X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/680cee3b13f3b5197cc438649719a36181466d1b..0fff78ff85eabb96f2600c7996ab2a6ffd21e706:/openssh/ChangeLog diff --git a/openssh/ChangeLog b/openssh/ChangeLog index 53a2e38..1bd316b 100644 --- a/openssh/ChangeLog +++ b/openssh/ChangeLog @@ -1,1170 +1,1110 @@ -20020626 - - (stevesk) [monitor.c] remove duplicate proto15 dispatch entry for PAM - - (bal) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/06/23 21:34:07 - [channels.c] - tcode is u_int - - markus@cvs.openbsd.org 2002/06/24 13:12:23 - [ssh-agent.1] - the socket name contains ssh-agent's ppid; via mpech@ from form@ - - markus@cvs.openbsd.org 2002/06/24 14:33:27 - [channels.c channels.h clientloop.c serverloop.c] - move channel counter to u_int - - markus@cvs.openbsd.org 2002/06/24 14:55:38 - [authfile.c kex.c ssh-agent.c] - cat to (void) when output from buffer_get_X is ignored - - itojun@cvs.openbsd.org 2002/06/24 15:49:22 - [msg.c] - printf type pedant - - deraadt@cvs.openbsd.org 2002/06/24 17:57:20 - [sftp-server.c sshpty.c] - explicit (u_int) for uid and gid - - markus@cvs.openbsd.org 2002/06/25 16:22:42 - [authfd.c] - unnecessary cast - - markus@cvs.openbsd.org 2002/06/25 18:51:04 - [sshd.c] - lightweight do_setusercontext after chroot() - - (bal) Updated AIX package build. Patch by dtucker@zip.com.au - - (tim) [Makefile.in] fix test on installing ssh-rand-helper.8 - - (bal) added back in error check for mmap(). I screwed up, Pointed - out by stevesk@ - - (tim) [README.privsep] UnixWare tip no longer needed. - - (bal) fixed NeXTStep missing munmap() issue. It defines HAVE_MMAP, - but it all damned lies. - - (stevesk) [README.privsep] more for sshd pseudo-account. - - (tim) [contrib/caldera/openssh.spec] add support for privsep - - (djm) setlogin needs pgid==pid on BSD/OS; from itojun@ - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/06/26 08:53:12 - [bufaux.c] - limit size of BNs to 8KB; ok provos/deraadt - - markus@cvs.openbsd.org 2002/06/26 08:54:18 +20030916 + - (dtucker) [acconfig.h configure.ac defines.h session.c] Bug #252: Retrieve + PATH (or SUPATH) and UMASK from /etc/default/login on platforms that have it + (eg Solaris, Reliant Unix). Patch from Robert.Dahlem at siemens.com. + ok djm@ + - (bal) OpenBSD Sync + - deraadt@cvs.openbsd.org 2003/09/16 03:03:47 [buffer.c] - limit append to 1MB and buffers to 10MB - - markus@cvs.openbsd.org 2002/06/26 08:55:02 - [channels.c] - limit # of channels to 10000 - - markus@cvs.openbsd.org 2002/06/26 08:58:26 - [session.c] - limit # of env vars to 1000; ok deraadt/djm - - deraadt@cvs.openbsd.org 2002/06/26 13:20:57 - [monitor.c] - be careful in mm_zalloc - - deraadt@cvs.openbsd.org 2002/06/26 13:49:26 - [session.c] - disclose less information from environment files; based on input - from djm, and dschultz@uclink.Berkeley.EDU - - markus@cvs.openbsd.org 2002/06/26 13:55:37 - [auth2-chall.c] - make sure # of response matches # of queries, fixes int overflow; - from ISS - - markus@cvs.openbsd.org 2002/06/26 13:56:27 + do not expand buffer before attempting to reallocate it; markus ok + - (djm) Crank spec versions + - (djm) Banish (safe) sprintf from auth-pam.c. Patch from bal + - (tim) [configure.ac] Fix portability issues. + - (djm) Release 3.7p1 + +20030914 + - (dtucker) [Makefile regress/Makefile] Fix portability issues preventing + the regression tests from running with Solaris' make. Patch from Brian + Poole (raj at cerias.purdue.edu). + - (dtucker) [regress/Makefile] AIX's make doesn't like " +=", so replace + with vanilla "=". + +20030913 + - (dtucker) [regress/agent-timeout.sh] Timeout of 5 sec is borderline for + slower hosts, increase to 10 sec. + - (dtucker) [auth-passwd.c] On AIX, call setauthdb() before loginsuccess(), + required to correctly reset failed login count when using a password + registry other than "files" (eg LDAP, see bug #543). + - (tim) [configure.ac] define WITH_ABBREV_NO_TTY for SCO. + Report by Roger Cornelius. + - (dtucker) [auth-pam.c] Use SSHD_PAM_SERVICE for PAM service name, patch + from cjwatson at debian.org. + +20030912 + - (tim) [regress/agent-ptrace.sh] sh doesn't like "if ! shell_function; then". + - (tim) [Makefile.in] only mkdir regress if it does not exist. + - (tim) [regress/yes-head.sh] shell portability fix. + +20030911 + - (dtucker) [configure.ac] Bug #588, #615: Move other libgen tests to after + the dirname test, to allow a broken dirname to be detected correctly. + Based partially on patch supplied by alex.kiernan at thus.net. ok djm@ + - (tim) [configure.ac] Move libgen tests to before libwrap to unbreak + UnixWare 2.03 using --with-tcp-wrappers. + - (tim) [configure.ac] Prefer setuid/setgid on UnixWare and Open Server. + - (tim) [regress/agent-ptrace.sh regress/dynamic-forward.sh + regress/sftp-cmds.sh regress/stderr-after-eof.sh regress/test-exec.sh] + no longer depends on which(1). patch by dtucker@ + +20030910 + - (dtucker) [configure.ac] Bug #636: Add support for Cray's new X1 machine. + Patch from wendyp at cray.com. + - (dtucker) [configure.ac] Part of bug #615: tcsendbreak might be a macro. + - (dtucker) [regressh/yes-head.sh] Some platforms (eg Solaris) don't have + "yes". + +20030909 + - (tim) [regress/Makefile] Fixes for building outside of a read-only + source tree. + - (tim) [regress/agent-timeout.sh] s/TIMEOUT/SSHAGENT_TIMEOUT/ Fixes conflict + with shell read-only variable. + - (tim) [regress/sftp-badcmds.sh regress/sftp-cmds.sh] Fix errors like + UX:rm: ERROR: Cannot remove '.' or '..' + +20030908 + - (tim) [configure.ac openbsd-compat/getrrsetbyname.c] wrap _getshort and + _getlong in #ifndef + - (tim) [configure.ac acconfig.h openbsd-compat/getrrsetbyname.c] test for + HEADER.ad in arpa/nameser.h + - (tim) [ssh-keygen.c] s/PATH_MAX/MAXPATHLEN/ ok mouring@ + +20030907 + - (dtucker) [agent-ptrace.sh dynamic-forward.sh (all regress/)] + Put "which" inside quotes. + - (dtucker) [dynamic-forward.sh forwarding.sh sftp-batch.sh (all regress/)] + Add ${EXEEXT}: required to work on Cygwin. + - (dtucker) [regress/sftp-batch.sh] Make temporary batch file name more + distinctive, so "rm ${BATCH}.*" doesn't match the script itself. + - (dtucker) [regress/sftp-cmds.sh] Skip quoted file test on Cygwin. + - (dtucker) [openbsd-compat/xcrypt.c] #elsif -> #elif + - (dtucker) [acconfig.h] Typo. + - (dtucker) [CREDITS Makefile.in configure.ac mdoc2man.awk mdoc2man.pl] + Replace mdoc2man.pl with mdoc2man.awk, provided by Peter Stuge. + +20030906 + - (dtucker) [acconfig.h configure.ac uidswap.c] Prefer setuid/setgid on AIX. + +20030905 + - (dtucker) [Makefile.in] Add distclean target for regress/, fix clean target. + +20030904 + - (dtucker) Portablize regression tests. Parts contributed by Roumen + Petrov, David M. Williams and Corinna Vinschen. + - [Makefile.in] Add "make tests" target and "make clean" hooks. + - [regress/agent-getpeereid.sh] Skip test on platforms that don't support + getpeereid. + - [regress/agent-ptrace.sh] Skip tests if platform doesn't support it or + gdb cannot be found. + - [regress/reconfigure/sh] Make path to sshd fully qualified if required. + - [regress/rekey.sh] Remove dependence on /dev/zero (not all platforms have + it). The sparse file will take less disk space too. + - [regress/sftp-cmds.sh] Ensure files used for test are readable. + - [regress/stderr-after-eof.sh] Search for a usable checksum program. + - [regress/sftp-badcmds.sh regress/sftp-cmds.sh regress/sftp.sh + regress/ssh-com-client.sh regress/ssh-com-sftp.sh regress/stderr-data.sh + regress/transfer.sh] Use ${EXEEXT} where appropriate. + - [regress/sftp.sh regress/ssh-com-sftp.sh] Remove dependency on /dev/stdin. + - [regress/agent-ptrace.sh regress/agent-timeout.sh] + "grep -q" -> "grep >/dev/null" + - [regress/agent.sh regress/proto-version.sh regress/ssh-com.sh + regress/test-exec.sh] Handle different ways of echoing without newlines. + - [regress/dynamic-forward.sh] Some "which" programs output on stderr. + - [regress/sftp-cmds.sh] Use portable "test" option. + - [regress/test-exec.sh] Use sudo, search for "whoami" equivalent, always + use Strictmodes no, wait longer for sshd startup. + - [regress/Makefile] Remove BSDisms. + - [regress/README.regress] Add a basic readme. + - [Makefile.in regress/agent-getpeereid.sh] config.h is now in $BUILDDIR + not $OBJ. + - [Makefile.in regress/agent-ptrace] Fix minor regress issues on Cygwin. + +20030903 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/08/26 09:58:43 + [auth-passwd.c auth.c auth.h auth1.c auth2-none.c auth2-passwd.c] + [auth2.c monitor.c] + fix passwd auth for 'username leaks via timing'; with djm@, original + patches from solar + - markus@cvs.openbsd.org 2003/08/28 12:54:34 + [auth.h] + remove kerberos support from ssh1, since it has been replaced with GSSAPI; + but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ... + - markus@cvs.openbsd.org 2003/09/02 16:40:29 [version.h] - 3.4 - - (djm) Require krb5 devel for RPM build w/ KrbV - - (djm) Improve PAMAuthenticationViaKbdInt text from Nalin Dahyabhai - - - (djm) Update spec files for release - - (djm) Fix int overflow in auth2-pam.c, similar to one discovered by ISS - - (djm) Release 3.4p1 - -20020625 - - (stevesk) [INSTALL acconfig.h configure.ac defines.h] remove --with-rsh - - (stevesk) [README.privsep] minor updates - - (djm) Create privsep directory and warn if privsep user is missing - during make install - - (bal) Started list of PrivSep issues in TODO - - (bal) if mmap() is substandard, don't allow compression on server side. - Post 'event' we will add more options. - - (tim) [contrib/caldera/openssh.spec] Sync with Caldera - - (bal) moved aix_usrinfo() and noted not setting real TTY. Patch by - dtucker@zip.com.au - - (tim) [acconfig.h configure.ac sshd.c] BROKEN_FD_PASSING fix from Markus - for Cygwin, Cray, & SCO - -20020624 - - OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2002/06/23 03:25:50 - [tildexpand.c] - KNF - - deraadt@cvs.openbsd.org 2002/06/23 03:26:19 - [cipher.c key.c] - KNF - - deraadt@cvs.openbsd.org 2002/06/23 03:30:58 - [scard.c ssh-dss.c ssh-rsa.c sshconnect.c sshconnect2.c sshd.c sshlogin.c - sshpty.c] - various KNF and %d for unsigned - - deraadt@cvs.openbsd.org 2002/06/23 09:30:14 - [sftp-client.c sftp-client.h sftp-common.c sftp-int.c sftp-server.c - sftp.c] - bunch of u_int vs int stuff - - deraadt@cvs.openbsd.org 2002/06/23 09:39:55 + enter 3.7 + - jmc@cvs.openbsd.org 2003/09/02 18:50:06 + [sftp.1 ssh_config.5] + escape punctuation; + ok deraadt@ + +20030902 + - (djm) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2003/08/24 17:36:51 + [auth2-gss.c] + 64 bit cleanups; markus ok + - markus@cvs.openbsd.org 2003/08/28 12:54:34 + [auth-krb5.c auth.h auth1.c monitor.c monitor.h monitor_wrap.c] + [monitor_wrap.h readconf.c servconf.c session.c ssh_config.5] + [sshconnect1.c sshd.c sshd_config sshd_config.5] + remove kerberos support from ssh1, since it has been replaced with GSSAPI; + but keep kerberos passwd auth for ssh1 and 2; ok djm, hin, henning, ... + - markus@cvs.openbsd.org 2003/08/29 10:03:15 + [compat.c compat.h] + SSH_BUG_K5USER is unused; ok henning@ + - markus@cvs.openbsd.org 2003/08/29 10:04:36 + [channels.c nchan.c] + be less chatty; debug -> debug2, cleanup; ok henning@ + - markus@cvs.openbsd.org 2003/08/31 10:26:04 + [progressmeter.c] + pass file_size + 1 to snprintf: fixes printing of truncated + file names; fix based on patch/report from sturm@; + - markus@cvs.openbsd.org 2003/08/31 12:14:22 + [progressmeter.c] + do write to buf[-1] + - markus@cvs.openbsd.org 2003/08/31 13:29:05 + [session.c] + call ssh_gssapi_storecreds conditionally from do_exec(); + with sxw@inf.ed.ac.uk + - markus@cvs.openbsd.org 2003/08/31 13:30:18 + [gss-serv.c] + correct string termination in parse_ename(); sxw@inf.ed.ac.uk + - markus@cvs.openbsd.org 2003/08/31 13:31:57 + [gss-serv.c] + whitspace KNF + - markus@cvs.openbsd.org 2003/09/01 09:50:04 + [sshd_config.5] + gss kex is not supported; sxw@inf.ed.ac.uk + - markus@cvs.openbsd.org 2003/09/01 12:50:46 + [readconf.c] + rm gssapidelegatecreds alias; never supported before + - markus@cvs.openbsd.org 2003/09/01 13:52:18 + [ssh.h] + rm whitespace + - markus@cvs.openbsd.org 2003/09/01 18:15:50 + [readconf.c readconf.h servconf.c servconf.h ssh.c] + remove unused kerberos code; ok henning@ + - markus@cvs.openbsd.org 2003/09/01 20:44:54 + [auth2-gss.c] + fix leak + - (djm) Don't initialise pam_conv structures inline. Avoids HP/UX compiler + error. Part of Bug #423, patch from michael_steffens AT hp.com + - (djm) Bug #423: reorder setting of PAM_TTY and calling of PAM session + management (now done in do_setusercontext). Largely from + michael_steffens AT hp.com + - (djm) Fix openbsd-compat/ again - remove references to strl(cpy|cat).h + +20030829 + - (bal) openbsd-compat/ clean up. Considate headers, add in Id on our + files, and added missing license to header. + +20030826 + - (djm) Bug #629: Mark ssh_config option "pamauthenticationviakbdint" + as deprecated. Remove mention from README.privsep. Patch from + aet AT cc.hut.fi + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/08/22 10:56:09 + [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c + gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c + readconf.h servconf.c servconf.h session.c session.h ssh-gss.h + ssh_config.5 sshconnect2.c sshd_config sshd_config.5] + support GSS API user authentication; patches from Simon Wilkinson, + stripped down and tested by Jakob and myself. + - markus@cvs.openbsd.org 2003/08/22 13:20:03 + [sshconnect2.c] + remove support for "kerberos-2@ssh.com" + - markus@cvs.openbsd.org 2003/08/22 13:22:27 + [auth2.c] (auth2-krb5.c removed) + nuke "kerberos-2@ssh.com" + - markus@cvs.openbsd.org 2003/08/22 20:55:06 + [LICENCE] + add Simon Wilkinson + - deraadt@cvs.openbsd.org 2003/08/24 17:36:52 + [monitor.c monitor_wrap.c sshconnect2.c] + 64 bit cleanups; markus ok + - fgsch@cvs.openbsd.org 2003/08/25 08:13:09 + [sftp-int.c] + fix div by zero when listing for filename lengths longer than width. + markus@ ok. + - djm@cvs.openbsd.org 2003/08/25 10:33:33 + [sshconnect2.c] + fprintf->logit to silence login banner with "ssh -q"; ok markus@ + - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h + configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c + sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson. + - (dtucker) [Makefile.in] Remove auth2-krb5. + - (dtucker) [contrib/aix/inventory.sh] Add public domain notice. ok mouring@ + (the original author) + - (dtucker) [auth.c] Do not check for locked accounts when PAM is enabled. + +20030825 + - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from + larsch@trustcenter.de + - (bal) openbsd-compat/ OpenBSD updates. Mostly licensing, ansifications + and minor fixes. OK djm@ + - (bal) redo how we handle 'mysignal()'. Move it to + openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to + be our 'mysignal' by default. OK djm@ + - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny + any access to locked accounts. ok djm@ + - (djm) Bug #564: Perform PAM account checks for all authentications when + UsePAM=yes; ok dtucker + - (dtucker) [configure.ac] Bug #533, #551: define BROKEN_GETADDRINFO on + Tru64, solves getnameinfo and "bad addr or host" errors. ok djm@ + - (dtucker) [README buildbff.sh inventory.sh] (all in contrib/aix) + Update package builder: correctly handle config variables, use lsuser + rather than /etc/passwd, fix typos, add Id's. + +20030822 + - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal + -lbroken; ok dtucker + - (dtucker) [contrib/cygwin/ssh-user-config] Put keys in authorized_keys + rather that authorized_keys2. Patch from vinschen@redhat.com. + +20030821 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/08/14 16:08:58 [ssh-keygen.c] - u_int stuff - - deraadt@cvs.openbsd.org 2002/06/23 09:46:51 - [bufaux.c servconf.c] - minor KNF. things the fingers do while you read - - deraadt@cvs.openbsd.org 2002/06/23 10:29:52 - [ssh-agent.c sshd.c] - some minor KNF and %u - - deraadt@cvs.openbsd.org 2002/06/23 20:39:45 + exit after primetest, ok djm@ + - (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros, + change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for + consistency. + - (dtucker) [configure.ac] Move openpty/ctty test outside of case statement + and after normal openpty test. + +20030813 + - (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/08/13 08:33:02 [session.c] - compression_level is u_int - - deraadt@cvs.openbsd.org 2002/06/23 21:06:13 - [sshpty.c] - KNF - - deraadt@cvs.openbsd.org 2002/06/23 21:06:41 - [channels.c channels.h session.c session.h] - display, screen, row, col, xpixel, ypixel are u_int; markus ok - - deraadt@cvs.openbsd.org 2002/06/23 21:10:02 - [packet.c] - packet_get_int() returns unsigned for reason & seqnr - - (bal) Also fixed IPADDR_IN_DISPLAY case where display, screen, row, col, - xpixel are u_int. + use more portable tcsendbreak(3) and ignore break_length; + ok deraadt, millert + - markus@cvs.openbsd.org 2003/08/13 08:46:31 + [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config + ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5] + remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@, + fgsch@, miod@, henning@, jakob@ and others + - markus@cvs.openbsd.org 2003/08/13 09:07:10 + [readconf.c ssh.c] + socks4->socks, since with support both 4 and 5; dtucker@zip.com.au + - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] + Add a tcsendbreak function for platforms that don't have one, based on the + one from OpenBSD. +20030811 + - (dtucker) OpenBSD CVS Sync + (thanks to Simon Wilkinson for help with this -dt) + - markus@cvs.openbsd.org 2003/07/16 15:02:06 + [auth-krb5.c] + mcc -> fcc; from Love Hörnquist Åstrand + otherwise the kerberos credentinal is stored in a memory cache + in the privileged sshd. ok jabob@, hin@ (some time ago) + - (dtucker) [openbsd-compat/xcrypt.c] Remove Cygwin #ifdef block (duplicate + in bsd-cygwin_util.h). -20020623 - - (stevesk) [configure.ac] bug #255 LOGIN_NEEDS_UTMPX for AIX. - - (bal) removed GNUism for getops in ssh-agent since glibc lacks optreset. - - (bal) add extern char *getopt. Based on report by dtucker@zip.com.au - - OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2002/06/22 02:00:29 - [ssh.h] - correct comment - - stevesk@cvs.openbsd.org 2002/06/22 02:40:23 - [ssh.1] - section 5 not 4 for ssh_config - - naddy@cvs.openbsd.org 2002/06/22 11:51:39 - [ssh.1] - typo - - stevesk@cvs.openbsd.org 2002/06/22 16:32:54 - [sshd.8] - add /var/empty in FILES section - - stevesk@cvs.openbsd.org 2002/06/22 16:40:19 - [sshd.c] - check /var/empty owner mode; ok provos@ - - stevesk@cvs.openbsd.org 2002/06/22 16:41:57 - [scp.1] - typo - - stevesk@cvs.openbsd.org 2002/06/22 16:45:29 - [ssh-agent.1 sshd.8 sshd_config.5] - use process ID vs. pid/PID/process identifier - - stevesk@cvs.openbsd.org 2002/06/22 20:05:27 +20030808 + - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and + AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition + separately before defining them. + - (dtucker) [auth-pam.c] Don't set PAM_TTY if tty is null. ok djm@ + +20030807 + - (dtucker) [session.c] Have session_break_req not attempt to send a break + if TIOCSBRK and TIOCCBRK are not defined (eg Cygwin). + - (dtucker) [canohost.c] Bug #336: Only check ip options if IP_OPTIONS is + defined (fixes compile error on really old Linuxes). + - (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if + not already defined (eg Linux with some versions of libc5), based on those + from OpenBSD. + - (dtucker) [openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h] + Remove incorrect filenames from comments (file names are in Id tags). + - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.h] Move Cygwin + specific defines and includes to bsd-cygwin_util.h. Fixes build error too. + +20030802 + - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/07/22 13:35:22 + [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c + monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1 + ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h] + remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1); + test+ok henning@ + - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support. + - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/07/23 07:42:43 + [sshd_config] + remove AFS; itojun@ + - djm@cvs.openbsd.org 2003/07/28 09:49:56 + [ssh-keygen.1 ssh-keygen.c] + Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen. + Based on code from Phil Karn, William Allen Simpson and Niels Provos. + ok markus@, thanks jmc@ + - markus@cvs.openbsd.org 2003/07/29 18:24:00 + [LICENCE progressmeter.c] + replace 4 clause BSD licensed progressmeter code with a replacement + from Nils Nordman and myself; ok deraadt@ + (copied from OpenBSD an re-applied portable changes) + - markus@cvs.openbsd.org 2003/07/29 18:26:46 + [progressmeter.c] + fix length for "- stalled -" (included with previous import) + - markus@cvs.openbsd.org 2003/07/30 07:44:14 + [progressmeter.c] + use only 4 digits in format_size (included with previous import) + - markus@cvs.openbsd.org 2003/07/30 07:53:27 + [progressmeter.c] + whitespace (included with previous import) + - markus@cvs.openbsd.org 2003/07/31 09:21:02 + [auth2-none.c] + check whether passwd auth is allowd, similar to proto 1; rob@pitman.co.za + ok henning + - avsm@cvs.openbsd.org 2003/07/31 15:50:16 + [atomicio.c] + correct comment: atomicio takes vwrite, not write; deraadt@ ok + - markus@cvs.openbsd.org 2003/07/31 22:34:03 + [progressmeter.c] + print rate similar old version; round instead truncate; + (included in previous progressmeter.c commit) + - (dtucker) [openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] + Add a tcgetpgrp function. + - (dtucker) [Makefile.in moduli.c moduli.h] Add new files and to Makefile. + - (dtucker) [openbsd-compat/bsd-misc.c] Fix cut-and-paste bug in tcgetpgrp. + +20030730 + - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal + +20030726 + - (dtucker) [openbsd-compat/xcrypt.c] Fix typo: DISABLED_SHADOW -> + DISABLE_SHADOW. Fixes HP-UX compile error. + +20030724 + - (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.c + openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface, + and isolate shadow password functions. Tested in Solaris, but should + not break other platforms too badly (except maybe HP =). Also brings + auth-passwd.c into full sync with OpenBSD tree. + +20030723 + - (dtucker) [configure.ac] Back out change for bug #620. + +20030719 + - (dtucker) [configure.ac] Bug #620: Define BROKEN_GETADDRINFO for + Solaris/x86. Patch from jrhett at isite.net. + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/07/14 12:36:37 [sshd.c] - don't call setsid() if debugging or run from inetd; no "Operation not - permitted" errors now; ok millert@ markus@ - - stevesk@cvs.openbsd.org 2002/06/22 23:09:51 - [monitor.c] - save auth method before monitor_reset_key_state(); bugzilla bug #284; - ok provos@ - -20020622 - - (djm) Update README.privsep; spotted by fries@ - - (djm) Release 3.3p1 - - (bal) getopt now can be staticly compiled on those platforms missing - optreset. Patch by binder@arago.de - -20020621 - - (djm) Sync: - - djm@cvs.openbsd.org 2002/06/21 05:50:51 - [monitor.c] - Don't initialise compression buffers when compression=no in sshd_config; - ok Niels@ - - ID sync for auth-passwd.c - - (djm) Warn and disable compression on platforms which can't handle both - useprivilegeseparation=yes and compression=yes - - (djm) contrib/redhat/openssh.spec hacking: - - Merge in spec changes from seba@iq.pl (Sebastian Pachuta) - - Add new {ssh,sshd}_config.5 manpages - - Add new ssh-keysign program and remove setuid from ssh client - -20020620 - - (bal) Fixed AIX environment handling, use setpcred() instead of existing - code. (Bugzilla Bug 261) - - (bal) OpenBSD CVS Sync - - todd@cvs.openbsd.org 2002/06/14 21:35:00 - [monitor_wrap.c] - spelling; from Brian Poole - - markus@cvs.openbsd.org 2002/06/15 00:01:36 - [authfd.c authfd.h ssh-add.c ssh-agent.c] - break agent key lifetime protocol and allow other contraints for key - usage. - - markus@cvs.openbsd.org 2002/06/15 00:07:38 - [authfd.c authfd.h ssh-add.c ssh-agent.c] - fix stupid typo - - markus@cvs.openbsd.org 2002/06/15 01:27:48 - [authfd.c authfd.h ssh-add.c ssh-agent.c] - remove the CONSTRAIN_IDENTITY messages and introduce a new - ADD_ID message with contraints instead. contraints can be - only added together with the private key. - - itojun@cvs.openbsd.org 2002/06/16 21:30:58 - [ssh-keyscan.c] - use TAILQ_xx macro. from lukem@netbsd. markus ok - - deraadt@cvs.openbsd.org 2002/06/17 06:05:56 + remove undocumented -V option. would be only useful if openssh is used + as ssh v1 server for ssh.com's ssh v2. + - markus@cvs.openbsd.org 2003/07/16 10:34:53 + [ssh.c sshd.c] + don't exit on multiple -v or -d; ok deraadt@ + - markus@cvs.openbsd.org 2003/07/16 10:36:28 + [sshtty.c] + clear IUCLC in enter_raw_mode; from rob@pitman.co.za; ok deraadt@, fgs@ + - deraadt@cvs.openbsd.org 2003/07/18 01:54:25 [scp.c] - make usage like man page - - deraadt@cvs.openbsd.org 2002/06/19 00:27:55 - [auth-bsdauth.c auth-skey.c auth1.c auth2-chall.c auth2-none.c authfd.c - authfd.h monitor_wrap.c msg.c nchan.c radix.c readconf.c scp.c sftp.1 - ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c - ssh-keysign.c ssh.1 sshconnect.c sshconnect.h sshconnect2.c ttymodes.c - xmalloc.h] - KNF done automatically while reading.... - - markus@cvs.openbsd.org 2002/06/19 18:01:00 - [cipher.c monitor.c monitor_wrap.c packet.c packet.h] - make the monitor sync the transfer ssh1 session key; - transfer keycontext only for RC4 (this is still depends on EVP - implementation details and is broken). - - stevesk@cvs.openbsd.org 2002/06/20 19:56:07 - [ssh.1 sshd.8] - move configuration file options from ssh.1/sshd.8 to - ssh_config.5/sshd_config.5; ok deraadt@ millert@ - - stevesk@cvs.openbsd.org 2002/06/20 20:00:05 - [scp.1 sftp.1] - ssh_config(5) - - stevesk@cvs.openbsd.org 2002/06/20 20:03:34 - [ssh_config sshd_config] - refer to config file man page - - markus@cvs.openbsd.org 2002/06/20 23:05:56 - [servconf.c servconf.h session.c sshd.c] - allow Compression=yes/no in sshd_config - - markus@cvs.openbsd.org 2002/06/20 23:37:12 - [sshd_config] - add Compression - - stevesk@cvs.openbsd.org 2002/05/25 20:40:08 - [LICENCE] - missed Per Allansson (auth2-chall.c) - - (bal) Cygwin special handling of empty passwords wrong. Patch by - vinschen@redhat.com - - (bal) Missed integrating ssh_config.5 and sshd_config.5 - - (bal) Still more Makefile.in updates for ssh{d}_config.5 - -20020613 - - (bal) typo of setgroup for cygwin. Patch by vinschen@redhat.com - -20020612 - - (bal) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/06/11 23:03:54 - [ssh.c] - remove unused cruft. - - markus@cvs.openbsd.org 2002/06/12 01:09:52 - [ssh.c] - ssh_connect returns 0 on success - - (bal) Build noop setgroups() for cygwin to clean up code (For other - platforms without the setgroups() requirement, you MUST define - SETGROUPS_NOOP in the configure.ac) Based on patch by vinschen@redhat.com - - (bal) Some platforms don't have ONLCR (Notable Mint) - -20020611 - - (bal) ssh-agent.c RCSD fix (|unexpand already done) - - (bal) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2002/06/09 22:15:15 - [ssh.1] - update for no setuid root and ssh-keysign; ok deraadt@ - - itojun@cvs.openbsd.org 2002/06/09 22:17:21 + userid is unsigned, but well, force it anyways; andrushock@korovino.net + - djm@cvs.openbsd.org 2003/07/19 00:45:53 + [sftp-int.c] + fix sftp filename parsing for arguments with escaped quotes. bz #517; + ok markus + - djm@cvs.openbsd.org 2003/07/19 00:46:31 + [regress/sftp-cmds.sh] + regress test for sftp arguments with escaped quotes; ok markus + +20030714 + - (dtucker) [acconfig.h configure.ac port-aix.c] Older AIXes don't declare + loginfailed at all, so assume 3-arg loginfailed if not declared. + - (dtucker) [port-aix.h] Work around name collision on AIX for r_type by + undef'ing it. + - (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h] + Call setauthdb() before loginfailed(), which may load password registry- + specific functions. Based on patch by cawlfiel at us.ibm.com. + - (dtucker) [port-aix.h] Fix prototypes. + - (dtucker) OpenBSD CVS Sync + - avsm@cvs.openbsd.org 2003/07/09 13:58:19 + [key.c] + minor tweak: when generating the hex fingerprint, give strlcat the full + bound to the buffer, and add a comment below explaining why the + zero-termination is one less than the bound. markus@ ok + - markus@cvs.openbsd.org 2003/07/10 14:42:28 + [packet.c] + the 2^(blocksize*2) rekeying limit is too expensive for 3DES, + blowfish, etc, so enforce a 1GB limit for small blocksizes. + - markus@cvs.openbsd.org 2003/07/10 20:05:55 + [sftp.c] + sync usage with manpage, add missing -R + +20030708 + - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]] + Include AIX headers for authentication functions and make calls match + prototypes. Test for and handle 3-arg and 4-arg variants of loginfailed. + - (dtucker) [session.c] Check return value of setpcred(). + - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h] + Convert aixloginmsg into platform-independant Buffer loginmsg. + +20030707 + - (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before + searching libraries for it. Fixes build errors on NCR MP-RAS. + +20030706 + - (dtucker) [ssh-rand-helper.c loginrec.c] + Apply atomicio typing change to these too. + +20030703 + - (dtucker) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/06/28 07:48:10 + [sshd.c] + report pidfile creation errors, based on patch from Roumen Petrov; + ok markus@ + - deraadt@cvs.openbsd.org 2003/06/28 16:23:06 + [atomicio.c atomicio.h authfd.c clientloop.c monitor_wrap.c msg.c + progressmeter.c scp.c sftp-client.c ssh-keyscan.c ssh.h sshconnect.c + sshd.c] + deal with typing of write vs read in atomicio + - markus@cvs.openbsd.org 2003/06/29 12:44:38 [sshconnect.c] - pass salen to sockaddr_ntop so that we are happy on linux/solaris - - stevesk@cvs.openbsd.org 2002/06/10 16:53:06 - [auth-rsa.c ssh-rsa.c] - display minimum RSA modulus in error(); ok markus@ - - stevesk@cvs.openbsd.org 2002/06/10 16:56:30 - [ssh-keysign.8] - merge in stuff from my man page; ok markus@ - - stevesk@cvs.openbsd.org 2002/06/10 17:36:23 - [ssh-add.1 ssh-add.c] - use convtime() to parse and validate key lifetime. can now - use '-t 2h' etc. ok markus@ provos@ - - stevesk@cvs.openbsd.org 2002/06/10 17:45:20 - [readconf.c ssh.1] - change RhostsRSAAuthentication and RhostsAuthentication default to no - since ssh is no longer setuid root by default; ok markus@ - - stevesk@cvs.openbsd.org 2002/06/10 21:21:10 - [ssh_config] - update defaults for RhostsRSAAuthentication and RhostsAuthentication - here too (all options commented out with default value). - - markus@cvs.openbsd.org 2002/06/10 22:28:41 - [channels.c channels.h session.c] - move creation of agent socket to session.c; no need for uidswapping - in channel.c. - - markus@cvs.openbsd.org 2002/06/11 04:14:26 - [ssh.c sshconnect.c sshconnect.h] - no longer use uidswap.[ch] from the ssh client - run less code with euid==0 if ssh is installed setuid root - just switch the euid, don't switch the complete set of groups - (this is only needed by sshd). ok provos@ - - mpech@cvs.openbsd.org 2002/06/11 05:46:20 - [auth-krb4.c monitor.h serverloop.c session.c ssh-agent.c sshd.c] - pid_t cleanup. Markus need this now to keep hacking. - markus@, millert@ ok - - itojun@cvs.openbsd.org 2002/06/11 08:11:45 - [canohost.c] - use "ntop" only after initialized - - (bal) Cygwin fix up from swap uid clean up in ssh.c patch by - vinschen@redhat.com - -20020609 - - (bal) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/06/08 05:07:56 + memset 0, not \0; andrushock@korovino.net + - markus@cvs.openbsd.org 2003/07/02 12:56:34 + [channels.c] + deny dynamic forwarding with -R for v1, too; ok djm@ + - markus@cvs.openbsd.org 2003/07/02 14:51:16 + [channels.c ssh.1 ssh_config.5] + (re)add socks5 suppport to -D; ok djm@ + now ssh(1) can act both as a socks 4 and socks 5 server and + dynamically forward ports. + - markus@cvs.openbsd.org 2003/07/02 20:37:48 [ssh.c] - nuke ptrace comment - - markus@cvs.openbsd.org 2002/06/08 05:07:09 - [ssh-keysign.c] - only accept 20 byte session ids - - markus@cvs.openbsd.org 2002/06/08 05:17:01 - [readconf.c readconf.h ssh.1 ssh.c] - deprecate FallBackToRsh and UseRsh; patch from djm@ - - markus@cvs.openbsd.org 2002/06/08 05:40:01 + convert hostkeyalias to lowercase, otherwise uppercase aliases will + not match at all; ok henning@ + - markus@cvs.openbsd.org 2003/07/03 08:21:46 + [regress/dynamic-forward.sh] + add socks5; speedup; reformat; based on patch from dtucker@zip.com.au + - markus@cvs.openbsd.org 2003/07/03 08:24:13 + [regress/Makefile] + enable tests for dynamic fwd via socks (-D), uses nc(1) + - djm@cvs.openbsd.org 2003/07/03 08:09:06 + [readconf.c readconf.h ssh-keysign.c ssh.c] + fix AddressFamily option in config file, from brent@graveland.net; + ok markus@ + +20030630 + - (djm) Search for support functions necessary to build our + getrrsetbyname() replacement. Patch from Roumen Petrov + +20030629 + - (dtucker) [includes.h] Bug #602: move #include of netdb.h to after in.h + (fixes compiler warnings on Solaris 2.5.1). + - (dtucker) [configure.ac] Add sanity test after system-dependant compiler + flag modifications. + +20030628 + - (djm) Bug #591: use PKCS#15 private key label as a comment in case + of OpenSC. Report and patch from larsch@trustcenter.de + - (djm) Bug #593: Sanity check OpenSC card reader number; patch from + aj@dungeon.inka.de + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/06/23 09:02:44 + [ssh_config.5] + document EnableSSHKeysign; bugzilla #599; ok deraadt@, jmc@ + - markus@cvs.openbsd.org 2003/06/24 08:23:46 + [auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h + monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c] + int -> u_int; ok djm@, deraadt@, mouring@ + - miod@cvs.openbsd.org 2003/06/25 22:39:36 + [sftp-server.c] + Typo police: attribute is better written with an 'r'. + - markus@cvs.openbsd.org 2003/06/26 20:08:33 [readconf.c] - just warn about Deprecated options for now - - markus@cvs.openbsd.org 2002/06/08 05:41:18 - [ssh_config] - remove FallBackToRsh/UseRsh - - markus@cvs.openbsd.org 2002/06/08 12:36:53 + do not dump core for 'ssh -o proxycommand host'; ok deraadt@ + - (dtucker) [regress/dynamic-forward.sh] Import new regression test. + - (dtucker) [configure.ac] Bug #570: Have ./configure --enable-FEATURE + actually enable the feature, for those normally disabled. Patch by + openssh (at) roumenpetrov.info. + +20030624 + - (dtucker) Have configure refer the user to config.log and + contrib/findssl.sh for OpenSSL header/library mismatches. + +20030622 + - (dtucker) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/06/21 09:14:05 + [regress/reconfigure.sh] + missing $SUDO; from dtucker@zip.com.au + - markus@cvs.openbsd.org 2003/06/18 11:28:11 + [ssh-rsa.c] + backout last change, since it violates pkcs#1 + switch to share/misc/license.template + - djm@cvs.openbsd.org 2003/06/20 05:47:58 + [sshd_config.5] + sync description of protocol 2 cipher proposal; ok markus + - djm@cvs.openbsd.org 2003/06/20 05:48:21 + [sshd_config] + sync some implemented options; ok markus@ + - (dtucker) [regress/authorized_keys_root] Remove temp data file from CVS. + - (dtucker) [openbsd-compat/setproctitle.c] Ensure SPT_TYPE is defined before + testing its value. + +20030618 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/06/12 07:57:38 + [monitor.c sshlogin.c sshpty.c] + typos; dtucker at zip.com.au + - djm@cvs.openbsd.org 2003/06/12 12:22:47 + [LICENCE] + mention more copyright holders; ok markus@ + - nino@cvs.openbsd.org 2003/06/12 15:34:09 [scp.c] - remove FallBackToRsh - - markus@cvs.openbsd.org 2002/06/08 12:46:14 - [readconf.c] - silently ignore deprecated options, since FallBackToRsh might be passed - by remote scp commands. - - itojun@cvs.openbsd.org 2002/06/08 21:15:27 + Typo. Ok markus@. + - markus@cvs.openbsd.org 2003/06/12 19:12:03 + [scard.c scard.h ssh-agent.c ssh.c] + add sc_get_key_label; larsch at trustcenter.de; bugzilla#591 + - markus@cvs.openbsd.org 2003/06/16 08:22:35 + [ssh-rsa.c] + make sure the signature has at least the expected length (don't + insist on len == hlen + oidlen, since this breaks some smartcards) + bugzilla #592; ok djm@ + - markus@cvs.openbsd.org 2003/06/16 10:22:45 + [ssh-add.c] + print out key comment on each prompt; make ssh-askpass more useable; ok djm@ + - markus@cvs.openbsd.org 2003/06/17 18:14:23 + [cipher-ctr.c] + use license from /usr/share/misc/license.template for new code + - (dtucker) [reconfigure.sh rekey.sh sftp-badcmds.sh] + Import new regression tests from OpenBSD + - (dtucker) [regress/copy.1 regress/copy.2] Remove temp data files from CVS. + - (dtucker) OpenBSD CVS Sync (regress/) + - markus@cvs.openbsd.org 2003/04/02 12:21:13 + [Makefile] + enable rekey test + - djm@cvs.openbsd.org 2003/04/04 09:34:22 + [Makefile sftp-cmds.sh] + More regression tests, including recent directory rename bug; ok markus@ + - markus@cvs.openbsd.org 2003/05/14 22:08:27 + [ssh-com-client.sh ssh-com-keygen.sh ssh-com-sftp.sh ssh-com.sh] + test against some new commerical versions + - mouring@cvs.openbsd.org 2003/05/15 04:07:12 + [sftp-cmds.sh] + Advanced put/get testing for sftp. OK @djm + - markus@cvs.openbsd.org 2003/06/12 15:40:01 + [try-ciphers.sh] + add ctr + - markus@cvs.openbsd.org 2003/06/12 15:43:32 + [Makefile] + test -HUP; dtucker at zip.com.au + +20030614 + - (djm) Update license on fake-rfc2553.[ch]; ok itojun@ + +20030611 + - (djm) Mention portable copyright holders in LICENSE + - (djm) Put licenses on substantial header files + - (djm) Sync LICENSE against OpenBSD + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/06/10 09:12:11 + [scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5] + [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8] + - section reorder + - COMPATIBILITY merge + - macro cleanup + - kill whitespace at EOL + - new sentence, new line + ssh pages ok markus@ + - deraadt@cvs.openbsd.org 2003/06/10 22:20:52 + [packet.c progressmeter.c] + mostly ansi cleanup; pval ok + - jakob@cvs.openbsd.org 2003/06/11 10:16:16 [sshconnect.c] - always use getnameinfo. (diag message only) - - markus@cvs.openbsd.org 2002/06/09 04:33:27 + clean up check_host_key() and improve SSHFP feedback. ok markus@ + - jakob@cvs.openbsd.org 2003/06/11 10:18:47 + [dns.c] + sync with check_host_key() change + - djm@cvs.openbsd.org 2003/06/11 11:18:38 + [authfd.c authfd.h ssh-add.c ssh-agent.c] + make agent constraints (lifetime, confirm) work with smartcard keys; + ok markus@ + + +20030609 + - (djm) Sync README.smartcard with OpenBSD -current + - (djm) Re-merge OpenSC info into README.smartcard + +20030606 + - (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@ + +20030605 + - (djm) Support AI_NUMERICHOST in fake-getaddrinfo.c. Needed for recent + canohost.c changes. + - (djm) Implement paranoid priv dropping checks, based on: + "SetUID demystified" - Hao Chen, David Wagner and Drew Dean + Proceedings of USENIX Security Symposium 2002 + - (djm) Don't use xmalloc() or pull in toplevel headers in fake-* code + - (djm) Merge all the openbsd/fake-* into fake-rfc2553.[ch] + - (djm) Bug #588 - Add scard-opensc.o back to Makefile.in + Patch from larsch@trustcenter.de + - (djm) Bug #589 - scard-opensc: load only keys with a private keys + Patch from larsch@trustcenter.de + - (dtucker) Add includes.h to fake-rfc2553.c so it will build. + - (dtucker) Define EAI_NONAME in fake-rfc2553.h (used by fake-rfc2553.c). + +20030604 + - (djm) Bug #573 - Remove unneeded Krb headers and compat goop. Patch from + simon@sxw.org.uk (Also matches a change in OpenBSD a while ago) + - (djm) Bug #577 - wrong flag in scard-opensc.c sc_private_decrypt. + Patch from larsch@trustcenter.de; ok markus@ + - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from + larsch@trustcenter.de; ok markus@ + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/06/04 08:25:18 [sshconnect.c] - abort() - > fatal() - - (bal) RCSID tag updates on channels.c, clientloop.c, nchan.c, - sftp-client.c, ssh-agenet.c, ssh-keygen.c and connect.h (we did unexpand - independant of them) - -20020607 - - (bal) Removed --{enable/disable}-suid-ssh - - (bal) Missed __progname in ssh-keysign.c patch by dtucker@zip.com.au - - (bal) use 'LOGIN_PROGRAM' not '/usr/bin/login' in session.c patch by - Bertrand.Velle@apogee-com.fr - -20020606 - - (bal) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/05/15 21:56:38 - [servconf.c sshd.8 sshd_config] - re-enable privsep and disable setuid for post-3.2.2 - - markus@cvs.openbsd.org 2002/05/16 22:02:50 - [cipher.c kex.h mac.c] - fix warnings (openssl 0.9.7 requires const) - - stevesk@cvs.openbsd.org 2002/05/16 22:09:59 - [session.c ssh.c] - don't limit xauth pathlen on client side and longer print length on - server when debug; ok markus@ - - deraadt@cvs.openbsd.org 2002/05/19 20:54:52 - [log.h] - extra commas in enum not 100% portable - - deraadt@cvs.openbsd.org 2002/05/22 23:18:25 - [ssh.c sshd.c] - spelling; abishoff@arc.nasa.gov - - markus@cvs.openbsd.org 2002/05/23 19:24:30 - [authfile.c authfile.h pathnames.h ssh.c sshconnect.c sshconnect.h - sshconnect1.c sshconnect2.c ssh-keysign.8 ssh-keysign.c Makefile.in] - add /usr/libexec/ssh-keysign: a setuid helper program for hostbased - authentication in protocol v2 (needs to access the hostkeys). - - markus@cvs.openbsd.org 2002/05/23 19:39:34 + disable challenge/response and keyboard-interactive auth methods + upon hostkey mismatch. based on patch from fcusack AT fcusack.com. + bz #580; ok markus@ + - djm@cvs.openbsd.org 2003/06/04 10:23:48 + [sshd.c] + remove duplicated group-dropping code; ok markus@ + - djm@cvs.openbsd.org 2003/06/04 12:03:59 + [serverloop.c] + remove bitrotten commet; ok markus@ + - djm@cvs.openbsd.org 2003/06/04 12:18:49 + [scp.c] + ansify; ok markus@ + - djm@cvs.openbsd.org 2003/06/04 12:40:39 + [scp.c] + kill ssh process upon receipt of signal, bz #241. + based on patch from esb AT hawaii.edu; ok markus@ + - djm@cvs.openbsd.org 2003/06/04 12:41:22 + [sftp.c] + kill ssh process on receipt of signal; ok markus@ + - (djm) Update to fix of bug #584: lock card before return. + From larsch@trustcenter.de + - (djm) Always use mysignal() for SIGALRM + +20030603 + - (djm) Replace setproctitle replacement with code derived from + UCB sendmail + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/06/02 09:17:34 + [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c] + [canohost.c monitor.c servconf.c servconf.h session.c sshd_config] + [sshd_config.5] + deprecate VerifyReverseMapping since it's dangerous if combined + with IP based access control as noted by Mike Harding; replace with + a UseDNS option, UseDNS is on by default and includes the + VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@ + ok deraadt@, djm@ + - millert@cvs.openbsd.org 2003/06/03 02:56:16 + [scp.c] + Remove the advertising clause in the UCB license which Berkeley + rescinded 22 July 1999. Proofed by myself and Theo. + - (djm) Fix portable-specific uses of verify_reverse_mapping too + - (djm) Sync openbsd-compat with OpenBSD CVS. + - No more 4-term BSD licenses in linked code + - (dtucker) [port-aix.c bsd-cray.c] Fix uses of verify_reverse_mapping. + +20030602 + - (djm) Fix segv from bad reordering in auth-pam.c + - (djm) Always use saved_argv in sshd.c as compat_init_setproctitle may + clobber + - (tim) openbsd-compat/xmmap.[ch] License clarifications. Add missing + CVS ID. + - (djm) Remove "noip6" option from RedHat spec file. This may now be + set at runtime using AddressFamily option. + - (djm) Fix use of macro before #define in cipher-aes.c + - (djm) Sync license on openbsd-compat/bindresvport.c with OpenBSD CVS + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/05/26 12:54:40 + [sshconnect.c] + fix format strings; ok markus@ + - deraadt@cvs.openbsd.org 2003/05/29 16:58:45 + [sshd.c uidswap.c] + seteuid and setegid; markus ok + - jakob@cvs.openbsd.org 2003/06/02 08:31:10 + [ssh_config.5] + VerifyHostKeyDNS is v2 only. ok markus@ + +20030530 + - (dtucker) Add missing semicolon in md5crypt.c, patch from openssh at + roumenpetrov.info + - (dtucker) Define SSHD_ACQUIRES_CTTY for NCR MP-RAS and Reliant Unix. + +20030526 + - (djm) Avoid auth2-chall.c warning when compiling without + PAM, BSD_AUTH and SKEY + +20030525 +- (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/05/24 09:02:22 + [log.c] + pass logged data through strnvis; ok markus + - djm@cvs.openbsd.org 2003/05/24 09:30:40 + [authfile.c monitor.c sftp-common.c sshpty.c] + cast some types for printing; ok markus@ + +20030524 + - (dtucker) Correct --osfsia in INSTALL. Patch by skeleten at shillest.net + +20030523 + - (djm) Use VIS_SAFE on logged strings rather than default strnvis + encoding (which encodes many more characters) + - OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/05/20 12:03:35 + [sftp.1] + - new sentence, new line + - added .Xr's + - typos + ok djm@ + - jmc@cvs.openbsd.org 2003/05/20 12:09:31 + [ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1] + new sentence, new line + - djm@cvs.openbsd.org 2003/05/23 08:29:30 + [sshconnect.c] + fix leak; ok markus@ + +20030520 + - (djm) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2003/05/18 23:22:01 + [log.c] + use syslog_r() in a signal handler called place; markus ok + - (djm) Configure logic to detect syslog_r and friends + +20030519 + - (djm) Sync auth-pam.h with what we actually implement + +20030518 + - (djm) Return of the dreaded PAM_TTY_KLUDGE, which went missing in + recent merge + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/05/16 03:27:12 + [readconf.c ssh_config ssh_config.5 ssh-keysign.c] + add AddressFamily option to ssh_config (like -4, -6 on commandline). + Portable bug #534; ok markus@ + - itojun@cvs.openbsd.org 2003/05/17 03:25:58 + [auth-rhosts.c] + just in case, put numbers to sscanf %s arg. + - markus@cvs.openbsd.org 2003/05/17 04:27:52 + [cipher.c cipher-ctr.c myproposal.h] + experimental support for aes-ctr modes from + http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt + ok djm@ + - (djm) Remove IPv4 by default hack now that we can specify AF in config + - (djm) Tidy and trim TODO + - (djm) Sync openbsd-compat/ with OpenBSD CVS head + - (djm) Big KNF on openbsd-compat/ + - (djm) KNF on md5crypt.[ch] + - (djm) KNF on auth-sia.[ch] + +20030517 + - (bal) strcat -> strlcat on openbsd-compat/realpath.c (rev 1.8 OpenBSD) + +20030516 + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/05/15 13:52:10 [ssh.c] - add comment about ssh-keysign - - markus@cvs.openbsd.org 2002/05/24 08:45:14 - [sshconnect2.c] - stat ssh-keysign first, print error if stat fails; - some debug->error; fix comment - - markus@cvs.openbsd.org 2002/05/25 08:50:39 + Make "ssh -V" print the OpenSSL version in a human readable form. Patch + from Craig Leres (mindrot at ee.lbl.gov); ok markus@ + - jakob@cvs.openbsd.org 2003/05/15 14:02:47 + [readconf.c servconf.c] + warn for unsupported config option. ok markus@ + - markus@cvs.openbsd.org 2003/05/15 14:09:21 + [auth2-krb5.c] + fix 64bit issue; report itojun@ + - djm@cvs.openbsd.org 2003/05/15 14:55:25 + [readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c] + add a ConnectTimeout option to ssh, based on patch from + Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@ + - (djm) Add warning for UsePAM when built without PAM support + - (djm) A few type mismatch fixes from Bug #565 + - (djm) Guard free_pam_environment against NULL argument. Works around + HP/UX PAM problems debugged by dtucker + +20030515 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/05/14 13:11:56 + [ssh-agent.1] + setup -> set up; + from wiz@netbsd + - jakob@cvs.openbsd.org 2003/05/14 18:16:20 + [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c] + [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c] + add experimental support for verifying hos keys using DNS as described + in draft-ietf-secsh-dns-xx.txt. more information in README.dns. + ok markus@ and henning@ + - markus@cvs.openbsd.org 2003/05/14 22:24:42 + [clientloop.c session.c ssh.1] + allow to send a BREAK to the remote system; ok various + - markus@cvs.openbsd.org 2003/05/15 00:28:28 [sshconnect2.c] - execlp->execl; from stevesk - - markus@cvs.openbsd.org 2002/05/25 18:51:07 - [auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c - auth2-passwd.c auth2-pubkey.c Makefile.in] - split auth2.c into one file per method; ok provos@/deraadt@ - - stevesk@cvs.openbsd.org 2002/05/26 20:35:10 + cleanup unregister of per-method packet handlers; ok djm@ + - jakob@cvs.openbsd.org 2003/05/15 01:48:10 + [readconf.c readconf.h servconf.c servconf.h] + always parse kerberos options. ok djm@ markus@ + - jakob@cvs.openbsd.org 2003/05/15 02:27:15 + [dns.c] + add missing freerrset + - markus@cvs.openbsd.org 2003/05/15 03:08:29 + [cipher.c cipher-bf1.c cipher-aes.c cipher-3des1.c] + split out custom EVP ciphers + - djm@cvs.openbsd.org 2003/05/15 03:10:52 + [ssh-keygen.c] + avoid warning; ok jakob@ + - mouring@cvs.openbsd.org 2003/05/15 03:39:07 + [sftp-int.c] + Make put/get (globed and nonglobed) code more consistant. OK djm@ + - mouring@cvs.openbsd.org 2003/05/15 03:43:59 + [sftp-int.c sftp.c] + Teach ls how to display multiple column display and allow users + to return to single column format via 'ls -1'. OK @djm + - jakob@cvs.openbsd.org 2003/05/15 04:08:44 + [readconf.c servconf.c] + disable kerberos when not supported. ok markus@ + - markus@cvs.openbsd.org 2003/05/15 04:08:41 [ssh.1] - sort ChallengeResponseAuthentication; ok markus@ - - stevesk@cvs.openbsd.org 2002/05/28 16:45:27 - [monitor_mm.c] - print strerror(errno) on mmap/munmap error; ok markus@ - - stevesk@cvs.openbsd.org 2002/05/28 17:28:02 - [uidswap.c] - format spec change/casts and some KNF; ok markus@ - - stevesk@cvs.openbsd.org 2002/05/28 21:24:00 - [uidswap.c] - use correct function name in fatal() - - stevesk@cvs.openbsd.org 2002/05/29 03:06:30 - [ssh.1 sshd.8] - spelling - - markus@cvs.openbsd.org 2002/05/29 11:21:57 - [sshd.c] - don't start if privsep is enabled and SSH_PRIVSEP_USER or - _PATH_PRIVSEP_CHROOT_DIR are missing; ok deraadt@ - - markus@cvs.openbsd.org 2002/05/30 08:07:31 + ~B is ssh2 only + - (djm) Always parse UsePAM + - (djm) Configure glue for DNS support (code doesn't work in portable yet) + - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support) + - (djm) Tidy Makefile clean targets + - (djm) Adapt README.dns for portable + - (djm) Avoid uuencode.c warnings + - (djm) Enable UsePAM when built --with-pam + - (djm) Only build getrrsetbyname replacement when using --with-dns + - (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv + correctly) + - (djm) Bug #444: Wrong paths after reconfigure + - (dtucker) HP-UX needs to include for TIOCSBRK + +20030514 + - (djm) Bug #117: Don't lie to PAM about username + - (djm) RCSID sync w/ OpenBSD + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2003/04/09 12:00:37 + [readconf.c] + strip trailing whitespace from config lines before parsing. + Fixes bz 528; ok markus@ + - markus@cvs.openbsd.org 2003/04/12 10:13:57 [cipher.c] - use rijndael/aes from libcrypto (openssl >= 0.9.7) instead of - our own implementation. allow use of AES hardware via libcrypto, - ok deraadt@ - - markus@cvs.openbsd.org 2002/05/31 10:30:33 + hide cipher details; ok djm@ + - markus@cvs.openbsd.org 2003/04/12 10:15:36 + [misc.c] + debug->debug2 + - naddy@cvs.openbsd.org 2003/04/12 11:40:15 + [ssh.1] + document -V switch, fix wording; ok markus@ + - markus@cvs.openbsd.org 2003/04/14 14:17:50 + [channels.c sshconnect.c sshd.c ssh-keyscan.c] + avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP + - mouring@cvs.openbsd.org 2003/04/14 21:31:27 + [sftp-int.c] + Missing globfree(&g) in process_put() spotted by Vince Brimhall + . ok@ Theo + - markus@cvs.openbsd.org 2003/04/16 14:35:27 + [auth.h] + document struct Authctxt; with solar + - deraadt@cvs.openbsd.org 2003/04/26 04:29:49 + [ssh-keyscan.c] + -t in usage(); rogier@quaak.org + - mouring@cvs.openbsd.org 2003/04/30 01:16:20 + [sshd.8 sshd_config.5] + Escape ?, * and ! in .Ql for nroff compatibility. OpenSSH Portable + Bug #550 and * escaping suggested by jmc@. + - david@cvs.openbsd.org 2003/04/30 20:41:07 + [sshd.8] + fix invalid .Pf macro usage introduced in previous commit + ok jmc@ mouring@ + - markus@cvs.openbsd.org 2003/05/11 16:56:48 + [authfile.c ssh-keygen.c] + change key_load_public to try to read a public from: + rsa1 private or rsa1 public and ssh2 keys. + this makes ssh-keygen -e fail for ssh1 keys more gracefully + for example; report from itojun (netbsd pr 20550). + - markus@cvs.openbsd.org 2003/05/11 20:30:25 + [channels.c clientloop.c serverloop.c session.c ssh.c] + make channel_new() strdup the 'remote_name' (not the caller); ok theo + - markus@cvs.openbsd.org 2003/05/12 16:55:37 [sshconnect2.c] - extent ssh-keysign protocol: - pass # of socket-fd to ssh-keysign, keysign verfies locally used - ip-address using this socket-fd, restricts fake local hostnames - to actual local hostnames; ok stevesk@ - - markus@cvs.openbsd.org 2002/05/31 11:35:15 - [auth.h auth2.c] - move Authmethod definitons to per-method file. - - markus@cvs.openbsd.org 2002/05/31 13:16:48 - [key.c] - add comment: - key_verify returns 1 for a correct signature, 0 for an incorrect signature - and -1 on error. - - markus@cvs.openbsd.org 2002/05/31 13:20:50 - [ssh-rsa.c] - pad received signature with leading zeros, because RSA_verify expects - a signature of RSA_size. the drafts says the signature is transmitted - unpadded (e.g. putty does not pad), reported by anakin@pobox.com - - deraadt@cvs.openbsd.org 2002/06/03 12:04:07 - [ssh.h] - compatiblity -> compatibility - decriptor -> descriptor - authentciated -> authenticated - transmition -> transmission - - markus@cvs.openbsd.org 2002/06/04 19:42:35 + for pubkey authentication try the user keys in the following order: + 1. agent keys that are found in the config file + 2. other agent keys + 3. keys that are only listed in the config file + this helps when an agent has many keys, where the server might + close the connection before the correct key is used. report & ok pb@ + - markus@cvs.openbsd.org 2003/05/12 18:35:18 + [ssh-keyscan.1] + typo: DSA keys are of type ssh-dss; Brian Poole + - markus@cvs.openbsd.org 2003/05/14 00:52:59 + [ssh2.h] + ranges for per auth method messages + - djm@cvs.openbsd.org 2003/05/14 01:00:44 + [sftp.1] + emphasise the batchmode functionality and make reference to pubkey auth, + both of which are FAQs; ok markus@ + - markus@cvs.openbsd.org 2003/05/14 02:15:47 + [auth2.c monitor.c sshconnect2.c auth2-krb5.c] + implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@ + server interops with commercial client; ok jakob@ djm@ + - jmc@cvs.openbsd.org 2003/05/14 08:25:39 + [sftp.1] + - better formatting in SYNOPSIS + - whitespace at EOL + ok djm@ + - markus@cvs.openbsd.org 2003/05/14 08:57:49 [monitor.c] - only allow enabled authentication methods; ok provos@ - - markus@cvs.openbsd.org 2002/06/04 19:53:40 - [monitor.c] - save the session id (hash) for ssh2 (it will be passed with the - initial sign request) and verify that this value is used during - authentication; ok provos@ - - markus@cvs.openbsd.org 2002/06/04 23:02:06 - [packet.c] - remove __FUNCTION__ - - markus@cvs.openbsd.org 2002/06/04 23:05:49 - [cipher.c monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c] - __FUNCTION__ -> __func__ - - markus@cvs.openbsd.org 2002/06/05 16:08:07 - [ssh-agent.1 ssh-agent.c] - '-a bind_address' binds the agent to user-specified unix-domain - socket instead of /tmp/ssh-XXXXXXXX/agent.; ok djm@ (some time ago). - - markus@cvs.openbsd.org 2002/06/05 16:08:07 - [ssh-agent.1 ssh-agent.c] - '-a bind_address' binds the agent to user-specified unix-domain - socket instead of /tmp/ssh-XXXXXXXX/agent.; ok djm@ (some time ago). - - markus@cvs.openbsd.org 2002/06/05 16:48:54 - [ssh-agent.c] - copy current request into an extra buffer and just flush this - request on errors, ok provos@ - - markus@cvs.openbsd.org 2002/06/05 19:57:12 - [authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c] - ssh-add -x for lock and -X for unlocking the agent. - todo: encrypt private keys with locked... - - markus@cvs.openbsd.org 2002/06/05 20:56:39 - [ssh-add.c] - add -x/-X to usage - - markus@cvs.openbsd.org 2002/06/05 21:55:44 - [authfd.c authfd.h ssh-add.1 ssh-add.c ssh-agent.c] - ssh-add -t life, Set lifetime (in seconds) when adding identities; - ok provos@ - - stevesk@cvs.openbsd.org 2002/06/06 01:09:41 - [monitor.h] - no trailing comma in enum; china@thewrittenword.com - - markus@cvs.openbsd.org 2002/06/06 17:12:44 - [sftp-server.c] - discard remaining bytes of current request; ok provos@ - - markus@cvs.openbsd.org 2002/06/06 17:30:11 - [sftp-server.c] - use get_int() macro (hide iqueue) - - (bal) Missed msg.[ch] in merge. Required for ssh-keysign. - - (bal) Forgot to add msg.c Makefile.in. - - (bal) monitor_mm.c typos. - - (bal) Refixed auth2.c. It was never fully commited while spliting out - authentication to different files. - - (bal) ssh-keysign should build and install correctly now. Phase two - would be to clean out any dead wood and disable ssh setuid on install. - - (bal) Reverse logic, use __func__ first since it's C99 - -20020604 - - (stevesk) [channels.c] bug #164 patch from YOSHIFUJI Hideaki (changed - setsockopt from debug to error for now). - -20020527 - - (tim) [configure.ac.orig monitor_fdpass.c] Enahnce msghdr tests to address - build problem on Irix reported by Dave Love . Back out - last monitor_fdpass.c changes that are no longer needed with new tests. - Patch tested on Irix by Jan-Frode Myklebust - -20020522 - - (djm) Fix spelling mistakes, spotted by Solar Designer i - - - Sync scard/ (not sure when it drifted) - - (djm) OpenBSD CVS Sync: - [auth.c] - Fix typo/thinko. Pass in as to auth_approval(), not NULL. - Closes PR 2659. - - Crank version - - Crank RPM spec versions - -20020521 - - (stevesk) [sshd.c] bug 245; disable setsid() for now - - (stevesk) [sshd.c] #ifndef HAVE_CYGWIN for setgroups() - -20020517 - - (tim) [configure.ac] remove extra MD5_MSG="no" line. - -20020515 - - (bal) CVS ID fix up on auth-passwd.c - - (bal) OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2002/05/07 19:54:36 - [ssh.h] - use ssh uid - - deraadt@cvs.openbsd.org 2002/05/08 21:06:34 - [ssh.h] - move to sshd.sshd instead - - stevesk@cvs.openbsd.org 2002/05/11 20:24:48 - [ssh.h] - typo in comment - - itojun@cvs.openbsd.org 2002/05/13 02:37:39 - [auth-skey.c auth2.c] - less warnings. skey_{respond,query} are public (in auth.h) - - markus@cvs.openbsd.org 2002/05/13 20:44:58 - [auth-options.c auth.c auth.h] - move the packet_send_debug handling from auth-options.c to auth.c; - ok provos@ - - millert@cvs.openbsd.org 2002/05/13 15:53:19 - [sshd.c] - Call setsid() in the child after sshd accepts the connection and forks. - This is needed for privsep which calls setlogin() when it changes uids. - Without this, there is a race where the login name of an existing - connection, as returned by getlogin(), may be changed to the privsep - user (sshd). markus@ OK - - markus@cvs.openbsd.org 2002/05/13 21:26:49 - [auth-rhosts.c] - handle debug messages during rhosts-rsa and hostbased authentication; - ok provos@ - - mouring@cvs.openbsd.org 2002/05/15 15:47:49 - [kex.c monitor.c monitor_wrap.c sshd.c] - 'monitor' variable clashes with at least one lame platform (NeXT). i - Renamed to 'pmonitor'. provos@ - - deraadt@cvs.openbsd.org 2002/05/04 02:39:35 - [servconf.c sshd.8 sshd_config] - enable privsep by default; provos ok - - millert@cvs.openbsd.org 2002/05/06 23:34:33 - [ssh.1 sshd.8] - Kill/adjust r(login|exec)d? references now that those are no longer in - the tree. - - markus@cvs.openbsd.org 2002/05/15 21:02:53 - [servconf.c sshd.8 sshd_config] - disable privsep and enable setuid for the 3.2.2 release - - (bal) Fixed up PAM case. I think. - - (bal) Clarified openbsd-compat/*-cray.* Licence provided by Wendy - - (bal) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/05/15 21:05:29 - [version.h] - enter OpenSSH_3.2.2 - - (bal) Caldara, Suse, and Redhat openssh.specs updated. - -20020514 - - (stevesk) [README.privsep] PAM+privsep works with Solaris 8. - - (tim) [sshpty.c] set tty modes when allocating old style bsd ptys to - match what newer style ptys have when allocated. Based on a patch by - Roger Cornelius - - (tim) [README.privsep] UnixWare 7 and OpenUNIX 8 work. - - (tim) [README.privsep] remove reference to UnixWare 7 and OpenUNIX 8 - from PAM-enabled pragraph. UnixWare has no PAM. - - (tim) [contrib/caldera/openssh.spec] update version. - -20020513 - - (stevesk) add initial README.privsep - - (stevesk) [configure.ac] nicer message: --with-privsep-user=user - - (djm) Add --with-superuser-path=xxx configure option to specify - what $PATH the superuser receives. - - (djm) Bug #231: UsePrivilegeSeparation turns off Banner. - - (djm) Add --with-privsep-path configure option - - (djm) Update RPM spec file: different superuser path, use - /var/empty/sshd for privsep - - (djm) Bug #234: missing readpassphrase declaration and defines - - (djm) Add INSTALL warning about SSH protocol 1 blowfish w/ - OpenSSL < 0.9.6 - -20020511 - - (tim) [configure.ac] applied a rework of djm's OpenSSL search cleanup patch. - Now only searches system and /usr/local/ssl (OpenSSL's default install path) - Others must use --with-ssl-dir=.... - - (tim) [monitor_fdpass.c] fix for systems that have both - HAVE_ACCRIGHTS_IN_MSGHDR and HAVE_CONTROL_IN_MSGHDR. Ie. sys/socket.h - has #define msg_accrights msg_control - -20020510 - - (stevesk) [auth.c] Shadow account and expiration cleanup. Now - check for root forced expire. Still don't check for inactive. - - (djm) Rework RedHat RPM files. Based on spec from Nalin - Dahyabhai and patches from - Pekka Savola - - (djm) Try to drop supplemental groups at daemon startup. Patch from - RedHat - - (bal) Back all the way out of auth-passwd.c changes. Breaks too many - things that don't set pw->pw_passwd. - -20020509 - - (tim) [Makefile.in] Unbreak make -f Makefile.in distprep - -20020508 - - (tim) [openbsd-compat/bsd-arc4random.c] fix logic on when seed_rng() is - called. Report by Chris Maxwell - - (tim) [Makefile.in configure.ac] set SHELL variable in Makefile - - (djm) Disable PAM kbd-int auth if privsep is turned on (it doesn't work) - -20020507 - - (tim) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h] - Add truncate() emulation to address Bug 208 - -20020506 - - (djm) Unbreak auth-passwd.c for PAM and SIA - - (djm) Unbreak PAM auth for protocol 1. Report from Pekka Savola - - - (djm) Don't reinitialise PAM credentials before we have started PAM. - Report from Pekka Savola - -20020506 - - (bal) Fixed auth-passwd.c to resolve PermitEmptyPassword issue - -20020501 - - (djm) Import OpenBSD regression tests. Requires BSD make to run - - (djm) Fix readpassphase compilation for systems which have it - -20020429 - - (tim) [contrib/caldera/openssh.spec] update fixUP to reflect changes in - sshd_config. - - (tim) [contrib/cygwin/README] remove reference to regex. - patch from Corinna Vinschen - -20020426 - - (djm) Bug #137, #209: fix make problems for scard/Ssh.bin, do uudecode - during distprep only - - (djm) Disable PAM password expiry until a complete fix for bug #188 - exists - - (djm) Bug #180: Set ToS bits on IPv4-in-IPv6 mapped addresses. Based on - patch from openssh@misc.tecq.org - -20020425 - - (stevesk) [defines.h] remove USE_TIMEVAL; unused - - (stevesk) [acconfig.h auth-passwd.c configure.ac sshd.c] HP-UX 10.26 - support. bug #184. most from dcole@keysoftsys.com. - -20020424 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/04/23 12:54:10 - [version.h] - 3.2.1 - - djm@cvs.openbsd.org 2002/04/23 22:16:29 - [sshd.c] - Improve error message; ok markus@ stevesk@ - -20020423 - - (stevesk) [acconfig.h configure.ac session.c] LOGIN_NO_ENDOPT for HP-UX - - (stevesk) [acconfig.h] NEED_IN_SYSTM_H unused - - (markus) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/04/23 12:58:26 - [radix.c] - send complete ticket; semerad@ss1000.ms.mff.cuni.cz - - (djm) Trim ChangeLog to include only post-3.1 changes - - (djm) Update RPM spec file versions - - (djm) Redhat spec enables KrbV by default - - (djm) Applied OpenSC smartcard updates from Markus & - Antti Tapaninen - - (djm) Define BROKEN_REALPATH for AIX, patch from - Antti Tapaninen - - (djm) Bug #214: Fix utmp for Irix (don't strip "tty"). Patch from - Kevin Taylor (??) via Philipp Grau - - - (djm) Bug #213: Simplify CMSG_ALIGN macros to avoid symbol clashes. - Reported by Doug Manton - - (djm) Bug #222: Fix tests for getaddrinfo on OSF/1. Spotted by - Robert Urban - - (djm) Bug #206 - blibpath isn't always needed for AIX ld, avoid - sizeof(long long int) == 4 breakage. Patch from Matthew Clarke - - - (djm) Make privsep work with PAM (still experimental) + http://bugzilla.mindrot.org/show_bug.cgi?id=560 + Privsep child continues to run after monitor killed. + Pass monitor signals through to child; Darren Tucker + - (djm) Make portable build with MIT krb5 (some issues remain) + - (djm) Add new UsePAM configuration directive to allow runtime control + over usage of PAM. This allows non-root use of sshd when built with + --with-pam + - (djm) Die screaming if start_pam() is called when UsePAM=no + - (djm) Avoid KrbV leak for MIT Kerberos + - (dtucker) Set ai_socktype and ai_protocol in fake-getaddrinfo.c. ok djm@ + - (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability + +20030512 + - (djm) Redhat spec: Don't install profile.d scripts when not + building with GNOME/GTK askpass (patch from bet@rahul.net) + +20030510 + - (dtucker) Bug #318: Create ssh_prng_cmds.out during "make" rather than + "make install". Patch by roth@feep.net. + - (dtucker) Bug #536: Test for and work around openpty/controlling tty + problem on Linux (fixes "could not set controlling tty" errors). + - (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with + proper challenge-response module + - (djm) 2-clause license on loginrec.c, with permission from + andre@ae-35.com + +20030504 + - (dtucker) Bug #497: Move #include of bsd-cygwin_util.h to openbsd-compat.h. + Patch from vinschen@redhat.com. + +20030503 + - (dtucker) Add missing "void" to record_failed_login in bsd-cray.c. Noted + by wendyp@cray.com. + +20030502 + - (dtucker) Bug #544: ignore invalid cmsg_type on Linux 2.0 kernels, + privsep should now work. + - (dtucker) Move handling of bad password authentications into a platform + specific record_failed_login() function (affects AIX & Unicos). ok mouring@ + +20030429 + - (djm) Add back radix.o (used by AFS support), after it went missing from + Makefile many moons ago + - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer + - (djm) Fix blibpath specification for AIX/gcc + - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org + +20030428 + - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit + hacked code. + +20030427 + - (bal) Bug #541: return; was dropped by mistake. Reported by + furrier@iglou.com + - (bal) Since we don't support platforms lacking u_int_64. We may + as well clean out some of those evil #ifdefs + - (bal) auth1.c minor resync while looking at the code. + - (bal) auth2.c same changed as above. + +20030409 + - (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report + from matth@eecs.berkeley.edu + - (djm) Make the spec work with Redhat 9.0 (which renames sharutils) - (djm) OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2002/04/20 09:02:03 + - markus@cvs.openbsd.org 2003/04/02 09:48:07 + [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] + [readconf.h serverloop.c sshconnect2.c] + reapply rekeying chage, tested by henning@, ok djm@ + - markus@cvs.openbsd.org 2003/04/02 14:36:26 + [ssh-keysign.c] + potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526 + - itojun@cvs.openbsd.org 2003/04/03 07:25:27 + [progressmeter.c] + $OpenBSD$ + - itojun@cvs.openbsd.org 2003/04/03 10:17:35 + [progressmeter.c] + remove $OpenBSD$, as other *.c does not have it. + - markus@cvs.openbsd.org 2003/04/07 08:29:57 + [monitor_wrap.c] + typo: get correct counters; introduced during rekeying change. + - millert@cvs.openbsd.org 2003/04/07 21:58:05 + [progressmeter.c] + The UCB copyright here is incorrect. This code did not originate + at UCB, it was written by Luke Mewburn. Updated the copyright at + the author's request. markus@ OK + - itojun@cvs.openbsd.org 2003/04/08 20:21:29 + [*.c *.h] + rename log() into logit() to avoid name conflict. markus ok, from + netbsd + - (djm) XXX - Performed locally using: + "perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h" + - hin@cvs.openbsd.org 2003/04/09 08:23:52 [servconf.c] - No, afs requires explicit enabling - - markus@cvs.openbsd.org 2002/04/20 09:14:58 - [bufaux.c bufaux.h] - add buffer_{get,put}_short - - markus@cvs.openbsd.org 2002/04/20 09:17:19 - [radix.c] - rewrite using the buffer_* API, fixes overflow; ok deraadt@ - - stevesk@cvs.openbsd.org 2002/04/21 16:19:27 - [sshd.8 sshd_config] - document default AFSTokenPassing no; ok deraadt@ - - stevesk@cvs.openbsd.org 2002/04/21 16:25:06 - [sshconnect1.c] - spelling in error message; ok markus@ - - markus@cvs.openbsd.org 2002/04/22 06:15:47 - [radix.c] - fix check for overflow - - markus@cvs.openbsd.org 2002/04/22 16:16:53 - [servconf.c sshd.8 sshd_config] - do not auto-enable KerberosAuthentication; ok djm@, provos@, deraadt@ - - markus@cvs.openbsd.org 2002/04/22 21:04:52 - [channels.c clientloop.c clientloop.h ssh.c] - request reply (success/failure) for -R style fwd in protocol v2, - depends on ordered replies. - fixes http://bugzilla.mindrot.org/show_bug.cgi?id=215; ok provos@ - -20020421 - - (tim) [entropy.c.] Portability fix for SCO Unix 3.2v4.x (SCO OSR 3.0). - entropy.c needs seteuid(getuid()) for the setuid(original_uid) to - succeed. Patch by gert@greenie.muc.de. This fixes one part of Bug 208 - -20020418 - - (djm) Avoid SIGCHLD breakage when run from rsync. Fix from - Sturle Sunde - -20020417 - - (djm) Tell users to configure /dev/random support into OpenSSL in - INSTALL - - (djm) Fix .Nm in mdoc2man.pl from pspencer@fields.utoronto.ca - - (tim) [configure.ac] Issue warning on --with-default-path=/some_path - if LOGIN_CAP is enabled. Report & testing by Tuc - -20020415 - - (djm) Unbreak "make install". Fix from Darren Tucker - - - (stevesk) bsd-cygwin_util.[ch] BSD license from Corinna Vinschen - - (tim) [configure.ac] add tests for recvmsg and sendmsg. - [monitor_fdpass.c] add checks for HAVE_SENDMSG and HAVE_RECVMSG for - systems that HAVE_ACCRIGHTS_IN_MSGHDR but no recvmsg or sendmsg. - -20020414 - - (djm) ssh-rand-helper improvements - - Add commandline debugging options - - Don't write binary data if stdout is a tty (use hex instead) - - Give it a manpage - - (djm) Random number collection doc fixes from Ben - -20020413 - - (djm) Add KrbV support patch from Simon Wilkinson - -20020412 - - (stevesk) [auth-sia.[ch]] add BSD license from Chris Adams - - (tim) [configure.ac] add to msghdr tests. Change -L - to -h on testing for /bin being symbolic link - - (bal) Mistaken in Cygwin scripts for ssh starting. Patch by - Corinna Vinschen - - (bal) disable privsep if no MAP_ANON. We can re-enable it - after the release when we can do more testing. - -20020411 - - (stevesk) [auth-sia.c] cleanup - - (tim) [acconfig.h defines.h includes.h] put includes in includes.h and - defines in defines.h [rijndael.c openbsd-compat/fake-socket.h - openbsd-compat/inet_aton.c] include "includes.h" instead of "config.h" - ok stevesk@ - -20020410 - - (stevesk) [configure.ac monitor.c] HAVE_SOCKETPAIR - - (stevesk) [auth-sia.c] compile fix Chris Adams - - (bal) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/04/10 08:21:47 - [auth1.c compat.c compat.h] - strip '@' from username only for KerbV and known broken clients, - bug #204 - - markus@cvs.openbsd.org 2002/04/10 08:56:01 + Don't include when compiling with Kerberos 5 support + - (djm) Fix up missing include for packet.c + - (djm) Fix missed log => logit occurance (reference by function pointer) + +20030402 + - (bal) if IP_TOS is not found or broken don't try to compile in + packet_set_tos() function call. bug #527 + +20030401 + - (djm) OpenBSD CVS Sync + - jmc@cvs.openbsd.org 2003/03/28 10:11:43 + [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5] + [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8] + - killed whitespace + - new sentence new line + - .Bk for arguments + ok markus@ + - markus@cvs.openbsd.org 2003/04/01 10:10:23 + [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] + [readconf.h serverloop.c sshconnect2.c] + rekeying bugfixes and automatic rekeying: + * both client and server rekey _automatically_ + (a) after 2^31 packets, because after 2^32 packets + the sequence number for packets wraps + (b) after 2^(blocksize_in_bits/4) blocks + (see: draft-ietf-secsh-newmodes-00.txt) + (a) and (b) are _enabled_ by default, and only disabled for known + openssh versions, that don't support rekeying properly. + * client option 'RekeyLimit' + * do not reply to requests during rekeying + - markus@cvs.openbsd.org 2003/04/01 10:22:21 + [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c] + [readconf.h serverloop.c sshconnect2.c] + backout rekeying changes (for 3.6.1) + - markus@cvs.openbsd.org 2003/04/01 10:31:26 + [compat.c compat.h kex.c] + bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@; + tested by ho@ and myself + - markus@cvs.openbsd.org 2003/04/01 10:56:46 [version.h] - OpenSSH_3.2 - - Added p1 to idenify Portable release version. - -20020408 - - (bal) Minor OpenSC updates. Fix up header locations and update - README.smartcard provided by Juha Yrjölä - -20020407 - - (stevesk) HAVE_CONTROL_IN_MSGHDR; not used right now. - Future: we may want to test if fd passing works correctly. - - (stevesk) [monitor_fdpass.c] fatal() for UsePrivilegeSeparation=yes - and no fd passing support. - - (stevesk) HAVE_MMAP and HAVE_SYS_MMAN_H and use them in - monitor_mm.c - - (stevesk) remove configure support for poll.h; it was removed - from sshd.c a long time ago. - - (stevesk) --with-privsep-user; default sshd - - (stevesk) wrap munmap() with HAVE_MMAP also. - -20020406 - - (djm) Typo in Suse SPEC file. Fix from Carsten Grohmann - - - (bal) Added MAP_FAILED to allow AIX and Trusted HP to compile. - - (bal) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2002/04/06 00:30:08 - [sftp-client.c] - Fix occasional corruption on upload due to bad reuse of request - id, spotted by chombier@mac.com; ok markus@ - - mouring@cvs.openbsd.org 2002/04/06 18:24:09 - [scp.c] - Fixes potental double // within path. - http://bugzilla.mindrot.org/show_bug.cgi?id=76 - - (bal) Slight update to OpenSC support. Better version checking. patch - by Juha Yrjölä - - (bal) Revered out of runtime IRIX detection of joblimits. Code is - incomplete. - - (bal) Quiet down configure.ac if /bin/test does not exist. - - (bal) We no longer use atexit()/xatexit()/on_exit() - -20020405 - - (bal) Patch for OpenSC SmartCard library; ok markus@; patch by - Juha Yrjölä - - (bal) Minor documentation update to reflect smartcard library - support changes. - - (bal) Too many issues. Remove all workarounds and - using internal version only. - - (bal) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2002/04/05 20:56:21 - [sshd.8] - clarify sshrc some and handle X11UseLocalhost=yes; ok markus@ - -20020404 - - (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h - auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm. - - (bal) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/04/03 09:26:11 - [cipher.c myproposal.h] - re-add rijndael-cbc@lysator.liu.se for MacSSH; ash@lab.poc.net - -20020402 - - (bal) Hand Sync of scp.c (reverted to upstream code) - - deraadt@cvs.openbsd.org 2002/03/30 17:45:46 - [scp.c] - stretch banners - - (bal) CVS ID sync of uidswap.c - - (bal) OpenBSD CVS Sync (now for the real sync) - - markus@cvs.openbsd.org 2002/03/27 22:21:45 - [ssh-keygen.c] - try to import keys with extra trailing === (seen with ssh.com < - 2.0.12) - - markus@cvs.openbsd.org 2002/03/28 15:34:51 - [session.c] - do not call record_login twice (for use_privsep) - - markus@cvs.openbsd.org 2002/03/29 18:59:32 - [session.c session.h] - retrieve last login time before the pty is allocated, store per - session - - stevesk@cvs.openbsd.org 2002/03/29 19:16:22 - [sshd.8] - RSA key modulus size minimum 768; ok markus@ - - stevesk@cvs.openbsd.org 2002/03/29 19:18:33 - [auth-rsa.c ssh-rsa.c ssh.h] - make RSA modulus minimum #define; ok markus@ - - markus@cvs.openbsd.org 2002/03/30 18:51:15 - [monitor.c serverloop.c sftp-int.c sftp.c sshd.c] - check waitpid for EINTR; based on patch from peter@ifm.liu.se - - markus@cvs.openbsd.org 2002/04/01 22:02:16 - [sftp-client.c] - 20480 is an upper limit for older server - - markus@cvs.openbsd.org 2002/04/01 22:07:17 - [sftp-client.c] - fallback to stat if server does not support lstat - - markus@cvs.openbsd.org 2002/04/02 11:49:39 - [ssh-agent.c] - check $SHELL for -k and -d, too; - http://bugzilla.mindrot.org/show_bug.cgi?id=199 - - markus@cvs.openbsd.org 2002/04/02 17:37:48 - [sftp.c] - always call log_init() - - markus@cvs.openbsd.org 2002/04/02 20:11:38 - [ssh-rsa.c] - ignore SSH_BUG_SIGBLOB for ssh-rsa; #187 - - (bal) mispelling in uidswap.c (portable only) - -20020401 - - (stevesk) [monitor.c] PAM should work again; will *not* work with - UsePrivilegeSeparation=yes. - - (stevesk) [auth1.c] fix password auth for protocol 1 when - !USE_PAM && !HAVE_OSF_SIA; merge issue. - -20020331 - - (tim) [configure.ac] use /bin/test -L to work around broken builtin on - Solaris 8 - - (tim) [sshconnect2.c] change uint32_t to u_int32_t - -20020330 - - (stevesk) [configure.ac] remove header check for sys/ttcompat.h - bug 167 - -20020327 - - (bal) 'pw' should be 'authctxt->pw' in auth1.c spotted by - kent@lysator.liu.se - - (bal) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2002/03/26 11:34:49 - [ssh.1 sshd.8] - update to recent drafts - - markus@cvs.openbsd.org 2002/03/26 11:37:05 - [ssh.c] - update Copyright - - markus@cvs.openbsd.org 2002/03/26 15:23:40 - [bufaux.c] - do not talk about packets in bufaux - - rees@cvs.openbsd.org 2002/03/26 18:46:59 - [scard.c] - try_AUT0 in read_pubkey too, for those paranoid few who want to - acl 'sh' - - markus@cvs.openbsd.org 2002/03/26 22:50:39 - [channels.h] - CHANNEL_EFD_OUTPUT_ACTIVE is false for CHAN_CLOSE_RCVD, too - - markus@cvs.openbsd.org 2002/03/26 23:13:03 - [auth-rsa.c] - disallow RSA keys < 768 for protocol 1, too (rhosts-rsa and rsa auth) - - markus@cvs.openbsd.org 2002/03/26 23:14:51 - [kex.c] - generate a new cookie for each SSH2_MSG_KEXINIT message we send out - - mouring@cvs.openbsd.org 2002/03/27 11:45:42 - [monitor.c] - monitor_allowed_key() returns int instead of pointer. ok markus@ - -20020325 - - (stevesk) import OpenBSD as "openbsd-compat/tree.h" - - (bal) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2002/03/23 20:57:26 - [sshd.c] - setproctitle() after preauth child; ok markus@ - - markus@cvs.openbsd.org 2002/03/24 16:00:27 - [serverloop.c] - remove unused debug - - markus@cvs.openbsd.org 2002/03/24 16:01:13 - [packet.c] - debug->debug3 for extra padding - - stevesk@cvs.openbsd.org 2002/03/24 17:27:03 - [kexgex.c] - typo; ok markus@ - - stevesk@cvs.openbsd.org 2002/03/24 17:53:16 - [monitor_fdpass.c] - minor cleanup and more error checking; ok markus@ - - markus@cvs.openbsd.org 2002/03/24 18:05:29 - [scard.c] - we need to figure out AUT0 for sc_private_encrypt, too - - stevesk@cvs.openbsd.org 2002/03/24 23:20:00 - [monitor.c] - remove "\n" from fatal() - - markus@cvs.openbsd.org 2002/03/25 09:21:13 - [auth-rsa.c] - return 0 (not NULL); tomh@po.crl.go.jp - - markus@cvs.openbsd.org 2002/03/25 09:25:06 - [auth-rh-rsa.c] - rm bogus comment - - markus@cvs.openbsd.org 2002/03/25 17:34:27 - [scard.c scard.h ssh-agent.c ssh-keygen.c ssh.c] - change sc_get_key to sc_get_keys and hide smartcard details in scard.c - - stevesk@cvs.openbsd.org 2002/03/25 20:12:10 - [monitor_mm.c monitor_wrap.c] - ssize_t args use "%ld" and cast to (long) - size_t args use "%lu" and cast to (u_long) - ok markus@ and thanks millert@ - - markus@cvs.openbsd.org 2002/03/25 21:04:02 - [ssh.c] - simplify num_identity_files handling - - markus@cvs.openbsd.org 2002/03/25 21:13:51 - [channels.c channels.h compat.c compat.h nchan.c] - don't send stderr data after EOF, accept this from older known - (broken) sshd servers only, fixes - http://bugzilla.mindrot.org/show_bug.cgi?id=179 - - stevesk@cvs.openbsd.org 2002/03/26 03:24:01 - [monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h] - $OpenBSD$ + 3.6.1 + - (djm) Crank spec file versions + - (djm) Release 3.6.1p1 -20020324 - - (stevesk) [session.c] disable LOGIN_NEEDS_TERM until we are sure - it can be removed. only used on solaris. will no longer compile with - privsep shuffling. - -20020322 - - (stevesk) HAVE_ACCRIGHTS_IN_MSGHDR configure support - - (stevesk) [monitor.c monitor_wrap.c] #ifdef HAVE_PW_CLASS_IN_PASSWD - - (stevesk) configure and cpp __FUNCTION__ gymnastics to handle nielsisms - - (stevesk) [monitor_fdpass.c] support for access rights style file - descriptor passing - - (stevesk) [auth2.c] merge cleanup/sync - - (stevesk) [defines.h] hp-ux 11 has ancillary data style fd passing, but - is missing CMSG_LEN() and CMSG_SPACE() macros. - - (stevesk) [defines.h] #define MAP_ANON MAP_ANONYMOUS for HP-UX; other - platforms may need this--I'm not sure. mmap() issues will need to be - addressed further. - - (tim) [cipher.c] fix problem with OpenBSD sync - - (stevesk) [LICENCE] OpenBSD sync - -20020321 - - (bal) OpenBSD CVS Sync - - itojun@cvs.openbsd.org 2002/03/08 06:10:16 - [sftp-client.c] - printf type mismatch - - itojun@cvs.openbsd.org 2002/03/11 03:18:49 - [sftp-client.c] - correct type mismatches (u_int64_t != unsigned long long) - - itojun@cvs.openbsd.org 2002/03/11 03:19:53 - [sftp-client.c] - indent - - markus@cvs.openbsd.org 2002/03/14 15:24:27 - [sshconnect1.c] - don't trust size sent by (rogue) server; noted by - s.esser@e-matters.de - - markus@cvs.openbsd.org 2002/03/14 16:38:26 - [sshd.c] - split out ssh1 session key decryption; ok provos@ - - markus@cvs.openbsd.org 2002/03/14 16:56:33 - [auth-rh-rsa.c auth-rsa.c auth.h] - split auth_rsa() for better readability and privsep; ok provos@ - - itojun@cvs.openbsd.org 2002/03/15 11:00:38 - [auth.c] - fix file type checking (use S_ISREG). ok by markus - - markus@cvs.openbsd.org 2002/03/16 11:24:53 - [compress.c] - skip inflateEnd if inflate fails; ok provos@ - - markus@cvs.openbsd.org 2002/03/16 17:22:09 - [auth-rh-rsa.c auth.h] - split auth_rhosts_rsa(), ok provos@ - - stevesk@cvs.openbsd.org 2002/03/16 17:41:25 - [auth-krb5.c] - BSD license. from Daniel Kouril via Dug Song. ok markus@ - - provos@cvs.openbsd.org 2002/03/17 20:25:56 - [auth.c auth.h auth1.c auth2.c] - getpwnamallow returns struct passwd * only if user valid; - okay markus@ - - provos@cvs.openbsd.org 2002/03/18 01:12:14 - [auth.h auth1.c auth2.c sshd.c] - have the authentication functions return the authentication context - and then do_authenticated; okay millert@ - - dugsong@cvs.openbsd.org 2002/03/18 01:30:10 - [auth-krb4.c] - set client to NULL after xfree(), from Rolf Braun - - - provos@cvs.openbsd.org 2002/03/18 03:41:08 - [auth.c session.c] - move auth_approval into getpwnamallow with help from millert@ - - markus@cvs.openbsd.org 2002/03/18 17:13:15 - [cipher.c cipher.h] - export/import cipher states; needed by ssh-privsep - - markus@cvs.openbsd.org 2002/03/18 17:16:38 - [packet.c packet.h] - export/import cipher state, iv and ssh2 seqnr; needed by ssh-privsep - - markus@cvs.openbsd.org 2002/03/18 17:23:31 - [key.c key.h] - add key_demote() for ssh-privsep - - provos@cvs.openbsd.org 2002/03/18 17:25:29 - [bufaux.c bufaux.h] - buffer_skip_string and extra sanity checking; needed by ssh-privsep - - provos@cvs.openbsd.org 2002/03/18 17:31:54 - [compress.c] - export compression streams for ssh-privsep - - provos@cvs.openbsd.org 2002/03/18 17:50:31 - [auth-bsdauth.c auth-options.c auth-rh-rsa.c auth-rsa.c] - [auth-skey.c auth.h auth1.c auth2-chall.c auth2.c kex.c kex.h kexdh.c] - [kexgex.c servconf.c] - [session.h servconf.h serverloop.c session.c sshd.c] - integrate privilege separated openssh; its turned off by default - for now. work done by me and markus@ - - provos@cvs.openbsd.org 2002/03/18 17:53:08 - [sshd.8] - credits for privsep - - provos@cvs.openbsd.org 2002/03/18 17:59:09 - [sshd.8] - document UsePrivilegeSeparation - - stevesk@cvs.openbsd.org 2002/03/18 23:52:51 - [servconf.c] - UnprivUser/UnprivGroup usable now--specify numeric user/group; ok - provos@ - - stevesk@cvs.openbsd.org 2002/03/19 03:03:43 - [pathnames.h servconf.c servconf.h sshd.c] - _PATH_PRIVSEP_CHROOT_DIR; ok provos@ - - stevesk@cvs.openbsd.org 2002/03/19 05:23:08 - [sshd.8] - Banner has no default. - - mpech@cvs.openbsd.org 2002/03/19 06:32:56 - [sftp-int.c] - use xfree() after xstrdup(). - - markus@ ok - - markus@cvs.openbsd.org 2002/03/19 10:35:39 - [auth-options.c auth.h session.c session.h sshd.c] - clean up prototypes - - markus@cvs.openbsd.org 2002/03/19 10:49:35 - [auth-krb5.c auth-rh-rsa.c auth.c cipher.c key.c misc.h] - [packet.c session.c sftp-client.c sftp-glob.h sftp.c ssh-add.c ssh.c] - [sshconnect2.c sshd.c ttymodes.c] - KNF whitespace - - markus@cvs.openbsd.org 2002/03/19 14:27:39 - [auth.c auth1.c auth2.c] - make getpwnamallow() allways call pwcopy() - - markus@cvs.openbsd.org 2002/03/19 15:31:47 - [auth.c] - check for NULL; from provos@ - - stevesk@cvs.openbsd.org 2002/03/20 19:12:25 - [servconf.c servconf.h ssh.h sshd.c] - for unprivileged user, group do: - pw=getpwnam(SSH_PRIVSEP_USER); do_setusercontext(pw). ok provos@ - - stevesk@cvs.openbsd.org 2002/03/20 21:08:08 - [sshd.c] - strerror() on chdir() fail; ok provos@ - - markus@cvs.openbsd.org 2002/03/21 10:21:20 - [ssh-add.c] - ignore errors for nonexisting default keys in ssh-add, - fixes http://bugzilla.mindrot.org/show_bug.cgi?id=158 - - jakob@cvs.openbsd.org 2002/03/21 15:17:26 - [clientloop.c ssh.1] - add built-in command line for adding new port forwardings on the fly. - based on a patch from brian wellington. ok markus@. - - markus@cvs.openbsd.org 2002/03/21 16:38:06 - [scard.c] - make compile w/ openssl 0.9.7 - - markus@cvs.openbsd.org 2002/03/21 16:54:53 - [scard.c scard.h ssh-keygen.c] - move key upload to scard.[ch] - - markus@cvs.openbsd.org 2002/03/21 16:57:15 - [scard.c] - remove const - - markus@cvs.openbsd.org 2002/03/21 16:58:13 - [clientloop.c] - remove unused - - rees@cvs.openbsd.org 2002/03/21 18:08:15 - [scard.c] - In sc_put_key(), sc_reader_id should be id. - - markus@cvs.openbsd.org 2002/03/21 20:51:12 - [sshd_config] - add privsep (off) - - markus@cvs.openbsd.org 2002/03/21 21:23:34 - [sshd.c] - add privsep_preauth() and remove 1 goto; ok provos@ - - rees@cvs.openbsd.org 2002/03/21 21:54:34 - [scard.c scard.h ssh-keygen.c] - Add PIN-protection for secret key. - - rees@cvs.openbsd.org 2002/03/21 22:44:05 - [authfd.c authfd.h ssh-add.c ssh-agent.c ssh.c] - Add PIN-protection for secret key. - - markus@cvs.openbsd.org 2002/03/21 23:07:37 - [clientloop.c] - remove unused, sync w/ cmdline patch in my tree. - -20020317 - - (tim) [configure.ac] Assume path given with --with-pid-dir=PATH is - wanted, warn if directory does not exist. Put system directories in - front of PATH for finding entorpy commands. - - (tim) [contrib/aix/buildbff.sh contrib/aix/inventory.sh] AIX package - build fixes. Patch by Darren Tucker - [contrib/solaris/buildpkg.sh] add missing dirs to SYSTEM_DIR. Have - postinstall check for $piddir and add if necessary. - -20020311 - - (tim) [contrib/solaris/buildpkg.sh, contrib/solaris/README] Updated to - build on all platforms that support SVR4 style package tools. Now runs - from build dir. Parts are based on patches from Antonio Navarro, and - Darren Tucker. - -20020308 - - (djm) Revert bits of Markus' OpenSSL compat patch which was - accidentally committed. - - (djm) Add Markus' patch for compat wih OpenSSL < 0.9.6. - Known issue: Blowfish for SSH1 does not work - - (stevesk) entropy.c: typo in debug message - - (djm) ssh-keygen -i needs seeded RNG; report from markus@ +20030326 + - (djm) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2003/03/26 04:02:51 + [sftp-server.c] + one last fix to the tree: race fix broke stuff; pr 3169; + srp@srparish.net, help from djm + +20030325 + - (djm) Fix getpeerid support for 64 bit BE systems. From + Arnd Bergmann + +20030324 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2003/03/23 19:02:00 + [monitor.c] + unbreak rekeying for privsep; ok millert@ + - Release 3.6p1 + - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo. + Report from murple@murple.net, diagnosis from dtucker@zip.com.au $Id$