summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2007-06-12add Short-DescriptionColin Watson
2007-06-12credit Ubuntu where appropriateColin Watson
2007-06-12* If building on Ubuntu, add /sbin, /usr/sbin, and /usr/local/sbin to theColin Watson
default path.
2007-06-12* Build position-independent executables (only for debs, not for udebs) toColin Watson
take advantage of address space layout randomisation.
2007-06-12* Belatedly build-depend on zlib1g-dev (>= 1:1.2.3-1) (closes: #333447).Colin Watson
2007-06-12--with-ssl-engine also closes: #408027Colin Watson
2007-06-12* Emit a slightly more informative message from the init script ifColin Watson
/dev/null has somehow become not a character device (closes: #369964).
2007-06-12* Move init script start links to S16, and remove stop links altogetherColin Watson
(closes: #122188).
2007-06-12* Use LSB functions in init scripts, and add an LSB-style header (thanks,Colin Watson
Christian Perrier; closes: #389038).
2007-06-12fix some missing #includes etc.Colin Watson
2007-06-12* Build the .deb --with-ssl-engine (LP: #119295).Colin Watson
2007-06-12* New upstream release (closes: #395507, #397961, #420035). ImportantColin Watson
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2007-06-13 - dtucker@cvs.openbsd.org 2007/06/12 13:54:28Darren Tucker
[scp.c] Encode filename with strnvis if the name contains a newline (which can't be represented in the scp protocol), from bz #891. ok markus@
2007-06-13 - jmc@cvs.openbsd.org 2007/06/12 13:43:55Darren Tucker
[ssh.1] add -K to SYNOPSIS;
2007-06-13 - jmc@cvs.openbsd.org 2007/06/12 13:41:03Darren Tucker
[ssh-add.1] identies -> identities;
2007-06-12 - dtucker@cvs.openbsd.org 2007/06/12 11:56:15Darren Tucker
[gss-genr.c] Pass GSS OID to gss_display_status to provide better information in error messages. Patch from Simon Wilkinson via bz 1220. ok djm@
2007-06-12 - djm@cvs.openbsd.org 2007/06/12 11:45:27Darren Tucker
[ssh.c] improved exit message from multiplex slave sessions; bz #1262 reported by alexandre.nunes AT gmail.com; ok dtucker@
2007-06-12 - djm@cvs.openbsd.org 2007/06/12 11:15:17Darren Tucker
[ssh.c ssh.1] Add "-K" flag for ssh to set GSSAPIAuthentication=yes and GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI) and is useful for hosts with /home on Kerberised NFS; bz #1312 patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
2007-06-12 - djm@cvs.openbsd.org 2007/06/12 11:11:08Darren Tucker
[ssh.c] fix slave exit value when a control master goes away without passing the full exit status by ensuring that the slave reads a full int. bz#1261 reported by frekko AT gmail.com; ok markus@ dtucker@
2007-06-12 - djm@cvs.openbsd.org 2007/06/12 08:24:20Darren Tucker
[scp.c] make scp try to skip FIFOs rather than blocking when nothing is listening. depends on the platform supporting sane O_NONBLOCK semantics for open on FIFOs (apparently POSIX does not mandate this), which OpenBSD does. bz #856; report by cjwatson AT debian.org; ok markus@
2007-06-12 - djm@cvs.openbsd.org 2007/06/12 08:20:00Darren Tucker
[ssh-gss.h gss-serv.c gss-genr.c] relocate server-only GSSAPI code from libssh to server; bz #1225 patch from simon AT sxw.org.uk; ok markus@ dtucker@
2007-06-12 - djm@cvs.openbsd.org 2007/06/12 07:41:00Darren Tucker
[ssh-add.1] better document ssh-add's -d option (delete identies from agent), bz#1224 new text based on some provided by andrewmc-debian AT celt.dias.ie; ok dtucker@
2007-06-12 - markus@cvs.openbsd.org 2007/06/11 09:14:00Darren Tucker
[channels.h] increase default channel windows; ok djm
2007-06-12Import OpenSSH 4.6p1.Colin Watson
2007-06-11 - markus@cvs.openbsd.org 2007/06/11 08:04:44Damien Miller
[channels.c] send 'window adjust' messages every tree packets and do not wait until 50% of the window is consumed. ok djm dtucker
2007-06-11 - (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. ShouldDarren Tucker
prevent warnings about redefinitions of various things in paths.h. Spotted by cartmanltd at hotmail.com.
2007-06-11 - (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder"Darren Tucker
argument to nanosleep may be NULL. Currently this never happens in OpenSSH, but check anyway in case this changes or the code gets used elsewhere.
2007-06-11 - (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), thenDamien Miller
fallback to provided bit-swizzing functions
2007-06-11 - jmc@cvs.openbsd.org 2007/06/08 07:48:09Damien Miller
[sshd_config.5] oops, here too: put the MAC list into a display, like we do for ciphers, since groff has trouble with wide lines;
2007-06-11 - jmc@cvs.openbsd.org 2007/06/08 07:43:46Damien Miller
[ssh_config.5] put the MAC list into a display, like we do for ciphers, since groff has trouble handling wide lines;
2007-06-11 - pvalchev@cvs.openbsd.org 2007/06/08 04:40:40Damien Miller
[ssh_config] Add a "MACs" line after "Ciphers" with the default MAC algorithms, to ease people who want to tweak both (eg. for performance reasons). ok deraadt@ djm@ dtucker@
2007-06-11 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34Damien Miller
[kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1] [ssh_config.5 sshd.8 sshd_config.5] Add a new MAC algorithm for data integrity, UMAC-64 (not default yet, must specify umac-64@openssh.com). Provides about 20% end-to-end speedup compared to hmac-md5. Represents a different approach to message authentication to that of HMAC that may be beneficial if HMAC based on one of its underlying hash algorithms is found to be vulnerable to a new attack. http://www.ietf.org/rfc/rfc4418.txt in conjunction with and OK djm@
2007-06-11 - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exitDamien Miller
fix; tested by dtucker@ and jochen.kirn AT gmail.com
2007-06-11spacingDamien Miller
2007-06-10releasing version 1:4.3p2-11Colin Watson
2007-06-10msgcatColin Watson
2007-06-10 - Update Vietnamese (thanks, Clytie Siddall; closes: #426991).Colin Watson
2007-06-10 - Add Korean (thanks, Sunjae Park; closes: #424008).Colin Watson
2007-06-09* Use 'start-stop-daemon --oknodo' so that openssh-server's init scriptColin Watson
exits successfully if sshd is already running (closes: #426858).
2007-06-09msgcat againColin Watson
2007-06-09final translation updates from Christian Perrier in #420107Colin Watson
2007-06-09 - Update Dutch (thanks, Bart Cornelis; closes: #422767).Colin Watson
2007-06-09 - Update Portuguese (thanks, Ricardo Silva; closes: #423112).Colin Watson
2007-06-09update creditColin Watson
2007-06-09 - Update Russian (thanks, Sergey Alyoshin; closes: #420862).Colin Watson
2007-06-06* openssh-client Suggests: libpam-ssh (closes: #427840).Colin Watson
2007-06-05 - (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs.Darren Tucker
2007-06-05 - (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex soDarren Tucker
mindrot's cvs doesn't expand it on us.
2007-06-05 - (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags thatDarren Tucker
OpenBSD's cvs now adds.
2007-06-05 - djm@cvs.openbsd.org 2007/06/05 06:52:37Darren Tucker
[kex.c monitor_wrap.c packet.c mac.h kex.h mac.c] Preserve MAC ctx between packets, saving 2xhash calls per-packet. Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5 patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm committing at his request)