author | Markus Friedl <markus@cvs.openbsd.org> | 2000-06-18 04:05:03 +0000 |
---|---|---|
committer | Markus Friedl <markus@cvs.openbsd.org> | 2000-06-18 04:05:03 +0000 |
commit | dc325368e83d5ead4a841fb98e2875c0538f5116 (patch) | |
tree | 03e410e888bbcdc3c607438c0534fd13bc4a2215 /usr.bin/ssh | |
parent | f0692cef8da2efb70ad8ab2eb85694990001dee1 (diff) |
split auth-rsa option parsing into auth-options
add options support to authorized_keys2
Diffstat (limited to 'usr.bin/ssh')
-rw-r--r-- | usr.bin/ssh/auth-options.c | 208 | ||||
-rw-r--r-- | usr.bin/ssh/auth-options.h | 13 | ||||
-rw-r--r-- | usr.bin/ssh/auth-rsa.c | 199 | ||||
-rw-r--r-- | usr.bin/ssh/auth2.c | 30 | ||||
-rw-r--r-- | usr.bin/ssh/serverloop.c | 7 | ||||
-rw-r--r-- | usr.bin/ssh/session.c | 73 | ||||
-rw-r--r-- | usr.bin/ssh/sshd/Makefile | 2 |
7 files changed, 301 insertions, 231 deletions
diff --git a/usr.bin/ssh/auth-options.c b/usr.bin/ssh/auth-options.c
new file mode 100644
index 00000000000..9e02c14b7d0
--- /dev/null
+++ b/usr.bin/ssh/auth-options.c
@@ -0,0 +1,208 @@
+#include "includes.h"
+RCSID("$Id: auth-options.c,v 1.1 2000/06/18 04:05:01 markus Exp $");
+
+#include "ssh.h"
+#include "packet.h"
+#include "xmalloc.h"
+#include "match.h"
+
+/* Flags set authorized_keys flags */
+int no_port_forwarding_flag = 0;
+int no_agent_forwarding_flag = 0;
+int no_x11_forwarding_flag = 0;
+int no_pty_flag = 0;
+
+/* "command=" option. */
+char *forced_command = NULL;
+
+/* "environment=" options. */
+struct envstring *custom_environment = NULL;
+
+/* return 1 if access is granted, 0 if not. side effect: sets key option flags */
+int
+auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
+{
+ const char *cp;
+ if (!options)
+ return 1;
+ while (*options && *options != ' ' && *options != '\t') {
+ cp = "no-port-forwarding";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ packet_send_debug("Port forwarding disabled.");
+ no_port_forwarding_flag = 1;
+ options += strlen(cp);
+ goto next_option;
+ }
+ cp = "no-agent-forwarding";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ packet_send_debug("Agent forwarding disabled.");
+ no_agent_forwarding_flag = 1;
+ options += strlen(cp);
+ goto next_option;
+ }
+ cp = "no-X11-forwarding";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ packet_send_debug("X11 forwarding disabled.");
+ no_x11_forwarding_flag = 1;
+ options += strlen(cp);
+ goto next_option;
+ }
+ cp = "no-pty";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ packet_send_debug("Pty allocation disabled.");
+ no_pty_flag = 1;
+ options += strlen(cp);
+ goto next_option;
+ }
+ cp = "command=\"";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ int i;
+ options += strlen(cp);
+ forced_command = xmalloc(strlen(options) + 1);
+ i = 0;
+ while (*options) {
+ if (*options == '"')
+ break;
+ if (*options == '\\' && options[1] == '"') {
+ options += 2;
+ forced_command[i++] = '"';
+ continue;
+ }
+ forced_command[i++] = *options++;
+ }
+ if (!*options) {
+ debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ packet_send_debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ continue;
+ }
+ forced_command[i] = 0;
+ packet_send_debug("Forced command: %.900s", forced_command);
+ options++;
+ goto next_option;
+ }
+ cp = "environment=\"";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ int i;
+ char *s;
+ struct envstring *new_envstring;
+ options += strlen(cp);
+ s = xmalloc(strlen(options) + 1);
+ i = 0;
+ while (*options) {
+ if (*options == '"')
+ break;
+ if (*options == '\\' && options[1] == '"') {
+ options += 2;
+ s[i++] = '"';
+ continue;
+ }
+ s[i++] = *options++;
+ }
+ if (!*options) {
+ debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ packet_send_debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ continue;
+ }
+ s[i] = 0;
+ packet_send_debug("Adding to environment: %.900s", s);
+ debug("Adding to environment: %.900s", s);
+ options++;
+ new_envstring = xmalloc(sizeof(struct envstring));
+ new_envstring->s = s;
+ new_envstring->next = custom_environment;
+ custom_environment = new_envstring;
+ goto next_option;
+ }
+ cp = "from=\"";
+ if (strncmp(options, cp, strlen(cp)) == 0) {
+ int mname, mip;
+ char *patterns = xmalloc(strlen(options) + 1);
+ int i;
+ options += strlen(cp);
+ i = 0;
+ while (*options) {
+ if (*options == '"')
+ break;
+ if (*options == '\\' && options[1] == '"') {
+ options += 2;
+ patterns[i++] = '"';
+ continue;
+ }
+ patterns[i++] = *options++;
+ }
+ if (!*options) {
+ debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ packet_send_debug("%.100s, line %lu: missing end quote",
+ SSH_USER_PERMITTED_KEYS, linenum);
+ continue;
+ }
+ patterns[i] = 0;
+ options++;
+ /*
+ * Deny access if we get a negative
+ * match for the hostname or the ip
+ * or if we get not match at all
+ */
+ mname = match_hostname(get_canonical_hostname(),
+ patterns, strlen(patterns));
+ mip = match_hostname(get_remote_ipaddr(),
+ patterns, strlen(patterns));
+ xfree(patterns);
+ if (mname == -1 || mip == -1 ||
+ (mname != 1 && mip != 1)) {
+ log("Authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).",
+ pw->pw_name, get_canonical_hostname(),
+ get_remote_ipaddr());
+ packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
+ get_canonical_hostname());
+ /* key invalid for this host, reset flags */
+ no_agent_forwarding_flag = 0;
+ no_port_forwarding_flag = 0;
+ no_pty_flag = 0;
+ no_x11_forwarding_flag = 0;
+ while (custom_environment) {
+ struct envstring *ce = custom_environment;
+ custom_environment = ce->next;
+ xfree(ce->s);
+ xfree(ce);
+ }
+ if (forced_command) {
+ xfree(forced_command);
+ forced_command = NULL;
+ }
+ /* deny access */
+ return 0;
+ }
+ /* Host name matches. */
+ goto next_option;
+ }
+next_option:
+ /*
+ * Skip the comma, and move to the next option
+ * (or break out if there are no more).
+ */
+ if (!*options)
+ fatal("Bugs in auth-options.c option processing.");
+ if (*options == ' ' || *options == '\t')
+ break; /* End of options. */
+ if (*options != ',')
+ goto bad_option;
+ options++;
+ /* Process the next option. */
+ }
+ /* grant access */
+ return 1;
+
+bad_option:
+ log("Bad options in %.100s file, line %lu: %.50s",
+ SSH_USER_PERMITTED_KEYS, linenum, options);
+ packet_send_debug("Bad options in %.100s file, line %lu: %.50s",
+ SSH_USER_PERMITTED_KEYS, linenum, options);
+ /* deny access */
+ return 0;
+}
diff --git a/usr.bin/ssh/auth-options.h b/usr.bin/ssh/auth-options.h
new file mode 100644
index 00000000000..1ecdb9df4e1
--- /dev/null
+++ b/usr.bin/ssh/auth-options.h
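Review bot: In the three `if (!*options)` missing-end-quote branches of `auth_parse_options`, `continue` re-tests `while (*options && ...)` with `*options == 0`, so the loop ends and control falls through to `return 1`: a `from="..."` or `command="..."` option whose closing quote is missing grants access with the restriction silently dropped, and in the `command=` case `forced_command` is left pointing at an xmalloc'd buffer that never received its `forced_command[i] = 0` terminator. Each of those branches should free what it allocated (`forced_command`, `s`, `patterns`) and then `goto bad_option;` rather than `continue;`, so the line is rejected and logged like any other malformed option. Separately, the `bad_option` exit returns 0 without resetting the four flag globals or releasing `forced_command` and `custom_environment`, whereas the `from=` denial does; since both callers in this commit keep scanning the key file after a 0 return, a later matching line can inherit option state from a rejected one, and factoring the reset block into a small static helper used by both exits would close that.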
@@ -0,0 +1,13 @@ +#ifndef AUTH_OPTIONS_H +#define AUTH_OPTIONS_H +/* Flags that may be set in authorized_keys options. */ +extern int no_port_forwarding_flag; +extern int no_agent_forwarding_flag; +extern int no_x11_forwarding_flag; +extern int no_pty_flag; +extern char *forced_command; +extern struct envstring *custom_environment; + +/* return 1 if access is granted, 0 if not. side effect: sets key option flags */ +int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum); +#endif diff --git a/usr.bin/ssh/auth-rsa.c b/usr.bin/ssh/auth-rsa.c index f19a20a9978..1c38e73f399 100644 --- a/usr.bin/ssh/auth-rsa.c +++ b/usr.bin/ssh/auth-rsa.c @@ -16,7 +16,7 @@ */ #include "includes.h" -RCSID("$Id: auth-rsa.c,v 1.24 2000/06/06 19:32:13 markus Exp $"); +RCSID("$Id: auth-rsa.c,v 1.25 2000/06/18 04:05:02 markus Exp $"); #include "rsa.h" #include "packet.h" @@ -26,18 +26,11 @@ RCSID("$Id: auth-rsa.c,v 1.24 2000/06/06 19:32:13 markus Exp $"); #include "uidswap.h" #include "match.h" #include "servconf.h" +#include "auth-options.h" #include <openssl/rsa.h> #include <openssl/md5.h> -/* Flags that may be set in authorized_keys options. */ -extern int no_port_forwarding_flag; -extern int no_agent_forwarding_flag; -extern int no_x11_forwarding_flag; -extern int no_pty_flag; -extern char *forced_command; -extern struct envstring *custom_environment; - /* * Session identifier that is used to bind key exchange and authentication * responses to a particular session. @@ -133,7 +126,6 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) unsigned long linenum = 0; struct stat st; RSA *pk; - int mname, mip; /* Temporarily use the user's uid. */ temporarily_use_uid(pw->pw_uid); 
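Review bot: The prototype `int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum);` in the new auth-options.h names `struct passwd` with no prior declaration in the header, so in any translation unit that includes auth-options.h before `<pwd.h>` the tag has prototype scope only, and the compiler will warn that the struct declared inside the parameter list is not visible outside it and treat it as a distinct type. Adding `struct passwd;` and `struct envstring;` as forward declarations right after the include guard makes the header self-contained regardless of include order; the callers in this commit happen to include it after `includes.h`, so the problem is latent today.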
@@ -269,195 +261,10 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) * authenticated. Note that we have not yet processed the * options; this will be reset if the options cause the * authentication to be rejected. - */ - authenticated = 1; - - /* RSA part of authentication was accepted. Now process the options. */ - if (options) { - while (*options && *options != ' ' && *options != '\t') { - cp = "no-port-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { - packet_send_debug("Port forwarding disabled."); - no_port_forwarding_flag = 1; - options += strlen(cp); - goto next_option; - } - cp = "no-agent-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { - packet_send_debug("Agent forwarding disabled."); - no_agent_forwarding_flag = 1; - options += strlen(cp); - goto next_option; - } - cp = "no-X11-forwarding"; - if (strncmp(options, cp, strlen(cp)) == 0) { - packet_send_debug("X11 forwarding disabled."); - no_x11_forwarding_flag = 1; - options += strlen(cp); - goto next_option; - } - cp = "no-pty"; - if (strncmp(options, cp, strlen(cp)) == 0) { - packet_send_debug("Pty allocation disabled."); - no_pty_flag = 1; - options += strlen(cp); - goto next_option; - } - cp = "command=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { - int i; - options += strlen(cp); - forced_command = xmalloc(strlen(options) + 1); - i = 0; - while (*options) { - if (*options == '"') - break; - if (*options == '\\' && options[1] == '"') { - options += 2; - forced_command[i++] = '"'; - continue; - } - forced_command[i++] = *options++; - } - if (!*options) { - debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); - packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); - continue; - } - forced_command[i] = 0; - packet_send_debug("Forced command: %.900s", forced_command); - options++; - goto next_option; - } - cp = "environment=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { - int i; - char *s; - struct 
envstring *new_envstring; - options += strlen(cp); - s = xmalloc(strlen(options) + 1); - i = 0; - while (*options) { - if (*options == '"') - break; - if (*options == '\\' && options[1] == '"') { - options += 2; - s[i++] = '"'; - continue; - } - s[i++] = *options++; - } - if (!*options) { - debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); - packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); - continue; - } - s[i] = 0; - packet_send_debug("Adding to environment: %.900s", s); - debug("Adding to environment: %.900s", s); - options++; - new_envstring = xmalloc(sizeof(struct envstring)); - new_envstring->s = s; - new_envstring->next = custom_environment; - custom_environment = new_envstring; - goto next_option; - } - cp = "from=\""; - if (strncmp(options, cp, strlen(cp)) == 0) { - char *patterns = xmalloc(strlen(options) + 1); - int i; - options += strlen(cp); - i = 0; - while (*options) { - if (*options == '"') - break; - if (*options == '\\' && options[1] == '"') { - options += 2; - patterns[i++] = '"'; - continue; - } - patterns[i++] = *options++; - } - if (!*options) { - debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); - packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); - continue; - } - patterns[i] = 0; - options++; - /* - * Deny access if we get a negative - * match for the hostname or the ip - * or if we get not match at all - */ - mname = match_hostname(get_canonical_hostname(), - patterns, strlen(patterns)); - mip = match_hostname(get_remote_ipaddr(), - patterns, strlen(patterns)); - if (mname == -1 || mip == -1 || - (mname != 1 && mip != 1)) { - log("RSA authentication tried for %.100s with correct key but not from a permitted host (host=%.200s, ip=%.200s).", - pw->pw_name, get_canonical_hostname(), - get_remote_ipaddr()); - packet_send_debug("Your host '%.200s' is not permitted to use this key for login.", - 
get_canonical_hostname()); - xfree(patterns); - /* key invalid for this host, reset flags */ - authenticated = 0; - no_agent_forwarding_flag = 0; - no_port_forwarding_flag = 0; - no_pty_flag = 0; - no_x11_forwarding_flag = 0; - while (custom_environment) { - struct envstring *ce = custom_environment; - custom_environment = ce->next; - xfree(ce->s); - xfree(ce); - } - if (forced_command) { - xfree(forced_command); - forced_command = NULL; - } - break; - } - xfree(patterns); - /* Host name matches. */ - goto next_option; - } - bad_option: - log("Bad options in %.100s file, line %lu: %.50s", - SSH_USER_PERMITTED_KEYS, linenum, options); - packet_send_debug("Bad options in %.100s file, line %lu: %.50s", - SSH_USER_PERMITTED_KEYS, linenum, options); - authenticated = 0; - break; - - next_option: - /* - * Skip the comma, and move to the next option - * (or break out if there are no more). - */ - if (!*options) - fatal("Bugs in auth-rsa.c option processing."); - if (*options == ' ' || *options == '\t') - break; /* End of options. */ - if (*options != ',') - goto bad_option; - options++; - /* Process the next option. */ - continue; - } - } - /* * Break out of the loop if authentication was successful; * otherwise continue searching. */ + authenticated = auth_parse_options(pw, options, linenum); if (authenticated) break; } diff --git a/usr.bin/ssh/auth2.c b/usr.bin/ssh/auth2.c index 731a313ac33..e0dc179d3de 100644 --- a/usr.bin/ssh/auth2.c +++ b/usr.bin/ssh/auth2.c @@ -27,7 +27,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.9 2000/06/18 01:09:10 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.10 2000/06/18 04:05:02 markus Exp $"); #include <openssl/dsa.h> #include <openssl/rsa.h> @@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth2.c,v 1.9 2000/06/18 01:09:10 markus Exp $"); #include "dsa.h" #include "uidswap.h" +#include "auth-options.h" /* import */ extern ServerOptions options; 
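Review bot: The comment block that survives above the new `authenticated = auth_parse_options(pw, options, linenum);` line still ends with "...we have not yet processed the options; this will be reset if the options cause the authentication to be rejected.", which described the removed `authenticated = 1;` pre-assignment; after this hunk the options are processed inside `auth_parse_options` and `authenticated` is simply its return value, so that sentence is stale, and the deleted ` */` / ` /*` pair appears to have merged it with the "Break out of the loop..." comment that follows. I would replace the two stale comment lines with `* The key matched; auth_parse_options() applies the key's options` / `* and decides whether the match grants access.` and keep the "Break out of the loop if authentication was successful; otherwise continue searching." sentence as is. The body of `auth_rsa` begins and ends outside this hunk.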
@@ -444,17 +445,36 @@ user_dsa_key_allowed(struct passwd *pw, Key *key) found = key_new(KEY_DSA); while (fgets(line, sizeof(line), f)) { - char *cp; + char *cp, *options = NULL; linenum++; /* Skip leading whitespace, empty and comment lines. */ for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; if (!*cp || *cp == '\n' || *cp == '#') continue; + bits = key_read(found, &cp); - if (bits == 0) - continue; - if (key_equal(found, key)) { + if (bits == 0) { + /* no key? check if there are options for this key */ + int quoted = 0; + options = cp; + for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) { + if (*cp == '\\' && cp[1] == '"') + cp++; /* Skip both */ + else if (*cp == '"') + quoted = !quoted; + } + /* Skip remaining whitespace. */ + for (; *cp == ' ' || *cp == '\t'; cp++) + ; + bits = key_read(found, &cp); + if (bits == 0) { + /* still no key? advance to next line*/ + continue; + } + } + if (key_equal(found, key) && + auth_parse_options(pw, options, linenum) == 1) { found_key = 1; debug("matching key found: file %s, line %ld", file, linenum); diff --git a/usr.bin/ssh/serverloop.c b/usr.bin/ssh/serverloop.c index 74a800b9d96..46ac69a5ca7 100644 --- a/usr.bin/ssh/serverloop.c +++ b/usr.bin/ssh/serverloop.c @@ -23,6 +23,7 @@ #include "ssh2.h" #include "session.h" #include "dispatch.h" +#include "auth-options.h" static Buffer stdin_buffer; /* Buffer for stdin data. */ static Buffer stdout_buffer; /* Buffer for stdout data. */ @@ -706,7 +707,13 @@ input_direct_tcpip(void) debug("open direct-tcpip: from %s port %d to %s port %d", originator, originator_port, target, target_port); + /* XXX check permission */ + if (! no_port_forwarding_flag) { + xfree(target); + xfree(originator); + return -1; + } sock = channel_connect_to(target, target_port); xfree(target); xfree(originator); diff --git a/usr.bin/ssh/session.c b/usr.bin/ssh/session.c index 6c9b42c2642..a540eb320c4 100644 --- a/usr.bin/ssh/session.c +++ b/usr.bin/ssh/session.c 
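Review bot: In the new options branch of `user_dsa_key_allowed`, when the second `key_read(found, &cp)` also returns 0 the line is dropped with a bare `continue`, so an authorized_keys2 entry whose option string is malformed (for example an unterminated quote, which makes the `quoted` scanner consume the rest of the line) is skipped without any trace in the server log, which makes a lockout hard to diagnose. A `debug("no key found after options: file %s, line %ld", file, linenum);` before that `continue`, mirroring the existing "matching key found" message, would make the skip visible. `user_dsa_key_allowed` begins and ends outside this hunk.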
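Review bot: The permission check added to `input_direct_tcpip` is inverted: `if (! no_port_forwarding_flag)` rejects the request with `return -1` when the flag is 0, i.e. for every key that does not carry `no-port-forwarding`, and lets the connection through precisely when the key option forbids it. The condition should be `if (no_port_forwarding_flag) {`, and a `debug("direct-tcpip to %s port %d refused by key option", target, target_port);` before the two `xfree` calls would record the refusal. `input_direct_tcpip` continues outside the hunk.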
@@ -8,7 +8,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: session.c,v 1.18 2000/06/17 22:52:33 jakob Exp $"); +RCSID("$OpenBSD: session.c,v 1.19 2000/06/18 04:05:02 markus Exp $"); #include "xmalloc.h" #include "ssh.h" @@ -26,6 +26,7 @@ RCSID("$OpenBSD: session.c,v 1.18 2000/06/17 22:52:33 jakob Exp $"); #include "bufaux.h" #include "ssh2.h" #include "auth.h" +#include "auth-options.h" /* types */ @@ -79,18 +80,6 @@ static char *xauthfile; #define MAX_SESSIONS 10 Session sessions[MAX_SESSIONS]; -/* Flags set in auth-rsa from authorized_keys flags. These are set in auth-rsa.c. */ -int no_port_forwarding_flag = 0; -int no_agent_forwarding_flag = 0; -int no_x11_forwarding_flag = 0; -int no_pty_flag = 0; - -/* RSA authentication "command=" option. */ -char *forced_command = NULL; - -/* RSA authentication "environment=" options. */ -struct envstring *custom_environment = NULL; - /* * Remove local Xauthority file. */ @@ -1174,6 +1163,8 @@ session_pty_req(Session *s) unsigned int len; char *term_modes; /* encoded terminal modes */ + if (no_pty_flag) + return 0; if (s->ttyfd != -1) return 0; s->term = packet_get_string(&len); @@ -1244,6 +1235,10 @@ session_subsystem_req(Session *s) int session_x11_req(Session *s) { + if (!no_port_forwarding_flag) { + debug("X11 forwarding disabled in user configuration file."); + return 0; + } if (!options.x11_forwarding) { debug("X11 forwarding disabled in server configuration file."); return 0; 
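Review bot: The guard added at the top of `session_x11_req` is inverted and tests the wrong flag: `if (!no_port_forwarding_flag)` refuses X11 forwarding in the default case (flag 0) and allows it once a key carries `no-port-forwarding`, while the `no-X11-forwarding` option it is meant to enforce is never consulted. The intended line is `if (no_x11_forwarding_flag) {`; the `if (no_pty_flag) return 0;` check added to `session_pty_req` in the preceding hunk has the right sense and is the model to follow. Both functions continue outside their hunks.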
@@ -1290,6 +1285,40 @@ session_x11_req(Session *s) return 1; } +int +session_shell_req(Session *s) +{ + /* if forced_command == NULL, the shell is execed */ + char *shell = forced_command; + packet_done(); + s->extended = 1; + if (s->ttyfd == -1) + do_exec_no_pty(s, shell, s->pw); + else + do_exec_pty(s, shell, s->pw); + return 1; +} + +int +session_exec_req(Session *s) +{ + char *command = packet_get_string(&len); + packet_done(); + if (forced_command) { + xfree(command); + command = forced_command; + debug("Forced command '%.500s'", forced_command); + } + s->extended = 1; + if (s->ttyfd == -1) + do_exec_no_pty(s, command, s->pw); + else + do_exec_pty(s, command, s->pw); + if (forced_command == NULL) + xfree(command); + return 1; +} + void session_input_channel_req(int id, void *arg) { @@ -1319,23 +1348,9 @@ session_input_channel_req(int id, void *arg) */ if (c->type == SSH_CHANNEL_LARVAL) { if (strcmp(rtype, "shell") == 0) { - packet_done(); - s->extended = 1; - if (s->ttyfd == -1) - do_exec_no_pty(s, NULL, s->pw); - else - do_exec_pty(s, NULL, s->pw); - success = 1; + success = session_shell_req(s); } else if (strcmp(rtype, "exec") == 0) { - char *command = packet_get_string(&len); - packet_done(); - s->extended = 1; - if (s->ttyfd == -1) - do_exec_no_pty(s, command, s->pw); - else - do_exec_pty(s, command, s->pw); - xfree(command); - success = 1; + success = session_exec_req(s); } else if (strcmp(rtype, "pty-req") == 0) { success = session_pty_req(s); } else if (strcmp(rtype, "x11-req") == 0) { diff --git a/usr.bin/ssh/sshd/Makefile b/usr.bin/ssh/sshd/Makefile index f74a0325375..321e1dfe5fb 100644 --- a/usr.bin/ssh/sshd/Makefile +++ b/usr.bin/ssh/sshd/Makefile @@ -8,7 +8,7 @@ MAN= sshd.8 SRCS= sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \ pty.c log-server.c login.c servconf.c serverloop.c \ - auth.c auth1.c auth2.c session.c + auth.c auth1.c auth2.c auth-options.c session.c .include <bsd.own.mk> # for KERBEROS and AFS |
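Review bot: `session_exec_req` calls `packet_get_string(&len)` but declares no `len`; the removed call in `session_input_channel_req` presumably relied on that function's own `unsigned int len` local (the same declaration is visible in `session_pty_req`), so unless a file-scope `len` exists the new function does not compile — add `unsigned int len;` as its first declaration. When `forced_command` is set, the client's requested command is freed without being recorded, which loses the one piece of evidence an operator wants when a restricted key is probed; log it before discarding, e.g. `debug("Forced command '%.500s' (client requested '%.500s')", forced_command, command);` placed ahead of the `xfree(command)`. Both new functions are complete within the hunk.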