author | Damien Miller <djm@mindrot.org> | 2011-01-22 20:24:34 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2011-01-22 20:24:34 +1100 |
commit | 4a5eb41cee4cdda9d224d575b435d6277f4cc086 (patch) | |
tree | 53922593d9c465bf8bdc2a49c19946a48c8a9f5a /ChangeLog | |
parent | 966accc5331784f26e3231dcd3c162f581e1dce6 (diff) |
trim entries older than 5.5p1
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 2743 |
1 files changed, 0 insertions, 2743 deletions
@@ -1201,2746 +1201,3 @@ | |||
1201 | 1201 | ||
1202 | ok markus@ | 1202 | ok markus@ |
1203 | 1203 | ||
1204 | 20100410 | ||
1205 | - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo | ||
1206 | back so we disable the IPv6 tests if we don't have it. | ||
1207 | |||
1208 | 20100409 | ||
1209 | - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong | ||
1210 | ones. Based on a patch from Roumen Petrov. | ||
1211 | - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we | ||
1212 | have it and the path is not provided to --with-libedit. Based on a patch | ||
1213 | from Iain Morgan. | ||
1214 | - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable | ||
1215 | utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@ | ||
1216 | |||
1217 | 20100326 | ||
1218 | - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection | ||
1219 | for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson | ||
1220 | - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally | ||
1221 | by Ingo Weinhold via Scott McCreary, ok djm@ | ||
1222 | - (djm) OpenBSD CVS Sync | ||
1223 | - djm@cvs.openbsd.org 2010/03/25 23:38:28 | ||
1224 | [servconf.c] | ||
1225 | from portable: getcwd(NULL, 0) doesn't work on all platforms, so | ||
1226 | use a stack buffer; ok dtucker@ | ||
1227 | - djm@cvs.openbsd.org 2010/03/26 00:26:58 | ||
1228 | [ssh.1] | ||
1229 | mention that -S none disables connection sharing; from Colin Watson | ||
1230 | - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms - | ||
1231 | set up SELinux execution context before chroot() call. From Russell | ||
1232 | Coker via Colin watson; bz#1726 ok dtucker@ | ||
1233 | - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721 | ||
1234 | ok dtucker@ | ||
1235 | - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using | ||
1236 | pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold). | ||
1237 | - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys; | ||
1238 | bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@ | ||
1239 | - (dtucker) OpenBSD CVS Sync | ||
1240 | - dtucker@cvs.openbsd.org 2010/03/26 01:06:13 | ||
1241 | [ssh_config.5] | ||
1242 | Reformat default value of PreferredAuthentications entry (current | ||
1243 | formatting implies ", " is acceptable as a separator, which it's not. | ||
1244 | ok djm@ | ||
1245 | |||
1246 | 20100324 | ||
1247 | - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory | ||
1248 | containing the services file explicitely case-insensitive. This allows to | ||
1249 | tweak the Windows services file reliably. Patch from vinschen at redhat. | ||
1250 | |||
1251 | 20100321 | ||
1252 | - (djm) OpenBSD CVS Sync | ||
1253 | - jmc@cvs.openbsd.org 2010/03/08 09:41:27 | ||
1254 | [ssh-keygen.1] | ||
1255 | sort the list of constraints (to -O); ok djm | ||
1256 | - jmc@cvs.openbsd.org 2010/03/10 07:40:35 | ||
1257 | [ssh-keygen.1] | ||
1258 | typos; from Ross Richardson | ||
1259 | closes prs 6334 and 6335 | ||
1260 | - djm@cvs.openbsd.org 2010/03/10 23:27:17 | ||
1261 | [auth2-pubkey.c] | ||
1262 | correct certificate logging and make it more consistent between | ||
1263 | authorized_keys and TrustedCAKeys; ok markus@ | ||
1264 | - djm@cvs.openbsd.org 2010/03/12 01:06:25 | ||
1265 | [servconf.c] | ||
1266 | unbreak AuthorizedKeys option with a $HOME-relative path; reported by | ||
1267 | vinschen AT redhat.com, ok dtucker@ | ||
1268 | - markus@cvs.openbsd.org 2010/03/12 11:37:40 | ||
1269 | [servconf.c] | ||
1270 | do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths | ||
1271 | free() (not xfree()) the buffer returned by getcwd() | ||
1272 | - djm@cvs.openbsd.org 2010/03/13 21:10:38 | ||
1273 | [clientloop.c] | ||
1274 | protocol conformance fix: send language tag when disconnecting normally; | ||
1275 | spotted by 1.41421 AT gmail.com, ok markus@ deraadt@ | ||
1276 | - djm@cvs.openbsd.org 2010/03/13 21:45:46 | ||
1277 | [ssh-keygen.1] | ||
1278 | Certificates are named *-cert.pub, not *_cert.pub; committing a diff | ||
1279 | from stevesk@ ok me | ||
1280 | - jmc@cvs.openbsd.org 2010/03/13 23:38:13 | ||
1281 | [ssh-keygen.1] | ||
1282 | fix a formatting error (args need quoted); noted by stevesk | ||
1283 | - stevesk@cvs.openbsd.org 2010/03/15 19:40:02 | ||
1284 | [key.c key.h ssh-keygen.c] | ||
1285 | also print certificate type (user or host) for ssh-keygen -L | ||
1286 | ok djm kettenis | ||
1287 | - stevesk@cvs.openbsd.org 2010/03/16 15:46:52 | ||
1288 | [auth-options.c] | ||
1289 | spelling in error message. ok djm kettenis | ||
1290 | - djm@cvs.openbsd.org 2010/03/16 16:36:49 | ||
1291 | [version.h] | ||
1292 | crank version to openssh-5.5 since we have a few fixes since 5.4; | ||
1293 | requested deraadt@ kettenis@ | ||
1294 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
1295 | [contrib/suse/openssh.spec] Crank version numbers | ||
1296 | |||
1297 | 20100314 | ||
1298 | - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix | ||
1299 | compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot | ||
1300 | AT fefe.de | ||
1301 | - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for | ||
1302 | ssh-pkcs11-helper to repair static builds (we do the same for | ||
1303 | ssh-keyscan). Reported by felix-mindrot AT fefe.de | ||
1304 | |||
1305 | 20100312 | ||
1306 | - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir) | ||
1307 | - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets. | ||
1308 | Patch from Corinna Vinschen. | ||
1309 | - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install | ||
1310 | on a Cygwin installation. Patch from Corinna Vinschen. | ||
1311 | |||
1312 | 20100311 | ||
1313 | - (tim) [contrib/suse/openssh.spec] crank version number here too. | ||
1314 | report by imorgan AT nas.nasa.gov | ||
1315 | |||
1316 | 20100309 | ||
1317 | - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO | ||
1318 | so setting it in CFLAGS correctly skips IPv6 tests. | ||
1319 | |||
1320 | 20100308 | ||
1321 | - (djm) OpenBSD CVS Sync | ||
1322 | - djm@cvs.openbsd.org 2010/03/07 22:16:01 | ||
1323 | [ssh-keygen.c] | ||
1324 | make internal strptime string match strftime format; | ||
1325 | suggested by vinschen AT redhat.com and markus@ | ||
1326 | - djm@cvs.openbsd.org 2010/03/08 00:28:55 | ||
1327 | [ssh-keygen.1] | ||
1328 | document permit-agent-forwarding certificate constraint; patch from | ||
1329 | stevesk@ | ||
1330 | - djm@cvs.openbsd.org 2010/03/07 22:01:32 | ||
1331 | [version.h] | ||
1332 | openssh-5.4 | ||
1333 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
1334 | crank version numbers | ||
1335 | - (djm) Release OpenSSH-5.4p1 | ||
1336 | |||
1337 | 20100307 | ||
1338 | - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that | ||
1339 | it gets the passwd struct from the LAM that knows about the user which is | ||
1340 | not necessarily the default. Patch from Alexandre Letourneau. | ||
1341 | - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and | ||
1342 | do not set real uid, since that's needed for the chroot, and will be set | ||
1343 | by permanently_set_uid. | ||
1344 | - (dtucker) [session.c] Also initialize creds to NULL for handing to | ||
1345 | setpcred. | ||
1346 | - (dtucker) OpenBSD CVS Sync | ||
1347 | - dtucker@cvs.openbsd.org 2010/03/07 11:57:13 | ||
1348 | [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c] | ||
1349 | Hold authentication debug messages until after successful authentication. | ||
1350 | Fixes an info leak of environment variables specified in authorized_keys, | ||
1351 | reported by Jacob Appelbaum. ok djm@ | ||
1352 | |||
1353 | 20100305 | ||
1354 | - OpenBSD CVS Sync | ||
1355 | - jmc@cvs.openbsd.org 2010/03/04 12:51:25 | ||
1356 | [ssh.1 sshd_config.5] | ||
1357 | tweak previous; | ||
1358 | - djm@cvs.openbsd.org 2010/03/04 20:35:08 | ||
1359 | [ssh-keygen.1 ssh-keygen.c] | ||
1360 | Add a -L flag to print the contents of a certificate; ok markus@ | ||
1361 | - jmc@cvs.openbsd.org 2010/03/04 22:52:40 | ||
1362 | [ssh-keygen.1] | ||
1363 | fix Bk/Ek; | ||
1364 | - djm@cvs.openbsd.org 2010/03/04 23:17:25 | ||
1365 | [sshd_config.5] | ||
1366 | missing word; spotted by jmc@ | ||
1367 | - djm@cvs.openbsd.org 2010/03/04 23:19:29 | ||
1368 | [ssh.1 sshd.8] | ||
1369 | move section on CA and revoked keys from ssh.1 to sshd.8's known hosts | ||
1370 | format section and rework it a bit; requested by jmc@ | ||
1371 | - djm@cvs.openbsd.org 2010/03/04 23:27:25 | ||
1372 | [auth-options.c ssh-keygen.c] | ||
1373 | "force-command" is not spelled "forced-command"; spotted by | ||
1374 | imorgan AT nas.nasa.gov | ||
1375 | - djm@cvs.openbsd.org 2010/03/05 02:58:11 | ||
1376 | [auth.c] | ||
1377 | make the warning for a revoked key louder and more noticable | ||
1378 | - jmc@cvs.openbsd.org 2010/03/05 06:50:35 | ||
1379 | [ssh.1 sshd.8] | ||
1380 | tweak previous; | ||
1381 | - jmc@cvs.openbsd.org 2010/03/05 08:31:20 | ||
1382 | [ssh.1] | ||
1383 | document certificate authentication; help/ok djm | ||
1384 | - djm@cvs.openbsd.org 2010/03/05 10:28:21 | ||
1385 | [ssh-add.1 ssh.1 ssh_config.5] | ||
1386 | mention loading of certificate files from [private]-cert.pub when | ||
1387 | they are present; feedback and ok jmc@ | ||
1388 | - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older | ||
1389 | compilers. OK djm@ | ||
1390 | - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure | ||
1391 | on some platforms | ||
1392 | - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@ | ||
1393 | |||
1394 | 20100304 | ||
1395 | - (djm) [ssh-keygen.c] Use correct local variable, instead of | ||
1396 | maybe-undefined global "optarg" | ||
1397 | - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq | ||
1398 | on XFree86-devel with neutral /usr/include/X11/Xlib.h; | ||
1399 | imorgan AT nas.nasa.gov in bz#1731 | ||
1400 | - (djm) [.cvsignore] Ignore ssh-pkcs11-helper | ||
1401 | - (djm) [regress/Makefile] Cleanup sshd_proxy_orig | ||
1402 | - OpenBSD CVS Sync | ||
1403 | - djm@cvs.openbsd.org 2010/03/03 01:44:36 | ||
1404 | [auth-options.c key.c] | ||
1405 | reject strings with embedded ASCII nul chars in certificate key IDs, | ||
1406 | principal names and constraints | ||
1407 | - djm@cvs.openbsd.org 2010/03/03 22:49:50 | ||
1408 | [sshd.8] | ||
1409 | the authorized_keys option for CA keys is "cert-authority", not | ||
1410 | "from=cert-authority". spotted by imorgan AT nas.nasa.gov | ||
1411 | - djm@cvs.openbsd.org 2010/03/03 22:50:40 | ||
1412 | [PROTOCOL.certkeys] | ||
1413 | s/similar same/similar/; from imorgan AT nas.nasa.gov | ||
1414 | - djm@cvs.openbsd.org 2010/03/04 01:44:57 | ||
1415 | [key.c] | ||
1416 | use buffer_get_string_ptr_ret() where we are checking the return | ||
1417 | value explicitly instead of the fatal()-causing buffer_get_string_ptr() | ||
1418 | - djm@cvs.openbsd.org 2010/03/04 10:36:03 | ||
1419 | [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c] | ||
1420 | [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h] | ||
1421 | [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5] | ||
1422 | Add a TrustedUserCAKeys option to sshd_config to specify CA keys that | ||
1423 | are trusted to authenticate users (in addition than doing it per-user | ||
1424 | in authorized_keys). | ||
1425 | |||
1426 | Add a RevokedKeys option to sshd_config and a @revoked marker to | ||
1427 | known_hosts to allow keys to me revoked and banned for user or host | ||
1428 | authentication. | ||
1429 | |||
1430 | feedback and ok markus@ | ||
1431 | - djm@cvs.openbsd.org 2010/03/03 00:47:23 | ||
1432 | [regress/cert-hostkey.sh regress/cert-userkey.sh] | ||
1433 | add an extra test to ensure that authentication with the wrong | ||
1434 | certificate fails as it should (and it does) | ||
1435 | - djm@cvs.openbsd.org 2010/03/04 10:38:23 | ||
1436 | [regress/cert-hostkey.sh regress/cert-userkey.sh] | ||
1437 | additional regression tests for revoked keys and TrustedUserCAKeys | ||
1438 | |||
1439 | 20100303 | ||
1440 | - (djm) [PROTOCOL.certkeys] Add RCS Ident | ||
1441 | - OpenBSD CVS Sync | ||
1442 | - jmc@cvs.openbsd.org 2010/02/26 22:09:28 | ||
1443 | [ssh-keygen.1 ssh.1 sshd.8] | ||
1444 | tweak previous; | ||
1445 | - otto@cvs.openbsd.org 2010/03/01 11:07:06 | ||
1446 | [ssh-add.c] | ||
1447 | zap what seems to be a left-over debug message; ok markus@ | ||
1448 | - djm@cvs.openbsd.org 2010/03/02 23:20:57 | ||
1449 | [ssh-keygen.c] | ||
1450 | POSIX strptime is stricter than OpenBSD's so do a little dance to | ||
1451 | appease it. | ||
1452 | - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too | ||
1453 | |||
1454 | 20100302 | ||
1455 | - (tim) [config.guess config.sub] Bug 1722: Update to latest versions from | ||
1456 | http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22 | ||
1457 | respectively). | ||
1458 | |||
1459 | 20100301 | ||
1460 | - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace | ||
1461 | "echo -n" with "echon" for portability. | ||
1462 | - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM | ||
1463 | adjust log at verbose only, since according to cjwatson in bug #1470 | ||
1464 | some virtualization platforms don't allow writes. | ||
1465 | |||
1466 | 20100228 | ||
1467 | - (djm) [auth.c] On Cygwin, refuse usernames that have differences in | ||
1468 | case from that matched in the system password database. On this | ||
1469 | platform, passwords are stored case-insensitively, but sshd requires | ||
1470 | exact case matching for Match blocks in sshd_config(5). Based on | ||
1471 | a patch from vinschen AT redhat.com. | ||
1472 | - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions | ||
1473 | to make older compilers (gcc 2.95) happy. | ||
1474 | |||
1475 | 20100227 | ||
1476 | - (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded | ||
1477 | - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment | ||
1478 | variables copied into sshd child processes. From vinschen AT redhat.com | ||
1479 | |||
1480 | 20100226 | ||
1481 | - OpenBSD CVS Sync | ||
1482 | - djm@cvs.openbsd.org 2010/02/26 20:29:54 | ||
1483 | [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] | ||
1484 | [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] | ||
1485 | [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] | ||
1486 | [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] | ||
1487 | [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] | ||
1488 | [sshconnect2.c sshd.8 sshd.c sshd_config.5] | ||
1489 | Add support for certificate key types for users and hosts. | ||
1490 | |||
1491 | OpenSSH certificate key types are not X.509 certificates, but a much | ||
1492 | simpler format that encodes a public key, identity information and | ||
1493 | some validity constraints and signs it with a CA key. CA keys are | ||
1494 | regular SSH keys. This certificate style avoids the attack surface | ||
1495 | of X.509 certificates and is very easy to deploy. | ||
1496 | |||
1497 | Certified host keys allow automatic acceptance of new host keys | ||
1498 | when a CA certificate is marked as trusted in ~/.ssh/known_hosts. | ||
1499 | see VERIFYING HOST KEYS in ssh(1) for details. | ||
1500 | |||
1501 | Certified user keys allow authentication of users when the signing | ||
1502 | CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS | ||
1503 | FILE FORMAT" in sshd(8) for details. | ||
1504 | |||
1505 | Certificates are minted using ssh-keygen(1), documentation is in | ||
1506 | the "CERTIFICATES" section of that manpage. | ||
1507 | |||
1508 | Documentation on the format of certificates is in the file | ||
1509 | PROTOCOL.certkeys | ||
1510 | |||
1511 | feedback and ok markus@ | ||
1512 | - djm@cvs.openbsd.org 2010/02/26 20:33:21 | ||
1513 | [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] | ||
1514 | regression tests for certified keys | ||
1515 | |||
1516 | 20100224 | ||
1517 | - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] | ||
1518 | [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable | ||
1519 | - (djm) OpenBSD CVS Sync | ||
1520 | - djm@cvs.openbsd.org 2010/02/11 20:37:47 | ||
1521 | [pathnames.h] | ||
1522 | correct comment | ||
1523 | - dtucker@cvs.openbsd.org 2009/11/09 04:20:04 | ||
1524 | [regress/Makefile] | ||
1525 | add regression test for ssh-keygen pubkey conversions | ||
1526 | - dtucker@cvs.openbsd.org 2010/01/11 02:53:44 | ||
1527 | [regress/forwarding.sh] | ||
1528 | regress test for stdio forwarding | ||
1529 | - djm@cvs.openbsd.org 2010/02/09 04:57:36 | ||
1530 | [regress/addrmatch.sh] | ||
1531 | clean up droppings | ||
1532 | - djm@cvs.openbsd.org 2010/02/09 06:29:02 | ||
1533 | [regress/Makefile] | ||
1534 | turn on all the malloc(3) checking options when running regression | ||
1535 | tests. this has caught a few bugs for me in the past; ok dtucker@ | ||
1536 | - djm@cvs.openbsd.org 2010/02/24 06:21:56 | ||
1537 | [regress/test-exec.sh] | ||
1538 | wait for sshd to fully stop in cleanup() function; avoids races in tests | ||
1539 | that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@ | ||
1540 | - markus@cvs.openbsd.org 2010/02/08 10:52:47 | ||
1541 | [regress/agent-pkcs11.sh] | ||
1542 | test for PKCS#11 support (currently disabled) | ||
1543 | - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper | ||
1544 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
1545 | [contrib/suse/openssh.spec] Add PKCS#11 helper binary and manpage | ||
1546 | |||
1547 | 20100212 | ||
1548 | - (djm) OpenBSD CVS Sync | ||
1549 | - djm@cvs.openbsd.org 2010/02/02 22:49:34 | ||
1550 | [bufaux.c] | ||
1551 | make buffer_get_string_ret() really non-fatal in all cases (it was | ||
1552 | using buffer_get_int(), which could fatal() on buffer empty); | ||
1553 | ok markus dtucker | ||
1554 | - markus@cvs.openbsd.org 2010/02/08 10:50:20 | ||
1555 | [pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] | ||
1556 | [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] | ||
1557 | replace our obsolete smartcard code with PKCS#11. | ||
1558 | ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf | ||
1559 | ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 | ||
1560 | provider (shared library) while ssh-agent(1) delegates PKCS#11 to | ||
1561 | a forked a ssh-pkcs11-helper process. | ||
1562 | PKCS#11 is currently a compile time option. | ||
1563 | feedback and ok djm@; inspired by patches from Alon Bar-Lev | ||
1564 | - jmc@cvs.openbsd.org 2010/02/08 22:03:05 | ||
1565 | [ssh-add.1 ssh-keygen.1 ssh.1 ssh.c] | ||
1566 | tweak previous; ok markus | ||
1567 | - djm@cvs.openbsd.org 2010/02/09 00:50:36 | ||
1568 | [ssh-agent.c] | ||
1569 | fallout from PKCS#11: unbreak -D | ||
1570 | - djm@cvs.openbsd.org 2010/02/09 00:50:59 | ||
1571 | [ssh-keygen.c] | ||
1572 | fix -Wall | ||
1573 | - djm@cvs.openbsd.org 2010/02/09 03:56:28 | ||
1574 | [buffer.c buffer.h] | ||
1575 | constify the arguments to buffer_len, buffer_ptr and buffer_dump | ||
1576 | - djm@cvs.openbsd.org 2010/02/09 06:18:46 | ||
1577 | [auth.c] | ||
1578 | unbreak ChrootDirectory+internal-sftp by skipping check for executable | ||
1579 | shell when chrooting; reported by danh AT wzrd.com; ok dtucker@ | ||
1580 | - markus@cvs.openbsd.org 2010/02/10 23:20:38 | ||
1581 | [ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5] | ||
1582 | pkcs#11 is no longer optional; improve wording; ok jmc@ | ||
1583 | - jmc@cvs.openbsd.org 2010/02/11 13:23:29 | ||
1584 | [ssh.1] | ||
1585 | libarary -> library; | ||
1586 | - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c] | ||
1587 | [scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java] | ||
1588 | Remove obsolete smartcard support | ||
1589 | - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] | ||
1590 | Make it compile on OSX | ||
1591 | - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c] | ||
1592 | Use ssh_get_progname to fill __progname | ||
1593 | - (djm) [configure.ac] Enable PKCS#11 support only when we find a working | ||
1594 | dlopen() | ||
1595 | |||
1596 | 20100210 | ||
1597 | - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for | ||
1598 | getseuserbyname; patch from calebcase AT gmail.com via | ||
1599 | cjwatson AT debian.org | ||
1600 | |||
1601 | 20100202 | ||
1602 | - (djm) OpenBSD CVS Sync | ||
1603 | - djm@cvs.openbsd.org 2010/01/30 21:08:33 | ||
1604 | [sshd.8] | ||
1605 | debug output goes to stderr, not "the system log"; ok markus dtucker | ||
1606 | - djm@cvs.openbsd.org 2010/01/30 21:12:08 | ||
1607 | [channels.c] | ||
1608 | fake local addr:port when stdio fowarding as some servers (Tectia at | ||
1609 | least) validate that they are well-formed; | ||
1610 | reported by imorgan AT nas.nasa.gov | ||
1611 | ok dtucker | ||
1612 | |||
1613 | 20100130 | ||
1614 | - (djm) OpenBSD CVS Sync | ||
1615 | - djm@cvs.openbsd.org 2010/01/28 00:21:18 | ||
1616 | [clientloop.c] | ||
1617 | downgrade an error() to a debug() - this particular case can be hit in | ||
1618 | normal operation for certain sequences of mux slave vs session closure | ||
1619 | and is harmless | ||
1620 | - djm@cvs.openbsd.org 2010/01/29 00:20:41 | ||
1621 | [sshd.c] | ||
1622 | set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com | ||
1623 | ok dtucker@ | ||
1624 | - djm@cvs.openbsd.org 2010/01/29 20:16:17 | ||
1625 | [mux.c] | ||
1626 | kill correct channel (was killing already-dead mux channel, not | ||
1627 | its session channel) | ||
1628 | - djm@cvs.openbsd.org 2010/01/30 02:54:53 | ||
1629 | [mux.c] | ||
1630 | don't mark channel as read failed if it is already closing; suppresses | ||
1631 | harmless error messages when connecting to SSH.COM Tectia server | ||
1632 | report by imorgan AT nas.nasa.gov | ||
1633 | |||
1634 | 20100129 | ||
1635 | - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config() | ||
1636 | after registering the hardware engines, which causes the openssl.cnf file to | ||
1637 | be processed. See OpenSSL's man page for OPENSSL_config(3) for details. | ||
1638 | Patch from Solomon Peachy, ok djm@. | ||
1639 | |||
1640 | 20100128 | ||
1641 | - (djm) OpenBSD CVS Sync | ||
1642 | - djm@cvs.openbsd.org 2010/01/26 02:15:20 | ||
1643 | [mux.c] | ||
1644 | -Wuninitialized and remove a // comment; from portable | ||
1645 | (Id sync only) | ||
1646 | - djm@cvs.openbsd.org 2010/01/27 13:26:17 | ||
1647 | [mux.c] | ||
1648 | fix bug introduced in mux rewrite: | ||
1649 | |||
1650 | In a mux master, when a socket to a mux slave closes before its server | ||
1651 | session (as may occur when the slave has been signalled), gracefully | ||
1652 | close the server session rather than deleting its channel immediately. | ||
1653 | A server may have more messages on that channel to send (e.g. an exit | ||
1654 | message) that will fatal() the client if they are sent to a channel that | ||
1655 | has been prematurely deleted. | ||
1656 | |||
1657 | spotted by imorgan AT nas.nasa.gov | ||
1658 | - djm@cvs.openbsd.org 2010/01/27 19:21:39 | ||
1659 | [sftp.c] | ||
1660 | add missing "p" flag to getopt optstring; | ||
1661 | bz#1704 from imorgan AT nas.nasa.gov | ||
1662 | |||
1663 | 20100126 | ||
1664 | - (djm) OpenBSD CVS Sync | ||
1665 | - tedu@cvs.openbsd.org 2010/01/17 21:49:09 | ||
1666 | [ssh-agent.1] | ||
1667 | Correct and clarify ssh-add's password asking behavior. | ||
1668 | Improved text dtucker and ok jmc | ||
1669 | - dtucker@cvs.openbsd.org 2010/01/18 01:50:27 | ||
1670 | [roaming_client.c] | ||
1671 | s/long long unsigned/unsigned long long/, from tim via portable | ||
1672 | (Id sync only, change already in portable) | ||
1673 | - djm@cvs.openbsd.org 2010/01/26 01:28:35 | ||
1674 | [channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c] | ||
1675 | rewrite ssh(1) multiplexing code to a more sensible protocol. | ||
1676 | |||
1677 | The new multiplexing code uses channels for the listener and | ||
1678 | accepted control sockets to make the mux master non-blocking, so | ||
1679 | no stalls when processing messages from a slave. | ||
1680 | |||
1681 | avoid use of fatal() in mux master protocol parsing so an errant slave | ||
1682 | process cannot take down a running master. | ||
1683 | |||
1684 | implement requesting of port-forwards over multiplexed sessions. Any | ||
1685 | port forwards requested by the slave are added to those the master has | ||
1686 | established. | ||
1687 | |||
1688 | add support for stdio forwarding ("ssh -W host:port ...") in mux slaves. | ||
1689 | |||
1690 | document master/slave mux protocol so that other tools can use it to | ||
1691 | control a running ssh(1). Note: there are no guarantees that this | ||
1692 | protocol won't be incompatibly changed (though it is versioned). | ||
1693 | |||
1694 | feedback Salvador Fandino, dtucker@ | ||
1695 | channel changes ok markus@ | ||
1696 | |||
1697 | 20100122 | ||
1698 | - (tim) [configure.ac] Due to constraints in Windows Sockets in terms of | ||
1699 | socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size | ||
1700 | in Cygwin to 65535. Patch from Corinna Vinschen. | ||
1701 | |||
1702 | 20100117 | ||
1703 | - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too. | ||
1704 | - (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions | ||
1705 | snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf(). | ||
1706 | |||
1707 | 20100116 | ||
1708 | - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h | ||
1709 | so we correctly detect whether or not we have a native user_from_uid. | ||
1710 | - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid | ||
1711 | and group_from_gid. | ||
1712 | - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by | ||
1713 | Tim. | ||
1714 | - (dtucker) OpenBSD CVS Sync | ||
1715 | - markus@cvs.openbsd.org 2010/01/15 09:24:23 | ||
1716 | [sftp-common.c] | ||
1717 | unused | ||
1718 | - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused | ||
1719 | variable warnings. | ||
1720 | - (dtucker) [openbsd-compat/openbsd-compat.h] Typo. | ||
1721 | - (tim) [regress/portnum.sh] Shell portability fix. | ||
1722 | - (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native | ||
1723 | getaddrinfo() is too old and limited for addr_pton() in addrmatch.c. | ||
1724 | - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we | ||
1725 | use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/ | ||
1726 | to keep USL compilers happy. | ||
1727 | |||
1728 | 20100115 | ||
1729 | - (dtucker) OpenBSD CVS Sync | ||
1730 | - jmc@cvs.openbsd.org 2010/01/13 12:48:34 | ||
1731 | [sftp.1 sftp.c] | ||
1732 | sftp.1: put ls -h in the right place | ||
1733 | sftp.c: as above, plus add -p to get/put, and shorten their arg names | ||
1734 | to keep the help usage nicely aligned | ||
1735 | ok djm | ||
1736 | - djm@cvs.openbsd.org 2010/01/13 23:47:26 | ||
1737 | [auth.c] | ||
1738 | when using ChrootDirectory, make sure we test for the existence of the | ||
1739 | user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; | ||
1740 | ok dtucker | ||
1741 | - dtucker@cvs.openbsd.org 2010/01/14 23:41:49 | ||
1742 | [sftp-common.c] | ||
1743 | use user_from{uid,gid} to lookup up ids since it keeps a small cache. | ||
1744 | ok djm | ||
1745 | - guenther@cvs.openbsd.org 2010/01/15 00:05:22 | ||
1746 | [sftp.c] | ||
1747 | Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp | ||
1748 | inherited SIGTERM as ignored it will still be able to kill the ssh it | ||
1749 | starts. | ||
1750 | ok dtucker@ | ||
1751 | - (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no | ||
1752 | changes yet but there will be some to come). | ||
1753 | - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c} Portability | ||
1754 | for pwcache. Also, added caching of negative hits. | ||
1755 | |||
1756 | 20100114 | ||
1757 | - (djm) [platform.h] Add missing prototype for | ||
1758 | platform_krb5_get_principal_name | ||
1759 | |||
1760 | 20100113 | ||
1761 | - (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs. | ||
1762 | - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18: | ||
1763 | missing restore of SIGTTOU and some whitespace. | ||
1764 | - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21. | ||
1765 | - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22. | ||
1766 | Fixes bz #1590, where sometimes you could not interrupt a connection while | ||
1767 | ssh was prompting for a passphrase or password. | ||
1768 | - (dtucker) OpenBSD CVS Sync | ||
1769 | - dtucker@cvs.openbsd.org 2010/01/13 00:19:04 | ||
1770 | [sshconnect.c auth.c] | ||
1771 | Fix a couple of typos/mispellings in comments | ||
1772 | - dtucker@cvs.openbsd.org 2010/01/13 01:10:56 | ||
1773 | [key.c] | ||
1774 | Ignore and log any Protocol 1 keys where the claimed size is not equal to | ||
1775 | the actual size. Noted by Derek Martin, ok djm@ | ||
1776 | - dtucker@cvs.openbsd.org 2010/01/13 01:20:20 | ||
1777 | [canohost.c ssh-keysign.c sshconnect2.c] | ||
1778 | Make HostBased authentication work with a ProxyCommand. bz #1569, patch | ||
1779 | from imorgan at nas nasa gov, ok djm@ | ||
1780 | - djm@cvs.openbsd.org 2010/01/13 01:40:16 | ||
1781 | [sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h] | ||
1782 | support '-h' (human-readable units) for sftp's ls command, just like | ||
1783 | ls(1); ok dtucker@ | ||
1784 | - djm@cvs.openbsd.org 2010/01/13 03:48:13 | ||
1785 | [servconf.c servconf.h sshd.c] | ||
1786 | avoid run-time failures when specifying hostkeys via a relative | ||
1787 | path by prepending the cwd in these cases; bz#1290; ok dtucker@ | ||
1788 | - djm@cvs.openbsd.org 2010/01/13 04:10:50 | ||
1789 | [sftp.c] | ||
1790 | don't append a space after inserting a completion of a directory (i.e. | ||
1791 | a path ending in '/') for a slightly better user experience; ok dtucker@ | ||
1792 | - (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef. | ||
1793 | - (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG. | ||
1794 | feedback and ok dtucker@ | ||
1795 | |||
1796 | 20100112 | ||
1797 | - (dtucker) OpenBSD CVS Sync | ||
1798 | - dtucker@cvs.openbsd.org 2010/01/11 01:39:46 | ||
1799 | [ssh_config channels.c ssh.1 channels.h ssh.c] | ||
1800 | Add a 'netcat mode' (ssh -W). This connects stdio on the client to a | ||
1801 | single port forward on the server. This allows, for example, using ssh as | ||
1802 | a ProxyCommand to route connections via intermediate servers. | ||
1803 | bz #1618, man page help from jmc@, ok markus@ | ||
1804 | - dtucker@cvs.openbsd.org 2010/01/11 04:46:45 | ||
1805 | [authfile.c sshconnect2.c] | ||
1806 | Do not prompt for a passphrase if we fail to open a keyfile, and log the | ||
1807 | reason the open failed to debug. | ||
1808 | bz #1693, found by tj AT castaglia org, ok djm@ | ||
1809 | - djm@cvs.openbsd.org 2010/01/11 10:51:07 | ||
1810 | [ssh-keygen.c] | ||
1811 | when converting keys, truncate key comments at 72 chars as per RFC4716; | ||
1812 | bz#1630 reported by tj AT castaglia.org; ok markus@ | ||
1813 | - dtucker@cvs.openbsd.org 2010/01/12 00:16:47 | ||
1814 | [authfile.c] | ||
1815 | Fix bug introduced in r1.78 (incorrect brace location) that broke key auth. | ||
1816 | Patch from joachim joachimschipper nl. | ||
1817 | - djm@cvs.openbsd.org 2010/01/12 00:58:25 | ||
1818 | [monitor_fdpass.c] | ||
1819 | avoid spinning when fd passing on nonblocking sockets by calling poll() | ||
1820 | in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@ | ||
1821 | - djm@cvs.openbsd.org 2010/01/12 00:59:29 | ||
1822 | [roaming_common.c] | ||
1823 | delete with extreme prejudice a debug() that fired with every keypress; | ||
1824 | ok dtucker deraadt | ||
1825 | - dtucker@cvs.openbsd.org 2010/01/12 01:31:05 | ||
1826 | [session.c] | ||
1827 | Do not allow logins if /etc/nologin exists but is not readable by the user | ||
1828 | logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@ | ||
1829 | - djm@cvs.openbsd.org 2010/01/12 01:36:08 | ||
1830 | [buffer.h bufaux.c] | ||
1831 | add a buffer_get_string_ptr_ret() that does the same as | ||
1832 | buffer_get_string_ptr() but does not fatal() on error; ok dtucker@ | ||
1833 | - dtucker@cvs.openbsd.org 2010/01/12 08:33:17 | ||
1834 | [session.c] | ||
1835 | Add explicit stat so we reliably detect nologin with bad perms. | ||
1836 | ok djm markus | ||
1837 | |||
1838 | 20100110 | ||
1839 | - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] | ||
1840 | Remove hacks add for RoutingDomain in preparation for its removal. | ||
1841 | - (dtucker) OpenBSD CVS Sync | ||
1842 | - dtucker@cvs.openbsd.org 2010/01/09 23:04:13 | ||
1843 | [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h | ||
1844 | ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c | ||
1845 | readconf.h scp.1 sftp.1 ssh_config.5 misc.h] | ||
1846 | Remove RoutingDomain from ssh since it's now not needed. It can be | ||
1847 | replaced with "route exec" or "nc -V" as a proxycommand. "route exec" | ||
1848 | also ensures that trafic such as DNS lookups stays withing the specified | ||
1849 | routingdomain. For example (from reyk): | ||
1850 | # route -T 2 exec /usr/sbin/sshd | ||
1851 | or inherited from the parent process | ||
1852 | $ route -T 2 exec sh | ||
1853 | $ ssh 10.1.2.3 | ||
1854 | ok deraadt@ markus@ stevesk@ reyk@ | ||
1855 | - dtucker@cvs.openbsd.org 2010/01/10 03:51:17 | ||
1856 | [servconf.c] | ||
1857 | Add ChrootDirectory to sshd.c test-mode output | ||
1858 | - dtucker@cvs.openbsd.org 2010/01/10 07:15:56 | ||
1859 | [auth.c] | ||
1860 | Output a debug if we can't open an existing keyfile. bz#1694, ok djm@ | ||
1861 | |||
1862 | 20100109 | ||
1863 | - (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't | ||
1864 | have it. | ||
1865 | - (dtucker) [defines.h] define PRIu64 for platforms that don't have it. | ||
1866 | - (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef. | ||
1867 | - (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name | ||
1868 | when using utmpx. Patch from Ed Schouten. | ||
1869 | - (dtucker) OpenBSD CVS Sync | ||
1870 | - djm@cvs.openbsd.org 2010/01/09 00:20:26 | ||
1871 | [sftp-server.c sftp-server.8] | ||
1872 | add a 'read-only' mode to sftp-server(8) that disables open in write mode | ||
1873 | and all other fs-modifying protocol methods. bz#430 ok dtucker@ | ||
1874 | - djm@cvs.openbsd.org 2010/01/09 00:57:10 | ||
1875 | [PROTOCOL] | ||
1876 | tweak language | ||
1877 | - jmc@cvs.openbsd.org 2010/01/09 03:36:00 | ||
1878 | [sftp-server.8] | ||
1879 | bad place to forget a comma... | ||
1880 | - djm@cvs.openbsd.org 2010/01/09 05:04:24 | ||
1881 | [mux.c sshpty.h clientloop.c sshtty.c] | ||
1882 | quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we | ||
1883 | usually don't actually have a tty to read/set; bz#1686 ok dtucker@ | ||
1884 | - dtucker@cvs.openbsd.org 2010/01/09 05:17:00 | ||
1885 | [roaming_client.c] | ||
1886 | Remove a PRIu64 format string that snuck in with roaming. ok djm@ | ||
1887 | - dtucker@cvs.openbsd.org 2010/01/09 11:13:02 | ||
1888 | [sftp.c] | ||
1889 | Prevent sftp from derefing a null pointer when given a "-" without a | ||
1890 | command. Also, allow whitespace to follow a "-". bz#1691, path from | ||
1891 | Colin Watson via Debian. ok djm@ deraadt@ | ||
1892 | - dtucker@cvs.openbsd.org 2010/01/09 11:17:56 | ||
1893 | [sshd.c] | ||
1894 | Afer sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs | ||
1895 | itself. Prevents two HUPs in quick succession from resulting in sshd | ||
1896 | dying. bz#1692, patch from Colin Watson via Ubuntu. | ||
1897 | - (dtucker) [defines.h] Remove now-undeeded PRIu64 define. | ||
1898 | |||
1899 | 20100108 | ||
1900 | - (dtucker) OpenBSD CVS Sync | ||
1901 | - andreas@cvs.openbsd.org 2009/10/24 11:11:58 | ||
1902 | [roaming.h] | ||
1903 | Declarations needed for upcoming changes. | ||
1904 | ok markus@ | ||
1905 | - andreas@cvs.openbsd.org 2009/10/24 11:13:54 | ||
1906 | [sshconnect2.c kex.h kex.c] | ||
1907 | Let the client detect if the server supports roaming by looking | ||
1908 | for the resume@appgate.com kex algorithm. | ||
1909 | ok markus@ | ||
1910 | - andreas@cvs.openbsd.org 2009/10/24 11:15:29 | ||
1911 | [clientloop.c] | ||
1912 | client_loop() must detect if the session has been suspended and resumed, | ||
1913 | and take appropriate action in that case. | ||
1914 | From Martin Forssen, maf at appgate dot com | ||
1915 | - andreas@cvs.openbsd.org 2009/10/24 11:19:17 | ||
1916 | [ssh2.h] | ||
1917 | Define the KEX messages used when resuming a suspended connection. | ||
1918 | ok markus@ | ||
1919 | - andreas@cvs.openbsd.org 2009/10/24 11:22:37 | ||
1920 | [roaming_common.c] | ||
1921 | Do the actual suspend/resume in the client. This won't be useful until | ||
1922 | the server side supports roaming. | ||
1923 | Most code from Martin Forssen, maf at appgate dot com. Some changes by | ||
1924 | me and markus@ | ||
1925 | ok markus@ | ||
1926 | - andreas@cvs.openbsd.org 2009/10/24 11:23:42 | ||
1927 | [ssh.c] | ||
1928 | Request roaming to be enabled if UseRoaming is true and the server | ||
1929 | supports it. | ||
1930 | ok markus@ | ||
1931 | - reyk@cvs.openbsd.org 2009/10/28 16:38:18 | ||
1932 | [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c | ||
1933 | channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 | ||
1934 | sftp.1 sshd_config.5 readconf.c ssh.c misc.c] | ||
1935 | Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. | ||
1936 | ok markus@ | ||
1937 | - jmc@cvs.openbsd.org 2009/10/28 21:45:08 | ||
1938 | [sshd_config.5 sftp.1] | ||
1939 | tweak previous; | ||
1940 | - djm@cvs.openbsd.org 2009/11/10 02:56:22 | ||
1941 | [ssh_config.5] | ||
1942 | explain the constraints on LocalCommand some more so people don't | ||
1943 | try to abuse it. | ||
1944 | - djm@cvs.openbsd.org 2009/11/10 02:58:56 | ||
1945 | [sshd_config.5] | ||
1946 | clarify that StrictModes does not apply to ChrootDirectory. Permissions | ||
1947 | and ownership are always checked when chrooting. bz#1532 | ||
1948 | - dtucker@cvs.openbsd.org 2009/11/10 04:30:45 | ||
1949 | [sshconnect2.c channels.c sshconnect.c] | ||
1950 | Set close-on-exec on various descriptors so they don't get leaked to | ||
1951 | child processes. bz #1643, patch from jchadima at redhat, ok deraadt. | ||
1952 | - markus@cvs.openbsd.org 2009/11/11 21:37:03 | ||
1953 | [channels.c channels.h] | ||
1954 | fix race condition in x11/agent channel allocation: don't read after | ||
1955 | the end of the select read/write fdset and make sure a reused FD | ||
1956 | is not touched before the pre-handlers are called. | ||
1957 | with and ok djm@ | ||
1958 | - djm@cvs.openbsd.org 2009/11/17 05:31:44 | ||
1959 | [clientloop.c] | ||
1960 | fix incorrect exit status when multiplexing and channel ID 0 is recycled | ||
1961 | bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker | ||
1962 | - djm@cvs.openbsd.org 2009/11/19 23:39:50 | ||
1963 | [session.c] | ||
1964 | bz#1606: error when an attempt is made to connect to a server | ||
1965 | with ForceCommand=internal-sftp with a shell session (i.e. not a | ||
1966 | subsystem session). Avoids stuck client when attempting to ssh to such a | ||
1967 | service. ok dtucker@ | ||
1968 | - dtucker@cvs.openbsd.org 2009/11/20 00:15:41 | ||
1969 | [session.c] | ||
1970 | Warn but do not fail if stat()ing the subsystem binary fails. This helps | ||
1971 | with chrootdirectory+forcecommand=sftp-server and restricted shells. | ||
1972 | bz #1599, ok djm. | ||
1973 | - djm@cvs.openbsd.org 2009/11/20 00:54:01 | ||
1974 | [sftp.c] | ||
1975 | bz#1588 change "Connecting to host..." message to "Connected to host." | ||
1976 | and delay it until after the sftp protocol connection has been established. | ||
1977 | Avoids confusing sequence of messages when the underlying ssh connection | ||
1978 | experiences problems. ok dtucker@ | ||
1979 | - dtucker@cvs.openbsd.org 2009/11/20 00:59:36 | ||
1980 | [sshconnect2.c] | ||
1981 | Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@ | ||
1982 | - djm@cvs.openbsd.org 2009/11/20 03:24:07 | ||
1983 | [misc.c] | ||
1984 | correct off-by-one in percent_expand(): we would fatal() when trying | ||
1985 | to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually | ||
1986 | work. Note that nothing in OpenSSH actually uses close to this limit at | ||
1987 | present. bz#1607 from Jan.Pechanec AT Sun.COM | ||
1988 | - halex@cvs.openbsd.org 2009/11/22 13:18:00 | ||
1989 | [sftp.c] | ||
1990 | make passing of zero-length arguments to ssh safe by | ||
1991 | passing "-<switch>" "<value>" rather than "-<switch><value>" | ||
1992 | ok dtucker@, guenther@, djm@ | ||
1993 | - dtucker@cvs.openbsd.org 2009/12/06 23:41:15 | ||
1994 | [sshconnect2.c] | ||
1995 | zap unused variable and strlen; from Steve McClellan, ok djm | ||
1996 | - djm@cvs.openbsd.org 2009/12/06 23:53:45 | ||
1997 | [roaming_common.c] | ||
1998 | use socklen_t for getsockopt optlen parameter; reported by | ||
1999 | Steve.McClellan AT radisys.com, ok dtucker@ | ||
2000 | - dtucker@cvs.openbsd.org 2009/12/06 23:53:54 | ||
2001 | [sftp.c] | ||
2002 | fix potential divide-by-zero in sftp's "df" output when talking to a server | ||
2003 | that reports zero files on the filesystem (Unix filesystems always have at | ||
2004 | least the root inode). From Steve McClellan at radisys, ok djm@ | ||
2005 | - markus@cvs.openbsd.org 2009/12/11 18:16:33 | ||
2006 | [key.c] | ||
2007 | switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537 | ||
2008 | for the RSA public exponent; discussed with provos; ok djm@ | ||
2009 | - guenther@cvs.openbsd.org 2009/12/20 07:28:36 | ||
2010 | [ssh.c sftp.c scp.c] | ||
2011 | When passing user-controlled options with arguments to other programs, | ||
2012 | pass the option and option argument as separate argv entries and | ||
2013 | not smashed into one (e.g., as -l foo and not -lfoo). Also, always | ||
2014 | pass a "--" argument to stop option parsing, so that a positional | ||
2015 | argument that starts with a '-' isn't treated as an option. This | ||
2016 | fixes some error cases as well as the handling of hostnames and | ||
2017 | filenames that start with a '-'. | ||
2018 | Based on a diff by halex@ | ||
2019 | ok halex@ djm@ deraadt@ | ||
2020 | - djm@cvs.openbsd.org 2009/12/20 23:20:40 | ||
2021 | [PROTOCOL] | ||
2022 | fix an incorrect magic number and typo in PROTOCOL; bz#1688 | ||
2023 | report and fix from ueno AT unixuser.org | ||
2024 | - stevesk@cvs.openbsd.org 2009/12/25 19:40:21 | ||
2025 | [readconf.c servconf.c misc.h ssh-keyscan.c misc.c] | ||
2026 | validate routing domain is in range 0-RT_TABLEID_MAX. | ||
2027 | 'Looks right' deraadt@ | ||
2028 | - stevesk@cvs.openbsd.org 2009/12/29 16:38:41 | ||
2029 | [sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1] | ||
2030 | Rename RDomain config option to RoutingDomain to be more clear and | ||
2031 | consistent with other options. | ||
2032 | NOTE: if you currently use RDomain in the ssh client or server config, | ||
2033 | or ssh/sshd -o, you must update to use RoutingDomain. | ||
2034 | ok markus@ djm@ | ||
2035 | - jmc@cvs.openbsd.org 2009/12/29 18:03:32 | ||
2036 | [sshd_config.5 ssh_config.5] | ||
2037 | sort previous; | ||
2038 | - dtucker@cvs.openbsd.org 2010/01/04 01:45:30 | ||
2039 | [sshconnect2.c] | ||
2040 | Don't escape backslashes in the SSH2 banner. bz#1533, patch from | ||
2041 | Michal Gorny via Gentoo. | ||
2042 | - djm@cvs.openbsd.org 2010/01/04 02:03:57 | ||
2043 | [sftp.c] | ||
2044 | Implement tab-completion of commands, local and remote filenames for sftp. | ||
2045 | Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009 | ||
2046 | Google Summer of Code) and polished to a fine sheen by myself again. | ||
2047 | It should deal more-or-less correctly with the ikky corner-cases presented | ||
2048 | by quoted filenames, but the UI could still be slightly improved. | ||
2049 | In particular, it is quite slow for remote completion on large directories. | ||
2050 | bz#200; ok markus@ | ||
2051 | - djm@cvs.openbsd.org 2010/01/04 02:25:15 | ||
2052 | [sftp-server.c] | ||
2053 | bz#1566 don't unnecessarily dup() in and out fds for sftp-server; | ||
2054 | ok markus@ | ||
2055 | - dtucker@cvs.openbsd.org 2010/01/08 21:50:49 | ||
2056 | [sftp.c] | ||
2057 | Fix two warnings: possibly used unitialized and use a nul byte instead of | ||
2058 | NULL pointer. ok djm@ | ||
2059 | - (dtucker) [Makefile.in added roaming_client.c roaming_serv.c] Import new | ||
2060 | files for roaming and add to Makefile. | ||
2061 | - (dtucker) [Makefile.in] .c files do not belong in the OBJ lines. | ||
2062 | - (dtucker) [sftp.c] ifdef out the sftp completion bits for platforms that | ||
2063 | don't have libedit. | ||
2064 | - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] Make | ||
2065 | RoutingDomain an unsupported option on platforms that don't have it. | ||
2066 | - (dtucker) [sftp.c] Expand ifdef for libedit to cover complete_is_remote | ||
2067 | too. | ||
2068 | - (dtucker) [misc.c] Move the routingdomain ifdef to allow the socket to | ||
2069 | be created. | ||
2070 | - (dtucker] [misc.c] Shrink the area covered by USE_ROUTINGDOMAIN more | ||
2071 | to eliminate an unused variable warning. | ||
2072 | - (dtucker) [roaming_serv.c] Include includes.h for u_intXX_t types. | ||
2073 | |||
2074 | 20091226 | ||
2075 | - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1 | ||
2076 | Gzip all man pages. Patch from Corinna Vinschen. | ||
2077 | |||
2078 | 20091221 | ||
2079 | - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}] | ||
2080 | Bug #1583: Use system's kerberos principal name on AIX if it's available. | ||
2081 | Based on a patch from and tested by Miguel Sanders | ||
2082 | |||
2083 | 20091208 | ||
2084 | - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux, | ||
2085 | based on a patch from Vaclav Ovsik and Colin Watson. ok djm. | ||
2086 | |||
2087 | 20091207 | ||
2088 | - (dtucker) Bug #1160: use pkg-config for opensc config if it's available. | ||
2089 | Tested by Martin Paljak. | ||
2090 | - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass. | ||
2091 | |||
2092 | 20091121 | ||
2093 | - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it. | ||
2094 | Bug 1628. OK dtucker@ | ||
2095 | |||
2096 | 20091120 | ||
2097 | - (djm) [ssh-rand-helper.c] Print error and usage() when passed command- | ||
2098 | line arguments as none are supported. Exit when passed unrecognised | ||
2099 | commandline flags. bz#1568 from gson AT araneus.fi | ||
2100 | |||
2101 | 20091118 | ||
2102 | - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to | ||
2103 | set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify | ||
2104 | setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only() | ||
2105 | bz#1648, report and fix from jan.kratochvil AT redhat.com | ||
2106 | - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal. | ||
2107 | bz#1645, patch from jchadima AT redhat.com | ||
2108 | |||
2109 | 20091107 | ||
2110 | - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private | ||
2111 | keys when built with OpenSSL versions that don't do AES. | ||
2112 | |||
2113 | 20091105 | ||
2114 | - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with | ||
2115 | older versions of OpenSSL. | ||
2116 | |||
2117 | 20091024 | ||
2118 | - (dtucker) OpenBSD CVS Sync | ||
2119 | - djm@cvs.openbsd.org 2009/10/11 23:03:15 | ||
2120 | [hostfile.c] | ||
2121 | mention the host name that we are looking for in check_host_in_hostfile() | ||
2122 | - sobrado@cvs.openbsd.org 2009/10/17 12:10:39 | ||
2123 | [sftp-server.c] | ||
2124 | sort flags. | ||
2125 | - sobrado@cvs.openbsd.org 2009/10/22 12:35:53 | ||
2126 | [ssh.1 ssh-agent.1 ssh-add.1] | ||
2127 | use the UNIX-related macros (.At and .Ux) where appropriate. | ||
2128 | ok jmc@ | ||
2129 | - sobrado@cvs.openbsd.org 2009/10/22 15:02:12 | ||
2130 | [ssh-agent.1 ssh-add.1 ssh.1] | ||
2131 | write UNIX-domain in a more consistent way; while here, replace a | ||
2132 | few remaining ".Tn UNIX" macros with ".Ux" ones. | ||
2133 | pointed out by ratchov@, thanks! | ||
2134 | ok jmc@ | ||
2135 | - djm@cvs.openbsd.org 2009/10/22 22:26:13 | ||
2136 | [authfile.c] | ||
2137 | switch from 3DES to AES-128 for encryption of passphrase-protected | ||
2138 | SSH protocol 2 private keys; ok several | ||
2139 | - djm@cvs.openbsd.org 2009/10/23 01:57:11 | ||
2140 | [sshconnect2.c] | ||
2141 | disallow a hostile server from checking jpake auth by sending an | ||
2142 | out-of-sequence success message. (doesn't affect code enabled by default) | ||
2143 | - dtucker@cvs.openbsd.org 2009/10/24 00:48:34 | ||
2144 | [ssh-keygen.1] | ||
2145 | ssh-keygen now uses AES-128 for private keys | ||
2146 | - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro. | ||
2147 | - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux | ||
2148 | is enabled set the security context to "sftpd_t" before running the | ||
2149 | internal sftp server Based on a patch from jchadima at redhat. | ||
2150 | |||
2151 | 20091011 | ||
2152 | - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for | ||
2153 | dirent d_type and DTTOIF as we've switched OpenBSD to the more portable | ||
2154 | lstat. | ||
2155 | - (dtucker) OpenBSD CVS Sync | ||
2156 | - markus@cvs.openbsd.org 2009/10/08 14:03:41 | ||
2157 | [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] | ||
2158 | disable protocol 1 by default (after a transition period of about 10 years) | ||
2159 | ok deraadt | ||
2160 | - jmc@cvs.openbsd.org 2009/10/08 20:42:12 | ||
2161 | [sshd_config.5 ssh_config.5 sshd.8 ssh.1] | ||
2162 | some tweaks now that protocol 1 is not offered by default; ok markus | ||
2163 | - dtucker@cvs.openbsd.org 2009/10/11 10:41:26 | ||
2164 | [sftp-client.c] | ||
2165 | d_type isn't portable so use lstat to get dirent modes. Suggested by and | ||
2166 | "looks sane" deraadt@ | ||
2167 | - markus@cvs.openbsd.org 2009/10/08 18:04:27 | ||
2168 | [regress/test-exec.sh] | ||
2169 | re-enable protocol v1 for the tests. | ||
2170 | |||
2171 | 20091007 | ||
2172 | - (dtucker) OpenBSD CVS Sync | ||
2173 | - djm@cvs.openbsd.org 2009/08/12 00:13:00 | ||
2174 | [sftp.c sftp.1] | ||
2175 | support most of scp(1)'s commandline arguments in sftp(1), as a first | ||
2176 | step towards making sftp(1) a drop-in replacement for scp(1). | ||
2177 | One conflicting option (-P) has not been changed, pending further | ||
2178 | discussion. | ||
2179 | Patch from carlosvsilvapt@gmail.com as part of his work in the | ||
2180 | Google Summer of Code | ||
2181 | - jmc@cvs.openbsd.org 2009/08/12 06:31:42 | ||
2182 | [sftp.1] | ||
2183 | sort options; | ||
2184 | - djm@cvs.openbsd.org 2009/08/13 01:11:19 | ||
2185 | [sftp.1 sftp.c] | ||
2186 | Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path", | ||
2187 | add "-P port" to match scp(1). Fortunately, the -P option is only really | ||
2188 | used by our regression scripts. | ||
2189 | part of larger patch from carlosvsilvapt@gmail.com for his Google Summer | ||
2190 | of Code work; ok deraadt markus | ||
2191 | - jmc@cvs.openbsd.org 2009/08/13 13:39:54 | ||
2192 | [sftp.1 sftp.c] | ||
2193 | sync synopsis and usage(); | ||
2194 | - djm@cvs.openbsd.org 2009/08/14 18:17:49 | ||
2195 | [sftp-client.c] | ||
2196 | make the "get_handle: ..." error messages vaguely useful by allowing | ||
2197 | callers to specify their own error message strings. | ||
2198 | - fgsch@cvs.openbsd.org 2009/08/15 18:56:34 | ||
2199 | [auth.h] | ||
2200 | remove unused define. markus@ ok. | ||
2201 | (Id sync only, Portable still uses this.) | ||
2202 | - dtucker@cvs.openbsd.org 2009/08/16 23:29:26 | ||
2203 | [sshd_config.5] | ||
2204 | Add PubkeyAuthentication to the list allowed in a Match block (bz #1577) | ||
2205 | - djm@cvs.openbsd.org 2009/08/18 18:36:21 | ||
2206 | [sftp-client.h sftp.1 sftp-client.c sftp.c] | ||
2207 | recursive transfer support for get/put and on the commandline | ||
2208 | work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code | ||
2209 | with some tweaks by me; "go for it" deraadt@ | ||
2210 | - djm@cvs.openbsd.org 2009/08/18 21:15:59 | ||
2211 | [sftp.1] | ||
2212 | fix "get" command usage, spotted by jmc@ | ||
2213 | - jmc@cvs.openbsd.org 2009/08/19 04:56:03 | ||
2214 | [sftp.1] | ||
2215 | ether -> either; | ||
2216 | - dtucker@cvs.openbsd.org 2009/08/20 23:54:28 | ||
2217 | [mux.c] | ||
2218 | subsystem_flag is defined in ssh.c so it's extern; ok djm | ||
2219 | - djm@cvs.openbsd.org 2009/08/27 17:28:52 | ||
2220 | [sftp-server.c] | ||
2221 | allow setting an explicit umask on the commandline to override whatever | ||
2222 | default the user has. bz#1229; ok dtucker@ deraadt@ markus@ | ||
2223 | - djm@cvs.openbsd.org 2009/08/27 17:33:49 | ||
2224 | [ssh-keygen.c] | ||
2225 | force use of correct hash function for random-art signature display | ||
2226 | as it was inheriting the wrong one when bubblebabble signatures were | ||
2227 | activated; bz#1611 report and patch from fwojcik+openssh AT besh.com; | ||
2228 | ok markus@ | ||
2229 | - djm@cvs.openbsd.org 2009/08/27 17:43:00 | ||
2230 | [sftp-server.8] | ||
2231 | allow setting an explicit umask on the commandline to override whatever | ||
2232 | default the user has. bz#1229; ok dtucker@ deraadt@ markus@ | ||
2233 | - djm@cvs.openbsd.org 2009/08/27 17:44:52 | ||
2234 | [authfd.c ssh-add.c authfd.h] | ||
2235 | Do not fall back to adding keys without contraints (ssh-add -c / -t ...) | ||
2236 | when the agent refuses the constrained add request. This was a useful | ||
2237 | migration measure back in 2002 when constraints were new, but just | ||
2238 | adds risk now. | ||
2239 | bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@ | ||
2240 | - djm@cvs.openbsd.org 2009/08/31 20:56:02 | ||
2241 | [sftp-server.c] | ||
2242 | check correct variable for error message, spotted by martynas@ | ||
2243 | - djm@cvs.openbsd.org 2009/08/31 21:01:29 | ||
2244 | [sftp-server.8] | ||
2245 | document -e and -h; prodded by jmc@ | ||
2246 | - djm@cvs.openbsd.org 2009/09/01 14:43:17 | ||
2247 | [ssh-agent.c] | ||
2248 | fix a race condition in ssh-agent that could result in a wedged or | ||
2249 | spinning agent: don't read off the end of the allocated fd_sets, and | ||
2250 | don't issue blocking read/write on agent sockets - just fall back to | ||
2251 | select() on retriable read/write errors. bz#1633 reported and tested | ||
2252 | by "noodle10000 AT googlemail.com"; ok dtucker@ markus@ | ||
2253 | - grunk@cvs.openbsd.org 2009/10/01 11:37:33 | ||
2254 | [dh.c] | ||
2255 | fix a cast | ||
2256 | ok djm@ markus@ | ||
2257 | - djm@cvs.openbsd.org 2009/10/06 04:46:40 | ||
2258 | [session.c] | ||
2259 | bz#1596: fflush(NULL) before exec() to ensure that everying (motd | ||
2260 | in particular) has made it out before the streams go away. | ||
2261 | - djm@cvs.openbsd.org 2008/12/07 22:17:48 | ||
2262 | [regress/addrmatch.sh] | ||
2263 | match string "passwordauthentication" only at start of line, not anywhere | ||
2264 | in sshd -T output | ||
2265 | - dtucker@cvs.openbsd.org 2009/05/05 07:51:36 | ||
2266 | [regress/multiplex.sh] | ||
2267 | Always specify ssh_config for multiplex tests: prevents breakage caused | ||
2268 | by options in ~/.ssh/config. From Dan Peterson. | ||
2269 | - djm@cvs.openbsd.org 2009/08/13 00:57:17 | ||
2270 | [regress/Makefile] | ||
2271 | regression test for port number parsing. written as part of the a2port | ||
2272 | change that went into 5.2 but I forgot to commit it at the time... | ||
2273 | - djm@cvs.openbsd.org 2009/08/13 01:11:55 | ||
2274 | [regress/sftp-batch.sh regress/sftp-badcmds.sh regress/sftp.sh | ||
2275 | regress/sftp-cmds.sh regres/sftp-glob.sh] | ||
2276 | date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7 | ||
2277 | Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path", | ||
2278 | add "-P port" to match scp(1). Fortunately, the -P option is only really | ||
2279 | used by our regression scripts. | ||
2280 | part of larger patch from carlosvsilvapt@gmail.com for his Google Summer | ||
2281 | of Code work; ok deraadt markus | ||
2282 | - djm@cvs.openbsd.org 2009/08/20 18:43:07 | ||
2283 | [regress/ssh-com-sftp.sh] | ||
2284 | fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos | ||
2285 | Silva for Google Summer of Code | ||
2286 | - dtucker@cvs.openbsd.org 2009/10/06 23:51:49 | ||
2287 | [regress/ssh2putty.sh] | ||
2288 | Add OpenBSD tag to make syncs easier | ||
2289 | - (dtucker) [regress/portnum.sh] Import new test. | ||
2290 | - (dtucker) [configure.ac sftp-client.c] DTOTIF is in fs/ffs/dir.h on at | ||
2291 | least dragonflybsd. | ||
2292 | - (dtucker) d_type is not mandated by POSIX, so add fallback code using | ||
2293 | stat(), needed on at least cygwin. | ||
2294 | |||
2295 | 20091002 | ||
2296 | - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps. | ||
2297 | spotted by des AT des.no | ||
2298 | |||
2299 | 20090926 | ||
2300 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
2301 | [contrib/suse/openssh.spec] Update for release | ||
2302 | - (djm) [README] update relnotes URL | ||
2303 | - (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere | ||
2304 | - (djm) Release 5.3p1 | ||
2305 | |||
2306 | 20090911 | ||
2307 | - (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X | ||
2308 | 10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch | ||
2309 | from jbasney at ncsa uiuc edu. | ||
2310 | |||
2311 | 20090908 | ||
2312 | - (djm) [serverloop.c] Fix test for server-assigned remote forwarding port | ||
2313 | (-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@ | ||
2314 | |||
2315 | 20090901 | ||
2316 | - (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for | ||
2317 | krb5-config if it's not in the location specified by --with-kerberos5. | ||
2318 | Patch from jchadima at redhat. | ||
2319 | |||
2320 | 20090829 | ||
2321 | - (dtucker) [README.platform] Add text about development packages, based on | ||
2322 | text from Chris Pepper in bug #1631. | ||
2323 | |||
2324 | 20090828 | ||
2325 | - dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently | ||
2326 | causes problems in some Tru64 configurations. | ||
2327 | - (djm) [sshd_config.5] downgrade mention of login.conf to be an example | ||
2328 | and mention PAM as another provider for ChallengeResponseAuthentication; | ||
2329 | bz#1408; ok dtucker@ | ||
2330 | - (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when | ||
2331 | attempting atomic rename(); ok dtucker@ | ||
2332 | - (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables | ||
2333 | in argv, so pass them in the environment; ok dtucker@ | ||
2334 | - (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on | ||
2335 | the pty master on Solaris, since it never succeeds and can hang if large | ||
2336 | amounts of data is sent to the slave (eg a copy-paste). Based on a patch | ||
2337 | originally from Doke Scott, ok djm@ | ||
2338 | - (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer | ||
2339 | size a compile-time option and set it to 64k on Cygwin, since Corinna | ||
2340 | reports that it makes a significant difference to performance. ok djm@ | ||
2341 | - (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry. | ||
2342 | |||
2343 | 20090820 | ||
2344 | - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not | ||
2345 | using it since the type conflicts can cause problems on FreeBSD. Patch | ||
2346 | from Jonathan Chen. | ||
2347 | - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move | ||
2348 | the setpcred call on AIX to immediately before the permanently_set_uid(). | ||
2349 | Ensures that we still have privileges when we call chroot and | ||
2350 | pam_open_sesson. Based on a patch from David Leonard. | ||
2351 | |||
2352 | 20090817 | ||
2353 | - (dtucker) [configure.ac] Check for headers before libraries for openssl an | ||
2354 | zlib, which should make the errors slightly more meaningful on platforms | ||
2355 | where there's separate "-devel" packages for those. | ||
2356 | - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make | ||
2357 | PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders. | ||
2358 | |||
2359 | 20090729 | ||
2360 | - (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error | ||
2361 | function. Patch from Corinna Vinschen. | ||
2362 | |||
2363 | 20090713 | ||
2364 | - (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it | ||
2365 | fits into 16 bits to work around a bug in glibc's resolver where it masks | ||
2366 | off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob. | ||
2367 | |||
2368 | 20090712 | ||
2369 | - (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test, | ||
2370 | prevents configure complaining on older BSDs. | ||
2371 | - (dtucker [contrib/cygwin/ssh-{host,user}-config] Add license text. Patch | ||
2372 | from Corinna Vinschen. | ||
2373 | - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on | ||
2374 | logout to after the session close. Patch from Anicka Bernathova, | ||
2375 | originally from Andreas Schwab via Novelll ok djm. | ||
2376 | |||
2377 | 20090707 | ||
2378 | - (dtucker) [contrib/cygwin/ssh-host-config] better support for automated | ||
2379 | scripts and fix usage of eval. Patch from Corinna Vinschen. | ||
2380 | |||
2381 | 20090705 | ||
2382 | - (dtucker) OpenBSD CVS Sync | ||
2383 | - andreas@cvs.openbsd.org 2009/06/27 09:29:06 | ||
2384 | [packet.h packet.c] | ||
2385 | packet_bacup_state() and packet_restore_state() will be used to | ||
2386 | temporarily save the current state ren resuming a suspended connection. | ||
2387 | ok markus@ | ||
2388 | - andreas@cvs.openbsd.org 2009/06/27 09:32:43 | ||
2389 | [roaming_common.c roaming.h] | ||
2390 | It may be necessary to retransmit some data when resuming, so add it | ||
2391 | to a buffer when roaming is enabled. | ||
2392 | Most of this code was written by Martin Forssen, maf at appgate dot com. | ||
2393 | ok markus@ | ||
2394 | - andreas@cvs.openbsd.org 2009/06/27 09:35:06 | ||
2395 | [readconf.h readconf.c] | ||
2396 | Add client option UseRoaming. It doesn't do anything yet but will | ||
2397 | control whether the client tries to use roaming if enabled on the | ||
2398 | server. From Martin Forssen. | ||
2399 | ok markus@ | ||
2400 | - markus@cvs.openbsd.org 2009/06/30 14:54:40 | ||
2401 | [version.h] | ||
2402 | crank version; ok deraadt | ||
2403 | - dtucker@cvs.openbsd.org 2009/07/02 02:11:47 | ||
2404 | [ssh.c] | ||
2405 | allow for long home dir paths (bz #1615). ok deraadt | ||
2406 | (based in part on a patch from jchadima at redhat) | ||
2407 | - stevesk@cvs.openbsd.org 2009/07/05 19:28:33 | ||
2408 | [clientloop.c] | ||
2409 | only send SSH2_MSG_DISCONNECT if we're in compat20; from dtucker@ | ||
2410 | ok deraadt@ markus@ | ||
2411 | |||
2412 | 20090622 | ||
2413 | - (dtucker) OpenBSD CVS Sync | ||
2414 | - dtucker@cvs.openbsd.org 2009/06/22 05:39:28 | ||
2415 | [monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c] | ||
2416 | alphabetize includes; reduces diff vs portable and style(9). | ||
2417 | ok stevesk djm | ||
2418 | (Id sync only; these were already in order in -portable) | ||
2419 | |||
2420 | 20090621 | ||
2421 | - (dtucker) OpenBSD CVS Sync | ||
2422 | - markus@cvs.openbsd.org 2009/03/17 21:37:00 | ||
2423 | [ssh.c] | ||
2424 | pass correct argv[0] to openlog(); ok djm@ | ||
2425 | - jmc@cvs.openbsd.org 2009/03/19 15:15:09 | ||
2426 | [ssh.1] | ||
2427 | for "Ciphers", just point the reader to the keyword in ssh_config(5), just | ||
2428 | as we do for "MACs": this stops us getting out of sync when the lists | ||
2429 | change; | ||
2430 | fixes documentation/6102, submitted by Peter J. Philipp | ||
2431 | alternative fix proposed by djm | ||
2432 | ok markus | ||
2433 | - tobias@cvs.openbsd.org 2009/03/23 08:31:19 | ||
2434 | [ssh-agent.c] | ||
2435 | Fixed a possible out-of-bounds memory access if the environment variable | ||
2436 | SHELL is shorter than 3 characters. | ||
2437 | with input by and ok dtucker | ||
2438 | - tobias@cvs.openbsd.org 2009/03/23 19:38:04 | ||
2439 | [ssh-agent.c] | ||
2440 | My previous commit didn't fix the problem at all, so stick at my first | ||
2441 | version of the fix presented to dtucker. | ||
2442 | Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de). | ||
2443 | ok dtucker | ||
2444 | - sobrado@cvs.openbsd.org 2009/03/26 08:38:39 | ||
2445 | [sftp-server.8 sshd.8 ssh-agent.1] | ||
2446 | fix a few typographical errors found by spell(1). | ||
2447 | ok dtucker@, jmc@ | ||
2448 | - stevesk@cvs.openbsd.org 2009/04/13 19:07:44 | ||
2449 | [sshd_config.5] | ||
2450 | fix possessive; ok djm@ | ||
2451 | - stevesk@cvs.openbsd.org 2009/04/14 16:33:42 | ||
2452 | [sftp-server.c] | ||
2453 | remove unused option character from getopt() optstring; ok markus@ | ||
2454 | - jj@cvs.openbsd.org 2009/04/14 21:10:54 | ||
2455 | [servconf.c] | ||
2456 | Fixed a few the-the misspellings in comments. Skipped a bunch in | ||
2457 | binutils,gcc and so on. ok jmc@ | ||
2458 | - stevesk@cvs.openbsd.org 2009/04/17 19:23:06 | ||
2459 | [session.c] | ||
2460 | use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server; | ||
2461 | ok djm@ markus@ | ||
2462 | - stevesk@cvs.openbsd.org 2009/04/17 19:40:17 | ||
2463 | [sshd_config.5] | ||
2464 | clarify that even internal-sftp needs /dev/log for logging to work; ok | ||
2465 | markus@ | ||
2466 | - jmc@cvs.openbsd.org 2009/04/18 18:39:10 | ||
2467 | [sshd_config.5] | ||
2468 | tweak previous; ok stevesk | ||
2469 | - stevesk@cvs.openbsd.org 2009/04/21 15:13:17 | ||
2470 | [sshd_config.5] | ||
2471 | clarify we cd to user's home after chroot; ok markus@ on | ||
2472 | earlier version; tweaks and ok jmc@ | ||
2473 | - andreas@cvs.openbsd.org 2009/05/25 06:48:01 | ||
2474 | [channels.c packet.c clientloop.c packet.h serverloop.c monitor_wrap.c | ||
2475 | monitor.c] | ||
2476 | Put the globals in packet.c into a struct and don't access it directly | ||
2477 | from other files. No functional changes. | ||
2478 | ok markus@ djm@ | ||
2479 | - andreas@cvs.openbsd.org 2009/05/27 06:31:25 | ||
2480 | [canohost.h canohost.c] | ||
2481 | Add clear_cached_addr(), needed for upcoming changes allowing the peer | ||
2482 | address to change. | ||
2483 | ok markus@ | ||
2484 | - andreas@cvs.openbsd.org 2009/05/27 06:33:39 | ||
2485 | [clientloop.c] | ||
2486 | Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger | ||
2487 | change from Martin Forssen, maf at appgate dot com. | ||
2488 | ok markus@ | ||
2489 | - andreas@cvs.openbsd.org 2009/05/27 06:34:36 | ||
2490 | [kex.c kex.h] | ||
2491 | Move the KEX_COOKIE_LEN define to kex.h | ||
2492 | ok markus@ | ||
2493 | - andreas@cvs.openbsd.org 2009/05/27 06:36:07 | ||
2494 | [packet.h packet.c] | ||
2495 | Add packet_put_int64() and packet_get_int64(), part of a larger change | ||
2496 | from Martin Forssen. | ||
2497 | ok markus@ | ||
2498 | - andreas@cvs.openbsd.org 2009/05/27 06:38:16 | ||
2499 | [sshconnect.h sshconnect.c] | ||
2500 | Un-static ssh_exchange_identification(), part of a larger change from | ||
2501 | Martin Forssen and needed for upcoming changes. | ||
2502 | ok markus@ | ||
2503 | - andreas@cvs.openbsd.org 2009/05/28 16:50:16 | ||
2504 | [sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c | ||
2505 | monitor.c Added roaming.h roaming_common.c roaming_dummy.c] | ||
2506 | Keep track of number of bytes read and written. Needed for upcoming | ||
2507 | changes. Most code from Martin Forssen, maf at appgate dot com. | ||
2508 | ok markus@ | ||
2509 | Also, applied appropriate changes to Makefile.in | ||
2510 | - andreas@cvs.openbsd.org 2009/06/12 20:43:22 | ||
2511 | [monitor.c packet.c] | ||
2512 | Fix warnings found by chl@ and djm@ and change roaming_atomicio's | ||
2513 | return type to match atomicio's | ||
2514 | Diff from djm@, ok markus@ | ||
2515 | - andreas@cvs.openbsd.org 2009/06/12 20:58:32 | ||
2516 | [packet.c] | ||
2517 | Move some more statics into session_state | ||
2518 | ok markus@ djm@ | ||
2519 | - dtucker@cvs.openbsd.org 2009/06/21 07:37:15 | ||
2520 | [kexdhs.c kexgexs.c] | ||
2521 | abort if key_sign fails, preventing possible null deref. Based on report | ||
2522 | from Paolo Ganci, ok markus@ djm@ | ||
2523 | - dtucker@cvs.openbsd.org 2009/06/21 09:04:03 | ||
2524 | [roaming.h roaming_common.c roaming_dummy.c] | ||
2525 | Add tags for the benefit of the sync scripts | ||
2526 | Also: pull in the changes for 1.1->1.2 missed in the previous sync. | ||
2527 | - (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and | ||
2528 | header-order changes to reduce diff vs OpenBSD. | ||
2529 | - (dtucker) [servconf.c sshd.c] More whitespace sync. | ||
2530 | - (dtucker) [roaming_common.c roaming_dummy.c] Wrap #include <inttypes.h> in | ||
2531 | ifdef. | ||
2532 | |||
2533 | 20090616 | ||
2534 | - (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t | ||
2535 | is a struct with a __val member. Fixes build on, eg, Redhat 6.2. | ||
2536 | |||
2537 | 20090504 | ||
2538 | - (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include | ||
2539 | variable declarations. Should prevent unused warnings anywhere it's set | ||
2540 | (only Crays as far as I can tell) and be a no-op everywhere else. | ||
2541 | |||
2542 | 20090318 | ||
2543 | - (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem | ||
2544 | that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005. | ||
2545 | Based on patch from vinschen at redhat com. | ||
2546 | |||
2547 | 20090308 | ||
2548 | - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c | ||
2549 | auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} | ||
2550 | openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old | ||
2551 | version of Cygwin. Patch from vinschen at redhat com. | ||
2552 | |||
2553 | 20090307 | ||
2554 | - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it | ||
2555 | exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS | ||
2556 | has a /dev/random). | ||
2557 | - (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add | ||
2558 | EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c | ||
2559 | to use them. Allows building with older OpenSSL versions. | ||
2560 | - (dtucker) [configure.ac defines.h] Check for in_port_t and typedef if needed. | ||
2561 | - (dtucker) [configure.ac] Missing comma in type list. | ||
2562 | - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] | ||
2563 | EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg | ||
2564 | in openssl 0.9.6) so add an explicit test for it. | ||
2565 | |||
2566 | 20090306 | ||
2567 | - (djm) OpenBSD CVS Sync | ||
2568 | - djm@cvs.openbsd.org 2009/03/05 07:18:19 | ||
2569 | [auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c] | ||
2570 | [sshconnect2.c] | ||
2571 | refactor the (disabled) Schnorr proof code to make it a little more | ||
2572 | generally useful | ||
2573 | - djm@cvs.openbsd.org 2009/03/05 11:30:50 | ||
2574 | [uuencode.c] | ||
2575 | document what these functions do so I don't ever have to recuse into | ||
2576 | b64_pton/ntop to remember their return values | ||
2577 | |||
2578 | 20090223 | ||
2579 | - (djm) OpenBSD CVS Sync | ||
2580 | - djm@cvs.openbsd.org 2009/02/22 23:50:57 | ||
2581 | [ssh_config.5 sshd_config.5] | ||
2582 | don't advertise experimental options | ||
2583 | - djm@cvs.openbsd.org 2009/02/22 23:59:25 | ||
2584 | [sshd_config.5] | ||
2585 | missing period | ||
2586 | - djm@cvs.openbsd.org 2009/02/23 00:06:15 | ||
2587 | [version.h] | ||
2588 | openssh-5.2 | ||
2589 | - (djm) [README] update for 5.2 | ||
2590 | - (djm) Release openssh-5.2p1 | ||
2591 | |||
2592 | 20090222 | ||
2593 | - (djm) OpenBSD CVS Sync | ||
2594 | - tobias@cvs.openbsd.org 2009/02/21 19:32:04 | ||
2595 | [misc.c sftp-server-main.c ssh-keygen.c] | ||
2596 | Added missing newlines in error messages. | ||
2597 | ok dtucker | ||
2598 | |||
2599 | 20090221 | ||
2600 | - (djm) OpenBSD CVS Sync | ||
2601 | - djm@cvs.openbsd.org 2009/02/17 01:28:32 | ||
2602 | [ssh_config] | ||
2603 | sync with revised default ciphers; pointed out by dkrause@ | ||
2604 | - djm@cvs.openbsd.org 2009/02/18 04:31:21 | ||
2605 | [schnorr.c] | ||
2606 | signature should hash over the entire group, not just the generator | ||
2607 | (this is still disabled code) | ||
2608 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
2609 | [contrib/suse/openssh.spec] Prepare for 5.2p1 | ||
2610 | |||
2611 | 20090216 | ||
2612 | - (djm) [regress/conch-ciphers.sh regress/putty-ciphers.sh] | ||
2613 | [regress/putty-kex.sh regress/putty-transfer.sh] Downgrade disabled | ||
2614 | interop tests from FATAL error to a warning. Allows some interop | ||
2615 | tests to proceed if others are missing necessary prerequisites. | ||
2616 | - (djm) [configure.ac] support GNU/kFreeBSD and GNU/kOpensolaris | ||
2617 | systems; patch from Aurelien Jarno via rmh AT aybabtu.com | ||
2618 | |||
2619 | 20090214 | ||
2620 | - (djm) OpenBSD CVS Sync | ||
2621 | - dtucker@cvs.openbsd.org 2009/02/02 11:15:14 | ||
2622 | [sftp.c] | ||
2623 | Initialize a few variables to prevent spurious "may be used | ||
2624 | uninitialized" warnings from newer gcc's. ok djm@ | ||
2625 | - djm@cvs.openbsd.org 2009/02/12 03:00:56 | ||
2626 | [canohost.c canohost.h channels.c channels.h clientloop.c readconf.c] | ||
2627 | [readconf.h serverloop.c ssh.c] | ||
2628 | support remote port forwarding with a zero listen port (-R0:...) to | ||
2629 | dyamically allocate a listen port at runtime (this is actually | ||
2630 | specified in rfc4254); bz#1003 ok markus@ | ||
2631 | - djm@cvs.openbsd.org 2009/02/12 03:16:01 | ||
2632 | [serverloop.c] | ||
2633 | tighten check for -R0:... forwarding: only allow dynamic allocation | ||
2634 | if want_reply is set in the packet | ||
2635 | - djm@cvs.openbsd.org 2009/02/12 03:26:22 | ||
2636 | [monitor.c] | ||
2637 | some paranoia: check that the serialised key is really KEY_RSA before | ||
2638 | diddling its internals | ||
2639 | - djm@cvs.openbsd.org 2009/02/12 03:42:09 | ||
2640 | [ssh.1] | ||
2641 | document -R0:... usage | ||
2642 | - djm@cvs.openbsd.org 2009/02/12 03:44:25 | ||
2643 | [ssh.1] | ||
2644 | consistency: Dq => Ql | ||
2645 | - djm@cvs.openbsd.org 2009/02/12 03:46:17 | ||
2646 | [ssh_config.5] | ||
2647 | document RemoteForward usage with 0 listen port | ||
2648 | - jmc@cvs.openbsd.org 2009/02/12 07:34:20 | ||
2649 | [ssh_config.5] | ||
2650 | kill trailing whitespace; | ||
2651 | - markus@cvs.openbsd.org 2009/02/13 11:50:21 | ||
2652 | [packet.c] | ||
2653 | check for enc !=NULL in packet_start_discard | ||
2654 | - djm@cvs.openbsd.org 2009/02/14 06:35:49 | ||
2655 | [PROTOCOL] | ||
2656 | mention that eow and no-more-sessions extensions are sent only to | ||
2657 | OpenSSH peers | ||
2658 | |||
2659 | 20090212 | ||
2660 | - (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically | ||
2661 | set ownership and modes, so avoid explicitly setting them | ||
2662 | - (djm) [configure.ac loginrec.c] bz#1421: fix lastlog support for OSX. | ||
2663 | OSX provides a getlastlogxbyname function that automates the reading of | ||
2664 | a lastlog file. Also, the pututxline function will update lastlog so | ||
2665 | there is no need for loginrec.c to do it explicitly. Collapse some | ||
2666 | overly verbose code while I'm in there. | ||
2667 | |||
2668 | 20090201 | ||
2669 | - (dtucker) [defines.h sshconnect.c] INET6_ADDRSTRLEN is now needed in | ||
2670 | channels.c too, so move the definition for non-IP6 platforms to defines.h | ||
2671 | where it can be shared. | ||
2672 | |||
2673 | 20090129 | ||
2674 | - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. | ||
2675 | If the CYGWIN environment variable is empty, the installer script | ||
2676 | should not install the service with an empty CYGWIN variable, but | ||
2677 | rather without setting CYGWNI entirely. | ||
2678 | - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes. | ||
2679 | |||
2680 | 20090128 | ||
2681 | - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. | ||
2682 | Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. | ||
2683 | The information given for the setting of the CYGWIN environment variable | ||
2684 | is wrong for both releases so I just removed it, together with the | ||
2685 | unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. | ||
2686 | |||
2687 | 20081228 | ||
2688 | - (djm) OpenBSD CVS Sync | ||
2689 | - stevesk@cvs.openbsd.org 2008/12/09 03:20:42 | ||
2690 | [channels.c servconf.c] | ||
2691 | channel_print_adm_permitted_opens() should deal with all the printing | ||
2692 | for that config option. suggested by markus@; ok markus@ djm@ | ||
2693 | dtucker@ | ||
2694 | - djm@cvs.openbsd.org 2008/12/09 04:32:22 | ||
2695 | [auth2-chall.c] | ||
2696 | replace by-hand string building with xasprinf(); ok deraadt@ | ||
2697 | - sobrado@cvs.openbsd.org 2008/12/09 15:35:00 | ||
2698 | [sftp.1 sftp.c] | ||
2699 | update for the synopses displayed by the 'help' command, there are a | ||
2700 | few missing flags; add 'bye' to the output of 'help'; sorting and spacing. | ||
2701 | jmc@ suggested replacing .Oo/.Oc with a single .Op macro. | ||
2702 | ok jmc@ | ||
2703 | - stevesk@cvs.openbsd.org 2008/12/09 22:37:33 | ||
2704 | [clientloop.c] | ||
2705 | fix typo in error message | ||
2706 | - stevesk@cvs.openbsd.org 2008/12/10 03:55:20 | ||
2707 | [addrmatch.c] | ||
2708 | o cannot be NULL here but use xfree() to be consistent; ok djm@ | ||
2709 | - stevesk@cvs.openbsd.org 2008/12/29 01:12:36 | ||
2710 | [ssh-keyscan.1] | ||
2711 | fix example, default key type is rsa for 3+ years; from | ||
2712 | frederic.perrin@resel.fr | ||
2713 | - stevesk@cvs.openbsd.org 2008/12/29 02:23:26 | ||
2714 | [pathnames.h] | ||
2715 | no need to escape single quotes in comments | ||
2716 | - okan@cvs.openbsd.org 2008/12/30 00:46:56 | ||
2717 | [sshd_config.5] | ||
2718 | add AllowAgentForwarding to available Match keywords list | ||
2719 | ok djm | ||
2720 | - djm@cvs.openbsd.org 2009/01/01 21:14:35 | ||
2721 | [channels.c] | ||
2722 | call channel destroy callbacks on receipt of open failure messages. | ||
2723 | fixes client hangs when connecting to a server that has MaxSessions=0 | ||
2724 | set spotted by imorgan AT nas.nasa.gov; ok markus@ | ||
2725 | - djm@cvs.openbsd.org 2009/01/01 21:17:36 | ||
2726 | [kexgexs.c] | ||
2727 | fix hash calculation for KEXGEX: hash over the original client-supplied | ||
2728 | values and not the sanity checked versions that we acutally use; | ||
2729 | bz#1540 reported by john.smith AT arrows.demon.co.uk | ||
2730 | ok markus@ | ||
2731 | - djm@cvs.openbsd.org 2009/01/14 01:38:06 | ||
2732 | [channels.c] | ||
2733 | support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482; | ||
2734 | "looks ok" markus@ | ||
2735 | - stevesk@cvs.openbsd.org 2009/01/15 17:38:43 | ||
2736 | [readconf.c] | ||
2737 | 1) use obsolete instead of alias for consistency | ||
2738 | 2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is | ||
2739 | so move the comment. | ||
2740 | 3) reorder so like options are together | ||
2741 | ok djm@ | ||
2742 | - djm@cvs.openbsd.org 2009/01/22 09:46:01 | ||
2743 | [channels.c channels.h session.c] | ||
2744 | make Channel->path an allocated string, saving a few bytes here and | ||
2745 | there and fixing bz#1380 in the process; ok markus@ | ||
2746 | - djm@cvs.openbsd.org 2009/01/22 09:49:57 | ||
2747 | [channels.c] | ||
2748 | oops! I committed the wrong version of the Channel->path diff, | ||
2749 | it was missing some tweaks suggested by stevesk@ | ||
2750 | - djm@cvs.openbsd.org 2009/01/22 10:02:34 | ||
2751 | [clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h] | ||
2752 | [serverloop.c ssh-keyscan.c ssh.c sshd.c] | ||
2753 | make a2port() return -1 when it encounters an invalid port number | ||
2754 | rather than 0, which it will now treat as valid (needed for future work) | ||
2755 | adjust current consumers of a2port() to check its return value is <= 0, | ||
2756 | which in turn required some things to be converted from u_short => int | ||
2757 | make use of int vs. u_short consistent in some other places too | ||
2758 | feedback & ok markus@ | ||
2759 | - djm@cvs.openbsd.org 2009/01/22 10:09:16 | ||
2760 | [auth-options.c] | ||
2761 | another chunk of a2port() diff that got away. wtfdjm?? | ||
2762 | - djm@cvs.openbsd.org 2009/01/23 07:58:11 | ||
2763 | [myproposal.h] | ||
2764 | prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC | ||
2765 | modes; ok markus@ | ||
2766 | - naddy@cvs.openbsd.org 2009/01/24 17:10:22 | ||
2767 | [ssh_config.5 sshd_config.5] | ||
2768 | sync list of preferred ciphers; ok djm@ | ||
2769 | - markus@cvs.openbsd.org 2009/01/26 09:58:15 | ||
2770 | [cipher.c cipher.h packet.c] | ||
2771 | Work around the CPNI-957037 Plaintext Recovery Attack by always | ||
2772 | reading 256K of data on packet size or HMAC errors (in CBC mode only). | ||
2773 | Help, feedback and ok djm@ | ||
2774 | Feedback from Martin Albrecht and Paterson Kenny | ||
2775 | |||
2776 | 20090107 | ||
2777 | - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X. | ||
2778 | Patch based on one from vgiffin AT apple.com; ok dtucker@ | ||
2779 | - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via | ||
2780 | launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked; | ||
2781 | ok dtucker@ | ||
2782 | - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make | ||
2783 | ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity" | ||
2784 | key). Patch from cjwatson AT debian.org | ||
2785 | |||
2786 | 20090107 | ||
2787 | - (tim) [configure.ac defines.h openbsd-compat/port-uw.c | ||
2788 | openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI. | ||
2789 | OK djm@ dtucker@ | ||
2790 | - (tim) [configure.ac] Move check_for_libcrypt_later=1 in *-*-sysv5*) section. | ||
2791 | OpenServer 6 doesn't need libcrypt. | ||
2792 | |||
2793 | 20081209 | ||
2794 | - (djm) OpenBSD CVS Sync | ||
2795 | - djm@cvs.openbsd.org 2008/12/09 02:38:18 | ||
2796 | [clientloop.c] | ||
2797 | The ~C escape handler does not work correctly for multiplexed sessions - | ||
2798 | it opens a commandline on the master session, instead of on the slave | ||
2799 | that requested it. Disable it on slave sessions until such time as it | ||
2800 | is fixed; bz#1543 report from Adrian Bridgett via Colin Watson | ||
2801 | ok markus@ | ||
2802 | - djm@cvs.openbsd.org 2008/12/09 02:39:59 | ||
2803 | [sftp.c] | ||
2804 | Deal correctly with failures in remote stat() operation in sftp, | ||
2805 | correcting fail-on-error behaviour in batchmode. bz#1541 report and | ||
2806 | fix from anedvedicky AT gmail.com; ok markus@ | ||
2807 | - djm@cvs.openbsd.org 2008/12/09 02:58:16 | ||
2808 | [readconf.c] | ||
2809 | don't leave junk (free'd) pointers around in Forward *fwd argument on | ||
2810 | failure; avoids double-free in ~C -L handler when given an invalid | ||
2811 | forwarding specification; bz#1539 report from adejong AT debian.org | ||
2812 | via Colin Watson; ok markus@ dtucker@ | ||
2813 | - djm@cvs.openbsd.org 2008/12/09 03:02:37 | ||
2814 | [sftp.1 sftp.c] | ||
2815 | correct sftp(1) and corresponding usage syntax; | ||
2816 | bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@ | ||
2817 | |||
2818 | 20081208 | ||
2819 | - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually | ||
2820 | use some stack in main(). | ||
2821 | Report and suggested fix from vapier AT gentoo.org | ||
2822 | - (djm) OpenBSD CVS Sync | ||
2823 | - markus@cvs.openbsd.org 2008/12/02 19:01:07 | ||
2824 | [clientloop.c] | ||
2825 | we have to use the recipient's channel number (RFC 4254) for | ||
2826 | SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages, | ||
2827 | otherwise we trigger 'Non-public channel' error messages on sshd | ||
2828 | systems with clientkeepalive enabled; noticed by sturm; ok djm; | ||
2829 | - markus@cvs.openbsd.org 2008/12/02 19:08:59 | ||
2830 | [serverloop.c] | ||
2831 | backout 1.149, since it's not necessary and openssh clients send | ||
2832 | broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@ | ||
2833 | - markus@cvs.openbsd.org 2008/12/02 19:09:38 | ||
2834 | [channels.c] | ||
2835 | s/remote_id/id/ to be more consistent with other code; ok djm@ | ||
2836 | |||
2837 | 20081201 | ||
2838 | - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files | ||
2839 | and tweak the is-sshd-running check in ssh-host-config. Patch from | ||
2840 | vinschen at redhat com. | ||
2841 | - (dtucker) OpenBSD CVS Sync | ||
2842 | - markus@cvs.openbsd.org 2008/11/21 15:47:38 | ||
2843 | [packet.c] | ||
2844 | packet_disconnect() on padding error, too. should reduce the success | ||
2845 | probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 | ||
2846 | ok djm@ | ||
2847 | - dtucker@cvs.openbsd.org 2008/11/30 11:59:26 | ||
2848 | [monitor_fdpass.c] | ||
2849 | Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@ | ||
2850 | |||
2851 | 20081123 | ||
2852 | - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some | ||
2853 | declarations, removing an unnecessary union member and adding whitespace. | ||
2854 | cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago. | ||
2855 | |||
2856 | 20081118 | ||
2857 | - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id | ||
2858 | member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and | ||
2859 | feedback by djm@ | ||
2860 | |||
2861 | 20081111 | ||
2862 | - (dtucker) OpenBSD CVS Sync | ||
2863 | - jmc@cvs.openbsd.org 2008/11/05 11:22:54 | ||
2864 | [servconf.c] | ||
2865 | passord -> password; | ||
2866 | fixes user/5975 from Rene Maroufi | ||
2867 | - stevesk@cvs.openbsd.org 2008/11/07 00:42:12 | ||
2868 | [ssh-keygen.c] | ||
2869 | spelling/typo in comment | ||
2870 | - stevesk@cvs.openbsd.org 2008/11/07 18:50:18 | ||
2871 | [nchan.c] | ||
2872 | add space to some log/debug messages for readability; ok djm@ markus@ | ||
2873 | - dtucker@cvs.openbsd.org 2008/11/07 23:34:48 | ||
2874 | [auth2-jpake.c] | ||
2875 | Move JPAKE define to make life easier for portable. ok djm@ | ||
2876 | - tobias@cvs.openbsd.org 2008/11/09 12:34:47 | ||
2877 | [session.c ssh.1] | ||
2878 | typo fixed (overriden -> overridden) | ||
2879 | ok espie, jmc | ||
2880 | - stevesk@cvs.openbsd.org 2008/11/11 02:58:09 | ||
2881 | [servconf.c] | ||
2882 | USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing | ||
2883 | kerberosgetafstoken. ok dtucker@ | ||
2884 | (Id sync only, we still want the ifdef in portable) | ||
2885 | - stevesk@cvs.openbsd.org 2008/11/11 03:55:11 | ||
2886 | [channels.c] | ||
2887 | for sshd -T print 'permitopen any' vs. 'permitopen' for case of no | ||
2888 | permitopen's; ok and input dtucker@ | ||
2889 | - djm@cvs.openbsd.org 2008/11/10 02:06:35 | ||
2890 | [regress/putty-ciphers.sh] | ||
2891 | PuTTY supports AES CTR modes, so interop test against them too | ||
2892 | |||
2893 | 20081105 | ||
2894 | - OpenBSD CVS Sync | ||
2895 | - djm@cvs.openbsd.org 2008/11/03 08:59:41 | ||
2896 | [servconf.c] | ||
2897 | include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov | ||
2898 | - djm@cvs.openbsd.org 2008/11/04 07:58:09 | ||
2899 | [auth.c] | ||
2900 | need unistd.h for close() prototype | ||
2901 | (ID sync only) | ||
2902 | - djm@cvs.openbsd.org 2008/11/04 08:22:13 | ||
2903 | [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] | ||
2904 | [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] | ||
2905 | [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] | ||
2906 | [Makefile.in] | ||
2907 | Add support for an experimental zero-knowledge password authentication | ||
2908 | method using the J-PAKE protocol described in F. Hao, P. Ryan, | ||
2909 | "Password Authenticated Key Exchange by Juggling", 16th Workshop on | ||
2910 | Security Protocols, Cambridge, April 2008. | ||
2911 | |||
2912 | This method allows password-based authentication without exposing | ||
2913 | the password to the server. Instead, the client and server exchange | ||
2914 | cryptographic proofs to demonstrate of knowledge of the password while | ||
2915 | revealing nothing useful to an attacker or compromised endpoint. | ||
2916 | |||
2917 | This is experimental, work-in-progress code and is presently | ||
2918 | compiled-time disabled (turn on -DJPAKE in Makefile.inc). | ||
2919 | |||
2920 | "just commit it. It isn't too intrusive." deraadt@ | ||
2921 | - stevesk@cvs.openbsd.org 2008/11/04 19:18:00 | ||
2922 | [readconf.c] | ||
2923 | because parse_forward() is now used to parse all forward types (DLR), | ||
2924 | and it malloc's space for host variables, we don't need to malloc | ||
2925 | here. fixes small memory leaks. | ||
2926 | |||
2927 | previously dynamic forwards were not parsed in parse_forward() and | ||
2928 | space was not malloc'd in that case. | ||
2929 | |||
2930 | ok djm@ | ||
2931 | - stevesk@cvs.openbsd.org 2008/11/05 03:23:09 | ||
2932 | [clientloop.c ssh.1] | ||
2933 | add dynamic forward escape command line; ok djm@ | ||
2934 | |||
2935 | 20081103 | ||
2936 | - OpenBSD CVS Sync | ||
2937 | - sthen@cvs.openbsd.org 2008/07/24 23:55:30 | ||
2938 | [ssh-keygen.1] | ||
2939 | Add "ssh-keygen -F -l" to synopsis (displays fingerprint from | ||
2940 | known_hosts). ok djm@ | ||
2941 | - grunk@cvs.openbsd.org 2008/07/25 06:56:35 | ||
2942 | [ssh_config] | ||
2943 | Add VisualHostKey to example file, ok djm@ | ||
2944 | - grunk@cvs.openbsd.org 2008/07/25 07:05:16 | ||
2945 | [key.c] | ||
2946 | In random art visualization, make sure to use the end marker only at the | ||
2947 | end. Initial diff by Dirk Loss, tweaks and ok djm@ | ||
2948 | - markus@cvs.openbsd.org 2008/07/31 14:48:28 | ||
2949 | [sshconnect2.c] | ||
2950 | don't allocate space for empty banners; report t8m at centrum.cz; | ||
2951 | ok deraadt | ||
2952 | - krw@cvs.openbsd.org 2008/08/02 04:29:51 | ||
2953 | [ssh_config.5] | ||
2954 | whitepsace -> whitespace. From Matthew Clarke via bugs@. | ||
2955 | - djm@cvs.openbsd.org 2008/08/21 04:09:57 | ||
2956 | [session.c] | ||
2957 | allow ForceCommand internal-sftp with arguments. based on patch from | ||
2958 | michael.barabanov AT gmail.com; ok markus@ | ||
2959 | - djm@cvs.openbsd.org 2008/09/06 12:24:13 | ||
2960 | [kex.c] | ||
2961 | OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our | ||
2962 | replacement anymore | ||
2963 | (ID sync only for portable - we still need this) | ||
2964 | - markus@cvs.openbsd.org 2008/09/11 14:22:37 | ||
2965 | [compat.c compat.h nchan.c ssh.c] | ||
2966 | only send eow and no-more-sessions requests to openssh 5 and newer; | ||
2967 | fixes interop problems with broken ssh v2 implementations; ok djm@ | ||
2968 | - millert@cvs.openbsd.org 2008/10/02 14:39:35 | ||
2969 | [session.c] | ||
2970 | Convert an unchecked strdup to xstrdup. OK deraadt@ | ||
2971 | - jmc@cvs.openbsd.org 2008/10/03 13:08:12 | ||
2972 | [sshd.8] | ||
2973 | do not give an example of how to chmod files: we can presume the user | ||
2974 | knows that. removes an ambiguity in the permission of authorized_keys; | ||
2975 | ok deraadt | ||
2976 | - deraadt@cvs.openbsd.org 2008/10/03 23:56:28 | ||
2977 | [sshconnect2.c] | ||
2978 | Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the | ||
2979 | function. | ||
2980 | spotted by des@freebsd, who commited an incorrect fix to the freebsd tree | ||
2981 | and (as is fairly typical) did not report the problem to us. But this fix | ||
2982 | is correct. | ||
2983 | ok djm | ||
2984 | - djm@cvs.openbsd.org 2008/10/08 23:34:03 | ||
2985 | [ssh.1 ssh.c] | ||
2986 | Add -y option to force logging via syslog rather than stderr. | ||
2987 | Useful for daemonised ssh connection (ssh -f). Patch originally from | ||
2988 | and ok'd by markus@ | ||
2989 | - djm@cvs.openbsd.org 2008/10/09 03:50:54 | ||
2990 | [servconf.c sshd_config.5] | ||
2991 | support setting PermitEmptyPasswords in a Match block | ||
2992 | requested in PR3891; ok dtucker@ | ||
2993 | - jmc@cvs.openbsd.org 2008/10/09 06:54:22 | ||
2994 | [ssh.c] | ||
2995 | add -y to usage(); | ||
2996 | - stevesk@cvs.openbsd.org 2008/10/10 04:55:16 | ||
2997 | [scp.c] | ||
2998 | spelling in comment; ok djm@ | ||
2999 | - stevesk@cvs.openbsd.org 2008/10/10 05:00:12 | ||
3000 | [key.c] | ||
3001 | typo in error message; ok djm@ | ||
3002 | - stevesk@cvs.openbsd.org 2008/10/10 16:43:27 | ||
3003 | [ssh_config.5] | ||
3004 | use 'Privileged ports can be forwarded only when logging in as root on | ||
3005 | the remote machine.' for RemoteForward just like ssh.1 -R. | ||
3006 | ok djm@ jmc@ | ||
3007 | - stevesk@cvs.openbsd.org 2008/10/14 18:11:33 | ||
3008 | [sshconnect.c] | ||
3009 | use #define ROQUIET here; no binary change. ok dtucker@ | ||
3010 | - stevesk@cvs.openbsd.org 2008/10/17 18:36:24 | ||
3011 | [ssh_config.5] | ||
3012 | correct and clarify VisualHostKey; ok jmc@ | ||
3013 | - stevesk@cvs.openbsd.org 2008/10/30 19:31:16 | ||
3014 | [clientloop.c sshd.c] | ||
3015 | don't need to #include "monitor_fdpass.h" | ||
3016 | - stevesk@cvs.openbsd.org 2008/10/31 15:05:34 | ||
3017 | [dispatch.c] | ||
3018 | remove unused #define DISPATCH_MIN; ok markus@ | ||
3019 | - djm@cvs.openbsd.org 2008/11/01 04:50:08 | ||
3020 | [sshconnect2.c] | ||
3021 | sprinkle ARGSUSED on dispatch handlers | ||
3022 | nuke stale unusued prototype | ||
3023 | - stevesk@cvs.openbsd.org 2008/11/01 06:43:33 | ||
3024 | [channels.c] | ||
3025 | fix some typos in log messages; ok djm@ | ||
3026 | - sobrado@cvs.openbsd.org 2008/11/01 11:14:36 | ||
3027 | [ssh-keyscan.1 ssh-keyscan.c] | ||
3028 | the ellipsis is not an optional argument; while here, improve spacing. | ||
3029 | - stevesk@cvs.openbsd.org 2008/11/01 17:40:33 | ||
3030 | [clientloop.c readconf.c readconf.h ssh.c] | ||
3031 | merge dynamic forward parsing into parse_forward(); | ||
3032 | 'i think this is OK' djm@ | ||
3033 | - stevesk@cvs.openbsd.org 2008/11/02 00:16:16 | ||
3034 | [ttymodes.c] | ||
3035 | protocol 2 tty modes support is now 7.5 years old so remove these | ||
3036 | debug3()s; ok deraadt@ | ||
3037 | - stevesk@cvs.openbsd.org 2008/11/03 01:07:02 | ||
3038 | [readconf.c] | ||
3039 | remove valueless comment | ||
3040 | - stevesk@cvs.openbsd.org 2008/11/03 02:44:41 | ||
3041 | [readconf.c] | ||
3042 | fix comment | ||
3043 | - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd] | ||
3044 | Make example scripts generate keys with default sizes rather than fixed, | ||
3045 | non-default 1024 bits; patch from imorgan AT nas.nasa.gov | ||
3046 | - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam] | ||
3047 | [contrib/redhat/sshd.pam] Move pam_nologin to account group from | ||
3048 | incorrect auth group in example files; | ||
3049 | patch from imorgan AT nas.nasa.gov | ||
3050 | |||
3051 | 20080906 | ||
3052 | - (dtucker) [config.guess config.sub] Update to latest versions from | ||
3053 | http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16 | ||
3054 | respectively). | ||
3055 | |||
3056 | 20080830 | ||
3057 | - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs | ||
3058 | larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch | ||
3059 | from Nicholas Marriott. | ||
3060 | |||
3061 | 20080721 | ||
3062 | - (djm) OpenBSD CVS Sync | ||
3063 | - djm@cvs.openbsd.org 2008/07/23 07:36:55 | ||
3064 | [servconf.c] | ||
3065 | do not try to print options that have been compile-time disabled | ||
3066 | in config test mode (sshd -T); report from nix-corp AT esperi.org.uk | ||
3067 | ok dtucker@ | ||
3068 | - (djm) [servconf.c] Print UsePAM option in config test mode (when it | ||
3069 | has been compiled in); report from nix-corp AT esperi.org.uk | ||
3070 | ok dtucker@ | ||
3071 | |||
3072 | 20080721 | ||
3073 | - (djm) OpenBSD CVS Sync | ||
3074 | - jmc@cvs.openbsd.org 2008/07/18 22:51:01 | ||
3075 | [sftp-server.8] | ||
3076 | no need for .Pp before or after .Sh; | ||
3077 | - djm@cvs.openbsd.org 2008/07/21 08:19:07 | ||
3078 | [version.h] | ||
3079 | openssh-5.1 | ||
3080 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
3081 | [contrib/suse/openssh.spec] Update version number in README and RPM specs | ||
3082 | - (djm) Release OpenSSH-5.1 | ||
3083 | |||
3084 | 20080717 | ||
3085 | - (djm) OpenBSD CVS Sync | ||
3086 | - djm@cvs.openbsd.org 2008/07/17 08:48:00 | ||
3087 | [sshconnect2.c] | ||
3088 | strnvis preauth banner; pointed out by mpf@ ok markus@ | ||
3089 | - djm@cvs.openbsd.org 2008/07/17 08:51:07 | ||
3090 | [auth2-hostbased.c] | ||
3091 | strip trailing '.' from hostname when HostbasedUsesNameFromPacketOnly=yes | ||
3092 | report and patch from res AT qoxp.net (bz#1200); ok markus@ | ||
3093 | - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Remove long-unneeded compat | ||
3094 | code, replace with equivalent cygwin library call. Patch from vinschen | ||
3095 | at redhat.com, ok djm@. | ||
3096 | - (djm) [sshconnect2.c] vis.h isn't available everywhere | ||
3097 | |||
3098 | 20080716 | ||
3099 | - OpenBSD CVS Sync | ||
3100 | - djm@cvs.openbsd.org 2008/07/15 02:23:14 | ||
3101 | [sftp.1] | ||
3102 | number of pipelined requests is now 64; | ||
3103 | prodded by Iain.Morgan AT nasa.gov | ||
3104 | - djm@cvs.openbsd.org 2008/07/16 11:51:14 | ||
3105 | [clientloop.c] | ||
3106 | rename variable first_gc -> last_gc (since it is actually the last | ||
3107 | in the list). | ||
3108 | - djm@cvs.openbsd.org 2008/07/16 11:52:19 | ||
3109 | [channels.c] | ||
3110 | this loop index should be automatic, not static | ||
3111 | |||
3112 | 20080714 | ||
3113 | - (djm) OpenBSD CVS Sync | ||
3114 | - sthen@cvs.openbsd.org 2008/07/13 21:22:52 | ||
3115 | [ssh-keygen.c] | ||
3116 | Change "ssh-keygen -F [host] -l" to not display random art unless | ||
3117 | -v is also specified, making it consistent with the manual and other | ||
3118 | uses of -l. | ||
3119 | ok grunk@ | ||
3120 | - djm@cvs.openbsd.org 2008/07/13 22:13:07 | ||
3121 | [channels.c] | ||
3122 | use struct sockaddr_storage instead of struct sockaddr for accept(2) | ||
3123 | address argument. from visibilis AT yahoo.com in bz#1485; ok markus@ | ||
3124 | - djm@cvs.openbsd.org 2008/07/13 22:16:03 | ||
3125 | [sftp.c] | ||
3126 | increase number of piplelined requests so they properly fill the | ||
3127 | (recently increased) channel window. prompted by rapier AT psc.edu; | ||
3128 | ok markus@ | ||
3129 | - djm@cvs.openbsd.org 2008/07/14 01:55:56 | ||
3130 | [sftp-server.8] | ||
3131 | mention requirement for /dev/log inside chroot when using sftp-server | ||
3132 | with ChrootDirectory | ||
3133 | - (djm) [openbsd-compat/bindresvport.c] Rename variables s/sin/in/ to | ||
3134 | avoid clash with sin(3) function; reported by | ||
3135 | cristian.ionescu-idbohrn AT axis.com | ||
3136 | - (djm) [openbsd-compat/rresvport.c] Add unistd.h for missing close() | ||
3137 | prototype; reported by cristian.ionescu-idbohrn AT axis.com | ||
3138 | - (djm) [umac.c] Rename variable s/buffer_ptr/bufp/ to avoid clash; | ||
3139 | reported by cristian.ionescu-idbohrn AT axis.com | ||
3140 | - (djm) [contrib/cygwin/Makefile contrib/cygwin/ssh-host-config] | ||
3141 | [contrib/cygwin/ssh-user-config contrib/cygwin/sshd-inetd] | ||
3142 | Revamped and simplified Cygwin ssh-host-config script that uses | ||
3143 | unified csih configuration tool. Requires recent Cygwin. | ||
3144 | Patch from vinschen AT redhat.com | ||
3145 | |||
3146 | 20080712 | ||
3147 | - (djm) OpenBSD CVS Sync | ||
3148 | - djm@cvs.openbsd.org 2008/07/12 04:52:50 | ||
3149 | [channels.c] | ||
3150 | unbreak; move clearing of cctx struct to before first use | ||
3151 | reported by dkrause@ | ||
3152 | - djm@cvs.openbsd.org 2008/07/12 05:33:41 | ||
3153 | [scp.1] | ||
3154 | better description for -i flag: | ||
3155 | s/RSA authentication/public key authentication/ | ||
3156 | - (djm) [openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h] | ||
3157 | return EAI_FAMILY when trying to lookup unsupported address family; | ||
3158 | from vinschen AT redhat.com | ||
3159 | |||
3160 | 20080711 | ||
3161 | - (djm) OpenBSD CVS Sync | ||
3162 | - stevesk@cvs.openbsd.org 2008/07/07 00:31:41 | ||
3163 | [ttymodes.c] | ||
3164 | we don't need arg after the debug3() was removed. from lint. | ||
3165 | ok djm@ | ||
3166 | - stevesk@cvs.openbsd.org 2008/07/07 23:32:51 | ||
3167 | [key.c] | ||
3168 | /*NOTREACHED*/ for lint warning: | ||
3169 | warning: function key_equal falls off bottom without returning value | ||
3170 | ok djm@ | ||
3171 | - markus@cvs.openbsd.org 2008/07/10 18:05:58 | ||
3172 | [channels.c] | ||
3173 | missing bzero; from mickey; ok djm@ | ||
3174 | - markus@cvs.openbsd.org 2008/07/10 18:08:11 | ||
3175 | [clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c] | ||
3176 | sync v1 and v2 traffic accounting; add it to sshd, too; | ||
3177 | ok djm@, dtucker@ | ||
3178 | |||
3179 | 20080709 | ||
3180 | - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass | ||
3181 | - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM | ||
3182 | account check failure path. The vulnerable format buffer is supplied | ||
3183 | from PAM and should not contain attacker-supplied data. | ||
3184 | - (djm) [auth.c] Missing unistd.h for close() | ||
3185 | - (djm) [configure.ac] Add -Wformat-security to CFLAGS for gcc 3.x and 4.x | ||
3186 | |||
3187 | 20080705 | ||
3188 | - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed | ||
3189 | passwords disabled. bz#1083 report & patch from senthilkumar_sen AT | ||
3190 | hotpop.com, w/ dtucker@ | ||
3191 | - (djm) [atomicio.c configure.ac] Disable poll() fallback in atomiciov for | ||
3192 | Tru64. readv doesn't seem to be a comparable object there. | ||
3193 | bz#1386, patch from dtucker@ ok me | ||
3194 | - (djm) [Makefile.in] Pass though pass to conch for interop tests | ||
3195 | - (djm) [configure.ac] unbreak: remove extra closing brace | ||
3196 | - (djm) OpenBSD CVS Sync | ||
3197 | - djm@cvs.openbsd.org 2008/07/04 23:08:25 | ||
3198 | [packet.c] | ||
3199 | handle EINTR in packet_write_poll()l ok dtucker@ | ||
3200 | - djm@cvs.openbsd.org 2008/07/04 23:30:16 | ||
3201 | [auth1.c auth2.c] | ||
3202 | Make protocol 1 MaxAuthTries logic match protocol 2's. | ||
3203 | Do not treat the first protocol 2 authentication attempt as | ||
3204 | a failure IFF it is for method "none". | ||
3205 | Makes MaxAuthTries' user-visible behaviour identical for | ||
3206 | protocol 1 vs 2. | ||
3207 | ok dtucker@ | ||
3208 | - djm@cvs.openbsd.org 2008/07/05 05:16:01 | ||
3209 | [PROTOCOL] | ||
3210 | grammar | ||
3211 | |||
3212 | 20080704 | ||
3213 | - (dtucker) OpenBSD CVS Sync | ||
3214 | - djm@cvs.openbsd.org 2008/07/02 13:30:34 | ||
3215 | [auth2.c] | ||
3216 | really really remove the freebie "none" auth try for protocol 2 | ||
3217 | - djm@cvs.openbsd.org 2008/07/02 13:47:39 | ||
3218 | [ssh.1 ssh.c] | ||
3219 | When forking after authentication ("ssh -f") with ExitOnForwardFailure | ||
3220 | enabled, delay the fork until after replies for any -R forwards have | ||
3221 | been seen. Allows for robust detection of -R forward failure when | ||
3222 | using -f (similar to bz#92); ok dtucker@ | ||
3223 | - otto@cvs.openbsd.org 2008/07/03 21:46:58 | ||
3224 | [auth2-pubkey.c] | ||
3225 | avoid nasty double free; ok dtucker@ djm@ | ||
3226 | - djm@cvs.openbsd.org 2008/07/04 03:44:59 | ||
3227 | [servconf.c groupaccess.h groupaccess.c] | ||
3228 | support negation of groups in "Match group" block (bz#1315); ok dtucker@ | ||
3229 | - dtucker@cvs.openbsd.org 2008/07/04 03:47:02 | ||
3230 | [monitor.c] | ||
3231 | Make debug a little clearer. ok djm@ | ||
3232 | - djm@cvs.openbsd.org 2008/06/30 08:07:34 | ||
3233 | [regress/key-options.sh] | ||
3234 | shell portability: use "=" instead of "==" in test(1) expressions, | ||
3235 | double-quote string with backslash escaped / | ||
3236 | - djm@cvs.openbsd.org 2008/06/30 10:31:11 | ||
3237 | [regress/{putty-transfer,putty-kex,putty-ciphers}.sh] | ||
3238 | remove "set -e" left over from debugging | ||
3239 | - djm@cvs.openbsd.org 2008/06/30 10:43:03 | ||
3240 | [regress/conch-ciphers.sh] | ||
3241 | explicitly disable conch options that could interfere with the test | ||
3242 | - (dtucker) [sftp-server.c] Bug #1447: fall back to racy rename if link | ||
3243 | returns EXDEV. Patch from Mike Garrison, ok djm@ | ||
3244 | - (djm) [atomicio.c channels.c clientloop.c defines.h includes.h] | ||
3245 | [packet.c scp.c serverloop.c sftp-client.c ssh-agent.c ssh-keyscan.c] | ||
3246 | [sshd.c] Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on | ||
3247 | some platforms (HP nonstop) it is a distinct errno; | ||
3248 | bz#1467 reported by sconeu AT yahoo.com; ok dtucker@ | ||
3249 | |||
3250 | 20080702 | ||
3251 | - (dtucker) OpenBSD CVS Sync | ||
3252 | - djm@cvs.openbsd.org 2008/06/30 08:05:59 | ||
3253 | [PROTOCOL.agent] | ||
3254 | typo: s/constraint_date/constraint_data/ | ||
3255 | - djm@cvs.openbsd.org 2008/06/30 12:15:39 | ||
3256 | [serverloop.c] | ||
3257 | only pass channel requests on session channels through to the session | ||
3258 | channel handler, avoiding spurious log messages; ok! markus@ | ||
3259 | - djm@cvs.openbsd.org 2008/06/30 12:16:02 | ||
3260 | [nchan.c] | ||
3261 | only send eow@openssh.com notifications for session channels; ok! markus@ | ||
3262 | - djm@cvs.openbsd.org 2008/06/30 12:18:34 | ||
3263 | [PROTOCOL] | ||
3264 | clarify that eow@openssh.com is only sent on session channels | ||
3265 | - dtucker@cvs.openbsd.org 2008/07/01 07:20:52 | ||
3266 | [sshconnect.c] | ||
3267 | Check ExitOnForwardFailure if forwardings are disabled due to a failed | ||
3268 | host key check. ok djm@ | ||
3269 | - dtucker@cvs.openbsd.org 2008/07/01 07:24:22 | ||
3270 | [sshconnect.c sshd.c] | ||
3271 | Send CR LF during protocol banner exchanges, but only for Protocol 2 only, | ||
3272 | in order to comply with RFC 4253. bz #1443, ok djm@ | ||
3273 | - stevesk@cvs.openbsd.org 2008/07/01 23:12:47 | ||
3274 | [PROTOCOL.agent] | ||
3275 | fix some typos; ok djm@ | ||
3276 | - djm@cvs.openbsd.org 2008/07/02 02:24:18 | ||
3277 | [sshd_config sshd_config.5 sshd.8 servconf.c] | ||
3278 | increase default size of ssh protocol 1 ephemeral key from 768 to 1024 | ||
3279 | bits; prodded by & ok dtucker@ ok deraadt@ | ||
3280 | - dtucker@cvs.openbsd.org 2008/07/02 12:03:51 | ||
3281 | [auth-rsa.c auth.c auth2-pubkey.c auth.h] | ||
3282 | Merge duplicate host key file checks, based in part on a patch from Rob | ||
3283 | Holland via bz #1348 . Also checks for non-regular files during protocol | ||
3284 | 1 RSA auth. ok djm@ | ||
3285 | - djm@cvs.openbsd.org 2008/07/02 12:36:39 | ||
3286 | [auth2-none.c auth2.c] | ||
3287 | Make protocol 2 MaxAuthTries behaviour a little more sensible: | ||
3288 | Check whether client has exceeded MaxAuthTries before running | ||
3289 | an authentication method and skip it if they have, previously it | ||
3290 | would always allow one try (for "none" auth). | ||
3291 | Preincrement failure count before post-auth test - previously this | ||
3292 | checked and postincremented, also to allow one "none" try. | ||
3293 | Together, these two changes always count the "none" auth method | ||
3294 | which could be skipped by a malicious client (e.g. an SSH worm) | ||
3295 | to get an extra attempt at a real auth method. They also make | ||
3296 | MaxAuthTries=0 a useful way to block users entirely (esp. in a | ||
3297 | sshd_config Match block). | ||
3298 | Also, move sending of any preauth banner from "none" auth method | ||
3299 | to the first call to input_userauth_request(), so worms that skip | ||
3300 | the "none" method get to see it too. | ||
3301 | |||
3302 | 20080630 | ||
3303 | - (djm) OpenBSD CVS Sync | ||
3304 | - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 | ||
3305 | [regress/Makefile regress/key-options.sh] | ||
3306 | Add regress test for key options. ok djm@ | ||
3307 | - dtucker@cvs.openbsd.org 2008/06/11 23:11:40 | ||
3308 | [regress/Makefile] | ||
3309 | Don't run cipher-speed test by default; mistakenly enabled by me | ||
3310 | - djm@cvs.openbsd.org 2008/06/28 13:57:25 | ||
3311 | [regress/Makefile regress/test-exec.sh regress/conch-ciphers.sh] | ||
3312 | very basic regress test against Twisted Conch in "make interop" | ||
3313 | target (conch is available in ports/devel/py-twisted/conch); | ||
3314 | ok markus@ | ||
3315 | - (djm) [regress/Makefile] search for conch by path, like we do putty | ||
3316 | |||
3317 | 20080629 | ||
3318 | - (djm) OpenBSD CVS Sync | ||
3319 | - martynas@cvs.openbsd.org 2008/06/21 07:46:46 | ||
3320 | [sftp.c] | ||
3321 | use optopt to get invalid flag, instead of return value of getopt, | ||
3322 | which is always '?'; ok djm@ | ||
3323 | - otto@cvs.openbsd.org 2008/06/25 11:13:43 | ||
3324 | [key.c] | ||
3325 | add key length to visual fingerprint; zap magical constants; | ||
3326 | ok grunk@ djm@ | ||
3327 | - djm@cvs.openbsd.org 2008/06/26 06:10:09 | ||
3328 | [sftp-client.c sftp-server.c] | ||
3329 | allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky | ||
3330 | bits. Note that this only affects explicit setting of modes (e.g. via | ||
3331 | sftp(1)'s chmod command) and not file transfers. (bz#1310) | ||
3332 | ok deraadt@ at c2k8 | ||
3333 | - djm@cvs.openbsd.org 2008/06/26 09:19:40 | ||
3334 | [dh.c dh.h moduli.c] | ||
3335 | when loading moduli from /etc/moduli in sshd(8), check that they | ||
3336 | are of the expected "safe prime" structure and have had | ||
3337 | appropriate primality tests performed; | ||
3338 | feedback and ok dtucker@ | ||
3339 | - grunk@cvs.openbsd.org 2008/06/26 11:46:31 | ||
3340 | [readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c] | ||
3341 | Move SSH Fingerprint Visualization away from sharing the config option | ||
3342 | CheckHostIP to an own config option named VisualHostKey. | ||
3343 | While there, fix the behaviour that ssh would draw a random art picture | ||
3344 | on every newly seen host even when the option was not enabled. | ||
3345 | prodded by deraadt@, discussions, | ||
3346 | help and ok markus@ djm@ dtucker@ | ||
3347 | - jmc@cvs.openbsd.org 2008/06/26 21:11:46 | ||
3348 | [ssh.1] | ||
3349 | add VisualHostKey to the list of options listed in -o; | ||
3350 | - djm@cvs.openbsd.org 2008/06/28 07:25:07 | ||
3351 | [PROTOCOL] | ||
3352 | spelling fixes | ||
3353 | - djm@cvs.openbsd.org 2008/06/28 13:58:23 | ||
3354 | [ssh-agent.c] | ||
3355 | refuse to add a key that has unknown constraints specified; | ||
3356 | ok markus | ||
3357 | - djm@cvs.openbsd.org 2008/06/28 14:05:15 | ||
3358 | [ssh-agent.c] | ||
3359 | reset global compat flag after processing a protocol 2 signature | ||
3360 | request with the legacy DSA encoding flag set; ok markus | ||
3361 | - djm@cvs.openbsd.org 2008/06/28 14:08:30 | ||
3362 | [PROTOCOL PROTOCOL.agent] | ||
3363 | document the protocol used by ssh-agent; "looks ok" markus@ | ||
3364 | |||
3365 | 20080628 | ||
3366 | - (djm) [RFC.nroff contrib/cygwin/Makefile contrib/suse/openssh.spec] | ||
3367 | RFC.nroff lacks a license, remove it (it is long gone in OpenBSD). | ||
3368 | |||
3369 | 20080626 | ||
3370 | - (djm) [Makefile.in moduli.5] Include moduli(5) manpage from OpenBSD. | ||
3371 | (bz#1372) | ||
3372 | - (djm) [ contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
3373 | [contrib/suse/openssh.spec] Include moduli.5 in RPM spec files. | ||
3374 | |||
3375 | 20080616 | ||
3376 | - (dtucker) OpenBSD CVS Sync | ||
3377 | - dtucker@cvs.openbsd.org 2008/06/16 13:22:53 | ||
3378 | [session.c channels.c] | ||
3379 | Rename the isatty argument to is_tty so we don't shadow | ||
3380 | isatty(3). ok markus@ | ||
3381 | - (dtucker) [channels.c] isatty -> is_tty here too. | ||
3382 | |||
3383 | 20080615 | ||
3384 | - (dtucker) [configure.ac] Enable -fno-builtin-memset when using gcc. | ||
3385 | - OpenBSD CVS Sync | ||
3386 | - dtucker@cvs.openbsd.org 2008/06/14 15:49:48 | ||
3387 | [sshd.c] | ||
3388 | wrap long line at 80 chars | ||
3389 | - dtucker@cvs.openbsd.org 2008/06/14 17:07:11 | ||
3390 | [sshd.c] | ||
3391 | ensure default umask disallows at least group and world write; ok djm@ | ||
3392 | - djm@cvs.openbsd.org 2008/06/14 18:33:43 | ||
3393 | [session.c] | ||
3394 | suppress the warning message from chdir(homedir) failures | ||
3395 | when chrooted (bz#1461); ok dtucker | ||
3396 | - dtucker@cvs.openbsd.org 2008/06/14 19:42:10 | ||
3397 | [scp.1] | ||
3398 | Mention that scp follows symlinks during -r. bz #1466, | ||
3399 | from nectar at apple | ||
3400 | - dtucker@cvs.openbsd.org 2008/06/15 16:55:38 | ||
3401 | [sshd_config.5] | ||
3402 | MaxSessions is allowed in a Match block too | ||
3403 | - dtucker@cvs.openbsd.org 2008/06/15 16:58:40 | ||
3404 | [servconf.c sshd_config.5] | ||
3405 | Allow MaxAuthTries within a Match block. ok djm@ | ||
3406 | - djm@cvs.openbsd.org 2008/06/15 20:06:26 | ||
3407 | [channels.c channels.h session.c] | ||
3408 | don't call isatty() on a pty master, instead pass a flag down to | ||
3409 | channel_set_fds() indicating that te fds refer to a tty. Fixes a | ||
3410 | hang on exit on Solaris (bz#1463) in portable but is actually | ||
3411 | a generic bug; ok dtucker deraadt markus | ||
3412 | |||
3413 | 20080614 | ||
3414 | - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction | ||
3415 | replacement code; patch from ighighi AT gmail.com in bz#1240; | ||
3416 | ok dtucker | ||
3417 | |||
3418 | 20080613 | ||
3419 | - (dtucker) OpenBSD CVS Sync | ||
3420 | - deraadt@cvs.openbsd.org 2008/06/13 09:44:36 | ||
3421 | [packet.c] | ||
3422 | compile on older gcc; no decl after code | ||
3423 | - dtucker@cvs.openbsd.org 2008/06/13 13:56:59 | ||
3424 | [monitor.c] | ||
3425 | Clear key options in the monitor on failed authentication, prevents | ||
3426 | applying additional restrictions to non-pubkey authentications in | ||
3427 | the case where pubkey fails but another method subsequently succeeds. | ||
3428 | bz #1472, found by Colin Watson, ok markus@ djm@ | ||
3429 | - dtucker@cvs.openbsd.org 2008/06/13 14:18:51 | ||
3430 | [auth2-pubkey.c auth-rhosts.c] | ||
3431 | Include unistd.h for close(), prevents warnings in -portable | ||
3432 | - dtucker@cvs.openbsd.org 2008/06/13 17:21:20 | ||
3433 | [mux.c] | ||
3434 | Friendlier error messages for mux fallback. ok djm@ | ||
3435 | - dtucker@cvs.openbsd.org 2008/06/13 18:55:22 | ||
3436 | [scp.c] | ||
3437 | Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@ | ||
3438 | - grunk@cvs.openbsd.org 2008/06/13 20:13:26 | ||
3439 | [ssh.1] | ||
3440 | Explain the use of SSH fpr visualization using random art, and cite the | ||
3441 | original scientific paper inspiring that technique. | ||
3442 | Much help with English and nroff by jmc@, thanks. | ||
3443 | - (dtucker) [configure.ac] Bug #1276: avoid linking against libgssapi, which | ||
3444 | despite its name doesn't seem to implement all of GSSAPI. Patch from | ||
3445 | Jan Engelhardt, sanity checked by Simon Wilkinson. | ||
3446 | |||
3447 | 20080612 | ||
3448 | - (dtucker) OpenBSD CVS Sync | ||
3449 | - jmc@cvs.openbsd.org 2008/06/11 07:30:37 | ||
3450 | [sshd.8] | ||
3451 | kill trailing whitespace; | ||
3452 | - grunk@cvs.openbsd.org 2008/06/11 21:01:35 | ||
3453 | [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c | ||
3454 | sshconnect.c] | ||
3455 | Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the | ||
3456 | graphical hash visualization schemes known as "random art", and by | ||
3457 | Dan Kaminsky's musings on the subject during a BlackOp talk at the | ||
3458 | 23C3 in Berlin. | ||
3459 | Scientific publication (original paper): | ||
3460 | "Hash Visualization: a New Technique to improve Real-World Security", | ||
3461 | Perrig A. and Song D., 1999, International Workshop on Cryptographic | ||
3462 | Techniques and E-Commerce (CrypTEC '99) | ||
3463 | http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf | ||
3464 | The algorithm used here is a worm crawling over a discrete plane, | ||
3465 | leaving a trace (augmenting the field) everywhere it goes. | ||
3466 | Movement is taken from dgst_raw 2bit-wise. Bumping into walls | ||
3467 | makes the respective movement vector be ignored for this turn, | ||
3468 | thus switching to the other color of the chessboard. | ||
3469 | Graphs are not unambiguous for now, because circles in graphs can be | ||
3470 | walked in either direction. | ||
3471 | discussions with several people, | ||
3472 | help, corrections and ok markus@ djm@ | ||
3473 | - grunk@cvs.openbsd.org 2008/06/11 21:38:25 | ||
3474 | [ssh-keygen.c] | ||
3475 | ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub | ||
3476 | would not display you the random art as intended, spotted by canacar@ | ||
3477 | - grunk@cvs.openbsd.org 2008/06/11 22:20:46 | ||
3478 | [ssh-keygen.c ssh-keygen.1] | ||
3479 | ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, | ||
3480 | that is not how it was envisioned. | ||
3481 | Also correct manpage saying that -v is needed along with -l for it to work. | ||
3482 | spotted by naddy@ | ||
3483 | - otto@cvs.openbsd.org 2008/06/11 23:02:22 | ||
3484 | [key.c] | ||
3485 | simpler way of computing the augmentations; ok grunk@ | ||
3486 | - grunk@cvs.openbsd.org 2008/06/11 23:03:56 | ||
3487 | [ssh_config.5] | ||
3488 | CheckHostIP set to ``fingerprint'' will display both hex and random art | ||
3489 | spotted by naddy@ | ||
3490 | - grunk@cvs.openbsd.org 2008/06/11 23:51:57 | ||
3491 | [key.c] | ||
3492 | #define statements that are not atoms need braces around them, else they | ||
3493 | will cause trouble in some cases. | ||
3494 | Also do a computation of -1 once, and not in a loop several times. | ||
3495 | spotted by otto@ | ||
3496 | - dtucker@cvs.openbsd.org 2008/06/12 00:03:49 | ||
3497 | [dns.c canohost.c sshconnect.c] | ||
3498 | Do not pass "0" strings as ports to getaddrinfo because the lookups | ||
3499 | can slow things down and we never use the service info anyway. bz | ||
3500 | #859, patch from YOSHIFUJI Hideaki and John Devitofranceschi. ok | ||
3501 | deraadt@ djm@ | ||
3502 | djm belives that the reason for the "0" strings is to ensure that | ||
3503 | it's not possible to call getaddrinfo with both host and port being | ||
3504 | NULL. In the case of canohost.c host is a local array. In the | ||
3505 | case of sshconnect.c, it's checked for null immediately before use. | ||
3506 | In dns.c it ultimately comes from ssh.c:main() and is guaranteed to | ||
3507 | be non-null but it's not obvious, so I added a warning message in | ||
3508 | case it is ever passed a null. | ||
3509 | - grunk@cvs.openbsd.org 2008/06/12 00:13:55 | ||
3510 | [sshconnect.c] | ||
3511 | Make ssh print the random art also when ssh'ing to a host using IP only. | ||
3512 | spotted by naddy@, ok and help djm@ dtucker@ | ||
3513 | - otto@cvs.openbsd.org 2008/06/12 00:13:13 | ||
3514 | [key.c] | ||
3515 | use an odd number of rows and columns and a separate start marker, looks | ||
3516 | better; ok grunk@ | ||
3517 | - djm@cvs.openbsd.org 2008/06/12 03:40:52 | ||
3518 | [clientloop.h mux.c channels.c clientloop.c channels.h] | ||
3519 | Enable ~ escapes for multiplex slave sessions; give each channel | ||
3520 | its own escape state and hook the escape filters up to muxed | ||
3521 | channels. bz #1331 | ||
3522 | Mux slaves do not currently support the ~^Z and ~& escapes. | ||
3523 | NB. this change cranks the mux protocol version, so a new ssh | ||
3524 | mux client will not be able to connect to a running old ssh | ||
3525 | mux master. | ||
3526 | ok dtucker@ | ||
3527 | - djm@cvs.openbsd.org 2008/06/12 04:06:00 | ||
3528 | [clientloop.h ssh.c clientloop.c] | ||
3529 | maintain an ordered queue of outstanding global requests that we | ||
3530 | expect replies to, similar to the per-channel confirmation queue. | ||
3531 | Use this queue to verify success or failure for remote forward | ||
3532 | establishment in a race free way. | ||
3533 | ok dtucker@ | ||
3534 | - djm@cvs.openbsd.org 2008/06/12 04:17:47 | ||
3535 | [clientloop.c] | ||
3536 | thall shalt not code past the eightieth column | ||
3537 | - djm@cvs.openbsd.org 2008/06/12 04:24:06 | ||
3538 | [ssh.c] | ||
3539 | thal shalt not code past the eightieth column | ||
3540 | - djm@cvs.openbsd.org 2008/06/12 05:15:41 | ||
3541 | [PROTOCOL] | ||
3542 | document tun@openssh.com forwarding method | ||
3543 | - djm@cvs.openbsd.org 2008/06/12 05:32:30 | ||
3544 | [mux.c] | ||
3545 | some more TODO for me | ||
3546 | - grunk@cvs.openbsd.org 2008/06/12 05:42:46 | ||
3547 | [key.c] | ||
3548 | supply the key type (rsa1, rsa, dsa) as a caption in the frame of the | ||
3549 | random art. while there, stress the fact that the field base should at | ||
3550 | least be 8 characters for the pictures to make sense. | ||
3551 | comment and ok djm@ | ||
3552 | - grunk@cvs.openbsd.org 2008/06/12 06:32:59 | ||
3553 | [key.c] | ||
3554 | We already mark the start of the worm, now also mark the end of the worm | ||
3555 | in our random art drawings. | ||
3556 | ok djm@ | ||
3557 | - djm@cvs.openbsd.org 2008/06/12 15:19:17 | ||
3558 | [clientloop.h channels.h clientloop.c channels.c mux.c] | ||
3559 | The multiplexing escape char handler commit last night introduced a | ||
3560 | small memory leak per session; plug it. | ||
3561 | - dtucker@cvs.openbsd.org 2008/06/12 16:35:31 | ||
3562 | [ssh_config.5 ssh.c] | ||
3563 | keyword expansion for localcommand. ok djm@ | ||
3564 | - jmc@cvs.openbsd.org 2008/06/12 19:10:09 | ||
3565 | [ssh_config.5 ssh-keygen.1] | ||
3566 | tweak the ascii art text; ok grunk | ||
3567 | - dtucker@cvs.openbsd.org 2008/06/12 20:38:28 | ||
3568 | [sshd.c sshconnect.c packet.h misc.c misc.h packet.c] | ||
3569 | Make keepalive timeouts apply while waiting for a packet, particularly | ||
3570 | during key renegotiation (bz #1363). With djm and Matt Day, ok djm@ | ||
3571 | - djm@cvs.openbsd.org 2008/06/12 20:47:04 | ||
3572 | [sftp-client.c] | ||
3573 | print extension revisions for extensions that we understand | ||
3574 | - djm@cvs.openbsd.org 2008/06/12 21:06:25 | ||
3575 | [clientloop.c] | ||
3576 | I was coalescing expected global request confirmation replies at | ||
3577 | the wrong end of the queue - fix; prompted by markus@ | ||
3578 | - grunk@cvs.openbsd.org 2008/06/12 21:14:46 | ||
3579 | [ssh-keygen.c] | ||
3580 | make ssh-keygen -lf show the key type just as ssh-add -l would do it | ||
3581 | ok djm@ markus@ | ||
3582 | - grunk@cvs.openbsd.org 2008/06/12 22:03:36 | ||
3583 | [key.c] | ||
3584 | add my copyright, ok djm@ | ||
3585 | - ian@cvs.openbsd.org 2008/06/12 23:24:58 | ||
3586 | [sshconnect.c] | ||
3587 | tweak wording in message, ok deraadt@ jmc@ | ||
3588 | - dtucker@cvs.openbsd.org 2008/06/13 00:12:02 | ||
3589 | [sftp.h log.h] | ||
3590 | replace __dead with __attribute__((noreturn)), makes things | ||
3591 | a little easier to port. Also, add it to sigdie(). ok djm@ | ||
3592 | - djm@cvs.openbsd.org 2008/06/13 00:16:49 | ||
3593 | [mux.c] | ||
3594 | fall back to creating a new TCP connection on most multiplexing errors | ||
3595 | (socket connect fail, invalid version, refused permittion, corrupted | ||
3596 | messages, etc.); bz #1329 ok dtucker@ | ||
3597 | - dtucker@cvs.openbsd.org 2008/06/13 00:47:53 | ||
3598 | [mux.c] | ||
3599 | upcast size_t to u_long to match format arg; ok djm@ | ||
3600 | - dtucker@cvs.openbsd.org 2008/06/13 00:51:47 | ||
3601 | [mac.c] | ||
3602 | upcast another size_t to u_long to match format | ||
3603 | - dtucker@cvs.openbsd.org 2008/06/13 01:38:23 | ||
3604 | [misc.c] | ||
3605 | upcast uid to long with matching %ld, prevents warnings in portable | ||
3606 | - djm@cvs.openbsd.org 2008/06/13 04:40:22 | ||
3607 | [auth2-pubkey.c auth-rhosts.c] | ||
3608 | refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not | ||
3609 | regular files; report from Solar Designer via Colin Watson in bz#1471 | ||
3610 | ok dtucker@ deraadt | ||
3611 | - (dtucker) [clientloop.c serverloop.c] channel_register_filter now | ||
3612 | takes 2 more args. with djm@ | ||
3613 | - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch | ||
3614 | from Todd Vierling. | ||
3615 | - (dtucker) [auth-sia.c] Bug #1241: support password expiry on Tru64 SIA | ||
3616 | systems. Patch from R. Scott Bailey. | ||
3617 | - (dtucker) [umac.c] STORE_UINT32_REVERSED and endian_convert are never used | ||
3618 | on big endian machines, so ifdef them for little-endian only to prevent | ||
3619 | unused function warnings on big-endians. | ||
3620 | - (dtucker) [openbsd-compat/setenv.c] Make offsets size_t to prevent | ||
3621 | compiler warnings on some platforms. Based on a discussion with otto@ | ||
3622 | |||
3623 | 20080611 | ||
3624 | - (djm) [channels.c configure.ac] | ||
3625 | Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no) | ||
3626 | bz#1464; ok dtucker | ||
3627 | |||
3628 | 20080610 | ||
3629 | - (dtucker) OpenBSD CVS Sync | ||
3630 | - djm@cvs.openbsd.org 2008/06/10 03:57:27 | ||
3631 | [servconf.c match.h sshd_config.5] | ||
3632 | support CIDR address matching in sshd_config "Match address" blocks, with | ||
3633 | full support for negation and fall-back to classic wildcard matching. | ||
3634 | For example: | ||
3635 | Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* | ||
3636 | PasswordAuthentication yes | ||
3637 | addrmatch.c code mostly lifted from flowd's addr.c | ||
3638 | feedback and ok dtucker@ | ||
3639 | - djm@cvs.openbsd.org 2008/06/10 04:17:46 | ||
3640 | [sshd_config.5] | ||
3641 | better reference for pattern-list | ||
3642 | - dtucker@cvs.openbsd.org 2008/06/10 04:50:25 | ||
3643 | [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8] | ||
3644 | Add extended test mode (-T) and connection parameters for test mode (-C). | ||
3645 | -T causes sshd to write its effective configuration to stdout and exit. | ||
3646 | -C causes any relevant Match rules to be applied before output. The | ||
3647 | combination allows tesing of the parser and config files. ok deraadt djm | ||
3648 | - jmc@cvs.openbsd.org 2008/06/10 07:12:00 | ||
3649 | [sshd_config.5] | ||
3650 | tweak previous; | ||
3651 | - jmc@cvs.openbsd.org 2008/06/10 08:17:40 | ||
3652 | [sshd.8 sshd.c] | ||
3653 | - update usage() | ||
3654 | - fix SYNOPSIS, and sort options | ||
3655 | - some minor additional fixes | ||
3656 | - dtucker@cvs.openbsd.org 2008/06/09 18:06:32 | ||
3657 | [regress/test-exec.sh] | ||
3658 | Don't generate putty keys if we're not going to use them. ok djm | ||
3659 | - dtucker@cvs.openbsd.org 2008/06/10 05:23:32 | ||
3660 | [regress/addrmatch.sh regress/Makefile] | ||
3661 | Regress test for Match CIDR rules. ok djm@ | ||
3662 | - dtucker@cvs.openbsd.org 2008/06/10 15:21:41 | ||
3663 | [test-exec.sh] | ||
3664 | Use a more portable construct for checking if we're running a putty test | ||
3665 | - dtucker@cvs.openbsd.org 2008/06/10 15:28:49 | ||
3666 | [test-exec.sh] | ||
3667 | Add quotes | ||
3668 | - dtucker@cvs.openbsd.org 2008/06/10 18:21:24 | ||
3669 | [ssh_config.5] | ||
3670 | clarify that Host patterns are space-separated. ok deraadt | ||
3671 | - djm@cvs.openbsd.org 2008/06/10 22:15:23 | ||
3672 | [PROTOCOL ssh.c serverloop.c] | ||
3673 | Add a no-more-sessions@openssh.com global request extension that the | ||
3674 | client sends when it knows that it will never request another session | ||
3675 | (i.e. when session multiplexing is disabled). This allows a server to | ||
3676 | disallow further session requests and terminate the session. | ||
3677 | Why would a non-multiplexing client ever issue additional session | ||
3678 | requests? It could have been attacked with something like SSH'jack: | ||
3679 | http://www.storm.net.nz/projects/7 | ||
3680 | feedback & ok markus | ||
3681 | - djm@cvs.openbsd.org 2008/06/10 23:06:19 | ||
3682 | [auth-options.c match.c servconf.c addrmatch.c sshd.8] | ||
3683 | support CIDR address matching in .ssh/authorized_keys from="..." stanzas | ||
3684 | ok and extensive testing dtucker@ | ||
3685 | - dtucker@cvs.openbsd.org 2008/06/10 23:21:34 | ||
3686 | [bufaux.c] | ||
3687 | Use '\0' for a nul byte rather than unadorned 0. ok djm@ | ||
3688 | - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 | ||
3689 | [Makefile regress/key-options.sh] | ||
3690 | Add regress test for key options. ok djm@ | ||
3691 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 | ||
3692 | since the new CIDR code in addmatch.c references it. | ||
3693 | - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 | ||
3694 | specific tests on platforms that don't do IPv6. | ||
3695 | - (dtucker) [Makefile.in] Define TEST_SSH_IPV6 in make's arguments as well | ||
3696 | as environment. | ||
3697 | - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now. | ||
3698 | |||
3699 | 20080609 | ||
3700 | - (dtucker) OpenBSD CVS Sync | ||
3701 | - dtucker@cvs.openbsd.org 2008/06/08 17:04:41 | ||
3702 | [sftp-server.c] | ||
3703 | Add case for ENOSYS in errno_to_portable; ok deraadt | ||
3704 | - dtucker@cvs.openbsd.org 2008/06/08 20:15:29 | ||
3705 | [sftp.c sftp-client.c sftp-client.h] | ||
3706 | Have the sftp client store the statvfs replies in wire format, | ||
3707 | which prevents problems when the server's native sizes exceed the | ||
3708 | client's. | ||
3709 | Also extends the sizes of the remaining 32bit wire format to 64bit, | ||
3710 | they're specified as unsigned long in the standard. | ||
3711 | - dtucker@cvs.openbsd.org 2008/06/09 13:02:39 | ||
3712 | [sftp-server.c] | ||
3713 | Extend 32bit -> 64bit values for statvfs extension missed in previous | ||
3714 | commit. | ||
3715 | - dtucker@cvs.openbsd.org 2008/06/09 13:38:46 | ||
3716 | [PROTOCOL] | ||
3717 | Use a $OpenBSD tag so our scripts will sync changes. | ||
3718 | |||
3719 | 20080608 | ||
3720 | - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c | ||
3721 | openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h | ||
3722 | openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and | ||
3723 | fstatvfs and remove #defines around statvfs code. ok djm@ | ||
3724 | - (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a | ||
3725 | macro to convert fsid to unsigned long for platforms where fsid is a | ||
3726 | 2-member array. | ||
3727 | |||
3728 | 20080607 | ||
3729 | - (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H. | ||
3730 | - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c] | ||
3731 | Do not enable statvfs extensions on platforms that do not have statvfs. | ||
3732 | - (dtucker) OpenBSD CVS Sync | ||
3733 | - djm@cvs.openbsd.org 2008/05/19 06:14:02 | ||
3734 | [packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@ | ||
3735 | - djm@cvs.openbsd.org 2008/05/19 15:45:07 | ||
3736 | [sshtty.c ttymodes.c sshpty.h] | ||
3737 | Fix sending tty modes when stdin is not a tty (bz#1199). Previously | ||
3738 | we would send the modes corresponding to a zeroed struct termios, | ||
3739 | whereas we should have been sending an empty list of modes. | ||
3740 | Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ | ||
3741 | - djm@cvs.openbsd.org 2008/05/19 15:46:31 | ||
3742 | [ssh-keygen.c] | ||
3743 | support -l (print fingerprint) in combination with -F (find host) to | ||
3744 | search for a host in ~/.ssh/known_hosts and display its fingerprint; | ||
3745 | ok markus@ | ||
3746 | - djm@cvs.openbsd.org 2008/05/19 20:53:52 | ||
3747 | [clientloop.c] | ||
3748 | unbreak tree by committing this bit that I missed from: | ||
3749 | Fix sending tty modes when stdin is not a tty (bz#1199). Previously | ||
3750 | we would send the modes corresponding to a zeroed struct termios, | ||
3751 | whereas we should have been sending an empty list of modes. | ||
3752 | Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ | ||
3753 | |||
3754 | 20080604 | ||
3755 | - (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias | ||
3756 | in arc4random_uniform with upper_bound in (2^30,2*31). Note that | ||
3757 | OpenSSH did not make requests with upper bounds in this range. | ||
3758 | |||
3759 | 20080519 | ||
3760 | - (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in] | ||
3761 | [openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h] | ||
3762 | Fix compilation on Linux, including pulling in fmt_scaled(3) | ||
3763 | implementation from OpenBSD's libutil. | ||
3764 | |||
3765 | 20080518 | ||
3766 | - (djm) OpenBSD CVS Sync | ||
3767 | - djm@cvs.openbsd.org 2008/04/04 05:14:38 | ||
3768 | [sshd_config.5] | ||
3769 | ChrootDirectory is supported in Match blocks (in fact, it is most useful | ||
3770 | there). Spotted by Minstrel AT minstrel.org.uk | ||
3771 | - djm@cvs.openbsd.org 2008/04/04 06:44:26 | ||
3772 | [sshd_config.5] | ||
3773 | oops, some unrelated stuff crept into that commit - backout. | ||
3774 | spotted by jmc@ | ||
3775 | - djm@cvs.openbsd.org 2008/04/05 02:46:02 | ||
3776 | [sshd_config.5] | ||
3777 | HostbasedAuthentication is supported under Match too | ||
3778 | - (djm) [openbsd-compat/bsd-arc4random.c openbsd-compat/openbsd-compat.c] | ||
3779 | [configure.ac] Implement arc4random_buf(), import implementation of | ||
3780 | arc4random_uniform() from OpenBSD | ||
3781 | - (djm) [openbsd-compat/bsd-arc4random.c] Warning fixes | ||
3782 | - (djm) [openbsd-compat/port-tun.c] needs sys/queue.h | ||
3783 | - (djm) OpenBSD CVS Sync | ||
3784 | - djm@cvs.openbsd.org 2008/04/13 00:22:17 | ||
3785 | [dh.c sshd.c] | ||
3786 | Use arc4random_buf() when requesting more than a single word of output | ||
3787 | Use arc4random_uniform() when the desired random number upper bound | ||
3788 | is not a power of two | ||
3789 | ok deraadt@ millert@ | ||
3790 | - djm@cvs.openbsd.org 2008/04/18 12:32:11 | ||
3791 | [sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h] | ||
3792 | introduce sftp extension methods statvfs@openssh.com and | ||
3793 | fstatvfs@openssh.com that implement statvfs(2)-like operations, | ||
3794 | based on a patch from miklos AT szeredi.hu (bz#1399) | ||
3795 | also add a "df" command to the sftp client that uses the | ||
3796 | statvfs@openssh.com to produce a df(1)-like display of filesystem | ||
3797 | space and inode utilisation | ||
3798 | ok markus@ | ||
3799 | - jmc@cvs.openbsd.org 2008/04/18 17:15:47 | ||
3800 | [sftp.1] | ||
3801 | macro fixage; | ||
3802 | - djm@cvs.openbsd.org 2008/04/18 22:01:33 | ||
3803 | [session.c] | ||
3804 | remove unneccessary parentheses | ||
3805 | - otto@cvs.openbsd.org 2008/04/29 11:20:31 | ||
3806 | [monitor_mm.h] | ||
3807 | garbage collect two unused fields in struct mm_master; ok markus@ | ||
3808 | - djm@cvs.openbsd.org 2008/04/30 10:14:03 | ||
3809 | [ssh-keyscan.1 ssh-keyscan.c] | ||
3810 | default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by | ||
3811 | larsnooden AT openoffice.org | ||
3812 | - pyr@cvs.openbsd.org 2008/05/07 05:49:37 | ||
3813 | [servconf.c servconf.h session.c sshd_config.5] | ||
3814 | Enable the AllowAgentForwarding option in sshd_config (global and match | ||
3815 | context), to specify if agents should be permitted on the server. | ||
3816 | As the man page states: | ||
3817 | ``Note that disabling Agent forwarding does not improve security | ||
3818 | unless users are also denied shell access, as they can always install | ||
3819 | their own forwarders.'' | ||
3820 | ok djm@, ok and a mild frown markus@ | ||
3821 | - pyr@cvs.openbsd.org 2008/05/07 06:43:35 | ||
3822 | [sshd_config] | ||
3823 | push the sshd_config bits in, spotted by ajacoutot@ | ||
3824 | - jmc@cvs.openbsd.org 2008/05/07 08:00:14 | ||
3825 | [sshd_config.5] | ||
3826 | sort; | ||
3827 | - markus@cvs.openbsd.org 2008/05/08 06:59:01 | ||
3828 | [bufaux.c buffer.h channels.c packet.c packet.h] | ||
3829 | avoid extra malloc/copy/free when receiving data over the net; | ||
3830 | ~10% speedup for localhost-scp; ok djm@ | ||
3831 | - djm@cvs.openbsd.org 2008/05/08 12:02:23 | ||
3832 | [auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c] | ||
3833 | [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c] | ||
3834 | [ssh.c sshd.c] | ||
3835 | Implement a channel success/failure status confirmation callback | ||
3836 | mechanism. Each channel maintains a queue of callbacks, which will | ||
3837 | be drained in order (RFC4253 guarantees confirm messages are not | ||
3838 | reordered within an channel). | ||
3839 | Also includes a abandonment callback to clean up if a channel is | ||
3840 | closed without sending confirmation messages. This probably | ||
3841 | shouldn't happen in compliant implementations, but it could be | ||
3842 | abused to leak memory. | ||
3843 | ok markus@ (as part of a larger diff) | ||
3844 | - djm@cvs.openbsd.org 2008/05/08 12:21:16 | ||
3845 | [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] | ||
3846 | [sshd_config sshd_config.5] | ||
3847 | Make the maximum number of sessions run-time controllable via | ||
3848 | a sshd_config MaxSessions knob. This is useful for disabling | ||
3849 | login/shell/subsystem access while leaving port-forwarding working | ||
3850 | (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or | ||
3851 | simply increasing the number of allows multiplexed sessions. | ||
3852 | Because some bozos are sure to configure MaxSessions in excess of the | ||
3853 | number of available file descriptors in sshd (which, at peak, might be | ||
3854 | as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds | ||
3855 | on error paths, and make it fail gracefully on out-of-fd conditions - | ||
3856 | sending channel errors instead of than exiting with fatal(). | ||
3857 | bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com | ||
3858 | ok markus@ | ||
3859 | - djm@cvs.openbsd.org 2008/05/08 13:06:11 | ||
3860 | [clientloop.c clientloop.h ssh.c] | ||
3861 | Use new channel status confirmation callback system to properly deal | ||
3862 | with "important" channel requests that fail, in particular command exec, | ||
3863 | shell and subsystem requests. Previously we would optimistically assume | ||
3864 | that the requests would always succeed, which could cause hangs if they | ||
3865 | did not (e.g. when the server runs out of fds) or were unimplemented by | ||
3866 | the server (bz #1384) | ||
3867 | Also, properly report failing multiplex channel requests via the mux | ||
3868 | client stderr (subject to LogLevel in the mux master) - better than | ||
3869 | silently failing. | ||
3870 | most bits ok markus@ (as part of a larger diff) | ||
3871 | - djm@cvs.openbsd.org 2008/05/09 04:55:56 | ||
3872 | [channels.c channels.h clientloop.c serverloop.c] | ||
3873 | Try additional addresses when connecting to a port forward destination | ||
3874 | whose DNS name resolves to more than one address. The previous behaviour | ||
3875 | was to try the first address and give up. | ||
3876 | Reported by stig AT venaas.com in bz#343 | ||
3877 | great feedback and ok markus@ | ||
3878 | - djm@cvs.openbsd.org 2008/05/09 14:18:44 | ||
3879 | [clientloop.c clientloop.h ssh.c mux.c] | ||
3880 | tidy up session multiplexing code, moving it into its own file and | ||
3881 | making the function names more consistent - making ssh.c and | ||
3882 | clientloop.c a fair bit more readable. | ||
3883 | ok markus@ | ||
3884 | - djm@cvs.openbsd.org 2008/05/09 14:26:08 | ||
3885 | [ssh.c] | ||
3886 | dingo stole my diff hunk | ||
3887 | - markus@cvs.openbsd.org 2008/05/09 16:16:06 | ||
3888 | [session.c] | ||
3889 | re-add the USE_PIPES code and enable it. | ||
3890 | without pipes shutdown-read from the sshd does not trigger | ||
3891 | a SIGPIPE when the forked program does a write. | ||
3892 | ok djm@ | ||
3893 | (Id sync only, USE_PIPES never left portable OpenSSH) | ||
3894 | - markus@cvs.openbsd.org 2008/05/09 16:17:51 | ||
3895 | [channels.c] | ||
3896 | error-fd race: don't enable the error fd in the select bitmask | ||
3897 | for channels with both in- and output closed, since the channel | ||
3898 | will go away before we call select(); | ||
3899 | report, lots of debugging help and ok djm@ | ||
3900 | - markus@cvs.openbsd.org 2008/05/09 16:21:13 | ||
3901 | [channels.h clientloop.c nchan.c serverloop.c] | ||
3902 | unbreak | ||
3903 | ssh -2 localhost od /bin/ls | true | ||
3904 | ignoring SIGPIPE by adding a new channel message (EOW) that signals | ||
3905 | the peer that we're not interested in any data it might send. | ||
3906 | fixes bz #85; discussion, debugging and ok djm@ | ||
3907 | - pvalchev@cvs.openbsd.org 2008/05/12 20:52:20 | ||
3908 | [umac.c] | ||
3909 | Ensure nh_result lies on a 64-bit boundary (fixes warnings observed | ||
3910 | on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@ | ||
3911 | - djm@cvs.openbsd.org 2008/05/15 23:52:24 | ||
3912 | [nchan2.ms] | ||
3913 | document eow message in ssh protocol 2 channel state machine; | ||
3914 | feedback and ok markus@ | ||
3915 | - djm@cvs.openbsd.org 2008/05/18 21:29:05 | ||
3916 | [sftp-server.c] | ||
3917 | comment extension announcement | ||
3918 | - djm@cvs.openbsd.org 2008/05/16 08:30:42 | ||
3919 | [PROTOCOL] | ||
3920 | document our protocol extensions and deviations; ok markus@ | ||
3921 | - djm@cvs.openbsd.org 2008/05/17 01:31:56 | ||
3922 | [PROTOCOL] | ||
3923 | grammar and correctness fixes from stevesk@ | ||
3924 | |||
3925 | 20080403 | ||
3926 | - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- | ||
3927 | time warnings on LynxOS. Patch from ops AT iki.fi | ||
3928 | - (djm) Force string arguments to replacement setproctitle() though | ||
3929 | strnvis first. Ok dtucker@ | ||
3930 | |||
3931 | 20080403 | ||
3932 | - (djm) OpenBSD CVS sync: | ||
3933 | - markus@cvs.openbsd.org 2008/04/02 15:36:51 | ||
3934 | [channels.c] | ||
3935 | avoid possible hijacking of x11-forwarded connections (back out 1.183) | ||
3936 | CVE-2008-1483; ok djm@ | ||
3937 | - jmc@cvs.openbsd.org 2008/03/27 22:37:57 | ||
3938 | [sshd.8] | ||
3939 | remove trailing whitespace; | ||
3940 | - djm@cvs.openbsd.org 2008/04/03 09:50:14 | ||
3941 | [version.h] | ||
3942 | openssh-5.0 | ||
3943 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | ||
3944 | [contrib/suse/openssh.spec] Crank version numbers in RPM spec files | ||
3945 | - (djm) [README] Update link to release notes | ||
3946 | - (djm) Release 5.0p1 | ||
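Review bot: The deleted region carries the only in-tree ChangeLog references to several security fixes, notably the 2008/04/02 channels.c entry for CVE-2008-1483 ("avoid possible hijacking of x11-forwarded connections") and the 2008/06/13 auth2-pubkey.c/auth-rhosts.c entry for bz#1471 (refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not regular files), along with the arc4random_uniform bias fix of 20080604. Trimming them is fine for file size, but consider adding a one-line pointer at the head of ChangeLog saying where the pre-5.5p1 history can still be found (the repository history), so that anyone auditing which CVE or bz fixes a given release contains is not left with a ChangeLog that silently starts mid-stream.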