| 20090128 |
| - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. |
| Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. |
| The information given for the setting of the CYGWIN environment variable |
| is wrong for both releases so I just removed it, together with the |
| unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. |
| |
| 20081228 |
| - (djm) OpenBSD CVS Sync |
| - stevesk@cvs.openbsd.org 2008/12/09 03:20:42 |
| [channels.c servconf.c] |
| channel_print_adm_permitted_opens() should deal with all the printing |
| for that config option. suggested by markus@; ok markus@ djm@ |
| dtucker@ |
| - djm@cvs.openbsd.org 2008/12/09 04:32:22 |
| [auth2-chall.c] |
| replace by-hand string building with xasprinf(); ok deraadt@ |
| - sobrado@cvs.openbsd.org 2008/12/09 15:35:00 |
| [sftp.1 sftp.c] |
| update for the synopses displayed by the 'help' command, there are a |
| few missing flags; add 'bye' to the output of 'help'; sorting and spacing. |
| jmc@ suggested replacing .Oo/.Oc with a single .Op macro. |
| ok jmc@ |
| - stevesk@cvs.openbsd.org 2008/12/09 22:37:33 |
| [clientloop.c] |
| fix typo in error message |
| - stevesk@cvs.openbsd.org 2008/12/10 03:55:20 |
| [addrmatch.c] |
| o cannot be NULL here but use xfree() to be consistent; ok djm@ |
| - stevesk@cvs.openbsd.org 2008/12/29 01:12:36 |
| [ssh-keyscan.1] |
| fix example, default key type is rsa for 3+ years; from |
| frederic.perrin@resel.fr |
| - stevesk@cvs.openbsd.org 2008/12/29 02:23:26 |
| [pathnames.h] |
| no need to escape single quotes in comments |
| - okan@cvs.openbsd.org 2008/12/30 00:46:56 |
| [sshd_config.5] |
| add AllowAgentForwarding to available Match keywords list |
| ok djm |
| - djm@cvs.openbsd.org 2009/01/01 21:14:35 |
| [channels.c] |
| call channel destroy callbacks on receipt of open failure messages. |
| fixes client hangs when connecting to a server that has MaxSessions=0 |
| set spotted by imorgan AT nas.nasa.gov; ok markus@ |
| - djm@cvs.openbsd.org 2009/01/01 21:17:36 |
| [kexgexs.c] |
| fix hash calculation for KEXGEX: hash over the original client-supplied |
| values and not the sanity checked versions that we acutally use; |
| bz#1540 reported by john.smith AT arrows.demon.co.uk |
| ok markus@ |
| - djm@cvs.openbsd.org 2009/01/14 01:38:06 |
| [channels.c] |
| support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482; |
| "looks ok" markus@ |
| - stevesk@cvs.openbsd.org 2009/01/15 17:38:43 |
| [readconf.c] |
| 1) use obsolete instead of alias for consistency |
| 2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is |
| so move the comment. |
| 3) reorder so like options are together |
| ok djm@ |
| - djm@cvs.openbsd.org 2009/01/22 09:46:01 |
| [channels.c channels.h session.c] |
| make Channel->path an allocated string, saving a few bytes here and |
| there and fixing bz#1380 in the process; ok markus@ |
| - djm@cvs.openbsd.org 2009/01/22 09:49:57 |
| [channels.c] |
| oops! I committed the wrong version of the Channel->path diff, |
| it was missing some tweaks suggested by stevesk@ |
| - djm@cvs.openbsd.org 2009/01/22 10:02:34 |
| [clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h] |
| [serverloop.c ssh-keyscan.c ssh.c sshd.c] |
| make a2port() return -1 when it encounters an invalid port number |
| rather than 0, which it will now treat as valid (needed for future work) |
| adjust current consumers of a2port() to check its return value is <= 0, |
| which in turn required some things to be converted from u_short => int |
| make use of int vs. u_short consistent in some other places too |
| feedback & ok markus@ |
| - djm@cvs.openbsd.org 2009/01/22 10:09:16 |
| [auth-options.c] |
| another chunk of a2port() diff that got away. wtfdjm?? |
| - djm@cvs.openbsd.org 2009/01/23 07:58:11 |
| [myproposal.h] |
| prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC |
| modes; ok markus@ |
| - naddy@cvs.openbsd.org 2009/01/24 17:10:22 |
| [ssh_config.5 sshd_config.5] |
| sync list of preferred ciphers; ok djm@ |
| - markus@cvs.openbsd.org 2009/01/26 09:58:15 |
| [cipher.c cipher.h packet.c] |
| Work around the CPNI-957037 Plaintext Recovery Attack by always |
| reading 256K of data on packet size or HMAC errors (in CBC mode only). |
| Help, feedback and ok djm@ |
| Feedback from Martin Albrecht and Paterson Kenny |
| |
| 20090107 |
| - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X. |
| Patch based on one from vgiffin AT apple.com; ok dtucker@ |
| - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via |
| launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked; |
| ok dtucker@ |
| - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make |
| ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity" |
| key). Patch from cjwatson AT debian.org |
| |
| 20090107 |
| - (tim) [configure.ac defines.h openbsd-compat/port-uw.c |
| openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI. |
| OK djm@ dtucker@ |
| - (tim) [configure.ac] Move check_for_libcrypt_later=1 in *-*-sysv5*) section. |
| OpenServer 6 doesn't need libcrypt. |
| |
| 20081209 |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/12/09 02:38:18 |
| [clientloop.c] |
| The ~C escape handler does not work correctly for multiplexed sessions - |
| it opens a commandline on the master session, instead of on the slave |
| that requested it. Disable it on slave sessions until such time as it |
| is fixed; bz#1543 report from Adrian Bridgett via Colin Watson |
| ok markus@ |
| - djm@cvs.openbsd.org 2008/12/09 02:39:59 |
| [sftp.c] |
| Deal correctly with failures in remote stat() operation in sftp, |
| correcting fail-on-error behaviour in batchmode. bz#1541 report and |
| fix from anedvedicky AT gmail.com; ok markus@ |
| - djm@cvs.openbsd.org 2008/12/09 02:58:16 |
| [readconf.c] |
| don't leave junk (free'd) pointers around in Forward *fwd argument on |
| failure; avoids double-free in ~C -L handler when given an invalid |
| forwarding specification; bz#1539 report from adejong AT debian.org |
| via Colin Watson; ok markus@ dtucker@ |
| - djm@cvs.openbsd.org 2008/12/09 03:02:37 |
| [sftp.1 sftp.c] |
| correct sftp(1) and corresponding usage syntax; |
| bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@ |
| |
| 20081208 |
| - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually |
| use some stack in main(). |
| Report and suggested fix from vapier AT gentoo.org |
| - (djm) OpenBSD CVS Sync |
| - markus@cvs.openbsd.org 2008/12/02 19:01:07 |
| [clientloop.c] |
| we have to use the recipient's channel number (RFC 4254) for |
| SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages, |
| otherwise we trigger 'Non-public channel' error messages on sshd |
| systems with clientkeepalive enabled; noticed by sturm; ok djm; |
| - markus@cvs.openbsd.org 2008/12/02 19:08:59 |
| [serverloop.c] |
| backout 1.149, since it's not necessary and openssh clients send |
| broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@ |
| - markus@cvs.openbsd.org 2008/12/02 19:09:38 |
| [channels.c] |
| s/remote_id/id/ to be more consistent with other code; ok djm@ |
| |
| 20081201 |
| - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files |
| and tweak the is-sshd-running check in ssh-host-config. Patch from |
| vinschen at redhat com. |
| - (dtucker) OpenBSD CVS Sync |
| - markus@cvs.openbsd.org 2008/11/21 15:47:38 |
| [packet.c] |
| packet_disconnect() on padding error, too. should reduce the success |
| probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 |
| ok djm@ |
| - dtucker@cvs.openbsd.org 2008/11/30 11:59:26 |
| [monitor_fdpass.c] |
| Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@ |
| |
| 20081123 |
| - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some |
| declarations, removing an unnecessary union member and adding whitespace. |
| cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago. |
| |
| 20081118 |
| - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id |
| member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and |
| feedback by djm@ |
| |
| 20081111 |
| - (dtucker) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2008/11/05 11:22:54 |
| [servconf.c] |
| passord -> password; |
| fixes user/5975 from Rene Maroufi |
| - stevesk@cvs.openbsd.org 2008/11/07 00:42:12 |
| [ssh-keygen.c] |
| spelling/typo in comment |
| - stevesk@cvs.openbsd.org 2008/11/07 18:50:18 |
| [nchan.c] |
| add space to some log/debug messages for readability; ok djm@ markus@ |
| - dtucker@cvs.openbsd.org 2008/11/07 23:34:48 |
| [auth2-jpake.c] |
| Move JPAKE define to make life easier for portable. ok djm@ |
| - tobias@cvs.openbsd.org 2008/11/09 12:34:47 |
| [session.c ssh.1] |
| typo fixed (overriden -> overridden) |
| ok espie, jmc |
| - stevesk@cvs.openbsd.org 2008/11/11 02:58:09 |
| [servconf.c] |
| USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing |
| kerberosgetafstoken. ok dtucker@ |
| (Id sync only, we still want the ifdef in portable) |
| - stevesk@cvs.openbsd.org 2008/11/11 03:55:11 |
| [channels.c] |
| for sshd -T print 'permitopen any' vs. 'permitopen' for case of no |
| permitopen's; ok and input dtucker@ |
| - djm@cvs.openbsd.org 2008/11/10 02:06:35 |
| [regress/putty-ciphers.sh] |
| PuTTY supports AES CTR modes, so interop test against them too |
| |
| 20081105 |
| - OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/11/03 08:59:41 |
| [servconf.c] |
| include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov |
| - djm@cvs.openbsd.org 2008/11/04 07:58:09 |
| [auth.c] |
| need unistd.h for close() prototype |
| (ID sync only) |
| - djm@cvs.openbsd.org 2008/11/04 08:22:13 |
| [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] |
| [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] |
| [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] |
| [Makefile.in] |
| Add support for an experimental zero-knowledge password authentication |
| method using the J-PAKE protocol described in F. Hao, P. Ryan, |
| "Password Authenticated Key Exchange by Juggling", 16th Workshop on |
| Security Protocols, Cambridge, April 2008. |
| |
| This method allows password-based authentication without exposing |
| the password to the server. Instead, the client and server exchange |
| cryptographic proofs to demonstrate of knowledge of the password while |
| revealing nothing useful to an attacker or compromised endpoint. |
| |
| This is experimental, work-in-progress code and is presently |
| compiled-time disabled (turn on -DJPAKE in Makefile.inc). |
| |
| "just commit it. It isn't too intrusive." deraadt@ |
| - stevesk@cvs.openbsd.org 2008/11/04 19:18:00 |
| [readconf.c] |
| because parse_forward() is now used to parse all forward types (DLR), |
| and it malloc's space for host variables, we don't need to malloc |
| here. fixes small memory leaks. |
| |
| previously dynamic forwards were not parsed in parse_forward() and |
| space was not malloc'd in that case. |
| |
| ok djm@ |
| - stevesk@cvs.openbsd.org 2008/11/05 03:23:09 |
| [clientloop.c ssh.1] |
| add dynamic forward escape command line; ok djm@ |
| |
| 20081103 |
| - OpenBSD CVS Sync |
| - sthen@cvs.openbsd.org 2008/07/24 23:55:30 |
| [ssh-keygen.1] |
| Add "ssh-keygen -F -l" to synopsis (displays fingerprint from |
| known_hosts). ok djm@ |
| - grunk@cvs.openbsd.org 2008/07/25 06:56:35 |
| [ssh_config] |
| Add VisualHostKey to example file, ok djm@ |
| - grunk@cvs.openbsd.org 2008/07/25 07:05:16 |
| [key.c] |
| In random art visualization, make sure to use the end marker only at the |
| end. Initial diff by Dirk Loss, tweaks and ok djm@ |
| - markus@cvs.openbsd.org 2008/07/31 14:48:28 |
| [sshconnect2.c] |
| don't allocate space for empty banners; report t8m at centrum.cz; |
| ok deraadt |
| - krw@cvs.openbsd.org 2008/08/02 04:29:51 |
| [ssh_config.5] |
| whitepsace -> whitespace. From Matthew Clarke via bugs@. |
| - djm@cvs.openbsd.org 2008/08/21 04:09:57 |
| [session.c] |
| allow ForceCommand internal-sftp with arguments. based on patch from |
| michael.barabanov AT gmail.com; ok markus@ |
| - djm@cvs.openbsd.org 2008/09/06 12:24:13 |
| [kex.c] |
| OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our |
| replacement anymore |
| (ID sync only for portable - we still need this) |
| - markus@cvs.openbsd.org 2008/09/11 14:22:37 |
| [compat.c compat.h nchan.c ssh.c] |
| only send eow and no-more-sessions requests to openssh 5 and newer; |
| fixes interop problems with broken ssh v2 implementations; ok djm@ |
| - millert@cvs.openbsd.org 2008/10/02 14:39:35 |
| [session.c] |
| Convert an unchecked strdup to xstrdup. OK deraadt@ |
| - jmc@cvs.openbsd.org 2008/10/03 13:08:12 |
| [sshd.8] |
| do not give an example of how to chmod files: we can presume the user |
| knows that. removes an ambiguity in the permission of authorized_keys; |
| ok deraadt |
| - deraadt@cvs.openbsd.org 2008/10/03 23:56:28 |
| [sshconnect2.c] |
| Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the |
| function. |
| spotted by des@freebsd, who commited an incorrect fix to the freebsd tree |
| and (as is fairly typical) did not report the problem to us. But this fix |
| is correct. |
| ok djm |
| - djm@cvs.openbsd.org 2008/10/08 23:34:03 |
| [ssh.1 ssh.c] |
| Add -y option to force logging via syslog rather than stderr. |
| Useful for daemonised ssh connection (ssh -f). Patch originally from |
| and ok'd by markus@ |
| - djm@cvs.openbsd.org 2008/10/09 03:50:54 |
| [servconf.c sshd_config.5] |
| support setting PermitEmptyPasswords in a Match block |
| requested in PR3891; ok dtucker@ |
| - jmc@cvs.openbsd.org 2008/10/09 06:54:22 |
| [ssh.c] |
| add -y to usage(); |
| - stevesk@cvs.openbsd.org 2008/10/10 04:55:16 |
| [scp.c] |
| spelling in comment; ok djm@ |
| - stevesk@cvs.openbsd.org 2008/10/10 05:00:12 |
| [key.c] |
| typo in error message; ok djm@ |
| - stevesk@cvs.openbsd.org 2008/10/10 16:43:27 |
| [ssh_config.5] |
| use 'Privileged ports can be forwarded only when logging in as root on |
| the remote machine.' for RemoteForward just like ssh.1 -R. |
| ok djm@ jmc@ |
| - stevesk@cvs.openbsd.org 2008/10/14 18:11:33 |
| [sshconnect.c] |
| use #define ROQUIET here; no binary change. ok dtucker@ |
| - stevesk@cvs.openbsd.org 2008/10/17 18:36:24 |
| [ssh_config.5] |
| correct and clarify VisualHostKey; ok jmc@ |
| - stevesk@cvs.openbsd.org 2008/10/30 19:31:16 |
| [clientloop.c sshd.c] |
| don't need to #include "monitor_fdpass.h" |
| - stevesk@cvs.openbsd.org 2008/10/31 15:05:34 |
| [dispatch.c] |
| remove unused #define DISPATCH_MIN; ok markus@ |
| - djm@cvs.openbsd.org 2008/11/01 04:50:08 |
| [sshconnect2.c] |
| sprinkle ARGSUSED on dispatch handlers |
| nuke stale unusued prototype |
| - stevesk@cvs.openbsd.org 2008/11/01 06:43:33 |
| [channels.c] |
| fix some typos in log messages; ok djm@ |
| - sobrado@cvs.openbsd.org 2008/11/01 11:14:36 |
| [ssh-keyscan.1 ssh-keyscan.c] |
| the ellipsis is not an optional argument; while here, improve spacing. |
| - stevesk@cvs.openbsd.org 2008/11/01 17:40:33 |
| [clientloop.c readconf.c readconf.h ssh.c] |
| merge dynamic forward parsing into parse_forward(); |
| 'i think this is OK' djm@ |
| - stevesk@cvs.openbsd.org 2008/11/02 00:16:16 |
| [ttymodes.c] |
| protocol 2 tty modes support is now 7.5 years old so remove these |
| debug3()s; ok deraadt@ |
| - stevesk@cvs.openbsd.org 2008/11/03 01:07:02 |
| [readconf.c] |
| remove valueless comment |
| - stevesk@cvs.openbsd.org 2008/11/03 02:44:41 |
| [readconf.c] |
| fix comment |
| - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd] |
| Make example scripts generate keys with default sizes rather than fixed, |
| non-default 1024 bits; patch from imorgan AT nas.nasa.gov |
| - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam] |
| [contrib/redhat/sshd.pam] Move pam_nologin to account group from |
| incorrect auth group in example files; |
| patch from imorgan AT nas.nasa.gov |
| |
| 20080906 |
| - (dtucker) [config.guess config.sub] Update to latest versions from |
| http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16 |
| respectively). |
| |
| 20080830 |
| - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs |
| larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch |
| from Nicholas Marriott. |
| |
| 20080721 |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/07/23 07:36:55 |
| [servconf.c] |
| do not try to print options that have been compile-time disabled |
| in config test mode (sshd -T); report from nix-corp AT esperi.org.uk |
| ok dtucker@ |
| - (djm) [servconf.c] Print UsePAM option in config test mode (when it |
| has been compiled in); report from nix-corp AT esperi.org.uk |
| ok dtucker@ |
| |
| 20080721 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2008/07/18 22:51:01 |
| [sftp-server.8] |
| no need for .Pp before or after .Sh; |
| - djm@cvs.openbsd.org 2008/07/21 08:19:07 |
| [version.h] |
| openssh-5.1 |
| - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| [contrib/suse/openssh.spec] Update version number in README and RPM specs |
| - (djm) Release OpenSSH-5.1 |
| |
| 20080717 |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/07/17 08:48:00 |
| [sshconnect2.c] |
| strnvis preauth banner; pointed out by mpf@ ok markus@ |
| - djm@cvs.openbsd.org 2008/07/17 08:51:07 |
| [auth2-hostbased.c] |
| strip trailing '.' from hostname when HostbasedUsesNameFromPacketOnly=yes |
| report and patch from res AT qoxp.net (bz#1200); ok markus@ |
| - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Remove long-unneeded compat |
| code, replace with equivalent cygwin library call. Patch from vinschen |
| at redhat.com, ok djm@. |
| - (djm) [sshconnect2.c] vis.h isn't available everywhere |
| |
| 20080716 |
| - OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/07/15 02:23:14 |
| [sftp.1] |
| number of pipelined requests is now 64; |
| prodded by Iain.Morgan AT nasa.gov |
| - djm@cvs.openbsd.org 2008/07/16 11:51:14 |
| [clientloop.c] |
| rename variable first_gc -> last_gc (since it is actually the last |
| in the list). |
| - djm@cvs.openbsd.org 2008/07/16 11:52:19 |
| [channels.c] |
| this loop index should be automatic, not static |
| |
| 20080714 |
| - (djm) OpenBSD CVS Sync |
| - sthen@cvs.openbsd.org 2008/07/13 21:22:52 |
| [ssh-keygen.c] |
| Change "ssh-keygen -F [host] -l" to not display random art unless |
| -v is also specified, making it consistent with the manual and other |
| uses of -l. |
| ok grunk@ |
| - djm@cvs.openbsd.org 2008/07/13 22:13:07 |
| [channels.c] |
| use struct sockaddr_storage instead of struct sockaddr for accept(2) |
| address argument. from visibilis AT yahoo.com in bz#1485; ok markus@ |
| - djm@cvs.openbsd.org 2008/07/13 22:16:03 |
| [sftp.c] |
| increase number of piplelined requests so they properly fill the |
| (recently increased) channel window. prompted by rapier AT psc.edu; |
| ok markus@ |
| - djm@cvs.openbsd.org 2008/07/14 01:55:56 |
| [sftp-server.8] |
| mention requirement for /dev/log inside chroot when using sftp-server |
| with ChrootDirectory |
| - (djm) [openbsd-compat/bindresvport.c] Rename variables s/sin/in/ to |
| avoid clash with sin(3) function; reported by |
| cristian.ionescu-idbohrn AT axis.com |
| - (djm) [openbsd-compat/rresvport.c] Add unistd.h for missing close() |
| prototype; reported by cristian.ionescu-idbohrn AT axis.com |
| - (djm) [umac.c] Rename variable s/buffer_ptr/bufp/ to avoid clash; |
| reported by cristian.ionescu-idbohrn AT axis.com |
| - (djm) [contrib/cygwin/Makefile contrib/cygwin/ssh-host-config] |
| [contrib/cygwin/ssh-user-config contrib/cygwin/sshd-inetd] |
| Revamped and simplified Cygwin ssh-host-config script that uses |
| unified csih configuration tool. Requires recent Cygwin. |
| Patch from vinschen AT redhat.com |
| |
| 20080712 |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/07/12 04:52:50 |
| [channels.c] |
| unbreak; move clearing of cctx struct to before first use |
| reported by dkrause@ |
| - djm@cvs.openbsd.org 2008/07/12 05:33:41 |
| [scp.1] |
| better description for -i flag: |
| s/RSA authentication/public key authentication/ |
| - (djm) [openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h] |
| return EAI_FAMILY when trying to lookup unsupported address family; |
| from vinschen AT redhat.com |
| |
| 20080711 |
| - (djm) OpenBSD CVS Sync |
| - stevesk@cvs.openbsd.org 2008/07/07 00:31:41 |
| [ttymodes.c] |
| we don't need arg after the debug3() was removed. from lint. |
| ok djm@ |
| - stevesk@cvs.openbsd.org 2008/07/07 23:32:51 |
| [key.c] |
| /*NOTREACHED*/ for lint warning: |
| warning: function key_equal falls off bottom without returning value |
| ok djm@ |
| - markus@cvs.openbsd.org 2008/07/10 18:05:58 |
| [channels.c] |
| missing bzero; from mickey; ok djm@ |
| - markus@cvs.openbsd.org 2008/07/10 18:08:11 |
| [clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c] |
| sync v1 and v2 traffic accounting; add it to sshd, too; |
| ok djm@, dtucker@ |
| |
| 20080709 |
| - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass |
| - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM |
| account check failure path. The vulnerable format buffer is supplied |
| from PAM and should not contain attacker-supplied data. |
| - (djm) [auth.c] Missing unistd.h for close() |
| - (djm) [configure.ac] Add -Wformat-security to CFLAGS for gcc 3.x and 4.x |
| |
| 20080705 |
| - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed |
| passwords disabled. bz#1083 report & patch from senthilkumar_sen AT |
| hotpop.com, w/ dtucker@ |
| - (djm) [atomicio.c configure.ac] Disable poll() fallback in atomiciov for |
| Tru64. readv doesn't seem to be a comparable object there. |
| bz#1386, patch from dtucker@ ok me |
| - (djm) [Makefile.in] Pass though pass to conch for interop tests |
| - (djm) [configure.ac] unbreak: remove extra closing brace |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/07/04 23:08:25 |
| [packet.c] |
| handle EINTR in packet_write_poll()l ok dtucker@ |
| - djm@cvs.openbsd.org 2008/07/04 23:30:16 |
| [auth1.c auth2.c] |
| Make protocol 1 MaxAuthTries logic match protocol 2's. |
| Do not treat the first protocol 2 authentication attempt as |
| a failure IFF it is for method "none". |
| Makes MaxAuthTries' user-visible behaviour identical for |
| protocol 1 vs 2. |
| ok dtucker@ |
| - djm@cvs.openbsd.org 2008/07/05 05:16:01 |
| [PROTOCOL] |
| grammar |
| |
| 20080704 |
| - (dtucker) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/07/02 13:30:34 |
| [auth2.c] |
| really really remove the freebie "none" auth try for protocol 2 |
| - djm@cvs.openbsd.org 2008/07/02 13:47:39 |
| [ssh.1 ssh.c] |
| When forking after authentication ("ssh -f") with ExitOnForwardFailure |
| enabled, delay the fork until after replies for any -R forwards have |
| been seen. Allows for robust detection of -R forward failure when |
| using -f (similar to bz#92); ok dtucker@ |
| - otto@cvs.openbsd.org 2008/07/03 21:46:58 |
| [auth2-pubkey.c] |
| avoid nasty double free; ok dtucker@ djm@ |
| - djm@cvs.openbsd.org 2008/07/04 03:44:59 |
| [servconf.c groupaccess.h groupaccess.c] |
| support negation of groups in "Match group" block (bz#1315); ok dtucker@ |
| - dtucker@cvs.openbsd.org 2008/07/04 03:47:02 |
| [monitor.c] |
| Make debug a little clearer. ok djm@ |
| - djm@cvs.openbsd.org 2008/06/30 08:07:34 |
| [regress/key-options.sh] |
| shell portability: use "=" instead of "==" in test(1) expressions, |
| double-quote string with backslash escaped / |
| - djm@cvs.openbsd.org 2008/06/30 10:31:11 |
| [regress/{putty-transfer,putty-kex,putty-ciphers}.sh] |
| remove "set -e" left over from debugging |
| - djm@cvs.openbsd.org 2008/06/30 10:43:03 |
| [regress/conch-ciphers.sh] |
| explicitly disable conch options that could interfere with the test |
| - (dtucker) [sftp-server.c] Bug #1447: fall back to racy rename if link |
| returns EXDEV. Patch from Mike Garrison, ok djm@ |
| - (djm) [atomicio.c channels.c clientloop.c defines.h includes.h] |
| [packet.c scp.c serverloop.c sftp-client.c ssh-agent.c ssh-keyscan.c] |
| [sshd.c] Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on |
| some platforms (HP nonstop) it is a distinct errno; |
| bz#1467 reported by sconeu AT yahoo.com; ok dtucker@ |
| |
| 20080702 |
| - (dtucker) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/06/30 08:05:59 |
| [PROTOCOL.agent] |
| typo: s/constraint_date/constraint_data/ |
| - djm@cvs.openbsd.org 2008/06/30 12:15:39 |
| [serverloop.c] |
| only pass channel requests on session channels through to the session |
| channel handler, avoiding spurious log messages; ok! markus@ |
| - djm@cvs.openbsd.org 2008/06/30 12:16:02 |
| [nchan.c] |
| only send eow@openssh.com notifications for session channels; ok! markus@ |
| - djm@cvs.openbsd.org 2008/06/30 12:18:34 |
| [PROTOCOL] |
| clarify that eow@openssh.com is only sent on session channels |
| - dtucker@cvs.openbsd.org 2008/07/01 07:20:52 |
| [sshconnect.c] |
| Check ExitOnForwardFailure if forwardings are disabled due to a failed |
| host key check. ok djm@ |
| - dtucker@cvs.openbsd.org 2008/07/01 07:24:22 |
| [sshconnect.c sshd.c] |
| Send CR LF during protocol banner exchanges, but only for Protocol 2 only, |
| in order to comply with RFC 4253. bz #1443, ok djm@ |
| - stevesk@cvs.openbsd.org 2008/07/01 23:12:47 |
| [PROTOCOL.agent] |
| fix some typos; ok djm@ |
| - djm@cvs.openbsd.org 2008/07/02 02:24:18 |
| [sshd_config sshd_config.5 sshd.8 servconf.c] |
| increase default size of ssh protocol 1 ephemeral key from 768 to 1024 |
| bits; prodded by & ok dtucker@ ok deraadt@ |
| - dtucker@cvs.openbsd.org 2008/07/02 12:03:51 |
| [auth-rsa.c auth.c auth2-pubkey.c auth.h] |
| Merge duplicate host key file checks, based in part on a patch from Rob |
| Holland via bz #1348 . Also checks for non-regular files during protocol |
| 1 RSA auth. ok djm@ |
| - djm@cvs.openbsd.org 2008/07/02 12:36:39 |
| [auth2-none.c auth2.c] |
| Make protocol 2 MaxAuthTries behaviour a little more sensible: |
| Check whether client has exceeded MaxAuthTries before running |
| an authentication method and skip it if they have, previously it |
| would always allow one try (for "none" auth). |
| Preincrement failure count before post-auth test - previously this |
| checked and postincremented, also to allow one "none" try. |
| Together, these two changes always count the "none" auth method |
| which could be skipped by a malicious client (e.g. an SSH worm) |
| to get an extra attempt at a real auth method. They also make |
| MaxAuthTries=0 a useful way to block users entirely (esp. in a |
| sshd_config Match block). |
| Also, move sending of any preauth banner from "none" auth method |
| to the first call to input_userauth_request(), so worms that skip |
| the "none" method get to see it too. |
| |
| 20080630 |
| - (djm) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 |
| [regress/Makefile regress/key-options.sh] |
| Add regress test for key options. ok djm@ |
| - dtucker@cvs.openbsd.org 2008/06/11 23:11:40 |
| [regress/Makefile] |
| Don't run cipher-speed test by default; mistakenly enabled by me |
| - djm@cvs.openbsd.org 2008/06/28 13:57:25 |
| [regress/Makefile regress/test-exec.sh regress/conch-ciphers.sh] |
| very basic regress test against Twisted Conch in "make interop" |
| target (conch is available in ports/devel/py-twisted/conch); |
| ok markus@ |
| - (djm) [regress/Makefile] search for conch by path, like we do putty |
| |
| 20080629 |
| - (djm) OpenBSD CVS Sync |
| - martynas@cvs.openbsd.org 2008/06/21 07:46:46 |
| [sftp.c] |
| use optopt to get invalid flag, instead of return value of getopt, |
| which is always '?'; ok djm@ |
| - otto@cvs.openbsd.org 2008/06/25 11:13:43 |
| [key.c] |
| add key length to visual fingerprint; zap magical constants; |
| ok grunk@ djm@ |
| - djm@cvs.openbsd.org 2008/06/26 06:10:09 |
| [sftp-client.c sftp-server.c] |
| allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky |
| bits. Note that this only affects explicit setting of modes (e.g. via |
| sftp(1)'s chmod command) and not file transfers. (bz#1310) |
| ok deraadt@ at c2k8 |
| - djm@cvs.openbsd.org 2008/06/26 09:19:40 |
| [dh.c dh.h moduli.c] |
| when loading moduli from /etc/moduli in sshd(8), check that they |
| are of the expected "safe prime" structure and have had |
| appropriate primality tests performed; |
| feedback and ok dtucker@ |
| - grunk@cvs.openbsd.org 2008/06/26 11:46:31 |
| [readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c] |
| Move SSH Fingerprint Visualization away from sharing the config option |
| CheckHostIP to an own config option named VisualHostKey. |
| While there, fix the behaviour that ssh would draw a random art picture |
| on every newly seen host even when the option was not enabled. |
| prodded by deraadt@, discussions, |
| help and ok markus@ djm@ dtucker@ |
| - jmc@cvs.openbsd.org 2008/06/26 21:11:46 |
| [ssh.1] |
| add VisualHostKey to the list of options listed in -o; |
| - djm@cvs.openbsd.org 2008/06/28 07:25:07 |
| [PROTOCOL] |
| spelling fixes |
| - djm@cvs.openbsd.org 2008/06/28 13:58:23 |
| [ssh-agent.c] |
| refuse to add a key that has unknown constraints specified; |
| ok markus |
| - djm@cvs.openbsd.org 2008/06/28 14:05:15 |
| [ssh-agent.c] |
| reset global compat flag after processing a protocol 2 signature |
| request with the legacy DSA encoding flag set; ok markus |
| - djm@cvs.openbsd.org 2008/06/28 14:08:30 |
| [PROTOCOL PROTOCOL.agent] |
| document the protocol used by ssh-agent; "looks ok" markus@ |
| |
| 20080628 |
| - (djm) [RFC.nroff contrib/cygwin/Makefile contrib/suse/openssh.spec] |
| RFC.nroff lacks a license, remove it (it is long gone in OpenBSD). |
| |
| 20080626 |
| - (djm) [Makefile.in moduli.5] Include moduli(5) manpage from OpenBSD. |
| (bz#1372) |
| - (djm) [ contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| [contrib/suse/openssh.spec] Include moduli.5 in RPM spec files. |
| |
| 20080616 |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2008/06/16 13:22:53 |
| [session.c channels.c] |
| Rename the isatty argument to is_tty so we don't shadow |
| isatty(3). ok markus@ |
| - (dtucker) [channels.c] isatty -> is_tty here too. |
| |
| 20080615 |
| - (dtucker) [configure.ac] Enable -fno-builtin-memset when using gcc. |
| - OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2008/06/14 15:49:48 |
| [sshd.c] |
| wrap long line at 80 chars |
| - dtucker@cvs.openbsd.org 2008/06/14 17:07:11 |
| [sshd.c] |
| ensure default umask disallows at least group and world write; ok djm@ |
| - djm@cvs.openbsd.org 2008/06/14 18:33:43 |
| [session.c] |
| suppress the warning message from chdir(homedir) failures |
| when chrooted (bz#1461); ok dtucker |
| - dtucker@cvs.openbsd.org 2008/06/14 19:42:10 |
| [scp.1] |
| Mention that scp follows symlinks during -r. bz #1466, |
| from nectar at apple |
| - dtucker@cvs.openbsd.org 2008/06/15 16:55:38 |
| [sshd_config.5] |
| MaxSessions is allowed in a Match block too |
| - dtucker@cvs.openbsd.org 2008/06/15 16:58:40 |
| [servconf.c sshd_config.5] |
| Allow MaxAuthTries within a Match block. ok djm@ |
| - djm@cvs.openbsd.org 2008/06/15 20:06:26 |
| [channels.c channels.h session.c] |
| don't call isatty() on a pty master, instead pass a flag down to |
| channel_set_fds() indicating that te fds refer to a tty. Fixes a |
| hang on exit on Solaris (bz#1463) in portable but is actually |
| a generic bug; ok dtucker deraadt markus |
| |
| 20080614 |
| - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction |
| replacement code; patch from ighighi AT gmail.com in bz#1240; |
| ok dtucker |
| |
| 20080613 |
| - (dtucker) OpenBSD CVS Sync |
| - deraadt@cvs.openbsd.org 2008/06/13 09:44:36 |
| [packet.c] |
| compile on older gcc; no decl after code |
| - dtucker@cvs.openbsd.org 2008/06/13 13:56:59 |
| [monitor.c] |
| Clear key options in the monitor on failed authentication, prevents |
| applying additional restrictions to non-pubkey authentications in |
| the case where pubkey fails but another method subsequently succeeds. |
| bz #1472, found by Colin Watson, ok markus@ djm@ |
| - dtucker@cvs.openbsd.org 2008/06/13 14:18:51 |
| [auth2-pubkey.c auth-rhosts.c] |
| Include unistd.h for close(), prevents warnings in -portable |
| - dtucker@cvs.openbsd.org 2008/06/13 17:21:20 |
| [mux.c] |
| Friendlier error messages for mux fallback. ok djm@ |
| - dtucker@cvs.openbsd.org 2008/06/13 18:55:22 |
| [scp.c] |
| Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@ |
| - grunk@cvs.openbsd.org 2008/06/13 20:13:26 |
| [ssh.1] |
| Explain the use of SSH fpr visualization using random art, and cite the |
| original scientific paper inspiring that technique. |
| Much help with English and nroff by jmc@, thanks. |
| - (dtucker) [configure.ac] Bug #1276: avoid linking against libgssapi, which |
| despite its name doesn't seem to implement all of GSSAPI. Patch from |
| Jan Engelhardt, sanity checked by Simon Wilkinson. |
| |
| 20080612 |
| - (dtucker) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2008/06/11 07:30:37 |
| [sshd.8] |
| kill trailing whitespace; |
| - grunk@cvs.openbsd.org 2008/06/11 21:01:35 |
| [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c |
| sshconnect.c] |
| Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the |
| graphical hash visualization schemes known as "random art", and by |
| Dan Kaminsky's musings on the subject during a BlackOp talk at the |
| 23C3 in Berlin. |
| Scientific publication (original paper): |
| "Hash Visualization: a New Technique to improve Real-World Security", |
| Perrig A. and Song D., 1999, International Workshop on Cryptographic |
| Techniques and E-Commerce (CrypTEC '99) |
| http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf |
| The algorithm used here is a worm crawling over a discrete plane, |
| leaving a trace (augmenting the field) everywhere it goes. |
| Movement is taken from dgst_raw 2bit-wise. Bumping into walls |
| makes the respective movement vector be ignored for this turn, |
| thus switching to the other color of the chessboard. |
| Graphs are not unambiguous for now, because circles in graphs can be |
| walked in either direction. |
| discussions with several people, |
| help, corrections and ok markus@ djm@ |
| - grunk@cvs.openbsd.org 2008/06/11 21:38:25 |
| [ssh-keygen.c] |
| ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub |
| would not display you the random art as intended, spotted by canacar@ |
| - grunk@cvs.openbsd.org 2008/06/11 22:20:46 |
| [ssh-keygen.c ssh-keygen.1] |
| ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, |
| that is not how it was envisioned. |
| Also correct manpage saying that -v is needed along with -l for it to work. |
| spotted by naddy@ |
| - otto@cvs.openbsd.org 2008/06/11 23:02:22 |
| [key.c] |
| simpler way of computing the augmentations; ok grunk@ |
| - grunk@cvs.openbsd.org 2008/06/11 23:03:56 |
| [ssh_config.5] |
| CheckHostIP set to ``fingerprint'' will display both hex and random art |
| spotted by naddy@ |
| - grunk@cvs.openbsd.org 2008/06/11 23:51:57 |
| [key.c] |
| #define statements that are not atoms need braces around them, else they |
| will cause trouble in some cases. |
| Also do a computation of -1 once, and not in a loop several times. |
| spotted by otto@ |
| - dtucker@cvs.openbsd.org 2008/06/12 00:03:49 |
| [dns.c canohost.c sshconnect.c] |
| Do not pass "0" strings as ports to getaddrinfo because the lookups |
| can slow things down and we never use the service info anyway. bz |
| #859, patch from YOSHIFUJI Hideaki and John Devitofranceschi. ok |
| deraadt@ djm@ |
| djm belives that the reason for the "0" strings is to ensure that |
| it's not possible to call getaddrinfo with both host and port being |
| NULL. In the case of canohost.c host is a local array. In the |
| case of sshconnect.c, it's checked for null immediately before use. |
| In dns.c it ultimately comes from ssh.c:main() and is guaranteed to |
| be non-null but it's not obvious, so I added a warning message in |
| case it is ever passed a null. |
| - grunk@cvs.openbsd.org 2008/06/12 00:13:55 |
| [sshconnect.c] |
| Make ssh print the random art also when ssh'ing to a host using IP only. |
| spotted by naddy@, ok and help djm@ dtucker@ |
| - otto@cvs.openbsd.org 2008/06/12 00:13:13 |
| [key.c] |
| use an odd number of rows and columns and a separate start marker, looks |
| better; ok grunk@ |
| - djm@cvs.openbsd.org 2008/06/12 03:40:52 |
| [clientloop.h mux.c channels.c clientloop.c channels.h] |
| Enable ~ escapes for multiplex slave sessions; give each channel |
| its own escape state and hook the escape filters up to muxed |
| channels. bz #1331 |
| Mux slaves do not currently support the ~^Z and ~& escapes. |
| NB. this change cranks the mux protocol version, so a new ssh |
| mux client will not be able to connect to a running old ssh |
| mux master. |
| ok dtucker@ |
| - djm@cvs.openbsd.org 2008/06/12 04:06:00 |
| [clientloop.h ssh.c clientloop.c] |
| maintain an ordered queue of outstanding global requests that we |
| expect replies to, similar to the per-channel confirmation queue. |
| Use this queue to verify success or failure for remote forward |
| establishment in a race free way. |
| ok dtucker@ |
| - djm@cvs.openbsd.org 2008/06/12 04:17:47 |
| [clientloop.c] |
| thall shalt not code past the eightieth column |
| - djm@cvs.openbsd.org 2008/06/12 04:24:06 |
| [ssh.c] |
| thal shalt not code past the eightieth column |
| - djm@cvs.openbsd.org 2008/06/12 05:15:41 |
| [PROTOCOL] |
| document tun@openssh.com forwarding method |
| - djm@cvs.openbsd.org 2008/06/12 05:32:30 |
| [mux.c] |
| some more TODO for me |
| - grunk@cvs.openbsd.org 2008/06/12 05:42:46 |
| [key.c] |
| supply the key type (rsa1, rsa, dsa) as a caption in the frame of the |
| random art. while there, stress the fact that the field base should at |
| least be 8 characters for the pictures to make sense. |
| comment and ok djm@ |
| - grunk@cvs.openbsd.org 2008/06/12 06:32:59 |
| [key.c] |
| We already mark the start of the worm, now also mark the end of the worm |
| in our random art drawings. |
| ok djm@ |
| - djm@cvs.openbsd.org 2008/06/12 15:19:17 |
| [clientloop.h channels.h clientloop.c channels.c mux.c] |
| The multiplexing escape char handler commit last night introduced a |
| small memory leak per session; plug it. |
| - dtucker@cvs.openbsd.org 2008/06/12 16:35:31 |
| [ssh_config.5 ssh.c] |
| keyword expansion for localcommand. ok djm@ |
| - jmc@cvs.openbsd.org 2008/06/12 19:10:09 |
| [ssh_config.5 ssh-keygen.1] |
| tweak the ascii art text; ok grunk |
| - dtucker@cvs.openbsd.org 2008/06/12 20:38:28 |
| [sshd.c sshconnect.c packet.h misc.c misc.h packet.c] |
| Make keepalive timeouts apply while waiting for a packet, particularly |
| during key renegotiation (bz #1363). With djm and Matt Day, ok djm@ |
| - djm@cvs.openbsd.org 2008/06/12 20:47:04 |
| [sftp-client.c] |
| print extension revisions for extensions that we understand |
| - djm@cvs.openbsd.org 2008/06/12 21:06:25 |
| [clientloop.c] |
| I was coalescing expected global request confirmation replies at |
| the wrong end of the queue - fix; prompted by markus@ |
| - grunk@cvs.openbsd.org 2008/06/12 21:14:46 |
| [ssh-keygen.c] |
| make ssh-keygen -lf show the key type just as ssh-add -l would do it |
| ok djm@ markus@ |
| - grunk@cvs.openbsd.org 2008/06/12 22:03:36 |
| [key.c] |
| add my copyright, ok djm@ |
| - ian@cvs.openbsd.org 2008/06/12 23:24:58 |
| [sshconnect.c] |
| tweak wording in message, ok deraadt@ jmc@ |
| - dtucker@cvs.openbsd.org 2008/06/13 00:12:02 |
| [sftp.h log.h] |
| replace __dead with __attribute__((noreturn)), makes things |
| a little easier to port. Also, add it to sigdie(). ok djm@ |
| - djm@cvs.openbsd.org 2008/06/13 00:16:49 |
| [mux.c] |
| fall back to creating a new TCP connection on most multiplexing errors |
| (socket connect fail, invalid version, refused permittion, corrupted |
| messages, etc.); bz #1329 ok dtucker@ |
| - dtucker@cvs.openbsd.org 2008/06/13 00:47:53 |
| [mux.c] |
| upcast size_t to u_long to match format arg; ok djm@ |
| - dtucker@cvs.openbsd.org 2008/06/13 00:51:47 |
| [mac.c] |
| upcast another size_t to u_long to match format |
| - dtucker@cvs.openbsd.org 2008/06/13 01:38:23 |
| [misc.c] |
| upcast uid to long with matching %ld, prevents warnings in portable |
| - djm@cvs.openbsd.org 2008/06/13 04:40:22 |
| [auth2-pubkey.c auth-rhosts.c] |
| refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not |
| regular files; report from Solar Designer via Colin Watson in bz#1471 |
| ok dtucker@ deraadt |
| - (dtucker) [clientloop.c serverloop.c] channel_register_filter now |
| takes 2 more args. with djm@ |
| - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch |
| from Todd Vierling. |
| - (dtucker) [auth-sia.c] Bug #1241: support password expiry on Tru64 SIA |
| systems. Patch from R. Scott Bailey. |
| - (dtucker) [umac.c] STORE_UINT32_REVERSED and endian_convert are never used |
| on big endian machines, so ifdef them for little-endian only to prevent |
| unused function warnings on big-endians. |
| - (dtucker) [openbsd-compat/setenv.c] Make offsets size_t to prevent |
| compiler warnings on some platforms. Based on a discussion with otto@ |
| |
| 20080611 |
| - (djm) [channels.c configure.ac] |
| Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no) |
| bz#1464; ok dtucker |
| |
| 20080610 |
| - (dtucker) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/06/10 03:57:27 |
| [servconf.c match.h sshd_config.5] |
| support CIDR address matching in sshd_config "Match address" blocks, with |
| full support for negation and fall-back to classic wildcard matching. |
| For example: |
| Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* |
| PasswordAuthentication yes |
| addrmatch.c code mostly lifted from flowd's addr.c |
| feedback and ok dtucker@ |
| - djm@cvs.openbsd.org 2008/06/10 04:17:46 |
| [sshd_config.5] |
| better reference for pattern-list |
| - dtucker@cvs.openbsd.org 2008/06/10 04:50:25 |
| [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8] |
| Add extended test mode (-T) and connection parameters for test mode (-C). |
| -T causes sshd to write its effective configuration to stdout and exit. |
| -C causes any relevant Match rules to be applied before output. The |
| combination allows tesing of the parser and config files. ok deraadt djm |
| - jmc@cvs.openbsd.org 2008/06/10 07:12:00 |
| [sshd_config.5] |
| tweak previous; |
| - jmc@cvs.openbsd.org 2008/06/10 08:17:40 |
| [sshd.8 sshd.c] |
| - update usage() |
| - fix SYNOPSIS, and sort options |
| - some minor additional fixes |
| - dtucker@cvs.openbsd.org 2008/06/09 18:06:32 |
| [regress/test-exec.sh] |
| Don't generate putty keys if we're not going to use them. ok djm |
| - dtucker@cvs.openbsd.org 2008/06/10 05:23:32 |
| [regress/addrmatch.sh regress/Makefile] |
| Regress test for Match CIDR rules. ok djm@ |
| - dtucker@cvs.openbsd.org 2008/06/10 15:21:41 |
| [test-exec.sh] |
| Use a more portable construct for checking if we're running a putty test |
| - dtucker@cvs.openbsd.org 2008/06/10 15:28:49 |
| [test-exec.sh] |
| Add quotes |
| - dtucker@cvs.openbsd.org 2008/06/10 18:21:24 |
| [ssh_config.5] |
| clarify that Host patterns are space-separated. ok deraadt |
| - djm@cvs.openbsd.org 2008/06/10 22:15:23 |
| [PROTOCOL ssh.c serverloop.c] |
| Add a no-more-sessions@openssh.com global request extension that the |
| client sends when it knows that it will never request another session |
| (i.e. when session multiplexing is disabled). This allows a server to |
| disallow further session requests and terminate the session. |
| Why would a non-multiplexing client ever issue additional session |
| requests? It could have been attacked with something like SSH'jack: |
| http://www.storm.net.nz/projects/7 |
| feedback & ok markus |
| - djm@cvs.openbsd.org 2008/06/10 23:06:19 |
| [auth-options.c match.c servconf.c addrmatch.c sshd.8] |
| support CIDR address matching in .ssh/authorized_keys from="..." stanzas |
| ok and extensive testing dtucker@ |
| - dtucker@cvs.openbsd.org 2008/06/10 23:21:34 |
| [bufaux.c] |
| Use '\0' for a nul byte rather than unadorned 0. ok djm@ |
| - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 |
| [Makefile regress/key-options.sh] |
| Add regress test for key options. ok djm@ |
| - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 |
| since the new CIDR code in addmatch.c references it. |
| - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 |
| specific tests on platforms that don't do IPv6. |
| - (dtucker) [Makefile.in] Define TEST_SSH_IPV6 in make's arguments as well |
| as environment. |
| - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now. |
| |
| 20080609 |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2008/06/08 17:04:41 |
| [sftp-server.c] |
| Add case for ENOSYS in errno_to_portable; ok deraadt |
| - dtucker@cvs.openbsd.org 2008/06/08 20:15:29 |
| [sftp.c sftp-client.c sftp-client.h] |
| Have the sftp client store the statvfs replies in wire format, |
| which prevents problems when the server's native sizes exceed the |
| client's. |
| Also extends the sizes of the remaining 32bit wire format to 64bit, |
| they're specified as unsigned long in the standard. |
| - dtucker@cvs.openbsd.org 2008/06/09 13:02:39 |
| [sftp-server.c] |
| Extend 32bit -> 64bit values for statvfs extension missed in previous |
| commit. |
| - dtucker@cvs.openbsd.org 2008/06/09 13:38:46 |
| [PROTOCOL] |
| Use a $OpenBSD tag so our scripts will sync changes. |
| |
| 20080608 |
| - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c |
| openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h |
| openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and |
| fstatvfs and remove #defines around statvfs code. ok djm@ |
| - (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a |
| macro to convert fsid to unsigned long for platforms where fsid is a |
| 2-member array. |
| |
| 20080607 |
| - (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H. |
| - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c] |
| Do not enable statvfs extensions on platforms that do not have statvfs. |
| - (dtucker) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/05/19 06:14:02 |
| [packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@ |
| - djm@cvs.openbsd.org 2008/05/19 15:45:07 |
| [sshtty.c ttymodes.c sshpty.h] |
| Fix sending tty modes when stdin is not a tty (bz#1199). Previously |
| we would send the modes corresponding to a zeroed struct termios, |
| whereas we should have been sending an empty list of modes. |
| Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ |
| - djm@cvs.openbsd.org 2008/05/19 15:46:31 |
| [ssh-keygen.c] |
| support -l (print fingerprint) in combination with -F (find host) to |
| search for a host in ~/.ssh/known_hosts and display its fingerprint; |
| ok markus@ |
| - djm@cvs.openbsd.org 2008/05/19 20:53:52 |
| [clientloop.c] |
| unbreak tree by committing this bit that I missed from: |
| Fix sending tty modes when stdin is not a tty (bz#1199). Previously |
| we would send the modes corresponding to a zeroed struct termios, |
| whereas we should have been sending an empty list of modes. |
| Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ |
| |
| 20080604 |
| - (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias |
| in arc4random_uniform with upper_bound in (2^30,2*31). Note that |
| OpenSSH did not make requests with upper bounds in this range. |
| |
| 20080519 |
| - (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in] |
| [openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h] |
| Fix compilation on Linux, including pulling in fmt_scaled(3) |
| implementation from OpenBSD's libutil. |
| |
| 20080518 |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/04/04 05:14:38 |
| [sshd_config.5] |
| ChrootDirectory is supported in Match blocks (in fact, it is most useful |
| there). Spotted by Minstrel AT minstrel.org.uk |
| - djm@cvs.openbsd.org 2008/04/04 06:44:26 |
| [sshd_config.5] |
| oops, some unrelated stuff crept into that commit - backout. |
| spotted by jmc@ |
| - djm@cvs.openbsd.org 2008/04/05 02:46:02 |
| [sshd_config.5] |
| HostbasedAuthentication is supported under Match too |
| - (djm) [openbsd-compat/bsd-arc4random.c openbsd-compat/openbsd-compat.c] |
| [configure.ac] Implement arc4random_buf(), import implementation of |
| arc4random_uniform() from OpenBSD |
| - (djm) [openbsd-compat/bsd-arc4random.c] Warning fixes |
| - (djm) [openbsd-compat/port-tun.c] needs sys/queue.h |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2008/04/13 00:22:17 |
| [dh.c sshd.c] |
| Use arc4random_buf() when requesting more than a single word of output |
| Use arc4random_uniform() when the desired random number upper bound |
| is not a power of two |
| ok deraadt@ millert@ |
| - djm@cvs.openbsd.org 2008/04/18 12:32:11 |
| [sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h] |
| introduce sftp extension methods statvfs@openssh.com and |
| fstatvfs@openssh.com that implement statvfs(2)-like operations, |
| based on a patch from miklos AT szeredi.hu (bz#1399) |
| also add a "df" command to the sftp client that uses the |
| statvfs@openssh.com to produce a df(1)-like display of filesystem |
| space and inode utilisation |
| ok markus@ |
| - jmc@cvs.openbsd.org 2008/04/18 17:15:47 |
| [sftp.1] |
| macro fixage; |
| - djm@cvs.openbsd.org 2008/04/18 22:01:33 |
| [session.c] |
| remove unneccessary parentheses |
| - otto@cvs.openbsd.org 2008/04/29 11:20:31 |
| [monitor_mm.h] |
| garbage collect two unused fields in struct mm_master; ok markus@ |
| - djm@cvs.openbsd.org 2008/04/30 10:14:03 |
| [ssh-keyscan.1 ssh-keyscan.c] |
| default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by |
| larsnooden AT openoffice.org |
| - pyr@cvs.openbsd.org 2008/05/07 05:49:37 |
| [servconf.c servconf.h session.c sshd_config.5] |
| Enable the AllowAgentForwarding option in sshd_config (global and match |
| context), to specify if agents should be permitted on the server. |
| As the man page states: |
| ``Note that disabling Agent forwarding does not improve security |
| unless users are also denied shell access, as they can always install |
| their own forwarders.'' |
| ok djm@, ok and a mild frown markus@ |
| - pyr@cvs.openbsd.org 2008/05/07 06:43:35 |
| [sshd_config] |
| push the sshd_config bits in, spotted by ajacoutot@ |
| - jmc@cvs.openbsd.org 2008/05/07 08:00:14 |
| [sshd_config.5] |
| sort; |
| - markus@cvs.openbsd.org 2008/05/08 06:59:01 |
| [bufaux.c buffer.h channels.c packet.c packet.h] |
| avoid extra malloc/copy/free when receiving data over the net; |
| ~10% speedup for localhost-scp; ok djm@ |
| - djm@cvs.openbsd.org 2008/05/08 12:02:23 |
| [auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c] |
| [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c] |
| [ssh.c sshd.c] |
| Implement a channel success/failure status confirmation callback |
| mechanism. Each channel maintains a queue of callbacks, which will |
| be drained in order (RFC4253 guarantees confirm messages are not |
| reordered within an channel). |
| Also includes a abandonment callback to clean up if a channel is |
| closed without sending confirmation messages. This probably |
| shouldn't happen in compliant implementations, but it could be |
| abused to leak memory. |
| ok markus@ (as part of a larger diff) |
| - djm@cvs.openbsd.org 2008/05/08 12:21:16 |
| [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] |
| [sshd_config sshd_config.5] |
| Make the maximum number of sessions run-time controllable via |
| a sshd_config MaxSessions knob. This is useful for disabling |
| login/shell/subsystem access while leaving port-forwarding working |
| (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or |
| simply increasing the number of allows multiplexed sessions. |
| Because some bozos are sure to configure MaxSessions in excess of the |
| number of available file descriptors in sshd (which, at peak, might be |
| as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds |
| on error paths, and make it fail gracefully on out-of-fd conditions - |
| sending channel errors instead of than exiting with fatal(). |
| bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com |
| ok markus@ |
| - djm@cvs.openbsd.org 2008/05/08 13:06:11 |
| [clientloop.c clientloop.h ssh.c] |
| Use new channel status confirmation callback system to properly deal |
| with "important" channel requests that fail, in particular command exec, |
| shell and subsystem requests. Previously we would optimistically assume |
| that the requests would always succeed, which could cause hangs if they |
| did not (e.g. when the server runs out of fds) or were unimplemented by |
| the server (bz #1384) |
| Also, properly report failing multiplex channel requests via the mux |
| client stderr (subject to LogLevel in the mux master) - better than |
| silently failing. |
| most bits ok markus@ (as part of a larger diff) |
| - djm@cvs.openbsd.org 2008/05/09 04:55:56 |
| [channels.c channels.h clientloop.c serverloop.c] |
| Try additional addresses when connecting to a port forward destination |
| whose DNS name resolves to more than one address. The previous behaviour |
| was to try the first address and give up. |
| Reported by stig AT venaas.com in bz#343 |
| great feedback and ok markus@ |
| - djm@cvs.openbsd.org 2008/05/09 14:18:44 |
| [clientloop.c clientloop.h ssh.c mux.c] |
| tidy up session multiplexing code, moving it into its own file and |
| making the function names more consistent - making ssh.c and |
| clientloop.c a fair bit more readable. |
| ok markus@ |
| - djm@cvs.openbsd.org 2008/05/09 14:26:08 |
| [ssh.c] |
| dingo stole my diff hunk |
| - markus@cvs.openbsd.org 2008/05/09 16:16:06 |
| [session.c] |
| re-add the USE_PIPES code and enable it. |
| without pipes shutdown-read from the sshd does not trigger |
| a SIGPIPE when the forked program does a write. |
| ok djm@ |
| (Id sync only, USE_PIPES never left portable OpenSSH) |
| - markus@cvs.openbsd.org 2008/05/09 16:17:51 |
| [channels.c] |
| error-fd race: don't enable the error fd in the select bitmask |
| for channels with both in- and output closed, since the channel |
| will go away before we call select(); |
| report, lots of debugging help and ok djm@ |
| - markus@cvs.openbsd.org 2008/05/09 16:21:13 |
| [channels.h clientloop.c nchan.c serverloop.c] |
| unbreak |
| ssh -2 localhost od /bin/ls | true |
| ignoring SIGPIPE by adding a new channel message (EOW) that signals |
| the peer that we're not interested in any data it might send. |
| fixes bz #85; discussion, debugging and ok djm@ |
| - pvalchev@cvs.openbsd.org 2008/05/12 20:52:20 |
| [umac.c] |
| Ensure nh_result lies on a 64-bit boundary (fixes warnings observed |
| on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@ |
| - djm@cvs.openbsd.org 2008/05/15 23:52:24 |
| [nchan2.ms] |
| document eow message in ssh protocol 2 channel state machine; |
| feedback and ok markus@ |
| - djm@cvs.openbsd.org 2008/05/18 21:29:05 |
| [sftp-server.c] |
| comment extension announcement |
| - djm@cvs.openbsd.org 2008/05/16 08:30:42 |
| [PROTOCOL] |
| document our protocol extensions and deviations; ok markus@ |
| - djm@cvs.openbsd.org 2008/05/17 01:31:56 |
| [PROTOCOL] |
| grammar and correctness fixes from stevesk@ |
| |
| 20080403 |
| - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- |
| time warnings on LynxOS. Patch from ops AT iki.fi |
| - (djm) Force string arguments to replacement setproctitle() though |
| strnvis first. Ok dtucker@ |
| |
| 20080403 |
| - (djm) OpenBSD CVS sync: |
| - markus@cvs.openbsd.org 2008/04/02 15:36:51 |
| [channels.c] |
| avoid possible hijacking of x11-forwarded connections (back out 1.183) |
| CVE-2008-1483; ok djm@ |
| - jmc@cvs.openbsd.org 2008/03/27 22:37:57 |
| [sshd.8] |
| remove trailing whitespace; |
| - djm@cvs.openbsd.org 2008/04/03 09:50:14 |
| [version.h] |
| openssh-5.0 |
| - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| [contrib/suse/openssh.spec] Crank version numbers in RPM spec files |
| - (djm) [README] Update link to release notes |
| - (djm) Release 5.0p1 |
| |
| 20080315 |
| - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are |
| empty; report and patch from Peter Stuge |
| - (djm) [regress/test-exec.sh] Silence noise from detection of putty |
| commands; report from Peter Stuge |
| - (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing |
| crashes when used with ChrootDirectory |
| |
| |
| 20080327 |
| - (dtucker) Cache selinux status earlier so we know if it's enabled after a |
| chroot. Allows ChrootDirectory to work with selinux support compiled in |
| but not enabled. Using it with selinux enabled will require some selinux |
| support inside the chroot. "looks sane" djm@ |
| - (djm) Fix RCS ident in sftp-server-main.c |
| - (djm) OpenBSD CVS sync: |
| - jmc@cvs.openbsd.org 2008/02/11 07:58:28 |
| [ssh.1 sshd.8 sshd_config.5] |
| bump Mdocdate for pages committed in "febuary", necessary because |
| of a typo in rcs.c; |
| - deraadt@cvs.openbsd.org 2008/03/13 01:49:53 |
| [monitor_fdpass.c] |
| Correct CMSG_SPACE and CMSG_LEN usage everywhere in the tree. Due to |
| an extensive discussion with otto, kettenis, millert, and hshoexer |
| - deraadt@cvs.openbsd.org 2008/03/15 16:19:02 |
| [monitor_fdpass.c] |
| Repair the simple cases for msg_controllen where it should just be |
| CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because |
| of alignment; ok kettenis hshoexer |
| - djm@cvs.openbsd.org 2008/03/23 12:54:01 |
| [sftp-client.c] |
| prefer POSIX-style file renaming over filexfer rename behaviour if the |
| server supports the posix-rename@openssh.com extension. |
| Note that the old (filexfer) behaviour would refuse to clobber an |
| existing file. Users who depended on this should adjust their sftp(1) |
| usage. |
| ok deraadt@ markus@ |
| - deraadt@cvs.openbsd.org 2008/03/24 16:11:07 |
| [monitor_fdpass.c] |
| msg_controllen has to be CMSG_SPACE so that the kernel can account for |
| each cmsg_len (ie. msg_controllen = sum of CMSG_ALIGN(cmsg_len). This |
| works now that kernel fd passing has been fixed to accept a bit of |
| sloppiness because of this ABI repair. |
| lots of discussion with kettenis |
| - djm@cvs.openbsd.org 2008/03/25 11:58:02 |
| [session.c sshd_config.5] |
| ignore ~/.ssh/rc if a sshd_config ForceCommand is specified; |
| from dtucker@ ok deraadt@ djm@ |
| - djm@cvs.openbsd.org 2008/03/25 23:01:41 |
| [session.c] |
| last patch had backwards test; spotted by termim AT gmail.com |
| - djm@cvs.openbsd.org 2008/03/26 21:28:14 |
| [auth-options.c auth-options.h session.c sshd.8] |
| add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc |
| - djm@cvs.openbsd.org 2008/03/27 00:16:49 |
| [version.h] |
| openssh-4.9 |
| - djm@cvs.openbsd.org 2008/03/24 21:46:54 |
| [regress/sftp-badcmds.sh] |
| disable no-replace rename test now that we prefer a POSIX rename; spotted |
| by dkrause@ |
| - (djm) [configure.ac] fix alignment of --without-stackprotect description |
| - (djm) [configure.ac] --with-selinux too |
| - (djm) [regress/Makefile] cleanup PuTTY interop test droppings |
| - (djm) [README] Update link to release notes |
| - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| [contrib/suse/openssh.spec] Crank version numbers in RPM spec files |
| - (djm) Release 4.9p1 |
| |
| 20080315 |
| - (djm) [regress/test-exec.sh] Quote putty-related variables in case they are |
| empty; report and patch from Peter Stuge |
| - (djm) [regress/test-exec.sh] Silence noise from detection of putty |
| commands; report from Peter Stuge |
| - (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing |
| crashes when used with ChrootDirectory |
| |
| 20080314 |
| - (tim) [regress/sftp-cmds.sh] s/cd/lcd/ in lls test. Reported by |
| vinschen at redhat.com. Add () to put echo commands in subshell for lls test |
| I mistakenly left out of last commit. |
| - (tim) [regress/localcommand.sh] Shell portability fix. Reported by imorgan at |
| nas.nasa.gov |
| |
| 20080313 |
| - (djm) [Makefile.in regress/Makefile] Fix interop-tests target (note to |
| self: make changes to Makefile.in next time, not the generated Makefile). |
| - (djm) [Makefile.in regress/test-exec.sh] Find installed plink(1) and |
| puttygen(1) by $PATH |
| - (tim) [scp.c] Use poll.h if available, fall back to sys/poll.h if not. Patch |
| by vinschen at redhat.com. |
| - (tim) [regress/sftp-cmds.sh regress/ssh2putty.sh] Shell portability fixes |
| from vinschen at redhat.com and imorgan at nas.nasa.gov |
| |
| 20080312 |
| - (djm) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2007/10/29 06:57:13 |
| [regress/Makefile regress/localcommand.sh] |
| Add simple regress test for LocalCommand; ok djm@ |
| - jmc@cvs.openbsd.org 2007/11/25 15:35:09 |
| [regress/agent-getpeereid.sh regress/agent.sh] |
| more existant -> existent, from Martynas Venckus; |
| pfctl changes: ok henning |
| ssh changes: ok deraadt |
| - djm@cvs.openbsd.org 2007/12/12 05:04:03 |
| [regress/sftp-cmds.sh] |
| unbreak lls command and add a regress test that would have caught the |
| breakage; spotted by mouring@ |
| NB. sftp code change already committed. |
| - djm@cvs.openbsd.org 2007/12/21 04:13:53 |
| [regress/Makefile regress/test-exec.sh regress/putty-ciphers.sh] |
| [regress/putty-kex.sh regress/putty-transfer.sh regress/ssh2putty.sh] |
| basic (crypto, kex and transfer) interop regression tests against putty |
| To run these, install putty and run "make interop-tests" from the build |
| directory - the tests aren't run by default yet. |
| |
| 20080311 |
| - (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move |
| pam_open_session and pam_close_session into the privsep monitor, which |
| will ensure that pam_session_close is called as root. Patch from Tomas |
| Mraz. |
| |
| 20080309 |
| - (dtucker) [configure.ac] It turns out gcc's -fstack-protector-all doesn't |
| always work for all platforms and versions, so test what we can and |
| add a configure flag to turn it of if needed. ok djm@ |
| - (dtucker) [openbsd-compat/port-aix.{c,h}] Remove AIX specific initgroups |
| implementation. It's not needed to fix bug #1081 and breaks the build |
| on some AIX configurations. |
| - (dtucker) [openbsd-compat/regress/strtonumtest.c] Bug #1347: Use platform's |
| equivalent of LLONG_MAX for the compat regression tests, which makes them |
| run on AIX and HP-UX. Patch from David Leonard. |
| - (dtucker) [configure.ac] Run stack-protector tests with -Werror to catch |
| platforms where gcc understands the option but it's not supported (and |
| thus generates a warning). |
| |
| 20080307 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2008/02/11 07:58:28 |
| [ssh.1 sshd.8 sshd_config.5] |
| bump Mdocdate for pages committed in "febuary", necessary because |
| of a typo in rcs.c; |
| - djm@cvs.openbsd.org 2008/02/13 22:38:17 |
| [servconf.h session.c sshd.c] |
| rekey arc4random and OpenSSL RNG in postauth child |
| closefrom fds > 2 before shell/command execution |
| ok markus@ |
| - mbalmer@cvs.openbsd.org 2008/02/14 13:10:31 |
| [sshd.c] |
| When started in configuration test mode (-t) do not check that sshd is |
| being started with an absolute path. |
| ok djm |
| - markus@cvs.openbsd.org 2008/02/20 15:25:26 |
| [session.c] |
| correct boolean encoding for coredump; der Mouse via dugsong |
| - djm@cvs.openbsd.org 2008/02/22 05:58:56 |
| [session.c] |
| closefrom() call was too early, delay it until just before we execute |
| the user's rc files (if any). |
| - dtucker@cvs.openbsd.org 2008/02/22 20:44:02 |
| [clientloop.c packet.c packet.h serverloop.c] |
| Allow all SSH2 packet types, including UNIMPLEMENTED to reset the |
| keepalive timer (bz #1307). ok markus@ |
| - djm@cvs.openbsd.org 2008/02/27 20:21:15 |
| [sftp-server.c] |
| add an extension method "posix-rename@openssh.com" to perform POSIX atomic |
| rename() operations. based on patch from miklos AT szeredi.hu in bz#1400; |
| ok dtucker@ markus@ |
| - deraadt@cvs.openbsd.org 2008/03/02 18:19:35 |
| [monitor_fdpass.c] |
| use a union to ensure alignment of the cmsg (pay attention: various other |
| parts of the tree need this treatment too); ok djm |
| - deraadt@cvs.openbsd.org 2008/03/04 21:15:42 |
| [version.h] |
| crank version; from djm |
| - (tim) [regress/sftp-glob.sh] Shell portability fix. |
| |
| 20080302 |
| - (dtucker) [configure.ac] FreeBSD's glob() doesn't behave the way we expect |
| either, so use our own. |
| |
| 20080229 |
| - (dtucker) [openbsd-compat/bsd-poll.c] We don't check for select(2) in |
| configure (and there's not much point, as openssh won't work without it) |
| so HAVE_SELECT is not defined and the poll(2) compat code doesn't get |
| built in. Remove HAVE_SELECT so we can build on platforms without poll. |
| - (dtucker) [scp.c] Include sys/poll.h inside HAVE_SYS_POLL_H. |
| - (djm) [contrib/gnome-ssh-askpass2.h] Keep askpass windown on top. From |
| Debian patch via bernd AT openbsd.org |
| |
| 20080228 |
| - (dtucker) [configure.ac] Add -fstack-protector to LDFLAGS too, fixes |
| linking problems on AIX with gcc 4.1.x. |
| - (dtucker) [includes.h ssh-add.c ssh-agent.c ssh-keygen.c ssh.c sshd.c |
| openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat |
| header to after OpenSSL headers, since some versions of OpenSSL have |
| SSLeay_add_all_algorithms as a macro already. |
| - (dtucker) [key.c defines.h openbsd-compat/openssl-compat.h] Move old OpenSSL |
| compat glue into openssl-compat.h. |
| - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Bug #1081: Implement |
| getgrouplist via getgrset on AIX, rather than iterating over getgrent. |
| This allows, eg, Match and AllowGroups directives to work with NIS and |
| LDAP groups. |
| - (dtucker) [sshd.c] Bug #1042: make log messages for tcpwrappers use the |
| same SyslogFacility as the rest of sshd. Patch from William Knox, |
| ok djm@. |
| |
| 20080225 |
| - (dtucker) [openbsd-compat/fake-rfc2553.h] rename ssh_gai_strerror hack |
| since it now conflicts with the helper function in misc.c. From |
| vinschen AT redhat.com. |
| - (dtucker) [configure.ac audit-bsm.c] Bug #1420: Add a local implementation |
| of aug_get_machine for systems that don't have their own (eg OS X, FreeBSD). |
| Help and testing from csjp at FreeBSD org, vgiffin at apple com. ok djm@ |
| - (dtucker) [includes.h openbsd-compat/openssl-compat.c] Bug #1437: reshuffle |
| headers so ./configure --with-ssl-engine actually works. Patch from |
| Ian Lister. |
| |
| 20080224 |
| - (tim) [contrib/cygwin/ssh-host-config] |
| Grammar changes on SYSCONFDIR LOCALSTATEDIR messages. |
| Check more thoroughly that it's possible to create the /var/empty directory. |
| Patch by vinschen AT redhat.com |
| |
| 20080210 |
| - OpenBSD CVS Sync |
| - chl@cvs.openbsd.org 2008/01/11 07:22:28 |
| [sftp-client.c sftp-client.h] |
| disable unused functions |
| initially from tobias@, but disabled them by placing them in |
| "#ifdef notyet" which was asked by djm@ |
| ok djm@ tobias@ |
| - djm@cvs.openbsd.org 2008/01/19 19:13:28 |
| [ssh.1] |
| satisfy the pedants: -q does not suppress all diagnostic messages (e.g. |
| some commandline parsing warnings go unconditionally to stdout). |
| - djm@cvs.openbsd.org 2008/01/19 20:48:53 |
| [clientloop.c] |
| fd leak on session multiplexing error path. Report and patch from |
| gregory_shively AT fanniemae.com |
| - djm@cvs.openbsd.org 2008/01/19 20:51:26 |
| [ssh.c] |
| ignore SIGPIPE in multiplex client mode - we can receive this if the |
| server runs out of fds on us midway. Report and patch from |
| gregory_shively AT fanniemae.com |
| - djm@cvs.openbsd.org 2008/01/19 22:04:57 |
| [sftp-client.c] |
| fix remote handle leak in do_download() local file open error path; |
| report and fix from sworley AT chkno.net |
| - djm@cvs.openbsd.org 2008/01/19 22:22:58 |
| [ssh-keygen.c] |
| when hashing individual hosts (ssh-keygen -Hf hostname), make sure we |
| hash just the specified hostname and not the entire hostspec from the |
| keyfile. It may be of the form "hostname,ipaddr", which would lead to |
| a hash that never matches. report and fix from jp AT devnull.cz |
| - djm@cvs.openbsd.org 2008/01/19 22:37:19 |
| [ssh-keygen.c] |
| unbreak line numbering (broken in revision 1.164), fix error message |
| - djm@cvs.openbsd.org 2008/01/19 23:02:40 |
| [channels.c] |
| When we added support for specified bind addresses for port forwards, we |
| added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of |
| this for -L port forwards that causes the client to listen on both v4 |
| and v6 addresses when connected to a server with this quirk, despite |
| having set 0.0.0.0 as a bind_address. |
| report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@ |
| - djm@cvs.openbsd.org 2008/01/19 23:09:49 |
| [readconf.c readconf.h sshconnect2.c] |
| promote rekeylimit to a int64 so it can hold the maximum useful limit |
| of 2^32; report and patch from Jan.Pechanec AT Sun.COM, ok dtucker@ |
| - djm@cvs.openbsd.org 2008/01/20 00:38:30 |
| [sftp.c] |
| When uploading, correctly handle the case of an unquoted filename with |
| glob metacharacters that match a file exactly but not as a glob, e.g. a |
| file called "[abcd]". report and test cases from duncan2nd AT gmx.de |
| - djm@cvs.openbsd.org 2008/01/21 17:24:30 |
| [sftp-server.c] |
| Remove the fixed 100 handle limit in sftp-server and allocate as many |
| as we have available file descriptors. Patch from miklos AT szeredi.hu; |
| ok dtucker@ markus@ |
| - djm@cvs.openbsd.org 2008/01/21 19:20:17 |
| [sftp-client.c] |
| when a remote write error occurs during an upload, ensure that ACKs for |
| all issued requests are properly drained. patch from t8m AT centrum.cz |
| - dtucker@cvs.openbsd.org 2008/01/23 01:56:54 |
| [clientloop.c packet.c serverloop.c] |
| Revert the change for bz #1307 as it causes connection aborts if an IGNORE |
| packet arrives while we're waiting in packet_read_expect (and possibly |
| elsewhere). |
| - jmc@cvs.openbsd.org 2008/01/31 20:06:50 |
| [scp.1] |
| explain how to handle local file names containing colons; |
| requested by Tamas TEVESZ |
| ok dtucker |
| - markus@cvs.openbsd.org 2008/02/04 21:53:00 |
| [session.c sftp-server.c sftp.h] |
| link sftp-server into sshd; feedback and ok djm@ |
| - mcbride@cvs.openbsd.org 2008/02/09 12:15:43 |
| [ssh.1 sshd.8] |
| Document the correct permissions for the ~/.ssh/ directory. |
| ok jmc |
| - djm@cvs.openbsd.org 2008/02/10 09:55:37 |
| [sshd_config.5] |
| mantion that "internal-sftp" is useful with ForceCommand too |
| - djm@cvs.openbsd.org 2008/02/10 10:54:29 |
| [servconf.c session.c] |
| delay ~ expansion for ChrootDirectory so it expands to the logged-in user's |
| home, rather than the user who starts sshd (probably root) |
| |
| 20080119 |
| - (djm) Silence noice from expr in ssh-copy-id; patch from |
| mikel AT mikelward.com |
| - (djm) Only listen for IPv6 connections on AF_INET6 sockets; patch from |
| tsr2600 AT gmail.com |
| |
| 20080102 |
| - (dtucker) [configure.ac] Fix message for -fstack-protector-all test. |
| |
| 20080101 |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2007/12/31 10:41:31 |
| [readconf.c servconf.c] |
| Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch |
| from Dmitry V. Levin, ok djm@ |
| - dtucker@cvs.openbsd.org 2007/12/31 15:27:04 |
| [sshd.c] |
| When in inetd mode, have sshd generate a Protocol 1 ephemeral server |
| key only for connections where the client chooses Protocol 1 as opposed |
| to when it's enabled in the server's config. Speeds up Protocol 2 |
| connections to inetd-mode servers that also allow Protocol 1. bz #440, |
| based on a patch from bruno at wolff.to, ok markus@ |
| - dtucker@cvs.openbsd.org 2008/01/01 08:47:04 |
| [misc.c] |
| spaces -> tabs from my previous commit |
| - dtucker@cvs.openbsd.org 2008/01/01 09:06:39 |
| [scp.c] |
| If scp -p encounters a pre-epoch timestamp, use the epoch which is |
| as close as we can get given that it's used unsigned. Add a little |
| debugging while there. bz #828, ok djm@ |
| - dtucker@cvs.openbsd.org 2008/01/01 09:27:33 |
| [sshd_config.5 servconf.c] |
| Allow PermitRootLogin in a Match block. Allows for, eg, permitting root |
| only from the local network. ok markus@, man page bit ok jmc@ |
| - dtucker@cvs.openbsd.org 2008/01/01 08:51:20 |
| [moduli] |
| Updated moduli file; ok djm@ |
| |
| 20071231 |
| - (dtucker) [configure.ac openbsd-compat/glob.{c,h}] Bug #1407: force use of |
| builtin glob implementation on Mac OS X. Based on a patch from |
| vgiffin at apple. |
| |
| 20071229 |
| - (dtucker) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2007/12/12 05:04:03 |
| [sftp.c] |
| unbreak lls command and add a regress test that would have caught the |
| breakage; spotted by mouring@ |
| - dtucker@cvs.openbsd.org 2007/12/27 14:22:08 |
| [servconf.c canohost.c misc.c channels.c sshconnect.c misc.h ssh-keyscan.c |
| sshd.c] |
| Add a small helper function to consistently handle the EAI_SYSTEM error |
| code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417. |
| ok markus@ stevesk@ |
| - dtucker@cvs.openbsd.org 2007/12/28 15:32:24 |
| [clientloop.c serverloop.c packet.c] |
| Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the |
| ServerAlive and ClientAlive timers. Prevents dropping a connection |
| when these are enabled but the peer does not support our keepalives. |
| bz #1307, ok djm@. |
| - dtucker@cvs.openbsd.org 2007/12/28 22:34:47 |
| [clientloop.c] |
| Use the correct packet maximum sizes for remote port and agent forwarding. |
| Prevents the server from killing the connection if too much data is queued |
| and an excessively large packet gets sent. bz #1360, ok djm@. |
| |
| 20071202 |
| - (dtucker) [configure.ac] Enable -fstack-protector-all on systems where |
| gcc supports it. ok djm@ |
| - (dtucker) [scp.c] Update $OpenBSD tag missing from rev 1.175 and remove |
| leftover debug code. |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2007/10/29 00:52:45 |
| [auth2-gss.c] |
| Allow build without -DGSSAPI; ok deraadt@ |
| (Id sync only, Portable already has the ifdefs) |
| - dtucker@cvs.openbsd.org 2007/10/29 01:55:04 |
| [ssh.c] |
| Plug tiny mem leaks in ControlPath and ProxyCommand option processing; |
| ok djm@ |
| - dtucker@cvs.openbsd.org 2007/10/29 04:08:08 |
| [monitor_wrap.c monitor.c] |
| Send config block back to slave for invalid users too so options |
| set by a Match block (eg Banner) behave the same for non-existent |
| users. Found by and ok djm@ |
| - dtucker@cvs.openbsd.org 2007/10/29 06:51:59 |
| [ssh_config.5] |
| ProxyCommand and LocalCommand use the user's shell, not /bin/sh; ok djm@ |
| - dtucker@cvs.openbsd.org 2007/10/29 06:54:50 |
| [ssh.c] |
| Make LocalCommand work for Protocol 1 too; ok djm@ |
| - jmc@cvs.openbsd.org 2007/10/29 07:48:19 |
| [ssh_config.5] |
| clean up after previous macro removal; |
| - djm@cvs.openbsd.org 2007/11/03 00:36:14 |
| [clientloop.c] |
| fix memory leak in process_cmdline(), patch from Jan.Pechanec AT Sun.COM; |
| ok dtucker@ |
| - deraadt@cvs.openbsd.org 2007/11/03 01:24:06 |
| [ssh.c] |
| bz #1377: getpwuid results were being clobbered by another getpw* call |
| inside tilde_expand_filename(); save the data we need carefully |
| ok djm |
| - dtucker@cvs.openbsd.org 2007/11/03 02:00:32 |
| [ssh.c] |
| Use xstrdup/xfree when saving pwname and pwdir; ok deraadt@ |
| - deraadt@cvs.openbsd.org 2007/11/03 02:03:49 |
| [ssh.c] |
| avoid errno trashing in signal handler; ok dtucker |
| |
| 20071030 |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2007/10/29 23:49:41 |
| [openbsd-compat/sys-tree.h] |
| remove extra backslash at the end of RB_PROTOTYPE, report from |
| Jan.Pechanec AT Sun.COM; ok deraadt@ |
| |
| 20071026 |
| - (djm) OpenBSD CVS Sync |
| - stevesk@cvs.openbsd.org 2007/09/11 23:49:09 |
| [sshpty.c] |
| remove #if defined block not needed; ok markus@ dtucker@ |
| (NB. RCD ID sync only for portable) |
| - djm@cvs.openbsd.org 2007/09/21 03:05:23 |
| [ssh_config.5] |
| document KbdInteractiveAuthentication in ssh_config.5; |
| patch from dkg AT fifthhorseman.net |
| - djm@cvs.openbsd.org 2007/09/21 08:15:29 |
| [auth-bsdauth.c auth-passwd.c auth.c auth.h auth1.c auth2-chall.c] |
| [monitor.c monitor_wrap.c] |
| unifdef -DBSD_AUTH |
| unifdef -USKEY |
| These options have been in use for some years; |
| ok markus@ "no objection" millert@ |
| (NB. RCD ID sync only for portable) |
| - canacar@cvs.openbsd.org 2007/09/25 23:48:57 |
| [ssh-agent.c] |
| When adding a key that already exists, update the properties |
| (time, confirm, comment) instead of discarding them. ok djm@ markus@ |
| - ray@cvs.openbsd.org 2007/09/27 00:15:57 |
| [dh.c] |
| Don't return -1 on error in dh_pub_is_valid(), since it evaluates |
| to true. |
| Also fix a typo. |
| Initial diff from Matthew Dempsky, input from djm. |
| OK djm, markus. |
| - dtucker@cvs.openbsd.org 2007/09/29 00:25:51 |
| [auth2.c] |
| Remove unused prototype. ok djm@ |
| - chl@cvs.openbsd.org 2007/10/02 17:49:58 |
| [ssh-keygen.c] |
| handles zero-sized strings that fgets can return |
| properly removes trailing newline |
| removes an unused variable |
| correctly counts line number |
| "looks ok" ray@ markus@ |
| - markus@cvs.openbsd.org 2007/10/22 19:10:24 |
| [readconf.c] |
| make sure that both the local and remote port are correct when |
| parsing -L; Jan Pechanec (bz #1378) |
| - djm@cvs.openbsd.org 2007/10/24 03:30:02 |
| [sftp.c] |
| rework argument splitting and parsing to cope correctly with common |
| shell escapes and make handling of escaped characters consistent |
| with sh(1) and between sftp commands (especially between ones that |
| glob their arguments and ones that don't). |
| parse command flags using getopt(3) rather than hand-rolled parsers. |
| ok dtucker@ |
| - djm@cvs.openbsd.org 2007/10/24 03:44:02 |
| [scp.c] |
| factor out network read/write into an atomicio()-like function, and |
| use it to handle short reads, apply bandwidth limits and update |
| counters. make network IO non-blocking, so a small trickle of |
| reads/writes has a chance of updating the progress meter; bz #799 |
| ok dtucker@ |
| - djm@cvs.openbsd.org 2006/08/29 09:44:00 |
| [regress/sftp-cmds.sh] |
| clean up our mess |
| - markus@cvs.openbsd.org 2006/11/06 09:27:43 |
| [regress/cfgmatch.sh] |
| fix quoting for non-(c)sh login shells. |
| - dtucker@cvs.openbsd.org 2006/12/13 08:36:36 |
| [regress/cfgmatch.sh] |
| Additional test for multiple PermitOpen entries. ok djm@ |
| - pvalchev@cvs.openbsd.org 2007/06/07 19:41:46 |
| [regress/cipher-speed.sh regress/try-ciphers.sh] |
| test umac-64@openssh.com |
| ok djm@ |
| - djm@cvs.openbsd.org 2007/10/24 03:32:35 |
| [regress/sftp-cmds.sh regress/sftp-glob.sh regress/test-exec.sh] |
| comprehensive tests for sftp escaping its interaction with globbing; |
| ok dtucker@ |
| - djm@cvs.openbsd.org 2007/10/26 05:30:01 |
| [regress/sftp-glob.sh regress/test-exec.sh] |
| remove "echo -E" crap that I added in last commit and use printf(1) for |
| cases where we strictly require echo not to reprocess escape characters. |
| - deraadt@cvs.openbsd.org 2005/11/28 17:50:12 |
| [openbsd-compat/glob.c] |
| unused arg in internal static API |
| - jakob@cvs.openbsd.org 2007/10/11 18:36:41 |
| [openbsd-compat/getrrsetbyname.c openbsd-compat/getrrsetbyname.h] |
| use RRSIG instead of SIG for DNSSEC. ok djm@ |
| - otto@cvs.openbsd.org 2006/10/21 09:55:03 |
| [openbsd-compat/base64.c] |
| remove calls to abort(3) that can't happen anyway; from |
| <bret dot lambert at gmail.com>; ok millert@ deraadt@ |
| - frantzen@cvs.openbsd.org 2004/04/24 18:11:46 |
| [openbsd-compat/sys-tree.h] |
| sync to Niels Provos' version. avoid unused variable warning in |
| RB_NEXT() |
| - tdeval@cvs.openbsd.org 2004/11/24 18:10:42 |
| [openbsd-compat/sys-tree.h] |
| typo |
| - grange@cvs.openbsd.org 2004/05/04 16:59:32 |
| [openbsd-compat/sys-queue.h] |
| Remove useless ``elm'' argument from the SIMPLEQ_REMOVE_HEAD macro. |
| This matches our SLIST behaviour and NetBSD's SIMPLEQ as well. |
| ok millert krw deraadt |
| - deraadt@cvs.openbsd.org 2005/02/25 13:29:30 |
| [openbsd-compat/sys-queue.h] |
| minor white spacing |
| - otto@cvs.openbsd.org 2005/10/17 20:19:42 |
| [openbsd-compat/sys-queue.h] |
| Performing certain operations on queue.h data structurs produced |
| funny results. An example is calling LIST_REMOVE on the same |
| element twice. This will not fail, but result in a data structure |
| referencing who knows what. Prevent these accidents by NULLing some |
| fields on remove and replace. This way, either a panic or segfault |
| will be produced on the faulty operation. |
| - otto@cvs.openbsd.org 2005/10/24 20:25:14 |
| [openbsd-compat/sys-queue.h] |
| Partly backout. NOLIST, used in LISTs is probably interfering. |
| requested by deraadt@ |
| - otto@cvs.openbsd.org 2005/10/25 06:37:47 |
| [openbsd-compat/sys-queue.h] |
| Some uvm problem is being exposed with the more strict macros. |
| Revert until we've found out what's causing the panics. |
| - otto@cvs.openbsd.org 2005/11/25 08:06:25 |
| [openbsd-compat/sys-queue.h] |
| Introduce debugging aid for queue macros. Disabled by default; but |
| developers are encouraged to run with this enabled. |
| ok krw@ fgsch@ deraadt@ |
| - otto@cvs.openbsd.org 2007/04/30 18:42:34 |
| [openbsd-compat/sys-queue.h] |
| Enable QUEUE_MACRO_DEBUG on DIAGNOSTIC kernels. |
| Input and okays from krw@, millert@, otto@, deraadt@, miod@. |
| - millert@cvs.openbsd.org 2004/10/07 16:56:11 |
| GLOB_NOESCAPE is POSIX so move it out of the #ifndef _POSIX_SOURCE |
| block. |
| (NB. mostly an RCS ID sync, as portable strips out the conditionals) |
| - (djm) [regress/sftp-cmds.sh] |
| Use more restrictive glob to pick up test files from /bin - some platforms |
| ship broken symlinks there which could spoil the test. |
| - (djm) [openbsd-compat/bindresvport.c] |
| Sync RCS ID after irrelevant (for portable OpenSSH) header shuffling |
| |
| 20070927 |
| - (dtucker) [configure.ac atomicio.c] Fall back to including <sys/poll.h> if |
| we don't have <poll.h> (eq QNX). From bacon at cs nyu edu. |
| - (dtucker) [configure.ac defines.h] Shadow expiry does not work on QNX6 |
| so disable it for that platform. From bacon at cs nyu edu. |
| |
| 20070921 |
| - (djm) [atomicio.c] Fix spin avoidance for platforms that define |
| EWOULDBLOCK; patch from ben AT psc.edu |
| |
| 20070917 |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2007/08/23 02:49:43 |
| [auth-passwd.c auth.c session.c] |
| unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@ |
| NB. RCS ID sync only for portable |
| - djm@cvs.openbsd.org 2007/08/23 02:55:51 |
| [auth-passwd.c auth.c session.c] |
| missed include bits from last commit |
| NB. RCS ID sync only for portable |
| - djm@cvs.openbsd.org 2007/08/23 03:06:10 |
| [auth.h] |
| login_cap.h doesn't belong here |
| NB. RCS ID sync only for portable |
| - djm@cvs.openbsd.org 2007/08/23 03:22:16 |
| [auth2-none.c sshd_config sshd_config.5] |
| Support "Banner=none" to disable displaying of the pre-login banner; |
| ok dtucker@ deraadt@ |
| - djm@cvs.openbsd.org 2007/08/23 03:23:26 |
| [sshconnect.c] |
| Execute ProxyCommands with $SHELL rather than /bin/sh unconditionally |
| - djm@cvs.openbsd.org 2007/09/04 03:21:03 |
| [clientloop.c monitor.c monitor_fdpass.c monitor_fdpass.h] |
| [monitor_wrap.c ssh.c] |
| make file descriptor passing code return an error rather than call fatal() |
| when it encounters problems, and use this to make session multiplexing |
| masters survive slaves failing to pass all stdio FDs; ok markus@ |
| - djm@cvs.openbsd.org 2007/09/04 11:15:56 |
| [ssh.c sshconnect.c sshconnect.h] |
| make ssh(1)'s ConnectTimeout option apply to both the TCP connection and |
| SSH banner exchange (previously it just covered the TCP connection). |
| This allows callers of ssh(1) to better detect and deal with stuck servers |
| that accept a TCP connection but don't progress the protocol, and also |
| makes ConnectTimeout useful for connections via a ProxyCommand; |
| feedback and "looks ok" markus@ |
| - sobrado@cvs.openbsd.org 2007/09/09 11:38:01 |
| [ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.c] |
| sort synopsis and options in ssh-agent(1); usage is lowercase |
| ok jmc@ |
| - stevesk@cvs.openbsd.org 2007/09/11 04:36:29 |
| [sshpty.c] |
| sort #include |
| NB. RCS ID sync only |
| - gilles@cvs.openbsd.org 2007/09/11 15:47:17 |
| [session.c ssh-keygen.c sshlogin.c] |
| use strcspn to properly overwrite '\n' in fgets returned buffer |
| ok pyr@, ray@, millert@, moritz@, chl@ |
| - stevesk@cvs.openbsd.org 2007/09/11 23:49:09 |
| [sshpty.c] |
| remove #if defined block not needed; ok markus@ dtucker@ |
| NB. RCS ID sync only |
| - stevesk@cvs.openbsd.org 2007/09/12 19:39:19 |
| [umac.c] |
| use xmalloc() and xfree(); ok markus@ pvalchev@ |
| - djm@cvs.openbsd.org 2007/09/13 04:39:04 |
| [sftp-server.c] |
| fix incorrect test when setting syslog facility; from Jan Pechanec |
| - djm@cvs.openbsd.org 2007/09/16 00:55:52 |
| [sftp-client.c] |
| use off_t instead of u_int64_t for file offsets, matching what the |
| progressmeter code expects; bz #842 |
| - (tim) [defines.h] Fix regression in long password support on OpenServer 6. |
| Problem report and additional testing rac AT tenzing.org. |
| |
| 20070914 |
| - (dtucker) [openbsd-compat/bsd-asprintf.c] Plug mem leak in error path. |
| Patch from Jan.Pechanec at sun com. |
| |
| 20070910 |
| - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1358: Always |
| return 0 on successful test. From David.Leonard at quest com. |
| - (tim) [configure.ac] Autoconf didn't define HAVE_LIBIAF because we |
| did a AC_CHECK_FUNCS within the AC_CHECK_LIB test. |
| |
| 20070817 |
| - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked |
| accounts and that's what the code looks for, so make man page and code |
| agree. Pointed out by Roumen Petrov. |
| - (dtucker) [INSTALL] Group the parts describing random options and PAM |
| implementations together which is hopefully more coherent. |
| - (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid. |
| - (dtucker) [INSTALL] Give PAM its own heading. |
| - (dtucker) [INSTALL] Link to tcpwrappers. |
| |
| 20070816 |
| - (dtucker) [session.c] Call PAM cleanup functions for unauthenticated |
| connections too. Based on a patch from Sandro Wefel, with & ok djm@ |
| |
| 20070815 |
| - (dtucker) OpenBSD CVS Sync |
| - markus@cvs.openbsd.org 2007/08/15 08:14:46 |
| [clientloop.c] |
| do NOT fall back to the trused x11 cookie if generation of an untrusted |
| cookie fails; from Jan Pechanec, via security-alert at sun.com; |
| ok dtucker |
| - markus@cvs.openbsd.org 2007/08/15 08:16:49 |
| [version.h] |
| openssh 4.7 |
| - stevesk@cvs.openbsd.org 2007/08/15 12:13:41 |
| [ssh_config.5] |
| tun device forwarding now honours ExitOnForwardFailure; ok markus@ |
| - (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler. |
| ok djm@ |
| - (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec |
| contrib/suse/openssh.spec] Crank version. |
| |
| 20070813 |
| - (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always |
| called with PAM_ESTABLISH_CRED at least once, which resolves a problem |
| with pam_dhkeys. Patch from David Leonard, ok djm@ |
| |
| 20070810 |
| - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@ |
| - (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From |
| Matt Kraai, ok djm@ |
| |
| 20070809 |
| - (dtucker) [openbsd-compat/port-aix.c] Comment typo. |
| - (dtucker) [README.platform] Document the interaction between PermitRootLogin |
| and the AIX native login restrictions. |
| - (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't |
| used anywhere and are a potential source of warnings. |
| |
| 20070808 |
| - (djm) OpenBSD CVS Sync |
| - ray@cvs.openbsd.org 2007/07/12 05:48:05 |
| [key.c] |
| Delint: remove some unreachable statements, from Bret Lambert. |
| OK markus@ and dtucker@. |
| - sobrado@cvs.openbsd.org 2007/08/06 19:16:06 |
| [scp.1 scp.c] |
| the ellipsis is not an optional argument; while here, sync the usage |
| and synopsis of commands |
| lots of good ideas by jmc@ |
| ok jmc@ |
| - djm@cvs.openbsd.org 2007/08/07 07:32:53 |
| [clientloop.c clientloop.h ssh.c] |
| bz#1232: ensure that any specified LocalCommand is executed after the |
| tunnel device is opened. Also, make failures to open a tunnel device |
| fatal when ExitOnForwardFailure is active. |
| Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt |
| |
| 20070724 |
| - (tim) [openssh.xml.in] make FMRI match what package scripts use. |
| - (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call. |
| Report/patch by David.Leonard AT quest.com (and Bernhard Simon) |
| - (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5) |
| - (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}| |
| |
| 20070628 |
| - (djm) bz#1325: Fix SELinux in permissive mode where it would |
| incorrectly fatal() on errors. patch from cjwatson AT debian.org; |
| ok dtucker |
| |
| 20070625 |
| - (dtucker) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2007/06/13 00:21:27 |
| [scp.c] |
| don't ftruncate() non-regular files; bz#1236 reported by wood AT |
| xmission.com; ok dtucker@ |
| - djm@cvs.openbsd.org 2007/06/14 21:43:25 |
| [ssh.c] |
| handle EINTR when waiting for mux exit status properly |
| - djm@cvs.openbsd.org 2007/06/14 22:48:05 |
| [ssh.c] |
| when waiting for the multiplex exit status, read until the master end |
| writes an entire int of data *and* closes the client_fd; fixes mux |
| regression spotted by dtucker, ok dtucker@ |
| - djm@cvs.openbsd.org 2007/06/19 02:04:43 |
| [atomicio.c] |
| if the fd passed to atomicio/atomiciov() is non blocking, then poll() to |
| avoid a spin if it is not yet ready for reading/writing; ok dtucker@ |
| - dtucker@cvs.openbsd.org 2007/06/25 08:20:03 |
| [channels.c] |
| Correct test for window updates every three packets; prevents sending |
| window updates for every single packet. ok markus@ |
| - dtucker@cvs.openbsd.org 2007/06/25 12:02:27 |
| [atomicio.c] |
| Include <poll.h> like the man page says rather than <sys/poll.h>. ok djm@ |
| - (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match |
| atomicio. |
| - (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in |
| openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h] |
| Add an implementation of poll() built on top of select(2). Code from |
| OpenNTPD with changes suggested by djm. ok djm@ |
| |
| 20070614 |
| - (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the |
| USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be |
| shared with umac.c. Allows building with OpenSSL 0.9.5 again including |
| umac support. With tim@ djm@, ok djm. |
| - (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL |
| sections. Fixes builds with early OpenSSL 0.9.6 versions. |
| - (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition |
| of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the |
| subsequent <0.9.7 test. |
| |
| 20070612 |
| - (dtucker) OpenBSD CVS Sync |
| - markus@cvs.openbsd.org 2007/06/11 09:14:00 |
| [channels.h] |
| increase default channel windows; ok djm |
| - djm@cvs.openbsd.org 2007/06/12 07:41:00 |
| [ssh-add.1] |
| better document ssh-add's -d option (delete identies from agent), bz#1224 |
| new text based on some provided by andrewmc-debian AT celt.dias.ie; |
| ok dtucker@ |
| - djm@cvs.openbsd.org 2007/06/12 08:20:00 |
| [ssh-gss.h gss-serv.c gss-genr.c] |
| relocate server-only GSSAPI code from libssh to server; bz #1225 |
| patch from simon AT sxw.org.uk; ok markus@ dtucker@ |
| - djm@cvs.openbsd.org 2007/06/12 08:24:20 |
| [scp.c] |
| make scp try to skip FIFOs rather than blocking when nothing is listening. |
| depends on the platform supporting sane O_NONBLOCK semantics for open |
| on FIFOs (apparently POSIX does not mandate this), which OpenBSD does. |
| bz #856; report by cjwatson AT debian.org; ok markus@ |
| - djm@cvs.openbsd.org 2007/06/12 11:11:08 |
| [ssh.c] |
| fix slave exit value when a control master goes away without passing the |
| full exit status by ensuring that the slave reads a full int. bz#1261 |
| reported by frekko AT gmail.com; ok markus@ dtucker@ |
| - djm@cvs.openbsd.org 2007/06/12 11:15:17 |
| [ssh.c ssh.1] |
| Add "-K" flag for ssh to set GSSAPIAuthentication=yes and |
| GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) |
| and is useful for hosts with /home on Kerberised NFS; bz #1312 |
| patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@ |
| - djm@cvs.openbsd.org 2007/06/12 11:45:27 |
| [ssh.c] |
| improved exit message from multiplex slave sessions; bz #1262 |
| reported by alexandre.nunes AT gmail.com; ok dtucker@ |
| - dtucker@cvs.openbsd.org 2007/06/12 11:56:15 |
| [gss-genr.c] |
| Pass GSS OID to gss_display_status to provide better information in |
| error messages. Patch from Simon Wilkinson via bz 1220. ok djm@ |
| - jmc@cvs.openbsd.org 2007/06/12 13:41:03 |
| [ssh-add.1] |
| identies -> identities; |
| - jmc@cvs.openbsd.org 2007/06/12 13:43:55 |
| [ssh.1] |
| add -K to SYNOPSIS; |
| - dtucker@cvs.openbsd.org 2007/06/12 13:54:28 |
| [scp.c] |
| Encode filename with strnvis if the name contains a newline (which can't |
| be represented in the scp protocol), from bz #891. ok markus@ |
| |
| 20070611 |
| - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit |
| fix; tested by dtucker@ and jochen.kirn AT gmail.com |
| - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34 |
| [kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] |
| [ssh_config.5 sshd.8 sshd_config.5] |
| Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, |
| must specify umac-64@openssh.com). Provides about 20% end-to-end speedup |
| compared to hmac-md5. Represents a different approach to message |
| authentication to that of HMAC that may be beneficial if HMAC based on |
| one of its underlying hash algorithms is found to be vulnerable to a |
| new attack. http://www.ietf.org/rfc/rfc4418.txt |
| in conjunction with and OK djm@ |
| - pvalchev@cvs.openbsd.org 2007/06/08 04:40:40 |
| [ssh_config] |
| Add a "MACs" line after "Ciphers" with the default MAC algorithms, |
| to ease people who want to tweak both (eg. for performance reasons). |
| ok deraadt@ djm@ dtucker@ |
| - jmc@cvs.openbsd.org 2007/06/08 07:43:46 |
| [ssh_config.5] |
| put the MAC list into a display, like we do for ciphers, |
| since groff has trouble handling wide lines; |
| - jmc@cvs.openbsd.org 2007/06/08 07:48:09 |
| [sshd_config.5] |
| oops, here too: put the MAC list into a display, like we do for |
| ciphers, since groff has trouble with wide lines; |
| - markus@cvs.openbsd.org 2007/06/11 08:04:44 |
| [channels.c] |
| send 'window adjust' messages every tree packets and do not wait |
| until 50% of the window is consumed. ok djm dtucker |
| - (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then |
| fallback to provided bit-swizzing functions |
| - (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder" |
| argument to nanosleep may be NULL. Currently this never happens in OpenSSH, |
| but check anyway in case this changes or the code gets used elsewhere. |
| - (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should |
| prevent warnings about redefinitions of various things in paths.h. |
| Spotted by cartmanltd at hotmail.com. |
| |
| 20070605 |
| - (dtucker) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2007/05/22 10:18:52 |
| [sshd.c] |
| zap double include; from p_nowaczyk AT o2.pl |
| (not required in -portable, Id sync only) |
| - djm@cvs.openbsd.org 2007/05/30 05:58:13 |
| [kex.c] |
| tidy: KNF, ARGSUSED and u_int |
| - jmc@cvs.openbsd.org 2007/05/31 19:20:16 |
| [scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1 |
| ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8] |
| convert to new .Dd format; |
| (We will need to teach mdoc2man.awk to understand this too.) |
| - djm@cvs.openbsd.org 2007/05/31 23:34:29 |
| [packet.c] |
| gc unreachable code; spotted by Tavis Ormandy |
| - djm@cvs.openbsd.org 2007/06/02 09:04:58 |
| [bufbn.c] |
| memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca |
| - djm@cvs.openbsd.org 2007/06/05 06:52:37 |
| [kex.c monitor_wrap.c packet.c mac.h kex.h mac.c] |
| Preserve MAC ctx between packets, saving 2xhash calls per-packet. |
| Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5 |
| patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm |
| committing at his request) |
| - (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that |
| OpenBSD's cvs now adds. |
| - (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so |
| mindrot's cvs doesn't expand it on us. |
| - (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs. |
| |
| 20070520 |
| - (dtucker) OpenBSD CVS Sync |
| - stevesk@cvs.openbsd.org 2007/04/14 22:01:58 |
| [auth2.c] |
| remove unused macro; from Dmitry V. Levin <ldv@altlinux.org> |
| - stevesk@cvs.openbsd.org 2007/04/18 01:12:43 |
| [sftp-server.c] |
| cast "%llu" format spec to (unsigned long long); do not assume a |
| u_int64_t arg is the same as 'unsigned long long'. |
| from Dmitry V. Levin <ldv@altlinux.org> |
| ok markus@ 'Yes, that looks correct' millert@ |
| - dtucker@cvs.openbsd.org 2007/04/23 10:15:39 |
| [servconf.c] |
| Remove debug() left over from development. ok deraadt@ |
| - djm@cvs.openbsd.org 2007/05/17 07:50:31 |
| [log.c] |
| save and restore errno when logging; ok deraadt@ |
| - djm@cvs.openbsd.org 2007/05/17 07:55:29 |
| [sftp-server.c] |
| bz#1286 stop reading and processing commands when input or output buffer |
| is nearly full, otherwise sftp-server would happily try to grow the |
| input/output buffers past the maximum supported by the buffer API and |
| promptly fatal() |
| based on patch from Thue Janus Kristensen; feedback & ok dtucker@ |
| - djm@cvs.openbsd.org 2007/05/17 20:48:13 |
| [sshconnect2.c] |
| fall back to gethostname() when the outgoing connection is not |
| on a socket, such as is the case when ProxyCommand is used. |
| Gives hostbased auth an opportunity to work; bz#616, report |
| and feedback stuart AT kaloram.com; ok markus@ |
| - djm@cvs.openbsd.org 2007/05/17 20:52:13 |
| [monitor.c] |
| pass received SIGINT from monitor to postauth child so it can clean |
| up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com; |
| ok markus@ |
| - jolan@cvs.openbsd.org 2007/05/17 23:53:41 |
| [sshconnect2.c] |
| djm owes me a vb and a tism cd for breaking ssh compilation |
| - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from |
| ldv at altlinux.org. |
| - (dtucker) [auth-pam.c] Return empty string if fgets fails in |
| sshpam_tty_conv. Patch from ldv at altlinux.org. |
| |
| 20070509 |
| - (tim) [configure.ac] Bug #1287: Add missing test for ucred.h. |
| |
| 20070429 |
| - (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h |
| for select(2) prototype. |
| - (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype. |
| - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the |
| platform's _res if it has one. Should fix problem of DNSSEC record lookups |
| on NetBSD as reported by Curt Sampson. |
| - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype. |
| - (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS |
| so we don't get redefinition warnings. |
| - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype. |
| - (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__ |
| __nonnull__ for versions of GCC that don't support it. |
| - (dtucker) [configure.ac defines.h] Have configure check for offsetof |
| to prevent redefinition warnings. |
| |
| 20070406 |
| - (dtucker) [INSTALL] Update the systems that have PAM as standard. Link |
| to OpenPAM too. |
| - (dtucker) [INSTALL] prngd lives at sourceforge these days. |
| |
| 20070326 |
| - (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c |
| openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines |
| to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@ |
| |
| 20070325 |
| - (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX, |
| LIBWRAP and LIBPAM variables in Makefile with the general-purpose |
| SSHDLIBS. "I like" djm@ |
| |
| 20070321 |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2007/03/09 05:20:06 |
| [servconf.c sshd.c] |
| Move C/R -> kbdint special case to after the defaults have been |
| loaded, which makes ChallengeResponse default to yes again. This |
| was broken by the Match changes and not fixed properly subsequently. |
| Found by okan at demirmen.com, ok djm@ "please do it" deraadt@ |
| - djm@cvs.openbsd.org 2007/03/19 01:01:29 |
| [sshd_config] |
| Disable the legacy SSH protocol 1 for new installations via |
| a configuration override. In the future, we will change the |
| server's default itself so users who need the legacy protocol |
| will need to turn it on explicitly |
| - dtucker@cvs.openbsd.org 2007/03/19 12:16:42 |
| [ssh-agent.c] |
| Remove the signal handler that checks if the agent's parent process |
| has gone away, instead check when the select loop returns. Record when |
| the next key will expire when scanning for expired keys. Set the select |
| timeout to whichever of these two things happens next. With djm@, with & |
| ok deraadt@ markus@ |
| - tedu@cvs.openbsd.org 2007/03/20 03:56:12 |
| [readconf.c clientloop.c] |
| remove some bogus *p tests from charles longeau |
| ok deraadt millert |
| - jmc@cvs.openbsd.org 2007/03/20 15:57:15 |
| [sshd.8] |
| - let synopsis and description agree for -f |
| - sort FILES |
| - +.Xr ssh-keyscan 1 , |
| from Igor Sobrado |
| - (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use |
| getpeerucred to implement getpeereid (currently only Solaris 10 and up). |
| Patch by Jan.Pechanec at Sun. |
| - (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have |
| HAVE_GETPEERUCRED too. Also from Jan Pechanec. |
| |
| 20070313 |
| - (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include |
| string.h to prevent warnings, from vapier at gentoo.org. |
| - (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the |
| selinux bits in -portable. |
| - (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in |
| bug #1291 also affects Protocol 1 3des. While at it, use compat-openssl.h |
| in cipher-bf1.c. Patch from Juan Gallego. |
| - (dtucker) [README.platform] Info about blibpath on AIX. |
| |
| 20070306 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2007/03/01 16:19:33 |
| [sshd_config.5] |
| sort the `match' keywords; |
| - djm@cvs.openbsd.org 2007/03/06 10:13:14 |
| [version.h] |
| openssh-4.6; "please" deraadt@ |
| - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| [contrib/suse/openssh.spec] crank spec files for release |
| - (djm) [README] correct link to release notes |
| - (djm) Release 4.6p1 |
| |
| 20070304 |
| - (djm) [configure.ac] add a --without-openssl-header-check option to |
| configure, as some platforms (OS X) ship OpenSSL headers whose version |
| does not match that of the shipping library. ok dtucker@ |
| - (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a |
| bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256 |
| ciphers from working correctly (disconnects with "Bad packet length" |
| errors) as found by Ben Harris. ok djm@ |
| |
| 20070303 |
| - (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more |
| general to cover newer gdb versions on HP-UX. |
| |
| 20070302 |
| - (dtucker) [configure.ac] For Cygwin, read files in textmode (which allows |
| CRLF as well as LF lineendings) and write in binary mode. Patch from |
| vinschen at redhat.com. |
| - (dtucker) [INSTALL] Update to autoconf-2.61. |
| |
| 20070301 |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2007/03/01 10:28:02 |
| [auth2.c sshd_config.5 servconf.c] |
| Remove ChallengeResponseAuthentication support inside a Match |
| block as its interaction with KbdInteractive makes it difficult to |
| support. Also, relocate the CR/kbdint option special-case code into |
| servconf. "please commit" djm@, ok markus@ for the relocation. |
| - (tim) [buildpkg.sh.in openssh.xml.in] Clean up Solaris 10 smf(5) bits. |
| "Looks sane" dtucker@ |
| |
| 20070228 |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2007/02/28 00:55:30 |
| [ssh-agent.c] |
| Remove expired keys periodically so they don't remain in memory when |
| the agent is entirely idle, as noted by David R. Piegdon. This is the |
| simple fix, a more efficient one will be done later. With markus, |
| deraadt, with & ok djm. |
| |
| 20070225 |
| - (dtucker) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2007/02/20 10:25:14 |
| [clientloop.c] |
| set maximum packet and window sizes the same for multiplexed clients |
| as normal connections; ok markus@ |
| - dtucker@cvs.openbsd.org 2007/02/21 11:00:05 |
| [sshd.c] |
| Clear alarm() before restarting sshd on SIGHUP. Without this, if there's |
| a SIGALRM pending (for SSH1 key regeneration) when sshd is SIGHUP'ed, the |
| newly exec'ed sshd will get the SIGALRM and not have a handler for it, |
| and the default action will terminate the listening sshd. Analysis and |
| patch from andrew at gaul.org. |
| - dtucker@cvs.openbsd.org 2007/02/22 12:58:40 |
| [servconf.c] |
| Check activep so Match and GatewayPorts work together; ok markus@ |
| - ray@cvs.openbsd.org 2007/02/24 03:30:11 |
| [moduli.c] |
| - strlen returns size_t, not int. |
| - Pass full buffer size to fgets. |
| OK djm@, millert@, and moritz@. |
| |
| 20070219 |
| - (dtucker) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2007/01/10 13:23:22 |
| [ssh_config.5] |
| do not use a list for SYNOPSIS; |
| this is actually part of a larger report sent by eric s. raymond |
| and forwarded by brad, but i only read half of it. spotted by brad. |
| - jmc@cvs.openbsd.org 2007/01/12 20:20:41 |
| [ssh-keygen.1 ssh-keygen.c] |
| more secsh -> rfc 4716 updates; |
| spotted by wiz@netbsd |
| ok markus |
| - dtucker@cvs.openbsd.org 2007/01/17 23:22:52 |
| [readconf.c] |
| Honour activep for times (eg ServerAliveInterval) while parsing |
| ssh_config and ~/.ssh/config so they work properly with Host directives. |
| From mario.lorenz@wincor-nixdorf.com via bz #1275. ok markus@ |
| - stevesk@cvs.openbsd.org 2007/01/21 01:41:54 |
| [auth-skey.c kex.c ssh-keygen.c session.c clientloop.c] |
| spaces |
| - stevesk@cvs.openbsd.org 2007/01/21 01:45:35 |
| [readconf.c] |
| spaces |
| - djm@cvs.openbsd.org 2007/01/22 11:32:50 |
| [sftp-client.c] |
| return error from do_upload() when a write fails. fixes bz#1252: zero |
| exit status from sftp when uploading to a full device. report from |
| jirkat AT atlas.cz; ok dtucker@ |
| - djm@cvs.openbsd.org 2007/01/22 13:06:21 |
| [scp.c] |
| fix detection of whether we should show progress meter or not: scp |
| tested isatty(stderr) but wrote the progress meter to stdout. This patch |
| makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com; |
| of dtucker@ |
| - stevesk@cvs.openbsd.org 2007/02/14 14:32:00 |
| [bufbn.c] |
| typos in comments; ok jmc@ |
| - dtucker@cvs.openbsd.org 2007/02/19 10:45:58 |
| [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5] |
| Teach Match how handle config directives that are used before |
| authentication. This allows configurations such as permitting password |
| authentication from the local net only while requiring pubkey from |
| offsite. ok djm@, man page bits ok jmc@ |
| - (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some |
| platforms don't have it. Patch from dleonard at vintela.com. |
| - (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to calloc |
| an array for signatures when there are none since "calloc(0, n) returns |
| NULL on some platforms (eg Tru64), which is explicitly permitted by |
| POSIX. Diagnosis and patch by svallet genoscope.cns.fr. |
| |
| 20070128 |
| - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52) |
| when closing a tty session when a background process still holds tty |
| fds open. Great detective work and patch by Marc Aurele La France, |
| slightly tweaked by me; ok dtucker@ |
| |
| 20070123 |
| - (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for public |
| library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro |
| so it works properly and modify its callers so that they don't pre or |
| post decrement arguments that are conditionally evaluated. While there, |
| put SNPRINTF_CONST back as it prevents build failures in some |
| configurations. ok djm@ (for most of it) |
| |
| 20070122 |
| - (djm) [ssh-rand-helper.8] manpage nits; |
| from dleonard AT vintela.com (bz#1529) |
| |
| 20070117 |
| - (dtucker) [packet.c] Re-remove in_systm.h since it's already in includes.h |
| and multiple including it causes problems on old IRIXes. (It snuck back |
| in during a sync.) Found (again) by Georg Schwarz. |
| |
| 20070114 |
| - (dtucker) [ssh-keygen.c] av -> argv to match earlier sync. |
| - (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in return |
| value of snprintf replacement, similar to bugs in various libc |
| implementations. This overflow is not exploitable in OpenSSH. |
| While I'm fiddling with it, make it a fair bit faster by inlining the |
| append-char routine; ok dtucker@ |
| |
| 20070105 |
| - (djm) OpenBSD CVS Sync |
| - deraadt@cvs.openbsd.org 2006/11/14 19:41:04 |
| [ssh-keygen.c] |
| use argc and argv not some made up short form |
| - ray@cvs.openbsd.org 2006/11/23 01:35:11 |
| [misc.c sftp.c] |
| Don't access buf[strlen(buf) - 1] for zero-length strings. |
| ``ok by me'' djm@. |
| - markus@cvs.openbsd.org 2006/12/11 21:25:46 |
| [ssh-keygen.1 ssh.1] |
| add rfc 4716 (public key format); ok jmc |
| - djm@cvs.openbsd.org 2006/12/12 03:58:42 |
| [channels.c compat.c compat.h] |
| bz #1019: some ssh.com versions apparently can't cope with the |
| remote port forwarding bind_address being a hostname, so send |
| them an address for cases where they are not explicitly |
| specified (wildcard or localhost bind). reported by daveroth AT |
| acm.org; ok dtucker@ deraadt@ |
| - dtucker@cvs.openbsd.org 2006/12/13 08:34:39 |
| [servconf.c] |
| Make PermitOpen work with multiple values like the man pages says. |
| bz #1267 with details from peter at dmtz.com, with & ok djm@ |
| - dtucker@cvs.openbsd.org 2006/12/14 10:01:14 |
| [servconf.c] |
| Make "PermitOpen all" first-match within a block to match the way other |
| options work. ok markus@ djm@ |
| - jmc@cvs.openbsd.org 2007/01/02 09:57:25 |
| [sshd_config.5] |
| do not use lists for SYNOPSIS; |
| from eric s. raymond via brad |
| - stevesk@cvs.openbsd.org 2007/01/03 00:53:38 |
| [ssh-keygen.c] |
| remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan |
| - stevesk@cvs.openbsd.org 2007/01/03 03:01:40 |
| [auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c] |
| spaces |
| - stevesk@cvs.openbsd.org 2007/01/03 04:09:15 |
| [sftp.c] |
| ARGSUSED for lint |
| - stevesk@cvs.openbsd.org 2007/01/03 07:22:36 |
| [sftp-server.c] |
| spaces |
| |
| 20061205 |
| - (djm) [auth.c] Fix NULL pointer dereference in fakepw(). Crash would |
| occur if the server did not have the privsep user and an invalid user |
| tried to login and both privsep and krb5 auth are disabled; ok dtucker@ |
| - (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@ |
| |
| 20061108 |
| - (dtucker) OpenBSD CVS Sync |
| - markus@cvs.openbsd.org 2006/11/07 13:02:07 |
| [dh.c] |
| BN_hex2bn returns int; from dtucker@ |
| |
| 20061107 |
| - (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it |
| if we absolutely need it. Pointed out by Corinna, ok djm@ |
| - (dtucker) OpenBSD CVS Sync |
| - markus@cvs.openbsd.org 2006/11/06 21:25:28 |
| [auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c |
| ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c] |
| add missing checks for openssl return codes; with & ok djm@ |
| - markus@cvs.openbsd.org 2006/11/07 10:31:31 |
| [monitor.c version.h] |
| correctly check for bad signatures in the monitor, otherwise the monitor |
| and the unpriv process can get out of sync. with dtucker@, ok djm@, |
| dtucker@ |
| - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump |
| versions. |
| - (dtucker) Release 4.5p1. |
| |
| 20061105 |
| - (djm) OpenBSD CVS Sync |
| - otto@cvs.openbsd.org 2006/10/28 18:08:10 |
| [ssh.1] |
| correct/expand example of usage of -w; ok jmc@ stevesk@ |
| - markus@cvs.openbsd.org 2006/10/31 16:33:12 |
| [kexdhc.c kexdhs.c kexgexc.c kexgexs.c] |
| check DH_compute_key() for -1 even if it should not happen because of |
| earlier calls to dh_pub_is_valid(); report krahmer at suse.de; ok djm |
| |
| 20061101 |
| - (dtucker) [openbsd-compat/port-solaris.c] Bug #1255: Make only hwerr |
| events fatal in Solaris process contract support and tell it to signal |
| only processes in the same process group when something happens. |
| Based on information from andrew.benham at thus.net and similar to |
| a patch from Chad Mynhier. ok djm@ |
| |
| 20061027 |
| - (djm) [auth.c] gc some dead code |
| |
| 20061023 |
| - (djm) OpenBSD CVS Sync |
| - ray@cvs.openbsd.org 2006/09/30 17:48:22 |
| [sftp.c] |
| Clear errno before calling the strtol functions. |
| From Paul Stoeber <x0001 at x dot de1 dot cc>. |
| OK deraadt@. |
| - djm@cvs.openbsd.org 2006/10/06 02:29:19 |
| [ssh-agent.c ssh-keyscan.c ssh.c] |
| sys/resource.h needs sys/time.h; prompted by brad@ |
| (NB. Id sync only for portable) |
| - djm@cvs.openbsd.org 2006/10/09 23:36:11 |
| [session.c] |
| xmalloc -> xcalloc that was missed previously, from portable |
| (NB. Id sync only for portable, obviously) |
| - markus@cvs.openbsd.org 2006/10/10 10:12:45 |
| [sshconnect.c] |
| sleep before retrying (not after) since sleep changes errno; fixes |
| pr 5250; rad@twig.com; ok dtucker djm |
| - markus@cvs.openbsd.org 2006/10/11 12:38:03 |
| [clientloop.c serverloop.c] |
| exit instead of doing a blocking tcp send if we detect a client/server |
| timeout, since the tcp sendqueue might be already full (of alive |
| requests); ok dtucker, report mpf |
| - djm@cvs.openbsd.org 2006/10/22 02:25:50 |
| [sftp-client.c] |
| cancel progress meter when upload write fails; ok deraadt@ |
| - (tim) [Makefile.in scard/Makefile.in] Add datarootdir= lines to keep |
| autoconf 2.60 from complaining. |
| |
| 20061018 |
| - (dtucker) OpenBSD CVS Sync |
| - ray@cvs.openbsd.org 2006/09/25 04:55:38 |
| [ssh-keyscan.1 ssh.1] |
| Change "a SSH" to "an SSH". Hurray, I'm not the only one who |
| pronounces "SSH" as "ess-ess-aich". |
| OK jmc@ and stevesk@. |
| - (dtucker) [sshd.c] Reshuffle storing of pw struct; prevents warnings |
| on older versions of OS X. ok djm@ |
| |
| 20061016 |
| - (dtucker) [monitor_fdpass.c] Include sys/in.h, required for cmsg macros |
| on older (2.0) Linuxes. Based on patch from thmo-13 at gmx de. |
| |
| 20061006 |
| - (tim) [buildpkg.sh.in] Use uname -r instead of -v in OS_VER for Solaris. |
| Differentiate between OpenServer 5 and OpenServer 6 |
| - (dtucker) [configure.ac] Set put -lselinux into $LIBS while testing for |
| SELinux functions so they're detected correctly. Patch from pebenito at |
| gentoo.org. |
| - (tim) [buildpkg.sh.in] Some systems have really limited nawk (OpenServer). |
| Allow setting alternate awk in openssh-config.local. |
| |
| 20061003 |
| - (tim) [configure.ac] Move CHECK_HEADERS test before platform specific |
| section so additional platform specific CHECK_HEADER tests will work |
| correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no |
| Feedback and "seems like a good idea" dtucker@ |
| |
| 20061001 |
| - (dtucker) [audit-bsm.c] Include errno.h. Pointed out by des at des.no. |
| |
| 20060929 |
| - (dtucker) [configure.ac] Bug #1239: Fix configure test for OpenSSH engine |
| support. Patch from andrew.benham at thus net. |
| |
| 20060928 |
| - (dtucker) [entropy.c] Bug #1238: include signal.h to fix compilation error |
| on Solaris 8 w/out /dev/random or prngd. Patch from rl at |
| math.technion.ac.il. |
| |
| 20060926 |
| - (dtucker) [bufaux.h] nuke bufaux.h; it's already gone from OpenBSD and not |
| referenced any more. ok djm@ |
| - (dtucker) [sftp-server.8] Resync; spotted by djm@ |
| - (dtucker) Release 4.4p1. |
| |
| 20060924 |
| - (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added |
| to rev 1.308) to work around broken gcc 2.x header file. |
| |
| 20060923 |
| - (dtucker) [configure.ac] Bug #1234: Put opensc libs into $LIBS rather than |
| $LDFLAGS. Patch from vapier at gentoo org. |
| |
| 20060922 |
| - (dtucker) [packet.c canohost.c] Include arpa/inet.h for htonl macros on |
| some platforms (eg HP-UX 11.00). From santhi.amirta at gmail com. |
| |
| 20060921 |
| - (dtucker) OpenBSD CVS Sync |
| - otto@cvs.openbsd.org 2006/09/19 05:52:23 |
| [sftp.c] |
| Use S_IS* macros insted of masking with S_IF* flags. The latter may |
| have multiple bits set, which lead to surprising results. Spotted by |
| Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@ |
| - markus@cvs.openbsd.org 2006/09/19 21:14:08 |
| [packet.c] |
| client NULL deref on protocol error; Tavis Ormandy, Google Security Team |
| - (dtucker) [defines.h] Include unistd.h before defining getpgrp; fixes |
| build error on Ultrix. From Bernhard Simon. |
| |
| 20060918 |
| - (dtucker) [configure.ac] On AIX, check to see if the compiler will allow |
| macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags. |
| Allows build out of the box with older VAC and XLC compilers. Found by |
| David Bronder and Bernhard Simon. |
| - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes. |
| Prevents macro redefinition warnings of "RDONLY". |
| |
| 20060916 |
| - OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2006/09/16 19:53:37 |
| [deattack.c deattack.h packet.c] |
| limit maximum work performed by the CRC compensation attack detector, |
| problem reported by Tavis Ormandy, Google Security Team; |
| ok markus@ deraadt@ |
| - (djm) Add openssh.xml to .cvsignore and sort it |
| - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM auth |
| process so that any logging it does is with the right timezone. From |
| Scott Strickler, ok djm@. |
| - (dtucker) [monitor.c] Correctly handle auditing of single commands when |
| using Protocol 1. From jhb at freebsd. |
| - (djm) [sshd.c] Fix warning/API abuse; ok dtucker@ |
| - (dtucker) [INSTALL] Add info about audit support. |
| |
| 20060912 |
| - (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in] |
| Support SMF in Solaris Packages if enabled by configure. Patch from |
| Chad Mynhier, tested by dtucker@ |
| |
| 20060911 |
| - (dtucker) [cipher-aes.c] Include string.h for memcpy and friends. Noted |
| by Pekka Savola. |
| |
| 20060910 |
| - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available. |
| - (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB. |
| |
| 20060909 |
| - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h. |
| - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user. |
| - (dtucker) [buildpkg.sh.in] Always create privsep user. ok djm@ |
| |
| 20060908 |
| - (dtucker) [auth-sia.c] Add includes required for build on Tru64. Patch |
| from Chris Adams. |
| - (dtucker) [configure.ac] The BSM header test needs time.h in some cases. |
| |
| 20060907 |
| - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can |
| be used to drop privilege to; fixes Solaris GSSAPI crash reported by |
| Magnus Abrante; suggestion and feedback dtucker@ |
| NB. this change will require that the privilege separation user must |
| exist on all the time, not just when UsePrivilegeSeparation=yes |
| - (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6 |
| - (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H. |
| - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better |
| chance of winning. |
| |
| 20060905 |
| - (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov. |
| - (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP. |
| |
| 20060904 |
| - (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native |
| updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius, |
| ok djm@ |
| |
| 20060903 |
| - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for |
| declaration of writev(2) and declare it ourselves if necessary. Makes |
| the atomiciov() calls build on really old systems. ok djm@ |
| |
| 20060902 |
| - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan. |
| - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c |
| openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c |
| openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h> |
| for hton* and ntoh* macros. Required on (at least) HP-UX since we define |
| _XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com. |
| |
| 20060901 |
| - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c] |
| [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c] |
| [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c] |
| [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c] |
| [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] |
| [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c] |
| [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c] |
| [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c] |
| [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c] |
| [sshconnect1.c sshconnect2.c sshd.c] |
| [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c] |
| [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c] |
| [openbsd-compat/port-uw.c] |
| Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h; |
| compile problems reported by rac AT tenzing.org |
| - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c] |
| [openbsd-compat/rresvport.c] Some more headers: netinet/in.h |
| sys/socket.h and unistd.h in various places |
| - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implict declaration |
| warnings for binary_open and binary_close. Patch from Corinna Vinschen. |
| - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly |
| test for GLOB_NOMATCH and use our glob functions if it's not found. |
| Stops sftp from segfaulting when attempting to get a nonexistent file on |
| Cygwin (previous versions of OpenSSH didn't use the native glob). Partly |
| from and tested by Corinna Vinschen. |
| - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank |
| versions. |
| |
| 20060831 |
| - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ] |
| [platform.c platform.h sshd.c openbsd-compat/Makefile.in] |
| [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c] |
| [openbsd-compat/port-solaris.h] Add support for Solaris process |
| contracts, enabled with --use-solaris-contracts. Patch from Chad |
| Mynhier, tweaked by dtucker@ and myself; ok dtucker@ |
| - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege |
| while setting up the ssh service account. Patch from Corinna Vinschen. |
| |
| 20060830 |
| - (djm) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2006/08/21 08:14:01 |
| [sshd_config.5] |
| Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@, |
| ok jmc@ djm@ |
| - dtucker@cvs.openbsd.org 2006/08/21 08:15:57 |
| [sshd.8] |
| Add more detail about what permissions are and aren't accepted for |
| authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@ |
| - djm@cvs.openbsd.org 2006/08/29 10:40:19 |
| [channels.c session.c] |
| normalise some inconsistent (but harmless) NULL pointer checks |
| spotted by the Stanford SATURN tool, via Isil Dillig; |
| ok markus@ deraadt@ |
| - dtucker@cvs.openbsd.org 2006/08/29 12:02:30 |
| [gss-genr.c] |
| Work around a problem in Heimdal that occurs when KRB5CCNAME file is |
| missing, by checking whether or not kerberos allocated us a context |
| before attempting to free it. Patch from Simon Wilkinson, tested by |
| biorn@, ok djm@ |
| - dtucker@cvs.openbsd.org 2006/08/30 00:06:51 |
| [sshconnect2.c] |
| Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL |
| where previously it weren't. bz #1221, found by Dean Kopesky, ok djm@ |
| - djm@cvs.openbsd.org 2006/08/30 00:14:37 |
| [version.h] |
| crank to 4.4 |
| - (djm) [openbsd-compat/xcrypt.c] needs unistd.h |
| - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call |
| loginsuccess on AIX immediately after authentication to clear the failed |
| login count. Previously this would only happen when an interactive |
| session starts (ie when a pty is allocated) but this means that accounts |
| that have primarily non-interactive sessions (eg scp's) may gradually |
| accumulate enough failures to lock out an account. This change may have |
| a side effect of creating two audit records, one with a tty of "ssh" |
| corresponding to the authentication and one with the allocated pty per |
| interactive session. |
| |
| 20060824 |
| - (dtucker) [openbsd-compat/basename.c] Include errno.h. |
| - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on |
| older systems. |
| - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2) |
| on POSIX systems. |
| - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2). |
| - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc. |
| - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent |
| unused variable warning when we have a broken or missing mmap(2). |
| |
| 20060822 |
| - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in |
| Makefile. Patch from santhi.amirta at gmail, ok djm. |
| |
| 20060820 |
| - (dtucker) [log.c] Move ifdef to prevent unused variable warning. |
| - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore |
| afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl. |
| - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for |
| fixing bug #1181. No changes yet. |
| - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL |
| (0.9.8a and presumably newer) requires -ldl to successfully link. |
| - (dtucker) [configure.ac] Remove errant "-". |
| |
| 20060819 |
| - (djm) OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2006/08/18 22:41:29 |
| [gss-genr.c] |
| GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk |
| - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a |
| single rule for the test progs. |
| |
| 20060818 |
| - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with |
| closefrom.c from sudo. |
| - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid. |
| - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error. |
| - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the |
| test progs instead; they work better than what we have. |
| - (djm) OpenBSD CVS Sync |
| - stevesk@cvs.openbsd.org 2006/08/06 01:13:32 |
| [compress.c monitor.c monitor_wrap.c] |
| "zlib.h" can be <zlib.h>; ok djm@ markus@ |
| - miod@cvs.openbsd.org 2006/08/12 20:46:46 |
| [monitor.c monitor_wrap.c] |
| Revert previous include file ordering change, for ssh to compile under |
| gcc2 (or until openssl include files are cleaned of parameter names |
| in function prototypes) |
| - dtucker@cvs.openbsd.org 2006/08/14 12:40:25 |
| [servconf.c servconf.h sshd_config.5] |
| Add ability to match groups to Match keyword in sshd_config. Feedback |
| djm@, stevesk@, ok stevesk@. |
| - djm@cvs.openbsd.org 2006/08/16 11:47:15 |
| [sshd.c] |
| factor inetd connection, TCP listen and main TCP accept loop out of |
| main() into separate functions to improve readability; ok markus@ |
| - deraadt@cvs.openbsd.org 2006/08/18 09:13:26 |
| [log.c log.h sshd.c] |
| make signal handler termination path shorter; risky code pointed out by |
| mark dowd; ok djm markus |
| - markus@cvs.openbsd.org 2006/08/18 09:15:20 |
| [auth.h session.c sshd.c] |
| delay authentication related cleanups until we're authenticated and |
| all alarms have been cancelled; ok deraadt |
| - djm@cvs.openbsd.org 2006/08/18 10:27:16 |
| [misc.h] |
| reorder so prototypes are sorted by the files they refer to; no |
| binary change |
| - djm@cvs.openbsd.org 2006/08/18 13:54:54 |
| [gss-genr.c ssh-gss.h sshconnect2.c] |
| bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk |
| ok markus@ |
| - djm@cvs.openbsd.org 2006/08/18 14:40:34 |
| [gss-genr.c ssh-gss.h] |
| constify host argument to match the rest of the GSSAPI functions and |
| unbreak compilation with -Werror |
| - (djm) Disable sigdie() for platforms that cannot safely syslog inside |
| a signal handler (basically all of them, excepting OpenBSD); |
| ok dtucker@ |
| |
| 20060817 |
| - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] |
| Include stdlib.h for malloc and friends. |
| - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl |
| for closefrom() on AIX. Pointed out by William Ahern. |
| - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress |
| test for closefrom() in compat code. |
| |
| 20060816 |
| - (djm) [audit-bsm.c] Sprinkle in some headers |
| |
| 20060815 |
| - (dtucker) [LICENCE] Add Reyk to the list for the compat dir. |
| |
| 20060806 |
| - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings |
| on Solaris 10 |
| |
| 20060806 |
| - (dtucker) [defines.h] With the includes.h changes we no longer get the |
| name clash on "YES" so we can remove the workaround for it. |
| - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c, |
| glob.c}] Include stdlib.h for malloc and friends in compat code. |
| |
| 20060805 |
| - (djm) OpenBSD CVS Sync |
| - stevesk@cvs.openbsd.org 2006/07/24 13:58:22 |
| [sshconnect.c] |
| disable tunnel forwarding when no strict host key checking |
| and key changed; ok djm@ markus@ dtucker@ |
| - stevesk@cvs.openbsd.org 2006/07/25 02:01:34 |
| [scard.c] |
| need #include <string.h> |
| - stevesk@cvs.openbsd.org 2006/07/25 02:59:21 |
| [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c] |
| [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c] |
| move #include <sys/time.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/07/26 02:35:17 |
| [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c] |
| [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c] |
| [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c] |
| [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c] |
| [uidswap.c xmalloc.c] |
| move #include <sys/param.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/07/26 13:57:17 |
| [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c] |
| [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c] |
| [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] |
| [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c] |
| [sshconnect1.c sshd.c xmalloc.c] |
| move #include <stdlib.h> out of includes.h |
| - jmc@cvs.openbsd.org 2006/07/27 08:00:50 |
| [ssh_config.5] |
| avoid confusing wording in HashKnownHosts: |
| originally spotted by alan amesbury; |
| ok deraadt |
| - jmc@cvs.openbsd.org 2006/07/27 08:00:50 |
| [ssh_config.5] |
| avoid confusing wording in HashKnownHosts: |
| originally spotted by alan amesbury; |
| ok deraadt |
| - dtucker@cvs.openbsd.org 2006/08/01 11:34:36 |
| [sshconnect.c] |
| Allow fallback to known_hosts entries without port qualifiers for |
| non-standard ports too, so that all existing known_hosts entries will be |
| recognised. Requested by, feedback and ok markus@ |
| - stevesk@cvs.openbsd.org 2006/08/01 23:22:48 |
| [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c] |
| [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c] |
| [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c] |
| [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c] |
| [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c] |
| [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c] |
| [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c] |
| [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c] |
| [uuencode.h xmalloc.c] |
| move #include <stdio.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/08/01 23:36:12 |
| [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c] |
| clean extra spaces |
| - deraadt@cvs.openbsd.org 2006/08/03 03:34:42 |
| [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] |
| [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] |
| [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] |
| [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] |
| [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] |
| [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] |
| [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] |
| [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] |
| [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] |
| [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] |
| [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] |
| [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] |
| [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] |
| [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] |
| [serverloop.c session.c session.h sftp-client.c sftp-common.c] |
| [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] |
| [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] |
| [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] |
| [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] |
| [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] |
| [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] |
| almost entirely get rid of the culture of ".h files that include .h files" |
| ok djm, sort of ok stevesk |
| makes the pain stop in one easy step |
| NB. portable commit contains everything *except* removing includes.h, as |
| that will take a fair bit more work as we move headers that are required |
| for portability workarounds to defines.h. (also, this step wasn't "easy") |
| - stevesk@cvs.openbsd.org 2006/08/04 20:46:05 |
| [monitor.c session.c ssh-agent.c] |
| spaces |
| - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c |
| - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c] |
| remove last traces of bufaux.h - it was merged into buffer.h in the big |
| includes.h commit |
| - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec |
| - (djm) [openbsd-compat/regress/snprintftest.c] |
| [openbsd-compat/regress/strduptest.c] Add missing includes so they pass |
| compilation with "-Wall -Werror" |
| - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c] |
| [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more |
| includes for Linux in |
| - (dtucker) [cleanup.c] Need defines.h for __dead. |
| - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable. |
| - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of |
| #include stdarg.h, needed for log.h. |
| - (dtucker) [entropy.c] Needs unistd.h too. |
| - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h. |
| - (dtucker) [openbsd-compat/getrrsetbyname.c] Nees stdlib.h for malloc. |
| - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll, |
| otherwise it is implicitly declared as returning an int. |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2006/08/05 07:52:52 |
| [auth2-none.c sshd.c monitor_wrap.c] |
| Add headers required to build with KERBEROS5=no. ok djm@ |
| - dtucker@cvs.openbsd.org 2006/08/05 08:00:33 |
| [auth-skey.c] |
| Add headers required to build with -DSKEY. ok djm@ |
| - dtucker@cvs.openbsd.org 2006/08/05 08:28:24 |
| [monitor_wrap.c auth-skey.c auth2-chall.c] |
| Zap unused variables in -DSKEY code. ok djm@ |
| - dtucker@cvs.openbsd.org 2006/08/05 08:34:04 |
| [packet.c] |
| Typo in comment |
| - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile |
| on Cygwin. |
| - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa. |
| - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h. |
| - (dtucker) [audit.c audit.h] Repair headers. |
| - (dtucker) [audit-bsm.c] Add additional headers now required. |
| |
| 20060804 |
| - (dtucker) [configure.ac] The "crippled AES" test does not work on recent |
| versions of Solaris, so use AC_LINK_IFELSE to actually link the test program |
| rather than just compiling it. Spotted by dlg@. |
| |
| 20060802 |
| - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype. |
| |
| 20060725 |
| - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW. |
| |
| 20060724 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2006/07/12 13:39:55 |
| [sshd_config.5] |
| - new sentence, new line |
| - s/The the/The/ |
| - kill a bad comma |
| - stevesk@cvs.openbsd.org 2006/07/12 22:28:52 |
| [auth-options.c canohost.c channels.c includes.h readconf.c] |
| [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c] |
| move #include <netdb.h> out of includes.h; ok djm@ |
| - stevesk@cvs.openbsd.org 2006/07/12 22:42:32 |
| [includes.h ssh.c ssh-rand-helper.c] |
| move #include <stddef.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/07/14 01:15:28 |
| [monitor_wrap.h] |
| don't need incompletely-typed 'struct passwd' now with |
| #include <pwd.h>; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/07/17 01:31:10 |
| [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c] |
| [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c] |
| [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c] |
| [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c] |
| [sshconnect.c sshlogin.c sshpty.c uidswap.c] |
| move #include <unistd.h> out of includes.h |
| - dtucker@cvs.openbsd.org 2006/07/17 12:02:24 |
| [auth-options.c] |
| Use '\0' rather than 0 to terminates strings; ok djm@ |
| - dtucker@cvs.openbsd.org 2006/07/17 12:06:00 |
| [channels.c channels.h servconf.c sshd_config.5] |
| Add PermitOpen directive to sshd_config which is equivalent to the |
| "permitopen" key option. Allows server admin to allow TCP port |
| forwarding only two specific host/port pairs. Useful when combined |
| with Match. |
| If permitopen is used in both sshd_config and a key option, both |
| must allow a given connection before it will be permitted. |
| Note that users can still use external forwarders such as netcat, |
| so to be those must be controlled too for the limits to be effective. |
| Feedback & ok djm@, man page corrections & ok jmc@. |
| - jmc@cvs.openbsd.org 2006/07/18 07:50:40 |
| [sshd_config.5] |
| tweak; ok dtucker |
| - jmc@cvs.openbsd.org 2006/07/18 07:56:28 |
| [scp.1] |
| replace DIAGNOSTICS with .Ex; |
| - jmc@cvs.openbsd.org 2006/07/18 08:03:09 |
| [ssh-agent.1 sshd_config.5] |
| mark up angle brackets; |
| - dtucker@cvs.openbsd.org 2006/07/18 08:22:23 |
| [sshd_config.5] |
| Clarify description of Match, with minor correction from jmc@ |
| - stevesk@cvs.openbsd.org 2006/07/18 22:27:55 |
| [dh.c] |
| remove unneeded includes; ok djm@ |
| - dtucker@cvs.openbsd.org 2006/07/19 08:56:41 |
| [servconf.c sshd_config.5] |
| Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to |
| Match. ok djm@ |
| - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 |
| [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] |
| Add ForceCommand keyword to sshd_config, equivalent to the "command=" |
| key option, man page entry and example in sshd_config. |
| Feedback & ok djm@, man page corrections & ok jmc@ |
| - stevesk@cvs.openbsd.org 2006/07/20 15:26:15 |
| [auth1.c serverloop.c session.c sshconnect2.c] |
| missed some needed #include <unistd.h> when KERBEROS5=no; issue from |
| massimo@cedoc.mo.it |
| - dtucker@cvs.openbsd.org 2006/07/21 12:43:36 |
| [channels.c channels.h servconf.c servconf.h sshd_config.5] |
| Make PermitOpen take a list of permitted ports and act more like most |
| other keywords (ie the first match is the effective setting). This |
| also makes it easier to override a previously set PermitOpen. ok djm@ |
| - stevesk@cvs.openbsd.org 2006/07/21 21:13:30 |
| [channels.c] |
| more ARGSUSED (lint) for dispatch table-driven functions; ok djm@ |
| - stevesk@cvs.openbsd.org 2006/07/21 21:26:55 |
| [progressmeter.c] |
| ARGSUSED for signal handler |
| - stevesk@cvs.openbsd.org 2006/07/22 19:08:54 |
| [includes.h moduli.c progressmeter.c scp.c sftp-common.c] |
| [sftp-server.c ssh-agent.c sshlogin.c] |
| move #include <time.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/07/22 20:48:23 |
| [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c] |
| [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c] |
| [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c] |
| [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c] |
| [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c] |
| [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c] |
| [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c] |
| [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c] |
| [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c] |
| [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c] |
| [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] |
| [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c] |
| [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c] |
| move #include <string.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/07/23 01:11:05 |
| [auth.h dispatch.c kex.h sftp-client.c] |
| #include <signal.h> for sig_atomic_t; need this prior to <sys/param.h> |
| move |
| - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c] |
| [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c] |
| [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c] |
| [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c] |
| [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c] |
| [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c] |
| [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c] |
| [openbsd-compat/mktemp.c openbsd-compat/port-linux.c] |
| [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] |
| [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c] |
| make the portable tree compile again - sprinkle unistd.h and string.h |
| back in. Don't redefine __unused, as it turned out to be used in |
| headers on Linux, and replace its use in auth-pam.c with ARGSUSED |
| - (djm) [openbsd-compat/glob.c] |
| Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles |
| on OpenBSD (or other platforms with a decent glob implementation) with |
| -Werror |
| - (djm) [uuencode.c] |
| Add resolv.h, is it contains the prototypes for __b64_ntop/__b64_pton on |
| some platforms |
| - (djm) [session.c] |
| fix compile error with -Werror -Wall: 'path' is only used in |
| do_setup_env() if HAVE_LOGIN_CAP is not defined |
| - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c] |
| [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c] |
| [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c] |
| [openbsd-compat/port-aix.c openbsd-compat/port-irix.c] |
| [openbsd-compat/rresvport.c] |
| These look to need string.h and/or unistd.h (based on a grep for function |
| names) |
| - (djm) [Makefile.in] |
| Remove generated openbsd-compat/regress/Makefile in distclean target |
| - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh] |
| [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh] |
| Sync regress tests to -current; include dtucker@'s new cfgmatch and |
| forcecommand tests. Add cipher-speed.sh test (not linked in yet) |
| - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including |
| system headers before defines.h will cause conflicting definitions. |
| - (dtucker) [regress/forcecommand.sh] Portablize. |
| |
| 20060713 |
| - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h |
| |
| 20060712 |
| - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and |
| O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old |
| Linuxes and probably more. |
| - (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h> |
| for SHUT_RD. |
| - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before |
| <netinet/ip.h>. |
| - (dtucker) OpenBSD CVS Sync |
| - stevesk@cvs.openbsd.org 2006/07/10 16:01:57 |
| [sftp-glob.c sftp-common.h sftp.c] |
| buffer.h only needed in sftp-common.h and remove some unneeded |
| user includes; ok djm@ |
| - jmc@cvs.openbsd.org 2006/07/10 16:04:21 |
| [sshd.8] |
| s/and and/and/ |
| - stevesk@cvs.openbsd.org 2006/07/10 16:37:36 |
| [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c |
| auth.c packet.c log.c] |
| move #include <stdarg.h> out of includes.h; ok markus@ |
| - dtucker@cvs.openbsd.org 2006/07/11 10:12:07 |
| [ssh.c] |
| Only copy the part of environment variable that we actually use. Prevents |
| ssh bailing when SendEnv is used and an environment variable with a really |
| long value exists. ok djm@ |
| - markus@cvs.openbsd.org 2006/07/11 18:50:48 |
| [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c |
| channels.h readconf.c] |
| add ExitOnForwardFailure: terminate the connection if ssh(1) |
| cannot set up all requested dynamic, local, and remote port |
| forwardings. ok djm, dtucker, stevesk, jmc |
| - stevesk@cvs.openbsd.org 2006/07/11 20:07:25 |
| [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c |
| sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c |
| includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c |
| sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c |
| ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c] |
| move #include <errno.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/07/11 20:16:43 |
| [ssh.c] |
| cast asterisk field precision argument to int to remove warning; |
| ok markus@ |
| - stevesk@cvs.openbsd.org 2006/07/11 20:27:56 |
| [authfile.c ssh.c] |
| need <errno.h> here also (it's also included in <openssl/err.h>) |
| - dtucker@cvs.openbsd.org 2006/07/12 11:34:58 |
| [sshd.c servconf.h servconf.c sshd_config.5 auth.c] |
| Add support for conditional directives to sshd_config via a "Match" |
| keyword, which works similarly to the "Host" directive in ssh_config. |
| Lines after a Match line override the default set in the main section |
| if the condition on the Match line is true, eg |
| AllowTcpForwarding yes |
| Match User anoncvs |
| AllowTcpForwarding no |
| will allow port forwarding by all users except "anoncvs". |
| Currently only a very small subset of directives are supported. |
| ok djm@ |
| - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c |
| openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c |
| openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>. |
| - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h. |
| - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too. |
| - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h. |
| - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c |
| openbsd-compat/rresvport.c] More errno.h. |
| |
| 20060711 |
| - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c |
| openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally |
| include paths.h. Fixes build error on Solaris. |
| - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably |
| others). |
| |
| 20060710 |
| - (dtucker) [INSTALL] New autoconf version: 2.60. |
| - OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2006/06/14 10:50:42 |
| [sshconnect.c] |
| limit the number of pre-banner characters we will accept; ok markus@ |
| - djm@cvs.openbsd.org 2006/06/26 10:36:15 |
| [clientloop.c] |
| mention optional bind_address in runtime port forwarding setup |
| command-line help. patch from santhi.amirta AT gmail.com |
| - stevesk@cvs.openbsd.org 2006/07/02 17:12:58 |
| [ssh.1 ssh.c ssh_config.5 sshd_config.5] |
| more details and clarity for tun(4) device forwarding; ok and help |
| jmc@ |
| - stevesk@cvs.openbsd.org 2006/07/02 18:36:47 |
| [gss-serv-krb5.c gss-serv.c] |
| no "servconf.h" needed here |
| (gss-serv-krb5.c change not applied, portable needs the server options) |
| - stevesk@cvs.openbsd.org 2006/07/02 22:45:59 |
| [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c] |
| move #include <grp.h> out of includes.h |
| (portable needed uidswap.c too) |
| - stevesk@cvs.openbsd.org 2006/07/02 23:01:55 |
| [clientloop.c ssh.1] |
| use -KR[bind_address:]port here; ok djm@ |
| - stevesk@cvs.openbsd.org 2006/07/03 08:54:20 |
| [includes.h ssh.c sshconnect.c sshd.c] |
| move #include "version.h" out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/07/03 17:59:32 |
| [channels.c includes.h] |
| move #include <arpa/inet.h> out of includes.h; old ok djm@ |
| (portable needed session.c too) |
| - stevesk@cvs.openbsd.org 2006/07/05 02:42:09 |
| [canohost.c hostfile.c includes.h misc.c packet.c readconf.c] |
| [serverloop.c sshconnect.c uuencode.c] |
| move #include <netinet/in.h> out of includes.h; ok deraadt@ |
| (also ssh-rand-helper.c logintest.c loginrec.c) |
| - djm@cvs.openbsd.org 2006/07/06 10:47:05 |
| [servconf.c servconf.h session.c sshd_config.5] |
| support arguments to Subsystem commands; ok markus@ |
| - djm@cvs.openbsd.org 2006/07/06 10:47:57 |
| [sftp-server.8 sftp-server.c] |
| add commandline options to enable logging of transactions; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/07/06 16:03:53 |
| [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c] |
| [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c] |
| [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c] |
| [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c] |
| [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c] |
| [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c] |
| [uidswap.h] |
| move #include <pwd.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/07/06 16:22:39 |
| [ssh-keygen.c] |
| move #include "dns.h" up |
| - stevesk@cvs.openbsd.org 2006/07/06 17:36:37 |
| [monitor_wrap.h] |
| typo in comment |
| - stevesk@cvs.openbsd.org 2006/07/08 21:47:12 |
| [authfd.c canohost.c clientloop.c dns.c dns.h includes.h] |
| [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c] |
| [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h] |
| move #include <sys/socket.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/07/08 21:48:53 |
| [monitor.c session.c] |
| missed these from last commit: |
| move #include <sys/socket.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/07/08 23:30:06 |
| [log.c] |
| move user includes after /usr/include files |
| - stevesk@cvs.openbsd.org 2006/07/09 15:15:11 |
| [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c] |
| [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c] |
| [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] |
| [sshlogin.c sshpty.c] |
| move #include <fcntl.h> out of includes.h |
| - stevesk@cvs.openbsd.org 2006/07/09 15:27:59 |
| [ssh-add.c] |
| use O_RDONLY vs. 0 in open(); no binary change |
| - djm@cvs.openbsd.org 2006/07/10 11:24:54 |
| [sftp-server.c] |
| remove optind - it isn't used here |
| - djm@cvs.openbsd.org 2006/07/10 11:25:53 |
| [sftp-server.c] |
| don't log variables that aren't yet set |
| - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c] |
| [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h] |
| [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] |
| [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h |
| - OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2006/07/10 12:03:20 |
| [scp.c] |
| duplicate argv at the start of main() because it gets modified later; |
| pointed out by deraadt@ ok markus@ |
| - djm@cvs.openbsd.org 2006/07/10 12:08:08 |
| [channels.c] |
| fix misparsing of SOCKS 5 packets that could result in a crash; |
| reported by mk@ ok markus@ |
| - dtucker@cvs.openbsd.org 2006/07/10 12:46:51 |
| [misc.c misc.h sshd.8 sshconnect.c] |
| Add port identifier to known_hosts for non-default ports, based originally |
| on a patch from Devin Nate in bz#910. |
| For any connection using the default port or using a HostKeyAlias the |
| format is unchanged, otherwise the host name or address is enclosed |
| within square brackets in the same format as sshd's ListenAddress. |
| Tested by many, ok markus@. |
| - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h> |
| for struct sockaddr on platforms that use the fake-rfc stuff. |
| |
| 20060706 |
| - (dtucker) [configure.ac] Try AIX blibpath test in different order when |
| compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so |
| configure would not select the correct libpath linker flags. |
| - (dtucker) [INSTALL] A bit more info on autoconf. |
| |
| 20060705 |
| - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the |
| target already exists. |
| |
| 20060630 |
| - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf |
| declaration too. Patch from russ at sludge.net. |
| - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it, |
| prevents warnings on platforms where _res is in the system headers. |
| - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which |
| version. |
| |
| 20060627 |
| - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems |
| with autoconf 2.60. Patch from vapier at gentoo.org. |
| |
| 20060625 |
| - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys |
| only, otherwise sshd can hang exiting non-interactive sessions. |
| |
| 20060624 |
| - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris. |
| Works around limitation in Solaris' passwd program for changing passwords |
| where the username is longer than 8 characters. ok djm@ |
| - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug |
| #1102 workaround. |
| |
| 20060623 |
| - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add |
| tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch |
| from reyk@, tested by anil@ |
| - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX |
| 4.3.3 ML3 or so, the AIX pty layer starting passing zero-length writes |
| on the pty slave as zero-length reads on the pty master, which sshd |
| interprets as the descriptor closing. Since most things don't do zero |
| length writes this rarely matters, but occasionally it happens, and when |
| it does the SSH pty session appears to hang, so we add a special case for |
| this condition. ok djm@ |
| |
| 20060613 |
| - (djm) [getput.h] This file has been replaced by functions in misc.c |
| - OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2006/05/08 10:49:48 |
| [sshconnect2.c] |
| uint32_t -> u_int32_t (which we use everywhere else) |
| (Id sync only - portable already had this) |
| - markus@cvs.openbsd.org 2006/05/16 09:00:00 |
| [clientloop.c] |
| missing free; from Kylene Hall |
| - markus@cvs.openbsd.org 2006/05/17 12:43:34 |
| [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c] |
| fix leak; coverity via Kylene Jo Hall |
| - miod@cvs.openbsd.org 2006/05/18 21:27:25 |
| [kexdhc.c kexgexc.c] |
| paramter -> parameter |
| - dtucker@cvs.openbsd.org 2006/05/29 12:54:08 |
| [ssh_config.5] |
| Add gssapi-with-mic to PreferredAuthentications default list; ok jmc |
| - dtucker@cvs.openbsd.org 2006/05/29 12:56:33 |
| [ssh_config] |
| Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in |
| sample ssh_config. ok markus@ |
| - jmc@cvs.openbsd.org 2006/05/29 16:10:03 |
| [ssh_config.5] |
| oops - previous was too long; split the list of auths up |
| - mk@cvs.openbsd.org 2006/05/30 11:46:38 |
| [ssh-add.c] |
| Sync usage() with man page and reality. |
| ok deraadt dtucker |
| - jmc@cvs.openbsd.org 2006/05/29 16:13:23 |
| [ssh.1] |
| add GSSAPI to the list of authentication methods supported; |
| - mk@cvs.openbsd.org 2006/05/30 11:46:38 |
| [ssh-add.c] |
| Sync usage() with man page and reality. |
| ok deraadt dtucker |
| - markus@cvs.openbsd.org 2006/06/01 09:21:48 |
| [sshd.c] |
| call get_remote_ipaddr() early; fixes logging after client disconnects; |
| report mpf@; ok dtucker@ |
| - markus@cvs.openbsd.org 2006/06/06 10:20:20 |
| [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c] |
| replace remaining setuid() calls with permanently_set_uid() and |
| check seteuid() return values; report Marcus Meissner; ok dtucker djm |
| - markus@cvs.openbsd.org 2006/06/08 14:45:49 |
| [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h] |
| do not set the gid, noted by solar; ok djm |
| - djm@cvs.openbsd.org 2006/06/13 01:18:36 |
| [ssh-agent.c] |
| always use a format string, even when printing a constant |
| - djm@cvs.openbsd.org 2006/06/13 02:17:07 |
| [ssh-agent.c] |
| revert; i am on drugs. spotted by alexander AT beard.se |
| |
| 20060521 |
| - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor |
| and slave, we can remove the special-case handling in the audit hook in |
| auth_log. |
| |
| 20060517 |
| - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file |
| pointer leak. From kjhall at us.ibm.com, found by coverity. |
| |
| 20060515 |
| - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of |
| _res, prevents problems on some platforms that have _res as a global but |
| don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by |
| georg.schwarz at freenet.de, ok djm@. |
| - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative |
| default. Patch originally from tim@, ok djm |
| - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and |
| do not allow kbdint again after the PAM account check fails. ok djm@ |
| |
| 20060506 |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2006/04/25 08:02:27 |
| [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c] |
| Prevent ssh from trying to open private keys with bad permissions more than |
| once or prompting for their passphrases (which it subsequently ignores |
| anyway), similar to a previous change in ssh-add. bz #1186, ok djm@ |
| - djm@cvs.openbsd.org 2006/05/04 14:55:23 |
| [dh.c] |
| tighter DH exponent checks here too; feedback and ok markus@ |
| - djm@cvs.openbsd.org 2006/04/01 05:37:46 |
| [OVERVIEW] |
| $OpenBSD$ in here too |
| - dtucker@cvs.openbsd.org 2006/05/06 08:35:40 |
| [auth-krb5.c] |
| Add $OpenBSD$ in comment here too |
| |
| 20060504 |
| - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c |
| session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c |
| openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar) |
| in Portable-only code; since calloc zeros, remove now-redundant memsets. |
| Also add a couple of sanity checks. With & ok djm@ |
| |
| 20060503 |
| - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h |
| and double including it on IRIX 5.3 causes problems. From Georg Schwarz, |
| "no objections" tim@ |
| |
| 20060423 |
| - (djm) OpenBSD CVS Sync |
| - deraadt@cvs.openbsd.org 2006/04/01 05:42:20 |
| [scp.c] |
| minimal lint cleanup (unused crud, and some size_t); ok djm |
| - djm@cvs.openbsd.org 2006/04/01 05:50:29 |
| [scp.c] |
| xasprintification; ok deraadt@ |
| - djm@cvs.openbsd.org 2006/04/01 05:51:34 |
| [atomicio.c] |
| ANSIfy; requested deraadt@ |
| - dtucker@cvs.openbsd.org 2006/04/02 08:34:52 |
| [ssh-keysign.c] |
| sessionid can be 32 bytes now too when sha256 kex is used; ok djm@ |
| - djm@cvs.openbsd.org 2006/04/03 07:10:38 |
| [gss-genr.c] |
| GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066 |
| by dleonard AT vintela.com. use xasprintf() to simplify code while in |
| there; "looks right" deraadt@ |
| - djm@cvs.openbsd.org 2006/04/16 00:48:52 |
| [buffer.c buffer.h channels.c] |
| Fix condition where we could exit with a fatal error when an input |
| buffer became too large and the remote end had advertised a big window. |
| The problem was a mismatch in the backoff math between the channels code |
| and the buffer code, so make a buffer_check_alloc() function that the |
| channels code can use to propsectivly check whether an incremental |
| allocation will succeed. bz #1131, debugged with the assistance of |
| cove AT wildpackets.com; ok dtucker@ deraadt@ |
| - djm@cvs.openbsd.org 2006/04/16 00:52:55 |
| [atomicio.c atomicio.h] |
| introduce atomiciov() function that wraps readv/writev to retry |
| interrupted transfers like atomicio() does for read/write; |
| feedback deraadt@ dtucker@ stevesk@ ok deraadt@ |
| - djm@cvs.openbsd.org 2006/04/16 00:54:10 |
| [sftp-client.c] |
| avoid making a tiny 4-byte write to send the packet length of sftp |
| commands, which would result in a separate tiny packet on the wire by |
| using atomiciov(writev, ...) to write the length and the command in one |
| pass; ok deraadt@ |
| - djm@cvs.openbsd.org 2006/04/16 07:59:00 |
| [atomicio.c] |
| reorder sanity test so that it cannot dereference past the end of the |
| iov array; well spotted canacar@! |
| - dtucker@cvs.openbsd.org 2006/04/18 10:44:28 |
| [bufaux.c bufbn.c Makefile.in] |
| Move Buffer bignum functions into their own file, bufbn.c. This means |
| that sftp and sftp-server (which use the Buffer functions in bufaux.c |
| but not the bignum ones) no longer need to be linked with libcrypto. |
| ok markus@ |
| - djm@cvs.openbsd.org 2006/04/20 09:27:09 |
| [auth.h clientloop.c dispatch.c dispatch.h kex.h] |
| replace the last non-sig_atomic_t flag used in a signal handler with a |
| sig_atomic_t, unfortunately with some knock-on effects in other (non- |
| signal) contexts in which it is used; ok markus@ |
| - markus@cvs.openbsd.org 2006/04/20 09:47:59 |
| [sshconnect.c] |
| simplify; ok djm@ |
| - djm@cvs.openbsd.org 2006/04/20 21:53:44 |
| [includes.h session.c sftp.c] |
| Switch from using pipes to socketpairs for communication between |
| sftp/scp and ssh, and between sshd and its subprocesses. This saves |
| a file descriptor per session and apparently makes userland ppp over |
| ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this |
| decision on a per-platform basis) |
| - djm@cvs.openbsd.org 2006/04/22 04:06:51 |
| [uidswap.c] |
| use setres[ug]id() to permanently revoke privileges; ok deraadt@ |
| (ID Sync only - portable already uses setres[ug]id() whenever possible) |
| - stevesk@cvs.openbsd.org 2006/04/22 18:29:33 |
| [crc32.c] |
| remove extra spaces |
| - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get |
| sig_atomic_t |
| |
| 20060421 |
| - (djm) [Makefile.in configure.ac session.c sshpty.c] |
| [contrib/redhat/sshd.init openbsd-compat/Makefile.in] |
| [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c] |
| [openbsd-compat/port-linux.h] Add support for SELinux, setting |
| the execution and TTY contexts. based on patch from Daniel Walsh, |
| bz #880; ok dtucker@ |
| |
| 20060418 |
| - (djm) [canohost.c] Reorder IP options check so that it isn't broken |
| by mapped addresses; bz #1179 reported by markw wtech-llc.com; |
| ok dtucker@ |
| |
| 20060331 |
| - OpenBSD CVS Sync |
| - deraadt@cvs.openbsd.org 2006/03/27 01:21:18 |
| [xmalloc.c] |
| we can do the size & nmemb check before the integer overflow check; |
| evol |
| - deraadt@cvs.openbsd.org 2006/03/27 13:03:54 |
| [dh.c] |
| use strtonum() instead of atoi(), limit dhg size to 64k; ok djm |
| - djm@cvs.openbsd.org 2006/03/27 23:15:46 |
| [sftp.c] |
| always use a format string for addargs; spotted by mouring@ |
| - deraadt@cvs.openbsd.org 2006/03/28 00:12:31 |
| [README.tun ssh.c] |
| spacing |
| - deraadt@cvs.openbsd.org 2006/03/28 01:52:28 |
| [channels.c] |
| do not accept unreasonable X ports numbers; ok djm |
| - deraadt@cvs.openbsd.org 2006/03/28 01:53:43 |
| [ssh-agent.c] |
| use strtonum() to parse the pid from the file, and range check it |
| better; ok djm |
| - djm@cvs.openbsd.org 2006/03/30 09:41:25 |
| [channels.c] |
| ARGSUSED for dispatch table-driven functions |
| - djm@cvs.openbsd.org 2006/03/30 09:58:16 |
| [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h] |
| [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c] |
| replace {GET,PUT}_XXBIT macros with functionally similar functions, |
| silencing a heap of lint warnings. also allows them to use |
| __bounded__ checking which can't be applied to macros; requested |
| by and feedback from deraadt@ |
| - djm@cvs.openbsd.org 2006/03/30 10:41:25 |
| [ssh.c ssh_config.5] |
| add percent escape chars to the IdentityFile option, bz #1159 based |
| on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@ |
| - dtucker@cvs.openbsd.org 2006/03/30 11:05:17 |
| [ssh-keygen.c] |
| Correctly handle truncated files while converting keys; ok djm@ |
| - dtucker@cvs.openbsd.org 2006/03/30 11:40:21 |
| [auth.c monitor.c] |
| Prevent duplicate log messages when privsep=yes; ok djm@ |
| - jmc@cvs.openbsd.org 2006/03/31 09:09:30 |
| [ssh_config.5] |
| kill trailing whitespace; |
| - djm@cvs.openbsd.org 2006/03/31 09:13:56 |
| [ssh_config.5] |
| remote user escape is %r not %h; spotted by jmc@ |
| |
| 20060326 |
| - OpenBSD CVS Sync |
| - jakob@cvs.openbsd.org 2006/03/15 08:46:44 |
| [ssh-keygen.c] |
| if no key file are given when printing the DNS host record, use the |
| host key file(s) as default. ok djm@ |
| - biorn@cvs.openbsd.org 2006/03/16 10:31:45 |
| [scp.c] |
| Try to display errormessage even if remout == -1 |
| ok djm@, markus@ |
| - djm@cvs.openbsd.org 2006/03/17 22:31:50 |
| [authfd.c] |
| another unreachable found by lint |
| - djm@cvs.openbsd.org 2006/03/17 22:31:11 |
| [authfd.c] |
| unreachanble statement, found by lint |
| - djm@cvs.openbsd.org 2006/03/19 02:22:32 |
| [serverloop.c] |
| memory leaks detected by Coverity via elad AT netbsd.org; |
| ok deraadt@ dtucker@ |
| - djm@cvs.openbsd.org 2006/03/19 02:22:56 |
| [sftp.c] |
| more memory leaks detected by Coverity via elad AT netbsd.org; |
| deraadt@ ok |
| - djm@cvs.openbsd.org 2006/03/19 02:23:26 |
| [hostfile.c] |
| FILE* leak detected by Coverity via elad AT netbsd.org; |
| ok deraadt@ |
| - djm@cvs.openbsd.org 2006/03/19 02:24:05 |
| [dh.c readconf.c servconf.c] |
| potential NULL pointer dereferences detected by Coverity |
| via elad AT netbsd.org; ok deraadt@ |
| - djm@cvs.openbsd.org 2006/03/19 07:41:30 |
| [sshconnect2.c] |
| memory leaks detected by Coverity via elad AT netbsd.org; |
| deraadt@ ok |
| - dtucker@cvs.openbsd.org 2006/03/19 11:51:52 |
| [servconf.c] |
| Correct strdelim null test; ok djm@ |
| - deraadt@cvs.openbsd.org 2006/03/19 18:52:11 |
| [auth1.c authfd.c channels.c] |
| spacing |
| - deraadt@cvs.openbsd.org 2006/03/19 18:53:12 |
| [kex.c kex.h monitor.c myproposal.h session.c] |
| spacing |
| - deraadt@cvs.openbsd.org 2006/03/19 18:56:41 |
| [clientloop.c progressmeter.c serverloop.c sshd.c] |
| ARGSUSED for signal handlers |
| - deraadt@cvs.openbsd.org 2006/03/19 18:59:49 |
| [ssh-keyscan.c] |
| please lint |
| - deraadt@cvs.openbsd.org 2006/03/19 18:59:30 |
| [ssh.c] |
| spacing |
| - deraadt@cvs.openbsd.org 2006/03/19 18:59:09 |
| [authfile.c] |
| whoever thought that break after return was a good idea needs to |
| get their head examimed |
| - djm@cvs.openbsd.org 2006/03/20 04:09:44 |
| [monitor.c] |
| memory leaks detected by Coverity via elad AT netbsd.org; |
| deraadt@ ok |
| that should be all of them now |
| - djm@cvs.openbsd.org 2006/03/20 11:38:46 |
| [key.c] |
| (really) last of the Coverity diffs: avoid possible NULL deref in |
| key_free. via elad AT netbsd.org; markus@ ok |
| - deraadt@cvs.openbsd.org 2006/03/20 17:10:19 |
| [auth.c key.c misc.c packet.c ssh-add.c] |
| in a switch (), break after return or goto is stupid |
| - deraadt@cvs.openbsd.org 2006/03/20 17:13:16 |
| [key.c] |
| djm did a typo |
| - deraadt@cvs.openbsd.org 2006/03/20 17:17:23 |
| [ssh-rsa.c] |
| in a switch (), break after return or goto is stupid |
| - deraadt@cvs.openbsd.org 2006/03/20 18:14:02 |
| [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c] |
| [ssh.c sshpty.c sshpty.h] |
| sprinkle u_int throughout pty subsystem, ok markus |
| - deraadt@cvs.openbsd.org 2006/03/20 18:17:20 |
| [auth1.c auth2.c sshd.c] |
| sprinkle some ARGSUSED for table driven functions (which sometimes |
| must ignore their args) |
| - deraadt@cvs.openbsd.org 2006/03/20 18:26:55 |
| [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c] |
| [ssh-rsa.c ssh.c sshlogin.c] |
| annoying spacing fixes getting in the way of real diffs |
| - deraadt@cvs.openbsd.org 2006/03/20 18:27:50 |
| [monitor.c] |
| spacing |
| - deraadt@cvs.openbsd.org 2006/03/20 18:35:12 |
| [channels.c] |
| x11_fake_data is only ever used as u_char * |
| - deraadt@cvs.openbsd.org 2006/03/20 18:41:43 |
| [dns.c] |
| cast xstrdup to propert u_char * |
| - deraadt@cvs.openbsd.org 2006/03/20 18:42:27 |
| [canohost.c match.c ssh.c sshconnect.c] |
| be strict with tolower() casting |
| - deraadt@cvs.openbsd.org 2006/03/20 18:48:34 |
| [channels.c fatal.c kex.c packet.c serverloop.c] |
| spacing |
| - deraadt@cvs.openbsd.org 2006/03/20 21:11:53 |
| [ttymodes.c] |
| spacing |
| - djm@cvs.openbsd.org 2006/03/25 00:05:41 |
| [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c] |
| [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c] |
| [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c] |
| [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c] |
| [xmalloc.c xmalloc.h] |
| introduce xcalloc() and xasprintf() failure-checked allocations |
| functions and use them throughout openssh |
| |
| xcalloc is particularly important because malloc(nmemb * size) is a |
| dangerous idiom (subject to integer overflow) and it is time for it |
| to die |
| |
| feedback and ok deraadt@ |
| - djm@cvs.openbsd.org 2006/03/25 01:13:23 |
| [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c] |
| [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c] |
| [uidswap.c] |
| change OpenSSH's xrealloc() function from being xrealloc(p, new_size) |
| to xrealloc(p, new_nmemb, new_itemsize). |
| |
| realloc is particularly prone to integer overflows because it is |
| almost always allocating "n * size" bytes, so this is a far safer |
| API; ok deraadt@ |
| - djm@cvs.openbsd.org 2006/03/25 01:30:23 |
| [sftp.c] |
| "abormally" is a perfectly cromulent word, but "abnormally" is better |
| - djm@cvs.openbsd.org 2006/03/25 13:17:03 |
| [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c] |
| [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c] |
| [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c] |
| [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c] |
| [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c] |
| [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c] |
| [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c] |
| [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c] |
| [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c] |
| [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c] |
| [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c] |
| [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c] |
| [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] |
| [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] |
| [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] |
| [uidswap.c uuencode.c xmalloc.c] |
| Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that |
| Theo nuked - our scripts to sync -portable need them in the files |
| - deraadt@cvs.openbsd.org 2006/03/25 18:29:35 |
| [auth-rsa.c authfd.c packet.c] |
| needed casts (always will be needed) |
| - deraadt@cvs.openbsd.org 2006/03/25 18:30:55 |
| [clientloop.c serverloop.c] |
| spacing |
| - deraadt@cvs.openbsd.org 2006/03/25 18:36:15 |
| [sshlogin.c sshlogin.h] |
| nicer size_t and time_t types |
| - deraadt@cvs.openbsd.org 2006/03/25 18:40:14 |
| [ssh-keygen.c] |
| cast strtonum() result to right type |
| - deraadt@cvs.openbsd.org 2006/03/25 18:41:45 |
| [ssh-agent.c] |
| mark two more signal handlers ARGSUSED |
| - deraadt@cvs.openbsd.org 2006/03/25 18:43:30 |
| [channels.c] |
| use strtonum() instead of atoi() [limit X screens to 400, sorry] |
| - deraadt@cvs.openbsd.org 2006/03/25 18:56:55 |
| [bufaux.c channels.c packet.c] |
| remove (char *) casts to a function that accepts void * for the arg |
| - deraadt@cvs.openbsd.org 2006/03/25 18:58:10 |
| [channels.c] |
| delete cast not required |
| - djm@cvs.openbsd.org 2006/03/25 22:22:43 |
| [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h] |
| [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h] |
| [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h] |
| [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c] |
| [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h] |
| [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h] |
| [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h] |
| [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h] |
| [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h] |
| [ttymodes.h uidswap.h uuencode.h xmalloc.h] |
| standardise spacing in $OpenBSD$ tags; requested by deraadt@ |
| - deraadt@cvs.openbsd.org 2006/03/26 01:31:48 |
| [uuencode.c] |
| typo |
| |
| 20060325 |
| - OpenBSD CVS Sync |
| - djm@cvs.openbsd.org 2006/03/16 04:24:42 |
| [ssh.1] |
| Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs |
| that OpenSSH supports |
| - deraadt@cvs.openbsd.org 2006/03/19 18:51:18 |
| [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c] |
| [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c] |
| [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c] |
| [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c] |
| [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c] |
| [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c] |
| [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] |
| [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c] |
| [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c] |
| [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c] |
| [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c] |
| [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c] |
| [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c] |
| [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c] |
| [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c] |
| [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] |
| [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] |
| [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] |
| [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c] |
| [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c] |
| [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c] |
| [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c] |
| [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c] |
| RCSID() can die |
| - deraadt@cvs.openbsd.org 2006/03/19 18:53:12 |
| [kex.h myproposal.h] |
| spacing |
| - djm@cvs.openbsd.org 2006/03/20 04:07:22 |
| [auth2-gss.c] |
| GSSAPI related leaks detected by Coverity via elad AT netbsd.org; |
| reviewed by simon AT sxw.org.uk; deraadt@ ok |
| - djm@cvs.openbsd.org 2006/03/20 04:07:49 |
| [gss-genr.c] |
| more GSSAPI related leaks detected by Coverity via elad AT netbsd.org; |
| reviewed by simon AT sxw.org.uk; deraadt@ ok |
| - djm@cvs.openbsd.org 2006/03/20 04:08:18 |
| [gss-serv.c] |
| last lot of GSSAPI related leaks detected by Coverity via |
| elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok |
| - deraadt@cvs.openbsd.org 2006/03/20 18:14:02 |
| [monitor_wrap.h sshpty.h] |
| sprinkle u_int throughout pty subsystem, ok markus |
| - deraadt@cvs.openbsd.org 2006/03/20 18:26:55 |
| [session.h] |
| annoying spacing fixes getting in the way of real diffs |
| - deraadt@cvs.openbsd.org 2006/03/20 18:41:43 |
| [dns.c] |
| cast xstrdup to propert u_char * |
| - jakob@cvs.openbsd.org 2006/03/22 21:16:24 |
| [ssh.1] |
| simplify SSHFP example; ok jmc@ |
| - djm@cvs.openbsd.org 2006/03/22 21:27:15 |
| [deattack.c deattack.h] |
| remove IV support from the CRC attack detector, OpenSSH has never used |
| it - it only applied to IDEA-CFB, which we don't support. |
| prompted by NetBSD Coverity report via elad AT netbsd.org; |
| feedback markus@ "nuke it" deraadt@ |
| |
| 20060318 |
| - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via |
| elad AT NetBSD.org |
| - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take |
| a LLONG rather than a long. Fixes scp'ing of large files on platforms |
| with missing/broken snprintfs. Patch from e.borovac at bom.gov.au. |
| |
| 20060316 |
| - (dtucker) [entropy.c] Add headers for WIFEXITED and friends. |
| - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in |
| /usr/include/crypto. Hint from djm@. |
| - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h] |
| Disable sha256 when openssl < 0.9.7. Patch from djm@. |
| - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old |
| OpenSSL; ok tim |
| |
| 20060315 |
| - (djm) OpenBSD CVS Sync: |
| - msf@cvs.openbsd.org 2006/02/06 15:54:07 |
| [ssh.1] |
| - typo fix |
| ok jmc@ |
| - jmc@cvs.openbsd.org 2006/02/06 21:44:47 |
| [ssh.1] |
| make this a little less ambiguous... |
| - stevesk@cvs.openbsd.org 2006/02/07 01:08:04 |
| [auth-rhosts.c includes.h] |
| move #include <netgroup.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/07 01:18:09 |
| [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c] |
| move #include <sys/queue.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/07 01:42:00 |
| [channels.c clientloop.c clientloop.h includes.h packet.h] |
| [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c] |
| move #include <termios.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/07 01:52:50 |
| [sshtty.c] |
| "log.h" not needed |
| - stevesk@cvs.openbsd.org 2006/02/07 03:47:05 |
| [hostfile.c] |
| "packet.h" not needed |
| - stevesk@cvs.openbsd.org 2006/02/07 03:59:20 |
| [deattack.c] |
| duplicate #include |
| - stevesk@cvs.openbsd.org 2006/02/08 12:15:27 |
| [auth.c clientloop.c includes.h misc.c monitor.c readpass.c] |
| [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c] |
| [sshd.c sshpty.c] |
| move #include <paths.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/08 12:32:49 |
| [includes.h misc.c] |
| move #include <netinet/tcp.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/08 13:15:44 |
| [gss-serv.c monitor.c] |
| small KNF |
| - stevesk@cvs.openbsd.org 2006/02/08 14:16:59 |
| [sshconnect.c] |
| <openssl/bn.h> not needed |
| - stevesk@cvs.openbsd.org 2006/02/08 14:31:30 |
| [includes.h ssh-agent.c ssh-keyscan.c ssh.c] |
| move #include <sys/resource.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/08 14:38:18 |
| [includes.h packet.c] |
| move #include <netinet/in_systm.h> and <netinet/ip.h> out of |
| includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/08 23:51:24 |
| [includes.h scp.c sftp-glob.c sftp-server.c] |
| move #include <dirent.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/09 00:32:07 |
| [includes.h] |
| #include <sys/endian.h> not needed; ok djm@ |
| NB. ID Sync only - we still need this (but it may move later) |
| - jmc@cvs.openbsd.org 2006/02/09 10:10:47 |
| [sshd.8] |
| - move some text into a CAVEATS section |
| - merge the COMMAND EXECUTION... section into AUTHENTICATION |
| - stevesk@cvs.openbsd.org 2006/02/10 00:27:13 |
| [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c] |
| [ssh.c sshd.c sshpty.c] |
| move #include <sys/ioctl.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/10 01:44:27 |
| [includes.h monitor.c readpass.c scp.c serverloop.c session.c] |
| [sftp.c sshconnect.c sshconnect2.c sshd.c] |
| move #include <sys/wait.h> out of includes.h; ok markus@ |
| - otto@cvs.openbsd.org 2006/02/11 19:31:18 |
| [atomicio.c] |
| type correctness; from Ray Lai in PR 5011; ok millert@ |
| - djm@cvs.openbsd.org 2006/02/12 06:45:34 |
| [ssh.c ssh_config.5] |
| add a %l expansion code to the ControlPath, which is filled in with the |
| local hostname at runtime. Requested by henning@ to avoid some problems |
| with /home on NFS; ok dtucker@ |
| - djm@cvs.openbsd.org 2006/02/12 10:44:18 |
| [readconf.c] |
| raise error when the user specifies a RekeyLimit that is smaller than 16 |
| (the smallest of our cipher's blocksize) or big enough to cause integer |
| wraparound; ok & feedback dtucker@ |
| - jmc@cvs.openbsd.org 2006/02/12 10:49:44 |
| [ssh_config.5] |
| slight rewording; ok djm |
| - jmc@cvs.openbsd.org 2006/02/12 10:52:41 |
| [sshd.8] |
| rework the description of authorized_keys a little; |
| - jmc@cvs.openbsd.org 2006/02/12 17:57:19 |
| [sshd.8] |
| sort the list of options permissable w/ authorized_keys; |
| ok djm dtucker |
| - jmc@cvs.openbsd.org 2006/02/13 10:16:39 |
| [sshd.8] |
| no need to subsection the authorized_keys examples - instead, convert |
| this to look like an actual file. also use proto 2 keys, and use IETF |
| example addresses; |
| - jmc@cvs.openbsd.org 2006/02/13 10:21:25 |
| [sshd.8] |
| small tweaks for the ssh_known_hosts section; |
| - jmc@cvs.openbsd.org 2006/02/13 11:02:26 |
| [sshd.8] |
| turn this into an example ssh_known_hosts file; ok djm |
| - jmc@cvs.openbsd.org 2006/02/13 11:08:43 |
| [sshd.8] |
| - avoid nasty line split |
| - `*' does not need to be escaped |
| - jmc@cvs.openbsd.org 2006/02/13 11:27:25 |
| [sshd.8] |
| sort FILES and use a -compact list; |
| - david@cvs.openbsd.org 2006/02/15 05:08:24 |
| [sftp-client.c] |
| typo in comment; ok djm@ |
| - jmc@cvs.openbsd.org 2006/02/15 16:53:20 |
| [ssh.1] |
| remove the IETF draft references and replace them with some updated RFCs; |
| - jmc@cvs.openbsd.org 2006/02/15 16:55:33 |
| [sshd.8] |
| remove ietf draft references; RFC list now maintained in ssh.1; |
| - jmc@cvs.openbsd.org 2006/02/16 09:05:34 |
| [sshd.8] |
| sync some of the FILES entries w/ ssh.1; |
| - jmc@cvs.openbsd.org 2006/02/19 19:52:10 |
| [sshd.8] |
| move the sshrc stuff out of FILES, and into its own section: |
| FILES is not a good place to document how stuff works; |
| - jmc@cvs.openbsd.org 2006/02/19 20:02:17 |
| [sshd.8] |
| sync the (s)hosts.equiv FILES entries w/ those from ssh.1; |
| - jmc@cvs.openbsd.org 2006/02/19 20:05:00 |
| [sshd.8] |
| grammar; |
| - jmc@cvs.openbsd.org 2006/02/19 20:12:25 |
| [ssh_config.5] |
| add some vertical space; |
| - stevesk@cvs.openbsd.org 2006/02/20 16:36:15 |
| [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c] |
| move #include <sys/un.h> out of includes.h; ok djm@ |
| - stevesk@cvs.openbsd.org 2006/02/20 17:02:44 |
| [clientloop.c includes.h monitor.c progressmeter.c scp.c] |
| [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c] |
| move #include <signal.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/20 17:19:54 |
| [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c] |
| [authfile.c clientloop.c includes.h readconf.c scp.c session.c] |
| [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c] |
| [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c] |
| [sshconnect2.c sshd.c sshpty.c] |
| move #include <sys/stat.h> out of includes.h; ok markus@ |
| - stevesk@cvs.openbsd.org 2006/02/22 00:04:45 |
| [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c] |
| [sshconnect.c] |
| move #include <ctype.h> out of includes.h; ok djm@ |
| - jmc@cvs.openbsd.org 2006/02/24 10:25:14 |
| [ssh_config.5] |
| add section on patterns; |
| from dtucker + myself |
| - jmc@cvs.openbsd.org 2006/02/24 10:33:54 |
| [sshd_config.5] |
| signpost to PATTERNS; |
| - jmc@cvs.openbsd.org 2006/02/24 10:37:07 |
| [ssh_config.5] |
| tidy up the refs to PATTERNS; |
| - jmc@cvs.openbsd.org 2006/02/24 10:39:52 |
| [sshd.8] |
| signpost to PATTERNS section; |
| - jmc@cvs.openbsd.org 2006/02/24 20:22:16 |
| [ssh-keysign.8 ssh_config.5 sshd_config.5] |
| some consistency fixes; |
| - jmc@cvs.openbsd.org 2006/02/24 20:31:31 |
| [ssh.1 ssh_config.5 sshd.8 sshd_config.5] |
| more consistency fixes; |
| - jmc@cvs.openbsd.org 2006/02/24 23:20:07 |
| [ssh_config.5] |
| some grammar/wording fixes; |
| - jmc@cvs.openbsd.org 2006/02/24 23:43:57 |
| [sshd_config.5] |
| some grammar/wording fixes; |
| - jmc@cvs.openbsd.org 2006/02/24 23:51:17 |
| [sshd_config.5] |
| oops - bits i missed; |
| - jmc@cvs.openbsd.org 2006/02/25 12:26:17 |
| [ssh_config.5] |
| document the possible values for KbdInteractiveDevices; |
| help/ok dtucker |
| - jmc@cvs.openbsd.org 2006/02/25 12:28:34 |
| [sshd_config.5] |
| document the order in which allow/deny directives are processed; |
| help/ok dtucker |
| - jmc@cvs.openbsd.org 2006/02/26 17:17:18 |
| [ssh_config.5] |
| move PATTERNS to the end of the main body; requested by dtucker |
| - jmc@cvs.openbsd.org 2006/02/26 18:01:13 |
| [sshd_config.5] |
| subsection is pointless here; |
| - jmc@cvs.openbsd.org 2006/02/26 18:03:10 |
| [ssh_config.5] |
| comma; |
| - djm@cvs.openbsd.org 2006/02/28 01:10:21 |
| [session.c] |
| fix logout recording when privilege separation is disabled, analysis and |
| patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@ |
| NB. ID sync only - patch already in portable |
| - djm@cvs.openbsd.org 2006/03/04 04:12:58 |
| [serverloop.c] |
| move a debug() outside of a signal handler; ok markus@ a little while back |
| - djm@cvs.openbsd.org 2006/03/12 04:23:07 |
| [ssh.c] |
| knf nit |
| - djm@cvs.openbsd.org 2006/03/13 08:16:00 |
| [sshd.c] |
| don't log that we are listening on a socket before the listen() call |
| actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@ |
| - dtucker@cvs.openbsd.org 2006/03/13 08:33:00 |
| [packet.c] |
| Set TCP_NODELAY for all connections not just "interactive" ones. Fixes |
| poor performance and protocol stalls under some network conditions (mindrot |
| bugs #556 and #981). Patch originally from markus@, ok djm@ |
| - dtucker@cvs.openbsd.org 2006/03/13 08:43:16 |
| [ssh-keygen.c] |
| Make ssh-keygen handle CR and CRLF line termination when converting IETF |
| format keys, in adition to vanilla LF. mindrot #1157, tested by Chris |
| Pepper, ok djm@ |
| - dtucker@cvs.openbsd.org 2006/03/13 10:14:29 |
| [misc.c ssh_config.5 sshd_config.5] |
| Allow config directives to contain whitespace by surrounding them by double |
| quotes. mindrot #482, man page help from jmc@, ok djm@ |
| - dtucker@cvs.openbsd.org 2006/03/13 10:26:52 |
| [authfile.c authfile.h ssh-add.c] |
| Make ssh-add check file permissions before attempting to load private |
| key files multiple times; it will fail anyway and this prevents confusing |
| multiple prompts and warnings. mindrot #1138, ok djm@ |
| - djm@cvs.openbsd.org 2006/03/14 00:15:39 |
| [canohost.c] |
| log the originating address and not just the name when a reverse |
| mapping check fails, requested by linux AT linuon.com |
| - markus@cvs.openbsd.org 2006/03/14 16:32:48 |
| [ssh_config.5 sshd_config.5] |
| *AliveCountMax applies to protcol v2 only; ok dtucker, djm |
| - djm@cvs.openbsd.org 2006/03/07 09:07:40 |
| [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] |
| Implement the diffie-hellman-group-exchange-sha256 key exchange method |
| using the SHA256 code in libc (and wrapper to make it into an OpenSSL |
| EVP), interop tested against CVS PuTTY |
| NB. no portability bits committed yet |
| - (djm) [configure.ac defines.h kex.c md-sha256.c] |
| [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h] |
| [openbsd-compat/sha2.c] First stab at portability glue for SHA256 |
| KEX support, should work with libc SHA256 support or OpenSSL |
| EVP_sha256 if present |
| - (djm) [includes.h] Restore accidentally dropped netinet/in.h |
| - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files |
| - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present |
| - (djm) [regress/.cvsignore] Ignore Makefile here |
| - (djm) [loginrec.c] Need stat.h |
| - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with |
| system sha2.h |
| - (djm) [ssh-rand-helper.c] Needs a bunch of headers |
| - (djm) [ssh-agent.c] Restore dropped stat.h |
| - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out |
| SHA384, which we don't need and doesn't compile without tweaks |
| - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c] |
| [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c] |
| [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c] |
| [openbsd-compat/glob.c openbsd-compat/mktemp.c] |
| [openbsd-compat/readpassphrase.c] Lots of include fixes for |
| OpenSolaris |
| - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:" |
| - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some |
| includes removed from includes.h |
| - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE |
| - (djm) [includes.h] Put back paths.h, it is needed in defines.h |
| - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs |
| sys/ioctl.h for struct winsize. |
| - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD. |
| |
| 20060313 |
| - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) |
| since not all platforms support it. Instead, use internal equivalent while |
| computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf* |
| as it's no longer required. Tested by Bernhard Simon, ok djm@ |
| |
| 20060304 |
| - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a |
| file rather than directory, required as Cygwin will be importing lastlog(1). |
| Also tightens up permissions on the file. Patch from vinschen@redhat.com. |
| - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h |
| includes. Patch from gentoo.riverrat at gmail.com. |
| |
| 20060226 |
| - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY |
| patch from kraai at ftbfs.org. |
| |
| 20060223 |
| - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current |
| reality. Pointed out by tryponraj at gmail.com. |
| |
| 20060222 |
| - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only |
| compile in compat code if required. |
| |
| 20060221 |
| - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about |
| redefinition of SSLeay_add_all_algorithms. |
| |
| 20060220 |
| - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}] |
| Add optional enabling of OpenSSL's (hardware) Engine support, via |
| configure --with-ssl-engine. Based in part on a diff by michal at |
| logix.cz. |
| |
| 20060219 |
| - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/] |
| Add first attempt at regress tests for compat library. ok djm@ |
| |
| 20060214 |
| - (tim) [buildpkg.sh.in] Make the names consistent. |
| s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@ |
| |
| 20060212 |
| - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned |
| to silence compiler warning, from vinschen at redhat.com. |
| - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX. |
| - (dtucker) [README version.h contrib/caldera/openssh.spec |
| contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version |
| strings to match 4.3p2 release. |
| |
| 20060208 |
| - (tim) [session.c] Logout records were not updated on systems with |
| post auth privsep disabled due to bug 1086 changes. Analysis and patch |
| by vinschen at redhat.com. OK tim@, dtucker@. |
| - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP |
| -> NEED_SETPGRP), reported by Bernhard Simon. ok tim@ |
| |
| 20060206 |
| - (tim) [configure.ac] Remove unnecessary tests for net/if.h and |
| netinet/in_systm.h. OK dtucker@. |
| |
| 20060205 |
| - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test |
| for Solaris. OK dtucker@. |
| - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by |
| kraai at ftbfs.org. |
| |
| 20060203 |
| - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first |
| AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run |
| by a platform specific check, builtin standard includes tests will be |
| skipped on the other platforms. |
| Analysis and suggestion by vinschen at redhat.com, patch by dtucker@. |
| OK tim@, djm@. |
| |
| 20060202 |
| - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it |
| works with picky compilers. Patch from alex.kiernan at thus.net. |
| |
| 20060201 |
| - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to |
| determine the user's login name - needed for regress tests on Solaris |
| 10 and OpenSolaris |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2006/02/01 09:06:50 |
| [sshd.8] |
| - merge sections on protocols 1 and 2 into a single section |
| - remove configuration file section |
| ok markus |
| - jmc@cvs.openbsd.org 2006/02/01 09:11:41 |
| [sshd.8] |
| small tweak; |
| - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
| [contrib/suse/openssh.spec] Update versions ahead of release |
| - markus@cvs.openbsd.org 2006/02/01 11:27:22 |
| [version.h] |
| openssh 4.3 |
| - (djm) Release OpenSSH 4.3p1 |
| |
| 20060131 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2006/01/20 11:21:45 |
| [ssh_config.5] |
| - word change, agreed w/ markus |
| - consistency fixes |
| - jmc@cvs.openbsd.org 2006/01/25 09:04:34 |
| [sshd.8] |
| move the options description up the page, and a few additional tweaks |
| whilst in here; |
| ok markus |
| - jmc@cvs.openbsd.org 2006/01/25 09:07:22 |
| [sshd.8] |
| move subsections to full sections; |
| - jmc@cvs.openbsd.org 2006/01/26 08:47:56 |
| [ssh.1] |
| add a section on verifying host keys in dns; |
| written with a lot of help from jakob; |
| feedback dtucker/markus; |
| ok markus |
| - reyk@cvs.openbsd.org 2006/01/30 12:22:22 |
| [channels.c] |
| mark channel as write failed or dead instead of read failed on error |
| of the channel output filter. |
| ok markus@ |
| - jmc@cvs.openbsd.org 2006/01/30 13:37:49 |
| [ssh.1] |
| remove an incorrect sentence; |
| reported by roumen petrov; |
| ok djm markus |
| - djm@cvs.openbsd.org 2006/01/31 10:19:02 |
| [misc.c misc.h scp.c sftp.c] |
| fix local arbitrary command execution vulnerability on local/local and |
| remote/remote copies (CVE-2006-0225, bz #1094), patch by |
| t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@ |
| - djm@cvs.openbsd.org 2006/01/31 10:35:43 |
| [scp.c] |
| "scp a b c" shouldn't clobber "c" when it is not a directory, report and |
| fix from biorn@; ok markus@ |
| - (djm) Sync regress tests to OpenBSD: |
| - dtucker@cvs.openbsd.org 2005/03/10 10:20:39 |
| [regress/forwarding.sh] |
| Regress test for ClearAllForwardings (bz #994); ok markus@ |
| - dtucker@cvs.openbsd.org 2005/04/25 09:54:09 |
| [regress/multiplex.sh] |
| Don't call cleanup in multiplex as test-exec will cleanup anyway |
| found by tim@, ok djm@ |
| NB. ID sync only, we already had this |
| - djm@cvs.openbsd.org 2005/05/20 23:14:15 |
| [regress/test-exec.sh] |
| force addressfamily=inet for tests, unbreaking dynamic-forward regress for |
| recently committed nc SOCKS5 changes |
| - djm@cvs.openbsd.org 2005/05/24 04:10:54 |
| [regress/try-ciphers.sh] |
| oops, new arcfour modes here too |
| - markus@cvs.openbsd.org 2005/06/30 11:02:37 |
| [regress/scp.sh] |
| allow SUDO=sudo; from Alexander Bluhm |
| - grunk@cvs.openbsd.org 2005/11/14 21:25:56 |
| [regress/agent-getpeereid.sh] |
| all other scripts in this dir use $SUDO, not 'sudo', so pull this even |
| ok markus@ |
| - dtucker@cvs.openbsd.org 2005/12/14 04:36:39 |
| [regress/scp-ssh-wrapper.sh] |
| Fix assumption about how many args scp will pass; ok djm@ |
| NB. ID sync only, we already had this |
| - djm@cvs.openbsd.org 2006/01/27 06:49:21 |
| [scp.sh] |
| regress test for local to local scp copies; ok dtucker@ |
| - djm@cvs.openbsd.org 2006/01/31 10:23:23 |
| [scp.sh] |
| regression test for CVE-2006-0225 written by dtucker@ |
| - djm@cvs.openbsd.org 2006/01/31 10:36:33 |
| [scp.sh] |
| regress test for "scp a b c" where "c" is not a directory |
| |
| 20060129 |
| - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the |
| opensshd.init script interpretter if /sbin/sh does not exist. ok tim@ |
| |
| 20060120 |
| - (dtucker) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2006/01/15 17:37:05 |
| [ssh.1] |
| correction from deraadt |
| - jmc@cvs.openbsd.org 2006/01/18 10:53:29 |
| [ssh.1] |
| add a section on ssh-based vpn, based on reyk's README.tun; |
| - dtucker@cvs.openbsd.org 2006/01/20 00:14:55 |
| [scp.1 ssh.1 ssh_config.5 sftp.1] |
| Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot |
| #1056 with feedback from jmc, djm and markus; ok jmc@ djm@ |
| |
| 20060114 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2006/01/06 13:27:32 |
| [ssh.1] |
| weed out some duplicate info in the known_hosts FILES entries; |
| ok djm |
| - jmc@cvs.openbsd.org 2006/01/06 13:29:10 |
| [ssh.1] |
| final round of whacking FILES for duplicate info, and some consistency |
| fixes; |
| ok djm |
| - jmc@cvs.openbsd.org 2006/01/12 14:44:12 |
| [ssh.1] |
| split sections on tcp and x11 forwarding into two sections. |
| add an example in the tcp section, based on sth i wrote for ssh faq; |
| help + ok: djm markus dtucker |
| - jmc@cvs.openbsd.org 2006/01/12 18:48:48 |
| [ssh.1] |
| refer to `TCP' rather than `TCP/IP' in the context of connection |
| forwarding; |
| ok markus |
| - jmc@cvs.openbsd.org 2006/01/12 22:20:00 |
| [sshd.8] |
| refer to TCP forwarding, rather than TCP/IP forwarding; |
| - jmc@cvs.openbsd.org 2006/01/12 22:26:02 |
| [ssh_config.5] |
| refer to TCP forwarding, rather than TCP/IP forwarding; |
| - jmc@cvs.openbsd.org 2006/01/12 22:34:12 |
| [ssh.1] |
| back out a sentence - AUTHENTICATION already documents this; |
| |
| 20060109 |
| - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on |
| tcpip service so it's always started after IP is up. Patch from |
| vinschen at redhat.com. |
| |
| 20060106 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2006/01/03 16:31:10 |
| [ssh.1] |
| move FILES to a -compact list, and make each files an item in that list. |
| this avoids nastly line wrap when we have long pathnames, and treats |
| each file as a separate item; |
| remove the .Pa too, since it is useless. |
| - jmc@cvs.openbsd.org 2006/01/03 16:35:30 |
| [ssh.1] |
| use a larger width for the ENVIRONMENT list; |
| - jmc@cvs.openbsd.org 2006/01/03 16:52:36 |
| [ssh.1] |
| put FILES in some sort of order: sort by pathname |
| - jmc@cvs.openbsd.org 2006/01/03 16:55:18 |
| [ssh.1] |
| tweak the description of ~/.ssh/environment |
| - jmc@cvs.openbsd.org 2006/01/04 18:42:46 |
| [ssh.1] |
| chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES |
| entries; |
| ok markus |
| - jmc@cvs.openbsd.org 2006/01/04 18:45:01 |
| [ssh.1] |
| remove .Xr's to rsh(1) and telnet(1): they are hardly needed; |
| - jmc@cvs.openbsd.org 2006/01/04 19:40:24 |
| [ssh.1] |
| +.Xr ssh-keyscan 1 , |
| - jmc@cvs.openbsd.org 2006/01/04 19:50:09 |
| [ssh.1] |
| -.Xr gzip 1 , |
| - djm@cvs.openbsd.org 2006/01/05 23:43:53 |
| [misc.c] |
| check that stdio file descriptors are actually closed before clobbering |
| them in sanitise_stdfd(). problems occurred when a lower numbered fd was |
| closed, but higher ones weren't. spotted by, and patch tested by |
| Frédéric Olivié |
| |
| 20060103 |
| - (djm) [channels.c] clean up harmless merge error, from reyk@ |
| |
| 20060103 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2006/01/02 17:09:49 |
| [ssh_config.5 sshd_config.5] |
| some corrections from michael knudsen; |
| |
| 20060102 |
| - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2005/12/31 10:46:17 |
| [ssh.1] |
| merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER |
| AUTHENTICATION" sections into "AUTHENTICATION"; |
| some rewording done to make the text read better, plus some |
| improvements from djm; |
| ok djm |
| - jmc@cvs.openbsd.org 2005/12/31 13:44:04 |
| [ssh.1] |
| clean up ENVIRONMENT a little; |
| - jmc@cvs.openbsd.org 2005/12/31 13:45:19 |
| [ssh.1] |
| .Nm does not require an argument; |
| - stevesk@cvs.openbsd.org 2006/01/01 08:59:27 |
| [includes.h misc.c] |
| move <net/if.h>; ok djm@ |
| - stevesk@cvs.openbsd.org 2006/01/01 10:08:48 |
| [misc.c] |
| no trailing "\n" for debug() |
| - djm@cvs.openbsd.org 2006/01/02 01:20:31 |
| [sftp-client.c sftp-common.h sftp-server.c] |
| use a common max. packet length, no binary change |
| - reyk@cvs.openbsd.org 2006/01/02 07:53:44 |
| [misc.c] |
| clarify tun(4) opening - set the mode and bring the interface up. also |
| (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces. |
| suggested and ok by djm@ |
| - jmc@cvs.openbsd.org 2006/01/02 12:31:06 |
| [ssh.1] |
| start to cut some duplicate info from FILES; |
| help/ok djm |
| |
| 20060101 |
| - (djm) [Makefile.in configure.ac includes.h misc.c] |
| [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support |
| for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is |
| limited to IPv4 tunnels only, and most versions don't support the |
| tap(4) device at all. |
| - (djm) [configure.ac] Fix linux/if_tun.h test |
| - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too |
| |
| 20051229 |
| - (djm) OpenBSD CVS Sync |
| - stevesk@cvs.openbsd.org 2005/12/28 22:46:06 |
| [canohost.c channels.c clientloop.c] |
| use 'break-in' for consistency; ok deraadt@ ok and input jmc@ |
| - reyk@cvs.openbsd.org 2005/12/30 15:56:37 |
| [channels.c channels.h clientloop.c] |
| add channel output filter interface. |
| ok djm@, suggested by markus@ |
| - jmc@cvs.openbsd.org 2005/12/30 16:59:00 |
| [sftp.1] |
| do not suggest that interactive authentication will work |
| with the -b flag; |
| based on a diff from john l. scarfone; |
| ok djm |
| - stevesk@cvs.openbsd.org 2005/12/31 01:38:45 |
| [ssh.1] |
| document -MM; ok djm@ |
| - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac] |
| [serverloop.c ssh.c openbsd-compat/Makefile.in] |
| [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding |
| compatability support for Linux, diff from reyk@ |
| - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does |
| not exist |
| - (djm) [configure.ac] oops, make that linux/if_tun.h |
| |
| 20051229 |
| - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd |
| |
| 20051224 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2005/12/20 21:59:43 |
| [ssh.1] |
| merge the sections on protocols 1 and 2 into one section on |
| authentication; |
| feedback djm dtucker |
| ok deraadt markus dtucker |
| - jmc@cvs.openbsd.org 2005/12/20 22:02:50 |
| [ssh.1] |
| .Ss -> .Sh: subsections have not made this page more readable |
| - jmc@cvs.openbsd.org 2005/12/20 22:09:41 |
| [ssh.1] |
| move info on ssh return values and config files up into the main |
| description; |
| - jmc@cvs.openbsd.org 2005/12/21 11:48:16 |
| [ssh.1] |
| -L and -R descriptions are now above, not below, ~C description; |
| - jmc@cvs.openbsd.org 2005/12/21 11:57:25 |
| [ssh.1] |
| options now described `above', rather than `later'; |
| - jmc@cvs.openbsd.org 2005/12/21 12:53:31 |
| [ssh.1] |
| -Y does X11 forwarding too; |
| ok markus |
| - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 |
| [sshd.8] |
| clarify precedence of -p, Port, ListenAddress; ok and help jmc@ |
| - jmc@cvs.openbsd.org 2005/12/22 10:31:40 |
| [ssh_config.5] |
| put the description of "UsePrivilegedPort" in the correct place; |
| - jmc@cvs.openbsd.org 2005/12/22 11:23:42 |
| [ssh.1] |
| expand the description of -w somewhat; |
| help/ok reyk |
| - jmc@cvs.openbsd.org 2005/12/23 14:55:53 |
| [ssh.1] |
| - sync the description of -e w/ synopsis |
| - simplify the description of -I |
| - note that -I is only available if support compiled in, and that it |
| isn't by default |
| feedback/ok djm@ |
| - jmc@cvs.openbsd.org 2005/12/23 23:46:23 |
| [ssh.1] |
| less mark up for -c; |
| - djm@cvs.openbsd.org 2005/12/24 02:27:41 |
| [session.c sshd.c] |
| eliminate some code duplicated in privsep and non-privsep paths, and |
| explicitly clear SIGALRM handler; "groovy" deraadt@ |
| |
| 20051220 |
| - (dtucker) OpenBSD CVS Sync |
| - reyk@cvs.openbsd.org 2005/12/13 15:03:02 |
| [serverloop.c] |
| if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY |
| - jmc@cvs.openbsd.org 2005/12/16 18:07:08 |
| [ssh.1] |
| move the option descriptions up the page: start of a restructure; |
| ok markus deraadt |
| - jmc@cvs.openbsd.org 2005/12/16 18:08:53 |
| [ssh.1] |
| simplify a sentence; |
| - jmc@cvs.openbsd.org 2005/12/16 18:12:22 |
| [ssh.1] |
| make the description of -c a little nicer; |
| - jmc@cvs.openbsd.org 2005/12/16 18:14:40 |
| [ssh.1] |
| signpost the protocol sections; |
| - stevesk@cvs.openbsd.org 2005/12/17 21:13:05 |
| [ssh_config.5 session.c] |
| spelling: fowarding, fowarded |
| - stevesk@cvs.openbsd.org 2005/12/17 21:36:42 |
| [ssh_config.5] |
| spelling: intented -> intended |
| - dtucker@cvs.openbsd.org 2005/12/20 04:41:07 |
| [ssh.c] |
| exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@ |
| |
| 20051219 |
| - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac |
| openbsd-compat/openssl-compat.h] Check for and work around broken AES |
| ciphers >128bit on (some) Solaris 10 systems. ok djm@ |
| |
| 20051217 |
| - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which |
| scp.c also uses, so undef them here. |
| - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our |
| snprintf replacement can have a conflicting declaration in HP-UX's system |
| headers (const vs. no const) so we now check for and work around it. Patch |
| from the dynamic duo of David Leonard and Ted Percival. |
| |
| 20051214 |
| - (dtucker) OpenBSD CVS Sync (regress/) |
| - dtucker@cvs.openbsd.org 2005/12/30 04:36:39 |
| [regress/scp-ssh-wrapper.sh] |
| Fix assumption about how many args scp will pass; ok djm@ |
| |
| 20051213 |
| - (djm) OpenBSD CVS Sync |
| - jmc@cvs.openbsd.org 2005/11/30 11:18:27 |
| [ssh.1] |
| timezone -> time zone |
| - jmc@cvs.openbsd.org 2005/11/30 11:45:20 |
| [ssh.1] |
| avoid ambiguities in describing TZ; |
| ok djm@ |
| - reyk@cvs.openbsd.org 2005/12/06 22:38:28 |
| [auth-options.c auth-options.h channels.c channels.h clientloop.c] |
| [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] |
| [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] |
| [sshconnect.h sshd.8 sshd_config sshd_config.5] |
| Add support for tun(4) forwarding over OpenSSH, based on an idea and |
| initial channel code bits by markus@. This is a simple and easy way to |
| use OpenSSH for ad hoc virtual private network connections, e.g. |
| administrative tunnels or secure wireless access. It's based on a new |
| ssh channel and works similar to the existing TCP forwarding support, |
| except that it depends on the tun(4) network interface on both ends of |
| the connection for layer 2 or layer 3 tunneling. This diff also adds |
| support for LocalCommand in the ssh(1) client. |
| ok djm@, markus@, jmc@ (manpages), tested and discussed with others |
| - djm@cvs.openbsd.org 2005/12/07 03:52:22 |
| [clientloop.c] |
| reyk forgot to compile with -Werror (missing header) |
| - jmc@cvs.openbsd.org 2005/12/07 10:52:13 |
| [ssh.1] |
| - avoid line split in SYNOPSIS |
| - add args to -w |
| - kill trailing whitespace |
| - jmc@cvs.openbsd.org 2005/12/08 14:59:44 |
| [ssh.1 ssh_config.5] |
| make `!command' a little clearer; |
| ok reyk |
| - jmc@cvs.openbsd.org 2005/12/08 15:06:29 |
| [ssh_config.5] |
| keep options in order; |
| - reyk@cvs.openbsd.org 2005/12/08 18:34:11 |
| [auth-options.c includes.h misc.c misc.h readconf.c servconf.c] |
| [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac] |
| two changes to the new ssh tunnel support. this breaks compatibility |
| with the initial commit but is required for a portable approach. |
| - make the tunnel id u_int and platform friendly, use predefined types. |
| - support configuration of layer 2 (ethernet) or layer 3 |
| (point-to-point, default) modes. configuration is done using the |
| Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and |
| restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option |
| in sshd_config(5). |
| ok djm@, man page bits by jmc@ |
| - jmc@cvs.openbsd.org 2005/12/08 21:37:50 |
| [ssh_config.5] |
| new sentence, new line; |
| - markus@cvs.openbsd.org 2005/12/12 13:46:18 |
| [channels.c channels.h session.c] |
| make sure protocol messages for internal channels are ignored. |
| allow adjust messages for non-open channels; with and ok djm@ |
| - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable |
| again by providing a sys_tun_open() function for your platform and |
| setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match |
| OpenBSD's tunnel protocol, which prepends the address family to the |
| packet |
| |
| 20051201 |
| - (djm) [envpass.sh] Remove regress script that was accidentally committed |
| in top level directory and not noticed for over a year :) |
| |
| 20051129 |
| - (tim) [ssh-keygen.c] Move DSA length test after setting default when |
| bits == 0. |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2005/11/29 02:04:55 |
| [ssh-keygen.c] |
| Populate default key sizes before checking them; from & ok tim@ |
| - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string) |
| for UnixWare. |
| |
| 20051128 |
| - (dtucker) [regress/yes-head.sh] Work around breakage caused by some |
| versions of GNU head. Based on patch from zappaman at buraphalinux.org |
| - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use |
| _GNU_SOURCE instead. Patch from t8m at centrum.cz. |
| - (dtucker) OpenBSD CVS Sync |
| - dtucker@cvs.openbsd.org 2005/11/28 05:16:53 |
| [ssh-keygen.1 ssh-keygen.c] |
| Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2, |
| increase minumum RSA key size to 768 bits and update man page to reflect |
| these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com), |
| ok djm@, grudging ok deraadt@. |
| - dtucker@cvs.openbsd.org 2005/11/28 06:02:56 |
| [ssh-agent.1] |
| Update agent socket path templates to reflect reality, correct xref for |
| time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@ |
| |
| 20051126 |
| - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer, |
| when they're available) need the real UID set otherwise pam_chauthtok will |
| set ADMCHG after changing the password, forcing the user to change it |
| again immediately. |
| |
| 20051125 |
| - (dtucker) [configure.ac] Apply tim's fix for older systems where the |
| resolver state in resolv.h is "state" not "__res_state". With slight |
| modification by me to also work on old AIXes. ok djm@ |
| - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for |
| snprintf formats, fixes warnings on some 64 bit platforms. Patch from |
| shaw at vranix.com, ok djm@ |
| |
| 20051124 |
| - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c |
| openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an |
| asprintf() implementation, after syncing our {v,}snprintf() implementation |
| with some extra fixes from Samba's version. With help and debugging from |
| dtucker and tim; ok dtucker@ |
| - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument |
| order in Reliant Unix block. Patch from johane at lysator.liu.se. |
| - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so |
| many and use them only once. Speeds up testing on older/slower hardware. |
| |
| 20051122 |
| - (dtucker) OpenBSD CVS Sync |
| - deraadt@cvs.openbsd.org 2005/11/12 18:37:59 |
| [ssh-add.c] |
| space |
| - deraadt@cvs.openbsd.org 2005/11/12 18:38:15 |
| [scp.c] |
| avoid close(-1), as in rcp; ok cloder |
| - millert@cvs.openbsd.org 2005/11/15 11:59:54 |
| [includes.h] |
| Include sys/queue.h explicitly instead of assuming some other header |
| will pull it in. At the moment it gets pulled in by sys/select.h |
| (which ssh has no business including) via event.h. OK markus@ |
| (ID sync only in -portable) |
| - dtucker@cvs.openbsd.org 2005/11/21 09:42:10 |
| [auth-krb5.c] |
| Perform Kerberos calls even for invalid users to prevent leaking |
| information about account validity. bz #975, patch originally from |
| Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, |
| ok markus@ |
| - dtucker@cvs.openbsd.org 2005/11/22 03:36:03 |
| [hostfile.c] |
| Correct format/arguments to debug call; spotted by shaw at vranix.com |
| ok djm@ |
| - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch |
| from shaw at vranix.com. |
| |
| 20051120 |
| - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what |
| is going on. |
| |
| 20051112 |
| - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific |
| ifdef lost during sync. Spotted by tim@. |
| - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag. |
| - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test. |
| - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@ |
| - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure |
| test: if sshd takes too long to reconfigure the subsequent connection will |
| fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready. |
| |
| 20051110 |
| - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from |
| OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of |
| "register"). |
| - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove |
| unnecessary prototype. |
| - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c |
| revs 1.7 - 1.9. |
| - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path. |
| Patch from djm@. |
| - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+ |
| since they're not useful right now. Patch from djm@. |
| - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI |
| prototypes, removal of "register"). |
| - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal |
| of "register"). |
| - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to |
| after the copyright notices. Having them at the top next to the CVSIDs |
| guarantees a conflict for each and every sync. |
| - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10. |
| - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker. |
| - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7. |
| Removal of rcsid, "whiteout" inode type. |
| - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14. |
| Removal of rcsid, will no longer strlcpy parts of the string. |
| - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5. |
| - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7. |
| - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18. |
| - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5. |
| - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25. |
| - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9. |
| - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14. |
| - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up |
| with OpenBSD code since we don't support platforms without fstat any more. |
| - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9. |
| - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6. |
| - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7. |
| - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6. |
| - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6. |
| - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13. |
| - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19. |
| - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8. |
| - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker. |
| - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17. |
| - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4. |
| Id and copyright sync only, there were no substantial changes we need. |
| - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c] |
| -Wsign-compare fixes from djm. |
| - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3. |
| Id and copyright sync only, there were no substantial changes we need. |
| - (dtucker) [configure.ac] Try to get the gcc version number in a way that |
| doesn't change between versions, and use a safer default. |
| |
| 20051105 |
| - (djm) OpenBSD CVS Sync |
| - markus@cvs.openbsd.org 2005/10/07 11:13:57 |
| [ssh-keygen.c] |
| change DSA default back to 1024, as it's defined for 1024 bits only |
| and this causes interop problems with other clients. moreover, |
| in order to improve the security of DSA you need to change more |
| components of DSA key generation (e.g. the internal SHA1 hash); |
| ok deraadt |
| - djm@cvs.openbsd.org 2005/10/10 10:23:08 |
| [channels.c channels.h clientloop.c serverloop.c session.c] |
| fix regression I introduced in 4.2: X11 forwardings initiated after |
| a session has exited (e.g. "(sleep 5; xterm) &") would not start. |
| bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@ |
| - djm@cvs.openbsd.org 2005/10/11 23:37:37 |
| [channels.c] |
| bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing |
| bind() failure when a previous connection's listeners are in TIME_WAIT, |
| reported by plattner AT inf.ethz.ch; ok dtucker@ |
| - stevesk@cvs.openbsd.org 2005/10/13 14:03:01 |
| [auth2-gss.c gss-genr.c gss-serv.c] |
| remove unneeded #includes; ok markus@ |
| - stevesk@cvs.openbsd.org 2005/10/13 14:20:37 |
| [gss-serv.c] |
| spelling in comments |
| - stevesk@cvs.openbsd.org 2005/10/13 19:08:08 |
| [gss-serv-krb5.c gss-serv.c] |
| unused declarations; ok deraadt@ |
| (id sync only for gss-serv-krb5.c) |
| - stevesk@cvs.openbsd.org 2005/10/13 19:13:41 |
| [dns.c] |
| unneeded #include, unused declaration, little knf; ok deraadt@ |
| - stevesk@cvs.openbsd.org 2005/10/13 22:24:31 |
| [auth2-gss.c gss-genr.c gss-serv.c monitor.c] |
| KNF; ok djm@ |
| - stevesk@cvs.openbsd.org 2005/10/14 02:17:59 |
| [ssh-keygen.c ssh.c sshconnect2.c] |
| no trailing "\n" for log functions; ok djm@ |
| - stevesk@cvs.openbsd.org 2005/10/14 02:29:37 |
| [channels.c clientloop.c] |
| free()->xfree(); ok djm@ |
| - stevesk@cvs.openbsd.org 2005/10/15 15:28:12 |
| [sshconnect.c] |
| make external definition static; ok deraadt@ |
| - stevesk@cvs.openbsd.org 2005/10/17 13:45:05 |
| [dns.c] |
| fix memory leaks from 2 sources: |
| 1) key_fingerprint_raw() |
| 2) malloc in dns_read_rdata() |
| ok jakob@ |
| - stevesk@cvs.openbsd.org 2005/10/17 14:01:28 |
| [dns.c] |
| remove #ifdef LWRES; ok jakob@ |
| - stevesk@cvs.openbsd.org 2005/10/17 14:13:35 |
| [dns.c dns.h] |
| more cleanups; ok jakob@ |
| - djm@cvs.openbsd.org 2005/10/30 01:23:19 |
| [ssh_config.5] |
| mention control socket fallback behaviour, reported by |
| tryponraj AT gmail.com |
| - djm@cvs.openbsd.org 2005/10/30 04:01:03 |
| [ssh-keyscan.c] |
| make ssh-keygen discard junk from server before SSH- ident, spotted by |
| dave AT cirt.net; ok dtucker@ |
| - djm@cvs.openbsd.org 2005/10/30 04:03:24 |
| [ssh.c] |
| fix misleading debug message; ok dtucker@ |
| - dtucker@cvs.openbsd.org 2005/10/30 08:29:29 |
| [canohost.c sshd.c] |
| Check for connections with IP options earlier and drop silently. ok djm@ |
| - jmc@cvs.openbsd.org 2005/10/30 08:43:47 |
| [ssh_config.5] |
| remove trailing whitespace; |
| - djm@cvs.openbsd.org 2005/10/30 08:52:18 |
| [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c] |
| [ssh.c sshconnect.c sshconnect1.c sshd.c] |
| no need to escape single quotes in comments, no binary change |
| - dtucker@cvs.openbsd.org 2005/10/31 06:15:04 |
| [sftp.c] |
| Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@ |
| - djm@cvs.openbsd.org 2005/10/31 11:12:49 |
| [ssh-keygen.1 ssh-keygen.c] |
| generate a protocol 2 RSA key by default |
| - djm@cvs.openbsd.org 2005/10/31 11:48:29 |
| [serverloop.c] |
| make sure we clean up wtmp, etc. file when we receive a SIGTERM, |
| SIGINT or SIGQUIT when running without privilege separation (the |
| normal privsep case is already OK). Patch mainly by dtucker@ and |
| senthilkumar_sen AT hotpop.com; ok dtucker@ |
| - jmc@cvs.openbsd.org 2005/10/31 19:55:25 |
| [ssh-keygen.1] |
| grammar; |
| - dtucker@cvs.openbsd.org 2005/11/03 13:38:29 |
| [canohost.c] |
| Cache reverse lookups with and without DNS separately; ok markus@ |
| - djm@cvs.openbsd.org 2005/11/04 05:15:59 |
| [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] |
| remove hardcoded hash lengths in key exchange code, allowing |
| implementation of KEX methods with different hashes (e.g. SHA-256); |
| ok markus@ dtucker@ stevesk@ |
| - djm@cvs.openbsd.org 2005/11/05 05:01:15 |
| [bufaux.c] |
| Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT |
| cs.stanford.edu; ok dtucker@ |
| - (dtucker) [README.platform] Add PAM section. |
| - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version, |
| resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu; |
| ok dtucker@ |
| |
| 20051102 |
| - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). |
| Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net |
| via FreeBSD. |
| |
| 20051030 |
| - (djm) [contrib/suse/openssh.spec contrib/suse/rc. |
| sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init |
| files from imorgan AT nas.nasa.gov |
| - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is |
| enabled, instead allow PAM to handle it. Note that on platforms using PAM, |
| the pam_nologin module should be added to sshd's session stack in order to |
| maintain exising behaviour. Based on patch and discussion from t8m at |
| centrum.cz, ok djm@ |
| |
| 20051025 |
| - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the |
| sizeof(long long) checks, to make fixing bug #1104 easier (no changes |
| yet). |
| - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't |
| understand "%lld", even though the compiler has "long long", so handle |
| it as a special case. Patch tested by mcaskill.scott at epa.gov. |
| - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no |
| prompt. Patch from vinschen at redhat.com. |
| |
| 20051017 |
| - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling. |
| /etc/default/login report and testing from aabaker at iee.org, corrections |
| from tim@. |
| |
| 20051009 |
| - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current |
| versions from OpenBSD. ok djm@ |
| |
| 20051008 |
| - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from |
| brian.smith at agilent com. |
| - (djm) [configure.ac] missing 'test' call for -with-Werror test |
| |
| 20051005 |
| - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended |
| "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and |
| senthilkumar_sen at hotpop.com. |
| |
| 20051003 |
| - (dtucker) OpenBSD CVS Sync |
| - markus@cvs.openbsd.org 2005/09/07 08:53:53 |
| [channels.c] |
| enforce chanid != NULL; ok djm |
| - markus@cvs.openbsd.org 2005/09/09 19:18:05 |
| [clientloop.c] |
| typo; from mark at mcs.vuw.ac.nz, bug #1082 |
| - djm@cvs.openbsd.org 2005/09/13 23:40:07 |
| [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c |
| scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c] |
| ensure that stdio fds are attached; ok deraadt@ |
| - djm@cvs.openbsd.org 2005/09/19 11:37:34 |
| [ssh_config.5 ssh.1] |
| mention ability to specify bind_address for DynamicForward and -D options; |
| bz#1077 spotted by Haruyama Seigo |
| - djm@cvs.openbsd.org 2005/09/19 11:47:09 |
| [sshd.c] |
| stop connection abort on rekey with delayed compression enabled when |
| post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@ |
| - djm@cvs.openbsd.org 2005/09/19 11:48:10 |
| [gss-serv.c] |
| typo |
| - jmc@cvs.openbsd.org 2005/09/19 15:38:27 |
| [ssh.1] |
| some more .Bk/.Ek to avoid ugly line split; |
| - jmc@cvs.openbsd.org 2005/09/19 15:42:44 |
| [ssh.c] |
| update -D usage here too; |
| - djm@cvs.openbsd.org 2005/09/19 23:31:31 |
| [ssh.1] |
| spelling nit from stevesk@ |
| - djm@cvs.openbsd.org 2005/09/21 23:36:54 |
| [sshd_config.5] |
| aquire -> acquire, from stevesk@ |
| - djm@cvs.openbsd.org 2005/09/21 23:37:11 |
| [sshd.c] |
| change label at markus@'s request |
| - jaredy@cvs.openbsd.org 2005/09/30 20:34:26 |
| [ssh-keyscan.1] |
| deploy .An -nosplit; ok jmc |
| - dtucker@cvs.openbsd.org 2005/10/03 07:44:42 |
| [canohost.c] |
| Relocate check_ip_options call to prevent logging of garbage for |
| connections with IP options set. bz#1092 from David Leonard, |
| "looks good" deraadt@ |
| - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp |
| is required in the system path for the multiplex test to work. |
| |
| 20050930 |
| - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype |
| for strtoll. Patch from o.flebbe at science-computing.de. |
| - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep |
| child during PAM account check without clearing it. This restores the |
| post-login warnings such as LDAP password expiry. Patch from Tomas Mraz |
| with help from several others. |
| |
| 20050929 |
| - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg |
| introduced during sync. |
| |
| 20050928 |
| - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency. |
| - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from |
| PAM via keyboard-interactive. Patch tested by the folks at Vintela. |
| |
| 20050927 |
| - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid |
| calls, since they can't possibly fail. ok djm@ |
| - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed |
| process when sshd relies on ssh-random-helper. Should result in faster |
| logins on systems without a real random device or prngd. ok djm@ |
| |
| 20050924 |
| - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove |
| duplicate call. ok djm@ |
| |
| 20050922 |
| - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from |
| skeleten at shillest.net. |
| - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at |
| shillest.net. |
| |
| 20050919 |
| - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to |
| AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages. |
| ok dtucker@ |
| |
| 20050912 |
| - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by |
| Mike Frysinger. |
| |
| 20050908 |
| - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to |
| OpenServer 6 and add osr5bigcrypt support so when someone migrates |
| passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
| |
| $Id: ChangeLog,v 1.5180 2009/01/28 20:50:04 tim Exp $ |
| |