Age | Commit message | Author
2014-02-09 | GSSAPI key exchange support. This patch has been rejected upstream: "None of the OpenSSH developers are in favour of adding this, and this situation has not changed for several years. This is not a slight on Simon's patch, which is of fine quality, but just that a) we don't trust GSSAPI implementations that much and b) we don't like adding new KEX since they are pre-auth attack surface. This one is particularly scary, since it requires hooks out to typically root-owned system resources." However, quite a lot of people rely on this in Debian, and it's better to have it merged into the main openssh package rather than having separate -krb5 packages (as we used to have). It seems to have a generally good security history. Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1242 Last-Updated: 2013-11-09 Patch-Name: gssapi.patch | Simon Wilkinson
2013-11-09 | Import 6.4p1 tarball | Colin Watson
2013-11-08 | - (djm) Release 6.4p1 | Damien Miller
2013-11-08 | - djm@cvs.openbsd.org 2013/11/08 01:38:11 [version.h] openssh-6.4 | Damien Miller
2013-11-08 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] update version numbers | Damien Miller
2013-11-08 | - djm@cvs.openbsd.org 2013/11/08 00:39:15 [auth-options.c auth2-chall.c authfd.c channels.c cipher-3des1.c] [clientloop.c gss-genr.c monitor_mm.c packet.c schnorr.c umac.c] [sftp-client.c sftp-glob.c] use calloc for all structure allocations; from markus@ | Damien Miller
2013-11-08 | - markus@cvs.openbsd.org 2013/11/06 16:52:11 [monitor_wrap.c] fix rekeying for AES-GCM modes; ok deraadt | Damien Miller
2013-09-14 | Import 6.3p1 tarball | Colin Watson
2013-09-13 | - (djm) [channels.c] sigh, typo s/buffet_/buffer_/ | Damien Miller
2013-09-13 | - (djm) [channels.c] Fix unaligned access on sparc machines in SOCKS5 code; ok dtucker@ | Damien Miller
2013-09-13 | - (djm) Release 6.3p1 | Damien Miller
2013-08-28 | - (djm) [openbsd-compat/bsd-snprintf.c] #ifdef notyet for intmax_t bits until we have configure support. | Damien Miller
2013-08-28 | - (djm) [openbsd-compat/bsd-snprintf.c] teach our local snprintf code the 'j' (intmax_t/uintmax_t) and 'z' (size_t/ssize_t) conversions in case we start to use them in the future. | Damien Miller
2013-08-21 | - jmc@cvs.openbsd.org 2013/08/20 06:56:07 [ssh.1 ssh_config.5] some proxyusefdpass tweaks; | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/20 00:11:38 [readconf.c readconf.h ssh_config.5 sshconnect.c] Add a ssh_config ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than have to shuffle data back and forth and enables ssh to use getpeername, etc. to obtain address information just like it does with regular directly-connected sockets. ok markus@ | Damien Miller
2013-08-21 | - jmc@cvs.openbsd.org 2013/08/14 08:39:27 [scp.1 ssh.1] some Bx/Ox conversion; From: Jan Stary | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/13 18:33:08 [ssh-keygen.c] another of the same typo | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/13 18:32:08 [ssh-keygen.c] typo in error message; from Stephan Rickauer | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/09 03:56:42 [sftp.c] enable ctrl-left-arrow and ctrl-right-arrow to move forward/back a word; matching ksh's relatively recent change. | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/09 03:39:13 [sftp-client.c] two problems found by a to-be-committed regress test: 1) msg_id was not being initialised so was starting at a random value from the heap (harmless, but confusing). 2) some error conditions were not being propagated back to the caller | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/09 03:37:25 [sftp.c] do getopt parsing for all sftp commands (with an empty optstring for commands without arguments) to ensure consistent behaviour | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/08 05:04:03 [sftp-client.c sftp-client.h sftp.c] add a "-l" flag for the rename command to force it to use the silly standard SSH_FXP_RENAME command instead of the POSIX-rename-like posix-rename@openssh.com extension. intended for use in regress tests, so no documentation. | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/08 04:52:04 [sftp.c] fix two year old regression: symlinking a file would incorrectly canonicalise the target path. bz#2129 report from delphij AT freebsd.org | Damien Miller
2013-08-21 | - jmc@cvs.openbsd.org 2013/08/07 06:24:51 [sftp.1 sftp.c] sort -a; | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/06 23:06:01 [servconf.c] add cast to avoid format warning; from portable | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/06 23:05:01 [sftp.1] document top-level -a option (the -a option to 'get' was already documented) | Damien Miller
2013-08-21 | - djm@cvs.openbsd.org 2013/08/06 23:03:49 [sftp.c] fix some whitespace at EOL; make list of commands an enum rather than a long list of defines; add -a to usage() | Damien Miller
2013-08-08 | - (dtucker) [regress/Makefile regress/test-exec.sh] Roll back the -nt removal. The "make clean" removes modpipe which is built by the top-level directory before running the tests. Spotted by tim@ | Darren Tucker
2013-08-08 | - (dtucker) [misc.c] Remove define added for fallback testing that was mistakenly included in the previous commit. | Darren Tucker
2013-08-08 | - (dtucker) [misc.c] Fall back to time(2) at runtime if clock_gettime(CLOCK_MONOTONIC...) fails. Some older versions of RHEL have the CLOCK_MONOTONIC define but don't actually support it. Found and tested by Kevin Brott, ok djm. | Darren Tucker
2013-08-08 | - (dtucker) [regress/Makefile regress/test-exec.sh] Don't try to use test -nt since some platforms (eg really old FreeBSD) don't have it. Instead, run "make clean" before a complete regress run. ok djm. | Darren Tucker
2013-08-04 | - (dtucker) [auth-krb5.c configure.ac openbsd-compat/bsd-misc.h] Add support for building with older Heimdal versions. ok djm. | Darren Tucker
2013-08-01 | - (djm) [sshlogin.h] Fix prototype merge botch from 2006; bz#2134 | Damien Miller
2013-08-01 | - (djm) [channels.c channels.h] bz#2135: On Solaris, isatty() on a non-blocking connecting socket will clear any stored errno that might otherwise have been retrievable via getsockopt(). A hack to limit writes to TTYs on AIX was triggering this. Since only AIX needs the hack, wrap it in an #ifdef. Diagnosis and patch from Ivo Raisr. | Damien Miller
2013-07-25 | more correct comment for last commit | Tim Rice
2013-07-25 | - (tim) [regress/forwarding.sh] Fix for building outside read only source tree. | Tim Rice
2013-07-25 | - (tim) [sftp-client.c] Use of a gcc extension trips up native compilers on Solaris and UnixWare. Feedback and OK djm@ | Tim Rice
2013-07-25 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] [contrib/suse/openssh.spec] Update version numbers | Damien Miller
2013-07-25 | - djm@cvs.openbsd.org 2013/06/21 02:26:26 [regress/sftp-cmds.sh regress/test-exec.sh] unbreak sftp-cmds for renamed test data (s/ls/data/) | Damien Miller
2013-07-25 | - dtucker@cvs.openbsd.org 2013/06/10 21:56:43 [regress/forwarding.sh] Add test for forward config parsing | Damien Miller
2013-07-25 | - dtucker@cvs.openbsd.org 2013/05/30 20:12:32 [regress/test-exec.sh] use ssh and sshd as testdata since it needs to be >256k for the rekey test | Damien Miller
2013-07-25 | - djm@cvs.openbsd.org 2013/07/25 00:57:37 [version.h] openssh-6.3 for release | Damien Miller
2013-07-25 | - djm@cvs.openbsd.org 2013/07/25 00:56:52 [sftp-client.c sftp-client.h sftp.1 sftp.c] sftp support for resuming partial downloads; patch mostly by Loganaden Velvindron/AfriNIC with some tweaks by me; feedback and ok dtucker@ | Damien Miller
2013-07-25 | - djm@cvs.openbsd.org 2013/07/25 00:29:10 [ssh.c] daemonise backgrounded (ControlPersist'ed) multiplexing master to ensure it is fully detached from its controlling terminal. based on debugging | Damien Miller
2013-07-25 | - djm@cvs.openbsd.org 2013/07/22 12:20:02 [umac.h] oops, forgot to commit corresponding header change; spotted by jsg and jasper | Damien Miller
2013-07-25 | - djm@cvs.openbsd.org 2013/07/22 05:00:17 [umac.c] make MAC key, data to be hashed and nonce for final hash const; checked with -Wcast-qual | Damien Miller
2013-07-25 | - djm@cvs.openbsd.org 2013/07/20 22:20:42 [krl.c] fix verification error in (as-yet unused) KRL signature checking path | Damien Miller
2013-07-20 | - djm@cvs.openbsd.org 2013/07/20 01:55:13 [auth-krb5.c gss-serv-krb5.c gss-serv.c] fix kerberos/GSSAPI deprecation warnings and linking; "looks okay" millert@ | Damien Miller
2013-07-20 | - djm@cvs.openbsd.org 2013/07/20 01:50:20 [ssh-agent.c] call cleanup_handler on SIGINT when in debug mode to ensure sockets are cleaned up on manual exit; bz#2120 | Damien Miller
2013-07-20 | - djm@cvs.openbsd.org 2013/07/20 01:44:37 [ssh-keygen.c ssh.c] More useful error message on missing current user in /etc/passwd | Damien Miller