]> andersk Git - openssh.git/blame - ChangeLog
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- dtucker@cvs.openbsd.org 2010/01/10 03:51:17
[openssh.git] / ChangeLog
CommitLineData
70dd663d 120091210
2 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
3 Remove hacks add for RoutingDomain in preparation for its removal.
04b061c4 4 - (dtucker) OpenBSD CVS Sync
16d64584 5 - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
6 [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
7 ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
8 readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
9 Remove RoutingDomain from ssh since it's now not needed. It can be
10 replaced with "route exec" or "nc -V" as a proxycommand. "route exec"
11 also ensures that trafic such as DNS lookups stays withing the specified
12 routingdomain. For example (from reyk):
13 # route -T 2 exec /usr/sbin/sshd
14 or inherited from the parent process
15 $ route -T 2 exec sh
16 $ ssh 10.1.2.3
17 ok deraadt@ markus@ stevesk@ reyk@
04b061c4 18 - dtucker@cvs.openbsd.org 2010/01/10 03:51:17
19 [servconf.c]
20 Add ChrootDirectory to sshd.c test-mode output
70dd663d 21
17073b5e 2220091209
23 - (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't
24 have it.
d59ac96c 25 - (dtucker) [defines.h] define PRIu64 for platforms that don't have it.
2d7536f6 26 - (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef.
5dec7926 27 - (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name
28 when using utmpx. Patch from Ed Schouten.
250caf33 29 - (dtucker) OpenBSD CVS Sync
30 - djm@cvs.openbsd.org 2010/01/09 00:20:26
31 [sftp-server.c sftp-server.8]
32 add a 'read-only' mode to sftp-server(8) that disables open in write mode
33 and all other fs-modifying protocol methods. bz#430 ok dtucker@
29c7b6ce 34 - djm@cvs.openbsd.org 2010/01/09 00:57:10
35 [PROTOCOL]
36 tweak language
0752feb3 37 - jmc@cvs.openbsd.org 2010/01/09 03:36:00
38 [sftp-server.8]
39 bad place to forget a comma...
ccd01778 40 - djm@cvs.openbsd.org 2010/01/09 05:04:24
41 [mux.c sshpty.h clientloop.c sshtty.c]
42 quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
43 usually don't actually have a tty to read/set; bz#1686 ok dtucker@
7b610012 44 - dtucker@cvs.openbsd.org 2010/01/09 05:17:00
45 [roaming_client.c]
46 Remove a PRIu64 format string that snuck in with roaming. ok djm@
96fc1b1b 47 - dtucker@cvs.openbsd.org 2010/01/09 11:13:02
48 [sftp.c]
49 Prevent sftp from derefing a null pointer when given a "-" without a
50 command. Also, allow whitespace to follow a "-". bz#1691, path from
51 Colin Watson via Debian. ok djm@ deraadt@
1e0e398c 52 - dtucker@cvs.openbsd.org 2010/01/09 11:17:56
53 [sshd.c]
54 Afer sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs
55 itself. Prevents two HUPs in quick succession from resulting in sshd
56 dying. bz#1692, patch from Colin Watson via Ubuntu.
ce27af32 57 - (dtucker) [defines.h] Remove now-undeeded PRIu64 define.
17073b5e 58
1270be26 5920091208
60 - (dtucker) OpenBSD CVS Sync
61 - andreas@cvs.openbsd.org 2009/10/24 11:11:58
62 [roaming.h]
63 Declarations needed for upcoming changes.
64 ok markus@
d8b0d145 65 - andreas@cvs.openbsd.org 2009/10/24 11:13:54
66 [sshconnect2.c kex.h kex.c]
67 Let the client detect if the server supports roaming by looking
68 for the resume@appgate.com kex algorithm.
69 ok markus@
bb466eca 70 - andreas@cvs.openbsd.org 2009/10/24 11:15:29
71 [clientloop.c]
72 client_loop() must detect if the session has been suspended and resumed,
73 and take appropriate action in that case.
74 From Martin Forssen, maf at appgate dot com
d33822b7 75 - andreas@cvs.openbsd.org 2009/10/24 11:19:17
76 [ssh2.h]
77 Define the KEX messages used when resuming a suspended connection.
bb466eca 78 ok markus@
60751dff 79 - andreas@cvs.openbsd.org 2009/10/24 11:22:37
80 [roaming_common.c]
81 Do the actual suspend/resume in the client. This won't be useful until
82 the server side supports roaming.
83 Most code from Martin Forssen, maf at appgate dot com. Some changes by
84 me and markus@
85 ok markus@
1cb94277 86 - andreas@cvs.openbsd.org 2009/10/24 11:23:42
87 [ssh.c]
88 Request roaming to be enabled if UseRoaming is true and the server
89 supports it.
90 ok markus@
fe7dba42 91 - reyk@cvs.openbsd.org 2009/10/28 16:38:18
92 [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
93 channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
94 sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
95 Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
96 ok markus@
d92c9eaa 97 - jmc@cvs.openbsd.org 2009/10/28 21:45:08
98 [sshd_config.5 sftp.1]
99 tweak previous;
a30caa92 100 - djm@cvs.openbsd.org 2009/11/10 02:56:22
101 [ssh_config.5]
102 explain the constraints on LocalCommand some more so people don't
103 try to abuse it.
09367de8 104 - djm@cvs.openbsd.org 2009/11/10 02:58:56
105 [sshd_config.5]
106 clarify that StrictModes does not apply to ChrootDirectory. Permissions
107 and ownership are always checked when chrooting. bz#1532
fe5bc072 108 - dtucker@cvs.openbsd.org 2009/11/10 04:30:45
109 [sshconnect2.c channels.c sshconnect.c]
110 Set close-on-exec on various descriptors so they don't get leaked to
111 child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
7501ed0d 112 - markus@cvs.openbsd.org 2009/11/11 21:37:03
113 [channels.c channels.h]
114 fix race condition in x11/agent channel allocation: don't read after
115 the end of the select read/write fdset and make sure a reused FD
116 is not touched before the pre-handlers are called.
117 with and ok djm@
851d192b 118 - djm@cvs.openbsd.org 2009/11/17 05:31:44
119 [clientloop.c]
120 fix incorrect exit status when multiplexing and channel ID 0 is recycled
121 bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
0cc9aecf 122 - djm@cvs.openbsd.org 2009/11/19 23:39:50
123 [session.c]
124 bz#1606: error when an attempt is made to connect to a server
125 with ForceCommand=internal-sftp with a shell session (i.e. not a
126 subsystem session). Avoids stuck client when attempting to ssh to such a
127 service. ok dtucker@
f69e651d 128 - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
129 [session.c]
130 Warn but do not fail if stat()ing the subsystem binary fails. This helps
131 with chrootdirectory+forcecommand=sftp-server and restricted shells.
132 bz #1599, ok djm.
b3534d29 133 - djm@cvs.openbsd.org 2009/11/20 00:54:01
134 [sftp.c]
135 bz#1588 change "Connecting to host..." message to "Connected to host."
136 and delay it until after the sftp protocol connection has been established.
137 Avoids confusing sequence of messages when the underlying ssh connection
138 experiences problems. ok dtucker@
db528a58 139 - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
140 [sshconnect2.c]
141 Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
704709cf 142 - djm@cvs.openbsd.org 2009/11/20 03:24:07
143 [misc.c]
144 correct off-by-one in percent_expand(): we would fatal() when trying
145 to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
146 work. Note that nothing in OpenSSH actually uses close to this limit at
147 present. bz#1607 from Jan.Pechanec AT Sun.COM
f2aba402 148 - halex@cvs.openbsd.org 2009/11/22 13:18:00
149 [sftp.c]
150 make passing of zero-length arguments to ssh safe by
151 passing "-<switch>" "<value>" rather than "-<switch><value>"
152 ok dtucker@, guenther@, djm@
87d86481 153 - dtucker@cvs.openbsd.org 2009/12/06 23:41:15
154 [sshconnect2.c]
155 zap unused variable and strlen; from Steve McClellan, ok djm
e657a401 156 - djm@cvs.openbsd.org 2009/12/06 23:53:45
157 [roaming_common.c]
158 use socklen_t for getsockopt optlen parameter; reported by
159 Steve.McClellan AT radisys.com, ok dtucker@
38b1f255 160 - dtucker@cvs.openbsd.org 2009/12/06 23:53:54
161 [sftp.c]
162 fix potential divide-by-zero in sftp's "df" output when talking to a server
163 that reports zero files on the filesystem (Unix filesystems always have at
164 least the root inode). From Steve McClellan at radisys, ok djm@
d7af0c50 165 - markus@cvs.openbsd.org 2009/12/11 18:16:33
166 [key.c]
167 switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537
168 for the RSA public exponent; discussed with provos; ok djm@
c3773c6e 169 - guenther@cvs.openbsd.org 2009/12/20 07:28:36
170 [ssh.c sftp.c scp.c]
171 When passing user-controlled options with arguments to other programs,
172 pass the option and option argument as separate argv entries and
173 not smashed into one (e.g., as -l foo and not -lfoo). Also, always
174 pass a "--" argument to stop option parsing, so that a positional
175 argument that starts with a '-' isn't treated as an option. This
176 fixes some error cases as well as the handling of hostnames and
177 filenames that start with a '-'.
178 Based on a diff by halex@
179 ok halex@ djm@ deraadt@
f67f71f1 180 - djm@cvs.openbsd.org 2009/12/20 23:20:40
181 [PROTOCOL]
182 fix an incorrect magic number and typo in PROTOCOL; bz#1688
183 report and fix from ueno AT unixuser.org
9e622dcd 184 - stevesk@cvs.openbsd.org 2009/12/25 19:40:21
185 [readconf.c servconf.c misc.h ssh-keyscan.c misc.c]
186 validate routing domain is in range 0-RT_TABLEID_MAX.
187 'Looks right' deraadt@
bad23583 188 - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
189 [sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
190 Rename RDomain config option to RoutingDomain to be more clear and
191 consistent with other options.
192 NOTE: if you currently use RDomain in the ssh client or server config,
193 or ssh/sshd -o, you must update to use RoutingDomain.
194 ok markus@ djm@
d0335861 195 - jmc@cvs.openbsd.org 2009/12/29 18:03:32
196 [sshd_config.5 ssh_config.5]
197 sort previous;
e85f4dce 198 - dtucker@cvs.openbsd.org 2010/01/04 01:45:30
199 [sshconnect2.c]
200 Don't escape backslashes in the SSH2 banner. bz#1533, patch from
201 Michal Gorny via Gentoo.
4e715007 202 - djm@cvs.openbsd.org 2010/01/04 02:03:57
203 [sftp.c]
204 Implement tab-completion of commands, local and remote filenames for sftp.
205 Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009
206 Google Summer of Code) and polished to a fine sheen by myself again.
207 It should deal more-or-less correctly with the ikky corner-cases presented
208 by quoted filenames, but the UI could still be slightly improved.
209 In particular, it is quite slow for remote completion on large directories.
210 bz#200; ok markus@
d4b8c904 211 - djm@cvs.openbsd.org 2010/01/04 02:25:15
212 [sftp-server.c]
213 bz#1566 don't unnecessarily dup() in and out fds for sftp-server;
214 ok markus@
d03186af 215 - dtucker@cvs.openbsd.org 2010/01/08 21:50:49
216 [sftp.c]
217 Fix two warnings: possibly used unitialized and use a nul byte instead of
218 NULL pointer. ok djm@
6f8969f5 219 - (dtucker) [Makefile.in added roaming_client.c roaming_serv.c] Import new
220 files for roaming and add to Makefile.
957016e4 221 - (dtucker) [Makefile.in] .c files do not belong in the OBJ lines.
81598a81 222 - (dtucker) [sftp.c] ifdef out the sftp completion bits for platforms that
223 don't have libedit.
85fee9c0 224 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] Make
225 RoutingDomain an unsupported option on platforms that don't have it.
21e59e57 226 - (dtucker) [sftp.c] Expand ifdef for libedit to cover complete_is_remote
227 too.
1c0194f1 228 - (dtucker) [misc.c] Move the routingdomain ifdef to allow the socket to
229 be created.
3b6c53d3 230 - (dtucker] [misc.c] Shrink the area covered by USE_ROUTINGDOMAIN more
231 to eliminate an unused variable warning.
fcbc6487 232 - (dtucker) [roaming_serv.c] Include includes.h for u_intXX_t types.
1270be26 233
da073eee 23420091226
235 - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
236 Gzip all man pages. Patch from Corinna Vinschen.
237
3bef3252 23820091221
239 - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
240 Bug #1583: Use system's kerberos principal name on AIX if it's available.
241 Based on a patch from and tested by Miguel Sanders
242
fd2d830a 24320091208
244 - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
245 based on a patch from Vaclav Ovsik and Colin Watson. ok djm.
246
6b52ddbd 24720091207
248 - (dtucker) Bug #1160: use pkg-config for opensc config if it's available.
249 Tested by Martin Paljak.
95f0ee69 250 - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass.
6b52ddbd 251
e4402dc5 25220091121
253 - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.
254 Bug 1628. OK dtucker@
255
48662587 25620091120
257 - (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
258 line arguments as none are supported. Exit when passed unrecognised
259 commandline flags. bz#1568 from gson AT araneus.fi
260
26120091118
4e1082aa 262 - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
263 set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify
264 setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
e5a1e421 265 bz#1648, report and fix from jan.kratochvil AT redhat.com
266 - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.
267 bz#1645, patch from jchadima AT redhat.com
4e1082aa 268
cd82326a 26920091107
270 - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private
271 keys when built with OpenSSL versions that don't do AES.
272
090c27c5 27320091105
274 - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with
275 older versions of OpenSSL.
276
5c0f4199 27720091024
278 - (dtucker) OpenBSD CVS Sync
279 - djm@cvs.openbsd.org 2009/10/11 23:03:15
280 [hostfile.c]
281 mention the host name that we are looking for in check_host_in_hostfile()
1a0a69a7 282 - sobrado@cvs.openbsd.org 2009/10/17 12:10:39
283 [sftp-server.c]
284 sort flags.
7a779483 285 - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
286 [ssh.1 ssh-agent.1 ssh-add.1]
287 use the UNIX-related macros (.At and .Ux) where appropriate.
288 ok jmc@
78da49cb 289 - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
290 [ssh-agent.1 ssh-add.1 ssh.1]
291 write UNIX-domain in a more consistent way; while here, replace a
292 few remaining ".Tn UNIX" macros with ".Ux" ones.
293 pointed out by ratchov@, thanks!
294 ok jmc@
4c9466ae 295 - djm@cvs.openbsd.org 2009/10/22 22:26:13
296 [authfile.c]
297 switch from 3DES to AES-128 for encryption of passphrase-protected
298 SSH protocol 2 private keys; ok several
fbba8bf6 299 - djm@cvs.openbsd.org 2009/10/23 01:57:11
300 [sshconnect2.c]
301 disallow a hostile server from checking jpake auth by sending an
302 out-of-sequence success message. (doesn't affect code enabled by default)
78edb05a 303 - dtucker@cvs.openbsd.org 2009/10/24 00:48:34
304 [ssh-keygen.1]
305 ssh-keygen now uses AES-128 for private keys
aaeda216 306 - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
51fa929a 307 - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
308 is enabled set the security context to "sftpd_t" before running the
309 internal sftp server Based on a patch from jchadima at redhat.
5c0f4199 310
19b6c4d5 31120091011
312 - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
313 dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
314 lstat.
21af5fc4 315 - (dtucker) OpenBSD CVS Sync
316 - markus@cvs.openbsd.org 2009/10/08 14:03:41
317 [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
318 disable protocol 1 by default (after a transition period of about 10 years)
319 ok deraadt
0dba6d86 320 - jmc@cvs.openbsd.org 2009/10/08 20:42:12
321 [sshd_config.5 ssh_config.5 sshd.8 ssh.1]
322 some tweaks now that protocol 1 is not offered by default; ok markus
711fb093 323 - dtucker@cvs.openbsd.org 2009/10/11 10:41:26
324 [sftp-client.c]
325 d_type isn't portable so use lstat to get dirent modes. Suggested by and
326 "looks sane" deraadt@
991c9728 327 - markus@cvs.openbsd.org 2009/10/08 18:04:27
328 [regress/test-exec.sh]
329 re-enable protocol v1 for the tests.
19b6c4d5 330
3496b8d4 33120091007
332 - (dtucker) OpenBSD CVS Sync
333 - djm@cvs.openbsd.org 2009/08/12 00:13:00
334 [sftp.c sftp.1]
335 support most of scp(1)'s commandline arguments in sftp(1), as a first
336 step towards making sftp(1) a drop-in replacement for scp(1).
337 One conflicting option (-P) has not been changed, pending further
338 discussion.
339 Patch from carlosvsilvapt@gmail.com as part of his work in the
340 Google Summer of Code
b68241c3 341 - jmc@cvs.openbsd.org 2009/08/12 06:31:42
342 [sftp.1]
343 sort options;
97658f13 344 - djm@cvs.openbsd.org 2009/08/13 01:11:19
345 [sftp.1 sftp.c]
346 Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
347 add "-P port" to match scp(1). Fortunately, the -P option is only really
348 used by our regression scripts.
349 part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
350 of Code work; ok deraadt markus
5aa0f160 351 - jmc@cvs.openbsd.org 2009/08/13 13:39:54
352 [sftp.1 sftp.c]
353 sync synopsis and usage();
e746280c 354 - djm@cvs.openbsd.org 2009/08/14 18:17:49
355 [sftp-client.c]
356 make the "get_handle: ..." error messages vaguely useful by allowing
357 callers to specify their own error message strings.
5d799258 358 - fgsch@cvs.openbsd.org 2009/08/15 18:56:34
359 [auth.h]
360 remove unused define. markus@ ok.
361 (Id sync only, Portable still uses this.)
7b3a24aa 362 - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
363 [sshd_config.5]
364 Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
d141f964 365 - djm@cvs.openbsd.org 2009/08/18 18:36:21
366 [sftp-client.h sftp.1 sftp-client.c sftp.c]
367 recursive transfer support for get/put and on the commandline
368 work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
369 with some tweaks by me; "go for it" deraadt@
e83f55f9 370 - djm@cvs.openbsd.org 2009/08/18 21:15:59
371 [sftp.1]
372 fix "get" command usage, spotted by jmc@
3829cbca 373 - jmc@cvs.openbsd.org 2009/08/19 04:56:03
374 [sftp.1]
375 ether -> either;
2e2c33ad 376 - dtucker@cvs.openbsd.org 2009/08/20 23:54:28
377 [mux.c]
378 subsystem_flag is defined in ssh.c so it's extern; ok djm
99c5cf8e 379 - djm@cvs.openbsd.org 2009/08/27 17:28:52
380 [sftp-server.c]
381 allow setting an explicit umask on the commandline to override whatever
382 default the user has. bz#1229; ok dtucker@ deraadt@ markus@
bf3290be 383 - djm@cvs.openbsd.org 2009/08/27 17:33:49
384 [ssh-keygen.c]
385 force use of correct hash function for random-art signature display
386 as it was inheriting the wrong one when bubblebabble signatures were
387 activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
388 ok markus@
62b92bdc 389 - djm@cvs.openbsd.org 2009/08/27 17:43:00
390 [sftp-server.8]
391 allow setting an explicit umask on the commandline to override whatever
392 default the user has. bz#1229; ok dtucker@ deraadt@ markus@
b4741f94 393 - djm@cvs.openbsd.org 2009/08/27 17:44:52
394 [authfd.c ssh-add.c authfd.h]
395 Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
396 when the agent refuses the constrained add request. This was a useful
397 migration measure back in 2002 when constraints were new, but just
398 adds risk now.
399 bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
57a6b5dd 400 - djm@cvs.openbsd.org 2009/08/31 20:56:02
401 [sftp-server.c]
402 check correct variable for error message, spotted by martynas@
b7177174 403 - djm@cvs.openbsd.org 2009/08/31 21:01:29
404 [sftp-server.8]
405 document -e and -h; prodded by jmc@
5561856d 406 - djm@cvs.openbsd.org 2009/09/01 14:43:17
407 [ssh-agent.c]
408 fix a race condition in ssh-agent that could result in a wedged or
409 spinning agent: don't read off the end of the allocated fd_sets, and
410 don't issue blocking read/write on agent sockets - just fall back to
411 select() on retriable read/write errors. bz#1633 reported and tested
412 by "noodle10000 AT googlemail.com"; ok dtucker@ markus@
fd8b10fa 413 - grunk@cvs.openbsd.org 2009/10/01 11:37:33
414 [dh.c]
415 fix a cast
416 ok djm@ markus@
45bb6142 417 - djm@cvs.openbsd.org 2009/10/06 04:46:40
418 [session.c]
419 bz#1596: fflush(NULL) before exec() to ensure that everying (motd
420 in particular) has made it out before the streams go away.
1aeac41e 421 - djm@cvs.openbsd.org 2008/12/07 22:17:48
422 [regress/addrmatch.sh]
423 match string "passwordauthentication" only at start of line, not anywhere
424 in sshd -T output
cbc2c3e5 425 - dtucker@cvs.openbsd.org 2009/05/05 07:51:36
426 [regress/multiplex.sh]
427 Always specify ssh_config for multiplex tests: prevents breakage caused
428 by options in ~/.ssh/config. From Dan Peterson.
95744748 429 - djm@cvs.openbsd.org 2009/08/13 00:57:17
430 [regress/Makefile]
431 regression test for port number parsing. written as part of the a2port
432 change that went into 5.2 but I forgot to commit it at the time...
6c8ebe98 433 - djm@cvs.openbsd.org 2009/08/13 01:11:55
90fc667e 434 [regress/sftp-batch.sh regress/sftp-badcmds.sh regress/sftp.sh
435 regress/sftp-cmds.sh regres/sftp-glob.sh]
6c8ebe98 436 date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7
437 Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
438 add "-P port" to match scp(1). Fortunately, the -P option is only really
439 used by our regression scripts.
440 part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
441 of Code work; ok deraadt markus
c16b5840 442 - djm@cvs.openbsd.org 2009/08/20 18:43:07
90fc667e 443 [regress/ssh-com-sftp.sh]
c16b5840 444 fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos
445 Silva for Google Summer of Code
90fc667e 446 - dtucker@cvs.openbsd.org 2009/10/06 23:51:49
447 [regress/ssh2putty.sh]
448 Add OpenBSD tag to make syncs easier
deed7126 449 - (dtucker) [regress/portnum.sh] Import new test.
c7e0fa79 450 - (dtucker) [configure.ac sftp-client.c] DTOTIF is in fs/ffs/dir.h on at
4b48f754 451 least dragonflybsd.
c7e0fa79 452 - (dtucker) d_type is not mandated by POSIX, so add fallback code using
453 stat(), needed on at least cygwin.
3496b8d4 454
2391a73c 45520091002
456 - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps.
457 spotted by des AT des.no
458
018fda87 45920090926
460 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
461 [contrib/suse/openssh.spec] Update for release
462 - (djm) [README] update relnotes URL
463 - (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
464 - (djm) Release 5.3p1
465
a37250f4 46620090911
467 - (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
468 10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
469 from jbasney at ncsa uiuc edu.
470
bc33f6d6 47120090908
472 - (djm) [serverloop.c] Fix test for server-assigned remote forwarding port
473 (-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@
474
3acad382 47520090901
476 - (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
477 krb5-config if it's not in the location specified by --with-kerberos5.
478 Patch from jchadima at redhat.
479
84c645ec 48020090829
481 - (dtucker) [README.platform] Add text about development packages, based on
482 text from Chris Pepper in bug #1631.
483
7a51ce05 48420090828
485 - dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently
486 causes problems in some Tru64 configurations.
d108641a 487 - (djm) [sshd_config.5] downgrade mention of login.conf to be an example
488 and mention PAM as another provider for ChallengeResponseAuthentication;
489 bz#1408; ok dtucker@
6ecb350f 490 - (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when
491 attempting atomic rename(); ok dtucker@
36141cb8 492 - (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables
493 in argv, so pass them in the environment; ok dtucker@
5e934f78 494 - (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
495 the pty master on Solaris, since it never succeeds and can hang if large
496 amounts of data is sent to the slave (eg a copy-paste). Based on a patch
497 originally from Doke Scott, ok djm@
e7ac4a90 498 - (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
499 size a compile-time option and set it to 64k on Cygwin, since Corinna
500 reports that it makes a significant difference to performance. ok djm@
00789f24 501 - (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry.
7a51ce05 502
bf87c429 50320090820
504 - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
505 using it since the type conflicts can cause problems on FreeBSD. Patch
506 from Jonathan Chen.
406dc01a 507 - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
508 the setpcred call on AIX to immediately before the permanently_set_uid().
509 Ensures that we still have privileges when we call chroot and
510 pam_open_sesson. Based on a patch from David Leonard.
bf87c429 511
8295689f 51220090817
513 - (dtucker) [configure.ac] Check for headers before libraries for openssl an
514 zlib, which should make the errors slightly more meaningful on platforms
515 where there's separate "-devel" packages for those.
e339fa25 516 - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make
517 PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders.
8295689f 518
852de6fd 51920090729
520 - (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error
521 function. Patch from Corinna Vinschen.
522
14a260e8 52320090713
524 - (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it
525 fits into 16 bits to work around a bug in glibc's resolver where it masks
526 off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob.
527
0a008a4d 52820090712
529 - (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test,
530 prevents configure complaining on older BSDs.
74973c95 531 - (dtucker [contrib/cygwin/ssh-{host,user}-config] Add license text. Patch
532 from Corinna Vinschen.
f12c178c 533 - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on
1d5c49e0 534 logout to after the session close. Patch from Anicka Bernathova,
535 originally from Andreas Schwab via Novelll ok djm.
0a008a4d 536
78576c54 53720090707
538 - (dtucker) [contrib/cygwin/ssh-host-config] better support for automated
539 scripts and fix usage of eval. Patch from Corinna Vinschen.
540
54120090705
dc11a83a 542 - (dtucker) OpenBSD CVS Sync
543 - andreas@cvs.openbsd.org 2009/06/27 09:29:06
544 [packet.h packet.c]
545 packet_bacup_state() and packet_restore_state() will be used to
546 temporarily save the current state ren resuming a suspended connection.
547 ok markus@
548 - andreas@cvs.openbsd.org 2009/06/27 09:32:43
549 [roaming_common.c roaming.h]
550 It may be necessary to retransmit some data when resuming, so add it
551 to a buffer when roaming is enabled.
552 Most of this code was written by Martin Forssen, maf at appgate dot com.
553 ok markus@
554 - andreas@cvs.openbsd.org 2009/06/27 09:35:06
555 [readconf.h readconf.c]
556 Add client option UseRoaming. It doesn't do anything yet but will
557 control whether the client tries to use roaming if enabled on the
558 server. From Martin Forssen.
559 ok markus@
560 - markus@cvs.openbsd.org 2009/06/30 14:54:40
561 [version.h]
562 crank version; ok deraadt
563 - dtucker@cvs.openbsd.org 2009/07/02 02:11:47
564 [ssh.c]
565 allow for long home dir paths (bz #1615). ok deraadt
566 (based in part on a patch from jchadima at redhat)
567 - stevesk@cvs.openbsd.org 2009/07/05 19:28:33
568 [clientloop.c]
569 only send SSH2_MSG_DISCONNECT if we're in compat20; from dtucker@
570 ok deraadt@ markus@
571
127c96db 57220090622
573 - (dtucker) OpenBSD CVS Sync
574 - dtucker@cvs.openbsd.org 2009/06/22 05:39:28
575 [monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c]
576 alphabetize includes; reduces diff vs portable and style(9).
577 ok stevesk djm
578 (Id sync only; these were already in order in -portable)
579
f0956980 58020090621
581 - (dtucker) OpenBSD CVS Sync
582 - markus@cvs.openbsd.org 2009/03/17 21:37:00
583 [ssh.c]
584 pass correct argv[0] to openlog(); ok djm@
8fe25329 585 - jmc@cvs.openbsd.org 2009/03/19 15:15:09
586 [ssh.1]
587 for "Ciphers", just point the reader to the keyword in ssh_config(5), just
588 as we do for "MACs": this stops us getting out of sync when the lists
589 change;
590 fixes documentation/6102, submitted by Peter J. Philipp
591 alternative fix proposed by djm
592 ok markus
230d03b6 593 - tobias@cvs.openbsd.org 2009/03/23 08:31:19
594 [ssh-agent.c]
595 Fixed a possible out-of-bounds memory access if the environment variable
596 SHELL is shorter than 3 characters.
597 with input by and ok dtucker
7027325d 598 - tobias@cvs.openbsd.org 2009/03/23 19:38:04
599 [ssh-agent.c]
600 My previous commit didn't fix the problem at all, so stick at my first
601 version of the fix presented to dtucker.
602 Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de).
603 ok dtucker
b31ae930 604 - sobrado@cvs.openbsd.org 2009/03/26 08:38:39
605 [sftp-server.8 sshd.8 ssh-agent.1]
606 fix a few typographical errors found by spell(1).
607 ok dtucker@, jmc@
640f440b 608 - stevesk@cvs.openbsd.org 2009/04/13 19:07:44
609 [sshd_config.5]
610 fix possessive; ok djm@
7bd399ce 611 - stevesk@cvs.openbsd.org 2009/04/14 16:33:42
612 [sftp-server.c]
613 remove unused option character from getopt() optstring; ok markus@
3e576dfe 614 - jj@cvs.openbsd.org 2009/04/14 21:10:54
615 [servconf.c]
616 Fixed a few the-the misspellings in comments. Skipped a bunch in
617 binutils,gcc and so on. ok jmc@
02d56d32 618 - stevesk@cvs.openbsd.org 2009/04/17 19:23:06
619 [session.c]
620 use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server;
621 ok djm@ markus@
db1f5925 622 - stevesk@cvs.openbsd.org 2009/04/17 19:40:17
623 [sshd_config.5]
624 clarify that even internal-sftp needs /dev/log for logging to work; ok
625 markus@
47f4188a 626 - jmc@cvs.openbsd.org 2009/04/18 18:39:10
627 [sshd_config.5]
628 tweak previous; ok stevesk
5df1f0e3 629 - stevesk@cvs.openbsd.org 2009/04/21 15:13:17
630 [sshd_config.5]
631 clarify we cd to user's home after chroot; ok markus@ on
632 earlier version; tweaks and ok jmc@
dc1f1948 633 - andreas@cvs.openbsd.org 2009/05/25 06:48:01
634 [channels.c packet.c clientloop.c packet.h serverloop.c monitor_wrap.c
635 monitor.c]
636 Put the globals in packet.c into a struct and don't access it directly
637 from other files. No functional changes.
638 ok markus@ djm@
639 - andreas@cvs.openbsd.org 2009/05/27 06:31:25
640 [canohost.h canohost.c]
641 Add clear_cached_addr(), needed for upcoming changes allowing the peer
642 address to change.
643 ok markus@
f936c5d4 644 - andreas@cvs.openbsd.org 2009/05/27 06:33:39
645 [clientloop.c]
646 Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger
647 change from Martin Forssen, maf at appgate dot com.
648 ok markus@
abdc5018 649 - andreas@cvs.openbsd.org 2009/05/27 06:34:36
650 [kex.c kex.h]
651 Move the KEX_COOKIE_LEN define to kex.h
652 ok markus@
87db7000 653 - andreas@cvs.openbsd.org 2009/05/27 06:36:07
654 [packet.h packet.c]
655 Add packet_put_int64() and packet_get_int64(), part of a larger change
656 from Martin Forssen.
c6063ed7 657 ok markus@
658 - andreas@cvs.openbsd.org 2009/05/27 06:38:16
659 [sshconnect.h sshconnect.c]
660 Un-static ssh_exchange_identification(), part of a larger change from
661 Martin Forssen and needed for upcoming changes.
662 ok markus@
5d4d25cd 663 - andreas@cvs.openbsd.org 2009/05/28 16:50:16
664 [sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c
d0137ef8 665 monitor.c Added roaming.h roaming_common.c roaming_dummy.c]
5d4d25cd 666 Keep track of number of bytes read and written. Needed for upcoming
667 changes. Most code from Martin Forssen, maf at appgate dot com.
668 ok markus@
d0137ef8 669 Also, applied appropriate changes to Makefile.in
adb5cc1b 670 - andreas@cvs.openbsd.org 2009/06/12 20:43:22
671 [monitor.c packet.c]
672 Fix warnings found by chl@ and djm@ and change roaming_atomicio's
673 return type to match atomicio's
674 Diff from djm@, ok markus@
6a49252d 675 - andreas@cvs.openbsd.org 2009/06/12 20:58:32
676 [packet.c]
677 Move some more statics into session_state
678 ok markus@ djm@
ac692f84 679 - dtucker@cvs.openbsd.org 2009/06/21 07:37:15
680 [kexdhs.c kexgexs.c]
681 abort if key_sign fails, preventing possible null deref. Based on report
682 from Paolo Ganci, ok markus@ djm@
683 - dtucker@cvs.openbsd.org 2009/06/21 09:04:03
684 [roaming.h roaming_common.c roaming_dummy.c]
685 Add tags for the benefit of the sync scripts
686 Also: pull in the changes for 1.1->1.2 missed in the previous sync.
9b9302ea 687 - (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and
688 header-order changes to reduce diff vs OpenBSD.
c8dc0909 689 - (dtucker) [servconf.c sshd.c] More whitespace sync.
e85016d4 690 - (dtucker) [roaming_common.c roaming_dummy.c] Wrap #include <inttypes.h> in
691 ifdef.
f0956980 692
87562a58 69320090616
694 - (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t
695 is a struct with a __val member. Fixes build on, eg, Redhat 6.2.
696
6ee76eea 69720090504
698 - (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include
699 variable declarations. Should prevent unused warnings anywhere it's set
700 (only Crays as far as I can tell) and be a no-op everywhere else.
701
bc9a470b 70220090318
703 - (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem
704 that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005.
705 Based on patch from vinschen at redhat com.
706
5077a5f6 70720090308
708 - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c
709 auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h}
710 openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old
711 version of Cygwin. Patch from vinschen at redhat com.
712
3e566c29 71320090307
714 - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it
715 exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS
716 has a /dev/random).
36b68fd5 717 - (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add
718 EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c
719 to use them. Allows building with older OpenSSL versions.
aeed50df 720 - (dtucker) [configure.ac defines.h] Check for in_port_t and typedef if needed.
86783a32 721 - (dtucker) [configure.ac] Missing comma in type list.
14e380c6 722 - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]
723 EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg
724 in openssl 0.9.6) so add an explicit test for it.
3e566c29 725
5b01421b 72620090306
727 - (djm) OpenBSD CVS Sync
728 - djm@cvs.openbsd.org 2009/03/05 07:18:19
729 [auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c]
730 [sshconnect2.c]
731 refactor the (disabled) Schnorr proof code to make it a little more
732 generally useful
4f983ff5 733 - djm@cvs.openbsd.org 2009/03/05 11:30:50
734 [uuencode.c]
735 document what these functions do so I don't ever have to recuse into
736 b64_pton/ntop to remember their return values
5b01421b 737
ebf012a2 73820090223
739 - (djm) OpenBSD CVS Sync
740 - djm@cvs.openbsd.org 2009/02/22 23:50:57
741 [ssh_config.5 sshd_config.5]
742 don't advertise experimental options
09b37352 743 - djm@cvs.openbsd.org 2009/02/22 23:59:25
744 [sshd_config.5]
745 missing period
52d8f3f6 746 - djm@cvs.openbsd.org 2009/02/23 00:06:15
747 [version.h]
748 openssh-5.2
dc336a3b 749 - (djm) [README] update for 5.2
0e8d25c9 750 - (djm) Release openssh-5.2p1
ebf012a2 751
7eec82ab 75220090222
753 - (djm) OpenBSD CVS Sync
754 - tobias@cvs.openbsd.org 2009/02/21 19:32:04
755 [misc.c sftp-server-main.c ssh-keygen.c]
756 Added missing newlines in error messages.
757 ok dtucker
758
1925d16d 75920090221
760 - (djm) OpenBSD CVS Sync
761 - djm@cvs.openbsd.org 2009/02/17 01:28:32
762 [ssh_config]
763 sync with revised default ciphers; pointed out by dkrause@
dca75d4b 764 - djm@cvs.openbsd.org 2009/02/18 04:31:21
765 [schnorr.c]
766 signature should hash over the entire group, not just the generator
767 (this is still disabled code)
9a4a047b 768 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
769 [contrib/suse/openssh.spec] Prepare for 5.2p1
1925d16d 770
aa10bde9 77120090216
772 - (djm) [regress/conch-ciphers.sh regress/putty-ciphers.sh]
773 [regress/putty-kex.sh regress/putty-transfer.sh] Downgrade disabled
774 interop tests from FATAL error to a warning. Allows some interop
775 tests to proceed if others are missing necessary prerequisites.
4c3b7423 776 - (djm) [configure.ac] support GNU/kFreeBSD and GNU/kOpensolaris
777 systems; patch from Aurelien Jarno via rmh AT aybabtu.com
aa10bde9 778
69354fe2 77920090214
780 - (djm) OpenBSD CVS Sync
781 - dtucker@cvs.openbsd.org 2009/02/02 11:15:14
782 [sftp.c]
783 Initialize a few variables to prevent spurious "may be used
784 uninitialized" warnings from newer gcc's. ok djm@
17525a70 785 - djm@cvs.openbsd.org 2009/02/12 03:00:56
786 [canohost.c canohost.h channels.c channels.h clientloop.c readconf.c]
787 [readconf.h serverloop.c ssh.c]
788 support remote port forwarding with a zero listen port (-R0:...) to
789 dyamically allocate a listen port at runtime (this is actually
790 specified in rfc4254); bz#1003 ok markus@
1d68c50a 791 - djm@cvs.openbsd.org 2009/02/12 03:16:01
792 [serverloop.c]
793 tighten check for -R0:... forwarding: only allow dynamic allocation
794 if want_reply is set in the packet
28b5d376 795 - djm@cvs.openbsd.org 2009/02/12 03:26:22
796 [monitor.c]
797 some paranoia: check that the serialised key is really KEY_RSA before
798 diddling its internals
db9039d0 799 - djm@cvs.openbsd.org 2009/02/12 03:42:09
800 [ssh.1]
801 document -R0:... usage
1e709459 802 - djm@cvs.openbsd.org 2009/02/12 03:44:25
803 [ssh.1]
804 consistency: Dq => Ql
c6b2c0e0 805 - djm@cvs.openbsd.org 2009/02/12 03:46:17
806 [ssh_config.5]
807 document RemoteForward usage with 0 listen port
e12d3e21 808 - jmc@cvs.openbsd.org 2009/02/12 07:34:20
809 [ssh_config.5]
810 kill trailing whitespace;
8b773163 811 - markus@cvs.openbsd.org 2009/02/13 11:50:21
812 [packet.c]
813 check for enc !=NULL in packet_start_discard
e75a14a1 814 - djm@cvs.openbsd.org 2009/02/14 06:35:49
815 [PROTOCOL]
816 mention that eow and no-more-sessions extensions are sent only to
817 OpenSSH peers
69354fe2 818
81920090212
f7b8146b 820 - (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically
821 set ownership and modes, so avoid explicitly setting them
295dd642 822 - (djm) [configure.ac loginrec.c] bz#1421: fix lastlog support for OSX.
823 OSX provides a getlastlogxbyname function that automates the reading of
824 a lastlog file. Also, the pututxline function will update lastlog so
825 there is no need for loginrec.c to do it explicitly. Collapse some
826 overly verbose code while I'm in there.
f7b8146b 827
b4341d7a 82820090201
829 - (dtucker) [defines.h sshconnect.c] INET6_ADDRSTRLEN is now needed in
830 channels.c too, so move the definition for non-IP6 platforms to defines.h
831 where it can be shared.
832
e1986e0a 83320090129
834 - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen.
835 If the CYGWIN environment variable is empty, the installer script
836 should not install the service with an empty CYGWIN variable, but
837 rather without setting CYGWNI entirely.
863ba23a 838 - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes.
e1986e0a 839
7f24626b 84020090128
841 - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen.
842 Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x.
843 The information given for the setting of the CYGWIN environment variable
844 is wrong for both releases so I just removed it, together with the
845 unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting.
846
68405671 84720081228
848 - (djm) OpenBSD CVS Sync
849 - stevesk@cvs.openbsd.org 2008/12/09 03:20:42
850 [channels.c servconf.c]
851 channel_print_adm_permitted_opens() should deal with all the printing
852 for that config option. suggested by markus@; ok markus@ djm@
853 dtucker@
7efff8ce 854 - djm@cvs.openbsd.org 2008/12/09 04:32:22
855 [auth2-chall.c]
856 replace by-hand string building with xasprinf(); ok deraadt@
d3cd4016 857 - sobrado@cvs.openbsd.org 2008/12/09 15:35:00
858 [sftp.1 sftp.c]
859 update for the synopses displayed by the 'help' command, there are a
860 few missing flags; add 'bye' to the output of 'help'; sorting and spacing.
861 jmc@ suggested replacing .Oo/.Oc with a single .Op macro.
862 ok jmc@
6c20a13f 863 - stevesk@cvs.openbsd.org 2008/12/09 22:37:33
864 [clientloop.c]
865 fix typo in error message
fd2ce9c6 866 - stevesk@cvs.openbsd.org 2008/12/10 03:55:20
867 [addrmatch.c]
868 o cannot be NULL here but use xfree() to be consistent; ok djm@
8647612c 869 - stevesk@cvs.openbsd.org 2008/12/29 01:12:36
870 [ssh-keyscan.1]
871 fix example, default key type is rsa for 3+ years; from
872 frederic.perrin@resel.fr
040d6b1f 873 - stevesk@cvs.openbsd.org 2008/12/29 02:23:26
874 [pathnames.h]
875 no need to escape single quotes in comments
d4bfdc62 876 - okan@cvs.openbsd.org 2008/12/30 00:46:56
877 [sshd_config.5]
878 add AllowAgentForwarding to available Match keywords list
879 ok djm
6cf44b6a 880 - djm@cvs.openbsd.org 2009/01/01 21:14:35
881 [channels.c]
882 call channel destroy callbacks on receipt of open failure messages.
883 fixes client hangs when connecting to a server that has MaxSessions=0
884 set spotted by imorgan AT nas.nasa.gov; ok markus@
546202d0 885 - djm@cvs.openbsd.org 2009/01/01 21:17:36
886 [kexgexs.c]
887 fix hash calculation for KEXGEX: hash over the original client-supplied
888 values and not the sanity checked versions that we acutally use;
889 bz#1540 reported by john.smith AT arrows.demon.co.uk
890 ok markus@
4866a6d6 891 - djm@cvs.openbsd.org 2009/01/14 01:38:06
892 [channels.c]
893 support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482;
894 "looks ok" markus@
9b4b86c2 895 - stevesk@cvs.openbsd.org 2009/01/15 17:38:43
896 [readconf.c]
897 1) use obsolete instead of alias for consistency
898 2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is
899 so move the comment.
900 3) reorder so like options are together
901 ok djm@
1338ba77 902 - djm@cvs.openbsd.org 2009/01/22 09:46:01
903 [channels.c channels.h session.c]
904 make Channel->path an allocated string, saving a few bytes here and
905 there and fixing bz#1380 in the process; ok markus@
920706fd 906 - djm@cvs.openbsd.org 2009/01/22 09:49:57
907 [channels.c]
908 oops! I committed the wrong version of the Channel->path diff,
909 it was missing some tweaks suggested by stevesk@
5134115d 910 - djm@cvs.openbsd.org 2009/01/22 10:02:34
911 [clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h]
912 [serverloop.c ssh-keyscan.c ssh.c sshd.c]
913 make a2port() return -1 when it encounters an invalid port number
914 rather than 0, which it will now treat as valid (needed for future work)
915 adjust current consumers of a2port() to check its return value is <= 0,
916 which in turn required some things to be converted from u_short => int
917 make use of int vs. u_short consistent in some other places too
918 feedback & ok markus@
368e246f 919 - djm@cvs.openbsd.org 2009/01/22 10:09:16
920 [auth-options.c]
921 another chunk of a2port() diff that got away. wtfdjm??
700fd7e7 922 - djm@cvs.openbsd.org 2009/01/23 07:58:11
923 [myproposal.h]
924 prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC
925 modes; ok markus@
29ec8eb3 926 - naddy@cvs.openbsd.org 2009/01/24 17:10:22
927 [ssh_config.5 sshd_config.5]
928 sync list of preferred ciphers; ok djm@
608bcf58 929 - markus@cvs.openbsd.org 2009/01/26 09:58:15
930 [cipher.c cipher.h packet.c]
931 Work around the CPNI-957037 Plaintext Recovery Attack by always
932 reading 256K of data on packet size or HMAC errors (in CBC mode only).
933 Help, feedback and ok djm@
934 Feedback from Martin Albrecht and Paterson Kenny
68405671 935
a25d08b3 93620090107
937 - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X.
938 Patch based on one from vgiffin AT apple.com; ok dtucker@
b5a1596f 939 - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via
940 launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked;
941 ok dtucker@
23b3ed0b 942 - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make
943 ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity"
944 key). Patch from cjwatson AT debian.org
a25d08b3 945
16076ac9 94620090107
947 - (tim) [configure.ac defines.h openbsd-compat/port-uw.c
948 openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI.
949 OK djm@ dtucker@
44a71983 950 - (tim) [configure.ac] Move check_for_libcrypt_later=1 in *-*-sysv5*) section.
951 OpenServer 6 doesn't need libcrypt.
16076ac9 952
09925c00 95320081209
954 - (djm) OpenBSD CVS Sync
955 - djm@cvs.openbsd.org 2008/12/09 02:38:18
956 [clientloop.c]
957 The ~C escape handler does not work correctly for multiplexed sessions -
958 it opens a commandline on the master session, instead of on the slave
959 that requested it. Disable it on slave sessions until such time as it
960 is fixed; bz#1543 report from Adrian Bridgett via Colin Watson
961 ok markus@
ddb5e00f 962 - djm@cvs.openbsd.org 2008/12/09 02:39:59
963 [sftp.c]
964 Deal correctly with failures in remote stat() operation in sftp,
965 correcting fail-on-error behaviour in batchmode. bz#1541 report and
966 fix from anedvedicky AT gmail.com; ok markus@
bab3d903 967 - djm@cvs.openbsd.org 2008/12/09 02:58:16
968 [readconf.c]
969 don't leave junk (free'd) pointers around in Forward *fwd argument on
970 failure; avoids double-free in ~C -L handler when given an invalid
971 forwarding specification; bz#1539 report from adejong AT debian.org
972 via Colin Watson; ok markus@ dtucker@
83cd8c39 973 - djm@cvs.openbsd.org 2008/12/09 03:02:37
974 [sftp.1 sftp.c]
975 correct sftp(1) and corresponding usage syntax;
976 bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@
09925c00 977
53e2660a 97820081208
979 - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually
980 use some stack in main().
981 Report and suggested fix from vapier AT gentoo.org
66e16767 982 - (djm) OpenBSD CVS Sync
983 - markus@cvs.openbsd.org 2008/12/02 19:01:07
984 [clientloop.c]
985 we have to use the recipient's channel number (RFC 4254) for
986 SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages,
987 otherwise we trigger 'Non-public channel' error messages on sshd
988 systems with clientkeepalive enabled; noticed by sturm; ok djm;
7ec2b275 989 - markus@cvs.openbsd.org 2008/12/02 19:08:59
990 [serverloop.c]
991 backout 1.149, since it's not necessary and openssh clients send
992 broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@
b09b559d 993 - markus@cvs.openbsd.org 2008/12/02 19:09:38
994 [channels.c]
995 s/remote_id/id/ to be more consistent with other code; ok djm@
53e2660a 996
de470c82 99720081201
998 - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files
999 and tweak the is-sshd-running check in ssh-host-config. Patch from
1000 vinschen at redhat com.
66af1c21 1001 - (dtucker) OpenBSD CVS Sync
1002 - markus@cvs.openbsd.org 2008/11/21 15:47:38
1003 [packet.c]
1004 packet_disconnect() on padding error, too. should reduce the success
1005 probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18
1006 ok djm@
8e10da10 1007 - dtucker@cvs.openbsd.org 2008/11/30 11:59:26
1008 [monitor_fdpass.c]
1009 Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@
de470c82 1010
d2aa725a 101120081123
1012 - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some
1013 declarations, removing an unnecessary union member and adding whitespace.
c037a517 1014 cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago.
d2aa725a 1015
95e16084 101620081118
1017 - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id
1018 member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and
1019 feedback by djm@
1020
0bd3332c 102120081111
1022 - (dtucker) OpenBSD CVS Sync
1023 - jmc@cvs.openbsd.org 2008/11/05 11:22:54
1024 [servconf.c]
1025 passord -> password;
1026 fixes user/5975 from Rene Maroufi
1890bf8b 1027 - stevesk@cvs.openbsd.org 2008/11/07 00:42:12
1028 [ssh-keygen.c]
1029 spelling/typo in comment
92d0164c 1030 - stevesk@cvs.openbsd.org 2008/11/07 18:50:18
1031 [nchan.c]
1032 add space to some log/debug messages for readability; ok djm@ markus@
3d7f6c3d 1033 - dtucker@cvs.openbsd.org 2008/11/07 23:34:48
1034 [auth2-jpake.c]
1035 Move JPAKE define to make life easier for portable. ok djm@
94087553 1036 - tobias@cvs.openbsd.org 2008/11/09 12:34:47
1037 [session.c ssh.1]
1038 typo fixed (overriden -> overridden)
1039 ok espie, jmc
2505b891 1040 - stevesk@cvs.openbsd.org 2008/11/11 02:58:09
1041 [servconf.c]
1042 USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing
1043 kerberosgetafstoken. ok dtucker@
1044 (Id sync only, we still want the ifdef in portable)
861e9e53 1045 - stevesk@cvs.openbsd.org 2008/11/11 03:55:11
1046 [channels.c]
1047 for sshd -T print 'permitopen any' vs. 'permitopen' for case of no
1048 permitopen's; ok and input dtucker@
0771f5dd 1049 - djm@cvs.openbsd.org 2008/11/10 02:06:35
1050 [regress/putty-ciphers.sh]
1051 PuTTY supports AES CTR modes, so interop test against them too
0bd3332c 1052
39aa8698 105320081105
1054 - OpenBSD CVS Sync
1055 - djm@cvs.openbsd.org 2008/11/03 08:59:41
1056 [servconf.c]
1057 include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov
a28625a6 1058 - djm@cvs.openbsd.org 2008/11/04 07:58:09
1059 [auth.c]
1060 need unistd.h for close() prototype
1061 (ID sync only)
5adf6b9a 1062 - djm@cvs.openbsd.org 2008/11/04 08:22:13
1063 [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h]
1064 [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5]
1065 [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c]
1066 [Makefile.in]
1067 Add support for an experimental zero-knowledge password authentication
1068 method using the J-PAKE protocol described in F. Hao, P. Ryan,
1069 "Password Authenticated Key Exchange by Juggling", 16th Workshop on
1070 Security Protocols, Cambridge, April 2008.
1071
1072 This method allows password-based authentication without exposing
1073 the password to the server. Instead, the client and server exchange
1074 cryptographic proofs to demonstrate of knowledge of the password while
1075 revealing nothing useful to an attacker or compromised endpoint.
1076
1077 This is experimental, work-in-progress code and is presently
1078 compiled-time disabled (turn on -DJPAKE in Makefile.inc).
1079
1080 "just commit it. It isn't too intrusive." deraadt@
d35f707e 1081 - stevesk@cvs.openbsd.org 2008/11/04 19:18:00
1082 [readconf.c]
1083 because parse_forward() is now used to parse all forward types (DLR),
1084 and it malloc's space for host variables, we don't need to malloc
1085 here. fixes small memory leaks.
1086
1087 previously dynamic forwards were not parsed in parse_forward() and
1088 space was not malloc'd in that case.
1089
1090 ok djm@
10cf2ac3 1091 - stevesk@cvs.openbsd.org 2008/11/05 03:23:09
1092 [clientloop.c ssh.1]
1093 add dynamic forward escape command line; ok djm@
39aa8698 1094
94f36816 109520081103
1096 - OpenBSD CVS Sync
1097 - sthen@cvs.openbsd.org 2008/07/24 23:55:30
1098 [ssh-keygen.1]
1099 Add "ssh-keygen -F -l" to synopsis (displays fingerprint from
1100 known_hosts). ok djm@
1101 - grunk@cvs.openbsd.org 2008/07/25 06:56:35
1102 [ssh_config]
1103 Add VisualHostKey to example file, ok djm@
5ca42ddb 1104 - grunk@cvs.openbsd.org 2008/07/25 07:05:16
1105 [key.c]
1106 In random art visualization, make sure to use the end marker only at the
1107 end. Initial diff by Dirk Loss, tweaks and ok djm@
341cb46b 1108 - markus@cvs.openbsd.org 2008/07/31 14:48:28
1109 [sshconnect2.c]
1110 don't allocate space for empty banners; report t8m at centrum.cz;
1111 ok deraadt
686bdcbd 1112 - krw@cvs.openbsd.org 2008/08/02 04:29:51
1113 [ssh_config.5]
1114 whitepsace -> whitespace. From Matthew Clarke via bugs@.
e3ef5245 1115 - djm@cvs.openbsd.org 2008/08/21 04:09:57
1116 [session.c]
1117 allow ForceCommand internal-sftp with arguments. based on patch from
1118 michael.barabanov AT gmail.com; ok markus@
1975fb98 1119 - djm@cvs.openbsd.org 2008/09/06 12:24:13
1120 [kex.c]
1121 OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our
1122 replacement anymore
1123 (ID sync only for portable - we still need this)
72bd2fca 1124 - markus@cvs.openbsd.org 2008/09/11 14:22:37
1125 [compat.c compat.h nchan.c ssh.c]
1126 only send eow and no-more-sessions requests to openssh 5 and newer;
1127 fixes interop problems with broken ssh v2 implementations; ok djm@
2e96832c 1128 - millert@cvs.openbsd.org 2008/10/02 14:39:35
1129 [session.c]
1130 Convert an unchecked strdup to xstrdup. OK deraadt@
dc94d57e 1131 - jmc@cvs.openbsd.org 2008/10/03 13:08:12
1132 [sshd.8]
1133 do not give an example of how to chmod files: we can presume the user
1134 knows that. removes an ambiguity in the permission of authorized_keys;
1135 ok deraadt
90d5350e 1136 - deraadt@cvs.openbsd.org 2008/10/03 23:56:28
1137 [sshconnect2.c]
1138 Repair strnvis() buffersize of 4*n+1, with termination gauranteed by the
1139 function.
1140 spotted by des@freebsd, who commited an incorrect fix to the freebsd tree
1141 and (as is fairly typical) did not report the problem to us. But this fix
1142 is correct.
1143 ok djm
bf793210 1144 - djm@cvs.openbsd.org 2008/10/08 23:34:03
1145 [ssh.1 ssh.c]
1146 Add -y option to force logging via syslog rather than stderr.
1147 Useful for daemonised ssh connection (ssh -f). Patch originally from
1148 and ok'd by markus@
e68868a1 1149 - djm@cvs.openbsd.org 2008/10/09 03:50:54
1150 [servconf.c sshd_config.5]
1151 support setting PermitEmptyPasswords in a Match block
1152 requested in PR3891; ok dtucker@
f3a4d0d0 1153 - jmc@cvs.openbsd.org 2008/10/09 06:54:22
1154 [ssh.c]
1155 add -y to usage();
6503dc91 1156 - stevesk@cvs.openbsd.org 2008/10/10 04:55:16
1157 [scp.c]
1158 spelling in comment; ok djm@
260bf88a 1159 - stevesk@cvs.openbsd.org 2008/10/10 05:00:12
1160 [key.c]
1161 typo in error message; ok djm@
96a00a9d 1162 - stevesk@cvs.openbsd.org 2008/10/10 16:43:27
1163 [ssh_config.5]
1164 use 'Privileged ports can be forwarded only when logging in as root on
1165 the remote machine.' for RemoteForward just like ssh.1 -R.
1166 ok djm@ jmc@
1167 - stevesk@cvs.openbsd.org 2008/10/14 18:11:33
1168 [sshconnect.c]
1169 use #define ROQUIET here; no binary change. ok dtucker@
8d20b087 1170 - stevesk@cvs.openbsd.org 2008/10/17 18:36:24
1171 [ssh_config.5]
1172 correct and clarify VisualHostKey; ok jmc@
25f93f2c 1173 - stevesk@cvs.openbsd.org 2008/10/30 19:31:16
1174 [clientloop.c sshd.c]
1175 don't need to #include "monitor_fdpass.h"
b8974c94 1176 - stevesk@cvs.openbsd.org 2008/10/31 15:05:34
1177 [dispatch.c]
1178 remove unused #define DISPATCH_MIN; ok markus@
e64399cc 1179 - djm@cvs.openbsd.org 2008/11/01 04:50:08
1180 [sshconnect2.c]
1181 sprinkle ARGSUSED on dispatch handlers
1182 nuke stale unusued prototype
2ea438c2 1183 - stevesk@cvs.openbsd.org 2008/11/01 06:43:33
1184 [channels.c]
1185 fix some typos in log messages; ok djm@
9995aaa3 1186 - sobrado@cvs.openbsd.org 2008/11/01 11:14:36
1187 [ssh-keyscan.1 ssh-keyscan.c]
1188 the ellipsis is not an optional argument; while here, improve spacing.
30573fea 1189 - stevesk@cvs.openbsd.org 2008/11/01 17:40:33
1190 [clientloop.c readconf.c readconf.h ssh.c]
1191 merge dynamic forward parsing into parse_forward();
1192 'i think this is OK' djm@
9bbba34b 1193 - stevesk@cvs.openbsd.org 2008/11/02 00:16:16
1194 [ttymodes.c]
1195 protocol 2 tty modes support is now 7.5 years old so remove these
1196 debug3()s; ok deraadt@
b626b7ae 1197 - stevesk@cvs.openbsd.org 2008/11/03 01:07:02
1198 [readconf.c]
1199 remove valueless comment
c8eaf0ec 1200 - stevesk@cvs.openbsd.org 2008/11/03 02:44:41
1201 [readconf.c]
1202 fix comment
fce91335 1203 - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd]
1204 Make example scripts generate keys with default sizes rather than fixed,
1205 non-default 1024 bits; patch from imorgan AT nas.nasa.gov
933e2f91 1206 - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam]
1207 [contrib/redhat/sshd.pam] Move pam_nologin to account group from
1208 incorrect auth group in example files;
1209 patch from imorgan AT nas.nasa.gov
94f36816 1210
d6339843 121120080906
1212 - (dtucker) [config.guess config.sub] Update to latest versions from
1213 http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16
1214 respectively).
1215
974ce4a0 121620080830
1217 - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs
1218 larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch
1219 from Nicholas Marriott.
1220
e888d981 122120080721
1222 - (djm) OpenBSD CVS Sync
1223 - djm@cvs.openbsd.org 2008/07/23 07:36:55
1224 [servconf.c]
1225 do not try to print options that have been compile-time disabled
1226 in config test mode (sshd -T); report from nix-corp AT esperi.org.uk
1227 ok dtucker@
cee47c9f 1228 - (djm) [servconf.c] Print UsePAM option in config test mode (when it
1229 has been compiled in); report from nix-corp AT esperi.org.uk
1230 ok dtucker@
e888d981 1231
b14e719f 123220080721
1233 - (djm) OpenBSD CVS Sync
1234 - jmc@cvs.openbsd.org 2008/07/18 22:51:01
1235 [sftp-server.8]
1236 no need for .Pp before or after .Sh;
f3b93df3 1237 - djm@cvs.openbsd.org 2008/07/21 08:19:07
1238 [version.h]
1239 openssh-5.1
11368183 1240 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
1241 [contrib/suse/openssh.spec] Update version number in README and RPM specs
55d5db1c 1242 - (djm) Release OpenSSH-5.1
b14e719f 1243
e5df5ff2 124420080717
1245 - (djm) OpenBSD CVS Sync
1246 - djm@cvs.openbsd.org 2008/07/17 08:48:00
1247 [sshconnect2.c]
1248 strnvis preauth banner; pointed out by mpf@ ok markus@
2800468d 1249 - djm@cvs.openbsd.org 2008/07/17 08:51:07
1250 [auth2-hostbased.c]
1251 strip trailing '.' from hostname when HostbasedUsesNameFromPacketOnly=yes
1252 report and patch from res AT qoxp.net (bz#1200); ok markus@
d9d96f7a 1253 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Remove long-unneeded compat
1254 code, replace with equivalent cygwin library call. Patch from vinschen
3a69fb58 1255 at redhat.com, ok djm@.
1256 - (djm) [sshconnect2.c] vis.h isn't available everywhere
e5df5ff2 1257
b8c9ea19 125820080716
1259 - OpenBSD CVS Sync
1260 - djm@cvs.openbsd.org 2008/07/15 02:23:14
1261 [sftp.1]
1262 number of pipelined requests is now 64;
1263 prodded by Iain.Morgan AT nasa.gov
dfe666f6 1264 - djm@cvs.openbsd.org 2008/07/16 11:51:14
1265 [clientloop.c]
1266 rename variable first_gc -> last_gc (since it is actually the last
1267 in the list).
cdfbc829 1268 - djm@cvs.openbsd.org 2008/07/16 11:52:19
1269 [channels.c]
1270 this loop index should be automatic, not static
b8c9ea19 1271
322b3f02 127220080714
1273 - (djm) OpenBSD CVS Sync
1274 - sthen@cvs.openbsd.org 2008/07/13 21:22:52
1275 [ssh-keygen.c]
1276 Change "ssh-keygen -F [host] -l" to not display random art unless
1277 -v is also specified, making it consistent with the manual and other
1278 uses of -l.
1279 ok grunk@
9fb764ab 1280 - djm@cvs.openbsd.org 2008/07/13 22:13:07
1281 [channels.c]
1282 use struct sockaddr_storage instead of struct sockaddr for accept(2)
1283 address argument. from visibilis AT yahoo.com in bz#1485; ok markus@
873722cc 1284 - djm@cvs.openbsd.org 2008/07/13 22:16:03
1285 [sftp.c]
1286 increase number of piplelined requests so they properly fill the
1287 (recently increased) channel window. prompted by rapier AT psc.edu;
1288 ok markus@
66fba053 1289 - djm@cvs.openbsd.org 2008/07/14 01:55:56
1290 [sftp-server.8]
1291 mention requirement for /dev/log inside chroot when using sftp-server
1292 with ChrootDirectory
6c6bb9a6 1293 - (djm) [openbsd-compat/bindresvport.c] Rename variables s/sin/in/ to
1294 avoid clash with sin(3) function; reported by
1295 cristian.ionescu-idbohrn AT axis.com
7be182d4 1296 - (djm) [openbsd-compat/rresvport.c] Add unistd.h for missing close()
1297 prototype; reported by cristian.ionescu-idbohrn AT axis.com
6a9c22a5 1298 - (djm) [umac.c] Rename variable s/buffer_ptr/bufp/ to avoid clash;
1299 reported by cristian.ionescu-idbohrn AT axis.com
7ea1abf7 1300 - (djm) [contrib/cygwin/Makefile contrib/cygwin/ssh-host-config]
1301 [contrib/cygwin/ssh-user-config contrib/cygwin/sshd-inetd]
1302 Revamped and simplified Cygwin ssh-host-config script that uses
1303 unified csih configuration tool. Requires recent Cygwin.
1304 Patch from vinschen AT redhat.com
322b3f02 1305
267d5589 130620080712
1307 - (djm) OpenBSD CVS Sync
1308 - djm@cvs.openbsd.org 2008/07/12 04:52:50
1309 [channels.c]
1310 unbreak; move clearing of cctx struct to before first use
1311 reported by dkrause@
da9a823d 1312 - djm@cvs.openbsd.org 2008/07/12 05:33:41
1313 [scp.1]
1314 better description for -i flag:
1315 s/RSA authentication/public key authentication/
2ade01eb 1316 - (djm) [openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h]
1317 return EAI_FAMILY when trying to lookup unsupported address family;
1318 from vinschen AT redhat.com
267d5589 1319
971deff8 132020080711
1321 - (djm) OpenBSD CVS Sync
1322 - stevesk@cvs.openbsd.org 2008/07/07 00:31:41
1323 [ttymodes.c]
1324 we don't need arg after the debug3() was removed. from lint.
1325 ok djm@
d5b5b8f6 1326 - stevesk@cvs.openbsd.org 2008/07/07 23:32:51
1327 [key.c]
1328 /*NOTREACHED*/ for lint warning:
1329 warning: function key_equal falls off bottom without returning value
1330 ok djm@
6eb3f18c 1331 - markus@cvs.openbsd.org 2008/07/10 18:05:58
1332 [channels.c]
1333 missing bzero; from mickey; ok djm@
e8e08a80 1334 - markus@cvs.openbsd.org 2008/07/10 18:08:11
1335 [clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c]
1336 sync v1 and v2 traffic accounting; add it to sshd, too;
1337 ok djm@, dtucker@
971deff8 1338
17969fcc 133920080709
1340 - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass
b5fc5d94 1341 - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM
1342 account check failure path. The vulnerable format buffer is supplied
1343 from PAM and should not contain attacker-supplied data.
78cb4705 1344 - (djm) [auth.c] Missing unistd.h for close()
b5902374 1345 - (djm) [configure.ac] Add -Wformat-security to CFLAGS for gcc 3.x and 4.x
17969fcc 1346
3fde0623 134720080705
1348 - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed
1349 passwords disabled. bz#1083 report & patch from senthilkumar_sen AT
1350 hotpop.com, w/ dtucker@
e8983917 1351 - (djm) [atomicio.c configure.ac] Disable poll() fallback in atomiciov for
1352 Tru64. readv doesn't seem to be a comparable object there.
1353 bz#1386, patch from dtucker@ ok me
b8d635d0 1354 - (djm) [Makefile.in] Pass though pass to conch for interop tests
6ed8a3ae 1355 - (djm) [configure.ac] unbreak: remove extra closing brace
d38d9a80 1356 - (djm) OpenBSD CVS Sync
1357 - djm@cvs.openbsd.org 2008/07/04 23:08:25
1358 [packet.c]
1359 handle EINTR in packet_write_poll()l ok dtucker@
71709bcd 1360 - djm@cvs.openbsd.org 2008/07/04 23:30:16
1361 [auth1.c auth2.c]
1362 Make protocol 1 MaxAuthTries logic match protocol 2's.
1363 Do not treat the first protocol 2 authentication attempt as
1364 a failure IFF it is for method "none".
1365 Makes MaxAuthTries' user-visible behaviour identical for
1366 protocol 1 vs 2.
1367 ok dtucker@
3086db6e 1368 - djm@cvs.openbsd.org 2008/07/05 05:16:01
1369 [PROTOCOL]
1370 grammar
3fde0623 1371
a0d38609 137220080704
1373 - (dtucker) OpenBSD CVS Sync
1374 - djm@cvs.openbsd.org 2008/07/02 13:30:34
1375 [auth2.c]
1376 really really remove the freebie "none" auth try for protocol 2
6c777090 1377 - djm@cvs.openbsd.org 2008/07/02 13:47:39
1378 [ssh.1 ssh.c]
1379 When forking after authentication ("ssh -f") with ExitOnForwardFailure
1380 enabled, delay the fork until after replies for any -R forwards have
1381 been seen. Allows for robust detection of -R forward failure when
1382 using -f (similar to bz#92); ok dtucker@
f0b9fde3 1383 - otto@cvs.openbsd.org 2008/07/03 21:46:58
1384 [auth2-pubkey.c]
1385 avoid nasty double free; ok dtucker@ djm@
cece208b 1386 - djm@cvs.openbsd.org 2008/07/04 03:44:59
1387 [servconf.c groupaccess.h groupaccess.c]
1388 support negation of groups in "Match group" block (bz#1315); ok dtucker@
c54d3d1c 1389 - dtucker@cvs.openbsd.org 2008/07/04 03:47:02
1390 [monitor.c]
1391 Make debug a little clearer. ok djm@
c7cbf377 1392 - djm@cvs.openbsd.org 2008/06/30 08:07:34
1393 [regress/key-options.sh]
1394 shell portability: use "=" instead of "==" in test(1) expressions,
1395 double-quote string with backslash escaped /
8a972082 1396 - djm@cvs.openbsd.org 2008/06/30 10:31:11
1397 [regress/{putty-transfer,putty-kex,putty-ciphers}.sh]
1398 remove "set -e" left over from debugging
9b0c87d9 1399 - djm@cvs.openbsd.org 2008/06/30 10:43:03
1400 [regress/conch-ciphers.sh]
1401 explicitly disable conch options that could interfere with the test
97e61398 1402 - (dtucker) [sftp-server.c] Bug #1447: fall back to racy rename if link
1403 returns EXDEV. Patch from Mike Garrison, ok djm@
5a0c8771 1404 - (djm) [atomicio.c channels.c clientloop.c defines.h includes.h]
1405 [packet.c scp.c serverloop.c sftp-client.c ssh-agent.c ssh-keyscan.c]
1406 [sshd.c] Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on
1407 some platforms (HP nonstop) it is a distinct errno;
1408 bz#1467 reported by sconeu AT yahoo.com; ok dtucker@
1409
8f02e0be 141020080702
1411 - (dtucker) OpenBSD CVS Sync
1412 - djm@cvs.openbsd.org 2008/06/30 08:05:59
1413 [PROTOCOL.agent]
1414 typo: s/constraint_date/constraint_data/
fb5582f7 1415 - djm@cvs.openbsd.org 2008/06/30 12:15:39
1416 [serverloop.c]
1417 only pass channel requests on session channels through to the session
1418 channel handler, avoiding spurious log messages; ok! markus@
4d92dbc1 1419 - djm@cvs.openbsd.org 2008/06/30 12:16:02
1420 [nchan.c]
1421 only send eow@openssh.com notifications for session channels; ok! markus@
8fb1ddc9 1422 - djm@cvs.openbsd.org 2008/06/30 12:18:34
1423 [PROTOCOL]
1424 clarify that eow@openssh.com is only sent on session channels
979b31ed 1425 - dtucker@cvs.openbsd.org 2008/07/01 07:20:52
1426 [sshconnect.c]
1427 Check ExitOnForwardFailure if forwardings are disabled due to a failed
1428 host key check. ok djm@
f9b45eaf 1429 - dtucker@cvs.openbsd.org 2008/07/01 07:24:22
1430 [sshconnect.c sshd.c]
1431 Send CR LF during protocol banner exchanges, but only for Protocol 2 only,
1432 in order to comply with RFC 4253. bz #1443, ok djm@
5ebed98d 1433 - stevesk@cvs.openbsd.org 2008/07/01 23:12:47
1434 [PROTOCOL.agent]
1435 fix some typos; ok djm@
39ceddb7 1436 - djm@cvs.openbsd.org 2008/07/02 02:24:18
1437 [sshd_config sshd_config.5 sshd.8 servconf.c]
1438 increase default size of ssh protocol 1 ephemeral key from 768 to 1024
1439 bits; prodded by & ok dtucker@ ok deraadt@
f7c2a004 1440 - dtucker@cvs.openbsd.org 2008/07/02 12:03:51
1441 [auth-rsa.c auth.c auth2-pubkey.c auth.h]
1442 Merge duplicate host key file checks, based in part on a patch from Rob
1443 Holland via bz #1348 . Also checks for non-regular files during protocol
1444 1 RSA auth. ok djm@
221fc73c 1445 - djm@cvs.openbsd.org 2008/07/02 12:36:39
1446 [auth2-none.c auth2.c]
1447 Make protocol 2 MaxAuthTries behaviour a little more sensible:
1448 Check whether client has exceeded MaxAuthTries before running
1449 an authentication method and skip it if they have, previously it
1450 would always allow one try (for "none" auth).
1451 Preincrement failure count before post-auth test - previously this
1452 checked and postincremented, also to allow one "none" try.
1453 Together, these two changes always count the "none" auth method
1454 which could be skipped by a malicious client (e.g. an SSH worm)
1455 to get an extra attempt at a real auth method. They also make
1456 MaxAuthTries=0 a useful way to block users entirely (esp. in a
1457 sshd_config Match block).
1458 Also, move sending of any preauth banner from "none" auth method
1459 to the first call to input_userauth_request(), so worms that skip
1460 the "none" method get to see it too.
8f02e0be 1461
00b7389d 146220080630
1463 - (djm) OpenBSD CVS Sync
1464 - dtucker@cvs.openbsd.org 2008/06/10 23:13:43
1465 [regress/Makefile regress/key-options.sh]
1466 Add regress test for key options. ok djm@
86d745dc 1467 - dtucker@cvs.openbsd.org 2008/06/11 23:11:40
014f1b23 1468 [regress/Makefile]
86d745dc 1469 Don't run cipher-speed test by default; mistakenly enabled by me
014f1b23 1470 - djm@cvs.openbsd.org 2008/06/28 13:57:25
1471 [regress/Makefile regress/test-exec.sh regress/conch-ciphers.sh]
1472 very basic regress test against Twisted Conch in "make interop"
1473 target (conch is available in ports/devel/py-twisted/conch);
1474 ok markus@
8476b024 1475 - (djm) [regress/Makefile] search for conch by path, like we do putty
00b7389d 1476
aa47edcc 147720080629
1478 - (djm) OpenBSD CVS Sync
1479 - martynas@cvs.openbsd.org 2008/06/21 07:46:46
1480 [sftp.c]
1481 use optopt to get invalid flag, instead of return value of getopt,
1482 which is always '?'; ok djm@
ccf0fcb6 1483 - otto@cvs.openbsd.org 2008/06/25 11:13:43
1484 [key.c]
1485 add key length to visual fingerprint; zap magical constants;
1486 ok grunk@ djm@
681efe9f 1487 - djm@cvs.openbsd.org 2008/06/26 06:10:09
1488 [sftp-client.c sftp-server.c]
1489 allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky
1490 bits. Note that this only affects explicit setting of modes (e.g. via
1491 sftp(1)'s chmod command) and not file transfers. (bz#1310)
1492 ok deraadt@ at c2k8
b080d398 1493 - djm@cvs.openbsd.org 2008/06/26 09:19:40
1494 [dh.c dh.h moduli.c]
1495 when loading moduli from /etc/moduli in sshd(8), check that they
1496 are of the expected "safe prime" structure and have had
1497 appropriate primality tests performed;
1498 feedback and ok dtucker@
7b3999b8 1499 - grunk@cvs.openbsd.org 2008/06/26 11:46:31
1500 [readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c]
1501 Move SSH Fingerprint Visualization away from sharing the config option
1502 CheckHostIP to an own config option named VisualHostKey.
1503 While there, fix the behaviour that ssh would draw a random art picture
1504 on every newly seen host even when the option was not enabled.
1505 prodded by deraadt@, discussions,
1506 help and ok markus@ djm@ dtucker@
2e8d3306 1507 - jmc@cvs.openbsd.org 2008/06/26 21:11:46
1508 [ssh.1]
1509 add VisualHostKey to the list of options listed in -o;
cda43f66 1510 - djm@cvs.openbsd.org 2008/06/28 07:25:07
1511 [PROTOCOL]
1512 spelling fixes
c525650a 1513 - djm@cvs.openbsd.org 2008/06/28 13:58:23
1514 [ssh-agent.c]
1515 refuse to add a key that has unknown constraints specified;
1516 ok markus
9ee2fb0e 1517 - djm@cvs.openbsd.org 2008/06/28 14:05:15
1518 [ssh-agent.c]
1519 reset global compat flag after processing a protocol 2 signature
1520 request with the legacy DSA encoding flag set; ok markus
ab3eb078 1521 - djm@cvs.openbsd.org 2008/06/28 14:08:30
1522 [PROTOCOL PROTOCOL.agent]
1523 document the protocol used by ssh-agent; "looks ok" markus@
aa47edcc 1524
f6351d4d 152520080628
1526 - (djm) [RFC.nroff contrib/cygwin/Makefile contrib/suse/openssh.spec]
1527 RFC.nroff lacks a license, remove it (it is long gone in OpenBSD).
1528
bd6b3feb 152920080626
1530 - (djm) [Makefile.in moduli.5] Include moduli(5) manpage from OpenBSD.
1531 (bz#1372)
a32d8b38 1532 - (djm) [ contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
1533 [contrib/suse/openssh.spec] Include moduli.5 in RPM spec files.
bd6b3feb 1534
b3784859 153520080616
1536 - (dtucker) OpenBSD CVS Sync
1537 - dtucker@cvs.openbsd.org 2008/06/16 13:22:53
1538 [session.c channels.c]
1539 Rename the isatty argument to is_tty so we don't shadow
1540 isatty(3). ok markus@
245f4d36 1541 - (dtucker) [channels.c] isatty -> is_tty here too.
b3784859 1542
b55b0285 154320080615
1544 - (dtucker) [configure.ac] Enable -fno-builtin-memset when using gcc.
081573fe 1545 - OpenBSD CVS Sync
1546 - dtucker@cvs.openbsd.org 2008/06/14 15:49:48
1547 [sshd.c]
1548 wrap long line at 80 chars
26512357 1549 - dtucker@cvs.openbsd.org 2008/06/14 17:07:11
1550 [sshd.c]
1551 ensure default umask disallows at least group and world write; ok djm@
2608aa2b 1552 - djm@cvs.openbsd.org 2008/06/14 18:33:43
1553 [session.c]
1554 suppress the warning message from chdir(homedir) failures
1555 when chrooted (bz#1461); ok dtucker
49c5f262 1556 - dtucker@cvs.openbsd.org 2008/06/14 19:42:10
1557 [scp.1]
1558 Mention that scp follows symlinks during -r. bz #1466,
1559 from nectar at apple
d97287d3 1560 - dtucker@cvs.openbsd.org 2008/06/15 16:55:38
1561 [sshd_config.5]
1562 MaxSessions is allowed in a Match block too
8086aeb2 1563 - dtucker@cvs.openbsd.org 2008/06/15 16:58:40
1564 [servconf.c sshd_config.5]
1565 Allow MaxAuthTries within a Match block. ok djm@
c9478090 1566 - djm@cvs.openbsd.org 2008/06/15 20:06:26
1567 [channels.c channels.h session.c]
1568 don't call isatty() on a pty master, instead pass a flag down to
1569 channel_set_fds() indicating that te fds refer to a tty. Fixes a
1570 hang on exit on Solaris (bz#1463) in portable but is actually
1571 a generic bug; ok dtucker deraadt markus
b55b0285 1572
add357c6 157320080614
1574 - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction
1575 replacement code; patch from ighighi AT gmail.com in bz#1240;
1576 ok dtucker
1577
849d3ceb 157820080613
1579 - (dtucker) OpenBSD CVS Sync
1580 - deraadt@cvs.openbsd.org 2008/06/13 09:44:36
1581 [packet.c]
1582 compile on older gcc; no decl after code
52ad6b9a 1583 - dtucker@cvs.openbsd.org 2008/06/13 13:56:59
1584 [monitor.c]
1585 Clear key options in the monitor on failed authentication, prevents
1586 applying additional restrictions to non-pubkey authentications in
1587 the case where pubkey fails but another method subsequently succeeds.
1588 bz #1472, found by Colin Watson, ok markus@ djm@
1d0b7aaa 1589 - dtucker@cvs.openbsd.org 2008/06/13 14:18:51
1590 [auth2-pubkey.c auth-rhosts.c]
1591 Include unistd.h for close(), prevents warnings in -portable
a3f13d60 1592 - dtucker@cvs.openbsd.org 2008/06/13 17:21:20
1593 [mux.c]
1594 Friendlier error messages for mux fallback. ok djm@
a15e7da1 1595 - dtucker@cvs.openbsd.org 2008/06/13 18:55:22
1596 [scp.c]
1597 Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@
990ada29 1598 - grunk@cvs.openbsd.org 2008/06/13 20:13:26
1599 [ssh.1]
1600 Explain the use of SSH fpr visualization using random art, and cite the
1601 original scientific paper inspiring that technique.
1602 Much help with English and nroff by jmc@, thanks.
596a825b 1603 - (dtucker) [configure.ac] Bug #1276: avoid linking against libgssapi, which
1604 despite its name doesn't seem to implement all of GSSAPI. Patch from
1605 Jan Engelhardt, sanity checked by Simon Wilkinson.
849d3ceb 1606
9754b94b 160720080612
1608 - (dtucker) OpenBSD CVS Sync
1609 - jmc@cvs.openbsd.org 2008/06/11 07:30:37
1610 [sshd.8]
1611 kill trailing whitespace;
aff73c5f 1612 - grunk@cvs.openbsd.org 2008/06/11 21:01:35
1613 [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c
1614 sshconnect.c]
1615 Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the
1616 graphical hash visualization schemes known as "random art", and by
1617 Dan Kaminsky's musings on the subject during a BlackOp talk at the
1618 23C3 in Berlin.
1619 Scientific publication (original paper):
1620 "Hash Visualization: a New Technique to improve Real-World Security",
1621 Perrig A. and Song D., 1999, International Workshop on Cryptographic
1622 Techniques and E-Commerce (CrypTEC '99)
1623 http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
1624 The algorithm used here is a worm crawling over a discrete plane,
1625 leaving a trace (augmenting the field) everywhere it goes.
1626 Movement is taken from dgst_raw 2bit-wise. Bumping into walls
1627 makes the respective movement vector be ignored for this turn,
1628 thus switching to the other color of the chessboard.
1629 Graphs are not unambiguous for now, because circles in graphs can be
1630 walked in either direction.
1631 discussions with several people,
1632 help, corrections and ok markus@ djm@
93778882 1633 - grunk@cvs.openbsd.org 2008/06/11 21:38:25
1634 [ssh-keygen.c]
1635 ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub
1636 would not display you the random art as intended, spotted by canacar@
639211b7 1637 - grunk@cvs.openbsd.org 2008/06/11 22:20:46
1638 [ssh-keygen.c ssh-keygen.1]
1639 ssh-keygen would write fingerprints to STDOUT, and random art to STDERR,
1640 that is not how it was envisioned.
1641 Also correct manpage saying that -v is needed along with -l for it to work.
1642 spotted by naddy@
e3115002 1643 - otto@cvs.openbsd.org 2008/06/11 23:02:22
1644 [key.c]
1645 simpler way of computing the augmentations; ok grunk@
fe88400f 1646 - grunk@cvs.openbsd.org 2008/06/11 23:03:56
1647 [ssh_config.5]
1648 CheckHostIP set to ``fingerprint'' will display both hex and random art
1649 spotted by naddy@
97841001 1650 - grunk@cvs.openbsd.org 2008/06/11 23:51:57
1651 [key.c]
1652 #define statements that are not atoms need braces around them, else they
1653 will cause trouble in some cases.
1654 Also do a computation of -1 once, and not in a loop several times.
1655 spotted by otto@
e907df41 1656 - dtucker@cvs.openbsd.org 2008/06/12 00:03:49
1657 [dns.c canohost.c sshconnect.c]
1658 Do not pass "0" strings as ports to getaddrinfo because the lookups
1659 can slow things down and we never use the service info anyway. bz
1660 #859, patch from YOSHIFUJI Hideaki and John Devitofranceschi. ok
1661 deraadt@ djm@
1662 djm belives that the reason for the "0" strings is to ensure that
1663 it's not possible to call getaddrinfo with both host and port being
1664 NULL. In the case of canohost.c host is a local array. In the
1665 case of sshconnect.c, it's checked for null immediately before use.
1666 In dns.c it ultimately comes from ssh.c:main() and is guaranteed to
1667 be non-null but it's not obvious, so I added a warning message in
1668 case it is ever passed a null.
1669 - grunk@cvs.openbsd.org 2008/06/12 00:13:55
1670 [sshconnect.c]
1671 Make ssh print the random art also when ssh'ing to a host using IP only.
1672 spotted by naddy@, ok and help djm@ dtucker@
208cc0ee 1673 - otto@cvs.openbsd.org 2008/06/12 00:13:13
1674 [key.c]
1675 use an odd number of rows and columns and a separate start marker, looks
1676 better; ok grunk@
f17f705b 1677 - djm@cvs.openbsd.org 2008/06/12 03:40:52
1678 [clientloop.h mux.c channels.c clientloop.c channels.h]
1679 Enable ~ escapes for multiplex slave sessions; give each channel
1680 its own escape state and hook the escape filters up to muxed
1681 channels. bz #1331
1682 Mux slaves do not currently support the ~^Z and ~& escapes.
1683 NB. this change cranks the mux protocol version, so a new ssh
1684 mux client will not be able to connect to a running old ssh
1685 mux master.
1686 ok dtucker@
72becb62 1687 - djm@cvs.openbsd.org 2008/06/12 04:06:00
1688 [clientloop.h ssh.c clientloop.c]
1689 maintain an ordered queue of outstanding global requests that we
1690 expect replies to, similar to the per-channel confirmation queue.
1691 Use this queue to verify success or failure for remote forward
1692 establishment in a race free way.
1693 ok dtucker@
344f1d3d 1694 - djm@cvs.openbsd.org 2008/06/12 04:17:47
1695 [clientloop.c]
1696 thall shalt not code past the eightieth column
e8097dc9 1697 - djm@cvs.openbsd.org 2008/06/12 04:24:06
1698 [ssh.c]
1699 thal shalt not code past the eightieth column
9bcf03ce 1700 - djm@cvs.openbsd.org 2008/06/12 05:15:41
1701 [PROTOCOL]
1702 document tun@openssh.com forwarding method
aacab402 1703 - djm@cvs.openbsd.org 2008/06/12 05:32:30
1704 [mux.c]
1705 some more TODO for me
2bb50d23 1706 - grunk@cvs.openbsd.org 2008/06/12 05:42:46
1707 [key.c]
1708 supply the key type (rsa1, rsa, dsa) as a caption in the frame of the
1709 random art. while there, stress the fact that the field base should at
1710 least be 8 characters for the pictures to make sense.
1711 comment and ok djm@
1712 - grunk@cvs.openbsd.org 2008/06/12 06:32:59
1713 [key.c]
1714 We already mark the start of the worm, now also mark the end of the worm
1715 in our random art drawings.
1716 ok djm@
e74caf1e 1717 - djm@cvs.openbsd.org 2008/06/12 15:19:17
1718 [clientloop.h channels.h clientloop.c channels.c mux.c]
1719 The multiplexing escape char handler commit last night introduced a
1720 small memory leak per session; plug it.
e9d0b573 1721 - dtucker@cvs.openbsd.org 2008/06/12 16:35:31
1722 [ssh_config.5 ssh.c]
1723 keyword expansion for localcommand. ok djm@
a64f8307 1724 - jmc@cvs.openbsd.org 2008/06/12 19:10:09
1725 [ssh_config.5 ssh-keygen.1]
1726 tweak the ascii art text; ok grunk
bc2d97c8 1727 - dtucker@cvs.openbsd.org 2008/06/12 20:38:28
1728 [sshd.c sshconnect.c packet.h misc.c misc.h packet.c]
1729 Make keepalive timeouts apply while waiting for a packet, particularly
1730 during key renegotiation (bz #1363). With djm and Matt Day, ok djm@
ad39a852 1731 - djm@cvs.openbsd.org 2008/06/12 20:47:04
1732 [sftp-client.c]
1733 print extension revisions for extensions that we understand
07d8d480 1734 - djm@cvs.openbsd.org 2008/06/12 21:06:25
1735 [clientloop.c]
1736 I was coalescing expected global request confirmation replies at
1737 the wrong end of the queue - fix; prompted by markus@
31de76cc 1738 - grunk@cvs.openbsd.org 2008/06/12 21:14:46
1739 [ssh-keygen.c]
1740 make ssh-keygen -lf show the key type just as ssh-add -l would do it
1741 ok djm@ markus@
f97fb6ca 1742 - grunk@cvs.openbsd.org 2008/06/12 22:03:36
1743 [key.c]
1744 add my copyright, ok djm@
6d8216ff 1745 - ian@cvs.openbsd.org 2008/06/12 23:24:58
1746 [sshconnect.c]
1747 tweak wording in message, ok deraadt@ jmc@
2c83cd01 1748 - dtucker@cvs.openbsd.org 2008/06/13 00:12:02
1749 [sftp.h log.h]
1750 replace __dead with __attribute__((noreturn)), makes things
1751 a little easier to port. Also, add it to sigdie(). ok djm@
b97ea6eb 1752 - djm@cvs.openbsd.org 2008/06/13 00:16:49
1753 [mux.c]
1754 fall back to creating a new TCP connection on most multiplexing errors
1755 (socket connect fail, invalid version, refused permittion, corrupted
1756 messages, etc.); bz #1329 ok dtucker@
243cc316 1757 - dtucker@cvs.openbsd.org 2008/06/13 00:47:53
1758 [mux.c]
1759 upcast size_t to u_long to match format arg; ok djm@
041f11dc 1760 - dtucker@cvs.openbsd.org 2008/06/13 00:51:47
1761 [mac.c]
1762 upcast another size_t to u_long to match format
852eb76b 1763 - dtucker@cvs.openbsd.org 2008/06/13 01:38:23
1764 [misc.c]
1765 upcast uid to long with matching %ld, prevents warnings in portable
632f2669 1766 - djm@cvs.openbsd.org 2008/06/13 04:40:22
1767 [auth2-pubkey.c auth-rhosts.c]
1768 refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not
1769 regular files; report from Solar Designer via Colin Watson in bz#1471
1770 ok dtucker@ deraadt
136d0181 1771 - (dtucker) [clientloop.c serverloop.c] channel_register_filter now
1772 takes 2 more args. with djm@
49190c3d 1773 - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch
1774 from Todd Vierling.
02e605ed 1775 - (dtucker) [auth-sia.c] Bug #1241: support password expiry on Tru64 SIA
1776 systems. Patch from R. Scott Bailey.
c694c610 1777 - (dtucker) [umac.c] STORE_UINT32_REVERSED and endian_convert are never used
1778 on big endian machines, so ifdef them for little-endian only to prevent
1779 unused function warnings on big-endians.
56f77432 1780 - (dtucker) [openbsd-compat/setenv.c] Make offsets size_t to prevent
1781 compiler warnings on some platforms. Based on a discussion with otto@
9754b94b 1782
554ebbed 178320080611
1784 - (djm) [channels.c configure.ac]
1785 Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no)
1786 bz#1464; ok dtucker
1787
15b5fa9b 178820080610
1789 - (dtucker) OpenBSD CVS Sync
1790 - djm@cvs.openbsd.org 2008/06/10 03:57:27
1791 [servconf.c match.h sshd_config.5]
1792 support CIDR address matching in sshd_config "Match address" blocks, with
1793 full support for negation and fall-back to classic wildcard matching.
1794 For example:
1795 Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
1796 PasswordAuthentication yes
1797 addrmatch.c code mostly lifted from flowd's addr.c
1798 feedback and ok dtucker@
8b671558 1799 - djm@cvs.openbsd.org 2008/06/10 04:17:46
1800 [sshd_config.5]
1801 better reference for pattern-list
1760c982 1802 - dtucker@cvs.openbsd.org 2008/06/10 04:50:25
1803 [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8]
1804 Add extended test mode (-T) and connection parameters for test mode (-C).
1805 -T causes sshd to write its effective configuration to stdout and exit.
1806 -C causes any relevant Match rules to be applied before output. The
1807 combination allows tesing of the parser and config files. ok deraadt djm
01e9e424 1808 - jmc@cvs.openbsd.org 2008/06/10 07:12:00
1809 [sshd_config.5]
1810 tweak previous;
3b42e3ac 1811 - jmc@cvs.openbsd.org 2008/06/10 08:17:40
1812 [sshd.8 sshd.c]
1813 - update usage()
1814 - fix SYNOPSIS, and sort options
1815 - some minor additional fixes
f0528444 1816 - dtucker@cvs.openbsd.org 2008/06/09 18:06:32
1817 [regress/test-exec.sh]
1818 Don't generate putty keys if we're not going to use them. ok djm
16d46c30 1819 - dtucker@cvs.openbsd.org 2008/06/10 05:23:32
1820 [regress/addrmatch.sh regress/Makefile]
1821 Regress test for Match CIDR rules. ok djm@
94edc013 1822 - dtucker@cvs.openbsd.org 2008/06/10 15:21:41
1823 [test-exec.sh]
1824 Use a more portable construct for checking if we're running a putty test
64c576e9 1825 - dtucker@cvs.openbsd.org 2008/06/10 15:28:49
1826 [test-exec.sh]
1827 Add quotes
f6748d7b 1828 - dtucker@cvs.openbsd.org 2008/06/10 18:21:24
1829 [ssh_config.5]
1830 clarify that Host patterns are space-separated. ok deraadt
3f0444ca 1831 - djm@cvs.openbsd.org 2008/06/10 22:15:23
1832 [PROTOCOL ssh.c serverloop.c]
1833 Add a no-more-sessions@openssh.com global request extension that the
1834 client sends when it knows that it will never request another session
1835 (i.e. when session multiplexing is disabled). This allows a server to
1836 disallow further session requests and terminate the session.
1837 Why would a non-multiplexing client ever issue additional session
1838 requests? It could have been attacked with something like SSH'jack:
1839 http://www.storm.net.nz/projects/7
1840 feedback & ok markus
b3b048d6 1841 - djm@cvs.openbsd.org 2008/06/10 23:06:19
1842 [auth-options.c match.c servconf.c addrmatch.c sshd.8]
1843 support CIDR address matching in .ssh/authorized_keys from="..." stanzas
1844 ok and extensive testing dtucker@
8fb12ef0 1845 - dtucker@cvs.openbsd.org 2008/06/10 23:21:34
1846 [bufaux.c]
1847 Use '\0' for a nul byte rather than unadorned 0. ok djm@
a6d05adf 1848 - dtucker@cvs.openbsd.org 2008/06/10 23:13:43
1849 [Makefile regress/key-options.sh]
1850 Add regress test for key options. ok djm@
edee47f5 1851 - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6
1852 since the new CIDR code in addmatch.c references it.
1853 - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6
1854 specific tests on platforms that don't do IPv6.
8ac1d2eb 1855 - (dtucker) [Makefile.in] Define TEST_SSH_IPV6 in make's arguments as well
1856 as environment.
0694c78f 1857 - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now.
15b5fa9b 1858
10e804f4 185920080609
1860 - (dtucker) OpenBSD CVS Sync
1861 - dtucker@cvs.openbsd.org 2008/06/08 17:04:41
1862 [sftp-server.c]
1863 Add case for ENOSYS in errno_to_portable; ok deraadt
5a3cde15 1864 - dtucker@cvs.openbsd.org 2008/06/08 20:15:29
1865 [sftp.c sftp-client.c sftp-client.h]
1866 Have the sftp client store the statvfs replies in wire format,
1867 which prevents problems when the server's native sizes exceed the
1868 client's.
1869 Also extends the sizes of the remaining 32bit wire format to 64bit,
1870 they're specified as unsigned long in the standard.
7290afcb 1871 - dtucker@cvs.openbsd.org 2008/06/09 13:02:39
2626070f 1872 [sftp-server.c]
7290afcb 1873 Extend 32bit -> 64bit values for statvfs extension missed in previous
1874 commit.
2626070f 1875 - dtucker@cvs.openbsd.org 2008/06/09 13:38:46
1876 [PROTOCOL]
1877 Use a $OpenBSD tag so our scripts will sync changes.
10e804f4 1878
22f5e872 187920080608
1880 - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c
1881 openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
1882 openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and
1883 fstatvfs and remove #defines around statvfs code. ok djm@
7a4f468b 1884 - (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a
1885 macro to convert fsid to unsigned long for platforms where fsid is a
1886 2-member array.
22f5e872 1887
0894bbed 188820080607
1889 - (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H.
4538e135 1890 - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c]
1891 Do not enable statvfs extensions on platforms that do not have statvfs.
2abb1ef5 1892 - (dtucker) OpenBSD CVS Sync
1893 - djm@cvs.openbsd.org 2008/05/19 06:14:02
1894 [packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@
82bb6f20 1895 - djm@cvs.openbsd.org 2008/05/19 15:45:07
1896 [sshtty.c ttymodes.c sshpty.h]
1897 Fix sending tty modes when stdin is not a tty (bz#1199). Previously
1898 we would send the modes corresponding to a zeroed struct termios,
1899 whereas we should have been sending an empty list of modes.
1900 Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
048acbeb 1901 - djm@cvs.openbsd.org 2008/05/19 15:46:31
1902 [ssh-keygen.c]
1903 support -l (print fingerprint) in combination with -F (find host) to
1904 search for a host in ~/.ssh/known_hosts and display its fingerprint;
1905 ok markus@
4651c790 1906 - djm@cvs.openbsd.org 2008/05/19 20:53:52
1907 [clientloop.c]
1908 unbreak tree by committing this bit that I missed from:
1909 Fix sending tty modes when stdin is not a tty (bz#1199). Previously
1910 we would send the modes corresponding to a zeroed struct termios,
1911 whereas we should have been sending an empty list of modes.
1912 Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
0894bbed 1913
07e61b8a 191420080604
1915 - (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias
1916 in arc4random_uniform with upper_bound in (2^30,2*31). Note that
1917 OpenSSH did not make requests with upper bounds in this range.
1918
b3ef88dc 191920080519
1920 - (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in]
1921 [openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h]
1922 Fix compilation on Linux, including pulling in fmt_scaled(3)
1923 implementation from OpenBSD's libutil.
1924
9b04dbaa 192520080518
1926 - (djm) OpenBSD CVS Sync
1927 - djm@cvs.openbsd.org 2008/04/04 05:14:38
1928 [sshd_config.5]
1929 ChrootDirectory is supported in Match blocks (in fact, it is most useful
1930 there). Spotted by Minstrel AT minstrel.org.uk
5b76e3ef 1931 - djm@cvs.openbsd.org 2008/04/04 06:44:26
1932 [sshd_config.5]
1933 oops, some unrelated stuff crept into that commit - backout.
1934 spotted by jmc@
ade21243 1935 - djm@cvs.openbsd.org 2008/04/05 02:46:02
1936 [sshd_config.5]
1937 HostbasedAuthentication is supported under Match too
185adaf8 1938 - (djm) [openbsd-compat/bsd-arc4random.c openbsd-compat/openbsd-compat.c]
1939 [configure.ac] Implement arc4random_buf(), import implementation of
1940 arc4random_uniform() from OpenBSD
936e7c8c 1941 - (djm) [openbsd-compat/bsd-arc4random.c] Warning fixes
c49ce62e 1942 - (djm) [openbsd-compat/port-tun.c] needs sys/queue.h
c1d152b8 1943 - (djm) OpenBSD CVS Sync
1944 - djm@cvs.openbsd.org 2008/04/13 00:22:17
1945 [dh.c sshd.c]
1946 Use arc4random_buf() when requesting more than a single word of output
1947 Use arc4random_uniform() when the desired random number upper bound
1948 is not a power of two
1949 ok deraadt@ millert@
360b43ab 1950 - djm@cvs.openbsd.org 2008/04/18 12:32:11
1951 [sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h]
1952 introduce sftp extension methods statvfs@openssh.com and
1953 fstatvfs@openssh.com that implement statvfs(2)-like operations,
1954 based on a patch from miklos AT szeredi.hu (bz#1399)
1955 also add a "df" command to the sftp client that uses the
1956 statvfs@openssh.com to produce a df(1)-like display of filesystem
1957 space and inode utilisation
1958 ok markus@
ea530517 1959 - jmc@cvs.openbsd.org 2008/04/18 17:15:47
1960 [sftp.1]
1961 macro fixage;
48fbfda0 1962 - djm@cvs.openbsd.org 2008/04/18 22:01:33
1963 [session.c]
1964 remove unneccessary parentheses
0bb7755b 1965 - otto@cvs.openbsd.org 2008/04/29 11:20:31
1966 [monitor_mm.h]
1967 garbage collect two unused fields in struct mm_master; ok markus@
c47ff7a6 1968 - djm@cvs.openbsd.org 2008/04/30 10:14:03
1969 [ssh-keyscan.1 ssh-keyscan.c]
1970 default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by
1971 larsnooden AT openoffice.org
43c3f85c 1972 - pyr@cvs.openbsd.org 2008/05/07 05:49:37
1973 [servconf.c servconf.h session.c sshd_config.5]
1974 Enable the AllowAgentForwarding option in sshd_config (global and match
1975 context), to specify if agents should be permitted on the server.
1976 As the man page states:
1977 ``Note that disabling Agent forwarding does not improve security
1978 unless users are also denied shell access, as they can always install
1979 their own forwarders.''
1980 ok djm@, ok and a mild frown markus@
5c7e2b47 1981 - pyr@cvs.openbsd.org 2008/05/07 06:43:35
1982 [sshd_config]
1983 push the sshd_config bits in, spotted by ajacoutot@
94569631 1984 - jmc@cvs.openbsd.org 2008/05/07 08:00:14
1985 [sshd_config.5]
1986 sort;
17f02f0a 1987 - markus@cvs.openbsd.org 2008/05/08 06:59:01
1988 [bufaux.c buffer.h channels.c packet.c packet.h]
1989 avoid extra malloc/copy/free when receiving data over the net;
1990 ~10% speedup for localhost-scp; ok djm@
3593bdc0 1991 - djm@cvs.openbsd.org 2008/05/08 12:02:23
1992 [auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c]
1993 [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c]
1994 [ssh.c sshd.c]
1995 Implement a channel success/failure status confirmation callback
1996 mechanism. Each channel maintains a queue of callbacks, which will
1997 be drained in order (RFC4253 guarantees confirm messages are not
1998 reordered within an channel).
1999 Also includes a abandonment callback to clean up if a channel is
2000 closed without sending confirmation messages. This probably
2001 shouldn't happen in compliant implementations, but it could be
2002 abused to leak memory.
2003 ok markus@ (as part of a larger diff)
c6dca55e 2004 - djm@cvs.openbsd.org 2008/05/08 12:21:16
2005 [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
2006 [sshd_config sshd_config.5]
2007 Make the maximum number of sessions run-time controllable via
2008 a sshd_config MaxSessions knob. This is useful for disabling
2009 login/shell/subsystem access while leaving port-forwarding working
2010 (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
2011 simply increasing the number of allows multiplexed sessions.
2012 Because some bozos are sure to configure MaxSessions in excess of the
2013 number of available file descriptors in sshd (which, at peak, might be
2014 as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
2015 on error paths, and make it fail gracefully on out-of-fd conditions -
2016 sending channel errors instead of than exiting with fatal().
2017 bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
2018 ok markus@
95d3c124 2019 - djm@cvs.openbsd.org 2008/05/08 13:06:11
2020 [clientloop.c clientloop.h ssh.c]
2021 Use new channel status confirmation callback system to properly deal
2022 with "important" channel requests that fail, in particular command exec,
2023 shell and subsystem requests. Previously we would optimistically assume
2024 that the requests would always succeed, which could cause hangs if they
2025 did not (e.g. when the server runs out of fds) or were unimplemented by
2026 the server (bz #1384)
2027 Also, properly report failing multiplex channel requests via the mux
2028 client stderr (subject to LogLevel in the mux master) - better than
2029 silently failing.
2030 most bits ok markus@ (as part of a larger diff)
e07e21ad 2031 - djm@cvs.openbsd.org 2008/05/09 04:55:56
2032 [channels.c channels.h clientloop.c serverloop.c]
2033 Try additional addresses when connecting to a port forward destination
2034 whose DNS name resolves to more than one address. The previous behaviour
2035 was to try the first address and give up.
2036 Reported by stig AT venaas.com in bz#343
2037 great feedback and ok markus@
3bcced4c 2038 - djm@cvs.openbsd.org 2008/05/09 14:18:44
2039 [clientloop.c clientloop.h ssh.c mux.c]
2040 tidy up session multiplexing code, moving it into its own file and
2041 making the function names more consistent - making ssh.c and
2042 clientloop.c a fair bit more readable.
2043 ok markus@
6cd3e678 2044 - djm@cvs.openbsd.org 2008/05/09 14:26:08
2045 [ssh.c]
2046 dingo stole my diff hunk
ee7c3e92 2047 - markus@cvs.openbsd.org 2008/05/09 16:16:06
2048 [session.c]
2049 re-add the USE_PIPES code and enable it.
2050 without pipes shutdown-read from the sshd does not trigger
2051 a SIGPIPE when the forked program does a write.
2052 ok djm@
2053 (Id sync only, USE_PIPES never left portable OpenSSH)
271f4a13 2054 - markus@cvs.openbsd.org 2008/05/09 16:17:51
2055 [channels.c]
2056 error-fd race: don't enable the error fd in the select bitmask
2057 for channels with both in- and output closed, since the channel
2058 will go away before we call select();
2059 report, lots of debugging help and ok djm@
50c96367 2060 - markus@cvs.openbsd.org 2008/05/09 16:21:13
2061 [channels.h clientloop.c nchan.c serverloop.c]
2062 unbreak
2063 ssh -2 localhost od /bin/ls | true
2064 ignoring SIGPIPE by adding a new channel message (EOW) that signals
2065 the peer that we're not interested in any data it might send.
2066 fixes bz #85; discussion, debugging and ok djm@
d5820099 2067 - pvalchev@cvs.openbsd.org 2008/05/12 20:52:20
2068 [umac.c]
2069 Ensure nh_result lies on a 64-bit boundary (fixes warnings observed
2070 on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@
56b12440 2071 - djm@cvs.openbsd.org 2008/05/15 23:52:24
2072 [nchan2.ms]
2073 document eow message in ssh protocol 2 channel state machine;
2074 feedback and ok markus@
f8db3345 2075 - djm@cvs.openbsd.org 2008/05/18 21:29:05
2076 [sftp-server.c]
2077 comment extension announcement
8be03682 2078 - djm@cvs.openbsd.org 2008/05/16 08:30:42
2079 [PROTOCOL]
2080 document our protocol extensions and deviations; ok markus@
2081 - djm@cvs.openbsd.org 2008/05/17 01:31:56
2082 [PROTOCOL]
2083 grammar and correctness fixes from stevesk@
9b04dbaa 2084
490c3105 208520080403
2086 - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
2087 time warnings on LynxOS. Patch from ops AT iki.fi
1ebb73e4 2088 - (djm) Force string arguments to replacement setproctitle() though
2089 strnvis first. Ok dtucker@
490c3105 2090
2b363e83 209120080403
2092 - (djm) OpenBSD CVS sync:
2093 - markus@cvs.openbsd.org 2008/04/02 15:36:51
2094 [channels.c]
2095 avoid possible hijacking of x11-forwarded connections (back out 1.183)
2096 CVE-2008-1483; ok djm@
adb7acbc 2097 - jmc@cvs.openbsd.org 2008/03/27 22:37:57
2098 [sshd.8]
2099 remove trailing whitespace;
53e0dc70 2100 - djm@cvs.openbsd.org 2008/04/03 09:50:14
2101 [version.h]
2102 openssh-5.0
31b1b2c8 2103 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
2104 [contrib/suse/openssh.spec] Crank version numbers in RPM spec files
dd052df9 2105 - (djm) [README] Update link to release notes
098ebea7 2106 - (djm) Release 5.0p1
git-cvsimport mirror of OpenSSH
This page took 0.46962 seconds and 5 git commands to generate.