Lines Matching +full:resolver +full:- +full:to +full:- +full:digital
2 # Copyright (c) 1999-2004 Damien Miller
4 # Permission to use, copy, modify, and distribute this software for any
9 # WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
16 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
22 if test "$i" -nt "$srcdir/configure"; then
33 AC_MSG_CHECKING([if $CC supports C99-style variadic macros])
37 ]], [[return F(1, 2, -3);]])],
39 [ AC_MSG_ERROR([*** OpenSSH requires support for C99-style variadic macros]) ]
65 AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
68 dnl select manpage formatter to be used to build "cat" format pages.
72 MANFMT="$NROFF -mandoc"
74 MANFMT="$GROFF -mandoc -Tascii"
87 if test -x /sbin/sh; then
96 if test -z "$AR" ; then
101 if test ! -z "$PATH_PASSWD_PROG" ; then
106 dnl Since autoconf doesn't support it very well, we no longer allow users to
108 dnl use case we overlooked and someone needs to re-enable it. Unless a good
135 …[ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL…
154 [ --without-stackprotect Don't use compiler's stack protection], [
159 [ --without-hardening Don't use toolchain hardening flags], [
164 [ --without-retpoline Enable retpoline spectre mitigation], [
169 # We use -Werror for the tests only so that we catch warnings like "this is
170 # on by default" for things like -fPIE.
171 AC_MSG_CHECKING([if $CC supports -Werror])
173 CFLAGS="$CFLAGS -Werror"
176 WERROR="-Werror"],
184 GCC_VER=`$CC -v 2>&1 | $AWK '/gcc version /{print $3}'`
196 ver="`$CC -v 2>&1`"
198 CLANG_VER=apple-`echo "$ver" | grep 'clang version' | \
206 OSSH_CHECK_CFLAG_COMPILE([-pipe])
207 OSSH_CHECK_CFLAG_COMPILE([-Wunknown-warning-option])
208 OSSH_CHECK_CFLAG_COMPILE([-Wno-error=format-truncation])
209 OSSH_CHECK_CFLAG_COMPILE([-Qunused-arguments])
210 OSSH_CHECK_CFLAG_COMPILE([-Wall])
211 OSSH_CHECK_CFLAG_COMPILE([-Wextra])
212 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-arith])
213 OSSH_CHECK_CFLAG_COMPILE([-Wuninitialized])
214 OSSH_CHECK_CFLAG_COMPILE([-Wsign-compare])
215 OSSH_CHECK_CFLAG_COMPILE([-Wformat-security])
216 OSSH_CHECK_CFLAG_COMPILE([-Wsizeof-pointer-memaccess])
217 OSSH_CHECK_CFLAG_COMPILE([-Wpointer-sign], [-Wno-pointer-sign])
218 OSSH_CHECK_CFLAG_COMPILE([-Wunused-parameter], [-Wno-unused-parameter])
219 OSSH_CHECK_CFLAG_COMPILE([-Wunused-result], [-Wno-unused-result])
220 OSSH_CHECK_CFLAG_COMPILE([-Wimplicit-fallthrough])
221 OSSH_CHECK_CFLAG_COMPILE([-Wmisleading-indentation])
222 OSSH_CHECK_CFLAG_COMPILE([-Wbitwise-instead-of-logical])
223 OSSH_CHECK_CFLAG_COMPILE([-fno-strict-aliasing])
225 OSSH_CHECK_CFLAG_COMPILE([-D_FORTIFY_SOURCE=2])
226 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,relro])
227 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,now])
228 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,noexecstack])
229 # NB. -ftrapv expects certain support functions to be present in
230 # the compiler library (libgcc or similar) to detect integer operations
234 OSSH_CHECK_CFLAG_LINK([-ftrapv])
235 # clang 15 seems to have a bug in -fzero-call-used-regs=all. See
237 # https://github.com/llvm/llvm-project/issues/59242
241 apple-15*) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
243 *) OSSH_CHECK_CFLAG_LINK([-fzero-call-used-regs=used]) ;;
245 OSSH_CHECK_CFLAG_COMPILE([-ftrivial-auto-var-init=zero])
248 OSSH_CHECK_CFLAG_COMPILE([-mretpoline]) # clang
249 OSSH_CHECK_LDFLAG_LINK([-Wl,-z,retpolineplt])
252 AC_MSG_CHECKING([if $CC accepts -fno-builtin-memset])
254 CFLAGS="$CFLAGS -fno-builtin-memset"
262 # -fstack-protector-all doesn't always work for some GCC versions
264 # on a given platform gcc will emit a warning so we use -Werror.
266 for t in -fstack-protector-strong -fstack-protector-all \
267 -fstack-protector; do
271 CFLAGS="$CFLAGS $t -Werror"
272 LDFLAGS="$LDFLAGS $t -Werror"
309 if test -z "$have_llong_max"; then
310 # retry LLONG_MAX with -std=gnu99, needed on some Linuxes
313 CFLAGS="$CFLAGS -std=gnu99"
349 [[ int i; for (i=0; i<3; i++){int a[i]; a[i-1]=0;} exit(0); ]])],
359 [[ int a; a = 1; int b = 1; exit(a-b); ]])],
371 [ --without-rpath Disable auto-added -R linker paths],
376 rpath_opt="-R"
383 # Allow user to specify flags
385 [ --with-cflags Specify additional flags to pass to compiler],
387 if test -n "$withval" && test "x$withval" != "xno" && \
394 AC_ARG_WITH([cflags-after],
395 [ --with-cflags-after Specify additional flags to pass to compiler after configure],
397 if test -n "$withval" && test "x$withval" != "xno" && \
404 [ --with-cppflags Specify additional flags to pass to preprocessor] ,
406 if test -n "$withval" && test "x$withval" != "xno" && \
413 [ --with-ldflags Specify additional flags to pass to linker],
415 if test -n "$withval" && test "x$withval" != "xno" && \
421 AC_ARG_WITH([ldflags-after],
422 [ --with-ldflags-after Specify additional flags to pass to linker after configure],
424 if test -n "$withval" && test "x$withval" != "xno" && \
431 [ --with-libs Specify additional libraries to link with],
433 if test -n "$withval" && test "x$withval" != "xno" && \
440 [ --with-Werror Build main code with -Werror],
442 if test -n "$withval" && test "x$withval" != "xno"; then
443 werror_flags="-Werror"
451 dnl On some old platforms, sys/stat.h requires sys/types.h, but autoconf-2.71's
540 # to be included first.
582 # lastlog.h requires sys/time.h to be included first on Solaris
589 # sys/ptms.h requires sys/stream.h to be included first on Solaris
606 # Android requires sys/socket.h to be included before sys/un.h
612 # Messages for features tested for in target-specific section
619 # the --with-solaris-privs option and --with-sandbox=solaris).
622 # Check for some target-specific stuff
624 *-*-aix*)
626 # -qlanglevel=ansi, and autoconf 2.60 sometimes insists on using that
638 CC="`echo $CC | sed 's/-qlanglvl\=ansi//g'`"
639 CFLAGS="`echo $CFLAGS | sed 's/-qlanglvl\=ansi//g'`"
640 CPPFLAGS="`echo $CPPFLAGS | sed 's/-qlanglvl\=ansi//g'`"
644 AC_MSG_CHECKING([how to specify blibpath for linker ($LD)])
645 if (test -z "$blibpath"); then
650 flags="-Wl,-blibpath: -Wl,-rpath, -blibpath:"
652 flags="-blibpath: -Wl,-blibpath: -Wl,-rpath,"
655 if (test -z "$blibflags"); then
661 if (test -z "$blibflags"); then
663 AC_MSG_ERROR([*** must be able to specify blibpath on AIX - check config.log])
670 [Define if you want to enable AIX4's authenticate function])],
673 LIBS="$LIBS -ls"
705 AC_DEFINE([DISABLE_LASTLOG], [1], [Define if you don't want to use lastlog])
707 [Some systems need a utmpx entry for /bin/login to work])
709 [Define to a Set Process Title type if your system is
710 supported by bsd-setproctitle.c])
713 AC_DEFINE([PTY_ZEROREAD], [1], [read(1) can return 0 for a non-closed fd])
718 *-*-android*)
719 AC_DEFINE([DISABLE_UTMP], [1], [Define if you don't want to use utmp])
720 AC_DEFINE([DISABLE_WTMP], [1], [Define if you don't want to use wtmp])
722 *-*-cygwin*)
727 [Define to disable UID restoration test])
729 [Define if you want to disable shadow passwords])
733 [Define if your platform needs to skip post auth
735 AC_DEFINE([SSH_IOBUFSZ], [65535], [Windows is sensitive to read buffer size])
739 OSSH_CHECK_CFLAG_COMPILE([-Wno-attributes])
741 *-*-dgux*)
748 *-*-darwin*)
752 #include <mach-o/dyld.h>
771 [Define if your resolver libs need this for getrrsetbyname])
774 [Use tunnel device compatibility to OpenBSD])
776 [Prepend the address family to IP tunnel traffic])
785 [Define to a Set Process Title type if your system is
786 supported by bsd-setproctitle.c])
790 SSHDLIBS="$SSHDLIBS -lsandbox"
792 # proc_pidinfo()-based closefrom() replacement.
795 # poll(2) is broken for character-special devices (at least).
800 *-*-dragonfly*)
804 *-*-haiku*)
805 LIBS="$LIBS -lbsd "
806 CFLAGS="$CFLAGS -D_BSD_SOURCE"
812 *-*-hpux*)
813 # first we define all of the options common to all HP-UX releases
814 CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
819 [String used in /etc/passwd to denote locked account])
823 LIBS="$LIBS -lsec"
825 [AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])])
827 # next, we define all of the options specific to major releases
829 *-*-hpux10*)
830 if test -z "$GCC"; then
831 CFLAGS="$CFLAGS -Ae"
835 *-*-hpux11*)
837 [Define if you are using Solaris-derived PAM which
838 passes pam_messages to the conversation function
841 [Define if you don't want to use utmp])
842 AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
848 # lastly, we define options specific to minor releases
850 *-*-hpux10.26)
852 [Define if you have SecureWare-based
855 LIBS="$LIBS -lsecpw"
859 *-*-irix5*)
872 *-*-irix6*)
876 (cluster-wide session management, not C arrays)])
891 *-*-k*bsd*-gnu | *-*-kopensolaris*-gnu)
896 AC_DEFINE([USE_BTMP], [1], [Use btmp to log bad logins])
898 *-*-linux*)
902 dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
905 CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
910 [String used in /etc/passwd to denote locked account])
913 [Define to whatever link() returns for "not supported"
917 AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
920 case `uname -r` in
932 [Use tunnel device compatibility to OpenBSD])
934 [Prepend the address family to IP tunnel traffic])
969 x86_64-*)
972 i*86-*)
975 arm*-*)
978 aarch64*-*)
981 s390x-*)
984 s390-*)
987 powerpc-*)
990 powerpc64-*)
993 powerpc64le-*)
996 mips-*)
999 mipsel-*)
1002 mips64-*)
1012 mips64el-*)
1022 riscv64-*)
1034 *-*-minix)
1036 # poll(2) seems to choke on /dev/null; "Bad file descriptor"
1040 mips-sony-bsd|mips-sony-newsos4)
1041 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to acquire controlling tty])
1044 *-*-netbsd*)
1046 rpath_opt="-R"
1048 CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
1053 [Prepend the address family to IP tunnel traffic])
1058 *-*-freebsd*)
1071 *-*-freebsd9.*|*-*-freebsd10.*)
1072 # Capsicum on 9 and 10 do not allow ppoll() so don't auto-enable.
1076 *-*-bsdi*)
1081 *-next-*)
1090 *-*-openbsd*)
1096 [syslog_r function is safe to use in in a signal handler])
1099 *-*-solaris*)
1101 rpath_opt="-R"
1108 to the unpriv'ed user])
1110 # Pushing STREAMS modules will cause sshd to acquire a controlling tty.
1114 AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd
1121 sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'`
1122 if test "$sol2ver" -ge 8; then
1126 [Define if you don't want to use wtmp])
1134 AC_ARG_WITH([solaris-contracts],
1135 [ --with-solaris-contracts Enable Solaris process contracts (experimental)],
1140 LIBS="$LIBS -lcontract"
1144 AC_ARG_WITH([solaris-projects],
1145 [ --with-solaris-projects Enable Solaris projects (experimental)],
1150 LIBS="$LIBS -lproject"
1154 AC_ARG_WITH([solaris-privs],
1155 [ --with-solaris-privs Enable Solaris/Illumos privileges (experimental)],
1158 if test "x$ac_cv_func_setppriv" = "xyes" -a \
1163 [Define to disable UID restoration test])
1169 AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
1175 *-*-sunos4*)
1176 CPPFLAGS="$CPPFLAGS -DSUNOS4"
1185 *-ncr-sysv*)
1186 LIBS="$LIBS -lc89"
1193 *-sni-sysv*)
1196 # -lresolv needs to be at the end of LIBS or DNS lookups break
1197 AC_CHECK_LIB([resolv], [res_query], [ LIBS="$LIBS -lresolv" ])
1207 # Attention: always take care to bind libsocket and libnsl before libc,
1211 *-*-sysv4.2*)
1216 AC_DEFINE([PASSWD_NEEDS_USERNAME], [1], [must supply username to passwd])
1221 *-*-sysv5*)
1222 CPPFLAGS="$CPPFLAGS -Dvsnprintf=_xvsnprintf -Dsnprintf=_xsnprintf"
1233 *-*-sysv5SCO_SV*) # SCO OpenServer 6.x
1236 AC_CHECK_LIB([prot], [getluid], [ LIBS="$LIBS -lprot"
1237 AC_CHECK_FUNCS([getluid setluid], , , [-lprot])
1244 *-*-sysv*)
1247 *-*-sco3.2v4*)
1251 *-*-sco3.2v5*)
1252 if test -z "$GCC"; then
1253 CFLAGS="$CFLAGS -belf"
1255 LIBS="$LIBS -lprot -lx -ltinfo -lm"
1273 *-dec-osf*)
1274 AC_MSG_CHECKING([for Digital Unix SIA])
1277 [ --with-osfsia Enable Digital Unix SIA],
1285 if test -z "$no_osfsia" ; then
1286 if test -f /etc/sia/matrix.conf; then
1289 [Define if you have Digital Unix Security
1292 [Define if you don't want to use your
1295 LIBS="$LIBS -lsecurity -ldb -lm -laud"
1300 [String used in /etc/passwd to denote locked account])
1310 *-*-nto-qnx*)
1318 *-*-nto-qnx6*)
1324 *-*-ultrix*)
1325 AC_DEFINE([BROKEN_GETGROUPS], [1], [getgroups(0,NULL) will return -1])
1326 AC_DEFINE([NEED_SETPGRP], [1], [Need setpgrp to for controlling tty])
1331 AC_DEFINE([DISABLE_FD_PASSING], [1], [Need to call setpgrp as root])
1335 mkdir -p netinet
1337 name=`echo $header | tr 'a-z/.' 'A-Z__'`
1347 *-*-lynxos)
1348 CFLAGS="$CFLAGS -D__NO_INCLUDE_WARN__"
1352 *-*-gnu*)
1353 dnl GNU Hurd. Needs to be after the linux and the other *-gnu entries.
1354 dnl Target SUSv3/POSIX.1-2001 plus BSD specifics.
1357 CPPFLAGS="$CPPFLAGS -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE"
1381 LIBS="$LIBS -lgen"
1407 LIBS="$LIBS -lgen"
1415 [AC_CHECK_LIB([gen], [getspnam], [LIBS="$LIBS -lgen"])])
1419 dnl zlib defaults to enabled
1422 [ --with-zlib=PATH Use zlib in PATH],
1426 if test -d "$withval/lib"; then
1427 if test -n "${rpath_opt}"; then
1428 LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1430 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1433 if test -n "${rpath_opt}"; then
1434 LDFLAGS="-L${withval} ${rpath_opt}${withval} ${LDFLAGS}"
1436 LDFLAGS="-L${withval} ${LDFLAGS}"
1439 if test -d "$withval/include"; then
1440 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1442 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1454 CHANNELLIBS="$CHANNELLIBS -lz"
1457 …AC_CHECK_HEADER([zlib.h], ,[AC_MSG_ERROR([*** zlib.h missing - please install first or check confi…
1463 if test -n "${rpath_opt}"; then
1464 LDFLAGS="-L/usr/local/lib ${rpath_opt}/usr/local/lib ${saved_LDFLAGS}"
1466 LDFLAGS="-L/usr/local/lib ${saved_LDFLAGS}"
1468 CPPFLAGS="-I/usr/local/include ${saved_CPPFLAGS}"
1471 AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***])
1477 AC_ARG_WITH([zlib-version-check],
1478 [ --without-zlib-version-check Disable zlib version check],
1511 if test -z "$zlib_check_nonfatal" ; then
1512 AC_MSG_ERROR([*** zlib too old - check config.log ***
1516 "./configure --without-zlib-version-check".
1517 If you are in doubt, upgrade zlib to version 1.2.3 or greater.
1530 [], [ AC_CHECK_LIB([resolv], [strcasecmp], [LIBS="$LIBS -lresolv"]) ]
1534 LIBS="$LIBS -lc89"]) ]
1558 # see https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Particular-Functions.html
1563 AC_MSG_CHECKING([if calloc(0, N) returns non-null])
1577 AC_DEFINE(HAVE_CALLOC, 1, [calloc(0, x) returns non-null])
1581 [Define to rpl_calloc if the replacement function should be used.])
1656 [Define if your struct dirent expects you to
1666 if test -d "/proc/$$/fd" ; then
1675 AC_ARG_WITH([tcp-wrappers],
1676 [ --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
1682 if test -n "${withval}" && \
1684 if test -d "${withval}/lib"; then
1685 if test -n "${need_dash_r}"; then
1686 LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
1688 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1691 if test -n "${need_dash_r}"; then
1692 LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
1694 LDFLAGS="-L${withval} ${LDFLAGS}"
1697 if test -d "${withval}/include"; then
1698 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
1700 CPPFLAGS="-I${withval} ${CPPFLAGS}"
1703 LIBS="-lwrap $LIBS"
1718 SSHDLIBS="$SSHDLIBS -lwrap"
1728 # Check whether user wants to use ldns
1731 [ --with-ldns[[=PATH]] Use ldns for DNSSEC support (optionally in PATH)],
1735 AC_PATH_TOOL([LDNSCONFIG], [ldns-config], [no])
1737 LIBS="-lldns $LIBS"
1740 LIBS="$LIBS `$LDNSCONFIG --libs`"
1741 CPPFLAGS="$CPPFLAGS `$LDNSCONFIG --cflags`"
1745 CPPFLAGS="$CPPFLAGS -I${withval}/include"
1746 LDFLAGS="$LDFLAGS -L${withval}/lib"
1747 LIBS="-lldns $LIBS"
1778 [ --with-libedit[[=PATH]] Enable libedit support for sftp],
1791 CPPFLAGS="$CPPFLAGS -I${withval}/include"
1792 if test -n "${rpath_opt}"; then
1793 LDFLAGS="-L${withval}/lib ${rpath_opt}${withval}/lib ${LDFLAGS}"
1795 LDFLAGS="-L${withval}/lib ${LDFLAGS}"
1799 LIBEDIT=`$PKGCONFIG --libs libedit`
1800 CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libedit`"
1802 LIBEDIT="-ledit -lcurses"
1804 OTHERLIBS=`echo $LIBEDIT | sed 's/-ledit//'`
1833 [ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
1856 if test "$sol2ver" -ge 11; then
1857 SSHDLIBS="$SSHDLIBS -lscf"
1867 SSHDLIBS="$SSHDLIBS -laudit"
1885 [ --with-pie Build Position Independent Executables if possible], [
1917 OSSH_CHECK_CFLAG_COMPILE([-fPIE])
1918 OSSH_CHECK_LDFLAG_LINK([-pie])
1919 # We use both -fPIE and -pie or neither.
1920 AC_MSG_CHECKING([whether both -fPIE and -pie are supported])
1921 if echo "x $CFLAGS" | grep ' -fPIE' >/dev/null 2>&1 && \
1922 echo "x $LDFLAGS" | grep ' -pie' >/dev/null 2>&1 ; then
1931 AC_MSG_CHECKING([whether -fPIC is accepted])
1933 CFLAGS="$CFLAGS -fPIC"
1937 PICFLAG="-fPIC"; ],
2100 char *loc = setlocale(LC_CTYPE, "en_US.UTF-8");
2120 [ --disable-pkcs11 disable PKCS#11 support code [no]],
2129 AC_ARG_ENABLE([security-key],
2130 [ --disable-security-key disable U2F/FIDO support code [no]],
2138 AC_ARG_WITH([security-key-builtin],
2139 [ --with-security-key-builtin include builtin U2F/FIDO support],
2144 AC_ARG_ENABLE([dsa-keys],
2145 [ --enable-dsa-keys enable DSA key support [no]],
2179 dnl check if we need -D_REENTRANT for localtime_r declaration.
2182 CPPFLAGS="$CPPFLAGS -D_REENTRANT"
2282 AC_MSG_CHECKING([if setresuid seems to work])
2306 AC_MSG_CHECKING([if setresgid seems to work])
2356 [LIBS="$LIBS -lbsd"; AC_DEFINE([HAVE_DAEMON])])]
2363 [LIBS="$LIBS -lucb"; AC_DEFINE([HAVE_GETPAGESIZE])])]
2384 AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor])
2416 # number of characters it tried to create (as per SUSv3)
2448 AC_MSG_WARN([****** Your vsnprintf() function is broken, complain to your vendor])
2472 if test "x$ac_cv_func_getpeereid" != "xyes" -a "x$ac_cv_func_getpeerucred" != "xyes"; then
2485 if test ! -z "$check_for_openpty_ctty_bug"; then
2530 AC_MSG_RESULT([cross-compiling, assuming yes])
2537 AC_MSG_CHECKING([if getaddrinfo seems to work])
2564 for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2565 if (ai->ai_family != AF_INET6)
2568 err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2581 sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
2584 if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
2599 AC_MSG_RESULT([cross-compiling, assuming yes])
2606 AC_MSG_CHECKING([if getaddrinfo seems to work])
2633 for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
2634 if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
2637 err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
2641 if (ai->ai_family == AF_INET && err != 0) {
2652 for the all-zeros IPv6 address])
2659 AC_MSG_RESULT([cross-compiling, assuming no])
2694 dnl implementation. Try to detect this mess, and assume the only safe option
2756 exit(r == -1 ? 0 : 1);
2780 AC_ARG_WITH([ssl-dir],
2781 [ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
2784 AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2791 if test -d "$withval/lib"; then
2793 elif test -d "$withval/lib64"; then
2799 if test -n "${rpath_opt}"; then
2800 LDFLAGS="-L${libcrypto_path} ${rpath_opt}${libcrypto_path} ${LDFLAGS}"
2802 LDFLAGS="-L${libcrypto_path} ${LDFLAGS}"
2804 if test -d "$withval/include"; then
2805 CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
2807 CPPFLAGS="-I${withval} ${CPPFLAGS}"
2810 dnl find its runtime libraries, before trying to use.
2811 if test -x "${withval}/bin/openssl" && \
2814 elif test -x "${withval}/apps/openssl" && \
2824 AC_ARG_WITH([openssl-header-check],
2825 [ --without-openssl-header-check Disable OpenSSL version consistency check],
2834 AC_ARG_WITH([ssl-engine],
2835 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
2839 AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2848 LIBS="-lcrypto $LIBS"
2849 CHANNELLIBS="-lcrypto $CHANNELLIBS"
2853 [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2907 /* We need these legacy bits to warn for old libcrypto */
2924 if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
2933 ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
2941 lver=`echo "$sslver" | sed 's/.*libressl-//'`
2951 # https://openssl.org/policies/general/versioning-policy.html
2952 CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
2970 x86_64-*)
2973 AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
2998 by running "./configure --without-openssl-header-check".
3021 LIBS="$LIBS -ldl"
3022 AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
3028 CHANNELLIBS="$CHANNELLIBS -ldl"
3198 [ AC_MSG_WARN([cross-compiling: assuming yes])
3217 ecdsa-sha2-nistp256 \
3218 ecdh-sha2-nistp256 \
3219 ecdsa-sha2-nistp256-cert-v01@openssh.com"
3225 ecdsa-sha2-nistp384 \
3226 ecdh-sha2-nistp384 \
3227 ecdsa-sha2-nistp384-cert-v01@openssh.com"
3233 ecdh-sha2-nistp521 \
3234 ecdsa-sha2-nistp521 \
3235 ecdsa-sha2-nistp521-cert-v01@openssh.com"
3263 if test ! -z "$enable_dsa" ; then
3272 AC_MSG_CHECKING([whether to enable DSA key support])
3297 if test ! -z "$disable_pkcs11" ; then
3300 if test ! -z "$disable_sk" ; then
3304 AC_MSG_CHECKING([whether to enable PKCS11])
3310 AC_MSG_CHECKING([whether to enable U2F])
3313 AC_SUBST(SK_DUMMY_LIBRARY, [regress/misc/sk-dummy/sk-dummy.so])
3315 # Do not try to build sk-dummy library.
3320 # Now check for built-in security key support.
3321 if test "x$enable_sk" = "xyes" -a "x$enable_sk_internal" != "xno" ; then
3333 LIBFIDO2=`$PKGCONFIG --libs libfido2`
3334 CPPFLAGS="$CPPFLAGS `$PKGCONFIG --cflags libfido2`"
3336 LIBFIDO2="-lprivatefido2 -lprivatecbor"
3338 OTHERLIBS=`echo $LIBFIDO2 | sed 's/-lfido2//'`
3352 if test ! -z "$fido2_error" ; then
3362 [Enable for built-in U2F/FIDO support])
3363 enable_sk="built-in"
3416 AC_ARG_WITH([prngd-port],
3417 [ --with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT],
3423 [[0-9]]*)
3426 AC_MSG_ERROR([You must specify a numeric port number for --with-prngd-port])
3429 if test ! -z "$withval" ; then
3438 AC_ARG_WITH([prngd-socket],
3439 [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
3443 withval="/var/run/egd-pool"
3451 AC_MSG_ERROR([You must specify an absolute path to the entropy socket])
3455 if test ! -z "$withval" ; then
3456 if test ! -z "$PRNGD_PORT" ; then
3459 if test ! -r "$withval" ; then
3472 for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
3473 if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
3479 if test ! -z "$PRNGD_SOCKET" ; then
3489 if test ! -z "$PRNGD_PORT" ; then
3491 elif test ! -z "$PRNGD_SOCKET" ; then
3493 elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
3500 …figure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --…
3506 LIBS="$LIBS -liaf"
3507 AC_CHECK_FUNCS([set_id], [SSHDLIBS="$SSHDLIBS -liaf"
3517 LIBS="-lcrypt $LIBS"
3518 SSHDLIBS="-lcrypt $SSHDLIBS"
3526 [ --with-pam Enable PAM support ],
3543 SSHDLIBS="$SSHDLIBS -lpam"
3545 [Define if you want to enable PAM support])
3549 *-ldl*)
3553 SSHDLIBS="$SSHDLIBS -ldl"
3561 AC_ARG_WITH([pam-service],
3562 [ --with-pam-service=name Specify PAM service name ],
3584 (void)pam_strerror((pam_handle_t *)NULL, -1);
3588 which takes only one argument to pam_strerror])
3596 *-*-cygwin*)
3603 AC_ARG_WITH([privsep-user],
3604 [ --with-privsep-user=user Specify non-privileged user for privilege separation],
3606 if test -n "$withval" && test "x$withval" != "xno" && \
3614 [Cygwin function to fetch non-privileged user for privilege separation])
3617 [non-privileged user for privilege separation])
3669 # Decide which sandbox style to use
3672 …[ --with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, sec…
3724 if (r == -1)
3730 if (r == -1)
3759 exit (r == -1 ? 1 : 0);
3790 ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
3796 ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
3802 ( test -z "$sandbox_arg" && test "x$ac_cv_func_sandbox_init" = "xyes" && \
3804 test "x$ac_cv_func_sandbox_init" != "xyes" -o \
3810 ( test -z "$sandbox_arg" && \
3829 ( test -z "$sandbox_arg" && \
3840 ( test -z "$sandbox_arg" && test "x$ac_cv_func_setrlimit" = "xyes" && \
3846 AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
3850 ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
3853 elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
3858 AC_MSG_ERROR([unsupported --with-sandbox])
3861 # Cheap hack to ensure NEWS-OS libraries are arranged right.
3862 if test ! -z "$SONY" ; then
3863 LIBS="$LIBS -liberty";
3891 if test -z "$have_llong_max" && test -z "$have_long_long_max"; then
3904 #define my_abs(a) ((a) < 0 ? ((a) * -1) : (a))
3917 if (fprintf(f, "-") < 0)
3918 return -1;
3924 if (fprintf(f, "%d", l[--i]) < 0)
3925 return -1;
3928 return -1;
3951 if (llmin + 1 < llmin || llmin - 1 < llmin || llmax + 1 > llmax
3952 || llmax - 1 > llmax || llmin == llmax || llmin == 0
4022 if (test -z "$have_intxx_t" && \
4066 if test -z "$have_u_intxx_t" ; then
4088 if (test -z "$have_u_int64_t" && \
4101 if test -z "$have_u_intxx_t" ; then
4120 if (test -z "$have_uintxx_t" && \
4133 if (test -z "$have_uintxx_t" && \
4146 if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \
4719 LIBS="$LIBS -lresolv"
4720 AC_MSG_CHECKING([for res_query in -lresolv])
4769 [ --with-selinux Enable SELinux support],
4778 [ LIBSELINUX="-lselinux"
4779 LIBS="$LIBS -lselinux"
4791 [ --with-kerberos5=PATH Enable Kerberos 5 support],
4813 K5CFLAGS=`$PKGCONFIG --cflags krb5`
4814 K5LIBS=`$PKGCONFIG --libs krb5`
4818 if "$PKGCONFIG" krb5-gssapi; then
4823 GSSCFLAGS="`$PKGCONFIG --cflags krb5-gssapi`"
4824 GSSLIBS="`$PKGCONFIG --libs krb5-gssapi`"
4839 AC_PATH_TOOL([KRB5CONF], [krb5-config],
4840 [$KRB5ROOT/bin/krb5-config],
4842 if test -x $KRB5CONF ; then
4843 K5CFLAGS="`$KRB5CONF --cflags`"
4844 K5LIBS="`$KRB5CONF --libs`"
4853 GSSCFLAGS="`$KRB5CONF --cflags gssapi`"
4854 GSSLIBS="`$KRB5CONF --libs gssapi`"
4869 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
4870 LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
4876 K5LIBS="-lkrb5"
4877 K5LIBS="$K5LIBS -lcom_err -lasn1"
4879 [K5LIBS="$K5LIBS -lroken"])
4881 [K5LIBS="$K5LIBS -ldes"])
4883 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
4889 GSSLIBS="-lgssapi_krb5" ],
4892 GSSLIBS="-lgssapi" ],
4895 GSSLIBS="-lgss" ],
4896 AC_MSG_WARN([Cannot find any suitable gss-api library - build may fail]))
4902 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4904 AC_MSG_WARN([Cannot find any suitable gss-api header - build may fail])
4910 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi"
4916 if test -n "${rpath_opt}" ; then
4919 if test ! -z "$blibpath" ; then
4928 [Define this if you want to use libkafs' AFS support])])
4958 AC_ARG_WITH([privsep-path],
4959 [ --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)],
4961 if test -n "$withval" && test "x$withval" != "xno" && \
4970 [ --with-xauth=PATH Specify path to xauth program ],
4972 if test -n "$withval" && test "x$withval" != "xno" && \
4984 if (test ! -z "$xauth_path" && test -x "/usr/openwin/bin/xauth") ; then
4990 STRIP_OPT=-s
4992 [ --disable-strip Disable calling strip(1) on install],
5001 if test -z "$xauth_path" ; then
5011 dnl # --with-maildir=/path/to/mail gets top priority.
5013 dnl # Otherwise we run a program to get the dir from system headers.
5016 dnl # session.c expects anyway. Otherwise we set to the value found
5018 dnl # does not find what it needs, we default to /var/spool/mail.
5021 [ --with-maildir=/path/to/mail Specify your system mail directory],
5026 [Set this to your mail directory if you do not have _PATH_MAILDIR])
5069 maildir_what=`awk -F: '{print $1}' conftest.maildir`
5070 maildir=`awk -F: '{print $2}' conftest.maildir \
5079 # our test program didn't find it. Default to /var/spool/mail
5087 AC_MSG_WARN([cross compiling: use --with-maildir=/path/to/mail])
5094 if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes"; then
5098 if test -z "$no_dev_ptmx" ; then
5110 if test ! -z "$cross_compiling" && test "x$cross_compiling" != "xyes"; then
5124 [ --with-mantype=man|cat|doc Set man page type],
5136 if test -z "$MANTYPE"; then
5139 elif ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then
5141 elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then
5155 # Whether to disable shadow password support
5157 [ --without-shadow Disable shadow password support],
5166 if test -z "$disable_shadow" ; then
5179 [Define if you want to use shadow password expire field])
5186 if test ! -z "$IPADDR_IN_DISPLAY" ; then
5189 [Define if you need to use IP address
5193 AC_ARG_WITH([ipaddr-display],
5194 [ --with-ipaddr-display Use ip address instead of hostname in $DISPLAY],
5205 AC_ARG_ENABLE([etc-default-login],
5206 [ --disable-etc-default-login Disable using PATH from /etc/default/login [no]],
5213 [ if test ! -z "$cross_compiling" && test "x$cross_compiling" = "xyes";
5231 dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
5237 # Whether to mess with the default path
5239 AC_ARG_WITH([default-path],
5240 [ --with-default-path= Specify default $PATH environment for server],
5244 --with-default-path=PATH has no effect on this system.
5247 if test ! -z "$external_path_file" ; then
5249 --with-default-path=PATH will only be used if PATH is not defined in
5257 AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
5259 if test ! -z "$external_path_file" ; then
5261 If PATH is defined in $external_path_file, ensure the path to scp is included,
5312 if test $? -ne 0 ; then
5314 if test $? -ne 0 ; then
5316 AC_MSG_RESULT([Adding $t_bindir to USER_PATH so scp will work])
5326 # Set superuser path separately to user path
5327 AC_ARG_WITH([superuser-path],
5328 [ --with-superuser-path= Specify different path for super-user],
5330 if test -n "$withval" && test "x$withval" != "xno" && \
5341 AC_MSG_CHECKING([if we need to convert IPv4 in IPv6-mapped addresses])
5344 [ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses],
5366 # Whether to enable BSD auth support
5368 AC_ARG_WITH([bsd-auth],
5369 [ --with-bsd-auth Enable BSD auth support],
5379 # Where to place sshd.pid
5382 if test ! -d $piddir ; then
5389 AC_ARG_WITH([pid-dir],
5390 [ --with-pid-dir=PATH Specify location of sshd.pid file],
5392 if test -n "$withval" && test "x$withval" != "xno" && \
5395 if test ! -d $piddir ; then
5407 AC_ARG_ENABLE([fd-passing],
5408 [ --disable-fd-passing disable file descriptor passsing [no]],
5416 dnl allow user to disable some login recording features
5418 [ --disable-lastlog disable use of lastlog even if detected [no]],
5426 [ --disable-utmp disable use of utmp even if detected [no]],
5434 [ --disable-utmpx disable use of utmpx even if detected [no]],
5438 [Define if you don't want to use utmpx])
5443 [ --disable-wtmp disable use of wtmp even if detected [no]],
5451 [ --disable-wtmpx disable use of wtmpx even if detected [no]],
5455 [Define if you don't want to use wtmpx])
5460 [ --disable-libutil disable use of libutil (login() etc.) [no]],
5468 [ --disable-pututline disable use of pututline() etc. ([uw]tmp) [no]],
5472 [Define if you don't want to use pututline()
5473 etc. to write [uw]tmp])
5478 [ --disable-pututxline disable use of pututxline() etc. ([uw]tmpx) [no]],
5482 [Define if you don't want to use pututxline()
5483 etc. to write [uw]tmpx])
5488 [ --with-lastlog=FILE|DIR specify lastlog location [common locations]],
5492 elif test -n "$withval" && test "x${withval}" != "xyes"; then
5499 dnl NOTE: set the paths in the platform section to avoid the
5500 dnl need for command-line parameters
5501 dnl lastlog and [uw]tmp are subject to a file search if all else fails
5540 if test -z "$conf_lastlog_location"; then
5543 if (test -d "$f" || test -f "$f") ; then
5547 if test -z "$conf_lastlog_location"; then
5549 dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx
5554 if test -n "$conf_lastlog_location"; then
5556 [Define if you want to specify the path to your lastlog file])
5572 if test -z "$conf_utmp_location"; then
5575 if test -f $f ; then
5579 if test -z "$conf_utmp_location"; then
5584 if test -n "$conf_utmp_location"; then
5586 [Define if you want to specify the path to your utmp file])
5602 if test -z "$conf_wtmp_location"; then
5605 if test -f $f ; then
5609 if test -z "$conf_wtmp_location"; then
5614 if test -n "$conf_wtmp_location"; then
5616 [Define if you want to specify the path to your wtmp file])
5635 if test -z "$conf_wtmpx_location"; then
5641 [Define if you want to specify the path to your wtmpx file])
5645 if test ! -z "$blibpath" ; then
5687 dnl Adding -Werror to CFLAGS early prevents configure tests from running.
5716 LDFLAGS_NOPIE=`echo "$LDFLAGS" | sed 's/ -pie//'`
5717 CFLAGS_NOPIE=`echo "$CFLAGS" | sed 's/ -fPIE//'`
5723 openbsd-compat/Makefile openbsd-compat/regress/Makefile \
5734 E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
5752 echo " Make sure the path to scp is present, otherwise scp will not work"
5755 if test ! -z "$external_path_file"; then
5757 echo " used, ensure the path to scp is present, otherwise scp will not work.)"
5760 if test ! -z "$superuser_path" ; then
5790 if test ! -z "${CHANNELLIBS}"; then
5793 if test ! -z "${LIBFIDO2}"; then
5796 if test ! -z "${SSHDLIBS}"; then
5808 echo "PAM is enabled. You may need to install a PAM control file "
5815 if test ! -z "$NO_PEERCHECK" ; then
5817 echo "appear to support getpeereid(), getpeerucred() or the"
5818 echo "SO_PEERCRED getsockopt() option. These facilities are used to"
5819 echo "enforce security checks to prevent unauthorised connections to"
5820 echo "ssh-agent. Their absence increases the risk that a malicious"
5821 echo "user can connect to your agent."