- (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
- (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal
- (dtucker) [contrib/cygwin/ssh-user-config] Put keys in authorized_keys
rather than authorized_keys2. Patch from vinschen@redhat.com.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/08/14 16:08:58
exit after primetest, ok djm@
- (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros,
change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for
- (dtucker) [configure.ac] Move openpty/ctty test outside of case statement
and after normal openpty test.
- (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/08/13 08:33:02
use more portable tcsendbreak(3) and ignore break_length;
- markus@cvs.openbsd.org 2003/08/13 08:46:31
[auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others
- markus@cvs.openbsd.org 2003/08/13 09:07:10
socks4->socks, since we support both 4 and 5; dtucker@zip.com.au
- (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
Add a tcsendbreak function for platforms that don't have one, based on the
- (dtucker) OpenBSD CVS Sync
(thanks to Simon Wilkinson for help with this -dt)
- markus@cvs.openbsd.org 2003/07/16 15:02:06
mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
otherwise the kerberos credential is stored in a memory cache
in the privileged sshd. ok jabob@, hin@ (some time ago)
- (dtucker) [openbsd-compat/xcrypt.c] Remove Cygwin #ifdef block (duplicate
in bsd-cygwin_util.h).
- (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and
AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
separately before defining them.
- (dtucker) [auth-pam.c] Don't set PAM_TTY if tty is null. ok djm@
- (dtucker) [session.c] Have session_break_req not attempt to send a break
if TIOCSBRK and TIOCCBRK are not defined (eg Cygwin).
- (dtucker) [canohost.c] Bug #336: Only check ip options if IP_OPTIONS is
defined (fixes compile error on really old Linuxes).
- (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if
not already defined (eg Linux with some versions of libc5), based on those
- (dtucker) [openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
Remove incorrect filenames from comments (file names are in Id tags).
- (dtucker) [session.c openbsd-compat/bsd-cygwin_util.h] Move Cygwin
specific defines and includes to bsd-cygwin_util.h. Fixes build error too.
- (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/22 13:35:22
[auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
- (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
- (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/23 07:42:43
- djm@cvs.openbsd.org 2003/07/28 09:49:56
[ssh-keygen.1 ssh-keygen.c]
Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen.
Based on code from Phil Karn, William Allen Simpson and Niels Provos.
ok markus@, thanks jmc@
- markus@cvs.openbsd.org 2003/07/29 18:24:00
[LICENCE progressmeter.c]
replace 4 clause BSD licensed progressmeter code with a replacement
from Nils Nordman and myself; ok deraadt@
(copied from OpenBSD and re-applied portable changes)
- markus@cvs.openbsd.org 2003/07/29 18:26:46
fix length for "- stalled -" (included with previous import)
- markus@cvs.openbsd.org 2003/07/30 07:44:14
use only 4 digits in format_size (included with previous import)
- markus@cvs.openbsd.org 2003/07/30 07:53:27
whitespace (included with previous import)
- markus@cvs.openbsd.org 2003/07/31 09:21:02
check whether passwd auth is allowed, similar to proto 1; rob@pitman.co.za
- avsm@cvs.openbsd.org 2003/07/31 15:50:16
correct comment: atomicio takes vwrite, not write; deraadt@ ok
- markus@cvs.openbsd.org 2003/07/31 22:34:03
print rate similar old version; round instead truncate;
(included in previous progressmeter.c commit)
- (dtucker) [openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
Add a tcgetpgrp function.
- (dtucker) [Makefile.in moduli.c moduli.h] Add new files and to Makefile.
- (dtucker) [openbsd-compat/bsd-misc.c] Fix cut-and-paste bug in tcgetpgrp.
- (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
- (dtucker) [openbsd-compat/xcrypt.c] Fix typo: DISABLED_SHADOW ->
DISABLE_SHADOW. Fixes HP-UX compile error.
- (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.c
openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface,
and isolate shadow password functions. Tested in Solaris, but should
not break other platforms too badly (except maybe HP =). Also brings
auth-passwd.c into full sync with OpenBSD tree.
- (dtucker) [configure.ac] Back out change for bug #620.
- (dtucker) [configure.ac] Bug #620: Define BROKEN_GETADDRINFO for
Solaris/x86. Patch from jrhett at isite.net.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/14 12:36:37
remove undocumented -V option. would be only useful if openssh is used
as ssh v1 server for ssh.com's ssh v2.
- markus@cvs.openbsd.org 2003/07/16 10:34:53
don't exit on multiple -v or -d; ok deraadt@
- markus@cvs.openbsd.org 2003/07/16 10:36:28
clear IUCLC in enter_raw_mode; from rob@pitman.co.za; ok deraadt@, fgs@
- deraadt@cvs.openbsd.org 2003/07/18 01:54:25
userid is unsigned, but well, force it anyways; andrushock@korovino.net
- djm@cvs.openbsd.org 2003/07/19 00:45:53
fix sftp filename parsing for arguments with escaped quotes. bz #517;
- djm@cvs.openbsd.org 2003/07/19 00:46:31
[regress/sftp-cmds.sh]
regress test for sftp arguments with escaped quotes; ok markus
- (dtucker) [acconfig.h configure.ac port-aix.c] Older AIXes don't declare
loginfailed at all, so assume 3-arg loginfailed if not declared.
- (dtucker) [port-aix.h] Work around name collision on AIX for r_type by
- (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h]
Call setauthdb() before loginfailed(), which may load password registry-
specific functions. Based on patch by cawlfiel at us.ibm.com.
- (dtucker) [port-aix.h] Fix prototypes.
- (dtucker) OpenBSD CVS Sync
- avsm@cvs.openbsd.org 2003/07/09 13:58:19
minor tweak: when generating the hex fingerprint, give strlcat the full
bound to the buffer, and add a comment below explaining why the
zero-termination is one less than the bound. markus@ ok
- markus@cvs.openbsd.org 2003/07/10 14:42:28
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.
- markus@cvs.openbsd.org 2003/07/10 20:05:55
sync usage with manpage, add missing -R
- (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
Include AIX headers for authentication functions and make calls match
prototypes. Test for and handle 3-arg and 4-arg variants of loginfailed.
- (dtucker) [session.c] Check return value of setpcred().
- (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
Convert aixloginmsg into platform-independent Buffer loginmsg.
- (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
searching libraries for it. Fixes build errors on NCR MP-RAS.
- (dtucker) [ssh-rand-helper.c loginrec.c]
Apply atomicio typing change to these too.
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/06/28 07:48:10
report pidfile creation errors, based on patch from Roumen Petrov;
- deraadt@cvs.openbsd.org 2003/06/28 16:23:06
[atomicio.c atomicio.h authfd.c clientloop.c monitor_wrap.c msg.c
progressmeter.c scp.c sftp-client.c ssh-keyscan.c ssh.h sshconnect.c
deal with typing of write vs read in atomicio
- markus@cvs.openbsd.org 2003/06/29 12:44:38
memset 0, not \0; andrushock@korovino.net
- markus@cvs.openbsd.org 2003/07/02 12:56:34
deny dynamic forwarding with -R for v1, too; ok djm@
- markus@cvs.openbsd.org 2003/07/02 14:51:16
[channels.c ssh.1 ssh_config.5]
(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.
- markus@cvs.openbsd.org 2003/07/02 20:37:48
convert hostkeyalias to lowercase, otherwise uppercase aliases will
not match at all; ok henning@
- markus@cvs.openbsd.org 2003/07/03 08:21:46
[regress/dynamic-forward.sh]
add socks5; speedup; reformat; based on patch from dtucker@zip.com.au
- markus@cvs.openbsd.org 2003/07/03 08:24:13
enable tests for dynamic fwd via socks (-D), uses nc(1)
- djm@cvs.openbsd.org 2003/07/03 08:09:06
[readconf.c readconf.h ssh-keysign.c ssh.c]
fix AddressFamily option in config file, from brent@graveland.net;
- (djm) Search for support functions necessary to build our
getrrsetbyname() replacement. Patch from Roumen Petrov
- (dtucker) [includes.h] Bug #602: move #include of netdb.h to after in.h
(fixes compiler warnings on Solaris 2.5.1).
- (dtucker) [configure.ac] Add sanity test after system-dependent compiler
- (djm) Bug #591: use PKCS#15 private key label as a comment in case
of OpenSC. Report and patch from larsch@trustcenter.de
- (djm) Bug #593: Sanity check OpenSC card reader number; patch from
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/23 09:02:44
document EnableSSHKeysign; bugzilla #599; ok deraadt@, jmc@
- markus@cvs.openbsd.org 2003/06/24 08:23:46
[auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h
monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c]
int -> u_int; ok djm@, deraadt@, mouring@
- miod@cvs.openbsd.org 2003/06/25 22:39:36
Typo police: attribute is better written with an 'r'.
- markus@cvs.openbsd.org 2003/06/26 20:08:33
do not dump core for 'ssh -o proxycommand host'; ok deraadt@
- (dtucker) [regress/dynamic-forward.sh] Import new regression test.
- (dtucker) [configure.ac] Bug #570: Have ./configure --enable-FEATURE
actually enable the feature, for those normally disabled. Patch by
openssh (at) roumenpetrov.info.
- (dtucker) Have configure refer the user to config.log and
contrib/findssl.sh for OpenSSL header/library mismatches.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/21 09:14:05
[regress/reconfigure.sh]
missing $SUDO; from dtucker@zip.com.au
- markus@cvs.openbsd.org 2003/06/18 11:28:11
backout last change, since it violates pkcs#1
switch to share/misc/license.template
- djm@cvs.openbsd.org 2003/06/20 05:47:58
sync description of protocol 2 cipher proposal; ok markus
- djm@cvs.openbsd.org 2003/06/20 05:48:21
sync some implemented options; ok markus@
- (dtucker) [regress/authorized_keys_root] Remove temp data file from CVS.
- (dtucker) [openbsd-compat/setproctitle.c] Ensure SPT_TYPE is defined before
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/12 07:57:38
[monitor.c sshlogin.c sshpty.c]
typos; dtucker at zip.com.au
- djm@cvs.openbsd.org 2003/06/12 12:22:47
mention more copyright holders; ok markus@
- nino@cvs.openbsd.org 2003/06/12 15:34:09
- markus@cvs.openbsd.org 2003/06/12 19:12:03
[scard.c scard.h ssh-agent.c ssh.c]
add sc_get_key_label; larsch at trustcenter.de; bugzilla#591
- markus@cvs.openbsd.org 2003/06/16 08:22:35
make sure the signature has at least the expected length (don't
insist on len == hlen + oidlen, since this breaks some smartcards)
bugzilla #592; ok djm@
- markus@cvs.openbsd.org 2003/06/16 10:22:45
print out key comment on each prompt; make ssh-askpass more useable; ok djm@
- markus@cvs.openbsd.org 2003/06/17 18:14:23
use license from /usr/share/misc/license.template for new code
- (dtucker) [reconfigure.sh rekey.sh sftp-badcmds.sh]
Import new regression tests from OpenBSD
- (dtucker) [regress/copy.1 regress/copy.2] Remove temp data files from CVS.
- (dtucker) OpenBSD CVS Sync (regress/)
- markus@cvs.openbsd.org 2003/04/02 12:21:13
- djm@cvs.openbsd.org 2003/04/04 09:34:22
[Makefile sftp-cmds.sh]
More regression tests, including recent directory rename bug; ok markus@
- markus@cvs.openbsd.org 2003/05/14 22:08:27
[ssh-com-client.sh ssh-com-keygen.sh ssh-com-sftp.sh ssh-com.sh]
test against some new commercial versions
- mouring@cvs.openbsd.org 2003/05/15 04:07:12
Advanced put/get testing for sftp. OK @djm
- markus@cvs.openbsd.org 2003/06/12 15:40:01
- markus@cvs.openbsd.org 2003/06/12 15:43:32
test -HUP; dtucker at zip.com.au
- (djm) Update license on fake-rfc2553.[ch]; ok itojun@
- (djm) Mention portable copyright holders in LICENSE
- (djm) Put licenses on substantial header files
- (djm) Sync LICENSE against OpenBSD
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/06/10 09:12:11
[scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5]
[sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- COMPATIBILITY merge
- kill whitespace at EOL
- new sentence, new line
- deraadt@cvs.openbsd.org 2003/06/10 22:20:52
[packet.c progressmeter.c]
mostly ansi cleanup; pval ok
- jakob@cvs.openbsd.org 2003/06/11 10:16:16
clean up check_host_key() and improve SSHFP feedback. ok markus@
- jakob@cvs.openbsd.org 2003/06/11 10:18:47
sync with check_host_key() change
- djm@cvs.openbsd.org 2003/06/11 11:18:38
[authfd.c authfd.h ssh-add.c ssh-agent.c]
make agent constraints (lifetime, confirm) work with smartcard keys;
- (djm) Sync README.smartcard with OpenBSD -current
- (djm) Re-merge OpenSC info into README.smartcard
- (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
- (djm) Support AI_NUMERICHOST in fake-getaddrinfo.c. Needed for recent
- (djm) Implement paranoid priv dropping checks, based on:
"SetUID demystified" - Hao Chen, David Wagner and Drew Dean
Proceedings of USENIX Security Symposium 2002
- (djm) Don't use xmalloc() or pull in toplevel headers in fake-* code
- (djm) Merge all the openbsd/fake-* into fake-rfc2553.[ch]
- (djm) Bug #588 - Add scard-opensc.o back to Makefile.in
Patch from larsch@trustcenter.de
- (djm) Bug #589 - scard-opensc: load only keys with a private key
Patch from larsch@trustcenter.de
- (dtucker) Add includes.h to fake-rfc2553.c so it will build.
- (dtucker) Define EAI_NONAME in fake-rfc2553.h (used by fake-rfc2553.c).
- (djm) Bug #573 - Remove unneeded Krb headers and compat goop. Patch from
simon@sxw.org.uk (Also matches a change in OpenBSD a while ago)
- (djm) Bug #577 - wrong flag in scard-opensc.c sc_private_decrypt.
Patch from larsch@trustcenter.de; ok markus@
- (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from
larsch@trustcenter.de; ok markus@
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/06/04 08:25:18
disable challenge/response and keyboard-interactive auth methods
upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
- djm@cvs.openbsd.org 2003/06/04 10:23:48
remove duplicated group-dropping code; ok markus@
- djm@cvs.openbsd.org 2003/06/04 12:03:59
remove bitrotten comment; ok markus@
- djm@cvs.openbsd.org 2003/06/04 12:18:49
- djm@cvs.openbsd.org 2003/06/04 12:40:39
kill ssh process upon receipt of signal, bz #241.
based on patch from esb AT hawaii.edu; ok markus@
- djm@cvs.openbsd.org 2003/06/04 12:41:22
kill ssh process on receipt of signal; ok markus@
- (djm) Update to fix of bug #584: lock card before return.
From larsch@trustcenter.de
- (djm) Always use mysignal() for SIGALRM
- (djm) Replace setproctitle replacement with code derived from
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/02 09:17:34
[auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
[canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
- millert@cvs.openbsd.org 2003/06/03 02:56:16
Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.
- (djm) Fix portable-specific uses of verify_reverse_mapping too
- (djm) Sync openbsd-compat with OpenBSD CVS.
- No more 4-term BSD licenses in linked code
- (dtucker) [port-aix.c bsd-cray.c] Fix uses of verify_reverse_mapping.
- (djm) Fix segv from bad reordering in auth-pam.c
- (djm) Always use saved_argv in sshd.c as compat_init_setproctitle may
- (tim) openbsd-compat/xmmap.[ch] License clarifications. Add missing
- (djm) Remove "noip6" option from RedHat spec file. This may now be
set at runtime using AddressFamily option.
- (djm) Fix use of macro before #define in cipher-aes.c
- (djm) Sync license on openbsd-compat/bindresvport.c with OpenBSD CVS
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/05/26 12:54:40
fix format strings; ok markus@
- deraadt@cvs.openbsd.org 2003/05/29 16:58:45
seteuid and setegid; markus ok
- jakob@cvs.openbsd.org 2003/06/02 08:31:10
VerifyHostKeyDNS is v2 only. ok markus@
- (dtucker) Add missing semicolon in md5crypt.c, patch from openssh at
- (dtucker) Define SSHD_ACQUIRES_CTTY for NCR MP-RAS and Reliant Unix.
- (djm) Avoid auth2-chall.c warning when compiling without
PAM, BSD_AUTH and SKEY
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/05/24 09:02:22
pass logged data through strnvis; ok markus
- djm@cvs.openbsd.org 2003/05/24 09:30:40
[authfile.c monitor.c sftp-common.c sshpty.c]
cast some types for printing; ok markus@
- (dtucker) Correct --osfsia in INSTALL. Patch by skeleten at shillest.net
- (djm) Use VIS_SAFE on logged strings rather than default strnvis
encoding (which encodes many more characters)
- jmc@cvs.openbsd.org 2003/05/20 12:03:35
- new sentence, new line
- jmc@cvs.openbsd.org 2003/05/20 12:09:31
[ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1]
new sentence, new line
- djm@cvs.openbsd.org 2003/05/23 08:29:30
- (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2003/05/18 23:22:01
use syslog_r() in a signal handler called place; markus ok
- (djm) Configure logic to detect syslog_r and friends
- (djm) Sync auth-pam.h with what we actually implement
- (djm) Return of the dreaded PAM_TTY_KLUDGE, which went missing in
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/05/16 03:27:12
[readconf.c ssh_config ssh_config.5 ssh-keysign.c]
add AddressFamily option to ssh_config (like -4, -6 on commandline).
Portable bug #534; ok markus@
- itojun@cvs.openbsd.org 2003/05/17 03:25:58
just in case, put numbers to sscanf %s arg.
- markus@cvs.openbsd.org 2003/05/17 04:27:52
[cipher.c cipher-ctr.c myproposal.h]
experimental support for aes-ctr modes from
http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt
- (djm) Remove IPv4 by default hack now that we can specify AF in config
- (djm) Tidy and trim TODO
- (djm) Sync openbsd-compat/ with OpenBSD CVS head
- (djm) Big KNF on openbsd-compat/
- (djm) KNF on md5crypt.[ch]
- (djm) KNF on auth-sia.[ch]
- (bal) strcat -> strlcat on openbsd-compat/realpath.c (rev 1.8 OpenBSD)
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/05/15 13:52:10
Make "ssh -V" print the OpenSSL version in a human readable form. Patch
from Craig Leres (mindrot at ee.lbl.gov); ok markus@
- jakob@cvs.openbsd.org 2003/05/15 14:02:47
[readconf.c servconf.c]
warn for unsupported config option. ok markus@
- markus@cvs.openbsd.org 2003/05/15 14:09:21
fix 64bit issue; report itojun@
- djm@cvs.openbsd.org 2003/05/15 14:55:25
[readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c]
add a ConnectTimeout option to ssh, based on patch from
Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@
- (djm) Add warning for UsePAM when built without PAM support
- (djm) A few type mismatch fixes from Bug #565
- (djm) Guard free_pam_environment against NULL argument. Works around
HP/UX PAM problems debugged by dtucker
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/05/14 13:11:56
- jakob@cvs.openbsd.org 2003/05/14 18:16:20
[key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c]
[dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c]
add experimental support for verifying host keys using DNS as described
in draft-ietf-secsh-dns-xx.txt. more information in README.dns.
ok markus@ and henning@
- markus@cvs.openbsd.org 2003/05/14 22:24:42
[clientloop.c session.c ssh.1]
allow to send a BREAK to the remote system; ok various
- markus@cvs.openbsd.org 2003/05/15 00:28:28
cleanup unregister of per-method packet handlers; ok djm@
- jakob@cvs.openbsd.org 2003/05/15 01:48:10
[readconf.c readconf.h servconf.c servconf.h]
always parse kerberos options. ok djm@ markus@
- jakob@cvs.openbsd.org 2003/05/15 02:27:15
add missing freerrset
- markus@cvs.openbsd.org 2003/05/15 03:08:29
[cipher.c cipher-bf1.c cipher-aes.c cipher-3des1.c]
split out custom EVP ciphers
- djm@cvs.openbsd.org 2003/05/15 03:10:52
avoid warning; ok jakob@
- mouring@cvs.openbsd.org 2003/05/15 03:39:07
Make put/get (globed and nonglobed) code more consistent. OK djm@
- mouring@cvs.openbsd.org 2003/05/15 03:43:59
Teach ls how to display multiple column display and allow users
to return to single column format via 'ls -1'. OK @djm
- jakob@cvs.openbsd.org 2003/05/15 04:08:44
[readconf.c servconf.c]
disable kerberos when not supported. ok markus@
- markus@cvs.openbsd.org 2003/05/15 04:08:41
- (djm) Always parse UsePAM
- (djm) Configure glue for DNS support (code doesn't work in portable yet)
- (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support)
- (djm) Tidy Makefile clean targets
- (djm) Adapt README.dns for portable
- (djm) Avoid uuencode.c warnings
- (djm) Enable UsePAM when built --with-pam
- (djm) Only build getrrsetbyname replacement when using --with-dns
- (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv
- (djm) Bug #444: Wrong paths after reconfigure
- (dtucker) HP-UX needs to include <sys/strtio.h> for TIOCSBRK
- (djm) Bug #117: Don't lie to PAM about username
- (djm) RCSID sync w/ OpenBSD
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/04/09 12:00:37
strip trailing whitespace from config lines before parsing.
Fixes bz 528; ok markus@
- markus@cvs.openbsd.org 2003/04/12 10:13:57
hide cipher details; ok djm@
- markus@cvs.openbsd.org 2003/04/12 10:15:36
- naddy@cvs.openbsd.org 2003/04/12 11:40:15
document -V switch, fix wording; ok markus@
- markus@cvs.openbsd.org 2003/04/14 14:17:50
[channels.c sshconnect.c sshd.c ssh-keyscan.c]
avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP
- mouring@cvs.openbsd.org 2003/04/14 21:31:27
Missing globfree(&g) in process_put() spotted by Vince Brimhall
<VBrimhall@novell.com>. ok@ Theo
- markus@cvs.openbsd.org 2003/04/16 14:35:27
document struct Authctxt; with solar
- deraadt@cvs.openbsd.org 2003/04/26 04:29:49
-t in usage(); rogier@quaak.org
- mouring@cvs.openbsd.org 2003/04/30 01:16:20
[sshd.8 sshd_config.5]
Escape ?, * and ! in .Ql for nroff compatibility. OpenSSH Portable
Bug #550 and * escaping suggested by jmc@.
- david@cvs.openbsd.org 2003/04/30 20:41:07
fix invalid .Pf macro usage introduced in previous commit
- markus@cvs.openbsd.org 2003/05/11 16:56:48
[authfile.c ssh-keygen.c]
change key_load_public to try to read a public from:
rsa1 private or rsa1 public and ssh2 keys.
this makes ssh-keygen -e fail for ssh1 keys more gracefully
for example; report from itojun (netbsd pr 20550).
- markus@cvs.openbsd.org 2003/05/11 20:30:25
[channels.c clientloop.c serverloop.c session.c ssh.c]
make channel_new() strdup the 'remote_name' (not the caller); ok theo
- markus@cvs.openbsd.org 2003/05/12 16:55:37
for pubkey authentication try the user keys in the following order:
1. agent keys that are found in the config file
3. keys that are only listed in the config file
this helps when an agent has many keys, where the server might
close the connection before the correct key is used. report & ok pb@
- markus@cvs.openbsd.org 2003/05/12 18:35:18
typo: DSA keys are of type ssh-dss; Brian Poole
- markus@cvs.openbsd.org 2003/05/14 00:52:59
ranges for per auth method messages
- djm@cvs.openbsd.org 2003/05/14 01:00:44
emphasise the batchmode functionality and make reference to pubkey auth,
both of which are FAQs; ok markus@
- markus@cvs.openbsd.org 2003/05/14 02:15:47
[auth2.c monitor.c sshconnect2.c auth2-krb5.c]
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@
- jmc@cvs.openbsd.org 2003/05/14 08:25:39
- better formatting in SYNOPSIS
- markus@cvs.openbsd.org 2003/05/14 08:57:49
http://bugzilla.mindrot.org/show_bug.cgi?id=560
Privsep child continues to run after monitor killed.
Pass monitor signals through to child; Darren Tucker
- (djm) Make portable build with MIT krb5 (some issues remain)
- (djm) Add new UsePAM configuration directive to allow runtime control
over usage of PAM. This allows non-root use of sshd when built with
- (djm) Die screaming if start_pam() is called when UsePAM=no
- (djm) Avoid KrbV leak for MIT Kerberos
- (dtucker) Set ai_socktype and ai_protocol in fake-getaddrinfo.c. ok djm@
- (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability
- (djm) Redhat spec: Don't install profile.d scripts when not
building with GNOME/GTK askpass (patch from bet@rahul.net)
- (dtucker) Bug #318: Create ssh_prng_cmds.out during "make" rather than
"make install". Patch by roth@feep.net.
- (dtucker) Bug #536: Test for and work around openpty/controlling tty
problem on Linux (fixes "could not set controlling tty" errors).
- (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with
proper challenge-response module
- (djm) 2-clause license on loginrec.c, with permission from
- (dtucker) Bug #497: Move #include of bsd-cygwin_util.h to openbsd-compat.h.
Patch from vinschen@redhat.com.
- (dtucker) Add missing "void" to record_failed_login in bsd-cray.c. Noted
- (dtucker) Bug #544: ignore invalid cmsg_type on Linux 2.0 kernels,
privsep should now work.
- (dtucker) Move handling of bad password authentications into a platform
specific record_failed_login() function (affects AIX & Unicos). ok mouring@
- (djm) Add back radix.o (used by AFS support), after it went missing from
Makefile many moons ago
- (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
- (djm) Fix blibpath specification for AIX/gcc
- (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
- (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit
- (bal) Bug #541: return; was dropped by mistake. Reported by
- (bal) Since we don't support platforms lacking u_int_64. We may
as well clean out some of those evil #ifdefs
- (bal) auth1.c minor resync while looking at the code.
- (bal) auth2.c same changed as above.
- (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report
from matth@eecs.berkeley.edu
- (djm) Make the spec work with Redhat 9.0 (which renames sharutils)
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/04/02 09:48:07
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
[readconf.h serverloop.c sshconnect2.c]
reapply rekeying change, tested by henning@, ok djm@
- markus@cvs.openbsd.org 2003/04/02 14:36:26
potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526
- itojun@cvs.openbsd.org 2003/04/03 07:25:27
- itojun@cvs.openbsd.org 2003/04/03 10:17:35
remove $OpenBSD$, as other *.c does not have it.
- markus@cvs.openbsd.org 2003/04/07 08:29:57
typo: get correct counters; introduced during rekeying change.
- millert@cvs.openbsd.org 2003/04/07 21:58:05
The UCB copyright here is incorrect. This code did not originate
at UCB, it was written by Luke Mewburn. Updated the copyright at
the author's request. markus@ OK
- itojun@cvs.openbsd.org 2003/04/08 20:21:29
rename log() into logit() to avoid name conflict. markus ok, from
- (djm) XXX - Performed locally using:
"perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h"
- hin@cvs.openbsd.org 2003/04/09 08:23:52
Don't include <krb.h> when compiling with Kerberos 5 support
- (djm) Fix up missing include for packet.c
- (djm) Fix missed log => logit occurrence (reference by function pointer)
- (bal) if IP_TOS is not found or broken don't try to compile in
packet_set_tos() function call. bug #527
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/03/28 10:11:43
[scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
[ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- new sentence new line
- markus@cvs.openbsd.org 2003/04/01 10:10:23
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
[readconf.h serverloop.c sshconnect2.c]
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
- markus@cvs.openbsd.org 2003/04/01 10:22:21
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
[readconf.h serverloop.c sshconnect2.c]
backout rekeying changes (for 3.6.1)
- markus@cvs.openbsd.org 2003/04/01 10:31:26
[compat.c compat.h kex.c]
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@;
tested by ho@ and myself
- markus@cvs.openbsd.org 2003/04/01 10:56:46
- (djm) Crank spec file versions
- (djm) Release 3.6.1p1
- (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2003/03/26 04:02:51
one last fix to the tree: race fix broke stuff; pr 3169;
srp@srparish.net, help from djm
- (djm) Fix getpeerid support for 64 bit BE systems. From
Arnd Bergmann <arndb@de.ibm.com>
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/03/23 19:02:00
unbreak rekeying for privsep; ok millert@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au