remove ChangeLog file

Commit logs will be generated from git at release time.

1 files changed, 0 insertions, 3818 deletions

diff --git a/ChangeLog b/ChangeLog
deleted file mode 100644
index 94e8dd47b..000000000
--- a/ChangeLog
+++ /dev/null
@@ -1,3818 +0,0 @@
-20131006
- - (djm) Release OpenSSH-6.7
-
-20141003
- - (djm) [sshd_config.5] typo; from Iain Morgan
-
-20141001
- - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c]
-   [openbsd-compat/openbsd-compat.h] Kludge around bad glibc
-   _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
-   ok dtucker@
-
-20140910
- - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;
-   patch from Felix von Leitner; ok dtucker
-
-20140908
- - (dtucker) [INSTALL] Update info about egd.  ok djm@
-
-20140904
- - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG
-
-20140903
- - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and
-   conditionalise to avoid duplicate definition.
- - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to
-   permissions/ACLs; from Corinna Vinschen
-
-20140830
- - (djm) [openbsd-compat/openssl-compat.h] add
-   OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
- - (djm) [misc.c] Missing newline between functions
- - (djm) [openbsd-compat/openssl-compat.h] add include guard
- - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@
-
-20140827
- - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
-   [regress/unittests/sshkey/common.c]
-   [regress/unittests/sshkey/test_file.c]
-   [regress/unittests/sshkey/test_fuzz.c]
-   [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h
-   on !ECC OpenSSL systems
- - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
-   monitor, not preauth; bz#2263
- - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()
-   using memset_s() where possible; improve fallback to indirect bzero
-   via a volatile pointer to give it more of a chance to avoid being
-   optimised away.
-
-20140825
- - (djm) [bufec.c] Skip this file on !ECC OpenSSL
- - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL,
-   update OpenSSL version requirement.
-
-20140824
- - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not
-   PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen
-
-20140823
- - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
-   lastlog writing on platforms with high UIDs; bz#2263
- - (djm) [configure.ac] We now require a working vsnprintf everywhere (not
-   just for systems that lack asprintf); check for it always and extend
-   test to catch more brokenness. Fixes builds on Solaris <= 9
-
-20140822
- - (djm) [configure.ac] include leading zero characters in OpenSSL version
-   number; fixes test for unsupported versions
- - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC
- - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/
-   definition mismatch) and warning for broken/missing snprintf case.
- - (djm) [configure.ac] double braces to appease autoconf
-
-20140821
- - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.
- - (djm) [key.h] Fix ifdefs for no-ECC OpenSSL
- - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that
-   don't set __progname. Diagnosed by Tom Christensen.
-
-20140820
- - (djm) [configure.ac] Check OpenSSL version is supported at configure time;
-   suggested by Kevin Brott
- - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than
-   -L/-l; fixes linking problems on some platforms
- - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC
- - (djm) [contrib/cygwin/README] Correct build instructions; from Corinna
-
-20140819
- - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen
- - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC.
- - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG
- - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README]
-   [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions
-   of TCP wrappers.
-
-20140811
- - (djm) [myproposal.h] Make curve25519 KEX dependent on
-   HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
-
-20140810
- - (djm) [README contrib/caldera/openssh.spec]
-   [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
-
-20140801
- - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need
-   a better solution, but this will have to do for now.
- - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin
-   is closed; avoid regress failures when stdin is /dev/null
- - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate
-   nc from stdin, it's more portable
-
-20140730
- - OpenBSD CVS Sync
-   - millert@cvs.openbsd.org 2014/07/24 22:57:10
-     [ssh.1]
-     Mention UNIX-domain socket forwarding too.  OK jmc@ deraadt@
-   - dtucker@cvs.openbsd.org 2014/07/25 21:22:03
-     [ssh-agent.c]
-     Clear buffer used for handling messages.  This prevents keys being
-     left in memory after they have been expired or deleted in some cases
-     (but note that ssh-agent is setgid so you would still need root to
-     access them).  Pointed out by Kevin Burns, ok deraadt
-   - schwarze@cvs.openbsd.org 2014/07/28 15:40:08
-     [sftp-server.8 sshd_config.5]
-     some systems no longer need /dev/log;
-     issue noticed by jirib;
-     ok deraadt
-
-20140725
- - (djm) [regress/multiplex.sh] restore incorrectly deleted line;
-   pointed out by Christian Hesse
-
-20140722
- - (djm) [regress/multiplex.sh] ssh mux master lost -N somehow;
-   put it back
- - (djm) [regress/multiplex.sh] change the test for still-open Unix
-   domain sockets to be robust against nc implementations that produce
-   error messages.
- - (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa-
-   specific tests inside OPENSSL_HAS_ECC.
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2014/07/22 01:18:50
-     [key.c]
-     Prevent spam from key_load_private_pem during hostbased auth.  ok djm@
-   - guenther@cvs.openbsd.org 2014/07/22 07:13:42
-     [umac.c]
-     Convert from <sys/endian.h> to the shiney new <endian.h>
-     ok dtucker@, who also confirmed that -portable handles this already
-     (ID sync only, includes.h pulls in endian.h if available.)
-   - djm@cvs.openbsd.org 2014/07/22 01:32:12
-     [regress/multiplex.sh]
-     change the test for still-open Unix domain sockets to be robust against
-     nc implementations that produce error messages. from -portable
-     (Id sync only)
-   - dtucker@cvs.openbsd.org 2014/07/22 23:23:22
-     [regress/unittests/sshkey/mktestdata.sh]
-     Sign test certs with ed25519 instead of ecdsa so that they'll work in
-     -portable on platforms that don't have ECDSA in their OpenSSL.  ok djm
-   - dtucker@cvs.openbsd.org 2014/07/22 23:57:40
-     [regress/unittests/sshkey/mktestdata.sh]
-     Add $OpenBSD tag to make syncs easier
-   - dtucker@cvs.openbsd.org 2014/07/22 23:35:38
-     [regress/unittests/sshkey/testdata/*]
-     Regenerate test keys with certs signed with ed25519 instead of ecdsa.
-     These can be used in -portable on platforms that don't support ECDSA.
-
-20140721
- - OpenBSD CVS Sync
-   - millert@cvs.openbsd.org 2014/07/15 15:54:15
-     [forwarding.sh multiplex.sh]
-     Add support for Unix domain socket forwarding.  A remote TCP port
-     may be forwarded to a local Unix domain socket and vice versa or
-     both ends may be a Unix domain socket.  This is a reimplementation
-     of the streamlocal patches by William Ahern from:
-         http://www.25thandclement.com/~william/projects/streamlocal.html
-     OK djm@ markus@
- - (djm) [regress/multiplex.sh] Not all netcat accept the -N option.
- - (dtucker) [sshkey.c] ifdef out unused variable when compiling without
-   OPENSSL_HAS_ECC.
-
-20140721
- - (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits
-   needed to build AES CTR mode against OpenSSL 0.9.8f and above.  ok djm
- - (dtucker) [regress/unittests/sshkey/
-   {common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
-   ifdefs.
-
-20140719
- - (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used
-   in servconf.h.
-
-20140718
- - OpenBSD CVS Sync
-   - millert@cvs.openbsd.org 2014/07/15 15:54:14
-     [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
-     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
-     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
-     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
-     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
-     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
-     [sshd_config.5 sshlogin.c]
-     Add support for Unix domain socket forwarding.  A remote TCP port
-     may be forwarded to a local Unix domain socket and vice versa or
-     both ends may be a Unix domain socket.  This is a reimplementation
-     of the streamlocal patches by William Ahern from:
-         http://www.25thandclement.com/~william/projects/streamlocal.html
-     OK djm@ markus@
-   - jmc@cvs.openbsd.org 2014/07/16 14:48:57
-     [ssh.1]
-     add the streamlocal* options to ssh's -o list; millert says they're
-     irrelevant for scp/sftp;
-     ok markus millert
-   - djm@cvs.openbsd.org 2014/07/17 00:10:56
-     [sandbox-systrace.c]
-     ifdef SYS_sendsyslog so this will compile without patching on -stable
-   - djm@cvs.openbsd.org 2014/07/17 00:10:18
-     [mux.c]
-     preserve errno across syscall
-   - djm@cvs.openbsd.org 2014/07/17 00:12:03
-     [key.c]
-     silence "incorrect passphrase" error spam; reported and ok dtucker@
-   - djm@cvs.openbsd.org 2014/07/17 07:22:19
-     [mux.c ssh.c]
-     reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
-     previously we were always returning 0. bz#2255 reported by Brendan
-     Germain; ok dtucker
-   - djm@cvs.openbsd.org 2014/07/18 02:46:01
-     [ssh-agent.c]
-     restore umask around listener socket creation (dropped in streamlocal patch
-     merge)
- - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used
-   in servconf.h.
- - (dtucker) [Makefile.in] Add a t-exec target to run just the executable
-   tests.
- - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC.
-
-20140717
- - (djm) [digest-openssl.c] Preserve array order when disabling digests.
-   Reported by Petr Lautrbach.
- - OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2014/07/11 08:09:54
-     [sandbox-systrace.c]
-     Permit use of SYS_sendsyslog from inside the sandbox.  Clock is ticking,
-     update your kernels and sshd soon.. libc will start using sendsyslog()
-     in about 4 days.
-   - tedu@cvs.openbsd.org 2014/07/11 13:54:34
-     [myproposal.h]
-     by popular demand, add back hamc-sha1 to server proposal for better compat
-     with many clients still in use. ok deraadt
-
-20140715
- - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto
-   has been located; fixes builds agains libressl-portable
-
-20140711
- - OpenBSD CVS Sync
-   - benno@cvs.openbsd.org 2014/07/09 14:15:56
-     [ssh-add.c]
-     fix ssh-add crash while loading more than one key
-     ok markus@
-
-20140709
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/07/07 08:19:12
-     [ssh_config.5]
-     mention that ProxyCommand is executed using shell "exec" to avoid
-     a lingering process; bz#1977
-   - djm@cvs.openbsd.org 2014/07/09 01:45:10
-     [sftp.c]
-     more useful error message when GLOB_NOSPACE occurs;
-     bz#2254, patch from Orion Poplawski
-   - djm@cvs.openbsd.org 2014/07/09 03:02:15
-     [key.c]
-     downgrade more error() to debug() to better match what old authfile.c
-     did; suppresses spurious errors with hostbased authentication enabled
-   - djm@cvs.openbsd.org 2014/07/06 07:42:03
-     [multiplex.sh test-exec.sh]
-     add a hook to the cleanup() function to kill $SSH_PID if it is set
-     
-     use it to kill the mux master started in multiplex.sh (it was being left
-     around on fatal failures)
-   - djm@cvs.openbsd.org 2014/07/07 08:15:26
-     [multiplex.sh]
-     remove forced-fatal that I stuck in there to test the new cleanup
-     logic and forgot to remove...
-
-20140706
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/07/03 23:18:35
-     [authfile.h]
-     remove leakmalloc droppings
-   - djm@cvs.openbsd.org 2014/07/05 23:11:48
-     [channels.c]
-     fix remote-forward cancel regression; ok markus@
-
-20140704
- - OpenBSD CVS Sync
-   - jsing@cvs.openbsd.org 2014/07/03 12:42:16
-     [cipher-chachapoly.c]
-     Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
-     makes it easier to verify that chacha_encrypt_bytes() is only called once
-     per chacha_ivsetup() call.
-     ok djm@
-   - djm@cvs.openbsd.org 2014/07/03 22:23:46
-     [sshconnect.c]
-     when rekeying, skip file/DNS lookup if it is the same as the key sent
-     during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
-   - djm@cvs.openbsd.org 2014/07/03 22:33:41
-     [channels.c]
-     allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
-     GatewayPorts=no; allows client to choose address family;
-     bz#2222 ok markus@
-   - djm@cvs.openbsd.org 2014/07/03 22:40:43
-     [servconf.c servconf.h session.c sshd.8 sshd_config.5]
-     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
-     executed, mirroring the no-user-rc authorized_keys option;
-     bz#2160; ok markus@
-
-20140703
- - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
-   doesn't support it.
- - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist;
-   bz#2237
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/07/03 01:45:38
-     [sshkey.c]
-     make Ed25519 keys' title fit properly in the randomart border; bz#2247
-     based on patch from Christian Hesse
-   - djm@cvs.openbsd.org 2014/07/03 03:11:03
-     [ssh-agent.c]
-     Only cleanup agent socket in the main agent process and not in any
-     subprocesses it may have started (e.g. forked askpass). Fixes
-     agent sockets being zapped when askpass processes fatal();
-     bz#2236 patch from Dmitry V. Levin
-   - djm@cvs.openbsd.org 2014/07/03 03:15:01
-     [ssh-add.c]
-     make stdout line-buffered; saves partial output getting lost when
-     ssh-add fatal()s part-way through (e.g. when listing keys from an
-     agent that supports key types that ssh-add doesn't);
-     bz#2234, reported by Phil Pennock
-   - djm@cvs.openbsd.org 2014/07/03 03:26:43
-     [digest-openssl.c]
-     use EVP_Digest() for one-shot hash instead of creating, updating,
-     finalising and destroying a context.
-     bz#2231, based on patch from Timo Teras
-   - djm@cvs.openbsd.org 2014/07/03 03:34:09
-     [gss-serv.c session.c ssh-keygen.c]
-     standardise on NI_MAXHOST for gethostname() string lengths; about
-     1/2 the cases were using it already. Fixes bz#2239 en passant
-   - djm@cvs.openbsd.org 2014/07/03 03:47:27
-     [ssh-keygen.c]
-     When hashing or removing hosts using ssh-keygen, don't choke on
-     @revoked markers and don't remove @cert-authority markers;
-     bz#2241, reported by mlindgren AT runelind.net
-   - djm@cvs.openbsd.org 2014/07/03 04:36:45
-     [digest.h]
-     forward-declare struct sshbuf so consumers don't need to include sshbuf.h
-   - djm@cvs.openbsd.org 2014/07/03 05:32:36
-     [ssh_config.5]
-     mention '%%' escape sequence in HostName directives and how it may
-     be used to specify IPv6 link-local addresses
-   - djm@cvs.openbsd.org 2014/07/03 05:38:17
-     [ssh.1]
-     document that -g will only work in the multiplexed case if applied to
-     the mux master
-   - djm@cvs.openbsd.org 2014/07/03 06:39:19
-     [ssh.c ssh_config.5]
-     Add a %C escape sequence for LocalCommand and ControlPath that expands
-     to a unique identifer based on a has of the tuple of (local host,
-     remote user, hostname, port).
-     
-     Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
-     control paths.
-     
-     bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
-   - jmc@cvs.openbsd.org 2014/07/03 07:45:27
-     [ssh_config.5]
-     escape %C since groff thinks it part of an Rs/Re block;
-   - djm@cvs.openbsd.org 2014/07/03 11:16:55
-     [auth.c auth.h auth1.c auth2.c]
-     make the "Too many authentication failures" message include the
-     user, source address, port and protocol in a format similar to the
-     authentication success / failure messages; bz#2199, ok dtucker
-
-20140702
- - OpenBSD CVS Sync
-   - deraadt@cvs.openbsd.org 2014/06/13 08:26:29
-     [sandbox-systrace.c]
-     permit SYS_getentropy
-     from matthew
-   - matthew@cvs.openbsd.org 2014/06/18 02:59:13
-     [sandbox-systrace.c]
-     Now that we have a dedicated getentropy(2) system call for
-     arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
-     sandbox.
-     
-     ok djm
-   - naddy@cvs.openbsd.org 2014/06/18 15:42:09
-     [sshbuf-getput-crypto.c]
-     The ssh_get_bignum functions must accept the same range of bignums
-     the corresponding ssh_put_bignum functions create.  This fixes the
-     use of 16384-bit RSA keys (bug reported by Eivind Evensen).
-     ok djm@
-   - djm@cvs.openbsd.org 2014/06/24 00:52:02
-     [krl.c]
-     fix bug in KRL generation: multiple consecutive revoked certificate
-     serial number ranges could be serialised to an invalid format.
-     
-     Readers of a broken KRL caused by this bug will fail closed, so no
-     should-have-been-revoked key will be accepted.
-   - djm@cvs.openbsd.org 2014/06/24 01:13:21
-     [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
-     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
-     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
-     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
-     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
-     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
-     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
-     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
-     [sshconnect2.c sshd.c sshkey.c sshkey.h
-     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
-     New key API: refactor key-related functions to be more library-like,
-     existing API is offered as a set of wrappers.
-     
-     with and ok markus@
-     
-     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
-     Dempsky and Ron Bowes for a detailed review a few months ago.
-     NB. This commit also removes portable OpenSSH support for OpenSSL
-     <0.9.8e.
-   - djm@cvs.openbsd.org 2014/06/24 02:19:48
-     [ssh.c]
-     don't fatal() when hostname canonicalisation fails with a
-     ProxyCommand in use; continue and allow the ProxyCommand to
-     connect anyway (e.g. to a host with a name outside the DNS
-     behind a bastion)
-   - djm@cvs.openbsd.org 2014/06/24 02:21:01
-     [scp.c]
-     when copying local->remote fails during read, don't send uninitialised
-     heap to the remote end. Reported by Jann Horn
-   - deraadt@cvs.openbsd.org 2014/06/25 14:16:09
-     [sshbuf.c]
-     unblock SIGSEGV before raising it
-     ok djm
-   - markus@cvs.openbsd.org 2014/06/27 16:41:56
-     [channels.c channels.h clientloop.c ssh.c]
-     fix remote fwding with same listen port but different listen address
-     with gerhard@, ok djm@
-   - markus@cvs.openbsd.org 2014/06/27 18:50:39
-     [ssh-add.c]
-     fix loading of private keys
-   - djm@cvs.openbsd.org 2014/06/30 12:54:39
-     [key.c]
-     suppress spurious error message when loading key with a passphrase;
-     reported by kettenis@ ok markus@
-   - djm@cvs.openbsd.org 2014/07/02 04:59:06
-     [cipher-3des1.c]
-     fix ssh protocol 1 on the server that regressed with the sshkey change
-     (sometimes fatal() after auth completed), make file return useful status
-     codes.
-     NB. Id sync only for these two. They were bundled into the sshkey merge
-     above, since it was easier to sync the entire file and then apply
-     portable-specific changed atop it.
-   - djm@cvs.openbsd.org 2014/04/30 05:32:00
-     [regress/Makefile]
-     unit tests for new buffer API; including basic fuzz testing
-     NB. Id sync only.
-   - djm@cvs.openbsd.org 2014/05/21 07:04:21
-     [regress/integrity.sh]
-     when failing because of unexpected output, show the offending output
-   - djm@cvs.openbsd.org 2014/06/24 01:04:43
-     [regress/krl.sh]
-     regress test for broken consecutive revoked serial number ranges
-   - djm@cvs.openbsd.org 2014/06/24 01:14:17
-     [Makefile.in regress/Makefile regress/unittests/Makefile]
-     [regress/unittests/sshkey/Makefile]
-     [regress/unittests/sshkey/common.c]
-     [regress/unittests/sshkey/common.h]
-     [regress/unittests/sshkey/mktestdata.sh]
-     [regress/unittests/sshkey/test_file.c]
-     [regress/unittests/sshkey/test_fuzz.c]
-     [regress/unittests/sshkey/test_sshkey.c]
-     [regress/unittests/sshkey/tests.c]
-     [regress/unittests/sshkey/testdata/dsa_1]
-     [regress/unittests/sshkey/testdata/dsa_1-cert.fp]
-     [regress/unittests/sshkey/testdata/dsa_1-cert.pub]
-     [regress/unittests/sshkey/testdata/dsa_1.fp]
-     [regress/unittests/sshkey/testdata/dsa_1.fp.bb]
-     [regress/unittests/sshkey/testdata/dsa_1.param.g]
-     [regress/unittests/sshkey/testdata/dsa_1.param.priv]
-     [regress/unittests/sshkey/testdata/dsa_1.param.pub]
-     [regress/unittests/sshkey/testdata/dsa_1.pub]
-     [regress/unittests/sshkey/testdata/dsa_1_pw]
-     [regress/unittests/sshkey/testdata/dsa_2]
-     [regress/unittests/sshkey/testdata/dsa_2.fp]
-     [regress/unittests/sshkey/testdata/dsa_2.fp.bb]
-     [regress/unittests/sshkey/testdata/dsa_2.pub]
-     [regress/unittests/sshkey/testdata/dsa_n]
-     [regress/unittests/sshkey/testdata/dsa_n_pw]
-     [regress/unittests/sshkey/testdata/ecdsa_1]
-     [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp]
-     [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_1.fp]
-     [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb]
-     [regress/unittests/sshkey/testdata/ecdsa_1.param.curve]
-     [regress/unittests/sshkey/testdata/ecdsa_1.param.priv]
-     [regress/unittests/sshkey/testdata/ecdsa_1.param.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_1.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_1_pw]
-     [regress/unittests/sshkey/testdata/ecdsa_2]
-     [regress/unittests/sshkey/testdata/ecdsa_2.fp]
-     [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb]
-     [regress/unittests/sshkey/testdata/ecdsa_2.param.curve]
-     [regress/unittests/sshkey/testdata/ecdsa_2.param.priv]
-     [regress/unittests/sshkey/testdata/ecdsa_2.param.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_2.pub]
-     [regress/unittests/sshkey/testdata/ecdsa_n]
-     [regress/unittests/sshkey/testdata/ecdsa_n_pw]
-     [regress/unittests/sshkey/testdata/ed25519_1]
-     [regress/unittests/sshkey/testdata/ed25519_1-cert.fp]
-     [regress/unittests/sshkey/testdata/ed25519_1-cert.pub]
-     [regress/unittests/sshkey/testdata/ed25519_1.fp]
-     [regress/unittests/sshkey/testdata/ed25519_1.fp.bb]
-     [regress/unittests/sshkey/testdata/ed25519_1.pub]
-     [regress/unittests/sshkey/testdata/ed25519_1_pw]
-     [regress/unittests/sshkey/testdata/ed25519_2]
-     [regress/unittests/sshkey/testdata/ed25519_2.fp]
-     [regress/unittests/sshkey/testdata/ed25519_2.fp.bb]
-     [regress/unittests/sshkey/testdata/ed25519_2.pub]
-     [regress/unittests/sshkey/testdata/pw]
-     [regress/unittests/sshkey/testdata/rsa1_1]
-     [regress/unittests/sshkey/testdata/rsa1_1.fp]
-     [regress/unittests/sshkey/testdata/rsa1_1.fp.bb]
-     [regress/unittests/sshkey/testdata/rsa1_1.param.n]
-     [regress/unittests/sshkey/testdata/rsa1_1.pub]
-     [regress/unittests/sshkey/testdata/rsa1_1_pw]
-     [regress/unittests/sshkey/testdata/rsa1_2]
-     [regress/unittests/sshkey/testdata/rsa1_2.fp]
-     [regress/unittests/sshkey/testdata/rsa1_2.fp.bb]
-     [regress/unittests/sshkey/testdata/rsa1_2.param.n]
-     [regress/unittests/sshkey/testdata/rsa1_2.pub]
-     [regress/unittests/sshkey/testdata/rsa_1]
-     [regress/unittests/sshkey/testdata/rsa_1-cert.fp]
-     [regress/unittests/sshkey/testdata/rsa_1-cert.pub]
-     [regress/unittests/sshkey/testdata/rsa_1.fp]
-     [regress/unittests/sshkey/testdata/rsa_1.fp.bb]
-     [regress/unittests/sshkey/testdata/rsa_1.param.n]
-     [regress/unittests/sshkey/testdata/rsa_1.param.p]
-     [regress/unittests/sshkey/testdata/rsa_1.param.q]
-     [regress/unittests/sshkey/testdata/rsa_1.pub]
-     [regress/unittests/sshkey/testdata/rsa_1_pw]
-     [regress/unittests/sshkey/testdata/rsa_2]
-     [regress/unittests/sshkey/testdata/rsa_2.fp]
-     [regress/unittests/sshkey/testdata/rsa_2.fp.bb]
-     [regress/unittests/sshkey/testdata/rsa_2.param.n]
-     [regress/unittests/sshkey/testdata/rsa_2.param.p]
-     [regress/unittests/sshkey/testdata/rsa_2.param.q]
-     [regress/unittests/sshkey/testdata/rsa_2.pub]
-     [regress/unittests/sshkey/testdata/rsa_n]
-     [regress/unittests/sshkey/testdata/rsa_n_pw]
-     unit and fuzz tests for new key API
- - (djm) [sshkey.c] Conditionalise inclusion of util.h
- - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test
-
-20140618
- - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
-
-20140617
- - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
-   openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
-   Move the OpenSSL header/library version test into its own function and add
-   tests for it. Fix it to allow fix version upgrades (but not downgrades).
-   Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
-   ok djm@ chl@
-
-20140616
- - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR.  From rak at debian via
-   OpenSMTPD and chl@
-
-20140612
- - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
-   been removed from sshd.c.
-
-20140611
- - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
-   openbsd-compat/bsd-asprintf.c.
- - (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*]
-   Wrap stdlib.h include an ifdef for platforms that don't have it.
- - (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for
-   u_intXX_t types.
-
-20140610
- - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
-   regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256
-   curve tests if OpenSSL has them.
- - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in
-   the proposal if the version of OpenSSL we're using doesn't support ECC.
- - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef
-   ECC variable too.
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/06/05 22:17:50
-     [sshconnect2.c]
-     fix inverted test that caused PKCS#11 keys that were explicitly listed
-     not to be preferred. Reported by Dirk-Willem van Gulik
-   - dtucker@cvs.openbsd.org 2014/06/10 21:46:11
-     [sshbuf.h]
-     Group ECC functions together to make things a little easier in -portable.
-     "doesn't bother me" deraadt@
- - (dtucker) [sshbuf.h] Only declare ECC functions if building without
-   OpenSSL or if OpenSSL has ECC.
- - (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an
-   assigment that might get optimized out.  ok djm@
- - (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for
-   compat stuff, specifically whether or not OpenSSL has ECC.
-
-20140527
- - (djm) [cipher.c] Fix merge botch.
- - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config
-   from Corinna Vinschen, fixing a number of bugs and preparing for
-   Cygwin 1.7.30.
- - (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c]
-   [openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege
-   separation user at runtime, since it may need to be a domain account.
-   Patch from Corinna Vinschen.
-
-20140522
- - (djm) [Makefile.in] typo in path
-
-20140521
- - (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use
-   vhangup on Linux. It doens't work for non-root users, and for them
-   it just messes up the tty settings.
- - (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC
-   when it is available. It takes into account time spent suspended,
-   thereby ensuring timeouts (e.g. for expiring agent keys) fire
-   correctly. bz#2228 reported by John Haxby
-
-20140519
- - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
-   OpenBSD
- - OpenBSD CVS Sync
-   - logan@cvs.openbsd.org 2014/04/20 09:24:26
-     [dns.c dns.h ssh-keygen.c]
-     Add support for SSHFP DNS records for ED25519 key types.
-     OK from djm@
-   - logan@cvs.openbsd.org 2014/04/21 14:36:16
-     [sftp-client.c sftp-client.h sftp.c]
-     Implement sftp upload resume support.
-     OK from djm@, with input from guenther@, mlarkin@ and
-     okan@
-   - logan@cvs.openbsd.org 2014/04/22 10:07:12
-     [sftp.c]
-     Sort the sftp command list.
-     OK from djm@
-   - logan@cvs.openbsd.org 2014/04/22 12:42:04
-     [sftp.1]
-     Document sftp upload resume.
-     OK from djm@, with feedback from okan@.
-   - jmc@cvs.openbsd.org 2014/04/22 14:16:30
-     [sftp.1]
-     zap eol whitespace;
-   - djm@cvs.openbsd.org 2014/04/23 12:42:34
-     [readconf.c]
-     don't record duplicate IdentityFiles
-   - djm@cvs.openbsd.org 2014/04/28 03:09:18
-     [authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
-     [ssh-keygen.c]
-     buffer_get_string_ptr's return should be const to remind
-     callers that futzing with it will futz with the actual buffer
-     contents
-   - djm@cvs.openbsd.org 2014/04/29 13:10:30
-     [clientloop.c serverloop.c]
-     bz#1818 - don't send channel success/failre replies on channels that
-     have sent a close already; analysis and patch from Simon Tatham;
-     ok markus@
-   - markus@cvs.openbsd.org 2014/04/29 18:01:49
-     [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
-     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
-     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
-     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
-     make compiling against OpenSSL optional (make OPENSSL=no);
-     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
-     allows us to explore further options; with and ok djm
-   - dtucker@cvs.openbsd.org 2014/04/29 19:58:50
-     [sftp.c]
-     Move nulling of variable next to where it's freed.  ok markus@
-   - dtucker@cvs.openbsd.org 2014/04/29 20:36:51
-     [sftp.c]
-     Don't attempt to append a nul quote char to the filename.  Should prevent
-     fatal'ing with "el_insertstr failed" when there's a single quote char
-     somewhere in the string.  bz#2238, ok markus@
-   - djm@cvs.openbsd.org 2014/04/30 05:29:56
-     [bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c]
-     [sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c]
-     [ssherr.h]
-     New buffer API; the first installment of the conversion/replacement
-     of OpenSSH's internals to make them usable as a standalone library.
-     
-     This includes a set of wrappers to make it compatible with the
-     existing buffer API so replacement can occur incrementally.
-     
-     With and ok markus@
-     
-     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
-     Dempsky and Ron Bowes for a detailed review.
-   - naddy@cvs.openbsd.org 2014/04/30 19:07:48
-     [mac.c myproposal.h umac.c]
-     UMAC can use our local fallback implementation of AES when OpenSSL isn't
-     available.  Glue code straight from Ted Krovetz's original umac.c.
-     ok markus@
-   - djm@cvs.openbsd.org 2014/05/02 03:27:54
-     [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
-     [misc.h poly1305.h ssh-pkcs11.c defines.h]
-     revert __bounded change; it causes way more problems for portable than
-     it solves; pointed out by dtucker@
-   - markus@cvs.openbsd.org 2014/05/03 17:20:34
-     [monitor.c packet.c packet.h]
-     unbreak compression, by re-init-ing the compression code in the
-     post-auth child. the new buffer code is more strict, and requires
-     buffer_init() while the old code was happy after a bzero();
-     originally from djm@
-   - logan@cvs.openbsd.org 2014/05/05 07:02:30
-     [sftp.c]
-     Zap extra whitespace.
-     
-     OK from djm@ and dtucker@
- - (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write
-   portability glue to support building without libcrypto
- - (djm) [Makefile.in configure.ac sshbuf-getput-basic.c]
-   [sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/03/13 20:44:49
-     [login-timeout.sh]
-     this test is a sorry mess of race conditions; add another sleep
-     to avoid a failure on slow machines (at least until I find a
-     better way)
-   - djm@cvs.openbsd.org 2014/04/21 22:15:37
-     [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh]
-     repair regress tests broken by server-side default cipher/kex/mac changes
-     by ensuring that the option under test is included in the server's
-     algorithm list
-   - dtucker@cvs.openbsd.org 2014/05/03 18:46:14
-     [proxy-connect.sh]
-     Add tests for with and without compression, with and without privsep.
-   - logan@cvs.openbsd.org 2014/05/04 10:40:59
-     [connect-privsep.sh]
-     Remove the Z flag from the list of malloc options as it
-     was removed from malloc.c 10 days ago.
-     
-     OK from miod@
- - (djm) [regress/unittests/Makefile]
-   [regress/unittests/Makefile.inc]
-   [regress/unittests/sshbuf/Makefile]
-   [regress/unittests/sshbuf/test_sshbuf.c]
-   [regress/unittests/sshbuf/test_sshbuf_fixed.c]
-   [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
-   [regress/unittests/sshbuf/test_sshbuf_misc.c]
-   [regress/unittests/sshbuf/tests.c]
-   [regress/unittests/test_helper/Makefile]
-   [regress/unittests/test_helper/fuzz.c]
-   [regress/unittests/test_helper/test_helper.c]
-   [regress/unittests/test_helper/test_helper.h]
-   Import new unit tests from OpenBSD; not yet hooked up to build.
- - (djm) [regress/Makefile Makefile.in]
-   [regress/unittests/sshbuf/test_sshbuf.c
-   [regress/unittests/sshbuf/test_sshbuf_fixed.c]
-   [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
-   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
-   [regress/unittests/sshbuf/test_sshbuf_misc.c]
-   [regress/unittests/sshbuf/tests.c]
-   [regress/unittests/test_helper/fuzz.c]
-   [regress/unittests/test_helper/test_helper.c]
-   Hook new unit tests into the build and "make tests"
- - (djm) [sshbuf.c] need __predict_false
-
-20140430
- - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
-   have it.  Only attempt to use __attribute__(__bounded__) for gcc.
-
-20140420
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/03/03 22:22:30
-     [session.c]
-     ignore enviornment variables with embedded '=' or '\0' characters;
-     spotted by Jann Horn; ok deraadt@
-     Id sync only - portable already has this.
-   - djm@cvs.openbsd.org 2014/03/12 04:44:58
-     [ssh-keyscan.c]
-     scan for Ed25519 keys by default too
-   - djm@cvs.openbsd.org 2014/03/12 04:50:32
-     [auth-bsdauth.c ssh-keygen.c]
-     don't count on things that accept arguments by reference to clear
-     things for us on error; most things do, but it's unsafe form.
-   - djm@cvs.openbsd.org 2014/03/12 04:51:12
-     [authfile.c]
-     correct test that kdf name is not "none" or "bcrypt"
-   - naddy@cvs.openbsd.org 2014/03/12 13:06:59
-     [ssh-keyscan.1]
-     scan for Ed25519 keys by default too
-   - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
-     [ssh-agent.c ssh-keygen.1 ssh-keygen.c]
-     Improve usage() and documentation towards the standard form. 
-     In particular, this line saves a lot of man page reading time.
-       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
-                         [-N new_passphrase] [-C comment] [-f output_keyfile]
-     ok schwarze jmc
-   - tedu@cvs.openbsd.org 2014/03/17 19:44:10
-     [ssh.1]
-     old descriptions of des and blowfish are old. maybe ok deraadt
-   - tedu@cvs.openbsd.org 2014/03/19 14:42:44
-     [scp.1]
-     there is no need for rcp anymore
-     ok deraadt millert
-   - markus@cvs.openbsd.org 2014/03/25 09:40:03
-     [myproposal.h]
-     trimm default proposals.
-     
-     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
-     (arcfour), and the broken modes (CBC) from the default configuration
-     (the patch only changes the default, all the modes are still available
-     for the config files).
-     
-     ok djm@, reminded by tedu@ & naddy@ and discussed with many
-   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
-     [myproposal.h]
-     The current sharing of myproposal[] between both client and server code
-     makes the previous diff highly unpallatable.  We want to go in that
-     direction for the server, but not for the client.  Sigh.
-     Brought up by naddy.
-   - markus@cvs.openbsd.org 2014/03/27 23:01:27
-     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
-     disable weak proposals in sshd, but keep them in ssh; ok djm@
-   - djm@cvs.openbsd.org 2014/03/26 04:55:35
-     [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
-     [misc.h poly1305.h ssh-pkcs11.c]
-     use __bounded(...) attribute recently added to sys/cdefs.h instead of
-     longform __attribute__(__bounded(...));
-     
-     for brevity and a warning free compilation with llvm/clang
-   - tedu@cvs.openbsd.org 2014/03/26 19:58:37
-     [sshd.8 sshd.c]
-     remove libwrap support. ok deraadt djm mfriedl
-   - naddy@cvs.openbsd.org 2014/03/28 05:17:11
-     [ssh_config.5 sshd_config.5]
-     sync available and default algorithms, improve algorithm list formatting
-     help from jmc@ and schwarze@, ok deraadt@
-   - jmc@cvs.openbsd.org 2014/03/31 13:39:34
-     [ssh-keygen.1]
-     the text for the -K option was inserted in the wrong place in -r1.108;
-     fix From: Matthew Clarke
-   - djm@cvs.openbsd.org 2014/04/01 02:05:27
-     [ssh-keysign.c]
-     include fingerprint of key not found
-     use arc4random_buf() instead of loop+arc4random()
-   - djm@cvs.openbsd.org 2014/04/01 03:34:10
-     [sshconnect.c]
-     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
-     certificate keys to plain keys and attempt SSHFP resolution.
-     
-     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
-     dialog by offering only certificate keys.
-     
-     Reported by mcv21 AT cam.ac.uk
-   - djm@cvs.openbsd.org 2014/04/01 05:32:57
-     [packet.c]
-     demote a debug3 to PACKET_DEBUG; ok markus@
-   - djm@cvs.openbsd.org 2014/04/12 04:55:53
-     [sshd.c]
-     avoid crash at exit: check that pmonitor!=NULL before dereferencing;
-     bz#2225, patch from kavi AT juniper.net
-   - djm@cvs.openbsd.org 2014/04/16 23:22:45
-     [bufaux.c]
-     skip leading zero bytes in buffer_put_bignum2_from_string();
-     reported by jan AT mojzis.com; ok markus@
-   - djm@cvs.openbsd.org 2014/04/16 23:28:12
-     [ssh-agent.1]
-     remove the identity files from this manpage - ssh-agent doesn't deal
-     with them at all and the same information is duplicated in ssh-add.1
-     (which does deal with them); prodded by deraadt@
-   - djm@cvs.openbsd.org 2014/04/18 23:52:25
-     [compat.c compat.h sshconnect2.c sshd.c version.h]
-     OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
-     using the curve25519-sha256@libssh.org KEX exchange method to fail
-     when connecting with something that implements the spec properly.
-     
-     Disable this KEX method when speaking to one of the affected
-     versions.
-     
-     reported by Aris Adamantiadis; ok markus@
-   - djm@cvs.openbsd.org 2014/04/19 05:54:59
-     [compat.c]
-     missing wildcard; pointed out by naddy@
-   - tedu@cvs.openbsd.org 2014/04/19 14:53:48
-     [ssh-keysign.c sshd.c]
-     Delete futile calls to RAND_seed. ok djm
-     NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
-   - tedu@cvs.openbsd.org 2014/04/19 18:15:16
-     [sshd.8]
-     remove some really old rsh references
-   - tedu@cvs.openbsd.org 2014/04/19 18:42:19
-     [ssh.1]
-     delete .xr to hosts.equiv. there's still an unfortunate amount of
-     documentation referring to rhosts equivalency in here.
-   - djm@cvs.openbsd.org 2014/04/20 02:30:25
-     [misc.c misc.h umac.c]
-     use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
-     strict-alignment architectures; reported by and ok stsp@
-   - djm@cvs.openbsd.org 2014/04/20 02:49:32
-     [compat.c]
-     add a canonical 6.6 + curve25519 bignum fix fake version that I can
-     recommend people use ahead of the openssh-6.7 release
-
-20140401
- - (djm) On platforms that support it, use prctl() to prevent sftp-server
-   from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
- - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
-   version. From des@des.no
-
-20140317
- - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
-   remind myself to add sandbox violation logging via the log socket.
-
-20140314
- - (tim) [opensshd.init.in] Add support for ed25519
-
-20140313
- - (djm) Release OpenSSH 6.6
-
-20140304
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/03/03 22:22:30
-     [session.c]
-     ignore enviornment variables with embedded '=' or '\0' characters;
-     spotted by Jann Horn; ok deraadt@
-
-20140301
- - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
-   no moduli file exists at the expected location.
-
-20140228
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/02/27 00:41:49
-     [bufbn.c]
-     fix unsigned overflow that could lead to reading a short ssh protocol
-     1 bignum value; found by Ben Hawkes; ok deraadt@
-   - djm@cvs.openbsd.org 2014/02/27 08:25:09
-     [bufbn.c]
-     off by one in range check
-   - djm@cvs.openbsd.org 2014/02/27 22:47:07
-     [sshd_config.5]
-     bz#2184 clarify behaviour of a keyword that appears in multiple
-     matching Match blocks; ok dtucker@
-   - djm@cvs.openbsd.org 2014/02/27 22:57:40
-     [version.h]
-     openssh-6.6
-   - dtucker@cvs.openbsd.org 2014/01/19 23:43:02
-     [regress/sftp-chroot.sh]
-     Don't use -q on sftp as it suppresses logging, instead redirect the
-     output to the regress logfile.
-   - dtucker@cvs.openbsd.org 2014/01/20 00:00:30
-     [sregress/ftp-chroot.sh]
-     append to rather than truncating the log file
-   - dtucker@cvs.openbsd.org 2014/01/25 04:35:32
-     [regress/Makefile regress/dhgex.sh]
-     Add a test for DH GEX sizes
-   - djm@cvs.openbsd.org 2014/01/26 10:22:10
-     [regress/cert-hostkey.sh]
-     automatically generate revoked keys from listed keys rather than
-     manually specifying each type; from portable
-     (Id sync only)
-   - djm@cvs.openbsd.org 2014/01/26 10:49:17
-     [scp-ssh-wrapper.sh scp.sh]
-     make sure $SCP is tested on the remote end rather than whichever one
-     happens to be in $PATH; from portable
-     (Id sync only)
-   - djm@cvs.openbsd.org 2014/02/27 20:04:16
-     [login-timeout.sh]
-     remove any existing LoginGraceTime from sshd_config before adding
-     a specific one for the test back in
-   - djm@cvs.openbsd.org 2014/02/27 21:21:25
-     [agent-ptrace.sh agent.sh]
-     keep return values that are printed in error messages;
-     from portable
-     (Id sync only)
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-   [contrib/suse/openssh.spec] Crank version numbers
- - (djm) [regress/host-expand.sh] Add RCS Id
-
-20140227
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/02/26 20:18:37
-     [ssh.c]
-     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
-     ok dtucker@ markus@
-   - djm@cvs.openbsd.org 2014/02/26 20:28:44
-     [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
-     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
-     sandboxing, as running this code in the sandbox can cause violations;
-     ok markus@
-   - djm@cvs.openbsd.org 2014/02/26 20:29:29
-     [channels.c]
-     don't assume that the socks4 username is \0 terminated;
-     spotted by Ben Hawkes; ok markus@
-   - markus@cvs.openbsd.org 2014/02/26 21:53:37
-     [sshd.c]
-     ssh_gssapi_prepare_supported_oids needs GSSAPI
-
-20140224
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/02/07 06:55:54
-     [cipher.c mac.c]
-     remove some logging that makes ssh debugging output very verbose;
-     ok markus
-   - djm@cvs.openbsd.org 2014/02/15 23:05:36
-     [channels.c]
-     avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
-     bz#2200, debian#738692 via Colin Watson; ok dtucker@
-   - djm@cvs.openbsd.org 2014/02/22 01:32:19
-     [readconf.c]
-     when processing Match blocks, skip 'exec' clauses if previous predicates
-     failed to match; ok markus@
-   - djm@cvs.openbsd.org 2014/02/23 20:03:42
-     [ssh-ed25519.c]
-     check for unsigned overflow; not reachable in OpenSSH but others might
-     copy our code...
-   - djm@cvs.openbsd.org 2014/02/23 20:11:36
-     [readconf.c readconf.h ssh.c ssh_config.5]
-     reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
-     the hostname. This allows users to write configurations that always
-     refer to canonical hostnames, e.g.
-     
-     CanonicalizeHostname yes
-     CanonicalDomains int.example.org example.org
-     CanonicalizeFallbackLocal no
-     
-     Host *.int.example.org
-         Compression off
-     Host *.example.org
-         User djm
-     
-     ok markus@
-
-20140213
- - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]  Add compat
-   code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
-
-20140207
- - OpenBSD CVS Sync
-   - naddy@cvs.openbsd.org 2014/02/05 20:13:25
-     [ssh-keygen.1 ssh-keygen.c]
-     tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
-     while here, fix ordering in usage(); requested by jmc@
-   - djm@cvs.openbsd.org 2014/02/06 22:21:01
-     [sshconnect.c]
-     in ssh_create_socket(), only do the getaddrinfo for BindAddress when
-     BindAddress is actually specified. Fixes regression in 6.5 for
-     UsePrivilegedPort=yes; patch from Corinna Vinschen
-
-20140206
- - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
-   before freeing since free(NULL) is a no-op.  ok djm.
- - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
-   __NR_shutdown; some go via the socketcall(2) multiplexer.
-
-20140205
- - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
-   headers/libc but not supported by the kernel. Patch from Loganaden
-   Velvindron @ AfriNIC
-
-20140204
- - OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2014/01/27 18:58:14
-     [Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
-     replace openssl HMAC with an implementation based on our ssh_digest_*
-     ok and feedback djm@
-   - markus@cvs.openbsd.org 2014/01/27 19:18:54
-     [auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
-     replace openssl MD5 with our ssh_digest_*; ok djm@
-   - markus@cvs.openbsd.org 2014/01/27 20:13:46
-     [digest.c digest-openssl.c digest-libc.c Makefile.in]
-     rename digest.c to digest-openssl.c and add libc variant; ok djm@
-   - jmc@cvs.openbsd.org 2014/01/28 14:13:39
-     [ssh-keyscan.1]
-     kill some bad Pa;
-     From: Jan Stary
-   - djm@cvs.openbsd.org 2014/01/29 00:19:26
-     [sshd.c]
-     use kill(0, ...) instead of killpg(0, ...); on most operating systems
-     they are equivalent, but SUSv2 describes the latter as having undefined
-     behaviour; from portable; ok dtucker
-     (Id sync only; change is already in portable)
-   - djm@cvs.openbsd.org 2014/01/29 06:18:35
-     [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
-     [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
-     [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
-     remove experimental, never-enabled JPAKE code; ok markus@
-   - jmc@cvs.openbsd.org 2014/01/29 14:04:51
-     [sshd_config.5]
-     document kbdinteractiveauthentication;
-     requested From: Ross L Richardson
-     
-     dtucker/markus helped explain its workings;
-   - djm@cvs.openbsd.org 2014/01/30 22:26:14
-     [sandbox-systrace.c]
-     allow shutdown(2) syscall in sandbox - it may be called by packet_close()
-     from portable
-     (Id sync only; change is already in portable)
-   - tedu@cvs.openbsd.org 2014/01/31 16:39:19
-     [auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
-     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
-     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
-     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
-     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
-     replace most bzero with explicit_bzero, except a few that cna be memset
-     ok djm dtucker
-   - djm@cvs.openbsd.org 2014/02/02 03:44:32
-     [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
-     [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
-     [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
-     [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
-     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
-     [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
-     [sshd.c]
-     convert memset of potentially-private data to explicit_bzero()
-   - djm@cvs.openbsd.org 2014/02/03 23:28:00
-     [ssh-ecdsa.c]
-     fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
-     DSA_SIG_new. Reported by Batz Spear; ok markus@
-   - djm@cvs.openbsd.org 2014/02/02 03:44:31
-     [digest-libc.c digest-openssl.c]
-     convert memset of potentially-private data to explicit_bzero()
-   - djm@cvs.openbsd.org 2014/02/04 00:24:29
-     [ssh.c]
-     delay lowercasing of hostname until right before hostname
-     canonicalisation to unbreak case-sensitive matching of ssh_config;
-     reported by Ike Devolder; ok markus@
- - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o
- - (djm) [regress/setuid-allowed.c] Missing string.h for strerror()
-
-20140131
- - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
-   syscall from sandboxes; it may be called by packet_close.
- - (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros.  Fixes
-   build with HP-UX's compiler.  Patch from Kevin Brott.
- - (tim) [Makefile.in] build regress/setuid-allow.
-
-20140130
- - (djm) [configure.ac] Only check for width-specified integer types
-   in headers that actually exist. patch from Tom G. Christensen;
-   ok dtucker@
- - (djm) [configure.ac atomicio.c] Kludge around NetBSD offering
-   different symbols for 'read' when various compiler flags are
-   in use, causing atomicio.c comparisons against it to break and
-   read/write operations to hang; ok dtucker
- - (djm) Release openssh-6.5p1
-
-20140129
- - (djm) [configure.ac] Fix broken shell test '==' vs '='; patch from
-   Tom G. Christensen
-
-20140128
- - (djm) [configure.ac] Search for inet_ntop in libnsl and libresovl;
-   ok dtucker
- - (djm) [sshd.c] Use kill(0, ...) instead of killpg(0, ...); the
-   latter being specified to have undefined behaviour in SUSv3;
-   ok dtucker
- - (tim) [regress/agent.sh regress/agent-ptrace.sh] Assign $? to a variable
-   when used as an error message inside an if statement so we display the
-   correct into. agent.sh patch from Petr Lautrbach.
-
-20140127
- - (dtucker) [Makefile.in] Remove trailing backslash which some make
-   implementations (eg older Solaris) do not cope with.
-
-20140126
- - OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2014/01/25 10:12:50
-     [cipher.c cipher.h kex.c kex.h kexgexc.c]
-     Add a special case for the DH group size for 3des-cbc, which has an
-     effective strength much lower than the key size.  This causes problems
-     with some cryptlib implementations, which don't support group sizes larger
-     than 4k but also don't use the largest group size it does support as
-     specified in the RFC.  Based on a patch from Petr Lautrbach at Redhat,
-     reduced by me with input from Markus.  ok djm@ markus@
-   - markus@cvs.openbsd.org 2014/01/25 20:35:37
-     [kex.c]
-     dh_need needs to be set to max(seclen, blocksize, ivlen, mac_len)
-     ok dtucker@, noted by mancha
-  - (djm) [configure.ac sandbox-capsicum.c sandbox-rlimit.c] Disable
-    RLIMIT_NOFILE pseudo-sandbox on FreeBSD. In some configurations,
-    libc will attempt to open additional file descriptors for crypto
-    offload and crash if they cannot be opened.
- - (djm) [configure.ac] correct AC_DEFINE for previous.
-
-20140125
- - (djm) [configure.ac] Fix detection of capsicum sandbox on FreeBSD
- - (djm) [configure.ac] Do not attempt to use capsicum sandbox unless
-   sys/capability.h exists and cap_rights_limit is in libc. Fixes
-   build on FreeBSD9x which provides the header but not the libc
-   support.
- - (djm) [configure.ac] autoconf sets finds to 'yes' not '1', so test
-   against the correct thing.
-
-20140124
- - (djm) [Makefile.in regress/scp-ssh-wrapper.sh regress/scp.sh] Make
-   the scp regress test actually test the built scp rather than the one
-   in $PATH. ok dtucker@
-
-20140123
- - (tim) [session.c] Improve error reporting on set_id().
- - (dtucker) [configure.ac] NetBSD's (and FreeBSD's) strnvis is gratuitously
-   incompatible with OpenBSD's despite post-dating it by more than a decade.
-   Declare it as broken, and document FreeBSD's as the same.  ok djm@
-
-20140122
- - (djm) [openbsd-compat/setproctitle.c] Don't fail to compile if a
-   platform that is expected to use the reuse-argv style setproctitle
-   hack surprises us by providing a setproctitle in libc; ok dtucker
- - (djm) [configure.ac] Unless specifically requested, only attempt
-   to build Position Independent Executables on gcc >= 4.x; ok dtucker
- - (djm) [configure.ac aclocal.m4] More tests to detect fallout from
-   platform hardening options: include some long long int arithmatic
-   to detect missing support functions for -ftrapv in libgcc and
-   equivalents, actually test linking when -ftrapv is supplied and
-   set either both -pie/-fPIE or neither. feedback and ok dtucker@
-
-20140121
- - (dtucker) [configure.ac] Make PIE a configure-time option which defaults
-   to on platforms where it's known to be reliably detected and off elsewhere.
-   Works around platforms such as FreeBSD 9.1 where it does not interop with
-   -ftrapv (it seems to work but fails when trying to link ssh).  ok djm@
- - (dtucker) [aclocal.m4] Differentiate between compile-time and link-time
-   tests in the configure output.  ok djm.
- - (tim) [platform.c session.c] Fix bug affecting SVR5 platforms introduced
-   with sftp chroot support. Move set_id call after chroot.
- - (djm) [aclocal.m4] Flesh out the code run in the OSSH_CHECK_CFLAG_COMPILE
-   and OSSH_CHECK_LDFLAG_LINK tests to give them a better chance of
-   detecting toolchain-related problems; ok dtucker
-
-20140120
- - (dtucker) [gss-serv-krb5.c] Fall back to krb5_cc_gen_new if the Kerberos
-   implementation does not have krb5_cc_new_unique, similar to what we do
-   in auth-krb5.c.
- - (djm) [regress/cert-hostkey.sh] Fix regress failure on platforms that
-   skip one or more key types (e.g. RHEL/CentOS 6.5); ok dtucker@
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/01/20 00:08:48
-     [digest.c]
-     memleak; found by Loganaden Velvindron @ AfriNIC; ok markus@
-
-20140119
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2014/01/17 06:23:24
-     [sftp-server.c]
-     fix log message statvfs.  ok djm
-   - dtucker@cvs.openbsd.org 2014/01/18 09:36:26
-     [session.c]
-     explicitly define USE_PIPES to 1 to prevent redefinition warnings in
-     portable on platforms that use pipes for everything.  From vinschen at
-     redhat.
-   - dtucker@cvs.openbsd.org 2014/01/19 04:17:29
-     [canohost.c addrmatch.c]
-     Cast socklen_t when comparing to size_t and use socklen_t to iterate over
-     the ip options, both to prevent signed/unsigned comparison warnings.
-     Patch from vinschen at redhat via portable openssh, begrudging ok deraadt.
-   - djm@cvs.openbsd.org 2014/01/19 04:48:08
-     [ssh_config.5]
-     fix inverted meaning of 'no' and 'yes' for CanonicalizeFallbackLocal
-   - dtucker@cvs.openbsd.org 2014/01/19 11:21:51
-     [addrmatch.c]
-     Cast the sizeof to socklen_t so it'll work even if the supplied len is
-     negative.  Suggested by and ok djm, ok deraadt.
-
-20140118
- - (dtucker) [uidswap.c] Prevent unused variable warnings on Cygwin.  Patch
-   from vinschen at redhat.com
- - (dtucker) [openbsd-compat/bsd-cygwin_util.h] Add missing function
-   declarations that stopped being included when we stopped including
-   <windows.h> from openbsd-compat/bsd-cygwin_util.h.  Patch from vinschen at
-   redhat.com.
- - (dtucker) [configure.ac] On Cygwin the getopt variables (like optargs,
-   optind) are defined in getopt.h already.  Unfortunately they are defined as
-   "declspec(dllimport)" for historical reasons, because the GNU linker didn't
-   allow auto-import on PE/COFF targets way back when.  The problem is the
-   dllexport attributes collide with the definitions in the various source
-   files in OpenSSH, which obviousy define the variables without
-   declspec(dllimport).  The least intrusive way to get rid of these warnings
-   is to disable warnings for GCC compiler attributes when building on Cygwin.
-   Patch from vinschen at redhat.com.
- - (dtucker) [sandbox-capsicum.c] Correct some error messages and make the
-   return value check for cap_enter() consistent with the other uses in
-   FreeBSD.  From by Loganaden Velvindron @ AfriNIC via bz#2140.
-
-20140117
- - (dtucker) [aclocal.m4 configure.ac] Add some additional compiler/toolchain
-   hardening flags including -fstack-protector-strong.  These default to on
-   if the toolchain supports them, but there is a configure-time knob
-   (--without-hardening) to disable them if necessary.  ok djm@
- - (djm) [sftp-client.c] signed/unsigned comparison fix
- - (dtucker) [loginrec.c] Cast to the types specfied in the format
-    specification to prevent warnings.
- - (dtucker) [crypto_api.h] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
- - (dtucker) [poly1305.c] Wrap stdlib.h include inside #ifdef HAVE_STDINT_H.
- - (dtucker) [blocks.c fe25519.c ge25519.c hash.c sc25519.c verify.c] Include
-   includes.h to pull in all of the compatibility stuff.
- - (dtucker) [openbsd-compat/bcrypt_pbkdf.c] Wrap stdlib.h include inside
-   #ifdef HAVE_STDINT_H.
- - (dtucker) [defines.h] Add typedefs for uintXX_t types for platforms that
-   don't have them.
- - (dtucker) [configure.ac] Split AC_CHECK_FUNCS for OpenSSL functions into
-   separate lines and alphabetize for easier diffing of changes.
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/01/17 00:21:06
-     [sftp-client.c]
-     signed/unsigned comparison warning fix; from portable (Id sync only)
-   - dtucker@cvs.openbsd.org 2014/01/17 05:26:41
-     [digest.c]
-     remove unused includes.  ok djm@
- - (djm) [Makefile.in configure.ac sandbox-capsicum.c sandbox-darwin.c]
-   [sandbox-null.c sandbox-rlimit.c sandbox-seccomp-filter.c]
-   [sandbox-systrace.c ssh-sandbox.h sshd.c] Support preauth sandboxing
-   using the Capsicum API introduced in FreeBSD 10. Patch by Dag-Erling
-   Smorgrav, updated by Loganaden Velvindron @ AfriNIC; ok dtucker@
- - (dtucker) [configure.ac digest.c openbsd-compat/openssl-compat.c
-   openbsd-compat/openssl-compat.h]  Add compatibility layer for older
-   openssl versions.  ok djm@
- - (dtucker) Fix typo in #ifndef.
- - (dtucker) [configure.ac openbsd-compat/bsd-statvfs.c
-   openbsd-compat/bsd-statvfs.h] Implement enough of statvfs on top of statfs
-   to be useful (and for the regression tests to pass) on platforms that
-   have statfs and fstatfs.  ok djm@
- - (dtucker) [openbsd-compat/bsd-statvfs.h] Only start including headers if we
-   need them to cut down on the name collisions.
- - (dtucker) [configure.ac] Also look in inttypes.h for uintXX_t types.
- - (dtucker) [configure.ac] Have --without-hardening not turn off
-   stack-protector since that has a separate flag that's been around a while.
- - (dtucker) [readconf.c] Wrap paths.h inside an ifdef.  Allows building on
-   Solaris.
- - (dtucker) [defines.h] Move our definitions of uintXX_t types down to after
-   they're defined if we have to define them ourselves.  Fixes builds on old
-   AIX.
-
-20140118
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/01/16 07:31:09
-     [sftp-client.c]
-     needless and incorrect cast to size_t can break resumption of
-     large download; patch from tobias@
-   - djm@cvs.openbsd.org 2014/01/16 07:32:00
-     [version.h]
-     openssh-6.5
- - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-   [contrib/suse/openssh.spec] Crank RPM spec version numbers.
- - (djm) [README] update release notes URL.
-
-20140112
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2014/01/10 05:59:19
-     [sshd_config]
-     the /etc/ssh/ssh_host_ed25519_key is loaded by default too
-   - djm@cvs.openbsd.org 2014/01/12 08:13:13
-     [bufaux.c buffer.h kex.c kex.h kexc25519.c kexc25519c.c kexc25519s.c]
-     [kexdhc.c kexdhs.c kexecdhc.c kexecdhs.c kexgexc.c kexgexs.c]
-     avoid use of OpenSSL BIGNUM type and functions for KEX with
-     Curve25519 by adding a buffer_put_bignum2_from_string() that stores
-     a string using the bignum encoding rules. Will make it easier to
-     build a reduced-feature OpenSSH without OpenSSL in the future;
-     ok markus@
-
-20140110
- - (djm) OpenBSD CVS Sync
-   - tedu@cvs.openbsd.org 2014/01/04 17:50:55
-     [mac.c monitor_mm.c monitor_mm.h xmalloc.c]
-     use standard types and formats for size_t like variables. ok dtucker
-   - guenther@cvs.openbsd.org 2014/01/09 03:26:00
-     [sftp-common.c]
-     When formating the time for "ls -l"-style output, show dates in the future
-     with the year, and rearrange a comparison to avoid a potentional signed
-     arithmetic overflow that would give the wrong result.
-     ok djm@
-   - djm@cvs.openbsd.org 2014/01/09 23:20:00
-     [digest.c digest.h hostfile.c kex.c kex.h kexc25519.c kexc25519c.c]
-     [kexc25519s.c kexdh.c kexecdh.c kexecdhc.c kexecdhs.c kexgex.c kexgexc.c]
-     [kexgexs.c key.c key.h roaming_client.c roaming_common.c schnorr.c]
-     [schnorr.h ssh-dss.c ssh-ecdsa.c ssh-rsa.c sshconnect2.c]
-     Introduce digest API and use it to perform all hashing operations
-     rather than calling OpenSSL EVP_Digest* directly. Will make it easier
-     to build a reduced-feature OpenSSH without OpenSSL in future;
-     feedback, ok markus@
-   - djm@cvs.openbsd.org 2014/01/09 23:26:48
-     [sshconnect.c sshd.c]
-     ban clients/servers that suffer from SSH_BUG_DERIVEKEY, they are ancient,
-     deranged and might make some attacks on KEX easier; ok markus@
-
-20140108
- - (djm) [regress/.cvsignore] Ignore regress test droppings; ok dtucker@
-
-20131231
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/12/30 23:52:28
-     [auth2-hostbased.c auth2-pubkey.c compat.c compat.h ssh-rsa.c]
-     [sshconnect.c sshconnect2.c sshd.c]
-     refuse RSA keys from old proprietary clients/servers that use the
-     obsolete RSA+MD5 signature scheme. it will still be possible to connect
-     with these clients/servers but only DSA keys will be accepted, and we'll
-     deprecate them entirely in a future release. ok markus@
-
-20131229
- - (djm) [loginrec.c] Check for username truncation when looking up lastlog
-   entries
- - (djm) [regress/Makefile] Add some generated files for cleaning
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/12/19 00:10:30
-     [ssh-add.c]
-     skip requesting smartcard PIN when removing keys from agent; bz#2187
-     patch from jay AT slushpupie.com; ok dtucker
-   - dtucker@cvs.openbsd.org 2013/12/19 00:19:12
-     [serverloop.c]
-     Cast client_alive_interval to u_int64_t before assinging to
-     max_time_milliseconds to avoid potential integer overflow in the timeout.
-     bz#2170, patch from Loganaden Velvindron, ok djm@
-   - djm@cvs.openbsd.org 2013/12/19 00:27:57
-     [auth-options.c]
-     simplify freeing of source-address certificate restriction
-   - djm@cvs.openbsd.org 2013/12/19 01:04:36
-     [channels.c]
-     bz#2147: fix multiple remote forwardings with dynamically assigned
-     listen ports. In the s->c message to open the channel we were sending
-     zero (the magic number to request a dynamic port) instead of the actual
-     listen port. The client therefore had no way of discriminating between
-     them.
-     
-     Diagnosis and fix by ronf AT timeheart.net
-   - djm@cvs.openbsd.org 2013/12/19 01:19:41
-     [ssh-agent.c]
-     bz#2186: don't crash (NULL deref) when deleting PKCS#11 keys from an agent
-     that has a mix of normal and PKCS#11 keys; fix from jay AT slushpupie.com;
-     ok dtucker
-   - djm@cvs.openbsd.org 2013/12/19 22:57:13
-     [poly1305.c poly1305.h]
-     use full name for author, with his permission
-   - tedu@cvs.openbsd.org 2013/12/21 07:10:47
-     [ssh-keygen.1]
-     small typo
-   - djm@cvs.openbsd.org 2013/12/27 22:30:17
-     [ssh-dss.c ssh-ecdsa.c ssh-rsa.c]
-     make the original RSA and DSA signing/verification code look more like
-     the ECDSA/Ed25519 ones: use key_type_plain() when checking the key type
-     rather than tediously listing all variants, use __func__ for debug/
-     error messages
-   - djm@cvs.openbsd.org 2013/12/27 22:37:18
-     [ssh-rsa.c]
-     correct comment
-   - djm@cvs.openbsd.org 2013/12/29 02:28:10
-     [key.c]
-     allow ed25519 keys to appear as certificate authorities
-   - djm@cvs.openbsd.org 2013/12/29 02:37:04
-     [key.c]
-     correct comment for key_to_certified()
-   - djm@cvs.openbsd.org 2013/12/29 02:49:52
-     [key.c]
-     correct comment for key_drop_cert()
-   - djm@cvs.openbsd.org 2013/12/29 04:20:04
-     [key.c]
-     to make sure we don't omit any key types as valid CA keys again,
-     factor the valid key type check into a key_type_is_valid_ca()
-     function
-   - djm@cvs.openbsd.org 2013/12/29 04:29:25
-     [authfd.c]
-     allow deletion of ed25519 keys from the agent
-   - djm@cvs.openbsd.org 2013/12/29 04:35:50
-     [authfile.c]
-     don't refuse to load Ed25519 certificates
-   - djm@cvs.openbsd.org 2013/12/29 05:42:16
-     [ssh.c]
-     don't forget to load Ed25519 certs too
-   - djm@cvs.openbsd.org 2013/12/29 05:57:02
-     [sshconnect.c]
-     when showing other hostkeys, don't forget Ed25519 keys
-
-20131221
- - (dtucker) [regress/keytype.sh] Actually test ecdsa key types.
-
-20131219
- - (dtucker) [configure.ac] bz#2178: Don't try to use BSM on Solaris versions
-   greater than 11 either rather than just 11.  Patch from Tomas Kuthan.
- - (dtucker) [auth-pam.c] bz#2163: check return value from pam_get_item().
-   Patch from Loganaden Velvindron.
-
-20131218
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/12/07 08:08:26
-     [ssh-keygen.1]
-     document -a and -o wrt new key format
-   - naddy@cvs.openbsd.org 2013/12/07 11:58:46
-     [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8 ssh.1]
-     [ssh_config.5 sshd.8 sshd_config.5]
-     add missing mentions of ed25519; ok djm@
-   - dtucker@cvs.openbsd.org 2013/12/08 09:53:27
-     [sshd_config.5]
-     Use a literal for the default value of KEXAlgorithms.  ok deraadt jmc
-   - markus@cvs.openbsd.org 2013/12/09 11:03:45
-     [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
-     [ge25519_base.data hash.c sc25519.c sc25519.h verify.c]
-     Add Authors for the public domain ed25519/nacl code.
-     see also http://nacl.cr.yp.to/features.html
-        All of the NaCl software is in the public domain.
-     and http://ed25519.cr.yp.to/software.html
-        The Ed25519 software is in the public domain.
-   - markus@cvs.openbsd.org 2013/12/09 11:08:17
-     [crypto_api.h]
-     remove unused defines
-   - pascal@cvs.openbsd.org 2013/12/15 18:17:26
-     [ssh-add.c]
-     Make ssh-add also add .ssh/id_ed25519; fixes lie in manual page.
-     ok markus@
-   - djm@cvs.openbsd.org 2013/12/15 21:42:35
-     [cipher-chachapoly.c]
-     add some comments and constify a constant
-   - markus@cvs.openbsd.org 2013/12/17 10:36:38
-     [crypto_api.h]
-     I've assempled the header file by cut&pasting from generated headers
-     and the source files.
-
-20131208
- - (djm) [openbsd-compat/bsd-setres_id.c] Missing header; from Corinna
-   Vinschen
- - (djm) [Makefile.in regress/Makefile regress/agent-ptrace.sh]
-   [regress/setuid-allowed.c] Check that ssh-agent is not on a no-setuid
-   filesystem before running agent-ptrace.sh; ok dtucker
-
-20131207
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/12/05 22:59:45
-     [sftp-client.c]
-     fix memory leak in error path in do_readdir(); pointed out by
-     Loganaden Velvindron @ AfriNIC in bz#2163
-   - djm@cvs.openbsd.org 2013/12/06 03:40:51
-     [ssh-keygen.c]
-     remove duplicated character ('g') in getopt() string;
-     document the (few) remaining option characters so we don't have to
-     rummage next time.
-   - markus@cvs.openbsd.org 2013/12/06 13:30:08
-     [authfd.c key.c key.h ssh-agent.c]
-     move private key (de)serialization to key.c; ok djm
-   - markus@cvs.openbsd.org 2013/12/06 13:34:54
-     [authfile.c authfile.h cipher.c cipher.h key.c packet.c ssh-agent.c]
-     [ssh-keygen.c PROTOCOL.key] new private key format, bcrypt as KDF by
-     default; details in PROTOCOL.key; feedback and lots help from djm;
-     ok djm@
-   - markus@cvs.openbsd.org 2013/12/06 13:39:49
-     [authfd.c authfile.c key.c key.h myproposal.h pathnames.h readconf.c]
-     [servconf.c ssh-agent.c ssh-keygen.c ssh-keyscan.1 ssh-keyscan.c]
-     [ssh-keysign.c ssh.c ssh_config.5 sshd.8 sshd.c verify.c ssh-ed25519.c]
-     [sc25519.h sc25519.c hash.c ge25519_base.data ge25519.h ge25519.c]
-     [fe25519.h fe25519.c ed25519.c crypto_api.h blocks.c]
-     support ed25519 keys (hostkeys and user identities) using the public
-     domain ed25519 reference code from SUPERCOP, see
-     http://ed25519.cr.yp.to/software.html
-     feedback, help & ok djm@
-   - jmc@cvs.openbsd.org 2013/12/06 15:29:07
-     [sshd.8]
-     missing comma;
-   - djm@cvs.openbsd.org 2013/12/07 00:19:15
-     [key.c]
-     set k->cert = NULL after freeing it
-   - markus@cvs.openbsd.org 2013/12/06 13:52:46
-     [regress/Makefile regress/agent.sh regress/cert-hostkey.sh]
-     [regress/cert-userkey.sh regress/keytype.sh]
-     test ed25519 support; from djm@
- - (djm) [blocks.c ed25519.c fe25519.c fe25519.h ge25519.c ge25519.h]
-   [ge25519_base.data hash.c sc25519.c sc25519.h verify.c] Fix RCS idents
- - (djm) [Makefile.in] Add ed25519 sources
- - (djm) [authfile.c] Conditionalise inclusion of util.h
- - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bcrypt_pbkdf.c]
-   [openbsd-compat/blf.h openbsd-compat/blowfish.c]
-   [openbsd-compat/openbsd-compat.h] Start at supporting bcrypt_pbkdf in
-   portable.
- - (djm) [ed25519.c ssh-ed25519.c openbsd-compat/Makefile.in]
-   [openbsd-compat/bcrypt_pbkdf.c] Make ed25519/new key format compile on
-   Linux
- - (djm) [regress/cert-hostkey.sh] Fix merge botch
- - (djm) [Makefile.in] PATHSUBS and keygen bits for Ed25519; from
-   Loganaden Velvindron @ AfriNIC in bz#2179
-
-20131205
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2013/11/21 08:05:09
-     [ssh_config.5 sshd_config.5]
-     no need for .Pp before displays;
-   - deraadt@cvs.openbsd.org 2013/11/25 18:04:21
-     [ssh.1 ssh.c]
-     improve -Q usage and such.  One usage change is that the option is now
-     case-sensitive
-     ok dtucker markus djm
-   - jmc@cvs.openbsd.org 2013/11/26 12:14:54
-     [ssh.1 ssh.c]
-     - put -Q in the right place
-     - Ar was a poor choice for the arguments to -Q. i've chosen an
-       admittedly equally poor Cm, at least consistent with the rest
-       of the docs. also no need for multiple instances
-     - zap a now redundant Nm
-     - usage() sync
-   - deraadt@cvs.openbsd.org 2013/11/26 19:15:09
-     [pkcs11.h]
-     cleanup 1 << 31 idioms.  Resurrection of this issue pointed out by
-     Eitan Adler ok markus for ssh, implies same change in kerberosV
-   - djm@cvs.openbsd.org 2013/12/01 23:19:05
-     [PROTOCOL]
-     mention curve25519-sha256@libssh.org key exchange algorithm
-   - djm@cvs.openbsd.org 2013/12/02 02:50:27
-     [PROTOCOL.chacha20poly1305]
-     typo; from Jon Cave
-   - djm@cvs.openbsd.org 2013/12/02 02:56:17
-     [ssh-pkcs11-helper.c]
-     use-after-free; bz#2175 patch from Loganaden Velvindron @ AfriNIC
-   - djm@cvs.openbsd.org 2013/12/02 03:09:22
-     [key.c]
-     make key_to_blob() return a NULL blob on failure; part of
-     bz#2175 from Loganaden Velvindron @ AfriNIC
-   - djm@cvs.openbsd.org 2013/12/02 03:13:14
-     [cipher.c]
-     correct bzero of chacha20+poly1305 key context. bz#2177 from
-     Loganaden Velvindron @ AfriNIC
-     
-     Also make it a memset for consistency with the rest of cipher.c
-   - djm@cvs.openbsd.org 2013/12/04 04:20:01
-     [sftp-client.c]
-     bz#2171: don't leak local_fd on error; from Loganaden Velvindron @
-     AfriNIC
-   - djm@cvs.openbsd.org 2013/12/05 01:16:41
-     [servconf.c servconf.h]
-     bz#2161 - fix AuthorizedKeysCommand inside a Match block and
-     rearrange things so the same error is harder to make next time;
-     with and ok dtucker@
- - (dtucker) [configure.ac] bz#2173: use pkg-config --libs to include correct
-   -L location for libedit.  Patch from Serge van den Boom.
-
-20131121
- - (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/11/08 11:15:19
-     [bufaux.c bufbn.c buffer.c sftp-client.c sftp-common.c sftp-glob.c]
-     [uidswap.c] Include stdlib.h for free() as per the man page.
-   - markus@cvs.openbsd.org 2013/11/13 13:48:20
-     [ssh-pkcs11.c]
-     add missing braces found by pedro
-   - djm@cvs.openbsd.org 2013/11/20 02:19:01
-     [sshd.c]
-     delay closure of in/out fds until after "Bad protocol version
-     identification..." message, as get_remote_ipaddr/get_remote_port
-     require them open.
-   - deraadt@cvs.openbsd.org 2013/11/20 20:53:10
-     [scp.c]
-     unsigned casts for ctype macros where neccessary
-     ok guenther millert markus
-   - deraadt@cvs.openbsd.org 2013/11/20 20:54:10
-     [canohost.c clientloop.c match.c readconf.c sftp.c]
-     unsigned casts for ctype macros where neccessary
-     ok guenther millert markus
-   - djm@cvs.openbsd.org 2013/11/21 00:45:44
-     [Makefile.in PROTOCOL PROTOCOL.chacha20poly1305 authfile.c chacha.c]
-     [chacha.h cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h]
-     [dh.c myproposal.h packet.c poly1305.c poly1305.h servconf.c ssh.1]
-     [ssh.c ssh_config.5 sshd_config.5] Add a new protocol 2 transport
-     cipher "chacha20-poly1305@openssh.com" that combines Daniel
-     Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an
-     authenticated encryption mode.
-     
-     Inspired by and similar to Adam Langley's proposal for TLS:
-     http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
-     but differs in layout used for the MAC calculation and the use of a
-     second ChaCha20 instance to separately encrypt packet lengths.
-     Details are in the PROTOCOL.chacha20poly1305 file.
-     
-     Feedback markus@, naddy@; manpage bits Loganden Velvindron @ AfriNIC
-     ok markus@ naddy@
-   - naddy@cvs.openbsd.org 2013/11/18 05:09:32
-     [regress/forward-control.sh]
-     bump timeout to 10 seconds to allow slow machines (e.g. Alpha PC164)
-     to successfully run this; ok djm@
-   - djm@cvs.openbsd.org 2013/11/21 03:15:46
-     [regress/krl.sh]
-     add some reminders for additional tests that I'd like to implement
-   - djm@cvs.openbsd.org 2013/11/21 03:16:47
-     [regress/modpipe.c]
-     use unsigned long long instead of u_int64_t here to avoid warnings
-     on some systems portable OpenSSH is built on.
-   - djm@cvs.openbsd.org 2013/11/21 03:18:51
-     [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
-     [regress/try-ciphers.sh]
-     use new "ssh -Q cipher-auth" query to obtain lists of authenticated
-     encryption ciphers instead of specifying them manually; ensures that
-     the new chacha20poly1305@openssh.com mode is tested;
-     
-     ok markus@ and naddy@ as part of the diff to add
-     chacha20poly1305@openssh.com
-
-20131110
- - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
-   querying the ones that are compiled in.
-
-20131109
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/11/09 05:41:34
-     [regress/test-exec.sh regress/rekey.sh]
-     Use smaller test data files to speed up tests.  Grow test datafiles
-     where necessary for a specific test.
- - (dtucker) [configure.ac kex.c key.c myproposal.h] Test for the presence of
-   NID_X9_62_prime256v1, NID_secp384r1 and NID_secp521r1 and test that the
-   latter actually works before using it.  Fedora (at least) has NID_secp521r1
-   that doesn't work (see https://bugzilla.redhat.com/show_bug.cgi?id=1021897).
- - (dtucker) [configure.ac] Fix brackets in NID_secp521r1 test.
- - (dtucker) [configure.ac] Add missing "test".
- - (dtucker) [key.c] Check for the correct defines for NID_secp521r1.
-
-20131108
- - (dtucker) OpenBSD CVS Sync
-    - dtucker@cvs.openbsd.org 2013/11/08 01:06:14
-      [regress/rekey.sh]
-      Rekey less frequently during tests to speed them up
- - (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/11/07 11:58:27
-     [cipher.c cipher.h kex.c kex.h mac.c mac.h servconf.c ssh.c]
-     Output the effective values of Ciphers, MACs and KexAlgorithms when
-     the default has not been overridden.  ok markus@
-   - djm@cvs.openbsd.org 2013/11/08 00:39:15
-     [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c]
-     [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c]
-     [sftp-client.c sftp-glob.c]
-     use calloc for all structure allocations; from markus@
-   - djm@cvs.openbsd.org 2013/11/08 01:38:11
-     [version.h]
-     openssh-6.4
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-   [contrib/suse/openssh.spec] Update version numbers following release.
- - (dtucker) [openbsd-compat/openbsd-compat.h] Add null implementation of
-   arc4random_stir for platforms that have arc4random but don't have
-   arc4random_stir (right now this is only OpenBSD -current).
- - (dtucker) [kex.c] Only enable CURVE25519_SHA256 if we actually have
-   EVP_sha256.
- - (dtucker) [myproposal.h] Conditionally enable CURVE25519_SHA256.
- - (dtucker) [openbsd-compat/bsd-poll.c] Add headers to prevent compile
-   warnings.
- - (dtucker) [Makefile.in configure.ac] Set MALLOC_OPTIONS per platform
-   and pass in TEST_ENV.  use stderr to get polluted
-   and the stderr-data test to fail.
- - (dtucker) [contrib/cygwin/ssh-host-config] Simplify host key generation:
-   rather than testing and generating each key, call ssh-keygen -A.
-   Patch from vinschen at redhat.com.
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/11/09 05:41:34
-     [regress/test-exec.sh regress/rekey.sh]
-     Use smaller test data files to speed up tests.  Grow test datafiles
-     where necessary for a specific test.
-
-20131107
- - (djm) [ssh-pkcs11.c] Bring back "non-constant initialiser" fix (rev 1.5)
-   that got lost in recent merge.
- - (djm) [Makefile.in monitor.c] Missed chunks of curve25519 KEX diff
- - (djm) [regress/modpipe.c regress/rekey.sh] Never intended to commit these
- - (djm) [configure.ac defines.h] Skip arc4random_stir() calls on platforms
-   that lack it but have arc4random_uniform()
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2013/11/04 11:51:16
-     [monitor.c]
-     fix rekeying for KEX_C25519_SHA256; noted by dtucker@
-     RCSID sync only; I thought this was a merge botch and fixed it already
-   - markus@cvs.openbsd.org 2013/11/06 16:52:11
-     [monitor_wrap.c]
-     fix rekeying for AES-GCM modes; ok deraadt
-   - djm@cvs.openbsd.org 2013/11/06 23:05:59
-     [ssh-pkcs11.c]
-     from portable: s/true/true_val/ to avoid name collisions on dump platforms
-     RCSID sync only
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/10/09 23:44:14
-     [regress/Makefile] (ID sync only)
-     regression test for sftp request white/blacklisting and readonly mode.
-   - markus@cvs.openbsd.org 2013/11/02 22:39:53
-     [regress/kextype.sh]
-     add curve25519-sha256@libssh.org
-   - dtucker@cvs.openbsd.org 2013/11/04 12:27:42
-     [regress/rekey.sh]
-     Test rekeying with all KexAlgorithms.
-   - dtucker@cvs.openbsd.org 2013/11/07 00:12:05
-     [regress/rekey.sh]
-     Test rekeying for every Cipher, MAC and KEX, plus test every KEX with
-     the GCM ciphers.
-   - dtucker@cvs.openbsd.org 2013/11/07 01:12:51
-     [regress/rekey.sh]
-     Factor out the data transfer rekey tests
-   - dtucker@cvs.openbsd.org 2013/11/07 02:48:38
-     [regress/integrity.sh regress/cipher-speed.sh regress/try-ciphers.sh]
-     Use ssh -Q instead of hardcoding lists of ciphers or MACs.
-   - dtucker@cvs.openbsd.org 2013/11/07 03:55:41
-     [regress/kextype.sh]
-     Use ssh -Q to get kex types instead of a static list.
-   - dtucker@cvs.openbsd.org 2013/11/07 04:26:56
-     [regress/kextype.sh]
-     trailing space
- - (dtucker) [Makefile.in configure.ac] Remove TEST_SSH_SHA256 environment
-   variable.  It's no longer used now that we get the supported MACs from
-   ssh -Q.
-
-20131104
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2013/11/02 20:03:54
-     [ssh-pkcs11.c]
-     support pkcs#11 tokes that only provide x509 zerts instead of raw pubkeys;
-     fixes bz#1908; based on patch from Laurent Barbe; ok djm
-   - markus@cvs.openbsd.org 2013/11/02 21:59:15
-     [kex.c kex.h myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
-     use curve25519 for default key exchange (curve25519-sha256@libssh.org);
-     initial patch from Aris Adamantiadis; ok djm@
-   - markus@cvs.openbsd.org 2013/11/02 22:10:15
-     [kexdhs.c kexecdhs.c]
-     no need to include monitor_wrap.h
-   - markus@cvs.openbsd.org 2013/11/02 22:24:24
-     [kexdhs.c kexecdhs.c]
-     no need to include ssh-gss.h
-   - markus@cvs.openbsd.org 2013/11/02 22:34:01
-     [auth-options.c]
-     no need to include monitor_wrap.h and ssh-gss.h
-   - markus@cvs.openbsd.org 2013/11/02 22:39:19
-     [ssh_config.5 sshd_config.5]
-     the default kex is now curve25519-sha256@libssh.org
-   - djm@cvs.openbsd.org 2013/11/03 10:37:19
-     [roaming_common.c]
-     fix a couple of function definitions foo() -> foo(void)
-     (-Wold-style-definition)
- - (djm) [kexc25519.c kexc25519c.c kexc25519s.c] Import missed files from
-   KEX/curve25519 change
-
-20131103
- - (dtucker) [openbsd-compat/bsd-misc.c] Include time.h for nanosleep.
-   From OpenSMTPD where it prevents "implicit declaration" warnings (it's
-   a no-op in OpenSSH).  From chl at openbsd.
- - (dtucker) [openbsd-compat/setproctitle.c] Handle error case form the 2nd
-   vsnprintf.  From eric at openbsd via chl@.
- - (dtucker) [configure.ac defines.h] Add typedefs for intmax_t and uintmax_t
-   for platforms that don't have them.
-
-20131030
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/10/29 09:42:11
-     [key.c key.h]
-     fix potential stack exhaustion caused by nested certificates;
-     report by Mateusz Kocielski; ok dtucker@ markus@
-   - djm@cvs.openbsd.org 2013/10/29 09:48:02
-     [servconf.c servconf.h session.c sshd_config sshd_config.5]
-     shd_config PermitTTY to disallow TTY allocation, mirroring the
-     longstanding no-pty authorized_keys option;
-     bz#2070, patch from Teran McKinney; ok markus@
-   - jmc@cvs.openbsd.org 2013/10/29 18:49:32
-     [sshd_config.5]
-     pty(4), not pty(7);
-
-20131026
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/10/25 23:04:51
-     [ssh.c]
-     fix crash when using ProxyCommand caused by previous commit - was calling
-     freeaddrinfo(NULL); spotted by sthen@ and Tim Ruehsen, patch by sthen@
-
-20131025
- - (djm) [ssh-keygen.c ssh-keysign.c sshconnect1.c sshd.c] Remove
-   unnecessary arc4random_stir() calls. The only ones left are to ensure
-   that the PRNG gets a different state after fork() for platforms that
-   have broken the API.
-
-20131024
- - (djm) [auth-krb5.c] bz#2032 - use local username in krb5_kuserok check
-   rather than full client name which may be of form user@REALM;
-   patch from Miguel Sanders; ok dtucker@
- - (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/10/23 05:40:58
-     [servconf.c]
-     fix comment
-   - djm@cvs.openbsd.org 2013/10/23 23:35:32
-     [sshd.c]
-     include local address and port in "Connection from ..." message (only
-     shown at loglevel>=verbose)
-   - dtucker@cvs.openbsd.org 2013/10/24 00:49:49
-     [moduli.c]
-     Periodically print progress and, if possible, expected time to completion
-     when screening moduli for DH groups.  ok deraadt djm
-   - dtucker@cvs.openbsd.org 2013/10/24 00:51:48
-     [readconf.c servconf.c ssh_config.5 sshd_config.5]
-     Disallow empty Match statements and add "Match all" which matches
-     everything.  ok djm, man page help jmc@
-   - djm@cvs.openbsd.org 2013/10/24 08:19:36
-     [ssh.c]
-     fix bug introduced in hostname canonicalisation commit: don't try to
-     resolve hostnames when a ProxyCommand is set unless the user has forced
-     canonicalisation; spotted by Iain Morgan
- - (tim) [regress/sftp-perm.sh] We need a shell that understands "! somecmd"
-
-20131023
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/10/20 04:39:28
-     [ssh_config.5]
-     document % expansions performed by "Match command ..."
-   - djm@cvs.openbsd.org 2013/10/20 06:19:28
-     [readconf.c ssh_config.5]
-     rename "command" subclause of the recently-added "Match" keyword to
-     "exec"; it's shorter, clearer in intent and we might want to add the
-     ability to match against the command being executed at the remote end in
-     the future.
-   - djm@cvs.openbsd.org 2013/10/20 09:51:26
-     [scp.1 sftp.1]
-     add canonicalisation options to -o lists
-   - jmc@cvs.openbsd.org 2013/10/20 18:00:13
-     [ssh_config.5]
-     tweak the "exec" description, as worded by djm;
-   - djm@cvs.openbsd.org 2013/10/23 03:03:07
-     [readconf.c]
-     Hostname may have %h sequences that should be expanded prior to Match
-     evaluation; spotted by Iain Morgan
-   - djm@cvs.openbsd.org 2013/10/23 03:05:19
-     [readconf.c ssh.c]
-     comment
-   - djm@cvs.openbsd.org 2013/10/23 04:16:22
-     [ssh-keygen.c]
-     Make code match documentation: relative-specified certificate expiry time
-     should be relative to current time and not the validity start time.
-     Reported by Petr Lautrbach; ok deraadt@
-
-20131018
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/10/09 23:44:14
-     [regress/Makefile regress/sftp-perm.sh]
-     regression test for sftp request white/blacklisting and readonly mode.
-   - jmc@cvs.openbsd.org 2013/10/17 07:35:48
-     [sftp.1 sftp.c]
-     tweak previous;
-   - djm@cvs.openbsd.org 2013/10/17 22:08:04
-     [sshd.c]
-     include remote port in bad banner message; bz#2162
-
-20131017
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2013/10/15 14:10:25
-     [ssh.1 ssh_config.5]
-     tweak previous;
-   - djm@cvs.openbsd.org 2013/10/16 02:31:47
-     [readconf.c readconf.h roaming_client.c ssh.1 ssh.c ssh_config.5]
-     [sshconnect.c sshconnect.h]
-     Implement client-side hostname canonicalisation to allow an explicit
-     search path of domain suffixes to use to convert unqualified host names
-     to fully-qualified ones for host key matching.
-     This is particularly useful for host certificates, which would otherwise
-     need to list unqualified names alongside fully-qualified ones (and this
-     causes a number of problems).
-     "looks fine" markus@
-   - jmc@cvs.openbsd.org 2013/10/16 06:42:25
-     [ssh_config.5]
-     tweak previous;
-   - djm@cvs.openbsd.org 2013/10/16 22:49:39
-     [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
-     s/canonicalise/canonicalize/ for consistency with existing spelling,
-     e.g. authorized_keys; pointed out by naddy@
-   - djm@cvs.openbsd.org 2013/10/16 22:58:01
-     [ssh.c ssh_config.5]
-     one I missed in previous: s/isation/ization/
-   - djm@cvs.openbsd.org 2013/10/17 00:30:13
-     [PROTOCOL sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c]
-     fsync@openssh.com protocol extension for sftp-server
-     client support to allow calling fsync() faster successful transfer
-     patch mostly by imorgan AT nas.nasa.gov; bz#1798
-     "fine" markus@ "grumble OK" deraadt@ "doesn't sound bad to me" millert@
-   - djm@cvs.openbsd.org 2013/10/17 00:46:49
-     [ssh.c]
-     rearrange check to reduce diff against -portable
-     (Id sync only)
-
-20131015
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/10/09 23:42:17
-     [sftp-server.8 sftp-server.c]
-     Add ability to whitelist and/or blacklist sftp protocol requests by name.
-     Refactor dispatch loop and consolidate read-only mode checks.
-     Make global variables static, since sftp-server is linked into sshd(8).
-     ok dtucker@
-   - djm@cvs.openbsd.org 2013/10/10 00:53:25
-     [sftp-server.c]
-     add -Q, -P and -p to usage() before jmc@ catches me
-   - djm@cvs.openbsd.org 2013/10/10 01:43:03
-     [sshd.c]
-     bz#2139: fix re-exec fallback by ensuring that startup_pipe is correctly
-     updated; ok dtucker@
-   - djm@cvs.openbsd.org 2013/10/11 02:45:36
-     [sftp-client.c]
-     rename flag arguments to be more clear and consistent.
-     reorder some internal function arguments to make adding additional flags
-     easier.
-     no functional change
-   - djm@cvs.openbsd.org 2013/10/11 02:52:23
-     [sftp-client.c]
-     missed one arg reorder
-   - djm@cvs.openbsd.org 2013/10/11 02:53:45
-     [sftp-client.h]
-     obsolete comment
-   - jmc@cvs.openbsd.org 2013/10/14 14:18:56
-     [sftp-server.8 sftp-server.c]
-     tweak previous;
-     ok djm
-   - djm@cvs.openbsd.org 2013/10/14 21:20:52
-     [session.c session.h]
-     Add logging of session starts in a useful format; ok markus@ feedback and
-     ok dtucker@
-   - djm@cvs.openbsd.org 2013/10/14 22:22:05
-     [readconf.c readconf.h ssh-keysign.c ssh.c ssh_config.5]
-     add a "Match" keyword to ssh_config that allows matching on hostname,
-     user and result of arbitrary commands. "nice work" markus@
-   - djm@cvs.openbsd.org 2013/10/14 23:28:23
-     [canohost.c misc.c misc.h readconf.c sftp-server.c ssh.c]
-     refactor client config code a little:
-     add multistate option partsing to readconf.c, similar to servconf.c's
-     existing code.
-     move checking of options that accept "none" as an argument to readconf.c
-     add a lowercase() function and use it instead of explicit tolower() in
-     loops
-     part of a larger diff that was ok markus@
-   - djm@cvs.openbsd.org 2013/10/14 23:31:01
-     [ssh.c]
-     whitespace at EOL; pointed out by markus@
- - [ssh.c] g/c unused variable.
-
-20131010
- - (dtucker) OpenBSD CVS Sync
-   - sthen@cvs.openbsd.org 2013/09/16 11:35:43
-     [ssh_config]
-     Remove gssapi config parts from ssh_config, as was already done for
-     sshd_config.  Req by/ok ajacoutot@
-     ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
-   - djm@cvs.openbsd.org 2013/09/19 00:24:52
-     [progressmeter.c]
-     store the initial file offset so the progress meter doesn't freak out
-     when resuming sftp transfers. bz#2137; patch from Iain Morgan; ok dtucker@`
-   - djm@cvs.openbsd.org 2013/09/19 00:49:12
-     [sftp-client.c]
-     fix swapped pflag and printflag in sftp upload_dir; from Iain Morgan
-   - djm@cvs.openbsd.org 2013/09/19 01:24:46
-     [channels.c]
-     bz#1297 - tell the client (via packet_send_debug) when their preferred
-     listen address has been overridden by the server's GatewayPorts;
-     ok dtucker@
-   - djm@cvs.openbsd.org 2013/09/19 01:26:29
-     [sshconnect.c]
-     bz#1211: make BindAddress work with UsePrivilegedPort=yes; patch from
-     swp AT swp.pp.ru; ok dtucker@
-   - dtucker@cvs.openbsd.org 2013/10/08 11:42:13
-     [dh.c dh.h]
-     Increase the size of the Diffie-Hellman groups requested for a each
-     symmetric key size.  New values from NIST Special Publication 800-57 with
-     the upper limit specified by RFC4419.  Pointed out by Peter Backes, ok
-     djm@.
-
-20131009
- - (djm) [openbsd-compat/arc4random.c openbsd-compat/chacha_private.h] Pull
-   in OpenBSD implementation of arc4random, shortly to replace the existing
-   bsd-arc4random.c
- - (djm) [openbsd-compat/Makefile.in openbsd-compat/arc4random.c]
-   [openbsd-compat/bsd-arc4random.c] Replace old RC4-based arc4random
-   implementation with recent OpenBSD's ChaCha-based PRNG. ok dtucker@,
-   tested tim@
-
-20130922
- - (dtucker) [platform.c platform.h sshd.c] bz#2156: restore Linux oom_adj
-   setting when handling SIGHUP to maintain behaviour over retart.  Patch
-   from Matthew Ife.
-
-20130918
- - (dtucker) [sshd_config] Trailing whitespace; from jstjohn at purdue edu.
-
-20130914
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/08/22 19:02:21
-     [sshd.c]
-     Stir PRNG after post-accept fork. The child gets a different PRNG state
-     anyway via rexec and explicit privsep reseeds, but it's good to be sure.
-     ok markus@
-   - mikeb@cvs.openbsd.org 2013/08/28 12:34:27
-     [ssh-keygen.c]
-     improve batch processing a bit by making use of the quite flag a bit
-     more often and exit with a non zero code if asked to find a hostname
-     in a known_hosts file and it wasn't there;
-     originally from reyk@,  ok djm
-   - djm@cvs.openbsd.org 2013/08/31 00:13:54
-     [sftp.c]
-     make ^w match ksh behaviour (delete previous word instead of entire line)
-   - deraadt@cvs.openbsd.org 2013/09/02 22:00:34
-     [ssh-keygen.c sshconnect1.c sshd.c]
-     All the instances of arc4random_stir() are bogus, since arc4random()
-     does this itself, inside itself, and has for a very long time..  Actually,
-     this was probably reducing the entropy available.
-     ok djm
-     ID SYNC ONLY for portable; we don't trust other arc4random implementations
-     to do this right.
-   - sthen@cvs.openbsd.org 2013/09/07 13:53:11
-     [sshd_config]
-     Remove commented-out kerberos/gssapi config options from sample config,
-     kerberos support is currently not enabled in ssh in OpenBSD. Discussed with
-     various people; ok deraadt@
-     ID SYNC ONLY for portable; kerberos/gssapi is still pretty popular
-   - djm@cvs.openbsd.org 2013/09/12 01:41:12
-     [clientloop.c]
-     fix connection crash when sending break (~B) on ControlPersist'd session;
-     ok dtucker@
-   - djm@cvs.openbsd.org 2013/09/13 06:54:34
-     [channels.c]
-     avoid unaligned access in code that reused a buffer to send a
-     struct in_addr in a reply; simpler just use use buffer_put_int();
-     from portable; spotted by and ok dtucker@
-
-20130828
- - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the
-   'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we
-   start to use them in the future.
- - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef noytet for intmax_t bits
-   until we have configure support.
-
-20130821
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/08/06 23:03:49
-     [sftp.c]
-     fix some whitespace at EOL
-     make list of commands an enum rather than a long list of defines
-     add -a to usage()
-   - djm@cvs.openbsd.org 2013/08/06 23:05:01
-     [sftp.1]
-     document top-level -a option (the -a option to 'get' was already
-     documented)
-   - djm@cvs.openbsd.org 2013/08/06 23:06:01
-     [servconf.c]
-     add cast to avoid format warning; from portable
-   - jmc@cvs.openbsd.org 2013/08/07 06:24:51
-     [sftp.1 sftp.c]
-     sort -a;
-   - djm@cvs.openbsd.org 2013/08/08 04:52:04
-     [sftp.c]
-     fix two year old regression: symlinking a file would incorrectly
-     canonicalise the target path. bz#2129 report from delphij AT freebsd.org
-   - djm@cvs.openbsd.org 2013/08/08 05:04:03
-     [sftp-client.c sftp-client.h sftp.c]
-     add a "-l" flag for the rename command to force it to use the silly
-     standard SSH_FXP_RENAME command instead of the POSIX-rename- like
-     posix-rename@openssh.com extension.
-
-     intended for use in regress tests, so no documentation.
-   - djm@cvs.openbsd.org 2013/08/09 03:37:25
-     [sftp.c]
-     do getopt parsing for all sftp commands (with an empty optstring for
-     commands without arguments) to ensure consistent behaviour
-   - djm@cvs.openbsd.org 2013/08/09 03:39:13
-     [sftp-client.c]
-     two problems found by a to-be-committed regress test: 1) msg_id was not
-     being initialised so was starting at a random value from the heap
-     (harmless, but confusing). 2) some error conditions were not being
-     propagated back to the caller
-   - djm@cvs.openbsd.org 2013/08/09 03:56:42
-     [sftp.c]
-     enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word;
-     matching ksh's relatively recent change.
-   - djm@cvs.openbsd.org 2013/08/13 18:32:08
-     [ssh-keygen.c]
-     typo in error message; from Stephan Rickauer
-   - djm@cvs.openbsd.org 2013/08/13 18:33:08
-     [ssh-keygen.c]
-     another of the same typo
-   - jmc@cvs.openbsd.org 2013/08/14 08:39:27
-     [scp.1 ssh.1]
-     some Bx/Ox conversion;
-     From: Jan Stary
-   - djm@cvs.openbsd.org 2013/08/20 00:11:38
-     [readconf.c readconf.h ssh_config.5 sshconnect.c]
-     Add a ssh_config ProxyUseFDPass option that supports the use of
-     ProxyCommands that establish a connection and then pass a connected
-     file descriptor back to ssh(1). This allows the ProxyCommand to exit
-     rather than have to shuffle data back and forth and enables ssh to use
-     getpeername, etc. to obtain address information just like it does with
-     regular directly-connected sockets. ok markus@
-   - jmc@cvs.openbsd.org 2013/08/20 06:56:07
-     [ssh.1 ssh_config.5]
-     some proxyusefdpass tweaks;
-
-20130808
- - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt
-   since some platforms (eg really old FreeBSD) don't have it.  Instead,
-   run "make clean" before a complete regress run.  ok djm.
- - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime(
-   CLOCK_MONOTONIC...) fails.  Some older versions of RHEL have the
-   CLOCK_MONOTONIC define but don't actually support it.  Found and tested
-   by Kevin Brott, ok djm.
- - (dtucker) [misc.c] Remove define added for fallback testing that was
-   mistakenly included in the previous commit.
- - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt
-   removal.  The "make clean" removes modpipe which is built by the top-level
-   directory before running the tests.  Spotted by tim@
- - (djm) Release 6.3p1
-
-20130804
- - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support
-   for building with older Heimdal versions.  ok djm.
-
-20130801
- - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non-
-   blocking connecting socket will clear any stored errno that might
-   otherwise have been retrievable via getsockopt(). A hack to limit writes
-   to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap
-   it in an #ifdef. Diagnosis and patch from Ivo Raisr.
- - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134
-
-20130725
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/07/20 22:20:42
-     [krl.c]
-     fix verification error in (as-yet usused) KRL signature checking path
-   - djm@cvs.openbsd.org 2013/07/22 05:00:17
-     [umac.c]
-     make MAC key, data to be hashed and nonce for final hash const;
-     checked with -Wcast-qual
-   - djm@cvs.openbsd.org 2013/07/22 12:20:02
-     [umac.h]
-     oops, forgot to commit corresponding header change;
-     spotted by jsg and jasper
-   - djm@cvs.openbsd.org 2013/07/25 00:29:10
-     [ssh.c]
-     daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure
-     it is fully detached from its controlling terminal. based on debugging
-   - djm@cvs.openbsd.org 2013/07/25 00:56:52
-     [sftp-client.c sftp-client.h sftp.1 sftp.c]
-     sftp support for resuming partial downloads; patch mostly by Loganaden
-     Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@
-     "Just be careful" deraadt@
-   - djm@cvs.openbsd.org 2013/07/25 00:57:37
-     [version.h]
-     openssh-6.3 for release
-   - dtucker@cvs.openbsd.org 2013/05/30 20:12:32
-     [regress/test-exec.sh]
-     use ssh and sshd as testdata since it needs to be >256k for the rekey test
-   - dtucker@cvs.openbsd.org 2013/06/10 21:56:43
-     [regress/forwarding.sh]
-     Add test for forward config parsing
-   - djm@cvs.openbsd.org 2013/06/21 02:26:26
-     [regress/sftp-cmds.sh regress/test-exec.sh]
-     unbreak sftp-cmds for renamed test data (s/ls/data/)
- - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on
-   Solaris and UnixWare. Feedback and OK djm@
- - (tim) [regress/forwarding.sh] Fix for building outside source tree.
-
-20130720
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2013/07/19 07:37:48
-     [auth.h kex.h kexdhs.c kexecdhs.c kexgexs.c monitor.c servconf.c]
-     [servconf.h session.c sshd.c sshd_config.5]
-     add ssh-agent(1) support to sshd(8); allows encrypted hostkeys,
-     or hostkeys on smartcards; most of the work by Zev Weiss; bz #1974
-     ok djm@
-   - djm@cvs.openbsd.org 2013/07/20 01:43:46
-     [umac.c]
-     use a union to ensure correct alignment; ok deraadt
-   - djm@cvs.openbsd.org 2013/07/20 01:44:37
-     [ssh-keygen.c ssh.c]
-     More useful error message on missing current user in /etc/passwd
-   - djm@cvs.openbsd.org 2013/07/20 01:50:20
-     [ssh-agent.c]
-     call cleanup_handler on SIGINT when in debug mode to ensure sockets
-     are cleaned up on manual exit; bz#2120
-   - djm@cvs.openbsd.org 2013/07/20 01:55:13
-     [auth-krb5.c gss-serv-krb5.c gss-serv.c]
-     fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@
-
-20130718
- - (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/06/10 19:19:44
-     [readconf.c]
-     revert 1.203 while we investigate crashes reported by okan@
-   - guenther@cvs.openbsd.org 2013/06/17 04:48:42
-     [scp.c]
-     Handle time_t values as long long's when formatting them and when
-     parsing them from remote servers.
-     Improve error checking in parsing of 'T' lines.
-     ok dtucker@ deraadt@
-   - markus@cvs.openbsd.org 2013/06/20 19:15:06
-     [krl.c]
-     don't leak the rdata blob on errors; ok djm@
-   - djm@cvs.openbsd.org 2013/06/21 00:34:49
-     [auth-rsa.c auth.h auth2-hostbased.c auth2-pubkey.c monitor.c]
-     for hostbased authentication, print the client host and user on
-     the auth success/failure line; bz#2064, ok dtucker@
-   - djm@cvs.openbsd.org 2013/06/21 00:37:49
-     [ssh_config.5]
-     explicitly mention that IdentitiesOnly can be used with IdentityFile
-     to control which keys are offered from an agent.
-   - djm@cvs.openbsd.org 2013/06/21 05:42:32
-     [dh.c]
-     sprinkle in some error() to explain moduli(5) parse failures
-   - djm@cvs.openbsd.org 2013/06/21 05:43:10
-     [scp.c]
-     make this -Wsign-compare clean after time_t conversion
-   - djm@cvs.openbsd.org 2013/06/22 06:31:57
-     [scp.c]
-     improved time_t overflow check suggested by guenther@
-   - jmc@cvs.openbsd.org 2013/06/27 14:05:37
-     [ssh-keygen.1 ssh.1 ssh_config.5 sshd.8 sshd_config.5]
-     do not use Sx for sections outwith the man page - ingo informs me that
-     stuff like html will render with broken links;
-     issue reported by Eric S. Raymond, via djm
-   - markus@cvs.openbsd.org 2013/07/02 12:31:43
-     [dh.c]
-     remove extra whitespace
-   - djm@cvs.openbsd.org 2013/07/12 00:19:59
-     [auth-options.c auth-rsa.c bufaux.c buffer.h channels.c hostfile.c]
-     [hostfile.h mux.c packet.c packet.h roaming_common.c serverloop.c]
-     fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
-   - djm@cvs.openbsd.org 2013/07/12 00:20:00
-     [sftp.c ssh-keygen.c ssh-pkcs11.c]
-     fix pointer-signedness warnings from clang/llvm-3.3; "seems nice" deraadt@
-   - djm@cvs.openbsd.org 2013/07/12 00:43:50
-     [misc.c]
-     in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
-     errno == 0. Avoids confusing error message in some broken resolver
-     cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
-   - djm@cvs.openbsd.org 2013/07/12 05:42:03
-     [ssh-keygen.c]
-     do_print_resource_record() can never be called with a NULL filename, so
-     don't attempt (and bungle) asking for one if it has not been specified
-     bz#2127 ok dtucker@
-   - djm@cvs.openbsd.org 2013/07/12 05:48:55
-     [ssh.c]
-     set TCP nodelay for connections started with -N; bz#2124 ok dtucker@
-   - schwarze@cvs.openbsd.org 2013/07/16 00:07:52
-     [scp.1 sftp-server.8 ssh-keyscan.1 ssh-keysign.8 ssh-pkcs11-helper.8]
-     use .Mt for email addresses; from Jan Stary <hans at stare dot cz>; ok jmc@
-   - djm@cvs.openbsd.org 2013/07/18 01:12:26
-     [ssh.1]
-     be more exact wrt perms for ~/.ssh/config; bz#2078
-
-20130702
- - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
-   contrib/cygwin/ssh-user-config] Modernizes and improve readability of
-   the Cygwin README file (which hasn't been updated for ages), drop
-   unsupported OSes from the ssh-host-config help text, and drop an
-   unneeded option from ssh-user-config.  Patch from vinschen at redhat com.
-
-20130610
- - (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/06/07 15:37:52
-     [channels.c channels.h clientloop.c]
-     Add an "ABANDONED" channel state and use for mux sessions that are
-     disconnected via the ~. escape sequence.  Channels in this state will
-     be able to close if the server responds, but do not count as active channels.
-     This means that if you ~. all of the mux clients when using ControlPersist
-     on a broken network, the backgrounded mux master will exit when the
-     Control Persist time expires rather than hanging around indefinitely.
-     bz#1917, also reported and tested by tedu@.  ok djm@ markus@.
- - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported
-   algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages.
- - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
-   the required OpenSSL support.  Patch from naddy at freebsd.
- - (dtucker) [myproposal.h] Make the conditional algorithm support consistent
-   and add some comments so it's clear what goes where.
-
-20130605
- - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of
-   the necessary functions, not from the openssl version.
- - (dtucker) [contrib/ssh-copy-id] bz#2117: Use portable operator in test.
-   Patch from cjwatson at debian.
- - (dtucker) [regress/forwarding.sh] For (as yet unknown) reason, the
-   forwarding test is extremely slow copying data on some machines so switch
-   back to copying the much smaller ls binary until we can figure out why
-   this is.
- - (dtucker) [Makefile.in] append $CFLAGS to compiler options when building
-   modpipe in case there's anything in there we need.
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/06/02 21:01:51
-     [channels.h]
-     typo in comment
-   - dtucker@cvs.openbsd.org 2013/06/02 23:36:29
-     [clientloop.h clientloop.c mux.c]
-     No need for the mux cleanup callback to be visible so restore it to static
-     and call it through the detach_user function pointer.  ok djm@
-   - dtucker@cvs.openbsd.org 2013/06/03 00:03:18
-     [mac.c]
-     force the MAC output to be 64-bit aligned so umac won't see unaligned
-     accesses on strict-alignment architectures.  bz#2101, patch from
-     tomas.kuthan at oracle.com, ok djm@
-   - dtucker@cvs.openbsd.org 2013/06/04 19:12:23
-     [scp.c]
-     use MAXPATHLEN for buffer size instead of fixed value.  ok markus
-   - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
-     [sftp.c]
-     Make sftp's libedit interface marginally multibyte aware by building up
-     the quoted string by character instead of by byte.  Prevents failures
-     when linked against a libedit built with wide character support (bz#1990).
-     "looks ok" djm
-   - dtucker@cvs.openbsd.org 2013/06/05 02:07:29
-     [mux.c]
-     fix leaks in mux error paths, from Zhenbo Xu, found by Melton. bz#1967,
-     ok djm
-   - dtucker@cvs.openbsd.org 2013/06/05 02:27:50
-     [sshd.c]
-     When running sshd -D, close stderr unless we have explicitly requesting
-     logging to stderr. From james.hunt at ubuntu.com via bz#1976, djm's patch
-     so, err, ok dtucker.
-   - dtucker@cvs.openbsd.org 2013/06/05 12:52:38
-     [sshconnect2.c]
-     Fix memory leaks found by Zhenbo Xu and the Melton tool.  bz#1967, ok djm
-   - dtucker@cvs.openbsd.org 2013/06/05 22:00:28
-     [readconf.c]
-     plug another memleak.  bz#1967, from Zhenbo Xu, detected by Melton, ok djm
- - (dtucker) [configure.ac sftp.c openbsd-compat/openbsd-compat.h] Cater for
-    platforms that don't have multibyte character support (specifically,
-    mblen).
-
-20130602
- - (tim) [Makefile.in] Make Solaris, UnixWare, & OpenServer linkers happy
-   linking regress/modpipe.
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/06/02 13:33:05
-     [progressmeter.c]
-     Add misc.h for monotime prototype. (ID sync only).
-   - dtucker@cvs.openbsd.org 2013/06/02 13:35:58
-     [ssh-agent.c]
-     Make parent_alive_interval time_t to avoid signed/unsigned comparison
- - (dtucker) [configure.ac]  sys/un.h needs sys/socket.h on some platforms
-   to prevent noise from configure. Patch from Nathan Osman. (bz#2114).
- - (dtucker) [configure.ac] bz#2111: don't try to use lastlog on Android.
-   Patch from Nathan Osman.
- - (tim) [configure.ac regress/Makefile] With rev 1.47 of test-exec.sh we
-   need a shell that can handle "[ file1 -nt file2 ]". Rather than keep
-   dealing with shell portability issues in regression tests, we let
-   configure find us a capable shell on those platforms with an old /bin/sh.
- - (tim) [aclocal.m4] Enhance OSSH_CHECK_CFLAG_COMPILE to check stderr.
-   feedback and ok dtucker
- - (tim) [regress/sftp-chroot.sh] skip if no sudo. ok dtucker
- - (dtucker) [configure.ac] Some platforms need sys/types.h before sys/un.h.
- - (dtucker) [configure.ac] Some other platforms need sys/types.h before
-   sys/socket.h.
-
-20130601
- - (dtucker) [configure.ac openbsd-compat/xcrypt.c] bz#2112: fall back to
-   using openssl's DES_crypt function on platorms that don't have a native
-   one, eg Android.  Based on a patch from Nathan Osman.
- - (dtucker) [configure.ac defines.h] Test for fd_mask, howmany and NFDBITS
-   rather than trying to enumerate the plaforms that don't have them.
-   Based on a patch from Nathan Osman, with help from tim@.
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/05/17 00:13:13
-     [xmalloc.h cipher.c sftp-glob.c ssh-keyscan.c ssh.c sftp-common.c
-     ssh-ecdsa.c auth2-chall.c compat.c readconf.c kexgexs.c monitor.c
-     gss-genr.c cipher-3des1.c kex.c monitor_wrap.c ssh-pkcs11-client.c
-     auth-options.c rsa.c auth2-pubkey.c sftp.c hostfile.c auth2.c
-     servconf.c auth.c authfile.c xmalloc.c uuencode.c sftp-client.c
-     auth2-gss.c sftp-server.c bufaux.c mac.c session.c jpake.c kexgexc.c
-     sshconnect.c auth-chall.c auth2-passwd.c sshconnect1.c buffer.c
-     kexecdhs.c kexdhs.c ssh-rsa.c auth1.c ssh-pkcs11.c auth2-kbdint.c
-     kexdhc.c sshd.c umac.c ssh-dss.c auth2-jpake.c bufbn.c clientloop.c
-     monitor_mm.c scp.c roaming_client.c serverloop.c key.c auth-rsa.c
-     ssh-pkcs11-helper.c ssh-keysign.c ssh-keygen.c match.c channels.c
-     sshconnect2.c addrmatch.c mux.c canohost.c kexecdhc.c schnorr.c
-     ssh-add.c misc.c auth2-hostbased.c ssh-agent.c bufec.c groupaccess.c
-     dns.c packet.c readpass.c authfd.c moduli.c]
-     bye, bye xfree(); ok markus@
-   - djm@cvs.openbsd.org 2013/05/19 02:38:28
-     [auth2-pubkey.c]
-     fix failure to recognise cert-authority keys if a key of a different type
-     appeared in authorized_keys before it; ok markus@
-   - djm@cvs.openbsd.org 2013/05/19 02:42:42
-     [auth.h auth.c key.c monitor.c auth-rsa.c auth2.c auth1.c key.h]
-     Standardise logging of supplemental information during userauth. Keys
-     and ruser is now logged in the auth success/failure message alongside
-     the local username, remote host/port and protocol in use. Certificates
-     contents and CA are logged too.
-     Pushing all logging onto a single line simplifies log analysis as it is
-     no longer necessary to relate information scattered across multiple log
-     entries. "I like it" markus@
-   - dtucker@cvs.openbsd.org 2013/05/31 12:28:10
-     [ssh-agent.c]
-     Use time_t where appropriate.  ok djm
-   - dtucker@cvs.openbsd.org 2013/06/01 13:15:52
-     [ssh-agent.c clientloop.c misc.h packet.c progressmeter.c misc.c
-     channels.c sandbox-systrace.c]
-     Use clock_gettime(CLOCK_MONOTONIC ...) for ssh timers so that things like
-     keepalives and rekeying will work properly over clock steps.  Suggested by
-     markus@, "looks good" djm@.
-   - dtucker@cvs.openbsd.org 2013/06/01 20:59:25
-     [scp.c sftp-client.c]
-     Replace S_IWRITE, which isn't standardized, with S_IWUSR, which is.  Patch
-     from Nathan Osman via bz#2085.  ok deraadt.
-   - dtucker@cvs.openbsd.org 2013/06/01 22:34:50
-     [sftp-client.c]
-     Update progressmeter when data is acked, not when it's sent.  bz#2108, from
-     Debian via Colin Watson, ok djm@
- - (dtucker) [M auth-chall.c auth-krb5.c auth-pam.c cipher-aes.c cipher-ctr.c
-   groupaccess.c loginrec.c monitor.c monitor_wrap.c session.c sshd.c
-   sshlogin.c uidswap.c openbsd-compat/bsd-cygwin_util.c
-   openbsd-compat/getrrsetbyname-ldns.c openbsd-compat/port-aix.c
-   openbsd-compat/port-linux.c] Replace portable-specific instances of xfree
-   with the equivalent calls to free.
- - (dtucker) [configure.ac misc.c] Look for clock_gettime in librt and fall
-   back to time(NULL) if we can't find it anywhere.
- - (dtucker) [sandbox-seccomp-filter.c] Allow clock_gettimeofday.
-
-20130529
-  - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] bz#2087: Add a null
-    implementation of endgrent for platforms that don't have it (eg Android).
-    Loosely based on a patch from Nathan Osman, ok djm
-
- 20130517
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/03/07 00:20:34
-     [regress/proxy-connect.sh]
-     repeat test with a style appended to the username
-   - dtucker@cvs.openbsd.org 2013/03/23 11:09:43
-     [regress/test-exec.sh]
-     Only regenerate host keys if they don't exist or if ssh-keygen has changed
-     since they were.  Reduces test runtime by 5-30% depending on machine
-     speed.
-   - dtucker@cvs.openbsd.org 2013/04/06 06:00:22
-     [regress/rekey.sh regress/test-exec.sh regress/integrity.sh
-     regress/multiplex.sh Makefile regress/cfgmatch.sh]
-     Split the regress log into 3 parts: the debug output from ssh, the debug
-     log from sshd and the output from the client command (ssh, scp or sftp).
-     Somewhat functional now, will become more useful when ssh/sshd -E is added.
-   - dtucker@cvs.openbsd.org 2013/04/07 02:16:03
-     [regress/Makefile regress/rekey.sh regress/integrity.sh
-     regress/sshd-log-wrapper.sh regress/forwarding.sh regress/test-exec.sh]
-     use -E option for ssh and sshd to write debuging logs to ssh{,d}.log and
-     save the output from any failing tests.  If a test fails the debug output
-     from ssh and sshd for the failing tests (and only the failing tests) should
-     be available in failed-ssh{,d}.log.
-   - djm@cvs.openbsd.org 2013/04/18 02:46:12
-     [regress/Makefile regress/sftp-chroot.sh]
-     test sshd ChrootDirectory+internal-sftp; feedback & ok dtucker@
-   - dtucker@cvs.openbsd.org 2013/04/22 07:23:08
-     [regress/multiplex.sh]
-     Write mux master logs to regress.log instead of ssh.log to keep separate
-   - djm@cvs.openbsd.org 2013/05/10 03:46:14
-     [regress/modpipe.c]
-     sync some portability changes from portable OpenSSH (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/16 02:10:35
-     [regress/rekey.sh]
-     Add test for time-based rekeying
-   - dtucker@cvs.openbsd.org 2013/05/16 03:33:30
-     [regress/rekey.sh]
-     test rekeying when there's no data being transferred
-   - dtucker@cvs.openbsd.org 2013/05/16 04:26:10
-     [regress/rekey.sh]
-     add server-side rekey test
-   - dtucker@cvs.openbsd.org 2013/05/16 05:48:31
-     [regress/rekey.sh]
-     add tests for RekeyLimit parsing
-   - dtucker@cvs.openbsd.org 2013/05/17 00:37:40
-     [regress/agent.sh regress/keytype.sh regress/cfgmatch.sh
-     regress/forcecommand.sh regress/proto-version.sh regress/test-exec.sh
-     regress/cipher-speed.sh regress/cert-hostkey.sh regress/cert-userkey.sh
-     regress/ssh-com.sh]
-     replace 'echo -n' with 'printf' since it's more portable
-     also remove "echon" hack.
-   - dtucker@cvs.openbsd.org 2013/05/17 01:16:09
-     [regress/agent-timeout.sh]
-     Pull back some portability changes from -portable:
-      - TIMEOUT is a read-only variable in some shells
-      - not all greps have -q so redirect to /dev/null instead.
-     (ID sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 01:32:11
-     [regress/integrity.sh]
-     don't print output from ssh before getting it (it's available in ssh.log)
-   - dtucker@cvs.openbsd.org 2013/05/17 04:29:14
-     [regress/sftp.sh regress/putty-ciphers.sh regress/cipher-speed.sh
-     regress/test-exec.sh regress/sftp-batch.sh regress/dynamic-forward.sh
-     regress/putty-transfer.sh regress/conch-ciphers.sh regress/sftp-cmds.sh
-     regress/scp.sh regress/ssh-com-sftp.sh regress/rekey.sh
-     regress/putty-kex.sh regress/stderr-data.sh regress/stderr-after-eof.sh
-     regress/sftp-badcmds.sh regress/reexec.sh regress/ssh-com-client.sh
-     regress/sftp-chroot.sh regress/forwarding.sh regress/transfer.sh
-     regress/multiplex.sh]
-     Move the setting of DATA and COPY into test-exec.sh
-   - dtucker@cvs.openbsd.org 2013/05/17 10:16:26
-     [regress/try-ciphers.sh]
-     use expr for math to keep diffs vs portable down
-     (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 10:23:52
-     [regress/login-timeout.sh regress/reexec.sh regress/test-exec.sh]
-     Use SUDO when cat'ing pid files and running the sshd log wrapper so that
-     it works with a restrictive umask and the pid files are not world readable.
-     Changes from -portable.  (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 10:24:48
-     [regress/localcommand.sh]
-     use backticks for portability. (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 10:26:26
-     [regress/sftp-badcmds.sh]
-     remove unused BATCH variable. (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 10:28:11
-     [regress/sftp.sh]
-     only compare copied data if sftp succeeds.  from portable (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 10:30:07
-     [regress/test-exec.sh]
-     wait a bit longer for startup and use case for absolute path.
-     from portable (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 10:33:09
-     [regress/agent-getpeereid.sh]
-     don't redirect stdout from sudo.  from portable (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 10:34:30
-     [regress/portnum.sh]
-     use a more portable negated if structure.  from portable (id sync only)
-   - dtucker@cvs.openbsd.org 2013/05/17 10:35:43
-     [regress/scp.sh]
-     use a file extention that's not special on some platforms.  from portable
-     (id sync only)
- - (dtucker) [regress/bsd.regress.mk] Remove unused file.  We've never used it
-   in portable and it's long gone in openbsd.
- - (dtucker) [regress/integrity.sh].  Force fixed Diffie-Hellman key exchange
-   methods.  When the openssl version doesn't support ECDH then next one on
-   the list is DH group exchange, but that causes a bit more traffic which can
-   mean that the tests flip bits in the initial exchange rather than the MACed
-   traffic and we get different errors to what the tests look for.
- - (dtucker) [openbsd-compat/getopt.h] Remove unneeded bits.
- - (dtucker) [regress/cfgmatch.sh] Resync config file setup with openbsd.
- - (dtucker) [regress/agent-getpeereid.sh] Resync spaces with openbsd.
- - (dtucker) [regress/integrity.sh regress/krl.sh regress/test-exec.sh]
-   Move the jot helper function to portable-specific part of test-exec.sh.
- - (dtucker) [regress/test-exec.sh] Move the portable-specific functions
-   together and add a couple of missing lines from openbsd.
- - (dtucker) [regress/stderr-after-eof.sh regress/test-exec.sh] Move the md5
-   helper function to the portable part of test-exec.sh.
- - (dtucker) [regress/runtests.sh] Remove obsolete test driver script.
- - (dtucker) [regress/cfgmatch.sh] Remove unneeded sleep renderd obsolete by
-   rev 1.6 which calls wait.
-
-20130516
- - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be 
-    executed if mktemp failed; bz#2105 ok dtucker@
- - (dtucker) OpenBSD CVS Sync
-   - tedu@cvs.openbsd.org 2013/04/23 17:49:45
-     [misc.c]
-     use xasprintf instead of a series of strlcats and strdup. ok djm
-   - tedu@cvs.openbsd.org 2013/04/24 16:01:46
-     [misc.c]
-     remove extra parens noticed by nicm
-   - dtucker@cvs.openbsd.org 2013/05/06 07:35:12
-     [sftp-server.8]
-     Reference the version of the sftp draft we actually implement.  ok djm@
-   - djm@cvs.openbsd.org 2013/05/10 03:40:07
-     [sshconnect2.c]
-     fix bzero(ptr_to_struct, sizeof(ptr_to_struct)); bz#2100 from
-     Colin Watson
-   - djm@cvs.openbsd.org 2013/05/10 04:08:01
-     [key.c]
-     memleak in cert_free(), wasn't actually freeing the struct;
-     bz#2096 from shm AT digitalsun.pl
-   - dtucker@cvs.openbsd.org 2013/05/10 10:13:50
-     [ssh-pkcs11-helper.c]
-     remove unused extern optarg.  ok markus@
-   - dtucker@cvs.openbsd.org 2013/05/16 02:00:34
-     [ssh_config sshconnect2.c packet.c readconf.h readconf.c clientloop.c
-     ssh_config.5 packet.h]
-     Add an optional second argument to RekeyLimit in the client to allow
-     rekeying based on elapsed time in addition to amount of traffic.
-     with djm@ jmc@, ok djm
-   - dtucker@cvs.openbsd.org 2013/05/16 04:09:14
-     [sshd_config.5 servconf.c servconf.h packet.c serverloop.c monitor.c sshd_config
-     sshd.c] Add RekeyLimit to sshd with the same syntax as the client allowing
-     rekeying based on traffic volume or time.  ok djm@, help & ok jmc@ for the man
-     page.
-   - djm@cvs.openbsd.org 2013/05/16 04:27:50
-     [ssh_config.5 readconf.h readconf.c]
-     add the ability to ignore specific unrecognised ssh_config options;
-     bz#866; ok markus@
-   - jmc@cvs.openbsd.org 2013/05/16 06:28:45
-     [ssh_config.5]
-     put IgnoreUnknown in the right place;
-   - jmc@cvs.openbsd.org 2013/05/16 06:30:06
-     [sshd_config.5]
-     oops! avoid Xr to self;
-   - dtucker@cvs.openbsd.org 2013/05/16 09:08:41
-     [log.c scp.c sshd.c serverloop.c schnorr.c sftp.c]
-     Fix some "unused result" warnings found via clang and -portable.
-     ok markus@
-   - dtucker@cvs.openbsd.org 2013/05/16 09:12:31
-     [readconf.c servconf.c]
-     switch RekeyLimit traffic volume parsing to scan_scaled.  ok djm@
-   - dtucker@cvs.openbsd.org 2013/05/16 10:43:34
-     [servconf.c readconf.c]
-     remove now-unused variables
-   - dtucker@cvs.openbsd.org 2013/05/16 10:44:06
-     [servconf.c]
-     remove another now-unused variable
- - (dtucker) [configure.ac readconf.c servconf.c
-     openbsd-compat/openbsd-compat.h] Add compat bits for scan_scaled.
-
-20130510
- - (dtucker) [configure.ac] Enable -Wsizeof-pointer-memaccess if the compiler
-   supports it.  Mentioned by Colin Watson in bz#2100, ok djm.
- - (dtucker) [openbsd-compat/getopt.c] Factor out portibility changes to
-   getopt.c.  Preprocessed source is identical other than line numbers.
- - (dtucker) [openbsd-compat/getopt_long.c] Import from OpenBSD.  No
-   portability changes yet.
- - (dtucker) [openbsd-compat/Makefile.in openbsd-compat/getopt.c
-   openbsd-compat/getopt_long.c regress/modpipe.c] Remove getopt.c, add
-   portability code to getopt_long.c and switch over Makefile and the ugly
-   hack in modpipe.c.  Fixes bz#1448.
- - (dtucker) [openbsd-compat/getopt.h openbsd-compat/getopt_long.c
-   openbsd-compat/openbsd-compat.h] pull in getopt.h from openbsd and plumb
-   in to use it when we're using our own getopt.
- - (dtucker) [kex.c] Only include sha256 and ECC key exchange methods when the
-   underlying libraries support them.
- - (dtucker) [configure.ac] Add -Werror to the -Qunused-arguments test so
-   we don't get a warning on compilers that *don't* support it.  Add
-   -Wno-unknown-warning-option.  Move both to the start of the list for
-   maximum noise suppression.  Tested with gcc 4.6.3, gcc 2.95.4 and clang 2.9.
-
-20130423
- - (djm) [auth.c configure.ac misc.c monitor.c monitor_wrap.c] Support
-   platforms, such as Android, that lack struct passwd.pw_gecos. Report
-   and initial patch from Nathan Osman bz#2086; feedback tim@ ok dtucker@
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2013/03/05 20:16:09
-     [sshconnect2.c]
-     reset pubkey order on partial success; ok djm@
-   - djm@cvs.openbsd.org 2013/03/06 23:35:23
-     [session.c]
-     fatal() when ChrootDirectory specified by running without root privileges;
-     ok markus@
-   - djm@cvs.openbsd.org 2013/03/06 23:36:53
-     [readconf.c]
-     g/c unused variable (-Wunused)
-   - djm@cvs.openbsd.org 2013/03/07 00:19:59
-     [auth2-pubkey.c monitor.c]
-     reconstruct the original username that was sent by the client, which may
-     have included a style (e.g. "root:skey") when checking public key
-     signatures. Fixes public key and hostbased auth when the client specified
-     a style; ok markus@
-   - markus@cvs.openbsd.org 2013/03/07 19:27:25
-     [auth.h auth2-chall.c auth2.c monitor.c sshd_config.5]
-     add submethod support to AuthenticationMethods; ok and freedback djm@
-   - djm@cvs.openbsd.org 2013/03/08 06:32:58
-     [ssh.c]
-     allow "ssh -f none ..." ok markus@
-   - djm@cvs.openbsd.org 2013/04/05 00:14:00
-     [auth2-gss.c krl.c sshconnect2.c]
-     hush some {unused, printf type} warnings
-   - djm@cvs.openbsd.org 2013/04/05 00:31:49
-     [pathnames.h]
-     use the existing _PATH_SSH_USER_RC define to construct the other
-     pathnames; bz#2077, ok dtucker@ (no binary change)
-   - djm@cvs.openbsd.org 2013/04/05 00:58:51
-     [mux.c]
-     cleanup mux-created channels that are in SSH_CHANNEL_OPENING state too
-     (in addition to ones already in OPEN); bz#2079, ok dtucker@
-   - markus@cvs.openbsd.org 2013/04/06 16:07:00
-     [channels.c sshd.c]
-     handle ECONNABORTED for accept(); ok deraadt some time ago...
-   - dtucker@cvs.openbsd.org 2013/04/07 02:10:33
-     [log.c log.h ssh.1 ssh.c sshd.8 sshd.c]
-     Add -E option to ssh and sshd to append debugging logs to a specified file
-     instead of stderr or syslog.  ok markus@, man page help jmc@
-   - dtucker@cvs.openbsd.org 2013/04/07 09:40:27
-     [sshd.8]
-     clarify -e text. suggested by & ok jmc@
-   - djm@cvs.openbsd.org 2013/04/11 02:27:50
-     [packet.c]
-     quiet disconnect notifications on the server from error() back to logit()
-     if it is a normal client closure; bz#2057 ok+feedback dtucker@
-   - dtucker@cvs.openbsd.org 2013/04/17 09:04:09
-     [session.c]
-     revert rev 1.262; it fails because uid is already set here.  ok djm@
-   - djm@cvs.openbsd.org 2013/04/18 02:16:07
-     [sftp.c]
-     make "sftp -q" do what it says on the sticker: hush everything but errors;
-     ok dtucker@
-   - djm@cvs.openbsd.org 2013/04/19 01:00:10
-     [sshd_config.5]
-     document the requirment that the AuthorizedKeysCommand be owned by root;
-     ok dtucker@ markus@
-   - djm@cvs.openbsd.org 2013/04/19 01:01:00
-     [ssh-keygen.c]
-     fix some memory leaks; bz#2088 ok dtucker@
-   - djm@cvs.openbsd.org 2013/04/19 01:03:01
-     [session.c]
-     reintroduce 1.262 without the connection-killing bug:
-     fatal() when ChrootDirectory specified by running without root privileges;
-     ok markus@
-   - djm@cvs.openbsd.org 2013/04/19 01:06:50
-     [authfile.c cipher.c cipher.h kex.c kex.h kexecdh.c kexecdhc.c kexecdhs.c]
-     [key.c key.h mac.c mac.h packet.c ssh.1 ssh.c]
-     add the ability to query supported ciphers, MACs, key type and KEX
-     algorithms to ssh. Includes some refactoring of KEX and key type handling
-     to be table-driven; ok markus@
-   - djm@cvs.openbsd.org 2013/04/19 11:10:18
-     [ssh.c]
-     add -Q to usage; reminded by jmc@
-   - djm@cvs.openbsd.org 2013/04/19 12:07:08
-     [kex.c]
-     remove duplicated list entry pointed out by naddy@
-   - dtucker@cvs.openbsd.org 2013/04/22 01:17:18
-     [mux.c]
-     typo in debug output: evitval->exitval
-
-20130418
- - (djm) [config.guess config.sub] Update to last versions before they switch
-   to GPL3. ok dtucker@
- - (dtucker) [configure.ac] Use -Qunused-arguments to suppress warnings from
-   unused argument warnings (in particular, -fno-builtin-memset) from clang.
-
-20130404
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2013/02/17 23:16:57
-     [readconf.c ssh.c readconf.h sshconnect2.c]
-     Keep track of which IndentityFile options were manually supplied and which
-     were default options, and don't warn if the latter are missing.
-     ok markus@
-   - dtucker@cvs.openbsd.org 2013/02/19 02:12:47
-     [krl.c]
-     Remove bogus include.  ok djm
-   - dtucker@cvs.openbsd.org 2013/02/22 04:45:09
-     [ssh.c readconf.c readconf.h]
-     Don't complain if IdentityFiles specified in system-wide configs are
-     missing.  ok djm, deraadt.
-   - markus@cvs.openbsd.org 2013/02/22 19:13:56
-     [sshconnect.c]
-     support ProxyCommand=- (stdin/out already point to the proxy); ok djm@
-   - djm@cvs.openbsd.org 2013/02/22 22:09:01
-     [ssh.c]
-     Allow IdenityFile=none; ok markus deraadt (and dtucker for an earlier
-     version)
-
-20130401
- - (dtucker) [openbsd-compat/bsd-cygwin_util.{c,h}] Don't include windows.h
-   to avoid conflicting definitions of __int64, adding the required bits.
-   Patch from Corinna Vinschen.
-
-20130323
- - (tim) [Makefile.in] remove some duplication introduced in 20130220 commit.
-
-20130322
- - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil
-   Hands' greatly revised version.
- - (djm) Release 6.2p1
- - (dtucker) [configure.ac] Add stdlib.h to zlib check for exit() prototype.
- - (dtucker) [includes.h] Check if _GNU_SOURCE is already defined before
-   defining it again.  Prevents warnings if someone, eg, sets it in CFLAGS.
-
-20130318
- - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c]
-   [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's
-   so mark it as broken. Patch from des AT des.no
-
-20130317
- - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none
-   of the bits the configure test looks for.
-
-20130316
- - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform
-   is unable to successfully compile them. Based on patch from des AT
-   des.no
- - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
-   Add a usleep replacement for platforms that lack it; ok dtucker
- - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to
-   occur after UID switch; patch from John Marshall via des AT des.no;
-   ok dtucker@
-
-20130312
- - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh]
-   Improve portability of cipher-speed test, based mostly on a patch from
-   Iain Morgan.
- - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin")
-   in addition to root as an owner of system directories on AIX and HP-UX.
-   ok djm@
-
-20130307
- - (dtucker) [INSTALL] Bump documented autoconf version to what we're
-   currently using.
- - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it
-   was removed in configure.ac rev 1.481 as it was redundant.
- - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days
-   ago.
- - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a
-   chance to complete on broken systems; ok dtucker@
-
-20130306
- - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding
-  connection to start so that the test works on slower machines.
- - (dtucker) [configure.ac] test that we can set number of file descriptors
-   to zero with setrlimit before enabling the rlimit sandbox.  This affects
-   (at least) HPUX 11.11.
-
-20130305
- - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for
-   HP/UX. Spotted by Kevin Brott
- - (dtucker) [configure.ac] use "=" for shell test and not "==".  Spotted by
-   Amit Kulkarni and Kevin Brott.
- - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure
-   build breakage on (at least) HP-UX 11.11.  Found by Amit Kulkarni and Kevin
-   Brott.
- - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov.
-
-20130227
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-   [contrib/suse/openssh.spec] Crank version numbers
- - (tim) [regress/forward-control.sh] use sh in case login shell is csh.
- - (tim) [regress/integrity.sh] shell portability fix.
- - (tim) [regress/integrity.sh] keep old solaris awk from hanging.
- - (tim) [regress/krl.sh] keep old solaris awk from hanging.
-
-20130226
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/02/20 08:27:50
-     [integrity.sh]
-     Add an option to modpipe that warns if the modification offset it not
-     reached in it's stream and turn it on for t-integrity. This should catch
-     cases where the session is not fuzzed for being too short (cf. my last
-     "oops" commit)
- - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage
-   for UsePAM=yes configuration
-
-20130225
- - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed
-   to use Solaris native GSS libs.  Patch from Pierre Ossman.
-
-20130223
- - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer
-   bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu.
-   ok tim
-
-20130222
- - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to
-   ssh(1) since they're not needed.  Patch from Pierre Ossman, ok djm.
- - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named
-   libgss too.  Patch from Pierre Ossman, ok djm.
- - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux
-   seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
-   ok dtucker
-
-20130221
- - (tim) [regress/forward-control.sh] shell portability fix.
-
-20130220
- - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix.
- - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded
-   err.h include from krl.c. Additional portability fixes for modpipe. OK djm
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/02/20 08:27:50
-     [regress/integrity.sh regress/modpipe.c]
-     Add an option to modpipe that warns if the modification offset it not
-     reached in it's stream and turn it on for t-integrity. This should catch
-     cases where the session is not fuzzed for being too short (cf. my last
-     "oops" commit)
-   - djm@cvs.openbsd.org 2013/02/20 08:29:27
-     [regress/modpipe.c]
-     s/Id/OpenBSD/ in RCS tag
-
-20130219
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/02/18 22:26:47
-     [integrity.sh]
-     crank the offset yet again; it was still fuzzing KEX one of Darren's
-     portable test hosts at 2800
-   - djm@cvs.openbsd.org 2013/02/19 02:14:09
-     [integrity.sh]
-     oops, forgot to increase the output of the ssh command to ensure that
-     we actually reach $offset
- - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that
-   lack support for SHA2.
- - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms
-   that do not have them.
-
-20130217
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/02/17 23:16:55
-     [integrity.sh]
-     make the ssh command generates some output to ensure that there are at
-     least offset+tries bytes in the stream.
-
-20130216
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/02/16 06:08:45
-     [integrity.sh]
-     make sure the fuzz offset is actually past the end of KEX for all KEX
-     types. diffie-hellman-group-exchange-sha256 requires an offset around
-     2700. Noticed via test failures in portable OpenSSH on platforms that
-     lack ECC and this the more byte-frugal ECDH KEX algorithms.
-
-20130215
- - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from
-   Iain Morgan
- - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
-   Use getpgrp() if we don't have getpgid() (old BSDs, maybe others).
- - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c
-   openbsd-compat/openbsd-compat.h] Add strtoull to compat library for
-   platforms that don't have it.
- - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul,
-   group strto* function prototypes together.
- - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes
-   an argument.  Pointed out by djm.
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/02/14 21:35:59
-     [auth2-pubkey.c]
-     Correct error message that had a typo and was logging the wrong thing;
-     patch from Petr Lautrbach
-   - dtucker@cvs.openbsd.org 2013/02/15 00:21:01
-     [sshconnect2.c]
-     Warn more loudly if an IdentityFile provided by the user cannot be read.
-     bz #1981, ok djm@
-
-20130214
- - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC.
- - (djm) [regress/krl.sh] typo; found by Iain Morgan
- - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead
-   of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by
-   Iain Morgan
-
-20130212
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/01/24 21:45:37
-     [krl.c]
-     fix handling of (unused) KRL signatures; skip string in correct buffer
-   - djm@cvs.openbsd.org 2013/01/24 22:08:56
-     [krl.c]
-     skip serial lookup when cert's serial number is zero
-   - krw@cvs.openbsd.org 2013/01/25 05:00:27
-     [krl.c]
-     Revert last. Breaks due to likely typo. Let djm@ fix later.
-     ok djm@ via dlg@
-   - djm@cvs.openbsd.org 2013/01/25 10:22:19
-     [krl.c]
-     redo last commit without the vi-vomit that snuck in:
-     skip serial lookup when cert's serial number is zero
-     (now with 100% better comment)
-   - djm@cvs.openbsd.org 2013/01/26 06:11:05
-     [Makefile.in acss.c acss.h cipher-acss.c cipher.c]
-     [openbsd-compat/openssl-compat.h]
-     remove ACSS, now that it is gone from libcrypto too
-   - djm@cvs.openbsd.org 2013/01/27 10:06:12
-     [krl.c]
-     actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
-   - dtucker@cvs.openbsd.org 2013/02/06 00:20:42
-     [servconf.c sshd_config sshd_config.5]
-     Change default of MaxStartups to 10:30:100 to start doing random early
-     drop at 10 connections up to 100 connections.  This will make it harder
-     to DoS as CPUs have come a long way since the original value was set
-     back in 2000.  Prompted by nion at debian org, ok markus@
-   - dtucker@cvs.openbsd.org 2013/02/06 00:22:21
-     [auth.c]
-     Fix comment, from jfree.e1 at gmail
-   - djm@cvs.openbsd.org 2013/02/08 00:41:12
-     [sftp.c]
-     fix NULL deref when built without libedit and control characters
-     entered as command; debugging and patch from Iain Morgan an
-     Loganaden Velvindron in bz#1956
-   - markus@cvs.openbsd.org 2013/02/10 21:19:34
-     [version.h]
-     openssh 6.2
-   - djm@cvs.openbsd.org 2013/02/10 23:32:10
-     [ssh-keygen.c]
-     append to moduli file when screening candidates rather than overwriting.
-     allows resumption of interrupted screen; patch from Christophe Garault
-     in bz#1957; ok dtucker@
-   - djm@cvs.openbsd.org 2013/02/10 23:35:24
-     [packet.c]
-     record "Received disconnect" messages at ERROR rather than INFO priority,
-     since they are abnormal and result in a non-zero ssh exit status; patch
-     from Iain Morgan in bz#2057; ok dtucker@
-   - dtucker@cvs.openbsd.org 2013/02/11 21:21:58
-     [sshd.c]
-     Add openssl version to debug output similar to the client.  ok markus@
-   - djm@cvs.openbsd.org 2013/02/11 23:58:51
-     [regress/try-ciphers.sh]
-     remove acss here too
- - (djm) [regress/try-ciphers.sh] clean up CVS merge botch
-
-20130211
- - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old
-   libcrypto that lacks EVP_CIPHER_CTX_ctrl
-
-20130208
- - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer;
-   patch from Iain Morgan in bz#2059
- - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows
-   __attribute__ on return values and work around if necessary.  ok djm@
-
-20130207
- - (djm) [configure.ac] Don't probe seccomp capability of running kernel
-   at configure time; the seccomp sandbox will fall back to rlimit at
-   runtime anyway. Patch from plautrba AT redhat.com in bz#2011
-
-20130120
- - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h]
-   Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
-   prototypes for openssl-1.0.0-fips.
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2013/01/18 07:57:47
-     [ssh-keygen.1]
-     tweak previous;
-   - jmc@cvs.openbsd.org 2013/01/18 07:59:46
-     [ssh-keygen.c]
-     -u before -V in usage();
-   - jmc@cvs.openbsd.org 2013/01/18 08:00:49
-     [sshd_config.5]
-     tweak previous;
-   - jmc@cvs.openbsd.org 2013/01/18 08:39:04
-     [ssh-keygen.1]
-     add -Q to the options list; ok djm
-   - jmc@cvs.openbsd.org 2013/01/18 21:48:43
-     [ssh-keygen.1]
-     command-line (adj.) -> command line (n.);
-   - jmc@cvs.openbsd.org 2013/01/19 07:13:25
-     [ssh-keygen.1]
-     fix some formatting; ok djm
-   - markus@cvs.openbsd.org 2013/01/19 12:34:55
-     [krl.c]
-     RB_INSERT does not remove existing elments; ok djm@
- - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer
-   version.
- - (djm) [regress/krl.sh] replacement for jot; most platforms lack it
-
-20130118
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/01/17 23:00:01
-     [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
-     [krl.c krl.h PROTOCOL.krl]
-     add support for Key Revocation Lists (KRLs). These are a compact way to
-     represent lists of revoked keys and certificates, taking as little as
-     a single bit of incremental cost to revoke a certificate by serial number.
-     KRLs are loaded via the existing RevokedKeys sshd_config option.
-     feedback and ok markus@
-   - djm@cvs.openbsd.org 2013/01/18 00:45:29
-     [regress/Makefile regress/cert-userkey.sh regress/krl.sh]
-     Tests for Key Revocation Lists (KRLs)
-   - djm@cvs.openbsd.org 2013/01/18 03:00:32
-     [krl.c]
-     fix KRL generation bug for list sections
-
-20130117
- - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
-   check for GCM support before testing GCM ciphers.
-
-20130112
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2013/01/12 11:22:04
-     [cipher.c]
-     improve error message for integrity failure in AES-GCM modes; ok markus@
-   - djm@cvs.openbsd.org 2013/01/12 11:23:53
-     [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
-     test AES-GCM modes; feedback markus@
- - (djm) [regress/integrity.sh] repair botched merge
-
-20130109
- - (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2012/12/14 05:26:43
-     [auth.c]
-     use correct string in error message; from rustybsd at gmx.fr
-   - djm@cvs.openbsd.org 2013/01/02 00:32:07
-     [clientloop.c mux.c]
-     channel_setup_local_fwd_listener() returns 0 on failure, not -ve
-     bz#2055 reported by mathieu.lacage AT gmail.com
-   - djm@cvs.openbsd.org 2013/01/02 00:33:49
-     [PROTOCOL.agent]
-     correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
-     bz#2051 from david AT lechnology.com
-   - djm@cvs.openbsd.org 2013/01/03 05:49:36
-     [servconf.h]
-     add a couple of ServerOptions members that should be copied to the privsep
-     child (for consistency, in this case they happen only to be accessed in
-     the monitor); ok dtucker@
-   - djm@cvs.openbsd.org 2013/01/03 12:49:01
-     [PROTOCOL]
-     fix description of MAC calculation for EtM modes; ok markus@
-   - djm@cvs.openbsd.org 2013/01/03 12:54:49
-     [sftp-server.8 sftp-server.c]
-     allow specification of an alternate start directory for sftp-server(8)
-     "I like this" markus@
-   - djm@cvs.openbsd.org 2013/01/03 23:22:58
-     [ssh-keygen.c]
-     allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
-     ok markus@
-   - jmc@cvs.openbsd.org 2013/01/04 19:26:38
-     [sftp-server.8 sftp-server.c]
-     sftp-server.8: add argument name to -d
-     sftp-server.c: add -d to usage()
-     ok djm
-   - markus@cvs.openbsd.org 2013/01/08 18:49:04
-     [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
-     [myproposal.h packet.c ssh_config.5 sshd_config.5]
-     support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
-     ok and feedback djm@
-   - djm@cvs.openbsd.org 2013/01/09 05:40:17
-     [ssh-keygen.c]
-     correctly initialise fingerprint type for fingerprinting PKCS#11 keys
- - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]
-   Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
-   cipher compat code to openssl-compat.h
-
-20121217
- - (dtucker) [Makefile.in] Add some scaffolding so that the new regress
-   tests will work with VPATH directories.
-
-20121213
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2012/12/12 16:45:52
-     [packet.c]
-     reset incoming_packet buffer for each new packet in EtM-case, too;
-     this happens if packets are parsed only parially (e.g. ignore
-     messages sent when su/sudo turn off echo); noted by sthen/millert
-   - naddy@cvs.openbsd.org 2012/12/12 16:46:10
-     [cipher.c]
-     use OpenSSL's EVP_aes_{128,192,256}_ctr() API and remove our hand-rolled
-     counter mode code; ok djm@
- - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our
-   compat code for older OpenSSL
- - (djm) [cipher.c] Fix missing prototype for compat code
-
-20121212
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2012/12/11 22:16:21
-     [monitor.c]
-     drain the log messages after receiving the keystate from the unpriv
-     child. otherwise it might block while sending. ok djm@
-   - markus@cvs.openbsd.org 2012/12/11 22:31:18
-     [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
-     [packet.c ssh_config.5 sshd_config.5]
-     add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
-     that change the packet format and compute the MAC over the encrypted
-     message (including the packet size) instead of the plaintext data;
-     these EtM modes are considered more secure and used by default.
-     feedback and ok djm@
-   - sthen@cvs.openbsd.org 2012/12/11 22:51:45
-     [mac.c]
-     fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
-   - markus@cvs.openbsd.org 2012/12/11 22:32:56
-     [regress/try-ciphers.sh]
-     add etm modes
-   - markus@cvs.openbsd.org 2012/12/11 22:42:11
-     [regress/Makefile regress/modpipe.c regress/integrity.sh]
-     test the integrity of the packets; with djm@
-   - markus@cvs.openbsd.org 2012/12/11 23:12:13
-     [try-ciphers.sh]
-     add hmac-ripemd160-etm@openssh.com
- - (djm) [mac.c] fix merge botch
- - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test
-   work on platforms without 'jot'
- - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip
- - (djm) [regress/Makefile] fix t-exec rule
-
-20121207
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2012/12/06 06:06:54
-     [regress/keys-command.sh]
-     Fix some problems with the keys-command test:
-      - use string comparison rather than numeric comparison
-      - check for existing KEY_COMMAND file and don't clobber if it exists
-      - clean up KEY_COMMAND file if we do create it.
-      - check that KEY_COMMAND is executable (which it won't be if eg /var/run
-        is mounted noexec).
-     ok djm.
-   - jmc@cvs.openbsd.org 2012/12/03 08:33:03
-     [ssh-add.1 sshd_config.5]
-     tweak previous;
-   - markus@cvs.openbsd.org 2012/12/05 15:42:52
-     [ssh-add.c]
-     prevent double-free of comment; ok djm@
-   - dtucker@cvs.openbsd.org 2012/12/07 01:51:35
-     [serverloop.c]
-     Cast signal to int for logging.  A no-op on openbsd (they're always ints)
-     but will prevent warnings in portable.  ok djm@
-
-20121205
- - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
-
-20121203
- - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
-   TAILQ_FOREACH_SAFE needed for upcoming changes.
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2012/12/02 20:26:11
-     [ssh_config.5 sshconnect2.c]
-     Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
-     This allows control of which keys are offered from tokens using
-     IdentityFile. ok markus@
-   - djm@cvs.openbsd.org 2012/12/02 20:42:15
-     [ssh-add.1 ssh-add.c]
-     make deleting explicit keys "ssh-add -d" symmetric with adding keys -
-     try to delete the corresponding certificate too and respect the -k option
-     to allow deleting of the key only; feedback and ok markus@
-   - djm@cvs.openbsd.org 2012/12/02 20:46:11
-     [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
-     [sshd_config.5]
-     make AllowTcpForwarding accept "local" and "remote" in addition to its
-     current "yes"/"no" to allow the server to specify whether just local or
-     remote TCP forwarding is enabled. ok markus@
-   - dtucker@cvs.openbsd.org 2012/10/05 02:20:48
-     [regress/cipher-speed.sh regress/try-ciphers.sh]
-     Add umac-128@openssh.com to the list of MACs to be tested
-   - djm@cvs.openbsd.org 2012/10/19 05:10:42
-     [regress/cert-userkey.sh]
-     include a serial number when generating certs
-   - djm@cvs.openbsd.org 2012/11/22 22:49:30
-     [regress/Makefile regress/keys-command.sh]
-     regress for AuthorizedKeysCommand; hints from markus@
-   - djm@cvs.openbsd.org 2012/12/02 20:47:48
-     [Makefile regress/forward-control.sh]
-     regress for AllowTcpForwarding local/remote; ok markus@
-   - djm@cvs.openbsd.org 2012/12/03 00:14:06
-     [auth2-chall.c ssh-keygen.c]
-     Fix compilation with -Wall -Werror (trivial type fixes)
- - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
-   debugging. ok dtucker@
- - (djm) [configure.ac] Revert previous. configure.ac already does this
-   for us.
-
-20121114
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2012/11/14 02:24:27
-     [auth2-pubkey.c]
-     fix username passed to helper program
-     prepare stdio fds before closefrom()
-     spotted by landry@
-   - djm@cvs.openbsd.org 2012/11/14 02:32:15
-     [ssh-keygen.c]
-     allow the full range of unsigned serial numbers; 'fine' deraadt@
-   - djm@cvs.openbsd.org 2012/12/02 20:34:10
-     [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
-     [monitor.c monitor.h]
-     Fixes logging of partial authentication when privsep is enabled
-     Previously, we recorded "Failed xxx" since we reset authenticated before
-     calling auth_log() in auth2.c. This adds an explcit "Partial" state.
-     
-     Add a "submethod" to auth_log() to report which submethod is used
-     for keyboard-interactive.
-     
-     Fix multiple authentication when one of the methods is
-     keyboard-interactive.
-     
-     ok markus@
-   - dtucker@cvs.openbsd.org 2012/10/05 02:05:30
-     [regress/multiplex.sh]
-     Use 'kill -0' to test for the presence of a pid since it's more portable
-
-20121107
- - (djm) OpenBSD CVS Sync
-   - eric@cvs.openbsd.org 2011/11/28 08:46:27
-     [moduli.5]
-     fix formula
-     ok djm@
-   - jmc@cvs.openbsd.org 2012/09/26 17:34:38
-     [moduli.5]
-     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
-     references into a STANDARDS section;
-
-20121105
- - (dtucker) [uidswap.c openbsd-compat/Makefile.in
-   openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
-   openbsd-compat/openbsd-compat.h]  Move the fallback code for setting uids
-   and gids from uidswap.c to the compat library, which allows it to work with
-   the new setresuid calls in auth2-pubkey.  with tim@, ok djm@
- - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
-   don't have it.  Spotted by tim@.
-
-20121104
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2012/10/31 08:04:50
-     [sshd_config.5]
-     tweak previous;
-   - djm@cvs.openbsd.org 2012/11/04 10:38:43
-     [auth2-pubkey.c sshd.c sshd_config.5]
-     Remove default of AuthorizedCommandUser. Administrators are now expected
-     to explicitly specify a user. feedback and ok markus@
-   - djm@cvs.openbsd.org 2012/11/04 11:09:15
-     [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
-     [sshd_config.5]
-     Support multiple required authentication via an AuthenticationMethods
-     option. This option lists one or more comma-separated lists of
-     authentication method names. Successful completion of all the methods in
-     any list is required for authentication to complete;
-     feedback and ok markus@
-
-20121030
- - (djm) OpenBSD CVS Sync
-   - markus@cvs.openbsd.org 2012/10/05 12:34:39
-     [sftp.c]
-     fix signed vs unsigned warning; feedback & ok: djm@
-   - djm@cvs.openbsd.org 2012/10/30 21:29:55
-     [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
-     [sshd.c sshd_config sshd_config.5]
-     new sshd_config option AuthorizedKeysCommand to support fetching
-     authorized_keys from a command in addition to (or instead of) from
-     the filesystem. The command is run as the target server user unless
-     another specified via a new AuthorizedKeysCommandUser option.
-     
-     patch originally by jchadima AT redhat.com, reworked by me; feedback
-     and ok markus@
-
-20121019
- - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in
-   the generated file as intended.
-
-20121005
- - (dtucker) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2012/09/17 09:54:44
-     [sftp.c]
-     an XXX for later
-   - markus@cvs.openbsd.org 2012/09/17 13:04:11
-     [packet.c]
-     clear old keys on rekeing; ok djm
-   - dtucker@cvs.openbsd.org 2012/09/18 10:36:12
-     [sftp.c]
-     Add bounds check on sftp tab-completion.  Part of a patch from from
-     Jean-Marc Robert via tech@, ok djm
-   - dtucker@cvs.openbsd.org 2012/09/21 10:53:07
-     [sftp.c]
-     Fix improper handling of absolute paths when PWD is part of the completed
-     path.  Patch from Jean-Marc Robert via tech@, ok djm.
-  - dtucker@cvs.openbsd.org 2012/09/21 10:55:04
-     [sftp.c]
-     Fix handling of filenames containing escaped globbing characters and
-     escape "#" and "*".  Patch from Jean-Marc Robert via tech@, ok djm.
-   - jmc@cvs.openbsd.org 2012/09/26 16:12:13
-     [ssh.1]
-     last stage of rfc changes, using consistent Rs/Re blocks, and moving the
-     references into a STANDARDS section;
-   - naddy@cvs.openbsd.org 2012/10/01 13:59:51
-     [monitor_wrap.c]
-     pasto; ok djm@
-   - djm@cvs.openbsd.org 2012/10/02 07:07:45
-     [ssh-keygen.c]
-     fix -z option, broken in revision 1.215
-   - markus@cvs.openbsd.org 2012/10/04 13:21:50
-     [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
-     add umac128 variant; ok djm@ at n2k12
-  - dtucker@cvs.openbsd.org 2012/09/06 04:11:07
-     [regress/try-ciphers.sh]
-     Restore missing space.  (Id sync only).
-   - dtucker@cvs.openbsd.org 2012/09/09 11:51:25
-     [regress/multiplex.sh]
-     Add test for ssh -Ostop
-   - dtucker@cvs.openbsd.org 2012/09/10 00:49:21
-     [regress/multiplex.sh]
-     Log -O cmd output to the log file and make logging consistent with the
-     other tests.  Test clean shutdown of an existing channel when testing
-     "stop".
-   - dtucker@cvs.openbsd.org 2012/09/10 01:51:19
-     [regress/multiplex.sh]
-     use -Ocheck and waiting for completions by PID to make multiplexing test
-     less racy and (hopefully) more reliable on slow hardware.
- - [Makefile umac.c] Add special-case target to build umac128.o.
- - [umac.c] Enforce allowed umac output sizes.  From djm@.
- - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom".
-
-20120917
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2012/09/13 23:37:36
-     [servconf.c]
-     Fix comment line length
-   - markus@cvs.openbsd.org 2012/09/14 16:51:34
-     [sshconnect.c]
-     remove unused variable
-
-20120907
- - (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2012/09/06 09:50:13
-     [clientloop.c]
-     Make the escape command help (~?) context sensitive so that only commands
-     that will work in the current session are shown.  ok markus@
-   - jmc@cvs.openbsd.org 2012/09/06 13:57:42
-     [ssh.1]
-     missing letter in previous;
-   - dtucker@cvs.openbsd.org 2012/09/07 00:30:19
-     [clientloop.c]
-     Print '^Z' instead of a raw ^Z when the sequence is not supported.  ok djm@
-   - dtucker@cvs.openbsd.org 2012/09/07 01:10:21
-     [clientloop.c]
-     Merge escape help text for ~v and ~V; ok djm@
-   - dtucker@cvs.openbsd.org 2012/09/07 06:34:21
-     [clientloop.c]
-     when muxmaster is run with -N, make it shut down gracefully when a client
-     sends it "-O stop" rather than hanging around (bz#1985).  ok djm@
-
-20120906
- - (dtucker) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2012/08/15 18:25:50
-     [ssh-keygen.1]
-     a little more info on certificate validity;
-     requested by Ross L Richardson, and provided by djm
-   - dtucker@cvs.openbsd.org 2012/08/17 00:45:45
-     [clientloop.c clientloop.h mux.c]
-     Force a clean shutdown of ControlMaster client sessions when the ~. escape
-     sequence is used.  This means that ~. should now work in mux clients even
-     if the server is no longer responding.  Found by tedu, ok djm.
-   - djm@cvs.openbsd.org 2012/08/17 01:22:56
-     [kex.c]
-     add some comments about better handling first-KEX-follows notifications
-     from the server. Nothing uses these right now. No binary change
-   - djm@cvs.openbsd.org 2012/08/17 01:25:58
-     [ssh-keygen.c]
-     print details of which host lines were deleted when using
-     "ssh-keygen -R host"; ok markus@
-   - djm@cvs.openbsd.org 2012/08/17 01:30:00
-     [compat.c sshconnect.c]
-     Send client banner immediately, rather than waiting for the server to
-     move first for SSH protocol 2 connections (the default). Patch based on
-     one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
-   - dtucker@cvs.openbsd.org 2012/09/06 04:37:39
-     [clientloop.c log.c ssh.1 log.h]
-     Add ~v and ~V escape sequences to raise and lower the logging level
-     respectively. Man page help from jmc, ok deraadt jmc
-
-20120830
- - (dtucker) [moduli] Import new moduli file.
-
-20120828
- - (djm) Release openssh-6.1
-
-20120828
- - (dtucker) [openbsd-compat/bsd-cygwin_util.h] define WIN32_LEAN_AND_MEAN
-   for compatibility with future mingw-w64 headers.  Patch from vinschen at
-   redhat com.
-
-20120822
- - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-   [contrib/suse/openssh.spec] Update version numbers
-
-20120731
- - (djm) OpenBSD CVS Sync
-   - jmc@cvs.openbsd.org 2012/07/06 06:38:03
-     [ssh-keygen.c]
-     missing full stop in usage();
-   - djm@cvs.openbsd.org 2012/07/10 02:19:15
-     [servconf.c servconf.h sshd.c sshd_config]
-     Turn on systrace sandboxing of pre-auth sshd by default for new installs
-     by shipping a config that overrides the current UsePrivilegeSeparation=yes
-     default. Make it easier to flip the default in the future by adding too.
-     prodded markus@ feedback dtucker@ "get it in" deraadt@
-   - dtucker@cvs.openbsd.org 2012/07/13 01:35:21
-     [servconf.c]
-     handle long comments in config files better.  bz#2025, ok markus
-   - markus@cvs.openbsd.org 2012/07/22 18:19:21
-     [version.h]
-     openssh 6.1
-
-20120720
- - (dtucker) Import regened moduli file.
-
-20120706
- - (djm) [sandbox-seccomp-filter.c] fallback to rlimit if seccomp filter is
-   not available. Allows use of sshd compiled on host with a filter-capable
-   kernel on hosts that lack the support. bz#2011 ok dtucker@
- - (djm) [configure.ac] Recursively expand $(bindir) to ensure it has no
-   unexpanded $(prefix) embedded. bz#2007 patch from nix-corp AT
-   esperi.org.uk; ok dtucker@
-- (djm) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2012/07/06 00:41:59
-     [moduli.c ssh-keygen.1 ssh-keygen.c]
-     Add options to specify starting line number and number of lines to process
-     when screening moduli candidates.  This allows processing of different
-     parts of a candidate moduli file in parallel.  man page help jmc@, ok djm@
-   - djm@cvs.openbsd.org 2012/07/06 01:37:21
-     [mux.c]
-     fix memory leak of passed-in environment variables and connection
-     context when new session message is malformed; bz#2003 from Bert.Wesarg
-     AT googlemail.com
-   - djm@cvs.openbsd.org 2012/07/06 01:47:38
-     [ssh.c]
-     move setting of tty_flag to after config parsing so RequestTTY options
-     are correctly picked up. bz#1995 patch from przemoc AT gmail.com;
-     ok dtucker@
-
-20120704
- - (dtucker) [configure.ac openbsd-compat/bsd-misc.h] Add setlinebuf for
-   platforms that don't have it.  "looks good" tim@
-
-20120703
- - (dtucker) [configure.ac] Detect platforms that can't use select(2) with
-   setrlimit(RLIMIT_NOFILE, rl_zero) and disable the rlimit sandbox on those.
- - (dtucker) [configure.ac sandbox-rlimit.c] Test whether or not
-   setrlimit(RLIMIT_FSIZE, rl_zero) and skip it if it's not supported.  Its
-   benefit is minor, so it's not worth disabling the sandbox if it doesn't
-   work.
-
-20120702
-- (dtucker) OpenBSD CVS Sync
-   - naddy@cvs.openbsd.org 2012/06/29 13:57:25
-     [ssh_config.5 sshd_config.5]
-     match the documented MAC order of preference to the actual one;
-     ok dtucker@
-   - markus@cvs.openbsd.org 2012/06/30 14:35:09
-     [sandbox-systrace.c sshd.c]
-     fix a during the load of the sandbox policies (child can still make
-     the read-syscall and wait forever for systrace-answers) by replacing
-     the read/write synchronisation with SIGSTOP/SIGCONT;
-     report and help hshoexer@; ok djm@, dtucker@
-   - dtucker@cvs.openbsd.org 2012/07/02 08:50:03
-     [ssh.c]
-     set interactive ToS for forwarded X11 sessions.  ok djm@
-   - dtucker@cvs.openbsd.org 2012/07/02 12:13:26
-     [ssh-pkcs11-helper.c sftp-client.c]
-     fix a couple of "assigned but not used" warnings.  ok markus@
-   - dtucker@cvs.openbsd.org 2012/07/02 14:37:06
-     [regress/connect-privsep.sh]
-     remove exit from end of test since it prevents reporting failure
- - (dtucker) [regress/reexec.sh regress/sftp-cmds.sh regress/test-exec.sh]
-   Move cygwin detection to test-exec and use to skip reexec test on cygwin.
- - (dtucker) [regress/test-exec.sh] Correct uname for cygwin/w2k.
-
-20120629
- - OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2012/06/21 00:16:07
-     [addrmatch.c]
-     fix strlcpy truncation check.  from carsten at debian org, ok markus
-   - dtucker@cvs.openbsd.org 2012/06/22 12:30:26
-     [monitor.c sshconnect2.c]
-     remove dead code following 'for (;;)' loops.
-     From Steve.McClellan at radisys com, ok markus@
-   - dtucker@cvs.openbsd.org 2012/06/22 14:36:33
-     [sftp.c]
-     Remove unused variable leftover from tab-completion changes.
-     From Steve.McClellan at radisys com, ok markus@
-   - dtucker@cvs.openbsd.org 2012/06/26 11:02:30
-     [sandbox-systrace.c]
-     Add mquery to the list of allowed syscalls for "UsePrivilegeSeparation
-     sandbox" since malloc now uses it.  From johnw.mail at gmail com.
-   - dtucker@cvs.openbsd.org 2012/06/28 05:07:45
-     [mac.c myproposal.h ssh_config.5 sshd_config.5]
-     Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
-     from draft6 of the spec and will not be in the RFC when published.  Patch
-     from mdb at juniper net via bz#2023, ok markus.
-   - naddy@cvs.openbsd.org 2012/06/29 13:57:25
-     [ssh_config.5 sshd_config.5]
-     match the documented MAC order of preference to the actual one; ok dtucker@
-   - dtucker@cvs.openbsd.org 2012/05/13 01:42:32
-     [regress/addrmatch.sh]
-     Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
-     to match.  Feedback and ok djm@ markus@.
-   - djm@cvs.openbsd.org 2012/06/01 00:47:35
-     [regress/multiplex.sh regress/forwarding.sh]
-     append to rather than truncate test log; bz#2013 from openssh AT
-     roumenpetrov.info
-   - djm@cvs.openbsd.org 2012/06/01 00:52:52
-     [regress/sftp-cmds.sh]
-     don't delete .* on cleanup due to unintended env expansion; pointed out in
-     bz#2014 by openssh AT roumenpetrov.info
-   - dtucker@cvs.openbsd.org 2012/06/26 12:06:59
-     [regress/connect-privsep.sh]
-     test sandbox with every malloc option
-   - dtucker@cvs.openbsd.org 2012/06/28 05:07:45
-     [regress/try-ciphers.sh regress/cipher-speed.sh]
-     Remove hmac-sha2-256-96 and hmac-sha2-512-96 MACs since they were removed
-     from draft6 of the spec and will not be in the RFC when published.  Patch
-     from mdb at juniper net via bz#2023, ok markus.
- - (dtucker) [myproposal.h] Remove trailing backslash to fix compile error.
- - (dtucker) [key.c] ifdef out sha256 key types on platforms that don't have
-   the required functions in libcrypto.
-
-20120628
- - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null
-   pointer deref in the client when built with LDNS and using DNSSEC with a
-   CNAME.  Patch from gregdlg+mr at hochet info.
-
-20120622
- - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs as
-   can logon as a service.  Patch from vinschen at redhat com.
-
-20120620
- - (djm) OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2011/12/02 00:41:56
-     [mux.c]
-     fix bz#1948: ssh -f doesn't fork for multiplexed connection.
-     ok dtucker@
-   - djm@cvs.openbsd.org 2011/12/04 23:16:12
-     [mux.c]
-     revert:
-     > revision 1.32
-     > date: 2011/12/02 00:41:56;  author: djm;  state: Exp;  lines: +4 -1
-     > fix bz#1948: ssh -f doesn't fork for multiplexed connection.
-     > ok dtucker@
-     it interacts badly with ControlPersist
-   - djm@cvs.openbsd.org 2012/01/07 21:11:36
-     [mux.c]
-     fix double-free in new session handler
-     NB. Id sync only
-   - djm@cvs.openbsd.org 2012/05/23 03:28:28
-     [dns.c dns.h key.c key.h ssh-keygen.c]
-     add support for RFC6594 SSHFP DNS records for ECDSA key types.
-     patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
-     (Original authors Ondřej Surý,  Ondřej Caletka and Daniel Black)
-   - djm@cvs.openbsd.org 2012/06/01 00:49:35
-     [PROTOCOL.mux]
-     correct types of port numbers (integers, not strings); bz#2004 from
-     bert.wesarg AT googlemail.com
-   - djm@cvs.openbsd.org 2012/06/01 01:01:22
-     [mux.c]
-     fix memory leak when mux socket creation fails; bz#2002 from bert.wesarg
-     AT googlemail.com
-   - dtucker@cvs.openbsd.org 2012/06/18 11:43:53
-     [jpake.c]
-     correct sizeof usage.  patch from saw at online.de, ok deraadt
-   - dtucker@cvs.openbsd.org 2012/06/18 11:49:58
-     [ssh_config.5]
-     RSA instead of DSA twice.  From Steve.McClellan at radisys com
-   - dtucker@cvs.openbsd.org 2012/06/18 12:07:07
-     [ssh.1 sshd.8]
-     Remove mention of 'three' key files since there are now four.  From
-     Steve.McClellan at radisys com.
-   - dtucker@cvs.openbsd.org 2012/06/18 12:17:18
-     [ssh.1]
-     Clarify description of -W.  Noted by Steve.McClellan at radisys com,
-     ok jmc
-   - markus@cvs.openbsd.org 2012/06/19 18:25:28
-     [servconf.c servconf.h sshd_config.5]
-     sshd_config: extend Match to allow AcceptEnv and {Allow,Deny}{Users,Groups}
-     this allows 'Match LocalPort 1022' combined with 'AllowUser bauer'
-     ok djm@ (back in March)
-   - jmc@cvs.openbsd.org 2012/06/19 21:35:54
-     [sshd_config.5]
-     tweak previous; ok markus
-   - djm@cvs.openbsd.org 2012/06/20 04:42:58
-     [clientloop.c serverloop.c]
-     initialise accept() backoff timer to avoid EINVAL from select(2) in
-     rekeying
-
-20120519
- - (dtucker) [configure.ac] bz#2010: fix non-portable shell construct.  Patch
-   from cjwatson at debian org.
- - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to find
-   pkg-config so it does the right thing when cross-compiling.  Patch from
-   cjwatson at debian org.
-- (dtucker) OpenBSD CVS Sync
-   - dtucker@cvs.openbsd.org 2012/05/13 01:42:32
-     [servconf.h servconf.c sshd.8 sshd.c auth.c sshd_config.5]
-     Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
-     to match.  Feedback and ok djm@ markus@.
-   - dtucker@cvs.openbsd.org 2012/05/19 06:30:30
-     [sshd_config.5]
-     Document PermitOpen none.  bz#2001, patch from Loganaden Velvindron
-
-20120504
- - (dtucker) [configure.ac] Include <sys/param.h> rather than <sys/types.h>
-   to fix building on some plaforms.  Fom bowman at math utah edu and
-   des at des no.
-
-20120427
- - (dtucker) [regress/addrmatch.sh] skip tests when running on a non-ipv6
-   platform rather than exiting early, so that we still clean up and return
-   success or failure to test-exec.sh
-
-20120426
- - (djm) [auth-passwd.c] Handle crypt() returning NULL; from Paul Wouters
-   via Niels
- - (djm) [auth-krb5.c] Save errno across calls that might modify it;
-   ok dtucker@
-
-20120423
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2012/04/23 08:18:17
-     [channels.c]
-     fix function proto/source mismatch
-
-20120422
- - OpenBSD CVS Sync
-   - djm@cvs.openbsd.org 2012/02/29 11:21:26
-     [ssh-keygen.c]
-     allow conversion of RSA1 keys to public PEM and PKCS8; "nice" markus@
-   - guenther@cvs.openbsd.org 2012/03/15 03:10:27
-     [session.c]
-     root should always be excluded from the test for /etc/nologin instead
-     of having it always enforced even when marked as ignorenologin.  This
-     regressed when the logic was incompletely flipped around in rev 1.251
-     ok halex@ millert@
-   - djm@cvs.openbsd.org 2012/03/28 07:23:22
-     [PROTOCOL.certkeys]
-     explain certificate extensions/crit split rationale. Mention requirement
-     that each appear at most once per cert.
-   - dtucker@cvs.openbsd.org 2012/03/29 23:54:36
-     [channels.c channels.h servconf.c]
-     Add PermitOpen none option based on patch from Loganaden Velvindron
-     (bz #1949).  ok djm@
-   - djm@cvs.openbsd.org 2012/04/11 13:16:19
-     [channels.c channels.h clientloop.c serverloop.c]
-     don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
-     while; ok deraadt@ markus@
-   - djm@cvs.openbsd.org 2012/04/11 13:17:54
-     [auth.c]
-     Support "none" as an argument for AuthorizedPrincipalsFile to indicate
-     no file should be read.
-   - djm@cvs.openbsd.org 2012/04/11 13:26:40
-     [sshd.c]
-     don't spin in accept() when out of fds (ENFILE/ENFILE) - back off for a
-     while; ok deraadt@ markus@
-   - djm@cvs.openbsd.org 2012/04/11 13:34:17
-     [ssh-keyscan.1 ssh-keyscan.c]
-     now that sshd defaults to offering ECDSA keys, ssh-keyscan should also
-     look for them by default; bz#1971
-   - djm@cvs.openbsd.org 2012/04/12 02:42:32
-     [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
-     VersionAddendum option to allow server operators to append some arbitrary
-     text to the SSH-... banner; ok deraadt@ "don't care" markus@
-   - djm@cvs.openbsd.org 2012/04/12 02:43:55
-     [sshd_config sshd_config.5]
-     mention AuthorizedPrincipalsFile=none default
-   - djm@cvs.openbsd.org 2012/04/20 03:24:23
-     [sftp.c]
-     setlinebuf(3) is more readable than setvbuf(.., _IOLBF, ...)
-   - jmc@cvs.openbsd.org 2012/04/20 16:26:22
-     [ssh.1]
-     use "brackets" instead of "braces", for consistency;
-
-20120420
- - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
-   [contrib/suse/openssh.spec] Update for release 6.0
- - (djm) [README] Update URL to release notes.
- - (djm) Release openssh-6.0
-