* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 979 insertions, 0 deletions

diff --git a/ChangeLog b/ChangeLog
index b2df66023..d6e4a4a25 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,982 @@
+20100307
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/03/07 22:16:01
+     [ssh-keygen.c]
+     make internal strptime string match strftime format;
+     suggested by vinschen AT redhat.com and markus@
+   - djm@cvs.openbsd.org 2010/03/08 00:28:55
+     [ssh-keygen.1]
+     document permit-agent-forwarding certificate constraint; patch from
+     stevesk@
+   - djm@cvs.openbsd.org 2010/03/07 22:01:32
+     [version.h]
+     openssh-5.4
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   crank version numbers
+ - (djm) Release OpenSSH-5.4p1
+
+20100307
+ - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
+   it gets the passwd struct from the LAM that knows about the user which is
+   not necessarily the default.  Patch from Alexandre Letourneau.
+ - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
+   do not set real uid, since that's needed for the chroot, and will be set
+   by permanently_set_uid.
+ - (dtucker) [session.c] Also initialize creds to NULL for handing to
+    setpcred.
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2010/03/07 11:57:13
+     [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
+     Hold authentication debug messages until after successful authentication.
+     Fixes an info leak of environment variables specified in authorized_keys,
+     reported by Jacob Appelbaum.  ok djm@
+
+20100305
+ - OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2010/03/04 12:51:25
+     [ssh.1 sshd_config.5]
+     tweak previous;
+   - djm@cvs.openbsd.org 2010/03/04 20:35:08
+     [ssh-keygen.1 ssh-keygen.c]
+     Add a -L flag to print the contents of a certificate; ok markus@
+   - jmc@cvs.openbsd.org 2010/03/04 22:52:40
+     [ssh-keygen.1]
+     fix Bk/Ek;
+   - djm@cvs.openbsd.org 2010/03/04 23:17:25
+     [sshd_config.5]
+     missing word; spotted by jmc@
+   - djm@cvs.openbsd.org 2010/03/04 23:19:29
+     [ssh.1 sshd.8]
+     move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
+     format section and rework it a bit; requested by jmc@
+   - djm@cvs.openbsd.org 2010/03/04 23:27:25
+     [auth-options.c ssh-keygen.c]
+     "force-command" is not spelled "forced-command"; spotted by
+     imorgan AT nas.nasa.gov
+   - djm@cvs.openbsd.org 2010/03/05 02:58:11
+     [auth.c]
+     make the warning for a revoked key louder and more noticable
+   - jmc@cvs.openbsd.org 2010/03/05 06:50:35
+     [ssh.1 sshd.8]
+     tweak previous;
+   - jmc@cvs.openbsd.org 2010/03/05 08:31:20
+     [ssh.1]
+     document certificate authentication; help/ok djm
+   - djm@cvs.openbsd.org 2010/03/05 10:28:21
+     [ssh-add.1 ssh.1 ssh_config.5]
+     mention loading of certificate files from [private]-cert.pub when
+     they are present; feedback and ok jmc@
+ - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
+   compilers. OK djm@
+ - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure
+   on some platforms
+ - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@
+
+20100304
+ - (djm) [ssh-keygen.c] Use correct local variable, instead of
+   maybe-undefined global "optarg"
+ - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
+   on XFree86-devel with neutral /usr/include/X11/Xlib.h;
+   imorgan AT nas.nasa.gov in bz#1731
+ - (djm) [.cvsignore] Ignore ssh-pkcs11-helper
+ - (djm) [regress/Makefile] Cleanup sshd_proxy_orig
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/03/03 01:44:36
+     [auth-options.c key.c]
+     reject strings with embedded ASCII nul chars in certificate key IDs,
+     principal names and constraints
+   - djm@cvs.openbsd.org 2010/03/03 22:49:50
+     [sshd.8]
+     the authorized_keys option for CA keys is "cert-authority", not
+     "from=cert-authority". spotted by imorgan AT nas.nasa.gov
+   - djm@cvs.openbsd.org 2010/03/03 22:50:40
+     [PROTOCOL.certkeys]
+     s/similar same/similar/; from imorgan AT nas.nasa.gov
+   - djm@cvs.openbsd.org 2010/03/04 01:44:57
+     [key.c]
+     use buffer_get_string_ptr_ret() where we are checking the return
+     value explicitly instead of the fatal()-causing buffer_get_string_ptr()
+   - djm@cvs.openbsd.org 2010/03/04 10:36:03
+     [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
+     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
+     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
+     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
+     are trusted to authenticate users (in addition than doing it per-user
+     in authorized_keys).
+     
+     Add a RevokedKeys option to sshd_config and a @revoked marker to
+     known_hosts to allow keys to me revoked and banned for user or host
+     authentication.
+     
+     feedback and ok markus@
+   - djm@cvs.openbsd.org 2010/03/03 00:47:23
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     add an extra test to ensure that authentication with the wrong
+     certificate fails as it should (and it does)
+   - djm@cvs.openbsd.org 2010/03/04 10:38:23
+     [regress/cert-hostkey.sh regress/cert-userkey.sh]
+     additional regression tests for revoked keys and TrustedUserCAKeys
+
+20100303
+ - (djm) [PROTOCOL.certkeys] Add RCS Ident
+ - OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2010/02/26 22:09:28
+     [ssh-keygen.1 ssh.1 sshd.8]
+     tweak previous;
+   - otto@cvs.openbsd.org 2010/03/01 11:07:06
+     [ssh-add.c]
+     zap what seems to be a left-over debug message; ok markus@
+   - djm@cvs.openbsd.org 2010/03/02 23:20:57
+     [ssh-keygen.c]
+     POSIX strptime is stricter than OpenBSD's so do a little dance to
+     appease it.
+ - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too
+
+20100302
+ - (tim) [config.guess config.sub] Bug 1722: Update to latest versions from
+   http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22
+   respectively).
+
+20100301
+ - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace
+   "echo -n" with "echon" for portability.
+ - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM
+   adjust log at verbose only, since according to cjwatson in bug #1470
+   some virtualization platforms don't allow writes.
+
+20100228
+ - (djm) [auth.c] On Cygwin, refuse usernames that have differences in
+   case from that matched in the system password database. On this
+   platform, passwords are stored case-insensitively, but sshd requires
+   exact case matching for Match blocks in sshd_config(5). Based on
+   a patch from vinschen AT redhat.com.
+ - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions
+   to make older compilers (gcc 2.95) happy.
+
+20100227
+ - (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded
+ - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment
+   variables copied into sshd child processes. From vinschen AT redhat.com
+
+20100226
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/02/26 20:29:54
+     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
+     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
+     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
+     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
+     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
+     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
+     Add support for certificate key types for users and hosts.
+     
+     OpenSSH certificate key types are not X.509 certificates, but a much
+     simpler format that encodes a public key, identity information and
+     some validity constraints and signs it with a CA key. CA keys are
+     regular SSH keys. This certificate style avoids the attack surface
+     of X.509 certificates and is very easy to deploy.
+     
+     Certified host keys allow automatic acceptance of new host keys
+     when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
+     see VERIFYING HOST KEYS in ssh(1) for details.
+     
+     Certified user keys allow authentication of users when the signing
+     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
+     FILE FORMAT" in sshd(8) for details.
+     
+     Certificates are minted using ssh-keygen(1), documentation is in
+     the "CERTIFICATES" section of that manpage.
+     
+     Documentation on the format of certificates is in the file
+     PROTOCOL.certkeys
+     
+     feedback and ok markus@
+   - djm@cvs.openbsd.org 2010/02/26 20:33:21
+     [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
+     regression tests for certified keys
+
+20100224
+ - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
+   [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/02/11 20:37:47
+     [pathnames.h]
+     correct comment
+   - dtucker@cvs.openbsd.org 2009/11/09 04:20:04
+     [regress/Makefile]
+     add regression test for ssh-keygen pubkey conversions
+   - dtucker@cvs.openbsd.org 2010/01/11 02:53:44
+     [regress/forwarding.sh]
+     regress test for stdio forwarding
+   - djm@cvs.openbsd.org 2010/02/09 04:57:36
+     [regress/addrmatch.sh]
+     clean up droppings
+   - djm@cvs.openbsd.org 2010/02/09 06:29:02
+     [regress/Makefile]
+     turn on all the malloc(3) checking options when running regression
+     tests. this has caught a few bugs for me in the past; ok dtucker@
+   - djm@cvs.openbsd.org 2010/02/24 06:21:56
+     [regress/test-exec.sh]
+     wait for sshd to fully stop in cleanup() function; avoids races in tests
+     that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
+   - markus@cvs.openbsd.org 2010/02/08 10:52:47
+     [regress/agent-pkcs11.sh]
+     test for PKCS#11 support (currently disabled)
+ - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] Add PKCS#11 helper binary and manpage
+
+20100212
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/02/02 22:49:34
+     [bufaux.c]
+     make buffer_get_string_ret() really non-fatal in all cases (it was
+     using buffer_get_int(), which could fatal() on buffer empty);
+     ok markus dtucker
+   - markus@cvs.openbsd.org 2010/02/08 10:50:20
+     [pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
+     [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
+     replace our obsolete smartcard code with PKCS#11.
+        ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
+     ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
+     provider (shared library) while ssh-agent(1) delegates PKCS#11 to
+     a forked a ssh-pkcs11-helper process.
+     PKCS#11 is currently a compile time option.
+     feedback and ok djm@; inspired by patches from Alon Bar-Lev
+   - jmc@cvs.openbsd.org 2010/02/08 22:03:05
+     [ssh-add.1 ssh-keygen.1 ssh.1 ssh.c]
+     tweak previous; ok markus
+   - djm@cvs.openbsd.org 2010/02/09 00:50:36
+     [ssh-agent.c]
+     fallout from PKCS#11: unbreak -D
+   - djm@cvs.openbsd.org 2010/02/09 00:50:59
+     [ssh-keygen.c]
+     fix -Wall
+   - djm@cvs.openbsd.org 2010/02/09 03:56:28
+     [buffer.c buffer.h]
+     constify the arguments to buffer_len, buffer_ptr and buffer_dump
+   - djm@cvs.openbsd.org 2010/02/09 06:18:46
+     [auth.c]
+     unbreak ChrootDirectory+internal-sftp by skipping check for executable
+     shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
+   - markus@cvs.openbsd.org 2010/02/10 23:20:38
+     [ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
+     pkcs#11 is no longer optional; improve wording; ok jmc@
+   - jmc@cvs.openbsd.org 2010/02/11 13:23:29
+     [ssh.1]
+     libarary -> library;
+ - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
+   [scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java]
+   Remove obsolete smartcard support
+ - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
+   Make it compile on OSX
+ - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
+   Use ssh_get_progname to fill __progname
+ - (djm) [configure.ac] Enable PKCS#11 support only when we find a working
+   dlopen()
+
+20100210
+ - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for
+   getseuserbyname; patch from calebcase AT gmail.com via
+   cjwatson AT debian.org
+
+20100202
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/01/30 21:08:33
+     [sshd.8]
+     debug output goes to stderr, not "the system log"; ok markus dtucker
+   - djm@cvs.openbsd.org 2010/01/30 21:12:08
+     [channels.c]
+     fake local addr:port when stdio fowarding as some servers (Tectia at
+     least) validate that they are well-formed;
+     reported by imorgan AT nas.nasa.gov
+     ok dtucker
+
+20100130
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/01/28 00:21:18
+     [clientloop.c]
+     downgrade an error() to a debug() - this particular case can be hit in
+     normal operation for certain sequences of mux slave vs session closure
+     and is harmless
+   - djm@cvs.openbsd.org 2010/01/29 00:20:41
+     [sshd.c]
+     set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com
+     ok dtucker@
+   - djm@cvs.openbsd.org 2010/01/29 20:16:17
+     [mux.c]
+     kill correct channel (was killing already-dead mux channel, not
+     its session channel)
+   - djm@cvs.openbsd.org 2010/01/30 02:54:53
+     [mux.c]
+     don't mark channel as read failed if it is already closing; suppresses
+     harmless error messages when connecting to SSH.COM Tectia server
+     report by imorgan AT nas.nasa.gov
+
+20100129
+ - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()
+   after registering the hardware engines, which causes the openssl.cnf file to
+   be processed.  See OpenSSL's man page for OPENSSL_config(3) for details.
+   Patch from Solomon Peachy, ok djm@.
+
+20100128
+ - (djm) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/01/26 02:15:20
+     [mux.c]
+     -Wuninitialized and remove a // comment; from portable
+     (Id sync only)
+   - djm@cvs.openbsd.org 2010/01/27 13:26:17
+     [mux.c]
+     fix bug introduced in mux rewrite:
+     
+     In a mux master, when a socket to a mux slave closes before its server
+     session (as may occur when the slave has been signalled), gracefully
+     close the server session rather than deleting its channel immediately.
+     A server may have more messages on that channel to send (e.g. an exit
+     message) that will fatal() the client if they are sent to a channel that
+     has been prematurely deleted.
+     
+     spotted by imorgan AT nas.nasa.gov
+   - djm@cvs.openbsd.org 2010/01/27 19:21:39
+     [sftp.c]
+     add missing "p" flag to getopt optstring;
+     bz#1704 from imorgan AT nas.nasa.gov
+
+20100126
+ - (djm) OpenBSD CVS Sync
+   - tedu@cvs.openbsd.org 2010/01/17 21:49:09
+     [ssh-agent.1]
+     Correct and clarify ssh-add's password asking behavior.
+     Improved text dtucker and ok jmc
+   - dtucker@cvs.openbsd.org 2010/01/18 01:50:27
+     [roaming_client.c]
+     s/long long unsigned/unsigned long long/, from tim via portable
+     (Id sync only, change already in portable)
+   - djm@cvs.openbsd.org 2010/01/26 01:28:35
+     [channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c]
+     rewrite ssh(1) multiplexing code to a more sensible protocol.
+     
+     The new multiplexing code uses channels for the listener and
+     accepted control sockets to make the mux master non-blocking, so
+     no stalls when processing messages from a slave.
+     
+     avoid use of fatal() in mux master protocol parsing so an errant slave
+     process cannot take down a running master.
+     
+     implement requesting of port-forwards over multiplexed sessions. Any
+     port forwards requested by the slave are added to those the master has
+     established.
+     
+     add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
+     
+     document master/slave mux protocol so that other tools can use it to
+     control a running ssh(1). Note: there are no guarantees that this
+     protocol won't be incompatibly changed (though it is versioned).
+     
+     feedback Salvador Fandino, dtucker@
+     channel changes ok markus@
+
+20100122
+ - (tim) [configure.ac] Due to constraints in Windows Sockets in terms of
+   socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size
+   in Cygwin to 65535. Patch from Corinna Vinschen.
+
+20100117
+ - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too.
+ - (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions
+   snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf().
+
+20100116
+ - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h
+   so we correctly detect whether or not we have a native user_from_uid.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid
+   and group_from_gid.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by
+   Tim.
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2010/01/15 09:24:23
+     [sftp-common.c]
+     unused
+ - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused
+   variable warnings.
+ - (dtucker) [openbsd-compat/openbsd-compat.h] Typo.
+ - (tim) [regress/portnum.sh] Shell portability fix.
+ - (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native
+   getaddrinfo() is too old and limited for addr_pton() in addrmatch.c.
+ - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we
+   use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/
+   to keep USL compilers happy.
+
+20100115
+ - (dtucker) OpenBSD CVS Sync
+   - jmc@cvs.openbsd.org 2010/01/13 12:48:34
+     [sftp.1 sftp.c]
+     sftp.1: put ls -h in the right place
+     sftp.c: as above, plus add -p to get/put, and shorten their arg names
+     to keep the help usage nicely aligned
+     ok djm
+   - djm@cvs.openbsd.org 2010/01/13 23:47:26
+     [auth.c]
+     when using ChrootDirectory, make sure we test for the existence of the
+     user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
+     ok dtucker
+   - dtucker@cvs.openbsd.org 2010/01/14 23:41:49
+     [sftp-common.c]
+     use user_from{uid,gid} to lookup up ids since it keeps a small cache.
+     ok djm
+   - guenther@cvs.openbsd.org 2010/01/15 00:05:22
+     [sftp.c]
+     Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp
+     inherited SIGTERM as ignored it will still be able to kill the ssh it
+     starts.
+     ok dtucker@
+ - (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no
+   changes yet but there will be some to come).
+ - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c} Portability
+   for pwcache.  Also, added caching of negative hits.
+
+20100114
+ - (djm) [platform.h] Add missing prototype for
+   platform_krb5_get_principal_name
+
+20100113
+ - (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs.
+ - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18:
+   missing restore of SIGTTOU and some whitespace.
+ - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21.
+ - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22.
+   Fixes bz #1590, where sometimes you could not interrupt a connection while
+   ssh was prompting for a passphrase or password.
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2010/01/13 00:19:04
+     [sshconnect.c auth.c]
+     Fix a couple of typos/mispellings in comments
+   - dtucker@cvs.openbsd.org 2010/01/13 01:10:56
+     [key.c]
+     Ignore and log any Protocol 1 keys where the claimed size is not equal to
+     the actual size.  Noted by Derek Martin, ok djm@
+   - dtucker@cvs.openbsd.org 2010/01/13 01:20:20
+     [canohost.c ssh-keysign.c sshconnect2.c]
+     Make HostBased authentication work with a ProxyCommand.  bz #1569, patch
+     from imorgan at nas nasa gov, ok djm@
+   - djm@cvs.openbsd.org 2010/01/13 01:40:16
+     [sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h]
+     support '-h' (human-readable units) for sftp's ls command, just like
+     ls(1); ok dtucker@
+   - djm@cvs.openbsd.org 2010/01/13 03:48:13
+     [servconf.c servconf.h sshd.c]
+     avoid run-time failures when specifying hostkeys via a relative
+     path by prepending the cwd in these cases; bz#1290; ok dtucker@
+   - djm@cvs.openbsd.org 2010/01/13 04:10:50
+     [sftp.c]
+     don't append a space after inserting a completion of a directory (i.e.
+     a path ending in '/') for a slightly better user experience; ok dtucker@
+ - (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef.
+ - (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG. 
+   feedback and ok dtucker@
+
+20100112
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2010/01/11 01:39:46
+     [ssh_config channels.c ssh.1 channels.h ssh.c]
+     Add a 'netcat mode' (ssh -W).  This connects stdio on the client to a
+     single port forward on the server.  This allows, for example, using ssh as
+     a ProxyCommand to route connections via intermediate servers.
+     bz #1618, man page help from jmc@, ok markus@
+   - dtucker@cvs.openbsd.org 2010/01/11 04:46:45
+     [authfile.c sshconnect2.c]
+     Do not prompt for a passphrase if we fail to open a keyfile, and log the
+     reason the open failed to debug.
+     bz #1693, found by tj AT castaglia org, ok djm@
+   - djm@cvs.openbsd.org 2010/01/11 10:51:07
+     [ssh-keygen.c]
+     when converting keys, truncate key comments at 72 chars as per RFC4716;
+     bz#1630 reported by tj AT castaglia.org; ok markus@
+   - dtucker@cvs.openbsd.org 2010/01/12 00:16:47
+     [authfile.c]
+     Fix bug introduced in r1.78 (incorrect brace location) that broke key auth.
+     Patch from joachim joachimschipper nl.
+   - djm@cvs.openbsd.org 2010/01/12 00:58:25
+     [monitor_fdpass.c]
+     avoid spinning when fd passing on nonblocking sockets by calling poll()
+     in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@
+   - djm@cvs.openbsd.org 2010/01/12 00:59:29
+     [roaming_common.c]
+     delete with extreme prejudice a debug() that fired with every keypress;
+     ok dtucker deraadt
+   - dtucker@cvs.openbsd.org 2010/01/12 01:31:05
+     [session.c]
+     Do not allow logins if /etc/nologin exists but is not readable by the user
+     logging in.  Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
+   - djm@cvs.openbsd.org 2010/01/12 01:36:08
+     [buffer.h bufaux.c]
+     add a buffer_get_string_ptr_ret() that does the same as
+     buffer_get_string_ptr() but does not fatal() on error; ok dtucker@
+   - dtucker@cvs.openbsd.org 2010/01/12 08:33:17
+     [session.c]
+     Add explicit stat so we reliably detect nologin with bad perms.
+     ok djm markus
+
+20100110
+ - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
+   Remove hacks add for RoutingDomain in preparation for its removal.
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
+     [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
+     ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
+     readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
+     Remove RoutingDomain from ssh since it's now not needed.  It can be
+     replaced with "route exec" or "nc -V" as a proxycommand.  "route exec"
+     also ensures that trafic such as DNS lookups stays withing the specified
+     routingdomain.  For example (from reyk):
+     # route -T 2 exec /usr/sbin/sshd
+     or inherited from the parent process
+     $ route -T 2 exec sh
+     $ ssh 10.1.2.3
+     ok deraadt@ markus@ stevesk@ reyk@
+   - dtucker@cvs.openbsd.org 2010/01/10 03:51:17
+     [servconf.c]
+     Add ChrootDirectory to sshd.c test-mode output
+   - dtucker@cvs.openbsd.org 2010/01/10 07:15:56
+     [auth.c]
+     Output a debug if we can't open an existing keyfile.  bz#1694, ok djm@
+
+20100109
+ - (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't
+   have it.
+ - (dtucker) [defines.h] define PRIu64 for platforms that don't have it.
+ - (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef.
+ - (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name
+   when using utmpx.  Patch from Ed Schouten.
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2010/01/09 00:20:26
+     [sftp-server.c sftp-server.8]
+     add a 'read-only' mode to sftp-server(8) that disables open in write mode
+     and all other fs-modifying protocol methods. bz#430 ok dtucker@
+   - djm@cvs.openbsd.org 2010/01/09 00:57:10
+     [PROTOCOL]
+     tweak language
+   - jmc@cvs.openbsd.org 2010/01/09 03:36:00
+     [sftp-server.8]
+     bad place to forget a comma...
+   - djm@cvs.openbsd.org 2010/01/09 05:04:24
+     [mux.c sshpty.h clientloop.c sshtty.c]
+     quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
+     usually don't actually have a tty to read/set; bz#1686 ok dtucker@
+   - dtucker@cvs.openbsd.org 2010/01/09 05:17:00
+     [roaming_client.c]
+     Remove a PRIu64 format string that snuck in with roaming.  ok djm@
+   - dtucker@cvs.openbsd.org 2010/01/09 11:13:02
+     [sftp.c]
+     Prevent sftp from derefing a null pointer when given a "-" without a
+     command.  Also, allow whitespace to follow a "-".  bz#1691, path from
+     Colin Watson via Debian.  ok djm@ deraadt@
+   - dtucker@cvs.openbsd.org 2010/01/09 11:17:56
+     [sshd.c]
+     Afer sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs
+     itself.  Prevents two HUPs in quick succession from resulting in sshd
+     dying.  bz#1692, patch from Colin Watson via Ubuntu.
+ - (dtucker) [defines.h] Remove now-undeeded PRIu64 define.
+
+20100108
+ - (dtucker) OpenBSD CVS Sync
+   - andreas@cvs.openbsd.org 2009/10/24 11:11:58
+     [roaming.h]
+     Declarations needed for upcoming changes.
+     ok markus@
+   - andreas@cvs.openbsd.org 2009/10/24 11:13:54
+     [sshconnect2.c kex.h kex.c]
+     Let the client detect if the server supports roaming by looking
+     for the resume@appgate.com kex algorithm.
+     ok markus@
+   - andreas@cvs.openbsd.org 2009/10/24 11:15:29
+     [clientloop.c]
+     client_loop() must detect if the session has been suspended and resumed,
+     and take appropriate action in that case.
+     From Martin Forssen, maf at appgate dot com
+   - andreas@cvs.openbsd.org 2009/10/24 11:19:17
+     [ssh2.h]
+     Define the KEX messages used when resuming a suspended connection.
+     ok markus@
+   - andreas@cvs.openbsd.org 2009/10/24 11:22:37
+     [roaming_common.c]
+     Do the actual suspend/resume in the client. This won't be useful until
+     the server side supports roaming.
+     Most code from Martin Forssen, maf at appgate dot com. Some changes by
+     me and markus@
+     ok markus@
+   - andreas@cvs.openbsd.org 2009/10/24 11:23:42
+     [ssh.c]
+     Request roaming to be enabled if UseRoaming is true and the server
+     supports it.
+     ok markus@
+   - reyk@cvs.openbsd.org 2009/10/28 16:38:18
+     [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
+     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
+     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
+     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
+     ok markus@
+   - jmc@cvs.openbsd.org 2009/10/28 21:45:08
+     [sshd_config.5 sftp.1]
+     tweak previous;
+   - djm@cvs.openbsd.org 2009/11/10 02:56:22
+     [ssh_config.5]
+     explain the constraints on LocalCommand some more so people don't
+     try to abuse it.
+   - djm@cvs.openbsd.org 2009/11/10 02:58:56
+     [sshd_config.5]
+     clarify that StrictModes does not apply to ChrootDirectory. Permissions
+     and ownership are always checked when chrooting. bz#1532
+   - dtucker@cvs.openbsd.org 2009/11/10 04:30:45
+     [sshconnect2.c channels.c sshconnect.c]
+     Set close-on-exec on various descriptors so they don't get leaked to
+     child processes.  bz #1643, patch from jchadima at redhat, ok deraadt.
+   - markus@cvs.openbsd.org 2009/11/11 21:37:03
+     [channels.c channels.h]
+     fix race condition in x11/agent channel allocation: don't read after
+     the end of the select read/write fdset and make sure a reused FD
+     is not touched before the pre-handlers are called.
+     with and ok djm@
+   - djm@cvs.openbsd.org 2009/11/17 05:31:44
+     [clientloop.c]
+     fix incorrect exit status when multiplexing and channel ID 0 is recycled
+     bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
+   - djm@cvs.openbsd.org 2009/11/19 23:39:50
+     [session.c]
+     bz#1606: error when an attempt is made to connect to a server
+     with ForceCommand=internal-sftp with a shell session (i.e. not a
+     subsystem session). Avoids stuck client when attempting to ssh to such a
+     service. ok dtucker@
+   - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
+     [session.c]
+     Warn but do not fail if stat()ing the subsystem binary fails.  This helps
+     with chrootdirectory+forcecommand=sftp-server and restricted shells.
+     bz #1599, ok djm.
+   - djm@cvs.openbsd.org 2009/11/20 00:54:01
+     [sftp.c]
+     bz#1588 change "Connecting to host..." message to "Connected to host."
+     and delay it until after the sftp protocol connection has been established.
+     Avoids confusing sequence of messages when the underlying ssh connection
+     experiences problems. ok dtucker@
+   - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
+     [sshconnect2.c]
+     Use the HostKeyAlias when prompting for passwords.  bz#1039, ok djm@
+   - djm@cvs.openbsd.org 2009/11/20 03:24:07
+     [misc.c]
+     correct off-by-one in percent_expand(): we would fatal() when trying
+     to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
+     work.  Note that nothing in OpenSSH actually uses close to this limit at
+     present.  bz#1607 from Jan.Pechanec AT Sun.COM
+   - halex@cvs.openbsd.org 2009/11/22 13:18:00
+     [sftp.c]
+     make passing of zero-length arguments to ssh safe by
+     passing "-<switch>" "<value>" rather than "-<switch><value>"
+     ok dtucker@, guenther@, djm@
+   - dtucker@cvs.openbsd.org 2009/12/06 23:41:15
+     [sshconnect2.c]
+     zap unused variable and strlen; from Steve McClellan, ok djm
+   - djm@cvs.openbsd.org 2009/12/06 23:53:45
+     [roaming_common.c]
+     use socklen_t for getsockopt optlen parameter; reported by
+     Steve.McClellan AT radisys.com, ok dtucker@
+   - dtucker@cvs.openbsd.org 2009/12/06 23:53:54
+     [sftp.c]
+     fix potential divide-by-zero in sftp's "df" output when talking to a server
+     that reports zero files on the filesystem (Unix filesystems always have at
+     least the root inode).  From Steve McClellan at radisys, ok djm@
+   - markus@cvs.openbsd.org 2009/12/11 18:16:33
+     [key.c]
+     switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537
+     for the RSA public exponent; discussed with provos; ok djm@
+   - guenther@cvs.openbsd.org 2009/12/20 07:28:36
+     [ssh.c sftp.c scp.c]
+     When passing user-controlled options with arguments to other programs,
+     pass the option and option argument as separate argv entries and
+     not smashed into one (e.g., as -l foo and not -lfoo).  Also, always
+     pass a "--" argument to stop option parsing, so that a positional
+     argument that starts with a '-' isn't treated as an option.  This
+     fixes some error cases as well as the handling of hostnames and
+     filenames that start with a '-'.
+     Based on a diff by halex@
+     ok halex@ djm@ deraadt@
+   - djm@cvs.openbsd.org 2009/12/20 23:20:40
+     [PROTOCOL]
+     fix an incorrect magic number and typo in PROTOCOL; bz#1688
+     report and fix from ueno AT unixuser.org
+   - stevesk@cvs.openbsd.org 2009/12/25 19:40:21
+     [readconf.c servconf.c misc.h ssh-keyscan.c misc.c]
+     validate routing domain is in range 0-RT_TABLEID_MAX.
+     'Looks right' deraadt@
+   - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
+     [sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
+     Rename RDomain config option to RoutingDomain to be more clear and
+     consistent with other options.
+     NOTE: if you currently use RDomain in the ssh client or server config,
+     or ssh/sshd -o, you must update to use RoutingDomain.
+     ok markus@ djm@
+   - jmc@cvs.openbsd.org 2009/12/29 18:03:32
+     [sshd_config.5 ssh_config.5]
+     sort previous;
+   - dtucker@cvs.openbsd.org 2010/01/04 01:45:30
+     [sshconnect2.c]
+     Don't escape backslashes in the SSH2 banner.  bz#1533, patch from
+     Michal Gorny via Gentoo.
+   - djm@cvs.openbsd.org 2010/01/04 02:03:57
+     [sftp.c]
+     Implement tab-completion of commands, local and remote filenames for sftp.
+     Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009
+     Google Summer of Code) and polished to a fine sheen by myself again.
+     It should deal more-or-less correctly with the ikky corner-cases presented
+     by quoted filenames, but the UI could still be slightly improved.
+     In particular, it is quite slow for remote completion on large directories.
+     bz#200; ok markus@
+   - djm@cvs.openbsd.org 2010/01/04 02:25:15
+     [sftp-server.c]
+     bz#1566 don't unnecessarily dup() in and out fds for sftp-server;
+     ok markus@
+   - dtucker@cvs.openbsd.org 2010/01/08 21:50:49
+     [sftp.c]
+     Fix two warnings: possibly used unitialized and use a nul byte instead of
+     NULL pointer.  ok djm@
+ - (dtucker) [Makefile.in added roaming_client.c roaming_serv.c] Import new
+   files for roaming and add to Makefile.
+ - (dtucker) [Makefile.in] .c files do not belong in the OBJ lines.
+ - (dtucker) [sftp.c] ifdef out the sftp completion bits for platforms that
+   don't have libedit.
+ - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] Make
+   RoutingDomain an unsupported option on platforms that don't have it.
+ - (dtucker) [sftp.c] Expand ifdef for libedit to cover complete_is_remote
+   too.
+ - (dtucker) [misc.c] Move the routingdomain ifdef to allow the socket to
+   be created.
+ - (dtucker] [misc.c] Shrink the area covered by USE_ROUTINGDOMAIN more
+   to eliminate an unused variable warning.
+ - (dtucker) [roaming_serv.c] Include includes.h for u_intXX_t types.
+
+20091226
+ - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
+   Gzip all man pages. Patch from Corinna Vinschen.
+
+20091221
+ - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
+   Bug #1583: Use system's kerberos principal name on AIX if it's available.
+   Based on a patch from and tested by Miguel Sanders 
+
+20091208
+ - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
+   based on a patch from Vaclav Ovsik and Colin Watson.  ok djm.
+
+20091207
+ - (dtucker) Bug #1160: use pkg-config for opensc config if it's available.
+   Tested by Martin Paljak.
+ - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass.
+
+20091121
+ - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.
+   Bug 1628. OK dtucker@
+
+20091120
+ - (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
+   line arguments as none are supported. Exit when passed unrecognised
+   commandline flags. bz#1568 from gson AT araneus.fi
+
+20091118
+ - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
+   set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify
+   setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
+   bz#1648, report and fix from jan.kratochvil AT redhat.com
+ - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.
+   bz#1645, patch from jchadima AT redhat.com
+
+20091107
+ - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private
+    keys when built with OpenSSL versions that don't do AES.
+
+20091105
+ - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with
+   older versions of OpenSSL.
+
+20091024
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2009/10/11 23:03:15
+     [hostfile.c]
+     mention the host name that we are looking for in check_host_in_hostfile()
+   - sobrado@cvs.openbsd.org 2009/10/17 12:10:39
+     [sftp-server.c]
+     sort flags.
+   - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
+     [ssh.1 ssh-agent.1 ssh-add.1]
+     use the UNIX-related macros (.At and .Ux) where appropriate.
+     ok jmc@
+   - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
+     [ssh-agent.1 ssh-add.1 ssh.1]
+     write UNIX-domain in a more consistent way; while here, replace a
+     few remaining ".Tn UNIX" macros with ".Ux" ones.
+     pointed out by ratchov@, thanks!
+     ok jmc@
+   - djm@cvs.openbsd.org 2009/10/22 22:26:13
+     [authfile.c]
+     switch from 3DES to AES-128 for encryption of passphrase-protected
+     SSH protocol 2 private keys; ok several
+   - djm@cvs.openbsd.org 2009/10/23 01:57:11
+     [sshconnect2.c]
+     disallow a hostile server from checking jpake auth by sending an
+     out-of-sequence success message. (doesn't affect code enabled by default)
+   - dtucker@cvs.openbsd.org 2009/10/24 00:48:34
+     [ssh-keygen.1]
+     ssh-keygen now uses AES-128 for private keys
+ - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
+ - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
+   is enabled set the security context to "sftpd_t" before running the
+   internal sftp server   Based on a patch from jchadima at redhat.
+
+20091011
+ - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
+   dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
+   lstat.
+ - (dtucker) OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2009/10/08 14:03:41
+     [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
+     disable protocol 1 by default (after a transition period of about 10 years)
+     ok deraadt
+   - jmc@cvs.openbsd.org 2009/10/08 20:42:12
+     [sshd_config.5 ssh_config.5 sshd.8 ssh.1]
+     some tweaks now that protocol 1 is not offered by default; ok markus
+   - dtucker@cvs.openbsd.org 2009/10/11 10:41:26
+     [sftp-client.c]
+     d_type isn't portable so use lstat to get dirent modes.  Suggested by and
+     "looks sane" deraadt@
+   - markus@cvs.openbsd.org 2009/10/08 18:04:27
+     [regress/test-exec.sh]
+     re-enable protocol v1 for the tests.
+
+20091007
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2009/08/12 00:13:00
+     [sftp.c sftp.1]
+     support most of scp(1)'s commandline arguments in sftp(1), as a first
+     step towards making sftp(1) a drop-in replacement for scp(1).
+     One conflicting option (-P) has not been changed, pending further
+     discussion.
+     Patch from carlosvsilvapt@gmail.com as part of his work in the
+     Google Summer of Code
+  - jmc@cvs.openbsd.org 2009/08/12 06:31:42
+     [sftp.1]
+     sort options;
+   - djm@cvs.openbsd.org 2009/08/13 01:11:19
+     [sftp.1 sftp.c]
+     Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
+     add "-P port" to match scp(1). Fortunately, the -P option is only really
+     used by our regression scripts.
+     part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
+     of Code work; ok deraadt markus
+   - jmc@cvs.openbsd.org 2009/08/13 13:39:54
+     [sftp.1 sftp.c]
+     sync synopsis and usage();
+   - djm@cvs.openbsd.org 2009/08/14 18:17:49
+     [sftp-client.c]
+     make the "get_handle: ..." error messages vaguely useful by allowing
+     callers to specify their own error message strings.
+   - fgsch@cvs.openbsd.org 2009/08/15 18:56:34
+     [auth.h]
+     remove unused define. markus@ ok.
+     (Id sync only, Portable still uses this.)
+   - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
+     [sshd_config.5]
+     Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
+   - djm@cvs.openbsd.org 2009/08/18 18:36:21
+     [sftp-client.h sftp.1 sftp-client.c sftp.c]
+     recursive transfer support for get/put and on the commandline
+     work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
+     with some tweaks by me; "go for it" deraadt@
+  - djm@cvs.openbsd.org 2009/08/18 21:15:59
+     [sftp.1]
+     fix "get" command usage, spotted by jmc@
+   - jmc@cvs.openbsd.org 2009/08/19 04:56:03
+     [sftp.1]
+     ether -> either;
+   - dtucker@cvs.openbsd.org 2009/08/20 23:54:28
+     [mux.c]
+     subsystem_flag is defined in ssh.c so it's extern; ok djm
+   - djm@cvs.openbsd.org 2009/08/27 17:28:52
+     [sftp-server.c]
+     allow setting an explicit umask on the commandline to override whatever
+     default the user has. bz#1229; ok dtucker@ deraadt@ markus@
+   - djm@cvs.openbsd.org 2009/08/27 17:33:49
+     [ssh-keygen.c]
+     force use of correct hash function for random-art signature display
+     as it was inheriting the wrong one when bubblebabble signatures were
+     activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
+     ok markus@
+   - djm@cvs.openbsd.org 2009/08/27 17:43:00
+     [sftp-server.8]
+     allow setting an explicit umask on the commandline to override whatever
+     default the user has. bz#1229; ok dtucker@ deraadt@ markus@
+   - djm@cvs.openbsd.org 2009/08/27 17:44:52
+     [authfd.c ssh-add.c authfd.h]
+     Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
+     when the agent refuses the constrained add request. This was a useful
+     migration measure back in 2002 when constraints were new, but just
+     adds risk now.
+     bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
+   - djm@cvs.openbsd.org 2009/08/31 20:56:02
+     [sftp-server.c]
+     check correct variable for error message, spotted by martynas@
+   - djm@cvs.openbsd.org 2009/08/31 21:01:29
+     [sftp-server.8]
+     document -e and -h; prodded by jmc@
+   - djm@cvs.openbsd.org 2009/09/01 14:43:17
+     [ssh-agent.c]
+     fix a race condition in ssh-agent that could result in a wedged or
+     spinning agent: don't read off the end of the allocated fd_sets, and
+     don't issue blocking read/write on agent sockets - just fall back to
+     select() on retriable read/write errors. bz#1633 reported and tested
+     by "noodle10000 AT googlemail.com"; ok dtucker@ markus@
+   - grunk@cvs.openbsd.org 2009/10/01 11:37:33
+     [dh.c]
+     fix a cast
+     ok djm@ markus@
+   - djm@cvs.openbsd.org 2009/10/06 04:46:40
+     [session.c]
+     bz#1596: fflush(NULL) before exec() to ensure that everying (motd
+     in particular) has made it out before the streams go away.
+   - djm@cvs.openbsd.org 2008/12/07 22:17:48
+     [regress/addrmatch.sh]
+     match string "passwordauthentication" only at start of line, not anywhere
+     in sshd -T output
+   - dtucker@cvs.openbsd.org 2009/05/05 07:51:36
+     [regress/multiplex.sh]
+     Always specify ssh_config for multiplex tests: prevents breakage caused
+     by options in ~/.ssh/config.  From Dan Peterson.
+   - djm@cvs.openbsd.org 2009/08/13 00:57:17
+     [regress/Makefile]
+     regression test for port number parsing. written as part of the a2port
+     change that went into 5.2 but I forgot to commit it at the time...
+   - djm@cvs.openbsd.org 2009/08/13 01:11:55
+     [regress/sftp-batch.sh regress/sftp-badcmds.sh regress/sftp.sh
+     regress/sftp-cmds.sh regres/sftp-glob.sh]
+     date: 2009/08/13 01:11:19;  author: djm;  state: Exp;  lines: +10 -7
+     Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
+     add "-P port" to match scp(1). Fortunately, the -P option is only really
+     used by our regression scripts.
+     part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
+     of Code work; ok deraadt markus
+   - djm@cvs.openbsd.org 2009/08/20 18:43:07
+     [regress/ssh-com-sftp.sh]
+     fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos
+     Silva for Google Summer of Code
+   - dtucker@cvs.openbsd.org 2009/10/06 23:51:49
+     [regress/ssh2putty.sh]
+     Add OpenBSD tag to make syncs easier
+ - (dtucker) [regress/portnum.sh] Import new test.
+ - (dtucker) [configure.ac sftp-client.c] DTOTIF is in fs/ffs/dir.h on at
+   least dragonflybsd.
+ - (dtucker) d_type is not mandated by POSIX, so add fallback code using
+    stat(), needed on at least cygwin.
+
+20091002
+ - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps.
+   spotted by des AT des.no
+
 20090926
  - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
          [contrib/suse/openssh.spec] Update for release