summaryrefslogtreecommitdiff
path: root/openbsd-compat
AgeCommit message (Collapse)Author
2007-06-12fix some missing #includes etc.Colin Watson
2007-06-12* New upstream release (closes: #395507, #397961, #420035). ImportantColin Watson
changes not previously backported to 4.3p2: - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4): + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms. + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases. + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256. + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option. + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish. + Add optional logging of transactions to sftp-server(8). + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612). + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established. + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments. + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents. + Many manpage fixes and improvements. + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option. + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639). + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890). + Fix some incorrect buffer allocation calculations (closes: #410599). + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677). + Likewise, ssh doesn't ask either (closes: #99675). - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6): + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config. + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524). + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337). * Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2007-06-12Import OpenSSH 4.6p1.Colin Watson
2007-03-05 - (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around aDarren Tucker
bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256 ciphers from working correctly (disconnects with "Bad packet length" errors) as found by Ben Harris. ok djm@
2007-02-19 - (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to callocDarren Tucker
an array for signatures when there are none since "calloc(0, n) returns NULL on some platforms (eg Tru64), which is explicitly permitted by POSIX. Diagnosis and patch by svallet genoscope.cns.fr.
2007-01-24 - (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for publicDarren Tucker
library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro so it works properly and modify its callers so that they don't pre or post decrement arguments that are conditionally evaluated. While there, put SNPRINTF_CONST back as it prevents build failures in some configurations. ok djm@ (for most of it)
2007-01-14 - (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in returnDamien Miller
value of snprintf replacement, similar to bugs in various libc implementations. This overflow is not exploitable in OpenSSH. While I'm fiddling with it, make it a fair bit faster by inlining the append-char routine; ok dtucker@
2006-12-05 - (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@Damien Miller
2006-11-01 - (dtucker) [openbsd-compat/port-solaris.c] Bug #1255: Make only hwerrDarren Tucker
events fatal in Solaris process contract support and tell it to signal only processes in the same process group when something happens. Based on information from andrew.benham at thus.net and similar to a patch from Chad Mynhier. ok djm@
2006-09-18 - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes.Darren Tucker
Prevents macro redefinition warnings of "RDONLY".
2006-09-09 - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h.Darren Tucker
2006-09-03 - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check forDarren Tucker
declaration of writev(2) and declare it ourselves if necessary. Makes the atomiciov() calls build on really old systems. ok djm@
2006-09-02 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.cDarren Tucker
openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h> for hton* and ntoh* macros. Required on (at least) HP-UX since we define _XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com.
2006-09-02 - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.Darren Tucker
2006-09-01 - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] ExplicitlyDarren Tucker
test for GLOB_NOMATCH and use our glob functions if it's not found. Stops sftp from segfaulting when attempting to get a nonexistent file on Cygwin (previous versions of OpenSSH didn't use the native glob). Partly from and tested by Corinna Vinschen.
2006-09-01 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implict declarationDarren Tucker
warnings for binary_open and binary_close. Patch from Corinna Vinschen.
2006-09-01 - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]Damien Miller
[openbsd-compat/rresvport.c] Some more headers: netinet/in.h sys/socket.h and unistd.h in various places
2006-09-01 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]Damien Miller
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c] [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c] [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c] [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c] [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c] [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c] [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c] [sshconnect1.c sshconnect2.c sshd.c rc4.diff] [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c] [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c] [openbsd-compat/port-uw.c] Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h; compile problems reported by rac AT tenzing.org
2006-08-31 - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]Damien Miller
[platform.c platform.h sshd.c openbsd-compat/Makefile.in] [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c] [openbsd-compat/port-solaris.h] Add support for Solaris process contracts, enabled with --use-solaris-contracts. Patch from Chad Mynhier, tweaked by dtucker@ and myself; ok dtucker@
2006-08-30 - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always callDarren Tucker
loginsuccess on AIX immediately after authentication to clear the failed login count. Previously this would only happen when an interactive session starts (ie when a pty is allocated) but this means that accounts that have primarily non-interactive sessions (eg scp's) may gradually accumulate enough failures to lock out an account. This change may have a side effect of creating two audit records, one with a tty of "ssh" corresponding to the authentication and one with the allocated pty per interactive session.
2006-08-30 - (djm) [openbsd-compat/xcrypt.c] needs unistd.hDamien Miller
2006-08-24 - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to preventDarren Tucker
unused variable warning when we have a broken or missing mmap(2). Now with 100% more diff!
2006-08-24 - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.Darren Tucker
2006-08-24 - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).Darren Tucker
2006-08-24 - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)Darren Tucker
on POSIX systems.
2006-08-24 - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) onDarren Tucker
older systems.
2006-08-24 - (dtucker) [openbsd-compat/basename.c] Include errno.h.Darren Tucker
2006-08-19 - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add aDarren Tucker
single rule for the test progs.
2006-08-18 - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for theDarren Tucker
test progs instead; they work better than what we have.
2006-08-18 - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.Darren Tucker
2006-08-18 - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.Darren Tucker
2006-08-18 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync withDarren Tucker
closefrom.c from sudo.
2006-08-17 - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] RegressDarren Tucker
test for closefrom() in compat code.
2006-08-17 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntlDarren Tucker
for closefrom() on AIX. Pointed out by William Ahern.
2006-08-17 - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]Darren Tucker
Include stdlib.h for malloc and friends.
2006-08-07 - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warningsDamien Miller
on Solaris 10
2006-08-06 - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,Darren Tucker
glob.c}] Include stdlib.h for malloc and friends in compat code.
2006-08-05 - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.Darren Tucker
2006-08-05 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compileDarren Tucker
on Cygwin.
2006-08-05 - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,Darren Tucker
otherwise it is implicitly declared as returning an int.
2006-08-05 - (dtucker) [openbsd-compat/getrrsetbyname.c] Nees stdlib.h for malloc.Darren Tucker
2006-08-05 - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots ofDarren Tucker
#include stdarg.h, needed for log.h.
2006-08-05 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]Damien Miller
[openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more includes for Linux in
2006-08-05 - (djm) [openbsd-compat/regress/snprintftest.c]Damien Miller
[openbsd-compat/regress/strduptest.c] Add missing includes so they pass compilation with "-Wall -Werror"
2006-08-05ignore built test binaries tooDamien Miller
2006-08-05ignore generated MakefileDamien Miller
2006-08-05 - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]Damien Miller
remove last traces of bufaux.h - it was merged into buffer.h in the big includes.h commit
2006-08-05 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42Damien Miller
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] [serverloop.c session.c session.h sftp-client.c sftp-common.c] [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] almost entirely get rid of the culture of ".h files that include .h files" ok djm, sort of ok stevesk makes the pain stop in one easy step NB. portable commit contains everything *except* removing includes.h, as that will take a fair bit more work as we move headers that are required for portability workarounds to defines.h. (also, this step wasn't "easy")
2006-08-02 - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.Darren Tucker
2006-07-25 - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW.Darren Tucker