X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/9108f8d92b8e2b4b5fe61eb8e419bf94ba216d44..d5efc78afe35c0cdd3b43799024062d31edb61c6:/openssh/ChangeLog diff --git a/openssh/ChangeLog b/openssh/ChangeLog index 2dbd861..d79e7fb 100644 --- a/openssh/ChangeLog +++ b/openssh/ChangeLog @@ -1,5490 +1,6922 @@ -20060926 - - (dtucker) [bufaux.h] nuke bufaux.h; it's already gone from OpenBSD and not - referenced any more. ok djm@ - - (dtucker) [sftp-server.8] Resync; spotted by djm@ - -20060924 - - (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added - to rev 1.308) to work around broken gcc 2.x header file. - -20060923 - - (dtucker) [configure.ac] Bug #1234: Put opensc libs into $LIBS rather than - $LDFLAGS. Patch from vapier at gentoo org. - -20060922 - - (dtucker) [packet.c canohost.c] Include arpa/inet.h for htonl macros on - some platforms (eg HP-UX 11.00). From santhi.amirta at gmail com. - -20060921 - - (dtucker) OpenBSD CVS Sync - - otto@cvs.openbsd.org 2006/09/19 05:52:23 - [sftp.c] - Use S_IS* macros insted of masking with S_IF* flags. The latter may - have multiple bits set, which lead to surprising results. Spotted by - Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@ - - markus@cvs.openbsd.org 2006/09/19 21:14:08 - [packet.c] - client NULL deref on protocol error; Tavis Ormandy, Google Security Team - - (dtucker) [defines.h] Include unistd.h before defining getpgrp; fixes - build error on Ultrix. From Bernhard Simon. - -20060918 - - (dtucker) [configure.ac] On AIX, check to see if the compiler will allow - macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags. - Allows build out of the box with older VAC and XLC compilers. Found by - David Bronder and Bernhard Simon. - - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes. - Prevents macro redefinition warnings of "RDONLY". - -20060916 - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/09/16 19:53:37 - [deattack.c deattack.h packet.c] - limit maximum work performed by the CRC compensation attack detector, - problem reported by Tavis Ormandy, Google Security Team; - ok markus@ deraadt@ - - (djm) Add openssh.xml to .cvsignore and sort it - - (dtucker) [auth-pam.c] Propogate TZ environment variable to PAM auth - process so that any logging it does is with the right timezone. From - Scott Strickler, ok djm@. - - (dtucker) [monitor.c] Correctly handle auditing of single commands when - using Protocol 1. From jhb at freebsd. - - (djm) [sshd.c] Fix warning/API abuse; ok dtucker@ - - (dtucker) [INSTALL] Add info about audit support. - -20060912 - - (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in] - Support SMF in Solaris Packages if enabled by configure. Patch from - Chad Mynhier, tested by dtucker@ - -20060911 - - (dtucker) [cipher-aes.c] Include string.h for memcpy and friends. Noted - by Pekka Savola. - -20060910 - - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available. - - (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB. - -20060909 - - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h. - - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user. - - (dtucker) [buildpkg.sh.in] Always create privsep user. ok djm@ - -20060908 - - (dtucker) [auth-sia.c] Add includes required for build on Tru64. Patch - from Chris Adams. - - (dtucker) [configure.ac] The BSM header test needs time.h in some cases. - -20060907 - - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can - be used to drop privilege to; fixes Solaris GSSAPI crash reported by - Magnus Abrante; suggestion and feedback dtucker@ - NB. this change will require that the privilege separation user must - exist on all the time, not just when UsePrivilegeSeparation=yes - - (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6 - - (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H. - - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better - chance of winning. - -20060905 - - (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov. - - (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP. - -20060904 - - (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native - updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius, - ok djm@ - -20060903 - - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for - declaration of writev(2) and declare it ourselves if necessary. Makes - the atomiciov() calls build on really old systems. ok djm@ - -20060902 - - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan. - - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c - openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c - openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include - for hton* and ntoh* macros. Required on (at least) HP-UX since we define - _XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com. - -20060901 - - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c] - [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c] - [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c] - [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c] - [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] - [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c] - [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c] - [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c] - [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c] - [sshconnect1.c sshconnect2.c sshd.c] - [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c] - [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c] - [openbsd-compat/port-uw.c] - Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h; - compile problems reported by rac AT tenzing.org - - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c] - [openbsd-compat/rresvport.c] Some more headers: netinet/in.h - sys/socket.h and unistd.h in various places - - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implict declaration - warnings for binary_open and binary_close. Patch from Corinna Vinschen. - - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly - test for GLOB_NOMATCH and use our glob functions if it's not found. - Stops sftp from segfaulting when attempting to get a nonexistent file on - Cygwin (previous versions of OpenSSH didn't use the native glob). Partly - from and tested by Corinna Vinschen. - - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank - versions. - -20060831 - - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ] - [platform.c platform.h sshd.c openbsd-compat/Makefile.in] - [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c] - [openbsd-compat/port-solaris.h] Add support for Solaris process - contracts, enabled with --use-solaris-contracts. Patch from Chad - Mynhier, tweaked by dtucker@ and myself; ok dtucker@ - - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege - while setting up the ssh service account. Patch from Corinna Vinschen. - -20060830 +20011202 + - (djm) Syn with OpenBSD OpenSSH-3.0.2 + - markus@cvs.openbsd.org + [session.c sshd.8 version.h] + Don't allow authorized_keys specified environment variables when + UseLogin in active + +20011115 + - (djm) Fix IPv4 default in ssh-keyscan. Spotted by Dan Astoorian + Fix from markus@ + - (djm) Release 3.0.1p1 + +20011113 + - (djm) Fix early (and double) free of remote user when using Kerberos. + Patch from Simon Wilkinson + - (djm) AIX login{success,failed} changes. Move loginsuccess call to + do_authenticated. Call loginfailed for protocol 2 failures > MAX like + we do for protocol 1. Reports from Ralf Wenk , + K.Wolkersdorfer@fz-juelich.de and others - (djm) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2006/08/21 08:14:01 - [sshd_config.5] - Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@, - ok jmc@ djm@ - - dtucker@cvs.openbsd.org 2006/08/21 08:15:57 - [sshd.8] - Add more detail about what permissions are and aren't accepted for - authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@ - - djm@cvs.openbsd.org 2006/08/29 10:40:19 - [channels.c session.c] - normalise some inconsistent (but harmless) NULL pointer checks - spotted by the Stanford SATURN tool, via Isil Dillig; - ok markus@ deraadt@ - - dtucker@cvs.openbsd.org 2006/08/29 12:02:30 - [gss-genr.c] - Work around a problem in Heimdal that occurs when KRB5CCNAME file is - missing, by checking whether or not kerberos allocated us a context - before attempting to free it. Patch from Simon Wilkinson, tested by - biorn@, ok djm@ - - dtucker@cvs.openbsd.org 2006/08/30 00:06:51 - [sshconnect2.c] - Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL - where previously it weren't. bz #1221, found by Dean Kopesky, ok djm@ - - djm@cvs.openbsd.org 2006/08/30 00:14:37 + - dugsong@cvs.openbsd.org 2001/11/11 18:47:10 + [auth-krb5.c] + fix krb5 authorization check. found by . from + art@, deraadt@ ok + - markus@cvs.openbsd.org 2001/11/12 11:17:07 + [servconf.c] + enable authorized_keys2 again. tested by fries@ + - markus@cvs.openbsd.org 2001/11/13 02:03:57 [version.h] - crank to 4.4 - - (djm) [openbsd-compat/xcrypt.c] needs unistd.h - - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call - loginsuccess on AIX immediately after authentication to clear the failed - login count. Previously this would only happen when an interactive - session starts (ie when a pty is allocated) but this means that accounts - that have primarily non-interactive sessions (eg scp's) may gradually - accumulate enough failures to lock out an account. This change may have - a side effect of creating two audit records, one with a tty of "ssh" - corresponding to the authentication and one with the allocated pty per - interactive session. - -20060824 - - (dtucker) [openbsd-compat/basename.c] Include errno.h. - - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on - older systems. - - (dtucker) [openbsd-compat/bsd-misc.c] Include for select(2) - on POSIX systems. - - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2). - - (dtucker) [openbsd-compat/rresvport.c] Include for malloc. - - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent - unused variable warning when we have a broken or missing mmap(2). - -20060822 - - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in - Makefile. Patch from santhi.amirta at gmail, ok djm. - -20060820 - - (dtucker) [log.c] Move ifdef to prevent unused variable warning. - - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore - afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl. - - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for - fixing bug #1181. No changes yet. - - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL - (0.9.8a and presumably newer) requires -ldl to successfully link. - - (dtucker) [configure.ac] Remove errant "-". - -20060819 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/08/18 22:41:29 - [gss-genr.c] - GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk - - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a - single rule for the test progs. - -20060818 - - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with - closefrom.c from sudo. - - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid. - - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error. - - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the - test progs instead; they work better than what we have. - - (djm) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2006/08/06 01:13:32 - [compress.c monitor.c monitor_wrap.c] - "zlib.h" can be ; ok djm@ markus@ - - miod@cvs.openbsd.org 2006/08/12 20:46:46 - [monitor.c monitor_wrap.c] - Revert previous include file ordering change, for ssh to compile under - gcc2 (or until openssl include files are cleaned of parameter names - in function prototypes) - - dtucker@cvs.openbsd.org 2006/08/14 12:40:25 - [servconf.c servconf.h sshd_config.5] - Add ability to match groups to Match keyword in sshd_config. Feedback - djm@, stevesk@, ok stevesk@. - - djm@cvs.openbsd.org 2006/08/16 11:47:15 + enter 3.0.1 + - (djm) Bump RPM package versions + +20011112 + - (djm) Makefile correctness fix from Mark D. Baushke + - (djm) Cygwin config patch from Corinna Vinschen + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/10/24 08:41:41 [sshd.c] - factor inetd connection, TCP listen and main TCP accept loop out of - main() into separate functions to improve readability; ok markus@ - - deraadt@cvs.openbsd.org 2006/08/18 09:13:26 - [log.c log.h sshd.c] - make signal handler termination path shorter; risky code pointed out by - mark dowd; ok djm markus - - markus@cvs.openbsd.org 2006/08/18 09:15:20 - [auth.h session.c sshd.c] - delay authentication related cleanups until we're authenticated and - all alarms have been cancelled; ok deraadt - - djm@cvs.openbsd.org 2006/08/18 10:27:16 - [misc.h] - reorder so prototypes are sorted by the files they refer to; no - binary change - - djm@cvs.openbsd.org 2006/08/18 13:54:54 - [gss-genr.c ssh-gss.h sshconnect2.c] - bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk - ok markus@ - - djm@cvs.openbsd.org 2006/08/18 14:40:34 - [gss-genr.c ssh-gss.h] - constify host argument to match the rest of the GSSAPI functions and - unbreak compilation with -Werror - - (djm) Disable sigdie() for platforms that cannot safely syslog inside - a signal handler (basically all of them, excepting OpenBSD); - ok dtucker@ - -20060817 - - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c] - Include stdlib.h for malloc and friends. - - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl - for closefrom() on AIX. Pointed out by William Ahern. - - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress - test for closefrom() in compat code. - -20060816 - - (djm) [audit-bsm.c] Sprinkle in some headers - -20060815 - - (dtucker) [LICENCE] Add Reyk to the list for the compat dir. - -20060806 - - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings - on Solaris 10 - -20060806 - - (dtucker) [defines.h] With the includes.h changes we no longer get the - name clash on "YES" so we can remove the workaround for it. - - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c, - glob.c}] Include stdlib.h for malloc and friends in compat code. - -20060805 + mention remote port in debug message + - markus@cvs.openbsd.org 2001/10/24 08:41:20 + [ssh.c] + remove unused + - markus@cvs.openbsd.org 2001/10/24 08:51:35 + [clientloop.c ssh.c] + ignore SIGPIPE early, makes ssh work if agent dies, netbsd-pr via itojun@ + - markus@cvs.openbsd.org 2001/10/24 19:57:40 + [clientloop.c] + make ~& (backgrounding) work again for proto v1; add support ~& for v2, too + - markus@cvs.openbsd.org 2001/10/25 21:14:32 + [ssh-keygen.1 ssh-keygen.c] + better docu for fingerprinting, ok deraadt@ + - markus@cvs.openbsd.org 2001/10/29 19:27:15 + [sshconnect2.c] + hostbased: check for client hostkey before building chost + - markus@cvs.openbsd.org 2001/10/30 20:29:09 + [ssh.1] + ssh.1 + - markus@cvs.openbsd.org 2001/11/07 16:03:17 + [packet.c packet.h sshconnect2.c] + pad using the padding field from the ssh2 packet instead of sending + extra ignore messages. tested against several other ssh servers. + - markus@cvs.openbsd.org 2001/11/07 21:40:21 + [ssh-rsa.c] + ssh_rsa_sign/verify: SSH_BUG_SIGBLOB not supported + - markus@cvs.openbsd.org 2001/11/07 22:10:28 + [ssh-dss.c ssh-rsa.c] + missing free and sync dss/rsa code. + - markus@cvs.openbsd.org 2001/11/07 22:12:01 + [sshd.8] + s/Keepalive/KeepAlive/; from openbsd@davidkrause.com + - markus@cvs.openbsd.org 2001/11/07 22:41:51 + [auth2.c auth-rh-rsa.c] + unused includes + - markus@cvs.openbsd.org 2001/11/07 22:53:21 + [channels.h] + crank c->path to 256 so they can hold a full hostname; dwd@bell-labs.com + - markus@cvs.openbsd.org 2001/11/08 10:51:08 + [readpass.c] + don't strdup too much data; from gotoh@taiyo.co.jp; ok millert. + - markus@cvs.openbsd.org 2001/11/08 17:49:53 + [ssh.1] + mention setuid root requirements; noted by cnorris@csc.UVic.ca; ok stevesk@ + - markus@cvs.openbsd.org 2001/11/08 20:02:24 + [auth.c] + don't print ROOT in CAPS for the authentication messages, i.e. + Accepted publickey for ROOT from 127.0.0.1 port 42734 ssh2 + becomes + Accepted publickey for root from 127.0.0.1 port 42734 ssh2 + - markus@cvs.openbsd.org 2001/11/09 18:59:23 + [clientloop.c serverloop.c] + don't memset too much memory, ok millert@ + original patch from jlk@kamens.brookline.ma.us via nalin@redhat.com + - markus@cvs.openbsd.org 2001/11/10 13:19:45 + [sshd.c] + cleanup libwrap support (remove bogus comment, bogus close(), add + debug, etc). + - markus@cvs.openbsd.org 2001/11/10 13:22:42 + [ssh-rsa.c] + KNF (unexpand) + - markus@cvs.openbsd.org 2001/11/10 13:37:20 + [packet.c] + remove extra debug() + - markus@cvs.openbsd.org 2001/11/11 13:02:31 + [servconf.c] + make AuthorizedKeysFile2 fallback to AuthorizedKeysFile if + AuthorizedKeysFile is specified. + - (djm) Reorder portable-specific server options so that they come first. + This should help reduce diff collisions for new server options (as they + will appear at the end) + +20011109 + - (stevesk) auth-pam.c: use do_pam_authenticate(PAM_DISALLOW_NULL_AUTHTOK) + if permit_empty_passwd == 0 so null password check cannot be bypassed. + jayaraj@amritapuri.com OpenBSD bug 2168 + - markus@cvs.openbsd.org 2001/11/09 19:08:35 + [sshd.c] + remove extra trailing dot from log message; pilot@naughty.monkey.org + +20011103 + - (tim) [ contrib/caldera/openssh.spec contrib/caldera/sshd.init] Updates + from Raymund Will + [acconfig.h configure.in] Clean up login checks. + Problem reported by Jim Knoble + +20011101 + - (djm) Compat define for OpenSSL < 0.9.6 (No OPENSSL_free) + +20011031 + - (djm) Unsmoke drugs: config files should be noreplace. + +20011030 + - (djm) Redhat RPM spec: remove noreplace from config files, allow IPv6 + by default (can force IPv4 using --define "noipv6 1") + +20011029 + - (tim) [TODO defines.h loginrec.c] Change the references to configure.in + to configure.ac + +20011028 + - (djm) Avoid bug in Solaris PAM libs + - (djm) Disconnect if no tty and PAM reports password expired + - (djm) Fix for PAM password changes being echoed (from stevesk) + - (stevesk) Fix compile problem with PAM password change fix + - (stevesk) README: zlib location is http://www.gzip.org/zlib/ + +20011027 + - (tim) [configure.ac] Fixes for ReliantUNIX (don't use libucb) + Patch by Robert Dahlem + +20011026 + - (bal) Set the correct current time in login_utmp_only(). Patch by + Wayne Davison + - (tim) [scard/Makefile.in] Fix install: when building outside of source + tree and using --src=/full_path/to/openssh + Patch by Mark D. Baushke + +20011025 + - (bal) Use VDISABLE if _POSIX_VDISABLE is set in readpassphrase.c. Patch + by todd@ + - (tim) [configure.ac] Give path given in --with-xxx= for pcre,zlib, and + tcp-wrappers precedence over system libraries and includes. + Report from Dave Dykstra + +20011024 + - (bal) Should be 3.0p1 not 3.0p2. Corrected version.h already. + - (tim) configure.in -> configure.ac + +20011023 + - (bal) Updated version to 3.0p1 in preparing for release. + - (bal) Added 'PAM_TTY_KLUDGE' to Solaris platform. + - (tim) [configure.in] Fix test for broken dirname. Based on patch from + Dave Dykstra . Remove un-needed test for zlib.h. + [contrib/caldera/openssh.spec, contrib/redhat/openssh.spec, + contrib/suse/openssh.spec] Update version to match version.h + +20011022 + - (djm) Fix fd leak in loginrec.c (ro fd to lastlog was left open). + Report from Michal Zalewski + +20011021 + - (tim) [configure.in] Clean up library testing. Add optional PATH to + --with-pcre, --with-zlib, and --with-tcp-wrappers. Based on + patch by albert chin (china@thewrittenword.com) + Re-arange AC_CHECK_HEADERS and AC_CHECK_FUNCS for eaiser reading + of patches to configure.in. Replace obsolete AC_STRUCT_ST_BLKSIZE + with AC_CHECK_MEMBERS. Add test for broken dirname() on + Solaris 2.5.1 by Dan Astoorian + [acconfig.h aclocal.m4 defines.h configure.in] Better socklen_t test. + patch by albert chin (china@thewrittenword.com) + [scp.c] Replace obsolete HAVE_ST_BLKSIZE with + HAVE_STRUCT_STAT_ST_BLKSIZE. + [Makefile.in] When running make in top level, always do make + in openbsd-compat. patch by Dave Dykstra + +20011019 + - (bal) Fixed up init.d symlink issue and piddir stuff. Patches by + Zoran Milojevic and j.petersen@msh.de + +20011012 + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/10/10 22:18:47 + [channels.c channels.h clientloop.c nchan.c serverloop.c] + [session.c session.h] + try to keep channels open until an exit-status message is sent. + don't kill the login shells if the shells stdin/out/err is closed. + this should now work: + ssh -2n localhost 'exec > /dev/null 2>&1; sleep 10; exit 5'; echo ? + - markus@cvs.openbsd.org 2001/10/11 13:45:21 + [session.c] + delay detach of session if a channel gets closed but the child is + still alive. however, release pty, since the fd's to the child are + already closed. + - markus@cvs.openbsd.org 2001/10/11 15:24:00 + [clientloop.c] + clear select masks if we return before calling select(). + - (djm) "make veryclean" fix from Tom Holroyd + - (djm) Clean some autoconf-2.52 junk when doing "make distclean" + - (djm) Cleanup sshpty.c a little + - (bal) First wave of contrib/solaris/ package upgrades. Still more + work needs to be done, but it is a 190% better then the stuff we + had before! + - (bal) Minor bug fix in contrib/solaris/opensshd.in .. $etcdir was not + set right. + +20011010 - (djm) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2006/07/24 13:58:22 + - markus@cvs.openbsd.org 2001/10/04 14:34:16 + [key.c] + call OPENSSL_free() for memory allocated by openssl; from chombier@mac.com + - markus@cvs.openbsd.org 2001/10/04 15:05:40 + [channels.c serverloop.c] + comment out bogus conditions for selecting on connection_in + - markus@cvs.openbsd.org 2001/10/04 15:12:37 + [serverloop.c] + client_alive_check cleanup + - markus@cvs.openbsd.org 2001/10/06 00:14:50 [sshconnect.c] - disable tunnel forwarding when no strict host key checking - and key changed; ok djm@ markus@ dtucker@ - - stevesk@cvs.openbsd.org 2006/07/25 02:01:34 - [scard.c] - need #include - - stevesk@cvs.openbsd.org 2006/07/25 02:59:21 - [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c] - [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c] - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/07/26 02:35:17 - [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c] - [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c] - [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c] - [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c] - [uidswap.c xmalloc.c] - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/07/26 13:57:17 - [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c] - [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c] - [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] - [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c] - [sshconnect1.c sshd.c xmalloc.c] - move #include out of includes.h - - jmc@cvs.openbsd.org 2006/07/27 08:00:50 - [ssh_config.5] - avoid confusing wording in HashKnownHosts: - originally spotted by alan amesbury; - ok deraadt - - jmc@cvs.openbsd.org 2006/07/27 08:00:50 - [ssh_config.5] - avoid confusing wording in HashKnownHosts: - originally spotted by alan amesbury; - ok deraadt - - dtucker@cvs.openbsd.org 2006/08/01 11:34:36 + remove unused argument + - markus@cvs.openbsd.org 2001/10/06 00:36:42 + [session.c] + fix typo in error message, sync with do_exec_nopty + - markus@cvs.openbsd.org 2001/10/06 11:18:19 + [sshconnect1.c sshconnect2.c sshconnect.c] + unify hostkey check error messages, simplify prompt. + - markus@cvs.openbsd.org 2001/10/07 10:29:52 + [authfile.c] + grammer; Matthew_Clarke@mindlink.bc.ca + - markus@cvs.openbsd.org 2001/10/07 17:49:40 + [channels.c channels.h] + avoid possible FD_ISSET overflow for channels established + during channnel_after_select() (used for dynamic channels). + - markus@cvs.openbsd.org 2001/10/08 11:48:57 + [channels.c] + better debug + - markus@cvs.openbsd.org 2001/10/08 16:15:47 [sshconnect.c] - Allow fallback to known_hosts entries without port qualifiers for - non-standard ports too, so that all existing known_hosts entries will be - recognised. Requested by, feedback and ok markus@ - - stevesk@cvs.openbsd.org 2006/08/01 23:22:48 - [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c] - [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c] - [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c] - [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c] - [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c] - [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c] - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c] - [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c] - [uuencode.h xmalloc.c] - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/08/01 23:36:12 - [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c] - clean extra spaces - - deraadt@cvs.openbsd.org 2006/08/03 03:34:42 - [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c] - [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c] - [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c] - [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ] - [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c] - [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c] - [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c] - [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c] - [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c] - [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c] - [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c] - [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c] - [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c] - [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h] - [serverloop.c session.c session.h sftp-client.c sftp-common.c] - [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c] - [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c] - [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c] - [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c] - [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h] - [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h] - almost entirely get rid of the culture of ".h files that include .h files" - ok djm, sort of ok stevesk - makes the pain stop in one easy step - NB. portable commit contains everything *except* removing includes.h, as - that will take a fair bit more work as we move headers that are required - for portability workarounds to defines.h. (also, this step wasn't "easy") - - stevesk@cvs.openbsd.org 2006/08/04 20:46:05 - [monitor.c session.c ssh-agent.c] - spaces - - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c - - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c] - remove last traces of bufaux.h - it was merged into buffer.h in the big - includes.h commit - - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec - - (djm) [openbsd-compat/regress/snprintftest.c] - [openbsd-compat/regress/strduptest.c] Add missing includes so they pass - compilation with "-Wall -Werror" - - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c] - [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more - includes for Linux in - - (dtucker) [cleanup.c] Need defines.h for __dead. - - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable. - - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of - #include stdarg.h, needed for log.h. - - (dtucker) [entropy.c] Needs unistd.h too. - - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h. - - (dtucker) [openbsd-compat/getrrsetbyname.c] Nees stdlib.h for malloc. - - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll, - otherwise it is implicitly declared as returning an int. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2006/08/05 07:52:52 - [auth2-none.c sshd.c monitor_wrap.c] - Add headers required to build with KERBEROS5=no. ok djm@ - - dtucker@cvs.openbsd.org 2006/08/05 08:00:33 - [auth-skey.c] - Add headers required to build with -DSKEY. ok djm@ - - dtucker@cvs.openbsd.org 2006/08/05 08:28:24 - [monitor_wrap.c auth-skey.c auth2-chall.c] - Zap unused variables in -DSKEY code. ok djm@ - - dtucker@cvs.openbsd.org 2006/08/05 08:34:04 + use correct family for -b option + - markus@cvs.openbsd.org 2001/10/08 19:05:05 + [ssh.c sshconnect.c sshconnect.h ssh-keyscan.c] + some more IPv4or6 cleanup + - markus@cvs.openbsd.org 2001/10/09 10:12:08 + [session.c] + chdir $HOME after krb_afslog(); from bbense@networking.stanford.edu + - markus@cvs.openbsd.org 2001/10/09 19:32:49 + [session.c] + stat subsystem command before calling do_exec, and return error to client. + - markus@cvs.openbsd.org 2001/10/09 19:51:18 + [serverloop.c] + close all channels if the connection to the remote host has been closed, + should fix sshd's hanging with WCHAN==wait + - markus@cvs.openbsd.org 2001/10/09 21:59:41 + [channels.c channels.h serverloop.c session.c session.h] + simplify session close: no more delayed session_close, no more + blocking wait() calls. + - (bal) removed two unsed headers in openbsd-compat/bsd-misc.c + - (bal) seed_init() and seed_rng() required in ssh-keyscan.c + +20011007 + - (bal) ssh-copy-id corrected permissions for .ssh/ and authorized_keys. + Prompted by Matthew Vernon + +20011005 + - (bal) AES works under Cray, no more hack. + +20011004 + - (bal) nchan2.ms resync. BSD License applied. + +20011003 + - (bal) CVS ID fix up in version.h + - (bal) OpenBSD CVS Sync: + - markus@cvs.openbsd.org 2001/09/27 11:58:16 + [compress.c] + mem leak; chombier@mac.com + - markus@cvs.openbsd.org 2001/09/27 11:59:37 [packet.c] - Typo in comment - - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile - on Cygwin. - - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa. - - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h. - - (dtucker) [audit.c audit.h] Repair headers. - - (dtucker) [audit-bsm.c] Add additional headers now required. - -20060804 - - (dtucker) [configure.ac] The "crippled AES" test does not work on recent - versions of Solaris, so use AC_LINK_IFELSE to actually link the test program - rather than just compiling it. Spotted by dlg@. - -20060802 - - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype. - -20060725 - - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW. - -20060724 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/07/12 13:39:55 - [sshd_config.5] - - new sentence, new line - - s/The the/The/ - - kill a bad comma - - stevesk@cvs.openbsd.org 2006/07/12 22:28:52 - [auth-options.c canohost.c channels.c includes.h readconf.c] - [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c] - move #include out of includes.h; ok djm@ - - stevesk@cvs.openbsd.org 2006/07/12 22:42:32 - [includes.h ssh.c ssh-rand-helper.c] - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/07/14 01:15:28 - [monitor_wrap.h] - don't need incompletely-typed 'struct passwd' now with - #include ; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/17 01:31:10 - [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c] - [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c] - [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c] - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c] - [sshconnect.c sshlogin.c sshpty.c uidswap.c] - move #include out of includes.h - - dtucker@cvs.openbsd.org 2006/07/17 12:02:24 - [auth-options.c] - Use '\0' rather than 0 to terminates strings; ok djm@ - - dtucker@cvs.openbsd.org 2006/07/17 12:06:00 - [channels.c channels.h servconf.c sshd_config.5] - Add PermitOpen directive to sshd_config which is equivalent to the - "permitopen" key option. Allows server admin to allow TCP port - forwarding only two specific host/port pairs. Useful when combined - with Match. - If permitopen is used in both sshd_config and a key option, both - must allow a given connection before it will be permitted. - Note that users can still use external forwarders such as netcat, - so to be those must be controlled too for the limits to be effective. - Feedback & ok djm@, man page corrections & ok jmc@. - - jmc@cvs.openbsd.org 2006/07/18 07:50:40 - [sshd_config.5] - tweak; ok dtucker - - jmc@cvs.openbsd.org 2006/07/18 07:56:28 - [scp.1] - replace DIAGNOSTICS with .Ex; - - jmc@cvs.openbsd.org 2006/07/18 08:03:09 - [ssh-agent.1 sshd_config.5] - mark up angle brackets; - - dtucker@cvs.openbsd.org 2006/07/18 08:22:23 - [sshd_config.5] - Clarify description of Match, with minor correction from jmc@ - - stevesk@cvs.openbsd.org 2006/07/18 22:27:55 - [dh.c] - remove unneeded includes; ok djm@ - - dtucker@cvs.openbsd.org 2006/07/19 08:56:41 - [servconf.c sshd_config.5] - Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to - Match. ok djm@ - - dtucker@cvs.openbsd.org 2006/07/19 13:07:10 - [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5] - Add ForceCommand keyword to sshd_config, equivalent to the "command=" - key option, man page entry and example in sshd_config. - Feedback & ok djm@, man page corrections & ok jmc@ - - stevesk@cvs.openbsd.org 2006/07/20 15:26:15 - [auth1.c serverloop.c session.c sshconnect2.c] - missed some needed #include when KERBEROS5=no; issue from - massimo@cedoc.mo.it - - dtucker@cvs.openbsd.org 2006/07/21 12:43:36 - [channels.c channels.h servconf.c servconf.h sshd_config.5] - Make PermitOpen take a list of permitted ports and act more like most - other keywords (ie the first match is the effective setting). This - also makes it easier to override a previously set PermitOpen. ok djm@ - - stevesk@cvs.openbsd.org 2006/07/21 21:13:30 - [channels.c] - more ARGSUSED (lint) for dispatch table-driven functions; ok djm@ - - stevesk@cvs.openbsd.org 2006/07/21 21:26:55 - [progressmeter.c] - ARGSUSED for signal handler - - stevesk@cvs.openbsd.org 2006/07/22 19:08:54 - [includes.h moduli.c progressmeter.c scp.c sftp-common.c] - [sftp-server.c ssh-agent.c sshlogin.c] - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/07/22 20:48:23 - [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c] - [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c] - [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c] - [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c] - [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c] - [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c] - [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c] - [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c] - [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c] - [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c] - [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c] - [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c] - [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c] - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/07/23 01:11:05 - [auth.h dispatch.c kex.h sftp-client.c] - #include for sig_atomic_t; need this prior to - move - - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c] - [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c] - [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c] - [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c] - [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c] - [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c] - [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c] - [openbsd-compat/mktemp.c openbsd-compat/port-linux.c] - [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] - [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c] - make the portable tree compile again - sprinkle unistd.h and string.h - back in. Don't redefine __unused, as it turned out to be used in - headers on Linux, and replace its use in auth-pam.c with ARGSUSED - - (djm) [openbsd-compat/glob.c] - Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles - on OpenBSD (or other platforms with a decent glob implementation) with - -Werror - - (djm) [uuencode.c] - Add resolv.h, is it contains the prototypes for __b64_ntop/__b64_pton on - some platforms - - (djm) [session.c] - fix compile error with -Werror -Wall: 'path' is only used in - do_setup_env() if HAVE_LOGIN_CAP is not defined - - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c] - [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c] - [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c] - [openbsd-compat/port-aix.c openbsd-compat/port-irix.c] - [openbsd-compat/rresvport.c] - These look to need string.h and/or unistd.h (based on a grep for function - names) - - (djm) [Makefile.in] - Remove generated openbsd-compat/regress/Makefile in distclean target - - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh] - [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh] - Sync regress tests to -current; include dtucker@'s new cfgmatch and - forcecommand tests. Add cipher-speed.sh test (not linked in yet) - - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including - system headers before defines.h will cause conflicting definitions. - - (dtucker) [regress/forcecommand.sh] Portablize. - -20060713 - - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h - -20060712 - - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and - O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old - Linuxes and probably more. - - (dtucker) [configure.ac] OpenBSD needs before - for SHUT_RD. - - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs before - . - - (dtucker) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2006/07/10 16:01:57 - [sftp-glob.c sftp-common.h sftp.c] - buffer.h only needed in sftp-common.h and remove some unneeded - user includes; ok djm@ - - jmc@cvs.openbsd.org 2006/07/10 16:04:21 + missing called=1; chombier@mac.com + - markus@cvs.openbsd.org 2001/09/27 15:31:17 + [auth2.c auth2-chall.c sshconnect1.c] + typos; from solar + - camield@cvs.openbsd.org 2001/09/27 17:53:24 [sshd.8] - s/and and/and/ - - stevesk@cvs.openbsd.org 2006/07/10 16:37:36 - [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c - auth.c packet.c log.c] - move #include out of includes.h; ok markus@ - - dtucker@cvs.openbsd.org 2006/07/11 10:12:07 - [ssh.c] - Only copy the part of environment variable that we actually use. Prevents - ssh bailing when SendEnv is used and an environment variable with a really - long value exists. ok djm@ - - markus@cvs.openbsd.org 2006/07/11 18:50:48 - [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c - channels.h readconf.c] - add ExitOnForwardFailure: terminate the connection if ssh(1) - cannot set up all requested dynamic, local, and remote port - forwardings. ok djm, dtucker, stevesk, jmc - - stevesk@cvs.openbsd.org 2006/07/11 20:07:25 - [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c - sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c - includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c - sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c - ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/11 20:16:43 - [ssh.c] - cast asterisk field precision argument to int to remove warning; + don't talk about compile-time options ok markus@ - - stevesk@cvs.openbsd.org 2006/07/11 20:27:56 - [authfile.c ssh.c] - need here also (it's also included in ) - - dtucker@cvs.openbsd.org 2006/07/12 11:34:58 - [sshd.c servconf.h servconf.c sshd_config.5 auth.c] - Add support for conditional directives to sshd_config via a "Match" - keyword, which works similarly to the "Host" directive in ssh_config. - Lines after a Match line override the default set in the main section - if the condition on the Match line is true, eg - AllowTcpForwarding yes - Match User anoncvs - AllowTcpForwarding no - will allow port forwarding by all users except "anoncvs". - Currently only a very small subset of directives are supported. - ok djm@ - - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c - openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c - openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include . - - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h. - - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too. - - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h. - - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c - openbsd-compat/rresvport.c] More errno.h. - -20060711 - - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c - openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally - include paths.h. Fixes build error on Solaris. - - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably - others). - -20060710 - - (dtucker) [INSTALL] New autoconf version: 2.60. - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/06/14 10:50:42 - [sshconnect.c] - limit the number of pre-banner characters we will accept; ok markus@ - - djm@cvs.openbsd.org 2006/06/26 10:36:15 - [clientloop.c] - mention optional bind_address in runtime port forwarding setup - command-line help. patch from santhi.amirta AT gmail.com - - stevesk@cvs.openbsd.org 2006/07/02 17:12:58 - [ssh.1 ssh.c ssh_config.5 sshd_config.5] - more details and clarity for tun(4) device forwarding; ok and help - jmc@ - - stevesk@cvs.openbsd.org 2006/07/02 18:36:47 - [gss-serv-krb5.c gss-serv.c] - no "servconf.h" needed here - (gss-serv-krb5.c change not applied, portable needs the server options) - - stevesk@cvs.openbsd.org 2006/07/02 22:45:59 - [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c] - move #include out of includes.h - (portable needed uidswap.c too) - - stevesk@cvs.openbsd.org 2006/07/02 23:01:55 - [clientloop.c ssh.1] - use -KR[bind_address:]port here; ok djm@ - - stevesk@cvs.openbsd.org 2006/07/03 08:54:20 - [includes.h ssh.c sshconnect.c sshd.c] - move #include "version.h" out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/03 17:59:32 - [channels.c includes.h] - move #include out of includes.h; old ok djm@ - (portable needed session.c too) - - stevesk@cvs.openbsd.org 2006/07/05 02:42:09 - [canohost.c hostfile.c includes.h misc.c packet.c readconf.c] - [serverloop.c sshconnect.c uuencode.c] - move #include out of includes.h; ok deraadt@ - (also ssh-rand-helper.c logintest.c loginrec.c) - - djm@cvs.openbsd.org 2006/07/06 10:47:05 - [servconf.c servconf.h session.c sshd_config.5] - support arguments to Subsystem commands; ok markus@ - - djm@cvs.openbsd.org 2006/07/06 10:47:57 - [sftp-server.8 sftp-server.c] - add commandline options to enable logging of transactions; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/06 16:03:53 - [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c] - [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c] - [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c] - [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c] - [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c] - [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c] - [uidswap.h] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/07/06 16:22:39 + - djm@cvs.openbsd.org 2001/09/28 12:07:09 [ssh-keygen.c] - move #include "dns.h" up - - stevesk@cvs.openbsd.org 2006/07/06 17:36:37 - [monitor_wrap.h] - typo in comment - - stevesk@cvs.openbsd.org 2006/07/08 21:47:12 - [authfd.c canohost.c clientloop.c dns.c dns.h includes.h] - [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c] - [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h] - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/07/08 21:48:53 - [monitor.c session.c] - missed these from last commit: - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/07/08 23:30:06 - [log.c] - move user includes after /usr/include files - - stevesk@cvs.openbsd.org 2006/07/09 15:15:11 - [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c] - [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c] - [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c] - [sshlogin.c sshpty.c] - move #include out of includes.h - - stevesk@cvs.openbsd.org 2006/07/09 15:27:59 - [ssh-add.c] - use O_RDONLY vs. 0 in open(); no binary change - - djm@cvs.openbsd.org 2006/07/10 11:24:54 - [sftp-server.c] - remove optind - it isn't used here - - djm@cvs.openbsd.org 2006/07/10 11:25:53 - [sftp-server.c] - don't log variables that aren't yet set - - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c] - [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h] - [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c] - [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/07/10 12:03:20 + bzero private key after loading to smartcard; ok markus@ + - markus@cvs.openbsd.org 2001/09/28 15:46:29 + [ssh.c] + bug: read user config first; report kaukasoi@elektroni.ee.tut.fi + - markus@cvs.openbsd.org 2001/10/01 08:06:28 [scp.c] - duplicate argv at the start of main() because it gets modified later; - pointed out by deraadt@ ok markus@ - - djm@cvs.openbsd.org 2006/07/10 12:08:08 - [channels.c] - fix misparsing of SOCKS 5 packets that could result in a crash; - reported by mk@ ok markus@ - - dtucker@cvs.openbsd.org 2006/07/10 12:46:51 - [misc.c misc.h sshd.8 sshconnect.c] - Add port identifier to known_hosts for non-default ports, based originally - on a patch from Devin Nate in bz#910. - For any connection using the default port or using a HostKeyAlias the - format is unchanged, otherwise the host name or address is enclosed - within square brackets in the same format as sshd's ListenAddress. - Tested by many, ok markus@. - - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include - for struct sockaddr on platforms that use the fake-rfc stuff. - -20060706 - - (dtucker) [configure.ac] Try AIX blibpath test in different order when - compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so - configure would not select the correct libpath linker flags. - - (dtucker) [INSTALL] A bit more info on autoconf. - -20060705 - - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the - target already exists. - -20060630 - - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf - declaration too. Patch from russ at sludge.net. - - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it, - prevents warnings on platforms where _res is in the system headers. - - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which - version. - -20060627 - - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems - with autoconf 2.60. Patch from vapier at gentoo.org. - -20060625 - - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys - only, otherwise sshd can hang exiting non-interactive sessions. - -20060624 - - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris. - Works around limitation in Solaris' passwd program for changing passwords - where the username is longer than 8 characters. ok djm@ - - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug - #1102 workaround. - -20060623 - - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add - tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch - from reyk@, tested by anil@ - - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX - 4.3.3 ML3 or so, the AIX pty layer starting passing zero-length writes - on the pty slave as zero-length reads on the pty master, which sshd - interprets as the descriptor closing. Since most things don't do zero - length writes this rarely matters, but occasionally it happens, and when - it does the SSH pty session appears to hang, so we add a special case for - this condition. ok djm@ - -20060613 - - (djm) [getput.h] This file has been replaced by functions in misc.c - - OpenBSD CVS Sync - - djm@cvs.openbsd.org 2006/05/08 10:49:48 - [sshconnect2.c] - uint32_t -> u_int32_t (which we use everywhere else) - (Id sync only - portable already had this) - - markus@cvs.openbsd.org 2006/05/16 09:00:00 - [clientloop.c] - missing free; from Kylene Hall - - markus@cvs.openbsd.org 2006/05/17 12:43:34 - [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c] - fix leak; coverity via Kylene Jo Hall - - miod@cvs.openbsd.org 2006/05/18 21:27:25 - [kexdhc.c kexgexc.c] - paramter -> parameter - - dtucker@cvs.openbsd.org 2006/05/29 12:54:08 - [ssh_config.5] - Add gssapi-with-mic to PreferredAuthentications default list; ok jmc - - dtucker@cvs.openbsd.org 2006/05/29 12:56:33 - [ssh_config] - Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in - sample ssh_config. ok markus@ - - jmc@cvs.openbsd.org 2006/05/29 16:10:03 - [ssh_config.5] - oops - previous was too long; split the list of auths up - - mk@cvs.openbsd.org 2006/05/30 11:46:38 + skip filenames containing \n; report jdamery@chiark.greenend.org.uk + and matthew@debian.org + - markus@cvs.openbsd.org 2001/10/01 21:38:53 + [channels.c channels.h ssh.c sshd.c] + remove ugliness; vp@drexel.edu via angelos + - markus@cvs.openbsd.org 2001/10/01 21:51:16 + [readconf.c readconf.h ssh.1 sshconnect.c] + add NoHostAuthenticationForLocalhost; note that the hostkey is + now check for localhost, too. + - djm@cvs.openbsd.org 2001/10/02 08:38:50 [ssh-add.c] - Sync usage() with man page and reality. - ok deraadt dtucker - - jmc@cvs.openbsd.org 2006/05/29 16:13:23 - [ssh.1] - add GSSAPI to the list of authentication methods supported; - - mk@cvs.openbsd.org 2006/05/30 11:46:38 - [ssh-add.c] - Sync usage() with man page and reality. - ok deraadt dtucker - - markus@cvs.openbsd.org 2006/06/01 09:21:48 + return non-zero exit code on error; ok markus@ + - stevesk@cvs.openbsd.org 2001/10/02 22:56:09 [sshd.c] - call get_remote_ipaddr() early; fixes logging after client disconnects; - report mpf@; ok dtucker@ - - markus@cvs.openbsd.org 2006/06/06 10:20:20 - [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c] - replace remaining setuid() calls with permanently_set_uid() and - check seteuid() return values; report Marcus Meissner; ok dtucker djm - - markus@cvs.openbsd.org 2006/06/08 14:45:49 - [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h] - do not set the gid, noted by solar; ok djm - - djm@cvs.openbsd.org 2006/06/13 01:18:36 - [ssh-agent.c] - always use a format string, even when printing a constant - - djm@cvs.openbsd.org 2006/06/13 02:17:07 - [ssh-agent.c] - revert; i am on drugs. spotted by alexander AT beard.se - -20060521 - - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor - and slave, we can remove the special-case handling in the audit hook in - auth_log. - -20060517 - - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file - pointer leak. From kjhall at us.ibm.com, found by coverity. - -20060515 - - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of - _res, prevents problems on some platforms that have _res as a global but - don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by - georg.schwarz at freenet.de, ok djm@. - - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative - default. Patch originally from tim@, ok djm - - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and - do not allow kbdint again after the PAM account check fails. ok djm@ - -20060506 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2006/04/25 08:02:27 - [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c] - Prevent ssh from trying to open private keys with bad permissions more than - once or prompting for their passphrases (which it subsequently ignores - anyway), similar to a previous change in ssh-add. bz #1186, ok djm@ - - djm@cvs.openbsd.org 2006/05/04 14:55:23 - [dh.c] - tighter DH exponent checks here too; feedback and ok markus@ - - djm@cvs.openbsd.org 2006/04/01 05:37:46 - [OVERVIEW] - $OpenBSD$ in here too - - dtucker@cvs.openbsd.org 2006/05/06 08:35:40 - [auth-krb5.c] - Add $OpenBSD$ in comment here too - -20060504 - - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c - session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c - openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar) - in Portable-only code; since calloc zeros, remove now-redundant memsets. - Also add a couple of sanity checks. With & ok djm@ + #include "channels.h" for channel_set_af() + - markus@cvs.openbsd.org 2001/10/03 10:01:20 + [auth.c] + use realpath() for homedir, too. from jinmei@isl.rdc.toshiba.co.jp -20060503 - - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h - and double including it on IRIX 5.3 causes problems. From Georg Schwarz, - "no objections" tim@ +20011001 + - (stevesk) loginrec.c: fix type conversion problems exposed when using + 64-bit off_t. + +20010929 + - (bal) move reading 'config.h' up higher. Patch by albert chin + out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/07 01:18:09 - [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/07 01:42:00 - [channels.c clientloop.c clientloop.h includes.h packet.h] - [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/07 01:52:50 - [sshtty.c] - "log.h" not needed - - stevesk@cvs.openbsd.org 2006/02/07 03:47:05 - [hostfile.c] - "packet.h" not needed - - stevesk@cvs.openbsd.org 2006/02/07 03:59:20 - [deattack.c] - duplicate #include - - stevesk@cvs.openbsd.org 2006/02/08 12:15:27 - [auth.c clientloop.c includes.h misc.c monitor.c readpass.c] - [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c] - [sshd.c sshpty.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/08 12:32:49 - [includes.h misc.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/08 13:15:44 - [gss-serv.c monitor.c] - small KNF - - stevesk@cvs.openbsd.org 2006/02/08 14:16:59 - [sshconnect.c] - not needed - - stevesk@cvs.openbsd.org 2006/02/08 14:31:30 - [includes.h ssh-agent.c ssh-keyscan.c ssh.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/08 14:38:18 - [includes.h packet.c] - move #include and out of - includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/08 23:51:24 - [includes.h scp.c sftp-glob.c sftp-server.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/09 00:32:07 - [includes.h] - #include not needed; ok djm@ - NB. ID Sync only - we still need this (but it may move later) - - jmc@cvs.openbsd.org 2006/02/09 10:10:47 - [sshd.8] - - move some text into a CAVEATS section - - merge the COMMAND EXECUTION... section into AUTHENTICATION - - stevesk@cvs.openbsd.org 2006/02/10 00:27:13 - [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c] - [ssh.c sshd.c sshpty.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/10 01:44:27 - [includes.h monitor.c readpass.c scp.c serverloop.c session.c] - [sftp.c sshconnect.c sshconnect2.c sshd.c] - move #include out of includes.h; ok markus@ - - otto@cvs.openbsd.org 2006/02/11 19:31:18 - [atomicio.c] - type correctness; from Ray Lai in PR 5011; ok millert@ - - djm@cvs.openbsd.org 2006/02/12 06:45:34 - [ssh.c ssh_config.5] - add a %l expansion code to the ControlPath, which is filled in with the - local hostname at runtime. Requested by henning@ to avoid some problems - with /home on NFS; ok dtucker@ - - djm@cvs.openbsd.org 2006/02/12 10:44:18 - [readconf.c] - raise error when the user specifies a RekeyLimit that is smaller than 16 - (the smallest of our cipher's blocksize) or big enough to cause integer - wraparound; ok & feedback dtucker@ - - jmc@cvs.openbsd.org 2006/02/12 10:49:44 - [ssh_config.5] - slight rewording; ok djm - - jmc@cvs.openbsd.org 2006/02/12 10:52:41 - [sshd.8] - rework the description of authorized_keys a little; - - jmc@cvs.openbsd.org 2006/02/12 17:57:19 - [sshd.8] - sort the list of options permissable w/ authorized_keys; - ok djm dtucker - - jmc@cvs.openbsd.org 2006/02/13 10:16:39 - [sshd.8] - no need to subsection the authorized_keys examples - instead, convert - this to look like an actual file. also use proto 2 keys, and use IETF - example addresses; - - jmc@cvs.openbsd.org 2006/02/13 10:21:25 - [sshd.8] - small tweaks for the ssh_known_hosts section; - - jmc@cvs.openbsd.org 2006/02/13 11:02:26 - [sshd.8] - turn this into an example ssh_known_hosts file; ok djm - - jmc@cvs.openbsd.org 2006/02/13 11:08:43 - [sshd.8] - - avoid nasty line split - - `*' does not need to be escaped - - jmc@cvs.openbsd.org 2006/02/13 11:27:25 - [sshd.8] - sort FILES and use a -compact list; - - david@cvs.openbsd.org 2006/02/15 05:08:24 - [sftp-client.c] - typo in comment; ok djm@ - - jmc@cvs.openbsd.org 2006/02/15 16:53:20 - [ssh.1] - remove the IETF draft references and replace them with some updated RFCs; - - jmc@cvs.openbsd.org 2006/02/15 16:55:33 - [sshd.8] - remove ietf draft references; RFC list now maintained in ssh.1; - - jmc@cvs.openbsd.org 2006/02/16 09:05:34 +20010920 + - (tim) [scard/Makefile.in] Don't strip the Java binary + - (stevesk) sun_len, SUN_LEN() configure stuff no longer required + - (bal) OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/09/20 00:15:54 [sshd.8] - sync some of the FILES entries w/ ssh.1; - - jmc@cvs.openbsd.org 2006/02/19 19:52:10 - [sshd.8] - move the sshrc stuff out of FILES, and into its own section: - FILES is not a good place to document how stuff works; - - jmc@cvs.openbsd.org 2006/02/19 20:02:17 + fix ClientAliveCountMax + - markus@cvs.openbsd.org 2001/09/20 13:46:48 + [auth2.c] + key_read returns now -1 or 1 + - markus@cvs.openbsd.org 2001/09/20 13:50:40 + [compat.c compat.h ssh.c] + bug compat: request a dummy channel for -N (no shell) sessions + + cleanup; vinschen@redhat.com + - mouring@cvs.openbsd.org 2001/09/20 20:57:51 + [sshd_config] + CheckMail removed. OKed stevesk@ + +20010919 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/09/19 10:08:51 [sshd.8] - sync the (s)hosts.equiv FILES entries w/ those from ssh.1; - - jmc@cvs.openbsd.org 2006/02/19 20:05:00 + command=xxx applies to subsystem now, too + - markus@cvs.openbsd.org 2001/09/19 13:23:29 + [key.c] + key_read() now returns -1 on type mismatch, too + - stevesk@cvs.openbsd.org 2001/09/19 19:24:19 + [readconf.c readconf.h scp.c sftp.c ssh.1] + add ClearAllForwardings ssh option and set it in scp and sftp; ok + markus@ + - stevesk@cvs.openbsd.org 2001/09/19 19:35:30 + [authfd.c] + use sizeof addr vs. SUN_LEN(addr) for sockaddr_un. Stevens + blesses this and we do it this way elsewhere. this helps in + portable because not all systems have SUN_LEN() and + sockaddr_un.sun_len. ok markus@ + - stevesk@cvs.openbsd.org 2001/09/19 21:04:53 [sshd.8] - grammar; - - jmc@cvs.openbsd.org 2006/02/19 20:12:25 - [ssh_config.5] - add some vertical space; - - stevesk@cvs.openbsd.org 2006/02/20 16:36:15 - [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c] - move #include out of includes.h; ok djm@ - - stevesk@cvs.openbsd.org 2006/02/20 17:02:44 - [clientloop.c includes.h monitor.c progressmeter.c scp.c] - [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/20 17:19:54 - [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c] - [authfile.c clientloop.c includes.h readconf.c scp.c session.c] - [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c] - [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c] - [sshconnect2.c sshd.c sshpty.c] - move #include out of includes.h; ok markus@ - - stevesk@cvs.openbsd.org 2006/02/22 00:04:45 - [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c] - [sshconnect.c] - move #include out of includes.h; ok djm@ - - jmc@cvs.openbsd.org 2006/02/24 10:25:14 - [ssh_config.5] - add section on patterns; - from dtucker + myself - - jmc@cvs.openbsd.org 2006/02/24 10:33:54 - [sshd_config.5] - signpost to PATTERNS; - - jmc@cvs.openbsd.org 2006/02/24 10:37:07 - [ssh_config.5] - tidy up the refs to PATTERNS; - - jmc@cvs.openbsd.org 2006/02/24 10:39:52 + missing -t in usage + - stevesk@cvs.openbsd.org 2001/09/19 21:41:57 [sshd.8] - signpost to PATTERNS section; - - jmc@cvs.openbsd.org 2006/02/24 20:22:16 - [ssh-keysign.8 ssh_config.5 sshd_config.5] - some consistency fixes; - - jmc@cvs.openbsd.org 2006/02/24 20:31:31 - [ssh.1 ssh_config.5 sshd.8 sshd_config.5] - more consistency fixes; - - jmc@cvs.openbsd.org 2006/02/24 23:20:07 - [ssh_config.5] - some grammar/wording fixes; - - jmc@cvs.openbsd.org 2006/02/24 23:43:57 - [sshd_config.5] - some grammar/wording fixes; - - jmc@cvs.openbsd.org 2006/02/24 23:51:17 - [sshd_config.5] - oops - bits i missed; - - jmc@cvs.openbsd.org 2006/02/25 12:26:17 - [ssh_config.5] - document the possible values for KbdInteractiveDevices; - help/ok dtucker - - jmc@cvs.openbsd.org 2006/02/25 12:28:34 - [sshd_config.5] - document the order in which allow/deny directives are processed; - help/ok dtucker - - jmc@cvs.openbsd.org 2006/02/26 17:17:18 - [ssh_config.5] - move PATTERNS to the end of the main body; requested by dtucker - - jmc@cvs.openbsd.org 2006/02/26 18:01:13 - [sshd_config.5] - subsection is pointless here; - - jmc@cvs.openbsd.org 2006/02/26 18:03:10 - [ssh_config.5] - comma; - - djm@cvs.openbsd.org 2006/02/28 01:10:21 + don't advertise -V in usage; ok markus@ + - (bal) openbsd-compat/vis.[ch] is dead wood. Removed. + +20010918 + - (djm) Configure support for smartcards. Based on Ben's work. + - (djm) Revert setgroups call, it causes problems on OS-X + - (djm) Avoid warning on BSDgetopt + - (djm) More makefile infrastructre for smartcard support, also based + on Ben's work + - (djm) Specify --datadir in RPM spec files so smartcard applet gets + put somewhere sane. Add Ssh.bin to manifest. + - (djm) Make smartcard support conditional in Redhat RPM spec + - (bal) LICENCE update. Has not been done in a while. + - (stevesk) nchan.c: we use X/Open Sockets on HP-UX now so shutdown(2) + returns ENOTCONN vs. EINVAL for socket not connected; remove EINVAL + check. ok Lutz Jaenicke + - (bal) OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/09/17 17:57:57 + [scp.1 scp.c sftp.1 sftp.c] + add -Fssh_config option; ok markus@ + - stevesk@cvs.openbsd.org 2001/09/17 19:27:15 + [kexdh.c kexgex.c key.c key.h ssh-dss.c ssh-keygen.c ssh-rsa.c] + u_char*/char* cleanup; ok markus + - markus@cvs.openbsd.org 2001/09/17 20:22:14 + [scard.c] + never keep a connection to the smartcard open. + allows ssh-keygen -D U while the agent is running; report from + jakob@ + - stevesk@cvs.openbsd.org 2001/09/17 20:38:09 + [sftp.1 sftp.c] + cleanup and document -1, -s and -S; ok markus@ + - markus@cvs.openbsd.org 2001/09/17 20:50:22 + [key.c ssh-keygen.c] + better error handling if you try to export a bad key to ssh.com + - markus@cvs.openbsd.org 2001/09/17 20:52:47 + [channels.c channels.h clientloop.c] + try to fix agent-forwarding-backconnection-bug, as seen on HPUX, + for example; with Lutz.Jaenicke@aet.TU-Cottbus.DE, + - markus@cvs.openbsd.org 2001/09/17 21:04:02 + [channels.c serverloop.c] + don't send fake dummy packets on CR (\r) + bugreport from yyua@cs.sfu.ca via solar@@openwall.com + - markus@cvs.openbsd.org 2001/09/17 21:09:47 + [compat.c] + more versions suffering the SSH_BUG_DEBUG bug; + 3.0.x reported by dbutts@maddog.storability.com + - stevesk@cvs.openbsd.org 2001/09/17 23:56:07 + [scp.1] + missing -B in usage string + +20010917 + - (djm) x11-ssh-askpass-1.2.4 in RPM spec, revert workarounds + - (tim) [includes.h openbsd-compat/getopt.c openbsd-compat/getopt.h] + rename getopt() to BSDgetopt() to keep form conflicting with + system getopt(). + [Makefile.in configure.in] disable filepriv until I can add + missing procpriv calls. + +20010916 + - (djm) Workaround XFree breakage in RPM spec file + - (bal) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/09/16 14:46:54 + [session.c] + calls krb_afslog() after setting $HOME; mattiasa@e.kth.se; fixes + pr 1943b + +20010915 + - (djm) Make do_pre_login static to avoid prototype #ifdef hell + - (djm) Sync scard/ stuff + - (djm) Redhat spec file cleanups from Pekka Savola and + Redhat + - (djm) Redhat initscript config sanity checking from Pekka Savola + + - (djm) Clear supplemental groups at sshd start to prevent them from + being propogated to random PAM modules. Based on patch from Redhat via + Pekka Savola + - (djm) Make sure rijndael.c picks config.h + - (djm) Ensure that u_char gets defined + +20010914 + - (bal) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/09/13 + [rijndael.c rijndael.h] + missing $OpenBSD + - markus@cvs.openbsd.org 2001/09/14 [session.c] - fix logout recording when privilege separation is disabled, analysis and - patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@ - NB. ID sync only - patch already in portable - - djm@cvs.openbsd.org 2006/03/04 04:12:58 - [serverloop.c] - move a debug() outside of a signal handler; ok markus@ a little while back - - djm@cvs.openbsd.org 2006/03/12 04:23:07 - [ssh.c] - knf nit - - djm@cvs.openbsd.org 2006/03/13 08:16:00 + command=xxx overwrites subsystems, too + - markus@cvs.openbsd.org 2001/09/14 [sshd.c] - don't log that we are listening on a socket before the listen() call - actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@ - - dtucker@cvs.openbsd.org 2006/03/13 08:33:00 - [packet.c] - Set TCP_NODELAY for all connections not just "interactive" ones. Fixes - poor performance and protocol stalls under some network conditions (mindrot - bugs #556 and #981). Patch originally from markus@, ok djm@ - - dtucker@cvs.openbsd.org 2006/03/13 08:43:16 - [ssh-keygen.c] - Make ssh-keygen handle CR and CRLF line termination when converting IETF - format keys, in adition to vanilla LF. mindrot #1157, tested by Chris - Pepper, ok djm@ - - dtucker@cvs.openbsd.org 2006/03/13 10:14:29 - [misc.c ssh_config.5 sshd_config.5] - Allow config directives to contain whitespace by surrounding them by double - quotes. mindrot #482, man page help from jmc@, ok djm@ - - dtucker@cvs.openbsd.org 2006/03/13 10:26:52 - [authfile.c authfile.h ssh-add.c] - Make ssh-add check file permissions before attempting to load private - key files multiple times; it will fail anyway and this prevents confusing - multiple prompts and warnings. mindrot #1138, ok djm@ - - djm@cvs.openbsd.org 2006/03/14 00:15:39 - [canohost.c] - log the originating address and not just the name when a reverse - mapping check fails, requested by linux AT linuon.com - - markus@cvs.openbsd.org 2006/03/14 16:32:48 - [ssh_config.5 sshd_config.5] - *AliveCountMax applies to protcol v2 only; ok dtucker, djm - - djm@cvs.openbsd.org 2006/03/07 09:07:40 - [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c] - Implement the diffie-hellman-group-exchange-sha256 key exchange method - using the SHA256 code in libc (and wrapper to make it into an OpenSSL - EVP), interop tested against CVS PuTTY - NB. no portability bits committed yet - - (djm) [configure.ac defines.h kex.c md-sha256.c] - [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h] - [openbsd-compat/sha2.c] First stab at portability glue for SHA256 - KEX support, should work with libc SHA256 support or OpenSSL - EVP_sha256 if present - - (djm) [includes.h] Restore accidentally dropped netinet/in.h - - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files - - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present - - (djm) [regress/.cvsignore] Ignore Makefile here - - (djm) [loginrec.c] Need stat.h - - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with - system sha2.h - - (djm) [ssh-rand-helper.c] Needs a bunch of headers - - (djm) [ssh-agent.c] Restore dropped stat.h - - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out - SHA384, which we don't need and doesn't compile without tweaks - - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c] - [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c] - [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c] - [openbsd-compat/glob.c openbsd-compat/mktemp.c] - [openbsd-compat/readpassphrase.c] Lots of include fixes for - OpenSolaris - - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:" - - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some - includes removed from includes.h - - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE - - (djm) [includes.h] Put back paths.h, it is needed in defines.h - - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs - sys/ioctl.h for struct winsize. - - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD. - -20060313 - - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong) - since not all platforms support it. Instead, use internal equivalent while - computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf* - as it's no longer required. Tested by Bernhard Simon, ok djm@ - -20060304 - - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a - file rather than directory, required as Cygwin will be importing lastlog(1). - Also tightens up permissions on the file. Patch from vinschen@redhat.com. - - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h - includes. Patch from gentoo.riverrat at gmail.com. - -20060226 - - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY - patch from kraai at ftbfs.org. - -20060223 - - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current - reality. Pointed out by tryponraj at gmail.com. - -20060222 - - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only - compile in compat code if required. - -20060221 - - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about - redefinition of SSLeay_add_all_algorithms. - -20060220 - - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}] - Add optional enabling of OpenSSL's (hardware) Engine support, via - configure --with-ssl-engine. Based in part on a diff by michal at - logix.cz. - -20060219 - - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/] - Add first attempt at regress tests for compat library. ok djm@ - -20060214 - - (tim) [buildpkg.sh.in] Make the names consistent. - s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@ - -20060212 - - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned - to silence compiler warning, from vinschen at redhat.com. - - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX. - - (dtucker) [README version.h contrib/caldera/openssh.spec - contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version - strings to match 4.3p2 release. - -20060208 - - (tim) [session.c] Logout records were not updated on systems with - post auth privsep disabled due to bug 1086 changes. Analysis and patch - by vinschen at redhat.com. OK tim@, dtucker@. - - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP - -> NEED_SETPGRP), reported by Bernhard Simon. ok tim@ - -20060206 - - (tim) [configure.ac] Remove unnecessary tests for net/if.h and - netinet/in_systm.h. OK dtucker@. - -20060205 - - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test - for Solaris. OK dtucker@. - - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by - kraai at ftbfs.org. - -20060203 - - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first - AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run - by a platform specific check, builtin standard includes tests will be - skipped on the other platforms. - Analysis and suggestion by vinschen at redhat.com, patch by dtucker@. - OK tim@, djm@. - -20060202 - - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it - works with picky compilers. Patch from alex.kiernan at thus.net. - -20060201 - - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to - determine the user's login name - needed for regress tests on Solaris - 10 and OpenSolaris - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/02/01 09:06:50 - [sshd.8] - - merge sections on protocols 1 and 2 into a single section - - remove configuration file section - ok markus - - jmc@cvs.openbsd.org 2006/02/01 09:11:41 - [sshd.8] - small tweak; - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update versions ahead of release - - markus@cvs.openbsd.org 2006/02/01 11:27:22 - [version.h] - openssh 4.3 - - (djm) Release OpenSSH 4.3p1 + typo -20060131 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/20 11:21:45 - [ssh_config.5] - - word change, agreed w/ markus - - consistency fixes - - jmc@cvs.openbsd.org 2006/01/25 09:04:34 - [sshd.8] - move the options description up the page, and a few additional tweaks - whilst in here; - ok markus - - jmc@cvs.openbsd.org 2006/01/25 09:07:22 +20010913 + - (bal) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/08/23 11:31:59 + [cipher.c cipher.h] + switch to the optimised AES reference code from + http://www.esat.kuleuven.ac.be/~rijmen/rijndael/rijndael-fst-3.0.zip + +20010912 + - (bal) OpenBSD CVS Sync + - jakob@cvs.openbsd.org 2001/08/16 19:18:34 + [servconf.c servconf.h session.c sshd.8] + deprecate CheckMail. ok markus@ + - stevesk@cvs.openbsd.org 2001/08/16 20:14:57 + [ssh.1 sshd.8] + document case sensitivity for ssh, sshd and key file + options and arguments; ok markus@ + - stevesk@cvs.openbsd.org 2001/08/17 18:59:47 + [servconf.h] + typo in comment + - stevesk@cvs.openbsd.org 2001/08/21 21:47:42 + [ssh.1 sshd.8] + minor typos and cleanup + - stevesk@cvs.openbsd.org 2001/08/22 16:21:21 + [ssh.1] + hostname not optional; ok markus@ + - stevesk@cvs.openbsd.org 2001/08/22 16:30:02 [sshd.8] - move subsections to full sections; - - jmc@cvs.openbsd.org 2006/01/26 08:47:56 + no rexd; ok markus@ + - stevesk@cvs.openbsd.org 2001/08/22 17:45:16 [ssh.1] - add a section on verifying host keys in dns; - written with a lot of help from jakob; - feedback dtucker/markus; - ok markus - - reyk@cvs.openbsd.org 2006/01/30 12:22:22 - [channels.c] - mark channel as write failed or dead instead of read failed on error - of the channel output filter. + document cipher des for protocol 1; ok deraadt@ + - camield@cvs.openbsd.org 2001/08/23 17:59:31 + [sshd.c] + end request with 0, not NULL ok markus@ - - jmc@cvs.openbsd.org 2006/01/30 13:37:49 - [ssh.1] - remove an incorrect sentence; - reported by roumen petrov; - ok djm markus - - djm@cvs.openbsd.org 2006/01/31 10:19:02 - [misc.c misc.h scp.c sftp.c] - fix local arbitrary command execution vulnerability on local/local and - remote/remote copies (CVE-2006-0225, bz #1094), patch by - t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@ - - djm@cvs.openbsd.org 2006/01/31 10:35:43 - [scp.c] - "scp a b c" shouldn't clobber "c" when it is not a directory, report and - fix from biorn@; ok markus@ - - (djm) Sync regress tests to OpenBSD: - - dtucker@cvs.openbsd.org 2005/03/10 10:20:39 - [regress/forwarding.sh] - Regress test for ClearAllForwardings (bz #994); ok markus@ - - dtucker@cvs.openbsd.org 2005/04/25 09:54:09 - [regress/multiplex.sh] - Don't call cleanup in multiplex as test-exec will cleanup anyway - found by tim@, ok djm@ - NB. ID sync only, we already had this - - djm@cvs.openbsd.org 2005/05/20 23:14:15 - [regress/test-exec.sh] - force addressfamily=inet for tests, unbreaking dynamic-forward regress for - recently committed nc SOCKS5 changes - - djm@cvs.openbsd.org 2005/05/24 04:10:54 - [regress/try-ciphers.sh] - oops, new arcfour modes here too - - markus@cvs.openbsd.org 2005/06/30 11:02:37 - [regress/scp.sh] - allow SUDO=sudo; from Alexander Bluhm - - grunk@cvs.openbsd.org 2005/11/14 21:25:56 - [regress/agent-getpeereid.sh] - all other scripts in this dir use $SUDO, not 'sudo', so pull this even + - stevesk@cvs.openbsd.org 2001/08/23 18:02:48 + [ssh-agent.1] + fix usage; ok markus@ + - stevesk@cvs.openbsd.org 2001/08/23 18:08:59 + [ssh-add.1 ssh-keyscan.1] + minor cleanup + - danh@cvs.openbsd.org 2001/08/27 22:02:13 + [ssh-keyscan.c] + fix memory fault if non-existent filename is given to the -f option ok markus@ - - dtucker@cvs.openbsd.org 2005/12/14 04:36:39 - [regress/scp-ssh-wrapper.sh] - Fix assumption about how many args scp will pass; ok djm@ - NB. ID sync only, we already had this - - djm@cvs.openbsd.org 2006/01/27 06:49:21 - [scp.sh] - regress test for local to local scp copies; ok dtucker@ - - djm@cvs.openbsd.org 2006/01/31 10:23:23 - [scp.sh] - regression test for CVE-2006-0225 written by dtucker@ - - djm@cvs.openbsd.org 2006/01/31 10:36:33 - [scp.sh] - regress test for "scp a b c" where "c" is not a directory - -20060129 - - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the - opensshd.init script interpretter if /sbin/sh does not exist. ok tim@ - -20060120 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/15 17:37:05 - [ssh.1] - correction from deraadt - - jmc@cvs.openbsd.org 2006/01/18 10:53:29 - [ssh.1] - add a section on ssh-based vpn, based on reyk's README.tun; - - dtucker@cvs.openbsd.org 2006/01/20 00:14:55 - [scp.1 ssh.1 ssh_config.5 sftp.1] - Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot - #1056 with feedback from jmc, djm and markus; ok jmc@ djm@ - -20060114 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/06 13:27:32 - [ssh.1] - weed out some duplicate info in the known_hosts FILES entries; - ok djm - - jmc@cvs.openbsd.org 2006/01/06 13:29:10 - [ssh.1] - final round of whacking FILES for duplicate info, and some consistency - fixes; - ok djm - - jmc@cvs.openbsd.org 2006/01/12 14:44:12 - [ssh.1] - split sections on tcp and x11 forwarding into two sections. - add an example in the tcp section, based on sth i wrote for ssh faq; - help + ok: djm markus dtucker - - jmc@cvs.openbsd.org 2006/01/12 18:48:48 - [ssh.1] - refer to `TCP' rather than `TCP/IP' in the context of connection - forwarding; - ok markus - - jmc@cvs.openbsd.org 2006/01/12 22:20:00 + - markus@cvs.openbsd.org 2001/08/28 09:51:26 + [readconf.c] + don't set DynamicForward unless Host matches + - markus@cvs.openbsd.org 2001/08/28 15:39:48 + [ssh.1 ssh.c] + allow: ssh -F configfile host + - markus@cvs.openbsd.org 2001/08/29 20:44:03 + [scp.c] + clear the malloc'd buffer, otherwise source() will leak malloc'd + memory; ok theo@ + - stevesk@cvs.openbsd.org 2001/08/29 23:02:21 [sshd.8] - refer to TCP forwarding, rather than TCP/IP forwarding; - - jmc@cvs.openbsd.org 2006/01/12 22:26:02 - [ssh_config.5] - refer to TCP forwarding, rather than TCP/IP forwarding; - - jmc@cvs.openbsd.org 2006/01/12 22:34:12 + add text about -u0 preventing DNS requests; ok markus@ + - stevesk@cvs.openbsd.org 2001/08/29 23:13:10 + [ssh.1 ssh.c] + document -D and DynamicForward; ok markus@ + - stevesk@cvs.openbsd.org 2001/08/29 23:27:23 + [ssh.c] + validate ports for -L/-R; ok markus@ + - stevesk@cvs.openbsd.org 2001/08/29 23:39:40 + [ssh.1 sshd.8] + additional documentation for GatewayPorts; ok markus@ + - naddy@cvs.openbsd.org 2001/08/30 15:42:36 [ssh.1] - back out a sentence - AUTHENTICATION already documents this; - -20060109 - - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on - tcpip service so it's always started after IP is up. Patch from - vinschen at redhat.com. + add -D to synopsis line; ok markus@ + - stevesk@cvs.openbsd.org 2001/08/30 16:04:35 + [readconf.c ssh.1] + validate ports for LocalForward/RemoteForward. + add host/port alternative syntax for IPv6 (like -L/-R). + ok markus@ + - stevesk@cvs.openbsd.org 2001/08/30 20:36:34 + [auth-options.c sshd.8] + validate ports for permitopen key file option. add host/port + alternative syntax for IPv6. ok markus@ + - markus@cvs.openbsd.org 2001/08/30 22:22:32 + [ssh-keyscan.c] + do not pass pointers to longjmp; fix from wayne@blorf.net + - markus@cvs.openbsd.org 2001/08/31 11:46:39 + [sshconnect2.c] + disable kbd-interactive if we don't get SSH2_MSG_USERAUTH_INFO_REQUEST + messages + - stevesk@cvs.openbsd.org 2001/09/03 20:58:33 + [readconf.c readconf.h ssh.c] + fatal() for nonexistent -Fssh_config. ok markus@ + - deraadt@cvs.openbsd.org 2001/09/05 06:23:07 + [scp.1 sftp.1 ssh.1 ssh-agent.1 sshd.8 ssh-keygen.1 ssh-keyscan.1] + avoid first person in manual pages + - stevesk@cvs.openbsd.org 2001/09/12 18:18:25 + [scp.c] + don't forward agent for non third-party copies; ok markus@ -20060106 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/03 16:31:10 - [ssh.1] - move FILES to a -compact list, and make each files an item in that list. - this avoids nastly line wrap when we have long pathnames, and treats - each file as a separate item; - remove the .Pa too, since it is useless. - - jmc@cvs.openbsd.org 2006/01/03 16:35:30 - [ssh.1] - use a larger width for the ENVIRONMENT list; - - jmc@cvs.openbsd.org 2006/01/03 16:52:36 - [ssh.1] - put FILES in some sort of order: sort by pathname - - jmc@cvs.openbsd.org 2006/01/03 16:55:18 - [ssh.1] - tweak the description of ~/.ssh/environment - - jmc@cvs.openbsd.org 2006/01/04 18:42:46 +20010815 + - (bal) Fixed stray code in readconf.c that went in by mistake. + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/08/07 10:37:46 + [authfd.c authfd.h] + extended failure messages from galb@vandyke.com + - deraadt@cvs.openbsd.org 2001/08/08 07:16:58 + [scp.1] + when describing the -o option, give -o Protocol=1 as the specific example + since we are SICK AND TIRED of clueless people who cannot have difficulty + thinking on their own. + - markus@cvs.openbsd.org 2001/08/08 18:20:15 + [uidswap.c] + permanently_set_uid is a noop if user is not privilegued; + fixes bug on solaris; from sbi@uchicago.edu + - markus@cvs.openbsd.org 2001/08/08 21:34:19 + [uidswap.c] + undo last change; does not work for sshd + - jakob@cvs.openbsd.org 2001/08/11 22:51:27 + [ssh.c tildexpand.c] + fix more paths beginning with "//"; . + ok markus@ + - stevesk@cvs.openbsd.org 2001/08/13 23:38:54 + [scp.c] + don't need main prototype (also sync with rcp); ok markus@ + - markus@cvs.openbsd.org 2001/08/14 09:23:02 + [sftp.1 sftp-int.c] + "bye"; hk63a@netscape.net + - stevesk@cvs.openbsd.org 2001/08/14 17:54:29 + [scp.1 sftp.1 ssh.1] + consistent documentation and example of ``-o ssh_option'' for sftp and + scp; document keyword=argument for ssh. + - (bal) QNX resync. OK tim@ + +20010814 + - (stevesk) sshpty.c, cray.[ch]: whitespace, formatting and cleanup + for some #ifdef _CRAY code; ok wendyp@cray.com + - (stevesk) sshpty.c: return 0 on error in cray pty code; + ok wendyp@cray.com + - (stevesk) bsd-cray.c: utmp strings are not C strings + - (stevesk) bsd-cray.c: more cleanup; ok wendyp@cray.com + +20010812 + - (djm) Fix detection of long long int support. Based on patch from + Michael Stone . ok stevesk, tim + +20010808 + - (bal) Minor correction to inet_ntop.h. _BSD_RRESVPORT_H should be + _BSD_INET_NTOP_H. Pointed out by Mark Miller + +20010807 + - (tim) [configure.in sshconnect.c openbsd-compat/Makefile.in + openbsd-compat/openbsd-compat.h ] Add inet_ntop.c inet_ntop.h back + in. Needed for sshconnect.c + [sshconnect.c] fix INET6_ADDRSTRLEN for non IPv6 machines + [configure.in] make tests with missing libraries fail + patch by Wendy Palm + Added openbsd-compat/bsd-cray.h. Selective patches from + William L. Jones + +20010806 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/07/22 21:32:27 + [sshpty.c] + update comment + - pvalchev@cvs.openbsd.org 2001/07/22 21:32:42 [ssh.1] - chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES - entries; - ok markus - - jmc@cvs.openbsd.org 2006/01/04 18:45:01 + There is no option "Compress", point to "Compression" instead; ok + markus + - markus@cvs.openbsd.org 2001/07/22 22:04:19 + [readconf.c ssh.1] + enable challenge-response auth by default; ok millert@ + - markus@cvs.openbsd.org 2001/07/22 22:24:16 + [sshd.8] + Xr login.conf + - markus@cvs.openbsd.org 2001/07/23 09:06:28 + [sshconnect2.c] + reorder default sequence of userauth methods to match ssh behaviour: + hostbased,publickey,keyboard-interactive,password + - markus@cvs.openbsd.org 2001/07/23 12:47:05 [ssh.1] - remove .Xr's to rsh(1) and telnet(1): they are hardly needed; - - jmc@cvs.openbsd.org 2006/01/04 19:40:24 + sync PreferredAuthentications + - aaron@cvs.openbsd.org 2001/07/23 14:14:18 + [ssh-keygen.1] + Fix typo. + - stevesk@cvs.openbsd.org 2001/07/23 18:14:58 + [auth2.c auth-rsa.c] + use %lu; ok markus@ + - stevesk@cvs.openbsd.org 2001/07/23 18:21:46 + [xmalloc.c] + no zero size xstrdup() error; ok markus@ + - markus@cvs.openbsd.org 2001/07/25 11:59:35 + [scard.c] + typo in comment + - markus@cvs.openbsd.org 2001/07/25 14:35:18 + [readconf.c ssh.1 ssh.c sshconnect.c] + cleanup connect(); connection_attempts 4 -> 1; from + eivind@freebsd.org + - stevesk@cvs.openbsd.org 2001/07/26 17:18:22 + [sshd.8 sshd.c] + add -t option to test configuration file and keys; pekkas@netcore.fi + ok markus@ + - rees@cvs.openbsd.org 2001/07/26 20:04:27 + [scard.c ssh-keygen.c] + Inquire Cyberflex class for 0xf0 cards + change aid to conform to 7816-5 + remove gratuitous fid selects + - millert@cvs.openbsd.org 2001/07/27 14:50:45 + [ssh.c] + If smart card support is compiled in and a smart card is being used + for authentication, make it the first method used. markus@ OK + - deraadt@cvs.openbsd.org 2001/07/27 17:26:16 + [scp.c] + shorten lines + - markus@cvs.openbsd.org 2001/07/28 09:21:15 + [sshd.8] + cleanup some RSA vs DSA vs SSH1 vs SSH2 notes + - mouring@cvs.openbsd.org 2001/07/29 17:02:46 + [scp.1] + Clarified -o option in scp.1 OKed by Markus@ + - jakob@cvs.openbsd.org 2001/07/30 16:06:07 + [scard.c scard.h] + better errorcodes from sc_*; ok markus@ + - stevesk@cvs.openbsd.org 2001/07/30 16:23:30 + [rijndael.c rijndael.h] + new BSD-style license: + Brian Gladman : + >I have updated my code at: + >http://fp.gladman.plus.com/cryptography_technology/rijndael/index.htm + >with a copyright notice as follows: + >[...] + >I am not sure which version of my old code you are using but I am + >happy for the notice above to be substituted for my existing copyright + >intent if this meets your purpose. + - jakob@cvs.openbsd.org 2001/07/31 08:41:10 + [scard.c] + do not complain about missing smartcards. ok markus@ + - jakob@cvs.openbsd.org 2001/07/31 09:28:44 + [readconf.c readconf.h ssh.1 ssh.c] + add 'SmartcardDevice' client option to specify which smartcard device + is used to access a smartcard used for storing the user's private RSA + key. ok markus@. + - jakob@cvs.openbsd.org 2001/07/31 12:42:50 + [sftp-int.c sftp-server.c] + avoid paths beginning with "//"; + ok markus@ + - jakob@cvs.openbsd.org 2001/07/31 12:53:34 + [scard.c] + close smartcard connection if card is missing + - markus@cvs.openbsd.org 2001/08/01 22:03:33 + [authfd.c authfd.h readconf.c readconf.h scard.c scard.h ssh-add.c + ssh-agent.c ssh.c] + use strings instead of ints for smartcard reader ids + - markus@cvs.openbsd.org 2001/08/01 22:16:45 + [ssh.1 sshd.8] + refer to current ietf drafts for protocol v2 + - markus@cvs.openbsd.org 2001/08/01 23:33:09 + [ssh-keygen.c] + allow uploading RSA keys for non-default AUT0 (sha1 over passphrase + like sectok). + - markus@cvs.openbsd.org 2001/08/01 23:38:45 + [scard.c ssh.c] + support finish rsa keys. + free public keys after login -> call finish -> close smartcard. + - markus@cvs.openbsd.org 2001/08/02 00:10:17 + [ssh-keygen.c] + add -D readerid option (download, i.e. print public RSA key to stdout). + check for card present when uploading keys. + use strings instead of ints for smartcard reader ids, too. + - jakob@cvs.openbsd.org 2001/08/02 08:58:35 + [ssh-keygen.c] + change -u (upload smartcard key) to -U. ok markus@ + - jakob@cvs.openbsd.org 2001/08/02 15:06:52 + [ssh-keygen.c] + more verbose usage(). ok markus@ + - jakob@cvs.openbsd.org 2001/08/02 15:07:23 + [ssh-keygen.1] + document smartcard upload/download. ok markus@ + - jakob@cvs.openbsd.org 2001/08/02 15:32:10 + [ssh.c] + add smartcard to usage(). ok markus@ + - jakob@cvs.openbsd.org 2001/08/02 15:43:57 + [ssh-agent.c ssh.c ssh-keygen.c] + add /* SMARTCARD */ to #else/#endif. ok markus@ + - jakob@cvs.openbsd.org 2001/08/02 16:14:05 + [scard.c ssh-agent.c ssh.c ssh-keygen.c] + clean up some /* SMARTCARD */. ok markus@ + - mpech@cvs.openbsd.org 2001/08/02 18:37:35 + [ssh-keyscan.1] + o) .Sh AUTHOR -> .Sh AUTHORS; + o) .Sh EXAMPLE -> .Sh EXAMPLES; + o) Delete .Sh OPTIONS. Text moved to .Sh DESCRIPTION; + + millert@ ok + - jakob@cvs.openbsd.org 2001/08/03 10:31:19 + [ssh-add.1] + document smartcard options. ok markus@ + - jakob@cvs.openbsd.org 2001/08/03 10:31:30 + [ssh-add.c ssh-agent.c ssh-keyscan.c] + improve usage(). ok markus@ + - markus@cvs.openbsd.org 2001/08/05 23:18:20 + [ssh-keyscan.1 ssh-keyscan.c] + ssh 2 support; from wayned@users.sourceforge.net + - markus@cvs.openbsd.org 2001/08/05 23:29:58 + [ssh-keyscan.c] + make -t dsa work with commercial servers, too + - stevesk@cvs.openbsd.org 2001/08/06 19:47:05 + [scp.c] + use alarm vs. setitimer for portable; ok markus@ + - (bal) ssh-keyscan double -lssh hack due to seed_rng(). + - (bal) Second around of UNICOS patches. A few other things left. + Patches by William L. Jones + +20010803 + - (djm) Fix interrupted read in entropy gatherer. Spotted by markus@ on + a fast UltraSPARC. + +20010726 + - (stevesk) use mysignal() in protocol 1 loop now that the SIGCHLD + handler has converged. + +20010725 + - (bal) Added 'install-nokeys' to Makefile to assist package builders. + +20010724 + - (bal) 4711 not 04711 for ssh binary. + +20010722 + - (bal) Starting the Unicossmk merger. File merged TODO, configure.in, + myproposal.h, ssh_prng_cmds.in, and openbsd-compat/Makefile.in. + Added openbsd-compat/bsd-cray.c. Rest will be merged after + approval. Selective patches from William L. Jones + + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/07/18 21:10:43 + [sshpty.c] + pr #1946, allow sshd if /dev is readonly + - stevesk@cvs.openbsd.org 2001/07/18 21:40:40 + [ssh-agent.c] + chdir("/") from bbraun@synack.net; ok markus@ + - stevesk@cvs.openbsd.org 2001/07/19 00:41:44 [ssh.1] - +.Xr ssh-keyscan 1 , - - jmc@cvs.openbsd.org 2006/01/04 19:50:09 + escape chars are below now + - markus@cvs.openbsd.org 2001/07/20 14:46:11 + [ssh-agent.c] + do not exit() from signal handlers; ok deraadt@ + - stevesk@cvs.openbsd.org 2001/07/20 18:41:51 [ssh.1] - -.Xr gzip 1 , - - djm@cvs.openbsd.org 2006/01/05 23:43:53 - [misc.c] - check that stdio file descriptors are actually closed before clobbering - them in sanitise_stdfd(). problems occurred when a lower numbered fd was - closed, but higher ones weren't. spotted by, and patch tested by - Frédéric Olivié - -20060103 - - (djm) [channels.c] clean up harmless merge error, from reyk@ + "the" command line -20060103 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2006/01/02 17:09:49 - [ssh_config.5 sshd_config.5] - some corrections from michael knudsen; +20010719 + - (tim) [configure.in] put inet_aton back in AC_CHECK_FUNCS. + report from Mark Miller -20060102 - - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/12/31 10:46:17 - [ssh.1] - merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER - AUTHENTICATION" sections into "AUTHENTICATION"; - some rewording done to make the text read better, plus some - improvements from djm; - ok djm - - jmc@cvs.openbsd.org 2005/12/31 13:44:04 - [ssh.1] - clean up ENVIRONMENT a little; - - jmc@cvs.openbsd.org 2005/12/31 13:45:19 - [ssh.1] - .Nm does not require an argument; - - stevesk@cvs.openbsd.org 2006/01/01 08:59:27 - [includes.h misc.c] - move ; ok djm@ - - stevesk@cvs.openbsd.org 2006/01/01 10:08:48 - [misc.c] - no trailing "\n" for debug() - - djm@cvs.openbsd.org 2006/01/02 01:20:31 - [sftp-client.c sftp-common.h sftp-server.c] - use a common max. packet length, no binary change - - reyk@cvs.openbsd.org 2006/01/02 07:53:44 - [misc.c] - clarify tun(4) opening - set the mode and bring the interface up. also - (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces. - suggested and ok by djm@ - - jmc@cvs.openbsd.org 2006/01/02 12:31:06 - [ssh.1] - start to cut some duplicate info from FILES; - help/ok djm - -20060101 - - (djm) [Makefile.in configure.ac includes.h misc.c] - [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support - for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is - limited to IPv4 tunnels only, and most versions don't support the - tap(4) device at all. - - (djm) [configure.ac] Fix linux/if_tun.h test - - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too - -20051229 - - (djm) OpenBSD CVS Sync - - stevesk@cvs.openbsd.org 2005/12/28 22:46:06 - [canohost.c channels.c clientloop.c] - use 'break-in' for consistency; ok deraadt@ ok and input jmc@ - - reyk@cvs.openbsd.org 2005/12/30 15:56:37 - [channels.c channels.h clientloop.c] - add channel output filter interface. - ok djm@, suggested by markus@ - - jmc@cvs.openbsd.org 2005/12/30 16:59:00 - [sftp.1] - do not suggest that interactive authentication will work - with the -b flag; - based on a diff from john l. scarfone; - ok djm - - stevesk@cvs.openbsd.org 2005/12/31 01:38:45 - [ssh.1] - document -MM; ok djm@ - - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac] - [serverloop.c ssh.c openbsd-compat/Makefile.in] - [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding - compatability support for Linux, diff from reyk@ - - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does - not exist - - (djm) [configure.ac] oops, make that linux/if_tun.h - -20051229 - - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd - -20051224 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/12/20 21:59:43 - [ssh.1] - merge the sections on protocols 1 and 2 into one section on - authentication; - feedback djm dtucker - ok deraadt markus dtucker - - jmc@cvs.openbsd.org 2005/12/20 22:02:50 +20010718 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/07/14 15:10:17 + [readpass.c sftp-client.c sftp-common.c sftp-glob.c] + delete spurious #includes; ok deraadt@ markus@ + - markus@cvs.openbsd.org 2001/07/15 16:17:08 + [serverloop.c] + schedule client alive for ssh2 only, greg@cheers.bungi.com + - stevesk@cvs.openbsd.org 2001/07/15 16:57:21 + [ssh-agent.1] + -d will not fork; ok markus@ + - stevesk@cvs.openbsd.org 2001/07/15 16:58:29 + [ssh-agent.c] + typo in usage; ok markus@ + - markus@cvs.openbsd.org 2001/07/17 20:48:42 + [ssh-agent.c] + update maxfd if maxfd is closed; report from jmcelroy@dtgnet.com + - markus@cvs.openbsd.org 2001/07/17 21:04:58 + [channels.c channels.h clientloop.c nchan.c serverloop.c] + keep track of both maxfd and the size of the malloc'ed fdsets. + update maxfd if maxfd gets closed. + - mouring@cvs.openbsd.org 2001/07/18 16:45:52 + [scp.c] + Missing -o in scp usage() + - (bal) Cleaned up trailing spaces in ChangeLog. + - (bal) Allow sshd to switch user context without password for Cygwin. + Patch by Corinna Vinschen + - (bal) Updated cygwin README and ssh-host-config. Patch by + Corinna Vinschen + +20010715 + - (bal) Set "BROKEN_GETADDRINFO" for darwin platform. Reported by + Josh Larios + - (tim) put openssh/openbsd-compat/inet_aton.[ch] back in. + needed by openbsd-compat/fake-getaddrinfo.c + +20010714 + - (stevesk) change getopt() declaration + - (stevesk) configure.in: use ll suffix for long long constant + in snprintf() test + +20010713 + - (djm) Enable /etc/nologin check on PAM systems, as some lack the + pam_nologin module. Report from William Yodlowsky + + - (djm) Revert dirname fix, a better one is on its way. + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/07/04 22:47:19 + [ssh-agent.c] + ignore SIGPIPE when debugging, too + - markus@cvs.openbsd.org 2001/07/04 23:13:10 + [scard.c scard.h ssh-agent.c] + handle card removal more gracefully, add sc_close() to scard.h + - markus@cvs.openbsd.org 2001/07/04 23:39:07 + [ssh-agent.c] + for smartcards remove both RSA1/2 keys + - markus@cvs.openbsd.org 2001/07/04 23:49:27 + [ssh-agent.c] + handle mutiple adds of the same smartcard key + - espie@cvs.openbsd.org 2001/07/05 11:43:33 + [sftp-glob.c] + Directly cast to the right type. Ok markus@ + - stevesk@cvs.openbsd.org 2001/07/05 20:32:47 + [sshconnect1.c] + statement after label; ok dugsong@ + - stevesk@cvs.openbsd.org 2001/07/08 15:23:38 + [servconf.c] + fix ``MaxStartups max''; ok markus@ + - fgsch@cvs.openbsd.org 2001/07/09 05:58:47 + [ssh.c] + Use getopt(3); markus@ ok. + - deraadt@cvs.openbsd.org 2001/07/09 07:04:53 + [session.c sftp-int.c] + correct type on last arg to execl(); nordin@cse.ogi.edu + - markus@cvs.openbsd.org 2001/07/10 21:49:12 + [readpass.c] + don't panic if fork or pipe fail (just return an empty passwd). + - itojun@cvs.openbsd.org 2001/07/11 00:24:53 + [servconf.c] + make it compilable in all 4 combination of KRB4/KRB5 settings. + dugsong ok + XXX isn't it sensitive to the order of -I/usr/include/kerberosIV and + -I/usr/include/kerberosV? + - markus@cvs.openbsd.org 2001/07/11 16:29:59 + [ssh.c] + sort options string, fix -p, add -k + - markus@cvs.openbsd.org 2001/07/11 18:26:15 + [auth.c] + no need to call dirname(pw->pw_dir). + note that dirname(3) modifies its argument on some systems. + - (djm) Reorder Makefile.in so clean targets work a little better when + run directly from Makefile.in + - (djm) Pull in getopt(3) from OpenBSD libc for the optreset extension. + +20010711 + - (djm) dirname(3) may modify its argument on glibc and other systems. + Patch from markus@, spotted by Tom Holroyd + +20010704 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/06/25 08:25:41 + [channels.c channels.h cipher.c clientloop.c compat.c compat.h + hostfile.c kex.c kex.h key.c key.h nchan.c packet.c serverloop.c + session.c session.h sftp-server.c ssh-add.c ssh-agent.c uuencode.h] + update copyright for 2001 + - markus@cvs.openbsd.org 2001/06/25 17:18:27 + [ssh-keygen.1] + sshd(8) will never read the private keys, but ssh(1) does; + hugh@mimosa.com + - provos@cvs.openbsd.org 2001/06/25 17:54:47 + [auth.c auth.h auth-rsa.c] + terminate secure_filename checking after checking homedir. that way + it works on AFS. okay markus@ + - stevesk@cvs.openbsd.org 2001/06/25 20:26:37 + [auth2.c sshconnect2.c] + prototype cleanup; ok markus@ + - markus@cvs.openbsd.org 2001/06/26 02:47:07 + [ssh-keygen.c] + allow loading a private RSA key to a cyberflex card. + - markus@cvs.openbsd.org 2001/06/26 04:07:06 + [ssh-agent.1 ssh-agent.c] + add debug flag + - markus@cvs.openbsd.org 2001/06/26 04:59:59 + [authfd.c authfd.h ssh-add.c] + initial support for smartcards in the agent + - markus@cvs.openbsd.org 2001/06/26 05:07:43 + [ssh-agent.c] + update usage + - markus@cvs.openbsd.org 2001/06/26 05:33:34 + [ssh-agent.c] + more smartcard support. + - mpech@cvs.openbsd.org 2001/06/26 05:48:07 + [sshd.8] + remove unnecessary .Pp between .It; + millert@ ok + - markus@cvs.openbsd.org 2001/06/26 05:50:11 + [auth2.c] + new interface for secure_filename() + - itojun@cvs.openbsd.org 2001/06/26 06:32:58 + [atomicio.h authfd.h authfile.h auth.h auth-options.h bufaux.h + buffer.h canohost.h channels.h cipher.h clientloop.h compat.h + compress.h crc32.h deattack.h dh.h dispatch.h groupaccess.h + hostfile.h kex.h key.h log.h mac.h match.h misc.h mpaux.h packet.h + radix.h readconf.h readpass.h rsa.h] + prototype pedant. not very creative... + - () -> (void) + - no variable names + - itojun@cvs.openbsd.org 2001/06/26 06:33:07 + [servconf.h serverloop.h session.h sftp-client.h sftp-common.h + sftp-glob.h sftp-int.h sshconnect.h ssh-dss.h sshlogin.h sshpty.h + ssh-rsa.h tildexpand.h uidswap.h uuencode.h xmalloc.h] + prototype pedant. not very creative... + - () -> (void) + - no variable names + - dugsong@cvs.openbsd.org 2001/06/26 16:15:25 + [auth1.c auth.h auth-krb4.c auth-passwd.c readconf.c readconf.h + servconf.c servconf.h session.c sshconnect1.c sshd.c] + Kerberos v5 support for SSH1, mostly from Assar Westerlund + and Bjorn Gronvall . markus@ ok + - markus@cvs.openbsd.org 2001/06/26 17:25:34 [ssh.1] - .Ss -> .Sh: subsections have not made this page more readable - - jmc@cvs.openbsd.org 2005/12/20 22:09:41 + document SSH_ASKPASS; fubob@MIT.EDU + - markus@cvs.openbsd.org 2001/06/26 17:27:25 + [authfd.h authfile.h auth.h auth-options.h bufaux.h buffer.h + canohost.h channels.h cipher.h clientloop.h compat.h compress.h + crc32.h deattack.h dh.h dispatch.h groupaccess.c groupaccess.h + hostfile.h kex.h key.h log.c log.h mac.h misc.c misc.h mpaux.h + packet.h radix.h readconf.h readpass.h rsa.h servconf.h serverloop.h + session.h sftp-common.c sftp-common.h sftp-glob.h sftp-int.h + sshconnect.h ssh-dss.h sshlogin.h sshpty.h ssh-rsa.h sshtty.h + tildexpand.h uidswap.h uuencode.h xmalloc.h] + remove comments from .h, since they are cut&paste from the .c files + and out of sync + - dugsong@cvs.openbsd.org 2001/06/26 17:41:49 + [servconf.c] + #include + - markus@cvs.openbsd.org 2001/06/26 20:14:11 + [key.c key.h ssh.c sshconnect1.c sshconnect2.c] + add smartcard support to the client, too (now you can use both + the agent and the client). + - markus@cvs.openbsd.org 2001/06/27 02:12:54 + [serverloop.c serverloop.h session.c session.h] + quick hack to make ssh2 work again. + - markus@cvs.openbsd.org 2001/06/27 04:48:53 + [auth.c match.c sshd.8] + tridge@samba.org + - markus@cvs.openbsd.org 2001/06/27 05:35:42 + [ssh-keygen.c] + use cyberflex_inq_class to inquire class. + - markus@cvs.openbsd.org 2001/06/27 05:42:25 + [rsa.c rsa.h ssh-agent.c ssh-keygen.c] + s/generate_additional_parameters/rsa_generate_additional_parameters/ + http://www.humppa.com/ + - markus@cvs.openbsd.org 2001/06/27 06:26:36 + [ssh-add.c] + convert to getopt(3) + - stevesk@cvs.openbsd.org 2001/06/28 19:57:35 + [ssh-keygen.c] + '\0' terminated data[] is ok; ok markus@ + - markus@cvs.openbsd.org 2001/06/29 07:06:34 + [ssh-keygen.c] + new error handling for cyberflex_* + - markus@cvs.openbsd.org 2001/06/29 07:11:01 + [ssh-keygen.c] + initialize early + - stevesk@cvs.openbsd.org 2001/06/29 18:38:44 + [clientloop.c] + sync function definition with declaration; ok markus@ + - stevesk@cvs.openbsd.org 2001/06/29 18:40:28 + [channels.c] + use socklen_t for getsockopt arg #5; ok markus@ + - stevesk@cvs.openbsd.org 2001/06/30 18:08:40 + [channels.c channels.h clientloop.c] + adress -> address; ok markus@ + - markus@cvs.openbsd.org 2001/07/02 13:59:15 + [serverloop.c session.c session.h] + wait until !session_have_children(); bugreport from + Lutz.Jaenicke@aet.TU-Cottbus.DE + - markus@cvs.openbsd.org 2001/07/02 22:29:20 + [readpass.c] + do not return NULL, use "" instead. + - markus@cvs.openbsd.org 2001/07/02 22:40:18 + [ssh-keygen.c] + update for sectok.h interface changes. + - markus@cvs.openbsd.org 2001/07/02 22:52:57 + [channels.c channels.h serverloop.c] + improve cleanup/exit logic in ssh2: + stop listening to channels, detach channel users (e.g. sessions). + wait for children (i.e. dying sessions), send exit messages, + cleanup all channels. + - (bal) forget a few new files in sync up. + - (bal) Makefile fix up requires scard.c + - (stevesk) sync misc.h + - (stevesk) more sync for session.c + - (stevesk) sync servconf.h (comments) + - (tim) [contrib/caldera/openssh.spec] sync with Caldera + - (tim) [openbsd-compat/dirname.h] Remove ^M causing some compilers to + issue warning (line 1: tokens ignored at end of directive line) + - (tim) [sshconnect1.c] give the compiler something to do for success: + if KRB5 and AFS are not defined + (ERROR: "sshconnect1.c", line 1274: Syntax error before or at: }) + +20010629 + - (bal) Removed net_aton() since we don't use it any more + - (bal) Fixed _DISABLE_VPOSIX in readpassphrase.c. + - (bal) Updated zlib's home. Thanks to David Howe . + - (stevesk) remove _REENTRANT #define + - (stevesk) session.c: use u_int for envsize + - (stevesk) remove cli.[ch] + +20010628 + - (djm) Sync openbsd-compat with -current libc + - (djm) Fix from Lutz Jaenicke for my + broken makefile + - (bal) Removed strtok_r() and inet_ntop() since they are no longer used. + - (bal) Remove getusershell() since it's no longer used. + +20010627 + - (djm) Reintroduce pam_session call for non-pty sessions. + - (djm) Remove redundant and incorrect test for max auth attempts in + PAM kbdint code. Based on fix from Matthew Melvin + + - (djm) Rename sysconfdir/primes => sysconfdir/moduli + - (djm) Oops, forgot make logic for primes=>moduli. Also try to rename + existing primes->moduli if it exists. + - (djm) Sync with -current openbsd-compat/readpassphrase.c: + - djm@cvs.openbsd.org 2001/06/27 13:23:30 + typo, spotted by Tom Holroyd ; ok deraadt@ + - (djm) Turn up warnings if gcc or egcs detected + - (stevesk) for HP-UX 11.X use X/Open socket interface; + pulls in modern socket prototypes and eliminates a number of compiler + warnings. see xopen_networking(7). + - (stevesk) fix x11 forwarding from _PATH_XAUTH change + - (stevesk) use X/Open socket interface for HP-UX 10.X also + +20010625 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/06/21 21:08:25 + [session.c] + don't reset forced_command (we allow multiple login shells in + ssh2); dwd@bell-labs.com + - mpech@cvs.openbsd.org 2001/06/22 10:17:51 + [ssh.1 sshd.8 ssh-keyscan.1] + o) .Sh AUTHOR -> .Sh AUTHORS; + o) remove unnecessary .Pp; + o) better -mdoc style; + o) typo; + o) sort SEE ALSO; + aaron@ ok + - provos@cvs.openbsd.org 2001/06/22 21:27:08 + [dh.c pathnames.h] + use /etc/moduli instead of /etc/primes, okay markus@ + - provos@cvs.openbsd.org 2001/06/22 21:28:53 + [sshd.8] + document /etc/moduli + - markus@cvs.openbsd.org 2001/06/22 21:55:49 + [auth2.c auth-rsa.c pathnames.h ssh.1 sshd.8 sshd_config + ssh-keygen.1] + merge authorized_keys2 into authorized_keys. + authorized_keys2 is used for backward compat. + (just append authorized_keys2 to authorized_keys). + - provos@cvs.openbsd.org 2001/06/22 21:57:59 + [dh.c] + increase linebuffer to deal with larger moduli; use rewind instead of + close/open + - markus@cvs.openbsd.org 2001/06/22 22:21:20 + [sftp-server.c] + allow long usernames/groups in readdir + - markus@cvs.openbsd.org 2001/06/22 23:35:21 + [ssh.c] + don't overwrite argv (fixes ssh user@host in 'ps'), report by ericj@ + - deraadt@cvs.openbsd.org 2001/06/23 00:16:16 + [scp.c] + slightly better care + - markus@cvs.openbsd.org 2001/06/23 00:20:57 + [auth2.c auth.c auth.h auth-rh-rsa.c] + *known_hosts2 is obsolete for hostbased authentication and + only used for backward compat. merge ssh1/2 hostkey check + and move it to auth.c + - deraadt@cvs.openbsd.org 2001/06/23 02:33:05 + [sftp.1 sftp-server.8 ssh-keygen.1] + join .%A entries; most by bk@rt.fm + - markus@cvs.openbsd.org 2001/06/23 02:34:33 + [kexdh.c kexgex.c kex.h pathnames.h readconf.c servconf.h ssh.1 + sshconnect1.c sshconnect2.c sshconnect.c sshconnect.h sshd.8] + get rid of known_hosts2, use it for hostkey lookup, but do not + modify. + - markus@cvs.openbsd.org 2001/06/23 03:03:59 + [sshd.8] + draft-ietf-secsh-dh-group-exchange-01.txt + - markus@cvs.openbsd.org 2001/06/23 03:04:42 + [auth2.c auth-rh-rsa.c] + restore correct ignore_user_known_hosts logic. + - markus@cvs.openbsd.org 2001/06/23 05:26:02 + [key.c] + handle sigature of size 0 (some broken clients send this). + - deraadt@cvs.openbsd.org 2001/06/23 05:57:09 + [sftp.1 sftp-server.8 ssh-keygen.1] + ok, tmac is now fixed + - markus@cvs.openbsd.org 2001/06/23 06:41:10 + [ssh-keygen.c] + try to decode ssh-3.0.0 private rsa keys + (allow migration to openssh, not vice versa), #910 + - itojun@cvs.openbsd.org 2001/06/23 15:12:20 + [auth1.c auth2.c auth2-chall.c authfd.c authfile.c auth-rhosts.c + canohost.c channels.c cipher.c clientloop.c deattack.c dh.c + hostfile.c kex.c kexdh.c kexgex.c key.c nchan.c packet.c radix.c + readpass.c scp.c servconf.c serverloop.c session.c sftp.c + sftp-client.c sftp-glob.c sftp-int.c sftp-server.c ssh-add.c + ssh-agent.c ssh.c sshconnect1.c sshconnect2.c sshconnect.c sshd.c + ssh-keygen.c ssh-keyscan.c] + more strict prototypes. raise warning level in Makefile.inc. + markus ok'ed + TODO; cleanup headers + - markus@cvs.openbsd.org 2001/06/23 17:05:22 + [ssh-keygen.c] + fix import for (broken?) ssh.com/f-secure private keys + (i tested > 1000 RSA keys) + - itojun@cvs.openbsd.org 2001/06/23 17:48:18 + [sftp.1 ssh.1 sshd.8 ssh-keyscan.1] + kill whitespace at EOL. + - markus@cvs.openbsd.org 2001/06/23 19:12:43 + [sshd.c] + pidfile/sigterm race; bbraun@synack.net + - markus@cvs.openbsd.org 2001/06/23 22:37:46 + [sshconnect1.c] + consistent with ssh2: skip key if empty passphrase is entered, + retry num_of_passwd_prompt times if passphrase is wrong. ok fgsch@ + - markus@cvs.openbsd.org 2001/06/24 05:25:10 + [auth-options.c match.c match.h] + move ip+hostname check to match.c + - markus@cvs.openbsd.org 2001/06/24 05:35:33 + [readpass.c readpass.h ssh-add.c sshconnect2.c ssh-keygen.c] + switch to readpassphrase(3) + 2.7/8-stable needs readpassphrase.[ch] from libc + - markus@cvs.openbsd.org 2001/06/24 05:47:13 + [sshconnect2.c] + oops, missing format string + - markus@cvs.openbsd.org 2001/06/24 17:18:31 + [ttymodes.c] + passing modes works fine: debug2->3 + - (djm) -Wall fix for session.c + - (djm) Bring in readpassphrase() from OpenBSD libc. Compiles OK on Linux and + Solaris + +20010622 + - (stevesk) handle systems without pw_expire and pw_change. + +20010621 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/06/16 08:49:38 + [misc.c] + typo; dunlap@apl.washington.edu + - markus@cvs.openbsd.org 2001/06/16 08:50:39 + [channels.h] + bad //-style comment; thx to stevev@darkwing.uoregon.edu + - markus@cvs.openbsd.org 2001/06/16 08:57:35 + [scp.c] + no stdio or exit() in signal handlers. + - markus@cvs.openbsd.org 2001/06/16 08:58:34 + [misc.c] + copy pw_expire and pw_change, too. + - markus@cvs.openbsd.org 2001/06/19 12:34:09 + [session.c] + cleanup forced command handling, from dwd@bell-labs.com + - markus@cvs.openbsd.org 2001/06/19 14:09:45 + [session.c sshd.8] + disable x11-fwd if use_login is enabled; from lukem@wasabisystems.com + - markus@cvs.openbsd.org 2001/06/19 15:40:45 + [session.c] + allocate and free at the same level. + - markus@cvs.openbsd.org 2001/06/20 13:56:39 + [channels.c channels.h clientloop.c packet.c serverloop.c] + move from channel_stop_listening to channel_free_all, + call channel_free_all before calling waitpid() in serverloop. + fixes the utmp handling; report from Lutz.Jaenicke@aet.TU-Cottbus.DE + +20010615 + - (stevesk) don't set SA_RESTART and set SIGCHLD to SIG_DFL + around grantpt(). + - (stevesk) update TODO: STREAMS pty systems don't call vhangup() now + +20010614 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/06/13 09:10:31 + [session.c] + typo, use pid not s->pid, mstone@cs.loyola.edu + +20010613 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/06/12 10:58:29 + [session.c] + merge session_free into session_close() + merge pty_cleanup_proc into session_pty_cleanup() + - markus@cvs.openbsd.org 2001/06/12 16:10:38 + [session.c] + merge ssh1/ssh2 tty msg parse and alloc code + - markus@cvs.openbsd.org 2001/06/12 16:11:26 + [packet.c] + do not log() packet_set_maxsize + - markus@cvs.openbsd.org 2001/06/12 21:21:29 + [session.c] + remove xauth-cookie-in-tmp handling. use default $XAUTHORITY, since + we do already trust $HOME/.ssh + you can use .ssh/sshrc and .ssh/environment if you want to customize + the location of the xauth cookies + - markus@cvs.openbsd.org 2001/06/12 21:30:57 + [session.c] + unused + +20010612 + - scp.c ID update (upstream synced vfsprintf() from us) + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/06/10 11:29:20 + [dispatch.c] + we support rekeying + protocol errors are fatal. + - markus@cvs.openbsd.org 2001/06/11 10:18:24 + [session.c] + reset pointer to NULL after xfree(); report from solar@openwall.com + - markus@cvs.openbsd.org 2001/06/11 16:04:38 + [sshd.8] + typo; bdubreuil@crrel.usace.army.mil + +20010611 + - (bal) NeXT/MacOS X lack libgen.h and dirname(). Patch by Mark Miller + + - (bal) Handle broken krb4 issues on Solaris with multiple defined u_*_t + types. Patch by Jan IVEN + - (bal) Fixed Makefile.in so that 'configure; make install' works. + +20010610 + - (bal) Missed two files in major resync. auth-bsdauth.c and auth-skey.c + +20010609 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/05/30 12:55:13 + [auth-options.c auth2.c channels.c channels.h clientloop.c nchan.c + packet.c serverloop.c session.c ssh.c ssh1.h] + channel layer cleanup: merge header files and split .c files + - markus@cvs.openbsd.org 2001/05/30 15:20:10 + [ssh.c] + merge functions, simplify. + - markus@cvs.openbsd.org 2001/05/31 10:30:17 + [auth-options.c auth2.c channels.c channels.h clientloop.c nchan.c + packet.c serverloop.c session.c ssh.c] + undo the .c file split, just merge the header and keep the cvs + history + - (bal) Channels.c and Channels.h -- "Merge Functions, simplify" (draged + out of ssh Attic) + - (bal) Ooops.. nchan.c (and remove nchan.h) resync from OpenBSD ssh + Attic. + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/05/31 13:08:04 + [sshd_config] + group options and add some more comments + - markus@cvs.openbsd.org 2001/06/03 14:55:39 + [channels.c channels.h session.c] + use fatal_register_cleanup instead of atexit, sync with x11 authdir + handling + - markus@cvs.openbsd.org 2001/06/03 19:36:44 + [ssh-keygen.1] + 1-2 bits of entrophy per character (not per word), ok stevesk@ + - markus@cvs.openbsd.org 2001/06/03 19:38:42 + [scp.c] + pass -v to ssh; from slade@shore.net + - markus@cvs.openbsd.org 2001/06/03 20:06:11 + [auth2-chall.c] + the challenge response device decides how to handle non-existing + users. + -> fake challenges for skey and cryptocard + - markus@cvs.openbsd.org 2001/06/04 21:59:43 + [channels.c channels.h session.c] + switch uid when cleaning up tmp files and sockets; reported by + zen-parse@gmx.net on bugtraq + - markus@cvs.openbsd.org 2001/06/04 23:07:21 + [clientloop.c serverloop.c sshd.c] + set flags in the signal handlers, do real work in the main loop, + ok provos@ + - markus@cvs.openbsd.org 2001/06/04 23:16:16 + [session.c] + merge ssh1/2 x11-fwd setup, create listener after tmp-dir + - pvalchev@cvs.openbsd.org 2001/06/05 05:05:39 + [ssh-keyscan.1 ssh-keyscan.c] + License clarification from David Mazieres, ok deraadt@ + - markus@cvs.openbsd.org 2001/06/05 10:24:32 + [channels.c] + don't delete the auth socket in channel_stop_listening() + auth_sock_cleanup_proc() will take care of this. + - markus@cvs.openbsd.org 2001/06/05 16:46:19 + [session.c] + let session_close() delete the pty. deny x11fwd if xauthfile is set. + - markus@cvs.openbsd.org 2001/06/06 23:13:54 + [ssh-dss.c ssh-rsa.c] + cleanup, remove old code + - markus@cvs.openbsd.org 2001/06/06 23:19:35 + [ssh-add.c] + remove debug message; Darren.Moffat@eng.sun.com + - markus@cvs.openbsd.org 2001/06/07 19:57:53 + [auth2.c] + style is used for bsdauth. + disconnect on user/service change (ietf-drafts) + - markus@cvs.openbsd.org 2001/06/07 20:23:05 + [authfd.c authfile.c channels.c kexdh.c kexgex.c packet.c ssh.c + sshconnect.c sshconnect1.c] + use xxx_put_cstring() + - markus@cvs.openbsd.org 2001/06/07 22:25:02 + [session.c] + don't overwrite errno + delay deletion of the xauth cookie + - markus@cvs.openbsd.org 2001/06/08 15:25:40 + [includes.h pathnames.h readconf.c servconf.c] + move the path for xauth to pathnames.h + - (bal) configure.in fix for Tru64 (forgeting to reset $LIB) + - (bal) ANSIify strmode() + - (bal) --with-catman should be --with-mantype patch by Dave + Dykstra + +20010606 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/05/17 21:34:15 [ssh.1] - move info on ssh return values and config files up into the main - description; - - jmc@cvs.openbsd.org 2005/12/21 11:48:16 + no spaces in PreferredAuthentications; + meixner@rbg.informatik.tu-darmstadt.de + - markus@cvs.openbsd.org 2001/05/18 14:13:29 + [auth-chall.c auth.h auth1.c auth2-chall.c auth2.c readconf.c + readconf.h servconf.c servconf.h sshconnect1.c sshconnect2.c sshd.c] + improved kbd-interactive support. work by per@appgate.com and me + - djm@cvs.openbsd.org 2001/05/19 00:36:40 + [session.c] + Disable X11 forwarding if xauth binary is not found. Patch from Nalin + Dahyabhai ; ok markus@ + - markus@cvs.openbsd.org 2001/05/19 16:05:41 + [scp.c] + ftruncate() instead of open()+O_TRUNC like rcp.c does + allows scp /path/to/file localhost:/path/to/file + - markus@cvs.openbsd.org 2001/05/19 16:08:43 + [sshd.8] + sort options; Matthew.Stier@fnc.fujitsu.com + - markus@cvs.openbsd.org 2001/05/19 16:32:16 + [ssh.1 sshconnect2.c] + change preferredauthentication order to + publickey,hostbased,password,keyboard-interactive + document that hostbased defaults to no, document order + - markus@cvs.openbsd.org 2001/05/19 16:46:19 + [ssh.1 sshd.8] + document MACs defaults with .Dq + - stevesk@cvs.openbsd.org 2001/05/19 19:43:57 + [misc.c misc.h servconf.c sshd.8 sshd.c] + sshd command-line arguments and configuration file options that + specify time may be expressed using a sequence of the form: + time[qualifier], where time is a positive integer value and qualifier + is one of the following: + ,s,m,h,d,w + Examples: + 600 600 seconds (10 minutes) + 10m 10 minutes + 1h30m 1 hour 30 minutes (90 minutes) + ok markus@ + - stevesk@cvs.openbsd.org 2001/05/19 19:57:09 + [channels.c] + typo in error message + - markus@cvs.openbsd.org 2001/05/20 17:20:36 + [auth-rsa.c auth.c auth.h auth2.c servconf.c servconf.h sshd.8 + sshd_config] + configurable authorized_keys{,2} location; originally from peter@; + ok djm@ + - markus@cvs.openbsd.org 2001/05/24 11:12:42 + [auth.c] + fix comment; from jakob@ + - stevesk@cvs.openbsd.org 2001/05/24 18:57:53 + [clientloop.c readconf.c ssh.c ssh.h] + don't perform escape processing when ``EscapeChar none''; ok markus@ + - markus@cvs.openbsd.org 2001/05/25 14:37:32 + [ssh-keygen.c] + use -P for -e and -y, too. + - markus@cvs.openbsd.org 2001/05/28 08:04:39 + [ssh.c] + fix usage() + - markus@cvs.openbsd.org 2001/05/28 10:08:55 + [authfile.c] + key_load_private: set comment to filename for PEM keys + - markus@cvs.openbsd.org 2001/05/28 22:51:11 + [cipher.c cipher.h] + simpler 3des for ssh1 + - markus@cvs.openbsd.org 2001/05/28 23:14:49 + [channels.c channels.h nchan.c] + undo broken channel fix and try a different one. there + should be still some select errors... + - markus@cvs.openbsd.org 2001/05/28 23:25:24 + [channels.c] + cleanup, typo + - markus@cvs.openbsd.org 2001/05/28 23:58:35 + [packet.c packet.h sshconnect.c sshd.c] + remove some lines, simplify. + - markus@cvs.openbsd.org 2001/05/29 12:31:27 + [authfile.c] + typo + +20010528 + - (tim) [conifgure.in] add setvbuf test needed for sftp-int.c + Patch by Corinna Vinschen + +20010517 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/05/12 19:53:13 + [sftp-server.c] + readlink does not NULL-terminate; mhe@home.se + - deraadt@cvs.openbsd.org 2001/05/15 22:04:01 [ssh.1] - -L and -R descriptions are now above, not below, ~C description; - - jmc@cvs.openbsd.org 2005/12/21 11:57:25 + X11 forwarding details improved + - markus@cvs.openbsd.org 2001/05/16 20:51:57 + [authfile.c] + return comments for private pem files, too; report from nolan@naic.edu + - markus@cvs.openbsd.org 2001/05/16 21:53:53 + [clientloop.c] + check for open sessions before we call select(); fixes the x11 client + bug reported by bowman@math.ualberta.ca + - markus@cvs.openbsd.org 2001/05/16 22:09:21 + [channels.c nchan.c] + more select() error fixes (don't set rfd/wfd to -1). + - (bal) Enabled USE_PIPES for Cygwin on Corinna Vinschen + - (bal) Corrected on_exit() emulation via atexit(). + +20010512 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/05/11 14:59:56 + [clientloop.c misc.c misc.h] + add unset_nonblock for stdout/err flushing in client_loop(). + - (bal) Patch to partial sync up contrib/solaris/ packaging software. + Patch by pete + +20010511 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/05/09 22:51:57 + [channels.c] + fix -R for protocol 2, noticed by greg@nest.cx. + bug was introduced with experimental dynamic forwarding. + - markus@cvs.openbsd.org 2001/05/09 23:01:31 + [rijndael.h] + fix prototype; J.S.Peatfield@damtp.cam.ac.uk + +20010509 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/05/06 21:23:31 + [cli.c] + cli_read() fails to catch SIGINT + overflow; from obdb@zzlevo.net + - markus@cvs.openbsd.org 2001/05/08 19:17:31 + [channels.c serverloop.c clientloop.c] + adds correct error reporting to async connect()s + fixes the server-discards-data-before-connected-bug found by + onoe@sm.sony.co.jp + - mouring@cvs.openbsd.org 2001/05/08 19:45:25 + [misc.c misc.h scp.c sftp.c] + Use addargs() in sftp plus some clean up of addargs(). OK Markus + - markus@cvs.openbsd.org 2001/05/06 21:45:14 + [clientloop.c] + use atomicio for flushing stdout/stderr bufs. thanks to + jbw@izanami.cee.hw.ac.uk + - markus@cvs.openbsd.org 2001/05/08 22:48:07 + [atomicio.c] + no need for xmalloc.h, thanks to espie@ + - (bal) UseLogin patch for Solaris/UNICOS. Patch by Wayne Davison + + - (bal) ./configure support to disable SIA on OSF1. Patch by + Chris Adams + - (bal) Updates from the Sony NEWS-OS platform by NAKAJI Hiroyuki + + +20010508 + - (bal) Fixed configure test for USE_SIA. + +20010506 + - (djm) Update config.guess and config.sub with latest versions (from + ftp://ftp.gnu.org/gnu/config/) to allow configure on ia64-hpux. + Suggested by Jason Mader + - (bal) White Space and #ifdef sync with OpenBSD + - (bal) Add 'seed_rng()' to ssh-add.c + - (bal) CVS ID updates for readpass.c, readpass.h, cli.c, and cli.h + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/05/05 13:42:52 + [sftp.1 ssh-add.1 ssh-keygen.1] + typos, grammar + +20010505 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/05/04 14:21:56 + [ssh.1 sshd.8] + typos + - markus@cvs.openbsd.org 2001/05/04 14:34:34 + [channels.c] + channel_new() reallocs channels[], we cannot use Channel *c after + calling channel_new(), XXX fix this in the future... + - markus@cvs.openbsd.org 2001/05/04 23:47:34 + [channels.c channels.h clientloop.c nchan.c nchan.h serverloop.c ssh.c] + move to Channel **channels (instead of Channel *channels), fixes realloc + problems. channel_new now returns a Channel *, favour Channel * over + channel id. remove old channel_allocate interface. + +20010504 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/05/03 15:07:39 + [channels.c] + typo in debug() string + - markus@cvs.openbsd.org 2001/05/03 15:45:15 + [session.c] + exec shell -c /bin/sh .ssh/sshrc, from abartlet@pcug.org.au + - stevesk@cvs.openbsd.org 2001/05/03 21:43:01 + [servconf.c] + remove "\n" from fatal() + - mouring@cvs.openbsd.org 2001/05/03 23:09:53 + [misc.c misc.h scp.c sftp.c] + Move colon() and cleanhost() to misc.c where I should I have put it in + the first place + - (bal) Updated Cygwin README by Corinna Vinschen + - (bal) Avoid socket file security issues in ssh-agent for Cygwin. + Patch by Egor Duda + +20010503 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/05/02 16:41:20 + [ssh-add.c] + fix prompt for ssh-add. + +20010502 + - OpenBSD CVS Sync + - mouring@cvs.openbsd.org 2001/05/02 01:25:39 + [readpass.c] + Put the 'const' back into ssh_askpass() function. Pointed out + by Mark Miller . OK Markus + +20010501 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/30 11:18:52 + [readconf.c readconf.h ssh.1 ssh.c sshconnect.c] + implement 'ssh -b bind_address' like 'telnet -b' + - markus@cvs.openbsd.org 2001/04/30 15:50:46 + [compat.c compat.h kex.c] + allow interop with weaker key generation used by ssh-2.0.x, x < 10 + - markus@cvs.openbsd.org 2001/04/30 16:02:49 + [compat.c] + ssh-2.0.10 has the weak-key-bug, too. + - (tim) [contrib/caldera/openssh.spec] add Requires line for Caldera 3.1 + +20010430 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/29 18:32:52 + [serverloop.c] + fix whitespace + - markus@cvs.openbsd.org 2001/04/29 19:16:52 + [channels.c clientloop.c compat.c compat.h serverloop.c] + more ssh.com-2.0.x bug-compat; from per@appgate.com + - (tim) New version of mdoc2man.pl from Mark D. Roth + - (djm) Add .cvsignore files, suggested by Wayne Davison + +20010429 + - (bal) Updated INSTALL. PCRE moved to a new place. + - (djm) Release OpenSSH-2.9p1 + +20010427 + - (bal) Fixed uidswap.c so it should work on non-posix complient systems. + patch based on 2.5.2 version by djm. + - (bal) Build manpages and config files once unless changed. Patch by + Carson Gaspar + - (bal) arpa/nameser.h does not exist on Cygwin. Patch by Corinna + Vinschen + - (bal) Add /etc/sysconfig/sshd support to redhat's sshd.init. Patch by + Pekka Savola + - (bal) Cygwin lacks setgroups() API. Patch by Corinna Vinschen + + - (bal) version.h synced, RPM specs updated for 2.9 + - (tim) update contrib/caldera files with what Caldera is using. + + +20010425 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/23 21:57:07 + [ssh-keygen.1 ssh-keygen.c] + allow public key for -e, too + - markus@cvs.openbsd.org 2001/04/23 22:14:13 + [ssh-keygen.c] + remove debug + - (bal) Whitespace resync w/ OpenBSD for uidswap.c + - (djm) Add new server configuration directive 'PAMAuthenticationViaKbdInt' + (default: off), implies KbdInteractiveAuthentication. Suggestion from + markus@ + - (djm) Include crypt.h if available in auth-passwd.c + - tim@mindrot.org 2001/04/25 21:38:01 [configure.in] + man page detection fixes for SCO + +20010424 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/22 23:58:36 + [ssh-keygen.1 ssh.1 sshd.8] + document hostbased and other cleanup + - (stevesk) start_pam() doesn't use DNS now for sshd -u0. + - (stevesk) auth-pam.c: use PERMIT_NO_PASSWD + - (bal) sys/queue.h is bogus for NCR platform. Patch by Daniel Carroll + + - (bal) Fixed contrib/postinstall.in. Patch by wsanders@wsanders.net + +20010422 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/20 16:32:22 + [uidswap.c] + set non-privileged gid before uid; tholo@ and deraadt@ + - mouring@cvs.openbsd.org 2001/04/21 00:55:57 + [sftp.1] + Spelling + - djm@cvs.openbsd.org 2001/04/22 08:13:30 [ssh.1] - options now described `above', rather than `later'; - - jmc@cvs.openbsd.org 2005/12/21 12:53:31 + typos spotted by stevesk@; ok deraadt@ + - markus@cvs.openbsd.org 2001/04/22 12:34:05 + [scp.c] + scp > 2GB; niles@scyld.com; ok deraadt@, djm@ + - markus@cvs.openbsd.org 2001/04/22 13:25:37 + [ssh-keygen.1 ssh-keygen.c] + rename arguments -x -> -e (export key), -X -> -i (import key) + xref draft-ietf-secsh-publickeyfile-01.txt + - markus@cvs.openbsd.org 2001/04/22 13:32:27 + [sftp-server.8 sftp.1 ssh.1 sshd.8] + xref draft-ietf-secsh-* + - markus@cvs.openbsd.org 2001/04/22 13:41:02 + [ssh-keygen.1 ssh-keygen.c] + style, noted by stevesk; sort flags in usage + +20010421 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/04/20 07:17:51 + [clientloop.c ssh.1] + Split out and improve escape character documentation, mention ~R in + ~? help text; ok markus@ + - Update RPM spec files for CVS version.h + - (stevesk) set the default PAM service name to __progname instead + of the hard-coded value "sshd"; from Mark D. Roth + - (stevesk) document PAM service name change in INSTALL + - tim@mindrot.org 2001/04/21 14:25:57 [Makefile.in configure.in] + fix perl test, fix nroff test, fix Makefile to build outside source tree + +20010420 + - OpenBSD CVS Sync + - ian@cvs.openbsd.org 2001/04/18 16:21:05 + [ssh-keyscan.1] + Fix typo reported in PR/1779 + - markus@cvs.openbsd.org 2001/04/18 21:57:42 + [readpass.c ssh-add.c] + call askpass from ssh, too, based on work by roth@feep.net, ok deraadt + - markus@cvs.openbsd.org 2001/04/18 22:03:45 + [auth2.c sshconnect2.c] + use FDQN with trailing dot in the hostbased auth packets, ok deraadt@ + - markus@cvs.openbsd.org 2001/04/18 22:48:26 + [auth2.c] + no longer const + - markus@cvs.openbsd.org 2001/04/18 23:43:26 + [auth2.c compat.c sshconnect2.c] + more ssh v2 hostbased-auth interop: ssh.com >= 2.1.0 works now + (however the 2.1.0 server seems to work only if debug is enabled...) + - markus@cvs.openbsd.org 2001/04/18 23:44:51 + [authfile.c] + error->debug; noted by fries@ + - markus@cvs.openbsd.org 2001/04/19 00:05:11 + [auth2.c] + use local variable, no function call needed. + (btw, hostbased works now with ssh.com >= 2.0.13) + - (bal) Put scp-common.h back into scp.c (it exists in the upstream + tree) pointed out by Tom Holroyd + +20010418 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/17 19:34:25 + [session.c] + move auth_approval to do_authenticated(). + do_child(): nuke hostkeys from memory + don't source .ssh/rc for subsystems. + - markus@cvs.openbsd.org 2001/04/18 14:15:00 + [canohost.c] + debug->debug3 + - (bal) renabled 'catman-do:' and fixed it. So now catman pages should + be working again. + - (bal) Makfile day... Cleaned up multiple mantype support (Patch by + Mark D. Roth ), and fixed PIDDIR support. + +20010417 + - (bal) Add perl5 check for HP/UX, Removed GNUness from Makefile.in + and temporary commented out 'catman-do:' since it is broken. Patches + for the first two by Lutz Jaenicke + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/04/16 08:26:04 + [key.c] + better safe than sorry in later mods; yongari@kt-is.co.kr + - markus@cvs.openbsd.org 2001/04/17 08:14:01 + [sshconnect1.c] + check for key!=NULL, thanks to costa + - markus@cvs.openbsd.org 2001/04/17 09:52:48 + [clientloop.c] + handle EINTR/EAGAIN on read; ok deraadt@ + - markus@cvs.openbsd.org 2001/04/17 10:53:26 + [key.c key.h readconf.c readconf.h ssh.1 sshconnect2.c] + add HostKeyAlgorithms; based on patch from res@shore.net; ok provos@ + - markus@cvs.openbsd.org 2001/04/17 12:55:04 + [channels.c ssh.c] + undo socks5 and https support since they are not really used and + only bloat ssh. remove -D from usage(), since '-D' is experimental. + +20010416 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/04/15 01:35:22 + [ttymodes.c] + fix comments + - markus@cvs.openbsd.org 2001/04/15 08:43:47 + [dh.c sftp-glob.c sftp-glob.h sftp-int.c sshconnect2.c sshd.c] + some unused variable and typos; from tomh@po.crl.go.jp + - markus@cvs.openbsd.org 2001/04/15 16:58:03 + [authfile.c ssh-keygen.c sshd.c] + don't use errno for key_{load,save}_private; discussion w/ solar@openwall + - markus@cvs.openbsd.org 2001/04/15 17:16:00 + [clientloop.c] + set stdin/out/err to nonblocking in SSH proto 1, too. suggested by ho@ + should fix some of the blocking problems for rsync over SSH-1 + - stevesk@cvs.openbsd.org 2001/04/15 19:41:21 + [sshd.8] + some ClientAlive cleanup; ok markus@ + - stevesk@cvs.openbsd.org 2001/04/15 21:28:35 + [readconf.c servconf.c] + use fatal() or error() vs. fprintf(); ok markus@ + - (djm) Convert mandoc manpages to man automatically. Patch from Mark D. + Roth + - (bal) CVS ID fix up and slight manpage fix from OpenBSD tree. + - (djm) OpenBSD CVS Sync + - mouring@cvs.openbsd.org 2001/04/16 02:31:44 + [scp.c sftp.c] + IPv6 support for sftp (which I bungled in my last patch) which is + borrowed from scp.c. Thanks to Markus@ for pointing it out. + - deraadt@cvs.openbsd.org 2001/04/16 08:05:34 + [xmalloc.c] + xrealloc dealing with ptr == nULL; mouring + - djm@cvs.openbsd.org 2001/04/16 08:19:31 + [session.c] + Split motd and hushlogin checks into seperate functions, helps for + portable. From Chris Adams ; ok markus@ + - Fix OSF SIA support displaying too much information for quiet + logins and logins where access was denied by SIA. Patch from Chris Adams + + +20010415 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/04/14 04:31:01 + [ssh-add.c] + do not double free + - markus@cvs.openbsd.org 2001/04/14 16:17:14 + [channels.c] + remove some channels that are not appropriate for keepalive. + - markus@cvs.openbsd.org 2001/04/14 16:27:57 + [ssh-add.c] + use clear_pass instead of xfree() + - stevesk@cvs.openbsd.org 2001/04/14 16:33:20 + [clientloop.c packet.h session.c ssh.c ttymodes.c ttymodes.h] + protocol 2 tty modes support; ok markus@ + - stevesk@cvs.openbsd.org 2001/04/14 17:04:42 + [scp.c] + 'T' handling rcp/scp sync; ok markus@ + - Missed sshtty.[ch] in Sync. + +20010414 + - Sync with OpenBSD glob.c, strlcat.c and vis.c changes + - Cygwin sftp/sftp-server binary mode patch from Corinna Vinschen + + - OpenBSD CVS Sync + - beck@cvs.openbsd.org 2001/04/13 22:46:54 + [channels.c channels.h servconf.c servconf.h serverloop.c sshd.8] + Add options ClientAliveInterval and ClientAliveCountMax to sshd. + This gives the ability to do a "keepalive" via the encrypted channel + which can't be spoofed (unlike TCP keepalives). Useful for when you want + to use ssh connections to authenticate people for something, and know + relatively quickly when they are no longer authenticated. Disabled + by default (of course). ok markus@ + +20010413 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/12 14:29:09 + [ssh.c] + show debug output during option processing, report from + pekkas@netcore.fi + - markus@cvs.openbsd.org 2001/04/12 19:15:26 + [auth-rhosts.c auth.h auth2.c buffer.c canohost.c canohost.h + compat.c compat.h hostfile.c pathnames.h readconf.c readconf.h + servconf.c servconf.h ssh.c sshconnect.c sshconnect.h sshconnect1.c + sshconnect2.c sshd_config] + implement HostbasedAuthentication (= RhostRSAAuthentication for ssh v2) + similar to RhostRSAAuthentication unless you enable (the experimental) + HostbasedUsesNameFromPacketOnly option. please test. :) + - markus@cvs.openbsd.org 2001/04/12 19:39:27 + [readconf.c] + typo + - stevesk@cvs.openbsd.org 2001/04/12 20:09:38 + [misc.c misc.h readconf.c servconf.c ssh.c sshd.c] + robust port validation; ok markus@ jakob@ + - mouring@cvs.openbsd.org 2001/04/12 23:17:54 + [sftp-int.c sftp-int.h sftp.1 sftp.c] + Add support for: + sftp [user@]host[:file [file]] - Fetch remote file(s) + sftp [user@]host[:dir[/]] - Start in remote dir/ + OK deraadt@ + - stevesk@cvs.openbsd.org 2001/04/13 01:26:17 + [ssh.c] + missing \n in error message + - (bal) Added openbsd-compat/inet_ntop.[ch] since HP/UX (and others) + lack it. + +20010412 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/10 07:46:58 + [channels.c] + cleanup socks4 handling + - itojun@cvs.openbsd.org 2001/04/10 09:13:22 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + document id_rsa{.pub,}. markus ok + - markus@cvs.openbsd.org 2001/04/10 12:15:23 + [channels.c] + debug cleanup + - djm@cvs.openbsd.org 2001/04/11 07:06:22 + [sftp-int.c] + 'mget' and 'mput' aliases; ok markus@ + - markus@cvs.openbsd.org 2001/04/11 10:59:01 + [ssh.c] + use strtol() for ports, thanks jakob@ + - markus@cvs.openbsd.org 2001/04/11 13:56:13 + [channels.c ssh.c] + https-connect and socks5 support. i feel so bad. + - lebel@cvs.openbsd.org 2001/04/11 16:25:30 + [sshd.8 sshd.c] + implement the -e option into sshd: + -e When this option is specified, sshd will send the output to the + standard error instead of the system log. + markus@ OK. + +20010410 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/04/08 20:52:55 + [sftp.c] + do not modify an actual argv[] entry + - stevesk@cvs.openbsd.org 2001/04/08 23:28:27 + [sshd.8] + spelling + - stevesk@cvs.openbsd.org 2001/04/09 00:42:05 + [sftp.1] + spelling + - markus@cvs.openbsd.org 2001/04/09 15:12:23 + [ssh-add.c] + passphrase caching: ssh-add tries last passphrase, clears passphrase if + not successful and after last try. + based on discussions with espie@, jakob@, ... and code from jakob@ and + wolfgang@wsrcc.com + - markus@cvs.openbsd.org 2001/04/09 15:19:49 + [ssh-add.1] + ssh-add retries the last passphrase... + - stevesk@cvs.openbsd.org 2001/04/09 18:00:15 + [sshd.8] + ListenAddress mandoc from aaron@ + +20010409 + - (stevesk) use setresgid() for setegid() if needed + - (stevesk) configure.in: typo + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/04/08 16:01:36 + [sshd.8] + document ListenAddress addr:port + - markus@cvs.openbsd.org 2001/04/08 13:03:00 + [ssh-add.c] + init pointers with NULL, thanks to danimal@danimal.org + - markus@cvs.openbsd.org 2001/04/08 11:27:33 + [clientloop.c] + leave_raw_mode if ssh2 "session" is closed + - markus@cvs.openbsd.org 2001/04/06 21:00:17 + [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth2.c channels.c session.c + ssh.c sshconnect.c sshconnect.h uidswap.c uidswap.h] + do gid/groups-swap in addition to uid-swap, should help if /home/group + is chmod 750 + chgrp grp /home/group/, work be deraadt and me, thanks + to olar@openwall.com is comments. we had many requests for this. + - markus@cvs.openbsd.org 2001/04/07 08:55:18 + [buffer.c channels.c channels.h readconf.c ssh.c] + allow the ssh client act as a SOCKS4 proxy (dynamic local + portforwarding). work by Dan Kaminsky and me. + thanks to Dan for this great patch: use 'ssh -D 1080 host' and make + netscape use localhost:1080 as a socks proxy. + - markus@cvs.openbsd.org 2001/04/08 11:24:33 + [uidswap.c] + KNF + +20010408 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/04/06 22:12:47 + [hostfile.c] + unused; typo in comment + - stevesk@cvs.openbsd.org 2001/04/06 22:25:25 + [servconf.c] + in addition to: + ListenAddress host|ipv4_addr|ipv6_addr + permit: + ListenAddress [host|ipv4_addr|ipv6_addr]:port + ListenAddress host|ipv4_addr:port + sshd.8 updates coming. ok markus@ + +20010407 + - (bal) CVS ID Resync of version.h + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/05 23:39:20 + [serverloop.c] + keep the ssh session even if there is no active channel. + this is more in line with the protocol spec and makes + ssh -N -L 1234:server:110 host + more useful. + based on discussion with long time ago + and recent mail from + - deraadt@cvs.openbsd.org 2001/04/06 16:46:59 + [scp.c] + remove trailing / from source paths; fixes pr#1756 + +20010406 + - (stevesk) logintest.c: fix for systems without __progname + - (stevesk) Makefile.in: log.o is in libssh.a + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/05 10:00:06 + [compat.c] + 2.3.x does old GEX, too; report jakob@ + - markus@cvs.openbsd.org 2001/04/05 10:39:03 + [compress.c compress.h packet.c] + reset compress state per direction when rekeying. + - markus@cvs.openbsd.org 2001/04/05 10:39:48 + [version.h] + temporary version 2.5.4 (supports rekeying). + this is not an official release. + - markus@cvs.openbsd.org 2001/04/05 10:42:57 + [auth-chall.c authfd.c channels.c clientloop.c kex.c kexgex.c key.c + mac.c packet.c serverloop.c sftp-client.c sftp-client.h sftp-glob.c + sftp-glob.h sftp-int.c sftp-server.c sftp.c ssh-keygen.c sshconnect.c + sshconnect2.c sshd.c] + fix whitespace: unexpand + trailing spaces. + - markus@cvs.openbsd.org 2001/04/05 11:09:17 + [clientloop.c compat.c compat.h] + add SSH_BUG_NOREKEY and detect broken (=all old) openssh versions. + - markus@cvs.openbsd.org 2001/04/05 15:45:43 [ssh.1] - -Y does X11 forwarding too; - ok markus - - stevesk@cvs.openbsd.org 2005/12/21 22:44:26 + ssh defaults to protocol v2; from quisar@quisar.ambre.net + - stevesk@cvs.openbsd.org 2001/04/05 15:48:18 + [canohost.c canohost.h session.c] + move get_remote_name_or_ip() to canohost.[ch]; for portable. ok markus@ + - markus@cvs.openbsd.org 2001/04/05 20:01:10 + [clientloop.c] + for ~R print message if server does not support rekeying. (and fix ~R). + - markus@cvs.openbsd.org 2001/04/05 21:02:46 + [buffer.c] + better error message + - markus@cvs.openbsd.org 2001/04/05 21:05:24 + [clientloop.c ssh.c] + don't request a session for 'ssh -N', pointed out slade@shore.net + +20010405 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/04/04 09:48:35 + [kex.c kex.h kexdh.c kexgex.c packet.c sshconnect2.c sshd.c] + don't sent multiple kexinit-requests. + send newkeys, block while waiting for newkeys. + fix comments. + - markus@cvs.openbsd.org 2001/04/04 14:34:58 + [clientloop.c kex.c kex.h serverloop.c sshconnect2.c sshd.c] + enable server side rekeying + some rekey related clientup. + todo: we should not send any non-KEX messages after we send KEXINIT + - markus@cvs.openbsd.org 2001/04/04 15:50:55 + [compat.c] + f-secure 1.3.2 does not handle IGNORE; from milliondl@ornl.gov + - markus@cvs.openbsd.org 2001/04/04 20:25:38 + [channels.c channels.h clientloop.c kex.c kex.h serverloop.c + sshconnect2.c sshd.c] + more robust rekeying + don't send channel data after rekeying is started. + - markus@cvs.openbsd.org 2001/04/04 20:32:56 + [auth2.c] + we don't care about missing bannerfiles; from tsoome@ut.ee, ok deraadt@ + - markus@cvs.openbsd.org 2001/04/04 22:04:35 + [kex.c kexgex.c serverloop.c] + parse full kexinit packet. + make server-side more robust, too. + - markus@cvs.openbsd.org 2001/04/04 23:09:18 + [dh.c kex.c packet.c] + clear+free keys,iv for rekeying. + + fix DH mem leaks. ok niels@ + - (stevesk) don't use vhangup() if defined(HAVE_DEV_PTMX); also removes + BROKEN_VHANGUP + +20010404 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/04/02 17:32:23 + [ssh-agent.1] + grammar; slade@shore.net + - stevesk@cvs.openbsd.org 2001/04/03 13:56:11 + [sftp-glob.c ssh-agent.c ssh-keygen.c] + free() -> xfree() + - markus@cvs.openbsd.org 2001/04/03 19:53:29 + [dh.c dh.h kex.c kex.h sshconnect2.c sshd.c] + move kex to kex*.c, used dispatch_set() callbacks for kex. should + make rekeying easier. + - todd@cvs.openbsd.org 2001/04/03 21:19:38 + [ssh_config] + id_rsa1/2 -> id_rsa; ok markus@ + - markus@cvs.openbsd.org 2001/04/03 23:32:12 + [kex.c kex.h packet.c sshconnect2.c sshd.c] + undo parts of recent my changes: main part of keyexchange does not + need dispatch-callbacks, since application data is delayed until + the keyexchange completes (if i understand the drafts correctly). + add some infrastructure for re-keying. + - markus@cvs.openbsd.org 2001/04/04 00:06:54 + [clientloop.c sshconnect2.c] + enable client rekeying + (1) force rekeying with ~R, or + (2) if the server requests rekeying. + works against ssh-2.0.12/2.0.13/2.1.0/2.2.0/2.3.0/2.3.1/2.4.0 + - (bal) Oops.. Missed including kexdh.c and kexgex.c in OpenBSD sync. + +20010403 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/04/02 14:15:31 [sshd.8] - clarify precedence of -p, Port, ListenAddress; ok and help jmc@ - - jmc@cvs.openbsd.org 2005/12/22 10:31:40 - [ssh_config.5] - put the description of "UsePrivilegedPort" in the correct place; - - jmc@cvs.openbsd.org 2005/12/22 11:23:42 + typo; ok markus@ + - stevesk@cvs.openbsd.org 2001/04/02 14:20:23 + [readconf.c servconf.c] + correct comment; ok markus@ + - (stevesk) nchan.c: remove ostate checks and add EINVAL to + shutdown(SHUT_RD) error() bypass for HP-UX. + +20010402 + - (stevesk) log.c openbsd sync; missing newlines + - (stevesk) sshpty.h openbsd sync; PTY_H -> SSHPTY_H + +20010330 + - (djm) Another openbsd-compat/glob.c sync + - (djm) OpenBSD CVS Sync + - provos@cvs.openbsd.org 2001/03/28 21:59:41 + [kex.c kex.h sshconnect2.c sshd.c] + forgot to include min and max params in hash, okay markus@ + - provos@cvs.openbsd.org 2001/03/28 22:04:57 + [dh.c] + more sanity checking on primes file + - markus@cvs.openbsd.org 2001/03/28 22:43:31 + [auth.h auth2.c auth2-chall.c] + check auth_root_allowed for kbd-int auth, too. + - provos@cvs.openbsd.org 2001/03/29 14:24:59 + [sshconnect2.c] + use recommended defaults + - stevesk@cvs.openbsd.org 2001/03/29 21:06:21 + [sshconnect2.c sshd.c] + need to set both STOC and CTOS for SSH_BUG_BIGENDIANAES; ok markus@ + - markus@cvs.openbsd.org 2001/03/29 21:17:40 + [dh.c dh.h kex.c kex.h] + prepare for rekeying: move DH code to dh.c + - djm@cvs.openbsd.org 2001/03/29 23:42:01 + [sshd.c] + Protocol 1 key regeneration log => verbose, some KNF; ok markus@ + +20010329 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/03/26 15:47:59 [ssh.1] - expand the description of -w somewhat; - help/ok reyk - - jmc@cvs.openbsd.org 2005/12/23 14:55:53 + document more defaults; misc. cleanup. ok markus@ + - markus@cvs.openbsd.org 2001/03/26 23:12:42 + [authfile.c] + KNF + - markus@cvs.openbsd.org 2001/03/26 23:23:24 + [rsa.c rsa.h ssh-agent.c ssh-keygen.c] + try to read private f-secure ssh v2 rsa keys. + - markus@cvs.openbsd.org 2001/03/27 10:34:08 + [ssh-rsa.c sshd.c] + use EVP_get_digestbynid, reorder some calls and fix missing free. + - markus@cvs.openbsd.org 2001/03/27 10:57:00 + [compat.c compat.h ssh-rsa.c] + some older systems use NID_md5 instead of NID_sha1 for RSASSA-PKCS1-v1_5 + signatures in SSH protocol 2, ok djm@ + - provos@cvs.openbsd.org 2001/03/27 17:46:50 + [compat.c compat.h dh.c dh.h ssh2.h sshconnect2.c sshd.c version.h] + make dh group exchange more flexible, allow min and max group size, + okay markus@, deraadt@ + - stevesk@cvs.openbsd.org 2001/03/28 19:56:23 + [scp.c] + start to sync scp closer to rcp; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/28 20:04:38 + [scp.c] + usage more like rcp and add missing -B to usage; ok markus@ + - markus@cvs.openbsd.org 2001/03/28 20:50:45 + [sshd.c] + call refuse() before close(); from olemx@ans.pl + +20010328 + - (djm) Reorder tests and library inclusion for Krb4/AFS to try to + resolve linking conflicts with libcrypto. Report and suggested fix + from Holger Trapp + - (djm) Work around Solaris' broken struct dirent. Diagnosis and suggested + fix from Philippe Levan + - (djm) Rework krbIV tests to get us closer to building on Redhat. Still + doesn't work because of conflicts between krbIV's and OpenSSL's des.h + - (djm) Sync openbsd-compat/glob.c + +20010327 + - Attempt sync with sshlogin.c w/ OpenBSD (mainly CVS ID) + - Fix pointer issues in waitpid() and wait() replaces. Patch by Lutz + Jaenicke + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/03/25 00:01:34 + [session.c] + shorten; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/25 13:16:11 + [servconf.c servconf.h session.c sshd.8 sshd_config] + PrintLastLog option; from chip@valinux.com with some minor + changes by me. ok markus@ + - markus@cvs.openbsd.org 2001/03/26 08:07:09 + [authfile.c authfile.h ssh-add.c ssh-keygen.c ssh.c sshconnect.c + sshconnect.h sshconnect1.c sshconnect2.c sshd.c] + simpler key load/save interface, see authfile.h + - (djm) Reestablish PAM credentials (which can be supplemental group + memberships) after initgroups() blows them away. Report and suggested + fix from Nalin Dahyabhai + +20010324 + - Fixed permissions ssh-keyscan. Thanks to Christopher Linn . + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/03/23 11:04:07 + [compat.c compat.h sshconnect2.c sshd.c] + Compat for OpenSSH with broken Rijndael/AES. ok markus@ + - markus@cvs.openbsd.org 2001/03/23 12:02:49 + [auth1.c] + authctxt is now passed to do_authenticated + - markus@cvs.openbsd.org 2001/03/23 13:10:57 + [sftp-int.c] + fix put, upload to _absolute_ path, ok djm@ + - markus@cvs.openbsd.org 2001/03/23 14:28:32 + [session.c sshd.c] + ignore SIGPIPE, restore in child, fixes x11-fwd crashes; with djm@ + - (djm) Pull out our own SIGPIPE hacks + +20010323 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/03/22 20:22:55 + [sshd.c] + do not place linefeeds in buffer + +20010322 + - (djm) Better AIX no tty fix, spotted by Gert Doering + - (bal) version.c CVS ID resync + - (bal) auth-chall.c auth-passwd.c auth.h auth1.c auth2.c session.c CVS ID + resync + - (bal) scp.c CVS ID resync + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/20 19:10:16 + [readconf.c] + default to SSH protocol version 2 + - markus@cvs.openbsd.org 2001/03/20 19:21:21 + [session.c] + remove unused arg + - markus@cvs.openbsd.org 2001/03/20 19:21:21 + [session.c] + remove unused arg + - markus@cvs.openbsd.org 2001/03/21 11:43:45 + [auth1.c auth2.c session.c session.h] + merge common ssh v1/2 code + - jakob@cvs.openbsd.org 2001/03/21 14:20:45 + [ssh-keygen.c] + add -B flag to usage + - markus@cvs.openbsd.org 2001/03/21 21:06:30 + [session.c] + missing init; from mib@unimelb.edu.au + +20010321 + - (djm) Fix ttyname breakage for AIX and Tru64. Patch from Steve + VanDevender + - (djm) Make sure pam_retval is initialised on call to pam_end. Patch + from Solar Designer + - (djm) Don't loop forever when changing password via PAM. Patch + from Solar Designer + - (djm) Generate config files before build + - (djm) Correctly handle SIA and AIX when no tty present. Spotted and + suggested fix from Mike Battersby + +20010320 + - (bal) glob.c update to added GLOB_LIMITS (OpenBSD CVS). + - (bal) glob.c update to set gl_pathv to NULL (OpenBSD CVS). + - (bal) Oops. Missed globc.h change (OpenBSD CVS). + - (djm) OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/19 17:07:23 + [auth.c readconf.c] + undo /etc/shell and proto 2,1 change for openssh-2.5.2 + - markus@cvs.openbsd.org 2001/03/19 17:12:10 + [version.h] + version 2.5.2 + - (djm) Update RPM spec version + - (djm) Release 2.5.2p1 +- tim@mindrot.org 2001/03/19 18:33:47 [defines.h] + change S_ISLNK macro to work for UnixWare 2.03 +- tim@mindrot.org 2001/03/19 20:45:11 [openbsd-compat/glob.c] + add get_arg_max(). Use sysconf() if ARG_MAX is not defined + +20010319 + - (djm) Seed PRNG at startup, rather than waiting for arc4random calls to + do it implicitly. + - (djm) Add getusershell() functions from OpenBSD CVS + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/18 12:07:52 + [auth-options.c] + ignore permitopen="host:port" if AllowTcpForwarding==no + - (djm) Make scp work on systems without 64-bit ints + - tim@mindrot.org 2001/03/18 18:28:39 [defines.h] + move HAVE_LONG_LONG_INT where it works + - (bal) Use 'NGROUPS' for NeXT Since 'MAX_NGROUPS' is wrapped up in -lposix + stuff. Change suggested by Mark Miller + - (bal) Small fix to scp. %lu vs %ld + - (bal) NeXTStep lacks S_ISLNK. Plus split up S_IS* + - (djm) OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/03/19 03:52:51 + [sftp-client.c] + Report ssh connection closing correctly; ok deraadt@ + - deraadt@cvs.openbsd.org 2001/03/18 23:30:55 + [compat.c compat.h sshd.c] + specifically version match on ssh scanners. do not log scan + information to the console + - djm@cvs.openbsd.org 2001/03/19 12:10:17 + [sshd.8] + Document permitopen authorized_keys option; ok markus@ + - djm@cvs.openbsd.org 2001/03/19 05:49:52 [ssh.1] - - sync the description of -e w/ synopsis - - simplify the description of -I - - note that -I is only available if support compiled in, and that it - isn't by default - feedback/ok djm@ - - jmc@cvs.openbsd.org 2005/12/23 23:46:23 + document PreferredAuthentications option; ok markus@ + - (bal) Minor NeXT fixed. Forgot to #undef NGROUPS_MAX + +20010318 + - (bal) Fixed scp type casing issue which causes "scp: protocol error: + size not delimited" fatal errors when tranfering. + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/17 17:27:59 + [auth.c] + check /etc/shells, too + - tim@mindrot.org 2001/03/17 18:45:25 [compat.c] + openbsd-compat/fake-regex.h + +20010317 + - Support usrinfo() on AIX. Based on patch from Gert Doering + + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/15 15:05:59 + [scp.c] + use %lld in printf, ok millert@/deraadt@; report from ssh@client.fi + - markus@cvs.openbsd.org 2001/03/15 22:07:08 + [session.c] + pass Session to do_child + KNF + - djm@cvs.openbsd.org 2001/03/16 08:16:18 + [sftp-client.c sftp-client.h sftp-glob.c sftp-int.c] + Revise globbing for get/put to be more shell-like. In particular, + "get/put file* directory/" now works. ok markus@ + - markus@cvs.openbsd.org 2001/03/16 09:55:53 + [sftp-int.c] + fix memset and whitespace + - markus@cvs.openbsd.org 2001/03/16 13:44:24 + [sftp-int.c] + discourage strcat/strcpy + - markus@cvs.openbsd.org 2001/03/16 19:06:30 + [auth-options.c channels.c channels.h serverloop.c session.c] + implement "permitopen" key option, restricts -L style forwarding to + to specified host:port pairs. based on work by harlan@genua.de + - Check for gl_matchc support in glob_t and fall back to the + openbsd-compat/glob.[ch] support if it does not exist. + +20010315 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/14 08:57:14 + [sftp-client.c] + Wall + - markus@cvs.openbsd.org 2001/03/14 15:15:58 + [sftp-int.c] + add version command + - deraadt@cvs.openbsd.org 2001/03/14 22:50:25 + [sftp-server.c] + note no getopt() + - (stevesk) ssh-keyscan.c: specify "openbsd-compat/fake-queue.h" + - (bal) Cygwin README change by Corinna Vinschen + +20010314 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/13 17:34:42 + [auth-options.c] + missing xfree, deny key on parse error; ok stevesk@ + - djm@cvs.openbsd.org 2001/03/13 22:42:54 + [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c] + sftp client filename globbing for get, put, ch{mod,grp,own}. ok markus@ + - (bal) Fix strerror() in bsd-misc.c + - (djm) Add replacement glob() from OpenBSD libc if the system glob is + missing or lacks the GLOB_ALTDIRFUNC extension + - (djm) Remove -I$(srcdir)/openbsd-compat from CFLAGS, refer to headers + relatively. Avoids conflict between glob.h and /usr/include/glob.h + +20010313 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/12 22:02:02 + [key.c key.h ssh-add.c ssh-keygen.c sshconnect.c sshconnect2.c] + remove old key_fingerprint interface, s/_ex// + +20010312 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/11 13:25:36 + [auth2.c key.c] + debug + - jakob@cvs.openbsd.org 2001/03/11 15:03:16 + [key.c key.h] + add improved fingerprint functions. based on work by Carsten + Raskgaard and modified by me. ok markus@. + - jakob@cvs.openbsd.org 2001/03/11 15:04:16 + [ssh-keygen.1 ssh-keygen.c] + print both md5, sha1 and bubblebabble fingerprints when using + ssh-keygen -l -v. ok markus@. + - jakob@cvs.openbsd.org 2001/03/11 15:13:09 + [key.c] + cleanup & shorten some var names key_fingerprint_bubblebabble. + - deraadt@cvs.openbsd.org 2001/03/11 16:39:03 + [ssh-keygen.c] + KNF, and SHA1 binary output is just creeping featurism + - tim@mindrot.org 2001/03/11 17:29:32 [configure.in] + test if snprintf() supports %ll + add /dev to search path for PRNGD/EGD socket + fix my mistake in USER_PATH test program + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/11 18:29:51 + [key.c] + style+cleanup + - markus@cvs.openbsd.org 2001/03/11 22:33:24 + [ssh-keygen.1 ssh-keygen.c] + remove -v again. use -B instead for bubblebabble. make -B consistent + with -l and make -B work with /path/to/known_hosts. ok deraadt@ + - (djm) Bump portable version number for generating test RPMs + - (djm) Add "static_openssl" RPM build option, remove rsh build dependency + - (bal) Reorder includes in Makefile. + +20010311 + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/10 12:48:27 + [sshconnect2.c] + ignore nonexisting private keys; report rjmooney@mediaone.net + - deraadt@cvs.openbsd.org 2001/03/10 12:53:51 + [readconf.c ssh_config] + default to SSH2, now that m68k runs fast + - stevesk@cvs.openbsd.org 2001/03/10 15:02:05 + [ttymodes.c ttymodes.h] + remove unused sgtty macros; ok markus@ + - deraadt@cvs.openbsd.org 2001/03/10 15:31:00 + [compat.c compat.h sshconnect.c] + all known netscreen ssh versions, and older versions of OSU ssh cannot + handle password padding (newer OSU is fixed) + - tim@mindrot.org 2001/03/10 16:33:42 [configure.in Makefile.in sshd_config] + make sure $bindir is in USER_PATH so scp will work + - OpenBSD CVS Sync + - markus@cvs.openbsd.org 2001/03/10 17:51:04 + [kex.c match.c match.h readconf.c readconf.h sshconnect2.c] + add PreferredAuthentications + +20010310 + - OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/03/09 03:14:39 + [ssh-keygen.c] + create *.pub files with umask 0644, so that you can mv them to + authorized_keys + - deraadt@cvs.openbsd.org 2001/03/09 12:30:29 + [sshd.c] + typo; slade@shore.net + - Removed log.o from sftp client. Not needed. + +20010309 + - OpenBSD CVS Sync + - stevesk@cvs.openbsd.org 2001/03/08 18:47:12 + [auth1.c] + unused; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/08 20:44:48 + [sftp.1] + spelling, cleanup; ok deraadt@ + - markus@cvs.openbsd.org 2001/03/08 21:42:33 + [compat.c compat.h readconf.h ssh.c sshconnect1.c sshconnect2.c] + implement client side of SSH2_MSG_USERAUTH_PK_OK (test public key -> + no need to do enter passphrase or do expensive sign operations if the + server does not accept key). + +20010308 + - OpenBSD CVS Sync + - djm@cvs.openbsd.org 2001/03/07 10:11:23 + [sftp-client.c sftp-client.h sftp-int.c sftp-server.c sftp.1 sftp.c sftp.h] + Support for new draft (draft-ietf-secsh-filexfer-01). New symlink handling + functions and small protocol change. + - markus@cvs.openbsd.org 2001/03/08 00:15:48 + [readconf.c ssh.1] + turn off useprivilegedports by default. only rhost-auth needs + this. older sshd's may need this, too. + - (stevesk) Reliant Unix (SNI) needs HAVE_BOGUS_SYS_QUEUE_H; + Dirk Markwardt + +20010307 + - (bal) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/03/06 06:11:18 + [ssh-keyscan.c] + appease gcc + - deraadt@cvs.openbsd.org 2001/03/06 06:11:44 + [sftp-int.c sftp.1 sftp.c] + sftp -b batchfile; mouring@etoh.eviladmin.org + - deraadt@cvs.openbsd.org 2001/03/06 15:10:42 + [sftp.1] + order things + - deraadt@cvs.openbsd.org 2001/03/07 01:19:06 + [ssh.1 sshd.8] + the name "secure shell" is boring, noone ever uses it + - deraadt@cvs.openbsd.org 2001/03/07 04:05:58 [ssh.1] - less mark up for -c; - - djm@cvs.openbsd.org 2005/12/24 02:27:41 - [session.c sshd.c] - eliminate some code duplicated in privsep and non-privsep paths, and - explicitly clear SIGALRM handler; "groovy" deraadt@ + removed dated comment + - Cygwin contrib improvements from Corinna Vinschen -20051220 - - (dtucker) OpenBSD CVS Sync - - reyk@cvs.openbsd.org 2005/12/13 15:03:02 - [serverloop.c] - if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY - - jmc@cvs.openbsd.org 2005/12/16 18:07:08 - [ssh.1] - move the option descriptions up the page: start of a restructure; - ok markus deraadt - - jmc@cvs.openbsd.org 2005/12/16 18:08:53 - [ssh.1] - simplify a sentence; - - jmc@cvs.openbsd.org 2005/12/16 18:12:22 - [ssh.1] - make the description of -c a little nicer; - - jmc@cvs.openbsd.org 2005/12/16 18:14:40 - [ssh.1] - signpost the protocol sections; - - stevesk@cvs.openbsd.org 2005/12/17 21:13:05 - [ssh_config.5 session.c] - spelling: fowarding, fowarded - - stevesk@cvs.openbsd.org 2005/12/17 21:36:42 - [ssh_config.5] - spelling: intented -> intended - - dtucker@cvs.openbsd.org 2005/12/20 04:41:07 - [ssh.c] - exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@ - -20051219 - - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac - openbsd-compat/openssl-compat.h] Check for and work around broken AES - ciphers >128bit on (some) Solaris 10 systems. ok djm@ - -20051217 - - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which - scp.c also uses, so undef them here. - - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our - snprintf replacement can have a conflicting declaration in HP-UX's system - headers (const vs. no const) so we now check for and work around it. Patch - from the dynamic duo of David Leonard and Ted Percival. - -20051214 - - (dtucker) OpenBSD CVS Sync (regress/) - - dtucker@cvs.openbsd.org 2005/12/30 04:36:39 - [regress/scp-ssh-wrapper.sh] - Fix assumption about how many args scp will pass; ok djm@ - -20051213 - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/11/30 11:18:27 - [ssh.1] - timezone -> time zone - - jmc@cvs.openbsd.org 2005/11/30 11:45:20 +20010306 + - (bal) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/03/05 14:28:47 + [sshd.8] + alpha order; jcs@rt.fm + - stevesk@cvs.openbsd.org 2001/03/05 15:44:51 + [servconf.c] + sync error message; ok markus@ + - deraadt@cvs.openbsd.org 2001/03/05 15:56:16 + [myproposal.h ssh.1] + switch to aes128-cbc/hmac-md5 by default in SSH2 -- faster; + provos & markus ok + - deraadt@cvs.openbsd.org 2001/03/05 16:07:15 + [sshd.8] + detail default hmac setup too + - markus@cvs.openbsd.org 2001/03/05 17:17:21 + [kex.c kex.h sshconnect2.c sshd.c] + generate a 2*need size (~300 instead of 1024/2048) random private + exponent during the DH key agreement. according to Niels (the great + german advisor) this is safe since /etc/primes contains strong + primes only. + + References: + P. C. van Oorschot and M. J. Wiener, On Diffie-Hellman key + agreement with short exponents, In Advances in Cryptology + - EUROCRYPT'96, LNCS 1070, Springer-Verlag, 1996, pp.332-343. + - stevesk@cvs.openbsd.org 2001/03/05 17:40:48 [ssh.1] - avoid ambiguities in describing TZ; - ok djm@ - - reyk@cvs.openbsd.org 2005/12/06 22:38:28 - [auth-options.c auth-options.h channels.c channels.h clientloop.c] - [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h] - [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c] - [sshconnect.h sshd.8 sshd_config sshd_config.5] - Add support for tun(4) forwarding over OpenSSH, based on an idea and - initial channel code bits by markus@. This is a simple and easy way to - use OpenSSH for ad hoc virtual private network connections, e.g. - administrative tunnels or secure wireless access. It's based on a new - ssh channel and works similar to the existing TCP forwarding support, - except that it depends on the tun(4) network interface on both ends of - the connection for layer 2 or layer 3 tunneling. This diff also adds - support for LocalCommand in the ssh(1) client. - ok djm@, markus@, jmc@ (manpages), tested and discussed with others - - djm@cvs.openbsd.org 2005/12/07 03:52:22 + more ssh_known_hosts2 documentation; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/05 17:58:22 + [dh.c] + spelling + - deraadt@cvs.openbsd.org 2001/03/06 00:33:04 + [authfd.c cli.c ssh-agent.c] + EINTR/EAGAIN handling is required in more cases + - millert@cvs.openbsd.org 2001/03/06 01:06:03 + [ssh-keyscan.c] + Don't assume we wil get the version string all in one read(). + deraadt@ OK'd + - millert@cvs.openbsd.org 2001/03/06 01:08:27 [clientloop.c] - reyk forgot to compile with -Werror (missing header) - - jmc@cvs.openbsd.org 2005/12/07 10:52:13 - [ssh.1] - - avoid line split in SYNOPSIS - - add args to -w - - kill trailing whitespace - - jmc@cvs.openbsd.org 2005/12/08 14:59:44 - [ssh.1 ssh_config.5] - make `!command' a little clearer; - ok reyk - - jmc@cvs.openbsd.org 2005/12/08 15:06:29 - [ssh_config.5] - keep options in order; - - reyk@cvs.openbsd.org 2005/12/08 18:34:11 - [auth-options.c includes.h misc.c misc.h readconf.c servconf.c] - [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac] - two changes to the new ssh tunnel support. this breaks compatibility - with the initial commit but is required for a portable approach. - - make the tunnel id u_int and platform friendly, use predefined types. - - support configuration of layer 2 (ethernet) or layer 3 - (point-to-point, default) modes. configuration is done using the - Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and - restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option - in sshd_config(5). - ok djm@, man page bits by jmc@ - - jmc@cvs.openbsd.org 2005/12/08 21:37:50 - [ssh_config.5] - new sentence, new line; - - markus@cvs.openbsd.org 2005/12/12 13:46:18 - [channels.c channels.h session.c] - make sure protocol messages for internal channels are ignored. - allow adjust messages for non-open channels; with and ok djm@ - - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable - again by providing a sys_tun_open() function for your platform and - setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match - OpenBSD's tunnel protocol, which prepends the address family to the - packet - -20051201 - - (djm) [envpass.sh] Remove regress script that was accidentally committed - in top level directory and not noticed for over a year :) - -20051129 - - (tim) [ssh-keygen.c] Move DSA length test after setting default when - bits == 0. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2005/11/29 02:04:55 - [ssh-keygen.c] - Populate default key sizes before checking them; from & ok tim@ - - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string) - for UnixWare. - -20051128 - - (dtucker) [regress/yes-head.sh] Work around breakage caused by some - versions of GNU head. Based on patch from zappaman at buraphalinux.org - - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use - _GNU_SOURCE instead. Patch from t8m at centrum.cz. - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2005/11/28 05:16:53 - [ssh-keygen.1 ssh-keygen.c] - Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2, - increase minumum RSA key size to 768 bits and update man page to reflect - these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com), - ok djm@, grudging ok deraadt@. - - dtucker@cvs.openbsd.org 2005/11/28 06:02:56 - [ssh-agent.1] - Update agent socket path templates to reflect reality, correct xref for - time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@ - -20051126 - - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer, - when they're available) need the real UID set otherwise pam_chauthtok will - set ADMCHG after changing the password, forcing the user to change it - again immediately. - -20051125 - - (dtucker) [configure.ac] Apply tim's fix for older systems where the - resolver state in resolv.h is "state" not "__res_state". With slight - modification by me to also work on old AIXes. ok djm@ - - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for - snprintf formats, fixes warnings on some 64 bit platforms. Patch from - shaw at vranix.com, ok djm@ - -20051124 - - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c - openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an - asprintf() implementation, after syncing our {v,}snprintf() implementation - with some extra fixes from Samba's version. With help and debugging from - dtucker and tim; ok dtucker@ - - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument - order in Reliant Unix block. Patch from johane at lysator.liu.se. - - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so - many and use them only once. Speeds up testing on older/slower hardware. - -20051122 - - (dtucker) OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2005/11/12 18:37:59 - [ssh-add.c] - space - - deraadt@cvs.openbsd.org 2005/11/12 18:38:15 - [scp.c] - avoid close(-1), as in rcp; ok cloder - - millert@cvs.openbsd.org 2005/11/15 11:59:54 - [includes.h] - Include sys/queue.h explicitly instead of assuming some other header - will pull it in. At the moment it gets pulled in by sys/select.h - (which ssh has no business including) via event.h. OK markus@ - (ID sync only in -portable) - - dtucker@cvs.openbsd.org 2005/11/21 09:42:10 - [auth-krb5.c] - Perform Kerberos calls even for invalid users to prevent leaking - information about account validity. bz #975, patch originally from - Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@, - ok markus@ - - dtucker@cvs.openbsd.org 2005/11/22 03:36:03 - [hostfile.c] - Correct format/arguments to debug call; spotted by shaw at vranix.com - ok djm@ - - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch - from shaw at vranix.com. - -20051120 - - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what - is going on. - -20051112 - - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific - ifdef lost during sync. Spotted by tim@. - - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag. - - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test. - - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@ - - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure - test: if sshd takes too long to reconfigure the subsequent connection will - fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready. - -20051110 - - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from - OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of - "register"). - - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove - unnecessary prototype. - - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c - revs 1.7 - 1.9. - - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path. - Patch from djm@. - - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+ - since they're not useful right now. Patch from djm@. - - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI - prototypes, removal of "register"). - - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal - of "register"). - - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to - after the copyright notices. Having them at the top next to the CVSIDs - guarantees a conflict for each and every sync. - - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10. - - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker. - - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7. - Removal of rcsid, "whiteout" inode type. - - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14. - Removal of rcsid, will no longer strlcpy parts of the string. - - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5. - - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7. - - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18. - - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5. - - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25. - - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9. - - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14. - - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up - with OpenBSD code since we don't support platforms without fstat any more. - - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9. - - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6. - - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7. - - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6. - - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6. - - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13. - - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19. - - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8. - - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker. - - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17. - - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4. - Id and copyright sync only, there were no substantial changes we need. - - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c] - -Wsign-compare fixes from djm. - - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3. - Id and copyright sync only, there were no substantial changes we need. - - (dtucker) [configure.ac] Try to get the gcc version number in a way that - doesn't change between versions, and use a safer default. - -20051105 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2005/10/07 11:13:57 - [ssh-keygen.c] - change DSA default back to 1024, as it's defined for 1024 bits only - and this causes interop problems with other clients. moreover, - in order to improve the security of DSA you need to change more - components of DSA key generation (e.g. the internal SHA1 hash); - ok deraadt - - djm@cvs.openbsd.org 2005/10/10 10:23:08 - [channels.c channels.h clientloop.c serverloop.c session.c] - fix regression I introduced in 4.2: X11 forwardings initiated after - a session has exited (e.g. "(sleep 5; xterm) &") would not start. - bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@ - - djm@cvs.openbsd.org 2005/10/11 23:37:37 - [channels.c] - bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing - bind() failure when a previous connection's listeners are in TIME_WAIT, - reported by plattner AT inf.ethz.ch; ok dtucker@ - - stevesk@cvs.openbsd.org 2005/10/13 14:03:01 - [auth2-gss.c gss-genr.c gss-serv.c] - remove unneeded #includes; ok markus@ - - stevesk@cvs.openbsd.org 2005/10/13 14:20:37 - [gss-serv.c] - spelling in comments - - stevesk@cvs.openbsd.org 2005/10/13 19:08:08 - [gss-serv-krb5.c gss-serv.c] - unused declarations; ok deraadt@ - (id sync only for gss-serv-krb5.c) - - stevesk@cvs.openbsd.org 2005/10/13 19:13:41 - [dns.c] - unneeded #include, unused declaration, little knf; ok deraadt@ - - stevesk@cvs.openbsd.org 2005/10/13 22:24:31 - [auth2-gss.c gss-genr.c gss-serv.c monitor.c] - KNF; ok djm@ - - stevesk@cvs.openbsd.org 2005/10/14 02:17:59 - [ssh-keygen.c ssh.c sshconnect2.c] - no trailing "\n" for log functions; ok djm@ - - stevesk@cvs.openbsd.org 2005/10/14 02:29:37 - [channels.c clientloop.c] - free()->xfree(); ok djm@ - - stevesk@cvs.openbsd.org 2005/10/15 15:28:12 - [sshconnect.c] - make external definition static; ok deraadt@ - - stevesk@cvs.openbsd.org 2005/10/17 13:45:05 - [dns.c] - fix memory leaks from 2 sources: - 1) key_fingerprint_raw() - 2) malloc in dns_read_rdata() - ok jakob@ - - stevesk@cvs.openbsd.org 2005/10/17 14:01:28 - [dns.c] - remove #ifdef LWRES; ok jakob@ - - stevesk@cvs.openbsd.org 2005/10/17 14:13:35 - [dns.c dns.h] - more cleanups; ok jakob@ - - djm@cvs.openbsd.org 2005/10/30 01:23:19 - [ssh_config.5] - mention control socket fallback behaviour, reported by - tryponraj AT gmail.com - - djm@cvs.openbsd.org 2005/10/30 04:01:03 + If read() fails with EINTR deal with it the same way we treat EAGAIN + +20010305 + - (bal) CVS ID touch up on sshpty.[ch] and sshlogin.[ch] + - (bal) CVS ID touch up on sftp-int.c + - (bal) CVS ID touch up on uuencode.c + - (bal) CVS ID touch up on auth2.c, serverloop.c, session.c & sshd.c + - (bal) OpenBSD CVS Sync + - deraadt@cvs.openbsd.org 2001/02/17 23:48:48 + [sshd.8] + it's the OpenSSH one + - deraadt@cvs.openbsd.org 2001/02/21 07:37:04 [ssh-keyscan.c] - make ssh-keygen discard junk from server before SSH- ident, spotted by - dave AT cirt.net; ok dtucker@ - - djm@cvs.openbsd.org 2005/10/30 04:03:24 + inline -> __inline__, and some indent + - deraadt@cvs.openbsd.org 2001/02/21 09:05:54 + [authfile.c] + improve fd handling + - deraadt@cvs.openbsd.org 2001/02/21 09:12:56 + [sftp-server.c] + careful with & and &&; markus ok + - stevesk@cvs.openbsd.org 2001/02/21 21:14:04 [ssh.c] - fix misleading debug message; ok dtucker@ - - dtucker@cvs.openbsd.org 2005/10/30 08:29:29 - [canohost.c sshd.c] - Check for connections with IP options earlier and drop silently. ok djm@ - - jmc@cvs.openbsd.org 2005/10/30 08:43:47 - [ssh_config.5] - remove trailing whitespace; - - djm@cvs.openbsd.org 2005/10/30 08:52:18 - [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c] - [ssh.c sshconnect.c sshconnect1.c sshd.c] - no need to escape single quotes in comments, no binary change - - dtucker@cvs.openbsd.org 2005/10/31 06:15:04 - [sftp.c] - Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@ - - djm@cvs.openbsd.org 2005/10/31 11:12:49 + -i supports DSA identities now; ok markus@ + - deraadt@cvs.openbsd.org 2001/02/22 04:29:37 + [servconf.c] + grammar; slade@shore.net + - deraadt@cvs.openbsd.org 2001/02/22 06:43:55 [ssh-keygen.1 ssh-keygen.c] - generate a protocol 2 RSA key by default - - djm@cvs.openbsd.org 2005/10/31 11:48:29 + document -d, and -t defaults to rsa1 + - deraadt@cvs.openbsd.org 2001/02/22 08:03:51 + [ssh-keygen.1 ssh-keygen.c] + bye bye -d + - deraadt@cvs.openbsd.org 2001/02/22 18:09:06 + [sshd_config] + activate RSA 2 key + - markus@cvs.openbsd.org 2001/02/22 21:57:27 + [ssh.1 sshd.8] + typos/grammar from matt@anzen.com + - markus@cvs.openbsd.org 2001/02/22 21:59:44 + [auth.c auth.h auth1.c auth2.c misc.c misc.h ssh.c] + use pwcopy in ssh.c, too + - markus@cvs.openbsd.org 2001/02/23 15:34:53 [serverloop.c] - make sure we clean up wtmp, etc. file when we receive a SIGTERM, - SIGINT or SIGQUIT when running without privilege separation (the - normal privsep case is already OK). Patch mainly by dtucker@ and - senthilkumar_sen AT hotpop.com; ok dtucker@ - - jmc@cvs.openbsd.org 2005/10/31 19:55:25 - [ssh-keygen.1] - grammar; - - dtucker@cvs.openbsd.org 2005/11/03 13:38:29 - [canohost.c] - Cache reverse lookups with and without DNS separately; ok markus@ - - djm@cvs.openbsd.org 2005/11/04 05:15:59 - [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c] - remove hardcoded hash lengths in key exchange code, allowing - implementation of KEX methods with different hashes (e.g. SHA-256); - ok markus@ dtucker@ stevesk@ - - djm@cvs.openbsd.org 2005/11/05 05:01:15 - [bufaux.c] - Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT - cs.stanford.edu; ok dtucker@ - - (dtucker) [README.platform] Add PAM section. - - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version, - resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu; - ok dtucker@ - -20051102 - - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup(). - Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net - via FreeBSD. - -20051030 - - (djm) [contrib/suse/openssh.spec contrib/suse/rc. - sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init - files from imorgan AT nas.nasa.gov - - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is - enabled, instead allow PAM to handle it. Note that on platforms using PAM, - the pam_nologin module should be added to sshd's session stack in order to - maintain exising behaviour. Based on patch and discussion from t8m at - centrum.cz, ok djm@ - -20051025 - - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the - sizeof(long long) checks, to make fixing bug #1104 easier (no changes - yet). - - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't - understand "%lld", even though the compiler has "long long", so handle - it as a special case. Patch tested by mcaskill.scott at epa.gov. - - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no - prompt. Patch from vinschen at redhat.com. - -20051017 - - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling. - /etc/default/login report and testing from aabaker at iee.org, corrections - from tim@. - -20051009 - - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current - versions from OpenBSD. ok djm@ - -20051008 - - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from - brian.smith at agilent com. - - (djm) [configure.ac] missing 'test' call for -with-Werror test - -20051005 - - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended - "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and - senthilkumar_sen at hotpop.com. - -20051003 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2005/09/07 08:53:53 - [channels.c] - enforce chanid != NULL; ok djm - - markus@cvs.openbsd.org 2005/09/09 19:18:05 + debug2->3 + - markus@cvs.openbsd.org 2001/02/23 18:15:13 + [sshd.c] + the random session key depends now on the session_key_int + sent by the 'attacker' + dig1 = md5(cookie|session_key_int); + dig2 = md5(dig1|cookie|session_key_int); + fake_session_key = dig1|dig2; + this change is caused by a mail from anakin@pobox.com + patch based on discussions with my german advisor niels@openbsd.org + - deraadt@cvs.openbsd.org 2001/02/24 10:37:55 + [readconf.c] + look for id_rsa by default, before id_dsa + - deraadt@cvs.openbsd.org 2001/02/24 10:37:26 + [sshd_config] + ssh2 rsa key before dsa key + - markus@cvs.openbsd.org 2001/02/27 10:35:27 + [packet.c] + fix random padding + - markus@cvs.openbsd.org 2001/02/27 11:00:11 + [compat.c] + support SSH-2.0-2.1 ; from Christophe_Moret@hp.com + - deraadt@cvs.openbsd.org 2001/02/28 05:34:28 + [misc.c] + pull in protos + - deraadt@cvs.openbsd.org 2001/02/28 05:36:28 + [sftp.c] + do not kill the subprocess on termination (we will see if this helps + things or hurts things) + - markus@cvs.openbsd.org 2001/02/28 08:45:39 [clientloop.c] - typo; from mark at mcs.vuw.ac.nz, bug #1082 - - djm@cvs.openbsd.org 2005/09/13 23:40:07 - [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c - scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c] - ensure that stdio fds are attached; ok deraadt@ - - djm@cvs.openbsd.org 2005/09/19 11:37:34 - [ssh_config.5 ssh.1] - mention ability to specify bind_address for DynamicForward and -D options; - bz#1077 spotted by Haruyama Seigo - - djm@cvs.openbsd.org 2005/09/19 11:47:09 + fix byte counts for ssh protocol v1 + - markus@cvs.openbsd.org 2001/02/28 08:54:55 + [channels.c nchan.c nchan.h] + make sure remote stderr does not get truncated. + remove closed fd's from the select mask. + - markus@cvs.openbsd.org 2001/02/28 09:57:07 + [packet.c packet.h sshconnect2.c] + in ssh protocol v2 use ignore messages for padding (instead of + trailing \0). + - markus@cvs.openbsd.org 2001/02/28 12:55:07 + [channels.c] + unify debug messages + - deraadt@cvs.openbsd.org 2001/02/28 17:52:54 + [misc.c] + for completeness, copy pw_gecos too + - markus@cvs.openbsd.org 2001/02/28 21:21:41 [sshd.c] - stop connection abort on rekey with delayed compression enabled when - post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@ - - djm@cvs.openbsd.org 2005/09/19 11:48:10 - [gss-serv.c] + generate a fake session id, too + - markus@cvs.openbsd.org 2001/02/28 21:27:48 + [channels.c packet.c packet.h serverloop.c] + use ignore message to simulate a SSH2_MSG_CHANNEL_DATA message + use random content in ignore messages. + - markus@cvs.openbsd.org 2001/02/28 21:31:32 + [channels.c] typo - - jmc@cvs.openbsd.org 2005/09/19 15:38:27 - [ssh.1] - some more .Bk/.Ek to avoid ugly line split; - - jmc@cvs.openbsd.org 2005/09/19 15:42:44 + - deraadt@cvs.openbsd.org 2001/03/01 02:11:25 + [authfd.c] + split line so that p will have an easier time next time around + - deraadt@cvs.openbsd.org 2001/03/01 02:29:04 [ssh.c] - update -D usage here too; - - djm@cvs.openbsd.org 2005/09/19 23:31:31 - [ssh.1] - spelling nit from stevesk@ - - djm@cvs.openbsd.org 2005/09/21 23:36:54 - [sshd_config.5] - aquire -> acquire, from stevesk@ - - djm@cvs.openbsd.org 2005/09/21 23:37:11 - [sshd.c] - change label at markus@'s request - - jaredy@cvs.openbsd.org 2005/09/30 20:34:26 - [ssh-keyscan.1] - deploy .An -nosplit; ok jmc - - dtucker@cvs.openbsd.org 2005/10/03 07:44:42 - [canohost.c] - Relocate check_ip_options call to prevent logging of garbage for - connections with IP options set. bz#1092 from David Leonard, - "looks good" deraadt@ - - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp - is required in the system path for the multiplex test to work. - -20050930 - - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype - for strtoll. Patch from o.flebbe at science-computing.de. - - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep - child during PAM account check without clearing it. This restores the - post-login warnings such as LDAP password expiry. Patch from Tomas Mraz - with help from several others. - -20050929 - - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg - introduced during sync. - -20050928 - - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency. - - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from - PAM via keyboard-interactive. Patch tested by the folks at Vintela. - -20050927 - - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid - calls, since they can't possibly fail. ok djm@ - - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed - process when sshd relies on ssh-random-helper. Should result in faster - logins on systems without a real random device or prngd. ok djm@ - -20050924 - - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove - duplicate call. ok djm@ - -20050922 - - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from - skeleten at shillest.net. - - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at - shillest.net. - -20050919 - - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to - AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages. - ok dtucker@ - -20050912 - - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by - Mike Frysinger. - -20050908 - - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to - OpenServer 6 and add osr5bigcrypt support so when someone migrates - passwords between UnixWare and OpenServer they will still work. OK dtucker@ - -20050901 - - (djm) Update RPM spec file versions - -20050831 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2005/08/30 22:08:05 - [gss-serv.c sshconnect2.c] - destroy credentials if krb5_kuserok() call fails. Stops credentials being - delegated to users who are not authorised for GSSAPIAuthentication when - GSSAPIDeletegateCredentials=yes and another authentication mechanism - succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by - simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@ - - markus@cvs.openbsd.org 2005/08/31 09:28:42 - [version.h] - 4.2 - - (dtucker) [README] Update release note URL to 4.2 - - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c - openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable - libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd(). - Feedback and OK dtucker@ - -20050830 - - (tim) [configure.ac] Back out last change. It needs to be done differently. - -20050829 - - (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long - password support to 7.x for now. - -20050826 - - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c - openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h - openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c - openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char) - on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing - by tim@. Feedback and OK dtucker@ - -20050823 - - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully- - qualified sshd pathname since some systems (eg Cygwin) may consider "/foo" - and "//foo" to be different. Spotted by vinschen at redhat.com. - - (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements - and OK dtucker@ - - (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@ - -20050821 - - (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for - LynxOS, patch from Olli Savia (ops at iki.fi). ok djm@ - -20050816 - - (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE, - from Jacob Nevins; ok dtucker@ - -20050815 - - (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT - - (tim) [configure.ac] corrections to libedit tests. Report and patches - by skeleten AT shillest.net - -20050812 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2005/07/28 17:36:22 - [packet.c] - missing packet_init_compression(); from solar - - djm@cvs.openbsd.org 2005/07/30 01:26:16 + shorten usage by a line + - deraadt@cvs.openbsd.org 2001/03/01 02:45:10 + [auth-rsa.c auth2.c deattack.c packet.c] + KNF + - deraadt@cvs.openbsd.org 2001/03/01 03:38:33 + [cli.c cli.h rijndael.h ssh-keyscan.1] + copyright notices on all source files + - markus@cvs.openbsd.org 2001/03/01 22:46:37 [ssh.c] - fix -D listen_host initialisation, so it picks up gateway_ports setting - correctly - - djm@cvs.openbsd.org 2005/07/30 02:03:47 - [readconf.c] - listen_hosts initialisation here too; spotted greg AT y2005.nest.cx - - dtucker@cvs.openbsd.org 2005/08/06 10:03:12 - [servconf.c] - Unbreak sshd ListenAddress for bare IPv6 addresses. - Report from Janusz Mucka; ok djm@ - - jaredy@cvs.openbsd.org 2005/08/08 13:22:48 + don't truncate remote ssh-2 commands; from mkubita@securities.cz + use min, not max for logging, fixes overflow. + - deraadt@cvs.openbsd.org 2001/03/02 06:21:01 + [sshd.8] + explain SIGHUP better + - deraadt@cvs.openbsd.org 2001/03/02 09:42:49 + [sshd.8] + doc the dsa/rsa key pair files + - deraadt@cvs.openbsd.org 2001/03/02 18:54:31 + [atomicio.c atomicio.h auth-chall.c auth.c auth2-chall.c crc32.h + scp.c serverloop.c session.c sftp-server.8 sftp.1 ssh-add.1 ssh-add.c + ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh.1 sshd.8] + make copyright lines the same format + - deraadt@cvs.openbsd.org 2001/03/03 06:53:12 + [ssh-keyscan.c] + standard theo sweep + - millert@cvs.openbsd.org 2001/03/03 21:19:41 + [ssh-keyscan.c] + Dynamically allocate read_wait and its copies. Since maxfd is + based on resource limits it is often (usually?) larger than FD_SETSIZE. + - millert@cvs.openbsd.org 2001/03/03 21:40:30 + [sftp-server.c] + Dynamically allocate fd_set; deraadt@ OK + - millert@cvs.openbsd.org 2001/03/03 21:41:07 + [packet.c] + Dynamically allocate fd_set; deraadt@ OK + - deraadt@cvs.openbsd.org 2001/03/03 22:07:50 + [sftp-server.c] + KNF + - markus@cvs.openbsd.org 2001/03/03 23:52:22 [sftp.c] - sftp prompt enhancements: - - in non-interactive mode, do not print an empty prompt at the end - before finishing - - print newline after EOF in editline mode - - call el_end() in editline mode - ok dtucker djm - -20050810 - - (dtucker) [configure.ac] Test libedit library and headers for compatibility. - Report from skeleten AT shillest.net, ok djm@ - - (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c] - Sync current (thread-safe) version of realpath.c from OpenBSD (which is - in turn based on FreeBSD's). ok djm@ - -20050809 - - (tim) [configure.ac] Allow --with-audit=no. OK dtucker@ - Report by skeleten AT shillest.net - -20050803 - - (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines - individually and use a value less likely to collide with real values from - netdb.h. Fixes compile warnings on FreeBSD 5.3. ok djm@ - - (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the - latter is specified in the standard. - -20050802 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2005/07/27 10:39:03 - [scp.c hostfile.c sftp-client.c] - Silence bogus -Wuninitialized warnings; ok djm@ - - (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling - with gcc. ok djm@ - - (dtucker) [configure.ac] Add a --with-Werror option to configure for - adding -Werror to CFLAGS when all of the configure tests are done. ok djm@ - -20050726 - - (dtucker) [configure.ac] Update zlib warning message too, pointed out by - tim@. - - (djm) OpenBSD CVS Sync - - otto@cvs.openbsd.org 2005/07/19 15:32:26 - [auth-passwd.c] - auth_usercheck(3) can return NULL, so check for that. Report from - mpech@. ok markus@ - - markus@cvs.openbsd.org 2005/07/25 11:59:40 - [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c] - [sshconnect2.c sshd.c sshd_config sshd_config.5] - add a new compression method that delays compression until the user - has been authenticated successfully and set compression to 'delayed' - for sshd. - this breaks older openssh clients (< 3.5) if they insist on - compression, so you have to re-enable compression in sshd_config. - ok djm@ - -20050725 - - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096. - -20050717 -- OpenBSD CVS Sync - - djm@cvs.openbsd.org 2005/07/16 01:35:24 - [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c] - [sshconnect.c] - spacing - - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c] - [cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL - in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]") - - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line - - djm@cvs.openbsd.org 2005/07/17 06:49:04 - [channels.c channels.h session.c session.h] - Fix a number of X11 forwarding channel leaks: - 1. Refuse multiple X11 forwarding requests on the same session - 2. Clean up all listeners after a single_connection X11 forward, not just - the one that made the single connection - 3. Destroy X11 listeners when the session owning them goes away - testing and ok dtucker@ - - djm@cvs.openbsd.org 2005/07/17 07:17:55 - [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c] - [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c] - [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c] - [sshconnect.c sshconnect2.c] - knf says that a 2nd level indent is four (not three or five) spaces - -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c] - [ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too - - (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls - -20050716 - - (dtucker) [auth-pam.c] Ensure that only one side of the authentication - socketpair stays open on in both the monitor and PAM process. Patch from - Joerg Sonnenberger. - -20050714 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2005/07/06 09:33:05 - [ssh.1] - clarify meaning of ssh -b ; with & ok jmc@ - - dtucker@cvs.openbsd.org 2005/07/08 09:26:18 - [misc.c] - Make comment match code; ok djm@ - - markus@cvs.openbsd.org 2005/07/08 09:41:33 - [channels.h] - race when efd gets closed while there is still buffered data: - change CHANNEL_EFD_OUTPUT_ACTIVE() - 1) c->efd must always be valid AND - 2a) no EOF has been seen OR - 2b) there is buffered data - report, initial fix and testing Chuck Cranor - - dtucker@cvs.openbsd.org 2005/07/08 10:20:41 - [ssh_config.5] - change BindAddress to match recent ssh -b change; prompted by markus@ - - jmc@cvs.openbsd.org 2005/07/08 12:53:10 - [ssh_config.5] - new sentence, new line; - - dtucker@cvs.openbsd.org 2005/07/14 04:00:43 - [misc.h] - use __sentinel__ attribute; ok deraadt@ djm@ markus@ - - (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the - compiler doesn't understand it to prevent warnings. If any mainstream - compiler versions acquire it we can test for those versions. Based on - discussion with djm@. - -20050707 - - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for - the MIT Kerberos code path into a common function and expand mkstemp - template to be consistent with the rest of OpenSSH. From sxw at - inf.ed.ac.uk, ok djm@ - - (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno - in the case where the buffer is insufficient, so always return ENOMEM. - Also pointed out by sxw at inf.ed.ac.uk. - - (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove - calls to krb5_init_ets, which has not been required since krb-1.1.x and - most Kerberos versions no longer export in their public API. From sxw - at inf.ed.ac.uk, ok djm@ - -20050706 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2005/07/01 13:19:47 + clean up arg processing. based on work by Christophe_Moret@hp.com + - markus@cvs.openbsd.org 2001/03/03 23:59:34 + [log.c ssh.c] + log*.c -> log.c + - markus@cvs.openbsd.org 2001/03/04 00:03:59 [channels.c] - don't free() if getaddrinfo() fails; report mpech@ - - djm@cvs.openbsd.org 2005/07/04 00:58:43 - [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5] - implement support for X11 and agent forwarding over multiplex slave - connections. Because of protocol limitations, the slave connections inherit - the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding - their own. - ok dtucker@ "put it in" deraadt@ - - jmc@cvs.openbsd.org 2005/07/04 11:29:51 - [ssh_config.5] - fix Xr and a little grammar; - - markus@cvs.openbsd.org 2005/07/04 14:04:11 - [channels.c] - don't forget to set x11_saved_display - -20050626 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2005/06/17 22:53:47 - [ssh.c sshconnect.c] - Fix ControlPath's %p expanding to "0" for a default port, - spotted dwmw2 AT infradead.org; ok markus@ - - djm@cvs.openbsd.org 2005/06/18 04:30:36 - [ssh.c ssh_config.5] - allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@ - - djm@cvs.openbsd.org 2005/06/25 22:47:49 - [ssh.c] - do the default port filling code a few lines earlier, so it really - does fix %p - -20050618 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2005/05/20 12:57:01; - [auth1.c] split protocol 1 auth methods into separate functions, makes - authloop much more readable; fixes and ok markus@ (portable ok & - polish dtucker@) - - djm@cvs.openbsd.org 2005/06/17 02:44:33 - [auth1.c] make this -Wsign-compare clean; ok avsm@ markus@ - - (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable, - tested and fixes tim@ - -20050617 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2005/06/16 03:38:36 - [channels.c channels.h clientloop.c clientloop.h ssh.c] - move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd - easier later; ok deraadt@ - - markus@cvs.openbsd.org 2005/06/16 08:00:00 - [canohost.c channels.c sshd.c] - don't exit if getpeername fails for forwarded ports; bugzilla #1054; - ok djm - - djm@cvs.openbsd.org 2005/06/17 02:44:33 - [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c] - [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c] - [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c] - [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c] - [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c] - make this -Wsign-compare clean; ok avsm@ markus@ - NB. auth1.c changes not committed yet (conflicts with uncommitted sync) - NB2. more work may be needed to make portable Wsign-compare clean - - (dtucker) [cipher.c openbsd-compat/openbsd-compat.h - openbsd-compat/openssl-compat.c] only include openssl compat stuff where - it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by - and ok tim@ - -20050616 - - (djm) OpenBSD CVS Sync - - jaredy@cvs.openbsd.org 2005/06/07 13:25:23 - [progressmeter.c] - catch SIGWINCH and resize progress meter accordingly; ok markus dtucker - - djm@cvs.openbsd.org 2005/06/06 11:20:36 - [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c] - introduce a generic %foo expansion function. replace existing % expansion - and add expansion to ControlPath; ok markus@ - - djm@cvs.openbsd.org 2005/06/08 03:50:00 - [ssh-keygen.1 ssh-keygen.c sshd.8] - increase default rsa/dsa key length from 1024 to 2048 bits; - ok markus@ deraadt@ - - djm@cvs.openbsd.org 2005/06/08 11:25:09 - [clientloop.c readconf.c readconf.h ssh.c ssh_config.5] - add ControlMaster=auto/autoask options to support opportunistic - multiplexing; tested avsm@ and jakob@, ok markus@ - - dtucker@cvs.openbsd.org 2005/06/09 13:43:49 - [cipher.c] - Correctly initialize end of array sentinel; ok djm@ - (Id sync only, change already in portable) - -20050609 - - (dtucker) [cipher.c openbsd-compat/Makefile.in - openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}] - Move compatibility code for supporting older OpenSSL versions to the - compat layer. Suggested by and "no objection" djm@ - -20050607 - - (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX: - in today's episode we attempt to coax it from limits.h where it may be - hiding, failing that we take the DIY approach. Tested by tim@ - -20050603 - - (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't - defined, and check that it helps before keeping it in CFLAGS. Some old - gcc's don't set an error code when encountering an unknown value in -std. - Found and tested by tim@. - - (dtucker) [configure.ac] Point configure's reporting address at the - openssh-unix-dev list. ok tim@ djm@ - -20050602 - - (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h. - Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms - to skip builtin standard includes tests. (first AC_CHECK_HEADERS test - must be run on all platforms) Add missing ;; to case statement. OK dtucker@ - -20050601 - - (dtucker) [configure.ac] Look for _getshort and _getlong in - arpa/nameser.h. - - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c] - Add strtoll to the compat library, from OpenBSD. - - (dtucker) OpenBSD CVS Sync - - avsm@cvs.openbsd.org 2005/05/26 02:08:05 - [scp.c] - If copying multiple files to a target file (which normally fails, as it - must be a target directory), kill the spawned ssh child before exiting. - This stops it trying to authenticate and spewing lots of output. - deraadt@ ok - - dtucker@cvs.openbsd.org 2005/05/26 09:08:12 - [ssh-keygen.c] - uint32_t -> u_int32_t for consistency; ok djm@ - - djm@cvs.openbsd.org 2005/05/27 08:30:37 + debug1->2 + - stevesk@cvs.openbsd.org 2001/03/04 10:57:53 [ssh.c] - fix -O for cases where no ControlPath has been specified or socket at - ControlPath is not contactable; spotted by and ok avsm@ - - (tim) [config.guess config.sub] Update to '2005-05-27' version. - - (tim) [configure.ac] set TEST_SHELL for OpenServer 6 - -20050531 - - (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at - vintela.com. - - (dtucker) [mdoc2man.awk] Teach it to understand .Ox. - -20050530 - - (dtucker) [README] Link to new release notes. Beter late than never... - -20050529 - - (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the - argument to passwdexpired to be initialized to NULL. Suggested by tim@ - While at it, initialize the other arguments to auth functions in case they - ever acquire this behaviour. - - (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there. - - (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message, - spotted by tim@. - -20050528 - - (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have - one entry per line to make it easier to merge changes. ok djm@ - - (dtucker) [configure.ac] strsep() may be defined in string.h, so check - for its presence and include it in the strsep check. - - (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for - its presence before doing AC_FUNC_GETPGRP. - - (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor - version-specific variations as required. - - (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as - per the autoconf man page. Configure should always define them but it - doesn't hurt to check. - -20050527 - - (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by - David Leach; ok dtucker@ - - (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c - openbsd-compat/bsd-misc.c] Add support for Ultrix. No, that's not a typo. - Required changes from Bernhard Simon, integrated by me. ok djm@ - -20050525 - - (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not - been used for a while - - (djm) OpenBSD CVS Sync - - otto@cvs.openbsd.org 2005/04/05 13:45:31 - [ssh-keygen.c] - - djm@cvs.openbsd.org 2005/04/06 09:43:59 + add -m to usage; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/04 11:04:41 + [sshd.8] + small cleanup and clarify for PermitRootLogin; ok markus@ + - stevesk@cvs.openbsd.org 2001/03/04 11:16:06 + [servconf.c sshd.8] + kill obsolete RandomSeed; ok markus@ deraadt@ + - stevesk@cvs.openbsd.org 2001/03/04 12:54:04 + [sshd.8] + spelling + - millert@cvs.openbsd.org 2001/03/04 17:42:28 + [authfd.c channels.c dh.c log.c readconf.c servconf.c sftp-int.c + ssh.c sshconnect.c sshd.c] + log functions should not be passed strings that end in newline as they + get passed on to syslog() and when logging to stderr, do_log() appends + its own newline. + - deraadt@cvs.openbsd.org 2001/03/04 18:21:28 + [sshd.8] + list SSH2 ciphers + - (bal) Put HAVE_PW_CLASS_IN_PASSWD back into pwcopy() + - (bal) Fix up logging since it changed. removed log-*.c + - (djm) Fix up LOG_AUTHPRIV for systems that have it + - (stevesk) OpenBSD sync: + - deraadt@cvs.openbsd.org 2001/03/05 08:37:27 + [ssh-keyscan.c] + skip inlining, why bother + - (stevesk) sftp.c: handle __progname + +20010304 + - (bal) Remove make-ssh-known-hosts.1 since it's no longer valid. + - (bal) Updated contrib/README to remove 'make-ssh-known-hosts' and + give Mark Roth credit for mdoc2man.pl + +20010303 + - (djm) Remove make-ssh-known-hosts.pl, ssh-keyscan is better. + - (djm) Document PAM ChallengeResponseAuthentication in sshd.8 + - (djm) Disable and comment ChallengeResponseAuthentication in sshd_config + - (djm) Allow PRNGd entropy collection from localhost TCP socket. Replace + "--with-egd-pool" configure option with "--with-prngd-socket" and + "--with-prngd-port" options. Debugged and improved by Lutz Jaenicke + + +20010301 + - (djm) Properly add -lcrypt if needed. + - (djm) Force standard PAM conversation function in a few more places. + Patch from Redhat 2.5.1p1-2 RPM, probably Nalin Dahyabhai + + - (djm) Cygwin needs pw->pw_gecos copied too. Patch from Corinna Vinschen + + - (djm) Released 2.5.1p2 + +20010228 + - (djm) Detect endianness in configure and use it in rijndael.c. Fixes + "Bad packet length" bugs. + - (djm) Fully revert PAM session patch (again). All PAM session init is + now done before the final fork(). + - (djm) EGD detection patch from Tim Rice + - (djm) Remove /tmp from EGD socket search list + +20010227 + - (bal) Applied shutdown() patch for sftp.c by Corinna Vinschen + + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/02/23 15:37:45 + [session.c] + handle SSH_PROTOFLAG_SCREEN_NUMBER for buggy clients + - (bal) sshd.init support for all Redhat release. Patch by Jim Knoble + + - (djm) Fix up POSIX saved uid support. Report from Mark Miller + + - (djm) Search for -lcrypt on FreeBSD too + - (djm) fatal() on OpenSSL version mismatch + - (djm) Move PAM init to after fork for non-Solaris derived PAMs + - (djm) Warning fix on entropy.c saved uid stuff. Patch from Mark Miller + + - (djm) Fix PAM fix + - (djm) Remove 'noreplace' flag from sshd_config in RPM spec files. This + change is being made as 2.5.x configfiles are not back-compatible with + 2.3.x. + - (djm) Avoid warnings for missing broken IP_TOS. Patch from Mark Miller + + - (djm) Open Server 5 doesn't need BROKEN_SAVED_UIDS. Patch from Tim Rice + + - (djm) Avoid multiple definition of _PATH_LS. Patch from Tim Rice + + +20010226 + - (bal) Fixed bsd-snprinf.c so it now honors 'BROKEN_SNPRINTF' again. + - (djm) Some systems (SCO3, NeXT) have weird saved uid semantics. + Based on patch from Tim Rice + +20010225 + - (djm) Use %{_libexecdir} rather than hardcoded path in RPM specfile + Patch from Adrian Ho + - (bal) Replace 'unsigned long long' to 'u_int64_t' since not every + platform defines u_int64_t as being that. + +20010224 + - (bal) Missed part of the UNIX sockets patch. Patch by Corinna + Vinschen + - (bal) Reorder where 'strftime' is detected to resolve linking + issues on SCO. Patch by Tim Rice + +20010224 + - (bal) pam_stack fix to correctly detect between RH7 and older RHs. + Patch by Pekka Savola + - (bal) Renamed sigaction.[ch] to sigact.[ch]. Causes problems with + some platforms. + - (bal) Generalize lack of UNIX sockets since this also effects Cray + not just Cygwin. Based on patch by Wendy Palm + +20010223 + - (bal) Fix --define rh7 in openssh.spec file. Patch by Steve Tell + + - (bal) Patch to force OpenSSH rpm to require the same version of OpenSSL + that it was compiled against. Patch by Pekka Savola + - (bal) Double -I for OpenSSL on SCO. Patch by Tim Rice + + +20010222 + - (bal) Corrected SCO luid patch by svaughan + - (bal) Added mdoc2man.pl from Mark Roth + - (bal) Removed reference to liblogin from contrib/README. It was + integrated into OpenSSH a long while ago. + - (stevesk) remove erroneous #ifdef sgi code. + Michael Stone + +20010221 + - (bal) Removed -L/usr/ucblib -R/usr/ucblib for Solaris platform. + - (bal) Fixed OpenSSL rework to use $saved_*. Patch by Tim Rice + + - (bal) Reverted out of 2001/02/15 patch by djm below because it + breaks Solaris. + - (djm) Move PAM session setup back to before setuid to user. + fixes problems on Solaris-drived PAMs. + - (stevesk) session.c: back out to where we were before: + - (djm) Move PAM session initialisation until after fork in sshd. Patch + from Nalin Dahyabhai + +20010220 + - (bal) Fix mixed up params to memmove() from Jan 5th in setenv.c and + getcwd.c. + - (bal) OpenBSD CVS Sync: + - deraadt@cvs.openbsd.org 2001/02/19 23:09:05 [sshd.c] - avoid harmless logspam by not performing setsockopt() on non-socket; - ok markus@ - - dtucker@cvs.openbsd.org 2005/04/06 12:26:06 - [ssh.c] - Fix debug call for port forwards; patch from pete at seebeyond.com, - ok djm@ (ID sync only - change already in portable) - - djm@cvs.openbsd.org 2005/04/09 04:32:54 - [misc.c misc.h tildexpand.c Makefile.in] - replace tilde_expand_filename with a simpler implementation, ahead of - more whacking; ok deraadt@ - - jmc@cvs.openbsd.org 2005/04/14 12:30:30 - [ssh.1] - arg to -b is an address, not if_name; - ok markus@ - - jakob@cvs.openbsd.org 2005/04/20 10:05:45 - [dns.c] - do not try to look up SSHFP for numerical hostname. ok djm@ - - djm@cvs.openbsd.org 2005/04/21 06:17:50 - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8] - [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment - variable, so don't say that we do (bz #623); ok deraadt@ - - djm@cvs.openbsd.org 2005/04/21 11:47:19 - [ssh.c] - don't allocate a pty when -n flag (/dev/null stdin) is set, patch from - ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@ - - dtucker@cvs.openbsd.org 2005/04/23 23:43:47 - [readpass.c] - Add debug message if read_passphrase can't open /dev/tty; bz #471; - ok djm@ - - jmc@cvs.openbsd.org 2005/04/26 12:59:02 - [sftp-client.h] - spelling correction in comment from wiz@netbsd; - - jakob@cvs.openbsd.org 2005/04/26 13:08:37 - [ssh.c ssh_config.5] - fallback gracefully if client cannot connect to ControlPath. ok djm@ - - moritz@cvs.openbsd.org 2005/04/28 10:17:56 - [progressmeter.c ssh-keyscan.c] - add snprintf checks. ok djm@ markus@ - - markus@cvs.openbsd.org 2005/05/02 21:13:22 - [readpass.c] - missing {} - - djm@cvs.openbsd.org 2005/05/10 10:28:11 - [ssh.c] - print nice error message for EADDRINUSE as well (ID sync only) - - djm@cvs.openbsd.org 2005/05/10 10:30:43 + clarify message to make it not mention "ident" + +20010219 + - (bal) Markus' blessing to rename login.[ch] -> sshlogin.[ch] and + pty.[ch] -> sshpty.[ch] + - (djm) Rework search for OpenSSL location. Skip directories which don't + exist, don't add -L$ssldir/lib if it doesn't exist. Should help SCO + with its limit of 6 -L options. + - OpenBSD CVS Sync: + - reinhard@cvs.openbsd.org 2001/02/17 08:24:40 + [sftp.1] + typo + - deraadt@cvs.openbsd.org 2001/02/17 16:28:58 [ssh.c] - report real errors on fallback from ControlMaster=no to normal connect - - markus@cvs.openbsd.org 2005/05/16 15:30:51 - [readconf.c servconf.c] - check return value from strdelim() for NULL (AddressFamily); mpech - - djm@cvs.openbsd.org 2005/05/19 02:39:55 - [sshd_config.5] - sort config options, from grunk AT pestilenz.org; ok jmc@ - - djm@cvs.openbsd.org 2005/05/19 02:40:52 - [sshd_config] - whitespace nit, from grunk AT pestilenz.org - - djm@cvs.openbsd.org 2005/05/19 02:42:26 - [includes.h] - fix cast, from grunk AT pestilenz.org - - djm@cvs.openbsd.org 2005/05/20 10:50:55 - [ssh_config.5] - give a ProxyCommand example using nc(1), with and ok jmc@ - - jmc@cvs.openbsd.org 2005/05/20 11:23:32 - [ssh_config.5] - oops - article and spacing; - - avsm@cvs.openbsd.org 2005/05/23 22:44:01 - [moduli.c ssh-keygen.c] - - removes signed/unsigned comparisons in moduli generation - - use strtonum instead of atoi where its easier - - check some strlcpy overflow and fatal instead of truncate - - djm@cvs.openbsd.org 2005/05/23 23:32:46 - [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5] - add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes; + cleanup -V output; noted by millert + - deraadt@cvs.openbsd.org 2001/02/17 16:48:48 + [sshd.8] + it's the OpenSSH one + - markus@cvs.openbsd.org 2001/02/18 11:33:54 + [dispatch.c] + typo, SSH2_MSG_KEXINIT, from aspa@kronodoc.fi + - markus@cvs.openbsd.org 2001/02/19 02:53:32 + [compat.c compat.h serverloop.c] + ssh-1.2.{18-22} has broken handling of ignore messages; report from + itojun@ + - markus@cvs.openbsd.org 2001/02/19 03:35:23 + [version.h] + OpenSSH_2.5.1 adds bug compat with 1.2.{18-22} + - deraadt@cvs.openbsd.org 2001/02/19 03:36:25 + [scp.c] + np is changed by recursion; vinschen@redhat.com + - Update versions in RPM spec files + - Release 2.5.1p1 + +20010218 + - (bal) Patch for fix FCHMOD reference in ftp-client.c by Tim Rice + + - (Bal) Patch for lack of RA_RESTART in misc.c for mysignal by + stevesk + - (djm) Fix my breaking of cygwin builds, Patch from Corinna Vinschen + and myself. + - (djm) Close listen_sock on bind() failures. Patch from Arkadiusz + Miskiewicz + - (djm) Robustify EGD/PRNGd code in face of socket closures. Patch from + Todd C. Miller + - (djm) Use ttyname() to determine name of tty returned by openpty() + rather then risking overflow. Patch from Marek Michalkiewicz + + - (djm) Swapped tests for no_libsocket and no_libnsl in configure.in. + Patch from Marek Michalkiewicz + - (djm) Doc fixes from Pekka Savola + - (djm) Use SA_INTERRUPT along SA_RESTART if present (equivalent for + SunOS) + - (djm) SCO needs librpc for libwrap. Patch from Tim Rice + + - (stevesk) misc.c: cpp rework of SA_(INTERRUPT|RESTART) handling. + - (stevesk) scp.c: use mysignal() for updateprogressmeter() handler. + - (djm) SA_INTERRUPT is the converse of SA_RESTART, apply it only for + SIGALRM. + - (djm) Move entropy.c over to mysignal() + - (djm) SunOS 4.x also needs to define HAVE_BOGUS_SYS_QUEUE_H as it has + a that lacks the TAILQ_* macros. Patch from Todd C. + Miller + - (djm) Update RPM spec files for 2.5.0p1 + - (djm) Merge BSD_AUTH support from Markus Friedl and David J. MacKenzie + enable with --with-bsd-auth. + - (stevesk) entropy.c: typo; should be SIGPIPE + +20010217 + - (bal) OpenBSD Sync: + - markus@cvs.openbsd.org 2001/02/16 13:38:18 + [channel.c] + remove debug + - markus@cvs.openbsd.org 2001/02/16 14:03:43 + [session.c] + proper payload-length check for x11 w/o screen-number + +20010216 + - (bal) added '--with-prce' to allow overriding of system regex when + required (tested by David Dulek ) + - (bal) Added DG/UX case and set that they have a broken IPTOS. + - (djm) Mini-configure reorder patch from Tim Rice + Fixes linking on SCO. + - (djm) Make gnome-ssh-askpass handle multi-line prompts. Patch from + Nalin Dahyabhai + - (djm) BSD license for gnome-ssh-askpass (was X11) + - (djm) KNF on gnome-ssh-askpass + - (djm) USE_PIPES for a few more sysv platforms + - (djm) Cleanup configure.in a little + - (djm) Ask users to check config.log when we can't find necessary libs + - (djm) Set "login ID" on systems with setluid. Only enabled for SCO + OpenServer for now. Based on patch from svaughan + - (djm) OpenBSD CVS: + - markus@cvs.openbsd.org 2001/02/15 16:19:59 + [channels.c channels.h serverloop.c sshconnect.c sshconnect.h] + [sshconnect1.c sshconnect2.c] + genericize password padding function for SSH1 and SSH2. + add stylized echo to 2, too. + - (djm) Add roundup() macro to defines.h + - (stevesk) set SA_RESTART flag in mysignal() for SIGCHLD; + needed on Unixware 2.x. + +20010215 + - (djm) Move PAM session setup back to before setuid to user. Fixes + problems on Solaris-derived PAMs. + - (djm) Clean up PAM namespace. Suggested by Darren Moffat + + - (bal) Sync w/ OpenSSH for new release + - markus@cvs.openbsd.org 2001/02/12 12:45:06 + [sshconnect1.c] + fix xmalloc(0), ok dugsong@ + - markus@cvs.openbsd.org 2001/02/11 12:59:25 + [Makefile.in sshd.8 sshconnect2.c readconf.h readconf.c packet.c + sshd.c ssh.c ssh.1 servconf.h servconf.c myproposal.h kex.h kex.c] + 1) clean up the MAC support for SSH-2 + 2) allow you to specify the MAC with 'ssh -m' + 3) or the 'MACs' keyword in ssh(d)_config + 4) add hmac-{md5,sha1}-96 + ok stevesk@, provos@ + - markus@cvs.openbsd.org 2001/02/12 16:16:23 + [auth-passwd.c auth.c auth.h auth1.c auth2.c servconf.c servconf.h + ssh-keygen.c sshd.8] + PermitRootLogin={yes,without-password,forced-commands-only,no} + (before this change, root could login even if PermitRootLogin==no) + - deraadt@cvs.openbsd.org 2001/02/12 22:56:09 + [clientloop.c packet.c ssh-keyscan.c] + deal with EAGAIN/EINTR selects which were skipped + - markus@cvs.openssh.org 2001/02/13 22:49:40 + [auth1.c auth2.c] + setproctitle(user) only if getpwnam succeeds + - markus@cvs.openbsd.org 2001/02/12 23:26:20 + [sshd.c] + missing memset; from solar@openwall.com + - stevesk@cvs.openbsd.org 2001/02/12 20:53:33 + [sftp-int.c] + lumask now works with 1 numeric arg; ok markus@, djm@ + - djm@cvs.openbsd.org 2001/02/14 9:46:03 + [sftp-client.c sftp-int.c sftp.1] + Fix and document 'preserve modes & times' option ('-p' flag in sftp); ok markus@ - - avsm@cvs.openbsd.org 2005/05/24 02:05:09 - [ssh-keygen.c] - some style nits from dmiller@, and use a fatal() instead of a printf()/exit - - avsm@cvs.openbsd.org 2005/05/24 17:32:44 - [atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c] - [ssh-keyscan.c sshconnect.c] - Switch atomicio to use a simpler interface; it now returns a size_t - (containing number of bytes read/written), and indicates error by - returning 0. EOF is signalled by errno==EPIPE. - Typical use now becomes: - - if (atomicio(read, ..., len) != len) - err(1,"read"); - - ok deraadt@, cloder@, djm@ - - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on - Cygwin. - - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux: - warning: dereferencing type-punned pointer will break strict-aliasing rules - warning: passing arg 3 of `pam_get_item' from incompatible pointer type - The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@ - - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide - templates for _getshort and _getlong if missing to prevent compiler warnings - on Linux. - - (djm) [configure.ac openbsd-compat/Makefile.in] - [openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c] - Add strtonum(3) from OpenBSD libc, new code needs it. - Unfortunately Linux forces us to do a bizarre dance with compiler - options to get LLONG_MIN/MAX; Spotted by and ok dtucker@ - -20050524 - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update spec file versions to 4.1p1 - - (dtucker) [auth-pam.c] Since people don't seem to be getting the message - that USE_POSIX_THREADS is unsupported, not recommended and generally a bad - idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK. Attempting to use - USE_POSIX_THREADS will now generate an error so we don't silently change - behaviour. ok djm@ - - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory - allocation when retrieving core Windows environment. Add CYGWIN variable - to propagated variables. Patch from vinschen at redhat.com, ok djm@ - - Release 4.1p1 - -20050524 - - (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure - terminal modes are reset correctly. Fix from peak AT argo.troja.mff.cuni.cz; - "looks ok" dtucker@ - -20050512 - - (tim) [buildpkg.sh.in] missing ${PKG_INSTALL_ROOT} in init script - hard link section. Bug 1038. - -20050509 - - (dtucker) [contrib/cygwin/ssh-host-config] Add a test and warning for a - user-mode mounts in Cygwin installation. Patch from vinschen at redhat.com. - -20050504 - - (djm) [ssh.c] some systems return EADDRINUSE on a bind to an already-used - unix domain socket, so catch that too; from jakob@ ok dtucker@ - -20050503 - - (dtucker) [canohost.c] normalise socket addresses returned by - get_remote_hostname(). This means that IPv4 addresses in log messages - on IPv6 enabled machines will no longer be prefixed by "::ffff:" and - AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style - addresses only for 4-in-6 mapped connections, regardless of whether - or not the machine is IPv6 enabled. ok djm@ - -20050425 - - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the - existence of a process since it's more portable. Found by jbasney at - ncsa.uiuc.edu; ok tim@ - - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh - will clean up anyway. From tim@ - - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running - "make tests" works even if you're building on a filesystem that doesn't - support sockets. From deengert at anl.gov, ok djm@ - -20050424 - - (dtucker) [INSTALL configure.ac] Make zlib version check test for 1.1.4 or - 1.2.1.2 or higher. With tim@, ok djm@ - -20050423 - - (tim) [config.guess] Add support for OpenServer 6. - -20050421 - - (dtucker) [session.c] Bug #1024: Don't check pam_session_is_open if - UseLogin is set as PAM is not used to establish credentials in that - case. Found by Michael Selvesteen, ok djm@ - -20050419 - - (dtucker) [INSTALL] Reference README.privsep for the privilege separation - requirements. Pointed out by Bengt Svensson. - - (dtucker) [INSTALL] Put the s/key text and URL back together. - - (dtucker) [INSTALL] Fix s/key text too. - -20050411 - - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME - -20050405 - - (dtucker) [configure.ac] Define HAVE_SO_PEERCRED if we have it. ok djm@ - - (dtucker) [auth-sia.c] Constify sys_auth_passwd, fixes build error on - Tru64. Patch from cmadams at hiwaay.net. - - (dtucker) [auth-passwd.c auth-sia.h] Remove duplicate definitions of - sys_auth_passwd, pointed out by cmadams at hiwaay.net. - -20050403 - - (djm) OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2005/03/31 18:39:21 + - (bal) replaced PATH_MAX in sftp-int.c w/ MAXPATHLEN. + - (djm) Move to Jim's 1.2.0 X11 askpass program + - (stevesk) OpenBSD sync: + - deraadt@cvs.openbsd.org 2001/02/15 01:38:04 + [serverloop.c] + indent + +20010214 + - (djm) Don't try to close PAM session or delete credentials if the + session has not been open or credentials not set. Based on patch from + Andrew Bartlett + - (djm) Move PAM session initialisation until after fork in sshd. Patch + from Nalin Dahyabhai + - (bal) Missing function prototype in bsd-snprintf.c patch by + Mark Miller + - (djm) Split out and improve OSF SIA auth code. Patch from Chris Adams + with a little modification and KNF. + - (stevesk) fix for SIA patch, misplaced session_setup_sia() + +20010213 + - (djm) Only test -S potential EGD sockets if they exist and are readable. + - (bal) Cleaned out bsd-snprintf.c. VARARGS have been banished and + I did a base KNF over the whe whole file to make it more acceptable. + (backed out of original patch and removed it from ChangeLog) + - (bal) Use chown() if fchown() does not exist in ftp-server.c patch by + Tim Rice + - (stevesk) auth1.c: fix PAM passwordless check. + +20010212 + - (djm) Update Redhat specfile to allow --define "skip_x11_askpass 1", + --define "skip_gnome_askpass 1", --define "rh7 1" and make the + implicit rpm-3.0.5 dependancy explicit. Patch and suggestions from + Pekka Savola + - (djm) Clean up PCRE text in INSTALL + - (djm) Fix OSF SIA auth NULL pointer deref. Report from Mike Battersby + + - (bal) NCR SVR4 compatiblity provide by Don Bragg + - (stevesk) session.c: remove debugging code. + +20010211 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/02/07 22:35:46 + [auth1.c auth2.c sshd.c] + move k_setpag() to a central place; ok dugsong@ + - markus@cvs.openbsd.org 2001/02/10 12:52:02 + [auth2.c] + offer passwd before s/key + - markus@cvs.openbsd.org 2001/02/8 22:37:10 + [canohost.c] + remove last call to sprintf; ok deraadt@ + - markus@cvs.openbsd.org 2001/02/10 1:33:32 + [canohost.c] + add debug message, since sshd blocks here if DNS is not available + - markus@cvs.openbsd.org 2001/02/10 12:44:02 + [cli.c] + don't call vis() for \r + - danh@cvs.openbsd.org 2001/02/10 0:12:43 [scp.c] - copy argv[] element instead of smashing the one that ps will see; ok otto - - djm@cvs.openbsd.org 2005/04/02 12:41:16 + revert a small change to allow -r option to work again; ok deraadt@ + - danh@cvs.openbsd.org 2001/02/10 15:14:11 [scp.c] - since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror - build - - (dtucker) [monitor.c] Don't free buffers in audit functions, monitor_read - will free as needed. ok tim@ djm@ - -20050331 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/03/16 11:10:38 - [ssh_config.5] - get the syntax right for {Local,Remote}Forward; - based on a diff from markus; - problem report from ponraj; - ok dtucker@ markus@ deraadt@ - - markus@cvs.openbsd.org 2005/03/16 21:17:39 - [version.h] - 4.1 - - jmc@cvs.openbsd.org 2005/03/18 17:05:00 - [sshd_config.5] - typo; - - (dtucker) [auth.h sshd.c openbsd-compat/port-aix.c] Bug #1006: fix bug in - handling of password expiry messages returned by AIX's authentication - routines, originally reported by robvdwal at sara.nl. - - (dtucker) [ssh.c] Prevent null pointer deref in port forwarding debug - message on some platforms. Patch from pete at seebeyond.com via djm. - - (dtucker) [monitor.c] Remaining part of fix for bug #1006. - -20050329 - - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're - interested in which is much faster in large (eg LDAP or NIS) environments. - Patch from dleonard at vintela.com. - -20050321 - - (dtucker) [configure.ac] Prevent configure --with-zlib from adding -Iyes - and -Lyes to CFLAGS and LIBS. Pointed out by peter at slagheap.net, - with & ok tim@ - - (dtucker) [configure.ac] Make configure error out if the user specifies - --with-libedit but the required libs can't be found, rather than silently - ignoring and continuing. ok tim@ - - (dtucker) [configure.ac openbsd-compat/port-aix.h] Prevent redefinitions - of setauthdb on AIX 5.3, reported by anders.liljegren at its.uu.se. - -20050317 - - (tim) [configure.ac] Bug 998. Make path for --with-opensc optional. - Make --without-opensc work. - - (tim) [configure.ac] portability changes on test statements. Some shells - have problems with -a operator. - - (tim) [configure.ac] make some configure options a little more error proof. - - (tim) [configure.ac] remove trailing white space. - -20050314 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2005/03/10 10:15:02 - [readconf.c] - Check listen addresses for null, prevents xfree from dying during - ClearAllForwardings (bz #996). From Craig Leres, ok markus@ - - deraadt@cvs.openbsd.org 2005/03/10 22:01:05 - [misc.c ssh-keygen.c servconf.c clientloop.c auth-options.c ssh-add.c - monitor.c sftp-client.c bufaux.h hostfile.c ssh.c sshconnect.c channels.c - readconf.c bufaux.c sftp.c] - spacing - - deraadt@cvs.openbsd.org 2005/03/10 22:40:38 + fix memory leak; ok markus@ + - djm@cvs.openbsd.org 2001/02/10 0:45:52 + [scp.1] + Mention that you can quote pathnames with spaces in them + - markus@cvs.openbsd.org 2001/02/10 1:46:28 + [ssh.c] + remove mapping of argv[0] -> hostname + - markus@cvs.openbsd.org 2001/02/06 22:26:17 + [sshconnect2.c] + do not ask for passphrase in batch mode; report from ejb@ql.org + - itojun@cvs.opebsd.org 2001/02/08 10:47:05 + [sshconnect.c sshconnect1.c sshconnect2.c] + %.30s is too short for IPv6 numeric address. use %.128s for now. + markus ok + - markus@cvs.openbsd.org 2001/02/09 12:28:35 + [sshconnect2.c] + do not free twice, thanks to /etc/malloc.conf + - markus@cvs.openbsd.org 2001/02/09 17:10:53 + [sshconnect2.c] + partial success: debug->log; "Permission denied" if no more auth methods + - markus@cvs.openbsd.org 2001/02/10 12:09:21 + [sshconnect2.c] + remove some lines + - markus@cvs.openbsd.org 2001/02/09 13:38:07 [auth-options.c] - spacing - - markus@cvs.openbsd.org 2005/03/11 14:59:06 - [ssh-keygen.c] - typo, missing \n; mpech - - jmc@cvs.openbsd.org 2005/03/12 11:55:03 - [ssh_config.5] - escape `.' at eol to avoid double spacing issues; - - dtucker@cvs.openbsd.org 2005/03/14 10:09:03 - [ssh-keygen.1] - Correct description of -H (bz #997); ok markus@, punctuation jmc@ - - dtucker@cvs.openbsd.org 2005/03/14 11:44:42 - [auth.c] - Populate host for log message for logins denied by AllowUsers and - DenyUsers (bz #999); ok markus@ (patch by tryponraj at gmail.com) - - markus@cvs.openbsd.org 2005/03/14 11:46:56 - [buffer.c buffer.h channels.c] - limit input buffer size for channels; bugzilla #896; with and ok dtucker@ - - (tim) [contrib/caldera/openssh.spec] links in rc?.d were getting trashed - with a rpm -F - -20050313 - - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the - localized name of the local administrators group more reliable. From - vinschen at redhat.com. - -20050312 - - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug - output ends up in the client's output, causing regress failures. Found - by Corinna Vinschen. - -20050309 - - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64 - so that regress tests behave. From Chris Adams. - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/03/07 23:41:54 - [ssh.1 ssh_config.5] - more macro simplification; - - djm@cvs.openbsd.org 2005/03/08 23:49:48 + reset options if no option is given; from han.holl@prismant.nl + - markus@cvs.openbsd.org 2001/02/08 21:58:28 + [channels.c] + nuke sprintf, ok deraadt@ + - markus@cvs.openbsd.org 2001/02/08 21:58:28 + [channels.c] + nuke sprintf, ok deraadt@ + - markus@cvs.openbsd.org 2001/02/06 22:43:02 + [clientloop.h] + remove confusing callback code + - deraadt@cvs.openbsd.org 2001/02/08 14:39:36 + [readconf.c] + snprintf + - itojun@cvs.openbsd.org 2001/02/08 19:30:52 + sync with netbsd tree changes. + - more strict prototypes, include necessary headers + - use paths.h/pathnames.h decls + - size_t typecase to int -> u_long + - itojun@cvs.openbsd.org 2001/02/07 18:04:50 + [ssh-keyscan.c] + fix size_t -> int cast (use u_long). markus ok + - markus@cvs.openbsd.org 2001/02/07 22:43:16 + [ssh-keyscan.c] + s/getline/Linebuf_getline/; from roumen.petrov@skalasoft.com + - itojun@cvs.openbsd.org 2001/02/09 9:04:59 + [ssh-keyscan.c] + do not assume malloc() returns zero-filled region. found by + malloc.conf=AJ. + - markus@cvs.openbsd.org 2001/02/08 22:35:30 + [sshconnect.c] + don't connect if batch_mode is true and stricthostkeychecking set to + 'ask' + - djm@cvs.openbsd.org 2001/02/04 21:26:07 + [sshd_config] + type: ok markus@ + - deraadt@cvs.openbsd.org 2001/02/06 22:07:50 + [sshd_config] + enable sftp-server by default + - deraadt 2001/02/07 8:57:26 + [xmalloc.c] + deal with new ANSI malloc stuff + - markus@cvs.openbsd.org 2001/02/07 16:46:08 + [xmalloc.c] + typo in fatal() + - itojun@cvs.openbsd.org 2001/02/07 18:04:50 + [xmalloc.c] + fix size_t -> int cast (use u_long). markus ok + - 1.47 Thu Feb 8 23:11:42 GMT 2001 by dugsong + [serverloop.c sshconnect1.c] + mitigate SSH1 traffic analysis - from Solar Designer + , ok provos@ + - (bal) fixed sftp-client.c. Return 'status' instead of '0' + (from the OpenBSD tree) + - (bal) Synced ssh.1, ssh-add.1 and sshd.8 w/ OpenBSD + - (bal) sftp-sever.c '%8lld' to '%8llu' (OpenBSD Sync) + - (bal) uuencode.c resync w/ OpenBSD tree, plus whitespace. + - (bal) A bit more whitespace cleanup + - (djm) Set PAM_RHOST earlier, patch from Andrew Bartlett + + - (stevesk) misc.c: ssh.h not needed. + - (stevesk) compat.c: more friendly cpp error + - (stevesk) OpenBSD sync: + - stevesk@cvs.openbsd.org 2001/02/11 06:15:57 + [LICENSE] + typos and small cleanup; ok deraadt@ + +20010210 + - (djm) Sync sftp and scp stuff from OpenBSD: + - djm@cvs.openbsd.org 2001/02/07 03:55:13 + [sftp-client.c] + Don't free handles before we are done with them. Based on work from + Corinna Vinschen . ok markus@ + - djm@cvs.openbsd.org 2001/02/06 22:32:53 + [sftp.1] + Punctuation fix from Pekka Savola + - deraadt@cvs.openbsd.org 2001/02/07 04:07:29 + [sftp.1] + pretty up significantly + - itojun@cvs.openbsd.org 2001/02/07 06:49:42 + [sftp.1] + .Bl-.El mismatch. markus ok + - djm@cvs.openbsd.org 2001/02/07 06:12:30 + [sftp-int.c] + Check that target is a directory before doing ls; ok markus@ + - itojun@cvs.openbsd.org 2001/02/07 11:01:18 + [scp.c sftp-client.c sftp-server.c] + unsigned long long -> %llu, not %qu. markus ok + - stevesk@cvs.openbsd.org 2001/02/07 11:10:39 + [sftp.1 sftp-int.c] + more man page cleanup and sync of help text with man page; ok markus@ + - markus@cvs.openbsd.org 2001/02/07 14:58:34 + [sftp-client.c] + older servers reply with SSH2_FXP_NAME + count==0 instead of EOF + - djm@cvs.openbsd.org 2001/02/07 15:27:19 + [sftp.c] + Don't forward agent and X11 in sftp. Suggestion from Roumen Petrov + + - stevesk@cvs.openbsd.org 2001/02/07 15:36:04 + [sftp-int.c] + portable; ok markus@ + - stevesk@cvs.openbsd.org 2001/02/07 15:55:47 + [sftp-int.c] + lowercase cmds[].c also; ok markus@ + - markus@cvs.openbsd.org 2001/02/07 17:04:52 + [pathnames.h sftp.c] + allow sftp over ssh protocol 1; ok djm@ + - deraadt@cvs.openbsd.org 2001/02/08 07:38:55 + [scp.c] + memory leak fix, and snprintf throughout + - deraadt@cvs.openbsd.org 2001/02/08 08:02:02 + [sftp-int.c] + plug a memory leak + - stevesk@cvs.openbsd.org 2001/02/08 10:11:23 + [session.c sftp-client.c] + %i -> %d + - stevesk@cvs.openbsd.org 2001/02/08 10:57:59 + [sftp-int.c] + typo + - stevesk@cvs.openbsd.org 2001/02/08 15:28:07 + [sftp-int.c pathnames.h] + _PATH_LS; ok markus@ + - djm@cvs.openbsd.org 2001/02/09 04:46:25 + [sftp-int.c] + Check for NULL attribs for chown, chmod & chgrp operations, only send + relevant attribs back to server; ok markus@ + - djm@cvs.openbsd.org 2001/02/06 15:05:25 + [sftp.c] + Use getopt to process commandline arguments + - djm@cvs.openbsd.org 2001/02/06 15:06:21 + [sftp.c ] + Wait for ssh subprocess at exit + - djm@cvs.openbsd.org 2001/02/06 15:18:16 + [sftp-int.c] + stat target for remote chdir before doing chdir + - djm@cvs.openbsd.org 2001/02/06 15:32:54 + [sftp.1] + Punctuation fix from Pekka Savola + - provos@cvs.openbsd.org 2001/02/05 22:22:02 + [sftp-int.c] + cleanup get_pathname, fix pwd after failed cd. okay djm@ + - (djm) Update makefile.in for _PATH_SFTP_SERVER + - (bal) sftp-client.c replace NULL w/ 0 in do_ls() (pending in OpenBSD tree) + +20010209 + - (bal) patch to vis.c to deal with HAVE_VIS right by Robert Mooney + + - (bal) .c.o rule in openbsd-compat/Makefile.in did not make it to the + main tree while porting forward. Pointed out by Lutz Jaenicke + + - (bal) double entry in configure.in. Pointed out by Lutz Jaenicke + + - (stevesk) OpenBSD sync: + - markus@cvs.openbsd.org 2001/02/08 11:20:01 + [auth2.c] + strict checking + - markus@cvs.openbsd.org 2001/02/08 11:15:22 [version.h] - OpenSSH 4.0 - - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - [contrib/suse/openssh.spec] Update spec file versions - - (djm) [log.c] Fix dumb syntax error; ok dtucker@ - - (djm) Release OpenSSH 4.0p1 - -20050307 - - (dtucker) [configure.ac] Disable gettext search when configuring with - BSM audit support for the time being. ok djm@ - - (dtucker) OpenBSD CVS Sync (regress/) - - fgsch@cvs.openbsd.org 2004/12/10 01:31:30 - [Makefile sftp-glob.sh] - some globbing regress; prompted and ok djm@ - - david@cvs.openbsd.org 2005/01/14 04:21:18 - [Makefile test-exec.sh] - pass the SUDO make variable to the individual sh tests; ok dtucker@ markus@ - - dtucker@cvs.openbsd.org 2005/02/27 11:33:30 - [multiplex.sh test-exec.sh sshd-log-wrapper.sh] - Add optional capability to log output from regress commands; ok markus@ - Use with: make TEST_SSH_LOGFILE=/tmp/regress.log - - djm@cvs.openbsd.org 2005/02/27 23:13:36 - [login-timeout.sh] - avoid nameservice lookups in regress test; ok dtucker@ - - djm@cvs.openbsd.org 2005/03/04 08:48:46 - [Makefile envpass.sh] - regress test for SendEnv config parsing bug; ok dtucker@ - - (dtucker) [regress/test-exec.sh] Put SUDO in the right place. - - (tim) [configure.ac] SCO 3.2v4.2 no longer supported. - -20050306 - - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor - when attempting to audit disconnect events. Reported by Phil Dibowitz. - - (dtucker) [session.c sshd.c] Bug #125 comment #49: Send disconnect audit - events earlier, prevents mm_request_send errors reported by Matt Goebel. - -20050305 - - (djm) [contrib/cygwin/README] Improve Cygwin build documentation. Patch - from vinschen at redhat.com - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2005/03/02 11:45:01 + update to 2.3.2 + - markus@cvs.openbsd.org 2001/02/08 11:12:30 + [auth2.c] + fix typo + - (djm) Update spec files + - (bal) OpenBSD sync: + - deraadt@cvs.openbsd.org 2001/02/08 14:38:54 + [scp.c] + memory leak fix, and snprintf throughout + - markus@cvs.openbsd.org 2001/02/06 22:43:02 + [clientloop.c] + remove confusing callback code + - (djm) Add CVS Id's to files that we have missed + - (bal) OpenBSD Sync (more): + - itojun@cvs.openbsd.org 2001/02/08 19:30:52 + sync with netbsd tree changes. + - more strict prototypes, include necessary headers + - use paths.h/pathnames.h decls + - size_t typecase to int -> u_long + - markus@cvs.openbsd.org 2001/02/06 22:07:42 + [ssh.c] + fatal() if subsystem fails + - markus@cvs.openbsd.org 2001/02/06 22:43:02 + [ssh.c] + remove confusing callback code + - jakob@cvs.openbsd.org 2001/02/06 23:03:24 + [ssh.c] + add -1 option (force protocol version 1). ok markus@ + - jakob@cvs.openbsd.org 2001/02/06 23:06:21 + [ssh.c] + reorder -{1,2,4,6} options. ok markus@ + - (bal) Missing 'const' in readpass.h + - (bal) OpenBSD Sync (so at least the thing compiles for 2.3.2 =) + - djm@cvs.openbsd.org 2001/02/06 23:30:28 + [sftp-client.c] + replace arc4random with counter for request ids; ok markus@ + - (djm) Define _PATH_TTY for systems that don't. Report from Lutz + Jaenicke + +20010208 + - (djm) Don't delete external askpass program in make uninstall target. + Report and fix from Roumen Petrov + - (djm) Fix linking of sftp, don't need arc4random any more. + - (djm) Try to use shell that supports "test -S" for EGD socket search. + Based on patch from Tim Rice + +20010207 + - (bal) Save the whole path to AR in configure. Some Solaris 2.7 installs + seem lose track of it while in openbsd-compat/ (two confirmed reports) + - (djm) Much KNF on PAM code + - (djm) Revise auth-pam.c conversation function to be a little more + readable. + - (djm) Revise kbd-int PAM conversation function to fold all text messages + to before first prompt. Fixes hangs if last pam_message did not require + a reply. + - (djm) Fix password changing when using PAM kbd-int authentication + +20010205 + - (bal) Disable groupaccess by setting NGROUPS_MAX to 0 for platforms + that don't have NGROUPS_MAX. + - (bal) AIX patch for auth1.c by William L. Jones + - (stevesk) OpenBSD sync: + - stevesk@cvs.openbsd.org 2001/02/04 08:32:27 + [many files; did this manually to our top-level source dir] + unexpand and remove end-of-line whitespace; ok markus@ + - stevesk@cvs.openbsd.org 2001/02/04 15:21:19 + [sftp-server.c] + SSH2_FILEXFER_ATTR_UIDGID support; ok markus@ + - deraadt@cvs.openbsd.org 2001/02/04 17:02:32 + [sftp-int.c] + ? == help + - deraadt@cvs.openbsd.org 2001/02/04 16:47:46 + [sftp-int.c] + sort commands, so that abbreviations work as expected + - stevesk@cvs.openbsd.org 2001/02/04 15:17:52 + [sftp-int.c] + debugging sftp: precedence and missing break. chmod, chown, chgrp + seem to be working now. + - markus@cvs.openbsd.org 2001/02/04 14:41:21 + [sftp-int.c] + use base 8 for umask/chmod + - markus@cvs.openbsd.org 2001/02/04 11:11:54 + [sftp-int.c] + fix LCD + - markus@cvs.openbsd.org 2001/02/04 08:10:44 [ssh.1] - missing word; - - djm@cvs.openbsd.org 2005/03/04 08:48:06 - [readconf.c] - fix SendEnv config parsing bug found by Roumen Petrov; ok dtucker@ - -20050302 + typo; dpo@club-internet.fr + - stevesk@cvs.openbsd.org 2001/02/04 06:30:12 + [auth2.c authfd.c packet.c] + remove duplicate #include's; ok markus@ + - deraadt@cvs.openbsd.org 2001/02/04 16:56:23 + [scp.c sshd.c] + alpha happiness + - stevesk@cvs.openbsd.org 2001/02/04 15:12:17 + [sshd.c] + precedence; ok markus@ + - deraadt@cvs.openbsd.org 2001/02/04 08:14:15 + [ssh.c sshd.c] + make the alpha happy + - markus@cvs.openbsd.org 2001/01/31 13:37:24 + [channels.c channels.h serverloop.c ssh.c] + do not disconnect if local port forwarding fails, e.g. if port is + already in use + - markus@cvs.openbsd.org 2001/02/01 14:58:09 + [channels.c] + use ipaddr in channel messages, ietf-secsh wants this + - markus@cvs.openbsd.org 2001/01/31 12:26:20 + [channels.c] + ssh.com-2.0.1x does not send additional info in CHANNEL_OPEN_FAILURE + messages; bug report from edmundo@rano.org + - markus@cvs.openbsd.org 2001/01/31 13:48:09 + [sshconnect2.c] + unused + - deraadt@cvs.openbsd.org 2001/02/04 08:23:08 + [sftp-client.c sftp-server.c] + make gcc on the alpha even happier + +20010204 + - (bal) I think this is the last of the bsd-*.h that don't belong. + - (bal) Minor Makefile fix + - (bal) openbsd-compat/Makefile minor fix. Ensure dependancies are done + right. + - (bal) Changed order of LIB="" in -with-skey due to library resolving. + - (bal) next-posix.h changed to bsd-nextstep.h - (djm) OpenBSD CVS sync: - - jmc@cvs.openbsd.org 2005/03/01 14:47:58 + - markus@cvs.openbsd.org 2001/02/03 03:08:38 + [auth-options.c auth-rh-rsa.c auth-rhosts.c auth.c canohost.c] + [canohost.h servconf.c servconf.h session.c sshconnect1.c sshd.8] + [sshd_config] + make ReverseMappingCheck optional in sshd_config; ok djm@,dugsong@ + - markus@cvs.openbsd.org 2001/02/03 03:19:51 + [ssh.1 sshd.8 sshd_config] + Skey is now called ChallengeResponse + - markus@cvs.openbsd.org 2001/02/03 03:43:09 + [sshd.8] + use no-pty option in .ssh/authorized_keys* if you need a 8-bit clean + channel. note from Erik.Anggard@cygate.se (pr/1659) + - stevesk@cvs.openbsd.org 2001/02/03 10:03:06 [ssh.1] - remove some unneccesary macros; - do not mark up punctuation; - - jmc@cvs.openbsd.org 2005/03/01 14:55:23 - [ssh_config.5] - do not mark up punctuation; - whitespace; - - jmc@cvs.openbsd.org 2005/03/01 14:59:49 + typos; ok markus@ + - djm@cvs.openbsd.org 2001/02/04 04:11:56 + [scp.1 sftp-server.c ssh.1 sshd.8 sftp-client.c sftp-client.h] + [sftp-common.c sftp-common.h sftp-int.c sftp-int.h sftp.1 sftp.c] + Basic interactive sftp client; ok theo@ + - (djm) Update RPM specs for new sftp binary + - (djm) Update several bits for new optional reverse lookup stuff. I + think I got them all. + - (djm) Makefile.in fixes + - (stevesk) add mysignal() wrapper and use it for the protocol 2 + SIGCHLD handler. + - (djm) Use setvbuf() instead of setlinebuf(). Suggest from stevesk@ + +20010203 + - (bal) Cygwin clean up by Corinna Vinschen + - (bal) renamed queue.h to fake-queue.h (even if it's an OpenBSD + based file) to ensure #include space does not get confused. + - (bal) Minor Makefile.in tweak. dirname may not exist on some + platforms so builds fail. (NeXT being a well known one) + +20010202 + - (bal) Makefile fix where sourcedir != builddir by Corinna Vinschen + + - (bal) Makefile fix to use $(MAKE) instead of 'make' for platforms + that use 'gmake'. Patch by Tim Rice + +20010201 + - (bal) Minor fix to Makefile to stop rebuilding executables if no + changes have occured to any of the supporting code. Patch by + Roumen Petrov + +20010131 + - (djm) OpenBSD CVS Sync: + - djm@cvs.openbsd.org 2001/01/30 15:48:53 + [sshconnect.c] + Make warning message a little more consistent. ok markus@ + - (djm) Fix autoconf logic for --with-lastlog=no Report and diagnosis from + Philipp Buehler and Kevin Steves + respectively. + - (djm) Don't log SSH2 PAM KbdInt responses to debug, they may contain + passwords. + - (bal) Reorder. Move all bsd-*, fake-*, next-*, and cygwin* stuff to + openbsd-compat/. And resolve all ./configure and Makefile.in issues + assocated. + +20010130 + - (djm) OpenBSD CVS Sync: + - markus@cvs.openbsd.org 2001/01/29 09:55:37 + [channels.c channels.h clientloop.c serverloop.c] + fix select overflow; ok deraadt@ and stevesk@ + - markus@cvs.openbsd.org 2001/01/29 12:42:35 + [canohost.c canohost.h channels.c clientloop.c] + add get_peer_ipaddr(socket), x11-fwd in ssh2 requires ipaddr, not DNS + - markus@cvs.openbsd.org 2001/01/29 12:47:32 + [rsa.c rsa.h ssh-agent.c sshconnect1.c sshd.c] + handle rsa_private_decrypt failures; helps against the Bleichenbacher + pkcs#1 attack + - djm@cvs.openbsd.org 2001/01/29 05:36:11 + [ssh.1 ssh.c] + Allow invocation of sybsystem by commandline (-s); ok markus@ + - (stevesk) configure.in: remove duplicate PROG_LS + +20010129 + - (stevesk) sftp-server.c: use %lld vs. %qd + +20010128 + - (bal) Put USE_PIPES back into sco3.2v5 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/28 10:15:34 + [dispatch.c] + re-keying is not supported; ok deraadt@ + - markus@cvs.openbsd.org 2001/01/28 10:24:04 + [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + cleanup AUTHORS sections + - markus@cvs.openbsd.org 2001/01/28 10:37:26 + [sshd.c sshd.8] + remove -Q, no longer needed + - stevesk@cvs.openbsd.org 2001/01/28 20:36:16 + [readconf.c ssh.1] + ``StrictHostKeyChecking ask'' documentation and small cleanup. + ok markus@ + - stevesk@cvs.openbsd.org 2001/01/28 20:43:25 + [sshd.8] + spelling. ok markus@ + - stevesk@cvs.openbsd.org 2001/01/28 20:53:21 + [xmalloc.c] + use size_t for strlen() return. ok markus@ + - stevesk@cvs.openbsd.org 2001/01/28 22:27:05 + [authfile.c] + spelling. use sizeof vs. strlen(). ok markus@ + - niklas@cvs.openbsd.org 2001/01/29 1:59:14 + [atomicio.h canohost.h clientloop.h deattack.h dh.h dispatch.h + groupaccess.c groupaccess.h hmac.h hostfile.h includes.h kex.h + key.h log.h login.h match.h misc.h myproposal.h nchan.ms pathnames.h + radix.h readpass.h rijndael.h serverloop.h session.h sftp.h ssh-add.1 + ssh-dss.h ssh-keygen.1 ssh-keyscan.1 ssh-rsa.h ssh1.h ssh_config + sshconnect.h sshd_config tildexpand.h uidswap.h uuencode.h] + $OpenBSD$ + - (bal) Minor auth2.c resync. Whitespace and moving of an #include. + +20010126 + - (bal) SSH_PROGRAM vs _PATH_SSH_PROGRAM fix pointed out by Roumen + Petrov + - (bal) OpenBSD Sync + - deraadt@cvs.openbsd.org 2001/01/25 8:06:33 + [ssh-agent.c] + call _exit() in signal handler + +20010125 + - (djm) Sync bsd-* support files: + - deraadt@cvs.openbsd.org 2000/01/26 03:43:20 + [rresvport.c bindresvport.c] + new bindresvport() semantics that itojun, shin, jean-luc and i have + agreed on, which will be happy for the future. bindresvport_sa() for + sockaddr *, too. docs later.. + - deraadt@cvs.openbsd.org 2000/01/24 02:24:21 + [bindresvport.c] + in bindresvport(), if sin is non-NULL, example sin->sin_family for + the actual family being processed + - (djm) Mention PRNGd in documentation, it is nicer than EGD + - (djm) Automatically search for "well-known" EGD/PRNGd sockets in autoconf + - (bal) AC_FUNC_STRFTIME added to autoconf + - (bal) OpenBSD Resync + - stevesk@cvs.openbsd.org 2001/01/24 21:03:50 + [channels.c] + missing freeaddrinfo(); ok markus@ + +20010124 + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/23 10:45:10 + [ssh.h] + nuke comment + - (bal) no 64bit support patch from Tim Rice + - (bal) #ifdef around S_IFSOCK if platform does not support it. + patch by Tim Rice + - (bal) fake-regex.h cleanup based on Tim Rice's patch. + - (stevesk) sftp-server.c: fix chmod() mode mask + +20010123 + - (bal) regexp.h typo in configure.in. Should have been regex.h + - (bal) SSH_USER_DIR to _PATH_SSH_USER_DIR patch by stevesk@ + - (bal) SSH_ASKPASS_DEFAULT to _PATH_SSH_ASKPASS_DEFAULT + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/22 8:15:00 + [auth-krb4.c sshconnect1.c] + only AFS needs radix.[ch] + - markus@cvs.openbsd.org 2001/01/22 8:32:53 + [auth2.c] + no need to include; from mouring@etoh.eviladmin.org + - stevesk@cvs.openbsd.org 2001/01/22 16:55:21 + [key.c] + free() -> xfree(); ok markus@ + - stevesk@cvs.openbsd.org 2001/01/22 17:22:28 + [sshconnect2.c sshd.c] + fix memory leaks in SSH2 key exchange; ok markus@ + - markus@cvs.openbsd.org 2001/01/22 23:06:39 + [auth1.c auth2.c readconf.c readconf.h servconf.c servconf.h + sshconnect1.c sshconnect2.c sshd.c] + rename skey -> challenge response. + auto-enable kbd-interactive for ssh2 if challenge-reponse is enabled. + + +20010122 + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/19 12:45:26 GMT 2001 by markus + [servconf.c ssh.h sshd.c] + only auth-chall.c needs #ifdef SKEY + - markus@cvs.openbsd.org 2001/01/19 15:55:10 GMT 2001 by markus + [auth-krb4.c auth-options.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c + auth1.c auth2.c channels.c clientloop.c dh.c dispatch.c nchan.c + packet.c pathname.h readconf.c scp.c servconf.c serverloop.c + session.c ssh-add.c ssh-keygen.c ssh-keyscan.c ssh.c ssh.h + ssh1.h sshconnect1.c sshd.c ttymodes.c] + move ssh1 definitions to ssh1.h, pathnames to pathnames.h + - markus@cvs.openbsd.org 2001/01/19 16:48:14 [sshd.8] - new sentence, new line; - whitespace; - - jmc@cvs.openbsd.org 2005/03/01 15:05:00 + fix typo; from stevesk@ + - markus@cvs.openbsd.org 2001/01/19 16:50:58 + [ssh-dss.c] + clear and free digest, make consistent with other code (use dlen); from + stevesk@ + - markus@cvs.openbsd.org 2001/01/20 15:55:20 GMT 2001 by markus + [auth-options.c auth-options.h auth-rsa.c auth2.c] + pass the filename to auth_parse_options() + - markus@cvs.openbsd.org 2001/01/20 17:59:40 GMT 2001 + [readconf.c] + fix SIGSEGV from -o ""; problem noted by jehsom@togetherweb.com + - stevesk@cvs.openbsd.org 2001/01/20 18:20:29 + [sshconnect2.c] + dh_new_group() does not return NULL. ok markus@ + - markus@cvs.openbsd.org 2001/01/20 21:33:42 + [ssh-add.c] + do not loop forever if askpass does not exist; from + andrew@pimlott.ne.mediaone.net + - djm@cvs.openbsd.org 2001/01/20 23:00:56 + [servconf.c] + Check for NULL return from strdelim; ok markus + - djm@cvs.openbsd.org 2001/01/20 23:02:07 + [readconf.c] + KNF; ok markus + - jakob@cvs.openbsd.org 2001/01/21 9:00:33 [ssh-keygen.1] - whitespace; - - jmc@cvs.openbsd.org 2005/03/01 15:47:14 - [ssh-keyscan.1 ssh-keyscan.c] - sort options and sync usage(); - - jmc@cvs.openbsd.org 2005/03/01 17:19:35 - [scp.1 sftp.1] - add HashKnownHosts to -o list; - ok markus@ - - jmc@cvs.openbsd.org 2005/03/01 17:22:06 - [ssh.c] - sync usage() w/ man SYNOPSIS; - ok markus@ - - jmc@cvs.openbsd.org 2005/03/01 17:32:19 - [ssh-add.1] - sort options; - - jmc@cvs.openbsd.org 2005/03/01 18:15:56 + remove -R flag; ok markus@ + - markus@cvs.openbsd.org 2001/01/21 19:05:40 + [atomicio.c automicio.h auth-chall.c auth-krb4.c auth-options.c + auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c + auth.c auth.h auth1.c auth2-chall.c auth2.c authfd.c authfile.c + bufaux.c bufaux.h buffer.c canahost.c canahost.h channels.c + cipher.c cli.c clientloop.c clientloop.h compat.c compress.c + deattack.c dh.c dispatch.c groupaccess.c hmac.c hostfile.c kex.c + key.c key.h log-client.c log-server.c log.c log.h login.c login.h + match.c misc.c misc.h nchan.c packet.c pty.c radix.h readconf.c + readpass.c readpass.h rsa.c scp.c servconf.c serverloop.c serverloop.h + session.c sftp-server.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c + ssh-keyscan.c ssh-rsa.c ssh.c ssh.h sshconnect.c sshconnect.h + sshconnect1.c sshconnect2.c sshd.c tildexpand.c tildexpand.h + ttysmodes.c uidswap.c xmalloc.c] + split ssh.h and try to cleanup the #include mess. remove unnecessary + #includes. rename util.[ch] -> misc.[ch] + - (bal) renamed 'PIDDIR' to '_PATH_SSH_PIDDIR' to match OpenBSD tree + - (bal) Moved #ifdef KRB4 in auth-krb4.c above the #include to resolve + conflict when compiling for non-kerb install + - (bal) removed the #ifdef SKEY in auth1.c to match Markus' changes + on 1/19. + +20010120 + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/19 12:45:26 + [ssh-chall.c servconf.c servconf.h ssh.h sshd.c] + only auth-chall.c needs #ifdef SKEY + - (bal) Slight auth2-pam.c clean up. + - (bal) Includes a fake-regexp.h to be only used if regcomp() is found, + but no 'regexp.h' found (SCO OpenServer 3 lacks the header). + +20010119 + - (djm) Update versions in RPM specfiles + - (bal) OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/18 16:20:21 + [log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h + sshd.8 sshd.c] + log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many + systems + - markus@cvs.openbsd.org 2001/01/18 16:59:59 + [auth-passwd.c auth.c auth.h auth1.c auth2.c serverloop.c session.c + session.h sshconnect1.c] + 1) removes fake skey from sshd, since this will be much + harder with /usr/libexec/auth/login_XXX + 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) + 3) make addition of BSD_AUTH and other challenge reponse methods + easier. + - markus@cvs.openbsd.org 2001/01/18 17:12:43 + [auth-chall.c auth2-chall.c] + rename *-skey.c *-chall.c since the files are not skey specific + - (djm) Merge patch from Tim Waugh (via Nalin Dahyabhai ) + to fix NULL pointer deref and fake authloop breakage in PAM code. + - (bal) Updated contrib/cygwin/ by Corinna Vinschen + - (bal) Minor cygwin patch to auth1.c. Suggested by djm. + +20010118 + - (bal) Super Sized OpenBSD Resync + - markus@cvs.openbsd.org 2001/01/11 22:14:20 GMT 2001 by markus + [sshd.c] + maxfd+1 + - markus@cvs.openbsd.org 2001/01/13 17:59:18 [ssh-keygen.1] - sort options (no attempt made at synopsis clean up though); - spelling (occurance -> occurrence); - use prompt before examples; - grammar; - - djm@cvs.openbsd.org 2005/03/02 01:00:06 + small ssh-keygen manpage cleanup; stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/13 18:03:07 + [scp.c ssh-keygen.c sshd.c] + getopt() returns -1 not EOF; stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/13 18:06:54 + [ssh-keyscan.c] + use SSH_DEFAULT_PORT; from stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/13 18:12:47 + [ssh-keyscan.c] + free() -> xfree(); fix memory leak; from stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/13 18:14:13 + [ssh-add.c] + typo, from stevesk@sweden.hp.com + - markus@cvs.openbsd.org 2001/01/13 18:32:50 + [packet.c session.c ssh.c sshconnect.c sshd.c] + split out keepalive from packet_interactive (from dale@accentre.com) + set IPTOS_LOWDELAY TCP_NODELAY IPTOS_THROUGHPUT for ssh2, too. + - markus@cvs.openbsd.org 2001/01/13 18:36:45 + [packet.c packet.h] + reorder, typo + - markus@cvs.openbsd.org 2001/01/13 18:38:00 + [auth-options.c] + fix comment + - markus@cvs.openbsd.org 2001/01/13 18:43:31 + [session.c] + Wall + - markus@cvs.openbsd.org 2001/01/13 19:14:08 + [clientloop.h clientloop.c ssh.c] + move callback to headerfile + - markus@cvs.openbsd.org 2001/01/15 21:40:10 + [ssh.c] + use log() instead of stderr + - markus@cvs.openbsd.org 2001/01/15 21:43:51 + [dh.c] + use error() not stderr! + - markus@cvs.openbsd.org 2001/01/15 21:45:29 + [sftp-server.c] + rename must fail if newpath exists, debug off by default + - markus@cvs.openbsd.org 2001/01/15 21:46:38 + [sftp-server.c] + readable long listing for sftp-server, ok deraadt@ + - markus@cvs.openbsd.org 2001/01/16 19:20:06 + [key.c ssh-rsa.c] + make "ssh-rsa" key format for ssh2 confirm to the ietf-drafts; from + galb@vandyke.com. note that you have to delete older ssh2-rsa keys, + since they are in the wrong format, too. they must be removed from + .ssh/authorized_keys2 and .ssh/known_hosts2, etc. + (cd; grep -v ssh-rsa .ssh/authorized_keys2 > TMP && mv TMP + .ssh/authorized_keys2) additionally, we now check that + BN_num_bits(rsa->n) >= 768. + - markus@cvs.openbsd.org 2001/01/16 20:54:27 + [sftp-server.c] + remove some statics. simpler handles; idea from nisse@lysator.liu.se + - deraadt@cvs.openbsd.org 2001/01/16 23:58:08 + [bufaux.c radix.c sshconnect.h sshconnect1.c] + indent + - (bal) Added bsd-strmode.[ch] since some non-OpenBSD platforms may + be missing such feature. + + +20010117 + - (djm) Only write random seed file at exit + - (djm) Make PAM support optional, enable with --with-pam + - (djm) Try to use libcrypt on Linux, but link it after OpenSSL (which + provides a crypt() of its own) + - (djm) Avoid a warning in bsd-bindresvport.c + - (djm) Try to avoid adding -I/usr/include to CPPFLAGS during SSL tests. This + can cause weird segfaults errors on Solaris + - (djm) Avoid warning in PAM code by making read_passphrase arguments const + - (djm) Add --with-pam to RPM spec files + +20010115 + - (bal) sftp-server.c change to use chmod() if fchmod() does not exist. + - (bal) utimes() support via utime() interface on machine that lack utimes(). + +20010114 + - (stevesk) initial work for OpenBSD "support supplementary group in + {Allow,Deny}Groups" patch: + - import getgrouplist.c from OpenBSD (bsd-getgrouplist.c) + - add bsd-getgrouplist.h + - new files groupaccess.[ch] + - build but don't use yet (need to merge auth.c changes) + - (stevesk) complete: + - markus@cvs.openbsd.org 2001/01/13 11:56:48 + [auth.c sshd.8] + support supplementary group in {Allow,Deny}Groups + from stevesk@pobox.com + +20010112 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/10 22:56:22 + [bufaux.h bufaux.c sftp-server.c sftp.h getput.h] + cleanup sftp-server implementation: + add buffer_get_int64, buffer_put_int64, GET_64BIT, PUT_64BIT + parse SSH2_FILEXFER_ATTR_EXTENDED + send SSH2_FX_EOF if readdir returns no more entries + reply to SSH2_FXP_EXTENDED message + use #defines from the draft + move #definations to sftp.h + more info: + http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt + - markus@cvs.openbsd.org 2001/01/10 19:43:20 + [sshd.c] + XXX - generate_empheral_server_key() is not safe against races, + because it calls log() + - markus@cvs.openbsd.org 2001/01/09 21:19:50 + [packet.c] + allow TCP_NDELAY for ipv6; from netbsd via itojun@ + +20010110 + - (djm) SNI/Reliant Unix needs USE_PIPES and $DISPLAY hack. Report from + Bladt Norbert + +20010109 + - (bal) Resync CVS ID of cli.c + - (stevesk) auth1.c: free should be after WITH_AIXAUTHENTICATE + code. + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/08 22:29:05 + [auth2.c compat.c compat.h servconf.c servconf.h sshd.8 + sshd_config version.h] + implement option 'Banner /etc/issue.net' for ssh2, move version to + 2.3.1 (needed for bugcompat detection, 2.3.0 would fail if Banner + is enabled). + - markus@cvs.openbsd.org 2001/01/08 22:03:23 + [channels.c ssh-keyscan.c] + O_NDELAY -> O_NONBLOCK; thanks stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/08 21:55:41 + [sshconnect1.c] + more cleanups and fixes from stevesk@pobox.com: + 1) try_agent_authentication() for loop will overwrite key just + allocated with key_new(); don't alloc + 2) call ssh_close_authentication_connection() before exit + try_agent_authentication() + 3) free mem on bad passphrase in try_rsa_authentication() + - markus@cvs.openbsd.org 2001/01/08 21:48:17 + [kex.c] + missing free; thanks stevesk@pobox.com + - (bal) Detect if clock_t structure exists, if not define it. + - (bal) Detect if O_NONBLOCK exists, if not define it. + - (bal) removed news4-posix.h (now empty) + - (bal) changed bsd-bindresvport.c and bsd-rresvport.c to use 'socklen_t' + instead of 'int' + - (stevesk) sshd_config: sync + - (stevesk) defines.h: remove spurious ``;'' + +20010108 + - (bal) Fixed another typo in cli.c + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/07 21:26:55 + [cli.c] + typo + - markus@cvs.openbsd.org 2001/01/07 21:26:55 + [cli.c] + missing free, stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/07 19:06:25 + [auth1.c] + missing free, stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/07 11:28:04 + [log-client.c log-server.c log.c readconf.c servconf.c ssh.1 + ssh.h sshd.8 sshd.c] + rename SYSLOG_LEVEL_INFO->SYSLOG_LEVEL_NOTICE + syslog priority changes: + fatal() LOG_ERR -> LOG_CRIT + log() LOG_INFO -> LOG_NOTICE + - Updated TODO + +20010107 + - (bal) OpenBSD Sync + - markus@cvs.openbsd.org 2001/01/06 11:23:27 + [ssh-rsa.c] + remove unused + - itojun@cvs.openbsd.org 2001/01/05 08:23:29 + [ssh-keyscan.1] + missing .El + - markus@cvs.openbsd.org 2001/01/04 22:41:03 + [session.c sshconnect.c] + consistent use of _PATH_BSHELL; from stevesk@pobox.com + - djm@cvs.openbsd.org 2001/01/04 22:35:32 + [ssh.1 sshd.8] + Mention AES as available SSH2 Cipher; ok markus + - markus@cvs.openbsd.org 2001/01/04 22:25:58 + [sshd.c] + sync usage()/man with defaults; from stevesk@pobox.com + - markus@cvs.openbsd.org 2001/01/04 22:21:26 + [sshconnect2.c] + handle SSH2_MSG_USERAUTH_BANNER; fixes bug when connecting to a server + that prints a banner (e.g. /etc/issue.net) + +20010105 + - (bal) contrib/caldera/ provided by Tim Rice + - (bal) bsd-getcwd.c and bsd-setenv.c changed from bcopy() to memmove() + +20010104 + - (djm) Fix memory leak on systems with BROKEN_GETADDRINFO. Based on + work by Chris Vaughan + +20010103 + - (bal) fixed up sshconnect.c so it was closer inline with the OpenBSD + tree (mainly positioning) + - (bal) OpenSSH CVS Update + - markus@cvs.openbsd.org 2001/01/02 20:41:02 + [packet.c] + log remote ip on disconnect; PR 1600 from jcs@rt.fm + - markus@cvs.openbsd.org 2001/01/02 20:50:56 + [sshconnect.c] + strict_host_key_checking for host_status != HOST_CHANGED && + ip_status == HOST_CHANGED + - (bal) authfile.c: Synced CVS ID tag + - (bal) UnixWare 2.0 fixes by Tim Rice + - (bal) Disable sftp-server if no 64bit int support exists. Based on + patch by Tim Rice + - (bal) Makefile.in changes to uninstall: target to remove sftp-server + and sftp-server.8 manpage. + +20010102 + - (bal) OpenBSD CVS Update + - markus@cvs.openbsd.org 2001/01/01 14:52:49 + [scp.c] + use shared fatal(); from stevesk@pobox.com + +20001231 + - (bal) Reverted out of MAXHOSTNAMELEN. This should be set per OS. + for multiple reasons. + - (bal) Reverted out of a partial NeXT patch. + +20001230 + - (bal) OpenBSD CVS Update + - markus@cvs.openbsd.org 2000/12/28 18:58:30 + [ssh-keygen.c] + enable 'ssh-keygen -l -f ~/.ssh/{authorized_keys,known_hosts}{,2} + - markus@cvs.openbsd.org 2000/12/29 22:19:13 + [channels.c] + missing xfree; from vaughan99@yahoo.com + - (bal) Resynced CVS ID with OpenBSD for channel.c and uidswap.c + - (bal) if no MAXHOSTNAMELEN is defined. Default to 64 character defination. + Suggested by Christian Kurz + - (bal) Add in '.c.o' section to Makefile.in to address make programs that + don't honor CPPFLAGS by default. Suggested by Lutz Jaenicke + + +20001229 + - (bal) Fixed spelling of 'authorized_keys' in ssh-copy-id.1 by Christian + Kurz + - (bal) OpenBSD CVS Update + - markus@cvs.openbsd.org 2000/12/28 14:25:51 + [auth.h auth2.c] + count authentication failures only + - markus@cvs.openbsd.org 2000/12/28 14:25:03 [sshconnect.c] - fix addition of new hashed hostnames when CheckHostIP=yes; - found and ok dtucker@ - - djm@cvs.openbsd.org 2005/03/02 01:27:41 + fingerprint for MITM attacks, too. + - markus@cvs.openbsd.org 2000/12/28 12:03:57 + [sshd.8 sshd.c] + document -D + - markus@cvs.openbsd.org 2000/12/27 14:19:21 + [serverloop.c] + less chatty + - markus@cvs.openbsd.org 2000/12/27 12:34 + [auth1.c sshconnect2.c sshd.c] + typo + - markus@cvs.openbsd.org 2000/12/27 12:30:19 + [readconf.c readconf.h ssh.1 sshconnect.c] + new option: HostKeyAlias: allow the user to record the host key + under a different name. This is useful for ssh tunneling over + forwarded connections or if you run multiple sshd's on different + ports on the same machine. + - markus@cvs.openbsd.org 2000/12/27 11:51:53 + [ssh.1 ssh.c] + multiple -t force pty allocation, document ORIGINAL_COMMAND + - markus@cvs.openbsd.org 2000/12/27 11:41:31 + [sshd.8] + update for ssh-2 + - (stevesk) compress.[ch] sync with openbsd; missed in prototype + fix merge. + +20001228 + - (bal) Patch to add libutil.h to loginrec.c only if the platform has + libutil.h. Suggested by Pekka Savola + - (djm) Update to new x11-askpass in RPM spec + - (bal) SCO patch to not include since it's unrelated + header. Patch by Tim Rice + - Updated TODO w/ known HP/UX issue + - (bal) removed extra noticed by Kevin Steves and removed the + bad reference to 'NeXT including it else were' on the #ifdef version. + +20001227 + - (bal) Typo in configure.in: entut?ent should be endut?ent. Suggested by + Takumi Yamane + - (bal) Checks for getrlimit(), sysconf(), and setdtablesize(). Patch + by Corinna Vinschen + - (djm) Fix catman-do target for non-bash + - (bal) Typo in configure.in: entut?ent should be endut?ent. Suggested by + Takumi Yamane + - (bal) Checks for getrlimit(), sysconf(), and setdtablesize(). Patch + by Corinna Vinschen + - (djm) Fix catman-do target for non-bash + - (bal) Fixed NeXT's lack of CPPFLAGS honoring. + - (bal) ssh-keyscan.c: NeXT (and older BSDs) don't support getrlimit() w/ + 'RLIMIT_NOFILE' + - (djm) Remove *.Ylonen files. They are no longer in the OpenBSD tree, + the info in COPYING.Ylonen has been moved to the start of each + SSH1-derived file and README.Ylonen is well out of date. + +20001223 + - (bal) Fixed Makefile.in to support recompile of all ssh and sshd objects + if a change to config.h has occurred. Suggested by Gert Doering + + - (bal) OpenBSD CVS Update: + - markus@cvs.openbsd.org 2000/12/22 16:49:40 [ssh-keygen.c] - ignore hostnames with metachars when hashing; ok deraadt@ - - djm@cvs.openbsd.org 2005/03/02 02:21:07 + fix ssh-keygen -x -t type > file; from Roumen.Petrov@skalasoft.com + +20001222 + - Updated RCSID for pty.c + - (bal) OpenBSD CVS Updates: + - markus@cvs.openbsd.org 2000/12/21 15:10:16 + [auth-rh-rsa.c hostfile.c hostfile.h sshconnect.c] + print keyfile:line for changed hostkeys, for deraadt@, ok deraadt@ + - markus@cvs.openbsd.org 2000/12/20 19:26:56 + [authfile.c] + allow ssh -i userkey for root + - markus@cvs.openbsd.org 2000/12/20 19:37:21 + [authfd.c authfd.h kex.c sshconnect2.c sshd.c uidswap.c uidswap.h] + fix prototypes; from stevesk@pobox.com + - markus@cvs.openbsd.org 2000/12/20 19:32:08 + [sshd.c] + init pointer to NULL; report from Jan.Ivan@cern.ch + - markus@cvs.openbsd.org 2000/12/19 23:17:54 + [auth-krb4.c auth-options.c auth-options.h auth-rhosts.c auth-rsa.c + auth1.c auth2-skey.c auth2.c authfd.c authfd.h authfile.c bufaux.c + bufaux.h buffer.c canohost.c channels.c clientloop.c compress.c + crc32.c deattack.c getput.h hmac.c hmac.h hostfile.c kex.c kex.h + key.c key.h log.c login.c match.c match.h mpaux.c mpaux.h packet.c + packet.h radix.c readconf.c rsa.c scp.c servconf.c servconf.h + serverloop.c session.c sftp-server.c ssh-agent.c ssh-dss.c ssh-dss.h + ssh-keygen.c ssh-keyscan.c ssh-rsa.c ssh-rsa.h ssh.c ssh.h uuencode.c + uuencode.h sshconnect1.c sshconnect2.c sshd.c tildexpand.c] + replace 'unsigned bla' with 'u_bla' everywhere. also replace 'char + unsigned' with u_char. + +20001221 + - (stevesk) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/19 15:43:45 + [authfile.c channels.c sftp-server.c ssh-agent.c] + remove() -> unlink() for consistency + - markus@cvs.openbsd.org 2000/12/19 15:48:09 + [ssh-keyscan.c] + replace with + - markus@cvs.openbsd.org 2000/12/17 02:33:40 + [uidswap.c] + typo; from wsanchez@apple.com + +20001220 + - (djm) Workaround PAM inconsistencies between Solaris derived PAM code + and Linux-PAM. Based on report and fix from Andrew Morgan + + +20001218 + - (stevesk) rsa.c: entropy.h not needed. + - (bal) split CFLAGS into CFLAGS and CPPFLAGS in configure.in and Makefile. + Suggested by Wilfredo Sanchez + +20001216 + - (stevesk) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/16 02:53:57 + [scp.c] + allow + in usernames; request from Florian.Weimer@RUS.Uni-Stuttgart.DE + - markus@cvs.openbsd.org 2000/12/16 02:39:57 + [scp.c] + unused; from stevesk@pobox.com + +20001215 + - (stevesk) Old OpenBSD patch wasn't completely applied: + - markus@cvs.openbsd.org 2000/01/24 22:11:20 + [scp.c] + allow '.' in usernames; from jedgar@fxp.org + - (stevesk) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/13 16:26:53 + [ssh-keyscan.c] + fatal already adds \n; from stevesk@pobox.com + - markus@cvs.openbsd.org 2000/12/13 16:25:44 + [ssh-agent.c] + remove redundant spaces; from stevesk@pobox.com + - ho@cvs.openbsd.org 2000/12/12 15:50:21 + [pty.c] + When failing to set tty owner and mode on a read-only filesystem, don't + abort if the tty already has correct owner and reasonably sane modes. + Example; permit 'root' to login to a firewall with read-only root fs. + (markus@ ok) + - deraadt@cvs.openbsd.org 2000/12/13 06:36:05 + [pty.c] + KNF + - markus@cvs.openbsd.org 2000/12/12 14:45:21 + [sshd.c] + source port < 1024 is no longer required for rhosts-rsa since it + adds no additional security. + - markus@cvs.openbsd.org 2000/12/12 16:11:49 + [ssh.1 ssh.c] + rhosts-rsa is no longer automagically disabled if ssh is not privileged. + UsePrivilegedPort=no disables rhosts-rsa _only_ for old servers. + these changes should not change the visible default behaviour of the ssh client. + - deraadt@cvs.openbsd.org 2000/12/11 10:27:33 + [scp.c] + when copying 0-sized files, do not re-print ETA time at completion + - provos@cvs.openbsd.org 2000/12/15 10:30:15 + [kex.c kex.h sshconnect2.c sshd.c] + compute diffie-hellman in parallel between server and client. okay markus@ + +20001213 + - (djm) Make sure we reset the SIGPIPE disposition after we fork. Report + from Andreas M. Kirchwitz + - (stevesk) OpenBSD CVS update: + - markus@cvs.openbsd.org 2000/12/12 15:30:02 + [ssh-keyscan.c ssh.c sshd.c] + consistently use __progname; from stevesk@pobox.com + +20001211 + - (bal) Applied patch to include ssh-keyscan into Redhat's package, and + patch to install ssh-keyscan manpage. Patch by Pekka Savola + + - (bal) OpenbSD CVS update + - markus@cvs.openbsd.org 2000/12/10 17:01:53 + [sshconnect1.c] + always request new challenge for skey/tis-auth, fixes interop with + other implementations; report from roth@feep.net + +20001210 + - (bal) OpenBSD CVS updates + - markus@cvs.openbsd.org 2000/12/09 13:41:51 + [cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h] + undo rijndael changes + - markus@cvs.openbsd.org 2000/12/09 13:48:31 + [rijndael.c] + fix byte order bug w/o introducing new implementation + - markus@cvs.openbsd.org 2000/12/09 14:08:27 + [sftp-server.c] + "" -> "." for realpath; from vinschen@redhat.com + - markus@cvs.openbsd.org 2000/12/09 14:06:54 + [ssh-agent.c] + extern int optind; from stevesk@sweden.hp.com + - provos@cvs.openbsd.org 2000/12/09 23:51:11 + [compat.c] + remove unnecessary '\n' + +20001209 + - (bal) OpenBSD CVS updates: + - djm@cvs.openbsd.org 2000/12/07 4:24:59 [ssh.1] - bz#987: mention ForwardX11Trusted in ssh.1, - reported by andrew.benham AT thus.net; ok deraadt@ - - (tim) [regress/agent-ptrace.sh] add another possible gdb error. - -20050301 - - (djm) OpenBSD CVS sync: - - otto@cvs.openbsd.org 2005/02/16 09:56:44 - [ssh.c] - Better diagnostic if an identity file is not accesible. ok markus@ djm@ - - djm@cvs.openbsd.org 2005/02/18 03:05:53 - [canohost.c] - better error messages for getnameinfo failures; ok dtucker@ - - djm@cvs.openbsd.org 2005/02/20 22:59:06 - [sftp.c] - turn on ssh batch mode when in sftp batch mode, patch from - jdmossh AT nand.net; - ok markus@ - - jmc@cvs.openbsd.org 2005/02/25 10:55:13 - [sshd.8] - add /etc/motd and $HOME/.hushlogin to FILES; - from michael knudsen; - - djm@cvs.openbsd.org 2005/02/28 00:54:10 - [ssh_config.5] - bz#849: document timeout on untrusted x11 forwarding sessions. Reported by - orion AT cora.nwra.com; ok markus@ - - djm@cvs.openbsd.org 2005/03/01 10:09:52 - [auth-options.c channels.c channels.h clientloop.c compat.c compat.h] - [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5] - [sshd_config.5] - bz#413: allow optional specification of bind address for port forwardings. - Patch originally by Dan Astorian, but worked on by several people - Adds GatewayPorts=clientspecified option on server to allow remote - forwards to bind to client-specified ports. - - djm@cvs.openbsd.org 2005/03/01 10:40:27 - [hostfile.c hostfile.h readconf.c readconf.h ssh.1 ssh_config.5] - [sshconnect.c sshd.8] - add support for hashing host names and addresses added to known_hosts - files, to improve privacy of which hosts user have been visiting; ok - markus@ deraadt@ - - djm@cvs.openbsd.org 2005/03/01 10:41:28 - [ssh-keyscan.1 ssh-keyscan.c] - option to hash hostnames output by ssh-keyscan; ok markus@ deraadt@ - - djm@cvs.openbsd.org 2005/03/01 10:42:49 - [ssh-keygen.1 ssh-keygen.c ssh_config.5] - add tools for managing known_hosts files with hashed hostnames, including - hashing existing files and deleting hosts by name; ok markus@ deraadt@ - -20050226 - - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c] - Remove two obsolete Cygwin #ifdefs. Patch from vinschen at redhat.com. - - (dtucker) [acconfig.h configure.ac openbsd-compat/bsd-misc.{c,h}] - Remove SETGROUPS_NOOP, was only used by Cygwin, which doesn't need it any - more. Patch from vinschen at redhat.com. - - (dtucker) [Makefile.in] Add a install-nosysconf target for installing the - binaries without the config files. Primarily useful for packaging. - Patch from phil at usc.edu. ok djm@ - -20050224 - - (djm) [configure.ac] in_addr_t test needs sys/types.h too - -20050222 - - (dtucker) [uidswap.c] Skip uid restore test on Cygwin. Patch from - vinschen at redhat.com. - -20050220 - - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac - defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support. Configure - --with-audit=bsm to enable. Patch originally from Sun Microsystems, - parts by John R. Jackson. ok djm@ - - (dtucker) [configure.ac] Missing comma in AIX section, somehow causes - unrelated platforms to be configured incorrectly. - -20050216 - - (djm) write seed to temporary file and atomically rename into place; - ok dtucker@ - - (dtucker) [ssh-rand-helper.c] Provide seed_rng since it may be called - via mkstemp in some configurations. ok djm@ - - (dtucker) [auth-shadow.c] Prevent compiler warnings if "DAY" is defined - by the system headers. - - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant - Unix; prevents problems relating to the location of -lresolv in the - link order. - - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic - authentication early enough to be available to PAM session modules when - privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam - Hartman and similar to Debian's ssh-krb5 package. - - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more - compiler warnings on AIX. - -20050215 - - (dtucker) [config.sh.in] Collect oslevel -r too. - - (dtucker) [README.platform auth.c configure.ac loginrec.c - openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6 - on AIX where possible (see README.platform for details) and work around - a misfeature of AIX's getnameinfo. ok djm@ - - (dtucker) [loginrec.c] Add missing #include. - -20050211 - - (dtucker) [configure.ac] Tidy up configure --help output. - - (dtucker) [openbsd-compat/fake-rfc2553.h] We now need EAI_SYSTEM too. - -20050210 - - (dtucker) [configure.ac] Bug #919: Provide visible feedback for the - --disable-etc-default-login configure option. - -20050209 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2005/01/28 09:45:53 - [ssh_config] - Make it clear that the example entries in ssh_config are only some of the - commonly-used options and refer the user to ssh_config(5) for more - details; ok djm@ - - jmc@cvs.openbsd.org 2005/01/28 15:05:43 - [ssh_config.5] - grammar; - - jmc@cvs.openbsd.org 2005/01/28 18:14:09 - [ssh_config.5] - wording; - ok markus@ - - dtucker@cvs.openbsd.org 2005/01/30 11:18:08 - [monitor.c] - Make code match intent; ok djm@ - - dtucker@cvs.openbsd.org 2005/02/08 22:24:57 + Typo fix from Wilfredo Sanchez ; ok theo + +20001207 + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/06 22:58:14 + [compat.c compat.h packet.c] + disable debug messages for ssh.com/f-secure 2.0.1x, 2.1.0 + - markus@cvs.openbsd.org 2000/12/06 23:10:39 + [rijndael.c] + unexpand(1) + - markus@cvs.openbsd.org 2000/12/06 23:05:43 + [cipher.c cipher.h rijndael.c rijndael.h rijndael_boxes.h] + new rijndael implementation. fixes endian bugs + +20001206 + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/05 20:34:09 + [channels.c channels.h clientloop.c serverloop.c] + async connects for -R/-L; ok deraadt@ + - todd@cvs.openssh.org 2000/12/05 16:47:28 [sshd.c] - Provide reason in error message if getnameinfo fails; ok markus@ - - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call - disable_forwarding() from compat library. Prevent linker errrors trying - to resolve it for binaries other than sshd. ok djm@ - - (dtucker) [configure.ac] Bug #854: prepend pwd to relative --with-ssl-dir - paths. ok djm@ - - (dtucker) [configure.ac session.c] Some platforms (eg some SCO) require - the username to be passed to the passwd command when changing expired - passwords. ok djm@ - -20050208 - - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the - regress tests so newer versions of GNU head(1) behave themselves. Patch - by djm, so ok me. - - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings. - - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c - monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit - defines and enums with SSH_ to prevent namespace collisions on some - platforms (eg AIX). - -20050204 - - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too. - - (dtucker) [auth.c] Fix parens in audit log check. - -20050202 - - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath - rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@ - - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}] - Make record_failed_login() call provide hostname rather than having the - implementations having to do lookups themselves. Only affects AIX and - UNICOS (the latter only uses the "user" parameter anyway). ok djm@ - - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child - the process. Since we also unset KRB5CCNAME at startup, if it's set after - authentication it must have been set by the platform's native auth system. - This was already done for AIX; this enables it for the general case. - - (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c] - Bug #974: Teach sshd to write failed login records to btmp for failed auth - attempts (currently only for password, kbdint and C/R, only on Linux and - HP-UX), based on code from login.c from util-linux. With ashok_kovai at - hotmail.com, ok djm@ - - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c - monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125: - (first stage) Add audit instrumentation to sshd, currently disabled by - default. with suggestions from and ok djm@ - -20050201 - - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some - platforms syslog will revert to its default values. This may result in - messages from external libraries (eg libwrap) being sent to a different - facility. - - (dtucker) [sshd_config.5] Bug #701: remove warning about - keyboard-interactive since this is no longer the case. - -20050124 - - (dtucker) OpenBSD CVS Sync - - otto@cvs.openbsd.org 2005/01/21 08:32:02 - [auth-passwd.c sshd.c] - Warn in advance for password and account expiry; initialize loginmsg - buffer earlier and clear it after privsep fork. ok and help dtucker@ - markus@ - - dtucker@cvs.openbsd.org 2005/01/22 08:17:59 - [auth.c] - Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and - DenyGroups. bz #909, ok djm@ - - djm@cvs.openbsd.org 2005/01/23 10:18:12 - [cipher.c] - config option "Ciphers" should be case-sensitive; ok dtucker@ - - dtucker@cvs.openbsd.org 2005/01/24 10:22:06 - [scp.c sftp.c] - Have scp and sftp wait for the spawned ssh to exit before they exit - themselves. This prevents ssh from being unable to restore terminal - modes (not normally a problem on OpenBSD but common with -Portable - on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950); - ok djm@ markus@ - - dtucker@cvs.openbsd.org 2005/01/24 10:29:06 - [moduli] - Import new moduli; requested by deraadt@ a week ago - - dtucker@cvs.openbsd.org 2005/01/24 11:47:13 - [auth-passwd.c] - #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@ - -20050120 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/12/23 17:35:48 + tweak comment to reflect real location of pid file; ok provos@ + - (stevesk) Import from OpenBSD for systems that don't + have it (used in ssh-keyscan). + - (stevesk) OpenBSD CVS update: + - markus@cvs.openbsd.org 2000/12/06 19:57:48 + [ssh-keyscan.c] + err(3) -> internal error(), from stevesk@sweden.hp.com + +20001205 + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/04 19:24:02 + [ssh-keyscan.c ssh-keyscan.1] + David Maziere's ssh-keyscan, ok niels@ + - (bal) Updated Makefile.in to include ssh-keyscan that was just added + to the recent OpenBSD source tree. + - (stevesk) fix typos in contrib/hpux/README + +20001204 + - (bal) More C functions defined in NeXT that are unaccessable without + defining -POSIX. + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/12/03 11:29:04 + [compat.c] + remove fallback to SSH_BUG_HMAC now that the drafts are updated + - markus@cvs.openbsd.org 2000/12/03 11:27:55 + [compat.c] + correctly match "2.1.0.pl2 SSH" etc; from + pekkas@netcore.fi/bugzilla.redhat + - markus@cvs.openbsd.org 2000/12/03 11:15:03 + [auth2.c compat.c compat.h sshconnect2.c] + support f-secure/ssh.com 2.0.12; ok niels@ + +20001203 + - (bal) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/11/30 22:54:31 + [channels.c] + debug->warn if tried to do -R style fwd w/o client requesting this; + ok neils@ + - markus@cvs.openbsd.org 2000/11/29 20:39:17 + [cipher.c] + des_cbc_encrypt -> des_ncbc_encrypt since it already updates the IV + - markus@cvs.openbsd.org 2000/11/30 18:33:05 + [ssh-agent.c] + agents must not dump core, ok niels@ + - markus@cvs.openbsd.org 2000/11/30 07:04:02 + [ssh.1] + T is for both protocols + - markus@cvs.openbsd.org 2000/12/01 00:00:51 + [ssh.1] + typo; from green@FreeBSD.org + - markus@cvs.openbsd.org 2000/11/30 07:02:35 + [ssh.c] + check -T before isatty() + - provos@cvs.openbsd.org 2000/11/29 13:51:27 + [sshconnect.c] + show IP address and hostname when new key is encountered. okay markus@ + - markus@cvs.openbsd.org 2000/11/30 22:53:35 + [sshconnect.c] + disable agent/x11/port fwding if hostkey has changed; ok niels@ + - marksu@cvs.openbsd.org 2000/11/29 21:11:59 + [sshd.c] + sshd -D, startup w/o deamon(), for monitoring scripts or inittab; + from handler@sub-rosa.com and eric@urbanrange.com; ok niels@ + - (djm) Added patch from Nalin Dahyabhai to enable + PAM authentication using KbdInteractive. + - (djm) Added another TODO + +20001202 + - (bal) Backed out of part of Alain St-Denis' loginrec.c patch. + - (bal) Irix need some sort of mansubdir, patch by Michael Stone + + +20001129 + - (djm) Back out all the serverloop.c hacks. sshd will now hang again + if there are background children with open fds. + - (djm) bsd-rresvport.c bzero -> memset + - (djm) Don't fail in defines.h on absence of 64 bit types (we will + still fail during compilation of sftp-server). + - (djm) Fail if ar is not found during configure + - (djm) OpenBSD CVS updates: + - provos@cvs.openbsd.org 2000/11/22 08:38:31 + [sshd.8] + talk about /etc/primes, okay markus@ + - markus@cvs.openbsd.org 2000/11/23 14:03:48 + [ssh.c sshconnect1.c sshconnect2.c] + complain about invalid ciphers for ssh1/ssh2, fall back to reasonable + defaults + - markus@cvs.openbsd.org 2000/11/25 09:42:53 + [sshconnect1.c] + reorder check for illegal ciphers, bugreport from espie@ + - markus@cvs.openbsd.org 2000/11/25 10:19:34 + [ssh-keygen.c ssh.h] + print keytype when generating a key. + reasonable defaults for RSA1/RSA/DSA keys. + - (djm) Patch from Pekka Savola to include a few + more manpage paths in fixpaths calls + - (djm) Also add xauth path at Pekka's suggestion. + - (djm) Add Redhat RPM patch for AUTHPRIV SyslogFacility + +20001125 + - (djm) Give up privs when reading seed file + +20001123 + - (bal) Merge OpenBSD changes: + - markus@cvs.openbsd.org 2000/11/15 22:31:36 + [auth-options.c] + case insensitive key options; from stevesk@sweeden.hp.com + - markus@cvs.openbsd.org 2000/11/16 17:55:43 + [dh.c] + do not use perror() in sshd, after child is forked() + - markus@cvs.openbsd.org 2000/11/14 23:42:40 + [auth-rsa.c] + parse option only if key matches; fix some confusing seen by the client + - markus@cvs.openbsd.org 2000/11/14 23:44:19 [session.c] - check for NULL; from mpech - - markus@cvs.openbsd.org 2004/12/23 17:38:07 + check no_agent_forward_flag for ssh-2, too + - markus@cvs.openbsd.org 2000/11/15 + [ssh-agent.1] + reorder SYNOPSIS; typo, use .It + - markus@cvs.openbsd.org 2000/11/14 23:48:55 + [ssh-agent.c] + do not reorder keys if a key is removed + - markus@cvs.openbsd.org 2000/11/15 19:58:08 + [ssh.c] + just ignore non existing user keys + - millert@cvs.openbsd.org 200/11/15 20:24:43 [ssh-keygen.c] - leak; from mpech - - djm@cvs.openbsd.org 2004/12/23 23:11:00 - [servconf.c servconf.h sshd.c sshd_config sshd_config.5] - bz #898: support AddressFamily in sshd_config. from - peak@argo.troja.mff.cuni.cz; ok deraadt@ - - markus@cvs.openbsd.org 2005/01/05 08:51:32 + Add missing \n at end of error message. + +20001122 + - (bal) Minor patch to ensure platforms lacking IRIX job limit supports + are compilable. + - (bal) Updated TODO as of 11/18/2000 with known things to resolve. + +20001117 + - (bal) Changed from 'primes' to 'primes.out' for consistancy sake. It + has no affect the output. Patch by Corinna Vinschen + - (stevesk) Reworked progname support. + - (bal) Misplaced #include "includes.h" in bsd-setproctitle.c. Patch by + Shinichi Maruyama + +20001116 + - (bal) Added in MAXSYMLINK test in bsd-realpath.c. Required for some SCO + releases. + - (bal) Make builds work outside of source tree. Patch by Mark D. Roth + + +20001113 + - (djm) Add pointer to http://www.imasy.or.jp/~gotoh/connect.c to + contrib/README + - (djm) Merge OpenBSD changes: + - markus@cvs.openbsd.org 2000/11/06 16:04:56 + [channels.c channels.h clientloop.c nchan.c serverloop.c] + [session.c ssh.c] + agent forwarding and -R for ssh2, based on work from + jhuuskon@messi.uku.fi + - markus@cvs.openbsd.org 2000/11/06 16:13:27 + [ssh.c sshconnect.c sshd.c] + do not disabled rhosts(rsa) if server port > 1024; from + pekkas@netcore.fi + - markus@cvs.openbsd.org 2000/11/06 16:16:35 [sshconnect.c] - remove dead code, log connect() failures with level error, ok djm@ - - jmc@cvs.openbsd.org 2005/01/08 00:41:19 - [sshd_config.5] - `login'(n) -> `log in'(v); - - dtucker@cvs.openbsd.org 2005/01/17 03:25:46 - [moduli.c] - Correct spelling: SCHNOOR->SCHNORR; ok djm@ - - dtucker@cvs.openbsd.org 2005/01/17 22:48:39 - [sshd.c] - Make debugging output continue after reexec; ok djm@ - - dtucker@cvs.openbsd.org 2005/01/19 13:11:47 - [auth-bsdauth.c auth2-chall.c] - Have keyboard-interactive code call the drivers even for responses for - invalid logins. This allows the drivers themselves to decide how to - handle them and prevent leaking information where possible. Existing - behaviour for bsdauth is maintained by checking authctxt->valid in the - bsdauth driver. Note that any third-party kbdint drivers will now need - to be able to handle responses for invalid logins. ok markus@ - - djm@cvs.openbsd.org 2004/12/22 02:13:19 - [cipher-ctr.c cipher.c] - remove fallback AES support for old OpenSSL, as OpenBSD has had it for - many years now; ok deraadt@ - (Id sync only: Portable will continue to support older OpenSSLs) - - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user - existence via keyboard-interactive/pam, in conjunction with previous - auth2-chall.c change; with Colin Watson and djm. - - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128 - bytes to prevent errors from login_init_entry() when the username is - exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@ - - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from - the list of available kbdint devices if UsePAM=no. ok djm@ - -20050118 - - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement - "make survey" and "make send-survey". This will provide data on the - configure parameters, platform and platform features to the development - team, which will allow (among other things) better targetting of testing. - It's entirely voluntary and is off be default. ok djm@ - - (dtucker) [survey.sh.in] Remove any blank lines from the output of - ccver-v and ccver-V. - -20041220 - - (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading - from prngd is enabled at compile time but fails at run time, eg because - prngd is not running. Note that if you have prngd running when OpenSSH is - built, OpenSSL will consider itself internally seeded and rand-helper won't - be built at all unless explicitly enabled via --with-rand-helper. ok djm@ - - (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since - on some wacky platforms (eg old AIXes), dd will refuse to create an output - file if it doesn't exist. - -20041213 - - (dtucker) [contrib/findssh.sh] Clean up on interrupt; from - amarendra.godbole at ge com. - -20041211 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/12/06 16:00:43 - [bufaux.c] - use 0x00 not \0 since buf[] is a bignum - - fgsch@cvs.openbsd.org 2004/12/10 03:10:42 - [sftp.c] - - fix globbed ls for paths the same lenght as the globbed path when - we have a unique matching. - - fix globbed ls in case of a directory when we have a unique matching. - - as a side effect, if the path does not exist error (used to silently - ignore). - - don't do extra do_lstat() if we only have one matching file. - djm@ ok - - dtucker@cvs.openbsd.org 2004/12/11 01:48:56 - [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h] - Fix debug call in error path of authorized_keys processing and fix related - warnings; ok djm@ - -20041208 - - (tim) [configure.ac] Comment some non obvious platforms in the - target-specific case statement. Suggested and OK by dtucker@ - -20041207 - - (dtucker) [regress/scp.sh] Use portable-friendly $DIFFOPTs in new test. - -20041206 - - (dtucker) [TODO WARNING.RNG] Update to reflect current reality. ok djm@ - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/11/25 22:22:14 - [sftp-client.c sftp.c] - leak; from mpech - - jmc@cvs.openbsd.org 2004/11/29 00:05:17 - [sftp.1] - missing full stop; - - djm@cvs.openbsd.org 2004/11/29 07:41:24 - [sftp-client.h sftp.c] - Some small fixes from moritz@jodeit.org. ok deraadt@ - - jaredy@cvs.openbsd.org 2004/12/05 23:55:07 - [sftp.1] - - explain that patterns can be used as arguments in get/put/ls/etc - commands (prodded by Michael Knudsen) - - describe ls flags as a list - - other minor improvements - ok jmc, djm - - dtucker@cvs.openbsd.org 2004/12/06 11:41:03 - [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8] - Discard over-length authorized_keys entries rather than complaining when - they don't decode. bz #884, with & ok djm@ - - (dtucker) OpenBSD CVS Sync (regress/) - - djm@cvs.openbsd.org 2004/06/26 06:16:07 - [reexec.sh] - don't change the name of the copied sshd for the reexec fallback test, - makes life simpler for portable - - dtucker@cvs.openbsd.org 2004/07/08 12:59:35 - [scp.sh] - Regress test for bz #863 (scp double-error), requires $SUDO. ok markus@ - - david@cvs.openbsd.org 2004/07/09 19:45:43 - [Makefile] - add a missing CLEANFILES used in the re-exec test - - djm@cvs.openbsd.org 2004/10/08 02:01:50 - [reexec.sh] - shrink and tidy; ok dtucker@ - - djm@cvs.openbsd.org 2004/10/29 23:59:22 - [Makefile added brokenkeys.sh] - regression test for handling of corrupt keys in authorized_keys file - - djm@cvs.openbsd.org 2004/11/07 00:32:41 - [multiplex.sh] - regression tests for new multiplex commands - - dtucker@cvs.openbsd.org 2004/11/25 09:39:27 - [test-exec.sh] - Remove obsolete RhostsAuthentication from test config; ok markus@ - - dtucker@cvs.openbsd.org 2004/12/06 10:49:56 - [test-exec.sh] - Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@ - -20041203 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2004/11/07 17:42:36 + downgrade client to 1.3 if server is 1.4; help from mdb@juniper.net + - markus@cvs.openbsd.org 2000/11/09 18:04:40 + [auth1.c] + typo; from mouring@pconline.com + - markus@cvs.openbsd.org 2000/11/12 12:03:28 + [ssh-agent.c] + off-by-one when removing a key from the agent + - markus@cvs.openbsd.org 2000/11/12 12:50:39 + [auth-rh-rsa.c auth2.c authfd.c authfd.h] + [authfile.c hostfile.c kex.c kex.h key.c key.h myproposal.h] + [readconf.c readconf.h rsa.c rsa.h servconf.c servconf.h ssh-add.c] + [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config] + [sshconnect1.c sshconnect2.c sshd.8 sshd.c sshd_config ssh-dss.c] + [ssh-dss.h ssh-rsa.c ssh-rsa.h dsa.c dsa.h] + add support for RSA to SSH2. please test. + there are now 3 types of keys: RSA1 is used by ssh-1 only, + RSA and DSA are used by SSH2. + you can use 'ssh-keygen -t rsa -f ssh2_rsa_file' to generate RSA + keys for SSH2 and use the RSA keys for hostkeys or for user keys. + SSH2 RSA or DSA keys are added to .ssh/authorised_keys2 as before. + - (djm) Fix up Makefile and Redhat init script to create RSA host keys + - (djm) Change to interim version + - (djm) Fix RPM spec file stupidity + - (djm) fixpaths to DSA and RSA keys too + +20001112 + - (bal) SCO Patch to add needed libraries for configure.in. Patch by + Phillips Porch + - (bal) IRIX patch to adding Job Limits. Patch by Denis Parker + + - (stevesk) pty.c: HP-UX 10 and 11 don't define TIOCSCTTY. Add error() to + failed ioctl(TIOCSCTTY) call. + +20001111 + - (djm) Added /etc/primes for kex DH group neg, fixup Makefile.in and + packaging files + - (djm) Fix new Makefile.in warnings + - (djm) Fix vsprintf("%h") in bsd-snprintf.c, short int va_args are + promoted to type int. Report and fix from Dan Astoorian + + - (djm) Hardwire sysconfdir in RPM spec files as some RPM versions get + it wrong. Report from Bennett Todd + +20001110 + - (bal) Fixed dropped answer from skey_keyinfo() in auth1.c + - (bal) Changed from --with-skey to --with-skey=PATH in configure.in + - (bal) Added in check to verify S/Key library is being detected in + configure.in + - (bal) next-posix.h - added another prototype wrapped in POSIX ifdef/endif. + Patch by Mark Miller + - (bal) Added 'util.h' header to loginrec.c only if HAVE_UTIL_H is defined + to remove warnings under MacOS X. Patch by Mark Miller + - (bal) Fixed LDFLAG mispelling in configure.in for --with-afs + +20001107 + - (bal) acconfig.in - removed the double "USE_PIPES" entry. Patch by + Mark Miller + - (bal) sshd.init files corrected to assign $? to RETVAL. Patch by + Jarno Huuskonen + - (bal) fixpaths fixed to stop it from quitely failing. Patch by + Mark D. Roth + +20001106 + - (djm) Use Jim's new 1.0.3 askpass in Redhat RPMs + - (djm) Manually fix up missed diff hunks (mainly RCS idents) + - (djm) Remove UPGRADING document in favour of a link to the better + maintained FAQ on www.openssh.com + - (djm) Fix multiple dependancy on gnome-libs from Pekka Savola + + - (djm) Don't need X11-askpass in RPM spec file if building without it + from Pekka Savola + - (djm) Release 2.3.0p1 + - (bal) typo in configure.in in regards to --with-ldflags from Marko + Asplund + - (bal) fixed next-posix.h. Forgot prototype of getppid(). + +20001105 + - (bal) Sync with OpenBSD: + - markus@cvs.openbsd.org 2000/10/31 9:31:58 + [compat.c] + handle all old openssh versions + - markus@cvs.openbsd.org 2000/10/31 13:1853 + [deattack.c] + so that large packets do not wrap "n"; from netbsd + - (bal) rijndel.c - fix up RCSID to match OpenBSD tree + - (bal) auth2-skey.c - Checked in. Missing from portable tree. + - (bal) Reworked NEWS-OS and NeXT ports to extract waitpid() and + setsid() into more common files + - (stevesk) pty.c: use __hpux to identify HP-UX. + - (bal) Missed auth-skey.o in Makefile.in and minor correction to + bsd-waitpid.c + +20001029 + - (stevesk) Fix typo in auth.c: USE_PAM not PAM + - (stevesk) Create contrib/cygwin/ directory; patch from + Corinna Vinschen + - (bal) Resolved more $xno and $xyes issues in configure.in + - (bal) next-posix.h - spelling and forgot a prototype + +20001028 + - (djm) fix select hack in serverloop.c from Philippe WILLEM + + - (djm) Fix mangled AIXAUTHENTICATE code + - (djm) authctxt->pw may be NULL. Fix from Markus Friedl + + - (djm) Sync with OpenBSD: + - markus@cvs.openbsd.org 2000/10/16 15:46:32 [ssh.1] - options sort, and whitespace; - - jmc@cvs.openbsd.org 2004/11/07 17:57:30 - [ssh.c] - usage(): - - add -O - - sync -S w/ manpage - - remove -h - - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is - subsequently denied by the PAM auth stack, send the PAM message to the - user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2). - ok djm@ - -20041107 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/11/05 12:19:56 - [sftp.c] - command editing and history support via libedit; ok markus@ - thanks to hshoexer@ and many testers on tech@ too - - djm@cvs.openbsd.org 2004/11/07 00:01:46 - [clientloop.c clientloop.h ssh.1 ssh.c] - add basic control of a running multiplex master connection; including the - ability to check its status and request it to exit; ok markus@ - - (dtucker) [INSTALL Makefile.in configure.ac] Add --with-libedit configure - option and supporting makefile bits and documentation. - -20041105 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/08/30 09:18:08 - [LICENCE] - s/keygen/keyscan/ - - jmc@cvs.openbsd.org 2004/08/30 21:22:49 - [ssh-add.1 ssh.1] - .Xsession -> .xsession; - originally from a pr from f at obiit dot org, but missed by myself; - ok markus@ matthieu@ - - djm@cvs.openbsd.org 2004/09/07 23:41:30 - [clientloop.c ssh.c] - cleanup multiplex control socket on SIGHUP too, spotted by sturm@ - ok markus@ deraadt@ - - deraadt@cvs.openbsd.org 2004/09/15 00:46:01 - [ssh.c] - /* fallthrough */ is something a programmer understands. But - /* FALLTHROUGH */ is also understood by lint, so that is better. - - jaredy@cvs.openbsd.org 2004/09/15 03:25:41 - [sshd_config.5] - mention PrintLastLog only prints last login time for interactive - sessions, like PrintMotd mentions. - From Michael Knudsen, with wording changed slightly to match the - PrintMotd description. - ok djm - - mickey@cvs.openbsd.org 2004/09/15 18:42:27 - [sshd.c] - use less doubles in daemons; markus@ ok - - deraadt@cvs.openbsd.org 2004/09/15 18:46:04 + fixes from pekkas@netcore.fi + - markus@cvs.openbsd.org 2000/10/17 14:28:11 + [atomicio.c] + return number of characters processed; ok deraadt@ + - markus@cvs.openbsd.org 2000/10/18 12:04:02 + [atomicio.c] + undo + - markus@cvs.openbsd.org 2000/10/18 12:23:02 [scp.c] - scratch that do { } while (0) wrapper in this case - - djm@cvs.openbsd.org 2004/09/23 13:00:04 - [ssh.c] - correctly honour -n in multiplex client mode; spotted by sturm@ ok markus@ - - djm@cvs.openbsd.org 2004/09/25 03:45:14 - [sshd.c] - these printf args are no longer double; ok deraadt@ markus@ - - djm@cvs.openbsd.org 2004/10/07 10:10:24 - [scp.1 sftp.1 ssh.1 ssh_config.5] - document KbdInteractiveDevices; ok markus@ - - djm@cvs.openbsd.org 2004/10/07 10:12:36 - [ssh-agent.c] - don't unlink agent socket when bind() fails, spotted by rich AT - rich-paul.net, ok markus@ - - markus@cvs.openbsd.org 2004/10/20 11:48:53 - [packet.c ssh1.h] - disconnect for invalid (out of range) message types. - - djm@cvs.openbsd.org 2004/10/29 21:47:15 - [channels.c channels.h clientloop.c] - fix some window size change bugs for multiplexed connections: windows sizes - were not being updated if they had changed after ~^Z suspends and SIGWINCH - was not being processed unless the first connection had requested a tty; - ok markus - - djm@cvs.openbsd.org 2004/10/29 22:53:56 - [clientloop.c misc.h readpass.c ssh-agent.c] - factor out common permission-asking code to separate function; ok markus@ - - djm@cvs.openbsd.org 2004/10/29 23:56:17 - [bufaux.c bufaux.h buffer.c buffer.h] - introduce a new buffer API that returns an error rather than fatal()ing - when presented with bad data; ok markus@ - - djm@cvs.openbsd.org 2004/10/29 23:57:05 - [key.c] - use new buffer API to avoid fatal errors on corrupt keys in authorized_keys - files; ok markus@ - -20041102 - - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX - 10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__ - only if a conflict is detected. - -20041019 - - (dtucker) [uidswap.c] Don't test dropping of gids for the root user or - on Cygwin. Cygwin parts from vinschen at redhat com; ok djm@ - -20041016 - - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations; - ok dtucker@ - -20041006 - - (dtucker) [README.privsep] Bug #939: update info about HP-UX Trusted Mode - and other PAM platforms. - - (dtucker) [monitor_mm.c openbsd-compat/xmmap.c] Bug #940: cast constants - to void * to appease picky compilers (eg Tru64's "cc -std1"). - -20040930 - - (dtucker) [configure.ac] Set AC_PACKAGE_NAME. ok djm@ - -20040923 - - (dtucker) [openbsd-compat/bsd-snprintf.c] Previous change was off by one, - which could have caused the justification to be wrong. ok djm@ - -20040921 - - (dtucker) [openbsd-compat/bsd-snprintf.c] Check for max length too. - ok djm@ - - (dtucker) [contrib/cygwin/ssh-host-config] Update to match current Cygwin - install process. Patch from vinschen at redhat.com. - -20040912 - - (djm) [loginrec.c] Start KNF and tidy up of this long-neglected file. - No change in resultant binary - - (djm) [loginrec.c] __func__ifiy - - (djm) [loginrec.c] xmalloc - - (djm) [ssh.c sshd.c version.h] Don't divulge portable version in protocol - banner. Suggested by deraadt@, ok mouring@, dtucker@ - - (dtucker) [configure.ac] Fix incorrect quoting and tests for cross-compile. - Partly by & ok djm@. - -20040911 - - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@ - - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from - failing PAM session modules to user then exit, similar to the way - /etc/nologin is handled. ok djm@ - - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change. - - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c] - Make cygwin code more consistent with that which surrounds it - - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c] - Bug #892: Send messages from failing PAM account modules to the client via - SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with - SSH2 kbdint authentication, which need to be dealt with separately. ok djm@ - - (dtucker) [session.c] Bug #927: make .hushlogin silent again. ok djm@ - - (dtucker) [configure.ac] Bug #321: Add cross-compile support to configure. - Parts by chua at ayrnetworks.com, astrand at lysator.liu.se and me. ok djm@ - - (dtucker) [auth-krb5.c] Bug #922: Pass KRB5CCNAME to PAM. From deengert - at anl.gov, ok djm@ - -20040830 - - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only - copy required environment variables on Cygwin. Patch from vinschen at - redhat.com, ok djm@ - - (dtucker) [regress/Makefile] Clean scp-ssh-wrapper.scp too. Patch from - vinschen at redhat.com. - - (dtucker) [Makefile.in contrib/ssh-copy-id] Bug #894: Improve portability - of shell constructs. Patch from cjwatson at debian.org. - -20040829 - - (dtucker) [openbsd-compat/getrrsetbyname.c] Prevent getrrsetbyname from - failing with NOMEMORY if no sigs are returned and malloc(0) returns NULL. - From Martin.Kraemer at Fujitsu-Siemens.com; ok djm@ - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/08/23 11:48:09 - [authfile.c] - fix error path, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus - - djm@cvs.openbsd.org 2004/08/23 11:48:47 - [channels.c] - typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus - - dtucker@cvs.openbsd.org 2004/08/23 14:26:38 - [ssh-keysign.c ssh.c] - Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches - change in Portable; ok markus@ (CVS ID sync only) - - dtucker@cvs.openbsd.org 2004/08/23 14:29:23 - [ssh-keysign.c] - Remove duplicate getuid(), suggested by & ok markus@ - - markus@cvs.openbsd.org 2004/08/26 16:00:55 - [ssh.1 sshd.8] - get rid of references to rhosts authentication; with jmc@ - - djm@cvs.openbsd.org 2004/08/28 01:01:48 - [sshd.c] - don't erroneously close stdin for !reexec case, from Dave Johnson; - ok markus@ - - (dtucker) [configure.ac] Include sys/stream.h in sys/ptms.h header check, - fixes configure warning on Solaris reported by wknox at mitre.org. - - (dtucker) [regress/multiplex.sh] Skip test on platforms that do not - support FD passing since multiplex requires it. Noted by tim@ - - (dtucker) [regress/dynamic-forward.sh] Allow time for connections to be torn - down, needed on some platforms, should be harmless on others. Patch from - jason at devrandom.org. - - (dtucker) [regress/scp.sh] Make this work on Cygwin too, which doesn't like - files ending in .exe that aren't binaries; patch from vinschen at redhat.com. - - (dtucker) [Makefile.in] Get regress/Makefile symlink right for out-of-tree - builds too, from vinschen at redhat.com. - - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64 - too; patch from cmadams at hiwaay.net. - - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo. - - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for - accounts with authentication configs that sshd can't support (ie - SYSTEM=NONE and AUTH1=something). - -20040828 - - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from - vinschen at redhat.com. - -20040823 - - (djm) [ssh-rand-helper.c] Typo. Found by - Martin.Kraemer AT Fujitsu-Siemens.com - - (djm) [loginrec.c] Typo and bad args in error messages; Spotted by - Martin.Kraemer AT Fujitsu-Siemens.com - -20040817 - - (dtucker) [regress/README.regress] Note compatibility issues with GNU head. - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/08/16 08:17:01 - [version.h] - 3.9 - - (djm) Crank RPM spec version numbers - - (djm) Release 3.9p1 - -20040816 - - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root - to convince Solaris PAM to honour password complexity rules. ok djm@ - -20040815 - - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since - it does the right thing on all platforms. ok djm@ - - (djm) [acconfig.h configure.ac openbsd-compat/Makefile.in - openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-misc.c - openbsd-compat/bsd-misc.h openbsd-compat/openbsd-compat.h] Use smarter - closefrom() replacement from sudo; ok dtucker@ - - (djm) [loginrec.c] Check that seek succeeded here too; ok dtucker - - (dtucker) [Makefile.in] Fix typo. - -20040814 - - (dtucker) [auth-krb5.c gss-serv-krb5.c openbsd-compat/xmmap.c] - Explicitly set umask for mkstemp; ok djm@ - - (dtucker) [includes.h] Undef _INCLUDE__STDC__ on HP-UX, otherwise - prot.h and shadow.h provide conflicting declarations of getspnam. ok djm@ - - (dtucker) [loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] - Plug AIX login recording into login_write so logins will be recorded for - all auth types. - -20040813 - - (dtucker) [openbsd-compat/bsd-misc.c] Typo in #ifdef; from vinschen at - redhat.com -- (dtucker) OpenBSD CVS Sync - - avsm@cvs.openbsd.org 2004/08/11 21:43:05 - [channels.c channels.h clientloop.c misc.c misc.h serverloop.c ssh-agent.c] - some signed/unsigned int comparison cleanups; markus@ ok - - avsm@cvs.openbsd.org 2004/08/11 21:44:32 - [authfd.c scp.c ssh-keyscan.c] - use atomicio instead of homegrown equivalents or read/write. - markus@ ok - - djm@cvs.openbsd.org 2004/08/12 09:18:24 - [sshlogin.c] - typo in error message, spotted by moritz AT jodeit.org (Id sync only) - - jakob@cvs.openbsd.org 2004/08/12 21:41:13 - [ssh-keygen.1 ssh.1] - improve SSHFP documentation; ok deraadt@ - - jmc@cvs.openbsd.org 2004/08/13 00:01:43 - [ssh-keygen.1] - kill whitespace at eol; - - djm@cvs.openbsd.org 2004/08/13 02:51:48 - [monitor_fdpass.c] - extra check for no message case; ok markus, deraadt, hshoexer, henning - - dtucker@cvs.openbsd.org 2004/08/13 11:09:24 - [servconf.c] - Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr - ok markus@, djm@ - -20040812 - - (dtucker) [sshd.c] Remove duplicate variable imported during sync. - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/07/28 08:56:22 - [sshd.c] - call setsid() _before_ re-exec - - markus@cvs.openbsd.org 2004/07/28 09:40:29 - [auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c - sshconnect1.c] - more s/illegal/invalid/ - - djm@cvs.openbsd.org 2004/08/04 10:37:52 - [dh.c] - return group14 when no primes found - fixes hang on empty /etc/moduli; - ok markus@ - - dtucker@cvs.openbsd.org 2004/08/11 11:09:54 - [servconf.c] - Fix minor leak; "looks right" deraadt@ - - dtucker@cvs.openbsd.org 2004/08/11 11:50:09 - [sshd.c] - Don't try to close startup_pipe if it's not open; ok djm@ - - djm@cvs.openbsd.org 2004/08/11 11:59:22 - [sshlogin.c] - check that lseek went were we told it to; ok markus@ - (Id sync only, but similar changes are needed in loginrec.c) - - djm@cvs.openbsd.org 2004/08/11 12:01:16 - [sshlogin.c] - make store_lastlog_message() static to appease -Wall; ok markus - - (dtucker) [sshd.c] Clear loginmsg in postauth monitor, prevents doubling - messages generated before the postauth privsep split. - -20040720 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/07/21 08:56:12 - [auth.c] - s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas, - miod, ... - - djm@cvs.openbsd.org 2004/07/21 10:33:31 - [auth1.c auth2.c] - bz#899: Don't display invalid usernames in setproctitle - from peak AT argo.troja.mff.cuni.cz; ok markus@ - - djm@cvs.openbsd.org 2004/07/21 10:36:23 - [gss-serv-krb5.c] - fix function declaration - - djm@cvs.openbsd.org 2004/07/21 11:51:29 + replace atomicio(read,...) with read(); ok deraadt@ + - markus@cvs.openbsd.org 2000/10/18 12:42:00 + [session.c] + restore old record login behaviour + - deraadt@cvs.openbsd.org 2000/10/19 10:41:13 + [auth-skey.c] + fmt string problem in unused code + - provos@cvs.openbsd.org 2000/10/19 10:45:16 + [sshconnect2.c] + don't reference freed memory. okay deraadt@ + - markus@cvs.openbsd.org 2000/10/21 11:04:23 [canohost.c] - bz#902: cache remote port so we don't fatal() in auth_log when remote - connection goes away quickly. from peak AT argo.troja.mff.cuni.cz; - ok markus@ - - (djm) [auth-pam.c] Portable parts of bz#899: Don't display invalid - usernames in setproctitle from peak AT argo.troja.mff.cuni.cz; - -20040720 - - (djm) [log.c] bz #111: Escape more control characters when sending data - to syslog; from peak AT argo.troja.mff.cuni.cz - - (djm) [contrib/redhat/sshd.pam] bz #903: Remove redundant entries; from - peak AT argo.troja.mff.cuni.cz - - (djm) [regress/README.regress] Remove caveat regarding TCP wrappers, now - that sshd is fixed to behave better; suggested by tim - -20040719 - - (djm) [openbsd-compat/bsd-arc4random.c] Discard early keystream, like OpenBSD - ok dtucker@ - - (djm) [auth-pam.c] Avoid use of xstrdup and friends in conversation function, - instead return PAM_CONV_ERR, avoiding another path to fatal(); ok dtucker@ - - (tim) [configure.ac] updwtmpx() on OpenServer seems to add duplicate entry. - Report by rac AT tenzing.org - -20040717 - - (dtucker) [logintest.c scp.c sftp-server.c sftp.c ssh-add.c ssh-agent.c - ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c ssh.c sshd.c - openbsd-compat/bsd-misc.c] Move "char *__progname" to bsd-misc.c. Reduces - diff vs OpenBSD; ok mouring@, tested by tim@ too. - - (dtucker) OpenBSD CVS Sync - - deraadt@cvs.openbsd.org 2004/07/11 17:48:47 - [channels.c cipher.c clientloop.c clientloop.h compat.h moduli.c - readconf.c nchan.c pathnames.h progressmeter.c readconf.h servconf.c - session.c sftp-client.c sftp.c ssh-agent.1 ssh-keygen.c ssh.c ssh1.h - sshd.c ttymodes.h] - spaces - - brad@cvs.openbsd.org 2004/07/12 23:34:25 - [ssh-keyscan.1] - Fix incorrect macro, .I -> .Em - From: Eric S. Raymond - ok jmc@ - - dtucker@cvs.openbsd.org 2004/07/17 05:31:41 - [monitor.c monitor_wrap.c session.c session.h sshd.c sshlogin.c] - Move "Last logged in at.." message generation to the monitor, right - before recording the new login. Fixes missing lastlog message when - /var/log/lastlog is not world-readable and incorrect datestamp when - multiple sessions are used (bz #463); much assistance & ok markus@ - -20040711 - - (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allows - the monitor to properly clean up the PAM thread (Debian bug #252676). - -20040709 - - (tim) [contrib/cygwin/README] add minires-devel requirement. Patch from - vinschen AT redhat.com - -20040708 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2004/07/03 05:11:33 - [sshlogin.c] (RCSID sync only, the corresponding code is not in Portable) - Use '\0' not 0 for string; ok djm@, deraadt@ - - dtucker@cvs.openbsd.org 2004/07/03 11:02:25 - [monitor_wrap.c] - Put s/key functions inside #ifdef SKEY same as monitor.c, - from des@freebsd via bz #330, ok markus@ - - dtucker@cvs.openbsd.org 2004/07/08 12:47:21 + typo, eramore@era-t.ericsson.se; ok niels@ + - markus@cvs.openbsd.org 2000/10/23 13:31:55 + [cipher.c] + non-alignment dependent swap_bytes(); from + simonb@wasabisystems.com/netbsd + - markus@cvs.openbsd.org 2000/10/26 12:38:28 + [compat.c] + add older vandyke products + - markus@cvs.openbsd.org 2000/10/27 01:32:19 + [channels.c channels.h clientloop.c serverloop.c session.c] + [ssh.c util.c] + enable non-blocking IO on channels, and tty's (except for the + client ttys). + +20001027 + - (djm) Increase REKEY_BYTES to 2^24 for arc4random + +20001025 + - (djm) Added WARNING.RNG file and modified configure to ask users of the + builtin entropy code to read it. + - (djm) Prefer builtin regex to PCRE. + - (bal) Added USE_PIPS defined to NeXT configure.in since scp hangs randomly. + - (bal) Apply fixes to configure.in pointed out by Pavel Roskin + + +20001020 + - (djm) Don't define _REENTRANT for SNI/Reliant Unix + - (bal) Imported NEWS-OS waitpid() macros into NeXT. Since implementation + is more correct then current version. + +20001018 + - (stevesk) Add initial support for setproctitle(). Current + support is for the HP-UX pstat(PSTAT_SETCMD, ...) method. + - (stevesk) Add egd startup scripts to contrib/hpux/ + +20001017 + - (djm) Add -lregex to cywin libs from Corinna Vinschen + + - (djm) Don't rely on atomicio's retval to determine length of askpass + supplied passphrase. Problem report from Lutz Jaenicke + + - (bal) Changed from GNU rx to PCRE on suggestion from djm. + - (bal) Integrated Sony NEWS-OS patches from NAKAJI Hirouyuki + + +20001016 + - (djm) Sync with OpenBSD: + - markus@cvs.openbsd.org 2000/10/14 04:01:15 + [cipher.c] + debug3 + - markus@cvs.openbsd.org 2000/10/14 04:07:23 [scp.c] - Prevent scp from skipping the file following a double-error. - bz #863, ok markus@ - -20040702 - - (dtucker) [mdoc2man.awk] Teach it to ignore .Bk -words, reported by - strube at physik3.gwdg.de a long time ago. - -20040701 - - (dtucker) [session.c] Call display_loginmsg again after do_pam_session. - Ensures messages from PAM modules are displayed when privsep=no. - - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes - warnings on compliant platforms. From paul.a.bolton at bt.com. ok djm@ - - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK - to pam_authenticate for challenge-response auth too. Originally from - fcusack at fcusack.com, ok djm@ - - (tim) [buildpkg.sh.in] Add $REV to bump the package revision within - the same version. Handle the case where someone uses --with-privsep-user= - and the user name does not match the group name. ok dtucker@ - -20040630 - - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL - appdata_ptr to the conversation function. ok djm@ - - (djm) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2004/06/26 09:03:21 + remove spaces from arguments; from djm@mindrot.org + - markus@cvs.openbsd.org 2000/10/14 06:09:46 [ssh.1] - - remove double word - - rearrange .Bk to keep SYNOPSIS nice - - -M before -m in options description - - jmc@cvs.openbsd.org 2004/06/26 09:11:14 - [ssh_config.5] - punctuation and grammar fixes. also, keep the options in order. - - jmc@cvs.openbsd.org 2004/06/26 09:14:40 - [sshd_config.5] - new sentence, new line; - - avsm@cvs.openbsd.org 2004/06/26 20:07:16 + Cipher is for SSH-1 only + - markus@cvs.openbsd.org 2000/10/14 06:12:09 + [servconf.c servconf.h serverloop.c session.c sshd.8] + AllowTcpForwarding; from naddy@ + - markus@cvs.openbsd.org 2000/10/14 06:16:56 + [auth2.c compat.c compat.h sshconnect2.c version.h] + OpenSSH_2.3; note that is is not complete, but the version number + needs to be changed for interoperability reasons + - markus@cvs.openbsd.org 2000/10/14 06:19:45 + [auth-rsa.c] + do not send RSA challenge if key is not allowed by key-options; from + eivind@ThinkSec.com + - markus@cvs.openbsd.org 2000/10/15 08:14:01 + [rijndael.c session.c] + typos; from stevesk@sweden.hp.com + - markus@cvs.openbsd.org 2000/10/15 08:18:31 + [rijndael.c] + typo + - (djm) Copy manpages back over from OpenBSD - too tedious to wade + through diffs + - (djm) Added condrestart to Redhat init script. Patch from Pekka Savola + + - (djm) Update version in Redhat spec file + - (djm) Merge some of Nalin Dahyabhai changes from the + Redhat 7.0 spec file + - (djm) Make inability to read/write PRNG seedfile non-fatal + + +20001015 + - (djm) Fix ssh2 hang on background processes at logout. + +20001014 + - (bal) Add support for realpath and getcwd for platforms with broken + or missing realpath implementations for sftp-server. + - (bal) Corrected mistake in INSTALL in regards to GNU rx library + - (bal) Add support for GNU rx library for those lacking regexp support + - (djm) Don't accept PAM_PROMPT_ECHO_ON messages during initial auth + - (djm) Revert SSH2 serverloop hack, will find a better way. + - (djm) Add workaround for Linux 2.4's gratuitious errno change. Patch + from Martin Johansson + - (djm) Big OpenBSD sync: + - markus@cvs.openbsd.org 2000/09/30 10:27:44 + [log.c] + allow loglevel debug + - markus@cvs.openbsd.org 2000/10/03 11:59:57 + [packet.c] + hmac->mac + - markus@cvs.openbsd.org 2000/10/03 12:03:03 + [auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c] + move fake-auth from auth1.c to individual auth methods, disables s/key in + debug-msg + - markus@cvs.openbsd.org 2000/10/03 12:16:48 + ssh.c + do not resolve canonname, i have no idea why this was added oin ossh + - markus@cvs.openbsd.org 2000/10/09 15:30:44 + ssh-keygen.1 ssh-keygen.c + -X now reads private ssh.com DSA keys, too. + - markus@cvs.openbsd.org 2000/10/09 15:32:34 + auth-options.c + clear options on every call. + - markus@cvs.openbsd.org 2000/10/09 15:51:00 + authfd.c authfd.h + interop with ssh-agent2, from + - markus@cvs.openbsd.org 2000/10/10 14:20:45 + compat.c + use rexexp for version string matching + - provos@cvs.openbsd.org 2000/10/10 22:02:18 + [kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h] + First rough implementation of the diffie-hellman group exchange. The + client can ask the server for bigger groups to perform the diffie-hellman + in, thus increasing the attack complexity when using ciphers with longer + keys. University of Windsor provided network, T the company. + - markus@cvs.openbsd.org 2000/10/11 13:59:52 + [auth-rsa.c auth2.c] + clear auth options unless auth sucessfull + - markus@cvs.openbsd.org 2000/10/11 14:00:27 + [auth-options.h] + clear auth options unless auth sucessfull + - markus@cvs.openbsd.org 2000/10/11 14:03:27 + [scp.1 scp.c] + support 'scp -o' with help from mouring@pconline.com + - markus@cvs.openbsd.org 2000/10/11 14:11:35 + [dh.c] + Wall + - markus@cvs.openbsd.org 2000/10/11 14:14:40 + [auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h] + [ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h] + add support for s/key (kbd-interactive) to ssh2, based on work by + mkiernan@avantgo.com and me + - markus@cvs.openbsd.org 2000/10/11 14:27:24 + [auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h] + [myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c] + [sshconnect2.c sshd.c] + new cipher framework + - markus@cvs.openbsd.org 2000/10/11 14:45:21 + [cipher.c] + remove DES + - markus@cvs.openbsd.org 2000/10/12 03:59:20 + [cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c] + enable DES in SSH-1 clients only + - markus@cvs.openbsd.org 2000/10/12 08:21:13 + [kex.h packet.c] + remove unused + - markus@cvs.openbsd.org 2000/10/13 12:34:46 [sshd.c] - initialise some fd variables to -1, djm@ ok - - djm@cvs.openbsd.org 2004/06/30 08:36:59 + Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se + - markus@cvs.openbsd.org 2000/10/13 12:59:15 + [cipher.c cipher.h myproposal.h rijndael.c rijndael.h] + rijndael/aes support + - markus@cvs.openbsd.org 2000/10/13 13:10:54 + [sshd.8] + more info about -V + - markus@cvs.openbsd.org 2000/10/13 13:12:02 + [myproposal.h] + prefer no compression + - (djm) Fix scp user@host handling + - (djm) Don't clobber ssh_prng_cmds on install + - (stevesk) Include config.h in rijndael.c so we define intXX_t and + u_intXX_t types on all platforms. + - (stevesk) rijndael.c: cleanup missing declaration warnings. + - (stevesk) ~/.hushlogin shouldn't cause required password change to + be bypassed. + - (stevesk) Display correct path to ssh-askpass in configure output. + Report from Lutz Jaenicke. + +20001007 + - (stevesk) Print PAM return value in PAM log messages to aid + with debugging. + - (stevesk) Fix detection of pw_class struct member in configure; + patch from KAMAHARA Junzo + +20001002 + - (djm) Fix USER_PATH, report from Kevin Steves + - (djm) Add host system and CC to end-of-configure report. Suggested by + Lutz Jaenicke + +20000931 + - (djm) Cygwin fixes from Corinna Vinschen + +20000930 + - (djm) Irix ssh_prng_cmds path fix from Pekka Savola + - (djm) Support in bsd-snprintf.c for long long conversions from + Ben Lindstrom + - (djm) Cleanup NeXT support from Ben Lindstrom + - (djm) Ignore SIGPIPEs from serverloop to child. Fixes crashes with + very short lived X connections. Bug report from Tobias Oetiker + . Fix from Markus Friedl + - (djm) Add recent InitScripts as a RPM dependancy for openssh-server + patch from Pekka Savola + - (djm) Forgot to cvs add LICENSE file + - (djm) Add LICENSE to RPM spec files + - (djm) CVS OpenBSD sync: + - markus@cvs.openbsd.org 2000/09/26 13:59:59 + [clientloop.c] + use debug2 + - markus@cvs.openbsd.org 2000/09/27 15:41:34 + [auth2.c sshconnect2.c] + use key_type() + - markus@cvs.openbsd.org 2000/09/28 12:03:18 + [channels.c] + debug -> debug2 cleanup + - (djm) Irix strips "/dev/tty" from [uw]tmp entries (other systems only + strip "/dev/"). Fix loginrec.c based on patch from Alain St-Denis + + - (djm) Fix 9 character passphrase failure with gnome-ssh-askpass. + Problem was caused by interrupted read in ssh-add. Report from Donald + J. Barry + +20000929 + - (djm) Fix SSH2 not terminating until all background tasks done problem. + - (djm) Another off-by-one fix from Pavel Kankovsky + + - (djm) Clean up. Strip some unnecessary differences with OpenBSD's code, + tidy necessary differences. Use Markus' new debugN() in entropy.c + - (djm) Merged big SCO portability patch from Tim Rice + + +20000926 + - (djm) Update X11-askpass to 1.0.2 in RPM spec file + - (djm) Define _REENTRANT to pickup strtok_r() on HP/UX + - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c. + Report and fix from Pavel Kankovsky + +20000924 + - (djm) Merged cleanup patch from Mark Miller + - (djm) A bit more cleanup - created cygwin_util.h + - (djm) Include strtok_r() from OpenBSD libc. Fixes report from Mark Miller + + +20000923 + - (djm) Fix address logging in utmp from Kevin Steves + + - (djm) Redhat spec and manpage fixes from Pekka Savola + - (djm) Seperate tests for int64_t and u_int64_t types + - (djm) Tweak password expiry checking at suggestion of Kevin Steves + + - (djm) NeXT patch from Ben Lindstrom + - (djm) Use printf %lld instead of %qd in sftp-server.c. Fix from + Michael Stone + - (djm) OpenBSD CVS sync: + - markus@cvs.openbsd.org 2000/09/17 09:38:59 + [sshconnect2.c sshd.c] + fix DEBUG_KEXDH + - markus@cvs.openbsd.org 2000/09/17 09:52:51 + [sshconnect.c] + yes no; ok niels@ + - markus@cvs.openbsd.org 2000/09/21 04:55:11 + [sshd.8] + typo + - markus@cvs.openbsd.org 2000/09/21 05:03:54 + [serverloop.c] + typo + - markus@cvs.openbsd.org 2000/09/21 05:11:42 + scp.c + utime() to utimes(); mouring@pconline.com + - markus@cvs.openbsd.org 2000/09/21 05:25:08 + sshconnect2.c + change login logic in ssh2, allows plugin of other auth methods + - markus@cvs.openbsd.org 2000/09/21 05:25:35 + [auth2.c channels.c channels.h clientloop.c dispatch.c dispatch.h] + [serverloop.c] + add context to dispatch_run + - markus@cvs.openbsd.org 2000/09/21 05:07:52 + authfd.c authfd.h ssh-agent.c + bug compat for old ssh.com software + +20000920 + - (djm) Fix bad path substitution. Report from Andrew Miner + + +20000916 + - (djm) Fix SSL search order from Lutz Jaenicke + + - (djm) New SuSE spec from Corinna Vinschen + - (djm) Update CygWin support from Corinna Vinschen + - (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage. + Patch from Larry Jones + - (djm) Add Steve VanDevender's PAM + password change patch. + - (djm) Bring licenses on my stuff in line with OpenBSD's + - (djm) Cleanup auth-passwd.c and unify HP/UX authentication. Patch from + Kevin Steves + - (djm) Shadow expiry check fix from Pavel Troller + - (djm) Re-enable int64_t types - we need them for sftp + - (djm) Use libexecdir from configure , rather than libexecdir/ssh + - (djm) Update Redhat SPEC file accordingly + - (djm) Add Kevin Steves HP/UX contrib files + - (djm) Add Charles Levert getpgrp patch + - (djm) Fix password auth on HP/UX 10.20. Patch from Dirk De Wachter + + - (djm) Fixprogs and entropy list fixes from Larry Jones + + - (djm) Fix for SuSE spec file from Takashi YOSHIDA + + - (djm) Merge OpenBSD changes: + - markus@cvs.openbsd.org 2000/09/05 02:59:57 [session.c] - unbreak TTY break, diagnosed by darren AT dazwin.com; ok markus@ - -20040627 - - (tim) update README files. - - (dtucker) [mdoc2man.awk] Bug #883: correctly recognise .Pa and .Ev macros. - - (dtucker) [regress/README.regress] Document new variables. - - (dtucker) [acconfig.h configure.ac sftp-server.c] Bug #823: add sftp - rename handling for Linux which returns EPERM for link() on (at least some) - filesystems that do not support hard links. sftp-server will fall back to - stat+rename() in such cases. - - (dtucker) [openbsd-compat/port-aix.c] Missing __func__. - -20040626 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/06/25 18:43:36 - [sshd.c] - fix broken fd handling in the re-exec fallback path, particularly when - /dev/crypto is in use; ok deraadt@ markus@ - - djm@cvs.openbsd.org 2004/06/25 23:21:38 - [sftp.c] - bz #875: fix bad escape char error message; reported by f_mohr AT yahoo.de - -20040625 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/06/24 19:30:54 - [servconf.c servconf.h sshd.c] - re-exec sshd on accept(); initial work, final debugging and ok markus@ - - djm@cvs.openbsd.org 2004/06/25 01:16:09 - [sshd.c] - only perform tcp wrappers checks when the incoming connection is on a - socket. silences useless warnings from regress tests that use - proxycommand="sshd -i". prompted by david@ ok markus@ - - djm@cvs.openbsd.org 2004/06/24 19:32:00 - [regress/Makefile regress/test-exec.sh, added regress/reexec.sh] - regress test for re-exec corner cases - - djm@cvs.openbsd.org 2004/06/25 01:25:12 - [regress/test-exec.sh] - clean reexec-specific junk out of text-exec.sh and simplify; idea markus@ - - dtucker@cvs.openbsd.org 2004/06/25 05:38:48 + print hostname (not hushlogin) + - markus@cvs.openbsd.org 2000/09/05 13:18:48 + [authfile.c ssh-add.c] + enable ssh-add -d for DSA keys + - markus@cvs.openbsd.org 2000/09/05 13:20:49 [sftp-server.c] - Fall back to stat+rename if filesystem doesn't doesn't support hard - links. bz#823, ok djm@ - - (dtucker) [configure.ac openbsd-compat/misc.c [openbsd-compat/misc.h] - Add closefrom() for platforms that don't have it. - - (dtucker) [sshd.c] add line missing from reexec sync. - -20040623 - - (dtucker) [auth1.c] Ensure do_pam_account is called for Protocol 1 - connections with empty passwords. Patch from davidwu at nbttech.com, - ok djm@ - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2004/06/22 22:42:02 - [regress/envpass.sh] - Add quoting for test -z; ok markus@ - - dtucker@cvs.openbsd.org 2004/06/22 22:45:52 - [regress/test-exec.sh] - Add TEST_SSH_SSHD_CONFOPTS and TEST_SSH_SSH_CONFOPTS to allow adding - arbitary options to sshd_config and ssh_config during tests. ok markus@ - - dtucker@cvs.openbsd.org 2004/06/22 22:55:56 - [regress/dynamic-forward.sh regress/test-exec.sh] - Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@ - - mouring@cvs.openbsd.org 2004/06/23 00:39:38 - [rijndael.c] - -Wshadow fix up s/encrypt/do_encrypt/. OK djm@, markus@ - - dtucker@cvs.openbsd.org 2004/06/23 14:31:01 + cleanup + - markus@cvs.openbsd.org 2000/09/06 03:46:41 + [authfile.h] + prototype + - deraadt@cvs.openbsd.org 2000/09/07 14:27:56 + [ALL] + cleanup copyright notices on all files. I have attempted to be + accurate with the details. everything is now under Tatu's licence + (which I copied from his readme), and/or the core-sdi bsd-ish thing + for deattack, or various openbsd developers under a 2-term bsd + licence. We're not changing any rules, just being accurate. + - markus@cvs.openbsd.org 2000/09/07 14:40:30 + [channels.c channels.h clientloop.c serverloop.c ssh.c] + cleanup window and packet sizes for ssh2 flow control; ok niels + - markus@cvs.openbsd.org 2000/09/07 14:53:00 + [scp.c] + typo + - markus@cvs.openbsd.org 2000/09/07 15:13:37 + [auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c] + [authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h] + [pty.c readconf.c] + some more Copyright fixes + - markus@cvs.openbsd.org 2000/09/08 03:02:51 + [README.openssh2] + bye bye + - deraadt@cvs.openbsd.org 2000/09/11 18:38:33 + [LICENCE cipher.c] + a few more comments about it being ARC4 not RC4 + - markus@cvs.openbsd.org 2000/09/12 14:53:11 + [log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c] + multiple debug levels + - markus@cvs.openbsd.org 2000/09/14 14:25:15 + [clientloop.c] + typo + - deraadt@cvs.openbsd.org 2000/09/15 01:13:51 + [ssh-agent.c] + check return value for setenv(3) for failure, and deal appropriately + +20000913 + - (djm) Fix server not exiting with jobs in background. + +20000905 + - (djm) Import OpenBSD CVS changes + - markus@cvs.openbsd.org 2000/08/31 15:52:24 + [Makefile sshd.8 sshd_config sftp-server.8 sftp-server.c] + implement a SFTP server. interops with sftp2, scp2 and the windows + client from ssh.com + - markus@cvs.openbsd.org 2000/08/31 15:56:03 + [README.openssh2] + sync + - markus@cvs.openbsd.org 2000/08/31 16:05:42 + [session.c] + Wall + - markus@cvs.openbsd.org 2000/08/31 16:09:34 + [authfd.c ssh-agent.c] + add a flag to SSH2_AGENTC_SIGN_REQUEST for future extensions + - deraadt@cvs.openbsd.org 2000/09/01 09:25:13 + [scp.1 scp.c] + cleanup and fix -S support; stevesk@sweden.hp.com + - markus@cvs.openbsd.org 2000/09/01 16:29:32 + [sftp-server.c] + portability fixes + - markus@cvs.openbsd.org 2000/09/01 16:32:41 + [sftp-server.c] + fix cast; mouring@pconline.com + - itojun@cvs.openbsd.org 2000/09/03 09:23:28 + [ssh-add.1 ssh.1] + add missing .El against .Bl. + - markus@cvs.openbsd.org 2000/09/04 13:03:41 + [session.c] + missing close; ok theo + - markus@cvs.openbsd.org 2000/09/04 13:07:21 + [session.c] + fix get_last_login_time order; from andre@van-veen.de + - markus@cvs.openbsd.org 2000/09/04 13:10:09 + [sftp-server.c] + more cast fixes; from mouring@pconline.com + - markus@cvs.openbsd.org 2000/09/04 13:06:04 + [session.c] + set SSH_ORIGINAL_COMMAND; from Leakin@dfw.nostrum.com, bet@rahul.net + - (djm) Cleanup after import. Fix sftp-server compilation, Makefile + - (djm) Merge cygwin support from Corinna Vinschen + +20000903 + - (djm) Fix Redhat init script + +20000901 + - (djm) Pick up Jim's new X11-askpass + - (djm) Release 2.2.0p1 + +20000831 + - (djm) Workaround SIGPIPE problems on SCO. Fix from Aran Cox + + - (djm) Pick up new version (2.2.0) from OpenBSD CVS + +20000830 + - (djm) Compile warning fixes from Mark Miller + - (djm) Periodically rekey arc4random + - (djm) Clean up diff against OpenBSD. + - (djm) HPUX 11 needs USE_PIPES as well: Kevin Steves + + - (djm) Quieten the pam delete credentials error message + - (djm) Fix printing of $DISPLAY hack if set by system type. Report from + Kevin Steves + - (djm) NeXT patch from Ben Lindstrom + - (djm) Fix doh in bsd-arc4random.c + +20000829 + - (djm) Fix ^C ignored issue on Solaris. Diagnosis from Gert + Doering , John Horne and + Garrick James + - (djm) Check for SCO pty naming style (ptyp%d/ttyp%d). Based on fix from + Bastian Trompetter + - (djm) NeXT tweaks from Ben Lindstrom + - More OpenBSD updates: + - deraadt@cvs.openbsd.org 2000/08/24 15:46:59 + [scp.c] + off_t in sink, to fix files > 2GB, i think, test is still running ;-) + - deraadt@cvs.openbsd.org 2000/08/25 10:10:06 + [session.c] + Wall + - markus@cvs.openbsd.org 2000/08/26 04:33:43 + [compat.c] + ssh.com-2.3.0 + - markus@cvs.openbsd.org 2000/08/27 12:18:05 + [compat.c] + compatibility with future ssh.com versions + - deraadt@cvs.openbsd.org 2000/08/27 21:50:55 + [auth-krb4.c session.c ssh-add.c sshconnect.c uidswap.c] + print uid/gid as unsigned + - markus@cvs.openbsd.org 2000/08/28 13:51:00 [ssh.c] - Fix counting in master/slave when passing environment variables; ok djm@ - - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match - -Wshadow change. - - (bal) [Makefile.in] Remove opensshd.init on 'make distclean' - - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] - Move loginrestrictions test to port-aix.c, replace with a generic hook. - - (tim) [regress/try-ciphers.sh] "if ! some_command" is not portable. - - (bal) [contrib/README] Removed "mdoc2man.pl" reference and added - reference to "findssl.sh" - -20040622 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/06/20 17:36:59 + enable -n and -f for ssh2 + - markus@cvs.openbsd.org 2000/08/28 14:19:53 [ssh.c] - filter passed env vars at slave in connection sharing case; ok markus@ - - djm@cvs.openbsd.org 2004/06/20 18:53:39 - [sftp.c] - make "ls -l" listings print user/group names, add "ls -n" to show uid/gid - (like /bin/ls); idea & ok markus@ - - djm@cvs.openbsd.org 2004/06/20 19:28:12 - [sftp.1] - mention new -n flag - - avsm@cvs.openbsd.org 2004/06/21 17:36:31 - [auth-rsa.c auth2-gss.c auth2-pubkey.c authfile.c canohost.c channels.c - cipher.c dns.c kex.c monitor.c monitor_fdpass.c monitor_wrap.c - monitor_wrap.h nchan.c packet.c progressmeter.c scp.c sftp-server.c sftp.c - ssh-gss.h ssh-keygen.c ssh.c sshconnect.c sshconnect1.c sshlogin.c - sshpty.c] - make ssh -Wshadow clean, no functional changes - markus@ ok - - djm@cvs.openbsd.org 2004/06/21 17:53:03 - [session.c] - fix fd leak for multiple subsystem connections; with markus@ - - djm@cvs.openbsd.org 2004/06/21 22:02:58 - [log.h] - mark fatal and cleanup exit as __dead; ok markus@ - - djm@cvs.openbsd.org 2004/06/21 22:04:50 - [sftp.c] - introduce sorting for ls, same options as /bin/ls; ok markus@ - - djm@cvs.openbsd.org 2004/06/21 22:30:45 - [sftp.c] - prefix ls option flags with LS_ - - djm@cvs.openbsd.org 2004/06/21 22:41:31 - [sftp.1] - document sort options - - djm@cvs.openbsd.org 2004/06/22 01:16:39 - [sftp.c] - don't show .files by default in ls, add -a option to turn them back on; - ok markus - - markus@cvs.openbsd.org 2004/06/22 03:12:13 - [regress/envpass.sh regress/multiplex.sh] - more portable env passing tests - - dtucker@cvs.openbsd.org 2004/06/22 05:05:45 - [monitor.c monitor_wrap.c] - Change login->username, will prevent -Wshadow errors in Portable; - ok markus@ - - (dtucker) [monitor.c] Fix Portable-specific -Wshadow warnings on "socket". - - (dtucker) [defines.h] Define __dead if not already defined. - - (bal) [auth-passwd.c auth1.c] Clean up unused variables. - -20040620 - - (tim) [configure.ac Makefile.in] Only change TEST_SHELL on broken platforms. - -20040619 - - (dtucker) [auth-pam.c] Don't use PAM namespace for - pam_password_change_required either. - - (tim) [configure.ac buildpkg.sh.in contrib/solaris/README] move opensshd - init script to top level directory. Add opensshd.init.in. - Remove contrib/solaris/buildpkg.sh, contrib/solaris/opensshd.in - -20040618 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/06/17 14:52:48 - [clientloop.c clientloop.h ssh.c] - support environment passing over shared connections; ok markus@ - - djm@cvs.openbsd.org 2004/06/17 15:10:14 - [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5] - Add option for confirmation (ControlMaster=ask) via ssh-askpass before - opening shared connections; ok markus@ - - djm@cvs.openbsd.org 2004/06/17 14:53:27 - [regress/multiplex.sh] - shared connection env passing regress test - - (dtucker) [regress/README.regress] Add detail on how to run a single - test from the top-level Makefile. - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/06/17 23:56:57 - [ssh.1 ssh.c] - sync usage() and SYNPOSIS with connection sharing changes - - dtucker@cvs.openbsd.org 2004/06/18 06:13:25 - [sftp.c] - Use execvp instead of execv so sftp -S ssh works. "makes sense" markus@ - - dtucker@cvs.openbsd.org 2004/06/18 06:15:51 - [multiplex.sh] - Use -S for scp/sftp to force the use of the ssh being tested. - ok djm@,markus@ - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/06/18 10:40:19 + allow combination of -N and -f + - markus@cvs.openbsd.org 2000/08/28 14:20:56 + [util.c] + util.c + - markus@cvs.openbsd.org 2000/08/28 14:22:02 + [util.c] + undo + - markus@cvs.openbsd.org 2000/08/28 14:23:38 + [util.c] + don't complain if setting NONBLOCK fails with ENODEV + +20000823 + - (djm) Define USE_PIPES to avoid socketpair problems on HPUX 10 and SunOS 4 + Avoids "scp never exits" problem. Reports from Lutz Jaenicke + and Tamito KAJIYAMA + + - (djm) Pick up LOGIN_PROGRAM from environment or PATH if not set by headers + - (djm) Add local version to version.h + - (djm) Don't reseed arc4random everytime it is used + - (djm) OpenBSD CVS updates: + - deraadt@cvs.openbsd.org 2000/08/18 20:07:23 [ssh.c] - delay signal handler setup until we have finished talking to the master. - allow interrupting of setup (e.g. if master is stuck); ok markus@ - - markus@cvs.openbsd.org 2004/06/18 10:55:43 - [ssh.1 ssh.c] - trim synopsis for -S, allow -S and -oControlMaster, -MM means 'ask'; - ok djm - - djm@cvs.openbsd.org 2004/06/18 11:11:54 - [channels.c clientloop.c] - Don't explode in clientloop when we receive a bogus channel id, but - also don't generate them to begin with; ok markus@ - -20040617 - - (dtucker) [regress/scp.sh] diff -N is not portable (but needed for some - platforms), so test if diff understands it. Pointed out by tim@, ok djm@ - - (dtucker) OpenBSD CVS Sync regress/ - - dtucker@cvs.openbsd.org 2004/06/17 05:51:59 - [regress/multiplex.sh] - Remove datafile between and after tests, kill sshd rather than wait; - ok djm@ - - dtucker@cvs.openbsd.org 2004/06/17 06:00:05 - [regress/multiplex.sh] - Use DATA and COPY for test data rather than hard-coded paths; ok djm@ - - dtucker@cvs.openbsd.org 2004/06/17 06:19:06 - [regress/multiplex.sh] - Add small description of failing test to failure message; ok djm@ - - (dtucker) [regress/multiplex.sh] add EXEEXT for those platforms that need - it. - - (dtucker) [regress/multiplex.sh] Increase sleep time to 120 sec (60 is not - enough for slow systems, especially if they don't have a kernel RNG). - -20040616 - - (dtucker) [openbsd-compat/port-aix.c] Expand whitespace -> tabs. No - code changes. - - (dtucker) OpenBSD CVS Sync regress/ - - djm@cvs.openbsd.org 2004/04/27 09:47:30 - [regress/Makefile regress/test-exec.sh, added regress/envpass.sh] - regress test for environment passing, SendEnv & AcceptEnv options; - ok markus@ - - dtucker@cvs.openbsd.org 2004/06/13 13:51:02 - [regress/Makefile regress/test-exec.sh, added regress/scp-ssh-wrapper.sh - regress/scp.sh] - Add scp regression test; with & ok markus@ - - djm@cvs.openbsd.org 2004/06/13 15:04:08 - [regress/Makefile regress/test-exec.sh, added regress/envpass.sh] - regress test for client multiplexing; ok markus@ - - djm@cvs.openbsd.org 2004/06/13 15:16:54 - [regress/test-exec.sh] - remove duplicate setting of $SCP; spotted by markus@ - - dtucker@cvs.openbsd.org 2004/06/16 13:15:09 - [regress/scp.sh] - Make scp -r tests use diff -rN not cmp (which won't do dirs. ok markus@ - - dtucker@cvs.openbsd.org 2004/06/16 13:16:40 - [regress/multiplex.sh] - Silence multiplex sftp and scp tests. ok markus@ - - (dtucker) [regress/test-exec.sh] - Move Portable-only StrictModes to top of list to make syncs easier. - - (dtucker) [regress/README.regress] - Add $TEST_SHELL to readme. - -20040615 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/05/26 08:59:57 - [sftp.c] - exit -> _exit in forked child on error; from andrushock AT korovino.net - - markus@cvs.openbsd.org 2004/05/26 23:02:39 - [channels.c] - missing freeaddrinfo; Andrey Matveev - - dtucker@cvs.openbsd.org 2004/05/27 00:50:13 - [readconf.c] - Kill dead code after fatal(); ok djm@ - - dtucker@cvs.openbsd.org 2004/06/01 14:20:45 - [auth2-chall.c] - Remove redundant #include; ok markus@ - - pedro@cvs.openbsd.org 2004/06/03 12:22:20 - [sftp-client.c sftp.c] - initialize pointers, ok markus@ - - djm@cvs.openbsd.org 2004/06/13 12:53:24 - [dh.c dh.h kex.c kex.h kexdhc.c kexdhs.c monitor.c myproposal.h] - [ssh-keyscan.c sshconnect2.c sshd.c] - implement diffie-hellman-group14-sha1 kex method (trivial extension to - existing diffie-hellman-group1-sha1); ok markus@ - - dtucker@cvs.openbsd.org 2004/06/13 14:01:42 - [ssh.1 ssh_config.5 sshd_config.5] - List supported ciphers in man pages, tidy up ssh -c; - "looks fine" jmc@, ok markus@ - - djm@cvs.openbsd.org 2004/06/13 15:03:02 - [channels.c channels.h clientloop.c clientloop.h includes.h readconf.c] - [readconf.h scp.1 sftp.1 ssh.1 ssh.c ssh_config.5] - implement session multiplexing in the client (the server has supported - this since 2.0); ok markus@ - - djm@cvs.openbsd.org 2004/06/14 01:44:39 - [channels.c clientloop.c misc.c misc.h packet.c ssh-agent.c ssh-keyscan.c] - [sshd.c] - set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@ - - djm@cvs.openbsd.org 2004/06/15 05:45:04 - [clientloop.c] - missed one unset_nonblock; spotted by Tim Rice - - (djm) Fix Makefile.in for connection sharing changes - - (djm) [ssh.c] Use separate var for address length - -20040603 - - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions. - ok djm@ - -20040601 - - (djm) [auth-pam.c] Add copyright for local changes - -20040530 - - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM - support for PasswordAuthentication=yes. ok djm@ - - (dtucker) [auth-pam.c] Use an invalid password for root if - PermitRootLogin != yes or the login is invalid, to prevent leaking - information. Based on Openwall's owl-always-auth patch. ok djm@ - - (tim) [configure.ac Makefile.in] Add support for "make package" ok djm@ - - (tim) [buildpkg.sh.in] New file. A more flexible version of - contrib/solaris/buildpkg.sh used for "make package". - - (tim) [buildpkg.sh.in] Last minute fix didn't make it in the .in file. - -20040527 - - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec - contrib/README CREDITS INSTALL] Bug #873: Correct URLs for x11-ssh-askpass - and Jim Knoble's email address , from Jim himself. - -20040524 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/05/19 12:17:33 - [sftp-client.c sftp.c] - gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while - waiting for a command; ok markus@ - - dtucker@cvs.openbsd.org 2004/05/20 10:58:05 + accept remsh as a valid name as well; roman@buildpoint.com + - deraadt@cvs.openbsd.org 2000/08/18 20:17:13 + [deattack.c crc32.c packet.c] + rename crc32() to ssh_crc32() to avoid zlib name clash. do not move to + libz crc32 function yet, because it has ugly "long"'s in it; + oneill@cs.sfu.ca + - deraadt@cvs.openbsd.org 2000/08/18 20:26:08 + [scp.1 scp.c] + -S prog support; tv@debian.org + - deraadt@cvs.openbsd.org 2000/08/18 20:50:07 + [scp.c] + knf + - deraadt@cvs.openbsd.org 2000/08/18 20:57:33 + [log-client.c] + shorten + - markus@cvs.openbsd.org 2000/08/19 12:48:11 + [channels.c channels.h clientloop.c ssh.c ssh.h] + support for ~. in ssh2 + - deraadt@cvs.openbsd.org 2000/08/19 15:29:40 + [crc32.h] + proper prototype + - markus@cvs.openbsd.org 2000/08/19 15:34:44 + [authfd.c authfd.h key.c key.h ssh-add.1 ssh-add.c ssh-agent.1] + [ssh-agent.c ssh-keygen.c sshconnect1.c sshconnect2.c Makefile] + [fingerprint.c fingerprint.h] + add SSH2/DSA support to the agent and some other DSA related cleanups. + (note that we cannot talk to ssh.com's ssh2 agents) + - markus@cvs.openbsd.org 2000/08/19 15:55:52 + [channels.c channels.h clientloop.c] + more ~ support for ssh2 + - markus@cvs.openbsd.org 2000/08/19 16:21:19 [clientloop.c] - Trivial type fix 0 -> '\0'; ok markus@ - - markus@cvs.openbsd.org 2004/05/21 08:43:03 - [kex.h moduli.c tildexpand.c] - add prototypes for -Wall; ok djm - - djm@cvs.openbsd.org 2004/05/21 11:33:11 - [channels.c channels.h clientloop.c serverloop.c ssh.1] - bz #756: add support for the cancel-tcpip-forward request for the server - and the client (through the ~C commandline). reported by z3p AT - twistedmatrix.com; ok markus@ - - djm@cvs.openbsd.org 2004/05/22 06:32:12 - [clientloop.c ssh.1] - use '-h' for help in ~C commandline instead of '-?'; inspired by jmc@ - - jmc@cvs.openbsd.org 2004/05/22 16:01:05 + oops + - millert@cvs.openbsd.org 2000/08/20 12:25:53 + [session.c] + We have to stash the result of get_remote_name_or_ip() before we + close our socket or getpeername() will get EBADF and the process + will exit. Only a problem for "UseLogin yes". + - millert@cvs.openbsd.org 2000/08/20 12:30:59 + [session.c] + Only check /etc/nologin if "UseLogin no" since login(1) may have its + own policy on determining who is allowed to login when /etc/nologin + is present. Also use the _PATH_NOLOGIN define. + - millert@cvs.openbsd.org 2000/08/20 12:42:43 + [auth1.c auth2.c session.c ssh.c] + Add calls to setusercontext() and login_get*(). We basically call + setusercontext() in most places where previously we did a setlogin(). + Add default login.conf file and put root in the "daemon" login class. + - millert@cvs.openbsd.org 2000/08/21 10:23:31 + [session.c] + Fix incorrect PATH setting; noted by Markus. + +20000818 + - (djm) OpenBSD CVS changes: + - markus@cvs.openbsd.org 2000/07/22 03:14:37 + [servconf.c servconf.h sshd.8 sshd.c sshd_config] + random early drop; ok theo, niels + - deraadt@cvs.openbsd.org 2000/07/26 11:46:51 [ssh.1] - kill whitespace at eol; - - dtucker@cvs.openbsd.org 2004/05/23 23:59:53 - [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config - sshd_config.5] - Add MaxAuthTries sshd config option; ok markus@ - - (dtucker) [auth-pam.c] Bug #839: Ensure that pam authentication "thread" - is terminated if the privsep slave exits during keyboard-interactive - authentication. ok djm@ - - (dtucker) [sshd.c] Fix typo in comment. - -20040523 - - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in - sshd_config; ok dtucker@ - - (djm) [configure.ac] Warn if the system has no known way of figuring out - which user is on the other end of a Unix domain socket; ok dtucker@ - - (bal) [openbsd-compat/sys-queue.h] Reintroduce machinary to handle - old/broken/incomplete . - -20040513 - - (dtucker) [configure.ac] Bug #867: Additional tests for res_query in - libresolv, fixes problems detecting it on some platforms - (eg Linux/x86-64). From Kurt Roeckx via Debian, ok mouring@ - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2004/05/04 18:36:07 - [scp.1] - SendEnv here too; - - jmc@cvs.openbsd.org 2004/05/06 11:24:23 - [ssh_config.5] - typo from John Cosimano (PR 3770); - - deraadt@cvs.openbsd.org 2004/05/08 00:01:37 - [auth.c clientloop.c misc.h servconf.c ssh.c sshpty.h sshtty.c - tildexpand.c], removed: sshtty.h tildexpand.h - make two tiny header files go away; djm ok - - djm@cvs.openbsd.org 2004/05/08 00:21:31 - [clientloop.c misc.h readpass.c scard.c ssh-add.c ssh-agent.c ssh-keygen.c - sshconnect.c sshconnect1.c sshconnect2.c] removed: readpass.h - kill a tiny header; ok deraadt@ - - djm@cvs.openbsd.org 2004/05/09 00:06:47 - [moduli.c ssh-keygen.c] removed: moduli.h - zap another tiny header; ok deraadt@ - - djm@cvs.openbsd.org 2004/05/09 01:19:28 - [OVERVIEW auth-rsa.c auth1.c kex.c monitor.c session.c sshconnect1.c - sshd.c] removed: mpaux.c mpaux.h - kill some more tiny files; ok deraadt@ - - djm@cvs.openbsd.org 2004/05/09 01:26:48 - [kex.c] - don't overwrite what we are trying to compute - - deraadt@cvs.openbsd.org 2004/05/11 19:01:43 - [auth.c auth2-none.c authfile.c channels.c monitor.c monitor_mm.c - packet.c packet.h progressmeter.c session.c openbsd-compat/xmmap.c] - improve some code lint did not like; djm millert ok - - dtucker@cvs.openbsd.org 2004/05/13 02:47:50 - [ssh-agent.1] - Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@ - - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to - UsePAM section. Parts from djm@ and jmc@. - - (dtucker) [auth-pam.c scard-opensc.c] Tinderbox says auth-pam.c uses - readpass.h, grep says scard-opensc.c does too. Replace with misc.h. - - (dtucker) [openbsd-compat/getrrsetbyname.c] Check that HAVE_DECL_H_ERROR - is defined before using. - - (dtucker) [openbsd-compat/getrrsetbyname.c] Fix typo too: HAVE_DECL_H_ERROR - -> HAVE_DECL_H_ERRNO. - -20040502 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/04/22 11:56:57 - [moduli.c] - Bugzilla #850: Sophie Germain is the correct name of the French - mathematician, "Sophie Germaine" isn't; from Luc.Maisonobe@c-s.fr - - djm@cvs.openbsd.org 2004/04/27 09:46:37 - [readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c - ssh_config.5 sshd_config.5] - bz #815: implement ability to pass specified environment variables from - the client to the server; ok markus@ - - djm@cvs.openbsd.org 2004/04/28 05:17:10 - [ssh_config.5 sshd_config.5] - manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu) - - jmc@cvs.openbsd.org 2004/04/28 07:02:56 - [sshd_config.5] - remove unnecessary .Pp; - - jmc@cvs.openbsd.org 2004/04/28 07:13:42 - [sftp.1 ssh.1] - add SendEnv to -o list; - - dtucker@cvs.openbsd.org 2004/05/02 11:54:31 + typo + - deraadt@cvs.openbsd.org 2000/08/01 11:46:11 [sshd.8] - Man page grammar fix (bz #858), from damerell at chiark.greenend.org.uk - via Debian; ok djm@ - - dtucker@cvs.openbsd.org 2004/05/02 11:57:52 - [ssh.1] - ConnectionTimeout -> ConnectTimeout, from m.a.ellis at ncl.ac.uk via - Debian. ok djm@ - - dtucker@cvs.openbsd.org 2004/05/02 23:02:17 - [sftp.1] - ConnectionTimeout -> ConnectTimeout here too, pointed out by jmc@ - - dtucker@cvs.openbsd.org 2004/05/02 23:17:51 - [scp.1] - ConnectionTimeout -> ConnectTimeout for scp.1 too. + many fixes from pepper@mail.reppep.com + - provos@cvs.openbsd.org 2000/08/01 13:01:42 + [Makefile.in util.c aux.c] + rename aux.c to util.c to help with cygwin port + - deraadt@cvs.openbsd.org 2000/08/02 00:23:31 + [authfd.c] + correct sun_len; Alexander@Leidinger.net + - provos@cvs.openbsd.org 2000/08/02 10:27:17 + [readconf.c sshd.8] + disable kerberos authentication by default + - provos@cvs.openbsd.org 2000/08/02 11:27:05 + [sshd.8 readconf.c auth-krb4.c] + disallow kerberos authentication if we can't verify the TGT; from + dugsong@ + kerberos authentication is on by default only if you have a srvtab. + - markus@cvs.openbsd.org 2000/08/04 14:30:07 + [auth.c] + unused + - markus@cvs.openbsd.org 2000/08/04 14:30:35 + [sshd_config] + MaxStartups + - markus@cvs.openbsd.org 2000/08/15 13:20:46 + [authfd.c] + cleanup; ok niels@ + - markus@cvs.openbsd.org 2000/08/17 14:05:10 + [session.c] + cleanup login(1)-like jobs, no duplicate utmp entries + - markus@cvs.openbsd.org 2000/08/17 14:06:34 + [session.c sshd.8 sshd.c] + sshd -u len, similar to telnetd + - (djm) Lastlog was not getting closed after writing login entry + - (djm) Add Solaris package support from Rip Loomis + +20000816 + - (djm) Replacement for inet_ntoa for Irix (which breaks on gcc) + - (djm) Fix strerror replacement for old SunOS. Based on patch from + Charles Levert + - (djm) Seperate arc4random into seperate file and use OpenSSL's RC4 + implementation. + - (djm) SUN_LEN macro for systems which lack it + +20000815 + - (djm) More SunOS 4.1.x fixes from Nate Itkin + - (djm) Avoid failures on Irix when ssh is not setuid. Fix from + Michael Stone + - (djm) Don't seek in directory based lastlogs + - (djm) Fix --with-ipaddr-display configure option test. Patch from + Jarno Huuskonen + - (djm) Fix AIX limits from Alexandre Oliva + +20000813 + - (djm) Add $(srcdir) to includes when compiling (for VPATH). Report from + Fabrice bacchella + +20000809 + - (djm) Define AIX hard limits if headers don't. Report from + Bill Painter + - (djm) utmp direct write & SunOS 4 patch from Charles Levert + + +20000808 + - (djm) Cleanup Redhat RPMs. Generate keys at runtime rather than install + time, spec file cleanup. + +20000807 + - (djm) Set 0755 on binaries during install. Report from Lutz Jaenicke + - (djm) Suppress error messages on channel close shutdown() failurs + works around Linux bug. Patch from Zack Weinberg + - (djm) Add some more entropy collection commands from Lutz Jaenicke + +20000725 + - (djm) Fix autoconf typo: HAVE_BINRESVPORT_AF -> HAVE_BINDRESVPORT_AF + +20000721 + - (djm) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/07/16 02:27:22 + [authfd.c authfd.h channels.c clientloop.c ssh-add.c ssh-agent.c ssh.c] + [sshconnect1.c sshconnect2.c] + make ssh-add accept dsa keys (the agent does not) + - djm@cvs.openbsd.org 2000/07/17 19:25:02 + [sshd.c] + Another closing of stdin; ok deraadt + - markus@cvs.openbsd.org 2000/07/19 18:33:12 + [dsa.c] + missing free, reorder + - markus@cvs.openbsd.org 2000/07/20 16:23:14 + [ssh-keygen.1] + document input and output files -20040423 - - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Declare h_errno - as extern int if not already declared. Fixes compile errors on old SCO - platforms. ok tim@ - - (dtucker) [README.platform] List prereqs for building on Cygwin. +20000720 + - (djm) Spec file fix from Petr Novotny -20040421 - - (djm) Update config.guess and config.sub to autoconf-2.59 versions; ok tim@ +20000716 + - (djm) Release 2.1.1p4 -20040420 - - (djm) OpenBSD CVS Sync - - henning@cvs.openbsd.org 2004/04/08 16:08:21 - [sshconnect2.c] - swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what - FreeBSD and NetBSD do. - ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@ - - djm@cvs.openbsd.org 2004/04/18 23:10:26 - [readconf.c readconf.h ssh-keysign.c ssh.c] - perform strict ownership and modes checks for ~/.ssh/config files, - as these can be used to execute arbitrary programs; ok markus@ - NB. ssh will now exit when it detects a config with poor permissions - - djm@cvs.openbsd.org 2004/04/19 13:02:40 - [ssh.1 ssh_config.5] - document strict permission checks on ~/.ssh/config; prompted by, - with & ok jmc@ - - jmc@cvs.openbsd.org 2004/04/19 16:12:14 - [ssh_config.5] - kill whitespace at eol; - - djm@cvs.openbsd.org 2004/04/19 21:51:49 - [ssh.c] - fix idiot typo that i introduced in my last commit; - spotted by cschneid AT cschneid.com - - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for - above change - - (djm) [configure.ac] Check whether libroken is required when building - with Heimdal - -20040419 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2004/02/29 22:04:45 - [regress/login-timeout.sh] - Use sudo when restarting daemon during test. ok markus@ - - dtucker@cvs.openbsd.org 2004/03/08 10:17:12 - [regress/login-timeout.sh] - Missing OBJ, from tim@. ok markus@ (Already fixed, ID sync only) - - djm@cvs.openbsd.org 2004/03/30 12:41:56 - [sftp-client.c] - sync comment with reality - - djm@cvs.openbsd.org 2004/03/31 21:58:47 - [canohost.c] - don't skip ip options check when UseDNS=no; ok markus@ (ID sync only) - - markus@cvs.openbsd.org 2004/04/01 12:19:57 +20000715 + - (djm) OpenBSD CVS updates + - provos@cvs.openbsd.org 2000/07/13 16:53:22 + [aux.c readconf.c servconf.c ssh.h] + allow multiple whitespace but only one '=' between tokens, bug report from + Ralf S. Engelschall but different fix. okay deraadt@ + - provos@cvs.openbsd.org 2000/07/13 17:14:09 + [clientloop.c] + typo; todd@fries.net + - provos@cvs.openbsd.org 2000/07/13 17:19:31 [scp.c] - limit trust between local and remote rcp/scp process, - noticed by lcamtuf; ok deraadt@, djm@ - -20040418 - - (dtucker) [auth-pam.c] Log username and source host for failed PAM - authentication attempts. With & ok djm@ - - (djm) [openbsd-compat/bsd-cygwin_util.c] Recent versions of Cygwin allow - change of user context without a password, so relax auth method - restrictions; from vinschen AT redhat.com; ok dtucker@ - -20040416 - - (dtucker) [regress/sftp-cmds.sh] Skip quoting test on Cygwin, since - FAT/NTFS does not permit quotes in filenames. From vinschen at redhat.com - - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache - file using FILE: method, fixes problems on Mac OSX. - Patch from simon@sxw.org.uk; ok dtucker@ - - (tim) [configure.ac] Set SETEUID_BREAKS_SETUID, BROKEN_SETREUID and - BROKEN_SETREGID for SCO OpenServer 3 - -20040412 - - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning - from bug #701 (text from jfh at cise.ufl.edu). - - (dtucker) [acconfig.h configure.ac defines.h] Bug #673: check for 4-arg - skeychallenge(), eg on NetBSD. ok mouring@ - - (dtucker) [auth-skey.c defines.h monitor.c] Make skeychallenge explicitly - 4-arg, with compatibility for 3-arg versions. From djm@, ok me. - - (djm) [configure.ac] Fix detection of libwrap on OpenBSD; ok dtucker@ - -20040408 - - (dtucker) [loginrec.c] Use UT_LINESIZE if available, prevents truncating - pty name on Linux 2.6.x systems. Patch from jpe at eisenmenger.org. - - (bal) [monitor.c monitor_wrap.c] Second try. Put the zlib.h headers - back and #undef TARGET_OS_MAC instead. (Bug report pending with Apple) - - (dtucker) [defines.h loginrec.c] Define UT_LINESIZE if not defined and - simplify loginrec.c. ok tim@ - - (bal) [monitor.c monitor_wrap.c] Ok.. Last time. Promise. Tim suggested - limiting scope and dtucker@ agreed. - -20040407 - - (dtucker) [session.c] Flush stdout after displaying loginmsg. From - f_mohr at yahoo.de. - - (bal) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Check to see - if Krb5 library exports krb5_init_etc() since some OSes (like MacOS/X) - are starting to restrict it as internal since it is not needed by - developers any more. (Patch based on Apple tree) - - (bal) [monitor.c monitor_wrap.c] monitor_wrap.c] moved zlib.h higher since - krb5 on MacOS/X conflicts. There may be a better solution, but this will - work for now. - -20040406 - - (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use - updwtmpx() on IRIX since it seems to clobber utmp. ok djm@ - - (dtucker) [configure.ac] Bug #816, #748 (again): Attempt to detect - broken getaddrinfo and friends on HP-UX. ok djm@ - -20040330 - - (dtucker) [configure.ac] Bug #811: Use "!" for LOCKED_PASSWD_PREFIX on - Linuxes, since that's what many use. ok djm@ - - (dtucker) [auth-pam.c] rename the_authctxt to sshpam_authctxt in auth-pam.c - to reduce potential confusion with the one in sshd.c. ok djm@ - - (djm) Bug #825: Fix ip_options_check() for mapped IPv4/IPv6 connection; - with & ok dtucker@ - -20040327 - - (dtucker) [session.c] Bug #817: Clear loginmsg after fork to prevent - duplicate login messages for mutli-session logins. ok djm@ - -20040322 - - (djm) [sshd.c] Drop supplemental groups if started as root - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/03/09 22:11:05 - [ssh.c] - increase x11 cookie lifetime to 20 minutes; ok djm - - markus@cvs.openbsd.org 2004/03/10 09:45:06 - [ssh.c] - trim usage to match ssh(1) and look more like unix. ok djm@ - - markus@cvs.openbsd.org 2004/03/11 08:36:26 - [sshd.c] - trim usage; ok deraadt - - markus@cvs.openbsd.org 2004/03/11 10:21:17 - [ssh.c sshd.c] - ssh, sshd: sync version output, ok djm - - markus@cvs.openbsd.org 2004/03/20 10:40:59 - [version.h] - 3.8.1 - - (djm) Crank RPM spec versions - -20040311 - - (djm) [configure.ac] Add standard license to configure.ac; ok ben, dtucker - -20040310 - - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #812: #undef getaddrinfo - before redefining it, silences warnings on Tru64. - -20040308 - - (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some - platforms (eg SCO, HP-UX) with logging in the wrong TZ. ok djm@ - - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h - openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being - inherited by the child. ok djm@ - - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c - monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized - even if keyboard-interactive is not used by the client. Prevents - segfaults in some cases where the user's password is expired (note this - is not considered a security exposure). ok djm@ - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/03/03 06:47:52 - [sshd.c] - change proctiltle after accept(2); ok henning, deraadt, djm - - djm@cvs.openbsd.org 2004/03/03 09:30:42 - [sftp-client.c] - Don't print duplicate messages when progressmeter is off - Spotted by job317 AT mailvault.com; ok markus@ - - djm@cvs.openbsd.org 2004/03/03 09:31:20 - [sftp.c] - Fix initialisation of progress meter; ok markus@ - - markus@cvs.openbsd.org 2004/03/05 10:53:58 - [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c] - add IdentitiesOnly; ok djm@, pb@ - - djm@cvs.openbsd.org 2004/03/08 09:38:05 - [ssh-keyscan.c] - explicitly initialise remote_major and remote_minor. - from cjwatson AT debian.org; ok markus@ - - dtucker@cvs.openbsd.org 2004/03/08 10:18:57 - [sshd_config.5] - Document KerberosGetAFSToken; ok markus@ - - (tim) [regress/README.regress] Document ssh-rand-helper issue. ok bal - -20040307 - - (tim) [regress/login-timeout.sh] fix building outside of source tree. - -20040304 - - (dtucker) [auth-pam.c] Don't try to export PAM when compiled with - -DUSE_POSIX_THREADS. From antoine.verheijen at ualbert ca. ok djm@ - - (dtucker) [auth-pam.c] Reset signal status when starting pam auth thread, - prevent hanging during PAM keyboard-interactive authentications. ok djm@ - - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.h - openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when - configured --with-osfsia. ok djm@ - -20040303 - - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent - ok dtucker - -20040229 - - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188 - -20040229 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/02/25 00:22:45 - [sshd.c] - typo in comment - - dtucker@cvs.openbsd.org 2004/02/27 22:42:47 - [dh.c] - Prevent sshd from sending DH groups with a primitive generator of zero or - one, even if they are listed in /etc/moduli. ok markus@ - - dtucker@cvs.openbsd.org 2004/02/27 22:44:56 - [dh.c] - Make /etc/moduli line buffer big enough for 8kbit primes, in case anyone - ever uses one. ok markus@ - - dtucker@cvs.openbsd.org 2004/02/27 22:49:27 - [dh.c] - Reset bit counter at the right time, fixes debug output in the case where - the DH group is rejected. ok markus@ - - dtucker@cvs.openbsd.org 2004/02/17 08:23:20 - [regress/Makefile regress/login-timeout.sh] - Add regression test for LoginGraceTime; ok markus@ - - markus@cvs.openbsd.org 2004/02/24 16:56:30 - [regress/test-exec.sh] - allow arguments in ${TEST_SSH_XXX} - - markus@cvs.openbsd.org 2004/02/24 17:06:52 - [regress/ssh-com-client.sh regress/ssh-com-keygen.sh - regress/ssh-com-sftp.sh regress/ssh-com.sh] - test against recent ssh.com releases - - dtucker@cvs.openbsd.org 2004/02/28 12:16:57 - [regress/dynamic-forward.sh] - Make dynamic-forward understand nc's new output. ok markus@ - - dtucker@cvs.openbsd.org 2004/02/28 13:44:45 - [regress/try-ciphers.sh] - Test acss too; ok markus@ - - (dtucker) [regress/try-ciphers.sh] Skip acss if not compiled in (eg if we - built with openssl < 0.9.7) - -20040226 - - (bal) KNF our sshlogin.c even if the code looks nothing like upstream - code due to diversity issues. - -20040225 - - (djm) Trim ChangeLog - - (djm) Don't specify path to PAM modules in Redhat sshd.pam; from Fedora - -20040224 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/02/19 21:15:04 - [sftp-server.c] - switch to new license.template - - markus@cvs.openbsd.org 2004/02/23 12:02:33 + close can fail on AFS, report error; from Greg Hudson + - markus@cvs.openbsd.org 2000/07/14 16:59:46 + [readconf.c servconf.c] + allow leading whitespace. ok niels + - djm@cvs.openbsd.org 2000/07/14 22:01:38 + [ssh-keygen.c ssh.c] + Always create ~/.ssh with mode 700; ok Markus + - Fixes for SunOS 4.1.4 from Gordon Atwood + - Include floatingpoint.h for entropy.c + - strerror replacement + +20000712 + - (djm) Remove -lresolve for Reliant Unix + - (djm) OpenBSD CVS Updates: + - deraadt@cvs.openbsd.org 2000/07/11 02:11:34 + [session.c sshd.c ] + make MaxStartups code still work with -d; djm + - deraadt@cvs.openbsd.org 2000/07/11 13:17:45 + [readconf.c ssh_config] + disable FallBackToRsh by default + - (djm) Replace in_addr_t with u_int32_t in bsd-inet_aton.c. Report from + Ben Lindstrom + - (djm) Make building of X11-Askpass and GNOME-Askpass optional in RPM + spec file. + - (djm) Released 2.1.1p3 + +20000711 + - (djm) Fixup for AIX getuserattr() support from Tom Bertelson + + - (djm) ReliantUNIX support from Udo Schweigert + - (djm) NeXT: dirent structures to get scp working from Ben Lindstrom + + - (djm) Fix broken inet_ntoa check and ut_user/ut_name confusion, report + from Jim Watt + - (djm) Replaced bsd-snprintf.c with one from Mutt source tree, it is known + to compile on more platforms (incl NeXT). + - (djm) Added bsd-inet_aton and configure support for NeXT + - (djm) Misc NeXT fixes from Ben Lindstrom + - (djm) OpenBSD CVS updates: + - markus@cvs.openbsd.org 2000/06/26 03:22:29 + [authfd.c] + cleanup, less cut&paste + - markus@cvs.openbsd.org 2000/06/26 15:59:19 + [servconf.c servconf.h session.c sshd.8 sshd.c] + MaxStartups: limit number of unauthenticated connections, work by + theo and me + - deraadt@cvs.openbsd.org 2000/07/05 14:18:07 + [session.c] + use no_x11_forwarding_flag correctly; provos ok + - provos@cvs.openbsd.org 2000/07/05 15:35:57 [sshd.c] - backout revision 1.279; set listen socket to non-block; ok henning. - - markus@cvs.openbsd.org 2004/02/23 15:12:46 - [bufaux.c] - encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka - and drop support for negative BNs; ok otto@ - - markus@cvs.openbsd.org 2004/02/23 15:16:46 - [version.h] - enter 3.8 - - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found - with krb5-config, hunt down gssapi.h and friends. Based partially on patch - from deengert at anl.gov. ok djm@ - - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime - using sysconf() if available Based on patches from - holger AT van-lengerich.de and openssh_bugzilla AT hockin.org - - (dtucker) [uidswap.c] Minor KNF. ok djm@ - - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@ - - (djm) Crank RPM spec versions - - (dtucker) [README] Add pointer to release notes. ok djm@ - - (dtucker) {README.platform] Add platform-specific notes. - - (tim) [configure.ac] SCO3 needs -lcrypt_i for -lprot - - (djm) Release 3.8p1 - -20040223 - - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the - non-interactive path. ok djm@ - -20040222 - - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test - to auth-shadow.c, no functional change. ok djm@ - - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or - password expiry. ok djm@ - - (dtucker) [auth-passwd.c] Only check password expiry once. Prevents - multiple warnings if a wrong password is entered. - - (dtucker) [configure.ac] Apply krb5-config --libs fix to non-gssapi path - too. - -20040220 - - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@ - -20040218 - - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a - path with a "-" in it. From Sergio.Gelato at astro.su.se. - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/02/17 07:17:29 - [sftp-glob.c sftp.c] - Remove useless headers; ok deraadt@ - - djm@cvs.openbsd.org 2004/02/17 11:03:08 - [sftp.c] - sftp.c and sftp-int.c, together at last; ok markus@ - - jmc@cvs.openbsd.org 2004/02/17 19:35:21 - [sshd_config.5] - remove cruft left over from RhostsAuthentication removal; - ok markus@ - - (djm) [log.c] Correct use of HAVE_OPENLOG_R - - (djm) [log.c] Tighten openlog_r tests - -20040217 - - (djm) Simplify the license on code I have written. No code changes. - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/02/17 05:39:51 - [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c] - [sftp-int.h sftp.c] - switch to license.template for code written by me (belated, I know...) - - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from - stadal@suse.cz and simon@sxw.org.uk - - (dtucker) [auth-pam.c] Tidy up PAM debugging. ok djm@ - - (dtucker) [auth-pam.c] Store output from pam_session and pam_setcred for - display after login. Should fix problems like pam_motd not displaying - anything, noticed by cjwatson at debian.org. ok djm@ - -20040212 - - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh] - Portablity fixes. Data sftp transfers needs to be world readable. Some - older shells hang on while loops when doing sh -n some_script. OK dtucker@ - - (tim) [configure.ac] Make sure -lcrypto is before -lsocket for sco3. - ok mouring@ - -20040211 - - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check - if HAS_SHADOW_EXPIRY is set. - - (tim) [configure.ac] Fix comment to match code changes in ver 1.117 - -20040210 - - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c - openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's - native password expiry. - - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h - defines.h] Bug #14: Use do_pwchange to support password expiry and force - change for platforms using /etc/shadow. ok djm@ - - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat - functions to avoid conflicts with Heimdal's libroken. ok djm@ - - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to - change expired PAM passwords for SSHv1 connections without privsep. - pam_chauthtok is still used when privsep is disabled. ok djm@ - - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move - include from port-aix.h to port-aix.c and remove unnecessary function - definition. Fixes build errors on AIX. - - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms - that support it. from & ok mouring@ - - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x. - ok djm@ - -20040207 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2004/02/06 23:41:13 - [cipher-ctr.c] - Use EVP_CIPHER_CTX_key_length for key length. ok markus@ - (This will fix builds with OpenSSL 0.9.5) - - (dtucker) [cipher.c] enable AES counter modes with OpenSSL 0.9.5. - ok djm@, markus@ - -20040206 - - (dtucker) [acss.c acss.h] Fix $Id tags. - - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with - OpenSSL >= 0.9.7. ok djm@ - - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root - user, since some modules might fail due to lack of privilege. ok djm@ - - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO - for HP-UX 11.11. If there are known-good configs where this is not - required, please report them. ok djm@ - - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent - accidentally inheriting from root's environment. ok djm@ - - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796: - Restore previous authdb setting after auth calls. Fixes problems with - setpcred failing on accounts that use AFS or NIS password registries. - - (dtucker) [configure.ac includes.h] Include if present, - required on Solaris 2.5.1 for queue_t, which is used by . - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2004/01/30 09:48:57 - [auth-passwd.c auth.h pathnames.h session.c] - support for password change; ok dtucker@ - (set password-dead=1w in login.conf to use this). - In -Portable, this is currently only platforms using bsdauth. - - dtucker@cvs.openbsd.org 2004/02/05 05:37:17 - [monitor.c sshd.c] - Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@ - - markus@cvs.openbsd.org 2004/02/05 15:33:33 - [progressmeter.c] - fix ETA for > 4GB; bugzilla #791; ok henning@ deraadt@ - -20040129 - - (dtucker) OpenBSD CVS Sync regress/ - - dtucker@cvs.openbsd.org 2003/10/11 11:49:49 - [Makefile banner.sh] - Test missing banner file, suppression of banner with ssh -q, check return - code from ssh. ok markus@ - - jmc@cvs.openbsd.org 2003/11/07 10:16:44 - [ssh-com.sh] - adress -> address, and a few more; all from Jonathon Gray; - - djm@cvs.openbsd.org 2004/01/13 09:49:06 - [sftp-batch.sh] - - (dtucker) [configure.ac] Add --without-zlib-version-check. Feedback from - tim@, ok several - - (dtucker) [configure.ac openbsd-compat/bsd-cray.c openbsd-compat/bsd-cray.h] - Bug #775: Cray fixes from wendy at cray.com - -20040128 - - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@ - - (dtucker) [moduli] Import new moduli file from OpenBSD. - -20040127 - - (djm) OpenBSD CVS Sync - - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03 - [cipher.c] - enable acss for ssh - ok deraadt@ markus@ - - mouring@cvs.openbsd.org 2004/01/23 17:57:48 - [sftp-int.c] - Fix issue pointed out with ls not handling large directories - with embeded paths correctly. OK damien@ - - hshoexer@cvs.openbsd.org 2004/01/23 19:26:33 - [cipher.c] - rename acss@opebsd.org to acss@openssh.org - ok deraadt@ - - djm@cvs.openbsd.org 2004/01/25 03:49:09 - [sshconnect.c] - reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785) - from jclonguet AT free.fr; ok millert@ - - djm@cvs.openbsd.org 2004/01/27 10:08:10 - [sftp.c] - reorder parsing so user:skey@host:file works (bugzilla #777) - patch from admorten AT umich.edu; ok markus@ - - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS - if libcrypto lacks it - -20040126 - - (tim) Typo in regress/README.regress - - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated. - - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG - - (tim) [configure.ac includes.h] add for grantpt() and friends. - - (tim) [defines.h openbsd-compat/getrrsetbyname.h] Move defines for HFIXEDSZ - and T_SIG to getrrsetbyname.h - -20040124 - - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com - -20040123 - - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from - ralf.hack AT pipex.net; ok dtucker@ - - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect - Kerberos location (and thus work with Fedora Core 1); - from jason AT devrandom.org - - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for - zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@ - - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options. - Patch from vinschen at redhat.com. - - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] - Change AFS symbol to USE_AFS to prevent namespace collisions, do not - include kafs.h unless necessary. From deengert at anl.gov. - - (tim) [configure.ac] Remove hard coded -L/usr/local/lib and - -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \ - CPPFLAGS="-I/usr/local/include" ./configure if needed. - -20040122 - - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/ - GSSAPI detection, libs and includes. ok djm@ - - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not - just HEIMDAL. - - (tim) [contrib/solaris/buildpkg.sh] Allow for the possibility of - /usr/local being a symbolic link. Fixes problem reported by Henry Grebler. - -20040121 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2004/01/13 09:25:05 - [sftp-int.c sftp.1 sftp.c] - Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and - enable use of "-b -" to accept batchfile from stdin; ok markus@ - - jmc@cvs.openbsd.org 2004/01/13 12:17:33 - [sftp.1] - remove unnecessary Ic's; - kill whitespace at EOL; - ok djm@ - - markus@cvs.openbsd.org 2004/01/13 19:23:15 - [compress.c session.c] - -Wall; ok henning - - markus@cvs.openbsd.org 2004/01/13 19:45:15 - [compress.c] - cast for portability; millert@ - - markus@cvs.openbsd.org 2004/01/19 09:24:21 - [channels.c] - fake consumption for half closed channels since the peer is waiting for - window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@ - reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo' - - markus@cvs.openbsd.org 2004/01/19 21:25:15 - [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c] - fix mem leaks; some fixes from Pete Flugstad; tested dtucker@ - - djm@cvs.openbsd.org 2004/01/21 03:07:59 - [sftp.c] - initialise infile in main, rather than statically - from portable - - deraadt@cvs.openbsd.org 2004/01/11 21:55:06 - [sshpty.c] - for pty opening, only use the openpty() path. the other stuff only needs - to be in openssh-p; markus ok - - (djm) [openbsd-compat/bsd-openpty.c] Rework old sshpty.c code into an - openpty() replacement - -20040114 - - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits - unexpectedly. with & ok djm@ - - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add - test for case where cleanup has already run. - - (dtucker) [auth-pam.c] Add minor debugging. - -20040113 - - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No - functional changes. - -20040108 - - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and - only define if not already. From des at freebsd.org. - - (dtucker) [configure.ac] Remove extra (typo) comma. - -20040105 - - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from - cjwatson at debian.org. - - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c] - Only enable KerberosGetAFSToken if Heimdal's libkafs is found. with jakob@ - -20040102 - - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from - jakob@ - - (djm) Remove useless DNS support configure summary message. from jakob@ - - (djm) OSX/Darwin put the PAM headers in a different place, detect this. - Report from jakob@ - -20031231 - - (dtucker) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2003/12/22 09:16:58 - [moduli.c ssh-keygen.1 ssh-keygen.c] - tidy up moduli generation debugging, add -v (verbose/debug) option to - ssh-keygen; ok markus@ - - markus@cvs.openbsd.org 2003/12/22 20:29:55 - [cipher-3des1.c] - EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr - - jakob@cvs.openbsd.org 2003/12/23 16:12:10 - [servconf.c servconf.h session.c sshd_config] - implement KerberosGetAFSToken server option. ok markus@, beck@ - - millert@cvs.openbsd.org 2003/12/29 16:39:50 - [sshd_config] - KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK - - dtucker@cvs.openbsd.org 2003/12/31 00:24:50 - [auth2-passwd.c] - Ignore password change request during password auth (which we currently - don't support) and discard proposed new password. corrections/ok markus@ - - (dtucker) [configure.ac] Only test setresuid and setresgid if they exist. - -20031219 - - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we - typedef size_t ourselves. - -20031218 - - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban. - - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive - authentication. Partially fixes bug #423. Feedback & ok djm@ - -20031217 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2003/12/09 15:28:43 + typo + - aaron@cvs.openbsd.org 2000/07/05 22:06:58 + [scp.1 ssh-agent.1 ssh-keygen.1 sshd.8] + Insert more missing .El directives. Our troff really should identify + these and spit out a warning. + - todd@cvs.openbsd.org 2000/07/06 21:55:04 + [auth-rsa.c auth2.c ssh-keygen.c] + clean code is good code + - deraadt@cvs.openbsd.org 2000/07/07 02:14:29 [serverloop.c] - make ClientKeepAlive work for ssh -N, too (no login shell requested). - 1) send a bogus channel request if we find a channel - 2) send a bogus global request if we don't have a channel - ok + test beck@ - - markus@cvs.openbsd.org 2003/12/09 17:29:04 + sense of port forwarding flag test was backwards + - provos@cvs.openbsd.org 2000/07/08 17:17:31 + [compat.c readconf.c] + replace strtok with strsep; from David Young + - deraadt@cvs.openbsd.org 2000/07/08 19:21:15 + [auth.h] + KNF + - ho@cvs.openbsd.org 2000/07/08 19:27:33 + [compat.c readconf.c] + Better conditions for strsep() ending. + - ho@cvs.openbsd.org 2000/07/10 10:27:05 + [readconf.c] + Get the correct message on errors. (niels@ ok) + - ho@cvs.openbsd.org 2000/07/10 10:30:25 + [cipher.c kex.c servconf.c] + strtok() --> strsep(). (niels@ ok) + - (djm) Fix problem with debug mode and MaxStartups + - (djm) Don't generate host keys when $(DESTDIR) is set (e.g. during RPM + builds) + - (djm) Add strsep function from OpenBSD libc for systems that lack it + +20000709 + - (djm) Only enable PAM_TTY kludge for Linux. Problem report from + Kevin Steves + - (djm) Match prototype and function declaration for rresvport_af. + Problem report from Niklas Edmundsson + - (djm) Missing $(DESTDIR) on host-key target causing problems with RPM + builds. Problem report from Gregory Leblanc + - (djm) Replace ut_name with ut_user. Patch from Jim Watt + + - (djm) Fix pam sprintf fix + - (djm) Cleanup entropy collection code a little more. Split initialisation + from seeding, perform intialisation immediatly at start, be careful with + uids. Based on problem report from Jim Watt + - (djm) More NeXT compatibility from Ben Lindstrom + Including sigaction() et al. replacements + - (djm) AIX getuserattr() session initialisation from Tom Bertelson + + +20000708 + - (djm) Fix bad fprintf format handling in auth-pam.c. Patch from + Aaron Hopkins + - (djm) Fix incorrect configure handling of --with-rsh-path option. Fix from + Lutz Jaenicke + - (djm) Fixed undefined variables for OSF SIA. Report from + Baars, Henk + - (djm) Handle EWOULDBLOCK returns from read() and write() in atomicio.c + Fix from Marquess, Steve Mr JMLFDC + - (djm) Don't use inet_addr. + +20000702 + - (djm) Fix brace mismatch from Corinna Vinschen + - (djm) Stop shadow expiry checking from preventing logins with NIS. Based + on fix from HARUYAMA Seigo + - (djm) Use standard OpenSSL functions in auth-skey.c. Patch from + Chris, the Young One + - (djm) Fix scp progress meter on really wide terminals. Based on patch + from James H. Cloos Jr. + +20000701 + - (djm) Fix Tru64 SIA problems reported by John P Speno + - (djm) Login fixes from Tom Bertelson + - (djm) Replace "/bin/sh" with _PATH_BSHELL. Report from Corinna Vinschen + + - (djm) Replace "/usr/bin/login" with LOGIN_PROGRAM + - (djm) Added check for broken snprintf() functions which do not correctly + terminate output string and attempt to use replacement. + - (djm) Released 2.1.1p2 + +20000628 + - (djm) Fixes to lastlog code for Irix + - (djm) Use atomicio in loginrec + - (djm) Patch from Michael Stone to add support for + Irix 6.x array sessions, project id's, and system audit trail id. + - (djm) Added 'distprep' make target to simplify packaging + - (djm) Added patch from Chris Adams to add OSF SIA + support. Enable using "USE_SIA=1 ./configure [options]" + +20000627 + - (djm) Fixes to login code - not setting li->uid, cleanups + - (djm) Formatting + +20000626 + - (djm) Better fix to aclocal tests from Garrick James + - (djm) Account expiry support from Andreas Steinmetz + - (djm) Added password expiry checking (no password change support) + - (djm) Make EGD failures non-fatal if OpenSSL's entropy pool is still OK + based on patch from Lutz Jaenicke + - (djm) Fix fixed EGD code. + - OpenBSD CVS update + - provos@cvs.openbsd.org 2000/06/25 14:17:58 + [channels.c] + correct check for bad channel ids; from Wei Dai + +20000623 + - (djm) Use sa_family_t in prototype for rresvport_af. Patch from + Svante Signell + - (djm) Autoconf logic to define sa_family_t if it is missing + - OpenBSD CVS Updates: + - markus@cvs.openbsd.org 2000/06/22 10:32:27 [sshd.c] - fix -o and HUP; ok henning@ - - markus@cvs.openbsd.org 2003/12/09 17:30:05 - [ssh.c] - don't modify argv for ssh -o; similar to sshd.c 1.283 - - markus@cvs.openbsd.org 2003/12/09 21:53:37 - [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1] - [ssh_config.5 sshconnect.c sshd.c sshd_config.5] - rename keepalive to tcpkeepalive; the old name causes too much - confusion; ok djm, dtucker; with help from jmc@ - - dtucker@cvs.openbsd.org 2003/12/09 23:45:32 - [clientloop.c] - Clear exit code when ssh -N is terminated with a SIGTERM. ok markus@ - - markus@cvs.openbsd.org 2003/12/14 12:37:21 - [ssh_config.5] - we don't support GSS KEX; from Simon Wilkinson - - markus@cvs.openbsd.org 2003/12/16 15:49:51 - [clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1] - [ssh.c ssh_config.5] - application layer keep alive (ServerAliveInterval ServerAliveCountMax) - for ssh(1), similar to the sshd(8) option; ok beck@; with help from - jmc and dtucker@ - - markus@cvs.openbsd.org 2003/12/16 15:51:54 - [dh.c] - use <= instead of < in dh_estimate; ok provos/hshoexer; - do not return < DH_GRP_MIN - - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for - setres[ug]id() present but not implemented (eg some Linux/glibc - combinations). - - (bal) [openbsd-compat/bsd-misc.c] unset 'signal' defined if we are - using a real 'signal()' (Noticed by a NeXT Compile) - -20031209 - - (dtucker) OpenBSD CVS Sync - - matthieu@cvs.openbsd.org 2003/11/25 23:10:08 - [ssh-add.1] - ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@. - - djm@cvs.openbsd.org 2003/11/26 21:44:29 - [cipher-aes.c] - fix #ifdef before #define; ok markus@ - (RCS ID sync only, Portable already had this) - - markus@cvs.openbsd.org 2003/12/02 12:15:10 - [progressmeter.c] - improvments from andreas@: - * saner speed estimate for transfers that takes less than a second by - rounding the time to 1 second. - * when the transfer is finished calculate the actual total speed - rather than the current speed which is given during the transfer - - markus@cvs.openbsd.org 2003/12/02 17:01:15 - [channels.c session.c ssh-agent.c ssh.h sshd.c] - use SSH_LISTEN_BACKLOG (=128) in listen(2). - - djm@cvs.openbsd.org 2003/12/07 06:34:18 - [moduli.c] - remove unused debugging #define templates - - markus@cvs.openbsd.org 2003/12/08 11:00:47 - [kexgexc.c] - print requested group size in debug; ok djm - - dtucker@cvs.openbsd.org 2003/12/09 13:52:55 - [moduli.c] - Prevent ssh-keygen -T from outputting moduli with a generator of 0, since - they can't be used for Diffie-Hellman. Assistance and ok djm@ - - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below. - -20031208 - - (tim) [configure.ac] Bug 770. Fix --without-rpath. - -20031123 - - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own - function and call it unconditionally - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2003/11/23 23:17:34 - [ssh-keyscan.c] - from portable - use sysconf to detect fd limit; ok markus@ - (tidy diff by adding SSH_SSFDMAX macro to defines.h) - - djm@cvs.openbsd.org 2003/11/23 23:18:45 - [ssh-keygen.c] - consistency PATH_MAX -> MAXPATHLEN; ok markus@ - (RCS ID sync only) - - djm@cvs.openbsd.org 2003/11/23 23:21:21 - [scp.c] - from portable: rename clashing variable limit-> limit_rate; ok markus@ - (RCS ID sync only) - - dtucker@cvs.openbsd.org 2003/11/24 00:16:35 - [ssh.1 ssh.c] - Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@ - - (djm) Annotate OpenBSD-derived files in openbsd-compat/ with original - source file path (in OpenBSD tree). - -20031122 - - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@ - - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h] - Move AIX specific password authentication code to port-aix.c, call - authenticate() until reenter flag is clear. - - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net. - Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA - is enabled, rely on SIA to check for locked accounts if enabled. ok djm@ - - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch - - (djm) [sftp-int.c] Remove duplicated code from bogus sync - - (djm) [packet.c] Shuffle #ifdef to reduce conditionally compiled code - -20031121 - - (djm) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2003/11/20 11:39:28 - [progressmeter.c] - fix rounding errors; from andreas@ - - djm@cvs.openbsd.org 2003/11/21 11:57:03 - [everything] - unexpand and delete whitespace at EOL; ok markus@ - (done locally and RCS IDs synced) - -20031118 - - (djm) Fix early exit for root auth success when UsePAM=yes and - PermitRootLogin=no - - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv, - and use it for do_pam_session. Fixes problems like pam_motd not - displaying anything. ok djm@ - - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@ - - (djm) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2003/11/18 00:40:05 - [serverloop.c] - Correct check for authctxt->valid. ok djm@ - - djm@cvs.openbsd.org 2003/11/18 10:53:07 - [monitor.c] - unbreak fake authloop for non-existent users (my screwup). Spotted and - tested by dtucker@; ok markus@ - -20031117 - - (djm) OpenBSD CVS Sync - - djm@cvs.openbsd.org 2003/11/03 09:03:37 - [auth-chall.c] - make this a little more idiot-proof; ok markus@ - (includes portable-specific changes) - - jakob@cvs.openbsd.org 2003/11/03 09:09:41 + missing atomicio; report from Steve.Marquess@DET.AMEDD.ARMY.MIL + - djm@cvs.openbsd.org 2000/06/22 17:55:00 + [auth-krb4.c key.c radix.c uuencode.c] + Missing CVS idents; ok markus + +20000622 + - (djm) Automatically generate host key during "make install". Suggested + by Gary E. Miller + - (djm) Paranoia before kill() system call + - OpenBSD CVS Updates: + - markus@cvs.openbsd.org 2000/06/18 18:50:11 + [auth2.c compat.c compat.h sshconnect2.c] + make userauth+pubkey interop with ssh.com-2.2.0 + - markus@cvs.openbsd.org 2000/06/18 20:56:17 + [dsa.c] + mem leak + be more paranoid in dsa_verify. + - markus@cvs.openbsd.org 2000/06/18 21:29:50 + [key.c] + cleanup fingerprinting, less hardcoded sizes + - markus@cvs.openbsd.org 2000/06/19 19:39:45 + [atomicio.c auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c] + [auth-rsa.c auth-skey.c authfd.c authfd.h authfile.c bufaux.c bufaux.h] + [buffer.c buffer.h canohost.c channels.c channels.h cipher.c cipher.h] + [clientloop.c compat.c compat.h compress.c compress.h crc32.c crc32.h] + [deattack.c dispatch.c dsa.c fingerprint.c fingerprint.h getput.h hmac.c] + [kex.c log-client.c log-server.c login.c match.c mpaux.c mpaux.h nchan.c] + [nchan.h packet.c packet.h pty.c pty.h readconf.c readconf.h readpass.c] + [rsa.c rsa.h scp.c servconf.c servconf.h ssh-add.c ssh-keygen.c ssh.c] + [ssh.h tildexpand.c ttymodes.c ttymodes.h uidswap.c xmalloc.c xmalloc.h] + OpenBSD tag + - markus@cvs.openbsd.org 2000/06/21 10:46:10 + sshconnect2.c missing free; nuke old comment + +20000620 + - (djm) Replace use of '-o' and '-a' logical operators in configure tests + with '||' and '&&'. As suggested by Jim Knoble + to fix SCO Unixware problem reported by Gary E. Miller + - (djm) Typo in loginrec.c + +20000618 + - (djm) Add summary of configure options to end of ./configure run + - (djm) Not all systems define RUSAGE_SELF & RUSAGE_CHILDREN. Report from + Michael Stone + - (djm) rusage is a privileged operation on some Unices (incl. + Solaris 2.5.1). Report from Paul D. Smith + - (djm) Avoid PAM failures when running without a TTY. Report from + Martin Petrak + - (djm) Include sys/types.h when including netinet/in.h in configure tests. + Patch from Jun-ichiro itojun Hagino + - (djm) Started merge of Ben Lindstrom's NeXT support + - OpenBSD CVS updates: + - deraadt@cvs.openbsd.org 2000/06/17 09:58:46 + [channels.c] + everyone says "nix it" (remove protocol 2 debugging message) + - markus@cvs.openbsd.org 2000/06/17 13:24:34 [sshconnect.c] - move changed key warning into warn_changed_key(). ok markus@ - - jakob@cvs.openbsd.org 2003/11/03 09:37:32 + allow extended server banners + - markus@cvs.openbsd.org 2000/06/17 14:30:10 [sshconnect.c] - do not free static type pointer in warn_changed_key() - - djm@cvs.openbsd.org 2003/11/04 08:54:09 - [auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c] - [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c] - [session.c] - standardise arguments to auth methods - they should all take authctxt. - check authctxt->valid rather then pw != NULL; ok markus@ - - jakob@cvs.openbsd.org 2003/11/08 16:02:40 - [auth1.c] - remove unused variable (pw). ok djm@ - (id sync only - still used in portable) - - jmc@cvs.openbsd.org 2003/11/08 19:17:29 - [sftp-int.c] - typos from Jonathon Gray; - - jakob@cvs.openbsd.org 2003/11/10 16:23:41 - [bufaux.c bufaux.h cipher.c cipher.h hostfile.c hostfile.h key.c] - [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c] - [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h] - constify. ok markus@ & djm@ - - dtucker@cvs.openbsd.org 2003/11/12 10:12:15 + missing atomicio, typo + - jakob@cvs.openbsd.org 2000/06/17 16:52:34 + [servconf.c servconf.h session.c sshd.8 sshd_config] + add support for ssh v2 subsystems. ok markus@. + - deraadt@cvs.openbsd.org 2000/06/17 18:57:48 + [readconf.c servconf.c] + include = in WHITESPACE; markus ok + - markus@cvs.openbsd.org 2000/06/17 19:09:10 + [auth2.c] + implement bug compatibility with ssh-2.0.13 pubkey, server side + - markus@cvs.openbsd.org 2000/06/17 21:00:28 + [compat.c] + initial support for ssh.com's 2.2.0 + - markus@cvs.openbsd.org 2000/06/17 21:16:09 [scp.c] - When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@ - - jakob@cvs.openbsd.org 2003/11/12 16:39:58 - [dns.c dns.h readconf.c ssh_config.5 sshconnect.c] - update SSHFP validation. ok markus@ - - jmc@cvs.openbsd.org 2003/11/12 20:14:51 - [ssh_config.5] - make verb agree with subject, and kill some whitespace; - - markus@cvs.openbsd.org 2003/11/14 13:19:09 - [sshconnect2.c] - cleanup and minor fixes for the client code; from Simon Wilkinson - - djm@cvs.openbsd.org 2003/11/17 09:45:39 - [msg.c msg.h sshconnect2.c ssh-keysign.c] - return error on msg send/receive failure (rather than fatal); ok markus@ - - markus@cvs.openbsd.org 2003/11/17 11:06:07 - [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c] - [monitor_wrap.h sshconnect2.c ssh-gss.h] - replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson; - test + ok jakob. - - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int - conversation function - - (djm) Export environment variables from authentication subprocess to - parent. Part of Bug #717 - -20031115 - - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and - HP-UX, skip test on AIX. - -20031113 - - (dtucker) [auth-pam.c] Append newlines to lines output by the - pam_chauthtok_conv(). - - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All - contrib/cygwin). Major update from vinschen at redhat.com. - - Makefile provides a `cygwin-postinstall' target to run right after - `make install'. - - Better support for Windows 2003 Server. - - Try to get permissions as correct as possible. - - New command line options to allow full automated host configuration. - - Create configs from skeletons in /etc/defaults/etc. - - Use /bin/bash, allows reading user input with readline support. - - Remove really old configs from /usr/local. - - (dtucker) [auth-pam.c] Add newline to accumulated PAM_TEXT_INFO and - PAM_ERROR_MSG messages. - -20031106 - - (djm) Clarify UsePAM consequences a little more - -20031103 - - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services - are created correctly with CRLF line terminations. Patch from vinschen at - redhat.com. - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2003/10/15 09:48:45 - [monitor_wrap.c] - check pmonitor != NULL - - markus@cvs.openbsd.org 2003/10/21 09:50:06 - [auth2-gss.c] - make sure the doid is larger than 2 - - avsm@cvs.openbsd.org 2003/10/26 16:57:43 - [sshconnect2.c] - rename 'supported' static var in userauth_gssapi() to 'gss_supported' - to avoid shadowing the global version. markus@ ok - - markus@cvs.openbsd.org 2003/10/28 09:08:06 - [misc.c] - error->debug for getsockopt+TCP_NODELAY; several requests - - markus@cvs.openbsd.org 2003/11/02 11:01:03 - [auth2-gss.c compat.c compat.h sshconnect2.c] - remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk - - (dtucker) [regress/agent-ptrace.sh] Use numeric uid and gid. - -20031021 - - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords - directly. Noted by Darren.Moffat at sun.com. - - (dtucker) [regress/agent-ptrace.sh] Skip agent-test unless SUDO is set, - make agent setgid during test. - -20031017 - - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with - MD5 passwords even if PAM support is enabled. From steev at detritus.net. - -20031015 - - (dtucker) OpenBSD CVS Sync - - jmc@cvs.openbsd.org 2003/10/08 08:27:36 - [scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8] - scp and sftp: add options list and sort options. options list requested - by deraadt@ - sshd: use same format as ssh - ssh: remove wrong option from list - sftp-server: Subsystem is documented in ssh_config(5), not sshd(8) - ok deraadt@ markus@ - - markus@cvs.openbsd.org 2003/10/08 15:21:24 - [readconf.c ssh_config.5] - default GSS API to no in client, too; ok jakob, deraadt@ - - markus@cvs.openbsd.org 2003/10/11 08:24:08 - [readconf.c readconf.h ssh.1 ssh.c ssh_config.5] - remote x11 clients are now untrusted by default, uses xauth(8) to generate - untrusted cookies; ForwardX11Trusted=yes restores old behaviour. - ok deraadt; feedback and ok djm/fries - - markus@cvs.openbsd.org 2003/10/11 08:26:43 - [sshconnect2.c] - search keys in reverse order; fixes #684 - - markus@cvs.openbsd.org 2003/10/11 11:36:23 - [monitor_wrap.c] - return NULL for missing banner; ok djm@ - - jmc@cvs.openbsd.org 2003/10/12 13:12:13 - [ssh_config.5] - note that EnableSSHKeySign should be in the non-hostspecific section; - remove unnecessary .Pp; - ok markus@ - - markus@cvs.openbsd.org 2003/10/13 08:22:25 - [scp.1 sftp.1] - don't refer to options related to forwarding; ok jmc@ - - jakob@cvs.openbsd.org 2003/10/14 19:42:10 - [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c] - include SSHFP lookup code (not enabled by default). ok markus@ - - jakob@cvs.openbsd.org 2003/10/14 19:43:23 - [README.dns] - update - - markus@cvs.openbsd.org 2003/10/14 19:54:39 - [session.c ssh-agent.c] - 10X for mkdtemp; djm@ - - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c - openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always - compiled in but disabled in config. - - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode. - - (tim) [regress/banner.sh] portability fix. - -20031009 - - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@ - -20031008 - - (dtucker) OpenBSD CVS Sync - - dtucker@cvs.openbsd.org 2003/10/07 01:47:27 - [sshconnect2.c] - Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 & - #707. ok markus@ - - djm@cvs.openbsd.org 2003/10/07 07:04:16 - [sftp-int.c] - sftp quoting fix from admorten AT umich.edu; ok markus@ - - deraadt@cvs.openbsd.org 2003/10/07 21:58:28 - [sshconnect2.c] - set ptr to NULL after free - - dtucker@cvs.openbsd.org 2003/10/07 01:52:13 - [regress/Makefile regress/banner.sh] - Test SSH2 banner. ok markus@ - - djm@cvs.openbsd.org 2003/10/07 07:04:52 - [regress/sftp-cmds.sh] - more sftp quoting regress tests; ok markus - -20031007 - - (djm) Delete autom4te.cache after autoreconf - - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static - cleanup functions. With & ok djm@ - - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a - run-time switch, always build --with-md5-passwords. - - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c] - Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@ - - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID - on Reliant Unix. Patch from Robert.Dahlem at siemens.com. - - (dtucker) [configure.ac] Bug #710: Check for dlsym() in libdl on - Reliant Unix. Based on patch from Robert.Dahlem at siemens.com. - -20031003 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2003/10/02 10:41:59 - [sshd.c] - print openssl version, too, several requests; ok henning/djm. - - markus@cvs.openbsd.org 2003/10/02 08:26:53 - [ssh-gss.h] - missing $OpenBSD:; dtucker - - (tim) [contrib/caldera/openssh.spec] Remove obsolete --with-ipv4-default - option. + typo + - markus@cvs.openbsd.org 2000/06/17 22:05:02 + [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h] + split auth-rsa option parsing into auth-options + add options support to authorized_keys2 + - markus@cvs.openbsd.org 2000/06/17 22:42:54 + [session.c] + typo -20031002 - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2003/09/23 20:17:11 - [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c - cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h - monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h - ssh-agent.c sshd.c] - replace fatal_cleanup() and linked list of fatal callbacks with static - cleanup_exit() function. re-refine cleanup_exit() where appropriate, - allocate sshd's authctxt eary to allow simpler cleanup in sshd. - tested by many, ok deraadt@ - - markus@cvs.openbsd.org 2003/09/23 20:18:52 - [progressmeter.c] - don't print trailing \0; bug #709; Robert.Dahlem@siemens.com - ok millert/deraadt@ - - markus@cvs.openbsd.org 2003/09/23 20:41:11 - [channels.c channels.h clientloop.c] - move client only agent code to clientloop.c - - markus@cvs.openbsd.org 2003/09/26 08:19:29 +20000613 + - (djm) Fixes from Andrew McGill : + - Platform define for SCO 3.x which breaks on /dev/ptmx + - Detect and try to fix missing MAXPATHLEN + - (djm) Fix short copy in loginrec.c (based on patch from Phill Camp + + +20000612 + - (djm) Glob manpages in RPM spec files to catch compressed files + - (djm) Full license in auth-pam.c + - (djm) Configure fixes from SAKAI Kiyotaka + - (andre) AIX, lastlog, configure fixes from Tom Bertelson : + - Don't try to retrieve lastlog from wtmp/wtmpx if DISABLE_LASTLOG is + def'd + - Set AIX to use preformatted manpages + +20000610 + - (djm) Minor doc tweaks + - (djm) Fix for configure on bash2 from Jim Knoble + +20000609 + - (djm) Patch from Kenji Miyake to disable utmp usage + (in favour of utmpx) on Solaris 8 + +20000606 + - (djm) Cleanup of entropy.c. Reorganised code, removed second pass through + list of commands (by default). Removed verbose debugging (by default). + - (djm) Increased command entropy estimates and default entropy collection + timeout + - (djm) Remove duplicate headers from loginrec.c + - (djm) Don't add /usr/local/lib to library search path on Irix + - (djm) Fix rsh path in RPMs. Report from Jason L Tibbitts III + + - (djm) Warn user if grabs fail in GNOME askpass. Patch from Zack Weinberg + + - (djm) OpenBSD CVS updates: + - todd@cvs.openbsd.org + [sshconnect2.c] + teach protocol v2 to count login failures properly and also enable an + explanation of why the password prompt comes up again like v1; this is NOT + crypto + - markus@cvs.openbsd.org + [readconf.c readconf.h servconf.c servconf.h session.c ssh.1 ssh.c sshd.8] + xauth_location support; pr 1234 + [readconf.c sshconnect2.c] + typo, unused + [session.c] + allow use_login only for login sessions, otherwise remote commands are + execed with uid==0 + [sshd.8] + document UseLogin better + [version.h] + OpenSSH 2.1.1 + [auth-rsa.c] + fix match_hostname() logic for auth-rsa: deny access if we have a + negative match or no match at all + [channels.c hostfile.c match.c] + don't panic if mkdtemp fails for authfwd; jkb@yahoo-inc.com via + kris@FreeBSD.org + +20000606 + - (djm) Added --with-cflags, --with-ldflags and --with-libs options to + configure. + +20000604 + - Configure tweaking for new login code on Irix 5.3 + - (andre) login code changes based on djm feedback + +20000603 + - (andre) New login code + - Remove bsd-login.[ch] and all the OpenBSD-derived code in login.c + - Add loginrec.[ch], logintest.c and autoconf code + +20000531 + - Cleanup of auth.c, login.c and fake-* + - Cleanup of auth-pam.c, save and print "account expired" error messages + - Fix EGD read bug by IWAMURO Motonori + - Rewrote bsd-login to use proper utmp API if available. Major cleanup + of fallback DIY code. + +20000530 + - Define atexit for old Solaris + - Fix buffer overrun in login.c for systems which use syslen in utmpx. + patch from YOSHIFUJI Hideaki + - OpenBSD CVS updates: + - markus@cvs.openbsd.org + [session.c] + make x11-fwd work w/ localhost (xauth add host/unix:11) + [cipher.c compat.c readconf.c servconf.c] + check strtok() != NULL; ok niels@ + [key.c] + fix key_read() for uuencoded keys w/o '=' + [serverloop.c] + group ssh1 vs. ssh2 in serverloop + [kex.c kex.h myproposal.h sshconnect2.c sshd.c] + split kexinit/kexdh, factor out common code + [readconf.c ssh.1 ssh.c] + forwardagent defaults to no, add ssh -A + - theo@cvs.openbsd.org + [session.c] + just some line shortening + - Released 2.1.0p3 + +20000520 + - Xauth fix from Markus Friedl + - Don't touch utmp if USE_UTMPX defined + - SunOS 4.x support from Todd C. Miller + - SIGCHLD fix for AIX and HPUX from Tom Bertelson + - HPUX and Configure fixes from Lutz Jaenicke + + - Use mkinstalldirs script to make directories instead of non-portable + "install -d". Suggested by Lutz Jaenicke + - Doc cleanup + +20000518 + - Include Andre Lucas' fixprogs script. Forgot to "cvs add" it yesterday + - OpenBSD CVS updates: + - markus@cvs.openbsd.org + [sshconnect.c] + copy only ai_addrlen bytes; misiek@pld.org.pl + [auth.c] + accept an empty shell in authentication; bug reported by + chris@tinker.ucr.edu + [serverloop.c] + we don't have stderr for interactive terminal sessions (fcntl errors) + +20000517 + - Fix from Andre Lucas + - Fixes command line printing segfaults (spotter: Bladt Norbert) + - Fixes erroneous printing of debug messages to syslog + - Fixes utmp for MacOS X (spotter: Aristedes Maniatis) + - Gives useful error message if PRNG initialisation fails + - Reduced ssh startup delay + - Measures cumulative command time rather than the time between reads + after select() + - 'fixprogs' perl script to eliminate non-working entropy commands, and + optionally run 'ent' to measure command entropy + - Applied Tom Bertelson's AIX authentication fix + - Avoid WCOREDUMP complation errors for systems that lack it + - Avoid SIGCHLD warnings from entropy commands + - Fix HAVE_PAM_GETENVLIST setting from Simon Wilkinson + - OpenBSD CVS update: + - markus@cvs.openbsd.org + [ssh.c] + fix usage() + [ssh2.h] + draft-ietf-secsh-architecture-05.txt + [ssh.1] + document ssh -T -N (ssh2 only) + [channels.c serverloop.c ssh.h sshconnect.c sshd.c aux.c] + enable nonblocking IO for sshd w/ proto 1, too; split out common code + [aux.c] + missing include + - Several patches from SAKAI Kiyotaka + - INSTALL typo and URL fix + - Makefile fix + - Solaris fixes + - Checking for ssize_t and memmove. Based on patch from SAKAI Kiyotaka + + - RSAless operation patch from kevin_oconnor@standardandpoors.com + - Detect OpenSSL seperatly from RSA + - Better test for RSA (more compatible with RSAref). Based on work by + Ed Eden + +20000513 + - Fix for non-recognised DSA keys from Arkadiusz Miskiewicz + + +20000511 + - Fix for prng_seed permissions checking from Lutz Jaenicke + + - "make host-key" fix for Irix + +20000509 + - OpenBSD CVS update + - markus@cvs.openbsd.org + [cipher.h myproposal.h readconf.c readconf.h servconf.c ssh.1 ssh.c] + [ssh.h sshconnect1.c sshconnect2.c sshd.8] + - complain about invalid ciphers in SSH1 (e.g. arcfour is SSH2 only) + - hugh@cvs.openbsd.org + [ssh.1] + - zap typo + [ssh-keygen.1] + - One last nit fix. (markus approved) + [sshd.8] + - some markus certified spelling adjustments + - markus@cvs.openbsd.org + [auth2.c channels.c clientloop.c compat compat.h dsa.c kex.c] + [sshconnect2.c ] + - bug compat w/ ssh-2.0.13 x11, split out bugs + [nchan.c] + - no drain if ibuf_empty, fixes x11fwd problems; tests by fries@ + [ssh-keygen.c] + - handle escapes in real and original key format, ok millert@ + [version.h] + - OpenSSH-2.1 + - Moved all the bsd-* and fake-* stuff into new libopenbsd-compat.a + - Doc updates + - Cleanup of bsd-base64 headers, bugfix definitions of __b64_*. Reported + by Andre Lucas + +20000508 + - Makefile and RPM spec fixes + - Generate DSA host keys during "make key" or RPM installs + - OpenBSD CVS update + - markus@cvs.openbsd.org + [clientloop.c sshconnect2.c] + - make x11-fwd interop w/ ssh-2.0.13 + [README.openssh2] + - interop w/ SecureFX + - Release 2.0.0beta2 + + - Configure caching and cleanup patch from Andre Lucas' + + +20000507 + - Remove references to SSLeay. + - Big OpenBSD CVS update + - markus@cvs.openbsd.org + [clientloop.c] + - typo + [session.c] + - update proctitle on pty alloc/dealloc, e.g. w/ windows client + [session.c] + - update proctitle for proto 1, too + [channels.h nchan.c serverloop.c session.c sshd.c] + - use c-style comments + - deraadt@cvs.openbsd.org + [scp.c] + - more atomicio + - markus@cvs.openbsd.org + [channels.c] + - set O_NONBLOCK + [ssh.1] + - update AUTHOR + [readconf.c ssh-keygen.c ssh.h] + - default DSA key file ~/.ssh/id_dsa + [clientloop.c] + - typo, rm verbose debug + - deraadt@cvs.openbsd.org + [ssh-keygen.1] + - document DSA use of ssh-keygen + [sshd.8] + - a start at describing what i understand of the DSA side + [ssh-keygen.1] + - document -X and -x + [ssh-keygen.c] + - simplify usage + - markus@cvs.openbsd.org + [sshd.8] + - there is no rhosts_dsa + [ssh-keygen.1] + - document -y, update -X,-x + [nchan.c] + - fix close for non-open ssh1 channels + [servconf.c servconf.h ssh.h sshd.8 sshd.c ] + - s/DsaKey/HostDSAKey/, document option + [sshconnect2.c] + - respect number_of_password_prompts + [channels.c channels.h servconf.c servconf.h session.c sshd.8] + - GatewayPorts for sshd, ok deraadt@ + [ssh-add.1 ssh-agent.1 ssh.1] + - more doc on: DSA, id_dsa, known_hosts2, authorized_keys2 + [ssh.1] + - more info on proto 2 + [sshd.8] + - sync AUTHOR w/ ssh.1 + [key.c key.h sshconnect.c] + - print key type when talking about host keys + [packet.c] + - clear padding in ssh2 + [dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h] + - replace broken uuencode w/ libc b64_ntop + [auth2.c] + - log failure before sending the reply + [key.c radix.c uuencode.c] + - remote trailing comments before calling __b64_pton + [auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1] + [sshconnect2.c sshd.8] + - add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8 + - Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch]) + +20000502 + - OpenBSD CVS update + [channels.c] + - init all fds, close all fds. + [sshconnect2.c] + - check whether file exists before asking for passphrase + [servconf.c servconf.h sshd.8 sshd.c] + - PidFile, pr 1210 + [channels.c] + - EINTR + [channels.c] + - unbreak, ok niels@ + [sshd.c] + - unlink pid file, ok niels@ + [auth2.c] + - Add missing #ifdefs; ok - markus + - Add Andre Lucas' patch to read entropy + gathering commands from a text file + - Release 2.0.0beta1 + +20000501 + - OpenBSD CVS update + [packet.c] + - send debug messages in SSH2 format + [scp.c] + - fix very rare EAGAIN/EINTR issues; based on work by djm + [packet.c] + - less debug, rm unused + [auth2.c] + - disable kerb,s/key in ssh2 + [sshd.8] + - Minor tweaks and typo fixes. + [ssh-keygen.c] + - Put -d into usage and reorder. markus ok. + - Include missing headers for OpenSSL tests. Fix from Phil Karn + + - Fixed __progname symbol collisions reported by Andre Lucas + + - Merged bsd-login ttyslot and AIX utmp patch from Gert Doering + + - Add some missing ifdefs to auth2.c + - Deprecate perl-tk askpass. + - Irix portability fixes - don't include netinet headers more than once + - Make sure we don't save PRNG seed more than once + +20000430 + - Merge HP-UX fixes and TCB support from Ged Lodder + - Integrate Andre Lucas' entropy collection + patch. + - Adds timeout to entropy collection + - Disables slow entropy sources + - Load and save seed file + - Changed entropy seed code to user per-user seeds only (server seed is + saved in root's .ssh directory) + - Use atexit() and fatal cleanups to save seed on exit + - More OpenBSD updates: + [session.c] + - don't call chan_write_failed() if we are not writing + [auth-rsa.c auth1.c authfd.c hostfile.c ssh-agent.c] + - keysize warnings error() -> log() + +20000429 + - Merge big update to OpenSSH-2.0 from OpenBSD CVS + [README.openssh2] + - interop w/ F-secure windows client + - sync documentation + - ssh_host_dsa_key not ssh_dsa_key + [auth-rsa.c] + - missing fclose + [auth.c authfile.c compat.c dsa.c dsa.h hostfile.c key.c key.h radix.c] + [readconf.c readconf.h ssh-add.c ssh-keygen.c ssh.c ssh.h sshconnect.c] + [sshd.c uuencode.c uuencode.h authfile.h] + - add DSA pubkey auth and other SSH2 fixes. use ssh-keygen -[xX] + for trading keys with the real and the original SSH, directly from the + people who invented the SSH protocol. + [auth.c auth.h authfile.c sshconnect.c auth1.c auth2.c sshconnect.h] + [sshconnect1.c sshconnect2.c] + - split auth/sshconnect in one file per protocol version + [sshconnect2.c] + - remove debug + [uuencode.c] + - add trailing = + [version.h] + - OpenSSH-2.0 + [ssh-keygen.1 ssh-keygen.c] + - add -R flag: exit code indicates if RSA is alive + [sshd.c] + - remove unused + silent if -Q is specified + [ssh.h] + - host key becomes /etc/ssh_host_dsa_key + [readconf.c servconf.c ] + - ssh/sshd default to proto 1 and 2 + [uuencode.c] + - remove debug + [auth2.c ssh-keygen.c sshconnect2.c sshd.c] + - xfree DSA blobs + [auth2.c serverloop.c session.c] + - cleanup logging for sshd/2, respect PasswordAuth no + [sshconnect2.c] + - less debug, respect .ssh/config + [README.openssh2 channels.c channels.h] + - clientloop.c session.c ssh.c + - support for x11-fwding, client+server + +20000421 + - Merge fix from OpenBSD CVS + [ssh-agent.c] + - Fix memory leak per connection. Report from Andy Spiegl + via Debian bug #59926 + - Define __progname in session.c if libc doesn't + - Remove indentation on autoconf #include statements to avoid bug in + DEC Tru64 compiler. Report and fix from David Del Piero + + +20000420 + - Make fixpaths work with perl4, patch from Andre Lucas + + - Sync with OpenBSD CVS: + [clientloop.c login.c serverloop.c ssh-agent.c ssh.h sshconnect.c sshd.c] + - pid_t + [session.c] + - remove bogus chan_read_failed. this could cause data + corruption (missing data) at end of a SSH2 session. + - Merge fixes from Debian patch from Phil Hands + - Allow setting of PAM service name through CFLAGS (SSHD_PAM_SERVICE) + - Use vhangup to clean up Linux ttys + - Force posix getopt processing on GNU libc systems + - Debian bug #55910 - remove references to ssl(8) manpages + - Debian bug #58031 - ssh_config lies about default cipher + +20000419 + - OpenBSD CVS updates + [channels.c] + - fix pr 1196, listen_port and port_to_connect interchanged + [scp.c] + - after completion, replace the progress bar ETA counter with a final + elapsed time; my idea, aaron wrote the patch + [ssh_config sshd_config] + - show 'Protocol' as an example, ok markus@ + [sshd.c] + - missing xfree() + - Add missing header to bsd-misc.c + +20000416 + - Reduce diff against OpenBSD source + - All OpenSSL includes are now unconditionally referenced as + openssl/foo.h + - Pick up formatting changes + - Other minor changed (typecasts, etc) that I missed + +20000415 + - OpenBSD CVS updates. + [ssh.1 ssh.c] + - ssh -2 + [auth.c channels.c clientloop.c packet.c packet.h serverloop.c] + [session.c sshconnect.c] + - check payload for (illegal) extra data + [ALL] + whitespace cleanup + +20000413 + - INSTALL doc updates + - Merged OpenBSD updates to include paths. + +20000412 + - OpenBSD CVS updates: + - [channels.c] + repair x11-fwd + - [sshconnect.c] + fix passwd prompt for ssh2, less debugging output. + - [clientloop.c compat.c dsa.c kex.c sshd.c] + less debugging output + - [kex.c kex.h sshconnect.c sshd.c] + check for reasonable public DH values + - [README.openssh2 cipher.c cipher.h compat.c compat.h readconf.c] + [readconf.h servconf.c servconf.h ssh.c ssh.h sshconnect.c sshd.c] + add Cipher and Protocol options to ssh/sshd, e.g.: + ssh -o 'Protocol 1,2' if you prefer proto 1, ssh -o 'Ciphers + arcfour,3des-cbc' + - [sshd.c] + print 1.99 only if server supports both + +20000408 + - Avoid some compiler warnings in fake-get*.c + - Add IPTOS macros for systems which lack them + - Only set define entropy collection macros if they are found + - More large OpenBSD CVS updates: + - [auth.c auth.h servconf.c servconf.h serverloop.c session.c] + [session.h ssh.h sshd.c README.openssh2] + ssh2 server side, see README.openssh2; enable with 'sshd -2' + - [channels.c] + no adjust after close + - [sshd.c compat.c ] + interop w/ latest ssh.com windows client. + +20000406 + - OpenBSD CVS update: + - [channels.c] + close efd on eof + - [clientloop.c compat.c ssh.c sshconnect.c myproposal.h] + ssh2 client implementation, interops w/ ssh.com and lsh servers. + - [sshconnect.c] + missing free. + - [authfile.c cipher.c cipher.h packet.c sshconnect.c sshd.c] + remove unused argument, split cipher_mask() + - [clientloop.c] + re-order: group ssh1 vs. ssh2 + - Make Redhat spec require openssl >= 0.9.5a + +20000404 + - Add tests for RAND_add function when searching for OpenSSL + - OpenBSD CVS update: + - [packet.h packet.c] + ssh2 packet format + - [packet.h packet.c nchan2.ms nchan.h compat.h compat.c] + [channels.h channels.c] + channel layer support for ssh2 + - [kex.h kex.c hmac.h hmac.c dsa.c dsa.h] + DSA, keyexchange, algorithm agreement for ssh2 + - Generate manpages before make install not at the end of make all + - Don't seed the rng quite so often + - Always reseed rng when requested + +20000403 + - Wrote entropy collection routines for systems that lack /dev/random + and EGD + - Disable tests and typedefs for 64 bit types. They are currently unused. + +20000401 + - Big OpenBSD CVS update (mainly beginnings of SSH2 infrastructure) + - [auth.c session.c sshd.c auth.h] + split sshd.c -> auth.c session.c sshd.c plus cleanup and goto-removal + - [bufaux.c bufaux.h] + support ssh2 bignums + - [channels.c channels.h clientloop.c sshd.c nchan.c nchan.h packet.c] + [readconf.c ssh.c ssh.h serverloop.c] + replace big switch() with function tables (prepare for ssh2) + - [ssh2.h] + ssh2 message type codes + - [sshd.8] + reorder Xr to avoid cutting + - [serverloop.c] + close(fdin) if fdin != fdout, shutdown otherwise, ok theo@ + - [channels.c] + missing close + allow bigger packets + - [cipher.c cipher.h] + support ssh2 ciphers + - [compress.c] + cleanup, less code + - [dispatch.c dispatch.h] + function tables for different message types + - [log-server.c] + do not log() if debuggin to stderr + rename a cpp symbol, to avoid param.h collision + - [mpaux.c] + KNF + - [nchan.c] + sync w/ channels.c + +20000326 + - Better tests for OpenSSL w/ RSAref + - Added replacement setenv() function from OpenBSD libc. Suggested by + Ben Lindstrom + - OpenBSD CVS update + - [auth-krb4.c] + -Wall + - [auth-rh-rsa.c auth-rsa.c hostfile.c hostfile.h key.c key.h match.c] + [match.h ssh.c ssh.h sshconnect.c sshd.c] + initial support for DSA keys. ok deraadt@, niels@ + - [cipher.c cipher.h] + remove unused cipher_attack_detected code + - [scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + Fix some formatting problems I missed before. + - [ssh.1 sshd.8] + fix spelling errors, From: FreeBSD + - [ssh.c] + switch to raw mode only if he _get_ a pty (not if we _want_ a pty). + +20000324 + - Released 1.2.3 + +20000317 + - Clarified --with-default-path option. + - Added -blibpath handling for AIX to work around stupid runtime linking. + Problem elucidated by gshapiro@SENDMAIL.ORG by way of Jim Knoble + + - Checks for 64 bit int types. Problem report from Mats Fredholm + + - OpenBSD CVS updates: + - [atomicio.c auth-krb4.c bufaux.c channels.c compress.c fingerprint.c] + [packet.h radix.c rsa.c scp.c ssh-agent.c ssh-keygen.c sshconnect.c] [sshd.c] - no need to set the listen sockets to non-block; ok deraadt@ - - jmc@cvs.openbsd.org 2003/09/29 11:40:51 - [ssh.1] - - add list of options to -o and .Xr ssh_config(5) - - some other cleanup - requested by deraadt@; - ok deraadt@ markus@ - - markus@cvs.openbsd.org 2003/09/29 20:19:57 - [servconf.c sshd_config] - GSSAPICleanupCreds -> GSSAPICleanupCredentials - - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring - --with-pam. ok djm@ - - (dtucker) [ssh-gss.h] Prototype change missed in sync. - - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations. - Based on patches by Matthias Koeppe and Thomas Baden. ok djm@ - -20030930 - - (bal) Fix issues in openbsd-compat/realpath.c - -20030925 - - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove - DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from - michael_steffens at hp.com, ok djm@ - - (tim) [sshd_config] UsePAM defaults to no. - -20030924 - - (djm) Update version.h and spec files for HEAD - - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6. - -20030923 - - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree - builds. Portability corrections from tim@. - - (dtucker) [configure.ac] Bug #665: uid swapping issues on Mac OS X. - Patch from max at quendi.de. - - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi. - - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64. - - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS. - Patch from david.haughton at ncr.com - - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6. - Part of patch supplied by bugzilla-openssh at thewrittenword.com - - (dtucker) [configure.ac openbsd-compat/fake-rfc2553.c - openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems with - where gai_strerror is defined as "const char *". Part of patch supplied - by bugzilla-openssh at thewrittenword.com - - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update - ssh-host-config to match current defaults, bump README version. Patch from - vinschen at redhat.com. - - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the - OS does not support permanently dropping privileges. Patch from - vinschen at redhat.com. - - (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h, - add canohost.h to stop warning. Based on patch from openssh-unix-dev at - thewrittenword.com - - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or - higher. - - (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/ - - (tim) [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN. - Report by distler AT golem ph utexas edu. - - (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from - article by genty at austin.ibm.com, included with the author's permission. - - (dtucker) OpenBSD CVS Sync - - markus@cvs.openbsd.org 2003/09/18 07:52:54 - [sshconnect.c] - missing {}; bug #656; jclonguet at free.fr - - markus@cvs.openbsd.org 2003/09/18 07:54:48 - [buffer.c] - protect against double free; #660; zardoz at users.sf.net - - markus@cvs.openbsd.org 2003/09/18 07:56:05 - [authfile.c] - missing buffer_free(&encrypted); #662; zardoz at users.sf.net - - markus@cvs.openbsd.org 2003/09/18 08:49:45 - [deattack.c misc.c session.c ssh-agent.c] - more buffer allocation fixes; from Solar Designer; CAN-2003-0682; - ok millert@ - - miod@cvs.openbsd.org 2003/09/18 13:02:21 - [authfd.c bufaux.c dh.c mac.c ssh-keygen.c] - A few signedness fixes for harmless situations; markus@ ok - - markus@cvs.openbsd.org 2003/09/19 09:02:02 - [packet.c] - buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471 - - markus@cvs.openbsd.org 2003/09/19 09:03:00 - [buffer.c] - sign fix in buffer_dump; Jedi/Sector One; pr 3473 - - markus@cvs.openbsd.org 2003/09/19 11:29:40 - [ssh-agent.c] - provide a ssh-agent specific fatal() function; ok deraadt - - markus@cvs.openbsd.org 2003/09/19 11:30:39 - [ssh-keyscan.c] - avoid fatal_cleanup, just call exit(); ok deraadt - - markus@cvs.openbsd.org 2003/09/19 11:31:33 - [channels.c] - do not call channel_free_all on fatal; ok deraadt - - markus@cvs.openbsd.org 2003/09/19 11:33:09 - [packet.c sshd.c] - do not call packet_close on fatal; ok deraadt - - markus@cvs.openbsd.org 2003/09/19 17:40:20 - [scp.c] - error handling for remote-remote copy; #638; report Harald Koenig; - ok millert, fgs, henning, deraadt - - markus@cvs.openbsd.org 2003/09/19 17:43:35 - [clientloop.c sshtty.c sshtty.h] - remove fatal callbacks from client code; ok deraadt - - (bal) "extration" -> "extraction" in ssh-rand-helper.c; repoted by john - on #unixhelp@efnet - - (tim) [configure.ac] add --disable-etc-default-login option. ok djm - - (djm) Sync with V_3_7 branch: - - (djm) Fix SSH1 challenge kludge - - (djm) Bug #671: Fix builds on OpenBSD - - (djm) Bug #676: Fix PAM stack corruption - - (djm) Fix bad free() in PAM code - - (djm) Don't call pam_end before pam_init - - (djm) Enable build with old OpenSSL again - - (djm) Trim deprecated options from INSTALL. Mention UsePAM - - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu + pedantic: signed vs. unsigned, void*-arithm, etc + - [ssh.1 sshd.8] + Various cleanups and standardizations. + - Runtime error fix for HPUX from Otmar Stahl + + +20000316 + - Fixed configure not passing LDFLAGS to Solaris. Report from David G. + Hesprich + - Propogate LD through to Makefile + - Doc cleanups + - Added blurb about "scp: command not found" errors to UPGRADING + +20000315 + - Fix broken CFLAGS handling during search for OpenSSL. Fixes va_list + problems with gcc/Solaris. + - Don't free argument to putenv() after use (in setenv() replacement). + Report from Seigo Tanimura + - Created contrib/ subdirectory. Included helpers from Phil Hands' + Debian package, README file and chroot patch from Ricardo Cerqueira + + - Moved gnome-ssh-askpass.c to contrib directory and removed config + option. + - Slight cleanup to doc files + - Configure fix from Bratislav ILICH + +20000314 + - Include macro for IN6_IS_ADDR_V4MAPPED. Report from + peter@frontierflying.com + - Include /usr/local/include and /usr/local/lib for systems that don't + do it themselves + - -R/usr/local/lib for Solaris + - Fix RSAref detection + - Fix IN6_IS_ADDR_V4MAPPED macro + +20000311 + - Detect RSAref + - OpenBSD CVS change + [sshd.c] + - disallow guessing of root password + - More configure fixes + - IPv6 workarounds from Hideaki YOSHIFUJI + +20000309 + - OpenBSD CVS updates to v1.2.3 + [ssh.h atomicio.c] + - int atomicio -> ssize_t (for alpha). ok deraadt@ + [auth-rsa.c] + - delay MD5 computation until client sends response, free() early, cleanup. + [cipher.c] + - void* -> unsigned char*, ok niels@ + [hostfile.c] + - remove unused variable 'len'. fix comments. + - remove unused variable + [log-client.c log-server.c] + - rename a cpp symbol, to avoid param.h collision + [packet.c] + - missing xfree() + - getsockname() requires initialized tolen; andy@guildsoftware.com + - use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; + from Holger.Trapp@Informatik.TU-Chemnitz.DE + [pty.c pty.h] + - register cleanup for pty earlier. move code for pty-owner handling to + pty.c ok provos@, dugsong@ + [readconf.c] + - turn off x11-fwd for the client, too. + [rsa.c] + - PKCS#1 padding + [scp.c] + - allow '.' in usernames; from jedgar@fxp.org + [servconf.c] + - typo: ignore_user_known_hosts int->flag; naddy@mips.rhein-neckar.de + - sync with sshd_config + [ssh-keygen.c] + - enable ssh-keygen -l -f ~/.ssh/known_hosts, ok deraadt@ + [ssh.1] + - Change invalid 'CHAT' loglevel to 'VERBOSE' + [ssh.c] + - suppress AAAA query host when '-4' is used; from shin@nd.net.fujitsu.co.jp + - turn off x11-fwd for the client, too. + [sshconnect.c] + - missing xfree() + - retry rresvport_af(), too. from sumikawa@ebina.hitachi.co.jp. + - read error vs. "Connection closed by remote host" + [sshd.8] + - ie. -> i.e., + - do not link to a commercial page.. + - sync with sshd_config + [sshd.c] + - no need for poll.h; from bright@wintelcom.net + - log with level log() not fatal() if peer behaves badly. + - don't panic if client behaves strange. ok deraadt@ + - make no-port-forwarding for RSA keys deny both -L and -R style fwding + - delay close() of pty until the pty has been chowned back to root + - oops, fix comment, too. + - missing xfree() + - move XAUTHORITY to subdir. ok dugsong@. fixes debian bug #57907, too. + (http://cgi.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=57907) + - register cleanup for pty earlier. move code for pty-owner handling to + pty.c ok provos@, dugsong@ + - create x11 cookie file + - fix pr 1113, fclose() -> pclose(), todo: remote popen() + - version 1.2.3 + - Cleaned up + - Removed warning workaround for Linux and devpts filesystems (no longer + required after OpenBSD updates) + +20000308 + - Configure fix from Hiroshi Takekawa + +20000307 + - Released 1.2.2p1 + +20000305 + - Fix DEC compile fix + - Explicitly seed OpenSSL's PRNG before checking rsa_alive() + - Check for getpagesize in libucb.a if not found in libc. Fix for old + Solaris from Andre Lucas + - Check for libwrap if --with-tcp-wrappers option specified. Suggestion + Mate Wierdl + +20000303 + - Added "make host-key" target, Suggestion from Dominik Brettnacher + + - Don't permanently fail on bind() if getaddrinfo has more choices left for + us. Needed to work around messy IPv6 on Linux. Patch from Arkadiusz + Miskiewicz + - DEC Unix compile fix from David Del Piero + - Manpage fix from David Del Piero + +20000302 + - Big cleanup of autoconf code + - Rearranged to be a little more logical + - Added -R option for Solaris + - Rewrote OpenSSL detection code. Now uses AC_TRY_RUN with a test program + to detect library and header location _and_ ensure library has proper + RSA support built in (this is a problem with OpenSSL 0.9.5). + - Applied pty cleanup patch from markus.friedl@informatik.uni-erlangen.de + - Avoid warning message with Unix98 ptys + - Warning was valid - possible race condition on PTYs. Avoided using + platform-specific code. + - Document some common problems + - Allow root access to any key. Patch from + markus.friedl@informatik.uni-erlangen.de + +20000207 + - Removed SOCKS code. Will support through a ProxyCommand. + +20000203 + - Fixed SEGVs in authloop, fix from vbzoli@hbrt.hu + - Add --with-ssl-dir option + +20000202 + - Fix lastlog code for directory based lastlogs. Fix from Josh Durham + + - Documentation fixes from HARUYAMA Seigo + - Added URLs to Japanese translations of documents by HARUYAMA Seigo + + +20000201 + - Use socket pairs by default (instead of pipes). Prevents race condition + on several (buggy) OSs. Report and fix from tridge@linuxcare.com + +20000127 + - Seed OpenSSL's random number generator before generating RSA keypairs + - Split random collector into seperate file + - Compile fix from Andre Lucas + +20000126 + - Released 1.2.2 stable + + - NeXT keeps it lastlog in /usr/adm. Report from + mouring@newton.pconline.com + - Added note in UPGRADING re interop with commercial SSH using idea. + Report from Jim Knoble + - Fix linking order for Kerberos/AFS. Fix from Holget Trapp + + +20000125 + - Fix NULL pointer dereference in login.c. Fix from Andre Lucas + + - Reorder PAM initialisation so it does not mess up lastlog. Reported + by Andre Lucas + - Use preformatted manpages on SCO, report from Gary E. Miller + + - New URL for x11-ssh-askpass. + - Fixpaths was missing /etc/ssh_known_hosts. Report from Jim Knoble + + - Added 'DESTDIR' option to Makefile to ease package building. Patch from + Jim Knoble + - Updated RPM spec files to use DESTDIR + +20000124 + - Pick up version 1.2.2 from OpenBSD CVS (no changes, just version number + increment) + +20000123 + - OpenBSD CVS: + - [packet.c] + getsockname() requires initialized tolen; andy@guildsoftware.com + - AIX patch from Matt Richards and David Rankin + + - Fix lastlog support, patch from Andre Lucas + +20000122 + - Fix compilation of bsd-snprintf.c on Solaris, fix from Ben Taylor + + - Merge preformatted manpage patch from Andre Lucas + + - Make IPv4 use the default in RPM packages + - Irix uses preformatted manpages + - Missing htons() in bsd-bindresvport.c, fix from Holger Trapp + + - OpenBSD CVS updates: + - [packet.c] + use getpeername() in packet_connection_is_on_socket(), fixes sshd -i; + from Holger.Trapp@Informatik.TU-Chemnitz.DE + - [sshd.c] + log with level log() not fatal() if peer behaves badly. + - [readpass.c] + instead of blocking SIGINT, catch it ourselves, so that we can clean + the tty modes up and kill ourselves -- instead of our process group + leader (scp, cvs, ...) going away and leaving us in noecho mode. + people with cbreak shells never even noticed.. + - [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8] + ie. -> i.e., + +20000120 + - Don't use getaddrinfo on AIX + - Update to latest OpenBSD CVS: + - [auth-rsa.c] + - fix user/1056, sshd keeps restrictions; dbt@meat.net + - [sshconnect.c] + - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. + - destroy keys earlier + - split key exchange (kex) and user authentication (user-auth), + ok: provos@ + - [sshd.c] + - no need for poll.h; from bright@wintelcom.net + - disable agent fwding for proto 1.3, remove abuse of auth-rsa flags. + - split key exchange (kex) and user authentication (user-auth), + ok: provos@ + - Big manpage and config file cleanup from Andre Lucas + + - Re-added latest (unmodified) OpenBSD manpages + - Doc updates + - NetBSD patch from David Rankin and + Christos Zoulas + +20000119 + - SCO compile fixes from Gary E. Miller + - Compile fix from Darren_Hall@progressive.com + - Linux/glibc-2.1.2 takes a *long* time to look up names for AF_UNSPEC + addresses using getaddrinfo(). Added a configure switch to make the + default lookup mode AF_INET + +20000118 + - Fixed --with-pid-dir option + - Makefile fix from Gary E. Miller + - Compile fix for HPUX and Solaris from Andre Lucas + + +20000117 + - Clean up bsd-bindresvport.c. Use arc4random() for picking initial + port, ignore EINVAL errors (Linux) when searching for free port. + - Revert __snprintf -> snprintf aliasing. Apparently Solaris + __snprintf isn't. Report from Theo de Raadt + - Document location of Redhat PAM file in INSTALL. + - Fixed X11 forwarding bug on Linux. libc advertises AF_INET6 + INADDR_ANY_INIT addresses via getaddrinfo, but may not be able to + deliver (no IPv6 kernel support) + - Released 1.2.1pre27 + + - Fix rresvport_af failure errors (logic error in bsd-bindresvport.c) + - Fix --with-ipaddr-display option test. Fix from Jarno Huuskonen + + - Fix hang on logout if processes are still using the pty. Needs + further testing. + - Patch from Christos Zoulas + - Try $prefix first when looking for OpenSSL. + - Include sys/types.h when including sys/socket.h in test programs + - Substitute PID directory in sshd.8. Suggestion from Andrew + Stribblehill + +20000116 + - Renamed --with-xauth-path to --with-xauth + - Added --with-pid-dir option + - Released 1.2.1pre26 + + - Compilation fix from Kiyokazu SUTO + - Fixed broken bugfix for /dev/ptmx on Linux systems which lack + openpty(). Report from Kiyokazu SUTO + +20000115 + - Add --with-xauth-path configure directive and explicit test for + /usr/openwin/bin/xauth for Solaris systems. Report from Anders + Nordby + - Fix incorrect detection of /dev/ptmx on Linux systems that lack + openpty. Report from John Seifarth + - Look for intXX_t and u_intXX_t in sys/bitypes.h if they are not in + sys/types.h. Fixes problems on SCO, report from Gary E. Miller + + - Use __snprintf and __vnsprintf if they are found where snprintf and + vnsprintf are lacking. Suggested by Ben Taylor + and others. + +20000114 + - Merged OpenBSD IPv6 patch: + - [sshd.c sshd.8 sshconnect.c ssh.h ssh.c servconf.h servconf.c scp.1] + [scp.c packet.h packet.c login.c log.c canohost.c channels.c] + [hostfile.c sshd_config] + ipv6 support: mostly gethostbyname->getaddrinfo/getnameinfo, new + features: sshd allows multiple ListenAddress and Port options. note + that libwrap is not IPv6-ready. (based on patches from + fujiwara@rcac.tdi.co.jp) + - [ssh.c canohost.c] + more hints (hints.ai_socktype=SOCK_STREAM) for getaddrinfo, + from itojun@ + - [channels.c] + listen on _all_ interfaces for X11-Fwd (hints.ai_flags = AI_PASSIVE) + - [packet.h] + allow auth-kerberos for IPv4 only + - [scp.1 sshd.8 servconf.h scp.c] + document -4, -6, and 'ssh -L 2022/::1/22' + - [ssh.c] + 'ssh @host' is illegal (null user name), from + karsten@gedankenpolizei.de + - [sshconnect.c] + better error message + - [sshd.c] + allow auth-kerberos for IPv4 only + - Big IPv6 merge: + - Cleanup overrun in sockaddr copying on RHL 6.1 + - Replacements for getaddrinfo, getnameinfo, etc based on versions + from patch from KIKUCHI Takahiro + - Replacement for missing structures on systems that lack IPv6 + - record_login needed to know about AF_INET6 addresses + - Borrowed more code from OpenBSD: rresvport_af and requisites + +20000110 + - Fixes to auth-skey to enable it to use the standard OpenSSL libraries + +20000107 + - New config.sub and config.guess to fix problems on SCO. Supplied + by Gary E. Miller + - SCO build fix from Gary E. Miller + - Released 1.2.1pre25 + +20000106 + - Documentation update & cleanup + - Better KrbIV / AFS detection, based on patch from: + Holger Trapp + +20000105 + - Fixed annoying DES corruption problem. libcrypt has been + overriding symbols in libcrypto. Removed libcrypt and crypt.h + altogether (libcrypto includes its own crypt(1) replacement) + - Added platform-specific rules for Irix 6.x. Included warning that + they are untested. + +20000103 + - Add explicit make rules for files proccessed by fixpaths. + - Fix "make install" in RPM spec files. Report from Tenkou N. Hattori + + - Removed "nullok" directive from default PAM configuration files. + Added information on enabling EmptyPasswords on openssh+PAM in + UPGRADING file. + - OpenBSD CVS updates + - [ssh-agent.c] + cleanup_exit() for SIGTERM/SIGHUP, too. from fgsch@ and + dgaudet@arctic.org + - [sshconnect.c] + compare correct version for 1.3 compat mode + +20000102 + - Prevent multiple inclusion of config.h and defines.h. Suggested + by Andre Lucas + - Properly clean up on exit of ssh-agent. Patch from Dean Gaudet + + +19991231 + - Fix password support on systems with a mixture of shadowed and + non-shadowed passwords (e.g. NIS). Report and fix from + HARUYAMA Seigo + - Fix broken autoconf typedef detection. Report from Marc G. + Fournier + - Fix occasional crash on LinuxPPC. Patch from Franz Sirl + + - Prevent typedefs from being compiled more than once. Report from + Marc G. Fournier + - Fill in ut_utaddr utmp field. Report from Benjamin Charron + + - Really fix broken default path. Fix from Jim Knoble + + - Remove test for quad_t. No longer needed. + - Released 1.2.1pre24 + + - Added support for directory-based lastlogs + - Really fix typedefs, patch from Ben Taylor + +19991230 + - OpenBSD CVS updates: + - [auth-passwd.c] + check for NULL 1st + - Removed most of the pam code into its own file auth-pam.[ch]. This + cleaned up sshd.c up significantly. + - PAM authentication was incorrectly interpreting + "PermitRootLogin without-password". Report from Matthias Andree + + - Updated documentation with ./configure options + - Released 1.2.1pre23 + +19991229 + - Applied another NetBSD portability patch from David Rankin + + - Fix --with-default-path option. + - Autodetect perl, patch from David Rankin + + - Print whether OpenSSH was compiled with RSARef, patch from + Nalin Dahyabhai + - Calls to pam_setcred, patch from Nalin Dahyabhai + + - Detect missing size_t and typedef it. + - Rename helper.[ch] to (more appropriate) bsd-misc.[ch] + - Minor Makefile cleaning + +19991228 + - Replacement for getpagesize() for systems which lack it + - NetBSD login.c compile fix from David Rankin + + - Fully set ut_tv if present in utmp or utmpx + - Portability fixes for Irix 5.3 (now compiles OK!) + - autoconf and other misc cleanups + - Merged AIX patch from Darren Hall + - Cleaned up defines.h + - Released 1.2.1pre22 + +19991227 + - Automatically correct paths in manpages and configuration files. Patch + and script from Andre Lucas + - Removed credits from README to CREDITS file, updated. + - Added --with-default-path to specify custom path for server + - Removed #ifdef trickery from acconfig.h into defines.h + - PAM bugfix. PermitEmptyPassword was being ignored. + - Fixed PAM config files to allow empty passwords if server does. + - Explained spurious PAM auth warning workaround in UPGRADING + - Use last few chars of tty line as ut_id + - New SuSE RPM spec file from Chris Saia + - OpenBSD CVS updates: + - [packet.h auth-rhosts.c] + check format string for packet_disconnect and packet_send_debug, too + - [channels.c] + use packet_get_maxsize for channels. consistence. + +19991226 + - Enabled utmpx support by default for Solaris + - Cleanup sshd.c PAM a little more + - Revised RPM package to include Jim Knoble's + X11 ssh-askpass program. + - Disable logging of PAM success and failures, PAM is verbose enough. + Unfortunatly there is currently no way to disable auth failure + messages. Mention this in UPGRADING file and sent message to PAM + developers + - OpenBSD CVS update: + - [ssh-keygen.1 ssh.1] + remove ref to .ssh/random_seed, mention .ssh/environment in + .Sh FILES, too + - Released 1.2.1pre21 + - Fixed implicit '.' in default path, report from Jim Knoble + + - Redhat RPM spec fixes from Jim Knoble + +19991225 + - More fixes from Andre Lucas + - Cleanup of auth-passwd.c for shadow and MD5 passwords + - Cleanup and bugfix of PAM authentication code + - Released 1.2.1pre20 + + - Merged fixes from Ben Taylor + - Fixed configure support for PAM. Reported by Naz <96na@eng.cam.ac.uk> + - Disabled logging of PAM password authentication failures when password + is empty. (e.g start of authentication loop). Reported by Naz + <96na@eng.cam.ac.uk>) + +19991223 + - Merged later HPUX patch from Andre Lucas + + - Above patch included better utmpx support from Ben Taylor + + +19991222 + - Fix undefined fd_set type in ssh.h from Povl H. Pedersen + + - Fix login.c breakage on systems which lack ut_host in struct + utmp. Reported by Willard Dawson + +19991221 + - Integration of large HPUX patch from Andre Lucas + . Integrating it had a few other + benefits: + - Ability to disable shadow passwords at configure time + - Ability to disable lastlog support at configure time + - Support for IP address in $DISPLAY + - OpenBSD CVS update: + - [sshconnect.c] + say "REMOTE HOST IDENTIFICATION HAS CHANGED" + - Fix DISABLE_SHADOW support + - Allow MD5 passwords even if shadow passwords are disabled + - Release 1.2.1pre19 + +19991218 + - Redhat init script patch from Chun-Chung Chen + + - Avoid breakage on systems without IPv6 headers + +19991216 + - Makefile changes for Solaris from Peter Kocks + + - Minor updates to docs + - Merged OpenBSD CVS changes: + - [authfd.c ssh-agent.c] + keysize warnings talk about identity files + - [packet.c] + "Connection closed by x.x.x.x": fatal() -> log() + - Correctly handle empty passwords in shadow file. Patch from: + "Chris, the Young One" + - Released 1.2.1pre18 + +19991215 + - Integrated patchs from Juergen Keil + - Avoid void* pointer arithmatic + - Use LDFLAGS correctly + - Fix SIGIO error in scp + - Simplify status line printing in scp + - Added better test for inline functions compiler support from + Darren_Hall@progressive.com + +19991214 + - OpenBSD CVS Changes + - [canohost.c] + fix get_remote_port() and friends for sshd -i; + Holger.Trapp@Informatik.TU-Chemnitz.DE + - [mpaux.c] + make code simpler. no need for memcpy. niels@ ok + - [pty.c] + namebuflen not sizeof namebuflen; bnd@ep-ag.com via djm@mindrot.org + fix proto; markus + - [ssh.1] + typo; mark.baushke@solipsa.com + - [channels.c ssh.c ssh.h sshd.c] + type conflict for 'extern Type *options' in channels.c; dot@dotat.at + - [sshconnect.c] + move checking of hostkey into own function. + - [version.h] + OpenSSH-1.2.1 + - Clean up broken includes in pty.c + - Some older systems don't have poll.h, they use sys/poll.h instead + - Doc updates + +19991211 + - Fix compilation on systems with AFS. Reported by + aloomis@glue.umd.edu + - Fix installation on Solaris. Reported by + Gordon Rowell + - Fix gccisms (__attribute__ and inline). Report by edgy@us.ibm.com, + patch from Markus Friedl + - Auto-locate xauth. Patch from David Agraz + - Compile fix from David Agraz + - Avoid compiler warning in bsd-snprintf.c + - Added pam_limits.so to default PAM config. Suggested by + Jim Knoble + +19991209 + - Import of patch from Ben Taylor : + - Improved PAM support + - "uninstall" rule for Makefile + - utmpx support + - Should fix PAM problems on Solaris + - OpenBSD CVS updates: + - [readpass.c] + avoid stdio; based on work by markus, millert, and I + - [sshd.c] + make sure the client selects a supported cipher + - [sshd.c] + fix sighup handling. accept would just restart and daemon handled + sighup only after the next connection was accepted. use poll on + listen sock now. + - [sshd.c] + make that a fatal + - Applied patch from David Rankin + to fix libwrap support on NetBSD + - Released 1.2pre17 + +19991208 + - Compile fix for Solaris with /dev/ptmx from + David Agraz + +19991207 + - sshd Redhat init script patch from Jim Knoble + fixes compatability with 4.x and 5.x + - Fixed default SSH_ASKPASS + - Fix PAM account and session being called multiple times. Problem + reported by Adrian Baugh + - Merged more OpenBSD changes: + - [atomicio.c authfd.c scp.c serverloop.c ssh.h sshconnect.c sshd.c] + move atomicio into it's own file. wrap all socket write()s which + were doing write(sock, buf, len) != len, with atomicio() calls. + - [auth-skey.c] + fd leak + - [authfile.c] + properly name fd variable + - [channels.c] + display great hatred towards strcpy + - [pty.c pty.h sshd.c] + use openpty() if it exists (it does on BSD4_4) + - [tildexpand.c] + check for ~ expansion past MAXPATHLEN + - Modified helper.c to use new atomicio function. + - Reformat Makefile a little + - Moved RC4 routines from rc4.[ch] into helper.c + - Added autoconf code to detect /dev/ptmx (Solaris) and /dev/ptc (AIX) + - Updated SuSE spec from Chris Saia + - Tweaked Redhat spec + - Clean up bad imports of a few files (forgot -kb) + - Released 1.2pre16 + +19991204 + - Small cleanup of PAM code in sshd.c + - Merged OpenBSD CVS changes: + - [auth-krb4.c auth-passwd.c auth-skey.c ssh.h] + move skey-auth from auth-passwd.c to auth-skey.c, same for krb4 + - [auth-rsa.c] + warn only about mismatch if key is _used_ + warn about keysize-mismatch with log() not error() + channels.c readconf.c readconf.h ssh.c ssh.h sshconnect.c + ports are u_short + - [hostfile.c] + indent, shorter warning + - [nchan.c] + use error() for internal errors + - [packet.c] + set loglevel for SSH_MSG_DISCONNECT to log(), not fatal() + serverloop.c + indent + - [ssh-add.1 ssh-add.c ssh.h] + document $SSH_ASKPASS, reasonable default + - [ssh.1] + CheckHostIP is not available for connects via proxy command + - [sshconnect.c] + typo + easier to read client code for passwd and skey auth + turn of checkhostip for proxy connects, since we don't know the remote ip + +19991126 + - Add definition for __P() + - Added [v]snprintf() replacement for systems that lack it + +19991125 + - More reformatting merged from OpenBSD CVS + - Merged OpenBSD CVS changes: + - [channels.c] + fix packet_integrity_check() for !have_hostname_in_open. + report from mrwizard@psu.edu via djm@ibs.com.au + - [channels.c] + set SO_REUSEADDR and SO_LINGER for forwarded ports. + chip@valinux.com via damien@ibs.com.au + - [nchan.c] + it's not an error() if shutdown_write failes in nchan. + - [readconf.c] + remove dead #ifdef-0-code + - [readconf.c servconf.c] + strcasecmp instead of tolower + - [scp.c] + progress meter overflow fix from damien@ibs.com.au + - [ssh-add.1 ssh-add.c] + SSH_ASKPASS support + - [ssh.1 ssh.c] + postpone fork_after_authentication until command execution, + request/patch from jahakala@cc.jyu.fi via damien@ibs.com.au + plus: use daemon() for backgrounding + - Added BSD compatible install program and autoconf test, thanks to + Niels Kristian Bech Jensen + - Solaris fixing, thanks to Ben Taylor + - Merged beginnings of AIX support from Tor-Ake Fransson + - Release 1.2pre15 + +19991124 + - Merged very large OpenBSD source code reformat + - OpenBSD CVS updates + - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c] + [ssh.h sshd.8 sshd.c] + syslog changes: + * Unified Logmessage for all auth-types, for success and for failed + * Standard connections get only ONE line in the LOG when level==LOG: + Auth-attempts are logged only, if authentication is: + a) successfull or + b) with passwd or + c) we had more than AUTH_FAIL_LOG failues + * many log() became verbose() + * old behaviour with level=VERBOSE + - [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c] + tranfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE + messages. allows use of s/key in windows (ttssh, securecrt) and + ssh-1.2.27 clients without 'ssh -v', ok: niels@ + - [sshd.8] + -V, for fallback to openssh in SSH2 compatibility mode + - [sshd.c] + fix sigchld race; cjc5@po.cwru.edu + +19991123 + - Added SuSE package files from Chris Saia + - Restructured package-related files under packages/* + - Added generic PAM config + - Numerous little Solaris fixes + - Add recommendation to use GNU make to INSTALL document + +19991122 + - Make close gnome-ssh-askpass (Debian bug #50299) + - OpenBSD CVS Changes + - [ssh-keygen.c] + don't create ~/.ssh only if the user wants to store the private + key there. show fingerprint instead of public-key after + keygeneration. ok niels@ + - Added OpenBSD bsd-strlcat.c, created bsd-strlcat.h + - Added timersub() macro + - Tidy RCSIDs of bsd-*.c + - Added autoconf test and macro to deal with old PAM libraries + pam_strerror definition (one arg vs two). + - Fix EGD problems (Thanks to Ben Taylor ) + - Retry /dev/urandom reads interrupted by signal (report from + Robert Hardy ) + - Added a setenv replacement for systems which lack it + - Only display public key comment when presenting ssh-askpass dialog + - Released 1.2pre14 + + - Configure, Make and changelog corrections from Tudor Bosman + and Niels Kristian Bech Jensen + +19991121 + - OpenBSD CVS Changes: + - [channels.c] + make this compile, bad markus + - [log.c readconf.c servconf.c ssh.h] + bugfix: loglevels are per host in clientconfig, + factor out common log-level parsing code. + - [servconf.c] + remove unused index (-Wall) + - [ssh-agent.c] + only one 'extern char *__progname' + - [sshd.8] + document SIGHUP, -Q to synopsis + - [sshconnect.c serverloop.c sshd.c packet.c packet.h] + [channels.c clientloop.c] + SSH_CMSG_MAX_PACKET_SIZE, some clients use this, some need this, niels@ + [hope this time my ISP stays alive during commit] + - [OVERVIEW README] typos; green@freebsd + - [ssh-keygen.c] + replace xstrdup+strcat with strlcat+fixed buffer, fixes OF (bad me) + exit if writing the key fails (no infinit loop) + print usage() everytime we get bad options + - [ssh-keygen.c] overflow, djm@mindrot.org + - [sshd.c] fix sigchld race; cjc5@po.cwru.edu + +19991120 + - Merged more Solaris support from Marc G. Fournier + + - Wrote autoconf tests for integer bit-types + - Fixed enabling kerberos support + - Fix segfault in ssh-keygen caused by buffer overrun in filename + handling. + +19991119 + - Merged PAM buffer overrun patch from Chip Salzenberg + - Merged OpenBSD CVS changes + - [auth-rhosts.c auth-rsa.c ssh-agent.c sshconnect.c sshd.c] + more %d vs. %s in fmt-strings + - [authfd.c] + Integers should not be printed with %s + - EGD uses a socket, not a named pipe. Duh. + - Fix includes in fingerprint.c + - Fix scp progress bar bug again. + - Move ssh-askpass from ${libdir}/ssh to ${libexecdir}/ssh at request of + David Rankin + - Added autoconf option to enable Kerberos 4 support (untested) + - Added autoconf option to enable AFS support (untested) + - Added autoconf option to enable S/Key support (untested) + - Added autoconf option to enable TCP wrappers support (compiles OK) + - Renamed BSD helper function files to bsd-* + - Added tests for login and daemon and enable OpenBSD replacements for + when they are absent. + - Added non-PAM MD5 password support patch from Tudor Bosman + +19991118 + - Merged OpenBSD CVS changes + - [scp.c] foregroundproc() in scp + - [sshconnect.h] include fingerprint.h + - [sshd.c] bugfix: the log() for passwd-auth escaped during logging + changes. + - [ssh.1] Spell my name right. + - Added openssh.com info to README + +19991117 + - Merged OpenBSD CVS changes + - [ChangeLog.Ylonen] noone needs this anymore + - [authfd.c] close-on-exec for auth-socket, ok deraadt + - [hostfile.c] + in known_hosts key lookup the entry for the bits does not need + to match, all the information is contained in n and e. This + solves the problem with buggy servers announcing the wrong + modulus length. markus and me. + - [serverloop.c] + bugfix: check for space if child has terminated, from: + iedowse@maths.tcd.ie + - [ssh-add.1 ssh-add.c ssh-keygen.1 ssh-keygen.c sshconnect.c] + [fingerprint.c fingerprint.h] + rsa key fingerprints, idea from Bjoern Groenvall + - [ssh-agent.1] typo + - [ssh.1] add OpenSSH information to AUTHOR section. okay markus@ + - [sshd.c] + force logging to stderr while loading private key file + (lost while converting to new log-levels) + +19991116 + - Fix some Linux libc5 problems reported by Miles Wilson + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c auth-rsa.c authfd.c authfd.h hostfile.c mpaux.c] + [mpaux.h ssh-add.c ssh-agent.c ssh.h ssh.c sshd.c] + the keysize of rsa-parameter 'n' is passed implizit, + a few more checks and warnings about 'pretended' keysizes. + - [cipher.c cipher.h packet.c packet.h sshd.c] + remove support for cipher RC4 + - [ssh.c] + a note for legay systems about secuity issues with permanently_set_uid(), + the private hostkey and ptrace() + - [sshconnect.c] + more detailed messages about adding and checking hostkeys + +19991115 + - Merged OpenBSD CVS changes: + - [ssh-add.c] change passphrase loop logic and remove ref to + $DISPLAY, ok niels + - Changed to ssh-add.c broke askpass support. Revised it to be a little more + modular. + - Revised autoconf support for enabling/disabling askpass support. + - Merged more OpenBSD CVS changes: + [auth-krb4.c] + - disconnect if getpeername() fails + - missing xfree(*client) + [canohost.c] + - disconnect if getpeername() fails + - fix comment: we _do_ disconnect if ip-options are set + [sshd.c] + - disconnect if getpeername() fails + - move checking of remote port to central place + [auth-rhosts.c] move checking of remote port to central place + [log-server.c] avoid extra fd per sshd, from millert@ + [readconf.c] print _all_ bad config-options in ssh(1), too + [readconf.h] print _all_ bad config-options in ssh(1), too + [ssh.c] print _all_ bad config-options in ssh(1), too + [sshconnect.c] disconnect if getpeername() fails + - OpenBSD's changes to sshd.c broke the PAM stuff, re-merged it. + - Various small cleanups to bring diff (against OpenBSD) size down. + - Merged more Solaris compability from Marc G. Fournier + + - Wrote autoconf tests for __progname symbol + - RPM spec file fixes from Jim Knoble + - Released 1.2pre12 + + - Another OpenBSD CVS update: + - [ssh-keygen.1] fix .Xr + +19991114 + - Solaris compilation fixes (still imcomplete) + +19991113 + - Build patch from Niels Kristian Bech Jensen + - Don't install config files if they already exist + - Fix inclusion of additional preprocessor directives from acconfig.h + - Removed redundant inclusions of config.h + - Added 'Obsoletes' lines to RPM spec file + - Merged OpenBSD CVS changes: + - [bufaux.c] save a view malloc/memcpy/memset/free's, ok niels + - [scp.c] fix overflow reported by damien@ibs.com.au: off_t + totalsize, ok niels,aaron + - Delay fork (-f option) in ssh until after port forwarded connections + have been initialised. Patch from Jani Hakala + - Added shadow password patch from Thomas Neumann + - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled + - Tidied default config file some more + - Revised Redhat initscript to fix bug: sshd (re)start would fail + if executed from inside a ssh login. + +19991112 + - Merged changes from OpenBSD CVS + - [sshd.c] session_key_int may be zero + - [auth-rh-rsa.c servconf.c servconf.h ssh.h sshd.8 sshd.c sshd_config] + IgnoreUserKnownHosts(default=no), used for RhostRSAAuth, ok + deraadt,millert + - Brought default sshd_config more in line with OpenBSD's + - Grab server in gnome-ssh-askpass (Debian bug #49872) + - Released 1.2pre10 + + - Added INSTALL documentation + - Merged yet more changes from OpenBSD CVS + - [auth-rh-rsa.c auth-rhosts.c auth-rsa.c channels.c clientloop.c] + [ssh.c ssh.h sshconnect.c sshd.c] + make all access to options via 'extern Options options' + and 'extern ServerOptions options' respectively; + options are no longer passed as arguments: + * make options handling more consistent + * remove #include "readconf.h" from ssh.h + * readconf.h is only included if necessary + - [mpaux.c] clear temp buffer + - [servconf.c] print _all_ bad options found in configfile + - Make ssh-askpass support optional through autoconf + - Fix nasty division-by-zero error in scp.c + - Released 1.2pre11 + +19991111 + - Added (untested) Entropy Gathering Daemon (EGD) support + - Fixed /dev/urandom fd leak (Debian bug #49722) + - Merged OpenBSD CVS changes: + - [auth-rh-rsa.c] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [ssh.1] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - [sshd.8] user/958: check ~/.ssh/known_hosts for rhosts-rsa, too + - Fix integer overflow which was messing up scp's progress bar for large + file transfers. Fix submitted to OpenBSD developers. Report and fix + from Kees Cook + - Merged more OpenBSD CVS changes: + - [auth-krb4.c auth-passwd.c] remove x11- and krb-cleanup from fatal() + + krb-cleanup cleanup + - [clientloop.c log-client.c log-server.c ] + [readconf.c readconf.h servconf.c servconf.h ] + [ssh.1 ssh.c ssh.h sshd.8] + add LogLevel {QUIET, FATAL, ERROR, INFO, CHAT, DEBUG} to ssh/sshd, + obsoletes QuietMode and FascistLogging in sshd. + - [sshd.c] fix fatal/assert() bug reported by damien@ibs.com.au: + allow session_key_int != sizeof(session_key) + [this should fix the pre-assert-removal-core-files] + - Updated default config file to use new LogLevel option and to improve + readability + +19991110 + - Merged several minor fixes: + - ssh-agent commandline parsing + - RPM spec file now installs ssh setuid root + - Makefile creates libdir + - Merged beginnings of Solaris compability from Marc G. Fournier + + +19991109 + - Autodetection of SSL/Crypto library location via autoconf + - Fixed location of ssh-askpass to follow autoconf + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Autodetection of RSAref library for US users + - Minor doc updates + - Merged OpenBSD CVS changes: + - [rsa.c] bugfix: use correct size for memset() + - [sshconnect.c] warn if announced size of modulus 'n' != real size + - Added GNOME passphrase requestor (use --with-gnome-askpass) + - RPM build now creates subpackages + - Released 1.2pre9 + +19991108 + - Removed debian/ directory. This is now being maintained separately. + - Added symlinks for slogin in RPM spec file + - Fixed permissions on manpages in RPM spec file + - Added references to required libraries in README file + - Removed config.h.in from CVS + - Removed pwdb support (better pluggable auth is provided by glibc) + - Made PAM and requisite libdl optional + - Removed lots of unnecessary checks from autoconf + - Added support and autoconf test for openpty() function (Unix98 pty support) + - Fix for scp not finding ssh if not installed as /usr/bin/ssh + - Added TODO file + - Merged parts of Debian patch From Phil Hands : + - Added ssh-askpass program + - Added ssh-askpass support to ssh-add.c + - Create symlinks for slogin on install + - Fix "distclean" target in makefile + - Added example for ssh-agent to manpage + - Added support for PAM_TEXT_INFO messages + - Disable internal /etc/nologin support if PAM enabled + - Merged latest OpenBSD CVS changes: + - [all] replace assert() with error, fatal or packet_disconnect + - [sshd.c] don't send fail-msg but disconnect if too many authentication + failures + - [sshd.c] remove unused argument. ok dugsong + - [sshd.c] typo + - [rsa.c] clear buffers used for encryption. ok: niels + - [rsa.c] replace assert() with error, fatal or packet_disconnect + - [auth-krb4.c] remove unused argument. ok dugsong + - Fixed coredump after merge of OpenBSD rsa.c patch + - Released 1.2pre8 + +19991102 + - Merged change from OpenBSD CVS + - One-line cleanup in sshd.c + +19991030 + - Integrated debian package support from Dan Brosemer + - Merged latest updates for OpenBSD CVS: + - channels.[ch] - remove broken x11 fix and document istate/ostate + - ssh-agent.c - call setsid() regardless of argv[] + - ssh.c - save a few lines when disabling rhosts-{rsa-}auth + - Documentation cleanups + - Renamed README -> README.Ylonen + - Renamed README.openssh ->README + +19991029 + - Renamed openssh* back to ssh* at request of Theo de Raadt + - Incorporated latest changes from OpenBSD's CVS + - Integrated Makefile patch from Niels Kristian Bech Jensen + - Integrated PAM env patch from Nalin Dahyabhai + - Make distclean now removed configure script + - Improved PAM logging + - Added some debug() calls for PAM + - Removed redundant subdirectories + - Integrated part of a patch from Dan Brosemer for + building on Debian. + - Fixed off-by-one error in PAM env patch + - Released 1.2pre6 + +19991028 + - Further PAM enhancements. + - Much cleaner + - Now uses account and session modules for all logins. + - Integrated patch from Dan Brosemer + - Build fixes + - Autoconf + - Change binary names to open* + - Fixed autoconf script to detect PAM on RH6.1 + - Added tests for libpwdb, and OpenBSD functions to autoconf + - Released 1.2pre4 + + - Imported latest OpenBSD CVS code + - Updated README.openssh + - Released 1.2pre5 + +19991027 + - Adapted PAM patch. + - Released 1.0pre2 + + - Excised my buggy replacements for strlcpy and mkdtemp + - Imported correct OpenBSD strlcpy and mkdtemp routines. + - Reduced arc4random_stir entropy read to 32 bytes (256 bits) + - Picked up correct version number from OpenBSD + - Added sshd.pam PAM configuration file + - Added sshd.init Redhat init script + - Added openssh.spec RPM spec file + - Released 1.2pre3 + +19991026 + - Fixed include paths of OpenSSL functions + - Use OpenSSL MD5 routines + - Imported RC4 code from nanocrypt + - Wrote replacements for OpenBSD arc4random* functions + - Wrote replacements for strlcpy and mkdtemp + - Released 1.0pre1 $Id$