to n Kilobytes. It can be set up to the 
-+maximum socket size allowed by the system. This is useful in situations where 
-+the tcp receive window is set low but the maximum buffer size is set 
-+higher (as is typical). This works on a per TCP connection basis. You can also 
-+use this to artifically limit the transfer rate of the connection. In these 
-+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB. 
-+Default is the current system wide tcp receive buffer size.
-+
-+TcpRcvBufPoll=[yes/no] client/server
-+      enable of disable the polling of the tcp receive buffer through the life 
-+of the connection. You would want to make sure that this option is enabled 
-+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista) 
-+default is yes.
-+
-+NoneEnabled=[yes/no] client/server
-+      enable or disable the use of the None cipher. Care must always be used 
-+when enabling this as it will allow users to send data in the clear. However, 
-+it is important to note that authentication information remains encrypted 
-+even if this option is enabled. Set to no by default.
-+
-+NoneSwitch=[yes/no] client
-+     Switch the encryption cipher being used to the None cipher after
-+authentication takes place. NoneEnabled must be enabled on both the client
-+and server side of the connection. When the connection switches to the NONE
-+cipher a warning is sent to STDERR. The connection attempt will fail with an
-+error if a client requests a NoneSwitch from the server that does not explicitly
-+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
-+interactive (shell) sessions and it will fail silently. Set to no by default.
-+
-+HPNDisabled=[yes/no] client/server
-+     In some situations, such as transfers on a local area network, the impact 
-+of the HPN code produces a net decrease in performance. In these cases it is 
-+helpful to disable the HPN functionality. By default HPNDisabled is set to no. 
-+
-+HPNBufferSize=[int]KB client/server
-+     This is the default buffer size the HPN functionality uses when interacting
-+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
-+option as applied to the internal SSH flow control. This value can range from 
-+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
-+problems depending on the length of the network path. The default size of this buffer
-+is 2MB.
-+
-+
-+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier at psc.edu)
-+         The majority of the actual coding for versions up to HPN12v1 was performed
-+         by Michael Stevens (mstevens at andrew.cmu.edu). The MT-AES-CTR cipher was 
-+	 implemented by Ben Bennet (ben at psc.edu). This work was financed, in part,
-+         by Cisco System, Inc., the National Library of Medicine, 
-+	 and the National Science Foundation. 
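Review bot: the NONE CIPHER section of the README contradicts itself: it says the feature works "AS LONG AS a tty is not spawned" and then that using the -T switch "to prevent a tty being created" disables the NONE cipher. The NoneSwitch entry has the same problem, stating both that a warning is sent to STDERR when the switch happens and that in interactive sessions "it will fail silently". Since NoneEnabled lets bulk data travel in the clear, the text should state precisely when the switch happens, what the user sees when it does not, and whether the MAC stays in force after the switch, which the README does not say. The six "Conditions:" cases would also be easier to audit as a table, and they do not cover HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf SET.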
-diff -NupwB openssh-5.2p1-canonical/kex.c openssh-5.2p1-hpn13v6/kex.c
---- openssh-5.2p1-canonical/kex.c	2008-11-03 03:19:12.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/kex.c	2009-05-14 12:36:10.000000000 -0400
-@@ -48,6 +48,7 @@
- #include "match.h"
- #include "dispatch.h"
- #include "monitor.h"
-+#include "canohost.h"
- 
- #define KEX_COOKIE_LEN	16
- 
-@@ -64,7 +65,8 @@ static void kex_kexinit_finish(Kex *);
- static void kex_choose_conf(Kex *);
- 
- /* put algorithm proposal into buffer */
--static void
-+/* used in sshconnect.c as well as kex.c */
-+void
- kex_prop2buf(Buffer *b, char *proposal[PROPOSAL_MAX])
- {
- 	u_int i;
-@@ -376,6 +378,13 @@ kex_choose_conf(Kex *kex)
- 	int nenc, nmac, ncomp;
- 	u_int mode, ctos, need;
- 	int first_kex_follows, type;
-+	int log_flag = 0;
-+
-+	int auth_flag;
-+
-+	auth_flag = packet_authentication_state();
-+
-+	debug ("AUTH STATE IS %d", auth_flag);
- 
- 	my   = kex_buf2prop(&kex->my, NULL);
- 	peer = kex_buf2prop(&kex->peer, &first_kex_follows);
-@@ -400,11 +409,34 @@ kex_choose_conf(Kex *kex)
- 		choose_enc (&newkeys->enc,  cprop[nenc],  sprop[nenc]);
- 		choose_mac (&newkeys->mac,  cprop[nmac],  sprop[nmac]);
- 		choose_comp(&newkeys->comp, cprop[ncomp], sprop[ncomp]);
-+		debug("REQUESTED ENC.NAME is '%s'", newkeys->enc.name);
-+		if (strcmp(newkeys->enc.name, "none") == 0) {
-+				debug("Requesting NONE. Authflag is %d", auth_flag);			
-+			if (auth_flag == 1) {
-+				debug("None requested post authentication.");
-+			} else {
-+				fatal("Pre-authentication none cipher requests are not allowed.");
-+			}
-+		} 
- 		debug("kex: %s %s %s %s",
- 		    ctos ? "client->server" : "server->client",
- 		    newkeys->enc.name,
- 		    newkeys->mac.name,
- 		    newkeys->comp.name);
-+		/* client starts withctos = 0 && log flag = 0 and no log*/
-+		/* 2nd client pass ctos=1 and flag = 1 so no log*/
-+		/* server starts with ctos =1 && log_flag = 0 so log */
-+		/* 2nd sever pass ctos = 1 && log flag = 1 so no log*/
-+		/* -cjr*/
-+		if (ctos && !log_flag) {
-+			logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
-+			      get_remote_ipaddr(),
-+			      get_remote_port(),
-+			      newkeys->enc.name,
-+			      newkeys->mac.name,
-+			      newkeys->comp.name);
-+		}
-+		log_flag = 1;
- 	}
- 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
- 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
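Review bot: the logit() added to kex_choose_conf() fires only when "ctos && !log_flag", which by the hunk's own comments means once, on the server, for the client->server direction, and never on the client. The algorithms chosen for server->client are not recorded, so a log reader cannot tell from this line whether "none" or a different cipher or MAC was negotiated for the other direction. If the line is meant as an audit record, log inside the loop for both directions (or after it, with both sets), and derive the "Server" label from kex->server instead of hard-coding it. The two debug() calls above it ("REQUESTED ENC.NAME", "Requesting NONE") are mis-indented and duplicate what the existing "kex: %s %s %s %s" debug already prints.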
-diff -NupwB openssh-5.2p1-canonical/kex.h openssh-5.2p1-hpn13v6/kex.h
---- openssh-5.2p1-canonical/kex.h	2007-06-11 00:01:42.000000000 -0400
-+++ openssh-5.2p1-hpn13v6/kex.h	2009-05-14 12:36:10.000000000 -0400
-@@ -127,6 +127,8 @@ struct Kex {
- 	void	(*kex[KEX_MAX])(Kex *);
- };
- 
-+void kex_prop2buf(Buffer *, char *proposal[PROPOSAL_MAX]);
-+
- Kex	*kex_setup(char *[PROPOSAL_MAX]);
- void	 kex_finish(Kex *);
- 
-diff -NupwB openssh-5.2p1-canonical/Makefile.in openssh-5.2p1-hpn13v6/Makefile.in
---- openssh-5.2p1-canonical/Makefile.in	2008-11-05 00:20:46.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/Makefile.in	2009-05-14 12:36:10.000000000 -0400
-@@ -43,7 +43,7 @@ CC=@CC@
- LD=@LD@
- CFLAGS=@CFLAGS@
- CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
--LIBS=@LIBS@
-+LIBS=@LIBS@ -lpthread
- SSHDLIBS=@SSHDLIBS@
- LIBEDIT=@LIBEDIT@
- AR=@AR@
-@@ -64,7 +64,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-a
- 
- LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- 	canohost.o channels.o cipher.o cipher-acss.o cipher-aes.o \
--	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
-+	cipher-bf1.o cipher-ctr.o cipher-ctr-mt.o cipher-3des1.o cleanup.o \
- 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
- 	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
- 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
-diff -NupwB openssh-5.2p1-canonical/myproposal.h openssh-5.2p1-hpn13v6/myproposal.h
---- openssh-5.2p1-canonical/myproposal.h	2009-01-28 00:33:31.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/myproposal.h	2009-05-14 12:36:10.000000000 -0400
-@@ -47,6 +47,8 @@
- 	"arcfour256,arcfour128," \
- 	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
- 	"aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se"
-+#define KEX_ENCRYPT_INCLUDE_NONE KEX_DEFAULT_ENCRYPT \
-+	",none"
- #define	KEX_DEFAULT_MAC \
- 	"hmac-md5,hmac-sha1,umac-64 at openssh.com,hmac-ripemd160," \
- 	"hmac-ripemd160 at openssh.com," \
-Common subdirectories: openssh-5.2p1-canonical/openbsd-compat and openssh-5.2p1-hpn13v6/openbsd-compat
-diff -NupwB openssh-5.2p1-canonical/packet.c openssh-5.2p1-hpn13v6/packet.c
---- openssh-5.2p1-canonical/packet.c	2009-02-14 00:35:01.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/packet.c	2009-05-14 12:36:10.000000000 -0400
-@@ -775,7 +775,7 @@ packet_enable_delayed_compress(void)
- /*
-  * Finalize packet in SSH2 format (compress, mac, encrypt, enqueue)
-  */
--static void
-+static int
- packet_send2_wrapped(void)
- {
- 	u_char type, *cp, *macbuf = NULL;
-@@ -888,11 +888,13 @@ packet_send2_wrapped(void)
- 		set_newkeys(MODE_OUT);
- 	else if (type == SSH2_MSG_USERAUTH_SUCCESS && server_side)
- 		packet_enable_delayed_compress();
-+	return(packet_length);
- }
- 
--static void
-+static int
- packet_send2(void)
- {
-+        static int packet_length = 0;
- 	static int rekeying = 0;
- 	struct packet *p;
- 	u_char type, *cp;
-@@ -910,7 +912,7 @@ packet_send2(void)
- 			memcpy(&p->payload, &outgoing_packet, sizeof(Buffer));
- 			buffer_init(&outgoing_packet);
- 			TAILQ_INSERT_TAIL(&outgoing, p, next);
--			return;
-+			return(sizeof(Buffer));
- 		}
- 	}
- 
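Review bot: "return(sizeof(Buffer));" in the rekeying branch of packet_send2() returns the size of the Buffer structure, not a byte count of anything written. On this path the packet was only queued with TAILQ_INSERT_TAIL and nothing reached the wire, so callers that treat the return value as bytes sent are given a constant unrelated to the payload. Return 0 here and let the later packet_send2_wrapped() calls account for the queued packets when they are actually sent.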
-@@ -918,7 +920,7 @@ packet_send2(void)
- 	if (type == SSH2_MSG_KEXINIT)
- 		rekeying = 1;
- 
--	packet_send2_wrapped();
-+	packet_length = packet_send2_wrapped();
- 
- 	/* after a NEWKEYS message we can send the complete queue */
- 	if (type == SSH2_MSG_NEWKEYS) {
-@@ -931,19 +933,22 @@ packet_send2(void)
- 			    sizeof(Buffer));
- 			TAILQ_REMOVE(&outgoing, p, next);
- 			free(p);
--			packet_send2_wrapped();
-+			packet_length += packet_send2_wrapped();
- 		}
- 	}
-+	return(packet_length);
- }
- 
--void
-+int
- packet_send(void)
- {
-+  int packet_len = 0;
- 	if (compat20)
--		packet_send2();
-+		packet_len = packet_send2();
- 	else
- 		packet_send1();
- 	DBG(debug("packet_send done"));
-+	return(packet_len);
- }
- 
- /*
-@@ -1544,23 +1549,25 @@ packet_disconnect(const char *fmt,...)
- 
- /* Checks if there is any buffered output, and tries to write some of the output. */
- 
--void
-+int
- packet_write_poll(void)
- {
--	int len = buffer_len(&output);
-+	int len = 0;
-+	len = buffer_len(&output);
- 
- 	if (len > 0) {
- 		len = write(connection_out, buffer_ptr(&output), len);
- 		if (len == -1) {
- 			if (errno == EINTR || errno == EAGAIN ||
- 			    errno == EWOULDBLOCK)
--				return;
-+				return (0);
- 			fatal("Write failed: %.100s", strerror(errno));
- 		}
- 		if (len == 0)
- 			fatal("Write connection closed");
- 		buffer_consume(&output, len);
- 	}
-+	return(len);
- }
- 
- 
-@@ -1569,16 +1576,17 @@ packet_write_poll(void)
-  * written.
-  */
- 
--void
-+int
- packet_write_wait(void)
- {
- 	fd_set *setp;
- 	int ret, ms_remain;
- 	struct timeval start, timeout, *timeoutp = NULL;
-+	u_int bytes_sent = 0;
- 
- 	setp = (fd_set *)xcalloc(howmany(connection_out + 1, NFDBITS),
- 	    sizeof(fd_mask));
--	packet_write_poll();
-+	bytes_sent += packet_write_poll();
- 	while (packet_have_data_to_write()) {
- 		memset(setp, 0, howmany(connection_out + 1, NFDBITS) *
- 		    sizeof(fd_mask));
-@@ -1612,7 +1620,7 @@ packet_write_wait(void)
- 			    "waiting to write", get_remote_ipaddr());
- 			cleanup_exit(255);
- 		}
--		packet_write_poll();
-+		bytes_sent += packet_write_poll();
- 	}
- 	free(setp);
- }
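Review bot: packet_write_wait() is changed to return int and accumulates bytes_sent, but the hunks add no return statement: the function still ends at "free(setp);" followed by the closing brace. Callers that use the result read an indeterminate value. Add "return (bytes_sent);" after free(setp), and make the types agree, since bytes_sent is u_int while the function and packet_write_poll() return int.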
-@@ -1736,12 +1744,24 @@ packet_send_ignore(int nbytes)
- 	}
- }
- 
-+int rekey_requested = 0;
-+void
-+packet_request_rekeying(void)
-+{
-+	rekey_requested = 1;
-+}
-+
- #define MAX_PACKETS	(1U<<31)
- int
- packet_need_rekeying(void)
- {
- 	if (datafellows & SSH_BUG_NOREKEY)
- 		return 0;
-+	if (rekey_requested == 1)
-+	{
-+		rekey_requested = 0;
-+		return 1;
-+	}
- 	return
- 	    (p_send.packets > MAX_PACKETS) ||
- 	    (p_read.packets > MAX_PACKETS) ||
-@@ -1766,3 +1786,9 @@ packet_set_authenticated(void)
- {
- 	after_authentication = 1;
- }
-+
-+int
-+packet_authentication_state(void)
-+{
-+	return(after_authentication);
-+}
-diff -NupwB openssh-5.2p1-canonical/packet.h openssh-5.2p1-hpn13v6/packet.h
---- openssh-5.2p1-canonical/packet.h	2008-07-11 03:36:48.000000000 -0400
-+++ openssh-5.2p1-hpn13v6/packet.h	2009-05-14 12:36:10.000000000 -0400
-@@ -20,6 +20,9 @@
- 
- #include <openssl/bn.h>
- 
-+void
-+packet_request_rekeying(void);
-+
- void     packet_set_connection(int, int);
- void     packet_set_timeout(int, int);
- void     packet_set_nonblocking(void);
-@@ -35,6 +38,7 @@ void     packet_set_interactive(int);
- int      packet_is_interactive(void);
- void     packet_set_server(void);
- void     packet_set_authenticated(void);
-+int	 packet_authentication_state(void);
- 
- void     packet_start(u_char);
- void     packet_put_char(int ch);
-@@ -44,7 +48,7 @@ void     packet_put_bignum2(BIGNUM * val
- void     packet_put_string(const void *buf, u_int len);
- void     packet_put_cstring(const char *str);
- void     packet_put_raw(const void *buf, u_int len);
--void     packet_send(void);
-+int      packet_send(void);
- 
- int      packet_read(void);
- void     packet_read_expect(int type);
-@@ -73,8 +77,8 @@ void	 packet_set_state(int, u_int32_t, u
- int	 packet_get_ssh1_cipher(void);
- void	 packet_set_iv(int, u_char *);
- 
--void     packet_write_poll(void);
--void     packet_write_wait(void);
-+int      packet_write_poll(void);
-+int      packet_write_wait(void);
- int      packet_have_data_to_write(void);
- int      packet_not_very_much_data_to_write(void);
- 
-diff -NupwB openssh-5.2p1-canonical/progressmeter.c openssh-5.2p1-hpn13v6/progressmeter.c
---- openssh-5.2p1-canonical/progressmeter.c	2006-08-04 22:39:40.000000000 -0400
-+++ openssh-5.2p1-hpn13v6/progressmeter.c	2009-05-14 12:36:10.000000000 -0400
-@@ -68,6 +68,8 @@ static time_t last_update;	/* last progr
- static char *file;		/* name of the file being transferred */
- static off_t end_pos;		/* ending position of transfer */
- static off_t cur_pos;		/* transfer position as of last refresh */
-+static off_t last_pos;
-+static off_t max_delta_pos = 0;
- static volatile off_t *counter;	/* progress counter */
- static long stalled;		/* how long we have been stalled */
- static int bytes_per_second;	/* current speed in bytes per second */
-@@ -128,12 +130,17 @@ refresh_progress_meter(void)
- 	int hours, minutes, seconds;
- 	int i, len;
- 	int file_len;
-+	off_t delta_pos;
- 
- 	transferred = *counter - cur_pos;
- 	cur_pos = *counter;
- 	now = time(NULL);
- 	bytes_left = end_pos - cur_pos;
- 
-+	delta_pos = cur_pos - last_pos;
-+	if (delta_pos > max_delta_pos) 
-+		max_delta_pos = delta_pos;
-+
- 	if (bytes_left > 0)
- 		elapsed = now - last_update;
- 	else {
-@@ -158,7 +165,7 @@ refresh_progress_meter(void)
- 
- 	/* filename */
- 	buf[0] = '\0';
--	file_len = win_size - 35;
-+	file_len = win_size - 45;
- 	if (file_len > 0) {
- 		len = snprintf(buf, file_len + 1, "\r%s", file);
- 		if (len < 0)
-@@ -175,7 +182,8 @@ refresh_progress_meter(void)
- 		percent = ((float)cur_pos / end_pos) * 100;
- 	else
- 		percent = 100;
--	snprintf(buf + strlen(buf), win_size - strlen(buf),
-+
-+	snprintf(buf + strlen(buf), win_size - strlen(buf-8),
- 	    " %3d%% ", percent);
- 
- 	/* amount transferred */
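Review bot: in the removed refresh_progress_meter() hunk the size argument reads `win_size - strlen(buf-8)`, which calls strlen() on an address 8 bytes before the start of buf, so the bound handed to snprintf() depends on whatever sits in front of the buffer in memory. If the aim was to reserve eight more columns for the new rate field (the previous hunk shrinks file_len from `win_size - 35` to `win_size - 45`), that would be `win_size - strlen(buf) - 8`. Deleting the patch removes the defect; if the HPN patch is ever carried again, this line should be corrected rather than restored as it stands.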
-@@ -188,6 +196,15 @@ refresh_progress_meter(void)
- 	    (off_t)bytes_per_second);
- 	strlcat(buf, "/s ", win_size);
- 
-+	/* instantaneous rate */
-+	if (bytes_left > 0)
-+		format_rate(buf + strlen(buf), win_size - strlen(buf),
-+			    delta_pos);
-+	else
-+		format_rate(buf + strlen(buf), win_size - strlen(buf),
-+			    max_delta_pos);
-+	strlcat(buf, "/s ", win_size);
-+
- 	/* ETA */
- 	if (!transferred)
- 		stalled += elapsed;
-@@ -224,6 +241,7 @@ refresh_progress_meter(void)
- 
- 	atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
- 	last_update = now;
-+	last_pos = cur_pos;
- }
- 
- /*ARGSUSED*/
-diff -NupwB openssh-5.2p1-canonical/readconf.c openssh-5.2p1-hpn13v6/readconf.c
---- openssh-5.2p1-canonical/readconf.c	2009-02-14 00:28:21.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/readconf.c	2009-05-14 12:36:10.000000000 -0400
-@@ -131,6 +131,8 @@ typedef enum {
- 	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
- 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
- 	oVisualHostKey, oZeroKnowledgePasswordAuthentication,
-+	oNoneEnabled, oTcpRcvBufPoll, oTcpRcvBuf, oNoneSwitch, oHPNDisabled,
-+	oHPNBufferSize,
- 	oDeprecated, oUnsupported
- } OpCodes;
- 
-@@ -234,6 +236,12 @@ static struct {
- #else
- 	{ "zeroknowledgepasswordauthentication", oUnsupported },
- #endif
-+	{ "noneenabled", oNoneEnabled },
-+	{ "tcprcvbufpoll", oTcpRcvBufPoll },
-+	{ "tcprcvbuf", oTcpRcvBuf },
-+	{ "noneswitch", oNoneSwitch },
-+	{ "hpndisabled", oHPNDisabled },
-+	{ "hpnbuffersize", oHPNBufferSize },
- 
- 	{ NULL, oBadOption }
- };
-@@ -465,6 +473,37 @@ parse_flag:
- 		intptr = &options->check_host_ip;
- 		goto parse_flag;
- 
-+	case oNoneEnabled:
-+		intptr = &options->none_enabled;
-+		goto parse_flag;
-+ 
-+	/* we check to see if the command comes from the */
-+	/* command line or not. If it does then enable it */
-+	/* otherwise fail. NONE should never be a default configuration */
-+	case oNoneSwitch:
-+		if(strcmp(filename,"command-line")==0)
-+		{		
-+		    intptr = &options->none_switch;
-+		    goto parse_flag;
-+		} else {
-+		    error("NoneSwitch is found in %.200s.\nYou may only use this configuration option from the command line", filename);
-+		    error("Continuing...");
-+		    debug("NoneSwitch directive found in %.200s.", filename);
-+		    return 0;
-+	        }
-+
-+	case oHPNDisabled:
-+		intptr = &options->hpn_disabled;
-+		goto parse_flag;
-+
-+	case oHPNBufferSize:
-+		intptr = &options->hpn_buffer_size;
-+		goto parse_int;
-+
-+	case oTcpRcvBufPoll:
-+		intptr = &options->tcp_rcv_buf_poll;
-+		goto parse_flag;
-+
- 	case oVerifyHostKeyDNS:
- 		intptr = &options->verify_host_key_dns;
- 		goto parse_yesnoask;
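Review bot: the removed oNoneSwitch case decides whether the option came from the command line with `strcmp(filename,"command-line")==0`, so the guard rests on a magic string that is also a legal file name, and any configuration read under that name would pass it. An explicit origin flag handed to the parser would not depend on what a file happens to be called. The else branch also reports the same event three times (two error() calls and a debug()) and returns 0 directly, skipping the garbage-at-end-of-line check that the other flag options reach through parse_flag. The hunk's own comment says NONE should never be a default configuration, so dropping the option with the rest of the patch is the safer outcome for a package kept only for legacy client use.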
-@@ -643,6 +682,10 @@ parse_int:
- 		intptr = &options->connection_attempts;
- 		goto parse_int;
- 
-+	case oTcpRcvBuf:
-+		intptr = &options->tcp_rcv_buf;
-+		goto parse_int;
-+
- 	case oCipher:
- 		intptr = &options->cipher;
- 		arg = strdelim(&s);
-@@ -1065,6 +1108,12 @@ initialize_options(Options * options)
- 	options->permit_local_command = -1;
- 	options->visual_host_key = -1;
- 	options->zero_knowledge_password_authentication = -1;
-+	options->none_switch = -1;
-+	options->none_enabled = -1;
-+	options->hpn_disabled = -1;
-+	options->hpn_buffer_size = -1;
-+	options->tcp_rcv_buf_poll = -1;
-+	options->tcp_rcv_buf = -1;
- }
- 
- /*
-@@ -1187,6 +1236,29 @@ fill_default_options(Options * options)
- 		options->server_alive_interval = 0;
- 	if (options->server_alive_count_max == -1)
- 		options->server_alive_count_max = 3;
-+	if (options->none_switch == -1)
-+	        options->none_switch = 0;
-+	if (options->hpn_disabled == -1)
-+	        options->hpn_disabled = 0;
-+	if (options->hpn_buffer_size > -1)
-+	{
-+	  /* if a user tries to set the size to 0 set it to 1KB */
-+		if (options->hpn_buffer_size == 0)
-+		options->hpn_buffer_size = 1024;
-+		/*limit the buffer to 64MB*/
-+		if (options->hpn_buffer_size > 65536)
-+		{
-+			options->hpn_buffer_size = 65536*1024;
-+			debug("User requested buffer larger than 64MB. Request reverted to 64MB");
-+		}
-+		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
-+	}
-+	if (options->tcp_rcv_buf == 0)
-+		options->tcp_rcv_buf = 1;
-+	if (options->tcp_rcv_buf > -1) 
-+		options->tcp_rcv_buf *=1024;
-+	if (options->tcp_rcv_buf_poll == -1)
-+		options->tcp_rcv_buf_poll = 1;
- 	if (options->control_master == -1)
- 		options->control_master = 0;
- 	if (options->hash_known_hosts == -1)
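Review bot: in the removed fill_default_options() hunk hpn_buffer_size ends up in mixed units: 0 becomes 1024 and anything above 65536 becomes 65536*1024, both byte counts going by the comments, while values from 1 to 65536 are left unscaled, so 65536 and 65537 differ by a factor of 1024 once this block has run. The same hunk does `options->tcp_rcv_buf *=1024` with no upper bound, and parse_int stores the strtol() result in an int without a range check, so a large configured value can overflow the signed multiplication. Both would need a consistent unit and a cap before scaling if this code were kept; removing the patch makes that moot, but any ssh_config that still sets these keywords will now be rejected by parse_token as a bad configuration option.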
-diff -NupwB openssh-5.2p1-canonical/readconf.c.orig openssh-5.2p1-hpn13v6/readconf.c.orig
---- openssh-5.2p1-canonical/readconf.c.orig	1969-12-31 19:00:00.000000000 -0500
-+++ openssh-5.2p1-hpn13v6/readconf.c.orig	2009-02-14 00:28:21.000000000 -0500
-@@ -0,0 +1,1310 @@
-+/* $OpenBSD: readconf.c,v 1.176 2009/02/12 03:00:56 djm Exp $ */
-+/*
-+ * Author: Tatu Ylonen <ylo at cs.hut.fi>
-+ * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
-+ *                    All rights reserved
-+ * Functions for reading the configuration files.
-+ *
-+ * As far as I am concerned, the code I have written for this software
-+ * can be used freely for any purpose.  Any derived versions of this
-+ * software must be clearly marked as such, and if the derived work is
-+ * incompatible with the protocol description in the RFC file, it must be
-+ * called by a name other than "ssh" or "Secure Shell".
-+ */
-+
-+#include "includes.h"
-+
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <sys/socket.h>
-+
-+#include <netinet/in.h>
-+
-+#include <ctype.h>
-+#include <errno.h>
-+#include <netdb.h>
-+#include <signal.h>
-+#include <stdarg.h>
-+#include <stdio.h>
-+#include <string.h>
-+#include <unistd.h>
-+
-+#include "xmalloc.h"
-+#include "ssh.h"
-+#include "compat.h"
-+#include "cipher.h"
-+#include "pathnames.h"
-+#include "log.h"
-+#include "key.h"
-+#include "readconf.h"
-+#include "match.h"
-+#include "misc.h"
-+#include "buffer.h"
-+#include "kex.h"
-+#include "mac.h"
-+
-+/* Format of the configuration file:
-+
-+   # Configuration data is parsed as follows:
-+   #  1. command line options
-+   #  2. user-specific file
-+   #  3. system-wide file
-+   # Any configuration value is only changed the first time it is set.
-+   # Thus, host-specific definitions should be at the beginning of the
-+   # configuration file, and defaults at the end.
-+
-+   # Host-specific declarations.  These may override anything above.  A single
-+   # host may match multiple declarations; these are processed in the order
-+   # that they are given in.
-+
-+   Host *.ngs.fi ngs.fi
-+     User foo
-+
-+   Host fake.com
-+     HostName another.host.name.real.org
-+     User blaah
-+     Port 34289
-+     ForwardX11 no
-+     ForwardAgent no
-+
-+   Host books.com
-+     RemoteForward 9999 shadows.cs.hut.fi:9999
-+     Cipher 3des
-+
-+   Host fascist.blob.com
-+     Port 23123
-+     User tylonen
-+     PasswordAuthentication no
-+
-+   Host puukko.hut.fi
-+     User t35124p
-+     ProxyCommand ssh-proxy %h %p
-+
-+   Host *.fr
-+     PublicKeyAuthentication no
-+
-+   Host *.su
-+     Cipher none
-+     PasswordAuthentication no
-+
-+   Host vpn.fake.com
-+     Tunnel yes
-+     TunnelDevice 3
-+
-+   # Defaults for various options
-+   Host *
-+     ForwardAgent no
-+     ForwardX11 no
-+     PasswordAuthentication yes
-+     RSAAuthentication yes
-+     RhostsRSAAuthentication yes
-+     StrictHostKeyChecking yes
-+     TcpKeepAlive no
-+     IdentityFile ~/.ssh/identity
-+     Port 22
-+     EscapeChar ~
-+
-+*/
-+
-+/* Keyword tokens. */
-+
-+typedef enum {
-+	oBadOption,
-+	oForwardAgent, oForwardX11, oForwardX11Trusted, oGatewayPorts,
-+	oExitOnForwardFailure,
-+	oPasswordAuthentication, oRSAAuthentication,
-+	oChallengeResponseAuthentication, oXAuthLocation,
-+	oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward,
-+	oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand,
-+	oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts,
-+	oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression,
-+	oCompressionLevel, oTCPKeepAlive, oNumberOfPasswordPrompts,
-+	oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oMacs,
-+	oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication,
-+	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
-+	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
-+	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
-+	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
-+	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
-+	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-+	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
-+	oSendEnv, oControlPath, oControlMaster, oHashKnownHosts,
-+	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-+	oVisualHostKey, oZeroKnowledgePasswordAuthentication,
-+	oDeprecated, oUnsupported
-+} OpCodes;
-+
-+/* Textual representations of the tokens. */
-+
-+static struct {
-+	const char *name;
-+	OpCodes opcode;
-+} keywords[] = {
-+	{ "forwardagent", oForwardAgent },
-+	{ "forwardx11", oForwardX11 },
-+	{ "forwardx11trusted", oForwardX11Trusted },
-+	{ "exitonforwardfailure", oExitOnForwardFailure },
-+	{ "xauthlocation", oXAuthLocation },
-+	{ "gatewayports", oGatewayPorts },
-+	{ "useprivilegedport", oUsePrivilegedPort },
-+	{ "rhostsauthentication", oDeprecated },
-+	{ "passwordauthentication", oPasswordAuthentication },
-+	{ "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
-+	{ "kbdinteractivedevices", oKbdInteractiveDevices },
-+	{ "rsaauthentication", oRSAAuthentication },
-+	{ "pubkeyauthentication", oPubkeyAuthentication },
-+	{ "dsaauthentication", oPubkeyAuthentication },		    /* alias */
-+	{ "rhostsrsaauthentication", oRhostsRSAAuthentication },
-+	{ "hostbasedauthentication", oHostbasedAuthentication },
-+	{ "challengeresponseauthentication", oChallengeResponseAuthentication },
-+	{ "skeyauthentication", oChallengeResponseAuthentication }, /* alias */
-+	{ "tisauthentication", oChallengeResponseAuthentication },  /* alias */
-+	{ "kerberosauthentication", oUnsupported },
-+	{ "kerberostgtpassing", oUnsupported },
-+	{ "afstokenpassing", oUnsupported },
-+#if defined(GSSAPI)
-+	{ "gssapiauthentication", oGssAuthentication },
-+	{ "gssapidelegatecredentials", oGssDelegateCreds },
-+#else
-+	{ "gssapiauthentication", oUnsupported },
-+	{ "gssapidelegatecredentials", oUnsupported },
-+#endif
-+	{ "fallbacktorsh", oDeprecated },
-+	{ "usersh", oDeprecated },
-+	{ "identityfile", oIdentityFile },
-+	{ "identityfile2", oIdentityFile },			/* obsolete */
-+	{ "identitiesonly", oIdentitiesOnly },
-+	{ "hostname", oHostName },
-+	{ "hostkeyalias", oHostKeyAlias },
-+	{ "proxycommand", oProxyCommand },
-+	{ "port", oPort },
-+	{ "cipher", oCipher },
-+	{ "ciphers", oCiphers },
-+	{ "macs", oMacs },
-+	{ "protocol", oProtocol },
-+	{ "remoteforward", oRemoteForward },
-+	{ "localforward", oLocalForward },
-+	{ "user", oUser },
-+	{ "host", oHost },
-+	{ "escapechar", oEscapeChar },
-+	{ "globalknownhostsfile", oGlobalKnownHostsFile },
-+	{ "globalknownhostsfile2", oGlobalKnownHostsFile2 },	/* obsolete */
-+	{ "userknownhostsfile", oUserKnownHostsFile },
-+	{ "userknownhostsfile2", oUserKnownHostsFile2 },	/* obsolete */
-+	{ "connectionattempts", oConnectionAttempts },
-+	{ "batchmode", oBatchMode },
-+	{ "checkhostip", oCheckHostIP },
-+	{ "stricthostkeychecking", oStrictHostKeyChecking },
-+	{ "compression", oCompression },
-+	{ "compressionlevel", oCompressionLevel },
-+	{ "tcpkeepalive", oTCPKeepAlive },
-+	{ "keepalive", oTCPKeepAlive },				/* obsolete */
-+	{ "numberofpasswordprompts", oNumberOfPasswordPrompts },
-+	{ "loglevel", oLogLevel },
-+	{ "dynamicforward", oDynamicForward },
-+	{ "preferredauthentications", oPreferredAuthentications },
-+	{ "hostkeyalgorithms", oHostKeyAlgorithms },
-+	{ "bindaddress", oBindAddress },
-+#ifdef SMARTCARD
-+	{ "smartcarddevice", oSmartcardDevice },
-+#else
-+	{ "smartcarddevice", oUnsupported },
-+#endif
-+	{ "clearallforwardings", oClearAllForwardings },
-+	{ "enablesshkeysign", oEnableSSHKeysign },
-+	{ "verifyhostkeydns", oVerifyHostKeyDNS },
-+	{ "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost },
-+	{ "rekeylimit", oRekeyLimit },
-+	{ "connecttimeout", oConnectTimeout },
-+	{ "addressfamily", oAddressFamily },
-+	{ "serveraliveinterval", oServerAliveInterval },
-+	{ "serveralivecountmax", oServerAliveCountMax },
-+	{ "sendenv", oSendEnv },
-+	{ "controlpath", oControlPath },
-+	{ "controlmaster", oControlMaster },
-+	{ "hashknownhosts", oHashKnownHosts },
-+	{ "tunnel", oTunnel },
-+	{ "tunneldevice", oTunnelDevice },
-+	{ "localcommand", oLocalCommand },
-+	{ "permitlocalcommand", oPermitLocalCommand },
-+	{ "visualhostkey", oVisualHostKey },
-+#ifdef JPAKE
-+	{ "zeroknowledgepasswordauthentication",
-+	    oZeroKnowledgePasswordAuthentication },
-+#else
-+	{ "zeroknowledgepasswordauthentication", oUnsupported },
-+#endif
-+
-+	{ NULL, oBadOption }
-+};
-+
-+/*
-+ * Adds a local TCP/IP port forward to options.  Never returns if there is an
-+ * error.
-+ */
-+
-+void
-+add_local_forward(Options *options, const Forward *newfwd)
-+{
-+	Forward *fwd;
-+#ifndef NO_IPPORT_RESERVED_CONCEPT
-+	extern uid_t original_real_uid;
-+	if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
-+		fatal("Privileged ports can only be forwarded by root.");
-+#endif
-+	if (options->num_local_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
-+		fatal("Too many local forwards (max %d).", SSH_MAX_FORWARDS_PER_DIRECTION);
-+	fwd = &options->local_forwards[options->num_local_forwards++];
-+
-+	fwd->listen_host = newfwd->listen_host;
-+	fwd->listen_port = newfwd->listen_port;
-+	fwd->connect_host = newfwd->connect_host;
-+	fwd->connect_port = newfwd->connect_port;
-+}
-+
-+/*
-+ * Adds a remote TCP/IP port forward to options.  Never returns if there is
-+ * an error.
-+ */
-+
-+void
-+add_remote_forward(Options *options, const Forward *newfwd)
-+{
-+	Forward *fwd;
-+	if (options->num_remote_forwards >= SSH_MAX_FORWARDS_PER_DIRECTION)
-+		fatal("Too many remote forwards (max %d).",
-+		    SSH_MAX_FORWARDS_PER_DIRECTION);
-+	fwd = &options->remote_forwards[options->num_remote_forwards++];
-+
-+	fwd->listen_host = newfwd->listen_host;
-+	fwd->listen_port = newfwd->listen_port;
-+	fwd->connect_host = newfwd->connect_host;
-+	fwd->connect_port = newfwd->connect_port;
-+}
-+
-+static void
-+clear_forwardings(Options *options)
-+{
-+	int i;
-+
-+	for (i = 0; i < options->num_local_forwards; i++) {
-+		if (options->local_forwards[i].listen_host != NULL)
-+			free(options->local_forwards[i].listen_host);
-+		free(options->local_forwards[i].connect_host);
-+	}
-+	options->num_local_forwards = 0;
-+	for (i = 0; i < options->num_remote_forwards; i++) {
-+		if (options->remote_forwards[i].listen_host != NULL)
-+			free(options->remote_forwards[i].listen_host);
-+		free(options->remote_forwards[i].connect_host);
-+	}
-+	options->num_remote_forwards = 0;
-+	options->tun_open = SSH_TUNMODE_NO;
-+}
-+
-+/*
-+ * Returns the number of the token pointed to by cp or oBadOption.
-+ */
-+
-+static OpCodes
-+parse_token(const char *cp, const char *filename, int linenum)
-+{
-+	u_int i;
-+
-+	for (i = 0; keywords[i].name; i++)
-+		if (strcasecmp(cp, keywords[i].name) == 0)
-+			return keywords[i].opcode;
-+
-+	error("%s: line %d: Bad configuration option: %s",
-+	    filename, linenum, cp);
-+	return oBadOption;
-+}
-+
-+/*
-+ * Processes a single option line as used in the configuration files. This
-+ * only sets those values that have not already been set.
-+ */
-+#define WHITESPACE " \t\r\n"
-+
-+int
-+process_config_line(Options *options, const char *host,
-+		    char *line, const char *filename, int linenum,
-+		    int *activep)
-+{
-+	char *s, **charptr, *endofnumber, *keyword, *arg, *arg2, fwdarg[256];
-+	int opcode, *intptr, value, value2, scale;
-+	LogLevel *log_level_ptr;
-+	long long orig, val64;
-+	size_t len;
-+	Forward fwd;
-+
-+	/* Strip trailing whitespace */
-+	for (len = strlen(line) - 1; len > 0; len--) {
-+		if (strchr(WHITESPACE, line[len]) == NULL)
-+			break;
-+		line[len] = '\0';
-+	}
-+
-+	s = line;
-+	/* Get the keyword. (Each line is supposed to begin with a keyword). */
-+	if ((keyword = strdelim(&s)) == NULL)
-+		return 0;
-+	/* Ignore leading whitespace. */
-+	if (*keyword == '\0')
-+		keyword = strdelim(&s);
-+	if (keyword == NULL || !*keyword || *keyword == '\n' || *keyword == '#')
-+		return 0;
-+
-+	opcode = parse_token(keyword, filename, linenum);
-+
-+	switch (opcode) {
-+	case oBadOption:
-+		/* don't panic, but count bad options */
-+		return -1;
-+		/* NOTREACHED */
-+	case oConnectTimeout:
-+		intptr = &options->connection_timeout;
-+parse_time:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%s line %d: missing time value.",
-+			    filename, linenum);
-+		if ((value = convtime(arg)) == -1)
-+			fatal("%s line %d: invalid time value.",
-+			    filename, linenum);
-+		if (*activep && *intptr == -1)
-+			*intptr = value;
-+		break;
-+
-+	case oForwardAgent:
-+		intptr = &options->forward_agent;
-+parse_flag:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing yes/no argument.", filename, linenum);
-+		value = 0;	/* To avoid compiler warning... */
-+		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
-+			value = 1;
-+		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
-+			value = 0;
-+		else
-+			fatal("%.200s line %d: Bad yes/no argument.", filename, linenum);
-+		if (*activep && *intptr == -1)
-+			*intptr = value;
-+		break;
-+
-+	case oForwardX11:
-+		intptr = &options->forward_x11;
-+		goto parse_flag;
-+
-+	case oForwardX11Trusted:
-+		intptr = &options->forward_x11_trusted;
-+		goto parse_flag;
-+
-+	case oGatewayPorts:
-+		intptr = &options->gateway_ports;
-+		goto parse_flag;
-+
-+	case oExitOnForwardFailure:
-+		intptr = &options->exit_on_forward_failure;
-+		goto parse_flag;
-+
-+	case oUsePrivilegedPort:
-+		intptr = &options->use_privileged_port;
-+		goto parse_flag;
-+
-+	case oPasswordAuthentication:
-+		intptr = &options->password_authentication;
-+		goto parse_flag;
-+
-+	case oZeroKnowledgePasswordAuthentication:
-+		intptr = &options->zero_knowledge_password_authentication;
-+		goto parse_flag;
-+
-+	case oKbdInteractiveAuthentication:
-+		intptr = &options->kbd_interactive_authentication;
-+		goto parse_flag;
-+
-+	case oKbdInteractiveDevices:
-+		charptr = &options->kbd_interactive_devices;
-+		goto parse_string;
-+
-+	case oPubkeyAuthentication:
-+		intptr = &options->pubkey_authentication;
-+		goto parse_flag;
-+
-+	case oRSAAuthentication:
-+		intptr = &options->rsa_authentication;
-+		goto parse_flag;
-+
-+	case oRhostsRSAAuthentication:
-+		intptr = &options->rhosts_rsa_authentication;
-+		goto parse_flag;
-+
-+	case oHostbasedAuthentication:
-+		intptr = &options->hostbased_authentication;
-+		goto parse_flag;
-+
-+	case oChallengeResponseAuthentication:
-+		intptr = &options->challenge_response_authentication;
-+		goto parse_flag;
-+
-+	case oGssAuthentication:
-+		intptr = &options->gss_authentication;
-+		goto parse_flag;
-+
-+	case oGssDelegateCreds:
-+		intptr = &options->gss_deleg_creds;
-+		goto parse_flag;
-+
-+	case oBatchMode:
-+		intptr = &options->batch_mode;
-+		goto parse_flag;
-+
-+	case oCheckHostIP:
-+		intptr = &options->check_host_ip;
-+		goto parse_flag;
-+
-+	case oVerifyHostKeyDNS:
-+		intptr = &options->verify_host_key_dns;
-+		goto parse_yesnoask;
-+
-+	case oStrictHostKeyChecking:
-+		intptr = &options->strict_host_key_checking;
-+parse_yesnoask:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing yes/no/ask argument.",
-+			    filename, linenum);
-+		value = 0;	/* To avoid compiler warning... */
-+		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
-+			value = 1;
-+		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
-+			value = 0;
-+		else if (strcmp(arg, "ask") == 0)
-+			value = 2;
-+		else
-+			fatal("%.200s line %d: Bad yes/no/ask argument.", filename, linenum);
-+		if (*activep && *intptr == -1)
-+			*intptr = value;
-+		break;
-+
-+	case oCompression:
-+		intptr = &options->compression;
-+		goto parse_flag;
-+
-+	case oTCPKeepAlive:
-+		intptr = &options->tcp_keep_alive;
-+		goto parse_flag;
-+
-+	case oNoHostAuthenticationForLocalhost:
-+		intptr = &options->no_host_authentication_for_localhost;
-+		goto parse_flag;
-+
-+	case oNumberOfPasswordPrompts:
-+		intptr = &options->number_of_password_prompts;
-+		goto parse_int;
-+
-+	case oCompressionLevel:
-+		intptr = &options->compression_level;
-+		goto parse_int;
-+
-+	case oRekeyLimit:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		if (arg[0] < '0' || arg[0] > '9')
-+			fatal("%.200s line %d: Bad number.", filename, linenum);
-+		orig = val64 = strtoll(arg, &endofnumber, 10);
-+		if (arg == endofnumber)
-+			fatal("%.200s line %d: Bad number.", filename, linenum);
-+		switch (toupper(*endofnumber)) {
-+		case '\0':
-+			scale = 1;
-+			break;
-+		case 'K':
-+			scale = 1<<10;
-+			break;
-+		case 'M':
-+			scale = 1<<20;
-+			break;
-+		case 'G':
-+			scale = 1<<30;
-+			break;
-+		default:
-+			fatal("%.200s line %d: Invalid RekeyLimit suffix",
-+			    filename, linenum);
-+		}
-+		val64 *= scale;
-+		/* detect integer wrap and too-large limits */
-+		if ((val64 / scale) != orig || val64 > UINT_MAX)
-+			fatal("%.200s line %d: RekeyLimit too large",
-+			    filename, linenum);
-+		if (val64 < 16)
-+			fatal("%.200s line %d: RekeyLimit too small",
-+			    filename, linenum);
-+		if (*activep && options->rekey_limit == -1)
-+			options->rekey_limit = (u_int32_t)val64;
-+		break;
-+
-+	case oIdentityFile:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		if (*activep) {
-+			intptr = &options->num_identity_files;
-+			if (*intptr >= SSH_MAX_IDENTITY_FILES)
-+				fatal("%.200s line %d: Too many identity files specified (max %d).",
-+				    filename, linenum, SSH_MAX_IDENTITY_FILES);
-+			charptr = &options->identity_files[*intptr];
-+			*charptr = xstrdup(arg);
-+			*intptr = *intptr + 1;
-+		}
-+		break;
-+
-+	case oXAuthLocation:
-+		charptr=&options->xauth_location;
-+		goto parse_string;
-+
-+	case oUser:
-+		charptr = &options->user;
-+parse_string:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		if (*activep && *charptr == NULL)
-+			*charptr = xstrdup(arg);
-+		break;
-+
-+	case oGlobalKnownHostsFile:
-+		charptr = &options->system_hostfile;
-+		goto parse_string;
-+
-+	case oUserKnownHostsFile:
-+		charptr = &options->user_hostfile;
-+		goto parse_string;
-+
-+	case oGlobalKnownHostsFile2:
-+		charptr = &options->system_hostfile2;
-+		goto parse_string;
-+
-+	case oUserKnownHostsFile2:
-+		charptr = &options->user_hostfile2;
-+		goto parse_string;
-+
-+	case oHostName:
-+		charptr = &options->hostname;
-+		goto parse_string;
-+
-+	case oHostKeyAlias:
-+		charptr = &options->host_key_alias;
-+		goto parse_string;
-+
-+	case oPreferredAuthentications:
-+		charptr = &options->preferred_authentications;
-+		goto parse_string;
-+
-+	case oBindAddress:
-+		charptr = &options->bind_address;
-+		goto parse_string;
-+
-+	case oSmartcardDevice:
-+		charptr = &options->smartcard_device;
-+		goto parse_string;
-+
-+	case oProxyCommand:
-+		charptr = &options->proxy_command;
-+parse_command:
-+		if (s == NULL)
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		len = strspn(s, WHITESPACE "=");
-+		if (*activep && *charptr == NULL)
-+			*charptr = xstrdup(s + len);
-+		return 0;
-+
-+	case oPort:
-+		intptr = &options->port;
-+parse_int:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		if (arg[0] < '0' || arg[0] > '9')
-+			fatal("%.200s line %d: Bad number.", filename, linenum);
-+
-+		/* Octal, decimal, or hex format? */
-+		value = strtol(arg, &endofnumber, 0);
-+		if (arg == endofnumber)
-+			fatal("%.200s line %d: Bad number.", filename, linenum);
-+		if (*activep && *intptr == -1)
-+			*intptr = value;
-+		break;
-+
-+	case oConnectionAttempts:
-+		intptr = &options->connection_attempts;
-+		goto parse_int;
-+
-+	case oCipher:
-+		intptr = &options->cipher;
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		value = cipher_number(arg);
-+		if (value == -1)
-+			fatal("%.200s line %d: Bad cipher '%s'.",
-+			    filename, linenum, arg ? arg : "<NONE>");
-+		if (*activep && *intptr == -1)
-+			*intptr = value;
-+		break;
-+
-+	case oCiphers:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		if (!ciphers_valid(arg))
-+			fatal("%.200s line %d: Bad SSH2 cipher spec '%s'.",
-+			    filename, linenum, arg ? arg : "<NONE>");
-+		if (*activep && options->ciphers == NULL)
-+			options->ciphers = xstrdup(arg);
-+		break;
-+
-+	case oMacs:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		if (!mac_valid(arg))
-+			fatal("%.200s line %d: Bad SSH2 Mac spec '%s'.",
-+			    filename, linenum, arg ? arg : "<NONE>");
-+		if (*activep && options->macs == NULL)
-+			options->macs = xstrdup(arg);
-+		break;
-+
-+	case oHostKeyAlgorithms:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		if (!key_names_valid2(arg))
-+			fatal("%.200s line %d: Bad protocol 2 host key algorithms '%s'.",
-+			    filename, linenum, arg ? arg : "<NONE>");
-+		if (*activep && options->hostkeyalgorithms == NULL)
-+			options->hostkeyalgorithms = xstrdup(arg);
-+		break;
-+
-+	case oProtocol:
-+		intptr = &options->protocol;
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		value = proto_spec(arg);
-+		if (value == SSH_PROTO_UNKNOWN)
-+			fatal("%.200s line %d: Bad protocol spec '%s'.",
-+			    filename, linenum, arg ? arg : "<NONE>");
-+		if (*activep && *intptr == SSH_PROTO_UNKNOWN)
-+			*intptr = value;
-+		break;
-+
-+	case oLogLevel:
-+		log_level_ptr = &options->log_level;
-+		arg = strdelim(&s);
-+		value = log_level_number(arg);
-+		if (value == SYSLOG_LEVEL_NOT_SET)
-+			fatal("%.200s line %d: unsupported log level '%s'",
-+			    filename, linenum, arg ? arg : "<NONE>");
-+		if (*activep && *log_level_ptr == SYSLOG_LEVEL_NOT_SET)
-+			*log_level_ptr = (LogLevel) value;
-+		break;
-+
-+	case oLocalForward:
-+	case oRemoteForward:
-+	case oDynamicForward:
-+		arg = strdelim(&s);
-+		if (arg == NULL || *arg == '\0')
-+			fatal("%.200s line %d: Missing port argument.",
-+			    filename, linenum);
-+
-+		if (opcode == oLocalForward ||
-+		    opcode == oRemoteForward) {
-+			arg2 = strdelim(&s);
-+			if (arg2 == NULL || *arg2 == '\0')
-+				fatal("%.200s line %d: Missing target argument.",
-+				    filename, linenum);
-+
-+			/* construct a string for parse_forward */
-+			snprintf(fwdarg, sizeof(fwdarg), "%s:%s", arg, arg2);
-+		} else if (opcode == oDynamicForward) {
-+			strlcpy(fwdarg, arg, sizeof(fwdarg));
-+		}
-+
-+		if (parse_forward(&fwd, fwdarg,
-+		    opcode == oDynamicForward ? 1 : 0,
-+		    opcode == oRemoteForward ? 1 : 0) == 0)
-+			fatal("%.200s line %d: Bad forwarding specification.",
-+			    filename, linenum);
-+
-+		if (*activep) {
-+			if (opcode == oLocalForward ||
-+			    opcode == oDynamicForward)
-+				add_local_forward(options, &fwd);
-+			else if (opcode == oRemoteForward)
-+				add_remote_forward(options, &fwd);
-+		}
-+		break;
-+
-+	case oClearAllForwardings:
-+		intptr = &options->clear_forwardings;
-+		goto parse_flag;
-+
-+	case oHost:
-+		*activep = 0;
-+		while ((arg = strdelim(&s)) != NULL && *arg != '\0')
-+			if (match_pattern(host, arg)) {
-+				debug("Applying options for %.100s", arg);
-+				*activep = 1;
-+				break;
-+			}
-+		/* Avoid garbage check below, as strdelim is done. */
-+		return 0;
-+
-+	case oEscapeChar:
-+		intptr = &options->escape_char;
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		if (arg[0] == '^' && arg[2] == 0 &&
-+		    (u_char) arg[1] >= 64 && (u_char) arg[1] < 128)
-+			value = (u_char) arg[1] & 31;
-+		else if (strlen(arg) == 1)
-+			value = (u_char) arg[0];
-+		else if (strcmp(arg, "none") == 0)
-+			value = SSH_ESCAPECHAR_NONE;
-+		else {
-+			fatal("%.200s line %d: Bad escape character.",
-+			    filename, linenum);
-+			/* NOTREACHED */
-+			value = 0;	/* Avoid compiler warning. */
-+		}
-+		if (*activep && *intptr == -1)
-+			*intptr = value;
-+		break;
-+
-+	case oAddressFamily:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%s line %d: missing address family.",
-+			    filename, linenum);
-+		intptr = &options->address_family;
-+		if (strcasecmp(arg, "inet") == 0)
-+			value = AF_INET;
-+		else if (strcasecmp(arg, "inet6") == 0)
-+			value = AF_INET6;
-+		else if (strcasecmp(arg, "any") == 0)
-+			value = AF_UNSPEC;
-+		else
-+			fatal("Unsupported AddressFamily \"%s\"", arg);
-+		if (*activep && *intptr == -1)
-+			*intptr = value;
-+		break;
-+
-+	case oEnableSSHKeysign:
-+		intptr = &options->enable_ssh_keysign;
-+		goto parse_flag;
-+
-+	case oIdentitiesOnly:
-+		intptr = &options->identities_only;
-+		goto parse_flag;
-+
-+	case oServerAliveInterval:
-+		intptr = &options->server_alive_interval;
-+		goto parse_time;
-+
-+	case oServerAliveCountMax:
-+		intptr = &options->server_alive_count_max;
-+		goto parse_int;
-+
-+	case oSendEnv:
-+		while ((arg = strdelim(&s)) != NULL && *arg != '\0') {
-+			if (strchr(arg, '=') != NULL)
-+				fatal("%s line %d: Invalid environment name.",
-+				    filename, linenum);
-+			if (!*activep)
-+				continue;
-+			if (options->num_send_env >= MAX_SEND_ENV)
-+				fatal("%s line %d: too many send env.",
-+				    filename, linenum);
-+			options->send_env[options->num_send_env++] =
-+			    xstrdup(arg);
-+		}
-+		break;
-+
-+	case oControlPath:
-+		charptr = &options->control_path;
-+		goto parse_string;
-+
-+	case oControlMaster:
-+		intptr = &options->control_master;
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing ControlMaster argument.",
-+			    filename, linenum);
-+		value = 0;	/* To avoid compiler warning... */
-+		if (strcmp(arg, "yes") == 0 || strcmp(arg, "true") == 0)
-+			value = SSHCTL_MASTER_YES;
-+		else if (strcmp(arg, "no") == 0 || strcmp(arg, "false") == 0)
-+			value = SSHCTL_MASTER_NO;
-+		else if (strcmp(arg, "auto") == 0)
-+			value = SSHCTL_MASTER_AUTO;
-+		else if (strcmp(arg, "ask") == 0)
-+			value = SSHCTL_MASTER_ASK;
-+		else if (strcmp(arg, "autoask") == 0)
-+			value = SSHCTL_MASTER_AUTO_ASK;
-+		else
-+			fatal("%.200s line %d: Bad ControlMaster argument.",
-+			    filename, linenum);
-+		if (*activep && *intptr == -1)
-+			*intptr = value;
-+		break;
-+
-+	case oHashKnownHosts:
-+		intptr = &options->hash_known_hosts;
-+		goto parse_flag;
-+
-+	case oTunnel:
-+		intptr = &options->tun_open;
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%s line %d: Missing yes/point-to-point/"
-+			    "ethernet/no argument.", filename, linenum);
-+		value = 0;	/* silence compiler */
-+		if (strcasecmp(arg, "ethernet") == 0)
-+			value = SSH_TUNMODE_ETHERNET;
-+		else if (strcasecmp(arg, "point-to-point") == 0)
-+			value = SSH_TUNMODE_POINTOPOINT;
-+		else if (strcasecmp(arg, "yes") == 0)
-+			value = SSH_TUNMODE_DEFAULT;
-+		else if (strcasecmp(arg, "no") == 0)
-+			value = SSH_TUNMODE_NO;
-+		else
-+			fatal("%s line %d: Bad yes/point-to-point/ethernet/"
-+			    "no argument: %s", filename, linenum, arg);
-+		if (*activep)
-+			*intptr = value;
-+		break;
-+
-+	case oTunnelDevice:
-+		arg = strdelim(&s);
-+		if (!arg || *arg == '\0')
-+			fatal("%.200s line %d: Missing argument.", filename, linenum);
-+		value = a2tun(arg, &value2);
-+		if (value == SSH_TUNID_ERR)
-+			fatal("%.200s line %d: Bad tun device.", filename, linenum);
-+		if (*activep) {
-+			options->tun_local = value;
-+			options->tun_remote = value2;
-+		}
-+		break;
-+
-+	case oLocalCommand:
-+		charptr = &options->local_command;
-+		goto parse_command;
-+
-+	case oPermitLocalCommand:
-+		intptr = &options->permit_local_command;
-+		goto parse_flag;
-+
-+	case oVisualHostKey:
-+		intptr = &options->visual_host_key;
-+		goto parse_flag;
-+
-+	case oDeprecated:
-+		debug("%s line %d: Deprecated option \"%s\"",
-+		    filename, linenum, keyword);
-+		return 0;
-+
-+	case oUnsupported:
-+		error("%s line %d: Unsupported option \"%s\"",
-+		    filename, linenum, keyword);
-+		return 0;
-+
-+	default:
-+		fatal("process_config_line: Unimplemented opcode %d", opcode);
-+	}
-+
-+	/* Check that there is no garbage at end of line. */
-+	if ((arg = strdelim(&s)) != NULL && *arg != '\0') {
-+		fatal("%.200s line %d: garbage at end of line; \"%.200s\".",
-+		    filename, linenum, arg);
-+	}
-+	return 0;
-+}
-+
-+
-+/*
-+ * Reads the config file and modifies the options accordingly.  Options
-+ * should already be initialized before this call.  This never returns if
-+ * there is an error.  If the file does not exist, this returns 0.
-+ */
-+
-+int
-+read_config_file(const char *filename, const char *host, Options *options,
-+    int checkperm)
-+{
-+	FILE *f;
-+	char line[1024];
-+	int active, linenum;
-+	int bad_options = 0;
-+
-+	if ((f = fopen(filename, "r")) == NULL)
-+		return 0;
-+
-+	if (checkperm) {
-+		struct stat sb;
-+
-+		if (fstat(fileno(f), &sb) == -1)
-+			fatal("fstat %s: %s", filename, strerror(errno));
-+		if (((sb.st_uid != 0 && sb.st_uid != getuid()) ||
-+		    (sb.st_mode & 022) != 0))
-+			fatal("Bad owner or permissions on %s", filename);
-+	}
-+
-+	debug("Reading configuration data %.200s", filename);
-+
-+	/*
-+	 * Mark that we are now processing the options.  This flag is turned
-+	 * on/off by Host specifications.
-+	 */
-+	active = 1;
-+	linenum = 0;
-+	while (fgets(line, sizeof(line), f)) {
-+		/* Update line number counter. */
-+		linenum++;
-+		if (process_config_line(options, host, line, filename, linenum, &active) != 0)
-+			bad_options++;
-+	}
-+	fclose(f);
-+	if (bad_options > 0)
-+		fatal("%s: terminating, %d bad configuration options",
-+		    filename, bad_options);
-+	return 1;
-+}
-+
-+/*
-+ * Initializes options to special values that indicate that they have not yet
-+ * been set.  Read_config_file will only set options with this value. Options
-+ * are processed in the following order: command line, user config file,
-+ * system config file.  Last, fill_default_options is called.
-+ */
-+
-+void
-+initialize_options(Options * options)
-+{
-+	memset(options, 'X', sizeof(*options));
-+	options->forward_agent = -1;
-+	options->forward_x11 = -1;
-+	options->forward_x11_trusted = -1;
-+	options->exit_on_forward_failure = -1;
-+	options->xauth_location = NULL;
-+	options->gateway_ports = -1;
-+	options->use_privileged_port = -1;
-+	options->rsa_authentication = -1;
-+	options->pubkey_authentication = -1;
-+	options->challenge_response_authentication = -1;
-+	options->gss_authentication = -1;
-+	options->gss_deleg_creds = -1;
-+	options->password_authentication = -1;
-+	options->kbd_interactive_authentication = -1;
-+	options->kbd_interactive_devices = NULL;
-+	options->rhosts_rsa_authentication = -1;
-+	options->hostbased_authentication = -1;
-+	options->batch_mode = -1;
-+	options->check_host_ip = -1;
-+	options->strict_host_key_checking = -1;
-+	options->compression = -1;
-+	options->tcp_keep_alive = -1;
-+	options->compression_level = -1;
-+	options->port = -1;
-+	options->address_family = -1;
-+	options->connection_attempts = -1;
-+	options->connection_timeout = -1;
-+	options->number_of_password_prompts = -1;
-+	options->cipher = -1;
-+	options->ciphers = NULL;
-+	options->macs = NULL;
-+	options->hostkeyalgorithms = NULL;
-+	options->protocol = SSH_PROTO_UNKNOWN;
-+	options->num_identity_files = 0;
-+	options->hostname = NULL;
-+	options->host_key_alias = NULL;
-+	options->proxy_command = NULL;
-+	options->user = NULL;
-+	options->escape_char = -1;
-+	options->system_hostfile = NULL;
-+	options->user_hostfile = NULL;
-+	options->system_hostfile2 = NULL;
-+	options->user_hostfile2 = NULL;
-+	options->num_local_forwards = 0;
-+	options->num_remote_forwards = 0;
-+	options->clear_forwardings = -1;
-+	options->log_level = SYSLOG_LEVEL_NOT_SET;
-+	options->preferred_authentications = NULL;
-+	options->bind_address = NULL;
-+	options->smartcard_device = NULL;
-+	options->enable_ssh_keysign = - 1;
-+	options->no_host_authentication_for_localhost = - 1;
-+	options->identities_only = - 1;
-+	options->rekey_limit = - 1;
-+	options->verify_host_key_dns = -1;
-+	options->server_alive_interval = -1;
-+	options->server_alive_count_max = -1;
-+	options->num_send_env = 0;
-+	options->control_path = NULL;
-+	options->control_master = -1;
-+	options->hash_known_hosts = -1;
-+	options->tun_open = -1;
-+	options->tun_local = -1;
-+	options->tun_remote = -1;
-+	options->local_command = NULL;
-+	options->permit_local_command = -1;
-+	options->visual_host_key = -1;
-+	options->zero_knowledge_password_authentication = -1;
-+}
-+
-+/*
-+ * Called after processing other sources of option data, this fills those
-+ * options for which no value has been specified with their default values.
-+ */
-+
-+void
-+fill_default_options(Options * options)
-+{
-+	int len;
-+
-+	if (options->forward_agent == -1)
-+		options->forward_agent = 0;
-+	if (options->forward_x11 == -1)
-+		options->forward_x11 = 0;
-+	if (options->forward_x11_trusted == -1)
-+		options->forward_x11_trusted = 0;
-+	if (options->exit_on_forward_failure == -1)
-+		options->exit_on_forward_failure = 0;
-+	if (options->xauth_location == NULL)
-+		options->xauth_location = _PATH_XAUTH;
-+	if (options->gateway_ports == -1)
-+		options->gateway_ports = 0;
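Review bot: every line in this stretch, from the end of process_config_line through read_config_file, initialize_options and the start of fill_default_options, carries a `-+` prefix, so what is being deleted is the text of a stored patch file, not client source. The commit message ("Minimal package with ssh clients that still support DSA.") does not mention dropping that patch. Suggest adding a sentence to the message naming the removed patch and why the legacy client package no longer needs it, and confirming that openssh-legacy.spec has no remaining Patch entry or %patch line referring to the deleted file, since a leftover reference would break the build.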
<Skipped 1467 lines>
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/openssh-legacy.git/commitdiff/98701b806e5858aca04666589d6214753e68acd1



