
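--- a/openssh-5.3p1/auth2-pubkey.c.pka
+++ b/openssh-5.3p1/auth2-pubkey.c.pka
@@ -184,26 +184,14 @@ done:
 
 /* return 1 if user allows given key */
 static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
 {
 	char line[SSH_MAX_PUBKEY_BYTES];
 	int found_key = 0;
-	FILE *f;
 	u_long linenum = 0;
 	Key *found;
 	char *fp;
 
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	debug("trying public key file %s", file);
-	f = auth_openkeyfile(file, pw, options.strict_modes);
-
-	if (!f) {
-		restore_uid();
-		return 0;
-	}
-
 	found_key = 0;
 	found = key_new(key->type);
 
@@ -248,21 +236,160 @@ user_key_allowed2(struct passwd *pw, Key
 			break;
 		}
 	}
-	restore_uid();
-	fclose(f);
 	key_free(found);
 	if (!found_key)
 		debug2("key not found");
 	return found_key;
 }
 
-/* check whether given key is in .ssh/authorized_keys* */
+
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{
+	FILE *f;
+	int found_key = 0;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw);
+
+	debug("trying public key file %s", file);
+	f = auth_openkeyfile(file, pw, options.strict_modes);
+
+ 	if (f) {
+ 		found_key = user_search_key_in_file (f, file, key, pw);
+		fclose(f);
+	}
+
+	restore_uid();
+	return found_key;
+}
+
+#ifdef WITH_PUBKEY_AGENT
+
+#define WHITESPACE " \t\r\n"
+
+/* return 1 if user allows given key */
+static int
+user_key_via_agent_allowed2(struct passwd *pw, Key *key)
+{
+	FILE *f;
+	int found_key = 0;
+	char *pubkey_agent_string = NULL;
+	char *tmp_pubkey_agent_string = NULL;
+	char *progname;
+	char *cp;
+	struct passwd *runas_pw;
+	struct stat st;
+
+	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
+		return -1;
+
+	/* get the run as identity from config */
+	runas_pw = (options.pubkey_agent_runas == NULL)? pw
+	    : getpwnam (options.pubkey_agent_runas);
+	if (!runas_pw) {
+		error("%s: getpwnam(\"%s\"): %s", __func__,
+		    options.pubkey_agent_runas, strerror(errno));
+		return 0;
+	}
+
+	/* Temporarily use the specified uid. */
+	if (runas_pw->pw_uid != 0)
+		temporarily_use_uid(runas_pw);
+
+	pubkey_agent_string = percent_expand(options.pubkey_agent,
+	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
+
+	/* Test whether agent can be modified by non root user */
+	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
+	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
+
+	debug3("%s: checking program '%s'", __func__, progname);
+
+	if (stat (progname, &st) < 0) {
+		error("%s: stat(\"%s\"): %s", __func__,
+		    progname, strerror(errno));
+		goto go_away;
+	}
+
+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+		error("bad ownership or modes for pubkey agent \"%s\"",
+		    progname);
+		goto go_away;
+	}
+
+	if (!S_ISREG(st.st_mode)) {
+		error("pubkey agent \"%s\" is not a regular file",
+		    progname);
+		goto go_away;
+	}
+
+	/*
+	 * Descend the path, checking that each component is a
+	 * root-owned directory with strict permissions.
+	 */
+	do {
+		if ((cp = strrchr(progname, '/')) == NULL)
+			break;
+		else 
+			*cp = '\0';
+	
+		debug3("%s: checking component '%s'", __func__, progname);
+
+		if (stat(progname, &st) != 0) {
+			error("%s: stat(\"%s\"): %s", __func__,
+			    progname, strerror(errno));
+			goto go_away;
+		}
+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+			error("bad ownership or modes for pubkey agent path component \"%s\"",
+			    progname);
+			goto go_away;
+		}
+		if (!S_ISDIR(st.st_mode)) {
+			error("pubkey agent path component \"%s\" is not a directory",
+			    progname);
+			goto go_away;
+		}
+	} while (0);
+
+	/* open the pipe and read the keys */
+	f = popen (pubkey_agent_string, "r");
+	if (!f) {
+		error("%s: popen (\"%s\", \"r\"): %s", __func__,
+		    pubkey_agent_string, strerror (errno));
+		goto go_away;
+	}
+
+	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
+	pclose (f);
+
+go_away:
+	if (tmp_pubkey_agent_string)
+		xfree (tmp_pubkey_agent_string);
+	if (pubkey_agent_string)
+		xfree (pubkey_agent_string);
+
+	if (runas_pw->pw_uid != 0)
+		restore_uid();
+	return found_key;
+}
+#endif
+
+/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
 int
 user_key_allowed(struct passwd *pw, Key *key)
 {
 	int success;
 	char *file;
 
+#ifdef WITH_PUBKEY_AGENT
+	success = user_key_via_agent_allowed2(pw, key);
+	if (success >= 0)
+		return success;
+#endif
+
 	file = authorized_keys_file(pw);
 	success = user_key_allowed2(pw, key, file);
 	xfree(file);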
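Review bot: In `user_key_via_agent_allowed2()` the loop commented as descending the path is written `do { … } while (0);`, so it runs once and only the agent's immediate parent directory is checked for root ownership and mode bits. A group- or world-writable directory higher up the path would pass, which undercuts the stated goal that a non-root user cannot replace the program; the loop should keep stripping components until `/` itself has been checked, as sketched below. Separately, the expanded command (with `%u` and `%h` taken from the passwd entry) is handed to `popen()`, which runs it through the shell, and the uid switch is `temporarily_use_uid()`, which by its name is reversible, so the agent may not run with privileges dropped for good. A fork with a permanent uid change followed by an exec with an explicit argv would avoid both, and the `pclose()` status should be checked before the agent's output is trusted.

```c
	/* Walk up to "/", checking every ancestor directory. */
	for (;;) {
		if ((cp = strrchr(progname, '/')) == NULL)
			break;
		/* keep the leading slash so the root directory is checked too */
		if (cp == progname)
			cp[1] = '\0';
		else
			*cp = '\0';

		debug3("%s: checking component '%s'", __func__, progname);
		/* … unchanged: stat(), ownership/mode and S_ISDIR checks … */

		if (cp == progname)
			break;
	}
```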
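--- a/openssh-5.3p1/configure.ac.pka
+++ b/openssh-5.3p1/configure.ac.pka
@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit,
 	esac ]
 )
 
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+AC_ARG_WITH(pka,
+	[  --with-pka      Enable pubkey agent support],
+	[
+		if test "x$withval" != "xno" ; then
+			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
+			PKA_MSG="yes"
+		fi
+	]
+)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
@@ -4264,6 +4276,7 @@ echo " Linux audit support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
+echo "                       PKA support: $PKA_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"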
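--- a/openssh-5.3p1/configure.pka
+++ b/openssh-5.3p1/configure.pka
@@ -769,6 +769,7 @@ with_skey
 with_tcp_wrappers
 with_libedit
 with_audit
+with_pka
 with_ssl_dir
 with_openssl_header_check
 with_ssl_engine
@@ -1473,6 +1474,7 @@ Optional Packages:
   --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
   --with-libedit[=PATH]   Enable libedit support for sftp
   --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)
+  --with-pka      Enable pubkey agent support
   --with-ssl-dir=PATH     Specify path to OpenSSL installation
   --without-openssl-header-check Disable OpenSSL version consistency check
   --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m
 fi
 
 
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+
+# Check whether --with-pka was given.
+if test "${with_pka+set}" = set; then
+  withval=$with_pka;
+		if test "x$withval" != "xno" ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define WITH_PUBKEY_AGENT 1
+_ACEOF
+
+			PKA_MSG="yes"
+		fi
+
+
+fi
+
+
 
 
 
@@ -32772,6 +32793,7 @@ echo " Linux audit support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
+echo "                       PKA support: $PKA_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"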
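--- a/openssh-5.3p1/servconf.c.pka
+++ b/openssh-5.3p1/servconf.c.pka
@@ -128,6 +128,8 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
+	options->pubkey_agent = NULL;
+	options->pubkey_agent_runas = NULL;
 	options->zero_knowledge_password_authentication = -1;
 }
 
@@ -310,6 +312,7 @@ typedef enum {
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication,
+	sPubkeyAgent, sPubkeyAgentRunAs,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -429,6 +432,13 @@ static struct {
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+#ifdef WITH_PUBKEY_AGENT
+	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
+#else
+	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
+#endif
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1303,6 +1313,16 @@ process_server_config_line(ServerOptions
 			*charptr = xstrdup(arg);
 		break;
 
+	case sPubkeyAgent:
+		len = strspn(cp, WHITESPACE);
+		if (*activep && options->pubkey_agent == NULL)
+			options->pubkey_agent = xstrdup(cp + len);
+		return 0;
+
+	case sPubkeyAgentRunAs:
+		charptr = &options->pubkey_agent_runas;
+		break;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -1396,6 +1416,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_STROPT(pubkey_agent);
+	M_CP_STROPT(pubkey_agent_runas);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
@@ -1636,6 +1658,10 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
 	dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
+#ifdef WITH_PUBKEY_AGENT
+	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
+	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
+#endif
 
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));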
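Review bot: The `sPubkeyAgent` case stores the rest of the line with `xstrdup(cp + len)` and returns without validating it. Judging by the `options.pubkey_agent[0] != '/'` test in auth2-pubkey.c, a value that is not an absolute path is later treated as "no agent" and authentication falls back to authorized_keys with no log message, so a typo in sshd_config silently changes which key source is trusted. Rejecting such a value at parse time would make the misconfiguration visible, e.g. (after trimming trailing whitespace) `if (cp[len] != '/' && strcmp(cp + len, "none") != 0) fatal("%s line %d: PubkeyAgent must be an absolute path or none", filename, linenum);`. `sPubkeyAgentRunAs` likewise accepts any string, so an unknown account is only discovered by `getpwnam()` at authentication time, where it denies every public-key login. process_server_config_line's body continues outside the hunk.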
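--- a/openssh-5.3p1/servconf.h.pka
+++ b/openssh-5.3p1/servconf.h.pka
@@ -152,6 +152,8 @@ typedef struct {
 	int	num_permitted_opens;
 
 	char   *chroot_directory;
+	char   *pubkey_agent;
+	char   *pubkey_agent_runas;
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);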
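--- a/openssh-5.3p1/sshd_config.0.pka
+++ b/openssh-5.3p1/sshd_config.0.pka
@@ -344,10 +344,11 @@ DESCRIPTION
              AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
              GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
              KbdInteractiveAuthentication, KerberosAuthentication,
-             MaxAuthTries, MaxSessions, PasswordAuthentication,
+             MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent,
-             PermitEmptyPasswords, PermitOpen, PermitRootLogin,
+             PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords,
-             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
+             PermitOpen, PermitRootLogin, RhostsRSAAuthentication,
-             X11Forwarding and X11UseLocalHost.
+             RSAAuthentication, X11DisplayOffset, X11Forwarding and
+             X11UseLocalHost.
 
      MaxAuthTries
              Specifies the maximum number of authentication attempts permitted
@@ -455,6 +456,17 @@ DESCRIPTION
              fault is ``yes''.  Note that this option applies to protocol ver-
              sion 2 only.
 
+     PubkeyAgent
+             Specifies which agent is used for lookup of the user's public
+             keys. Empty string means to use the authorized_keys file.  By
+             default there is no PubkeyAgent set.  Note that this option has
+             an effect only with PubkeyAuthentication switched on.
+
+     PubkeyAgentRunAs
+             Specifies the user under whose account the PubkeyAgent is run.
+             Empty string (the default value) means the user being authorized
+             is used.
+
      RhostsRSAAuthentication
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
              gether with successful RSA host authentication is allowed.  The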
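--- a/openssh-5.3p1/sshd_config.5.pka
+++ b/openssh-5.3p1/sshd_config.5.pka
@@ -610,6 +610,9 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
+.Cm PubkeyAgent ,
+.Cm PubkeyAgentRunAs ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
@@ -805,6 +808,16 @@ Specifies whether public key authenticat
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm PubkeyAgent
+Specifies which agent is used for lookup of the user's public
+keys. Empty string means to use the authorized_keys file.
+By default there is no PubkeyAgent set.
+Note that this option has an effect only with PubkeyAuthentication
+switched on.
+.It Cm PubkeyAgentRunAs
+Specifies the user under whose account the PubkeyAgent is run. Empty
+string (the default value) means the user being authorized is used.
+.Dq 
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.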
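--- a/openssh-5.3p1/sshd_config.pka
+++ b/openssh-5.3p1/sshd_config.pka
@@ -47,6 +47,8 @@ SyslogFacility AUTHPRIV
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no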
