summaryrefslogtreecommitdiff
path: root/gss-genr.c
AgeCommit message (Collapse)Author
2007-11-08revert mistakenly committed experimentColin Watson
2007-11-08* Fix sshd/inittab advice in README.Debian to account for rc.d movementColin Watson
(closes: #450632).
2007-06-12* New upstream release (closes: #395507, #397961, #420035). ImportantColin Watson
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2006-08-30 - dtucker@cvs.openbsd.org 2006/08/29 12:02:30Damien Miller
[gss-genr.c] Work around a problem in Heimdal that occurs when KRB5CCNAME file is missing, by checking whether or not kerberos allocated us a context before attempting to free it. Patch from Simon Wilkinson, tested by biorn@, ok djm@
2006-08-19 - (djm) OpenBSD CVS SyncDamien Miller
- djm@cvs.openbsd.org 2006/08/18 22:41:29 [gss-genr.c] GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
2006-08-19 - djm@cvs.openbsd.org 2006/08/18 14:40:34Damien Miller
[gss-genr.c ssh-gss.h] constify host argument to match the rest of the GSSAPI functions and unbreak compilation with -Werror
2006-08-19 - djm@cvs.openbsd.org 2006/08/18 13:54:54Damien Miller
[gss-genr.c ssh-gss.h sshconnect2.c] bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk ok markus@
2006-08-05 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42Damien Miller
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything *except* removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy")
2006-08-05 - stevesk@cvs.openbsd.org 2006/07/26 02:35:17Damien Miller
[atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c] [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c] [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c] [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c] [uidswap.c xmalloc.c] move #include <sys/param.h> out of includes.h
2006-07-24 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]Damien Miller
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c] [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c] [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c] [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c] [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c] [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c] [openbsd-compat/mktemp.c openbsd-compat/port-linux.c] [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c] make the portable tree compile again - sprinkle unistd.h and string.h back in. Don't redefine __unused, as it turned out to be used in headers on Linux, and replace its use in auth-pam.c with ARGSUSED
2006-07-24 - stevesk@cvs.openbsd.org 2006/07/22 20:48:23Damien Miller
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c] [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c] [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c] [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c] [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c] [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c] [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c] [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c] [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c] [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c] [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c] move #include <string.h> out of includes.h
2006-05-12* Update to current GSSAPI patch fromColin Watson
http://www.sxw.org.uk/computing/patches/openssh-4.3p2-gsskex-20060223.patch (closes: #352042).
2006-05-12Merge 4.3p2 to the trunk.Colin Watson
2006-04-23 - djm@cvs.openbsd.org 2006/04/03 07:10:38Damien Miller
[gss-genr.c] GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066 by dleonard AT vintela.com. use xasprintf() to simplify code while in there; "looks right" deraadt@
2006-03-26 - djm@cvs.openbsd.org 2006/03/25 22:22:43Damien Miller
[atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h] [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h] [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h] [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c] [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h] [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h] [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h] [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h] [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h] [ttymodes.h uidswap.h uuencode.h xmalloc.h] standardise spacing in $OpenBSD$ tags; requested by deraadt@
2006-03-26 - djm@cvs.openbsd.org 2006/03/25 00:05:41Damien Miller
[auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c] [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c] [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c] [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c] [xmalloc.c xmalloc.h] introduce xcalloc() and xasprintf() failure-checked allocations functions and use them throughout openssh xcalloc is particularly important because malloc(nmemb * size) is a dangerous idiom (subject to integer overflow) and it is time for it to die feedback and ok deraadt@
2006-03-26 - djm@cvs.openbsd.org 2006/03/20 04:07:49Damien Miller
[gss-genr.c] more GSSAPI related leaks detected by Coverity via elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
2005-11-05 - stevesk@cvs.openbsd.org 2005/10/13 22:24:31Damien Miller
[auth2-gss.c gss-genr.c gss-serv.c monitor.c] KNF; ok djm@
2005-11-05 - stevesk@cvs.openbsd.org 2005/10/13 14:03:01Damien Miller
[auth2-gss.c gss-genr.c gss-serv.c] remove unneeded #includes; ok markus@
2005-09-16* Initialise token to GSS_C_EMPTY_BUFFER in ssh_gssapi_check_mechanismColin Watson
(closes: #328606).
2005-09-14* Add remaining pieces of Kerberos support (closes: #275472):Colin Watson
- Add GSSAPI key exchange support from http://www.sxw.org.uk/computing/patches/openssh.html (thanks, Stephen Frost).
2005-07-17 - djm@cvs.openbsd.org 2005/07/17 07:17:55Damien Miller
[auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c] [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c] [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c] [sshconnect.c sshconnect2.c] knf says that a 2nd level indent is four (not three or five) spaces
2003-11-21more whitespace (tabs this time)Damien Miller
2003-11-21 - djm@cvs.openbsd.org 2003/11/21 11:57:03Damien Miller
[everything] unexpand and delete whitespace at EOL; ok markus@ (done locally and RCS IDs synced)
2003-11-17 - markus@cvs.openbsd.org 2003/11/17 11:06:07Damien Miller
[auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c] [monitor_wrap.h sshconnect2.c ssh-gss.h] replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; test + ok jakob.
2003-08-26 - markus@cvs.openbsd.org 2003/08/22 10:56:09Darren Tucker
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c session.h ssh-gss.h ssh_config.5 sshconnect2.c sshd_config sshd_config.5] support GSS API user authentication; patches from Simon Wilkinson, stripped down and tested by Jakob and myself.