diff options
| author | Dag-Erling Smørgrav <des@FreeBSD.org> | 2009-02-24 18:49:27 +0000 |
|---|---|---|
| committer | Dag-Erling Smørgrav <des@FreeBSD.org> | 2009-02-24 18:49:27 +0000 |
| commit | 9ab1052dcdca9be06dcec8abc37103a70e358e73 (patch) | |
| tree | e584c257bb55edd49609ecf2750698017a03411e /ChangeLog | |
| parent | 23371b1d95849b7f55a33cad9ba00f81e822c5a1 (diff) | |
| download | src-9ab1052dcdca9be06dcec8abc37103a70e358e73.tar.gz src-9ab1052dcdca9be06dcec8abc37103a70e358e73.zip | |
Vendor import of OpenSSH 5.2p1vendor/openssh/5.2p1
Notes
Notes:
svn path=/vendor-crypto/openssh/dist/; revision=189006
svn path=/vendor-crypto/openssh/5.2p1/; revision=189007; tag=vendor/openssh/5.2p1
Diffstat (limited to 'ChangeLog')
| -rw-r--r-- | ChangeLog | 4332 |
1 files changed, 494 insertions, 3838 deletions
diff --git a/ChangeLog b/ChangeLog index 3d08a80d3c9c..f802c0d7fc4d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,497 @@ +20090223 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2009/02/22 23:50:57 + [ssh_config.5 sshd_config.5] + don't advertise experimental options + - djm@cvs.openbsd.org 2009/02/22 23:59:25 + [sshd_config.5] + missing period + - djm@cvs.openbsd.org 2009/02/23 00:06:15 + [version.h] + openssh-5.2 + - (djm) [README] update for 5.2 + - (djm) Release openssh-5.2p1 + +20090222 + - (djm) OpenBSD CVS Sync + - tobias@cvs.openbsd.org 2009/02/21 19:32:04 + [misc.c sftp-server-main.c ssh-keygen.c] + Added missing newlines in error messages. + ok dtucker + +20090221 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2009/02/17 01:28:32 + [ssh_config] + sync with revised default ciphers; pointed out by dkrause@ + - djm@cvs.openbsd.org 2009/02/18 04:31:21 + [schnorr.c] + signature should hash over the entire group, not just the generator + (this is still disabled code) + - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] + [contrib/suse/openssh.spec] Prepare for 5.2p1 + +20090216 + - (djm) [regress/conch-ciphers.sh regress/putty-ciphers.sh] + [regress/putty-kex.sh regress/putty-transfer.sh] Downgrade disabled + interop tests from FATAL error to a warning. Allows some interop + tests to proceed if others are missing necessary prerequisites. + - (djm) [configure.ac] support GNU/kFreeBSD and GNU/kOpensolaris + systems; patch from Aurelien Jarno via rmh AT aybabtu.com + +20090214 + - (djm) OpenBSD CVS Sync + - dtucker@cvs.openbsd.org 2009/02/02 11:15:14 + [sftp.c] + Initialize a few variables to prevent spurious "may be used + uninitialized" warnings from newer gcc's. ok djm@ + - djm@cvs.openbsd.org 2009/02/12 03:00:56 + [canohost.c canohost.h channels.c channels.h clientloop.c readconf.c] + [readconf.h serverloop.c ssh.c] + support remote port forwarding with a zero listen port (-R0:...) to + dyamically allocate a listen port at runtime (this is actually + specified in rfc4254); bz#1003 ok markus@ + - djm@cvs.openbsd.org 2009/02/12 03:16:01 + [serverloop.c] + tighten check for -R0:... forwarding: only allow dynamic allocation + if want_reply is set in the packet + - djm@cvs.openbsd.org 2009/02/12 03:26:22 + [monitor.c] + some paranoia: check that the serialised key is really KEY_RSA before + diddling its internals + - djm@cvs.openbsd.org 2009/02/12 03:42:09 + [ssh.1] + document -R0:... usage + - djm@cvs.openbsd.org 2009/02/12 03:44:25 + [ssh.1] + consistency: Dq => Ql + - djm@cvs.openbsd.org 2009/02/12 03:46:17 + [ssh_config.5] + document RemoteForward usage with 0 listen port + - jmc@cvs.openbsd.org 2009/02/12 07:34:20 + [ssh_config.5] + kill trailing whitespace; + - markus@cvs.openbsd.org 2009/02/13 11:50:21 + [packet.c] + check for enc !=NULL in packet_start_discard + - djm@cvs.openbsd.org 2009/02/14 06:35:49 + [PROTOCOL] + mention that eow and no-more-sessions extensions are sent only to + OpenSSH peers + +20090212 + - (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically + set ownership and modes, so avoid explicitly setting them + - (djm) [configure.ac loginrec.c] bz#1421: fix lastlog support for OSX. + OSX provides a getlastlogxbyname function that automates the reading of + a lastlog file. Also, the pututxline function will update lastlog so + there is no need for loginrec.c to do it explicitly. Collapse some + overly verbose code while I'm in there. + +20090201 + - (dtucker) [defines.h sshconnect.c] INET6_ADDRSTRLEN is now needed in + channels.c too, so move the definition for non-IP6 platforms to defines.h + where it can be shared. + +20090129 + - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. + If the CYGWIN environment variable is empty, the installer script + should not install the service with an empty CYGWIN variable, but + rather without setting CYGWNI entirely. + - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes. + +20090128 + - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. + Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. + The information given for the setting of the CYGWIN environment variable + is wrong for both releases so I just removed it, together with the + unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. + +20081228 + - (djm) OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2008/12/09 03:20:42 + [channels.c servconf.c] + channel_print_adm_permitted_opens() should deal with all the printing + for that config option. suggested by markus@; ok markus@ djm@ + dtucker@ + - djm@cvs.openbsd.org 2008/12/09 04:32:22 + [auth2-chall.c] + replace by-hand string building with xasprinf(); ok deraadt@ + - sobrado@cvs.openbsd.org 2008/12/09 15:35:00 + [sftp.1 sftp.c] + update for the synopses displayed by the 'help' command, there are a + few missing flags; add 'bye' to the output of 'help'; sorting and spacing. + jmc@ suggested replacing .Oo/.Oc with a single .Op macro. + ok jmc@ + - stevesk@cvs.openbsd.org 2008/12/09 22:37:33 + [clientloop.c] + fix typo in error message + - stevesk@cvs.openbsd.org 2008/12/10 03:55:20 + [addrmatch.c] + o cannot be NULL here but use xfree() to be consistent; ok djm@ + - stevesk@cvs.openbsd.org 2008/12/29 01:12:36 + [ssh-keyscan.1] + fix example, default key type is rsa for 3+ years; from + frederic.perrin@resel.fr + - stevesk@cvs.openbsd.org 2008/12/29 02:23:26 + [pathnames.h] + no need to escape single quotes in comments + - okan@cvs.openbsd.org 2008/12/30 00:46:56 + [sshd_config.5] + add AllowAgentForwarding to available Match keywords list + ok djm + - djm@cvs.openbsd.org 2009/01/01 21:14:35 + [channels.c] + call channel destroy callbacks on receipt of open failure messages. + fixes client hangs when connecting to a server that has MaxSessions=0 + set spotted by imorgan AT nas.nasa.gov; ok markus@ + - djm@cvs.openbsd.org 2009/01/01 21:17:36 + [kexgexs.c] + fix hash calculation for KEXGEX: hash over the original client-supplied + values and not the sanity checked versions that we acutally use; + bz#1540 reported by john.smith AT arrows.demon.co.uk + ok markus@ + - djm@cvs.openbsd.org 2009/01/14 01:38:06 + [channels.c] + support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482; + "looks ok" markus@ + - stevesk@cvs.openbsd.org 2009/01/15 17:38:43 + [readconf.c] + 1) use obsolete instead of alias for consistency + 2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is + so move the comment. + 3) reorder so like options are together + ok djm@ + - djm@cvs.openbsd.org 2009/01/22 09:46:01 + [channels.c channels.h session.c] + make Channel->path an allocated string, saving a few bytes here and + there and fixing bz#1380 in the process; ok markus@ + - djm@cvs.openbsd.org 2009/01/22 09:49:57 + [channels.c] + oops! I committed the wrong version of the Channel->path diff, + it was missing some tweaks suggested by stevesk@ + - djm@cvs.openbsd.org 2009/01/22 10:02:34 + [clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h] + [serverloop.c ssh-keyscan.c ssh.c sshd.c] + make a2port() return -1 when it encounters an invalid port number + rather than 0, which it will now treat as valid (needed for future work) + adjust current consumers of a2port() to check its return value is <= 0, + which in turn required some things to be converted from u_short => int + make use of int vs. u_short consistent in some other places too + feedback & ok markus@ + - djm@cvs.openbsd.org 2009/01/22 10:09:16 + [auth-options.c] + another chunk of a2port() diff that got away. wtfdjm?? + - djm@cvs.openbsd.org 2009/01/23 07:58:11 + [myproposal.h] + prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC + modes; ok markus@ + - naddy@cvs.openbsd.org 2009/01/24 17:10:22 + [ssh_config.5 sshd_config.5] + sync list of preferred ciphers; ok djm@ + - markus@cvs.openbsd.org 2009/01/26 09:58:15 + [cipher.c cipher.h packet.c] + Work around the CPNI-957037 Plaintext Recovery Attack by always + reading 256K of data on packet size or HMAC errors (in CBC mode only). + Help, feedback and ok djm@ + Feedback from Martin Albrecht and Paterson Kenny + +20090107 + - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X. + Patch based on one from vgiffin AT apple.com; ok dtucker@ + - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via + launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked; + ok dtucker@ + - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make + ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity" + key). Patch from cjwatson AT debian.org + +20090107 + - (tim) [configure.ac defines.h openbsd-compat/port-uw.c + openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI. + OK djm@ dtucker@ + - (tim) [configure.ac] Move check_for_libcrypt_later=1 in *-*-sysv5*) section. + OpenServer 6 doesn't need libcrypt. + +20081209 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/12/09 02:38:18 + [clientloop.c] + The ~C escape handler does not work correctly for multiplexed sessions - + it opens a commandline on the master session, instead of on the slave + that requested it. Disable it on slave sessions until such time as it + is fixed; bz#1543 report from Adrian Bridgett via Colin Watson + ok markus@ + - djm@cvs.openbsd.org 2008/12/09 02:39:59 + [sftp.c] + Deal correctly with failures in remote stat() operation in sftp, + correcting fail-on-error behaviour in batchmode. bz#1541 report and + fix from anedvedicky AT gmail.com; ok markus@ + - djm@cvs.openbsd.org 2008/12/09 02:58:16 + [readconf.c] + don't leave junk (free'd) pointers around in Forward *fwd argument on + failure; avoids double-free in ~C -L handler when given an invalid + forwarding specification; bz#1539 report from adejong AT debian.org + via Colin Watson; ok markus@ dtucker@ + - djm@cvs.openbsd.org 2008/12/09 03:02:37 + [sftp.1 sftp.c] + correct sftp(1) and corresponding usage syntax; + bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@ + +20081208 + - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually + use some stack in main(). + Report and suggested fix from vapier AT gentoo.org + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2008/12/02 19:01:07 + [clientloop.c] + we have to use the recipient's channel number (RFC 4254) for + SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages, + otherwise we trigger 'Non-public channel' error messages on sshd + systems with clientkeepalive enabled; noticed by sturm; ok djm; + - markus@cvs.openbsd.org 2008/12/02 19:08:59 + [serverloop.c] + backout 1.149, since it's not necessary and openssh clients send + broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@ + - markus@cvs.openbsd.org 2008/12/02 19:09:38 + [channels.c] + s/remote_id/id/ to be more consistent with other code; ok djm@ + +20081201 + - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files + and tweak the is-sshd-running check in ssh-host-config. Patch from + vinschen at redhat com. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2008/11/21 15:47:38 + [packet.c] + packet_disconnect() on padding error, too. should reduce the success + probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 + ok djm@ + - dtucker@cvs.openbsd.org 2008/11/30 11:59:26 + [monitor_fdpass.c] + Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@ + +20081123 + - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some + declarations, removing an unnecessary union member and adding whitespace. + cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago. + +20081118 + - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id + member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and + feedback by djm@ + +20081111 + - (dtucker) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2008/11/05 11:22:54 + [servconf.c] + passord -> password; + fixes user/5975 from Rene Maroufi + - stevesk@cvs.openbsd.org 2008/11/07 00:42:12 + [ssh-keygen.c] + spelling/typo in comment + - stevesk@cvs.openbsd.org 2008/11/07 18:50:18 + [nchan.c] + add space to some log/debug messages for readability; ok djm@ markus@ + - dtucker@cvs.openbsd.org 2008/11/07 23:34:48 + [auth2-jpake.c] + Move JPAKE define to make life easier for portable. ok djm@ + - tobias@cvs.openbsd.org 2008/11/09 12:34:47 + [session.c ssh.1] + typo fixed (overriden -> overridden) + ok espie, jmc + - stevesk@cvs.openbsd.org 2008/11/11 02:58:09 + [servconf.c] + USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing + kerberosgetafstoken. ok dtucker@ + (Id sync only, we still want the ifdef in portable) + - stevesk@cvs.openbsd.org 2008/11/11 03:55:11 + [channels.c] + for sshd -T print 'permitopen any' vs. 'permitopen' for case of no + permitopen's; ok and input dtucker@ + - djm@cvs.openbsd.org 2008/11/10 02:06:35 + [regress/putty-ciphers.sh] + PuTTY supports AES CTR modes, so interop test against them too + +20081105 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/11/03 08:59:41 + [servconf.c] + include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov + - djm@cvs.openbsd.org 2008/11/04 07:58:09 + [auth.c] + need unistd.h for close() prototype + (ID sync only) + - djm@cvs.openbsd.org 2008/11/04 08:22:13 + [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] + [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] + [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] + [Makefile.in] + Add support for an experimental zero-knowledge password authentication + method using the J-PAKE protocol described in F. Hao, P. Ryan, + "Password Authenticated Key Exchange by Juggling", 16th Workshop on + Security Protocols, Cambridge, April 2008. + + This method allows password-based authentication without exposing + the password to the server. Instead, the client and server exchange + cryptographic proofs to demonstrate of knowledge of the password while + revealing nothing useful to an attacker or compromised endpoint. + + This is experimental, work-in-progress code and is presently + compiled-time disabled (turn on -DJPAKE in Makefile.inc). + + "just commit it. It isn't too intrusive." deraadt@ + - stevesk@cvs.openbsd.org 2008/11/04 19:18:00 + [readconf.c] + because parse_forward() is now used to parse all forward types (DLR), + and it malloc's space for host variables, we don't need to malloc + here. fixes small memory leaks. + + previously dynamic forwards were not parsed in parse_forward() and + space was not malloc'd in that case. + + ok djm@ + - stevesk@cvs.openbsd.org 2008/11/05 03:23:09 + [clientloop.c ssh.1] + add dynamic forward escape command line; ok djm@ + +20081103 + - OpenBSD CVS Sync + - sthen@cvs.openbsd.org 2008/07/24 23:55:30 + [ssh-keygen.1] + Add "ssh-keygen -F -l" to synopsis (displays fingerprint from + known_hosts). ok djm@ + - grunk@cvs.openbsd.org 2008/07/25 06:56:35 + [ssh_config] + Add VisualHostKey to example file, ok djm@ + - grunk@cvs.openbsd.org 2008/07/25 07:05:16 + [key.c] + In random art visualization, make sure to use the end marker only at the + end. Initial diff by Dirk Loss, tweaks and ok djm@ + - markus@cvs.openbsd.org 2008/07/31 14:48:28 + [sshconnect2.c] + don't allocate space for empty banners; report t8m at centrum.cz; + ok deraadt + - krw@cvs.openbsd.org 2008/08/02 04:29:51 + [ssh_config.5] + whitepsace -> whitespace. From Matthew Clarke via bugs@. + - djm@cvs.openbsd.org 2008/08/21 04:09:57 + [session.c] + allow ForceCommand internal-sftp with arguments. based on patch from + michael.barabanov AT gmail.com; ok markus@ + - djm@cvs.openbsd.org 2008/09/06 12:24:13 + [kex.c] + OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our + replacement anymore + (ID sync only for portable - we still need this) + - markus@cvs.openbsd.org 2008/09/11 14:22:37 + [compat.c compat.h nchan.c ssh.c] + only send eow and no-more-sessions requests to openssh 5 and newer; + fixes interop problems with broken ssh v2 implementations; ok djm@ + - millert@cvs.openbsd.org 2008/10/02 14:39:35 + [session.c] + Convert an unchecked strdup to xstrdup. OK deraadt@ + - jmc@cvs.openbsd.org 2008/10/03 13:08:12 + [sshd.8] + do not give an example of how to chmod files: we can presume the user + knows that. removes an ambiguity in the permission of authorized_keys; + ok deraadt + - deraadt@cvs.openbsd.org 2008/10/03 23:56:28 + [sshconnect2.c] + Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the + function. + spotted by des@freebsd, who commited an incorrect fix to the freebsd tree + and (as is fairly typical) did not report the problem to us. But this fix + is correct. + ok djm + - djm@cvs.openbsd.org 2008/10/08 23:34:03 + [ssh.1 ssh.c] + Add -y option to force logging via syslog rather than stderr. + Useful for daemonised ssh connection (ssh -f). Patch originally from + and ok'd by markus@ + - djm@cvs.openbsd.org 2008/10/09 03:50:54 + [servconf.c sshd_config.5] + support setting PermitEmptyPasswords in a Match block + requested in PR3891; ok dtucker@ + - jmc@cvs.openbsd.org 2008/10/09 06:54:22 + [ssh.c] + add -y to usage(); + - stevesk@cvs.openbsd.org 2008/10/10 04:55:16 + [scp.c] + spelling in comment; ok djm@ + - stevesk@cvs.openbsd.org 2008/10/10 05:00:12 + [key.c] + typo in error message; ok djm@ + - stevesk@cvs.openbsd.org 2008/10/10 16:43:27 + [ssh_config.5] + use 'Privileged ports can be forwarded only when logging in as root on + the remote machine.' for RemoteForward just like ssh.1 -R. + ok djm@ jmc@ + - stevesk@cvs.openbsd.org 2008/10/14 18:11:33 + [sshconnect.c] + use #define ROQUIET here; no binary change. ok dtucker@ + - stevesk@cvs.openbsd.org 2008/10/17 18:36:24 + [ssh_config.5] + correct and clarify VisualHostKey; ok jmc@ + - stevesk@cvs.openbsd.org 2008/10/30 19:31:16 + [clientloop.c sshd.c] + don't need to #include "monitor_fdpass.h" + - stevesk@cvs.openbsd.org 2008/10/31 15:05:34 + [dispatch.c] + remove unused #define DISPATCH_MIN; ok markus@ + - djm@cvs.openbsd.org 2008/11/01 04:50:08 + [sshconnect2.c] + sprinkle ARGSUSED on dispatch handlers + nuke stale unusued prototype + - stevesk@cvs.openbsd.org 2008/11/01 06:43:33 + [channels.c] + fix some typos in log messages; ok djm@ + - sobrado@cvs.openbsd.org 2008/11/01 11:14:36 + [ssh-keyscan.1 ssh-keyscan.c] + the ellipsis is not an optional argument; while here, improve spacing. + - stevesk@cvs.openbsd.org 2008/11/01 17:40:33 + [clientloop.c readconf.c readconf.h ssh.c] + merge dynamic forward parsing into parse_forward(); + 'i think this is OK' djm@ + - stevesk@cvs.openbsd.org 2008/11/02 00:16:16 + [ttymodes.c] + protocol 2 tty modes support is now 7.5 years old so remove these + debug3()s; ok deraadt@ + - stevesk@cvs.openbsd.org 2008/11/03 01:07:02 + [readconf.c] + remove valueless comment + - stevesk@cvs.openbsd.org 2008/11/03 02:44:41 + [readconf.c] + fix comment + - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd] + Make example scripts generate keys with default sizes rather than fixed, + non-default 1024 bits; patch from imorgan AT nas.nasa.gov + - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam] + [contrib/redhat/sshd.pam] Move pam_nologin to account group from + incorrect auth group in example files; + patch from imorgan AT nas.nasa.gov + +20080906 + - (dtucker) [config.guess config.sub] Update to latest versions from + http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16 + respectively). + +20080830 + - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs + larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch + from Nicholas Marriott. + +20080721 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2008/07/23 07:36:55 + [servconf.c] + do not try to print options that have been compile-time disabled + in config test mode (sshd -T); report from nix-corp AT esperi.org.uk + ok dtucker@ + - (djm) [servconf.c] Print UsePAM option in config test mode (when it + has been compiled in); report from nix-corp AT esperi.org.uk + ok dtucker@ + 20080721 - (djm) OpenBSD CVS Sync - jmc@cvs.openbsd.org 2008/07/18 22:51:01 @@ -873,3841 +1367,3 @@ [contrib/suse/openssh.spec] Crank version numbers in RPM spec files - (djm) [README] Update link to release notes - (djm) Release 5.0p1 - -20080315 - - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are - empty; report and patch from Peter Stuge - - (djm) [regress/test-exec.sh] Silence noise from detection of putty - commands; report from Peter Stuge - - (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing - crashes when used with ChrootDirectory - - -20080327 - - (dtucker) Cache selinux status earlier so we know if it's enabled after a - chroot. Allows ChrootDirectory to work with selinux support compiled in - but not enabled. Using it with selinux enabled will require some selinux - support inside the chroot. "looks sane" djm@ - - (djm) Fix RCS ident in sftp-server-main.c - - (djm) OpenBSD CVS sync: - - jmc@cvs.openbsd.org 2008/02/11 07:58:28 - [ssh.1 sshd.8 sshd_config.5] - bump Mdocdate for pages committed in "febuary", necessary because - of a typo in rcs.c; - - deraadt@cvs.openbsd.org 2008/03/13 01:49:53 - [monitor_fdpass.c] - Correct CMSG_SPACE and CMSG_LEN usage everywhere in the tree. Due to - an extensive discussion with otto, kettenis, millert, and hshoexer - - deraadt@cvs.openbsd.org 2008/03/15 16:19:02 - [monitor_fdpass.c] - Repair the simple cases for msg_controllen where it should just be - CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because - of alignment; ok kettenis hshoexer - - djm@cvs.openbsd.org 2008/03/23 12:54:01 - [sftp-client.c] - prefer POSIX-style file renaming over filexfer rename behaviour if the - server supports the posix-rename@openssh.com extension. - Note that the old (filexfer) behaviour would refuse to clobber an - existing file. Users who depended on this should adjust their sftp(1) - usage. - ok deraadt@ markus@ - - deraadt@cvs.openbsd.org 2008/03/24 16:11:07 - [monitor_fdpass.c] - msg_controllen has to be CMSG_SPACE so that the kernel can account for - each cmsg_len (ie. msg_controllen = sum of CMSG_ALIGN(cmsg_len). This - works now that kernel fd passing has been fixed to accept a bit of - sloppiness because of this ABI repair. - lots of discussion with kettenis - - djm@cvs.openbsd.org 2008/03/25 11:58:02 - [session.c sshd_config.5] - ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; - from dtucker@ ok deraadt@ djm@ - - djm@cvs.openbsd.org 2008/03/25 23:01:41 - [session.c] - last patch had backwards test; spotted by termim AT gmail.com - - djm@cvs.openbsd.org 2008/03/26 21:28:14 - [auth-options.c auth-options.h session.c sshd.8] - add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc - - djm@cvs.openbsd.org 2008/03/27 00:16:49 - [version.h] - openssh-4.9 - - djm@cvs.openbsd.org 2008/03/24 21:46:54 - [regress/sftp-badcmds.sh] - disable no-replace rename test now that we prefer a POSIX rename; spotted - by dkrause@ - - (djm) [configure.ac] fix alignment of --without-stackprotect description - - (djm) [configure.ac] --with-selinux too - - (djm) [regress/Makefile] cleanup PuTTY interop test droppings - - (djm) [README] Update link to release notes - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Crank version numbers in RPM spec files - - (djm) Release 4.9p1 - -20080315 - - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are - empty; report and patch from Peter Stuge - - (djm) [regress/test-exec.sh] Silence noise from detection of putty - commands; report from Peter Stuge - - (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing - crashes when used with ChrootDirectory - -20080314 - - (tim) [regress/sftp-cmds.sh] s/cd/lcd/ in lls test. Reported by - vinschen at redhat.com. Add () to put echo commands in subshell for lls test - I mistakenly left out of last commit. - - (tim) [regress/localcommand.sh] Shell portability fix. Reported by imorgan at - nas.nasa.gov - -20080313 - - (djm) [Makefile.in regress/Makefile] Fix interop-tests target (note to - self: make changes to Makefile.in next time, not the generated Makefile). - - (djm) [Makefile.in regress/test-exec.sh] Find installed plink(1) and - puttygen(1) by $PATH - - (tim) [scp.c] Use poll.h if available, fall back to sys/poll.h if not. Patch - by vinschen at redhat.com. - - (tim) [regress/sftp-cmds.sh regress/ssh2putty.sh] Shell portability fixes - from vinschen at redhat.com and imorgan at nas.nasa.gov - -20080312 - - (djm) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2007/10/29 06:57:13 - [regress/Makefile regress/localcommand.sh] - Add simple regress test for LocalCommand; ok djm@ - - jmc@cvs.openbsd.org 2007/11/25 15:35:09 - [regress/agent-getpeereid.sh regress/agent.sh] - more existant -> existent, from Martynas Venckus; - pfctl changes: ok henning - ssh changes: ok deraadt - - djm@cvs.openbsd.org 2007/12/12 05:04:03 - [regress/sftp-cmds.sh] - unbreak lls command and add a regress test that would have caught the - breakage; spotted by mouring@ - NB. sftp code change already committed. - - djm@cvs.openbsd.org 2007/12/21 04:13:53 - [regress/Makefile regress/test-exec.sh regress/putty-ciphers.sh] - [regress/putty-kex.sh regress/putty-transfer.sh regress/ssh2putty.sh] - basic (crypto, kex and transfer) interop regression tests against putty - To run these, install putty and run "make interop-tests" from the build - directory - the tests aren't run by default yet. - -20080311 - - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move - pam_open_session and pam_close_session into the privsep monitor, which - will ensure that pam_session_close is called as root. Patch from Tomas - Mraz. - -20080309 - - (dtucker) [configure.ac] It turns out gcc's -fstack-protector-all doesn't - always work for all platforms and versions, so test what we can and - add a configure flag to turn it of if needed. ok djm@ - - (dtucker) [openbsd-compat/port-aix.{c,h}] Remove AIX specific initgroups - implementation. It's not needed to fix bug #1081 and breaks the build - on some AIX configurations. - - (dtucker) [openbsd-compat/regress/strtonumtest.c] Bug #1347: Use platform's - equivalent of LLONG_MAX for the compat regression tests, which makes them - run on AIX and HP-UX. Patch from David Leonard. - - (dtucker) [configure.ac] Run stack-protector tests with -Werror to catch - platforms where gcc understands the option but it's not supported (and - thus generates a warning). - -20080307 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2008/02/11 07:58:28 - [ssh.1 sshd.8 sshd_config.5] - bump Mdocdate for pages committed in "febuary", necessary because - of a typo in rcs.c; - - djm@cvs.openbsd.org 2008/02/13 22:38:17 - [servconf.h session.c sshd.c] - rekey arc4random and OpenSSL RNG in postauth child - closefrom fds > 2 before shell/command execution - ok markus@ - - mbalmer@cvs.openbsd.org 2008/02/14 13:10:31 - [sshd.c] - When started in configuration test mode (-t) do not check that sshd is - being started with an absolute path. - ok djm - - markus@cvs.openbsd.org 2008/02/20 15:25:26 - [session.c] - correct boolean encoding for coredump; der Mouse via dugsong - - djm@cvs.openbsd.org 2008/02/22 05:58:56 - [session.c] - closefrom() call was too early, delay it until just before we execute - the user's rc files (if any). - - dtucker@cvs.openbsd.org 2008/02/22 20:44:02 - [clientloop.c packet.c packet.h serverloop.c] - Allow all SSH2 packet types, including UNIMPLEMENTED to reset the - keepalive timer (bz #1307). ok markus@ - - djm@cvs.openbsd.org 2008/02/27 20:21:15 - [sftp-server.c] - add an extension method "posix-rename@openssh.com" to perform POSIX atomic - rename() operations. based on patch from miklos AT szeredi.hu in bz#1400; - ok dtucker@ markus@ - - deraadt@cvs.openbsd.org 2008/03/02 18:19:35 - [monitor_fdpass.c] - use a union to ensure alignment of the cmsg (pay attention: various other - parts of the tree need this treatment too); ok djm - - deraadt@cvs.openbsd.org 2008/03/04 21:15:42 - [version.h] - crank version; from djm - - (tim) [regress/sftp-glob.sh] Shell portability fix. - -20080302 - - (dtucker) [configure.ac] FreeBSD's glob() doesn't behave the way we expect - either, so use our own. - -20080229 - - (dtucker) [openbsd-compat/bsd-poll.c] We don't check for select(2) in - configure (and there's not much point, as openssh won't work without it) - so HAVE_SELECT is not defined and the poll(2) compat code doesn't get - built in. Remove HAVE_SELECT so we can build on platforms without poll. - - (dtucker) [scp.c] Include sys/poll.h inside HAVE_SYS_POLL_H. - - (djm) [contrib/gnome-ssh-askpass2.h] Keep askpass windown on top. From - Debian patch via bernd AT openbsd.org - -20080228 - - (dtucker) [configure.ac] Add -fstack-protector to LDFLAGS too, fixes - linking problems on AIX with gcc 4.1.x. - - (dtucker) [includes.h ssh-add.c ssh-agent.c ssh-keygen.c ssh.c sshd.c - openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat - header to after OpenSSL headers, since some versions of OpenSSL have - SSLeay_add_all_algorithms as a macro already. - - (dtucker) [key.c defines.h openbsd-compat/openssl-compat.h] Move old OpenSSL - compat glue into openssl-compat.h. - - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Bug #1081: Implement - getgrouplist via getgrset on AIX, rather than iterating over getgrent. - This allows, eg, Match and AllowGroups directives to work with NIS and - LDAP groups. - - (dtucker) [sshd.c] Bug #1042: make log messages for tcpwrappers use the - same SyslogFacility as the rest of sshd. Patch from William Knox, - ok djm@. - -20080225 - - (dtucker) [openbsd-compat/fake-rfc2553.h] rename ssh_gai_strerror hack - since it now conflicts with the helper function in misc.c. From - vinschen AT redhat.com. - - (dtucker) [configure.ac audit-bsm.c] Bug #1420: Add a local implementation - of aug_get_machine for systems that don't have their own (eg OS X, FreeBSD). - Help and testing from csjp at FreeBSD org, vgiffin at apple com. ok djm@ - - (dtucker) [includes.h openbsd-compat/openssl-compat.c] Bug #1437: reshuffle - headers so ./configure --with-ssl-engine actually works. Patch from - Ian Lister. - -20080224 - - (tim) [contrib/cygwin/ssh-host-config] - Grammar changes on SYSCONFDIR LOCALSTATEDIR messages. - Check more thoroughly that it's possible to create the /var/empty directory. - Patch by vinschen AT redhat.com - -20080210 - - OpenBSD CVS Sync - - chl@cvs.openbsd.org 2008/01/11 07:22:28 - [sftp-client.c sftp-client.h] - disable unused functions - initially from tobias@, but disabled them by placing them in - "#ifdef notyet" which was asked by djm@ - ok djm@ tobias@ - - djm@cvs.openbsd.org 2008/01/19 19:13:28 - [ssh.1] - satisfy the pedants: -q does not suppress all diagnostic messages (e.g. - some commandline parsing warnings go unconditionally to stdout). - - djm@cvs.openbsd.org 2008/01/19 20:48:53 - [clientloop.c] - fd leak on session multiplexing error path. Report and patch from - gregory_shively AT fanniemae.com - - djm@cvs.openbsd.org 2008/01/19 20:51:26 - [ssh.c] - ignore SIGPIPE in multiplex client mode - we can receive this if the - server runs out of fds on us midway. Report and patch from - gregory_shively AT fanniemae.com - - djm@cvs.openbsd.org 2008/01/19 22:04:57 - [sftp-client.c] - fix remote handle leak in do_download() local file open error path; - report and fix from sworley AT chkno.net - - djm@cvs.openbsd.org 2008/01/19 22:22:58 - [ssh-keygen.c] - when hashing individual hosts (ssh-keygen -Hf hostname), make sure we - hash just the specified hostname and not the entire hostspec from the - keyfile. It may be of the form "hostname,ipaddr", which would lead to - a hash that never matches. report and fix from jp AT devnull.cz - - djm@cvs.openbsd.org 2008/01/19 22:37:19 - [ssh-keygen.c] - unbreak line numbering (broken in revision 1.164), fix error message - - djm@cvs.openbsd.org 2008/01/19 23:02:40 - [channels.c] - When we added support for specified bind addresses for port forwards, we - added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of - this for -L port forwards that causes the client to listen on both v4 - and v6 addresses when connected to a server with this quirk, despite - having set 0.0.0.0 as a bind_address. - report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@ - - djm@cvs.openbsd.org 2008/01/19 23:09:49 - [readconf.c readconf.h sshconnect2.c] - promote rekeylimit to a int64 so it can hold the maximum useful limit - of 2^32; report and patch from Jan.Pechanec AT Sun.COM, ok dtucker@ - - djm@cvs.openbsd.org 2008/01/20 00:38:30 - [sftp.c] - When uploading, correctly handle the case of an unquoted filename with - glob metacharacters that match a file exactly but not as a glob, e.g. a - file called "[abcd]". report and test cases from duncan2nd AT gmx.de - - djm@cvs.openbsd.org 2008/01/21 17:24:30 - [sftp-server.c] - Remove the fixed 100 handle limit in sftp-server and allocate as many - as we have available file descriptors. Patch from miklos AT szeredi.hu; - ok dtucker@ markus@ - - djm@cvs.openbsd.org 2008/01/21 19:20:17 - [sftp-client.c] - when a remote write error occurs during an upload, ensure that ACKs for - all issued requests are properly drained. patch from t8m AT centrum.cz - - dtucker@cvs.openbsd.org 2008/01/23 01:56:54 - [clientloop.c packet.c serverloop.c] - Revert the change for bz #1307 as it causes connection aborts if an IGNORE - packet arrives while we're waiting in packet_read_expect (and possibly - elsewhere). - - jmc@cvs.openbsd.org 2008/01/31 20:06:50 - [scp.1] - explain how to handle local file names containing colons; - requested by Tamas TEVESZ - ok dtucker - - markus@cvs.openbsd.org 2008/02/04 21:53:00 - [session.c sftp-server.c sftp.h] - link sftp-server into sshd; feedback and ok djm@ - - mcbride@cvs.openbsd.org 2008/02/09 12:15:43 - [ssh.1 sshd.8] - Document the correct permissions for the ~/.ssh/ directory. - ok jmc - - djm@cvs.openbsd.org 2008/02/10 09:55:37 - [sshd_config.5] - mantion that "internal-sftp" is useful with ForceCommand too - - djm@cvs.openbsd.org 2008/02/10 10:54:29 - [servconf.c session.c] - delay ~ expansion for ChrootDirectory so it expands to the logged-in user's - home, rather than the user who starts sshd (probably root) - -20080119 - - (djm) Silence noice from expr in ssh-copy-id; patch from - mikel AT mikelward.com - - (djm) Only listen for IPv6 connections on AF_INET6 sockets; patch from - tsr2600 AT gmail.com - -20080102 - - (dtucker) [configure.ac] Fix message for -fstack-protector-all test. - -20080101 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2007/12/31 10:41:31 - [readconf.c servconf.c] - Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch - from Dmitry V. Levin, ok djm@ - - dtucker@cvs.openbsd.org 2007/12/31 15:27:04 - [sshd.c] - When in inetd mode, have sshd generate a Protocol 1 ephemeral server - key only for connections where the client chooses Protocol 1 as opposed - to when it's enabled in the server's config. Speeds up Protocol 2 - connections to inetd-mode servers that also allow Protocol 1. bz #440, - based on a patch from bruno at wolff.to, ok markus@ - - dtucker@cvs.openbsd.org 2008/01/01 08:47:04 - [misc.c] - spaces -> tabs from my previous commit - - dtucker@cvs.openbsd.org 2008/01/01 09:06:39 - [scp.c] - If scp -p encounters a pre-epoch timestamp, use the epoch which is - as close as we can get given that it's used unsigned. Add a little - debugging while there. bz #828, ok djm@ - - dtucker@cvs.openbsd.org 2008/01/01 09:27:33 - [sshd_config.5 servconf.c] - Allow PermitRootLogin in a Match block. Allows for, eg, permitting root - only from the local network. ok markus@, man page bit ok jmc@ - - dtucker@cvs.openbsd.org 2008/01/01 08:51:20 - [moduli] - Updated moduli file; ok djm@ - -20071231 - - (dtucker) [configure.ac openbsd-compat/glob.{c,h}] Bug #1407: force use of - builtin glob implementation on Mac OS X. Based on a patch from - vgiffin at apple. - -20071229 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2007/12/12 05:04:03 - [sftp.c] - unbreak lls command and add a regress test that would have caught the - breakage; spotted by mouring@ - - dtucker@cvs.openbsd.org 2007/12/27 14:22:08 - [servconf.c canohost.c misc.c channels.c sshconnect.c misc.h ssh-keyscan.c - sshd.c] - Add a small helper function to consistently handle the EAI_SYSTEM error - code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417. - ok markus@ stevesk@ - - dtucker@cvs.openbsd.org 2007/12/28 15:32:24 - [clientloop.c serverloop.c packet.c] - Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the - ServerAlive and ClientAlive timers. Prevents dropping a connection - when these are enabled but the peer does not support our keepalives. - bz #1307, ok djm@. - - dtucker@cvs.openbsd.org 2007/12/28 22:34:47 - [clientloop.c] - Use the correct packet maximum sizes for remote port and agent forwarding. - Prevents the server from killing the connection if too much data is queued - and an excessively large packet gets sent. bz #1360, ok djm@. - -20071202 - - (dtucker) [configure.ac] Enable -fstack-protector-all on systems where - gcc supports it. ok djm@ - - (dtucker) [scp.c] Update $OpenBSD tag missing from rev 1.175 and remove - leftover debug code. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2007/10/29 00:52:45 - [auth2-gss.c] - Allow build without -DGSSAPI; ok deraadt@ - (Id sync only, Portable already has the ifdefs) - - dtucker@cvs.openbsd.org 2007/10/29 01:55:04 - [ssh.c] - Plug tiny mem leaks in ControlPath and ProxyCommand option processing; - ok djm@ - - dtucker@cvs.openbsd.org 2007/10/29 04:08:08 - [monitor_wrap.c monitor.c] - Send config block back to slave for invalid users too so options - set by a Match block (eg Banner) behave the same for non-existent - users. Found by and ok djm@ - - dtucker@cvs.openbsd.org 2007/10/29 06:51:59 - [ssh_config.5] - ProxyCommand and LocalCommand use the user's shell, not /bin/sh; ok djm@ - - dtucker@cvs.openbsd.org 2007/10/29 06:54:50 - [ssh.c] - Make LocalCommand work for Protocol 1 too; ok djm@ - - jmc@cvs.openbsd.org 2007/10/29 07:48:19 - [ssh_config.5] - clean up after previous macro removal; - - djm@cvs.openbsd.org 2007/11/03 00:36:14 - [clientloop.c] - fix memory leak in process_cmdline(), patch from Jan.Pechanec AT Sun.COM; - ok dtucker@ - - deraadt@cvs.openbsd.org 2007/11/03 01:24:06 - [ssh.c] - bz #1377: getpwuid results were being clobbered by another getpw* call - inside tilde_expand_filename(); save the data we need carefully - ok djm - - dtucker@cvs.openbsd.org 2007/11/03 02:00:32 - [ssh.c] - Use xstrdup/xfree when saving pwname and pwdir; ok deraadt@ - - deraadt@cvs.openbsd.org 2007/11/03 02:03:49 - [ssh.c] - avoid errno trashing in signal handler; ok dtucker - -20071030 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2007/10/29 23:49:41 - [openbsd-compat/sys-tree.h] - remove extra backslash at the end of RB_PROTOTYPE, report from - Jan.Pechanec AT Sun.COM; ok deraadt@ - -20071026 - - (djm) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2007/09/11 23:49:09 - [sshpty.c] - remove #if defined block not needed; ok markus@ dtucker@ - (NB. RCD ID sync only for portable) - - djm@cvs.openbsd.org 2007/09/21 03:05:23 - [ssh_config.5] - document KbdInteractiveAuthentication in ssh_config.5; - patch from dkg AT fifthhorseman.net - - djm@cvs.openbsd.org 2007/09/21 08:15:29 - [auth-bsdauth.c auth-passwd.c auth.c auth.h auth1.c auth2-chall.c] - [monitor.c monitor_wrap.c] - unifdef -DBSD_AUTH - unifdef -USKEY - These options have been in use for some years; - ok markus@ "no objection" millert@ - (NB. RCD ID sync only for portable) - - canacar@cvs.openbsd.org 2007/09/25 23:48:57 - [ssh-agent.c] - When adding a key that already exists, update the properties - (time, confirm, comment) instead of discarding them. ok djm@ markus@ - - ray@cvs.openbsd.org 2007/09/27 00:15:57 - [dh.c] - Don't return -1 on error in dh_pub_is_valid(), since it evaluates - to true. - Also fix a typo. - Initial diff from Matthew Dempsky, input from djm. - OK djm, markus. - - dtucker@cvs.openbsd.org 2007/09/29 00:25:51 - [auth2.c] - Remove unused prototype. ok djm@ - - chl@cvs.openbsd.org 2007/10/02 17:49:58 - [ssh-keygen.c] - handles zero-sized strings that fgets can return - properly removes trailing newline - removes an unused variable - correctly counts line number - "looks ok" ray@ markus@ - - markus@cvs.openbsd.org 2007/10/22 19:10:24 - [readconf.c] - make sure that both the local and remote port are correct when - parsing -L; Jan Pechanec (bz #1378) - - djm@cvs.openbsd.org 2007/10/24 03:30:02 - [sftp.c] - rework argument splitting and parsing to cope correctly with common - shell escapes and make handling of escaped characters consistent - with sh(1) and between sftp commands (especially between ones that - glob their arguments and ones that don't). - parse command flags using getopt(3) rather than hand-rolled parsers. - ok dtucker@ - - djm@cvs.openbsd.org 2007/10/24 03:44:02 - [scp.c] - factor out network read/write into an atomicio()-like function, and - use it to handle short reads, apply bandwidth limits and update - counters. make network IO non-blocking, so a small trickle of - reads/writes has a chance of updating the progress meter; bz #799 - ok dtucker@ - - djm@cvs.openbsd.org 2006/08/29 09:44:00 - [regress/sftp-cmds.sh] - clean up our mess - - markus@cvs.openbsd.org 2006/11/06 09:27:43 - [regress/cfgmatch.sh] - fix quoting for non-(c)sh login shells. - - dtucker@cvs.openbsd.org 2006/12/13 08:36:36 - [regress/cfgmatch.sh] - Additional test for multiple PermitOpen entries. ok djm@ - - pvalchev@cvs.openbsd.org 2007/06/07 19:41:46 - [regress/cipher-speed.sh regress/try-ciphers.sh] - test umac-64@openssh.com - ok djm@ - - djm@cvs.openbsd.org 2007/10/24 03:32:35 - [regress/sftp-cmds.sh regress/sftp-glob.sh regress/test-exec.sh] - comprehensive tests for sftp escaping its interaction with globbing; - ok dtucker@ - - djm@cvs.openbsd.org 2007/10/26 05:30:01 - [regress/sftp-glob.sh regress/test-exec.sh] - remove "echo -E" crap that I added in last commit and use printf(1) for - cases where we strictly require echo not to reprocess escape characters. - - deraadt@cvs.openbsd.org 2005/11/28 17:50:12 - [openbsd-compat/glob.c] - unused arg in internal static API - - jakob@cvs.openbsd.org 2007/10/11 18:36:41 - [openbsd-compat/getrrsetbyname.c openbsd-compat/getrrsetbyname.h] - use RRSIG instead of SIG for DNSSEC. ok djm@ - - otto@cvs.openbsd.org 2006/10/21 09:55:03 - [openbsd-compat/base64.c] - remove calls to abort(3) that can't happen anyway; from - <bret dot lambert at gmail.com>; ok millert@ deraadt@ - - frantzen@cvs.openbsd.org 2004/04/24 18:11:46 - [openbsd-compat/sys-tree.h] - sync to Niels Provos' version. avoid unused variable warning in - RB_NEXT() - - tdeval@cvs.openbsd.org 2004/11/24 18:10:42 - [openbsd-compat/sys-tree.h] - typo - - grange@cvs.openbsd.org 2004/05/04 16:59:32 - [openbsd-compat/sys-queue.h] - Remove useless ``elm'' argument from the SIMPLEQ_REMOVE_HEAD macro. - This matches our SLIST behaviour and NetBSD's SIMPLEQ as well. - ok millert krw deraadt - - deraadt@cvs.openbsd.org 2005/02/25 13:29:30 - [openbsd-compat/sys-queue.h] - minor white spacing - - otto@cvs.openbsd.org 2005/10/17 20:19:42 - [openbsd-compat/sys-queue.h] - Performing certain operations on queue.h data structurs produced - funny results. An example is calling LIST_REMOVE on the same - element twice. This will not fail, but result in a data structure - referencing who knows what. Prevent these accidents by NULLing some - fields on remove and replace. This way, either a panic or segfault - will be produced on the faulty operation. - - otto@cvs.openbsd.org 2005/10/24 20:25:14 - [openbsd-compat/sys-queue.h] - Partly backout. NOLIST, used in LISTs is probably interfering. - requested by deraadt@ - - otto@cvs.openbsd.org 2005/10/25 06:37:47 - [openbsd-compat/sys-queue.h] - Some uvm problem is being exposed with the more strict macros. - Revert until we've found out what's causing the panics. - - otto@cvs.openbsd.org 2005/11/25 08:06:25 - [openbsd-compat/sys-queue.h] - Introduce debugging aid for queue macros. Disabled by default; but - developers are encouraged to run with this enabled. - ok krw@ fgsch@ deraadt@ - - otto@cvs.openbsd.org 2007/04/30 18:42:34 - [openbsd-compat/sys-queue.h] - Enable QUEUE_MACRO_DEBUG on DIAGNOSTIC kernels. - Input and okays from krw@, millert@, otto@, deraadt@, miod@. - - millert@cvs.openbsd.org 2004/10/07 16:56:11 - GLOB_NOESCAPE is POSIX so move it out of the #ifndef _POSIX_SOURCE - block. - (NB. mostly an RCS ID sync, as portable strips out the conditionals) - - (djm) [regress/sftp-cmds.sh] - Use more restrictive glob to pick up test files from /bin - some platforms - ship broken symlinks there which could spoil the test. - - (djm) [openbsd-compat/bindresvport.c] - Sync RCS ID after irrelevant (for portable OpenSSH) header shuffling - -20070927 - - (dtucker) [configure.ac atomicio.c] Fall back to including <sys/poll.h> if - we don't have <poll.h> (eq QNX). From bacon at cs nyu edu. - - (dtucker) [configure.ac defines.h] Shadow expiry does not work on QNX6 - so disable it for that platform. From bacon at cs nyu edu. - -20070921 - - (djm) [atomicio.c] Fix spin avoidance for platforms that define - EWOULDBLOCK; patch from ben AT psc.edu - -20070917 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2007/08/23 02:49:43 - [auth-passwd.c auth.c session.c] - unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@ - NB. RCS ID sync only for portable - - djm@cvs.openbsd.org 2007/08/23 02:55:51 - [auth-passwd.c auth.c session.c] - missed include bits from last commit - NB. RCS ID sync only for portable - - djm@cvs.openbsd.org 2007/08/23 03:06:10 - [auth.h] - login_cap.h doesn't belong here - NB. RCS ID sync only for portable - - djm@cvs.openbsd.org 2007/08/23 03:22:16 - [auth2-none.c sshd_config sshd_config.5] - Support "Banner=none" to disable displaying of the pre-login banner; - ok dtucker@ deraadt@ - - djm@cvs.openbsd.org 2007/08/23 03:23:26 - [sshconnect.c] - Execute ProxyCommands with $SHELL rather than /bin/sh unconditionally - - djm@cvs.openbsd.org 2007/09/04 03:21:03 - [clientloop.c monitor.c monitor_fdpass.c monitor_fdpass.h] - [monitor_wrap.c ssh.c] - make file descriptor passing code return an error rather than call fatal() - when it encounters problems, and use this to make session multiplexing - masters survive slaves failing to pass all stdio FDs; ok markus@ - - djm@cvs.openbsd.org 2007/09/04 11:15:56 - [ssh.c sshconnect.c sshconnect.h] - make ssh(1)'s ConnectTimeout option apply to both the TCP connection and - SSH banner exchange (previously it just covered the TCP connection). - This allows callers of ssh(1) to better detect and deal with stuck servers - that accept a TCP connection but don't progress the protocol, and also - makes ConnectTimeout useful for connections via a ProxyCommand; - feedback and "looks ok" markus@ - - sobrado@cvs.openbsd.org 2007/09/09 11:38:01 - [ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.c] - sort synopsis and options in ssh-agent(1); usage is lowercase - ok jmc@ - - stevesk@cvs.openbsd.org 2007/09/11 04:36:29 - [sshpty.c] - sort #include - NB. RCS ID sync only - - gilles@cvs.openbsd.org 2007/09/11 15:47:17 - [session.c ssh-keygen.c sshlogin.c] - use strcspn to properly overwrite '\n' in fgets returned buffer - ok pyr@, ray@, millert@, moritz@, chl@ - - stevesk@cvs.openbsd.org 2007/09/11 23:49:09 - [sshpty.c] - remove #if defined block not needed; ok markus@ dtucker@ - NB. RCS ID sync only - - stevesk@cvs.openbsd.org 2007/09/12 19:39:19 - [umac.c] - use xmalloc() and xfree(); ok markus@ pvalchev@ - - djm@cvs.openbsd.org 2007/09/13 04:39:04 - [sftp-server.c] - fix incorrect test when setting syslog facility; from Jan Pechanec - - djm@cvs.openbsd.org 2007/09/16 00:55:52 - [sftp-client.c] - use off_t instead of u_int64_t for file offsets, matching what the - progressmeter code expects; bz #842 - - (tim) [defines.h] Fix regression in long password support on OpenServer 6. - Problem report and additional testing rac AT tenzing.org. - -20070914 - - (dtucker) [openbsd-compat/bsd-asprintf.c] Plug mem leak in error path. - Patch from Jan.Pechanec at sun com. - -20070910 - - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1358: Always - return 0 on successful test. From David.Leonard at quest com. - - (tim) [configure.ac] Autoconf didn't define HAVE_LIBIAF because we - did a AC_CHECK_FUNCS within the AC_CHECK_LIB test. - -20070817 - - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked - accounts and that's what the code looks for, so make man page and code - agree. Pointed out by Roumen Petrov. - - (dtucker) [INSTALL] Group the parts describing random options and PAM - implementations together which is hopefully more coherent. - - (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid. - - (dtucker) [INSTALL] Give PAM its own heading. - - (dtucker) [INSTALL] Link to tcpwrappers. - -20070816 - - (dtucker) [session.c] Call PAM cleanup functions for unauthenticated - connections too. Based on a patch from Sandro Wefel, with & ok djm@ - -20070815 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2007/08/15 08:14:46 - [clientloop.c] - do NOT fall back to the trused x11 cookie if generation of an untrusted - cookie fails; from Jan Pechanec, via security-alert at sun.com; - ok dtucker - - markus@cvs.openbsd.org 2007/08/15 08:16:49 - [version.h] - openssh 4.7 - - stevesk@cvs.openbsd.org 2007/08/15 12:13:41 - [ssh_config.5] - tun device forwarding now honours ExitOnForwardFailure; ok markus@ - - (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler. - ok djm@ - - (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec - contrib/suse/openssh.spec] Crank version. - -20070813 - - (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always - called with PAM_ESTABLISH_CRED at least once, which resolves a problem - with pam_dhkeys. Patch from David Leonard, ok djm@ - -20070810 - - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@ - - (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From - Matt Kraai, ok djm@ - -20070809 - - (dtucker) [openbsd-compat/port-aix.c] Comment typo. - - (dtucker) [README.platform] Document the interaction between PermitRootLogin - and the AIX native login restrictions. - - (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't - used anywhere and are a potential source of warnings. - -20070808 - - (djm) OpenBSD CVS Sync - - ray@cvs.openbsd.org 2007/07/12 05:48:05 - [key.c] - Delint: remove some unreachable statements, from Bret Lambert. - OK markus@ and dtucker@. - - sobrado@cvs.openbsd.org 2007/08/06 19:16:06 - [scp.1 scp.c] - the ellipsis is not an optional argument; while here, sync the usage - and synopsis of commands - lots of good ideas by jmc@ - ok jmc@ - - djm@cvs.openbsd.org 2007/08/07 07:32:53 - [clientloop.c clientloop.h ssh.c] - bz#1232: ensure that any specified LocalCommand is executed after the - tunnel device is opened. Also, make failures to open a tunnel device - fatal when ExitOnForwardFailure is active. - Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt - -20070724 - - (tim) [openssh.xml.in] make FMRI match what package scripts use. - - (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call. - Report/patch by David.Leonard AT quest.com (and Bernhard Simon) - - (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5) - - (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}| - -20070628 - - (djm) bz#1325: Fix SELinux in permissive mode where it would - incorrectly fatal() on errors. patch from cjwatson AT debian.org; - ok dtucker - -20070625 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2007/06/13 00:21:27 - [scp.c] - don't ftruncate() non-regular files; bz#1236 reported by wood AT - xmission.com; ok dtucker@ - - djm@cvs.openbsd.org 2007/06/14 21:43:25 - [ssh.c] - handle EINTR when waiting for mux exit status properly - - djm@cvs.openbsd.org 2007/06/14 22:48:05 - [ssh.c] - when waiting for the multiplex exit status, read until the master end - writes an entire int of data *and* closes the client_fd; fixes mux - regression spotted by dtucker, ok dtucker@ - - djm@cvs.openbsd.org 2007/06/19 02:04:43 - [atomicio.c] - if the fd passed to atomicio/atomiciov() is non blocking, then poll() to - avoid a spin if it is not yet ready for reading/writing; ok dtucker@ - - dtucker@cvs.openbsd.org 2007/06/25 08:20:03 - [channels.c] - Correct test for window updates every three packets; prevents sending - window updates for every single packet. ok markus@ - - dtucker@cvs.openbsd.org 2007/06/25 12:02:27 - [atomicio.c] - Include <poll.h> like the man page says rather than <sys/poll.h>. ok djm@ - - (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match - atomicio. - - (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in - openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h] - Add an implementation of poll() built on top of select(2). Code from - OpenNTPD with changes suggested by djm. ok djm@ - -20070614 - - (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the - USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be - shared with umac.c. Allows building with OpenSSL 0.9.5 again including - umac support. With tim@ djm@, ok djm. - - (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL - sections. Fixes builds with early OpenSSL 0.9.6 versions. - - (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition - of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the - subsequent <0.9.7 test. - -20070612 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2007/06/11 09:14:00 - [channels.h] - increase default channel windows; ok djm - - djm@cvs.openbsd.org 2007/06/12 07:41:00 - [ssh-add.1] - better document ssh-add's -d option (delete identies from agent), bz#1224 - new text based on some provided by andrewmc-debian AT celt.dias.ie; - ok dtucker@ - - djm@cvs.openbsd.org 2007/06/12 08:20:00 - [ssh-gss.h gss-serv.c gss-genr.c] - relocate server-only GSSAPI code from libssh to server; bz #1225 - patch from simon AT sxw.org.uk; ok markus@ dtucker@ - - djm@cvs.openbsd.org 2007/06/12 08:24:20 - [scp.c] - make scp try to skip FIFOs rather than blocking when nothing is listening. - depends on the platform supporting sane O_NONBLOCK semantics for open - on FIFOs (apparently POSIX does not mandate this), which OpenBSD does. - bz #856; report by cjwatson AT debian.org; ok markus@ - - djm@cvs.openbsd.org 2007/06/12 11:11:08 - [ssh.c] - fix slave exit value when a control master goes away without passing the - full exit status by ensuring that the slave reads a full int. bz#1261 - reported by frekko AT gmail.com; ok markus@ dtucker@ - - djm@cvs.openbsd.org 2007/06/12 11:15:17 - [ssh.c ssh.1] - Add "-K" flag for ssh to set GSSAPIAuthentication=yes and - GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) - and is useful for hosts with /home on Kerberised NFS; bz #1312 - patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@ - - djm@cvs.openbsd.org 2007/06/12 11:45:27 - [ssh.c] - improved exit message from multiplex slave sessions; bz #1262 - reported by alexandre.nunes AT gmail.com; ok dtucker@ - - dtucker@cvs.openbsd.org 2007/06/12 11:56:15 - [gss-genr.c] - Pass GSS OID to gss_display_status to provide better information in - error messages. Patch from Simon Wilkinson via bz 1220. ok djm@ - - jmc@cvs.openbsd.org 2007/06/12 13:41:03 - [ssh-add.1] - identies -> identities; - - jmc@cvs.openbsd.org 2007/06/12 13:43:55 - [ssh.1] - add -K to SYNOPSIS; - - dtucker@cvs.openbsd.org 2007/06/12 13:54:28 - [scp.c] - Encode filename with strnvis if the name contains a newline (which can't - be represented in the scp protocol), from bz #891. ok markus@ - -20070611 - - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit - fix; tested by dtucker@ and jochen.kirn AT gmail.com - - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34 - [kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] - [ssh_config.5 sshd.8 sshd_config.5] - Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, - must specify umac-64@openssh.com). Provides about 20% end-to-end speedup - compared to hmac-md5. Represents a different approach to message - authentication to that of HMAC that may be beneficial if HMAC based on - one of its underlying hash algorithms is found to be vulnerable to a - new attack. http://www.ietf.org/rfc/rfc4418.txt - in conjunction with and OK djm@ - - pvalchev@cvs.openbsd.org 2007/06/08 04:40:40 - [ssh_config] - Add a "MACs" line after "Ciphers" with the default MAC algorithms, - to ease people who want to tweak both (eg. for performance reasons). - ok deraadt@ djm@ dtucker@ - - jmc@cvs.openbsd.org 2007/06/08 07:43:46 - [ssh_config.5] - put the MAC list into a display, like we do for ciphers, - since groff has trouble handling wide lines; - - jmc@cvs.openbsd.org 2007/06/08 07:48:09 - [sshd_config.5] - oops, here too: put the MAC list into a display, like we do for - ciphers, since groff has trouble with wide lines; - - markus@cvs.openbsd.org 2007/06/11 08:04:44 - [channels.c] - send 'window adjust' messages every tree packets and do not wait - until 50% of the window is consumed. ok djm dtucker - - (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then - fallback to provided bit-swizzing functions - - (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder" - argument to nanosleep may be NULL. Currently this never happens in OpenSSH, - but check anyway in case this changes or the code gets used elsewhere. - - (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should - prevent warnings about redefinitions of various things in paths.h. - Spotted by cartmanltd at hotmail.com. - -20070605 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2007/05/22 10:18:52 - [sshd.c] - zap double include; from p_nowaczyk AT o2.pl - (not required in -portable, Id sync only) - - djm@cvs.openbsd.org 2007/05/30 05:58:13 - [kex.c] - tidy: KNF, ARGSUSED and u_int - - jmc@cvs.openbsd.org 2007/05/31 19:20:16 - [scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 - ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] - convert to new .Dd format; - (We will need to teach mdoc2man.awk to understand this too.) - - djm@cvs.openbsd.org 2007/05/31 23:34:29 - [packet.c] - gc unreachable code; spotted by Tavis Ormandy - - djm@cvs.openbsd.org 2007/06/02 09:04:58 - [bufbn.c] - memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca - - djm@cvs.openbsd.org 2007/06/05 06:52:37 - [kex.c monitor_wrap.c packet.c mac.h kex.h mac.c] - Preserve MAC ctx between packets, saving 2xhash calls per-packet. - Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5 - patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm - committing at his request) - - (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that - OpenBSD's cvs now adds. - - (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so - mindrot's cvs doesn't expand it on us. - - (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs. - -20070520 - - (dtucker) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2007/04/14 22:01:58 - [auth2.c] - remove unused macro; from Dmitry V. Levin <ldv@altlinux.org> - - stevesk@cvs.openbsd.org 2007/04/18 01:12:43 - [sftp-server.c] - cast "%llu" format spec to (unsigned long long); do not assume a - u_int64_t arg is the same as 'unsigned long long'. - from Dmitry V. Levin <ldv@altlinux.org> - ok markus@ 'Yes, that looks correct' millert@ - - dtucker@cvs.openbsd.org 2007/04/23 10:15:39 - [servconf.c] - Remove debug() left over from development. ok deraadt@ - - djm@cvs.openbsd.org 2007/05/17 07:50:31 - [log.c] - save and restore errno when logging; ok deraadt@ - - djm@cvs.openbsd.org 2007/05/17 07:55:29 - [sftp-server.c] - bz#1286 stop reading and processing commands when input or output buffer - is nearly full, otherwise sftp-server would happily try to grow the - input/output buffers past the maximum supported by the buffer API and - promptly fatal() - based on patch from Thue Janus Kristensen; feedback & ok dtucker@ - - djm@cvs.openbsd.org 2007/05/17 20:48:13 - [sshconnect2.c] - fall back to gethostname() when the outgoing connection is not - on a socket, such as is the case when ProxyCommand is used. - Gives hostbased auth an opportunity to work; bz#616, report - and feedback stuart AT kaloram.com; ok markus@ - - djm@cvs.openbsd.org 2007/05/17 20:52:13 - [monitor.c] - pass received SIGINT from monitor to postauth child so it can clean - up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; - ok markus@ - - jolan@cvs.openbsd.org 2007/05/17 23:53:41 - [sshconnect2.c] - djm owes me a vb and a tism cd for breaking ssh compilation - - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from - ldv at altlinux.org. - - (dtucker) [auth-pam.c] Return empty string if fgets fails in - sshpam_tty_conv. Patch from ldv at altlinux.org. - -20070509 - - (tim) [configure.ac] Bug #1287: Add missing test for ucred.h. - -20070429 - - (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h - for select(2) prototype. - - (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype. - - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the - platform's _res if it has one. Should fix problem of DNSSEC record lookups - on NetBSD as reported by Curt Sampson. - - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype. - - (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS - so we don't get redefinition warnings. - - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype. - - (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__ - __nonnull__ for versions of GCC that don't support it. - - (dtucker) [configure.ac defines.h] Have configure check for offsetof - to prevent redefinition warnings. - -20070406 - - (dtucker) [INSTALL] Update the systems that have PAM as standard. Link - to OpenPAM too. - - (dtucker) [INSTALL] prngd lives at sourceforge these days. - -20070326 - - (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c - openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines - to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@ - -20070325 - - (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX, - LIBWRAP and LIBPAM variables in Makefile with the general-purpose - SSHDLIBS. "I like" djm@ - -20070321 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2007/03/09 05:20:06 - [servconf.c sshd.c] - Move C/R -> kbdint special case to after the defaults have been - loaded, which makes ChallengeResponse default to yes again. This - was broken by the Match changes and not fixed properly subsequently. - Found by okan at demirmen.com, ok djm@ "please do it" deraadt@ - - djm@cvs.openbsd.org 2007/03/19 01:01:29 - [sshd_config] - Disable the legacy SSH protocol 1 for new installations via - a configuration override. In the future, we will change the - server's default itself so users who need the legacy protocol - will need to turn it on explicitly - - dtucker@cvs.openbsd.org 2007/03/19 12:16:42 - [ssh-agent.c] - Remove the signal handler that checks if the agent's parent process - has gone away, instead check when the select loop returns. Record when - the next key will expire when scanning for expired keys. Set the select - timeout to whichever of these two things happens next. With djm@, with & - ok deraadt@ markus@ - - tedu@cvs.openbsd.org 2007/03/20 03:56:12 - [readconf.c clientloop.c] - remove some bogus *p tests from charles longeau - ok deraadt millert - - jmc@cvs.openbsd.org 2007/03/20 15:57:15 - [sshd.8] - - let synopsis and description agree for -f - - sort FILES - - +.Xr ssh-keyscan 1 , - from Igor Sobrado - - (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use - getpeerucred to implement getpeereid (currently only Solaris 10 and up). - Patch by Jan.Pechanec at Sun. - - (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have - HAVE_GETPEERUCRED too. Also from Jan Pechanec. - -20070313 - - (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include - string.h to prevent warnings, from vapier at gentoo.org. - - (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the - selinux bits in -portable. - - (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in - bug #1291 also affects Protocol 1 3des. While at it, use compat-openssl.h - in cipher-bf1.c. Patch from Juan Gallego. - - (dtucker) [README.platform] Info about blibpath on AIX. - -20070306 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2007/03/01 16:19:33 - [sshd_config.5] - sort the `match' keywords; - - djm@cvs.openbsd.org 2007/03/06 10:13:14 - [version.h] - openssh-4.6; "please" deraadt@ - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] crank spec files for release - - (djm) [README] correct link to release notes - - (djm) Release 4.6p1 - -20070304 - - (djm) [configure.ac] add a --without-openssl-header-check option to - configure, as some platforms (OS X) ship OpenSSL headers whose version - does not match that of the shipping library. ok dtucker@ - - (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a - bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256 - ciphers from working correctly (disconnects with "Bad packet length" - errors) as found by Ben Harris. ok djm@ - -20070303 - - (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more - general to cover newer gdb versions on HP-UX. - -20070302 - - (dtucker) [configure.ac] For Cygwin, read files in textmode (which allows - CRLF as well as LF lineendings) and write in binary mode. Patch from - vinschen at redhat.com. - - (dtucker) [INSTALL] Update to autoconf-2.61. - -20070301 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2007/03/01 10:28:02 - [auth2.c sshd_config.5 servconf.c] - Remove ChallengeResponseAuthentication support inside a Match - block as its interaction with KbdInteractive makes it difficult to - support. Also, relocate the CR/kbdint option special-case code into - servconf. "please commit" djm@, ok markus@ for the relocation. - - (tim) [buildpkg.sh.in openssh.xml.in] Clean up Solaris 10 smf(5) bits. - "Looks sane" dtucker@ - -20070228 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2007/02/28 00:55:30 - [ssh-agent.c] - Remove expired keys periodically so they don't remain in memory when - the agent is entirely idle, as noted by David R. Piegdon. This is the - simple fix, a more efficient one will be done later. With markus, - deraadt, with & ok djm. - -20070225 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2007/02/20 10:25:14 - [clientloop.c] - set maximum packet and window sizes the same for multiplexed clients - as normal connections; ok markus@ - - dtucker@cvs.openbsd.org 2007/02/21 11:00:05 - [sshd.c] - Clear alarm() before restarting sshd on SIGHUP. Without this, if there's - a SIGALRM pending (for SSH1 key regeneration) when sshd is SIGHUP'ed, the - newly exec'ed sshd will get the SIGALRM and not have a handler for it, - and the default action will terminate the listening sshd. Analysis and - patch from andrew at gaul.org. - - dtucker@cvs.openbsd.org 2007/02/22 12:58:40 - [servconf.c] - Check activep so Match and GatewayPorts work together; ok markus@ - - ray@cvs.openbsd.org 2007/02/24 03:30:11 - [moduli.c] - - strlen returns size_t, not int. - - Pass full buffer size to fgets. - OK djm@, millert@, and moritz@. - -20070219 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2007/01/10 13:23:22 - [ssh_config.5] - do not use a list for SYNOPSIS; - this is actually part of a larger report sent by eric s. raymond - and forwarded by brad, but i only read half of it. spotted by brad. - - jmc@cvs.openbsd.org 2007/01/12 20:20:41 - [ssh-keygen.1 ssh-keygen.c] - more secsh -> rfc 4716 updates; - spotted by wiz@netbsd - ok markus - - dtucker@cvs.openbsd.org 2007/01/17 23:22:52 - [readconf.c] - Honour activep for times (eg ServerAliveInterval) while parsing - ssh_config and ~/.ssh/config so they work properly with Host directives. - From mario.lorenz@wincor-nixdorf.com via bz #1275. ok markus@ - - stevesk@cvs.openbsd.org 2007/01/21 01:41:54 - [auth-skey.c kex.c ssh-keygen.c session.c clientloop.c] - spaces - - stevesk@cvs.openbsd.org 2007/01/21 01:45:35 - [readconf.c] - spaces - - djm@cvs.openbsd.org 2007/01/22 11:32:50 - [sftp-client.c] - return error from do_upload() when a write fails. fixes bz#1252: zero - exit status from sftp when uploading to a full device. report from - jirkat AT atlas.cz; ok dtucker@ - - djm@cvs.openbsd.org 2007/01/22 13:06:21 - [scp.c] - fix detection of whether we should show progress meter or not: scp - tested isatty(stderr) but wrote the progress meter to stdout. This patch - makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com; - of dtucker@ - - stevesk@cvs.openbsd.org 2007/02/14 14:32:00 - [bufbn.c] - typos in comments; ok jmc@ - - dtucker@cvs.openbsd.org 2007/02/19 10:45:58 - [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5] - Teach Match how handle config directives that are used before - authentication. This allows configurations such as permitting password - authentication from the local net only while requiring pubkey from - offsite. ok djm@, man page bits ok jmc@ - - (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some - platforms don't have it. Patch from dleonard at vintela.com. - - (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to calloc - an array for signatures when there are none since "calloc(0, n) returns - NULL on some platforms (eg Tru64), which is explicitly permitted by - POSIX. Diagnosis and patch by svallet genoscope.cns.fr. - -20070128 - - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52) - when closing a tty session when a background process still holds tty - fds open. Great detective work and patch by Marc Aurele La France, - slightly tweaked by me; ok dtucker@ - -20070123 - - (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for public - library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro - so it works properly and modify its callers so that they don't pre or - post decrement arguments that are conditionally evaluated. While there, - put SNPRINTF_CONST back as it prevents build failures in some - configurations. ok djm@ (for most of it) - -20070122 - - (djm) [ssh-rand-helper.8] manpage nits; - from dleonard AT vintela.com (bz#1529) - -20070117 - - (dtucker) [packet.c] Re-remove in_systm.h since it's already in includes.h - and multiple including it causes problems on old IRIXes. (It snuck back - in during a sync.) Found (again) by Georg Schwarz. - -20070114 - - (dtucker) [ssh-keygen.c] av -> argv to match earlier sync. - - (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in return - value of snprintf replacement, similar to bugs in various libc - implementations. This overflow is not exploitable in OpenSSH. - While I'm fiddling with it, make it a fair bit faster by inlining the - append-char routine; ok dtucker@ - -20070105 - - (djm) OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2006/11/14 19:41:04 - [ssh-keygen.c] - use argc and argv not some made up short form - - ray@cvs.openbsd.org 2006/11/23 01:35:11 - [misc.c sftp.c] - Don't access buf[strlen(buf) - 1] for zero-length strings. - ``ok by me'' djm@. - - markus@cvs.openbsd.org 2006/12/11 21:25:46 - [ssh-keygen.1 ssh.1] - add rfc 4716 (public key format); ok jmc - - djm@cvs.openbsd.org 2006/12/12 03:58:42 - [channels.c compat.c compat.h] - bz #1019: some ssh.com versions apparently can't cope with the - remote port forwarding bind_address being a hostname, so send - them an address for cases where they are not explicitly - specified (wildcard or localhost bind). reported by daveroth AT - acm.org; ok dtucker@ deraadt@ - - dtucker@cvs.openbsd.org 2006/12/13 08:34:39 - [servconf.c] - Make PermitOpen work with multiple values like the man pages says. - bz #1267 with details from peter at dmtz.com, with & ok djm@ - - dtucker@cvs.openbsd.org 2006/12/14 10:01:14 - [servconf.c] - Make "PermitOpen all" first-match within a block to match the way other - options work. ok markus@ djm@ - - jmc@cvs.openbsd.org 2007/01/02 09:57:25 - [sshd_config.5] - do not use lists for SYNOPSIS; - from eric s. raymond via brad - - stevesk@cvs.openbsd.org 2007/01/03 00:53:38 - [ssh-keygen.c] - remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan - - stevesk@cvs.openbsd.org 2007/01/03 03:01:40 - [auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c] - spaces - - stevesk@cvs.openbsd.org 2007/01/03 04:09:15 - [sftp.c] - ARGSUSED for lint - - stevesk@cvs.openbsd.org 2007/01/03 07:22:36 - [sftp-server.c] - spaces - -20061205 - - (djm) [auth.c] Fix NULL pointer dereference in fakepw(). Crash would - occur if the server did not have the privsep user and an invalid user - tried to login and both privsep and krb5 auth are disabled; ok dtucker@ - - (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@ - -20061108 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2006/11/07 13:02:07 - [dh.c] - BN_hex2bn returns int; from dtucker@ - -20061107 - - (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it - if we absolutely need it. Pointed out by Corinna, ok djm@ - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2006/11/06 21:25:28 - [auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c - ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c] - add missing checks for openssl return codes; with & ok djm@ - - markus@cvs.openbsd.org 2006/11/07 10:31:31 - [monitor.c version.h] - correctly check for bad signatures in the monitor, otherwise the monitor - and the unpriv process can get out of sync. with dtucker@, ok djm@, - dtucker@ - - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump - versions. - - (dtucker) Release 4.5p1. - -20061105 - - (djm) OpenBSD CVS Sync - - otto@cvs.openbsd.org 2006/10/28 18:08:10 - [ssh.1] - correct/expand example of usage of -w; ok jmc@ stevesk@ - - markus@cvs.openbsd.org 2006/10/31 16:33:12 - [kexdhc.c kexdhs.c kexgexc.c kexgexs.c] - check DH_compute_key() for -1 even if it should not happen because of - earlier calls to dh_pub_is_valid(); report krahmer at suse.de; ok djm - -20061101 - - (dtucker) [openbsd-compat/port-solaris.c] Bug #1255: Make only hwerr - events fatal in Solaris process contract support and tell it to signal - only processes in the same process group when something happens. - Based on information from andrew.benham at thus.net and similar to - a patch from Chad Mynhier. ok djm@ - -20061027 -- (djm) [auth.c] gc some dead code - -20061023 - - (djm) OpenBSD CVS Sync - - ray@cvs.openbsd.org 2006/09/30 17:48:22 - [sftp.c] - Clear errno before calling the strtol functions. - From Paul Stoeber <x0001 at x dot de1 dot cc>. - OK deraadt@. - - djm@cvs.openbsd.org 2006/10/06 02:29:19 - [ssh-agent.c ssh-keyscan.c ssh.c] - sys/resource.h needs sys/time.h; prompted by brad@ - (NB. Id sync only for portable) - - djm@cvs.openbsd.org 2006/10/09 23:36:11 - [session.c] - xmalloc -> xcalloc that was missed previously, from portable - (NB. Id sync only for portable, obviously) - - markus@cvs.openbsd.org 2006/10/10 10:12:45 - [sshconnect.c] - sleep before retrying (not after) since sleep changes errno; fixes - pr 5250; rad@twig.com; ok dtucker djm - - markus@cvs.openbsd.org 2006/10/11 12:38:03 - [clientloop.c serverloop.c] - exit instead of doing a blocking tcp send if we detect a client/server - timeout, since the tcp sendqueue might be already full (of alive - requests); ok dtucker, report mpf - - djm@cvs.openbsd.org 2006/10/22 02:25:50 - [sftp-client.c] - cancel progress meter when upload write fails; ok deraadt@ - - (tim) [Makefile.in scard/Makefile.in] Add datarootdir= lines to keep - autoconf 2.60 from complaining. - -20061018 - - (dtucker) OpenBSD CVS Sync - - ray@cvs.openbsd.org 2006/09/25 04:55:38 - [ssh-keyscan.1 ssh.1] - Change "a SSH" to "an SSH". Hurray, I'm not the only one who - pronounces "SSH" as "ess-ess-aich". - OK jmc@ and stevesk@. - - (dtucker) [sshd.c] Reshuffle storing of pw struct; prevents warnings - on older versions of OS X. ok djm@ - -20061016 - - (dtucker) [monitor_fdpass.c] Include sys/in.h, required for cmsg macros - on older (2.0) Linuxes. Based on patch from thmo-13 at gmx de. - -20061006 - - (tim) [buildpkg.sh.in] Use uname -r instead of -v in OS_VER for Solaris. - Differentiate between OpenServer 5 and OpenServer 6 - - (dtucker) [configure.ac] Set put -lselinux into $LIBS while testing for - SELinux functions so they're detected correctly. Patch from pebenito at - gentoo.org. - - (tim) [buildpkg.sh.in] Some systems have really limited nawk (OpenServer). - Allow setting alternate awk in openssh-config.local. - -20061003 - - (tim) [configure.ac] Move CHECK_HEADERS test before platform specific - section so additional platform specific CHECK_HEADER tests will work - correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no - Feedback and "seems like a good idea" dtucker@ - -20061001 - - (dtucker) [audit-bsm.c] Include errno.h. Pointed out by des at des.no. - -20060929 - - (dtucker) [configure.ac] Bug #1239: Fix configure test for OpenSSH engine - support. Patch from andrew.benham at thus net. - -20060928 - - (dtucker) [entropy.c] Bug #1238: include signal.h to fix compilation error - on Solaris 8 w/out /dev/random or prngd. Patch from rl at - math.technion.ac.il. - -20060926 - - (dtucker) [bufaux.h] nuke bufaux.h; it's already gone from OpenBSD and not - referenced any more. ok djm@ - - (dtucker) [sftp-server.8] Resync; spotted by djm@ - - (dtucker) Release 4.4p1. - -20060924 - - (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added - to rev 1.308) to work around broken gcc 2.x header file. - -20060923 - - (dtucker) [configure.ac] Bug #1234: Put opensc libs into $LIBS rather than - $LDFLAGS. Patch from vapier at gentoo org. - -20060922 - - (dtucker) [packet.c canohost.c] Include arpa/inet.h for htonl macros on - some platforms (eg HP-UX 11.00). From santhi.amirta at gmail com. - -20060921 - - (dtucker) OpenBSD CVS Sync - - otto@cvs.openbsd.org 2006/09/19 05:52:23 - [sftp.c] - Use S_IS* macros insted of masking with S_IF* flags. The latter may - have multiple bits set, which lead to surprising results. Spotted by - Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@ - - markus@cvs.openbsd.org 2006/09/19 21:14:08 - [packet.c] - client NULL deref on protocol error; Tavis Ormandy, Google Security Team - - (dtucker) [defines.h] Include unistd.h before defining getpgrp; fixes - build error on Ultrix. From Bernhard Simon. - -20060918 - - (dtucker) [configure.ac] On AIX, check to see if the compiler will allow - macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags. - Allows build out of the box with older VAC and XLC compilers. Found by - David Bronder and Bernhard Simon. - - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes. - Prevents macro redefinition warnings of "RDONLY". - -20060916 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/09/16 19:53:37 - [deattack.c deattack.h packet.c] - limit maximum work performed by the CRC compensation attack detector, - problem reported by Tavis Ormandy, Google Security Team; - ok markus@ deraadt@ - - (djm) Add openssh.xml to .cvsignore and sort it - - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM auth - process so that any logging it does is with the right timezone. From - Scott Strickler, ok djm@. - - (dtucker) [monitor.c] Correctly handle auditing of single commands when - using Protocol 1. From jhb at freebsd. - - (djm) [sshd.c] Fix warning/API abuse; ok dtucker@ - - (dtucker) [INSTALL] Add info about audit support. - -20060912 - - (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in] - Support SMF in Solaris Packages if enabled by configure. Patch from - Chad Mynhier, tested by dtucker@ - -20060911 - - (dtucker) [cipher-aes.c] Include string.h for memcpy and friends. Noted - by Pekka Savola. - -20060910 - - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available. - - (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB. - -20060909 - - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h. - - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user. - - (dtucker) [buildpkg.sh.in] Always create privsep user. ok djm@ - -20060908 - - (dtucker) [auth-sia.c] Add includes required for build on Tru64. Patch - from Chris Adams. - - (dtucker) [configure.ac] The BSM header test needs time.h in some cases. - -20060907 - - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can - be used to drop privilege to; fixes Solaris GSSAPI crash reported by - Magnus Abrante; suggestion and feedback dtucker@ - NB. this change will require that the privilege separation user must - exist on all the time, not just when UsePrivilegeSeparation=yes - - (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6 - - (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H. - - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better - chance of winning. - -20060905 - - (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov. - - (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP. - -20060904 - - (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native - updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius, - ok djm@ - -20060903 - - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for - declaration of writev(2) and declare it ourselves if necessary. Makes - the atomiciov() calls build on really old systems. ok djm@ - -20060902 - - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan. - - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c - openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c - openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h> - for hton* and ntoh* macros. Required on (at least) HP-UX since we define - _XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com. - -20060901 - - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c] - [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c] - [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c] - [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c] - [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] - [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c] - [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c] - [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c] - [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c] - [sshconnect1.c sshconnect2.c sshd.c] - [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c] - [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c] - [openbsd-compat/port-uw.c] - Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h; - compile problems reported by rac AT tenzing.org - - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c] - [openbsd-compat/rresvport.c] Some more headers: netinet/in.h - sys/socket.h and unistd.h in various places - - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implict declaration - warnings for binary_open and binary_close. Patch from Corinna Vinschen. - - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly - test for GLOB_NOMATCH and use our glob functions if it's not found. - Stops sftp from segfaulting when attempting to get a nonexistent file on - Cygwin (previous versions of OpenSSH didn't use the native glob). Partly - from and tested by Corinna Vinschen. - - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank - versions. - -20060831 - - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ] - [platform.c platform.h sshd.c openbsd-compat/Makefile.in] - [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c] - [openbsd-compat/port-solaris.h] Add support for Solaris process - contracts, enabled with --use-solaris-contracts. Patch from Chad - Mynhier, tweaked by dtucker@ and myself; ok dtucker@ - - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege - while setting up the ssh service account. Patch from Corinna Vinschen. - -20060830 - - (djm) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2006/08/21 08:14:01 - [sshd_config.5] - Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@, - ok jmc@ djm@ - - dtucker@cvs.openbsd.org 2006/08/21 08:15:57 - [sshd.8] - Add more detail about what permissions are and aren't accepted for - authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@ - - djm@cvs.openbsd.org 2006/08/29 10:40:19 - [channels.c session.c] - normalise some inconsistent (but harmless) NULL pointer checks - spotted by the Stanford SATURN tool, via Isil Dillig; - ok markus@ deraadt@ - - dtucker@cvs.openbsd.org 2006/08/29 12:02:30 - [gss-genr.c] - Work around a problem in Heimdal that occurs when KRB5CCNAME file is - missing, by checking whether or not kerberos allocated us a context - before attempting to free it. Patch from Simon Wilkinson, tested by - biorn@, ok djm@ - - dtucker@cvs.openbsd.org 2006/08/30 00:06:51 - [sshconnect2.c] - Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL - where previously it weren't. bz #1221, found by Dean Kopesky, ok djm@ - - djm@cvs.openbsd.org 2006/08/30 00:14:37 - [version.h] - crank to 4.4 - - (djm) [openbsd-compat/xcrypt.c] needs unistd.h - - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call - loginsuccess on AIX immediately after authentication to clear the failed - login count. Previously this would only happen when an interactive - session starts (ie when a pty is allocated) but this means that accounts - that have primarily non-interactive sessions (eg scp's) may gradually - accumulate enough failures to lock out an account. This change may have - a side effect of creating two audit records, one with a tty of "ssh" - corresponding to the authentication and one with the allocated pty per - interactive session. - -20060824 - - (dtucker) [openbsd-compat/basename.c] Include errno.h. - - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on - older systems. - - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2) - on POSIX systems. - - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2). - - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc. - - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent - unused variable warning when we have a broken or missing mmap(2). - -20060822 - - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in - Makefile. Patch from santhi.amirta at gmail, ok djm. - -20060820 - - (dtucker) [log.c] Move ifdef to prevent unused variable warning. - - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore - afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl. - - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for - fixing bug #1181. No changes yet. - - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL - (0.9.8a and presumably newer) requires -ldl to successfully link. - - (dtucker) [configure.ac] Remove errant "-". - -20060819 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/08/18 22:41:29 - [gss-genr.c] - GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk - - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a - single rule for the test progs. - -20060818 - - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with - closefrom.c from sudo. - - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid. - - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error. - - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the - test progs instead; they work better than what we have. - - (djm) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2006/08/06 01:13:32 - [compress.c monitor.c monitor_wrap.c] - "zlib.h" can be <zlib.h>; ok djm@ markus@ - - miod@cvs.openbsd.org 2006/08/12 20:46:46 - [monitor.c monitor_wrap.c] - Revert previous include file ordering change, for ssh to compile under - gcc2 (or until openssl include files are cleaned of parameter names - in function prototypes) - - dtucker@cvs.openbsd.org 2006/08/14 12:40:25 - [servconf.c servconf.h sshd_config.5] - Add ability to match groups to Match keyword in sshd_config. Feedback - djm@, stevesk@, ok stevesk@. - - djm@cvs.openbsd.org 2006/08/16 11:47:15 - [sshd.c] - factor inetd connection, TCP listen and main TCP accept loop out of - main() into separate functions to improve readability; ok markus@ - - deraadt@cvs.openbsd.org 2006/08/18 09:13:26 - [log.c log.h sshd.c] - make signal handler termination path shorter; risky code pointed out by - mark dowd; ok djm markus - - markus@cvs.openbsd.org 2006/08/18 09:15:20 - [auth.h session.c sshd.c] - delay authentication related cleanups until we're authenticated and - all alarms have been cancelled; ok deraadt - - djm@cvs.openbsd.org 2006/08/18 10:27:16 - [misc.h] - reorder so prototypes are sorted by the files they refer to; no - binary change - - djm@cvs.openbsd.org 2006/08/18 13:54:54 - [gss-genr.c ssh-gss.h sshconnect2.c] - bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk - ok markus@ - - djm@cvs.openbsd.org 2006/08/18 14:40:34 - [gss-genr.c ssh-gss.h] - constify host argument to match the rest of the GSSAPI functions and - unbreak compilation with -Werror - - (djm) Disable sigdie() for platforms that cannot safely syslog inside - a signal handler (basically all of them, excepting OpenBSD); - ok dtucker@ - -20060817 - - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] - Include stdlib.h for malloc and friends. - - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl - for closefrom() on AIX. Pointed out by William Ahern. - - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress - test for closefrom() in compat code. - -20060816 - - (djm) [audit-bsm.c] Sprinkle in some headers - -20060815 - - (dtucker) [LICENCE] Add Reyk to the list for the compat dir. - -20060806 - - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings - on Solaris 10 - -20060806 - - (dtucker) [defines.h] With the includes.h changes we no longer get the - name clash on "YES" so we can remove the workaround for it. - - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c, - glob.c}] Include stdlib.h for malloc and friends in compat code. - -20060805 - - (djm) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2006/07/24 13:58:22 - [sshconnect.c] - disable tunnel forwarding when no strict host key checking - and key changed; ok djm@ markus@ dtucker@ - - stevesk@cvs.openbsd.org 2006/07/25 02:01:34 - [scard.c] - need #include <string.h> - - stevesk@cvs.openbsd.org 2006/07/25 02:59:21 - [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c] - [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c] - move #include <sys/time.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/07/26 02:35:17 - [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c] - [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c] - [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c] - [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c] - [uidswap.c xmalloc.c] - move #include <sys/param.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/07/26 13:57:17 - [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c] - [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c] - [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] - [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c] - [sshconnect1.c sshd.c xmalloc.c] - move #include <stdlib.h> out of includes.h - - jmc@cvs.openbsd.org 2006/07/27 08:00:50 - [ssh_config.5] - avoid confusing wording in HashKnownHosts: - originally spotted by alan amesbury; - ok deraadt - - jmc@cvs.openbsd.org 2006/07/27 08:00:50 - [ssh_config.5] - avoid confusing wording in HashKnownHosts: - originally spotted by alan amesbury; - ok deraadt - - dtucker@cvs.openbsd.org 2006/08/01 11:34:36 - [sshconnect.c] - Allow fallback to known_hosts entries without port qualifiers for - non-standard ports too, so that all existing known_hosts entries will be - recognised. Requested by, feedback and ok markus@ - - stevesk@cvs.openbsd.org 2006/08/01 23:22:48 - [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c] - [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c] - [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c] - [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c] - [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c] - [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c] - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c] - [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c] - [uuencode.h xmalloc.c] - move #include <stdio.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/08/01 23:36:12 - [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c] - clean extra spaces - - deraadt@cvs.openbsd.org 2006/08/03 03:34:42 - [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] - [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] - [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] - [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] - [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] - [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] - [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] - [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] - [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] - [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] - [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] - [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] - [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] - [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] - [serverloop.c session.c session.h sftp-client.c sftp-common.c] - [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] - [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] - [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] - [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] - [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] - [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] - almost entirely get rid of the culture of ".h files that include .h files" - ok djm, sort of ok stevesk - makes the pain stop in one easy step - NB. portable commit contains everything *except* removing includes.h, as - that will take a fair bit more work as we move headers that are required - for portability workarounds to defines.h. (also, this step wasn't "easy") - - stevesk@cvs.openbsd.org 2006/08/04 20:46:05 - [monitor.c session.c ssh-agent.c] - spaces - - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c - - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c] - remove last traces of bufaux.h - it was merged into buffer.h in the big - includes.h commit - - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec - - (djm) [openbsd-compat/regress/snprintftest.c] - [openbsd-compat/regress/strduptest.c] Add missing includes so they pass - compilation with "-Wall -Werror" - - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c] - [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more - includes for Linux in - - (dtucker) [cleanup.c] Need defines.h for __dead. - - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable. - - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of - #include stdarg.h, needed for log.h. - - (dtucker) [entropy.c] Needs unistd.h too. - - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h. - - (dtucker) [openbsd-compat/getrrsetbyname.c] Nees stdlib.h for malloc. - - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll, - otherwise it is implicitly declared as returning an int. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2006/08/05 07:52:52 - [auth2-none.c sshd.c monitor_wrap.c] - Add headers required to build with KERBEROS5=no. ok djm@ - - dtucker@cvs.openbsd.org 2006/08/05 08:00:33 - [auth-skey.c] - Add headers required to build with -DSKEY. ok djm@ - - dtucker@cvs.openbsd.org 2006/08/05 08:28:24 - [monitor_wrap.c auth-skey.c auth2-chall.c] - Zap unused variables in -DSKEY code. ok djm@ - - dtucker@cvs.openbsd.org 2006/08/05 08:34:04 - [packet.c] - Typo in comment - - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile - on Cygwin. - - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa. - - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h. - - (dtucker) [audit.c audit.h] Repair headers. - - (dtucker) [audit-bsm.c] Add additional headers now required. - -20060804 - - (dtucker) [configure.ac] The "crippled AES" test does not work on recent - versions of Solaris, so use AC_LINK_IFELSE to actually link the test program - rather than just compiling it. Spotted by dlg@. - -20060802 - - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype. - -20060725 - - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW. - -20060724 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/07/12 13:39:55 - [sshd_config.5] - - new sentence, new line - - s/The the/The/ - - kill a bad comma - - stevesk@cvs.openbsd.org 2006/07/12 22:28:52 - [auth-options.c canohost.c channels.c includes.h readconf.c] - [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c] - move #include <netdb.h> out of includes.h; ok djm@ - - stevesk@cvs.openbsd.org 2006/07/12 22:42:32 - [includes.h ssh.c ssh-rand-helper.c] - move #include <stddef.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/07/14 01:15:28 - [monitor_wrap.h] - don't need incompletely-typed 'struct passwd' now with - #include <pwd.h>; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/17 01:31:10 - [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c] - [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c] - [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c] - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c] - [sshconnect.c sshlogin.c sshpty.c uidswap.c] - move #include <unistd.h> out of includes.h - - dtucker@cvs.openbsd.org 2006/07/17 12:02:24 - [auth-options.c] - Use '\0' rather than 0 to terminates strings; ok djm@ - - dtucker@cvs.openbsd.org 2006/07/17 12:06:00 - [channels.c channels.h servconf.c sshd_config.5] - Add PermitOpen directive to sshd_config which is equivalent to the - "permitopen" key option. Allows server admin to allow TCP port - forwarding only two specific host/port pairs. Useful when combined - with Match. - If permitopen is used in both sshd_config and a key option, both - must allow a given connection before it will be permitted. - Note that users can still use external forwarders such as netcat, - so to be those must be controlled too for the limits to be effective. - Feedback & ok djm@, man page corrections & ok jmc@. - - jmc@cvs.openbsd.org 2006/07/18 07:50:40 - [sshd_config.5] - tweak; ok dtucker - - jmc@cvs.openbsd.org 2006/07/18 07:56:28 - [scp.1] - replace DIAGNOSTICS with .Ex; - - jmc@cvs.openbsd.org 2006/07/18 08:03:09 - [ssh-agent.1 sshd_config.5] - mark up angle brackets; - - dtucker@cvs.openbsd.org 2006/07/18 08:22:23 - [sshd_config.5] - Clarify description of Match, with minor correction from jmc@ - - stevesk@cvs.openbsd.org 2006/07/18 22:27:55 - [dh.c] - remove unneeded includes; ok djm@ - - dtucker@cvs.openbsd.org 2006/07/19 08:56:41 - [servconf.c sshd_config.5] - Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to - Match. ok djm@ - - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 - [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] - Add ForceCommand keyword to sshd_config, equivalent to the "command=" - key option, man page entry and example in sshd_config. - Feedback & ok djm@, man page corrections & ok jmc@ - - stevesk@cvs.openbsd.org 2006/07/20 15:26:15 - [auth1.c serverloop.c session.c sshconnect2.c] - missed some needed #include <unistd.h> when KERBEROS5=no; issue from - massimo@cedoc.mo.it - - dtucker@cvs.openbsd.org 2006/07/21 12:43:36 - [channels.c channels.h servconf.c servconf.h sshd_config.5] - Make PermitOpen take a list of permitted ports and act more like most - other keywords (ie the first match is the effective setting). This - also makes it easier to override a previously set PermitOpen. ok djm@ - - stevesk@cvs.openbsd.org 2006/07/21 21:13:30 - [channels.c] - more ARGSUSED (lint) for dispatch table-driven functions; ok djm@ - - stevesk@cvs.openbsd.org 2006/07/21 21:26:55 - [progressmeter.c] - ARGSUSED for signal handler - - stevesk@cvs.openbsd.org 2006/07/22 19:08:54 - [includes.h moduli.c progressmeter.c scp.c sftp-common.c] - [sftp-server.c ssh-agent.c sshlogin.c] - move #include <time.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/07/22 20:48:23 - [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c] - [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c] - [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c] - [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c] - [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c] - [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c] - [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c] - [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c] - [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c] - [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c] - [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] - [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c] - [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c] - move #include <string.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/07/23 01:11:05 - [auth.h dispatch.c kex.h sftp-client.c] - #include <signal.h> for sig_atomic_t; need this prior to <sys/param.h> - move - - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c] - [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c] - [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c] - [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c] - [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c] - [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c] - [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c] - [openbsd-compat/mktemp.c openbsd-compat/port-linux.c] - [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] - [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c] - make the portable tree compile again - sprinkle unistd.h and string.h - back in. Don't redefine __unused, as it turned out to be used in - headers on Linux, and replace its use in auth-pam.c with ARGSUSED - - (djm) [openbsd-compat/glob.c] - Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles - on OpenBSD (or other platforms with a decent glob implementation) with - -Werror - - (djm) [uuencode.c] - Add resolv.h, is it contains the prototypes for __b64_ntop/__b64_pton on - some platforms - - (djm) [session.c] - fix compile error with -Werror -Wall: 'path' is only used in - do_setup_env() if HAVE_LOGIN_CAP is not defined - - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c] - [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c] - [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c] - [openbsd-compat/port-aix.c openbsd-compat/port-irix.c] - [openbsd-compat/rresvport.c] - These look to need string.h and/or unistd.h (based on a grep for function - names) - - (djm) [Makefile.in] - Remove generated openbsd-compat/regress/Makefile in distclean target - - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh] - [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh] - Sync regress tests to -current; include dtucker@'s new cfgmatch and - forcecommand tests. Add cipher-speed.sh test (not linked in yet) - - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including - system headers before defines.h will cause conflicting definitions. - - (dtucker) [regress/forcecommand.sh] Portablize. - -20060713 - - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h - -20060712 - - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and - O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old - Linuxes and probably more. - - (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h> - for SHUT_RD. - - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before - <netinet/ip.h>. - - (dtucker) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2006/07/10 16:01:57 - [sftp-glob.c sftp-common.h sftp.c] - buffer.h only needed in sftp-common.h and remove some unneeded - user includes; ok djm@ - - jmc@cvs.openbsd.org 2006/07/10 16:04:21 - [sshd.8] - s/and and/and/ - - stevesk@cvs.openbsd.org 2006/07/10 16:37:36 - [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c - auth.c packet.c log.c] - move #include <stdarg.h> out of includes.h; ok markus@ - - dtucker@cvs.openbsd.org 2006/07/11 10:12:07 - [ssh.c] - Only copy the part of environment variable that we actually use. Prevents - ssh bailing when SendEnv is used and an environment variable with a really - long value exists. ok djm@ - - markus@cvs.openbsd.org 2006/07/11 18:50:48 - [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c - channels.h readconf.c] - add ExitOnForwardFailure: terminate the connection if ssh(1) - cannot set up all requested dynamic, local, and remote port - forwardings. ok djm, dtucker, stevesk, jmc - - stevesk@cvs.openbsd.org 2006/07/11 20:07:25 - [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c - sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c - includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c - sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c - ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c] - move #include <errno.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/11 20:16:43 - [ssh.c] - cast asterisk field precision argument to int to remove warning; - ok markus@ - - stevesk@cvs.openbsd.org 2006/07/11 20:27:56 - [authfile.c ssh.c] - need <errno.h> here also (it's also included in <openssl/err.h>) - - dtucker@cvs.openbsd.org 2006/07/12 11:34:58 - [sshd.c servconf.h servconf.c sshd_config.5 auth.c] - Add support for conditional directives to sshd_config via a "Match" - keyword, which works similarly to the "Host" directive in ssh_config. - Lines after a Match line override the default set in the main section - if the condition on the Match line is true, eg - AllowTcpForwarding yes - Match User anoncvs - AllowTcpForwarding no - will allow port forwarding by all users except "anoncvs". - Currently only a very small subset of directives are supported. - ok djm@ - - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c - openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c - openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>. - - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h. - - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too. - - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h. - - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c - openbsd-compat/rresvport.c] More errno.h. - -20060711 - - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c - openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally - include paths.h. Fixes build error on Solaris. - - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably - others). - -20060710 - - (dtucker) [INSTALL] New autoconf version: 2.60. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/06/14 10:50:42 - [sshconnect.c] - limit the number of pre-banner characters we will accept; ok markus@ - - djm@cvs.openbsd.org 2006/06/26 10:36:15 - [clientloop.c] - mention optional bind_address in runtime port forwarding setup - command-line help. patch from santhi.amirta AT gmail.com - - stevesk@cvs.openbsd.org 2006/07/02 17:12:58 - [ssh.1 ssh.c ssh_config.5 sshd_config.5] - more details and clarity for tun(4) device forwarding; ok and help - jmc@ - - stevesk@cvs.openbsd.org 2006/07/02 18:36:47 - [gss-serv-krb5.c gss-serv.c] - no "servconf.h" needed here - (gss-serv-krb5.c change not applied, portable needs the server options) - - stevesk@cvs.openbsd.org 2006/07/02 22:45:59 - [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c] - move #include <grp.h> out of includes.h - (portable needed uidswap.c too) - - stevesk@cvs.openbsd.org 2006/07/02 23:01:55 - [clientloop.c ssh.1] - use -KR[bind_address:]port here; ok djm@ - - stevesk@cvs.openbsd.org 2006/07/03 08:54:20 - [includes.h ssh.c sshconnect.c sshd.c] - move #include "version.h" out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/03 17:59:32 - [channels.c includes.h] - move #include <arpa/inet.h> out of includes.h; old ok djm@ - (portable needed session.c too) - - stevesk@cvs.openbsd.org 2006/07/05 02:42:09 - [canohost.c hostfile.c includes.h misc.c packet.c readconf.c] - [serverloop.c sshconnect.c uuencode.c] - move #include <netinet/in.h> out of includes.h; ok deraadt@ - (also ssh-rand-helper.c logintest.c loginrec.c) - - djm@cvs.openbsd.org 2006/07/06 10:47:05 - [servconf.c servconf.h session.c sshd_config.5] - support arguments to Subsystem commands; ok markus@ - - djm@cvs.openbsd.org 2006/07/06 10:47:57 - [sftp-server.8 sftp-server.c] - add commandline options to enable logging of transactions; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/06 16:03:53 - [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c] - [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c] - [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c] - [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c] - [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c] - [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c] - [uidswap.h] - move #include <pwd.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/06 16:22:39 - [ssh-keygen.c] - move #include "dns.h" up - - stevesk@cvs.openbsd.org 2006/07/06 17:36:37 - [monitor_wrap.h] - typo in comment - - stevesk@cvs.openbsd.org 2006/07/08 21:47:12 - [authfd.c canohost.c clientloop.c dns.c dns.h includes.h] - [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c] - [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h] - move #include <sys/socket.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/07/08 21:48:53 - [monitor.c session.c] - missed these from last commit: - move #include <sys/socket.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/07/08 23:30:06 - [log.c] - move user includes after /usr/include files - - stevesk@cvs.openbsd.org 2006/07/09 15:15:11 - [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c] - [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c] - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] - [sshlogin.c sshpty.c] - move #include <fcntl.h> out of includes.h - - stevesk@cvs.openbsd.org 2006/07/09 15:27:59 - [ssh-add.c] - use O_RDONLY vs. 0 in open(); no binary change - - djm@cvs.openbsd.org 2006/07/10 11:24:54 - [sftp-server.c] - remove optind - it isn't used here - - djm@cvs.openbsd.org 2006/07/10 11:25:53 - [sftp-server.c] - don't log variables that aren't yet set - - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c] - [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h] - [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] - [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/07/10 12:03:20 - [scp.c] - duplicate argv at the start of main() because it gets modified later; - pointed out by deraadt@ ok markus@ - - djm@cvs.openbsd.org 2006/07/10 12:08:08 - [channels.c] - fix misparsing of SOCKS 5 packets that could result in a crash; - reported by mk@ ok markus@ - - dtucker@cvs.openbsd.org 2006/07/10 12:46:51 - [misc.c misc.h sshd.8 sshconnect.c] - Add port identifier to known_hosts for non-default ports, based originally - on a patch from Devin Nate in bz#910. - For any connection using the default port or using a HostKeyAlias the - format is unchanged, otherwise the host name or address is enclosed - within square brackets in the same format as sshd's ListenAddress. - Tested by many, ok markus@. - - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h> - for struct sockaddr on platforms that use the fake-rfc stuff. - -20060706 - - (dtucker) [configure.ac] Try AIX blibpath test in different order when - compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so - configure would not select the correct libpath linker flags. - - (dtucker) [INSTALL] A bit more info on autoconf. - -20060705 - - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the - target already exists. - -20060630 - - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf - declaration too. Patch from russ at sludge.net. - - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it, - prevents warnings on platforms where _res is in the system headers. - - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which - version. - -20060627 - - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems - with autoconf 2.60. Patch from vapier at gentoo.org. - -20060625 - - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys - only, otherwise sshd can hang exiting non-interactive sessions. - -20060624 - - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris. - Works around limitation in Solaris' passwd program for changing passwords - where the username is longer than 8 characters. ok djm@ - - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug - #1102 workaround. - -20060623 - - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add - tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch - from reyk@, tested by anil@ - - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX - 4.3.3 ML3 or so, the AIX pty layer starting passing zero-length writes - on the pty slave as zero-length reads on the pty master, which sshd - interprets as the descriptor closing. Since most things don't do zero - length writes this rarely matters, but occasionally it happens, and when - it does the SSH pty session appears to hang, so we add a special case for - this condition. ok djm@ - -20060613 - - (djm) [getput.h] This file has been replaced by functions in misc.c - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/05/08 10:49:48 - [sshconnect2.c] - uint32_t -> u_int32_t (which we use everywhere else) - (Id sync only - portable already had this) - - markus@cvs.openbsd.org 2006/05/16 09:00:00 - [clientloop.c] - missing free; from Kylene Hall - - markus@cvs.openbsd.org 2006/05/17 12:43:34 - [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c] - fix leak; coverity via Kylene Jo Hall - - miod@cvs.openbsd.org 2006/05/18 21:27:25 - [kexdhc.c kexgexc.c] - paramter -> parameter - - dtucker@cvs.openbsd.org 2006/05/29 12:54:08 - [ssh_config.5] - Add gssapi-with-mic to PreferredAuthentications default list; ok jmc - - dtucker@cvs.openbsd.org 2006/05/29 12:56:33 - [ssh_config] - Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in - sample ssh_config. ok markus@ - - jmc@cvs.openbsd.org 2006/05/29 16:10:03 - [ssh_config.5] - oops - previous was too long; split the list of auths up - - mk@cvs.openbsd.org 2006/05/30 11:46:38 - [ssh-add.c] - Sync usage() with man page and reality. - ok deraadt dtucker - - jmc@cvs.openbsd.org 2006/05/29 16:13:23 - [ssh.1] - add GSSAPI to the list of authentication methods supported; - - mk@cvs.openbsd.org 2006/05/30 11:46:38 - [ssh-add.c] - Sync usage() with man page and reality. - ok deraadt dtucker - - markus@cvs.openbsd.org 2006/06/01 09:21:48 - [sshd.c] - call get_remote_ipaddr() early; fixes logging after client disconnects; - report mpf@; ok dtucker@ - - markus@cvs.openbsd.org 2006/06/06 10:20:20 - [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c] - replace remaining setuid() calls with permanently_set_uid() and - check seteuid() return values; report Marcus Meissner; ok dtucker djm - - markus@cvs.openbsd.org 2006/06/08 14:45:49 - [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h] - do not set the gid, noted by solar; ok djm - - djm@cvs.openbsd.org 2006/06/13 01:18:36 - [ssh-agent.c] - always use a format string, even when printing a constant - - djm@cvs.openbsd.org 2006/06/13 02:17:07 - [ssh-agent.c] - revert; i am on drugs. spotted by alexander AT beard.se - -20060521 - - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor - and slave, we can remove the special-case handling in the audit hook in - auth_log. - -20060517 - - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file - pointer leak. From kjhall at us.ibm.com, found by coverity. - -20060515 - - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of - _res, prevents problems on some platforms that have _res as a global but - don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by - georg.schwarz at freenet.de, ok djm@. - - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative - default. Patch originally from tim@, ok djm - - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and - do not allow kbdint again after the PAM account check fails. ok djm@ - -20060506 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2006/04/25 08:02:27 - [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c] - Prevent ssh from trying to open private keys with bad permissions more than - once or prompting for their passphrases (which it subsequently ignores - anyway), similar to a previous change in ssh-add. bz #1186, ok djm@ - - djm@cvs.openbsd.org 2006/05/04 14:55:23 - [dh.c] - tighter DH exponent checks here too; feedback and ok markus@ - - djm@cvs.openbsd.org 2006/04/01 05:37:46 - [OVERVIEW] - $OpenBSD$ in here too - - dtucker@cvs.openbsd.org 2006/05/06 08:35:40 - [auth-krb5.c] - Add $OpenBSD$ in comment here too - -20060504 - - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c - session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c - openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar) - in Portable-only code; since calloc zeros, remove now-redundant memsets. - Also add a couple of sanity checks. With & ok djm@ - -20060503 - - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h - and double including it on IRIX 5.3 causes problems. From Georg Schwarz, - "no objections" tim@ - -20060423 - - (djm) OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2006/04/01 05:42:20 - [scp.c] - minimal lint cleanup (unused crud, and some size_t); ok djm - - djm@cvs.openbsd.org 2006/04/01 05:50:29 - [scp.c] - xasprintification; ok deraadt@ - - djm@cvs.openbsd.org 2006/04/01 05:51:34 - [atomicio.c] - ANSIfy; requested deraadt@ - - dtucker@cvs.openbsd.org 2006/04/02 08:34:52 - [ssh-keysign.c] - sessionid can be 32 bytes now too when sha256 kex is used; ok djm@ - - djm@cvs.openbsd.org 2006/04/03 07:10:38 - [gss-genr.c] - GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066 - by dleonard AT vintela.com. use xasprintf() to simplify code while in - there; "looks right" deraadt@ - - djm@cvs.openbsd.org 2006/04/16 00:48:52 - [buffer.c buffer.h channels.c] - Fix condition where we could exit with a fatal error when an input - buffer became too large and the remote end had advertised a big window. - The problem was a mismatch in the backoff math between the channels code - and the buffer code, so make a buffer_check_alloc() function that the - channels code can use to propsectivly check whether an incremental - allocation will succeed. bz #1131, debugged with the assistance of - cove AT wildpackets.com; ok dtucker@ deraadt@ - - djm@cvs.openbsd.org 2006/04/16 00:52:55 - [atomicio.c atomicio.h] - introduce atomiciov() function that wraps readv/writev to retry - interrupted transfers like atomicio() does for read/write; - feedback deraadt@ dtucker@ stevesk@ ok deraadt@ - - djm@cvs.openbsd.org 2006/04/16 00:54:10 - [sftp-client.c] - avoid making a tiny 4-byte write to send the packet length of sftp - commands, which would result in a separate tiny packet on the wire by - using atomiciov(writev, ...) to write the length and the command in one - pass; ok deraadt@ - - djm@cvs.openbsd.org 2006/04/16 07:59:00 - [atomicio.c] - reorder sanity test so that it cannot dereference past the end of the - iov array; well spotted canacar@! - - dtucker@cvs.openbsd.org 2006/04/18 10:44:28 - [bufaux.c bufbn.c Makefile.in] - Move Buffer bignum functions into their own file, bufbn.c. This means - that sftp and sftp-server (which use the Buffer functions in bufaux.c - but not the bignum ones) no longer need to be linked with libcrypto. - ok markus@ - - djm@cvs.openbsd.org 2006/04/20 09:27:09 - [auth.h clientloop.c dispatch.c dispatch.h kex.h] - replace the last non-sig_atomic_t flag used in a signal handler with a - sig_atomic_t, unfortunately with some knock-on effects in other (non- - signal) contexts in which it is used; ok markus@ - - markus@cvs.openbsd.org 2006/04/20 09:47:59 - [sshconnect.c] - simplify; ok djm@ - - djm@cvs.openbsd.org 2006/04/20 21:53:44 - [includes.h session.c sftp.c] - Switch from using pipes to socketpairs for communication between - sftp/scp and ssh, and between sshd and its subprocesses. This saves - a file descriptor per session and apparently makes userland ppp over - ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this - decision on a per-platform basis) - - djm@cvs.openbsd.org 2006/04/22 04:06:51 - [uidswap.c] - use setres[ug]id() to permanently revoke privileges; ok deraadt@ - (ID Sync only - portable already uses setres[ug]id() whenever possible) - - stevesk@cvs.openbsd.org 2006/04/22 18:29:33 - [crc32.c] - remove extra spaces - - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get - sig_atomic_t - -20060421 - - (djm) [Makefile.in configure.ac session.c sshpty.c] - [contrib/redhat/sshd.init openbsd-compat/Makefile.in] - [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c] - [openbsd-compat/port-linux.h] Add support for SELinux, setting - the execution and TTY contexts. based on patch from Daniel Walsh, - bz #880; ok dtucker@ - -20060418 - - (djm) [canohost.c] Reorder IP options check so that it isn't broken - by mapped addresses; bz #1179 reported by markw wtech-llc.com; - ok dtucker@ - -20060331 - - OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2006/03/27 01:21:18 - [xmalloc.c] - we can do the size & nmemb check before the integer overflow check; - evol - - deraadt@cvs.openbsd.org 2006/03/27 13:03:54 - [dh.c] - use strtonum() instead of atoi(), limit dhg size to 64k; ok djm - - djm@cvs.openbsd.org 2006/03/27 23:15:46 - [sftp.c] - always use a format string for addargs; spotted by mouring@ - - deraadt@cvs.openbsd.org 2006/03/28 00:12:31 - [README.tun ssh.c] - spacing - - deraadt@cvs.openbsd.org 2006/03/28 01:52:28 - [channels.c] - do not accept unreasonable X ports numbers; ok djm - - deraadt@cvs.openbsd.org 2006/03/28 01:53:43 - [ssh-agent.c] - use strtonum() to parse the pid from the file, and range check it - better; ok djm - - djm@cvs.openbsd.org 2006/03/30 09:41:25 - [channels.c] - ARGSUSED for dispatch table-driven functions - - djm@cvs.openbsd.org 2006/03/30 09:58:16 - [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h] - [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c] - replace {GET,PUT}_XXBIT macros with functionally similar functions, - silencing a heap of lint warnings. also allows them to use - __bounded__ checking which can't be applied to macros; requested - by and feedback from deraadt@ - - djm@cvs.openbsd.org 2006/03/30 10:41:25 - [ssh.c ssh_config.5] - add percent escape chars to the IdentityFile option, bz #1159 based - on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@ - - dtucker@cvs.openbsd.org 2006/03/30 11:05:17 - [ssh-keygen.c] - Correctly handle truncated files while converting keys; ok djm@ - - dtucker@cvs.openbsd.org 2006/03/30 11:40:21 - [auth.c monitor.c] - Prevent duplicate log messages when privsep=yes; ok djm@ - - jmc@cvs.openbsd.org 2006/03/31 09:09:30 - [ssh_config.5] - kill trailing whitespace; - - djm@cvs.openbsd.org 2006/03/31 09:13:56 - [ssh_config.5] - remote user escape is %r not %h; spotted by jmc@ - -20060326 - - OpenBSD CVS Sync - - jakob@cvs.openbsd.org 2006/03/15 08:46:44 - [ssh-keygen.c] - if no key file are given when printing the DNS host record, use the - host key file(s) as default. ok djm@ - - biorn@cvs.openbsd.org 2006/03/16 10:31:45 - [scp.c] - Try to display errormessage even if remout == -1 - ok djm@, markus@ - - djm@cvs.openbsd.org 2006/03/17 22:31:50 - [authfd.c] - another unreachable found by lint - - djm@cvs.openbsd.org 2006/03/17 22:31:11 - [authfd.c] - unreachanble statement, found by lint - - djm@cvs.openbsd.org 2006/03/19 02:22:32 - [serverloop.c] - memory leaks detected by Coverity via elad AT netbsd.org; - ok deraadt@ dtucker@ - - djm@cvs.openbsd.org 2006/03/19 02:22:56 - [sftp.c] - more memory leaks detected by Coverity via elad AT netbsd.org; - deraadt@ ok - - djm@cvs.openbsd.org 2006/03/19 02:23:26 - [hostfile.c] - FILE* leak detected by Coverity via elad AT netbsd.org; - ok deraadt@ - - djm@cvs.openbsd.org 2006/03/19 02:24:05 - [dh.c readconf.c servconf.c] - potential NULL pointer dereferences detected by Coverity - via elad AT netbsd.org; ok deraadt@ - - djm@cvs.openbsd.org 2006/03/19 07:41:30 - [sshconnect2.c] - memory leaks detected by Coverity via elad AT netbsd.org; - deraadt@ ok - - dtucker@cvs.openbsd.org 2006/03/19 11:51:52 - [servconf.c] - Correct strdelim null test; ok djm@ - - deraadt@cvs.openbsd.org 2006/03/19 18:52:11 - [auth1.c authfd.c channels.c] - spacing - - deraadt@cvs.openbsd.org 2006/03/19 18:53:12 - [kex.c kex.h monitor.c myproposal.h session.c] - spacing - - deraadt@cvs.openbsd.org 2006/03/19 18:56:41 - [clientloop.c progressmeter.c serverloop.c sshd.c] - ARGSUSED for signal handlers - - deraadt@cvs.openbsd.org 2006/03/19 18:59:49 - [ssh-keyscan.c] - please lint - - deraadt@cvs.openbsd.org 2006/03/19 18:59:30 - [ssh.c] - spacing - - deraadt@cvs.openbsd.org 2006/03/19 18:59:09 - [authfile.c] - whoever thought that break after return was a good idea needs to - get their head examimed - - djm@cvs.openbsd.org 2006/03/20 04:09:44 - [monitor.c] - memory leaks detected by Coverity via elad AT netbsd.org; - deraadt@ ok - that should be all of them now - - djm@cvs.openbsd.org 2006/03/20 11:38:46 - [key.c] - (really) last of the Coverity diffs: avoid possible NULL deref in - key_free. via elad AT netbsd.org; markus@ ok - - deraadt@cvs.openbsd.org 2006/03/20 17:10:19 - [auth.c key.c misc.c packet.c ssh-add.c] - in a switch (), break after return or goto is stupid - - deraadt@cvs.openbsd.org 2006/03/20 17:13:16 - [key.c] - djm did a typo - - deraadt@cvs.openbsd.org 2006/03/20 17:17:23 - [ssh-rsa.c] - in a switch (), break after return or goto is stupid - - deraadt@cvs.openbsd.org 2006/03/20 18:14:02 - [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c] - [ssh.c sshpty.c sshpty.h] - sprinkle u_int throughout pty subsystem, ok markus - - deraadt@cvs.openbsd.org 2006/03/20 18:17:20 - [auth1.c auth2.c sshd.c] - sprinkle some ARGSUSED for table driven functions (which sometimes - must ignore their args) - - deraadt@cvs.openbsd.org 2006/03/20 18:26:55 - [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c] - [ssh-rsa.c ssh.c sshlogin.c] - annoying spacing fixes getting in the way of real diffs - - deraadt@cvs.openbsd.org 2006/03/20 18:27:50 - [monitor.c] - spacing - - deraadt@cvs.openbsd.org 2006/03/20 18:35:12 - [channels.c] - x11_fake_data is only ever used as u_char * - - deraadt@cvs.openbsd.org 2006/03/20 18:41:43 - [dns.c] - cast xstrdup to propert u_char * - - deraadt@cvs.openbsd.org 2006/03/20 18:42:27 - [canohost.c match.c ssh.c sshconnect.c] - be strict with tolower() casting - - deraadt@cvs.openbsd.org 2006/03/20 18:48:34 - [channels.c fatal.c kex.c packet.c serverloop.c] - spacing - - deraadt@cvs.openbsd.org 2006/03/20 21:11:53 - [ttymodes.c] - spacing - - djm@cvs.openbsd.org 2006/03/25 00:05:41 - [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c] - [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c] - [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c] - [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c] - [xmalloc.c xmalloc.h] - introduce xcalloc() and xasprintf() failure-checked allocations - functions and use them throughout openssh - - xcalloc is particularly important because malloc(nmemb * size) is a - dangerous idiom (subject to integer overflow) and it is time for it - to die - - feedback and ok deraadt@ - - djm@cvs.openbsd.org 2006/03/25 01:13:23 - [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c] - [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c] - [uidswap.c] - change OpenSSH's xrealloc() function from being xrealloc(p, new_size) - to xrealloc(p, new_nmemb, new_itemsize). - - realloc is particularly prone to integer overflows because it is - almost always allocating "n * size" bytes, so this is a far safer - API; ok deraadt@ - - djm@cvs.openbsd.org 2006/03/25 01:30:23 - [sftp.c] - "abormally" is a perfectly cromulent word, but "abnormally" is better - - djm@cvs.openbsd.org 2006/03/25 13:17:03 - [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c] - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c] - [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] - [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c] - [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c] - [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c] - [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c] - [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c] - [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c] - [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c] - [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c] - [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c] - [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] - [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] - [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] - [uidswap.c uuencode.c xmalloc.c] - Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that - Theo nuked - our scripts to sync -portable need them in the files - - deraadt@cvs.openbsd.org 2006/03/25 18:29:35 - [auth-rsa.c authfd.c packet.c] - needed casts (always will be needed) - - deraadt@cvs.openbsd.org 2006/03/25 18:30:55 - [clientloop.c serverloop.c] - spacing - - deraadt@cvs.openbsd.org 2006/03/25 18:36:15 - [sshlogin.c sshlogin.h] - nicer size_t and time_t types - - deraadt@cvs.openbsd.org 2006/03/25 18:40:14 - [ssh-keygen.c] - cast strtonum() result to right type - - deraadt@cvs.openbsd.org 2006/03/25 18:41:45 - [ssh-agent.c] - mark two more signal handlers ARGSUSED - - deraadt@cvs.openbsd.org 2006/03/25 18:43:30 - [channels.c] - use strtonum() instead of atoi() [limit X screens to 400, sorry] - - deraadt@cvs.openbsd.org 2006/03/25 18:56:55 - [bufaux.c channels.c packet.c] - remove (char *) casts to a function that accepts void * for the arg - - deraadt@cvs.openbsd.org 2006/03/25 18:58:10 - [channels.c] - delete cast not required - - djm@cvs.openbsd.org 2006/03/25 22:22:43 - [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h] - [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h] - [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h] - [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c] - [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h] - [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h] - [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h] - [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h] - [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h] - [ttymodes.h uidswap.h uuencode.h xmalloc.h] - standardise spacing in $OpenBSD$ tags; requested by deraadt@ - - deraadt@cvs.openbsd.org 2006/03/26 01:31:48 - [uuencode.c] - typo - -20060325 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/03/16 04:24:42 - [ssh.1] - Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs - that OpenSSH supports - - deraadt@cvs.openbsd.org 2006/03/19 18:51:18 - [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c] - [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c] - [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c] - [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c] - [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c] - [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c] - [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] - [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c] - [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c] - [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c] - [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c] - [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c] - [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c] - [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c] - [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c] - [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] - [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] - [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] - [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c] - [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c] - [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c] - [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c] - [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c] - RCSID() can die - - deraadt@cvs.openbsd.org 2006/03/19 18:53:12 - [kex.h myproposal.h] - spacing - - djm@cvs.openbsd.org 2006/03/20 04:07:22 - [auth2-gss.c] - GSSAPI related leaks detected by Coverity via elad AT netbsd.org; - reviewed by simon AT sxw.org.uk; deraadt@ ok - - djm@cvs.openbsd.org 2006/03/20 04:07:49 - [gss-genr.c] - more GSSAPI related leaks detected by Coverity via elad AT netbsd.org; - reviewed by simon AT sxw.org.uk; deraadt@ ok - - djm@cvs.openbsd.org 2006/03/20 04:08:18 - [gss-serv.c] - last lot of GSSAPI related leaks detected by Coverity via - elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok - - deraadt@cvs.openbsd.org 2006/03/20 18:14:02 - [monitor_wrap.h sshpty.h] - sprinkle u_int throughout pty subsystem, ok markus - - deraadt@cvs.openbsd.org 2006/03/20 18:26:55 - [session.h] - annoying spacing fixes getting in the way of real diffs - - deraadt@cvs.openbsd.org 2006/03/20 18:41:43 - [dns.c] - cast xstrdup to propert u_char * - - jakob@cvs.openbsd.org 2006/03/22 21:16:24 - [ssh.1] - simplify SSHFP example; ok jmc@ - - djm@cvs.openbsd.org 2006/03/22 21:27:15 - [deattack.c deattack.h] - remove IV support from the CRC attack detector, OpenSSH has never used - it - it only applied to IDEA-CFB, which we don't support. - prompted by NetBSD Coverity report via elad AT netbsd.org; - feedback markus@ "nuke it" deraadt@ - -20060318 - - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via - elad AT NetBSD.org - - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take - a LLONG rather than a long. Fixes scp'ing of large files on platforms - with missing/broken snprintfs. Patch from e.borovac at bom.gov.au. - -20060316 - - (dtucker) [entropy.c] Add headers for WIFEXITED and friends. - - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in - /usr/include/crypto. Hint from djm@. - - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h] - Disable sha256 when openssl < 0.9.7. Patch from djm@. - - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old - OpenSSL; ok tim - -20060315 - - (djm) OpenBSD CVS Sync: - - msf@cvs.openbsd.org 2006/02/06 15:54:07 - [ssh.1] - - typo fix - ok jmc@ - - jmc@cvs.openbsd.org 2006/02/06 21:44:47 - [ssh.1] - make this a little less ambiguous... - - stevesk@cvs.openbsd.org 2006/02/07 01:08:04 - [auth-rhosts.c includes.h] - move #include <netgroup.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/07 01:18:09 - [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c] - move #include <sys/queue.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/07 01:42:00 - [channels.c clientloop.c clientloop.h includes.h packet.h] - [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c] - move #include <termios.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/07 01:52:50 - [sshtty.c] - "log.h" not needed - - stevesk@cvs.openbsd.org 2006/02/07 03:47:05 - [hostfile.c] - "packet.h" not needed - - stevesk@cvs.openbsd.org 2006/02/07 03:59:20 - [deattack.c] - duplicate #include - - stevesk@cvs.openbsd.org 2006/02/08 12:15:27 - [auth.c clientloop.c includes.h misc.c monitor.c readpass.c] - [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c] - [sshd.c sshpty.c] - move #include <paths.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/08 12:32:49 - [includes.h misc.c] - move #include <netinet/tcp.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/08 13:15:44 - [gss-serv.c monitor.c] - small KNF - - stevesk@cvs.openbsd.org 2006/02/08 14:16:59 - [sshconnect.c] - <openssl/bn.h> not needed - - stevesk@cvs.openbsd.org 2006/02/08 14:31:30 - [includes.h ssh-agent.c ssh-keyscan.c ssh.c] - move #include <sys/resource.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/08 14:38:18 - [includes.h packet.c] - move #include <netinet/in_systm.h> and <netinet/ip.h> out of - includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/08 23:51:24 - [includes.h scp.c sftp-glob.c sftp-server.c] - move #include <dirent.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/09 00:32:07 - [includes.h] - #include <sys/endian.h> not needed; ok djm@ - NB. ID Sync only - we still need this (but it may move later) - - jmc@cvs.openbsd.org 2006/02/09 10:10:47 - [sshd.8] - - move some text into a CAVEATS section - - merge the COMMAND EXECUTION... section into AUTHENTICATION - - stevesk@cvs.openbsd.org 2006/02/10 00:27:13 - [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c] - [ssh.c sshd.c sshpty.c] - move #include <sys/ioctl.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/10 01:44:27 - [includes.h monitor.c readpass.c scp.c serverloop.c session.c] - [sftp.c sshconnect.c sshconnect2.c sshd.c] - move #include <sys/wait.h> out of includes.h; ok markus@ - - otto@cvs.openbsd.org 2006/02/11 19:31:18 - [atomicio.c] - type correctness; from Ray Lai in PR 5011; ok millert@ - - djm@cvs.openbsd.org 2006/02/12 06:45:34 - [ssh.c ssh_config.5] - add a %l expansion code to the ControlPath, which is filled in with the - local hostname at runtime. Requested by henning@ to avoid some problems - with /home on NFS; ok dtucker@ - - djm@cvs.openbsd.org 2006/02/12 10:44:18 - [readconf.c] - raise error when the user specifies a RekeyLimit that is smaller than 16 - (the smallest of our cipher's blocksize) or big enough to cause integer - wraparound; ok & feedback dtucker@ - - jmc@cvs.openbsd.org 2006/02/12 10:49:44 - [ssh_config.5] - slight rewording; ok djm - - jmc@cvs.openbsd.org 2006/02/12 10:52:41 - [sshd.8] - rework the description of authorized_keys a little; - - jmc@cvs.openbsd.org 2006/02/12 17:57:19 - [sshd.8] - sort the list of options permissable w/ authorized_keys; - ok djm dtucker - - jmc@cvs.openbsd.org 2006/02/13 10:16:39 - [sshd.8] - no need to subsection the authorized_keys examples - instead, convert - this to look like an actual file. also use proto 2 keys, and use IETF - example addresses; - - jmc@cvs.openbsd.org 2006/02/13 10:21:25 - [sshd.8] - small tweaks for the ssh_known_hosts section; - - jmc@cvs.openbsd.org 2006/02/13 11:02:26 - [sshd.8] - turn this into an example ssh_known_hosts file; ok djm - - jmc@cvs.openbsd.org 2006/02/13 11:08:43 - [sshd.8] - - avoid nasty line split - - `*' does not need to be escaped - - jmc@cvs.openbsd.org 2006/02/13 11:27:25 - [sshd.8] - sort FILES and use a -compact list; - - david@cvs.openbsd.org 2006/02/15 05:08:24 - [sftp-client.c] - typo in comment; ok djm@ - - jmc@cvs.openbsd.org 2006/02/15 16:53:20 - [ssh.1] - remove the IETF draft references and replace them with some updated RFCs; - - jmc@cvs.openbsd.org 2006/02/15 16:55:33 - [sshd.8] - remove ietf draft references; RFC list now maintained in ssh.1; - - jmc@cvs.openbsd.org 2006/02/16 09:05:34 - [sshd.8] - sync some of the FILES entries w/ ssh.1; - - jmc@cvs.openbsd.org 2006/02/19 19:52:10 - [sshd.8] - move the sshrc stuff out of FILES, and into its own section: - FILES is not a good place to document how stuff works; - - jmc@cvs.openbsd.org 2006/02/19 20:02:17 - [sshd.8] - sync the (s)hosts.equiv FILES entries w/ those from ssh.1; - - jmc@cvs.openbsd.org 2006/02/19 20:05:00 - [sshd.8] - grammar; - - jmc@cvs.openbsd.org 2006/02/19 20:12:25 - [ssh_config.5] - add some vertical space; - - stevesk@cvs.openbsd.org 2006/02/20 16:36:15 - [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c] - move #include <sys/un.h> out of includes.h; ok djm@ - - stevesk@cvs.openbsd.org 2006/02/20 17:02:44 - [clientloop.c includes.h monitor.c progressmeter.c scp.c] - [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c] - move #include <signal.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/20 17:19:54 - [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c] - [authfile.c clientloop.c includes.h readconf.c scp.c session.c] - [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c] - [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c] - [sshconnect2.c sshd.c sshpty.c] - move #include <sys/stat.h> out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/22 00:04:45 - [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c] - [sshconnect.c] - move #include <ctype.h> out of includes.h; ok djm@ - - jmc@cvs.openbsd.org 2006/02/24 10:25:14 - [ssh_config.5] - add section on patterns; - from dtucker + myself - - jmc@cvs.openbsd.org 2006/02/24 10:33:54 - [sshd_config.5] - signpost to PATTERNS; - - jmc@cvs.openbsd.org 2006/02/24 10:37:07 - [ssh_config.5] - tidy up the refs to PATTERNS; - - jmc@cvs.openbsd.org 2006/02/24 10:39:52 - [sshd.8] - signpost to PATTERNS section; - - jmc@cvs.openbsd.org 2006/02/24 20:22:16 - [ssh-keysign.8 ssh_config.5 sshd_config.5] - some consistency fixes; - - jmc@cvs.openbsd.org 2006/02/24 20:31:31 - [ssh.1 ssh_config.5 sshd.8 sshd_config.5] - more consistency fixes; - - jmc@cvs.openbsd.org 2006/02/24 23:20:07 - [ssh_config.5] - some grammar/wording fixes; - - jmc@cvs.openbsd.org 2006/02/24 23:43:57 - [sshd_config.5] - some grammar/wording fixes; - - jmc@cvs.openbsd.org 2006/02/24 23:51:17 - [sshd_config.5] - oops - bits i missed; - - jmc@cvs.openbsd.org 2006/02/25 12:26:17 - [ssh_config.5] - document the possible values for KbdInteractiveDevices; - help/ok dtucker - - jmc@cvs.openbsd.org 2006/02/25 12:28:34 - [sshd_config.5] - document the order in which allow/deny directives are processed; - help/ok dtucker - - jmc@cvs.openbsd.org 2006/02/26 17:17:18 - [ssh_config.5] - move PATTERNS to the end of the main body; requested by dtucker - - jmc@cvs.openbsd.org 2006/02/26 18:01:13 - [sshd_config.5] - subsection is pointless here; - - jmc@cvs.openbsd.org 2006/02/26 18:03:10 - [ssh_config.5] - comma; - - djm@cvs.openbsd.org 2006/02/28 01:10:21 - [session.c] - fix logout recording when privilege separation is disabled, analysis and - patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@ - NB. ID sync only - patch already in portable - - djm@cvs.openbsd.org 2006/03/04 04:12:58 - [serverloop.c] - move a debug() outside of a signal handler; ok markus@ a little while back - - djm@cvs.openbsd.org 2006/03/12 04:23:07 - [ssh.c] - knf nit - - djm@cvs.openbsd.org 2006/03/13 08:16:00 - [sshd.c] - don't log that we are listening on a socket before the listen() call - actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@ - - dtucker@cvs.openbsd.org 2006/03/13 08:33:00 - [packet.c] - Set TCP_NODELAY for all connections not just "interactive" ones. Fixes - poor performance and protocol stalls under some network conditions (mindrot - bugs #556 and #981). Patch originally from markus@, ok djm@ - - dtucker@cvs.openbsd.org 2006/03/13 08:43:16 - [ssh-keygen.c] - Make ssh-keygen handle CR and CRLF line termination when converting IETF - format keys, in adition to vanilla LF. mindrot #1157, tested by Chris - Pepper, ok djm@ - - dtucker@cvs.openbsd.org 2006/03/13 10:14:29 - [misc.c ssh_config.5 sshd_config.5] - Allow config directives to contain whitespace by surrounding them by double - quotes. mindrot #482, man page help from jmc@, ok djm@ - - dtucker@cvs.openbsd.org 2006/03/13 10:26:52 - [authfile.c authfile.h ssh-add.c] - Make ssh-add check file permissions before attempting to load private - key files multiple times; it will fail anyway and this prevents confusing - multiple prompts and warnings. mindrot #1138, ok djm@ - - djm@cvs.openbsd.org 2006/03/14 00:15:39 - [canohost.c] - log the originating address and not just the name when a reverse - mapping check fails, requested by linux AT linuon.com - - markus@cvs.openbsd.org 2006/03/14 16:32:48 - [ssh_config.5 sshd_config.5] - *AliveCountMax applies to protcol v2 only; ok dtucker, djm - - djm@cvs.openbsd.org 2006/03/07 09:07:40 - [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] - Implement the diffie-hellman-group-exchange-sha256 key exchange method - using the SHA256 code in libc (and wrapper to make it into an OpenSSL - EVP), interop tested against CVS PuTTY - NB. no portability bits committed yet - - (djm) [configure.ac defines.h kex.c md-sha256.c] - [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h] - [openbsd-compat/sha2.c] First stab at portability glue for SHA256 - KEX support, should work with libc SHA256 support or OpenSSL - EVP_sha256 if present - - (djm) [includes.h] Restore accidentally dropped netinet/in.h - - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files - - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present - - (djm) [regress/.cvsignore] Ignore Makefile here - - (djm) [loginrec.c] Need stat.h - - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with - system sha2.h - - (djm) [ssh-rand-helper.c] Needs a bunch of headers - - (djm) [ssh-agent.c] Restore dropped stat.h - - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out - SHA384, which we don't need and doesn't compile without tweaks - - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c] - [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c] - [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c] - [openbsd-compat/glob.c openbsd-compat/mktemp.c] - [openbsd-compat/readpassphrase.c] Lots of include fixes for - OpenSolaris - - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:" - - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some - includes removed from includes.h - - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE - - (djm) [includes.h] Put back paths.h, it is needed in defines.h - - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs - sys/ioctl.h for struct winsize. - - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD. - -20060313 - - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) - since not all platforms support it. Instead, use internal equivalent while - computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf* - as it's no longer required. Tested by Bernhard Simon, ok djm@ - -20060304 - - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a - file rather than directory, required as Cygwin will be importing lastlog(1). - Also tightens up permissions on the file. Patch from vinschen@redhat.com. - - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h - includes. Patch from gentoo.riverrat at gmail.com. - -20060226 - - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY - patch from kraai at ftbfs.org. - -20060223 - - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current - reality. Pointed out by tryponraj at gmail.com. - -20060222 - - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only - compile in compat code if required. - -20060221 - - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about - redefinition of SSLeay_add_all_algorithms. - -20060220 - - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}] - Add optional enabling of OpenSSL's (hardware) Engine support, via - configure --with-ssl-engine. Based in part on a diff by michal at - logix.cz. - -20060219 - - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/] - Add first attempt at regress tests for compat library. ok djm@ - -20060214 - - (tim) [buildpkg.sh.in] Make the names consistent. - s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@ - -20060212 - - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned - to silence compiler warning, from vinschen at redhat.com. - - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX. - - (dtucker) [README version.h contrib/caldera/openssh.spec - contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version - strings to match 4.3p2 release. - -20060208 - - (tim) [session.c] Logout records were not updated on systems with - post auth privsep disabled due to bug 1086 changes. Analysis and patch - by vinschen at redhat.com. OK tim@, dtucker@. - - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP - -> NEED_SETPGRP), reported by Bernhard Simon. ok tim@ - -20060206 - - (tim) [configure.ac] Remove unnecessary tests for net/if.h and - netinet/in_systm.h. OK dtucker@. - -20060205 - - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test - for Solaris. OK dtucker@. - - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by - kraai at ftbfs.org. - -20060203 - - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first - AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run - by a platform specific check, builtin standard includes tests will be - skipped on the other platforms. - Analysis and suggestion by vinschen at redhat.com, patch by dtucker@. - OK tim@, djm@. - -20060202 - - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it - works with picky compilers. Patch from alex.kiernan at thus.net. - -20060201 - - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to - determine the user's login name - needed for regress tests on Solaris - 10 and OpenSolaris - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/02/01 09:06:50 - [sshd.8] - - merge sections on protocols 1 and 2 into a single section - - remove configuration file section - ok markus - - jmc@cvs.openbsd.org 2006/02/01 09:11:41 - [sshd.8] - small tweak; - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update versions ahead of release - - markus@cvs.openbsd.org 2006/02/01 11:27:22 - [version.h] - openssh 4.3 - - (djm) Release OpenSSH 4.3p1 - -20060131 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/20 11:21:45 - [ssh_config.5] - - word change, agreed w/ markus - - consistency fixes - - jmc@cvs.openbsd.org 2006/01/25 09:04:34 - [sshd.8] - move the options description up the page, and a few additional tweaks - whilst in here; - ok markus - - jmc@cvs.openbsd.org 2006/01/25 09:07:22 - [sshd.8] - move subsections to full sections; - - jmc@cvs.openbsd.org 2006/01/26 08:47:56 - [ssh.1] - add a section on verifying host keys in dns; - written with a lot of help from jakob; - feedback dtucker/markus; - ok markus - - reyk@cvs.openbsd.org 2006/01/30 12:22:22 - [channels.c] - mark channel as write failed or dead instead of read failed on error - of the channel output filter. - ok markus@ - - jmc@cvs.openbsd.org 2006/01/30 13:37:49 - [ssh.1] - remove an incorrect sentence; - reported by roumen petrov; - ok djm markus - - djm@cvs.openbsd.org 2006/01/31 10:19:02 - [misc.c misc.h scp.c sftp.c] - fix local arbitrary command execution vulnerability on local/local and - remote/remote copies (CVE-2006-0225, bz #1094), patch by - t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@ - - djm@cvs.openbsd.org 2006/01/31 10:35:43 - [scp.c] - "scp a b c" shouldn't clobber "c" when it is not a directory, report and - fix from biorn@; ok markus@ - - (djm) Sync regress tests to OpenBSD: - - dtucker@cvs.openbsd.org 2005/03/10 10:20:39 - [regress/forwarding.sh] - Regress test for ClearAllForwardings (bz #994); ok markus@ - - dtucker@cvs.openbsd.org 2005/04/25 09:54:09 - [regress/multiplex.sh] - Don't call cleanup in multiplex as test-exec will cleanup anyway - found by tim@, ok djm@ - NB. ID sync only, we already had this - - djm@cvs.openbsd.org 2005/05/20 23:14:15 - [regress/test-exec.sh] - force addressfamily=inet for tests, unbreaking dynamic-forward regress for - recently committed nc SOCKS5 changes - - djm@cvs.openbsd.org 2005/05/24 04:10:54 - [regress/try-ciphers.sh] - oops, new arcfour modes here too - - markus@cvs.openbsd.org 2005/06/30 11:02:37 - [regress/scp.sh] - allow SUDO=sudo; from Alexander Bluhm - - grunk@cvs.openbsd.org 2005/11/14 21:25:56 - [regress/agent-getpeereid.sh] - all other scripts in this dir use $SUDO, not 'sudo', so pull this even - ok markus@ - - dtucker@cvs.openbsd.org 2005/12/14 04:36:39 - [regress/scp-ssh-wrapper.sh] - Fix assumption about how many args scp will pass; ok djm@ - NB. ID sync only, we already had this - - djm@cvs.openbsd.org 2006/01/27 06:49:21 - [scp.sh] - regress test for local to local scp copies; ok dtucker@ - - djm@cvs.openbsd.org 2006/01/31 10:23:23 - [scp.sh] - regression test for CVE-2006-0225 written by dtucker@ - - djm@cvs.openbsd.org 2006/01/31 10:36:33 - [scp.sh] - regress test for "scp a b c" where "c" is not a directory - -20060129 - - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the - opensshd.init script interpretter if /sbin/sh does not exist. ok tim@ - -20060120 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/15 17:37:05 - [ssh.1] - correction from deraadt - - jmc@cvs.openbsd.org 2006/01/18 10:53:29 - [ssh.1] - add a section on ssh-based vpn, based on reyk's README.tun; - - dtucker@cvs.openbsd.org 2006/01/20 00:14:55 - [scp.1 ssh.1 ssh_config.5 sftp.1] - Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot - #1056 with feedback from jmc, djm and markus; ok jmc@ djm@ - -20060114 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/06 13:27:32 - [ssh.1] - weed out some duplicate info in the known_hosts FILES entries; - ok djm - - jmc@cvs.openbsd.org 2006/01/06 13:29:10 - [ssh.1] - final round of whacking FILES for duplicate info, and some consistency - fixes; - ok djm - - jmc@cvs.openbsd.org 2006/01/12 14:44:12 - [ssh.1] - split sections on tcp and x11 forwarding into two sections. - add an example in the tcp section, based on sth i wrote for ssh faq; - help + ok: djm markus dtucker - - jmc@cvs.openbsd.org 2006/01/12 18:48:48 - [ssh.1] - refer to `TCP' rather than `TCP/IP' in the context of connection - forwarding; - ok markus - - jmc@cvs.openbsd.org 2006/01/12 22:20:00 - [sshd.8] - refer to TCP forwarding, rather than TCP/IP forwarding; - - jmc@cvs.openbsd.org 2006/01/12 22:26:02 - [ssh_config.5] - refer to TCP forwarding, rather than TCP/IP forwarding; - - jmc@cvs.openbsd.org 2006/01/12 22:34:12 - [ssh.1] - back out a sentence - AUTHENTICATION already documents this; - -20060109 - - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on - tcpip service so it's always started after IP is up. Patch from - vinschen at redhat.com. - -20060106 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/03 16:31:10 - [ssh.1] - move FILES to a -compact list, and make each files an item in that list. - this avoids nastly line wrap when we have long pathnames, and treats - each file as a separate item; - remove the .Pa too, since it is useless. - - jmc@cvs.openbsd.org 2006/01/03 16:35:30 - [ssh.1] - use a larger width for the ENVIRONMENT list; - - jmc@cvs.openbsd.org 2006/01/03 16:52:36 - [ssh.1] - put FILES in some sort of order: sort by pathname - - jmc@cvs.openbsd.org 2006/01/03 16:55:18 - [ssh.1] - tweak the description of ~/.ssh/environment - - jmc@cvs.openbsd.org 2006/01/04 18:42:46 - [ssh.1] - chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES - entries; - ok markus - - jmc@cvs.openbsd.org 2006/01/04 18:45:01 - [ssh.1] - remove .Xr's to rsh(1) and telnet(1): they are hardly needed; - - jmc@cvs.openbsd.org 2006/01/04 19:40:24 - [ssh.1] - +.Xr ssh-keyscan 1 , - - jmc@cvs.openbsd.org 2006/01/04 19:50:09 - [ssh.1] - -.Xr gzip 1 , - - djm@cvs.openbsd.org 2006/01/05 23:43:53 - [misc.c] - check that stdio file descriptors are actually closed before clobbering - them in sanitise_stdfd(). problems occurred when a lower numbered fd was - closed, but higher ones weren't. spotted by, and patch tested by - Frédéric Olivié - -20060103 - - (djm) [channels.c] clean up harmless merge error, from reyk@ - -20060103 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/02 17:09:49 - [ssh_config.5 sshd_config.5] - some corrections from michael knudsen; - -20060102 - - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/12/31 10:46:17 - [ssh.1] - merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER - AUTHENTICATION" sections into "AUTHENTICATION"; - some rewording done to make the text read better, plus some - improvements from djm; - ok djm - - jmc@cvs.openbsd.org 2005/12/31 13:44:04 - [ssh.1] - clean up ENVIRONMENT a little; - - jmc@cvs.openbsd.org 2005/12/31 13:45:19 - [ssh.1] - .Nm does not require an argument; - - stevesk@cvs.openbsd.org 2006/01/01 08:59:27 - [includes.h misc.c] - move <net/if.h>; ok djm@ - - stevesk@cvs.openbsd.org 2006/01/01 10:08:48 - [misc.c] - no trailing "\n" for debug() - - djm@cvs.openbsd.org 2006/01/02 01:20:31 - [sftp-client.c sftp-common.h sftp-server.c] - use a common max. packet length, no binary change - - reyk@cvs.openbsd.org 2006/01/02 07:53:44 - [misc.c] - clarify tun(4) opening - set the mode and bring the interface up. also - (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces. - suggested and ok by djm@ - - jmc@cvs.openbsd.org 2006/01/02 12:31:06 - [ssh.1] - start to cut some duplicate info from FILES; - help/ok djm - -20060101 - - (djm) [Makefile.in configure.ac includes.h misc.c] - [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support - for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is - limited to IPv4 tunnels only, and most versions don't support the - tap(4) device at all. - - (djm) [configure.ac] Fix linux/if_tun.h test - - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too - -20051229 - - (djm) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2005/12/28 22:46:06 - [canohost.c channels.c clientloop.c] - use 'break-in' for consistency; ok deraadt@ ok and input jmc@ - - reyk@cvs.openbsd.org 2005/12/30 15:56:37 - [channels.c channels.h clientloop.c] - add channel output filter interface. - ok djm@, suggested by markus@ - - jmc@cvs.openbsd.org 2005/12/30 16:59:00 - [sftp.1] - do not suggest that interactive authentication will work - with the -b flag; - based on a diff from john l. scarfone; - ok djm - - stevesk@cvs.openbsd.org 2005/12/31 01:38:45 - [ssh.1] - document -MM; ok djm@ - - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac] - [serverloop.c ssh.c openbsd-compat/Makefile.in] - [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding - compatability support for Linux, diff from reyk@ - - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does - not exist - - (djm) [configure.ac] oops, make that linux/if_tun.h - -20051229 - - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd - -20051224 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/12/20 21:59:43 - [ssh.1] - merge the sections on protocols 1 and 2 into one section on - authentication; - feedback djm dtucker - ok deraadt markus dtucker - - jmc@cvs.openbsd.org 2005/12/20 22:02:50 - [ssh.1] - .Ss -> .Sh: subsections have not made this page more readable - - jmc@cvs.openbsd.org 2005/12/20 22:09:41 - [ssh.1] - move info on ssh return values and config files up into the main - description; - - jmc@cvs.openbsd.org 2005/12/21 11:48:16 - [ssh.1] - -L and -R descriptions are now above, not below, ~C description; - - jmc@cvs.openbsd.org 2005/12/21 11:57:25 - [ssh.1] - options now described `above', rather than `later'; - - jmc@cvs.openbsd.org 2005/12/21 12:53:31 - [ssh.1] - -Y does X11 forwarding too; - ok markus - - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 - [sshd.8] - clarify precedence of -p, Port, ListenAddress; ok and help jmc@ - - jmc@cvs.openbsd.org 2005/12/22 10:31:40 - [ssh_config.5] - put the description of "UsePrivilegedPort" in the correct place; - - jmc@cvs.openbsd.org 2005/12/22 11:23:42 - [ssh.1] - expand the description of -w somewhat; - help/ok reyk - - jmc@cvs.openbsd.org 2005/12/23 14:55:53 - [ssh.1] - - sync the description of -e w/ synopsis - - simplify the description of -I - - note that -I is only available if support compiled in, and that it - isn't by default - feedback/ok djm@ - - jmc@cvs.openbsd.org 2005/12/23 23:46:23 - [ssh.1] - less mark up for -c; - - djm@cvs.openbsd.org 2005/12/24 02:27:41 - [session.c sshd.c] - eliminate some code duplicated in privsep and non-privsep paths, and - explicitly clear SIGALRM handler; "groovy" deraadt@ - -20051220 - - (dtucker) OpenBSD CVS Sync - - reyk@cvs.openbsd.org 2005/12/13 15:03:02 - [serverloop.c] - if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY - - jmc@cvs.openbsd.org 2005/12/16 18:07:08 - [ssh.1] - move the option descriptions up the page: start of a restructure; - ok markus deraadt - - jmc@cvs.openbsd.org 2005/12/16 18:08:53 - [ssh.1] - simplify a sentence; - - jmc@cvs.openbsd.org 2005/12/16 18:12:22 - [ssh.1] - make the description of -c a little nicer; - - jmc@cvs.openbsd.org 2005/12/16 18:14:40 - [ssh.1] - signpost the protocol sections; - - stevesk@cvs.openbsd.org 2005/12/17 21:13:05 - [ssh_config.5 session.c] - spelling: fowarding, fowarded - - stevesk@cvs.openbsd.org 2005/12/17 21:36:42 - [ssh_config.5] - spelling: intented -> intended - - dtucker@cvs.openbsd.org 2005/12/20 04:41:07 - [ssh.c] - exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@ - -20051219 - - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac - openbsd-compat/openssl-compat.h] Check for and work around broken AES - ciphers >128bit on (some) Solaris 10 systems. ok djm@ - -20051217 - - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which - scp.c also uses, so undef them here. - - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our - snprintf replacement can have a conflicting declaration in HP-UX's system - headers (const vs. no const) so we now check for and work around it. Patch - from the dynamic duo of David Leonard and Ted Percival. - -20051214 - - (dtucker) OpenBSD CVS Sync (regress/) - - dtucker@cvs.openbsd.org 2005/12/30 04:36:39 - [regress/scp-ssh-wrapper.sh] - Fix assumption about how many args scp will pass; ok djm@ - -20051213 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/11/30 11:18:27 - [ssh.1] - timezone -> time zone - - jmc@cvs.openbsd.org 2005/11/30 11:45:20 - [ssh.1] - avoid ambiguities in describing TZ; - ok djm@ - - reyk@cvs.openbsd.org 2005/12/06 22:38:28 - [auth-options.c auth-options.h channels.c channels.h clientloop.c] - [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] - [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] - [sshconnect.h sshd.8 sshd_config sshd_config.5] - Add support for tun(4) forwarding over OpenSSH, based on an idea and - initial channel code bits by markus@. This is a simple and easy way to - use OpenSSH for ad hoc virtual private network connections, e.g. - administrative tunnels or secure wireless access. It's based on a new - ssh channel and works similar to the existing TCP forwarding support, - except that it depends on the tun(4) network interface on both ends of - the connection for layer 2 or layer 3 tunneling. This diff also adds - support for LocalCommand in the ssh(1) client. - ok djm@, markus@, jmc@ (manpages), tested and discussed with others - - djm@cvs.openbsd.org 2005/12/07 03:52:22 - [clientloop.c] - reyk forgot to compile with -Werror (missing header) - - jmc@cvs.openbsd.org 2005/12/07 10:52:13 - [ssh.1] - - avoid line split in SYNOPSIS - - add args to -w - - kill trailing whitespace - - jmc@cvs.openbsd.org 2005/12/08 14:59:44 - [ssh.1 ssh_config.5] - make `!command' a little clearer; - ok reyk - - jmc@cvs.openbsd.org 2005/12/08 15:06:29 - [ssh_config.5] - keep options in order; - - reyk@cvs.openbsd.org 2005/12/08 18:34:11 - [auth-options.c includes.h misc.c misc.h readconf.c servconf.c] - [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac] - two changes to the new ssh tunnel support. this breaks compatibility - with the initial commit but is required for a portable approach. - - make the tunnel id u_int and platform friendly, use predefined types. - - support configuration of layer 2 (ethernet) or layer 3 - (point-to-point, default) modes. configuration is done using the - Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and - restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option - in sshd_config(5). - ok djm@, man page bits by jmc@ - - jmc@cvs.openbsd.org 2005/12/08 21:37:50 - [ssh_config.5] - new sentence, new line; - - markus@cvs.openbsd.org 2005/12/12 13:46:18 - [channels.c channels.h session.c] - make sure protocol messages for internal channels are ignored. - allow adjust messages for non-open channels; with and ok djm@ - - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable - again by providing a sys_tun_open() function for your platform and - setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match - OpenBSD's tunnel protocol, which prepends the address family to the - packet - -20051201 - - (djm) [envpass.sh] Remove regress script that was accidentally committed - in top level directory and not noticed for over a year :) - -20051129 - - (tim) [ssh-keygen.c] Move DSA length test after setting default when - bits == 0. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2005/11/29 02:04:55 - [ssh-keygen.c] - Populate default key sizes before checking them; from & ok tim@ - - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string) - for UnixWare. - -20051128 - - (dtucker) [regress/yes-head.sh] Work around breakage caused by some - versions of GNU head. Based on patch from zappaman at buraphalinux.org - - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use - _GNU_SOURCE instead. Patch from t8m at centrum.cz. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2005/11/28 05:16:53 - [ssh-keygen.1 ssh-keygen.c] - Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2, - increase minumum RSA key size to 768 bits and update man page to reflect - these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com), - ok djm@, grudging ok deraadt@. - - dtucker@cvs.openbsd.org 2005/11/28 06:02:56 - [ssh-agent.1] - Update agent socket path templates to reflect reality, correct xref for - time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@ - -20051126 - - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer, - when they're available) need the real UID set otherwise pam_chauthtok will - set ADMCHG after changing the password, forcing the user to change it - again immediately. - -20051125 - - (dtucker) [configure.ac] Apply tim's fix for older systems where the - resolver state in resolv.h is "state" not "__res_state". With slight - modification by me to also work on old AIXes. ok djm@ - - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for - snprintf formats, fixes warnings on some 64 bit platforms. Patch from - shaw at vranix.com, ok djm@ - -20051124 - - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c - openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an - asprintf() implementation, after syncing our {v,}snprintf() implementation - with some extra fixes from Samba's version. With help and debugging from - dtucker and tim; ok dtucker@ - - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument - order in Reliant Unix block. Patch from johane at lysator.liu.se. - - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so - many and use them only once. Speeds up testing on older/slower hardware. - -20051122 - - (dtucker) OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2005/11/12 18:37:59 - [ssh-add.c] - space - - deraadt@cvs.openbsd.org 2005/11/12 18:38:15 - [scp.c] - avoid close(-1), as in rcp; ok cloder - - millert@cvs.openbsd.org 2005/11/15 11:59:54 - [includes.h] - Include sys/queue.h explicitly instead of assuming some other header - will pull it in. At the moment it gets pulled in by sys/select.h - (which ssh has no business including) via event.h. OK markus@ - (ID sync only in -portable) - - dtucker@cvs.openbsd.org 2005/11/21 09:42:10 - [auth-krb5.c] - Perform Kerberos calls even for invalid users to prevent leaking - information about account validity. bz #975, patch originally from - Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, - ok markus@ - - dtucker@cvs.openbsd.org 2005/11/22 03:36:03 - [hostfile.c] - Correct format/arguments to debug call; spotted by shaw at vranix.com - ok djm@ - - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch - from shaw at vranix.com. - -20051120 - - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what - is going on. - -20051112 - - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific - ifdef lost during sync. Spotted by tim@. - - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag. - - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test. - - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@ - - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure - test: if sshd takes too long to reconfigure the subsequent connection will - fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready. - -20051110 - - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from - OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of - "register"). - - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove - unnecessary prototype. - - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c - revs 1.7 - 1.9. - - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path. - Patch from djm@. - - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+ - since they're not useful right now. Patch from djm@. - - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI - prototypes, removal of "register"). - - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal - of "register"). - - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to - after the copyright notices. Having them at the top next to the CVSIDs - guarantees a conflict for each and every sync. - - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10. - - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker. - - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7. - Removal of rcsid, "whiteout" inode type. - - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14. - Removal of rcsid, will no longer strlcpy parts of the string. - - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5. - - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7. - - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18. - - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5. - - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25. - - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9. - - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14. - - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up - with OpenBSD code since we don't support platforms without fstat any more. - - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9. - - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6. - - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7. - - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6. - - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6. - - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13. - - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19. - - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8. - - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker. - - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17. - - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4. - Id and copyright sync only, there were no substantial changes we need. - - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c] - -Wsign-compare fixes from djm. - - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3. - Id and copyright sync only, there were no substantial changes we need. - - (dtucker) [configure.ac] Try to get the gcc version number in a way that - doesn't change between versions, and use a safer default. - -20051105 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2005/10/07 11:13:57 - [ssh-keygen.c] - change DSA default back to 1024, as it's defined for 1024 bits only - and this causes interop problems with other clients. moreover, - in order to improve the security of DSA you need to change more - components of DSA key generation (e.g. the internal SHA1 hash); - ok deraadt - - djm@cvs.openbsd.org 2005/10/10 10:23:08 - [channels.c channels.h clientloop.c serverloop.c session.c] - fix regression I introduced in 4.2: X11 forwardings initiated after - a session has exited (e.g. "(sleep 5; xterm) &") would not start. - bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@ - - djm@cvs.openbsd.org 2005/10/11 23:37:37 - [channels.c] - bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing - bind() failure when a previous connection's listeners are in TIME_WAIT, - reported by plattner AT inf.ethz.ch; ok dtucker@ - - stevesk@cvs.openbsd.org 2005/10/13 14:03:01 - [auth2-gss.c gss-genr.c gss-serv.c] - remove unneeded #includes; ok markus@ - - stevesk@cvs.openbsd.org 2005/10/13 14:20:37 - [gss-serv.c] - spelling in comments - - stevesk@cvs.openbsd.org 2005/10/13 19:08:08 - [gss-serv-krb5.c gss-serv.c] - unused declarations; ok deraadt@ - (id sync only for gss-serv-krb5.c) - - stevesk@cvs.openbsd.org 2005/10/13 19:13:41 - [dns.c] - unneeded #include, unused declaration, little knf; ok deraadt@ - - stevesk@cvs.openbsd.org 2005/10/13 22:24:31 - [auth2-gss.c gss-genr.c gss-serv.c monitor.c] - KNF; ok djm@ - - stevesk@cvs.openbsd.org 2005/10/14 02:17:59 - [ssh-keygen.c ssh.c sshconnect2.c] - no trailing "\n" for log functions; ok djm@ - - stevesk@cvs.openbsd.org 2005/10/14 02:29:37 - [channels.c clientloop.c] - free()->xfree(); ok djm@ - - stevesk@cvs.openbsd.org 2005/10/15 15:28:12 - [sshconnect.c] - make external definition static; ok deraadt@ - - stevesk@cvs.openbsd.org 2005/10/17 13:45:05 - [dns.c] - fix memory leaks from 2 sources: - 1) key_fingerprint_raw() - 2) malloc in dns_read_rdata() - ok jakob@ - - stevesk@cvs.openbsd.org 2005/10/17 14:01:28 - [dns.c] - remove #ifdef LWRES; ok jakob@ - - stevesk@cvs.openbsd.org 2005/10/17 14:13:35 - [dns.c dns.h] - more cleanups; ok jakob@ - - djm@cvs.openbsd.org 2005/10/30 01:23:19 - [ssh_config.5] - mention control socket fallback behaviour, reported by - tryponraj AT gmail.com - - djm@cvs.openbsd.org 2005/10/30 04:01:03 - [ssh-keyscan.c] - make ssh-keygen discard junk from server before SSH- ident, spotted by - dave AT cirt.net; ok dtucker@ - - djm@cvs.openbsd.org 2005/10/30 04:03:24 - [ssh.c] - fix misleading debug message; ok dtucker@ - - dtucker@cvs.openbsd.org 2005/10/30 08:29:29 - [canohost.c sshd.c] - Check for connections with IP options earlier and drop silently. ok djm@ - - jmc@cvs.openbsd.org 2005/10/30 08:43:47 - [ssh_config.5] - remove trailing whitespace; - - djm@cvs.openbsd.org 2005/10/30 08:52:18 - [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c] - [ssh.c sshconnect.c sshconnect1.c sshd.c] - no need to escape single quotes in comments, no binary change - - dtucker@cvs.openbsd.org 2005/10/31 06:15:04 - [sftp.c] - Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@ - - djm@cvs.openbsd.org 2005/10/31 11:12:49 - [ssh-keygen.1 ssh-keygen.c] - generate a protocol 2 RSA key by default - - djm@cvs.openbsd.org 2005/10/31 11:48:29 - [serverloop.c] - make sure we clean up wtmp, etc. file when we receive a SIGTERM, - SIGINT or SIGQUIT when running without privilege separation (the - normal privsep case is already OK). Patch mainly by dtucker@ and - senthilkumar_sen AT hotpop.com; ok dtucker@ - - jmc@cvs.openbsd.org 2005/10/31 19:55:25 - [ssh-keygen.1] - grammar; - - dtucker@cvs.openbsd.org 2005/11/03 13:38:29 - [canohost.c] - Cache reverse lookups with and without DNS separately; ok markus@ - - djm@cvs.openbsd.org 2005/11/04 05:15:59 - [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] - remove hardcoded hash lengths in key exchange code, allowing - implementation of KEX methods with different hashes (e.g. SHA-256); - ok markus@ dtucker@ stevesk@ - - djm@cvs.openbsd.org 2005/11/05 05:01:15 - [bufaux.c] - Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT - cs.stanford.edu; ok dtucker@ - - (dtucker) [README.platform] Add PAM section. - - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version, - resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu; - ok dtucker@ - -20051102 - - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). - Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net - via FreeBSD. - -20051030 - - (djm) [contrib/suse/openssh.spec contrib/suse/rc. - sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init - files from imorgan AT nas.nasa.gov - - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is - enabled, instead allow PAM to handle it. Note that on platforms using PAM, - the pam_nologin module should be added to sshd's session stack in order to - maintain exising behaviour. Based on patch and discussion from t8m at - centrum.cz, ok djm@ - -20051025 - - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the - sizeof(long long) checks, to make fixing bug #1104 easier (no changes - yet). - - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't - understand "%lld", even though the compiler has "long long", so handle - it as a special case. Patch tested by mcaskill.scott at epa.gov. - - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no - prompt. Patch from vinschen at redhat.com. - -20051017 - - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling. - /etc/default/login report and testing from aabaker at iee.org, corrections - from tim@. - -20051009 - - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current - versions from OpenBSD. ok djm@ - -20051008 - - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from - brian.smith at agilent com. - - (djm) [configure.ac] missing 'test' call for -with-Werror test - -20051005 - - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended - "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and - senthilkumar_sen at hotpop.com. - -20051003 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2005/09/07 08:53:53 - [channels.c] - enforce chanid != NULL; ok djm - - markus@cvs.openbsd.org 2005/09/09 19:18:05 - [clientloop.c] - typo; from mark at mcs.vuw.ac.nz, bug #1082 - - djm@cvs.openbsd.org 2005/09/13 23:40:07 - [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c - scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c] - ensure that stdio fds are attached; ok deraadt@ - - djm@cvs.openbsd.org 2005/09/19 11:37:34 - [ssh_config.5 ssh.1] - mention ability to specify bind_address for DynamicForward and -D options; - bz#1077 spotted by Haruyama Seigo - - djm@cvs.openbsd.org 2005/09/19 11:47:09 - [sshd.c] - stop connection abort on rekey with delayed compression enabled when - post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@ - - djm@cvs.openbsd.org 2005/09/19 11:48:10 - [gss-serv.c] - typo - - jmc@cvs.openbsd.org 2005/09/19 15:38:27 - [ssh.1] - some more .Bk/.Ek to avoid ugly line split; - - jmc@cvs.openbsd.org 2005/09/19 15:42:44 - [ssh.c] - update -D usage here too; - - djm@cvs.openbsd.org 2005/09/19 23:31:31 - [ssh.1] - spelling nit from stevesk@ - - djm@cvs.openbsd.org 2005/09/21 23:36:54 - [sshd_config.5] - aquire -> acquire, from stevesk@ - - djm@cvs.openbsd.org 2005/09/21 23:37:11 - [sshd.c] - change label at markus@'s request - - jaredy@cvs.openbsd.org 2005/09/30 20:34:26 - [ssh-keyscan.1] - deploy .An -nosplit; ok jmc - - dtucker@cvs.openbsd.org 2005/10/03 07:44:42 - [canohost.c] - Relocate check_ip_options call to prevent logging of garbage for - connections with IP options set. bz#1092 from David Leonard, - "looks good" deraadt@ - - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp - is required in the system path for the multiplex test to work. - -20050930 - - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype - for strtoll. Patch from o.flebbe at science-computing.de. - - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep - child during PAM account check without clearing it. This restores the - post-login warnings such as LDAP password expiry. Patch from Tomas Mraz - with help from several others. - -20050929 - - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg - introduced during sync. - -20050928 - - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency. - - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from - PAM via keyboard-interactive. Patch tested by the folks at Vintela. - -20050927 - - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid - calls, since they can't possibly fail. ok djm@ - - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed - process when sshd relies on ssh-random-helper. Should result in faster - logins on systems without a real random device or prngd. ok djm@ - -20050924 - - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove - duplicate call. ok djm@ - -20050922 - - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from - skeleten at shillest.net. - - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at - shillest.net. - -20050919 - - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to - AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages. - ok dtucker@ - -20050912 - - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by - Mike Frysinger. - -20050908 - - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to - OpenServer 6 and add osr5bigcrypt support so when someone migrates - passwords between UnixWare and OpenServer they will still work. OK dtucker@ - -$Id: ChangeLog,v 1.5095 2008/07/21 08:22:25 djm Exp $ |