
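--- a/openssh-5.3p1/auth2-pubkey.c.pka
+++ b/openssh-5.3p1/auth2-pubkey.c.pka
@@ -175,26 +175,14 @@ done:
 
 /* return 1 if user allows given key */
 static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
+user_search_key_in_file(FILE *f, char *file, Key* key, struct passwd *pw)
 {
 	char line[SSH_MAX_PUBKEY_BYTES];
 	int found_key = 0;
-	FILE *f;
 	u_long linenum = 0;
 	Key *found;
 	char *fp;
 
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	debug("trying public key file %s", file);
-	f = auth_openkeyfile(file, pw, options.strict_modes);
-
-	if (!f) {
-		restore_uid();
-		return 0;
-	}
-
 	found_key = 0;
 	found = key_new(key->type);
 
@@ -239,21 +227,160 @@ user_key_allowed2(struct passwd *pw, Key
 			break;
 		}
 	}
-	restore_uid();
-	fclose(f);
 	key_free(found);
 	if (!found_key)
 		debug2("key not found");
 	return found_key;
 }
 
-/* check whether given key is in .ssh/authorized_keys* */
+
+/* return 1 if user allows given key */
+static int
+user_key_allowed2(struct passwd *pw, Key *key, char *file)
+{
+	FILE *f;
+	int found_key = 0;
+
+	/* Temporarily use the user's uid. */
+	temporarily_use_uid(pw);
+
+	debug("trying public key file %s", file);
+	f = auth_openkeyfile(file, pw, options.strict_modes);
+
+ 	if (f) {
+ 		found_key = user_search_key_in_file (f, file, key, pw);
+		fclose(f);
+	}
+
+	restore_uid();
+	return found_key;
+}
+
+#ifdef WITH_PUBKEY_AGENT
+
+#define WHITESPACE " \t\r\n"
+
+/* return 1 if user allows given key */
+static int
+user_key_via_agent_allowed2(struct passwd *pw, Key *key)
+{
+	FILE *f;
+	int found_key = 0;
+	char *pubkey_agent_string = NULL;
+	char *tmp_pubkey_agent_string = NULL;
+	char *progname;
+	char *cp;
+	struct passwd *runas_pw;
+	struct stat st;
+
+	if (options.pubkey_agent == NULL || options.pubkey_agent[0] != '/')
+		return -1;
+
+	/* get the run as identity from config */
+	runas_pw = (options.pubkey_agent_runas == NULL)? pw
+	    : getpwnam (options.pubkey_agent_runas);
+	if (!runas_pw) {
+		error("%s: getpwnam(\"%s\"): %s", __func__,
+		    options.pubkey_agent_runas, strerror(errno));
+		return 0;
+	}
+
+	/* Temporarily use the specified uid. */
+	if (runas_pw->pw_uid != 0)
+		temporarily_use_uid(runas_pw);
+
+	pubkey_agent_string = percent_expand(options.pubkey_agent,
+	    "h", pw->pw_dir, "u", pw->pw_name, (char *)NULL);
+
+	/* Test whether agent can be modified by non root user */
+	tmp_pubkey_agent_string = xstrdup (pubkey_agent_string);
+	progname = strtok (tmp_pubkey_agent_string, WHITESPACE);
+
+	debug3("%s: checking program '%s'", __func__, progname);
+
+	if (stat (progname, &st) < 0) {
+		error("%s: stat(\"%s\"): %s", __func__,
+		    progname, strerror(errno));
+		goto go_away;
+	}
+
+	if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+		error("bad ownership or modes for pubkey agent \"%s\"",
+		    progname);
+		goto go_away;
+	}
+
+	if (!S_ISREG(st.st_mode)) {
+		error("pubkey agent \"%s\" is not a regular file",
+		    progname);
+		goto go_away;
+	}
+
+	/*
+	 * Descend the path, checking that each component is a
+	 * root-owned directory with strict permissions.
+	 */
+	do {
+		if ((cp = strrchr(progname, '/')) == NULL)
+			break;
+		else 
+			*cp = '\0';
+	
+		debug3("%s: checking component '%s'", __func__, progname);
+
+		if (stat(progname, &st) != 0) {
+			error("%s: stat(\"%s\"): %s", __func__,
+			    progname, strerror(errno));
+			goto go_away;
+		}
+		if (st.st_uid != 0 || (st.st_mode & 022) != 0) {
+			error("bad ownership or modes for pubkey agent path component \"%s\"",
+			    progname);
+			goto go_away;
+		}
+		if (!S_ISDIR(st.st_mode)) {
+			error("pubkey agent path component \"%s\" is not a directory",
+			    progname);
+			goto go_away;
+		}
+	} while (0);
+
+	/* open the pipe and read the keys */
+	f = popen (pubkey_agent_string, "r");
+	if (!f) {
+		error("%s: popen (\"%s\", \"r\"): %s", __func__,
+		    pubkey_agent_string, strerror (errno));
+		goto go_away;
+	}
+
+	found_key = user_search_key_in_file (f, options.pubkey_agent, key, pw);
+	pclose (f);
+
+go_away:
+	if (tmp_pubkey_agent_string)
+		xfree (tmp_pubkey_agent_string);
+	if (pubkey_agent_string)
+		xfree (pubkey_agent_string);
+
+	if (runas_pw->pw_uid != 0)
+		restore_uid();
+	return found_key;
+}
+#endif
+
+/* check whether given key is in <pkey_agent or .ssh/authorized_keys* */
 int
 user_key_allowed(struct passwd *pw, Key *key)
 {
 	int success;
 	char *file;
 
+#ifdef WITH_PUBKEY_AGENT
+	success = user_key_via_agent_allowed2(pw, key);
+	if (success >= 0)
+		return success;
+#endif
+
 	file = authorized_keys_file(pw);
 	success = user_key_allowed2(pw, key, file);
 	xfree(file);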
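Review bot: The `do { … } while (0);` in `user_key_via_agent_allowed2` runs once, so despite the comment about descending the path only the agent's immediate parent directory is checked for root ownership and group/other write bits; a writable ancestor further up would still let the verified path be replaced before it is run. The loop should walk every component up to `/`, as in the sketch below. The `popen()` call is the second concern: it passes `pubkey_agent_string`, with `%u` and `%h` already expanded, to the shell, and it runs while `temporarily_use_uid()` is in effect, which as far as I can tell switches only the effective ids, so the child may keep a root real/saved uid. A fork with a permanent uid drop and `execv()` on an argv vector would remove both the shell parsing and the window between `stat()` and execution. `user_key_allowed` continues past the end of this section.

```c
	/* Walk every ancestor up to and including "/". */
	for (;;) {
		if ((cp = strrchr(progname, '/')) == NULL)
			break;
		if (cp == progname) {
			if (progname[1] == '\0')
				break;	/* "/" itself was checked on the previous pass */
			cp++;		/* keep the leading slash so "/" is checked last */
		}
		*cp = '\0';
		/* … unchanged: debug3, stat(), ownership/mode and S_ISDIR checks … */
	}
```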
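--- a/openssh-5.3p1/configure.pka
+++ b/openssh-5.3p1/configure.pka
@@ -769,6 +769,7 @@ with_skey
 with_tcp_wrappers
 with_libedit
 with_audit
+with_pka
 with_ssl_dir
 with_openssl_header_check
 with_ssl_engine
@@ -1473,6 +1474,7 @@ Optional Packages:
   --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
   --with-libedit[=PATH]   Enable libedit support for sftp
   --with-audit=module     Enable EXPERIMENTAL audit support (modules=debug,bsm)
+  --with-pka      Enable pubkey agent support
   --with-ssl-dir=PATH     Specify path to OpenSSL installation
   --without-openssl-header-check Disable OpenSSL version consistency check
   --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
@@ -13443,6 +13445,25 @@ $as_echo "$as_me: error: Unknown audit m
 fi
 
 
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+
+# Check whether --with-pka was given.
+if test "${with_pka+set}" = set; then
+  withval=$with_pka;
+		if test "x$withval" != "xno" ; then
+
+cat >>confdefs.h <<\_ACEOF
+#define WITH_PUBKEY_AGENT 1
+_ACEOF
+
+			PKA_MSG="yes"
+		fi
+
+
+fi
+
+
 
 
 
@@ -32772,6 +32793,7 @@ echo " Linux audit support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
+echo "                       PKA support: $PKA_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"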
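--- a/openssh-5.3p1/configure.ac.pka
+++ b/openssh-5.3p1/configure.ac.pka
@@ -1319,6 +1319,18 @@ AC_ARG_WITH(audit,
 	esac ]
 )
 
+# Check whether user wants pubkey agent support
+PKA_MSG="no"
+AC_ARG_WITH(pka,
+	[  --with-pka      Enable pubkey agent support],
+	[
+		if test "x$withval" != "xno" ; then
+			AC_DEFINE([WITH_PUBKEY_AGENT], 1, [Enable pubkey agent support])
+			PKA_MSG="yes"
+		fi
+	]
+)
+
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS( \
 	arc4random \
@@ -4229,6 +4241,7 @@ echo " SELinux support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
+echo "                       PKA support: $PKA_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"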
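--- a/openssh-5.3p1/servconf.c.pka
+++ b/openssh-5.3p1/servconf.c.pka
@@ -127,6 +127,8 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
 	options->chroot_directory = NULL;
+	options->pubkey_agent = NULL;
+	options->pubkey_agent_runas = NULL;
 	options->zero_knowledge_password_authentication = -1;
 }
 
@@ -306,6 +308,7 @@ typedef enum {
 	sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sZeroKnowledgePasswordAuthentication,
+	sPubkeyAgent, sPubkeyAgentRunAs,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -424,6 +427,13 @@ static struct {
 	{ "permitopen", sPermitOpen, SSHCFG_ALL },
 	{ "forcecommand", sForceCommand, SSHCFG_ALL },
 	{ "chrootdirectory", sChrootDirectory, SSHCFG_ALL },
+#ifdef WITH_PUBKEY_AGENT
+	{ "pubkeyagent", sPubkeyAgent, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sPubkeyAgentRunAs, SSHCFG_ALL },
+#else
+	{ "pubkeyagent", sUnsupported, SSHCFG_ALL },
+	{ "pubkeyagentrunas", sUnsupported, SSHCFG_ALL },
+#endif
 	{ NULL, sBadOption, 0 }
 };
 
@@ -1294,6 +1304,20 @@ process_server_config_line(ServerOptions
 			*charptr = xstrdup(arg);
 		break;
 
+	case sPubkeyAgent:
+		len = strspn(cp, WHITESPACE);
+		if (*activep && options->pubkey_agent == NULL)
+			options->pubkey_agent = xstrdup(cp + len);
+		return 0;
+
+	case sPubkeyAgentRunAs:
+		charptr = &options->pubkey_agent_runas;
+
+		arg = strdelim(&cp);
+		if (*activep && *charptr == NULL)
+			*charptr = xstrdup(arg);
+		break;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
@@ -1387,6 +1411,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(gss_authentication);
 	M_CP_INTOPT(rsa_authentication);
 	M_CP_INTOPT(pubkey_authentication);
+	M_CP_STROPT(pubkey_agent);
+	M_CP_STROPT(pubkey_agent_runas);
 	M_CP_INTOPT(kerberos_authentication);
 	M_CP_INTOPT(hostbased_authentication);
 	M_CP_INTOPT(kbd_interactive_authentication);
@@ -1626,6 +1652,10 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sAuthorizedKeysFile, o->authorized_keys_file);
 	dump_cfg_string(sAuthorizedKeysFile2, o->authorized_keys_file2);
 	dump_cfg_string(sForceCommand, o->adm_forced_command);
+#ifdef WITH_PUBKEY_AGENT
+	dump_cfg_string(sPubkeyAgent, o->pubkey_agent);
+	dump_cfg_string(sPubkeyAgentRunAs, o->pubkey_agent_runas);
+#endif
 
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));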
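Review bot: In the `sPubkeyAgentRunAs` case of `process_server_config_line`, the result of `arg = strdelim(&cp)` goes straight into `xstrdup(arg)`, so a `PubkeyAgentRunAs` line with no value hands `xstrdup` a pointer that may be NULL or an empty string. An empty value would then be stored as "", and the lookup added in auth2-pubkey.c tests only for NULL, so it would be looked up as a user name and public-key authentication would be denied rather than falling back to the authenticating user as the man page describes. I would reject the missing argument up front with `if (!arg || *arg == '\0') fatal("%s line %d: missing user name.", filename, linenum);`. The enclosing switch starts and ends outside this hunk.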
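--- a/openssh-5.3p1/servconf.h.pka
+++ b/openssh-5.3p1/servconf.h.pka
@@ -151,6 +151,8 @@ typedef struct {
 	int	num_permitted_opens;
 
 	char   *chroot_directory;
+	char   *pubkey_agent;
+	char   *pubkey_agent_runas;
 }       ServerOptions;
 
 void	 initialize_server_options(ServerOptions *);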
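--- a/openssh-5.3p1/sshd_config.0.pka
+++ b/openssh-5.3p1/sshd_config.0.pka
@@ -344,10 +344,11 @@ DESCRIPTION
              AllowTcpForwarding, Banner, ChrootDirectory, ForceCommand,
              GatewayPorts, GSSAPIAuthentication, HostbasedAuthentication,
              KbdInteractiveAuthentication, KerberosAuthentication,
-             MaxAuthTries, MaxSessions, PasswordAuthentication,
-             PermitEmptyPasswords, PermitOpen, PermitRootLogin,
-             RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
-             X11Forwarding and X11UseLocalHost.
+             MaxAuthTries, MaxSessions, PubkeyAuthentication, PubkeyAgent,
+             PubkeyAgentRunAs, PasswordAuthentication, PermitEmptyPasswords,
+             PermitOpen, PermitRootLogin, RhostsRSAAuthentication,
+             RSAAuthentication, X11DisplayOffset, X11Forwarding and
+             X11UseLocalHost.
 
      MaxAuthTries
              Specifies the maximum number of authentication attempts permitted
@@ -455,6 +456,17 @@ DESCRIPTION
              fault is ``yes''.  Note that this option applies to protocol ver-
              sion 2 only.
 
+     PubkeyAgent
+             Specifies which agent is used for lookup of the user's public
+             keys. Empty string means to use the authorized_keys file.  By
+             default there is no PubkeyAgent set.  Note that this option has
+             an effect only with PubkeyAuthentication switched on.
+
+     PubkeyAgentRunAs
+             Specifies the user under whose account the PubkeyAgent is run.
+             Empty string (the default value) means the user being authorized
+             is used.
+
      RhostsRSAAuthentication
              Specifies whether rhosts or /etc/hosts.equiv authentication to-
              gether with successful RSA host authentication is allowed.  The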
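--- a/openssh-5.3p1/sshd_config.pka
+++ b/openssh-5.3p1/sshd_config.pka
@@ -46,6 +46,8 @@ Protocol 2
 #RSAAuthentication yes
 #PubkeyAuthentication yes
 #AuthorizedKeysFile	.ssh/authorized_keys
+#PubkeyAgent none
+#PubkeyAgentRunAs nobody
 
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #RhostsRSAAuthentication no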
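--- a/openssh-5.3p1/sshd_config.5.pka
+++ b/openssh-5.3p1/sshd_config.5.pka
@@ -610,6 +610,9 @@ Available keywords are
 .Cm KerberosAuthentication ,
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
+.Cm PubkeyAuthentication ,
+.Cm PubkeyAgent ,
+.Cm PubkeyAgentRunAs ,
 .Cm PasswordAuthentication ,
 .Cm PermitEmptyPasswords ,
 .Cm PermitOpen ,
@@ -805,6 +808,16 @@ Specifies whether public key authenticat
 The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
+.It Cm PubkeyAgent
+Specifies which agent is used for lookup of the user's public
+keys. Empty string means to use the authorized_keys file.
+By default there is no PubkeyAgent set.
+Note that this option has an effect only with PubkeyAuthentication
+switched on.
+.It Cm PubkeyAgentRunAs
+Specifies the user under whose account the PubkeyAgent is run. Empty
+string (the default value) means the user being authorized is used.
+.Dq 
 .It Cm RhostsRSAAuthentication
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.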
