summaryrefslogtreecommitdiff
path: root/openbsd-compat
AgeCommit message (Collapse)Author
2010-11-22 - (dtucker) Bug #1840: fix warning when configuring --with-ssl-engine, patchDarren Tucker
from vapier at gentoo org.
2010-11-08 - (tim) [configure.ac openbsd-compat/bsd-misc.h openbsd-compat/bsd-misc.c] AddTim Rice
support for platforms missing isblank(). ok djm@
2010-11-05 - (dtucker) [configure.ac platform.{c,h} session.cDarren Tucker
openbsd-compat/port-solaris.{c,h}] Bug #1824: Add Solaris Project support. Patch from cory.erickson at csu mnscu edu with a bit of rework from me. ok djm@
2010-10-24 - (tim) [openbsd-compat/glob.h] Remove sys/cdefs.h include that came withTim Rice
1.12 to unbreak Solaris build. ok djm@
2010-10-07 - (djm) [openbsd-compat/Makefile.in] Actually link timingsafe_bcmpDamien Miller
2010-10-07 - (djm) [openbsd-compat/glob.c] restore ARG_MAX compat code.Damien Miller
2010-10-07 - djm@cvs.openbsd.org 2010/10/01 23:05:32Damien Miller
[cipher-3des1.c cipher-bf1.c cipher-ctr.c openbsd-compat/openssl-compat.h] adapt to API changes in openssl-1.0.0a NB. contains compat code to select correct API for older OpenSSL
2010-10-07sadly, two typos on one line is not my best recordDamien Miller
2010-10-07unbreak previousDamien Miller
2010-10-07 - djm@cvs.openbsd.org 2010/09/25 09:30:16Damien Miller
[sftp.c configure.ac openbsd-compat/glob.c openbsd-compat/glob.h] make use of new glob(3) GLOB_KEEPSTAT extension to save extra server rountrips to fetch per-file stat(2) information. NB. update openbsd-compat/ glob(3) implementation from OpenBSD libc to match.
2010-10-07 - matthew@cvs.openbsd.org 2010/09/24 13:33:00Damien Miller
[misc.c misc.h configure.ac openbsd-compat/openbsd-compat.h] [openbsd-compat/timingsafe_bcmp.c] Add timingsafe_bcmp(3) to libc, mention that it's already in the kernel in kern(9), and remove it from OpenSSH. ok deraadt@, djm@ NB. re-added under openbsd-compat/ for portable OpenSSH
2010-09-10 - (dtucker) [openbsd-compat/port-linux.c] Check is_selinux_enabled for exactDarren Tucker
return code since it can apparently return -1 under some conditions. From openssh bugs werbittewas de, ok djm@
2010-08-23* New upstream release (http://www.openssh.com/txt/release-5.6):Colin Watson
- Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity (closes: #335697, #350898, #454787, #500573, #550262). - Support AuthorizedKeysFile, AuthorizedPrincipalsFile, HostbasedUsesNameFromPacketOnly, and PermitTunnel in sshd_config(5) Match blocks (closes: #549858). - sftp(1): fix ls in working directories that contain globbing characters in their pathnames (LP: #530714).
2010-08-23Import 5.6p1 tarballColin Watson
2010-08-16 - (dtucker) [configure.ac openbsd-compat/Makefile.inDarren Tucker
openbsd-compat/openbsd-compat.h openbsd-compat/strptime.c] Add strptime to the compat library which helps on platforms like old IRIX. Based on work by djm, tested by Tom Christensen.
2010-08-10 - (djm) bz#1561: don't bother setting IFF_UP on tun(4) device if it isDamien Miller
already set. Makes FreeBSD user openable tunnels useful; patch from richard.burakowski+ossh AT mrburak.net, ok dtucker@
2010-06-26 - (tim) [openbsd-compat/port-uw.c] Reorder includes. auth-options.h now needsTim Rice
key.h.
2010-05-12 - (djm) [openbsd-compat/openssl-compat.h] Fix build breakage on olderDamien Miller
libcrypto by defining OPENSSL_[DR]SA_MAX_MODULUS_BITS if they aren't already. ok dtucker@
2010-04-16* New upstream release:Colin Watson
- Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths. - Include a language tag when sending a protocol 2 disconnection message. - Make logging of certificates used for user authentication more clear and consistent between CAs specified using TrustedUserCAKeys and authorized_keys.
2010-04-16Import 5.5p1 tarballColin Watson
2010-04-06Borrow patch from Fedora to add DNSSEC support: if glibc 2.11 isColin Watson
installed, the host key is published in an SSHFP RR secured with DNSSEC, and VerifyHostKeyDNS=yes, then ssh will no longer prompt for host key verification (closes: #572049).
2010-03-31* New upstream release (LP: #535029).Colin Watson
- After a transition period of about 10 years, this release disables SSH protocol 1 by default. Clients and servers that need to use the legacy protocol must explicitly enable it in ssh_config / sshd_config or on the command-line. - Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. This support is enabled by default in the Debian packaging, since it now doesn't involve additional library dependencies (closes: #231472, LP: #16918). - Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (closes: #482806). - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...". - Add the ability to revoke keys in sshd(8) and ssh(1). (For the Debian package, this overlaps with the key blacklisting facility added in openssh 1:4.7p1-9, but with different file formats and slightly different scopes; for the moment, I've roughly merged the two.) - Various multiplexing improvements, including support for requesting port-forwardings via the multiplex protocol (closes: #360151). - Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has (closes: #496843). - Many sftp client improvements, including tab-completion, more options, and recursive transfer support for get/put (LP: #33378). The old mget/mput commands never worked properly and have been removed (closes: #270399, #428082). - Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug (closes: #431538). - Prevent sftp from crashing when given a "-" without a command. Also, allow whitespace to follow a "-" (closes: #531561).
2010-03-31Import 5.4p1 tarballColin Watson
2010-03-26 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detectionDamien Miller
for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
2010-03-01 - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOMDarren Tucker
adjust log at verbose only, since according to cjwatson in bug #1470 some virtualization platforms don't allow writes.
2010-02-28 - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environmentDamien Miller
variables copied into sshd child processes. From vinschen AT redhat.com
2010-01-29 - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()Darren Tucker
after registering the hardware engines, which causes the openssl.cnf file to be processed. See OpenSSL's man page for OPENSSL_config(3) for details. Patch from Solomon Peachy, ok djm@.
2010-01-24* New upstream release.Colin Watson
* Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.3p1-gsskex-all-20100124.patch.
2010-01-24Import 5.3p1 tarballColin Watson
2010-01-16 - (dtucker) [openbsd-compat/openbsd-compat.h] Typo.Darren Tucker
2010-01-16 - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unusedDarren Tucker
variable warnings.
2010-01-16 - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted byDarren Tucker
Tim.
2010-01-16 - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uidDarren Tucker
and group_from_gid.
2010-01-16 - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.hDarren Tucker
so we correctly detect whether or not we have a native user_from_uid.
2010-01-15 - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c} PortabilityDarren Tucker
for pwcache. Also, added caching of negative hits.
2010-01-15 - (dtucker) [openbsd-compat.c/pwcache.c] Pull in pwcache.c from OpenBSD (noDarren Tucker
changes yet but there will be some to come).
2010-01-13 - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22.Darren Tucker
Fixes bz #1590, where sometimes you could not interrupt a connection while ssh was prompting for a passphrase or password.
2010-01-13 - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21.Darren Tucker
2010-01-13 - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's ↵Darren Tucker
r1.18: missing restore of SIGTTOU and some whitespace.
2010-01-02Initialise sc to NULL in ssh_selinux_getctxbyname (thanks, Václav Ovsík;Colin Watson
closes: #498684).
2010-01-01* New upstream release (closes: #536182). Yes, I know 5.3p1 has been outColin Watson
for a while, but there's no GSSAPI patch available for it yet. - Change the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". - Add countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack (closes: #506115, LP: #379329). - ForceCommand directive now accepts commandline arguments for the internal-sftp server (closes: #524423, LP: #362511). - Add AllowAgentForwarding to available Match keywords list (closes: #540623). - Make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE messages to avoid triggering 'Non-public channel' error messages on sshd(8) in openssh-5.1. - Avoid printing 'Non-public channel' warnings in sshd(8), since the ssh(1) has sent incorrect channel numbers since ~2004 (this reverts a behaviour introduced in openssh-5.1; closes: #496017). * Update to GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-5.2p1-gsskex-all-20090726.patch, including cascading credentials support (LP: #416958).
2010-01-01Import 5.2p1 tarballColin Watson
2009-12-21 - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]Darren Tucker
Bug #1583: Use system's kerberos principal name on AIX if it's available. Based on a patch from and tested by Miguel Sanders.
2009-12-08 - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,Darren Tucker
based on a patch from Vaclav Ovsik and Colin Watson. ok djm.
2009-10-24 - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinuxDarren Tucker
is enabled set the security context to "sftpd_t" before running the internal sftp server Based on a patch from jchadima at redhat.
2009-08-20 - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: moveDarren Tucker
the setpcred call on AIX to immediately before the permanently_set_uid(). Ensures that we still have privileges when we call chroot and pam_open_sesson. Based on a patch from David Leonard.
2009-08-17 - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: makeDarren Tucker
PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders.
2009-07-13 - (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so itDarren Tucker
fits into 16 bits to work around a bug in glibc's resolver where it masks off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
2009-03-08 - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.cDarren Tucker
auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old version of Cygwin. Patch from vinschen at redhat com.
2009-03-07 - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]Darren Tucker
EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg in openssl 0.9.6) so add an explicit test for it.