andersk Git - gssapi-openssh.git/blame - openssh/ChangeLog
Import of OpenSSH 5.2p1

20090223
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2009/02/22 23:50:57
     [ssh_config.5 sshd_config.5]
     don't advertise experimental options
   - djm@cvs.openbsd.org 2009/02/22 23:59:25
     [sshd_config.5]
     missing period
   - djm@cvs.openbsd.org 2009/02/23 00:06:15
     [version.h]
     openssh-5.2
 - (djm) [README] update for 5.2
 - (djm) Release openssh-5.2p1

20090222
 - (djm) OpenBSD CVS Sync
   - tobias@cvs.openbsd.org 2009/02/21 19:32:04
     [misc.c sftp-server-main.c ssh-keygen.c]
     Added missing newlines in error messages.
     ok dtucker

20090221
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2009/02/17 01:28:32
     [ssh_config]
     sync with revised default ciphers; pointed out by dkrause@
   - djm@cvs.openbsd.org 2009/02/18 04:31:21
     [schnorr.c]
     signature should hash over the entire group, not just the generator
     (this is still disabled code)
 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Prepare for 5.2p1

20090216
 - (djm) [regress/conch-ciphers.sh regress/putty-ciphers.sh]
   [regress/putty-kex.sh regress/putty-transfer.sh] Downgrade disabled
   interop tests from FATAL error to a warning. Allows some interop
   tests to proceed if others are missing necessary prerequisites.
 - (djm) [configure.ac] support GNU/kFreeBSD and GNU/kOpensolaris
   systems; patch from Aurelien Jarno via rmh AT aybabtu.com

20090214
 - (djm) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2009/02/02 11:15:14
     [sftp.c]
     Initialize a few variables to prevent spurious "may be used
     uninitialized" warnings from newer gcc's. ok djm@
   - djm@cvs.openbsd.org 2009/02/12 03:00:56
     [canohost.c canohost.h channels.c channels.h clientloop.c readconf.c]
     [readconf.h serverloop.c ssh.c]
     support remote port forwarding with a zero listen port (-R0:...) to
     dynamically allocate a listen port at runtime (this is actually
     specified in rfc4254); bz#1003 ok markus@
   - djm@cvs.openbsd.org 2009/02/12 03:16:01
     [serverloop.c]
     tighten check for -R0:... forwarding: only allow dynamic allocation
     if want_reply is set in the packet
   - djm@cvs.openbsd.org 2009/02/12 03:26:22
     [monitor.c]
     some paranoia: check that the serialised key is really KEY_RSA before
     diddling its internals
   - djm@cvs.openbsd.org 2009/02/12 03:42:09
     [ssh.1]
     document -R0:... usage
   - djm@cvs.openbsd.org 2009/02/12 03:44:25
     [ssh.1]
     consistency: Dq => Ql
   - djm@cvs.openbsd.org 2009/02/12 03:46:17
     [ssh_config.5]
     document RemoteForward usage with 0 listen port
   - jmc@cvs.openbsd.org 2009/02/12 07:34:20
     [ssh_config.5]
     kill trailing whitespace;
   - markus@cvs.openbsd.org 2009/02/13 11:50:21
     [packet.c]
     check for enc != NULL in packet_start_discard
   - djm@cvs.openbsd.org 2009/02/14 06:35:49
     [PROTOCOL]
     mention that eow and no-more-sessions extensions are sent only to
     OpenSSH peers

20090212
 - (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically
   set ownership and modes, so avoid explicitly setting them
 - (djm) [configure.ac loginrec.c] bz#1421: fix lastlog support for OSX.
   OSX provides a getlastlogxbyname function that automates the reading of
   a lastlog file. Also, the pututxline function will update lastlog so
   there is no need for loginrec.c to do it explicitly. Collapse some
   overly verbose code while I'm in there.

20090201
 - (dtucker) [defines.h sshconnect.c] INET6_ADDRSTRLEN is now needed in
   channels.c too, so move the definition for non-IP6 platforms to defines.h
   where it can be shared.

20090129
 - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen.
   If the CYGWIN environment variable is empty, the installer script
   should not install the service with an empty CYGWIN variable, but
   rather without setting CYGWIN entirely.
 - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes.

20090128
 - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen.
   Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x.
   The information given for the setting of the CYGWIN environment variable
   is wrong for both releases so I just removed it, together with the
   unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting.

20081228
 - (djm) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2008/12/09 03:20:42
     [channels.c servconf.c]
     channel_print_adm_permitted_opens() should deal with all the printing
     for that config option. suggested by markus@; ok markus@ djm@
     dtucker@
   - djm@cvs.openbsd.org 2008/12/09 04:32:22
     [auth2-chall.c]
     replace by-hand string building with xasprintf(); ok deraadt@
   - sobrado@cvs.openbsd.org 2008/12/09 15:35:00
     [sftp.1 sftp.c]
     update for the synopses displayed by the 'help' command, there are a
     few missing flags; add 'bye' to the output of 'help'; sorting and spacing.
     jmc@ suggested replacing .Oo/.Oc with a single .Op macro.
     ok jmc@
   - stevesk@cvs.openbsd.org 2008/12/09 22:37:33
     [clientloop.c]
     fix typo in error message
   - stevesk@cvs.openbsd.org 2008/12/10 03:55:20
     [addrmatch.c]
     o cannot be NULL here but use xfree() to be consistent; ok djm@
   - stevesk@cvs.openbsd.org 2008/12/29 01:12:36
     [ssh-keyscan.1]
     fix example, default key type is rsa for 3+ years; from
     frederic.perrin@resel.fr
   - stevesk@cvs.openbsd.org 2008/12/29 02:23:26
     [pathnames.h]
     no need to escape single quotes in comments
   - okan@cvs.openbsd.org 2008/12/30 00:46:56
     [sshd_config.5]
     add AllowAgentForwarding to available Match keywords list
     ok djm
   - djm@cvs.openbsd.org 2009/01/01 21:14:35
     [channels.c]
     call channel destroy callbacks on receipt of open failure messages.
     fixes client hangs when connecting to a server that has MaxSessions=0
     set; spotted by imorgan AT nas.nasa.gov; ok markus@
   - djm@cvs.openbsd.org 2009/01/01 21:17:36
     [kexgexs.c]
     fix hash calculation for KEXGEX: hash over the original client-supplied
     values and not the sanity checked versions that we actually use;
     bz#1540 reported by john.smith AT arrows.demon.co.uk
     ok markus@
   - djm@cvs.openbsd.org 2009/01/14 01:38:06
     [channels.c]
     support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
     "looks ok" markus@
   - stevesk@cvs.openbsd.org 2009/01/15 17:38:43
     [readconf.c]
     1) use obsolete instead of alias for consistency
     2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is
        so move the comment.
     3) reorder so like options are together
     ok djm@
   - djm@cvs.openbsd.org 2009/01/22 09:46:01
     [channels.c channels.h session.c]
     make Channel->path an allocated string, saving a few bytes here and
     there and fixing bz#1380 in the process; ok markus@
   - djm@cvs.openbsd.org 2009/01/22 09:49:57
     [channels.c]
     oops! I committed the wrong version of the Channel->path diff,
     it was missing some tweaks suggested by stevesk@
   - djm@cvs.openbsd.org 2009/01/22 10:02:34
     [clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h]
     [serverloop.c ssh-keyscan.c ssh.c sshd.c]
     make a2port() return -1 when it encounters an invalid port number
     rather than 0, which it will now treat as valid (needed for future work)
     adjust current consumers of a2port() to check its return value is <= 0,
     which in turn required some things to be converted from u_short => int
     make use of int vs. u_short consistent in some other places too
     feedback & ok markus@
   - djm@cvs.openbsd.org 2009/01/22 10:09:16
     [auth-options.c]
     another chunk of a2port() diff that got away. wtfdjm??
   - djm@cvs.openbsd.org 2009/01/23 07:58:11
     [myproposal.h]
     prefer CTR modes and revised arcfour (i.e. w/ discard) modes to CBC
     modes; ok markus@
   - naddy@cvs.openbsd.org 2009/01/24 17:10:22
     [ssh_config.5 sshd_config.5]
     sync list of preferred ciphers; ok djm@
   - markus@cvs.openbsd.org 2009/01/26 09:58:15
     [cipher.c cipher.h packet.c]
     Work around the CPNI-957037 Plaintext Recovery Attack by always
     reading 256K of data on packet size or HMAC errors (in CBC mode only).
     Help, feedback and ok djm@
     Feedback from Martin Albrecht and Paterson Kenny
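
The port-parsing contract in the 2009/01/22 entry above (a2port() returns -1 for an invalid port, 0 is now a valid value, and consumers that need a real port check for <= 0), together with the -R0:... rule from the 2009/02/12 serverloop.c entry (a zero listen port may be allocated at runtime only when want_reply is set), as an added C example. This is not OpenSSH's own a2port(); the example_* functions are this example's own names and the two consumers are a model of the policy the entries describe:

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

/* Parse a decimal port string. Returns -1 for anything that is not a
 * well-formed number in 0..65535; a literal "0" returns 0, which callers
 * may accept or reject depending on what a zero port means to them.
 * (Example code; OpenSSH's real a2port() lives in misc.c.) */
int example_a2port(const char *s)
{
    char *end;
    long v;

    /* Reject empty input and anything strtol() would silently tolerate
     * such as leading blanks or an explicit sign. */
    if (s == NULL || *s == '\0' || !isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0')     /* overflow, or trailing junk ("22x") */
        return -1;
    if (v > 65535)
        return -1;
    return (int)v;
}

/* Consumer that needs a real port (a forward's destination, for instance):
 * per the entry, a return value <= 0 is an error here, so 0 and -1 are
 * both rejected. Returns the port or -1. */
int example_destination_port(const char *s)
{
    int p = example_a2port(s);

    return p <= 0 ? -1 : p;
}

/* Consumer modelling the -R listen side: 0 means "allocate at runtime",
 * and the serverloop.c entry only permits that when the request carried
 * want_reply (the chosen port has to be sent back in the reply).
 * Returns the listen port (0 = allocate later) or -1 on rejection. */
int example_remote_listen_port(const char *s, int want_reply)
{
    int p = example_a2port(s);

    if (p < 0)
        return -1;
    if (p == 0 && !want_reply)
        return -1;
    return p;
}
```

The property worth keeping in mind is that a caller can no longer confuse an unparsable string with a request for dynamic allocation: "22x" and "0" return different values, whereas a parser that signals errors with 0 would hand both to the forwarding code as the same thing.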

20090107
 - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X.
   Patch based on one from vgiffin AT apple.com; ok dtucker@
 - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via
   launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked;
   ok dtucker@
 - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make
   ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity"
   key). Patch from cjwatson AT debian.org

20090107
 - (tim) [configure.ac defines.h openbsd-compat/port-uw.c
   openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI.
   OK djm@ dtucker@
 - (tim) [configure.ac] Move check_for_libcrypt_later=1 in *-*-sysv5*) section.
   OpenServer 6 doesn't need libcrypt.

20081209
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/12/09 02:38:18
     [clientloop.c]
     The ~C escape handler does not work correctly for multiplexed sessions -
     it opens a commandline on the master session, instead of on the slave
     that requested it. Disable it on slave sessions until such time as it
     is fixed; bz#1543 report from Adrian Bridgett via Colin Watson
     ok markus@
   - djm@cvs.openbsd.org 2008/12/09 02:39:59
     [sftp.c]
     Deal correctly with failures in remote stat() operation in sftp,
     correcting fail-on-error behaviour in batchmode. bz#1541 report and
     fix from anedvedicky AT gmail.com; ok markus@
   - djm@cvs.openbsd.org 2008/12/09 02:58:16
     [readconf.c]
     don't leave junk (free'd) pointers around in Forward *fwd argument on
     failure; avoids double-free in ~C -L handler when given an invalid
     forwarding specification; bz#1539 report from adejong AT debian.org
     via Colin Watson; ok markus@ dtucker@
   - djm@cvs.openbsd.org 2008/12/09 03:02:37
     [sftp.1 sftp.c]
     correct sftp(1) and corresponding usage syntax;
     bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@

20081208
 - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually
   use some stack in main().
   Report and suggested fix from vapier AT gentoo.org
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2008/12/02 19:01:07
     [clientloop.c]
     we have to use the recipient's channel number (RFC 4254) for
     SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages,
     otherwise we trigger 'Non-public channel' error messages on sshd
     systems with clientkeepalive enabled; noticed by sturm; ok djm;
   - markus@cvs.openbsd.org 2008/12/02 19:08:59
     [serverloop.c]
     backout 1.149, since it's not necessary and openssh clients send
     broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@
   - markus@cvs.openbsd.org 2008/12/02 19:09:38
     [channels.c]
     s/remote_id/id/ to be more consistent with other code; ok djm@

20081201
 - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files
   and tweak the is-sshd-running check in ssh-host-config. Patch from
   vinschen at redhat com.
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2008/11/21 15:47:38
     [packet.c]
     packet_disconnect() on padding error, too. should reduce the success
     probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
     ok djm@
   - dtucker@cvs.openbsd.org 2008/11/30 11:59:26
     [monitor_fdpass.c]
     Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@

20081123
 - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some
   declarations, removing an unnecessary union member and adding whitespace.
   cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago.

20081118
 - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id
   member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and
   feedback by djm@

20081111
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2008/11/05 11:22:54
     [servconf.c]
     passord -> password;
     fixes user/5975 from Rene Maroufi
   - stevesk@cvs.openbsd.org 2008/11/07 00:42:12
     [ssh-keygen.c]
     spelling/typo in comment
   - stevesk@cvs.openbsd.org 2008/11/07 18:50:18
     [nchan.c]
     add space to some log/debug messages for readability; ok djm@ markus@
   - dtucker@cvs.openbsd.org 2008/11/07 23:34:48
     [auth2-jpake.c]
     Move JPAKE define to make life easier for portable. ok djm@
   - tobias@cvs.openbsd.org 2008/11/09 12:34:47
     [session.c ssh.1]
     typo fixed (overriden -> overridden)
     ok espie, jmc
   - stevesk@cvs.openbsd.org 2008/11/11 02:58:09
     [servconf.c]
     USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
     kerberosgetafstoken. ok dtucker@
     (Id sync only, we still want the ifdef in portable)
   - stevesk@cvs.openbsd.org 2008/11/11 03:55:11
     [channels.c]
     for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
     permitopen's; ok and input dtucker@
   - djm@cvs.openbsd.org 2008/11/10 02:06:35
     [regress/putty-ciphers.sh]
     PuTTY supports AES CTR modes, so interop test against them too

20081105
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/11/03 08:59:41
     [servconf.c]
     include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov
   - djm@cvs.openbsd.org 2008/11/04 07:58:09
     [auth.c]
     need unistd.h for close() prototype
     (ID sync only)
   - djm@cvs.openbsd.org 2008/11/04 08:22:13
     [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
     [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
     [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
     [Makefile.in]
     Add support for an experimental zero-knowledge password authentication
     method using the J-PAKE protocol described in F. Hao, P. Ryan,
     "Password Authenticated Key Exchange by Juggling", 16th Workshop on
     Security Protocols, Cambridge, April 2008.

     This method allows password-based authentication without exposing
     the password to the server. Instead, the client and server exchange
     cryptographic proofs to demonstrate knowledge of the password while
     revealing nothing useful to an attacker or compromised endpoint.

     This is experimental, work-in-progress code and is presently
     compile-time disabled (turn on -DJPAKE in Makefile.inc).

     "just commit it. It isn't too intrusive." deraadt@
   - stevesk@cvs.openbsd.org 2008/11/04 19:18:00
     [readconf.c]
     because parse_forward() is now used to parse all forward types (DLR),
     and it malloc's space for host variables, we don't need to malloc
     here. fixes small memory leaks.

     previously dynamic forwards were not parsed in parse_forward() and
     space was not malloc'd in that case.

     ok djm@
   - stevesk@cvs.openbsd.org 2008/11/05 03:23:09
     [clientloop.c ssh.1]
     add dynamic forward escape command line; ok djm@

20081103
 - OpenBSD CVS Sync
   - sthen@cvs.openbsd.org 2008/07/24 23:55:30
     [ssh-keygen.1]
     Add "ssh-keygen -F -l" to synopsis (displays fingerprint from
     known_hosts). ok djm@
   - grunk@cvs.openbsd.org 2008/07/25 06:56:35
     [ssh_config]
     Add VisualHostKey to example file, ok djm@
   - grunk@cvs.openbsd.org 2008/07/25 07:05:16
     [key.c]
     In random art visualization, make sure to use the end marker only at the
     end. Initial diff by Dirk Loss, tweaks and ok djm@
   - markus@cvs.openbsd.org 2008/07/31 14:48:28
     [sshconnect2.c]
     don't allocate space for empty banners; report t8m at centrum.cz;
     ok deraadt
   - krw@cvs.openbsd.org 2008/08/02 04:29:51
     [ssh_config.5]
     whitepsace -> whitespace. From Matthew Clarke via bugs@.
   - djm@cvs.openbsd.org 2008/08/21 04:09:57
     [session.c]
     allow ForceCommand internal-sftp with arguments. based on patch from
     michael.barabanov AT gmail.com; ok markus@
   - djm@cvs.openbsd.org 2008/09/06 12:24:13
     [kex.c]
     OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
     replacement anymore
     (ID sync only for portable - we still need this)
   - markus@cvs.openbsd.org 2008/09/11 14:22:37
     [compat.c compat.h nchan.c ssh.c]
     only send eow and no-more-sessions requests to openssh 5 and newer;
     fixes interop problems with broken ssh v2 implementations; ok djm@
   - millert@cvs.openbsd.org 2008/10/02 14:39:35
     [session.c]
     Convert an unchecked strdup to xstrdup. OK deraadt@
   - jmc@cvs.openbsd.org 2008/10/03 13:08:12
     [sshd.8]
     do not give an example of how to chmod files: we can presume the user
     knows that. removes an ambiguity in the permission of authorized_keys;
     ok deraadt
   - deraadt@cvs.openbsd.org 2008/10/03 23:56:28
     [sshconnect2.c]
     Repair strnvis() buffersize of 4*n+1, with termination guaranteed by the
     function.
     spotted by des@freebsd, who committed an incorrect fix to the freebsd tree
     and (as is fairly typical) did not report the problem to us. But this fix
     is correct.
     ok djm
   - djm@cvs.openbsd.org 2008/10/08 23:34:03
     [ssh.1 ssh.c]
     Add -y option to force logging via syslog rather than stderr.
     Useful for daemonised ssh connection (ssh -f). Patch originally from
     and ok'd by markus@
   - djm@cvs.openbsd.org 2008/10/09 03:50:54
     [servconf.c sshd_config.5]
     support setting PermitEmptyPasswords in a Match block
     requested in PR3891; ok dtucker@
   - jmc@cvs.openbsd.org 2008/10/09 06:54:22
     [ssh.c]
     add -y to usage();
   - stevesk@cvs.openbsd.org 2008/10/10 04:55:16
     [scp.c]
     spelling in comment; ok djm@
   - stevesk@cvs.openbsd.org 2008/10/10 05:00:12
     [key.c]
     typo in error message; ok djm@
   - stevesk@cvs.openbsd.org 2008/10/10 16:43:27
     [ssh_config.5]
     use 'Privileged ports can be forwarded only when logging in as root on
     the remote machine.' for RemoteForward just like ssh.1 -R.
     ok djm@ jmc@
   - stevesk@cvs.openbsd.org 2008/10/14 18:11:33
     [sshconnect.c]
     use #define ROQUIET here; no binary change. ok dtucker@
   - stevesk@cvs.openbsd.org 2008/10/17 18:36:24
     [ssh_config.5]
     correct and clarify VisualHostKey; ok jmc@
   - stevesk@cvs.openbsd.org 2008/10/30 19:31:16
     [clientloop.c sshd.c]
     don't need to #include "monitor_fdpass.h"
   - stevesk@cvs.openbsd.org 2008/10/31 15:05:34
     [dispatch.c]
     remove unused #define DISPATCH_MIN; ok markus@
   - djm@cvs.openbsd.org 2008/11/01 04:50:08
     [sshconnect2.c]
     sprinkle ARGSUSED on dispatch handlers
     nuke stale unused prototype
   - stevesk@cvs.openbsd.org 2008/11/01 06:43:33
     [channels.c]
     fix some typos in log messages; ok djm@
   - sobrado@cvs.openbsd.org 2008/11/01 11:14:36
     [ssh-keyscan.1 ssh-keyscan.c]
     the ellipsis is not an optional argument; while here, improve spacing.
   - stevesk@cvs.openbsd.org 2008/11/01 17:40:33
     [clientloop.c readconf.c readconf.h ssh.c]
     merge dynamic forward parsing into parse_forward();
     'i think this is OK' djm@
   - stevesk@cvs.openbsd.org 2008/11/02 00:16:16
     [ttymodes.c]
     protocol 2 tty modes support is now 7.5 years old so remove these
     debug3()s; ok deraadt@
   - stevesk@cvs.openbsd.org 2008/11/03 01:07:02
     [readconf.c]
     remove valueless comment
   - stevesk@cvs.openbsd.org 2008/11/03 02:44:41
     [readconf.c]
     fix comment
 - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd]
   Make example scripts generate keys with default sizes rather than fixed,
   non-default 1024 bits; patch from imorgan AT nas.nasa.gov
 - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam]
   [contrib/redhat/sshd.pam] Move pam_nologin to account group from
   incorrect auth group in example files;
   patch from imorgan AT nas.nasa.gov

20080906
 - (dtucker) [config.guess config.sub] Update to latest versions from
   http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16
   respectively).

20080830
 - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs
   larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch
   from Nicholas Marriott.

20080721
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/07/23 07:36:55
     [servconf.c]
     do not try to print options that have been compile-time disabled
     in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
     ok dtucker@
 - (djm) [servconf.c] Print UsePAM option in config test mode (when it
   has been compiled in); report from nix-corp AT esperi.org.uk
   ok dtucker@

20080721
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2008/07/18 22:51:01
     [sftp-server.8]
     no need for .Pp before or after .Sh;
   - djm@cvs.openbsd.org 2008/07/21 08:19:07
     [version.h]
     openssh-5.1
 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Update version number in README and RPM specs
 - (djm) Release OpenSSH-5.1

20080717
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/07/17 08:48:00
     [sshconnect2.c]
     strnvis preauth banner; pointed out by mpf@ ok markus@
   - djm@cvs.openbsd.org 2008/07/17 08:51:07
     [auth2-hostbased.c]
     strip trailing '.' from hostname when HostbasedUsesNameFromPacketOnly=yes
     report and patch from res AT qoxp.net (bz#1200); ok markus@
 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Remove long-unneeded compat
   code, replace with equivalent cygwin library call. Patch from vinschen
   at redhat.com, ok djm@.
 - (djm) [sshconnect2.c] vis.h isn't available everywhere

20080716
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/07/15 02:23:14
     [sftp.1]
     number of pipelined requests is now 64;
     prodded by Iain.Morgan AT nasa.gov
   - djm@cvs.openbsd.org 2008/07/16 11:51:14
     [clientloop.c]
     rename variable first_gc -> last_gc (since it is actually the last
     in the list).
   - djm@cvs.openbsd.org 2008/07/16 11:52:19
     [channels.c]
     this loop index should be automatic, not static

20080714
 - (djm) OpenBSD CVS Sync
   - sthen@cvs.openbsd.org 2008/07/13 21:22:52
     [ssh-keygen.c]
     Change "ssh-keygen -F [host] -l" to not display random art unless
     -v is also specified, making it consistent with the manual and other
     uses of -l.
     ok grunk@
   - djm@cvs.openbsd.org 2008/07/13 22:13:07
     [channels.c]
     use struct sockaddr_storage instead of struct sockaddr for accept(2)
     address argument. from visibilis AT yahoo.com in bz#1485; ok markus@
   - djm@cvs.openbsd.org 2008/07/13 22:16:03
     [sftp.c]
     increase number of pipelined requests so they properly fill the
     (recently increased) channel window. prompted by rapier AT psc.edu;
     ok markus@
   - djm@cvs.openbsd.org 2008/07/14 01:55:56
     [sftp-server.8]
     mention requirement for /dev/log inside chroot when using sftp-server
     with ChrootDirectory
 - (djm) [openbsd-compat/bindresvport.c] Rename variables s/sin/in/ to
   avoid clash with sin(3) function; reported by
   cristian.ionescu-idbohrn AT axis.com
 - (djm) [openbsd-compat/rresvport.c] Add unistd.h for missing close()
   prototype; reported by cristian.ionescu-idbohrn AT axis.com
 - (djm) [umac.c] Rename variable s/buffer_ptr/bufp/ to avoid clash;
   reported by cristian.ionescu-idbohrn AT axis.com
 - (djm) [contrib/cygwin/Makefile contrib/cygwin/ssh-host-config]
   [contrib/cygwin/ssh-user-config contrib/cygwin/sshd-inetd]
   Revamped and simplified Cygwin ssh-host-config script that uses
   unified csih configuration tool. Requires recent Cygwin.
   Patch from vinschen AT redhat.com

20080712
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/07/12 04:52:50
     [channels.c]
     unbreak; move clearing of cctx struct to before first use
     reported by dkrause@
   - djm@cvs.openbsd.org 2008/07/12 05:33:41
     [scp.1]
     better description for -i flag:
     s/RSA authentication/public key authentication/
 - (djm) [openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h]
   return EAI_FAMILY when trying to lookup unsupported address family;
   from vinschen AT redhat.com

20080711
 - (djm) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2008/07/07 00:31:41
     [ttymodes.c]
     we don't need arg after the debug3() was removed. from lint.
     ok djm@
   - stevesk@cvs.openbsd.org 2008/07/07 23:32:51
     [key.c]
     /*NOTREACHED*/ for lint warning:
     warning: function key_equal falls off bottom without returning value
     ok djm@
   - markus@cvs.openbsd.org 2008/07/10 18:05:58
     [channels.c]
     missing bzero; from mickey; ok djm@
   - markus@cvs.openbsd.org 2008/07/10 18:08:11
     [clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c]
     sync v1 and v2 traffic accounting; add it to sshd, too;
     ok djm@, dtucker@

20080709
 - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass
 - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM
   account check failure path. The vulnerable format buffer is supplied
   from PAM and should not contain attacker-supplied data.
 - (djm) [auth.c] Missing unistd.h for close()
 - (djm) [configure.ac] Add -Wformat-security to CFLAGS for gcc 3.x and 4.x

20080705
 - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed
   passwords disabled. bz#1083 report & patch from senthilkumar_sen AT
   hotpop.com, w/ dtucker@
 - (djm) [atomicio.c configure.ac] Disable poll() fallback in atomiciov for
   Tru64. readv doesn't seem to be a comparable object there.
   bz#1386, patch from dtucker@ ok me
 - (djm) [Makefile.in] Pass through pass to conch for interop tests
 - (djm) [configure.ac] unbreak: remove extra closing brace
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/07/04 23:08:25
     [packet.c]
     handle EINTR in packet_write_poll(); ok dtucker@
   - djm@cvs.openbsd.org 2008/07/04 23:30:16
     [auth1.c auth2.c]
     Make protocol 1 MaxAuthTries logic match protocol 2's.
     Do not treat the first protocol 2 authentication attempt as
     a failure IFF it is for method "none".
     Makes MaxAuthTries' user-visible behaviour identical for
     protocol 1 vs 2.
     ok dtucker@
   - djm@cvs.openbsd.org 2008/07/05 05:16:01
     [PROTOCOL]
     grammar

20080704
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/07/02 13:30:34
     [auth2.c]
     really really remove the freebie "none" auth try for protocol 2
   - djm@cvs.openbsd.org 2008/07/02 13:47:39
     [ssh.1 ssh.c]
     When forking after authentication ("ssh -f") with ExitOnForwardFailure
     enabled, delay the fork until after replies for any -R forwards have
     been seen. Allows for robust detection of -R forward failure when
     using -f (similar to bz#92); ok dtucker@
   - otto@cvs.openbsd.org 2008/07/03 21:46:58
     [auth2-pubkey.c]
     avoid nasty double free; ok dtucker@ djm@
   - djm@cvs.openbsd.org 2008/07/04 03:44:59
     [servconf.c groupaccess.h groupaccess.c]
     support negation of groups in "Match group" block (bz#1315); ok dtucker@
   - dtucker@cvs.openbsd.org 2008/07/04 03:47:02
     [monitor.c]
     Make debug a little clearer. ok djm@
   - djm@cvs.openbsd.org 2008/06/30 08:07:34
     [regress/key-options.sh]
     shell portability: use "=" instead of "==" in test(1) expressions,
     double-quote string with backslash escaped /
   - djm@cvs.openbsd.org 2008/06/30 10:31:11
     [regress/{putty-transfer,putty-kex,putty-ciphers}.sh]
     remove "set -e" left over from debugging
   - djm@cvs.openbsd.org 2008/06/30 10:43:03
     [regress/conch-ciphers.sh]
     explicitly disable conch options that could interfere with the test
 - (dtucker) [sftp-server.c] Bug #1447: fall back to racy rename if link
   returns EXDEV. Patch from Mike Garrison, ok djm@
 - (djm) [atomicio.c channels.c clientloop.c defines.h includes.h]
   [packet.c scp.c serverloop.c sftp-client.c ssh-agent.c ssh-keyscan.c]
   [sshd.c] Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on
   some platforms (HP nonstop) it is a distinct errno;
   bz#1467 reported by sconeu AT yahoo.com; ok dtucker@

20080702
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2008/06/30 08:05:59
     [PROTOCOL.agent]
     typo: s/constraint_date/constraint_data/
   - djm@cvs.openbsd.org 2008/06/30 12:15:39
     [serverloop.c]
     only pass channel requests on session channels through to the session
     channel handler, avoiding spurious log messages; ok! markus@
   - djm@cvs.openbsd.org 2008/06/30 12:16:02
     [nchan.c]
     only send eow@openssh.com notifications for session channels; ok! markus@
   - djm@cvs.openbsd.org 2008/06/30 12:18:34
     [PROTOCOL]
     clarify that eow@openssh.com is only sent on session channels
   - dtucker@cvs.openbsd.org 2008/07/01 07:20:52
     [sshconnect.c]
     Check ExitOnForwardFailure if forwardings are disabled due to a failed
     host key check. ok djm@
   - dtucker@cvs.openbsd.org 2008/07/01 07:24:22
     [sshconnect.c sshd.c]
     Send CR LF during protocol banner exchanges, but only for Protocol 2,
     in order to comply with RFC 4253. bz #1443, ok djm@
   - stevesk@cvs.openbsd.org 2008/07/01 23:12:47
     [PROTOCOL.agent]
     fix some typos; ok djm@
   - djm@cvs.openbsd.org 2008/07/02 02:24:18
     [sshd_config sshd_config.5 sshd.8 servconf.c]
     increase default size of ssh protocol 1 ephemeral key from 768 to 1024
     bits; prodded by & ok dtucker@ ok deraadt@
   - dtucker@cvs.openbsd.org 2008/07/02 12:03:51
     [auth-rsa.c auth.c auth2-pubkey.c auth.h]
     Merge duplicate host key file checks, based in part on a patch from Rob
     Holland via bz #1348. Also checks for non-regular files during protocol
     1 RSA auth. ok djm@
   - djm@cvs.openbsd.org 2008/07/02 12:36:39
     [auth2-none.c auth2.c]
     Make protocol 2 MaxAuthTries behaviour a little more sensible:
     Check whether client has exceeded MaxAuthTries before running
     an authentication method and skip it if they have, previously it
     would always allow one try (for "none" auth).
     Preincrement failure count before post-auth test - previously this
     checked and postincremented, also to allow one "none" try.
     Together, these two changes always count the "none" auth method
     which could be skipped by a malicious client (e.g. an SSH worm)
     to get an extra attempt at a real auth method. They also make
     MaxAuthTries=0 a useful way to block users entirely (esp. in a
     sshd_config Match block).
     Also, move sending of any preauth banner from "none" auth method
     to the first call to input_userauth_request(), so worms that skip
     the "none" method get to see it too.

20080630
 - (djm) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2008/06/10 23:13:43
     [regress/Makefile regress/key-options.sh]
     Add regress test for key options. ok djm@
   - dtucker@cvs.openbsd.org 2008/06/11 23:11:40
     [regress/Makefile]
     Don't run cipher-speed test by default; mistakenly enabled by me
   - djm@cvs.openbsd.org 2008/06/28 13:57:25
     [regress/Makefile regress/test-exec.sh regress/conch-ciphers.sh]
     very basic regress test against Twisted Conch in "make interop"
     target (conch is available in ports/devel/py-twisted/conch);
     ok markus@
 - (djm) [regress/Makefile] search for conch by path, like we do putty

20080629
 - (djm) OpenBSD CVS Sync
   - martynas@cvs.openbsd.org 2008/06/21 07:46:46
     [sftp.c]
     use optopt to get invalid flag, instead of return value of getopt,
     which is always '?'; ok djm@
   - otto@cvs.openbsd.org 2008/06/25 11:13:43
     [key.c]
     add key length to visual fingerprint; zap magical constants;
     ok grunk@ djm@
   - djm@cvs.openbsd.org 2008/06/26 06:10:09
     [sftp-client.c sftp-server.c]
     allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky
     bits. Note that this only affects explicit setting of modes (e.g. via
     sftp(1)'s chmod command) and not file transfers. (bz#1310)
     ok deraadt@ at c2k8
   - djm@cvs.openbsd.org 2008/06/26 09:19:40
     [dh.c dh.h moduli.c]
     when loading moduli from /etc/moduli in sshd(8), check that they
     are of the expected "safe prime" structure and have had
     appropriate primality tests performed;
     feedback and ok dtucker@
   - grunk@cvs.openbsd.org 2008/06/26 11:46:31
     [readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c]
     Move SSH Fingerprint Visualization away from sharing the config option
     CheckHostIP to its own config option named VisualHostKey.
     While there, fix the behaviour that ssh would draw a random art picture
     on every newly seen host even when the option was not enabled.
     prodded by deraadt@, discussions,
     help and ok markus@ djm@ dtucker@
   - jmc@cvs.openbsd.org 2008/06/26 21:11:46
     [ssh.1]
     add VisualHostKey to the list of options listed in -o;
   - djm@cvs.openbsd.org 2008/06/28 07:25:07
     [PROTOCOL]
     spelling fixes
   - djm@cvs.openbsd.org 2008/06/28 13:58:23
     [ssh-agent.c]
     refuse to add a key that has unknown constraints specified;
     ok markus
   - djm@cvs.openbsd.org 2008/06/28 14:05:15
     [ssh-agent.c]
     reset global compat flag after processing a protocol 2 signature
     request with the legacy DSA encoding flag set; ok markus
   - djm@cvs.openbsd.org 2008/06/28 14:08:30
     [PROTOCOL PROTOCOL.agent]
     document the protocol used by ssh-agent; "looks ok" markus@
78820080628
789 - (djm) [RFC.nroff contrib/cygwin/Makefile contrib/suse/openssh.spec]
790 RFC.nroff lacks a license, remove it (it is long gone in OpenBSD).
791
79220080626
793 - (djm) [Makefile.in moduli.5] Include moduli(5) manpage from OpenBSD.
794 (bz#1372)
795 - (djm) [ contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
796 [contrib/suse/openssh.spec] Include moduli.5 in RPM spec files.
797
79820080616
799 - (dtucker) OpenBSD CVS Sync
800 - dtucker@cvs.openbsd.org 2008/06/16 13:22:53
801 [session.c channels.c]
802 Rename the isatty argument to is_tty so we don't shadow
803 isatty(3). ok markus@
804 - (dtucker) [channels.c] isatty -> is_tty here too.
805
80620080615
807 - (dtucker) [configure.ac] Enable -fno-builtin-memset when using gcc.
808 - OpenBSD CVS Sync
809 - dtucker@cvs.openbsd.org 2008/06/14 15:49:48
810 [sshd.c]
811 wrap long line at 80 chars
812 - dtucker@cvs.openbsd.org 2008/06/14 17:07:11
813 [sshd.c]
814 ensure default umask disallows at least group and world write; ok djm@
815 - djm@cvs.openbsd.org 2008/06/14 18:33:43
816 [session.c]
817 suppress the warning message from chdir(homedir) failures
818 when chrooted (bz#1461); ok dtucker
819 - dtucker@cvs.openbsd.org 2008/06/14 19:42:10
820 [scp.1]
821 Mention that scp follows symlinks during -r. bz #1466,
822 from nectar at apple
823 - dtucker@cvs.openbsd.org 2008/06/15 16:55:38
824 [sshd_config.5]
825 MaxSessions is allowed in a Match block too
826 - dtucker@cvs.openbsd.org 2008/06/15 16:58:40
827 [servconf.c sshd_config.5]
828 Allow MaxAuthTries within a Match block. ok djm@
829 - djm@cvs.openbsd.org 2008/06/15 20:06:26
830 [channels.c channels.h session.c]
831 don't call isatty() on a pty master, instead pass a flag down to
832 channel_set_fds() indicating that the fds refer to a tty. Fixes a
833 hang on exit on Solaris (bz#1463) in portable but is actually
834 a generic bug; ok dtucker deraadt markus
835
83620080614
837 - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction
838 replacement code; patch from ighighi AT gmail.com in bz#1240;
839 ok dtucker
840
84120080613
842 - (dtucker) OpenBSD CVS Sync
843 - deraadt@cvs.openbsd.org 2008/06/13 09:44:36
844 [packet.c]
845 compile on older gcc; no decl after code
846 - dtucker@cvs.openbsd.org 2008/06/13 13:56:59
847 [monitor.c]
848 Clear key options in the monitor on failed authentication, prevents
849 applying additional restrictions to non-pubkey authentications in
850 the case where pubkey fails but another method subsequently succeeds.
851 bz #1472, found by Colin Watson, ok markus@ djm@
852 - dtucker@cvs.openbsd.org 2008/06/13 14:18:51
853 [auth2-pubkey.c auth-rhosts.c]
854 Include unistd.h for close(), prevents warnings in -portable
855 - dtucker@cvs.openbsd.org 2008/06/13 17:21:20
856 [mux.c]
857 Friendlier error messages for mux fallback. ok djm@
858 - dtucker@cvs.openbsd.org 2008/06/13 18:55:22
859 [scp.c]
860 Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@
861 - grunk@cvs.openbsd.org 2008/06/13 20:13:26
862 [ssh.1]
863 Explain the use of SSH fpr visualization using random art, and cite the
864 original scientific paper inspiring that technique.
865 Much help with English and nroff by jmc@, thanks.
866 - (dtucker) [configure.ac] Bug #1276: avoid linking against libgssapi, which
867 despite its name doesn't seem to implement all of GSSAPI. Patch from
868 Jan Engelhardt, sanity checked by Simon Wilkinson.
869
87020080612
871 - (dtucker) OpenBSD CVS Sync
872 - jmc@cvs.openbsd.org 2008/06/11 07:30:37
873 [sshd.8]
874 kill trailing whitespace;
875 - grunk@cvs.openbsd.org 2008/06/11 21:01:35
876 [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
877 sshconnect.c]
878 Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
879 graphical hash visualization schemes known as "random art", and by
880 Dan Kaminsky's musings on the subject during a BlackOp talk at the
881 23C3 in Berlin.
882 Scientific publication (original paper):
883 "Hash Visualization: a New Technique to improve Real-World Security",
884 Perrig A. and Song D., 1999, International Workshop on Cryptographic
885 Techniques and E-Commerce (CrypTEC '99)
886 http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
887 The algorithm used here is a worm crawling over a discrete plane,
888 leaving a trace (augmenting the field) everywhere it goes.
889 Movement is taken from dgst_raw 2bit-wise. Bumping into walls
890 makes the respective movement vector be ignored for this turn,
891 thus switching to the other color of the chessboard.
892 Graphs are not unambiguous for now, because circles in graphs can be
893 walked in either direction.
894 discussions with several people,
895 help, corrections and ok markus@ djm@
896 - grunk@cvs.openbsd.org 2008/06/11 21:38:25
897 [ssh-keygen.c]
898 ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub
899 would not display you the random art as intended, spotted by canacar@
900 - grunk@cvs.openbsd.org 2008/06/11 22:20:46
901 [ssh-keygen.c ssh-keygen.1]
902 ssh-keygen would write fingerprints to STDOUT, and random art to STDERR,
903 that is not how it was envisioned.
904 Also correct manpage saying that -v is needed along with -l for it to work.
905 spotted by naddy@
906 - otto@cvs.openbsd.org 2008/06/11 23:02:22
907 [key.c]
908 simpler way of computing the augmentations; ok grunk@
909 - grunk@cvs.openbsd.org 2008/06/11 23:03:56
910 [ssh_config.5]
911 CheckHostIP set to ``fingerprint'' will display both hex and random art
912 spotted by naddy@
913 - grunk@cvs.openbsd.org 2008/06/11 23:51:57
914 [key.c]
915 #define statements that are not atoms need braces around them, else they
916 will cause trouble in some cases.
917 Also do a computation of -1 once, and not in a loop several times.
918 spotted by otto@
919 - dtucker@cvs.openbsd.org 2008/06/12 00:03:49
920 [dns.c canohost.c sshconnect.c]
921 Do not pass "0" strings as ports to getaddrinfo because the lookups
922 can slow things down and we never use the service info anyway. bz
923 #859, patch from YOSHIFUJI Hideaki and John Devitofranceschi. ok
924 deraadt@ djm@
925 djm believes that the reason for the "0" strings is to ensure that
926 it's not possible to call getaddrinfo with both host and port being
927 NULL. In the case of canohost.c host is a local array. In the
928 case of sshconnect.c, it's checked for null immediately before use.
929 In dns.c it ultimately comes from ssh.c:main() and is guaranteed to
930 be non-null but it's not obvious, so I added a warning message in
931 case it is ever passed a null.
932 - grunk@cvs.openbsd.org 2008/06/12 00:13:55
933 [sshconnect.c]
934 Make ssh print the random art also when ssh'ing to a host using IP only.
935 spotted by naddy@, ok and help djm@ dtucker@
936 - otto@cvs.openbsd.org 2008/06/12 00:13:13
937 [key.c]
938 use an odd number of rows and columns and a separate start marker, looks
939 better; ok grunk@
940 - djm@cvs.openbsd.org 2008/06/12 03:40:52
941 [clientloop.h mux.c channels.c clientloop.c channels.h]
942 Enable ~ escapes for multiplex slave sessions; give each channel
943 its own escape state and hook the escape filters up to muxed
944 channels. bz #1331
945 Mux slaves do not currently support the ~^Z and ~& escapes.
946 NB. this change cranks the mux protocol version, so a new ssh
947 mux client will not be able to connect to a running old ssh
948 mux master.
949 ok dtucker@
950 - djm@cvs.openbsd.org 2008/06/12 04:06:00
951 [clientloop.h ssh.c clientloop.c]
952 maintain an ordered queue of outstanding global requests that we
953 expect replies to, similar to the per-channel confirmation queue.
954 Use this queue to verify success or failure for remote forward
955 establishment in a race free way.
956 ok dtucker@
957 - djm@cvs.openbsd.org 2008/06/12 04:17:47
958 [clientloop.c]
959 thou shalt not code past the eightieth column
960 - djm@cvs.openbsd.org 2008/06/12 04:24:06
961 [ssh.c]
962 thou shalt not code past the eightieth column
963 - djm@cvs.openbsd.org 2008/06/12 05:15:41
964 [PROTOCOL]
965 document tun@openssh.com forwarding method
966 - djm@cvs.openbsd.org 2008/06/12 05:32:30
967 [mux.c]
968 some more TODO for me
969 - grunk@cvs.openbsd.org 2008/06/12 05:42:46
970 [key.c]
971 supply the key type (rsa1, rsa, dsa) as a caption in the frame of the
972 random art. while there, stress the fact that the field base should at
973 least be 8 characters for the pictures to make sense.
974 comment and ok djm@
975 - grunk@cvs.openbsd.org 2008/06/12 06:32:59
976 [key.c]
977 We already mark the start of the worm, now also mark the end of the worm
978 in our random art drawings.
979 ok djm@
980 - djm@cvs.openbsd.org 2008/06/12 15:19:17
981 [clientloop.h channels.h clientloop.c channels.c mux.c]
982 The multiplexing escape char handler commit last night introduced a
983 small memory leak per session; plug it.
984 - dtucker@cvs.openbsd.org 2008/06/12 16:35:31
985 [ssh_config.5 ssh.c]
986 keyword expansion for localcommand. ok djm@
987 - jmc@cvs.openbsd.org 2008/06/12 19:10:09
988 [ssh_config.5 ssh-keygen.1]
989 tweak the ascii art text; ok grunk
990 - dtucker@cvs.openbsd.org 2008/06/12 20:38:28
991 [sshd.c sshconnect.c packet.h misc.c misc.h packet.c]
992 Make keepalive timeouts apply while waiting for a packet, particularly
993 during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
994 - djm@cvs.openbsd.org 2008/06/12 20:47:04
995 [sftp-client.c]
996 print extension revisions for extensions that we understand
997 - djm@cvs.openbsd.org 2008/06/12 21:06:25
998 [clientloop.c]
999 I was coalescing expected global request confirmation replies at
1000 the wrong end of the queue - fix; prompted by markus@
1001 - grunk@cvs.openbsd.org 2008/06/12 21:14:46
1002 [ssh-keygen.c]
1003 make ssh-keygen -lf show the key type just as ssh-add -l would do it
1004 ok djm@ markus@
1005 - grunk@cvs.openbsd.org 2008/06/12 22:03:36
1006 [key.c]
1007 add my copyright, ok djm@
1008 - ian@cvs.openbsd.org 2008/06/12 23:24:58
1009 [sshconnect.c]
1010 tweak wording in message, ok deraadt@ jmc@
1011 - dtucker@cvs.openbsd.org 2008/06/13 00:12:02
1012 [sftp.h log.h]
1013 replace __dead with __attribute__((noreturn)), makes things
1014 a little easier to port. Also, add it to sigdie(). ok djm@
1015 - djm@cvs.openbsd.org 2008/06/13 00:16:49
1016 [mux.c]
1017 fall back to creating a new TCP connection on most multiplexing errors
1018 (socket connect fail, invalid version, refused permission, corrupted
1019 messages, etc.); bz #1329 ok dtucker@
1020 - dtucker@cvs.openbsd.org 2008/06/13 00:47:53
1021 [mux.c]
1022 upcast size_t to u_long to match format arg; ok djm@
1023 - dtucker@cvs.openbsd.org 2008/06/13 00:51:47
1024 [mac.c]
1025 upcast another size_t to u_long to match format
1026 - dtucker@cvs.openbsd.org 2008/06/13 01:38:23
1027 [misc.c]
1028 upcast uid to long with matching %ld, prevents warnings in portable
1029 - djm@cvs.openbsd.org 2008/06/13 04:40:22
1030 [auth2-pubkey.c auth-rhosts.c]
1031 refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
1032 regular files; report from Solar Designer via Colin Watson in bz#1471
1033 ok dtucker@ deraadt
1034 - (dtucker) [clientloop.c serverloop.c] channel_register_filter now
1035 takes 2 more args. with djm@
1036 - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch
1037 from Todd Vierling.
1038 - (dtucker) [auth-sia.c] Bug #1241: support password expiry on Tru64 SIA
1039 systems. Patch from R. Scott Bailey.
1040 - (dtucker) [umac.c] STORE_UINT32_REVERSED and endian_convert are never used
1041 on big endian machines, so ifdef them for little-endian only to prevent
1042 unused function warnings on big-endians.
1043 - (dtucker) [openbsd-compat/setenv.c] Make offsets size_t to prevent
1044 compiler warnings on some platforms. Based on a discussion with otto@
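
The random art walk described in the 2008/06/11 key.c entry above (a worm on a discrete plane, one 2-bit move per step, wall bumps ignoring that axis, an odd-sized field with start and end markers and the key type and size in the frame) as a Python re-implementation added for this page. It is not OpenSSH's key.c; the glyph string, the 9 by 17 field and the MD5-over-blob fingerprint follow the 5.x behaviour as this editor understands it, and the demo blob is constructed bytes, not a real key.

```python
import hashlib

FLDSIZE_Y = 9                   # odd number of rows ...
FLDSIZE_X = FLDSIZE_Y * 2 - 1   # ... and columns (17), so the start is centred
# Glyph for 0, 1, 2, ... visits of a cell; the last two are the start and
# end markers, so the visit counter saturates two below them.
AUGMENTATION = " .o+=*BOX@%&#/^SE"


def randomart(dgst_raw: bytes, key_type: str, key_bits: int) -> str:
    """Draw the worm's trace for a raw fingerprint digest."""
    end = len(AUGMENTATION) - 1                 # index of 'E'
    start = end - 1                             # index of 'S'
    field = [[0] * FLDSIZE_Y for _ in range(FLDSIZE_X)]
    x, y = FLDSIZE_X // 2, FLDSIZE_Y // 2       # worm starts in the centre

    for byte in dgst_raw:
        for _ in range(4):                      # four 2-bit moves per byte, LSB first
            x += 1 if byte & 0x1 else -1        # bit 0: right or left
            y += 1 if byte & 0x2 else -1        # bit 1: down or up
            # bumping into a wall: that axis's move is ignored this turn
            x = min(max(x, 0), FLDSIZE_X - 1)
            y = min(max(y, 0), FLDSIZE_Y - 1)
            if field[x][y] < start - 1:         # saturate before the markers
                field[x][y] += 1
            byte >>= 2

    field[FLDSIZE_X // 2][FLDSIZE_Y // 2] = start
    field[x][y] = end                           # wherever the worm stopped

    # Frame caption with key type and size, truncated like snprintf(buf, 17, ...)
    caption = ("+--[%4s %4u]" % (key_type, key_bits))[:FLDSIZE_X - 1]
    top = caption + "-" * (FLDSIZE_X + 1 - len(caption)) + "+"
    rows = ["|" + "".join(AUGMENTATION[min(field[col][row], end)]
                          for col in range(FLDSIZE_X)) + "|"
            for row in range(FLDSIZE_Y)]
    bottom = "+" + "-" * FLDSIZE_X + "+"
    return "\n".join([top] + rows + [bottom])


def key_fingerprint_randomart(pubkey_blob: bytes, key_type: str, key_bits: int) -> str:
    """Protocol 2 fingerprints in OpenSSH 5.x are MD5 over the wire-format key blob."""
    return randomart(hashlib.md5(pubkey_blob).digest(), key_type, key_bits)


if __name__ == "__main__":
    # Constructed demo input: not a real key blob, just bytes to hash.
    print(key_fingerprint_randomart(b"ssh-rsa demo blob (constructed)", "RSA", 2048))
```

An all-zero digest walks the worm up and left until it pins against the corner, which makes the rendering easy to check by hand; as the entry notes, different walks can still produce the same picture, so the art complements the hex fingerprint rather than replacing it.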
1045
104620080611
1047 - (djm) [channels.c configure.ac]
1048 Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no)
1049 bz#1464; ok dtucker
1050
105120080610
1052 - (dtucker) OpenBSD CVS Sync
1053 - djm@cvs.openbsd.org 2008/06/10 03:57:27
1054 [servconf.c match.h sshd_config.5]
1055 support CIDR address matching in sshd_config "Match address" blocks, with
1056 full support for negation and fall-back to classic wildcard matching.
1057 For example:
1058 Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
1059 PasswordAuthentication yes
1060 addrmatch.c code mostly lifted from flowd's addr.c
1061 feedback and ok dtucker@
1062 - djm@cvs.openbsd.org 2008/06/10 04:17:46
1063 [sshd_config.5]
1064 better reference for pattern-list
1065 - dtucker@cvs.openbsd.org 2008/06/10 04:50:25
1066 [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8]
1067 Add extended test mode (-T) and connection parameters for test mode (-C).
1068 -T causes sshd to write its effective configuration to stdout and exit.
1069 -C causes any relevant Match rules to be applied before output. The
1070 combination allows testing of the parser and config files. ok deraadt djm
1071 - jmc@cvs.openbsd.org 2008/06/10 07:12:00
1072 [sshd_config.5]
1073 tweak previous;
1074 - jmc@cvs.openbsd.org 2008/06/10 08:17:40
1075 [sshd.8 sshd.c]
1076 - update usage()
1077 - fix SYNOPSIS, and sort options
1078 - some minor additional fixes
1079 - dtucker@cvs.openbsd.org 2008/06/09 18:06:32
1080 [regress/test-exec.sh]
1081 Don't generate putty keys if we're not going to use them. ok djm
1082 - dtucker@cvs.openbsd.org 2008/06/10 05:23:32
1083 [regress/addrmatch.sh regress/Makefile]
1084 Regress test for Match CIDR rules. ok djm@
1085 - dtucker@cvs.openbsd.org 2008/06/10 15:21:41
1086 [test-exec.sh]
1087 Use a more portable construct for checking if we're running a putty test
1088 - dtucker@cvs.openbsd.org 2008/06/10 15:28:49
1089 [test-exec.sh]
1090 Add quotes
1091 - dtucker@cvs.openbsd.org 2008/06/10 18:21:24
1092 [ssh_config.5]
1093 clarify that Host patterns are space-separated. ok deraadt
1094 - djm@cvs.openbsd.org 2008/06/10 22:15:23
1095 [PROTOCOL ssh.c serverloop.c]
1096 Add a no-more-sessions@openssh.com global request extension that the
1097 client sends when it knows that it will never request another session
1098 (i.e. when session multiplexing is disabled). This allows a server to
1099 disallow further session requests and terminate the session.
1100 Why would a non-multiplexing client ever issue additional session
1101 requests? It could have been attacked with something like SSH'jack:
1102 http://www.storm.net.nz/projects/7
1103 feedback & ok markus
1104 - djm@cvs.openbsd.org 2008/06/10 23:06:19
1105 [auth-options.c match.c servconf.c addrmatch.c sshd.8]
1106 support CIDR address matching in .ssh/authorized_keys from="..." stanzas
1107 ok and extensive testing dtucker@
1108 - dtucker@cvs.openbsd.org 2008/06/10 23:21:34
1109 [bufaux.c]
1110 Use '\0' for a nul byte rather than unadorned 0. ok djm@
1111 - dtucker@cvs.openbsd.org 2008/06/10 23:13:43
1112 [Makefile regress/key-options.sh]
1113 Add regress test for key options. ok djm@
1114 - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6
1115 since the new CIDR code in addrmatch.c references it.
1116 - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6
1117 specific tests on platforms that don't do IPv6.
1118 - (dtucker) [Makefile.in] Define TEST_SSH_IPV6 in make's arguments as well
1119 as environment.
1120 - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now.
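
The address-list semantics described for sshd_config "Match address" and for authorized_keys from="..." above (comma-separated entries, CIDR where the entry parses as one, classic wildcard otherwise, a leading "!" negating an entry) as an added Python illustration for this page. It is not OpenSSH's addrmatch.c: the return convention (1 match, 0 no match, -1 invalid list or unparsable address), the choice to reject a CIDR entry with host bits set, and the sample addresses are this example's own, and the wildcard matcher supports only "*" and "?".

```python
import ipaddress


def match_pattern(s: str, pattern: str) -> bool:
    """Classic '*' / '?' wildcard match, no character classes."""
    if not pattern:
        return not s
    if pattern[0] == "*":
        return any(match_pattern(s[i:], pattern[1:]) for i in range(len(s) + 1))
    if not s:
        return False
    if pattern[0] == "?" or pattern[0] == s[0]:
        return match_pattern(s[1:], pattern[1:])
    return False


def addr_match_list(addr: str, lst: str) -> int:
    """Match a source address against a list such as
    '192.0.2.0/24,3ffe:ffff::/32,!10.*'.  Returns 1, 0 or -1."""
    try:
        try_addr = ipaddress.ip_address(addr)
    except ValueError:
        return -1                       # not an address at all
    ret = 0
    for entry in lst.split(","):
        neg = entry.startswith("!")
        if neg:
            entry = entry[1:]
        if not entry:
            return -1                   # empty entry: malformed list
        if "/" in entry:
            try:
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError:
                return -1               # bad prefix length, or host bits set
            matched = try_addr.version == net.version and try_addr in net
        else:
            matched = match_pattern(addr, entry)   # fall back to wildcard
        if matched:
            if neg:
                return 0                # a negated hit wins immediately
            ret = 1                     # keep scanning for a later negation
    return ret


if __name__ == "__main__":
    rule = "192.0.2.0/24,3ffe:ffff::/32,!10.*"
    for a in ("192.0.2.10", "3ffe:ffff::1", "10.1.2.3", "198.51.100.7"):
        print(a, addr_match_list(a, rule))
```

A negated entry only ever removes a match, so a list made entirely of negations matches nobody; to express "everyone except 10/8" the list needs a positive entry as well, for example "*,!10.*".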
1121
112220080609
1123 - (dtucker) OpenBSD CVS Sync
1124 - dtucker@cvs.openbsd.org 2008/06/08 17:04:41
1125 [sftp-server.c]
1126 Add case for ENOSYS in errno_to_portable; ok deraadt
1127 - dtucker@cvs.openbsd.org 2008/06/08 20:15:29
1128 [sftp.c sftp-client.c sftp-client.h]
1129 Have the sftp client store the statvfs replies in wire format,
1130 which prevents problems when the server's native sizes exceed the
1131 client's.
1132 Also extends the sizes of the remaining 32bit wire format to 64bit,
1133 they're specified as unsigned long in the standard.
1134 - dtucker@cvs.openbsd.org 2008/06/09 13:02:39
1135 [sftp-server.c]
1136 Extend 32bit -> 64bit values for statvfs extension missed in previous
1137 commit.
1138 - dtucker@cvs.openbsd.org 2008/06/09 13:38:46
1139 [PROTOCOL]
1140 Use a $OpenBSD tag so our scripts will sync changes.
1141
114220080608
1143 - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c
1144 openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
1145 openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and
1146 fstatvfs and remove #defines around statvfs code. ok djm@
1147 - (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a
1148 macro to convert fsid to unsigned long for platforms where fsid is a
1149 2-member array.
1150
115120080607
1152 - (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H.
1153 - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c]
1154 Do not enable statvfs extensions on platforms that do not have statvfs.
1155 - (dtucker) OpenBSD CVS Sync
1156 - djm@cvs.openbsd.org 2008/05/19 06:14:02
1157 [packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@
1158 - djm@cvs.openbsd.org 2008/05/19 15:45:07
1159 [sshtty.c ttymodes.c sshpty.h]
1160 Fix sending tty modes when stdin is not a tty (bz#1199). Previously
1161 we would send the modes corresponding to a zeroed struct termios,
1162 whereas we should have been sending an empty list of modes.
1163 Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
1164 - djm@cvs.openbsd.org 2008/05/19 15:46:31
1165 [ssh-keygen.c]
1166 support -l (print fingerprint) in combination with -F (find host) to
1167 search for a host in ~/.ssh/known_hosts and display its fingerprint;
1168 ok markus@
1169 - djm@cvs.openbsd.org 2008/05/19 20:53:52
1170 [clientloop.c]
1171 unbreak tree by committing this bit that I missed from:
1172 Fix sending tty modes when stdin is not a tty (bz#1199). Previously
1173 we would send the modes corresponding to a zeroed struct termios,
1174 whereas we should have been sending an empty list of modes.
1175 Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
1176
117720080604
1178 - (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias
1179 in arc4random_uniform with upper_bound in (2^30, 2^31). Note that
1180 OpenSSH did not make requests with upper bounds in this range.
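
Rejection sampling of the kind arc4random_uniform() performs, written as an added illustration for this page rather than taken from openbsd-compat/bsd-arc4random.c. The threshold is computed in a form whose intermediates all fit in 32 bits, and the accompanying check compares it against the exact value 2^32 mod upper_bound so that the (2^30, 2^31) range mentioned above can be verified directly; the random source parameter and the function names are this example's own.

```python
import os
from typing import Callable


def uniform_threshold(upper_bound: int) -> int:
    """Lowest 32-bit value that rejection sampling should accept.

    The accepted range [threshold, 2**32) is then an exact multiple of
    upper_bound, so r % upper_bound is unbiased for every accepted r.
    The value is 2**32 mod upper_bound; computing it as
    (2**32 - upper_bound) mod upper_bound keeps every intermediate
    inside 32 bits and is exact for all bounds, including (2**30, 2**31).
    """
    if not 0 < upper_bound <= 0xFFFFFFFF:
        raise ValueError("upper_bound must be in 1..2**32-1")
    return ((0xFFFFFFFF - upper_bound) + 1) % upper_bound


def arc4random_uniform(upper_bound: int,
                       rand32: Callable[[], int] = lambda: int.from_bytes(os.urandom(4), "little")) -> int:
    """Uniform integer in [0, upper_bound) drawn from a 32-bit random source."""
    if upper_bound < 2:
        return 0
    threshold = uniform_threshold(upper_bound)
    while True:
        r = rand32()
        if r >= threshold:              # discard the low tail that would bias the modulus
            return r % upper_bound


def modulo_bias_excess(upper_bound: int) -> int:
    """Number of residues that plain r % upper_bound over-represents
    (each of them has one extra 32-bit preimage).  Zero only when the
    bound is a power of two, which is why non-power-of-two bounds need
    arc4random_uniform()."""
    return (1 << 32) % upper_bound


if __name__ == "__main__":
    for ub in (3, 1000, (1 << 30) + 1, (1 << 31) - 1):
        print(ub, uniform_threshold(ub), modulo_bias_excess(ub))
    print(arc4random_uniform(1000))
```

The expected-rejection cost is at most one extra draw on average, since the threshold is always below upper_bound and therefore below 2^31 for every bound in range.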
1181
118220080519
1183 - (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in]
1184 [openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h]
1185 Fix compilation on Linux, including pulling in fmt_scaled(3)
1186 implementation from OpenBSD's libutil.
1187
118820080518
1189 - (djm) OpenBSD CVS Sync
1190 - djm@cvs.openbsd.org 2008/04/04 05:14:38
1191 [sshd_config.5]
1192 ChrootDirectory is supported in Match blocks (in fact, it is most useful
1193 there). Spotted by Minstrel AT minstrel.org.uk
1194 - djm@cvs.openbsd.org 2008/04/04 06:44:26
1195 [sshd_config.5]
1196 oops, some unrelated stuff crept into that commit - backout.
1197 spotted by jmc@
1198 - djm@cvs.openbsd.org 2008/04/05 02:46:02
1199 [sshd_config.5]
1200 HostbasedAuthentication is supported under Match too
1201 - (djm) [openbsd-compat/bsd-arc4random.c openbsd-compat/openbsd-compat.c]
1202 [configure.ac] Implement arc4random_buf(), import implementation of
1203 arc4random_uniform() from OpenBSD
1204 - (djm) [openbsd-compat/bsd-arc4random.c] Warning fixes
1205 - (djm) [openbsd-compat/port-tun.c] needs sys/queue.h
1206 - (djm) OpenBSD CVS Sync
1207 - djm@cvs.openbsd.org 2008/04/13 00:22:17
1208 [dh.c sshd.c]
1209 Use arc4random_buf() when requesting more than a single word of output
1210 Use arc4random_uniform() when the desired random number upper bound
1211 is not a power of two
1212 ok deraadt@ millert@
1213 - djm@cvs.openbsd.org 2008/04/18 12:32:11
1214 [sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h]
1215 introduce sftp extension methods statvfs@openssh.com and
1216 fstatvfs@openssh.com that implement statvfs(2)-like operations,
1217 based on a patch from miklos AT szeredi.hu (bz#1399)
1218 also add a "df" command to the sftp client that uses the
1219 statvfs@openssh.com to produce a df(1)-like display of filesystem
1220 space and inode utilisation
1221 ok markus@
1222 - jmc@cvs.openbsd.org 2008/04/18 17:15:47
1223 [sftp.1]
1224 macro fixage;
1225 - djm@cvs.openbsd.org 2008/04/18 22:01:33
1226 [session.c]
1227 remove unnecessary parentheses
1228 - otto@cvs.openbsd.org 2008/04/29 11:20:31
1229 [monitor_mm.h]
1230 garbage collect two unused fields in struct mm_master; ok markus@
1231 - djm@cvs.openbsd.org 2008/04/30 10:14:03
1232 [ssh-keyscan.1 ssh-keyscan.c]
1233 default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by
1234 larsnooden AT openoffice.org
1235 - pyr@cvs.openbsd.org 2008/05/07 05:49:37
1236 [servconf.c servconf.h session.c sshd_config.5]
1237 Enable the AllowAgentForwarding option in sshd_config (global and match
1238 context), to specify if agents should be permitted on the server.
1239 As the man page states:
1240 ``Note that disabling Agent forwarding does not improve security
1241 unless users are also denied shell access, as they can always install
1242 their own forwarders.''
1243 ok djm@, ok and a mild frown markus@
1244 - pyr@cvs.openbsd.org 2008/05/07 06:43:35
1245 [sshd_config]
1246 push the sshd_config bits in, spotted by ajacoutot@
1247 - jmc@cvs.openbsd.org 2008/05/07 08:00:14
1248 [sshd_config.5]
1249 sort;
1250 - markus@cvs.openbsd.org 2008/05/08 06:59:01
1251 [bufaux.c buffer.h channels.c packet.c packet.h]
1252 avoid extra malloc/copy/free when receiving data over the net;
1253 ~10% speedup for localhost-scp; ok djm@
1254 - djm@cvs.openbsd.org 2008/05/08 12:02:23
1255 [auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c]
1256 [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c]
1257 [ssh.c sshd.c]
1258 Implement a channel success/failure status confirmation callback
1259 mechanism. Each channel maintains a queue of callbacks, which will
1260 be drained in order (RFC4253 guarantees confirm messages are not
1261 reordered within a channel).
1262 Also includes an abandonment callback to clean up if a channel is
1263 closed without sending confirmation messages. This probably
1264 shouldn't happen in compliant implementations, but it could be
1265 abused to leak memory.
1266 ok markus@ (as part of a larger diff)
1267 - djm@cvs.openbsd.org 2008/05/08 12:21:16
1268 [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
1269 [sshd_config sshd_config.5]
1270 Make the maximum number of sessions run-time controllable via
1271 a sshd_config MaxSessions knob. This is useful for disabling
1272 login/shell/subsystem access while leaving port-forwarding working
1273 (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
1274 simply increasing the number of allowed multiplexed sessions.
1275 Because some bozos are sure to configure MaxSessions in excess of the
1276 number of available file descriptors in sshd (which, at peak, might be
1277 as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
1278 on error paths, and make it fail gracefully on out-of-fd conditions -
1279 sending channel errors instead of exiting with fatal().
1280 bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
1281 ok markus@
1282 - djm@cvs.openbsd.org 2008/05/08 13:06:11
1283 [clientloop.c clientloop.h ssh.c]
1284 Use new channel status confirmation callback system to properly deal
1285 with "important" channel requests that fail, in particular command exec,
1286 shell and subsystem requests. Previously we would optimistically assume
1287 that the requests would always succeed, which could cause hangs if they
1288 did not (e.g. when the server runs out of fds) or were unimplemented by
1289 the server (bz #1384)
1290 Also, properly report failing multiplex channel requests via the mux
1291 client stderr (subject to LogLevel in the mux master) - better than
1292 silently failing.
1293 most bits ok markus@ (as part of a larger diff)
1294 - djm@cvs.openbsd.org 2008/05/09 04:55:56
1295 [channels.c channels.h clientloop.c serverloop.c]
1296 Try additional addresses when connecting to a port forward destination
1297 whose DNS name resolves to more than one address. The previous behaviour
1298 was to try the first address and give up.
1299 Reported by stig AT venaas.com in bz#343
1300 great feedback and ok markus@
1301 - djm@cvs.openbsd.org 2008/05/09 14:18:44
1302 [clientloop.c clientloop.h ssh.c mux.c]
1303 tidy up session multiplexing code, moving it into its own file and
1304 making the function names more consistent - making ssh.c and
1305 clientloop.c a fair bit more readable.
1306 ok markus@
1307 - djm@cvs.openbsd.org 2008/05/09 14:26:08
1308 [ssh.c]
1309 dingo stole my diff hunk
1310 - markus@cvs.openbsd.org 2008/05/09 16:16:06
1311 [session.c]
1312 re-add the USE_PIPES code and enable it.
1313 without pipes shutdown-read from the sshd does not trigger
1314 a SIGPIPE when the forked program does a write.
1315 ok djm@
1316 (Id sync only, USE_PIPES never left portable OpenSSH)
1317 - markus@cvs.openbsd.org 2008/05/09 16:17:51
1318 [channels.c]
1319 error-fd race: don't enable the error fd in the select bitmask
1320 for channels with both in- and output closed, since the channel
1321 will go away before we call select();
1322 report, lots of debugging help and ok djm@
1323 - markus@cvs.openbsd.org 2008/05/09 16:21:13
1324 [channels.h clientloop.c nchan.c serverloop.c]
1325 unbreak
1326 ssh -2 localhost od /bin/ls | true
1327 ignoring SIGPIPE by adding a new channel message (EOW) that signals
1328 the peer that we're not interested in any data it might send.
1329 fixes bz #85; discussion, debugging and ok djm@
1330 - pvalchev@cvs.openbsd.org 2008/05/12 20:52:20
1331 [umac.c]
1332 Ensure nh_result lies on a 64-bit boundary (fixes warnings observed
1333 on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@
1334 - djm@cvs.openbsd.org 2008/05/15 23:52:24
1335 [nchan2.ms]
1336 document eow message in ssh protocol 2 channel state machine;
1337 feedback and ok markus@
1338 - djm@cvs.openbsd.org 2008/05/18 21:29:05
1339 [sftp-server.c]
1340 comment extension announcement
1341 - djm@cvs.openbsd.org 2008/05/16 08:30:42
1342 [PROTOCOL]
1343 document our protocol extensions and deviations; ok markus@
1344 - djm@cvs.openbsd.org 2008/05/17 01:31:56
1345 [PROTOCOL]
1346 grammar and correctness fixes from stevesk@
1347
134820080403
1349 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
1350 time warnings on LynxOS. Patch from ops AT iki.fi
1351 - (djm) Force string arguments to replacement setproctitle() through
1352 strnvis first. Ok dtucker@
1353
135420080403
1355 - (djm) OpenBSD CVS sync:
1356 - markus@cvs.openbsd.org 2008/04/02 15:36:51
1357 [channels.c]
1358 avoid possible hijacking of x11-forwarded connections (back out 1.183)
1359 CVE-2008-1483; ok djm@
1360 - jmc@cvs.openbsd.org 2008/03/27 22:37:57
1361 [sshd.8]
1362 remove trailing whitespace;
1363 - djm@cvs.openbsd.org 2008/04/03 09:50:14
1364 [version.h]
1365 openssh-5.0
1366 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
1367 [contrib/suse/openssh.spec] Crank version numbers in RPM spec files
1368 - (djm) [README] Update link to release notes
1369 - (djm) Release 5.0p1