- (djm) Add back radix.o (used by AFS support), after it went missing from

Makefile many moons ago
 - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
 - (djm) Fix blibpath specification for AIX/gcc
 - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org

CREDITS

@@ -5,7 +5,7 @@ Theo de Raadt, and Dug Song - Creators of OpenSSH
 
 Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
 Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
-Andre Lucas <andre.lucas@dial.pipex.com> - new login code, many fixes
+Andre Lucas <andre@ae-35.com> - new login code, many fixes
 Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
 Andrew McGill <andrewm@datrix.co.za> - SCO fixes
 Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
@@ -91,5 +91,5 @@ Apologies to anyone I have missed.
 
 Damien Miller <djm@mindrot.org>
 
-$Id: CREDITS,v 1.67 2002/07/28 20:31:19 stevesk Exp $
+$Id: CREDITS,v 1.68 2003/04/29 13:22:40 djm Exp $
 

ChangeLog

@@ -1,3 +1,10 @@
+20030429
+ - (djm) Add back radix.o (used by AFS support), after it went missing from
+   Makefile many moons ago
+ - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
+ - (djm) Fix blibpath specification for AIX/gcc
+ - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
+
 20030428
  - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit 
    hacked code.
@@ -1349,4 +1356,4 @@
      save auth method before monitor_reset_key_state(); bugzilla bug #284;
      ok provos@
 
-$Id: ChangeLog,v 1.2663 2003/04/28 23:30:43 mouring Exp $
+$Id: ChangeLog,v 1.2664 2003/04/29 13:22:40 djm Exp $

Makefile.in

@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.228 2003/03/21 00:34:34 mouring Exp $
+# $Id: Makefile.in,v 1.229 2003/04/29 13:22:40 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -62,7 +62,7 @@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keys
 
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o \
 	cipher.o compat.o compress.o crc32.o deattack.o fatal.o \
-	hostfile.o log.o match.o mpaux.o nchan.o packet.o readpass.o \
+	hostfile.o log.o match.o mpaux.o nchan.o packet.o radix.o readpass.o \
 	rsa.o tildexpand.o ttymodes.o xmalloc.o atomicio.o \
 	key.o dispatch.o kex.o mac.o uuencode.o misc.o \
 	rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \

auth-pam.c

@@ -38,7 +38,7 @@ extern char *__progname;
 
 extern int use_privsep;
 
-RCSID("$Id: auth-pam.c,v 1.56 2003/04/09 10:59:48 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.57 2003/04/29 13:22:40 djm Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now."
@@ -201,7 +201,7 @@ void do_pam_cleanup_proc(void *context)
 	}
 }
 
-/* Attempt password authentation using PAM */
+/* Attempt password authentication using PAM */
 int auth_pam_password(Authctxt *authctxt, const char *password)
 {
 	extern ServerOptions options;
@@ -215,13 +215,13 @@ int auth_pam_password(Authctxt *authctxt, const char *password)
 	pamstate = INITIAL_LOGIN;
 	pam_retval = do_pam_authenticate(
 	    options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
-	if (pam_retval == PAM_SUCCESS) {
-		debug("PAM Password authentication accepted for "
-		    "user \"%.100s\"", pw->pw_name);
+	if (pam_retval == PAM_SUCCESS && pw) {
+		debug("PAM password authentication accepted for "
+		    "%.100s", pw->pw_name);
 		return 1;
 	} else {
-		debug("PAM Password authentication for \"%.100s\" "
-		    "failed[%d]: %s", pw->pw_name, pam_retval, 
+		debug("PAM password authentication failed for "
+		    "%.100s: %s", pw ? pw->pw_name : "an illegal user",
 		    PAM_STRERROR(__pamh, pam_retval));
 		return 0;
 	}

auth-passwd.c

@@ -93,6 +93,7 @@ int
 auth_password(Authctxt *authctxt, const char *password)
 {
 	struct passwd * pw = authctxt->pw;
+	int ok = authctxt->valid;
 #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
 	char *encrypted_password;
 	char *pw_password;
@@ -115,19 +116,23 @@ auth_password(Authctxt *authctxt, const char *password)
 
 	/* deny if no user. */
 	if (pw == NULL)
-		return 0;
+		ok = 0;
 #ifndef HAVE_CYGWIN
-       if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-		return 0;
+	if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+		ok = 0;
 #endif
 	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
+		ok = 0;
 
 #if defined(USE_PAM)
-	return auth_pam_password(authctxt, password);
+	return auth_pam_password(authctxt, password) && ok;
 #elif defined(HAVE_OSF_SIA)
+	if (!ok)
+		return 0;
 	return auth_sia_password(authctxt, password);
 #else
+	if (!ok)
+		return 0;
 # ifdef KRB5
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb5_password(authctxt, password);

auth2-none.c

@@ -100,7 +100,7 @@ userauth_none(Authctxt *authctxt)
 	if (check_nt_auth(1, authctxt->pw) == 0)
 		return(0);
 #endif
-	return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0);
+	return PRIVSEP(auth_password(authctxt, "")) && authctxt->valid;
 }
 
 Authmethod method_none = {

auth2-passwd.c

@@ -47,11 +47,11 @@ userauth_passwd(Authctxt *authctxt)
 		logit("password change not supported");
 	password = packet_get_string(&len);
 	packet_check_eom();
-	if (authctxt->valid &&
+	if (PRIVSEP(auth_password(authctxt, password)) == 1 && authctxt->valid
 #ifdef HAVE_CYGWIN
-	    check_nt_auth(1, authctxt->pw) &&
+	    && check_nt_auth(1, authctxt->pw)
 #endif
-	    PRIVSEP(auth_password(authctxt, password)) == 1)
+	    )
 		authenticated = 1;
 	memset(password, 0, len);
 	xfree(password);

configure.ac

@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.113 2003/03/21 01:18:09 mouring Exp $
+# $Id: configure.ac,v 1.114 2003/04/29 13:22:40 djm Exp $
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -57,20 +57,24 @@ case "$host" in
 	AFS_LIBS="-lld"
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
 	LDFLAGS="$LDFLAGS -L/usr/local/lib"
-	if (test "$LD" != "gcc" && test -z "$blibpath"); then
-		AC_MSG_CHECKING([if linkage editor ($LD) accepts -blibpath])
-		saved_LDFLAGS="$LDFLAGS"
-		LDFLAGS="$LDFLAGS -blibpath:/usr/lib:/lib:/usr/local/lib"
-		AC_TRY_LINK([],
-			[],
-			[
-				AC_MSG_RESULT(yes)
-				blibpath="/usr/lib:/lib:/usr/local/lib"
-			],
-			[ AC_MSG_RESULT(no) ]
-		)
-		LDFLAGS="$saved_LDFLAGS"
+	AC_MSG_CHECKING([how to specify blibpath for linker ($LD)]) 
+	if (test -z "$blibpath"); then
+		blibpath="/usr/lib:/lib:/usr/local/lib"
 	fi
+	saved_LDFLAGS="$LDFLAGS"
+	for tryflags in -blibpath: -Wl,-blibpath: -Wl,-rpath, ;do
+		if (test -z "$blibflags"); then
+			LDFLAGS="$saved_LDFLAGS $tryflags$blibpath"
+			AC_TRY_LINK([], [], [blibflags=$tryflags])
+		fi
+	done
+	if (test -z "$blibflags"); then
+		AC_MSG_RESULT(not found)
+		AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
+	else
+		AC_MSG_RESULT($blibflags)
+	fi
+	LDFLAGS="$saved_LDFLAGS"
 	AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)],
 		[AC_CHECK_LIB(s,authenticate,
 			[ AC_DEFINE(WITH_AIXAUTHENTICATE)
@@ -618,6 +622,7 @@ AC_CHECK_FUNCS(\
 )
 
 AC_SEARCH_LIBS(nanosleep, rt posix4, AC_DEFINE(HAVE_NANOSLEEP))
+AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME))
 
 dnl Make sure strsep prototype is defined before defining HAVE_STRSEP
 AC_CHECK_DECL(strsep, [AC_CHECK_FUNCS(strsep)])
@@ -2473,8 +2478,8 @@ fi
 
 
 if test ! -z "$blibpath" ; then
-	LDFLAGS="$LDFLAGS -blibpath:$blibpath"
-	AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile])
+	LDFLAGS="$LDFLAGS $blibflags$blibpath"
+	AC_MSG_WARN([Please check and edit blibpath in LDFLAGS in Makefile])
 fi
 
 dnl remove pam and dl because they are in $LIBPAM

contrib/caldera/openssh.spec

@@ -17,7 +17,7 @@
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable	1
 %if %{use_stable}
-  %define version 	3.6.1p1
+  %define version 	3.6.1p2
   %define cvs		%{nil}
   %define release 	2
 %else
@@ -364,4 +364,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.42 2003/04/01 11:46:53 djm Exp $
+$Id: openssh.spec,v 1.43 2003/04/29 13:22:40 djm Exp $

contrib/redhat/openssh.spec

@@ -1,5 +1,5 @@
-%define ver 3.6.1p1
-%define rel 2
+%define ver 3.6.1p2
+%define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
 %define sshd_uid    74

contrib/suse/openssh.spec

@@ -1,6 +1,6 @@
 Summary: OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name: openssh
-Version: 3.6.1p1
+Version: 3.6.1p2
 URL: http://www.openssh.com/
 Release: 1
 Source0: openssh-%{version}.tar.gz

monitor.c

@@ -606,7 +606,7 @@ mm_answer_authpassword(int socket, Buffer *m)
 	passwd = buffer_get_string(m, &plen);
 	/* Only authenticate if the context is valid */
 	authenticated = options.password_authentication &&
-	    authctxt->valid && auth_password(authctxt, passwd);
+	    auth_password(authctxt, passwd) && authctxt->valid;
 	memset(passwd, 0, strlen(passwd));
 	xfree(passwd);
 

version.h

@@ -1,3 +1,3 @@
 /* $OpenBSD: version.h,v 1.37 2003/04/01 10:56:46 markus Exp $ */
 
-#define SSH_VERSION    "OpenSSH_3.6.1p1"
+#define SSH_VERSION    "OpenSSH_3.6.1p2"