- (djm) Bug #629: Mark ssh_config option "pamauthenticationviakbdint"
as deprecated. Remove mention from README.privsep. Patch from
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/08/22 10:56:09
[auth2.c auth2-gss.c auth.h compat.c compat.h gss-genr.c gss-serv-krb5.c
gss-serv.c monitor.c monitor.h monitor_wrap.c monitor_wrap.h readconf.c
readconf.h servconf.c servconf.h session.c session.h ssh-gss.h
ssh_config.5 sshconnect2.c sshd_config sshd_config.5]
support GSS API user authentication; patches from Simon Wilkinson,
stripped down and tested by Jakob and myself.
- markus@cvs.openbsd.org 2003/08/22 13:20:03
remove support for "kerberos-2@ssh.com"
- markus@cvs.openbsd.org 2003/08/22 13:22:27
[auth2.c] (auth2-krb5.c removed)
nuke "kerberos-2@ssh.com"
- (dtucker) [Makefile.in acconfig.h auth-krb5.c auth-pam.c auth-pam.h
configure.ac defines.h gss-serv-krb5.c session.c ssh-gss.h sshconnect1.c
sshconnect2.c] Add Portable GSSAPI support, patch by Simon Wilkinson.
- (djm) Bug #621: Select OpenSC keys by usage attributes. Patch from
- (bal) openbsd-compat/ OpenBSD updates. Mostly licensing, ansifications
and minor fixes. OK djm@
- (bal) redo how we handle 'mysignal()'. Move it to
openbsd-compat/bsd-misc.c, s/mysignal/signal/ and #define signal to
be our 'mysignal' by default. OK djm@
- (dtucker) [acconfig.h auth.c configure.ac sshd.8] Bug #422 again: deny
any access to locked accounts. ok djm@
- (djm) Bug #564: Perform PAM account checks for all authentications when
UsePAM=yes; ok dtucker
- (dtucker) [configure.ac] Bug #533, #551: define BROKEN_GETADDRINFO on
Tru64, solves getnameinfo and "bad addr or host" errors. ok djm@
- (dtucker) [README buildbff.sh inventory.sh] (all in contrib/aix)
Update package builder: correctly handle config variables, use lsuser
rather than /etc/passwd, fix typos, add Id's.
- (djm) s/get_progname/ssh_get_progname/g to avoid conflict with Heimdal
- (dtucker) [contrib/cygwin/ssh-user-config] Put keys in authorized_keys
rather than authorized_keys2. Patch from vinschen@redhat.com.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/08/14 16:08:58
exit after primetest, ok djm@
- (dtucker) [defines.h] Put CMSG_DATA, CMSG_FIRSTHDR with other CMSG* macros,
change CMSG_DATA to use __CMSG_ALIGN (and thus work properly), reformat for
- (dtucker) [configure.ac] Move openpty/ctty test outside of case statement
and after normal openpty test.
- (dtucker) [session.c] Remove #ifdef TIOCSBRK kludge.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/08/13 08:33:02
use more portable tcsendbreak(3) and ignore break_length;
- markus@cvs.openbsd.org 2003/08/13 08:46:31
[auth1.c readconf.c readconf.h servconf.c servconf.h ssh.c ssh_config
ssh_config.5 sshconnect1.c sshd.8 sshd.c sshd_config sshd_config.5]
remove RhostsAuthentication; suggested by djm@ before; ok djm@, deraadt@,
fgsch@, miod@, henning@, jakob@ and others
- markus@cvs.openbsd.org 2003/08/13 09:07:10
socks4->socks, since we support both 4 and 5; dtucker@zip.com.au
- (dtucker) [configure.ac openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
Add a tcsendbreak function for platforms that don't have one, based on the
- (dtucker) OpenBSD CVS Sync
(thanks to Simon Wilkinson for help with this -dt)
- markus@cvs.openbsd.org 2003/07/16 15:02:06
mcc -> fcc; from Love Hörnquist Åstrand <lha@it.su.se>
otherwise the kerberos credential is stored in a memory cache
in the privileged sshd. ok jabob@, hin@ (some time ago)
- (dtucker) [openbsd-compat/xcrypt.c] Remove Cygwin #ifdef block (duplicate
in bsd-cygwin_util.h).
- (dtucker) [openbsd-compat/fake-rfc2553.h] Older Linuxes have AI_PASSIVE and
AI_CANONNAME in netdb.h but not AI_NUMERICHOST, so check each definition
separately before defining them.
- (dtucker) [auth-pam.c] Don't set PAM_TTY if tty is null. ok djm@
- (dtucker) [session.c] Have session_break_req not attempt to send a break
if TIOCSBRK and TIOCCBRK are not defined (eg Cygwin).
- (dtucker) [canohost.c] Bug #336: Only check ip options if IP_OPTIONS is
defined (fixes compile error on really old Linuxes).
- (dtucker) [defines.h] Bug #336: Add CMSG_DATA and CMSG_FIRSTHDR macros if
not already defined (eg Linux with some versions of libc5), based on those
- (dtucker) [openbsd-compat/bsd-cygwin_util.c openbsd-compat/bsd-cygwin_util.h]
Remove incorrect filenames from comments (file names are in Id tags).
- (dtucker) [session.c openbsd-compat/bsd-cygwin_util.h] Move Cygwin
specific defines and includes to bsd-cygwin_util.h. Fixes build error too.
- (dtucker) [monitor.h monitor_wrap.h] Remove excess ident tags.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/22 13:35:22
[auth1.c auth.h auth-passwd.c monitor.c monitor.h monitor_wrap.c
monitor_wrap.h readconf.c readconf.h servconf.c servconf.h session.c ssh.1
ssh.c ssh_config.5 sshconnect1.c sshd.c sshd_config.5 ssh.h]
remove (already disabled) KRB4/AFS support, re-enable -k in ssh(1);
- (dtucker) [Makefile.in acconfig.h configure.ac] Remove KRB4/AFS support.
- (dtucker) [auth-krb4.c radix.c radix.h] Remove KRB4/AFS specific files.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/23 07:42:43
- djm@cvs.openbsd.org 2003/07/28 09:49:56
[ssh-keygen.1 ssh-keygen.c]
Support for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen.
Based on code from Phil Karn, William Allen Simpson and Niels Provos.
ok markus@, thanks jmc@
- markus@cvs.openbsd.org 2003/07/29 18:24:00
[LICENCE progressmeter.c]
replace 4 clause BSD licensed progressmeter code with a replacement
from Nils Nordman and myself; ok deraadt@
(copied from OpenBSD and re-applied portable changes)
- markus@cvs.openbsd.org 2003/07/29 18:26:46
fix length for "- stalled -" (included with previous import)
- markus@cvs.openbsd.org 2003/07/30 07:44:14
use only 4 digits in format_size (included with previous import)
- markus@cvs.openbsd.org 2003/07/30 07:53:27
whitespace (included with previous import)
- markus@cvs.openbsd.org 2003/07/31 09:21:02
check whether passwd auth is allowed, similar to proto 1; rob@pitman.co.za
- avsm@cvs.openbsd.org 2003/07/31 15:50:16
correct comment: atomicio takes vwrite, not write; deraadt@ ok
- markus@cvs.openbsd.org 2003/07/31 22:34:03
print rate similar old version; round instead truncate;
(included in previous progressmeter.c commit)
- (dtucker) [openbsd-compat/bsd-misc.c openbsd-compat/bsd-misc.h]
Add a tcgetpgrp function.
- (dtucker) [Makefile.in moduli.c moduli.h] Add new files and to Makefile.
- (dtucker) [openbsd-compat/bsd-misc.c] Fix cut-and-paste bug in tcgetpgrp.
- (djm) [auth-pam.c] Don't use crappy APIs like sprintf. Thanks bal
- (dtucker) [openbsd-compat/xcrypt.c] Fix typo: DISABLED_SHADOW ->
DISABLE_SHADOW. Fixes HP-UX compile error.
- (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.c
openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface,
and isolate shadow password functions. Tested in Solaris, but should
not break other platforms too badly (except maybe HP =). Also brings
auth-passwd.c into full sync with OpenBSD tree.
- (dtucker) [configure.ac] Back out change for bug #620.
- (dtucker) [configure.ac] Bug #620: Define BROKEN_GETADDRINFO for
Solaris/x86. Patch from jrhett at isite.net.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/07/14 12:36:37
remove undocumented -V option. would be only useful if openssh is used
as ssh v1 server for ssh.com's ssh v2.
- markus@cvs.openbsd.org 2003/07/16 10:34:53
don't exit on multiple -v or -d; ok deraadt@
- markus@cvs.openbsd.org 2003/07/16 10:36:28
clear IUCLC in enter_raw_mode; from rob@pitman.co.za; ok deraadt@, fgs@
- deraadt@cvs.openbsd.org 2003/07/18 01:54:25
userid is unsigned, but well, force it anyways; andrushock@korovino.net
- djm@cvs.openbsd.org 2003/07/19 00:45:53
fix sftp filename parsing for arguments with escaped quotes. bz #517;
- djm@cvs.openbsd.org 2003/07/19 00:46:31
[regress/sftp-cmds.sh]
regress test for sftp arguments with escaped quotes; ok markus
- (dtucker) [acconfig.h configure.ac port-aix.c] Older AIXes don't declare
loginfailed at all, so assume 3-arg loginfailed if not declared.
- (dtucker) [port-aix.h] Work around name collision on AIX for r_type by
- (dtucker) Bug #543: [configure.ac port-aix.c port-aix.h]
Call setauthdb() before loginfailed(), which may load password registry-
specific functions. Based on patch by cawlfiel at us.ibm.com.
- (dtucker) [port-aix.h] Fix prototypes.
- (dtucker) OpenBSD CVS Sync
- avsm@cvs.openbsd.org 2003/07/09 13:58:19
minor tweak: when generating the hex fingerprint, give strlcat the full
bound to the buffer, and add a comment below explaining why the
zero-termination is one less than the bound. markus@ ok
- markus@cvs.openbsd.org 2003/07/10 14:42:28
the 2^(blocksize*2) rekeying limit is too expensive for 3DES,
blowfish, etc, so enforce a 1GB limit for small blocksizes.
- markus@cvs.openbsd.org 2003/07/10 20:05:55
sync usage with manpage, add missing -R
- (dtucker) [acconfig.h auth-passwd.c configure.ac session.c port-aix.[ch]]
Include AIX headers for authentication functions and make calls match
prototypes. Test for and handle 3-arg and 4-arg variants of loginfailed.
- (dtucker) [session.c] Check return value of setpcred().
- (dtucker) [auth-passwd.c auth.c session.c sshd.c port-aix.c port-aix.h]
Convert aixloginmsg into platform-independent Buffer loginmsg.
- (dtucker) [configure.ac] Bug #600: Check that getrusage is declared before
searching libraries for it. Fixes build errors on NCR MP-RAS.
- (dtucker) [ssh-rand-helper.c loginrec.c]
Apply atomicio typing change to these too.
- (dtucker) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/06/28 07:48:10
report pidfile creation errors, based on patch from Roumen Petrov;
- deraadt@cvs.openbsd.org 2003/06/28 16:23:06
[atomicio.c atomicio.h authfd.c clientloop.c monitor_wrap.c msg.c
progressmeter.c scp.c sftp-client.c ssh-keyscan.c ssh.h sshconnect.c
deal with typing of write vs read in atomicio
- markus@cvs.openbsd.org 2003/06/29 12:44:38
memset 0, not \0; andrushock@korovino.net
- markus@cvs.openbsd.org 2003/07/02 12:56:34
deny dynamic forwarding with -R for v1, too; ok djm@
- markus@cvs.openbsd.org 2003/07/02 14:51:16
[channels.c ssh.1 ssh_config.5]
(re)add socks5 support to -D; ok djm@
now ssh(1) can act both as a socks 4 and socks 5 server and
dynamically forward ports.
- markus@cvs.openbsd.org 2003/07/02 20:37:48
convert hostkeyalias to lowercase, otherwise uppercase aliases will
not match at all; ok henning@
- markus@cvs.openbsd.org 2003/07/03 08:21:46
[regress/dynamic-forward.sh]
add socks5; speedup; reformat; based on patch from dtucker@zip.com.au
- markus@cvs.openbsd.org 2003/07/03 08:24:13
enable tests for dynamic fwd via socks (-D), uses nc(1)
- djm@cvs.openbsd.org 2003/07/03 08:09:06
[readconf.c readconf.h ssh-keysign.c ssh.c]
fix AddressFamily option in config file, from brent@graveland.net;
- (djm) Search for support functions necessary to build our
getrrsetbyname() replacement. Patch from Roumen Petrov
- (dtucker) [includes.h] Bug #602: move #include of netdb.h to after in.h
(fixes compiler warnings on Solaris 2.5.1).
- (dtucker) [configure.ac] Add sanity test after system-dependent compiler
- (djm) Bug #591: use PKCS#15 private key label as a comment in case
of OpenSC. Report and patch from larsch@trustcenter.de
- (djm) Bug #593: Sanity check OpenSC card reader number; patch from
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/23 09:02:44
document EnableSSHKeysign; bugzilla #599; ok deraadt@, jmc@
- markus@cvs.openbsd.org 2003/06/24 08:23:46
[auth2-hostbased.c auth2-pubkey.c auth2.c channels.c key.c key.h
monitor.c packet.c packet.h serverloop.c sshconnect2.c sshd.c]
int -> u_int; ok djm@, deraadt@, mouring@
- miod@cvs.openbsd.org 2003/06/25 22:39:36
Typo police: attribute is better written with an 'r'.
- markus@cvs.openbsd.org 2003/06/26 20:08:33
do not dump core for 'ssh -o proxycommand host'; ok deraadt@
- (dtucker) [regress/dynamic-forward.sh] Import new regression test.
- (dtucker) [configure.ac] Bug #570: Have ./configure --enable-FEATURE
actually enable the feature, for those normally disabled. Patch by
openssh (at) roumenpetrov.info.
- (dtucker) Have configure refer the user to config.log and
contrib/findssl.sh for OpenSSL header/library mismatches.
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/21 09:14:05
[regress/reconfigure.sh]
missing $SUDO; from dtucker@zip.com.au
- markus@cvs.openbsd.org 2003/06/18 11:28:11
backout last change, since it violates pkcs#1
switch to share/misc/license.template
- djm@cvs.openbsd.org 2003/06/20 05:47:58
sync description of protocol 2 cipher proposal; ok markus
- djm@cvs.openbsd.org 2003/06/20 05:48:21
sync some implemented options; ok markus@
- (dtucker) [regress/authorized_keys_root] Remove temp data file from CVS.
- (dtucker) [openbsd-compat/setproctitle.c] Ensure SPT_TYPE is defined before
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/12 07:57:38
[monitor.c sshlogin.c sshpty.c]
typos; dtucker at zip.com.au
- djm@cvs.openbsd.org 2003/06/12 12:22:47
mention more copyright holders; ok markus@
- nino@cvs.openbsd.org 2003/06/12 15:34:09
- markus@cvs.openbsd.org 2003/06/12 19:12:03
[scard.c scard.h ssh-agent.c ssh.c]
add sc_get_key_label; larsch at trustcenter.de; bugzilla#591
- markus@cvs.openbsd.org 2003/06/16 08:22:35
make sure the signature has at least the expected length (don't
insist on len == hlen + oidlen, since this breaks some smartcards)
bugzilla #592; ok djm@
- markus@cvs.openbsd.org 2003/06/16 10:22:45
print out key comment on each prompt; make ssh-askpass more useable; ok djm@
- markus@cvs.openbsd.org 2003/06/17 18:14:23
use license from /usr/share/misc/license.template for new code
- (dtucker) [reconfigure.sh rekey.sh sftp-badcmds.sh]
Import new regression tests from OpenBSD
- (dtucker) [regress/copy.1 regress/copy.2] Remove temp data files from CVS.
- (dtucker) OpenBSD CVS Sync (regress/)
- markus@cvs.openbsd.org 2003/04/02 12:21:13
- djm@cvs.openbsd.org 2003/04/04 09:34:22
[Makefile sftp-cmds.sh]
More regression tests, including recent directory rename bug; ok markus@
- markus@cvs.openbsd.org 2003/05/14 22:08:27
[ssh-com-client.sh ssh-com-keygen.sh ssh-com-sftp.sh ssh-com.sh]
test against some new commercial versions
- mouring@cvs.openbsd.org 2003/05/15 04:07:12
Advanced put/get testing for sftp. OK @djm
- markus@cvs.openbsd.org 2003/06/12 15:40:01
- markus@cvs.openbsd.org 2003/06/12 15:43:32
test -HUP; dtucker at zip.com.au
- (djm) Update license on fake-rfc2553.[ch]; ok itojun@
- (djm) Mention portable copyright holders in LICENSE
- (djm) Put licenses on substantial header files
- (djm) Sync LICENSE against OpenBSD
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/06/10 09:12:11
[scp.1 sftp-server.8 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5]
[sshd.8 sshd_config.5 ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- COMPATIBILITY merge
- kill whitespace at EOL
- new sentence, new line
- deraadt@cvs.openbsd.org 2003/06/10 22:20:52
[packet.c progressmeter.c]
mostly ansi cleanup; pval ok
- jakob@cvs.openbsd.org 2003/06/11 10:16:16
clean up check_host_key() and improve SSHFP feedback. ok markus@
- jakob@cvs.openbsd.org 2003/06/11 10:18:47
sync with check_host_key() change
- djm@cvs.openbsd.org 2003/06/11 11:18:38
[authfd.c authfd.h ssh-add.c ssh-agent.c]
make agent constraints (lifetime, confirm) work with smartcard keys;
- (djm) Sync README.smartcard with OpenBSD -current
- (djm) Re-merge OpenSC info into README.smartcard
- (dtucker) [uidswap.c] Fix setreuid and add missing args to fatal(). ok djm@
- (djm) Support AI_NUMERICHOST in fake-getaddrinfo.c. Needed for recent
- (djm) Implement paranoid priv dropping checks, based on:
"SetUID demystified" - Hao Chen, David Wagner and Drew Dean
Proceedings of USENIX Security Symposium 2002
- (djm) Don't use xmalloc() or pull in toplevel headers in fake-* code
- (djm) Merge all the openbsd/fake-* into fake-rfc2553.[ch]
- (djm) Bug #588 - Add scard-opensc.o back to Makefile.in
Patch from larsch@trustcenter.de
- (djm) Bug #589 - scard-opensc: load only keys with a private key
Patch from larsch@trustcenter.de
- (dtucker) Add includes.h to fake-rfc2553.c so it will build.
- (dtucker) Define EAI_NONAME in fake-rfc2553.h (used by fake-rfc2553.c).
- (djm) Bug #573 - Remove unneeded Krb headers and compat goop. Patch from
simon@sxw.org.uk (Also matches a change in OpenBSD a while ago)
- (djm) Bug #577 - wrong flag in scard-opensc.c sc_private_decrypt.
Patch from larsch@trustcenter.de; ok markus@
- (djm) Bug #584: scard-opensc.c doesn't work without PIN. Patch from
larsch@trustcenter.de; ok markus@
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/06/04 08:25:18
disable challenge/response and keyboard-interactive auth methods
upon hostkey mismatch. based on patch from fcusack AT fcusack.com.
- djm@cvs.openbsd.org 2003/06/04 10:23:48
remove duplicated group-dropping code; ok markus@
- djm@cvs.openbsd.org 2003/06/04 12:03:59
remove bitrotten comment; ok markus@
- djm@cvs.openbsd.org 2003/06/04 12:18:49
- djm@cvs.openbsd.org 2003/06/04 12:40:39
kill ssh process upon receipt of signal, bz #241.
based on patch from esb AT hawaii.edu; ok markus@
- djm@cvs.openbsd.org 2003/06/04 12:41:22
kill ssh process on receipt of signal; ok markus@
- (djm) Update to fix of bug #584: lock card before return.
From larsch@trustcenter.de
- (djm) Always use mysignal() for SIGALRM
- (djm) Replace setproctitle replacement with code derived from
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/06/02 09:17:34
[auth2-hostbased.c auth.c auth-options.c auth-rhosts.c auth-rh-rsa.c]
[canohost.c monitor.c servconf.c servconf.h session.c sshd_config]
deprecate VerifyReverseMapping since it's dangerous if combined
with IP based access control as noted by Mike Harding; replace with
a UseDNS option, UseDNS is on by default and includes the
VerifyReverseMapping check; with itojun@, provos@, jakob@ and deraadt@
- millert@cvs.openbsd.org 2003/06/03 02:56:16
Remove the advertising clause in the UCB license which Berkeley
rescinded 22 July 1999. Proofed by myself and Theo.
- (djm) Fix portable-specific uses of verify_reverse_mapping too
- (djm) Sync openbsd-compat with OpenBSD CVS.
- No more 4-term BSD licenses in linked code
- (dtucker) [port-aix.c bsd-cray.c] Fix uses of verify_reverse_mapping.
- (djm) Fix segv from bad reordering in auth-pam.c
- (djm) Always use saved_argv in sshd.c as compat_init_setproctitle may
- (tim) openbsd-compat/xmmap.[ch] License clarifications. Add missing
- (djm) Remove "noip6" option from RedHat spec file. This may now be
set at runtime using AddressFamily option.
- (djm) Fix use of macro before #define in cipher-aes.c
- (djm) Sync license on openbsd-compat/bindresvport.c with OpenBSD CVS
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/05/26 12:54:40
fix format strings; ok markus@
- deraadt@cvs.openbsd.org 2003/05/29 16:58:45
seteuid and setegid; markus ok
- jakob@cvs.openbsd.org 2003/06/02 08:31:10
VerifyHostKeyDNS is v2 only. ok markus@
- (dtucker) Add missing semicolon in md5crypt.c, patch from openssh at
- (dtucker) Define SSHD_ACQUIRES_CTTY for NCR MP-RAS and Reliant Unix.
- (djm) Avoid auth2-chall.c warning when compiling without
PAM, BSD_AUTH and SKEY
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/05/24 09:02:22
pass logged data through strnvis; ok markus
- djm@cvs.openbsd.org 2003/05/24 09:30:40
[authfile.c monitor.c sftp-common.c sshpty.c]
cast some types for printing; ok markus@
- (dtucker) Correct --osfsia in INSTALL. Patch by skeleten at shillest.net
- (djm) Use VIS_SAFE on logged strings rather than default strnvis
encoding (which encodes many more characters)
- jmc@cvs.openbsd.org 2003/05/20 12:03:35
- new sentence, new line
- jmc@cvs.openbsd.org 2003/05/20 12:09:31
[ssh.1 ssh_config.5 sshd.8 sshd_config.5 ssh-keygen.1]
new sentence, new line
- djm@cvs.openbsd.org 2003/05/23 08:29:30
- (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2003/05/18 23:22:01
use syslog_r() in a signal handler called place; markus ok
- (djm) Configure logic to detect syslog_r and friends
- (djm) Sync auth-pam.h with what we actually implement
- (djm) Return of the dreaded PAM_TTY_KLUDGE, which went missing in
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/05/16 03:27:12
[readconf.c ssh_config ssh_config.5 ssh-keysign.c]
add AddressFamily option to ssh_config (like -4, -6 on commandline).
Portable bug #534; ok markus@
- itojun@cvs.openbsd.org 2003/05/17 03:25:58
just in case, put numbers to sscanf %s arg.
- markus@cvs.openbsd.org 2003/05/17 04:27:52
[cipher.c cipher-ctr.c myproposal.h]
experimental support for aes-ctr modes from
http://www.ietf.org/internet-drafts/draft-ietf-secsh-newmodes-00.txt
- (djm) Remove IPv4 by default hack now that we can specify AF in config
- (djm) Tidy and trim TODO
- (djm) Sync openbsd-compat/ with OpenBSD CVS head
- (djm) Big KNF on openbsd-compat/
- (djm) KNF on md5crypt.[ch]
- (djm) KNF on auth-sia.[ch]
- (bal) strcat -> strlcat on openbsd-compat/realpath.c (rev 1.8 OpenBSD)
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/05/15 13:52:10
Make "ssh -V" print the OpenSSL version in a human readable form. Patch
from Craig Leres (mindrot at ee.lbl.gov); ok markus@
- jakob@cvs.openbsd.org 2003/05/15 14:02:47
[readconf.c servconf.c]
warn for unsupported config option. ok markus@
- markus@cvs.openbsd.org 2003/05/15 14:09:21
fix 64bit issue; report itojun@
- djm@cvs.openbsd.org 2003/05/15 14:55:25
[readconf.c readconf.h ssh_config ssh_config.5 sshconnect.c]
add a ConnectTimeout option to ssh, based on patch from
Jean-Charles Longuet (jclonguet at free.fr); portable #207 ok markus@
- (djm) Add warning for UsePAM when built without PAM support
- (djm) A few type mismatch fixes from Bug #565
- (djm) Guard free_pam_environment against NULL argument. Works around
HP/UX PAM problems debugged by dtucker
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/05/14 13:11:56
- jakob@cvs.openbsd.org 2003/05/14 18:16:20
[key.c key.h readconf.c readconf.h ssh_config.5 sshconnect.c]
[dns.c dns.h README.dns ssh-keygen.1 ssh-keygen.c]
add experimental support for verifying host keys using DNS as described
in draft-ietf-secsh-dns-xx.txt. more information in README.dns.
ok markus@ and henning@
- markus@cvs.openbsd.org 2003/05/14 22:24:42
[clientloop.c session.c ssh.1]
allow to send a BREAK to the remote system; ok various
- markus@cvs.openbsd.org 2003/05/15 00:28:28
cleanup unregister of per-method packet handlers; ok djm@
- jakob@cvs.openbsd.org 2003/05/15 01:48:10
[readconf.c readconf.h servconf.c servconf.h]
always parse kerberos options. ok djm@ markus@
- jakob@cvs.openbsd.org 2003/05/15 02:27:15
add missing freerrset
- markus@cvs.openbsd.org 2003/05/15 03:08:29
[cipher.c cipher-bf1.c cipher-aes.c cipher-3des1.c]
split out custom EVP ciphers
- djm@cvs.openbsd.org 2003/05/15 03:10:52
avoid warning; ok jakob@
- mouring@cvs.openbsd.org 2003/05/15 03:39:07
Make put/get (globed and nonglobed) code more consistent. OK djm@
- mouring@cvs.openbsd.org 2003/05/15 03:43:59
Teach ls how to display multiple column display and allow users
to return to single column format via 'ls -1'. OK @djm
- jakob@cvs.openbsd.org 2003/05/15 04:08:44
[readconf.c servconf.c]
disable kerberos when not supported. ok markus@
- markus@cvs.openbsd.org 2003/05/15 04:08:41
- (djm) Always parse UsePAM
- (djm) Configure glue for DNS support (code doesn't work in portable yet)
- (djm) Import getrrsetbyname() function from OpenBSD libc (for DNS support)
- (djm) Tidy Makefile clean targets
- (djm) Adapt README.dns for portable
- (djm) Avoid uuencode.c warnings
- (djm) Enable UsePAM when built --with-pam
- (djm) Only build getrrsetbyname replacement when using --with-dns
- (djm) Bug #529: sshd doesn't work correctly after SIGHUP (copy argv
- (djm) Bug #444: Wrong paths after reconfigure
- (dtucker) HP-UX needs to include <sys/strtio.h> for TIOCSBRK
- (djm) Bug #117: Don't lie to PAM about username
- (djm) RCSID sync w/ OpenBSD
- (djm) OpenBSD CVS Sync
- djm@cvs.openbsd.org 2003/04/09 12:00:37
strip trailing whitespace from config lines before parsing.
Fixes bz 528; ok markus@
- markus@cvs.openbsd.org 2003/04/12 10:13:57
hide cipher details; ok djm@
- markus@cvs.openbsd.org 2003/04/12 10:15:36
- naddy@cvs.openbsd.org 2003/04/12 11:40:15
document -V switch, fix wording; ok markus@
- markus@cvs.openbsd.org 2003/04/14 14:17:50
[channels.c sshconnect.c sshd.c ssh-keyscan.c]
avoid hardcoded SOCK_xx; with itojun@; should allow ssh over SCTP
- mouring@cvs.openbsd.org 2003/04/14 21:31:27
Missing globfree(&g) in process_put() spotted by Vince Brimhall
<VBrimhall@novell.com>. ok@ Theo
- markus@cvs.openbsd.org 2003/04/16 14:35:27
document struct Authctxt; with solar
- deraadt@cvs.openbsd.org 2003/04/26 04:29:49
-t in usage(); rogier@quaak.org
- mouring@cvs.openbsd.org 2003/04/30 01:16:20
[sshd.8 sshd_config.5]
Escape ?, * and ! in .Ql for nroff compatibility. OpenSSH Portable
Bug #550 and * escaping suggested by jmc@.
- david@cvs.openbsd.org 2003/04/30 20:41:07
fix invalid .Pf macro usage introduced in previous commit
- markus@cvs.openbsd.org 2003/05/11 16:56:48
[authfile.c ssh-keygen.c]
change key_load_public to try to read a public from:
rsa1 private or rsa1 public and ssh2 keys.
this makes ssh-keygen -e fail for ssh1 keys more gracefully
for example; report from itojun (netbsd pr 20550).
- markus@cvs.openbsd.org 2003/05/11 20:30:25
[channels.c clientloop.c serverloop.c session.c ssh.c]
make channel_new() strdup the 'remote_name' (not the caller); ok theo
- markus@cvs.openbsd.org 2003/05/12 16:55:37
for pubkey authentication try the user keys in the following order:
1. agent keys that are found in the config file
3. keys that are only listed in the config file
this helps when an agent has many keys, where the server might
close the connection before the correct key is used. report & ok pb@
- markus@cvs.openbsd.org 2003/05/12 18:35:18
typo: DSA keys are of type ssh-dss; Brian Poole
- markus@cvs.openbsd.org 2003/05/14 00:52:59
ranges for per auth method messages
- djm@cvs.openbsd.org 2003/05/14 01:00:44
emphasise the batchmode functionality and make reference to pubkey auth,
both of which are FAQs; ok markus@
- markus@cvs.openbsd.org 2003/05/14 02:15:47
[auth2.c monitor.c sshconnect2.c auth2-krb5.c]
implement kerberos over ssh2 ("kerberos-2@ssh.com"); tested with jakob@
server interops with commercial client; ok jakob@ djm@
- jmc@cvs.openbsd.org 2003/05/14 08:25:39
- better formatting in SYNOPSIS
- markus@cvs.openbsd.org 2003/05/14 08:57:49
http://bugzilla.mindrot.org/show_bug.cgi?id=560
Privsep child continues to run after monitor killed.
Pass monitor signals through to child; Darren Tucker
- (djm) Make portable build with MIT krb5 (some issues remain)
- (djm) Add new UsePAM configuration directive to allow runtime control
over usage of PAM. This allows non-root use of sshd when built with
- (djm) Die screaming if start_pam() is called when UsePAM=no
- (djm) Avoid KrbV leak for MIT Kerberos
- (dtucker) Set ai_socktype and ai_protocol in fake-getaddrinfo.c. ok djm@
- (djm) Bug #258: sscanf("[0-9]") -> sscanf("[0123456789]") for portability
- (djm) Redhat spec: Don't install profile.d scripts when not
building with GNOME/GTK askpass (patch from bet@rahul.net)
- (dtucker) Bug #318: Create ssh_prng_cmds.out during "make" rather than
"make install". Patch by roth@feep.net.
- (dtucker) Bug #536: Test for and work around openpty/controlling tty
problem on Linux (fixes "could not set controlling tty" errors).
- (djm) Merge FreeBSD PAM code: replaces PAM password auth kludge with
proper challenge-response module
- (djm) 2-clause license on loginrec.c, with permission from
- (dtucker) Bug #497: Move #include of bsd-cygwin_util.h to openbsd-compat.h.
Patch from vinschen@redhat.com.
- (dtucker) Add missing "void" to record_failed_login in bsd-cray.c. Noted
- (dtucker) Bug #544: ignore invalid cmsg_type on Linux 2.0 kernels,
privsep should now work.
- (dtucker) Move handling of bad password authentications into a platform
specific record_failed_login() function (affects AIX & Unicos). ok mouring@
- (djm) Add back radix.o (used by AFS support), after it went missing from
Makefile many moons ago
- (djm) Apply "owl-always-auth" patch from Openwall/Solar Designer
- (djm) Fix blibpath specification for AIX/gcc
- (djm) Some systems have basename in -lgen. Fix from ayamura@ayamura.org
- (bal) [defines.h progressmeter.c scp.c] Some more culling of non 64bit
- (bal) Bug #541: return; was dropped by mistake. Reported by
- (bal) Since we don't support platforms lacking u_int_64. We may
as well clean out some of those evil #ifdefs
- (bal) auth1.c minor resync while looking at the code.
- (bal) auth2.c same changed as above.
- (djm) Bug #539: Specify creation mode with O_CREAT for lastlog. Report
from matth@eecs.berkeley.edu
- (djm) Make the spec work with Redhat 9.0 (which renames sharutils)
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/04/02 09:48:07
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
[readconf.h serverloop.c sshconnect2.c]
reapply rekeying change, tested by henning@, ok djm@
- markus@cvs.openbsd.org 2003/04/02 14:36:26
potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526
- itojun@cvs.openbsd.org 2003/04/03 07:25:27
- itojun@cvs.openbsd.org 2003/04/03 10:17:35
remove $OpenBSD$, as other *.c does not have it.
- markus@cvs.openbsd.org 2003/04/07 08:29:57
typo: get correct counters; introduced during rekeying change.
- millert@cvs.openbsd.org 2003/04/07 21:58:05
The UCB copyright here is incorrect. This code did not originate
at UCB, it was written by Luke Mewburn. Updated the copyright at
the author's request. markus@ OK
- itojun@cvs.openbsd.org 2003/04/08 20:21:29
rename log() into logit() to avoid name conflict. markus ok, from
- (djm) XXX - Performed locally using:
"perl -p -i -e 's/(\s|^)log\(/$1logit\(/g' *.c *.h"
- hin@cvs.openbsd.org 2003/04/09 08:23:52
Don't include <krb.h> when compiling with Kerberos 5 support
- (djm) Fix up missing include for packet.c
- (djm) Fix missed log => logit occurrence (reference by function pointer)
- (bal) if IP_TOS is not found or broken don't try to compile in
packet_set_tos() function call. bug #527
- (djm) OpenBSD CVS Sync
- jmc@cvs.openbsd.org 2003/03/28 10:11:43
[scp.1 sftp.1 ssh.1 ssh-add.1 ssh-agent.1 ssh_config.5 sshd_config.5]
[ssh-keygen.1 ssh-keyscan.1 ssh-keysign.8]
- new sentence new line
- markus@cvs.openbsd.org 2003/04/01 10:10:23
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
[readconf.h serverloop.c sshconnect2.c]
rekeying bugfixes and automatic rekeying:
* both client and server rekey _automatically_
(a) after 2^31 packets, because after 2^32 packets
the sequence number for packets wraps
(b) after 2^(blocksize_in_bits/4) blocks
(see: draft-ietf-secsh-newmodes-00.txt)
(a) and (b) are _enabled_ by default, and only disabled for known
openssh versions, that don't support rekeying properly.
* client option 'RekeyLimit'
* do not reply to requests during rekeying
- markus@cvs.openbsd.org 2003/04/01 10:22:21
[clientloop.c monitor.c monitor_wrap.c packet.c packet.h readconf.c]
[readconf.h serverloop.c sshconnect2.c]
backout rekeying changes (for 3.6.1)
- markus@cvs.openbsd.org 2003/04/01 10:31:26
[compat.c compat.h kex.c]
bugfix causes stalled connections for ssh.com < 3.0; noticed by ho@;
tested by ho@ and myself
- markus@cvs.openbsd.org 2003/04/01 10:56:46
- (djm) Crank spec file versions
- (djm) Release 3.6.1p1
- (djm) OpenBSD CVS Sync
- deraadt@cvs.openbsd.org 2003/03/26 04:02:51
one last fix to the tree: race fix broke stuff; pr 3169;
srp@srparish.net, help from djm
- (djm) Fix getpeerid support for 64 bit BE systems. From
Arnd Bergmann <arndb@de.ibm.com>
- (djm) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2003/03/23 19:02:00
unbreak rekeying for privsep; ok millert@
- Fix sshd BindAddress and -b options for systems using fake-getaddrinfo.
Report from murple@murple.net, diagnosis from dtucker@zip.com.au
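
The rekeying thresholds described in the 2003/04/01 10:10:23 entry (2^31 packets, 2^(blocksize_in_bits/4) blocks, the 'RekeyLimit' option) and the 2003/07/10 14:42:28 entry (1GB limit for small blocksizes), worked through as an added example. This is not OpenSSH's own code: all function, struct and macro names are assumptions made for illustration, "1GB" is taken to mean 2^30 bytes, and the RekeyLimit value is treated as a byte count.

```c
/* Added illustration of the rekey budget described in the ChangeLog entries.
 * Not OpenSSH source; every identifier here is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REKEY_MAX_PACKETS (1ULL << 31) /* (a): rekey before the 2^32 sequence wrap */
#define SMALL_BLOCK_CAP   (1ULL << 30) /* assumed meaning of "1GB" for small blocks */

struct rekey_state {
    uint32_t block_bytes; /* cipher block size in bytes */
    uint64_t max_blocks;  /* block budget for the current key */
    uint64_t blocks;      /* blocks processed under the current key */
    uint64_t packets;     /* packets processed under the current key */
};

/* (b): 2^(blocksize_in_bits/4) blocks, which equals 2^(2 * block_bytes). */
uint64_t formula_blocks(uint32_t block_bytes)
{
    if (block_bytes >= 32)          /* shift of 64 or more would overflow */
        return UINT64_MAX;
    return 1ULL << (block_bytes * 2);
}

/* Budget in blocks: the formula for 16-byte and larger blocks, a 1GB byte cap
 * for smaller blocks, both further lowered by a user limit when one is set. */
uint64_t rekey_max_blocks(uint32_t block_bytes, uint64_t rekey_limit_bytes)
{
    uint64_t max_blocks;

    if (block_bytes == 0)
        return 0;                   /* invalid cipher: budget 0 forces a rekey */
    if (block_bytes >= 16)
        max_blocks = formula_blocks(block_bytes);
    else
        max_blocks = SMALL_BLOCK_CAP / block_bytes;
    if (rekey_limit_bytes != 0) {
        uint64_t user_blocks = rekey_limit_bytes / block_bytes;
        if (user_blocks < max_blocks)
            max_blocks = user_blocks;
    }
    return max_blocks;
}

void rekey_init(struct rekey_state *s, uint32_t block_bytes, uint64_t limit_bytes)
{
    s->block_bytes = block_bytes;
    s->max_blocks = rekey_max_blocks(block_bytes, limit_bytes);
    s->blocks = 0;
    s->packets = 0;
}

/* Account for one packet of packet_bytes, rounding up to whole blocks. */
void rekey_account(struct rekey_state *s, uint64_t packet_bytes)
{
    s->packets++;
    if (s->block_bytes != 0)
        s->blocks += (packet_bytes + s->block_bytes - 1) / s->block_bytes;
}

/* True once either the packet counter or the block budget is exhausted. */
bool rekey_needed(const struct rekey_state *s)
{
    return s->packets >= REKEY_MAX_PACKETS || s->blocks >= s->max_blocks;
}

/* Counters restart after a completed key exchange. */
void rekey_done(struct rekey_state *s)
{
    s->blocks = 0;
    s->packets = 0;
}

int main(void)
{
    const uint32_t sizes[] = { 8, 16 }; /* 3DES/blowfish vs. AES block sizes */
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        uint32_t bs = sizes[i];
        printf("block=%u bytes: formula=%llu blocks (%llu bytes), enforced=%llu blocks\n",
            bs, (unsigned long long)formula_blocks(bs),
            (unsigned long long)(formula_blocks(bs) * bs),
            (unsigned long long)rekey_max_blocks(bs, 0));
    }
    return 0;
}
```

For an 8-byte block the bare formula allows only 2^16 blocks (512 KiB) per key, which is the cost the later entry refers to when it replaces the formula with a byte cap for small block sizes.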