summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-03-03 - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here tooDamien Miller
2010-03-03 - djm@cvs.openbsd.org 2010/03/02 23:20:57Damien Miller
[ssh-keygen.c] POSIX strptime is stricter than OpenBSD's so do a little dance to appease it.
2010-03-03 - djm@cvs.openbsd.org 2010/03/02 23:20:57Damien Miller
[ssh-keygen.c] POSIX strptime is stricter than OpenBSD's so do a little dance to appease it.
2010-03-03 - otto@cvs.openbsd.org 2010/03/01 11:07:06Damien Miller
[ssh-add.c] zap what seems to be a left-over debug message; ok markus@
2010-03-03 - jmc@cvs.openbsd.org 2010/02/26 22:09:28Damien Miller
[ssh-keygen.1 ssh.1 sshd.8] tweak previous;
2010-03-03 - (djm) [PROTOCOL.certkeys] Add RCS IdentDamien Miller
2010-03-01 - (tim) [config.guess config.sub] Bug 1722: Update to latest versions fromTim Rice
http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22 respectively).
2010-03-01 - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOMDarren Tucker
adjust log at verbose only, since according to cjwatson in bug #1470 some virtualization platforms don't allow writes.
2010-03-01 - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} ReplaceDarren Tucker
"echo -n" with "echon" for portability.
2010-02-28 - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functionsTim Rice
to make older compilers (gcc 2.95) happy.
2010-03-01 - (djm) [auth.c] On Cygwin, refuse usernames that have differences inDamien Miller
case from that matched in the system password database. On this platform, passwords are stored case-insensitively, but sshd requires exact case matching for Match blocks in sshd_config(5). Based on a patch from vinschen AT redhat.com.
2010-02-28 - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environmentDamien Miller
variables copied into sshd child processes. From vinschen AT redhat.com
2010-02-28- (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seededDamien Miller
2010-02-27 - djm@cvs.openbsd.org 2010/02/26 20:33:21Damien Miller
[Makefile regress/cert-hostkey.sh regress/cert-userkey.sh] regression tests for certified keys
2010-02-27 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2010/02/26 20:29:54 [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c] [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c] [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c] [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c] [sshconnect2.c sshd.8 sshd.c sshd_config.5] Add support for certificate key types for users and hosts. OpenSSH certificate key types are not X.509 certificates, but a much simpler format that encodes a public key, identity information and some validity constraints and signs it with a CA key. CA keys are regular SSH keys. This certificate style avoids the attack surface of X.509 certificates and is very easy to deploy. Certified host keys allow automatic acceptance of new host keys when a CA certificate is marked as sh/known_hosts. see VERIFYING HOST KEYS in ssh(1) for details. Certified user keys allow authentication of users when the signing CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS FILE FORMAT" in sshd(8) for details. Certificates are minted using ssh-keygen(1), documentation is in the "CERTIFICATES" section of that manpage. Documentation on the format of certificates is in the file PROTOCOL.certkeys feedback and ok markus@
2010-02-24contrib/caldera/openssh.specDamien Miller
contrib/redhat/openssh.spec contrib/suse/openssh.spec
2010-02-24 - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helperDamien Miller
2010-02-24 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04Damien Miller
[regress/Makefile keygen-convert.sh] add regression test for ssh-keygen pubkey conversions
2010-02-24 - markus@cvs.openbsd.org 2010/02/08 10:52:47Damien Miller
[regress/agent-pkcs11.sh] test for PKCS#11 support (currently disabled)
2010-02-24 - djm@cvs.openbsd.org 2010/02/24 06:21:56Damien Miller
[regress/test-exec.sh] wait for sshd to fully stop in cleanup() function; avoids races in tests that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
2010-02-24 - djm@cvs.openbsd.org 2010/02/09 06:29:02Damien Miller
[regress/Makefile] turn on all the malloc(3) checking options when running regression tests. this has caught a few bugs for me in the past; ok dtucker@
2010-02-24 - djm@cvs.openbsd.org 2010/02/09 04:57:36Damien Miller
[regress/addrmatch.sh] clean up droppings
2010-02-24 - dtucker@cvs.openbsd.org 2010/01/11 02:53:44Damien Miller
[regress/forwarding.sh] regress test for stdio forwarding
2010-02-24 - dtucker@cvs.openbsd.org 2009/11/09 04:20:04Damien Miller
[regress/Makefile] add regression test for ssh-keygen pubkey conversions
2010-02-24 - djm@cvs.openbsd.org 2010/02/11 20:37:47Damien Miller
[pathnames.h] correct comment
2010-02-24 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller
[ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
2010-02-12- (djm) [configure.ac] Enable PKCS#11 support only when we find a workingDamien Miller
dlopen()
2010-02-12 - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller
Use ssh_get_progname to fill __progname
2010-02-12 - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]Damien Miller
Make it compile on OSX
2010-02-12 - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]Damien Miller
[scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java] Remove obsolete smartcard support
2010-02-12 - jmc@cvs.openbsd.org 2010/02/11 13:23:29Damien Miller
[ssh.1] libarary -> library;
2010-02-12 - markus@cvs.openbsd.org 2010/02/10 23:20:38Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5] pkcs#11 is no longer optional; improve wording; ok jmc@
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 06:18:46Damien Miller
[auth.c] unbreak ChrootDirectory+internal-sftp by skipping check for executable shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 03:56:28Damien Miller
[buffer.c buffer.h] constify the arguments to buffer_len, buffer_ptr and buffer_dump
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 00:50:59Damien Miller
[ssh-keygen.c] fix -Wall
2010-02-12 - djm@cvs.openbsd.org 2010/02/09 00:50:36Damien Miller
[ssh-agent.c] fallout from PKCS#11: unbreak -D
2010-02-12 - jmc@cvs.openbsd.org 2010/02/08 22:03:05Damien Miller
[ssh-add.1 ssh-keygen.1 ssh.1 ssh.c] tweak previous; ok markus
2010-02-12 - markus@cvs.openbsd.org 2010/02/08 10:50:20Damien Miller
[pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c] [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5] replace our obsolete smartcard code with PKCS#11. ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11 provider (shared library) while ssh-agent(1) delegates PKCS#11 to a forked a ssh-pkcs11-helper process. PKCS#11 is currently a compile time option. feedback and ok djm@; inspired by patches from Alon Bar-Lev `
2010-02-12 - djm@cvs.openbsd.org 2010/02/02 22:49:34Damien Miller
[bufaux.c] make buffer_get_string_ret() really non-fatal in all cases (it was using buffer_get_int(), which could fatal() on buffer empty); ok markus dtucker
2010-02-10 - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS forDamien Miller
getseuserbyname; patch from calebcase AT gmail.com via cjwatson AT debian.org
2010-02-10This should have gone in with the multiplexing merge, but I dropped itDamien Miller
at the time.
2010-02-02 - djm@cvs.openbsd.org 2010/01/30 21:12:08Damien Miller
[channels.c] fake local addr:port when stdio fowarding as some servers (Tectia at least) validate that they are well-formed; reported by imorgan AT nas.nasa.gov ok dtucker
2010-02-02 - djm@cvs.openbsd.org 2010/01/30 21:08:33Damien Miller
[sshd.8] debug output goes to stderr, not "the system log"; ok markus dtucker
2010-01-30 - djm@cvs.openbsd.org 2010/01/30 02:54:53Damien Miller
[mux.c] don't mark channel as read failed if it is already closing; suppresses harmless error messages when connecting to SSH.COM Tectia server report by imorgan AT nas.nasa.gov
2010-01-30 - djm@cvs.openbsd.org 2010/01/29 20:16:17Damien Miller
[mux.c] kill correct channel (was killing already-dead mux channel, not its session channel)
2010-01-30 - djm@cvs.openbsd.org 2010/01/29 00:20:41Damien Miller
[sshd.c] set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com ok dtucker@
2010-01-30 - djm@cvs.openbsd.org 2010/01/28 00:21:18Damien Miller
[clientloop.c] downgrade an error() to a debug() - this particular case can be hit in normal operation for certain sequences of mux slave vs session closure and is harmless
2010-01-29 - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()Darren Tucker
after registering the hardware engines, which causes the openssl.cnf file to be processed. See OpenSSL's man page for OPENSSL_config(3) for details. Patch from Solomon Peachy, ok djm@.
2010-01-28 - djm@cvs.openbsd.org 2010/01/27 19:21:39Damien Miller
[sftp.c] add missing "p" flag to getopt optstring; bz#1704 from imorgan AT nas.nasa.gov
2010-01-28 - djm@cvs.openbsd.org 2010/01/27 13:26:17Damien Miller
[mux.c] fix bug introduced in mux rewrite: In a mux master, when a socket to a mux slave closes before its server session (as may occur when the slave has been signalled), gracefully close the server session rather than deleting its channel immediately. A server may have more messages on that channel to send (e.g. an exit message) that will fatal() the client if they are sent to a channel that has been prematurely deleted. spotted by imorgan AT nas.nasa.gov