 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2007/02/20 10:25:14
     set maximum packet and window sizes the same for multiplexed clients
     as normal connections; ok markus@
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2007/01/10 13:23:22
     do not use a list for SYNOPSIS;
     this is actually part of a larger report sent by eric s. raymond
     and forwarded by brad, but i only read half of it. spotted by brad.
   - jmc@cvs.openbsd.org 2007/01/12 20:20:41
     [ssh-keygen.1 ssh-keygen.c]
     more secsh -> rfc 4716 updates;
   - dtucker@cvs.openbsd.org 2007/01/17 23:22:52
     Honour activep for times (eg ServerAliveInterval) while parsing
     ssh_config and ~/.ssh/config so they work properly with Host directives.
     From mario.lorenz@wincor-nixdorf.com via bz #1275. ok markus@
   - stevesk@cvs.openbsd.org 2007/01/21 01:41:54
     [auth-skey.c kex.c ssh-keygen.c session.c clientloop.c]
   - stevesk@cvs.openbsd.org 2007/01/21 01:45:35
   - djm@cvs.openbsd.org 2007/01/22 11:32:50
     return error from do_upload() when a write fails. fixes bz#1252: zero
     exit status from sftp when uploading to a full device. report from
     jirkat AT atlas.cz; ok dtucker@
   - djm@cvs.openbsd.org 2007/01/22 13:06:21
     fix detection of whether we should show progress meter or not: scp
     tested isatty(stderr) but wrote the progress meter to stdout. This patch
     makes it test stdout. bz#1265 reported by junkmail AT bitsculpture.com;
   - stevesk@cvs.openbsd.org 2007/02/14 14:32:00
     typos in comments; ok jmc@
   - dtucker@cvs.openbsd.org 2007/02/19 10:45:58
     [monitor_wrap.c servconf.c servconf.h monitor.c sshd_config.5]
     Teach Match how to handle config directives that are used before
     authentication. This allows configurations such as permitting password
     authentication from the local net only while requiring pubkey from
     offsite. ok djm@, man page bits ok jmc@
 - (dtucker) [contrib/findssl.sh] Add "which" as a shell function since some
   platforms don't have it. Patch from dleonard at vintela.com.
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Don't attempt to calloc
   an array for signatures when there are none since "calloc(0, n)" returns
   NULL on some platforms (eg Tru64), which is explicitly permitted by
   POSIX. Diagnosis and patch by svallet genoscope.cns.fr.
 - (djm) [channels.c serverloop.c] Fix so-called "hang on exit" (bz #52)
   when closing a tty session when a background process still holds tty
   fds open. Great detective work and patch by Marc Aurele La France,
   slightly tweaked by me; ok dtucker@
 - (dtucker) [openbsd-compat/bsd-snprintf.c] Static declarations for public
   library interfaces aren't very helpful. Fix up the DOPR_OUTCH macro
   so it works properly and modify its callers so that they don't pre or
   post decrement arguments that are conditionally evaluated. While there,
   put SNPRINTF_CONST back as it prevents build failures in some
   configurations. ok djm@ (for most of it)
 - (djm) [ssh-rand-helper.8] manpage nits;
   from dleonard AT vintela.com (bz#1529)
 - (dtucker) [packet.c] Re-remove in_systm.h since it's already in includes.h
   and multiple including it causes problems on old IRIXes. (It snuck back
   in during a sync.) Found (again) by Georg Schwarz.
 - (dtucker) [ssh-keygen.c] av -> argv to match earlier sync.
 - (djm) [openbsd-compat/bsd-snprintf.c] Fix integer overflow in return
   value of snprintf replacement, similar to bugs in various libc
   implementations. This overflow is not exploitable in OpenSSH.
   While I'm fiddling with it, make it a fair bit faster by inlining the
   append-char routine; ok dtucker@
 - (djm) OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2006/11/14 19:41:04
     use argc and argv not some made up short form
   - ray@cvs.openbsd.org 2006/11/23 01:35:11
     Don't access buf[strlen(buf) - 1] for zero-length strings.
   - markus@cvs.openbsd.org 2006/12/11 21:25:46
     add rfc 4716 (public key format); ok jmc
   - djm@cvs.openbsd.org 2006/12/12 03:58:42
     [channels.c compat.c compat.h]
     bz #1019: some ssh.com versions apparently can't cope with the
     remote port forwarding bind_address being a hostname, so send
     them an address for cases where they are not explicitly
     specified (wildcard or localhost bind). reported by daveroth AT
     acm.org; ok dtucker@ deraadt@
   - dtucker@cvs.openbsd.org 2006/12/13 08:34:39
     Make PermitOpen work with multiple values like the man page says.
     bz #1267 with details from peter at dmtz.com, with & ok djm@
   - dtucker@cvs.openbsd.org 2006/12/14 10:01:14
     Make "PermitOpen all" first-match within a block to match the way other
     options work. ok markus@ djm@
   - jmc@cvs.openbsd.org 2007/01/02 09:57:25
     do not use lists for SYNOPSIS;
     from eric s. raymond via brad
   - stevesk@cvs.openbsd.org 2007/01/03 00:53:38
     remove small dead code; arnaud.lacombe.1@ulaval.ca via Coverity scan
   - stevesk@cvs.openbsd.org 2007/01/03 03:01:40
     [auth2-chall.c channels.c dns.c sftp.c ssh-keygen.c ssh.c]
   - stevesk@cvs.openbsd.org 2007/01/03 04:09:15
   - stevesk@cvs.openbsd.org 2007/01/03 07:22:36
 - (djm) [auth.c] Fix NULL pointer dereference in fakepw(). Crash would
   occur if the server did not have the privsep user and an invalid user
   tried to login and both privsep and krb5 auth are disabled; ok dtucker@
 - (djm) [bsd-asprintf.c] Better test for bad vsnprintf lengths; ok dtucker@
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2006/11/07 13:02:07
     BN_hex2bn returns int; from dtucker@
 - (dtucker) [sshd.c] Use privsep_pw if we have it, but only require it
   if we absolutely need it. Pointed out by Corinna, ok djm@
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2006/11/06 21:25:28
     [auth-rsa.c kexgexc.c kexdhs.c key.c ssh-dss.c sshd.c kexgexs.c
     ssh-keygen.c bufbn.c moduli.c scard.c kexdhc.c sshconnect1.c dh.c rsa.c]
     add missing checks for openssl return codes; with & ok djm@
   - markus@cvs.openbsd.org 2006/11/07 10:31:31
     [monitor.c version.h]
     correctly check for bad signatures in the monitor, otherwise the monitor
     and the unpriv process can get out of sync. with dtucker@, ok djm@,
 - (dtucker) [README contrib/{caldera,redhat,contrib}/openssh.spec] Bump
 - (dtucker) Release 4.5p1.
 - (djm) OpenBSD CVS Sync
   - otto@cvs.openbsd.org 2006/10/28 18:08:10
     correct/expand example of usage of -w; ok jmc@ stevesk@
   - markus@cvs.openbsd.org 2006/10/31 16:33:12
     [kexdhc.c kexdhs.c kexgexc.c kexgexs.c]
     check DH_compute_key() for -1 even if it should not happen because of
     earlier calls to dh_pub_is_valid(); report krahmer at suse.de; ok djm
 - (dtucker) [openbsd-compat/port-solaris.c] Bug #1255: Make only hwerr
   events fatal in Solaris process contract support and tell it to signal
   only processes in the same process group when something happens.
   Based on information from andrew.benham at thus.net and similar to
   a patch from Chad Mynhier. ok djm@
 - (djm) [auth.c] gc some dead code
 - (djm) OpenBSD CVS Sync
   - ray@cvs.openbsd.org 2006/09/30 17:48:22
     Clear errno before calling the strtol functions.
     From Paul Stoeber <x0001 at x dot de1 dot cc>.
   - djm@cvs.openbsd.org 2006/10/06 02:29:19
     [ssh-agent.c ssh-keyscan.c ssh.c]
     sys/resource.h needs sys/time.h; prompted by brad@
     (NB. Id sync only for portable)
   - djm@cvs.openbsd.org 2006/10/09 23:36:11
     xmalloc -> xcalloc that was missed previously, from portable
     (NB. Id sync only for portable, obviously)
   - markus@cvs.openbsd.org 2006/10/10 10:12:45
     sleep before retrying (not after) since sleep changes errno; fixes
     pr 5250; rad@twig.com; ok dtucker djm
   - markus@cvs.openbsd.org 2006/10/11 12:38:03
     [clientloop.c serverloop.c]
     exit instead of doing a blocking tcp send if we detect a client/server
     timeout, since the tcp sendqueue might be already full (of alive
     requests); ok dtucker, report mpf
   - djm@cvs.openbsd.org 2006/10/22 02:25:50
     cancel progress meter when upload write fails; ok deraadt@
 - (tim) [Makefile.in scard/Makefile.in] Add datarootdir= lines to keep
   autoconf 2.60 from complaining.
 - (dtucker) OpenBSD CVS Sync
   - ray@cvs.openbsd.org 2006/09/25 04:55:38
     [ssh-keyscan.1 ssh.1]
     Change "a SSH" to "an SSH". Hurray, I'm not the only one who
     pronounces "SSH" as "ess-ess-aich".
     OK jmc@ and stevesk@.
 - (dtucker) [sshd.c] Reshuffle storing of pw struct; prevents warnings
   on older versions of OS X. ok djm@
 - (dtucker) [monitor_fdpass.c] Include sys/in.h, required for cmsg macros
   on older (2.0) Linuxes. Based on patch from thmo-13 at gmx de.
 - (tim) [buildpkg.sh.in] Use uname -r instead of -v in OS_VER for Solaris.
   Differentiate between OpenServer 5 and OpenServer 6
 - (dtucker) [configure.ac] Put -lselinux into $LIBS while testing for
   SELinux functions so they're detected correctly. Patch from pebenito at
 - (tim) [buildpkg.sh.in] Some systems have really limited nawk (OpenServer).
   Allow setting alternate awk in openssh-config.local.
 - (tim) [configure.ac] Move CHECK_HEADERS test before platform specific
   section so additional platform specific CHECK_HEADER tests will work
   correctly. Fixes "<net/if_tap.h> on FreeBSD" problem report by des AT des.no
   Feedback and "seems like a good idea" dtucker@
 - (dtucker) [audit-bsm.c] Include errno.h. Pointed out by des at des.no.
 - (dtucker) [configure.ac] Bug #1239: Fix configure test for OpenSSH engine
   support. Patch from andrew.benham at thus net.
 - (dtucker) [entropy.c] Bug #1238: include signal.h to fix compilation error
   on Solaris 8 w/out /dev/random or prngd. Patch from rl at
 - (dtucker) [bufaux.h] nuke bufaux.h; it's already gone from OpenBSD and not
   referenced any more. ok djm@
 - (dtucker) [sftp-server.8] Resync; spotted by djm@
 - (dtucker) Release 4.4p1.
 - (tim) [configure.ac] Remove CFLAGS hack for UnixWare 1.x/2.x (added
   to rev 1.308) to work around broken gcc 2.x header file.
 - (dtucker) [configure.ac] Bug #1234: Put opensc libs into $LIBS rather than
   $LDFLAGS. Patch from vapier at gentoo org.
 - (dtucker) [packet.c canohost.c] Include arpa/inet.h for htonl macros on
   some platforms (eg HP-UX 11.00). From santhi.amirta at gmail com.
 - (dtucker) OpenBSD CVS Sync
   - otto@cvs.openbsd.org 2006/09/19 05:52:23
     Use S_IS* macros instead of masking with S_IF* flags. The latter may
     have multiple bits set, which leads to surprising results. Spotted by
     Paul Stoeber, more to come. ok millert@ pedro@ jaredy@ djm@
   - markus@cvs.openbsd.org 2006/09/19 21:14:08
     client NULL deref on protocol error; Tavis Ormandy, Google Security Team
 - (dtucker) [defines.h] Include unistd.h before defining getpgrp; fixes
   build error on Ultrix. From Bernhard Simon.
 - (dtucker) [configure.ac] On AIX, check to see if the compiler will allow
   macro redefinitions, and if not, remove "-qlanglvl=ansi" from the flags.
   Allows build out of the box with older VAC and XLC compilers. Found by
   David Bronder and Bernhard Simon.
 - (dtucker) [openbsd-compat/port-aix.{c,h}] Reduce scope of includes.
   Prevents macro redefinition warnings of "RDONLY".
   - djm@cvs.openbsd.org 2006/09/16 19:53:37
     [deattack.c deattack.h packet.c]
     limit maximum work performed by the CRC compensation attack detector,
     problem reported by Tavis Ormandy, Google Security Team;
 - (djm) Add openssh.xml to .cvsignore and sort it
 - (dtucker) [auth-pam.c] Propagate TZ environment variable to PAM auth
   process so that any logging it does is with the right timezone. From
   Scott Strickler, ok djm@.
 - (dtucker) [monitor.c] Correctly handle auditing of single commands when
   using Protocol 1. From jhb at freebsd.
 - (djm) [sshd.c] Fix warning/API abuse; ok dtucker@
 - (dtucker) [INSTALL] Add info about audit support.
 - (djm) [Makefile.in buildpkg.sh.in configure.ac openssh.xml.in]
   Support SMF in Solaris Packages if enabled by configure. Patch from
   Chad Mynhier, tested by dtucker@
 - (dtucker) [cipher-aes.c] Include string.h for memcpy and friends. Noted
 - (dtucker) [contrib/aix/buildbff.sh] Ensure that perl is available.
 - (dtucker) [configure.ac] Add -lcrypt to let DragonFly build OOTB.
 - (dtucker) [openbsd-compat/bsd-snprintf.c] Add stdarg.h.
 - (dtucker) [contrib/aix/buildbff.sh] Always create privsep user.
 - (dtucker) [buildpkg.sh.in] Always create privsep user. ok djm@
 - (dtucker) [auth-sia.c] Add includes required for build on Tru64. Patch
 - (dtucker) [configure.ac] The BSM header test needs time.h in some cases.
 - (djm) [sshd.c auth.c] Set up fakepw() with privsep uid/gid, so it can
   be used to drop privilege to; fixes Solaris GSSAPI crash reported by
   Magnus Abrante; suggestion and feedback dtucker@
   NB. this change will require that the privilege separation user must
   exist all the time, not just when UsePrivilegeSeparation=yes
 - (tim) [configure.ac] s/BROKEN_UPDWTMP/BROKEN_UPDWTMPX/ on SCO OSR6
 - (dtucker) [loginrec.c] Wrap paths.h in HAVE_PATHS_H.
 - (dtucker) [regress/cfgmatch.sh] stop_client is racy, so give us a better
 - (dtucker) [configure.ac] s/AC_DEFINES/AC_DEFINE/ spotted by Roumen Petrov.
 - (dtucker) [loginrec.c] Include paths.h for _PATH_BTMP.
 - (dtucker) [configure.ac] Define BROKEN_UPDWTMP on SCO OSR6 as the native
   updwdtmp seems to generate invalid wtmp entries. From Roger Cornelius,
 - (dtucker) [configure.ac openbsd-compat/openbsd-compat.h] Check for
   declaration of writev(2) and declare it ourselves if necessary. Makes
   the atomiciov() calls build on really old systems. ok djm@
 - (dtucker) [openbsd-compat/port-irix.c] Add errno.h, found by Iain Morgan.
 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c ssh.c sshconnect.c
   openbsd-compat/bindresvport.c openbsd-compat/getrrsetbyname.c
   openbsd-compat/port-tun.c openbsd-compat/rresvport.c] Include <arpa/inet.h>
   for hton* and ntoh* macros. Required on (at least) HP-UX since we define
   _XOPEN_SOURCE_EXTENDED. Found by santhi.amirta at gmail com.
 - (djm) [audit-bsm.c audit.c auth-bsdauth.c auth-chall.c auth-pam.c]
   [auth-rsa.c auth-shadow.c auth-sia.c auth1.c auth2-chall.c]
   [auth2-gss.c auth2-kbdint.c auth2-none.c authfd.c authfile.c]
   [cipher-3des1.c cipher-aes.c cipher-bf1.c cipher-ctr.c clientloop.c]
   [dh.c dns.c entropy.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
   [kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c loginrec.c mac.c]
   [md5crypt.c monitor.c monitor_wrap.c readconf.c rsa.c]
   [scard-opensc.c scard.c session.c ssh-add.c ssh-agent.c ssh-dss.c]
   [ssh-keygen.c ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c]
   [sshconnect1.c sshconnect2.c sshd.c]
   [openbsd-compat/bsd-cray.c openbsd-compat/port-aix.c]
   [openbsd-compat/port-linux.c openbsd-compat/port-solaris.c]
   [openbsd-compat/port-uw.c]
   Lots of headers for SCO OSR6, mainly adding stdarg.h for log.h;
   compile problems reported by rac AT tenzing.org
 - (djm) [includes.h monitor.c openbsd-compat/bindresvport.c]
   [openbsd-compat/rresvport.c] Some more headers: netinet/in.h
   sys/socket.h and unistd.h in various places
 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Fix implicit declaration
   warnings for binary_open and binary_close. Patch from Corinna Vinschen.
 - (dtucker) [configure.ac includes.h openbsd-compat/glob.{c,h}] Explicitly
   test for GLOB_NOMATCH and use our glob functions if it's not found.
   Stops sftp from segfaulting when attempting to get a nonexistent file on
   Cygwin (previous versions of OpenSSH didn't use the native glob). Partly
   from and tested by Corinna Vinschen.
 - (dtucker) [README contrib/{caldera,redhat,suse}/openssh.spec] Crank
 - (djm) [CREDITS LICENCE Makefile.in auth.c configure.ac includes.h ]
   [platform.c platform.h sshd.c openbsd-compat/Makefile.in]
   [openbsd-compat/openbsd-compat.h openbsd-compat/port-solaris.c]
   [openbsd-compat/port-solaris.h] Add support for Solaris process
   contracts, enabled with --use-solaris-contracts. Patch from Chad
   Mynhier, tweaked by dtucker@ and myself; ok dtucker@
 - (dtucker) [contrib/cygwin/ssh-host-config] Add SeTcbPrivilege privilege
   while setting up the ssh service account. Patch from Corinna Vinschen.
 - (djm) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2006/08/21 08:14:01
     Document HostbasedUsesNameFromPacketOnly. Corrections from jmc@,
   - dtucker@cvs.openbsd.org 2006/08/21 08:15:57
     Add more detail about what permissions are and aren't accepted for
     authorized_keys files. Corrections jmc@, ok djm@, "looks good" jmc@
   - djm@cvs.openbsd.org 2006/08/29 10:40:19
     [channels.c session.c]
     normalise some inconsistent (but harmless) NULL pointer checks
     spotted by the Stanford SATURN tool, via Isil Dillig;
   - dtucker@cvs.openbsd.org 2006/08/29 12:02:30
     Work around a problem in Heimdal that occurs when KRB5CCNAME file is
     missing, by checking whether or not kerberos allocated us a context
     before attempting to free it. Patch from Simon Wilkinson, tested by
   - dtucker@cvs.openbsd.org 2006/08/30 00:06:51
     Fix regression where SSH2 banner is printed at loglevels ERROR and FATAL
     where previously it wasn't. bz #1221, found by Dean Kopesky, ok djm@
   - djm@cvs.openbsd.org 2006/08/30 00:14:37
 - (djm) [openbsd-compat/xcrypt.c] needs unistd.h
 - (dtucker) [auth.c openbsd-compat/port-aix.c] Bug #1207: always call
   loginsuccess on AIX immediately after authentication to clear the failed
   login count. Previously this would only happen when an interactive
   session starts (ie when a pty is allocated) but this means that accounts
   that have primarily non-interactive sessions (eg scp's) may gradually
   accumulate enough failures to lock out an account. This change may have
   a side effect of creating two audit records, one with a tty of "ssh"
   corresponding to the authentication and one with the allocated pty per
 - (dtucker) [openbsd-compat/basename.c] Include errno.h.
 - (dtucker) [openbsd-compat/bsd-misc.c] Add includes needed for select(2) on
 - (dtucker) [openbsd-compat/bsd-misc.c] Include <sys/select.h> for select(2)
 - (dtucker) [openbsd-compat/bsd-openpty.c] Include for ioctl(2).
 - (dtucker) [openbsd-compat/rresvport.c] Include <stdlib.h> for malloc.
 - (dtucker) [openbsd-compat/xmmap.c] Move #define HAVE_MMAP to prevent
   unused variable warning when we have a broken or missing mmap(2).
 - (dtucker) [Makefile.in] Bug #1177: fix incorrect path for sshrc in
   Makefile. Patch from santhi.amirta at gmail, ok djm.
 - (dtucker) [log.c] Move ifdef to prevent unused variable warning.
 - (dtucker) [configure.ac] Save $LIBS during PAM library tests and restore
   afterward. Removes the need to mangle $LIBS later to remove -lpam and -ldl.
 - (dtucker) [configure.ac] Relocate --with-pam parts in preparation for
   fixing bug #1181. No changes yet.
 - (dtucker) [configure.ac] Bug #1181: Explicitly test to see if OpenSSL
   (0.9.8a and presumably newer) requires -ldl to successfully link.
 - (dtucker) [configure.ac] Remove errant "-".
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2006/08/18 22:41:29
     GSSAPI error code should be 0 and not -1; from simon@sxw.org.uk
 - (dtucker) [openbsd-compat/regress/Makefile.in] Add $(EXEEXT) and add a
   single rule for the test progs.
 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Resync with
   closefrom.c from sudo.
 - (dtucker) [openbsd-compat/bsd-closefrom.c] Comment out rcsid.
 - (dtucker) [openbsd-compat/regress/snprintftest.c] Newline on error.
 - (dtucker) [openbsd-compat/regress/Makefile.in] Use implicit rules for the
   test progs instead; they work better than what we have.
 - (djm) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2006/08/06 01:13:32
     [compress.c monitor.c monitor_wrap.c]
     "zlib.h" can be <zlib.h>; ok djm@ markus@
   - miod@cvs.openbsd.org 2006/08/12 20:46:46
     [monitor.c monitor_wrap.c]
     Revert previous include file ordering change, for ssh to compile under
     gcc2 (or until openssl include files are cleaned of parameter names
     in function prototypes)
   - dtucker@cvs.openbsd.org 2006/08/14 12:40:25
     [servconf.c servconf.h sshd_config.5]
     Add ability to match groups to Match keyword in sshd_config. Feedback
     djm@, stevesk@, ok stevesk@.
   - djm@cvs.openbsd.org 2006/08/16 11:47:15
     factor inetd connection, TCP listen and main TCP accept loop out of
     main() into separate functions to improve readability; ok markus@
   - deraadt@cvs.openbsd.org 2006/08/18 09:13:26
     make signal handler termination path shorter; risky code pointed out by
     mark dowd; ok djm markus
   - markus@cvs.openbsd.org 2006/08/18 09:15:20
     [auth.h session.c sshd.c]
     delay authentication related cleanups until we're authenticated and
     all alarms have been cancelled; ok deraadt
   - djm@cvs.openbsd.org 2006/08/18 10:27:16
     reorder so prototypes are sorted by the files they refer to; no
   - djm@cvs.openbsd.org 2006/08/18 13:54:54
     [gss-genr.c ssh-gss.h sshconnect2.c]
     bz #1218 - disable SPNEGO as per RFC4462; diff from simon AT sxw.org.uk
   - djm@cvs.openbsd.org 2006/08/18 14:40:34
     [gss-genr.c ssh-gss.h]
     constify host argument to match the rest of the GSSAPI functions and
     unbreak compilation with -Werror
 - (djm) Disable sigdie() for platforms that cannot safely syslog inside
   a signal handler (basically all of them, excepting OpenBSD);
 - (dtucker) [openbsd-compat/fake-rfc2553.c openbsd-compat/setproctitle.c]
   Include stdlib.h for malloc and friends.
 - (dtucker) [configure.ac openbsd-compat/bsd-closefrom.c] Use F_CLOSEM fcntl
   for closefrom() on AIX. Pointed out by William Ahern.
 - (dtucker) [openbsd-compat/regress/{Makefile.in,closefromtest.c}] Regress
   test for closefrom() in compat code.
 - (djm) [audit-bsm.c] Sprinkle in some headers
 - (dtucker) [LICENCE] Add Reyk to the list for the compat dir.
 - (djm) [openbsd-compat/bsd-getpeereid.c] Add some headers to quiet warnings
 - (dtucker) [defines.h] With the includes.h changes we no longer get the
   name clash on "YES" so we can remove the workaround for it.
 - (dtucker) [openbsd-compat/{bsd-asprintf.c,bsd-openpty.c,bsd-snprintf.c,
   glob.c}] Include stdlib.h for malloc and friends in compat code.
 - (djm) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2006/07/24 13:58:22
     disable tunnel forwarding when no strict host key checking
     and key changed; ok djm@ markus@ dtucker@
   - stevesk@cvs.openbsd.org 2006/07/25 02:01:34
     need #include <string.h>
   - stevesk@cvs.openbsd.org 2006/07/25 02:59:21
     [channels.c clientloop.c packet.c scp.c serverloop.c sftp-client.c]
     [sftp-server.c ssh-agent.c ssh-keyscan.c sshconnect.c sshd.c]
     move #include <sys/time.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/26 02:35:17
     [atomicio.c auth.c dh.c authfile.c buffer.c clientloop.c kex.c]
     [groupaccess.c gss-genr.c kexgexs.c misc.c monitor.c monitor_mm.c]
     [packet.c scp.c serverloop.c session.c sftp-client.c sftp-common.c]
     [sftp-server.c sftp.c ssh-add.c ssh-agent.c ssh-keygen.c sshlogin.c]
     [uidswap.c xmalloc.c]
     move #include <sys/param.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/26 13:57:17
     [authfd.c authfile.c dh.c canohost.c channels.c clientloop.c compat.c]
     [hostfile.c kex.c log.c misc.c moduli.c monitor.c packet.c readpass.c]
     [scp.c servconf.c session.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c sshconnect.c]
     [sshconnect1.c sshd.c xmalloc.c]
     move #include <stdlib.h> out of includes.h
   - jmc@cvs.openbsd.org 2006/07/27 08:00:50
     avoid confusing wording in HashKnownHosts:
     originally spotted by alan amesbury;
   - jmc@cvs.openbsd.org 2006/07/27 08:00:50
     avoid confusing wording in HashKnownHosts:
     originally spotted by alan amesbury;
   - dtucker@cvs.openbsd.org 2006/08/01 11:34:36
     Allow fallback to known_hosts entries without port qualifiers for
     non-standard ports too, so that all existing known_hosts entries will be
     recognised. Requested by, feedback and ok markus@
   - stevesk@cvs.openbsd.org 2006/08/01 23:22:48
     [auth-passwd.c auth-rhosts.c auth-rsa.c auth.c auth.h auth1.c]
     [auth2-chall.c auth2-pubkey.c authfile.c buffer.c canohost.c]
     [channels.c clientloop.c dh.c dns.c dns.h hostfile.c kex.c kexdhc.c]
     [kexgexc.c kexgexs.c key.c key.h log.c misc.c misc.h moduli.c]
     [monitor_wrap.c packet.c progressmeter.c readconf.c readpass.c scp.c]
     [servconf.c session.c sftp-client.c sftp-common.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh.c sshconnect.c]
     [sshconnect1.c sshconnect2.c sshd.c sshlogin.c sshtty.c uuencode.c]
     [uuencode.h xmalloc.c]
     move #include <stdio.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/08/01 23:36:12
     [authfile.c channels.c progressmeter.c scard.c servconf.c ssh.c]
   - deraadt@cvs.openbsd.org 2006/08/03 03:34:42
     [OVERVIEW atomicio.c atomicio.h auth-bsdauth.c auth-chall.c auth-krb5.c]
     [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
     [auth-rsa.c auth-skey.c auth.c auth.h auth1.c auth2-chall.c auth2-gss.c]
     [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c ]
     [auth2-pubkey.c auth2.c authfd.c authfd.h authfile.c bufaux.c bufbn.c]
     [buffer.c buffer.h canohost.c channels.c channels.h cipher-3des1.c]
     [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
     [compress.c deattack.c dh.c dispatch.c dns.c dns.h fatal.c groupaccess.c]
     [groupaccess.h gss-genr.c gss-serv-krb5.c gss-serv.c hostfile.c kex.c]
     [kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c]
     [key.h log.c log.h mac.c match.c md-sha256.c misc.c misc.h moduli.c]
     [monitor.c monitor_fdpass.c monitor_mm.c monitor_mm.h monitor_wrap.c]
     [monitor_wrap.h msg.c nchan.c packet.c progressmeter.c readconf.c]
     [readconf.h readpass.c rsa.c scard.c scard.h scp.c servconf.c servconf.h]
     [serverloop.c session.c session.h sftp-client.c sftp-common.c]
     [sftp-common.h sftp-glob.c sftp-server.c sftp.c ssh-add.c ssh-agent.c]
     [ssh-dss.c ssh-gss.h ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rsa.c]
     [ssh.c ssh.h sshconnect.c sshconnect.h sshconnect1.c sshconnect2.c]
     [sshd.c sshlogin.c sshlogin.h sshpty.c sshpty.h sshtty.c ttymodes.c]
     [uidswap.c uidswap.h uuencode.c uuencode.h xmalloc.c xmalloc.h]
     [loginrec.c loginrec.h openbsd-compat/port-aix.c openbsd-compat/port-tun.h]
     almost entirely get rid of the culture of ".h files that include .h files"
     ok djm, sort of ok stevesk
     makes the pain stop in one easy step
     NB. portable commit contains everything *except* removing includes.h, as
     that will take a fair bit more work as we move headers that are required
     for portability workarounds to defines.h. (also, this step wasn't "easy")
   - stevesk@cvs.openbsd.org 2006/08/04 20:46:05
     [monitor.c session.c ssh-agent.c]
 - (djm) [auth-pam.c defines.h] Move PAM related bits to auth-pam.c
 - (djm) [auth-pam.c auth.c bufaux.h entropy.c openbsd-compat/port-tun.c]
   remove last traces of bufaux.h - it was merged into buffer.h in the big
 - (djm) [auth.c loginrec.c] Missing netinet/in.h for loginrec
 - (djm) [openbsd-compat/regress/snprintftest.c]
   [openbsd-compat/regress/strduptest.c] Add missing includes so they pass
   compilation with "-Wall -Werror"
 - (djm) [auth-pam.c auth-shadow.c auth2-none.c cleanup.c sshd.c]
   [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Sprinkle more
   includes for Linux in
 - (dtucker) [cleanup.c] Need defines.h for __dead.
 - (dtucker) [auth2-gss.c] We still need the #ifdef GSSAPI in -portable.
 - (dtucker) [openbsd-compat/{bsd-arc4random.c,port-tun.c,xmmap.c}] Lots of
   #include stdarg.h, needed for log.h.
 - (dtucker) [entropy.c] Needs unistd.h too.
 - (dtucker) [ssh-rand-helper.c] Needs stdarg.h for log.h.
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Needs stdlib.h for malloc.
 - (dtucker) [openbsd-compat/strtonum.c] Include stdlib.h for strtoll,
   otherwise it is implicitly declared as returning an int.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2006/08/05 07:52:52
     [auth2-none.c sshd.c monitor_wrap.c]
     Add headers required to build with KERBEROS5=no. ok djm@
   - dtucker@cvs.openbsd.org 2006/08/05 08:00:33
     Add headers required to build with -DSKEY. ok djm@
   - dtucker@cvs.openbsd.org 2006/08/05 08:28:24
     [monitor_wrap.c auth-skey.c auth2-chall.c]
     Zap unused variables in -DSKEY code. ok djm@
   - dtucker@cvs.openbsd.org 2006/08/05 08:34:04
 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Add headers required to compile
 - (dtucker) [openbsd-compat/fake-rfc2553.c] Add headers needed for inet_ntoa.
 - (dtucker) [auth-skey.c] monitor_wrap.h needs ssh-gss.h.
 - (dtucker) [audit.c audit.h] Repair headers.
 - (dtucker) [audit-bsm.c] Add additional headers now required.
 - (dtucker) [configure.ac] The "crippled AES" test does not work on recent
   versions of Solaris, so use AC_LINK_IFELSE to actually link the test program
   rather than just compiling it. Spotted by dlg@.
 - (dtucker) [openbsd-compat/daemon.c] Add unistd.h for fork() prototype.
 - (dtucker) [openbsd-compat/xmmap.c] Need fcntl.h for O_RDWR.
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/07/12 13:39:55
     - new sentence, new line
   - stevesk@cvs.openbsd.org 2006/07/12 22:28:52
     [auth-options.c canohost.c channels.c includes.h readconf.c]
     [servconf.c ssh-keyscan.c ssh.c sshconnect.c sshd.c]
     move #include <netdb.h> out of includes.h; ok djm@
   - stevesk@cvs.openbsd.org 2006/07/12 22:42:32
     [includes.h ssh.c ssh-rand-helper.c]
     move #include <stddef.h> out of includes.h
   - stevesk@cvs.openbsd.org 2006/07/14 01:15:28
     don't need incompletely-typed 'struct passwd' now with
     #include <pwd.h>; ok markus@
   - stevesk@cvs.openbsd.org 2006/07/17 01:31:10
     [authfd.c authfile.c channels.c cleanup.c clientloop.c groupaccess.c]
     [includes.h log.c misc.c msg.c packet.c progressmeter.c readconf.c]
     [readpass.c scp.c servconf.c sftp-client.c sftp-server.c sftp.c]
     [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh.c]
     [sshconnect.c sshlogin.c sshpty.c uidswap.c]
     move #include <unistd.h> out of includes.h
   - dtucker@cvs.openbsd.org 2006/07/17 12:02:24
     Use '\0' rather than 0 to terminate strings; ok djm@
   - dtucker@cvs.openbsd.org 2006/07/17 12:06:00
     [channels.c channels.h servconf.c sshd_config.5]
     Add PermitOpen directive to sshd_config which is equivalent to the
     "permitopen" key option. Allows server admin to allow TCP port
     forwarding only to specific host/port pairs. Useful when combined
     If permitopen is used in both sshd_config and a key option, both
     must allow a given connection before it will be permitted.
     Note that users can still use external forwarders such as netcat,
     so those must be controlled too for the limits to be effective.
     Feedback & ok djm@, man page corrections & ok jmc@.
724 - jmc@cvs.openbsd.org 2006/07/18 07:50:40
727 - jmc@cvs.openbsd.org 2006/07/18 07:56:28
729 replace DIAGNOSTICS with .Ex;
730 - jmc@cvs.openbsd.org 2006/07/18 08:03:09
731 [ssh-agent.1 sshd_config.5]
732 mark up angle brackets;
733 - dtucker@cvs.openbsd.org 2006/07/18 08:22:23
735 Clarify description of Match, with minor correction from jmc@
736 - stevesk@cvs.openbsd.org 2006/07/18 22:27:55
738 remove unneeded includes; ok djm@
739 - dtucker@cvs.openbsd.org 2006/07/19 08:56:41
740 [servconf.c sshd_config.5]
741 Add support for X11Forwarding, X11DisplayOffset and X11UseLocalhost to
743 - dtucker@cvs.openbsd.org 2006/07/19 13:07:10
744 [servconf.c servconf.h session.c sshd.8 sshd_config sshd_config.5]
745 Add ForceCommand keyword to sshd_config, equivalent to the "command="
746 key option, man page entry and example in sshd_config.
747 Feedback & ok djm@, man page corrections & ok jmc@
748 - stevesk@cvs.openbsd.org 2006/07/20 15:26:15
749 [auth1.c serverloop.c session.c sshconnect2.c]
750 missed some needed #include <unistd.h> when KERBEROS5=no; issue from
752 - dtucker@cvs.openbsd.org 2006/07/21 12:43:36
753 [channels.c channels.h servconf.c servconf.h sshd_config.5]
754 Make PermitOpen take a list of permitted ports and act more like most
755 other keywords (ie the first match is the effective setting). This
756 also makes it easier to override a previously set PermitOpen. ok djm@
757 - stevesk@cvs.openbsd.org 2006/07/21 21:13:30
759 more ARGSUSED (lint) for dispatch table-driven functions; ok djm@
760 - stevesk@cvs.openbsd.org 2006/07/21 21:26:55
762 ARGSUSED for signal handler
763 - stevesk@cvs.openbsd.org 2006/07/22 19:08:54
764 [includes.h moduli.c progressmeter.c scp.c sftp-common.c]
765 [sftp-server.c ssh-agent.c sshlogin.c]
766 move #include <time.h> out of includes.h
767 - stevesk@cvs.openbsd.org 2006/07/22 20:48:23
768 [atomicio.c auth-options.c auth-passwd.c auth-rhosts.c auth-rsa.c]
769 [auth.c auth1.c auth2-chall.c auth2-hostbased.c auth2-passwd.c auth2.c]
770 [authfd.c authfile.c bufaux.c bufbn.c buffer.c canohost.c channels.c]
771 [cipher-3des1.c cipher-bf1.c cipher-ctr.c cipher.c clientloop.c]
772 [compat.c deattack.c dh.c dns.c gss-genr.c gss-serv.c hostfile.c]
773 [includes.h kex.c kexdhc.c kexdhs.c kexgexc.c kexgexs.c key.c log.c]
774 [mac.c match.c md-sha256.c misc.c moduli.c monitor.c monitor_fdpass.c]
775 [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c rsa.c]
776 [progressmeter.c readconf.c readpass.c scp.c servconf.c serverloop.c]
777 [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c sftp.c]
778 [ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
779 [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c sshconnect2.c]
780 [sshd.c sshlogin.c sshpty.c ttymodes.c uidswap.c xmalloc.c]
781 move #include <string.h> out of includes.h
782 - stevesk@cvs.openbsd.org 2006/07/23 01:11:05
783 [auth.h dispatch.c kex.h sftp-client.c]
784 #include <signal.h> for sig_atomic_t; need this prior to <sys/param.h>
786 - (djm) [acss.c auth-krb5.c auth-options.c auth-pam.c auth-shadow.c]
787 [canohost.c channels.c cipher-acss.c defines.h dns.c gss-genr.c]
788 [gss-serv-krb5.c gss-serv.c log.h loginrec.c logintest.c readconf.c]
789 [servconf.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c ssh-rand-helper.c]
790 [ssh.c sshconnect.c sshd.c openbsd-compat/bindresvport.c]
791 [openbsd-compat/bsd-arc4random.c openbsd-compat/bsd-misc.c]
792 [openbsd-compat/getrrsetbyname.c openbsd-compat/glob.c]
793 [openbsd-compat/mktemp.c openbsd-compat/port-linux.c]
794 [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
795 [openbsd-compat/setproctitle.c openbsd-compat/xmmap.c]
796 make the portable tree compile again - sprinkle unistd.h and string.h
797 back in. Don't redefine __unused, as it turned out to be used in
798 headers on Linux, and replace its use in auth-pam.c with ARGSUSED
799 - (djm) [openbsd-compat/glob.c]
800 Move get_arg_max() into the ifdef HAVE_GLOB block so that it compiles
801 on OpenBSD (or other platforms with a decent glob implementation) with
804 Add resolv.h, as it contains the prototypes for __b64_ntop/__b64_pton on
807 fix compile error with -Werror -Wall: 'path' is only used in
808 do_setup_env() if HAVE_LOGIN_CAP is not defined
809 - (djm) [openbsd-compat/basename.c openbsd-compat/bsd-closefrom.c]
810 [openbsd-compat/bsd-cray.c openbsd-compat/bsd-openpty.c]
811 [openbsd-compat/bsd-snprintf.c openbsd-compat/fake-rfc2553.c]
812 [openbsd-compat/port-aix.c openbsd-compat/port-irix.c]
813 [openbsd-compat/rresvport.c]
814 These look to need string.h and/or unistd.h (based on a grep for function
816 - (djm) [Makefile.in]
817 Remove generated openbsd-compat/regress/Makefile in distclean target
818 - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
819 [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
820 Sync regress tests to -current; include dtucker@'s new cfgmatch and
821 forcecommand tests. Add cipher-speed.sh test (not linked in yet)
822 - (dtucker) [cleanup.c] Since config.h defines _LARGE_FILES on AIX, including
823 system headers before defines.h will cause conflicting definitions.
824 - (dtucker) [regress/forcecommand.sh] Portablize.
827 - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
830 - (dtucker) [configure.ac defines.h] Only define SHUT_RD (and friends) and
831 O_NONBLOCK if they're really needed. Fixes build errors on HP-UX, old
832 Linuxes and probably more.
833 - (dtucker) [configure.ac] OpenBSD needs <sys/types.h> before <sys/socket.h>
835 - (dtucker) [openbsd-compat/port-tun.c] OpenBSD needs <netinet/in.h> before
837 - (dtucker) OpenBSD CVS Sync
838 - stevesk@cvs.openbsd.org 2006/07/10 16:01:57
839 [sftp-glob.c sftp-common.h sftp.c]
840 buffer.h only needed in sftp-common.h and remove some unneeded
841 user includes; ok djm@
842 - jmc@cvs.openbsd.org 2006/07/10 16:04:21
845 - stevesk@cvs.openbsd.org 2006/07/10 16:37:36
846 [readpass.c log.h scp.c fatal.c xmalloc.c includes.h ssh-keyscan.c misc.c
847 auth.c packet.c log.c]
848 move #include <stdarg.h> out of includes.h; ok markus@
849 - dtucker@cvs.openbsd.org 2006/07/11 10:12:07
851 Only copy the part of environment variable that we actually use. Prevents
852 ssh bailing when SendEnv is used and an environment variable with a really
853 long value exists. ok djm@
854 - markus@cvs.openbsd.org 2006/07/11 18:50:48
855 [clientloop.c ssh.1 ssh.c channels.c ssh_config.5 readconf.h session.c
856 channels.h readconf.c]
857 add ExitOnForwardFailure: terminate the connection if ssh(1)
858 cannot set up all requested dynamic, local, and remote port
859 forwardings. ok djm, dtucker, stevesk, jmc
860 - stevesk@cvs.openbsd.org 2006/07/11 20:07:25
861 [scp.c auth.c monitor.c serverloop.c sftp-server.c sshpty.c readpass.c
862 sshd.c monitor_wrap.c monitor_fdpass.c ssh-agent.c ttymodes.c atomicio.c
863 includes.h session.c sshlogin.c monitor_mm.c packet.c sshconnect2.c
864 sftp-client.c nchan.c clientloop.c sftp.c misc.c canohost.c channels.c
865 ssh-keygen.c progressmeter.c uidswap.c msg.c readconf.c sshconnect.c]
866 move #include <errno.h> out of includes.h; ok markus@
867 - stevesk@cvs.openbsd.org 2006/07/11 20:16:43
869 cast asterisk field precision argument to int to remove warning;
871 - stevesk@cvs.openbsd.org 2006/07/11 20:27:56
873 need <errno.h> here also (it's also included in <openssl/err.h>)
874 - dtucker@cvs.openbsd.org 2006/07/12 11:34:58
875 [sshd.c servconf.h servconf.c sshd_config.5 auth.c]
876 Add support for conditional directives to sshd_config via a "Match"
877 keyword, which works similarly to the "Host" directive in ssh_config.
878 Lines after a Match line override the default set in the main section
879 if the condition on the Match line is true, eg
880 AllowTcpForwarding yes
882 AllowTcpForwarding no
883 will allow port forwarding by all users except "anoncvs".
884 Currently only a very small subset of directives are supported.
886 - (dtucker) [loginrec.c openbsd-compat/xmmap.c openbsd-compat/bindresvport.c
887 openbsd-compat/glob.c openbsd-compat/mktemp.c openbsd-compat/port-tun.c
888 openbsd-compat/readpassphrase.c openbsd-compat/strtonum.c] Include <errno.h>.
889 - (dtucker) [openbsd-compat/setproctitle.c] Include stdarg.h.
890 - (dtucker) [ssh-keyscan.c ssh-rand-helper.c] More errno.h here too.
891 - (dtucker) [openbsd-compat/openbsd-compat.h] v*printf needs stdarg.h.
892 - (dtucker) [openbsd-compat/bsd-asprintf.c openbsd-compat/port-aix.c
893 openbsd-compat/rresvport.c] More errno.h.
896 - (dtucker) [configure.ac ssh-keygen.c openbsd-compat/bsd-openpty.c
897 openbsd-compat/daemon.c] Add includes needed by open(2). Conditionally
898 include paths.h. Fixes build error on Solaris.
899 - (dtucker) [entropy.c] More fcntl.h, this time on AIX (and probably
903 - (dtucker) [INSTALL] New autoconf version: 2.60.
905 - djm@cvs.openbsd.org 2006/06/14 10:50:42
907 limit the number of pre-banner characters we will accept; ok markus@
908 - djm@cvs.openbsd.org 2006/06/26 10:36:15
910 mention optional bind_address in runtime port forwarding setup
911 command-line help. patch from santhi.amirta AT gmail.com
912 - stevesk@cvs.openbsd.org 2006/07/02 17:12:58
913 [ssh.1 ssh.c ssh_config.5 sshd_config.5]
914 more details and clarity for tun(4) device forwarding; ok and help
916 - stevesk@cvs.openbsd.org 2006/07/02 18:36:47
917 [gss-serv-krb5.c gss-serv.c]
918 no "servconf.h" needed here
919 (gss-serv-krb5.c change not applied, portable needs the server options)
920 - stevesk@cvs.openbsd.org 2006/07/02 22:45:59
921 [groupaccess.c groupaccess.h includes.h session.c sftp-common.c sshpty.c]
922 move #include <grp.h> out of includes.h
923 (portable needed uidswap.c too)
924 - stevesk@cvs.openbsd.org 2006/07/02 23:01:55
926 use -KR[bind_address:]port here; ok djm@
927 - stevesk@cvs.openbsd.org 2006/07/03 08:54:20
928 [includes.h ssh.c sshconnect.c sshd.c]
929 move #include "version.h" out of includes.h; ok markus@
930 - stevesk@cvs.openbsd.org 2006/07/03 17:59:32
931 [channels.c includes.h]
932 move #include <arpa/inet.h> out of includes.h; old ok djm@
933 (portable needed session.c too)
934 - stevesk@cvs.openbsd.org 2006/07/05 02:42:09
935 [canohost.c hostfile.c includes.h misc.c packet.c readconf.c]
936 [serverloop.c sshconnect.c uuencode.c]
937 move #include <netinet/in.h> out of includes.h; ok deraadt@
938 (also ssh-rand-helper.c logintest.c loginrec.c)
939 - djm@cvs.openbsd.org 2006/07/06 10:47:05
940 [servconf.c servconf.h session.c sshd_config.5]
941 support arguments to Subsystem commands; ok markus@
942 - djm@cvs.openbsd.org 2006/07/06 10:47:57
943 [sftp-server.8 sftp-server.c]
944 add commandline options to enable logging of transactions; ok markus@
945 - stevesk@cvs.openbsd.org 2006/07/06 16:03:53
946 [auth-options.c auth-options.h auth-passwd.c auth-rh-rsa.c]
947 [auth-rhosts.c auth-rsa.c auth.c auth.h auth2-hostbased.c]
948 [auth2-pubkey.c auth2.c includes.h misc.c misc.h monitor.c]
949 [monitor_wrap.c monitor_wrap.h scp.c serverloop.c session.c]
950 [session.h sftp-common.c ssh-add.c ssh-keygen.c ssh-keysign.c]
951 [ssh.c sshconnect.c sshconnect.h sshd.c sshpty.c sshpty.h uidswap.c]
953 move #include <pwd.h> out of includes.h; ok markus@
954 - stevesk@cvs.openbsd.org 2006/07/06 16:22:39
956 move #include "dns.h" up
957 - stevesk@cvs.openbsd.org 2006/07/06 17:36:37
960 - stevesk@cvs.openbsd.org 2006/07/08 21:47:12
961 [authfd.c canohost.c clientloop.c dns.c dns.h includes.h]
962 [monitor_fdpass.c nchan.c packet.c servconf.c sftp.c ssh-agent.c]
963 [ssh-keyscan.c ssh.c sshconnect.h sshd.c sshlogin.h]
964 move #include <sys/socket.h> out of includes.h
965 - stevesk@cvs.openbsd.org 2006/07/08 21:48:53
966 [monitor.c session.c]
967 missed these from last commit:
968 move #include <sys/socket.h> out of includes.h
969 - stevesk@cvs.openbsd.org 2006/07/08 23:30:06
971 move user includes after /usr/include files
972 - stevesk@cvs.openbsd.org 2006/07/09 15:15:11
973 [auth2-none.c authfd.c authfile.c includes.h misc.c monitor.c]
974 [readpass.c scp.c serverloop.c sftp-client.c sftp-server.c]
975 [ssh-add.c ssh-agent.c ssh-keygen.c ssh-keysign.c ssh.c sshd.c]
976 [sshlogin.c sshpty.c]
977 move #include <fcntl.h> out of includes.h
978 - stevesk@cvs.openbsd.org 2006/07/09 15:27:59
980 use O_RDONLY vs. 0 in open(); no binary change
981 - djm@cvs.openbsd.org 2006/07/10 11:24:54
983 remove optind - it isn't used here
984 - djm@cvs.openbsd.org 2006/07/10 11:25:53
986 don't log variables that aren't yet set
987 - (djm) [loginrec.c ssh-rand-helper.c sshd.c openbsd-compat/glob.c]
988 [openbsd-compat/mktemp.c openbsd-compat/openbsd-compat.h]
989 [openbsd-compat/port-tun.c openbsd-compat/readpassphrase.c]
990 [openbsd-compat/xcrypt.c] Fix includes.h fallout, mainly fcntl.h
992 - djm@cvs.openbsd.org 2006/07/10 12:03:20
994 duplicate argv at the start of main() because it gets modified later;
995 pointed out by deraadt@ ok markus@
996 - djm@cvs.openbsd.org 2006/07/10 12:08:08
998 fix misparsing of SOCKS 5 packets that could result in a crash;
999 reported by mk@ ok markus@
1000 - dtucker@cvs.openbsd.org 2006/07/10 12:46:51
1001 [misc.c misc.h sshd.8 sshconnect.c]
1002 Add port identifier to known_hosts for non-default ports, based originally
1003 on a patch from Devin Nate in bz#910.
1004 For any connection using the default port or using a HostKeyAlias the
1005 format is unchanged, otherwise the host name or address is enclosed
1006 within square brackets in the same format as sshd's ListenAddress.
1007 Tested by many, ok markus@.
1008 - (dtucker) [openbsd-compat/openbsd-compat.h] Need to include <sys/socket.h>
1009 for struct sockaddr on platforms that use the fake-rfc stuff.
1012 - (dtucker) [configure.ac] Try AIX blibpath test in different order when
1013 compiling with gcc. gcc 4.1.x will accept (but ignore) -b flags so
1014 configure would not select the correct libpath linker flags.
1015 - (dtucker) [INSTALL] A bit more info on autoconf.
1018 - (dtucker) [ssh-rand-helper.c] Don't exit if mkdir fails because the
1019 target already exists.
1022 - (dtucker) [openbsd-compat/openbsd-compat.h] SNPRINTF_CONST for snprintf
1023 declaration too. Patch from russ at sludge.net.
1024 - (dtucker) [openbsd-compat/getrrsetbyname.c] Undef _res before defining it,
1025 prevents warnings on platforms where _res is in the system headers.
1026 - (dtucker) [INSTALL] Bug #1202: Note when autoconf is required and which
1030 - (dtucker) [configure.ac] Bug #1203: Add missing '[', which causes problems
1031 with autoconf 2.60. Patch from vapier at gentoo.org.
1034 - (dtucker) [channels.c serverloop.c] Apply the bug #1102 workaround to ptys
1035 only, otherwise sshd can hang exiting non-interactive sessions.
1038 - (dtucker) [configure.ac] Bug #1193: Define PASSWD_NEEDS_USERNAME on Solaris.
1039 Works around limitation in Solaris' passwd program for changing passwords
1040 where the username is longer than 8 characters. ok djm@
1041 - (dtucker) [serverloop.c] Get ifdef/ifndef the right way around for the bug
1045 - (dtucker) [README.platform configure.ac openbsd-compat/port-tun.c] Add
1046 tunnel support for Mac OS X/Darwin via a third-party tun driver. Patch
1047 from reyk@, tested by anil@
1048 - (dtucker) [channels.c configure.ac serverloop.c] Bug #1102: Around AIX
1049 4.3.3 ML3 or so, the AIX pty layer started passing zero-length writes
1050 on the pty slave as zero-length reads on the pty master, which sshd
1051 interprets as the descriptor closing. Since most things don't do zero
1052 length writes this rarely matters, but occasionally it happens, and when
1053 it does the SSH pty session appears to hang, so we add a special case for
1054 this condition. ok djm@
1057 - (djm) [getput.h] This file has been replaced by functions in misc.c
1059 - djm@cvs.openbsd.org 2006/05/08 10:49:48
1061 uint32_t -> u_int32_t (which we use everywhere else)
1062 (Id sync only - portable already had this)
1063 - markus@cvs.openbsd.org 2006/05/16 09:00:00
1065 missing free; from Kylene Hall
1066 - markus@cvs.openbsd.org 2006/05/17 12:43:34
1067 [scp.c sftp.c ssh-agent.c ssh-keygen.c sshconnect.c]
1068 fix leak; coverity via Kylene Jo Hall
1069 - miod@cvs.openbsd.org 2006/05/18 21:27:25
1070 [kexdhc.c kexgexc.c]
1071 paramter -> parameter
1072 - dtucker@cvs.openbsd.org 2006/05/29 12:54:08
1074 Add gssapi-with-mic to PreferredAuthentications default list; ok jmc
1075 - dtucker@cvs.openbsd.org 2006/05/29 12:56:33
1077 Add GSSAPIAuthentication and GSSAPIDelegateCredentials to examples in
1078 sample ssh_config. ok markus@
1079 - jmc@cvs.openbsd.org 2006/05/29 16:10:03
1081 oops - previous was too long; split the list of auths up
1082 - mk@cvs.openbsd.org 2006/05/30 11:46:38
1084 Sync usage() with man page and reality.
1086 - jmc@cvs.openbsd.org 2006/05/29 16:13:23
1088 add GSSAPI to the list of authentication methods supported;
1089 - mk@cvs.openbsd.org 2006/05/30 11:46:38
1091 Sync usage() with man page and reality.
1093 - markus@cvs.openbsd.org 2006/06/01 09:21:48
1095 call get_remote_ipaddr() early; fixes logging after client disconnects;
1096 report mpf@; ok dtucker@
1097 - markus@cvs.openbsd.org 2006/06/06 10:20:20
1098 [readpass.c sshconnect.c sshconnect.h sshconnect2.c uidswap.c]
1099 replace remaining setuid() calls with permanently_set_uid() and
1100 check seteuid() return values; report Marcus Meissner; ok dtucker djm
1101 - markus@cvs.openbsd.org 2006/06/08 14:45:49
1102 [readpass.c sshconnect.c sshconnect2.c uidswap.c uidswap.h]
1103 do not set the gid, noted by solar; ok djm
1104 - djm@cvs.openbsd.org 2006/06/13 01:18:36
1106 always use a format string, even when printing a constant
1107 - djm@cvs.openbsd.org 2006/06/13 02:17:07
1109 revert; i am on drugs. spotted by alexander AT beard.se
1112 - (dtucker) [auth.c monitor.c] Now that we don't log from both the monitor
1113 and slave, we can remove the special-case handling in the audit hook in
1117 - (dtucker) [ssh-rand-helper.c] Check return code of mkdir and fix file
1118 pointer leak. From kjhall at us.ibm.com, found by coverity.
1121 - (dtucker) [openbsd-compat/getrrsetbyname.c] Use _compat_res instead of
1122 _res, prevents problems on some platforms that have _res as a global but
1123 don't have getrrsetbyname(), eg IRIX 5.3. Found and tested by
1124 georg.schwarz at freenet.de, ok djm@.
1125 - (dtucker) [defines.h] Find a value for IOV_MAX or use a conservative
1126 default. Patch originally from tim@, ok djm
1127 - (dtucker) [auth-pam.c] Bug #1188: pass result of do_pam_account back and
1128 do not allow kbdint again after the PAM account check fails. ok djm@
1131 - (dtucker) OpenBSD CVS Sync
1132 - dtucker@cvs.openbsd.org 2006/04/25 08:02:27
1133 [authfile.c authfile.h sshconnect2.c ssh.c sshconnect1.c]
1134 Prevent ssh from trying to open private keys with bad permissions more than
1135 once or prompting for their passphrases (which it subsequently ignores
1136 anyway), similar to a previous change in ssh-add. bz #1186, ok djm@
1137 - djm@cvs.openbsd.org 2006/05/04 14:55:23
1139 tighter DH exponent checks here too; feedback and ok markus@
1140 - djm@cvs.openbsd.org 2006/04/01 05:37:46
1142 $OpenBSD$ in here too
1143 - dtucker@cvs.openbsd.org 2006/05/06 08:35:40
1145 Add $OpenBSD$ in comment here too
1148 - (dtucker) [auth-pam.c groupaccess.c monitor.c monitor_wrap.c scard-opensc.c
1149 session.c ssh-rand-helper.c sshd.c openbsd-compat/bsd-cygwin_util.c
1150 openbsd-compat/setproctitle.c] Convert malloc(foo*bar) -> calloc(foo,bar)
1151 in Portable-only code; since calloc zeros, remove now-redundant memsets.
1152 Also add a couple of sanity checks. With & ok djm@
1155 - (dtucker) [packet.c] Remove in_systm.h since it's also in includes.h
1156 and double including it on IRIX 5.3 causes problems. From Georg Schwarz,
1157 "no objections" tim@
1160 - (djm) OpenBSD CVS Sync
1161 - deraadt@cvs.openbsd.org 2006/04/01 05:42:20
1163 minimal lint cleanup (unused crud, and some size_t); ok djm
1164 - djm@cvs.openbsd.org 2006/04/01 05:50:29
1166 xasprintification; ok deraadt@
1167 - djm@cvs.openbsd.org 2006/04/01 05:51:34
1169 ANSIfy; requested deraadt@
1170 - dtucker@cvs.openbsd.org 2006/04/02 08:34:52
1172 sessionid can be 32 bytes now too when sha256 kex is used; ok djm@
1173 - djm@cvs.openbsd.org 2006/04/03 07:10:38
1175 GSSAPI buffers shouldn't be nul-terminated, spotted in bugzilla #1066
1176 by dleonard AT vintela.com. use xasprintf() to simplify code while in
1177 there; "looks right" deraadt@
1178 - djm@cvs.openbsd.org 2006/04/16 00:48:52
1179 [buffer.c buffer.h channels.c]
1180 Fix condition where we could exit with a fatal error when an input
1181 buffer became too large and the remote end had advertised a big window.
1182 The problem was a mismatch in the backoff math between the channels code
1183 and the buffer code, so make a buffer_check_alloc() function that the
1184 channels code can use to prospectively check whether an incremental
1185 allocation will succeed. bz #1131, debugged with the assistance of
1186 cove AT wildpackets.com; ok dtucker@ deraadt@
1187 - djm@cvs.openbsd.org 2006/04/16 00:52:55
1188 [atomicio.c atomicio.h]
1189 introduce atomiciov() function that wraps readv/writev to retry
1190 interrupted transfers like atomicio() does for read/write;
1191 feedback deraadt@ dtucker@ stevesk@ ok deraadt@
1192 - djm@cvs.openbsd.org 2006/04/16 00:54:10
1194 avoid making a tiny 4-byte write to send the packet length of sftp
1195 commands, which would result in a separate tiny packet on the wire by
1196 using atomiciov(writev, ...) to write the length and the command in one
1198 - djm@cvs.openbsd.org 2006/04/16 07:59:00
1200 reorder sanity test so that it cannot dereference past the end of the
1201 iov array; well spotted canacar@!
1202 - dtucker@cvs.openbsd.org 2006/04/18 10:44:28
1203 [bufaux.c bufbn.c Makefile.in]
1204 Move Buffer bignum functions into their own file, bufbn.c. This means
1205 that sftp and sftp-server (which use the Buffer functions in bufaux.c
1206 but not the bignum ones) no longer need to be linked with libcrypto.
1208 - djm@cvs.openbsd.org 2006/04/20 09:27:09
1209 [auth.h clientloop.c dispatch.c dispatch.h kex.h]
1210 replace the last non-sig_atomic_t flag used in a signal handler with a
1211 sig_atomic_t, unfortunately with some knock-on effects in other (non-
1212 signal) contexts in which it is used; ok markus@
1213 - markus@cvs.openbsd.org 2006/04/20 09:47:59
1216 - djm@cvs.openbsd.org 2006/04/20 21:53:44
1217 [includes.h session.c sftp.c]
1218 Switch from using pipes to socketpairs for communication between
1219 sftp/scp and ssh, and between sshd and its subprocesses. This saves
1220 a file descriptor per session and apparently makes userland ppp over
1221 ssh work; ok markus@ deraadt@ (ID Sync only - portable makes this
1222 decision on a per-platform basis)
1223 - djm@cvs.openbsd.org 2006/04/22 04:06:51
1225 use setres[ug]id() to permanently revoke privileges; ok deraadt@
1226 (ID Sync only - portable already uses setres[ug]id() whenever possible)
1227 - stevesk@cvs.openbsd.org 2006/04/22 18:29:33
1230 - (djm) [auth.h dispatch.h kex.h] sprinkle in signal.h to get
1234 - (djm) [Makefile.in configure.ac session.c sshpty.c]
1235 [contrib/redhat/sshd.init openbsd-compat/Makefile.in]
1236 [openbsd-compat/openbsd-compat.h openbsd-compat/port-linux.c]
1237 [openbsd-compat/port-linux.h] Add support for SELinux, setting
1238 the execution and TTY contexts. based on patch from Daniel Walsh,
1239 bz #880; ok dtucker@
1242 - (djm) [canohost.c] Reorder IP options check so that it isn't broken
1243 by mapped addresses; bz #1179 reported by markw wtech-llc.com;
1248 - deraadt@cvs.openbsd.org 2006/03/27 01:21:18
1250 we can do the size & nmemb check before the integer overflow check;
1252 - deraadt@cvs.openbsd.org 2006/03/27 13:03:54
1254 use strtonum() instead of atoi(), limit dhg size to 64k; ok djm
1255 - djm@cvs.openbsd.org 2006/03/27 23:15:46
1257 always use a format string for addargs; spotted by mouring@
1258 - deraadt@cvs.openbsd.org 2006/03/28 00:12:31
1261 - deraadt@cvs.openbsd.org 2006/03/28 01:52:28
1263 do not accept unreasonable X port numbers; ok djm
1264 - deraadt@cvs.openbsd.org 2006/03/28 01:53:43
1266 use strtonum() to parse the pid from the file, and range check it
1268 - djm@cvs.openbsd.org 2006/03/30 09:41:25
1270 ARGSUSED for dispatch table-driven functions
1271 - djm@cvs.openbsd.org 2006/03/30 09:58:16
1272 [authfd.c bufaux.c deattack.c gss-serv.c mac.c misc.c misc.h]
1273 [monitor_wrap.c msg.c packet.c sftp-client.c sftp-server.c ssh-agent.c]
1274 replace {GET,PUT}_XXBIT macros with functionally similar functions,
1275 silencing a heap of lint warnings. also allows them to use
1276 __bounded__ checking which can't be applied to macros; requested
1277 by and feedback from deraadt@
1278 - djm@cvs.openbsd.org 2006/03/30 10:41:25
1279 [ssh.c ssh_config.5]
1280 add percent escape chars to the IdentityFile option, bz #1159 based
1281 on a patch by imaging AT math.ualberta.ca; feedback and ok dtucker@
1282 - dtucker@cvs.openbsd.org 2006/03/30 11:05:17
1284 Correctly handle truncated files while converting keys; ok djm@
1285 - dtucker@cvs.openbsd.org 2006/03/30 11:40:21
1287 Prevent duplicate log messages when privsep=yes; ok djm@
1288 - jmc@cvs.openbsd.org 2006/03/31 09:09:30
1290 kill trailing whitespace;
1291 - djm@cvs.openbsd.org 2006/03/31 09:13:56
1293 remote user escape is %r not %h; spotted by jmc@
1297 - jakob@cvs.openbsd.org 2006/03/15 08:46:44
1299 if no key files are given when printing the DNS host record, use the
1300 host key file(s) as default. ok djm@
1301 - biorn@cvs.openbsd.org 2006/03/16 10:31:45
1303 Try to display error message even if remout == -1
1305 - djm@cvs.openbsd.org 2006/03/17 22:31:50
1307 another unreachable found by lint
1308 - djm@cvs.openbsd.org 2006/03/17 22:31:11
1310 unreachable statement, found by lint
1311 - djm@cvs.openbsd.org 2006/03/19 02:22:32
1313 memory leaks detected by Coverity via elad AT netbsd.org;
1314 ok deraadt@ dtucker@
1315 - djm@cvs.openbsd.org 2006/03/19 02:22:56
1317 more memory leaks detected by Coverity via elad AT netbsd.org;
1319 - djm@cvs.openbsd.org 2006/03/19 02:23:26
1321 FILE* leak detected by Coverity via elad AT netbsd.org;
1323 - djm@cvs.openbsd.org 2006/03/19 02:24:05
1324 [dh.c readconf.c servconf.c]
1325 potential NULL pointer dereferences detected by Coverity
1326 via elad AT netbsd.org; ok deraadt@
1327 - djm@cvs.openbsd.org 2006/03/19 07:41:30
1329 memory leaks detected by Coverity via elad AT netbsd.org;
1331 - dtucker@cvs.openbsd.org 2006/03/19 11:51:52
1333 Correct strdelim null test; ok djm@
1334 - deraadt@cvs.openbsd.org 2006/03/19 18:52:11
1335 [auth1.c authfd.c channels.c]
1337 - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
1338 [kex.c kex.h monitor.c myproposal.h session.c]
1340 - deraadt@cvs.openbsd.org 2006/03/19 18:56:41
1341 [clientloop.c progressmeter.c serverloop.c sshd.c]
1342 ARGSUSED for signal handlers
1343 - deraadt@cvs.openbsd.org 2006/03/19 18:59:49
1346 - deraadt@cvs.openbsd.org 2006/03/19 18:59:30
1349 - deraadt@cvs.openbsd.org 2006/03/19 18:59:09
1351 whoever thought that break after return was a good idea needs to
1352 get their head examined
1353 - djm@cvs.openbsd.org 2006/03/20 04:09:44
1355 memory leaks detected by Coverity via elad AT netbsd.org;
1357 that should be all of them now
1358 - djm@cvs.openbsd.org 2006/03/20 11:38:46
1360 (really) last of the Coverity diffs: avoid possible NULL deref in
1361 key_free. via elad AT netbsd.org; markus@ ok
1362 - deraadt@cvs.openbsd.org 2006/03/20 17:10:19
1363 [auth.c key.c misc.c packet.c ssh-add.c]
1364 in a switch (), break after return or goto is stupid
1365 - deraadt@cvs.openbsd.org 2006/03/20 17:13:16
1368 - deraadt@cvs.openbsd.org 2006/03/20 17:17:23
1370 in a switch (), break after return or goto is stupid
1371 - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
1372 [channels.c clientloop.c monitor_wrap.c monitor_wrap.h serverloop.c]
1373 [ssh.c sshpty.c sshpty.h]
1374 sprinkle u_int throughout pty subsystem, ok markus
1375 - deraadt@cvs.openbsd.org 2006/03/20 18:17:20
1376 [auth1.c auth2.c sshd.c]
1377 sprinkle some ARGSUSED for table driven functions (which sometimes
1378 must ignore their args)
1379 - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
1380 [channels.c monitor.c session.c session.h ssh-agent.c ssh-keygen.c]
1381 [ssh-rsa.c ssh.c sshlogin.c]
1382 annoying spacing fixes getting in the way of real diffs
1383 - deraadt@cvs.openbsd.org 2006/03/20 18:27:50
1386 - deraadt@cvs.openbsd.org 2006/03/20 18:35:12
1388 x11_fake_data is only ever used as u_char *
1389 - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
1391 cast xstrdup to proper u_char *
1392 - deraadt@cvs.openbsd.org 2006/03/20 18:42:27
1393 [canohost.c match.c ssh.c sshconnect.c]
1394 be strict with tolower() casting
1395 - deraadt@cvs.openbsd.org 2006/03/20 18:48:34
1396 [channels.c fatal.c kex.c packet.c serverloop.c]
1398 - deraadt@cvs.openbsd.org 2006/03/20 21:11:53
1401 - djm@cvs.openbsd.org 2006/03/25 00:05:41
1402 [auth-bsdauth.c auth-skey.c auth.c auth2-chall.c channels.c]
1403 [clientloop.c deattack.c gss-genr.c kex.c key.c misc.c moduli.c]
1404 [monitor.c monitor_wrap.c packet.c scard.c sftp-server.c ssh-agent.c]
1405 [ssh-keyscan.c ssh.c sshconnect.c sshconnect2.c sshd.c uuencode.c]
1406 [xmalloc.c xmalloc.h]
1407 introduce xcalloc() and xasprintf() failure-checked allocation
1408 functions and use them throughout openssh
1410 xcalloc is particularly important because malloc(nmemb * size) is a
1411 dangerous idiom (subject to integer overflow) and it is time for it
1414 feedback and ok deraadt@
1415 - djm@cvs.openbsd.org 2006/03/25 01:13:23
1416 [buffer.c channels.c deattack.c misc.c scp.c session.c sftp-client.c]
1417 [sftp-server.c ssh-agent.c ssh-rsa.c xmalloc.c xmalloc.h auth-pam.c]
1419 change OpenSSH's xrealloc() function from being xrealloc(p, new_size)
1420 to xrealloc(p, new_nmemb, new_itemsize).
1422 realloc is particularly prone to integer overflows because it is
1423 almost always allocating "n * size" bytes, so this is a far safer
1425 - djm@cvs.openbsd.org 2006/03/25 01:30:23
1427 "abormally" is a perfectly cromulent word, but "abnormally" is better
1428 - djm@cvs.openbsd.org 2006/03/25 13:17:03
1429 [atomicio.c auth-bsdauth.c auth-chall.c auth-options.c auth-passwd.c]
1430 [auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth-skey.c auth.c auth1.c]
1431 [auth2-chall.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
1432 [auth2-passwd.c auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c]
1433 [buffer.c canohost.c channels.c cipher-3des1.c cipher-bf1.c]
1434 [cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c compress.c]
1435 [deattack.c dh.c dispatch.c fatal.c groupaccess.c hostfile.c kex.c]
1436 [kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c]
1437 [mac.c match.c md-sha256.c misc.c monitor.c monitor_fdpass.c]
1438 [monitor_mm.c monitor_wrap.c msg.c nchan.c packet.c progressmeter.c]
1439 [readconf.c readpass.c rsa.c scard.c scp.c servconf.c serverloop.c]
1440 [session.c sftp-client.c sftp-common.c sftp-glob.c sftp-server.c]
1441 [sftp.c ssh-add.c ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c]
1442 [ssh-keysign.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
1443 [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
1444 [uidswap.c uuencode.c xmalloc.c]
1445 Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
1446 Theo nuked - our scripts to sync -portable need them in the files
1447 - deraadt@cvs.openbsd.org 2006/03/25 18:29:35
1448 [auth-rsa.c authfd.c packet.c]
1449 needed casts (always will be needed)
1450 - deraadt@cvs.openbsd.org 2006/03/25 18:30:55
1451 [clientloop.c serverloop.c]
1453 - deraadt@cvs.openbsd.org 2006/03/25 18:36:15
1454 [sshlogin.c sshlogin.h]
1455 nicer size_t and time_t types
1456 - deraadt@cvs.openbsd.org 2006/03/25 18:40:14
1458 cast strtonum() result to right type
1459 - deraadt@cvs.openbsd.org 2006/03/25 18:41:45
1461 mark two more signal handlers ARGSUSED
1462 - deraadt@cvs.openbsd.org 2006/03/25 18:43:30
1464 use strtonum() instead of atoi() [limit X screens to 400, sorry]
1465 - deraadt@cvs.openbsd.org 2006/03/25 18:56:55
1466 [bufaux.c channels.c packet.c]
1467 remove (char *) casts to a function that accepts void * for the arg
1468 - deraadt@cvs.openbsd.org 2006/03/25 18:58:10
1470 delete cast not required
1471 - djm@cvs.openbsd.org 2006/03/25 22:22:43
1472 [atomicio.h auth-options.h auth.h auth2-gss.c authfd.h authfile.h]
1473 [bufaux.h buffer.h canohost.h channels.h cipher.h clientloop.h]
1474 [compat.h compress.h crc32.c crc32.h deattack.h dh.h dispatch.h]
1475 [dns.c dns.h getput.h groupaccess.h gss-genr.c gss-serv-krb5.c]
1476 [gss-serv.c hostfile.h includes.h kex.h key.h log.h mac.h match.h]
1477 [misc.h monitor.h monitor_fdpass.h monitor_mm.h monitor_wrap.h msg.h]
1478 [myproposal.h packet.h pathnames.h progressmeter.h readconf.h rsa.h]
1479 [scard.h servconf.h serverloop.h session.h sftp-common.h sftp.h]
1480 [ssh-gss.h ssh.h ssh1.h ssh2.h sshconnect.h sshlogin.h sshpty.h]
1481 [ttymodes.h uidswap.h uuencode.h xmalloc.h]
1482 standardise spacing in $OpenBSD$ tags; requested by deraadt@
1483 - deraadt@cvs.openbsd.org 2006/03/26 01:31:48
1489 - djm@cvs.openbsd.org 2006/03/16 04:24:42
1491 Add RFC4419 (Diffie-Hellman group exchange KEX) to the list of SSH RFCs
1492 that OpenSSH supports
1493 - deraadt@cvs.openbsd.org 2006/03/19 18:51:18
1494 [atomicio.c auth-bsdauth.c auth-chall.c auth-krb5.c auth-options.c]
1495 [auth-pam.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c]
1496 [auth-shadow.c auth-skey.c auth.c auth1.c auth2-chall.c]
1497 [auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c]
1498 [auth2-pubkey.c auth2.c authfd.c authfile.c bufaux.c buffer.c]
1499 [canohost.c channels.c cipher-3des1.c cipher-acss.c cipher-aes.c]
1500 [cipher-bf1.c cipher-ctr.c cipher.c cleanup.c clientloop.c compat.c]
1501 [compress.c deattack.c dh.c dispatch.c dns.c entropy.c fatal.c]
1502 [groupaccess.c hostfile.c includes.h kex.c kexdh.c kexdhc.c]
1503 [kexdhs.c kexgex.c kexgexc.c kexgexs.c key.c log.c loginrec.c]
1504 [loginrec.h logintest.c mac.c match.c md-sha256.c md5crypt.c misc.c]
1505 [monitor.c monitor_fdpass.c monitor_mm.c monitor_wrap.c msg.c]
1506 [nchan.c packet.c progressmeter.c readconf.c readpass.c rsa.c]
1507 [scard.c scp.c servconf.c serverloop.c session.c sftp-client.c]
1508 [sftp-common.c sftp-glob.c sftp-server.c sftp.c ssh-add.c]
1509 [ssh-agent.c ssh-dss.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
1510 [ssh-rand-helper.c ssh-rsa.c ssh.c sshconnect.c sshconnect1.c]
1511 [sshconnect2.c sshd.c sshlogin.c sshpty.c sshtty.c ttymodes.c]
1512 [uidswap.c uuencode.c xmalloc.c openbsd-compat/bsd-arc4random.c]
1513 [openbsd-compat/bsd-closefrom.c openbsd-compat/bsd-cygwin_util.c]
1514 [openbsd-compat/bsd-getpeereid.c openbsd-compat/bsd-misc.c]
1515 [openbsd-compat/bsd-nextstep.c openbsd-compat/bsd-snprintf.c]
1516 [openbsd-compat/bsd-waitpid.c openbsd-compat/fake-rfc2553.c]
1518 - deraadt@cvs.openbsd.org 2006/03/19 18:53:12
1519 [kex.h myproposal.h]
1521 - djm@cvs.openbsd.org 2006/03/20 04:07:22
1523 GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
1524 reviewed by simon AT sxw.org.uk; deraadt@ ok
1525 - djm@cvs.openbsd.org 2006/03/20 04:07:49
1527 more GSSAPI related leaks detected by Coverity via elad AT netbsd.org;
1528 reviewed by simon AT sxw.org.uk; deraadt@ ok
1529 - djm@cvs.openbsd.org 2006/03/20 04:08:18
1531 last lot of GSSAPI related leaks detected by Coverity via
1532 elad AT netbsd.org; reviewed by simon AT sxw.org.uk; deraadt@ ok
1533 - deraadt@cvs.openbsd.org 2006/03/20 18:14:02
1534 [monitor_wrap.h sshpty.h]
1535 sprinkle u_int throughout pty subsystem, ok markus
1536 - deraadt@cvs.openbsd.org 2006/03/20 18:26:55
1538 annoying spacing fixes getting in the way of real diffs
1539 - deraadt@cvs.openbsd.org 2006/03/20 18:41:43
1541 cast xstrdup to proper u_char *
1542 - jakob@cvs.openbsd.org 2006/03/22 21:16:24
1544 simplify SSHFP example; ok jmc@
1545 - djm@cvs.openbsd.org 2006/03/22 21:27:15
1546 [deattack.c deattack.h]
1547 remove IV support from the CRC attack detector, OpenSSH has never used
1548 it - it only applied to IDEA-CFB, which we don't support.
1549 prompted by NetBSD Coverity report via elad AT netbsd.org;
1550 feedback markus@ "nuke it" deraadt@
1553 - (djm) [auth-pam.c] Fix memleak in error path, from Coverity via
1555 - (dtucker) [openbsd-compat/bsd-snprintf.c] Bug #1173: make fmtint() take
1556 a LLONG rather than a long. Fixes scp'ing of large files on platforms
1557 with missing/broken snprintfs. Patch from e.borovac at bom.gov.au.
1560 - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
1561 - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
1562 /usr/include/crypto. Hint from djm@.
1563 - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
1564 Disable sha256 when openssl < 0.9.7. Patch from djm@.
1565 - (djm) [kex.c] Slightly more clean deactivation of dhgex-sha256 on old
1569 - (djm) OpenBSD CVS Sync:
1570 - msf@cvs.openbsd.org 2006/02/06 15:54:07
1574 - jmc@cvs.openbsd.org 2006/02/06 21:44:47
1576 make this a little less ambiguous...
1577 - stevesk@cvs.openbsd.org 2006/02/07 01:08:04
1578 [auth-rhosts.c includes.h]
1579 move #include <netgroup.h> out of includes.h; ok markus@
1580 - stevesk@cvs.openbsd.org 2006/02/07 01:18:09
1581 [includes.h ssh-agent.c ssh-keyscan.c sshconnect2.c]
1582 move #include <sys/queue.h> out of includes.h; ok markus@
1583 - stevesk@cvs.openbsd.org 2006/02/07 01:42:00
1584 [channels.c clientloop.c clientloop.h includes.h packet.h]
1585 [serverloop.c sshpty.c sshpty.h sshtty.c ttymodes.c]
1586 move #include <termios.h> out of includes.h; ok markus@
1587 - stevesk@cvs.openbsd.org 2006/02/07 01:52:50
1590 - stevesk@cvs.openbsd.org 2006/02/07 03:47:05
1592 "packet.h" not needed
1593 - stevesk@cvs.openbsd.org 2006/02/07 03:59:20
1596 - stevesk@cvs.openbsd.org 2006/02/08 12:15:27
1597 [auth.c clientloop.c includes.h misc.c monitor.c readpass.c]
1598 [session.c sftp.c ssh-agent.c ssh-keysign.c ssh.c sshconnect.c]
1600 move #include <paths.h> out of includes.h; ok markus@
1601 - stevesk@cvs.openbsd.org 2006/02/08 12:32:49
1603 move #include <netinet/tcp.h> out of includes.h; ok markus@
1604 - stevesk@cvs.openbsd.org 2006/02/08 13:15:44
1605 [gss-serv.c monitor.c]
1607 - stevesk@cvs.openbsd.org 2006/02/08 14:16:59
1609 <openssl/bn.h> not needed
1610 - stevesk@cvs.openbsd.org 2006/02/08 14:31:30
1611 [includes.h ssh-agent.c ssh-keyscan.c ssh.c]
1612 move #include <sys/resource.h> out of includes.h; ok markus@
1613 - stevesk@cvs.openbsd.org 2006/02/08 14:38:18
1614 [includes.h packet.c]
1615 move #include <netinet/in_systm.h> and <netinet/ip.h> out of
1616 includes.h; ok markus@
1617 - stevesk@cvs.openbsd.org 2006/02/08 23:51:24
1618 [includes.h scp.c sftp-glob.c sftp-server.c]
1619 move #include <dirent.h> out of includes.h; ok markus@
1620 - stevesk@cvs.openbsd.org 2006/02/09 00:32:07
1622 #include <sys/endian.h> not needed; ok djm@
1623 NB. ID Sync only - we still need this (but it may move later)
1624 - jmc@cvs.openbsd.org 2006/02/09 10:10:47
1626 - move some text into a CAVEATS section
1627 - merge the COMMAND EXECUTION... section into AUTHENTICATION
1628 - stevesk@cvs.openbsd.org 2006/02/10 00:27:13
1629 [channels.c clientloop.c includes.h misc.c progressmeter.c sftp.c]
1630 [ssh.c sshd.c sshpty.c]
1631 move #include <sys/ioctl.h> out of includes.h; ok markus@
1632 - stevesk@cvs.openbsd.org 2006/02/10 01:44:27
1633 [includes.h monitor.c readpass.c scp.c serverloop.c session.c]
1634 [sftp.c sshconnect.c sshconnect2.c sshd.c]
1635 move #include <sys/wait.h> out of includes.h; ok markus@
1636 - otto@cvs.openbsd.org 2006/02/11 19:31:18
1638 type correctness; from Ray Lai in PR 5011; ok millert@
1639 - djm@cvs.openbsd.org 2006/02/12 06:45:34
1640 [ssh.c ssh_config.5]
1641 add a %l expansion code to the ControlPath, which is filled in with the
1642 local hostname at runtime. Requested by henning@ to avoid some problems
1643 with /home on NFS; ok dtucker@
1644 - djm@cvs.openbsd.org 2006/02/12 10:44:18
1646 raise error when the user specifies a RekeyLimit that is smaller than 16
1647 (the smallest of our cipher's blocksize) or big enough to cause integer
1648 wraparound; ok & feedback dtucker@
1649 - jmc@cvs.openbsd.org 2006/02/12 10:49:44
1651 slight rewording; ok djm
1652 - jmc@cvs.openbsd.org 2006/02/12 10:52:41
1654 rework the description of authorized_keys a little;
1655 - jmc@cvs.openbsd.org 2006/02/12 17:57:19
1657 sort the list of options permissible w/ authorized_keys;
1659 - jmc@cvs.openbsd.org 2006/02/13 10:16:39
1661 no need to subsection the authorized_keys examples - instead, convert
1662 this to look like an actual file. also use proto 2 keys, and use IETF
1664 - jmc@cvs.openbsd.org 2006/02/13 10:21:25
1666 small tweaks for the ssh_known_hosts section;
1667 - jmc@cvs.openbsd.org 2006/02/13 11:02:26
1669 turn this into an example ssh_known_hosts file; ok djm
1670 - jmc@cvs.openbsd.org 2006/02/13 11:08:43
1672 - avoid nasty line split
1673 - `*' does not need to be escaped
1674 - jmc@cvs.openbsd.org 2006/02/13 11:27:25
1676 sort FILES and use a -compact list;
1677 - david@cvs.openbsd.org 2006/02/15 05:08:24
1679 typo in comment; ok djm@
1680 - jmc@cvs.openbsd.org 2006/02/15 16:53:20
1682 remove the IETF draft references and replace them with some updated RFCs;
1683 - jmc@cvs.openbsd.org 2006/02/15 16:55:33
1685 remove ietf draft references; RFC list now maintained in ssh.1;
1686 - jmc@cvs.openbsd.org 2006/02/16 09:05:34
1688 sync some of the FILES entries w/ ssh.1;
1689 - jmc@cvs.openbsd.org 2006/02/19 19:52:10
1691 move the sshrc stuff out of FILES, and into its own section:
1692 FILES is not a good place to document how stuff works;
1693 - jmc@cvs.openbsd.org 2006/02/19 20:02:17
1695 sync the (s)hosts.equiv FILES entries w/ those from ssh.1;
1696 - jmc@cvs.openbsd.org 2006/02/19 20:05:00
1699 - jmc@cvs.openbsd.org 2006/02/19 20:12:25
1701 add some vertical space;
1702 - stevesk@cvs.openbsd.org 2006/02/20 16:36:15
1703 [authfd.c channels.c includes.h session.c ssh-agent.c ssh.c]
1704 move #include <sys/un.h> out of includes.h; ok djm@
1705 - stevesk@cvs.openbsd.org 2006/02/20 17:02:44
1706 [clientloop.c includes.h monitor.c progressmeter.c scp.c]
1707 [serverloop.c session.c sftp.c ssh-agent.c ssh.c sshd.c]
1708 move #include <signal.h> out of includes.h; ok markus@
1709 - stevesk@cvs.openbsd.org 2006/02/20 17:19:54
1710 [auth-rhosts.c auth-rsa.c auth.c auth2-none.c auth2-pubkey.c]
1711 [authfile.c clientloop.c includes.h readconf.c scp.c session.c]
1712 [sftp-client.c sftp-common.c sftp-common.h sftp-glob.c]
1713 [sftp-server.c sftp.c ssh-add.c ssh-keygen.c ssh.c sshconnect.c]
1714 [sshconnect2.c sshd.c sshpty.c]
1715 move #include <sys/stat.h> out of includes.h; ok markus@
1716 - stevesk@cvs.openbsd.org 2006/02/22 00:04:45
1717 [canohost.c clientloop.c includes.h match.c readconf.c scp.c ssh.c]
1719 move #include <ctype.h> out of includes.h; ok djm@
1720 - jmc@cvs.openbsd.org 2006/02/24 10:25:14
1722 add section on patterns;
1723 from dtucker + myself
1724 - jmc@cvs.openbsd.org 2006/02/24 10:33:54
1726 signpost to PATTERNS;
1727 - jmc@cvs.openbsd.org 2006/02/24 10:37:07
1729 tidy up the refs to PATTERNS;
1730 - jmc@cvs.openbsd.org 2006/02/24 10:39:52
1732 signpost to PATTERNS section;
1733 - jmc@cvs.openbsd.org 2006/02/24 20:22:16
1734 [ssh-keysign.8 ssh_config.5 sshd_config.5]
1735 some consistency fixes;
1736 - jmc@cvs.openbsd.org 2006/02/24 20:31:31
1737 [ssh.1 ssh_config.5 sshd.8 sshd_config.5]
1738 more consistency fixes;
1739 - jmc@cvs.openbsd.org 2006/02/24 23:20:07
1741 some grammar/wording fixes;
1742 - jmc@cvs.openbsd.org 2006/02/24 23:43:57
1744 some grammar/wording fixes;
1745 - jmc@cvs.openbsd.org 2006/02/24 23:51:17
1747 oops - bits i missed;
1748 - jmc@cvs.openbsd.org 2006/02/25 12:26:17
1750 document the possible values for KbdInteractiveDevices;
1752 - jmc@cvs.openbsd.org 2006/02/25 12:28:34
1754 document the order in which allow/deny directives are processed;
1756 - jmc@cvs.openbsd.org 2006/02/26 17:17:18
1758 move PATTERNS to the end of the main body; requested by dtucker
1759 - jmc@cvs.openbsd.org 2006/02/26 18:01:13
1761 subsection is pointless here;
1762 - jmc@cvs.openbsd.org 2006/02/26 18:03:10
1765 - djm@cvs.openbsd.org 2006/02/28 01:10:21
1767 fix logout recording when privilege separation is disabled, analysis and
1768 patch from vinschen at redhat.com; tested by dtucker@ ok deraadt@
1769 NB. ID sync only - patch already in portable
1770 - djm@cvs.openbsd.org 2006/03/04 04:12:58
1772 move a debug() outside of a signal handler; ok markus@ a little while back
1773 - djm@cvs.openbsd.org 2006/03/12 04:23:07
1776 - djm@cvs.openbsd.org 2006/03/13 08:16:00
1778 don't log that we are listening on a socket before the listen() call
1779 actually succeeds, bz #1162 reported by Senthil Kumar; ok dtucker@
1780 - dtucker@cvs.openbsd.org 2006/03/13 08:33:00
1782 Set TCP_NODELAY for all connections not just "interactive" ones. Fixes
1783 poor performance and protocol stalls under some network conditions (mindrot
1784 bugs #556 and #981). Patch originally from markus@, ok djm@
1785 - dtucker@cvs.openbsd.org 2006/03/13 08:43:16
1787 Make ssh-keygen handle CR and CRLF line termination when converting IETF
1788 format keys, in addition to vanilla LF. mindrot #1157, tested by Chris
1790 - dtucker@cvs.openbsd.org 2006/03/13 10:14:29
1791 [misc.c ssh_config.5 sshd_config.5]
1792 Allow config directives to contain whitespace by surrounding them by double
1793 quotes. mindrot #482, man page help from jmc@, ok djm@
1794 - dtucker@cvs.openbsd.org 2006/03/13 10:26:52
1795 [authfile.c authfile.h ssh-add.c]
1796 Make ssh-add check file permissions before attempting to load private
1797 key files multiple times; it will fail anyway and this prevents confusing
1798 multiple prompts and warnings. mindrot #1138, ok djm@
1799 - djm@cvs.openbsd.org 2006/03/14 00:15:39
1801 log the originating address and not just the name when a reverse
1802 mapping check fails, requested by linux AT linuon.com
1803 - markus@cvs.openbsd.org 2006/03/14 16:32:48
1804 [ssh_config.5 sshd_config.5]
1805 *AliveCountMax applies to protocol v2 only; ok dtucker, djm
1806 - djm@cvs.openbsd.org 2006/03/07 09:07:40
1807 [kex.c kex.h monitor.c myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
1808 Implement the diffie-hellman-group-exchange-sha256 key exchange method
1809 using the SHA256 code in libc (and wrapper to make it into an OpenSSL
1810 EVP), interop tested against CVS PuTTY
1811 NB. no portability bits committed yet
1812 - (djm) [configure.ac defines.h kex.c md-sha256.c]
1813 [openbsd-compat/sha2.h openbsd-compat/openbsd-compat.h]
1814 [openbsd-compat/sha2.c] First stab at portability glue for SHA256
1815 KEX support, should work with libc SHA256 support or OpenSSL
1816 EVP_sha256 if present
1817 - (djm) [includes.h] Restore accidentally dropped netinet/in.h
1818 - (djm) [Makefile.in openbsd-compat/Makefile.in] Add added files
1819 - (djm) [md-sha256.c configure.ac] md-sha256.c needs sha2.h if present
1820 - (djm) [regress/.cvsignore] Ignore Makefile here
1821 - (djm) [loginrec.c] Need stat.h
1822 - (djm) [openbsd-compat/sha2.h] Avoid include macro clash with
1824 - (djm) [ssh-rand-helper.c] Needs a bunch of headers
1825 - (djm) [ssh-agent.c] Restore dropped stat.h
1826 - (djm) [openbsd-compat/sha2.h openbsd-compat/sha2.c] Comment out
1827 SHA384, which we don't need and doesn't compile without tweaks
1828 - (djm) [auth-pam.c clientloop.c includes.h monitor.c session.c]
1829 [sftp-client.c ssh-keysign.c ssh.c sshconnect.c sshconnect2.c]
1830 [sshd.c openbsd-compat/bsd-misc.c openbsd-compat/bsd-openpty.c]
1831 [openbsd-compat/glob.c openbsd-compat/mktemp.c]
1832 [openbsd-compat/readpassphrase.c] Lots of include fixes for
1834 - (tim) [includes.h] put sys/stat.h back in to quiet some "macro redefined:"
1835 - (tim) [openssh/sshpty.c openssh/openbsd-compat/port-tun.c] put in some
1836 includes removed from includes.h
1837 - (dtucker) [configure.ac] Fix glob test conversion to AC_TRY_COMPILE
1838 - (djm) [includes.h] Put back paths.h, it is needed in defines.h
1839 - (dtucker) [openbsd-compat/openbsd-compat.h] AIX (at least) needs
1840 sys/ioctl.h for struct winsize.
1841 - (dtucker) [configure.ac] login_cap.h requires sys/types.h on NetBSD.
1844 - (dtucker) [configure.ac] Bug #1171: Don't use printf("%lld", longlong)
1845 since not all platforms support it. Instead, use internal equivalent while
1846 computing LLONG_MIN and LLONG_MAX. Remove special case for alpha-dec-osf*
1847 as it's no longer required. Tested by Bernhard Simon, ok djm@
1850 - (dtucker) [contrib/cygwin/ssh-host-config] Require use of lastlog as a
1851 file rather than directory, required as Cygwin will be importing lastlog(1).
1852 Also tightens up permissions on the file. Patch from vinschen@redhat.com.
1853 - (dtucker) [gss-serv-krb5.c] Bug #1166: Correct #ifdefs for gssapi_krb5.h
1854 includes. Patch from gentoo.riverrat at gmail.com.
1857 - (dtucker) [configure.ac] Bug #1156: QNX apparently needs SSHD_ACQUIRES_CTTY
1858 patch from kraai at ftbfs.org.
1861 - (dtucker) [sshd_config sshd_config.5] Update UsePAM to reflect current
1862 reality. Pointed out by tryponraj at gmail.com.
1865 - (dtucker) [openbsd-compat/openssl-compat.{c,h}] Minor tidy up: only
1866 compile in compat code if required.
1869 - (dtucker) [openbsd-compat/openssl-compat.h] Prevent warning about
1870 redefinition of SSLeay_add_all_algorithms.
1873 - (dtucker) [INSTALL configure.ac openbsd-compat/openssl-compat.{c,h}]
1874 Add optional enabling of OpenSSL's (hardware) Engine support, via
1875 configure --with-ssl-engine. Based in part on a diff by michal at
1879 - (dtucker) [Makefile.in configure.ac, added openbsd-compat/regress/]
1880 Add first attempt at regress tests for compat library. ok djm@
1883 - (tim) [buildpkg.sh.in] Make the names consistent.
1884 s/pkg_post_make_install_fixes.sh/pkg-post-make-install-fixes.sh/ OK dtucker@
1887 - (dtucker) [openbsd-compat/bsd-cygwin_util.c] Make loop counter unsigned
1888 to silence compiler warning, from vinschen at redhat.com.
1889 - (tim) [configure.ac] Bug #1149. Disable /etc/default/login check for QNX.
1890 - (dtucker) [README version.h contrib/caldera/openssh.spec
1891 contrib/redhat/openssh.spec contrib/suse/openssh.spec] Bump version
1892 strings to match 4.3p2 release.
1895 - (tim) [session.c] Logout records were not updated on systems with
1896 post auth privsep disabled due to bug 1086 changes. Analysis and patch
1897 by vinschen at redhat.com. OK tim@, dtucker@.
1898 - (dtucker) [configure.ac] Typo in Ultrix and NewsOS sections (NEED_SETPRGP
1899 -> NEED_SETPGRP), reported by Bernhard Simon. ok tim@
1902 - (tim) [configure.ac] Remove unnecessary tests for net/if.h and
1903 netinet/in_systm.h. OK dtucker@.
1906 - (tim) [configure.ac] Add AC_REVISION. Add sys/time.h to lastlog.h test
1907 for Solaris. OK dtucker@.
1908 - (tim) [configure.ac] Bug #1149. Changes in QNX section only. Patch by
1912 - (tim) [configure.ac] test for egrep (AC_PROG_EGREP) before first
1913 AC_CHECK_HEADERS test. Without it, if AC_CHECK_HEADERS is first run
1914 by a platform specific check, builtin standard includes tests will be
1915 skipped on the other platforms.
1916 Analysis and suggestion by vinschen at redhat.com, patch by dtucker@.
1920 - (dtucker) [configure.ac] Bug #1148: Fix "crippled AES" test so that it
1921 works with picky compilers. Patch from alex.kiernan at thus.net.
1924 - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to
1925 determine the user's login name - needed for regress tests on Solaris
1927 - (djm) OpenBSD CVS Sync
1928 - jmc@cvs.openbsd.org 2006/02/01 09:06:50
1930 - merge sections on protocols 1 and 2 into a single section
1931 - remove configuration file section
1933 - jmc@cvs.openbsd.org 2006/02/01 09:11:41
1936 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
1937 [contrib/suse/openssh.spec] Update versions ahead of release
1938 - markus@cvs.openbsd.org 2006/02/01 11:27:22
1941 - (djm) Release OpenSSH 4.3p1
1944 - (djm) OpenBSD CVS Sync
1945 - jmc@cvs.openbsd.org 2006/01/20 11:21:45
1947 - word change, agreed w/ markus
1949 - jmc@cvs.openbsd.org 2006/01/25 09:04:34
1951 move the options description up the page, and a few additional tweaks
1954 - jmc@cvs.openbsd.org 2006/01/25 09:07:22
1956 move subsections to full sections;
1957 - jmc@cvs.openbsd.org 2006/01/26 08:47:56
1959 add a section on verifying host keys in dns;
1960 written with a lot of help from jakob;
1961 feedback dtucker/markus;
1963 - reyk@cvs.openbsd.org 2006/01/30 12:22:22
1965 mark channel as write failed or dead instead of read failed on error
1966 of the channel output filter.
1968 - jmc@cvs.openbsd.org 2006/01/30 13:37:49
1970 remove an incorrect sentence;
1971 reported by roumen petrov;
1973 - djm@cvs.openbsd.org 2006/01/31 10:19:02
1974 [misc.c misc.h scp.c sftp.c]
1975 fix local arbitrary command execution vulnerability on local/local and
1976 remote/remote copies (CVE-2006-0225, bz #1094), patch by
1977 t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
1978 - djm@cvs.openbsd.org 2006/01/31 10:35:43
1980 "scp a b c" shouldn't clobber "c" when it is not a directory, report and
1981 fix from biorn@; ok markus@
1982 - (djm) Sync regress tests to OpenBSD:
1983 - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
1984 [regress/forwarding.sh]
1985 Regress test for ClearAllForwardings (bz #994); ok markus@
1986 - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
1987 [regress/multiplex.sh]
1988 Don't call cleanup in multiplex as test-exec will cleanup anyway
1989 found by tim@, ok djm@
1990 NB. ID sync only, we already had this
1991 - djm@cvs.openbsd.org 2005/05/20 23:14:15
1992 [regress/test-exec.sh]
1993 force addressfamily=inet for tests, unbreaking dynamic-forward regress for
1994 recently committed nc SOCKS5 changes
1995 - djm@cvs.openbsd.org 2005/05/24 04:10:54
1996 [regress/try-ciphers.sh]
1997 oops, new arcfour modes here too
1998 - markus@cvs.openbsd.org 2005/06/30 11:02:37
2000 allow SUDO=sudo; from Alexander Bluhm
2001 - grunk@cvs.openbsd.org 2005/11/14 21:25:56
2002 [regress/agent-getpeereid.sh]
2003 all other scripts in this dir use $SUDO, not 'sudo', so pull this even
2005 - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
2006 [regress/scp-ssh-wrapper.sh]
2007 Fix assumption about how many args scp will pass; ok djm@
2008 NB. ID sync only, we already had this
2009 - djm@cvs.openbsd.org 2006/01/27 06:49:21
2011 regress test for local to local scp copies; ok dtucker@
2012 - djm@cvs.openbsd.org 2006/01/31 10:23:23
2014 regression test for CVE-2006-0225 written by dtucker@
2015 - djm@cvs.openbsd.org 2006/01/31 10:36:33
2017 regress test for "scp a b c" where "c" is not a directory
2020 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
2021 opensshd.init script interpreter if /sbin/sh does not exist. ok tim@
2024 - (dtucker) OpenBSD CVS Sync
2025 - jmc@cvs.openbsd.org 2006/01/15 17:37:05
2027 correction from deraadt
2028 - jmc@cvs.openbsd.org 2006/01/18 10:53:29
2030 add a section on ssh-based vpn, based on reyk's README.tun;
2031 - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
2032 [scp.1 ssh.1 ssh_config.5 sftp.1]
2033 Document RekeyLimit. Based on patch from jan.iven at cern.ch from mindrot
2034 #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
2037 - (djm) OpenBSD CVS Sync
2038 - jmc@cvs.openbsd.org 2006/01/06 13:27:32
2040 weed out some duplicate info in the known_hosts FILES entries;
2042 - jmc@cvs.openbsd.org 2006/01/06 13:29:10
2044 final round of whacking FILES for duplicate info, and some consistency
2047 - jmc@cvs.openbsd.org 2006/01/12 14:44:12
2049 split sections on tcp and x11 forwarding into two sections.
2050 add an example in the tcp section, based on sth i wrote for ssh faq;
2051 help + ok: djm markus dtucker
2052 - jmc@cvs.openbsd.org 2006/01/12 18:48:48
2054 refer to `TCP' rather than `TCP/IP' in the context of connection
2057 - jmc@cvs.openbsd.org 2006/01/12 22:20:00
2059 refer to TCP forwarding, rather than TCP/IP forwarding;
2060 - jmc@cvs.openbsd.org 2006/01/12 22:26:02
2062 refer to TCP forwarding, rather than TCP/IP forwarding;
2063 - jmc@cvs.openbsd.org 2006/01/12 22:34:12
2065 back out a sentence - AUTHENTICATION already documents this;
2068 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
2069 tcpip service so it's always started after IP is up. Patch from
2070 vinschen at redhat.com.
2073 - (djm) OpenBSD CVS Sync
2074 - jmc@cvs.openbsd.org 2006/01/03 16:31:10
2076 move FILES to a -compact list, and make each file an item in that list.
2077 this avoids nasty line wrap when we have long pathnames, and treats
2078 each file as a separate item;
2079 remove the .Pa too, since it is useless.
2080 - jmc@cvs.openbsd.org 2006/01/03 16:35:30
2082 use a larger width for the ENVIRONMENT list;
2083 - jmc@cvs.openbsd.org 2006/01/03 16:52:36
2085 put FILES in some sort of order: sort by pathname
2086 - jmc@cvs.openbsd.org 2006/01/03 16:55:18
2088 tweak the description of ~/.ssh/environment
2089 - jmc@cvs.openbsd.org 2006/01/04 18:42:46
2091 chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
2094 - jmc@cvs.openbsd.org 2006/01/04 18:45:01
2096 remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
2097 - jmc@cvs.openbsd.org 2006/01/04 19:40:24
2099 +.Xr ssh-keyscan 1 ,
2100 - jmc@cvs.openbsd.org 2006/01/04 19:50:09
2103 - djm@cvs.openbsd.org 2006/01/05 23:43:53
2105 check that stdio file descriptors are actually closed before clobbering
2106 them in sanitise_stdfd(). problems occurred when a lower numbered fd was
2107 closed, but higher ones weren't. spotted by, and patch tested by
2111 - (djm) [channels.c] clean up harmless merge error, from reyk@
2114 - (djm) OpenBSD CVS Sync
2115 - jmc@cvs.openbsd.org 2006/01/02 17:09:49
2116 [ssh_config.5 sshd_config.5]
2117 some corrections from michael knudsen;
2120 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
2121 - (djm) OpenBSD CVS Sync
2122 - jmc@cvs.openbsd.org 2005/12/31 10:46:17
2124 merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
2125 AUTHENTICATION" sections into "AUTHENTICATION";
2126 some rewording done to make the text read better, plus some
2127 improvements from djm;
2129 - jmc@cvs.openbsd.org 2005/12/31 13:44:04
2131 clean up ENVIRONMENT a little;
2132 - jmc@cvs.openbsd.org 2005/12/31 13:45:19
2134 .Nm does not require an argument;
2135 - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
2137 move <net/if.h>; ok djm@
2138 - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
2140 no trailing "\n" for debug()
2141 - djm@cvs.openbsd.org 2006/01/02 01:20:31
2142 [sftp-client.c sftp-common.h sftp-server.c]
2143 use a common max. packet length, no binary change
2144 - reyk@cvs.openbsd.org 2006/01/02 07:53:44
2146 clarify tun(4) opening - set the mode and bring the interface up. also
2147 (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
2148 suggested and ok by djm@
2149 - jmc@cvs.openbsd.org 2006/01/02 12:31:06
2151 start to cut some duplicate info from FILES;
2155 - (djm) [Makefile.in configure.ac includes.h misc.c]
2156 [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
2157 for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
2158 limited to IPv4 tunnels only, and most versions don't support the
2159 tap(4) device at all.
2160 - (djm) [configure.ac] Fix linux/if_tun.h test
2161 - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
2164 - (djm) OpenBSD CVS Sync
2165 - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
2166 [canohost.c channels.c clientloop.c]
2167 use 'break-in' for consistency; ok deraadt@ ok and input jmc@
2168 - reyk@cvs.openbsd.org 2005/12/30 15:56:37
2169 [channels.c channels.h clientloop.c]
2170 add channel output filter interface.
2171 ok djm@, suggested by markus@
2172 - jmc@cvs.openbsd.org 2005/12/30 16:59:00
2174 do not suggest that interactive authentication will work
2176 based on a diff from john l. scarfone;
2178 - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
2180 document -MM; ok djm@
2181 - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
2182 [serverloop.c ssh.c openbsd-compat/Makefile.in]
2183 [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding
2184 compatibility support for Linux, diff from reyk@
2185 - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
2187 - (djm) [configure.ac] oops, make that linux/if_tun.h
2190 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
2193 - (djm) OpenBSD CVS Sync
2194 - jmc@cvs.openbsd.org 2005/12/20 21:59:43
2196 merge the sections on protocols 1 and 2 into one section on
2198 feedback djm dtucker
2199 ok deraadt markus dtucker
2200 - jmc@cvs.openbsd.org 2005/12/20 22:02:50
2202 .Ss -> .Sh: subsections have not made this page more readable
2203 - jmc@cvs.openbsd.org 2005/12/20 22:09:41
2205 move info on ssh return values and config files up into the main
2207 - jmc@cvs.openbsd.org 2005/12/21 11:48:16
2209 -L and -R descriptions are now above, not below, ~C description;
2210 - jmc@cvs.openbsd.org 2005/12/21 11:57:25
2212 options now described `above', rather than `later';
2213 - jmc@cvs.openbsd.org 2005/12/21 12:53:31
2215 -Y does X11 forwarding too;
2217 - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
2219 clarify precedence of -p, Port, ListenAddress; ok and help jmc@
2220 - jmc@cvs.openbsd.org 2005/12/22 10:31:40
2222 put the description of "UsePrivilegedPort" in the correct place;
2223 - jmc@cvs.openbsd.org 2005/12/22 11:23:42
2225 expand the description of -w somewhat;
2227 - jmc@cvs.openbsd.org 2005/12/23 14:55:53
2229 - sync the description of -e w/ synopsis
2230 - simplify the description of -I
2231 - note that -I is only available if support compiled in, and that it
2234 - jmc@cvs.openbsd.org 2005/12/23 23:46:23
2236 less mark up for -c;
2237 - djm@cvs.openbsd.org 2005/12/24 02:27:41
2239 eliminate some code duplicated in privsep and non-privsep paths, and
2240 explicitly clear SIGALRM handler; "groovy" deraadt@
2243 - (dtucker) OpenBSD CVS Sync
2244 - reyk@cvs.openbsd.org 2005/12/13 15:03:02
2246 if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
2247 - jmc@cvs.openbsd.org 2005/12/16 18:07:08
2249 move the option descriptions up the page: start of a restructure;
2251 - jmc@cvs.openbsd.org 2005/12/16 18:08:53
2253 simplify a sentence;
2254 - jmc@cvs.openbsd.org 2005/12/16 18:12:22
2256 make the description of -c a little nicer;
2257 - jmc@cvs.openbsd.org 2005/12/16 18:14:40
2259 signpost the protocol sections;
2260 - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
2261 [ssh_config.5 session.c]
2262 spelling: fowarding, fowarded
2263 - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
2265 spelling: intented -> intended
2266 - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
2268 exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
2271 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
2272 openbsd-compat/openssl-compat.h] Check for and work around broken AES
2273 ciphers >128bit on (some) Solaris 10 systems. ok djm@
2276 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
2277 scp.c also uses, so undef them here.
2278 - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
2279 snprintf replacement can have a conflicting declaration in HP-UX's system
2280 headers (const vs. no const) so we now check for and work around it. Patch
2281 from the dynamic duo of David Leonard and Ted Percival.
2284 - (dtucker) OpenBSD CVS Sync (regress/)
2285 - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
2286 [regress/scp-ssh-wrapper.sh]
2287 Fix assumption about how many args scp will pass; ok djm@
2290 - (djm) OpenBSD CVS Sync
2291 - jmc@cvs.openbsd.org 2005/11/30 11:18:27
2293 timezone -> time zone
2294 - jmc@cvs.openbsd.org 2005/11/30 11:45:20
2296 avoid ambiguities in describing TZ;
2298 - reyk@cvs.openbsd.org 2005/12/06 22:38:28
2299 [auth-options.c auth-options.h channels.c channels.h clientloop.c]
2300 [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
2301 [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
2302 [sshconnect.h sshd.8 sshd_config sshd_config.5]
2303 Add support for tun(4) forwarding over OpenSSH, based on an idea and
2304 initial channel code bits by markus@. This is a simple and easy way to
2305 use OpenSSH for ad hoc virtual private network connections, e.g.
2306 administrative tunnels or secure wireless access. It's based on a new
2307 ssh channel and works similarly to the existing TCP forwarding support,
2308 except that it depends on the tun(4) network interface on both ends of
2309 the connection for layer 2 or layer 3 tunneling. This diff also adds
2310 support for LocalCommand in the ssh(1) client.
2311 ok djm@, markus@, jmc@ (manpages), tested and discussed with others
2312 - djm@cvs.openbsd.org 2005/12/07 03:52:22
2314 reyk forgot to compile with -Werror (missing header)
2315 - jmc@cvs.openbsd.org 2005/12/07 10:52:13
2317 - avoid line split in SYNOPSIS
2319 - kill trailing whitespace
2320 - jmc@cvs.openbsd.org 2005/12/08 14:59:44
2321 [ssh.1 ssh_config.5]
2322 make `!command' a little clearer;
2324 - jmc@cvs.openbsd.org 2005/12/08 15:06:29
2326 keep options in order;
2327 - reyk@cvs.openbsd.org 2005/12/08 18:34:11
2328 [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
2329 [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
2330 two changes to the new ssh tunnel support. this breaks compatibility
2331 with the initial commit but is required for a portable approach.
2332 - make the tunnel id u_int and platform friendly, use predefined types.
2333 - support configuration of layer 2 (ethernet) or layer 3
2334 (point-to-point, default) modes. configuration is done using the
2335 Tunnel (yes|point-to-point|ethernet|no) option in ssh_config(5) and
2336 restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
2338 ok djm@, man page bits by jmc@
2339 - jmc@cvs.openbsd.org 2005/12/08 21:37:50
2341 new sentence, new line;
2342 - markus@cvs.openbsd.org 2005/12/12 13:46:18
2343 [channels.c channels.h session.c]
2344 make sure protocol messages for internal channels are ignored.
2345 allow adjust messages for non-open channels; with and ok djm@
2346 - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
2347 again by providing a sys_tun_open() function for your platform and
2348 setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match
2349 OpenBSD's tunnel protocol, which prepends the address family to the
2353 - (djm) [envpass.sh] Remove regress script that was accidentally committed
2354 in top level directory and not noticed for over a year :)
2357 - (tim) [ssh-keygen.c] Move DSA length test after setting default when
2359 - (dtucker) OpenBSD CVS Sync
2360 - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
2362 Populate default key sizes before checking them; from & ok tim@
2363 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
2367 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
2368 versions of GNU head. Based on patch from zappaman at buraphalinux.org
2369 - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
2370 _GNU_SOURCE instead. Patch from t8m at centrum.cz.
2371 - (dtucker) OpenBSD CVS Sync
2372 - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
2373 [ssh-keygen.1 ssh-keygen.c]
2374 Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
2375 increase minimum RSA key size to 768 bits and update man page to reflect
2376 these. Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
2377 ok djm@, grudging ok deraadt@.
2378 - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
2380 Update agent socket path templates to reflect reality, correct xref for
2381 time formats. bz#1121, patch from openssh at roumenpetrov.info, ok djm@
2384 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
2385 when they're available) need the real UID set otherwise pam_chauthtok will
2386 set ADMCHG after changing the password, forcing the user to change it
2390 - (dtucker) [configure.ac] Apply tim's fix for older systems where the
2391 resolver state in resolv.h is "state" not "__res_state". With slight
2392 modification by me to also work on old AIXes. ok djm@
2393 - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
2394 snprintf formats, fixes warnings on some 64 bit platforms. Patch from
2395 shaw at vranix.com, ok djm@
2398 - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c
2399 openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an
2400 asprintf() implementation, after syncing our {v,}snprintf() implementation
2401 with some extra fixes from Samba's version. With help and debugging from
2402 dtucker and tim; ok dtucker@
2403 - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
2404 order in Reliant Unix block. Patch from johane at lysator.liu.se.
2405 - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
2406 many and use them only once. Speeds up testing on older/slower hardware.
2409 - (dtucker) OpenBSD CVS Sync
2410 - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
2413 - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
2415 avoid close(-1), as in rcp; ok cloder
2416 - millert@cvs.openbsd.org 2005/11/15 11:59:54
2418 Include sys/queue.h explicitly instead of assuming some other header
2419 will pull it in. At the moment it gets pulled in by sys/select.h
2420 (which ssh has no business including) via event.h. OK markus@
2421 (ID sync only in -portable)
2422 - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
2424 Perform Kerberos calls even for invalid users to prevent leaking
2425 information about account validity. bz #975, patch originally from
2426 Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
2428 - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
2430 Correct format/arguments to debug call; spotted by shaw at vranix.com
2432 - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
2433 from shaw at vranix.com.
2436 - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
2440 - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
2441 ifdef lost during sync. Spotted by tim@.
2442 - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
2443 - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
2444 - (dtucker) [configure.ac] Remove duplicate utimes() check. ok djm@
2445 - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
2446 test: if sshd takes too long to reconfigure the subsequent connection will
2447 fail. Zap pidfile before HUPing sshd which will rewrite it when it's ready.
2450 - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
2451 OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
2453 - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
2454 unnecessary prototype.
2455 - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
2457 - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
2459 - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
2460 since they're not useful right now. Patch from djm@.
2461 - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
2462 prototypes, removal of "register").
2463 - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
2465 - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
2466 after the copyright notices. Having them at the top next to the CVSIDs
2467 guarantees a conflict for each and every sync.
2468 - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
2469 - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
2470 - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
2471 Removal of rcsid, "whiteout" inode type.
2472 - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
2473 Removal of rcsid, will no longer strlcpy parts of the string.
2474 - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
2475 - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
2476 - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
2477 - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
2478 - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
2479 - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
2480 - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
2481 - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
2482 with OpenBSD code since we don't support platforms without fstat any more.
2483 - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
2484 - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
2485 - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
2486 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
2487 - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
2488 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
2489 - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
2490 - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
2491 - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
2492 - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
2493 - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
2494 Id and copyright sync only, there were no substantial changes we need.
2495 - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
2496 -Wsign-compare fixes from djm.
2497 - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
2498 Id and copyright sync only, there were no substantial changes we need.
2499 - (dtucker) [configure.ac] Try to get the gcc version number in a way that
2500 doesn't change between versions, and use a safer default.
2503 - (djm) OpenBSD CVS Sync
2504 - markus@cvs.openbsd.org 2005/10/07 11:13:57
2506 change DSA default back to 1024, as it's defined for 1024 bits only
2507 and this causes interop problems with other clients. moreover,
2508 in order to improve the security of DSA you need to change more
2509 components of DSA key generation (e.g. the internal SHA1 hash);
2511 - djm@cvs.openbsd.org 2005/10/10 10:23:08
2512 [channels.c channels.h clientloop.c serverloop.c session.c]
2513 fix regression I introduced in 4.2: X11 forwardings initiated after
2514 a session has exited (e.g. "(sleep 5; xterm) &") would not start.
2515 bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
2516 - djm@cvs.openbsd.org 2005/10/11 23:37:37
2518 bz #1076 set SO_REUSEADDR on X11 forwarding listener sockets, preventing
2519 bind() failure when a previous connection's listeners are in TIME_WAIT,
2520 reported by plattner AT inf.ethz.ch; ok dtucker@
2521 - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
2522 [auth2-gss.c gss-genr.c gss-serv.c]
2523 remove unneeded #includes; ok markus@
2524 - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
2526 spelling in comments
2527 - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
2528 [gss-serv-krb5.c gss-serv.c]
2529 unused declarations; ok deraadt@
2530 (id sync only for gss-serv-krb5.c)
2531 - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
2533 unneeded #include, unused declaration, little knf; ok deraadt@
2534 - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
2535 [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
2537 - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
2538 [ssh-keygen.c ssh.c sshconnect2.c]
2539 no trailing "\n" for log functions; ok djm@
2540 - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
2541 [channels.c clientloop.c]
2542 free()->xfree(); ok djm@
2543 - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
2545 make external definition static; ok deraadt@
2546 - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
2548 fix memory leaks from 2 sources:
2549 1) key_fingerprint_raw()
2550 2) malloc in dns_read_rdata()
2552 - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
2554 remove #ifdef LWRES; ok jakob@
2555 - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
2557 more cleanups; ok jakob@
2558 - djm@cvs.openbsd.org 2005/10/30 01:23:19
2560 mention control socket fallback behaviour, reported by
2561 tryponraj AT gmail.com
2562 - djm@cvs.openbsd.org 2005/10/30 04:01:03
2564 make ssh-keygen discard junk from server before SSH- ident, spotted by
2565 dave AT cirt.net; ok dtucker@
2566 - djm@cvs.openbsd.org 2005/10/30 04:03:24
2568 fix misleading debug message; ok dtucker@
2569 - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
2571 Check for connections with IP options earlier and drop silently. ok djm@
2572 - jmc@cvs.openbsd.org 2005/10/30 08:43:47
2574 remove trailing whitespace;
2575 - djm@cvs.openbsd.org 2005/10/30 08:52:18
2576 [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
2577 [ssh.c sshconnect.c sshconnect1.c sshd.c]
2578 no need to escape single quotes in comments, no binary change
2579 - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
2581 Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
2582 - djm@cvs.openbsd.org 2005/10/31 11:12:49
2583 [ssh-keygen.1 ssh-keygen.c]
2584 generate a protocol 2 RSA key by default
2585 - djm@cvs.openbsd.org 2005/10/31 11:48:29
2587 make sure we clean up wtmp, etc. file when we receive a SIGTERM,
2588 SIGINT or SIGQUIT when running without privilege separation (the
2589 normal privsep case is already OK). Patch mainly by dtucker@ and
2590 senthilkumar_sen AT hotpop.com; ok dtucker@
2591 - jmc@cvs.openbsd.org 2005/10/31 19:55:25
2594 - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
2596 Cache reverse lookups with and without DNS separately; ok markus@
2597 - djm@cvs.openbsd.org 2005/11/04 05:15:59
2598 [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
2599 remove hardcoded hash lengths in key exchange code, allowing
2600 implementation of KEX methods with different hashes (e.g. SHA-256);
2601 ok markus@ dtucker@ stevesk@
2602 - djm@cvs.openbsd.org 2005/11/05 05:01:15
2604 Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
2605 cs.stanford.edu; ok dtucker@
2606 - (dtucker) [README.platform] Add PAM section.
2607 - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
2608 resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
2612 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
2613 Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
2617 - (djm) [contrib/suse/openssh.spec contrib/suse/rc.sshd
2618 contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init
2619 files from imorgan AT nas.nasa.gov
2620 - (dtucker) [session.c] Bug #1045: do not check /etc/nologin when PAM is
2621 enabled, instead allow PAM to handle it. Note that on platforms using PAM,
2622 the pam_nologin module should be added to sshd's session stack in order to
2623 maintain existing behaviour. Based on patch and discussion from t8m at
2627 - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
2628 sizeof(long long) checks, to make fixing bug #1104 easier (no changes
2630 - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
2631 understand "%lld", even though the compiler has "long long", so handle
2632 it as a special case. Patch tested by mcaskill.scott at epa.gov.
2633 - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
2634 prompt. Patch from vinschen at redhat.com.
2637 - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
2638 /etc/default/login report and testing from aabaker at iee.org, corrections
2642 - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
2643 versions from OpenBSD. ok djm@
2646 - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
2647 brian.smith at agilent com.
2648 - (djm) [configure.ac] missing 'test' call for -with-Werror test
2651 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
2652 "*LOCKED*" string) for FreeBSD. Patch jeremie at le-hen.org and
2653 senthilkumar_sen at hotpop.com.
2656 - (dtucker) OpenBSD CVS Sync
2657 - markus@cvs.openbsd.org 2005/09/07 08:53:53
2659 enforce chanid != NULL; ok djm
2660 - markus@cvs.openbsd.org 2005/09/09 19:18:05
2662 typo; from mark at mcs.vuw.ac.nz, bug #1082
2663 - djm@cvs.openbsd.org 2005/09/13 23:40:07
2664 [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
2665 scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
2666 ensure that stdio fds are attached; ok deraadt@
2667 - djm@cvs.openbsd.org 2005/09/19 11:37:34
2668 [ssh_config.5 ssh.1]
2669 mention ability to specify bind_address for DynamicForward and -D options;
2670 bz#1077 spotted by Haruyama Seigo
2671 - djm@cvs.openbsd.org 2005/09/19 11:47:09
2673 stop connection abort on rekey with delayed compression enabled when
2674 post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
2675 - djm@cvs.openbsd.org 2005/09/19 11:48:10
2678 - jmc@cvs.openbsd.org 2005/09/19 15:38:27
2680 some more .Bk/.Ek to avoid ugly line split;
2681 - jmc@cvs.openbsd.org 2005/09/19 15:42:44
2683 update -D usage here too;
2684 - djm@cvs.openbsd.org 2005/09/19 23:31:31
2686 spelling nit from stevesk@
2687 - djm@cvs.openbsd.org 2005/09/21 23:36:54
2689 aquire -> acquire, from stevesk@
2690 - djm@cvs.openbsd.org 2005/09/21 23:37:11
2692 change label at markus@'s request
2693 - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
2695 deploy .An -nosplit; ok jmc
2696 - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
2698 Relocate check_ip_options call to prevent logging of garbage for
2699 connections with IP options set. bz#1092 from David Leonard,
2700 "looks good" deraadt@
2701 - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
2702 is required in the system path for the multiplex test to work.
2705 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
2706 for strtoll. Patch from o.flebbe at science-computing.de.
2707 - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
2708 child during PAM account check without clearing it. This restores the
2709 post-login warnings such as LDAP password expiry. Patch from Tomas Mraz
2710 with help from several others.
2713 - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
2714 introduced during sync.
2717 - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
2718 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
2719 PAM via keyboard-interactive. Patch tested by the folks at Vintela.
2722 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
2723 calls, since they can't possibly fail. ok djm@
2724 - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
2725 process when sshd relies on ssh-random-helper. Should result in faster
2726 logins on systems without a real random device or prngd. ok djm@
2729 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
2730 duplicate call. ok djm@
2733 - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
2734 skeleten at shillest.net.
2735 - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
2739 - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
2740 AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
2744 - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
2748 - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
2749 OpenServer 6 and add osr5bigcrypt support so when someone migrates
2750 passwords between UnixWare and OpenServer they will still work. OK dtucker@