- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/06/10 03:57:27
[servconf.c match.h sshd_config.5]
support CIDR address matching in sshd_config "Match address" blocks, with
full support for negation and fall-back to classic wildcard matching.
Match address 192.0.2.0/24,3ffe:ffff::/32,!10.*
PasswordAuthentication yes
addrmatch.c code mostly lifted from flowd's addr.c
feedback and ok dtucker@
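Added example (not OpenSSH's addrmatch.c): a small evaluator for a "Match address" style list, showing how CIDR entries, "!" negation and the wildcard fall-back combine. It assumes that a negated hit vetoes the whole list regardless of position, uses fnmatch(3) as a stand-in for the classic wildcard matcher, and all function names are hypothetical.

```c
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 = addr is inside cidr, 0 = outside, -1 = pattern is not valid CIDR. */
static int cidr_contains(const char *cidr, const char *addr)
{
	char net[INET6_ADDRSTRLEN];
	unsigned char n[16], a[16];
	const char *slash = strchr(cidr, '/');
	char *end;
	long bits;
	int af, i;

	if (slash == NULL || slash == cidr ||
	    (size_t)(slash - cidr) >= sizeof(net))
		return -1;
	memcpy(net, cidr, (size_t)(slash - cidr));
	net[slash - cidr] = '\0';
	af = strchr(net, ':') != NULL ? AF_INET6 : AF_INET;
	if (inet_pton(af, net, n) != 1)
		return -1;
	bits = strtol(slash + 1, &end, 10);
	if (end == slash + 1 || *end != '\0' || bits < 0 ||
	    bits > (af == AF_INET6 ? 128 : 32))
		return -1;
	if (inet_pton(af, addr, a) != 1)
		return 0;	/* other address family: cannot be inside */
	for (i = 0; i < bits / 8; i++)		/* whole bytes of the prefix */
		if (n[i] != a[i])
			return 0;
	if (bits % 8 != 0) {			/* remaining high bits */
		unsigned char mask = (unsigned char)(0xff << (8 - bits % 8));
		if ((n[i] & mask) != (a[i] & mask))
			return 0;
	}
	return 1;
}

/*
 * Returns 1 if addr matches a positive entry and no negated one,
 * 0 if nothing matched, -1 if a negated entry matched (assumed to
 * override any positive match), -2 on an empty or over-long entry.
 */
int match_address_list(const char *addr, const char *list)
{
	char pat[64];
	int ret = 0;

	while (*list != '\0') {
		size_t len = strcspn(list, ",");
		size_t neg = (len > 0 && list[0] == '!') ? 1 : 0;
		int hit;

		if (len == neg || len - neg >= sizeof(pat))
			return -2;
		memcpy(pat, list + neg, len - neg);
		pat[len - neg] = '\0';
		hit = cidr_contains(pat, addr);
		if (hit == -1)		/* not CIDR: fall back to wildcards */
			hit = (fnmatch(pat, addr, 0) == 0);
		if (hit && neg)
			return -1;
		if (hit)
			ret = 1;
		list += len;
		if (*list == ',')
			list++;
	}
	return ret;
}

int main(void)
{
	/* Pattern list from the entry above; client addresses are constructed. */
	const char *list = "192.0.2.0/24,3ffe:ffff::/32,!10.*";
	const char *clients[] = { "192.0.2.77", "3ffe:ffff:1::5",
	    "10.1.2.3", "198.51.100.9" };
	size_t i;

	for (i = 0; i < sizeof(clients) / sizeof(clients[0]); i++)
		printf("%-16s -> %d\n", clients[i],
		    match_address_list(clients[i], list));
	return 0;
}
```

Only a return value of 1 would apply the block's settings; 0 and -1 both leave the global configuration in force for that client.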
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2008/06/08 17:04:41
Add case for ENOSYS in errno_to_portable; ok deraadt
- dtucker@cvs.openbsd.org 2008/06/08 20:15:29
[sftp.c sftp-client.c sftp-client.h]
Have the sftp client store the statvfs replies in wire format,
which prevents problems when the server's native sizes exceed the
Also extends the sizes of the remaining 32bit wire format to 64bit,
they're specified as unsigned long in the standard.
- dtucker@cvs.openbsd.org 2008/06/09 13:02:39
Extend 32bit -> 64bit values for statvfs extension missed in previous
- dtucker@cvs.openbsd.org 2008/06/09 13:38:46
Use a $OpenBSD tag so our scripts will sync changes.
- (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c
openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
openbsd-compat/bsd-statvfs.{c,h}] Add a null implementation of statvfs and
fstatvfs and remove #defines around statvfs code. ok djm@
- (dtucker) [configure.ac defines.h sftp-client.c M sftp-server.c] Add a
macro to convert fsid to unsigned long for platforms where fsid is a
- (dtucker) [mux.c] Include paths.h inside ifdef HAVE_PATHS_H.
- (dtucker) [configure.ac defines.h sftp-client.c sftp-server.c sftp.c]
Do not enable statvfs extensions on platforms that do not have statvfs.
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/05/19 06:14:02
[packet.c] unbreak protocol keepalive timeouts bz#1465; ok dtucker@
- djm@cvs.openbsd.org 2008/05/19 15:45:07
[sshtty.c ttymodes.c sshpty.h]
Fix sending tty modes when stdin is not a tty (bz#1199). Previously
we would send the modes corresponding to a zeroed struct termios,
whereas we should have been sending an empty list of modes.
Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
- djm@cvs.openbsd.org 2008/05/19 15:46:31
support -l (print fingerprint) in combination with -F (find host) to
search for a host in ~/.ssh/known_hosts and display its fingerprint;
- djm@cvs.openbsd.org 2008/05/19 20:53:52
unbreak tree by committing this bit that I missed from:
Fix sending tty modes when stdin is not a tty (bz#1199). Previously
we would send the modes corresponding to a zeroed struct termios,
whereas we should have been sending an empty list of modes.
Based on patch from daniel.ritz AT alcatel.ch; ok dtucker@ markus@
- (djm) [openbsd-compat/bsd-arc4random.c] Fix math bug that caused bias
in arc4random_uniform with upper_bound in (2^30,2*31). Note that
OpenSSH did not make requests with upper bounds in this range.
- (djm) [configure.ac mux.c sftp.c openbsd-compat/Makefile.in]
[openbsd-compat/fmt_scaled.c openbsd-compat/openbsd-compat.h]
Fix compilation on Linux, including pulling in fmt_scaled(3)
implementation from OpenBSD's libutil.
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/04/04 05:14:38
ChrootDirectory is supported in Match blocks (in fact, it is most useful
there). Spotted by Minstrel AT minstrel.org.uk
- djm@cvs.openbsd.org 2008/04/04 06:44:26
oops, some unrelated stuff crept into that commit - backout.
- djm@cvs.openbsd.org 2008/04/05 02:46:02
HostbasedAuthentication is supported under Match too
- (djm) [openbsd-compat/bsd-arc4random.c openbsd-compat/openbsd-compat.c]
[configure.ac] Implement arc4random_buf(), import implementation of
arc4random_uniform() from OpenBSD
- (djm) [openbsd-compat/bsd-arc4random.c] Warning fixes
- (djm) [openbsd-compat/port-tun.c] needs sys/queue.h
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2008/04/13 00:22:17
Use arc4random_buf() when requesting more than a single word of output
Use arc4random_uniform() when the desired random number upper bound
is not a power of two
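Added example (not the bsd-arc4random.c code): why a bound that is not a power of two needs a uniform helper rather than "r % bound", which is the point of this entry and of the arc4random_uniform bias fix noted earlier in this log. It shows the generic rejection-sampling technique, measures the bias exhaustively on a 16-bit word so the result is deterministic, and every function name in it is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t (*rng32_fn)(void *ctx);

/* 2^32 mod upper_bound: raw words below this value must be discarded. */
uint32_t reject_threshold(uint32_t upper_bound)
{
	if (upper_bound < 2)
		return 0;
	return (0u - upper_bound) % upper_bound;
}

/* Uniform value in [0, upper_bound) by rejection sampling. */
uint32_t uniform_u32(rng32_fn rng, void *ctx, uint32_t upper_bound)
{
	uint32_t r, min = reject_threshold(upper_bound);

	if (upper_bound < 2)
		return 0;
	do {
		r = rng(ctx);	/* retry until r lands in the unbiased range */
	} while (r < min);
	return r % upper_bound;
}

/*
 * Feed every w-bit word (w <= 16) through "r % bound" and return the
 * difference between the most and least frequent output. With reject
 * set, words below 2^w mod bound are skipped first. 0 means unbiased.
 */
uint32_t bias_spread(unsigned w, uint32_t bound, int reject)
{
	uint32_t space, min, r, i, lo, hi, *count;

	if (w == 0 || w > 16 || bound == 0 || bound > ((uint32_t)1 << w))
		return UINT32_MAX;
	space = (uint32_t)1 << w;
	min = reject ? space % bound : 0;
	if ((count = calloc(bound, sizeof(*count))) == NULL)
		return UINT32_MAX;
	for (r = min; r < space; r++)
		count[r % bound]++;
	lo = hi = count[0];
	for (i = 1; i < bound; i++) {
		if (count[i] < lo)
			lo = count[i];
		if (count[i] > hi)
			hi = count[i];
	}
	free(count);
	return hi - lo;
}

/* Scripted word source so the rejection path can be exercised exactly. */
struct script {
	const uint32_t *vals;
	size_t n, pos;
};

uint32_t script_next(void *ctx)
{
	struct script *s = ctx;

	return s->vals[s->pos++ % s->n];
}

int main(void)
{
	/* Constructed inputs: 24000 is not a power of two, 4096 is. */
	printf("modulo, bound 24000: spread %u\n", bias_spread(16, 24000, 0));
	printf("reject, bound 24000: spread %u\n", bias_spread(16, 24000, 1));
	printf("modulo, bound 4096:  spread %u\n", bias_spread(16, 4096, 0));
	return 0;
}
```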
- djm@cvs.openbsd.org 2008/04/18 12:32:11
[sftp-client.c sftp-client.h sftp-server.c sftp.1 sftp.c sftp.h]
introduce sftp extension methods statvfs@openssh.com and
fstatvfs@openssh.com that implement statvfs(2)-like operations,
based on a patch from miklos AT szeredi.hu (bz#1399)
also add a "df" command to the sftp client that uses the
statvfs@openssh.com to produce a df(1)-like display of filesystem
space and inode utilisation
- jmc@cvs.openbsd.org 2008/04/18 17:15:47
- djm@cvs.openbsd.org 2008/04/18 22:01:33
remove unnecessary parentheses
- otto@cvs.openbsd.org 2008/04/29 11:20:31
garbage collect two unused fields in struct mm_master; ok markus@
- djm@cvs.openbsd.org 2008/04/30 10:14:03
[ssh-keyscan.1 ssh-keyscan.c]
default to rsa (protocol 2) keys, instead of rsa1 keys; spotted by
larsnooden AT openoffice.org
- pyr@cvs.openbsd.org 2008/05/07 05:49:37
[servconf.c servconf.h session.c sshd_config.5]
Enable the AllowAgentForwarding option in sshd_config (global and match
context), to specify if agents should be permitted on the server.
As the man page states:
``Note that disabling Agent forwarding does not improve security
unless users are also denied shell access, as they can always install
their own forwarders.''
ok djm@, ok and a mild frown markus@
- pyr@cvs.openbsd.org 2008/05/07 06:43:35
push the sshd_config bits in, spotted by ajacoutot@
- jmc@cvs.openbsd.org 2008/05/07 08:00:14
- markus@cvs.openbsd.org 2008/05/08 06:59:01
[bufaux.c buffer.h channels.c packet.c packet.h]
avoid extra malloc/copy/free when receiving data over the net;
~10% speedup for localhost-scp; ok djm@
- djm@cvs.openbsd.org 2008/05/08 12:02:23
[auth-options.c auth1.c channels.c channels.h clientloop.c gss-serv.c]
[monitor.c monitor_wrap.c nchan.c servconf.c serverloop.c session.c]
Implement a channel success/failure status confirmation callback
mechanism. Each channel maintains a queue of callbacks, which will
be drained in order (RFC4253 guarantees confirm messages are not
reordered within a channel).
Also includes an abandonment callback to clean up if a channel is
closed without sending confirmation messages. This probably
shouldn't happen in compliant implementations, but it could be
abused to leak memory.
ok markus@ (as part of a larger diff)
- djm@cvs.openbsd.org 2008/05/08 12:21:16
[monitor.c monitor_wrap.c session.h servconf.c servconf.h session.c]
[sshd_config sshd_config.5]
Make the maximum number of sessions run-time controllable via
a sshd_config MaxSessions knob. This is useful for disabling
login/shell/subsystem access while leaving port-forwarding working
(MaxSessions 0), disabling connection multiplexing (MaxSessions 1) or
simply increasing the number of allowed multiplexed sessions.
Because some bozos are sure to configure MaxSessions in excess of the
number of available file descriptors in sshd (which, at peak, might be
as many as 9*MaxSessions), audit sshd to ensure that it doesn't leak fds
on error paths, and make it fail gracefully on out-of-fd conditions -
sending channel errors instead of exiting with fatal().
bz#1090; MaxSessions config bits and manpage from junyer AT gmail.com
- djm@cvs.openbsd.org 2008/05/08 13:06:11
[clientloop.c clientloop.h ssh.c]
Use new channel status confirmation callback system to properly deal
with "important" channel requests that fail, in particular command exec,
shell and subsystem requests. Previously we would optimistically assume
that the requests would always succeed, which could cause hangs if they
did not (e.g. when the server runs out of fds) or were unimplemented by
the server (bz #1384)
Also, properly report failing multiplex channel requests via the mux
client stderr (subject to LogLevel in the mux master) - better than
most bits ok markus@ (as part of a larger diff)
- djm@cvs.openbsd.org 2008/05/09 04:55:56
[channels.c channels.h clientloop.c serverloop.c]
Try additional addresses when connecting to a port forward destination
whose DNS name resolves to more than one address. The previous behaviour
was to try the first address and give up.
Reported by stig AT venaas.com in bz#343
great feedback and ok markus@
- djm@cvs.openbsd.org 2008/05/09 14:18:44
[clientloop.c clientloop.h ssh.c mux.c]
tidy up session multiplexing code, moving it into its own file and
making the function names more consistent - making ssh.c and
clientloop.c a fair bit more readable.
- djm@cvs.openbsd.org 2008/05/09 14:26:08
dingo stole my diff hunk
- markus@cvs.openbsd.org 2008/05/09 16:16:06
re-add the USE_PIPES code and enable it.
without pipes shutdown-read from the sshd does not trigger
a SIGPIPE when the forked program does a write.
(Id sync only, USE_PIPES never left portable OpenSSH)
- markus@cvs.openbsd.org 2008/05/09 16:17:51
error-fd race: don't enable the error fd in the select bitmask
for channels with both in- and output closed, since the channel
will go away before we call select();
report, lots of debugging help and ok djm@
- markus@cvs.openbsd.org 2008/05/09 16:21:13
[channels.h clientloop.c nchan.c serverloop.c]
ssh -2 localhost od /bin/ls | true
ignoring SIGPIPE by adding a new channel message (EOW) that signals
the peer that we're not interested in any data it might send.
fixes bz #85; discussion, debugging and ok djm@
- pvalchev@cvs.openbsd.org 2008/05/12 20:52:20
Ensure nh_result lies on a 64-bit boundary (fixes warnings observed
on Itanium on Linux); from Dale Talcott (bug #1462); ok djm@
- djm@cvs.openbsd.org 2008/05/15 23:52:24
document eow message in ssh protocol 2 channel state machine;
feedback and ok markus@
- djm@cvs.openbsd.org 2008/05/18 21:29:05
comment extension announcement
- djm@cvs.openbsd.org 2008/05/16 08:30:42
document our protocol extensions and deviations; ok markus@
- djm@cvs.openbsd.org 2008/05/17 01:31:56
grammar and correctness fixes from stevesk@
- (djm) [openbsd-compat/bsd-poll.c] Include stdlib.h to avoid compile-
time warnings on LynxOS. Patch from ops AT iki.fi
- (djm) Force string arguments to replacement setproctitle() through
strnvis first. Ok dtucker@
- (djm) OpenBSD CVS sync:
- markus@cvs.openbsd.org 2008/04/02 15:36:51
avoid possible hijacking of x11-forwarded connections (back out 1.183)
CVE-2008-1483; ok djm@
- jmc@cvs.openbsd.org 2008/03/27 22:37:57
remove trailing whitespace;
- djm@cvs.openbsd.org 2008/04/03 09:50:14
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers in RPM spec files
- (djm) [README] Update link to release notes
- (djm) Release 5.0p1
- (djm) [regress/test-exec.sh] Quote putty-related variables in case they are
empty; report and patch from Peter Stuge
- (djm) [regress/test-exec.sh] Silence noise from detection of putty
commands; report from Peter Stuge
- (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing
crashes when used with ChrootDirectory
- (dtucker) Cache selinux status earlier so we know if it's enabled after a
chroot. Allows ChrootDirectory to work with selinux support compiled in
but not enabled. Using it with selinux enabled will require some selinux
support inside the chroot. "looks sane" djm@
- (djm) Fix RCS ident in sftp-server-main.c
- (djm) OpenBSD CVS sync:
- jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
bump Mdocdate for pages committed in "febuary", necessary because
- deraadt@cvs.openbsd.org 2008/03/13 01:49:53
Correct CMSG_SPACE and CMSG_LEN usage everywhere in the tree. Due to
an extensive discussion with otto, kettenis, millert, and hshoexer
- deraadt@cvs.openbsd.org 2008/03/15 16:19:02
Repair the simple cases for msg_controllen where it should just be
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because
of alignment; ok kettenis hshoexer
- djm@cvs.openbsd.org 2008/03/23 12:54:01
prefer POSIX-style file renaming over filexfer rename behaviour if the
server supports the posix-rename@openssh.com extension.
Note that the old (filexfer) behaviour would refuse to clobber an
existing file. Users who depended on this should adjust their sftp(1)
- deraadt@cvs.openbsd.org 2008/03/24 16:11:07
msg_controllen has to be CMSG_SPACE so that the kernel can account for
each cmsg_len (ie. msg_controllen = sum of CMSG_ALIGN(cmsg_len)). This
works now that kernel fd passing has been fixed to accept a bit of
sloppiness because of this ABI repair.
lots of discussion with kettenis
- djm@cvs.openbsd.org 2008/03/25 11:58:02
[session.c sshd_config.5]
ignore ~/.ssh/rc if a sshd_config ForceCommand is specified;
from dtucker@ ok deraadt@ djm@
- djm@cvs.openbsd.org 2008/03/25 23:01:41
last patch had backwards test; spotted by termim AT gmail.com
- djm@cvs.openbsd.org 2008/03/26 21:28:14
[auth-options.c auth-options.h session.c sshd.8]
add no-user-rc authorized_keys option to disable execution of ~/.ssh/rc
- djm@cvs.openbsd.org 2008/03/27 00:16:49
- djm@cvs.openbsd.org 2008/03/24 21:46:54
[regress/sftp-badcmds.sh]
disable no-replace rename test now that we prefer a POSIX rename; spotted
- (djm) [configure.ac] fix alignment of --without-stackprotect description
- (djm) [configure.ac] --with-selinux too
- (djm) [regress/Makefile] cleanup PuTTY interop test droppings
- (djm) [README] Update link to release notes
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
[contrib/suse/openssh.spec] Crank version numbers in RPM spec files
- (djm) Release 4.9p1
- (djm) [regress/test-exec.sh] Quote putty-related variables in case they are
empty; report and patch from Peter Stuge
- (djm) [regress/test-exec.sh] Silence noise from detection of putty
commands; report from Peter Stuge
- (djm) [session.c] Relocate incorrectly-placed closefrom() that was causing
crashes when used with ChrootDirectory
- (tim) [regress/sftp-cmds.sh] s/cd/lcd/ in lls test. Reported by
vinschen at redhat.com. Add () to put echo commands in subshell for lls test
I mistakenly left out of last commit.
- (tim) [regress/localcommand.sh] Shell portability fix. Reported by imorgan at
- (djm) [Makefile.in regress/Makefile] Fix interop-tests target (note to
self: make changes to Makefile.in next time, not the generated Makefile).
- (djm) [Makefile.in regress/test-exec.sh] Find installed plink(1) and
- (tim) [scp.c] Use poll.h if available, fall back to sys/poll.h if not. Patch
by vinschen at redhat.com.
- (tim) [regress/sftp-cmds.sh regress/ssh2putty.sh] Shell portability fixes
from vinschen at redhat.com and imorgan at nas.nasa.gov
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2007/10/29 06:57:13
[regress/Makefile regress/localcommand.sh]
Add simple regress test for LocalCommand; ok djm@
- jmc@cvs.openbsd.org 2007/11/25 15:35:09
[regress/agent-getpeereid.sh regress/agent.sh]
more existant -> existent, from Martynas Venckus;
pfctl changes: ok henning
ssh changes: ok deraadt
- djm@cvs.openbsd.org 2007/12/12 05:04:03
[regress/sftp-cmds.sh]
unbreak lls command and add a regress test that would have caught the
breakage; spotted by mouring@
NB. sftp code change already committed.
- djm@cvs.openbsd.org 2007/12/21 04:13:53
[regress/Makefile regress/test-exec.sh regress/putty-ciphers.sh]
[regress/putty-kex.sh regress/putty-transfer.sh regress/ssh2putty.sh]
basic (crypto, kex and transfer) interop regression tests against putty
To run these, install putty and run "make interop-tests" from the build
directory - the tests aren't run by default yet.
- (dtucker) [auth-pam.c monitor.c session.c sshd.c] Bug #926: Move
pam_open_session and pam_close_session into the privsep monitor, which
will ensure that pam_session_close is called as root. Patch from Tomas
- (dtucker) [configure.ac] It turns out gcc's -fstack-protector-all doesn't
always work for all platforms and versions, so test what we can and
add a configure flag to turn it off if needed. ok djm@
- (dtucker) [openbsd-compat/port-aix.{c,h}] Remove AIX specific initgroups
implementation. It's not needed to fix bug #1081 and breaks the build
on some AIX configurations.
- (dtucker) [openbsd-compat/regress/strtonumtest.c] Bug #1347: Use platform's
equivalent of LLONG_MAX for the compat regression tests, which makes them
run on AIX and HP-UX. Patch from David Leonard.
- (dtucker) [configure.ac] Run stack-protector tests with -Werror to catch
platforms where gcc understands the option but it's not supported (and
thus generates a warning).
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2008/02/11 07:58:28
[ssh.1 sshd.8 sshd_config.5]
bump Mdocdate for pages committed in "febuary", necessary because
- djm@cvs.openbsd.org 2008/02/13 22:38:17
[servconf.h session.c sshd.c]
rekey arc4random and OpenSSL RNG in postauth child
closefrom fds > 2 before shell/command execution
- mbalmer@cvs.openbsd.org 2008/02/14 13:10:31
When started in configuration test mode (-t) do not check that sshd is
being started with an absolute path.
- markus@cvs.openbsd.org 2008/02/20 15:25:26
correct boolean encoding for coredump; der Mouse via dugsong
- djm@cvs.openbsd.org 2008/02/22 05:58:56
closefrom() call was too early, delay it until just before we execute
the user's rc files (if any).
- dtucker@cvs.openbsd.org 2008/02/22 20:44:02
[clientloop.c packet.c packet.h serverloop.c]
Allow all SSH2 packet types, including UNIMPLEMENTED to reset the
keepalive timer (bz #1307). ok markus@
- djm@cvs.openbsd.org 2008/02/27 20:21:15
add an extension method "posix-rename@openssh.com" to perform POSIX atomic
rename() operations. based on patch from miklos AT szeredi.hu in bz#1400;
- deraadt@cvs.openbsd.org 2008/03/02 18:19:35
use a union to ensure alignment of the cmsg (pay attention: various other
parts of the tree need this treatment too); ok djm
- deraadt@cvs.openbsd.org 2008/03/04 21:15:42
crank version; from djm
- (tim) [regress/sftp-glob.sh] Shell portability fix.
- (dtucker) [configure.ac] FreeBSD's glob() doesn't behave the way we expect
either, so use our own.
- (dtucker) [openbsd-compat/bsd-poll.c] We don't check for select(2) in
configure (and there's not much point, as openssh won't work without it)
so HAVE_SELECT is not defined and the poll(2) compat code doesn't get
built in. Remove HAVE_SELECT so we can build on platforms without poll.
- (dtucker) [scp.c] Include sys/poll.h inside HAVE_SYS_POLL_H.
- (djm) [contrib/gnome-ssh-askpass2.h] Keep askpass window on top. From
Debian patch via bernd AT openbsd.org
- (dtucker) [configure.ac] Add -fstack-protector to LDFLAGS too, fixes
linking problems on AIX with gcc 4.1.x.
- (dtucker) [includes.h ssh-add.c ssh-agent.c ssh-keygen.c ssh.c sshd.c
openbsd-compat/openssl-compat.{c,h}] Bug #1437 Move the OpenSSL compat
header to after OpenSSL headers, since some versions of OpenSSL have
SSLeay_add_all_algorithms as a macro already.
- (dtucker) [key.c defines.h openbsd-compat/openssl-compat.h] Move old OpenSSL
compat glue into openssl-compat.h.
- (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Bug #1081: Implement
getgrouplist via getgrset on AIX, rather than iterating over getgrent.
This allows, eg, Match and AllowGroups directives to work with NIS and
- (dtucker) [sshd.c] Bug #1042: make log messages for tcpwrappers use the
same SyslogFacility as the rest of sshd. Patch from William Knox,
- (dtucker) [openbsd-compat/fake-rfc2553.h] rename ssh_gai_strerror hack
since it now conflicts with the helper function in misc.c. From
vinschen AT redhat.com.
- (dtucker) [configure.ac audit-bsm.c] Bug #1420: Add a local implementation
of aug_get_machine for systems that don't have their own (eg OS X, FreeBSD).
Help and testing from csjp at FreeBSD org, vgiffin at apple com. ok djm@
- (dtucker) [includes.h openbsd-compat/openssl-compat.c] Bug #1437: reshuffle
headers so ./configure --with-ssl-engine actually works. Patch from
- (tim) [contrib/cygwin/ssh-host-config]
Grammar changes on SYSCONFDIR LOCALSTATEDIR messages.
Check more thoroughly that it's possible to create the /var/empty directory.
Patch by vinschen AT redhat.com
- chl@cvs.openbsd.org 2008/01/11 07:22:28
[sftp-client.c sftp-client.h]
disable unused functions
initially from tobias@, but disabled them by placing them in
"#ifdef notyet" which was asked by djm@
- djm@cvs.openbsd.org 2008/01/19 19:13:28
satisfy the pedants: -q does not suppress all diagnostic messages (e.g.
some commandline parsing warnings go unconditionally to stdout).
- djm@cvs.openbsd.org 2008/01/19 20:48:53
fd leak on session multiplexing error path. Report and patch from
gregory_shively AT fanniemae.com
- djm@cvs.openbsd.org 2008/01/19 20:51:26
ignore SIGPIPE in multiplex client mode - we can receive this if the
server runs out of fds on us midway. Report and patch from
gregory_shively AT fanniemae.com
- djm@cvs.openbsd.org 2008/01/19 22:04:57
fix remote handle leak in do_download() local file open error path;
report and fix from sworley AT chkno.net
- djm@cvs.openbsd.org 2008/01/19 22:22:58
when hashing individual hosts (ssh-keygen -Hf hostname), make sure we
hash just the specified hostname and not the entire hostspec from the
keyfile. It may be of the form "hostname,ipaddr", which would lead to
a hash that never matches. report and fix from jp AT devnull.cz
- djm@cvs.openbsd.org 2008/01/19 22:37:19
unbreak line numbering (broken in revision 1.164), fix error message
- djm@cvs.openbsd.org 2008/01/19 23:02:40
When we added support for specified bind addresses for port forwards, we
added a quirk SSH_OLD_FORWARD_ADDR. There is a bug in our handling of
this for -L port forwards that causes the client to listen on both v4
and v6 addresses when connected to a server with this quirk, despite
having set 0.0.0.0 as a bind_address.
report and patch from Jan.Pechanec AT Sun.COM; ok dtucker@
- djm@cvs.openbsd.org 2008/01/19 23:09:49
[readconf.c readconf.h sshconnect2.c]
promote rekeylimit to a int64 so it can hold the maximum useful limit
of 2^32; report and patch from Jan.Pechanec AT Sun.COM, ok dtucker@
- djm@cvs.openbsd.org 2008/01/20 00:38:30
When uploading, correctly handle the case of an unquoted filename with
glob metacharacters that match a file exactly but not as a glob, e.g. a
file called "[abcd]". report and test cases from duncan2nd AT gmx.de
- djm@cvs.openbsd.org 2008/01/21 17:24:30
Remove the fixed 100 handle limit in sftp-server and allocate as many
as we have available file descriptors. Patch from miklos AT szeredi.hu;
- djm@cvs.openbsd.org 2008/01/21 19:20:17
when a remote write error occurs during an upload, ensure that ACKs for
all issued requests are properly drained. patch from t8m AT centrum.cz
- dtucker@cvs.openbsd.org 2008/01/23 01:56:54
[clientloop.c packet.c serverloop.c]
Revert the change for bz #1307 as it causes connection aborts if an IGNORE
packet arrives while we're waiting in packet_read_expect (and possibly
- jmc@cvs.openbsd.org 2008/01/31 20:06:50
explain how to handle local file names containing colons;
requested by Tamas TEVESZ
- markus@cvs.openbsd.org 2008/02/04 21:53:00
[session.c sftp-server.c sftp.h]
link sftp-server into sshd; feedback and ok djm@
- mcbride@cvs.openbsd.org 2008/02/09 12:15:43
Document the correct permissions for the ~/.ssh/ directory.
- djm@cvs.openbsd.org 2008/02/10 09:55:37
mention that "internal-sftp" is useful with ForceCommand too
- djm@cvs.openbsd.org 2008/02/10 10:54:29
[servconf.c session.c]
delay ~ expansion for ChrootDirectory so it expands to the logged-in user's
home, rather than the user who starts sshd (probably root)
- (djm) Silence noise from expr in ssh-copy-id; patch from
mikel AT mikelward.com
- (djm) Only listen for IPv6 connections on AF_INET6 sockets; patch from
- (dtucker) [configure.ac] Fix message for -fstack-protector-all test.
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2007/12/31 10:41:31
[readconf.c servconf.c]
Prevent strict-aliasing warnings on newer gcc versions. bz #1355, patch
from Dmitry V. Levin, ok djm@
- dtucker@cvs.openbsd.org 2007/12/31 15:27:04
When in inetd mode, have sshd generate a Protocol 1 ephemeral server
key only for connections where the client chooses Protocol 1 as opposed
to when it's enabled in the server's config. Speeds up Protocol 2
connections to inetd-mode servers that also allow Protocol 1. bz #440,
based on a patch from bruno at wolff.to, ok markus@
- dtucker@cvs.openbsd.org 2008/01/01 08:47:04
spaces -> tabs from my previous commit
- dtucker@cvs.openbsd.org 2008/01/01 09:06:39
If scp -p encounters a pre-epoch timestamp, use the epoch which is
as close as we can get given that it's used unsigned. Add a little
debugging while there. bz #828, ok djm@
- dtucker@cvs.openbsd.org 2008/01/01 09:27:33
[sshd_config.5 servconf.c]
Allow PermitRootLogin in a Match block. Allows for, eg, permitting root
only from the local network. ok markus@, man page bit ok jmc@
- dtucker@cvs.openbsd.org 2008/01/01 08:51:20
Updated moduli file; ok djm@
- (dtucker) [configure.ac openbsd-compat/glob.{c,h}] Bug #1407: force use of
builtin glob implementation on Mac OS X. Based on a patch from
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2007/12/12 05:04:03
unbreak lls command and add a regress test that would have caught the
breakage; spotted by mouring@
- dtucker@cvs.openbsd.org 2007/12/27 14:22:08
[servconf.c canohost.c misc.c channels.c sshconnect.c misc.h ssh-keyscan.c
Add a small helper function to consistently handle the EAI_SYSTEM error
code of getaddrinfo. Prompted by vgiffin at apple com via bz #1417.
- dtucker@cvs.openbsd.org 2007/12/28 15:32:24
[clientloop.c serverloop.c packet.c]
Make SSH2_MSG_UNIMPLEMENTED and SSH2_MSG_IGNORE messages reset the
ServerAlive and ClientAlive timers. Prevents dropping a connection
when these are enabled but the peer does not support our keepalives.
- dtucker@cvs.openbsd.org 2007/12/28 22:34:47
Use the correct packet maximum sizes for remote port and agent forwarding.
Prevents the server from killing the connection if too much data is queued
and an excessively large packet gets sent. bz #1360, ok djm@.
- (dtucker) [configure.ac] Enable -fstack-protector-all on systems where
gcc supports it. ok djm@
- (dtucker) [scp.c] Update $OpenBSD tag missing from rev 1.175 and remove
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2007/10/29 00:52:45
Allow build without -DGSSAPI; ok deraadt@
(Id sync only, Portable already has the ifdefs)
- dtucker@cvs.openbsd.org 2007/10/29 01:55:04
Plug tiny mem leaks in ControlPath and ProxyCommand option processing;
- dtucker@cvs.openbsd.org 2007/10/29 04:08:08
[monitor_wrap.c monitor.c]
Send config block back to slave for invalid users too so options
set by a Match block (eg Banner) behave the same for non-existent
users. Found by and ok djm@
- dtucker@cvs.openbsd.org 2007/10/29 06:51:59
ProxyCommand and LocalCommand use the user's shell, not /bin/sh; ok djm@
- dtucker@cvs.openbsd.org 2007/10/29 06:54:50
Make LocalCommand work for Protocol 1 too; ok djm@
- jmc@cvs.openbsd.org 2007/10/29 07:48:19
clean up after previous macro removal;
- djm@cvs.openbsd.org 2007/11/03 00:36:14
fix memory leak in process_cmdline(), patch from Jan.Pechanec AT Sun.COM;
- deraadt@cvs.openbsd.org 2007/11/03 01:24:06
bz #1377: getpwuid results were being clobbered by another getpw* call
inside tilde_expand_filename(); save the data we need carefully
- dtucker@cvs.openbsd.org 2007/11/03 02:00:32
Use xstrdup/xfree when saving pwname and pwdir; ok deraadt@
- deraadt@cvs.openbsd.org 2007/11/03 02:03:49
avoid errno trashing in signal handler; ok dtucker
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2007/10/29 23:49:41
[openbsd-compat/sys-tree.h]
remove extra backslash at the end of RB_PROTOTYPE, report from
Jan.Pechanec AT Sun.COM; ok deraadt@
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2007/09/11 23:49:09
remove #if defined block not needed; ok markus@ dtucker@
(NB. RCD ID sync only for portable)
- djm@cvs.openbsd.org 2007/09/21 03:05:23
document KbdInteractiveAuthentication in ssh_config.5;
patch from dkg AT fifthhorseman.net
- djm@cvs.openbsd.org 2007/09/21 08:15:29
[auth-bsdauth.c auth-passwd.c auth.c auth.h auth1.c auth2-chall.c]
[monitor.c monitor_wrap.c]
These options have been in use for some years;
ok markus@ "no objection" millert@
(NB. RCD ID sync only for portable)
- canacar@cvs.openbsd.org 2007/09/25 23:48:57
When adding a key that already exists, update the properties
(time, confirm, comment) instead of discarding them. ok djm@ markus@
- ray@cvs.openbsd.org 2007/09/27 00:15:57
Don't return -1 on error in dh_pub_is_valid(), since it evaluates
Initial diff from Matthew Dempsky, input from djm.
- dtucker@cvs.openbsd.org 2007/09/29 00:25:51
Remove unused prototype. ok djm@
- chl@cvs.openbsd.org 2007/10/02 17:49:58
handles zero-sized strings that fgets can return
properly removes trailing newline
removes an unused variable
correctly counts line number
"looks ok" ray@ markus@
- markus@cvs.openbsd.org 2007/10/22 19:10:24
make sure that both the local and remote port are correct when
parsing -L; Jan Pechanec (bz #1378)
- djm@cvs.openbsd.org 2007/10/24 03:30:02
rework argument splitting and parsing to cope correctly with common
shell escapes and make handling of escaped characters consistent
with sh(1) and between sftp commands (especially between ones that
glob their arguments and ones that don't).
parse command flags using getopt(3) rather than hand-rolled parsers.
- djm@cvs.openbsd.org 2007/10/24 03:44:02
factor out network read/write into an atomicio()-like function, and
use it to handle short reads, apply bandwidth limits and update
counters. make network IO non-blocking, so a small trickle of
reads/writes has a chance of updating the progress meter; bz #799
747 - djm@cvs.openbsd.org 2006/08/29 09:44:00
748 [regress/sftp-cmds.sh]
750 - markus@cvs.openbsd.org 2006/11/06 09:27:43
751 [regress/cfgmatch.sh]
752 fix quoting for non-(c)sh login shells.
753 - dtucker@cvs.openbsd.org 2006/12/13 08:36:36
754 [regress/cfgmatch.sh]
755 Additional test for multiple PermitOpen entries. ok djm@
756 - pvalchev@cvs.openbsd.org 2007/06/07 19:41:46
757 [regress/cipher-speed.sh regress/try-ciphers.sh]
758 test umac-64@openssh.com
760 - djm@cvs.openbsd.org 2007/10/24 03:32:35
761 [regress/sftp-cmds.sh regress/sftp-glob.sh regress/test-exec.sh]
762 comprehensive tests for sftp escaping and its interaction with globbing;
764 - djm@cvs.openbsd.org 2007/10/26 05:30:01
765 [regress/sftp-glob.sh regress/test-exec.sh]
766 remove "echo -E" crap that I added in last commit and use printf(1) for
767 cases where we strictly require echo not to reprocess escape characters.
768 - deraadt@cvs.openbsd.org 2005/11/28 17:50:12
769 [openbsd-compat/glob.c]
770 unused arg in internal static API
771 - jakob@cvs.openbsd.org 2007/10/11 18:36:41
772 [openbsd-compat/getrrsetbyname.c openbsd-compat/getrrsetbyname.h]
773 use RRSIG instead of SIG for DNSSEC. ok djm@
774 - otto@cvs.openbsd.org 2006/10/21 09:55:03
775 [openbsd-compat/base64.c]
776 remove calls to abort(3) that can't happen anyway; from
777 <bret dot lambert at gmail.com>; ok millert@ deraadt@
778 - frantzen@cvs.openbsd.org 2004/04/24 18:11:46
779 [openbsd-compat/sys-tree.h]
780 sync to Niels Provos' version. avoid unused variable warning in
782 - tdeval@cvs.openbsd.org 2004/11/24 18:10:42
783 [openbsd-compat/sys-tree.h]
785 - grange@cvs.openbsd.org 2004/05/04 16:59:32
786 [openbsd-compat/sys-queue.h]
787 Remove useless ``elm'' argument from the SIMPLEQ_REMOVE_HEAD macro.
788 This matches our SLIST behaviour and NetBSD's SIMPLEQ as well.
789 ok millert krw deraadt
790 - deraadt@cvs.openbsd.org 2005/02/25 13:29:30
791 [openbsd-compat/sys-queue.h]
793 - otto@cvs.openbsd.org 2005/10/17 20:19:42
794 [openbsd-compat/sys-queue.h]
795 Performing certain operations on queue.h data structures produced
796 funny results. An example is calling LIST_REMOVE on the same
797 element twice. This will not fail, but result in a data structure
798 referencing who knows what. Prevent these accidents by NULLing some
799 fields on remove and replace. This way, either a panic or segfault
800 will be produced on the faulty operation.
801 - otto@cvs.openbsd.org 2005/10/24 20:25:14
802 [openbsd-compat/sys-queue.h]
803 Partly backout. NOLIST, used in LISTs is probably interfering.
804 requested by deraadt@
805 - otto@cvs.openbsd.org 2005/10/25 06:37:47
806 [openbsd-compat/sys-queue.h]
807 Some uvm problem is being exposed with the more strict macros.
808 Revert until we've found out what's causing the panics.
809 - otto@cvs.openbsd.org 2005/11/25 08:06:25
810 [openbsd-compat/sys-queue.h]
811 Introduce debugging aid for queue macros. Disabled by default; but
812 developers are encouraged to run with this enabled.
813 ok krw@ fgsch@ deraadt@
814 - otto@cvs.openbsd.org 2007/04/30 18:42:34
815 [openbsd-compat/sys-queue.h]
816 Enable QUEUE_MACRO_DEBUG on DIAGNOSTIC kernels.
817 Input and okays from krw@, millert@, otto@, deraadt@, miod@.
818 - millert@cvs.openbsd.org 2004/10/07 16:56:11
819 GLOB_NOESCAPE is POSIX so move it out of the #ifndef _POSIX_SOURCE
821 (NB. mostly an RCS ID sync, as portable strips out the conditionals)
822 - (djm) [regress/sftp-cmds.sh]
823 Use more restrictive glob to pick up test files from /bin - some platforms
824 ship broken symlinks there which could spoil the test.
825 - (djm) [openbsd-compat/bindresvport.c]
826 Sync RCS ID after irrelevant (for portable OpenSSH) header shuffling
829 - (dtucker) [configure.ac atomicio.c] Fall back to including <sys/poll.h> if
830 we don't have <poll.h> (eg QNX). From bacon at cs nyu edu.
831 - (dtucker) [configure.ac defines.h] Shadow expiry does not work on QNX6
832 so disable it for that platform. From bacon at cs nyu edu.
835 - (djm) [atomicio.c] Fix spin avoidance for platforms that define
836 EWOULDBLOCK; patch from ben AT psc.edu
839 - (djm) OpenBSD CVS Sync
840 - djm@cvs.openbsd.org 2007/08/23 02:49:43
841 [auth-passwd.c auth.c session.c]
842 unifdef HAVE_LOGIN_CAP; ok deraadt@ millert@
843 NB. RCS ID sync only for portable
844 - djm@cvs.openbsd.org 2007/08/23 02:55:51
845 [auth-passwd.c auth.c session.c]
846 missed include bits from last commit
847 NB. RCS ID sync only for portable
848 - djm@cvs.openbsd.org 2007/08/23 03:06:10
850 login_cap.h doesn't belong here
851 NB. RCS ID sync only for portable
852 - djm@cvs.openbsd.org 2007/08/23 03:22:16
853 [auth2-none.c sshd_config sshd_config.5]
854 Support "Banner=none" to disable displaying of the pre-login banner;
856 - djm@cvs.openbsd.org 2007/08/23 03:23:26
858 Execute ProxyCommands with $SHELL rather than /bin/sh unconditionally
859 - djm@cvs.openbsd.org 2007/09/04 03:21:03
860 [clientloop.c monitor.c monitor_fdpass.c monitor_fdpass.h]
861 [monitor_wrap.c ssh.c]
862 make file descriptor passing code return an error rather than call fatal()
863 when it encounters problems, and use this to make session multiplexing
864 masters survive slaves failing to pass all stdio FDs; ok markus@
865 - djm@cvs.openbsd.org 2007/09/04 11:15:56
866 [ssh.c sshconnect.c sshconnect.h]
867 make ssh(1)'s ConnectTimeout option apply to both the TCP connection and
868 SSH banner exchange (previously it just covered the TCP connection).
869 This allows callers of ssh(1) to better detect and deal with stuck servers
870 that accept a TCP connection but don't progress the protocol, and also
871 makes ConnectTimeout useful for connections via a ProxyCommand;
872 feedback and "looks ok" markus@
873 - sobrado@cvs.openbsd.org 2007/09/09 11:38:01
874 [ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.c]
875 sort synopsis and options in ssh-agent(1); usage is lowercase
877 - stevesk@cvs.openbsd.org 2007/09/11 04:36:29
881 - gilles@cvs.openbsd.org 2007/09/11 15:47:17
882 [session.c ssh-keygen.c sshlogin.c]
883 use strcspn to properly overwrite '\n' in fgets returned buffer
884 ok pyr@, ray@, millert@, moritz@, chl@
885 - stevesk@cvs.openbsd.org 2007/09/11 23:49:09
887 remove #if defined block not needed; ok markus@ dtucker@
889 - stevesk@cvs.openbsd.org 2007/09/12 19:39:19
891 use xmalloc() and xfree(); ok markus@ pvalchev@
892 - djm@cvs.openbsd.org 2007/09/13 04:39:04
894 fix incorrect test when setting syslog facility; from Jan Pechanec
895 - djm@cvs.openbsd.org 2007/09/16 00:55:52
897 use off_t instead of u_int64_t for file offsets, matching what the
898 progressmeter code expects; bz #842
899 - (tim) [defines.h] Fix regression in long password support on OpenServer 6.
900 Problem report and additional testing rac AT tenzing.org.
903 - (dtucker) [openbsd-compat/bsd-asprintf.c] Plug mem leak in error path.
904 Patch from Jan.Pechanec at sun com.
907 - (dtucker) [openbsd-compat/regress/closefromtest.c] Bug #1358: Always
908 return 0 on successful test. From David.Leonard at quest com.
909 - (tim) [configure.ac] Autoconf didn't define HAVE_LIBIAF because we
910 did an AC_CHECK_FUNCS within the AC_CHECK_LIB test.
913 - (dtucker) [sshd.8] Many Linux variants use a single "!" to denote locked
914 accounts and that's what the code looks for, so make man page and code
915 agree. Pointed out by Roumen Petrov.
916 - (dtucker) [INSTALL] Group the parts describing random options and PAM
917 implementations together which is hopefully more coherent.
918 - (dtucker) [INSTALL] the pid file is sshd.pid not ssh.pid.
919 - (dtucker) [INSTALL] Give PAM its own heading.
920 - (dtucker) [INSTALL] Link to tcpwrappers.
923 - (dtucker) [session.c] Call PAM cleanup functions for unauthenticated
924 connections too. Based on a patch from Sandro Wefel, with & ok djm@
927 - (dtucker) OpenBSD CVS Sync
928 - markus@cvs.openbsd.org 2007/08/15 08:14:46
930 do NOT fall back to the trusted x11 cookie if generation of an untrusted
931 cookie fails; from Jan Pechanec, via security-alert at sun.com;
933 - markus@cvs.openbsd.org 2007/08/15 08:16:49
936 - stevesk@cvs.openbsd.org 2007/08/15 12:13:41
938 tun device forwarding now honours ExitOnForwardFailure; ok markus@
939 - (dtucker) [openbsd-compat/bsd-cray.c] Remove debug from signal handler.
941 - (dtucker) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec
942 contrib/suse/openssh.spec] Crank version.
945 - (dtucker) [session.c] Bug #1339: ensure that pam_setcred() is always
946 called with PAM_ESTABLISH_CRED at least once, which resolves a problem
947 with pam_dhkeys. Patch from David Leonard, ok djm@
950 - (dtucker) [auth-pam.c] Use sigdie here too. ok djm@
951 - (dtucker) [configure.ac] Bug #1343: Set DISABLE_FD_PASSING for QNX6. From
955 - (dtucker) [openbsd-compat/port-aix.c] Comment typo.
956 - (dtucker) [README.platform] Document the interaction between PermitRootLogin
957 and the AIX native login restrictions.
958 - (dtucker) [defines.h] Remove _PATH_{CSHELL,SHELLS} which aren't
959 used anywhere and are a potential source of warnings.
962 - (djm) OpenBSD CVS Sync
963 - ray@cvs.openbsd.org 2007/07/12 05:48:05
965 Delint: remove some unreachable statements, from Bret Lambert.
966 OK markus@ and dtucker@.
967 - sobrado@cvs.openbsd.org 2007/08/06 19:16:06
969 the ellipsis is not an optional argument; while here, sync the usage
970 and synopsis of commands
971 lots of good ideas by jmc@
973 - djm@cvs.openbsd.org 2007/08/07 07:32:53
974 [clientloop.c clientloop.h ssh.c]
975 bz#1232: ensure that any specified LocalCommand is executed after the
976 tunnel device is opened. Also, make failures to open a tunnel device
977 fatal when ExitOnForwardFailure is active.
978 Reported by h.goebel AT goebel-consult.de; ok dtucker markus reyk deraadt
981 - (tim) [openssh.xml.in] make FMRI match what package scripts use.
982 - (tim) [openbsd-compat/regress/closefromtest.c] Bug 1345: fix open() call.
983 Report/patch by David.Leonard AT quest.com (and Bernhard Simon)
984 - (tim) [buildpkg.sh.in openssh.xml.in] Allow more flexibility where smf(5)
985 - (tim) [buildpkg.sh.in] s|$FAKE_ROOT/${sysconfdir}|$FAKE_ROOT${sysconfdir}|
988 - (djm) bz#1325: Fix SELinux in permissive mode where it would
989 incorrectly fatal() on errors. patch from cjwatson AT debian.org;
993 - (dtucker) OpenBSD CVS Sync
994 - djm@cvs.openbsd.org 2007/06/13 00:21:27
996 don't ftruncate() non-regular files; bz#1236 reported by wood AT
997 xmission.com; ok dtucker@
998 - djm@cvs.openbsd.org 2007/06/14 21:43:25
1000 handle EINTR when waiting for mux exit status properly
1001 - djm@cvs.openbsd.org 2007/06/14 22:48:05
1003 when waiting for the multiplex exit status, read until the master end
1004 writes an entire int of data *and* closes the client_fd; fixes mux
1005 regression spotted by dtucker, ok dtucker@
1006 - djm@cvs.openbsd.org 2007/06/19 02:04:43
1008 if the fd passed to atomicio/atomiciov() is non blocking, then poll() to
1009 avoid a spin if it is not yet ready for reading/writing; ok dtucker@
1010 - dtucker@cvs.openbsd.org 2007/06/25 08:20:03
1012 Correct test for window updates every three packets; prevents sending
1013 window updates for every single packet. ok markus@
1014 - dtucker@cvs.openbsd.org 2007/06/25 12:02:27
1016 Include <poll.h> like the man page says rather than <sys/poll.h>. ok djm@
1017 - (dtucker) [atomicio.c] Test for EWOULDBLOCK in atomiciov to match
1019 - (dtucker) [atomicio.c configure.ac openbsd-compat/Makefile.in
1020 openbsd-compat/bsd-poll.{c,h} openbsd-compat/openbsd-compat.h]
1021 Add an implementation of poll() built on top of select(2). Code from
1022 OpenNTPD with changes suggested by djm. ok djm@
1025 - (dtucker) [cipher-ctr.c umac.c openbsd-compat/openssl-compat.h] Move the
1026 USE_BUILTIN_RIJNDAEL compat goop to openssl-compat.h so it can be
1027 shared with umac.c. Allows building with OpenSSL 0.9.5 again including
1028 umac support. With tim@ djm@, ok djm.
1029 - (dtucker) [openbsd-compat/openssl-compat.h] Merge USE_BUILTIN_RIJNDAEL
1030 sections. Fixes builds with early OpenSSL 0.9.6 versions.
1031 - (dtucker) [openbsd-compat/openssl-compat.h] Remove redundant definition
1032 of USE_BUILTIN_RIJNDAEL since the <0.9.6 test is covered by the
1033 subsequent <0.9.7 test.
1036 - (dtucker) OpenBSD CVS Sync
1037 - markus@cvs.openbsd.org 2007/06/11 09:14:00
1039 increase default channel windows; ok djm
1040 - djm@cvs.openbsd.org 2007/06/12 07:41:00
1042 better document ssh-add's -d option (delete identities from agent), bz#1224
1043 new text based on some provided by andrewmc-debian AT celt.dias.ie;
1045 - djm@cvs.openbsd.org 2007/06/12 08:20:00
1046 [ssh-gss.h gss-serv.c gss-genr.c]
1047 relocate server-only GSSAPI code from libssh to server; bz #1225
1048 patch from simon AT sxw.org.uk; ok markus@ dtucker@
1049 - djm@cvs.openbsd.org 2007/06/12 08:24:20
1051 make scp try to skip FIFOs rather than blocking when nothing is listening.
1052 depends on the platform supporting sane O_NONBLOCK semantics for open
1053 on FIFOs (apparently POSIX does not mandate this), which OpenBSD does.
1054 bz #856; report by cjwatson AT debian.org; ok markus@
1055 - djm@cvs.openbsd.org 2007/06/12 11:11:08
1057 fix slave exit value when a control master goes away without passing the
1058 full exit status by ensuring that the slave reads a full int. bz#1261
1059 reported by frekko AT gmail.com; ok markus@ dtucker@
1060 - djm@cvs.openbsd.org 2007/06/12 11:15:17
1062 Add "-K" flag for ssh to set GSSAPIAuthentication=yes and
1063 GSSAPIDelegateCredentials=yes. This is symmetric with -k (disable GSSAPI)
1064 and is useful for hosts with /home on Kerberised NFS; bz #1312
1065 patch from Markus.Kuhn AT cl.cam.ac.uk; ok dtucker@ markus@
1066 - djm@cvs.openbsd.org 2007/06/12 11:45:27
1068 improved exit message from multiplex slave sessions; bz #1262
1069 reported by alexandre.nunes AT gmail.com; ok dtucker@
1070 - dtucker@cvs.openbsd.org 2007/06/12 11:56:15
1072 Pass GSS OID to gss_display_status to provide better information in
1073 error messages. Patch from Simon Wilkinson via bz 1220. ok djm@
1074 - jmc@cvs.openbsd.org 2007/06/12 13:41:03
1076 identies -> identities;
1077 - jmc@cvs.openbsd.org 2007/06/12 13:43:55
1080 - dtucker@cvs.openbsd.org 2007/06/12 13:54:28
1082 Encode filename with strnvis if the name contains a newline (which can't
1083 be represented in the scp protocol), from bz #891. ok markus@
1086 - (djm) Bugzilla #1306: silence spurious error messages from hang-on-exit
1087 fix; tested by dtucker@ and jochen.kirn AT gmail.com
1088 - pvalchev@cvs.openbsd.org 2007/06/07 19:37:34
1089 [kex.h mac.c mac.h monitor_wrap.c myproposal.h packet.c ssh.1]
1090 [ssh_config.5 sshd.8 sshd_config.5]
1091 Add a new MAC algorithm for data integrity, UMAC-64 (not default yet,
1092 must specify umac-64@openssh.com). Provides about 20% end-to-end speedup
1093 compared to hmac-md5. Represents a different approach to message
1094 authentication to that of HMAC that may be beneficial if HMAC based on
1095 one of its underlying hash algorithms is found to be vulnerable to a
1096 new attack. http://www.ietf.org/rfc/rfc4418.txt
1097 in conjunction with and OK djm@
1098 - pvalchev@cvs.openbsd.org 2007/06/08 04:40:40
1100 Add a "MACs" line after "Ciphers" with the default MAC algorithms,
1101 to ease people who want to tweak both (eg. for performance reasons).
1102 ok deraadt@ djm@ dtucker@
1103 - jmc@cvs.openbsd.org 2007/06/08 07:43:46
1105 put the MAC list into a display, like we do for ciphers,
1106 since groff has trouble handling wide lines;
1107 - jmc@cvs.openbsd.org 2007/06/08 07:48:09
1109 oops, here too: put the MAC list into a display, like we do for
1110 ciphers, since groff has trouble with wide lines;
1111 - markus@cvs.openbsd.org 2007/06/11 08:04:44
1113 send 'window adjust' messages every three packets and do not wait
1114 until 50% of the window is consumed. ok djm dtucker
1115 - (djm) [configure.ac umac.c] If platform doesn't provide swap32(3), then
1116 fallback to provided bit-swizzling functions
1117 - (dtucker) [openbsd-compat/bsd-misc.c] According to the spec the "remainder"
1118 argument to nanosleep may be NULL. Currently this never happens in OpenSSH,
1119 but check anyway in case this changes or the code gets used elsewhere.
1120 - (dtucker) [includes.h] Bug #1243: HAVE_PATHS -> HAVE_PATHS_H. Should
1121 prevent warnings about redefinitions of various things in paths.h.
1122 Spotted by cartmanltd at hotmail.com.
1125 - (dtucker) OpenBSD CVS Sync
1126 - djm@cvs.openbsd.org 2007/05/22 10:18:52
1128 zap double include; from p_nowaczyk AT o2.pl
1129 (not required in -portable, Id sync only)
1130 - djm@cvs.openbsd.org 2007/05/30 05:58:13
1132 tidy: KNF, ARGSUSED and u_int
1133 - jmc@cvs.openbsd.org 2007/05/31 19:20:16
1134 [scp.1 ssh_config.5 sftp-server.8 ssh-agent.1 sshd_config.5 sftp.1
1135 ssh-keygen.1 ssh-keyscan.1 ssh-add.1 sshd.8 ssh.1 ssh-keysign.8]
1136 convert to new .Dd format;
1137 (We will need to teach mdoc2man.awk to understand this too.)
1138 - djm@cvs.openbsd.org 2007/05/31 23:34:29
1140 gc unreachable code; spotted by Tavis Ormandy
1141 - djm@cvs.openbsd.org 2007/06/02 09:04:58
1143 memory leak on error path; from arnaud.lacombe.1 AT ulaval.ca
1144 - djm@cvs.openbsd.org 2007/06/05 06:52:37
1145 [kex.c monitor_wrap.c packet.c mac.h kex.h mac.c]
1146 Preserve MAC ctx between packets, saving 2xhash calls per-packet.
1147 Yields around a 12-16% end-to-end speedup for arcfour256/hmac-md5
1148 patch from markus@ tested dtucker@ and myself, ok markus@ and me (I'm
1149 committing at his request)
1150 - (dtucker) [mdoc2man.awk] Teach it to deal with $Mdocdate tags that
1151 OpenBSD's cvs now adds.
1152 - (dtucker) [mdoc2man.awk] Remove trailing "$" from Mdocdate regex so
1153 mindrot's cvs doesn't expand it on us.
1154 - (dtucker) [mdoc2man.awk] Add support for %R references, used for RFCs.
1157 - (dtucker) OpenBSD CVS Sync
1158 - stevesk@cvs.openbsd.org 2007/04/14 22:01:58
1160 remove unused macro; from Dmitry V. Levin <ldv@altlinux.org>
1161 - stevesk@cvs.openbsd.org 2007/04/18 01:12:43
1163 cast "%llu" format spec to (unsigned long long); do not assume a
1164 u_int64_t arg is the same as 'unsigned long long'.
1165 from Dmitry V. Levin <ldv@altlinux.org>
1166 ok markus@ 'Yes, that looks correct' millert@
1167 - dtucker@cvs.openbsd.org 2007/04/23 10:15:39
1169 Remove debug() left over from development. ok deraadt@
1170 - djm@cvs.openbsd.org 2007/05/17 07:50:31
1172 save and restore errno when logging; ok deraadt@
1173 - djm@cvs.openbsd.org 2007/05/17 07:55:29
1175 bz#1286 stop reading and processing commands when input or output buffer
1176 is nearly full, otherwise sftp-server would happily try to grow the
1177 input/output buffers past the maximum supported by the buffer API and
1179 based on patch from Thue Janus Kristensen; feedback & ok dtucker@
1180 - djm@cvs.openbsd.org 2007/05/17 20:48:13
1182 fall back to gethostname() when the outgoing connection is not
1183 on a socket, such as is the case when ProxyCommand is used.
1184 Gives hostbased auth an opportunity to work; bz#616, report
1185 and feedback stuart AT kaloram.com; ok markus@
1186 - djm@cvs.openbsd.org 2007/05/17 20:52:13
1188 pass received SIGINT from monitor to postauth child so it can clean
1189 up properly. bz#1196, patch from senthilkumar_sen AT hotpop.com;
1191 - jolan@cvs.openbsd.org 2007/05/17 23:53:41
1193 djm owes me a vb and a tism cd for breaking ssh compilation
1194 - (dtucker) [auth-pam.c] malloc+memset -> calloc. Patch from
1195 ldv at altlinux.org.
1196 - (dtucker) [auth-pam.c] Return empty string if fgets fails in
1197 sshpam_tty_conv. Patch from ldv at altlinux.org.
1200 - (tim) [configure.ac] Bug #1287: Add missing test for ucred.h.
1203 - (dtucker) [openbsd-compat/bsd-misc.c] Include unistd.h and sys/types.h
1204 for select(2) prototype.
1205 - (dtucker) [auth-shadow.c loginrec.c] Include time.h for time(2) prototype.
1206 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1299: Use the
1207 platform's _res if it has one. Should fix problem of DNSSEC record lookups
1208 on NetBSD as reported by Curt Sampson.
1209 - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
1210 - (dtucker) [configure.ac defines.h] Have configure check for MAXSYMLINKS
1211 so we don't get redefinition warnings.
1212 - (dtucker) [openbsd-compat/xmmap.c] Include stdlib.h for mkstemp prototype.
1213 - (dtucker) [configure.ac defines.h] Prevent warnings about __attribute__
1214 __nonnull__ for versions of GCC that don't support it.
1215 - (dtucker) [configure.ac defines.h] Have configure check for offsetof
1216 to prevent redefinition warnings.
1219 - (dtucker) [INSTALL] Update the systems that have PAM as standard. Link
1221 - (dtucker) [INSTALL] prngd lives at sourceforge these days.
1224 - (tim) [auth.c configure.ac defines.h session.c openbsd-compat/port-uw.c
1225 openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] Rework libiaf test/defines
1226 to account for IRIX having libiaf but not set_id(). Patch with & ok dtucker@
1229 - (dtucker) [Makefile.in configure.ac] Replace single-purpose LIBSELINUX,
1230 LIBWRAP and LIBPAM variables in Makefile with the general-purpose
1231 SSHDLIBS. "I like" djm@
1234 - (dtucker) OpenBSD CVS Sync
1235 - dtucker@cvs.openbsd.org 2007/03/09 05:20:06
1237 Move C/R -> kbdint special case to after the defaults have been
1238 loaded, which makes ChallengeResponse default to yes again. This
1239 was broken by the Match changes and not fixed properly subsequently.
1240 Found by okan at demirmen.com, ok djm@ "please do it" deraadt@
1241 - djm@cvs.openbsd.org 2007/03/19 01:01:29
1243 Disable the legacy SSH protocol 1 for new installations via
1244 a configuration override. In the future, we will change the
1245 server's default itself so users who need the legacy protocol
1246 will need to turn it on explicitly
1247 - dtucker@cvs.openbsd.org 2007/03/19 12:16:42
1249 Remove the signal handler that checks if the agent's parent process
1250 has gone away, instead check when the select loop returns. Record when
1251 the next key will expire when scanning for expired keys. Set the select
1252 timeout to whichever of these two things happens next. With djm@, with &
1254 - tedu@cvs.openbsd.org 2007/03/20 03:56:12
1255 [readconf.c clientloop.c]
1256 remove some bogus *p tests from charles longeau
1258 - jmc@cvs.openbsd.org 2007/03/20 15:57:15
1260 - let synopsis and description agree for -f
1262 - +.Xr ssh-keyscan 1 ,
1264 - (dtucker) [configure.ac openbsd-compat/bsd-getpeereid.c] Bug #1287: Use
1265 getpeerucred to implement getpeereid (currently only Solaris 10 and up).
1266 Patch by Jan.Pechanec at Sun.
1267 - (dtucker) [regress/agent-getpeereid.sh] Do peereid test if we have
1268 HAVE_GETPEERUCRED too. Also from Jan Pechanec.
1271 - (dtucker) [entropy.c scard-opensc.c ssh-rand-helper.c] Bug #1294: include
1272 string.h to prevent warnings, from vapier at gentoo.org.
1273 - (dtucker) [LICENCE] Add Daniel Walsh as a copyright holder for the
1274 selinux bits in -portable.
1275 - (dtucker) [cipher-3des1.c cipher-bf1.c] The OpenSSL 0.9.8e problem in
1276 bug #1291 also affects Protocol 1 3des. While at it, use compat-openssl.h
1277 in cipher-bf1.c. Patch from Juan Gallego.
1278 - (dtucker) [README.platform] Info about blibpath on AIX.
1281 - (djm) OpenBSD CVS Sync
1282 - jmc@cvs.openbsd.org 2007/03/01 16:19:33
1284 sort the `match' keywords;
1285 - djm@cvs.openbsd.org 2007/03/06 10:13:14
1287 openssh-4.6; "please" deraadt@
1288 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
1289 [contrib/suse/openssh.spec] crank spec files for release
1290 - (djm) [README] correct link to release notes
1291 - (djm) Release 4.6p1
1294 - (djm) [configure.ac] add a --without-openssl-header-check option to
1295 configure, as some platforms (OS X) ship OpenSSL headers whose version
1296 does not match that of the shipping library. ok dtucker@
1297 - (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a
1298 bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256
1299 ciphers from working correctly (disconnects with "Bad packet length"
1300 errors) as found by Ben Harris. ok djm@
1303 - (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more
1304 general to cover newer gdb versions on HP-UX.
1307 - (dtucker) [configure.ac] For Cygwin, read files in textmode (which allows
1308 CRLF as well as LF lineendings) and write in binary mode. Patch from
1309 vinschen at redhat.com.
1310 - (dtucker) [INSTALL] Update to autoconf-2.61.
1313 - (dtucker) OpenBSD CVS Sync
1314 - dtucker@cvs.openbsd.org 2007/03/01 10:28:02
1315 [auth2.c sshd_config.5 servconf.c]
1316 Remove ChallengeResponseAuthentication support inside a Match
1317 block as its interaction with KbdInteractive makes it difficult to
1318 support. Also, relocate the CR/kbdint option special-case code into
1319 servconf. "please commit" djm@, ok markus@ for the relocation.
1320 - (tim) [buildpkg.sh.in openssh.xml.in] Clean up Solaris 10 smf(5) bits.
1321 "Looks sane" dtucker@
1324 - (dtucker) OpenBSD CVS Sync
1325 - dtucker@cvs.openbsd.org 2007/02/28 00:55:30
1327 Remove expired keys periodically so they don't remain in memory when
1328 the agent is entirely idle, as noted by David R. Piegdon. This is the
1329 simple fix, a more efficient one will be done later. With markus,
1330 deraadt, with & ok djm.
1333 - (dtucker) OpenBSD CVS Sync
1334 - djm@cvs.openbsd.org 2007/02/20 10:25:14
1336 set maximum packet and window sizes the same for multiplexed clients
1337 as normal connections; ok markus@
1338 - dtucker@cvs.openbsd.org 2007/02/21 11:00:05
1340 Clear alarm() before restarting sshd on SIGHUP. Without this, if there's
1341 a SIGALRM pending (for SSH1 key regeneration) when sshd is SIGHUP'ed, the
1342 newly exec'ed sshd will get the SIGALRM and not have a handler for it,
1343 and the default action will terminate the listening sshd. Analysis and
1344 patch from andrew at gaul.org.
1345 - dtucker@cvs.openbsd.org 2007/02/22 12:58:40
1347 Check activep so Match and GatewayPorts work together; ok markus@
1348 - ray@cvs.openbsd.org 2007/02/24 03:30:11
1350 - strlen returns size_t, not int.
1351 - Pass full buffer size to fgets.
1352 OK djm@, millert@, and moritz@.
1355 - (dtucker) OpenBSD CVS Sync
1356 - jmc@cvs.openbsd.org 2007/01/10 13:23:22
1358 do not use a list for SYNOPSIS;
1359 this is actually part of a larger report sent by eric s. raymond
1360 and forwarded by brad, but i only read half of it. spotted by brad.
1361 - jmc@cvs.openbsd.org 2007/01/12 20:20:41
1362 [ssh-keygen.1 ssh-keygen.c]
1363 more secsh -> rfc 4716 updates;
1364 spotted by wiz@netbsd
1366 - dtucker@cvs.openbsd.org 2007/01/17 23:22:52
1368 Honour activep for times (eg ServerAliveInterval) while parsing
1369 ssh_config and ~/.ssh/config so they work properly with Host directives.
1370 From mario.lorenz@wincor-nixdorf.com via bz #1275. ok markus@
1371 - stevesk@cvs.openbsd.org 2007/01/21 01:41:54
1372 [auth-skey.c kex.c ssh-keygen.c session.c clientloop.c]
1374 - stevesk@cvs.openbsd.org 2007/01/21 01:45:35
1377 - djm@cvs.openbsd.org 2007/01/22 11:32:50
1379 return error from do_upload() when a write fails. fixes bz#1252: zero
1380 exit status from sftp when uploading to a full device. report from
1381 jirkat AT atlas.cz; ok dtucker@
1382 - djm@cvs.openbsd.org 2007/01/22 13:06:21
1384 fix detection of whether we should show progress meter or not: scp
1385 tested isatty(stderr) but wrote the progress meter to stdout. This patch
1386 makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com;
1388 - stevesk@cvs.openbsd.org 2007/02/14 14:32:00
1390 typos in comments; ok jmc@
1391 - dtucker@cvs.openbsd.org 2007/02/19 10:45:58
1392 [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
1393 Teach Match how to handle config directives that are used before
1394 authentication. This allows configurations such as permitting password
1395 authentication from the local net only while requiring pubkey from
1396 offsite. ok djm@, man page bits ok jmc@
1397 - (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some
1398 platforms don't have it. Patch from dleonard at vintela.com.
1399 - (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to calloc
1400 an array for signatures when there are none since "calloc(0, n)" returns
1401 NULL on some platforms (eg Tru64), which is explicitly permitted by
1402 POSIX. Diagnosis and patch by svallet genoscope.cns.fr.
1405 - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52)
1406 when closing a tty session when a background process still holds tty
1407 fds open. Great detective work and patch by Marc Aurele La France,
1408 slightly tweaked by me; ok dtucker@
1411 - (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for public
1412 library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro
1413 so it works properly and modify its callers so that they don't pre or
1414 post decrement arguments that are conditionally evaluated. While there,
1415 put SNPRINTF_CONST back as it prevents build failures in some
1416 configurations. ok djm@ (for most of it)
1419 - (djm) [ssh-rand-helper.8] manpage nits;
1420 from dleonard AT vintela.com (bz#1529)
1423 - (dtucker) [packet.c] Re-remove in_systm.h since it's already in includes.h
1424 and multiple including it causes problems on old IRIXes. (It snuck back
1425 in during a sync.) Found (again) by Georg Schwarz.
1428 - (dtucker) [ssh-keygen.c] av -> argv to match earlier sync.
1429 - (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in return
1430 value of snprintf replacement, similar to bugs in various libc
1431 implementations. This overflow is not exploitable in OpenSSH.
1432 While I'm fiddling with it, make it a fair bit faster by inlining the
1433 append-char routine; ok dtucker@
1436 - (djm) OpenBSD CVS Sync
1437 - deraadt@cvs.openbsd.org 2006/11/14 19:41:04
1439 use argc and argv not some made up short form
1440 - ray@cvs.openbsd.org 2006/11/23 01:35:11
1442 Don't access buf[strlen(buf) - 1] for zero-length strings.
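The fgets() newline handling that this entry and the 2007/09/11 strcspn entry describe, as an added C example that is not code from OpenSSH. The function names and the sample input are assumptions made for illustration; the input is constructed so that the first line begins with a NUL byte, which is how fgets() can hand back a zero-length string.

```c
#include <stdio.h>
#include <string.h>

/*
 * Fragile idiom: assumes fgets() produced at least one character and that
 * the last one is '\n'. On an empty string, strlen(buf) - 1 wraps around and
 * the store lands outside the buffer; on a line without a trailing newline
 * it silently drops the last data byte. Never call this with "".
 */
static void chomp_fragile(char *buf)
{
    buf[strlen(buf) - 1] = '\0';
}

/*
 * Robust form: strcspn() returns the index of the first '\n', or of the
 * terminating NUL when there is none, so the store is always in bounds.
 * Returns the resulting string length.
 */
static size_t chomp(char *buf)
{
    size_t n = strcspn(buf, "\n");

    buf[n] = '\0';
    return n;
}

/* Constructed input: line 1 starts with a NUL byte, line 3 has no newline. */
static const char sample[] = "\0hidden\nalice\nbob";

/*
 * Write the sample to a temporary stream, read it back with fgets() and
 * record the length of each line after chomp(). Returns the number of lines
 * read, or -1 if the temporary file could not be set up.
 */
static int read_sample(size_t lens[], int max)
{
    char buf[64];
    int n = 0;
    FILE *f = tmpfile();

    if (f == NULL)
        return -1;
    if (fwrite(sample, 1, sizeof(sample) - 1, f) != sizeof(sample) - 1) {
        fclose(f);
        return -1;
    }
    rewind(f);
    while (n < max && fgets(buf, sizeof(buf), f) != NULL)
        lens[n++] = chomp(buf);
    fclose(f);
    return n;
}

int main(void)
{
    size_t lens[4];
    char last[] = "bob";            /* what fgets() leaves for line 3 */
    int i, n = read_sample(lens, 4);

    for (i = 0; i < n; i++)
        printf("line %d: length %zu after chomp()\n", i + 1, lens[i]);

    chomp_fragile(last);            /* safe here: the string is non-empty */
    printf("fragile idiom turned \"bob\" into \"%s\"\n", last);
    return n == 3 ? 0 : 1;
}
```
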
1444 - markus@cvs.openbsd.org 2006/12/11 21:25:46
1445 [ssh-keygen.1 ssh.1]
1446 add rfc 4716 (public key format); ok jmc
1447 - djm@cvs.openbsd.org 2006/12/12 03:58:42
1448 [channels.c compat.c compat.h]
1449 bz #1019: some ssh.com versions apparently can't cope with the
1450 remote port forwarding bind_address being a hostname, so send
1451 them an address for cases where they are not explicitly
1452 specified (wildcard or localhost bind). reported by daveroth AT
1453 acm.org; ok dtucker@ deraadt@
1454 - dtucker@cvs.openbsd.org 2006/12/13 08:34:39
1456 Make PermitOpen work with multiple values like the man page says.
1457 bz #1267 with details from peter at dmtz.com, with & ok djm@
1458 - dtucker@cvs.openbsd.org 2006/12/14 10:01:14
1460 Make "PermitOpen all" first-match within a block to match the way other
1461 options work. ok markus@ djm@
1462 - jmc@cvs.openbsd.org 2007/01/02 09:57:25
1464 do not use lists for SYNOPSIS;
1465 from eric s. raymond via brad
1466 - stevesk@cvs.openbsd.org 2007/01/03 00:53:38
1468 remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan
1469 - stevesk@cvs.openbsd.org 2007/01/03 03:01:40
1470 [auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c]
1472 - stevesk@cvs.openbsd.org 2007/01/03 04:09:15
1475 - stevesk@cvs.openbsd.org 2007/01/03 07:22:36
1480 - (djm) [auth.c] Fix NULL pointer dereference in fakepw(). Crash would
1481 occur if the server did not have the privsep user and an invalid user
1482 tried to login and both privsep and krb5 auth are disabled; ok dtucker@
1483 - (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@
1486 - (dtucker) OpenBSD CVS Sync
1487 - markus@cvs.openbsd.org 2006/11/07 13:02:07
1489 BN_hex2bn returns int; from dtucker@
1492 - (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it
1493 if we absolutely need it. Pointed out by Corinna, ok djm@
1494 - (dtucker) OpenBSD CVS Sync
1495 - markus@cvs.openbsd.org 2006/11/06 21:25:28
1496 [auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
1497 ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
1498 add missing checks for openssl return codes; with & ok djm@
1499 - markus@cvs.openbsd.org 2006/11/07 10:31:31
1500 [monitor.c version.h]
1501 correctly check for bad signatures in the monitor, otherwise the monitor
1502 and the unpriv process can get out of sync. with dtucker@, ok djm@,
1504 - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump
1506 - (dtucker) Release 4.5p1.
1509 - (djm) OpenBSD CVS Sync
1510 - otto@cvs.openbsd.org 2006/10/28 18:08:10
1512 correct/expand example of usage of -w; ok jmc@ stevesk@
1513 - markus@cvs.openbsd.org 2006/10/31 16:33:12
1514 [kexdhc.c kexdhs.c kexgexc.c kexgexs.c]
1515 check DH_compute_key() for -1 even if it should not happen because of
1516 earlier calls to dh_pub_is_valid(); report krahmer at suse.de; ok djm
1519 - (dtucker) [openbsd-compat/port-solaris.c] Bug #1255: Make only hwerr
1520 events fatal in Solaris process contract support and tell it to signal
1521 only processes in the same process group when something happens.
1522 Based on information from andrew.benham at thus.net and similar to
1523 a patch from Chad Mynhier. ok djm@
1526 - (djm) [auth.c] gc some dead code
1529 - (djm) OpenBSD CVS Sync
1530 - ray@cvs.openbsd.org 2006/09/30 17:48:22
1532 Clear errno before calling the strtol functions.
1533 From Paul Stoeber <x0001 at x dot de1 dot cc>.
1535 - djm@cvs.openbsd.org 2006/10/06 02:29:19
1536 [ssh-agent.c ssh-keyscan.c ssh.c]
1537 sys/resource.h needs sys/time.h; prompted by brad@
1538 (NB. Id sync only for portable)
1539 - djm@cvs.openbsd.org 2006/10/09 23:36:11
1541 xmalloc -> xcalloc that was missed previously, from portable
1542 (NB. Id sync only for portable, obviously)
1543 - markus@cvs.openbsd.org 2006/10/10 10:12:45
1545 sleep before retrying (not after) since sleep changes errno; fixes
1546 pr 5250; rad@twig.com; ok dtucker djm
1547 - markus@cvs.openbsd.org 2006/10/11 12:38:03
1548 [clientloop.c serverloop.c]
1549 exit instead of doing a blocking tcp send if we detect a client/server
1550 timeout, since the tcp sendqueue might be already full (of alive
1551 requests); ok dtucker, report mpf
1552 - djm@cvs.openbsd.org 2006/10/22 02:25:50
1554 cancel progress meter when upload write fails; ok deraadt@
1555 - (tim) [Makefile.in scard/Makefile.in] Add datarootdir= lines to keep
1556 autoconf 2.60 from complaining.
1559 - (dtucker) OpenBSD CVS Sync
1560 - ray@cvs.openbsd.org 2006/09/25 04:55:38
1561 [ssh-keyscan.1 ssh.1]
1562 Change "a SSH" to "an SSH". Hurray, I'm not the only one who
1563 pronounces "SSH" as "ess-ess-aich".
1564 OK jmc@ and stevesk@.
1565 - (dtucker) [sshd.c] Reshuffle storing of pw struct; prevents warnings
1566 on older versions of OS X. ok djm@
1569 - (dtucker) [monitor_fdpass.c] Include sys/in.h, required for cmsg macros
1570 on older (2.0) Linuxes. Based on patch from thmo-13 at gmx de.
1573 - (tim) [buildpkg.sh.in] Use uname -r instead of -v in OS_VER for Solaris.
1574 Differentiate between OpenServer 5 and OpenServer 6
1575 - (dtucker) [configure.ac] Put -lselinux into $LIBS while testing for
1576 SELinux functions so they're detected correctly. Patch from pebenito at
1578 - (tim) [buildpkg.sh.in] Some systems have really limited nawk (OpenServer).
1579 Allow setting alternate awk in openssh-config.local.
1582 - (tim) [configure.ac] Move CHECK_HEADERS test before platform specific
1583 section so additional platform specific CHECK_HEADER tests will work
1584 correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no
1585 Feedback and "seems like a good idea" dtucker@
1588 - (dtucker) [audit-bsm.c] Include errno.h. Pointed out by des at des.no.
1591 - (dtucker) [configure.ac] Bug #1239: Fix configure test for OpenSSH engine
1592 support. Patch from andrew.benham at thus net.
1595 - (dtucker) [entropy.c] Bug #1238: include signal.h to fix compilation error
1596 on Solaris 8 w/out /dev/random or prngd. Patch from rl at
1597 math.technion.ac.il.
1600 - (dtucker) [bufaux.h] nuke bufaux.h; it's already gone from OpenBSD and not
1601 referenced any more. ok djm@
1602 - (dtucker) [sftp-server.8] Resync; spotted by djm@
1603 - (dtucker) Release 4.4p1.
1606 - (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added
1607 to rev 1.308) to work around broken gcc 2.x header file.
1610 - (dtucker) [configure.ac] Bug #1234: Put opensc libs into $LIBS rather than
1611 $LDFLAGS. Patch from vapier at gentoo org.
1614 - (dtucker) [packet.c canohost.c] Include arpa/inet.h for htonl macros on
1615 some platforms (eg HP-UX 11.00). From santhi.amirta at gmail com.
1618 - (dtucker) OpenBSD CVS Sync
1619 - otto@cvs.openbsd.org 2006/09/19 05:52:23
1621 Use S_IS* macros instead of masking with S_IF* flags. The latter may
1622 have multiple bits set, which leads to surprising results. Spotted by
1623 Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@
1624 - markus@cvs.openbsd.org 2006/09/19 21:14:08
1626 client NULL deref on protocol error; Tavis Ormandy, Google Security Team
1627 - (dtucker) [defines.h] Include unistd.h before defining getpgrp; fixes
1628 build error on Ultrix. From Bernhard Simon.
1631 - (dtucker) [configure.ac] On AIX, check to see if the compiler will allow
1632 macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags.
1633 Allows build out of the box with older VAC and XLC compilers. Found by
1634 David Bronder and Bernhard Simon.
1635 - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes.
1636 Prevents macro redefinition warnings of "RDONLY".
1640 - djm@cvs.openbsd.org 2006/09/16 19:53:37
1641 [deattack.c deattack.h packet.c]
1642 limit maximum work performed by the CRC compensation attack detector,
1643 problem reported by Tavis Ormandy, Google Security Team;
1645 - (djm) Add openssh.xml to .cvsignore and sort it
1646 - (dtucker) [auth-pam.c] Propagate TZ environment variable to PAM auth
1647 process so that any logging it does is with the right timezone. From
1648 Scott Strickler, ok djm@.
1649 - (dtucker) [monitor.c] Correctly handle auditing of single commands when
1650 using Protocol 1. From jhb at freebsd.
1651 - (djm) [sshd.c] Fix warning/API abuse; ok dtucker@
1652 - (dtucker) [INSTALL] Add info about audit support.
1655 - (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in]
1656 Support SMF in Solaris Packages if enabled by configure. Patch from
1657 Chad Mynhier, tested by dtucker@
1660 - (dtucker) [cipher-aes.c] Include string.h for memcpy and friends. Noted
1664 - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available.
1665 - (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB.
1668 - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h.
1669 - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user.
1670 - (dtucker) [buildpkg.sh.in] Always create privsep user. ok djm@
1673 - (dtucker) [auth-sia.c] Add includes required for build on Tru64. Patch
1675 - (dtucker) [configure.ac] The BSM header test needs time.h in some cases.
1678 - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
1679 be used to drop privilege to; fixes Solaris GSSAPI crash reported by
1680 Magnus Abrante; suggestion and feedback dtucker@
1681 NB. this change will require that the privilege separation user must
1682 exist all the time, not just when UsePrivilegeSeparation=yes
1683 - (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6
1684 - (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H.
1685 - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better
1689 - (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov.
1690 - (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP.
1693 - (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native
1694 updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius,
1698 - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for
1699 declaration of writev(2) and declare it ourselves if necessary. Makes
1700 the atomiciov() calls build on really old systems. ok djm@
1703 - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.
1704 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
1705 openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
1706 openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
1707 for hton* and ntoh* macros. Required on (at least) HP-UX since we define
1708 _XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com.
1711 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
1712 [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
1713 [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
1714 [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
1715 [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
1716 [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
1717 [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
1718 [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
1719 [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
1720 [sshconnect1.c sshconnect2.c sshd.c]
1721 [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
1722 [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
1723 [openbsd-compat/port-uw.c]
1724 Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
1725 compile problems reported by rac AT tenzing.org
1726 - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
1727 [openbsd-compat/rresvport.c] Some more headers: netinet/in.h
1728 sys/socket.h and unistd.h in various places
1729 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implicit declaration
1730 warnings for binary_open and binary_close. Patch from Corinna Vinschen.
1731 - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
1732 test for GLOB_NOMATCH and use our glob functions if it's not found.
1733 Stops sftp from segfaulting when attempting to get a nonexistent file on
1734 Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
1735 from and tested by Corinna Vinschen.
1736 - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank
1740 - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
1741 [platform.c platform.h sshd.c openbsd-compat/Makefile.in]
1742 [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
1743 [openbsd-compat/port-solaris.h] Add support for Solaris process
1744 contracts, enabled with --use-solaris-contracts. Patch from Chad
1745 Mynhier, tweaked by dtucker@ and myself; ok dtucker@
1746 - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege
1747 while setting up the ssh service account. Patch from Corinna Vinschen.
1750 - (djm) OpenBSD CVS Sync
1751 - dtucker@cvs.openbsd.org 2006/08/21 08:14:01
1753 Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
1755 - dtucker@cvs.openbsd.org 2006/08/21 08:15:57
1757 Add more detail about what permissions are and aren't accepted for
1758 authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
1759 - djm@cvs.openbsd.org 2006/08/29 10:40:19
1760 [channels.c session.c]
1761 normalise some inconsistent (but harmless) NULL pointer checks
1762 spotted by the Stanford SATURN tool, via Isil Dillig;
1764 - dtucker@cvs.openbsd.org 2006/08/29 12:02:30
1766 Work around a problem in Heimdal that occurs when KRB5CCNAME file is
1767 missing, by checking whether or not kerberos allocated us a context
1768 before attempting to free it. Patch from Simon Wilkinson, tested by
1770 - dtucker@cvs.openbsd.org 2006/08/30 00:06:51
1772 Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
1773 where previously it wasn't. bz #1221, found by Dean Kopesky, ok djm@
1774 - djm@cvs.openbsd.org 2006/08/30 00:14:37
1777 - (djm) [openbsd-compat/xcrypt.c] needs unistd.h
1778 - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
1779 loginsuccess on AIX immediately after authentication to clear the failed
1780 login count. Previously this would only happen when an interactive
1781 session starts (ie when a pty is allocated) but this means that accounts
1782 that have primarily non-interactive sessions (eg scp's) may gradually
1783 accumulate enough failures to lock out an account. This change may have
1784 a side effect of creating two audit records, one with a tty of "ssh"
1785 corresponding to the authentication and one with the allocated pty per
1786 interactive session.
1789 - (dtucker) [openbsd-compat/basename.c] Include errno.h.
1790 - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on
1792 - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)
1794 - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).
1795 - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.
1796 - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent
1797 unused variable warning when we have a broken or missing mmap(2).
1800 - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in
1801 Makefile. Patch from santhi.amirta at gmail, ok djm.
1804 - (dtucker) [log.c] Move ifdef to prevent unused variable warning.
1805 - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore
1806 afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl.
1807 - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for
1808 fixing bug #1181. No changes yet.
1809 - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL
1810 (0.9.8a and presumably newer) requires -ldl to successfully link.
1811 - (dtucker) [configure.ac] Remove errant "-".
1814 - (djm) OpenBSD CVS Sync
1815 - djm@cvs.openbsd.org 2006/08/18 22:41:29
1817 GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
1818 - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a
1819 single rule for the test progs.
1822 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with
1823 closefrom.c from sudo.
1824 - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.
1825 - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.
1826 - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the
1827 test progs instead; they work better than what we have.
1828 - (djm) OpenBSD CVS Sync
1829 - stevesk@cvs.openbsd.org 2006/08/06 01:13:32
1830 [compress.c monitor.c monitor_wrap.c]
1831 "zlib.h" can be <zlib.h>; ok djm@ markus@
1832 - miod@cvs.openbsd.org 2006/08/12 20:46:46
1833 [monitor.c monitor_wrap.c]
1834 Revert previous include file ordering change, for ssh to compile under
1835 gcc2 (or until openssl include files are cleaned of parameter names
1836 in function prototypes)
1837 - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
1838 [servconf.c servconf.h sshd_config.5]
1839 Add ability to match groups to Match keyword in sshd_config. Feedback
1840 djm@, stevesk@, ok stevesk@.
1841 - djm@cvs.openbsd.org 2006/08/16 11:47:15
1843 factor inetd connection, TCP listen and main TCP accept loop out of
1844 main() into separate functions to improve readability; ok markus@
1845 - deraadt@cvs.openbsd.org 2006/08/18 09:13:26
1846 [log.c log.h sshd.c]
1847 make signal handler termination path shorter; risky code pointed out by
1848 mark dowd; ok djm markus
1849 - markus@cvs.openbsd.org 2006/08/18 09:15:20
1850 [auth.h session.c sshd.c]
1851 delay authentication related cleanups until we're authenticated and
1852 all alarms have been cancelled; ok deraadt
1853 - djm@cvs.openbsd.org 2006/08/18 10:27:16
1855 reorder so prototypes are sorted by the files they refer to; no
1857 - djm@cvs.openbsd.org 2006/08/18 13:54:54
1858 [gss-genr.c ssh-gss.h sshconnect2.c]
1859 bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
1861 - djm@cvs.openbsd.org 2006/08/18 14:40:34
1862 [gss-genr.c ssh-gss.h]
1863 constify host argument to match the rest of the GSSAPI functions and
1864 unbreak compilation with -Werror
1865 - (djm) Disable sigdie() for platforms that cannot safely syslog inside
1866 a signal handler (basically all of them, excepting OpenBSD);
1870 - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
1871 Include stdlib.h for malloc and friends.
1872 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl
1873 for closefrom() on AIX. Pointed out by William Ahern.
1874 - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress
1875 test for closefrom() in compat code.
1878 - (djm) [audit-bsm.c] Sprinkle in some headers
1881 - (dtucker) [LICENCE] Add Reyk to the list for the compat dir.
1884 - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings
1888 - (dtucker) [defines.h] With the includes.h changes we no longer get the
1889 name clash on "YES" so we can remove the workaround for it.
1890 - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,
1891 glob.c}] Include stdlib.h for malloc and friends in compat code.
1894 - (djm) OpenBSD CVS Sync
1895 - stevesk@cvs.openbsd.org 2006/07/24 13:58:22
1897 disable tunnel forwarding when no strict host key checking
1898 and key changed; ok djm@ markus@ dtucker@
1899 - stevesk@cvs.openbsd.org 2006/07/25 02:01:34
1901 need #include <string.h>
1902 - stevesk@cvs.openbsd.org 2006/07/25 02:59:21
1903 [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c]
1904 [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c]
1905 move #include <sys/time.h> out of includes.h
1906 - stevesk@cvs.openbsd.org 2006/07/26 02:35:17
1907 [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
1908 [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
1909 [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
1910 [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
1911 [uidswap.c xmalloc.c]
1912 move #include <sys/param.h> out of includes.h
1913 - stevesk@cvs.openbsd.org 2006/07/26 13:57:17
1914 [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
1915 [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
1916 [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
1917 [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
1918 [sshconnect1.c sshd.c xmalloc.c]
1919 move #include <stdlib.h> out of includes.h
1920 - jmc@cvs.openbsd.org 2006/07/27 08:00:50
1922 avoid confusing wording in HashKnownHosts:
1923 originally spotted by alan amesbury;
1925 - jmc@cvs.openbsd.org 2006/07/27 08:00:50
1927 avoid confusing wording in HashKnownHosts:
1928 originally spotted by alan amesbury;
1930 - dtucker@cvs.openbsd.org 2006/08/01 11:34:36
1932 Allow fallback to known_hosts entries without port qualifiers for
1933 non-standard ports too, so that all existing known_hosts entries will be
1934 recognised. Requested by, feedback and ok markus@
1935 - stevesk@cvs.openbsd.org 2006/08/01 23:22:48
1936 [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
1937 [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
1938 [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
1939 [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
1940 [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
1941 [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
1942 [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
1943 [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
1944 [uuencode.h xmalloc.c]
1945 move #include <stdio.h> out of includes.h
1946 - stevesk@cvs.openbsd.org 2006/08/01 23:36:12
1947 [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c]
1949 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
1950 [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
1951 [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
1952 [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
1953 [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
1954 [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
1955 [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
1956 [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
1957 [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
1958 [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
1959 [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
1960 [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
1961 [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
1962 [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
1963 [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
1964 [serverloop.c session.c session.h sftp-client.c sftp-common.c]
1965 [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
1966 [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
1967 [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
1968 [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
1969 [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
1970 [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
1971 almost entirely get rid of the culture of ".h files that include .h files"
1972 ok djm, sort of ok stevesk
1973 makes the pain stop in one easy step
1974 NB. portable commit contains everything *except* removing includes.h, as
1975 that will take a fair bit more work as we move headers that are required
1976 for portability workarounds to defines.h. (also, this step wasn't "easy")
1977 - stevesk@cvs.openbsd.org 2006/08/04 20:46:05
1978 [monitor.c session.c ssh-agent.c]
1980 - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c
1981 - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
1982 remove last traces of bufaux.h - it was merged into buffer.h in the big
1984 - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec
1985 - (djm) [openbsd-compat/regress/snprintftest.c]
1986 [openbsd-compat/regress/strduptest.c] Add missing includes so they pass
1987 compilation with "-Wall -Werror"
1988 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
1989 [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
1990 includes for Linux in
1991 - (dtucker) [cleanup.c] Need defines.h for __dead.
1992 - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.
1993 - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of
1994 #include stdarg.h, needed for log.h.
1995 - (dtucker) [entropy.c] Needs unistd.h too.
1996 - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h.
1997 - (dtucker) [openbsd-compat/getrrsetbyname.c] Needs stdlib.h for malloc.
1998 - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,
1999 otherwise it is implicitly declared as returning an int.
2000 - (dtucker) OpenBSD CVS Sync
2001 - dtucker@cvs.openbsd.org 2006/08/05 07:52:52
2002 [auth2-none.c sshd.c monitor_wrap.c]
2003 Add headers required to build with KERBEROS5=no. ok djm@
2004 - dtucker@cvs.openbsd.org 2006/08/05 08:00:33
2006 Add headers required to build with -DSKEY. ok djm@
2007 - dtucker@cvs.openbsd.org 2006/08/05 08:28:24
2008 [monitor_wrap.c auth-skey.c auth2-chall.c]
2009 Zap unused variables in -DSKEY code. ok djm@
2010 - dtucker@cvs.openbsd.org 2006/08/05 08:34:04
2013 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile
2015 - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.
2016 - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h.
2017 - (dtucker) [audit.c audit.h] Repair headers.
2018 - (dtucker) [audit-bsm.c] Add additional headers now required.
2021 - (dtucker) [configure.ac] The "crippled AES" test does not work on recent
2022 versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
2023 rather than just compiling it. Spotted by dlg@.
2026 - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.
2029 - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW.
2032 - (djm) OpenBSD CVS Sync
2033 - jmc@cvs.openbsd.org 2006/07/12 13:39:55
2035 - new sentence, new line
2038 - stevesk@cvs.openbsd.org 2006/07/12 22:28:52
2039 [auth-options.c canohost.c channels.c includes.h readconf.c]
2040 [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
2041 move #include <netdb.h> out of includes.h; ok djm@
2042 - stevesk@cvs.openbsd.org 2006/07/12 22:42:32
2043 [includes.h ssh.c ssh-rand-helper.c]
2044 move #include <stddef.h> out of includes.h
2045 - stevesk@cvs.openbsd.org 2006/07/14 01:15:28
2047 don't need incompletely-typed 'struct passwd' now with
2048 #include <pwd.h>; ok markus@
2049 - stevesk@cvs.openbsd.org 2006/07/17 01:31:10
2050 [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
2051 [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
2052 [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
2053 [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
2054 [sshconnect.c sshlogin.c sshpty.c uidswap.c]
2055 move #include <unistd.h> out of includes.h
2056 - dtucker@cvs.openbsd.org 2006/07/17 12:02:24
2058 Use '\0' rather than 0 to terminate strings; ok djm@
2059 - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
2060 [channels.c channels.h servconf.c sshd_config.5]
2061 Add PermitOpen directive to sshd_config which is equivalent to the
2062 "permitopen" key option. Allows server admin to allow TCP port
2063 forwarding only to specific host/port pairs. Useful when combined
2065 If permitopen is used in both sshd_config and a key option, both
2066 must allow a given connection before it will be permitted.
2067 Note that users can still use external forwarders such as netcat,
2068 so those must be controlled too for the limits to be effective.
2069 Feedback & ok djm@, man page corrections & ok jmc@.
2070 - jmc@cvs.openbsd.org 2006/07/18 07:50:40
2073 - jmc@cvs.openbsd.org 2006/07/18 07:56:28
2075 replace DIAGNOSTICS with .Ex;
2076 - jmc@cvs.openbsd.org 2006/07/18 08:03:09
2077 [ssh-agent.1 sshd_config.5]
2078 mark up angle brackets;
2079 - dtucker@cvs.openbsd.org 2006/07/18 08:22:23
2081 Clarify description of Match, with minor correction from jmc@
2082 - stevesk@cvs.openbsd.org 2006/07/18 22:27:55
2084 remove unneeded includes; ok djm@
2085 - dtucker@cvs.openbsd.org 2006/07/19 08:56:41
2086 [servconf.c sshd_config.5]
2087 Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
2089 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
2090 [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
2091 Add ForceCommand keyword to sshd_config, equivalent to the "command="
2092 key option, man page entry and example in sshd_config.
2093 Feedback & ok djm@, man page corrections & ok jmc@
2094 - stevesk@cvs.openbsd.org 2006/07/20 15:26:15
2095 [auth1.c serverloop.c session.c sshconnect2.c]
2096 missed some needed #include <unistd.h> when KERBEROS5=no; issue from
2098 - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
2099 [channels.c channels.h servconf.c servconf.h sshd_config.5]
2100 Make PermitOpen take a list of permitted ports and act more like most
2101 other keywords (ie the first match is the effective setting). This
2102 also makes it easier to override a previously set PermitOpen. ok djm@
2103 - stevesk@cvs.openbsd.org 2006/07/21 21:13:30
2105 more ARGSUSED (lint) for dispatch table-driven functions; ok djm@
2106 - stevesk@cvs.openbsd.org 2006/07/21 21:26:55
2108 ARGSUSED for signal handler
2109 - stevesk@cvs.openbsd.org 2006/07/22 19:08:54
2110 [includes.h moduli.c progressmeter.c scp.c sftp-common.c]
2111 [sftp-server.c ssh-agent.c sshlogin.c]
2112 move #include <time.h> out of includes.h
2113 - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
2114 [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
2115 [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
2116 [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
2117 [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
2118 [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
2119 [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
2120 [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
2121 [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
2122 [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
2123 [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
2124 [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
2125 [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
2126 [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
2127 move #include <string.h> out of includes.h
2128 - stevesk@cvs.openbsd.org 2006/07/23 01:11:05
2129 [auth.h dispatch.c kex.h sftp-client.c]
2130 #include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
2132 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
2133 [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
2134 [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
2135 [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
2136 [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
2137 [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
2138 [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
2139 [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
2140 [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
2141 [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
2142 make the portable tree compile again - sprinkle unistd.h and string.h
2143 back in. Don't redefine __unused, as it turned out to be used in
2144 headers on Linux, and replace its use in auth-pam.c with ARGSUSED
2145 - (djm) [openbsd-compat/glob.c]
2146 Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles
2147 on OpenBSD (or other platforms with a decent glob implementation) with
2149 - (djm) [uuencode.c]
2150 Add resolv.h, as it contains the prototypes for __b64_ntop/__b64_pton on
2153 fix compile error with -Werror -Wall: 'path' is only used in
2154 do_setup_env() if HAVE_LOGIN_CAP is not defined
2155 - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c]
2156 [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c]
2157 [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c]
2158 [openbsd-compat/port-aix.c openbsd-compat/port-irix.c]
2159 [openbsd-compat/rresvport.c]
2160 These look to need string.h and/or unistd.h (based on a grep for function
2162 - (djm) [Makefile.in]
2163 Remove generated openbsd-compat/regress/Makefile in distclean target
2164 - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
2165 [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
2166 Sync regress tests to -current; include dtucker@'s new cfgmatch and
2167 forcecommand tests. Add cipher-speed.sh test (not linked in yet)
2168 - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including
2169 system headers before defines.h will cause conflicting definitions.
2170 - (dtucker) [regress/forcecommand.sh] Portablize.
2173 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
2176 - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and
2177 O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old
2178 Linuxes and probably more.
2179 - (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h>
2181 - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before
2183 - (dtucker) OpenBSD CVS Sync
2184 - stevesk@cvs.openbsd.org 2006/07/10 16:01:57
2185 [sftp-glob.c sftp-common.h sftp.c]
2186 buffer.h only needed in sftp-common.h and remove some unneeded
2187 user includes; ok djm@
2188 - jmc@cvs.openbsd.org 2006/07/10 16:04:21
2191 - stevesk@cvs.openbsd.org 2006/07/10 16:37:36
2192 [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c
2193 auth.c packet.c log.c]
2194 move #include <stdarg.h> out of includes.h; ok markus@
2195 - dtucker@cvs.openbsd.org 2006/07/11 10:12:07
2197 Only copy the part of environment variable that we actually use. Prevents
2198 ssh bailing when SendEnv is used and an environment variable with a really
2199 long value exists. ok djm@
2200 - markus@cvs.openbsd.org 2006/07/11 18:50:48
2201 [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
2202 channels.h readconf.c]
2203 add ExitOnForwardFailure: terminate the connection if ssh(1)
2204 cannot set up all requested dynamic, local, and remote port
2205 forwardings. ok djm, dtucker, stevesk, jmc
2206 - stevesk@cvs.openbsd.org 2006/07/11 20:07:25
2207 [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
2208 sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
2209 includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
2210 sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
2211 ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
2212 move #include <errno.h> out of includes.h; ok markus@
2213 - stevesk@cvs.openbsd.org 2006/07/11 20:16:43
2215 cast asterisk field precision argument to int to remove warning;
2217 - stevesk@cvs.openbsd.org 2006/07/11 20:27:56
2219 need <errno.h> here also (it's also included in <openssl/err.h>)
2220 - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
2221 [sshd.c servconf.h servconf.c sshd_config.5 auth.c]
2222 Add support for conditional directives to sshd_config via a "Match"
2223 keyword, which works similarly to the "Host" directive in ssh_config.
2224 Lines after a Match line override the default set in the main section
2225 if the condition on the Match line is true, eg
2226 AllowTcpForwarding yes
2228 AllowTcpForwarding no
2229 will allow port forwarding by all users except "anoncvs".
2230 Currently only a very small subset of directives are supported.
2232 - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c
2233 openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c
2234 openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>.
2235 - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h.
2236 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too.
2237 - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h.
2238 - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c
2239 openbsd-compat/rresvport.c] More errno.h.
2242 - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
2243 openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
2244 include paths.h. Fixes build error on Solaris.
2245 - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably
2249 - (dtucker) [INSTALL] New autoconf version: 2.60.
2251 - djm@cvs.openbsd.org 2006/06/14 10:50:42
2253 limit the number of pre-banner characters we will accept; ok markus@
2254 - djm@cvs.openbsd.org 2006/06/26 10:36:15
2256 mention optional bind_address in runtime port forwarding setup
2257 command-line help. patch from santhi.amirta AT gmail.com
2258 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
2259 [ssh.1 ssh.c ssh_config.5 sshd_config.5]
2260 more details and clarity for tun(4) device forwarding; ok and help
2262 - stevesk@cvs.openbsd.org 2006/07/02 18:36:47
2263 [gss-serv-krb5.c gss-serv.c]
2264 no "servconf.h" needed here
2265 (gss-serv-krb5.c change not applied, portable needs the server options)
2266 - stevesk@cvs.openbsd.org 2006/07/02 22:45:59
2267 [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
2268 move #include <grp.h> out of includes.h
2269 (portable needed uidswap.c too)
2270 - stevesk@cvs.openbsd.org 2006/07/02 23:01:55
2271 [clientloop.c ssh.1]
2272 use -KR[bind_address:]port here; ok djm@
2273 - stevesk@cvs.openbsd.org 2006/07/03 08:54:20
2274 [includes.h ssh.c sshconnect.c sshd.c]
2275 move #include "version.h" out of includes.h; ok markus@
2276 - stevesk@cvs.openbsd.org 2006/07/03 17:59:32
2277 [channels.c includes.h]
2278 move #include <arpa/inet.h> out of includes.h; old ok djm@
2279 (portable needed session.c too)
2280 - stevesk@cvs.openbsd.org 2006/07/05 02:42:09
2281 [canohost.c hostfile.c includes.h misc.c packet.c readconf.c]
2282 [serverloop.c sshconnect.c uuencode.c]
2283 move #include <netinet/in.h> out of includes.h; ok deraadt@
2284 (also ssh-rand-helper.c logintest.c loginrec.c)
2285 - djm@cvs.openbsd.org 2006/07/06 10:47:05
2286 [servconf.c servconf.h session.c sshd_config.5]
2287 support arguments to Subsystem commands; ok markus@
2288 - djm@cvs.openbsd.org 2006/07/06 10:47:57
2289 [sftp-server.8 sftp-server.c]
2290 add commandline options to enable logging of transactions; ok markus@
2291 - stevesk@cvs.openbsd.org 2006/07/06 16:03:53
2292 [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
2293 [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
2294 [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
2295 [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
2296 [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
2297 [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
2299 move #include <pwd.h> out of includes.h; ok markus@
2300 - stevesk@cvs.openbsd.org 2006/07/06 16:22:39
2302 move #include "dns.h" up
2303 - stevesk@cvs.openbsd.org 2006/07/06 17:36:37
2306 - stevesk@cvs.openbsd.org 2006/07/08 21:47:12
2307 [authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
2308 [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
2309 [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
2310 move #include <sys/socket.h> out of includes.h
2311 - stevesk@cvs.openbsd.org 2006/07/08 21:48:53
2312 [monitor.c session.c]
2313 missed these from last commit:
2314 move #include <sys/socket.h> out of includes.h
2315 - stevesk@cvs.openbsd.org 2006/07/08 23:30:06
2317 move user includes after /usr/include files
2318 - stevesk@cvs.openbsd.org 2006/07/09 15:15:11
2319 [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
2320 [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
2321 [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
2322 [sshlogin.c sshpty.c]
2323 move #include <fcntl.h> out of includes.h
2324 - stevesk@cvs.openbsd.org 2006/07/09 15:27:59
2326 use O_RDONLY vs. 0 in open(); no binary change
2327 - djm@cvs.openbsd.org 2006/07/10 11:24:54
2329 remove optind - it isn't used here
2330 - djm@cvs.openbsd.org 2006/07/10 11:25:53
2332 don't log variables that aren't yet set
2333 - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]
2334 [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h]
2335 [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
2336 [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
2338 - djm@cvs.openbsd.org 2006/07/10 12:03:20
2340 duplicate argv at the start of main() because it gets modified later;
2341 pointed out by deraadt@ ok markus@
2342 - djm@cvs.openbsd.org 2006/07/10 12:08:08
2344 fix misparsing of SOCKS 5 packets that could result in a crash;
2345 reported by mk@ ok markus@
2346 - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
2347 [misc.c misc.h sshd.8 sshconnect.c]
2348 Add port identifier to known_hosts for non-default ports, based originally
2349 on a patch from Devin Nate in bz#910.
2350 For any connection using the default port or using a HostKeyAlias the
2351 format is unchanged, otherwise the host name or address is enclosed
2352 within square brackets in the same format as sshd's ListenAddress.
2353 Tested by many, ok markus@.
2354 - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h>
2355 for struct sockaddr on platforms that use the fake-rfc stuff.
2358 - (dtucker) [configure.ac] Try AIX blibpath test in different order when
2359 compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
2360 configure would not select the correct libpath linker flags.
2361 - (dtucker) [INSTALL] A bit more info on autoconf.
2364 - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the
2365 target already exists.
2368 - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf
2369 declaration too. Patch from russ at sludge.net.
2370 - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it,
2371 prevents warnings on platforms where _res is in the system headers.
2372 - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which
2376 - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems
2377 with autoconf 2.60. Patch from vapier at gentoo.org.
2380 - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys
2381 only, otherwise sshd can hang exiting non-interactive sessions.
2384 - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
2385 Works around limitation in Solaris' passwd program for changing passwords
2386 where the username is longer than 8 characters. ok djm@
2387 - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug
2391 - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
2392 tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch
2393 from reyk@, tested by anil@
2394 - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
2395 4.3.3 ML3 or so, the AIX pty layer started passing zero-length writes
2396 on the pty slave as zero-length reads on the pty master, which sshd
2397 interprets as the descriptor closing. Since most things don't do zero
2398 length writes this rarely matters, but occasionally it happens, and when
2399 it does the SSH pty session appears to hang, so we add a special case for
2400 this condition. ok djm@
2403 - (djm) [getput.h] This file has been replaced by functions in misc.c
2405 - djm@cvs.openbsd.org 2006/05/08 10:49:48
2407 uint32_t -> u_int32_t (which we use everywhere else)
2408 (Id sync only - portable already had this)
2409 - markus@cvs.openbsd.org 2006/05/16 09:00:00
2411 missing free; from Kylene Hall
2412 - markus@cvs.openbsd.org 2006/05/17 12:43:34
2413 [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
2414 fix leak; coverity via Kylene Jo Hall
2415 - miod@cvs.openbsd.org 2006/05/18 21:27:25
2416 [kexdhc.c kexgexc.c]
2417 paramter -> parameter
2418 - dtucker@cvs.openbsd.org 2006/05/29 12:54:08
2420 Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
2421 - dtucker@cvs.openbsd.org 2006/05/29 12:56:33
2423 Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in
2424 sample ssh_config. ok markus@
2425 - jmc@cvs.openbsd.org 2006/05/29 16:10:03
2427 oops - previous was too long; split the list of auths up
2428 - mk@cvs.openbsd.org 2006/05/30 11:46:38
2430 Sync usage() with man page and reality.
2432 - jmc@cvs.openbsd.org 2006/05/29 16:13:23
2434 add GSSAPI to the list of authentication methods supported;
2435 - mk@cvs.openbsd.org 2006/05/30 11:46:38
2437 Sync usage() with man page and reality.
2439 - markus@cvs.openbsd.org 2006/06/01 09:21:48
2441 call get_remote_ipaddr() early; fixes logging after client disconnects;
2442 report mpf@; ok dtucker@
2443 - markus@cvs.openbsd.org 2006/06/06 10:20:20
2444 [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
2445 replace remaining setuid() calls with permanently_set_uid() and
2446 check seteuid() return values; report Marcus Meissner; ok dtucker djm
2447 - markus@cvs.openbsd.org 2006/06/08 14:45:49
2448 [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
2449 do not set the gid, noted by solar; ok djm
2450 - djm@cvs.openbsd.org 2006/06/13 01:18:36
2452 always use a format string, even when printing a constant
2453 - djm@cvs.openbsd.org 2006/06/13 02:17:07
2455 revert; i am on drugs. spotted by alexander AT beard.se
2458 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
2459 and slave, we can remove the special-case handling in the audit hook in
2463 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
2464 pointer leak. From kjhall at us.ibm.com, found by coverity.
2467 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
2468 _res, prevents problems on some platforms that have _res as a global but
2469 don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
2470 georg.schwarz at freenet.de, ok djm@.
2471 - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
2472 default. Patch originally from tim@, ok djm
2473 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
2474 do not allow kbdint again after the PAM account check fails. ok djm@
2477 - (dtucker) OpenBSD CVS Sync
2478 - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
2479 [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
2480 Prevent ssh from trying to open private keys with bad permissions more than
2481 once or prompting for their passphrases (which it subsequently ignores
2482 anyway), similar to a previous change in ssh-add. bz #1186, ok djm@
2483 - djm@cvs.openbsd.org 2006/05/04 14:55:23
2485 tighter DH exponent checks here too; feedback and ok markus@
2486 - djm@cvs.openbsd.org 2006/04/01 05:37:46
2488 $OpenBSD$ in here too
2489 - dtucker@cvs.openbsd.org 2006/05/06 08:35:40
2491 Add $OpenBSD$ in comment here too
2494 - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
2495 session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
2496 openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
2497 in Portable-only code; since calloc zeros, remove now-redundant memsets.
2498 Also add a couple of sanity checks. With & ok djm@
2501 - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h
2502 and double including it on IRIX 5.3 causes problems. From Georg Schwarz,
2503 "no objections" tim@
2506 - (djm) OpenBSD CVS Sync
2507 - deraadt@cvs.openbsd.org 2006/04/01 05:42:20
2509 minimal lint cleanup (unused crud, and some size_t); ok djm
2510 - djm@cvs.openbsd.org 2006/04/01 05:50:29
2512 xasprintification; ok deraadt@
2513 - djm@cvs.openbsd.org 2006/04/01 05:51:34
2515 ANSIfy; requested deraadt@
2516 - dtucker@cvs.openbsd.org 2006/04/02 08:34:52
2518 sessionid can be 32 bytes now too when sha256 kex is used; ok djm@
2519 - djm@cvs.openbsd.org 2006/04/03 07:10:38
2521 GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
2522 by dleonard AT vintela.com. use xasprintf() to simplify code while in
2523 there; "looks right" deraadt@
2524 - djm@cvs.openbsd.org 2006/04/16 00:48:52
2525 [buffer.c buffer.h channels.c]
2526 Fix condition where we could exit with a fatal error when an input
2527 buffer became too large and the remote end had advertised a big window.
2528 The problem was a mismatch in the backoff math between the channels code
2529 and the buffer code, so make a buffer_check_alloc() function that the
2530 channels code can use to prospectively check whether an incremental
2531 allocation will succeed. bz #1131, debugged with the assistance of
2532 cove AT wildpackets.com; ok dtucker@ deraadt@
2533 - djm@cvs.openbsd.org 2006/04/16 00:52:55
2534 [atomicio.c atomicio.h]
2535 introduce atomiciov() function that wraps readv/writev to retry
2536 interrupted transfers like atomicio() does for read/write;
2537 feedback deraadt@ dtucker@ stevesk@ ok deraadt@
2538 - djm@cvs.openbsd.org 2006/04/16 00:54:10
2540 avoid making a tiny 4-byte write to send the packet length of sftp
2541 commands, which would result in a separate tiny packet on the wire by
2542 using atomiciov(writev, ...) to write the length and the command in one
2544 - djm@cvs.openbsd.org 2006/04/16 07:59:00
2546 reorder sanity test so that it cannot dereference past the end of the
2547 iov array; well spotted canacar@!
2548 - dtucker@cvs.openbsd.org 2006/04/18 10:44:28
2549 [bufaux.c bufbn.c Makefile.in]
2550 Move Buffer bignum functions into their own file, bufbn.c. This means
2551 that sftp and sftp-server (which use the Buffer functions in bufaux.c
2552 but not the bignum ones) no longer need to be linked with libcrypto.
2554 - djm@cvs.openbsd.org 2006/04/20 09:27:09
2555 [auth.h clientloop.c dispatch.c dispatch.h kex.h]
2556 replace the last non-sig_atomic_t flag used in a signal handler with a
2557 sig_atomic_t, unfortunately with some knock-on effects in other (non-
2558 signal) contexts in which it is used; ok markus@
2559 - markus@cvs.openbsd.org 2006/04/20 09:47:59
2562 - djm@cvs.openbsd.org 2006/04/20 21:53:44
2563 [includes.h session.c sftp.c]
2564 Switch from using pipes to socketpairs for communication between
2565 sftp/scp and ssh, and between sshd and its subprocesses. This saves
2566 a file descriptor per session and apparently makes userland ppp over
2567 ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this
2568 decision on a per-platform basis)
2569 - djm@cvs.openbsd.org 2006/04/22 04:06:51
2571 use setres[ug]id() to permanently revoke privileges; ok deraadt@
2572 (ID Sync only - portable already uses setres[ug]id() whenever possible)
2573 - stevesk@cvs.openbsd.org 2006/04/22 18:29:33
2576 - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get
2580 - (djm) [Makefile.in configure.ac session.c sshpty.c]
2581 [contrib/redhat/sshd.init openbsd-compat/Makefile.in]
2582 [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
2583 [openbsd-compat/port-linux.h] Add support for SELinux, setting
2584 the execution and TTY contexts. based on patch from Daniel Walsh,
2585 bz #880; ok dtucker@
2588 - (djm) [canohost.c] Reorder IP options check so that it isn't broken
2589 by mapped addresses; bz #1179 reported by markw wtech-llc.com;
2594 - deraadt@cvs.openbsd.org 2006/03/27 01:21:18
2596 we can do the size & nmemb check before the integer overflow check;
2598 - deraadt@cvs.openbsd.org 2006/03/27 13:03:54
2600 use strtonum() instead of atoi(), limit dhg size to 64k; ok djm
2601 - djm@cvs.openbsd.org 2006/03/27 23:15:46
2603 always use a format string for addargs; spotted by mouring@
2604 - deraadt@cvs.openbsd.org 2006/03/28 00:12:31
2607 - deraadt@cvs.openbsd.org 2006/03/28 01:52:28
2609 do not accept unreasonable X port numbers; ok djm
2610 - deraadt@cvs.openbsd.org 2006/03/28 01:53:43
2612 use strtonum() to parse the pid from the file, and range check it
2614 - djm@cvs.openbsd.org 2006/03/30 09:41:25
2616 ARGSUSED for dispatch table-driven functions
2617 - djm@cvs.openbsd.org 2006/03/30 09:58:16
2618 [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h]
2619 [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c]
2620 replace {GET,PUT}_XXBIT macros with functionally similar functions,
2621 silencing a heap of lint warnings. also allows them to use
2622 __bounded__ checking which can't be applied to macros; requested
2623 by and feedback from deraadt@
2624 - djm@cvs.openbsd.org 2006/03/30 10:41:25
2625 [ssh.c ssh_config.5]
2626 add percent escape chars to the IdentityFile option, bz #1159 based
2627 on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
2628 - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
2630 Correctly handle truncated files while converting keys; ok djm@
2631 - dtucker@cvs.openbsd.org 2006/03/30 11:40:21
2633 Prevent duplicate log messages when privsep=yes; ok djm@
2634 - jmc@cvs.openbsd.org 2006/03/31 09:09:30
2636 kill trailing whitespace;
2637 - djm@cvs.openbsd.org 2006/03/31 09:13:56
2639 remote user escape is %r not %h; spotted by jmc@
2643 - jakob@cvs.openbsd.org 2006/03/15 08:46:44
2645 if no key files are given when printing the DNS host record, use the
2646 host key file(s) as default. ok djm@
2647 - biorn@cvs.openbsd.org 2006/03/16 10:31:45
2649 Try to display error message even if remout == -1
2651 - djm@cvs.openbsd.org 2006/03/17 22:31:50
2653 another unreachable found by lint
2654 - djm@cvs.openbsd.org 2006/03/17 22:31:11
2656 unreachable statement, found by lint
2657 - djm@cvs.openbsd.org 2006/03/19 02:22:32
2659 memory leaks detected by Coverity via elad AT netbsd.org;
2660 ok deraadt@ dtucker@
2661 - djm@cvs.openbsd.org 2006/03/19 02:22:56
2663 more memory leaks detected by Coverity via elad AT netbsd.org;
2665 - djm@cvs.openbsd.org 2006/03/19 02:23:26
2667 FILE* leak detected by Coverity via elad AT netbsd.org;
2669 - djm@cvs.openbsd.org 2006/03/19 02:24:05
2670 [dh.c readconf.c servconf.c]
2671 potential NULL pointer dereferences detected by Coverity
2672 via elad AT netbsd.org; ok deraadt@
2673 - djm@cvs.openbsd.org 2006/03/19 07:41:30
2675 memory leaks detected by Coverity via elad AT netbsd.org;
2677 - dtucker@cvs.openbsd.org 2006/03/19 11:51:52
2679 Correct strdelim null test; ok djm@
2680 - deraadt@cvs.openbsd.org 2006/03/19 18:52:11
2681 [auth1.c authfd.c channels.c]
2683 - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
2684 [kex.c kex.h monitor.c myproposal.h session.c]
2686 - deraadt@cvs.openbsd.org 2006/03/19 18:56:41
2687 [clientloop.c progressmeter.c serverloop.c sshd.c]
2688 ARGSUSED for signal handlers
2689 - deraadt@cvs.openbsd.org 2006/03/19 18:59:49
2692 - deraadt@cvs.openbsd.org 2006/03/19 18:59:30
2695 - deraadt@cvs.openbsd.org 2006/03/19 18:59:09
2697 whoever thought that break after return was a good idea needs to
2698 get their head examined
2699 - djm@cvs.openbsd.org 2006/03/20 04:09:44
2701 memory leaks detected by Coverity via elad AT netbsd.org;
2703 that should be all of them now
2704 - djm@cvs.openbsd.org 2006/03/20 11:38:46
2706 (really) last of the Coverity diffs: avoid possible NULL deref in
2707 key_free. via elad AT netbsd.org; markus@ ok
2708 - deraadt@cvs.openbsd.org 2006/03/20 17:10:19
2709 [auth.c key.c misc.c packet.c ssh-add.c]
2710 in a switch (), break after return or goto is stupid
2711 - deraadt@cvs.openbsd.org 2006/03/20 17:13:16
2714 - deraadt@cvs.openbsd.org 2006/03/20 17:17:23
2716 in a switch (), break after return or goto is stupid
2717 - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
2718 [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c]
2719 [ssh.c sshpty.c sshpty.h]
2720 sprinkle u_int throughout pty subsystem, ok markus
2721 - deraadt@cvs.openbsd.org 2006/03/20 18:17:20
2722 [auth1.c auth2.c sshd.c]
2723 sprinkle some ARGSUSED for table driven functions (which sometimes
2724 must ignore their args)
2725 - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
2726 [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c]
2727 [ssh-rsa.c ssh.c sshlogin.c]
2728 annoying spacing fixes getting in the way of real diffs
2729 - deraadt@cvs.openbsd.org 2006/03/20 18:27:50
2732 - deraadt@cvs.openbsd.org 2006/03/20 18:35:12
2734 x11_fake_data is only ever used as u_char *
2735 - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
2737 cast xstrdup to proper u_char *
2738 - deraadt@cvs.openbsd.org 2006/03/20 18:42:27
2739 [canohost.c match.c ssh.c sshconnect.c]
2740 be strict with tolower() casting
2741 - deraadt@cvs.openbsd.org 2006/03/20 18:48:34
2742 [channels.c fatal.c kex.c packet.c serverloop.c]
2744 - deraadt@cvs.openbsd.org 2006/03/20 21:11:53
2747 - djm@cvs.openbsd.org 2006/03/25 00:05:41
2748 [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c]
2749 [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
2750 [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
2751 [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
2752 [xmalloc.c xmalloc.h]
2753 introduce xcalloc() and xasprintf() failure-checked allocations
2754 functions and use them throughout openssh
2756 xcalloc is particularly important because malloc(nmemb * size) is a
2757 dangerous idiom (subject to integer overflow) and it is time for it
2760 feedback and ok deraadt@
2761 - djm@cvs.openbsd.org 2006/03/25 01:13:23
2762 [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
2763 [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
2765 change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
2766 to xrealloc(p, new_nmemb, new_itemsize).
2768 realloc is particularly prone to integer overflows because it is
2769 almost always allocating "n * size" bytes, so this is a far safer
2771 - djm@cvs.openbsd.org 2006/03/25 01:30:23
2773 "abormally" is a perfectly cromulent word, but "abnormally" is better
2774 - djm@cvs.openbsd.org 2006/03/25 13:17:03
2775 [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
2776 [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
2777 [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
2778 [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
2779 [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
2780 [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
2781 [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
2782 [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
2783 [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
2784 [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
2785 [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
2786 [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
2787 [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
2788 [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
2789 [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
2790 [uidswap.c uuencode.c xmalloc.c]
2791 Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
2792 Theo nuked - our scripts to sync -portable need them in the files
2793 - deraadt@cvs.openbsd.org 2006/03/25 18:29:35
2794 [auth-rsa.c authfd.c packet.c]
2795 needed casts (always will be needed)
2796 - deraadt@cvs.openbsd.org 2006/03/25 18:30:55
2797 [clientloop.c serverloop.c]
2799 - deraadt@cvs.openbsd.org 2006/03/25 18:36:15
2800 [sshlogin.c sshlogin.h]
2801 nicer size_t and time_t types
2802 - deraadt@cvs.openbsd.org 2006/03/25 18:40:14
2804 cast strtonum() result to right type
2805 - deraadt@cvs.openbsd.org 2006/03/25 18:41:45
2807 mark two more signal handlers ARGSUSED
2808 - deraadt@cvs.openbsd.org 2006/03/25 18:43:30
2810 use strtonum() instead of atoi() [limit X screens to 400, sorry]
2811 - deraadt@cvs.openbsd.org 2006/03/25 18:56:55
2812 [bufaux.c channels.c packet.c]
2813 remove (char *) casts to a function that accepts void * for the arg
2814 - deraadt@cvs.openbsd.org 2006/03/25 18:58:10
2816 delete cast not required
2817 - djm@cvs.openbsd.org 2006/03/25 22:22:43
2818 [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
2819 [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
2820 [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
2821 [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
2822 [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
2823 [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
2824 [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h]
2825 [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
2826 [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
2827 [ttymodes.h uidswap.h uuencode.h xmalloc.h]
2828 standardise spacing in $OpenBSD$ tags; requested by deraadt@
2829 - deraadt@cvs.openbsd.org 2006/03/26 01:31:48
2835 - djm@cvs.openbsd.org 2006/03/16 04:24:42
2837 Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs
2838 that OpenSSH supports
2839 - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
2840 [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
2841 [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
2842 [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
2843 [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
2844 [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
2845 [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
2846 [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
2847 [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
2848 [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
2849 [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
2850 [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
2851 [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
2852 [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
2853 [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
2854 [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
2855 [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
2856 [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
2857 [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
2858 [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
2859 [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
2860 [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
2861 [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
2862 [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
2864 - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
2865 [kex.h myproposal.h]
2867 - djm@cvs.openbsd.org 2006/03/20 04:07:22
2869 GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
2870 reviewed by simon AT sxw.org.uk; deraadt@ ok
2871 - djm@cvs.openbsd.org 2006/03/20 04:07:49
2873 more GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
2874 reviewed by simon AT sxw.org.uk; deraadt@ ok
2875 - djm@cvs.openbsd.org 2006/03/20 04:08:18
2877 last lot of GSSAPI related leaks detected by Coverity via
2878 elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
2879 - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
2880 [monitor_wrap.h sshpty.h]
2881 sprinkle u_int throughout pty subsystem, ok markus
2882 - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
2884 annoying spacing fixes getting in the way of real diffs
2885 - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
2887 cast xstrdup to proper u_char *
2888 - jakob@cvs.openbsd.org 2006/03/22 21:16:24
2890 simplify SSHFP example; ok jmc@
2891 - djm@cvs.openbsd.org 2006/03/22 21:27:15
2892 [deattack.c deattack.h]
2893 remove IV support from the CRC attack detector, OpenSSH has never used
2894 it - it only applied to IDEA-CFB, which we don't support.
2895 prompted by NetBSD Coverity report via elad AT netbsd.org;
2896 feedback markus@ "nuke it" deraadt@
2899 - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
2901 - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take
2902 a LLONG rather than a long. Fixes scp'ing of large files on platforms
2903 with missing/broken snprintfs. Patch from e.borovac at bom.gov.au.
2906 - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
2907 - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
2908 /usr/include/crypto. Hint from djm@.
2909 - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
2910 Disable sha256 when openssl < 0.9.7. Patch from djm@.
2911 - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old
2915 - (djm) OpenBSD CVS Sync:
2916 - msf@cvs.openbsd.org 2006/02/06 15:54:07
2920 - jmc@cvs.openbsd.org 2006/02/06 21:44:47
2922 make this a little less ambiguous...
2923 - stevesk@cvs.openbsd.org 2006/02/07 01:08:04
2924 [auth-rhosts.c includes.h]
2925 move #include <netgroup.h> out of includes.h; ok markus@
2926 - stevesk@cvs.openbsd.org 2006/02/07 01:18:09
2927 [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c]
2928 move #include <sys/queue.h> out of includes.h; ok markus@
2929 - stevesk@cvs.openbsd.org 2006/02/07 01:42:00
2930 [channels.c clientloop.c clientloop.h includes.h packet.h]
2931 [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c]
2932 move #include <termios.h> out of includes.h; ok markus@
2933 - stevesk@cvs.openbsd.org 2006/02/07 01:52:50
2936 - stevesk@cvs.openbsd.org 2006/02/07 03:47:05
2938 "packet.h" not needed
2939 - stevesk@cvs.openbsd.org 2006/02/07 03:59:20
2942 - stevesk@cvs.openbsd.org 2006/02/08 12:15:27
2943 [auth.c clientloop.c includes.h misc.c monitor.c readpass.c]
2944 [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c]
2946 move #include <paths.h> out of includes.h; ok markus@
2947 - stevesk@cvs.openbsd.org 2006/02/08 12:32:49
2949 move #include <netinet/tcp.h> out of includes.h; ok markus@
2950 - stevesk@cvs.openbsd.org 2006/02/08 13:15:44
2951 [gss-serv.c monitor.c]
2953 - stevesk@cvs.openbsd.org 2006/02/08 14:16:59
2955 <openssl/bn.h> not needed
2956 - stevesk@cvs.openbsd.org 2006/02/08 14:31:30
2957 [includes.h ssh-agent.c ssh-keyscan.c ssh.c]
2958 move #include <sys/resource.h> out of includes.h; ok markus@
2959 - stevesk@cvs.openbsd.org 2006/02/08 14:38:18
2960 [includes.h packet.c]
2961 move #include <netinet/in_systm.h> and <netinet/ip.h> out of
2962 includes.h; ok markus@
2963 - stevesk@cvs.openbsd.org 2006/02/08 23:51:24
2964 [includes.h scp.c sftp-glob.c sftp-server.c]
2965 move #include <dirent.h> out of includes.h; ok markus@
2966 - stevesk@cvs.openbsd.org 2006/02/09 00:32:07
2968 #include <sys/endian.h> not needed; ok djm@
2969 NB. ID Sync only - we still need this (but it may move later)
2970 - jmc@cvs.openbsd.org 2006/02/09 10:10:47
2972 - move some text into a CAVEATS section
2973 - merge the COMMAND EXECUTION... section into AUTHENTICATION
2974 - stevesk@cvs.openbsd.org 2006/02/10 00:27:13
2975 [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c]
2976 [ssh.c sshd.c sshpty.c]
2977 move #include <sys/ioctl.h> out of includes.h; ok markus@
2978 - stevesk@cvs.openbsd.org 2006/02/10 01:44:27
2979 [includes.h monitor.c readpass.c scp.c serverloop.c session.c]
2980 [sftp.c sshconnect.c sshconnect2.c sshd.c]
2981 move #include <sys/wait.h> out of includes.h; ok markus@
2982 - otto@cvs.openbsd.org 2006/02/11 19:31:18
2984 type correctness; from Ray Lai in PR 5011; ok millert@
2985 - djm@cvs.openbsd.org 2006/02/12 06:45:34
2986 [ssh.c ssh_config.5]
2987 add a %l expansion code to the ControlPath, which is filled in with the
2988 local hostname at runtime. Requested by henning@ to avoid some problems
2989 with /home on NFS; ok dtucker@
2990 - djm@cvs.openbsd.org 2006/02/12 10:44:18
2992 raise error when the user specifies a RekeyLimit that is smaller than 16
2993 (the smallest of our cipher's blocksize) or big enough to cause integer
2994 wraparound; ok & feedback dtucker@
2995 - jmc@cvs.openbsd.org 2006/02/12 10:49:44
2997 slight rewording; ok djm
2998 - jmc@cvs.openbsd.org 2006/02/12 10:52:41
3000 rework the description of authorized_keys a little;
3001 - jmc@cvs.openbsd.org 2006/02/12 17:57:19
3003 sort the list of options permissible w/ authorized_keys;
3005 - jmc@cvs.openbsd.org 2006/02/13 10:16:39
3007 no need to subsection the authorized_keys examples - instead, convert
3008 this to look like an actual file. also use proto 2 keys, and use IETF
3010 - jmc@cvs.openbsd.org 2006/02/13 10:21:25
3012 small tweaks for the ssh_known_hosts section;
3013 - jmc@cvs.openbsd.org 2006/02/13 11:02:26
3015 turn this into an example ssh_known_hosts file; ok djm
3016 - jmc@cvs.openbsd.org 2006/02/13 11:08:43
3018 - avoid nasty line split
3019 - `*' does not need to be escaped
3020 - jmc@cvs.openbsd.org 2006/02/13 11:27:25
3022 sort FILES and use a -compact list;
3023 - david@cvs.openbsd.org 2006/02/15 05:08:24
3025 typo in comment; ok djm@
3026 - jmc@cvs.openbsd.org 2006/02/15 16:53:20
3028 remove the IETF draft references and replace them with some updated RFCs;
3029 - jmc@cvs.openbsd.org 2006/02/15 16:55:33
3031 remove ietf draft references; RFC list now maintained in ssh.1;
3032 - jmc@cvs.openbsd.org 2006/02/16 09:05:34
3034 sync some of the FILES entries w/ ssh.1;
3035 - jmc@cvs.openbsd.org 2006/02/19 19:52:10
3037 move the sshrc stuff out of FILES, and into its own section:
3038 FILES is not a good place to document how stuff works;
3039 - jmc@cvs.openbsd.org 2006/02/19 20:02:17
3041 sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
3042 - jmc@cvs.openbsd.org 2006/02/19 20:05:00
3045 - jmc@cvs.openbsd.org 2006/02/19 20:12:25
3047 add some vertical space;
3048 - stevesk@cvs.openbsd.org 2006/02/20 16:36:15
3049 [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c]
3050 move #include <sys/un.h> out of includes.h; ok djm@
3051 - stevesk@cvs.openbsd.org 2006/02/20 17:02:44
3052 [clientloop.c includes.h monitor.c progressmeter.c scp.c]
3053 [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c]
3054 move #include <signal.h> out of includes.h; ok markus@
3055 - stevesk@cvs.openbsd.org 2006/02/20 17:19:54
3056 [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c]
3057 [authfile.c clientloop.c includes.h readconf.c scp.c session.c]
3058 [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c]
3059 [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c]
3060 [sshconnect2.c sshd.c sshpty.c]
3061 move #include <sys/stat.h> out of includes.h; ok markus@
3062 - stevesk@cvs.openbsd.org 2006/02/22 00:04:45
3063 [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c]
3065 move #include <ctype.h> out of includes.h; ok djm@
3066 - jmc@cvs.openbsd.org 2006/02/24 10:25:14
3068 add section on patterns;
3069 from dtucker + myself
3070 - jmc@cvs.openbsd.org 2006/02/24 10:33:54
3072 signpost to PATTERNS;
3073 - jmc@cvs.openbsd.org 2006/02/24 10:37:07
3075 tidy up the refs to PATTERNS;
3076 - jmc@cvs.openbsd.org 2006/02/24 10:39:52
3078 signpost to PATTERNS section;
3079 - jmc@cvs.openbsd.org 2006/02/24 20:22:16
3080 [ssh-keysign.8 ssh_config.5 sshd_config.5]
3081 some consistency fixes;
3082 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
3083 [ssh.1 ssh_config.5 sshd.8 sshd_config.5]
3084 more consistency fixes;
3085 - jmc@cvs.openbsd.org 2006/02/24 23:20:07
3087 some grammar/wording fixes;
3088 - jmc@cvs.openbsd.org 2006/02/24 23:43:57
3090 some grammar/wording fixes;
3091 - jmc@cvs.openbsd.org 2006/02/24 23:51:17
3093 oops - bits i missed;
3094 - jmc@cvs.openbsd.org 2006/02/25 12:26:17
3096 document the possible values for KbdInteractiveDevices;
3098 - jmc@cvs.openbsd.org 2006/02/25 12:28:34
3100 document the order in which allow/deny directives are processed;
3102 - jmc@cvs.openbsd.org 2006/02/26 17:17:18
3104 move PATTERNS to the end of the main body; requested by dtucker
3105 - jmc@cvs.openbsd.org 2006/02/26 18:01:13
3107 subsection is pointless here;
3108 - jmc@cvs.openbsd.org 2006/02/26 18:03:10
3111 - djm@cvs.openbsd.org 2006/02/28 01:10:21
3113 fix logout recording when privilege separation is disabled, analysis and
3114 patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@
3115 NB. ID sync only - patch already in portable
3116 - djm@cvs.openbsd.org 2006/03/04 04:12:58
3118 move a debug() outside of a signal handler; ok markus@ a little while back
3119 - djm@cvs.openbsd.org 2006/03/12 04:23:07
3122 - djm@cvs.openbsd.org 2006/03/13 08:16:00
3124 don't log that we are listening on a socket before the listen() call
3125 actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@
3126 - dtucker@cvs.openbsd.org 2006/03/13 08:33:00
3128 Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
3129 poor performance and protocol stalls under some network conditions (mindrot
3130 bugs #556 and #981). Patch originally from markus@, ok djm@
3131 - dtucker@cvs.openbsd.org 2006/03/13 08:43:16
3133 Make ssh-keygen handle CR and CRLF line termination when converting IETF
3134 format keys, in addition to vanilla LF. mindrot #1157, tested by Chris
3136 - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
3137 [misc.c ssh_config.5 sshd_config.5]
3138 Allow config directives to contain whitespace by surrounding them by double
3139 quotes. mindrot #482, man page help from jmc@, ok djm@
3140 - dtucker@cvs.openbsd.org 2006/03/13 10:26:52
3141 [authfile.c authfile.h ssh-add.c]
3142 Make ssh-add check file permissions before attempting to load private
3143 key files multiple times; it will fail anyway and this prevents confusing
3144 multiple prompts and warnings. mindrot #1138, ok djm@
3145 - djm@cvs.openbsd.org 2006/03/14 00:15:39
3147 log the originating address and not just the name when a reverse
3148 mapping check fails, requested by linux AT linuon.com
3149 - markus@cvs.openbsd.org 2006/03/14 16:32:48
3150 [ssh_config.5 sshd_config.5]
3151 *AliveCountMax applies to protocol v2 only; ok dtucker, djm
3152 - djm@cvs.openbsd.org 2006/03/07 09:07:40
3153 [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
3154 Implement the diffie-hellman-group-exchange-sha256 key exchange method
3155 using the SHA256 code in libc (and wrapper to make it into an OpenSSL
3156 EVP), interop tested against CVS PuTTY
3157 NB. no portability bits committed yet
3158 - (djm) [configure.ac defines.h kex.c md-sha256.c]
3159 [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h]
3160 [openbsd-compat/sha2.c] First stab at portability glue for SHA256
3161 KEX support, should work with libc SHA256 support or OpenSSL
3162 EVP_sha256 if present
3163 - (djm) [includes.h] Restore accidentally dropped netinet/in.h
3164 - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files
3165 - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present
3166 - (djm) [regress/.cvsignore] Ignore Makefile here
3167 - (djm) [loginrec.c] Need stat.h
3168 - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with
3170 - (djm) [ssh-rand-helper.c] Needs a bunch of headers
3171 - (djm) [ssh-agent.c] Restore dropped stat.h
3172 - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out
3173 SHA384, which we don't need and doesn't compile without tweaks
3174 - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
3175 [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
3176 [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
3177 [openbsd-compat/glob.c openbsd-compat/mktemp.c]
3178 [openbsd-compat/readpassphrase.c] Lots of include fixes for
3180 - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:"
3181 - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some
3182 includes removed from includes.h
3183 - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE
3184 - (djm) [includes.h] Put back paths.h, it is needed in defines.h
3185 - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs
3186 sys/ioctl.h for struct winsize.
3187 - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD.
3190 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
3191 since not all platforms support it. Instead, use internal equivalent while
3192 computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf*
3193 as it's no longer required. Tested by Bernhard Simon, ok djm@
3196 - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a
3197 file rather than directory, required as Cygwin will be importing lastlog(1).
3198 Also tightens up permissions on the file. Patch from vinschen@redhat.com.
3199 - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h
3200 includes. Patch from gentoo.riverrat at gmail.com.
3203 - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY
3204 patch from kraai at ftbfs.org.
3207 - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
3208 reality. Pointed out by tryponraj at gmail.com.
3211 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only
3212 compile in compat code if required.
3215 - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about
3216 redefinition of SSLeay_add_all_algorithms.
3219 - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
3220 Add optional enabling of OpenSSL's (hardware) Engine support, via
3221 configure --with-ssl-engine. Based in part on a diff by michal at
3225 - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/]
3226 Add first attempt at regress tests for compat library. ok djm@
3229 - (tim) [buildpkg.sh.in] Make the names consistent.
3230 s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@
3233 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned
3234 to silence compiler warning, from vinschen at redhat.com.
3235 - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX.
3236 - (dtucker) [README version.h contrib/caldera/openssh.spec
3237 contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version
3238 strings to match 4.3p2 release.
3241 - (tim) [session.c] Logout records were not updated on systems with
3242 post auth privsep disabled due to bug 1086 changes. Analysis and patch
3243 by vinschen at redhat.com. OK tim@, dtucker@.
3244 - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
3245 -> NEED_SETPGRP), reported by Bernhard Simon. ok tim@
3248 - (tim) [configure.ac] Remove unnecessary tests for net/if.h and
3249 netinet/in_systm.h. OK dtucker@.
3252 - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test
3253 for Solaris. OK dtucker@.
3254 - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by
3258 - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
3259 AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
3260 by a platform specific check, builtin standard includes tests will be
3261 skipped on the other platforms.
3262 Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
3266 - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it
3267 works with picky compilers. Patch from alex.kiernan at thus.net.
3270 - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
3271 determine the user's login name - needed for regress tests on Solaris
3273 - (djm) OpenBSD CVS Sync
3274 - jmc@cvs.openbsd.org 2006/02/01 09:06:50
3276 - merge sections on protocols 1 and 2 into a single section
3277 - remove configuration file section
3279 - jmc@cvs.openbsd.org 2006/02/01 09:11:41
3282 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
3283 [contrib/suse/openssh.spec] Update versions ahead of release
3284 - markus@cvs.openbsd.org 2006/02/01 11:27:22
3287 - (djm) Release OpenSSH 4.3p1
3290 - (djm) OpenBSD CVS Sync
3291 - jmc@cvs.openbsd.org 2006/01/20 11:21:45
3293 - word change, agreed w/ markus
3295 - jmc@cvs.openbsd.org 2006/01/25 09:04:34
3297 move the options description up the page, and a few additional tweaks
3300 - jmc@cvs.openbsd.org 2006/01/25 09:07:22
3302 move subsections to full sections;
3303 - jmc@cvs.openbsd.org 2006/01/26 08:47:56
3305 add a section on verifying host keys in dns;
3306 written with a lot of help from jakob;
3307 feedback dtucker/markus;
3309 - reyk@cvs.openbsd.org 2006/01/30 12:22:22
3311 mark channel as write failed or dead instead of read failed on error
3312 of the channel output filter.
3314 - jmc@cvs.openbsd.org 2006/01/30 13:37:49
3316 remove an incorrect sentence;
3317 reported by roumen petrov;
3319 - djm@cvs.openbsd.org 2006/01/31 10:19:02
3320 [misc.c misc.h scp.c sftp.c]
3321 fix local arbitrary command execution vulnerability on local/local and
3322 remote/remote copies (CVE-2006-0225, bz #1094), patch by
3323 t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
3324 - djm@cvs.openbsd.org 2006/01/31 10:35:43
3326 "scp a b c" shouldn't clobber "c" when it is not a directory, report and
3327 fix from biorn@; ok markus@
3328 - (djm) Sync regress tests to OpenBSD:
3329 - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
3330 [regress/forwarding.sh]
3331 Regress test for ClearAllForwardings (bz #994); ok markus@
3332 - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
3333 [regress/multiplex.sh]
3334 Don't call cleanup in multiplex as test-exec will cleanup anyway
3335 found by tim@, ok djm@
3336 NB. ID sync only, we already had this
3337 - djm@cvs.openbsd.org 2005/05/20 23:14:15
3338 [regress/test-exec.sh]
3339 force addressfamily=inet for tests, unbreaking dynamic-forward regress for
3340 recently committed nc SOCKS5 changes
3341 - djm@cvs.openbsd.org 2005/05/24 04:10:54
3342 [regress/try-ciphers.sh]
3343 oops, new arcfour modes here too
3344 - markus@cvs.openbsd.org 2005/06/30 11:02:37
3346 allow SUDO=sudo; from Alexander Bluhm
3347 - grunk@cvs.openbsd.org 2005/11/14 21:25:56
3348 [regress/agent-getpeereid.sh]
3349 all other scripts in this dir use $SUDO, not 'sudo', so pull this even
3351 - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
3352 [regress/scp-ssh-wrapper.sh]
3353 Fix assumption about how many args scp will pass; ok djm@
3354 NB. ID sync only, we already had this
3355 - djm@cvs.openbsd.org 2006/01/27 06:49:21
3357 regress test for local to local scp copies; ok dtucker@
3358 - djm@cvs.openbsd.org 2006/01/31 10:23:23
3360 regression test for CVE-2006-0225 written by dtucker@
3361 - djm@cvs.openbsd.org 2006/01/31 10:36:33
3363 regress test for "scp a b c" where "c" is not a directory
3366 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
3367 opensshd.init script interpreter if /sbin/sh does not exist. ok tim@
3370 - (dtucker) OpenBSD CVS Sync
3371 - jmc@cvs.openbsd.org 2006/01/15 17:37:05
3373 correction from deraadt
3374 - jmc@cvs.openbsd.org 2006/01/18 10:53:29
3376 add a section on ssh-based vpn, based on reyk's README.tun;
3377 - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
3378 [scp.1 ssh.1 ssh_config.5 sftp.1]
3379 Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
3380 #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
3383 - (djm) OpenBSD CVS Sync
3384 - jmc@cvs.openbsd.org 2006/01/06 13:27:32
3386 weed out some duplicate info in the known_hosts FILES entries;
3388 - jmc@cvs.openbsd.org 2006/01/06 13:29:10
3390 final round of whacking FILES for duplicate info, and some consistency
3393 - jmc@cvs.openbsd.org 2006/01/12 14:44:12
3395 split sections on tcp and x11 forwarding into two sections.
3396 add an example in the tcp section, based on sth i wrote for ssh faq;
3397 help + ok: djm markus dtucker
3398 - jmc@cvs.openbsd.org 2006/01/12 18:48:48
3400 refer to `TCP' rather than `TCP/IP' in the context of connection
3403 - jmc@cvs.openbsd.org 2006/01/12 22:20:00
3405 refer to TCP forwarding, rather than TCP/IP forwarding;
3406 - jmc@cvs.openbsd.org 2006/01/12 22:26:02
3408 refer to TCP forwarding, rather than TCP/IP forwarding;
3409 - jmc@cvs.openbsd.org 2006/01/12 22:34:12
3411 back out a sentence - AUTHENTICATION already documents this;
3414 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
3415 tcpip service so it's always started after IP is up. Patch from
3416 vinschen at redhat.com.
3419 - (djm) OpenBSD CVS Sync
3420 - jmc@cvs.openbsd.org 2006/01/03 16:31:10
3422 move FILES to a -compact list, and make each file an item in that list.
3423 this avoids nasty line wrap when we have long pathnames, and treats
3424 each file as a separate item;
3425 remove the .Pa too, since it is useless.
3426 - jmc@cvs.openbsd.org 2006/01/03 16:35:30
3428 use a larger width for the ENVIRONMENT list;
3429 - jmc@cvs.openbsd.org 2006/01/03 16:52:36
3431 put FILES in some sort of order: sort by pathname
3432 - jmc@cvs.openbsd.org 2006/01/03 16:55:18
3434 tweak the description of ~/.ssh/environment
3435 - jmc@cvs.openbsd.org 2006/01/04 18:42:46
3437 chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
3440 - jmc@cvs.openbsd.org 2006/01/04 18:45:01
3442 remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
3443 - jmc@cvs.openbsd.org 2006/01/04 19:40:24
3445 +.Xr ssh-keyscan 1 ,
3446 - jmc@cvs.openbsd.org 2006/01/04 19:50:09
3449 - djm@cvs.openbsd.org 2006/01/05 23:43:53
3451 check that stdio file descriptors are actually closed before clobbering
3452 them in sanitise_stdfd(). problems occurred when a lower numbered fd was
3453 closed, but higher ones weren't. spotted by, and patch tested by
3457 - (djm) [channels.c] clean up harmless merge error, from reyk@
3460 - (djm) OpenBSD CVS Sync
3461 - jmc@cvs.openbsd.org 2006/01/02 17:09:49
3462 [ssh_config.5 sshd_config.5]
3463 some corrections from michael knudsen;
3466 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
3467 - (djm) OpenBSD CVS Sync
3468 - jmc@cvs.openbsd.org 2005/12/31 10:46:17
3470 merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
3471 AUTHENTICATION" sections into "AUTHENTICATION";
3472 some rewording done to make the text read better, plus some
3473 improvements from djm;
3475 - jmc@cvs.openbsd.org 2005/12/31 13:44:04
3477 clean up ENVIRONMENT a little;
3478 - jmc@cvs.openbsd.org 2005/12/31 13:45:19
3480 .Nm does not require an argument;
3481 - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
3483 move <net/if.h>; ok djm@
3484 - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
3486 no trailing "\n" for debug()
3487 - djm@cvs.openbsd.org 2006/01/02 01:20:31
3488 [sftp-client.c sftp-common.h sftp-server.c]
3489 use a common max. packet length, no binary change
3490 - reyk@cvs.openbsd.org 2006/01/02 07:53:44
3492 clarify tun(4) opening - set the mode and bring the interface up. also
3493 (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
3494 suggested and ok by djm@
3495 - jmc@cvs.openbsd.org 2006/01/02 12:31:06
3497 start to cut some duplicate info from FILES;
3501 - (djm) [Makefile.in configure.ac includes.h misc.c]
3502 [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
3503 for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
3504 limited to IPv4 tunnels only, and most versions don't support the
3505 tap(4) device at all.
3506 - (djm) [configure.ac] Fix linux/if_tun.h test
3507 - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
3510 - (djm) OpenBSD CVS Sync
3511 - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
3512 [canohost.c channels.c clientloop.c]
3513 use 'break-in' for consistency; ok deraadt@ ok and input jmc@
3514 - reyk@cvs.openbsd.org 2005/12/30 15:56:37
3515 [channels.c channels.h clientloop.c]
3516 add channel output filter interface.
3517 ok djm@, suggested by markus@
3518 - jmc@cvs.openbsd.org 2005/12/30 16:59:00
3520 do not suggest that interactive authentication will work
3522 based on a diff from john l. scarfone;
3524 - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
3526 document -MM; ok djm@
3527 - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
3528 [serverloop.c ssh.c openbsd-compat/Makefile.in]
3529 [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
3530 compatibility support for Linux, diff from reyk@
3531 - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
3533 - (djm) [configure.ac] oops, make that linux/if_tun.h
3536 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
3539 - (djm) OpenBSD CVS Sync
3540 - jmc@cvs.openbsd.org 2005/12/20 21:59:43
3542 merge the sections on protocols 1 and 2 into one section on
3544 feedback djm dtucker
3545 ok deraadt markus dtucker
3546 - jmc@cvs.openbsd.org 2005/12/20 22:02:50
3548 .Ss -> .Sh: subsections have not made this page more readable
3549 - jmc@cvs.openbsd.org 2005/12/20 22:09:41
3551 move info on ssh return values and config files up into the main
3553 - jmc@cvs.openbsd.org 2005/12/21 11:48:16
3555 -L and -R descriptions are now above, not below, ~C description;
3556 - jmc@cvs.openbsd.org 2005/12/21 11:57:25
3558 options now described `above', rather than `later';
3559 - jmc@cvs.openbsd.org 2005/12/21 12:53:31
3561 -Y does X11 forwarding too;
3563 - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
3565 clarify precedence of -p, Port, ListenAddress; ok and help jmc@
3566 - jmc@cvs.openbsd.org 2005/12/22 10:31:40
3568 put the description of "UsePrivilegedPort" in the correct place;
3569 - jmc@cvs.openbsd.org 2005/12/22 11:23:42
3571 expand the description of -w somewhat;
3573 - jmc@cvs.openbsd.org 2005/12/23 14:55:53
3575 - sync the description of -e w/ synopsis
3576 - simplify the description of -I
3577 - note that -I is only available if support compiled in, and that it
3580 - jmc@cvs.openbsd.org 2005/12/23 23:46:23
3582 less mark up for -c;
3583 - djm@cvs.openbsd.org 2005/12/24 02:27:41
3585 eliminate some code duplicated in privsep and non-privsep paths, and
3586 explicitly clear SIGALRM handler; "groovy" deraadt@
3589 - (dtucker) OpenBSD CVS Sync
3590 - reyk@cvs.openbsd.org 2005/12/13 15:03:02
3592 if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
3593 - jmc@cvs.openbsd.org 2005/12/16 18:07:08
3595 move the option descriptions up the page: start of a restructure;
3597 - jmc@cvs.openbsd.org 2005/12/16 18:08:53
3599 simplify a sentence;
3600 - jmc@cvs.openbsd.org 2005/12/16 18:12:22
3602 make the description of -c a little nicer;
3603 - jmc@cvs.openbsd.org 2005/12/16 18:14:40
3605 signpost the protocol sections;
3606 - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
3607 [ssh_config.5 session.c]
3608 spelling: fowarding, fowarded
3609 - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
3611 spelling: intented -> intended
3612 - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
3614 exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
3617 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
3618 openbsd-compat/openssl-compat.h] Check for and work around broken AES
3619 ciphers >128bit on (some) Solaris 10 systems. ok djm@
3622 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
3623 scp.c also uses, so undef them here.
3624 - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
3625 snprintf replacement can have a conflicting declaration in HP-UX's system
3626 headers (const vs. no const) so we now check for and work around it. Patch
3627 from the dynamic duo of David Leonard and Ted Percival.
3630 - (dtucker) OpenBSD CVS Sync (regress/)
3631 - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
3632 [regress/scp-ssh-wrapper.sh]
3633 Fix assumption about how many args scp will pass; ok djm@
3636 - (djm) OpenBSD CVS Sync
3637 - jmc@cvs.openbsd.org 2005/11/30 11:18:27
3639 timezone -> time zone
3640 - jmc@cvs.openbsd.org 2005/11/30 11:45:20
3642 avoid ambiguities in describing TZ;
3644 - reyk@cvs.openbsd.org 2005/12/06 22:38:28
3645 [auth-options.c auth-options.h channels.c channels.h clientloop.c]
3646 [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
3647 [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
3648 [sshconnect.h sshd.8 sshd_config sshd_config.5]
3649 Add support for tun(4) forwarding over OpenSSH, based on an idea and
3650 initial channel code bits by markus@. This is a simple and easy way to
3651 use OpenSSH for ad hoc virtual private network connections, e.g.
3652 administrative tunnels or secure wireless access. It's based on a new
3653 ssh channel and works similar to the existing TCP forwarding support,
3654 except that it depends on the tun(4) network interface on both ends of
3655 the connection for layer 2 or layer 3 tunneling. This diff also adds
3656 support for LocalCommand in the ssh(1) client.
3657 ok djm@, markus@, jmc@ (manpages), tested and discussed with others
3658 - djm@cvs.openbsd.org 2005/12/07 03:52:22
3660 reyk forgot to compile with -Werror (missing header)
3661 - jmc@cvs.openbsd.org 2005/12/07 10:52:13
3663 - avoid line split in SYNOPSIS
3665 - kill trailing whitespace
3666 - jmc@cvs.openbsd.org 2005/12/08 14:59:44
3667 [ssh.1 ssh_config.5]
3668 make `!command' a little clearer;
3670 - jmc@cvs.openbsd.org 2005/12/08 15:06:29
3672 keep options in order;
3673 - reyk@cvs.openbsd.org 2005/12/08 18:34:11
3674 [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
3675 [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
3676 two changes to the new ssh tunnel support. this breaks compatibility
3677 with the initial commit but is required for a portable approach.
3678 - make the tunnel id u_int and platform friendly, use predefined types.
3679 - support configuration of layer 2 (ethernet) or layer 3
3680 (point-to-point, default) modes. configuration is done using the
3681 Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
3682 restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
3684 ok djm@, man page bits by jmc@
3685 - jmc@cvs.openbsd.org 2005/12/08 21:37:50
3687 new sentence, new line;
3688 - markus@cvs.openbsd.org 2005/12/12 13:46:18
3689 [channels.c channels.h session.c]
3690 make sure protocol messages for internal channels are ignored.
3691 allow adjust messages for non-open channels; with and ok djm@
3692 - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
3693 again by providing a sys_tun_open() function for your platform and
3694 setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match
3695 OpenBSD's tunnel protocol, which prepends the address family to the
3699 - (djm) [envpass.sh] Remove regress script that was accidentally committed
3700 in top level directory and not noticed for over a year :)
3703 - (tim) [ssh-keygen.c] Move DSA length test after setting default when
3705 - (dtucker) OpenBSD CVS Sync
3706 - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
3708 Populate default key sizes before checking them; from & ok tim@
3709 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
3713 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
3714 versions of GNU head. Based on patch from zappaman at buraphalinux.org
3715 - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
3716 _GNU_SOURCE instead. Patch from t8m at centrum.cz.
3717 - (dtucker) OpenBSD CVS Sync
3718 - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
3719 [ssh-keygen.1 ssh-keygen.c]
3720 Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
3721 increase minimum RSA key size to 768 bits and update man page to reflect
3722 these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
3723 ok djm@, grudging ok deraadt@.
3724 - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
3726 Update agent socket path templates to reflect reality, correct xref for
3727 time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@
3730 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
3731 when they're available) need the real UID set otherwise pam_chauthtok will
3732 set ADMCHG after changing the password, forcing the user to change it
3736 - (dtucker) [configure.ac] Apply tim's fix for older systems where the
3737 resolver state in resolv.h is "state" not "__res_state". With slight
3738 modification by me to also work on old AIXes. ok djm@
3739 - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
3740 snprintf formats, fixes warnings on some 64 bit platforms. Patch from
3741 shaw at vranix.com, ok djm@
3744 - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c
3745 openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an
3746 asprintf() implementation, after syncing our {v,}snprintf() implementation
3747 with some extra fixes from Samba's version. With help and debugging from
3748 dtucker and tim; ok dtucker@
3749 - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
3750 order in Reliant Unix block. Patch from johane at lysator.liu.se.
3751 - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
3752 many and use them only once. Speeds up testing on older/slower hardware.
- (dtucker) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2005/11/12 18:37:59
- deraadt@cvs.openbsd.org 2005/11/12 18:38:15
avoid close(-1), as in rcp; ok cloder
- millert@cvs.openbsd.org 2005/11/15 11:59:54
Include sys/queue.h explicitly instead of assuming some other header
will pull it in. At the moment it gets pulled in by sys/select.h
(which ssh has no business including) via event.h. OK markus@
(ID sync only in -portable)
- dtucker@cvs.openbsd.org 2005/11/21 09:42:10
Perform Kerberos calls even for invalid users to prevent leaking
information about account validity. bz #975, patch originally from
Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
- dtucker@cvs.openbsd.org 2005/11/22 03:36:03
Correct format/arguments to debug call; spotted by shaw at vranix.com
- (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
from shaw at vranix.com.
- (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
- (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
ifdef lost during sync. Spotted by tim@.
- (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
- (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
- (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@
- (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
test: if sshd takes too long to reconfigure the subsequent connection will
fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready.
- (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
- (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
unnecessary prototype.
- (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
- (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
- (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
since they're not useful right now. Patch from djm@.
- (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
prototypes, removal of "register").
- (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
- (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
after the copyright notices. Having them at the top next to the CVSIDs
guarantees a conflict for each and every sync.
- (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
- (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
- (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
Removal of rcsid, "whiteout" inode type.
- (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
Removal of rcsid, will no longer strlcpy parts of the string.
- (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
- (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
- (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
- (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
- (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
- (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
- (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
- (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
with OpenBSD code since we don't support platforms without fstat any more.
- (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
- (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
- (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
- (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
- (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
- (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
- (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
- (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
- (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
- (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
- (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
Id and copyright sync only, there were no substantial changes we need.
- (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
-Wsign-compare fixes from djm.
- (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
Id and copyright sync only, there were no substantial changes we need.
- (dtucker) [configure.ac] Try to get the gcc version number in a way that
doesn't change between versions, and use a safer default.
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2005/10/07 11:13:57
change DSA default back to 1024, as it's defined for 1024 bits only
and this causes interop problems with other clients. moreover,
in order to improve the security of DSA you need to change more
components of DSA key generation (e.g. the internal SHA1 hash);
- djm@cvs.openbsd.org 2005/10/10 10:23:08
[channels.c channels.h clientloop.c serverloop.c session.c]
fix regression I introduced in 4.2: X11 forwardings initiated after
a session has exited (e.g. "(sleep 5; xterm) &") would not start.
bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
- djm@cvs.openbsd.org 2005/10/11 23:37:37
bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
bind() failure when a previous connection's listeners are in TIME_WAIT,
reported by plattner AT inf.ethz.ch; ok dtucker@
- stevesk@cvs.openbsd.org 2005/10/13 14:03:01
[auth2-gss.c gss-genr.c gss-serv.c]
remove unneeded #includes; ok markus@
- stevesk@cvs.openbsd.org 2005/10/13 14:20:37
spelling in comments
- stevesk@cvs.openbsd.org 2005/10/13 19:08:08
[gss-serv-krb5.c gss-serv.c]
unused declarations; ok deraadt@
(id sync only for gss-serv-krb5.c)
- stevesk@cvs.openbsd.org 2005/10/13 19:13:41
unneeded #include, unused declaration, little knf; ok deraadt@
- stevesk@cvs.openbsd.org 2005/10/13 22:24:31
[auth2-gss.c gss-genr.c gss-serv.c monitor.c]
- stevesk@cvs.openbsd.org 2005/10/14 02:17:59
[ssh-keygen.c ssh.c sshconnect2.c]
no trailing "\n" for log functions; ok djm@
- stevesk@cvs.openbsd.org 2005/10/14 02:29:37
[channels.c clientloop.c]
free()->xfree(); ok djm@
- stevesk@cvs.openbsd.org 2005/10/15 15:28:12
make external definition static; ok deraadt@
- stevesk@cvs.openbsd.org 2005/10/17 13:45:05
fix memory leaks from 2 sources:
1) key_fingerprint_raw()
2) malloc in dns_read_rdata()
- stevesk@cvs.openbsd.org 2005/10/17 14:01:28
remove #ifdef LWRES; ok jakob@
- stevesk@cvs.openbsd.org 2005/10/17 14:13:35
more cleanups; ok jakob@
- djm@cvs.openbsd.org 2005/10/30 01:23:19
mention control socket fallback behaviour, reported by
tryponraj AT gmail.com
- djm@cvs.openbsd.org 2005/10/30 04:01:03
make ssh-keygen discard junk from server before SSH- ident, spotted by
dave AT cirt.net; ok dtucker@
- djm@cvs.openbsd.org 2005/10/30 04:03:24
fix misleading debug message; ok dtucker@
- dtucker@cvs.openbsd.org 2005/10/30 08:29:29
Check for connections with IP options earlier and drop silently. ok djm@
- jmc@cvs.openbsd.org 2005/10/30 08:43:47
remove trailing whitespace;
- djm@cvs.openbsd.org 2005/10/30 08:52:18
[clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
[ssh.c sshconnect.c sshconnect1.c sshd.c]
no need to escape single quotes in comments, no binary change
- dtucker@cvs.openbsd.org 2005/10/31 06:15:04
Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
- djm@cvs.openbsd.org 2005/10/31 11:12:49
[ssh-keygen.1 ssh-keygen.c]
generate a protocol 2 RSA key by default
- djm@cvs.openbsd.org 2005/10/31 11:48:29
make sure we clean up wtmp, etc. file when we receive a SIGTERM,
SIGINT or SIGQUIT when running without privilege separation (the
normal privsep case is already OK). Patch mainly by dtucker@ and
senthilkumar_sen AT hotpop.com; ok dtucker@
- jmc@cvs.openbsd.org 2005/10/31 19:55:25
- dtucker@cvs.openbsd.org 2005/11/03 13:38:29
Cache reverse lookups with and without DNS separately; ok markus@
- djm@cvs.openbsd.org 2005/11/04 05:15:59
[kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
remove hardcoded hash lengths in key exchange code, allowing
implementation of KEX methods with different hashes (e.g. SHA-256);
ok markus@ dtucker@ stevesk@
- djm@cvs.openbsd.org 2005/11/05 05:01:15
Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
cs.stanford.edu; ok dtucker@
- (dtucker) [README.platform] Add PAM section.
- (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
- (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
- (djm) [contrib/suse/openssh.spec contrib/suse/rc.sshd
contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init
files from imorgan AT nas.nasa.gov
- (dtucker) [session.c] Bug #1045: do not check /etc/nologin when PAM is
enabled, instead allow PAM to handle it. Note that on platforms using PAM,
the pam_nologin module should be added to sshd's session stack in order to
maintain existing behaviour. Based on patch and discussion from t8m at
- (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
sizeof(long long) checks, to make fixing bug #1104 easier (no changes
- (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
understand "%lld", even though the compiler has "long long", so handle
it as a special case. Patch tested by mcaskill.scott at epa.gov.
- (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
prompt. Patch from vinschen at redhat.com.
- (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
/etc/default/login report and testing from aabaker at iee.org, corrections
- (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
versions from OpenBSD. ok djm@
- (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
brian.smith at agilent com.
- (djm) [configure.ac] missing 'test' call for -with-Werror test
- (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
"*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
senthilkumar_sen at hotpop.com.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2005/09/07 08:53:53
enforce chanid != NULL; ok djm
- markus@cvs.openbsd.org 2005/09/09 19:18:05
typo; from mark at mcs.vuw.ac.nz, bug #1082
- djm@cvs.openbsd.org 2005/09/13 23:40:07
[sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
ensure that stdio fds are attached; ok deraadt@
- djm@cvs.openbsd.org 2005/09/19 11:37:34
[ssh_config.5 ssh.1]
mention ability to specify bind_address for DynamicForward and -D options;
bz#1077 spotted by Haruyama Seigo
- djm@cvs.openbsd.org 2005/09/19 11:47:09
stop connection abort on rekey with delayed compression enabled when
post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
- djm@cvs.openbsd.org 2005/09/19 11:48:10
- jmc@cvs.openbsd.org 2005/09/19 15:38:27
some more .Bk/.Ek to avoid ugly line split;
- jmc@cvs.openbsd.org 2005/09/19 15:42:44
update -D usage here too;
- djm@cvs.openbsd.org 2005/09/19 23:31:31
spelling nit from stevesk@
- djm@cvs.openbsd.org 2005/09/21 23:36:54
aquire -> acquire, from stevesk@
- djm@cvs.openbsd.org 2005/09/21 23:37:11
change label at markus@'s request
- jaredy@cvs.openbsd.org 2005/09/30 20:34:26
deploy .An -nosplit; ok jmc
- dtucker@cvs.openbsd.org 2005/10/03 07:44:42
Relocate check_ip_options call to prevent logging of garbage for
connections with IP options set. bz#1092 from David Leonard,
"looks good" deraadt@
- (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
is required in the system path for the multiplex test to work.
- (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
for strtoll. Patch from o.flebbe at science-computing.de.
- (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
child during PAM account check without clearing it. This restores the
post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
with help from several others.
- (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
introduced during sync.
- (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
- (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
PAM via keyboard-interactive. Patch tested by the folks at Vintela.
- (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
calls, since they can't possibly fail. ok djm@
- (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
process when sshd relies on ssh-random-helper. Should result in faster
logins on systems without a real random device or prngd. ok djm@
- (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
duplicate call. ok djm@
- (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
skeleten at shillest.net.
- (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
- (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
- (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
- (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
OpenServer 6 and add osr5bigcrypt support so when someone migrates
passwords between UnixWare and OpenServer they will still work. OK dtucker@