Commit | Line | Data |
---|---|---|
4cfa9611 | 1 | 20100130 |
2 | - (djm) OpenBSD CVS Sync | |
3 | - djm@cvs.openbsd.org 2010/01/28 00:21:18 | |
4 | [clientloop.c] | |
5 | downgrade an error() to a debug() - this particular case can be hit in | |
6 | normal operation for certain sequences of mux slave vs session closure | |
7 | and is harmless | |
08427260 | 8 | - djm@cvs.openbsd.org 2010/01/29 00:20:41 |
9 | [sshd.c] | |
10 | set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com | |
11 | ok dtucker@ | |
82aeff0c | 12 | - djm@cvs.openbsd.org 2010/01/29 20:16:17 |
13 | [mux.c] | |
14 | kill correct channel (was killing already-dead mux channel, not | |
15 | its session channel) | |
05daae8c | 16 | - djm@cvs.openbsd.org 2010/01/30 02:54:53 |
17 | [mux.c] | |
18 | don't mark channel as read failed if it is already closing; suppresses | |
19 | harmless error messages when connecting to SSH.COM Tectia server | |
20 | report by imorgan AT nas.nasa.gov | |
4cfa9611 | 21 | |
8dabd414 | 22 | 20100129 |
23 | - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config() | |
24 | after registering the hardware engines, which causes the openssl.cnf file to | |
25 | be processed. See OpenSSL's man page for OPENSSL_config(3) for details. | |
26 | Patch from Solomon Peachy, ok djm@. | |
27 | ||
ae1c633f | 28 | 20100128 |
29 | - (djm) OpenBSD CVS Sync | |
30 | - djm@cvs.openbsd.org 2010/01/26 02:15:20 | |
31 | [mux.c] | |
32 | -Wuninitialized and remove a // comment; from portable | |
33 | (Id sync only) | |
279c74eb | 34 | - djm@cvs.openbsd.org 2010/01/27 13:26:17 |
35 | [mux.c] | |
36 | fix bug introduced in mux rewrite: | |
37 | ||
38 | In a mux master, when a socket to a mux slave closes before its server | |
39 | session (as may occur when the slave has been signalled), gracefully | |
40 | close the server session rather than deleting its channel immediately. | |
41 | A server may have more messages on that channel to send (e.g. an exit | |
42 | message) that will fatal() the client if they are sent to a channel that | |
43 | has been prematurely deleted. | |
44 | ||
45 | spotted by imorgan AT nas.nasa.gov | |
dc3ae1cf | 46 | - djm@cvs.openbsd.org 2010/01/27 19:21:39 |
47 | [sftp.c] | |
48 | add missing "p" flag to getopt optstring; | |
49 | bz#1704 from imorgan AT nas.nasa.gov | |
ae1c633f | 50 | |
64dace2d | 51 | 20100126 |
52 | - (djm) OpenBSD CVS Sync | |
53 | - tedu@cvs.openbsd.org 2010/01/17 21:49:09 | |
54 | [ssh-agent.1] | |
55 | Correct and clarify ssh-add's password asking behavior. | |
56 | Improved text dtucker and ok jmc | |
6d6695ca | 57 | - dtucker@cvs.openbsd.org 2010/01/18 01:50:27 |
58 | [roaming_client.c] | |
59 | s/long long unsigned/unsigned long long/, from tim via portable | |
60 | (Id sync only, change already in portable) | |
a858eae9 | 61 | - djm@cvs.openbsd.org 2010/01/26 01:28:35 |
62 | [channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c] | |
63 | rewrite ssh(1) multiplexing code to a more sensible protocol. | |
64 | ||
65 | The new multiplexing code uses channels for the listener and | |
66 | accepted control sockets to make the mux master non-blocking, so | |
67 | no stalls when processing messages from a slave. | |
68 | ||
69 | avoid use of fatal() in mux master protocol parsing so an errant slave | |
70 | process cannot take down a running master. | |
71 | ||
72 | implement requesting of port-forwards over multiplexed sessions. Any | |
73 | port forwards requested by the slave are added to those the master has | |
74 | established. | |
75 | ||
76 | add support for stdio forwarding ("ssh -W host:port ...") in mux slaves. | |
77 | ||
78 | document master/slave mux protocol so that other tools can use it to | |
79 | control a running ssh(1). Note: there are no guarantees that this | |
80 | protocol won't be incompatibly changed (though it is versioned). | |
81 | ||
82 | feedback Salvador Fandino, dtucker@ | |
83 | channel changes ok markus@ | |
64dace2d | 84 | |
abaf180d | 85 | 20100122 |
86 | - (tim) [configure.ac] Due to constraints in Windows Sockets in terms of | |
87 | socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size | |
88 | in Cygwin to 65535. Patch from Corinna Vinschen. | |
89 | ||
afd41342 | 90 | 20100117 |
91 | - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too. | |
2b0d3778 | 92 | - (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions |
93 | snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf(). | |
afd41342 | 94 | |
2e6adf75 | 95 | 20100116 |
96 | - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h | |
97 | so we correctly detect whether or not we have a native user_from_uid. | |
1666eacb | 98 | - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid |
99 | and group_from_gid. | |
6cf8b42e | 100 | - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by |
101 | Tim. | |
e5271db2 | 102 | - (dtucker) OpenBSD CVS Sync |
103 | - markus@cvs.openbsd.org 2010/01/15 09:24:23 | |
104 | [sftp-common.c] | |
105 | unused | |
6bcd3709 | 106 | - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused |
107 | variable warnings. | |
cc52586e | 108 | - (dtucker) [openbsd-compat/openbsd-compat.h] Typo. |
3be6fc36 | 109 | - (tim) [regress/portnum.sh] Shell portability fix. |
0303fddc | 110 | - (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native |
111 | getaddrinfo() is too old and limited for addr_pton() in addrmatch.c. | |
cc365543 | 112 | - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we |
113 | use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/ | |
114 | to keep USL compilers happy. | |
2e6adf75 | 115 | |
69098855 | 116 | 20100115 |
117 | - (dtucker) OpenBSD CVS Sync | |
118 | - jmc@cvs.openbsd.org 2010/01/13 12:48:34 | |
119 | [sftp.1 sftp.c] | |
120 | sftp.1: put ls -h in the right place | |
121 | sftp.c: as above, plus add -p to get/put, and shorten their arg names | |
122 | to keep the help usage nicely aligned | |
123 | ok djm | |
239542dc | 124 | - djm@cvs.openbsd.org 2010/01/13 23:47:26 |
125 | [auth.c] | |
126 | when using ChrootDirectory, make sure we test for the existence of the | |
127 | user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu; | |
128 | ok dtucker | |
6d588777 | 129 | - dtucker@cvs.openbsd.org 2010/01/14 23:41:49 |
130 | [sftp-common.c] | |
131 | use user_from{uid,gid} to look up ids since it keeps a small cache. | |
132 | ok djm | |
d8311568 | 133 | - guenther@cvs.openbsd.org 2010/01/15 00:05:22 |
134 | [sftp.c] | |
135 | Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp | |
136 | inherited SIGTERM as ignored it will still be able to kill the ssh it | |
137 | starts. | |
138 | ok dtucker@ | |
8f8a4508 | 139 | - (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no |
e45b6d40 | 140 | changes yet but there will be some to come). |
2dec25c9 | 141 | - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c}] Portability |
142 | for pwcache. Also, added caching of negative hits. | |
69098855 | 143 | |
962386fc | 144 | 20100114 |
145 | - (djm) [platform.h] Add missing prototype for | |
146 | platform_krb5_get_principal_name | |
147 | ||
e37f390b | 148 | 20100113 |
149 | - (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs. | |
1f4dfa18 | 150 | - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18: |
151 | missing restore of SIGTTOU and some whitespace. | |
851a428e | 152 | - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21. |
168e46a0 | 153 | - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22. |
154 | Fixes bz #1590, where sometimes you could not interrupt a connection while | |
155 | ssh was prompting for a passphrase or password. | |
52e1856c | 156 | - (dtucker) OpenBSD CVS Sync |
157 | - dtucker@cvs.openbsd.org 2010/01/13 00:19:04 | |
158 | [sshconnect.c auth.c] | |
159 | Fix a couple of typos/misspellings in comments | |
51529944 | 160 | - dtucker@cvs.openbsd.org 2010/01/13 01:10:56 |
161 | [key.c] | |
162 | Ignore and log any Protocol 1 keys where the claimed size is not equal to | |
163 | the actual size. Noted by Derek Martin, ok djm@ | |
420c55a1 | 164 | - dtucker@cvs.openbsd.org 2010/01/13 01:20:20 |
165 | [canohost.c ssh-keysign.c sshconnect2.c] | |
166 | Make HostBased authentication work with a ProxyCommand. bz #1569, patch | |
167 | from imorgan at nas nasa gov, ok djm@ | |
29793ade | 168 | - djm@cvs.openbsd.org 2010/01/13 01:40:16 |
169 | [sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h] | |
170 | support '-h' (human-readable units) for sftp's ls command, just like | |
171 | ls(1); ok dtucker@ | |
ca24b550 | 172 | - djm@cvs.openbsd.org 2010/01/13 03:48:13 |
173 | [servconf.c servconf.h sshd.c] | |
174 | avoid run-time failures when specifying hostkeys via a relative | |
175 | path by prepending the cwd in these cases; bz#1290; ok dtucker@ | |
13455c70 | 176 | - djm@cvs.openbsd.org 2010/01/13 04:10:50 |
177 | [sftp.c] | |
178 | don't append a space after inserting a completion of a directory (i.e. | |
179 | a path ending in '/') for a slightly better user experience; ok dtucker@ | |
c1e654ec | 180 | - (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef. |
795b6739 | 181 | - (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG. |
182 | feedback and ok dtucker@ | |
e37f390b | 183 | |
e4393625 | 184 | 20100112 |
e6780883 | 185 | - (dtucker) OpenBSD CVS Sync |
186 | - dtucker@cvs.openbsd.org 2010/01/11 01:39:46 | |
187 | [ssh_config channels.c ssh.1 channels.h ssh.c] | |
188 | Add a 'netcat mode' (ssh -W). This connects stdio on the client to a | |
189 | single port forward on the server. This allows, for example, using ssh as | |
190 | a ProxyCommand to route connections via intermediate servers. | |
191 | bz #1618, man page help from jmc@, ok markus@ | |
13b90bdd | 192 | - dtucker@cvs.openbsd.org 2010/01/11 04:46:45 |
193 | [authfile.c sshconnect2.c] | |
194 | Do not prompt for a passphrase if we fail to open a keyfile, and log the | |
195 | reason the open failed to debug. | |
196 | bz #1693, found by tj AT castaglia org, ok djm@ | |
c23cfd0d | 197 | - djm@cvs.openbsd.org 2010/01/11 10:51:07 |
198 | [ssh-keygen.c] | |
199 | when converting keys, truncate key comments at 72 chars as per RFC4716; | |
200 | bz#1630 reported by tj AT castaglia.org; ok markus@ | |
17c7855a | 201 | - dtucker@cvs.openbsd.org 2010/01/12 00:16:47 |
202 | [authfile.c] | |
203 | Fix bug introduced in r1.78 (incorrect brace location) that broke key auth. | |
204 | Patch from joachim joachimschipper nl. | |
e8e24c80 | 205 | - djm@cvs.openbsd.org 2010/01/12 00:58:25 |
206 | [monitor_fdpass.c] | |
207 | avoid spinning when fd passing on nonblocking sockets by calling poll() | |
208 | in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@ | |
6bbbf0b8 | 209 | - djm@cvs.openbsd.org 2010/01/12 00:59:29 |
210 | [roaming_common.c] | |
211 | delete with extreme prejudice a debug() that fired with every keypress; | |
212 | ok dtucker deraadt | |
97397841 | 213 | - dtucker@cvs.openbsd.org 2010/01/12 01:31:05 |
214 | [session.c] | |
215 | Do not allow logins if /etc/nologin exists but is not readable by the user | |
216 | logging in. Noted by Jan.Pechanec at Sun, ok djm@ deraadt@ | |
e0cbb24b | 217 | - djm@cvs.openbsd.org 2010/01/12 01:36:08 |
218 | [buffer.h bufaux.c] | |
219 | add a buffer_get_string_ptr_ret() that does the same as | |
220 | buffer_get_string_ptr() but does not fatal() on error; ok dtucker@ | |
e4393625 | 221 | - dtucker@cvs.openbsd.org 2010/01/12 08:33:17 |
222 | [session.c] | |
223 | Add explicit stat so we reliably detect nologin with bad perms. | |
224 | ok djm markus | |
e6780883 | 225 | |
226 | 20100110 | |
70dd663d | 227 | - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] |
228 | Remove hacks added for RoutingDomain in preparation for its removal. | |
04b061c4 | 229 | - (dtucker) OpenBSD CVS Sync |
16d64584 | 230 | - dtucker@cvs.openbsd.org 2010/01/09 23:04:13 |
231 | [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h | |
232 | ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c | |
233 | readconf.h scp.1 sftp.1 ssh_config.5 misc.h] | |
234 | Remove RoutingDomain from ssh since it's now not needed. It can be | |
235 | replaced with "route exec" or "nc -V" as a proxycommand. "route exec" | |
236 | also ensures that traffic such as DNS lookups stays within the specified | |
237 | routingdomain. For example (from reyk): | |
238 | # route -T 2 exec /usr/sbin/sshd | |
239 | or inherited from the parent process | |
240 | $ route -T 2 exec sh | |
241 | $ ssh 10.1.2.3 | |
242 | ok deraadt@ markus@ stevesk@ reyk@ | |
04b061c4 | 243 | - dtucker@cvs.openbsd.org 2010/01/10 03:51:17 |
244 | [servconf.c] | |
245 | Add ChrootDirectory to sshd.c test-mode output | |
5deb8b6e | 246 | - dtucker@cvs.openbsd.org 2010/01/10 07:15:56 |
247 | [auth.c] | |
248 | Output a debug if we can't open an existing keyfile. bz#1694, ok djm@ | |
70dd663d | 249 | |
e6780883 | 250 | 20100109 |
17073b5e | 251 | - (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't |
252 | have it. | |
d59ac96c | 253 | - (dtucker) [defines.h] define PRIu64 for platforms that don't have it. |
2d7536f6 | 254 | - (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef. |
5dec7926 | 255 | - (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name |
256 | when using utmpx. Patch from Ed Schouten. | |
250caf33 | 257 | - (dtucker) OpenBSD CVS Sync |
258 | - djm@cvs.openbsd.org 2010/01/09 00:20:26 | |
259 | [sftp-server.c sftp-server.8] | |
260 | add a 'read-only' mode to sftp-server(8) that disables open in write mode | |
261 | and all other fs-modifying protocol methods. bz#430 ok dtucker@ | |
29c7b6ce | 262 | - djm@cvs.openbsd.org 2010/01/09 00:57:10 |
263 | [PROTOCOL] | |
264 | tweak language | |
0752feb3 | 265 | - jmc@cvs.openbsd.org 2010/01/09 03:36:00 |
266 | [sftp-server.8] | |
267 | bad place to forget a comma... | |
ccd01778 | 268 | - djm@cvs.openbsd.org 2010/01/09 05:04:24 |
269 | [mux.c sshpty.h clientloop.c sshtty.c] | |
270 | quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we | |
271 | usually don't actually have a tty to read/set; bz#1686 ok dtucker@ | |
7b610012 | 272 | - dtucker@cvs.openbsd.org 2010/01/09 05:17:00 |
273 | [roaming_client.c] | |
274 | Remove a PRIu64 format string that snuck in with roaming. ok djm@ | |
96fc1b1b | 275 | - dtucker@cvs.openbsd.org 2010/01/09 11:13:02 |
276 | [sftp.c] | |
277 | Prevent sftp from derefing a null pointer when given a "-" without a | |
278 | command. Also, allow whitespace to follow a "-". bz#1691, patch from | |
279 | Colin Watson via Debian. ok djm@ deraadt@ | |
1e0e398c | 280 | - dtucker@cvs.openbsd.org 2010/01/09 11:17:56 |
281 | [sshd.c] | |
282 | After sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs | |
283 | itself. Prevents two HUPs in quick succession from resulting in sshd | |
284 | dying. bz#1692, patch from Colin Watson via Ubuntu. | |
ce27af32 | 285 | - (dtucker) [defines.h] Remove now-unneeded PRIu64 define. |
17073b5e | 286 | |
e6780883 | 287 | 20100108 |
1270be26 | 288 | - (dtucker) OpenBSD CVS Sync |
289 | - andreas@cvs.openbsd.org 2009/10/24 11:11:58 | |
290 | [roaming.h] | |
291 | Declarations needed for upcoming changes. | |
292 | ok markus@ | |
d8b0d145 | 293 | - andreas@cvs.openbsd.org 2009/10/24 11:13:54 |
294 | [sshconnect2.c kex.h kex.c] | |
295 | Let the client detect if the server supports roaming by looking | |
296 | for the resume@appgate.com kex algorithm. | |
297 | ok markus@ | |
bb466eca | 298 | - andreas@cvs.openbsd.org 2009/10/24 11:15:29 |
299 | [clientloop.c] | |
300 | client_loop() must detect if the session has been suspended and resumed, | |
301 | and take appropriate action in that case. | |
302 | From Martin Forssen, maf at appgate dot com | |
d33822b7 | 303 | - andreas@cvs.openbsd.org 2009/10/24 11:19:17 |
304 | [ssh2.h] | |
305 | Define the KEX messages used when resuming a suspended connection. | |
bb466eca | 306 | ok markus@ |
60751dff | 307 | - andreas@cvs.openbsd.org 2009/10/24 11:22:37 |
308 | [roaming_common.c] | |
309 | Do the actual suspend/resume in the client. This won't be useful until | |
310 | the server side supports roaming. | |
311 | Most code from Martin Forssen, maf at appgate dot com. Some changes by | |
312 | me and markus@ | |
313 | ok markus@ | |
1cb94277 | 314 | - andreas@cvs.openbsd.org 2009/10/24 11:23:42 |
315 | [ssh.c] | |
316 | Request roaming to be enabled if UseRoaming is true and the server | |
317 | supports it. | |
318 | ok markus@ | |
fe7dba42 | 319 | - reyk@cvs.openbsd.org 2009/10/28 16:38:18 |
320 | [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c | |
321 | channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1 | |
322 | sftp.1 sshd_config.5 readconf.c ssh.c misc.c] | |
323 | Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan. | |
324 | ok markus@ | |
d92c9eaa | 325 | - jmc@cvs.openbsd.org 2009/10/28 21:45:08 |
326 | [sshd_config.5 sftp.1] | |
327 | tweak previous; | |
a30caa92 | 328 | - djm@cvs.openbsd.org 2009/11/10 02:56:22 |
329 | [ssh_config.5] | |
330 | explain the constraints on LocalCommand some more so people don't | |
331 | try to abuse it. | |
09367de8 | 332 | - djm@cvs.openbsd.org 2009/11/10 02:58:56 |
333 | [sshd_config.5] | |
334 | clarify that StrictModes does not apply to ChrootDirectory. Permissions | |
335 | and ownership are always checked when chrooting. bz#1532 | |
fe5bc072 | 336 | - dtucker@cvs.openbsd.org 2009/11/10 04:30:45 |
337 | [sshconnect2.c channels.c sshconnect.c] | |
338 | Set close-on-exec on various descriptors so they don't get leaked to | |
339 | child processes. bz #1643, patch from jchadima at redhat, ok deraadt. | |
7501ed0d | 340 | - markus@cvs.openbsd.org 2009/11/11 21:37:03 |
341 | [channels.c channels.h] | |
342 | fix race condition in x11/agent channel allocation: don't read after | |
343 | the end of the select read/write fdset and make sure a reused FD | |
344 | is not touched before the pre-handlers are called. | |
345 | with and ok djm@ | |
851d192b | 346 | - djm@cvs.openbsd.org 2009/11/17 05:31:44 |
347 | [clientloop.c] | |
348 | fix incorrect exit status when multiplexing and channel ID 0 is recycled | |
349 | bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker | |
0cc9aecf | 350 | - djm@cvs.openbsd.org 2009/11/19 23:39:50 |
351 | [session.c] | |
352 | bz#1606: error when an attempt is made to connect to a server | |
353 | with ForceCommand=internal-sftp with a shell session (i.e. not a | |
354 | subsystem session). Avoids stuck client when attempting to ssh to such a | |
355 | service. ok dtucker@ | |
f69e651d | 356 | - dtucker@cvs.openbsd.org 2009/11/20 00:15:41 |
357 | [session.c] | |
358 | Warn but do not fail if stat()ing the subsystem binary fails. This helps | |
359 | with chrootdirectory+forcecommand=sftp-server and restricted shells. | |
360 | bz #1599, ok djm. | |
b3534d29 | 361 | - djm@cvs.openbsd.org 2009/11/20 00:54:01 |
362 | [sftp.c] | |
363 | bz#1588 change "Connecting to host..." message to "Connected to host." | |
364 | and delay it until after the sftp protocol connection has been established. | |
365 | Avoids confusing sequence of messages when the underlying ssh connection | |
366 | experiences problems. ok dtucker@ | |
db528a58 | 367 | - dtucker@cvs.openbsd.org 2009/11/20 00:59:36 |
368 | [sshconnect2.c] | |
369 | Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@ | |
704709cf | 370 | - djm@cvs.openbsd.org 2009/11/20 03:24:07 |
371 | [misc.c] | |
372 | correct off-by-one in percent_expand(): we would fatal() when trying | |
373 | to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually | |
374 | work. Note that nothing in OpenSSH actually uses close to this limit at | |
375 | present. bz#1607 from Jan.Pechanec AT Sun.COM | |
f2aba402 | 376 | - halex@cvs.openbsd.org 2009/11/22 13:18:00 |
377 | [sftp.c] | |
378 | make passing of zero-length arguments to ssh safe by | |
379 | passing "-<switch>" "<value>" rather than "-<switch><value>" | |
380 | ok dtucker@, guenther@, djm@ | |
87d86481 | 381 | - dtucker@cvs.openbsd.org 2009/12/06 23:41:15 |
382 | [sshconnect2.c] | |
383 | zap unused variable and strlen; from Steve McClellan, ok djm | |
e657a401 | 384 | - djm@cvs.openbsd.org 2009/12/06 23:53:45 |
385 | [roaming_common.c] | |
386 | use socklen_t for getsockopt optlen parameter; reported by | |
387 | Steve.McClellan AT radisys.com, ok dtucker@ | |
38b1f255 | 388 | - dtucker@cvs.openbsd.org 2009/12/06 23:53:54 |
389 | [sftp.c] | |
390 | fix potential divide-by-zero in sftp's "df" output when talking to a server | |
391 | that reports zero files on the filesystem (Unix filesystems always have at | |
392 | least the root inode). From Steve McClellan at radisys, ok djm@ | |
d7af0c50 | 393 | - markus@cvs.openbsd.org 2009/12/11 18:16:33 |
394 | [key.c] | |
395 | switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537 | |
396 | for the RSA public exponent; discussed with provos; ok djm@ | |
c3773c6e | 397 | - guenther@cvs.openbsd.org 2009/12/20 07:28:36 |
398 | [ssh.c sftp.c scp.c] | |
399 | When passing user-controlled options with arguments to other programs, | |
400 | pass the option and option argument as separate argv entries and | |
401 | not smashed into one (e.g., as -l foo and not -lfoo). Also, always | |
402 | pass a "--" argument to stop option parsing, so that a positional | |
403 | argument that starts with a '-' isn't treated as an option. This | |
404 | fixes some error cases as well as the handling of hostnames and | |
405 | filenames that start with a '-'. | |
406 | Based on a diff by halex@ | |
407 | ok halex@ djm@ deraadt@ | |
f67f71f1 | 408 | - djm@cvs.openbsd.org 2009/12/20 23:20:40 |
409 | [PROTOCOL] | |
410 | fix an incorrect magic number and typo in PROTOCOL; bz#1688 | |
411 | report and fix from ueno AT unixuser.org | |
9e622dcd | 412 | - stevesk@cvs.openbsd.org 2009/12/25 19:40:21 |
413 | [readconf.c servconf.c misc.h ssh-keyscan.c misc.c] | |
414 | validate routing domain is in range 0-RT_TABLEID_MAX. | |
415 | 'Looks right' deraadt@ | |
bad23583 | 416 | - stevesk@cvs.openbsd.org 2009/12/29 16:38:41 |
417 | [sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1] | |
418 | Rename RDomain config option to RoutingDomain to be more clear and | |
419 | consistent with other options. | |
420 | NOTE: if you currently use RDomain in the ssh client or server config, | |
421 | or ssh/sshd -o, you must update to use RoutingDomain. | |
422 | ok markus@ djm@ | |
d0335861 | 423 | - jmc@cvs.openbsd.org 2009/12/29 18:03:32 |
424 | [sshd_config.5 ssh_config.5] | |
425 | sort previous; | |
e85f4dce | 426 | - dtucker@cvs.openbsd.org 2010/01/04 01:45:30 |
427 | [sshconnect2.c] | |
428 | Don't escape backslashes in the SSH2 banner. bz#1533, patch from | |
429 | Michal Gorny via Gentoo. | |
4e715007 | 430 | - djm@cvs.openbsd.org 2010/01/04 02:03:57 |
431 | [sftp.c] | |
432 | Implement tab-completion of commands, local and remote filenames for sftp. | |
433 | Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009 | |
434 | Google Summer of Code) and polished to a fine sheen by myself again. | |
435 | It should deal more-or-less correctly with the ikky corner-cases presented | |
436 | by quoted filenames, but the UI could still be slightly improved. | |
437 | In particular, it is quite slow for remote completion on large directories. | |
438 | bz#200; ok markus@ | |
d4b8c904 | 439 | - djm@cvs.openbsd.org 2010/01/04 02:25:15 |
440 | [sftp-server.c] | |
441 | bz#1566 don't unnecessarily dup() in and out fds for sftp-server; | |
442 | ok markus@ | |
d03186af | 443 | - dtucker@cvs.openbsd.org 2010/01/08 21:50:49 |
444 | [sftp.c] | |
445 | Fix two warnings: possibly used uninitialized and use a nul byte instead of | |
446 | NULL pointer. ok djm@ | |
6f8969f5 | 447 | - (dtucker) [Makefile.in added roaming_client.c roaming_serv.c] Import new |
448 | files for roaming and add to Makefile. | |
957016e4 | 449 | - (dtucker) [Makefile.in] .c files do not belong in the OBJ lines. |
81598a81 | 450 | - (dtucker) [sftp.c] ifdef out the sftp completion bits for platforms that |
451 | don't have libedit. | |
85fee9c0 | 452 | - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] Make |
453 | RoutingDomain an unsupported option on platforms that don't have it. | |
21e59e57 | 454 | - (dtucker) [sftp.c] Expand ifdef for libedit to cover complete_is_remote |
455 | too. | |
1c0194f1 | 456 | - (dtucker) [misc.c] Move the routingdomain ifdef to allow the socket to |
457 | be created. | |
3b6c53d3 | 458 | - (dtucker) [misc.c] Shrink the area covered by USE_ROUTINGDOMAIN more |
459 | to eliminate an unused variable warning. | |
fcbc6487 | 460 | - (dtucker) [roaming_serv.c] Include includes.h for u_intXX_t types. |
1270be26 | 461 | |
da073eee | 462 | 20091226 |
463 | - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1 | |
464 | Gzip all man pages. Patch from Corinna Vinschen. | |
465 | ||
3bef3252 | 466 | 20091221 |
467 | - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}] | |
468 | Bug #1583: Use system's kerberos principal name on AIX if it's available. | |
469 | Based on a patch from and tested by Miguel Sanders | |
470 | ||
fd2d830a | 471 | 20091208 |
472 | - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux, | |
473 | based on a patch from Vaclav Ovsik and Colin Watson. ok djm. | |
474 | ||
6b52ddbd | 475 | 20091207 |
476 | - (dtucker) Bug #1160: use pkg-config for opensc config if it's available. | |
477 | Tested by Martin Paljak. | |
95f0ee69 | 478 | - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass. |
6b52ddbd | 479 | |
e4402dc5 | 480 | 20091121 |
481 | - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it. | |
482 | Bug 1628. OK dtucker@ | |
483 | ||
48662587 | 484 | 20091120 |
485 | - (djm) [ssh-rand-helper.c] Print error and usage() when passed command- | |
486 | line arguments as none are supported. Exit when passed unrecognised | |
487 | commandline flags. bz#1568 from gson AT araneus.fi | |
488 | ||
489 | 20091118 | |
4e1082aa | 490 | - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to |
491 | set IPV6_V6ONLY for local forwarding with GatewayPorts=yes. Unify | |
492 | setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only() | |
e5a1e421 | 493 | bz#1648, report and fix from jan.kratochvil AT redhat.com |
494 | - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal. | |
495 | bz#1645, patch from jchadima AT redhat.com | |
4e1082aa | 496 | |
cd82326a | 497 | 20091107 |
498 | - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private | |
499 | keys when built with OpenSSL versions that don't do AES. | |
500 | ||
090c27c5 | 501 | 20091105 |
502 | - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with | |
503 | older versions of OpenSSL. | |
504 | ||
5c0f4199 | 505 | 20091024 |
506 | - (dtucker) OpenBSD CVS Sync | |
507 | - djm@cvs.openbsd.org 2009/10/11 23:03:15 | |
508 | [hostfile.c] | |
509 | mention the host name that we are looking for in check_host_in_hostfile() | |
1a0a69a7 | 510 | - sobrado@cvs.openbsd.org 2009/10/17 12:10:39 |
511 | [sftp-server.c] | |
512 | sort flags. | |
7a779483 | 513 | - sobrado@cvs.openbsd.org 2009/10/22 12:35:53 |
514 | [ssh.1 ssh-agent.1 ssh-add.1] | |
515 | use the UNIX-related macros (.At and .Ux) where appropriate. | |
516 | ok jmc@ | |
78da49cb | 517 | - sobrado@cvs.openbsd.org 2009/10/22 15:02:12 |
518 | [ssh-agent.1 ssh-add.1 ssh.1] | |
519 | write UNIX-domain in a more consistent way; while here, replace a | |
520 | few remaining ".Tn UNIX" macros with ".Ux" ones. | |
521 | pointed out by ratchov@, thanks! | |
522 | ok jmc@ | |
4c9466ae | 523 | - djm@cvs.openbsd.org 2009/10/22 22:26:13 |
524 | [authfile.c] | |
525 | switch from 3DES to AES-128 for encryption of passphrase-protected | |
526 | SSH protocol 2 private keys; ok several | |
fbba8bf6 | 527 | - djm@cvs.openbsd.org 2009/10/23 01:57:11 |
528 | [sshconnect2.c] | |
529 | disallow a hostile server from checking jpake auth by sending an | |
530 | out-of-sequence success message. (doesn't affect code enabled by default) | |
78edb05a | 531 | - dtucker@cvs.openbsd.org 2009/10/24 00:48:34 |
532 | [ssh-keygen.1] | |
533 | ssh-keygen now uses AES-128 for private keys | |
aaeda216 | 534 | - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro. |
51fa929a | 535 | - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux |
536 | is enabled set the security context to "sftpd_t" before running the | |
537 | internal sftp server. Based on a patch from jchadima at redhat. | |
5c0f4199 | 538 | |
19b6c4d5 | 539 | 20091011 |
540 | - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for | |
541 | dirent d_type and DTTOIF as we've switched OpenBSD to the more portable | |
542 | lstat. | |
21af5fc4 | 543 | - (dtucker) OpenBSD CVS Sync |
544 | - markus@cvs.openbsd.org 2009/10/08 14:03:41 | |
545 | [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5] | |
546 | disable protocol 1 by default (after a transition period of about 10 years) | |
547 | ok deraadt | |
0dba6d86 | 548 | - jmc@cvs.openbsd.org 2009/10/08 20:42:12 |
549 | [sshd_config.5 ssh_config.5 sshd.8 ssh.1] | |
550 | some tweaks now that protocol 1 is not offered by default; ok markus | |
711fb093 | 551 | - dtucker@cvs.openbsd.org 2009/10/11 10:41:26 |
552 | [sftp-client.c] | |
553 | d_type isn't portable so use lstat to get dirent modes. Suggested by and | |
554 | "looks sane" deraadt@ | |
991c9728 | 555 | - markus@cvs.openbsd.org 2009/10/08 18:04:27 |
556 | [regress/test-exec.sh] | |
557 | re-enable protocol v1 for the tests. | |
19b6c4d5 | 558 | |
3496b8d4 | 559 | 20091007 |
560 | - (dtucker) OpenBSD CVS Sync | |
561 | - djm@cvs.openbsd.org 2009/08/12 00:13:00 | |
562 | [sftp.c sftp.1] | |
563 | support most of scp(1)'s commandline arguments in sftp(1), as a first | |
564 | step towards making sftp(1) a drop-in replacement for scp(1). | |
565 | One conflicting option (-P) has not been changed, pending further | |
566 | discussion. | |
567 | Patch from carlosvsilvapt@gmail.com as part of his work in the | |
568 | Google Summer of Code | |
b68241c3 | 569 | - jmc@cvs.openbsd.org 2009/08/12 06:31:42 |
570 | [sftp.1] | |
571 | sort options; | |
97658f13 | 572 | - djm@cvs.openbsd.org 2009/08/13 01:11:19 |
573 | [sftp.1 sftp.c] | |
574 | Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path", | |
575 | add "-P port" to match scp(1). Fortunately, the -P option is only really | |
576 | used by our regression scripts. | |
577 | part of larger patch from carlosvsilvapt@gmail.com for his Google Summer | |
578 | of Code work; ok deraadt markus | |
5aa0f160 | 579 | - jmc@cvs.openbsd.org 2009/08/13 13:39:54 |
580 | [sftp.1 sftp.c] | |
581 | sync synopsis and usage(); | |
e746280c | 582 | - djm@cvs.openbsd.org 2009/08/14 18:17:49 |
583 | [sftp-client.c] | |
584 | make the "get_handle: ..." error messages vaguely useful by allowing | |
585 | callers to specify their own error message strings. | |
5d799258 | 586 | - fgsch@cvs.openbsd.org 2009/08/15 18:56:34 |
587 | [auth.h] | |
588 | remove unused define. markus@ ok. | |
589 | (Id sync only, Portable still uses this.) | |
7b3a24aa | 590 | - dtucker@cvs.openbsd.org 2009/08/16 23:29:26 |
591 | [sshd_config.5] | |
592 | Add PubkeyAuthentication to the list allowed in a Match block (bz #1577) | |
d141f964 | 593 | - djm@cvs.openbsd.org 2009/08/18 18:36:21 |
594 | [sftp-client.h sftp.1 sftp-client.c sftp.c] | |
595 | recursive transfer support for get/put and on the commandline | |
596 | work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code | |
597 | with some tweaks by me; "go for it" deraadt@ | |
e83f55f9 | 598 | - djm@cvs.openbsd.org 2009/08/18 21:15:59 |
599 | [sftp.1] | |
600 | fix "get" command usage, spotted by jmc@ | |
3829cbca | 601 | - jmc@cvs.openbsd.org 2009/08/19 04:56:03 |
602 | [sftp.1] | |
603 | ether -> either; | |
2e2c33ad | 604 | - dtucker@cvs.openbsd.org 2009/08/20 23:54:28 |
605 | [mux.c] | |
606 | subsystem_flag is defined in ssh.c so it's extern; ok djm | |
99c5cf8e | 607 | - djm@cvs.openbsd.org 2009/08/27 17:28:52 |
608 | [sftp-server.c] | |
609 | allow setting an explicit umask on the commandline to override whatever | |
610 | default the user has. bz#1229; ok dtucker@ deraadt@ markus@ | |
bf3290be | 611 | - djm@cvs.openbsd.org 2009/08/27 17:33:49 |
612 | [ssh-keygen.c] | |
613 | force use of correct hash function for random-art signature display | |
614 | as it was inheriting the wrong one when bubblebabble signatures were | |
615 | activated; bz#1611 report and patch from fwojcik+openssh AT besh.com; | |
616 | ok markus@ | |
62b92bdc | 617 | - djm@cvs.openbsd.org 2009/08/27 17:43:00 |
618 | [sftp-server.8] | |
619 | allow setting an explicit umask on the commandline to override whatever | |
620 | default the user has. bz#1229; ok dtucker@ deraadt@ markus@ | |
b4741f94 | 621 | - djm@cvs.openbsd.org 2009/08/27 17:44:52 |
622 | [authfd.c ssh-add.c authfd.h] | |
623 | Do not fall back to adding keys without constraints (ssh-add -c / -t ...) | |
624 | when the agent refuses the constrained add request. This was a useful | |
625 | migration measure back in 2002 when constraints were new, but just | |
626 | adds risk now. | |
627 | bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@ | |
57a6b5dd | 628 | - djm@cvs.openbsd.org 2009/08/31 20:56:02 |
629 | [sftp-server.c] | |
630 | check correct variable for error message, spotted by martynas@ | |
b7177174 | 631 | - djm@cvs.openbsd.org 2009/08/31 21:01:29 |
632 | [sftp-server.8] | |
633 | document -e and -h; prodded by jmc@ | |
5561856d | 634 | - djm@cvs.openbsd.org 2009/09/01 14:43:17 |
635 | [ssh-agent.c] | |
636 | fix a race condition in ssh-agent that could result in a wedged or | |
637 | spinning agent: don't read off the end of the allocated fd_sets, and | |
638 | don't issue blocking read/write on agent sockets - just fall back to | |
639 | select() on retriable read/write errors. bz#1633 reported and tested | |
640 | by "noodle10000 AT googlemail.com"; ok dtucker@ markus@ | |
fd8b10fa | 641 | - grunk@cvs.openbsd.org 2009/10/01 11:37:33 |
642 | [dh.c] | |
643 | fix a cast | |
644 | ok djm@ markus@ | |
45bb6142 | 645 | - djm@cvs.openbsd.org 2009/10/06 04:46:40 |
646 | [session.c] | |
647 | bz#1596: fflush(NULL) before exec() to ensure that everything (motd | |
648 | in particular) has made it out before the streams go away. | |
1aeac41e | 649 | - djm@cvs.openbsd.org 2008/12/07 22:17:48 |
650 | [regress/addrmatch.sh] | |
651 | match string "passwordauthentication" only at start of line, not anywhere | |
652 | in sshd -T output | |
cbc2c3e5 | 653 | - dtucker@cvs.openbsd.org 2009/05/05 07:51:36 |
654 | [regress/multiplex.sh] | |
655 | Always specify ssh_config for multiplex tests: prevents breakage caused | |
656 | by options in ~/.ssh/config. From Dan Peterson. | |
95744748 | 657 | - djm@cvs.openbsd.org 2009/08/13 00:57:17 |
658 | [regress/Makefile] | |
659 | regression test for port number parsing. written as part of the a2port | |
660 | change that went into 5.2 but I forgot to commit it at the time... | |
6c8ebe98 | 661 | - djm@cvs.openbsd.org 2009/08/13 01:11:55 |
90fc667e | 662 | [regress/sftp-batch.sh regress/sftp-badcmds.sh regress/sftp.sh |
663 | regress/sftp-cmds.sh regres/sftp-glob.sh] | |
6c8ebe98 | 664 | date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7 |
665 | Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path", | |
666 | add "-P port" to match scp(1). Fortunately, the -P option is only really | |
667 | used by our regression scripts. | |
668 | part of larger patch from carlosvsilvapt@gmail.com for his Google Summer | |
669 | of Code work; ok deraadt markus | |
c16b5840 | 670 | - djm@cvs.openbsd.org 2009/08/20 18:43:07 |
90fc667e | 671 | [regress/ssh-com-sftp.sh] |
c16b5840 | 672 | fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos |
673 | Silva for Google Summer of Code | |
90fc667e | 674 | - dtucker@cvs.openbsd.org 2009/10/06 23:51:49 |
675 | [regress/ssh2putty.sh] | |
676 | Add OpenBSD tag to make syncs easier | |
deed7126 | 677 | - (dtucker) [regress/portnum.sh] Import new test. |
c7e0fa79 | 678 | - (dtucker) [configure.ac sftp-client.c] DTOTIF is in fs/ffs/dir.h on at |
4b48f754 | 679 | least dragonflybsd. |
c7e0fa79 | 680 | - (dtucker) d_type is not mandated by POSIX, so add fallback code using |
681 | stat(), needed on at least cygwin. | |
3496b8d4 | 682 | |
2391a73c | 683 | 20091002 |
684 | - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps. | |
685 | spotted by des AT des.no | |
686 | ||
018fda87 | 687 | 20090926 |
688 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] | |
689 | [contrib/suse/openssh.spec] Update for release | |
690 | - (djm) [README] update relnotes URL | |
691 | - (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere | |
692 | - (djm) Release 5.3p1 | |
693 | ||
a37250f4 | 694 | 20090911 |
695 | - (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X | |
696 | 10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch | |
697 | from jbasney at ncsa uiuc edu. | |
698 | ||
bc33f6d6 | 699 | 20090908 |
700 | - (djm) [serverloop.c] Fix test for server-assigned remote forwarding port | |
701 | (-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@ | |
702 | ||
3acad382 | 703 | 20090901 |
704 | - (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for | |
705 | krb5-config if it's not in the location specified by --with-kerberos5. | |
706 | Patch from jchadima at redhat. | |
707 | ||
84c645ec | 708 | 20090829 |
709 | - (dtucker) [README.platform] Add text about development packages, based on | |
710 | text from Chris Pepper in bug #1631. | |
711 | ||
7a51ce05 | 712 | 20090828 |
713 | - dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently | |
714 | causes problems in some Tru64 configurations. | |
d108641a | 715 | - (djm) [sshd_config.5] downgrade mention of login.conf to be an example |
716 | and mention PAM as another provider for ChallengeResponseAuthentication; | |
717 | bz#1408; ok dtucker@ | |
6ecb350f | 718 | - (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when |
719 | attempting atomic rename(); ok dtucker@ | |
36141cb8 | 720 | - (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables |
721 | in argv, so pass them in the environment; ok dtucker@ | |
5e934f78 | 722 | - (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on |
723 | the pty master on Solaris, since it never succeeds and can hang if large | |
724 | amounts of data is sent to the slave (eg a copy-paste). Based on a patch | |
725 | originally from Doke Scott, ok djm@ | |
e7ac4a90 | 726 | - (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer |
727 | size a compile-time option and set it to 64k on Cygwin, since Corinna | |
728 | reports that it makes a significant difference to performance. ok djm@ | |
00789f24 | 729 | - (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry. |
7a51ce05 | 730 | |
bf87c429 | 731 | 20090820 |
732 | - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not | |
733 | using it since the type conflicts can cause problems on FreeBSD. Patch | |
734 | from Jonathan Chen. | |
406dc01a | 735 | - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move |
736 | the setpcred call on AIX to immediately before the permanently_set_uid(). | |
737 | Ensures that we still have privileges when we call chroot and | |
738 | pam_open_sesson. Based on a patch from David Leonard. | |
bf87c429 | 739 | |
8295689f | 740 | 20090817 |
741 | - (dtucker) [configure.ac] Check for headers before libraries for openssl and | |
742 | zlib, which should make the errors slightly more meaningful on platforms | |
743 | where there's separate "-devel" packages for those. | |
e339fa25 | 744 | - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make |
745 | PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders. | |
8295689f | 746 | |
852de6fd | 747 | 20090729 |
748 | - (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error | |
749 | function. Patch from Corinna Vinschen. | |
750 | ||
14a260e8 | 751 | 20090713 |
752 | - (dtucker) [openbsd-compat/getrrsetbyname.c] Reduce answer buffer size so it | |
753 | fits into 16 bits to work around a bug in glibc's resolver where it masks | |
754 | off the buffer size at 16 bits. Patch from Hauke Lampe, ok djm jakob. | |
755 | ||
0a008a4d | 756 | 20090712 |
757 | - (dtucker) [configure.ac] Include sys/param.h for the sys/mount.h test, | |
758 | prevents configure complaining on older BSDs. | |
74973c95 | 759 | - (dtucker) [contrib/cygwin/ssh-{host,user}-config] Add license text. Patch |
760 | from Corinna Vinschen. | |
f12c178c | 761 | - (dtucker) [auth-pam.c] Bug #1534: move the deletion of PAM credentials on |
1d5c49e0 | 762 | logout to after the session close. Patch from Anicka Bernathova, |
763 | originally from Andreas Schwab via Novell ok djm. | |
0a008a4d | 764 | |
78576c54 | 765 | 20090707 |
766 | - (dtucker) [contrib/cygwin/ssh-host-config] better support for automated | |
767 | scripts and fix usage of eval. Patch from Corinna Vinschen. | |
768 | ||
769 | 20090705 | |
dc11a83a | 770 | - (dtucker) OpenBSD CVS Sync |
771 | - andreas@cvs.openbsd.org 2009/06/27 09:29:06 | |
772 | [packet.h packet.c] | |
773 | packet_bacup_state() and packet_restore_state() will be used to | |
774 | temporarily save the current state when resuming a suspended connection. | |
775 | ok markus@ | |
776 | - andreas@cvs.openbsd.org 2009/06/27 09:32:43 | |
777 | [roaming_common.c roaming.h] | |
778 | It may be necessary to retransmit some data when resuming, so add it | |
779 | to a buffer when roaming is enabled. | |
780 | Most of this code was written by Martin Forssen, maf at appgate dot com. | |
781 | ok markus@ | |
782 | - andreas@cvs.openbsd.org 2009/06/27 09:35:06 | |
783 | [readconf.h readconf.c] | |
784 | Add client option UseRoaming. It doesn't do anything yet but will | |
785 | control whether the client tries to use roaming if enabled on the | |
786 | server. From Martin Forssen. | |
787 | ok markus@ | |
788 | - markus@cvs.openbsd.org 2009/06/30 14:54:40 | |
789 | [version.h] | |
790 | crank version; ok deraadt | |
791 | - dtucker@cvs.openbsd.org 2009/07/02 02:11:47 | |
792 | [ssh.c] | |
793 | allow for long home dir paths (bz #1615). ok deraadt | |
794 | (based in part on a patch from jchadima at redhat) | |
795 | - stevesk@cvs.openbsd.org 2009/07/05 19:28:33 | |
796 | [clientloop.c] | |
797 | only send SSH2_MSG_DISCONNECT if we're in compat20; from dtucker@ | |
798 | ok deraadt@ markus@ | |
799 | ||
127c96db | 800 | 20090622 |
801 | - (dtucker) OpenBSD CVS Sync | |
802 | - dtucker@cvs.openbsd.org 2009/06/22 05:39:28 | |
803 | [monitor_wrap.c monitor_mm.c ssh-keygen.c auth2.c gss-genr.c sftp-client.c] | |
804 | alphabetize includes; reduces diff vs portable and style(9). | |
805 | ok stevesk djm | |
806 | (Id sync only; these were already in order in -portable) | |
807 | ||
f0956980 | 808 | 20090621 |
809 | - (dtucker) OpenBSD CVS Sync | |
810 | - markus@cvs.openbsd.org 2009/03/17 21:37:00 | |
811 | [ssh.c] | |
812 | pass correct argv[0] to openlog(); ok djm@ | |
8fe25329 | 813 | - jmc@cvs.openbsd.org 2009/03/19 15:15:09 |
814 | [ssh.1] | |
815 | for "Ciphers", just point the reader to the keyword in ssh_config(5), just | |
816 | as we do for "MACs": this stops us getting out of sync when the lists | |
817 | change; | |
818 | fixes documentation/6102, submitted by Peter J. Philipp | |
819 | alternative fix proposed by djm | |
820 | ok markus | |
230d03b6 | 821 | - tobias@cvs.openbsd.org 2009/03/23 08:31:19 |
822 | [ssh-agent.c] | |
823 | Fixed a possible out-of-bounds memory access if the environment variable | |
824 | SHELL is shorter than 3 characters. | |
825 | with input by and ok dtucker | |
7027325d | 826 | - tobias@cvs.openbsd.org 2009/03/23 19:38:04 |
827 | [ssh-agent.c] | |
828 | My previous commit didn't fix the problem at all, so stick at my first | |
829 | version of the fix presented to dtucker. | |
830 | Issue notified by Matthias Barkhoff (matthias dot barkhoff at gmx dot de). | |
831 | ok dtucker | |
b31ae930 | 832 | - sobrado@cvs.openbsd.org 2009/03/26 08:38:39 |
833 | [sftp-server.8 sshd.8 ssh-agent.1] | |
834 | fix a few typographical errors found by spell(1). | |
835 | ok dtucker@, jmc@ | |
640f440b | 836 | - stevesk@cvs.openbsd.org 2009/04/13 19:07:44 |
837 | [sshd_config.5] | |
838 | fix possessive; ok djm@ | |
7bd399ce | 839 | - stevesk@cvs.openbsd.org 2009/04/14 16:33:42 |
840 | [sftp-server.c] | |
841 | remove unused option character from getopt() optstring; ok markus@ | |
3e576dfe | 842 | - jj@cvs.openbsd.org 2009/04/14 21:10:54 |
843 | [servconf.c] | |
844 | Fixed a few the-the misspellings in comments. Skipped a bunch in | |
845 | binutils,gcc and so on. ok jmc@ | |
02d56d32 | 846 | - stevesk@cvs.openbsd.org 2009/04/17 19:23:06 |
847 | [session.c] | |
848 | use INTERNAL_SFTP_NAME for setproctitle() of in-process sftp-server; | |
849 | ok djm@ markus@ | |
db1f5925 | 850 | - stevesk@cvs.openbsd.org 2009/04/17 19:40:17 |
851 | [sshd_config.5] | |
852 | clarify that even internal-sftp needs /dev/log for logging to work; ok | |
853 | markus@ | |
47f4188a | 854 | - jmc@cvs.openbsd.org 2009/04/18 18:39:10 |
855 | [sshd_config.5] | |
856 | tweak previous; ok stevesk | |
5df1f0e3 | 857 | - stevesk@cvs.openbsd.org 2009/04/21 15:13:17 |
858 | [sshd_config.5] | |
859 | clarify we cd to user's home after chroot; ok markus@ on | |
860 | earlier version; tweaks and ok jmc@ | |
dc1f1948 | 861 | - andreas@cvs.openbsd.org 2009/05/25 06:48:01 |
862 | [channels.c packet.c clientloop.c packet.h serverloop.c monitor_wrap.c | |
863 | monitor.c] | |
864 | Put the globals in packet.c into a struct and don't access it directly | |
865 | from other files. No functional changes. | |
866 | ok markus@ djm@ | |
867 | - andreas@cvs.openbsd.org 2009/05/27 06:31:25 | |
868 | [canohost.h canohost.c] | |
869 | Add clear_cached_addr(), needed for upcoming changes allowing the peer | |
870 | address to change. | |
871 | ok markus@ | |
f936c5d4 | 872 | - andreas@cvs.openbsd.org 2009/05/27 06:33:39 |
873 | [clientloop.c] | |
874 | Send SSH2_MSG_DISCONNECT when the client disconnects. From a larger | |
875 | change from Martin Forssen, maf at appgate dot com. | |
876 | ok markus@ | |
abdc5018 | 877 | - andreas@cvs.openbsd.org 2009/05/27 06:34:36 |
878 | [kex.c kex.h] | |
879 | Move the KEX_COOKIE_LEN define to kex.h | |
880 | ok markus@ | |
87db7000 | 881 | - andreas@cvs.openbsd.org 2009/05/27 06:36:07 |
882 | [packet.h packet.c] | |
883 | Add packet_put_int64() and packet_get_int64(), part of a larger change | |
884 | from Martin Forssen. | |
c6063ed7 | 885 | ok markus@ |
886 | - andreas@cvs.openbsd.org 2009/05/27 06:38:16 | |
887 | [sshconnect.h sshconnect.c] | |
888 | Un-static ssh_exchange_identification(), part of a larger change from | |
889 | Martin Forssen and needed for upcoming changes. | |
890 | ok markus@ | |
5d4d25cd | 891 | - andreas@cvs.openbsd.org 2009/05/28 16:50:16 |
892 | [sshd.c packet.c serverloop.c monitor_wrap.c clientloop.c sshconnect.c | |
d0137ef8 | 893 | monitor.c Added roaming.h roaming_common.c roaming_dummy.c] |
5d4d25cd | 894 | Keep track of number of bytes read and written. Needed for upcoming |
895 | changes. Most code from Martin Forssen, maf at appgate dot com. | |
896 | ok markus@ | |
d0137ef8 | 897 | Also, applied appropriate changes to Makefile.in |
adb5cc1b | 898 | - andreas@cvs.openbsd.org 2009/06/12 20:43:22 |
899 | [monitor.c packet.c] | |
900 | Fix warnings found by chl@ and djm@ and change roaming_atomicio's | |
901 | return type to match atomicio's | |
902 | Diff from djm@, ok markus@ | |
6a49252d | 903 | - andreas@cvs.openbsd.org 2009/06/12 20:58:32 |
904 | [packet.c] | |
905 | Move some more statics into session_state | |
906 | ok markus@ djm@ | |
ac692f84 | 907 | - dtucker@cvs.openbsd.org 2009/06/21 07:37:15 |
908 | [kexdhs.c kexgexs.c] | |
909 | abort if key_sign fails, preventing possible null deref. Based on report | |
910 | from Paolo Ganci, ok markus@ djm@ | |
911 | - dtucker@cvs.openbsd.org 2009/06/21 09:04:03 | |
912 | [roaming.h roaming_common.c roaming_dummy.c] | |
913 | Add tags for the benefit of the sync scripts | |
914 | Also: pull in the changes for 1.1->1.2 missed in the previous sync. | |
9b9302ea | 915 | - (dtucker) [auth2-jpake.c auth2.c canohost.h session.c] Whitespace and |
916 | header-order changes to reduce diff vs OpenBSD. | |
c8dc0909 | 917 | - (dtucker) [servconf.c sshd.c] More whitespace sync. |
e85016d4 | 918 | - (dtucker) [roaming_common.c roaming_dummy.c] Wrap #include <inttypes.h> in |
919 | ifdef. | |
f0956980 | 920 | |
87562a58 | 921 | 20090616 |
922 | - (dtucker) [configure.ac defines.h] Bug #1607: handle the case where fsid_t | |
923 | is a struct with a __val member. Fixes build on, eg, Redhat 6.2. | |
924 | ||
6ee76eea | 925 | 20090504 |
926 | - (dtucker) [sshlogin.c] Move the NO_SSH_LASTLOG #ifndef line to include | |
927 | variable declarations. Should prevent unused warnings anywhere it's set | |
928 | (only Crays as far as I can tell) and be a no-op everywhere else. | |
929 | ||
bc9a470b | 930 | 20090318 |
931 | - (tim) [configure.ac] Remove setting IP_TOS_IS_BROKEN for Cygwin. The problem | |
932 | that setsockopt(IP_TOS) doesn't work on Cygwin has been fixed since 2005. | |
933 | Based on patch from vinschen at redhat com. | |
934 | ||
5077a5f6 | 935 | 20090308 |
936 | - (dtucker) [auth-passwd.c auth1.c auth2-kbdint.c auth2-none.c auth2-passwd.c | |
937 | auth2-pubkey.c session.c openbsd-compat/bsd-cygwin_util.{c,h} | |
938 | openbsd-compat/daemon.c] Remove support for Windows 95/98/ME and very old | |
939 | version of Cygwin. Patch from vinschen at redhat com. | |
940 | ||
3e566c29 | 941 | 20090307 |
942 | - (dtucker) [contrib/aix/buildbff.sh] Only try to rename ssh_prng_cmds if it | |
943 | exists (it's not created if OpenSSL's PRNG is self-seeded, eg if the OS | |
944 | has a /dev/random). | |
36b68fd5 | 945 | - (dtucker) [schnorr.c openbsd-compat/openssl-compat.{c,h}] Add |
946 | EVP_DigestUpdate to the OLD_EVP compatibility functions and tell schnorr.c | |
947 | to use them. Allows building with older OpenSSL versions. | |
aeed50df | 948 | - (dtucker) [configure.ac defines.h] Check for in_port_t and typedef if needed. |
86783a32 | 949 | - (dtucker) [configure.ac] Missing comma in type list. |
14e380c6 | 950 | - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}] |
951 | EVP_DigestUpdate does not exactly match the other OLD_EVP functions (eg | |
952 | in openssl 0.9.6) so add an explicit test for it. | |
3e566c29 | 953 | |
5b01421b | 954 | 20090306 |
955 | - (djm) OpenBSD CVS Sync | |
956 | - djm@cvs.openbsd.org 2009/03/05 07:18:19 | |
957 | [auth2-jpake.c jpake.c jpake.h monitor_wrap.c monitor_wrap.h schnorr.c] | |
958 | [sshconnect2.c] | |
959 | refactor the (disabled) Schnorr proof code to make it a little more | |
960 | generally useful | |
4f983ff5 | 961 | - djm@cvs.openbsd.org 2009/03/05 11:30:50 |
962 | [uuencode.c] | |
963 | document what these functions do so I don't ever have to recurse into | |
964 | b64_pton/ntop to remember their return values | |
5b01421b | 965 | |
ebf012a2 | 966 | 20090223 |
967 | - (djm) OpenBSD CVS Sync | |
968 | - djm@cvs.openbsd.org 2009/02/22 23:50:57 | |
969 | [ssh_config.5 sshd_config.5] | |
970 | don't advertise experimental options | |
09b37352 | 971 | - djm@cvs.openbsd.org 2009/02/22 23:59:25 |
972 | [sshd_config.5] | |
973 | missing period | |
52d8f3f6 | 974 | - djm@cvs.openbsd.org 2009/02/23 00:06:15 |
975 | [version.h] | |
976 | openssh-5.2 | |
dc336a3b | 977 | - (djm) [README] update for 5.2 |
0e8d25c9 | 978 | - (djm) Release openssh-5.2p1 |
ebf012a2 | 979 | |
7eec82ab | 980 | 20090222 |
981 | - (djm) OpenBSD CVS Sync | |
982 | - tobias@cvs.openbsd.org 2009/02/21 19:32:04 | |
983 | [misc.c sftp-server-main.c ssh-keygen.c] | |
984 | Added missing newlines in error messages. | |
985 | ok dtucker | |
986 | ||
1925d16d | 987 | 20090221 |
988 | - (djm) OpenBSD CVS Sync | |
989 | - djm@cvs.openbsd.org 2009/02/17 01:28:32 | |
990 | [ssh_config] | |
991 | sync with revised default ciphers; pointed out by dkrause@ | |
dca75d4b | 992 | - djm@cvs.openbsd.org 2009/02/18 04:31:21 |
993 | [schnorr.c] | |
994 | signature should hash over the entire group, not just the generator | |
995 | (this is still disabled code) | |
9a4a047b | 996 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
997 | [contrib/suse/openssh.spec] Prepare for 5.2p1 | |
1925d16d | 998 | |
aa10bde9 | 999 | 20090216 |
1000 | - (djm) [regress/conch-ciphers.sh regress/putty-ciphers.sh] | |
1001 | [regress/putty-kex.sh regress/putty-transfer.sh] Downgrade disabled | |
1002 | interop tests from FATAL error to a warning. Allows some interop | |
1003 | tests to proceed if others are missing necessary prerequisites. | |
4c3b7423 | 1004 | - (djm) [configure.ac] support GNU/kFreeBSD and GNU/kOpensolaris |
1005 | systems; patch from Aurelien Jarno via rmh AT aybabtu.com | |
aa10bde9 | 1006 | |
69354fe2 | 1007 | 20090214 |
1008 | - (djm) OpenBSD CVS Sync | |
1009 | - dtucker@cvs.openbsd.org 2009/02/02 11:15:14 | |
1010 | [sftp.c] | |
1011 | Initialize a few variables to prevent spurious "may be used | |
1012 | uninitialized" warnings from newer gcc's. ok djm@ | |
17525a70 | 1013 | - djm@cvs.openbsd.org 2009/02/12 03:00:56 |
1014 | [canohost.c canohost.h channels.c channels.h clientloop.c readconf.c] | |
1015 | [readconf.h serverloop.c ssh.c] | |
1016 | support remote port forwarding with a zero listen port (-R0:...) to | |
1017 | dynamically allocate a listen port at runtime (this is actually | |
1018 | specified in rfc4254); bz#1003 ok markus@ | |
1d68c50a | 1019 | - djm@cvs.openbsd.org 2009/02/12 03:16:01 |
1020 | [serverloop.c] | |
1021 | tighten check for -R0:... forwarding: only allow dynamic allocation | |
1022 | if want_reply is set in the packet | |
28b5d376 | 1023 | - djm@cvs.openbsd.org 2009/02/12 03:26:22 |
1024 | [monitor.c] | |
1025 | some paranoia: check that the serialised key is really KEY_RSA before | |
1026 | diddling its internals | |
db9039d0 | 1027 | - djm@cvs.openbsd.org 2009/02/12 03:42:09 |
1028 | [ssh.1] | |
1029 | document -R0:... usage | |
1e709459 | 1030 | - djm@cvs.openbsd.org 2009/02/12 03:44:25 |
1031 | [ssh.1] | |
1032 | consistency: Dq => Ql | |
c6b2c0e0 | 1033 | - djm@cvs.openbsd.org 2009/02/12 03:46:17 |
1034 | [ssh_config.5] | |
1035 | document RemoteForward usage with 0 listen port | |
e12d3e21 | 1036 | - jmc@cvs.openbsd.org 2009/02/12 07:34:20 |
1037 | [ssh_config.5] | |
1038 | kill trailing whitespace; | |
8b773163 | 1039 | - markus@cvs.openbsd.org 2009/02/13 11:50:21 |
1040 | [packet.c] | |
1041 | check for enc !=NULL in packet_start_discard | |
e75a14a1 | 1042 | - djm@cvs.openbsd.org 2009/02/14 06:35:49 |
1043 | [PROTOCOL] | |
1044 | mention that eow and no-more-sessions extensions are sent only to | |
1045 | OpenSSH peers | |
69354fe2 | 1046 | |
1047 | 20090212 | |
f7b8146b | 1048 | - (djm) [sshpty.c] bz#1419: OSX uses cloning ptys that automagically |
1049 | set ownership and modes, so avoid explicitly setting them | |
295dd642 | 1050 | - (djm) [configure.ac loginrec.c] bz#1421: fix lastlog support for OSX. |
1051 | OSX provides a getlastlogxbyname function that automates the reading of | |
1052 | a lastlog file. Also, the pututxline function will update lastlog so | |
1053 | there is no need for loginrec.c to do it explicitly. Collapse some | |
1054 | overly verbose code while I'm in there. | |
f7b8146b | 1055 | |
b4341d7a | 1056 | 20090201 |
1057 | - (dtucker) [defines.h sshconnect.c] INET6_ADDRSTRLEN is now needed in | |
1058 | channels.c too, so move the definition for non-IP6 platforms to defines.h | |
1059 | where it can be shared. | |
1060 | ||
e1986e0a | 1061 | 20090129 |
1062 | - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. | |
1063 | If the CYGWIN environment variable is empty, the installer script | |
1064 | should not install the service with an empty CYGWIN variable, but | |
1065 | rather without setting CYGWIN entirely. | |
863ba23a | 1066 | - (tim) [contrib/cygwin/ssh-host-config] Whitespace cleanup. No code changes. |
e1986e0a | 1067 | |
7f24626b | 1068 | 20090128 |
1069 | - (tim) [contrib/cygwin/ssh-host-config] Patch from Corinna Vinschen. | |
1070 | Changes to work on Cygwin 1.5.x as well as on the new Cygwin 1.7.x. | |
1071 | The information given for the setting of the CYGWIN environment variable | |
1072 | is wrong for both releases so I just removed it, together with the | |
1073 | unnecessary (Cygwin 1.5.x) or wrong (Cygwin 1.7.x) default setting. | |
1074 | ||
68405671 | 1075 | 20081228 |
1076 | - (djm) OpenBSD CVS Sync | |
1077 | - stevesk@cvs.openbsd.org 2008/12/09 03:20:42 | |
1078 | [channels.c servconf.c] | |
1079 | channel_print_adm_permitted_opens() should deal with all the printing | |
1080 | for that config option. suggested by markus@; ok markus@ djm@ | |
1081 | dtucker@ | |
7efff8ce | 1082 | - djm@cvs.openbsd.org 2008/12/09 04:32:22 |
1083 | [auth2-chall.c] | |
1084 | replace by-hand string building with xasprinf(); ok deraadt@ | |
d3cd4016 | 1085 | - sobrado@cvs.openbsd.org 2008/12/09 15:35:00 |
1086 | [sftp.1 sftp.c] | |
1087 | update for the synopses displayed by the 'help' command, there are a | |
1088 | few missing flags; add 'bye' to the output of 'help'; sorting and spacing. | |
1089 | jmc@ suggested replacing .Oo/.Oc with a single .Op macro. | |
1090 | ok jmc@ | |
6c20a13f | 1091 | - stevesk@cvs.openbsd.org 2008/12/09 22:37:33 |
1092 | [clientloop.c] | |
1093 | fix typo in error message | |
fd2ce9c6 | 1094 | - stevesk@cvs.openbsd.org 2008/12/10 03:55:20 |
1095 | [addrmatch.c] | |
1096 | o cannot be NULL here but use xfree() to be consistent; ok djm@ | |
8647612c | 1097 | - stevesk@cvs.openbsd.org 2008/12/29 01:12:36 |
1098 | [ssh-keyscan.1] | |
1099 | fix example, default key type is rsa for 3+ years; from | |
1100 | frederic.perrin@resel.fr | |
040d6b1f | 1101 | - stevesk@cvs.openbsd.org 2008/12/29 02:23:26 |
1102 | [pathnames.h] | |
1103 | no need to escape single quotes in comments | |
d4bfdc62 | 1104 | - okan@cvs.openbsd.org 2008/12/30 00:46:56 |
1105 | [sshd_config.5] | |
1106 | add AllowAgentForwarding to available Match keywords list | |
1107 | ok djm | |
6cf44b6a | 1108 | - djm@cvs.openbsd.org 2009/01/01 21:14:35 |
1109 | [channels.c] | |
1110 | call channel destroy callbacks on receipt of open failure messages. | |
1111 | fixes client hangs when connecting to a server that has MaxSessions=0 | |
1112 | set spotted by imorgan AT nas.nasa.gov; ok markus@ | |
546202d0 | 1113 | - djm@cvs.openbsd.org 2009/01/01 21:17:36 |
1114 | [kexgexs.c] | |
1115 | fix hash calculation for KEXGEX: hash over the original client-supplied | |
1116 | values and not the sanity checked versions that we actually use; | |
1117 | bz#1540 reported by john.smith AT arrows.demon.co.uk | |
1118 | ok markus@ | |
4866a6d6 | 1119 | - djm@cvs.openbsd.org 2009/01/14 01:38:06 |
1120 | [channels.c] | |
1121 | support SOCKS4A protocol, from dwmw2 AT infradead.org via bz#1482; | |
1122 | "looks ok" markus@ | |
9b4b86c2 | 1123 | - stevesk@cvs.openbsd.org 2009/01/15 17:38:43 |
1124 | [readconf.c] | |
1125 | 1) use obsolete instead of alias for consistency | |
1126 | 2) oUserKnownHostsFile not obsolete but oGlobalKnownHostsFile2 is | |
1127 | so move the comment. | |
1128 | 3) reorder so like options are together | |
1129 | ok djm@ | |
1338ba77 | 1130 | - djm@cvs.openbsd.org 2009/01/22 09:46:01 |
1131 | [channels.c channels.h session.c] | |
1132 | make Channel->path an allocated string, saving a few bytes here and | |
1133 | there and fixing bz#1380 in the process; ok markus@ | |
920706fd | 1134 | - djm@cvs.openbsd.org 2009/01/22 09:49:57 |
1135 | [channels.c] | |
1136 | oops! I committed the wrong version of the Channel->path diff, | |
1137 | it was missing some tweaks suggested by stevesk@ | |
5134115d | 1138 | - djm@cvs.openbsd.org 2009/01/22 10:02:34 |
1139 | [clientloop.c misc.c readconf.c readconf.h servconf.c servconf.h] | |
1140 | [serverloop.c ssh-keyscan.c ssh.c sshd.c] | |
1141 | make a2port() return -1 when it encounters an invalid port number | |
1142 | rather than 0, which it will now treat as valid (needed for future work) | |
1143 | adjust current consumers of a2port() to check its return value is <= 0, | |
1144 | which in turn required some things to be converted from u_short => int | |
1145 | make use of int vs. u_short consistent in some other places too | |
1146 | feedback & ok markus@ | |
368e246f | 1147 | - djm@cvs.openbsd.org 2009/01/22 10:09:16 |
1148 | [auth-options.c] | |
1149 | another chunk of a2port() diff that got away. wtfdjm?? | |
700fd7e7 | 1150 | - djm@cvs.openbsd.org 2009/01/23 07:58:11 |
1151 | [myproposal.h] | |
1152 | prefer CTR modes and revised arcfour (i.e w/ discard) modes to CBC | |
1153 | modes; ok markus@ | |
29ec8eb3 | 1154 | - naddy@cvs.openbsd.org 2009/01/24 17:10:22 |
1155 | [ssh_config.5 sshd_config.5] | |
1156 | sync list of preferred ciphers; ok djm@ | |
608bcf58 | 1157 | - markus@cvs.openbsd.org 2009/01/26 09:58:15 |
1158 | [cipher.c cipher.h packet.c] | |
1159 | Work around the CPNI-957037 Plaintext Recovery Attack by always | |
1160 | reading 256K of data on packet size or HMAC errors (in CBC mode only). | |
1161 | Help, feedback and ok djm@ | |
1162 | Feedback from Martin Albrecht and Paterson Kenny | |
68405671 | 1163 | |
a25d08b3 | 1164 | 20090107 |
1165 | - (djm) [uidswap.c] bz#1412: Support >16 supplemental groups in OS X. | |
1166 | Patch based on one from vgiffin AT apple.com; ok dtucker@ | |
b5a1596f | 1167 | - (djm) [channels.c] bz#1419: support "on demand" X11 forwarding via |
1168 | launchd on OS X; patch from vgiffin AT apple.com, slightly tweaked; | |
1169 | ok dtucker@ | |
23b3ed0b | 1170 | - (djm) [contrib/ssh-copy-id.1 contrib/ssh-copy-id] bz#1492: Make |
1171 | ssh-copy-id copy id_rsa.pub by default (instead of the legacy "identity" | |
1172 | key). Patch from cjwatson AT debian.org | |
a25d08b3 | 1173 | |
16076ac9 | 1174 | 20090107 |
1175 | - (tim) [configure.ac defines.h openbsd-compat/port-uw.c | |
1176 | openbsd-compat/xcrypt.c] Add SECUREWARE support to OpenServer 6 SVR5 ABI. | |
1177 | OK djm@ dtucker@ | |
44a71983 | 1178 | - (tim) [configure.ac] Move check_for_libcrypt_later=1 in *-*-sysv5*) section. |
1179 | OpenServer 6 doesn't need libcrypt. | |
16076ac9 | 1180 | |
09925c00 | 1181 | 20081209 |
1182 | - (djm) OpenBSD CVS Sync | |
1183 | - djm@cvs.openbsd.org 2008/12/09 02:38:18 | |
1184 | [clientloop.c] | |
1185 | The ~C escape handler does not work correctly for multiplexed sessions - | |
1186 | it opens a commandline on the master session, instead of on the slave | |
1187 | that requested it. Disable it on slave sessions until such time as it | |
1188 | is fixed; bz#1543 report from Adrian Bridgett via Colin Watson | |
1189 | ok markus@ | |
ddb5e00f | 1190 | - djm@cvs.openbsd.org 2008/12/09 02:39:59 |
1191 | [sftp.c] | |
1192 | Deal correctly with failures in remote stat() operation in sftp, | |
1193 | correcting fail-on-error behaviour in batchmode. bz#1541 report and | |
1194 | fix from anedvedicky AT gmail.com; ok markus@ | |
bab3d903 | 1195 | - djm@cvs.openbsd.org 2008/12/09 02:58:16 |
1196 | [readconf.c] | |
1197 | don't leave junk (free'd) pointers around in Forward *fwd argument on | |
1198 | failure; avoids double-free in ~C -L handler when given an invalid | |
1199 | forwarding specification; bz#1539 report from adejong AT debian.org | |
1200 | via Colin Watson; ok markus@ dtucker@ | |
83cd8c39 | 1201 | - djm@cvs.openbsd.org 2008/12/09 03:02:37 |
1202 | [sftp.1 sftp.c] | |
1203 | correct sftp(1) and corresponding usage syntax; | |
1204 | bz#1518 patch from imorgan AT nas.nasa.gov; ok deraadt@ improved diff jmc@ | |
09925c00 | 1205 | |
53e2660a | 1206 | 20081208 |
1207 | - (djm) [configure.ac] bz#1538: better test for ProPolice/SSP: actually | |
1208 | use some stack in main(). | |
1209 | Report and suggested fix from vapier AT gentoo.org | |
66e16767 | 1210 | - (djm) OpenBSD CVS Sync |
1211 | - markus@cvs.openbsd.org 2008/12/02 19:01:07 | |
1212 | [clientloop.c] | |
1213 | we have to use the recipient's channel number (RFC 4254) for | |
1214 | SSH2_MSG_CHANNEL_SUCCESS/SSH2_MSG_CHANNEL_FAILURE messages, | |
1215 | otherwise we trigger 'Non-public channel' error messages on sshd | |
1216 | systems with clientkeepalive enabled; noticed by sturm; ok djm; | |
7ec2b275 | 1217 | - markus@cvs.openbsd.org 2008/12/02 19:08:59 |
1218 | [serverloop.c] | |
1219 | backout 1.149, since it's not necessary and openssh clients send | |
1220 | broken CHANNEL_FAILURE/SUCCESS messages since about 2004; ok djm@ | |
b09b559d | 1221 | - markus@cvs.openbsd.org 2008/12/02 19:09:38 |
1222 | [channels.c] | |
1223 | s/remote_id/id/ to be more consistent with other code; ok djm@ | |
53e2660a | 1224 | |
de470c82 | 1225 | 20081201 |
1226 | - (dtucker) [contrib/cygwin/{Makefile,ssh-host-config}] Add new doc files | |
1227 | and tweak the is-sshd-running check in ssh-host-config. Patch from | |
1228 | vinschen at redhat com. | |
66af1c21 | 1229 | - (dtucker) OpenBSD CVS Sync |
1230 | - markus@cvs.openbsd.org 2008/11/21 15:47:38 | |
1231 | [packet.c] | |
1232 | packet_disconnect() on padding error, too. should reduce the success | |
1233 | probability for the CPNI-957037 Plaintext Recovery Attack to 2^-18 | |
1234 | ok djm@ | |
8e10da10 | 1235 | - dtucker@cvs.openbsd.org 2008/11/30 11:59:26 |
1236 | [monitor_fdpass.c] | |
1237 | Retry sendmsg/recvmsg on EAGAIN and EINTR; ok djm@ | |
de470c82 | 1238 | |
d2aa725a | 1239 | 20081123 |
1240 | - (dtucker) [monitor_fdpass.c] Reduce diff vs OpenBSD by moving some | |
1241 | declarations, removing an unnecessary union member and adding whitespace. | |
c037a517 | 1242 | cmsgbuf.tmp thing spotted by des at des no, ok djm some time ago. |
d2aa725a | 1243 | |
95e16084 | 1244 | 20081118 |
1245 | - (tim) [addrmatch.c configure.ac] Some platforms do not have sin6_scope_id | |
1246 | member of sockaddr_in6. Also reported in Bug 1491 by David Leonard. OK and | |
1247 | feedback by djm@ | |
1248 | ||
0bd3332c | 1249 | 20081111 |
1250 | - (dtucker) OpenBSD CVS Sync | |
1251 | - jmc@cvs.openbsd.org 2008/11/05 11:22:54 | |
1252 | [servconf.c] | |
1253 | passord -> password; | |
1254 | fixes user/5975 from Rene Maroufi | |
1890bf8b | 1255 | - stevesk@cvs.openbsd.org 2008/11/07 00:42:12 |
1256 | [ssh-keygen.c] | |
1257 | spelling/typo in comment | |
92d0164c | 1258 | - stevesk@cvs.openbsd.org 2008/11/07 18:50:18 |
1259 | [nchan.c] | |
1260 | add space to some log/debug messages for readability; ok djm@ markus@ | |
3d7f6c3d | 1261 | - dtucker@cvs.openbsd.org 2008/11/07 23:34:48 |
1262 | [auth2-jpake.c] | |
1263 | Move JPAKE define to make life easier for portable. ok djm@ | |
94087553 | 1264 | - tobias@cvs.openbsd.org 2008/11/09 12:34:47 |
1265 | [session.c ssh.1] | |
1266 | typo fixed (overriden -> overridden) | |
1267 | ok espie, jmc | |
2505b891 | 1268 | - stevesk@cvs.openbsd.org 2008/11/11 02:58:09 |
1269 | [servconf.c] | |
1270 | USE_AFS not referenced so remove #ifdef. fixes sshd -T not printing | |
1271 | kerberosgetafstoken. ok dtucker@ | |
1272 | (Id sync only, we still want the ifdef in portable) | |
861e9e53 | 1273 | - stevesk@cvs.openbsd.org 2008/11/11 03:55:11 |
1274 | [channels.c] | |
1275 | for sshd -T print 'permitopen any' vs. 'permitopen' for case of no | |
1276 | permitopen's; ok and input dtucker@ | |
0771f5dd | 1277 | - djm@cvs.openbsd.org 2008/11/10 02:06:35 |
1278 | [regress/putty-ciphers.sh] | |
1279 | PuTTY supports AES CTR modes, so interop test against them too | |
0bd3332c | 1280 | |
39aa8698 | 1281 | 20081105 |
1282 | - OpenBSD CVS Sync | |
1283 | - djm@cvs.openbsd.org 2008/11/03 08:59:41 | |
1284 | [servconf.c] | |
1285 | include MaxSessions in sshd -T output; patch from imorgan AT nas.nasa.gov | |
a28625a6 | 1286 | - djm@cvs.openbsd.org 2008/11/04 07:58:09 |
1287 | [auth.c] | |
1288 | need unistd.h for close() prototype | |
1289 | (ID sync only) | |
5adf6b9a | 1290 | - djm@cvs.openbsd.org 2008/11/04 08:22:13 |
1291 | [auth.h auth2.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h] | |
1292 | [readconf.c readconf.h servconf.c servconf.h ssh2.h ssh_config.5] | |
1293 | [sshconnect2.c sshd_config.5 jpake.c jpake.h schnorr.c auth2-jpake.c] | |
1294 | [Makefile.in] | |
1295 | Add support for an experimental zero-knowledge password authentication | |
1296 | method using the J-PAKE protocol described in F. Hao, P. Ryan, | |
1297 | "Password Authenticated Key Exchange by Juggling", 16th Workshop on | |
1298 | Security Protocols, Cambridge, April 2008. | |
1299 | ||
1300 | This method allows password-based authentication without exposing | |
1301 | the password to the server. Instead, the client and server exchange | |
1302 | cryptographic proofs to demonstrate knowledge of the password while | |
1303 | revealing nothing useful to an attacker or compromised endpoint. | |
1304 | ||
1305 | This is experimental, work-in-progress code and is presently | |
1306 | compile-time disabled (turn on -DJPAKE in Makefile.inc). | |
1307 | ||
1308 | "just commit it. It isn't too intrusive." deraadt@ | |
d35f707e | 1309 | - stevesk@cvs.openbsd.org 2008/11/04 19:18:00 |
1310 | [readconf.c] | |
1311 | because parse_forward() is now used to parse all forward types (DLR), | |
1312 | and it malloc's space for host variables, we don't need to malloc | |
1313 | here. fixes small memory leaks. | |
1314 | ||
1315 | previously dynamic forwards were not parsed in parse_forward() and | |
1316 | space was not malloc'd in that case. | |
1317 | ||
1318 | ok djm@ | |
10cf2ac3 | 1319 | - stevesk@cvs.openbsd.org 2008/11/05 03:23:09 |
1320 | [clientloop.c ssh.1] | |
1321 | add dynamic forward escape command line; ok djm@ | |
39aa8698 | 1322 | |
94f36816 | 1323 | 20081103 |
1324 | - OpenBSD CVS Sync | |
1325 | - sthen@cvs.openbsd.org 2008/07/24 23:55:30 | |
1326 | [ssh-keygen.1] | |
1327 | Add "ssh-keygen -F -l" to synopsis (displays fingerprint from | |
1328 | known_hosts). ok djm@ | |
1329 | - grunk@cvs.openbsd.org 2008/07/25 06:56:35 | |
1330 | [ssh_config] | |
1331 | Add VisualHostKey to example file, ok djm@ | |
5ca42ddb | 1332 | - grunk@cvs.openbsd.org 2008/07/25 07:05:16 |
1333 | [key.c] | |
1334 | In random art visualization, make sure to use the end marker only at the | |
1335 | end. Initial diff by Dirk Loss, tweaks and ok djm@ | |
341cb46b | 1336 | - markus@cvs.openbsd.org 2008/07/31 14:48:28 |
1337 | [sshconnect2.c] | |
1338 | don't allocate space for empty banners; report t8m at centrum.cz; | |
1339 | ok deraadt | |
686bdcbd | 1340 | - krw@cvs.openbsd.org 2008/08/02 04:29:51 |
1341 | [ssh_config.5] | |
1342 | whitepsace -> whitespace. From Matthew Clarke via bugs@. | |
e3ef5245 | 1343 | - djm@cvs.openbsd.org 2008/08/21 04:09:57 |
1344 | [session.c] | |
1345 | allow ForceCommand internal-sftp with arguments. based on patch from | |
1346 | michael.barabanov AT gmail.com; ok markus@ | |
1975fb98 | 1347 | - djm@cvs.openbsd.org 2008/09/06 12:24:13 |
1348 | [kex.c] | |
1349 | OpenSSL 0.9.8h supplies a real EVP_sha256 so we do not need our | |
1350 | replacement anymore | |
1351 | (ID sync only for portable - we still need this) | |
72bd2fca | 1352 | - markus@cvs.openbsd.org 2008/09/11 14:22:37 |
1353 | [compat.c compat.h nchan.c ssh.c] | |
1354 | only send eow and no-more-sessions requests to openssh 5 and newer; | |
1355 | fixes interop problems with broken ssh v2 implementations; ok djm@ | |
2e96832c | 1356 | - millert@cvs.openbsd.org 2008/10/02 14:39:35 |
1357 | [session.c] | |
1358 | Convert an unchecked strdup to xstrdup. OK deraadt@ | |
dc94d57e | 1359 | - jmc@cvs.openbsd.org 2008/10/03 13:08:12 |
1360 | [sshd.8] | |
1361 | do not give an example of how to chmod files: we can presume the user | |
1362 | knows that. removes an ambiguity in the permission of authorized_keys; | |
1363 | ok deraadt | |
90d5350e | 1364 | - deraadt@cvs.openbsd.org 2008/10/03 23:56:28 |
1365 | [sshconnect2.c] | |
1366 | Repair strnvis() buffersize of 4*n+1, with termination guaranteed by the | |
1367 | function. | |
1368 | spotted by des@freebsd, who committed an incorrect fix to the freebsd tree | |
1369 | and (as is fairly typical) did not report the problem to us. But this fix | |
1370 | is correct. | |
1371 | ok djm | |
bf793210 | 1372 | - djm@cvs.openbsd.org 2008/10/08 23:34:03 |
1373 | [ssh.1 ssh.c] | |
1374 | Add -y option to force logging via syslog rather than stderr. | |
1375 | Useful for daemonised ssh connection (ssh -f). Patch originally from | |
1376 | and ok'd by markus@ | |
e68868a1 | 1377 | - djm@cvs.openbsd.org 2008/10/09 03:50:54 |
1378 | [servconf.c sshd_config.5] | |
1379 | support setting PermitEmptyPasswords in a Match block | |
1380 | requested in PR3891; ok dtucker@ | |
f3a4d0d0 | 1381 | - jmc@cvs.openbsd.org 2008/10/09 06:54:22 |
1382 | [ssh.c] | |
1383 | add -y to usage(); | |
6503dc91 | 1384 | - stevesk@cvs.openbsd.org 2008/10/10 04:55:16 |
1385 | [scp.c] | |
1386 | spelling in comment; ok djm@ | |
260bf88a | 1387 | - stevesk@cvs.openbsd.org 2008/10/10 05:00:12 |
1388 | [key.c] | |
1389 | typo in error message; ok djm@ | |
96a00a9d | 1390 | - stevesk@cvs.openbsd.org 2008/10/10 16:43:27 |
1391 | [ssh_config.5] | |
1392 | use 'Privileged ports can be forwarded only when logging in as root on | |
1393 | the remote machine.' for RemoteForward just like ssh.1 -R. | |
1394 | ok djm@ jmc@ | |
1395 | - stevesk@cvs.openbsd.org 2008/10/14 18:11:33 | |
1396 | [sshconnect.c] | |
1397 | use #define ROQUIET here; no binary change. ok dtucker@ | |
8d20b087 | 1398 | - stevesk@cvs.openbsd.org 2008/10/17 18:36:24 |
1399 | [ssh_config.5] | |
1400 | correct and clarify VisualHostKey; ok jmc@ | |
25f93f2c | 1401 | - stevesk@cvs.openbsd.org 2008/10/30 19:31:16 |
1402 | [clientloop.c sshd.c] | |
1403 | don't need to #include "monitor_fdpass.h" | |
b8974c94 | 1404 | - stevesk@cvs.openbsd.org 2008/10/31 15:05:34 |
1405 | [dispatch.c] | |
1406 | remove unused #define DISPATCH_MIN; ok markus@ | |
e64399cc | 1407 | - djm@cvs.openbsd.org 2008/11/01 04:50:08 |
1408 | [sshconnect2.c] | |
1409 | sprinkle ARGSUSED on dispatch handlers | |
1410 | nuke stale unused prototype | |
2ea438c2 | 1411 | - stevesk@cvs.openbsd.org 2008/11/01 06:43:33 |
1412 | [channels.c] | |
1413 | fix some typos in log messages; ok djm@ | |
9995aaa3 | 1414 | - sobrado@cvs.openbsd.org 2008/11/01 11:14:36 |
1415 | [ssh-keyscan.1 ssh-keyscan.c] | |
1416 | the ellipsis is not an optional argument; while here, improve spacing. | |
30573fea | 1417 | - stevesk@cvs.openbsd.org 2008/11/01 17:40:33 |
1418 | [clientloop.c readconf.c readconf.h ssh.c] | |
1419 | merge dynamic forward parsing into parse_forward(); | |
1420 | 'i think this is OK' djm@ | |
9bbba34b | 1421 | - stevesk@cvs.openbsd.org 2008/11/02 00:16:16 |
1422 | [ttymodes.c] | |
1423 | protocol 2 tty modes support is now 7.5 years old so remove these | |
1424 | debug3()s; ok deraadt@ | |
b626b7ae | 1425 | - stevesk@cvs.openbsd.org 2008/11/03 01:07:02 |
1426 | [readconf.c] | |
1427 | remove valueless comment | |
c8eaf0ec | 1428 | - stevesk@cvs.openbsd.org 2008/11/03 02:44:41 |
1429 | [readconf.c] | |
1430 | fix comment | |
fce91335 | 1431 | - (djm) [contrib/caldera/ssh-host-keygen contrib/suse/rc.sshd] |
1432 | Make example scripts generate keys with default sizes rather than fixed, | |
1433 | non-default 1024 bits; patch from imorgan AT nas.nasa.gov | |
933e2f91 | 1434 | - (djm) [contrib/sshd.pam.generic contrib/caldera/sshd.pam] |
1435 | [contrib/redhat/sshd.pam] Move pam_nologin to account group from | |
1436 | incorrect auth group in example files; | |
1437 | patch from imorgan AT nas.nasa.gov | |
94f36816 | 1438 | |
d6339843 | 1439 | 20080906 |
1440 | - (dtucker) [config.guess config.sub] Update to latest versions from | |
1441 | http://git.savannah.gnu.org/gitweb/ (2008-04-14 and 2008-06-16 | |
1442 | respectively). | |
1443 | ||
974ce4a0 | 1444 | 20080830 |
1445 | - (dtucker) [openbsd-compat/bsd-poll.c] correctly check for number of FDs | |
1446 | larger than FD_SETSIZE (OpenSSH only ever uses poll with one fd). Patch | |
1447 | from Nicholas Marriott. | |
1448 | ||
e888d981 | 1449 | 20080721 |
1450 | - (djm) OpenBSD CVS Sync | |
1451 | - djm@cvs.openbsd.org 2008/07/23 07:36:55 | |
1452 | [servconf.c] | |
1453 | do not try to print options that have been compile-time disabled | |
1454 | in config test mode (sshd -T); report from nix-corp AT esperi.org.uk | |
1455 | ok dtucker@ | |
cee47c9f | 1456 | - (djm) [servconf.c] Print UsePAM option in config test mode (when it |
1457 | has been compiled in); report from nix-corp AT esperi.org.uk | |
1458 | ok dtucker@ | |
e888d981 | 1459 | |
b14e719f | 1460 | 20080721 |
1461 | - (djm) OpenBSD CVS Sync | |
1462 | - jmc@cvs.openbsd.org 2008/07/18 22:51:01 | |
1463 | [sftp-server.8] | |
1464 | no need for .Pp before or after .Sh; | |
f3b93df3 | 1465 | - djm@cvs.openbsd.org 2008/07/21 08:19:07 |
1466 | [version.h] | |
1467 | openssh-5.1 | |
11368183 | 1468 | - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
1469 | [contrib/suse/openssh.spec] Update version number in README and RPM specs | |
55d5db1c | 1470 | - (djm) Release OpenSSH-5.1 |
b14e719f | 1471 | |
e5df5ff2 | 1472 | 20080717 |
1473 | - (djm) OpenBSD CVS Sync | |
1474 | - djm@cvs.openbsd.org 2008/07/17 08:48:00 | |
1475 | [sshconnect2.c] | |
1476 | strnvis preauth banner; pointed out by mpf@ ok markus@ | |
2800468d | 1477 | - djm@cvs.openbsd.org 2008/07/17 08:51:07 |
1478 | [auth2-hostbased.c] | |
1479 | strip trailing '.' from hostname when HostbasedUsesNameFromPacketOnly=yes | |
1480 | report and patch from res AT qoxp.net (bz#1200); ok markus@ | |
d9d96f7a | 1481 | - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Remove long-unneeded compat |
1482 | code, replace with equivalent cygwin library call. Patch from vinschen | |
3a69fb58 | 1483 | at redhat.com, ok djm@. |
1484 | - (djm) [sshconnect2.c] vis.h isn't available everywhere | |
e5df5ff2 | 1485 | |
b8c9ea19 | 1486 | 20080716 |
1487 | - OpenBSD CVS Sync | |
1488 | - djm@cvs.openbsd.org 2008/07/15 02:23:14 | |
1489 | [sftp.1] | |
1490 | number of pipelined requests is now 64; | |
1491 | prodded by Iain.Morgan AT nasa.gov | |
dfe666f6 | 1492 | - djm@cvs.openbsd.org 2008/07/16 11:51:14 |
1493 | [clientloop.c] | |
1494 | rename variable first_gc -> last_gc (since it is actually the last | |
1495 | in the list). | |
cdfbc829 | 1496 | - djm@cvs.openbsd.org 2008/07/16 11:52:19 |
1497 | [channels.c] | |
1498 | this loop index should be automatic, not static | |
b8c9ea19 | 1499 | |
322b3f02 | 1500 | 20080714 |
1501 | - (djm) OpenBSD CVS Sync | |
1502 | - sthen@cvs.openbsd.org 2008/07/13 21:22:52 | |
1503 | [ssh-keygen.c] | |
1504 | Change "ssh-keygen -F [host] -l" to not display random art unless | |
1505 | -v is also specified, making it consistent with the manual and other | |
1506 | uses of -l. | |
1507 | ok grunk@ | |
9fb764ab | 1508 | - djm@cvs.openbsd.org 2008/07/13 22:13:07 |
1509 | [channels.c] | |
1510 | use struct sockaddr_storage instead of struct sockaddr for accept(2) | |
1511 | address argument. from visibilis AT yahoo.com in bz#1485; ok markus@ | |
873722cc | 1512 | - djm@cvs.openbsd.org 2008/07/13 22:16:03 |
1513 | [sftp.c] | |
1514 | increase number of pipelined requests so they properly fill the | |
1515 | (recently increased) channel window. prompted by rapier AT psc.edu; | |
1516 | ok markus@ | |
66fba053 | 1517 | - djm@cvs.openbsd.org 2008/07/14 01:55:56 |
1518 | [sftp-server.8] | |
1519 | mention requirement for /dev/log inside chroot when using sftp-server | |
1520 | with ChrootDirectory | |
6c6bb9a6 | 1521 | - (djm) [openbsd-compat/bindresvport.c] Rename variables s/sin/in/ to |
1522 | avoid clash with sin(3) function; reported by | |
1523 | cristian.ionescu-idbohrn AT axis.com | |
7be182d4 | 1524 | - (djm) [openbsd-compat/rresvport.c] Add unistd.h for missing close() |
1525 | prototype; reported by cristian.ionescu-idbohrn AT axis.com | |
6a9c22a5 | 1526 | - (djm) [umac.c] Rename variable s/buffer_ptr/bufp/ to avoid clash; |
1527 | reported by cristian.ionescu-idbohrn AT axis.com | |
7ea1abf7 | 1528 | - (djm) [contrib/cygwin/Makefile contrib/cygwin/ssh-host-config] |
1529 | [contrib/cygwin/ssh-user-config contrib/cygwin/sshd-inetd] | |
1530 | Revamped and simplified Cygwin ssh-host-config script that uses | |
1531 | unified csih configuration tool. Requires recent Cygwin. | |
1532 | Patch from vinschen AT redhat.com | |
322b3f02 | 1533 | |
267d5589 | 1534 | 20080712 |
1535 | - (djm) OpenBSD CVS Sync | |
1536 | - djm@cvs.openbsd.org 2008/07/12 04:52:50 | |
1537 | [channels.c] | |
1538 | unbreak; move clearing of cctx struct to before first use | |
1539 | reported by dkrause@ | |
da9a823d | 1540 | - djm@cvs.openbsd.org 2008/07/12 05:33:41 |
1541 | [scp.1] | |
1542 | better description for -i flag: | |
1543 | s/RSA authentication/public key authentication/ | |
2ade01eb | 1544 | - (djm) [openbsd-compat/fake-rfc2553.c openbsd-compat/fake-rfc2553.h] |
1545 | return EAI_FAMILY when trying to lookup unsupported address family; | |
1546 | from vinschen AT redhat.com | |
267d5589 | 1547 | |
971deff8 | 1548 | 20080711 |
1549 | - (djm) OpenBSD CVS Sync | |
1550 | - stevesk@cvs.openbsd.org 2008/07/07 00:31:41 | |
1551 | [ttymodes.c] | |
1552 | we don't need arg after the debug3() was removed. from lint. | |
1553 | ok djm@ | |
d5b5b8f6 | 1554 | - stevesk@cvs.openbsd.org 2008/07/07 23:32:51 |
1555 | [key.c] | |
1556 | /*NOTREACHED*/ for lint warning: | |
1557 | warning: function key_equal falls off bottom without returning value | |
1558 | ok djm@ | |
6eb3f18c | 1559 | - markus@cvs.openbsd.org 2008/07/10 18:05:58 |
1560 | [channels.c] | |
1561 | missing bzero; from mickey; ok djm@ | |
e8e08a80 | 1562 | - markus@cvs.openbsd.org 2008/07/10 18:08:11 |
1563 | [clientloop.c monitor.c monitor_wrap.c packet.c packet.h sshd.c] | |
1564 | sync v1 and v2 traffic accounting; add it to sshd, too; | |
1565 | ok djm@, dtucker@ | |
971deff8 | 1566 | |
17969fcc | 1567 | 20080709 |
1568 | - (djm) [Makefile.in] Print "all tests passed" when all regress tests pass | |
b5fc5d94 | 1569 | - (djm) [auth1.c] Fix format string vulnerability in protocol 1 PAM |
1570 | account check failure path. The vulnerable format buffer is supplied | |
1571 | from PAM and should not contain attacker-supplied data. | |
78cb4705 | 1572 | - (djm) [auth.c] Missing unistd.h for close() |
b5902374 | 1573 | - (djm) [configure.ac] Add -Wformat-security to CFLAGS for gcc 3.x and 4.x |
17969fcc | 1574 | |
3fde0623 | 1575 | 20080705 |
1576 | - (djm) [auth.c] Fixed test for locked account on HP/UX with shadowed | |
1577 | passwords disabled. bz#1083 report & patch from senthilkumar_sen AT | |
1578 | hotpop.com, w/ dtucker@ | |
e8983917 | 1579 | - (djm) [atomicio.c configure.ac] Disable poll() fallback in atomiciov for |
1580 | Tru64. readv doesn't seem to be a comparable object there. | |
1581 | bz#1386, patch from dtucker@ ok me | |
b8d635d0 | 1582 | - (djm) [Makefile.in] Pass through pass to conch for interop tests |
6ed8a3ae | 1583 | - (djm) [configure.ac] unbreak: remove extra closing brace |
d38d9a80 | 1584 | - (djm) OpenBSD CVS Sync |
1585 | - djm@cvs.openbsd.org 2008/07/04 23:08:25 | |
1586 | [packet.c] | |
1587 | handle EINTR in packet_write_poll(); ok dtucker@ | |
71709bcd | 1588 | - djm@cvs.openbsd.org 2008/07/04 23:30:16 |
1589 | [auth1.c auth2.c] | |
1590 | Make protocol 1 MaxAuthTries logic match protocol 2's. | |
1591 | Do not treat the first protocol 2 authentication attempt as | |
1592 | a failure IFF it is for method "none". | |
1593 | Makes MaxAuthTries' user-visible behaviour identical for | |
1594 | protocol 1 vs 2. | |
1595 | ok dtucker@ | |
3086db6e | 1596 | - djm@cvs.openbsd.org 2008/07/05 05:16:01 |
1597 | [PROTOCOL] | |
1598 | grammar | |
3fde0623 | 1599 | |
a0d38609 | 1600 | 20080704 |
1601 | - (dtucker) OpenBSD CVS Sync | |
1602 | - djm@cvs.openbsd.org 2008/07/02 13:30:34 | |
1603 | [auth2.c] | |
1604 | really really remove the freebie "none" auth try for protocol 2 | |
6c777090 | 1605 | - djm@cvs.openbsd.org 2008/07/02 13:47:39 |
1606 | [ssh.1 ssh.c] | |
1607 | When forking after authentication ("ssh -f") with ExitOnForwardFailure | |
1608 | enabled, delay the fork until after replies for any -R forwards have | |
1609 | been seen. Allows for robust detection of -R forward failure when | |
1610 | using -f (similar to bz#92); ok dtucker@ | |
f0b9fde3 | 1611 | - otto@cvs.openbsd.org 2008/07/03 21:46:58 |
1612 | [auth2-pubkey.c] | |
1613 | avoid nasty double free; ok dtucker@ djm@ | |
cece208b | 1614 | - djm@cvs.openbsd.org 2008/07/04 03:44:59 |
1615 | [servconf.c groupaccess.h groupaccess.c] | |
1616 | support negation of groups in "Match group" block (bz#1315); ok dtucker@ | |
c54d3d1c | 1617 | - dtucker@cvs.openbsd.org 2008/07/04 03:47:02 |
1618 | [monitor.c] | |
1619 | Make debug a little clearer. ok djm@ | |
c7cbf377 | 1620 | - djm@cvs.openbsd.org 2008/06/30 08:07:34 |
1621 | [regress/key-options.sh] | |
1622 | shell portability: use "=" instead of "==" in test(1) expressions, | |
1623 | double-quote string with backslash escaped / | |
8a972082 | 1624 | - djm@cvs.openbsd.org 2008/06/30 10:31:11 |
1625 | [regress/{putty-transfer,putty-kex,putty-ciphers}.sh] | |
1626 | remove "set -e" left over from debugging | |
9b0c87d9 | 1627 | - djm@cvs.openbsd.org 2008/06/30 10:43:03 |
1628 | [regress/conch-ciphers.sh] | |
1629 | explicitly disable conch options that could interfere with the test | |
97e61398 | 1630 | - (dtucker) [sftp-server.c] Bug #1447: fall back to racy rename if link |
1631 | returns EXDEV. Patch from Mike Garrison, ok djm@ | |
5a0c8771 | 1632 | - (djm) [atomicio.c channels.c clientloop.c defines.h includes.h] |
1633 | [packet.c scp.c serverloop.c sftp-client.c ssh-agent.c ssh-keyscan.c] | |
1634 | [sshd.c] Explicitly handle EWOULDBLOCK wherever we handle EAGAIN, on | |
1635 | some platforms (HP nonstop) it is a distinct errno; | |
1636 | bz#1467 reported by sconeu AT yahoo.com; ok dtucker@ | |
1637 | ||
8f02e0be | 1638 | 20080702 |
1639 | - (dtucker) OpenBSD CVS Sync | |
1640 | - djm@cvs.openbsd.org 2008/06/30 08:05:59 | |
1641 | [PROTOCOL.agent] | |
1642 | typo: s/constraint_date/constraint_data/ | |
fb5582f7 | 1643 | - djm@cvs.openbsd.org 2008/06/30 12:15:39 |
1644 | [serverloop.c] | |
1645 | only pass channel requests on session channels through to the session | |
1646 | channel handler, avoiding spurious log messages; ok! markus@ | |
4d92dbc1 | 1647 | - djm@cvs.openbsd.org 2008/06/30 12:16:02 |
1648 | [nchan.c] | |
1649 | only send eow@openssh.com notifications for session channels; ok! markus@ | |
8fb1ddc9 | 1650 | - djm@cvs.openbsd.org 2008/06/30 12:18:34 |
1651 | [PROTOCOL] | |
1652 | clarify that eow@openssh.com is only sent on session channels | |
979b31ed | 1653 | - dtucker@cvs.openbsd.org 2008/07/01 07:20:52 |
1654 | [sshconnect.c] | |
1655 | Check ExitOnForwardFailure if forwardings are disabled due to a failed | |
1656 | host key check. ok djm@ | |
f9b45eaf | 1657 | - dtucker@cvs.openbsd.org 2008/07/01 07:24:22 |
1658 | [sshconnect.c sshd.c] | |
1659 | Send CR LF during protocol banner exchanges, but only for Protocol 2, | |
1660 | in order to comply with RFC 4253. bz #1443, ok djm@ | |
5ebed98d | 1661 | - stevesk@cvs.openbsd.org 2008/07/01 23:12:47 |
1662 | [PROTOCOL.agent] | |
1663 | fix some typos; ok djm@ | |
39ceddb7 | 1664 | - djm@cvs.openbsd.org 2008/07/02 02:24:18 |
1665 | [sshd_config sshd_config.5 sshd.8 servconf.c] | |
1666 | increase default size of ssh protocol 1 ephemeral key from 768 to 1024 | |
1667 | bits; prodded by & ok dtucker@ ok deraadt@ | |
f7c2a004 | 1668 | - dtucker@cvs.openbsd.org 2008/07/02 12:03:51 |
1669 | [auth-rsa.c auth.c auth2-pubkey.c auth.h] | |
1670 | Merge duplicate host key file checks, based in part on a patch from Rob | |
1671 | Holland via bz #1348. Also checks for non-regular files during protocol | |
1672 | 1 RSA auth. ok djm@ | |
221fc73c | 1673 | - djm@cvs.openbsd.org 2008/07/02 12:36:39 |
1674 | [auth2-none.c auth2.c] | |
1675 | Make protocol 2 MaxAuthTries behaviour a little more sensible: | |
1676 | Check whether client has exceeded MaxAuthTries before running | |
1677 | an authentication method and skip it if they have, previously it | |
1678 | would always allow one try (for "none" auth). | |
1679 | Preincrement failure count before post-auth test - previously this | |
1680 | checked and postincremented, also to allow one "none" try. | |
1681 | Together, these two changes always count the "none" auth method | |
1682 | which could be skipped by a malicious client (e.g. an SSH worm) | |
1683 | to get an extra attempt at a real auth method. They also make | |
1684 | MaxAuthTries=0 a useful way to block users entirely (esp. in a | |
1685 | sshd_config Match block). | |
1686 | Also, move sending of any preauth banner from "none" auth method | |
1687 | to the first call to input_userauth_request(), so worms that skip | |
1688 | the "none" method get to see it too. | |
8f02e0be | 1689 | |
00b7389d | 1690 | 20080630 |
1691 | - (djm) OpenBSD CVS Sync | |
1692 | - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 | |
1693 | [regress/Makefile regress/key-options.sh] | |
1694 | Add regress test for key options. ok djm@ | |
86d745dc | 1695 | - dtucker@cvs.openbsd.org 2008/06/11 23:11:40 |
014f1b23 | 1696 | [regress/Makefile] |
86d745dc | 1697 | Don't run cipher-speed test by default; mistakenly enabled by me |
014f1b23 | 1698 | - djm@cvs.openbsd.org 2008/06/28 13:57:25 |
1699 | [regress/Makefile regress/test-exec.sh regress/conch-ciphers.sh] | |
1700 | very basic regress test against Twisted Conch in "make interop" | |
1701 | target (conch is available in ports/devel/py-twisted/conch); | |
1702 | ok markus@ | |
8476b024 | 1703 | - (djm) [regress/Makefile] search for conch by path, like we do putty |
00b7389d | 1704 | |
aa47edcc | 1705 | 20080629 |
1706 | - (djm) OpenBSD CVS Sync | |
1707 | - martynas@cvs.openbsd.org 2008/06/21 07:46:46 | |
1708 | [sftp.c] | |
1709 | use optopt to get invalid flag, instead of return value of getopt, | |
1710 | which is always '?'; ok djm@ | |
ccf0fcb6 | 1711 | - otto@cvs.openbsd.org 2008/06/25 11:13:43 |
1712 | [key.c] | |
1713 | add key length to visual fingerprint; zap magical constants; | |
1714 | ok grunk@ djm@ | |
681efe9f | 1715 | - djm@cvs.openbsd.org 2008/06/26 06:10:09 |
1716 | [sftp-client.c sftp-server.c] | |
1717 | allow the sftp chmod(2)-equivalent operation to set set[ug]id/sticky | |
1718 | bits. Note that this only affects explicit setting of modes (e.g. via | |
1719 | sftp(1)'s chmod command) and not file transfers. (bz#1310) | |
1720 | ok deraadt@ at c2k8 | |
b080d398 | 1721 | - djm@cvs.openbsd.org 2008/06/26 09:19:40 |
1722 | [dh.c dh.h moduli.c] | |
1723 | when loading moduli from /etc/moduli in sshd(8), check that they | |
1724 | are of the expected "safe prime" structure and have had | |
1725 | appropriate primality tests performed; | |
1726 | feedback and ok dtucker@ | |
7b3999b8 | 1727 | - grunk@cvs.openbsd.org 2008/06/26 11:46:31 |
1728 | [readconf.c readconf.h ssh.1 ssh_config.5 sshconnect.c] | |
1729 | Move SSH Fingerprint Visualization away from sharing the config option | |
1730 | CheckHostIP to an own config option named VisualHostKey. | |
1731 | While there, fix the behaviour that ssh would draw a random art picture | |
1732 | on every newly seen host even when the option was not enabled. | |
1733 | prodded by deraadt@, discussions, | |
1734 | help and ok markus@ djm@ dtucker@ | |
2e8d3306 | 1735 | - jmc@cvs.openbsd.org 2008/06/26 21:11:46 |
1736 | [ssh.1] | |
1737 | add VisualHostKey to the list of options listed in -o; | |
cda43f66 | 1738 | - djm@cvs.openbsd.org 2008/06/28 07:25:07 |
1739 | [PROTOCOL] | |
1740 | spelling fixes | |
c525650a | 1741 | - djm@cvs.openbsd.org 2008/06/28 13:58:23 |
1742 | [ssh-agent.c] | |
1743 | refuse to add a key that has unknown constraints specified; | |
1744 | ok markus | |
9ee2fb0e | 1745 | - djm@cvs.openbsd.org 2008/06/28 14:05:15 |
1746 | [ssh-agent.c] | |
1747 | reset global compat flag after processing a protocol 2 signature | |
1748 | request with the legacy DSA encoding flag set; ok markus | |
ab3eb078 | 1749 | - djm@cvs.openbsd.org 2008/06/28 14:08:30 |
1750 | [PROTOCOL PROTOCOL.agent] | |
1751 | document the protocol used by ssh-agent; "looks ok" markus@ | |
aa47edcc | 1752 | |
f6351d4d | 1753 | 20080628 |
1754 | - (djm) [RFC.nroff contrib/cygwin/Makefile contrib/suse/openssh.spec] | |
1755 | RFC.nroff lacks a license, remove it (it is long gone in OpenBSD). | |
1756 | ||
bd6b3feb | 1757 | 20080626 |
1758 | - (djm) [Makefile.in moduli.5] Include moduli(5) manpage from OpenBSD. | |
1759 | (bz#1372) | |
a32d8b38 | 1760 | - (djm) [ contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
1761 | [contrib/suse/openssh.spec] Include moduli.5 in RPM spec files. | |
bd6b3feb | 1762 | |
b3784859 | 1763 | 20080616 |
1764 | - (dtucker) OpenBSD CVS Sync | |
1765 | - dtucker@cvs.openbsd.org 2008/06/16 13:22:53 | |
1766 | [session.c channels.c] | |
1767 | Rename the isatty argument to is_tty so we don't shadow | |
1768 | isatty(3). ok markus@ | |
245f4d36 | 1769 | - (dtucker) [channels.c] isatty -> is_tty here too. |
b3784859 | 1770 | |
b55b0285 | 1771 | 20080615 |
1772 | - (dtucker) [configure.ac] Enable -fno-builtin-memset when using gcc. | |
081573fe | 1773 | - OpenBSD CVS Sync |
1774 | - dtucker@cvs.openbsd.org 2008/06/14 15:49:48 | |
1775 | [sshd.c] | |
1776 | wrap long line at 80 chars | |
26512357 | 1777 | - dtucker@cvs.openbsd.org 2008/06/14 17:07:11 |
1778 | [sshd.c] | |
1779 | ensure default umask disallows at least group and world write; ok djm@ | |
2608aa2b | 1780 | - djm@cvs.openbsd.org 2008/06/14 18:33:43 |
1781 | [session.c] | |
1782 | suppress the warning message from chdir(homedir) failures | |
1783 | when chrooted (bz#1461); ok dtucker | |
49c5f262 | 1784 | - dtucker@cvs.openbsd.org 2008/06/14 19:42:10 |
1785 | [scp.1] | |
1786 | Mention that scp follows symlinks during -r. bz #1466, | |
1787 | from nectar at apple | |
d97287d3 | 1788 | - dtucker@cvs.openbsd.org 2008/06/15 16:55:38 |
1789 | [sshd_config.5] | |
1790 | MaxSessions is allowed in a Match block too | |
8086aeb2 | 1791 | - dtucker@cvs.openbsd.org 2008/06/15 16:58:40 |
1792 | [servconf.c sshd_config.5] | |
1793 | Allow MaxAuthTries within a Match block. ok djm@ | |
c9478090 | 1794 | - djm@cvs.openbsd.org 2008/06/15 20:06:26 |
1795 | [channels.c channels.h session.c] | |
1796 | don't call isatty() on a pty master, instead pass a flag down to | |
1797 | channel_set_fds() indicating that the fds refer to a tty. Fixes a | |
1798 | hang on exit on Solaris (bz#1463) in portable but is actually | |
1799 | a generic bug; ok dtucker deraadt markus | |
b55b0285 | 1800 | |
add357c6 | 1801 | 20080614 |
1802 | - (djm) [openbsd-compat/sigact.c] Avoid NULL derefs in ancient sigaction | |
1803 | replacement code; patch from ighighi AT gmail.com in bz#1240; | |
1804 | ok dtucker | |
1805 | ||
849d3ceb | 1806 | 20080613 |
1807 | - (dtucker) OpenBSD CVS Sync | |
1808 | - deraadt@cvs.openbsd.org 2008/06/13 09:44:36 | |
1809 | [packet.c] | |
1810 | compile on older gcc; no decl after code | |
52ad6b9a | 1811 | - dtucker@cvs.openbsd.org 2008/06/13 13:56:59 |
1812 | [monitor.c] | |
1813 | Clear key options in the monitor on failed authentication, prevents | |
1814 | applying additional restrictions to non-pubkey authentications in | |
1815 | the case where pubkey fails but another method subsequently succeeds. | |
1816 | bz #1472, found by Colin Watson, ok markus@ djm@ | |
1d0b7aaa | 1817 | - dtucker@cvs.openbsd.org 2008/06/13 14:18:51 |
1818 | [auth2-pubkey.c auth-rhosts.c] | |
1819 | Include unistd.h for close(), prevents warnings in -portable | |
a3f13d60 | 1820 | - dtucker@cvs.openbsd.org 2008/06/13 17:21:20 |
1821 | [mux.c] | |
1822 | Friendlier error messages for mux fallback. ok djm@ | |
a15e7da1 | 1823 | - dtucker@cvs.openbsd.org 2008/06/13 18:55:22 |
1824 | [scp.c] | |
1825 | Prevent -Wsign-compare warnings on LP64 systems. bz #1192, ok deraadt@ | |
990ada29 | 1826 | - grunk@cvs.openbsd.org 2008/06/13 20:13:26 |
1827 | [ssh.1] | |
1828 | Explain the use of SSH fpr visualization using random art, and cite the | |
1829 | original scientific paper inspiring that technique. | |
1830 | Much help with English and nroff by jmc@, thanks. | |
596a825b | 1831 | - (dtucker) [configure.ac] Bug #1276: avoid linking against libgssapi, which |
1832 | despite its name doesn't seem to implement all of GSSAPI. Patch from | |
1833 | Jan Engelhardt, sanity checked by Simon Wilkinson. | |
849d3ceb | 1834 | |
9754b94b | 1835 | 20080612 |
1836 | - (dtucker) OpenBSD CVS Sync | |
1837 | - jmc@cvs.openbsd.org 2008/06/11 07:30:37 | |
1838 | [sshd.8] | |
1839 | kill trailing whitespace; | |
aff73c5f | 1840 | - grunk@cvs.openbsd.org 2008/06/11 21:01:35 |
1841 | [ssh_config.5 key.h readconf.c readconf.h ssh-keygen.1 ssh-keygen.c key.c | |
1842 | sshconnect.c] | |
1843 | Introduce SSH Fingerprint ASCII Visualization, a technique inspired by the | |
1844 | graphical hash visualization schemes known as "random art", and by | |
1845 | Dan Kaminsky's musings on the subject during a BlackOp talk at the | |
1846 | 23C3 in Berlin. | |
1847 | Scientific publication (original paper): | |
1848 | "Hash Visualization: a New Technique to improve Real-World Security", | |
1849 | Perrig A. and Song D., 1999, International Workshop on Cryptographic | |
1850 | Techniques and E-Commerce (CrypTEC '99) | |
1851 | http://sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf | |
1852 | The algorithm used here is a worm crawling over a discrete plane, | |
1853 | leaving a trace (augmenting the field) everywhere it goes. | |
1854 | Movement is taken from dgst_raw 2bit-wise. Bumping into walls | |
1855 | makes the respective movement vector be ignored for this turn, | |
1856 | thus switching to the other color of the chessboard. | |
1857 | Graphs are not unambiguous for now, because circles in graphs can be | |
1858 | walked in either direction. | |
1859 | discussions with several people, | |
1860 | help, corrections and ok markus@ djm@ | |
93778882 | 1861 | - grunk@cvs.openbsd.org 2008/06/11 21:38:25 |
1862 | [ssh-keygen.c] | |
1863 | ssh-keygen -lv -f /etc/ssh/ssh_host_rsa_key.pub | |
1864 | would not display you the random art as intended, spotted by canacar@ | |
639211b7 | 1865 | - grunk@cvs.openbsd.org 2008/06/11 22:20:46 |
1866 | [ssh-keygen.c ssh-keygen.1] | |
1867 | ssh-keygen would write fingerprints to STDOUT, and random art to STDERR, | |
1868 | that is not how it was envisioned. | |
1869 | Also correct manpage saying that -v is needed along with -l for it to work. | |
1870 | spotted by naddy@ | |
e3115002 | 1871 | - otto@cvs.openbsd.org 2008/06/11 23:02:22 |
1872 | [key.c] | |
1873 | simpler way of computing the augmentations; ok grunk@ | |
fe88400f | 1874 | - grunk@cvs.openbsd.org 2008/06/11 23:03:56 |
1875 | [ssh_config.5] | |
1876 | CheckHostIP set to ``fingerprint'' will display both hex and random art | |
1877 | spotted by naddy@ | |
97841001 | 1878 | - grunk@cvs.openbsd.org 2008/06/11 23:51:57 |
1879 | [key.c] | |
1880 | #define statements that are not atoms need braces around them, else they | |
1881 | will cause trouble in some cases. | |
1882 | Also do a computation of -1 once, and not in a loop several times. | |
1883 | spotted by otto@ | |
e907df41 | 1884 | - dtucker@cvs.openbsd.org 2008/06/12 00:03:49 |
1885 | [dns.c canohost.c sshconnect.c] | |
1886 | Do not pass "0" strings as ports to getaddrinfo because the lookups | |
1887 | can slow things down and we never use the service info anyway. bz | |
1888 | #859, patch from YOSHIFUJI Hideaki and John Devitofranceschi. ok | |
1889 | deraadt@ djm@ | |
1890 | djm believes that the reason for the "0" strings is to ensure that | |
1891 | it's not possible to call getaddrinfo with both host and port being | |
1892 | NULL. In the case of canohost.c host is a local array. In the | |
1893 | case of sshconnect.c, it's checked for null immediately before use. | |
1894 | In dns.c it ultimately comes from ssh.c:main() and is guaranteed to | |
1895 | be non-null but it's not obvious, so I added a warning message in | |
1896 | case it is ever passed a null. | |
1897 | - grunk@cvs.openbsd.org 2008/06/12 00:13:55 | |
1898 | [sshconnect.c] | |
1899 | Make ssh print the random art also when ssh'ing to a host using IP only. | |
1900 | spotted by naddy@, ok and help djm@ dtucker@ | |
208cc0ee | 1901 | - otto@cvs.openbsd.org 2008/06/12 00:13:13 |
1902 | [key.c] | |
1903 | use an odd number of rows and columns and a separate start marker, looks | |
1904 | better; ok grunk@ | |
f17f705b | 1905 | - djm@cvs.openbsd.org 2008/06/12 03:40:52 |
1906 | [clientloop.h mux.c channels.c clientloop.c channels.h] | |
1907 | Enable ~ escapes for multiplex slave sessions; give each channel | |
1908 | its own escape state and hook the escape filters up to muxed | |
1909 | channels. bz #1331 | |
1910 | Mux slaves do not currently support the ~^Z and ~& escapes. | |
1911 | NB. this change cranks the mux protocol version, so a new ssh | |
1912 | mux client will not be able to connect to a running old ssh | |
1913 | mux master. | |
1914 | ok dtucker@ | |
72becb62 | 1915 | - djm@cvs.openbsd.org 2008/06/12 04:06:00 |
1916 | [clientloop.h ssh.c clientloop.c] | |
1917 | maintain an ordered queue of outstanding global requests that we | |
1918 | expect replies to, similar to the per-channel confirmation queue. | |
1919 | Use this queue to verify success or failure for remote forward | |
1920 | establishment in a race free way. | |
1921 | ok dtucker@ | |
344f1d3d | 1922 | - djm@cvs.openbsd.org 2008/06/12 04:17:47 |
1923 | [clientloop.c] | |
1924 | thou shalt not code past the eightieth column | |
e8097dc9 | 1925 | - djm@cvs.openbsd.org 2008/06/12 04:24:06 |
1926 | [ssh.c] | |
1927 | thou shalt not code past the eightieth column | |
9bcf03ce | 1928 | - djm@cvs.openbsd.org 2008/06/12 05:15:41 |
1929 | [PROTOCOL] | |
1930 | document tun@openssh.com forwarding method | |
aacab402 | 1931 | - djm@cvs.openbsd.org 2008/06/12 05:32:30 |
1932 | [mux.c] | |
1933 | some more TODO for me | |
2bb50d23 | 1934 | - grunk@cvs.openbsd.org 2008/06/12 05:42:46 |
1935 | [key.c] | |
1936 | supply the key type (rsa1, rsa, dsa) as a caption in the frame of the | |
1937 | random art. while there, stress the fact that the field base should at | |
1938 | least be 8 characters for the pictures to make sense. | |
1939 | comment and ok djm@ | |
1940 | - grunk@cvs.openbsd.org 2008/06/12 06:32:59 | |
1941 | [key.c] | |
1942 | We already mark the start of the worm, now also mark the end of the worm | |
1943 | in our random art drawings. | |
1944 | ok djm@ | |
e74caf1e | 1945 | - djm@cvs.openbsd.org 2008/06/12 15:19:17 |
1946 | [clientloop.h channels.h clientloop.c channels.c mux.c] | |
1947 | The multiplexing escape char handler commit last night introduced a | |
1948 | small memory leak per session; plug it. | |
e9d0b573 | 1949 | - dtucker@cvs.openbsd.org 2008/06/12 16:35:31 |
1950 | [ssh_config.5 ssh.c] | |
1951 | keyword expansion for localcommand. ok djm@ | |
a64f8307 | 1952 | - jmc@cvs.openbsd.org 2008/06/12 19:10:09 |
1953 | [ssh_config.5 ssh-keygen.1] | |
1954 | tweak the ascii art text; ok grunk | |
bc2d97c8 | 1955 | - dtucker@cvs.openbsd.org 2008/06/12 20:38:28 |
1956 | [sshd.c sshconnect.c packet.h misc.c misc.h packet.c] | |
1957 | Make keepalive timeouts apply while waiting for a packet, particularly | |
1958 | during key renegotiation (bz #1363). With djm and Matt Day, ok djm@ | |
ad39a852 | 1959 | - djm@cvs.openbsd.org 2008/06/12 20:47:04 |
1960 | [sftp-client.c] | |
1961 | print extension revisions for extensions that we understand | |
07d8d480 | 1962 | - djm@cvs.openbsd.org 2008/06/12 21:06:25 |
1963 | [clientloop.c] | |
1964 | I was coalescing expected global request confirmation replies at | |
1965 | the wrong end of the queue - fix; prompted by markus@ | |
31de76cc | 1966 | - grunk@cvs.openbsd.org 2008/06/12 21:14:46 |
1967 | [ssh-keygen.c] | |
1968 | make ssh-keygen -lf show the key type just as ssh-add -l would do it | |
1969 | ok djm@ markus@ | |
f97fb6ca | 1970 | - grunk@cvs.openbsd.org 2008/06/12 22:03:36 |
1971 | [key.c] | |
1972 | add my copyright, ok djm@ | |
6d8216ff | 1973 | - ian@cvs.openbsd.org 2008/06/12 23:24:58 |
1974 | [sshconnect.c] | |
1975 | tweak wording in message, ok deraadt@ jmc@ | |
2c83cd01 | 1976 | - dtucker@cvs.openbsd.org 2008/06/13 00:12:02 |
1977 | [sftp.h log.h] | |
1978 | replace __dead with __attribute__((noreturn)), makes things | |
1979 | a little easier to port. Also, add it to sigdie(). ok djm@ | |
b97ea6eb | 1980 | - djm@cvs.openbsd.org 2008/06/13 00:16:49 |
1981 | [mux.c] | |
1982 | fall back to creating a new TCP connection on most multiplexing errors | |
1983 | (socket connect fail, invalid version, refused permission, corrupted | |
1984 | messages, etc.); bz #1329 ok dtucker@ | |
243cc316 | 1985 | - dtucker@cvs.openbsd.org 2008/06/13 00:47:53 |
1986 | [mux.c] | |
1987 | upcast size_t to u_long to match format arg; ok djm@ | |
041f11dc | 1988 | - dtucker@cvs.openbsd.org 2008/06/13 00:51:47 |
1989 | [mac.c] | |
1990 | upcast another size_t to u_long to match format | |
852eb76b | 1991 | - dtucker@cvs.openbsd.org 2008/06/13 01:38:23 |
1992 | [misc.c] | |
1993 | upcast uid to long with matching %ld, prevents warnings in portable | |
632f2669 | 1994 | - djm@cvs.openbsd.org 2008/06/13 04:40:22 |
1995 | [auth2-pubkey.c auth-rhosts.c] | |
1996 | refuse to read ~/.shosts or ~/.ssh/authorized_keys that are not | |
1997 | regular files; report from Solar Designer via Colin Watson in bz#1471 | |
1998 | ok dtucker@ deraadt | |
136d0181 | 1999 | - (dtucker) [clientloop.c serverloop.c] channel_register_filter now |
2000 | takes 2 more args. with djm@ | |
49190c3d | 2001 | - (dtucker) [defines.h] Bug #1112: __dead is, well dead. Based on a patch |
2002 | from Todd Vierling. | |
02e605ed | 2003 | - (dtucker) [auth-sia.c] Bug #1241: support password expiry on Tru64 SIA |
2004 | systems. Patch from R. Scott Bailey. | |
c694c610 | 2005 | - (dtucker) [umac.c] STORE_UINT32_REVERSED and endian_convert are never used |
2006 | on big endian machines, so ifdef them for little-endian only to prevent | |
2007 | unused function warnings on big-endians. | |
56f77432 | 2008 | - (dtucker) [openbsd-compat/setenv.c] Make offsets size_t to prevent |
2009 | compiler warnings on some platforms. Based on a discussion with otto@ | |
9754b94b | 2010 | |
554ebbed | 2011 | 20080611 |
2012 | - (djm) [channels.c configure.ac] | |
2013 | Do not set SO_REUSEADDR on wildcard X11 listeners (X11UseLocalhost=no) | |
2014 | bz#1464; ok dtucker | |
2015 | ||
15b5fa9b | 2016 | 20080610 |
2017 | - (dtucker) OpenBSD CVS Sync | |
2018 | - djm@cvs.openbsd.org 2008/06/10 03:57:27 | |
2019 | [servconf.c match.h sshd_config.5] | |
2020 | support CIDR address matching in sshd_config "Match address" blocks, with | |
2021 | full support for negation and fall-back to classic wildcard matching. | |
2022 | For example: | |
2023 | Match address 192.0.2.0/24,3ffe:ffff::/32,!10.* | |
2024 | PasswordAuthentication yes | |
2025 | addrmatch.c code mostly lifted from flowd's addr.c | |
2026 | feedback and ok dtucker@ | |
8b671558 | 2027 | - djm@cvs.openbsd.org 2008/06/10 04:17:46 |
2028 | [sshd_config.5] | |
2029 | better reference for pattern-list | |
1760c982 | 2030 | - dtucker@cvs.openbsd.org 2008/06/10 04:50:25 |
2031 | [sshd.c channels.h channels.c log.c servconf.c log.h servconf.h sshd.8] | |
2032 | Add extended test mode (-T) and connection parameters for test mode (-C). | |
2033 | -T causes sshd to write its effective configuration to stdout and exit. | |
2034 | -C causes any relevant Match rules to be applied before output. The | |
2035 | combination allows testing of the parser and config files. ok deraadt djm | |
01e9e424 | 2036 | - jmc@cvs.openbsd.org 2008/06/10 07:12:00 |
2037 | [sshd_config.5] | |
2038 | tweak previous; | |
3b42e3ac | 2039 | - jmc@cvs.openbsd.org 2008/06/10 08:17:40 |
2040 | [sshd.8 sshd.c] | |
2041 | - update usage() | |
2042 | - fix SYNOPSIS, and sort options | |
2043 | - some minor additional fixes | |
f0528444 | 2044 | - dtucker@cvs.openbsd.org 2008/06/09 18:06:32 |
2045 | [regress/test-exec.sh] | |
2046 | Don't generate putty keys if we're not going to use them. ok djm | |
16d46c30 | 2047 | - dtucker@cvs.openbsd.org 2008/06/10 05:23:32 |
2048 | [regress/addrmatch.sh regress/Makefile] | |
2049 | Regress test for Match CIDR rules. ok djm@ | |
94edc013 | 2050 | - dtucker@cvs.openbsd.org 2008/06/10 15:21:41 |
2051 | [test-exec.sh] | |
2052 | Use a more portable construct for checking if we're running a putty test | |
64c576e9 | 2053 | - dtucker@cvs.openbsd.org 2008/06/10 15:28:49 |
2054 | [test-exec.sh] | |
2055 | Add quotes | |
f6748d7b | 2056 | - dtucker@cvs.openbsd.org 2008/06/10 18:21:24 |
2057 | [ssh_config.5] | |
2058 | clarify that Host patterns are space-separated. ok deraadt | |
3f0444ca | 2059 | - djm@cvs.openbsd.org 2008/06/10 22:15:23 |
2060 | [PROTOCOL ssh.c serverloop.c] | |
2061 | Add a no-more-sessions@openssh.com global request extension that the | |
2062 | client sends when it knows that it will never request another session | |
2063 | (i.e. when session multiplexing is disabled). This allows a server to | |
2064 | disallow further session requests and terminate the session. | |
2065 | Why would a non-multiplexing client ever issue additional session | |
2066 | requests? It could have been attacked with something like SSH'jack: | |
2067 | http://www.storm.net.nz/projects/7 | |
2068 | feedback & ok markus | |
b3b048d6 | 2069 | - djm@cvs.openbsd.org 2008/06/10 23:06:19 |
2070 | [auth-options.c match.c servconf.c addrmatch.c sshd.8] | |
2071 | support CIDR address matching in .ssh/authorized_keys from="..." stanzas | |
2072 | ok and extensive testing dtucker@ | |
8fb12ef0 | 2073 | - dtucker@cvs.openbsd.org 2008/06/10 23:21:34 |
2074 | [bufaux.c] | |
2075 | Use '\0' for a nul byte rather than unadorned 0. ok djm@ | |
a6d05adf | 2076 | - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 |
2077 | [Makefile regress/key-options.sh] | |
2078 | Add regress test for key options. ok djm@ | |
edee47f5 | 2079 | - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 |
2080 | since the new CIDR code in addmatch.c references it. | |
2081 | - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 | |
2082 | specific tests on platforms that don't do IPv6. | |
8ac1d2eb | 2083 | - (dtucker) [Makefile.in] Define TEST_SSH_IPV6 in make's arguments as well |
2084 | as environment. | |
0694c78f | 2085 | - (dtucker) [Makefile.in] Move addrmatch.o to libssh.a where it's needed now. |
15b5fa9b | 2086 | |
10e804f4 | 2087 | 20080609 |
2088 | - (dtucker) OpenBSD CVS Sync | |
2089 | - dtucker@cvs.openbsd.org 2008/06/08 17:04:41 | |
2090 | [sftp-server.c] | |
2091 | Add case for ENOSYS in errno_to_portable; ok deraadt | |
5a3cde15 | 2092 | - dtucker@cvs.openbsd.org 2008/06/08 20:15:29 |
2093 | [sftp.c sftp-client.c sftp-client.h] | |
2094 | Have the sftp client store the statvfs replies in wire format, | |
2095 | which prevents problems when the server's native sizes exceed the | |
2096 | client's. | |
2097 | Also extends the sizes of the remaining 32bit wire format to 64bit, | |
2098 | they're specified as unsigned long in the standard. | |
7290afcb | 2099 | - dtucker@cvs.openbsd.org 2008/06/09 13:02:39 |
2626070f | 2100 | [sftp-server.c] |
7290afcb | 2101 | Extend 32bit -> 64bit values for statvfs extension missed in previous |
2102 | commit. | |
2626070f | 2103 | - dtucker@cvs.openbsd.org 2008/06/09 13:38:46 |
2104 | [PROTOCOL] | |
2105 | Use a $OpenBSD tag so our scripts will sync changes. | |
10e804f4 | 2106 | |
22f5e872 | 2107 | 20080608 |
2108 | - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c | |
2109 | openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h | |
2110 | openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and | |
2111 | fstatvfs and remove #defines around statvfs code. ok djm@ | |
7a4f468b | 2112 | - (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a |
2113 | macro to convert fsid to unsigned long for platforms where fsid is a | |
2114 | 2-member array. | |
22f5e872 | 2115 | |
0894bbed | 2116 | 20080607 |
2117 | - (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H. | |
4538e135 | 2118 | - (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c] |
2119 | Do not enable statvfs extensions on platforms that do not have statvfs. | |
2abb1ef5 | 2120 | - (dtucker) OpenBSD CVS Sync |
2121 | - djm@cvs.openbsd.org 2008/05/19 06:14:02 | |
2122 | [packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@ | |
82bb6f20 | 2123 | - djm@cvs.openbsd.org 2008/05/19 15:45:07 |
2124 | [sshtty.c ttymodes.c sshpty.h] | |
2125 | Fix sending tty modes when stdin is not a tty (bz#1199). Previously | |
2126 | we would send the modes corresponding to a zeroed struct termios, | |
2127 | whereas we should have been sending an empty list of modes. | |
2128 | Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ | |
048acbeb | 2129 | - djm@cvs.openbsd.org 2008/05/19 15:46:31 |
2130 | [ssh-keygen.c] | |
2131 | support -l (print fingerprint) in combination with -F (find host) to | |
2132 | search for a host in ~/.ssh/known_hosts and display its fingerprint; | |
2133 | ok markus@ | |
4651c790 | 2134 | - djm@cvs.openbsd.org 2008/05/19 20:53:52 |
2135 | [clientloop.c] | |
2136 | unbreak tree by committing this bit that I missed from: | |
2137 | Fix sending tty modes when stdin is not a tty (bz#1199). Previously | |
2138 | we would send the modes corresponding to a zeroed struct termios, | |
2139 | whereas we should have been sending an empty list of modes. | |
2140 | Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@ | |
0894bbed | 2141 | |
07e61b8a | 2142 | 20080604 |
2143 | - (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias | |
2144 | in arc4random_uniform with upper_bound in (2^30,2*31). Note that | |
2145 | OpenSSH did not make requests with upper bounds in this range. | |
2146 | ||
b3ef88dc | 2147 | 20080519 |
2148 | - (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in] | |
2149 | [openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h] | |
2150 | Fix compilation on Linux, including pulling in fmt_scaled(3) | |
2151 | implementation from OpenBSD's libutil. | |
2152 | ||
9b04dbaa | 2153 | 20080518 |
2154 | - (djm) OpenBSD CVS Sync | |
2155 | - djm@cvs.openbsd.org 2008/04/04 05:14:38 | |
2156 | [sshd_config.5] | |
2157 | ChrootDirectory is supported in Match blocks (in fact, it is most useful | |
2158 | there). Spotted by Minstrel AT minstrel.org.uk | |
5b76e3ef | 2159 | - djm@cvs.openbsd.org 2008/04/04 06:44:26 |
2160 | [sshd_config.5] | |
2161 | oops, some unrelated stuff crept into that commit - backout. | |
2162 | spotted by jmc@ | |
ade21243 | 2163 | - djm@cvs.openbsd.org 2008/04/05 02:46:02 |
2164 | [sshd_config.5] | |
2165 | HostbasedAuthentication is supported under Match too | |
185adaf8 | 2166 | - (djm) [openbsd-compat/bsd-arc4random.c openbsd-compat/openbsd-compat.c] |
2167 | [configure.ac] Implement arc4random_buf(), import implementation of | |
2168 | arc4random_uniform() from OpenBSD | |
936e7c8c | 2169 | - (djm) [openbsd-compat/bsd-arc4random.c] Warning fixes |
c49ce62e | 2170 | - (djm) [openbsd-compat/port-tun.c] needs sys/queue.h |
c1d152b8 | 2171 | - (djm) OpenBSD CVS Sync |
2172 | - djm@cvs.openbsd.org 2008/04/13 00:22:17 | |
2173 | [dh.c sshd.c] | |
2174 | Use arc4random_buf() when requesting more than a single word of output | |
2175 | Use arc4random_uniform() when the desired random number upper bound | |
2176 | is not a power of two | |
2177 | ok deraadt@ millert@ | |
360b43ab | 2178 | - djm@cvs.openbsd.org 2008/04/18 12:32:11 |
2179 | [sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h] | |
2180 | introduce sftp extension methods statvfs@openssh.com and | |
2181 | fstatvfs@openssh.com that implement statvfs(2)-like operations, | |
2182 | based on a patch from miklos AT szeredi.hu (bz#1399) | |
2183 | also add a "df" command to the sftp client that uses the | |
2184 | statvfs@openssh.com to produce a df(1)-like display of filesystem | |
2185 | space and inode utilisation | |
2186 | ok markus@ | |
ea530517 | 2187 | - jmc@cvs.openbsd.org 2008/04/18 17:15:47 |
2188 | [sftp.1] | |
2189 | macro fixage; | |
48fbfda0 | 2190 | - djm@cvs.openbsd.org 2008/04/18 22:01:33 |
2191 | [session.c] | |
2192 | remove unnecessary parentheses | |
0bb7755b | 2193 | - otto@cvs.openbsd.org 2008/04/29 11:20:31 |
2194 | [monitor_mm.h] | |
2195 | garbage collect two unused fields in struct mm_master; ok markus@ | |
c47ff7a6 | 2196 | - djm@cvs.openbsd.org 2008/04/30 10:14:03 |
2197 | [ssh-keyscan.1 ssh-keyscan.c] | |
2198 | default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by | |
2199 | larsnooden AT openoffice.org | |
43c3f85c | 2200 | - pyr@cvs.openbsd.org 2008/05/07 05:49:37 |
2201 | [servconf.c servconf.h session.c sshd_config.5] | |
2202 | Enable the AllowAgentForwarding option in sshd_config (global and match | |
2203 | context), to specify if agents should be permitted on the server. | |
2204 | As the man page states: | |
2205 | ``Note that disabling Agent forwarding does not improve security | |
2206 | unless users are also denied shell access, as they can always install | |
2207 | their own forwarders.'' | |
2208 | ok djm@, ok and a mild frown markus@ | |
5c7e2b47 | 2209 | - pyr@cvs.openbsd.org 2008/05/07 06:43:35 |
2210 | [sshd_config] | |
2211 | push the sshd_config bits in, spotted by ajacoutot@ | |
94569631 | 2212 | - jmc@cvs.openbsd.org 2008/05/07 08:00:14 |
2213 | [sshd_config.5] | |
2214 | sort; | |
17f02f0a | 2215 | - markus@cvs.openbsd.org 2008/05/08 06:59:01 |
2216 | [bufaux.c buffer.h channels.c packet.c packet.h] | |
2217 | avoid extra malloc/copy/free when receiving data over the net; | |
2218 | ~10% speedup for localhost-scp; ok djm@ | |
3593bdc0 | 2219 | - djm@cvs.openbsd.org 2008/05/08 12:02:23 |
2220 | [auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c] | |
2221 | [monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c] | |
2222 | [ssh.c sshd.c] | |
2223 | Implement a channel success/failure status confirmation callback | |
2224 | mechanism. Each channel maintains a queue of callbacks, which will | |
2225 | be drained in order (RFC4253 guarantees confirm messages are not | |
2226 | reordered within a channel). | |
2227 | Also includes an abandonment callback to clean up if a channel is | |
2228 | closed without sending confirmation messages. This probably | |
2229 | shouldn't happen in compliant implementations, but it could be | |
2230 | abused to leak memory. | |
2231 | ok markus@ (as part of a larger diff) | |
c6dca55e | 2232 | - djm@cvs.openbsd.org 2008/05/08 12:21:16 |
2233 | [monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c] | |
2234 | [sshd_config sshd_config.5] | |
2235 | Make the maximum number of sessions run-time controllable via | |
2236 | a sshd_config MaxSessions knob. This is useful for disabling | |
2237 | login/shell/subsystem access while leaving port-forwarding working | |
2238 | (MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or | |
2239 | simply increasing the number of allowed multiplexed sessions. | |
2240 | Because some bozos are sure to configure MaxSessions in excess of the | |
2241 | number of available file descriptors in sshd (which, at peak, might be | |
2242 | as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds | |
2243 | on error paths, and make it fail gracefully on out-of-fd conditions - | |
2244 | sending channel errors instead of exiting with fatal(). | |
2245 | bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com | |
2246 | ok markus@ | |
95d3c124 | 2247 | - djm@cvs.openbsd.org 2008/05/08 13:06:11 |
2248 | [clientloop.c clientloop.h ssh.c] | |
2249 | Use new channel status confirmation callback system to properly deal | |
2250 | with "important" channel requests that fail, in particular command exec, | |
2251 | shell and subsystem requests. Previously we would optimistically assume | |
2252 | that the requests would always succeed, which could cause hangs if they | |
2253 | did not (e.g. when the server runs out of fds) or were unimplemented by | |
2254 | the server (bz #1384) | |
2255 | Also, properly report failing multiplex channel requests via the mux | |
2256 | client stderr (subject to LogLevel in the mux master) - better than | |
2257 | silently failing. | |
2258 | most bits ok markus@ (as part of a larger diff) | |
e07e21ad | 2259 | - djm@cvs.openbsd.org 2008/05/09 04:55:56 |
2260 | [channels.c channels.h clientloop.c serverloop.c] | |
2261 | Try additional addresses when connecting to a port forward destination | |
2262 | whose DNS name resolves to more than one address. The previous behaviour | |
2263 | was to try the first address and give up. | |
2264 | Reported by stig AT venaas.com in bz#343 | |
2265 | great feedback and ok markus@ | |
3bcced4c | 2266 | - djm@cvs.openbsd.org 2008/05/09 14:18:44 |
2267 | [clientloop.c clientloop.h ssh.c mux.c] | |
2268 | tidy up session multiplexing code, moving it into its own file and | |
2269 | making the function names more consistent - making ssh.c and | |
2270 | clientloop.c a fair bit more readable. | |
2271 | ok markus@ | |
6cd3e678 | 2272 | - djm@cvs.openbsd.org 2008/05/09 14:26:08 |
2273 | [ssh.c] | |
2274 | dingo stole my diff hunk | |
ee7c3e92 | 2275 | - markus@cvs.openbsd.org 2008/05/09 16:16:06 |
2276 | [session.c] | |
2277 | re-add the USE_PIPES code and enable it. | |
2278 | without pipes shutdown-read from the sshd does not trigger | |
2279 | a SIGPIPE when the forked program does a write. | |
2280 | ok djm@ | |
2281 | (Id sync only, USE_PIPES never left portable OpenSSH) | |
271f4a13 | 2282 | - markus@cvs.openbsd.org 2008/05/09 16:17:51 |
2283 | [channels.c] | |
2284 | error-fd race: don't enable the error fd in the select bitmask | |
2285 | for channels with both in- and output closed, since the channel | |
2286 | will go away before we call select(); | |
2287 | report, lots of debugging help and ok djm@ | |
50c96367 | 2288 | - markus@cvs.openbsd.org 2008/05/09 16:21:13 |
2289 | [channels.h clientloop.c nchan.c serverloop.c] | |
2290 | unbreak | |
2291 | ssh -2 localhost od /bin/ls | true | |
2292 | ignoring SIGPIPE by adding a new channel message (EOW) that signals | |
2293 | the peer that we're not interested in any data it might send. | |
2294 | fixes bz #85; discussion, debugging and ok djm@ | |
d5820099 | 2295 | - pvalchev@cvs.openbsd.org 2008/05/12 20:52:20 |
2296 | [umac.c] | |
2297 | Ensure nh_result lies on a 64-bit boundary (fixes warnings observed | |
2298 | on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@ | |
56b12440 | 2299 | - djm@cvs.openbsd.org 2008/05/15 23:52:24 |
2300 | [nchan2.ms] | |
2301 | document eow message in ssh protocol 2 channel state machine; | |
2302 | feedback and ok markus@ | |
f8db3345 | 2303 | - djm@cvs.openbsd.org 2008/05/18 21:29:05 |
2304 | [sftp-server.c] | |
2305 | comment extension announcement | |
8be03682 | 2306 | - djm@cvs.openbsd.org 2008/05/16 08:30:42 |
2307 | [PROTOCOL] | |
2308 | document our protocol extensions and deviations; ok markus@ | |
2309 | - djm@cvs.openbsd.org 2008/05/17 01:31:56 | |
2310 | [PROTOCOL] | |
2311 | grammar and correctness fixes from stevesk@ | |
9b04dbaa | 2312 | |
490c3105 | 2313 | 20080403 |
2314 | - (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile- | |
2315 | time warnings on LynxOS. Patch from ops AT iki.fi | |
1ebb73e4 | 2316 | - (djm) Force string arguments to replacement setproctitle() through |
2317 | strnvis first. Ok dtucker@ | |
490c3105 | 2318 | |
2b363e83 | 2319 | 20080403 |
2320 | - (djm) OpenBSD CVS sync: | |
2321 | - markus@cvs.openbsd.org 2008/04/02 15:36:51 | |
2322 | [channels.c] | |
2323 | avoid possible hijacking of x11-forwarded connections (back out 1.183) | |
2324 | CVE-2008-1483; ok djm@ | |
adb7acbc | 2325 | - jmc@cvs.openbsd.org 2008/03/27 22:37:57 |
2326 | [sshd.8] | |
2327 | remove trailing whitespace; | |
53e0dc70 | 2328 | - djm@cvs.openbsd.org 2008/04/03 09:50:14 |
2329 | [version.h] | |
2330 | openssh-5.0 | |
31b1b2c8 | 2331 | - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] |
2332 | [contrib/suse/openssh.spec] Crank version numbers in RPM spec files | |
dd052df9 | 2333 | - (djm) [README] Update link to release notes |
098ebea7 | 2334 | - (djm) Release 5.0p1 |