summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2011-01-26adjust ECDSA commentary in changelog - we aren't generating ECDSA host keys ↵Colin Watson
on upgrades
2011-01-26changelog for GSSAPI updateColin Watson
2011-01-26merge gssapi branchColin Watson
2011-01-26import openssh-5.7p1-gsskex-all-20110125.patchColin Watson
2011-01-25Rearrange selinux-role.patch so that it links properly given thisColin Watson
SELinux build fix.
2011-01-25Backport SELinux build fix from CVS.Colin Watson
2011-01-24Build-depend on libssl-dev (>= 0.9.8g) to ensure sufficient ECC support.Colin Watson
2011-01-24Generate ECDSA host keys. These will only be used on freshColin Watson
installations or if you manually add 'HostKey /etc/ssh/ssh_host_ecdsa_key' to /etc/ssh/sshd_config.
2011-01-24* New upstream release (http://www.openssh.org/txt/release-5.7):Colin Watson
- Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. - sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command. - scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host (closes: #508613). - ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races (closes: #454784). Stale server sockets are now automatically removed (closes: #523250). - ssh(1): install a SIGCHLD handler to reap expired child process (closes: #594687). - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories (closes: #357469, although only if you arrange for ssh-agent to actually see $TMPDIR since the setgid bit will cause it to be stripped off).
2011-01-24merge 5.7p1Colin Watson
2011-01-24import openssh-5.6p1-gsskex-all-20110101.patchColin Watson
2011-01-24Import 5.7p1 tarballColin Watson
2011-01-22 - (djm) Release 5.7p1Damien Miller
2011-01-22trim entries older than 5.5p1Damien Miller
2011-01-22 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] update versions in docs and spec files.
2011-01-22 - OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2011/01/22 09:18:53 [version.h] crank to OpenSSH-5.7
2011-01-22 - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] AddDarren Tucker
RSA_get_default_method() for the benefit of openssl versions that don't have it (at least openssl-engine-0.9.6b). Found and tested by Kevin Brott, ok djm@.
2011-01-19 - (djm) [configure.ac] Disable ECC on OpenSSL <0.9.8g. Releases prior toDamien Miller
0.9.8 lacked it, and 0.9.8a through 0.9.8d have proven buggy in pre- release testing (random crashes and failure to load ECC keys). ok dtucker@
2011-01-18 - (tim) [contrib/caldera/openssh.spec] Use CFLAGS from Makefile insteadTim Rice
of RPM so build completes. Signatures were changed to .asc since 4.1p1.
2011-01-17- (dtucker) [LICENCE Makefile.in audit-bsm.c audit-linux.c audit.c audit.hDarren Tucker
configure.ac defines.h loginrec.c] Bug #1402: add linux audit subsystem support, based on patches from Tomas Mraz and jchadima at redhat.
2011-01-17 - (dtucker) [openbsd-compat/port-linux.c] Fix minor bug caught by -Werror onDarren Tucker
the tinderbox.
2011-01-16 - (tim) [regress/agent-getpeereid.sh] shell portability fix.Tim Rice
2011-01-17 - (djm) [configure.ac regress/agent-getpeereid.sh regress/multiplex.sh]Damien Miller
[regress/sftp-glob.sh regress/test-exec.sh] Rework how feature tests are disabled on platforms that do not support them; add a "config_defined()" shell function that greps for defines in config.h and use them to decide on feature tests. Convert a couple of existing grep's over config.h to use the new function Add a define "FILESYSTEM_NO_BACKSLASH" for filesystem that can't represent backslash characters in filenames, enable it for Cygwin and use it to turn of tests for quotes backslashes in sftp-glob.sh. based on discussion with vinschen AT redhat.com and dtucker@; ok dtucker@
2011-01-17 - (dtucker) [openbsd-compat/port-linux.c] Bug #1838: Add support for the newDarren Tucker
Linux OOM-killer magic values that changed in 2.6.36 kernels, with fallback to the old values. Feedback from vapier at gentoo org and djm, ok djm.
2011-01-17 - (djm) [regress/agent-getpeereid.sh] leave stdout attached when runningDamien Miller
ssh-add to avoid $SUDO failures on Linux
2011-01-17 - (djm) [regress/agent-ptrace.sh] Fix false failure on OS X by addingDamien Miller
its unique snowflake of a gdb error to the ones we look for.
2011-01-17 - (djm) [regress/Makefile] use $TEST_SSH_KEYGEN instead of the one inDamien Miller
$PATH, fix cleanup of droppings; reported by openssh AT roumenpetrov.info; ok dtucker@
2011-01-16 - djm@cvs.openbsd.org 2011/01/16 12:05:59Damien Miller
[clientloop.c] a couple more tweaks to the post-close protocol 1 stderr/stdout flush: now that we use atomicio(), convert them from while loops to if statements add test and cast to compile cleanly with -Wsigned
2011-01-16 - djm@cvs.openbsd.org 2011/01/16 11:50:36Damien Miller
[sshconnect.c] reset the SIGPIPE handler when forking to execute child processes; ok dtucker@
2011-01-16 - djm@cvs.openbsd.org 2011/01/16 11:50:05Damien Miller
[clientloop.c] Use atomicio when flushing protocol 1 std{out,err} buffers at session close. This was a latent bug exposed by setting a SIGCHLD handler and spotted by kevin.brott AT gmail.com; ok dtucker@
2011-01-16 - (dtucker) [Makefile.in configure.ac regress/kextype.sh] Skip sha256-basedDarren Tucker
on configurations that don't have it.
2011-01-16not February yet...Darren Tucker
2011-01-13 - (tim) [regress/cert-hostkey.sh] Add missing TEST_SSH_ECC guard around someTim Rice
ecdsa bits.
2011-01-13 - (tim) [regress/cert-hostkey.sh] Typo. Missing $ on variable name.Tim Rice
2011-01-14 - (djm) [Makefile.in] Use shell test to disable ecdsa key generating inDamien Miller
host-key-force target rather than a substitution that is replaced with a comment so that the Makefile.in is still a syntactically valid Makefile (useful to run the distprep target)
2011-01-14 - djm@cvs.openbsd.org 2011/01/13 21:55:25Damien Miller
[PROTOCOL.mux] correct protocol names and add a couple of missing protocol number defines; patch from bert.wesarg AT googlemail.com
2011-01-14 - djm@cvs.openbsd.org 2011/01/13 21:54:53Damien Miller
[mux.c] correct error messages; patch from bert.wesarg AT googlemail.com
2011-01-13 - (djm) [regress/kextype.sh] Testing diffie-hellman-group-exchange-sha256Damien Miller
should not depend on ECC support
2011-01-13 - (djm) [myproposal.h] Fix reversed OPENSSL_VERSION_NUMBER test and badDamien Miller
#define that was causing diffie-hellman-group-exchange-sha256 to be incorrectly disabled
2011-01-13 - (djm) [regress/Makefile] add a few more generated files to the cleanDamien Miller
target
2011-01-13 - (djm) [entropy.c] cast OPENSSL_VERSION_NUMBER to u_long to avoidDamien Miller
gcc warning on platforms where it defaults to int
2011-01-12 - (tim) [Makefile.in configure.ac opensshd.init.in] Add support for generatingTim Rice
ecdsa keys. ok djm.
2011-01-12 - (tim) [Makefile.in] test the ECC bits if we have the capability. ok djmTim Rice
2011-01-13 - (djm) [misc.c] include time.h for nanosleep() prototypeDamien Miller
2011-01-12 - (djm) [configure.ac] Fix broken test for gcc >= 4.4 with per-compilerDamien Miller
flag tests that don't depend on gcc version at all; suggested by and ok dtucker@
2011-01-12 - (djm) [configure.ac] Turn on -Wno-unused-result for gcc >= 4.4 to avoidDamien Miller
silly warnings on write() calls we don't care succeed or not.
2011-01-12 - djm@cvs.openbsd.org 2011/01/12 01:53:14Damien Miller
avoid some integer overflows mostly with GLOB_APPEND and GLOB_DOOFFS and sanity check arguments (these will be unnecessary when we switch struct glob members from being type into to size_t in the future); "looks ok" tedu@ feedback guenther@
2011-01-12 - nicm@cvs.openbsd.org 2010/10/08 21:48:42Damien Miller
[openbsd-compat/glob.c] Extend GLOB_LIMIT to cover readdir and stat and bump the malloc limit from ARG_MAX to 64K. Fixes glob-using programs (notably ftp) able to be triggered to hit resource limits. Idea from a similar NetBSD change, original problem reported by jasper@. ok millert tedu jasper
2011-01-11 - djm@cvs.openbsd.org 2011/01/11 06:13:10Damien Miller
[clientloop.c ssh-keygen.c sshd.c] some unsigned long long casts that make things a bit easier for portable without resorting to dropping PRIu64 formats everywhere
2011-01-11 - djm@cvs.openbsd.org 2011/01/11 06:06:09Damien Miller
[sshlogin.c] fd leak on error paths; from zinovik@ NB. Id sync only; we use loginrec.c that was also audited and fixed recently