- (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
be used to drop privilege to; fixes Solaris GSSAPI crash reported by
Magnus Abrante; suggestion and feedback dtucker@
NB. this change will require that the privilege separation user must
exist all the time, not just when UsePrivilegeSeparation=yes
- (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6
- (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov.
- (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP.
- (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native
updwtmp seems to generate invalid wtmp entries. From Roger Cornelius,
- (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for
declaration of writev(2) and declare it ourselves if necessary. Makes
the atomiciov() calls build on really old systems. ok djm@
- (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.
- (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
for hton* and ntoh* macros. Required on (at least) HP-UX since we define
_XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com.
- (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
[auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
[auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
[cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
[dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
[md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
[scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
[ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
[sshconnect1.c sshconnect2.c sshd.c]
[openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
[openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
[openbsd-compat/port-uw.c]
Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
compile problems reported by rac AT tenzing.org
- (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
[openbsd-compat/rresvport.c] Some more headers: netinet/in.h
sys/socket.h and unistd.h in various places
- (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implicit declaration
warnings for binary_open and binary_close. Patch from Corinna Vinschen.
- (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
test for GLOB_NOMATCH and use our glob functions if it's not found.
Stops sftp from segfaulting when attempting to get a nonexistent file on
Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
from and tested by Corinna Vinschen.
- (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank
- (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
[platform.c platform.h sshd.c openbsd-compat/Makefile.in]
[openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
[openbsd-compat/port-solaris.h] Add support for Solaris process
contracts, enabled with --use-solaris-contracts. Patch from Chad
Mynhier, tweaked by dtucker@ and myself; ok dtucker@
- (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege
while setting up the ssh service account. Patch from Corinna Vinschen.
- (djm) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/08/21 08:14:01
Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
- dtucker@cvs.openbsd.org 2006/08/21 08:15:57
Add more detail about what permissions are and aren't accepted for
authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
- djm@cvs.openbsd.org 2006/08/29 10:40:19
[channels.c session.c]
normalise some inconsistent (but harmless) NULL pointer checks
spotted by the Stanford SATURN tool, via Isil Dillig;
- dtucker@cvs.openbsd.org 2006/08/29 12:02:30
Work around a problem in Heimdal that occurs when KRB5CCNAME file is
missing, by checking whether or not kerberos allocated us a context
before attempting to free it. Patch from Simon Wilkinson, tested by
- dtucker@cvs.openbsd.org 2006/08/30 00:06:51
Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
where previously it wasn't. bz #1221, found by Dean Kopesky, ok djm@
- djm@cvs.openbsd.org 2006/08/30 00:14:37
- (djm) [openbsd-compat/xcrypt.c] needs unistd.h
- (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
loginsuccess on AIX immediately after authentication to clear the failed
login count. Previously this would only happen when an interactive
session starts (ie when a pty is allocated) but this means that accounts
that have primarily non-interactive sessions (eg scp's) may gradually
accumulate enough failures to lock out an account. This change may have
a side effect of creating two audit records, one with a tty of "ssh"
corresponding to the authentication and one with the allocated pty per
- (dtucker) [openbsd-compat/basename.c] Include errno.h.
- (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on
- (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)
- (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).
- (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.
- (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent
unused variable warning when we have a broken or missing mmap(2).
- (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in
Makefile. Patch from santhi.amirta at gmail, ok djm.
- (dtucker) [log.c] Move ifdef to prevent unused variable warning.
- (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore
afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl.
- (dtucker) [configure.ac] Relocate --with-pam parts in preparation for
fixing bug #1181. No changes yet.
- (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL
(0.9.8a and presumably newer) requires -ldl to successfully link.
- (dtucker) [configure.ac] Remove errant "-".
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2006/08/18 22:41:29
GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
- (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a
single rule for the test progs.
- (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with
closefrom.c from sudo.
- (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.
- (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.
- (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the
test progs instead; they work better than what we have.
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2006/08/06 01:13:32
[compress.c monitor.c monitor_wrap.c]
"zlib.h" can be <zlib.h>; ok djm@ markus@
- miod@cvs.openbsd.org 2006/08/12 20:46:46
[monitor.c monitor_wrap.c]
Revert previous include file ordering change, for ssh to compile under
gcc2 (or until openssl include files are cleaned of parameter names
in function prototypes)
- dtucker@cvs.openbsd.org 2006/08/14 12:40:25
[servconf.c servconf.h sshd_config.5]
Add ability to match groups to Match keyword in sshd_config. Feedback
djm@, stevesk@, ok stevesk@.
- djm@cvs.openbsd.org 2006/08/16 11:47:15
factor inetd connection, TCP listen and main TCP accept loop out of
main() into separate functions to improve readability; ok markus@
- deraadt@cvs.openbsd.org 2006/08/18 09:13:26
make signal handler termination path shorter; risky code pointed out by
mark dowd; ok djm markus
- markus@cvs.openbsd.org 2006/08/18 09:15:20
[auth.h session.c sshd.c]
delay authentication related cleanups until we're authenticated and
all alarms have been cancelled; ok deraadt
- djm@cvs.openbsd.org 2006/08/18 10:27:16
reorder so prototypes are sorted by the files they refer to; no
- djm@cvs.openbsd.org 2006/08/18 13:54:54
[gss-genr.c ssh-gss.h sshconnect2.c]
bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
- djm@cvs.openbsd.org 2006/08/18 14:40:34
[gss-genr.c ssh-gss.h]
constify host argument to match the rest of the GSSAPI functions and
unbreak compilation with -Werror
- (djm) Disable sigdie() for platforms that cannot safely syslog inside
a signal handler (basically all of them, excepting OpenBSD);
- (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
Include stdlib.h for malloc and friends.
- (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl
for closefrom() on AIX. Pointed out by William Ahern.
- (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress
test for closefrom() in compat code.
- (djm) [audit-bsm.c] Sprinkle in some headers
- (dtucker) [LICENCE] Add Reyk to the list for the compat dir.
- (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings
- (dtucker) [defines.h] With the includes.h changes we no longer get the
name clash on "YES" so we can remove the workaround for it.
- (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,
glob.c}] Include stdlib.h for malloc and friends in compat code.
- (djm) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2006/07/24 13:58:22
disable tunnel forwarding when no strict host key checking
and key changed; ok djm@ markus@ dtucker@
- stevesk@cvs.openbsd.org 2006/07/25 02:01:34
need #include <string.h>
- stevesk@cvs.openbsd.org 2006/07/25 02:59:21
[channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c]
[sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c]
move #include <sys/time.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/26 02:35:17
[atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
[groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
[packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
[sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
[uidswap.c xmalloc.c]
move #include <sys/param.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/26 13:57:17
[authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
[hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
[scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
[sshconnect1.c sshd.c xmalloc.c]
move #include <stdlib.h> out of includes.h
- jmc@cvs.openbsd.org 2006/07/27 08:00:50
avoid confusing wording in HashKnownHosts:
originally spotted by alan amesbury;
- jmc@cvs.openbsd.org 2006/07/27 08:00:50
avoid confusing wording in HashKnownHosts:
originally spotted by alan amesbury;
- dtucker@cvs.openbsd.org 2006/08/01 11:34:36
Allow fallback to known_hosts entries without port qualifiers for
non-standard ports too, so that all existing known_hosts entries will be
recognised. Requested by, feedback and ok markus@
- stevesk@cvs.openbsd.org 2006/08/01 23:22:48
[auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
[auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
[channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
[kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
[monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
[servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
[sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
[uuencode.h xmalloc.c]
move #include <stdio.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/08/01 23:36:12
[authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c]
- deraadt@cvs.openbsd.org 2006/08/03 03:34:42
[OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
[auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
[auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
[auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
[buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
[cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
[compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
[groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
[kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
[key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
[monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
[monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
[readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
[serverloop.c session.c session.h sftp-client.c sftp-common.c]
[sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
[ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
[ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
[uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
[loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step
NB. portable commit contains everything *except* removing includes.h, as
that will take a fair bit more work as we move headers that are required
for portability workarounds to defines.h. (also, this step wasn't "easy")
- stevesk@cvs.openbsd.org 2006/08/04 20:46:05
[monitor.c session.c ssh-agent.c]
- (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c
- (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
remove last traces of bufaux.h - it was merged into buffer.h in the big
- (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec
- (djm) [openbsd-compat/regress/snprintftest.c]
[openbsd-compat/regress/strduptest.c] Add missing includes so they pass
compilation with "-Wall -Werror"
- (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
[openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
includes for Linux in
- (dtucker) [cleanup.c] Need defines.h for __dead.
- (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.
- (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of
#include stdarg.h, needed for log.h.
- (dtucker) [entropy.c] Needs unistd.h too.
- (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h.
- (dtucker) [openbsd-compat/getrrsetbyname.c] Needs stdlib.h for malloc.
- (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,
otherwise it is implicitly declared as returning an int.
- (dtucker) OpenBSD CVS Sync
- dtucker@cvs.openbsd.org 2006/08/05 07:52:52
[auth2-none.c sshd.c monitor_wrap.c]
Add headers required to build with KERBEROS5=no. ok djm@
- dtucker@cvs.openbsd.org 2006/08/05 08:00:33
Add headers required to build with -DSKEY. ok djm@
- dtucker@cvs.openbsd.org 2006/08/05 08:28:24
[monitor_wrap.c auth-skey.c auth2-chall.c]
Zap unused variables in -DSKEY code. ok djm@
- dtucker@cvs.openbsd.org 2006/08/05 08:34:04
- (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile
- (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.
- (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h.
- (dtucker) [audit.c audit.h] Repair headers.
- (dtucker) [audit-bsm.c] Add additional headers now required.
- (dtucker) [configure.ac] The "crippled AES" test does not work on recent
versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
rather than just compiling it. Spotted by dlg@.
- (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.
- (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDWR.
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2006/07/12 13:39:55
- new sentence, new line
- stevesk@cvs.openbsd.org 2006/07/12 22:28:52
[auth-options.c canohost.c channels.c includes.h readconf.c]
[servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
move #include <netdb.h> out of includes.h; ok djm@
- stevesk@cvs.openbsd.org 2006/07/12 22:42:32
[includes.h ssh.c ssh-rand-helper.c]
move #include <stddef.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/14 01:15:28
don't need incompletely-typed 'struct passwd' now with
#include <pwd.h>; ok markus@
- stevesk@cvs.openbsd.org 2006/07/17 01:31:10
[authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
[includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
[readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
[sshconnect.c sshlogin.c sshpty.c uidswap.c]
move #include <unistd.h> out of includes.h
- dtucker@cvs.openbsd.org 2006/07/17 12:02:24
Use '\0' rather than 0 to terminate strings; ok djm@
- dtucker@cvs.openbsd.org 2006/07/17 12:06:00
[channels.c channels.h servconf.c sshd_config.5]
Add PermitOpen directive to sshd_config which is equivalent to the
"permitopen" key option. Allows server admin to allow TCP port
forwarding only to specific host/port pairs. Useful when combined
If permitopen is used in both sshd_config and a key option, both
must allow a given connection before it will be permitted.
Note that users can still use external forwarders such as netcat,
so those must be controlled too for the limits to be effective.
Feedback & ok djm@, man page corrections & ok jmc@.
- jmc@cvs.openbsd.org 2006/07/18 07:50:40
- jmc@cvs.openbsd.org 2006/07/18 07:56:28
replace DIAGNOSTICS with .Ex;
- jmc@cvs.openbsd.org 2006/07/18 08:03:09
[ssh-agent.1 sshd_config.5]
mark up angle brackets;
- dtucker@cvs.openbsd.org 2006/07/18 08:22:23
Clarify description of Match, with minor correction from jmc@
- stevesk@cvs.openbsd.org 2006/07/18 22:27:55
remove unneeded includes; ok djm@
- dtucker@cvs.openbsd.org 2006/07/19 08:56:41
[servconf.c sshd_config.5]
Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
- dtucker@cvs.openbsd.org 2006/07/19 13:07:10
[servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
Add ForceCommand keyword to sshd_config, equivalent to the "command="
key option, man page entry and example in sshd_config.
Feedback & ok djm@, man page corrections & ok jmc@
- stevesk@cvs.openbsd.org 2006/07/20 15:26:15
[auth1.c serverloop.c session.c sshconnect2.c]
missed some needed #include <unistd.h> when KERBEROS5=no; issue from
- dtucker@cvs.openbsd.org 2006/07/21 12:43:36
[channels.c channels.h servconf.c servconf.h sshd_config.5]
Make PermitOpen take a list of permitted ports and act more like most
other keywords (ie the first match is the effective setting). This
also makes it easier to override a previously set PermitOpen. ok djm@
- stevesk@cvs.openbsd.org 2006/07/21 21:13:30
more ARGSUSED (lint) for dispatch table-driven functions; ok djm@
- stevesk@cvs.openbsd.org 2006/07/21 21:26:55
ARGSUSED for signal handler
- stevesk@cvs.openbsd.org 2006/07/22 19:08:54
[includes.h moduli.c progressmeter.c scp.c sftp-common.c]
[sftp-server.c ssh-agent.c sshlogin.c]
move #include <time.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/22 20:48:23
[atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
[auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
[authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
[cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
[compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
[includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
[mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
[monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
[progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
[session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
[ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
[ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
[sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
move #include <string.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/23 01:11:05
[auth.h dispatch.c kex.h sftp-client.c]
#include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
- (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
[canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
[gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
[servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
[ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
[openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
[openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
[openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
[openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
[openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
make the portable tree compile again - sprinkle unistd.h and string.h
back in. Don't redefine __unused, as it turned out to be used in
headers on Linux, and replace its use in auth-pam.c with ARGSUSED
- (djm) [openbsd-compat/glob.c]
Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles
on OpenBSD (or other platforms with a decent glob implementation) with
Add resolv.h, as it contains the prototypes for __b64_ntop/__b64_pton on
fix compile error with -Werror -Wall: 'path' is only used in
do_setup_env() if HAVE_LOGIN_CAP is not defined
- (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c]
[openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c]
[openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c]
[openbsd-compat/port-aix.c openbsd-compat/port-irix.c]
[openbsd-compat/rresvport.c]
These look to need string.h and/or unistd.h (based on a grep for function
- (djm) [Makefile.in]
Remove generated openbsd-compat/regress/Makefile in distclean target
- (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
[regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
Sync regress tests to -current; include dtucker@'s new cfgmatch and
forcecommand tests. Add cipher-speed.sh test (not linked in yet)
- (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including
system headers before defines.h will cause conflicting definitions.
- (dtucker) [regress/forcecommand.sh] Portablize.
- (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
- (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and
O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old
Linuxes and probably more.
- (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h>
- (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before
- (dtucker) OpenBSD CVS Sync
- stevesk@cvs.openbsd.org 2006/07/10 16:01:57
[sftp-glob.c sftp-common.h sftp.c]
buffer.h only needed in sftp-common.h and remove some unneeded
user includes; ok djm@
- jmc@cvs.openbsd.org 2006/07/10 16:04:21
- stevesk@cvs.openbsd.org 2006/07/10 16:37:36
[readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c
auth.c packet.c log.c]
move #include <stdarg.h> out of includes.h; ok markus@
- dtucker@cvs.openbsd.org 2006/07/11 10:12:07
Only copy the part of environment variable that we actually use. Prevents
ssh bailing when SendEnv is used and an environment variable with a really
long value exists. ok djm@
- markus@cvs.openbsd.org 2006/07/11 18:50:48
[clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
channels.h readconf.c]
add ExitOnForwardFailure: terminate the connection if ssh(1)
cannot set up all requested dynamic, local, and remote port
forwardings. ok djm, dtucker, stevesk, jmc
- stevesk@cvs.openbsd.org 2006/07/11 20:07:25
[scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
move #include <errno.h> out of includes.h; ok markus@
- stevesk@cvs.openbsd.org 2006/07/11 20:16:43
cast asterisk field precision argument to int to remove warning;
- stevesk@cvs.openbsd.org 2006/07/11 20:27:56
need <errno.h> here also (it's also included in <openssl/err.h>)
- dtucker@cvs.openbsd.org 2006/07/12 11:34:58
[sshd.c servconf.h servconf.c sshd_config.5 auth.c]
Add support for conditional directives to sshd_config via a "Match"
keyword, which works similarly to the "Host" directive in ssh_config.
Lines after a Match line override the default set in the main section
if the condition on the Match line is true, eg
AllowTcpForwarding yes
AllowTcpForwarding no
will allow port forwarding by all users except "anoncvs".
Currently only a very small subset of directives are supported.
- (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c
openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c
openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>.
- (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h.
- (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too.
- (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h.
- (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c
openbsd-compat/rresvport.c] More errno.h.
- (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
include paths.h. Fixes build error on Solaris.
- (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably
- (dtucker) [INSTALL] New autoconf version: 2.60.
- djm@cvs.openbsd.org 2006/06/14 10:50:42
limit the number of pre-banner characters we will accept; ok markus@
- djm@cvs.openbsd.org 2006/06/26 10:36:15
mention optional bind_address in runtime port forwarding setup
command-line help. patch from santhi.amirta AT gmail.com
- stevesk@cvs.openbsd.org 2006/07/02 17:12:58
[ssh.1 ssh.c ssh_config.5 sshd_config.5]
more details and clarity for tun(4) device forwarding; ok and help
- stevesk@cvs.openbsd.org 2006/07/02 18:36:47
[gss-serv-krb5.c gss-serv.c]
no "servconf.h" needed here
(gss-serv-krb5.c change not applied, portable needs the server options)
- stevesk@cvs.openbsd.org 2006/07/02 22:45:59
[groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
move #include <grp.h> out of includes.h
(portable needed uidswap.c too)
- stevesk@cvs.openbsd.org 2006/07/02 23:01:55
use -KR[bind_address:]port here; ok djm@
- stevesk@cvs.openbsd.org 2006/07/03 08:54:20
[includes.h ssh.c sshconnect.c sshd.c]
move #include "version.h" out of includes.h; ok markus@
- stevesk@cvs.openbsd.org 2006/07/03 17:59:32
[channels.c includes.h]
move #include <arpa/inet.h> out of includes.h; old ok djm@
(portable needed session.c too)
- stevesk@cvs.openbsd.org 2006/07/05 02:42:09
[canohost.c hostfile.c includes.h misc.c packet.c readconf.c]
[serverloop.c sshconnect.c uuencode.c]
move #include <netinet/in.h> out of includes.h; ok deraadt@
(also ssh-rand-helper.c logintest.c loginrec.c)
- djm@cvs.openbsd.org 2006/07/06 10:47:05
[servconf.c servconf.h session.c sshd_config.5]
support arguments to Subsystem commands; ok markus@
- djm@cvs.openbsd.org 2006/07/06 10:47:57
[sftp-server.8 sftp-server.c]
add commandline options to enable logging of transactions; ok markus@
- stevesk@cvs.openbsd.org 2006/07/06 16:03:53
[auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
[auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
[auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
[monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
[session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
[ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
move #include <pwd.h> out of includes.h; ok markus@
- stevesk@cvs.openbsd.org 2006/07/06 16:22:39
move #include "dns.h" up
- stevesk@cvs.openbsd.org 2006/07/06 17:36:37
- stevesk@cvs.openbsd.org 2006/07/08 21:47:12
[authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
[monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
[ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
move #include <sys/socket.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/08 21:48:53
[monitor.c session.c]
missed these from last commit:
move #include <sys/socket.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/08 23:30:06
move user includes after /usr/include files
- stevesk@cvs.openbsd.org 2006/07/09 15:15:11
[auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
[readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
[ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
[sshlogin.c sshpty.c]
move #include <fcntl.h> out of includes.h
- stevesk@cvs.openbsd.org 2006/07/09 15:27:59
use O_RDONLY vs. 0 in open(); no binary change
- djm@cvs.openbsd.org 2006/07/10 11:24:54
remove optind - it isn't used here
- djm@cvs.openbsd.org 2006/07/10 11:25:53
don't log variables that aren't yet set
654 - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]
655 [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h]
656 [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
657 [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
659 - djm@cvs.openbsd.org 2006/07/10 12:03:20
661 duplicate argv at the start of main() because it gets modified later;
662 pointed out by deraadt@ ok markus@
663 - djm@cvs.openbsd.org 2006/07/10 12:08:08
665 fix misparsing of SOCKS 5 packets that could result in a crash;
666 reported by mk@ ok markus@
667 - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
668 [misc.c misc.h sshd.8 sshconnect.c]
669 Add port identifier to known_hosts for non-default ports, based originally
670 on a patch from Devin Nate in bz#910.
671 For any connection using the default port or using a HostKeyAlias the
672 format is unchanged, otherwise the host name or address is enclosed
673 within square brackets in the same format as sshd's ListenAddress.
674 Tested by many, ok markus@.
675 - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h>
676 for struct sockaddr on platforms that use the fake-rfc stuff.
679 - (dtucker) [configure.ac] Try AIX blibpath test in different order when
680 compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
681 configure would not select the correct libpath linker flags.
682 - (dtucker) [INSTALL] A bit more info on autoconf.
685 - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the
686 target already exists.
689 - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf
690 declaration too. Patch from russ at sludge.net.
691 - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it,
692 prevents warnings on platforms where _res is in the system headers.
693 - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which
697 - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems
698 with autoconf 2.60. Patch from vapier at gentoo.org.
701 - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys
702 only, otherwise sshd can hang exiting non-interactive sessions.
705 - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
706 Works around limitation in Solaris' passwd program for changing passwords
707 where the username is longer than 8 characters. ok djm@
708 - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug
712 - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
713 tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch
714 from reyk@, tested by anil@
715 - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
716 4.3.3 ML3 or so, the AIX pty layer started passing zero-length writes
717 on the pty slave as zero-length reads on the pty master, which sshd
718 interprets as the descriptor closing. Since most things don't do zero
719 length writes this rarely matters, but occasionally it happens, and when
720 it does the SSH pty session appears to hang, so we add a special case for
721 this condition. ok djm@
724 - (djm) [getput.h] This file has been replaced by functions in misc.c
726 - djm@cvs.openbsd.org 2006/05/08 10:49:48
728 uint32_t -> u_int32_t (which we use everywhere else)
729 (Id sync only - portable already had this)
730 - markus@cvs.openbsd.org 2006/05/16 09:00:00
732 missing free; from Kylene Hall
733 - markus@cvs.openbsd.org 2006/05/17 12:43:34
734 [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
735 fix leak; coverity via Kylene Jo Hall
736 - miod@cvs.openbsd.org 2006/05/18 21:27:25
738 paramter -> parameter
739 - dtucker@cvs.openbsd.org 2006/05/29 12:54:08
741 Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
742 - dtucker@cvs.openbsd.org 2006/05/29 12:56:33
744 Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in
745 sample ssh_config. ok markus@
746 - jmc@cvs.openbsd.org 2006/05/29 16:10:03
748 oops - previous was too long; split the list of auths up
749 - mk@cvs.openbsd.org 2006/05/30 11:46:38
751 Sync usage() with man page and reality.
753 - jmc@cvs.openbsd.org 2006/05/29 16:13:23
755 add GSSAPI to the list of authentication methods supported;
756 - mk@cvs.openbsd.org 2006/05/30 11:46:38
758 Sync usage() with man page and reality.
760 - markus@cvs.openbsd.org 2006/06/01 09:21:48
762 call get_remote_ipaddr() early; fixes logging after client disconnects;
763 report mpf@; ok dtucker@
764 - markus@cvs.openbsd.org 2006/06/06 10:20:20
765 [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
766 replace remaining setuid() calls with permanently_set_uid() and
767 check seteuid() return values; report Marcus Meissner; ok dtucker djm
768 - markus@cvs.openbsd.org 2006/06/08 14:45:49
769 [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
770 do not set the gid, noted by solar; ok djm
771 - djm@cvs.openbsd.org 2006/06/13 01:18:36
773 always use a format string, even when printing a constant
774 - djm@cvs.openbsd.org 2006/06/13 02:17:07
776 revert; i am on drugs. spotted by alexander AT beard.se
779 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
780 and slave, we can remove the special-case handling in the audit hook in
784 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
785 pointer leak. From kjhall at us.ibm.com, found by coverity.
788 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
789 _res, prevents problems on some platforms that have _res as a global but
790 don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
791 georg.schwarz at freenet.de, ok djm@.
792 - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
793 default. Patch originally from tim@, ok djm
794 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
795 do not allow kbdint again after the PAM account check fails. ok djm@
798 - (dtucker) OpenBSD CVS Sync
799 - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
800 [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
801 Prevent ssh from trying to open private keys with bad permissions more than
802 once or prompting for their passphrases (which it subsequently ignores
803 anyway), similar to a previous change in ssh-add. bz #1186, ok djm@
804 - djm@cvs.openbsd.org 2006/05/04 14:55:23
806 tighter DH exponent checks here too; feedback and ok markus@
807 - djm@cvs.openbsd.org 2006/04/01 05:37:46
809 $OpenBSD$ in here too
810 - dtucker@cvs.openbsd.org 2006/05/06 08:35:40
812 Add $OpenBSD$ in comment here too
815 - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
816 session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
817 openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
818 in Portable-only code; since calloc zeros, remove now-redundant memsets.
819 Also add a couple of sanity checks. With & ok djm@
822 - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h
823 and double including it on IRIX 5.3 causes problems. From Georg Schwarz,
827 - (djm) OpenBSD CVS Sync
828 - deraadt@cvs.openbsd.org 2006/04/01 05:42:20
830 minimal lint cleanup (unused crud, and some size_t); ok djm
831 - djm@cvs.openbsd.org 2006/04/01 05:50:29
833 xasprintification; ok deraadt@
834 - djm@cvs.openbsd.org 2006/04/01 05:51:34
836 ANSIfy; requested deraadt@
837 - dtucker@cvs.openbsd.org 2006/04/02 08:34:52
839 sessionid can be 32 bytes now too when sha256 kex is used; ok djm@
840 - djm@cvs.openbsd.org 2006/04/03 07:10:38
842 GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
843 by dleonard AT vintela.com. use xasprintf() to simplify code while in
844 there; "looks right" deraadt@
845 - djm@cvs.openbsd.org 2006/04/16 00:48:52
846 [buffer.c buffer.h channels.c]
847 Fix condition where we could exit with a fatal error when an input
848 buffer became too large and the remote end had advertised a big window.
849 The problem was a mismatch in the backoff math between the channels code
850 and the buffer code, so make a buffer_check_alloc() function that the
851 channels code can use to prospectively check whether an incremental
852 allocation will succeed. bz #1131, debugged with the assistance of
853 cove AT wildpackets.com; ok dtucker@ deraadt@
854 - djm@cvs.openbsd.org 2006/04/16 00:52:55
855 [atomicio.c atomicio.h]
856 introduce atomiciov() function that wraps readv/writev to retry
857 interrupted transfers like atomicio() does for read/write;
858 feedback deraadt@ dtucker@ stevesk@ ok deraadt@
859 - djm@cvs.openbsd.org 2006/04/16 00:54:10
861 avoid making a tiny 4-byte write to send the packet length of sftp
862 commands, which would result in a separate tiny packet on the wire by
863 using atomiciov(writev, ...) to write the length and the command in one
865 - djm@cvs.openbsd.org 2006/04/16 07:59:00
867 reorder sanity test so that it cannot dereference past the end of the
868 iov array; well spotted canacar@!
869 - dtucker@cvs.openbsd.org 2006/04/18 10:44:28
870 [bufaux.c bufbn.c Makefile.in]
871 Move Buffer bignum functions into their own file, bufbn.c. This means
872 that sftp and sftp-server (which use the Buffer functions in bufaux.c
873 but not the bignum ones) no longer need to be linked with libcrypto.
875 - djm@cvs.openbsd.org 2006/04/20 09:27:09
876 [auth.h clientloop.c dispatch.c dispatch.h kex.h]
877 replace the last non-sig_atomic_t flag used in a signal handler with a
878 sig_atomic_t, unfortunately with some knock-on effects in other (non-
879 signal) contexts in which it is used; ok markus@
880 - markus@cvs.openbsd.org 2006/04/20 09:47:59
883 - djm@cvs.openbsd.org 2006/04/20 21:53:44
884 [includes.h session.c sftp.c]
885 Switch from using pipes to socketpairs for communication between
886 sftp/scp and ssh, and between sshd and its subprocesses. This saves
887 a file descriptor per session and apparently makes userland ppp over
888 ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this
889 decision on a per-platform basis)
890 - djm@cvs.openbsd.org 2006/04/22 04:06:51
892 use setres[ug]id() to permanently revoke privileges; ok deraadt@
893 (ID Sync only - portable already uses setres[ug]id() whenever possible)
894 - stevesk@cvs.openbsd.org 2006/04/22 18:29:33
897 - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get
901 - (djm) [Makefile.in configure.ac session.c sshpty.c]
902 [contrib/redhat/sshd.init openbsd-compat/Makefile.in]
903 [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
904 [openbsd-compat/port-linux.h] Add support for SELinux, setting
905 the execution and TTY contexts. based on patch from Daniel Walsh,
909 - (djm) [canohost.c] Reorder IP options check so that it isn't broken
910 by mapped addresses; bz #1179 reported by markw wtech-llc.com;
915 - deraadt@cvs.openbsd.org 2006/03/27 01:21:18
917 we can do the size & nmemb check before the integer overflow check;
919 - deraadt@cvs.openbsd.org 2006/03/27 13:03:54
921 use strtonum() instead of atoi(), limit dhg size to 64k; ok djm
922 - djm@cvs.openbsd.org 2006/03/27 23:15:46
924 always use a format string for addargs; spotted by mouring@
925 - deraadt@cvs.openbsd.org 2006/03/28 00:12:31
928 - deraadt@cvs.openbsd.org 2006/03/28 01:52:28
930 do not accept unreasonable X port numbers; ok djm
931 - deraadt@cvs.openbsd.org 2006/03/28 01:53:43
933 use strtonum() to parse the pid from the file, and range check it
935 - djm@cvs.openbsd.org 2006/03/30 09:41:25
937 ARGSUSED for dispatch table-driven functions
938 - djm@cvs.openbsd.org 2006/03/30 09:58:16
939 [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h]
940 [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c]
941 replace {GET,PUT}_XXBIT macros with functionally similar functions,
942 silencing a heap of lint warnings. also allows them to use
943 __bounded__ checking which can't be applied to macros; requested
944 by and feedback from deraadt@
945 - djm@cvs.openbsd.org 2006/03/30 10:41:25
947 add percent escape chars to the IdentityFile option, bz #1159 based
948 on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
949 - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
951 Correctly handle truncated files while converting keys; ok djm@
952 - dtucker@cvs.openbsd.org 2006/03/30 11:40:21
954 Prevent duplicate log messages when privsep=yes; ok djm@
955 - jmc@cvs.openbsd.org 2006/03/31 09:09:30
957 kill trailing whitespace;
958 - djm@cvs.openbsd.org 2006/03/31 09:13:56
960 remote user escape is %r not %h; spotted by jmc@
964 - jakob@cvs.openbsd.org 2006/03/15 08:46:44
966 if no key files are given when printing the DNS host record, use the
967 host key file(s) as default. ok djm@
968 - biorn@cvs.openbsd.org 2006/03/16 10:31:45
970 Try to display error message even if remout == -1
972 - djm@cvs.openbsd.org 2006/03/17 22:31:50
974 another unreachable found by lint
975 - djm@cvs.openbsd.org 2006/03/17 22:31:11
977 unreachable statement, found by lint
978 - djm@cvs.openbsd.org 2006/03/19 02:22:32
980 memory leaks detected by Coverity via elad AT netbsd.org;
982 - djm@cvs.openbsd.org 2006/03/19 02:22:56
984 more memory leaks detected by Coverity via elad AT netbsd.org;
986 - djm@cvs.openbsd.org 2006/03/19 02:23:26
988 FILE* leak detected by Coverity via elad AT netbsd.org;
990 - djm@cvs.openbsd.org 2006/03/19 02:24:05
991 [dh.c readconf.c servconf.c]
992 potential NULL pointer dereferences detected by Coverity
993 via elad AT netbsd.org; ok deraadt@
994 - djm@cvs.openbsd.org 2006/03/19 07:41:30
996 memory leaks detected by Coverity via elad AT netbsd.org;
998 - dtucker@cvs.openbsd.org 2006/03/19 11:51:52
1000 Correct strdelim null test; ok djm@
1001 - deraadt@cvs.openbsd.org 2006/03/19 18:52:11
1002 [auth1.c authfd.c channels.c]
1004 - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
1005 [kex.c kex.h monitor.c myproposal.h session.c]
1007 - deraadt@cvs.openbsd.org 2006/03/19 18:56:41
1008 [clientloop.c progressmeter.c serverloop.c sshd.c]
1009 ARGSUSED for signal handlers
1010 - deraadt@cvs.openbsd.org 2006/03/19 18:59:49
1013 - deraadt@cvs.openbsd.org 2006/03/19 18:59:30
1016 - deraadt@cvs.openbsd.org 2006/03/19 18:59:09
1018 whoever thought that break after return was a good idea needs to
1019 get their head examined
1020 - djm@cvs.openbsd.org 2006/03/20 04:09:44
1022 memory leaks detected by Coverity via elad AT netbsd.org;
1024 that should be all of them now
1025 - djm@cvs.openbsd.org 2006/03/20 11:38:46
1027 (really) last of the Coverity diffs: avoid possible NULL deref in
1028 key_free. via elad AT netbsd.org; markus@ ok
1029 - deraadt@cvs.openbsd.org 2006/03/20 17:10:19
1030 [auth.c key.c misc.c packet.c ssh-add.c]
1031 in a switch (), break after return or goto is stupid
1032 - deraadt@cvs.openbsd.org 2006/03/20 17:13:16
1035 - deraadt@cvs.openbsd.org 2006/03/20 17:17:23
1037 in a switch (), break after return or goto is stupid
1038 - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
1039 [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c]
1040 [ssh.c sshpty.c sshpty.h]
1041 sprinkle u_int throughout pty subsystem, ok markus
1042 - deraadt@cvs.openbsd.org 2006/03/20 18:17:20
1043 [auth1.c auth2.c sshd.c]
1044 sprinkle some ARGSUSED for table driven functions (which sometimes
1045 must ignore their args)
1046 - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
1047 [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c]
1048 [ssh-rsa.c ssh.c sshlogin.c]
1049 annoying spacing fixes getting in the way of real diffs
1050 - deraadt@cvs.openbsd.org 2006/03/20 18:27:50
1053 - deraadt@cvs.openbsd.org 2006/03/20 18:35:12
1055 x11_fake_data is only ever used as u_char *
1056 - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
1058 cast xstrdup to proper u_char *
1059 - deraadt@cvs.openbsd.org 2006/03/20 18:42:27
1060 [canohost.c match.c ssh.c sshconnect.c]
1061 be strict with tolower() casting
1062 - deraadt@cvs.openbsd.org 2006/03/20 18:48:34
1063 [channels.c fatal.c kex.c packet.c serverloop.c]
1065 - deraadt@cvs.openbsd.org 2006/03/20 21:11:53
1068 - djm@cvs.openbsd.org 2006/03/25 00:05:41
1069 [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c]
1070 [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
1071 [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
1072 [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
1073 [xmalloc.c xmalloc.h]
1074 introduce xcalloc() and xasprintf() failure-checked allocation
1075 functions and use them throughout openssh
1077 xcalloc is particularly important because malloc(nmemb * size) is a
1078 dangerous idiom (subject to integer overflow) and it is time for it
1081 feedback and ok deraadt@
1082 - djm@cvs.openbsd.org 2006/03/25 01:13:23
1083 [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
1084 [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
1086 change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
1087 to xrealloc(p, new_nmemb, new_itemsize).
1089 realloc is particularly prone to integer overflows because it is
1090 almost always allocating "n * size" bytes, so this is a far safer
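The two entries above (xcalloc() and the three-argument xrealloc()) both come down to checking the nmemb * size product before it reaches the allocator. The block below is an added illustration of that check, not OpenSSH's xmalloc.c: the names unchecked_request, mul_fits, checked_calloc and checked_realloc are hypothetical, the sample count is constructed, and the wrappers return NULL on refusal so the result can be inspected.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* What malloc(nmemb * size) actually asks for: the product is reduced
 * modulo SIZE_MAX + 1, so a huge element count can become a tiny request. */
size_t unchecked_request(size_t nmemb, size_t size)
{
	return nmemb * size;
}

/* Store nmemb * size in *total and return 1 if it fits in size_t, else 0. */
static int mul_fits(size_t nmemb, size_t size, size_t *total)
{
	if (size != 0 && nmemb > SIZE_MAX / size)
		return 0;
	*total = nmemb * size;
	return 1;
}

/* calloc-style wrapper (hypothetical name): refuses zero-sized and
 * overflowing requests, otherwise returns zeroed memory. */
void *checked_calloc(size_t nmemb, size_t size)
{
	size_t total;

	if (nmemb == 0 || size == 0 || !mul_fits(nmemb, size, &total))
		return NULL;
	return calloc(nmemb, size);
}

/* realloc taking (p, new_nmemb, new_itemsize), the argument shape the
 * changelog entry describes. On refusal the caller's buffer p is untouched
 * and still owned by the caller. */
void *checked_realloc(void *p, size_t new_nmemb, size_t new_itemsize)
{
	size_t total;

	if (new_nmemb == 0 || new_itemsize == 0 ||
	    !mul_fits(new_nmemb, new_itemsize, &total))
		return NULL;
	return realloc(p, total);
}

int main(void)
{
	/* Constructed hostile element count: times 16 it wraps to 16 bytes. */
	size_t nmemb = SIZE_MAX / 16 + 2;
	unsigned char *buf;

	printf("unchecked request: %zu bytes\n", unchecked_request(nmemb, 16));
	printf("checked_calloc:    %s\n",
	    checked_calloc(nmemb, 16) ? "allocated" : "refused");

	buf = checked_calloc(4, 16);
	if (buf == NULL)
		return 1;
	memset(buf, 0x41, 4 * 16);
	if (checked_realloc(buf, nmemb, 16) == NULL)
		printf("checked_realloc:   refused, original buffer kept\n");
	free(buf);
	return 0;
}
```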
1092 - djm@cvs.openbsd.org 2006/03/25 01:30:23
1094 "abormally" is a perfectly cromulent word, but "abnormally" is better
1095 - djm@cvs.openbsd.org 2006/03/25 13:17:03
1096 [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
1097 [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
1098 [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
1099 [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
1100 [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
1101 [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
1102 [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
1103 [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
1104 [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
1105 [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
1106 [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
1107 [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
1108 [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
1109 [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
1110 [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
1111 [uidswap.c uuencode.c xmalloc.c]
1112 Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
1113 Theo nuked - our scripts to sync -portable need them in the files
1114 - deraadt@cvs.openbsd.org 2006/03/25 18:29:35
1115 [auth-rsa.c authfd.c packet.c]
1116 needed casts (always will be needed)
1117 - deraadt@cvs.openbsd.org 2006/03/25 18:30:55
1118 [clientloop.c serverloop.c]
1120 - deraadt@cvs.openbsd.org 2006/03/25 18:36:15
1121 [sshlogin.c sshlogin.h]
1122 nicer size_t and time_t types
1123 - deraadt@cvs.openbsd.org 2006/03/25 18:40:14
1125 cast strtonum() result to right type
1126 - deraadt@cvs.openbsd.org 2006/03/25 18:41:45
1128 mark two more signal handlers ARGSUSED
1129 - deraadt@cvs.openbsd.org 2006/03/25 18:43:30
1131 use strtonum() instead of atoi() [limit X screens to 400, sorry]
1132 - deraadt@cvs.openbsd.org 2006/03/25 18:56:55
1133 [bufaux.c channels.c packet.c]
1134 remove (char *) casts to a function that accepts void * for the arg
1135 - deraadt@cvs.openbsd.org 2006/03/25 18:58:10
1137 delete cast not required
1138 - djm@cvs.openbsd.org 2006/03/25 22:22:43
1139 [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
1140 [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
1141 [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
1142 [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
1143 [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
1144 [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
1145 [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h]
1146 [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
1147 [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
1148 [ttymodes.h uidswap.h uuencode.h xmalloc.h]
1149 standardise spacing in $OpenBSD$ tags; requested by deraadt@
1150 - deraadt@cvs.openbsd.org 2006/03/26 01:31:48
1156 - djm@cvs.openbsd.org 2006/03/16 04:24:42
1158 Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs
1159 that OpenSSH supports
1160 - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
1161 [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
1162 [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
1163 [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
1164 [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
1165 [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
1166 [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
1167 [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
1168 [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
1169 [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
1170 [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
1171 [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
1172 [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
1173 [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
1174 [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
1175 [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
1176 [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
1177 [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
1178 [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
1179 [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
1180 [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
1181 [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
1182 [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
1183 [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
1185 - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
1186 [kex.h myproposal.h]
1188 - djm@cvs.openbsd.org 2006/03/20 04:07:22
1190 GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
1191 reviewed by simon AT sxw.org.uk; deraadt@ ok
1192 - djm@cvs.openbsd.org 2006/03/20 04:07:49
1194 more GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
1195 reviewed by simon AT sxw.org.uk; deraadt@ ok
1196 - djm@cvs.openbsd.org 2006/03/20 04:08:18
1198 last lot of GSSAPI related leaks detected by Coverity via
1199 elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
1200 - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
1201 [monitor_wrap.h sshpty.h]
1202 sprinkle u_int throughout pty subsystem, ok markus
1203 - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
1205 annoying spacing fixes getting in the way of real diffs
1206 - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
1208 cast xstrdup to proper u_char *
1209 - jakob@cvs.openbsd.org 2006/03/22 21:16:24
1211 simplify SSHFP example; ok jmc@
1212 - djm@cvs.openbsd.org 2006/03/22 21:27:15
1213 [deattack.c deattack.h]
1214 remove IV support from the CRC attack detector, OpenSSH has never used
1215 it - it only applied to IDEA-CFB, which we don't support.
1216 prompted by NetBSD Coverity report via elad AT netbsd.org;
1217 feedback markus@ "nuke it" deraadt@
1220 - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
1222 - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take
1223 a LLONG rather than a long. Fixes scp'ing of large files on platforms
1224 with missing/broken snprintfs. Patch from e.borovac at bom.gov.au.
1227 - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
1228 - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
1229 /usr/include/crypto. Hint from djm@.
1230 - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
1231 Disable sha256 when openssl < 0.9.7. Patch from djm@.
1232 - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old
1236 - (djm) OpenBSD CVS Sync:
1237 - msf@cvs.openbsd.org 2006/02/06 15:54:07
1241 - jmc@cvs.openbsd.org 2006/02/06 21:44:47
1243 make this a little less ambiguous...
1244 - stevesk@cvs.openbsd.org 2006/02/07 01:08:04
1245 [auth-rhosts.c includes.h]
1246 move #include <netgroup.h> out of includes.h; ok markus@
1247 - stevesk@cvs.openbsd.org 2006/02/07 01:18:09
1248 [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c]
1249 move #include <sys/queue.h> out of includes.h; ok markus@
1250 - stevesk@cvs.openbsd.org 2006/02/07 01:42:00
1251 [channels.c clientloop.c clientloop.h includes.h packet.h]
1252 [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c]
1253 move #include <termios.h> out of includes.h; ok markus@
1254 - stevesk@cvs.openbsd.org 2006/02/07 01:52:50
1257 - stevesk@cvs.openbsd.org 2006/02/07 03:47:05
1259 "packet.h" not needed
1260 - stevesk@cvs.openbsd.org 2006/02/07 03:59:20
1263 - stevesk@cvs.openbsd.org 2006/02/08 12:15:27
1264 [auth.c clientloop.c includes.h misc.c monitor.c readpass.c]
1265 [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c]
1267 move #include <paths.h> out of includes.h; ok markus@
1268 - stevesk@cvs.openbsd.org 2006/02/08 12:32:49
1270 move #include <netinet/tcp.h> out of includes.h; ok markus@
1271 - stevesk@cvs.openbsd.org 2006/02/08 13:15:44
1272 [gss-serv.c monitor.c]
1274 - stevesk@cvs.openbsd.org 2006/02/08 14:16:59
1276 <openssl/bn.h> not needed
1277 - stevesk@cvs.openbsd.org 2006/02/08 14:31:30
1278 [includes.h ssh-agent.c ssh-keyscan.c ssh.c]
1279 move #include <sys/resource.h> out of includes.h; ok markus@
1280 - stevesk@cvs.openbsd.org 2006/02/08 14:38:18
1281 [includes.h packet.c]
1282 move #include <netinet/in_systm.h> and <netinet/ip.h> out of
1283 includes.h; ok markus@
1284 - stevesk@cvs.openbsd.org 2006/02/08 23:51:24
1285 [includes.h scp.c sftp-glob.c sftp-server.c]
1286 move #include <dirent.h> out of includes.h; ok markus@
1287 - stevesk@cvs.openbsd.org 2006/02/09 00:32:07
1289 #include <sys/endian.h> not needed; ok djm@
1290 NB. ID Sync only - we still need this (but it may move later)
1291 - jmc@cvs.openbsd.org 2006/02/09 10:10:47
1293 - move some text into a CAVEATS section
1294 - merge the COMMAND EXECUTION... section into AUTHENTICATION
1295 - stevesk@cvs.openbsd.org 2006/02/10 00:27:13
1296 [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c]
1297 [ssh.c sshd.c sshpty.c]
1298 move #include <sys/ioctl.h> out of includes.h; ok markus@
1299 - stevesk@cvs.openbsd.org 2006/02/10 01:44:27
1300 [includes.h monitor.c readpass.c scp.c serverloop.c session.c]
1301 [sftp.c sshconnect.c sshconnect2.c sshd.c]
1302 move #include <sys/wait.h> out of includes.h; ok markus@
1303 - otto@cvs.openbsd.org 2006/02/11 19:31:18
1305 type correctness; from Ray Lai in PR 5011; ok millert@
1306 - djm@cvs.openbsd.org 2006/02/12 06:45:34
1307 [ssh.c ssh_config.5]
1308 add a %l expansion code to the ControlPath, which is filled in with the
1309 local hostname at runtime. Requested by henning@ to avoid some problems
1310 with /home on NFS; ok dtucker@
1311 - djm@cvs.openbsd.org 2006/02/12 10:44:18
1313 raise error when the user specifies a RekeyLimit that is smaller than 16
1314 (the smallest of our cipher's blocksize) or big enough to cause integer
1315 wraparound; ok & feedback dtucker@
1316 - jmc@cvs.openbsd.org 2006/02/12 10:49:44
1318 slight rewording; ok djm
1319 - jmc@cvs.openbsd.org 2006/02/12 10:52:41
1321 rework the description of authorized_keys a little;
1322 - jmc@cvs.openbsd.org 2006/02/12 17:57:19
1324 sort the list of options permissible w/ authorized_keys;
1326 - jmc@cvs.openbsd.org 2006/02/13 10:16:39
1328 no need to subsection the authorized_keys examples - instead, convert
1329 this to look like an actual file. also use proto 2 keys, and use IETF
1331 - jmc@cvs.openbsd.org 2006/02/13 10:21:25
1333 small tweaks for the ssh_known_hosts section;
1334 - jmc@cvs.openbsd.org 2006/02/13 11:02:26
1336 turn this into an example ssh_known_hosts file; ok djm
1337 - jmc@cvs.openbsd.org 2006/02/13 11:08:43
1339 - avoid nasty line split
1340 - `*' does not need to be escaped
1341 - jmc@cvs.openbsd.org 2006/02/13 11:27:25
1343 sort FILES and use a -compact list;
1344 - david@cvs.openbsd.org 2006/02/15 05:08:24
1346 typo in comment; ok djm@
1347 - jmc@cvs.openbsd.org 2006/02/15 16:53:20
1349 remove the IETF draft references and replace them with some updated RFCs;
1350 - jmc@cvs.openbsd.org 2006/02/15 16:55:33
1352 remove ietf draft references; RFC list now maintained in ssh.1;
1353 - jmc@cvs.openbsd.org 2006/02/16 09:05:34
1355 sync some of the FILES entries w/ ssh.1;
1356 - jmc@cvs.openbsd.org 2006/02/19 19:52:10
1358 move the sshrc stuff out of FILES, and into its own section:
1359 FILES is not a good place to document how stuff works;
1360 - jmc@cvs.openbsd.org 2006/02/19 20:02:17
1362 sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
1363 - jmc@cvs.openbsd.org 2006/02/19 20:05:00
1366 - jmc@cvs.openbsd.org 2006/02/19 20:12:25
1368 add some vertical space;
1369 - stevesk@cvs.openbsd.org 2006/02/20 16:36:15
1370 [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c]
1371 move #include <sys/un.h> out of includes.h; ok djm@
1372 - stevesk@cvs.openbsd.org 2006/02/20 17:02:44
1373 [clientloop.c includes.h monitor.c progressmeter.c scp.c]
1374 [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c]
1375 move #include <signal.h> out of includes.h; ok markus@
1376 - stevesk@cvs.openbsd.org 2006/02/20 17:19:54
1377 [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c]
1378 [authfile.c clientloop.c includes.h readconf.c scp.c session.c]
1379 [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c]
1380 [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c]
1381 [sshconnect2.c sshd.c sshpty.c]
1382 move #include <sys/stat.h> out of includes.h; ok markus@
1383 - stevesk@cvs.openbsd.org 2006/02/22 00:04:45
1384 [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c]
1386 move #include <ctype.h> out of includes.h; ok djm@
1387 - jmc@cvs.openbsd.org 2006/02/24 10:25:14
1389 add section on patterns;
1390 from dtucker + myself
1391 - jmc@cvs.openbsd.org 2006/02/24 10:33:54
1393 signpost to PATTERNS;
1394 - jmc@cvs.openbsd.org 2006/02/24 10:37:07
1396 tidy up the refs to PATTERNS;
1397 - jmc@cvs.openbsd.org 2006/02/24 10:39:52
1399 signpost to PATTERNS section;
1400 - jmc@cvs.openbsd.org 2006/02/24 20:22:16
1401 [ssh-keysign.8 ssh_config.5 sshd_config.5]
1402 some consistency fixes;
1403 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
1404 [ssh.1 ssh_config.5 sshd.8 sshd_config.5]
1405 more consistency fixes;
1406 - jmc@cvs.openbsd.org 2006/02/24 23:20:07
1408 some grammar/wording fixes;
1409 - jmc@cvs.openbsd.org 2006/02/24 23:43:57
1411 some grammar/wording fixes;
1412 - jmc@cvs.openbsd.org 2006/02/24 23:51:17
1414 oops - bits i missed;
1415 - jmc@cvs.openbsd.org 2006/02/25 12:26:17
1417 document the possible values for KbdInteractiveDevices;
1419 - jmc@cvs.openbsd.org 2006/02/25 12:28:34
1421 document the order in which allow/deny directives are processed;
1423 - jmc@cvs.openbsd.org 2006/02/26 17:17:18
1425 move PATTERNS to the end of the main body; requested by dtucker
1426 - jmc@cvs.openbsd.org 2006/02/26 18:01:13
1428 subsection is pointless here;
1429 - jmc@cvs.openbsd.org 2006/02/26 18:03:10
1432 - djm@cvs.openbsd.org 2006/02/28 01:10:21
1434 fix logout recording when privilege separation is disabled, analysis and
1435 patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@
1436 NB. ID sync only - patch already in portable
1437 - djm@cvs.openbsd.org 2006/03/04 04:12:58
1439 move a debug() outside of a signal handler; ok markus@ a little while back
1440 - djm@cvs.openbsd.org 2006/03/12 04:23:07
1443 - djm@cvs.openbsd.org 2006/03/13 08:16:00
1445 don't log that we are listening on a socket before the listen() call
1446 actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@
1447 - dtucker@cvs.openbsd.org 2006/03/13 08:33:00
1449 Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
1450 poor performance and protocol stalls under some network conditions (mindrot
1451 bugs #556 and #981). Patch originally from markus@, ok djm@
1452 - dtucker@cvs.openbsd.org 2006/03/13 08:43:16
1454 Make ssh-keygen handle CR and CRLF line termination when converting IETF
1455 format keys, in addition to vanilla LF. mindrot #1157, tested by Chris
1457 - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
1458 [misc.c ssh_config.5 sshd_config.5]
1459 Allow config directives to contain whitespace by surrounding them by double
1460 quotes. mindrot #482, man page help from jmc@, ok djm@
1461 - dtucker@cvs.openbsd.org 2006/03/13 10:26:52
1462 [authfile.c authfile.h ssh-add.c]
1463 Make ssh-add check file permissions before attempting to load private
1464 key files multiple times; it will fail anyway and this prevents confusing
1465 multiple prompts and warnings. mindrot #1138, ok djm@
1466 - djm@cvs.openbsd.org 2006/03/14 00:15:39
1468 log the originating address and not just the name when a reverse
1469 mapping check fails, requested by linux AT linuon.com
1470 - markus@cvs.openbsd.org 2006/03/14 16:32:48
1471 [ssh_config.5 sshd_config.5]
1472 *AliveCountMax applies to protocol v2 only; ok dtucker, djm
1473 - djm@cvs.openbsd.org 2006/03/07 09:07:40
1474 [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
1475 Implement the diffie-hellman-group-exchange-sha256 key exchange method
1476 using the SHA256 code in libc (and wrapper to make it into an OpenSSL
1477 EVP), interop tested against CVS PuTTY
1478 NB. no portability bits committed yet
1479 - (djm) [configure.ac defines.h kex.c md-sha256.c]
1480 [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h]
1481 [openbsd-compat/sha2.c] First stab at portability glue for SHA256
1482 KEX support, should work with libc SHA256 support or OpenSSL
1483 EVP_sha256 if present
1484 - (djm) [includes.h] Restore accidentally dropped netinet/in.h
1485 - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files
1486 - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present
1487 - (djm) [regress/.cvsignore] Ignore Makefile here
1488 - (djm) [loginrec.c] Need stat.h
1489 - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with
1491 - (djm) [ssh-rand-helper.c] Needs a bunch of headers
1492 - (djm) [ssh-agent.c] Restore dropped stat.h
1493 - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out
1494 SHA384, which we don't need and doesn't compile without tweaks
1495 - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
1496 [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
1497 [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
1498 [openbsd-compat/glob.c openbsd-compat/mktemp.c]
1499 [openbsd-compat/readpassphrase.c] Lots of include fixes for
1501 - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:"
1502 - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some
1503 includes removed from includes.h
1504 - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE
1505 - (djm) [includes.h] Put back paths.h, it is needed in defines.h
1506 - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs
1507 sys/ioctl.h for struct winsize.
1508 - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD.
1511 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
1512 since not all platforms support it. Instead, use internal equivalent while
1513 computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf*
1514 as it's no longer required. Tested by Bernhard Simon, ok djm@
1517 - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a
1518 file rather than directory, required as Cygwin will be importing lastlog(1).
1519 Also tightens up permissions on the file. Patch from vinschen@redhat.com.
1520 - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h
1521 includes. Patch from gentoo.riverrat at gmail.com.
1524 - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY
1525 patch from kraai at ftbfs.org.
1528 - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
1529 reality. Pointed out by tryponraj at gmail.com.
1532 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only
1533 compile in compat code if required.
1536 - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about
1537 redefinition of SSLeay_add_all_algorithms.
1540 - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
1541 Add optional enabling of OpenSSL's (hardware) Engine support, via
1542 configure --with-ssl-engine. Based in part on a diff by michal at
1546 - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/]
1547 Add first attempt at regress tests for compat library. ok djm@
1550 - (tim) [buildpkg.sh.in] Make the names consistent.
1551 s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@
1554 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned
1555 to silence compiler warning, from vinschen at redhat.com.
1556 - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX.
1557 - (dtucker) [README version.h contrib/caldera/openssh.spec
1558 contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version
1559 strings to match 4.3p2 release.
1562 - (tim) [session.c] Logout records were not updated on systems with
1563 post auth privsep disabled due to bug 1086 changes. Analysis and patch
1564 by vinschen at redhat.com. OK tim@, dtucker@.
1565 - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
1566 -> NEED_SETPGRP), reported by Bernhard Simon. ok tim@
1569 - (tim) [configure.ac] Remove unnecessary tests for net/if.h and
1570 netinet/in_systm.h. OK dtucker@.
1573 - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test
1574 for Solaris. OK dtucker@.
1575 - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by
1579 - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
1580 AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
1581 by a platform specific check, builtin standard includes tests will be
1582 skipped on the other platforms.
1583 Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
1587 - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it
1588 works with picky compilers. Patch from alex.kiernan at thus.net.
1591 - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
1592 determine the user's login name - needed for regress tests on Solaris
1594 - (djm) OpenBSD CVS Sync
1595 - jmc@cvs.openbsd.org 2006/02/01 09:06:50
1597 - merge sections on protocols 1 and 2 into a single section
1598 - remove configuration file section
1600 - jmc@cvs.openbsd.org 2006/02/01 09:11:41
1603 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
1604 [contrib/suse/openssh.spec] Update versions ahead of release
1605 - markus@cvs.openbsd.org 2006/02/01 11:27:22
1608 - (djm) Release OpenSSH 4.3p1
1611 - (djm) OpenBSD CVS Sync
1612 - jmc@cvs.openbsd.org 2006/01/20 11:21:45
1614 - word change, agreed w/ markus
1616 - jmc@cvs.openbsd.org 2006/01/25 09:04:34
1618 move the options description up the page, and a few additional tweaks
1621 - jmc@cvs.openbsd.org 2006/01/25 09:07:22
1623 move subsections to full sections;
1624 - jmc@cvs.openbsd.org 2006/01/26 08:47:56
1626 add a section on verifying host keys in dns;
1627 written with a lot of help from jakob;
1628 feedback dtucker/markus;
1630 - reyk@cvs.openbsd.org 2006/01/30 12:22:22
1632 mark channel as write failed or dead instead of read failed on error
1633 of the channel output filter.
1635 - jmc@cvs.openbsd.org 2006/01/30 13:37:49
1637 remove an incorrect sentence;
1638 reported by roumen petrov;
1640 - djm@cvs.openbsd.org 2006/01/31 10:19:02
1641 [misc.c misc.h scp.c sftp.c]
1642 fix local arbitrary command execution vulnerability on local/local and
1643 remote/remote copies (CVE-2006-0225, bz #1094), patch by
1644 t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
1645 - djm@cvs.openbsd.org 2006/01/31 10:35:43
1647 "scp a b c" shouldn't clobber "c" when it is not a directory, report and
1648 fix from biorn@; ok markus@
1649 - (djm) Sync regress tests to OpenBSD:
1650 - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
1651 [regress/forwarding.sh]
1652 Regress test for ClearAllForwardings (bz #994); ok markus@
1653 - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
1654 [regress/multiplex.sh]
1655 Don't call cleanup in multiplex as test-exec will cleanup anyway
1656 found by tim@, ok djm@
1657 NB. ID sync only, we already had this
1658 - djm@cvs.openbsd.org 2005/05/20 23:14:15
1659 [regress/test-exec.sh]
1660 force addressfamily=inet for tests, unbreaking dynamic-forward regress for
1661 recently committed nc SOCKS5 changes
1662 - djm@cvs.openbsd.org 2005/05/24 04:10:54
1663 [regress/try-ciphers.sh]
1664 oops, new arcfour modes here too
1665 - markus@cvs.openbsd.org 2005/06/30 11:02:37
1667 allow SUDO=sudo; from Alexander Bluhm
1668 - grunk@cvs.openbsd.org 2005/11/14 21:25:56
1669 [regress/agent-getpeereid.sh]
1670 all other scripts in this dir use $SUDO, not 'sudo', so pull this even
1672 - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
1673 [regress/scp-ssh-wrapper.sh]
1674 Fix assumption about how many args scp will pass; ok djm@
1675 NB. ID sync only, we already had this
1676 - djm@cvs.openbsd.org 2006/01/27 06:49:21
1678 regress test for local to local scp copies; ok dtucker@
1679 - djm@cvs.openbsd.org 2006/01/31 10:23:23
1681 regression test for CVE-2006-0225 written by dtucker@
1682 - djm@cvs.openbsd.org 2006/01/31 10:36:33
1684 regress test for "scp a b c" where "c" is not a directory
1687 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
1688 opensshd.init script interpreter if /sbin/sh does not exist. ok tim@
1691 - (dtucker) OpenBSD CVS Sync
1692 - jmc@cvs.openbsd.org 2006/01/15 17:37:05
1694 correction from deraadt
1695 - jmc@cvs.openbsd.org 2006/01/18 10:53:29
1697 add a section on ssh-based vpn, based on reyk's README.tun;
1698 - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
1699 [scp.1 ssh.1 ssh_config.5 sftp.1]
1700 Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
1701 #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
1704 - (djm) OpenBSD CVS Sync
1705 - jmc@cvs.openbsd.org 2006/01/06 13:27:32
1707 weed out some duplicate info in the known_hosts FILES entries;
1709 - jmc@cvs.openbsd.org 2006/01/06 13:29:10
1711 final round of whacking FILES for duplicate info, and some consistency
1714 - jmc@cvs.openbsd.org 2006/01/12 14:44:12
1716 split sections on tcp and x11 forwarding into two sections.
1717 add an example in the tcp section, based on sth i wrote for ssh faq;
1718 help + ok: djm markus dtucker
1719 - jmc@cvs.openbsd.org 2006/01/12 18:48:48
1721 refer to `TCP' rather than `TCP/IP' in the context of connection
1724 - jmc@cvs.openbsd.org 2006/01/12 22:20:00
1726 refer to TCP forwarding, rather than TCP/IP forwarding;
1727 - jmc@cvs.openbsd.org 2006/01/12 22:26:02
1729 refer to TCP forwarding, rather than TCP/IP forwarding;
1730 - jmc@cvs.openbsd.org 2006/01/12 22:34:12
1732 back out a sentence - AUTHENTICATION already documents this;
1735 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
1736 tcpip service so it's always started after IP is up. Patch from
1737 vinschen at redhat.com.
1740 - (djm) OpenBSD CVS Sync
1741 - jmc@cvs.openbsd.org 2006/01/03 16:31:10
1743 move FILES to a -compact list, and make each file an item in that list.
1744 this avoids nasty line wrap when we have long pathnames, and treats
1745 each file as a separate item;
1746 remove the .Pa too, since it is useless.
1747 - jmc@cvs.openbsd.org 2006/01/03 16:35:30
1749 use a larger width for the ENVIRONMENT list;
1750 - jmc@cvs.openbsd.org 2006/01/03 16:52:36
1752 put FILES in some sort of order: sort by pathname
1753 - jmc@cvs.openbsd.org 2006/01/03 16:55:18
1755 tweak the description of ~/.ssh/environment
1756 - jmc@cvs.openbsd.org 2006/01/04 18:42:46
1758 chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
1761 - jmc@cvs.openbsd.org 2006/01/04 18:45:01
1763 remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
1764 - jmc@cvs.openbsd.org 2006/01/04 19:40:24
1766 +.Xr ssh-keyscan 1 ,
1767 - jmc@cvs.openbsd.org 2006/01/04 19:50:09
1770 - djm@cvs.openbsd.org 2006/01/05 23:43:53
1772 check that stdio file descriptors are actually closed before clobbering
1773 them in sanitise_stdfd(). problems occurred when a lower numbered fd was
1774 closed, but higher ones weren't. spotted by, and patch tested by
1778 - (djm) [channels.c] clean up harmless merge error, from reyk@
1781 - (djm) OpenBSD CVS Sync
1782 - jmc@cvs.openbsd.org 2006/01/02 17:09:49
1783 [ssh_config.5 sshd_config.5]
1784 some corrections from michael knudsen;
1787 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
1788 - (djm) OpenBSD CVS Sync
1789 - jmc@cvs.openbsd.org 2005/12/31 10:46:17
1791 merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
1792 AUTHENTICATION" sections into "AUTHENTICATION";
1793 some rewording done to make the text read better, plus some
1794 improvements from djm;
1796 - jmc@cvs.openbsd.org 2005/12/31 13:44:04
1798 clean up ENVIRONMENT a little;
1799 - jmc@cvs.openbsd.org 2005/12/31 13:45:19
1801 .Nm does not require an argument;
1802 - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
1804 move <net/if.h>; ok djm@
1805 - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
1807 no trailing "\n" for debug()
1808 - djm@cvs.openbsd.org 2006/01/02 01:20:31
1809 [sftp-client.c sftp-common.h sftp-server.c]
1810 use a common max. packet length, no binary change
1811 - reyk@cvs.openbsd.org 2006/01/02 07:53:44
1813 clarify tun(4) opening - set the mode and bring the interface up. also
1814 (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
1815 suggested and ok by djm@
1816 - jmc@cvs.openbsd.org 2006/01/02 12:31:06
1818 start to cut some duplicate info from FILES;
1822 - (djm) [Makefile.in configure.ac includes.h misc.c]
1823 [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
1824 for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
1825 limited to IPv4 tunnels only, and most versions don't support the
1826 tap(4) device at all.
1827 - (djm) [configure.ac] Fix linux/if_tun.h test
1828 - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
1831 - (djm) OpenBSD CVS Sync
1832 - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
1833 [canohost.c channels.c clientloop.c]
1834 use 'break-in' for consistency; ok deraadt@ ok and input jmc@
1835 - reyk@cvs.openbsd.org 2005/12/30 15:56:37
1836 [channels.c channels.h clientloop.c]
1837 add channel output filter interface.
1838 ok djm@, suggested by markus@
1839 - jmc@cvs.openbsd.org 2005/12/30 16:59:00
1841 do not suggest that interactive authentication will work
1843 based on a diff from john l. scarfone;
1845 - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
1847 document -MM; ok djm@
1848 - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
1849 [serverloop.c ssh.c openbsd-compat/Makefile.in]
1850 [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
1851 compatibility support for Linux, diff from reyk@
1852 - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
1854 - (djm) [configure.ac] oops, make that linux/if_tun.h
1857 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
1860 - (djm) OpenBSD CVS Sync
1861 - jmc@cvs.openbsd.org 2005/12/20 21:59:43
1863 merge the sections on protocols 1 and 2 into one section on
1865 feedback djm dtucker
1866 ok deraadt markus dtucker
1867 - jmc@cvs.openbsd.org 2005/12/20 22:02:50
1869 .Ss -> .Sh: subsections have not made this page more readable
1870 - jmc@cvs.openbsd.org 2005/12/20 22:09:41
1872 move info on ssh return values and config files up into the main
1874 - jmc@cvs.openbsd.org 2005/12/21 11:48:16
1876 -L and -R descriptions are now above, not below, ~C description;
1877 - jmc@cvs.openbsd.org 2005/12/21 11:57:25
1879 options now described `above', rather than `later';
1880 - jmc@cvs.openbsd.org 2005/12/21 12:53:31
1882 -Y does X11 forwarding too;
1884 - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
1886 clarify precedence of -p, Port, ListenAddress; ok and help jmc@
1887 - jmc@cvs.openbsd.org 2005/12/22 10:31:40
1889 put the description of "UsePrivilegedPort" in the correct place;
1890 - jmc@cvs.openbsd.org 2005/12/22 11:23:42
1892 expand the description of -w somewhat;
1894 - jmc@cvs.openbsd.org 2005/12/23 14:55:53
1896 - sync the description of -e w/ synopsis
1897 - simplify the description of -I
1898 - note that -I is only available if support compiled in, and that it
1901 - jmc@cvs.openbsd.org 2005/12/23 23:46:23
1903 less mark up for -c;
1904 - djm@cvs.openbsd.org 2005/12/24 02:27:41
1906 eliminate some code duplicated in privsep and non-privsep paths, and
1907 explicitly clear SIGALRM handler; "groovy" deraadt@
1910 - (dtucker) OpenBSD CVS Sync
1911 - reyk@cvs.openbsd.org 2005/12/13 15:03:02
1913 if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
1914 - jmc@cvs.openbsd.org 2005/12/16 18:07:08
1916 move the option descriptions up the page: start of a restructure;
1918 - jmc@cvs.openbsd.org 2005/12/16 18:08:53
1920 simplify a sentence;
1921 - jmc@cvs.openbsd.org 2005/12/16 18:12:22
1923 make the description of -c a little nicer;
1924 - jmc@cvs.openbsd.org 2005/12/16 18:14:40
1926 signpost the protocol sections;
1927 - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
1928 [ssh_config.5 session.c]
1929 spelling: fowarding, fowarded
1930 - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
1932 spelling: intented -> intended
1933 - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
1935 exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
1938 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
1939 openbsd-compat/openssl-compat.h] Check for and work around broken AES
1940 ciphers >128bit on (some) Solaris 10 systems. ok djm@
1943 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
1944 scp.c also uses, so undef them here.
1945 - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
1946 snprintf replacement can have a conflicting declaration in HP-UX's system
1947 headers (const vs. no const) so we now check for and work around it. Patch
1948 from the dynamic duo of David Leonard and Ted Percival.
1951 - (dtucker) OpenBSD CVS Sync (regress/)
1952 - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
1953 [regress/scp-ssh-wrapper.sh]
1954 Fix assumption about how many args scp will pass; ok djm@
1957 - (djm) OpenBSD CVS Sync
1958 - jmc@cvs.openbsd.org 2005/11/30 11:18:27
1960 timezone -> time zone
1961 - jmc@cvs.openbsd.org 2005/11/30 11:45:20
1963 avoid ambiguities in describing TZ;
1965 - reyk@cvs.openbsd.org 2005/12/06 22:38:28
1966 [auth-options.c auth-options.h channels.c channels.h clientloop.c]
1967 [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
1968 [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
1969 [sshconnect.h sshd.8 sshd_config sshd_config.5]
1970 Add support for tun(4) forwarding over OpenSSH, based on an idea and
1971 initial channel code bits by markus@. This is a simple and easy way to
1972 use OpenSSH for ad hoc virtual private network connections, e.g.
1973 administrative tunnels or secure wireless access. It's based on a new
1974 ssh channel and works similar to the existing TCP forwarding support,
1975 except that it depends on the tun(4) network interface on both ends of
1976 the connection for layer 2 or layer 3 tunneling. This diff also adds
1977 support for LocalCommand in the ssh(1) client.
1978 ok djm@, markus@, jmc@ (manpages), tested and discussed with others
1979 - djm@cvs.openbsd.org 2005/12/07 03:52:22
1981 reyk forgot to compile with -Werror (missing header)
1982 - jmc@cvs.openbsd.org 2005/12/07 10:52:13
1984 - avoid line split in SYNOPSIS
1986 - kill trailing whitespace
1987 - jmc@cvs.openbsd.org 2005/12/08 14:59:44
1988 [ssh.1 ssh_config.5]
1989 make `!command' a little clearer;
1991 - jmc@cvs.openbsd.org 2005/12/08 15:06:29
1993 keep options in order;
1994 - reyk@cvs.openbsd.org 2005/12/08 18:34:11
1995 [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
1996 [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
1997 two changes to the new ssh tunnel support. this breaks compatibility
1998 with the initial commit but is required for a portable approach.
1999 - make the tunnel id u_int and platform friendly, use predefined types.
2000 - support configuration of layer 2 (ethernet) or layer 3
2001 (point-to-point, default) modes. configuration is done using the
2002 Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
2003 restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
2005 ok djm@, man page bits by jmc@
2006 - jmc@cvs.openbsd.org 2005/12/08 21:37:50
2008 new sentence, new line;
2009 - markus@cvs.openbsd.org 2005/12/12 13:46:18
2010 [channels.c channels.h session.c]
2011 make sure protocol messages for internal channels are ignored.
2012 allow adjust messages for non-open channels; with and ok djm@
2013 - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
2014 again by providing a sys_tun_open() function for your platform and
2015 setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match
2016 OpenBSD's tunnel protocol, which prepends the address family to the
2020 - (djm) [envpass.sh] Remove regress script that was accidentally committed
2021 in top level directory and not noticed for over a year :)
2024 - (tim) [ssh-keygen.c] Move DSA length test after setting default when
2026 - (dtucker) OpenBSD CVS Sync
2027 - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
2029 Populate default key sizes before checking them; from & ok tim@
2030 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
2034 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
2035 versions of GNU head. Based on patch from zappaman at buraphalinux.org
2036 - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
2037 _GNU_SOURCE instead. Patch from t8m at centrum.cz.
2038 - (dtucker) OpenBSD CVS Sync
2039 - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
2040 [ssh-keygen.1 ssh-keygen.c]
2041 Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
2042 increase minimum RSA key size to 768 bits and update man page to reflect
2043 these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
2044 ok djm@, grudging ok deraadt@.
2045 - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
2047 Update agent socket path templates to reflect reality, correct xref for
2048 time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@
2051 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
2052 when they're available) need the real UID set otherwise pam_chauthtok will
2053 set ADMCHG after changing the password, forcing the user to change it
2057 - (dtucker) [configure.ac] Apply tim's fix for older systems where the
2058 resolver state in resolv.h is "state" not "__res_state". With slight
2059 modification by me to also work on old AIXes. ok djm@
2060 - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
2061 snprintf formats, fixes warnings on some 64 bit platforms. Patch from
2062 shaw at vranix.com, ok djm@
2065 - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c
2066 openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an
2067 asprintf() implementation, after syncing our {v,}snprintf() implementation
2068 with some extra fixes from Samba's version. With help and debugging from
2069 dtucker and tim; ok dtucker@
2070 - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
2071 order in Reliant Unix block. Patch from johane at lysator.liu.se.
2072 - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
2073 many and use them only once. Speeds up testing on older/slower hardware.
2076 - (dtucker) OpenBSD CVS Sync
2077 - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
2080 - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
2082 avoid close(-1), as in rcp; ok cloder
2083 - millert@cvs.openbsd.org 2005/11/15 11:59:54
2085 Include sys/queue.h explicitly instead of assuming some other header
2086 will pull it in. At the moment it gets pulled in by sys/select.h
2087 (which ssh has no business including) via event.h. OK markus@
2088 (ID sync only in -portable)
2089 - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
2091 Perform Kerberos calls even for invalid users to prevent leaking
2092 information about account validity. bz #975, patch originally from
2093 Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
2095 - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
2097 Correct format/arguments to debug call; spotted by shaw at vranix.com
2099 - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
2100 from shaw at vranix.com.
2103 - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
2107 - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
2108 ifdef lost during sync. Spotted by tim@.
2109 - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
2110 - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
2111 - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@
2112 - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
2113 test: if sshd takes too long to reconfigure the subsequent connection will
2114 fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready.
2117 - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
2118 OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
2120 - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
2121 unnecessary prototype.
2122 - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
2124 - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
2126 - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
2127 since they're not useful right now. Patch from djm@.
2128 - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
2129 prototypes, removal of "register").
2130 - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
2132 - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
2133 after the copyright notices. Having them at the top next to the CVSIDs
2134 guarantees a conflict for each and every sync.
2135 - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
2136 - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
2137 - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
2138 Removal of rcsid, "whiteout" inode type.
2139 - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
2140 Removal of rcsid, will no longer strlcpy parts of the string.
2141 - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
2142 - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
2143 - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
2144 - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
2145 - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
2146 - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
2147 - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
2148 - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
2149 with OpenBSD code since we don't support platforms without fstat any more.
2150 - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
2151 - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
2152 - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
2153 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
2154 - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
2155 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
2156 - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
2157 - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
2158 - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
2159 - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
2160 - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
2161 Id and copyright sync only, there were no substantial changes we need.
2162 - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
2163 -Wsign-compare fixes from djm.
2164 - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
2165 Id and copyright sync only, there were no substantial changes we need.
2166 - (dtucker) [configure.ac] Try to get the gcc version number in a way that
2167 doesn't change between versions, and use a safer default.
2170 - (djm) OpenBSD CVS Sync
2171 - markus@cvs.openbsd.org 2005/10/07 11:13:57
2173 change DSA default back to 1024, as it's defined for 1024 bits only
2174 and this causes interop problems with other clients. moreover,
2175 in order to improve the security of DSA you need to change more
2176 components of DSA key generation (e.g. the internal SHA1 hash);
2178 - djm@cvs.openbsd.org 2005/10/10 10:23:08
2179 [channels.c channels.h clientloop.c serverloop.c session.c]
2180 fix regression I introduced in 4.2: X11 forwardings initiated after
2181 a session has exited (e.g. "(sleep 5; xterm) &") would not start.
2182 bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
2183 - djm@cvs.openbsd.org 2005/10/11 23:37:37
2185 bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
2186 bind() failure when a previous connection's listeners are in TIME_WAIT,
2187 reported by plattner AT inf.ethz.ch; ok dtucker@
2188 - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
2189 [auth2-gss.c gss-genr.c gss-serv.c]
2190 remove unneeded #includes; ok markus@
2191 - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
2193 spelling in comments
2194 - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
2195 [gss-serv-krb5.c gss-serv.c]
2196 unused declarations; ok deraadt@
2197 (id sync only for gss-serv-krb5.c)
2198 - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
2200 unneeded #include, unused declaration, little knf; ok deraadt@
2201 - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
2202 [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
2204 - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
2205 [ssh-keygen.c ssh.c sshconnect2.c]
2206 no trailing "\n" for log functions; ok djm@
2207 - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
2208 [channels.c clientloop.c]
2209 free()->xfree(); ok djm@
2210 - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
2212 make external definition static; ok deraadt@
2213 - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
2215 fix memory leaks from 2 sources:
2216 1) key_fingerprint_raw()
2217 2) malloc in dns_read_rdata()
2219 - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
2221 remove #ifdef LWRES; ok jakob@
2222 - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
2224 more cleanups; ok jakob@
2225 - djm@cvs.openbsd.org 2005/10/30 01:23:19
2227 mention control socket fallback behaviour, reported by
2228 tryponraj AT gmail.com
2229 - djm@cvs.openbsd.org 2005/10/30 04:01:03
2231 make ssh-keygen discard junk from server before SSH- ident, spotted by
2232 dave AT cirt.net; ok dtucker@
2233 - djm@cvs.openbsd.org 2005/10/30 04:03:24
2235 fix misleading debug message; ok dtucker@
2236 - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
2238 Check for connections with IP options earlier and drop silently. ok djm@
2239 - jmc@cvs.openbsd.org 2005/10/30 08:43:47
2241 remove trailing whitespace;
2242 - djm@cvs.openbsd.org 2005/10/30 08:52:18
2243 [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
2244 [ssh.c sshconnect.c sshconnect1.c sshd.c]
2245 no need to escape single quotes in comments, no binary change
2246 - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
2248 Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
2249 - djm@cvs.openbsd.org 2005/10/31 11:12:49
2250 [ssh-keygen.1 ssh-keygen.c]
2251 generate a protocol 2 RSA key by default
2252 - djm@cvs.openbsd.org 2005/10/31 11:48:29
2254 make sure we clean up wtmp, etc. file when we receive a SIGTERM,
2255 SIGINT or SIGQUIT when running without privilege separation (the
2256 normal privsep case is already OK). Patch mainly by dtucker@ and
2257 senthilkumar_sen AT hotpop.com; ok dtucker@
2258 - jmc@cvs.openbsd.org 2005/10/31 19:55:25
2261 - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
2263 Cache reverse lookups with and without DNS separately; ok markus@
2264 - djm@cvs.openbsd.org 2005/11/04 05:15:59
2265 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
2266 remove hardcoded hash lengths in key exchange code, allowing
2267 implementation of KEX methods with different hashes (e.g. SHA-256);
2268 ok markus@ dtucker@ stevesk@
2269 - djm@cvs.openbsd.org 2005/11/05 05:01:15
2271 Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
2272 cs.stanford.edu; ok dtucker@
2273 - (dtucker) [README.platform] Add PAM section.
2274 - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
2275 resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
2279 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
2280 Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
2284 - (djm) [contrib/suse/openssh.spec contrib/suse/rc.sshd
2285 contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init
2286 files from imorgan AT nas.nasa.gov
2287 - (dtucker) [session.c] Bug #1045: do not check /etc/nologin when PAM is
2288 enabled, instead allow PAM to handle it. Note that on platforms using PAM,
2289 the pam_nologin module should be added to sshd's session stack in order to
2290 maintain existing behaviour. Based on patch and discussion from t8m at
2294 - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
2295 sizeof(long long) checks, to make fixing bug #1104 easier (no changes
2297 - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
2298 understand "%lld", even though the compiler has "long long", so handle
2299 it as a special case. Patch tested by mcaskill.scott at epa.gov.
2300 - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
2301 prompt. Patch from vinschen at redhat.com.
2304 - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
2305 /etc/default/login report and testing from aabaker at iee.org, corrections
2309 - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
2310 versions from OpenBSD. ok djm@
2313 - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
2314 brian.smith at agilent com.
2315 - (djm) [configure.ac] missing 'test' call for -with-Werror test
2318 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
2319 "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
2320 senthilkumar_sen at hotpop.com.
2323 - (dtucker) OpenBSD CVS Sync
2324 - markus@cvs.openbsd.org 2005/09/07 08:53:53
2326 enforce chanid != NULL; ok djm
2327 - markus@cvs.openbsd.org 2005/09/09 19:18:05
2329 typo; from mark at mcs.vuw.ac.nz, bug #1082
2330 - djm@cvs.openbsd.org 2005/09/13 23:40:07
2331 [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
2332 scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
2333 ensure that stdio fds are attached; ok deraadt@
2334 - djm@cvs.openbsd.org 2005/09/19 11:37:34
2335 [ssh_config.5 ssh.1]
2336 mention ability to specify bind_address for DynamicForward and -D options;
2337 bz#1077 spotted by Haruyama Seigo
2338 - djm@cvs.openbsd.org 2005/09/19 11:47:09
2340 stop connection abort on rekey with delayed compression enabled when
2341 post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
2342 - djm@cvs.openbsd.org 2005/09/19 11:48:10
2345 - jmc@cvs.openbsd.org 2005/09/19 15:38:27
2347 some more .Bk/.Ek to avoid ugly line split;
2348 - jmc@cvs.openbsd.org 2005/09/19 15:42:44
2350 update -D usage here too;
2351 - djm@cvs.openbsd.org 2005/09/19 23:31:31
2353 spelling nit from stevesk@
2354 - djm@cvs.openbsd.org 2005/09/21 23:36:54
2356 aquire -> acquire, from stevesk@
2357 - djm@cvs.openbsd.org 2005/09/21 23:37:11
2359 change label at markus@'s request
2360 - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
2362 deploy .An -nosplit; ok jmc
2363 - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
2365 Relocate check_ip_options call to prevent logging of garbage for
2366 connections with IP options set. bz#1092 from David Leonard,
2367 "looks good" deraadt@
2368 - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
2369 is required in the system path for the multiplex test to work.
2372 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
2373 for strtoll. Patch from o.flebbe at science-computing.de.
2374 - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
2375 child during PAM account check without clearing it. This restores the
2376 post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
2377 with help from several others.
2380 - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
2381 introduced during sync.
2384 - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
2385 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
2386 PAM via keyboard-interactive. Patch tested by the folks at Vintela.
2389 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
2390 calls, since they can't possibly fail. ok djm@
2391 - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
2392 process when sshd relies on ssh-random-helper. Should result in faster
2393 logins on systems without a real random device or prngd. ok djm@
2396 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
2397 duplicate call. ok djm@
2400 - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
2401 skeleten at shillest.net.
2402 - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
2406 - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
2407 AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
2411 - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
2415 - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
2416 OpenServer 6 and add osr5bigcrypt support so when someone migrates
2417 passwords between UnixWare and OpenServer they will still work. OK dtucker@
2420 - (djm) Update RPM spec file versions
2423 - (djm) OpenBSD CVS Sync
2424 - djm@cvs.openbsd.org 2005/08/30 22:08:05
2425 [gss-serv.c sshconnect2.c]
2426 destroy credentials if krb5_kuserok() call fails. Stops credentials being
2427 delegated to users who are not authorised for GSSAPIAuthentication when
2428 GSSAPIDeletegateCredentials=yes and another authentication mechanism
2429 succeeds; bz#1073 reported by paul.moore AT centrify.com, fix by
2430 simon AT sxw.org.uk, tested todd@ biorn@ jakob@; ok deraadt@
2431 - markus@cvs.openbsd.org 2005/08/31 09:28:42
2434 - (dtucker) [README] Update release note URL to 4.2
2435 - (tim) [configure.ac auth.c defines.h session.c openbsd-compat/port-uw.c
2436 openbsd-compat/port-uw.h openbsd-compat/xcrypt.c] libiaf cleanup. Disable
2437 libiaf bits for OpenServer6. Free memory allocated by ia_get_logpwd().
2438 Feedback and OK dtucker@
2441 - (tim) [configure.ac] Back out last change. It needs to be done differently.
2444 - (tim) [configure.ac] ia_openinfo() seems broken on OSR6. Limit UW long
2445 password support to 7.x for now.
2448 - (tim) [CREDITS LICENCE auth.c configure.ac defines.h includes.h session.c
2449 openbsd-compat/Makefile.in openbsd-compat/openbsd-compat.h
2450 openbsd-compat/xcrypt.c] New files [openssh/openbsd-compat/port-uw.c
2451 openssh/openbsd-compat/port-uw.h] Support long passwords (> 8-char)
2452 on UnixWare 7 from Dhiraj Gulati and Ahsan Rashid. Cleanup and testing
2453 by tim@. Feedback and OK dtucker@
2456 - (dtucker) [regress/test-exec.sh] Do not prepend an extra "/" to a fully-
2457 qualified sshd pathname since some systems (eg Cygwin) may consider "/foo"
2458 and "//foo" to be different. Spotted by vinschen at redhat.com.
2459 - (tim) [configure.ac] Not all gcc's support -Wsign-compare. Enhancements
2461 - (tim) [defines.h] PATH_MAX bits for OpenServer OK dtucker@
2464 - (dtucker) [configure.ac defines.h includes.h sftp.c] Add support for
2465 LynxOS, patch from Olli Savia (ops at iki.fi). ok djm@
2468 - (djm) [ttymodes.c] bugzilla #1025: Fix encoding of _POSIX_VDISABLE,
2469 from Jacob Nevins; ok dtucker@
2472 - (tim) [sftp.c] wrap el_end() in #ifdef USE_LIBEDIT
2473 - (tim) [configure.ac] corrections to libedit tests. Report and patches
2474 by skeleten AT shillest.net
2477 - (djm) OpenBSD CVS Sync
2478 - markus@cvs.openbsd.org 2005/07/28 17:36:22
2480 missing packet_init_compression(); from solar
2481 - djm@cvs.openbsd.org 2005/07/30 01:26:16
2483 fix -D listen_host initialisation, so it picks up gateway_ports setting
2485 - djm@cvs.openbsd.org 2005/07/30 02:03:47
2487 listen_hosts initialisation here too; spotted greg AT y2005.nest.cx
2488 - dtucker@cvs.openbsd.org 2005/08/06 10:03:12
2490 Unbreak sshd ListenAddress for bare IPv6 addresses.
2491 Report from Janusz Mucka; ok djm@
2492 - jaredy@cvs.openbsd.org 2005/08/08 13:22:48
2494 sftp prompt enhancements:
2495 - in non-interactive mode, do not print an empty prompt at the end
2497 - print newline after EOF in editline mode
2498 - call el_end() in editline mode
2502 - (dtucker) [configure.ac] Test libedit library and headers for compatibility.
2503 Report from skeleten AT shillest.net, ok djm@
2504 - (dtucker) [LICENCE configure.ac defines.h openbsd-compat/realpath.c]
2505 Sync current (thread-safe) version of realpath.c from OpenBSD (which is
2506 in turn based on FreeBSD's). ok djm@
2509 - (tim) [configure.ac] Allow --with-audit=no. OK dtucker@
2510 Report by skeleten AT shillest.net
2513 - (dtucker) [openbsd-compat/fake-rfc2553.h] Check for EAI_* defines
2514 individually and use a value less likely to collide with real values from
2515 netdb.h. Fixes compile warnings on FreeBSD 5.3. ok djm@
2516 - (dtucker) [openbsd-compat/fake-rfc2553.h] MAX_INT -> INT_MAX since the
2517 latter is specified in the standard.
2520 - (dtucker) OpenBSD CVS Sync
2521 - dtucker@cvs.openbsd.org 2005/07/27 10:39:03
2522 [scp.c hostfile.c sftp-client.c]
2523 Silence bogus -Wuninitialized warnings; ok djm@
2524 - (dtucker) [configure.ac] Enable -Wuninitialized by default when compiling
2526 - (dtucker) [configure.ac] Add a --with-Werror option to configure for
2527 adding -Werror to CFLAGS when all of the configure tests are done. ok djm@
2530 - (dtucker) [configure.ac] Update zlib warning message too, pointed out by
2532 - (djm) OpenBSD CVS Sync
2533 - otto@cvs.openbsd.org 2005/07/19 15:32:26
2535 auth_usercheck(3) can return NULL, so check for that. Report from
2537 - markus@cvs.openbsd.org 2005/07/25 11:59:40
2538 [kex.c kex.h myproposal.h packet.c packet.h servconf.c session.c]
2539 [sshconnect2.c sshd.c sshd_config sshd_config.5]
2540 add a new compression method that delays compression until the user
2541 has been authenticated successfully and set compression to 'delayed'
2543 this breaks older openssh clients (< 3.5) if they insist on
2544 compression, so you have to re-enable compression in sshd_config.
2548 - (dtucker) [configure.ac] Update zlib version check for CAN-2005-2096.
2552 - djm@cvs.openbsd.org 2005/07/16 01:35:24
2553 [auth1.c channels.c cipher.c clientloop.c kex.c session.c ssh.c]
2556 - (djm) [acss.c auth-pam.c auth-shadow.c auth-skey.c auth1.c canohost.c]
2557 [cipher-acss.c loginrec.c ssh-rand-helper.c sshd.c] Fix whitespace at EOL
2558 in portable too ("perl -p -i -e 's/\s+$/\n/' *.[ch]")
2559 - (djm) [auth-pam.c sftp.c] spaces vs. tabs at start of line
2560 - djm@cvs.openbsd.org 2005/07/17 06:49:04
2561 [channels.c channels.h session.c session.h]
2562 Fix a number of X11 forwarding channel leaks:
2563 1. Refuse multiple X11 forwarding requests on the same session
2564 2. Clean up all listeners after a single_connection X11 forward, not just
2565 the one that made the single connection
2566 3. Destroy X11 listeners when the session owning them goes away
2567 testing and ok dtucker@
2568 - djm@cvs.openbsd.org 2005/07/17 07:17:55
2569 [auth-rh-rsa.c auth-rhosts.c auth2-chall.c auth2-gss.c channels.c]
2570 [cipher-ctr.c gss-genr.c gss-serv.c kex.c moduli.c readconf.c]
2571 [serverloop.c session.c sftp-client.c sftp.c ssh-add.c ssh-keygen.c]
2572 [sshconnect.c sshconnect2.c]
2573 knf says that a 2nd level indent is four (not three or five) spaces
2574 - (djm) [audit.c auth1.c auth2.c entropy.c loginrec.c serverloop.c]
2575 [ssh-rand-helper.c] fix portable 2nd level indents at 4 spaces too
2576 - (djm) [monitor.c monitor_wrap.c] -Wsign-compare for PAM monitor calls
2579 - (dtucker) [auth-pam.c] Ensure that only one side of the authentication
2580 socketpair stays open in both the monitor and PAM process. Patch from
2584 - (dtucker) OpenBSD CVS Sync
2585 - dtucker@cvs.openbsd.org 2005/07/06 09:33:05
2587 clarify meaning of ssh -b ; with & ok jmc@
2588 - dtucker@cvs.openbsd.org 2005/07/08 09:26:18
2590 Make comment match code; ok djm@
2591 - markus@cvs.openbsd.org 2005/07/08 09:41:33
2593 race when efd gets closed while there is still buffered data:
2594 change CHANNEL_EFD_OUTPUT_ACTIVE()
2595 1) c->efd must always be valid AND
2596 2a) no EOF has been seen OR
2597 2b) there is buffered data
2598 report, initial fix and testing Chuck Cranor
2599 - dtucker@cvs.openbsd.org 2005/07/08 10:20:41
2601 change BindAddress to match recent ssh -b change; prompted by markus@
2602 - jmc@cvs.openbsd.org 2005/07/08 12:53:10
2604 new sentence, new line;
2605 - dtucker@cvs.openbsd.org 2005/07/14 04:00:43
2607 use __sentinel__ attribute; ok deraadt@ djm@ markus@
2608 - (dtucker) [configure.ac defines.h] Define __sentinel__ to nothing if the
2609 compiler doesn't understand it to prevent warnings. If any mainstream
2610 compiler versions acquire it we can test for those versions. Based on
2611 discussion with djm@.
2614 - dtucker [auth-krb5.c auth.h gss-serv-krb5.c] Move KRB5CCNAME generation for
2615 the MIT Kerberos code path into a common function and expand mkstemp
2616 template to be consistent with the rest of OpenSSH. From sxw at
2617 inf.ed.ac.uk, ok djm@
2618 - (dtucker) [auth-krb5.c] There's no guarantee that snprintf will set errno
2619 in the case where the buffer is insufficient, so always return ENOMEM.
2620 Also pointed out by sxw at inf.ed.ac.uk.
2621 - (dtucker) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Remove
2622 calls to krb5_init_ets, which has not been required since krb-1.1.x and
2623 most Kerberos versions no longer export in their public API. From sxw
2624 at inf.ed.ac.uk, ok djm@
2627 - (djm) OpenBSD CVS Sync
2628 - markus@cvs.openbsd.org 2005/07/01 13:19:47
2630 don't free() if getaddrinfo() fails; report mpech@
2631 - djm@cvs.openbsd.org 2005/07/04 00:58:43
2632 [channels.c clientloop.c clientloop.h misc.c misc.h ssh.c ssh_config.5]
2633 implement support for X11 and agent forwarding over multiplex slave
2634 connections. Because of protocol limitations, the slave connections inherit
2635 the master's DISPLAY and SSH_AUTH_SOCK rather than distinctly forwarding
2637 ok dtucker@ "put it in" deraadt@
2638 - jmc@cvs.openbsd.org 2005/07/04 11:29:51
2640 fix Xr and a little grammar;
2641 - markus@cvs.openbsd.org 2005/07/04 14:04:11
2643 don't forget to set x11_saved_display
2646 - (djm) OpenBSD CVS Sync
2647 - djm@cvs.openbsd.org 2005/06/17 22:53:47
2648 [ssh.c sshconnect.c]
2649 Fix ControlPath's %p expanding to "0" for a default port,
2650 spotted dwmw2 AT infradead.org; ok markus@
2651 - djm@cvs.openbsd.org 2005/06/18 04:30:36
2652 [ssh.c ssh_config.5]
2653 allow ControlPath=none, patch from dwmw2 AT infradead.org; ok dtucker@
2654 - djm@cvs.openbsd.org 2005/06/25 22:47:49
2656 do the default port filling code a few lines earlier, so it really
2660 - (djm) OpenBSD CVS Sync
2661 - djm@cvs.openbsd.org 2005/05/20 12:57:01;
2662 [auth1.c] split protocol 1 auth methods into separate functions, makes
2663 authloop much more readable; fixes and ok markus@ (portable ok &
2665 - djm@cvs.openbsd.org 2005/06/17 02:44:33
2666 [auth1.c] make this -Wsign-compare clean; ok avsm@ markus@
2667 - (djm) [loginrec.c ssh-rand-helper.c] Fix -Wsign-compare for portable,
2668 tested and fixes tim@
2671 - (djm) OpenBSD CVS Sync
2672 - djm@cvs.openbsd.org 2005/06/16 03:38:36
2673 [channels.c channels.h clientloop.c clientloop.h ssh.c]
2674 move x11_get_proto from ssh.c to clientloop.c, to make multiplexed xfwd
2675 easier later; ok deraadt@
2676 - markus@cvs.openbsd.org 2005/06/16 08:00:00
2677 [canohost.c channels.c sshd.c]
2678 don't exit if getpeername fails for forwarded ports; bugzilla #1054;
2680 - djm@cvs.openbsd.org 2005/06/17 02:44:33
2681 [auth-rsa.c auth.c auth1.c auth2-chall.c auth2-gss.c authfd.c authfile.c]
2682 [bufaux.c canohost.c channels.c cipher.c clientloop.c dns.c gss-serv.c]
2683 [kex.c kex.h key.c mac.c match.c misc.c packet.c packet.h scp.c]
2684 [servconf.c session.c session.h sftp-client.c sftp-server.c sftp.c]
2685 [ssh-keyscan.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
2686 make this -Wsign-compare clean; ok avsm@ markus@
2687 NB. auth1.c changes not committed yet (conflicts with uncommitted sync)
2688 NB2. more work may be needed to make portable Wsign-compare clean
2689 - (dtucker) [cipher.c openbsd-compat/openbsd-compat.h
2690 openbsd-compat/openssl-compat.c] only include openssl compat stuff where
2691 it's needed as it can cause conflicts elsewhere (eg xcrypt.c). Found by
2695 - (djm) OpenBSD CVS Sync
2696 - jaredy@cvs.openbsd.org 2005/06/07 13:25:23
2698 catch SIGWINCH and resize progress meter accordingly; ok markus dtucker
2699 - djm@cvs.openbsd.org 2005/06/06 11:20:36
2700 [auth.c auth.h misc.c misc.h ssh.c ssh_config.5 sshconnect.c]
2701 introduce a generic %foo expansion function. replace existing % expansion
2702 and add expansion to ControlPath; ok markus@
2703 - djm@cvs.openbsd.org 2005/06/08 03:50:00
2704 [ssh-keygen.1 ssh-keygen.c sshd.8]
2705 increase default rsa/dsa key length from 1024 to 2048 bits;
2707 - djm@cvs.openbsd.org 2005/06/08 11:25:09
2708 [clientloop.c readconf.c readconf.h ssh.c ssh_config.5]
2709 add ControlMaster=auto/autoask options to support opportunistic
2710 multiplexing; tested avsm@ and jakob@, ok markus@
2711 - dtucker@cvs.openbsd.org 2005/06/09 13:43:49
2713 Correctly initialize end of array sentinel; ok djm@
2714 (Id sync only, change already in portable)
2717 - (dtucker) [cipher.c openbsd-compat/Makefile.in
2718 openbsd-compat/openbsd-compat.h openbsd-compat/openssl-compat.{c,h}]
2719 Move compatibility code for supporting older OpenSSL versions to the
2720 compat layer. Suggested by and "no objection" djm@
2723 - (dtucker) [configure.ac] Continue the hunt for LLONG_MIN and LLONG_MAX:
2724 in today's episode we attempt to coax it from limits.h where it may be
2725 hiding, failing that we take the DIY approach. Tested by tim@
2728 - (dtucker) [configure.ac] Only try gcc -std=gnu99 if LLONG_MAX isn't
2729 defined, and check that it helps before keeping it in CFLAGS. Some old
2730 gcc's don't set an error code when encountering an unknown value in -std.
2731 Found and tested by tim@.
2732 - (dtucker) [configure.ac] Point configure's reporting address at the
2733 openssh-unix-dev list. ok tim@ djm@
2736 - (tim) [configure.ac] Some platforms need sys/types.h for arpa/nameser.h.
2737 Take AC_CHECK_HEADERS test out of ultrix section. It caused other platforms
2738 to skip builtin standard includes tests. (first AC_CHECK_HEADERS test
2739 must be run on all platforms) Add missing ;; to case statement. OK dtucker@
2742 - (dtucker) [configure.ac] Look for _getshort and _getlong in
2744 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoll.c]
2745 Add strtoll to the compat library, from OpenBSD.
2746 - (dtucker) OpenBSD CVS Sync
2747 - avsm@cvs.openbsd.org 2005/05/26 02:08:05
2749 If copying multiple files to a target file (which normally fails, as it
2750 must be a target directory), kill the spawned ssh child before exiting.
2751 This stops it trying to authenticate and spewing lots of output.
2753 - dtucker@cvs.openbsd.org 2005/05/26 09:08:12
2755 uint32_t -> u_int32_t for consistency; ok djm@
2756 - djm@cvs.openbsd.org 2005/05/27 08:30:37
2758 fix -O for cases where no ControlPath has been specified or socket at
2759 ControlPath is not contactable; spotted by and ok avsm@
2760 - (tim) [config.guess config.sub] Update to '2005-05-27' version.
2761 - (tim) [configure.ac] set TEST_SHELL for OpenServer 6
2764 - (dtucker) [contrib/aix/pam.conf] Correct comments. From davidl at
2766 - (dtucker) [mdoc2man.awk] Teach it to understand .Ox.
2769 - (dtucker) [README] Link to new release notes. Better late than never...
2772 - (dtucker) [openbsd-compat/port-aix.c] Bug #1046: AIX 5.3 expects the
2773 argument to passwdexpired to be initialized to NULL. Suggested by tim@
2774 While at it, initialize the other arguments to auth functions in case they
2775 ever acquire this behaviour.
2776 - (dtucker) [openbsd-compat/port-aix.c] Whitespace cleanups while there.
2777 - (dtucker) [openbsd-compat/port-aix.c] Minor correction to debug message,
2781 - (dtucker) [configure.ac] For AC_CHECK_HEADERS() and AC_CHECK_FUNCS() have
2782 one entry per line to make it easier to merge changes. ok djm@
2783 - (dtucker) [configure.ac] strsep() may be defined in string.h, so check
2784 for its presence and include it in the strsep check.
2785 - (dtucker) [configure.ac] getpgrp may be defined in unistd.h, so check for
2786 its presence before doing AC_FUNC_GETPGRP.
2787 - (dtucker) [configure.ac] Merge HP-UX blocks into a common block with minor
2788 version-specific variations as required.
2789 - (dtucker) [openbsd-compat/port-aix.h] Use the HAVE_DECL_* definitions as
2790 per the autoconf man page. Configure should always define them but it
2791 doesn't hurt to check.
2794 - (djm) [defines.h] Use our realpath if we have to define PATH_MAX, spotted by
2795 David Leach; ok dtucker@
2796 - (dtucker) [acconfig.h configure.ac defines.h includes.h sshpty.c
2797 openbsd-compat/bsd-misc.c] Add support for Ultrix. No, that's not a typo.
2798 Required changes from Bernhard Simon, integrated by me. ok djm@
2801 - (djm) [mpaux.c mpaux.h Makefile.in] Remove old mpaux.[ch] code, it has not
2802 been used for a while
2803 - (djm) OpenBSD CVS Sync
2804 - otto@cvs.openbsd.org 2005/04/05 13:45:31
2806 - djm@cvs.openbsd.org 2005/04/06 09:43:59
2808 avoid harmless logspam by not performing setsockopt() on non-socket;
2810 - dtucker@cvs.openbsd.org 2005/04/06 12:26:06
2812 Fix debug call for port forwards; patch from pete at seebeyond.com,
2813 ok djm@ (ID sync only - change already in portable)
2814 - djm@cvs.openbsd.org 2005/04/09 04:32:54
2815 [misc.c misc.h tildexpand.c Makefile.in]
2816 replace tilde_expand_filename with a simpler implementation, ahead of
2817 more whacking; ok deraadt@
2818 - jmc@cvs.openbsd.org 2005/04/14 12:30:30
2820 arg to -b is an address, not if_name;
2822 - jakob@cvs.openbsd.org 2005/04/20 10:05:45
2824 do not try to look up SSHFP for numerical hostname. ok djm@
2825 - djm@cvs.openbsd.org 2005/04/21 06:17:50
2826 [ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 ssh_config.5 sshd.8]
2827 [sshd_config.5] OpenSSH doesn't ever look at the $HOME environment
2828 variable, so don't say that we do (bz #623); ok deraadt@
2829 - djm@cvs.openbsd.org 2005/04/21 11:47:19
2831 don't allocate a pty when -n flag (/dev/null stdin) is set, patch from
2832 ignasi.roca AT fujitsu-siemens.com (bz #829); ok dtucker@
2833 - dtucker@cvs.openbsd.org 2005/04/23 23:43:47
2835 Add debug message if read_passphrase can't open /dev/tty; bz #471;
2837 - jmc@cvs.openbsd.org 2005/04/26 12:59:02
2839 spelling correction in comment from wiz@netbsd;
2840 - jakob@cvs.openbsd.org 2005/04/26 13:08:37
2841 [ssh.c ssh_config.5]
2842 fallback gracefully if client cannot connect to ControlPath. ok djm@
2843 - moritz@cvs.openbsd.org 2005/04/28 10:17:56
2844 [progressmeter.c ssh-keyscan.c]
2845 add snprintf checks. ok djm@ markus@
2846 - markus@cvs.openbsd.org 2005/05/02 21:13:22
2849 - djm@cvs.openbsd.org 2005/05/10 10:28:11
2851 print nice error message for EADDRINUSE as well (ID sync only)
2852 - djm@cvs.openbsd.org 2005/05/10 10:30:43
2854 report real errors on fallback from ControlMaster=no to normal connect
2855 - markus@cvs.openbsd.org 2005/05/16 15:30:51
2856 [readconf.c servconf.c]
2857 check return value from strdelim() for NULL (AddressFamily); mpech
2858 - djm@cvs.openbsd.org 2005/05/19 02:39:55
2860 sort config options, from grunk AT pestilenz.org; ok jmc@
2861 - djm@cvs.openbsd.org 2005/05/19 02:40:52
2863 whitespace nit, from grunk AT pestilenz.org
2864 - djm@cvs.openbsd.org 2005/05/19 02:42:26
2866 fix cast, from grunk AT pestilenz.org
2867 - djm@cvs.openbsd.org 2005/05/20 10:50:55
2869 give a ProxyCommand example using nc(1), with and ok jmc@
2870 - jmc@cvs.openbsd.org 2005/05/20 11:23:32
2872 oops - article and spacing;
2873 - avsm@cvs.openbsd.org 2005/05/23 22:44:01
2874 [moduli.c ssh-keygen.c]
2875 - removes signed/unsigned comparisons in moduli generation
2876 - use strtonum instead of atoi where it's easier
2877 - check some strlcpy overflow and fatal instead of truncate
2878 - djm@cvs.openbsd.org 2005/05/23 23:32:46
2879 [cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
2880 add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
2882 - avsm@cvs.openbsd.org 2005/05/24 02:05:09
2884 some style nits from dmiller@, and use a fatal() instead of a printf()/exit
2885 - avsm@cvs.openbsd.org 2005/05/24 17:32:44
2886 [atomicio.c atomicio.h authfd.c monitor_wrap.c msg.c scp.c sftp-client.c]
2887 [ssh-keyscan.c sshconnect.c]
2888 Switch atomicio to use a simpler interface; it now returns a size_t
2889 (containing number of bytes read/written), and indicates error by
2890 returning 0. EOF is signalled by errno==EPIPE.
2891 Typical use now becomes:
2893 if (atomicio(read, ..., len) != len)
2896 ok deraadt@, cloder@, djm@
2897 - (dtucker) [regress/reexec.sh] Add ${EXEEXT} so this test also works on
2899 - (dtucker) [auth-pam.c] Bug #1033: Fix warnings building with PAM on Linux:
2900 warning: dereferencing type-punned pointer will break strict-aliasing rules
2901 warning: passing arg 3 of `pam_get_item' from incompatible pointer type
2902 The type-punned pointer fix is based on a patch from SuSE's rpm. ok djm@
2903 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Bug #1033: Provide
2904 templates for _getshort and _getlong if missing to prevent compiler warnings
2906 - (djm) [configure.ac openbsd-compat/Makefile.in]
2907 [openbsd-compat/openbsd-compat.h openbsd-compat/strtonum.c]
2908 Add strtonum(3) from OpenBSD libc, new code needs it.
2909 Unfortunately Linux forces us to do a bizarre dance with compiler
2910 options to get LLONG_MIN/MAX; Spotted by and ok dtucker@
2913 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
2914 [contrib/suse/openssh.spec] Update spec file versions to 4.1p1
2915 - (dtucker) [auth-pam.c] Since people don't seem to be getting the message
2916 that USE_POSIX_THREADS is unsupported, not recommended and generally a bad
2917 idea, it is now known as UNSUPPORTED_POSIX_THREADS_HACK. Attempting to use
2918 USE_POSIX_THREADS will now generate an error so we don't silently change
2920 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Ensure sufficient memory
2921 allocation when retrieving core Windows environment. Add CYGWIN variable
2922 to propagated variables. Patch from vinschen at redhat.com, ok djm@
2926 - (djm) [openbsd-compat/readpassphrase.c] bz #950: Retry tcsetattr to ensure
2927 terminal modes are reset correctly. Fix from peak AT argo.troja.mff.cuni.cz;
2931 - (tim) [buildpkg.sh.in] missing ${PKG_INSTALL_ROOT} in init script
2932 hard link section. Bug 1038.
2935 - (dtucker) [contrib/cygwin/ssh-host-config] Add a test and warning for
2936 user-mode mounts in Cygwin installation. Patch from vinschen at redhat.com.
2939 - (djm) [ssh.c] some systems return EADDRINUSE on a bind to an already-used
2940 unix domain socket, so catch that too; from jakob@ ok dtucker@
2943 - (dtucker) [canohost.c] normalise socket addresses returned by
2944 get_remote_hostname(). This means that IPv4 addresses in log messages
2945 on IPv6 enabled machines will no longer be prefixed by "::ffff:" and
2946 AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style
2947 addresses only for 4-in-6 mapped connections, regardless of whether
2948 or not the machine is IPv6 enabled. ok djm@
2951 - (dtucker) [regress/multiplex.sh] Use "kill -0 $pid" to check for the
2952 existence of a process since it's more portable. Found by jbasney at
2953 ncsa.uiuc.edu; ok tim@
2954 - (dtucker) [regress/multiplex.sh] Remove cleanup call since test-exec.sh
2955 will clean up anyway. From tim@
2956 - (dtucker) [regress/multiplex.sh] Put control socket in /tmp so running
2957 "make tests" works even if you're building on a filesystem that doesn't
2958 support sockets. From deengert at anl.gov, ok djm@
2961 - (dtucker) [INSTALL configure.ac] Make zlib version check test for 1.1.4 or
2962 1.2.1.2 or higher. With tim@, ok djm@
2965 - (tim) [config.guess] Add support for OpenServer 6.
2968 - (dtucker) [session.c] Bug #1024: Don't check pam_session_is_open if
2969 UseLogin is set as PAM is not used to establish credentials in that
2970 case. Found by Michael Selvesteen, ok djm@
2973 - (dtucker) [INSTALL] Reference README.privsep for the privilege separation
2974 requirements. Pointed out by Bengt Svensson.
2975 - (dtucker) [INSTALL] Put the s/key text and URL back together.
2976 - (dtucker) [INSTALL] Fix s/key text too.
2979 - (tim) [configure.ac] UnixWare needs PASSWD_NEEDS_USERNAME
2982 - (dtucker) [configure.ac] Define HAVE_SO_PEERCRED if we have it. ok djm@
2983 - (dtucker) [auth-sia.c] Constify sys_auth_passwd, fixes build error on
2984 Tru64. Patch from cmadams at hiwaay.net.
2985 - (dtucker) [auth-passwd.c auth-sia.h] Remove duplicate definitions of
2986 sys_auth_passwd, pointed out by cmadams at hiwaay.net.
2989 - (djm) OpenBSD CVS Sync
2990 - deraadt@cvs.openbsd.org 2005/03/31 18:39:21
2992 copy argv[] element instead of smashing the one that ps will see; ok otto
2993 - djm@cvs.openbsd.org 2005/04/02 12:41:16
2995 since ssh has xstrdup, use it instead of strdup+test. unbreaks -Werror
2997 - (dtucker) [monitor.c] Don't free buffers in audit functions, monitor_read
2998 will free as needed. ok tim@ djm@
3001 - (dtucker) OpenBSD CVS Sync
3002 - jmc@cvs.openbsd.org 2005/03/16 11:10:38
3004 get the syntax right for {Local,Remote}Forward;
3005 based on a diff from markus;
3006 problem report from ponraj;
3007 ok dtucker@ markus@ deraadt@
3008 - markus@cvs.openbsd.org 2005/03/16 21:17:39
3011 - jmc@cvs.openbsd.org 2005/03/18 17:05:00
3014 - (dtucker) [auth.h sshd.c openbsd-compat/port-aix.c] Bug #1006: fix bug in
3015 handling of password expiry messages returned by AIX's authentication
3016 routines, originally reported by robvdwal at sara.nl.
3017 - (dtucker) [ssh.c] Prevent null pointer deref in port forwarding debug
3018 message on some platforms. Patch from pete at seebeyond.com via djm.
3019 - (dtucker) [monitor.c] Remaining part of fix for bug #1006.
3022 - (dtucker) [contrib/aix/buildbff.sh] Bug #1005: Look up only the user we're
3023 interested in which is much faster in large (eg LDAP or NIS) environments.
3024 Patch from dleonard at vintela.com.
3027 - (dtucker) [configure.ac] Prevent configure --with-zlib from adding -Iyes
3028 and -Lyes to CFLAGS and LIBS. Pointed out by peter at slagheap.net,
3030 - (dtucker) [configure.ac] Make configure error out if the user specifies
3031 --with-libedit but the required libs can't be found, rather than silently
3032 ignoring and continuing. ok tim@
3033 - (dtucker) [configure.ac openbsd-compat/port-aix.h] Prevent redefinitions
3034 of setauthdb on AIX 5.3, reported by anders.liljegren at its.uu.se.
3037 - (tim) [configure.ac] Bug 998. Make path for --with-opensc optional.
3038 Make --without-opensc work.
3039 - (tim) [configure.ac] portability changes on test statements. Some shells
3040 have problems with -a operator.
3041 - (tim) [configure.ac] make some configure options a little more error proof.
3042 - (tim) [configure.ac] remove trailing white space.
3045 - (dtucker) OpenBSD CVS Sync
3046 - dtucker@cvs.openbsd.org 2005/03/10 10:15:02
3048 Check listen addresses for null, prevents xfree from dying during
3049 ClearAllForwardings (bz #996). From Craig Leres, ok markus@
3050 - deraadt@cvs.openbsd.org 2005/03/10 22:01:05
3051 [misc.c ssh-keygen.c servconf.c clientloop.c auth-options.c ssh-add.c
3052 monitor.c sftp-client.c bufaux.h hostfile.c ssh.c sshconnect.c channels.c
3053 readconf.c bufaux.c sftp.c]
3055 - deraadt@cvs.openbsd.org 2005/03/10 22:40:38
3058 - markus@cvs.openbsd.org 2005/03/11 14:59:06
3060 typo, missing \n; mpech
3061 - jmc@cvs.openbsd.org 2005/03/12 11:55:03
3063 escape `.' at eol to avoid double spacing issues;
3064 - dtucker@cvs.openbsd.org 2005/03/14 10:09:03
3066 Correct description of -H (bz #997); ok markus@, punctuation jmc@
3067 - dtucker@cvs.openbsd.org 2005/03/14 11:44:42
3069 Populate host for log message for logins denied by AllowUsers and
3070 DenyUsers (bz #999); ok markus@ (patch by tryponraj at gmail.com)
3071 - markus@cvs.openbsd.org 2005/03/14 11:46:56
3072 [buffer.c buffer.h channels.c]
3073 limit input buffer size for channels; bugzilla #896; with and ok dtucker@
3074 - (tim) [contrib/caldera/openssh.spec] links in rc?.d were getting trashed
3078 - (dtucker) [contrib/cygwin/ssh-host-config] Makes the query for the
3079 localized name of the local administrators group more reliable. From
3080 vinschen at redhat.com.
3083 - (dtucker) [regress/test-exec.sh] DEBUG can cause problems where debug
3084 output ends up in the client's output, causing regress failures. Found
3085 by Corinna Vinschen.
3088 - (dtucker) [regress/test-exec.sh] Set BIN_SH=xpg4 on OSF1/Digital Unix/Tru64
3089 so that regress tests behave. From Chris Adams.
3090 - (djm) OpenBSD CVS Sync
3091 - jmc@cvs.openbsd.org 2005/03/07 23:41:54
3092 [ssh.1 ssh_config.5]
3093 more macro simplification;
3094 - djm@cvs.openbsd.org 2005/03/08 23:49:48
3097 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
3098 [contrib/suse/openssh.spec] Update spec file versions
3099 - (djm) [log.c] Fix dumb syntax error; ok dtucker@
3100 - (djm) Release OpenSSH 4.0p1
3103 - (dtucker) [configure.ac] Disable gettext search when configuring with
3104 BSM audit support for the time being. ok djm@
3105 - (dtucker) OpenBSD CVS Sync (regress/)
3106 - fgsch@cvs.openbsd.org 2004/12/10 01:31:30
3107 [Makefile sftp-glob.sh]
3108 some globbing regress; prompted and ok djm@
3109 - david@cvs.openbsd.org 2005/01/14 04:21:18
3110 [Makefile test-exec.sh]
3111 pass the SUDO make variable to the individual sh tests; ok dtucker@ markus@
3112 - dtucker@cvs.openbsd.org 2005/02/27 11:33:30
3113 [multiplex.sh test-exec.sh sshd-log-wrapper.sh]
3114 Add optional capability to log output from regress commands; ok markus@
3115 Use with: make TEST_SSH_LOGFILE=/tmp/regress.log
3116 - djm@cvs.openbsd.org 2005/02/27 23:13:36
3118 avoid nameservice lookups in regress test; ok dtucker@
3119 - djm@cvs.openbsd.org 2005/03/04 08:48:46
3120 [Makefile envpass.sh]
3121 regress test for SendEnv config parsing bug; ok dtucker@
3122 - (dtucker) [regress/test-exec.sh] Put SUDO in the right place.
3123 - (tim) [configure.ac] SCO 3.2v4.2 no longer supported.
3126 - (dtucker) [monitor.c] Bug #125 comment #47: fix errors returned by monitor
3127 when attempting to audit disconnect events. Reported by Phil Dibowitz.
3128 - (dtucker) [session.c sshd.c] Bug #125 comment #49: Send disconnect audit
3129 events earlier, prevents mm_request_send errors reported by Matt Goebel.
3132 - (djm) [contrib/cygwin/README] Improve Cygwin build documentation. Patch
3133 from vinschen at redhat.com
3134 - (djm) OpenBSD CVS Sync
3135 - jmc@cvs.openbsd.org 2005/03/02 11:45:01
3138 - djm@cvs.openbsd.org 2005/03/04 08:48:06
3140 fix SendEnv config parsing bug found by Roumen Petrov; ok dtucker@
3143 - (djm) OpenBSD CVS sync:
3144 - jmc@cvs.openbsd.org 2005/03/01 14:47:58
3146 remove some unnecessary macros;
3147 do not mark up punctuation;
3148 - jmc@cvs.openbsd.org 2005/03/01 14:55:23
3150 do not mark up punctuation;
3152 - jmc@cvs.openbsd.org 2005/03/01 14:59:49
3154 new sentence, new line;
3156 - jmc@cvs.openbsd.org 2005/03/01 15:05:00
3159 - jmc@cvs.openbsd.org 2005/03/01 15:47:14
3160 [ssh-keyscan.1 ssh-keyscan.c]
3161 sort options and sync usage();
3162 - jmc@cvs.openbsd.org 2005/03/01 17:19:35
3164 add HashKnownHosts to -o list;
3166 - jmc@cvs.openbsd.org 2005/03/01 17:22:06
3168 sync usage() w/ man SYNOPSIS;
3170 - jmc@cvs.openbsd.org 2005/03/01 17:32:19
3173 - jmc@cvs.openbsd.org 2005/03/01 18:15:56
3175 sort options (no attempt made at synopsis clean up though);
3176 spelling (occurance -> occurrence);
3177 use prompt before examples;
3179 - djm@cvs.openbsd.org 2005/03/02 01:00:06
3181 fix addition of new hashed hostnames when CheckHostIP=yes;
3182 found and ok dtucker@
3183 - djm@cvs.openbsd.org 2005/03/02 01:27:41
3185 ignore hostnames with metachars when hashing; ok deraadt@
3186 - djm@cvs.openbsd.org 2005/03/02 02:21:07
3188 bz#987: mention ForwardX11Trusted in ssh.1,
3189 reported by andrew.benham AT thus.net; ok deraadt@
3190 - (tim) [regress/agent-ptrace.sh] add another possible gdb error.
3193 - (djm) OpenBSD CVS sync:
3194 - otto@cvs.openbsd.org 2005/02/16 09:56:44
3196 Better diagnostic if an identity file is not accessible. ok markus@ djm@
3197 - djm@cvs.openbsd.org 2005/02/18 03:05:53
3199 better error messages for getnameinfo failures; ok dtucker@
3200 - djm@cvs.openbsd.org 2005/02/20 22:59:06
3202 turn on ssh batch mode when in sftp batch mode, patch from
3203 jdmossh AT nand.net;
3205 - jmc@cvs.openbsd.org 2005/02/25 10:55:13
3207 add /etc/motd and $HOME/.hushlogin to FILES;
3208 from michael knudsen;
3209 - djm@cvs.openbsd.org 2005/02/28 00:54:10
3211 bz#849: document timeout on untrusted x11 forwarding sessions. Reported by
3212 orion AT cora.nwra.com; ok markus@
3213 - djm@cvs.openbsd.org 2005/03/01 10:09:52
3214 [auth-options.c channels.c channels.h clientloop.c compat.c compat.h]
3215 [misc.c misc.h readconf.c readconf.h servconf.c ssh.1 ssh.c ssh_config.5]
3217 bz#413: allow optional specification of bind address for port forwardings.
3218 Patch originally by Dan Astorian, but worked on by several people
3219 Adds GatewayPorts=clientspecified option on server to allow remote
3220 forwards to bind to client-specified ports.
3221 - djm@cvs.openbsd.org 2005/03/01 10:40:27
3222 [hostfile.c hostfile.h readconf.c readconf.h ssh.1 ssh_config.5]
3223 [sshconnect.c sshd.8]
3224 add support for hashing host names and addresses added to known_hosts
3225 files, to improve privacy of which hosts user have been visiting; ok
3227 - djm@cvs.openbsd.org 2005/03/01 10:41:28
3228 [ssh-keyscan.1 ssh-keyscan.c]
3229 option to hash hostnames output by ssh-keyscan; ok markus@ deraadt@
3230 - djm@cvs.openbsd.org 2005/03/01 10:42:49
3231 [ssh-keygen.1 ssh-keygen.c ssh_config.5]
3232 add tools for managing known_hosts files with hashed hostnames, including
3233 hashing existing files and deleting hosts by name; ok markus@ deraadt@
3236 - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c]
3237 Remove two obsolete Cygwin #ifdefs. Patch from vinschen at redhat.com.
3238 - (dtucker) [acconfig.h configure.ac openbsd-compat/bsd-misc.{c,h}]
3239 Remove SETGROUPS_NOOP, was only used by Cygwin, which doesn't need it any
3240 more. Patch from vinschen at redhat.com.
3241 - (dtucker) [Makefile.in] Add an install-nosysconf target for installing the
3242 binaries without the config files. Primarily useful for packaging.
3243 Patch from phil at usc.edu. ok djm@
3246 - (djm) [configure.ac] in_addr_t test needs sys/types.h too
3249 - (dtucker) [uidswap.c] Skip uid restore test on Cygwin. Patch from
3250 vinschen at redhat.com.
3253 - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac
3254 defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support. Configure
3255 --with-audit=bsm to enable. Patch originally from Sun Microsystems,
3256 parts by John R. Jackson. ok djm@
3257 - (dtucker) [configure.ac] Missing comma in AIX section, somehow causes
3258 unrelated platforms to be configured incorrectly.
3261 - (djm) write seed to temporary file and atomically rename into place;
3263 - (dtucker) [ssh-rand-helper.c] Provide seed_rng since it may be called
3264 via mkstemp in some configurations. ok djm@
3265 - (dtucker) [auth-shadow.c] Prevent compiler warnings if "DAY" is defined
3266 by the system headers.
3267 - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant
3268 Unix; prevents problems relating to the location of -lresolv in the
3270 - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
3271 authentication early enough to be available to PAM session modules when
3272 privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam
3273 Hartman and similar to Debian's ssh-krb5 package.
3274 - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more
3275 compiler warnings on AIX.
3278 - (dtucker) [config.sh.in] Collect oslevel -r too.
3279 - (dtucker) [README.platform auth.c configure.ac loginrec.c
3280 openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6
3281 on AIX where possible (see README.platform for details) and work around
3282 a misfeature of AIX's getnameinfo. ok djm@
3283 - (dtucker) [loginrec.c] Add missing #include.
3286 - (dtucker) [configure.ac] Tidy up configure --help output.
3287 - (dtucker) [openbsd-compat/fake-rfc2553.h] We now need EAI_SYSTEM too.
3290 - (dtucker) [configure.ac] Bug #919: Provide visible feedback for the
3291 --disable-etc-default-login configure option.
3294 - (dtucker) OpenBSD CVS Sync
3295 - dtucker@cvs.openbsd.org 2005/01/28 09:45:53
3297 Make it clear that the example entries in ssh_config are only some of the
3298 commonly-used options and refer the user to ssh_config(5) for more
3300 - jmc@cvs.openbsd.org 2005/01/28 15:05:43
3303 - jmc@cvs.openbsd.org 2005/01/28 18:14:09
3307 - dtucker@cvs.openbsd.org 2005/01/30 11:18:08
3309 Make code match intent; ok djm@
3310 - dtucker@cvs.openbsd.org 2005/02/08 22:24:57
3312 Provide reason in error message if getnameinfo fails; ok markus@
3313 - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call
3314 disable_forwarding() from compat library. Prevent linker errors trying
3315 to resolve it for binaries other than sshd. ok djm@
3316 - (dtucker) [configure.ac] Bug #854: prepend pwd to relative --with-ssl-dir
3318 - (dtucker) [configure.ac session.c] Some platforms (eg some SCO) require
3319 the username to be passed to the passwd command when changing expired
3323 - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the
3324 regress tests so newer versions of GNU head(1) behave themselves. Patch
3326 - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings.
3327 - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c
3328 monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
3329 defines and enums with SSH_ to prevent namespace collisions on some
3333 - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too.
3334 - (dtucker) [auth.c] Fix parens in audit log check.
3337 - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath
3338 rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@
3339 - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}]
3340 Make record_failed_login() call provide hostname rather than having the
3341 implementations having to do lookups themselves. Only affects AIX and
3342 UNICOS (the latter only uses the "user" parameter anyway). ok djm@
3343 - (dtucker) [session.c sshd.c] Bug #445: Propagate KRB5CCNAME if set to the child
3344 process. Since we also unset KRB5CCNAME at startup, if it's set after
3345 authentication it must have been set by the platform's native auth system.
3346 This was already done for AIX; this enables it for the general case.
3347 - (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c]
3348 Bug #974: Teach sshd to write failed login records to btmp for failed auth
3349 attempts (currently only for password, kbdint and C/R, only on Linux and
3350 HP-UX), based on code from login.c from util-linux. With ashok_kovai at
3351 hotmail.com, ok djm@
3352 - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c
3353 monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
3354 (first stage) Add audit instrumentation to sshd, currently disabled by
3355 default. with suggestions from and ok djm@
3358 - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some
3359 platforms syslog will revert to its default values. This may result in
3360 messages from external libraries (eg libwrap) being sent to a different
3362 - (dtucker) [sshd_config.5] Bug #701: remove warning about
3363 keyboard-interactive since this is no longer the case.
3366 - (dtucker) OpenBSD CVS Sync
3367 - otto@cvs.openbsd.org 2005/01/21 08:32:02
3368 [auth-passwd.c sshd.c]
3369 Warn in advance for password and account expiry; initialize loginmsg
3370 buffer earlier and clear it after privsep fork. ok and help dtucker@
3372 - dtucker@cvs.openbsd.org 2005/01/22 08:17:59
3374 Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
3375 DenyGroups. bz #909, ok djm@
3376 - djm@cvs.openbsd.org 2005/01/23 10:18:12
3378 config option "Ciphers" should be case-sensitive; ok dtucker@
3379 - dtucker@cvs.openbsd.org 2005/01/24 10:22:06
3381 Have scp and sftp wait for the spawned ssh to exit before they exit
3382 themselves. This prevents ssh from being unable to restore terminal
3383 modes (not normally a problem on OpenBSD but common with -Portable
3384 on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
3386 - dtucker@cvs.openbsd.org 2005/01/24 10:29:06
3388 Import new moduli; requested by deraadt@ a week ago
3389 - dtucker@cvs.openbsd.org 2005/01/24 11:47:13
3391 #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@
3394 - (dtucker) OpenBSD CVS Sync
3395 - markus@cvs.openbsd.org 2004/12/23 17:35:48
3397 check for NULL; from mpech
3398 - markus@cvs.openbsd.org 2004/12/23 17:38:07
3401 - djm@cvs.openbsd.org 2004/12/23 23:11:00
3402 [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
3403 bz #898: support AddressFamily in sshd_config. from
3404 peak@argo.troja.mff.cuni.cz; ok deraadt@
3405 - markus@cvs.openbsd.org 2005/01/05 08:51:32
3407 remove dead code, log connect() failures with level error, ok djm@
3408 - jmc@cvs.openbsd.org 2005/01/08 00:41:19
3410 `login'(n) -> `log in'(v);
3411 - dtucker@cvs.openbsd.org 2005/01/17 03:25:46
3413 Correct spelling: SCHNOOR->SCHNORR; ok djm@
3414 - dtucker@cvs.openbsd.org 2005/01/17 22:48:39
3416 Make debugging output continue after reexec; ok djm@
3417 - dtucker@cvs.openbsd.org 2005/01/19 13:11:47
3418 [auth-bsdauth.c auth2-chall.c]
3419 Have keyboard-interactive code call the drivers even for responses for
3420 invalid logins. This allows the drivers themselves to decide how to
3421 handle them and prevent leaking information where possible. Existing
3422 behaviour for bsdauth is maintained by checking authctxt->valid in the
3423 bsdauth driver. Note that any third-party kbdint drivers will now need
3424 to be able to handle responses for invalid logins. ok markus@
3425 - djm@cvs.openbsd.org 2004/12/22 02:13:19
3426 [cipher-ctr.c cipher.c]
3427 remove fallback AES support for old OpenSSL, as OpenBSD has had it for
3428 many years now; ok deraadt@
3429 (Id sync only: Portable will continue to support older OpenSSLs)
3430 - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
3431 existence via keyboard-interactive/pam, in conjunction with previous
3432 auth2-chall.c change; with Colin Watson and djm.
3433 - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128
3434 bytes to prevent errors from login_init_entry() when the username is
3435 exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@
3436 - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
3437 the list of available kbdint devices if UsePAM=no. ok djm@
3440 - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
3441 "make survey" and "make send-survey". This will provide data on the
3442 configure parameters, platform and platform features to the development
3443 team, which will allow (among other things) better targeting of testing.
3444 It's entirely voluntary and is off by default. ok djm@
3445 - (dtucker) [survey.sh.in] Remove any blank lines from the output of
3446 ccver-v and ccver-V.
3449 - (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading
3450 from prngd is enabled at compile time but fails at run time, eg because
3451 prngd is not running. Note that if you have prngd running when OpenSSH is
3452 built, OpenSSL will consider itself internally seeded and rand-helper won't
3453 be built at all unless explicitly enabled via --with-rand-helper. ok djm@
3454 - (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since
3455 on some wacky platforms (eg old AIXes), dd will refuse to create an output
3456 file if it doesn't exist.
3459 - (dtucker) [contrib/findssh.sh] Clean up on interrupt; from
3460 amarendra.godbole at ge com.
3463 - (dtucker) OpenBSD CVS Sync
3464 - markus@cvs.openbsd.org 2004/12/06 16:00:43
3466 use 0x00 not \0 since buf[] is a bignum
3467 - fgsch@cvs.openbsd.org 2004/12/10 03:10:42
3469 - fix globbed ls for paths the same length as the globbed path when
3470 we have a unique matching.
3471 - fix globbed ls in case of a directory when we have a unique matching.
3472 - as a side effect, if the path does not exist error (used to silently
3474 - don't do extra do_lstat() if we only have one matching file.
3476 - dtucker@cvs.openbsd.org 2004/12/11 01:48:56
3477 [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h]
3478 Fix debug call in error path of authorized_keys processing and fix related
3482 - (tim) [configure.ac] Comment some non obvious platforms in the
3483 target-specific case statement. Suggested and OK by dtucker@
3486 - (dtucker) [regress/scp.sh] Use portable-friendly $DIFFOPTs in new test.
3489 - (dtucker) [TODO WARNING.RNG] Update to reflect current reality. ok djm@
3490 - (dtucker) OpenBSD CVS Sync
3491 - markus@cvs.openbsd.org 2004/11/25 22:22:14
3492 [sftp-client.c sftp.c]
3494 - jmc@cvs.openbsd.org 2004/11/29 00:05:17
3497 - djm@cvs.openbsd.org 2004/11/29 07:41:24
3498 [sftp-client.h sftp.c]
3499 Some small fixes from moritz@jodeit.org. ok deraadt@
3500 - jaredy@cvs.openbsd.org 2004/12/05 23:55:07
3502 - explain that patterns can be used as arguments in get/put/ls/etc
3503 commands (prodded by Michael Knudsen)
3504 - describe ls flags as a list
3505 - other minor improvements
3507 - dtucker@cvs.openbsd.org 2004/12/06 11:41:03
3508 [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
3509 Discard over-length authorized_keys entries rather than complaining when
3510 they don't decode. bz #884, with & ok djm@
3511 - (dtucker) OpenBSD CVS Sync (regress/)
3512 - djm@cvs.openbsd.org 2004/06/26 06:16:07
3514 don't change the name of the copied sshd for the reexec fallback test,
3515 makes life simpler for portable
3516 - dtucker@cvs.openbsd.org 2004/07/08 12:59:35
3518 Regress test for bz #863 (scp double-error), requires $SUDO. ok markus@
3519 - david@cvs.openbsd.org 2004/07/09 19:45:43
3521 add a missing CLEANFILES used in the re-exec test
3522 - djm@cvs.openbsd.org 2004/10/08 02:01:50
3524 shrink and tidy; ok dtucker@
3525 - djm@cvs.openbsd.org 2004/10/29 23:59:22
3526 [Makefile added brokenkeys.sh]
3527 regression test for handling of corrupt keys in authorized_keys file
3528 - djm@cvs.openbsd.org 2004/11/07 00:32:41
3530 regression tests for new multiplex commands
3531 - dtucker@cvs.openbsd.org 2004/11/25 09:39:27
3533 Remove obsolete RhostsAuthentication from test config; ok markus@
3534 - dtucker@cvs.openbsd.org 2004/12/06 10:49:56
3536 Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@
3539 - (dtucker) OpenBSD CVS Sync
3540 - jmc@cvs.openbsd.org 2004/11/07 17:42:36
3542 options sort, and whitespace;
3543 - jmc@cvs.openbsd.org 2004/11/07 17:57:30
3547 - sync -S w/ manpage
3549 - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
3550 subsequently denied by the PAM auth stack, send the PAM message to the
3551 user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
3555 - (dtucker) OpenBSD CVS Sync
3556 - djm@cvs.openbsd.org 2004/11/05 12:19:56
3558 command editing and history support via libedit; ok markus@
3559 thanks to hshoexer@ and many testers on tech@ too
3560 - djm@cvs.openbsd.org 2004/11/07 00:01:46
3561 [clientloop.c clientloop.h ssh.1 ssh.c]
3562 add basic control of a running multiplex master connection; including the
3563 ability to check its status and request it to exit; ok markus@
3564 - (dtucker) [INSTALL Makefile.in configure.ac] Add --with-libedit configure
3565 option and supporting makefile bits and documentation.
3568 - (dtucker) OpenBSD CVS Sync
3569 - markus@cvs.openbsd.org 2004/08/30 09:18:08
3572 - jmc@cvs.openbsd.org 2004/08/30 21:22:49
3574 .Xsession -> .xsession;
3575 originally from a pr from f at obiit dot org, but missed by myself;
3576 ok markus@ matthieu@
3577 - djm@cvs.openbsd.org 2004/09/07 23:41:30
3578 [clientloop.c ssh.c]
3579 cleanup multiplex control socket on SIGHUP too, spotted by sturm@
3581 - deraadt@cvs.openbsd.org 2004/09/15 00:46:01
3583 /* fallthrough */ is something a programmer understands. But
3584 /* FALLTHROUGH */ is also understood by lint, so that is better.
3585 - jaredy@cvs.openbsd.org 2004/09/15 03:25:41
3587 mention PrintLastLog only prints last login time for interactive
3588 sessions, like PrintMotd mentions.
3589 From Michael Knudsen, with wording changed slightly to match the
3590 PrintMotd description.
3592 - mickey@cvs.openbsd.org 2004/09/15 18:42:27
3594 use less doubles in daemons; markus@ ok
3595 - deraadt@cvs.openbsd.org 2004/09/15 18:46:04
3597 scratch that do { } while (0) wrapper in this case
3598 - djm@cvs.openbsd.org 2004/09/23 13:00:04
3600 correctly honour -n in multiplex client mode; spotted by sturm@ ok markus@
3601 - djm@cvs.openbsd.org 2004/09/25 03:45:14
3603 these printf args are no longer double; ok deraadt@ markus@
3604 - djm@cvs.openbsd.org 2004/10/07 10:10:24
3605 [scp.1 sftp.1 ssh.1 ssh_config.5]
3606 document KbdInteractiveDevices; ok markus@
3607 - djm@cvs.openbsd.org 2004/10/07 10:12:36
3609 don't unlink agent socket when bind() fails, spotted by rich AT
3610 rich-paul.net, ok markus@
3611 - markus@cvs.openbsd.org 2004/10/20 11:48:53
3613 disconnect for invalid (out of range) message types.
3614 - djm@cvs.openbsd.org 2004/10/29 21:47:15
3615 [channels.c channels.h clientloop.c]
3616 fix some window size change bugs for multiplexed connections: window sizes
3617 were not being updated if they had changed after ~^Z suspends and SIGWINCH
3618 was not being processed unless the first connection had requested a tty;
3620 - djm@cvs.openbsd.org 2004/10/29 22:53:56
3621 [clientloop.c misc.h readpass.c ssh-agent.c]
3622 factor out common permission-asking code to separate function; ok markus@
3623 - djm@cvs.openbsd.org 2004/10/29 23:56:17
3624 [bufaux.c bufaux.h buffer.c buffer.h]
3625 introduce a new buffer API that returns an error rather than fatal()ing
3626 when presented with bad data; ok markus@
3627 - djm@cvs.openbsd.org 2004/10/29 23:57:05
3629 use new buffer API to avoid fatal errors on corrupt keys in authorized_keys
3633 - (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX
3634 10.x by testing for conflicts in shadow.h and undef'ing _INCLUDE__STDC__
3635 only if a conflict is detected.
3638 - (dtucker) [uidswap.c] Don't test dropping of gids for the root user or
3639 on Cygwin. Cygwin parts from vinschen at redhat com; ok djm@
3642 - (djm) [auth-pam.c] snprintf->strl*, fix server message length calculations;
3646 - (dtucker) [README.privsep] Bug #939: update info about HP-UX Trusted Mode
3647 and other PAM platforms.
3648 - (dtucker) [monitor_mm.c openbsd-compat/xmmap.c] Bug #940: cast constants
3649 to void * to appease picky compilers (eg Tru64's "cc -std1").
3652 - (dtucker) [configure.ac] Set AC_PACKAGE_NAME. ok djm@
3655 - (dtucker) [openbsd-compat/bsd-snprintf.c] Previous change was off by one,
3656 which could have caused the justification to be wrong. ok djm@
3659 - (dtucker) [openbsd-compat/bsd-snprintf.c] Check for max length too.
3661 - (dtucker) [contrib/cygwin/ssh-host-config] Update to match current Cygwin
3662 install process. Patch from vinschen at redhat.com.
3665 - (djm) [loginrec.c] Start KNF and tidy up of this long-neglected file.
3666 No change in resultant binary
3667 - (djm) [loginrec.c] __func__ify
3668 - (djm) [loginrec.c] xmalloc
3669 - (djm) [ssh.c sshd.c version.h] Don't divulge portable version in protocol
3670 banner. Suggested by deraadt@, ok mouring@, dtucker@
3671 - (dtucker) [configure.ac] Fix incorrect quoting and tests for cross-compile.
3672 Partly by & ok djm@.
3675 - (djm) [ssh-agent.c] unifdef some cygwin code; ok dtucker@
3676 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #890: Send output from
3677 failing PAM session modules to user then exit, similar to the way
3678 /etc/nologin is handled. ok djm@
3679 - (dtucker) [auth-pam.c] Relocate sshpam_store_conv(), no code change.
3680 - (djm) [auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c]
3681 Make cygwin code more consistent with that which surrounds it
3682 - (dtucker) [auth-pam.c auth.h auth2-none.c auth2.c monitor.c monitor_wrap.c]
3683 Bug #892: Send messages from failing PAM account modules to the client via
3684 SSH2_MSG_USERAUTH_BANNER messages. Note that this will not happen with
3685 SSH2 kbdint authentication, which needs to be dealt with separately. ok djm@
3686 - (dtucker) [session.c] Bug #927: make .hushlogin silent again. ok djm@
3687 - (dtucker) [configure.ac] Bug #321: Add cross-compile support to configure.
3688 Parts by chua at ayrnetworks.com, astrand at lysator.liu.se and me. ok djm@
3689 - (dtucker) [auth-krb5.c] Bug #922: Pass KRB5CCNAME to PAM. From deengert
3693 - (dtucker) [session.c openbsd-compat/bsd-cygwin_util.{c,h}] Bug #915: only
3694 copy required environment variables on Cygwin. Patch from vinschen at
3696 - (dtucker) [regress/Makefile] Clean scp-ssh-wrapper.scp too. Patch from
3697 vinschen at redhat.com.
3698 - (dtucker) [Makefile.in contrib/ssh-copy-id] Bug #894: Improve portability
3699 of shell constructs. Patch from cjwatson at debian.org.
3702 - (dtucker) [openbsd-compat/getrrsetbyname.c] Prevent getrrsetbyname from
3703 failing with NOMEMORY if no sigs are returned and malloc(0) returns NULL.
3704 From Martin.Kraemer at Fujitsu-Siemens.com; ok djm@
3705 - (dtucker) OpenBSD CVS Sync
3706 - djm@cvs.openbsd.org 2004/08/23 11:48:09
3708 fix error path, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
3709 - djm@cvs.openbsd.org 2004/08/23 11:48:47
3711 typo, spotted by Martin.Kraemer AT Fujitsu-Siemens.com; ok markus
3712 - dtucker@cvs.openbsd.org 2004/08/23 14:26:38
3713 [ssh-keysign.c ssh.c]
3714 Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
3715 change in Portable; ok markus@ (CVS ID sync only)
3716 - dtucker@cvs.openbsd.org 2004/08/23 14:29:23
3718 Remove duplicate getuid(), suggested by & ok markus@
3719 - markus@cvs.openbsd.org 2004/08/26 16:00:55
3721 get rid of references to rhosts authentication; with jmc@
3722 - djm@cvs.openbsd.org 2004/08/28 01:01:48
3724 don't erroneously close stdin for !reexec case, from Dave Johnson;
3726 - (dtucker) [configure.ac] Include sys/stream.h in sys/ptms.h header check,
3727 fixes configure warning on Solaris reported by wknox at mitre.org.
3728 - (dtucker) [regress/multiplex.sh] Skip test on platforms that do not
3729 support FD passing since multiplex requires it. Noted by tim@
3730 - (dtucker) [regress/dynamic-forward.sh] Allow time for connections to be torn
3731 down, needed on some platforms, should be harmless on others. Patch from
3732 jason at devrandom.org.
3733 - (dtucker) [regress/scp.sh] Make this work on Cygwin too, which doesn't like
3734 files ending in .exe that aren't binaries; patch from vinschen at redhat.com.
3735 - (dtucker) [Makefile.in] Get regress/Makefile symlink right for out-of-tree
3736 builds too, from vinschen at redhat.com.
3737 - (dtucker) [regress/agent-ptrace.sh] Skip ptrace test on OSF1/DUnix/Tru64
3738 too; patch from cmadams at hiwaay.net.
3739 - (dtucker) [configure.ac] Replace non-portable echo \n with extra echo.
3740 - (dtucker) [openbsd-compat/port-aix.c] Bug #712: Explicitly check for
3741 accounts with authentication configs that sshd can't support (ie
3742 SYSTEM=NONE and AUTH1=something).
3745 - (dtucker) [openbsd-compat/mktemp.c] Remove superfluous Cygwin #ifdef; from
3746 vinschen at redhat.com.
3749 - (djm) [ssh-rand-helper.c] Typo. Found by
3750 Martin.Kraemer AT Fujitsu-Siemens.com
3751 - (djm) [loginrec.c] Typo and bad args in error messages; Spotted by
3752 Martin.Kraemer AT Fujitsu-Siemens.com
3755 - (dtucker) [regress/README.regress] Note compatibility issues with GNU head.
3756 - (djm) OpenBSD CVS Sync
3757 - markus@cvs.openbsd.org 2004/08/16 08:17:01
3760 - (djm) Crank RPM spec version numbers
3761 - (djm) Release 3.9p1
3764 - (dtucker) [acconfig.h auth-pam.c configure.ac] Set real uid to non-root
3765 to convince Solaris PAM to honour password complexity rules. ok djm@
3768 - (dtucker) [Makefile.in ssh-keysign.c ssh.c] Use permanently_set_uid() since
3769 it does the right thing on all platforms. ok djm@
3770 - (djm) [acconfig.h configure.ac openbsd-compat/Makefile.in
3771 openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-misc.c
3772 openbsd-compat/bsd-misc.h openbsd-compat/openbsd-compat.h] Use smarter
3773 closefrom() replacement from sudo; ok dtucker@
3774 - (djm) [loginrec.c] Check that seek succeeded here too; ok dtucker
3775 - (dtucker) [Makefile.in] Fix typo.
3778 - (dtucker) [auth-krb5.c gss-serv-krb5.c openbsd-compat/xmmap.c]
3779 Explicitly set umask for mkstemp; ok djm@
3780 - (dtucker) [includes.h] Undef _INCLUDE__STDC__ on HP-UX, otherwise
3781 prot.h and shadow.h provide conflicting declarations of getspnam. ok djm@
3782 - (dtucker) [loginrec.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
3783 Plug AIX login recording into login_write so logins will be recorded for
3787 - (dtucker) [openbsd-compat/bsd-misc.c] Typo in #ifdef; from vinschen at
3789 - (dtucker) OpenBSD CVS Sync
3790 - avsm@cvs.openbsd.org 2004/08/11 21:43:05
3791 [channels.c channels.h clientloop.c misc.c misc.h serverloop.c ssh-agent.c]
3792 some signed/unsigned int comparison cleanups; markus@ ok
3793 - avsm@cvs.openbsd.org 2004/08/11 21:44:32
3794 [authfd.c scp.c ssh-keyscan.c]
3795 use atomicio instead of homegrown equivalents or read/write.
3797 - djm@cvs.openbsd.org 2004/08/12 09:18:24
3799 typo in error message, spotted by moritz AT jodeit.org (Id sync only)
3800 - jakob@cvs.openbsd.org 2004/08/12 21:41:13
3801 [ssh-keygen.1 ssh.1]
3802 improve SSHFP documentation; ok deraadt@
3803 - jmc@cvs.openbsd.org 2004/08/13 00:01:43
3805 kill whitespace at eol;
3806 - djm@cvs.openbsd.org 2004/08/13 02:51:48
3808 extra check for no message case; ok markus, deraadt, hshoexer, henning
3809 - dtucker@cvs.openbsd.org 2004/08/13 11:09:24
3811 Fix line numbers off-by-one in error messages, from tortay at cc.in2p3.fr
3815 - (dtucker) [sshd.c] Remove duplicate variable imported during sync.
3816 - (dtucker) OpenBSD CVS Sync
3817 - markus@cvs.openbsd.org 2004/07/28 08:56:22
3819 call setsid() _before_ re-exec
3820 - markus@cvs.openbsd.org 2004/07/28 09:40:29
3821 [auth.c auth1.c auth2.c cipher.c cipher.h key.c session.c ssh.c
3823 more s/illegal/invalid/
3824 - djm@cvs.openbsd.org 2004/08/04 10:37:52
3826 return group14 when no primes found - fixes hang on empty /etc/moduli;
3828 - dtucker@cvs.openbsd.org 2004/08/11 11:09:54
3830 Fix minor leak; "looks right" deraadt@
3831 - dtucker@cvs.openbsd.org 2004/08/11 11:50:09
3833 Don't try to close startup_pipe if it's not open; ok djm@
3834 - djm@cvs.openbsd.org 2004/08/11 11:59:22
3836 check that lseek went where we told it to; ok markus@
3837 (Id sync only, but similar changes are needed in loginrec.c)
3838 - djm@cvs.openbsd.org 2004/08/11 12:01:16
3840 make store_lastlog_message() static to appease -Wall; ok markus
3841 - (dtucker) [sshd.c] Clear loginmsg in postauth monitor, prevents doubling
3842 messages generated before the postauth privsep split.
3845 - (djm) OpenBSD CVS Sync
3846 - markus@cvs.openbsd.org 2004/07/21 08:56:12
3848 s/Illegal user/Invalid user/; many requests; ok djm, millert, niklas,
3850 - djm@cvs.openbsd.org 2004/07/21 10:33:31
3852 bz#899: Don't display invalid usernames in setproctitle
3853 from peak AT argo.troja.mff.cuni.cz; ok markus@
3854 - djm@cvs.openbsd.org 2004/07/21 10:36:23
3856 fix function declaration
3857 - djm@cvs.openbsd.org 2004/07/21 11:51:29
3859 bz#902: cache remote port so we don't fatal() in auth_log when remote
3860 connection goes away quickly. from peak AT argo.troja.mff.cuni.cz;
3862 - (djm) [auth-pam.c] Portable parts of bz#899: Don't display invalid
3863 usernames in setproctitle from peak AT argo.troja.mff.cuni.cz;
3866 - (djm) [log.c] bz #111: Escape more control characters when sending data
3867 to syslog; from peak AT argo.troja.mff.cuni.cz
3868 - (djm) [contrib/redhat/sshd.pam] bz #903: Remove redundant entries; from
3869 peak AT argo.troja.mff.cuni.cz
3870 - (djm) [regress/README.regress] Remove caveat regarding TCP wrappers, now
3871 that sshd is fixed to behave better; suggested by tim
3874 - (djm) [openbsd-compat/bsd-arc4random.c] Discard early keystream, like OpenBSD
3876 - (djm) [auth-pam.c] Avoid use of xstrdup and friends in conversation function,
3877 instead return PAM_CONV_ERR, avoiding another path to fatal(); ok dtucker@
3878 - (tim) [configure.ac] updwtmpx() on OpenServer seems to add duplicate entry.
3879 Report by rac AT tenzing.org
3882 - (dtucker) [logintest.c scp.c sftp-server.c sftp.c ssh-add.c ssh-agent.c
3883 ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c ssh.c sshd.c
3884 openbsd-compat/bsd-misc.c] Move "char *__progname" to bsd-misc.c. Reduces
3885 diff vs OpenBSD; ok mouring@, tested by tim@ too.
3886 - (dtucker) OpenBSD CVS Sync
3887 - deraadt@cvs.openbsd.org 2004/07/11 17:48:47
3888 [channels.c cipher.c clientloop.c clientloop.h compat.h moduli.c
3889 readconf.c nchan.c pathnames.h progressmeter.c readconf.h servconf.c
3890 session.c sftp-client.c sftp.c ssh-agent.1 ssh-keygen.c ssh.c ssh1.h
3893 - brad@cvs.openbsd.org 2004/07/12 23:34:25
3895 Fix incorrect macro, .I -> .Em
3896 From: Eric S. Raymond <esr at thyrsus dot com>
3898 - dtucker@cvs.openbsd.org 2004/07/17 05:31:41
3899 [monitor.c monitor_wrap.c session.c session.h sshd.c sshlogin.c]
3900 Move "Last logged in at.." message generation to the monitor, right
3901 before recording the new login. Fixes missing lastlog message when
3902 /var/log/lastlog is not world-readable and incorrect datestamp when
3903 multiple sessions are used (bz #463); much assistance & ok markus@
3906 - (dtucker) [auth-pam.c] Check for zero from waitpid() too, which allows
3907 the monitor to properly clean up the PAM thread (Debian bug #252676).
3910 - (tim) [contrib/cygwin/README] add minires-devel requirement. Patch from
3911 vinschen AT redhat.com
3914 - (dtucker) OpenBSD CVS Sync
3915 - dtucker@cvs.openbsd.org 2004/07/03 05:11:33
3916 [sshlogin.c] (RCSID sync only, the corresponding code is not in Portable)
3917 Use '\0' not 0 for string; ok djm@, deraadt@
3918 - dtucker@cvs.openbsd.org 2004/07/03 11:02:25
3920 Put s/key functions inside #ifdef SKEY same as monitor.c,
3921 from des@freebsd via bz #330, ok markus@
3922 - dtucker@cvs.openbsd.org 2004/07/08 12:47:21
3924 Prevent scp from skipping the file following a double-error.
3928 - (dtucker) [mdoc2man.awk] Teach it to ignore .Bk -words, reported by
3929 strube at physik3.gwdg.de a long time ago.
3932 - (dtucker) [session.c] Call display_loginmsg again after do_pam_session.
3933 Ensures messages from PAM modules are displayed when privsep=no.
3934 - (dtucker) [auth-pam.c] Bug #705: Make arguments match PAM specs, fixes
3935 warnings on compliant platforms. From paul.a.bolton at bt.com. ok djm@
3936 - (dtucker) [auth-pam.c] Bug #559 (last piece): Pass DISALLOW_NULL_AUTHTOK
3937 to pam_authenticate for challenge-response auth too. Originally from
3938 fcusack at fcusack.com, ok djm@
3939 - (tim) [buildpkg.sh.in] Add $REV to bump the package revision within
3940 the same version. Handle the case where someone uses --with-privsep-user=
3941 and the user name does not match the group name. ok dtucker@
3944 - (dtucker) [auth-pam.c] Check for buggy PAM modules that return a NULL
3945 appdata_ptr to the conversation function. ok djm@
3946 - (djm) OpenBSD CVS Sync
3947 - jmc@cvs.openbsd.org 2004/06/26 09:03:21
3949 - remove double word
3950 - rearrange .Bk to keep SYNOPSIS nice
3951 - -M before -m in options description
3952 - jmc@cvs.openbsd.org 2004/06/26 09:11:14
3954 punctuation and grammar fixes. also, keep the options in order.
3955 - jmc@cvs.openbsd.org 2004/06/26 09:14:40
3957 new sentence, new line;
3958 - avsm@cvs.openbsd.org 2004/06/26 20:07:16
3960 initialise some fd variables to -1, djm@ ok
3961 - djm@cvs.openbsd.org 2004/06/30 08:36:59
3963 unbreak TTY break, diagnosed by darren AT dazwin.com; ok markus@
3966 - (tim) update README files.
3967 - (dtucker) [mdoc2man.awk] Bug #883: correctly recognise .Pa and .Ev macros.
3968 - (dtucker) [regress/README.regress] Document new variables.
3969 - (dtucker) [acconfig.h configure.ac sftp-server.c] Bug #823: add sftp
3970 rename handling for Linux which returns EPERM for link() on (at least some)
3971 filesystems that do not support hard links. sftp-server will fall back to
3972 stat+rename() in such cases.
3973 - (dtucker) [openbsd-compat/port-aix.c] Missing __func__.
3976 - (djm) OpenBSD CVS Sync
3977 - djm@cvs.openbsd.org 2004/06/25 18:43:36
3979 fix broken fd handling in the re-exec fallback path, particularly when
3980 /dev/crypto is in use; ok deraadt@ markus@
3981 - djm@cvs.openbsd.org 2004/06/25 23:21:38
3983 bz #875: fix bad escape char error message; reported by f_mohr AT yahoo.de
3986 - (dtucker) OpenBSD CVS Sync
3987 - djm@cvs.openbsd.org 2004/06/24 19:30:54
3988 [servconf.c servconf.h sshd.c]
3989 re-exec sshd on accept(); initial work, final debugging and ok markus@
3990 - djm@cvs.openbsd.org 2004/06/25 01:16:09
3992 only perform tcp wrappers checks when the incoming connection is on a
3993 socket. silences useless warnings from regress tests that use
3994 proxycommand="sshd -i". prompted by david@ ok markus@
3995 - djm@cvs.openbsd.org 2004/06/24 19:32:00
3996 [regress/Makefile regress/test-exec.sh, added regress/reexec.sh]
3997 regress test for re-exec corner cases
3998 - djm@cvs.openbsd.org 2004/06/25 01:25:12
3999 [regress/test-exec.sh]
4000 clean reexec-specific junk out of test-exec.sh and simplify; idea markus@
4001 - dtucker@cvs.openbsd.org 2004/06/25 05:38:48
4003 Fall back to stat+rename if filesystem doesn't support hard
4004 links. bz#823, ok djm@
4005 - (dtucker) [configure.ac openbsd-compat/misc.c openbsd-compat/misc.h]
4006 Add closefrom() for platforms that don't have it.
4007 - (dtucker) [sshd.c] add line missing from reexec sync.
4010 - (dtucker) [auth1.c] Ensure do_pam_account is called for Protocol 1
4011 connections with empty passwords. Patch from davidwu at nbttech.com,
4013 - (dtucker) OpenBSD CVS Sync
4014 - dtucker@cvs.openbsd.org 2004/06/22 22:42:02
4015 [regress/envpass.sh]
4016 Add quoting for test -z; ok markus@
4017 - dtucker@cvs.openbsd.org 2004/06/22 22:45:52
4018 [regress/test-exec.sh]
4019 Add TEST_SSH_SSHD_CONFOPTS and TEST_SSH_SSH_CONFOPTS to allow adding
4020 arbitrary options to sshd_config and ssh_config during tests. ok markus@
4021 - dtucker@cvs.openbsd.org 2004/06/22 22:55:56
4022 [regress/dynamic-forward.sh regress/test-exec.sh]
4023 Allow setting of port for regress from TEST_SSH_PORT variable; ok markus@
4024 - mouring@cvs.openbsd.org 2004/06/23 00:39:38
4026 -Wshadow fix up s/encrypt/do_encrypt/. OK djm@, markus@
4027 - dtucker@cvs.openbsd.org 2004/06/23 14:31:01
4029 Fix counting in master/slave when passing environment variables; ok djm@
4030 - (dtucker) [cipher.c] encrypt->do_encrypt inside SSH_OLD_EVP to match
4032 - (bal) [Makefile.in] Remove opensshd.init on 'make distclean'
4033 - (dtucker) [auth.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
4034 Move loginrestrictions test to port-aix.c, replace with a generic hook.
4035 - (tim) [regress/try-ciphers.sh] "if ! some_command" is not portable.
4036 - (bal) [contrib/README] Removed "mdoc2man.pl" reference and added
4037 reference to "findssl.sh"
4040 - (dtucker) OpenBSD CVS Sync
4041 - djm@cvs.openbsd.org 2004/06/20 17:36:59
4043 filter passed env vars at slave in connection sharing case; ok markus@
4044 - djm@cvs.openbsd.org 2004/06/20 18:53:39
4046 make "ls -l" listings print user/group names, add "ls -n" to show uid/gid
4047 (like /bin/ls); idea & ok markus@
4048 - djm@cvs.openbsd.org 2004/06/20 19:28:12
4051 - avsm@cvs.openbsd.org 2004/06/21 17:36:31
4052 [auth-rsa.c auth2-gss.c auth2-pubkey.c authfile.c canohost.c channels.c
4053 cipher.c dns.c kex.c monitor.c monitor_fdpass.c monitor_wrap.c
4054 monitor_wrap.h nchan.c packet.c progressmeter.c scp.c sftp-server.c sftp.c
4055 ssh-gss.h ssh-keygen.c ssh.c sshconnect.c sshconnect1.c sshlogin.c
4057 make ssh -Wshadow clean, no functional changes
4059 - djm@cvs.openbsd.org 2004/06/21 17:53:03
4061 fix fd leak for multiple subsystem connections; with markus@
4062 - djm@cvs.openbsd.org 2004/06/21 22:02:58
4064 mark fatal and cleanup exit as __dead; ok markus@
4065 - djm@cvs.openbsd.org 2004/06/21 22:04:50
4067 introduce sorting for ls, same options as /bin/ls; ok markus@
4068 - djm@cvs.openbsd.org 2004/06/21 22:30:45
4070 prefix ls option flags with LS_
4071 - djm@cvs.openbsd.org 2004/06/21 22:41:31
4073 document sort options
4074 - djm@cvs.openbsd.org 2004/06/22 01:16:39
4076 don't show .files by default in ls, add -a option to turn them back on;
4078 - markus@cvs.openbsd.org 2004/06/22 03:12:13
4079 [regress/envpass.sh regress/multiplex.sh]
4080 more portable env passing tests
4081 - dtucker@cvs.openbsd.org 2004/06/22 05:05:45
4082 [monitor.c monitor_wrap.c]
4083 Change login->username, will prevent -Wshadow errors in Portable;
4085 - (dtucker) [monitor.c] Fix Portable-specific -Wshadow warnings on "socket".
4086 - (dtucker) [defines.h] Define __dead if not already defined.
4087 - (bal) [auth-passwd.c auth1.c] Clean up unused variables.
4090 - (tim) [configure.ac Makefile.in] Only change TEST_SHELL on broken platforms.
4093 - (dtucker) [auth-pam.c] Don't use PAM namespace for
4094 pam_password_change_required either.
4095 - (tim) [configure.ac buildpkg.sh.in contrib/solaris/README] move opensshd
4096 init script to top level directory. Add opensshd.init.in.
4097 Remove contrib/solaris/buildpkg.sh, contrib/solaris/opensshd.in
4100 - (djm) OpenBSD CVS Sync
4101 - djm@cvs.openbsd.org 2004/06/17 14:52:48
4102 [clientloop.c clientloop.h ssh.c]
4103 support environment passing over shared connections; ok markus@
4104 - djm@cvs.openbsd.org 2004/06/17 15:10:14
4105 [clientloop.c misc.h readconf.c readpass.c ssh.c ssh_config.5]
4106 Add option for confirmation (ControlMaster=ask) via ssh-askpass before
4107 opening shared connections; ok markus@
4108 - djm@cvs.openbsd.org 2004/06/17 14:53:27
4109 [regress/multiplex.sh]
4110 shared connection env passing regress test
4111 - (dtucker) [regress/README.regress] Add detail on how to run a single
4112 test from the top-level Makefile.
4113 - (dtucker) OpenBSD CVS Sync
4114 - djm@cvs.openbsd.org 2004/06/17 23:56:57
4116 sync usage() and SYNOPSIS with connection sharing changes
4117 - dtucker@cvs.openbsd.org 2004/06/18 06:13:25
4119 Use execvp instead of execv so sftp -S ssh works. "makes sense" markus@
4120 - dtucker@cvs.openbsd.org 2004/06/18 06:15:51
4122 Use -S for scp/sftp to force the use of the ssh being tested.
4124 - (djm) OpenBSD CVS Sync
4125 - djm@cvs.openbsd.org 2004/06/18 10:40:19
4127 delay signal handler setup until we have finished talking to the master.
4128 allow interrupting of setup (e.g. if master is stuck); ok markus@
4129 - markus@cvs.openbsd.org 2004/06/18 10:55:43
4131 trim synopsis for -S, allow -S and -oControlMaster, -MM means 'ask';
4133 - djm@cvs.openbsd.org 2004/06/18 11:11:54
4134 [channels.c clientloop.c]
4135 Don't explode in clientloop when we receive a bogus channel id, but
4136 also don't generate them to begin with; ok markus@
4139 - (dtucker) [regress/scp.sh] diff -N is not portable (but needed for some
4140 platforms), so test if diff understands it. Pointed out by tim@, ok djm@
4141 - (dtucker) OpenBSD CVS Sync regress/
4142 - dtucker@cvs.openbsd.org 2004/06/17 05:51:59
4143 [regress/multiplex.sh]
4144 Remove datafile between and after tests, kill sshd rather than wait;
4146 - dtucker@cvs.openbsd.org 2004/06/17 06:00:05
4147 [regress/multiplex.sh]
4148 Use DATA and COPY for test data rather than hard-coded paths; ok djm@
4149 - dtucker@cvs.openbsd.org 2004/06/17 06:19:06
4150 [regress/multiplex.sh]
4151 Add small description of failing test to failure message; ok djm@
4152 - (dtucker) [regress/multiplex.sh] add EXEEXT for those platforms that need
4154 - (dtucker) [regress/multiplex.sh] Increase sleep time to 120 sec (60 is not
4155 enough for slow systems, especially if they don't have a kernel RNG).
4158 - (dtucker) [openbsd-compat/port-aix.c] Expand whitespace -> tabs. No
4160 - (dtucker) OpenBSD CVS Sync regress/
4161 - djm@cvs.openbsd.org 2004/04/27 09:47:30
4162 [regress/Makefile regress/test-exec.sh, added regress/envpass.sh]
4163 regress test for environment passing, SendEnv & AcceptEnv options;
4165 - dtucker@cvs.openbsd.org 2004/06/13 13:51:02
4166 [regress/Makefile regress/test-exec.sh, added regress/scp-ssh-wrapper.sh
4168 Add scp regression test; with & ok markus@
4169 - djm@cvs.openbsd.org 2004/06/13 15:04:08
4170 [regress/Makefile regress/test-exec.sh, added regress/envpass.sh]
4171 regress test for client multiplexing; ok markus@
4172 - djm@cvs.openbsd.org 2004/06/13 15:16:54
4173 [regress/test-exec.sh]
4174 remove duplicate setting of $SCP; spotted by markus@
4175 - dtucker@cvs.openbsd.org 2004/06/16 13:15:09
4177 Make scp -r tests use diff -rN not cmp (which won't do dirs). ok markus@
4178 - dtucker@cvs.openbsd.org 2004/06/16 13:16:40
4179 [regress/multiplex.sh]
4180 Silence multiplex sftp and scp tests. ok markus@
4181 - (dtucker) [regress/test-exec.sh]
4182 Move Portable-only StrictModes to top of list to make syncs easier.
4183 - (dtucker) [regress/README.regress]
4184 Add $TEST_SHELL to readme.
4187 - (djm) OpenBSD CVS Sync
4188 - djm@cvs.openbsd.org 2004/05/26 08:59:57
4190 exit -> _exit in forked child on error; from andrushock AT korovino.net
4191 - markus@cvs.openbsd.org 2004/05/26 23:02:39
4193 missing freeaddrinfo; Andrey Matveev
4194 - dtucker@cvs.openbsd.org 2004/05/27 00:50:13
4196 Kill dead code after fatal(); ok djm@
4197 - dtucker@cvs.openbsd.org 2004/06/01 14:20:45
4199 Remove redundant #include; ok markus@
4200 - pedro@cvs.openbsd.org 2004/06/03 12:22:20
4201 [sftp-client.c sftp.c]
4202 initialize pointers, ok markus@
4203 - djm@cvs.openbsd.org 2004/06/13 12:53:24
4204 [dh.c dh.h kex.c kex.h kexdhc.c kexdhs.c monitor.c myproposal.h]
4205 [ssh-keyscan.c sshconnect2.c sshd.c]
4206 implement diffie-hellman-group14-sha1 kex method (trivial extension to
4207 existing diffie-hellman-group1-sha1); ok markus@
4208 - dtucker@cvs.openbsd.org 2004/06/13 14:01:42
4209 [ssh.1 ssh_config.5 sshd_config.5]
4210 List supported ciphers in man pages, tidy up ssh -c;
4211 "looks fine" jmc@, ok markus@
4212 - djm@cvs.openbsd.org 2004/06/13 15:03:02
4213 [channels.c channels.h clientloop.c clientloop.h includes.h readconf.c]
4214 [readconf.h scp.1 sftp.1 ssh.1 ssh.c ssh_config.5]
4215 implement session multiplexing in the client (the server has supported
4216 this since 2.0); ok markus@
4217 - djm@cvs.openbsd.org 2004/06/14 01:44:39
4218 [channels.c clientloop.c misc.c misc.h packet.c ssh-agent.c ssh-keyscan.c]
4220 set_nonblock() instead of fcntl(...,O_NONBLOCK); "looks sane" deraadt@
4221 - djm@cvs.openbsd.org 2004/06/15 05:45:04
4223 missed one unset_nonblock; spotted by Tim Rice
4224 - (djm) Fix Makefile.in for connection sharing changes
4225 - (djm) [ssh.c] Use separate var for address length
4228 - (dtucker) [auth-pam.c] Don't use pam_* namespace for sshd's PAM functions.
4232 - (djm) [auth-pam.c] Add copyright for local changes
4235 - (dtucker) [auth-pam.c auth-pam.h auth-passwd.c] Bug #874: Re-add PAM
4236 support for PasswordAuthentication=yes. ok djm@
4237 - (dtucker) [auth-pam.c] Use an invalid password for root if
4238 PermitRootLogin != yes or the login is invalid, to prevent leaking
4239 information. Based on Openwall's owl-always-auth patch. ok djm@
4240 - (tim) [configure.ac Makefile.in] Add support for "make package" ok djm@
4241 - (tim) [buildpkg.sh.in] New file. A more flexible version of
4242 contrib/solaris/buildpkg.sh used for "make package".
4243 - (tim) [buildpkg.sh.in] Last minute fix didn't make it in the .in file.
4246 - (dtucker) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec
4247 contrib/README CREDITS INSTALL] Bug #873: Correct URLs for x11-ssh-askpass
4248 and Jim Knoble's email address, from Jim himself.
4251 - (dtucker) OpenBSD CVS Sync
4252 - djm@cvs.openbsd.org 2004/05/19 12:17:33
4253 [sftp-client.c sftp.c]
4254 gracefully abort transfers on receipt of SIGINT, also ignore SIGINT while
4255 waiting for a command; ok markus@
4256 - dtucker@cvs.openbsd.org 2004/05/20 10:58:05
4258 Trivial type fix 0 -> '\0'; ok markus@
4259 - markus@cvs.openbsd.org 2004/05/21 08:43:03
4260 [kex.h moduli.c tildexpand.c]
4261 add prototypes for -Wall; ok djm
4262 - djm@cvs.openbsd.org 2004/05/21 11:33:11
4263 [channels.c channels.h clientloop.c serverloop.c ssh.1]
4264 bz #756: add support for the cancel-tcpip-forward request for the server
4265 and the client (through the ~C commandline). reported by z3p AT
4266 twistedmatrix.com; ok markus@
4267 - djm@cvs.openbsd.org 2004/05/22 06:32:12
4268 [clientloop.c ssh.1]
4269 use '-h' for help in ~C commandline instead of '-?'; inspired by jmc@
4270 - jmc@cvs.openbsd.org 2004/05/22 16:01:05
4272 kill whitespace at eol;
4273 - dtucker@cvs.openbsd.org 2004/05/23 23:59:53
4274 [auth.c auth.h auth1.c auth2.c servconf.c servconf.h sshd_config
4276 Add MaxAuthTries sshd config option; ok markus@
4277 - (dtucker) [auth-pam.c] Bug #839: Ensure that pam authentication "thread"
4278 is terminated if the privsep slave exits during keyboard-interactive
4279 authentication. ok djm@
4280 - (dtucker) [sshd.c] Fix typo in comment.
4283 - (djm) [sshd_config] Explain consequences of UsePAM=yes a little better in
4284 sshd_config; ok dtucker@
4285 - (djm) [configure.ac] Warn if the system has no known way of figuring out
4286 which user is on the other end of a Unix domain socket; ok dtucker@
4287 - (bal) [openbsd-compat/sys-queue.h] Reintroduce machinery to handle
4288 old/broken/incomplete <sys/queue.h>.
4291 - (dtucker) [configure.ac] Bug #867: Additional tests for res_query in
4292 libresolv, fixes problems detecting it on some platforms
4293 (eg Linux/x86-64). From Kurt Roeckx via Debian, ok mouring@
4294 - (dtucker) OpenBSD CVS Sync
4295 - jmc@cvs.openbsd.org 2004/05/04 18:36:07
4298 - jmc@cvs.openbsd.org 2004/05/06 11:24:23
4300 typo from John Cosimano (PR 3770);
4301 - deraadt@cvs.openbsd.org 2004/05/08 00:01:37
4302 [auth.c clientloop.c misc.h servconf.c ssh.c sshpty.h sshtty.c
4303 tildexpand.c], removed: sshtty.h tildexpand.h
4304 make two tiny header files go away; djm ok
4305 - djm@cvs.openbsd.org 2004/05/08 00:21:31
4306 [clientloop.c misc.h readpass.c scard.c ssh-add.c ssh-agent.c ssh-keygen.c
4307 sshconnect.c sshconnect1.c sshconnect2.c] removed: readpass.h
4308 kill a tiny header; ok deraadt@
4309 - djm@cvs.openbsd.org 2004/05/09 00:06:47
4310 [moduli.c ssh-keygen.c] removed: moduli.h
4311 zap another tiny header; ok deraadt@
4312 - djm@cvs.openbsd.org 2004/05/09 01:19:28
4313 [OVERVIEW auth-rsa.c auth1.c kex.c monitor.c session.c sshconnect1.c
4314 sshd.c] removed: mpaux.c mpaux.h
4315 kill some more tiny files; ok deraadt@
4316 - djm@cvs.openbsd.org 2004/05/09 01:26:48
4318 don't overwrite what we are trying to compute
4319 - deraadt@cvs.openbsd.org 2004/05/11 19:01:43
4320 [auth.c auth2-none.c authfile.c channels.c monitor.c monitor_mm.c
4321 packet.c packet.h progressmeter.c session.c openbsd-compat/xmmap.c]
4322 improve some code lint did not like; djm millert ok
4323 - dtucker@cvs.openbsd.org 2004/05/13 02:47:50
4325 Add examples to ssh-agent.1, bz#481 from Ralf Hauser; ok deraadt@
4326 - (dtucker) [sshd.8] Bug #843: Add warning about PasswordAuthentication to
4327 UsePAM section. Parts from djm@ and jmc@.
4328 - (dtucker) [auth-pam.c scard-opensc.c] Tinderbox says auth-pam.c uses
4329 readpass.h, grep says scard-opensc.c does too. Replace with misc.h.
4330 - (dtucker) [openbsd-compat/getrrsetbyname.c] Check that HAVE_DECL_H_ERROR
4331 is defined before using.
4332 - (dtucker) [openbsd-compat/getrrsetbyname.c] Fix typo too: HAVE_DECL_H_ERROR
4333 -> HAVE_DECL_H_ERRNO.
4336 - (dtucker) OpenBSD CVS Sync
4337 - djm@cvs.openbsd.org 2004/04/22 11:56:57
4339 Bugzilla #850: Sophie Germain is the correct name of the French
4340 mathematician, "Sophie Germaine" isn't; from Luc.Maisonobe@c-s.fr
4341 - djm@cvs.openbsd.org 2004/04/27 09:46:37
4342 [readconf.c readconf.h servconf.c servconf.h session.c session.h ssh.c
4343 ssh_config.5 sshd_config.5]
4344 bz #815: implement ability to pass specified environment variables from
4345 the client to the server; ok markus@
4346 - djm@cvs.openbsd.org 2004/04/28 05:17:10
4347 [ssh_config.5 sshd_config.5]
4348 manpage fixes in envpass stuff from Brian Poole (raj AT cerias.purdue.edu)
4349 - jmc@cvs.openbsd.org 2004/04/28 07:02:56
4351 remove unnecessary .Pp;
4352 - jmc@cvs.openbsd.org 2004/04/28 07:13:42
4354 add SendEnv to -o list;
4355 - dtucker@cvs.openbsd.org 2004/05/02 11:54:31
4357 Man page grammar fix (bz #858), from damerell at chiark.greenend.org.uk
4359 - dtucker@cvs.openbsd.org 2004/05/02 11:57:52
4361 ConnectionTimeout -> ConnectTimeout, from m.a.ellis at ncl.ac.uk via
4363 - dtucker@cvs.openbsd.org 2004/05/02 23:02:17
4365 ConnectionTimeout -> ConnectTimeout here too, pointed out by jmc@
4366 - dtucker@cvs.openbsd.org 2004/05/02 23:17:51
4368 ConnectionTimeout -> ConnectTimeout for scp.1 too.
4371 - (dtucker) [configure.ac openbsd-compat/getrrsetbyname.c] Declare h_errno
4372 as extern int if not already declared. Fixes compile errors on old SCO
4374 - (dtucker) [README.platform] List prereqs for building on Cygwin.
4377 - (djm) Update config.guess and config.sub to autoconf-2.59 versions; ok tim@
4380 - (djm) OpenBSD CVS Sync
4381 - henning@cvs.openbsd.org 2004/04/08 16:08:21
4383 swap the last two parameters to TAILQ_FOREACH_REVERSE. matches what
4384 FreeBSD and NetBSD do.
4385 ok millert@ mcbride@ markus@ ho@, checked to not affect ports by naddy@
4386 - djm@cvs.openbsd.org 2004/04/18 23:10:26
4387 [readconf.c readconf.h ssh-keysign.c ssh.c]
4388 perform strict ownership and modes checks for ~/.ssh/config files,
4389 as these can be used to execute arbitrary programs; ok markus@
4390 NB. ssh will now exit when it detects a config with poor permissions
4391 - djm@cvs.openbsd.org 2004/04/19 13:02:40
4392 [ssh.1 ssh_config.5]
4393 document strict permission checks on ~/.ssh/config; prompted by,
4395 - jmc@cvs.openbsd.org 2004/04/19 16:12:14
4397 kill whitespace at eol;
4398 - djm@cvs.openbsd.org 2004/04/19 21:51:49
4400 fix idiot typo that i introduced in my last commit;
4401 spotted by cschneid AT cschneid.com
4402 - (djm) [openbsd-compat/sys-queue.h] Sync with OpenBSD, needed for
4404 - (djm) [configure.ac] Check whether libroken is required when building
4408 - (dtucker) OpenBSD CVS Sync
4409 - dtucker@cvs.openbsd.org 2004/02/29 22:04:45
4410 [regress/login-timeout.sh]
4411 Use sudo when restarting daemon during test. ok markus@
4412 - dtucker@cvs.openbsd.org 2004/03/08 10:17:12
4413 [regress/login-timeout.sh]
4414 Missing OBJ, from tim@. ok markus@ (Already fixed, ID sync only)
4415 - djm@cvs.openbsd.org 2004/03/30 12:41:56
4417 sync comment with reality
4418 - djm@cvs.openbsd.org 2004/03/31 21:58:47
4420 don't skip ip options check when UseDNS=no; ok markus@ (ID sync only)
4421 - markus@cvs.openbsd.org 2004/04/01 12:19:57
4423 limit trust between local and remote rcp/scp process,
4424 noticed by lcamtuf; ok deraadt@, djm@
4427 - (dtucker) [auth-pam.c] Log username and source host for failed PAM
4428 authentication attempts. With & ok djm@
4429 - (djm) [openbsd-compat/bsd-cygwin_util.c] Recent versions of Cygwin allow
4430 change of user context without a password, so relax auth method
4431 restrictions; from vinschen AT redhat.com; ok dtucker@
4434 - (dtucker) [regress/sftp-cmds.sh] Skip quoting test on Cygwin, since
4435 FAT/NTFS does not permit quotes in filenames. From vinschen at redhat.com
4436 - (djm) [auth-krb5.c auth.h session.c] Explicitly refer to Kerberos ccache
4437 file using FILE: method, fixes problems on Mac OSX.
4438 Patch from simon@sxw.org.uk; ok dtucker@
4439 - (tim) [configure.ac] Set SETEUID_BREAKS_SETUID, BROKEN_SETREUID and
4440 BROKEN_SETREGID for SCO OpenServer 3
4443 - (dtucker) [sshd_config.5] Add PermitRootLogin without-password warning
4444 from bug #701 (text from jfh at cise.ufl.edu).
4445 - (dtucker) [acconfig.h configure.ac defines.h] Bug #673: check for 4-arg
4446 skeychallenge(), eg on NetBSD. ok mouring@
4447 - (dtucker) [auth-skey.c defines.h monitor.c] Make skeychallenge explicitly
4448 4-arg, with compatibility for 3-arg versions. From djm@, ok me.
4449 - (djm) [configure.ac] Fix detection of libwrap on OpenBSD; ok dtucker@
4452 - (dtucker) [loginrec.c] Use UT_LINESIZE if available, prevents truncating
4453 pty name on Linux 2.6.x systems. Patch from jpe at eisenmenger.org.
4454 - (bal) [monitor.c monitor_wrap.c] Second try. Put the zlib.h headers
4455 back and #undef TARGET_OS_MAC instead. (Bug report pending with Apple)
4456 - (dtucker) [defines.h loginrec.c] Define UT_LINESIZE if not defined and
4457 simplify loginrec.c. ok tim@
4458 - (bal) [monitor.c monitor_wrap.c] Ok.. Last time. Promise. Tim suggested
4459 limiting scope and dtucker@ agreed.
4462 - (dtucker) [session.c] Flush stdout after displaying loginmsg. From
4464 - (bal) [acconfig.h auth-krb5.c configure.ac gss-serv-krb5.c] Check to see
4465 if Krb5 library exports krb5_init_etc() since some OSes (like MacOS/X)
4466 are starting to restrict it as internal since it is not needed by
4467 developers any more. (Patch based on Apple tree)
4468 - (bal) [monitor.c monitor_wrap.c] moved zlib.h higher since
4469 krb5 on MacOS/X conflicts. There may be a better solution, but this will
4473 - (dtucker) [acconfig.h configure.ac defines.h] Bug #820: don't use
4474 updwtmpx() on IRIX since it seems to clobber utmp. ok djm@
4475 - (dtucker) [configure.ac] Bug #816, #748 (again): Attempt to detect
4476 broken getaddrinfo and friends on HP-UX. ok djm@
4479 - (dtucker) [configure.ac] Bug #811: Use "!" for LOCKED_PASSWD_PREFIX on
4480 Linuxes, since that's what many use. ok djm@
4481 - (dtucker) [auth-pam.c] rename the_authctxt to sshpam_authctxt in auth-pam.c
4482 to reduce potential confusion with the one in sshd.c. ok djm@
4483 - (djm) Bug #825: Fix ip_options_check() for mapped IPv4/IPv6 connection;
4487 - (dtucker) [session.c] Bug #817: Clear loginmsg after fork to prevent
4488 duplicate login messages for multi-session logins. ok djm@
4491 - (djm) [sshd.c] Drop supplemental groups if started as root
4492 - (djm) OpenBSD CVS Sync
4493 - markus@cvs.openbsd.org 2004/03/09 22:11:05
4495 increase x11 cookie lifetime to 20 minutes; ok djm
4496 - markus@cvs.openbsd.org 2004/03/10 09:45:06
4498 trim usage to match ssh(1) and look more like unix. ok djm@
4499 - markus@cvs.openbsd.org 2004/03/11 08:36:26
4501 trim usage; ok deraadt
4502 - markus@cvs.openbsd.org 2004/03/11 10:21:17
4504 ssh, sshd: sync version output, ok djm
4505 - markus@cvs.openbsd.org 2004/03/20 10:40:59
4508 - (djm) Crank RPM spec versions
4511 - (djm) [configure.ac] Add standard license to configure.ac; ok ben, dtucker
4514 - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #812: #undef getaddrinfo
4515 before redefining it, silences warnings on Tru64.
4518 - (dtucker) [sshd.c] Back out rev 1.270 as it caused problems on some
4519 platforms (eg SCO, HP-UX) with logging in the wrong TZ. ok djm@
4520 - (dtucker) [configure.ac sshd.c openbsd-compat/bsd-misc.h
4521 openbsd-compat/setenv.c] Unset KRB5CCNAME on AIX to prevent it from being
4522 inherited by the child. ok djm@
4523 - (dtucker) [auth-pam.c auth-pam.h auth1.c auth2.c monitor.c monitor_wrap.c
4524 monitor_wrap.h] Bug #808: Ensure force_pwchange is correctly initialized
4525 even if keyboard-interactive is not used by the client. Prevents
4526 segfaults in some cases where the user's password is expired (note this
4527 is not considered a security exposure). ok djm@
4528 - (djm) OpenBSD CVS Sync
4529 - markus@cvs.openbsd.org 2004/03/03 06:47:52
4531 change proctitle after accept(2); ok henning, deraadt, djm
4532 - djm@cvs.openbsd.org 2004/03/03 09:30:42
4534 Don't print duplicate messages when progressmeter is off
4535 Spotted by job317 AT mailvault.com; ok markus@
4536 - djm@cvs.openbsd.org 2004/03/03 09:31:20
4538 Fix initialisation of progress meter; ok markus@
4539 - markus@cvs.openbsd.org 2004/03/05 10:53:58
4540 [readconf.c readconf.h scp.1 sftp.1 ssh.1 ssh_config.5 sshconnect2.c]
4541 add IdentitiesOnly; ok djm@, pb@
4542 - djm@cvs.openbsd.org 2004/03/08 09:38:05
4544 explicitly initialise remote_major and remote_minor.
4545 from cjwatson AT debian.org; ok markus@
4546 - dtucker@cvs.openbsd.org 2004/03/08 10:18:57
4548 Document KerberosGetAFSToken; ok markus@
4549 - (tim) [regress/README.regress] Document ssh-rand-helper issue. ok bal
4552 - (tim) [regress/login-timeout.sh] fix building outside of source tree.
4555 - (dtucker) [auth-pam.c] Don't try to export PAM when compiled with
4556 -DUSE_POSIX_THREADS. From antoine.verheijen at ualbert ca. ok djm@
4557 - (dtucker) [auth-pam.c] Reset signal status when starting pam auth thread,
4558 prevent hanging during PAM keyboard-interactive authentications. ok djm@
4559 - (dtucker) [auth-passwd.c auth-sia.c auth-sia.h defines.h
4560 openbsd-compat/xcrypt.c] Bug #802: Fix build error on Tru64 when
4561 configured --with-osfsia. ok djm@
4564 - (djm) [configure.ac ssh-agent.c] Use prctl to prevent ptrace on ssh-agent
4568 - (tim) [configure.ac] Put back bits mistakenly removed from Rev 1.188
4571 - (dtucker) OpenBSD CVS Sync
4572 - djm@cvs.openbsd.org 2004/02/25 00:22:45
4575 - dtucker@cvs.openbsd.org 2004/02/27 22:42:47
4577 Prevent sshd from sending DH groups with a primitive generator of zero or
4578 one, even if they are listed in /etc/moduli. ok markus@
4579 - dtucker@cvs.openbsd.org 2004/02/27 22:44:56
4581 Make /etc/moduli line buffer big enough for 8kbit primes, in case anyone
4582 ever uses one. ok markus@
4583 - dtucker@cvs.openbsd.org 2004/02/27 22:49:27
4585 Reset bit counter at the right time, fixes debug output in the case where
4586 the DH group is rejected. ok markus@
4587 - dtucker@cvs.openbsd.org 2004/02/17 08:23:20
4588 [regress/Makefile regress/login-timeout.sh]
4589 Add regression test for LoginGraceTime; ok markus@
4590 - markus@cvs.openbsd.org 2004/02/24 16:56:30
4591 [regress/test-exec.sh]
4592 allow arguments in ${TEST_SSH_XXX}
4593 - markus@cvs.openbsd.org 2004/02/24 17:06:52
4594 [regress/ssh-com-client.sh regress/ssh-com-keygen.sh
4595 regress/ssh-com-sftp.sh regress/ssh-com.sh]
4596 test against recent ssh.com releases
4597 - dtucker@cvs.openbsd.org 2004/02/28 12:16:57
4598 [regress/dynamic-forward.sh]
4599 Make dynamic-forward understand nc's new output. ok markus@
4600 - dtucker@cvs.openbsd.org 2004/02/28 13:44:45
4601 [regress/try-ciphers.sh]
4602 Test acss too; ok markus@
4603 - (dtucker) [regress/try-ciphers.sh] Skip acss if not compiled in (eg if we
4604 built with openssl < 0.9.7)
4607 - (bal) KNF our sshlogin.c even if the code looks nothing like upstream
4608 code due to diversity issues.
4611 - (djm) Trim ChangeLog
4612 - (djm) Don't specify path to PAM modules in Redhat sshd.pam; from Fedora
4615 - (dtucker) OpenBSD CVS Sync
4616 - markus@cvs.openbsd.org 2004/02/19 21:15:04
4618 switch to new license.template
4619 - markus@cvs.openbsd.org 2004/02/23 12:02:33
4621 backout revision 1.279; set listen socket to non-block; ok henning.
4622 - markus@cvs.openbsd.org 2004/02/23 15:12:46
4624 encode 0 correctly in buffer_put_bignum2; noted by Mikulas Patocka
4625 and drop support for negative BNs; ok otto@
4626 - markus@cvs.openbsd.org 2004/02/23 15:16:46
4629 - (dtucker) [configure.ac gss-serv-krb5.c ssh-gss.h] Define GSSAPI when found
4630 with krb5-config, hunt down gssapi.h and friends. Based partially on patch
4631 from deengert at anl.gov. ok djm@
4632 - (djm) [groupaccess.c uidswap.c] Bug #787: Size group arrays at runtime
4633 using sysconf() if available. Based on patches from
4634 holger AT van-lengerich.de and openssh_bugzilla AT hockin.org
4635 - (dtucker) [uidswap.c] Minor KNF. ok djm@
4636 - (tim) [openbsd-compat/getrrsetbyname.c] Make gcc 2.7.2.3 happy. ok djm@
4637 - (djm) Crank RPM spec versions
4638 - (dtucker) [README] Add pointer to release notes. ok djm@
4639 - (dtucker) [README.platform] Add platform-specific notes.
4640 - (tim) [configure.ac] SCO3 needs -lcrypt_i for -lprot
4641 - (djm) Release 3.8p1
4644 - (dtucker) [session.c] Bug #789: Only make setcred call for !privsep in the
4645 non-interactive path. ok djm@
4648 - (dtucker) [auth-shadow.c auth.c auth.h] Move shadow account expiry test
4649 to auth-shadow.c, no functional change. ok djm@
4650 - (dtucker) [auth-shadow.c auth.h] Provide warnings of impending account or
4651 password expiry. ok djm@
4652 - (dtucker) [auth-passwd.c] Only check password expiry once. Prevents
4653 multiple warnings if a wrong password is entered.
4654 - (dtucker) [configure.ac] Apply krb5-config --libs fix to non-gssapi path
4658 - (djm) [openbsd-compat/setproctitle.c] fix comments; from grange@
4661 - (dtucker) [configure.ac] Handle case where krb5-config --libs returns a
4662 path with a "-" in it. From Sergio.Gelato at astro.su.se.
4663 - (djm) OpenBSD CVS Sync
4664 - djm@cvs.openbsd.org 2004/02/17 07:17:29
4665 [sftp-glob.c sftp.c]
4666 Remove useless headers; ok deraadt@
4667 - djm@cvs.openbsd.org 2004/02/17 11:03:08
4669 sftp.c and sftp-int.c, together at last; ok markus@
4670 - jmc@cvs.openbsd.org 2004/02/17 19:35:21
4672 remove cruft left over from RhostsAuthentication removal;
4674 - (djm) [log.c] Correct use of HAVE_OPENLOG_R
4675 - (djm) [log.c] Tighten openlog_r tests
4678 - (djm) Simplify the license on code I have written. No code changes.
4679 - (djm) OpenBSD CVS Sync
4680 - djm@cvs.openbsd.org 2004/02/17 05:39:51
4681 [sftp-client.c sftp-client.h sftp-glob.c sftp-glob.h sftp-int.c]
4683 switch to license.template for code written by me (belated, I know...)
4684 - (djm) Bug #698: Specify FILE: for KRB5CCNAME; patch from
4685 stadal@suse.cz and simon@sxw.org.uk
4686 - (dtucker) [auth-pam.c] Tidy up PAM debugging. ok djm@
4687 - (dtucker) [auth-pam.c] Store output from pam_session and pam_setcred for
4688 display after login. Should fix problems like pam_motd not displaying
4689 anything, noticed by cjwatson at debian.org. ok djm@
4692 - (tim) [Makefile.in regress/sftp-badcmds.sh regress/test-exec.sh]
4693 Portability fixes. Data sftp transfers needs to be world readable. Some
4694 older shells hang on while loops when doing sh -n some_script. OK dtucker@
4695 - (tim) [configure.ac] Make sure -lcrypto is before -lsocket for sco3.
4699 - (dtucker) [auth-passwd.c auth-shadow.c] Only enable shadow expiry check
4700 if HAS_SHADOW_EXPIRY is set.
4701 - (tim) [configure.ac] Fix comment to match code changes in ver 1.117
4704 - (dtucker) [auth-passwd.c auth.h openbsd-compat/port-aix.c
4705 openbsd-compat/port-aix.h] Bug #14: Use do_pwchange to support AIX's
4706 native password expiry.
4707 - (dtucker) [LICENCE Makefile.in auth-passwd.c auth-shadow.c auth.c auth.h
4708 defines.h] Bug #14: Use do_pwchange to support password expiry and force
4709 change for platforms using /etc/shadow. ok djm@
4710 - (dtucker) [openbsd-compat/fake-rfc2553.h] Bug #563: Prepend ssh_ to compat
4711 functions to avoid conflicts with Heimdal's libroken. ok djm@
4712 - (dtucker) [auth-pam.c auth-pam.h session.c] Bug #14: Use do_pwchange to
4713 change expired PAM passwords for SSHv1 connections without privsep.
4714 pam_chauthtok is still used when privsep is disabled. ok djm@
4715 - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Move
4716 include from port-aix.h to port-aix.c and remove unnecessary function
4717 definition. Fixes build errors on AIX.
4718 - (dtucker) [configure.ac loginrec.c] Bug #464: Use updwtmpx on platforms
4719 that support it. from & ok mouring@
4720 - (dtucker) [configure.ac] Bug #345: Do not disable utmp on HP-UX 10.x.
4724 - (dtucker) OpenBSD CVS Sync
4725 - dtucker@cvs.openbsd.org 2004/02/06 23:41:13
4727 Use EVP_CIPHER_CTX_key_length for key length. ok markus@
4728 (This will fix builds with OpenSSL 0.9.5)
4729 - (dtucker) [cipher.c] enable AES counter modes with OpenSSL 0.9.5.
4733 - (dtucker) [acss.c acss.h] Fix $Id tags.
4734 - (dtucker) [cipher-acss.c cipher.c] Enable acss only if building with
4735 OpenSSL >= 0.9.7. ok djm@
4736 - (dtucker) [session.c] Bug #789: Do not call do_pam_setcred as a non-root
4737 user, since some modules might fail due to lack of privilege. ok djm@
4738 - (dtucker) [configure.ac] Bug #748: Always define BROKEN_GETADDRINFO
4739 for HP-UX 11.11. If there are known-good configs where this is not
4740 required, please report them. ok djm@
4741 - (dtucker) [sshd.c] Bug #757: Clear child's environment to prevent
4742 accidentally inheriting from root's environment. ok djm@
4743 - (dtucker) [openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #796:
4744 Restore previous authdb setting after auth calls. Fixes problems with
4745 setpcred failing on accounts that use AFS or NIS password registries.
4746 - (dtucker) [configure.ac includes.h] Include <sys/stream.h> if present,
4747 required on Solaris 2.5.1 for queue_t, which is used by <sys/ptms.h>.
4748 - (dtucker) OpenBSD CVS Sync
4749 - markus@cvs.openbsd.org 2004/01/30 09:48:57
4750 [auth-passwd.c auth.h pathnames.h session.c]
4751 support for password change; ok dtucker@
4752 (set password-dead=1w in login.conf to use this).
4753 In -Portable, this is currently only platforms using bsdauth.
4754 - dtucker@cvs.openbsd.org 2004/02/05 05:37:17
4756 Pass SIGALRM through to privsep child if LoginGraceTime expires. ok markus@
4757 - markus@cvs.openbsd.org 2004/02/05 15:33:33
4759 fix ETA for > 4GB; bugzilla #791; ok henning@ deraadt@
4762 - (dtucker) OpenBSD CVS Sync regress/
4763 - dtucker@cvs.openbsd.org 2003/10/11 11:49:49
4764 [Makefile banner.sh]
4765 Test missing banner file, suppression of banner with ssh -q, check return
4766 code from ssh. ok markus@
4767 - jmc@cvs.openbsd.org 2003/11/07 10:16:44
4769 adress -> address, and a few more; all from Jonathon Gray;
4770 - djm@cvs.openbsd.org 2004/01/13 09:49:06
4772 - (dtucker) [configure.ac] Add --without-zlib-version-check. Feedback from
4774 - (dtucker) [configure.ac openbsd-compat/bsd-cray.c openbsd-compat/bsd-cray.h]
4775 Bug #775: Cray fixes from wendy at cray.com
4778 - (dtucker) [regress/README.regress] Add tcpwrappers issue, noted by tim@
4779 - (dtucker) [moduli] Import new moduli file from OpenBSD.
4782 - (djm) OpenBSD CVS Sync
4783 - hshoexer@cvs.openbsd.org 2004/01/23 17:06:03
4787 - mouring@cvs.openbsd.org 2004/01/23 17:57:48
4789 Fix issue pointed out with ls not handling large directories
4790 with embedded paths correctly. OK damien@
4791 - hshoexer@cvs.openbsd.org 2004/01/23 19:26:33
4793 rename acss@opebsd.org to acss@openssh.org
4795 - djm@cvs.openbsd.org 2004/01/25 03:49:09
4797 reset nonblocking flag after ConnectTimeout > 0 connect; (bugzilla #785)
4798 from jclonguet AT free.fr; ok millert@
4799 - djm@cvs.openbsd.org 2004/01/27 10:08:10
4801 reorder parsing so user:skey@host:file works (bugzilla #777)
4802 patch from admorten AT umich.edu; ok markus@
4803 - (djm) [acss.c acss.h cipher-acss.c] Portable support for ACSS
4804 if libcrypto lacks it
4807 - (tim) Typo in regress/README.regress
4808 - (tim) [regress/test-exec.sh] RhostsAuthentication is deprecated.
4809 - (tim) [defines.h] Add defines for HFIXEDSZ and T_SIG
4810 - (tim) [configure.ac includes.h] add <sys/ptms.h> for grantpt() and friends.
4811 - (tim) [defines.h openbsd-compat/getrrsetbyname.h] Move defines for HFIXEDSZ
4812 and T_SIG to getrrsetbyname.h
4815 - (djm) Typo in openbsd-compat/bsd-openpty.c; from wendyp AT cray.com
4818 - (djm) Do pam_session processing for systems with HAVE_LOGIN_CAP; from
4819 ralf.hack AT pipex.net; ok dtucker@
4820 - (djm) Bug #776: Update contrib/redhat/openssh.spec to dynamically detect
4821 Kerberos location (and thus work with Fedora Core 1);
4822 from jason AT devrandom.org
4823 - (dtucker) [configure.ac] Bug #788: Test for zlib.h presence and for
4824 zlib >= 1.1.4. Partly from jbasney at ncsa.uiuc.edu. ok djm@
4825 - (dtucker) [contrib/cygwin/README] Document new ssh-host-config options.
4826 Patch from vinschen at redhat.com.
4827 - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c]
4828 Change AFS symbol to USE_AFS to prevent namespace collisions, do not
4829 include kafs.h unless necessary. From deengert at anl.gov.
4830 - (tim) [configure.ac] Remove hard coded -L/usr/local/lib and
4831 -I/usr/local/include. Users can do LDFLAGS="-L/usr/local/lib" \
4832 CPPFLAGS="-I/usr/local/include" ./configure if needed.
4835 - (dtucker) [configure.ac] Use krb5-config where available for Kerberos/
4836 GSSAPI detection, libs and includes. ok djm@
4837 - (dtucker) [session.c] Enable AFS support in conjunction with KRB5 not
4839 - (tim) [contrib/solaris/buildpkg.sh] Allow for the possibility of
4840 /usr/local being a symbolic link. Fixes problem reported by Henry Grebler.
4843 - (djm) OpenBSD CVS Sync
4844 - djm@cvs.openbsd.org 2004/01/13 09:25:05
4845 [sftp-int.c sftp.1 sftp.c]
4846 Tidy sftp batchmode handling, eliminate junk to stderr (bugzilla #754) and
4847 enable use of "-b -" to accept batchfile from stdin; ok markus@
4848 - jmc@cvs.openbsd.org 2004/01/13 12:17:33
4850 remove unnecessary Ic's;
4851 kill whitespace at EOL;
4853 - markus@cvs.openbsd.org 2004/01/13 19:23:15
4854 [compress.c session.c]
4856 - markus@cvs.openbsd.org 2004/01/13 19:45:15
4858 cast for portability; millert@
4859 - markus@cvs.openbsd.org 2004/01/19 09:24:21
4861 fake consumption for half closed channels since the peer is waiting for
4862 window adjust messages; bugzilla #790 Matthew Dillon; test + ok dtucker@
4863 reproduce with sh -c 'ulimit -f 10; ssh host -n od /bsd | cat > foo'
4864 - markus@cvs.openbsd.org 2004/01/19 21:25:15
4865 [auth2-hostbased.c auth2-pubkey.c serverloop.c ssh-keysign.c sshconnect2.c]
4866 fix mem leaks; some fixes from Pete Flugstad; tested dtucker@
4867 - djm@cvs.openbsd.org 2004/01/21 03:07:59
4869 initialise infile in main, rather than statically - from portable
4870 - deraadt@cvs.openbsd.org 2004/01/11 21:55:06
4872 for pty opening, only use the openpty() path. the other stuff only needs
4873 to be in openssh-p; markus ok
4874 - (djm) [openbsd-compat/bsd-openpty.c] Rework old sshpty.c code into an
4875 openpty() replacement
4878 - (dtucker) [auth-pam.c] Have monitor die if PAM authentication thread exits
4879 unexpectedly. with & ok djm@
4880 - (dtucker) [auth-pam.c] Reset signal handler in pthread_cancel too, add
4881 test for case where cleanup has already run.
4882 - (dtucker) [auth-pam.c] Add minor debugging.
4885 - (dtucker) [auth-pam.c] Relocate struct pam_ctxt and prototypes. No
4889 - (dtucker) [auth-pam.c defines.h] Bug #783: move __unused to defines.h and
4890 only define if not already. From des at freebsd.org.
4891 - (dtucker) [configure.ac] Remove extra (typo) comma.
4894 - (dtucker) [contrib/ssh-copy-id] Bug #781: exit if ssh fails. Patch from
4895 cjwatson at debian.org.
4896 - (dtucker) [acconfig.h configure.ac includes.h servconf.c session.c]
4897 Only enable KerberosGetAFSToken if Heimdal's libkafs is found. with jakob@
4900 - (djm) OSX/Darwin needs BIND_8_COMPAT to build getrrsetbyname. Report from
4902 - (djm) Remove useless DNS support configure summary message. from jakob@
4903 - (djm) OSX/Darwin put the PAM headers in a different place, detect this.
4907 - (dtucker) OpenBSD CVS Sync
4908 - djm@cvs.openbsd.org 2003/12/22 09:16:58
4909 [moduli.c ssh-keygen.1 ssh-keygen.c]
4910 tidy up moduli generation debugging, add -v (verbose/debug) option to
4911 ssh-keygen; ok markus@
4912 - markus@cvs.openbsd.org 2003/12/22 20:29:55
4914 EVP_CIPHER_CTX_cleanup() for the des contexts; pruiksma@freesurf.fr
4915 - jakob@cvs.openbsd.org 2003/12/23 16:12:10
4916 [servconf.c servconf.h session.c sshd_config]
4917 implement KerberosGetAFSToken server option. ok markus@, beck@
4918 - millert@cvs.openbsd.org 2003/12/29 16:39:50
4920 KeepAlive has been obsoleted, use TCPKeepAlive instead; markus@ OK
4921 - dtucker@cvs.openbsd.org 2003/12/31 00:24:50
4923 Ignore password change request during password auth (which we currently
4924 don't support) and discard proposed new password. corrections/ok markus@
4925 - (dtucker) [configure.ac] Only test setresuid and setresgid if they exist.
4928 - (dtucker) [defines.h] Bug #458: Define SIZE_T_MAX as UINT_MAX if we
4929 typedef size_t ourselves.
4932 - (dtucker) [configure.ac] Don't use setre[ug]id on DG-UX, from Tom Orban.
4933 - (dtucker) [auth-pam.c] Do PAM chauthtok during SSH2 keyboard-interactive
4934 authentication. Partially fixes bug #423. Feedback & ok djm@
4937 - (djm) OpenBSD CVS Sync
4938 - markus@cvs.openbsd.org 2003/12/09 15:28:43
4940 make ClientKeepAlive work for ssh -N, too (no login shell requested).
4941 1) send a bogus channel request if we find a channel
4942 2) send a bogus global request if we don't have a channel
4944 - markus@cvs.openbsd.org 2003/12/09 17:29:04
4946 fix -o and HUP; ok henning@
4947 - markus@cvs.openbsd.org 2003/12/09 17:30:05
4949 don't modify argv for ssh -o; similar to sshd.c 1.283
4950 - markus@cvs.openbsd.org 2003/12/09 21:53:37
4951 [readconf.c readconf.h scp.1 servconf.c servconf.h sftp.1 ssh.1]
4952 [ssh_config.5 sshconnect.c sshd.c sshd_config.5]
4953 rename keepalive to tcpkeepalive; the old name causes too much
4954 confusion; ok djm, dtucker; with help from jmc@
4955 - dtucker@cvs.openbsd.org 2003/12/09 23:45:32
4957 Clear exit code when ssh -N is terminated with a SIGTERM. ok markus@
4958 - markus@cvs.openbsd.org 2003/12/14 12:37:21
4960 we don't support GSS KEX; from Simon Wilkinson
4961 - markus@cvs.openbsd.org 2003/12/16 15:49:51
4962 [clientloop.c clientloop.h readconf.c readconf.h scp.1 sftp.1 ssh.1]
4963 [ssh.c ssh_config.5]
4964 application layer keep alive (ServerAliveInterval ServerAliveCountMax)
4965 for ssh(1), similar to the sshd(8) option; ok beck@; with help from
4967 - markus@cvs.openbsd.org 2003/12/16 15:51:54
4969 use <= instead of < in dh_estimate; ok provos/hshoexer;
4970 do not return < DH_GRP_MIN
4971 - (dtucker) [acconfig.h configure.ac uidswap.c] Bug #645: Check for
4972 setres[ug]id() present but not implemented (eg some Linux/glibc
4974 - (bal) [openbsd-compat/bsd-misc.c] unset 'signal' defined if we are
4975 using a real 'signal()' (Noticed by a NeXT Compile)
4978 - (dtucker) OpenBSD CVS Sync
4979 - matthieu@cvs.openbsd.org 2003/11/25 23:10:08
4981 ssh-add doesn't need to be a descendant of ssh-agent. Ok markus@, jmc@.
4982 - djm@cvs.openbsd.org 2003/11/26 21:44:29
4984 fix #ifdef before #define; ok markus@
4985 (RCS ID sync only, Portable already had this)
4986 - markus@cvs.openbsd.org 2003/12/02 12:15:10
4988 improvements from andreas@:
4989 * saner speed estimate for transfers that take less than a second by
4990 rounding the time to 1 second.
4991 * when the transfer is finished calculate the actual total speed
4992 rather than the current speed which is given during the transfer
4993 - markus@cvs.openbsd.org 2003/12/02 17:01:15
4994 [channels.c session.c ssh-agent.c ssh.h sshd.c]
4995 use SSH_LISTEN_BACKLOG (=128) in listen(2).
4996 - djm@cvs.openbsd.org 2003/12/07 06:34:18
4998 remove unused debugging #define templates
4999 - markus@cvs.openbsd.org 2003/12/08 11:00:47
5001 print requested group size in debug; ok djm
5002 - dtucker@cvs.openbsd.org 2003/12/09 13:52:55
5004 Prevent ssh-keygen -T from outputting moduli with a generator of 0, since
5005 they can't be used for Diffie-Hellman. Assistance and ok djm@
5006 - (dtucker) [ssh-keyscan.c] Sync RCSIDs, missed in SSH_SSFDMAX change below.
5009 - (tim) [configure.ac] Bug 770. Fix --without-rpath.
5012 - (djm) [canohost.c] Move IPv4inV6 mapped address normalisation to its own
5013 function and call it unconditionally
5014 - (djm) OpenBSD CVS Sync
5015 - djm@cvs.openbsd.org 2003/11/23 23:17:34
5017 from portable - use sysconf to detect fd limit; ok markus@
5018 (tidy diff by adding SSH_SSFDMAX macro to defines.h)
5019 - djm@cvs.openbsd.org 2003/11/23 23:18:45
5021 consistency PATH_MAX -> MAXPATHLEN; ok markus@
5023 - djm@cvs.openbsd.org 2003/11/23 23:21:21
5025 from portable: rename clashing variable limit-> limit_rate; ok markus@
5027 - dtucker@cvs.openbsd.org 2003/11/24 00:16:35
5029 Make ssh -k mean GSSAPIDelegateCredentials=no. Suggestion & ok markus@
5030 - (djm) Annotate OpenBSD-derived files in openbsd-compat/ with original
5031 source file path (in OpenBSD tree).
5034 - (dtucker) [channels.c] Make AIX write limit code clearer. Suggested by djm@
5035 - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c openbsd-compat/port-aix.h]
5036 Move AIX specific password authentication code to port-aix.c, call
5037 authenticate() until reenter flag is clear.
5038 - (dtucker) [auth-sia.c configure.ac] Tru64 update from cmadams at hiwaay.net.
5039 Use permanently_set_uid for SIA, only define DISABLE_FD_PASSING when SIA
5040 is enabled, rely on SIA to check for locked accounts if enabled. ok djm@
5041 - (djm) [scp.c] Rename limitbw -> limit_rate to match upstreamed patch
5042 - (djm) [sftp-int.c] Remove duplicated code from bogus sync
5043 - (djm) [packet.c] Shuffle #ifdef to reduce conditionally compiled code
5046 - (djm) OpenBSD CVS Sync
5047 - markus@cvs.openbsd.org 2003/11/20 11:39:28
5049 fix rounding errors; from andreas@
5050 - djm@cvs.openbsd.org 2003/11/21 11:57:03
5052 unexpand and delete whitespace at EOL; ok markus@
5053 (done locally and RCS IDs synced)
5056 - (djm) Fix early exit for root auth success when UsePAM=yes and
5058 - (dtucker) [auth-pam.c] Convert chauthtok_conv into a generic tty_conv,
5059 and use it for do_pam_session. Fixes problems like pam_motd not
5060 displaying anything. ok djm@
5061 - (dtucker) [auth-pam.c] Only use pam_putenv if our platform has it. ok djm@
5062 - (djm) OpenBSD CVS Sync
5063 - dtucker@cvs.openbsd.org 2003/11/18 00:40:05
5065 Correct check for authctxt->valid. ok djm@
5066 - djm@cvs.openbsd.org 2003/11/18 10:53:07
5068 unbreak fake authloop for non-existent users (my screwup). Spotted and
5069 tested by dtucker@; ok markus@
5072 - (djm) OpenBSD CVS Sync
5073 - djm@cvs.openbsd.org 2003/11/03 09:03:37
5075 make this a little more idiot-proof; ok markus@
5076 (includes portable-specific changes)
5077 - jakob@cvs.openbsd.org 2003/11/03 09:09:41
5079 move changed key warning into warn_changed_key(). ok markus@
5080 - jakob@cvs.openbsd.org 2003/11/03 09:37:32
5082 do not free static type pointer in warn_changed_key()
5083 - djm@cvs.openbsd.org 2003/11/04 08:54:09
5084 [auth1.c auth2.c auth2-pubkey.c auth.h auth-krb5.c auth-passwd.c]
5085 [auth-rhosts.c auth-rh-rsa.c auth-rsa.c monitor.c serverloop.c]
5087 standardise arguments to auth methods - they should all take authctxt.
5088 check authctxt->valid rather than pw != NULL; ok markus@
5089 - jakob@cvs.openbsd.org 2003/11/08 16:02:40
5091 remove unused variable (pw). ok djm@
5092 (id sync only - still used in portable)
5093 - jmc@cvs.openbsd.org 2003/11/08 19:17:29
5095 typos from Jonathon Gray;
5096 - jakob@cvs.openbsd.org 2003/11/10 16:23:41
5097 [bufaux.c bufaux.h cipher.c cipher.h hostfile.c hostfile.h key.c]
5098 [key.h sftp-common.c sftp-common.h sftp-server.c sshconnect.c sshd.c]
5099 [ssh-dss.c ssh-rsa.c uuencode.c uuencode.h]
5100 constify. ok markus@ & djm@
5101 - dtucker@cvs.openbsd.org 2003/11/12 10:12:15
5103 When called with -q, pass -q to ssh; suppresses SSH2 banner. ok markus@
5104 - jakob@cvs.openbsd.org 2003/11/12 16:39:58
5105 [dns.c dns.h readconf.c ssh_config.5 sshconnect.c]
5106 update SSHFP validation. ok markus@
5107 - jmc@cvs.openbsd.org 2003/11/12 20:14:51
5109 make verb agree with subject, and kill some whitespace;
5110 - markus@cvs.openbsd.org 2003/11/14 13:19:09
5112 cleanup and minor fixes for the client code; from Simon Wilkinson
5113 - djm@cvs.openbsd.org 2003/11/17 09:45:39
5114 [msg.c msg.h sshconnect2.c ssh-keysign.c]
5115 return error on msg send/receive failure (rather than fatal); ok markus@
5116 - markus@cvs.openbsd.org 2003/11/17 11:06:07
5117 [auth2-gss.c gss-genr.c gss-serv.c monitor.c monitor.h monitor_wrap.c]
5118 [monitor_wrap.h sshconnect2.c ssh-gss.h]
5119 replace "gssapi" with "gssapi-with-mic"; from Simon Wilkinson;
5121 - (djm) Bug #632: Don't call pam_end indirectly from within kbd-int
5122 conversation function
5123 - (djm) Export environment variables from authentication subprocess to
5124 parent. Part of Bug #717
5127 - (dtucker) [regress/agent-ptrace.sh] Test for GDB output from Solaris and
5128 HP-UX, skip test on AIX.
5131 - (dtucker) [auth-pam.c] Append newlines to lines output by the
5132 pam_chauthtok_conv().
5133 - (dtucker) [README ssh-host-config ssh-user-config Makefile] (All
5134 contrib/cygwin). Major update from vinschen at redhat.com.
5135 - Makefile provides a `cygwin-postinstall' target to run right after
5137 - Better support for Windows 2003 Server.
5138 - Try to get permissions as correct as possible.
5139 - New command line options to allow full automated host configuration.
5140 - Create configs from skeletons in /etc/defaults/etc.
5141 - Use /bin/bash, allows reading user input with readline support.
5142 - Remove really old configs from /usr/local.
5143 - (dtucker) [auth-pam.c] Add newline to accumulated PAM_TEXT_INFO and
5144 PAM_ERROR_MSG messages.
5147 - (djm) Clarify UsePAM consequences a little more
5150 - (dtucker) [contrib/cygwin/ssh-host-config] Ensure entries in /etc/services
5151 are created correctly with CRLF line terminations. Patch from vinschen at
5153 - (dtucker) OpenBSD CVS Sync
5154 - markus@cvs.openbsd.org 2003/10/15 09:48:45
5156 check pmonitor != NULL
5157 - markus@cvs.openbsd.org 2003/10/21 09:50:06
5159 make sure the doid is larger than 2
5160 - avsm@cvs.openbsd.org 2003/10/26 16:57:43
5162 rename 'supported' static var in userauth_gssapi() to 'gss_supported'
5163 to avoid shadowing the global version. markus@ ok
5164 - markus@cvs.openbsd.org 2003/10/28 09:08:06
5166 error->debug for getsockopt+TCP_NODELAY; several requests
5167 - markus@cvs.openbsd.org 2003/11/02 11:01:03
5168 [auth2-gss.c compat.c compat.h sshconnect2.c]
5169 remove support for SSH_BUG_GSSAPI_BER; simon@sxw.org.uk
5170 - (dtucker) [regress/agent-ptrace.sh] Use numeric uid and gid.
5173 - (dtucker) [INSTALL] Some system crypt() functions support MD5 passwords
5174 directly. Noted by Darren.Moffat at sun.com.
5175 - (dtucker) [regress/agent-ptrace.sh] Skip agent-test unless SUDO is set,
5176 make agent setgid during test.
5179 - (dtucker) [INSTALL] Note that --with-md5 is now required on platforms with
5180 MD5 passwords even if PAM support is enabled. From steev at detritus.net.
5183 - (dtucker) OpenBSD CVS Sync
5184 - jmc@cvs.openbsd.org 2003/10/08 08:27:36
5185 [scp.1 scp.c sftp-server.8 sftp.1 sftp.c ssh.1 sshd.8]
5186 scp and sftp: add options list and sort options. options list requested
5188 sshd: use same format as ssh
5189 ssh: remove wrong option from list
5190 sftp-server: Subsystem is documented in ssh_config(5), not sshd(8)
5192 - markus@cvs.openbsd.org 2003/10/08 15:21:24
5193 [readconf.c ssh_config.5]
5194 default GSS API to no in client, too; ok jakob, deraadt@
5195 - markus@cvs.openbsd.org 2003/10/11 08:24:08
5196 [readconf.c readconf.h ssh.1 ssh.c ssh_config.5]
5197 remote x11 clients are now untrusted by default, uses xauth(8) to generate
5198 untrusted cookies; ForwardX11Trusted=yes restores old behaviour.
5199 ok deraadt; feedback and ok djm/fries
5200 - markus@cvs.openbsd.org 2003/10/11 08:26:43
5202 search keys in reverse order; fixes #684
5203 - markus@cvs.openbsd.org 2003/10/11 11:36:23
5205 return NULL for missing banner; ok djm@
5206 - jmc@cvs.openbsd.org 2003/10/12 13:12:13
5208 note that EnableSSHKeySign should be in the non-hostspecific section;
5209 remove unnecessary .Pp;
5211 - markus@cvs.openbsd.org 2003/10/13 08:22:25
5213 don't refer to options related to forwarding; ok jmc@
5214 - jakob@cvs.openbsd.org 2003/10/14 19:42:10
5215 [dns.c dns.h readconf.c ssh-keygen.c sshconnect.c]
5216 include SSHFP lookup code (not enabled by default). ok markus@
5217 - jakob@cvs.openbsd.org 2003/10/14 19:43:23
5220 - markus@cvs.openbsd.org 2003/10/14 19:54:39
5221 [session.c ssh-agent.c]
5222 10X for mkdtemp; djm@
5223 - (dtucker) [acconfig.h configure.ac dns.c openbsd-compat/getrrsetbyname.c
5224 openbsd-compat/getrrsetbyname.h] DNS fingerprint support is now always
5225 compiled in but disabled in config.
5226 - (dtucker) [auth.c] Check for disabled password expiry on HP-UX Trusted Mode.
5227 - (tim) [regress/banner.sh] portability fix.
5230 - (dtucker) [sshd_config.5] UsePAM defaults to "no". ok djm@
5233 - (dtucker) OpenBSD CVS Sync
5234 - dtucker@cvs.openbsd.org 2003/10/07 01:47:27
5236 Don't use logit for banner, since it truncates to MSGBUFSIZ; bz #668 &
5238 - djm@cvs.openbsd.org 2003/10/07 07:04:16
5240 sftp quoting fix from admorten AT umich.edu; ok markus@
5241 - deraadt@cvs.openbsd.org 2003/10/07 21:58:28
5243 set ptr to NULL after free
5244 - dtucker@cvs.openbsd.org 2003/10/07 01:52:13
5245 [regress/Makefile regress/banner.sh]
5246 Test SSH2 banner. ok markus@
5247 - djm@cvs.openbsd.org 2003/10/07 07:04:52
5248 [regress/sftp-cmds.sh]
5249 more sftp quoting regress tests; ok markus
5252 - (djm) Delete autom4te.cache after autoreconf
5253 - (dtucker) [auth-pam.c auth-pam.h session.c] Make PAM use the new static
5254 cleanup functions. With & ok djm@
5255 - (dtucker) [contrib/redhat/openssh.spec] Bug #714: Now that UsePAM is a
5256 run-time switch, always build --with-md5-passwords.
5257 - (dtucker) [configure.ac openbsd-compat/Makefile.in openbsd-compat/strtoul.c]
5258 Bug #670: add strtoul() to openbsd-compat for platforms lacking it. ok djm@
5259 - (dtucker) [configure.ac] Bug #715: Set BROKEN_SETREUID and BROKEN_SETREGID
5260 on Reliant Unix. Patch from Robert.Dahlem at siemens.com.
5261 - (dtucker) [configure.ac] Bug #710: Check for dlsym() in libdl on
5262 Reliant Unix. Based on patch from Robert.Dahlem at siemens.com.
5265 - (dtucker) OpenBSD CVS Sync
5266 - markus@cvs.openbsd.org 2003/10/02 10:41:59
5268 print openssl version, too, several requests; ok henning/djm.
5269 - markus@cvs.openbsd.org 2003/10/02 08:26:53
5271 missing $OpenBSD:; dtucker
5272 - (tim) [contrib/caldera/openssh.spec] Remove obsolete --with-ipv4-default
5276 - (dtucker) OpenBSD CVS Sync
5277 - markus@cvs.openbsd.org 2003/09/23 20:17:11
5278 [Makefile.in auth1.c auth2.c auth.c auth.h auth-krb5.c canohost.c
5279 cleanup.c clientloop.c fatal.c gss-serv.c log.c log.h monitor.c monitor.h
5280 monitor_wrap.c monitor_wrap.h packet.c serverloop.c session.c session.h
5282 replace fatal_cleanup() and linked list of fatal callbacks with static
5283 cleanup_exit() function. re-refine cleanup_exit() where appropriate,
5284 allocate sshd's authctxt early to allow simpler cleanup in sshd.
5285 tested by many, ok deraadt@
5286 - markus@cvs.openbsd.org 2003/09/23 20:18:52
5288 don't print trailing \0; bug #709; Robert.Dahlem@siemens.com
5290 - markus@cvs.openbsd.org 2003/09/23 20:41:11
5291 [channels.c channels.h clientloop.c]
5292 move client only agent code to clientloop.c
5293 - markus@cvs.openbsd.org 2003/09/26 08:19:29
5295 no need to set the listen sockets to non-block; ok deraadt@
5296 - jmc@cvs.openbsd.org 2003/09/29 11:40:51
5298 - add list of options to -o and .Xr ssh_config(5)
5299 - some other cleanup
5300 requested by deraadt@;
5302 - markus@cvs.openbsd.org 2003/09/29 20:19:57
5303 [servconf.c sshd_config]
5304 GSSAPICleanupCreds -> GSSAPICleanupCredentials
5305 - (dtucker) [configure.ac] Don't set DISABLE_SHADOW when configuring
5307 - (dtucker) [ssh-gss.h] Prototype change missed in sync.
5308 - (dtucker) [session.c] Fix bus errors on some 64-bit Solaris configurations.
5309 Based on patches by Matthias Koeppe and Thomas Baden. ok djm@
5312 - (bal) Fix issues in openbsd-compat/realpath.c
5315 - (dtucker) [configure.ac openbsd-compat/xcrypt.c] Bug #633: Remove
5316 DISABLE_SHADOW for HP-UX, use getspnam instead of getprpwnam. Patch from
5317 michael_steffens at hp.com, ok djm@
5318 - (tim) [sshd_config] UsePAM defaults to no.
5321 - (djm) Update version.h and spec files for HEAD
5322 - (dtucker) [configure.ac] IRIX5 needs the same setre[ug]id defines as IRIX6.
5325 - (dtucker) [Makefile.in] Bug #644: Fix "make clean" for out-of-tree
5326 builds. Portability corrections from tim@.
5327 - (dtucker) [configure.ac] Bug #665: uid swapping issues on Mac OS X.
5328 Patch from max at quendi.de.
5329 - (dtucker) [configure.ac] Bug #657: uid swapping issues on BSDi.
5330 - (dtucker) [configure.ac] Bug #653: uid swapping issues on Tru64.
5331 - (dtucker) [configure.ac] Bug #693: uid swapping issues on NCR MP-RAS.
5332 Patch from david.haughton at ncr.com
5333 - (dtucker) [configure.ac] Bug #659: uid swapping issues on IRIX 6.
5334 Part of patch supplied by bugzilla-openssh at thewrittenword.com
5335 - (dtucker) [configure.ac openbsd-compat/fake-rfc2553.c
5336 openbsd-compat/fake-rfc2553.h] Bug #659: Test for and handle systems with
5337 where gai_strerror is defined as "const char *". Part of patch supplied
5338 by bugzilla-openssh at thewrittenword.com
- (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config] Update
ssh-host-config to match current defaults, bump README version. Patch from
vinschen at redhat.com.
- (dtucker) [uidswap.c] Don't test restoration of uid on Cygwin since the
OS does not support permanently dropping privileges. Patch from
vinschen at redhat.com.
- (dtucker) [openbsd-compat/port-aix.c] Use correct include for xmalloc.h,
add canohost.h to stop warning. Based on patch from openssh-unix-dev at
- (dtucker) [INSTALL] Bug #686: Document requirement for zlib 1.1.4 or
- (tim) Fix typo. s/SETEIUD_BREAKS_SETUID/SETEUID_BREAKS_SETUID/
- (tim) [configure.ac] Bug 665: move 3 new AC_DEFINES outside of AC_TRY_RUN.
Report by distler AT golem ph utexas edu.
- (dtucker) [contrib/aix/pam.conf] Include example pam.conf for AIX from
article by genty at austin.ibm.com, included with the author's permission.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/09/18 07:52:54
missing {}; bug #656; jclonguet at free.fr
- markus@cvs.openbsd.org 2003/09/18 07:54:48
protect against double free; #660; zardoz at users.sf.net
- markus@cvs.openbsd.org 2003/09/18 07:56:05
missing buffer_free(&encrypted); #662; zardoz at users.sf.net
- markus@cvs.openbsd.org 2003/09/18 08:49:45
[deattack.c misc.c session.c ssh-agent.c]
more buffer allocation fixes; from Solar Designer; CAN-2003-0682;
- miod@cvs.openbsd.org 2003/09/18 13:02:21
[authfd.c bufaux.c dh.c mac.c ssh-keygen.c]
A few signedness fixes for harmless situations; markus@ ok
- markus@cvs.openbsd.org 2003/09/19 09:02:02
buffer_dump only if PACKET_DEBUG is defined; Jedi/Sector One; pr 3471
- markus@cvs.openbsd.org 2003/09/19 09:03:00
sign fix in buffer_dump; Jedi/Sector One; pr 3473
- markus@cvs.openbsd.org 2003/09/19 11:29:40
provide a ssh-agent specific fatal() function; ok deraadt
- markus@cvs.openbsd.org 2003/09/19 11:30:39
avoid fatal_cleanup, just call exit(); ok deraadt
- markus@cvs.openbsd.org 2003/09/19 11:31:33
do not call channel_free_all on fatal; ok deraadt
- markus@cvs.openbsd.org 2003/09/19 11:33:09
do not call packet_close on fatal; ok deraadt
- markus@cvs.openbsd.org 2003/09/19 17:40:20
error handling for remote-remote copy; #638; report Harald Koenig;
ok millert, fgs, henning, deraadt
- markus@cvs.openbsd.org 2003/09/19 17:43:35
[clientloop.c sshtty.c sshtty.h]
remove fatal callbacks from client code; ok deraadt
- (bal) "extration" -> "extraction" in ssh-rand-helper.c; reported by john
- (tim) [configure.ac] add --disable-etc-default-login option. ok djm
- (djm) Sync with V_3_7 branch:
- (djm) Fix SSH1 challenge kludge
- (djm) Bug #671: Fix builds on OpenBSD
- (djm) Bug #676: Fix PAM stack corruption
- (djm) Fix bad free() in PAM code
- (djm) Don't call pam_end before pam_init
- (djm) Enable build with old OpenSSL again
- (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu