* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 10 insertions, 8 deletions

diff --git a/readconf.c b/readconf.c
index 163244ed9..487c3399b 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.177 2009/06/27 09:35:06 andreas Exp $ */
+/* $OpenBSD: readconf.c,v 1.183 2010/02/08 10:50:20 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -126,7 +126,7 @@ typedef enum {
         oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
         oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
         oUseBlacklistedKeys,
-        oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
+        oHostKeyAlgorithms, oBindAddress, oPKCS11Provider,
         oClearAllForwardings, oNoHostAuthenticationForLocalhost,
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
         oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -219,10 +219,12 @@ static struct {
         { "preferredauthentications", oPreferredAuthentications },
         { "hostkeyalgorithms", oHostKeyAlgorithms },
         { "bindaddress", oBindAddress },
-#ifdef SMARTCARD
-        { "smartcarddevice", oSmartcardDevice },
+#ifdef ENABLE_PKCS11
+        { "smartcarddevice", oPKCS11Provider },
+        { "pkcs11provider", oPKCS11Provider },
 #else
         { "smartcarddevice", oUnsupported },
+        { "pkcs11provider", oUnsupported },
 #endif
         { "clearallforwardings", oClearAllForwardings },
         { "enablesshkeysign", oEnableSSHKeysign },
@@ -645,8 +647,8 @@ parse_string:
                 charptr = &options->bind_address;
                 goto parse_string;
 
-        case oSmartcardDevice:
-                charptr = &options->smartcard_device;
+        case oPKCS11Provider:
+                charptr = &options->pkcs11_provider;
                 goto parse_string;
 
         case oProxyCommand:
@@ -1113,7 +1115,7 @@ initialize_options(Options * options)
         options->log_level = SYSLOG_LEVEL_NOT_SET;
         options->preferred_authentications = NULL;
         options->bind_address = NULL;
-        options->smartcard_device = NULL;
+        options->pkcs11_provider = NULL;
         options->enable_ssh_keysign = - 1;
         options->no_host_authentication_for_localhost = - 1;
         options->identities_only = - 1;
@@ -1212,7 +1214,7 @@ fill_default_options(Options * options)
         /* options->macs, default set in myproposals.h */
         /* options->hostkeyalgorithms, default set in myproposals.h */
         if (options->protocol == SSH_PROTO_UNKNOWN)
-                options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+                options->protocol = SSH_PROTO_2;
         if (options->num_identity_files == 0) {
                 if (options->protocol & SSH_PROTO_1) {
                         len = 2 + strlen(_PATH_SSH_CLIENT_IDENTITY) + 1;