- (djm) autoconf hacking:
- We don't support --without-zlib currently, so don't allow it.
- Rework cryptographic random number support detection. We now detect
whether OpenSSL seeds itself. If it does, then we don't bother with
the ssh-rand-helper program. You can force the use of ssh-rand-helper
using the --with-rand-helper configure argument
- Simplify and clean up ssh-rand-helper configuration
diff --git a/configure.ac b/configure.ac
index 0ed1ddd..9cc7dc9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-i# $Id: configure.ac,v 1.10 2002/01/14 08:01:06 djm Exp $
+i# $Id: configure.ac,v 1.11 2002/01/22 10:57:54 djm Exp $
AC_INIT
AC_CONFIG_SRCDIR([ssh.c])
@@ -336,6 +336,9 @@
AC_ARG_WITH(zlib,
[ --with-zlib=PATH Use zlib in PATH],
[
+ if test "x$withval" != "xno" ; then
+ AC_MSG_ERROR([*** zlib is required ***])
+ fi
if test -d "$withval/lib"; then
if test -n "${need_dash_r}"; then
LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -815,6 +818,144 @@
AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
fi
+
+### Configure cryptographic random number support
+
+# Check wheter OpenSSL seeds itself
+AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
+AC_TRY_RUN(
+ [
+#include <string.h>
+#include <openssl/rand.h>
+int main(void) { return(RAND_status() == 1 ? 0 : 1); }
+ ],
+ [
+ OPENSSL_SEEDS_ITSELF=yes
+ AC_MSG_RESULT(yes)
+ ],
+ [
+ AC_MSG_RESULT(no)
+ # Default to use of the rand helper if OpenSSL doesn't
+ # seed itself
+ USE_RAND_HELPER=yes
+ ]
+)
+
+
+# Do we want to force the use of the rand helper?
+AC_ARG_WITH(rand-helper,
+ [ --with-rand-helper Use subprocess to gather strong randomness ],
+ [
+ if test "x$withval" = "xno" ; then
+ # Force use of OpenSSL's internal RNG, even if
+ # the previous test showed it to be unseeded.
+ if test -z "$OPENSSL_SEEDS_ITSELF" ; then
+ AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG])
+ OPENSSL_SEEDS_ITSELF=yes
+ USE_RAND_HELPER=""
+ fi
+ else
+ USE_RAND_HELPER=yes
+ fi
+ ],
+)
+
+# Which randomness source do we use?
+if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then
+ # OpenSSL only
+ AC_DEFINE(OPENSSL_PRNG_ONLY)
+ RAND_MSG="OpenSSL internal ONLY"
+ INSTALL_SSH_RAND_HELPER=""
+elif test ! -z "$OPENSSL_SEEDS_ITSELF" -a ! -z "$USE_RAND_HELPER" ; then
+ # OpenSSL with fallback to rand helper
+ RAND_MSG="ssh-rand-helper"
+ INSTALL_SSH_RAND_HELPER="yes"
+fi
+AC_SUBST(INSTALL_SSH_RAND_HELPER)
+
+### Configuration of ssh-rand-helper
+
+# PRNGD TCP socket
+AC_ARG_WITH(prngd-port,
+ [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT],
+ [
+ if test ! -z "$withval" -a "x$withval" != "xno" ; then
+ PRNGD_PORT="$withval"
+ AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
+ fi
+ ]
+)
+
+# PRNGD Unix domain socket
+AC_ARG_WITH(prngd-socket,
+ [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
+ [
+ if test -z "$withval" ; then
+ withval="/var/run/egd-pool"
+ fi
+ if test "x$withval" != "xno" ; then
+ if test ! -z "$PRNGD_PORT" ; then
+ AC_MSG_ERROR(You may not specify both a PRNGD/EGD port and socket)
+ fi
+ if ! echo "$withval" | grep -q '^/' ; then
+ AC_MSG_ERROR(You must specify an absolute path to the entropy socket)
+ fi
+ if ! test -r "$withval" ; then
+ AC_MSG_WARN(Entropy socket is not readable)
+ fi
+ PRNGD_SOCKET="$withval"
+ AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
+ fi
+ ]
+)
+
+# Change default command timeout for hashing entropy source
+entropy_timeout=200
+AC_ARG_WITH(entropy-timeout,
+ [ --with-entropy-timeout Specify entropy gathering command timeout (msec)],
+ [
+ if test "x$withval" != "xno" ; then
+ entropy_timeout=$withval
+ fi
+ ]
+)
+
+AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout)
+
+# These programs are used by the command hashing source to gather entropy
+OSSH_PATH_ENTROPY_PROG(PROG_LS, ls)
+OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat)
+OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp)
+OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
+OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
+OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
+OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
+OSSH_PATH_ENTROPY_PROG(PROG_W, w)
+OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
+OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)
+OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog)
+OSSH_PATH_ENTROPY_PROG(PROG_DF, df)
+OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat)
+OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime)
+OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs)
+OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail)
+
+# Where does ssh-rand-helper get its randomness from?
+INSTALL_SSH_PRNG_CMDS=""
+if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then
+ if test ! -z "$PRNGD_PORT" ; then
+ RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT"
+ elif test ! -z "$PRNGD_SOCKET" ; then
+ RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\""
+ else
+ RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)"
+ RAND_HELPER_CMDHASH=yes
+ INSTALL_SSH_PRNG_CMDS="yes"
+ fi
+fi
+AC_SUBST(INSTALL_SSH_PRNG_CMDS)
+
+
# Cheap hack to ensure NEWS-OS libraries are arranged right.
if test ! -z "$SONY" ; then
LIBS="$LIBS -liberty";
@@ -1531,109 +1672,6 @@
)
# Options from here on. Some of these are preset by platform above
-
-# Check for user-specified random device, otherwise check /dev/urandom
-AC_ARG_WITH(random,
- [ --with-random=FILE read entropy from FILE (default=/dev/urandom)],
- [
- if test "x$withval" != "xno" ; then
- RANDOM_POOL="$withval";
- if ! echo "$RANDOM_POOL" | grep -q '^/' ; then
- AC_MSG_ERROR(You must specify an absolute path to the random device)
- fi
- if ! test -r "$RANDOM_POOL" ; then
- AC_MSG_WARN(Random device is not readable)
- fi
- AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL")
- fi
- ],
- [
- # Check for random device
- AC_CHECK_FILE("/dev/urandom",
- [
- RANDOM_POOL="/dev/urandom";
- AC_SUBST(RANDOM_POOL)
- AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL")
- ]
- )
- ]
-)
-
-# Check for PRNGD/EGD pool file
-AC_ARG_WITH(prngd-port,
- [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT],
- [
- if test ! -z "$withval" -a "x$withval" != "xno" ; then
- PRNGD_PORT="$withval"
- AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
- fi
- ]
-)
-
-# Check for PRNGD/EGD pool file
-AC_ARG_WITH(prngd-socket,
- [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
- [
- if test "x$withval" != "xno" ; then
- PRNGD_SOCKET="$withval"
- if echo "$PRNGD_SOCKET" | grep -q '^/' ; then
- AC_MSG_ERROR(You must specify an absolute path to the entropy socket)
- fi
- if ! test -r "$PRNGD_SOCKET" ; then
- AC_MSG_WARN(Entropy socket is not readable)
- fi
- AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
- fi
- ],
- [
- # Check for existing socket only if we don't have a random device already
- if test -z "$RANDOM_POOL" ; then
- AC_MSG_CHECKING(for PRNGD/EGD socket)
- # Insert other locations here
- for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
- if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
- PRNGD_SOCKET="$sock"
- AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
- break;
- fi
- done
- if test ! -z "$PRNGD_SOCKET" ; then
- AC_MSG_RESULT($PRNGD_SOCKET)
- else
- AC_MSG_RESULT(not found)
- fi
- fi
- ]
-)
-
-
-# detect pathnames for entropy gathering commands, if we need them
-INSTALL_SSH_PRNG_CMDS=""
-rm -f prng_commands
-if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then
- INSTALL_SSH_PRNG_CMDS="yes"
-fi
-AC_SUBST(INSTALL_SSH_PRNG_CMDS)
-
-# These programs are used to gather entropy from
-OSSH_PATH_ENTROPY_PROG(PROG_LS, ls)
-OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat)
-OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp)
-OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
-OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
-OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
-OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
-OSSH_PATH_ENTROPY_PROG(PROG_W, w)
-OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
-OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)
-OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog)
-OSSH_PATH_ENTROPY_PROG(PROG_DF, df)
-OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat)
-OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime)
-OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs)
-OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail)
-
-
AC_ARG_WITH(mantype,
[ --with-mantype=man|cat|doc Set man page type],
[
@@ -1825,12 +1863,13 @@
)
# Whether to enable BSD auth support
+BSD_AUTH_MSG=no
AC_ARG_WITH(bsd-auth,
[ --with-bsd-auth Enable BSD auth support],
[
if test "x$withval" != "xno" ; then
AC_DEFINE(BSD_AUTH)
- bsd_auth=yes
+ BSD_AUTH_MSG=yes
fi
]
)
@@ -2097,44 +2136,17 @@
fi
-# Change default command timeout for builtin PRNG
-entropy_timeout=200
-AC_ARG_WITH(entropy-timeout,
- [ --with-entropy-timeout Specify entropy gathering command timeout (msec)],
- [
- if test "x$withval" != "xno" ; then
- entropy_timeout=$withval
- fi
- ]
-)
-AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout)
-
-
if test ! -z "$blibpath" ; then
LDFLAGS="$LDFLAGS -blibpath:$blibpath"
AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile])
fi
AC_EXEEXT
-
AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds])
AC_OUTPUT
# Print summary of options
-if test ! -z "$RANDOM_POOL" ; then
- RAND_MSG="Device ($RANDOM_POOL)"
-else
- if test ! -z "$PRNGD_PORT" ; then
- RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)"
- elif test ! -z "$PRNGD_SOCKET" ; then
- RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)"
- else
- RAND_MSG="Builtin (timeout $entropy_timeout)"
- BUILTIN_RNG=1
- fi
-fi
-
# Someone please show me a better way :)
A=`eval echo ${prefix}` ; A=`eval echo ${A}`
B=`eval echo ${bindir}` ; B=`eval echo ${B}`
@@ -2154,7 +2166,6 @@
echo " Manual pages: $F"
echo " PID file: $G"
echo " sshd default user PATH: $H"
-echo " Random number collection: $RAND_MSG"
echo " Manpage format: $MANTYPE"
echo " PAM support: ${PAM_MSG}"
echo " KerberosIV support: $KRB4_MSG"
@@ -2166,9 +2177,10 @@
echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
echo " Use IPv4 by default hack: $IPV4_HACK_MSG"
echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
-
-if test ! -z "$bsd_auth"; then
- echo " BSD Auth support: yes"
+echo " BSD Auth support: $BSD_AUTH_MSG"
+echo " Random number source: $RAND_MSG"
+if test ! -z "$USE_RAND_HELPER" ; then
+ echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
fi
echo ""
@@ -2183,22 +2195,24 @@
echo ""
if test "x$PAM_MSG" = "xyes" ; then
- echo "PAM is enabled. You may need to install a PAM control file for sshd,"
- echo "otherwise password authentication may fail. Example PAM control files"
- echo "can be found in the contrib/ subdirectory"
- echo ""
-fi
-
-if test ! -z "$BUILTIN_RNG" ; then
- echo "WARNING: you are using the builtin random number collection service."
- echo "Please read WARNING.RNG and request that your OS vendor includes"
- echo "/dev/random in future versions of their OS."
+ echo "PAM is enabled. You may need to install a PAM control file "
+ echo "for sshd, otherwise password authentication may fail. "
+ echo "Example PAM control files can be found in the contrib/ "
+ echo "subdirectory"
echo ""
fi
if test ! -z "$NO_SFTP"; then
- echo "sftp-server will be disabled. Your compiler does not support"
- echo "64bit integers."
+ echo "sftp-server will be disabled. Your compiler does not "
+ echo "support 64bit integers."
+ echo ""
+fi
+
+if test ! -z "$RAND_HELPER_CMDHASH" ; then
+ echo "WARNING: you are using the builtin random number collection "
+ echo "service. Please read WARNING.RNG and request that your OS "
+ echo "vendor includes kernel-based random number collection in "
+ echo "future versions of your OS."
echo ""
fi