summaryrefslogtreecommitdiff
path: root/contrib
AgeCommit message (Collapse)Author
2012-09-07* New upstream release (http://www.openssh.com/txt/release-6.1).Colin Watson
- Enable pre-auth sandboxing by default for new installs. - Allow "PermitOpen none" to refuse all port-forwarding requests (closes: #543683).
2012-08-24Call restorecon on copied ~/.ssh/authorized_keys if possible, since someColin Watson
SELinux policies require this (closes: #658675).
2012-08-22 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Update version numbers
2012-06-22 - (dtucker) [contrib/cygwin/ssh-host-config] Ensure that user sshd runs asDarren Tucker
can logon as a service. Patch from vinschen at redhat com.
2012-05-19 - (dtucker) [configure.ac contrib/Makefile] bz#1996: use AC_PATH_TOOL to findDarren Tucker
pkg-config so it does the right thing when cross-compiling. Patch from cjwatson at debian org.
2012-05-18* New upstream release (http://www.openssh.org/txt/release-6.0).Colin Watson
- Fix IPQoS not being set on non-mapped v4-in-v6 addressed connections (closes: #643312, #650512). - Add a new privilege separation sandbox implementation for Linux's new seccomp sandbox, automatically enabled on platforms that support it. (Note: privilege separation sandboxing is still experimental.)
2012-04-20 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Update for release 6.0
2012-04-02* Fix cross-building:Colin Watson
- Allow using a cross-architecture pkg-config. - Pass default LDFLAGS to contrib/Makefile. - Allow dh_strip to strip gnome-ssh-askpass, rather than calling 'install -s'.
2012-03-30 - (dtucker) [contrib/redhat/openssh.spec] Bug #1992: remove now-gone WARNINGDarren Tucker
file from spec file. From crighter at nuclioss com.
2011-10-25 - (dtucker) [contrib/cygwin/Makefile] Continue if installing a doc fileDarren Tucker
fails. Patch from Corinna Vinschen.
2011-09-07merge respun 5.9p1Colin Watson
2011-09-07Import 5.9p1 tarball (respun)Colin Watson
2011-09-07 - (djm) [contrib/redhat/openssh.spec] Correct restorcon => restoreconDamien Miller
2011-09-07 - (djm) [README version.h] Correct versionDamien Miller
2011-09-06* New upstream release (http://www.openssh.org/txt/release-5.9).Colin Watson
- Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform. - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt. - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot (closes: #75043, #429243, #599240). - ssh(1) now warns when a server refuses X11 forwarding (closes: #504757). - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace (closes: #76312). The authorized_keys2 fallback is deprecated but documented (closes: #560156). - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS, as well as IPv4 ToS/DSCP (closes: #498297). - ssh-add(1) now accepts keys piped from standard input. E.g. "ssh-add - < /path/to/key" (closes: #229124). - Clean up lost-passphrase text in ssh-keygen(1) (closes: #444691). - Say "required" rather than "recommended" in unprotected-private-key warning (LP: #663455).
2011-09-06Import 5.9p1 tarballColin Watson
2011-09-05 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Update version numbers.
2011-09-05 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Update version numbers.
2011-08-17 - (djm) [contrib/ssh-copy-id] Missing backlslash; spotted byDamien Miller
bisson AT archlinux.org
2011-08-12 - (djm) [contrib/ssh-copy-id] Fix failure for cases where the path to theDamien Miller
identify file contained whitespace. bz#1828 patch from gwenael.lambrouin AT gmail.com; ok dtucker@
2011-08-12 - (djm) [contrib/redhat/openssh.spec contrib/redhat/sshd.init]Damien Miller
[contrib/suse/openssh.spec contrib/suse/rc.sshd] Updated RHEL and SLES init scrips from imorgan AT nas.nasa.gov
2011-06-03 - (dtucker) [README version.h contrib/caldera/openssh.specDarren Tucker
contrib/redhat/openssh.spec contrib/suse/openssh.spec] Pull the version bumps from the 5.8p2 branch into HEAD. ok djm.
2011-05-05 - (djm) [Makefile.in WARNING.RNG aclocal.m4 buildpkg.sh.in configure.ac]Damien Miller
[entropy.c ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-pkcs11-helper.c ssh-rand-helper.8 ssh-rand-helper.c] [ssh.c ssh_prng_cmds.in sshd.c contrib/aix/buildbff.sh] [regress/README.regress] Remove ssh-rand-helper and all its tentacles. PRNGd seeding has been rolled into entropy.c directly. Thanks to tim@ for testing on affected platforms.
2011-02-21 - (dtucker) [contrib/cygwin/ssh-host-config] From Corinna: revamp of theDarren Tucker
Cygwin-specific service installer script ssh-host-config. The actual functionality is the same, the revisited version is just more exact when it comes to check for problems which disallow to run certain aspects of the script. So, part of this script and the also rearranged service helper script library "csih" is to check if all the tools required to run the script are available on the system. The new script also is more thorough to inform the user why the script failed. Patch from vinschen at redhat com.
2011-02-06 - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add ECDSA keyDarren Tucker
generation and simplify. Patch from Corinna Vinschen.
2011-02-05* New upstream release (http://www.openssh.org/txt/release-5.8):Colin Watson
- Fix stack information leak in legacy certificate signing (http://www.openssh.com/txt/legacy-cert.adv).
2011-02-05Import 5.8p1 tarballColin Watson
2011-02-04 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] update versions in docs and spec files. - Release OpenSSH 5.8p1
2011-02-04 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] update versions in docs and spec files. - Release OpenSSH 5.8p1
2011-01-24* New upstream release (http://www.openssh.org/txt/release-5.7):Colin Watson
- Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys. - sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command. - scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host (closes: #508613). - ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races (closes: #454784). Stale server sockets are now automatically removed (closes: #523250). - ssh(1): install a SIGCHLD handler to reap expired child process (closes: #594687). - ssh(1)/ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories (closes: #357469, although only if you arrange for ssh-agent to actually see $TMPDIR since the setgid bit will cause it to be stripped off).
2011-01-24Import 5.7p1 tarballColin Watson
2011-01-22 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] update versions in docs and spec files.
2011-01-18 - (tim) [contrib/caldera/openssh.spec] Use CFLAGS from Makefile insteadTim Rice
of RPM so build completes. Signatures were changed to .asc since 4.1p1.
2010-08-27 - (dtucker) [contrib/redhat/sshd.init] Bug #1810: initlog is deprecated,Darren Tucker
remove. Patch from martynas at venck us.
2010-08-23* New upstream release (http://www.openssh.com/txt/release-5.6):Colin Watson
- Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity (closes: #335697, #350898, #454787, #500573, #550262). - Support AuthorizedKeysFile, AuthorizedPrincipalsFile, HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5) Match blocks (closes: #549858). - sftp(1): fix ls in working directories that contain globbing characters in their pathnames (LP: #530714).
2010-08-23Import 5.6p1 tarballColin Watson
2010-08-10 - (dtucker) bug #1530: strip trailing ":" from hostname in ssh-copy-id.Darren Tucker
based in part on a patch from Colin Watson, ok djm@
2010-08-09 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]Damien Miller
[contrib/suse/openssh.spec] Crank version numbers
2010-07-19 - (dtucker) [contrib/ssh-copy-ud.1] Bug #1786: update ssh-copy-id.1 with moreDarren Tucker
details about its behaviour WRT existing directories. Patch from asguthrie at gmail com, ok djm.
2010-07-14 - (tim) [contrib/redhat/openssh.spec] Bug 1796: Test for skip_x11_askpassTim Rice
(line 77) should have been for no_x11_askpass.
2010-06-18 - (djm) [contrib/ssh-copy-id] Update key file explicitly under ~Damien Miller
rather than assuming that $CWD == $HOME. bz#1500, patch from timothy AT gelter.com
2010-06-17 - (tim) [contrib/cygwin/README] Remove a reference to the obsoleteTim Rice
minires-devel package, and to add the reference to the libedit-devel package since CYgwin now provides libedit. Patch from Corinna Vinschen.
2010-04-18 - (dtucker) [contrib/aix/buildbff.sh] Fix creation of ssh_prng_cmds.defaultDarren Tucker
file.
2010-04-16* New upstream release:Colin Watson
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths. - Include a language tag when sending a protocol 2 disconnection message. - Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys.
2010-04-16Import 5.5p1 tarballColin Watson
2010-04-09 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrongDarren Tucker
ones. Based on a patch from Roumen Petrov.
2010-03-31* New upstream release (LP: #535029).Colin Watson
- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
2010-03-31Import 5.4p1 tarballColin Watson
2010-03-26 - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;Damien Miller
bz#1723 patch from Adeodato Simó via Colin Watson; ok dtucker@
2010-03-26 - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 usingDarren Tucker
pkg-config, patch from Colin Watson. Needed for newer linkers (ie gold).