+20091208
+ - (dtucker) OpenBSD CVS Sync
+ - andreas@cvs.openbsd.org 2009/10/24 11:11:58
+ [roaming.h]
+ Declarations needed for upcoming changes.
+ ok markus@
+ - andreas@cvs.openbsd.org 2009/10/24 11:13:54
+ [sshconnect2.c kex.h kex.c]
+ Let the client detect if the server supports roaming by looking
+ for the resume@appgate.com kex algorithm.
+ ok markus@
+ - andreas@cvs.openbsd.org 2009/10/24 11:15:29
+ [clientloop.c]
+ client_loop() must detect if the session has been suspended and resumed,
+ and take appropriate action in that case.
+ From Martin Forssen, maf at appgate dot com
+ - andreas@cvs.openbsd.org 2009/10/24 11:19:17
+ [ssh2.h]
+ Define the KEX messages used when resuming a suspended connection.
+ ok markus@
+ - andreas@cvs.openbsd.org 2009/10/24 11:22:37
+ [roaming_common.c]
+ Do the actual suspend/resume in the client. This won't be useful until
+ the server side supports roaming.
+ Most code from Martin Forssen, maf at appgate dot com. Some changes by
+ me and markus@
+ ok markus@
+ - andreas@cvs.openbsd.org 2009/10/24 11:23:42
+ [ssh.c]
+ Request roaming to be enabled if UseRoaming is true and the server
+ supports it.
+ ok markus@
+ - reyk@cvs.openbsd.org 2009/10/28 16:38:18
+ [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
+ channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
+ sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
+ Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
+ ok markus@
+ - jmc@cvs.openbsd.org 2009/10/28 21:45:08
+ [sshd_config.5 sftp.1]
+ tweak previous;
+ - djm@cvs.openbsd.org 2009/11/10 02:56:22
+ [ssh_config.5]
+ explain the constraints on LocalCommand some more so people don't
+ try to abuse it.
+ - djm@cvs.openbsd.org 2009/11/10 02:58:56
+ [sshd_config.5]
+ clarify that StrictModes does not apply to ChrootDirectory. Permissions
+ and ownership are always checked when chrooting. bz#1532
+ - dtucker@cvs.openbsd.org 2009/11/10 04:30:45
+ [sshconnect2.c channels.c sshconnect.c]
+ Set close-on-exec on various descriptors so they don't get leaked to
+ child processes. bz #1643, patch from jchadima at redhat, ok deraadt.
+ - markus@cvs.openbsd.org 2009/11/11 21:37:03
+ [channels.c channels.h]
+ fix race condition in x11/agent channel allocation: don't read after
+ the end of the select read/write fdset and make sure a reused FD
+ is not touched before the pre-handlers are called.
+ with and ok djm@
+ - djm@cvs.openbsd.org 2009/11/17 05:31:44
+ [clientloop.c]
+ fix incorrect exit status when multiplexing and channel ID 0 is recycled
+ bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
+ - djm@cvs.openbsd.org 2009/11/19 23:39:50
+ [session.c]
+ bz#1606: error when an attempt is made to connect to a server
+ with ForceCommand=internal-sftp with a shell session (i.e. not a
+ subsystem session). Avoids stuck client when attempting to ssh to such a
+ service. ok dtucker@
+ - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
+ [session.c]
+ Warn but do not fail if stat()ing the subsystem binary fails. This helps
+ with chrootdirectory+forcecommand=sftp-server and restricted shells.
+ bz #1599, ok djm.
+ - djm@cvs.openbsd.org 2009/11/20 00:54:01
+ [sftp.c]
+ bz#1588 change "Connecting to host..." message to "Connected to host."
+ and delay it until after the sftp protocol connection has been established.
+ Avoids confusing sequence of messages when the underlying ssh connection
+ experiences problems. ok dtucker@
+ - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
+ [sshconnect2.c]
+ Use the HostKeyAlias when prompting for passwords. bz#1039, ok djm@
+ - djm@cvs.openbsd.org 2009/11/20 03:24:07
+ [misc.c]
+ correct off-by-one in percent_expand(): we would fatal() when trying
+ to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
+ work. Note that nothing in OpenSSH actually uses close to this limit at
+ present. bz#1607 from Jan.Pechanec AT Sun.COM
+ - halex@cvs.openbsd.org 2009/11/22 13:18:00
+ [sftp.c]
+ make passing of zero-length arguments to ssh safe by
+ passing "-<switch>" "<value>" rather than "-<switch><value>"
+ ok dtucker@, guenther@, djm@
+ - dtucker@cvs.openbsd.org 2009/12/06 23:41:15
+ [sshconnect2.c]
+ zap unused variable and strlen; from Steve McClellan, ok djm
+
+20091226
+ - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
+ Gzip all man pages. Patch from Corinna Vinschen.
+
+20091221
+ - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
+ Bug #1583: Use system's kerberos principal name on AIX if it's available.
+ Based on a patch from and tested by Miguel Sanders
+
+20091208
+ - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
+ based on a patch from Vaclav Ovsik and Colin Watson. ok djm.
+
+20091207
+ - (dtucker) Bug #1160: use pkg-config for opensc config if it's available.
+ Tested by Martin Paljak.
+ - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass.
+
+20091121
+ - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.
+ Bug 1628. OK dtucker@
+
+20091120
+ - (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
+ line arguments as none are supported. Exit when passed unrecognised
+ commandline flags. bz#1568 from gson AT araneus.fi
+
+20091118
+ - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
+ set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify
+ setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
+ bz#1648, report and fix from jan.kratochvil AT redhat.com
+ - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.
+ bz#1645, patch from jchadima AT redhat.com
+
+20091107
+ - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private
+ keys when built with OpenSSL versions that don't do AES.
+
+20091105
+ - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with
+ older versions of OpenSSL.
+
+20091024
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2009/10/11 23:03:15
+ [hostfile.c]
+ mention the host name that we are looking for in check_host_in_hostfile()
+ - sobrado@cvs.openbsd.org 2009/10/17 12:10:39
+ [sftp-server.c]
+ sort flags.
+ - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
+ [ssh.1 ssh-agent.1 ssh-add.1]
+ use the UNIX-related macros (.At and .Ux) where appropriate.
+ ok jmc@
+ - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
+ [ssh-agent.1 ssh-add.1 ssh.1]
+ write UNIX-domain in a more consistent way; while here, replace a
+ few remaining ".Tn UNIX" macros with ".Ux" ones.
+ pointed out by ratchov@, thanks!
+ ok jmc@
+ - djm@cvs.openbsd.org 2009/10/22 22:26:13
+ [authfile.c]
+ switch from 3DES to AES-128 for encryption of passphrase-protected
+ SSH protocol 2 private keys; ok several
+ - djm@cvs.openbsd.org 2009/10/23 01:57:11
+ [sshconnect2.c]
+ disallow a hostile server from checking jpake auth by sending an
+ out-of-sequence success message. (doesn't affect code enabled by default)
+ - dtucker@cvs.openbsd.org 2009/10/24 00:48:34
+ [ssh-keygen.1]
+ ssh-keygen now uses AES-128 for private keys
+ - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
+ - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
+ is enabled set the security context to "sftpd_t" before running the
+ internal sftp server Based on a patch from jchadima at redhat.
+
+20091011
+ - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
+ dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
+ lstat.
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2009/10/08 14:03:41
+ [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
+ disable protocol 1 by default (after a transition period of about 10 years)
+ ok deraadt
+ - jmc@cvs.openbsd.org 2009/10/08 20:42:12
+ [sshd_config.5 ssh_config.5 sshd.8 ssh.1]
+ some tweaks now that protocol 1 is not offered by default; ok markus
+ - dtucker@cvs.openbsd.org 2009/10/11 10:41:26
+ [sftp-client.c]
+ d_type isn't portable so use lstat to get dirent modes. Suggested by and
+ "looks sane" deraadt@
+ - markus@cvs.openbsd.org 2009/10/08 18:04:27
+ [regress/test-exec.sh]
+ re-enable protocol v1 for the tests.
+
+20091007
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2009/08/12 00:13:00
+ [sftp.c sftp.1]
+ support most of scp(1)'s commandline arguments in sftp(1), as a first
+ step towards making sftp(1) a drop-in replacement for scp(1).
+ One conflicting option (-P) has not been changed, pending further
+ discussion.
+ Patch from carlosvsilvapt@gmail.com as part of his work in the
+ Google Summer of Code
+ - jmc@cvs.openbsd.org 2009/08/12 06:31:42
+ [sftp.1]
+ sort options;
+ - djm@cvs.openbsd.org 2009/08/13 01:11:19
+ [sftp.1 sftp.c]
+ Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
+ add "-P port" to match scp(1). Fortunately, the -P option is only really
+ used by our regression scripts.
+ part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
+ of Code work; ok deraadt markus
+ - jmc@cvs.openbsd.org 2009/08/13 13:39:54
+ [sftp.1 sftp.c]
+ sync synopsis and usage();
+ - djm@cvs.openbsd.org 2009/08/14 18:17:49
+ [sftp-client.c]
+ make the "get_handle: ..." error messages vaguely useful by allowing
+ callers to specify their own error message strings.
+ - fgsch@cvs.openbsd.org 2009/08/15 18:56:34
+ [auth.h]
+ remove unused define. markus@ ok.
+ (Id sync only, Portable still uses this.)
+ - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
+ [sshd_config.5]
+ Add PubkeyAuthentication to the list allowed in a Match block (bz #1577)
+ - djm@cvs.openbsd.org 2009/08/18 18:36:21
+ [sftp-client.h sftp.1 sftp-client.c sftp.c]
+ recursive transfer support for get/put and on the commandline
+ work mostly by carlosvsilvapt@gmail.com for the Google Summer of Code
+ with some tweaks by me; "go for it" deraadt@
+ - djm@cvs.openbsd.org 2009/08/18 21:15:59
+ [sftp.1]
+ fix "get" command usage, spotted by jmc@
+ - jmc@cvs.openbsd.org 2009/08/19 04:56:03
+ [sftp.1]
+ ether -> either;
+ - dtucker@cvs.openbsd.org 2009/08/20 23:54:28
+ [mux.c]
+ subsystem_flag is defined in ssh.c so it's extern; ok djm
+ - djm@cvs.openbsd.org 2009/08/27 17:28:52
+ [sftp-server.c]
+ allow setting an explicit umask on the commandline to override whatever
+ default the user has. bz#1229; ok dtucker@ deraadt@ markus@
+ - djm@cvs.openbsd.org 2009/08/27 17:33:49
+ [ssh-keygen.c]
+ force use of correct hash function for random-art signature display
+ as it was inheriting the wrong one when bubblebabble signatures were
+ activated; bz#1611 report and patch from fwojcik+openssh AT besh.com;
+ ok markus@
+ - djm@cvs.openbsd.org 2009/08/27 17:43:00
+ [sftp-server.8]
+ allow setting an explicit umask on the commandline to override whatever
+ default the user has. bz#1229; ok dtucker@ deraadt@ markus@
+ - djm@cvs.openbsd.org 2009/08/27 17:44:52
+ [authfd.c ssh-add.c authfd.h]
+ Do not fall back to adding keys without contraints (ssh-add -c / -t ...)
+ when the agent refuses the constrained add request. This was a useful
+ migration measure back in 2002 when constraints were new, but just
+ adds risk now.
+ bz #1612, report and patch from dkg AT fifthhorseman.net; ok markus@
+ - djm@cvs.openbsd.org 2009/08/31 20:56:02
+ [sftp-server.c]
+ check correct variable for error message, spotted by martynas@
+ - djm@cvs.openbsd.org 2009/08/31 21:01:29
+ [sftp-server.8]
+ document -e and -h; prodded by jmc@
+ - djm@cvs.openbsd.org 2009/09/01 14:43:17
+ [ssh-agent.c]
+ fix a race condition in ssh-agent that could result in a wedged or
+ spinning agent: don't read off the end of the allocated fd_sets, and
+ don't issue blocking read/write on agent sockets - just fall back to
+ select() on retriable read/write errors. bz#1633 reported and tested
+ by "noodle10000 AT googlemail.com"; ok dtucker@ markus@
+ - grunk@cvs.openbsd.org 2009/10/01 11:37:33
+ [dh.c]
+ fix a cast
+ ok djm@ markus@
+ - djm@cvs.openbsd.org 2009/10/06 04:46:40
+ [session.c]
+ bz#1596: fflush(NULL) before exec() to ensure that everying (motd
+ in particular) has made it out before the streams go away.
+ - djm@cvs.openbsd.org 2008/12/07 22:17:48
+ [regress/addrmatch.sh]
+ match string "passwordauthentication" only at start of line, not anywhere
+ in sshd -T output
+ - dtucker@cvs.openbsd.org 2009/05/05 07:51:36
+ [regress/multiplex.sh]
+ Always specify ssh_config for multiplex tests: prevents breakage caused
+ by options in ~/.ssh/config. From Dan Peterson.
+ - djm@cvs.openbsd.org 2009/08/13 00:57:17
+ [regress/Makefile]
+ regression test for port number parsing. written as part of the a2port
+ change that went into 5.2 but I forgot to commit it at the time...
+ - djm@cvs.openbsd.org 2009/08/13 01:11:55
+ [regress/sftp-batch.sh regress/sftp-badcmds.sh regress/sftp.sh
+ regress/sftp-cmds.sh regres/sftp-glob.sh]
+ date: 2009/08/13 01:11:19; author: djm; state: Exp; lines: +10 -7
+ Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
+ add "-P port" to match scp(1). Fortunately, the -P option is only really
+ used by our regression scripts.
+ part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
+ of Code work; ok deraadt markus
+ - djm@cvs.openbsd.org 2009/08/20 18:43:07
+ [regress/ssh-com-sftp.sh]
+ fix one sftp -D ... => sftp -P ... conversion that I missed; from Carlos
+ Silva for Google Summer of Code
+ - dtucker@cvs.openbsd.org 2009/10/06 23:51:49
+ [regress/ssh2putty.sh]
+ Add OpenBSD tag to make syncs easier
+ - (dtucker) [regress/portnum.sh] Import new test.
+ - (dtucker) [configure.ac sftp-client.c] DTOTIF is in fs/ffs/dir.h on at
+ least dragonflybsd.
+ - (dtucker) d_type is not mandated by POSIX, so add fallback code using
+ stat(), needed on at least cygwin.
+
+20091002
+ - (djm) [Makefile.in] Mention readconf.o in ssh-keysign's make deps.
+ spotted by des AT des.no
+
+20090926
+ - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+ [contrib/suse/openssh.spec] Update for release
+ - (djm) [README] update relnotes URL
+ - (djm) [packet.c] Restore EWOULDBLOCK handling that got lost somewhere
+ - (djm) Release 5.3p1
+
+20090911
+ - (dtucker) [configure.ac] Change the -lresolv check so it works on Mac OS X
+ 10.6 (which doesn't have BIND8_COMPAT and thus uses res_9_query). Patch
+ from jbasney at ncsa uiuc edu.
+
+20090908
+ - (djm) [serverloop.c] Fix test for server-assigned remote forwarding port
+ (-R 0:...); bz#1578, spotted and fix by gavin AT emf.net; ok dtucker@
+
+20090901
+ - (dtucker) [configure.ac] Bug #1639: use AC_PATH_PROG to search the path for
+ krb5-config if it's not in the location specified by --with-kerberos5.
+ Patch from jchadima at redhat.
+
+20090829
+ - (dtucker) [README.platform] Add text about development packages, based on
+ text from Chris Pepper in bug #1631.
+
+20090828
+ - dtucker [auth-sia.c] Roll back the change for bug #1241 as it apparently
+ causes problems in some Tru64 configurations.
+ - (djm) [sshd_config.5] downgrade mention of login.conf to be an example
+ and mention PAM as another provider for ChallengeResponseAuthentication;
+ bz#1408; ok dtucker@
+ - (djm) [sftp-server.c] bz#1535: accept ENOSYS as a fallback error when
+ attempting atomic rename(); ok dtucker@
+ - (djm) [Makefile.in] bz#1505: Solaris make(1) doesn't accept make variables
+ in argv, so pass them in the environment; ok dtucker@
+ - (dtucker) [channels.c configure.ac] Bug #1528: skip the tcgetattr call on
+ the pty master on Solaris, since it never succeeds and can hang if large
+ amounts of data is sent to the slave (eg a copy-paste). Based on a patch
+ originally from Doke Scott, ok djm@
+ - (dtucker) [clientloop.c configure.ac defines.h] Make the client's IO buffer
+ size a compile-time option and set it to 64k on Cygwin, since Corinna
+ reports that it makes a significant difference to performance. ok djm@
+ - (dtucker) [configure.ac] Fix the syntax of the Solaris tcgetattr entry.
+
+20090820
+ - (dtucker) [includes.h] Bug #1634: do not include system glob.h if we're not
+ using it since the type conflicts can cause problems on FreeBSD. Patch
+ from Jonathan Chen.
+ - (dtucker) [session.c openbsd-compat/port-aix.h] Bugs #1249 and #1567: move
+ the setpcred call on AIX to immediately before the permanently_set_uid().
+ Ensures that we still have privileges when we call chroot and
+ pam_open_sesson. Based on a patch from David Leonard.
+
+20090817
+ - (dtucker) [configure.ac] Check for headers before libraries for openssl an
+ zlib, which should make the errors slightly more meaningful on platforms
+ where there's separate "-devel" packages for those.
+ - (dtucker) [sshlogin.c openbsd-compat/port-aix.{c,h}] Bug #1595: make
+ PrintLastLog work on AIX. Based in part on a patch from Miguel Sanders.
+
+20090729
+ - (tim) [contrib/cygwin/ssh-user-config] Change script to call correct error
+ function. Patch from Corinna Vinschen.
+