--- netkit-telnet-ssl-0.17.24+0.1.orig/Makefile +++ netkit-telnet-ssl-0.17.24+0.1/Makefile @@ -1,7 +1,7 @@ # You can do "make SUB=blah" to make only a few, or edit here, or both # You can also run make directly in the subdirs you want. -SUB = telnet telnetd telnetlogin +SUB = libtelnet telnet telnetd telnetlogin %.build: (cd $(patsubst %.build, %, $@) && $(MAKE)) --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/NEWS +++ netkit-telnet-ssl-0.17.24+0.1/debian/NEWS @@ -0,0 +1,42 @@ +netkit-telnet-ssl (0.17.24+0.1-21) unstable; urgency=low + + SSL keys/certificates generated since 2006-09-17 with Debian's openssl + package are vulnerable due to a predictable random number generator. + For more details see: + + http://www.debian.org/security/2008/dsa-1571 + http://www.debian.org/security/key-rollover/ + http://wiki.debian.org/SSLkeys + + To generate new keys using the default telnetd-ssl setup (as root): + + rm -f /etc/telnetd-ssl/telnetd.pem /etc/ssl/certs/telnetd.pem + dpkg-reconfigure telnetd-ssl + + If you have set up any SSL infrastructure beyond this, it will + also need to be regenerated. + + -- Ian Beckwith Mon, 26 May 2008 00:37:58 +0100 + +netkit-telnet-ssl (0.17.24+0.1-5) unstable; urgency=low + + * Autologin + For compatability with vanilla telnet, and by popular demand, autologin + is no longer on by default in telnet-ssl. + + Autologin is enabled if any of the following command-line arguments are used: + + * -a + * -l username + * -r (rlogin mode) + * -z cert=cert.pem + * -z key=key.pem + + * Certificate-based authentication + SSL telnetd now supports -z certsok and /etc/ssl.users for + certificate-based authentication without a password. As a consequence + of this, telnetlogin(8) now accepts -f for login without a + password. See telnetd(8) for more information. + + -- Ian Beckwith Sun, 5 Dec 2004 12:57:09 +0000 + --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/README.Debian +++ netkit-telnet-ssl-0.17.24+0.1/debian/README.Debian 
@@ -1,5 +1,5 @@ The SSL patches were downloaded from -ftp://ftp.uni-mainz.de/pub/internet/security/ssl/SSL-MZapps/netkit-telnet-0.17+ssl-0.1.diff.gz +ftp://ftp.uni-mainz.de/pub/software/security/ssl/SSL-MZapps/netkit-telnet-0.17+ssl-0.1.diff.gz The packages was build in the following way: @@ -10,3 +10,5 @@ #don't fix problems with applied patches ! cd .. cp -a netkit-telnet-ssl-0.17.24+0.1 netkit-telnet-ssl-0.17.24+0.1.orig +cd netkit-telnet-ssl-0.17.24+0.1 +zcat ../netkit-telnet-ssl_0.17.17+0.1-2.diff.gz | patch -p1 --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/changelog +++ netkit-telnet-ssl-0.17.24+0.1/debian/changelog 
@@ -1,3 +1,272 @@ +netkit-telnet-ssl (0.17.24+0.1-24) unstable; urgency=medium + + * Fix buffer overflow (Closes: #695181). + + -- Ian Beckwith Sat, 22 Feb 2014 17:00:11 +0000 + +netkit-telnet-ssl (0.17.24+0.1-23) unstable; urgency=low + + * Remove hardcoded dependencies on libssl0.9.8 (Closes: #622656) + Thanks to Guillem Jover for patch. + * Propitiate lintian: + + telnet-ssl: Depends: add ${misc:Depends}. + + Remove long-obsolete Replaces: netstd and + Conflicts: ssltelnet, suidmanager. + + Add debian/source/format. + + Fix syntax of lintian overrides. + + Add lintian override for spelling of IAC DONT. + + Tweak wording of Description. + + Tweak debian/NEWS. + + debian/copyright: Explicitly include license instead + of reference to common-licenses. + + Standards-Version: 3.9.1. + + -- Ian Beckwith Wed, 20 Apr 2011 01:21:48 +0100 + +netkit-telnet-ssl (0.17.24+0.1-22) unstable; urgency=low + + * General package tidy: + + Use set -e in all maintainer scripts. + + Update maintainer email. + + Remove DM-Upload-Allowed now I have Ascended. + + Standards-Version: 3.8.2 (no changes). + + Override non-applicable lintian tags no-homepage-field and + spelling-error-in-binary. + + Use dh_lintian to install overrides + + Build-depend on debhelper version with dh_lintian. + + -- Ian Beckwith Wed, 22 Jul 2009 01:30:39 +0100 + +netkit-telnet-ssl (0.17.24+0.1-21) unstable; urgency=low + + * Update debian/NEWS with details of openssl problems + and key rollover. + * debian/control Depends: + + Explicitly depend on fixed openssl. + + Remove versioned dependencies on versions of dpkg and base-files + that long predate oldstable. + + Depend on passwd, needed for {user,group}del. + * telnetd-ssl postinst/postrm: fix update-inetd --remove regexp. + * Added stub debian/watch (upstream is dead). + * Standards-Version: 3.8.0 (no changes). 
+ + -- Ian Beckwith Fri, 13 Jun 2008 13:11:15 +0100 + +netkit-telnet-ssl (0.17.24+0.1-20) unstable; urgency=low + + * debian/control: + + Add DM-Upload-Allowed: yes + + Maintainer: update my email address. + + Standard-Version: 3.7.3 (no changes). + * */Makefile: cut out unnecessary linking. + * debian/NEWS: reformat to keep lintian happy. + * debian/telnetd.postinst: work round checkbashisms false positive. + * telnetd/telnetd.8: fix quoting. + * debian/rules: remove unneeded debhelper calls. + + -- Ian Beckwith Wed, 26 Mar 2008 02:55:38 +0000 + +netkit-telnet-ssl (0.17.24+0.1-19) unstable; urgency=low + + * telnet-ssl: Handle SSL_ERROR_WANT_READ, triggered by SSL + rehandshaking, based on patch by Alfred Arnold. + * Fix compiler warnings when converting string constants + to 'char *'s. + + -- Ian Beckwith Thu, 04 Oct 2007 22:30:28 +0100 + +netkit-telnet-ssl (0.17.24+0.1-18) unstable; urgency=low + + * debian/control: + + Added ${misc:Depends} to Depends. + + Updated long description. + * debian/rules: + + Use $(CURDIR) instead of `pwd`. + + Only run make distclean if MCONFIG exists, + instead of ignoring return code. + * Change telnet-ssl menu section to match new menu policy. + * Bump debhelper compat level to 5. + + -- Ian Beckwith Mon, 06 Aug 2007 17:19:38 +0100 + +netkit-telnet-ssl (0.17.24+0.1-17) unstable; urgency=low + + * Preserve telnetd arguments across all upgrades, including + ones which modify the inetd.conf entry (Closes: #421503). + * Avoid spurious updates when telnetd has arguments in inetd.conf. + + -- Ian Beckwith Mon, 14 May 2007 02:25:45 +0100 + +netkit-telnet-ssl (0.17.24+0.1-16) unstable; urgency=low + + * Fix inetd dependencies, thanks to Marco d'Itri (Closes: #402583). + + Drop dependencies on netbase and update-inetd. + + Add dependency on openbsd-inetd | inet-superserver. + + -- Ian Beckwith Wed, 13 Dec 2006 03:28:58 +0000 + +netkit-telnet-ssl (0.17.24+0.1-15) unstable; urgency=low + + * debian/control: add Depends: on update-inetd. 
+ + -- Ian Beckwith Wed, 6 Dec 2006 05:56:34 +0000 + +netkit-telnet-ssl (0.17.24+0.1-14) unstable; urgency=medium + + * Changed telnetd-ssl.telnetd-ssl to telnetd-ssl in inetd configuration. + Former format not supported by inetutils-inetd. + Thanks to Alberto Gonzalez Iniesta. + urgency=medium to try and get this fix in etch. + * Install telnet README files in /usr/share/doc/telnet-ssl/ + (rather than /usr/share/doc/telnet/) + + -- Ian Beckwith Sat, 11 Nov 2006 17:11:42 +0000 + +netkit-telnet-ssl (0.17.24+0.1-13) unstable; urgency=low + + * Tweaked fix for #122763. + * New telnet command: startssl - start SSL when talking + to non-telnetds (eg imapd with STARTTLS) (Closes: #187202). + * telnetd.postinst: configure: rewrite netkit-telnet's + inetd entry if it still exists. + * telnetd.8: add -z sslopt to options in SYNOPSIS. + + -- Ian Beckwith Sun, 24 Sep 2006 01:40:09 +0100 + +netkit-telnet-ssl (0.17.24+0.1-12) unstable; urgency=low + + * telnetd-ssl: Fixed segfault in netwritebuf() (Closes: #122763). + * Added Christoph Martin to Uploaders:. + + -- Ian Beckwith Mon, 10 Jul 2006 02:37:20 +0100 + +netkit-telnet-ssl (0.17.24+0.1-11) unstable; urgency=low + + * Move telnetd.pem to /etc/telnetd-ssl (Closes: #368416): + * Use private copy of openssl.cnf (from openssl_0.9.8b-2) (Closes: #372105). + * Set Common Name to FQDN when generating certificate. + * Standards-Version: 3.7.2 (No changes). + + -- Ian Beckwith Fri, 16 Jun 2006 19:10:02 +0100 + +netkit-telnet-ssl (0.17.24+0.1-10) unstable; urgency=low + + * telnet: don't disable ssl to localhost if -z secure + is set (Closes: #339528, #339535). + * Applied Justin Pryzby's netkit-telnet patch to reject invalid + port numbers (See #300273). + * Man page fixes: + + telnet.1: formatting fix, thanks to Nicolas François (Closes: #357737). + + issue.net.5: insert \& in %-sequences to stop groff interpreting them. 
+ + -- Ian Beckwith Fri, 28 Apr 2006 20:13:02 +0100 + +netkit-telnet-ssl (0.17.24+0.1-9) unstable; urgency=low + + * Fixed socks problems, thanks to IWAMURO Motonori (Closes: #314416). + * Dropped netbase as a dependency of telnet-ssl (Closes: #316946). + * telnetd-ssl postinst/postrm changes: + + Rename telnetd user to telnetd-ssl (Closes: #147945). + + Made update-inetd regexps a bit more robust. + + Added || true to rmdir calls in telnetd.post{inst,rm}. + + Use colons to separate user and group in chown calls. + * Bumped Standards-Version (No changes). + * Switched to debhelper compat level 4. + * Fixed warnings generated by gcc 4. + + -- Ian Beckwith Tue, 12 Jul 2005 02:07:26 +0100 + +netkit-telnet-ssl (0.17.24+0.1-8) unstable; urgency=low + + * Ack NMU. Thanks Joey Hess (Closes: #302036). + * telnetd-ssl.postinst: create telnetd user with home + dir of /nonexistant (See #272312). + * telnetd/utility.c: wrap SSL_writev in #ifdef USE_SSL + Thanks to Matt Bookman. + + -- Ian Beckwith Thu, 14 Apr 2005 16:55:29 +0100 + +netkit-telnet-ssl (0.17.24+0.1-7.1) unstable; urgency=HIGH + + * NMU + * telnet/telnet.cc: Fixed buffer overflow in the handling of the + LINEMODE suboptions in telnet clients (CAN-2005-0469). + Thanks Martin 'Joey' Schulze for the patch. + Closes: #302036 + + -- Joey Hess Thu, 31 Mar 2005 11:09:56 -1000 + +netkit-telnet-ssl (0.17.24+0.1-7) unstable; urgency=low + + * telnetd.postrm: use "test -x" instead of "command -v" (Closes: #293052). + * telnetd.{prerm,postinst}: use "test -x" before calls to update-inetd. 
+ + -- Ian Beckwith Thu, 24 Feb 2005 20:09:31 +0000 + +netkit-telnet-ssl (0.17.24+0.1-6) unstable; urgency=high + + * Urgency high due to security fix + * Fixed format string vulnerability discovered by Joel Eriksson + [telnetd/telnetd.c, CAN-2004-0998] + + -- Ian Beckwith Tue, 21 Dec 2004 18:13:20 +0000 + +netkit-telnet-ssl (0.17.24+0.1-5) unstable; urgency=low + + * telnet: + + Separate autologin and SSL (Closes: #57149, #57266, #59295, #62198, #83306). + + Autologin now defaults to off (use -a to enable). + + Verify server cert commonName matches remote hostname (Closes: #210749). + + Enable -z authdebug (Closes: #145551). + + Enable SSL when connecting from telnet> prompt (Closes: #26994). + + Give better diagnostics and exit cleanly when SSL certificate verification fails. + + Make -z verify=3 simulate -z certrequired. + * telnetlogin: + + added '-f username' option for preauthenticated login without password. + + fixed logic of check_a_hostname. + * telnetd: + + Fix -z certsok (Closes: #36527). + + set SSL_VERIFY_PEER if certsok enabled. + + Add -N option to log IP addresses rather than perform reverse DNS lookups. + Thanks to Dean Gaudet (Closes: #258371). + * Support DEB_BUILD_OPTIONS. + * Fixed compiler warnings. + * Updated man pages. + * debian/control: changed Priority: to extra. + + -- Ian Beckwith Sun, 5 Dec 2004 12:57:09 +0000 + +netkit-telnet-ssl (0.17.24+0.1-4) unstable; urgency=high + + * telnetd/utility.c: Fix remote DOS hole (CAN-2004-0911). Thanks Herbert Xu. + + -- Ian Beckwith Thu, 30 Sep 2004 20:23:02 +0100 + +netkit-telnet-ssl (0.17.24+0.1-3) unstable; urgency=low + + * New Maintainer (Closes: #260184) + * telnet/commands.cc: Apply Josh Martin's patch to fix + buffer overflow when $HOME is too big. + * telnetd/issue.net.5: escaped hyphen. 
+ + -- Ian Beckwith Sun, 15 Aug 2004 16:48:32 +0100 + +netkit-telnet-ssl (0.17.24+0.1-2) unstable; urgency=high + + * fix syslog format string vulnerability CAN-2004-0640 (closes: #258372) + * correct lintian error of description field + * correct menu entry + + -- Christoph Martin Tue, 13 Jul 2004 11:39:27 +0200 + +netkit-telnet-ssl (0.17.24+0.1-1) unstable; urgency=low + + * Bring netkit-telnet-ssl in line with current netkit-telnet + * Build for sid/sarge (closes: #189600) + * Fix telnet.1 manpage (closes: #156454) + + -- Christoph Martin Thu, 27 May 2004 13:50:41 +0200 + netkit-telnet (0.17-24) unstable; urgency=low * New maintainer. (Closes: #249714) @@ -53,6 +322,21 @@ -- Herbert Xu Sun, 7 Apr 2002 09:41:12 +1000 +netkit-telnet-ssl (0.17.17+0.1-2) unstable; urgency=low + + * moved from nonus to main + + -- Christoph Martin Sat, 23 Mar 2002 12:33:10 +0100 + +netkit-telnet-ssl (0.17.17+0.1-1) unstable; urgency=high + + * Provide telnet-server (#120180). + * Fixed IAC+SB crash (#122313, #128988). + * drop dummy ssltelnet package + * reintroduce options -4 and -6 (closes: #129253) + + -- Christoph Martin Wed, 6 Mar 2002 17:07:23 +0100 + netkit-telnet (0.17-17) unstable; urgency=high * Provide telnet-server (closes: #120180). @@ -60,6 +344,20 @@ -- Herbert Xu Fri, 18 Jan 2002 20:13:23 +1100 +netkit-telnet-ssl (0.17.16+0.1-2) unstable; urgency=high + + * fixed a bug in urgent handling which caused a session close on + interrupt characters (closes: #121831) + + -- Christoph Martin Sat, 1 Dec 2001 20:33:21 +0100 + +netkit-telnet-ssl (0.17.16+0.1-1) unstable; urgency=high + + * bring in line with netkit-telnet + * fixes netobuf overflows and some minor errors + + -- Christoph Martin Tue, 20 Nov 2001 16:18:00 +0100 + netkit-telnet (0.17-16) unstable; urgency=low * Set resolv_hostp outside the source routing ifdef in telnetd. 
@@ -80,6 +378,26 @@ -- Herbert Xu Sat, 11 Aug 2001 17:52:25 +1000 +netkit-telnet-ssl (0.17.13+0.1-2) unstable; urgency=high + + * fix environ problem in telnetlogin (closes: #108848, #109510, #109478) + * more cleanup in clean make-target (closes: #104194) + + -- Christoph Martin Fri, 24 Aug 2001 15:04:30 +0200 + +netkit-telnet-ssl (0.17.13+0.1-1) unstable; urgency=low + + * bring in line with netkit-telnet + * Updated devpts check to include devfs as well. + * Added include to telnetd/utility.c (96803). + * Added exit 0 to telnetd.postrm (93934). + * Changed misleading help message (94231). + * Renamed member printf to xprintf (91351). + * Use new in C++ compiler test (91353). + * fix typo in telnetd(8) manpage (closes: #99865) + + -- Christoph Martin Thu, 14 Jun 2001 16:23:54 +0200 + netkit-telnet (0.17-13) unstable; urgency=medium * Updated devpts check to include devfs as well. @@ -106,6 +424,13 @@ -- Herbert Xu Fri, 13 Apr 2001 19:34:12 +1000 +netkit-telnet-ssl (0.17.9-1) unstable; urgency=low + + * bring netkit-telnet changes to -ssl + * change builddepends libssl096-dev to libssl-dev + + -- Christoph Martin Sat, 10 Mar 2001 17:16:47 +0100 + netkit-telnet (0.17-9) unstable; urgency=low * Fixed path to license file (Christoph Martin, closes: #86476). @@ -116,6 +441,14 @@ -- Herbert Xu Sun, 25 Feb 2001 00:00:59 +1100 +netkit-telnet-ssl (0.17.8+0.1-1) unstable; urgency=low + + * bring netkit-telnet patches to -ssl + * use upstream patch netkit-telnet-0.17+ssl-0.1.diff + * fix pointer to BSD license in copyright + + -- Christoph Martin Sun, 18 Feb 2001 13:08:49 +0100 + netkit-telnet (0.17-8) unstable; urgency=low * Removed remnant of suidregister from telnetd (closes: #85882). 
@@ -124,6 +457,13 @@ -- Herbert Xu Sat, 17 Feb 2001 12:53:11 +1100 +netkit-telnet-ssl (0.17.7-1) unstable; urgency=low + + * bring netkit-telnet patches to -ssl + * fix builddepends to libssl096-dev (closes: #84174) + + -- Christoph Martin Thu, 1 Feb 2001 10:27:12 +0100 + netkit-telnet (0.17-7) unstable; urgency=low * Added includes for gcc 2.97 (Randolph Chung, closes: #83337). @@ -132,6 +472,15 @@ -- Herbert Xu Mon, 29 Jan 2001 21:10:59 +1100 +netkit-telnet-ssl (0.17.6-1) unstable; urgency=medium + + * link against libssl096 because libssl095a has vanished (closes: + #82063, #82064, #82053, #82499) + * new upstream Debian version + * builddepend on libssl096-dev + + -- Christoph Martin Tue, 16 Jan 2001 15:02:21 +0100 + netkit-telnet (0.17-6) unstable; urgency=low * Added menu entry for telnet (closes: #74845). @@ -144,6 +493,13 @@ -- Herbert Xu Fri, 22 Sep 2000 23:12:57 +1100 +netkit-telnet-ssl (0.17.4-1) unstable; urgency=low + + * new upstream version (closes: #69572) + * link against libssl095a (closes: #66305, #67078) + + -- Christoph Martin Tue, 19 Sep 2000 21:15:58 +0200 + netkit-telnet (0.17-4) unstable; urgency=low * Relaxed telnetlogin a bit. @@ -196,6 +552,16 @@ -- Herbert Xu Mon, 24 Apr 2000 16:58:22 +1000 +netkit-telnet-ssl (0.16.3-1) frozen unstable; urgency=medium + + * brings fixes applied to netkit-telnet also to netkit-telnet-ssl. These + versions versions should have parallel features and bugfixes. + * Made FHS compliant (closes: Bug#60428, #61489) + * fix call to suidunregister (wrong package) (closes: Bug#60437) + * recompile with libncurses5 like netkit-telnet + + -- Christoph Martin Sun, 9 Apr 2000 11:52:47 +0200 + netkit-telnet (0.16-3) frozen unstable; urgency=medium * Restored the default to not being 8-bit clean since it breaks SunOS 
@@ -213,6 +579,18 @@ -- Herbert Xu Sun, 12 Mar 2000 21:10:47 +1100 +netkit-telnet-ssl (0.16.1-1) frozen unstable; urgency=low + + * brings security fixes applied to netkit-telnet also to + netkit-telnet-ssl. These versions should have parallel features and + bugfixes. + * Now uses update-alternatives for telnet so it will install at same + time as othe versions of telnet (eg in heimdal-clients) (closes: + Bug#54557). (Thanks to Brian May ) + * typo in postinst in call to suidregister (closes: Bug#55197) + + -- Christoph Martin Mon, 13 Mar 2000 20:25:15 +0100 + netkit-telnet (0.16-1) frozen unstable; urgency=low * New upstream release with security fixes. @@ -220,6 +598,15 @@ -- Herbert Xu Thu, 3 Feb 2000 13:42:29 +1100 +netkit-telnet-ssl (0.14.9-1) unstable; urgency=low + + * new upstream + * telnetd-ssl now provides telnetd (closes: Bug#54557) + * make auto-generated telnetd.pem readable only for root.telnetd + (closes: Bug#54471) + + -- Christoph Martin Sat, 15 Jan 2000 10:38:02 +0100 + netkit-telnet (0.14-9) unstable; urgency=low * Compile login with -g -O2 -Wall. 
@@ -228,6 +615,31 @@ -- Herbert Xu Tue, 30 Nov 1999 22:43:39 +1100 +netkit-telnet-ssl (0.14.8-3) unstable; urgency=high + + * remove diversions of old ssltelnet package, so that telnet and telnetd + are usable again (closes: Bug#52622, #51328, #52624) + * telnet-ssl now provides telnet (closes: Bug#51968, #49500) + + -- Christoph Martin Mon, 10 Jan 2000 20:51:10 +0100 + +netkit-telnet-ssl (0.14.8-2) unstable; urgency=low + + * don't use lorder in creating libs (closes: Bug#48893) + * fix problem with pending data from ssl connection (closes: Bug#43196) + + -- Christoph Martin Sun, 28 Nov 1999 14:39:05 +0100 + +netkit-telnet-ssl (0.14.8-1) unstable; urgency=low + + * new upstream + * fixes problem with compatibility with recent telnetd (closes: + Bug#45485) + * feature change: default for connections to localhost is now not to + encrypt the connection (closes: Bug#41076) + + -- Christoph Martin Fri, 22 Oct 1999 14:06:16 +0200 + netkit-telnet (0.14-8) unstable; urgency=low * Call fatalperror() instead of fatal() when getpty() fails. @@ -267,6 +679,15 @@ -- Herbert Xu Thu, 2 Sep 1999 21:18:06 +1000 +netkit-telnet-ssl (0.14.2-1) unstable; urgency=low + + * new upstream version (Closes #43577) + * link agains openssl 0.9.4 + * disable default encryption for localhost (Closes #41076) + * be less verbose on connection opening + + -- Christoph Martin Sun, 29 Aug 1999 16:58:40 +0200 + netkit-telnet (0.14-2) unstable; urgency=low * telnetd now depends on adduser and passwd (fixes #43515). 
@@ -294,6 +715,34 @@ -- Herbert Xu Tue, 16 Mar 1999 15:24:36 +1100 +netkit-telnet-ssl (0.12-4) unstable; urgency=high + + * fixes security hole in termcap handling + * change include paths to work with openssl 0.9.3 + + -- Christoph Martin Mon, 23 Aug 1999 21:28:26 +0200 + +netkit-telnet-ssl (0.12-3) unstable; urgency=low + + * include empty package ssltelnet to help upgrade to telnet(d)-ssl (Bug + #34987, #38360, #38569, #36031, #36748, #37237) + + -- Christoph Martin Mon, 31 May 1999 16:22:33 +0200 + +netkit-telnet-ssl (0.12-2) unstable; urgency=low + + * linked against new libssl09 (openssl) + + -- Christoph Martin Mon, 3 May 1999 20:50:31 +0200 + +netkit-telnet-ssl (0.12-1) unstable; urgency=low + + * First SSL-patch to netkit-telnet, rewrite and replacement of ssltelnet + * Fixes several bugs of ssltelnet (#11844, #14641, #17461, #21336, + #22428, #25389, #26405, #26553) + + -- Christoph Martin Sun, 7 Mar 1999 22:20:24 +0100 + netkit-telnet (0.12-4) frozen unstable; urgency=low * Uploaded to slink. @@ -318,3 +767,4 @@ -- Herbert Xu Mon, 28 Sep 1998 16:50:43 +1000 + --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/compat +++ netkit-telnet-ssl-0.17.24+0.1/debian/compat @@ -0,0 +1 @@ +5 --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/control +++ netkit-telnet-ssl-0.17.24+0.1/debian/control 
@@ -1,27 +1,45 @@ -Source: netkit-telnet +Source: netkit-telnet-ssl Section: net -Priority: standard -Maintainer: Robert Millan -Standards-Version: 3.6.1 -Build-Depends: debhelper, libncurses-dev +Priority: extra +Maintainer: Ian Beckwith +Uploaders: Christoph Martin +Standards-Version: 3.9.1 +Build-Depends: debhelper (>= 6.0.7~), libncurses-dev, libssl-dev (>= 0.9.8g-9) -Package: telnet +Package: telnet-ssl Architecture: any -Depends: netbase, ${shlibs:Depends} -Replaces: netstd +Depends: ${shlibs:Depends}, ${misc:Depends} +Conflicts: telnet Provides: telnet-client -Description: The telnet client. +Description: telnet client with SSL encryption support The telnet command is used for interactive communication with another host using the TELNET protocol. + . + SSL telnet replaces normal telnet using SSL authentication and + encryption. It interoperates with normal telnetd in both directions. + It checks if the other side is also talking SSL, if not it falls back + to normal telnet protocol. + . + Advantages over normal telnet: Your passwords and the data you send + will not go in cleartext over the line. Nobody can get it with + tcpdump or similar tools. With SSLtelnet you can also connect to + https-server like https://www.mozilla.org. Just do + 'telnet -z ssl www.mozilla.org 443' -Package: telnetd +Package: telnetd-ssl Architecture: any -Priority: optional -Depends: adduser, base-files (>= 2.1.8), dpkg (>= 1.7.0), netbase, passwd, ${shlibs:Depends} -Replaces: netstd +Depends: adduser, openbsd-inetd | inet-superserver, passwd, openssl (>= 0.9.8g-9), ${shlibs:Depends}, ${misc:Depends} Provides: telnet-server -Conflicts: suidmanager (<< 0.50) -Description: The telnet server. +Conflicts: telnetd +Description: telnet server with SSL encryption support The in.telnetd program is a server which supports the DARPA telnet interactive communication protocol. - + . + SSL telnetd replaces normal telnetd using SSL authentication and + encryption. 
It interoperates with normal telnetd in both directions. + It checks if the other side is also talking SSL, if not it falls back + to normal telnet protocol. + . + Advantages over normal telnetd: Your passwords and the data you send + will not go in cleartext over the line. Nobody can get it with + tcpdump or similar tools. --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/copyright +++ netkit-telnet-ssl-0.17.24+0.1/debian/copyright 
@@ -13,6 +13,50 @@ Copyright (c) 1994 Peter Tobias (issue.net(5)) Copyright (c) 1983, 1995 Eric P. Allman (setproctitle.[ch]) -The license can be found at /usr/share/common-licenses/BSD. +/* + * Copyright (c) 1988, 1990 Regents of the University of California. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the University of + * California, Berkeley and its contributors. + * 4. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * The modifications to support SSLeay were done by Tim Hudson + * tjh@cryptsoft.com + * + * You can do whatever you like with these patches except pretend that + * you wrote them. + * + * Email ssl-users-request@mincom.oz.au to get instructions on how to + * join the mailing list that discusses SSLeay and also these patches. + * + * The modifications for this version of telnet where done by + * Christoph Martin + */ -$Id: copyright,v 1.4 2001/02/18 20:28:33 herbert Exp $ --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/dirs +++ netkit-telnet-ssl-0.17.24+0.1/debian/dirs @@ -1,3 +1,3 @@ usr/bin -usr/share/doc/telnet +usr/share/doc/telnet-ssl usr/share/man/man1 --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/docs +++ netkit-telnet-ssl-0.17.24+0.1/debian/docs @@ -1,2 +1,4 @@ BUGS README +README.SSL +VERSION --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/menu +++ netkit-telnet-ssl-0.17.24+0.1/debian/menu @@ -1,3 +1,3 @@ -?package(telnet): \ - needs="text" section="Apps/Net" title="Telnet" command="telnet" \ - hints="Terminal" +?package(telnet-ssl): \ + needs="text" section="Applications/Network/Communication" \ + title="Telnet-SSL" command="/usr/bin/telnet-ssl" hints="Terminal" --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/openssl.cnf +++ netkit-telnet-ssl-0.17.24+0.1/debian/openssl.cnf 
@@ -0,0 +1,313 @@
+#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+RANDFILE = $ENV::HOME/.rnd
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file = $ENV::HOME/.oid
+oid_section = new_oids
+
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions =
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+
+[ new_oids ]
+
+# We can add new OIDs in here for use by 'ca' and 'req'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several ctificates with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem# The private key
+RANDFILE = $dir/private/.rand # private random number file
+
+x509_extensions = usr_cert # The extentions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = sha1 # which md to use.
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 1024
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the self signed cert
+
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (eg, YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer:always
+
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+
+# Some might want this also
+# nsCertType = sslCA, emailCA
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
+
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+
+# This is OK for an SSL server.
+# nsCertType = server
+
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+
+# For normal client use this is typical
+# nsCertType = client, email
+
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# This will be displayed in Netscape's comment listbox.
+nsComment = "OpenSSL Generated Certificate"
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
--- netkit-telnet-ssl-0.17.24+0.1.orig/debian/postinst
+++ netkit-telnet-ssl-0.17.24+0.1/debian/postinst
@@ -1,8 +1,9 @@ -#!/bin/sh -e -# $Id: postinst,v 1.4 2000/08/23 10:08:42 herbert Exp $ +#!/bin/sh -update-alternatives --install /usr/bin/telnet telnet /usr/bin/telnet.netkit \ +set -e + +update-alternatives --install /usr/bin/telnet telnet /usr/bin/telnet-ssl \ 100 --slave /usr/share/man/man1/telnet.1.gz telnet.1.gz \ - /usr/share/man/man1/telnet.netkit.1.gz + /usr/share/man/man1/telnet-ssl.1.gz #DEBHELPER# --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/preinst +++ netkit-telnet-ssl-0.17.24+0.1/debian/preinst @@ -0,0 +1,10 @@ +#!/bin/sh + +set -e + +dpkg-divert --quiet --package ssltelnet --remove --rename \ + --divert /usr/bin/telnet.nossl /usr/bin/telnet +dpkg-divert --quiet --package ssltelnet --remove --rename \ + --divert /usr/man/man1/telnet.nossl.1.gz /usr/man/man1/telnet.1.gz + +#DEBHELPER# --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/prerm +++ netkit-telnet-ssl-0.17.24+0.1/debian/prerm @@ -1,7 +1,9 @@ #!/bin/sh +set -e + if [ "$1" = remove ] || [ "$1" = deconfigure ]; then - update-alternatives --remove telnet /usr/bin/telnet.netkit + update-alternatives --remove telnet /usr/bin/telnet-ssl fi #DEBHELPER# --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/rules +++ netkit-telnet-ssl-0.17.24+0.1/debian/rules @@ -1,15 +1,21 @@ #!/usr/bin/make -f -# $Id: rules,v 1.12 2003/10/18 03:37:54 herbert Exp $ +# $Id: rules,v 1.6 2007-08-06 16:30:01 ianb Exp $ # Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess. # Uncomment this to turn on verbose mode. #export DH_VERBOSE=1 +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CONFIGUREARGS=--with-debug +else + CONFIGUREARGS= +endif + build: dh_testdir if [ ! -f MCONFIG ]; then \ - ./configure; \ + ./configure $(CONFIGUREARGS); \ sed -e 's/^CFLAGS=\(.*\)$$/CFLAGS= -Ddebian -D_GNU_SOURCE -g \1/' \ -e 's/^CXXFLAGS=\(.*\)$$/CXXFLAGS= -Ddebian -D_GNU_SOURCE -g \1/' \ MCONFIG > MCONFIG.new; \ 
@@ -21,27 +27,33 @@ dh_testdir dh_testroot - -$(MAKE) distclean + [ ! -f MCONFIG ] || $(MAKE) distclean + rm -f debian/telnetd-ssl.dirs debian/telnetd-ssl.postinst debian/telnetd-ssl.postrm debian/telnetd-ssl.prerm dh_clean install: build + cp debian/telnetd.dirs debian/telnetd-ssl.dirs + cp debian/telnetd.postinst debian/telnetd-ssl.postinst + cp debian/telnetd.postrm debian/telnetd-ssl.postrm + cp debian/telnetd.prerm debian/telnetd-ssl.prerm dh_testdir dh_testroot dh_clean -k dh_installdirs - $(MAKE) -C telnet INSTALLROOT=`pwd`/debian/tmp MANDIR=/usr/share/man \ + $(MAKE) -C telnet INSTALLROOT=$(CURDIR)/debian/telnet-ssl MANDIR=/usr/share/man \ install - mv debian/tmp/usr/bin/telnet debian/tmp/usr/bin/telnet.netkit - mv debian/tmp/usr/share/man/man1/telnet.1 \ - debian/tmp/usr/share/man/man1/telnet.netkit.1 - cp telnet/README debian/tmp/usr/share/doc/telnet/README.telnet - cp telnet/README.old debian/tmp/usr/share/doc/telnet/README.telnet.old - $(MAKE) -C telnetd INSTALLROOT=`pwd`/debian/telnetd \ +# mv debian/tmp/usr/bin/telnet debian/tmp/usr/bin/telnet.netkit +# mv debian/tmp/usr/share/man/man1/telnet.1 \ +# debian/tmp/usr/share/man/man1/telnet.netkit.1 + cp telnet/README debian/telnet-ssl/usr/share/doc/telnet-ssl/README.telnet + cp telnet/README.old debian/telnet-ssl/usr/share/doc/telnet-ssl/README.telnet.old + $(MAKE) -C telnetd INSTALLROOT=$(CURDIR)/debian/telnetd-ssl \ MANDIR=/usr/share/man install - cp telnetlogin/telnetlogin.8 debian/telnetd/usr/share/man/man8 - cp telnetlogin/telnetlogin debian/telnetd/usr/lib + cp telnetlogin/telnetlogin.8 debian/telnetd-ssl/usr/share/man/man8 + cp telnetlogin/telnetlogin debian/telnetd-ssl/usr/lib + cp debian/openssl.cnf debian/telnetd-ssl/etc/telnetd-ssl # Build architecture-independent files here. binary-indep: build install 
@@ -49,29 +61,22 @@ # Build architecture-dependent files here. binary-arch: build install -# dh_testversion dh_testdir dh_testroot dh_installdocs - dh_installexamples dh_installmenu -# dh_installemacsen -# dh_installinit - dh_installcron -# dh_installmanpages -# dh_undocumented dh_installchangelogs ChangeLog + dh_lintian dh_strip dh_compress dh_fixperms dh_installdeb dh_shlibdeps dh_gencontrol -# dh_makeshlibs dh_md5sums dh_builddeb -source diff: +source diff: @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false binary: binary-indep binary-arch --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/source/format +++ netkit-telnet-ssl-0.17.24+0.1/debian/source/format @@ -0,0 +1 @@ +1.0 --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/ssltelnet.preinst +++ netkit-telnet-ssl-0.17.24+0.1/debian/ssltelnet.preinst @@ -0,0 +1,14 @@ +#!/bin/sh -e + +dpkg-divert --package ssltelnet --remove --rename \ + --divert /usr/bin/telnet.nossl /usr/bin/telnet +dpkg-divert --package ssltelnet --remove --rename \ + --divert /usr/man/man1/telnet.nossl.1.gz /usr/man/man1/telnet.1.gz +dpkg-divert --package ssltelnet --remove --rename \ + --divert /usr/sbin/in.telnetd.nossl /usr/sbin/in.telnetd +dpkg-divert --package ssltelnet --remove --rename \ + --divert /usr/man/man8/telnetd.nossl.8.gz /usr/man/man8/telnetd.8.gz +dpkg-divert --package ssltelnet --remove --rename \ + --divert /usr/man/man8/in.telnetd.nossl.8.gz /usr/man/man8/in.telnetd.8.gz + +#DEBHELPER# --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/telnet-ssl.lintian-overrides +++ netkit-telnet-ssl-0.17.24+0.1/debian/telnet-ssl.lintian-overrides 
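Review bot: ssltelnet.preinst relies on `#!/bin/sh -e` for error handling, which is lost when the maintainer script is invoked as `sh ssltelnet.preinst`; the other new preinst files in this diff (debian/preinst, telnetd-ssl.preinst) use `#!/bin/sh` followed by `set -e`, and this one should match. It also omits the `--quiet` that those siblings pass to `dpkg-divert --remove`, so the otherwise parallel scripts differ in output. Change the first line to `#!/bin/sh` and add `set -e` as the first statement.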
@@ -0,0 +1,6 @@ +# netkit is long dead upstream +telnet-ssl: no-homepage-field +# dont is valid as part of telnet IAC DONT.. commands +telnet-ssl: spelling-error-in-binary usr/bin/telnet-ssl dont don't +telnet-ssl: spelling-error-in-manpage usr/share/man/man1/telnet-ssl.1.gz dont don't + --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/telnetd-ssl.lintian-overrides +++ netkit-telnet-ssl-0.17.24+0.1/debian/telnetd-ssl.lintian-overrides @@ -0,0 +1,5 @@ +# netkit is long dead upstream +telnetd-ssl: no-homepage-field +# dont is valid as part of telnet IAC DONT.. commands +telnetd-ssl: spelling-error-in-binary usr/sbin/in.telnetd dont don't + --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/telnetd-ssl.preinst +++ netkit-telnet-ssl-0.17.24+0.1/debian/telnetd-ssl.preinst @@ -0,0 +1,12 @@ +#!/bin/sh + +set -e + +dpkg-divert --quiet --package ssltelnet --remove --rename \ + --divert /usr/sbin/in.telnetd.nossl /usr/sbin/in.telnetd +dpkg-divert --quiet --package ssltelnet --remove --rename \ + --divert /usr/man/man8/telnetd.nossl.8.gz /usr/man/man8/telnetd.8.gz +dpkg-divert --quiet --package ssltelnet --remove --rename \ + --divert /usr/man/man8/in.telnetd.nossl.8.gz /usr/man/man8/in.telnetd.8.gz + +#DEBHELPER# --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/telnetd.dirs +++ netkit-telnet-ssl-0.17.24+0.1/debian/telnetd.dirs @@ -2,3 +2,4 @@ usr/share/man/man5 usr/share/man/man8 usr/sbin +/etc/telnetd-ssl --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/telnetd.postinst +++ netkit-telnet-ssl-0.17.24+0.1/debian/telnetd.postinst 
@@ -1,32 +1,63 @@ -#!/bin/sh -e -# $Id: telnetd.postinst,v 1.15 2003/10/24 12:52:18 herbert Exp $ +#!/bin/sh + +set -e update_inetd_entry() { - if [ $2 ]; then - update-inetd --remove "$rootent" - update-inetd --group STANDARD --add "$telnetdent" + if [ "$2" = "yes" ]; then + entry="$telnetdsslent" else - update-inetd --remove "$telnetdent" - update-inetd --group STANDARD --add "$rootent" + entry="$rootent" + fi + args="`grep '^##.*/usr/sbin/in.telnetd' /etc/inetd.conf|sed 's/.*\/usr\/sbin\/in.telnetd\(.*\)/\1/'`" + if [ -n "$args" ]; then + entry="$entry$args" fi + update-inetd --remove ".*telnet" + update-inetd --group STANDARD --add "$entry" } -if ! id -u telnetd >/dev/null 2>&1; then - if sg telnetd -c true 2>/dev/null; then - adduser --quiet --system --ingroup telnetd --home / telnetd - else - adduser --quiet --system --group --home / telnetd - fi + +if ! id -u telnetd-ssl >/dev/null 2>&1 ; then + # rename telnetd user to telnetd-ssl + if id -u telnetd >/dev/null 2>&1; then + home=~telnetd + set +e + userdel telnetd + err=$? 
+ set -e + case $err in + 0) + if [ "$home" = /usr/lib/telnetd ]; then + rmdir --ignore-fail-on-non-empty /usr/lib/telnetd || true + fi + ;; + 6) + ;; + *) + exit $err + ;; + esac + fi + if sg telnetd -c true >/dev/null 2>&1; then + groupdel telnetd + fi + if sg telnetd-ssl -c true >/dev/null 2>&1 ; then + adduser --quiet --no-create-home --disabled-password --system --ingroup telnetd-ssl --home /nonexistent telnetd-ssl + else + adduser --quiet --no-create-home --disabled-password --system --group --home /nonexistent telnetd-ssl + fi fi -adduser --quiet telnetd utmp + +adduser --quiet telnetd-ssl utmp if [ -z "$(dpkg-statoverride --list /usr/lib/telnetlogin)" ]; then - chown root:telnetd /usr/lib/telnetlogin + chown root:telnetd-ssl /usr/lib/telnetlogin chmod 4754 /usr/lib/telnetlogin fi rootent="telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd" -telnetdent="telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd" +#telnetdent="telnet stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd" +telnetdsslent="telnet stream tcp nowait telnetd-ssl /usr/sbin/tcpd /usr/sbin/in.telnetd" if egrep -q "^(devpts /dev/pts|devfs /dev) " /proc/mounts; then devpts=yes @@ -36,13 +67,20 @@ case "$1" in abort-upgrade | abort-deconfigure | abort-remove) - update-inetd --enable telnet + if test -x /usr/sbin/inetd ; then + update-inetd --enable telnet + fi ;; configure) - if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.17-13; then + if test -x /usr/sbin/update-inetd ; then + if [ -z "$2" ] || + dpkg --compare-versions "$2" lt 0.17.24+0.1-14 || + grep -q ' telnetd ' /etc/inetd.conf + then update_inetd_entry "$2" $devpts - else + else update-inetd --enable telnet + fi fi ;; *) 
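Review bot: `update-inetd --remove ".*telnet"` in update_inetd_entry is an unanchored regex that matches any inetd.conf line containing the word telnet, so unrelated entries whose service name, program path or comment happens to contain it are removed along with the telnet entry; the old code removed the exact `$rootent`/`$telnetdent` lines. Anchor the pattern to the service field, e.g. `update-inetd --remove "^#*\s*telnet\s"` (constructed; confirm against update-inetd's matching rules), or remove the two known entries explicitly. The preceding `grep '^##.*/usr/sbin/in.telnetd'` only recovers arguments from a commented-out entry, so an active entry with custom arguments loses them when it is re-added; a comment stating that this is intended would help. update_inetd_entry is fully inside the hunk, but its callers are in the next hunk.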
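Review bot: The abort-* branch tests `-x /usr/sbin/inetd` before calling `update-inetd --enable telnet`, while the configure branch tests `-x /usr/sbin/update-inetd`; under `set -e`, a system with an inetd but without update-inetd aborts the rollback, and one with update-inetd but an inetd installed elsewhere skips re-enabling the service. Use the same guard in both places, `if test -x /usr/sbin/update-inetd ; then`. The enclosing `case "$1"` starts outside the hunk.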
@@ -51,4 +89,35 @@ ;; esac +PATH=$PATH:/usr/bin/ssl +if [ -f /etc/ssl/certs/telnetd.pem ] +then + echo "Moving telnetd.pem to /etc/telnetd-ssl" + mv /etc/ssl/certs/telnetd.pem /etc/telnetd-ssl + # remove old cert hash - don't care if it fails + rm -f `openssl x509 -noout -hash < /etc/telnetd-ssl/telnetd.pem`.0 || true +elif [ -f /etc/telnetd-ssl/telnetd.pem ] +then + echo "You already have /etc/telnetd-ssl/telnetd.pem" +else + cd /etc/telnetd-ssl + HSTNAME=`hostname -s` + DOMAINNAME=`hostname -d` + openssl req -config /etc/telnetd-ssl/openssl.cnf -new -x509 -nodes -out telnetd.pem -keyout telnetd.pem > /dev/null 2>&1 <<+ +. +. +. +$DOMAINNAME +$HSTNAME telnetd +$HSTNAME.$DOMAINNAME +root@$HSTNAME.$DOMAINNAME ++ +# req -new -x509 -nodes -out telnetd.pem -keyout telnetd.pem +# ln -sf telnetd.pem `openssl x509 -noout -hash < telnetd.pem`.0 +# chmod 644 telnetd.pem +fi + +chown root:telnetd-ssl /etc/telnetd-ssl/telnetd.pem +chmod 0640 /etc/telnetd-ssl/telnetd.pem + #DEBHELPER# --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/telnetd.postrm +++ netkit-telnet-ssl-0.17.24+0.1/debian/telnetd.postrm @@ -1,19 +1,20 @@ #!/bin/sh -e -# $Id: telnetd.postrm,v 1.10 2002/09/22 04:51:49 herbert Exp $ +# $Id: telnetd.postrm,v 1.7 2006-06-16 18:43:11 ianb Exp $ case "$1" in abort-install | abort-upgrade | upgrade | failed-upgrade) ;; remove | disappear) + # telnetd user evidently once had a home, telnetd-ssl user never did. home=~telnetd set +e - userdel telnetd + userdel telnetd >/dev/null 2>&1 err=$? set -e case $err in 0) if [ "$home" = /usr/lib/telnetd ]; then - rmdir --ignore-fail-on-non-empty /usr/lib/telnetd + rmdir --ignore-fail-on-non-empty /usr/lib/telnetd || true fi ;; 6) @@ -24,7 +25,19 @@ esac set +e - groupdel telnetd + userdel telnetd-ssl >/dev/null 2>&1 + err=$? + set -e + case $err in + 0 | 6) + ;; + *) + exit $err + ;; + esac + + set +e + groupdel telnetd >/dev/null 2>&1 err=$? set -e case $err in 
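Review bot: The private key is written with the process umask and only afterwards restricted by `chmod 0640 /etc/telnetd-ssl/telnetd.pem`, so with a default umask of 022 the key inside telnetd.pem is world-readable between the `openssl req -new -x509 -nodes -out telnetd.pem -keyout telnetd.pem` call and the chmod; add `umask 077` before generation (in a subshell, or restore it afterwards), or pre-create the file with `install -m 0640 -o root -g telnetd-ssl /dev/null telnetd.pem`. In the migration branch, `rm -f \`openssl x509 -noout -hash < /etc/telnetd-ssl/telnetd.pem\`.0` runs in the script's current directory rather than in /etc/ssl/certs where the hash link lived, so the stale link to the moved certificate is left behind; use the absolute path `/etc/ssl/certs/$(...).0`. Key size and digest are not given on the command line and therefore come from the shipped openssl.cnf defaults (`default_bits = 1024`, `default_md = sha1` earlier in this diff); passing `-newkey rsa:2048 -sha256` here would make the generated certificate independent of those defaults. The `> /dev/null 2>&1` redirection also hides why generation failed when `set -e` aborts the postinst on it, so consider keeping stderr.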
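Review bot: The remove branch now deletes the telnetd-ssl user (`userdel telnetd-ssl >/dev/null 2>&1`) but, as far as the visible hunks show, only `groupdel telnetd` follows it; the telnetd-ssl group that telnetd.postinst creates with `adduser --group` is never removed explicitly, so unless userdel's own group cleanup happens to cover it, it is left behind after remove/purge. Add a matching `groupdel telnetd-ssl >/dev/null 2>&1` block with the same 0/6 exit handling after the telnetd one, as the script already does for the old group. The `case "$1"` this sits in starts outside the hunk.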
@@ -36,10 +49,14 @@ esac ;; purge) - # If netbase is not installed, then we don't need to do the remove. - if command -v update-inetd >/dev/null 2>&1; then - update-inetd --remove "telnet .* /usr/sbin/in.telnetd" + # If update-inetd is not installed, then we don't need to do the remove. + if test -x /usr/sbin/update-inetd; then + update-inetd --remove "## telnet" fi + cd /etc/telnetd-ssl + PATH=$PATH:/usr/bin/ssl +# rm -f `openssl x509 -noout -hash < telnetd.pem`.0 + rm -f telnetd.pem ;; *) echo "$0: incorrect arguments: $*" >&2 --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/telnetd.prerm +++ netkit-telnet-ssl-0.17.24+0.1/debian/telnetd.prerm @@ -1,6 +1,10 @@ -#!/bin/sh -e -# $Id: telnetd.prerm,v 1.3 2001/03/15 20:38:36 herbert Exp $ +#!/bin/sh + +set -e + +if test -x /usr/sbin/update-inetd ; then + update-inetd --disable telnet +fi -update-inetd --disable telnet #DEBHELPER# --- netkit-telnet-ssl-0.17.24+0.1.orig/debian/watch +++ netkit-telnet-ssl-0.17.24+0.1/debian/watch @@ -0,0 +1,2 @@ +# Nothing to watch - netkit upstream has been dead for years. +# and the SSL patch is unmaintained upstream too. --- netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h +++ netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth-proto.h @@ -68,7 +68,7 @@ #if defined(AUTHENTICATE) Authenticator *findauthenticator P((int, int)); -void auth_init P((char *, int)); +void auth_init P((const char *, int)); int auth_cmd P((int, char **)); void auth_request P((void)); void auth_send P((unsigned char *, int)); @@ -123,7 +123,9 @@ int auth_ssl_status P((Authenticator *, char *, int)); void auth_ssl_printsub P((unsigned char *, int, unsigned char *, int)); #endif /* USE_SSL */ - + +extern void printsub P((char, unsigned char *, int)); +extern int writenet P((char *, int)); #endif #ifdef __cplusplus } --- netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c +++ netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth.c 
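Review bot: `cd /etc/telnetd-ssl` in the purge branch runs under `#!/bin/sh -e`, so if the administrator has already removed that directory the purge aborts before `rm -f telnetd.pem` and the package is left half-purged; use the absolute path `rm -f /etc/telnetd-ssl/telnetd.pem` and drop the cd together with the now-unused `PATH=$PATH:/usr/bin/ssl`. Removing the file also leaves the directory in place; `rmdir --ignore-fail-on-non-empty /etc/telnetd-ssl 2>/dev/null || true` would clean it up. The enclosing `case "$1"` begins outside the hunk.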
@@ -37,6 +37,9 @@ */ #ifndef lint +#ifdef __GNUC__ +__attribute__ ((unused)) +#endif /* __GNUC__ */ static char sccsid[] = "@(#)auth.c 5.2 (Berkeley) 3/22/91"; #endif /* not lint */ @@ -83,8 +86,11 @@ #define typemask(x) (1<<((x)-1)) +int auth_onoff(const char *type, int on); + + int auth_debug_mode = 0; -static char *Name = "Noname"; +static const char *Name = "Noname"; static int Server = 0; static Authenticator *authenticated = 0; static int authenticating = 0; @@ -170,7 +176,7 @@ void auth_init(name, server) - char *name; + const char *name; int server; { Authenticator *ap = authenticators; @@ -241,7 +247,7 @@ int auth_onoff(type, on) - char *type; + const char *type; int on; { int i, mask = -1; @@ -335,7 +341,7 @@ } *e++ = IAC; *e++ = SE; - writenet(str_request, e - str_request); + writenet((char *) str_request, e - str_request); printsub('>', &str_request[2], e - str_request - 2); } } @@ -424,7 +430,7 @@ } auth_send_data += 2; } - writenet(str_none, sizeof(str_none)); + writenet((char *) str_none, sizeof(str_none)); printsub('>', &str_none[2], sizeof(str_none) - 2); if (auth_debug_mode) printf(">>>%s: Sent failure message\r\n", Name); @@ -456,7 +462,7 @@ return; } - if (ap = findauthenticator(data[0], data[1])) { + if ((ap = findauthenticator(data[0], data[1]))) { if (ap->is) (*ap->is)(ap, data+2, cnt-2); } else if (auth_debug_mode) @@ -474,7 +480,7 @@ if (cnt < 2) return; - if (ap = findauthenticator(data[0], data[1])) { + if ((ap = findauthenticator(data[0], data[1]))) { if (ap->reply) (*ap->reply)(ap, data+2, cnt-2); } else if (auth_debug_mode) @@ -487,7 +493,7 @@ unsigned char *data; int cnt; { - Authenticator *ap; + /* Authenticator *ap; */ unsigned char savename[256]; if (cnt < 1) { @@ -505,7 +511,7 @@ savename[cnt] = '\0'; /* Null terminate */ if (auth_debug_mode) printf(">>>%s: Got NAME [%s]\r\n", Name, savename); - auth_encrypt_user(savename); + auth_encrypt_user((char *)savename); } int 
@@ -526,7 +532,7 @@ } *e++ = IAC; *e++ = SE; - writenet(str_request, e - str_request); + writenet((char *) str_request, e - str_request); printsub('>', &str_request[2], e - &str_request[2]); return(1); } @@ -542,6 +548,9 @@ } /* ARGSUSED */ +#ifdef __GNUC__ +__attribute__ ((used)) +#endif /* __GNUC__ */ static void auth_intr(sig) int sig; --- netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h +++ netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc-proto.h @@ -68,7 +68,7 @@ extern "C" { #endif -void auth_encrypt_init P((char *, char *, char *, int)); +void auth_encrypt_init P((char *, char *, const char *, int)); void auth_encrypt_connect P((int)); void auth_encrypt_user P((const char *name)); void printd P((unsigned char *, int)); --- netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c +++ netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc.c @@ -32,6 +32,9 @@ */ #ifndef lint +#ifdef __GNUC__ +__attribute__ ((unused)) +#endif /* __GNUC__ */ static char sccsid[] = "@(#)misc.c 5.1 (Berkeley) 2/28/91"; #endif /* not lint */ @@ -54,7 +57,12 @@ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ +#include +#include + #include "misc.h" +#include "auth.h" +#include "auth-proto.h" char *RemoteHostName; char *LocalHostName; @@ -65,7 +73,7 @@ auth_encrypt_init(local, remote, name, server) char *local; char *remote; - char *name; + const char *name; int server; { RemoteHostName = remote; --- netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c +++ netkit-telnet-ssl-0.17.24+0.1/libtelnet/ssl.c @@ -47,6 +47,9 @@ #include #endif +#include +#include + #include "auth.h" #include "misc.h" @@ -91,11 +94,12 @@ #define VERIFY_ROOT_OK VERIFY_OK #endif +extern int netflush(void); + extern int auth_debug_mode; -static auth_ssl_valid = 0; +static int auth_ssl_valid = 0; static char *auth_ssl_name = 0; /* this holds the oneline name */ -extern BIO *bio_err; extern int ssl_only_flag; extern int ssl_debug_flag; extern int ssl_active_flag; 
@@ -120,6 +124,9 @@ BIO *bio_err=NULL; +int auth_failed=0; + + /* compile this set to 1 to negotiate SSL but not actually start it */ static int ssl_dummy_flag=0; @@ -135,37 +142,41 @@ * telnet connect if we are talking straight ssl with no telnet * protocol --tjh */ -int +void display_connect_details(ssl_con,verbose) SSL *ssl_con; int verbose; { X509 *peer; - char *cipher_list; + char *p; if (ssl_active_flag && verbose) { #ifdef SSLEAY8 - char *p; - char buf[1024]; int i; - +#endif /* SSLEAY8 */ + fprintf(stderr,"[SSL cipher="); +#ifdef SSLEAY8 /* grab the full list of ciphers */ i=0; - buf[0]='\0'; - while((p=SSL_get_cipher_list(ssl_con,i++))!=NULL) { - if (i>0) - strcat(buf,":"); - strcat(buf,p); + while((p=(char *)SSL_get_cipher_list(ssl_con,i++))!=NULL) { + if (i>1) { + fprintf(stderr,":"); + } + fprintf(stderr, "%s", p); + } + if(i==1) { + fprintf(stderr, ""); } - cipher_list=buf; #else /* !SSLEAY8 */ - cipher_list=SSL_get_cipher(ssl_con); + p=SSL_get_cipher(ssl_con); + if(p) { + fprintf(stderr, "%s", p); + } else { + /* the cipher list *can* be NULL ... useless but it happens! */ + fprintf(stderr, ""); + } #endif /* !SSLEAY8 */ - - /* the cipher list *can* be NULL ... useless but it happens! */ - if (cipher_list==NULL) - cipher_list=""; - fprintf(stderr,"[SSL cipher=%s]\r\n",cipher_list); + fprintf(stderr,"]\r\n"); peer=SSL_get_peer_certificate(ssl_con); if (peer != NULL) { char *str; @@ -230,7 +241,7 @@ *p++ = SE; if (str_data[3] == TELQUAL_IS) printsub('>', &str_data[2], p - (&str_data[2])); - return(writenet(str_data, p - str_data)); + return(writenet((char *) str_data, p - str_data)); } int auth_ssl_init(ap, server) @@ -280,7 +291,7 @@ unsigned char *data; int cnt; { - int valid; + /* int valid; */ if (cnt-- < 1) return; @@ -364,7 +375,7 @@ unsigned char *data; int cnt; { - int i; + /* int i; */ int status; if (cnt-- < 1) 
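Review bot: `fprintf(stderr, "")` in display_connect_details is a no-op in both the `if(i==1)` block and the `else` of the non-SSLEAY8 branch, so those lines can be dropped without changing output; the comment about the cipher list possibly being NULL still documents the case. The cast `(char *)SSL_get_cipher_list(ssl_con,i++)` discards the const of the returned string; declaring `const char *p;` removes the need for it on both branches. The rest of the function (peer certificate display) continues outside the hunk.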
@@ -389,16 +400,13 @@ SSL_set_verify(ssl_con,ssl_verify_flag, client_verify_callback); if ((status = SSL_connect(ssl_con)) <= 0) { - fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status); - fflush(stderr); - - perror("telnet: Unable to ssl_connect to remote host"); + auth_finished(0,AUTH_REJECT); + fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status); + fprintf(stderr,"telnet: Unable to ssl_connect to remote host\n"); ERR_print_errors(bio_err); - - /* don't know what I "should" be doing here ... */ - - auth_finished(0,AUTH_REJECT); + fflush(stderr); + auth_failed=1; return; } else { @@ -452,7 +460,7 @@ */ if (ssl_certsok_flag) { user_fp = fopen("/etc/ssl.users", "r"); - if (!auth_ssl_name || !user_fp) { + if (!auth_ssl_name || !user_fp || !UserNameRequested) { /* If we haven't received a certificate, then don't * return AUTH_VALID. */ @@ -486,7 +494,7 @@ cp = strchr(n, ','); if (cp) *cp++ = '\0'; - if (!UserNameRequested || + if (UserNameRequested && !strcmp(UserNameRequested, n)) { strcpy(name, n); fclose(user_fp); @@ -543,7 +551,7 @@ default: sprintf(lbuf, " %d (unknown)", data[3]); strncpy((char *)buf, lbuf, buflen); - common2: +/* common2: */ BUMP(buf, buflen); for (i = 4; i < cnt; i++) { sprintf(lbuf, " %d", data[i]); @@ -568,7 +576,7 @@ #endif /* SSLEAY8 */ { static char *saved_subject=NULL; - X509 *peer; + /* X509 *peer; */ char *subject, *issuer; #ifdef SSLEAY8 int depth,error; @@ -715,8 +723,8 @@ int depth, error; #endif /* SSLEAY8 */ { - X509 *peer; - char *subject, *issuer; + /* X509 *peer; */ + char *subject, *issuer, *cnsubj; #ifdef SSLEAY8 int depth,error; char *xs; 
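Review bot: In the `ssl_certsok_flag` block the added `!UserNameRequested` condition is evaluated after `fopen("/etc/ssl.users", "r")` has already succeeded, so unless the early-return path (outside the hunk) closes `user_fp`, every certificate-authenticated session without a requested user name leaks a FILE handle; test `auth_ssl_name` and `UserNameRequested` before the fopen, or fclose in that branch. With that check in place the later `if (UserNameRequested && !strcmp(UserNameRequested, n))` can no longer see a NULL `UserNameRequested`, so the first operand is redundant and a comment such as `/* UserNameRequested is non-NULL: checked before the file was opened */` would make that explicit. The `strcpy(name, n)` on the match path copies a line of /etc/ssl.users into `name` without a length bound; the size of `name` is not visible here, so replacing it with an `snprintf` bounded by that size is worth confirming.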
@@ -727,13 +735,13 @@ #endif /* SSLEAY8 */ -#ifdef LOCAL_DEBUG - fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n", - depth,ok,error,X509_cert_verify_error_string(error)); - fflush(stderr); -#endif /* LOCAL_DEBUG */ + if(ssl_debug_flag && !ok) { + fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n", + depth,ok,error,X509_verify_cert_error_string(error)); + fflush(stderr); + } - subject=issuer=NULL; + subject=issuer=cnsubj=NULL; /* first thing is to have a meaningful name for the current * certificate that is being verified ... and if we cannot 
@@ -761,60 +769,77 @@ fflush(stderr); } - /* if the server is using a self signed certificate then - * we need to decide if that is good enough for us to - * accept ... - */ - if (error==VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) { - if (ssl_cert_required) { - /* make 100% sure that in secure more we drop the - * connection if the server does not have a - * real certificate! - */ - fprintf(stderr,"SSL: rejecting connection - server has a self-signed certificate\n"); - fflush(stderr); - - /* sometimes it is really handy to be able to debug things - * and still get a connection! - */ - if (ssl_debug_flag) { - fprintf(stderr,"SSL: debug -> ignoring cert required!\n"); - fflush(stderr); - ok=1; - } else { - ok=0; - } - goto return_time; - } else { - ok=1; - goto return_time; - } + /* verify commonName matches hostname */ + if(ssl_cert_required && depth == 0) { + char *cn,*p; + + cnsubj=strdup(subject); + if(cnsubj == NULL) { + fprintf(stderr,"SSL: Out of memory.\n"); + ok=0; + goto return_time; + } + cn=strstr(cnsubj,"/CN="); + if(cn == NULL) { + fprintf(stderr,"SSL: Cannot extract CN from certificate subject.\n"); + ok=0; + goto return_time; + } + cn+=4; /* skip /CN= */ + p=strchr(cn,'/'); + if(p != NULL) { + *p='\0'; + } + if(strcasecmp(cn,RemoteHostName) != 0) { + fprintf(stderr,"SSL: Certificate CN (%s) does not match hostname (%s)\n", + cn,RemoteHostName); + ok=0; + goto return_time; + } } - /* if we have any form of error in secure mode we reject the connection */ - if (! ((error==VERIFY_OK)||(error==VERIFY_ROOT_OK)) ) { - if (ssl_cert_required) { - fprintf(stderr,"SSL: rejecting connection - "); - if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) { - fprintf(stderr,"unknown issuer: %s\n",issuer); - } else { - ERR_print_errors(bio_err); - } - fflush(stderr); - ok=0; - goto return_time; - } else { - /* be nice and display a lot more meaningful stuff - * so that we know which issuer is unknown no matter - * what the callers options are ... 
- */ - if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) { - fprintf(stderr,"SSL: unknown issuer: %s\n",issuer); - fflush(stderr); - } - } + if((error==VERIFY_OK) || (error==VERIFY_ROOT_OK)) { + goto return_time; } + switch(error) { + case VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + fprintf(stderr,"SSL: Server has a self-signed certificate\n"); + case VERIFY_ERR_UNABLE_TO_GET_ISSUER: + fprintf(stderr,"SSL: unknown issuer: %s\n",issuer); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + fprintf(stderr,"SSL: Certificate not yet valid\n"); + BIO_printf(bio_err,"notBefore="); + ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); + BIO_printf(bio_err,"\n"); + break; + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + fprintf(stderr,"SSL: Error in certificate notBefore field\n"); + BIO_printf(bio_err,"notBefore="); + ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); + BIO_printf(bio_err,"\n"); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + fprintf(stderr,"SSL: Certificate has expired\n"); + BIO_printf(bio_err,"notAfter="); + ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); + BIO_printf(bio_err,"\n"); + break; + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + fprintf(stderr,"SSL: Error in certificate notAfter field\n"); + BIO_printf(bio_err,"notAfter="); + ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); + BIO_printf(bio_err,"\n"); + break; + default: + fprintf(stderr,"SSL: %s (%d)\n", X509_verify_cert_error_string(error),error); + break; + } + + /* If we are here there was an error */ + ok=0; + return_time: ; /* clean up things */ 
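Review bot: The hostname check in client_verify_callback extracts the CN with `strstr(cnsubj,"/CN=")` on the one-line subject string, so a `/CN=` sequence embedded in another attribute value (an O or OU containing that text) is picked up instead of the real CN, and `strchr(cn,'/')` truncates a CN that itself contains a slash; reading the attribute from the name object avoids both, e.g. `X509_NAME_get_text_by_NID(X509_get_subject_name(ctx->current_cert), NID_commonName, cn, sizeof cn)` into a fixed buffer, treating a negative return as "no CN". The comparison is an exact `strcasecmp` against `RemoteHostName`, so certificates that carry the host only in subjectAltName, or that use a wildcard CN, are rejected; a comment stating that SAN and wildcards are intentionally unsupported would set expectations. In `switch(error)`, the `VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` case falls into `VERIFY_ERR_UNABLE_TO_GET_ISSUER` without a `break`; if printing the issuer for a self-signed certificate is intended, mark it with `/* fallthrough */`. The function's prologue and its `return_time` cleanup lie outside this hunk.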
@@ -822,7 +847,20 @@ free(subject); if (issuer!=NULL) free(issuer); - + if (cnsubj!=NULL) + free(cnsubj); + if(!ok && ssl_cert_required) { + if(ssl_debug_flag) { + fprintf(stderr,"SSL: debug -> ignoring cert required!\n"); + ok=1; + } + else { + fprintf(stderr,"SSL: Rejecting connection\n"); + ok=0; + } + } + fflush(stderr); + return ok; } --- netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h +++ netkit-telnet-ssl-0.17.24+0.1/libtelnet/sslapp.h @@ -45,6 +45,7 @@ #include "x509.h" #include "ssl.h" #define OLDPROTO NOPROTO +#undef NOPROTO #define NOPROTO #include "err.h" #undef NOPROTO @@ -72,7 +73,7 @@ /* we hide all the initialisation code in a separate file now */ extern int do_ssleay_init(int server); -extern int display_connect_details(SSL *ssl_con, int verbose); +extern void display_connect_details(SSL *ssl_con, int verbose); extern int server_verify_callback(); extern int client_verify_callback(); --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile +++ netkit-telnet-ssl-0.17.24+0.1/telnet/Makefile 
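Review bot: The `ssl_debug_flag` override at return_time sets `ok=1` for every failure when `ssl_cert_required` is set, so it now also cancels the CN-mismatch rejection introduced in the previous hunk; enabling debugging turns off every certificate check the option is meant to enforce, with only a stderr line to show for it. Consider excluding the hostname result from the override, or gating the bypass on a separately named option rather than the debug flag, and state in the comment above it that debug mode accepts any certificate. The block that sets `ok` and the `return ok` are inside the hunk; the start of client_verify_callback is not.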
@@ -3,26 +3,31 @@ include ../MCONFIG include ../MRULES +# ignore imported LIBS value, drags in too much +LIBS= + #CXXFLAGS:=$(patsubst -O2, -g, $(CXXFLAGS)) # -DAUTHENTICATE -CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE -LIBS = $(LIBTERMCAP) +CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE -DAUTHENTICATE -DUSE_SSL \ + -I/usr/include/openssl -I../ +LIBTELNET = ../libtelnet/libtelnet.a +LIBS += $(LIBTERMCAP) $(LIBTELNET) -lssl -lcrypto SRCS = commands.cc main.cc network.cc ring.cc sys_bsd.cc telnet.cc \ - terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc + terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc \ + glue.cc glue2.cc OBJS = $(patsubst %.cc, %.o, $(SRCS)) - -telnet: $(OBJS) - $(CXX) $(LDFLAGS) $^ $(LIBS) -o $@ +telnet: $(OBJS) $(LIBTELNET) + $(CXX) -static-libgcc $(LDFLAGS) $^ $(LIBS) -o $@ include depend.mk depend: $(CXX) $(CXXFLAGS) -MM $(SRCS) >depend.mk install: telnet - install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl + install -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1/telnet-ssl.1 clean: --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/authenc.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/authenc.cc @@ -35,7 +35,7 @@ * From: @(#)authenc.c 5.1 (Berkeley) 3/1/91 */ char au_rcsid[] = - "$Id: authenc.cc,v 1.6 2000/07/23 03:24:53 dholland Exp $"; + "$Id: authenc.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #if defined(ENCRYPT) || defined(AUTHENTICATE) #include --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/commands.cc @@ -35,7 +35,7 @@ * From: @(#)commands.c 5.5 (Berkeley) 3/22/91 */ char cmd_rcsid[] = - "$Id: commands.cc,v 1.34 2000/07/23 04:16:24 dholland Exp $"; + "$Id: commands.cc,v 1.13 2007-10-04 21:38:18 ianb Exp $"; #include 
@@ -653,6 +653,21 @@ return 1; } +#ifdef AUTHENTICATE + +static int tog_autologin(int) { + if(autologin == 0) { + autologin=1; + env_export("USER"); + } + else { + autologin=0; + env_unexport("USER"); + } + return 1; +} + +#endif /* AUTHENTICATE */ static int netdata; /* Print out network data flow */ static int prettydump; /* Print "netdata" output in user readable format */ @@ -682,13 +697,13 @@ #if defined(AUTHENTICATE) { "autologin", "automatic sending of login and/or authentication info", - NULL, &autologin, + tog_autologin, NULL, "send login name and/or authentication information" }, { "authdebug", "Toggle authentication debugging", auth_togdebug, NULL, "print authentication debugging information" }, #endif -#if 0 +#ifdef ENCRYPT { "autoencrypt", "automatic encryption of data stream", EncryptAutoEnc, NULL, "automatically encrypt output" }, @@ -701,7 +716,7 @@ { "encdebug", "Toggle encryption debugging", EncryptDebug, NULL, "print encryption debugging information" }, -#endif +#endif /* ENCRYPT */ { "skiprc", "don't read the telnetrc files", NULL, &skiprc, @@ -750,7 +765,7 @@ NULL, &showoptions, "show option processing" }, - { "termdata", "(debugging) toggle printing of hexadecimal terminal data", + { "termdata", "toggle printing of hexadecimal terminal data (debugging)", NULL, &termdata, "print hexadecimal representation of terminal traffic" }, @@ -1357,9 +1372,9 @@ else shellname++; if (argc > 1) - execl(shellp, shellname, "-c", &saveline[1], 0); + execl(shellp, shellname, "-c", &saveline[1], (char *) NULL); else - execl(shellp, shellname, 0); + execl(shellp, shellname, (char *) NULL); perror("Execl"); _exit(1); } @@ -1510,10 +1525,10 @@ #if defined(AUTHENTICATE) struct authlist { - char *name; - char *help; - int (*handler)(const char *, const char *); - int narg; + const char *name; + const char *help; + int (*handler)(const char *, const char *); + int narg; }; static int auth_help (const char *, const char *); 
@@ -1833,8 +1848,22 @@ if (*portp == '-') { portp++; telnetport = 1; - } else + } else { telnetport = 0; + if (*portp >='0' && *portp<='9') { + char *end; + long int p; + + p=strtol(portp, &end, 10); + if (ERANGE==errno && (LONG_MIN==p || LONG_MAX==p)) { + fprintf(stderr, "telnet: port %s overflows\n", portp); + return 0; + } else if (p<=0 || p>=65536) { + fprintf(stderr, "telnet: port %s out of range\n", portp); + return 0; + } + } + } } else { portp = "telnet"; @@ -1860,7 +1889,7 @@ if (res < 0) return 0; } - + /* Resolve both the host and service simultaneously. */ res = getaddrinfo(resolv_hostp, portp, &hints, &hostaddr); if (res == EAI_NONAME) { @@ -1902,6 +1931,16 @@ NI_NUMERICHOST | NI_NUMERICSERV); printf("Trying %s...\n", name); + + if (tmpaddr->ai_canonname == 0) { + hostname = new char[strlen(hostp)+1]; + strcpy(hostname, hostp); + } + else { + hostname = new char[strlen(tmpaddr->ai_canonname)+1]; + strcpy(hostname, tmpaddr->ai_canonname); + } + x = nlink.connect(debug, tmpaddr, srp, srlen, tos); if (!x) goto err; @@ -1909,18 +1948,18 @@ goto nextaddr; connected++; + +#ifdef USE_SSL + if (ssl_secure_flag || (strcmp(hostp, "localhost") != 0)) { + /* autologin = 1; */ + use_authentication=1; + } +#endif /* USE_SSL */ + #if defined(AUTHENTICATE) auth_encrypt_connect(connected); #endif } while (connected == 0); - if (tmpaddr->ai_canonname == 0) { - hostname = new char[strlen(hostp)+1]; - strcpy(hostname, hostp); - } - else { - hostname = new char[strlen(tmpaddr->ai_canonname)+1]; - strcpy(hostname, tmpaddr->ai_canonname); - } cmdrc(hostp, hostname, portp); freeaddrinfo(hostaddr); @@ -1966,6 +2005,9 @@ #if defined(AUTHENTICATE) authhelp[] = "turn on (off) authentication ('auth ?' for more)", #endif +#if defined(USE_SSL) + startsslhelp[] = "switch to telnet-over-ssl (use 'auth' for ssl-over-telnet)", +#endif zhelp[] = "suspend telnet", /* shellhelp[] = "invoke a subshell", */ envhelp[] = "change environment variables ('environ ?' for more)", 
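Review bot: In the new `else` branch at the top of the hunk, `errno` is not cleared before `strtol`, so a stale ERANGE from any earlier library call makes the "overflows" branch fire spuriously, and `end` is written but never examined, so a port such as `23x` passes the check and the untouched `portp` string is later handed to getaddrinfo with the trailing text. Set `errno = 0;` before the call and reject trailing input: `if (errno == ERANGE || *end != '\0') { fprintf(stderr, "telnet: port %s invalid\n", portp); return 0; }` — the LONG_MIN/LONG_MAX comparison is then unnecessary. The `p<=0 || p>=65536` range test itself is correct. The enclosing function continues past the end of the hunk.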
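Review bot: Moving the `hostname = new char[...]` allocation ahead of `nlink.connect` puts it inside the `do { ... } while (connected == 0)` retry loop, so every address that fails and takes the `goto nextaddr` path leaks the previous buffer. Since the global must be set before connect (the netlink.cc hunk says the verify callback needs it), release the old one first: `delete[] hostname;` immediately before each `new`, which is safe because `delete[]` on a null pointer is a no-op and a zero-initialised global starts null. If `hostname` is freed on that path somewhere outside this hunk the point is moot, but nothing visible does it.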
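Review bot: The new `use_authentication=1` condition keys on the literal string `"localhost"`, so `telnet 127.0.0.1` or `telnet ::1` negotiates SSL/authentication while `telnet localhost` silently gets a cleartext session unless `-z secure` was given, and a `localhost` entry in /etc/hosts that points elsewhere would be treated the same way. If the intent is "loopback is trusted", compare the resolved `tmpaddr->ai_addr` against the loopback range rather than the name; at minimum put `/* bare "localhost" skips SSL/auth unless -z secure; numeric loopback does not */` above the test so the telnet.1 wording in this diff and the code agree. The commented-out `/* autologin = 1; */` should be deleted rather than left as dead code.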
@@ -1981,6 +2023,34 @@ return 0; } +#if defined(USE_SSL) +static int startssl_cmd(void) +{ + if(ssl_con == NULL) + { + fprintf(stderr,"telnet: Internal error - ssl_con not initialised.\n"); + return 1; + } + + if(ssl_active_flag) + { + fprintf(stderr,"telnet: SSL already in use.\n"); + return 1; + } + + if (SSL_connect(ssl_con) < 1) + { + ERR_print_errors_fp(stderr); + fflush(stderr); + } else { + display_connect_details(ssl_con,ssl_debug_flag); + ssl_active_flag=1; + ssl_only_flag=1; + } + return 1; +} +#endif /* USE_SSL */ + static int slc_mode_import_0(void) { slc_mode_import(0); return 1; @@ -2028,6 +2098,10 @@ #endif // BIND("encrypt", encrypthelp, encrypt_cmd); +#if defined(USE_SSL) + BIND("startssl", startsslhelp, startssl_cmd); +#endif + BIND("z", zhelp, suspend); #if defined(TN3270) /* why?! */ @@ -2233,22 +2307,18 @@ } void cmdrc(const char *m1, const char *m2, const char *port) { - static char *rcname = 0; - static char rcbuf[128]; + char *rcname = NULL; if (skiprc) return; readrc(m1, m2, port, "/etc/telnetrc"); - if (rcname == 0) { - rcname = getenv("HOME"); - if (rcname) - strcpy(rcbuf, rcname); - else - rcbuf[0] = '\0'; - strcat(rcbuf, "/.telnetrc"); - rcname = rcbuf; - } + if (asprintf (&rcname, "%s/.telnetrc", getenv ("HOME")) == -1) + { + perror ("asprintf"); + return; + } readrc(m1, m2, port, rcname); + free (rcname); } #if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP) --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/defines.h +++ netkit-telnet-ssl-0.17.24+0.1/telnet/defines.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)defines.h 5.1 (Berkeley) 9/14/90 - * $Id: defines.h,v 1.5 1996/08/04 23:44:43 dholland Exp $ + * $Id: defines.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ #define ENV_VAR NEW_ENV_VAR --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h +++ netkit-telnet-ssl-0.17.24+0.1/telnet/externs.h 
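Review bot: When `SSL_connect` fails in `startssl_cmd`, the function prints the OpenSSL error queue and returns with `ssl_active_flag` still 0, so the session silently carries on in cleartext over the same connection, and a later `startssl` reuses an `SSL` object whose handshake has already failed. After a failed handshake the connection should be torn down, or at the very least the user told: `fprintf(stderr, "telnet: SSL handshake failed; connection is NOT encrypted\n");` in the failure branch before returning. A one-line comment on `ssl_only_flag=1` in the success path would also help, since the name reads like a command-line option rather than "keep using the SSL path from now on".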
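Review bot: `asprintf(&rcname, "%s/.telnetrc", getenv("HOME"))` passes a null pointer to `%s` when HOME is unset, which is undefined behaviour (glibc prints `(null)`, so the client would then try to read `(null)/.telnetrc`), whereas the code it replaces checked the `getenv` result. Fetch it first and skip the per-user file when absent: `const char *home = getenv("HOME"); if (!home) return;` ahead of the `asprintf` (the old fallback of reading `/.telnetrc` from the root directory was hardly intended). Replacing the fixed 128-byte `rcbuf` with `asprintf` is itself a good fix, since the old `strcpy`/`strcat` pair overflowed on a long HOME value.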
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)externs.h 5.3 (Berkeley) 3/22/91 - * $Id: externs.h,v 1.20 1999/08/19 09:34:15 dholland Exp $ + * $Id: externs.h,v 1.2 2004-11-17 15:28:51 ianb Exp $ */ #ifndef BSD @@ -57,6 +57,7 @@ #define SUBBUFSIZE 256 extern int autologin; /* Autologin enabled */ +extern int use_authentication; /* use SSL authentication */ extern int skiprc; /* Don't process the ~/.telnetrc file */ extern int eight; /* use eight bit mode (binary in and/or out) */ extern int binary; /* use binary option (in and/or out) */ --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/fdset.h +++ netkit-telnet-ssl-0.17.24+0.1/telnet/fdset.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)fdset.h 5.1 (Berkeley) 9/14/90 - * $Id: fdset.h,v 1.1 1996/07/16 05:17:22 dholland Exp $ + * $Id: fdset.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ /* --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/general.h +++ netkit-telnet-ssl-0.17.24+0.1/telnet/general.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)general.h 5.2 (Berkeley) 3/1/91 - * $Id: general.h,v 1.1 1996/07/16 05:17:22 dholland Exp $ + * $Id: general.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ /* --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/genget.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/genget.cc @@ -35,7 +35,7 @@ * From: @(#)genget.c 5.1 (Berkeley) 2/28/91 */ char gg_rcsid[] = - "$Id: genget.cc,v 1.3 1996/07/26 09:54:09 dholland Exp $"; + "$Id: genget.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/glue.cc @@ -11,8 +11,9 @@ printsub_h(direction, pointer, length); } -extern "C" void writenet(const char *str, int len) { +extern "C" int writenet(const char *str, int len) { netoring.write(str, len); + return 1; } extern "C" int telnet_spin() { --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/main.cc @@ -39,7 +39,7 @@ * 
From: @(#)main.c 5.4 (Berkeley) 3/22/91 */ char main_rcsid[] = - "$Id: main.cc,v 1.14 1999/08/01 05:06:37 dholland Exp $"; + "$Id: main.cc,v 1.6 2004-11-22 20:26:37 ianb Exp $"; #include "../version.h" @@ -86,16 +86,27 @@ * -X disable specified auth type */ void usage(void) { - fprintf(stderr, "Usage: %s %s%s%s%s\n", + fprintf(stderr, "Usage: %s %s%s%s%s%s\n", prompt, +#ifdef AUTHENTICATE + "[-4] [-6] [-8] [-E] [-K] [-L] [-X atype] [-a] [-d] [-e char]", + "\n\t[-l user] [-n tracefile] [ -b addr ]", +#else "[-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user]", "\n\t[-n tracefile] [ -b addr ]", +#endif #ifdef TN3270 "\n\t" "[-noasynch] [-noasynctty] [-noasyncnet] [-r] [-t transcom]\n\t", #else " [-r] ", #endif +#ifdef USE_SSL + /* might as well output something useful here ... */ + "\n\t[-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t[-z cert=file] [-z key=file]\n\t", +#else /* !USE_SSL */ + "", +#endif /* USE_SSL */ "[host-name [port]]" ); exit(1); 
@@ -135,8 +146,73 @@ autologin = -1; while ((ch = getopt(argc, argv, - "4678EKLS:X:ab:de:k:l:n:rt:x")) != EOF) { + "4678EKLS:X:ab:de:k:l:n:rt:xz:")) != EOF) { switch(ch) { +#ifdef USE_SSL + case 'z': + { + char *origopt; + + origopt=strdup(optarg); + optarg=strtok(origopt,","); + + while(optarg!=NULL) { + + if (strcmp(optarg, "debug") == 0 ) { + ssl_debug_flag=1; + } else if (strcmp(optarg, "authdebug") == 0 ) { + auth_debug_mode=1; + } else if (strcmp(optarg, "ssl") == 0 ) { + ssl_only_flag=1; + } else if ( (strcmp(optarg, "!ssl") == 0) || + (strcmp(optarg, "nossl") == 0) ) { + /* we may want to switch SSL negotiation off + * for testing or other reasons + */ + ssl_disabled_flag=1; + } else if (strcmp(optarg, "certrequired") == 0 ) { + ssl_cert_required=1; + } else if (strcmp(optarg, "secure") == 0 ) { + ssl_secure_flag=1; + } else if (strcmp(optarg, "verbose") == 0 ) { + ssl_verbose_flag=1; + } else if (strncmp(optarg, "verify=", + strlen("verify=")) == 0 ) { + ssl_verify_flag=atoi(optarg+strlen("verify=")); + } else if (strncmp(optarg, "cert=", + strlen("cert=")) == 0 ) { + ssl_cert_file= optarg + strlen("cert="); + } else if (strncmp(optarg, "key=", + strlen("key=")) == 0 ) { + ssl_key_file= optarg + strlen("key="); + } else if (strncmp(optarg,"cipher=", + strlen("cipher="))==0) { + ssl_cipher_list=optarg+strlen("cipher="); + } else { + /* report when we are given rubbish so that + * if the user makes a mistake they have to + * correct it! + */ + fprintf(stderr,"Unknown SSL option %s\n",optarg); + fflush(stderr); + exit(1); + } + + /* get the next one ... */ + optarg=strtok(NULL,","); + + } + + /* + if (origopt!=NULL) + free(origopt); + */ + + } + + break; +#endif /* USE_SSL */ + case '4': family = AF_INET; break; 
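Review bot: `ssl_verify_flag=atoi(optarg+strlen("verify="))` turns any non-numeric value, such as the typo `verify=peer`, into 0, which is `SSL_VERIFY_NONE`, so a user trying to tighten verification silently gets none; the "Unknown SSL option" branch rejects rubbish everywhere else, but not here. Parse with `strtol` and check the end pointer: `char *e; ssl_verify_flag = strtol(optarg+strlen("verify="), &e, 0); if (*e) { fprintf(stderr, "Bad verify value %s\n", optarg); exit(1); }`. `strdup(optarg)` is also unchecked, and because `ssl_cert_file`, `ssl_key_file` and `ssl_cipher_list` point into that buffer the commented-out `free(origopt)` must stay out — say so with `/* origopt is deliberately not freed: the cert/key/cipher pointers alias it */` so nobody re-enables it.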
@@ -257,14 +333,25 @@ autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1; #ifdef USE_SSL + if((ssl_cert_file != NULL) || (ssl_key_file != NULL)) { + autologin = 1; + } + if (ssl_secure_flag||ssl_cert_required) { /* in secure mode we *must* switch on the base level * verify checking otherwise we cannot abort connections * at the right place! */ if (ssl_verify_flag == 0) - ssl_verify_flag = 1; + ssl_verify_flag = SSL_VERIFY_PEER;; } + + /* client mode ignores SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + so simulate it using certrequired */ + if(ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { + ssl_cert_required=1; + } + #endif /* USE_SSL */ argc -= optind; @@ -289,11 +376,6 @@ *argp++ = family == AF_INET ? "-4" : "-6"; } *argp++ = argv[0]; /* host */ -#ifdef USE_SSL - if (strcmp(argv[0], "localhost") != 0) { - autologin = 1; - } -#endif /* USE_SSL */ if (argc > 1) *argp++ = argv[1]; /* port */ *argp = 0; --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/netlink.cc @@ -12,12 +12,27 @@ #include "proto.h" #include "ring.h" #include +#include /* In Linux, this is an enum */ #if defined(__linux__) || defined(IPPROTO_IP) #define HAS_IPPROTO_IP #endif +/* code from Peter 'Luna' Runestig */ +static int select_read(int rfd) +/* timeout = 20 seconds */ +{ + fd_set rfds; + struct timeval tv; + + FD_ZERO(&rfds); + FD_SET(rfd, &rfds); + tv.tv_sec = 20; + tv.tv_usec = 0; + return select(rfd + 1, &rfds, NULL, NULL, &tv); +} + netlink nlink; class netchannel : public ringbuf::source { 
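Review bot: With none of `-z secure`, `-z certrequired` or `-z verify=` given, `ssl_verify_flag` keeps its initial value, which is presumably 0 (`SSL_VERIFY_NONE`) where it is defined outside this hunk, so the default opportunistic mode never verifies the server certificate; that may be an acceptable default for a drop-in telnet replacement, but it should be stated, e.g. `/* default: opportunistic SSL with no peer verification; -z secure/certrequired/verify= turn it on */` above the `if`. The `= SSL_VERIFY_PEER;;` line has a stray second semicolon. The `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` to `ssl_cert_required` mapping is a reasonable workaround and its comment explains it well.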
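Review bot: `select_read` returns the raw `select` result, so a signal arriving during the 20-second wait (`EINTR`; a window-size change would do it if the client handles SIGWINCH, which is not visible here) yields -1 and the caller's retry loop gives up as though the peer had failed. Retry on `EINTR`: `do { r = select(rfd + 1, &rfds, NULL, NULL, &tv); } while (r < 0 && errno == EINTR);`, re-initialising `rfds` each pass and bearing in mind that Linux updates `tv` in place. The 20 should be a named constant, and `FD_SET` with `rfd >= FD_SETSIZE` is undefined, although a telnet client's socket descriptor will realistically be small.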
@@ -26,12 +41,23 @@ int net = nlink.getfd(); int l; #ifdef USE_SSL - if (ssl_active_flag) - l = SSL_read(ssl_con, buf, maxlen); - else + if (ssl_active_flag) { + do { + l = SSL_read(ssl_con, buf, maxlen); + /* + * SSL_ERROR_WANT_READ may occur if an SSL/TLS rehandshake occurs. + * This means that data was available at the socket, but all was + * consumed by SSL itself, so we select (w/20s timeout) and retry. + */ + } while (l<0 && + (SSL_ERROR_WANT_READ == SSL_get_error(ssl_con, l)) && + (select_read(net) > 0)); + } else #endif /* USE_SSL */ - l = recv(net, buf, maxlen, 0); - if (l<0 && errno == EWOULDBLOCK) l = 0; + { + l = recv(net, buf, maxlen, 0); + if (l<0 && errno == EWOULDBLOCK) l = 0; + } return l; } }; @@ -70,11 +96,11 @@ netlink::netlink() { net = -1; } -netlink::~netlink() { ::close(net); } +netlink::~netlink() { if (net >= 0) ::close(net); } int netlink::setdebug(int debug) { - if (net > 0 && + if (net >= 0 && (setsockopt(net, SOL_SOCKET, SO_DEBUG, &debug, sizeof(debug))) < 0) { perror("setsockopt (SO_DEBUG)"); } @@ -95,7 +121,8 @@ ssl_active_flag=0; } #endif /* USE_SSL */ - ::close(net); + if (net >= 0) + ::close(net); net = -1; } @@ -142,7 +169,8 @@ { int on=1; int res; - + extern char *hostname; + res = socket(addr->ai_family); if (res < 2) return res; 
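Review bot: When the retry loop in `netchannel::read` stops because `select_read` timed out or failed, `l` is still the negative `SSL_read` result and is returned as a hard error, whereas the plain-socket branch maps a would-block condition to 0; an SSL rehandshake that takes longer than 20 s therefore tears down an otherwise healthy session. Mirror the non-SSL branch after the loop: `if (l < 0 && SSL_get_error(ssl_con, l) == SSL_ERROR_WANT_READ) l = 0;`, remembering that `SSL_get_error` must be called before any other OpenSSL call. `SSL_ERROR_WANT_WRITE`, which a renegotiation can also produce, is not handled at all, and an `SSL_read` of 0 is passed up as EOF whether it was a clean `SSL_ERROR_ZERO_RETURN` or a truncated `SSL_ERROR_SYSCALL`.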
@@ -192,10 +220,24 @@ /* bind in the network descriptor */ SSL_set_fd(ssl_con,net); +#if defined(AUTHENTICATE) + /* moved from telnet() so client_verify_callback knows RemoteHostName -ianb */ + { + static char local_host[256] = { 0 }; + int len = sizeof(local_host); + + if (!local_host[0]) { + gethostname(local_host, len); /* WAS &len!!! */ + local_host[sizeof(local_host)-1] = 0; + } + auth_encrypt_init(local_host, hostname, "TELNET", 0); + } +#endif + /* if we are doing raw SSL then start it now ... */ if (ssl_only_flag) { if (!SSL_connect(ssl_con)) { - static char errbuf[1024]; + /* static char errbuf[1024]; */ ERR_print_errors_fp(stderr); perror("SSL_connect"); --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/network.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/network.cc @@ -35,7 +35,7 @@ * From: @(#)network.c 5.2 (Berkeley) 3/1/91 */ char net_rcsid[] = - "$Id: network.cc,v 1.15 1996/08/13 08:09:58 dholland Exp $"; + "$Id: network.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/proto.h +++ netkit-telnet-ssl-0.17.24+0.1/telnet/proto.h @@ -10,9 +10,11 @@ int TerminalSpecialChars(int); void TerminalSpeeds(long *ispeed, long *ospeed); int TerminalWindowSize(long *rows, long *cols); +#if 0 void auth_encrypt_user(char *); void auth_name(unsigned char *, int); void auth_printsub(unsigned char *, int, unsigned char *, int); +#endif void cmdrc(const char *, const char *, const char *); void env_init(void); int getconnmode(void); --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/ring.cc @@ -35,7 +35,7 @@ * From: @(#)ring.c 5.2 (Berkeley) 3/1/91 */ char ring_rcsid[] = - "$Id: ring.cc,v 1.23 2000/07/23 03:25:09 dholland Exp $"; + "$Id: ring.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; /* * This defines a structure for a ring buffer. --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.h +++ netkit-telnet-ssl-0.17.24+0.1/telnet/ring.h 
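Review bot: The raw-SSL branch surrounding the new `auth_encrypt_init` block still tests `if (!SSL_connect(ssl_con))`, which only catches a return of 0; `SSL_connect` returns -1 for a fatal handshake error, including a failed peer-certificate check, so with `-z ssl` such a failure is treated as success and the session proceeds, unless the verify callback (not visible here) terminates the process itself. `startssl_cmd` elsewhere in this diff already uses `< 1`; this site should match: `if (SSL_connect(ssl_con) < 1) {`. In the added block `gethostname` is unchecked, so on failure `auth_encrypt_init` receives an empty local host name, which is worth a comment, and the commented-out `static char errbuf[1024];` should simply be deleted.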
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)ring.h 5.2 (Berkeley) 3/1/91 - * $Id: ring.h,v 1.13 1996/08/13 08:43:28 dholland Exp $ + * $Id: ring.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ class datasink { --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/sys_bsd.cc @@ -35,7 +35,7 @@ * From: @(#)sys_bsd.c 5.2 (Berkeley) 3/1/91 */ char bsd_rcsid[] = - "$Id: sys_bsd.cc,v 1.24 1999/09/28 16:29:24 dholland Exp $"; + "$Id: sys_bsd.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; /* * The following routines try to encapsulate what is system dependent --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1 +++ netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.1 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)telnet.1 6.16 (Berkeley) 7/27/91 -.\" $Id: telnet.1,v 1.15 2000/07/30 23:57:08 dholland Exp $ +.\" $Id: telnet.1,v 1.5 2006-09-24 00:48:31 ianb Exp $ .\" .Dd August 15, 1999 .Dt TELNET 1 @@ -42,12 +42,14 @@ protocol .Sh SYNOPSIS .Nm telnet -.Op Fl 468ELadr +.Op Fl 468EKLadr .Op Fl S Ar tos +.Op Fl X Ar authtype .Op Fl b Ar address .Op Fl e Ar escapechar .Op Fl l Ar user .Op Fl n Ar tracefile +.Op Fl z Ar option .Oo .Ar host .Op Ar port 
@@ -152,44 +154,47 @@ command below. .It Fl z Ar option Set SSL (Secure Socket Layer) parameters. The default is to negotiate -via telnet protocoll if SSL is availlable at server side and then to +via telnet protocol if SSL is available at server side and then to switch it on. In this mode you can connect to both conventional and -SSL enhanced telnetd's. +SSL enhanced telnetd's. If the connection is made to localhost and +.Ic -z secure +is not set, then +SSL is not enabled. .Pp The SSL parameters are: .Bl -tag -width Fl -.It Ic Ar debug +.It Ic debug Send SSL related debugging information to stderr. -.It Ic Ar authdebug +.It Ic authdebug Enable authentication debugging. -.It Ic Ar ssl +.It Ic ssl Negotiate SSL at first, then use telnet protocol. In this mode you can connect to any server supporting directly SSL like Apache-SSL. Use .Ic telnet -z ssl ssl3.netscape.com https for example. telnet protocol negotiation goes encrypted. -.It Ic Ar nossl, Ar !ssl -switch of SSL negotiation -.It Ic Ar certrequired -client certificate is mandatory -.It Ic Ar secure +.It Ic nossl, Ic !ssl +switch off SSL negotiation +.It Ic certrequired +server certificate is mandatory +.It Ic secure Don't switch back to unencrypted mode (no SSL) if SSL is not available. -.It Ic Ar verbose +.It Ic verbose Be verbose about certificates etc. -.It Ic Ar verify=int +.It Ic verify= Ns Ar int .\" TODO Set the SSL verify flags (SSL_VERIFY_* in .Ar ssl/ssl.h ). .\" TODO -.It Ic Ar cert=cert_file +.It Ic cert= Ns Ar cert_file .\" TODO Use the certificate(s) in .Ar cert_file . -.It Ic Ar key=key_file +.It Ic key= Ns Ar key_file .\" TODO Use the key(s) in .Ar key_file . -.It Ic Ar cipher=ciph_list +.It Ic cipher= Ns Ar ciph_list .\" TODO Set the preferred ciphers to .Ar ciph_list . 
@@ -319,10 +324,6 @@ List the current status of the various types of authentication. .El -.Pp -Note that the current version of -.Nm telnet -does not support authentication. .It Ic close Close the connection to the remote host, if any, and return to command mode. 
@@ -332,49 +333,49 @@ and .Ic toggle values (see below). -.It Ic encrypt Ar argument ... -The encrypt command controls the -.Dv TELNET ENCRYPT -protocol option. If -.Nm telnet -was compiled without encryption, the -.Ic encrypt -command will not be supported. -.Pp -Valid arguments are as follows: -.Bl -tag -width Ar -.It Ic disable Ar type Ic [input|output] -Disable the specified type of encryption. If you do not specify input -or output, encryption of both is disabled. To obtain a list of -available types, use ``encrypt disable \&?''. -.It Ic enable Ar type Ic [input|output] -Enable the specified type of encryption. If you do not specify input -or output, encryption of both is enabled. To obtain a list of -available types, use ``encrypt enable \&?''. -.It Ic input -This is the same as ``encrypt start input''. -.It Ic -input -This is the same as ``encrypt stop input''. -.It Ic output -This is the same as ``encrypt start output''. -.It Ic -output -This is the same as ``encrypt stop output''. -.It Ic start Ic [input|output] -Attempt to begin encrypting. If you do not specify input or output, -encryption of both input and output is started. -.It Ic status -Display the current status of the encryption module. -.It Ic stop Ic [input|output] -Stop encrypting. If you do not specify input or output, encryption of -both is stopped. -.It Ic type Ar type -Sets the default type of encryption to be used with later ``encrypt start'' -or ``encrypt stop'' commands. -.El -.Pp -Note that the current version of -.Nm telnet -does not support encryption. +.\" .It Ic encrypt Ar argument ... +.\" The encrypt command controls the +.\" .Dv TELNET ENCRYPT +.\" protocol option. If +.\" .Nm telnet +.\" was compiled without encryption, the +.\" .Ic encrypt +.\" command will not be supported. +.\" .Pp +.\" Valid arguments are as follows: +.\" .Bl -tag -width Ar +.\" .It Ic disable Ar type Ic [input|output] +.\" Disable the specified type of encryption. 
If you do not specify input +.\" or output, encryption of both is disabled. To obtain a list of +.\" available types, use ``encrypt disable \&?''. +.\" .It Ic enable Ar type Ic [input|output] +.\" Enable the specified type of encryption. If you do not specify input +.\" or output, encryption of both is enabled. To obtain a list of +.\" available types, use ``encrypt enable \&?''. +.\" .It Ic input +.\" This is the same as ``encrypt start input''. +.\" .It Ic -input +.\" This is the same as ``encrypt stop input''. +.\" .It Ic output +.\" This is the same as ``encrypt start output''. +.\" .It Ic -output +.\" This is the same as ``encrypt stop output''. +.\" .It Ic start Ic [input|output] +.\" Attempt to begin encrypting. If you do not specify input or output, +.\" encryption of both input and output is started. +.\" .It Ic status +.\" Display the current status of the encryption module. +.\" .It Ic stop Ic [input|output] +.\" Stop encrypting. If you do not specify input or output, encryption of +.\" both is stopped. +.\" .It Ic type Ar type +.\" Sets the default type of encryption to be used with later ``encrypt start'' +.\" or ``encrypt stop'' commands. +.\" .El +.\" .Pp +.\" Note that the current version of +.\" .Nm telnet +.\" does not support encryption. .It Ic environ Ar arguments... The .Ic environ @@ -1017,6 +1018,16 @@ .Ic slc command. .El +.It Ic startssl +Attempt to negotiate telnet-over-SSL (as with the +.Ic -z ssl +option). This is useful when connecting to non-telnetds such +as imapd (with the +.Ic STARTTLS +command). To control SSL when connecting to a SSL-enabled +telnetd, use the +.Ic auth +command instead. .It Ic status Show the current status of .Nm telnet . 
@@ -1079,17 +1090,17 @@ .Dv FALSE (see .Xr stty 1 ) . -.It Ic autodecrypt -When the -.Dv TELNET ENCRYPT -option is negotiated, by -default the actual encryption (decryption) of the data -stream does not start automatically. The autoencrypt -(autodecrypt) command states that encryption of the -output (input) stream should be enabled as soon as -possible. -.Pp -Note that this flag exists only if encryption support is enabled. +.\" .It Ic autodecrypt +.\" When the +.\" .Dv TELNET ENCRYPT +.\" option is negotiated, by +.\" default the actual encryption (decryption) of the data +.\" stream does not start automatically. The autoencrypt +.\" (autodecrypt) command states that encryption of the +.\" output (input) stream should be enabled as soon as +.\" possible. +.\" .Pp +.\" Note that this flag exists only if encryption support is enabled. .It Ic autologin If the remote side supports the .Dv TELNET AUTHENTICATION @@ -1174,9 +1185,9 @@ .Ic super user ) . The initial value for this toggle is .Dv FALSE . -.It Ic encdebug -Turns on debugging information for the encryption code. -Note that this flag only exists if encryption support is available. +.\" .It Ic encdebug +.\" Turns on debugging information for the encryption code. +.\" Note that this flag only exists if encryption support is available. .It Ic localchars If this is .Dv TRUE , @@ -1221,8 +1232,9 @@ is sent as .Ic abort , and -.Ic eof and -.B suspend +.Ic eof +and +.Ic suspend are sent as .Ic eof and .Ic susp , 
@@ -1263,16 +1275,16 @@ Toggles the display of all terminal data (in hexadecimal format). The initial value for this toggle is .Dv FALSE . -.It Ic verbose_encrypt -When the -.Ic verbose_encrypt -toggle is -.Dv TRUE , -.Tn TELNET -prints out a message each time encryption is enabled or -disabled. The initial value for this toggle is -.Dv FALSE. -This flag only exists if encryption support is available. +.\" .It Ic verbose_encrypt +.\" When the +.\" .Ic verbose_encrypt +.\" toggle is +.\" .Dv TRUE , +.\" .Tn TELNET +.\" prints out a message each time encryption is enabled or +.\" disabled. The initial value for this toggle is +.\" .Dv FALSE. +.\" This flag only exists if encryption support is available. .It Ic \&? Displays the legal .Ic toggle --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc @@ -47,7 +47,7 @@ * From: @(#)telnet.c 5.53 (Berkeley) 3/22/91 */ char telnet_rcsid[] = -"$Id: telnet.cc,v 1.36 2000/07/23 03:24:53 dholland Exp $"; +"$Id: telnet.cc,v 1.8 2005-04-14 15:26:27 ianb Exp $"; #include #include @@ -107,6 +107,7 @@ eight = 3, binary = 0, autologin = 0, /* Autologin anyone? */ + use_authentication = 0, skiprc = 0, connected, showoptions, @@ -495,7 +496,8 @@ break; #if defined(AUTHENTICATE) case TELOPT_AUTHENTICATION: - if (autologin) + /* if (autologin) */ + if (use_authentication) new_state_ok = 1; break; #endif @@ -722,6 +724,7 @@ */ static void suboption(void) { + extern int auth_failed; printsub('<', subbuffer, SB_LEN()+2); switch (SB_GET()) { case TELOPT_TTYPE: @@ -845,7 +848,8 @@ #if defined(AUTHENTICATE) case TELOPT_AUTHENTICATION: { - if (!autologin) + /* if (!autologin) */ + if (!use_authentication) break; if (SB_EOF()) return; @@ -864,6 +868,10 @@ if (my_want_state_is_wont(TELOPT_AUTHENTICATION)) return; auth_reply(subpointer, SB_LEN()); + if(auth_failed) { + /* auth rejected, quit */ + quit(); + } break; case TELQUAL_NAME: if (my_want_state_is_dont(TELOPT_AUTHENTICATION)) 
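Review bot: The old condition is left behind as `/* if (autologin) */` above the new `if (use_authentication)` in the TELOPT_AUTHENTICATION case here, and again in two later hunks; commented-out code should be removed, and if the reason for the switch matters it should be stated instead, e.g. `/* AUTHENTICATION is driven by use_authentication (SSL), not by the autologin toggle */`. That comment would also explain to the next reader why `toggle autologin` no longer affects this option.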
@@ -1140,6 +1148,7 @@ unsigned char slc_reply[128]; +unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)]; unsigned char *slc_replyp; void slc_start_reply(void) { @@ -1151,6 +1160,14 @@ } void slc_add_reply(int func, int flags, int value) { + /* A sequence of up to 6 bytes my be written for this member of the SLC + * suboption list by this function. The end of negotiation command, + * which is written by slc_end_reply(), will require 2 additional + * bytes. Do not proceed unless there is sufficient space for these + * items. + */ + if (&slc_replyp[6+2] > slc_reply_eom) + return; if ((*slc_replyp++ = func) == IAC) *slc_replyp++ = IAC; if ((*slc_replyp++ = flags) == IAC) @@ -1819,25 +1836,19 @@ */ void telnet(const char *user) { sys_telnet_init(); - -#if defined(AUTHENTICATE) - { - static char local_host[256] = { 0 }; - int len = sizeof(local_host); - - if (!local_host[0]) { - gethostname(local_host, len); /* WAS &len!!! */ - local_host[sizeof(local_host)-1] = 0; - } - auth_encrypt_init(local_host, hostname, "TELNET", 0); - auth_encrypt_user(user); - } + +#ifdef AUTHENTICATE + auth_encrypt_user(user); #endif - + #if !defined(TN3270) if (telnetport) { + + send_will(TELOPT_ENVIRON, 1); + #if defined(AUTHENTICATE) - if (autologin) + /* if (autologin) */ + if (use_authentication) send_will(TELOPT_AUTHENTICATION, 1); #endif send_do(TELOPT_SGA, 1); @@ -1846,7 +1857,6 @@ send_will(TELOPT_TSPEED, 1); send_will(TELOPT_LFLOW, 1); send_will(TELOPT_LINEMODE, 1); - send_will(TELOPT_ENVIRON, 1); send_do(TELOPT_STATUS, 1); if (env_getvalue("DISPLAY", 0)) send_will(TELOPT_XDISPLOC, 1); --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/terminal.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/terminal.cc @@ -35,7 +35,7 @@ * 
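Review bot: The guard `if (&slc_replyp[6+2] > slc_reply_eom) return;` forms a pointer up to seven bytes beyond the end of `slc_reply` before comparing it, which is undefined for anything past one-past-the-end; express it as a length test instead: `if (slc_reply_eom - slc_replyp < 6 + 2) return;`. Silently dropping the SLC entry is the safe choice for this overflow, but a debugging message when a peer sends an oversized SLC list would make the truncation diagnosable. `slc_start_reply` is outside this hunk, so I cannot confirm `slc_replyp` is always reset before the first call.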
From: @(#)terminal.c 5.3 (Berkeley) 3/22/91 */ char terminal_rcsid[] = - "$Id: terminal.cc,v 1.25 1999/12/12 19:48:05 dholland Exp $"; + "$Id: terminal.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/tn3270.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/tn3270.cc @@ -35,7 +35,7 @@ * From: @(#)tn3270.c 5.2 (Berkeley) 3/1/91 */ char tn3270_rcsid[] = - "$Id: tn3270.cc,v 1.9 1996/08/13 09:08:34 dholland Exp $"; + "$Id: tn3270.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/types.h +++ netkit-telnet-ssl-0.17.24+0.1/telnet/types.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)types.h 5.1 (Berkeley) 9/14/90 - * $Id: types.h,v 1.2 1996/07/27 00:45:54 dholland Exp $ + * $Id: types.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ typedef struct { --- netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc +++ netkit-telnet-ssl-0.17.24+0.1/telnet/utilities.cc @@ -35,7 +35,7 @@ * From: @(#)utilities.c 5.3 (Berkeley) 3/22/91 */ char util_rcsid[] = - "$Id: utilities.cc,v 1.19 1999/12/12 15:33:40 dholland Exp $"; + "$Id: utilities.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #define TELOPTS #define TELCMDS --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/Makefile @@ -9,9 +9,11 @@ # take out -DPARANOID_TTYS. CFLAGS += '-DISSUE_FILE="/etc/issue.net"' -DPARANOID_TTYS \ - -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS \ - -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\" -# LIBS += $(LIBTERMCAP) + -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS -DAUTHENTICATE \ + -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\" \ + -DUSE_SSL -I/usr/include/openssl -I.. +LIBTELNET = ../libtelnet/libtelnet.a +LIBS += $(LIBTELNET) -lssl -lcrypto OBJS = telnetd.o state.o termstat.o slc.o sys_term.o utility.o \ global.o setproctitle.o 
@@ -28,7 +30,7 @@ telnetd.o: ../version.h install: telnetd - install -s -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd + install -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/ install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd.8 ln -sf in.telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd.8 --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/authenc.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/authenc.c @@ -23,7 +23,7 @@ * From: @(#)authenc.c 5.1 (Berkeley) 3/1/91 */ char authenc_rcsid[] = - "$Id: authenc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $"; + "$Id: authenc.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #if defined(ENCRYPT) || defined(AUTHENTICATE) #include "telnetd.h" --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/defs.h +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/defs.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)defs.h 5.10 (Berkeley) 3/1/91 - * $Id: defs.h,v 1.7 1999/08/02 03:14:03 dholland Exp $ + * $Id: defs.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ /* --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/ext.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)ext.h 5.7 (Berkeley) 3/1/91 - * $Id: ext.h,v 1.9 1999/12/12 14:59:44 dholland Exp $ + * $Id: ext.h,v 1.2 2004-11-21 12:53:12 ianb Exp $ */ /* @@ -113,7 +113,7 @@ void interrupt(void); void localstat(void); void netclear(void); -void netflush(void); +int netflush(void); size_t netbuflen(int); void sendurg(const char *, size_t); @@ -183,7 +183,8 @@ void tty_tspeed(int); void willoption(int); void wontoption(int); -#define writenet(b, l) fwrite(b, 1, l, netfile) +int writenet(char *, int); +/*#define writenet(b, l) fwrite(b, 1, l, netfile)*/ void netopen(void); #if defined(ENCRYPT) --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/getent.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/getent.c @@ -35,7 +35,7 @@ * 
From: @(#)getent.c 5.1 (Berkeley) 2/28/91 */ char ge_rcsid[] = - "$Id: getent.c,v 1.3 1996/08/15 06:23:28 dholland Exp $"; + "$Id: getent.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; /* * Copyright (c) 1991 Regents of the University of California. --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/global.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/global.c @@ -35,7 +35,7 @@ * From: @(#)global.c 5.2 (Berkeley) 6/1/90 */ char global_rcsid[] = - "$Id: global.c,v 1.4 1999/12/12 14:59:44 dholland Exp $"; + "$Id: global.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; /* * Allocate global variables. --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/issue.net.5 +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/issue.net.5 @@ -15,26 +15,26 @@ .Pa /etc/issue.net is a text file which contains a message or system identification to be printed before the login prompt of a telnet session. It may contain -various `%-char' sequences. The following sequences are supported by +various `%\&\-char' sequences. The following sequences are supported by .Ic telnetd : .Bl -tag -offset indent -compact -width "abcde" -.It %t +.It %\&t - show the current tty -.It %h +.It %\&h - show the system node name (FQDN) -.It %D +.It %\&D - show the name of the NIS domain -.It %d +.It %\&d - show the current time and date -.It %s +.It %\&s - show the name of the operating system -.It %m +.It %\&m - show the machine (hardware) type -.It %r +.It %\&r - show the operating system release -.It %v +.It %\&v - show the operating system version -.It %% +.It %\&% - display a single '%' character .El .Sh FILES --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/pathnames.h +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/pathnames.h 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)pathnames.h 5.5 (Berkeley) 6/28/90 - * $Id: pathnames.h,v 1.3 1996/08/29 22:31:24 dholland Exp $ + * $Id: pathnames.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ #include --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.3 +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.3 @@ -1,5 +1,5 @@ .\" OpenBSD: setproctitle.3,v 1.4 1996/10/08 01:20:08 michaels Exp -.\" $Id: setproctitle.3,v 1.13 2000/07/30 23:57:09 dholland Exp $ +.\" $Id: setproctitle.3,v 1.1 2004-10-14 13:19:53 ianb Exp $ .\" .\" Copyright (c) 1994, 1995 Christopher G. Demetriou .\" All rights reserved. --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.c @@ -39,7 +39,7 @@ * From: @(#)conf.c 8.243 (Berkeley) 11/20/95 */ char setproctitle_rcsid[] = - "$Id: setproctitle.c,v 1.3 1999/12/10 23:06:39 bryce Exp $"; + "$Id: setproctitle.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/slc.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/slc.c @@ -35,7 +35,7 @@ * From: @(#)slc.c 5.7 (Berkeley) 3/1/91 */ char slc_rcsid[] = - "$Id: slc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $"; + "$Id: slc.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include "telnetd.h" --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/state.c @@ -35,11 +35,12 @@ * From: @(#)state.c 5.10 (Berkeley) 3/22/91 */ char state_rcsid[] = - "$Id: state.c,v 1.12 1999/12/12 19:41:44 dholland Exp $"; + "$Id: state.c,v 1.5 2005-07-07 21:53:00 ianb Exp $"; #include "telnetd.h" #if defined(AUTHENTICATE) #include +extern char *UserNameRequested; #endif int not42 = 1; @@ -1161,7 +1162,7 @@ case TELOPT_ENVIRON: { register int c; - register char *cp, *varp, *valp; + register unsigned char *cp, *varp, *valp; if (SB_EOF()) return; 
@@ -1177,25 +1178,41 @@ if (SB_EOF()) return; - cp = varp = (char *)subpointer; + cp = varp = (unsigned char *)subpointer; valp = 0; while (!SB_EOF()) { switch (c = SB_GET()) { case ENV_VALUE: *cp = '\0'; - cp = valp = (char *)subpointer; + cp = valp = (unsigned char *)subpointer; break; case ENV_VAR: *cp = '\0'; - if (envvarok(varp)) { - if (valp) - (void)setenv(varp, valp, 1); - else - unsetenv(varp); + if (envvarok((char *)varp)) { + if (valp) { + (void)setenv((char *)varp, (char *)valp, 1); +#ifdef AUTHENTICATE + if (strcmp((char *)varp,"USER") == 0) { + if (UserNameRequested) + free(UserNameRequested); + UserNameRequested=strdup((char *)valp); + } +#endif /* AUTHENTICATE */ + } + else { + unsetenv((char *)varp); +#ifdef AUTHENTICATE + if (strcmp((char *)varp,"USER") == 0) { + if (UserNameRequested) + free(UserNameRequested); + UserNameRequested=NULL; + } +#endif /* AUTHENTICATE */ + } } - cp = varp = (char *)subpointer; + cp = varp = (unsigned char *)subpointer; valp = 0; break; @@ -1211,11 +1228,27 @@ } } *cp = '\0'; - if (envvarok(varp)) { - if (valp) - (void)setenv(varp, valp, 1); - else - unsetenv(varp); + if (envvarok((char *)varp)) { + if (valp) { + (void)setenv((char *)varp, (char *)valp, 1); +#ifdef AUTHENTICATE + if (strcmp((char *)varp,"USER") == 0) { + if (UserNameRequested) + free(UserNameRequested); + UserNameRequested=strdup((char *)valp); + } +#endif /* AUTHENTICATE */ + } + else { + unsetenv((char *)varp); +#ifdef AUTHENTICATE + if (strcmp((char *)varp,"USER") == 0) { + if (UserNameRequested) + free(UserNameRequested); + UserNameRequested=NULL; + } +#endif /* AUTHENTICATE */ + } } break; } /* end of case TELOPT_ENVIRON */ 
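Review bot: The `#ifdef AUTHENTICATE` bookkeeping for USER is pasted four times across this hunk and the following `@@ -1211` hunk, and the `strdup((char *)valp)` result is never checked, so on allocation failure `UserNameRequested` silently becomes NULL after the old value was already freed. Factor the repeated block into one static helper used by both call sites, and give it a comment stating that the value is whatever the still-unauthenticated client put in its ENVIRON USER variable, so it may only propose a name that the later authentication step (password or certificate mapping) has to confirm. `free(NULL)` is a no-op, so the `if (UserNameRequested)` guards can go. The enclosing function starts and ends outside the hunk.
```c
#ifdef AUTHENTICATE
/*
 * Remember the client-supplied USER variable as the requested login name.
 * It arrives over the unauthenticated ENVIRON suboption and only proposes
 * a name; the authentication step must still confirm it.  On strdup
 * failure the name is left unset rather than pointing at freed memory.
 */
static void
track_user_env(const char *var, const char *val)
{
	if (strcmp(var, "USER") != 0)
		return;
	free(UserNameRequested);
	UserNameRequested = val ? strdup(val) : NULL;
}
#endif /* AUTHENTICATE */

/* … unchanged: ENV_VAR case up to the envvarok() test … */
				if (valp)
					(void)setenv((char *)varp, (char *)valp, 1);
				else
					unsetenv((char *)varp);
#ifdef AUTHENTICATE
				track_user_env((char *)varp, (char *)valp);
#endif /* AUTHENTICATE */
```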
@@ -1367,7 +1400,7 @@ ADD(IAC); ADD(SE); - writenet(statusbuf, ncp - statusbuf); + writenet((char *)statusbuf, ncp - statusbuf); netflush(); /* Send it on its way */ DIAG(TD_OPTIONS, {printsub('>', statusbuf, ncp - statusbuf); netflush();}); --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/sys_term.c @@ -35,7 +35,7 @@ * From: @(#)sys_term.c 5.16 (Berkeley) 3/22/91 */ char st_rcsid[] = - "$Id: sys_term.c,v 1.17 1999/12/17 14:28:47 dholland Exp $"; + "$Id: sys_term.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8 +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)telnetd.8 6.8 (Berkeley) 4/20/91 -.\" $Id: telnetd.8,v 1.18 2000/07/30 23:57:10 dholland Exp $ +.\" $Id: telnetd.8,v 1.5 2006-09-24 00:48:31 ianb Exp $ .\" .Dd December 29, 1996 .Dt TELNETD 8 @@ -42,7 +42,7 @@ protocol server .Sh SYNOPSIS .Nm /usr/sbin/in.telnetd -.Op Fl hns +.Op Fl hnNs .Op Fl a Ar authmode .Op Fl D Ar debugmode .Op Fl L Ar loginprg @@ -50,6 +50,7 @@ .Op Fl X Ar authtype .Op Fl edebug .Op Fl debug Ar port +.Op Fl z Ar sslopt .Sh DESCRIPTION The .Nm telnetd @@ -175,6 +176,9 @@ if the client is still there, so that idle connections from machines that have crashed or can no longer be reached may be cleaned up. +.It Fl N +Disable reverse DNS lookups and use the numeric IP address in logs +and REMOTEHOST environment variable. .It Fl s This option is only enabled if .Nm telnetd 
@@ -219,12 +223,16 @@ only accepts connections from SSL enhanced telnet with option .Ic -z ssl .It Ic nossl, !ssl -switch of SSL negotiation +switch off SSL negotiation .It Ic certsok Look username up in /etc/ssl.users. The format of this file is lines of this form: .Ar user1,user2:/C=US/..... -where user1 and user2 are usernames. If client certificate is valid, +where user1 and user2 are usernames and /C=US/... is the subject name of +the certificate. Use +.Ar openssl x509 -subject -noout +to extract the subject name. +If client certificate is valid, authenticate without password. .It Ic certrequired client certificate is mandatory @@ -307,7 +315,7 @@ .Ed .Pp The pseudo-terminal allocated to the client is configured -to operate in \*(lqcooked\*(rq mode, and with +to operate in \(lqcooked\(rq mode, and with .Dv XTABS .Dv CRMOD enabled (see @@ -451,7 +459,6 @@ is compiled with support for data encryption, and indicates a willingness to decrypt the data stream. -.Xr issue.net 5 ) . .El .Sh FILES .Pa /etc/services , --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c @@ -39,7 +39,7 @@ * From: @(#)telnetd.c 5.48 (Berkeley) 3/1/91 */ char telnetd_rcsid[] = - "$Id: telnetd.c,v 1.24 2000/04/12 21:36:12 dholland Exp $"; + "$Id: telnetd.c,v 1.7 2006-06-16 13:29:00 ianb Exp $"; #include "../version.h" @@ -90,6 +90,7 @@ int debug = 0; int keepalive = 1; +int numeric_hosts = 0; #ifdef LOGIN_WRAPPER char *loginprg = LOGIN_WRAPPER; #else 
@@ -222,13 +223,12 @@ * certificate that we will be running with as we cannot * be sure of the cwd when we are launched */ - sprintf(cert_filepath,"%s/%s",X509_get_default_cert_dir(), - "telnetd.pem"); + strcpy(cert_filepath, "/etc/telnetd-ssl/telnetd.pem"); ssl_cert_file=cert_filepath; ssl_key_file=NULL; #endif /* USE_SSL */ - while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:z:")) != EOF) { + while ((ch = getopt(argc, argv, "d:a:e:lhnNr:I:D:B:sS:a:X:L:z:")) != EOF) { switch(ch) { #ifdef USE_SSL @@ -389,6 +389,10 @@ keepalive = 0; break; + case 'N': + numeric_hosts = 1; + break; + #ifdef SecurID case 's': /* SecurID required */ @@ -427,7 +431,7 @@ #ifdef USE_SSL - if (ssl_secure_flag || ssl_cert_required) { + if (ssl_secure_flag || ssl_cert_required || ssl_certsok_flag) { /* in secure mode we *must* switch on the base level * verify checking otherwise we cannot abort connections * at the right place! @@ -520,9 +524,9 @@ sprintf(errbuf,"SSL_accept error %s\n", ERR_error_string(ERR_get_error(),NULL)); - syslog(LOG_WARNING, errbuf); + syslog(LOG_WARNING, "%s", errbuf); - BIO_printf(bio_err,errbuf); + BIO_printf(bio_err,"%s",errbuf); /* go to sleep to make sure we are noticed */ sleep(10); @@ -571,6 +575,11 @@ #ifdef AUTHENTICATE fprintf(stderr, " [-X auth-type]"); #endif +#ifdef USE_SSL + /* might as well output something useful here ... */ + fprintf(stderr, "\n\t [-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t"); + fprintf(stderr, " [-z cert=file] [-z key=file]\n\t"); +#endif /* USE_SSL */ fprintf(stderr, "\n"); exit(1); } 
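Review bot: `strcpy(cert_filepath, "/etc/telnetd-ssl/telnetd.pem");` writes into a buffer whose declaration is outside the hunk, so nothing visible shows the literal fits, and the copy is not needed at all because `ssl_cert_file` is a pointer assigned on the next line: `ssl_cert_file = "/etc/telnetd-ssl/telnetd.pem";` avoids the buffer entirely. If the array has to stay because a later `-z cert=` option writes into it, use `snprintf(cert_filepath, sizeof cert_filepath, "%s", "/etc/telnetd-ssl/telnetd.pem");` (assuming it is an array, not a pointer) and add a comment saying why the default deliberately lives outside OpenSSL's default certificate directory. The enclosing main() starts and ends outside the hunk.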
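Review bot: The `"%s"` fix for `syslog` and `BIO_printf` is correct, but the `sprintf(errbuf, "SSL_accept error %s\n", ERR_error_string(ERR_get_error(), NULL))` that fills errbuf two lines above is still unbounded, and errbuf's size is not visible in the hunk. The intermediate buffer can be dropped altogether, e.g. `syslog(LOG_WARNING, "SSL_accept error %s", ERR_error_string(ERR_get_error(), NULL));` and the matching `BIO_printf` form, or if it stays, `snprintf(errbuf, sizeof errbuf, ...)` with the same caveat that errbuf must be an array. The enclosing function starts and ends outside the hunk.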
@@ -596,6 +605,18 @@ /* * Handle the Authentication option before we do anything else. */ + send_do(TELOPT_ENVIRON, 1); + while (his_will_wont_is_changing(TELOPT_ENVIRON)) { + ttloop(); + } + + if (his_state_is_will(TELOPT_ENVIRON)) { + netoprintf("%c%c%c%c%c%c", + IAC, SB, TELOPT_ENVIRON, TELQUAL_SEND, IAC, SE); + while (sequenceIs(environsubopt, baseline)) + ttloop(); + } + send_do(TELOPT_AUTHENTICATION, 1); while (his_will_wont_is_changing(TELOPT_AUTHENTICATION)) ttloop(); @@ -654,7 +675,6 @@ send_do(TELOPT_TTYPE, 1); send_do(TELOPT_TSPEED, 1); send_do(TELOPT_XDISPLOC, 1); - send_do(TELOPT_ENVIRON, 1); while ( #if defined(ENCRYPT) his_do_dont_is_changing(TELOPT_ENCRYPT) || @@ -698,10 +718,6 @@ while (sequenceIs(xdisplocsubopt, baseline)) ttloop(); } - if (his_state_is_will(TELOPT_ENVIRON)) { - while (sequenceIs(environsubopt, baseline)) - ttloop(); - } if (his_state_is_will(TELOPT_TTYPE)) { char first[256], last[256]; @@ -852,7 +868,7 @@ static void doit(struct sockaddr *who, socklen_t who_len) { - const char *host; + char *host; int level; char user_name[256]; int i; @@ -867,7 +883,8 @@ /* get name of connected client */ if (getnameinfo(who, who_len, remote_host_name, - sizeof(remote_host_name), 0, 0, 0)) { + sizeof(remote_host_name), 0, 0, + numeric_hosts ? NI_NUMERICHOST : 0)) { syslog(LOG_ERR, "doit: getnameinfo: %m"); *remote_host_name = 0; } --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.h +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.h @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)telnetd.h 5.3 (Berkeley) 3/1/91 - * $Id: telnetd.h,v 1.2 1999/03/27 07:46:21 dholland Exp $ + * $Id: telnetd.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/termstat.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/termstat.c @@ -35,7 +35,7 @@ * 
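Review bot: The ENVIRON request is now issued before TELOPT_AUTHENTICATION without a comment explaining the reordering, so a reader cannot tell that this is what lets the client's USER variable (handled in this patch's state.c hunks) be known when authentication runs. Add above `send_do(TELOPT_ENVIRON, 1);` a comment such as `/* Negotiate ENVIRON before AUTHENTICATION so a client-supplied USER is known when authentication runs; the value is unauthenticated and only proposes a login name. */`. The two `while (...) ttloop();` loops wait indefinitely for the peer, as the existing AUTHENTICATION loop below already does, so this hunk inherits rather than introduces that behaviour, but it is worth stating in the comment. The enclosing function starts and ends outside the hunk.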
From: @(#)termstat.c 5.10 (Berkeley) 3/22/91 */ char termstat_rcsid[] = - "$Id: termstat.c,v 1.6 1999/12/12 14:59:45 dholland Exp $"; + "$Id: termstat.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include "telnetd.h" --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetd/utility.c @@ -35,7 +35,7 @@ * From: @(#)utility.c 5.8 (Berkeley) 3/22/91 */ char util_rcsid[] = - "$Id: utility.c,v 1.11 1999/12/12 14:59:45 dholland Exp $"; + "$Id: utility.c,v 1.8 2006-09-24 00:48:31 ianb Exp $"; #define PRINTOPTIONS @@ -86,6 +86,11 @@ DIAG(TD_REPORT, netoprintf("td: ttloop\r\n");); netflush(); +#ifdef USE_SSL + if (ssl_active_flag) + ncc = SSL_read(ssl_con, netibuf, sizeof netibuf); + else +#endif /* USE_SSL */ ncc = read(net, netibuf, sizeof(netibuf)); if (ncc < 0) { syslog(LOG_INFO, "ttloop: read: %m\n"); @@ -216,7 +221,7 @@ } out: - return next ? next + (current - end) : current; + return (const char *) (next ? (next + (current - end)) : current ); } /* end of nextitem */ @@ -243,6 +248,29 @@ doclear--; } /* end of netclear */ +#ifdef USE_SSL +static int +SSL_writev(SSL *ssl_con,const struct iovec *vector,int num) +{ + const struct iovec *v = vector; + + int ret; + int len = 0; + + while (num > 0) { + ret = SSL_write(ssl_con, v->iov_base, v->iov_len); + if (ret < 0) + return ret; + if (ret != v->iov_len) + syslog(LOG_NOTICE, "SSL_writev: short write\n"); + num -= v->iov_len; + len += ret; + v++; + } + return len; +} +#endif /* USE_SSL */ + static void netwritebuf(void) { @@ -253,6 +281,9 @@ size_t len; int ltrailing = trailing; + if (!listlen) + return; + vector = malloc(listlen * sizeof(struct iovec)); if (!vector) { return; @@ -265,6 +296,11 @@ if (lp == urg) { len = v - vector; if (!len) { +#ifdef USE_SSL + if (ssl_active_flag) + n = SSL_write(ssl_con, lp->buf, 1); + else +#endif /* USE_SSL */ n = send(net, lp->buf, 1, MSG_OOB); if (n > 0) { urg = 0; 
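Review bot: The new `SSL_read` path is checked with the same `if (ncc < 0)` / `%m` handling as `read()`, but `SSL_read` reports failure as any return `<= 0` and does not set errno, so a TLS-level error is either logged with a stale errno text or treated like a successful zero-byte read. When `ssl_active_flag` is set, classify `ncc <= 0` with `SSL_get_error(ssl_con, ncc)` and log that (for example through `ERR_error_string`) instead of `%m`, treating `SSL_ERROR_ZERO_RETURN` as end of file. ttloop's body continues outside the hunk.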
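Review bot: `num -= v->iov_len;` in `SSL_writev` decrements the iovec count by the element's byte length, so for any element longer than the remaining count the loop stops after one write and the rest of the vector is silently dropped, while a vector of short elements can run past `num` entries; it must be `num--`. `ret < 0` also misses the `ret == 0` failure return of SSL_write, `ret != v->iov_len` compares int with size_t, and a short write is only logged while the caller is told the full length went out, which desynchronises the caller's byte accounting from what the peer received. Stopping on the first `ret <= 0` or short write and returning what was actually written keeps the caller's `len = n + skip` bookkeeping correct.
```c
#ifdef USE_SSL
/*
 * writev(2) equivalent over the SSL connection.  Returns the number of
 * bytes actually written, or the SSL_write failure value (<= 0) when
 * nothing could be written.  Stops at the first short write so the
 * caller's byte accounting matches what the peer received.
 */
static int
SSL_writev(SSL *ssl_con, const struct iovec *vector, int num)
{
	const struct iovec *v = vector;
	int len = 0;

	for (; num > 0; num--, v++) {
		int ret;

		if (v->iov_len == 0)
			continue;	/* SSL_write with length 0 reports failure */
		ret = SSL_write(ssl_con, v->iov_base, (int)v->iov_len);
		if (ret <= 0)
			return len > 0 ? len : ret;
		len += ret;
		if ((size_t)ret != v->iov_len) {
			syslog(LOG_NOTICE, "SSL_writev: short write\n");
			break;
		}
	}
	return len;
}
#endif /* USE_SSL */
```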
@@ -282,15 +318,25 @@ vector->iov_base = (char *)vector->iov_base + skip; vector->iov_len -= skip; - n = writev(net, vector, len); + if(vector->iov_len == 0 ) { + n=0; + } else { + +#ifdef USE_SSL + if (ssl_active_flag) + n = SSL_writev(ssl_con, vector, len); /* normal write */ + else +#endif /* USE_SSL */ + n = writev(net, vector, len); epi: - free(vector); + free(vector); - if (n < 0) { + if (n < 0) { if (errno != EWOULDBLOCK && errno != EINTR) - cleanup(0); + cleanup(0); return; + } } len = n + skip; @@ -315,6 +361,10 @@ } } + if(ltrailing && (len==0)) { + ltrailing=trailing=0; + } + skip = len; } @@ -323,16 +373,22 @@ * Send as much data as possible to the network, * handling requests for urgent data. */ -void +int netflush(void) { if (fflush(netfile)) { /* out of memory? */ cleanup(0); + return 0; } - if (listlen) { - netwritebuf(); - } + netwritebuf(); + return 1; +} + +int +writenet(char *b , int l) +{ + return(fwrite(b, 1, l, netfile)); } @@ -983,7 +1039,7 @@ ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ? "MUTUAL" : "ONE-WAY"); - auth_printsub(&pointer[1], length - 1, buf, sizeof(buf)); + auth_printsub(&pointer[1], length - 1, (unsigned char *) buf, sizeof(buf)); netoprintf("%s", buf); break; @@ -1191,7 +1247,15 @@ size_t l; size_t m = tail->len; - p = nextitem(tail->buf, tail->buf + tail->len, buf, end); + if((tail->buf == NULL) || (tail->len==0)) + { + p = nextitem((unsigned char *) buf, (unsigned char *) end,0,0); + } + else + { + p = nextitem((unsigned char *) tail->buf, (unsigned char *) (tail->buf + tail->len), + (unsigned char *) buf, (unsigned char *) end); + } ltrailing = !p; if (ltrailing) { p = end; @@ -1245,7 +1309,7 @@ const char *p; size_t l; - p = nextitem(buf, end, 0, 0); + p = nextitem((unsigned char *) buf, (unsigned char *) end, 0, 0); ltrailing = !p; if (ltrailing) { p = end; --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/Makefile +++ netkit-telnet-ssl-0.17.24+0.1/telnetlogin/Makefile 
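Review bot: In the new `if(vector->iov_len == 0 ) { n=0; } else { ... epi: free(vector); ... }` structure the `free(vector)` sits inside the else branch, so every call that takes the `iov_len == 0` branch leaks the malloc'd vector. Move the free (and the `epi:` label the urgent-data path jumps to) out of the branch so both paths release it, leaving only the write selection inside the if/else and the `free` / `if (n < 0)` sequence after it. The `errno != EWOULDBLOCK && errno != EINTR` test now also runs after `SSL_writev`, where errno is not meaningful for a TLS-level failure, so a retryable `SSL_ERROR_WANT_WRITE` ends in `cleanup(0)`; guard that test with `ssl_active_flag` and use `SSL_get_error` there. netwritebuf's body starts and ends outside the hunk.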
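Review bot: `writenet(char *b , int l)` takes a non-const `char *` and a signed `int` length, which is why this patch's state.c `@@ -1367` hunk has to cast `statusbuf` to `(char *)`, and a negative `l` would become a huge `size_t` inside fwrite; declaring it `int writenet(const void *b, size_t l)` removes the cast and the sign hazard. It also returns fwrite's `size_t` through `int` with no comment on what callers should do with a short count. `netflush` now returns `0` after `cleanup(0)`; if cleanup never returns, say so in a comment so readers do not look for a caller that handles the 0.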
@@ -3,6 +3,9 @@ include ../MCONFIG include ../MRULES +# ignore imported LIBS value, drags in too much +LIBS= + OBJS = telnetlogin.o telnetlogin: $(OBJS) --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.8 +++ netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.8 @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: telnetlogin.8,v 1.4 2000/07/30 23:57:10 dholland Exp $ +.\" $Id: telnetlogin.8,v 1.2 2004-11-07 15:47:43 ianb Exp $ .\" .Dd April 12, 2000 .Dt TELNETLOGIN 8 @@ -40,6 +40,7 @@ .Nm telnetlogin .Op Fl h Ar host .Op Fl p +.Op Fl f Ar username .Op Ar username .Sh DESCRIPTION .Nm telnetlogin @@ -79,11 +80,6 @@ .Xr inetd 8 , .Xr telnetd 8 .Sh RESTRICTIONS -.Nm telnetlogin -does not permit the -.Fl f -option to login, so will not -work with telnetds that perform authentication via Kerberos or SSL. .Pp THIS IS PRESENTLY EXPERIMENTAL CODE; USE WITH CAUTION. .Sh HISTORY --- netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.c +++ netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.c @@ -35,7 +35,7 @@ "All rights reserved.\n"; char rcsid[] = - "$Id: telnetlogin.c,v 1.1 2000/04/13 01:07:22 dholland Exp $"; + "$Id: telnetlogin.c,v 1.2 2004-11-07 15:47:43 ianb Exp $"; #include "../version.h" #include @@ -76,7 +76,16 @@ int i=0; /* should we check length? */ for (i=0; hname[i]; i++) { - if (hname[i]<=32 && hname[i]>126) return -1; + if ((hname[i]<=32) || (hname[i]>126)) return -1; + } + return 0; +} + +static int check_username(char *username) { + int i; + if (strlen(username) > 32) return -1; + for (i=0; username[i]; i++) { + if ((username[i]<=32) || (username[i]>126)) return -1; } return 0; } 
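Review bot: `check_username` rejects non-printing and non-ASCII bytes but accepts an empty name and a name that begins with `-`, so a value received via `-f` could be parsed as an option by whatever receives it positionally downstream (how the name is forwarded is outside this hunk). Add `if (username[0] == '\0' || username[0] == '-') return -1;` before the loop, and give the `32` a name or a comment saying where that limit comes from. The `&&` to `||` correction in `check_hostname` is right: the old condition could never be true, so the hostname check was a no-op; it would benefit from the same leading-`-` guard.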
@@ -158,6 +167,12 @@ if (argn < argc && !strcmp(argv[argn], "-p")) { argn++; } + if (argn < argc && !strcmp(argv[argn], "-f")) { + argn++; + if (argn==argc) die("Illegal args: -f requires argument"); + if (check_username(argv[argn])) die("Illegal remote username specified"); + argn++; + } if (argn < argc && argv[argn][0] != '-') { argn++; }
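Review bot: The `-f` branch validates the username's characters but nothing in the hunk records that `-f` means the password step is skipped and therefore must only ever be supplied by a caller that has already authenticated the user (telnetd's certificate mapping per this patch's man-page change); add a comment above the branch such as `/* -f: caller has already authenticated this user (certificate login); skip the password. Only telnetd may legitimately pass it. */`. Whether telnetlogin can be run by anyone other than telnetd is not visible here; if it can, accepting `-f` needs an invocation check, otherwise the character validation is the only barrier. A `-f` name followed by a positional username is also accepted by the next `if`; document which one wins or reject the combination.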