author Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
committer Colin Watson <cjwatson@debian.org> 2010-03-31 10:46:28 +0100
commit efd3d4522636ae029488c2e9730b60c88e257d2e
tree 31e02ac3f16090ce8c53448677356b2b7f423683 /ChangeLog
parent bbec4db36d464ea1d464a707625125f9fd5c7b5e
parent d1a87e462e1db89f19cd960588d0c6b287cb5ccc
* New upstream release (LP: #535029).
  - After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 979
1 files changed, 979 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index b2df66023..d6e4a4a25 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,982 @@
120100307
2 - (djm) OpenBSD CVS Sync
3 - djm@cvs.openbsd.org 2010/03/07 22:16:01
4 [ssh-keygen.c]
5 make internal strptime string match strftime format;
6 suggested by vinschen AT redhat.com and markus@
7 - djm@cvs.openbsd.org 2010/03/08 00:28:55
8 [ssh-keygen.1]
9 document permit-agent-forwarding certificate constraint; patch from
10 stevesk@
11 - djm@cvs.openbsd.org 2010/03/07 22:01:32
12 [version.h]
13 openssh-5.4
14 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
15 crank version numbers
16 - (djm) Release OpenSSH-5.4p1
17
1820100307
19 - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
20 it gets the passwd struct from the LAM that knows about the user which is
21 not necessarily the default. Patch from Alexandre Letourneau.
22 - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
23 do not set real uid, since that's needed for the chroot, and will be set
24 by permanently_set_uid.
25 - (dtucker) [session.c] Also initialize creds to NULL for handing to
26 setpcred.
27 - (dtucker) OpenBSD CVS Sync
28 - dtucker@cvs.openbsd.org 2010/03/07 11:57:13
29 [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
30 Hold authentication debug messages until after successful authentication.
31 Fixes an info leak of environment variables specified in authorized_keys,
32 reported by Jacob Appelbaum. ok djm@
33
3420100305
35 - OpenBSD CVS Sync
36 - jmc@cvs.openbsd.org 2010/03/04 12:51:25
37 [ssh.1 sshd_config.5]
38 tweak previous;
39 - djm@cvs.openbsd.org 2010/03/04 20:35:08
40 [ssh-keygen.1 ssh-keygen.c]
41 Add a -L flag to print the contents of a certificate; ok markus@
42 - jmc@cvs.openbsd.org 2010/03/04 22:52:40
43 [ssh-keygen.1]
44 fix Bk/Ek;
45 - djm@cvs.openbsd.org 2010/03/04 23:17:25
46 [sshd_config.5]
47 missing word; spotted by jmc@
48 - djm@cvs.openbsd.org 2010/03/04 23:19:29
49 [ssh.1 sshd.8]
50 move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
51 format section and rework it a bit; requested by jmc@
52 - djm@cvs.openbsd.org 2010/03/04 23:27:25
53 [auth-options.c ssh-keygen.c]
54 "force-command" is not spelled "forced-command"; spotted by
55 imorgan AT nas.nasa.gov
56 - djm@cvs.openbsd.org 2010/03/05 02:58:11
57 [auth.c]
58 make the warning for a revoked key louder and more noticable
59 - jmc@cvs.openbsd.org 2010/03/05 06:50:35
60 [ssh.1 sshd.8]
61 tweak previous;
62 - jmc@cvs.openbsd.org 2010/03/05 08:31:20
63 [ssh.1]
64 document certificate authentication; help/ok djm
65 - djm@cvs.openbsd.org 2010/03/05 10:28:21
66 [ssh-add.1 ssh.1 ssh_config.5]
67 mention loading of certificate files from [private]-cert.pub when
68 they are present; feedback and ok jmc@
69 - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
70 compilers. OK djm@
71 - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure
72 on some platforms
73 - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@
74
7520100304
76 - (djm) [ssh-keygen.c] Use correct local variable, instead of
77 maybe-undefined global "optarg"
78 - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
79 on XFree86-devel with neutral /usr/include/X11/Xlib.h;
80 imorgan AT nas.nasa.gov in bz#1731
81 - (djm) [.cvsignore] Ignore ssh-pkcs11-helper
82 - (djm) [regress/Makefile] Cleanup sshd_proxy_orig
83 - OpenBSD CVS Sync
84 - djm@cvs.openbsd.org 2010/03/03 01:44:36
85 [auth-options.c key.c]
86 reject strings with embedded ASCII nul chars in certificate key IDs,
87 principal names and constraints
88 - djm@cvs.openbsd.org 2010/03/03 22:49:50
89 [sshd.8]
90 the authorized_keys option for CA keys is "cert-authority", not
91 "from=cert-authority". spotted by imorgan AT nas.nasa.gov
92 - djm@cvs.openbsd.org 2010/03/03 22:50:40
93 [PROTOCOL.certkeys]
94 s/similar same/similar/; from imorgan AT nas.nasa.gov
95 - djm@cvs.openbsd.org 2010/03/04 01:44:57
96 [key.c]
97 use buffer_get_string_ptr_ret() where we are checking the return
98 value explicitly instead of the fatal()-causing buffer_get_string_ptr()
99 - djm@cvs.openbsd.org 2010/03/04 10:36:03
100 [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
101 [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
102 [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
103 Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
104 are trusted to authenticate users (in addition than doing it per-user
105 in authorized_keys).
106
107 Add a RevokedKeys option to sshd_config and a @revoked marker to
108 known_hosts to allow keys to me revoked and banned for user or host
109 authentication.
110
111 feedback and ok markus@
112 - djm@cvs.openbsd.org 2010/03/03 00:47:23
113 [regress/cert-hostkey.sh regress/cert-userkey.sh]
114 add an extra test to ensure that authentication with the wrong
115 certificate fails as it should (and it does)
116 - djm@cvs.openbsd.org 2010/03/04 10:38:23
117 [regress/cert-hostkey.sh regress/cert-userkey.sh]
118 additional regression tests for revoked keys and TrustedUserCAKeys
119
12020100303
121 - (djm) [PROTOCOL.certkeys] Add RCS Ident
122 - OpenBSD CVS Sync
123 - jmc@cvs.openbsd.org 2010/02/26 22:09:28
124 [ssh-keygen.1 ssh.1 sshd.8]
125 tweak previous;
126 - otto@cvs.openbsd.org 2010/03/01 11:07:06
127 [ssh-add.c]
128 zap what seems to be a left-over debug message; ok markus@
129 - djm@cvs.openbsd.org 2010/03/02 23:20:57
130 [ssh-keygen.c]
131 POSIX strptime is stricter than OpenBSD's so do a little dance to
132 appease it.
133 - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too
134
13520100302
136 - (tim) [config.guess config.sub] Bug 1722: Update to latest versions from
137 http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22
138 respectively).
139
14020100301
141 - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace
142 "echo -n" with "echon" for portability.
143 - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM
144 adjust log at verbose only, since according to cjwatson in bug #1470
145 some virtualization platforms don't allow writes.
146
14720100228
148 - (djm) [auth.c] On Cygwin, refuse usernames that have differences in
149 case from that matched in the system password database. On this
150 platform, passwords are stored case-insensitively, but sshd requires
151 exact case matching for Match blocks in sshd_config(5). Based on
152 a patch from vinschen AT redhat.com.
153 - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions
154 to make older compilers (gcc 2.95) happy.
155
15620100227
157 - (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded
158 - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment
159 variables copied into sshd child processes. From vinschen AT redhat.com
160
16120100226
162 - OpenBSD CVS Sync
163 - djm@cvs.openbsd.org 2010/02/26 20:29:54
164 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
165 [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
166 [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
167 [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
168 [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
169 [sshconnect2.c sshd.8 sshd.c sshd_config.5]
170 Add support for certificate key types for users and hosts.
171
172 OpenSSH certificate key types are not X.509 certificates, but a much
173 simpler format that encodes a public key, identity information and
174 some validity constraints and signs it with a CA key. CA keys are
175 regular SSH keys. This certificate style avoids the attack surface
176 of X.509 certificates and is very easy to deploy.
177
178 Certified host keys allow automatic acceptance of new host keys
179 when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
180 see VERIFYING HOST KEYS in ssh(1) for details.
181
182 Certified user keys allow authentication of users when the signing
183 CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
184 FILE FORMAT" in sshd(8) for details.
185
186 Certificates are minted using ssh-keygen(1), documentation is in
187 the "CERTIFICATES" section of that manpage.
188
189 Documentation on the format of certificates is in the file
190 PROTOCOL.certkeys
191
192 feedback and ok markus@
193 - djm@cvs.openbsd.org 2010/02/26 20:33:21
194 [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
195 regression tests for certified keys
196
19720100224
198 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
199 [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
200 - (djm) OpenBSD CVS Sync
201 - djm@cvs.openbsd.org 2010/02/11 20:37:47
202 [pathnames.h]
203 correct comment
204 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04
205 [regress/Makefile]
206 add regression test for ssh-keygen pubkey conversions
207 - dtucker@cvs.openbsd.org 2010/01/11 02:53:44
208 [regress/forwarding.sh]
209 regress test for stdio forwarding
210 - djm@cvs.openbsd.org 2010/02/09 04:57:36
211 [regress/addrmatch.sh]
212 clean up droppings
213 - djm@cvs.openbsd.org 2010/02/09 06:29:02
214 [regress/Makefile]
215 turn on all the malloc(3) checking options when running regression
216 tests. this has caught a few bugs for me in the past; ok dtucker@
217 - djm@cvs.openbsd.org 2010/02/24 06:21:56
218 [regress/test-exec.sh]
219 wait for sshd to fully stop in cleanup() function; avoids races in tests
220 that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
221 - markus@cvs.openbsd.org 2010/02/08 10:52:47
222 [regress/agent-pkcs11.sh]
223 test for PKCS#11 support (currently disabled)
224 - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper
225 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
226 [contrib/suse/openssh.spec] Add PKCS#11 helper binary and manpage
227
22820100212
229 - (djm) OpenBSD CVS Sync
230 - djm@cvs.openbsd.org 2010/02/02 22:49:34
231 [bufaux.c]
232 make buffer_get_string_ret() really non-fatal in all cases (it was
233 using buffer_get_int(), which could fatal() on buffer empty);
234 ok markus dtucker
235 - markus@cvs.openbsd.org 2010/02/08 10:50:20
236 [pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
237 [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
238 replace our obsolete smartcard code with PKCS#11.
239 ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
240 ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
241 provider (shared library) while ssh-agent(1) delegates PKCS#11 to
242 a forked a ssh-pkcs11-helper process.
243 PKCS#11 is currently a compile time option.
244 feedback and ok djm@; inspired by patches from Alon Bar-Lev
245 - jmc@cvs.openbsd.org 2010/02/08 22:03:05
246 [ssh-add.1 ssh-keygen.1 ssh.1 ssh.c]
247 tweak previous; ok markus
248 - djm@cvs.openbsd.org 2010/02/09 00:50:36
249 [ssh-agent.c]
250 fallout from PKCS#11: unbreak -D
251 - djm@cvs.openbsd.org 2010/02/09 00:50:59
252 [ssh-keygen.c]
253 fix -Wall
254 - djm@cvs.openbsd.org 2010/02/09 03:56:28
255 [buffer.c buffer.h]
256 constify the arguments to buffer_len, buffer_ptr and buffer_dump
257 - djm@cvs.openbsd.org 2010/02/09 06:18:46
258 [auth.c]
259 unbreak ChrootDirectory+internal-sftp by skipping check for executable
260 shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
261 - markus@cvs.openbsd.org 2010/02/10 23:20:38
262 [ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
263 pkcs#11 is no longer optional; improve wording; ok jmc@
264 - jmc@cvs.openbsd.org 2010/02/11 13:23:29
265 [ssh.1]
266 libarary -> library;
267 - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
268 [scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java]
269 Remove obsolete smartcard support
270 - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
271 Make it compile on OSX
272 - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
273 Use ssh_get_progname to fill __progname
274 - (djm) [configure.ac] Enable PKCS#11 support only when we find a working
275 dlopen()
276
27720100210
278 - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for
279 getseuserbyname; patch from calebcase AT gmail.com via
280 cjwatson AT debian.org
281
28220100202
283 - (djm) OpenBSD CVS Sync
284 - djm@cvs.openbsd.org 2010/01/30 21:08:33
285 [sshd.8]
286 debug output goes to stderr, not "the system log"; ok markus dtucker
287 - djm@cvs.openbsd.org 2010/01/30 21:12:08
288 [channels.c]
289 fake local addr:port when stdio fowarding as some servers (Tectia at
290 least) validate that they are well-formed;
291 reported by imorgan AT nas.nasa.gov
292 ok dtucker
293
29420100130
295 - (djm) OpenBSD CVS Sync
296 - djm@cvs.openbsd.org 2010/01/28 00:21:18
297 [clientloop.c]
298 downgrade an error() to a debug() - this particular case can be hit in
299 normal operation for certain sequences of mux slave vs session closure
300 and is harmless
301 - djm@cvs.openbsd.org 2010/01/29 00:20:41
302 [sshd.c]
303 set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com
304 ok dtucker@
305 - djm@cvs.openbsd.org 2010/01/29 20:16:17
306 [mux.c]
307 kill correct channel (was killing already-dead mux channel, not
308 its session channel)
309 - djm@cvs.openbsd.org 2010/01/30 02:54:53
310 [mux.c]
311 don't mark channel as read failed if it is already closing; suppresses
312 harmless error messages when connecting to SSH.COM Tectia server
313 report by imorgan AT nas.nasa.gov
314
31520100129
316 - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()
317 after registering the hardware engines, which causes the openssl.cnf file to
318 be processed. See OpenSSL's man page for OPENSSL_config(3) for details.
319 Patch from Solomon Peachy, ok djm@.
320
32120100128
322 - (djm) OpenBSD CVS Sync
323 - djm@cvs.openbsd.org 2010/01/26 02:15:20
324 [mux.c]
325 -Wuninitialized and remove a // comment; from portable
326 (Id sync only)
327 - djm@cvs.openbsd.org 2010/01/27 13:26:17
328 [mux.c]
329 fix bug introduced in mux rewrite:
330
331 In a mux master, when a socket to a mux slave closes before its server
332 session (as may occur when the slave has been signalled), gracefully
333 close the server session rather than deleting its channel immediately.
334 A server may have more messages on that channel to send (e.g. an exit
335 message) that will fatal() the client if they are sent to a channel that
336 has been prematurely deleted.
337
338 spotted by imorgan AT nas.nasa.gov
339 - djm@cvs.openbsd.org 2010/01/27 19:21:39
340 [sftp.c]
341 add missing "p" flag to getopt optstring;
342 bz#1704 from imorgan AT nas.nasa.gov
343
34420100126
345 - (djm) OpenBSD CVS Sync
346 - tedu@cvs.openbsd.org 2010/01/17 21:49:09
347 [ssh-agent.1]
348 Correct and clarify ssh-add's password asking behavior.
349 Improved text dtucker and ok jmc
350 - dtucker@cvs.openbsd.org 2010/01/18 01:50:27
351 [roaming_client.c]
352 s/long long unsigned/unsigned long long/, from tim via portable
353 (Id sync only, change already in portable)
354 - djm@cvs.openbsd.org 2010/01/26 01:28:35
355 [channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c]
356 rewrite ssh(1) multiplexing code to a more sensible protocol.
357
358 The new multiplexing code uses channels for the listener and
359 accepted control sockets to make the mux master non-blocking, so
360 no stalls when processing messages from a slave.
361
362 avoid use of fatal() in mux master protocol parsing so an errant slave
363 process cannot take down a running master.
364
365 implement requesting of port-forwards over multiplexed sessions. Any
366 port forwards requested by the slave are added to those the master has
367 established.
368
369 add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
370
371 document master/slave mux protocol so that other tools can use it to
372 control a running ssh(1). Note: there are no guarantees that this
373 protocol won't be incompatibly changed (though it is versioned).
374
375 feedback Salvador Fandino, dtucker@
376 channel changes ok markus@
377
37820100122
379 - (tim) [configure.ac] Due to constraints in Windows Sockets in terms of
380 socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size
381 in Cygwin to 65535. Patch from Corinna Vinschen.
382
38320100117
384 - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too.
385 - (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions
386 snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf().
387
38820100116
389 - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h
390 so we correctly detect whether or not we have a native user_from_uid.
391 - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid
392 and group_from_gid.
393 - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by
394 Tim.
395 - (dtucker) OpenBSD CVS Sync
396 - markus@cvs.openbsd.org 2010/01/15 09:24:23
397 [sftp-common.c]
398 unused
399 - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused
400 variable warnings.
401 - (dtucker) [openbsd-compat/openbsd-compat.h] Typo.
402 - (tim) [regress/portnum.sh] Shell portability fix.
403 - (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native
404 getaddrinfo() is too old and limited for addr_pton() in addrmatch.c.
405 - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we
406 use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/
407 to keep USL compilers happy.
408
40920100115
410 - (dtucker) OpenBSD CVS Sync
411 - jmc@cvs.openbsd.org 2010/01/13 12:48:34
412 [sftp.1 sftp.c]
413 sftp.1: put ls -h in the right place
414 sftp.c: as above, plus add -p to get/put, and shorten their arg names
415 to keep the help usage nicely aligned
416 ok djm
417 - djm@cvs.openbsd.org 2010/01/13 23:47:26
418 [auth.c]
419 when using ChrootDirectory, make sure we test for the existence of the
420 user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
421 ok dtucker
422 - dtucker@cvs.openbsd.org 2010/01/14 23:41:49
423 [sftp-common.c]
424 use user_from{uid,gid} to lookup up ids since it keeps a small cache.
425 ok djm
426 - guenther@cvs.openbsd.org 2010/01/15 00:05:22
427 [sftp.c]
428 Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp
429 inherited SIGTERM as ignored it will still be able to kill the ssh it
430 starts.
431 ok dtucker@
432 - (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no
433 changes yet but there will be some to come).
434 - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c} Portability
435 for pwcache. Also, added caching of negative hits.
436
43720100114
438 - (djm) [platform.h] Add missing prototype for
439 platform_krb5_get_principal_name
440
44120100113
442 - (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs.
443 - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18:
444 missing restore of SIGTTOU and some whitespace.
445 - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21.
446 - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22.
447 Fixes bz #1590, where sometimes you could not interrupt a connection while
448 ssh was prompting for a passphrase or password.
449 - (dtucker) OpenBSD CVS Sync
450 - dtucker@cvs.openbsd.org 2010/01/13 00:19:04
451 [sshconnect.c auth.c]
452 Fix a couple of typos/mispellings in comments
453 - dtucker@cvs.openbsd.org 2010/01/13 01:10:56
454 [key.c]
455 Ignore and log any Protocol 1 keys where the claimed size is not equal to
456 the actual size. Noted by Derek Martin, ok djm@
457 - dtucker@cvs.openbsd.org 2010/01/13 01:20:20
458 [canohost.c ssh-keysign.c sshconnect2.c]
459 Make HostBased authentication work with a ProxyCommand. bz #1569, patch
460 from imorgan at nas nasa gov, ok djm@
461 - djm@cvs.openbsd.org 2010/01/13 01:40:16
462 [sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h]
463 support '-h' (human-readable units) for sftp's ls command, just like
464 ls(1); ok dtucker@
465 - djm@cvs.openbsd.org 2010/01/13 03:48:13
466 [servconf.c servconf.h sshd.c]
467 avoid run-time failures when specifying hostkeys via a relative
468 path by prepending the cwd in these cases; bz#1290; ok dtucker@
469 - djm@cvs.openbsd.org 2010/01/13 04:10:50
470 [sftp.c]
471 don't append a space after inserting a completion of a directory (i.e.
472 a path ending in '/') for a slightly better user experience; ok dtucker@
473 - (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef.
474 - (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG.
475 feedback and ok dtucker@
476
47720100112
478 - (dtucker) OpenBSD CVS Sync
479 - dtucker@cvs.openbsd.org 2010/01/11 01:39:46
480 [ssh_config channels.c ssh.1 channels.h ssh.c]
481 Add a 'netcat mode' (ssh -W). This connects stdio on the client to a
482 single port forward on the server. This allows, for example, using ssh as
483 a ProxyCommand to route connections via intermediate servers.
484 bz #1618, man page help from jmc@, ok markus@
485 - dtucker@cvs.openbsd.org 2010/01/11 04:46:45
486 [authfile.c sshconnect2.c]
487 Do not prompt for a passphrase if we fail to open a keyfile, and log the
488 reason the open failed to debug.
489 bz #1693, found by tj AT castaglia org, ok djm@
490 - djm@cvs.openbsd.org 2010/01/11 10:51:07
491 [ssh-keygen.c]
492 when converting keys, truncate key comments at 72 chars as per RFC4716;
493 bz#1630 reported by tj AT castaglia.org; ok markus@
494 - dtucker@cvs.openbsd.org 2010/01/12 00:16:47
495 [authfile.c]
496 Fix bug introduced in r1.78 (incorrect brace location) that broke key auth.
497 Patch from joachim joachimschipper nl.
498 - djm@cvs.openbsd.org 2010/01/12 00:58:25
499 [monitor_fdpass.c]
500 avoid spinning when fd passing on nonblocking sockets by calling poll()
501 in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@
502 - djm@cvs.openbsd.org 2010/01/12 00:59:29
503 [roaming_common.c]
504 delete with extreme prejudice a debug() that fired with every keypress;
505 ok dtucker deraadt
506 - dtucker@cvs.openbsd.org 2010/01/12 01:31:05
507 [session.c]
508 Do not allow logins if /etc/nologin exists but is not readable by the user
509 logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
510 - djm@cvs.openbsd.org 2010/01/12 01:36:08
511 [buffer.h bufaux.c]
512 add a buffer_get_string_ptr_ret() that does the same as
513 buffer_get_string_ptr() but does not fatal() on error; ok dtucker@
514 - dtucker@cvs.openbsd.org 2010/01/12 08:33:17
515 [session.c]
516 Add explicit stat so we reliably detect nologin with bad perms.
517 ok djm markus
518
51920100110
520 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
521 Remove hacks add for RoutingDomain in preparation for its removal.
522 - (dtucker) OpenBSD CVS Sync
523 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
524 [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
525 ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
526 readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
527 Remove RoutingDomain from ssh since it's now not needed. It can be
528 replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
529 also ensures that trafic such as DNS lookups stays withing the specified
530 routingdomain. For example (from reyk):
531 # route -T 2 exec /usr/sbin/sshd
532 or inherited from the parent process
533 $ route -T 2 exec sh
534 $ ssh 10.1.2.3
535 ok deraadt@ markus@ stevesk@ reyk@
536 - dtucker@cvs.openbsd.org 2010/01/10 03:51:17
537 [servconf.c]
538 Add ChrootDirectory to sshd.c test-mode output
539 - dtucker@cvs.openbsd.org 2010/01/10 07:15:56
540 [auth.c]
541 Output a debug if we can't open an existing keyfile. bz#1694, ok djm@
542
54320100109
544 - (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't
545 have it.
546 - (dtucker) [defines.h] define PRIu64 for platforms that don't have it.
547 - (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef.
548 - (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name
549 when using utmpx. Patch from Ed Schouten.
550 - (dtucker) OpenBSD CVS Sync
551 - djm@cvs.openbsd.org 2010/01/09 00:20:26
552 [sftp-server.c sftp-server.8]
553 add a 'read-only' mode to sftp-server(8) that disables open in write mode
554 and all other fs-modifying protocol methods. bz#430 ok dtucker@
555 - djm@cvs.openbsd.org 2010/01/09 00:57:10
556 [PROTOCOL]
557 tweak language
558 - jmc@cvs.openbsd.org 2010/01/09 03:36:00
559 [sftp-server.8]
560 bad place to forget a comma...
561 - djm@cvs.openbsd.org 2010/01/09 05:04:24
562 [mux.c sshpty.h clientloop.c sshtty.c]
563 quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
564 usually don't actually have a tty to read/set; bz#1686 ok dtucker@
565 - dtucker@cvs.openbsd.org 2010/01/09 05:17:00
566 [roaming_client.c]
567 Remove a PRIu64 format string that snuck in with roaming. ok djm@
568 - dtucker@cvs.openbsd.org 2010/01/09 11:13:02
569 [sftp.c]
570 Prevent sftp from derefing a null pointer when given a "-" without a
571 command. Also, allow whitespace to follow a "-". bz#1691, path from
572 Colin Watson via Debian. ok djm@ deraadt@
573 - dtucker@cvs.openbsd.org 2010/01/09 11:17:56
574 [sshd.c]
575 Afer sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs
576 itself. Prevents two HUPs in quick succession from resulting in sshd
577 dying. bz#1692, patch from Colin Watson via Ubuntu.
578 - (dtucker) [defines.h] Remove now-undeeded PRIu64 define.
579
58020100108
581 - (dtucker) OpenBSD CVS Sync
582 - andreas@cvs.openbsd.org 2009/10/24 11:11:58
583 [roaming.h]
584 Declarations needed for upcoming changes.
585 ok markus@
586 - andreas@cvs.openbsd.org 2009/10/24 11:13:54
587 [sshconnect2.c kex.h kex.c]
588 Let the client detect if the server supports roaming by looking
589 for the resume@appgate.com kex algorithm.
590 ok markus@
591 - andreas@cvs.openbsd.org 2009/10/24 11:15:29
592 [clientloop.c]
593 client_loop() must detect if the session has been suspended and resumed,
594 and take appropriate action in that case.
595 From Martin Forssen, maf at appgate dot com
596 - andreas@cvs.openbsd.org 2009/10/24 11:19:17
597 [ssh2.h]
598 Define the KEX messages used when resuming a suspended connection.
599 ok markus@
600 - andreas@cvs.openbsd.org 2009/10/24 11:22:37
601 [roaming_common.c]
602 Do the actual suspend/resume in the client. This won't be useful until
603 the server side supports roaming.
604 Most code from Martin Forssen, maf at appgate dot com. Some changes by
605 me and markus@
606 ok markus@
607 - andreas@cvs.openbsd.org 2009/10/24 11:23:42
608 [ssh.c]
609 Request roaming to be enabled if UseRoaming is true and the server
610 supports it.
611 ok markus@
612 - reyk@cvs.openbsd.org 2009/10/28 16:38:18
613 [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
614 channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
615 sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
616 Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
617 ok markus@
618 - jmc@cvs.openbsd.org 2009/10/28 21:45:08
619 [sshd_config.5 sftp.1]
620 tweak previous;
621 - djm@cvs.openbsd.org 2009/11/10 02:56:22
622 [ssh_config.5]
623 explain the constraints on LocalCommand some more so people don't
624 try to abuse it.
625 - djm@cvs.openbsd.org 2009/11/10 02:58:56
626 [sshd_config.5]
627 clarify that StrictModes does not apply to ChrootDirectory. Permissions
628 and ownership are always checked when chrooting. bz#1532
629 - dtucker@cvs.openbsd.org 2009/11/10 04:30:45
630 [sshconnect2.c channels.c sshconnect.c]
631 Set close-on-exec on various descriptors so they don't get leaked to
632 child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
633 - markus@cvs.openbsd.org 2009/11/11 21:37:03
634 [channels.c channels.h]
635 fix race condition in x11/agent channel allocation: don't read after
636 the end of the select read/write fdset and make sure a reused FD
637 is not touched before the pre-handlers are called.
638 with and ok djm@
639 - djm@cvs.openbsd.org 2009/11/17 05:31:44
640 [clientloop.c]
641 fix incorrect exit status when multiplexing and channel ID 0 is recycled
642 bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
643 - djm@cvs.openbsd.org 2009/11/19 23:39:50
644 [session.c]
645 bz#1606: error when an attempt is made to connect to a server
646 with ForceCommand=internal-sftp with a shell session (i.e. not a
647 subsystem session). Avoids stuck client when attempting to ssh to such a
648 service. ok dtucker@
649 - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
650 [session.c]
651 Warn but do not fail if stat()ing the subsystem binary fails. This helps
652 with chrootdirectory+forcecommand=sftp-server and restricted shells.
653 bz #1599, ok djm.
654 - djm@cvs.openbsd.org 2009/11/20 00:54:01
655 [sftp.c]
656 bz#1588 change "Connecting to host..." message to "Connected to host."
657 and delay it until after the sftp protocol connection has been established.
658 Avoids confusing sequence of messages when the underlying ssh connection
659 experiences problems. ok dtucker@
660 - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
661 [sshconnect2.c]
662 Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
663 - djm@cvs.openbsd.org 2009/11/20 03:24:07
664 [misc.c]
665 correct off-by-one in percent_expand(): we would fatal() when trying
666 to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
667 work. Note that nothing in OpenSSH actually uses close to this limit at
668 present. bz#1607 from Jan.Pechanec AT Sun.COM
669 - halex@cvs.openbsd.org 2009/11/22 13:18:00
670 [sftp.c]
671 make passing of zero-length arguments to ssh safe by
672 passing "-<switch>" "<value>" rather than "-<switch><value>"
673 ok dtucker@, guenther@, djm@
674 - dtucker@cvs.openbsd.org 2009/12/06 23:41:15
675 [sshconnect2.c]
676 zap unused variable and strlen; from Steve McClellan, ok djm
677 - djm@cvs.openbsd.org 2009/12/06 23:53:45
678 [roaming_common.c]
679 use socklen_t for getsockopt optlen parameter; reported by
680 Steve.McClellan AT radisys.com, ok dtucker@
681 - dtucker@cvs.openbsd.org 2009/12/06 23:53:54
682 [sftp.c]
683 fix potential divide-by-zero in sftp's "df" output when talking to a server
684 that reports zero files on the filesystem (Unix filesystems always have at
685 least the root inode). From Steve McClellan at radisys, ok djm@
686 - markus@cvs.openbsd.org 2009/12/11 18:16:33
687 [key.c]
688 switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537
689 for the RSA public exponent; discussed with provos; ok djm@
690 - guenther@cvs.openbsd.org 2009/12/20 07:28:36
691 [ssh.c sftp.c scp.c]
692 When passing user-controlled options with arguments to other programs,
693 pass the option and option argument as separate argv entries and
694 not smashed into one (e.g., as -l foo and not -lfoo). Also, always
695 pass a "--" argument to stop option parsing, so that a positional
696 argument that starts with a '-' isn't treated as an option. This
697 fixes some error cases as well as the handling of hostnames and
698 filenames that start with a '-'.
699 Based on a diff by halex@
700 ok halex@ djm@ deraadt@
701 - djm@cvs.openbsd.org 2009/12/20 23:20:40
702 [PROTOCOL]
703 fix an incorrect magic number and typo in PROTOCOL; bz#1688
704 report and fix from ueno AT unixuser.org
705 - stevesk@cvs.openbsd.org 2009/12/25 19:40:21
706 [readconf.c servconf.c misc.h ssh-keyscan.c misc.c]
707 validate routing domain is in range 0-RT_TABLEID_MAX.
708 'Looks right' deraadt@
709 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
710 [sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
711 Rename RDomain config option to RoutingDomain to be more clear and
712 consistent with other options.
713 NOTE: if you currently use RDomain in the ssh client or server config,
714 or ssh/sshd -o, you must update to use RoutingDomain.
715 ok markus@ djm@
716 - jmc@cvs.openbsd.org 2009/12/29 18:03:32
717 [sshd_config.5 ssh_config.5]
718 sort previous;
719 - dtucker@cvs.openbsd.org 2010/01/04 01:45:30
720 [sshconnect2.c]
721 Don't escape backslashes in the SSH2 banner. bz#1533, patch from
722 Michal Gorny via Gentoo.
723 - djm@cvs.openbsd.org 2010/01/04 02:03:57
724 [sftp.c]
725 Implement tab-completion of commands, local and remote filenames for sftp.
726 Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009
727 Google Summer of Code) and polished to a fine sheen by myself again.
728 It should deal more-or-less correctly with the ikky corner-cases presented
729 by quoted filenames, but the UI could still be slightly improved.
730 In particular, it is quite slow for remote completion on large directories.
731 bz#200; ok markus@
732 - djm@cvs.openbsd.org 2010/01/04 02:25:15
733 [sftp-server.c]
734 bz#1566 don't unnecessarily dup() in and out fds for sftp-server;
735 ok markus@
736 - dtucker@cvs.openbsd.org 2010/01/08 21:50:49
737 [sftp.c]
738 Fix two warnings: possibly used unitialized and use a nul byte instead of
739 NULL pointer. ok djm@
740 - (dtucker) [Makefile.in added roaming_client.c roaming_serv.c] Import new
741 files for roaming and add to Makefile.
742 - (dtucker) [Makefile.in] .c files do not belong in the OBJ lines.
743 - (dtucker) [sftp.c] ifdef out the sftp completion bits for platforms that
744 don't have libedit.
745 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] Make
746 RoutingDomain an unsupported option on platforms that don't have it.
747 - (dtucker) [sftp.c] Expand ifdef for libedit to cover complete_is_remote
748 too.
749 - (dtucker) [misc.c] Move the routingdomain ifdef to allow the socket to
750 be created.
751 - (dtucker] [misc.c] Shrink the area covered by USE_ROUTINGDOMAIN more
752 to eliminate an unused variable warning.
753 - (dtucker) [roaming_serv.c] Include includes.h for u_intXX_t types.
754
75520091226
756 - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
757 Gzip all man pages. Patch from Corinna Vinschen.
758
75920091221
760 - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
761 Bug #1583: Use system's kerberos principal name on AIX if it's available.
762 Based on a patch from and tested by Miguel Sanders
763
76420091208
765 - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
766 based on a patch from Vaclav Ovsik and Colin Watson. ok djm.
767
76820091207
769 - (dtucker) Bug #1160: use pkg-config for opensc config if it's available.
770 Tested by Martin Paljak.
771 - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass.
772
77320091121
774 - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.
775 Bug 1628. OK dtucker@
776
77720091120
778 - (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
779 line arguments as none are supported. Exit when passed unrecognised
780 commandline flags. bz#1568 from gson AT araneus.fi
781
78220091118
783 - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
784 set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify
785 setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
786 bz#1648, report and fix from jan.kratochvil AT redhat.com
787 - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.
788 bz#1645, patch from jchadima AT redhat.com
789
79020091107
791 - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private
792 keys when built with OpenSSL versions that don't do AES.
793
79420091105
795 - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with
796 older versions of OpenSSL.
797
79820091024
799 - (dtucker) OpenBSD CVS Sync
800 - djm@cvs.openbsd.org 2009/10/11 23:03:15
801 [hostfile.c]
802 mention the host name that we are looking for in check_host_in_hostfile()
803 - sobrado@cvs.openbsd.org 2009/10/17 12:10:39
804 [sftp-server.c]
805 sort flags.
806 - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
807 [ssh.1 ssh-agent.1 ssh-add.1]
808 use the UNIX-related macros (.At and .Ux) where appropriate.
809 ok jmc@
810 - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
811 [ssh-agent.1 ssh-add.1 ssh.1]
812 write UNIX-domain in a more consistent way; while here, replace a
813 few remaining ".Tn UNIX" macros with ".Ux" ones.
814 pointed out by ratchov@, thanks!
815 ok jmc@
816 - djm@cvs.openbsd.org 2009/10/22 22:26:13
817 [authfile.c]
818 switch from 3DES to AES-128 for encryption of passphrase-protected
819 SSH protocol 2 private keys; ok several
820 - djm@cvs.openbsd.org 2009/10/23 01:57:11
821 [sshconnect2.c]
822 disallow a hostile server from checking jpake auth by sending an
823 out-of-sequence success message. (doesn't affect code enabled by default)
824 - dtucker@cvs.openbsd.org 2009/10/24 00:48:34
825 [ssh-keygen.1]
826 ssh-keygen now uses AES-128 for private keys
827 - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
828 - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
829 is enabled set the security context to "sftpd_t" before running the
830 internal sftp server Based on a patch from jchadima at redhat.
831
83220091011
833 - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
834 dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
835 lstat.
836 - (dtucker) OpenBSD CVS Sync
837 - markus@cvs.openbsd.org 2009/10/08 14:03:41
838 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
839 disable protocol 1 by default (after a transition period of about 10 years)
840 ok deraadt
841 - jmc@cvs.openbsd.org 2009/10/08 20:42:12
842 [sshd_config.5 ssh_config.5 sshd.8 ssh.1]
843 some tweaks now that protocol 1 is not offered by default; ok markus
844 - dtucker@cvs.openbsd.org 2009/10/11 10:41:26
845 [sftp-client.c]
846 d_type isn't portable so use lstat to get dirent modes. Suggested by and
847 "looks sane" deraadt@
848 - markus@cvs.openbsd.org 2009/10/08 18:04:27
849 [regress/test-exec.sh]
850 re-enable protocol v1 for the tests.
851
85220091007
853 - (dtucker) OpenBSD CVS Sync
854 - djm@cvs.openbsd.org 2009/08/12 00:13:00
855 [sftp.c sftp.1]
856 support most of scp(1)'s commandline arguments in sftp(1), as a first
857 step towards making sftp(1) a drop-in replacement for scp(1).
858 One conflicting option (-P) has not been changed, pending further
859 discussion.
860 Patch from carlosvsilvapt@gmail.com as part of his work in the
861 Google Summer of Code
862 - jmc@cvs.openbsd.org 2009/08/12 06:31:42
863 [sftp.1]
864 sort options;
865 - djm@cvs.openbsd.org 2009/08/13 01:11:19
866 [sftp.1 sftp.c]
867 Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
868 add "-P port" to match scp(1). Fortunately, the -P option is only really
869 used by our regression scripts.
870 part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
871 of Code work; ok deraadt markus
872 - jmc@cvs.openbsd.org 2009/08/13 13:39:54
873 [sftp.1 sftp.c]
874 sync synopsis and usage();
875 - djm@cvs.openbsd.org 2009/08/14 18:17:49
876 [sftp-client.c]
877 make the "get_handle: ..." error messages vaguely useful by allowing
878 callers to specify their own error message strings.
879 - fgsch@cvs.openbsd.org 2009/08/15 18:56:34
880 [auth.h]
881 remove unused define. markus@ ok.
882 (Id sync only, Portable still uses this.)
883 - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
884 [sshd_config.5]
885 Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
886 - djm@cvs.openbsd.org 2009/08/18 18:36:21
887 [sftp-client.h sftp.1 sftp-client.c sftp.c]
888 recursive transfer support for get/put and on the commandline
889 work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
890 with some tweaks by me; "go for it" deraadt@
891 - djm@cvs.openbsd.org 2009/08/18 21:15:59
892 [sftp.1]
893 fix "get" command usage, spotted by jmc@
894 - jmc@cvs.openbsd.org 2009/08/19 04:56:03
895 [sftp.1]
896 ether -> either;
897 - dtucker@cvs.openbsd.org 2009/08/20 23:54:28
898 [mux.c]
899 subsystem_flag is defined in ssh.c so it's extern; ok djm
900 - djm@cvs.openbsd.org 2009/08/27 17:28:52
901 [sftp-server.c]
902 allow setting an explicit umask on the commandline to override whatever
903 default the user has. bz#1229; ok dtucker@ deraadt@ markus@
904 - djm@cvs.openbsd.org 2009/08/27 17:33:49
905 [ssh-keygen.c]
906 force use of correct hash function for random-art signature display
907 as it was inheriting the wrong one when bubblebabble signatures were
908 activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
909 ok markus@
910 - djm@cvs.openbsd.org 2009/08/27 17:43:00
911 [sftp-server.8]
912 allow setting an explicit umask on the commandline to override whatever
913 default the user has. bz#1229; ok dtucker@ deraadt@ markus@
914 - djm@cvs.openbsd.org 2009/08/27 17:44:52
915 [authfd.c ssh-add.c authfd.h]
916 Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
917 when the agent refuses the constrained add request. This was a useful
918 migration measure back in 2002 when constraints were new, but just
919 adds risk now.
920 bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
921 - djm@cvs.openbsd.org 2009/08/31 20:56:02
922 [sftp-server.c]
923 check correct variable for error message, spotted by martynas@
924 - djm@cvs.openbsd.org 2009/08/31 21:01:29
925 [sftp-server.8]
926 document -e and -h; prodded by jmc@
927 - djm@cvs.openbsd.org 2009/09/01 14:43:17
928 [ssh-agent.c]
929 fix a race condition in ssh-agent that could result in a wedged or
930 spinning agent: don't read off the end of the allocated fd_sets, and
931 don't issue blocking read/write on agent sockets - just fall back to
932 select() on retriable read/write errors. bz#1633 reported and tested
933 by "noodle10000 AT googlemail.com"; ok dtucker@ markus@
934 - grunk@cvs.openbsd.org 2009/10/01 11:37:33
935 [dh.c]
936 fix a cast
937 ok djm@ markus@
938 - djm@cvs.openbsd.org 2009/10/06 04:46:40
939 [session.c]
940 bz#1596: fflush(NULL) before exec() to ensure that everying (motd
941 in particular) has made it out before the streams go away.
942 - djm@cvs.openbsd.org 2008/12/07 22:17:48
943 [regress/addrmatch.sh]
944 match string "passwordauthentication" only at start of line, not anywhere
945 in sshd -T output
946 - dtucker@cvs.openbsd.org 2009/05/05 07:51:36
947 [regress/multiplex.sh]
948 Always specify ssh_config for multiplex tests: prevents breakage caused
949 by options in ~/.ssh/config. From Dan Peterson.
950 - djm@cvs.openbsd.org 2009/08/13 00:57:17
951 [regress/Makefile]
952 regression test for port number parsing. written as part of the a2port
953 change that went into 5.2 but I forgot to commit it at the time...
954 - djm@cvs.openbsd.org 2009/08/13 01:11:55
955 [regress/sftp-batch.sh regress/sftp-badcmds.sh regress/sftp.sh
956 regress/sftp-cmds.sh regres/sftp-glob.sh]
957 date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7
958 Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
959 add "-P port" to match scp(1). Fortunately, the -P option is only really
960 used by our regression scripts.
961 part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
962 of Code work; ok deraadt markus
963 - djm@cvs.openbsd.org 2009/08/20 18:43:07
964 [regress/ssh-com-sftp.sh]
965 fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos
966 Silva for Google Summer of Code
967 - dtucker@cvs.openbsd.org 2009/10/06 23:51:49
968 [regress/ssh2putty.sh]
969 Add OpenBSD tag to make syncs easier
970 - (dtucker) [regress/portnum.sh] Import new test.
971 - (dtucker) [configure.ac sftp-client.c] DTOTIF is in fs/ffs/dir.h on at
972 least dragonflybsd.
973 - (dtucker) d_type is not mandated by POSIX, so add fallback code using
974 stat(), needed on at least cygwin.
975
97620091002
977 - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps.
978 spotted by des AT des.no
979
120090926 98020090926
2 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] 981 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
3 [contrib/suse/openssh.spec] Update for release 982 [contrib/suse/openssh.spec] Update for release
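Review bot: two entries in this imported block change behaviour that callers can depend on and should be named explicitly in the package's own changelog entry for this release, next to the protocol 1 default recorded at new lines 837-840. Lines 865-871 swap sftp's -P from the sftp-server path to the port, with the path moving to -D. The entry says -P was mostly used by the regression scripts, but any wrapper that passes "-P path" will now have it parsed as a port. Lines 914-920 stop ssh-add from falling back to an unconstrained add when the agent refuses "ssh-add -c / -t", so callers that silently relied on the fallback will now see a failure, which is the safer outcome but still a visible change. Separately, the text carries residue that is better reported upstream than patched locally, so that future merges stay clean: a raw CVS log line ("date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7") at line 957, the mismatched bracket "(dtucker]" at line 751, the path "regres/sftp-glob.sh" at line 956, and the misspellings "GatwayPorts" (784), "unitialized" (738), "everying" (940) and "contraints" (916).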