summaryrefslogtreecommitdiff
path: root/entropy.c
AgeCommit message (Collapse)Author
2007-06-12* New upstream release (closes: #395507, #397961, #420035). ImportantColin Watson
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2006-09-28 - (dtucker) [entropy.c] Bug #1238: include signal.h to fix compilation errorDarren Tucker
on Solaris 8 w/out /dev/random or prngd. Patch from rl at math.technion.ac.il.
2006-09-01 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]Damien Miller
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c] [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c] [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c] [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c] [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c] [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c] [sshconnect1.c sshconnect2.c sshd.c rc4.diff] [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c] [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c] [openbsd-compat/port-uw.c] Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h; compile problems reported by rac AT tenzing.org
2006-08-05 - (dtucker) [entropy.c] Needs unistd.h too.Darren Tucker
2006-08-05 - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]Damien Miller
remove last traces of bufaux.h - it was merged into buffer.h in the big includes.h commit
2006-07-11 - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probablyDarren Tucker
others).
2006-05-12Merge 4.3p2 to the trunk.Colin Watson
2006-03-26 - deraadt@cvs.openbsd.org 2006/03/19 18:51:18Damien Miller
[atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c] [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c] [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c] [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c] [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c] [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c] [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c] [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c] [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c] [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c] [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c] [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c] [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c] [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c] [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c] [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c] [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c] [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c] RCSID() can die
2006-03-16 - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.Darren Tucker
2005-09-28 - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistencyDarren Tucker
2005-09-27 - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'edDarren Tucker
process when sshd relies on ssh-random-helper. Should result in faster logins on systems without a real random device or prngd. ok djm@
2005-09-27 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuidDarren Tucker
calls, since they can't possibly fail. ok djm@
2005-09-14Merge 4.2p1 to the trunk.Colin Watson
2005-07-17 -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]Damien Miller
[ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
2004-03-01Merge 3.8p1 to the trunk. This builds and runs, but I haven't tested itColin Watson
extensively yet. ProtocolKeepAlives is now just a compatibility alias for ServerAliveInterval.
2003-11-21more whitespace (tabs this time)Damien Miller
2003-11-21 - djm@cvs.openbsd.org 2003/11/21 11:57:03Damien Miller
[everything] unexpand and delete whitespace at EOL; ok markus@ (done locally and RCS IDs synced)
2003-09-23Merge 3.7.1p2 to the trunk. I have absolutely no idea yet whether this willColin Watson
work.
2003-09-01Debian release 3.4p1-1.Colin Watson
2003-08-25 - (bal) redo how we handle 'mysignal()'. Move it toBen Lindstrom
openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to be our 'mysignal' by default. OK djm@
2003-05-16 - (djm) A few type mismatch fixes from Bug #565Damien Miller
2002-06-09unexpandBen Lindstrom
2002-04-21[entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0).Tim Rice
entropy.c needs seteuid(getuid()) for the setuid(original_uid) to succeed. Patch by gert@greenie.muc.de. This fixes one part of Bug 208
2002-04-18 - (djm) Avoid SIGCHLD breakage when run from rsync. Fix fromDamien Miller
Sturle Sunde <sturle.sunde@usit.uio.no>
2002-03-11 - (stevesk) entropy.c: typo in debug messageKevin Steves
2002-01-22 - (djm) autoconf hacking:Damien Miller
- We don't support --without-zlib currently, so don't allow it. - Rework cryptographic random number support detection. We now detect whether OpenSSL seeds itself. If it does, then we don't bother with the ssh-rand-helper program. You can force the use of ssh-rand-helper using the --with-rand-helper configure argument - Simplify and clean up ssh-rand-helper configuration
2001-12-24 - (djm) Ignore fix & patchlevel in OpenSSL version check. Patch fromDamien Miller
solar@openwall.com - (djm) Rework entropy code. If the OpenSSL PRNG is has not been internally seeded, execute a subprogram "ssh-rand-helper" to obtain some entropy for us. Rewrite the old in-process entropy collecter as an example ssh-rand-helper. - (djm) Always perform ssh_prng_cmds path lookups in configure, even if we don't end up using ssh_prng_cmds (so we always get a valid file)
2001-08-06 - (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ onDamien Miller
a fast UltraSPARC.
2001-06-27 - (djm) Fix a few warnings the above turned upDamien Miller
2001-03-19 - (djm) Seed PRNG at startup, rather than waiting for arc4random calls toDamien Miller
do it implicitly.
2001-03-04 - Allow PRNGd entropy collection from localhost TCP socket. ReplaceDamien Miller
"--with-egd-pool" configure option with "--with-prngd-socket" and "--with-prngd-port" options. Debugged and improved by Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE>
2001-02-27avoid warningDamien Miller
2001-02-27 - (djm) Warning fix on entropy.c saved uid stuff. Patch from Mark MillerDamien Miller
<markm@swoon.net>
2001-02-27 - (djm) fatal() on OpenSSL version mismatchDamien Miller
2001-02-27 - (djm) Fix up POSIX saved uid support. Report from Mark MillerDamien Miller
<markm@swoon.net> - (djm) Search for -lcrypt on FreeBSD too
2001-02-26 - (djm) Some systems (SCO3, NeXT) have weird saved uid semantics.Damien Miller
Based on patch from Tim Rice <tim@multitalents.net>
2001-02-18 - (stevesk) entropy.c: typo; should be SIGPIPEKevin Steves
2001-02-18 - (djm) Move entropy.c over to mysignal()Damien Miller
2001-02-18 - (djm) Robustify EGD/PRNGd code in face of socket closures. Patch fromDamien Miller
Todd C. Miller <Todd.Miller@courtesan.com>
2001-02-05 - stevesk@cvs.openbsd.org 2001/02/04 08:32:27Kevin Steves
[many files; did this manually to our top-level source dir] unexpand and remove end-of-line whitespace; ok markus@
2001-01-2220010123Ben Lindstrom
- (bal) regexp.h typo in configure.in. Should have been regex.h - (bal) SSH_USER_DIR to _PATH_SSH_USER_DIR patch by stevesk@
2001-01-22Hopefully things did not get mixed around too much. It compiles underBen Lindstrom
Linux and works. So that is at least a good sign. =) 20010122 - (bal) OpenBSD Resync - markus@cvs.openbsd.org 2001/01/19 12:45:26 GMT 2001 by markus [servconf.c ssh.h sshd.c] only auth-chall.c needs #ifdef SKEY - markus@cvs.openbsd.org 2001/01/19 15:55:10 GMT 2001 by markus [auth-krb4.c auth-options.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c auth2.c channels.c clientloop.c dh.c dispatch.c nchan.c packet.c pathname.h readconf.c scp.c servconf.c serverloop.c session.c ssh-add.c ssh-keygen.c ssh-keyscan.c ssh.c ssh.h ssh1.h sshconnect1.c sshd.c ttymodes.c] move ssh1 definitions to ssh1.h, pathnames to pathnames.h - markus@cvs.openbsd.org 2001/01/19 16:48:14 [sshd.8] fix typo; from stevesk@ - markus@cvs.openbsd.org 2001/01/19 16:50:58 [ssh-dss.c] clear and free digest, make consistent with other code (use dlen); from stevesk@ - markus@cvs.openbsd.org 2001/01/20 15:55:20 GMT 2001 by markus [auth-options.c auth-options.h auth-rsa.c auth2.c] pass the filename to auth_parse_options() - markus@cvs.openbsd.org 2001/01/20 17:59:40 GMT 2001 [readconf.c] fix SIGSEGV from -o ""; problem noted by jehsom@togetherweb.com - stevesk@cvs.openbsd.org 2001/01/20 18:20:29 [sshconnect2.c] dh_new_group() does not return NULL. ok markus@ - markus@cvs.openbsd.org 2001/01/20 21:33:42 [ssh-add.c] do not loop forever if askpass does not exist; from andrew@pimlott.ne.mediaone.net - djm@cvs.openbsd.org 2001/01/20 23:00:56 [servconf.c] Check for NULL return from strdelim; ok markus - djm@cvs.openbsd.org 2001/01/20 23:02:07 [readconf.c] KNF; ok markus - jakob@cvs.openbsd.org 2001/01/21 9:00:33 [ssh-keygen.1] remove -R flag; ok markus@ - markus@cvs.openbsd.org 2001/01/21 19:05:40 [atomicio.c automicio.h auth-chall.c auth-krb4.c auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c auth2-chall.c auth2.c authfd.c authfile.c bufaux.c bufaux.h buffer.c canahost.c canahost.h channels.c cipher.c cli.c clientloop.c clientloop.h compat.c compress.c deattack.c dh.c dispatch.c groupaccess.c hmac.c hostfile.c kex.c key.c key.h log-client.c log-server.c log.c log.h login.c login.h match.c misc.c misc.h nchan.c packet.c pty.c radix.h readconf.c readpass.c readpass.h rsa.c scp.c servconf.c serverloop.c serverloop.h session.c sftp-server.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c tildexpand.h ttysmodes.c uidswap.c xmalloc.c] split ssh.h and try to cleanup the #include mess. remove unnecessary #includes. rename util.[ch] -> misc.[ch] - (bal) renamed 'PIDDIR' to '_PATH_SSH_PIDDIR' to match OpenBSD tree - (bal) Moved #ifdef KRB4 in auth-krb4.c above the #include to resolve conflict when compiling for non-kerb install - (bal) removed the #ifdef SKEY in auth1.c to match Markus' changes on 1/19.
2001-01-17- (djm) Only write random seed file at exitDamien Miller
2000-11-25give up privs when reading seed fileDamien Miller
2000-10-16 - (djm) Make inability to read/write PRNG seedfile non-fatalDamien Miller
2000-09-29 - (djm) Clean up. Strip some unnecessary differences with OpenBSD's code,Damien Miller
tidy necessary differences. Use Markus' new debugN() in entropy.c
2000-09-16 - (djm) Add Steve VanDevender's <stevev@darkwing.uoregon.edu> PAMDamien Miller
password change patch. - (djm) Bring licenses on my stuff in line with OpenBSD's
2000-07-15 - Fixes for SunOS 4.1.4 from Gordon Atwood <gordon@cs.ualberta.ca>Damien Miller
- Include floatingpoint.h for entropy.c - strerror replacement
2000-07-09 - (djm) Fix pam sprintf fixDamien Miller
- (djm) Cleanup entropy collection code a little more. Split initialisation from seeding, perform intialisation immediatly at start, be careful with uids. Based on problem report from Jim Watt <jimw@peisj.pebio.com>
2000-06-26Fix fixed egd codeDamien Miller