2 - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.
3 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
4 openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
5 openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
6 for hton* and ntoh* macros. Required on (at least) HP-UX since we define
7 _XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com.
10 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
11 [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
12 [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
13 [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
14 [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
15 [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
16 [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
17 [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
18 [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
19 [sshconnect1.c sshconnect2.c sshd.c]
20 [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
21 [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
22 [openbsd-compat/port-uw.c]
23 Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
24 compile problems reported by rac AT tenzing.org
25 - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
26 [openbsd-compat/rresvport.c] Some more headers: netinet/in.h
27 sys/socket.h and unistd.h in various places
28 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implict declaration
29 warnings for binary_open and binary_close. Patch from Corinna Vinschen.
30 - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
31 test for GLOB_NOMATCH and use our glob functions if it's not found.
32 Stops sftp from segfaulting when attempting to get a nonexistent file on
33 Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
34 from and tested by Corinna Vinschen.
35 - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank
39 - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
40 [platform.c platform.h sshd.c openbsd-compat/Makefile.in]
41 [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
42 [openbsd-compat/port-solaris.h] Add support for Solaris process
43 contracts, enabled with --use-solaris-contracts. Patch from Chad
44 Mynhier, tweaked by dtucker@ and myself; ok dtucker@
45 - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege
46 while setting up the ssh service account. Patch from Corinna Vinschen.
49 - (djm) OpenBSD CVS Sync
50 - dtucker@cvs.openbsd.org 2006/08/21 08:14:01
52 Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
54 - dtucker@cvs.openbsd.org 2006/08/21 08:15:57
56 Add more detail about what permissions are and aren't accepted for
57 authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
58 - djm@cvs.openbsd.org 2006/08/29 10:40:19
59 [channels.c session.c]
60 normalise some inconsistent (but harmless) NULL pointer checks
61 spotted by the Stanford SATURN tool, via Isil Dillig;
63 - dtucker@cvs.openbsd.org 2006/08/29 12:02:30
65 Work around a problem in Heimdal that occurs when KRB5CCNAME file is
66 missing, by checking whether or not kerberos allocated us a context
67 before attempting to free it. Patch from Simon Wilkinson, tested by
69 - dtucker@cvs.openbsd.org 2006/08/30 00:06:51
71 Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
72 where previously it weren't. bz #1221, found by Dean Kopesky, ok djm@
73 - djm@cvs.openbsd.org 2006/08/30 00:14:37
76 - (djm) [openbsd-compat/xcrypt.c] needs unistd.h
77 - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
78 loginsuccess on AIX immediately after authentication to clear the failed
79 login count. Previously this would only happen when an interactive
80 session starts (ie when a pty is allocated) but this means that accounts
81 that have primarily non-interactive sessions (eg scp's) may gradually
82 accumulate enough failures to lock out an account. This change may have
83 a side effect of creating two audit records, one with a tty of "ssh"
84 corresponding to the authentication and one with the allocated pty per
88 - (dtucker) [openbsd-compat/basename.c] Include errno.h.
89 - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on
91 - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)
93 - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).
94 - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.
95 - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent
96 unused variable warning when we have a broken or missing mmap(2).
99 - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in
100 Makefile. Patch from santhi.amirta at gmail, ok djm.
103 - (dtucker) [log.c] Move ifdef to prevent unused variable warning.
104 - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore
105 afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl.
106 - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for
107 fixing bug #1181. No changes yet.
108 - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL
109 (0.9.8a and presumably newer) requires -ldl to successfully link.
110 - (dtucker) [configure.ac] Remove errant "-".
113 - (djm) OpenBSD CVS Sync
114 - djm@cvs.openbsd.org 2006/08/18 22:41:29
116 GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
117 - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a
118 single rule for the test progs.
121 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with
122 closefrom.c from sudo.
123 - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.
124 - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.
125 - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the
126 test progs instead; they work better than what we have.
127 - (djm) OpenBSD CVS Sync
128 - stevesk@cvs.openbsd.org 2006/08/06 01:13:32
129 [compress.c monitor.c monitor_wrap.c]
130 "zlib.h" can be <zlib.h>; ok djm@ markus@
131 - miod@cvs.openbsd.org 2006/08/12 20:46:46
132 [monitor.c monitor_wrap.c]
133 Revert previous include file ordering change, for ssh to compile under
134 gcc2 (or until openssl include files are cleaned of parameter names
135 in function prototypes)
136 - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
137 [servconf.c servconf.h sshd_config.5]
138 Add ability to match groups to Match keyword in sshd_config. Feedback
139 djm@, stevesk@, ok stevesk@.
140 - djm@cvs.openbsd.org 2006/08/16 11:47:15
142 factor inetd connection, TCP listen and main TCP accept loop out of
143 main() into separate functions to improve readability; ok markus@
144 - deraadt@cvs.openbsd.org 2006/08/18 09:13:26
146 make signal handler termination path shorter; risky code pointed out by
147 mark dowd; ok djm markus
148 - markus@cvs.openbsd.org 2006/08/18 09:15:20
149 [auth.h session.c sshd.c]
150 delay authentication related cleanups until we're authenticated and
151 all alarms have been cancelled; ok deraadt
152 - djm@cvs.openbsd.org 2006/08/18 10:27:16
154 reorder so prototypes are sorted by the files they refer to; no
156 - djm@cvs.openbsd.org 2006/08/18 13:54:54
157 [gss-genr.c ssh-gss.h sshconnect2.c]
158 bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
160 - djm@cvs.openbsd.org 2006/08/18 14:40:34
161 [gss-genr.c ssh-gss.h]
162 constify host argument to match the rest of the GSSAPI functions and
163 unbreak compilation with -Werror
164 - (djm) Disable sigdie() for platforms that cannot safely syslog inside
165 a signal handler (basically all of them, excepting OpenBSD);
169 - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
170 Include stdlib.h for malloc and friends.
171 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl
172 for closefrom() on AIX. Pointed out by William Ahern.
173 - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress
174 test for closefrom() in compat code.
177 - (djm) [audit-bsm.c] Sprinkle in some headers
180 - (dtucker) [LICENCE] Add Reyk to the list for the compat dir.
183 - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings
187 - (dtucker) [defines.h] With the includes.h changes we no longer get the
188 name clash on "YES" so we can remove the workaround for it.
189 - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,
190 glob.c}] Include stdlib.h for malloc and friends in compat code.
193 - (djm) OpenBSD CVS Sync
194 - stevesk@cvs.openbsd.org 2006/07/24 13:58:22
196 disable tunnel forwarding when no strict host key checking
197 and key changed; ok djm@ markus@ dtucker@
198 - stevesk@cvs.openbsd.org 2006/07/25 02:01:34
200 need #include <string.h>
201 - stevesk@cvs.openbsd.org 2006/07/25 02:59:21
202 [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c]
203 [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c]
204 move #include <sys/time.h> out of includes.h
205 - stevesk@cvs.openbsd.org 2006/07/26 02:35:17
206 [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
207 [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
208 [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
209 [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
210 [uidswap.c xmalloc.c]
211 move #include <sys/param.h> out of includes.h
212 - stevesk@cvs.openbsd.org 2006/07/26 13:57:17
213 [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
214 [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
215 [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
216 [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
217 [sshconnect1.c sshd.c xmalloc.c]
218 move #include <stdlib.h> out of includes.h
219 - jmc@cvs.openbsd.org 2006/07/27 08:00:50
221 avoid confusing wording in HashKnownHosts:
222 originally spotted by alan amesbury;
224 - jmc@cvs.openbsd.org 2006/07/27 08:00:50
226 avoid confusing wording in HashKnownHosts:
227 originally spotted by alan amesbury;
229 - dtucker@cvs.openbsd.org 2006/08/01 11:34:36
231 Allow fallback to known_hosts entries without port qualifiers for
232 non-standard ports too, so that all existing known_hosts entries will be
233 recognised. Requested by, feedback and ok markus@
234 - stevesk@cvs.openbsd.org 2006/08/01 23:22:48
235 [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
236 [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
237 [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
238 [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
239 [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
240 [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
241 [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
242 [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
243 [uuencode.h xmalloc.c]
244 move #include <stdio.h> out of includes.h
245 - stevesk@cvs.openbsd.org 2006/08/01 23:36:12
246 [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c]
248 - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
249 [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
250 [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
251 [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
252 [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
253 [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
254 [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
255 [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
256 [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
257 [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
258 [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
259 [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
260 [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
261 [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
262 [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
263 [serverloop.c session.c session.h sftp-client.c sftp-common.c]
264 [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
265 [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
266 [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
267 [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
268 [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
269 [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
270 almost entirely get rid of the culture of ".h files that include .h files"
271 ok djm, sort of ok stevesk
272 makes the pain stop in one easy step
273 NB. portable commit contains everything *except* removing includes.h, as
274 that will take a fair bit more work as we move headers that are required
275 for portability workarounds to defines.h. (also, this step wasn't "easy")
276 - stevesk@cvs.openbsd.org 2006/08/04 20:46:05
277 [monitor.c session.c ssh-agent.c]
279 - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c
280 - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
281 remove last traces of bufaux.h - it was merged into buffer.h in the big
283 - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec
284 - (djm) [openbsd-compat/regress/snprintftest.c]
285 [openbsd-compat/regress/strduptest.c] Add missing includes so they pass
286 compilation with "-Wall -Werror"
287 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
288 [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
289 includes for Linux in
290 - (dtucker) [cleanup.c] Need defines.h for __dead.
291 - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.
292 - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of
293 #include stdarg.h, needed for log.h.
294 - (dtucker) [entropy.c] Needs unistd.h too.
295 - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h.
296 - (dtucker) [openbsd-compat/getrrsetbyname.c] Nees stdlib.h for malloc.
297 - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,
298 otherwise it is implicitly declared as returning an int.
299 - (dtucker) OpenBSD CVS Sync
300 - dtucker@cvs.openbsd.org 2006/08/05 07:52:52
301 [auth2-none.c sshd.c monitor_wrap.c]
302 Add headers required to build with KERBEROS5=no. ok djm@
303 - dtucker@cvs.openbsd.org 2006/08/05 08:00:33
305 Add headers required to build with -DSKEY. ok djm@
306 - dtucker@cvs.openbsd.org 2006/08/05 08:28:24
307 [monitor_wrap.c auth-skey.c auth2-chall.c]
308 Zap unused variables in -DSKEY code. ok djm@
309 - dtucker@cvs.openbsd.org 2006/08/05 08:34:04
312 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile
314 - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.
315 - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h.
316 - (dtucker) [audit.c audit.h] Repair headers.
317 - (dtucker) [audit-bsm.c] Add additional headers now required.
320 - (dtucker) [configure.ac] The "crippled AES" test does not work on recent
321 versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
322 rather than just compiling it. Spotted by dlg@.
325 - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.
328 - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDRW.
331 - (djm) OpenBSD CVS Sync
332 - jmc@cvs.openbsd.org 2006/07/12 13:39:55
334 - new sentence, new line
337 - stevesk@cvs.openbsd.org 2006/07/12 22:28:52
338 [auth-options.c canohost.c channels.c includes.h readconf.c]
339 [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
340 move #include <netdb.h> out of includes.h; ok djm@
341 - stevesk@cvs.openbsd.org 2006/07/12 22:42:32
342 [includes.h ssh.c ssh-rand-helper.c]
343 move #include <stddef.h> out of includes.h
344 - stevesk@cvs.openbsd.org 2006/07/14 01:15:28
346 don't need incompletely-typed 'struct passwd' now with
347 #include <pwd.h>; ok markus@
348 - stevesk@cvs.openbsd.org 2006/07/17 01:31:10
349 [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
350 [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
351 [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
352 [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
353 [sshconnect.c sshlogin.c sshpty.c uidswap.c]
354 move #include <unistd.h> out of includes.h
355 - dtucker@cvs.openbsd.org 2006/07/17 12:02:24
357 Use '\0' rather than 0 to terminates strings; ok djm@
358 - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
359 [channels.c channels.h servconf.c sshd_config.5]
360 Add PermitOpen directive to sshd_config which is equivalent to the
361 "permitopen" key option. Allows server admin to allow TCP port
362 forwarding only two specific host/port pairs. Useful when combined
364 If permitopen is used in both sshd_config and a key option, both
365 must allow a given connection before it will be permitted.
366 Note that users can still use external forwarders such as netcat,
367 so to be those must be controlled too for the limits to be effective.
368 Feedback & ok djm@, man page corrections & ok jmc@.
369 - jmc@cvs.openbsd.org 2006/07/18 07:50:40
372 - jmc@cvs.openbsd.org 2006/07/18 07:56:28
374 replace DIAGNOSTICS with .Ex;
375 - jmc@cvs.openbsd.org 2006/07/18 08:03:09
376 [ssh-agent.1 sshd_config.5]
377 mark up angle brackets;
378 - dtucker@cvs.openbsd.org 2006/07/18 08:22:23
380 Clarify description of Match, with minor correction from jmc@
381 - stevesk@cvs.openbsd.org 2006/07/18 22:27:55
383 remove unneeded includes; ok djm@
384 - dtucker@cvs.openbsd.org 2006/07/19 08:56:41
385 [servconf.c sshd_config.5]
386 Add support for X11Forwaring, X11DisplayOffset and X11UseLocalhost to
388 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
389 [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
390 Add ForceCommand keyword to sshd_config, equivalent to the "command="
391 key option, man page entry and example in sshd_config.
392 Feedback & ok djm@, man page corrections & ok jmc@
393 - stevesk@cvs.openbsd.org 2006/07/20 15:26:15
394 [auth1.c serverloop.c session.c sshconnect2.c]
395 missed some needed #include <unistd.h> when KERBEROS5=no; issue from
397 - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
398 [channels.c channels.h servconf.c servconf.h sshd_config.5]
399 Make PermitOpen take a list of permitted ports and act more like most
400 other keywords (ie the first match is the effective setting). This
401 also makes it easier to override a previously set PermitOpen. ok djm@
402 - stevesk@cvs.openbsd.org 2006/07/21 21:13:30
404 more ARGSUSED (lint) for dispatch table-driven functions; ok djm@
405 - stevesk@cvs.openbsd.org 2006/07/21 21:26:55
407 ARGSUSED for signal handler
408 - stevesk@cvs.openbsd.org 2006/07/22 19:08:54
409 [includes.h moduli.c progressmeter.c scp.c sftp-common.c]
410 [sftp-server.c ssh-agent.c sshlogin.c]
411 move #include <time.h> out of includes.h
412 - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
413 [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
414 [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
415 [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
416 [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
417 [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
418 [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
419 [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
420 [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
421 [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
422 [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
423 [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
424 [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
425 [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
426 move #include <string.h> out of includes.h
427 - stevesk@cvs.openbsd.org 2006/07/23 01:11:05
428 [auth.h dispatch.c kex.h sftp-client.c]
429 #include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
431 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
432 [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
433 [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
434 [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
435 [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
436 [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
437 [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
438 [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
439 [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
440 [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
441 make the portable tree compile again - sprinkle unistd.h and string.h
442 back in. Don't redefine __unused, as it turned out to be used in
443 headers on Linux, and replace its use in auth-pam.c with ARGSUSED
444 - (djm) [openbsd-compat/glob.c]
445 Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles
446 on OpenBSD (or other platforms with a decent glob implementation) with
449 Add resolv.h, is it contains the prototypes for __b64_ntop/__b64_pton on
452 fix compile error with -Werror -Wall: 'path' is only used in
453 do_setup_env() if HAVE_LOGIN_CAP is not defined
454 - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c]
455 [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c]
456 [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c]
457 [openbsd-compat/port-aix.c openbsd-compat/port-irix.c]
458 [openbsd-compat/rresvport.c]
459 These look to need string.h and/or unistd.h (based on a grep for function
461 - (djm) [Makefile.in]
462 Remove generated openbsd-compat/regress/Makefile in distclean target
463 - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
464 [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
465 Sync regress tests to -current; include dtucker@'s new cfgmatch and
466 forcecommand tests. Add cipher-speed.sh test (not linked in yet)
467 - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including
468 system headers before defines.h will cause conflicting definitions.
469 - (dtucker) [regress/forcecommand.sh] Portablize.
472 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
475 - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and
476 O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old
477 Linuxes and probably more.
478 - (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h>
480 - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before
482 - (dtucker) OpenBSD CVS Sync
483 - stevesk@cvs.openbsd.org 2006/07/10 16:01:57
484 [sftp-glob.c sftp-common.h sftp.c]
485 buffer.h only needed in sftp-common.h and remove some unneeded
486 user includes; ok djm@
487 - jmc@cvs.openbsd.org 2006/07/10 16:04:21
490 - stevesk@cvs.openbsd.org 2006/07/10 16:37:36
491 [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c
492 auth.c packet.c log.c]
493 move #include <stdarg.h> out of includes.h; ok markus@
494 - dtucker@cvs.openbsd.org 2006/07/11 10:12:07
496 Only copy the part of environment variable that we actually use. Prevents
497 ssh bailing when SendEnv is used and an environment variable with a really
498 long value exists. ok djm@
499 - markus@cvs.openbsd.org 2006/07/11 18:50:48
500 [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
501 channels.h readconf.c]
502 add ExitOnForwardFailure: terminate the connection if ssh(1)
503 cannot set up all requested dynamic, local, and remote port
504 forwardings. ok djm, dtucker, stevesk, jmc
505 - stevesk@cvs.openbsd.org 2006/07/11 20:07:25
506 [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
507 sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
508 includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
509 sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
510 ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
511 move #include <errno.h> out of includes.h; ok markus@
512 - stevesk@cvs.openbsd.org 2006/07/11 20:16:43
514 cast asterisk field precision argument to int to remove warning;
516 - stevesk@cvs.openbsd.org 2006/07/11 20:27:56
518 need <errno.h> here also (it's also included in <openssl/err.h>)
519 - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
520 [sshd.c servconf.h servconf.c sshd_config.5 auth.c]
521 Add support for conditional directives to sshd_config via a "Match"
522 keyword, which works similarly to the "Host" directive in ssh_config.
523 Lines after a Match line override the default set in the main section
524 if the condition on the Match line is true, eg
525 AllowTcpForwarding yes
527 AllowTcpForwarding no
528 will allow port forwarding by all users except "anoncvs".
529 Currently only a very small subset of directives are supported.
531 - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c
532 openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c
533 openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>.
534 - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h.
535 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too.
536 - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h.
537 - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c
538 openbsd-compat/rresvport.c] More errno.h.
541 - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
542 openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
543 include paths.h. Fixes build error on Solaris.
544 - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably
548 - (dtucker) [INSTALL] New autoconf version: 2.60.
550 - djm@cvs.openbsd.org 2006/06/14 10:50:42
552 limit the number of pre-banner characters we will accept; ok markus@
553 - djm@cvs.openbsd.org 2006/06/26 10:36:15
555 mention optional bind_address in runtime port forwarding setup
556 command-line help. patch from santhi.amirta AT gmail.com
557 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
558 [ssh.1 ssh.c ssh_config.5 sshd_config.5]
559 more details and clarity for tun(4) device forwarding; ok and help
561 - stevesk@cvs.openbsd.org 2006/07/02 18:36:47
562 [gss-serv-krb5.c gss-serv.c]
563 no "servconf.h" needed here
564 (gss-serv-krb5.c change not applied, portable needs the server options)
565 - stevesk@cvs.openbsd.org 2006/07/02 22:45:59
566 [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
567 move #include <grp.h> out of includes.h
568 (portable needed uidswap.c too)
569 - stevesk@cvs.openbsd.org 2006/07/02 23:01:55
571 use -KR[bind_address:]port here; ok djm@
572 - stevesk@cvs.openbsd.org 2006/07/03 08:54:20
573 [includes.h ssh.c sshconnect.c sshd.c]
574 move #include "version.h" out of includes.h; ok markus@
575 - stevesk@cvs.openbsd.org 2006/07/03 17:59:32
576 [channels.c includes.h]
577 move #include <arpa/inet.h> out of includes.h; old ok djm@
578 (portable needed session.c too)
579 - stevesk@cvs.openbsd.org 2006/07/05 02:42:09
580 [canohost.c hostfile.c includes.h misc.c packet.c readconf.c]
581 [serverloop.c sshconnect.c uuencode.c]
582 move #include <netinet/in.h> out of includes.h; ok deraadt@
583 (also ssh-rand-helper.c logintest.c loginrec.c)
584 - djm@cvs.openbsd.org 2006/07/06 10:47:05
585 [servconf.c servconf.h session.c sshd_config.5]
586 support arguments to Subsystem commands; ok markus@
587 - djm@cvs.openbsd.org 2006/07/06 10:47:57
588 [sftp-server.8 sftp-server.c]
589 add commandline options to enable logging of transactions; ok markus@
590 - stevesk@cvs.openbsd.org 2006/07/06 16:03:53
591 [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
592 [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
593 [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
594 [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
595 [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
596 [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
598 move #include <pwd.h> out of includes.h; ok markus@
599 - stevesk@cvs.openbsd.org 2006/07/06 16:22:39
601 move #include "dns.h" up
602 - stevesk@cvs.openbsd.org 2006/07/06 17:36:37
605 - stevesk@cvs.openbsd.org 2006/07/08 21:47:12
606 [authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
607 [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
608 [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
609 move #include <sys/socket.h> out of includes.h
610 - stevesk@cvs.openbsd.org 2006/07/08 21:48:53
611 [monitor.c session.c]
612 missed these from last commit:
613 move #include <sys/socket.h> out of includes.h
614 - stevesk@cvs.openbsd.org 2006/07/08 23:30:06
616 move user includes after /usr/include files
617 - stevesk@cvs.openbsd.org 2006/07/09 15:15:11
618 [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
619 [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
620 [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
621 [sshlogin.c sshpty.c]
622 move #include <fcntl.h> out of includes.h
623 - stevesk@cvs.openbsd.org 2006/07/09 15:27:59
625 use O_RDONLY vs. 0 in open(); no binary change
626 - djm@cvs.openbsd.org 2006/07/10 11:24:54
628 remove optind - it isn't used here
629 - djm@cvs.openbsd.org 2006/07/10 11:25:53
631 don't log variables that aren't yet set
632 - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]
633 [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h]
634 [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
635 [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
637 - djm@cvs.openbsd.org 2006/07/10 12:03:20
639 duplicate argv at the start of main() because it gets modified later;
640 pointed out by deraadt@ ok markus@
641 - djm@cvs.openbsd.org 2006/07/10 12:08:08
643 fix misparsing of SOCKS 5 packets that could result in a crash;
644 reported by mk@ ok markus@
645 - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
646 [misc.c misc.h sshd.8 sshconnect.c]
647 Add port identifier to known_hosts for non-default ports, based originally
648 on a patch from Devin Nate in bz#910.
649 For any connection using the default port or using a HostKeyAlias the
650 format is unchanged, otherwise the host name or address is enclosed
651 within square brackets in the same format as sshd's ListenAddress.
652 Tested by many, ok markus@.
653 - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h>
654 for struct sockaddr on platforms that use the fake-rfc stuff.
657 - (dtucker) [configure.ac] Try AIX blibpath test in different order when
658 compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
659 configure would not select the correct libpath linker flags.
660 - (dtucker) [INSTALL] A bit more info on autoconf.
663 - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the
664 target already exists.
667 - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf
668 declaration too. Patch from russ at sludge.net.
669 - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it,
670 prevents warnings on platforms where _res is in the system headers.
671 - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which
675 - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems
676 with autoconf 2.60. Patch from vapier at gentoo.org.
679 - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys
680 only, otherwise sshd can hang exiting non-interactive sessions.
683 - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
684 Works around limitation in Solaris' passwd program for changing passwords
685 where the username is longer than 8 characters. ok djm@
686 - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug
690 - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
691 tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch
692 from reyk@, tested by anil@
693 - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
694 4.3.3 ML3 or so, the AIX pty layer starting passing zero-length writes
695 on the pty slave as zero-length reads on the pty master, which sshd
696 interprets as the descriptor closing. Since most things don't do zero
697 length writes this rarely matters, but occasionally it happens, and when
698 it does the SSH pty session appears to hang, so we add a special case for
699 this condition. ok djm@
702 - (djm) [getput.h] This file has been replaced by functions in misc.c
704 - djm@cvs.openbsd.org 2006/05/08 10:49:48
706 uint32_t -> u_int32_t (which we use everywhere else)
707 (Id sync only - portable already had this)
708 - markus@cvs.openbsd.org 2006/05/16 09:00:00
710 missing free; from Kylene Hall
711 - markus@cvs.openbsd.org 2006/05/17 12:43:34
712 [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
713 fix leak; coverity via Kylene Jo Hall
714 - miod@cvs.openbsd.org 2006/05/18 21:27:25
716 paramter -> parameter
717 - dtucker@cvs.openbsd.org 2006/05/29 12:54:08
719 Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
720 - dtucker@cvs.openbsd.org 2006/05/29 12:56:33
722 Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in
723 sample ssh_config. ok markus@
724 - jmc@cvs.openbsd.org 2006/05/29 16:10:03
726 oops - previous was too long; split the list of auths up
727 - mk@cvs.openbsd.org 2006/05/30 11:46:38
729 Sync usage() with man page and reality.
731 - jmc@cvs.openbsd.org 2006/05/29 16:13:23
733 add GSSAPI to the list of authentication methods supported;
734 - mk@cvs.openbsd.org 2006/05/30 11:46:38
736 Sync usage() with man page and reality.
738 - markus@cvs.openbsd.org 2006/06/01 09:21:48
740 call get_remote_ipaddr() early; fixes logging after client disconnects;
741 report mpf@; ok dtucker@
742 - markus@cvs.openbsd.org 2006/06/06 10:20:20
743 [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
744 replace remaining setuid() calls with permanently_set_uid() and
745 check seteuid() return values; report Marcus Meissner; ok dtucker djm
746 - markus@cvs.openbsd.org 2006/06/08 14:45:49
747 [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
748 do not set the gid, noted by solar; ok djm
749 - djm@cvs.openbsd.org 2006/06/13 01:18:36
751 always use a format string, even when printing a constant
752 - djm@cvs.openbsd.org 2006/06/13 02:17:07
754 revert; i am on drugs. spotted by alexander AT beard.se
757 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
758 and slave, we can remove the special-case handling in the audit hook in
762 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
763 pointer leak. From kjhall at us.ibm.com, found by coverity.
766 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
767 _res, prevents problems on some platforms that have _res as a global but
768 don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
769 georg.schwarz at freenet.de, ok djm@.
770 - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
771 default. Patch originally from tim@, ok djm
772 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
773 do not allow kbdint again after the PAM account check fails. ok djm@
776 - (dtucker) OpenBSD CVS Sync
777 - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
778 [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
779 Prevent ssh from trying to open private keys with bad permissions more than
780 once or prompting for their passphrases (which it subsequently ignores
781 anyway), similar to a previous change in ssh-add. bz #1186, ok djm@
782 - djm@cvs.openbsd.org 2006/05/04 14:55:23
784 tighter DH exponent checks here too; feedback and ok markus@
785 - djm@cvs.openbsd.org 2006/04/01 05:37:46
787 $OpenBSD$ in here too
788 - dtucker@cvs.openbsd.org 2006/05/06 08:35:40
790 Add $OpenBSD$ in comment here too
793 - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
794 session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
795 openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
796 in Portable-only code; since calloc zeros, remove now-redundant memsets.
797 Also add a couple of sanity checks. With & ok djm@
800 - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h
801 and double including it on IRIX 5.3 causes problems. From Georg Schwarz,
805 - (djm) OpenBSD CVS Sync
806 - deraadt@cvs.openbsd.org 2006/04/01 05:42:20
808 minimal lint cleanup (unused crud, and some size_t); ok djm
809 - djm@cvs.openbsd.org 2006/04/01 05:50:29
811 xasprintification; ok deraadt@
812 - djm@cvs.openbsd.org 2006/04/01 05:51:34
814 ANSIfy; requested deraadt@
815 - dtucker@cvs.openbsd.org 2006/04/02 08:34:52
817 sessionid can be 32 bytes now too when sha256 kex is used; ok djm@
818 - djm@cvs.openbsd.org 2006/04/03 07:10:38
820 GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
821 by dleonard AT vintela.com. use xasprintf() to simplify code while in
822 there; "looks right" deraadt@
823 - djm@cvs.openbsd.org 2006/04/16 00:48:52
824 [buffer.c buffer.h channels.c]
825 Fix condition where we could exit with a fatal error when an input
826 buffer became too large and the remote end had advertised a big window.
827 The problem was a mismatch in the backoff math between the channels code
828 and the buffer code, so make a buffer_check_alloc() function that the
829 channels code can use to propsectivly check whether an incremental
830 allocation will succeed. bz #1131, debugged with the assistance of
831 cove AT wildpackets.com; ok dtucker@ deraadt@
832 - djm@cvs.openbsd.org 2006/04/16 00:52:55
833 [atomicio.c atomicio.h]
834 introduce atomiciov() function that wraps readv/writev to retry
835 interrupted transfers like atomicio() does for read/write;
836 feedback deraadt@ dtucker@ stevesk@ ok deraadt@
837 - djm@cvs.openbsd.org 2006/04/16 00:54:10
839 avoid making a tiny 4-byte write to send the packet length of sftp
840 commands, which would result in a separate tiny packet on the wire by
841 using atomiciov(writev, ...) to write the length and the command in one
843 - djm@cvs.openbsd.org 2006/04/16 07:59:00
845 reorder sanity test so that it cannot dereference past the end of the
846 iov array; well spotted canacar@!
847 - dtucker@cvs.openbsd.org 2006/04/18 10:44:28
848 [bufaux.c bufbn.c Makefile.in]
849 Move Buffer bignum functions into their own file, bufbn.c. This means
850 that sftp and sftp-server (which use the Buffer functions in bufaux.c
851 but not the bignum ones) no longer need to be linked with libcrypto.
853 - djm@cvs.openbsd.org 2006/04/20 09:27:09
854 [auth.h clientloop.c dispatch.c dispatch.h kex.h]
855 replace the last non-sig_atomic_t flag used in a signal handler with a
856 sig_atomic_t, unfortunately with some knock-on effects in other (non-
857 signal) contexts in which it is used; ok markus@
858 - markus@cvs.openbsd.org 2006/04/20 09:47:59
861 - djm@cvs.openbsd.org 2006/04/20 21:53:44
862 [includes.h session.c sftp.c]
863 Switch from using pipes to socketpairs for communication between
864 sftp/scp and ssh, and between sshd and its subprocesses. This saves
865 a file descriptor per session and apparently makes userland ppp over
866 ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this
867 decision on a per-platform basis)
868 - djm@cvs.openbsd.org 2006/04/22 04:06:51
870 use setres[ug]id() to permanently revoke privileges; ok deraadt@
871 (ID Sync only - portable already uses setres[ug]id() whenever possible)
872 - stevesk@cvs.openbsd.org 2006/04/22 18:29:33
875 - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get
879 - (djm) [Makefile.in configure.ac session.c sshpty.c]
880 [contrib/redhat/sshd.init openbsd-compat/Makefile.in]
881 [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
882 [openbsd-compat/port-linux.h] Add support for SELinux, setting
883 the execution and TTY contexts. based on patch from Daniel Walsh,
887 - (djm) [canohost.c] Reorder IP options check so that it isn't broken
888 by mapped addresses; bz #1179 reported by markw wtech-llc.com;
893 - deraadt@cvs.openbsd.org 2006/03/27 01:21:18
895 we can do the size & nmemb check before the integer overflow check;
897 - deraadt@cvs.openbsd.org 2006/03/27 13:03:54
899 use strtonum() instead of atoi(), limit dhg size to 64k; ok djm
900 - djm@cvs.openbsd.org 2006/03/27 23:15:46
902 always use a format string for addargs; spotted by mouring@
903 - deraadt@cvs.openbsd.org 2006/03/28 00:12:31
906 - deraadt@cvs.openbsd.org 2006/03/28 01:52:28
908 do not accept unreasonable X ports numbers; ok djm
909 - deraadt@cvs.openbsd.org 2006/03/28 01:53:43
911 use strtonum() to parse the pid from the file, and range check it
913 - djm@cvs.openbsd.org 2006/03/30 09:41:25
915 ARGSUSED for dispatch table-driven functions
916 - djm@cvs.openbsd.org 2006/03/30 09:58:16
917 [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h]
918 [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c]
919 replace {GET,PUT}_XXBIT macros with functionally similar functions,
920 silencing a heap of lint warnings. also allows them to use
921 __bounded__ checking which can't be applied to macros; requested
922 by and feedback from deraadt@
923 - djm@cvs.openbsd.org 2006/03/30 10:41:25
925 add percent escape chars to the IdentityFile option, bz #1159 based
926 on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
927 - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
929 Correctly handle truncated files while converting keys; ok djm@
930 - dtucker@cvs.openbsd.org 2006/03/30 11:40:21
932 Prevent duplicate log messages when privsep=yes; ok djm@
933 - jmc@cvs.openbsd.org 2006/03/31 09:09:30
935 kill trailing whitespace;
936 - djm@cvs.openbsd.org 2006/03/31 09:13:56
938 remote user escape is %r not %h; spotted by jmc@
942 - jakob@cvs.openbsd.org 2006/03/15 08:46:44
944 if no key file are given when printing the DNS host record, use the
945 host key file(s) as default. ok djm@
946 - biorn@cvs.openbsd.org 2006/03/16 10:31:45
948 Try to display errormessage even if remout == -1
950 - djm@cvs.openbsd.org 2006/03/17 22:31:50
952 another unreachable found by lint
953 - djm@cvs.openbsd.org 2006/03/17 22:31:11
955 unreachanble statement, found by lint
956 - djm@cvs.openbsd.org 2006/03/19 02:22:32
958 memory leaks detected by Coverity via elad AT netbsd.org;
960 - djm@cvs.openbsd.org 2006/03/19 02:22:56
962 more memory leaks detected by Coverity via elad AT netbsd.org;
964 - djm@cvs.openbsd.org 2006/03/19 02:23:26
966 FILE* leak detected by Coverity via elad AT netbsd.org;
968 - djm@cvs.openbsd.org 2006/03/19 02:24:05
969 [dh.c readconf.c servconf.c]
970 potential NULL pointer dereferences detected by Coverity
971 via elad AT netbsd.org; ok deraadt@
972 - djm@cvs.openbsd.org 2006/03/19 07:41:30
974 memory leaks detected by Coverity via elad AT netbsd.org;
976 - dtucker@cvs.openbsd.org 2006/03/19 11:51:52
978 Correct strdelim null test; ok djm@
979 - deraadt@cvs.openbsd.org 2006/03/19 18:52:11
980 [auth1.c authfd.c channels.c]
982 - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
983 [kex.c kex.h monitor.c myproposal.h session.c]
985 - deraadt@cvs.openbsd.org 2006/03/19 18:56:41
986 [clientloop.c progressmeter.c serverloop.c sshd.c]
987 ARGSUSED for signal handlers
988 - deraadt@cvs.openbsd.org 2006/03/19 18:59:49
991 - deraadt@cvs.openbsd.org 2006/03/19 18:59:30
994 - deraadt@cvs.openbsd.org 2006/03/19 18:59:09
996 whoever thought that break after return was a good idea needs to
997 get their head examimed
998 - djm@cvs.openbsd.org 2006/03/20 04:09:44
1000 memory leaks detected by Coverity via elad AT netbsd.org;
1002 that should be all of them now
1003 - djm@cvs.openbsd.org 2006/03/20 11:38:46
1005 (really) last of the Coverity diffs: avoid possible NULL deref in
1006 key_free. via elad AT netbsd.org; markus@ ok
1007 - deraadt@cvs.openbsd.org 2006/03/20 17:10:19
1008 [auth.c key.c misc.c packet.c ssh-add.c]
1009 in a switch (), break after return or goto is stupid
1010 - deraadt@cvs.openbsd.org 2006/03/20 17:13:16
1013 - deraadt@cvs.openbsd.org 2006/03/20 17:17:23
1015 in a switch (), break after return or goto is stupid
1016 - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
1017 [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c]
1018 [ssh.c sshpty.c sshpty.h]
1019 sprinkle u_int throughout pty subsystem, ok markus
1020 - deraadt@cvs.openbsd.org 2006/03/20 18:17:20
1021 [auth1.c auth2.c sshd.c]
1022 sprinkle some ARGSUSED for table driven functions (which sometimes
1023 must ignore their args)
1024 - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
1025 [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c]
1026 [ssh-rsa.c ssh.c sshlogin.c]
1027 annoying spacing fixes getting in the way of real diffs
1028 - deraadt@cvs.openbsd.org 2006/03/20 18:27:50
1031 - deraadt@cvs.openbsd.org 2006/03/20 18:35:12
1033 x11_fake_data is only ever used as u_char *
1034 - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
1036 cast xstrdup to propert u_char *
1037 - deraadt@cvs.openbsd.org 2006/03/20 18:42:27
1038 [canohost.c match.c ssh.c sshconnect.c]
1039 be strict with tolower() casting
1040 - deraadt@cvs.openbsd.org 2006/03/20 18:48:34
1041 [channels.c fatal.c kex.c packet.c serverloop.c]
1043 - deraadt@cvs.openbsd.org 2006/03/20 21:11:53
1046 - djm@cvs.openbsd.org 2006/03/25 00:05:41
1047 [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c]
1048 [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
1049 [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
1050 [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
1051 [xmalloc.c xmalloc.h]
1052 introduce xcalloc() and xasprintf() failure-checked allocations
1053 functions and use them throughout openssh
1055 xcalloc is particularly important because malloc(nmemb * size) is a
1056 dangerous idiom (subject to integer overflow) and it is time for it
1059 feedback and ok deraadt@
1060 - djm@cvs.openbsd.org 2006/03/25 01:13:23
1061 [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
1062 [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
1064 change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
1065 to xrealloc(p, new_nmemb, new_itemsize).
1067 realloc is particularly prone to integer overflows because it is
1068 almost always allocating "n * size" bytes, so this is a far safer
1070 - djm@cvs.openbsd.org 2006/03/25 01:30:23
1072 "abormally" is a perfectly cromulent word, but "abnormally" is better
1073 - djm@cvs.openbsd.org 2006/03/25 13:17:03
1074 [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
1075 [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
1076 [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
1077 [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
1078 [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
1079 [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
1080 [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
1081 [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
1082 [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
1083 [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
1084 [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
1085 [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
1086 [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
1087 [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
1088 [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
1089 [uidswap.c uuencode.c xmalloc.c]
1090 Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
1091 Theo nuked - our scripts to sync -portable need them in the files
1092 - deraadt@cvs.openbsd.org 2006/03/25 18:29:35
1093 [auth-rsa.c authfd.c packet.c]
1094 needed casts (always will be needed)
1095 - deraadt@cvs.openbsd.org 2006/03/25 18:30:55
1096 [clientloop.c serverloop.c]
1098 - deraadt@cvs.openbsd.org 2006/03/25 18:36:15
1099 [sshlogin.c sshlogin.h]
1100 nicer size_t and time_t types
1101 - deraadt@cvs.openbsd.org 2006/03/25 18:40:14
1103 cast strtonum() result to right type
1104 - deraadt@cvs.openbsd.org 2006/03/25 18:41:45
1106 mark two more signal handlers ARGSUSED
1107 - deraadt@cvs.openbsd.org 2006/03/25 18:43:30
1109 use strtonum() instead of atoi() [limit X screens to 400, sorry]
1110 - deraadt@cvs.openbsd.org 2006/03/25 18:56:55
1111 [bufaux.c channels.c packet.c]
1112 remove (char *) casts to a function that accepts void * for the arg
1113 - deraadt@cvs.openbsd.org 2006/03/25 18:58:10
1115 delete cast not required
1116 - djm@cvs.openbsd.org 2006/03/25 22:22:43
1117 [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
1118 [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
1119 [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
1120 [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
1121 [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
1122 [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
1123 [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h]
1124 [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
1125 [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
1126 [ttymodes.h uidswap.h uuencode.h xmalloc.h]
1127 standardise spacing in $OpenBSD$ tags; requested by deraadt@
1128 - deraadt@cvs.openbsd.org 2006/03/26 01:31:48
1134 - djm@cvs.openbsd.org 2006/03/16 04:24:42
1136 Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs
1137 that OpenSSH supports
1138 - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
1139 [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
1140 [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
1141 [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
1142 [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
1143 [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
1144 [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
1145 [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
1146 [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
1147 [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
1148 [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
1149 [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
1150 [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
1151 [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
1152 [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
1153 [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
1154 [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
1155 [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
1156 [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
1157 [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
1158 [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
1159 [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
1160 [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
1161 [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
1163 - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
1164 [kex.h myproposal.h]
1166 - djm@cvs.openbsd.org 2006/03/20 04:07:22
1168 GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
1169 reviewed by simon AT sxw.org.uk; deraadt@ ok
1170 - djm@cvs.openbsd.org 2006/03/20 04:07:49
1172 more GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
1173 reviewed by simon AT sxw.org.uk; deraadt@ ok
1174 - djm@cvs.openbsd.org 2006/03/20 04:08:18
1176 last lot of GSSAPI related leaks detected by Coverity via
1177 elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
1178 - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
1179 [monitor_wrap.h sshpty.h]
1180 sprinkle u_int throughout pty subsystem, ok markus
1181 - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
1183 annoying spacing fixes getting in the way of real diffs
1184 - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
1186 cast xstrdup to propert u_char *
1187 - jakob@cvs.openbsd.org 2006/03/22 21:16:24
1189 simplify SSHFP example; ok jmc@
1190 - djm@cvs.openbsd.org 2006/03/22 21:27:15
1191 [deattack.c deattack.h]
1192 remove IV support from the CRC attack detector, OpenSSH has never used
1193 it - it only applied to IDEA-CFB, which we don't support.
1194 prompted by NetBSD Coverity report via elad AT netbsd.org;
1195 feedback markus@ "nuke it" deraadt@
1198 - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
1200 - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take
1201 a LLONG rather than a long. Fixes scp'ing of large files on platforms
1202 with missing/broken snprintfs. Patch from e.borovac at bom.gov.au.
1205 - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
1206 - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
1207 /usr/include/crypto. Hint from djm@.
1208 - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
1209 Disable sha256 when openssl < 0.9.7. Patch from djm@.
1210 - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old
1214 - (djm) OpenBSD CVS Sync:
1215 - msf@cvs.openbsd.org 2006/02/06 15:54:07
1219 - jmc@cvs.openbsd.org 2006/02/06 21:44:47
1221 make this a little less ambiguous...
1222 - stevesk@cvs.openbsd.org 2006/02/07 01:08:04
1223 [auth-rhosts.c includes.h]
1224 move #include <netgroup.h> out of includes.h; ok markus@
1225 - stevesk@cvs.openbsd.org 2006/02/07 01:18:09
1226 [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c]
1227 move #include <sys/queue.h> out of includes.h; ok markus@
1228 - stevesk@cvs.openbsd.org 2006/02/07 01:42:00
1229 [channels.c clientloop.c clientloop.h includes.h packet.h]
1230 [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c]
1231 move #include <termios.h> out of includes.h; ok markus@
1232 - stevesk@cvs.openbsd.org 2006/02/07 01:52:50
1235 - stevesk@cvs.openbsd.org 2006/02/07 03:47:05
1237 "packet.h" not needed
1238 - stevesk@cvs.openbsd.org 2006/02/07 03:59:20
1241 - stevesk@cvs.openbsd.org 2006/02/08 12:15:27
1242 [auth.c clientloop.c includes.h misc.c monitor.c readpass.c]
1243 [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c]
1245 move #include <paths.h> out of includes.h; ok markus@
1246 - stevesk@cvs.openbsd.org 2006/02/08 12:32:49
1248 move #include <netinet/tcp.h> out of includes.h; ok markus@
1249 - stevesk@cvs.openbsd.org 2006/02/08 13:15:44
1250 [gss-serv.c monitor.c]
1252 - stevesk@cvs.openbsd.org 2006/02/08 14:16:59
1254 <openssl/bn.h> not needed
1255 - stevesk@cvs.openbsd.org 2006/02/08 14:31:30
1256 [includes.h ssh-agent.c ssh-keyscan.c ssh.c]
1257 move #include <sys/resource.h> out of includes.h; ok markus@
1258 - stevesk@cvs.openbsd.org 2006/02/08 14:38:18
1259 [includes.h packet.c]
1260 move #include <netinet/in_systm.h> and <netinet/ip.h> out of
1261 includes.h; ok markus@
1262 - stevesk@cvs.openbsd.org 2006/02/08 23:51:24
1263 [includes.h scp.c sftp-glob.c sftp-server.c]
1264 move #include <dirent.h> out of includes.h; ok markus@
1265 - stevesk@cvs.openbsd.org 2006/02/09 00:32:07
1267 #include <sys/endian.h> not needed; ok djm@
1268 NB. ID Sync only - we still need this (but it may move later)
1269 - jmc@cvs.openbsd.org 2006/02/09 10:10:47
1271 - move some text into a CAVEATS section
1272 - merge the COMMAND EXECUTION... section into AUTHENTICATION
1273 - stevesk@cvs.openbsd.org 2006/02/10 00:27:13
1274 [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c]
1275 [ssh.c sshd.c sshpty.c]
1276 move #include <sys/ioctl.h> out of includes.h; ok markus@
1277 - stevesk@cvs.openbsd.org 2006/02/10 01:44:27
1278 [includes.h monitor.c readpass.c scp.c serverloop.c session.c
\7f]
1279 [sftp.c sshconnect.c sshconnect2.c sshd.c]
1280 move #include <sys/wait.h> out of includes.h; ok markus@
1281 - otto@cvs.openbsd.org 2006/02/11 19:31:18
1283 type correctness; from Ray Lai in PR 5011; ok millert@
1284 - djm@cvs.openbsd.org 2006/02/12 06:45:34
1285 [ssh.c ssh_config.5]
1286 add a %l expansion code to the ControlPath, which is filled in with the
1287 local hostname at runtime. Requested by henning@ to avoid some problems
1288 with /home on NFS; ok dtucker@
1289 - djm@cvs.openbsd.org 2006/02/12 10:44:18
1291 raise error when the user specifies a RekeyLimit that is smaller than 16
1292 (the smallest of our cipher's blocksize) or big enough to cause integer
1293 wraparound; ok & feedback dtucker@
1294 - jmc@cvs.openbsd.org 2006/02/12 10:49:44
1296 slight rewording; ok djm
1297 - jmc@cvs.openbsd.org 2006/02/12 10:52:41
1299 rework the description of authorized_keys a little;
1300 - jmc@cvs.openbsd.org 2006/02/12 17:57:19
1302 sort the list of options permissable w/ authorized_keys;
1304 - jmc@cvs.openbsd.org 2006/02/13 10:16:39
1306 no need to subsection the authorized_keys examples - instead, convert
1307 this to look like an actual file. also use proto 2 keys, and use IETF
1309 - jmc@cvs.openbsd.org 2006/02/13 10:21:25
1311 small tweaks for the ssh_known_hosts section;
1312 - jmc@cvs.openbsd.org 2006/02/13 11:02:26
1314 turn this into an example ssh_known_hosts file; ok djm
1315 - jmc@cvs.openbsd.org 2006/02/13 11:08:43
1317 - avoid nasty line split
1318 - `*' does not need to be escaped
1319 - jmc@cvs.openbsd.org 2006/02/13 11:27:25
1321 sort FILES and use a -compact list;
1322 - david@cvs.openbsd.org 2006/02/15 05:08:24
1324 typo in comment; ok djm@
1325 - jmc@cvs.openbsd.org 2006/02/15 16:53:20
1327 remove the IETF draft references and replace them with some updated RFCs;
1328 - jmc@cvs.openbsd.org 2006/02/15 16:55:33
1330 remove ietf draft references; RFC list now maintained in ssh.1;
1331 - jmc@cvs.openbsd.org 2006/02/16 09:05:34
1333 sync some of the FILES entries w/ ssh.1;
1334 - jmc@cvs.openbsd.org 2006/02/19 19:52:10
1336 move the sshrc stuff out of FILES, and into its own section:
1337 FILES is not a good place to document how stuff works;
1338 - jmc@cvs.openbsd.org 2006/02/19 20:02:17
1340 sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
1341 - jmc@cvs.openbsd.org 2006/02/19 20:05:00
1344 - jmc@cvs.openbsd.org 2006/02/19 20:12:25
1346 add some vertical space;
1347 - stevesk@cvs.openbsd.org 2006/02/20 16:36:15
1348 [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c]
1349 move #include <sys/un.h> out of includes.h; ok djm@
1350 - stevesk@cvs.openbsd.org 2006/02/20 17:02:44
1351 [clientloop.c includes.h monitor.c progressmeter.c scp.c]
1352 [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c]
1353 move #include <signal.h> out of includes.h; ok markus@
1354 - stevesk@cvs.openbsd.org 2006/02/20 17:19:54
1355 [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c]
1356 [authfile.c clientloop.c includes.h readconf.c scp.c session.c]
1357 [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c]
1358 [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c]
1359 [sshconnect2.c sshd.c sshpty.c]
1360 move #include <sys/stat.h> out of includes.h; ok markus@
1361 - stevesk@cvs.openbsd.org 2006/02/22 00:04:45
1362 [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c]
1364 move #include <ctype.h> out of includes.h; ok djm@
1365 - jmc@cvs.openbsd.org 2006/02/24 10:25:14
1367 add section on patterns;
1368 from dtucker + myself
1369 - jmc@cvs.openbsd.org 2006/02/24 10:33:54
1371 signpost to PATTERNS;
1372 - jmc@cvs.openbsd.org 2006/02/24 10:37:07
1374 tidy up the refs to PATTERNS;
1375 - jmc@cvs.openbsd.org 2006/02/24 10:39:52
1377 signpost to PATTERNS section;
1378 - jmc@cvs.openbsd.org 2006/02/24 20:22:16
1379 [ssh-keysign.8 ssh_config.5 sshd_config.5]
1380 some consistency fixes;
1381 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
1382 [ssh.1 ssh_config.5 sshd.8 sshd_config.5]
1383 more consistency fixes;
1384 - jmc@cvs.openbsd.org 2006/02/24 23:20:07
1386 some grammar/wording fixes;
1387 - jmc@cvs.openbsd.org 2006/02/24 23:43:57
1389 some grammar/wording fixes;
1390 - jmc@cvs.openbsd.org 2006/02/24 23:51:17
1392 oops - bits i missed;
1393 - jmc@cvs.openbsd.org 2006/02/25 12:26:17
1395 document the possible values for KbdInteractiveDevices;
1397 - jmc@cvs.openbsd.org 2006/02/25 12:28:34
1399 document the order in which allow/deny directives are processed;
1401 - jmc@cvs.openbsd.org 2006/02/26 17:17:18
1403 move PATTERNS to the end of the main body; requested by dtucker
1404 - jmc@cvs.openbsd.org 2006/02/26 18:01:13
1406 subsection is pointless here;
1407 - jmc@cvs.openbsd.org 2006/02/26 18:03:10
1410 - djm@cvs.openbsd.org 2006/02/28 01:10:21
1412 fix logout recording when privilege separation is disabled, analysis and
1413 patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@
1414 NB. ID sync only - patch already in portable
1415 - djm@cvs.openbsd.org 2006/03/04 04:12:58
1417 move a debug() outside of a signal handler; ok markus@ a little while back
1418 - djm@cvs.openbsd.org 2006/03/12 04:23:07
1421 - djm@cvs.openbsd.org 2006/03/13 08:16:00
1423 don't log that we are listening on a socket before the listen() call
1424 actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@
1425 - dtucker@cvs.openbsd.org 2006/03/13 08:33:00
1427 Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
1428 poor performance and protocol stalls under some network conditions (mindrot
1429 bugs #556 and #981). Patch originally from markus@, ok djm@
1430 - dtucker@cvs.openbsd.org 2006/03/13 08:43:16
1432 Make ssh-keygen handle CR and CRLF line termination when converting IETF
1433 format keys, in adition to vanilla LF. mindrot #1157, tested by Chris
1435 - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
1436 [misc.c ssh_config.5 sshd_config.5]
1437 Allow config directives to contain whitespace by surrounding them by double
1438 quotes. mindrot #482, man page help from jmc@, ok djm@
1439 - dtucker@cvs.openbsd.org 2006/03/13 10:26:52
1440 [authfile.c authfile.h ssh-add.c]
1441 Make ssh-add check file permissions before attempting to load private
1442 key files multiple times; it will fail anyway and this prevents confusing
1443 multiple prompts and warnings. mindrot #1138, ok djm@
1444 - djm@cvs.openbsd.org 2006/03/14 00:15:39
1446 log the originating address and not just the name when a reverse
1447 mapping check fails, requested by linux AT linuon.com
1448 - markus@cvs.openbsd.org 2006/03/14 16:32:48
1449 [ssh_config.5 sshd_config.5]
1450 *AliveCountMax applies to protcol v2 only; ok dtucker, djm
1451 - djm@cvs.openbsd.org 2006/03/07 09:07:40
1452 [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
1453 Implement the diffie-hellman-group-exchange-sha256 key exchange method
1454 using the SHA256 code in libc (and wrapper to make it into an OpenSSL
1455 EVP), interop tested against CVS PuTTY
1456 NB. no portability bits committed yet
1457 - (djm) [configure.ac defines.h kex.c md-sha256.c]
1458 [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h]
1459 [openbsd-compat/sha2.c] First stab at portability glue for SHA256
1460 KEX support, should work with libc SHA256 support or OpenSSL
1461 EVP_sha256 if present
1462 - (djm) [includes.h] Restore accidentally dropped netinet/in.h
1463 - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files
1464 - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present
1465 - (djm) [regress/.cvsignore] Ignore Makefile here
1466 - (djm) [loginrec.c] Need stat.h
1467 - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with
1469 - (djm) [ssh-rand-helper.c] Needs a bunch of headers
1470 - (djm) [ssh-agent.c] Restore dropped stat.h
1471 - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out
1472 SHA384, which we don't need and doesn't compile without tweaks
1473 - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
1474 [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
1475 [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
1476 [openbsd-compat/glob.c openbsd-compat/mktemp.c]
1477 [openbsd-compat/readpassphrase.c] Lots of include fixes for
1479 - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:"
1480 - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some
1481 includes removed from includes.h
1482 - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE
1483 - (djm) [includes.h] Put back paths.h, it is needed in defines.h
1484 - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs
1485 sys/ioctl.h for struct winsize.
1486 - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD.
1489 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
1490 since not all platforms support it. Instead, use internal equivalent while
1491 computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf*
1492 as it's no longer required. Tested by Bernhard Simon, ok djm@
1495 - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a
1496 file rather than directory, required as Cygwin will be importing lastlog(1).
1497 Also tightens up permissions on the file. Patch from vinschen@redhat.com.
1498 - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h
1499 includes. Patch from gentoo.riverrat at gmail.com.
1502 - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY
1503 patch from kraai at ftbfs.org.
1506 - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
1507 reality. Pointed out by tryponraj at gmail.com.
1510 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only
1511 compile in compat code if required.
1514 - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about
1515 redefinition of SSLeay_add_all_algorithms.
1518 - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
1519 Add optional enabling of OpenSSL's (hardware) Engine support, via
1520 configure --with-ssl-engine. Based in part on a diff by michal at
1524 - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/]
1525 Add first attempt at regress tests for compat library. ok djm@
1528 - (tim) [buildpkg.sh.in] Make the names consistent.
1529 s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@
1532 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned
1533 to silence compiler warning, from vinschen at redhat.com.
1534 - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX.
1535 - (dtucker) [README version.h contrib/caldera/openssh.spec
1536 contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version
1537 strings to match 4.3p2 release.
1540 - (tim) [session.c] Logout records were not updated on systems with
1541 post auth privsep disabled due to bug 1086 changes. Analysis and patch
1542 by vinschen at redhat.com. OK tim@, dtucker@.
1543 - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
1544 -> NEED_SETPGRP), reported by Bernhard Simon. ok tim@
1547 - (tim) [configure.ac] Remove unnecessary tests for net/if.h and
1548 netinet/in_systm.h. OK dtucker@.
1551 - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test
1552 for Solaris. OK dtucker@.
1553 - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by
1557 - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
1558 AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
1559 by a platform specific check, builtin standard includes tests will be
1560 skipped on the other platforms.
1561 Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
1565 - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it
1566 works with picky compilers. Patch from alex.kiernan at thus.net.
1569 - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
1570 determine the user's login name - needed for regress tests on Solaris
1572 - (djm) OpenBSD CVS Sync
1573 - jmc@cvs.openbsd.org 2006/02/01 09:06:50
1575 - merge sections on protocols 1 and 2 into a single section
1576 - remove configuration file section
1578 - jmc@cvs.openbsd.org 2006/02/01 09:11:41
1581 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
1582 [contrib/suse/openssh.spec] Update versions ahead of release
1583 - markus@cvs.openbsd.org 2006/02/01 11:27:22
1586 - (djm) Release OpenSSH 4.3p1
1589 - (djm) OpenBSD CVS Sync
1590 - jmc@cvs.openbsd.org 2006/01/20 11:21:45
1592 - word change, agreed w/ markus
1594 - jmc@cvs.openbsd.org 2006/01/25 09:04:34
1596 move the options description up the page, and a few additional tweaks
1599 - jmc@cvs.openbsd.org 2006/01/25 09:07:22
1601 move subsections to full sections;
1602 - jmc@cvs.openbsd.org 2006/01/26 08:47:56
1604 add a section on verifying host keys in dns;
1605 written with a lot of help from jakob;
1606 feedback dtucker/markus;
1608 - reyk@cvs.openbsd.org 2006/01/30 12:22:22
1610 mark channel as write failed or dead instead of read failed on error
1611 of the channel output filter.
1613 - jmc@cvs.openbsd.org 2006/01/30 13:37:49
1615 remove an incorrect sentence;
1616 reported by roumen petrov;
1618 - djm@cvs.openbsd.org 2006/01/31 10:19:02
1619 [misc.c misc.h scp.c sftp.c]
1620 fix local arbitrary command execution vulnerability on local/local and
1621 remote/remote copies (CVE-2006-0225, bz #1094), patch by
1622 t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
1623 - djm@cvs.openbsd.org 2006/01/31 10:35:43
1625 "scp a b c" shouldn't clobber "c" when it is not a directory, report and
1626 fix from biorn@; ok markus@
1627 - (djm) Sync regress tests to OpenBSD:
1628 - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
1629 [regress/forwarding.sh]
1630 Regress test for ClearAllForwardings (bz #994); ok markus@
1631 - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
1632 [regress/multiplex.sh]
1633 Don't call cleanup in multiplex as test-exec will cleanup anyway
1634 found by tim@, ok djm@
1635 NB. ID sync only, we already had this
1636 - djm@cvs.openbsd.org 2005/05/20 23:14:15
1637 [regress/test-exec.sh]
1638 force addressfamily=inet for tests, unbreaking dynamic-forward regress for
1639 recently committed nc SOCKS5 changes
1640 - djm@cvs.openbsd.org 2005/05/24 04:10:54
1641 [regress/try-ciphers.sh]
1642 oops, new arcfour modes here too
1643 - markus@cvs.openbsd.org 2005/06/30 11:02:37
1645 allow SUDO=sudo; from Alexander Bluhm
1646 - grunk@cvs.openbsd.org 2005/11/14 21:25:56
1647 [regress/agent-getpeereid.sh]
1648 all other scripts in this dir use $SUDO, not 'sudo', so pull this even
1650 - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
1651 [regress/scp-ssh-wrapper.sh]
1652 Fix assumption about how many args scp will pass; ok djm@
1653 NB. ID sync only, we already had this
1654 - djm@cvs.openbsd.org 2006/01/27 06:49:21
1656 regress test for local to local scp copies; ok dtucker@
1657 - djm@cvs.openbsd.org 2006/01/31 10:23:23
1659 regression test for CVE-2006-0225 written by dtucker@
1660 - djm@cvs.openbsd.org 2006/01/31 10:36:33
1662 regress test for "scp a b c" where "c" is not a directory
1665 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
1666 opensshd.init script interpretter if /sbin/sh does not exist. ok tim@
1669 - (dtucker) OpenBSD CVS Sync
1670 - jmc@cvs.openbsd.org 2006/01/15 17:37:05
1672 correction from deraadt
1673 - jmc@cvs.openbsd.org 2006/01/18 10:53:29
1675 add a section on ssh-based vpn, based on reyk's README.tun;
1676 - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
1677 [scp.1 ssh.1 ssh_config.5 sftp.1]
1678 Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
1679 #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
1682 - (djm) OpenBSD CVS Sync
1683 - jmc@cvs.openbsd.org 2006/01/06 13:27:32
1685 weed out some duplicate info in the known_hosts FILES entries;
1687 - jmc@cvs.openbsd.org 2006/01/06 13:29:10
1689 final round of whacking FILES for duplicate info, and some consistency
1692 - jmc@cvs.openbsd.org 2006/01/12 14:44:12
1694 split sections on tcp and x11 forwarding into two sections.
1695 add an example in the tcp section, based on sth i wrote for ssh faq;
1696 help + ok: djm markus dtucker
1697 - jmc@cvs.openbsd.org 2006/01/12 18:48:48
1699 refer to `TCP' rather than `TCP/IP' in the context of connection
1702 - jmc@cvs.openbsd.org 2006/01/12 22:20:00
1704 refer to TCP forwarding, rather than TCP/IP forwarding;
1705 - jmc@cvs.openbsd.org 2006/01/12 22:26:02
1707 refer to TCP forwarding, rather than TCP/IP forwarding;
1708 - jmc@cvs.openbsd.org 2006/01/12 22:34:12
1710 back out a sentence - AUTHENTICATION already documents this;
1713 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
1714 tcpip service so it's always started after IP is up. Patch from
1715 vinschen at redhat.com.
1718 - (djm) OpenBSD CVS Sync
1719 - jmc@cvs.openbsd.org 2006/01/03 16:31:10
1721 move FILES to a -compact list, and make each files an item in that list.
1722 this avoids nastly line wrap when we have long pathnames, and treats
1723 each file as a separate item;
1724 remove the .Pa too, since it is useless.
1725 - jmc@cvs.openbsd.org 2006/01/03 16:35:30
1727 use a larger width for the ENVIRONMENT list;
1728 - jmc@cvs.openbsd.org 2006/01/03 16:52:36
1730 put FILES in some sort of order: sort by pathname
1731 - jmc@cvs.openbsd.org 2006/01/03 16:55:18
1733 tweak the description of ~/.ssh/environment
1734 - jmc@cvs.openbsd.org 2006/01/04 18:42:46
1736 chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
1739 - jmc@cvs.openbsd.org 2006/01/04 18:45:01
1741 remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
1742 - jmc@cvs.openbsd.org 2006/01/04 19:40:24
1744 +.Xr ssh-keyscan 1 ,
1745 - jmc@cvs.openbsd.org 2006/01/04 19:50:09
1748 - djm@cvs.openbsd.org 2006/01/05 23:43:53
1750 check that stdio file descriptors are actually closed before clobbering
1751 them in sanitise_stdfd(). problems occurred when a lower numbered fd was
1752 closed, but higher ones weren't. spotted by, and patch tested by
1756 - (djm) [channels.c] clean up harmless merge error, from reyk@
1759 - (djm) OpenBSD CVS Sync
1760 - jmc@cvs.openbsd.org 2006/01/02 17:09:49
1761 [ssh_config.5 sshd_config.5]
1762 some corrections from michael knudsen;
1765 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
1766 - (djm) OpenBSD CVS Sync
1767 - jmc@cvs.openbsd.org 2005/12/31 10:46:17
1769 merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
1770 AUTHENTICATION" sections into "AUTHENTICATION";
1771 some rewording done to make the text read better, plus some
1772 improvements from djm;
1774 - jmc@cvs.openbsd.org 2005/12/31 13:44:04
1776 clean up ENVIRONMENT a little;
1777 - jmc@cvs.openbsd.org 2005/12/31 13:45:19
1779 .Nm does not require an argument;
1780 - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
1782 move <net/if.h>; ok djm@
1783 - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
1785 no trailing "\n" for debug()
1786 - djm@cvs.openbsd.org 2006/01/02 01:20:31
1787 [sftp-client.c sftp-common.h sftp-server.c]
1788 use a common max. packet length, no binary change
1789 - reyk@cvs.openbsd.org 2006/01/02 07:53:44
1791 clarify tun(4) opening - set the mode and bring the interface up. also
1792 (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
1793 suggested and ok by djm@
1794 - jmc@cvs.openbsd.org 2006/01/02 12:31:06
1796 start to cut some duplicate info from FILES;
1800 - (djm) [Makefile.in configure.ac includes.h misc.c]
1801 [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
1802 for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
1803 limited to IPv4 tunnels only, and most versions don't support the
1804 tap(4) device at all.
1805 - (djm) [configure.ac] Fix linux/if_tun.h test
1806 - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
1809 - (djm) OpenBSD CVS Sync
1810 - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
1811 [canohost.c channels.c clientloop.c]
1812 use 'break-in' for consistency; ok deraadt@ ok and input jmc@
1813 - reyk@cvs.openbsd.org 2005/12/30 15:56:37
1814 [channels.c channels.h clientloop.c]
1815 add channel output filter interface.
1816 ok djm@, suggested by markus@
1817 - jmc@cvs.openbsd.org 2005/12/30 16:59:00
1819 do not suggest that interactive authentication will work
1821 based on a diff from john l. scarfone;
1823 - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
1825 document -MM; ok djm@
1826 - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
1827 [serverloop.c ssh.c openbsd-compat/Makefile.in]
1828 [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
1829 compatability support for Linux, diff from reyk@
1830 - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
1832 - (djm) [configure.ac] oops, make that linux/if_tun.h
1835 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
1838 - (djm) OpenBSD CVS Sync
1839 - jmc@cvs.openbsd.org 2005/12/20 21:59:43
1841 merge the sections on protocols 1 and 2 into one section on
1843 feedback djm dtucker
1844 ok deraadt markus dtucker
1845 - jmc@cvs.openbsd.org 2005/12/20 22:02:50
1847 .Ss -> .Sh: subsections have not made this page more readable
1848 - jmc@cvs.openbsd.org 2005/12/20 22:09:41
1850 move info on ssh return values and config files up into the main
1852 - jmc@cvs.openbsd.org 2005/12/21 11:48:16
1854 -L and -R descriptions are now above, not below, ~C description;
1855 - jmc@cvs.openbsd.org 2005/12/21 11:57:25
1857 options now described `above', rather than `later';
1858 - jmc@cvs.openbsd.org 2005/12/21 12:53:31
1860 -Y does X11 forwarding too;
1862 - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
1864 clarify precedence of -p, Port, ListenAddress; ok and help jmc@
1865 - jmc@cvs.openbsd.org 2005/12/22 10:31:40
1867 put the description of "UsePrivilegedPort" in the correct place;
1868 - jmc@cvs.openbsd.org 2005/12/22 11:23:42
1870 expand the description of -w somewhat;
1872 - jmc@cvs.openbsd.org 2005/12/23 14:55:53
1874 - sync the description of -e w/ synopsis
1875 - simplify the description of -I
1876 - note that -I is only available if support compiled in, and that it
1879 - jmc@cvs.openbsd.org 2005/12/23 23:46:23
1881 less mark up for -c;
1882 - djm@cvs.openbsd.org 2005/12/24 02:27:41
1884 eliminate some code duplicated in privsep and non-privsep paths, and
1885 explicitly clear SIGALRM handler; "groovy" deraadt@
1888 - (dtucker) OpenBSD CVS Sync
1889 - reyk@cvs.openbsd.org 2005/12/13 15:03:02
1891 if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
1892 - jmc@cvs.openbsd.org 2005/12/16 18:07:08
1894 move the option descriptions up the page: start of a restructure;
1896 - jmc@cvs.openbsd.org 2005/12/16 18:08:53
1898 simplify a sentence;
1899 - jmc@cvs.openbsd.org 2005/12/16 18:12:22
1901 make the description of -c a little nicer;
1902 - jmc@cvs.openbsd.org 2005/12/16 18:14:40
1904 signpost the protocol sections;
1905 - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
1906 [ssh_config.5 session.c]
1907 spelling: fowarding, fowarded
1908 - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
1910 spelling: intented -> intended
1911 - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
1913 exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
1916 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
1917 openbsd-compat/openssl-compat.h] Check for and work around broken AES
1918 ciphers >128bit on (some) Solaris 10 systems. ok djm@
1921 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
1922 scp.c also uses, so undef them here.
1923 - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
1924 snprintf replacement can have a conflicting declaration in HP-UX's system
1925 headers (const vs. no const) so we now check for and work around it. Patch
1926 from the dynamic duo of David Leonard and Ted Percival.
1929 - (dtucker) OpenBSD CVS Sync (regress/)
1930 - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
1931 [regress/scp-ssh-wrapper.sh]
1932 Fix assumption about how many args scp will pass; ok djm@
1935 - (djm) OpenBSD CVS Sync
1936 - jmc@cvs.openbsd.org 2005/11/30 11:18:27
1938 timezone -> time zone
1939 - jmc@cvs.openbsd.org 2005/11/30 11:45:20
1941 avoid ambiguities in describing TZ;
1943 - reyk@cvs.openbsd.org 2005/12/06 22:38:28
1944 [auth-options.c auth-options.h channels.c channels.h clientloop.c]
1945 [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
1946 [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
1947 [sshconnect.h sshd.8 sshd_config sshd_config.5]
1948 Add support for tun(4) forwarding over OpenSSH, based on an idea and
1949 initial channel code bits by markus@. This is a simple and easy way to
1950 use OpenSSH for ad hoc virtual private network connections, e.g.
1951 administrative tunnels or secure wireless access. It's based on a new
1952 ssh channel and works similar to the existing TCP forwarding support,
1953 except that it depends on the tun(4) network interface on both ends of
1954 the connection for layer 2 or layer 3 tunneling. This diff also adds
1955 support for LocalCommand in the ssh(1) client.
1956 ok djm@, markus@, jmc@ (manpages), tested and discussed with others
1957 - djm@cvs.openbsd.org 2005/12/07 03:52:22
1959 reyk forgot to compile with -Werror (missing header)
1960 - jmc@cvs.openbsd.org 2005/12/07 10:52:13
1962 - avoid line split in SYNOPSIS
1964 - kill trailing whitespace
1965 - jmc@cvs.openbsd.org 2005/12/08 14:59:44
1966 [ssh.1 ssh_config.5]
1967 make `!command' a little clearer;
1969 - jmc@cvs.openbsd.org 2005/12/08 15:06:29
1971 keep options in order;
1972 - reyk@cvs.openbsd.org 2005/12/08 18:34:11
1973 [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
1974 [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
1975 two changes to the new ssh tunnel support. this breaks compatibility
1976 with the initial commit but is required for a portable approach.
1977 - make the tunnel id u_int and platform friendly, use predefined types.
1978 - support configuration of layer 2 (ethernet) or layer 3
1979 (point-to-point, default) modes. configuration is done using the
1980 Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
1981 restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
1983 ok djm@, man page bits by jmc@
1984 - jmc@cvs.openbsd.org 2005/12/08 21:37:50
1986 new sentence, new line;
1987 - markus@cvs.openbsd.org 2005/12/12 13:46:18
1988 [channels.c channels.h session.c]
1989 make sure protocol messages for internal channels are ignored.
1990 allow adjust messages for non-open channels; with and ok djm@
1991 - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
1992 again by providing a sys_tun_open() function for your platform and
1993 setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match
1994 OpenBSD's tunnel protocol, which prepends the address family to the
1998 - (djm) [envpass.sh] Remove regress script that was accidentally committed
1999 in top level directory and not noticed for over a year :)
2002 - (tim) [ssh-keygen.c] Move DSA length test after setting default when
2004 - (dtucker) OpenBSD CVS Sync
2005 - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
2007 Populate default key sizes before checking them; from & ok tim@
2008 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
2012 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
2013 versions of GNU head. Based on patch from zappaman at buraphalinux.org
2014 - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
2015 _GNU_SOURCE instead. Patch from t8m at centrum.cz.
2016 - (dtucker) OpenBSD CVS Sync
2017 - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
2018 [ssh-keygen.1 ssh-keygen.c]
2019 Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
2020 increase minumum RSA key size to 768 bits and update man page to reflect
2021 these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
2022 ok djm@, grudging ok deraadt@.
2023 - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
2025 Update agent socket path templates to reflect reality, correct xref for
2026 time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@
2029 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
2030 when they're available) need the real UID set otherwise pam_chauthtok will
2031 set ADMCHG after changing the password, forcing the user to change it
2035 - (dtucker) [configure.ac] Apply tim's fix for older systems where the
2036 resolver state in resolv.h is "state" not "__res_state". With slight
2037 modification by me to also work on old AIXes. ok djm@
2038 - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
2039 snprintf formats, fixes warnings on some 64 bit platforms. Patch from
2040 shaw at vranix.com, ok djm@
2043 - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c
2044 openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an
2045 asprintf() implementation, after syncing our {v,}snprintf() implementation
2046 with some extra fixes from Samba's version. With help and debugging from
2047 dtucker and tim; ok dtucker@
2048 - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
2049 order in Reliant Unix block. Patch from johane at lysator.liu.se.
2050 - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
2051 many and use them only once. Speeds up testing on older/slower hardware.
2054 - (dtucker) OpenBSD CVS Sync
2055 - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
2058 - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
2060 avoid close(-1), as in rcp; ok cloder
2061 - millert@cvs.openbsd.org 2005/11/15 11:59:54
2063 Include sys/queue.h explicitly instead of assuming some other header
2064 will pull it in. At the moment it gets pulled in by sys/select.h
2065 (which ssh has no business including) via event.h. OK markus@
2066 (ID sync only in -portable)
2067 - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
2069 Perform Kerberos calls even for invalid users to prevent leaking
2070 information about account validity. bz #975, patch originally from
2071 Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
2073 - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
2075 Correct format/arguments to debug call; spotted by shaw at vranix.com
2077 - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
2078 from shaw at vranix.com.
2081 - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
2085 - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
2086 ifdef lost during sync. Spotted by tim@.
2087 - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
2088 - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
2089 - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@
2090 - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
2091 test: if sshd takes too long to reconfigure the subsequent connection will
2092 fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready.
2095 - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
2096 OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
2098 - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
2099 unnecessary prototype.
2100 - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
2102 - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
2104 - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
2105 since they're not useful right now. Patch from djm@.
2106 - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
2107 prototypes, removal of "register").
2108 - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
2110 - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
2111 after the copyright notices. Having them at the top next to the CVSIDs
2112 guarantees a conflict for each and every sync.
2113 - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
2114 - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
2115 - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
2116 Removal of rcsid, "whiteout" inode type.
2117 - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
2118 Removal of rcsid, will no longer strlcpy parts of the string.
2119 - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
2120 - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
2121 - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
2122 - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
2123 - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
2124 - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
2125 - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
2126 - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
2127 with OpenBSD code since we don't support platforms without fstat any more.
2128 - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
2129 - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
2130 - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
2131 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
2132 - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
2133 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
2134 - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
2135 - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
2136 - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
2137 - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
2138 - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
2139 Id and copyright sync only, there were no substantial changes we need.
2140 - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
2141 -Wsign-compare fixes from djm.
2142 - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
2143 Id and copyright sync only, there were no substantial changes we need.
2144 - (dtucker) [configure.ac] Try to get the gcc version number in a way that
2145 doesn't change between versions, and use a safer default.
2148 - (djm) OpenBSD CVS Sync
2149 - markus@cvs.openbsd.org 2005/10/07 11:13:57
2151 change DSA default back to 1024, as it's defined for 1024 bits only
2152 and this causes interop problems with other clients. moreover,
2153 in order to improve the security of DSA you need to change more
2154 components of DSA key generation (e.g. the internal SHA1 hash);
2156 - djm@cvs.openbsd.org 2005/10/10 10:23:08
2157 [channels.c channels.h clientloop.c serverloop.c session.c]
2158 fix regression I introduced in 4.2: X11 forwardings initiated after
2159 a session has exited (e.g. "(sleep 5; xterm) &") would not start.
2160 bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
2161 - djm@cvs.openbsd.org 2005/10/11 23:37:37
2163 bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing
2164 bind() failure when a previous connection's listeners are in TIME_WAIT,
2165 reported by plattner AT inf.ethz.ch; ok dtucker@
2166 - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
2167 [auth2-gss.c gss-genr.c gss-serv.c]
2168 remove unneeded #includes; ok markus@
2169 - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
2171 spelling in comments
2172 - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
2173 [gss-serv-krb5.c gss-serv.c]
2174 unused declarations; ok deraadt@
2175 (id sync only for gss-serv-krb5.c)
2176 - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
2178 unneeded #include, unused declaration, little knf; ok deraadt@
2179 - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
2180 [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
2182 - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
2183 [ssh-keygen.c ssh.c sshconnect2.c]
2184 no trailing "\n" for log functions; ok djm@
2185 - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
2186 [channels.c clientloop.c]
2187 free()->xfree(); ok djm@
2188 - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
2190 make external definition static; ok deraadt@
2191 - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
2193 fix memory leaks from 2 sources:
2194 1) key_fingerprint_raw()
2195 2) malloc in dns_read_rdata()
2197 - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
2199 remove #ifdef LWRES; ok jakob@
2200 - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
2202 more cleanups; ok jakob@
2203 - djm@cvs.openbsd.org 2005/10/30 01:23:19
2205 mention control socket fallback behaviour, reported by
2206 tryponraj AT gmail.com
2207 - djm@cvs.openbsd.org 2005/10/30 04:01:03
2209 make ssh-keygen discard junk from server before SSH- ident, spotted by
2210 dave AT cirt.net; ok dtucker@
2211 - djm@cvs.openbsd.org 2005/10/30 04:03:24
2213 fix misleading debug message; ok dtucker@
2214 - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
2216 Check for connections with IP options earlier and drop silently. ok djm@
2217 - jmc@cvs.openbsd.org 2005/10/30 08:43:47
2219 remove trailing whitespace;
2220 - djm@cvs.openbsd.org 2005/10/30 08:52:18
2221 [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
2222 [ssh.c sshconnect.c sshconnect1.c sshd.c]
2223 no need to escape single quotes in comments, no binary change
2224 - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
2226 Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
2227 - djm@cvs.openbsd.org 2005/10/31 11:12:49
2228 [ssh-keygen.1 ssh-keygen.c]
2229 generate a protocol 2 RSA key by default
2230 - djm@cvs.openbsd.org 2005/10/31 11:48:29
2232 make sure we clean up wtmp, etc. file when we receive a SIGTERM,
2233 SIGINT or SIGQUIT when running without privilege separation (the
2234 normal privsep case is already OK). Patch mainly by dtucker@ and
2235 senthilkumar_sen AT hotpop.com; ok dtucker@
2236 - jmc@cvs.openbsd.org 2005/10/31 19:55:25
2239 - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
2241 Cache reverse lookups with and without DNS separately; ok markus@
2242 - djm@cvs.openbsd.org 2005/11/04 05:15:59
2243 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
2244 remove hardcoded hash lengths in key exchange code, allowing
2245 implementation of KEX methods with different hashes (e.g. SHA-256);
2246 ok markus@ dtucker@ stevesk@
2247 - djm@cvs.openbsd.org 2005/11/05 05:01:15
2249 Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
2250 cs.stanford.edu; ok dtucker@
2251 - (dtucker) [README.platform] Add PAM section.
2252 - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
2253 resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
2257 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
2258 Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
2262 - (djm) [contrib/suse/openssh.spec contrib/suse/rc.
2263 sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init
2264 files from imorgan AT nas.nasa.gov
2265 - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is
2266 enabled, instead allow PAM to handle it. Note that on platforms using PAM,
2267 the pam_nologin module should be added to sshd's session stack in order to
2268 maintain exising behaviour. Based on patch and discussion from t8m at
2272 - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
2273 sizeof(long long) checks, to make fixing bug #1104 easier (no changes
2275 - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
2276 understand "%lld", even though the compiler has "long long", so handle
2277 it as a special case. Patch tested by mcaskill.scott at epa.gov.
2278 - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
2279 prompt. Patch from vinschen at redhat.com.
2282 - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
2283 /etc/default/login report and testing from aabaker at iee.org, corrections
2287 - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
2288 versions from OpenBSD. ok djm@
2291 - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
2292 brian.smith at agilent com.
2293 - (djm) [configure.ac] missing 'test' call for -with-Werror test
2296 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
2297 "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
2298 senthilkumar_sen at hotpop.com.
2301 - (dtucker) OpenBSD CVS Sync
2302 - markus@cvs.openbsd.org 2005/09/07 08:53:53
2304 enforce chanid != NULL; ok djm
2305 - markus@cvs.openbsd.org 2005/09/09 19:18:05
2307 typo; from mark at mcs.vuw.ac.nz, bug #1082
2308 - djm@cvs.openbsd.org 2005/09/13 23:40:07
2309 [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
2310 scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
2311 ensure that stdio fds are attached; ok deraadt@
2312 - djm@cvs.openbsd.org 2005/09/19 11:37:34
2313 [ssh_config.5 ssh.1]
2314 mention ability to specify bind_address for DynamicForward and -D options;
2315 bz#1077 spotted by Haruyama Seigo
2316 - djm@cvs.openbsd.org 2005/09/19 11:47:09
2318 stop connection abort on rekey with delayed compression enabled when
2319 post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
2320 - djm@cvs.openbsd.org 2005/09/19 11:48:10
2323 - jmc@cvs.openbsd.org 2005/09/19 15:38:27
2325 some more .Bk/.Ek to avoid ugly line split;
2326 - jmc@cvs.openbsd.org 2005/09/19 15:42:44
2328 update -D usage here too;
2329 - djm@cvs.openbsd.org 2005/09/19 23:31:31
2331 spelling nit from stevesk@
2332 - djm@cvs.openbsd.org 2005/09/21 23:36:54
2334 aquire -> acquire, from stevesk@
2335 - djm@cvs.openbsd.org 2005/09/21 23:37:11
2337 change label at markus@'s request
2338 - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
2340 deploy .An -nosplit; ok jmc
2341 - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
2343 Relocate check_ip_options call to prevent logging of garbage for
2344 connections with IP options set. bz#1092 from David Leonard,
2345 "looks good" deraadt@
2346 - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
2347 is required in the system path for the multiplex test to work.
2350 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
2351 for strtoll. Patch from o.flebbe at science-computing.de.
2352 - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
2353 child during PAM account check without clearing it. This restores the
2354 post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
2355 with help from several others.
2358 - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
2359 introduced during sync.
2362 - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
2363 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
2364 PAM via keyboard-interactive. Patch tested by the folks at Vintela.
2367 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
2368 calls, since they can't possibly fail. ok djm@
2369 - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
2370 process when sshd relies on ssh-random-helper. Should result in faster
2371 logins on systems without a real random device or prngd. ok djm@
2374 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
2375 duplicate call. ok djm@
2378 - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
2379 skeleten at shillest.net.
2380 - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
2384 - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
2385 AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
2389 - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
2393 - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
2394 OpenServer 6 and add osr5bigcrypt support so when someone migrates
2395 passwords between UnixWare and OpenServer they will still work. OK dtucker@
2398 - (djm) Update RPM spec file versions
2401 - (djm) OpenBSD CVS Sync
2402 - djm@cvs.openbsd.org 2005/08/30 22:08:05
2403 [gss-serv.c sshconnect2.c]
2404 destroy credentials if krb5_kuserok() call fails. Stops credentials being
2405 delegated to users who are not authorised for GSSAPIAuthentication when
2406 GSSAPIDeletegateCredentials=yes and another authentication mechanism
2407 succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
2408 simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
2409 - markus@cvs.openbsd.org 2005/08/31 09:28:42
2412 - (dtucker) [README] Update release note URL to 4.2
2413 - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
2414 openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
2415 libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
2416 Feedback and OK dtucker@
2419 - (tim) [configure.ac] Back out last change. It needs to be done differently.
2422 - (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long
2423 password support to 7.x for now.
2426 - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c
2427 openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
2428 openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c
2429 openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char)
2430 on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing
2431 by tim@. Feedback and OK dtucker@
2434 - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully-
2435 qualified sshd pathname since some systems (eg Cygwin) may consider "/foo"
2436 and "//foo" to be different. Spotted by vinschen at redhat.com.
2437 - (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements
2439 - (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@
2442 - (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for
2443 LynxOS, patch from Olli Savia (ops at iki.fi). ok djm@
2446 - (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE,
2447 from Jacob Nevins; ok dtucker@
2450 - (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT
2451 - (tim) [configure.ac] corrections to libedit tests. Report and patches
2452 by skeleten AT shillest.net
2455 - (djm) OpenBSD CVS Sync
2456 - markus@cvs.openbsd.org 2005/07/28 17:36:22
2458 missing packet_init_compression(); from solar
2459 - djm@cvs.openbsd.org 2005/07/30 01:26:16
2461 fix -D listen_host initialisation, so it picks up gateway_ports setting
2463 - djm@cvs.openbsd.org 2005/07/30 02:03:47
2465 listen_hosts initialisation here too; spotted greg AT y2005.nest.cx
2466 - dtucker@cvs.openbsd.org 2005/08/06 10:03:12
2468 Unbreak sshd ListenAddress for bare IPv6 addresses.
2469 Report from Janusz Mucka; ok djm@
2470 - jaredy@cvs.openbsd.org 2005/08/08 13:22:48
2472 sftp prompt enhancements:
2473 - in non-interactive mode, do not print an empty prompt at the end
2475 - print newline after EOF in editline mode
2476 - call el_end() in editline mode
2480 - (dtucker) [configure.ac] Test libedit library and headers for compatibility.
2481 Report from skeleten AT shillest.net, ok djm@
2482 - (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c]
2483 Sync current (thread-safe) version of realpath.c from OpenBSD (which is
2484 in turn based on FreeBSD's). ok djm@
2487 - (tim) [configure.ac] Allow --with-audit=no. OK dtucker@
2488 Report by skeleten AT shillest.net
2491 - (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines
2492 individually and use a value less likely to collide with real values from
2493 netdb.h. Fixes compile warnings on FreeBSD 5.3. ok djm@
2494 - (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the
2495 latter is specified in the standard.
2498 - (dtucker) OpenBSD CVS Sync
2499 - dtucker@cvs.openbsd.org 2005/07/27 10:39:03
2500 [scp.c hostfile.c sftp-client.c]
2501 Silence bogus -Wuninitialized warnings; ok djm@
2502 - (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling
2504 - (dtucker) [configure.ac] Add a --with-Werror option to configure for
2505 adding -Werror to CFLAGS when all of the configure tests are done. ok djm@
2508 - (dtucker) [configure.ac] Update zlib warning message too, pointed out by
2510 - (djm) OpenBSD CVS Sync
2511 - otto@cvs.openbsd.org 2005/07/19 15:32:26
2513 auth_usercheck(3) can return NULL, so check for that. Report from
2515 - markus@cvs.openbsd.org 2005/07/25 11:59:40
2516 [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
2517 [sshconnect2.c sshd.c sshd_config sshd_config.5]
2518 add a new compression method that delays compression until the user
2519 has been authenticated successfully and set compression to 'delayed'
2521 this breaks older openssh clients (< 3.5) if they insist on
2522 compression, so you have to re-enable compression in sshd_config.
2526 - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096.
2530 - djm@cvs.openbsd.org 2005/07/16 01:35:24
2531 [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c]
2534 - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
2535 [cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL
2536 in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
2537 - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line
2538 - djm@cvs.openbsd.org 2005/07/17 06:49:04
2539 [channels.c channels.h session.c session.h]
2540 Fix a number of X11 forwarding channel leaks:
2541 1. Refuse multiple X11 forwarding requests on the same session
2542 2. Clean up all listeners after a single_connection X11 forward, not just
2543 the one that made the single connection
2544 3. Destroy X11 listeners when the session owning them goes away
2545 testing and ok dtucker@
2546 - djm@cvs.openbsd.org 2005/07/17 07:17:55
2547 [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
2548 [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
2549 [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
2550 [sshconnect.c sshconnect2.c]
2551 knf says that a 2nd level indent is four (not three or five) spaces
2552 -(djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]
2553 [ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
2554 - (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls
2557 - (dtucker) [auth-pam.c] Ensure that only one side of the authentication
2558 socketpair stays open on in both the monitor and PAM process. Patch from
2562 - (dtucker) OpenBSD CVS Sync
2563 - dtucker@cvs.openbsd.org 2005/07/06 09:33:05
2565 clarify meaning of ssh -b ; with & ok jmc@
2566 - dtucker@cvs.openbsd.org 2005/07/08 09:26:18
2568 Make comment match code; ok djm@
2569 - markus@cvs.openbsd.org 2005/07/08 09:41:33
2571 race when efd gets closed while there is still buffered data:
2572 change CHANNEL_EFD_OUTPUT_ACTIVE()
2573 1) c->efd must always be valid AND
2574 2a) no EOF has been seen OR
2575 2b) there is buffered data
2576 report, initial fix and testing Chuck Cranor
2577 - dtucker@cvs.openbsd.org 2005/07/08 10:20:41
2579 change BindAddress to match recent ssh -b change; prompted by markus@
2580 - jmc@cvs.openbsd.org 2005/07/08 12:53:10
2582 new sentence, new line;
2583 - dtucker@cvs.openbsd.org 2005/07/14 04:00:43
2585 use __sentinel__ attribute; ok deraadt@ djm@ markus@
2586 - (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the
2587 compiler doesn't understand it to prevent warnings. If any mainstream
2588 compiler versions acquire it we can test for those versions. Based on
2589 discussion with djm@.
2592 - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for
2593 the MIT Kerberos code path into a common function and expand mkstemp
2594 template to be consistent with the rest of OpenSSH. From sxw at
2595 inf.ed.ac.uk, ok djm@
2596 - (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno
2597 in the case where the buffer is insufficient, so always return ENOMEM.
2598 Also pointed out by sxw at inf.ed.ac.uk.
2599 - (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove
2600 calls to krb5_init_ets, which has not been required since krb-1.1.x and
2601 most Kerberos versions no longer export in their public API. From sxw
2602 at inf.ed.ac.uk, ok djm@
2605 - (djm) OpenBSD CVS Sync
2606 - markus@cvs.openbsd.org 2005/07/01 13:19:47
2608 don't free() if getaddrinfo() fails; report mpech@
2609 - djm@cvs.openbsd.org 2005/07/04 00:58:43
2610 [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5]
2611 implement support for X11 and agent forwarding over multiplex slave
2612 connections. Because of protocol limitations, the slave connections inherit
2613 the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
2615 ok dtucker@ "put it in" deraadt@
2616 - jmc@cvs.openbsd.org 2005/07/04 11:29:51
2618 fix Xr and a little grammar;
2619 - markus@cvs.openbsd.org 2005/07/04 14:04:11
2621 don't forget to set x11_saved_display
2624 - (djm) OpenBSD CVS Sync
2625 - djm@cvs.openbsd.org 2005/06/17 22:53:47
2626 [ssh.c sshconnect.c]
2627 Fix ControlPath's %p expanding to "0" for a default port,
2628 spotted dwmw2 AT infradead.org; ok markus@
2629 - djm@cvs.openbsd.org 2005/06/18 04:30:36
2630 [ssh.c ssh_config.5]
2631 allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@
2632 - djm@cvs.openbsd.org 2005/06/25 22:47:49
2634 do the default port filling code a few lines earlier, so it really
2638 - (djm) OpenBSD CVS Sync
2639 - djm@cvs.openbsd.org 2005/05/20 12:57:01;
2640 [auth1.c] split protocol 1 auth methods into separate functions, makes
2641 authloop much more readable; fixes and ok markus@ (portable ok &
2643 - djm@cvs.openbsd.org 2005/06/17 02:44:33
2644 [auth1.c] make this -Wsign-compare clean; ok avsm@ markus@
2645 - (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable,
2646 tested and fixes tim@
2649 - (djm) OpenBSD CVS Sync
2650 - djm@cvs.openbsd.org 2005/06/16 03:38:36
2651 [channels.c channels.h clientloop.c clientloop.h ssh.c]
2652 move x11_get_proto from ssh.c to clientloop.c, to make muliplexed xfwd
2653 easier later; ok deraadt@
2654 - markus@cvs.openbsd.org 2005/06/16 08:00:00
2655 [canohost.c channels.c sshd.c]
2656 don't exit if getpeername fails for forwarded ports; bugzilla #1054;
2658 - djm@cvs.openbsd.org 2005/06/17 02:44:33
2659 [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c]
2660 [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c]
2661 [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c]
2662 [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c]
2663 [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
2664 make this -Wsign-compare clean; ok avsm@ markus@
2665 NB. auth1.c changes not committed yet (conflicts with uncommitted sync)
2666 NB2. more work may be needed to make portable Wsign-compare clean
2667 - (dtucker) [cipher.c openbsd-compat/openbsd-compat.h
2668 openbsd-compat/openssl-compat.c] only include openssl compat stuff where
2669 it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by
2673 - (djm) OpenBSD CVS Sync
2674 - jaredy@cvs.openbsd.org 2005/06/07 13:25:23
2676 catch SIGWINCH and resize progress meter accordingly; ok markus dtucker
2677 - djm@cvs.openbsd.org 2005/06/06 11:20:36
2678 [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c]
2679 introduce a generic %foo expansion function. replace existing % expansion
2680 and add expansion to ControlPath; ok markus@
2681 - djm@cvs.openbsd.org 2005/06/08 03:50:00
2682 [ssh-keygen.1 ssh-keygen.c sshd.8]
2683 increase default rsa/dsa key length from 1024 to 2048 bits;
2685 - djm@cvs.openbsd.org 2005/06/08 11:25:09
2686 [clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
2687 add ControlMaster=auto/autoask options to support opportunistic
2688 multiplexing; tested avsm@ and jakob@, ok markus@
2689 - dtucker@cvs.openbsd.org 2005/06/09 13:43:49
2691 Correctly initialize end of array sentinel; ok djm@
2692 (Id sync only, change already in portable)
2695 - (dtucker) [cipher.c openbsd-compat/Makefile.in
2696 openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}]
2697 Move compatibility code for supporting older OpenSSL versions to the
2698 compat layer. Suggested by and "no objection" djm@
2701 - (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX:
2702 in today's episode we attempt to coax it from limits.h where it may be
2703 hiding, failing that we take the DIY approach. Tested by tim@
2706 - (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't
2707 defined, and check that it helps before keeping it in CFLAGS. Some old
2708 gcc's don't set an error code when encountering an unknown value in -std.
2709 Found and tested by tim@.
2710 - (dtucker) [configure.ac] Point configure's reporting address at the
2711 openssh-unix-dev list. ok tim@ djm@
2714 - (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h.
2715 Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms
2716 to skip builtin standard includes tests. (first AC_CHECK_HEADERS test
2717 must be run on all platforms) Add missing ;; to case statement. OK dtucker@
2720 - (dtucker) [configure.ac] Look for _getshort and _getlong in
2722 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c]
2723 Add strtoll to the compat library, from OpenBSD.
2724 - (dtucker) OpenBSD CVS Sync
2725 - avsm@cvs.openbsd.org 2005/05/26 02:08:05
2727 If copying multiple files to a target file (which normally fails, as it
2728 must be a target directory), kill the spawned ssh child before exiting.
2729 This stops it trying to authenticate and spewing lots of output.
2731 - dtucker@cvs.openbsd.org 2005/05/26 09:08:12
2733 uint32_t -> u_int32_t for consistency; ok djm@
2734 - djm@cvs.openbsd.org 2005/05/27 08:30:37
2736 fix -O for cases where no ControlPath has been specified or socket at
2737 ControlPath is not contactable; spotted by and ok avsm@
2738 - (tim) [config.guess config.sub] Update to '2005-05-27' version.
2739 - (tim) [configure.ac] set TEST_SHELL for OpenServer 6
2742 - (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at
2744 - (dtucker) [mdoc2man.awk] Teach it to understand .Ox.
2747 - (dtucker) [README] Link to new release notes. Beter late than never...
2750 - (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the
2751 argument to passwdexpired to be initialized to NULL. Suggested by tim@
2752 While at it, initialize the other arguments to auth functions in case they
2753 ever acquire this behaviour.
2754 - (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there.
2755 - (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message,
2759 - (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have
2760 one entry per line to make it easier to merge changes. ok djm@
2761 - (dtucker) [configure.ac] strsep() may be defined in string.h, so check
2762 for its presence and include it in the strsep check.
2763 - (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for
2764 its presence before doing AC_FUNC_GETPGRP.
2765 - (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor
2766 version-specific variations as required.
2767 - (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as
2768 per the autoconf man page. Configure should always define them but it
2769 doesn't hurt to check.
2772 - (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by
2773 David Leach; ok dtucker@
2774 - (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c
2775 openbsd-compat/bsd-misc.c] Add support for Ultrix. No, that's not a typo.
2776 Required changes from Bernhard Simon, integrated by me. ok djm@
2779 - (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not
2780 been used for a while
2781 - (djm) OpenBSD CVS Sync
2782 - otto@cvs.openbsd.org 2005/04/05 13:45:31
2784 - djm@cvs.openbsd.org 2005/04/06 09:43:59
2786 avoid harmless logspam by not performing setsockopt() on non-socket;
2788 - dtucker@cvs.openbsd.org 2005/04/06 12:26:06
2790 Fix debug call for port forwards; patch from pete at seebeyond.com,
2791 ok djm@ (ID sync only - change already in portable)
2792 - djm@cvs.openbsd.org 2005/04/09 04:32:54
2793 [misc.c misc.h tildexpand.c Makefile.in]
2794 replace tilde_expand_filename with a simpler implementation, ahead of
2795 more whacking; ok deraadt@
2796 - jmc@cvs.openbsd.org 2005/04/14 12:30:30
2798 arg to -b is an address, not if_name;
2800 - jakob@cvs.openbsd.org 2005/04/20 10:05:45
2802 do not try to look up SSHFP for numerical hostname. ok djm@
2803 - djm@cvs.openbsd.org 2005/04/21 06:17:50
2804 [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
2805 [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
2806 variable, so don't say that we do (bz #623); ok deraadt@
2807 - djm@cvs.openbsd.org 2005/04/21 11:47:19
2809 don't allocate a pty when -n flag (/dev/null stdin) is set, patch from
2810 ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@
2811 - dtucker@cvs.openbsd.org 2005/04/23 23:43:47
2813 Add debug message if read_passphrase can't open /dev/tty; bz #471;
2815 - jmc@cvs.openbsd.org 2005/04/26 12:59:02
2817 spelling correction in comment from wiz@netbsd;
2818 - jakob@cvs.openbsd.org 2005/04/26 13:08:37
2819 [ssh.c ssh_config.5]
2820 fallback gracefully if client cannot connect to ControlPath. ok djm@
2821 - moritz@cvs.openbsd.org 2005/04/28 10:17:56
2822 [progressmeter.c ssh-keyscan.c]
2823 add snprintf checks. ok djm@ markus@
2824 - markus@cvs.openbsd.org 2005/05/02 21:13:22
2827 - djm@cvs.openbsd.org 2005/05/10 10:28:11
2829 print nice error message for EADDRINUSE as well (ID sync only)
2830 - djm@cvs.openbsd.org 2005/05/10 10:30:43
2832 report real errors on fallback from ControlMaster=no to normal connect
2833 - markus@cvs.openbsd.org 2005/05/16 15:30:51
2834 [readconf.c servconf.c]
2835 check return value from strdelim() for NULL (AddressFamily); mpech
2836 - djm@cvs.openbsd.org 2005/05/19 02:39:55
2838 sort config options, from grunk AT pestilenz.org; ok jmc@
2839 - djm@cvs.openbsd.org 2005/05/19 02:40:52
2841 whitespace nit, from grunk AT pestilenz.org
2842 - djm@cvs.openbsd.org 2005/05/19 02:42:26
2844 fix cast, from grunk AT pestilenz.org
2845 - djm@cvs.openbsd.org 2005/05/20 10:50:55
2847 give a ProxyCommand example using nc(1), with and ok jmc@
2848 - jmc@cvs.openbsd.org 2005/05/20 11:23:32
2850 oops - article and spacing;
2851 - avsm@cvs.openbsd.org 2005/05/23 22:44:01
2852 [moduli.c ssh-keygen.c]
2853 - removes signed/unsigned comparisons in moduli generation
2854 - use strtonum instead of atoi where its easier
2855 - check some strlcpy overflow and fatal instead of truncate
2856 - djm@cvs.openbsd.org 2005/05/23 23:32:46
2857 [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
2858 add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
2860 - avsm@cvs.openbsd.org 2005/05/24 02:05:09
2862 some style nits from dmiller@, and use a fatal() instead of a printf()/exit
2863 - avsm@cvs.openbsd.org 2005/05/24 17:32:44
2864 [atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c]
2865 [ssh-keyscan.c sshconnect.c]
2866 Switch atomicio to use a simpler interface; it now returns a size_t
2867 (containing number of bytes read/written), and indicates error by
2868 returning 0. EOF is signalled by errno==EPIPE.
2869 Typical use now becomes:
2871 if (atomicio(read, ..., len) != len)
2874 ok deraadt@, cloder@, djm@
2875 - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on
2877 - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
2878 warning: dereferencing type-punned pointer will break strict-aliasing rules
2879 warning: passing arg 3 of `pam_get_item' from incompatible pointer type
2880 The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@
2881 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide
2882 templates for _getshort and _getlong if missing to prevent compiler warnings
2884 - (djm) [configure.ac openbsd-compat/Makefile.in]
2885 [openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c]
2886 Add strtonum(3) from OpenBSD libc, new code needs it.
2887 Unfortunately Linux forces us to do a bizarre dance with compiler
2888 options to get LLONG_MIN/MAX; Spotted by and ok dtucker@
2891 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
2892 [contrib/suse/openssh.spec] Update spec file versions to 4.1p1
2893 - (dtucker) [auth-pam.c] Since people don't seem to be getting the message
2894 that USE_POSIX_THREADS is unsupported, not recommended and generally a bad
2895 idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK. Attempting to use
2896 USE_POSIX_THREADS will now generate an error so we don't silently change
2898 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory
2899 allocation when retrieving core Windows environment. Add CYGWIN variable
2900 to propagated variables. Patch from vinschen at redhat.com, ok djm@
2904 - (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure
2905 terminal modes are reset correctly. Fix from peak AT argo.troja.mff.cuni.cz;
2909 - (tim) [buildpkg.sh.in] missing ${PKG_INSTALL_ROOT} in init script
2910 hard link section. Bug 1038.
2913 - (dtucker) [contrib/cygwin/ssh-host-config] Add a test and warning for a
2914 user-mode mounts in Cygwin installation. Patch from vinschen at redhat.com.
2917 - (djm) [ssh.c] some systems return EADDRINUSE on a bind to an already-used
2918 unix domain socket, so catch that too; from jakob@ ok dtucker@
2921 - (dtucker) [canohost.c] normalise socket addresses returned by
2922 get_remote_hostname(). This means that IPv4 addresses in log messages
2923 on IPv6 enabled machines will no longer be prefixed by "::ffff:" and
2924 AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style
2925 addresses only for 4-in-6 mapped connections, regardless of whether
2926 or not the machine is IPv6 enabled. ok djm@
2929 - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the
2930 existence of a process since it's more portable. Found by jbasney at
2931 ncsa.uiuc.edu; ok tim@
2932 - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh
2933 will clean up anyway. From tim@
2934 - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running
2935 "make tests" works even if you're building on a filesystem that doesn't
2936 support sockets. From deengert at anl.gov, ok djm@
2939 - (dtucker) [INSTALL configure.ac] Make zlib version check test for 1.1.4 or
2940 1.2.1.2 or higher. With tim@, ok djm@
2943 - (tim) [config.guess] Add support for OpenServer 6.
2946 - (dtucker) [session.c] Bug #1024: Don't check pam_session_is_open if
2947 UseLogin is set as PAM is not used to establish credentials in that
2948 case. Found by Michael Selvesteen, ok djm@
2951 - (dtucker) [INSTALL] Reference README.privsep for the privilege separation
2952 requirements. Pointed out by Bengt Svensson.
2953 - (dtucker) [INSTALL] Put the s/key text and URL back together.
2954 - (dtucker) [INSTALL] Fix s/key text too.
2957 - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME
2960 - (dtucker) [configure.ac] Define HAVE_SO_PEERCRED if we have it. ok djm@
2961 - (dtucker) [auth-sia.c] Constify sys_auth_passwd, fixes build error on
2962 Tru64. Patch from cmadams at hiwaay.net.
2963 - (dtucker) [auth-passwd.c auth-sia.h] Remove duplicate definitions of
2964 sys_auth_passwd, pointed out by cmadams at hiwaay.net.
2967 - (djm) OpenBSD CVS Sync
2968 - deraadt@cvs.openbsd.org 2005/03/31 18:39:21
2970 copy argv[] element instead of smashing the one that ps will see; ok otto
2971 - djm@cvs.openbsd.org 2005/04/02 12:41:16
2973 since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror
2975 - (dtucker) [monitor.c] Don't free buffers in audit functions, monitor_read
2976 will free as needed. ok tim@ djm@
2979 - (dtucker) OpenBSD CVS Sync
2980 - jmc@cvs.openbsd.org 2005/03/16 11:10:38
2982 get the syntax right for {Local,Remote}Forward;
2983 based on a diff from markus;
2984 problem report from ponraj;
2985 ok dtucker@ markus@ deraadt@
2986 - markus@cvs.openbsd.org 2005/03/16 21:17:39
2989 - jmc@cvs.openbsd.org 2005/03/18 17:05:00
2992 - (dtucker) [auth.h sshd.c openbsd-compat/port-aix.c] Bug #1006: fix bug in
2993 handling of password expiry messages returned by AIX's authentication
2994 routines, originally reported by robvdwal at sara.nl.
2995 - (dtucker) [ssh.c] Prevent null pointer deref in port forwarding debug
2996 message on some platforms. Patch from pete at seebeyond.com via djm.
2997 - (dtucker) [monitor.c] Remaining part of fix for bug #1006.
3000 - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're
3001 interested in which is much faster in large (eg LDAP or NIS) environments.
3002 Patch from dleonard at vintela.com.
3005 - (dtucker) [configure.ac] Prevent configure --with-zlib from adding -Iyes
3006 and -Lyes to CFLAGS and LIBS. Pointed out by peter at slagheap.net,
3008 - (dtucker) [configure.ac] Make configure error out if the user specifies
3009 --with-libedit but the required libs can't be found, rather than silently
3010 ignoring and continuing. ok tim@
3011 - (dtucker) [configure.ac openbsd-compat/port-aix.h] Prevent redefinitions
3012 of setauthdb on AIX 5.3, reported by anders.liljegren at its.uu.se.
3015 - (tim) [configure.ac] Bug 998. Make path for --with-opensc optional.
3016 Make --without-opensc work.
3017 - (tim) [configure.ac] portability changes on test statements. Some shells
3018 have problems with -a operator.
3019 - (tim) [configure.ac] make some configure options a little more error proof.
3020 - (tim) [configure.ac] remove trailing white space.
3023 - (dtucker) OpenBSD CVS Sync
3024 - dtucker@cvs.openbsd.org 2005/03/10 10:15:02
3026 Check listen addresses for null, prevents xfree from dying during
3027 ClearAllForwardings (bz #996). From Craig Leres, ok markus@
3028 - deraadt@cvs.openbsd.org 2005/03/10 22:01:05
3029 [misc.c ssh-keygen.c servconf.c clientloop.c auth-options.c ssh-add.c
3030 monitor.c sftp-client.c bufaux.h hostfile.c ssh.c sshconnect.c channels.c
3031 readconf.c bufaux.c sftp.c]
3033 - deraadt@cvs.openbsd.org 2005/03/10 22:40:38
3036 - markus@cvs.openbsd.org 2005/03/11 14:59:06
3038 typo, missing \n; mpech
3039 - jmc@cvs.openbsd.org 2005/03/12 11:55:03
3041 escape `.' at eol to avoid double spacing issues;
3042 - dtucker@cvs.openbsd.org 2005/03/14 10:09:03
3044 Correct description of -H (bz #997); ok markus@, punctuation jmc@
3045 - dtucker@cvs.openbsd.org 2005/03/14 11:44:42
3047 Populate host for log message for logins denied by AllowUsers and
3048 DenyUsers (bz #999); ok markus@ (patch by tryponraj at gmail.com)
3049 - markus@cvs.openbsd.org 2005/03/14 11:46:56
3050 [buffer.c buffer.h channels.c]
3051 limit input buffer size for channels; bugzilla #896; with and ok dtucker@
3052 - (tim) [contrib/caldera/openssh.spec] links in rc?.d were getting trashed
3056 - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
3057 localized name of the local administrators group more reliable. From
3058 vinschen at redhat.com.
3061 - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug
3062 output ends up in the client's output, causing regress failures. Found
3063 by Corinna Vinschen.
3066 - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64
3067 so that regress tests behave. From Chris Adams.
3068 - (djm) OpenBSD CVS Sync
3069 - jmc@cvs.openbsd.org 2005/03/07 23:41:54
3070 [ssh.1 ssh_config.5]
3071 more macro simplification;
3072 - djm@cvs.openbsd.org 2005/03/08 23:49:48
3075 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
3076 [contrib/suse/openssh.spec] Update spec file versions
3077 - (djm) [log.c] Fix dumb syntax error; ok dtucker@
3078 - (djm) Release OpenSSH 4.0p1
3081 - (dtucker) [configure.ac] Disable gettext search when configuring with
3082 BSM audit support for the time being. ok djm@
3083 - (dtucker) OpenBSD CVS Sync (regress/)
3084 - fgsch@cvs.openbsd.org 2004/12/10 01:31:30
3085 [Makefile sftp-glob.sh]
3086 some globbing regress; prompted and ok djm@
3087 - david@cvs.openbsd.org 2005/01/14 04:21:18
3088 [Makefile test-exec.sh]
3089 pass the SUDO make variable to the individual sh tests; ok dtucker@ markus@
3090 - dtucker@cvs.openbsd.org 2005/02/27 11:33:30
3091 [multiplex.sh test-exec.sh sshd-log-wrapper.sh]
3092 Add optional capability to log output from regress commands; ok markus@
3093 Use with: make TEST_SSH_LOGFILE=/tmp/regress.log
3094 - djm@cvs.openbsd.org 2005/02/27 23:13:36
3096 avoid nameservice lookups in regress test; ok dtucker@
3097 - djm@cvs.openbsd.org 2005/03/04 08:48:46
3098 [Makefile envpass.sh]
3099 regress test for SendEnv config parsing bug; ok dtucker@
3100 - (dtucker) [regress/test-exec.sh] Put SUDO in the right place.
3101 - (tim) [configure.ac] SCO 3.2v4.2 no longer supported.
3104 - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor
3105 when attempting to audit disconnect events. Reported by Phil Dibowitz.
3106 - (dtucker) [session.c sshd.c] Bug #125 comment #49: Send disconnect audit
3107 events earlier, prevents mm_request_send errors reported by Matt Goebel.
3110 - (djm) [contrib/cygwin/README] Improve Cygwin build documentation. Patch
3111 from vinschen at redhat.com
3112 - (djm) OpenBSD CVS Sync
3113 - jmc@cvs.openbsd.org 2005/03/02 11:45:01
3116 - djm@cvs.openbsd.org 2005/03/04 08:48:06
3118 fix SendEnv config parsing bug found by Roumen Petrov; ok dtucker@
3121 - (djm) OpenBSD CVS sync:
3122 - jmc@cvs.openbsd.org 2005/03/01 14:47:58
3124 remove some unneccesary macros;
3125 do not mark up punctuation;
3126 - jmc@cvs.openbsd.org 2005/03/01 14:55:23
3128 do not mark up punctuation;
3130 - jmc@cvs.openbsd.org 2005/03/01 14:59:49
3132 new sentence, new line;
3134 - jmc@cvs.openbsd.org 2005/03/01 15:05:00
3137 - jmc@cvs.openbsd.org 2005/03/01 15:47:14
3138 [ssh-keyscan.1 ssh-keyscan.c]
3139 sort options and sync usage();
3140 - jmc@cvs.openbsd.org 2005/03/01 17:19:35
3142 add HashKnownHosts to -o list;
3144 - jmc@cvs.openbsd.org 2005/03/01 17:22:06
3146 sync usage() w/ man SYNOPSIS;
3148 - jmc@cvs.openbsd.org 2005/03/01 17:32:19
3151 - jmc@cvs.openbsd.org 2005/03/01 18:15:56
3153 sort options (no attempt made at synopsis clean up though);
3154 spelling (occurance -> occurrence);
3155 use prompt before examples;
3157 - djm@cvs.openbsd.org 2005/03/02 01:00:06
3159 fix addition of new hashed hostnames when CheckHostIP=yes;
3160 found and ok dtucker@
3161 - djm@cvs.openbsd.org 2005/03/02 01:27:41
3163 ignore hostnames with metachars when hashing; ok deraadt@
3164 - djm@cvs.openbsd.org 2005/03/02 02:21:07
3166 bz#987: mention ForwardX11Trusted in ssh.1,
3167 reported by andrew.benham AT thus.net; ok deraadt@
3168 - (tim) [regress/agent-ptrace.sh] add another possible gdb error.
3171 - (djm) OpenBSD CVS sync:
3172 - otto@cvs.openbsd.org 2005/02/16 09:56:44
3174 Better diagnostic if an identity file is not accesible. ok markus@ djm@
3175 - djm@cvs.openbsd.org 2005/02/18 03:05:53
3177 better error messages for getnameinfo failures; ok dtucker@
3178 - djm@cvs.openbsd.org 2005/02/20 22:59:06
3180 turn on ssh batch mode when in sftp batch mode, patch from
3181 jdmossh AT nand.net;
3183 - jmc@cvs.openbsd.org 2005/02/25 10:55:13
3185 add /etc/motd and $HOME/.hushlogin to FILES;
3186 from michael knudsen;
3187 - djm@cvs.openbsd.org 2005/02/28 00:54:10
3189 bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
3190 orion AT cora.nwra.com; ok markus@
3191 - djm@cvs.openbsd.org 2005/03/01 10:09:52
3192 [auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
3193 [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
3195 bz#413: allow optional specification of bind address for port forwardings.
3196 Patch originally by Dan Astorian, but worked on by several people
3197 Adds GatewayPorts=clientspecified option on server to allow remote
3198 forwards to bind to client-specified ports.
3199 - djm@cvs.openbsd.org 2005/03/01 10:40:27
3200 [hostfile.c hostfile.h readconf.c readconf.h ssh.1 ssh_config.5]
3201 [sshconnect.c sshd.8]
3202 add support for hashing host names and addresses added to known_hosts
3203 files, to improve privacy of which hosts user have been visiting; ok
3205 - djm@cvs.openbsd.org 2005/03/01 10:41:28
3206 [ssh-keyscan.1 ssh-keyscan.c]
3207 option to hash hostnames output by ssh-keyscan; ok markus@ deraadt@
3208 - djm@cvs.openbsd.org 2005/03/01 10:42:49
3209 [ssh-keygen.1 ssh-keygen.c ssh_config.5]
3210 add tools for managing known_hosts files with hashed hostnames, including
3211 hashing existing files and deleting hosts by name; ok markus@ deraadt@
3214 - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c]
3215 Remove two obsolete Cygwin #ifdefs. Patch from vinschen at redhat.com.
3216 - (dtucker) [acconfig.h configure.ac openbsd-compat/bsd-misc.{c,h}]
3217 Remove SETGROUPS_NOOP, was only used by Cygwin, which doesn't need it any
3218 more. Patch from vinschen at redhat.com.
3219 - (dtucker) [Makefile.in] Add a install-nosysconf target for installing the
3220 binaries without the config files. Primarily useful for packaging.
3221 Patch from phil at usc.edu. ok djm@
3224 - (djm) [configure.ac] in_addr_t test needs sys/types.h too
3227 - (dtucker) [uidswap.c] Skip uid restore test on Cygwin. Patch from
3228 vinschen at redhat.com.
3231 - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac
3232 defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support. Configure
3233 --with-audit=bsm to enable. Patch originally from Sun Microsystems,
3234 parts by John R. Jackson. ok djm@
3235 - (dtucker) [configure.ac] Missing comma in AIX section, somehow causes
3236 unrelated platforms to be configured incorrectly.
3239 - (djm) write seed to temporary file and atomically rename into place;
3241 - (dtucker) [ssh-rand-helper.c] Provide seed_rng since it may be called
3242 via mkstemp in some configurations. ok djm@
3243 - (dtucker) [auth-shadow.c] Prevent compiler warnings if "DAY" is defined
3244 by the system headers.
3245 - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant
3246 Unix; prevents problems relating to the location of -lresolv in the
3248 - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
3249 authentication early enough to be available to PAM session modules when
3250 privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam
3251 Hartman and similar to Debian's ssh-krb5 package.
3252 - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more
3253 compiler warnings on AIX.
3256 - (dtucker) [config.sh.in] Collect oslevel -r too.
3257 - (dtucker) [README.platform auth.c configure.ac loginrec.c
3258 openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6
3259 on AIX where possible (see README.platform for details) and work around
3260 a misfeature of AIX's getnameinfo. ok djm@
3261 - (dtucker) [loginrec.c] Add missing #include.
3264 - (dtucker) [configure.ac] Tidy up configure --help output.
3265 - (dtucker) [openbsd-compat/fake-rfc2553.h] We now need EAI_SYSTEM too.
3268 - (dtucker) [configure.ac] Bug #919: Provide visible feedback for the
3269 --disable-etc-default-login configure option.
3272 - (dtucker) OpenBSD CVS Sync
3273 - dtucker@cvs.openbsd.org 2005/01/28 09:45:53
3275 Make it clear that the example entries in ssh_config are only some of the
3276 commonly-used options and refer the user to ssh_config(5) for more
3278 - jmc@cvs.openbsd.org 2005/01/28 15:05:43
3281 - jmc@cvs.openbsd.org 2005/01/28 18:14:09
3285 - dtucker@cvs.openbsd.org 2005/01/30 11:18:08
3287 Make code match intent; ok djm@
3288 - dtucker@cvs.openbsd.org 2005/02/08 22:24:57
3290 Provide reason in error message if getnameinfo fails; ok markus@
3291 - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call
3292 disable_forwarding() from compat library. Prevent linker errrors trying
3293 to resolve it for binaries other than sshd. ok djm@
3294 - (dtucker) [configure.ac] Bug #854: prepend pwd to relative --with-ssl-dir
3296 - (dtucker) [configure.ac session.c] Some platforms (eg some SCO) require
3297 the username to be passed to the passwd command when changing expired
3301 - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the
3302 regress tests so newer versions of GNU head(1) behave themselves. Patch
3304 - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings.
3305 - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c
3306 monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
3307 defines and enums with SSH_ to prevent namespace collisions on some
3311 - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too.
3312 - (dtucker) [auth.c] Fix parens in audit log check.
3315 - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath
3316 rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@
3317 - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}]
3318 Make record_failed_login() call provide hostname rather than having the
3319 implementations having to do lookups themselves. Only affects AIX and
3320 UNICOS (the latter only uses the "user" parameter anyway). ok djm@
3321 - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child
3322 the process. Since we also unset KRB5CCNAME at startup, if it's set after
3323 authentication it must have been set by the platform's native auth system.
3324 This was already done for AIX; this enables it for the general case.
3325 - (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c]
3326 Bug #974: Teach sshd to write failed login records to btmp for failed auth
3327 attempts (currently only for password, kbdint and C/R, only on Linux and
3328 HP-UX), based on code from login.c from util-linux. With ashok_kovai at
3329 hotmail.com, ok djm@
3330 - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c
3331 monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
3332 (first stage) Add audit instrumentation to sshd, currently disabled by
3333 default. with suggestions from and ok djm@
3336 - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some
3337 platforms syslog will revert to its default values. This may result in
3338 messages from external libraries (eg libwrap) being sent to a different
3340 - (dtucker) [sshd_config.5] Bug #701: remove warning about
3341 keyboard-interactive since this is no longer the case.
3344 - (dtucker) OpenBSD CVS Sync
3345 - otto@cvs.openbsd.org 2005/01/21 08:32:02
3346 [auth-passwd.c sshd.c]
3347 Warn in advance for password and account expiry; initialize loginmsg
3348 buffer earlier and clear it after privsep fork. ok and help dtucker@
3350 - dtucker@cvs.openbsd.org 2005/01/22 08:17:59
3352 Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
3353 DenyGroups. bz #909, ok djm@
3354 - djm@cvs.openbsd.org 2005/01/23 10:18:12
3356 config option "Ciphers" should be case-sensitive; ok dtucker@
3357 - dtucker@cvs.openbsd.org 2005/01/24 10:22:06
3359 Have scp and sftp wait for the spawned ssh to exit before they exit
3360 themselves. This prevents ssh from being unable to restore terminal
3361 modes (not normally a problem on OpenBSD but common with -Portable
3362 on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
3364 - dtucker@cvs.openbsd.org 2005/01/24 10:29:06
3366 Import new moduli; requested by deraadt@ a week ago
3367 - dtucker@cvs.openbsd.org 2005/01/24 11:47:13
3369 #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@
3372 - (dtucker) OpenBSD CVS Sync
3373 - markus@cvs.openbsd.org 2004/12/23 17:35:48
3375 check for NULL; from mpech
3376 - markus@cvs.openbsd.org 2004/12/23 17:38:07
3379 - djm@cvs.openbsd.org 2004/12/23 23:11:00
3380 [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
3381 bz #898: support AddressFamily in sshd_config. from
3382 peak@argo.troja.mff.cuni.cz; ok deraadt@
3383 - markus@cvs.openbsd.org 2005/01/05 08:51:32
3385 remove dead code, log connect() failures with level error, ok djm@
3386 - jmc@cvs.openbsd.org 2005/01/08 00:41:19
3388 `login'(n) -> `log in'(v);
3389 - dtucker@cvs.openbsd.org 2005/01/17 03:25:46
3391 Correct spelling: SCHNOOR->SCHNORR; ok djm@
3392 - dtucker@cvs.openbsd.org 2005/01/17 22:48:39
3394 Make debugging output continue after reexec; ok djm@
3395 - dtucker@cvs.openbsd.org 2005/01/19 13:11:47
3396 [auth-bsdauth.c auth2-chall.c]
3397 Have keyboard-interactive code call the drivers even for responses for
3398 invalid logins. This allows the drivers themselves to decide how to
3399 handle them and prevent leaking information where possible. Existing
3400 behaviour for bsdauth is maintained by checking authctxt->valid in the
3401 bsdauth driver. Note that any third-party kbdint drivers will now need
3402 to be able to handle responses for invalid logins. ok markus@
3403 - djm@cvs.openbsd.org 2004/12/22 02:13:19
3404 [cipher-ctr.c cipher.c]
3405 remove fallback AES support for old OpenSSL, as OpenBSD has had it for
3406 many years now; ok deraadt@
3407 (Id sync only: Portable will continue to support older OpenSSLs)
3408 - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
3409 existence via keyboard-interactive/pam, in conjunction with previous
3410 auth2-chall.c change; with Colin Watson and djm.
3411 - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128
3412 bytes to prevent errors from login_init_entry() when the username is
3413 exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@
3414 - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
3415 the list of available kbdint devices if UsePAM=no. ok djm@
3418 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
3419 "make survey" and "make send-survey". This will provide data on the
3420 configure parameters, platform and platform features to the development
3421 team, which will allow (among other things) better targetting of testing.
3422 It's entirely voluntary and is off be default. ok djm@
3423 - (dtucker) [survey.sh.in] Remove any blank lines from the output of
3424 ccver-v and ccver-V.
3427 - (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading
3428 from prngd is enabled at compile time but fails at run time, eg because
3429 prngd is not running. Note that if you have prngd running when OpenSSH is
3430 built, OpenSSL will consider itself internally seeded and rand-helper won't
3431 be built at all unless explicitly enabled via --with-rand-helper. ok djm@
3432 - (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since
3433 on some wacky platforms (eg old AIXes), dd will refuse to create an output
3434 file if it doesn't exist.
3437 - (dtucker) [contrib/findssh.sh] Clean up on interrupt; from
3438 amarendra.godbole at ge com.
3441 - (dtucker) OpenBSD CVS Sync
3442 - markus@cvs.openbsd.org 2004/12/06 16:00:43
3444 use 0x00 not \0 since buf[] is a bignum
3445 - fgsch@cvs.openbsd.org 2004/12/10 03:10:42
3447 - fix globbed ls for paths the same lenght as the globbed path when
3448 we have a unique matching.
3449 - fix globbed ls in case of a directory when we have a unique matching.
3450 - as a side effect, if the path does not exist error (used to silently
3452 - don't do extra do_lstat() if we only have one matching file.
3454 - dtucker@cvs.openbsd.org 2004/12/11 01:48:56
3455 [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h]
3456 Fix debug call in error path of authorized_keys processing and fix related
3460 - (tim) [configure.ac] Comment some non obvious platforms in the
3461 target-specific case statement. Suggested and OK by dtucker@
3464 - (dtucker) [regress/scp.sh] Use portable-friendly $DIFFOPTs in new test.
3467 - (dtucker) [TODO WARNING.RNG] Update to reflect current reality. ok djm@
3468 - (dtucker) OpenBSD CVS Sync
3469 - markus@cvs.openbsd.org 2004/11/25 22:22:14
3470 [sftp-client.c sftp.c]
3472 - jmc@cvs.openbsd.org 2004/11/29 00:05:17
3475 - djm@cvs.openbsd.org 2004/11/29 07:41:24
3476 [sftp-client.h sftp.c]
3477 Some small fixes from moritz@jodeit.org. ok deraadt@
3478 - jaredy@cvs.openbsd.org 2004/12/05 23:55:07
3480 - explain that patterns can be used as arguments in get/put/ls/etc
3481 commands (prodded by Michael Knudsen)
3482 - describe ls flags as a list
3483 - other minor improvements
3485 - dtucker@cvs.openbsd.org 2004/12/06 11:41:03
3486 [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
3487 Discard over-length authorized_keys entries rather than complaining when
3488 they don't decode. bz #884, with & ok djm@
3489 - (dtucker) OpenBSD CVS Sync (regress/)
3490 - djm@cvs.openbsd.org 2004/06/26 06:16:07
3492 don't change the name of the copied sshd for the reexec fallback test,
3493 makes life simpler for portable
3494 - dtucker@cvs.openbsd.org 2004/07/08 12:59:35
3496 Regress test for bz #863 (scp double-error), requires $SUDO. ok markus@
3497 - david@cvs.openbsd.org 2004/07/09 19:45:43
3499 add a missing CLEANFILES used in the re-exec test
3500 - djm@cvs.openbsd.org 2004/10/08 02:01:50
3502 shrink and tidy; ok dtucker@
3503 - djm@cvs.openbsd.org 2004/10/29 23:59:22
3504 [Makefile added brokenkeys.sh]
3505 regression test for handling of corrupt keys in authorized_keys file
3506 - djm@cvs.openbsd.org 2004/11/07 00:32:41
3508 regression tests for new multiplex commands
3509 - dtucker@cvs.openbsd.org 2004/11/25 09:39:27
3511 Remove obsolete RhostsAuthentication from test config; ok markus@
3512 - dtucker@cvs.openbsd.org 2004/12/06 10:49:56
3514 Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@
3517 - (dtucker) OpenBSD CVS Sync
3518 - jmc@cvs.openbsd.org 2004/11/07 17:42:36
3520 options sort, and whitespace;
3521 - jmc@cvs.openbsd.org 2004/11/07 17:57:30
3525 - sync -S w/ manpage
3527 - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
3528 subsequently denied by the PAM auth stack, send the PAM message to the
3529 user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
3533 - (dtucker) OpenBSD CVS Sync
3534 - djm@cvs.openbsd.org 2004/11/05 12:19:56
3536 command editing and history support via libedit; ok markus@
3537 thanks to hshoexer@ and many testers on tech@ too
3538 - djm@cvs.openbsd.org 2004/11/07 00:01:46
3539 [clientloop.c clientloop.h ssh.1 ssh.c]
3540 add basic control of a running multiplex master connection; including the
3541 ability to check its status and request it to exit; ok markus@
3542 - (dtucker) [INSTALL Makefile.in configure.ac] Add --with-libedit configure
3543 option and supporting makefile bits and documentation.
3546 - (dtucker) OpenBSD CVS Sync
3547 - markus@cvs.openbsd.org 2004/08/30 09:18:08
3550 - jmc@cvs.openbsd.org 2004/08/30 21:22:49
3552 .Xsession -> .xsession;
3553 originally from a pr from f at obiit dot org, but missed by myself;
3554 ok markus@ matthieu@
3555 - djm@cvs.openbsd.org 2004/09/07 23:41:30
3556 [clientloop.c ssh.c]
3557 cleanup multiplex control socket on SIGHUP too, spotted by sturm@
3559 - deraadt@cvs.openbsd.org 2004/09/15 00:46:01
3561 /* fallthrough */ is something a programmer understands. But
3562 /* FALLTHROUGH */ is also understood by lint, so that is better.
3563 - jaredy@cvs.openbsd.org 2004/09/15 03:25:41
3565 mention PrintLastLog only prints last login time for interactive
3566 sessions, like PrintMotd mentions.
3567 From Michael Knudsen, with wording changed slightly to match the
3568 PrintMotd description.
3570 - mickey@cvs.openbsd.org 2004/09/15 18:42:27
3572 use less doubles in daemons; markus@ ok
3573 - deraadt@cvs.openbsd.org 2004/09/15 18:46:04
3575 scratch that do { } while (0) wrapper in this case
3576 - djm@cvs.openbsd.org 2004/09/23 13:00:04
3578 correctly honour -n in multiplex client mode; spotted by sturm@ ok markus@
3579 - djm@cvs.openbsd.org 2004/09/25 03:45:14
3581 these printf args are no longer double; ok deraadt@ markus@
3582 - djm@cvs.openbsd.org 2004/10/07 10:10:24
3583 [scp.1 sftp.1 ssh.1 ssh_config.5]
3584 document KbdInteractiveDevices; ok markus@
3585 - djm@cvs.openbsd.org 2004/10/07 10:12:36
3587 don't unlink agent socket when bind() fails, spotted by rich AT
3588 rich-paul.net, ok markus@
3589 - markus@cvs.openbsd.org 2004/10/20 11:48:53
3591 disconnect for invalid (out of range) message types.
3592 - djm@cvs.openbsd.org 2004/10/29 21:47:15
3593 [channels.c channels.h clientloop.c]
3594 fix some window size change bugs for multiplexed connections: windows sizes
3595 were not being updated if they had changed after ~^Z suspends and SIGWINCH
3596 was not being processed unless the first connection had requested a tty;
3598 - djm@cvs.openbsd.org 2004/10/29 22:53:56
3599 [clientloop.c misc.h readpass.c ssh-agent.c]
3600 factor out common permission-asking code to separate function; ok markus@
3601 - djm@cvs.openbsd.org 2004/10/29 23:56:17
3602 [bufaux.c bufaux.h buffer.c buffer.h]
3603 introduce a new buffer API that returns an error rather than fatal()ing
3604 when presented with bad data; ok markus@
3605 - djm@cvs.openbsd.org 2004/10/29 23:57:05
3607 use new buffer API to avoid fatal errors on corrupt keys in authorized_keys
3611 - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
3612 10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__
3613 only if a conflict is detected.
3616 - (dtucker) [uidswap.c] Don't test dropping of gids for the root user or
3617 on Cygwin. Cygwin parts from vinschen at redhat com; ok djm@
3620 - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations;
3624 - (dtucker) [README.privsep] Bug #939: update info about HP-UX Trusted Mode
3625 and other PAM platforms.
3626 - (dtucker) [monitor_mm.c openbsd-compat/xmmap.c] Bug #940: cast constants
3627 to void * to appease picky compilers (eg Tru64's "cc -std1").
3630 - (dtucker) [configure.ac] Set AC_PACKAGE_NAME. ok djm@
3633 - (dtucker) [openbsd-compat/bsd-snprintf.c] Previous change was off by one,
3634 which could have caused the justification to be wrong. ok djm@
3637 - (dtucker) [openbsd-compat/bsd-snprintf.c] Check for max length too.
3639 - (dtucker) [contrib/cygwin/ssh-host-config] Update to match current Cygwin
3640 install process. Patch from vinschen at redhat.com.
3643 - (djm) [loginrec.c] Start KNF and tidy up of this long-neglected file.
3644 No change in resultant binary
3645 - (djm) [loginrec.c] __func__ifiy
3646 - (djm) [loginrec.c] xmalloc
3647 - (djm) [ssh.c sshd.c version.h] Don't divulge portable version in protocol
3648 banner. Suggested by deraadt@, ok mouring@, dtucker@
3649 - (dtucker) [configure.ac] Fix incorrect quoting and tests for cross-compile.
3650 Partly by & ok djm@.
3653 - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
3654 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
3655 failing PAM session modules to user then exit, similar to the way
3656 /etc/nologin is handled. ok djm@
3657 - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.
3658 - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c]
3659 Make cygwin code more consistent with that which surrounds it
3660 - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
3661 Bug #892: Send messages from failing PAM account modules to the client via
3662 SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with
3663 SSH2 kbdint authentication, which need to be dealt with separately. ok djm@
3664 - (dtucker) [session.c] Bug #927: make .hushlogin silent again. ok djm@
3665 - (dtucker) [configure.ac] Bug #321: Add cross-compile support to configure.
3666 Parts by chua at ayrnetworks.com, astrand at lysator.liu.se and me. ok djm@
3667 - (dtucker) [auth-krb5.c] Bug #922: Pass KRB5CCNAME to PAM. From deengert
3671 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
3672 copy required environment variables on Cygwin. Patch from vinschen at
3674 - (dtucker) [regress/Makefile] Clean scp-ssh-wrapper.scp too. Patch from
3675 vinschen at redhat.com.
3676 - (dtucker) [Makefile.in contrib/ssh-copy-id] Bug #894: Improve portability
3677 of shell constructs. Patch from cjwatson at debian.org.
3680 - (dtucker) [openbsd-compat/getrrsetbyname.c] Prevent getrrsetbyname from
3681 failing with NOMEMORY if no sigs are returned and malloc(0) returns NULL.
3682 From Martin.Kraemer at Fujitsu-Siemens.com; ok djm@
3683 - (dtucker) OpenBSD CVS Sync
3684 - djm@cvs.openbsd.org 2004/08/23 11:48:09
3686 fix error path, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
3687 - djm@cvs.openbsd.org 2004/08/23 11:48:47
3689 typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
3690 - dtucker@cvs.openbsd.org 2004/08/23 14:26:38
3691 [ssh-keysign.c ssh.c]
3692 Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
3693 change in Portable; ok markus@ (CVS ID sync only)
3694 - dtucker@cvs.openbsd.org 2004/08/23 14:29:23
3696 Remove duplicate getuid(), suggested by & ok markus@
3697 - markus@cvs.openbsd.org 2004/08/26 16:00:55
3699 get rid of references to rhosts authentication; with jmc@
3700 - djm@cvs.openbsd.org 2004/08/28 01:01:48
3702 don't erroneously close stdin for !reexec case, from Dave Johnson;
3704 - (dtucker) [configure.ac] Include sys/stream.h in sys/ptms.h header check,
3705 fixes configure warning on Solaris reported by wknox at mitre.org.
3706 - (dtucker) [regress/multiplex.sh] Skip test on platforms that do not
3707 support FD passing since multiplex requires it. Noted by tim@
3708 - (dtucker) [regress/dynamic-forward.sh] Allow time for connections to be torn
3709 down, needed on some platforms, should be harmless on others. Patch from
3710 jason at devrandom.org.
3711 - (dtucker) [regress/scp.sh] Make this work on Cygwin too, which doesn't like
3712 files ending in .exe that aren't binaries; patch from vinschen at redhat.com.
3713 - (dtucker) [Makefile.in] Get regress/Makefile symlink right for out-of-tree
3714 builds too, from vinschen at redhat.com.
3715 - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
3716 too; patch from cmadams at hiwaay.net.
3717 - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
3718 - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
3719 accounts with authentication configs that sshd can't support (ie
3720 SYSTEM=NONE and AUTH1=something).
3723 - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
3724 vinschen at redhat.com.
3727 - (djm) [ssh-rand-helper.c] Typo. Found by
3728 Martin.Kraemer AT Fujitsu-Siemens.com
3729 - (djm) [loginrec.c] Typo and bad args in error messages; Spotted by
3730 Martin.Kraemer AT Fujitsu-Siemens.com
3733 - (dtucker) [regress/README.regress] Note compatibility issues with GNU head.
3734 - (djm) OpenBSD CVS Sync
3735 - markus@cvs.openbsd.org 2004/08/16 08:17:01
3738 - (djm) Crank RPM spec version numbers
3739 - (djm) Release 3.9p1
3742 - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
3743 to convince Solaris PAM to honour password complexity rules. ok djm@
3746 - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since
3747 it does the right thing on all platforms. ok djm@
3748 - (djm) [acconfig.h configure.ac openbsd-compat/Makefile.in
3749 openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-misc.c
3750 openbsd-compat/bsd-misc.h openbsd-compat/openbsd-compat.h] Use smarter
3751 closefrom() replacement from sudo; ok dtucker@
3752 - (djm) [loginrec.c] Check that seek succeeded here too; ok dtucker
3753 - (dtucker) [Makefile.in] Fix typo.
3756 - (dtucker) [auth-krb5.c gss-serv-krb5.c openbsd-compat/xmmap.c]
3757 Explicitly set umask for mkstemp; ok djm@
3758 - (dtucker) [includes.h] Undef _INCLUDE__STDC__ on HP-UX, otherwise
3759 prot.h and shadow.h provide conflicting declarations of getspnam. ok djm@
3760 - (dtucker) [loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
3761 Plug AIX login recording into login_write so logins will be recorded for
3765 - (dtucker) [openbsd-compat/bsd-misc.c] Typo in #ifdef; from vinschen at
3767 - (dtucker) OpenBSD CVS Sync
3768 - avsm@cvs.openbsd.org 2004/08/11 21:43:05
3769 [channels.c channels.h clientloop.c misc.c misc.h serverloop.c ssh-agent.c]
3770 some signed/unsigned int comparison cleanups; markus@ ok
3771 - avsm@cvs.openbsd.org 2004/08/11 21:44:32
3772 [authfd.c scp.c ssh-keyscan.c]
3773 use atomicio instead of homegrown equivalents or read/write.
3775 - djm@cvs.openbsd.org 2004/08/12 09:18:24
3777 typo in error message, spotted by moritz AT jodeit.org (Id sync only)
3778 - jakob@cvs.openbsd.org 2004/08/12 21:41:13
3779 [ssh-keygen.1 ssh.1]
3780 improve SSHFP documentation; ok deraadt@
3781 - jmc@cvs.openbsd.org 2004/08/13 00:01:43
3783 kill whitespace at eol;
3784 - djm@cvs.openbsd.org 2004/08/13 02:51:48
3786 extra check for no message case; ok markus, deraadt, hshoexer, henning
3787 - dtucker@cvs.openbsd.org 2004/08/13 11:09:24
3789 Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
3793 - (dtucker) [sshd.c] Remove duplicate variable imported during sync.
3794 - (dtucker) OpenBSD CVS Sync
3795 - markus@cvs.openbsd.org 2004/07/28 08:56:22
3797 call setsid() _before_ re-exec
3798 - markus@cvs.openbsd.org 2004/07/28 09:40:29
3799 [auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c
3801 more s/illegal/invalid/
3802 - djm@cvs.openbsd.org 2004/08/04 10:37:52
3804 return group14 when no primes found - fixes hang on empty /etc/moduli;
3806 - dtucker@cvs.openbsd.org 2004/08/11 11:09:54
3808 Fix minor leak; "looks right" deraadt@
3809 - dtucker@cvs.openbsd.org 2004/08/11 11:50:09
3811 Don't try to close startup_pipe if it's not open; ok djm@
3812 - djm@cvs.openbsd.org 2004/08/11 11:59:22
3814 check that lseek went were we told it to; ok markus@
3815 (Id sync only, but similar changes are needed in loginrec.c)
3816 - djm@cvs.openbsd.org 2004/08/11 12:01:16
3818 make store_lastlog_message() static to appease -Wall; ok markus
3819 - (dtucker) [sshd.c] Clear loginmsg in postauth monitor, prevents doubling
3820 messages generated before the postauth privsep split.
3823 - (djm) OpenBSD CVS Sync
3824 - markus@cvs.openbsd.org 2004/07/21 08:56:12
3826 s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas,
3828 - djm@cvs.openbsd.org 2004/07/21 10:33:31
3830 bz#899: Don't display invalid usernames in setproctitle
3831 from peak AT argo.troja.mff.cuni.cz; ok markus@
3832 - djm@cvs.openbsd.org 2004/07/21 10:36:23
3834 fix function declaration
3835 - djm@cvs.openbsd.org 2004/07/21 11:51:29
3837 bz#902: cache remote port so we don't fatal() in auth_log when remote
3838 connection goes away quickly. from peak AT argo.troja.mff.cuni.cz;
3840 - (djm) [auth-pam.c] Portable parts of bz#899: Don't display invalid
3841 usernames in setproctitle from peak AT argo.troja.mff.cuni.cz;
3844 - (djm) [log.c] bz #111: Escape more control characters when sending data
3845 to syslog; from peak AT argo.troja.mff.cuni.cz
3846 - (djm) [contrib/redhat/sshd.pam] bz #903: Remove redundant entries; from
3847 peak AT argo.troja.mff.cuni.cz
3848 - (djm) [regress/README.regress] Remove caveat regarding TCP wrappers, now
3849 that sshd is fixed to behave better; suggested by tim
3852 - (djm) [openbsd-compat/bsd-arc4random.c] Discard early keystream, like OpenBSD
3854 - (djm) [auth-pam.c] Avoid use of xstrdup and friends in conversation function,
3855 instead return PAM_CONV_ERR, avoiding another path to fatal(); ok dtucker@
3856 - (tim) [configure.ac] updwtmpx() on OpenServer seems to add duplicate entry.
3857 Report by rac AT tenzing.org
3860 - (dtucker) [logintest.c scp.c sftp-server.c sftp.c ssh-add.c ssh-agent.c
3861 ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c ssh.c sshd.c
3862 openbsd-compat/bsd-misc.c] Move "char *__progname" to bsd-misc.c. Reduces
3863 diff vs OpenBSD; ok mouring@, tested by tim@ too.
3864 - (dtucker) OpenBSD CVS Sync
3865 - deraadt@cvs.openbsd.org 2004/07/11 17:48:47
3866 [channels.c cipher.c clientloop.c clientloop.h compat.h moduli.c
3867 readconf.c nchan.c pathnames.h progressmeter.c readconf.h servconf.c
3868 session.c sftp-client.c sftp.c ssh-agent.1 ssh-keygen.c ssh.c ssh1.h
3871 - brad@cvs.openbsd.org 2004/07/12 23:34:25
3873 Fix incorrect macro, .I -> .Em
3874 From: Eric S. Raymond <esr at thyrsus dot com>
3876 - dtucker@cvs.openbsd.org 2004/07/17 05:31:41
3877 [monitor.c monitor_wrap.c session.c session.h sshd.c sshlogin.c]
3878 Move "Last logged in at.." message generation to the monitor, right
3879 before recording the new login. Fixes missing lastlog message when
3880 /var/log/lastlog is not world-readable and incorrect datestamp when
3881 multiple sessions are used (bz #463); much assistance & ok markus@
3884 - (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allows
3885 the monitor to properly clean up the PAM thread (Debian bug #252676).
3888 - (tim) [contrib/cygwin/README] add minires-devel requirement. Patch from
3889 vinschen AT redhat.com
3892 - (dtucker) OpenBSD CVS Sync
3893 - dtucker@cvs.openbsd.org 2004/07/03 05:11:33
3894 [sshlogin.c] (RCSID sync only, the corresponding code is not in Portable)
3895 Use '\0' not 0 for string; ok djm@, deraadt@
3896 - dtucker@cvs.openbsd.org 2004/07/03 11:02:25
3898 Put s/key functions inside #ifdef SKEY same as monitor.c,
3899 from des@freebsd via bz #330, ok markus@
3900 - dtucker@cvs.openbsd.org 2004/07/08 12:47:21
3902 Prevent scp from skipping the file following a double-error.
3906 - (dtucker) [mdoc2man.awk] Teach it to ignore .Bk -words, reported by
3907 strube at physik3.gwdg.de a long time ago.
3910 - (dtucker) [session.c] Call display_loginmsg again after do_pam_session.
3911 Ensures messages from PAM modules are displayed when privsep=no.
3912 - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes
3913 warnings on compliant platforms. From paul.a.bolton at bt.com. ok djm@
3914 - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK
3915 to pam_authenticate for challenge-response auth too. Originally from
3916 fcusack at fcusack.com, ok djm@
3917 - (tim) [buildpkg.sh.in] Add $REV to bump the package revision within
3918 the same version. Handle the case where someone uses --with-privsep-user=
3919 and the user name does not match the group name. ok dtucker@
3922 - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL
3923 appdata_ptr to the conversation function. ok djm@
3924 - (djm) OpenBSD CVS Sync
3925 - jmc@cvs.openbsd.org 2004/06/26 09:03:21
3927 - remove double word
3928 - rearrange .Bk to keep SYNOPSIS nice
3929 - -M before -m in options description
3930 - jmc@cvs.openbsd.org 2004/06/26 09:11:14
3932 punctuation and grammar fixes. also, keep the options in order.
3933 - jmc@cvs.openbsd.org 2004/06/26 09:14:40
3935 new sentence, new line;
3936 - avsm@cvs.openbsd.org 2004/06/26 20:07:16
3938 initialise some fd variables to -1, djm@ ok
3939 - djm@cvs.openbsd.org 2004/06/30 08:36:59
3941 unbreak TTY break, diagnosed by darren AT dazwin.com; ok markus@
3944 - (tim) update README files.
3945 - (dtucker) [mdoc2man.awk] Bug #883: correctly recognise .Pa and .Ev macros.
3946 - (dtucker) [regress/README.regress] Document new variables.
3947 - (dtucker) [acconfig.h configure.ac sftp-server.c] Bug #823: add sftp
3948 rename handling for Linux which returns EPERM for link() on (at least some)
3949 filesystems that do not support hard links. sftp-server will fall back to
3950 stat+rename() in such cases.
3951 - (dtucker) [openbsd-compat/port-aix.c] Missing __func__.
3954 - (djm) OpenBSD CVS Sync
3955 - djm@cvs.openbsd.org 2004/06/25 18:43:36
3957 fix broken fd handling in the re-exec fallback path, particularly when
3958 /dev/crypto is in use; ok deraadt@ markus@
3959 - djm@cvs.openbsd.org 2004/06/25 23:21:38
3961 bz #875: fix bad escape char error message; reported by f_mohr AT yahoo.de
3964 - (dtucker) OpenBSD CVS Sync
3965 - djm@cvs.openbsd.org 2004/06/24 19:30:54
3966 [servconf.c servconf.h sshd.c]
3967 re-exec sshd on accept(); initial work, final debugging and ok markus@
3968 - djm@cvs.openbsd.org 2004/06/25 01:16:09
3970 only perform tcp wrappers checks when the incoming connection is on a
3971 socket. silences useless warnings from regress tests that use
3972 proxycommand="sshd -i". prompted by david@ ok markus@
3973 - djm@cvs.openbsd.org 2004/06/24 19:32:00
3974 [regress/Makefile regress/test-exec.sh, added regress/reexec.sh]
3975 regress test for re-exec corner cases
3976 - djm@cvs.openbsd.org 2004/06/25 01:25:12
3977 [regress/test-exec.sh]
3978 clean reexec-specific junk out of text-exec.sh and simplify; idea markus@
3979 - dtucker@cvs.openbsd.org 2004/06/25 05:38:48
3981 Fall back to stat+rename if filesystem doesn't doesn't support hard
3982 links. bz#823, ok djm@
3983 - (dtucker) [configure.ac openbsd-compat/misc.c [openbsd-compat/misc.h]
3984 Add closefrom() for platforms that don't have it.
3985 - (dtucker) [sshd.c] add line missing from reexec sync.
3988 - (dtucker) [auth1.c] Ensure do_pam_account is called for Protocol 1
3989 connections with empty passwords. Patch from davidwu at nbttech.com,
3991 - (dtucker) OpenBSD CVS Sync
3992 - dtucker@cvs.openbsd.org 2004/06/22 22:42:02
3993 [regress/envpass.sh]
3994 Add quoting for test -z; ok markus@
3995 - dtucker@cvs.openbsd.org 2004/06/22 22:45:52
3996 [regress/test-exec.sh]
3997 Add TEST_SSH_SSHD_CONFOPTS and TEST_SSH_SSH_CONFOPTS to allow adding
3998 arbitary options to sshd_config and ssh_config during tests. ok markus@
3999 - dtucker@cvs.openbsd.org 2004/06/22 22:55:56
4000 [regress/dynamic-forward.sh regress/test-exec.sh]
4001 Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@
4002 - mouring@cvs.openbsd.org 2004/06/23 00:39:38
4004 -Wshadow fix up s/encrypt/do_encrypt/. OK djm@, markus@
4005 - dtucker@cvs.openbsd.org 2004/06/23 14:31:01
4007 Fix counting in master/slave when passing environment variables; ok djm@
4008 - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match
4010 - (bal) [Makefile.in] Remove opensshd.init on 'make distclean'
4011 - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
4012 Move loginrestrictions test to port-aix.c, replace with a generic hook.
4013 - (tim) [regress/try-ciphers.sh] "if ! some_command" is not portable.
4014 - (bal) [contrib/README] Removed "mdoc2man.pl" reference and added
4015 reference to "findssl.sh"
4018 - (dtucker) OpenBSD CVS Sync
4019 - djm@cvs.openbsd.org 2004/06/20 17:36:59
4021 filter passed env vars at slave in connection sharing case; ok markus@
4022 - djm@cvs.openbsd.org 2004/06/20 18:53:39
4024 make "ls -l" listings print user/group names, add "ls -n" to show uid/gid
4025 (like /bin/ls); idea & ok markus@
4026 - djm@cvs.openbsd.org 2004/06/20 19:28:12
4029 - avsm@cvs.openbsd.org 2004/06/21 17:36:31
4030 [auth-rsa.c auth2-gss.c auth2-pubkey.c authfile.c canohost.c channels.c
4031 cipher.c dns.c kex.c monitor.c monitor_fdpass.c monitor_wrap.c
4032 monitor_wrap.h nchan.c packet.c progressmeter.c scp.c sftp-server.c sftp.c
4033 ssh-gss.h ssh-keygen.c ssh.c sshconnect.c sshconnect1.c sshlogin.c
4035 make ssh -Wshadow clean, no functional changes
4037 - djm@cvs.openbsd.org 2004/06/21 17:53:03
4039 fix fd leak for multiple subsystem connections; with markus@
4040 - djm@cvs.openbsd.org 2004/06/21 22:02:58
4042 mark fatal and cleanup exit as __dead; ok markus@
4043 - djm@cvs.openbsd.org 2004/06/21 22:04:50
4045 introduce sorting for ls, same options as /bin/ls; ok markus@
4046 - djm@cvs.openbsd.org 2004/06/21 22:30:45
4048 prefix ls option flags with LS_
4049 - djm@cvs.openbsd.org 2004/06/21 22:41:31
4051 document sort options
4052 - djm@cvs.openbsd.org 2004/06/22 01:16:39
4054 don't show .files by default in ls, add -a option to turn them back on;
4056 - markus@cvs.openbsd.org 2004/06/22 03:12:13
4057 [regress/envpass.sh regress/multiplex.sh]
4058 more portable env passing tests
4059 - dtucker@cvs.openbsd.org 2004/06/22 05:05:45
4060 [monitor.c monitor_wrap.c]
4061 Change login->username, will prevent -Wshadow errors in Portable;
4063 - (dtucker) [monitor.c] Fix Portable-specific -Wshadow warnings on "socket".
4064 - (dtucker) [defines.h] Define __dead if not already defined.
4065 - (bal) [auth-passwd.c auth1.c] Clean up unused variables.
4068 - (tim) [configure.ac Makefile.in] Only change TEST_SHELL on broken platforms.
4071 - (dtucker) [auth-pam.c] Don't use PAM namespace for
4072 pam_password_change_required either.
4073 - (tim) [configure.ac buildpkg.sh.in contrib/solaris/README] move opensshd
4074 init script to top level directory. Add opensshd.init.in.
4075 Remove contrib/solaris/buildpkg.sh, contrib/solaris/opensshd.in
4078 - (djm) OpenBSD CVS Sync
4079 - djm@cvs.openbsd.org 2004/06/17 14:52:48
4080 [clientloop.c clientloop.h ssh.c]
4081 support environment passing over shared connections; ok markus@
4082 - djm@cvs.openbsd.org 2004/06/17 15:10:14
4083 [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5]
4084 Add option for confirmation (ControlMaster=ask) via ssh-askpass before
4085 opening shared connections; ok markus@
4086 - djm@cvs.openbsd.org 2004/06/17 14:53:27
4087 [regress/multiplex.sh]
4088 shared connection env passing regress test
4089 - (dtucker) [regress/README.regress] Add detail on how to run a single
4090 test from the top-level Makefile.
4091 - (dtucker) OpenBSD CVS Sync
4092 - djm@cvs.openbsd.org 2004/06/17 23:56:57
4094 sync usage() and SYNPOSIS with connection sharing changes
4095 - dtucker@cvs.openbsd.org 2004/06/18 06:13:25
4097 Use execvp instead of execv so sftp -S ssh works. "makes sense" markus@
4098 - dtucker@cvs.openbsd.org 2004/06/18 06:15:51
4100 Use -S for scp/sftp to force the use of the ssh being tested.
4102 - (djm) OpenBSD CVS Sync
4103 - djm@cvs.openbsd.org 2004/06/18 10:40:19
4105 delay signal handler setup until we have finished talking to the master.
4106 allow interrupting of setup (e.g. if master is stuck); ok markus@
4107 - markus@cvs.openbsd.org 2004/06/18 10:55:43
4109 trim synopsis for -S, allow -S and -oControlMaster, -MM means 'ask';
4111 - djm@cvs.openbsd.org 2004/06/18 11:11:54
4112 [channels.c clientloop.c]
4113 Don't explode in clientloop when we receive a bogus channel id, but
4114 also don't generate them to begin with; ok markus@
4117 - (dtucker) [regress/scp.sh] diff -N is not portable (but needed for some
4118 platforms), so test if diff understands it. Pointed out by tim@, ok djm@
4119 - (dtucker) OpenBSD CVS Sync regress/
4120 - dtucker@cvs.openbsd.org 2004/06/17 05:51:59
4121 [regress/multiplex.sh]
4122 Remove datafile between and after tests, kill sshd rather than wait;
4124 - dtucker@cvs.openbsd.org 2004/06/17 06:00:05
4125 [regress/multiplex.sh]
4126 Use DATA and COPY for test data rather than hard-coded paths; ok djm@
4127 - dtucker@cvs.openbsd.org 2004/06/17 06:19:06
4128 [regress/multiplex.sh]
4129 Add small description of failing test to failure message; ok djm@
4130 - (dtucker) [regress/multiplex.sh] add EXEEXT for those platforms that need
4132 - (dtucker) [regress/multiplex.sh] Increase sleep time to 120 sec (60 is not
4133 enough for slow systems, especially if they don't have a kernel RNG).
4136 - (dtucker) [openbsd-compat/port-aix.c] Expand whitespace -> tabs. No
4138 - (dtucker) OpenBSD CVS Sync regress/
4139 - djm@cvs.openbsd.org 2004/04/27 09:47:30
4140 [regress/Makefile regress/test-exec.sh, added regress/envpass.sh]
4141 regress test for environment passing, SendEnv & AcceptEnv options;
4143 - dtucker@cvs.openbsd.org 2004/06/13 13:51:02
4144 [regress/Makefile regress/test-exec.sh, added regress/scp-ssh-wrapper.sh
4146 Add scp regression test; with & ok markus@
4147 - djm@cvs.openbsd.org 2004/06/13 15:04:08
4148 [regress/Makefile regress/test-exec.sh, added regress/envpass.sh]
4149 regress test for client multiplexing; ok markus@
4150 - djm@cvs.openbsd.org 2004/06/13 15:16:54
4151 [regress/test-exec.sh]
4152 remove duplicate setting of $SCP; spotted by markus@
4153 - dtucker@cvs.openbsd.org 2004/06/16 13:15:09
4155 Make scp -r tests use diff -rN not cmp (which won't do dirs. ok markus@
4156 - dtucker@cvs.openbsd.org 2004/06/16 13:16:40
4157 [regress/multiplex.sh]
4158 Silence multiplex sftp and scp tests. ok markus@
4159 - (dtucker) [regress/test-exec.sh]
4160 Move Portable-only StrictModes to top of list to make syncs easier.
4161 - (dtucker) [regress/README.regress]
4162 Add $TEST_SHELL to readme.
4165 - (djm) OpenBSD CVS Sync
4166 - djm@cvs.openbsd.org 2004/05/26 08:59:57
4168 exit -> _exit in forked child on error; from andrushock AT korovino.net
4169 - markus@cvs.openbsd.org 2004/05/26 23:02:39
4171 missing freeaddrinfo; Andrey Matveev
4172 - dtucker@cvs.openbsd.org 2004/05/27 00:50:13
4174 Kill dead code after fatal(); ok djm@
4175 - dtucker@cvs.openbsd.org 2004/06/01 14:20:45
4177 Remove redundant #include; ok markus@
4178 - pedro@cvs.openbsd.org 2004/06/03 12:22:20
4179 [sftp-client.c sftp.c]
4180 initialize pointers, ok markus@
4181 - djm@cvs.openbsd.org 2004/06/13 12:53:24
4182 [dh.c dh.h kex.c kex.h kexdhc.c kexdhs.c monitor.c myproposal.h]
4183 [ssh-keyscan.c sshconnect2.c sshd.c]
4184 implement diffie-hellman-group14-sha1 kex method (trivial extension to
4185 existing diffie-hellman-group1-sha1); ok markus@
4186 - dtucker@cvs.openbsd.org 2004/06/13 14:01:42
4187 [ssh.1 ssh_config.5 sshd_config.5]
4188 List supported ciphers in man pages, tidy up ssh -c;
4189 "looks fine" jmc@, ok markus@
4190 - djm@cvs.openbsd.org 2004/06/13 15:03:02
4191 [channels.c channels.h clientloop.c clientloop.h includes.h readconf.c]
4192 [readconf.h scp.1 sftp.1 ssh.1 ssh.c ssh_config.5]
4193 implement session multiplexing in the client (the server has supported
4194 this since 2.0); ok markus@
4195 - djm@cvs.openbsd.org 2004/06/14 01:44:39
4196 [channels.c clientloop.c misc.c misc.h packet.c ssh-agent.c ssh-keyscan.c]
4198 set_nonblock() instead of fnctl(...,O_NONBLOCK); "looks sane" deraadt@
4199 - djm@cvs.openbsd.org 2004/06/15 05:45:04
4201 missed one unset_nonblock; spotted by Tim Rice
4202 - (djm) Fix Makefile.in for connection sharing changes
4203 - (djm) [ssh.c] Use separate var for address length
4206 - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions.
4210 - (djm) [auth-pam.c] Add copyright for local changes
4213 - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM
4214 support for PasswordAuthentication=yes. ok djm@
4215 - (dtucker) [auth-pam.c] Use an invalid password for root if
4216 PermitRootLogin != yes or the login is invalid, to prevent leaking
4217 information. Based on Openwall's owl-always-auth patch. ok djm@
4218 - (tim) [configure.ac Makefile.in] Add support for "make package" ok djm@
4219 - (tim) [buildpkg.sh.in] New file. A more flexible version of
4220 contrib/solaris/buildpkg.sh used for "make package".
4221 - (tim) [buildpkg.sh.in] Last minute fix didn't make it in the .in file.
4224 - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec
4225 contrib/README CREDITS INSTALL] Bug #873: Correct URLs for x11-ssh-askpass
4226 and Jim Knoble's email address , from Jim himself.
4229 - (dtucker) OpenBSD CVS Sync
4230 - djm@cvs.openbsd.org 2004/05/19 12:17:33
4231 [sftp-client.c sftp.c]
4232 gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while
4233 waiting for a command; ok markus@
4234 - dtucker@cvs.openbsd.org 2004/05/20 10:58:05
4236 Trivial type fix 0 -> '\0'; ok markus@
4237 - markus@cvs.openbsd.org 2004/05/21 08:43:03
4238 [kex.h moduli.c tildexpand.c]
4239 add prototypes for -Wall; ok djm
4240 - djm@cvs.openbsd.org 2004/05/21 11:33:11
4241 [channels.c channels.h clientloop.c serverloop.c ssh.1]
4242 bz #756: add support for the cancel-tcpip-forward request for the server
4243 and the client (through the ~C commandline). reported by z3p AT
4244 twistedmatrix.com; ok markus@
4245 - djm@cvs.openbsd.org 2004/05/22 06:32:12
4246 [clientloop.c ssh.1]
4247 use '-h' for help in ~C commandline instead of '-?'; inspired by jmc@
4248 - jmc@cvs.openbsd.org 2004/05/22 16:01:05
4250 kill whitespace at eol;
4251 - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
4252 [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config
4254 Add MaxAuthTries sshd config option; ok markus@
4255 - (dtucker) [auth-pam.c] Bug #839: Ensure that pam authentication "thread"
4256 is terminated if the privsep slave exits during keyboard-interactive
4257 authentication. ok djm@
4258 - (dtucker) [sshd.c] Fix typo in comment.
4261 - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
4262 sshd_config; ok dtucker@
4263 - (djm) [configure.ac] Warn if the system has no known way of figuring out
4264 which user is on the other end of a Unix domain socket; ok dtucker@
4265 - (bal) [openbsd-compat/sys-queue.h] Reintroduce machinary to handle
4266 old/broken/incomplete <sys/queue.h>.
4269 - (dtucker) [configure.ac] Bug #867: Additional tests for res_query in
4270 libresolv, fixes problems detecting it on some platforms
4271 (eg Linux/x86-64). From Kurt Roeckx via Debian, ok mouring@
4272 - (dtucker) OpenBSD CVS Sync
4273 - jmc@cvs.openbsd.org 2004/05/04 18:36:07
4276 - jmc@cvs.openbsd.org 2004/05/06 11:24:23
4278 typo from John Cosimano (PR 3770);
4279 - deraadt@cvs.openbsd.org 2004/05/08 00:01:37
4280 [auth.c clientloop.c misc.h servconf.c ssh.c sshpty.h sshtty.c
4281 tildexpand.c], removed: sshtty.h tildexpand.h
4282 make two tiny header files go away; djm ok
4283 - djm@cvs.openbsd.org 2004/05/08 00:21:31
4284 [clientloop.c misc.h readpass.c scard.c ssh-add.c ssh-agent.c ssh-keygen.c
4285 sshconnect.c sshconnect1.c sshconnect2.c] removed: readpass.h
4286 kill a tiny header; ok deraadt@
4287 - djm@cvs.openbsd.org 2004/05/09 00:06:47
4288 [moduli.c ssh-keygen.c] removed: moduli.h
4289 zap another tiny header; ok deraadt@
4290 - djm@cvs.openbsd.org 2004/05/09 01:19:28
4291 [OVERVIEW auth-rsa.c auth1.c kex.c monitor.c session.c sshconnect1.c
4292 sshd.c] removed: mpaux.c mpaux.h
4293 kill some more tiny files; ok deraadt@
4294 - djm@cvs.openbsd.org 2004/05/09 01:26:48
4296 don't overwrite what we are trying to compute
4297 - deraadt@cvs.openbsd.org 2004/05/11 19:01:43
4298 [auth.c auth2-none.c authfile.c channels.c monitor.c monitor_mm.c
4299 packet.c packet.h progressmeter.c session.c openbsd-compat/xmmap.c]
4300 improve some code lint did not like; djm millert ok
4301 - dtucker@cvs.openbsd.org 2004/05/13 02:47:50
4303 Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@
4304 - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to
4305 UsePAM section. Parts from djm@ and jmc@.
4306 - (dtucker) [auth-pam.c scard-opensc.c] Tinderbox says auth-pam.c uses
4307 readpass.h, grep says scard-opensc.c does too. Replace with misc.h.
4308 - (dtucker) [openbsd-compat/getrrsetbyname.c] Check that HAVE_DECL_H_ERROR
4309 is defined before using.
4310 - (dtucker) [openbsd-compat/getrrsetbyname.c] Fix typo too: HAVE_DECL_H_ERROR
4311 -> HAVE_DECL_H_ERRNO.
4314 - (dtucker) OpenBSD CVS Sync
4315 - djm@cvs.openbsd.org 2004/04/22 11:56:57
4317 Bugzilla #850: Sophie Germain is the correct name of the French
4318 mathematician, "Sophie Germaine" isn't; from Luc.Maisonobe@c-s.fr
4319 - djm@cvs.openbsd.org 2004/04/27 09:46:37
4320 [readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c
4321 ssh_config.5 sshd_config.5]
4322 bz #815: implement ability to pass specified environment variables from
4323 the client to the server; ok markus@
4324 - djm@cvs.openbsd.org 2004/04/28 05:17:10
4325 [ssh_config.5 sshd_config.5]
4326 manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu)
4327 - jmc@cvs.openbsd.org 2004/04/28 07:02:56
4329 remove unnecessary .Pp;
4330 - jmc@cvs.openbsd.org 2004/04/28 07:13:42
4332 add SendEnv to -o list;
4333 - dtucker@cvs.openbsd.org 2004/05/02 11:54:31
4335 Man page grammar fix (bz #858), from damerell at chiark.greenend.org.uk
4337 - dtucker@cvs.openbsd.org 2004/05/02 11:57:52
4339 ConnectionTimeout -> ConnectTimeout, from m.a.ellis at ncl.ac.uk via
4341 - dtucker@cvs.openbsd.org 2004/05/02 23:02:17
4343 ConnectionTimeout -> ConnectTimeout here too, pointed out by jmc@
4344 - dtucker@cvs.openbsd.org 2004/05/02 23:17:51
4346 ConnectionTimeout -> ConnectTimeout for scp.1 too.
4349 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Declare h_errno
4350 as extern int if not already declared. Fixes compile errors on old SCO
4352 - (dtucker) [README.platform] List prereqs for building on Cygwin.
4355 - (djm) Update config.guess and config.sub to autoconf-2.59 versions; ok tim@
4358 - (djm) OpenBSD CVS Sync
4359 - henning@cvs.openbsd.org 2004/04/08 16:08:21
4361 swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what
4362 FreeBSD and NetBSD do.
4363 ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@
4364 - djm@cvs.openbsd.org 2004/04/18 23:10:26
4365 [readconf.c readconf.h ssh-keysign.c ssh.c]
4366 perform strict ownership and modes checks for ~/.ssh/config files,
4367 as these can be used to execute arbitrary programs; ok markus@
4368 NB. ssh will now exit when it detects a config with poor permissions
4369 - djm@cvs.openbsd.org 2004/04/19 13:02:40
4370 [ssh.1 ssh_config.5]
4371 document strict permission checks on ~/.ssh/config; prompted by,
4373 - jmc@cvs.openbsd.org 2004/04/19 16:12:14
4375 kill whitespace at eol;
4376 - djm@cvs.openbsd.org 2004/04/19 21:51:49
4378 fix idiot typo that i introduced in my last commit;
4379 spotted by cschneid AT cschneid.com
4380 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for
4382 - (djm) [configure.ac] Check whether libroken is required when building
4386 - (dtucker) OpenBSD CVS Sync
4387 - dtucker@cvs.openbsd.org 2004/02/29 22:04:45
4388 [regress/login-timeout.sh]
4389 Use sudo when restarting daemon during test. ok markus@
4390 - dtucker@cvs.openbsd.org 2004/03/08 10:17:12
4391 [regress/login-timeout.sh]
4392 Missing OBJ, from tim@. ok markus@ (Already fixed, ID sync only)
4393 - djm@cvs.openbsd.org 2004/03/30 12:41:56
4395 sync comment with reality
4396 - djm@cvs.openbsd.org 2004/03/31 21:58:47
4398 don't skip ip options check when UseDNS=no; ok markus@ (ID sync only)
4399 - markus@cvs.openbsd.org 2004/04/01 12:19:57
4401 limit trust between local and remote rcp/scp process,
4402 noticed by lcamtuf; ok deraadt@, djm@
4405 - (dtucker) [auth-pam.c] Log username and source host for failed PAM
4406 authentication attempts. With & ok djm@
4407 - (djm) [openbsd-compat/bsd-cygwin_util.c] Recent versions of Cygwin allow
4408 change of user context without a password, so relax auth method
4409 restrictions; from vinschen AT redhat.com; ok dtucker@
4412 - (dtucker) [regress/sftp-cmds.sh] Skip quoting test on Cygwin, since
4413 FAT/NTFS does not permit quotes in filenames. From vinschen at redhat.com
4414 - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache
4415 file using FILE: method, fixes problems on Mac OSX.
4416 Patch from simon@sxw.org.uk; ok dtucker@
4417 - (tim) [configure.ac] Set SETEUID_BREAKS_SETUID, BROKEN_SETREUID and
4418 BROKEN_SETREGID for SCO OpenServer 3
4421 - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning
4422 from bug #701 (text from jfh at cise.ufl.edu).
4423 - (dtucker) [acconfig.h configure.ac defines.h] Bug #673: check for 4-arg
4424 skeychallenge(), eg on NetBSD. ok mouring@
4425 - (dtucker) [auth-skey.c defines.h monitor.c] Make skeychallenge explicitly
4426 4-arg, with compatibility for 3-arg versions. From djm@, ok me.
4427 - (djm) [configure.ac] Fix detection of libwrap on OpenBSD; ok dtucker@
4430 - (dtucker) [loginrec.c] Use UT_LINESIZE if available, prevents truncating
4431 pty name on Linux 2.6.x systems. Patch from jpe at eisenmenger.org.
4432 - (bal) [monitor.c monitor_wrap.c] Second try. Put the zlib.h headers
4433 back and #undef TARGET_OS_MAC instead. (Bug report pending with Apple)
4434 - (dtucker) [defines.h loginrec.c] Define UT_LINESIZE if not defined and
4435 simplify loginrec.c. ok tim@
4436 - (bal) [monitor.c monitor_wrap.c] Ok.. Last time. Promise. Tim suggested
4437 limiting scope and dtucker@ agreed.
4440 - (dtucker) [session.c] Flush stdout after displaying loginmsg. From
4442 - (bal) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Check to see
4443 if Krb5 library exports krb5_init_etc() since some OSes (like MacOS/X)
4444 are starting to restrict it as internal since it is not needed by
4445 developers any more. (Patch based on Apple tree)
4446 - (bal) [monitor.c monitor_wrap.c] monitor_wrap.c] moved zlib.h higher since
4447 krb5 on MacOS/X conflicts. There may be a better solution, but this will
4451 - (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use
4452 updwtmpx() on IRIX since it seems to clobber utmp. ok djm@
4453 - (dtucker) [configure.ac] Bug #816, #748 (again): Attempt to detect
4454 broken getaddrinfo and friends on HP-UX. ok djm@
4457 - (dtucker) [configure.ac] Bug #811: Use "!" for LOCKED_PASSWD_PREFIX on
4458 Linuxes, since that's what many use. ok djm@
4459 - (dtucker) [auth-pam.c] rename the_authctxt to sshpam_authctxt in auth-pam.c
4460 to reduce potential confusion with the one in sshd.c. ok djm@
4461 - (djm) Bug #825: Fix ip_options_check() for mapped IPv4/IPv6 connection;
4465 - (dtucker) [session.c] Bug #817: Clear loginmsg after fork to prevent
4466 duplicate login messages for mutli-session logins. ok djm@
4469 - (djm) [sshd.c] Drop supplemental groups if started as root
4470 - (djm) OpenBSD CVS Sync
4471 - markus@cvs.openbsd.org 2004/03/09 22:11:05
4473 increase x11 cookie lifetime to 20 minutes; ok djm
4474 - markus@cvs.openbsd.org 2004/03/10 09:45:06
4476 trim usage to match ssh(1) and look more like unix. ok djm@
4477 - markus@cvs.openbsd.org 2004/03/11 08:36:26
4479 trim usage; ok deraadt
4480 - markus@cvs.openbsd.org 2004/03/11 10:21:17
4482 ssh, sshd: sync version output, ok djm
4483 - markus@cvs.openbsd.org 2004/03/20 10:40:59
4486 - (djm) Crank RPM spec versions
4489 - (djm) [configure.ac] Add standard license to configure.ac; ok ben, dtucker
4492 - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #812: #undef getaddrinfo
4493 before redefining it, silences warnings on Tru64.
4496 - (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some
4497 platforms (eg SCO, HP-UX) with logging in the wrong TZ. ok djm@
4498 - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h
4499 openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being
4500 inherited by the child. ok djm@
4501 - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c
4502 monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
4503 even if keyboard-interactive is not used by the client. Prevents
4504 segfaults in some cases where the user's password is expired (note this
4505 is not considered a security exposure). ok djm@
4506 - (djm) OpenBSD CVS Sync
4507 - markus@cvs.openbsd.org 2004/03/03 06:47:52
4509 change proctiltle after accept(2); ok henning, deraadt, djm
4510 - djm@cvs.openbsd.org 2004/03/03 09:30:42
4512 Don't print duplicate messages when progressmeter is off
4513 Spotted by job317 AT mailvault.com; ok markus@
4514 - djm@cvs.openbsd.org 2004/03/03 09:31:20
4516 Fix initialisation of progress meter; ok markus@
4517 - markus@cvs.openbsd.org 2004/03/05 10:53:58
4518 [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c]
4519 add IdentitiesOnly; ok djm@, pb@
4520 - djm@cvs.openbsd.org 2004/03/08 09:38:05
4522 explicitly initialise remote_major and remote_minor.
4523 from cjwatson AT debian.org; ok markus@
4524 - dtucker@cvs.openbsd.org 2004/03/08 10:18:57
4526 Document KerberosGetAFSToken; ok markus@
4527 - (tim) [regress/README.regress] Document ssh-rand-helper issue. ok bal
4530 - (tim) [regress/login-timeout.sh] fix building outside of source tree.
4533 - (dtucker) [auth-pam.c] Don't try to export PAM when compiled with
4534 -DUSE_POSIX_THREADS. From antoine.verheijen at ualbert ca. ok djm@
4535 - (dtucker) [auth-pam.c] Reset signal status when starting pam auth thread,
4536 prevent hanging during PAM keyboard-interactive authentications. ok djm@
4537 - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.h
4538 openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when
4539 configured --with-osfsia. ok djm@
4542 - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
4546 - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188
4549 - (dtucker) OpenBSD CVS Sync
4550 - djm@cvs.openbsd.org 2004/02/25 00:22:45
4553 - dtucker@cvs.openbsd.org 2004/02/27 22:42:47
4555 Prevent sshd from sending DH groups with a primitive generator of zero or
4556 one, even if they are listed in /etc/moduli. ok markus@
4557 - dtucker@cvs.openbsd.org 2004/02/27 22:44:56
4559 Make /etc/moduli line buffer big enough for 8kbit primes, in case anyone
4560 ever uses one. ok markus@
4561 - dtucker@cvs.openbsd.org 2004/02/27 22:49:27
4563 Reset bit counter at the right time, fixes debug output in the case where
4564 the DH group is rejected. ok markus@
4565 - dtucker@cvs.openbsd.org 2004/02/17 08:23:20
4566 [regress/Makefile regress/login-timeout.sh]
4567 Add regression test for LoginGraceTime; ok markus@
4568 - markus@cvs.openbsd.org 2004/02/24 16:56:30
4569 [regress/test-exec.sh]
4570 allow arguments in ${TEST_SSH_XXX}
4571 - markus@cvs.openbsd.org 2004/02/24 17:06:52
4572 [regress/ssh-com-client.sh regress/ssh-com-keygen.sh
4573 regress/ssh-com-sftp.sh regress/ssh-com.sh]
4574 test against recent ssh.com releases
4575 - dtucker@cvs.openbsd.org 2004/02/28 12:16:57
4576 [regress/dynamic-forward.sh]
4577 Make dynamic-forward understand nc's new output. ok markus@
4578 - dtucker@cvs.openbsd.org 2004/02/28 13:44:45
4579 [regress/try-ciphers.sh]
4580 Test acss too; ok markus@
4581 - (dtucker) [regress/try-ciphers.sh] Skip acss if not compiled in (eg if we
4582 built with openssl < 0.9.7)
4585 - (bal) KNF our sshlogin.c even if the code looks nothing like upstream
4586 code due to diversity issues.
4589 - (djm) Trim ChangeLog
4590 - (djm) Don't specify path to PAM modules in Redhat sshd.pam; from Fedora
4593 - (dtucker) OpenBSD CVS Sync
4594 - markus@cvs.openbsd.org 2004/02/19 21:15:04
4596 switch to new license.template
4597 - markus@cvs.openbsd.org 2004/02/23 12:02:33
4599 backout revision 1.279; set listen socket to non-block; ok henning.
4600 - markus@cvs.openbsd.org 2004/02/23 15:12:46
4602 encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka
4603 and drop support for negative BNs; ok otto@
4604 - markus@cvs.openbsd.org 2004/02/23 15:16:46
4607 - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found
4608 with krb5-config, hunt down gssapi.h and friends. Based partially on patch
4609 from deengert at anl.gov. ok djm@
4610 - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime
4611 using sysconf() if available Based on patches from
4612 holger AT van-lengerich.de and openssh_bugzilla AT hockin.org
4613 - (dtucker) [uidswap.c] Minor KNF. ok djm@
4614 - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@
4615 - (djm) Crank RPM spec versions
4616 - (dtucker) [README] Add pointer to release notes. ok djm@
4617 - (dtucker) {README.platform] Add platform-specific notes.
4618 - (tim) [configure.ac] SCO3 needs -lcrypt_i for -lprot
4619 - (djm) Release 3.8p1
4622 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the
4623 non-interactive path. ok djm@
4626 - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test
4627 to auth-shadow.c, no functional change. ok djm@
4628 - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or
4629 password expiry. ok djm@
4630 - (dtucker) [auth-passwd.c] Only check password expiry once. Prevents
4631 multiple warnings if a wrong password is entered.
4632 - (dtucker) [configure.ac] Apply krb5-config --libs fix to non-gssapi path
4636 - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@
4639 - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a
4640 path with a "-" in it. From Sergio.Gelato at astro.su.se.
4641 - (djm) OpenBSD CVS Sync
4642 - djm@cvs.openbsd.org 2004/02/17 07:17:29
4643 [sftp-glob.c sftp.c]
4644 Remove useless headers; ok deraadt@
4645 - djm@cvs.openbsd.org 2004/02/17 11:03:08
4647 sftp.c and sftp-int.c, together at last; ok markus@
4648 - jmc@cvs.openbsd.org 2004/02/17 19:35:21
4650 remove cruft left over from RhostsAuthentication removal;
4652 - (djm) [log.c] Correct use of HAVE_OPENLOG_R
4653 - (djm) [log.c] Tighten openlog_r tests
4656 - (djm) Simplify the license on code I have written. No code changes.
4657 - (djm) OpenBSD CVS Sync
4658 - djm@cvs.openbsd.org 2004/02/17 05:39:51
4659 [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c]
4661 switch to license.template for code written by me (belated, I know...)
4662 - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from
4663 stadal@suse.cz and simon@sxw.org.uk
4664 - (dtucker) [auth-pam.c] Tidy up PAM debugging. ok djm@
4665 - (dtucker) [auth-pam.c] Store output from pam_session and pam_setcred for
4666 display after login. Should fix problems like pam_motd not displaying
4667 anything, noticed by cjwatson at debian.org. ok djm@
4670 - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh]
4671 Portablity fixes. Data sftp transfers needs to be world readable. Some
4672 older shells hang on while loops when doing sh -n some_script. OK dtucker@
4673 - (tim) [configure.ac] Make sure -lcrypto is before -lsocket for sco3.
4677 - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check
4678 if HAS_SHADOW_EXPIRY is set.
4679 - (tim) [configure.ac] Fix comment to match code changes in ver 1.117
4682 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
4683 openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
4684 native password expiry.
4685 - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
4686 defines.h] Bug #14: Use do_pwchange to support password expiry and force
4687 change for platforms using /etc/shadow. ok djm@
4688 - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat
4689 functions to avoid conflicts with Heimdal's libroken. ok djm@
4690 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
4691 change expired PAM passwords for SSHv1 connections without privsep.
4692 pam_chauthtok is still used when privsep is disabled. ok djm@
4693 - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move
4694 include from port-aix.h to port-aix.c and remove unnecessary function
4695 definition. Fixes build errors on AIX.
4696 - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms
4697 that support it. from & ok mouring@
4698 - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x.
4702 - (dtucker) OpenBSD CVS Sync
4703 - dtucker@cvs.openbsd.org 2004/02/06 23:41:13
4705 Use EVP_CIPHER_CTX_key_length for key length. ok markus@
4706 (This will fix builds with OpenSSL 0.9.5)
4707 - (dtucker) [cipher.c] enable AES counter modes with OpenSSL 0.9.5.
4711 - (dtucker) [acss.c acss.h] Fix $Id tags.
4712 - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with
4713 OpenSSL >= 0.9.7. ok djm@
4714 - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root
4715 user, since some modules might fail due to lack of privilege. ok djm@
4716 - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO
4717 for HP-UX 11.11. If there are known-good configs where this is not
4718 required, please report them. ok djm@
4719 - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent
4720 accidentally inheriting from root's environment. ok djm@
4721 - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796:
4722 Restore previous authdb setting after auth calls. Fixes problems with
4723 setpcred failing on accounts that use AFS or NIS password registries.
4724 - (dtucker) [configure.ac includes.h] Include <sys/stream.h> if present,
4725 required on Solaris 2.5.1 for queue_t, which is used by <sys/ptms.h>.
4726 - (dtucker) OpenBSD CVS Sync
4727 - markus@cvs.openbsd.org 2004/01/30 09:48:57
4728 [auth-passwd.c auth.h pathnames.h session.c]
4729 support for password change; ok dtucker@
4730 (set password-dead=1w in login.conf to use this).
4731 In -Portable, this is currently only platforms using bsdauth.
4732 - dtucker@cvs.openbsd.org 2004/02/05 05:37:17
4734 Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
4735 - markus@cvs.openbsd.org 2004/02/05 15:33:33
4737 fix ETA for > 4GB; bugzilla #791; ok henning@ deraadt@
4740 - (dtucker) OpenBSD CVS Sync regress/
4741 - dtucker@cvs.openbsd.org 2003/10/11 11:49:49
4742 [Makefile banner.sh]
4743 Test missing banner file, suppression of banner with ssh -q, check return
4744 code from ssh. ok markus@
4745 - jmc@cvs.openbsd.org 2003/11/07 10:16:44
4747 adress -> address, and a few more; all from Jonathon Gray;
4748 - djm@cvs.openbsd.org 2004/01/13 09:49:06
4750 - (dtucker) [configure.ac] Add --without-zlib-version-check. Feedback from
4752 - (dtucker) [configure.ac openbsd-compat/bsd-cray.c openbsd-compat/bsd-cray.h]
4753 Bug #775: Cray fixes from wendy at cray.com
4756 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@
4757 - (dtucker) [moduli] Import new moduli file from OpenBSD.
4760 - (djm) OpenBSD CVS Sync
4761 - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03
4765 - mouring@cvs.openbsd.org 2004/01/23 17:57:48
4767 Fix issue pointed out with ls not handling large directories
4768 with embeded paths correctly. OK damien@
4769 - hshoexer@cvs.openbsd.org 2004/01/23 19:26:33
4771 rename acss@opebsd.org to acss@openssh.org
4773 - djm@cvs.openbsd.org 2004/01/25 03:49:09
4775 reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785)
4776 from jclonguet AT free.fr; ok millert@
4777 - djm@cvs.openbsd.org 2004/01/27 10:08:10
4779 reorder parsing so user:skey@host:file works (bugzilla #777)
4780 patch from admorten AT umich.edu; ok markus@
4781 - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS
4782 if libcrypto lacks it
4785 - (tim) Typo in regress/README.regress
4786 - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated.
4787 - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG
4788 - (tim) [configure.ac includes.h] add <sys/ptms.h> for grantpt() and friends.
4789 - (tim) [defines.h openbsd-compat/getrrsetbyname.h] Move defines for HFIXEDSZ
4790 and T_SIG to getrrsetbyname.h
4793 - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com
4796 - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from
4797 ralf.hack AT pipex.net; ok dtucker@
4798 - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect
4799 Kerberos location (and thus work with Fedora Core 1);
4800 from jason AT devrandom.org
4801 - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for
4802 zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@
4803 - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options.
4804 Patch from vinschen at redhat.com.
4805 - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c]
4806 Change AFS symbol to USE_AFS to prevent namespace collisions, do not
4807 include kafs.h unless necessary. From deengert at anl.gov.
4808 - (tim) [configure.ac] Remove hard coded -L/usr/local/lib and
4809 -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \
4810 CPPFLAGS="-I/usr/local/include" ./configure if needed.
4813 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/
4814 GSSAPI detection, libs and includes. ok djm@
4815 - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not
4817 - (tim) [contrib/solaris/buildpkg.sh] Allow for the possibility of
4818 /usr/local being a symbolic link. Fixes problem reported by Henry Grebler.
4821 - (djm) OpenBSD CVS Sync
4822 - djm@cvs.openbsd.org 2004/01/13 09:25:05
4823 [sftp-int.c sftp.1 sftp.c]
4824 Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and
4825 enable use of "-b -" to accept batchfile from stdin; ok markus@
4826 - jmc@cvs.openbsd.org 2004/01/13 12:17:33
4828 remove unnecessary Ic's;
4829 kill whitespace at EOL;
4831 - markus@cvs.openbsd.org 2004/01/13 19:23:15
4832 [compress.c session.c]
4834 - markus@cvs.openbsd.org 2004/01/13 19:45:15
4836 cast for portability; millert@
4837 - markus@cvs.openbsd.org 2004/01/19 09:24:21
4839 fake consumption for half closed channels since the peer is waiting for
4840 window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
4841 reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'
4842 - markus@cvs.openbsd.org 2004/01/19 21:25:15
4843 [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c]
4844 fix mem leaks; some fixes from Pete Flugstad; tested dtucker@
4845 - djm@cvs.openbsd.org 2004/01/21 03:07:59
4847 initialise infile in main, rather than statically - from portable
4848 - deraadt@cvs.openbsd.org 2004/01/11 21:55:06
4850 for pty opening, only use the openpty() path. the other stuff only needs
4851 to be in openssh-p; markus ok
4852 - (djm) [openbsd-compat/bsd-openpty.c] Rework old sshpty.c code into an
4853 openpty() replacement
4856 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits
4857 unexpectedly. with & ok djm@
4858 - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add
4859 test for case where cleanup has already run.
4860 - (dtucker) [auth-pam.c] Add minor debugging.
4863 - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No
4867 - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and
4868 only define if not already. From des at freebsd.org.
4869 - (dtucker) [configure.ac] Remove extra (typo) comma.
4872 - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from
4873 cjwatson at debian.org.
4874 - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c]
4875 Only enable KerberosGetAFSToken if Heimdal's libkafs is found. with jakob@
4878 - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from
4880 - (djm) Remove useless DNS support configure summary message. from jakob@
4881 - (djm) OSX/Darwin put the PAM headers in a different place, detect this.
4885 - (dtucker) OpenBSD CVS Sync
4886 - djm@cvs.openbsd.org 2003/12/22 09:16:58
4887 [moduli.c ssh-keygen.1 ssh-keygen.c]
4888 tidy up moduli generation debugging, add -v (verbose/debug) option to
4889 ssh-keygen; ok markus@
4890 - markus@cvs.openbsd.org 2003/12/22 20:29:55
4892 EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
4893 - jakob@cvs.openbsd.org 2003/12/23 16:12:10
4894 [servconf.c servconf.h session.c sshd_config]
4895 implement KerberosGetAFSToken server option. ok markus@, beck@
4896 - millert@cvs.openbsd.org 2003/12/29 16:39:50
4898 KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
4899 - dtucker@cvs.openbsd.org 2003/12/31 00:24:50
4901 Ignore password change request during password auth (which we currently
4902 don't support) and discard proposed new password. corrections/ok markus@
4903 - (dtucker) [configure.ac] Only test setresuid and setresgid if they exist.
4906 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
4907 typedef size_t ourselves.
4910 - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban.
4911 - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive
4912 authentication. Partially fixes bug #423. Feedback & ok djm@
4915 - (djm) OpenBSD CVS Sync
4916 - markus@cvs.openbsd.org 2003/12/09 15:28:43
4918 make ClientKeepAlive work for ssh -N, too (no login shell requested).
4919 1) send a bogus channel request if we find a channel
4920 2) send a bogus global request if we don't have a channel
4922 - markus@cvs.openbsd.org 2003/12/09 17:29:04
4924 fix -o and HUP; ok henning@
4925 - markus@cvs.openbsd.org 2003/12/09 17:30:05
4927 don't modify argv for ssh -o; similar to sshd.c 1.283
4928 - markus@cvs.openbsd.org 2003/12/09 21:53:37
4929 [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1]
4930 [ssh_config.5 sshconnect.c sshd.c sshd_config.5]
4931 rename keepalive to tcpkeepalive; the old name causes too much
4932 confusion; ok djm, dtucker; with help from jmc@
4933 - dtucker@cvs.openbsd.org 2003/12/09 23:45:32
4935 Clear exit code when ssh -N is terminated with a SIGTERM. ok markus@
4936 - markus@cvs.openbsd.org 2003/12/14 12:37:21
4938 we don't support GSS KEX; from Simon Wilkinson
4939 - markus@cvs.openbsd.org 2003/12/16 15:49:51
4940 [clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1]
4941 [ssh.c ssh_config.5]
4942 application layer keep alive (ServerAliveInterval ServerAliveCountMax)
4943 for ssh(1), similar to the sshd(8) option; ok beck@; with help from
4945 - markus@cvs.openbsd.org 2003/12/16 15:51:54
4947 use <= instead of < in dh_estimate; ok provos/hshoexer;
4948 do not return < DH_GRP_MIN
4949 - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for
4950 setres[ug]id() present but not implemented (eg some Linux/glibc
4952 - (bal) [openbsd-compat/bsd-misc.c] unset 'signal' defined if we are
4953 using a real 'signal()' (Noticed by a NeXT Compile)
4956 - (dtucker) OpenBSD CVS Sync
4957 - matthieu@cvs.openbsd.org 2003/11/25 23:10:08
4959 ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@.
4960 - djm@cvs.openbsd.org 2003/11/26 21:44:29
4962 fix #ifdef before #define; ok markus@
4963 (RCS ID sync only, Portable already had this)
4964 - markus@cvs.openbsd.org 2003/12/02 12:15:10
4966 improvments from andreas@:
4967 * saner speed estimate for transfers that takes less than a second by
4968 rounding the time to 1 second.
4969 * when the transfer is finished calculate the actual total speed
4970 rather than the current speed which is given during the transfer
4971 - markus@cvs.openbsd.org 2003/12/02 17:01:15
4972 [channels.c session.c ssh-agent.c ssh.h sshd.c]
4973 use SSH_LISTEN_BACKLOG (=128) in listen(2).
4974 - djm@cvs.openbsd.org 2003/12/07 06:34:18
4976 remove unused debugging #define templates
4977 - markus@cvs.openbsd.org 2003/12/08 11:00:47
4979 print requested group size in debug; ok djm
4980 - dtucker@cvs.openbsd.org 2003/12/09 13:52:55
4982 Prevent ssh-keygen -T from outputting moduli with a generator of 0, since
4983 they can't be used for Diffie-Hellman. Assistance and ok djm@
4984 - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below.
4987 - (tim) [configure.ac] Bug 770. Fix --without-rpath.
4990 - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own
4991 function and call it unconditionally
4992 - (djm) OpenBSD CVS Sync
4993 - djm@cvs.openbsd.org 2003/11/23 23:17:34
4995 from portable - use sysconf to detect fd limit; ok markus@
4996 (tidy diff by adding SSH_SSFDMAX macro to defines.h)
4997 - djm@cvs.openbsd.org 2003/11/23 23:18:45
4999 consistency PATH_MAX -> MAXPATHLEN; ok markus@
5001 - djm@cvs.openbsd.org 2003/11/23 23:21:21
5003 from portable: rename clashing variable limit-> limit_rate; ok markus@
5005 - dtucker@cvs.openbsd.org 2003/11/24 00:16:35
5007 Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@
5008 - (djm) Annotate OpenBSD-derived files in openbsd-compat/ with original
5009 source file path (in OpenBSD tree).
5012 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@
5013 - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
5014 Move AIX specific password authentication code to port-aix.c, call
5015 authenticate() until reenter flag is clear.
5016 - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net.
5017 Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA
5018 is enabled, rely on SIA to check for locked accounts if enabled. ok djm@
5019 - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch
5020 - (djm) [sftp-int.c] Remove duplicated code from bogus sync
5021 - (djm) [packet.c] Shuffle #ifdef to reduce conditionally compiled code
5024 - (djm) OpenBSD CVS Sync
5025 - markus@cvs.openbsd.org 2003/11/20 11:39:28
5027 fix rounding errors; from andreas@
5028 - djm@cvs.openbsd.org 2003/11/21 11:57:03
5030 unexpand and delete whitespace at EOL; ok markus@
5031 (done locally and RCS IDs synced)
5034 - (djm) Fix early exit for root auth success when UsePAM=yes and
5036 - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
5037 and use it for do_pam_session. Fixes problems like pam_motd not
5038 displaying anything. ok djm@
5039 - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@
5040 - (djm) OpenBSD CVS Sync
5041 - dtucker@cvs.openbsd.org 2003/11/18 00:40:05
5043 Correct check for authctxt->valid. ok djm@
5044 - djm@cvs.openbsd.org 2003/11/18 10:53:07
5046 unbreak fake authloop for non-existent users (my screwup). Spotted and
5047 tested by dtucker@; ok markus@
5050 - (djm) OpenBSD CVS Sync
5051 - djm@cvs.openbsd.org 2003/11/03 09:03:37
5053 make this a little more idiot-proof; ok markus@
5054 (includes portable-specific changes)
5055 - jakob@cvs.openbsd.org 2003/11/03 09:09:41
5057 move changed key warning into warn_changed_key(). ok markus@
5058 - jakob@cvs.openbsd.org 2003/11/03 09:37:32
5060 do not free static type pointer in warn_changed_key()
5061 - djm@cvs.openbsd.org 2003/11/04 08:54:09
5062 [auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c]
5063 [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c]
5065 standardise arguments to auth methods - they should all take authctxt.
5066 check authctxt->valid rather then pw != NULL; ok markus@
5067 - jakob@cvs.openbsd.org 2003/11/08 16:02:40
5069 remove unused variable (pw). ok djm@
5070 (id sync only - still used in portable)
5071 - jmc@cvs.openbsd.org 2003/11/08 19:17:29
5073 typos from Jonathon Gray;
5074 - jakob@cvs.openbsd.org 2003/11/10 16:23:41
5075 [bufaux.c bufaux.h cipher.c cipher.h hostfile.c hostfile.h key.c]
5076 [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c]
5077 [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h]
5078 constify. ok markus@ & djm@
5079 - dtucker@cvs.openbsd.org 2003/11/12 10:12:15
5081 When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@
5082 - jakob@cvs.openbsd.org 2003/11/12 16:39:58
5083 [dns.c dns.h readconf.c ssh_config.5 sshconnect.c]
5084 update SSHFP validation. ok markus@
5085 - jmc@cvs.openbsd.org 2003/11/12 20:14:51
5087 make verb agree with subject, and kill some whitespace;
5088 - markus@cvs.openbsd.org 2003/11/14 13:19:09
5090 cleanup and minor fixes for the client code; from Simon Wilkinson
5091 - djm@cvs.openbsd.org 2003/11/17 09:45:39
5092 [msg.c msg.h sshconnect2.c ssh-keysign.c]
5093 return error on msg send/receive failure (rather than fatal); ok markus@
5094 - markus@cvs.openbsd.org 2003/11/17 11:06:07
5095 [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c]
5096 [monitor_wrap.h sshconnect2.c ssh-gss.h]
5097 replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
5099 - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int
5100 conversation function
5101 - (djm) Export environment variables from authentication subprocess to
5102 parent. Part of Bug #717
5105 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and
5106 HP-UX, skip test on AIX.
5109 - (dtucker) [auth-pam.c] Append newlines to lines output by the
5110 pam_chauthtok_conv().
5111 - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All
5112 contrib/cygwin). Major update from vinschen at redhat.com.
5113 - Makefile provides a `cygwin-postinstall' target to run right after
5115 - Better support for Windows 2003 Server.
5116 - Try to get permissions as correct as possible.
5117 - New command line options to allow full automated host configuration.
5118 - Create configs from skeletons in /etc/defaults/etc.
5119 - Use /bin/bash, allows reading user input with readline support.
5120 - Remove really old configs from /usr/local.
5121 - (dtucker) [auth-pam.c] Add newline to accumulated PAM_TEXT_INFO and
5122 PAM_ERROR_MSG messages.
5125 - (djm) Clarify UsePAM consequences a little more
5128 - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services
5129 are created correctly with CRLF line terminations. Patch from vinschen at
5131 - (dtucker) OpenBSD CVS Sync
5132 - markus@cvs.openbsd.org 2003/10/15 09:48:45
5134 check pmonitor != NULL
5135 - markus@cvs.openbsd.org 2003/10/21 09:50:06
5137 make sure the doid is larger than 2
5138 - avsm@cvs.openbsd.org 2003/10/26 16:57:43
5140 rename 'supported' static var in userauth_gssapi() to 'gss_supported'
5141 to avoid shadowing the global version. markus@ ok
5142 - markus@cvs.openbsd.org 2003/10/28 09:08:06
5144 error->debug for getsockopt+TCP_NODELAY; several requests
5145 - markus@cvs.openbsd.org 2003/11/02 11:01:03
5146 [auth2-gss.c compat.c compat.h sshconnect2.c]
5147 remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
5148 - (dtucker) [regress/agent-ptrace.sh] Use numeric uid and gid.
5151 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords
5152 directly. Noted by Darren.Moffat at sun.com.
5153 - (dtucker) [regress/agent-ptrace.sh] Skip agent-test unless SUDO is set,
5154 make agent setgid during test.
5157 - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with
5158 MD5 passwords even if PAM support is enabled. From steev at detritus.net.
5161 - (dtucker) OpenBSD CVS Sync
5162 - jmc@cvs.openbsd.org 2003/10/08 08:27:36
5163 [scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8]
5164 scp and sftp: add options list and sort options. options list requested
5166 sshd: use same format as ssh
5167 ssh: remove wrong option from list
5168 sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)
5170 - markus@cvs.openbsd.org 2003/10/08 15:21:24
5171 [readconf.c ssh_config.5]
5172 default GSS API to no in client, too; ok jakob, deraadt@
5173 - markus@cvs.openbsd.org 2003/10/11 08:24:08
5174 [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
5175 remote x11 clients are now untrusted by default, uses xauth(8) to generate
5176 untrusted cookies; ForwardX11Trusted=yes restores old behaviour.
5177 ok deraadt; feedback and ok djm/fries
5178 - markus@cvs.openbsd.org 2003/10/11 08:26:43
5180 search keys in reverse order; fixes #684
5181 - markus@cvs.openbsd.org 2003/10/11 11:36:23
5183 return NULL for missing banner; ok djm@
5184 - jmc@cvs.openbsd.org 2003/10/12 13:12:13
5186 note that EnableSSHKeySign should be in the non-hostspecific section;
5187 remove unnecessary .Pp;
5189 - markus@cvs.openbsd.org 2003/10/13 08:22:25
5191 don't refer to options related to forwarding; ok jmc@
5192 - jakob@cvs.openbsd.org 2003/10/14 19:42:10
5193 [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
5194 include SSHFP lookup code (not enabled by default). ok markus@
5195 - jakob@cvs.openbsd.org 2003/10/14 19:43:23
5198 - markus@cvs.openbsd.org 2003/10/14 19:54:39
5199 [session.c ssh-agent.c]
5200 10X for mkdtemp; djm@
5201 - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c
5202 openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always
5203 compiled in but disabled in config.
5204 - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode.
5205 - (tim) [regress/banner.sh] portability fix.
5208 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@
5211 - (dtucker) OpenBSD CVS Sync
5212 - dtucker@cvs.openbsd.org 2003/10/07 01:47:27
5214 Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 &
5216 - djm@cvs.openbsd.org 2003/10/07 07:04:16
5218 sftp quoting fix from admorten AT umich.edu; ok markus@
5219 - deraadt@cvs.openbsd.org 2003/10/07 21:58:28
5221 set ptr to NULL after free
5222 - dtucker@cvs.openbsd.org 2003/10/07 01:52:13
5223 [regress/Makefile regress/banner.sh]
5224 Test SSH2 banner. ok markus@
5225 - djm@cvs.openbsd.org 2003/10/07 07:04:52
5226 [regress/sftp-cmds.sh]
5227 more sftp quoting regress tests; ok markus
5230 - (djm) Delete autom4te.cache after autoreconf
5231 - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static
5232 cleanup functions. With & ok djm@
5233 - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a
5234 run-time switch, always build --with-md5-passwords.
5235 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c]
5236 Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@
5237 - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID
5238 on Reliant Unix. Patch from Robert.Dahlem at siemens.com.
5239 - (dtucker) [configure.ac] Bug #710: Check for dlsym() in libdl on
5240 Reliant Unix. Based on patch from Robert.Dahlem at siemens.com.
5243 - (dtucker) OpenBSD CVS Sync
5244 - markus@cvs.openbsd.org 2003/10/02 10:41:59
5246 print openssl version, too, several requests; ok henning/djm.
5247 - markus@cvs.openbsd.org 2003/10/02 08:26:53
5249 missing $OpenBSD:; dtucker
5250 - (tim) [contrib/caldera/openssh.spec] Remove obsolete --with-ipv4-default
5254 - (dtucker) OpenBSD CVS Sync
5255 - markus@cvs.openbsd.org 2003/09/23 20:17:11
5256 [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c
5257 cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h
5258 monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h
5260 replace fatal_cleanup() and linked list of fatal callbacks with static
5261 cleanup_exit() function. re-refine cleanup_exit() where appropriate,
5262 allocate sshd's authctxt eary to allow simpler cleanup in sshd.
5263 tested by many, ok deraadt@
5264 - markus@cvs.openbsd.org 2003/09/23 20:18:52
5266 don't print trailing \0; bug #709; Robert.Dahlem@siemens.com
5268 - markus@cvs.openbsd.org 2003/09/23 20:41:11
5269 [channels.c channels.h clientloop.c]
5270 move client only agent code to clientloop.c
5271 - markus@cvs.openbsd.org 2003/09/26 08:19:29
5273 no need to set the listen sockets to non-block; ok deraadt@
5274 - jmc@cvs.openbsd.org 2003/09/29 11:40:51
5276 - add list of options to -o and .Xr ssh_config(5)
5277 - some other cleanup
5278 requested by deraadt@;
5280 - markus@cvs.openbsd.org 2003/09/29 20:19:57
5281 [servconf.c sshd_config]
5282 GSSAPICleanupCreds -> GSSAPICleanupCredentials
5283 - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring
5285 - (dtucker) [ssh-gss.h] Prototype change missed in sync.
5286 - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations.
5287 Based on patches by Matthias Koeppe and Thomas Baden. ok djm@
5290 - (bal) Fix issues in openbsd-compat/realpath.c
5293 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove
5294 DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from
5295 michael_steffens at hp.com, ok djm@
5296 - (tim) [sshd_config] UsePAM defaults to no.
5299 - (djm) Update version.h and spec files for HEAD
5300 - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6.
5303 - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree
5304 builds. Portability corrections from tim@.
5305 - (dtucker) [configure.ac] Bug #665: uid swapping issues on Mac OS X.
5306 Patch from max at quendi.de.
5307 - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi.
5308 - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64.
5309 - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS.
5310 Patch from david.haughton at ncr.com
5311 - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6.
5312 Part of patch supplied by bugzilla-openssh at thewrittenword.com
5313 - (dtucker) [configure.ac openbsd-compat/fake-rfc2553.c
5314 openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems with
5315 where gai_strerror is defined as "const char *". Part of patch supplied
5316 by bugzilla-openssh at thewrittenword.com
5317 - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update
5318 ssh-host-config to match current defaults, bump README version. Patch from
5319 vinschen at redhat.com.
5320 - (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the
5321 OS does not support permanently dropping privileges. Patch from
5322 vinschen at redhat.com.
5323 - (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h,
5324 add canohost.h to stop warning. Based on patch from openssh-unix-dev at
5326 - (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or
5328 - (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/
5329 - (tim) [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN.
5330 Report by distler AT golem ph utexas edu.
5331 - (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from
5332 article by genty at austin.ibm.com, included with the author's permission.
5333 - (dtucker) OpenBSD CVS Sync
5334 - markus@cvs.openbsd.org 2003/09/18 07:52:54
5336 missing {}; bug #656; jclonguet at free.fr
5337 - markus@cvs.openbsd.org 2003/09/18 07:54:48
5339 protect against double free; #660; zardoz at users.sf.net
5340 - markus@cvs.openbsd.org 2003/09/18 07:56:05
5342 missing buffer_free(&encrypted); #662; zardoz at users.sf.net
5343 - markus@cvs.openbsd.org 2003/09/18 08:49:45
5344 [deattack.c misc.c session.c ssh-agent.c]
5345 more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
5347 - miod@cvs.openbsd.org 2003/09/18 13:02:21
5348 [authfd.c bufaux.c dh.c mac.c ssh-keygen.c]
5349 A few signedness fixes for harmless situations; markus@ ok
5350 - markus@cvs.openbsd.org 2003/09/19 09:02:02
5352 buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
5353 - markus@cvs.openbsd.org 2003/09/19 09:03:00
5355 sign fix in buffer_dump; Jedi/Sector One; pr 3473
5356 - markus@cvs.openbsd.org 2003/09/19 11:29:40
5358 provide a ssh-agent specific fatal() function; ok deraadt
5359 - markus@cvs.openbsd.org 2003/09/19 11:30:39
5361 avoid fatal_cleanup, just call exit(); ok deraadt
5362 - markus@cvs.openbsd.org 2003/09/19 11:31:33
5364 do not call channel_free_all on fatal; ok deraadt
5365 - markus@cvs.openbsd.org 2003/09/19 11:33:09
5367 do not call packet_close on fatal; ok deraadt
5368 - markus@cvs.openbsd.org 2003/09/19 17:40:20
5370 error handling for remote-remote copy; #638; report Harald Koenig;
5371 ok millert, fgs, henning, deraadt
5372 - markus@cvs.openbsd.org 2003/09/19 17:43:35
5373 [clientloop.c sshtty.c sshtty.h]
5374 remove fatal callbacks from client code; ok deraadt
5375 - (bal) "extration" -> "extraction" in ssh-rand-helper.c; repoted by john
5377 - (tim) [configure.ac] add --disable-etc-default-login option. ok djm
5378 - (djm) Sync with V_3_7 branch:
5379 - (djm) Fix SSH1 challenge kludge
5380 - (djm) Bug #671: Fix builds on OpenBSD
5381 - (djm) Bug #676: Fix PAM stack corruption
5382 - (djm) Fix bad free() in PAM code
5383 - (djm) Don't call pam_end before pam_init
5384 - (djm) Enable build with old OpenSSL again
5385 - (djm) Trim deprecated options from INSTALL. Mention UsePAM
5386 - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu