author Colin Watson <cjwatson@debian.org> 2013-05-07 11:47:26 +0100
committer Colin Watson <cjwatson@debian.org> 2013-05-07 11:47:26 +0100
commit 2ea3f720daeb1ca9f765365fce3a9546961fe624
tree c4fb7d1f51fa51e7677232de806aae150e29e2ac /ChangeLog
parent f5efcd3450bbf8261915e0c4a6f851229dddaa79
parent ecebda56da46a03dafff923d91c382f31faa9eec
* New upstream release (http://www.openssh.com/txt/release-6.2).
  - Add support for multiple required authentication in SSH protocol 2 via an AuthenticationMethods option (closes: #195716).
  - Fix Sophie Germain formula in moduli(5) (closes: #698612).
  - Update ssh-copy-id to Phil Hands' greatly revised version (closes: #99785, #322228, #620428; LP: #518883, #835901, #1074798).
Diffstat (limited to 'ChangeLog')
-rw-r--r-- ChangeLog 671
1 files changed, 671 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index f8e600847..dbd8b0aa9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,673 @@
120120322
2 - (djm) [contrib/ssh-copy-id contrib/ssh-copy-id.1] Updated to Phil
3 Hands' greatly revised version.
4 - (djm) Release 6.2p1
5
620120318
7 - (djm) [configure.ac log.c scp.c sshconnect2.c openbsd-compat/vis.c]
8 [openbsd-compat/vis.h] FreeBSD's strnvis isn't compatible with OpenBSD's
9 so mark it as broken. Patch from des AT des.no
10
1120120317
12 - (tim) [configure.ac] OpenServer 5 wants lastlog even though it has none
13 of the bits the configure test looks for.
14
1520120316
16 - (djm) [configure.ac] Disable utmp, wtmp and/or lastlog if the platform
17 is unable to successfully compile them. Based on patch from des AT
18 des.no
19 - (djm) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
20 Add a usleep replacement for platforms that lack it; ok dtucker
21 - (djm) [session.c] FreeBSD needs setusercontext(..., LOGIN_SETUMASK) to
22 occur after UID switch; patch from John Marshall via des AT des.no;
23 ok dtucker@
24
2520120312
26 - (dtucker) [regress/Makefile regress/cipher-speed.sh regress/test-exec.sh]
27 Improve portability of cipher-speed test, based mostly on a patch from
28 Iain Morgan.
29 - (dtucker) [auth.c configure.ac platform.c platform.h] Accept uid 2 ("bin")
30 in addition to root as an owner of system directories on AIX and HP-UX.
31 ok djm@
32
3320130307
34 - (dtucker) [INSTALL] Bump documented autoconf version to what we're
35 currently using.
36 - (dtucker) [defines.h] Remove SIZEOF_CHAR bits since the test for it
37 was removed in configure.ac rev 1.481 as it was redundant.
38 - (tim) [Makefile.in] Add another missing $(EXEEXT) I should have seen 3 days
39 ago.
40 - (djm) [configure.ac] Add a timeout to the select/rlimit test to give it a
41 chance to complete on broken systems; ok dtucker@
42
4320130306
44 - (dtucker) [regress/forward-control.sh] Wait longer for the forwarding
45 connection to start so that the test works on slower machines.
46 - (dtucker) [configure.ac] test that we can set number of file descriptors
47 to zero with setrlimit before enabling the rlimit sandbox. This affects
48 (at least) HPUX 11.11.
49
5020130305
51 - (djm) [regress/modpipe.c] Compilation fix for AIX and parsing fix for
52 HP/UX. Spotted by Kevin Brott
53 - (dtucker) [configure.ac] use "=" for shell test and not "==". Spotted by
54 Amit Kulkarni and Kevin Brott.
55 - (dtucker) [Makefile.in] Remove trailing "\" on PATHS, which caused obscure
56 build breakage on (at least) HP-UX 11.11. Found by Amit Kulkarni and Kevin
57 Brott.
58 - (tim) [Makefile.in] Add missing $(EXEEXT). Found by Roumen Petrov.
59
6020130227
61 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
62 [contrib/suse/openssh.spec] Crank version numbers
63 - (tim) [regress/forward-control.sh] use sh in case login shell is csh.
64 - (tim) [regress/integrity.sh] shell portability fix.
65 - (tim) [regress/integrity.sh] keep old solaris awk from hanging.
66 - (tim) [regress/krl.sh] keep old solaris awk from hanging.
67
6820130226
69 - OpenBSD CVS Sync
70 - djm@cvs.openbsd.org 2013/02/20 08:27:50
71 [integrity.sh]
72 Add an option to modpipe that warns if the modification offset it not
73 reached in it's stream and turn it on for t-integrity. This should catch
74 cases where the session is not fuzzed for being too short (cf. my last
75 "oops" commit)
76 - (djm) [regress/integrity.sh] Run sshd via $SUDO; fixes tinderbox breakage
77 for UsePAM=yes configuration
78
7920130225
80 - (dtucker) [configure.ac ssh-gss.h] bz#2073: additional #includes needed
81 to use Solaris native GSS libs. Patch from Pierre Ossman.
82
8320130223
84 - (djm) [configure.ac includes.h loginrec.c mux.c sftp.c] Prefer
85 bsd/libutil.h to libutil.h to avoid deprecation warnings on Ubuntu.
86 ok tim
87
8820130222
89 - (dtucker) [Makefile.in configure.ac] bz#2072: don't link krb5 libs to
90 ssh(1) since they're not needed. Patch from Pierre Ossman, ok djm.
91 - (dtucker) [configure.ac] bz#2073: look for Solaris' differently-named
92 libgss too. Patch from Pierre Ossman, ok djm.
93 - (djm) [configure.ac sandbox-seccomp-filter.c] Support for Linux
94 seccomp-bpf sandbox on ARM. Patch from shawnlandden AT gmail.com;
95 ok dtucker
96
9720130221
98 - (tim) [regress/forward-control.sh] shell portability fix.
99
10020130220
101 - (tim) [regress/cipher-speed.sh regress/try-ciphers.sh] shell portability fix.
102 - (tim) [krl.c Makefile.in regress/Makefile regress/modpipe.c] remove unneeded
103 err.h include from krl.c. Additional portability fixes for modpipe. OK djm
104 - OpenBSD CVS Sync
105 - djm@cvs.openbsd.org 2013/02/20 08:27:50
106 [regress/integrity.sh regress/modpipe.c]
107 Add an option to modpipe that warns if the modification offset it not
108 reached in it's stream and turn it on for t-integrity. This should catch
109 cases where the session is not fuzzed for being too short (cf. my last
110 "oops" commit)
111 - djm@cvs.openbsd.org 2013/02/20 08:29:27
112 [regress/modpipe.c]
113 s/Id/OpenBSD/ in RCS tag
114
11520130219
116 - OpenBSD CVS Sync
117 - djm@cvs.openbsd.org 2013/02/18 22:26:47
118 [integrity.sh]
119 crank the offset yet again; it was still fuzzing KEX one of Darren's
120 portable test hosts at 2800
121 - djm@cvs.openbsd.org 2013/02/19 02:14:09
122 [integrity.sh]
123 oops, forgot to increase the output of the ssh command to ensure that
124 we actually reach $offset
125 - (djm) [regress/integrity.sh] Skip SHA2-based MACs on configurations that
126 lack support for SHA2.
127 - (djm) [regress/modpipe.c] Add local err, and errx functions for platforms
128 that do not have them.
129
13020130217
131 - OpenBSD CVS Sync
132 - djm@cvs.openbsd.org 2013/02/17 23:16:55
133 [integrity.sh]
134 make the ssh command generates some output to ensure that there are at
135 least offset+tries bytes in the stream.
136
13720130216
138 - OpenBSD CVS Sync
139 - djm@cvs.openbsd.org 2013/02/16 06:08:45
140 [integrity.sh]
141 make sure the fuzz offset is actually past the end of KEX for all KEX
142 types. diffie-hellman-group-exchange-sha256 requires an offset around
143 2700. Noticed via test failures in portable OpenSSH on platforms that
144 lack ECC and this the more byte-frugal ECDH KEX algorithms.
145
14620130215
147 - (djm) [contrib/suse/rc.sshd] Use SSHD_BIN consistently; bz#2056 from
148 Iain Morgan
149 - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
150 Use getpgrp() if we don't have getpgid() (old BSDs, maybe others).
151 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoull.c
152 openbsd-compat/openbsd-compat.h] Add strtoull to compat library for
153 platforms that don't have it.
154 - (dtucker) [openbsd-compat/openbsd-compat.h] Add prototype for strtoul,
155 group strto* function prototypes together.
156 - (dtucker) [openbsd-compat/bsd-misc.c] Handle the case where setpgrp() takes
157 an argument. Pointed out by djm.
158 - (djm) OpenBSD CVS Sync
159 - djm@cvs.openbsd.org 2013/02/14 21:35:59
160 [auth2-pubkey.c]
161 Correct error message that had a typo and was logging the wrong thing;
162 patch from Petr Lautrbach
163 - dtucker@cvs.openbsd.org 2013/02/15 00:21:01
164 [sshconnect2.c]
165 Warn more loudly if an IdentityFile provided by the user cannot be read.
166 bz #1981, ok djm@
167
16820130214
169 - (djm) [regress/krl.sh] Don't use ecdsa keys in environment that lack ECC.
170 - (djm) [regress/krl.sh] typo; found by Iain Morgan
171 - (djm) [regress/integrity.sh] Start fuzzing from offset 2500 (instead
172 of 2300) to avoid clobbering the end of (non-MAC'd) KEX. Verified by
173 Iain Morgan
174
17520130212
176 - (djm) OpenBSD CVS Sync
177 - djm@cvs.openbsd.org 2013/01/24 21:45:37
178 [krl.c]
179 fix handling of (unused) KRL signatures; skip string in correct buffer
180 - djm@cvs.openbsd.org 2013/01/24 22:08:56
181 [krl.c]
182 skip serial lookup when cert's serial number is zero
183 - krw@cvs.openbsd.org 2013/01/25 05:00:27
184 [krl.c]
185 Revert last. Breaks due to likely typo. Let djm@ fix later.
186 ok djm@ via dlg@
187 - djm@cvs.openbsd.org 2013/01/25 10:22:19
188 [krl.c]
189 redo last commit without the vi-vomit that snuck in:
190 skip serial lookup when cert's serial number is zero
191 (now with 100% better comment)
192 - djm@cvs.openbsd.org 2013/01/26 06:11:05
193 [Makefile.in acss.c acss.h cipher-acss.c cipher.c]
194 [openbsd-compat/openssl-compat.h]
195 remove ACSS, now that it is gone from libcrypto too
196 - djm@cvs.openbsd.org 2013/01/27 10:06:12
197 [krl.c]
198 actually use the xrealloc() return value; spotted by xi.wang AT gmail.com
199 - dtucker@cvs.openbsd.org 2013/02/06 00:20:42
200 [servconf.c sshd_config sshd_config.5]
201 Change default of MaxStartups to 10:30:100 to start doing random early
202 drop at 10 connections up to 100 connections. This will make it harder
203 to DoS as CPUs have come a long way since the original value was set
204 back in 2000. Prompted by nion at debian org, ok markus@
205 - dtucker@cvs.openbsd.org 2013/02/06 00:22:21
206 [auth.c]
207 Fix comment, from jfree.e1 at gmail
208 - djm@cvs.openbsd.org 2013/02/08 00:41:12
209 [sftp.c]
210 fix NULL deref when built without libedit and control characters
211 entered as command; debugging and patch from Iain Morgan an
212 Loganaden Velvindron in bz#1956
213 - markus@cvs.openbsd.org 2013/02/10 21:19:34
214 [version.h]
215 openssh 6.2
216 - djm@cvs.openbsd.org 2013/02/10 23:32:10
217 [ssh-keygen.c]
218 append to moduli file when screening candidates rather than overwriting.
219 allows resumption of interrupted screen; patch from Christophe Garault
220 in bz#1957; ok dtucker@
221 - djm@cvs.openbsd.org 2013/02/10 23:35:24
222 [packet.c]
223 record "Received disconnect" messages at ERROR rather than INFO priority,
224 since they are abnormal and result in a non-zero ssh exit status; patch
225 from Iain Morgan in bz#2057; ok dtucker@
226 - dtucker@cvs.openbsd.org 2013/02/11 21:21:58
227 [sshd.c]
228 Add openssl version to debug output similar to the client. ok markus@
229 - djm@cvs.openbsd.org 2013/02/11 23:58:51
230 [regress/try-ciphers.sh]
231 remove acss here too
232 - (djm) [regress/try-ciphers.sh] clean up CVS merge botch
233
23420130211
235 - (djm) [configure.ac openbsd-compat/openssl-compat.h] Repair build on old
236 libcrypto that lacks EVP_CIPHER_CTX_ctrl
237
23820130208
239 - (djm) [contrib/redhat/sshd.init] treat RETVAL as an integer;
240 patch from Iain Morgan in bz#2059
241 - (dtucker) [configure.ac openbsd-compat/sys-tree.h] Test if compiler allows
242 __attribute__ on return values and work around if necessary. ok djm@
243
24420130207
245 - (djm) [configure.ac] Don't probe seccomp capability of running kernel
246 at configure time; the seccomp sandbox will fall back to rlimit at
247 runtime anyway. Patch from plautrba AT redhat.com in bz#2011
248
24920130120
250 - (djm) [cipher-aes.c cipher-ctr.c openbsd-compat/openssl-compat.h]
251 Move prototypes for replacement ciphers to openssl-compat.h; fix EVP
252 prototypes for openssl-1.0.0-fips.
253 - (djm) OpenBSD CVS Sync
254 - jmc@cvs.openbsd.org 2013/01/18 07:57:47
255 [ssh-keygen.1]
256 tweak previous;
257 - jmc@cvs.openbsd.org 2013/01/18 07:59:46
258 [ssh-keygen.c]
259 -u before -V in usage();
260 - jmc@cvs.openbsd.org 2013/01/18 08:00:49
261 [sshd_config.5]
262 tweak previous;
263 - jmc@cvs.openbsd.org 2013/01/18 08:39:04
264 [ssh-keygen.1]
265 add -Q to the options list; ok djm
266 - jmc@cvs.openbsd.org 2013/01/18 21:48:43
267 [ssh-keygen.1]
268 command-line (adj.) -> command line (n.);
269 - jmc@cvs.openbsd.org 2013/01/19 07:13:25
270 [ssh-keygen.1]
271 fix some formatting; ok djm
272 - markus@cvs.openbsd.org 2013/01/19 12:34:55
273 [krl.c]
274 RB_INSERT does not remove existing elments; ok djm@
275 - (djm) [openbsd-compat/sys-tree.h] Sync with OpenBSD. krl.c needs newer
276 version.
277 - (djm) [regress/krl.sh] replacement for jot; most platforms lack it
278
27920130118
280 - (djm) OpenBSD CVS Sync
281 - djm@cvs.openbsd.org 2013/01/17 23:00:01
282 [auth.c key.c key.h ssh-keygen.1 ssh-keygen.c sshd_config.5]
283 [krl.c krl.h PROTOCOL.krl]
284 add support for Key Revocation Lists (KRLs). These are a compact way to
285 represent lists of revoked keys and certificates, taking as little as
286 a single bit of incremental cost to revoke a certificate by serial number.
287 KRLs are loaded via the existing RevokedKeys sshd_config option.
288 feedback and ok markus@
289 - djm@cvs.openbsd.org 2013/01/18 00:45:29
290 [regress/Makefile regress/cert-userkey.sh regress/krl.sh]
291 Tests for Key Revocation Lists (KRLs)
292 - djm@cvs.openbsd.org 2013/01/18 03:00:32
293 [krl.c]
294 fix KRL generation bug for list sections
295
29620130117
297 - (djm) [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
298 check for GCM support before testing GCM ciphers.
299
30020130112
301 - (djm) OpenBSD CVS Sync
302 - djm@cvs.openbsd.org 2013/01/12 11:22:04
303 [cipher.c]
304 improve error message for integrity failure in AES-GCM modes; ok markus@
305 - djm@cvs.openbsd.org 2013/01/12 11:23:53
306 [regress/cipher-speed.sh regress/integrity.sh regress/try-ciphers.sh]
307 test AES-GCM modes; feedback markus@
308 - (djm) [regress/integrity.sh] repair botched merge
309
31020130109
311 - (djm) OpenBSD CVS Sync
312 - dtucker@cvs.openbsd.org 2012/12/14 05:26:43
313 [auth.c]
314 use correct string in error message; from rustybsd at gmx.fr
315 - djm@cvs.openbsd.org 2013/01/02 00:32:07
316 [clientloop.c mux.c]
317 channel_setup_local_fwd_listener() returns 0 on failure, not -ve
318 bz#2055 reported by mathieu.lacage AT gmail.com
319 - djm@cvs.openbsd.org 2013/01/02 00:33:49
320 [PROTOCOL.agent]
321 correct format description for SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
322 bz#2051 from david AT lechnology.com
323 - djm@cvs.openbsd.org 2013/01/03 05:49:36
324 [servconf.h]
325 add a couple of ServerOptions members that should be copied to the privsep
326 child (for consistency, in this case they happen only to be accessed in
327 the monitor); ok dtucker@
328 - djm@cvs.openbsd.org 2013/01/03 12:49:01
329 [PROTOCOL]
330 fix description of MAC calculation for EtM modes; ok markus@
331 - djm@cvs.openbsd.org 2013/01/03 12:54:49
332 [sftp-server.8 sftp-server.c]
333 allow specification of an alternate start directory for sftp-server(8)
334 "I like this" markus@
335 - djm@cvs.openbsd.org 2013/01/03 23:22:58
336 [ssh-keygen.c]
337 allow fingerprinting of keys hosted in PKCS#11 tokens: ssh-keygen -lD ...
338 ok markus@
339 - jmc@cvs.openbsd.org 2013/01/04 19:26:38
340 [sftp-server.8 sftp-server.c]
341 sftp-server.8: add argument name to -d
342 sftp-server.c: add -d to usage()
343 ok djm
344 - markus@cvs.openbsd.org 2013/01/08 18:49:04
345 [PROTOCOL authfile.c cipher.c cipher.h kex.c kex.h monitor_wrap.c]
346 [myproposal.h packet.c ssh_config.5 sshd_config.5]
347 support AES-GCM as defined in RFC 5647 (but with simpler KEX handling)
348 ok and feedback djm@
349 - djm@cvs.openbsd.org 2013/01/09 05:40:17
350 [ssh-keygen.c]
351 correctly initialise fingerprint type for fingerprinting PKCS#11 keys
352 - (djm) [cipher.c configure.ac openbsd-compat/openssl-compat.h]
353 Fix merge botch, automatically detect AES-GCM in OpenSSL, move a little
354 cipher compat code to openssl-compat.h
355
35620121217
357 - (dtucker) [Makefile.in] Add some scaffolding so that the new regress
358 tests will work with VPATH directories.
359
36020121213
361 - (djm) OpenBSD CVS Sync
362 - markus@cvs.openbsd.org 2012/12/12 16:45:52
363 [packet.c]
364 reset incoming_packet buffer for each new packet in EtM-case, too;
365 this happens if packets are parsed only parially (e.g. ignore
366 messages sent when su/sudo turn off echo); noted by sthen/millert
367 - naddy@cvs.openbsd.org 2012/12/12 16:46:10
368 [cipher.c]
369 use OpenSSL's EVP_aes_{128,192,256}_ctr() API and remove our hand-rolled
370 counter mode code; ok djm@
371 - (djm) [configure.ac cipher-ctr.c] Adapt EVP AES CTR change to retain our
372 compat code for older OpenSSL
373 - (djm) [cipher.c] Fix missing prototype for compat code
374
37520121212
376 - (djm) OpenBSD CVS Sync
377 - markus@cvs.openbsd.org 2012/12/11 22:16:21
378 [monitor.c]
379 drain the log messages after receiving the keystate from the unpriv
380 child. otherwise it might block while sending. ok djm@
381 - markus@cvs.openbsd.org 2012/12/11 22:31:18
382 [PROTOCOL authfile.c cipher.c cipher.h kex.h mac.c myproposal.h]
383 [packet.c ssh_config.5 sshd_config.5]
384 add encrypt-then-mac (EtM) modes to openssh by defining new mac algorithms
385 that change the packet format and compute the MAC over the encrypted
386 message (including the packet size) instead of the plaintext data;
387 these EtM modes are considered more secure and used by default.
388 feedback and ok djm@
389 - sthen@cvs.openbsd.org 2012/12/11 22:51:45
390 [mac.c]
391 fix typo, s/tem/etm in hmac-ripemd160-tem. ok markus@
392 - markus@cvs.openbsd.org 2012/12/11 22:32:56
393 [regress/try-ciphers.sh]
394 add etm modes
395 - markus@cvs.openbsd.org 2012/12/11 22:42:11
396 [regress/Makefile regress/modpipe.c regress/integrity.sh]
397 test the integrity of the packets; with djm@
398 - markus@cvs.openbsd.org 2012/12/11 23:12:13
399 [try-ciphers.sh]
400 add hmac-ripemd160-etm@openssh.com
401 - (djm) [mac.c] fix merge botch
402 - (djm) [regress/Makefile regress/integrity.sh] Make the integrity.sh test
403 work on platforms without 'jot'
404 - (djm) [regress/integrity.sh] Fix awk quoting, packet length skip
405 - (djm) [regress/Makefile] fix t-exec rule
406
40720121207
408 - (dtucker) OpenBSD CVS Sync
409 - dtucker@cvs.openbsd.org 2012/12/06 06:06:54
410 [regress/keys-command.sh]
411 Fix some problems with the keys-command test:
412 - use string comparison rather than numeric comparison
413 - check for existing KEY_COMMAND file and don't clobber if it exists
414 - clean up KEY_COMMAND file if we do create it.
415 - check that KEY_COMMAND is executable (which it won't be if eg /var/run
416 is mounted noexec).
417 ok djm.
418 - jmc@cvs.openbsd.org 2012/12/03 08:33:03
419 [ssh-add.1 sshd_config.5]
420 tweak previous;
421 - markus@cvs.openbsd.org 2012/12/05 15:42:52
422 [ssh-add.c]
423 prevent double-free of comment; ok djm@
424 - dtucker@cvs.openbsd.org 2012/12/07 01:51:35
425 [serverloop.c]
426 Cast signal to int for logging. A no-op on openbsd (they're always ints)
427 but will prevent warnings in portable. ok djm@
428
42920121205
430 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
431
43220121203
433 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD to get
434 TAILQ_FOREACH_SAFE needed for upcoming changes.
435 - (djm) OpenBSD CVS Sync
436 - djm@cvs.openbsd.org 2012/12/02 20:26:11
437 [ssh_config.5 sshconnect2.c]
438 Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
439 This allows control of which keys are offered from tokens using
440 IdentityFile. ok markus@
441 - djm@cvs.openbsd.org 2012/12/02 20:42:15
442 [ssh-add.1 ssh-add.c]
443 make deleting explicit keys "ssh-add -d" symmetric with adding keys -
444 try to delete the corresponding certificate too and respect the -k option
445 to allow deleting of the key only; feedback and ok markus@
446 - djm@cvs.openbsd.org 2012/12/02 20:46:11
447 [auth-options.c channels.c servconf.c servconf.h serverloop.c session.c]
448 [sshd_config.5]
449 make AllowTcpForwarding accept "local" and "remote" in addition to its
450 current "yes"/"no" to allow the server to specify whether just local or
451 remote TCP forwarding is enabled. ok markus@
452 - dtucker@cvs.openbsd.org 2012/10/05 02:20:48
453 [regress/cipher-speed.sh regress/try-ciphers.sh]
454 Add umac-128@openssh.com to the list of MACs to be tested
455 - djm@cvs.openbsd.org 2012/10/19 05:10:42
456 [regress/cert-userkey.sh]
457 include a serial number when generating certs
458 - djm@cvs.openbsd.org 2012/11/22 22:49:30
459 [regress/Makefile regress/keys-command.sh]
460 regress for AuthorizedKeysCommand; hints from markus@
461 - djm@cvs.openbsd.org 2012/12/02 20:47:48
462 [Makefile regress/forward-control.sh]
463 regress for AllowTcpForwarding local/remote; ok markus@
464 - djm@cvs.openbsd.org 2012/12/03 00:14:06
465 [auth2-chall.c ssh-keygen.c]
466 Fix compilation with -Wall -Werror (trivial type fixes)
467 - (djm) [configure.ac] Turn on -g for gcc compilers. Helps pre-installation
468 debugging. ok dtucker@
469 - (djm) [configure.ac] Revert previous. configure.ac already does this
470 for us.
471
47220121114
473 - (djm) OpenBSD CVS Sync
474 - djm@cvs.openbsd.org 2012/11/14 02:24:27
475 [auth2-pubkey.c]
476 fix username passed to helper program
477 prepare stdio fds before closefrom()
478 spotted by landry@
479 - djm@cvs.openbsd.org 2012/11/14 02:32:15
480 [ssh-keygen.c]
481 allow the full range of unsigned serial numbers; 'fine' deraadt@
482 - djm@cvs.openbsd.org 2012/12/02 20:34:10
483 [auth.c auth.h auth1.c auth2-chall.c auth2-gss.c auth2-jpake.c auth2.c]
484 [monitor.c monitor.h]
485 Fixes logging of partial authentication when privsep is enabled
486 Previously, we recorded "Failed xxx" since we reset authenticated before
487 calling auth_log() in auth2.c. This adds an explcit "Partial" state.
488
489 Add a "submethod" to auth_log() to report which submethod is used
490 for keyboard-interactive.
491
492 Fix multiple authentication when one of the methods is
493 keyboard-interactive.
494
495 ok markus@
496 - dtucker@cvs.openbsd.org 2012/10/05 02:05:30
497 [regress/multiplex.sh]
498 Use 'kill -0' to test for the presence of a pid since it's more portable
499
50020121107
501 - (djm) OpenBSD CVS Sync
502 - eric@cvs.openbsd.org 2011/11/28 08:46:27
503 [moduli.5]
504 fix formula
505 ok djm@
506 - jmc@cvs.openbsd.org 2012/09/26 17:34:38
507 [moduli.5]
508 last stage of rfc changes, using consistent Rs/Re blocks, and moving the
509 references into a STANDARDS section;
510
51120121105
512 - (dtucker) [uidswap.c openbsd-compat/Makefile.in
513 openbsd-compat/bsd-setres_id.c openbsd-compat/bsd-setres_id.h
514 openbsd-compat/openbsd-compat.h] Move the fallback code for setting uids
515 and gids from uidswap.c to the compat library, which allows it to work with
516 the new setresuid calls in auth2-pubkey. with tim@, ok djm@
517 - (dtucker) [auth2-pubkey.c] wrap paths.h in an ifdef for platforms that
518 don't have it. Spotted by tim@.
519
52020121104
521 - (djm) OpenBSD CVS Sync
522 - jmc@cvs.openbsd.org 2012/10/31 08:04:50
523 [sshd_config.5]
524 tweak previous;
525 - djm@cvs.openbsd.org 2012/11/04 10:38:43
526 [auth2-pubkey.c sshd.c sshd_config.5]
527 Remove default of AuthorizedCommandUser. Administrators are now expected
528 to explicitly specify a user. feedback and ok markus@
529 - djm@cvs.openbsd.org 2012/11/04 11:09:15
530 [auth.h auth1.c auth2.c monitor.c servconf.c servconf.h sshd.c]
531 [sshd_config.5]
532 Support multiple required authentication via an AuthenticationMethods
533 option. This option lists one or more comma-separated lists of
534 authentication method names. Successful completion of all the methods in
535 any list is required for authentication to complete;
536 feedback and ok markus@
537
53820121030
539 - (djm) OpenBSD CVS Sync
540 - markus@cvs.openbsd.org 2012/10/05 12:34:39
541 [sftp.c]
542 fix signed vs unsigned warning; feedback & ok: djm@
543 - djm@cvs.openbsd.org 2012/10/30 21:29:55
544 [auth-rsa.c auth.c auth.h auth2-pubkey.c servconf.c servconf.h]
545 [sshd.c sshd_config sshd_config.5]
546 new sshd_config option AuthorizedKeysCommand to support fetching
547 authorized_keys from a command in addition to (or instead of) from
548 the filesystem. The command is run as the target server user unless
549 another specified via a new AuthorizedKeysCommandUser option.
550
551 patch originally by jchadima AT redhat.com, reworked by me; feedback
552 and ok markus@
553
55420121019
555 - (tim) [buildpkg.sh.in] Double up on some backslashes so they end up in
556 the generated file as intended.
557
55820121005
559 - (dtucker) OpenBSD CVS Sync
560 - djm@cvs.openbsd.org 2012/09/17 09:54:44
561 [sftp.c]
562 an XXX for later
563 - markus@cvs.openbsd.org 2012/09/17 13:04:11
564 [packet.c]
565 clear old keys on rekeing; ok djm
566 - dtucker@cvs.openbsd.org 2012/09/18 10:36:12
567 [sftp.c]
568 Add bounds check on sftp tab-completion. Part of a patch from from
569 Jean-Marc Robert via tech@, ok djm
570 - dtucker@cvs.openbsd.org 2012/09/21 10:53:07
571 [sftp.c]
572 Fix improper handling of absolute paths when PWD is part of the completed
573 path. Patch from Jean-Marc Robert via tech@, ok djm.
574 - dtucker@cvs.openbsd.org 2012/09/21 10:55:04
575 [sftp.c]
576 Fix handling of filenames containing escaped globbing characters and
577 escape "#" and "*". Patch from Jean-Marc Robert via tech@, ok djm.
578 - jmc@cvs.openbsd.org 2012/09/26 16:12:13
579 [ssh.1]
580 last stage of rfc changes, using consistent Rs/Re blocks, and moving the
581 references into a STANDARDS section;
582 - naddy@cvs.openbsd.org 2012/10/01 13:59:51
583 [monitor_wrap.c]
584 pasto; ok djm@
585 - djm@cvs.openbsd.org 2012/10/02 07:07:45
586 [ssh-keygen.c]
587 fix -z option, broken in revision 1.215
588 - markus@cvs.openbsd.org 2012/10/04 13:21:50
589 [myproposal.h ssh_config.5 umac.h sshd_config.5 ssh.1 sshd.8 mac.c]
590 add umac128 variant; ok djm@ at n2k12
591 - dtucker@cvs.openbsd.org 2012/09/06 04:11:07
592 [regress/try-ciphers.sh]
593 Restore missing space. (Id sync only).
594 - dtucker@cvs.openbsd.org 2012/09/09 11:51:25
595 [regress/multiplex.sh]
596 Add test for ssh -Ostop
597 - dtucker@cvs.openbsd.org 2012/09/10 00:49:21
598 [regress/multiplex.sh]
599 Log -O cmd output to the log file and make logging consistent with the
600 other tests. Test clean shutdown of an existing channel when testing
601 "stop".
602 - dtucker@cvs.openbsd.org 2012/09/10 01:51:19
603 [regress/multiplex.sh]
604 use -Ocheck and waiting for completions by PID to make multiplexing test
605 less racy and (hopefully) more reliable on slow hardware.
606 - [Makefile umac.c] Add special-case target to build umac128.o.
607 - [umac.c] Enforce allowed umac output sizes. From djm@.
608 - [Makefile.in] "Using $< in a non-suffix rule context is a GNUmake idiom".
609
61020120917
611 - (dtucker) OpenBSD CVS Sync
612 - dtucker@cvs.openbsd.org 2012/09/13 23:37:36
613 [servconf.c]
614 Fix comment line length
615 - markus@cvs.openbsd.org 2012/09/14 16:51:34
616 [sshconnect.c]
617 remove unused variable
618
61920120907
620 - (dtucker) OpenBSD CVS Sync
621 - dtucker@cvs.openbsd.org 2012/09/06 09:50:13
622 [clientloop.c]
623 Make the escape command help (~?) context sensitive so that only commands
624 that will work in the current session are shown. ok markus@
625 - jmc@cvs.openbsd.org 2012/09/06 13:57:42
626 [ssh.1]
627 missing letter in previous;
628 - dtucker@cvs.openbsd.org 2012/09/07 00:30:19
629 [clientloop.c]
630 Print '^Z' instead of a raw ^Z when the sequence is not supported. ok djm@
631 - dtucker@cvs.openbsd.org 2012/09/07 01:10:21
632 [clientloop.c]
633 Merge escape help text for ~v and ~V; ok djm@
634 - dtucker@cvs.openbsd.org 2012/09/07 06:34:21
635 [clientloop.c]
636 when muxmaster is run with -N, make it shut down gracefully when a client
637 sends it "-O stop" rather than hanging around (bz#1985). ok djm@
638
63920120906
640 - (dtucker) OpenBSD CVS Sync
641 - jmc@cvs.openbsd.org 2012/08/15 18:25:50
642 [ssh-keygen.1]
643 a little more info on certificate validity;
644 requested by Ross L Richardson, and provided by djm
645 - dtucker@cvs.openbsd.org 2012/08/17 00:45:45
646 [clientloop.c clientloop.h mux.c]
647 Force a clean shutdown of ControlMaster client sessions when the ~. escape
648 sequence is used. This means that ~. should now work in mux clients even
649 if the server is no longer responding. Found by tedu, ok djm.
650 - djm@cvs.openbsd.org 2012/08/17 01:22:56
651 [kex.c]
652 add some comments about better handling first-KEX-follows notifications
653 from the server. Nothing uses these right now. No binary change
654 - djm@cvs.openbsd.org 2012/08/17 01:25:58
655 [ssh-keygen.c]
656 print details of which host lines were deleted when using
657 "ssh-keygen -R host"; ok markus@
658 - djm@cvs.openbsd.org 2012/08/17 01:30:00
659 [compat.c sshconnect.c]
660 Send client banner immediately, rather than waiting for the server to
661 move first for SSH protocol 2 connections (the default). Patch based on
662 one in bz#1999 by tls AT panix.com, feedback dtucker@ ok markus@
663 - dtucker@cvs.openbsd.org 2012/09/06 04:37:39
664 [clientloop.c log.c ssh.1 log.h]
665 Add ~v and ~V escape sequences to raise and lower the logging level
666 respectively. Man page help from jmc, ok deraadt jmc
667
66820120830
669 - (dtucker) [moduli] Import new moduli file.
670
120120828 67120120828
2 - (djm) Release openssh-6.1 672 - (djm) Release openssh-6.1
3 673
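Review bot: The first five date headers of the added block (20120322, 20120318, 20120317, 20120316, 20120312) carry the year 2012, yet they sit above 20130307 in a newest-first file and the first of them records "Release 6.2p1", so they read as typos for 2013; anyone sorting or grepping the ChangeLog by date will place the 6.2p1 release before the 6.1 release at 20120828. Correct the year in those five headers, or record that the text is imported unchanged. The djm@cvs.openbsd.org 2013/02/20 08:27:50 modpipe entry also appears twice, once under 20130226 with [integrity.sh] and once under 20130220 with [regress/integrity.sh regress/modpipe.c]; keeping only the second would remove the duplicate.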
@@ -172,6 +842,7 @@
172 [dns.c dns.h key.c key.h ssh-keygen.c] 842 [dns.c dns.h key.c key.h ssh-keygen.c]
173 add support for RFC6594 SSHFP DNS records for ECDSA key types. 843 add support for RFC6594 SSHFP DNS records for ECDSA key types.
174 patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@ 844 patch from bugzilla-m67 AT nulld.me in bz#1978; ok + tweak markus@
845 (Original authors Ondřej Surý, Ondřej Caletka and Daniel Black)
175 - djm@cvs.openbsd.org 2012/06/01 00:49:35 846 - djm@cvs.openbsd.org 2012/06/01 00:49:35
176 [PROTOCOL.mux] 847 [PROTOCOL.mux]
177 correct types of port numbers (integers, not strings); bz#2004 from 848 correct types of port numbers (integers, not strings); bz#2004 from
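Review bot: The credit line added at new line 845 follows the "ok + tweak markus@" sign-off, whereas other entries in this file put attribution before the ok (for example "patch originally by jchadima AT redhat.com, reworked by me; feedback and ok markus@"). Consider moving "(Original authors ...)" up next to the "patch from bugzilla-m67 AT nulld.me in bz#1978" text so the sign-off stays last, and mention the attribution change in the commit message, which currently lists only the new upstream release items.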