| Age | Commit message (Collapse) | Author |
|---|
|
|
|
builtin glob implementation on Mac OS X. Based on a patch from
vgiffin at apple.
|
|
- CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if
creation of an untrusted cookie fails; found and fixed by Jan Pechanec
(closes: #444738).
- sshd(8) in new installations defaults to SSH Protocol 2 only. Existing
installations are unchanged.
- The SSH channel window size has been increased, and both ssh(1)
sshd(8) now send window updates more aggressively. These improves
performance on high-BDP (Bandwidth Delay Product) networks.
- ssh(1) and sshd(8) now preserve MAC contexts between packets, which
saves 2 hash calls per packet and results in 12-16% speedup for
arcfour256/hmac-md5.
- A new MAC algorithm has been added, UMAC-64 (RFC4418) as
"umac-64@openssh.com". UMAC-64 has been measured to be approximately
20% faster than HMAC-MD5.
- Failure to establish a ssh(1) TunnelForward is now treated as a fatal
error when the ExitOnForwardFailure option is set.
- ssh(1) returns a sensible exit status if the control master goes away
without passing the full exit status.
- When using a ProxyCommand in ssh(1), set the outgoing hostname with
gethostname(2), allowing hostbased authentication to work.
- Make scp(1) skip FIFOs rather than hanging (closes: #246774).
- Encode non-printing characters in scp(1) filenames. These could cause
copies to be aborted with a "protocol error".
- Handle SIGINT in sshd(8) privilege separation child process to ensure
that wtmp and lastlog records are correctly updated.
- Report GSSAPI mechanism in errors, for libraries that support multiple
mechanisms.
- Improve documentation for ssh-add(1)'s -d option.
- Rearrange and tidy GSSAPI code, removing server-only code being linked
into the client.
- Delay execution of ssh(1)'s LocalCommand until after all forwardings
have been established.
- In scp(1), do not truncate non-regular files.
- Improve exit message from ControlMaster clients.
- Prevent sftp-server(8) from reading until it runs out of buffer space,
whereupon it would exit with a fatal error (closes: #365541).
- pam_end() was not being called if authentication failed
(closes: #405041).
- Manual page datestamps updated (closes: #433181).
|
|
gcc supports it. ok djm@
|
|
so disable it for that platform. From bacon at cs nyu edu.
|
|
have <poll.h> (eq QNX). From bacon at cs nyu edu.
|
|
did a AC_CHECK_FUNCS within the AC_CHECK_LIB test.
|
|
Matt Kraai, ok djm@.
|
|
openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h]
Add an implementation of poll() built on top of select(2). Code from
OpenNTPD with changes suggested by djm. ok djm@
|
|
changes not previously backported to 4.3p2:
- 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
+ On portable OpenSSH, fix a GSSAPI authentication abort that could be
used to determine the validity of usernames on some platforms.
+ Implemented conditional configuration in sshd_config(5) using the
"Match" directive. This allows some configuration options to be
selectively overridden if specific criteria (based on user, group,
hostname and/or address) are met. So far a useful subset of
post-authentication options are supported and more are expected to
be added in future releases.
+ Add support for Diffie-Hellman group exchange key agreement with a
final hash of SHA256.
+ Added a "ForceCommand" directive to sshd_config(5). Similar to the
command="..." option accepted in ~/.ssh/authorized_keys, this forces
the execution of the specified command regardless of what the user
requested. This is very useful in conjunction with the new "Match"
option.
+ Add a "PermitOpen" directive to sshd_config(5). This mirrors the
permitopen="..." authorized_keys option, allowing fine-grained
control over the port-forwardings that a user is allowed to
establish.
+ Add optional logging of transactions to sftp-server(8).
+ ssh(1) will now record port numbers for hosts stored in
~/.ssh/known_hosts when a non-standard port has been requested
(closes: #50612).
+ Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a
non-zero exit code) when requested port forwardings could not be
established.
+ Extend sshd_config(5) "SubSystem" declarations to allow the
specification of command-line arguments.
+ Replacement of all integer overflow susceptible invocations of
malloc(3) and realloc(3) with overflow-checking equivalents.
+ Many manpage fixes and improvements.
+ Add optional support for OpenSSL hardware accelerators (engines),
enabled using the --with-ssl-engine configure option.
+ Tokens in configuration files may be double-quoted in order to
contain spaces (closes: #319639).
+ Move a debug() call out of a SIGCHLD handler, fixing a hang when the
session exits very quickly (closes: #307890).
+ Fix some incorrect buffer allocation calculations (closes: #410599).
+ ssh-add doesn't ask for a passphrase if key file permissions are too
liberal (closes: #103677).
+ Likewise, ssh doesn't ask either (closes: #99675).
- 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
+ sshd now allows the enabling and disabling of authentication methods
on a per user, group, host and network basis via the Match directive
in sshd_config.
+ Fixed an inconsistent check for a terminal when displaying scp
progress meter (closes: #257524).
+ Fix "hang on exit" when background processes are running at the time
of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from
http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch;
install ChangeLog.gssapi.
|
|
fallback to provided bit-swizzing functions
|
|
- (tim) [configure.ac] Bug #1287: Add missing test for ucred.h.
|
|
to prevent redefinition warnings.
|
|
__nonnull__ for versions of GCC that don't support it.
|
|
so we don't get redefinition warnings.
|
|
platform's _res if it has one. Should fix problem of DNSSEC record lookups
on NetBSD as reported by Curt Sampson.
|
|
- (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c
openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines
to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@
|
|
LIBWRAP and LIBPAM variables in Makefile with the general-purpose
SSHDLIBS. "I like" djm@
|
|
getpeerucred to implement getpeereid (currently only Solaris 10 and up).
Patch by Jan.Pechanec at Sun.
|
|
configure, as some platforms (OS X) ship OpenSSL headers whose version
does not match that of the shipping library. ok dtucker@
|
|
CRLF as well as LF lineendings) and write in binary mode. Patch from
vinschen at redhat.com.
|
|
Pfaff; closes: #391248).
|
|
* NMU to update SELinux patch, bringing it in line with current selinux
releases. The patch for this NMU is simply the Bug#394795 patch,
and no other changes. (closes: #394795)
|
|
SELinux functions so they're detected correctly. Patch from pebenito at
gentoo.org.
|
|
section so additional platform specific CHECK_HEADER tests will work
correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no
Feedback and "seems like a good idea" dtucker@
|
|
support. Patch from andrew.benham at thus net.
|
|
- (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added
to rev 1.308) to work around broken gcc 2.x header file.
|
|
$LDFLAGS. Patch from vapier at gentoo org.
|
|
macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags.
Allows build out of the box with older VAC and XLC compilers. Found by
David Bronder and Bernhard Simon.
|
|
Support SMF in Solaris Packages if enabled by configure. Patch from
Chad Mynhier, tested by dtucker@
|
|
|
|
|
|
|
|
|
|
updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius,
ok djm@
|
|
declaration of writev(2) and declare it ourselves if necessary. Makes
the atomiciov() calls build on really old systems. ok djm@
|
|
test for GLOB_NOMATCH and use our glob functions if it's not found.
Stops sftp from segfaulting when attempting to get a nonexistent file on
Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
from and tested by Corinna Vinschen.
|
|
[platform.c platform.h sshd.c openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
[openbsd-compat/port-solaris.h] Add support for Solaris process
contracts, enabled with --use-solaris-contracts. Patch from Chad
Mynhier, tweaked by dtucker@ and myself; ok dtucker@
|
|
|
|
(0.9.8a and presumably newer) requires -ldl to successfully link.
|
|
fixing bug #1181. No changes yet.
|
|
afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl.
|
|
a signal handler (basically all of them, excepting OpenBSD);
ok dtucker@
|
|
closefrom.c from sudo.
|
|
for closefrom() on AIX. Pointed out by William Ahern.
|
|
versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
rather than just compiling it. Spotted by dlg@.
|
|
for SHUT_RD.
|
|
O_NONBLOCK
if they're really needed. Fixes build errors on HP-UX, old Linuxes and probably
more.
|
|
openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
include paths.h. Fixes build error on Solaris.
|
|
compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
configure would not select the correct libpath linker flags.
|
