summaryrefslogtreecommitdiff
path: root/ChangeLog
diff options
context:
space:
mode:
Diffstat (limited to 'ChangeLog')
-rw-r--r--ChangeLog370
1 files changed, 369 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index f2b96c37b..93555e518 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,371 @@
120070817
2 - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked
3 accounts and that's what the code looks for, so make man page and code
4 agree. Pointed out by Roumen Petrov.
5 - (dtucker) [INSTALL] Group the parts describing random options and PAM
6 implementations together which is hopefully more coherent.
7 - (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid.
8 - (dtucker) [INSTALL] Give PAM its own heading.
9 - (dtucker) [INSTALL] Link to tcpwrappers.
10
1120070816
12 - (dtucker) [session.c] Call PAM cleanup functions for unauthenticated
13 connections too. Based on a patch from Sandro Wefel, with & ok djm@
14
1520070815
16 - (dtucker) OpenBSD CVS Sync
17 - markus@cvs.openbsd.org 2007/08/15 08:14:46
18 [clientloop.c]
19 do NOT fall back to the trused x11 cookie if generation of an untrusted
20 cookie fails; from Jan Pechanec, via security-alert at sun.com;
21 ok dtucker
22 - markus@cvs.openbsd.org 2007/08/15 08:16:49
23 [version.h]
24 openssh 4.7
25 - stevesk@cvs.openbsd.org 2007/08/15 12:13:41
26 [ssh_config.5]
27 tun device forwarding now honours ExitOnForwardFailure; ok markus@
28 - (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler.
29 ok djm@
30 - (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec
31 contrib/suse/openssh.spec] Crank version.
32
3320070813
34 - (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always
35 called with PAM_ESTABLISH_CRED at least once, which resolves a problem
36 with pam_dhkeys. Patch from David Leonard, ok djm@
37
3820070810
39 - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@
40 - (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From
41 Matt Kraai, ok djm@
42
4320070809
44 - (dtucker) [openbsd-compat/port-aix.c] Comment typo.
45 - (dtucker) [README.platform] Document the interaction between PermitRootLogin
46 and the AIX native login restrictions.
47 - (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't
48 used anywhere and are a potential source of warnings.
49
5020070808
51 - (djm) OpenBSD CVS Sync
52 - ray@cvs.openbsd.org 2007/07/12 05:48:05
53 [key.c]
54 Delint: remove some unreachable statements, from Bret Lambert.
55 OK markus@ and dtucker@.
56 - sobrado@cvs.openbsd.org 2007/08/06 19:16:06
57 [scp.1 scp.c]
58 the ellipsis is not an optional argument; while here, sync the usage
59 and synopsis of commands
60 lots of good ideas by jmc@
61 ok jmc@
62 - djm@cvs.openbsd.org 2007/08/07 07:32:53
63 [clientloop.c clientloop.h ssh.c]
64 bz#1232: ensure that any specified LocalCommand is executed after the
65 tunnel device is opened. Also, make failures to open a tunnel device
66 fatal when ExitOnForwardFailure is active.
67 Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt
68
6920070724
70 - (tim) [openssh.xml.in] make FMRI match what package scripts use.
71 - (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call.
72 Report/patch by David.Leonard AT quest.com (and Bernhard Simon)
73 - (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5)
74 - (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}|
75
7620070628
77 - (djm) bz#1325: Fix SELinux in permissive mode where it would
78 incorrectly fatal() on errors. patch from cjwatson AT debian.org;
79 ok dtucker
80
8120070625
82 - (dtucker) OpenBSD CVS Sync
83 - djm@cvs.openbsd.org 2007/06/13 00:21:27
84 [scp.c]
85 don't ftruncate() non-regular files; bz#1236 reported by wood AT
86 xmission.com; ok dtucker@
87 - djm@cvs.openbsd.org 2007/06/14 21:43:25
88 [ssh.c]
89 handle EINTR when waiting for mux exit status properly
90 - djm@cvs.openbsd.org 2007/06/14 22:48:05
91 [ssh.c]
92 when waiting for the multiplex exit status, read until the master end
93 writes an entire int of data *and* closes the client_fd; fixes mux
94 regression spotted by dtucker, ok dtucker@
95 - djm@cvs.openbsd.org 2007/06/19 02:04:43
96 [atomicio.c]
97 if the fd passed to atomicio/atomiciov() is non blocking, then poll() to
98 avoid a spin if it is not yet ready for reading/writing; ok dtucker@
99 - dtucker@cvs.openbsd.org 2007/06/25 08:20:03
100 [channels.c]
101 Correct test for window updates every three packets; prevents sending
102 window updates for every single packet. ok markus@
103 - dtucker@cvs.openbsd.org 2007/06/25 12:02:27
104 [atomicio.c]
105 Include <poll.h> like the man page says rather than <sys/poll.h>. ok djm@
106 - (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match
107 atomicio.
108 - (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in
109 openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h]
110 Add an implementation of poll() built on top of select(2). Code from
111 OpenNTPD with changes suggested by djm. ok djm@
112
11320070614
114 - (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the
115 USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be
116 shared with umac.c. Allows building with OpenSSL 0.9.5 again including
117 umac support. With tim@ djm@, ok djm.
118 - (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL
119 sections. Fixes builds with early OpenSSL 0.9.6 versions.
120 - (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition
121 of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the
122 subsequent <0.9.7 test.
123
12420070612
125 - (dtucker) OpenBSD CVS Sync
126 - markus@cvs.openbsd.org 2007/06/11 09:14:00
127 [channels.h]
128 increase default channel windows; ok djm
129 - djm@cvs.openbsd.org 2007/06/12 07:41:00
130 [ssh-add.1]
131 better document ssh-add's -d option (delete identies from agent), bz#1224
132 new text based on some provided by andrewmc-debian AT celt.dias.ie;
133 ok dtucker@
134 - djm@cvs.openbsd.org 2007/06/12 08:20:00
135 [ssh-gss.h gss-serv.c gss-genr.c]
136 relocate server-only GSSAPI code from libssh to server; bz #1225
137 patch from simon AT sxw.org.uk; ok markus@ dtucker@
138 - djm@cvs.openbsd.org 2007/06/12 08:24:20
139 [scp.c]
140 make scp try to skip FIFOs rather than blocking when nothing is listening.
141 depends on the platform supporting sane O_NONBLOCK semantics for open
142 on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
143 bz #856; report by cjwatson AT debian.org; ok markus@
144 - djm@cvs.openbsd.org 2007/06/12 11:11:08
145 [ssh.c]
146 fix slave exit value when a control master goes away without passing the
147 full exit status by ensuring that the slave reads a full int. bz#1261
148 reported by frekko AT gmail.com; ok markus@ dtucker@
149 - djm@cvs.openbsd.org 2007/06/12 11:15:17
150 [ssh.c ssh.1]
151 Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
152 GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
153 and is useful for hosts with /home on Kerberised NFS; bz #1312
154 patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
155 - djm@cvs.openbsd.org 2007/06/12 11:45:27
156 [ssh.c]
157 improved exit message from multiplex slave sessions; bz #1262
158 reported by alexandre.nunes AT gmail.com; ok dtucker@
159 - dtucker@cvs.openbsd.org 2007/06/12 11:56:15
160 [gss-genr.c]
161 Pass GSS OID to gss_display_status to provide better information in
162 error messages. Patch from Simon Wilkinson via bz 1220. ok djm@
163 - jmc@cvs.openbsd.org 2007/06/12 13:41:03
164 [ssh-add.1]
165 identies -> identities;
166 - jmc@cvs.openbsd.org 2007/06/12 13:43:55
167 [ssh.1]
168 add -K to SYNOPSIS;
169 - dtucker@cvs.openbsd.org 2007/06/12 13:54:28
170 [scp.c]
171 Encode filename with strnvis if the name contains a newline (which can't
172 be represented in the scp protocol), from bz #891. ok markus@
173
17420070611
175 - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit
176 fix; tested by dtucker@ and jochen.kirn AT gmail.com
177 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
178 [kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
179 [ssh_config.5 sshd.8 sshd_config.5]
180 Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
181 must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
182 compared to hmac-md5. Represents a different approach to message
183 authentication to that of HMAC that may be beneficial if HMAC based on
184 one of its underlying hash algorithms is found to be vulnerable to a
185 new attack. http://www.ietf.org/rfc/rfc4418.txt
186 in conjunction with and OK djm@
187 - pvalchev@cvs.openbsd.org 2007/06/08 04:40:40
188 [ssh_config]
189 Add a "MACs" line after "Ciphers" with the default MAC algorithms,
190 to ease people who want to tweak both (eg. for performance reasons).
191 ok deraadt@ djm@ dtucker@
192 - jmc@cvs.openbsd.org 2007/06/08 07:43:46
193 [ssh_config.5]
194 put the MAC list into a display, like we do for ciphers,
195 since groff has trouble handling wide lines;
196 - jmc@cvs.openbsd.org 2007/06/08 07:48:09
197 [sshd_config.5]
198 oops, here too: put the MAC list into a display, like we do for
199 ciphers, since groff has trouble with wide lines;
200 - markus@cvs.openbsd.org 2007/06/11 08:04:44
201 [channels.c]
202 send 'window adjust' messages every tree packets and do not wait
203 until 50% of the window is consumed. ok djm dtucker
204 - (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then
205 fallback to provided bit-swizzing functions
206 - (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder"
207 argument to nanosleep may be NULL. Currently this never happens in OpenSSH,
208 but check anyway in case this changes or the code gets used elsewhere.
209 - (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should
210 prevent warnings about redefinitions of various things in paths.h.
211 Spotted by cartmanltd at hotmail.com.
212
21320070605
214 - (dtucker) OpenBSD CVS Sync
215 - djm@cvs.openbsd.org 2007/05/22 10:18:52
216 [sshd.c]
217 zap double include; from p_nowaczyk AT o2.pl
218 (not required in -portable, Id sync only)
219 - djm@cvs.openbsd.org 2007/05/30 05:58:13
220 [kex.c]
221 tidy: KNF, ARGSUSED and u_int
222 - jmc@cvs.openbsd.org 2007/05/31 19:20:16
223 [scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
224 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
225 convert to new .Dd format;
226 (We will need to teach mdoc2man.awk to understand this too.)
227 - djm@cvs.openbsd.org 2007/05/31 23:34:29
228 [packet.c]
229 gc unreachable code; spotted by Tavis Ormandy
230 - djm@cvs.openbsd.org 2007/06/02 09:04:58
231 [bufbn.c]
232 memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca
233 - djm@cvs.openbsd.org 2007/06/05 06:52:37
234 [kex.c monitor_wrap.c packet.c mac.h kex.h mac.c]
235 Preserve MAC ctx between packets, saving 2xhash calls per-packet.
236 Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
237 patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
238 committing at his request)
239 - (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that
240 OpenBSD's cvs now adds.
241 - (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so
242 mindrot's cvs doesn't expand it on us.
243 - (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs.
244
24520070520
246 - (dtucker) OpenBSD CVS Sync
247 - stevesk@cvs.openbsd.org 2007/04/14 22:01:58
248 [auth2.c]
249 remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
250 - stevesk@cvs.openbsd.org 2007/04/18 01:12:43
251 [sftp-server.c]
252 cast "%llu" format spec to (unsigned long long); do not assume a
253 u_int64_t arg is the same as 'unsigned long long'.
254 from Dmitry V. Levin <ldv@altlinux.org>
255 ok markus@ 'Yes, that looks correct' millert@
256 - dtucker@cvs.openbsd.org 2007/04/23 10:15:39
257 [servconf.c]
258 Remove debug() left over from development. ok deraadt@
259 - djm@cvs.openbsd.org 2007/05/17 07:50:31
260 [log.c]
261 save and restore errno when logging; ok deraadt@
262 - djm@cvs.openbsd.org 2007/05/17 07:55:29
263 [sftp-server.c]
264 bz#1286 stop reading and processing commands when input or output buffer
265 is nearly full, otherwise sftp-server would happily try to grow the
266 input/output buffers past the maximum supported by the buffer API and
267 promptly fatal()
268 based on patch from Thue Janus Kristensen; feedback & ok dtucker@
269 - djm@cvs.openbsd.org 2007/05/17 20:48:13
270 [sshconnect2.c]
271 fall back to gethostname() when the outgoing connection is not
272 on a socket, such as is the case when ProxyCommand is used.
273 Gives hostbased auth an opportunity to work; bz#616, report
274 and feedback stuart AT kaloram.com; ok markus@
275 - djm@cvs.openbsd.org 2007/05/17 20:52:13
276 [monitor.c]
277 pass received SIGINT from monitor to postauth child so it can clean
278 up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
279 ok markus@
280 - jolan@cvs.openbsd.org 2007/05/17 23:53:41
281 [sshconnect2.c]
282 djm owes me a vb and a tism cd for breaking ssh compilation
283 - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from
284 ldv at altlinux.org.
285 - (dtucker) [auth-pam.c] Return empty string if fgets fails in
286 sshpam_tty_conv. Patch from ldv at altlinux.org.
287
28820070509
289 - (tim) [configure.ac] Bug #1287: Add missing test for ucred.h.
290
29120070429
292 - (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h
293 for select(2) prototype.
294 - (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype.
295 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the
296 platform's _res if it has one. Should fix problem of DNSSEC record lookups
297 on NetBSD as reported by Curt Sampson.
298 - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
299 - (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS
300 so we don't get redefinition warnings.
301 - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
302 - (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__
303 __nonnull__ for versions of GCC that don't support it.
304 - (dtucker) [configure.ac defines.h] Have configure check for offsetof
305 to prevent redefinition warnings.
306
30720070406
308 - (dtucker) [INSTALL] Update the systems that have PAM as standard. Link
309 to OpenPAM too.
310 - (dtucker) [INSTALL] prngd lives at sourceforge these days.
311
31220070326
313 - (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c
314 openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines
315 to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@
316
31720070325
318 - (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX,
319 LIBWRAP and LIBPAM variables in Makefile with the general-purpose
320 SSHDLIBS. "I like" djm@
321
32220070321
323 - (dtucker) OpenBSD CVS Sync
324 - dtucker@cvs.openbsd.org 2007/03/09 05:20:06
325 [servconf.c sshd.c]
326 Move C/R -> kbdint special case to after the defaults have been
327 loaded, which makes ChallengeResponse default to yes again. This
328 was broken by the Match changes and not fixed properly subsequently.
329 Found by okan at demirmen.com, ok djm@ "please do it" deraadt@
330 - djm@cvs.openbsd.org 2007/03/19 01:01:29
331 [sshd_config]
332 Disable the legacy SSH protocol 1 for new installations via
333 a configuration override. In the future, we will change the
334 server's default itself so users who need the legacy protocol
335 will need to turn it on explicitly
336 - dtucker@cvs.openbsd.org 2007/03/19 12:16:42
337 [ssh-agent.c]
338 Remove the signal handler that checks if the agent's parent process
339 has gone away, instead check when the select loop returns. Record when
340 the next key will expire when scanning for expired keys. Set the select
341 timeout to whichever of these two things happens next. With djm@, with &
342 ok deraadt@ markus@
343 - tedu@cvs.openbsd.org 2007/03/20 03:56:12
344 [readconf.c clientloop.c]
345 remove some bogus *p tests from charles longeau
346 ok deraadt millert
347 - jmc@cvs.openbsd.org 2007/03/20 15:57:15
348 [sshd.8]
349 - let synopsis and description agree for -f
350 - sort FILES
351 - +.Xr ssh-keyscan 1 ,
352 from Igor Sobrado
353 - (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use
354 getpeerucred to implement getpeereid (currently only Solaris 10 and up).
355 Patch by Jan.Pechanec at Sun.
356 - (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have
357 HAVE_GETPEERUCRED too. Also from Jan Pechanec.
358
35920070313
360 - (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include
361 string.h to prevent warnings, from vapier at gentoo.org.
362 - (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the
363 selinux bits in -portable.
364 - (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in
365 bug #1291 also affects Protocol 1 3des. While at it, use compat-openssl.h
366 in cipher-bf1.c. Patch from Juan Gallego.
367 - (dtucker) [README.platform] Info about blibpath on AIX.
368
120070306 36920070306
2 - (djm) OpenBSD CVS Sync 370 - (djm) OpenBSD CVS Sync
3 - jmc@cvs.openbsd.org 2007/03/01 16:19:33 371 - jmc@cvs.openbsd.org 2007/03/01 16:19:33
@@ -2816,4 +3184,4 @@
2816 OpenServer 6 and add osr5bigcrypt support so when someone migrates 3184 OpenServer 6 and add osr5bigcrypt support so when someone migrates
2817 passwords between UnixWare and OpenServer they will still work. OK dtucker@ 3185 passwords between UnixWare and OpenServer they will still work. OK dtucker@
2818 3186
2819$Id: ChangeLog,v 1.4635.2.1 2007/03/06 10:27:55 djm Exp $ 3187$Id: ChangeLog,v 1.4738.2.1 2007/09/04 06:49:09 djm Exp $