| Age | Commit message (Collapse) | Author |
|---|
|
changes not previously backported to 4.3p2:
- 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
+ On portable OpenSSH, fix a GSSAPI authentication abort that could be
used to determine the validity of usernames on some platforms.
+ Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of
post-authentication options are supported and more are expected to
be added in future releases.
+ Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.
+ Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"
option.
+ Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to
establish.
+ Add optional logging of transactions to sftp-server(8).
+ ssh(1) will now record port numbers for hosts stored in
~/.ssh/known_hosts when a non-standard port has been requested
(closes: #50612).
+ Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
non-zero exit code) when requested port forwardings could not be
established.
+ Extend sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments.
+ Replacement of all integer overflow susceptible invocations of
malloc(3) and realloc(3) with overflow-checking equivalents.
+ Many manpage fixes and improvements.
+ Add optional support for OpenSSL hardware accelerators (engines),
enabled using the --with-ssl-engine configure option.
+ Tokens in configuration files may be double-quoted in order to
contain spaces (closes: #319639).
+ Move a debug() call out of a SIGCHLD handler, fixing a hang when the
session exits very quickly (closes: #307890).
+ Fix some incorrect buffer allocation calculations (closes: #410599).
+ ssh-add doesn't ask for a passphrase if key file permissions are too
liberal (closes: #103677).
+ Likewise, ssh doesn't ask either (closes: #99675).
- 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
+ sshd now allows the enabling and disabling of authentication methods
on a per user, group, host and network basis via the Match directive
in sshd_config.
+ Fixed an inconsistent check for a terminal when displaying scp
progress meter (closes: #257524).
+ Fix "hang on exit" when background processes are running at the time
of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
install ChangeLog.gssapi.
|
|
configure, as some platforms (OS X) ship OpenSSL headers whose version
does not match that of the shipping library. ok dtucker@
|
|
CRLF as well as LF lineendings) and write in binary mode. Patch from
vinschen at redhat.com.
|
|
Pfaff; closes: #391248).
|
|
* NMU to update SELinux patch, bringing it in line with current selinux
releases. The patch for this NMU is simply the Bug#394795 patch,
and no other changes. (closes: #394795)
|
|
SELinux functions so they're detected correctly. Patch from pebenito at
gentoo.org.
|
|
section so additional platform specific CHECK_HEADER tests will work
correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no
Feedback and "seems like a good idea" dtucker@
|
|
support. Patch from andrew.benham at thus net.
|
|
- (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added
to rev 1.308) to work around broken gcc 2.x header file.
|
|
$LDFLAGS. Patch from vapier at gentoo org.
|
|
macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags.
Allows build out of the box with older VAC and XLC compilers. Found by
David Bronder and Bernhard Simon.
|
|
Support SMF in Solaris Packages if enabled by configure. Patch from
Chad Mynhier, tested by dtucker@
|
|
|
|
|
|
|
|
|
|
updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius,
ok djm@
|
|
declaration of writev(2) and declare it ourselves if necessary. Makes
the atomiciov() calls build on really old systems. ok djm@
|
|
test for GLOB_NOMATCH and use our glob functions if it's not found.
Stops sftp from segfaulting when attempting to get a nonexistent file on
Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
from and tested by Corinna Vinschen.
|
|
[platform.c platform.h sshd.c openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
[openbsd-compat/port-solaris.h] Add support for Solaris process
contracts, enabled with --use-solaris-contracts. Patch from Chad
Mynhier, tweaked by dtucker@ and myself; ok dtucker@
|
|
|
|
(0.9.8a and presumably newer) requires -ldl to successfully link.
|
|
fixing bug #1181. No changes yet.
|
|
afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl.
|
|
a signal handler (basically all of them, excepting OpenBSD);
ok dtucker@
|
|
closefrom.c from sudo.
|
|
for closefrom() on AIX. Pointed out by William Ahern.
|
|
versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
rather than just compiling it. Spotted by dlg@.
|
|
for SHUT_RD.
|
|
O_NONBLOCK
if they're really needed. Fixes build errors on HP-UX, old Linuxes and probably
more.
|
|
openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
include paths.h. Fixes build error on Solaris.
|
|
compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
configure would not select the correct libpath linker flags.
|
|
with autoconf 2.60. Patch from vapier at gentoo.org.
|
|
Works around limitation in Solaris' passwd program for changing passwords
where the username is longer than 8 characters. ok djm@
|
|
4.3.3 ML3 or so, the AIX pty layer starting passing zero-length writes
on the pty slave as zero-length reads on the pty master, which sshd
interprets as the descriptor closing. Since most things don't do zero
length writes this rarely matters, but occasionally it happens, and when
it does the SSH pty session appears to hang, so we add a special case for
this condition. ok djm@
|
|
tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch
from reyk@, tested by anil@
|
|
http://www.sxw.org.uk/computing/patches/openssh-4.3p2-gsskex-20060223.patch
(closes: #352042).
|
|
|
|
[contrib/redhat/sshd.init openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
[openbsd-compat/port-linux.h] Add support for SELinux, setting
the execution and TTY contexts. based on patch from Daniel Walsh,
bz #880; ok dtucker@
|
|
/usr/include/crypto. Hint from djm@.
|
|
|
|
|
|
|
|
[openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h]
[openbsd-compat/sha2.c] First stab at portability glue for SHA256
KEX support, should work with libc SHA256 support or OpenSSL
EVP_sha256 if present
|
|
since not all platforms support it. Instead, use internal equivalent while
computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf*
as it's no longer required. Tested by Bernhard Simon, ok djm@
|
|
patch from kraai at ftbfs.org.
|
|
Add optional enabling of OpenSSL's (hardware) Engine support, via
configure --with-ssl-engine. Based in part on a diff by michal at
logix.cz.
|
|
Add first attempt at regress tests for compat library. ok djm@
|
|
|
|
-> NEED_SETPGRP), reported by Berhard Simon. ok tim@
|
