allow WAYLAND_DISPLAY to enable SSH_ASKPASS

From dkg via GHPR479; ok dtucker@

Avoid kill with -1 argument.
The out_ctx label can be reached before fork has been called. If this
happens, then kill -1 would be called, sending SIGTERM to all processes
reachable by the current process.

From tobias@ and c3h2_ctf via github PR#286, ok djm@

mention in comment that read_passphrase(..., RP_ALLOW_STDIN) will
try to use askpass first. bz3314

convert a couple of debug() -> debug_f() while here

Free the previously allocated msg buffer after writing it out.
OK djm@

unbreak; missing NULL check

when requesting a security key touch on stderr, inform the user once
the touch has been recorded; requested by claudio@ ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

There are lots of place where we want to redirect stdin, stdout
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@

let the "Confirm user presence for key ..." ssh-askpass notification
respect $SSH_ASKPASS_REQUIRE; ok markus@

allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable.
bz#69 ok markus@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set when asking
passphrases, only when confirming the use of a key (i.e. for ssh-agent
keys added with "ssh-add -c keyfile")

bring the __func__

use error()+_exit() instead of fatal() to avoid running cleanup
handlers in child process; spotted via weird regress failures in
portable

follow existing askpass logic for security key notifier: fall back
to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable
is set.

pass SSH_ASKPASS_PROMPT hint to y/n key confirm too

dd API for performing one-shot notifications via tty or SSH_ASKPASS

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Print an \r in front of the password prompt so parts of a password
that was entered too early are likely clobbered by the prompt.
Idea from doas.

from and ok djm
"i like it" deraadt

Remove support for running ssh(1) setuid and fatal if attempted.
Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@

Pass (char *)NULL rather than (char *)0 to execl and execlp.

ok dtucker@

convert memset of potentially-private data to explicit_bzero()

bye, bye xfree(); ok markus@

fix ControlMaster=ask regression

reset SIGCHLD handler before fork (and restore it after) so we don't miss
the the askpass child's exit status. Correct test for exit status/signal to
account for waitpid() failure; with claudio@ ok claudio@ markus@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

do not set the gid, noted by solar; ok djm

replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/wait.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

branches: 1.33.2;
missing {}

Add debug message if read_passphrase can't open /dev/tty; bz #471; ok djm@

branches: 1.31.2;
factor out common permission-asking code to separate function; ok markus@

branches: 1.30.2;
Add option for confirmation (ControlMaster=ask) via ssh-askpass before opening
shared connections; ok markus@

kill a tiny header; ok deraadt@

branches: 1.28.4; 1.28.6;
ssh-add -c, prompt user for confirmation (using ssh-askpass) when
private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@

branches: 1.27.2; 1.27.4;
client side support for PASSWD_CHANGEREQ
based on work by johan.andersson@appgate.com; ok provos@

readpass.c is not longer from UCB, since we now use readpassphrase(3)

use _PATH_TTY

Avoid interruptable passphrase read; ok markus@

don't strdup too much data; from gotoh@taiyo.co.jp; ok millert.

branches: 1.22.2;
delete spurious #includes; ok deraadt@ markus@

don't panic if fork or pipe fail (just return an empty passwd).

do not return NULL, use "" instead.

switch to readpassphrase(3)
2.7/8-stable needs readpassphrase.[ch] from libc

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

Use const for 'prompt'. Brought over from portable tree.

Put the 'const' back into ssh_askpass() function. Pointed out
by Mark Miller <markm@swoon.net>. OK Markus

branches: 1.15.2;
call askpass from ssh, too, based on work by roth@feep.net, ok deraadt

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

branches: 1.12.2;
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me

OpenBSD tag

branches: 1.10.2;
whitespace cleanup

instead of blocking SIGINT, catch it ourselves, so that we can clean the
tty modes up and kill ourselves -- instead of our process group leader (scp,
cvs, ...) going away and leaving us in noecho mode. people with cbreak
shells never even noticed..

avoid stdio; based on work by markus, millert, and I

KNF, final part 3

much more KNF

KNF part 1

we do not ship ssh-askpass

even smaller

cull more ancient garbage from pre-POSIX days

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

Avoid kill with -1 argument.
The out_ctx label can be reached before fork has been called. If this
happens, then kill -1 would be called, sending SIGTERM to all processes
reachable by the current process.

From tobias@ and c3h2_ctf via github PR#286, ok djm@

mention in comment that read_passphrase(..., RP_ALLOW_STDIN) will
try to use askpass first. bz3314

convert a couple of debug() -> debug_f() while here

Free the previously allocated msg buffer after writing it out.
OK djm@

unbreak; missing NULL check

when requesting a security key touch on stderr, inform the user once
the touch has been recorded; requested by claudio@ ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

There are lots of place where we want to redirect stdin, stdout
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@

let the "Confirm user presence for key ..." ssh-askpass notification
respect $SSH_ASKPASS_REQUIRE; ok markus@

allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable.
bz#69 ok markus@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set when asking
passphrases, only when confirming the use of a key (i.e. for ssh-agent
keys added with "ssh-add -c keyfile")

bring the __func__

use error()+_exit() instead of fatal() to avoid running cleanup
handlers in child process; spotted via weird regress failures in
portable

follow existing askpass logic for security key notifier: fall back
to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable
is set.

pass SSH_ASKPASS_PROMPT hint to y/n key confirm too

dd API for performing one-shot notifications via tty or SSH_ASKPASS

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Print an \r in front of the password prompt so parts of a password
that was entered too early are likely clobbered by the prompt.
Idea from doas.

from and ok djm
"i like it" deraadt

Remove support for running ssh(1) setuid and fatal if attempted.
Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@

Pass (char *)NULL rather than (char *)0 to execl and execlp.

ok dtucker@

convert memset of potentially-private data to explicit_bzero()

bye, bye xfree(); ok markus@

fix ControlMaster=ask regression

reset SIGCHLD handler before fork (and restore it after) so we don't miss
the the askpass child's exit status. Correct test for exit status/signal to
account for waitpid() failure; with claudio@ ok claudio@ markus@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

do not set the gid, noted by solar; ok djm

replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/wait.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

branches: 1.33.2;
missing {}

Add debug message if read_passphrase can't open /dev/tty; bz #471; ok djm@

branches: 1.31.2;
factor out common permission-asking code to separate function; ok markus@

branches: 1.30.2;
Add option for confirmation (ControlMaster=ask) via ssh-askpass before opening
shared connections; ok markus@

kill a tiny header; ok deraadt@

branches: 1.28.4; 1.28.6;
ssh-add -c, prompt user for confirmation (using ssh-askpass) when
private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@

branches: 1.27.2; 1.27.4;
client side support for PASSWD_CHANGEREQ
based on work by johan.andersson@appgate.com; ok provos@

readpass.c is not longer from UCB, since we now use readpassphrase(3)

use _PATH_TTY

Avoid interruptable passphrase read; ok markus@

don't strdup too much data; from gotoh@taiyo.co.jp; ok millert.

branches: 1.22.2;
delete spurious #includes; ok deraadt@ markus@

don't panic if fork or pipe fail (just return an empty passwd).

do not return NULL, use "" instead.

switch to readpassphrase(3)
2.7/8-stable needs readpassphrase.[ch] from libc

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

Use const for 'prompt'. Brought over from portable tree.

Put the 'const' back into ssh_askpass() function. Pointed out
by Mark Miller <markm@swoon.net>. OK Markus

branches: 1.15.2;
call askpass from ssh, too, based on work by roth@feep.net, ok deraadt

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

branches: 1.12.2;
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me

OpenBSD tag

branches: 1.10.2;
whitespace cleanup

instead of blocking SIGINT, catch it ourselves, so that we can clean the
tty modes up and kill ourselves -- instead of our process group leader (scp,
cvs, ...) going away and leaving us in noecho mode. people with cbreak
shells never even noticed..

avoid stdio; based on work by markus, millert, and I

KNF, final part 3

much more KNF

KNF part 1

we do not ship ssh-askpass

even smaller

cull more ancient garbage from pre-POSIX days

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

mention in comment that read_passphrase(..., RP_ALLOW_STDIN) will
try to use askpass first. bz3314

convert a couple of debug() -> debug_f() while here

Free the previously allocated msg buffer after writing it out.
OK djm@

unbreak; missing NULL check

when requesting a security key touch on stderr, inform the user once
the touch has been recorded; requested by claudio@ ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

There are lots of place where we want to redirect stdin, stdout
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@

let the "Confirm user presence for key ..." ssh-askpass notification
respect $SSH_ASKPASS_REQUIRE; ok markus@

allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable.
bz#69 ok markus@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set when asking
passphrases, only when confirming the use of a key (i.e. for ssh-agent
keys added with "ssh-add -c keyfile")

bring the __func__

use error()+_exit() instead of fatal() to avoid running cleanup
handlers in child process; spotted via weird regress failures in
portable

follow existing askpass logic for security key notifier: fall back
to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable
is set.

pass SSH_ASKPASS_PROMPT hint to y/n key confirm too

dd API for performing one-shot notifications via tty or SSH_ASKPASS

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Print an \r in front of the password prompt so parts of a password
that was entered too early are likely clobbered by the prompt.
Idea from doas.

from and ok djm
"i like it" deraadt

Remove support for running ssh(1) setuid and fatal if attempted.
Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@

Pass (char *)NULL rather than (char *)0 to execl and execlp.

ok dtucker@

convert memset of potentially-private data to explicit_bzero()

bye, bye xfree(); ok markus@

fix ControlMaster=ask regression

reset SIGCHLD handler before fork (and restore it after) so we don't miss
the the askpass child's exit status. Correct test for exit status/signal to
account for waitpid() failure; with claudio@ ok claudio@ markus@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

do not set the gid, noted by solar; ok djm

replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/wait.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

branches: 1.33.2;
missing {}

Add debug message if read_passphrase can't open /dev/tty; bz #471; ok djm@

branches: 1.31.2;
factor out common permission-asking code to separate function; ok markus@

branches: 1.30.2;
Add option for confirmation (ControlMaster=ask) via ssh-askpass before opening
shared connections; ok markus@

kill a tiny header; ok deraadt@

branches: 1.28.4; 1.28.6;
ssh-add -c, prompt user for confirmation (using ssh-askpass) when
private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@

branches: 1.27.2; 1.27.4;
client side support for PASSWD_CHANGEREQ
based on work by johan.andersson@appgate.com; ok provos@

readpass.c is not longer from UCB, since we now use readpassphrase(3)

use _PATH_TTY

Avoid interruptable passphrase read; ok markus@

don't strdup too much data; from gotoh@taiyo.co.jp; ok millert.

branches: 1.22.2;
delete spurious #includes; ok deraadt@ markus@

don't panic if fork or pipe fail (just return an empty passwd).

do not return NULL, use "" instead.

switch to readpassphrase(3)
2.7/8-stable needs readpassphrase.[ch] from libc

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

Use const for 'prompt'. Brought over from portable tree.

Put the 'const' back into ssh_askpass() function. Pointed out
by Mark Miller <markm@swoon.net>. OK Markus

branches: 1.15.2;
call askpass from ssh, too, based on work by roth@feep.net, ok deraadt

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

branches: 1.12.2;
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me

OpenBSD tag

branches: 1.10.2;
whitespace cleanup

instead of blocking SIGINT, catch it ourselves, so that we can clean the
tty modes up and kill ourselves -- instead of our process group leader (scp,
cvs, ...) going away and leaving us in noecho mode. people with cbreak
shells never even noticed..

avoid stdio; based on work by markus, millert, and I

KNF, final part 3

much more KNF

KNF part 1

we do not ship ssh-askpass

even smaller

cull more ancient garbage from pre-POSIX days

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

Free the previously allocated msg buffer after writing it out.
OK djm@

unbreak; missing NULL check

when requesting a security key touch on stderr, inform the user once
the touch has been recorded; requested by claudio@ ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

There are lots of place where we want to redirect stdin, stdout
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@

let the "Confirm user presence for key ..." ssh-askpass notification
respect $SSH_ASKPASS_REQUIRE; ok markus@

allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable.
bz#69 ok markus@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set when asking
passphrases, only when confirming the use of a key (i.e. for ssh-agent
keys added with "ssh-add -c keyfile")

bring the __func__

use error()+_exit() instead of fatal() to avoid running cleanup
handlers in child process; spotted via weird regress failures in
portable

follow existing askpass logic for security key notifier: fall back
to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable
is set.

pass SSH_ASKPASS_PROMPT hint to y/n key confirm too

dd API for performing one-shot notifications via tty or SSH_ASKPASS

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Print an \r in front of the password prompt so parts of a password
that was entered too early are likely clobbered by the prompt.
Idea from doas.

from and ok djm
"i like it" deraadt

Remove support for running ssh(1) setuid and fatal if attempted.
Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@

Pass (char *)NULL rather than (char *)0 to execl and execlp.

ok dtucker@

convert memset of potentially-private data to explicit_bzero()

bye, bye xfree(); ok markus@

fix ControlMaster=ask regression

reset SIGCHLD handler before fork (and restore it after) so we don't miss
the the askpass child's exit status. Correct test for exit status/signal to
account for waitpid() failure; with claudio@ ok claudio@ markus@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

do not set the gid, noted by solar; ok djm

replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/wait.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

branches: 1.33.2;
missing {}

Add debug message if read_passphrase can't open /dev/tty; bz #471; ok djm@

branches: 1.31.2;
factor out common permission-asking code to separate function; ok markus@

branches: 1.30.2;
Add option for confirmation (ControlMaster=ask) via ssh-askpass before opening
shared connections; ok markus@

kill a tiny header; ok deraadt@

branches: 1.28.4; 1.28.6;
ssh-add -c, prompt user for confirmation (using ssh-askpass) when
private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@

branches: 1.27.2; 1.27.4;
client side support for PASSWD_CHANGEREQ
based on work by johan.andersson@appgate.com; ok provos@

readpass.c is not longer from UCB, since we now use readpassphrase(3)

use _PATH_TTY

Avoid interruptable passphrase read; ok markus@

don't strdup too much data; from gotoh@taiyo.co.jp; ok millert.

branches: 1.22.2;
delete spurious #includes; ok deraadt@ markus@

don't panic if fork or pipe fail (just return an empty passwd).

do not return NULL, use "" instead.

switch to readpassphrase(3)
2.7/8-stable needs readpassphrase.[ch] from libc

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

Use const for 'prompt'. Brought over from portable tree.

Put the 'const' back into ssh_askpass() function. Pointed out
by Mark Miller <markm@swoon.net>. OK Markus

branches: 1.15.2;
call askpass from ssh, too, based on work by roth@feep.net, ok deraadt

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

branches: 1.12.2;
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me

OpenBSD tag

branches: 1.10.2;
whitespace cleanup

instead of blocking SIGINT, catch it ourselves, so that we can clean the
tty modes up and kill ourselves -- instead of our process group leader (scp,
cvs, ...) going away and leaving us in noecho mode. people with cbreak
shells never even noticed..

avoid stdio; based on work by markus, millert, and I

KNF, final part 3

much more KNF

KNF part 1

we do not ship ssh-askpass

even smaller

cull more ancient garbage from pre-POSIX days

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

There are lots of place where we want to redirect stdin, stdout
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@

let the "Confirm user presence for key ..." ssh-askpass notification
respect $SSH_ASKPASS_REQUIRE; ok markus@

allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable.
bz#69 ok markus@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set when asking
passphrases, only when confirming the use of a key (i.e. for ssh-agent
keys added with "ssh-add -c keyfile")

bring the __func__

use error()+_exit() instead of fatal() to avoid running cleanup
handlers in child process; spotted via weird regress failures in
portable

follow existing askpass logic for security key notifier: fall back
to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable
is set.

pass SSH_ASKPASS_PROMPT hint to y/n key confirm too

dd API for performing one-shot notifications via tty or SSH_ASKPASS

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Print an \r in front of the password prompt so parts of a password
that was entered too early are likely clobbered by the prompt.
Idea from doas.

from and ok djm
"i like it" deraadt

Remove support for running ssh(1) setuid and fatal if attempted.
Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@

Pass (char *)NULL rather than (char *)0 to execl and execlp.

ok dtucker@

convert memset of potentially-private data to explicit_bzero()

bye, bye xfree(); ok markus@

fix ControlMaster=ask regression

reset SIGCHLD handler before fork (and restore it after) so we don't miss
the the askpass child's exit status. Correct test for exit status/signal to
account for waitpid() failure; with claudio@ ok claudio@ markus@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

do not set the gid, noted by solar; ok djm

replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/wait.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

branches: 1.33.2;
missing {}

Add debug message if read_passphrase can't open /dev/tty; bz #471; ok djm@

branches: 1.31.2;
factor out common permission-asking code to separate function; ok markus@

branches: 1.30.2;
Add option for confirmation (ControlMaster=ask) via ssh-askpass before opening
shared connections; ok markus@

kill a tiny header; ok deraadt@

branches: 1.28.4; 1.28.6;
ssh-add -c, prompt user for confirmation (using ssh-askpass) when
private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@

branches: 1.27.2; 1.27.4;
client side support for PASSWD_CHANGEREQ
based on work by johan.andersson@appgate.com; ok provos@

readpass.c is not longer from UCB, since we now use readpassphrase(3)

use _PATH_TTY

Avoid interruptable passphrase read; ok markus@

don't strdup too much data; from gotoh@taiyo.co.jp; ok millert.

branches: 1.22.2;
delete spurious #includes; ok deraadt@ markus@

don't panic if fork or pipe fail (just return an empty passwd).

do not return NULL, use "" instead.

switch to readpassphrase(3)
2.7/8-stable needs readpassphrase.[ch] from libc

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

Use const for 'prompt'. Brought over from portable tree.

Put the 'const' back into ssh_askpass() function. Pointed out
by Mark Miller <markm@swoon.net>. OK Markus

branches: 1.15.2;
call askpass from ssh, too, based on work by roth@feep.net, ok deraadt

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

branches: 1.12.2;
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me

OpenBSD tag

branches: 1.10.2;
whitespace cleanup

instead of blocking SIGINT, catch it ourselves, so that we can clean the
tty modes up and kill ourselves -- instead of our process group leader (scp,
cvs, ...) going away and leaving us in noecho mode. people with cbreak
shells never even noticed..

avoid stdio; based on work by markus, millert, and I

KNF, final part 3

much more KNF

KNF part 1

we do not ship ssh-askpass

even smaller

cull more ancient garbage from pre-POSIX days

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

There are lots of place where we want to redirect stdin, stdout
and/or stderr to /dev/null. Factor all these out to a single
stdfd_devnull() function that allows selection of which of these
to redirect. ok markus@

let the "Confirm user presence for key ..." ssh-askpass notification
respect $SSH_ASKPASS_REQUIRE; ok markus@

allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable.
bz#69 ok markus@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set when asking
passphrases, only when confirming the use of a key (i.e. for ssh-agent
keys added with "ssh-add -c keyfile")

bring the __func__

use error()+_exit() instead of fatal() to avoid running cleanup
handlers in child process; spotted via weird regress failures in
portable

follow existing askpass logic for security key notifier: fall back
to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable
is set.

pass SSH_ASKPASS_PROMPT hint to y/n key confirm too

dd API for performing one-shot notifications via tty or SSH_ASKPASS

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Print an \r in front of the password prompt so parts of a password
that was entered too early are likely clobbered by the prompt.
Idea from doas.

from and ok djm
"i like it" deraadt

Remove support for running ssh(1) setuid and fatal if attempted.
Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@

Pass (char *)NULL rather than (char *)0 to execl and execlp.

ok dtucker@

convert memset of potentially-private data to explicit_bzero()

bye, bye xfree(); ok markus@

fix ControlMaster=ask regression

reset SIGCHLD handler before fork (and restore it after) so we don't miss
the the askpass child's exit status. Correct test for exit status/signal to
account for waitpid() failure; with claudio@ ok claudio@ markus@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

do not set the gid, noted by solar; ok djm

replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/wait.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

branches: 1.33.2;
missing {}

Add debug message if read_passphrase can't open /dev/tty; bz #471; ok djm@

branches: 1.31.2;
factor out common permission-asking code to separate function; ok markus@

branches: 1.30.2;
Add option for confirmation (ControlMaster=ask) via ssh-askpass before opening
shared connections; ok markus@

kill a tiny header; ok deraadt@

branches: 1.28.4; 1.28.6;
ssh-add -c, prompt user for confirmation (using ssh-askpass) when
private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@

branches: 1.27.2; 1.27.4;
client side support for PASSWD_CHANGEREQ
based on work by johan.andersson@appgate.com; ok provos@

readpass.c is not longer from UCB, since we now use readpassphrase(3)

use _PATH_TTY

Avoid interruptable passphrase read; ok markus@

don't strdup too much data; from gotoh@taiyo.co.jp; ok millert.

branches: 1.22.2;
delete spurious #includes; ok deraadt@ markus@

don't panic if fork or pipe fail (just return an empty passwd).

do not return NULL, use "" instead.

switch to readpassphrase(3)
2.7/8-stable needs readpassphrase.[ch] from libc

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

Use const for 'prompt'. Brought over from portable tree.

Put the 'const' back into ssh_askpass() function. Pointed out
by Mark Miller <markm@swoon.net>. OK Markus

branches: 1.15.2;
call askpass from ssh, too, based on work by roth@feep.net, ok deraadt

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]

branches: 1.12.2;
add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me

OpenBSD tag

branches: 1.10.2;
whitespace cleanup

instead of blocking SIGINT, catch it ourselves, so that we can clean the
tty modes up and kill ourselves -- instead of our process group leader (scp,
cvs, ...) going away and leaving us in noecho mode. people with cbreak
shells never even noticed..

avoid stdio; based on work by markus, millert, and I

KNF, final part 3

much more KNF

KNF part 1

we do not ship ssh-askpass

even smaller

cull more ancient garbage from pre-POSIX days

i bet a lot of people didn't know what ssh 1.2.16 had a nice license.
well, except for the patent issues. someone in sweden (forget their
name at the moment) cleaned out most of the patented code, and now
this code removes rsa code. when this is done, it will link against
libssl, but the work isn't completely done yet. then we need to bring
this up to modern days, featurewise.

let the "Confirm user presence for key ..." ssh-askpass notification
respect $SSH_ASKPASS_REQUIRE; ok markus@

allow some additional control over the use of ssh-askpass
via $SSH_ASKPASS_REQUIRE, including force-enable/disable.
bz#69 ok markus@

Replace all calls to signal(2) with a wrapper around sigaction(2).
This wrapper blocks all other signals during the handler preventing
races between handlers, and sets SA_RESTART which should reduce the
potential for short read/write operations.

fix setting of $SSH_ASKPASS_PROMPT - it shouldn't be set when asking
passphrases, only when confirming the use of a key (i.e. for ssh-agent
keys added with "ssh-add -c keyfile")

bring the __func__

use error()+_exit() instead of fatal() to avoid running cleanup
handlers in child process; spotted via weird regress failures in
portable

follow existing askpass logic for security key notifier: fall back
to _PATH_SSH_ASKPASS_DEFAULT if no $SSH_ASKPASS environment variable
is set.

pass SSH_ASKPASS_PROMPT hint to y/n key confirm too

dd API for performing one-shot notifications via tty or SSH_ASKPASS

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

Print an \r in front of the password prompt so parts of a password
that was entered too early are likely clobbered by the prompt.
Idea from doas.

from and ok djm
"i like it" deraadt

Remove support for running ssh(1) setuid and fatal if attempted.
Do not link uidwap.c into ssh any more. Neuters UsePrivilegedPort,
which will be marked as deprecated shortly. ok markus@ djm@

Pass (char *)NULL rather than (char *)0 to execl and execlp.

ok dtucker@

convert memset of potentially-private data to explicit_bzero()

bye, bye xfree(); ok markus@

fix ControlMaster=ask regression

reset SIGCHLD handler before fork (and restore it after) so we don't miss
the the askpass child's exit status. Correct test for exit status/signal to
account for waitpid() failure; with claudio@ ok claudio@ markus@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdio.h> out of includes.h

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <errno.h> out of includes.h; ok markus@

move #include <stdarg.h> out of includes.h; ok markus@

move #include <fcntl.h> out of includes.h

do not set the gid, noted by solar; ok djm

replace remaining setuid() calls with permanently_set_uid() and
check seteuid() return values; report Marcus Meissner; ok dtucker djm

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.35.2;
move #include <sys/wait.h> out of includes.h; ok markus@

move #include <paths.h> out of includes.h; ok markus@

branches: 1.33.2;
missing {}

Add debug message if read_passphrase can't open /dev/tty; bz #471; ok djm@

branches: 1.31.2;
factor out common permission-asking code to separate function; ok markus@

branches: 1.30.2;
Add option for confirmation (ControlMaster=ask) via ssh-askpass before opening
shared connections; ok markus@

kill a tiny header; ok deraadt@

branches: 1.28.4; 1.28.6;
ssh-add -c, prompt user for confirmation (using ssh-askpass) when
private agent key is used; with djm@; test by dugsong@, djm@; ok deraadt@

branches: 1.27.2; 1.27.4;
client side support for PASSWD_CHANGEREQ
based on work by johan.andersson@appgate.com; ok provos@

readpass.c is not longer from UCB, since we now use readpassphrase(3)

use _PATH_TTY

Avoid interruptable passphrase read; ok markus@

don't strdup too much data; from gotoh@taiyo.co.jp; ok millert.

branches: 1.22.2;
delete spurious #includes; ok deraadt@ markus@

don't panic if fork or pipe fail (just return an empty passwd).

do not return NULL, use "" instead.

switch to readpassphrase(3)
2.7/8-stable needs readpassphrase.[ch] from libc

more strict prototypes. raise warning level in Makefile.inc. markus ok'ed
TODO; cleanup headers

Use const for 'prompt'. Brought over from portable tree.

Put the 'const' back into ssh_askpass() function. Pointed out
by Mark Miller <markm@swoon.net>. OK Markus

branches: 1.15.2;
call askpass from ssh, too, based on work by roth@feep.net, ok deraadt

sync with netbsd tree changes.
- more strict prototypes, include necessary headers
- use paths.h/pathnames.h decls
- size_t typecase to int -> u_long

split ssh.h and try to cleanup the #include mess. remove unnecessary #includes.
rename util.[ch] -> misc.[ch]