summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-04-16* New upstream release:Colin Watson
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths. - Include a language tag when sending a protocol 2 disconnection message. - Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys.
2010-04-16merge 5.5p1Colin Watson
2010-04-16releasing version 1:5.4p1-2Colin Watson
2010-04-16Import 5.5p1 tarballColin Watson
2010-04-10 - (dtucker) [configure.ac] Put the check for the existence of getaddrinfoDarren Tucker
back so we disable the IPv6 tests if we don't have it.
2010-04-10lintian-symlink-pickiness: remember to bump Last-UpdateColin Watson
2010-04-09Add a NEWS.Debian entry about changes in smartcard support relative toColin Watson
previous unofficial builds (closes: #231472).
2010-04-09 - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enableDarren Tucker
utmpx support on FreeBSD where possible. Patch from Ed Schouten, ok djm@
2010-04-09 - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if weDarren Tucker
have it and the path is not provided to --with-libedit. Based on a patch from Iain Morgan.
2010-04-09 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrongDarren Tucker
ones. Based on a patch from Roumen Petrov.
2010-04-08Use dh_install more effectively.Colin Watson
2010-04-08remove obsolete Ssh.bin hack, no longer needed with new PKCS#11 smartcard ↵Colin Watson
handling
2010-04-08remove old ssh_prng_cmds handling; we never use this, and it's unnecessary ↵Colin Watson
with debhelper v3 anyway
2010-04-07Drop lpia support, since Ubuntu no longer supports this architecture.Colin Watson
2010-04-07Convert to dh(1), and use dh_installdocs --link-doc.Colin Watson
2010-04-06Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 isColin Watson
installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
2010-04-06lintian-symlink-pickiness.patch rejected upstream, but we need to keep itColin Watson
2010-04-06releasing version 1:5.4p1-1Colin Watson
2010-04-03* Policy version 3.8.4:Colin Watson
- Add a Homepage field.
2010-03-31Drop most of our "LogLevel SILENT" (-qq) patch. This was originallyColin Watson
introduced to match the behaviour of non-free SSH, in which -q does not suppress fatal errors, but matching the behaviour of OpenSSH upstream is much more important nowadays. We no longer document that -q does not suppress fatal errors (closes: #280609). Migrate "LogLevel SILENT" to "LogLevel QUIET" in sshd_config on upgrade.
2010-03-31Drop Debian-specific removal of OpenSSL version check. Upstream ignoresColin Watson
the two patchlevel nybbles now, which is sufficient to address the original reason this change was introduced, and it appears that any change in the major/minor/fix nybbles would involve a new libssl package name. (We'd still lose if the status nybble were ever changed, but that would mean somebody had packaged a development/beta version rather than a proper release, which doesn't appear to be normal practice.)
2010-03-31Remove SSHD_OOM_ADJUST configuration. sshd now unconditionally makesColin Watson
itself non-OOM-killable, and doesn't require configuration to avoid log spam in virtualisation containers (closes: #555625).
2010-03-31ssh-vulnkey.patch: update another call to auth_key_is_revokedColin Watson
2010-03-31* New upstream release (LP: #535029).Colin Watson
- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
2010-03-31merge 5.4p1Colin Watson
2010-03-31Import 5.4p1 tarballColin Watson
2010-03-31handle merge history from previous tarball branchColin Watson
2010-03-29Hardcode the location of xauth to /usr/bin/xauth rather thanColin Watson
/usr/bin/X11/xauth (thanks, Aron Griffis; closes: #575725, LP: #8440). xauth no longer depends on x11-common, so we're no longer guaranteed to have the /usr/bin/X11 symlink available. I was taking advantage of the /usr/bin/X11 symlink to smooth X's move to /usr/bin, but this is far enough in the past now that it's probably safe to just use /usr/bin.
2010-03-26 - dtucker@cvs.openbsd.org 2010/03/26 01:06:13Darren Tucker
[ssh_config.5] Reformat default value of PreferredAuthentications entry (current formatting implies ", " is acceptable as a separator, which it's not. ok djm@
2010-03-26 - djm@cvs.openbsd.org 2010/03/26 00:26:58Damien Miller
[ssh.1] mention that -S none disables connection sharing; from Colin Watson
2010-03-26 - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;Damien Miller
bz#1723 patch from Adeodato Simó via Colin Watson; ok dtucker@
2010-03-26 - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 usingDarren Tucker
pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).
2010-03-26 - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721Damien Miller
ok dtucker@
2010-03-26 - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -Damien Miller
set up SELinux execution context before chroot() call. From Russell Coker via Colin watson; bz#1726 ok dtucker@
2010-03-26 - djm@cvs.openbsd.org 2010/03/25 23:38:28Damien Miller
[servconf.c] from portable: getcwd(NULL, 0) doesn't work on all platforms, so use a stack buffer; ok dtucker@
2010-03-26 - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originallyDarren Tucker
by Ingo Weinhold via Scott McCreary, ok djm@
2010-03-26 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detectionDamien Miller
for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
2010-03-24 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directoryDarren Tucker
containing the services file explicitely case-insensitive. This allows to tweak the Windows services file reliably. Patch from vinschen at redhat.
2010-03-22 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers
2010-03-22 - djm@cvs.openbsd.org 2010/03/16 16:36:49Damien Miller
[version.h] crank version to openssh-5.5 since we have a few fixes since 5.4; requested deraadt@ kettenis@
2010-03-22 - stevesk@cvs.openbsd.org 2010/03/16 15:46:52Damien Miller
[auth-options.c] spelling in error message. ok djm kettenis
2010-03-22 - stevesk@cvs.openbsd.org 2010/03/15 19:40:02Damien Miller
[key.c key.h ssh-keygen.c] also print certificate type (user or host) for ssh-keygen -L ok djm kettenis
2010-03-22 - jmc@cvs.openbsd.org 2010/03/13 23:38:13Damien Miller
[ssh-keygen.1] fix a formatting error (args need quoted); noted by stevesk
2010-03-22 - djm@cvs.openbsd.org 2010/03/13 21:45:46Damien Miller
[ssh-keygen.1] Certificates are named *-cert.pub, not *_cert.pub; committing a diff from stevesk@ ok me
2010-03-22 - djm@cvs.openbsd.org 2010/03/13 21:10:38Damien Miller
[clientloop.c] protocol conformance fix: send language tag when disconnecting normally; spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
2010-03-22 - markus@cvs.openbsd.org 2010/03/12 11:37:40Damien Miller
[servconf.c] do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths free() (not xfree()) the buffer returned by getcwd()
2010-03-22 - djm@cvs.openbsd.org 2010/03/12 01:06:25Damien Miller
[servconf.c] unbreak AuthorizedKeys option with a $HOME-relative path; reported by vinschen AT redhat.com, ok dtucker@
2010-03-22 - djm@cvs.openbsd.org 2010/03/10 23:27:17Damien Miller
[auth2-pubkey.c] correct certificate logging and make it more consistent between authorized_keys and TrustedCAKeys; ok markus@
2010-03-22 - jmc@cvs.openbsd.org 2010/03/10 07:40:35Damien Miller
[ssh-keygen.1] typos; from Ross Richardson closes prs 6334 and 6335
2010-03-22 - jmc@cvs.openbsd.org 2010/03/08 09:41:27Damien Miller
[ssh-keygen.1] sort the list of constraints (to -O); ok djm