path: root/regress
Age | Commit message | Author
2007-12-24 | * New upstream release (closes: #453367). | Colin Watson
  - CVE-2007-4752: Prevent ssh(1) from using a trusted X11 cookie if creation of an untrusted cookie fails; found and fixed by Jan Pechanec (closes: #444738).
  - sshd(8) in new installations defaults to SSH Protocol 2 only. Existing installations are unchanged.
  - The SSH channel window size has been increased, and both ssh(1) and sshd(8) now send window updates more aggressively. This improves performance on high-BDP (Bandwidth Delay Product) networks.
  - ssh(1) and sshd(8) now preserve MAC contexts between packets, which saves 2 hash calls per packet and results in 12-16% speedup for arcfour256/hmac-md5.
  - A new MAC algorithm has been added, UMAC-64 (RFC4418) as "umac-64@openssh.com". UMAC-64 has been measured to be approximately 20% faster than HMAC-MD5.
  - Failure to establish a ssh(1) TunnelForward is now treated as a fatal error when the ExitOnForwardFailure option is set.
  - ssh(1) returns a sensible exit status if the control master goes away without passing the full exit status.
  - When using a ProxyCommand in ssh(1), set the outgoing hostname with gethostname(2), allowing hostbased authentication to work.
  - Make scp(1) skip FIFOs rather than hanging (closes: #246774).
  - Encode non-printing characters in scp(1) filenames. These could cause copies to be aborted with a "protocol error".
  - Handle SIGINT in sshd(8) privilege separation child process to ensure that wtmp and lastlog records are correctly updated.
  - Report GSSAPI mechanism in errors, for libraries that support multiple mechanisms.
  - Improve documentation for ssh-add(1)'s -d option.
  - Rearrange and tidy GSSAPI code, removing server-only code being linked into the client.
  - Delay execution of ssh(1)'s LocalCommand until after all forwardings have been established.
  - In scp(1), do not truncate non-regular files.
  - Improve exit message from ControlMaster clients.
  - Prevent sftp-server(8) from reading until it runs out of buffer space, whereupon it would exit with a fatal error (closes: #365541).
  - pam_end() was not being called if authentication failed (closes: #405041).
  - Manual page datestamps updated (closes: #433181).
2007-12-23 | Import OpenSSH 4.7p1. | Colin Watson
2007-06-12 | * New upstream release (closes: #395507, #397961, #420035). Important changes not previously backported to 4.3p2: | Colin Watson
  - 4.4/4.4p1 (http://www.openssh.org/txt/release-4.4):
    + On portable OpenSSH, fix a GSSAPI authentication abort that could be used to determine the validity of usernames on some platforms.
    + Implemented conditional configuration in sshd_config(5) using the "Match" directive. This allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met. So far a useful subset of post-authentication options are supported and more are expected to be added in future releases.
    + Add support for Diffie-Hellman group exchange key agreement with a final hash of SHA256.
    + Added a "ForceCommand" directive to sshd_config(5). Similar to the command="..." option accepted in ~/.ssh/authorized_keys, this forces the execution of the specified command regardless of what the user requested. This is very useful in conjunction with the new "Match" option.
    + Add a "PermitOpen" directive to sshd_config(5). This mirrors the permitopen="..." authorized_keys option, allowing fine-grained control over the port-forwardings that a user is allowed to establish.
    + Add optional logging of transactions to sftp-server(8).
    + ssh(1) will now record port numbers for hosts stored in ~/.ssh/known_hosts when a non-standard port has been requested (closes: #50612).
    + Add an "ExitOnForwardFailure" option to cause ssh(1) to exit (with a non-zero exit code) when requested port forwardings could not be established.
    + Extend sshd_config(5) "SubSystem" declarations to allow the specification of command-line arguments.
    + Replacement of all integer overflow susceptible invocations of malloc(3) and realloc(3) with overflow-checking equivalents.
    + Many manpage fixes and improvements.
    + Add optional support for OpenSSL hardware accelerators (engines), enabled using the --with-ssl-engine configure option.
    + Tokens in configuration files may be double-quoted in order to contain spaces (closes: #319639).
    + Move a debug() call out of a SIGCHLD handler, fixing a hang when the session exits very quickly (closes: #307890).
    + Fix some incorrect buffer allocation calculations (closes: #410599).
    + ssh-add doesn't ask for a passphrase if key file permissions are too liberal (closes: #103677).
    + Likewise, ssh doesn't ask either (closes: #99675).
  - 4.6/4.6p1 (http://www.openssh.org/txt/release-4.6):
    + sshd now allows the enabling and disabling of authentication methods on a per user, group, host and network basis via the Match directive in sshd_config.
    + Fixed an inconsistent check for a terminal when displaying scp progress meter (closes: #257524).
    + Fix "hang on exit" when background processes are running at the time of exit on a ttyful/login session (closes: #88337).
* Update to current GSSAPI patch from http://www.sxw.org.uk/computing/patches/openssh-4.6p1-gsskex-20070312.patch; install ChangeLog.gssapi.
2007-06-12 | Import OpenSSH 4.6p1. | Colin Watson
2007-03-21 | - (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have HAVE_GETPEERUCRED too. Also from Jan Pechanec. | Darren Tucker
2007-03-03 | - (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more general to cover newer gdb versions on HP-UX. | Darren Tucker
2006-09-08 | - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better chance of winning. | Darren Tucker
2006-07-24 | - (dtucker) [regress/forcecommand.sh] Portablize. | Darren Tucker
2006-07-24 | - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh] [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh] Sync regress tests to -current; include dtucker@'s new cfgmatch and forcecommand tests. Add cipher-speed.sh test (not linked in yet) | Damien Miller
2006-05-12 | Merge 4.3p2 to the trunk. | Colin Watson
2006-05-12 | Import OpenSSH 4.3p2. | Colin Watson
2006-03-15 | - (djm) [regress/.cvsignore] Ignore Makefile here | Damien Miller
2006-02-01 | - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to determine the user's login name - needed for regress tests on Solaris 10 and OpenSolaris | Damien Miller
2006-01-31 | - djm@cvs.openbsd.org 2006/01/31 10:36:33 [scp.sh] regress test for "scp a b c" where "c" is not a directory | Damien Miller
2006-01-31 | - djm@cvs.openbsd.org 2006/01/31 10:23:23 [scp.sh] regression test for CVE-2006-0225 written by dtucker@ | Damien Miller
2006-01-31 | - djm@cvs.openbsd.org 2006/01/27 06:49:21 [scp.sh] regress test for local to local scp copies; ok dtucker@ | Damien Miller
2006-01-31 | - dtucker@cvs.openbsd.org 2005/12/14 04:36:39 [regress/scp-ssh-wrapper.sh] Fix assumption about how many args scp will pass; ok djm@ NB. ID sync only, we already had this | Damien Miller
2006-01-31 | - grunk@cvs.openbsd.org 2005/11/14 21:25:56 [regress/agent-getpeereid.sh] all other scripts in this dir use $SUDO, not 'sudo', so pull this even ok markus@ | Damien Miller
2006-01-31 | - markus@cvs.openbsd.org 2005/06/30 11:02:37 [regress/scp.sh] allow SUDO=sudo; from Alexander Bluhm | Damien Miller
2006-01-31 | - djm@cvs.openbsd.org 2005/05/24 04:10:54 [regress/try-ciphers.sh] oops, new arcfour modes here too | Damien Miller
2006-01-31 | - djm@cvs.openbsd.org 2005/05/20 23:14:15 [regress/test-exec.sh] force addressfamily=inet for tests, unbreaking dynamic-forward regress for recently committed nc SOCKS5 changes | Damien Miller
2006-01-31 | - dtucker@cvs.openbsd.org 2005/04/25 09:54:09 [regress/multiplex.sh] Don't call cleanup in multiplex as test-exec will cleanup anyway found by tim@, ok djm@ NB. ID sync only, we already had this | Damien Miller
2006-01-31 | - dtucker@cvs.openbsd.org 2005/03/10 10:20:39 [regress/forwarding.sh] Regress test for ClearAllForwardings (bz #994); ok markus@ | Damien Miller
2005-12-14 | - dtucker@cvs.openbsd.org 2005/12/30 04:36:39 [regress/scp-ssh-wrapper.sh] Fix assumption about how many args scp will pass; ok djm@ | Darren Tucker
2005-11-28 | - (dtucker) [regress/yes-head.sh] Work around breakage caused by some versions of GNU head. Based on patch from zappaman at buraphalinux.org | Darren Tucker
2005-11-24 | - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so many and use them only once. Speeds up testing on older/slower hardware. | Darren Tucker
2005-11-12 | - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure test: if sshd takes too long to reconfigure the subsequent connection will fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready. | Darren Tucker
2005-10-03 | - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp is required in the system path for the multiplex test to work. | Darren Tucker
2005-09-14 | Merge 4.2p1 to the trunk. | Colin Watson
2005-09-14 | Import OpenSSH 4.2p1. | Colin Watson
2005-08-23 | - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully-qualified sshd pathname since some systems (eg Cygwin) may consider "/foo" and "//foo" to be different. Spotted by vinschen at redhat.com. | Darren Tucker
2005-05-30 | Merge 4.1p1 to the trunk. | Colin Watson
2005-05-30 | Import OpenSSH 4.1p1. | Colin Watson
2005-05-26 | - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on Cygwin. | Darren Tucker
2005-05-25 | Merge 4.0p1 to the trunk. | Colin Watson
2005-04-25 | - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running "make tests" works even if you're building on a filesystem that doesn't support sockets. From deengert at anl.gov, ok djm@ | Darren Tucker
2005-04-25 | - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh will clean up anyway. From tim@ | Darren Tucker
2005-04-25 | - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the existence of a process since it's more portable. Found by jbasney at ncsa.uiuc.edu; ok tim@ | Darren Tucker
2005-03-14 | 20050312 - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug output ends up in the client's output, causing regress failures. Found by Corinna Vinschen. (got 4.0 branch and HEAD slightly askew, this is to resync) | Darren Tucker
2005-03-10 | Import OpenSSH 4.0p1. | Colin Watson
2005-03-09 | - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64 so that regress tests behave. From Chris Adams. | Darren Tucker
2005-03-07 | - (dtucker) [regress/test-exec.sh] Put SUDO in the right place. | Darren Tucker
2005-03-07 | - djm@cvs.openbsd.org 2005/03/04 08:48:46 [Makefile envpass.sh] regress test for SendEnv config parsing bug; ok dtucker@ | Darren Tucker
2005-03-07 | - djm@cvs.openbsd.org 2005/02/27 23:13:36 [login-timeout.sh] avoid nameservice lookups in regress test; ok dtucker@ | Darren Tucker
2005-03-07 | - dtucker@cvs.openbsd.org 2005/02/27 11:33:30 [multiplex.sh test-exec.sh sshd-log-wrapper.sh] Add optional capability to log output from regress commands; ok markus@ Use with: make TEST_SSH_LOGFILE=/tmp/regress.log | Darren Tucker
2005-03-07 | - david@cvs.openbsd.org 2005/01/14 04:21:18 [Makefile test-exec.sh] pass the SUDO make variable to the individual sh tests; ok dtucker@ markus@ | Darren Tucker
2005-03-07 | - fgsch@cvs.openbsd.org 2004/12/10 01:31:30 [Makefile sftp-glob.sh] some globbing regress; prompted and ok djm@ | Darren Tucker
2005-03-07 | - (dtucker) OpenBSD CVS Sync (regress/) - fgsch@cvs.openbsd.org 2004/12/10 01:31:30 [Makefile] some globbing regress; prompted and ok djm@ | Darren Tucker
2005-03-02 | - (tim) [regress/agent-ptrace.sh] add another possible gdb error. | Tim Rice
2005-02-08 | - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the regress tests so newer versions of GNU head(1) behave themselves. Patch by djm, so ok me. | Darren Tucker