2 - (djm) Bug #629: Mark ssh_config option "pamauthenticationviakbdint"
3 as deprecated. Remove mention from README.privsep. Patch from
5 - (dtucker) OpenBSD CVS Sync
6 - markus@cvs.openbsd.org 2003/08/22 10:56:09
7 [auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
8 gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
9 readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
10 ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
11 support GSS API user authentication; patches from Simon Wilkinson,
12 stripped down and tested by Jakob and myself.
13 - markus@cvs.openbsd.org 2003/08/22 13:20:03
15 remove support for "kerberos-2@ssh.com"
16 - markus@cvs.openbsd.org 2003/08/22 13:22:27
17 [auth2.c] (auth2-krb5.c removed)
18 nuke "kerberos-2@ssh.com"
19 - markus@cvs.openbsd.org 2003/08/22 20:55:06
22 - deraadt@cvs.openbsd.org 2003/08/24 17:36:52
23 [monitor.c monitor_wrap.c sshconnect2.c]
24 64 bit cleanups; markus ok
25 - fgsch@cvs.openbsd.org 2003/08/25 08:13:09
27 fix div by zero when listing for filename lengths longer than width.
29 - djm@cvs.openbsd.org 2003/08/25 10:33:33
31 fprintf->logit to silence login banner with "ssh -q"; ok markus@
32 - (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
33 configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
34 sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
35 - (dtucker) [Makefile.in] Remove auth2-krb5.
36 - (dtucker) [contrib/aix/inventory.sh] Add public domain notice. ok mouring@
40 - (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
42 - (bal) openbsd-compat/ OpenBSD updates. Mostly licensing, ansifications
43 and minor fixes. OK djm@
44 - (bal) redo how we handle 'mysignal()'. Move it to
45 openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to
46 be our 'mysignal' by default. OK djm@
47 - (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny
48 any access to locked accounts. ok djm@
49 - (djm) Bug #564: Perform PAM account checks for all authentications when
50 UsePAM=yes; ok dtucker
51 - (dtucker) [configure.ac] Bug #533, #551: define BROKEN_GETADDRINFO on
52 Tru64, solves getnameinfo and "bad addr or host" errors. ok djm@
53 - (dtucker) [README buildbff.sh inventory.sh] (all in contrib/aix)
54 Update package builder: correctly handle config variables, use lsuser
55 rather than /etc/passwd, fix typos, add Id's.
58 - (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal
60 - (dtucker) [contrib/cygwin/ssh-user-config] Put keys in authorized_keys
61 rather that authorized_keys2. Patch from vinschen@redhat.com.
64 - (dtucker) OpenBSD CVS Sync
65 - markus@cvs.openbsd.org 2003/08/14 16:08:58
67 exit after primetest, ok djm@
68 - (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros,
69 change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for
71 - (dtucker) [configure.ac] Move openpty/ctty test outside of case statement
72 and after normal openpty test.
75 - (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge.
76 - (dtucker) OpenBSD CVS Sync
77 - markus@cvs.openbsd.org 2003/08/13 08:33:02
79 use more portable tcsendbreak(3) and ignore break_length;
81 - markus@cvs.openbsd.org 2003/08/13 08:46:31
82 [auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
83 ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
84 remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
85 fgsch@, miod@, henning@, jakob@ and others
86 - markus@cvs.openbsd.org 2003/08/13 09:07:10
88 socks4->socks, since with support both 4 and 5; dtucker@zip.com.au
89 - (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
90 Add a tcsendbreak function for platforms that don't have one, based on the
94 - (dtucker) OpenBSD CVS Sync
95 (thanks to Simon Wilkinson for help with this -dt)
96 - markus@cvs.openbsd.org 2003/07/16 15:02:06
98 mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
99 otherwise the kerberos credentinal is stored in a memory cache
100 in the privileged sshd. ok jabob@, hin@ (some time ago)
101 - (dtucker) [openbsd-compat/xcrypt.c] Remove Cygwin #ifdef block (duplicate
102 in bsd-cygwin_util.h).
105 - (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and
106 AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
107 separately before defining them.
108 - (dtucker) [auth-pam.c] Don't set PAM_TTY if tty is null. ok djm@
111 - (dtucker) [session.c] Have session_break_req not attempt to send a break
112 if TIOCSBRK and TIOCCBRK are not defined (eg Cygwin).
113 - (dtucker) [canohost.c] Bug #336: Only check ip options if IP_OPTIONS is
114 defined (fixes compile error on really old Linuxes).
115 - (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if
116 not already defined (eg Linux with some versions of libc5), based on those
118 - (dtucker) [openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
119 Remove incorrect filenames from comments (file names are in Id tags).
120 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.h] Move Cygwin
121 specific defines and includes to bsd-cygwin_util.h. Fixes build error too.
124 - (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
125 - (dtucker) OpenBSD CVS Sync
126 - markus@cvs.openbsd.org 2003/07/22 13:35:22
127 [auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
128 monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
129 ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
130 remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
132 - (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
133 - (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
134 - (dtucker) OpenBSD CVS Sync
135 - markus@cvs.openbsd.org 2003/07/23 07:42:43
138 - djm@cvs.openbsd.org 2003/07/28 09:49:56
139 [ssh-keygen.1 ssh-keygen.c]
140 Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen.
141 Based on code from Phil Karn, William Allen Simpson and Niels Provos.
142 ok markus@, thanks jmc@
143 - markus@cvs.openbsd.org 2003/07/29 18:24:00
144 [LICENCE progressmeter.c]
145 replace 4 clause BSD licensed progressmeter code with a replacement
146 from Nils Nordman and myself; ok deraadt@
147 (copied from OpenBSD an re-applied portable changes)
148 - markus@cvs.openbsd.org 2003/07/29 18:26:46
150 fix length for "- stalled -" (included with previous import)
151 - markus@cvs.openbsd.org 2003/07/30 07:44:14
153 use only 4 digits in format_size (included with previous import)
154 - markus@cvs.openbsd.org 2003/07/30 07:53:27
156 whitespace (included with previous import)
157 - markus@cvs.openbsd.org 2003/07/31 09:21:02
159 check whether passwd auth is allowd, similar to proto 1; rob@pitman.co.za
161 - avsm@cvs.openbsd.org 2003/07/31 15:50:16
163 correct comment: atomicio takes vwrite, not write; deraadt@ ok
164 - markus@cvs.openbsd.org 2003/07/31 22:34:03
166 print rate similar old version; round instead truncate;
167 (included in previous progressmeter.c commit)
168 - (dtucker) [openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
169 Add a tcgetpgrp function.
170 - (dtucker) [Makefile.in moduli.c moduli.h] Add new files and to Makefile.
171 - (dtucker) [openbsd-compat/bsd-misc.c] Fix cut-and-paste bug in tcgetpgrp.
174 - (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
177 - (dtucker) [openbsd-compat/xcrypt.c] Fix typo: DISABLED_SHADOW ->
178 DISABLE_SHADOW. Fixes HP-UX compile error.
181 - (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.c
182 openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface,
183 and isolate shadow password functions. Tested in Solaris, but should
184 not break other platforms too badly (except maybe HP =). Also brings
185 auth-passwd.c into full sync with OpenBSD tree.
188 - (dtucker) [configure.ac] Back out change for bug #620.
191 - (dtucker) [configure.ac] Bug #620: Define BROKEN_GETADDRINFO for
192 Solaris/x86. Patch from jrhett at isite.net.
193 - (dtucker) OpenBSD CVS Sync
194 - markus@cvs.openbsd.org 2003/07/14 12:36:37
196 remove undocumented -V option. would be only useful if openssh is used
197 as ssh v1 server for ssh.com's ssh v2.
198 - markus@cvs.openbsd.org 2003/07/16 10:34:53
200 don't exit on multiple -v or -d; ok deraadt@
201 - markus@cvs.openbsd.org 2003/07/16 10:36:28
203 clear IUCLC in enter_raw_mode; from rob@pitman.co.za; ok deraadt@, fgs@
204 - deraadt@cvs.openbsd.org 2003/07/18 01:54:25
206 userid is unsigned, but well, force it anyways; andrushock@korovino.net
207 - djm@cvs.openbsd.org 2003/07/19 00:45:53
209 fix sftp filename parsing for arguments with escaped quotes. bz #517;
211 - djm@cvs.openbsd.org 2003/07/19 00:46:31
212 [regress/sftp-cmds.sh]
213 regress test for sftp arguments with escaped quotes; ok markus
216 - (dtucker) [acconfig.h configure.ac port-aix.c] Older AIXes don't declare
217 loginfailed at all, so assume 3-arg loginfailed if not declared.
218 - (dtucker) [port-aix.h] Work around name collision on AIX for r_type by
220 - (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h]
221 Call setauthdb() before loginfailed(), which may load password registry-
222 specific functions. Based on patch by cawlfiel at us.ibm.com.
223 - (dtucker) [port-aix.h] Fix prototypes.
224 - (dtucker) OpenBSD CVS Sync
225 - avsm@cvs.openbsd.org 2003/07/09 13:58:19
227 minor tweak: when generating the hex fingerprint, give strlcat the full
228 bound to the buffer, and add a comment below explaining why the
229 zero-termination is one less than the bound. markus@ ok
230 - markus@cvs.openbsd.org 2003/07/10 14:42:28
232 the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
233 blowfish, etc, so enforce a 1GB limit for small blocksizes.
234 - markus@cvs.openbsd.org 2003/07/10 20:05:55
236 sync usage with manpage, add missing -R
239 - (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
240 Include AIX headers for authentication functions and make calls match
241 prototypes. Test for and handle 3-arg and 4-arg variants of loginfailed.
242 - (dtucker) [session.c] Check return value of setpcred().
243 - (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
244 Convert aixloginmsg into platform-independant Buffer loginmsg.
247 - (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
248 searching libraries for it. Fixes build errors on NCR MP-RAS.
251 - (dtucker) [ssh-rand-helper.c loginrec.c]
252 Apply atomicio typing change to these too.
255 - (dtucker) OpenBSD CVS Sync
256 - djm@cvs.openbsd.org 2003/06/28 07:48:10
258 report pidfile creation errors, based on patch from Roumen Petrov;
260 - deraadt@cvs.openbsd.org 2003/06/28 16:23:06
261 [atomicio.c atomicio.h authfd.c clientloop.c monitor_wrap.c msg.c
262 progressmeter.c scp.c sftp-client.c ssh-keyscan.c ssh.h sshconnect.c
264 deal with typing of write vs read in atomicio
265 - markus@cvs.openbsd.org 2003/06/29 12:44:38
267 memset 0, not \0; andrushock@korovino.net
268 - markus@cvs.openbsd.org 2003/07/02 12:56:34
270 deny dynamic forwarding with -R for v1, too; ok djm@
271 - markus@cvs.openbsd.org 2003/07/02 14:51:16
272 [channels.c ssh.1 ssh_config.5]
273 (re)add socks5 suppport to -D; ok djm@
274 now ssh(1) can act both as a socks 4 and socks 5 server and
275 dynamically forward ports.
276 - markus@cvs.openbsd.org 2003/07/02 20:37:48
278 convert hostkeyalias to lowercase, otherwise uppercase aliases will
279 not match at all; ok henning@
280 - markus@cvs.openbsd.org 2003/07/03 08:21:46
281 [regress/dynamic-forward.sh]
282 add socks5; speedup; reformat; based on patch from dtucker@zip.com.au
283 - markus@cvs.openbsd.org 2003/07/03 08:24:13
285 enable tests for dynamic fwd via socks (-D), uses nc(1)
286 - djm@cvs.openbsd.org 2003/07/03 08:09:06
287 [readconf.c readconf.h ssh-keysign.c ssh.c]
288 fix AddressFamily option in config file, from brent@graveland.net;
292 - (djm) Search for support functions necessary to build our
293 getrrsetbyname() replacement. Patch from Roumen Petrov
296 - (dtucker) [includes.h] Bug #602: move #include of netdb.h to after in.h
297 (fixes compiler warnings on Solaris 2.5.1).
298 - (dtucker) [configure.ac] Add sanity test after system-dependant compiler
302 - (djm) Bug #591: use PKCS#15 private key label as a comment in case
303 of OpenSC. Report and patch from larsch@trustcenter.de
304 - (djm) Bug #593: Sanity check OpenSC card reader number; patch from
306 - (dtucker) OpenBSD CVS Sync
307 - markus@cvs.openbsd.org 2003/06/23 09:02:44
309 document EnableSSHKeysign; bugzilla #599; ok deraadt@, jmc@
310 - markus@cvs.openbsd.org 2003/06/24 08:23:46
311 [auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h
312 monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c]
313 int -> u_int; ok djm@, deraadt@, mouring@
314 - miod@cvs.openbsd.org 2003/06/25 22:39:36
316 Typo police: attribute is better written with an 'r'.
317 - markus@cvs.openbsd.org 2003/06/26 20:08:33
319 do not dump core for 'ssh -o proxycommand host'; ok deraadt@
320 - (dtucker) [regress/dynamic-forward.sh] Import new regression test.
321 - (dtucker) [configure.ac] Bug #570: Have ./configure --enable-FEATURE
322 actually enable the feature, for those normally disabled. Patch by
323 openssh (at) roumenpetrov.info.
326 - (dtucker) Have configure refer the user to config.log and
327 contrib/findssl.sh for OpenSSL header/library mismatches.
330 - (dtucker) OpenBSD CVS Sync
331 - markus@cvs.openbsd.org 2003/06/21 09:14:05
332 [regress/reconfigure.sh]
333 missing $SUDO; from dtucker@zip.com.au
334 - markus@cvs.openbsd.org 2003/06/18 11:28:11
336 backout last change, since it violates pkcs#1
337 switch to share/misc/license.template
338 - djm@cvs.openbsd.org 2003/06/20 05:47:58
340 sync description of protocol 2 cipher proposal; ok markus
341 - djm@cvs.openbsd.org 2003/06/20 05:48:21
343 sync some implemented options; ok markus@
344 - (dtucker) [regress/authorized_keys_root] Remove temp data file from CVS.
345 - (dtucker) [openbsd-compat/setproctitle.c] Ensure SPT_TYPE is defined before
349 - (djm) OpenBSD CVS Sync
350 - markus@cvs.openbsd.org 2003/06/12 07:57:38
351 [monitor.c sshlogin.c sshpty.c]
352 typos; dtucker at zip.com.au
353 - djm@cvs.openbsd.org 2003/06/12 12:22:47
355 mention more copyright holders; ok markus@
356 - nino@cvs.openbsd.org 2003/06/12 15:34:09
359 - markus@cvs.openbsd.org 2003/06/12 19:12:03
360 [scard.c scard.h ssh-agent.c ssh.c]
361 add sc_get_key_label; larsch at trustcenter.de; bugzilla#591
362 - markus@cvs.openbsd.org 2003/06/16 08:22:35
364 make sure the signature has at least the expected length (don't
365 insist on len == hlen + oidlen, since this breaks some smartcards)
366 bugzilla #592; ok djm@
367 - markus@cvs.openbsd.org 2003/06/16 10:22:45
369 print out key comment on each prompt; make ssh-askpass more useable; ok djm@
370 - markus@cvs.openbsd.org 2003/06/17 18:14:23
372 use license from /usr/share/misc/license.template for new code
373 - (dtucker) [reconfigure.sh rekey.sh sftp-badcmds.sh]
374 Import new regression tests from OpenBSD
375 - (dtucker) [regress/copy.1 regress/copy.2] Remove temp data files from CVS.
376 - (dtucker) OpenBSD CVS Sync (regress/)
377 - markus@cvs.openbsd.org 2003/04/02 12:21:13
380 - djm@cvs.openbsd.org 2003/04/04 09:34:22
381 [Makefile sftp-cmds.sh]
382 More regression tests, including recent directory rename bug; ok markus@
383 - markus@cvs.openbsd.org 2003/05/14 22:08:27
384 [ssh-com-client.sh ssh-com-keygen.sh ssh-com-sftp.sh ssh-com.sh]
385 test against some new commerical versions
386 - mouring@cvs.openbsd.org 2003/05/15 04:07:12
388 Advanced put/get testing for sftp. OK @djm
389 - markus@cvs.openbsd.org 2003/06/12 15:40:01
392 - markus@cvs.openbsd.org 2003/06/12 15:43:32
394 test -HUP; dtucker at zip.com.au
397 - (djm) Update license on fake-rfc2553.[ch]; ok itojun@
400 - (djm) Mention portable copyright holders in LICENSE
401 - (djm) Put licenses on substantial header files
402 - (djm) Sync LICENSE against OpenBSD
403 - (djm) OpenBSD CVS Sync
404 - jmc@cvs.openbsd.org 2003/06/10 09:12:11
405 [scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5]
406 [sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
408 - COMPATIBILITY merge
410 - kill whitespace at EOL
411 - new sentence, new line
413 - deraadt@cvs.openbsd.org 2003/06/10 22:20:52
414 [packet.c progressmeter.c]
415 mostly ansi cleanup; pval ok
416 - jakob@cvs.openbsd.org 2003/06/11 10:16:16
418 clean up check_host_key() and improve SSHFP feedback. ok markus@
419 - jakob@cvs.openbsd.org 2003/06/11 10:18:47
421 sync with check_host_key() change
422 - djm@cvs.openbsd.org 2003/06/11 11:18:38
423 [authfd.c authfd.h ssh-add.c ssh-agent.c]
424 make agent constraints (lifetime, confirm) work with smartcard keys;
429 - (djm) Sync README.smartcard with OpenBSD -current
430 - (djm) Re-merge OpenSC info into README.smartcard
433 - (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
436 - (djm) Support AI_NUMERICHOST in fake-getaddrinfo.c. Needed for recent
438 - (djm) Implement paranoid priv dropping checks, based on:
439 "SetUID demystified" - Hao Chen, David Wagner and Drew Dean
440 Proceedings of USENIX Security Symposium 2002
441 - (djm) Don't use xmalloc() or pull in toplevel headers in fake-* code
442 - (djm) Merge all the openbsd/fake-* into fake-rfc2553.[ch]
443 - (djm) Bug #588 - Add scard-opensc.o back to Makefile.in
444 Patch from larsch@trustcenter.de
445 - (djm) Bug #589 - scard-opensc: load only keys with a private keys
446 Patch from larsch@trustcenter.de
447 - (dtucker) Add includes.h to fake-rfc2553.c so it will build.
448 - (dtucker) Define EAI_NONAME in fake-rfc2553.h (used by fake-rfc2553.c).
451 - (djm) Bug #573 - Remove unneeded Krb headers and compat goop. Patch from
452 simon@sxw.org.uk (Also matches a change in OpenBSD a while ago)
453 - (djm) Bug #577 - wrong flag in scard-opensc.c sc_private_decrypt.
454 Patch from larsch@trustcenter.de; ok markus@
455 - (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from
456 larsch@trustcenter.de; ok markus@
457 - (djm) OpenBSD CVS Sync
458 - djm@cvs.openbsd.org 2003/06/04 08:25:18
460 disable challenge/response and keyboard-interactive auth methods
461 upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
463 - djm@cvs.openbsd.org 2003/06/04 10:23:48
465 remove duplicated group-dropping code; ok markus@
466 - djm@cvs.openbsd.org 2003/06/04 12:03:59
468 remove bitrotten commet; ok markus@
469 - djm@cvs.openbsd.org 2003/06/04 12:18:49
472 - djm@cvs.openbsd.org 2003/06/04 12:40:39
474 kill ssh process upon receipt of signal, bz #241.
475 based on patch from esb AT hawaii.edu; ok markus@
476 - djm@cvs.openbsd.org 2003/06/04 12:41:22
478 kill ssh process on receipt of signal; ok markus@
479 - (djm) Update to fix of bug #584: lock card before return.
480 From larsch@trustcenter.de
481 - (djm) Always use mysignal() for SIGALRM
484 - (djm) Replace setproctitle replacement with code derived from
486 - (djm) OpenBSD CVS Sync
487 - markus@cvs.openbsd.org 2003/06/02 09:17:34
488 [auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
489 [canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
491 deprecate VerifyReverseMapping since it's dangerous if combined
492 with IP based access control as noted by Mike Harding; replace with
493 a UseDNS option, UseDNS is on by default and includes the
494 VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
496 - millert@cvs.openbsd.org 2003/06/03 02:56:16
498 Remove the advertising clause in the UCB license which Berkeley
499 rescinded 22 July 1999. Proofed by myself and Theo.
500 - (djm) Fix portable-specific uses of verify_reverse_mapping too
501 - (djm) Sync openbsd-compat with OpenBSD CVS.
502 - No more 4-term BSD licenses in linked code
503 - (dtucker) [port-aix.c bsd-cray.c] Fix uses of verify_reverse_mapping.
506 - (djm) Fix segv from bad reordering in auth-pam.c
507 - (djm) Always use saved_argv in sshd.c as compat_init_setproctitle may
509 - (tim) openbsd-compat/xmmap.[ch] License clarifications. Add missing
511 - (djm) Remove "noip6" option from RedHat spec file. This may now be
512 set at runtime using AddressFamily option.
513 - (djm) Fix use of macro before #define in cipher-aes.c
514 - (djm) Sync license on openbsd-compat/bindresvport.c with OpenBSD CVS
515 - (djm) OpenBSD CVS Sync
516 - djm@cvs.openbsd.org 2003/05/26 12:54:40
518 fix format strings; ok markus@
519 - deraadt@cvs.openbsd.org 2003/05/29 16:58:45
521 seteuid and setegid; markus ok
522 - jakob@cvs.openbsd.org 2003/06/02 08:31:10
524 VerifyHostKeyDNS is v2 only. ok markus@
527 - (dtucker) Add missing semicolon in md5crypt.c, patch from openssh at
529 - (dtucker) Define SSHD_ACQUIRES_CTTY for NCR MP-RAS and Reliant Unix.
532 - (djm) Avoid auth2-chall.c warning when compiling without
533 PAM, BSD_AUTH and SKEY
536 - (djm) OpenBSD CVS Sync
537 - djm@cvs.openbsd.org 2003/05/24 09:02:22
539 pass logged data through strnvis; ok markus
540 - djm@cvs.openbsd.org 2003/05/24 09:30:40
541 [authfile.c monitor.c sftp-common.c sshpty.c]
542 cast some types for printing; ok markus@
545 - (dtucker) Correct --osfsia in INSTALL. Patch by skeleten at shillest.net
548 - (djm) Use VIS_SAFE on logged strings rather than default strnvis
549 encoding (which encodes many more characters)
551 - jmc@cvs.openbsd.org 2003/05/20 12:03:35
553 - new sentence, new line
557 - jmc@cvs.openbsd.org 2003/05/20 12:09:31
558 [ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1]
559 new sentence, new line
560 - djm@cvs.openbsd.org 2003/05/23 08:29:30
565 - (djm) OpenBSD CVS Sync
566 - deraadt@cvs.openbsd.org 2003/05/18 23:22:01
568 use syslog_r() in a signal handler called place; markus ok
569 - (djm) Configure logic to detect syslog_r and friends
572 - (djm) Sync auth-pam.h with what we actually implement
575 - (djm) Return of the dreaded PAM_TTY_KLUDGE, which went missing in
577 - (djm) OpenBSD CVS Sync
578 - djm@cvs.openbsd.org 2003/05/16 03:27:12
579 [readconf.c ssh_config ssh_config.5 ssh-keysign.c]
580 add AddressFamily option to ssh_config (like -4, -6 on commandline).
581 Portable bug #534; ok markus@
582 - itojun@cvs.openbsd.org 2003/05/17 03:25:58
584 just in case, put numbers to sscanf %s arg.
585 - markus@cvs.openbsd.org 2003/05/17 04:27:52
586 [cipher.c cipher-ctr.c myproposal.h]
587 experimental support for aes-ctr modes from
588 http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt
590 - (djm) Remove IPv4 by default hack now that we can specify AF in config
591 - (djm) Tidy and trim TODO
592 - (djm) Sync openbsd-compat/ with OpenBSD CVS head
593 - (djm) Big KNF on openbsd-compat/
594 - (djm) KNF on md5crypt.[ch]
595 - (djm) KNF on auth-sia.[ch]
598 - (bal) strcat -> strlcat on openbsd-compat/realpath.c (rev 1.8 OpenBSD)
601 - (djm) OpenBSD CVS Sync
602 - djm@cvs.openbsd.org 2003/05/15 13:52:10
604 Make "ssh -V" print the OpenSSL version in a human readable form. Patch
605 from Craig Leres (mindrot at ee.lbl.gov); ok markus@
606 - jakob@cvs.openbsd.org 2003/05/15 14:02:47
607 [readconf.c servconf.c]
608 warn for unsupported config option. ok markus@
609 - markus@cvs.openbsd.org 2003/05/15 14:09:21
611 fix 64bit issue; report itojun@
612 - djm@cvs.openbsd.org 2003/05/15 14:55:25
613 [readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c]
614 add a ConnectTimeout option to ssh, based on patch from
615 Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@
616 - (djm) Add warning for UsePAM when built without PAM support
617 - (djm) A few type mismatch fixes from Bug #565
618 - (djm) Guard free_pam_environment against NULL argument. Works around
619 HP/UX PAM problems debugged by dtucker
622 - (djm) OpenBSD CVS Sync
623 - jmc@cvs.openbsd.org 2003/05/14 13:11:56
627 - jakob@cvs.openbsd.org 2003/05/14 18:16:20
628 [key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c]
629 [dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c]
630 add experimental support for verifying hos keys using DNS as described
631 in draft-ietf-secsh-dns-xx.txt. more information in README.dns.
632 ok markus@ and henning@
633 - markus@cvs.openbsd.org 2003/05/14 22:24:42
634 [clientloop.c session.c ssh.1]
635 allow to send a BREAK to the remote system; ok various
636 - markus@cvs.openbsd.org 2003/05/15 00:28:28
638 cleanup unregister of per-method packet handlers; ok djm@
639 - jakob@cvs.openbsd.org 2003/05/15 01:48:10
640 [readconf.c readconf.h servconf.c servconf.h]
641 always parse kerberos options. ok djm@ markus@
642 - jakob@cvs.openbsd.org 2003/05/15 02:27:15
644 add missing freerrset
645 - markus@cvs.openbsd.org 2003/05/15 03:08:29
646 [cipher.c cipher-bf1.c cipher-aes.c cipher-3des1.c]
647 split out custom EVP ciphers
648 - djm@cvs.openbsd.org 2003/05/15 03:10:52
650 avoid warning; ok jakob@
651 - mouring@cvs.openbsd.org 2003/05/15 03:39:07
653 Make put/get (globed and nonglobed) code more consistant. OK djm@
654 - mouring@cvs.openbsd.org 2003/05/15 03:43:59
656 Teach ls how to display multiple column display and allow users
657 to return to single column format via 'ls -1'. OK @djm
658 - jakob@cvs.openbsd.org 2003/05/15 04:08:44
659 [readconf.c servconf.c]
660 disable kerberos when not supported. ok markus@
661 - markus@cvs.openbsd.org 2003/05/15 04:08:41
664 - (djm) Always parse UsePAM
665 - (djm) Configure glue for DNS support (code doesn't work in portable yet)
666 - (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support)
667 - (djm) Tidy Makefile clean targets
668 - (djm) Adapt README.dns for portable
669 - (djm) Avoid uuencode.c warnings
670 - (djm) Enable UsePAM when built --with-pam
671 - (djm) Only build getrrsetbyname replacement when using --with-dns
672 - (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv
674 - (djm) Bug #444: Wrong paths after reconfigure
675 - (dtucker) HP-UX needs to include <sys/strtio.h> for TIOCSBRK
678 - (djm) Bug #117: Don't lie to PAM about username
679 - (djm) RCSID sync w/ OpenBSD
680 - (djm) OpenBSD CVS Sync
681 - djm@cvs.openbsd.org 2003/04/09 12:00:37
683 strip trailing whitespace from config lines before parsing.
684 Fixes bz 528; ok markus@
685 - markus@cvs.openbsd.org 2003/04/12 10:13:57
687 hide cipher details; ok djm@
688 - markus@cvs.openbsd.org 2003/04/12 10:15:36
691 - naddy@cvs.openbsd.org 2003/04/12 11:40:15
693 document -V switch, fix wording; ok markus@
694 - markus@cvs.openbsd.org 2003/04/14 14:17:50
695 [channels.c sshconnect.c sshd.c ssh-keyscan.c]
696 avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP
697 - mouring@cvs.openbsd.org 2003/04/14 21:31:27
699 Missing globfree(&g) in process_put() spotted by Vince Brimhall
700 <VBrimhall@novell.com>. ok@ Theo
701 - markus@cvs.openbsd.org 2003/04/16 14:35:27
703 document struct Authctxt; with solar
704 - deraadt@cvs.openbsd.org 2003/04/26 04:29:49
706 -t in usage(); rogier@quaak.org
707 - mouring@cvs.openbsd.org 2003/04/30 01:16:20
708 [sshd.8 sshd_config.5]
709 Escape ?, * and ! in .Ql for nroff compatibility. OpenSSH Portable
710 Bug #550 and * escaping suggested by jmc@.
711 - david@cvs.openbsd.org 2003/04/30 20:41:07
713 fix invalid .Pf macro usage introduced in previous commit
715 - markus@cvs.openbsd.org 2003/05/11 16:56:48
716 [authfile.c ssh-keygen.c]
717 change key_load_public to try to read a public from:
718 rsa1 private or rsa1 public and ssh2 keys.
719 this makes ssh-keygen -e fail for ssh1 keys more gracefully
720 for example; report from itojun (netbsd pr 20550).
721 - markus@cvs.openbsd.org 2003/05/11 20:30:25
722 [channels.c clientloop.c serverloop.c session.c ssh.c]
723 make channel_new() strdup the 'remote_name' (not the caller); ok theo
724 - markus@cvs.openbsd.org 2003/05/12 16:55:37
726 for pubkey authentication try the user keys in the following order:
727 1. agent keys that are found in the config file
729 3. keys that are only listed in the config file
730 this helps when an agent has many keys, where the server might
731 close the connection before the correct key is used. report & ok pb@
732 - markus@cvs.openbsd.org 2003/05/12 18:35:18
734 typo: DSA keys are of type ssh-dss; Brian Poole
735 - markus@cvs.openbsd.org 2003/05/14 00:52:59
737 ranges for per auth method messages
738 - djm@cvs.openbsd.org 2003/05/14 01:00:44
740 emphasise the batchmode functionality and make reference to pubkey auth,
741 both of which are FAQs; ok markus@
742 - markus@cvs.openbsd.org 2003/05/14 02:15:47
743 [auth2.c monitor.c sshconnect2.c auth2-krb5.c]
744 implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
745 server interops with commercial client; ok jakob@ djm@
746 - jmc@cvs.openbsd.org 2003/05/14 08:25:39
748 - better formatting in SYNOPSIS
751 - markus@cvs.openbsd.org 2003/05/14 08:57:49
753 http://bugzilla.mindrot.org/show_bug.cgi?id=560
754 Privsep child continues to run after monitor killed.
755 Pass monitor signals through to child; Darren Tucker
756 - (djm) Make portable build with MIT krb5 (some issues remain)
757 - (djm) Add new UsePAM configuration directive to allow runtime control
758 over usage of PAM. This allows non-root use of sshd when built with
760 - (djm) Die screaming if start_pam() is called when UsePAM=no
761 - (djm) Avoid KrbV leak for MIT Kerberos
762 - (dtucker) Set ai_socktype and ai_protocol in fake-getaddrinfo.c. ok djm@
763 - (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability
766 - (djm) Redhat spec: Don't install profile.d scripts when not
767 building with GNOME/GTK askpass (patch from bet@rahul.net)
770 - (dtucker) Bug #318: Create ssh_prng_cmds.out during "make" rather than
771 "make install". Patch by roth@feep.net.
772 - (dtucker) Bug #536: Test for and work around openpty/controlling tty
773 problem on Linux (fixes "could not set controlling tty" errors).
774 - (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with
775 proper challenge-response module
776 - (djm) 2-clause license on loginrec.c, with permission from
780 - (dtucker) Bug #497: Move #include of bsd-cygwin_util.h to openbsd-compat.h.
781 Patch from vinschen@redhat.com.
784 - (dtucker) Add missing "void" to record_failed_login in bsd-cray.c. Noted
788 - (dtucker) Bug #544: ignore invalid cmsg_type on Linux 2.0 kernels,
789 privsep should now work.
790 - (dtucker) Move handling of bad password authentications into a platform
791 specific record_failed_login() function (affects AIX & Unicos). ok mouring@
794 - (djm) Add back radix.o (used by AFS support), after it went missing from
795 Makefile many moons ago
796 - (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
797 - (djm) Fix blibpath specification for AIX/gcc
798 - (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
801 - (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit
805 - (bal) Bug #541: return; was dropped by mistake. Reported by
807 - (bal) Since we don't support platforms lacking u_int_64. We may
808 as well clean out some of those evil #ifdefs
809 - (bal) auth1.c minor resync while looking at the code.
810 - (bal) auth2.c same changed as above.
813 - (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report
814 from matth@eecs.berkeley.edu
815 - (djm) Make the spec work with Redhat 9.0 (which renames sharutils)
816 - (djm) OpenBSD CVS Sync
817 - markus@cvs.openbsd.org 2003/04/02 09:48:07
818 [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
819 [readconf.h serverloop.c sshconnect2.c]
820 reapply rekeying chage, tested by henning@, ok djm@
821 - markus@cvs.openbsd.org 2003/04/02 14:36:26
823 potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526
824 - itojun@cvs.openbsd.org 2003/04/03 07:25:27
827 - itojun@cvs.openbsd.org 2003/04/03 10:17:35
829 remove $OpenBSD$, as other *.c does not have it.
830 - markus@cvs.openbsd.org 2003/04/07 08:29:57
832 typo: get correct counters; introduced during rekeying change.
833 - millert@cvs.openbsd.org 2003/04/07 21:58:05
835 The UCB copyright here is incorrect. This code did not originate
836 at UCB, it was written by Luke Mewburn. Updated the copyright at
837 the author's request. markus@ OK
838 - itojun@cvs.openbsd.org 2003/04/08 20:21:29
840 rename log() into logit() to avoid name conflict. markus ok, from
842 - (djm) XXX - Performed locally using:
843 "perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h"
844 - hin@cvs.openbsd.org 2003/04/09 08:23:52
846 Don't include <krb.h> when compiling with Kerberos 5 support
847 - (djm) Fix up missing include for packet.c
848 - (djm) Fix missed log => logit occurance (reference by function pointer)
851 - (bal) if IP_TOS is not found or broken don't try to compile in
852 packet_set_tos() function call. bug #527
855 - (djm) OpenBSD CVS Sync
856 - jmc@cvs.openbsd.org 2003/03/28 10:11:43
857 [scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
858 [ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
860 - new sentence new line
863 - markus@cvs.openbsd.org 2003/04/01 10:10:23
864 [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
865 [readconf.h serverloop.c sshconnect2.c]
866 rekeying bugfixes and automatic rekeying:
867 * both client and server rekey _automatically_
868 (a) after 2^31 packets, because after 2^32 packets
869 the sequence number for packets wraps
870 (b) after 2^(blocksize_in_bits/4) blocks
871 (see: draft-ietf-secsh-newmodes-00.txt)
872 (a) and (b) are _enabled_ by default, and only disabled for known
873 openssh versions, that don't support rekeying properly.
874 * client option 'RekeyLimit'
875 * do not reply to requests during rekeying
876 - markus@cvs.openbsd.org 2003/04/01 10:22:21
877 [clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
878 [readconf.h serverloop.c sshconnect2.c]
879 backout rekeying changes (for 3.6.1)
880 - markus@cvs.openbsd.org 2003/04/01 10:31:26
881 [compat.c compat.h kex.c]
882 bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@;
883 tested by ho@ and myself
884 - markus@cvs.openbsd.org 2003/04/01 10:56:46
887 - (djm) Crank spec file versions
888 - (djm) Release 3.6.1p1
891 - (djm) OpenBSD CVS Sync
892 - deraadt@cvs.openbsd.org 2003/03/26 04:02:51
894 one last fix to the tree: race fix broke stuff; pr 3169;
895 srp@srparish.net, help from djm
898 - (djm) Fix getpeerid support for 64 bit BE systems. From
899 Arnd Bergmann <arndb@de.ibm.com>
902 - (djm) OpenBSD CVS Sync
903 - markus@cvs.openbsd.org 2003/03/23 19:02:00
905 unbreak rekeying for privsep; ok millert@
907 - Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
908 Report from murple@murple.net, diagnosis from dtucker@zip.com.au