Commit | Line | Data |
---|---|---|
0b49a754 | 1 | Programming: |
61e96248 | 2 | - Grep for 'XXX' comments and fix |
3 | ||
4345ecda | 4 | - Link order is incorrect for some systems using Kerberos 4 and AFS. Result |
b5e83136 | 5 | is multiple inclusion of DES symbols. Holger Trapp |
6 | <holger.trapp@hrz.tu-chemnitz.de> reports that changing the configure | |
7 | generated link order from: | |
8 | -lresolv -lkrb -lz -lnsl -lutil -lkafs -lkrb -ldes -lcrypto | |
9 | to: | |
10 | -lresolv -lkrb -lz -lnsl -lutil -lcrypto -lkafs -lkrb -ldes | |
11 | fixes the problem. | |
4345ecda | 12 | |
38682136 | 13 | - Write a test program that calls stat() to search for EGD/PRNGd socket |
7c4ba20c | 14 | rather than use the (non-portable) "test -S". |
38682136 | 15 | |
d5eedf23 | 16 | - Replacement for setproctitle() - HP-UX support only currently |
e1a9c08d | 17 | |
7c4ba20c | 18 | - Handle changing passwords for the non-PAM expired password case |
19 | ||
d4f11b59 | 20 | - Improve PAM support (a pam_lastlog module will cause sshd to exit) |
cbecf1ed | 21 | and maybe support alternate forms of authentications like OPIE via |
0b6fbf03 | 22 | pam? |
e1a9c08d | 23 | |
7c4ba20c | 24 | - Rework PAM ChallengeResponseAuthentication |
25 | - Use kbdint request packet with 0 prompts for informational messages | |
26 | - Use different PAM service name for kbdint vs regular auth (suggest from | |
27 | Solar Designer) | |
28 | - Ability to select which ChallengeResponseAuthentications may be used | |
29 | and order to try them in e.g. "ChallengeResponseAuthentication skey, pam" | |
30 | ||
0b49a754 | 31 | - Complete Tru64 SIA support |
a483bb4f | 32 | - It looks like we could merge it into the password auth code to cut down |
33 | on diff size. Maybe PAM password auth too? | |
e1a9c08d | 34 | |
0b49a754 | 35 | - Finish integrating kernel-level auditing code for IRIX and SOLARIS |
36 | (Gilbert.r.loomis@saic.com) | |
2b942fe0 | 37 | |
b8c37305 | 38 | - sftp-server: Rework to step down to 32bit ints if the platform |
39 | lacks 'long long' == 64bit (Notably SCO w/ SCO compiler) | |
a0391976 | 40 | |
e876f2db | 41 | - Linux hangs for 20 seconds when you do "sleep 20&exit". All current |
42 | solutions break scp or leave processes hanging around after the ssh | |
43 | connection has ended. It seems to be linked to two things. One | |
44 | select() under Linux is not as nice as others, and two the children | |
cbecf1ed | 45 | of the shell are not killed on exiting the shell. |
46 | A short run-down of what happens: | |
47 | - The shell starts up, and starts its own session. As a side-effect, it | |
48 | gets its own process group. | |
49 | - The child forks off sleep, and because it's in the background, puts it | |
50 | into its own process group. The sleep command inherits a copy of the | |
51 | shell's descriptor for the tty as its stdout. | |
52 | - The shell exits, but doesn't SIGHUP all of its child PIDs like it probably | |
53 | should(?) | |
54 | - The sshd server attempts to read from the master side of the pty, and | |
55 | while there are still processes with the pty open, no EOF is produced. | |
56 | - The sleep command exits, closes its descriptor, sshd detects the EOF, and | |
57 | the connection gets closed. | |
58 | Ways we've tried fixing this in sshd, and why they didn't work out: | |
59 | - SIGHUP the sshd's process group. | |
60 | - The shell is in its own process group. | |
61 | - Track process group IDs of all children before we reap them (via an extra | |
62 | field in Session structures which holds the pgid for each child pid), and | |
63 | SIGHUP the pgid when we reap. | |
64 | - Background commands are in yet another process group. | |
65 | - Close the connection when the child dies. | |
66 | - Background commands may need to write data to the connection. Also | |
67 | prematurely truncates output from some commands (scp server, the | |
68 | famous "dd if=/dev/zero bs=1000 count=100" case). | |
69 | Known workarounds: | |
70 | - bash: shopt huponexit on | |
71 | - tcsh: none | |
72 | - zsh: setopt HUP (usually the default setting) | |
73 | (taken from email from Jason Stone to openssh-unix-dev, 5 May 2001) | |
74 | - pdksh: ? | |
75 | This appears to affect NetKit rsh under Linux as well: it behaves the same | |
76 | with 'sleep 20 & exit'. | |
e876f2db | 77 | |
8c9fe09e | 78 | - Build an automated test suite |
79 | ||
d5eedf23 | 80 | - 64-bit builds on HP-UX 11.X (stevesk@pobox.com): |
81 | - utmp/wtmp get corrupted (something in loginrec?) | |
d5eedf23 | 82 | - can't build with PAM (no 64-bit libpam yet) |
83 | ||
0b49a754 | 84 | Documentation: |
85 | - More and better | |
86 | ||
87 | - Install FAQ? | |
88 | ||
89 | - General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it | |
90 | would be best to use them. | |
91 | ||
92 | - Create a Documentation/ directory? | |
93 | ||
94 | Clean up configure/makefiles: | |
40d0f6b9 | 95 | - Clean up configure.ac - There are a few double #defined variables |
7c4ba20c | 96 | left to do. HAVE_LOGIN is one of them. Consider NOT looking for |
97 | information in wtmpx or utmpx or any of that stuff if it's not detected | |
98 | from the start | |
0b49a754 | 99 | |
0b49a754 | 100 | - Fails to compile when cross-compiling. |
101 | (vinschen@redhat.com) | |
102 | ||
103 | - Replace the whole u_intXX_t evilness in acconfig.h with something better??? | |
104 | ||
0c2fb82f | 105 | - Consider splitting the u_intXX_t test for sys/bitype.h into separate test |
106 | to allow people to (right/wrongfully) link against Bind directly. | |
107 | ||
4027f21c | 108 | - Consider splitting configure.ac into separate files which do logically |
109 | similar tests. E.g move all the type detection stuff into one file, | |
110 | entropy related stuff into another. | |
111 | ||
0b49a754 | 112 | Packaging: |
113 | - Solaris: Update packaging scripts and build new sysv startup scripts | |
7c4ba20c | 114 | Ideally the package metadata should be generated by autoconf. |
0b49a754 | 115 | (gilbert.r.loomis@saic.com) |
116 | ||
d5eedf23 | 117 | - HP-UX: Provide DEPOT package scripts. |
0b49a754 | 118 | (gilbert.r.loomis@saic.com) |
0b202697 | 119 | |
702b2855 | 120 | |
121 | PrivSep Issues: | |
122 | - mmap() issues. | |
b9ccb43d | 123 | + /dev/zero solution (Solaris) |
124 | + No/broken MAP_ANON (Irix) | |
125 | + broken /dev/zero parse (Linux) | |
702b2855 | 126 | - PAM |
127 | + See above PAM notes | |
128 | - AIX | |
e2bc41f9 | 129 | + usrinfo() does not set TTY, but only required for legacy systems. Works |
130 | with PrivSep. | |
702b2855 | 131 | - OSF |
132 | + SIA is broken | |
1c405c15 | 133 | - Cygwin |
134 | + Privsep for Pre-auth only (no fd passing) | |
702b2855 | 135 | |
0b202697 | 136 | $Id$ |