+20050226
+ - (dtucker) [openbsd-compat/bsd-openpty.c openbsd-compat/inet_ntop.c]
+ Remove two obsolete Cygwin #ifdefs. Patch from vinschen at redhat.com.
+ - (dtucker) [acconfig.h configure.ac openbsd-compat/bsd-misc.{c,h}]
+ Remove SETGROUPS_NOOP, was only used by Cygwin, which doesn't need it any
+ more. Patch from vinschen at redhat.com.
+ - (dtucker) [Makefile.in] Add a install-nosysconf target for installing the
+ binaries without the config files. Primarily useful for packaging.
+ Patch from phil at usc.edu. ok djm@
+
+20050224
+ - (djm) [configure.ac] in_addr_t test needs sys/types.h too
+
+20050222
+ - (dtucker) [uidswap.c] Skip uid restore test on Cygwin. Patch from
+ vinschen at redhat.com.
+
+20050220
+ - (dtucker) [LICENCE Makefile.in README.platform audit-bsm.c configure.ac
+ defines.h] Bug #125: Add *EXPERIMENTAL* BSM audit support. Configure
+ --with-audit=bsm to enable. Patch originally from Sun Microsystems,
+ parts by John R. Jackson. ok djm@
+ - (dtucker) [configure.ac] Missing comma in AIX section, somehow causes
+ unrelated platforms to be configured incorrectly.
+
+20050216
+ - (djm) write seed to temporary file and atomically rename into place;
+ ok dtucker@
+ - (dtucker) [ssh-rand-helper.c] Provide seed_rng since it may be called
+ via mkstemp in some configurations. ok djm@
+ - (dtucker) [auth-shadow.c] Prevent compiler warnings if "DAY" is defined
+ by the system headers.
+ - (dtucker) [configure.ac] Bug #893: check for libresolv early on Reliant
+ Unix; prevents problems relating to the location of -lresolv in the
+ link order.
+ - (dtucker) [session.c] Bug #918: store credentials from gssapi-with-mic
+ authentication early enough to be available to PAM session modules when
+ privsep=yes. Patch from deengert at anl.gov, ok'ed in principle by Sam
+ Hartman and similar to Debian's ssh-krb5 package.
+ - (dtucker) [configure.ac openbsd-compat/port-aix.{c,h}] Silence some more
+ compiler warnings on AIX.
+
+20050215
+ - (dtucker) [config.sh.in] Collect oslevel -r too.
+ - (dtucker) [README.platform auth.c configure.ac loginrec.c
+ openbsd-compat/port-aix.c openbsd-compat/port-aix.h] Bug #835: enable IPv6
+ on AIX where possible (see README.platform for details) and work around
+ a misfeature of AIX's getnameinfo. ok djm@
+ - (dtucker) [loginrec.c] Add missing #include.
+
+20050211
+ - (dtucker) [configure.ac] Tidy up configure --help output.
+ - (dtucker) [openbsd-compat/fake-rfc2553.h] We now need EAI_SYSTEM too.
+
+20050210
+ - (dtucker) [configure.ac] Bug #919: Provide visible feedback for the
+ --disable-etc-default-login configure option.
+
+20050209
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2005/01/28 09:45:53
+ [ssh_config]
+ Make it clear that the example entries in ssh_config are only some of the
+ commonly-used options and refer the user to ssh_config(5) for more
+ details; ok djm@
+ - jmc@cvs.openbsd.org 2005/01/28 15:05:43
+ [ssh_config.5]
+ grammar;
+ - jmc@cvs.openbsd.org 2005/01/28 18:14:09
+ [ssh_config.5]
+ wording;
+ ok markus@
+ - dtucker@cvs.openbsd.org 2005/01/30 11:18:08
+ [monitor.c]
+ Make code match intent; ok djm@
+ - dtucker@cvs.openbsd.org 2005/02/08 22:24:57
+ [sshd.c]
+ Provide reason in error message if getnameinfo fails; ok markus@
+ - (dtucker) [auth-passwd.c openbsd-compat/port-aix.c] Don't call
+ disable_forwarding() from compat library. Prevent linker errrors trying
+ to resolve it for binaries other than sshd. ok djm@
+ - (dtucker) [configure.ac] Bug #854: prepend pwd to relative --with-ssl-dir
+ paths. ok djm@
+ - (dtucker) [configure.ac session.c] Some platforms (eg some SCO) require
+ the username to be passed to the passwd command when changing expired
+ passwords. ok djm@
+
+20050208
+ - (dtucker) [regress/test-exec.sh] Bug #912: Set _POSIX2_VERSION for the
+ regress tests so newer versions of GNU head(1) behave themselves. Patch
+ by djm, so ok me.
+ - (dtucker) [openbsd-compat/port-aix.c] Silence compiler warnings.
+ - (dtucker) [audit.c audit.h auth.c auth1.c auth2.c loginrec.c monitor.c
+ monitor_wrap.c monitor_wrap.h session.c sshd.c]: Prepend all of the audit
+ defines and enums with SSH_ to prevent namespace collisions on some
+ platforms (eg AIX).
+
+20050204
+ - (dtucker) [monitor.c] Permit INVALID_USER audit events from slave too.
+ - (dtucker) [auth.c] Fix parens in audit log check.
+
+20050202
+ - (dtucker) [configure.ac openbsd-compat/realpath.c] Sync up with realpath
+ rev 1.11 from OpenBSD and make it use fchdir if available. ok djm@
+ - (dtucker) [auth.c loginrec.h openbsd-compat/{bsd-cray,port-aix}.{c,h}]
+ Make record_failed_login() call provide hostname rather than having the
+ implementations having to do lookups themselves. Only affects AIX and
+ UNICOS (the latter only uses the "user" parameter anyway). ok djm@
+ - (dtucker) [session.c sshd.c] Bug #445: Propogate KRB5CCNAME if set to child
+ the process. Since we also unset KRB5CCNAME at startup, if it's set after
+ authentication it must have been set by the platform's native auth system.
+ This was already done for AIX; this enables it for the general case.
+ - (dtucker) [auth.c canohost.c canohost.h configure.ac defines.h loginrec.c]
+ Bug #974: Teach sshd to write failed login records to btmp for failed auth
+ attempts (currently only for password, kbdint and C/R, only on Linux and
+ HP-UX), based on code from login.c from util-linux. With ashok_kovai at
+ hotmail.com, ok djm@
+ - (dtucker) [Makefile.in auth.c auth.h auth1.c auth2.c loginrec.c monitor.c
+ monitor.h monitor_wrap.c monitor_wrap.h session.c sshd.c] Bug #125:
+ (first stage) Add audit instrumentation to sshd, currently disabled by
+ default. with suggestions from and ok djm@
+
+20050201
+ - (dtucker) [log.c] Bug #973: force log_init() to open syslog, since on some
+ platforms syslog will revert to its default values. This may result in
+ messages from external libraries (eg libwrap) being sent to a different
+ facility.
+ - (dtucker) [sshd_config.5] Bug #701: remove warning about
+ keyboard-interactive since this is no longer the case.
+
+20050124
+ - (dtucker) OpenBSD CVS Sync
+ - otto@cvs.openbsd.org 2005/01/21 08:32:02
+ [auth-passwd.c sshd.c]
+ Warn in advance for password and account expiry; initialize loginmsg
+ buffer earlier and clear it after privsep fork. ok and help dtucker@
+ markus@
+ - dtucker@cvs.openbsd.org 2005/01/22 08:17:59
+ [auth.c]
+ Log source of connections denied by AllowUsers, DenyUsers, AllowGroups and
+ DenyGroups. bz #909, ok djm@
+ - djm@cvs.openbsd.org 2005/01/23 10:18:12
+ [cipher.c]
+ config option "Ciphers" should be case-sensitive; ok dtucker@
+ - dtucker@cvs.openbsd.org 2005/01/24 10:22:06
+ [scp.c sftp.c]
+ Have scp and sftp wait for the spawned ssh to exit before they exit
+ themselves. This prevents ssh from being unable to restore terminal
+ modes (not normally a problem on OpenBSD but common with -Portable
+ on POSIX platforms). From peak at argo.troja.mff.cuni.cz (bz#950);
+ ok djm@ markus@
+ - dtucker@cvs.openbsd.org 2005/01/24 10:29:06
+ [moduli]
+ Import new moduli; requested by deraadt@ a week ago
+ - dtucker@cvs.openbsd.org 2005/01/24 11:47:13
+ [auth-passwd.c]
+ #if -> #ifdef so builds without HAVE_LOGIN_CAP work too; ok djm@ otto@
+
+20050120
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2004/12/23 17:35:48
+ [session.c]
+ check for NULL; from mpech
+ - markus@cvs.openbsd.org 2004/12/23 17:38:07
+ [ssh-keygen.c]
+ leak; from mpech
+ - djm@cvs.openbsd.org 2004/12/23 23:11:00
+ [servconf.c servconf.h sshd.c sshd_config sshd_config.5]
+ bz #898: support AddressFamily in sshd_config. from
+ peak@argo.troja.mff.cuni.cz; ok deraadt@
+ - markus@cvs.openbsd.org 2005/01/05 08:51:32
+ [sshconnect.c]
+ remove dead code, log connect() failures with level error, ok djm@
+ - jmc@cvs.openbsd.org 2005/01/08 00:41:19
+ [sshd_config.5]
+ `login'(n) -> `log in'(v);
+ - dtucker@cvs.openbsd.org 2005/01/17 03:25:46
+ [moduli.c]
+ Correct spelling: SCHNOOR->SCHNORR; ok djm@
+ - dtucker@cvs.openbsd.org 2005/01/17 22:48:39
+ [sshd.c]
+ Make debugging output continue after reexec; ok djm@
+ - dtucker@cvs.openbsd.org 2005/01/19 13:11:47
+ [auth-bsdauth.c auth2-chall.c]
+ Have keyboard-interactive code call the drivers even for responses for
+ invalid logins. This allows the drivers themselves to decide how to
+ handle them and prevent leaking information where possible. Existing
+ behaviour for bsdauth is maintained by checking authctxt->valid in the
+ bsdauth driver. Note that any third-party kbdint drivers will now need
+ to be able to handle responses for invalid logins. ok markus@
+ - djm@cvs.openbsd.org 2004/12/22 02:13:19
+ [cipher-ctr.c cipher.c]
+ remove fallback AES support for old OpenSSL, as OpenBSD has had it for
+ many years now; ok deraadt@
+ (Id sync only: Portable will continue to support older OpenSSLs)
+ - (dtucker) [auth-pam.c] Bug #971: Prevent leaking information about user
+ existence via keyboard-interactive/pam, in conjunction with previous
+ auth2-chall.c change; with Colin Watson and djm.
+ - (dtucker) [loginrec.h] Bug #952: Increase size of username field to 128
+ bytes to prevent errors from login_init_entry() when the username is
+ exactly 64 bytes(!) long. From brhamon at cisco.com, ok djm@
+ - (dtucker) [auth-chall.c auth.h auth2-chall.c] Bug #936: Remove pam from
+ the list of available kbdint devices if UsePAM=no. ok djm@
+
+20050118
+ - (dtucker) [INSTALL Makefile.in configure.ac survey.sh.in] Implement
+ "make survey" and "make send-survey". This will provide data on the
+ configure parameters, platform and platform features to the development
+ team, which will allow (among other things) better targetting of testing.
+ It's entirely voluntary and is off be default. ok djm@
+ - (dtucker) [survey.sh.in] Remove any blank lines from the output of
+ ccver-v and ccver-V.
+
+20041220
+ - (dtucker) [ssh-rand-helper.c] Fall back to command-based seeding if reading
+ from prngd is enabled at compile time but fails at run time, eg because
+ prngd is not running. Note that if you have prngd running when OpenSSH is
+ built, OpenSSL will consider itself internally seeded and rand-helper won't
+ be built at all unless explicitly enabled via --with-rand-helper. ok djm@
+ - (dtucker) [regress/rekey.sh] Touch datafile before filling with dd, since
+ on some wacky platforms (eg old AIXes), dd will refuse to create an output
+ file if it doesn't exist.
+
+20041213
+ - (dtucker) [contrib/findssh.sh] Clean up on interrupt; from
+ amarendra.godbole at ge com.
+
+20041211
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2004/12/06 16:00:43
+ [bufaux.c]
+ use 0x00 not \0 since buf[] is a bignum
+ - fgsch@cvs.openbsd.org 2004/12/10 03:10:42
+ [sftp.c]
+ - fix globbed ls for paths the same lenght as the globbed path when
+ we have a unique matching.
+ - fix globbed ls in case of a directory when we have a unique matching.
+ - as a side effect, if the path does not exist error (used to silently
+ ignore).
+ - don't do extra do_lstat() if we only have one matching file.
+ djm@ ok
+ - dtucker@cvs.openbsd.org 2004/12/11 01:48:56
+ [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h]
+ Fix debug call in error path of authorized_keys processing and fix related
+ warnings; ok djm@
+
+20041208
+ - (tim) [configure.ac] Comment some non obvious platforms in the
+ target-specific case statement. Suggested and OK by dtucker@
+
+20041207
+ - (dtucker) [regress/scp.sh] Use portable-friendly $DIFFOPTs in new test.
+
+20041206
+ - (dtucker) [TODO WARNING.RNG] Update to reflect current reality. ok djm@
+ - (dtucker) OpenBSD CVS Sync
+ - markus@cvs.openbsd.org 2004/11/25 22:22:14
+ [sftp-client.c sftp.c]
+ leak; from mpech
+ - jmc@cvs.openbsd.org 2004/11/29 00:05:17
+ [sftp.1]
+ missing full stop;
+ - djm@cvs.openbsd.org 2004/11/29 07:41:24
+ [sftp-client.h sftp.c]
+ Some small fixes from moritz@jodeit.org. ok deraadt@
+ - jaredy@cvs.openbsd.org 2004/12/05 23:55:07
+ [sftp.1]
+ - explain that patterns can be used as arguments in get/put/ls/etc
+ commands (prodded by Michael Knudsen)
+ - describe ls flags as a list
+ - other minor improvements
+ ok jmc, djm
+ - dtucker@cvs.openbsd.org 2004/12/06 11:41:03
+ [auth-rsa.c auth2-pubkey.c authfile.c misc.c misc.h ssh.h sshd.8]
+ Discard over-length authorized_keys entries rather than complaining when
+ they don't decode. bz #884, with & ok djm@
+ - (dtucker) OpenBSD CVS Sync (regress/)
+ - djm@cvs.openbsd.org 2004/06/26 06:16:07
+ [reexec.sh]
+ don't change the name of the copied sshd for the reexec fallback test,
+ makes life simpler for portable
+ - dtucker@cvs.openbsd.org 2004/07/08 12:59:35
+ [scp.sh]
+ Regress test for bz #863 (scp double-error), requires $SUDO. ok markus@
+ - david@cvs.openbsd.org 2004/07/09 19:45:43
+ [Makefile]
+ add a missing CLEANFILES used in the re-exec test
+ - djm@cvs.openbsd.org 2004/10/08 02:01:50
+ [reexec.sh]
+ shrink and tidy; ok dtucker@
+ - djm@cvs.openbsd.org 2004/10/29 23:59:22
+ [Makefile added brokenkeys.sh]
+ regression test for handling of corrupt keys in authorized_keys file
+ - djm@cvs.openbsd.org 2004/11/07 00:32:41
+ [multiplex.sh]
+ regression tests for new multiplex commands
+ - dtucker@cvs.openbsd.org 2004/11/25 09:39:27
+ [test-exec.sh]
+ Remove obsolete RhostsAuthentication from test config; ok markus@
+ - dtucker@cvs.openbsd.org 2004/12/06 10:49:56
+ [test-exec.sh]
+ Check if TEST_SSH_SSHD is a full path to sshd before searching; ok markus@
+
+20041203
+ - (dtucker) OpenBSD CVS Sync
+ - jmc@cvs.openbsd.org 2004/11/07 17:42:36
+ [ssh.1]
+ options sort, and whitespace;
+ - jmc@cvs.openbsd.org 2004/11/07 17:57:30
+ [ssh.c]
+ usage():
+ - add -O
+ - sync -S w/ manpage
+ - remove -h
+ - (dtucker) [auth1.c auth2.c] If the user successfully authenticates but is
+ subsequently denied by the PAM auth stack, send the PAM message to the
+ user via packet_disconnect (Protocol 1) or userauth_banner (Protocol 2).
+ ok djm@
+
+20041107
+ - (dtucker) OpenBSD CVS Sync
+ - djm@cvs.openbsd.org 2004/11/05 12:19:56
+ [sftp.c]
+ command editing and history support via libedit; ok markus@
+ thanks to hshoexer@ and many testers on tech@ too
+ - djm@cvs.openbsd.org 2004/11/07 00:01:46
+ [clientloop.c clientloop.h ssh.1 ssh.c]
+ add basic control of a running multiplex master connection; including the
+ ability to check its status and request it to exit; ok markus@
+ - (dtucker) [INSTALL Makefile.in configure.ac] Add --with-libedit configure
+ option and supporting makefile bits and documentation.
+
20041105
- (dtucker) OpenBSD CVS Sync
- markus@cvs.openbsd.org 2004/08/30 09:18:08
- djm@cvs.openbsd.org 2004/10/07 10:10:24
[scp.1 sftp.1 ssh.1 ssh_config.5]
document KbdInteractiveDevices; ok markus@
+ - djm@cvs.openbsd.org 2004/10/07 10:12:36
+ [ssh-agent.c]
+ don't unlink agent socket when bind() fails, spotted by rich AT
+ rich-paul.net, ok markus@
+ - markus@cvs.openbsd.org 2004/10/20 11:48:53
+ [packet.c ssh1.h]
+ disconnect for invalid (out of range) message types.
+ - djm@cvs.openbsd.org 2004/10/29 21:47:15
+ [channels.c channels.h clientloop.c]
+ fix some window size change bugs for multiplexed connections: windows sizes
+ were not being updated if they had changed after ~^Z suspends and SIGWINCH
+ was not being processed unless the first connection had requested a tty;
+ ok markus
+ - djm@cvs.openbsd.org 2004/10/29 22:53:56
+ [clientloop.c misc.h readpass.c ssh-agent.c]
+ factor out common permission-asking code to separate function; ok markus@
+ - djm@cvs.openbsd.org 2004/10/29 23:56:17
+ [bufaux.c bufaux.h buffer.c buffer.h]
+ introduce a new buffer API that returns an error rather than fatal()ing
+ when presented with bad data; ok markus@
+ - djm@cvs.openbsd.org 2004/10/29 23:57:05
+ [key.c]
+ use new buffer API to avoid fatal errors on corrupt keys in authorized_keys
+ files; ok markus@
20041102
- (dtucker) [configure.ac includes.h] Bug #947: Fix compile error on HP-UX